Security+

  1. Polymorphic Malware
    Malware that avoids detection by changing its code signature
  2. Virus
    Malicious code that replicates itself by attaching itself to an executable. Requires host code to run. Boot sector and program viruses were the first two types
  3. Armored Virus
    Malware that is very difficult or impossible to reverse engineer, making it harder for antivirus software and security specialists to understand how it works
  4. Crypto Malware
    Encrypts files on a system making them unusable. Ransomware is a type of crypto malware. Usually automated.
  5. Ransomware
    Performs some action and extracts a ransom from the user (e.g. encrypting the files and requiring the user to purchase the key)
  6. Worm
    Code that tries to penetrate networks and systems. Can make copies of itself on new systems. Does not rely on other code to run. Does not rely on human interaction like viruses do
  7. Trojan
    Malware disguised as something else that the user would want to install. Stand-alone program that must be run by the user.
  8. Rootkit
    Modifies the OS to do something nonstandard. Originally allowed programmers to have greater control over the operating system. Avoids detection by subverting security functions of the OS. Can add vulnerabilities. 5 types: firmware (e.g. video cards), virtual (loads before the OS), kernel, library, and application
  9. 5 Types of Rootkit
    • Firmware
    • Virtual
    • Kernel
    • Library
    • Application
  10. Keylogger
    Logs all keystrokes. A keylogger is malicious when it is unknown to the user and not under the user's control, and is used against the user's interests. Can obtain passwords and other info.
  11. Adware
    Software supported by advertisement. Can also be malware that presents unwanted ads, e.g. popups
  12. Spyware
    Spies on users; can record keystrokes and clicks and monitor how a user uses software
  13. Bots
    A functioning piece of software that performs some task under the control of another program
  14. Botnet
    A group of bots. They can be used for anything from spam to fraud to spyware. Can use the victims' resources to do things like mine bitcoins.
  15. RAT
    Remote Access Trojan. Designed to provide covert surveillance and/or the capability to gain unauthorized access to a target system. Mimics the behavior of keyloggers or packet sniffers, using automated collection of keystrokes, usernames, passwords, etc. Usually used by more advanced actors. It is not just a program; it has an operator behind it.
  16. Logic Bomb
    Deliberately installed software, usually by an authorized user. Sits dormant for some time until some event or date invokes the application program
  17. Backdoor
    Originally nothing more than methods developers used to ensure they could gain access to an application even if something were to happen to the normal methods. The problem is that these backdoors can be exploited by malicious users
  18. IOC
    Indicators of Compromise. Indications that a system has been compromised by unauthorized activity. Forensic artifacts are left behind in the system. IOCs act as breadcrumbs, providing clues that can help identify the presence of an attack.

    Examples:
    • Unusual outbound traffic
    • Anomalies in privileged user account activity
    • Geographical irregularities in network traffic
    • Account login red flags
    • Increase in database reads
    • Large number of requests for the same file
    • Unusual DNS requests
    • Unexpected patching of systems
    • Mobile device profile changes
    • Bundles of data in the wrong place
    • Web traffic with non-human behavior
    • Signs of DDoS
  19. IOC Programs
    YARA can take IOCs, scan the system and determine whether a specific threshold is met
  20. IOC Languages
    OpenIOC - open-source format developed by Mandiant

