Mod 14 Flashcards

(164 cards)

1
Q

PORT 445

A

SMB Direct | TCP

2
Q

WINDOWS HASH:

___ - A secure asymmetric algorithm. Passwords up to 256 characters (all ASCII characters, 211 unique characters).

A

NT LAN Manager (NTLM) Hash

3
Q

NETCAT Options:

__ = Help; provides all options

A

-h

4
Q

PAYLOAD TYPES:
___ - Opens a port on the target system and listens for incoming connections. The attacker initiates the connection (call-in) to the target. Firewalls often block the connection.

A

Bind TCP

5
Q

___ gathers information about a target of interest without actually probing the target.

A

Passive Analysis

6
Q

Syntax for Nikto

A

nikto -host

  • -host = specific target host
  • -H = list all options

7
Q

PORT 110

A

POP3 | TCP

8
Q

___ ties directly into the target development aspect of the Target Research/SIGINT Analysis Module.

A

Information Gathering

9
Q

___ - Designed to target a specific vulnerability in an application. Most common method of execution in use is the Buffer Overflow.

A

Code-Based Exploit

10
Q

Active Exploitation skills are also employed in the civilian sector by network security professionals who perform ___.

A

Penetration Tests (pentests)

11
Q

SCAN EXTENSIONS:

___ = Version detection communicates with ports to determine what is actually running.

A

-sV

12
Q

___ is a technique that involves connecting to common applications on a target host to identify the version of the running applications. Can be done using Nmap, Telnet, and Netcat.

A

Banner Grabbing

13
Q

PORT 513

A

RLOGIN | TCP

14
Q

PAYLOAD TYPES:
Staged systems:
___ - Fully functional remote shell loaded by the Stager. Offers the ability to run commands on the target system through a remote shell.

A

Stage (s1)

15
Q

NETCAT Options:

__ = Indicates verbose details; it only reports open ports.

A

-v

16
Q

___ is a command used to generate and output various types of shellcode payloads. Used for standalone custom payloads outside of the Metasploit framework.

A

msfpayload

17
Q

HOST DISCOVERY:
___ = Disable host discovery. Does not ping hosts at all before scanning them; allows scanning of networks through firewalls that block ICMP.

A

-Pn

18
Q

PORT 3389

A

RDP | TCP

19
Q

PORT 53

A

DNS | TCP & UDP

20
Q

Exploits used through ___ do not use encryption, so when traversing a hop, the exploit and payload are vulnerable to exposure and capture.

A

Satellite Hops

21
Q

Linux:

Syntax for ping with record route.

A

ping -R

-R = invokes record route option

22
Q

United States Code (USC)
Title 18 ___ - Stored Wire and Electronic Communications and Transactional Records Access. Unlawful Access to Stored Communications.

A

Title 18 USC 2701

23
Q

Cisco IOS Passwords:

Type 7 is ___ and type 5 is ___.

A

Symmetric

Asymmetric

24
Q

NETCAT Options:

