Ethical Hacking Chapter #1
reusability
Having access controls on predefined parameters can help increase the level of security. One user or program may not reuse or manipulate objects that another user or program is currently accessing, in order to prevent violation of security.
Active: modify the target system. Passive: violate the confidentiality of a system's data without affecting the state of that system.
How can attacks be classified?
TCP, ICMP, and IP; optimizes UDP scanning
How does Unicornscan handle port scanning?
Many security testers use the ____ tool to bypass filtering devices by injecting modified IP packets. a. Tcpdump b. Hping c. Nmap d. Nessus
Hping
The ____ tool enables you to craft an IP packet to your liking. a. Unicornscan b. Hping c. Nmap d. Ethereal
Hping
port 80
Hypertext Transfer Protocol (HTTP). Used when connecting to a Web server.
First byte is reserved for the network address; last three bytes are available for host computers. Supports more than 16 million host computers. Limited number of Class A networks; reserved for large corporations and governments. Format: network.node.node.node
IP addressing Class A consists of what?
Divided evenly: two-octet network address and two-octet host address. Supports more than 65,000 hosts. Assigned to large corporations and Internet Service Providers (ISPs). Format: network.network.node.node
IP addressing Class B consists of what?
Three-octet network address and one-octet host address. More than two million Class C addresses. Supports up to 254 host computers. Usually available for small business and home use. Format: network.network.network.node
IP addressing Class C consists of what?
Consists of four bytes; divided into two components: network address and host address
IP addressing consists of how many bytes, divided into how many components?
enables multiple users to communicate over the Internet in discussion forums
IRC
program that sends automatic responses to users, giving the appearance of a person being present on the other side of the connection
IRC "bot"
Why are employees sometimes not told that the company is being monitored?
If a company knows that it's being monitored to assess the security of its systems, employees might behave more vigilantly and adhere to existing procedures. Many companies don't want this false sense of security; they want to see how personnel operate without forewarning that someone might attempt to attack their network.
If subnetting is used in an organization, you can include the broadcast address by mistake when performing ping sweeps. How might this happen?
If you decide to use ping sweeps, be careful not to include the broadcast address in your range of addresses. You can do this by mistake if subnetting is used in an organization. For example, if the IP address 193.145.85.0 is subnetted with a 255.255.255.192 subnet mask, four subnets are created: 193.145.85.0, 193.145.85.64, 193.145.85.128, and 193.145.85.192. The broadcast addresses for each subnet are 193.145.85.63, 193.145.85.127, 193.145.85.191, and 193.145.85.255, respectively. If a ping sweep was inadvertently activated on the range of hosts 193.145.85.65 to 193.145.85.127, an inordinate amount of traffic could flood through the network because the broadcast address of 193.145.85.127 was included. This would be more of a problem on a Class B address, but if you perform ping sweeps, make sure your client signs a written agreement authorizing the testing.
How can a computer criminal use HTTP methods before running an exploit on a server?
If you know HTTP methods, you can send a request to a Web server and, from the generated output, determine what OS the Web server is using. You can also find other information that could be used in an attack. After you determine which OS version a company is running, you can search for any exploits that might be used against that network's systems.
Why is port scanning useful for hackers?
Port scanning helps you answer questions about open ports and services by enabling you to quickly scan thousands or even tens of thousands of IP addresses. Many port-scanning tools produce reports of their findings, and some give you best-guess assessments of which OS is running on a system. Most, if not all, scanning programs report open ports, closed ports, and filtered ports in a matter of seconds. When a Web server needs to communicate with applications or other computers, for example, port 80 is opened. An open port allows access to applications and can be vulnerable to an attack. A closed port does not allow entry or access to a service. For instance, if port 80 is closed on a Web server, users wouldn't be able to access Web sites. A port reported as filtered might indicate that a firewall is being used to allow specified traffic in or out of the network.
port 110
Post Office Protocol 3 (POP3). Used for retrieving e-mail.
reconnaissance
Preparatory phase where an attacker gathers as much information as possible about the target prior to launching the attack
Denial of service attack
Prevents legitimate users from accessing network resources. Some forms do not involve computers.
steganography
Process of hiding data in other data, for instance image and sound files
Macro viruses
Programs that support a macro programming language (e.g., Visual Basic for Applications); lists of commands; can be used in destructive ways
"____" is not a domain tested for the CEH exam. a. Sniffers b. Social engineering c. Footprinting d. Red team testing
Red team testing
port 135
Remote Procedure Call (RPC). Critical for operation of Microsoft Exchange Server and Active Directory.
Worms: examples are Code Red and Nimda. Theoretically can infect every computer in the world over a short period.
Replicates and propagates without a host
The ____ Institute Top 20 list details the most common network exploits and suggests ways of correcting vulnerabilities. a. SANS b. CompTIA c. CERT d. ISECOM
SANS
the main protocol for transmitting e-mail messages across the Internet
SMTP
primarily used to monitor devices on a network, such as remotely monitoring a router's state
SNMP
enables a remote user to log on to a server and issue commands
SSH
TCP header flag that signifies the beginning of a session
SYN
A computer that receives a SYN packet from a remote computer responds to the packet with a(n) ____ packet if its port is open. a. FIN b. RST c. SYN/ACK d. ACK
SYN/ACK
____ is a Web tool used to gather IP and domain information. It is available for both UNIX and Windows OSs. a. Samba b. Bugnosis c. SamSpade d. FOCA
SamSpade
A ____ or batch file is a text file containing multiple commands that are normally entered manually at the command prompt. a. script b. program c. snippet d. signature
Script
Some hackers are skillful computer operators, but others are younger inexperienced people who experienced hackers refer to as ____. a. script kiddies b. repetition monkeys c. packet sniffers d. crackers
Script kiddies
In a(n) ____, the tester does more than attempt to break in; he or she also analyzes the company's security policy and procedures and reports any vulnerabilities to management. a. penetration test b. security test c. hacking test d. ethical hacking test
Security Test
____ takes penetration testing to a higher level. a. Hacking b. Cracking c. Security testing d. Packet sniffing
Security testing
Internet Control Message Protocol (ICMP)
Sends messages related to network operations; helps troubleshoot network connectivity problems (ping command); tracks the route a packet traverses (traceroute command)
____ can be used to read PINs entered at ATMs or to detect long-distance authorization codes that callers dial. a. Shoulder surfing b. Footprinting c. Zone transferring d. Social engineering
Shoulder surfing
To help prevent ____ attacks, you must educate your users not to type logon names and passwords when someone is standing directly behind them—or even standing nearby. a. shoulder-surfing b. footprinting c. piggybacking d. social engineering
Shoulder-surfing
port 25
Simple Mail Transfer Protocol (SMTP). E-mail servers listen on this port.
____ means using a knowledge of human nature to get information from people. a. Fingerprinting b. Footprinting c. Zone transferring d. Social engineering
Social engineering
What type of information is usually gathered by social engineering?
Social engineering means using a knowledge of human nature to get information from people. In computer attacks, the information is usually a password to a network or other information an attacker could use to compromise a network. A salesperson can get personal information about customers, such as income, hobbies, social life, drinking habits, music preferences, and the like, just by asking the customer the right questions. A salesperson uses charm and sometimes guile to relax customers. In a sense, a salesperson attempts to bond with customers by pretending to be empathetic with them. After leaving the store, customers might regret some of the information they freely gave, but if the salesperson was personable, they might not think twice about the personal information the salesperson elicited. Social engineers might also use persuasion tactics, intimidation, coercion, extortion, and even blackmail to gather the information they need. They are probably the biggest security threat to networks and the most difficult to protect against.
____ can be used to gather information useful for computer criminals, like company phone directories, financial reports, interoffice memos, resumes of employees, etc. a. Shoulder surfing b. Footprinting c. Piggybacking d. Dumpster diving
dumpster diving
Describe an example of a macro virus.
The most infamous macro virus is Melissa, which appeared in 1999. The virus was initiated after a user opened an infected document; the virus then sent an e-mail message to the first 50 entries it located in the infected computer's address book.
What is a Class B IP address?
These addresses are evenly divided between a two-octet network and a two-octet host address, allowing more than 65,000 host computers per Class B network address. Large organizations and Internet service providers are often assigned Class B Internet addresses. Class B addresses have the format "network.network.node.node".