    STIX/TAXII/CybOX - MITRE-designed Structured Threat Information Expression, Trusted Automated Exchange of Indicator Information, and Cyber Observable Expression
  21. CIA of Security
    • Confidentiality
    • Integrity
    • Availability
  22. Social Engineering
    • Exploiting the social nature of people to gain access to systems they shouldn't have.
    • Familiarity/kindness to make it seem like you belong
    • Creating a hostile situation, then acting on the side of people who feel they've been mistreated
    • Body language: mirror movements, smile. Quid pro quo
  23. Phishing
    Attacker attempts to obtain sensitive information by masquerading as a trusted entity, e.g. to get usernames, passwords, credit card numbers, bank accounts. Bulk email or false sites
  24. Spear Phishing
    Phishing attack that targets a specific group with something in common, which makes it seem more plausible
  25. Whaling
    An attack targeting a high-value person such as a CEO or CFO. Custom built to increase the odds of the attack being successful. Spear phishing used against whales is crafted to appear as ordinary business for the target.
  26. Vishing
    Vishing is a variation of phishing that uses voice communication technology to obtain the information the attacker is seeking. Takes advantage of the trust that some people place in telephones. Users are unaware that attackers can spoof calls from legitimate entities using VoIP. Attackers establish a form of trust to obtain credit card info or commit identity theft.
  27. Tailgating (piggybacking)
    Following closely behind a person who has just used their own PIN or access card to gain physical access. Countermeasure: mantrap (a second door that doesn't open until the first one is closed)
  28. Impersonation
    Can be in person, over the phone or online. Attacker assumes a role that is recognized by the person being attacked. Uses the victim's biases against their better judgment about following procedures
  29. Third-Party Authorization
    Using previously obtained information about projects, deadlines, etc., the attacker arrives with 1) something the victim would see as normal or expect, 2) the guise of a project in trouble, or some situation where the attacker will be seen as helpful or as someone not to upset, and 3) a name drop of "Mr Big", who can't be reached. Seldom asks for anything that seems unreasonable or is unlikely to be shared
  30. Help Desk/Tech Support
    Calls to or from the help desk. An attacker can pose as an employee to get a password reset or some other info about a system. The social engineer can also pose as the help desk and call employees to get info from them that can be used later
  31. Contractors/Outside Parties
    People can pretend to be janitors or other contractors that staff aren't familiar with to gain access to areas they wouldn't otherwise have access to
  32. Online Attacks
    Impersonation can be employed online: social media scams, phishing attempts
  33. Dumpster Diving
    Going through the target's trash in hopes of finding valuable info. Can gather passwords, user info, or info useful in a social engineering attack. Companies should have policies on disposing of information
  34. Shoulder Surfing
    Directly observing an individual entering sensitive information. Looking over a shoulder at work, or using binoculars or something else.
  35. Hoax
    Can try to cause users to take some sort of action that weakens security (e.g. delete important files, modify security settings, etc.). Beware emails from unofficial sources that tell you to share tips or techniques
  36. Watering Hole Attack
    Attackers plant malware at sites that the target users are likely to frequent, infecting a legitimate website with malware. Complex and often backed by nation states and other high-resource attackers
  37. Why Social Engineering Works
    • Works on people's desire to be helpful
    • People seek to avoid confrontation
  38. Social Engineering - Authority
    • Use of authority to create an environment where one party feels at risk. Entices the target to act in a certain way by acting like an authority.
    • Best defense is to set policies with no exceptions
  39. Social Engineering - Intimidation
    Either subtle or through direct communication
  40. Social Engineering - Consensus
    Group-wide decision. Group negotiation that can be manipulated to achieve desired outcomes
  41. Scarcity
    By making something seem valued and/or in short supply, the attacker can cause a target to make a decision quickly without deliberation
  42. Familiarity
    People do things for people they like or feel connected to.
  43. Trust
    Having an understanding of how something will act under specific conditions. Can be used to shape the perceptions of the target so they trust the attacker
  44. Urgency
    Time can be manipulated to drive a sense of urgency and encourage shortcuts that can lead to opportunities for attackers to inject themselves into the process.
  45. DoS
    Denial of service attack. Exploits a known vulnerability in a specific application or operating system, or attacks weaknesses in protocols or services. Attempts to deny authorized access to information or systems.
  46. SYN Flooding
    Example of a DoS attack that takes advantage of TCP/IP. The usual TCP/IP three-way handshake goes:
    • SYN ->
    • <- SYN/ACK
    • -> ACK

    SYN flooding sends fake SYNs that can't be responded to. There will never be an ACK back in response to the SYN/ACK, since the SYN was sent from a fake IP. The target soon stops taking new connections
  47. DDoS
    DDoS is Distributed Denial of Service. Same goal as DoS, to deny access, but uses multiple attacking systems. Overwhelms the target with traffic from many systems. Uses a network of attack agents, which are usually compromised systems. Compromised systems are often called zombies
  48. Man in the Middle
    When an attacker is able to place himself in the middle of two communicating hosts by routing all communication to himself, the attacker can then modify or block traffic. Hard for the target host to counter.
  49. Buffer Overflow
    An input buffer used to hold program input is filled with data larger than the buffer can hold. Buffers typically inherit the level of privilege enjoyed by the program. Input validation protects against this
  50. Injection
    When user input is not validated, it can cause specific events to occur when the input is used, e.g. SQL, XML or LDAP injection
  51. XSS
    Cross Site Scripting - caused by weak validation. An attacker can include script in input and have it render as part of the web process
  52. Non-Persistent XSS attack
    Injected script is not persisted or stored but is immediately executed and passed back via the web server
  53. Persistent XSS attack
    The script is permanently stored on the web server or some back-end storage. This allows the script to be used against others who log in to the system
  54. DOM-based XSS attack
    Script is executed in the browser via the DOM rather than by the web server
  55. XSRF
    Cross Site Request Forgery - utilizes unintended behaviors that are proper but performed outside of authorized use: when one entity mistakenly performs an action on behalf of another. Used on sites that have an authenticated user; exploits the site's trust in a previous authentication event. Tricks the user's browser into sending an HTTP request to the target site. Can send hidden requests when sites don't require authentication on every request. Mitigations: limit authentication lifetimes and cookie expiration, header checking, or random XSRF tokens in form submissions
  56. Privilege Escalation
    Most attacks start with the privileges of an ordinary user. They exploit vulnerabilities that enable them to achieve root or admin level access. Existing privilege can be used to perform an act that lets you steal better credentials
  57. ARP Poisoning
    Address Resolution Protocol

