CEH Test1


Blind Hijacking

Occurs when an attacker blindly injects data into the communication stream without being able to tell whether the injection succeeded, because the attacker never sees the response.

Blind SQLi

Often used when error-based and union-based SQLi do not work. Relies on the response and behavior patterns of the server and can be classified as:
· Boolean-based: The attacker sends a SQL query and the result will vary based on whether the query is true or false.
· Time-based: The attacker sends a SQL query which makes the database wait before it can react. The attacker can tell from the time it takes whether the query is true or false.

services.msc

Opens Windows Services Manager.

ncpa.cpl

Opens the Network Connections in Control panel. ncpa = Network Control Panel Applet, cpl = Control Panel

DBMS-specific SQLi

Out-of-band SQLi (or DBMS-specific SQLi) is a much less common approach to attacking an SQL server. It relies on certain features of the SQL database being enabled; if those features aren't, the OOB attack won't succeed. OOB attacks involve submitting a DNS or HTTP query to the SQL server that contains an SQL statement. If successful, the OOB attack can escalate user privileges, transmit database contents, and generally do the same things other forms of SQLi attacks do.

EU Safe Harbor

Principles developed in order to prevent private organizations within the EU or US which store customer data from accidentally disclosing or losing personal information

SHA-1

Produces a 160-bit hash value and is used in DSS. Typically rendered in hex, 40 digits long.

NIST-800-53

Provides a catalog of security and privacy controls for all US federal information systems except those related to national security

Transport Layer

Provides data segmentation and the control necessary to reassemble these pieces into the various communication streams. Works in terms of ports. Primary responsibilities are:
· Tracking the individual communication between applications on the source and destination hosts;
· Segmenting data and managing each piece;
· Reassembling the segments into streams of application data;
· Identifying the different applications.

Registration Hijacking

Refers to the action of an attacker registering himself as the targeted VoIP user. If successful, incoming VoIP calls can be directed to the attacker.

nmap -F

Specifies that you wish to scan fewer ports than the default. The default is the 1000 most common ports and -F reduces this to the 100 most common.

iBoot exploit

Targets the boot loader. Allows user-level and iBoot-level access.

Bootrom exploit

Targets the boot ROM. Allows user-level access and iBoot-level access.

SHA-2

The SHA-2 family consists of six hash functions with digests (hash values) that are 224, 256, 384 or 512 bits long: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256. SHA-256 and SHA-512 are novel hash functions computed with 32-bit and 64-bit words, respectively.

-sT

The default TCP scan type when SYN scan is not an option. This is the case when a user does not have raw packet privileges or is scanning IPv6 networks. In this scan Nmap asks the underlying OS to establish a connection with the target machine and port by issuing the connect system call. This is the same high-level system call used by web browsers and P2P connections. Nmap uses this API to obtain status information on each connection attempt.

DNSSEC (Domain Name System Security Extension)

The most widely used cache poisoning prevention tool. Computers are able to confirm whether DNS responses are legitimate. It also has the ability to verify that a domain name does not exist at all, which can help prevent MITM attacks.

SYN/FIN Scanning using IP fragments

A scanning process that was developed to avoid false positives caused by packet filtering. The TCP header is split across several IP fragments to evade the packet filter.

Non-repudiation

The security principle of providing proof that a transaction occurred between identified parties. Repudiation occurs when one party in a transaction denies that the transaction took place.

SSL/TLS Renegotiation Vulnerability

The vulnerability is in the renegotiation feature, which allows one part of an encrypted connection to be controlled by one party and another part by a different party.

Common routing attacks

· Traffic redirection: enables the attacker to modify traffic in transit or sniff packets;
· Traffic sent to a routing black hole: the attacker can send specific routes to null0, effectively kicking IP addresses off the network;
· Router denial-of-service (DoS): attacking the routing process can crash the router or cause severe service degradation;
· Routing protocol DoS: similar to the attack previously described against a whole router, a routing protocol attack could be launched to stop the routing process from functioning properly;
· Unauthorized route prefix origination: this attack aims to introduce a new prefix into the routing table that shouldn't be there. The attacker might do this to get a covert attack network to be routable throughout the victim network.