Often technical personnel who aren't familiar with security techniques think that restricting access to ports on a router or firewall can protect a network from attack. Is this a good solution?
This is easier said than done. After all, if a firewall prevents any traffic from entering or exiting a network on port 80, you have indeed closed a vulnerable port to access from hackers. However, you have also closed the door to Internet access for your users, which probably isn't acceptable to your company. The tricky (and almost impossible) part for security personnel is attempting to keep out the bad guys while allowing the good guys to work and use the Internet.
What are the problems with depending on ping sweeps to find out which hosts are "live"?
To find out which hosts are "live," ping sweeps simply ping a range of IP addresses and see what type of response is returned. The problem with relying on ping sweeps to identify live hosts is that a computer might be shut down at the time of the sweep, indicating that the IP address does not belong to a live host. Another problem with ping sweeps is that many network administrators configure nodes to not respond to an ICMP Echo Request (type 8) with an ICMP Echo Reply (type 0). This doesn't mean the computer isn't alive; it just means it isn't replying to the attack computer at that moment. Add to that the possibility of a firewall filtering out ICMP traffic, and you have many reasons for using caution when running ping sweeps.
What is the most important recommendation that should be made to a client to help prevent viruses from being introduced into corporate networks?
To help prevent viruses from being introduced into corporate networks, the most important recommendation you should make to a client is to update virus signature files as soon as they're available from the vendor. Most antivirus software does this automatically or prompts the user to do so. An organization can't depend on employee vigilance to protect its systems, so centralizing all antivirus software updates from a corporate server is prudent.
can be set to 0 (off) or 1 (on)
each flag occupies one bit of the TCP segment
secure shell (SSH)
enables a remote user to log on to a server securely and issue commands interactively
internet relay chat (IRC)
enables multiple users to communicate over the Internet in discussion forums
telnet
enables users to log on to a server remotely and issue commands interactively
Attempt to cause users on a network to flood each other with data, making it appear as if everyone is attacking each other
What are smurf attacks?
Persuasion, intimidation, coercion, extortion/blackmailing
What are social engineering tactics?
black box testing, white box testing, and gray box testing
What are the 3 categories for ethical hacking testing?
former black hats, white hats, consulting firms
What are the ethical hacker categories?
preparation, conduct, and conclusion
What are the three phases of security testing?
used to erase the attacker's activities from the system's log files
What are Trojans like ps or netcat used for?
sometimes employed by companies to perform penetration tests
ethical hacker
Disclosure, deception, disruption, and usurpation
examples of loss
A closed port can be vulnerable to an attack.
false
A closed port responds to a SYN scan with an RST packet, so if no packet is received, the best guess is that the port is open.
false
A disadvantage of Nmap is that it is very slow because it scans all the 65,000 ports of each computer in the IP address range.
false
A hex number is written with two characters, each representing a byte.
false
In the TCP/IP stack, the Transport layer includes network services and client software.
false
Malware programs cannot be detected by antivirus programs.
false
Namedroppers is a tool that can be used to capture Web server information and possible vulnerabilities in a Web site's pages that could allow exploits such as SQL injection and buffer overflows.
false
The HTTP CONNECT method starts a remote application-layer loopback of the request message.
false
To retrieve e-mail from a mail server, you most likely access port 119.
false
might indicate that a firewall is being used
filtered port
Based on the starting decimal number of the ____ byte, you can classify IP addresses as Class A, Class B, or Class C. a. first b. second c. third d. fourth
first
In computer jargon, the process of finding information on a company's network is called ____________________.
footprinting
accesses a computer system or network without the authorization of the system's owner
hacker
An April 2009 article in USA Today revealed that the federal government is looking for ____ to pay them to secure the nation's networks. a. crackers b. IT professionals c. hackers d. security testers
hackers
suicide hackers
hacktivists who are willing to become martyrs for their cause
Each character represents a nibble. Value contains alphabetic letters, with A representing 10 and F representing 15.
hex consists of 2 characters
Convert each nibble to binary; convert the binary value to decimal
how to convert a hex number to binary or decimal
Uses 16 as its base; supports numbers from 0 to 15
hexadecimal number system uses what as a base?
Group of 8 bits; can represent 2^8 (256) different colors
how are bytes grouped?
Encoding base 64. Used to reduce the size of e-mail attachments. Represents zero to 63 using six bits: A is 000000 ... Z is 011001.
how are viruses encoded?
Use turnstiles; train personnel to notify security about strangers; do not hold secured doors for anyone, even people they know; all employees must use access cards
how do you prevent piggybacking?
Watch authorized personnel enter an area; quickly join them at the security entrance; exploit their desire to be polite and helpful. Attacker wears a fake badge or security card.
how does piggybacking work?
Attacker creates a large ICMP packet, more than the allowed 65,535 bytes. The large packet is fragmented into small packets and reassembled at the destination. The destination point cannot handle the reassembled oversize packet, causing it to crash or freeze.
how does a ping of death attack work?
1023
how many ports are considered well known?
Create groups of four characters; convert the decimal value of each letter to binary; rewrite as three groups of eight bits; convert binary into decimal
in viruses, how do you convert base-64 strings to their decimal equivalent?
application layer
includes network services and client software
In TCP, the ______________________________ is a 32-bit number that tracks the packets received by the node and allows reassembling of large packets that have been broken up into smaller packets.
initial sequence number (ISN)
IDS stands for ____. a. Intrusion Detection System b. Information Dissemination System c. Information Destruction System d. Intruder Dispersal System
intrusion detection system
In the TCP/IP stack, the ____ layer uses IP addresses to route packets. a. Internet b. Network c. Transport d. Application
internet
____ are devices or computer programs that can be used to capture keystrokes on a computer. a. Viruses b. Keyloggers c. Macro viruses d. Firewalls
keyloggers
network layer
represents the physical network pathway and the network interface card
A(n) ____________________ is a virus encoded as a macro in programs that support a macro programming language, such as Visual Basic for Applications (VBA).
macro virus
____________________ is malicious software, such as a virus, worm, or Trojan program, introduced to a network for just that reason.
malware
2005 hybrid worm with backdoor capabilities spread by mass e-mailing and exploiting Windows vulnerabilities
mytob
____________________ or rootkits are computer programs that give attackers a means of regaining access to the attacked computer later.
backdoors
gray hats
believe in full disclosure (information is better out in the open than kept in secret)
puts the burden on the tester to find out what technologies the company is using
black box model
In the TCP/IP stack, the ____ layer is concerned with physically moving electrons across a medium. a. Internet b. Network c. Transport d. Application
network
allows access to applications
open port
Derogatory term referring to people who copy code from knowledgeable programmers instead of creating the code themselves.
packet monkey
copies code from knowledgeable programmers instead of creating the code himself/herself
packet monkey
operates on ports 65301, 22, 5631, and 5632
pcAnywhere
In a(n) ____________________, an ethical hacker attempts to break into a company's network to find the weakest link in that network or one of its systems.
penetration test
____ is trailing closely behind an employee who has access to an area without the person realizing that you didn't use a PIN or a security badge to enter the area. a. Shoulder surfing b. Footprinting c. Piggybacking d. Dumpster diving
piggybacking
To verify if all the IP addresses of a network are being used by computers that are up and running, you can use a port scanner to ____________________ the range of IP addresses.
ping
Port scanners can also be used to conduct a(n) ____________________ of a large network to identify which IP addresses belong to active hosts.
ping sweep
An OpenVAS____________________ is a security test program (script) that can be selected from the client interface.
plug-in
A(n) ____ is the logical, not physical, component of a TCP connection. a. ISN b. socket c. port d. SYN
port
simple network management protocol (SNMP)
primarily used to monitor devices on a network, such as monitoring a router's state remotely.