    • ARP Request: Who has this IP?
    • ARP Reply: I have this IP address; my MAC address is ___
    • Reverse ARP Request (RARP): Who has this MAC address?
    • RARP Reply: I have that MAC address; my IP address is ___

    These messages are used with a device's ARP table, a form of short-term memory where these data elements reside. The commands are used as a simple form of lookup. When a machine sends an ARP request, the reply is entered into the tables of all devices that hear it, to facilitate efficient lookup of addresses. When a device gets an ARP reply, it automatically trusts it and updates the table. There is no mechanism to verify the truth of the data. An attacker can corrupt the ARP table and cause packets to be misrouted. Can be used for a man in the middle attack.
  58. Amplification
    Certain types of attacks are dependent on volume. Amplification is when an attacker uses a specific aspect of a protocol to achieve what a single machine can't, e.g. forging a ping request packet so the reply address is a specific machine; all responses then go to that one machine, with an amplified response
  59. DNS Poisoning
    DNS is used to convert a name to an IP address. DNS poisoning changes where a name resolves. Detected by knowing what the authoritative DNS entry should be and detecting when it changes without authorization. Using a VPN can change the DNS source, which may be desired or an attack. Sometimes nslookup will return a non-authoritative answer, usually meaning it came from a cache. A variant of DNS spoofing where an attacker changes a DNS record using one of many methods. The US is trying to make DNS records more secure
  60. Domain Hijacking
    Changing the registration of a domain name without the permission of its original registrant. The DNS system will spread the false domain location automatically.
  61. Man in the Browser
    The man-in-the-browser (MitB) is a variant of the man-in-the-middle attack. The first element is a malware attack that places a Trojan that can act as a proxy on the target machine. It changes browser behavior through helper objects or extensions. When a user connects to a URL, the malware recognizes if it is a targeted transaction and injects itself in the stream of communication, performing requests not authorized by the user after they log in
  62. Zero Day
    Uses a vulnerability for which there is no previous knowledge outside of the attacker, or at least not by the software vendor. They are critical because there is no known defense to the vulnerability itself, leaving only secondary security solutions such as catching subsequent hacker activity. Highly valued by attackers because they are a sure-fire way to attack a system. Hackers trade zero day vulnerabilities. Some governments also use zero day vulnerabilities
  63. Replay
    When an attacker captures a portion of a communication and then retransmits it at a later time; often used to try to circumvent authentication mechanisms. Best prevented with encryption, cryptographic authentication and time stamps.
  64. Pass the Hash
    Highly technical attack targeting the (Windows) authentication process by injecting a copy of the password hash directly into the system. Captures the hash used to authenticate a process, so the hacker does not need to know the password itself
  65. Hijacking
    Where the attacker hijacks a user's experience after the exchange of credentials, or in the background where the user is not aware of the attack process
  66. Clickjacking
    An attack against the design element of a user interface. Tricks a web browser into clicking something different from what the user perceives by means of malicious code in the webpage (e.g. a transparent overlay or a disguised rogue element, so the user thinks they are clicking on one thing but is really clicking the attacker's hidden code)
  67. Session Hijacking
    TCP/IP hijacking / session hijacking refers to the process of taking control of an already existing session between a client and a server. The advantage is that the attacker doesn't have to circumvent any authentication methods, since the user is already authenticated and has an established session. The attacker can usurp the session and carry on as if the attacker had authenticated. To prevent the user from noticing anything is wrong, the attacker can attack the user's system and perform a denial of service attack on it, taking it down so that the user and system will not notice the extra traffic. Usually used against web and telnet sessions. Sequence numbers also apply to session hijacking, since the hijacker will need to provide the correct sequence numbers to continue the session
  68. URL Hijacking
    Wide range of attacks that target the URL. If the URL is tampered with or altered, you can get different content than the intended content. The URL can be changed in ways ranging from malware manipulation to typo squatting to ad-based attacks that make the user think they are clicking the correct link
  69. Typo Squatting