What are the two main conditions for a digital signature?

Unforgeable and authentic

Access Gateway

Used to bridge the gap in IoT architecture between two endpoints, such as a device and a client. It also carries out message routing, message identification and subscribing. For example, the device that connects IoT sensors to the network.

-sM

Uses the TCP Maimon Scan. The attacker sends a SYN packet to the target system, just like in a regular TCP SYN scan. If the target system responds with a SYN-ACK packet, it means the port is open, and the attacker can establish a connection. However, instead of completing the handshake by sending an ACK packet, the attacker sends a RST packet, which terminates the connection. This prevents the target system from logging the connection attempt. If the target system responds with a RST packet, it means the port is closed, and the attacker moves on to the next port. If the target system does not respond at all, it means the port is filtered, and the attacker can move on to the next port.

Boot Sector Viruses

When the computer boots, the virus moves the MBR to another location on the hard disk and copies itself to the original location of the MBR.

Unicode evasion

Unicode is an encoding in which each character has a unique value regardless of the platform, program, or language. For example, an attacker may evade an IDS by using the Unicode character c1 to represent a slash in a Web page request.

CRLF Injection

Which of the following web application attacks injects the special character elements "Carriage Return" and "Line Feed" into the user's input to trick the web server, web application, or user into believing that the current object is terminated and a new object has been initiated?

Metasploit Payload Module

While using an exploit against a vulnerable machine, a payload is generally attached to the exploit before its execution.

nmap -sX

Xmas scan (-sX) Sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree.

Which Google search operator allows restricting results to those from a specific website?

[site:]

Pretexting

A form of social engineering in which one individual lies to obtain confidential data about another individual. Usually the attackers create a fake identity and use it to manipulate the target.

Boot.ini

A text file that contains the boot options for computers with BIOS firmware running an NT-based operating system prior to Windows Vista. Located at the root of the system partition.

Insertion Attack

The attacker sends packets whose time-to-live (TTL) fields are crafted to reach the IDS but not the target computer. This results in the IDS and the target system seeing two different character strings. The attacker confronts the IDS with a stream of one-character packets (the attacker-originated data stream), in which one of the characters (the letter "X") will be accepted only by the IDS. As a result, the IDS and the end system reconstruct two different strings.

Returns the most recent cached version of a web page (providing the page is indexed, of course).

cache:

What command launches the computer management console from "Run" as a windows local admin?

compmgmt.msc

Find pages with a certain word (or words) in the URL. For this example, any results containing the word "apple" in the URL will be returned.

inurl:

RST Hijacking

Involves injecting an authentic-looking reset (RST) packet using a spoofed source address and predicting the acknowledgment number.

Find pages linking to a specific domain or URL. Google killed this operator in 2017, but it does still show some results—they likely aren't particularly accurate though.

link:

You managed to compromise a server with an IP address of 10.10.0.5, and you want to quickly get a list of all the machines in this network. Which of the following Nmap commands will you need?

nmap -T4 -F 10.10.0.0/24
This high -T value sacrifices stealth for speed, but what really makes this correct is the -F (Fast (limited port) scan) option, which scans the most common 100 ports instead of 1000.

What Nmap command allows you to most reduce the probability of detection by an IDS when scanning common ports?

nmap -sT -O -T0
Nmap offers a simple approach, with six timing templates. You can specify them with the -T option and their number (0-5) or their name. The template names are paranoid (0), sneaky (1), polite (2), normal (3), aggressive (4), and insane (5). The first two are for IDS evasion. Polite mode slows down the scan to use less bandwidth and target machine resources. Normal mode is the default, so -T3 does nothing. Aggressive mode speeds scans up by making the assumption that you are on a reasonably fast and reliable network. Finally, insane mode assumes that you are on an extraordinarily fast network or are willing to sacrifice some accuracy for speed. The trick here is to choose the slowest scan to avoid detection.

gpedit.msc

The Group Policy Editor is a configuration manager for Windows which makes it easier to configure Windows settings. Instead of going through the Windows Registry, the user can configure different aspects of the Windows operating system through the Group Policy Editor.

