Lesson 3 Flashcards

1
Q

Footprinting

A

Scanning the network layout and rogue system detection. Scanning for hosts, IP ranges and routes.

2
Q

ipconfig / ifconfig

A

ipconfig (Windows) / ifconfig (Linux)

Reports on local IP configuration

3
Q

ping

A

Uses Internet Control Message Protocol (ICMP)

  • Test connectivity with a host
  • Use a ping sweep to detect live hosts on a subnet
4
Q

subnet

A

Local network segment. All hosts on a subnet will have similar IP addresses.

5
Q

arp

A

Address Resolution Protocol (ARP) cache

Shows IP to Media Access Control (MAC) address mapping
• Detect spoofing (validate MAC of default gateway)

6
Q

route

A

*If the host is not a router, additional entries in the routing table could be suspicious

  • Show the local routing table
  • Identify default route and local subnet
  • Check for suspicious entries
7
Q

tracert / traceroute

A

tracert (Windows) / traceroute (Linux)

Test the path to a remote host

8
Q

route vs tracert/traceroute vs pathping/mtr

A

route: local routing table

tracert/traceroute: path to remote host

pathping/mtr: measures latency and packet loss along a route

9
Q

pathping / mtr

A

pathping (Windows) / mtr (Linux)

Measures latency and packet loss along a route

10
Q

Nmap

A

Network Mapper: a type of IP scanner

host discovery => port scan => service discovery

Host discovery
• Test whether hosts in an IP range respond to probes

Port scan
• Test whether TCP or UDP ports accept connections (are open)

Service discovery
• Scan custom TCP/UDP port ranges

Service and version detection
• Fingerprinting each port
• Protocol (telnet, http, ftp, etc.)
• Application/version
• OS type
• Device type
11
Q

netstat & nslookup (dig)

A

Basic service discovery tasks can also be performed using tools built into the Windows and Linux operating systems:

netstat

• Report TCP/UDP port status on the local machine

nslookup (Windows) / dig (Linux)

• Query name records for a given domain using a particular DNS resolver under Windows (nslookup) or Linux (dig). An attacker may test a network to find out if the DNS service is misconfigured. A misconfigured DNS server may allow a zone transfer, which gives the attacker the complete records of every host in the domain, revealing a huge amount about the way the network is configured.

12
Q

theHarvester

A

Collate open source intelligence (OSINT)

13
Q

dnsenum

A

• Collate DNS hosting information, name records, and IP schemas

14
Q

scanless

A

• Collate results from third-party port scanning sites

15
Q

curl

A

• Craft and submit protocol requests

curl is a command-line client for performing data transfers over many types of protocol (curl.haxx.se). This tool can be used to submit HTTP GET, POST, and PUT requests as part of web application vulnerability testing. curl supports many other data transfer protocols, including FTP, IMAP, LDAP, POP3, SMB, and SMTP.

16
Q

Nessus

A

• Perform automated vulnerability scanning

17
Q

Packet analysis versus protocol analysis

A

• Packet analysis refers to deep-down frame-by-frame scrutiny of captured frames.

• Protocol analysis means using statistical tools to analyze a sequence of packets, or packet trace.

18
Q

Sniffer

A

Tool for capturing network frames. Can identify malicious traffic that got past the firewall.

19
Q

tcpdump

A

A command-line packet capture utility for Linux

  • Write to pcap
  • Read from pcap
  • Filters
20
Q

Wireshark

A

Packet analyzer

21
Q

Packet injection

A

• Crafting spoofed packets

• Tools: Dsniff, Ettercap, Scapy, hping

22
Q

hping

A

Packet injection tool for pen testers; also does a lot of what Nmap does

  • Host/port detection and firewall testing
  • Traceroute
  • Denial of service (DoS)
23
Q

tcpreplay

A

tcpreplay takes previously captured traffic that has been saved to a pcap file and replays it
• Stream a packet capture through an interface
• Sandbox analysis and intrusion detection testing

24
Q

Exploitation Frameworks

A

Simulate adversary tools for exploitation and backdoor access

Examples

  • Metasploit
  • Sn1Per
25
Q

Metasploit

A

Exploitation framework
• Modules to exploit known code vulnerabilities
• Couple exploit module with payload
• Obfuscate code to evade detection

26
Q

Sn1Per

A

• Penetration test reporting and evidence gathering
• Run automated suites of tests

27
Q

Netcat

A

Simple tool for testing network connectivity. Can be used for port scanning and fingerprinting.
• Port scan: scans a port and determines what service it runs
• Fingerprinting: detailed analysis of services on a host

28
Q

Zero-day

A

• Vulnerability is unknown to the vendor
• Threat actor develops an exploit for which there is no patch
• Likely to be used against high-value targets

29
Q

Legacy platform

A

• Vendor no longer releases security patches

30
Q

Weak Host Configurations

A

• Default settings
  • Vendor may not release product in a default-secure configuration
• Unsecured root accounts
  • Threat actor will gain complete control
  • Limit ability to log in as superuser
• Open permissions
  • Configuration errors allowing unauthenticated access
  • Allowing write access when only read access is appropriate
• Open ports and services
  • Restrict using an access control list
  • Disable unnecessary services or block ports
  • Block at network perimeter
• Unsecure protocols
  • Cleartext data transmissions are vulnerable to snooping and eavesdropping
• Weak encryption
  • Storage and transport encryption
  • Key is generated from a weak password
  • Cipher has weaknesses
  • Key distribution is not secure
• Errors
  • Error messages that reveal too much information

31
Q

Unsecured root accounts

A

• Threat actor will gain complete control
• Limit ability to log in as superuser

32
Q

Open permissions

A

• Configuration errors allowing unauthenticated access
• Allowing write access when only read access is appropriate