    When a user mistypes a URL and an attacker's page appears instead, intending to deceive the user into thinking they are at the right URL. Also called URL hijacking, fake URL or brandjacking. Often used for phishing attacks, to plant malware, or to earn click-through revenue.
  70. Driver Manipulation
    Attacks that change drivers on a system, thus changing the behavior of the system. Driver signing helps prevent this issue
  71. Shimming
    Putting a layer of code between the driver and the OS. Allows flexibility and portability since it enables changes between different versions of the OS without modifying the original driver code. It can change driver behavior without changing the driver itself
  72. Refactoring
    Where an attacker can alter code while still maintaining its original functionality.
  73. Spoofing
    Making data look like it has come from a different source. TCP/IP makes friendly assumptions such as individuals who have access to the network layer would be privileged/trusted users. You can fill in the source with a different address than your own.
  74. MAC Spoofing
    Changing a MAC address to bypass security checks based on the MAC address. Works when return packets are routed by IP address and can be correctly linked to the spoofed MAC address. Not all MAC spoofing is an attack: small firewall routers usually have a MAC clone function by which they can clone a MAC address to appear transparent to other devices, such as the cable modem connection
  75. IP Address Spoofing
    Nothing prevents the originator of any IP packet from including a different IP address than their own. Can be spoofed for several different reasons
  76. Spoofing Trusted Relationships
    Takes advantage of a trusted relationship between two systems. An individual on one system might not be forced to go through authentication again. The system being impersonated could interfere with the attack, since it would receive an ACK for a request it never made. The attacker will often initially launch a DoS attack (such as SYN flooding) to take out the spoofed system while the trusted relationship is being exploited. The administrators may not even realize the attack occurred. Strictly limit trusted relationships between hosts
  77. Spoofing and Sequence Numbers
    The difficulty of spoofing depends on whether there is encryption and where the attacker is located relative to the target; e.g. inside a network it is easier to perform. Formulating the packets is more complicated for external attackers because a sequence number is associated with TCP packets. It is a 32-bit number established by the host that is incremented for each packet, since packets are not guaranteed to be received in order. In the TCP 3-way handshake, 2 sets of sequence numbers are created. The first system chooses the sequence number to send with the original SYN. The SYN/ACK sends an acknowledgement number back, which is the first number + 1. It also creates its own sequence number as well
  78. Replay (wireless)
    Wireless attack repeating info that was transmitted wirelessly. Use encryption to prevent this
  79. IV
    Initialization Vector used in wireless as a randomization element at the beginning of a connection. Attacks against it aim to determine the value thereby finding the repeating key sequence. Primary weakness in WEP since IV is sent in plaintext and the same key will ultimately be reused
  80. Evil Twin
    Attack against the wireless protocol via substitute hardware. Uses an access point owned by an attacker that looks like a better connection to users connecting to it. Attackers can then analyze traffic and perform man in the middle attacks
  81. Rogue AP
    Attacker can attempt to get clients to connect to it as if it were authorized, and then authenticate to the real AP. A simple way to have access to the network and the client's credentials. Can act as a man in the middle
  82. Jamming
    Denial of service that targets the radio spectrum. Can enable attachment to a rogue AP
  83. WPS
    WiFi Protected Setup - a security standard to provide users with an easy method of configuring wireless networks. Its Extensible Authentication Protocol messages are susceptible to a brute force attack. It can reveal the PIN/passphrase and allow unauthorized parties to gain access to the network
  84. Bluejacking
    Sending an unauthorized message to another Bluetooth device. The attacker has to be in close range and the target must be in discoverable mode.
  85. Bluesnarfing
    The attacker copies the victim's info from their device using Bluetooth. Requires devices to be discoverable, but not necessarily paired, since the attacker can brute force the device's 48-bit name.
  86. RFID
    Radio Frequency Identification tags. Use unique serialization. Several different forms, either active or passive: active tags have a power source, passive tags use the RF energy transmitted to them. Used as a means of ID over bar codes since they do not have to be visible. Often used in smart cards. Physical security is a challenge. They are used as ID, so the data needs to be confidential. Several standards for securing the data (ISO/IEC).

