intro to cybersecurity 1 CTS1120 module one complete
Closed Source/Proprietary Intelligence
Business information, legal data, educational records, banking information, medical records
Vulnerability Databases
Common source of threat intelligence; researchers find vulnerabilities and upload them here because everyone needs to know about them. Examples of this are: CVE (Common Vulnerabilities and Exposures) and the U.S. National Vulnerability Database (NVD)
There are four key pillars of intelligence/information gathering, and these are known as CART, which stands for:
Completeness, Accuracy, Relevance, Timeliness
Which of the following are the phases in Open Source Intelligence (OSINT)? [Choose all that apply]
Source Identification, Data Processing, Data Harvesting, Data Analysis, Result Delivery
What is an objective of state-sponsored attackers?
To spy on citizens
shadow IT
works to circumvent or work around the bottlenecks that users face on the network. As in the given example, you could not find a way to test your applications and therefore set up your own network. So, to circumvent the network's security controls, you set up your own network to test applications. In a way, you have used IT resources to beat their security controls.
Pseudonymous
you collect information that is published by the target under a pseudonym. The target uses this name so that the information cannot be traced back to him or her
internet recon.
you use the internet to find out information
anonymous recon.
you will collect information anonymously. You would use this method when you do not want someone to trace you. For example, there are several free VPN tools available that allow you to surf the web anonymously.
The Route Analysis category includes the following tools:
0trace, intrace, irpas-ass, irpas-cdp, netdiscover, netmask
OSINT
Open Source INTelligence; gathered from publicly available sources
Recon-ng
Recon-ng is a full-featured Web Reconnaissance framework written in Python (CLI - Linux)
The SMB Analysis category includes the following tools:
enum4linux, nbtscan, smbmap
Luna is reading a book about the history of cybercrime. She read that the very first cyberattacks that occurred were mainly for what purpose?
fame
Reconnaissance can be split into 3 parts
footprinting, scanning, enumeration
to use a wildcard to do ip range scan with nmap
nmap 192.168.0.*
to scan the most common ports you can also use the --top-ports parameter with a specified number. To do this, type the following command:
nmap --top-ports 10 (insert ip address ex:192.168.0.1)
to trace the route between each host and the system:
nmap --traceroute 192.168.0.0/24
to use the -A parameter with the nmap command to perform fingerprinting. type the following command:
nmap -A 192.168.0.6
Which of the following type of attacker keeps exfiltrating the data quietly, without being detected?
APT
Kali Linux also includes reconnaissance or footprinting tools under different categories, which are:
DNS Analysis, IDS/IPS Identification, Live Host Identification, Network & Port Scanners, OSINT Analysis, Route Analysis, SMB Analysis, SMTP Analysis, SNMP Analysis, SSL Analysis
nmap can be used for:
Discovering hosts, services, and ports; fingerprinting the operating system; enumeration; discovering vulnerabilities on the local and remote host; finding the IP address of a remote system
There are different phases in OSINT.
Source Identification: The threat actor identifies sources from which information can be gathered. Data Harvesting: The threat actor collects information from identified sources. Data Processing: The threat actor processes and identifies information that can help in enumerating the target. Data Analysis: The threat actor performs data analysis of information that was processed in the previous phase. Result Delivery: This is the final phase in OSINT in which information about the target is finalized.
scanning
Using active reconnaissance methods, such as nmap scanning, to extract information about networks and systems.
how to perform discovery scans
Using a ping scan, using an ARP scan, using a port scan
external threat actor
a threat actor that does not have legitimate access to an organization's resources
5 Types of Reconnaissance
active, passive, pseudonymous, internet, anonymous
There are primarily two types of fingerprinting:
active, passive
theharvester
an information-gathering tool. By providing a domain name and a search engine name, you can search for the following information: e-mail accounts, user names, hostnames, subdomains, banners
The Live Host Identification category includes the following tools:
arping, cdpsnarf, fping, hping3, masscan, miranda, ncat, thcping6, unicornscan, wol-e, xprobe2
what does the --osscan-guess option with the -O parameter do?
attempts to detect the operating system. If it is not able to do so, then it will provide the closest signature possible. It performs an aggressive detection of the operating system. To do this, type the following command: nmap -O --osscan-guess (insert ip address ex:192.168.0.3)
The OSINT Analysis category includes the following tools:
automater, maltego, theharvester, twofi, urlcrazy
Which of the following is not a recognized attack vector?
b. On-prem
Which of the following groups have the lowest level of technical knowledge?
b. Script kiddies
how do you find different commands in recon-ng
command help
What is the term used to describe the connectivity between an organization and a third party?
d. System integration
How do vendors decide which should be the default settings on a system?
d. Those settings that provide the means by which the user can immediately begin to use the product.