__ = Reports all responses within the range

A

-vv

25
OS: Linux Example: CentOS, Kali TTL: ___
TTL = 64
26
UNIX/Linux hashes are stored in the ___ file.
/etc/shadow
27
NORMAL PROGRAM EXECUTION: | ___ - When a program needs to perform a specific procedure, the program's main routine calls out to a subroutine.
Function Call
28
PORT 80
HTTP | TCP
29
The ___ program is the purpose of the exploit. It gets execution from the NOP sled and provides access to interact with the OS across the network.
Payload
30
___ is available in most Unix/Linux variations and can perform zone transfers. ___ takes IP addresses or server names as arguments.
dig
31
PORT 135
RPC | TCP
32
United States Code (USC) | Title 18 ___ - Fraud and Related Activity in Connection with Computers.
Title 18 USC 1030
33
___ uses UDP by default for traceroutes.
UNIX/Linux
34
METERPRETER COMMANDS: | ___ - List running processes.
ps
35
Common tools for online password cracking include: ___ and ___.
THC Hydra | L0phtCrack
36
PORT 138
NetBios Datagram | UDP
37
PORT 3306
MYSQL | TCP
38
The ___ parameter is set to the target IP address where the payload is running (these options may change when using tunnels).
RHOST
39
Three types of traceroute are:
ICMP, UDP, TCP
40
___ includes activities taken to minimize the exploitation footprint in a target network, discovering and documenting information about targets of interest, and remaining undetectable by using obfuscation techniques.
Tradecraft
41
SCANLINE Options:
  -n = ___
  -b = ___
  -p = ___
  -t = ___
  -u = ___
  -z = ___
  -? = ___
SCANLINE Options:
  -n = No port scanning
  -b = Get port banners
  -p = Do not ping before scanning
  -t = TCP ports to scan
  -u = UDP ports to scan
  -z = Randomize IP and port scan order
  -? = Help
42
United States Code (USC) | Title 18 ___ - Fraud and Related Activity in Connection with Access Devices.
Title 18 USC 1029
43
METERPRETER COMMANDS: | ___ - Displays target system information.
sysinfo
44
Metasploit Module Categories: | ___ - Contains code that exploits run on targets, such as command shell access.
Payloads
45
A small assembly program called ___ makes up the payload.
shellcode
46
Ports: | 6667 = ___
Linux
47
___ is an extremely versatile tool designed for network and password auditing. Uses dictionary and brute force BUT also uses cryptanalysis attacks to break hashing schemes.
Cain and Abel
48
The ___ modernised US cybercrime legislation and mandates life sentences for offenders who knowingly or recklessly cause or attempt to cause the death of others by attacking transportation systems, power companies, or other public services or utilities.
Cyber Security Enhancement Act of 2002
49
Metasploit Module Categories: | ___ - Contains advanced scanners and server modules.
Auxiliary
50
PORT 111
SunRPC PORTMAPPER | TCP
51
NETCAT Options: | __ = No DNS resolution
-n
52
___ is an offline password cracker. Its primary configuration file is located at /etc/john.conf.
John the Ripper
53
TIMING: | __ - __ = Default scanning method. Runs as quickly as possible without overloading.
3 - Normal
54
PORT 443
HTTPS | TCP
55
PORT 25
SMTP | TCP
56
NETCAT Options: | __ = Specifies port to listen on (TCP by default)
-p
57
METERPRETER COMMANDS: | ___ - List out files or contents of a directory.
ls
58
Ports: | 88, 389, and 445 = ___
2K3
59
Syntax for Nmap
nmap
60
FILE PLACEMENT: | ___ - places files onto target. Useful for putting tools or modified log files onto the target filesystem.
upload
61
Metasploit Commands: | ___ - Set exploit parameters.
set
62
WINDOWS HASH: | ___ - A weak symmetric algorithm. Passwords are limited to 14 characters (A-Z, 0-9, 36 unique characters).
LAN Manager (LM) Hash
63
PAYLOAD TYPES: | ___ - Creates a connection (callback) back to the attacker. Firewalls often allow this connection.
Reverse TCP
64
PORT 20/21
FTP | TCP
65
PAYLOAD TYPES: ___ - Self contained and standalone. Exploit delivers a payload in one shot. Most ___ are functional remote shells that offer the ability to run commands on the target system.
Single
66
Metasploit Module Categories: | ___ - Contains modules to use after target access.
Post
67