    Several types of attacks:
    • Against the chips and readers themselves
    • Against the communication channel between the device and the reader
    • Against the reader and the back-end system

    Replay and eavesdropping can be used
  87. NFC
    Near Field Communication - wireless technologies enabling devices to establish radio communication in close proximity. Now used between phones and payment systems
  88. Disassociation
    Wireless system attacks designed to disassociate a host from the access point and from the wireless network. Stem from the deauthentication frame used to remove unauthorized stations from a Wi-Fi access point. Due to the design, they can be implemented by anyone with the MAC address of the victim. They send a spoofed message to the access point, resulting in the disconnection of the victim machine. A type of DoS attack. Usually used in concert with another attack objective, like sniffing passwords or man in the middle
  89. Cryptographic attacks
    A category of attacks designed to take advantage of two weaknesses:
    • Lack of general understanding of encryption, leading people to trust it unfoundedly
    • Algorithmic weaknesses, which can often be overlooked by developers when implementing encryption
  90. Birthday
    A type of brute force attack that gets its name from the birthday paradox (the odds of two people having the same birthday is very high even at low numbers). This same phenomenon applies to passwords.
  91. Known Plaintext/Ciphertext
    If the attacker has the original plaintext and ciphertext for a message, they can determine the key used through brute force attempts targeting the key space. Difficult to mitigate, and some messages are particularly prone to the problem (e.g. German weather reports in WW2). Modern encryption algorithms have protection against this
  92. Password Choices
    Least technical. People are really bad at picking passwords in general, since easily available info is easy for them to remember. Standard formatting of usernames in an enterprise is another weakness.
  93. Rainbow Tables
    Precomputed hash values associated with passwords. Can change the search from a computational problem to a lookup problem, reducing the level of work needed to crack a password. Best defense is salted hashes, which increases the complexity of the problem, making the precomputing process not replicable between systems.
  94. Dictionary
    Password cracking program that uses a list of dictionary words to try to guess the password. Either single word or multiple words. Allow attacker to create various rules on how to combine words and substitute numbers for letters.
  95. Brute Force
    If the password is not found in the dictionary, the only way a password can be cracked is for the attacker to attempt a brute force attack, in which all possible password combinations are tried. Length of the password and size of the set of possible characters will affect the time the brute force will take. Can take place at two levels: on a system (e.g. a login prompt) or against a list of password hashes contained in a password file
  96. Online vs Offline Brute Force
    Online attacks tend to be easy to see by security monitoring and are limited by system response time and bandwidth. Offline attacks can be used to perform hash comparisons against a stolen password file. It is challenging to steal a password file, but if you do, you can use parallel computing to try a lot of passwords at high rates
  97. Hybrid Attack
    Uses all types of password attack methods, first trying dictionary and then moving on to brute force.
  98. Collision Attack
    Where two different inputs yield the same output of a hash function. By creating many versions of a digital file with subtle changes that are not visible to the user, and using the birthday attack to find a collision between any two of them, an attacker can create a file with changed visible content but an identical hash.
  99. Downgrade
    As part of TLS/SSL (Transport Layer Security / Secure Sockets Layer) there is a negotiation of the cipher suite to be used. It is done to enable the highest form of encryption that both server and browser can support. In a downgrade attack, the attacker takes advantage of the backward compatibility of browsers to downgrade security.
  100. Replay (Cryptographic)
    Replay a series of encrypted packets
  101. Weak Cryptographic Implementations
    Problem associated with backward compatibility (e.g. SSL has fallen to attackers, but sites will still use it instead of TLS)
  102. Types of Attacks
    • Social Engineering - attacks against people/users
    • Application/service attacks against specific types of components
    • Wireless attacks against the connection
    • Cryptographic attacks
  103. Protocol Analyzer
    Hardware or software that can be used to capture and analyze traffic passing over a communications channel, such as a network. The most common use is for the capture and examination of network traffic. Also called:
    • Packet Sniffer
    • Network Analyzer
    • Network Sniffer
    • Packet Analyzer
    • Sniffer

    Packet analyzers can capture any traffic, wired or wireless. Must have the capability to place a network interface in promiscuous mode, telling the interface to accept and process every packet it sees no matter where the destination is. Can be placed on a switch's SPAN or monitor port to see where traffic is going.

    E.g. Wireshark
  104. SPAN
    Switched Port ANalyzer usually associated with Cisco switches. Also called port mirroring or port monitoring. It has the ability to copy network traffic and forward it to a port designated for traffic capture and analysis. Used as a collection point for traffic given to a protocol analyzer or IDS/IPS
  105. Network Scanner
    • A tool designed to probe a network or systems for open ports, and therefore for machines on the network. It probes for open (or listening) ports and reports back to the user which ports are closed, which are filtered, and which are open. Capable of working on any IP network, OS and mobile platform because they are examining network connections. The most frequently used is Nmap (Network Mapper). Also called port scanners
    • Search for “live hosts on a network”.
    • Search for any open ports
    • Search for specific ports
    • Identify services on ports
    • Look for TCP/UDP services
  106. Port Status
    Open - they accept connections. If you can connect with a network scanner, the ports are not being filtered at the network level. Some ports may appear open but drop your connection immediately; this means the port is being filtered by a firewall

    Closed - when the scan target returns an RST packet

    Filtered - when an ICMP unreachable error is returned. This indicates the port is being filtered by a firewall or other device

    Additional types - Some network scanners attempt to further classify responses such as dropped, blocked, denied, timeout, and so on.
  107. Rogue System Detection
    Used to determine if unauthorized equipment is attached to a network. Rogue systems are unauthorized systems and fall outside of the enterprise operations umbrella, which adds risk. You can detect rogue systems with active scans of the network or passive scans via examination of packets
  108. Network Mapping
    Network mapping tools are another name for network scanners. Designed to create network diagrams of how machines are connected. Network scanners can do additional tasks, but mapping just identifies the nodes of a network and characterizes them as to OS, purpose, systems, etc.
  109. Wireless Scanners/Crackers
    Can be used to perform network analysis of the wireless side of your networks. Who is connecting to them? What are they accessing? Is everything in conformance with the security plan? You should actively pursue and answer these questions on a regular basis.