PKI stands for ____. a. Public Key Infrastructure b. Private Key Infrastructure c. Protected Key Infrastructure d. Primary Key Infrastructure
public key infrastructure
composed of people with varied skills who perform penetration tests
red team
A ____ is created after an attack and usually hides itself within the OS tools, so it's almost impossible to detect. a. toolbox b. rootkit c. shell d. macro virus
rootkit
Trojan Programs can install a backdoor or ____ on a computer. a. rootkit b. shell c. worm d. macro virus
rootkit
set of instructions that runs in sequence to perform tasks on a computer system
script
Many experienced penetration testers can write computer programs or ____ in Perl or the C language to carry out network attacks. a. kiddies b. packets c. scripts d. crackers
scripts
____ enables an attacker to join a TCP session and make both parties think he or she is the other party. a. A DoS attack b. The Ping of Death c. A buffer overflow attack d. Session hijacking
session hijacking
____ is an attack that relies on guessing the ISNs of TCP packets. a. ARP spoofing b. Session hijacking c. DoS d. Man-in-the-middle
session hijacking
executable piece of programming code that should not appear in an e-mail attachment
shell
A(n) ____________________ is a person skilled at reading what users enter on their keyboards, especially logon names and passwords.
shoulder surfer
Antivirus software compares ____________________ of known viruses against the files on the computer; if there's a match, the software warns you that the program or file is infected.
signatures (programming code)
SYN flag: synch flag; ACK flag: acknowledgment flag; PSH flag: push flag; URG flag: urgent flag; RST flag: reset flag; FIN flag: finish flag
six TCP segment flags
purported to have shut down more than 13,000 ATMs
slammer
Some attackers want to be hidden from network devices or IDSs that recognize an inordinate amount of pings or packets being sent to their networks, so they use ____________________ attacks that are more difficult to detect.
stealth
In addition to a unique network address, each network must be assigned a(n) ____________________, which helps distinguish the network address bits from the host address bits.
subnet mask
Simple mail transfer protocol (SMTP)
the main protocol for transmitting email messages across the internet
Hypertext transfer protocol (HTTP)
the primary protocol used to communicate over the web
security
the state of well-being of a system's data and infrastructure
The collection of tools for conducting vulnerability assessments and attacks is sometimes referred to as a "____". a. black box b. white box c. gray box d. tiger box
tiger box
TCP stands for ____. a. Transfer Control Protocol b. Transmission Control Protocol c. Transfer Congestion Protocol d. THE Control Protocol
transmission control protocol
In the TCP/IP stack, the ____ layer is concerned with controlling the flow of data, sequencing packets for reassembly, and encapsulating the segment with a TCP or UDP header. a. Internet b. Network c. Transport d. Application
transport
One of the most insidious attacks against networks and home computers worldwide is ____, which disguise themselves as useful computer programs or applications. a. macro viruses b. worms c. spyware programs d. Trojan programs
trojan programs
Software keyloggers behave like ____ and are loaded on a computer. a. Trojan programs b. viruses c. shells d. firewalls
trojan programs
An octal digit can be represented with only three bits because the largest digit in octal is seven.
true
Computer crime is the fastest growing type of crime worldwide.
true
Network attacks often begin by gathering information from a company's Web site.
true
No matter what medium connects computers on a network—copper wires, fiber-optic cables, or a wireless setup—the same protocol must be running on all computers if communication is going to function correctly.
true
Port scanning is a method of finding out which services a host computer offers.
true
Some cookies can cause security issues because unscrupulous people might store personal information in cookies that can be used to attack a computer or server.
true
The average home user or small-business owner doesn't typically use Telnet.
true
The most effective approach to protect a network from malware being introduced is to conduct structured training of all employees and management.
true
To limit the amount of information a company makes public, you should have a good understanding of what a competitor would do to discover confidential information.
true
Wget is a tool that can be used to retrieve HTTP, HTTPS, and FTP files over the Internet.
true
You can search for known vulnerabilities in a host computer by using the Common Vulnerabilities and Exposures Web site.
true
Limited vulnerability analysis; attack and penetration testing
two most common approaches in the conduct phase of security testing
Half a byte, or four bits. Helps with reading numbers by separating the byte. Example: 1111 1010 versus 11111010.
understanding nibbles
In an ACK scan, if the attacked port returns an RST packet the attacked port is considered to be "____". a. open b. closed c. unfiltered d. unassigned
unfiltered
white hats
use skills for defensive purposes
black hats
use skills for illegal or malicious purposes
internet layer
uses IP addresses to route packets to the correct destination network
A ____ can replicate itself, usually through an executable program attached to an e-mail. a. shell b. virus c. keylogger d. rootkit
virus
Obtain confidential information (passwords); obtain other personal information
what are the goals of social engineering?
Used to capture keystrokes on a computer. Software: loaded onto the computer; behaves like Trojan programs. Hardware: small and easy-to-install device; goes between keyboard and computer. Examples: KeyKatcher and KeyGhost.
what are keyloggers?
Can pick a deadbolt lock in less than five minutes after only a week or two of practice
what about locking up servers?
Executable piece of programming code. Creates an interface to the OS for issuing commands. Should not appear in an e-mail attachment.
what are shells (in viruses)?
Binoculars or high-powered telescopes; key positions and typing techniques; popular letter substitutions ($ equals s, @ equals a)
what are shoulder surfer tools?
Reads what users enter on keyboards: logon names, passwords, PINs
what are shoulder surfers?
Urgency, quid pro quo, status quo, kindness, position
what are social engineering techniques?
software (personal) and hardware (enterprise)
what are the 2 types of firewalls?
Owner permissions (rwx), group permissions (rwx), other permissions (rwx). Setting permission rwxrwxrwx means they all have read, write, and execute permissions.
what are the UNIX permissions?
Insidious attack against networks and computers. Disguise themselves as useful programs. Can install backdoors and rootkits, allowing attackers remote access.
what are Trojan programs?
Discarded computer manuals, passwords jotted down, company phone directories, calendars with schedules, financial reports, interoffice memos, company policy, utility bills, resumes
what can be found in dumpster diving?
Web server OS; names of IT personnel
what can you determine with just a URL?
pull info from a web server
what do HTTP commands do?
Identifies traffic on unfamiliar ports
what does a good software or hardware firewall do?
Open ports, closed ports, filtered ports, best-guess running OS
what do port scanning programs report?
Cripples the network; makes it vulnerable to other attacks
what does attempting to access information do?
OS runs this code; code elevates the attacker's permission to administrator, owner, or creator
what happens when an attacker writes code that overflows a buffer?
Commonly used; gathers IP address and domain information; attackers can also use it
what is Whois?
One-pixel by one-pixel image file referenced in an <IMG> tag. Usually works with a cookie. Purpose similar to spyware and adware. Comes from third-party companies specializing in data collection.
what is a web bug?
Purpose: determine the user's purchasing habits; tailors advertisements. Problem: slows down computers.
what is adware's main purpose or problem?
Look over the location; find weaknesses in security systems; types of locks and alarms used
what is casing the joint?
Gathering information using technology
what is competitive intelligence?
Finding information on a company's network. Passive and nonintrusive. Several available Web tools.
what is footprinting?
Powerful tool for UNIX and Windows OSs; requires Java J2SE
what is Paros?
Usually framed as an urgent request to visit a Web site; the Web site is a fake
what is phishing?
Trailing closely behind an employee cleared to enter restricted areas
what is piggybacking?
Finds which services are offered by a host; identifies vulnerabilities
what is port scanning?
Enables an attacker to join a TCP session. Attacker makes both parties think he or she is the other party. Complex attack, beyond the scope of this book.
what is session hijacking?
adware: installed without users being aware
what is similar to spyware?
Convincing other people to reveal information such as unlisted phone numbers, passwords, etc.
what is social engineering?
Combines social engineering and exploiting vulnerabilities. E-mail attacks directed at specific people; comes from someone the recipient knows; mentions topics of mutual interest.
what is spear phishing?
helps protect against spyware and adware
what are Spybot and Ad-Aware?
Uses 8 as its base; supports values from 0 to 7
what is the base for the octal numbering system?
spyware
what sends information from an infected computer to the attacker?
Loss of bandwidth; degradation or loss of speed
what will flooding a network with billions of packets do?
In the ____________________ model, the tester is told what network topology and technology the company is using and is given permission to interview IT personnel and company employees.
white box
Require pushing in a sequence of numbered bars
why are rotary locks harder to pick?
New viruses, worms, and Trojan programs appear daily
why is it difficult to protect against malware attacks?