POODLE

Stands for "Padding Oracle On Downgraded Legacy Encryption". A man-in-the-middle exploit which takes advantage of Internet and security software clients' fallback to SSL 3.0. If attackers successfully exploit this vulnerability, on average they only need to make 256 SSL 3.0 requests to reveal one byte of encrypted messages.

nmap -oG

-oG <filespec> (grepable output). A simple format that lists each host on one line and can be trivially searched and parsed with standard Unix tools such as grep, awk, cut, sed, diff, and Perl.

What does the flag "-oX" mean in an Nmap scan?

-oX <filespec>: Requests that XML output be directed to the given filename.

IoT Layers

1st. Sensor-connected IoT devices
2nd. IoT gateway devices
3rd. Cloud
4th. Analytics (raw data is converted into actionable business insights)

802.11b

2.4 GHz, 11 Mbps

802.11g

2.4 GHz, 54 Mbps

802.11a

5 GHz, 54 Mbps

RSA

A cipher based on the difficulty of factoring the product of two large prime numbers. One of the oldest public-key cryptosystems.

SHA-1

A cryptographic hash function which takes an input and produces a 160-bit (20-byte) hash value known as a message digest, typically rendered as a hexadecimal number 40 digits long. It was designed by the United States National Security Agency and is a U.S. Federal Information Processing Standard.

Tcpdump

A data-network packet analyzer computer program that runs under a command-line interface.

Wireshark

A free and open-source packet analyzer. Used for network troubleshooting, analysis, software and communications protocol development, and education. Presents data in hexadecimal in the packet bytes pane.

John the Ripper

A free password cracking software tool.

Concolic testing

A hybrid software verification technique that performs symbolic execution, a classical technique that treats program variables as symbolic variables, along a concrete execution path.

Kismet

A network detector, packet sniffer, and IDS for 802.11 WLANs. Works with any wireless card that supports raw monitoring mode.

Aircrack-ng

A network software suite consisting of a detector, packet sniffer, WEP and WPA/WPA2-PSK cracker and analysis tool for 802.11 wireless LANs.

Cain and Abel

A password recovery tool for Microsoft Windows. Can recover passwords with methods such as packet sniffing, cracking password hashes with dictionary attacks, brute force, or cryptanalysis.

Reverse Social Engineering

A person-to-person attack in which an attacker convinces the target that he or she has a problem, or might have a certain problem in the future, and that he, the attacker, is ready to help solve the problem.

Hosts File

A plaintext file configured on a client machine containing a list of IP addresses and their associated host names, which can be used for host name resolution as an alternative to DNS.

ACK Scanning

A port scanning technique. The attacker sends a series of TCP packets with the ACK flag set to the target system without setting the SYN flag. This causes the target system to send a response to the attacker with either an RST (reset) flag or no response at all, depending on whether the target port is open or closed. Can also be used to determine whether the port is filtered or unfiltered.

Nessus

A program for automatically searching for known flaws in the protection of information systems. It is able to detect the most common types of vulnerabilities, such as configuration errors or default/weak passwords.

Palantir

A public American software company that specializes in big data analytics.

Heartbleed bug

A security bug in the OpenSSL cryptography library, which is a widely used implementation of the TLS protocol. Exploited through improper input validation. The vulnerability is classified as a buffer over-read.

Describe a software firewall

A software firewall is placed between the normal application and the networking components of the OS and regulates data traffic through two things: port numbers and applications.

Maltego

A software used for open-source intelligence and forensics. Maltego focuses on providing a library of transforms for discovery of data from open sources and visualizing that information in a graph format suitable for link analysis and data mining. Maltego permits creating custom entities, allowing it to represent any type of information in addition to the basic entity types which are part of the software. The basic focus of the application is analyzing real-world relationships (Social Networks, OSINT APIs, Self-hosted Private Data and Computer Networks Nodes) between people, groups, Webpages, domains, networks, internet infrastructure, and social media affiliations.