    Examples of wireless scanners:
    • Kismet
    • NetStumbler
    • Mini-Stumbler

    Cracking:
    • AirSnort
    • AirCrack
    • CoWPatty
  110. Password Cracker
    Used by hackers to find weak passwords. Can be used by sysadmins to make sure user passwords are secure. Work on dictionary and brute force methods.
  111. Vulnerability Scanner
    Designed to probe a system for weaknesses: misconfiguration, old versions of software, etc.
    3 main categories:
    • Network
    • Host
    • Application
  112. Network Vulnerability Scanner
    Will contain or use a port scanner for an initial assessment, then probe each system. Good for broad sweeps but generates a lot of traffic

    E.g. Nessus
  113. Host Vulnerability Scanners
    Designed to run on a specific host and look for vulnerabilities or misconfigurations. Tend to be more specialized than network vulnerability scanners because they are looking for issues associated with a specific operating system or set of operating systems.

    • E.g. Microsoft Baseline Security Analyzer (MBSA)
    • Typically run on the host itself.
  114. Application vulnerability scanners
    Designed to look for vulnerabilities in applications or certain types of applications. Some of the most specialized scanners, they look only for misconfigurations or vulnerabilities in a specific type of application. There are different types of scanners for different types of applications; some are specific to an application or to a type of application.

    Web-based application scanners are the most popular, since web applications are widely available and widely targeted.

    E.g. Acunetix WVS (Web Vulnerability Scanner)
  115. Configuration Compliance Scanner
    Automates configuration checks against the standard compliance format: SCAP (Security Content Automation Protocol).

    A wide variety of configuration compliance scanners can perform automated validation and management of information related to security configurations. Many use the first scan as a baseline for future checks
  116. Exploitation Frameworks
    Tool sets designed to assist hackers in the tasks associated with exploiting vulnerabilities. Exploitation usually involves multiple steps done in precise order to gain meaningful effect.

    E.g. Metasploit - a set of “tools” designed to assist a pen tester in carrying out steps needed to exploit a known vulnerability. Can be used to test how exploitable a system is based on existing vulnerabilities and security controls
  117. Data Sanitization Tools
    Used to destroy, purge, or target specific types of data that should be destroyed on systems. Before it is retired or disposed of, you need to sanitize the data on the system to be destroyed.

    Approaches:
    • Wipe the entire system storage on disk. Can use self-encrypting disks and then destroy the key.
    • Identify the sensitive data and only destroy that. E.g. using Identity Finder
  118. Steganography Tools
    Steganography is the science of hidden writing, specifically hiding messages in other content. In streaming media you can embed additional content in the file. If it is invisible to the typical user, then it is considered to be steganography. The same techniques are used to add visible or invisible watermarks to trace the lineage of documents and to see who leaks copies.
  119. Honeypot
    Server that is designed to act like the real server on a corporate network, but instead of having real data, its data is fake. They serve as traps for attackers since traffic can be assumed to be malicious. A honey net is a network that is a collection of honeypots.
  120. Backup Utilities
    Backs up data in case of loss. Backing up an enterprise raises issues of segregating data, scale, and management of backup files.
  121. Banner Grabbing
    A technique used to gather info from a service that publicizes information via a banner. Banners can be used to identify services by type, version, etc. They enable administrators to post information, including warnings, to users when they log in. Attackers can use banners to determine what services are running, and typically do so for common banner-issuing services such as HTTP, FTP, SMTP and Telnet. Orgs can guard against this by making banners less specific.
  122. ping
    The ping command sends echo requests to a designated machine to determine if communication is possible. The syntax is ping [options] targetname/address. The options include items such as name resolution, how many pings, data size, TTL counts, and more. Figure 7-6 shows a ping command on a Windows machine.
  123. netstat
    The netstat command is used to monitor network connections to and from a system. The following are some examples of how you can use netstat:
    • netstat -a  Lists all active connections and listening ports
    • netstat -at  Lists all active TCP connections
    • netstat -an  Lists all active UDP connections

    Many more options are available and useful. The netstat command is available on Windows and Linux, but availability of certain netstat command switches and other netstat command syntax may differ from operating system to operating system.
  124. netstat -a
    netstat -a  Lists all active connections and listening ports
  125. netstat -at
    netstat -at  Lists all active TCP connections
  126. netstat -an
    Lists all active UDP connections
  127. tracert
    The tracert command is a Windows command for tracing the route that packets take over the network. The tracert command provides a list of the hosts, switches, and routers in the order that a packet passes by them, providing a trace of the network route from source to target. As tracert uses ICMP, if ICMP is blocked, tracert will fail to provide information. On Linux and macOS systems, the command with similar functionality is traceroute.
  128. nslookup/dig
    The DNS system is used to convert a name into an IP address. There is not a single DNS system, but rather a hierarchy of DNS servers, from root servers on the backbone of the Internet, to copies at your ISP, your home router, and your local machine, each in the form of a DNS cache. To examine a DNS query for a specific address, you can use the nslookup command.