A ____ is a computer program that replicates and propagates itself without having to attach itself to a host. a. virus b. Trojan c. worm d. shell
worm
In a Linux script, the line ____ is important because it identifies the file as a script. a. #!/bin/sh b. #!/bin/script c. #!/bin/shscript d. #!/bin/sc
#!/bin/sh
In a ____ attack, a programmer finds a vulnerability in poorly written code that doesn't check for a defined amount of memory space use. a. buffer overflow b. DoS c. DDoS d. session hijacking
buffer overflow
the primary protocol used to communicate over the World Wide Web
HTTP
Request not understood by server
HTTP 400 Bad Request
Server understands request but refuses to comply
HTTP 403 Forbidden
Unable to match request
HTTP 404 Not Found
Request not allowed for the resource
HTTP 405 Method Not Allowed
Request not made by client in allotted time
HTTP 408 Request Timeout
Request could not be fulfilled by server
HTTP 500 Internal Server Error
Server received invalid response from upstream server
HTTP 502 Bad Gateway
Server is unavailable due to maintenance or overload
HTTP 503 Service Unavailable
Server did not receive a timely response
HTTP 504 Gateway Timeout
Operating system attacks, application-level attacks, shrink-wrap code attacks, misconfiguration attacks
Hacker attacks can be categorized as what?
The U.S. Department of Justice labels all illegal access to computer or network systems as "____". a. cracking b. hacking c. sniffing d. trafficking
Hacking
port 119
Network News Transfer Protocol. Used to connect to a news server for use with newsgroups.
List at least five domains tested for the Certified Ethical Hacker (CEH) exam.
- Ethics and legal issues - Footprinting - Scanning - Enumeration - System hacking - Trojan programs and backdoors - Sniffers - Denial of service - Social engineering - Session hijacking - Hacking Web servers - Web application vulnerabilities - Web-based password-cracking techniques - Structured Query Language (SQL) injection - Hacking wireless networks - Viruses and worms - Physical security - Hacking Linux - Intrusion detection systems (IDSs), firewalls, and honeypots - Buffer overflows - Cryptography - Penetration-testing methodologies
What are four different skills a security tester needs?
- Knowledge of network and computer technology - Ability to communicate with management and IT personnel - An understanding of the laws that apply to your location - Ability to apply the necessary tools to perform your tasks
The ____ option of Nmap is used to perform a TCP SYN stealth port scan. a. -sS c. -sV b. -sU d. -S
-sS
What steps are involved in TCP's "three-way handshake"?
1. Host A sends a TCP packet with the SYN flag set (that is, a SYN packet) to Host B. 2. After receiving the packet, Host B sends Host A its own SYN packet with an ACK flag (a SYN-ACK packet) set. 3. In response to the SYN-ACK packet from Host B, Host A sends Host B a TCP packet with the ACK flag set (an ACK packet).
The POP3 service uses port ____. a. 110 c. 135 b. 119 d. 139
110
The Network News Transport Protocol service uses port ____. a. 110 c. 135 b. 119 d. 139
119
The Microsoft RPC service uses port ____. a. 110 c. 135 b. 119 d. 139
135
The NetBIOS service uses port ____. a. 110 c. 135 b. 119 d. 139
139
The binary number 11000001 converted to decimal is ____. a. 128 c. 193 b. 164 d. 201
193
Currently, the CEH exam is based on ____ domains (subject areas) with which the tester must be familiar. a. 11 c. 31 b. 22 d. 41
22
The SMTP service uses port ____. a. 25 c. 69 b. 53 d. 80
25
Each Class C IP address supports up to ____ host computers. a. 254 c. 65,000 b. 512 d. 16 million
254
ISN
32-bit number Tracks packets received by a node Allows reassembly of large packets Sent on steps one and two of TCP three-way handshake Sending node ISN is sent with SYN packet Receiving node ISN is sent back to sending node with SYN-ACK packet
The DNS service uses port ____. a. 25 c. 69 b. 53 d. 80
53
To represent 0 to 63 characters you need only ____ bits. a. four c. six b. five d. seven
6
The TFTP service uses port ____. a. 25 c. 69 b. 53 d. 80
69
An octet is equal to ____________________ bits, which equals one byte.
8
HTTP uses port ____ to connect to a Web service. a. 21 c. 25 b. 22 d. 80
80
The HTTP service uses port ____. a. 25 c. 69 b. 53 d. 80
80
What is the purpose of a Web bug? How do they relate to or differ from spyware?
A Web bug is a 1-pixel x 1-pixel image file referenced in an <IMG> tag, and it usually works with a cookie. Its purpose is similar to that of spyware and adware: to get information about the person visiting the Web site. Web bugs are not from the same Web site as the Web page creator. They come from third-party companies specializing in data collection. Security professionals need to be aware of cookies and Web bugs to keep these information-gathering tools off company computers.
exposure
A breach in security Can vary from one company to another, or even from one department to another loss due to an exploit
Reconnaissance Scanning Gaining access Maintaining access Covering tracks
What are the five phases that make up an attack?
____ is concerned with the security of computers or devices that are part of a network infrastructure. a. Attack security c. Computer security b. Cybercrime d. Network security
Network security
The ____ tool was originally written for Phrack magazine in 1997 by Fyodor. a. Unicornscan c. Nessus b. Fping d. Nmap
Nmap
What is a DDoS attack?
A distributed denial-of-service (DDoS) attack is launched against a host from multiple servers or workstations. In a DDoS attack, a network could be flooded with literally billions of packets; typically, each participant in the attack contributes only a few of the total number of packets. If one server bombards an attacked server with hundreds or even thousands of packets, available network bandwidth could drop to the point that legitimate users notice a performance degradation or loss of speed. Now imagine 1000 servers or even 10,000 servers involved, with each server sending several thousand IP packets to the attacked server. There you have it: a DDoS attack. Keep in mind that participants in the attack often aren't aware their computers are taking part in the attack. They, too, have been attacked by the culprit. In fact, in one DDoS attack, a company was flooded with IP packets from thousands of Internet routers and Web servers belonging to Yahoo.com.
What types of ports do successful Trojan programs commonly use?
A good software or hardware firewall would most likely identify traffic that's using unfamiliar ports, but Trojan programs that use common ports, such as TCP port 80 (HTTP) or UDP port 53 (DNS), are more difficult to detect. The programmer who wrote Backdoor.Slackbot.B controlled a computer by using Internet Relay Chat (IRC), which is on port 6667.
Architecture and configuration of the target system Skill level of the perpetrator Initial level of access obtained
A hacker's chances of gaining access into a target system are influenced by factors such as:
exploit
A specific way to breach the security of an IT system through a vulnerability
What is Spyware
A spyware program sends information from the infected computer to the person who initiated the spyware program on your computer. This information could be confidential financial data, passwords, PINs—just about any data stored on your computer. You need to make sure your users understand that this information collection is possible, and that spyware programs can register each keystroke entered. It's that simple. This type of technology not only exists, but is prevalent. It can be used to record and send everything a user enters to an unknown person located halfway around the world.
Why is "attach" a key word when talking about viruses?
A virus does not stand on its own. It can't replicate itself or operate without the presence of a host program. A virus attaches itself to a host program, just as the flu attaches itself to a host organism.
Describe some actions which security testers cannot perform legally.
Accessing a computer without permission, destroying data, or copying information without the owner's permission is illegal. Certain actions are illegal, such as installing worms or viruses on a computer network that deny users access to network resources. As a security tester, you must be careful that your actions don't prevent customers from doing their jobs. For example, DoS attacks should not be initiated on your customer's networks.
threat
Action or event that might compromise security
Source IP address Destination IP address Flags
What are packet components?
What is Back Orifice
Back Orifice is still one of the most common Trojan programs used today. It allows attackers to take full control of the attacked computer, similar to the way Windows XP Remote Desktop functions, except that Back Orifice works without the user's knowledge. The program has been around since 1999, but it's now marketed as an administrative tool rather than a hacking tool.
____ is currently the standard port-scanning tool for security professionals. a. Unicornscan c. Nessus b. Fping d. Nmap
Nmap
a port scanning tool
Nmap
typically used to get past a firewall
ACK scan
Why is ATM shoulder surfing much easier than computer shoulder surfing?
