CompTIA Security+ (SY0-501) - Tools of the trade

What are some of the common Nmap switches?

-A, query for OS version -v, increase the "verbocity"

What switch would you add to dig to list all of the mail server (MX) servers for a domain?

-MX

What netstat command switch displays the executable file making the connection?

-b

APIPA addresses always start with ___________.

169.254

How many times does ping run in Windows?

4 times

network scanner

A computer program used to retrieve usernames and info on groups, shares, and services of networked computers.

Management Information Base (MIB)

A database used for managing the entities in a communication network.

Wireshark

A free and open source packet analyzer.

TShark

A network protocol analyzer. that lets you capture packet data from a live network, or read packets from a previously saved capture file, either printing a decoded form of those packets to the standard output or writing the packets to a file.

What are the two separate functions of a packet analyzer?

A packet sniffer that grabs the frames/packets, and the packet analyzer that looks at all the collected packets and analyzes them.

agent

A program that can gather information about a piece of hardware, organize it into predefined entries, and respond to queries using the SNMP protocol.

Simple Network Management Protocol (SNMP)

A set of protocols for network management and monitoring. These protocols are supported by many typical network devices such as routers, hubs, bridges, switches, servers, workstations, printers, modem racks and other network components and devices.

netcat (or nc)

A terminal program for Linux that enables you to make any type of connection and see the results from a command line.

protocol analyzer

A tool (hardware or software) used to capture and analyze signals and data traffic over a communication channel. Also called a packet analyzer.

tracert

A utility that records the route (the specific gateway computers at each hop) through the Internet between your computer and a specified destination computer.

Which tools can you (and hackers) use to open ports on your network? (Choose three.) A. Port scanner B. Nmap C. Angry IP Scanner D. hostname

A, B, C. The hostname command simply returns the host name of the local system. All other tools mentioned can scan ports to locate network vulnerabilities.

traps

Alert messages sent from a remote SNMP-enabled device to a central collector, the "SNMP manager".

Security Information and Event Management (SIEM)

An enterprise-level technology and infrastructure that collects data points from a network, including log files, traffic captures, SNMP messages, and so on, from every host on the network.

____________ is an important part of risk management simply because it provides a means to confirm that risk mitigations are in place and functioning.

Auditing

What does nslookup do? A. Retrieves the name space for the network B. Queries DNS for the IP address of the supplied host name C. Performs a reverse IP lookup D. Lists the current running network services on localhost

B. The nslookup command queries DNS and returns the IP address of the supplied host name.

Which tools are used explicitly to monitor and diagnose problems with DNS? A. Nmap or Wireshark B. nslookup or dig C. ping or pathping D. tracert or pathping

B. The nslookup tool and the more powerful dig tool are used to diagnose DNS problems.

Which tool enables you to query the functions of a DNS server? A. ipconfig B. nslookup C. ping D. xdns

B. The tool to use for querying DNS server functions is nslookup.

Your manager wants you to institute log management and analysis on a small group of workstations and servers that are not connected to the larger enterprise network for data sensitivity reasons. Based upon the level of routine usage and logging, you decide not to implement a management console but intend to examine each log separately on the individual hosts. What type of log management are you using in this scenario? A. Centralized log management B. Enterprise-level log management C. Decentralized log management D. Workgroup-level log management

C. In this scenario, you are using decentralized log management, since you are not using a centralized log management facility or console to collect all the applicable logs and review them in one place.

What command do you use to see the DNS cache on a Windows system? A. ping /showdns B. ipconfig /showdns C. ipconfig /displaydns D. ping /displaydns

C. To see the DNS cache on a Windows system, run the command ipconfig /displaydns at a command prompt.

What does Wireshark use to handle packet capture?

Capturing is handled by libpcap in Linux or WinPcap on Windows systems

dig

Command that is a Linux-based DNS querying tool. Works with the host's DNS settings.

How many times does ping run in Linux?

Continuously until you stop it.

One of your users calls you with a complaint that he can't reach the site www.google.com. You try and access the site and discover you can't connect either but you can ping the site with its IP address. What is the most probable culprit? A. The workgroup switch is down. B. Google is down. C. The gateway is down. D. The DNS server is down.

D. In this case, the DNS system is probably at fault. By pinging the site with its IP address, you have established that the site is up and your LAN and gateway are functioning properly.