    At times, nslookup will return a nonauthoritative answer, as shown. This typically means the result is from a cache as opposed to a server that has an authoritative (that is, known to be current) answer, such as from a DNS server.

    While nslookup works on Windows systems, the command dig works on Linux systems. One difference is that dig is designed to return answers in a format that is easy to parse and include in scripts, a common trait of Linux command-line utilities.
  129. arp
    The arp command allows a system administrator to see and manipulate the ARP cache on a system. This way they can see if entries have been spoofed or if other problems, such as errors, occur.
  130. ipconfig/ip/ifconfig
    Both ipconfig (for Windows) and ifconfig (for Linux) are command-line tools to manipulate the network interfaces on a system. They have the ability to list the interfaces and connection parameters, alter parameters, and refresh/renew connections. If you are having network connection issues, this is one of the first tools you should use, to verify the network setup of the operating system and its interfaces. The ip command in Linux is used to show and manipulate routing, devices, policy routing, and tunnels.
  131. tcpdump
    The tcpdump utility is designed to analyze network packets either from a network connection or a recorded file. You also can use tcpdump to create files of packet captures, called pcap files, and perform filtering between input and output, making it a valuable tool to lessen data loads on other tools. For example, if you have a complete packet capture file that has hundreds of millions of records, but you are only interested in one server’s connections, you can make a copy of the pcap file containing only the packets associated with the server of interest. This file will be smaller and easier to analyze with other tools.
  132. nmap
    Nmap is a program developed by Gordon Lyon and has been the standard network mapping utility for Windows and Linux since 1999. The nmap command is the command-line command to launch and run the nmap utility.
  133. netcat
    Netcat is a network utility designed for Linux environments. It has been ported to Windows, but it is not regularly used in Windows environments. The actual command-line command to invoke netcat is nc -options -address.

    The netcat utility is the tool of choice in Linux for reading from and writing to network connections using TCP or UDP. Like all Linux command-line utilities, it is designed for scripts and automation. Netcat has a wide range of functions. It acts as a connection to the network and can act as a transmitter, or a receiver, and with redirection it can turn virtually any running process into a server. It can listen on a port and pipe the input it receives to the process identified.
  134. SECURE PROTOCOLS
    Protocols act as common language allowing different components to talk using a common, known set of commands. Secure protocols are those that have built-in security mechanisms, so that by default security can be enforced via the protocol. Many different protocols exist, all of which are used to achieve specific communication goals.
  135. DNSSEC
    The Domain Name Service (DNS) is a protocol for the translation of names into IP addresses. When users enter a name such as www.example.com, the DNS system converts this name into the actual numerical IP address. DNS records are also used for e-mail delivery. The DNS protocol uses UDP over port 53 for standard queries, although TCP can be used for large transfers such as zone transfers. DNS is a hierarchical system of servers, from local copies of records, up through Internet providers to root-level servers. DNS is one of the primary underlying protocols used on the Internet and is involved in almost all addressing lookups. The problem with DNS is that requests and replies are sent in plaintext and are subject to spoofing.

    DNSSEC (Domain Name System Security Extensions) is a set of extensions to the DNS protocol that, through the use of cryptography, enables origin authentication of DNS data, authenticated denial of existence, and data integrity, but does not extend to availability or confidentiality. DNSSEC records are signed so that all DNSSEC responses are authenticated but not encrypted. This prevents unauthorized DNS responses from being interpreted as correct. Authenticated denial of existence also allows a resolver to validate that a certain domain name does not exist.

    Data transfers over UDP 53 are size limited to 512 bytes, and DNSSEC packets can be larger. For this reason, DNSSEC typically uses TCP port 53 for its work. It is possible to extend UDP packet size to 4096 to cope with DNSSEC, and this is covered in RFC 2671.
  136. DNS Protocol type and port?
    UDP over port 53 for standard queries, but TCP can be used for large transfers (e.g. zone transfers)
  137. DNSSEC protocol and port?
    Data transfers over UDP 53 are size limited to 512 bytes, and DNSSEC packets can be larger. For this reason, DNSSEC typically uses TCP port 53 for its work. It is possible to extend UDP packet size to 4096 to cope with DNSSEC, and this is covered in RFC 2671.
  138. SSH
    The Secure Shell (SSH) protocol is an encrypted remote terminal connection program used for remote connections to a server. SSH uses asymmetric encryption but generally requires an independent source of trust with a server, such as manually receiving a server key, to operate. SSH uses TCP port 22 as its default port.