ATM theft is much easier than computer shoulder surfing because a keypad has fewer characters to memorize than a computer keyboard. If the person throws away the receipt in a trash can near the ATM, the shoulder surfer can match the PIN with an account number and then create a fake ATM card. Often shoulder surfers use binoculars or high-powered telescopes to observe PINs being entered, making it difficult to protect against this attack.
____ is a reasonably priced commercial port scanner with a GUI interface. a. AW Security Port Scanner c. Ethereal b. Common Vulnerabilities and Exposures d. Tcpdump
AW Security Port Scanner
NDA, to protect the client's confidential data Clause stating that the ethical hacker has full consent of the client to hack into their systems
After discussing security issues with the client, a formal contract should be drawn up that contains
attack
Any attempt by an unauthorized person to access, damage, or use network resources
binary octal hexadecimal
As a security professional, knowledge of numbering systems will come into play:
What are the critical components of a TCP header? How may hackers abuse them?
As a security professional, you should know the critical components of a TCP header: TCP flags, the initial sequence number, and source and destination port numbers. Hackers abuse many of these TCP header components; for example, when port scanning, many hackers use the method of sending a packet with a SYN-ACK flag set even though a SYN packet was not sent first.
Which ports should security professionals scan when doing a test? Why?
As a security tester, you need to know which ports attackers are going after so those ports can be closed or protected. Security professionals must scan all ports when doing a test, not just the well-known ports (Ports 1 to 1023, the most common, are covered in Chapter 2). Many computer programs use port numbers outside the range of well-known ports. For example, pcAnywhere operates on ports 65301, 22, 5631, and 5632. A hacker who discovers that port 65301 is open might want to check the information at the Common Vulnerabilities and Exposures Web site for a possible vulnerability in pcAnywhere. After a hacker discovers an open service, finding a vulnerability or exploit isn't difficult.
As a security tester, should you use social-engineering tactics?
As a security tester, you should never use social-engineering tactics unless the person who hired you gives you permission in writing. You should also confirm on which employees you're allowed to perform social-engineering tests, and document the tests you conduct. Your documentation should include the responses you received, and all test results should, of course, be confidential.
Remove evidence of their entry Install a backdoor or a Trojan to gain repeat access Install rootkits at the kernel level to gain full administrator access to the target computer
Attackers who choose to remain undetected do what?
Inside - initiated from within a network by an authorized user Outside - caused by an external intruder who does not have authorization to access the network
Attacks can be categorized as inside or outside attacks by what?
Why is it hard for an ethical hacker to avoid breaking any laws?
Because the job of an ethical hacker is fairly new, the laws are constantly changing. Even though a company has hired you to test its network for vulnerabilities, be careful that you aren't breaking any laws for your state or country. If you're worried that one of your tests might slow down the network because of excessive bandwidth use, that concern should signal a red flag. The company might consider suing you for lost time or monies caused by this delay.
common Trojan program
Back Orifice
In the ____ model, management does not divulge to staff that penetration testing is being conducted, nor does it give the tester any diagrams or describe what technologies the company is using. a. gray box c. black box b. white box d. red box
Black box
A ____ can be created that welcomes new users joining a chat session, even though a person isn't actually present to welcome them. a. byte c. switch b. packet d. bot
Bot
The HTTP ____________________ method is used with a proxy that can dynamically switch to a tunnel connection, such as Secure Socket Layer (SSL).
CONNECT
The ____ certification for security professionals is issued by the International Information Systems Security Certifications Consortium (ISC2). a. Global Information Assurance Certification (GIAC) b. OSSTMM Professional Security Tester (OPST) c. Certified Information Systems Security Professional (CISSP) d. Certified Ethical Hacker (CEH)
Certified Information Systems Security Professional (CISSP)
The International Council of Electronic Commerce Consultants (EC-Council) has developed a certification designation called ____. a. CompTIA Security+ b. OSSTMM Professional Security Tester (OPST) c. Certified Information Systems Security Professional (CISSP) d. Certified Ethical Hacker (CEH)
Certified Ethical Hacker (CEH)
What type of class has the IP address 193.1.2.3? a. Class A c. Class C b. Class B d. Class D
Class C
Some of the most infamous cases are hacks carried out by ____ students, such as the eBay hack of 1999. a. graduate c. college b. high-school d. engineering
College
Ethical hackers are employed or contracted by a company to do what illegal hackers do: break in. Why?
Companies need to know what, if any, parts of their security infrastructure are vulnerable to attack. To protect a company's network, many security professionals recognize that knowing what tools the bad guys use and how they think enables them to better protect (harden) a network's security.
TCP three way handshake
Computer A sends computer B a SYN packet Computer B replies with a SYN-ACK packet Computer A replies with an ACK packet
Crimes facilitated by use of a computer Crimes where the computer is the target
Computer crimes can be separated into two categories:
network security
Concerned with security of network infrastructure
computer security
Concerned with security of a stand-alone computer Not part of a network infrastructure
assurance
Confidence that the system will behave according to its specifications
TCP is a(n) ____________________ protocol, which means the sender doesn't send any data to the destination node until the destination node acknowledges that it's listening to the sender.
Connection-oriented
Remote network Remote dial-up network Local network Stolen equipment Social engineering Physical entry
Ethical hacker will attempt attacks over various channels:
Shut down computers cannot respond Networks may be configured to block ICMP Echo Requests Firewalls may filter out ICMP traffic
What are the problems with ping sweeps?
Text file Contains multiple commands
What is a script or batch file?
What can an attacker see on the target system? What can an intruder do with that information? Are the attackers' attempts being noticed on the target systems?
Ethical hacker's evaluation of a client's information system security seeks answers to what 3 basic questions?
subnet mask
Each network must be assigned a subnet mask Helps distinguish network from host address bits Subnetting concepts are important Utilities return information based on IP address and subnet information May be useful when penetration testing
transport layer
Encapsulates data into segments Use TCP or UDP to reach a destination host TCP is a connection-oriented protocol
white box testing
Ethical hacker is given full advance knowledge of the system
black box testing
Ethical hacker is given no prior knowledge or information about a system
the tester might get information about which OSs are used, but not get any network diagrams
Gray box model
attack
Deliberate assault on a system's security
antivirus programs
Detection based on virus signatures Signatures are kept in virus signature file Must update periodically Some offer automatic update feature
With commands such as ____, you can perform zone transfers of all DNS records. a. Dig c. DNS b. Whois d. Netcat
Dig
____ is a tool that is used to perform DNS zone transfers. a. Whois c. Metis b. Netcat d. Dig
Dig
A ____ attack prevents legitimate users from accessing network resources. a. buffer overflow c. social engineering b. session hijacking d. DoS
DoS
port 53
Domain Name Service (DNS) Connects to Web sites using URLs instead of IP addresses
The HTTP ____ method is the same as the GET method, but retrieves only the header information of an HTML document, not the document body. a. CONNECT c. POST b. PUT d. HEAD
HEAD
What is the "poor man's firewall"?
Even though IPX/SPX is not widely used today, many corporations have legacy systems that rely on it. In fact, some users separate their internal networks from the outside world by running IPX/SPX internally. An intruder attempting to attack a network over the Internet would be blocked when the protocol changes from TCP/IP to IPX/SPX. This tactic is referred to as "the poor man's firewall." Of course, it's not a recommended solution for protecting a network, but as a network security professional, you might see it used.
When a TCP three-way handshake ends, both parties send a(n) ____ packet to end the connection. a. SYN c. FIN b. ACK d. RST
FIN
____ was the standard for moving or copying large files and is still used today, although to a lesser extent because of the popularity of HTTP. a. FTP c. SNMP b. TFTP d. SMTP
FTP
allows different operating systems to transfer files between one another
FTP
All states look at port scanning as noninvasive or nondestructive in nature and deem it legal.
False
An ethical hacker is a person who performs most of the same activities a cracker does, but with the owner or company's permission.
False
Macro viruses are hard to create.