Complete this definition of information security: That which protects the integrity, confidentiality, and availability of information _____.
d. through products, people, and procedures on the devices that store, manipulate, and transmit the information
a fast scan
which will scan for the 100 most common ports on a given system: nmap -F (insert address)
The SMTP Analysis category includes the following tools:
smtp-user-enum, swaks
Which type of phishing targets specific individuals and companies?
spear phishing
The SSL Analysis category includes the following tools:
sslaudit, ssldump, sslh, sslscan, sslyze, tlssled
What steps did you take to determine system properties?
start, settings, system, about
Which of the following groups use Advanced Persistent Threats?
state actors
Insider threats are generated by the individuals who are either the organization's employees or are closely associated with the organization as a vendor or a third-party. [TRUE/FALSE]
true
enumeration
use the information to find the area that you want to attack. For example, if the attacker finds out that a specific version of Apache is being used, then the attacker can narrow down the attack to exploit its vulnerabilities.
Which type of phishing is conducted over the Voice over IP (VoIP) lines where the attacker pretends to be a legitimate caller from a bank or a financial institution?
vishing
Which type of attack does the attacker infect a website that is often visited by the target users?
watering hole
Which tool is most commonly associated with state actors?
APT
Which of the following attack uses CDs, DVDs, or USB drives?
baiting
use theHarvester, perform the following steps:
in the terminal, type: theHarvester -d practice-labs.com -l 500 -b google
Which type of hacker will probe a system for weaknesses and then privately provide that information back to the organization?
a. White hat hackers
Which of the following is not true regarding security?
b. Security is a war that must be won at all costs.
Which type of hackers break into systems for personal or financial gain?
black hat
The SNMP Analysis category includes the following tools:
braa, onesixtyone, snmp-check
Which of the following is not an issue with patching?
c. Patches address zero-day vulnerabilities
Which of the following is true regarding the relationship between security and convenience?
c. Security and convenience are inversely proportional.
The DNS Analysis category includes the following tools:
dnsenum, dnsmap, dnsrecon, dnstracer, dnswalk, fierce, urlcrazy
The IDS/IPS Identification category includes the following tools:
fragroute, fragrouter, ftest, lbd, wafw00f
Which of the following performs hacking for either a political reason or wants to bring in a social change?
hacktivist
Which of the following of the CIA Triad ensures that the information is correct, and no unauthorized person has altered it?
integrity
Which of the following is not used to describe those who attack computer systems?
malicious agent
Network & Port Scanners category includes the following tools:
masscan, nmap, unicornscan, zenmap
how do you use installed modules in recon-ng
modules load "insert module name"
scan for live hosts on a network using an IP address range
nmap (insert ip address range ex: 192.168.0.1-4)
Hacktivists
A protester seeking to make a political point by leveraging technology tools, often through system infiltration, defacement, or damage.
threat maps
A real-time map of the computer security attacks that are going on at any given time. There are many websites that have threat maps
nmap (network mapper)
A security vulnerability scanner that can determine which devices are connected to the network
Active reconnaissance can include the following methods:
IP or port scanning, operating system scanning, footprinting of existing services in a system, zone transfer on an internal DNS server, spidering the public web pages, fuzzing, social engineering
different states of a port
Open: An application is listening for connections on this port. Closed: The messages were received, but no application is listening on the port. Filtered: The messages were not received, and the state of the port could not be determined. This state occurs when some type of filtering is being used on the port. Unfiltered: The messages are received, but still, the state of the port could not be determined. Open/Filtered: The port was either filtered or open, but Nmap was unable to determine the state. Closed/Filtered: The port was either filtered or closed, but Nmap was unable to determine the state.