    SSH uses public-key cryptography for secure remote terminal access and was designed as a secure replacement for Telnet.
  139. SSH protocol and port default?
    TCP port 22
  140. S/MIME
    MIME (Multipurpose Internet Mail Extensions) is a standard for transmitting binary data via an e-mail. E-mails are sent as plaintext files, and any attachments need to be encoded so as to fit the plaintext format, and MIME specifies how this is done with base64 encoding. Because it is plaintext, there is no security associated with the attachments; they can be seen by any machine between sender and receiver. S/MIME (Secure/Multipurpose Internet Mail Extensions) is a standard for public key encryption and signing of MIME data in e-mails. S/MIME is designed to provide cryptographic protections to e-mails and is built into the majority of modern e-mail software to facilitate interoperability.
  141. SRTP
    The Secure Real-time Transport Protocol (SRTP) is a network protocol for securely delivering audio and video over IP networks. SRTP uses cryptography to provide encryption, message authentication and integrity, and replay protection to the RTP data.
  142. LDAPS
    LDAP is the primary protocol for transmitting directory information. Directory services may provide any organized set of records, often with a hierarchical structure, and are used in a wide variety of situations including Active Directory datasets. By default, Lightweight Directory Access Protocol (LDAP) traffic is transmitted insecurely. You can make LDAP traffic secure by using it with SSL/TLS, known as LDAP Secure (LDAPS). Commonly, LDAP is enabled over SSL/TLS by using a certificate from a trusted certificate authority (CA).

    LDAPS uses a TLS/SSL tunnel to connect LDAP services. Technically, this method was retired with LDAPv2, and replaced with Simple Authentication and Security Layer (SASL) in LDAPv3. SASL (which is not listed in the exam objectives) is a standard method of using TLS to secure services across the Internet.
  143. LDAPS Port & Protocol?
    • LDAPS communication occurs over port TCP 636.
    • LDAPS communication to a global catalog server occurs over TCP 3269.

    When connecting to ports 636 or 3269, SSL/TLS is negotiated before any LDAP traffic is exchanged.
  144. FTPS
    FTPS is the implementation of FTP over an SSL/TLS secured channel. This supports complete FTP compatibility, yet provides the encryption protections enabled by SSL/TLS. FTPS uses TCP ports 989 and 990.
  145. FTPS Ports and protocol?
    FTPS uses TCP ports 989 and 990.
  146. SFTP
    SFTP is the use of FTP over an SSH channel. This leverages the encryption protections of SSH to secure FTP transfers. Because of its reliance on SSH, it uses TCP port 22.
  147. SFTP Port and protocol
    SFTP is the use of FTP over an SSH channel. This leverages the encryption protections of SSH to secure FTP transfers. Because of its reliance on SSH, it uses TCP port 22.
  148. SNMPv3
    The Simple Network Management Protocol version 3 (SNMPv3) is a standard for managing devices on IP-based networks. SNMPv3 was developed specifically to address the security concerns and vulnerabilities of SNMPv1 and SNMPv2. SNMP is an application layer protocol, part of the IP suite of protocols, and can be used to manage and monitor devices, including network devices, computers, and other devices connected to the IP network. All versions of SNMP require ports 161 and 162 to be open on a firewall.
  149. SNMPv3 protocol and ports
    Requires firewall ports 161 and 162 to be open.
  150. SSL/TLS
    Secure Sockets Layer (SSL) is an application of encryption technology developed for transport-layer protocols across the Web. This protocol uses public key encryption methods to exchange a symmetric key for use in confidentiality and integrity protection as well as authentication. The current version, V3, is outdated, having been replaced by the IETF standard TLS. All versions of SSL have been deprecated due to security issues, and in the vast majority of commercial servers employing SSL/TLS, SSL has been retired. Because of the ubiquity of the usage of the term, the term SSL will last for quite a while, but in function, it is now done via TLS.
  151. TLS
    Transport Layer Security (TLS) is an IETF standard for the employment of encryption technology and replaces SSL. Using the same basic principles, TLS updates the mechanisms employed by SSL. Although sometimes referred to as SSL, it is a separate standard. The standard port for SSL and TLS is undefined, for it depends upon what the protocol that is being protected uses; for example, port 80 for HTTP becomes port 443 when it is for HTTPS.
  152. HTTP default port
    80
  153. HTTPS default port
    443
  154. Secure POP/IMAP
    Secure POP/IMAP, listed under exam objective 2.6, basically refers to POP3 and IMAP (respectively) over an SSL/TLS session. Secure POP3 utilizes TCP port 995 and Secure IMAP uses TCP port 993. Encrypted data from the e-mail client is sent to the e-mail server over an SSL/TLS session. With the deprecation of SSL, TLS is the preferred protocol today. If e-mail connections are started in nonsecure mode, the STARTTLS directive tells the clients to change to the secure ports. The other mail protocol, SMTP, uses port 25, and SSL/TLS encrypted SMTP uses port 465.
  155. Secure POP3 port and protocol
    TCP 995
  156. Secure IMAP port and protocol
    TCP 993
  157. SMTP Port
    25
  158. encrypted SMTP port
    465
  159. IMAP (non secure) port
    143
  160. POP (non secure) port
    port 110
Author: ShadowMirror
ID: 351153
Card Set: Security+
Description: CompTIA Security+
Updated