False
UDP
Fast but unreliable delivery protocol Operates on Transport layer Used for speed Does not need to verify receiver is listening or ready Depends on higher layers of TCP/IP stack to handle problems Referred to as a connectionless protocol
computer crime
Fastest growing type of crime worldwide
port 20 and 21
File Transfer Protocol (FTP) Was the standard for moving or copying large files Used today to a lesser extent Popularity of HTTP Requires a logon name and password More secure than Trivial File Transfer Protocol (TFTP)
1 represents having permission 111 (rwx): all permissions apply 0 removes permission 101 (r-x): user can read and execute but not write
File permissions are represented with bits
With the ____ tool, you can ping multiple IP addresses simultaneously. a. Fping c. Nessus b. Nmap d. Unicornscan
Fping
The HTTP ____ method retrieves data by URI. a. GET c. POST b. PUT d. HEAD
GET
____ is the most basic HTTP method. a. GET c. CONNECT b. PUT d. HEAD
GET
The SysAdmin,Audit,Network, Security (SANS) Institute offers training and IT security certifications through ____. a. Global Information Assurance Certification (GIAC) b. OSSTMM Professional Security Tester (OPST) c. Certified Information Systems Security Professional (CISSP) d. Certified Ethical Hacker (CEH)
Global Information Assurance Certification (GIAC)
What is "competitive intelligence"?
If you want to open a piano studio to compete against another studio that has been in your neighborhood for many years, getting as much information as possible about your competitor is wise. How could you know the studio was successful without being privy to its bank statements? First, many businesses fail after the first year, so the studio being around for years is a testament to the owner doing something right. Second, you can simply park your car across the street from the studio and count the students to get a good idea of the number of clients. You can easily find out the cost of lessons by calling the studio or looking for ads in newspapers, flyers, telephone books, billboards, and so on. Numerous resources are available to help you discover as much as is legally possible about your competition. Business people have been doing this for years. Now this information gathering, called competitive intelligence, is done on an even higher level through technology. As a security professional, you should be able to explain to the company that hired you all the methods competitors use to gather information. To limit the amount of information a company makes public, you should have a good understanding of what a competitor would do to discover confidential information.
If you're good at your job, many IT employees resent you discovering vulnerabilities in their systems. In fact, it's the only profession in which the better you do your job, the more enemies you make!
How does a buffer overflow attack work?
In a buffer overflow attack, a programmer finds a vulnerability in poorly written code that doesn't check for a defined amount of space use. For example, if a program defines a buffer size of 100 MB (the total amount of memory the program is supposed to use), and the program writes data over the 100 MB mark without triggering an error or preventing this occurrence, you have a buffer overflow. Basically, the attacker writes code that overflows the buffer; this is possible because the buffer capacity hasn't been defined correctly in the program. The trick is to not fill the overflow buffer with meaningless data, but to fill it with executable program code. That way, the OS runs the code, and the attacker's program does something harmful. Usually, the code elevates the attacker's permissions to that of an administrator's level or gives the attacker the same privileges as the program's owner or creator.
How does a SYN scan work?
In a normal TCP session, a packet is sent to another computer with the SYN flag set. The receiving computer sends back a packet with the SYN/ACK flag set, indicating an acknowledgment. The sending computer then sends a packet with the ACK flag set. If the port to which the SYN packet is sent is closed, the computer responds to the SYN packet with an RST/ACK packet. If a SYN/ACK packet is received by an attacker's computer, it quickly responds with an RST/ACK packet, closing the session. This is done so that a full TCP connection is never made and logged as a transaction. In this sense, it is "stealthy." After all, you don't want a transaction to be logged showing the IP address that connected to the attacked computer.
What is a UDP scan?
In this type of scan, a UDP packet is sent to the target computer. If the port sends back an ICMP "Port Unreachable" message, the port is closed. Again, not getting that message might imply the port is open, but this isn't always true. A firewall or packet-filtering device could undermine your assumptions.
target of evaluation
Information resource or asset that is being protected from attacks
ethical hackers
Information security professionals who specialize in evaluating and defending against threats from attackers
gray box testing
Internal testing performed by system administrator and network professionals
What is ICMP used for?
Internet Control Message Protocol (ICMP) is used to send messages that relate to network operations. For example, if a packet cannot reach its destination, you might see the "Destination Unreachable" error. ICMP makes it possible for network professionals to troubleshoot network connectivity problems (with the Ping command) and to track the route a packet traverses from a source IP address to a destination IP address (with the Traceroute command).
port 143
Internet Message Access Protocol 4 (IMAP4) Used for retrieving e-mail
The IP in TCP/IP stands for ____________________.
Internet Protocol
hardware keylogger
KeyGhost
protocol
Language used by computers Transmission Control Protocol/Internet Protocol (TCP/IP) Most widely used
port
Logical, not physical, TCP connection component Identifies running service Example: HTTP uses port 80
attack side of a sophisticated cybercrime toolkit that spreads when Web surfers visit a hacked Web site hosting the malware
Luckysploit
____ commands that open and close files can be used in destructive ways. a. Macro c. Keylogger b. Firewall d. Adware
Macro
Most infamous macro virus
Melissa
____ is a tool that is used to gather competitive intelligence from Web sites. a. Whois c. Metis b. Netcat d. Dig
Metis
What is DNS used for?
Most networks require a DNS server so that users can connect to Web sites with URLs instead of IP addresses. When a user enters a URL, such as www.yahoo.com, the DNS server resolves the name to an IP address. The DNS server might be internal to the company, or each computer might be configured to point to the IP address of a DNS server that's serviced by the company's ISP.
Why is port scanning considered legal by most security testers and hackers?
Most security testers and hackers argue that port scanning is legal simply because it doesn't invade others' privacy; it merely discovers whether the party being scanned is available. The typical analogy is a person walking down the street and turning the doorknob of every house along the way. If the door opens, the person notes that the door is open and proceeds to the next house. Of course, entering the house would be a crime in most parts of the world, just as entering a computer system or network without the owner's permission is a crime.
Penetration testers and security testers usually have a laptop computer configured with ____ and hacking tools. a. multiple OSs c. packet sniffers b. tiger boxes d. script kiddies
Multiple OSs
TCP scan with all the packet flags are turned off
NULL scan
Avoid typing when: Someone is nearby Someone nearby is talking on cell phone
Name ways to prevent shoulder surfing
Nmap Unicornscan Nessus and OpenVAS
Name some port scanning tools
1. Talk with the client about the importance of security and the necessity of testing 2. Prepare NDA (nondisclosure agreement) documents and have the client sign them 3. Prepare an ethical hacking team and create a schedule for testing 4. Conduct the test 5. Analyze the results and prepare the report 6. Deliver the report to the client
Name the six basic steps of an ethical hacking assignment
port 139
NetBIOS Used by Microsoft's NetBIOS Session Service
To see additional parameters that can be used with the ____ command, you can type nc -h at the command prompt. a. Nslookup c. Netcat b. Namedroppers d. Whois
Netcat
____ is a tool that is used to read and write data to ports over a network. a. Whois c. Metis b. Netcat d. Dig
Netcat
In the TCP/IP stack, the ____________________ layer represents the physical network pathway and the network interface card.
Network
TCP/IP stack Four distinct layers
Network Internet Transport Application
Elaborate on the following statement: "The most difficult job of a security professional is preventing social engineers from getting crucial information from company employees."
No matter how thorough a security policy is or how much money is spent on firewalls and intrusion detection systems (IDSs), employees are still the weakest link in an organization. Attackers know this fact and use it. Employees must be trained and tested periodically on security practices. Just as fire drills help prepare people to evacuate during a fire, random security drills can improve a company's security practices. For example, randomly selecting and testing employees each month to see whether they would give their passwords to someone within or outside the organization is a good way to see if your security memos are being read and followed.
The ____ certification uses the Open Source Security Testing Methodology Manual (OSSTMM), written by Peter Herzog, as its standardized methodology. a. CEH c. CISSP b. OPST d. GIAC
OPST
The ____ certification is designated by the Institute for Security and Open Methodologies (ISECOM), a nonprofit organization that provides security training and certification programs for security professionals. a. CompTIA Security+ b. OSSTMM Professional Security Tester (OPST) c. Certified Information Systems Security Professional (CISSP) d. Certified Ethical Hacker (CEH)
OSSTMM Professional Security Tester (OPST)
What is the SANS Institute Top 20 list?