RC5

A symmetric-key block cipher notable for its simplicity.

Source Routing

A technique that allows a sender of a packet to specify the route that the packet should take.

HTTP Get/Post (HTTP Flood)

A type of DDoS attack where the attacker sends unwanted HTTP GET and POST requests in order to attack a web server or application. Often uses a botnet.

TCP/IP hijacking

A type of Man-in-the-Middle attack where an attacker is able to view the packets of the network participants and send their own packets to the network. The attacker takes advantage of the TCP connection establishment features; the attack can be carried out during the "triple handshake" and after the connection is established.

Slowloris

A type of denial of service attack tool which allows a single machine to take down another machine's web server with minimal bandwidth and minimal side effects on unrelated services and ports. Slowloris opens connections to the target web server by sending partial HTTP requests.

Userland Exploit

A type of jailbreaking which allows user-level access but does not allow iBoot-level access.

Cross-Site Scripting (XSS)

A web application vulnerability that permits an attacker to inject code (typically HTML or JavaScript) into an outside website's contents. When a victim views an infected page on the website, the victim's browser executes the injected code. Consequently, the attacker has bypassed the browser's same-origin policy and can steal private information from a victim associated with the website.

Calculating ALE

AV = Asset Value
EF = Exposure Factor
SLE = AV * EF
ARO = Annual Rate of Occurrence
ALE = SLE * ARO

Wrapping Attacks

Aim at injecting a faked element into the message structure so that a valid signature covers the unmodified element while the faked one is processed by the application logic. As a result, the attacker can perform an arbitrary Web Service request while authenticating as a legitimate user.

Shellshock

Also known as Bashdoor, a security bug in the Unix Bash shell. Shellshock could enable an attacker to cause Bash to execute arbitrary commands and gain unauthorized access to many Internet-facing services, such as web servers, that use Bash to process requests.

Reflected XSS attacks

Also known as non-persistent attacks, occur when a malicious script is reflected off of a web application to the victim's browser. The script is activated through a link, which sends a request to a website with a vulnerability that enables malicious scripts' execution. The vulnerability is typically a result of incoming requests not being sufficiently sanitized. The link is often placed in an email or in the comment section of a website.

SOAP (Simple Object Access Protocol)

An XML-based web services protocol that is used to exchange messages.

Internet Relay Chat (IRC)

An application layer protocol that facilitates communication in text. Works on a client/server networking model.

Cloudborne

An attack scenario affecting various providers. In this scenario attackers implant persistent backdoors for data theft into bare-metal cloud servers, which remain intact as the cloud infrastructure moves from customer to customer.

Fuzz testing

An automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program.

The firewall prevents packets from entering the organization through certain ports and applications. What does this firewall check?

Application layer headers and transport layer port numbers.

Metasploit Exploit Module

Pieces of code within the Metasploit database that, when run against a victim computer, attempt to leverage a vulnerability on the local or remote system and deliver a payload module such as the Meterpreter shell.

According to the Payment Card Industry Data Security Standard, when is it necessary to conduct external and internal penetration testing?

At least once a year and after any significant upgrade or modification

Web Parameter Tampering

An attack based on manipulating parameters exchanged between client and server to modify application data such as user credentials and permissions, price and quantity.

Error-based SQLi

The attacker intentionally triggers an error to generate an error message and learn more about the database used.

Compound SQLi

Attacks that involve using SQLi alongside cross-site scripting, denial of service, DNS hijacking, or insufficient authentication attacks.

Low-bandwidth attacks

Attacks which are spread out across a long period of time or a large number of source IPs, such as Nmap's slow scan, can be difficult to pick out of the background of benign traffic. For example, an online password cracker that tests one password for each user every day will look nearly identical to a normal user mistyping their password.

IPID Scanning

Also called Idle Scan. Takes advantage of the predictable identification field value in the IP header.

Union SQLi

Can be used when an application is vulnerable to SQL injection and the results of the query are returned in the application's responses. The UNION keyword lets you execute one or more additional SELECT queries and append the results to the original query.