33
Q

Open ports and services

A

• Restrict using an access control list
• Disable unnecessary services or block ports
• Block at network perimeter

34
Q

Unsecure protocols

A

• Cleartext data transmissions are vulnerable to snooping and eavesdropping

35
Q

Weak encryption

A

• Storage and transport encryption
• Key is generated from a weak password
• Cipher has weaknesses
• Key distribution is not secure

36
Q

Errors

A

• Error messages that reveal too much information

37
Q

Data breach vs exfiltration

A

• Data breach is where confidential data is read or transferred without authorization
• Data exfiltration is the methods and tools by which an attacker transfers data without authorization

38
Q

Security Assessment Frameworks

A

• Methodology and scope for security assessments

39
Q

NIST SP 800-115

A

NIST's Technical Guide to Information Security Testing and Assessment. Security assessment framework:
• Testing
• Examining
• Interviewing

40
Q

Vulnerability assessment versus threat hunting and penetration testing

A

• Vulnerability assessment: evaluation of system security and ability to meet compliance
• Threat hunting: actively looking for threats
• Pen testing: inserting threats

41
Q

Vulnerability Scan Types

A

Automated scanners configured with a list of known vulnerabilities:
1. Network vulnerability scanner
2. Application and web application scanners

42
Q

Network vulnerability scanner

A

• Configured with tests for most types of network hosts
• Focused on scanning OS plus some desktop and server applications

43
Q

Application and web application scanners

A

• Configured with application-specific tests

44
Q

SCAP

A

Security Content Automation Protocol (SCAP)
• Mechanism for updating scanner via feed
• Common identifiers (CVE)

45
Q

CVE

A

Common Vulnerabilities and Exposures (CVE)

46
Q

CVSS

A

Common Vulnerability Scoring System (CVSS)

47
Q

Intrusive versus non-intrusive scanning

A

• Non-intrusive scanning (consumes fewer resources)
  • Passively test security controls
  • Scanners attach to the network and only sniff traffic
  • Possibly some low interaction with hosts (port scanning/banner grabbing)
• Intrusive/active scanning (consumes more resources)
  • Establish network session
  • Agent-based scan

48
Q

Credentialed vs non-credentialed scanning

A

Non-credentialed
• Anonymous or guest access to host only
• Might test default passwords

Credentialed
• Scan configured with logon
• Can allow privileged access to configuration settings/logs/registry
• Use dedicated account for scanning

49
Q

False positive and false negative

A

you know this

50
Q

Configuration Templates

A

Driven by templates of configuration settings
• Open Vulnerability and Assessment Language (OVAL)
• Extensible Configuration Checklist Description Format (XCCDF)

51
Q

Threat Hunting

A

• Use log and threat data to search for IoCs
• Advisories and bulletins
  • Plan threat hunting project in response to a newly discovered threat
• Intelligence fusion and threat data
  • Use security information and event management (SIEM) and threat data feeds to automate searches
• Maneuver
  • Consider the possibility of alerting the adversary to the search
  • Use techniques that will give positional advantage

52
Q

Penetration Testing

A

• Pen test or ethical hacking
• Verify threat: identify vulnerability and the vector by which it could be exploited
• Bypass security controls: identify lack of controls or ways to circumvent existing controls
• Actively test security controls: examine weaknesses that render controls ineffective
• Exploit vulnerabilities to prove threat exists ("pwned")
• Active and highly intrusive techniques, compared to vulnerability assessment

53
Q

Black box vs white box vs gray box

A

• Black box (unknown environment)
• White box (known environment)
• Gray box (partially known environment, to model insider threat agents, for instance)

54
Q

Red team, blue team, white team, purple team

A

• Red team: performs the offensive role
• Blue team: performs the defensive role
• White team: sets the rules of engagement and monitors the exercise
• Purple team: exercise set up to encourage collaboration
  • Red and blue teams share information and debrief regularly
  • Might be assisted by a facilitator

55
Q

War driving

A

Mapping wireless networks

56
Q

Pen Test Attack Life Cycle

A

• Initial exploitation
  • Obtain a foothold via an exploit
• Persistence
  • Establish a command & control backdoor
  • Reconnect across host shutdown/user logoff events
• Privilege escalation
• Internal reconnaissance
  • Gain additional credentials and compromise higher-privilege accounts
• Lateral movement
  • Compromise other hosts
• Pivoting
  • Access hosts with no direct remote connection via a pivot host
• Actions on objectives
• Cleanup

57
Q

Service discovery

A

Having identified active IP hosts on the network and gained an idea of the network topology, the next step in network reconnaissance is to work out which operating systems are in use, which network services each host is running, and, if possible, which application software is underpinning those services. This process is described as service discovery. Service discovery can also be used defensively, to probe potential rogue systems and identify the presence of unauthorized network service ports.

58
Q

Reconnaissance ==> footprinting, routes, service discovery

A

Type of assessment activity that maps the potential attack surface by identifying the nodes and connections that make up the network.

• Footprinting (or topology discovery): scanning for hosts, IP ranges, and routes between networks to map out the structure of the target network. Tools: ipconfig, ifconfig, ping, arp (for MAC addresses), nmap
• Routes: testing routes and configuration. Tools: tracert, traceroute, pathping
• Service discovery: the next step in network reconnaissance is to work out which operating systems are in use, which network services each host is running, and, if possible, which application software is underpinning those services. This process is described as service discovery. Tools: netstat, nslookup, nmap

59
Q

What tools are used for footprinting (topology discovery)?

A

ipconfig, ifconfig, ping, arp (for MAC addresses)