One of the most popular SANS Institute documents is the Top 20 list, which details the most common network exploits and suggests ways of correcting vulnerabilities. This list offers a wealth of information for penetration testers or security professionals.
Even though you might think you're following the requirements set forth by the client who hired you to perform a security test, don't assume that management will be happy with your results. Provide an example of an ethical hacking situation that might upset a manager.
One tester was reprimanded by a manager who was upset that the security testing revealed all the logon names and passwords to the tester. The manager believed that the tester shouldn't know this information and considered stopping the security testing.
What makes the ____________________ tool unique is the ability to update security check plug-ins when they become available.
OpenVAS
____, an open-source fork of Nessus, functions much like a database server, performing complex queries while the client interfaces with the server to simplify reporting and configuration. a. Unicornscan c. OpenVAS b. NetScanTools d. Nmap
OpenVAS
The HTTP ____ allows data to be sent to a Web server. a. GET c. POST b. PUT d. HEAD
POST
TCP header flag used to deliver data directly to an application
PSH
The HTTP ____ method requests that the entity be stored under the Request-URI. a. GET c. POST b. PUT d. HEAD
PUT
The ____ tool can generate a report that can show an attacker how a Web site is structured and lists Web pages that can be investigated for further information. a. Netcat c. Dig b. Paros d. Whois
Paros
In the ____ attack, the attacker simply creates an ICMP packet that's larger than the maximum allowed 65,535 bytes. a. DoS c. buffer overflow b. Ping of Death d. session hijacking
Ping of Death
type of DoS attack
Ping of Death
Some security professionals use fear tactics to scare users into complying with security measures. Is this a good tactic?
Some security professionals use fear tactics to scare users into complying with security measures. Their approach is to tell users that if they don't take a particular action, their computer systems will be attacked by every malcontent who has access to the Internet. This method is sometimes used to generate business for security testers and is not only unethical, but also against the OSSTMM's Rules of Engagement. The rule states: "The use of fear, uncertainty, and doubt may not be used in the sales or marketing presentations, websites, supporting materials, reports, or discussion of security testing for the purpose of selling or providing security tests. This includes but is not limited to crime, facts, criminal or hacker profiling, and statistics." Your approach to users or potential customers should be promoting awareness rather than instilling fear. You should point out to users how important it is not to install computer programs—especially those not approved by the company—on their desktops because of the possibility of introducing malware. Users should be aware of potential threats, not terrified by them.
Why is it important for you as a security tester to understand and be able to create scripts?
Some tools might need to be modified to better suit your needs as a security tester. Creating a customized script—a computer program that automates a task that takes too much time to perform manually—can be a time-saving solution. Fping can use an input file to perform ping sweeps. Creating an input file manually with thousands of IP addresses isn't worth the time. Instead, most security testers rely on their basic programming skills to write a script for creating an input file.
The two most popular spyware and adware removal programs are ____ and Ad-Aware. a. Zone Alarm c. McAfee Desktop Firewall b. BlackIce d. SpyBot
Spybot
____ is a remote control program. a. Slammer c. Symantec pcAnywhere b. BlackIce d. Zone Alarm
Symantec pcAnywhere
The ____ disseminates research documents on computer and network security worldwide at no cost. a. International Council of Electronic Commerce Consultants (EC-Council) b. SysAdmin,Audit,Network, Security (SANS) Institute c. Institute for Security and Open Methodologies (ISECOM) d. International Information Systems Security Certifications Consortium (ISC2)
SysAdmin, Audit, Network, Security (SANS) Institute
accountability
System administrators or concerned authorities need to be able to know by whom, when, how and why system resources have been accessed An audit trail or log files can address this
TCP critical components
TCP flags; initial sequence number (ISN); source and destination port numbers
The most widely used protocol is ____. a. IPX/SPX c. TCP/IP b. ATM d. NetBIOS
TCP/IP
transport layer
The TCP/UDP services layer is responsible for getting data packets to and from the application layer by using port numbers. TCP also verifies packet delivery by using acknowledgements.
tunneling
Takes advantage of the transmission protocol by carrying one protocol over another
____ is a protocol packet analyzer. a. Nmap c. Tcpdump b. Fping d. Nessus
Tcpdump
Text file generated by a Web server; stored on a user's browser; information sent back to the Web server when the user returns; used to customize Web pages; some cookies store personal information (a security issue)
What are cookies and what do they do?
How can computer criminals use the Whois utility for their purposes?
The Whois utility is a commonly used tool for gathering IP address and domain information. With just a company's Web address, you can discover a tremendous amount of information. Unfortunately, attackers can also make use of this information. Often companies don't realize that they're publishing information on the Web that computer criminals can use. The Whois utility gives you information on a company's IP addresses and any other domains the company might be part of.
What is the binary numbering system and why was it chosen by computer engineers to be used in computers?
The binary system uses the number two as its base. Each binary digit, or bit, is represented by a one or zero. Bits are usually grouped by eight because a byte contains eight bits. Computer engineers chose this numbering system because logic chips make binary decisions based on true or false, on or off, and so forth. With eight bits, a computer programmer can represent 256 different colors for a video card, for example. (Two to the power of eight, or 2^8, equals 256.) Therefore, black can be represented by 00000000, white by 11111111, and so on.
What is the difference between spyware and adware?
The difference between spyware and adware is a fine line. Both programs can be installed without the user being aware of their presence. Adware, however, sometimes displays a banner that notifies the user of its presence. Adware's main purpose is to determine a user's purchasing habits so that Web browsers can display advertisements tailored to that user. The biggest problem with adware is that it slows down the computer it's running on.
List at least five tools available for footprinting.
The following tools can be used for footprinting: Google groups, Whois, SamSpade, Web Data Extractor, FOCA, Necrosoft NS Scan, Google search engine, Namedroppers, White Pages, Metis, Dig, Netcat, Wget, Paros, and Maltego.
In the context of penetration testing, what is the gray box model?
The gray box model is a hybrid of the white and black box models. In this model, the company gives a tester only partial information. For example, the tester might get information about which OSs are used, but not get any network diagrams.
How does the octal numbering system relate to network security? You may answer this question by providing an example.
To see how the octal numbering system relates to network security, take a look at UNIX permissions. Octal numbering is used to express the following permissions on a directory or a file: Owner permissions, Group permissions, and Other permissions. Setting the permission (rwxrwxrwx) for a directory means that the owner of the directory, members of a group, and everyone else (Other) have read, write, and execute permissions for that directory. Because each category has three unique permissions, and each permission can be expressed as true or false (on or off), three bits are used. You don't need all eight bits because three bits (rwx) are enough. Recall from binary numbering that zero is counted as a number, so with three bits, there are eight possible occurrences: 000, 001, 010, 011, 100, 101, 110, and 111. Using octal numbering, 001 indicates that the execute (x) permission is granted, 010 indicates that the write (w) permission is granted, but not read and execute, and so on.
In the TCP/IP stack, the ____________________ layer is responsible for getting data packets to and from the Application layer by using port numbers.
Transport
port 69
Trivial File Transfer Protocol Used for transferring router configurations
As a security tester, you can't make a network impenetrable.
True
Even though the Certified Information Systems Security Professional (CISSP) certification is not geared toward the technical IT professional, it has become one of the standards for many security professionals.
True
The SysAdmin, Audit, Network, Security (SANS) Institute offers training and IT security certifications through Global Information Assurance Certification (GIAC).
True
TCP packet
Two 16-bit fields contain the source and destination port numbers
Passive: attacker does not interact with the system directly. Active: attacker interacts with the target system by using tools to detect open ports, accessible hosts, router locations, network mapping, details of operating systems, and applications.
Types of reconnaissance
Unicornscan optimizes ____ scanning beyond the capabilities of any other port scanner. a. TCP c. ICMP b. UDP d. IP
UDP
____ is a connectionless protocol. a. TCP c. FTP b. UDP d. POP3
UDP
____ is a fast but unreliable delivery protocol that operates on the Transport layer. a. IP c. TFTP b. TCP d. UDP
UDP
UDP is an unreliable data delivery protocol. Why is it widely used on the Internet?
UDP is a widely used protocol on the Internet because of its speed. UDP doesn't need to verify whether the receiver is listening or ready to accept the packets. The sender doesn't care—it just sends, even if the receiver isn't ready to accept the packet.