NETCAT Options: | __ = Conducts UDP port scan
-u
68
FILE COLLECTION: | ___ - enables retrieving target files or directories of interest.
download
69
PORT 88
KERBEROS | TCP
70
Common tools for offline password cracking include: ___ and ___.
John the Ripper | Cain and Abel
71
Military members may use active exploitation techniques and tools in support of __ or ___ missions.
USCYBERCOM Cyberspace Operations (CO) or NSA/CSS Computer Network Exploitation (CNE)
72
Syntax for Timing
nmap -T <0-5>
73
2 ways to use a Handler: | ___ - During masquerades, or when connecting to a backdoor, a handler can be started by itself to connect to the target. Command used is: use multi/handler
Manual
74
WINDOWS HASH: | ___ - Part of the SID that uniquely identifies an account (group).
Relative ID (RID)
75
TIMING: | __ - __ = Reduces network load to prevent crashing systems. 4 second wait between sending.
2 - Polite
76
TIMING: | __ - __ = Scans very slowly to avoid IDS detection. 5 minutes between sending.
0 - Paranoid
77
Metasploit Commands: | ___ - Load a specific exploit module.
use
78
Upon execution, John the Ripper (JtR) deploys a (1)___ file where it stores successfully cracked passwords. By default, it is stored in (2)___.
pot | /root/.john/john.pot
79
METERPRETER COMMANDS: | ___ - Display current working directory on target.
pwd
80
OS: UNIX Example: Solaris TTL: ___
TTL = 255
81
Ports: | 135 and 5000 = ___
WinXP
82
PORT 161/162
SNMP | UDP
83
HOST DISCOVERY: | ___ = ICMP Timestamp uses an ICMP Timestamp Request (type 13) packet to find listening hosts.
-PP
84
METERPRETER COMMANDS: | ___ - Displays system ARP cache.
arp
85
Syntax for Ping Sweep
nmap -sn -PI
  -sn = ping sweep scan
  -PI = ICMP echo request
86
___ - A memory address used to overwrite the Return Address memory slot.
Return Pointer
87
Domain controllers store the domain user hashes in the ___ file.
NTDS.DIT (NT Directory Services Directory Information Tree)
88
Method: hashdump | Platform: Meterpreter | Description: Allocates memory space in LSASS.exe to load assembly code that ___.
retrieves account hashes from memory.
89
HOST DISCOVERY: | ___ = ICMP Echo is an option that uses an ICMP Echo (Request) packet.
-PI
90
PORT 23
Telnet | TCP
91
John the Ripper; 3 modes of operation: ___ ___ ___
Single Wordlist Incremental
92
The ___ parameter is set to the listening port of the payload (these options may change when using tunnels).
LPORT
93
___ - The application dynamically allocates heap memory at run-time, so memory locations for functions will not be static. Exploitation occurs by corrupting the program data at specific points in the process to cause the application to overwrite memory addresses or functions.
Heap Buffer Overflow
94
OS: Cisco Example: 12.0 TTL: ___
TTL = 255
95
___ queries information using the domain name or IP address. Output can vary based on the request submitted. Used in Windows.
Nslookup
96
Heap Buffer Overflow usually requires a ___ to gain control of execution.
Heap Spray
97
Ports: | 111 = ___
Solaris
98
Metasploit Module Categories: | ___ - Used to alter payloads and avoid detection.
Encoders
99
OS: Windows Example: 2K, XP, 7 TTL: ___
TTL = 128
100
PORT 389
LDAP | TCP
101
PORT 69
TFTP | UDP
102
NORMAL PROGRAM EXECUTION: ___ - When the subroutine completes its work, the pointer jumps to the address stored in the stack frame's return address.
Return to Main
103
NETCAT Options: | __ = Execute command after connection
-e
104
Ports: | NOT 88, NOT 389, BUT 445 = ___
2K8
105
Metasploit Commands: | ___ - List out exploit module details.
info
106
PORT 137
NetBios Name | UDP
107
___ - The assembly opcode 0x90 that tells the processor to execute nothing, just move the Instruction Pointer forward.
No Operation (NOP) Sled
108
METERPRETER COMMANDS: | ___ - Display Meterpreter help menu and available commands.
help
109
TIMING: | __ - __ = Adds a 5 minute timeout per host and never waits more than 1.25 seconds for probe response.
4 - Aggressive
110
There are 2 categories of password cracking: ___ and ___.
Online | Offline
111
METERPRETER COMMANDS: | ___ - Display/modify routing table information.
route
112