The Windows tracert tool fails sometimes because many routers block ______ packets. A. ping B. TCP C. UDP D. ICMP

D. The Windows tracert tool fails because it relies on ICMP packets that routers commonly block.

Which of the following displays the correct syntax to eliminate the DNS cache? A. ipconfig B. ipconfig /all C. ipconfig /dns D. ipconfig /flushdns

D. The command ipconfig /flushdns eliminates the DNS cache.

What is Wireshark? A. Protocol analyzer B. Packet sniffer C. Packet analyzer D. All of the above

D. Wireshark can sniff and analyze all the network traffic that enters the computer's NIC.

Zenmap

GUI that enables you to enter Nmap commands and then provides some handy analysis tools.

socket

In Unix/Linux, an endpoint for connections.

real-time network monitoring

Involves protocol and traffic monitoring (also known as sniffing) using a protocol analyzer, so that the data may be collected and stored for later analysis.

centralized log management

Log files from different machines are automatically sent to a centralized logging facility or server, such as a syslog server, for example.

Nmap

Nmap (Network Mapper) is a security scanner, originally written by Gordon Lyon (also known by his pseudonym Fyodor Vaskovich), used to discover hosts and services on a computer network, thus building a "map" of the network.

What is a good way to verify you have a good DNS server?

Running ping using a DNS name.

Network scanners fit into what two categories?

Simple and powerful.

What protocol analyzer is used by Wireshark?

TShark

How does SNMP work?

The Simple Network Management Protocol (SNMP) enables proactive monitoring of network hosts in real time. Devices that use SNMP have a small piece of software known as an agent installed on them, and this agent can report certain types of data back to a centralized monitoring server. This agent is configured with a Management Information Base (MIB), which is a very specific set of configuration items tailored for the device. Using the MIB, the agent can relay very specific event information to a centralized console in real time.

auditing

The collective measures done to analyze, study and gather data about a network with the purpose of ascertaining its health in accordance with the network/organization requirements.

netstat

The go-to tool in Windows and Linux to get any information you might need on the host system's TCP and UDP connections, status of all open and listening ports, and a few other items such as the host's routing table.

reporting

The portion of network monitoring at which the administrator receives reports from the different data points from different audit trails and logs, from network intrusion detection systems, and so on, and correlates this data in a report that shows different types of trends or activities occurring on the network.

Dynamic Host Configuration Protocol (DHCP)

The standard protocol used for automatically allocating network addresses within a single broadcast domain.

nslookup

Tool, built into both Windows and Linux, that has one function: if you give nslookup a DNS server name or a DNS server's IP address, nslookup will query that DNS server and (assuming the DNS server is configured to respond) return incredibly detailed information about any DNS domain.

ARP spoofing

When a separate system uses the arp command to broadcast another host's IP address.

What command enables you to observe and administer the cache of mapped IP-to-Ethernet addresses for the local network?

arp

____________ is only for IPv4 addresses. IPv6 uses the ____________.

arp, Neighbor Discovery protocol

What are two common ways to achieve log management?

decentralized or centralized

What is the functional equivalent to ipconfig in Unix/Linux environments?

ifconfig

What are some examples of SNMP data collected for network monitoring?

intrusion detection/prevention system alerts, firewall alerts and logs, and real-time network monitoring

What linux command replaces ifconfig, doing many of the same tasks, such as viewing IP information on a system, checking status of network connections, managing routing, and starting or stopping an Ethernet interface?

ip

What command would you use on a linux system to see all the Ethernet and IP information for a system?

ip a

What is the Windows-only reporting utility that shows the current status of the network settings for a host system?

ipconfig

What utility do linux systems have for wireless communciations?

iwconfig

What command would you type to show all active connections between a host and other hosts?

netstat

What command would you use to see all listening ports?

netstat -a

What two tools used to diagnose DNS issues?

nslookup and dig

What utility takes advantage of the fact that by design all TCP/IP hosts respond to ICMP requests to verify a system is connected and is properly IP addressed?

ping

What type of monitoring enables a network administrator to receive alerts or alarms as the event is happening, giving them the time and resources to stop an attack or security issue actively and prevent damage to systems and data?

real-time monitoring

What is the Linux equivalent command to tracert?

traceroute

____________ is often a great way to determine the ISP just by looking at the router names.

tracert

What are some of the useful switches to use with ping?

• -a Resolve addresses to hostnames • -f Set Don't Fragment flag in packet (IPv4 only) • -4 Force using IPv4 • -6 Force using IPv6 • -t Force continuous ping in Windows.

What switches are useful with ipconfig?

• /all Exhaustive listing of virtually every IP and Ethernet setting • /release Releases the DHCP IP address lease. • /renew Renews the DHCP IP address lease • /flushdns Clears the host's DNS cache • /displaydns Displays the host's DNS cache

What are some examples of information that a network scanner might return?

• Topology • MAC addresses • IP addresses • Open ports • Protocol info on open ports • Operating systems