TCP header flag that is used to signify urgent data
URG
____ was developed to assist security testers in conducting tests on large networks and to consolidate many of the tools needed for large-scale endeavors. a. Unicornscan c. Nessus b. NetScanTools d. Nmap
Unicornscan
List the five techniques used by social engineers in their attempts to gain information from unsuspecting people.
Urgency - Quid pro quo - Status quo - Kindness - Position
UDP stands for ____. a. User Datagram Protocol c. User Data Packet b. Universal Datagram Protocol d. Universal Data Packet
User Datagram Protocol
worm that uses UDP port 8998 to contact the attacker's server
W32/Sobig.F
internet protocol version 6 (IPv6)
Wasn't designed with security in mind; many current network vulnerabilities
vulnerability
Weakness in a defined asset that could be taken advantage of or exploited by some threat; the primary entry point an attacker can use to gain access to a system or to its data
A(n) ____ is a 1-pixel x 1-pixel image file referenced in an <IMG> tag, and it usually works with a cookie. a. image bug c. Bugnosis detector b. zone transfer d. Web bug
Web bug
Automates tasks; time saving; requires basic programming skills
What are customized scripts
Trojans to transfer user names, passwords, and any other information stored on the system
What can hackers use trojans for?
Educate users about dumpster diving; proper trash disposal; format disks before disposing of them (software writes binary zeros, done at least seven times); discard computer manuals offsite; shred documents before disposal
What can you do to prevent dumpster diving
Discovering system design faults and weaknesses that might allow attackers to compromise a system; keeping informed of new products and technologies in order to find news related to current exploits; checking underground hacking Web sites for newly discovered vulnerabilities and exploits; checking newly released alerts regarding relevant innovations and product improvements for security systems
What does vulnerability research include?
Resolves host names to IP addresses; people prefer URLs to IP addresses; extremely vulnerable
What is DNS
Closed port responds with an RST packet
What is FIN scan
Pings multiple IP addresses simultaneously; accepts a range of IP addresses entered at a command prompt, or an input file containing multiple IP addresses, usually created with a shell-scripting language
What is FPing
Used to perform ping sweeps and bypass filtering devices; allows users to inject modified IP packets
What is Hping
First released in 1998; no longer under GPL license; still available for download
What is Nessus
Originally written for Phrack magazine; one of the most popular tools; new features frequently added
What is Nmap?
Open-source fork of Nessus; performs complex queries while the client interfaces with the server; capable of updating security check plug-ins (security test programs, i.e., scripts)
What is OpenVAS
Identify which IP addresses belong to active hosts by pinging a range of IP addresses
What is Ping sweeps
Stealthy scan
What is SYN scan
FIN, PSH and URG flags are set
What is XMAS scan
Packet flags are turned off
What is a NULL scan
Closed port responds with ICMP "Port Unreachable" message
What is a UDP scan
Used to get past firewall
What is an ACK scan
Completes three-way handshake
What is connect scan?
Looking through an organization's trash for any discarded sensitive information
What is dumpster diving
Use it to increase awareness of their social or political agendas Considered a crime, irrespective of intentions
What is hacktivism used for?
Technique used to exploit the system by pretending to be a legitimate user
What is spoofing
Command: nmap 193.145.85.201 (scans every port on the computer with this IP address)
What is the standard tool for security professionals
Developed to assist with large network tests; ideal for large-scale endeavors; scans 65,535 ports in three to seven seconds
What is unicornscan
dig and host
What is zone transfer tools
What makes the OpenVAS tool unique?
What makes this tool unique is the capability to update security check plug-ins when they become available. An OpenVAS plug-in is a security test program (script) that can be selected from the client interface. The person who writes the plug-in decides whether to designate it as dangerous, and the author's judgment on what's considered dangerous might differ from yours.
hacktivism
When hackers break into government or corporate computer systems as an act of protest
In the ____ model, the company might print a network diagram showing all the company's routers, switches, firewalls, and intrusion detection systems (IDSs) or give the tester a floor plan detailing the location of computer systems and the OSs running on these systems. a. black box c. red box b. white box d. gray box
White box
The ____________________ utility gives you information on a company's IP addresses and any other domains the company might be part of.
Whois
____ is a tool that is used to gather IP and domain information. a. Whois c. Metis b. Netcat d. Dig
Whois
To identify and correct network vulnerabilities; to protect the network from being attacked; to get information that helps to prevent security issues; to gather information about viruses and malware; to find weaknesses in the network and to alert the network administrator before a network attack; to know how to recover from a network attack
Why do hackers need vulnerability research?
In order to detect Trojans and compromised files and directories
Why do system administrators deploy host-based IDS
All security testers must be familiar with this tool; it supports many parameters
Why is Hping a powerful tool
How many host addresses can be assigned with a subnet mask of 255.255.255.0? Give a brief description of how you calculated the result.
With a default subnet mask of 255.255.255.0, 254 host addresses can be assigned to each segment. You use the formula 2^x - 2 for this calculation. For this example, x equals 8 because there are eight bits in the fourth octet: 2^8 - 2 = 254. You must subtract two in the formula because the network portion and host portion of an IP address can't contain all ones or all zeros.
How can DNS be used for footprinting?
Without going into too much detail, DNS uses name servers to resolve names. After you determine what name server a company is using, you can attempt to transfer all the records for which the DNS server is responsible. This process, called a zone transfer, can be done with the Dig command. (For those familiar with the Nslookup command, Dig is now the recommended command.) To determine a company's primary DNS server, you can look for a DNS server containing a Start of Authority (SOA) record. An SOA record shows for which zones or IP addresses the DNS server is responsible. After you determine the primary DNS server, you can perform another zone transfer to see all host computers on the company network. In other words, the zone transfer gives you an organization's network diagram. You can use this information to attack other servers or computers that are part of the network infrastructure.
Closed ports respond to a(n) ____ with an RST packet. a. XMAS scan c. Connect scan b. SYN scan d. ACK scan
XMAS scan
in this type of scan, the FIN, PSH, and URG flags are set
XMAS scan
Nmap has a GUI version called ____________________ that makes it easier to work with some of the more complex options.
Zenmap
____ enable you to see all the host computers on a network. In other words, they give you an organization's network diagram. a. Web bugs c. Zone transfers b. Footprints d. Namedroppers
Zone transfers
____ sometimes displays a banner that notifies the user of its presence. a. Spyware c. Webware b. Adware d. Malware
adware
File transfer protocol (FTP)
allows different OSs to transfer files between one another
The virus signature file is maintained by ____ software. a. antivirus c. remote control b. keylogger d. firewall
antivirus
In the TCP/IP stack, the ____ layer is where applications and protocols, such as HTTP and Telnet, operate. a. Internet c. Transport b. Network d. Application
application
The ____-layer protocols are the front ends to the lower-layer protocols in the TCP/IP stack. a. Internet c. Transport b. Network d. Application
application
viruses
attaches itself to a file or program; needs a host to replicate; does not stand on its own; no foolproof prevention method
The ____ vi command deletes the current line. a. d c. dd b. dl d. dw
dd
Which of the following provides the most secure method of securing a company's assets? a. rotary locks c. card access b. combination locks d. deadbolt locks
card access
In any *NIX system, after saving a script, you need to make it executable so that you can run it. From the command line, type ____. a. chmod +execute script_name c. chmod -execute script_name b. chmod +x script_name d. chmod -x script_name
chmod +x script_name
does not allow entry or access to a service
closed port
High-order nibble: left side; low-order nibble: right side
components of nibbles
The U.S. government now has a new branch of computer crime called __________________________________________________.
computer hacking and intellectual property (CHIP)
____________________ is defined as securing a stand-alone computer that's not part of a network infrastructure.
computer security
The ____ relies on the OS of the attacked computer, so it's a little more risky to use than the SYN scan. a. NULL scan c. XMAS scan b. connect scan d. ACK scan
connect scan
similar to the SYN scan, except that it does complete the three-way handshake
connect scan
Employees of a security company are protected under the company's ____________________ with the client.
contract
A(n) ____________________ is a text file generated by a Web server and stored on a user's browser.
cookie
Those who break into systems to steal or destroy data are often referred to as ____________________.
crackers