-sS

Command-line flag to set a stealth scan for Nmap. Referred to as a TCP SYN scan. Sends a SYN packet to the target system's specified port. If the system responds with SYN-ACK, Nmap replies with a RST to abort the connection and marks the port as open. If the target responds with a RST, Nmap marks the port as closed.
Example: nmap -sS -p 1-100 -v 192.168.1.1 (-v is for verbose output)

IPsec

Connections include the following steps:
· Key exchange: Keys are necessary for encryption; a key is a string of random characters that can be used to "lock" (encrypt) and "unlock" (decrypt) messages. IPsec sets up keys with a key exchange between the connected devices so that each device can decrypt the other device's messages.
· Packet headers and trailers: All data sent over a network is broken down into smaller pieces called packets. Packets contain both a payload, the actual data being sent, and headers, information about that data so that computers receiving the packets know what to do with them. IPsec adds several headers to data packets containing authentication and encryption information. IPsec also adds trailers, which go after each packet's payload instead of before.
· Authentication: IPsec provides authentication for each packet, like a stamp of authenticity on a collectible item. This ensures that packets are from a trusted source and not an attacker.
· Encryption: IPsec encrypts the payloads within each packet and each packet's IP header (unless transport mode is used instead of tunnel mode). This keeps data sent over IPsec secure and private.
· Transmission: Encrypted IPsec packets travel across one or more networks to their destination using a transport protocol. At this stage, IPsec traffic differs from regular IP traffic in that it most often uses UDP as its transport protocol rather than TCP. TCP, the Transmission Control Protocol, sets up dedicated connections between devices and ensures that all packets arrive. UDP, the User Datagram Protocol, does not set up these dedicated connections. IPsec uses UDP because this allows IPsec packets to get through firewalls.
· Decryption: At the other end of the communication, the packets are decrypted, and applications (e.g., a browser) can now use the delivered data.

COBIT

Control Objectives for Information and Related Technology. The framework defines a set of generic processes for the management of IT, with each process defined together with process inputs and outputs, key process activities, process objectives, performance measures and an elementary maturity model.

Cookie Tampering

Cookies are files on a user's computer which allow a web application to store information that is subsequently used to identify returning users. Cookie tampering can be used for attacks such as session hijacking, where cookies with session identification information are stolen or modified by an attacker.

Jailbreaking

Defined as a process of installing a modified set of kernel patches that allows users to run third-party applications not signed by the OS vendor. Provides root-level access to the OS. Types of jailbreaking:
· Userland Exploit
· iBoot Exploit
· Bootrom Exploit

Metasploit Auxiliary Module

Do not require the use of a payload to run, unlike exploit modules. These modules include programs such as scanners, fuzzers, and SQL injection tools.

Spoofed Session Flood

Fake session attacks try to bypass security under the disguise of a valid TCP session by carrying a SYN, multiple ACKs, and one or more RST or FIN packets. Can bypass mechanisms that only monitor incoming traffic on the network.

FISMA

Federal Information Security Management Act. The act recognized the importance of information security to the economic and national security interests of the United States. The act requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.

Cloud-based detection

Identifies malware by collecting data from protected computers while analyzing it on the provider's infrastructure instead of locally. This is usually done by capturing the relevant details about the file and the context of its execution on the endpoint and providing them to the cloud engine for processing.

MD5

The MD5 message-digest algorithm is a widely used hash function producing a 128-bit hash value. Although MD5 was initially designed to be used as a cryptographic hash function, it has been found to suffer from extensive vulnerabilities. It can still be used as a checksum to verify data integrity, but only against unintentional corruption. It remains suitable for other non-cryptographic purposes, for example for determining the partition for a particular key in a partitioned database.

Metasploit

The Metasploit project is a computer security project that provides information about security vulnerabilities and aids in pen-testing and IDS signature development. The Metasploit framework is a sub-project and is a tool for developing and executing exploit code against a remote target machine.

-sU

Nmap flag to activate a UDP scan, which is skipped by default on most scans.