HOST DISCOVERY: ___ = TCP ACK Ping to determine what hosts are up. Sends TCP ACK packets to port 80 on target networks/hosts and waits for response.
-PT
113
___ OS Fingerprinting does not involve sending packets to the target network; instead, it involves monitoring network traffic to determine the OS in use.
Passive OS Fingerprinting
114
2 ways to use a Handler: | ___ - Connects to the shellcode payload that exploit started in the target machine.
Automatic
115
___ uses ICMP by default for traceroutes.
Windows
116
METERPRETER COMMANDS: | ___ - Displays process ID for running Meterpreter payload.
getpid
117
Metasploit Commands: | ___ - Display any modules related to the key term used.
search
118
The 3 primary methods of collecting credentials are: ___, ___, and ___.
Password Cracking Memory Injection Open Source Research
119
Analysts build ___ and ___ by documenting target information.
Target Templates and Network Maps
120
PORT 22
SSH | TCP
121
PORT 139
NetBios (SMB) Session | TCP
122
Syntax for Scanline
sl -b -t
123
PORT SCAN TYPES:
  -sT = ___
  -sS = ___
  -sA = ___
  -sF = ___
  -sN = ___
  -sX = ___
  -sU = ___
PORT SCAN TYPES:
  -sT = TCP Connect Scan
  -sS = SYN Stealth Scan
  -sA = ACK Stealth Scan
  -sF = FIN Stealth Scan
  -sN = TCP Null Scan
  -sX = TCP Xmas Tree Scan
  -sU = UDP Scan
124
___ - Triggers the vulnerability in a service. ___ is the Delivery mechanism that connects to a service and performs the buffer overflow by writing a Return Pointer, a NOP Sled, and a Payload in the target process' memory.
Exploit code
125
NETCAT Options: | __ = Enables listening mode
-l
126
___ - Technique that employs the use of credentials to gain access to a service and involves impersonating a user to log on (via ssh, telnet, rdp, etc.).
Masquerade
127
PORT 79
Finger | TCP
128
NETCAT Options: | __ = Directs netcat to scan the selected ports in a random fashion
-r
129
SCAN EXTENSIONS: | ___ = Port Specification. Nmap only scans the ports specified here. This helps limit the number of scanned ports.
-p
130
The ___ phase of the Active Exploitation Methodology takes advantage of data accumulated during the Information Gathering phase to interact directly with target networks.
Scanning and Enumeration phase
131
Metasploit Commands: | ___ - Display the payloads compatible with the exploit.
show payloads
132
Metasploit Module Categories: | ___ - Contains service-side and client-side exploits.
Exploits
133
PORT 6667
Unreal IRC Daemon | TCP
134
NORMAL PROGRAM EXECUTION: ___ - Subroutines store temporary data (buffers) on the stack. Each time a subroutine runs, the required memory is allocated on the stack in a unit called a ___.
Stack Frame
135
___ OS Fingerprinting involves connecting to a target port and reviewing the resulting TCP packets sent as a response.
Active OS Fingerprinting
136
Anatomy of a ___:
DELIVERY - rely on authentication as a trusted user to put an executable payload file on the target system.
EXECUTION - an executable payload placed on the target's file system will require manual execution, from the command line or a scheduled job.
CONNECTION - a payload from a ___ requires a manual connection from the client program.
MASQUERADE
137
___ is a command line port scanner for Windows. ___ is known as a "take it with you" scanner due to the small size (20 KB) of its executable.
Scanline
138
Syntax for Banner Grabbing:
  Nmap = ___
  Telnet = ___
  Netcat = ___
Syntax for Banner Grabbing:
  Nmap = nmap -sV
  Telnet = telnet
  Netcat = nc -v
139
___ - Title 46 - Crimes, Chapter 815 - Computer-related Crimes, Section 6 - Offense Against Users of Computer, Computer Systems, Computer Networks, and Electronic Devices.
Florida Computer Crimes Act
140
METERPRETER COMMANDS: | ___ - Change directory on target.
cd
141
___ Enables script building to automate network scans. The ___ scripts can be run individually or as categories. Banner grabbing, SMB host discovery, and HTTP header are the most commonly used ___ scripts.
Nmap Scripting Engine (NSE)
142
TIMING: | __ - __ = Only suitable for very fast networks or where data loss is acceptable. Times out hosts in 75 seconds and waits only 0.3 seconds for probes.