p0f
Passive OS fingerprinting tool that evaluates large amounts of data while identifying the network hosts involved in TCP/IP communications
nmap ways to scan:
Scan a single IP: nmap 192.168.0.1; scan a host by using its name: nmap host1.plab.com; scan an entire subnet: nmap plab.com/24, nmap 192.168.0.0/24, nmap 192.168.0.*; scan a range of IP addresses: nmap 192.168.0.1-10; scan a range and a system outside the range: nmap 192.168.0.1, 1.10
IoC can be of various types, and some of these are:
Unusual network traffic that is either inbound or outbound; unusual activities performed by an administrative or privileged user account; unusual changes in the operating system or registry; unusual connections established from unknown sources; unusual DNS modifications and requests; untimely system patching
APT attacks have several characteristics that set them apart from traditional threats:
Well-targeted, data focused, looks for high-value information, undetectable, well organized, well-funded
Fingerprint a System
With fingerprinting, you can determine the type of operating system and its version on a remote system. It can also be used to determine applications, such as web servers.
Which of the following is false about the CompTIA Security+ certification?
a. Professionals who hold the Security+ certification earn about the same or slightly less than security professionals who have not achieved this certification.
What is the category of threat actors that sell their knowledge of vulnerabilities to other attackers or governments?
brokers
To fingerprint a remote system, type the following command:
nmap -O (insert ip address ex: 192.168.0.6) The -O parameter provides more options for operating system detection.
nmap limit the scan for operating systems command?
nmap -O --max-os-tries 2 (insert ip address ex:192.168.0.5)
scan for the operating system only on the live hosts. To do this, type the following command:
nmap -O --osscan-limit 192.168.0.0/24
how do you scan for open ports in nmap
nmap -p 80 (insert ip address ex: 192.168.0.0/24); you can scan for different ports by putting the port number after -p, e.g. nmap -p 44, nmap -p 3389, etc.
scan for 65535 ports on a system. To do this, type the following command:
nmap -p- (insert ip address ex:192.168.0.1)
How can you ping using nmap
nmap -sP (insert address) or nmap -sn (insert address)
perform port scanning using TCP connect. Type the following command:
nmap -sT (insert ip address ex:192.168.0.1)
scan for the selective UDP ports only. Type the following command:
nmap -sU -p 53,80,3389 (insert ip address ex: 192.168.0.1)
send a SYN message to a specific port on a subnet to detect live systems. To do this, type the following command:
nmap -sn -PS80 192.168.0.0/24
Passive reconnaissance can use some of the following methods
Search the Whois database, browse through the target's website, perform social network scraping, search Google or any search engine, extract the DNS information, review blogs, public forums, and websites, search breach databases and the dark web for information about the target
Various tools can be used in reconnaissance or footprinting. Some of the key tools are:
Whois - queries for domain names; Nslookup - queries DNS; FOCA - enumeration for users, files, folders, and OS information; theHarvester - information gathering for e-mail addresses, subdomains, hostnames, banners; Shodan - information search engine using metadata; Maltego - information gathering; Recon-ng - web reconnaissance; Censys - search engine for information about devices on the Internet
Advanced Persistent Threat (APT)
a sophisticated, possibly long-running computer hack that is perpetrated by large, well-funded organizations such as governments
internal threat actor
a threat actor that has legitimate access to an organization's resources
You received a call from a person who was pretending to be from a law firm. The caller wanted to know some confidential information about your organization. Which of the following social engineering method was the person using?
authority
Which of the following is not a reason why a legacy platform has not been updated?
no compelling reason for updating
Which of the following ensures that only authorized parties can view protected information?
not availability but confidentiality
types of insiders
pure insider - legitimate insider; insider associate - 3rd-party vendor or contractor; insider affiliate - could be a spouse of an insider; outsider affiliate - not associated with the business or entity at all but looking to get in
After Bella earned her security certification, she was offered a promotion. As she reviewed the job responsibilities, she saw that in this position she will report to the CISO and will be a supervisor over a group of security technicians. Which of these generally recognized security positions has she been offered?
security manager
What is the result of not accepting the license agreement on the installation?
the installation halts
footprinting
the process of systematically identifying the network and its security posture (usually a passive process)