5 - Insane
143
An ___ in Cyber Operations is a software tool, script, program, or technique that takes advantage of a vulnerable system to provide command executions.
Exploit
144
PORT 1433
MSSQL | TCP
145
The ___ is how Metasploit connects to a remote payload and is the command line interface used to access remote computers. ___ is the client software that connects to the backdoor payload program that is running on the target system after an exploit.
Handler
146
United States Code (USC) | ___ addresses Crime and Criminal Procedures; broken into different sections.
Title 18
147
The ___ provides structure and serves as a road map for analysts and operators.
Exploitation methodology
148
___ is an open source web scanner designed to perform tests against web servers to identify security problems. ___ looks for configuration files, potentially dangerous files, updates, and software versioning. Not stealthy, easily detectable.
Nikto
149
On Windows OS clients and servers, hashes are stored in the ___ file.
Security Accounts Manager (SAM)
150
PORT 514
SYSLOG | UDP
151
___ is a network scanning tool used for identification and enumeration of targets and vulnerable services by performing the following functions: Ping sweep to find targets, Port scans to identify open/closed ports, OS fingerprinting to determine OS on remote targets, and Banner grabbing to determine application version.
Nmap
152
___ is a staged payload that provides a command shell interface to an exploited target. It evades forensic detection by using in-memory DLL injection, which writes nothing to disk, and uses encryption for its network connection.
Meterpreter
153
Anatomy of a ___:
DELIVERY - Trigger a vulnerability in the target service, which allows us to write a payload program, called shellcode, into memory on the target.
EXECUTION - Execute the payload in the memory space of the target application.
CONNECTION - a client program that has been specifically designed to interact with payload programs will make a connection with the payload running on a target. ___ automatically start the client software.
CODE-BASED EXPLOIT
154
___ - Overwriting a local variable or data within the stack can change a program's behavior to an attacker's benefit. Overwriting the return address in a stack frame causes a jump to a specified address, where a NOP sled controls execution and passes it to a malicious payload program.
Stack Buffer Overflow
155
Metasploit Commands: | ___ - Display exploit and payload module parameters (RHOST, RPORT, LPORT).
show options
156
___ is an all-in-one centralized console that allows command line access to all options available in the Metasploit framework.
msfconsole
157
Windows: | Syntax for ping with record route.
ping -r -9
  -r = invokes record route option
  -9 = variable # (1-9) to indicate # of hops to record
158
METERPRETER COMMANDS: | ___ - Displays user Meterpreter is running as.
getuid
159
___ involves probing target networks to discover hosts, IP addresses, and running services.
Active Analysis
160
A ___ determines if an IP address range has live hosts (if hosts can respond to probes). Consists of ICMP echo (requests) sent to multiple hosts. Generally poor tradecraft unless scan is randomized and run slowly.
Ping Sweep
161
PAYLOAD TYPES: Staged systems: ___ - Sets up a TCP connection with the attacker's machine and reads the larger Stage payload into memory; is small enough to fit into the limited memory space available in the buffer overflow exploit.
Stager (s0)
162
United States Code (USC) Title 18 ___ - Wire and Electronic Communications Interception and Interception of Oral Communications. Interception and Disclosure of Wire, Oral, or Electronic Communications Prohibited.
Title 18 USC 2511
163
TIMING: | __ - __ = 15 second wait between sending.
1 - Sneaky
164
SCAN EXTENSIONS: ___ = Activates remote host identification via TCP/IP fingerprinting, using numerous techniques to detect the scanned OS. Scan results aid in the effort to determine the target OS type by comparing fingerprints from a database of known OS fingerprints (nmap-os-db).
-o