11.1 - 11.7 Security Assessments
An active IDS, also called an IPS, performs the functions of an IDS but can also react when security breaches occur. An IPS:
> Can automate responses to malicious or suspicious traffic.
> Can terminate sessions (by sending a TCP RST) or restart other processes on the system.
> Performs behaviors that can be seen by anyone watching the network. Usually these actions are necessary to block malicious activities or discover the identity of an intruder. Updating filters and performing reverse lookups are common behaviors of an active IDS.
False negative
A false negative traffic assessment means that harmful traffic was allowed to pass without any alerts being generated or any actions being taken to prevent or stop it. This is the worst possible scenario.
False positive
A false positive traffic assessment means that the system identified harmless traffic as offensive and generated an alarm or stopped the traffic.
Negative
A negative traffic assessment means that the system deemed the traffic harmless and let it pass.
Positive
A positive traffic assessment means that the system detected an attack and the appropriate alarms and notifications were generated or the correct actions were performed to prevent or stop the attack.
Active Reconnaissance
After an attacker has gained as much information as possible through passive reconnaissance, the next step is the active reconnaissance phase. Active reconnaissance is the process of gathering information by interacting with the target in some manner. Because there is direct interaction with the target, there is also a risk of exposure. There are many different methods to perform active reconnaissance, but the goal is to gather additional information on the target, including:
> Network information
  - IP configurations
  - Domains and sub-domains
  - DNS information
> System information
  - Operating systems
  - Software versions
  - Usernames and passwords
  - Physical server locations
  - Additional organizational information
Performing reconnaissance provides the attacker with the information needed to perform a successful attack on the target. The goal is to know and understand the following information about the target:
> Security posture (this includes both network and physical security)
> How to narrow the focus for attack
> Potential vulnerabilities
> How to best create a network map
Reconnaissance
Also known as footprinting. This is the process of gathering information about a target before beginning any penetration test or security audit.
Heuristic-based detection
Also referred to as behavior, anomaly, or statistical-based detection. This detection method first defines a baseline of normal network traffic and then monitors traffic looking for anything that falls outside that baseline.
Signature-based detection
Also referred to as pattern matching, dictionary recognition, or misuse-detection (MD-IDS). This detection method looks for patterns in network traffic and compares them to known attack patterns called signatures.
Device Implementation
An IDS/IPS can be implemented as a host-based or network-based device. The below table describes each implementation:
Open-Source Intelligence (OSINT)
Any data that is collected from publicly available sources such as social media, search engines, company websites, media sources, or public government sources.
11.3 Intrusion Detection
As you study this section, answer the following questions:
> What is the difference between an IDS and IPS?
> Which component gathers data from source devices?
> Why is a false negative the worst possible action by an IDS?
> Which detection method causes more false negatives?
> What is the difference between an inline and out-of-band IDS installation?
In this section, you will learn to:
> Implement intrusion monitoring.
> Implement intrusion prevention.
> Use Sguil and Squert.
11.2 Monitoring and Reconnaissance
As you study this section, answer the following questions:
> What is the goal of network monitoring?
> What is the difference between passive and active reconnaissance?
> What tool is a search engine for internet-connected devices?
In this section, you will learn to:
> Perform port and ping scans.
> Perform reconnaissance with Nmap.
> Perform reconnaissance with theHarvester.
11.1 Penetration Testing
As you study this section, answer the following questions:
> What is the purpose of a penetration test?
> What are the different types of penetration tests?
> What is the role of the purple team?
> Which document defines what is included in the penetration test?
> What is the final phase in the penetration testing life cycle?
In this section, you will learn to:
> Explain the types of penetration tests.
Which of the following activities are typically associated with a penetration test?
Attempt social engineering. Penetration testing typically uses tools and methods that are available to attackers. Penetration testing might start with attempts at social engineering or other reconnaissance activities. This may be followed by more active scans of systems and actual attempts to access secure systems. A vulnerability scanner checks a system for weaknesses. Vulnerability scanners typically require administrative access to a system and are performed internally. They are not done to test system security. Typically, penetration testers cannot run a vulnerability scanner unless they have gained authorized access to a system. A performance baseline is created by an administrator to identify normal network and system performance. Auditing might include interviewing employees to make sure that security policies are being followed.
Documentation/Contracts
Before any penetration test can take place, the goals and guidelines of the test must be established. These are spelled out in the scope of work and rules of engagement documents. The following table describes these important documents:
You have been hired as part of the team that manages an organization's network defense. Which security team are you working on?
Blue
Blue team members are the defense of the system. This team is responsible for stopping the red team's advances. Members of the purple team work on both offense and defense. This team is a combination of the red and blue teams. The red team members are the ethical hackers. This team is responsible for performing the penetration tests. The white team members are the referees of cybersecurity. This team is responsible for managing the engagement between the red and blue teams. This group typically consists of the managers or team leads.
Blue team
Blue team members are the defense of the system. This team is responsible for stopping the red team's advances.
Detection Methods
Both systems monitor data packets for malicious or unauthorized traffic. The below table shows the different methods they can use to distinguish attacks and threats from normal traffic:
As part of a special program, you have discovered a vulnerability in an organization's website and reported it to the organization. Because of the severity, you are paid a good amount of money. Which type of penetration test are you performing?
Bug bounty
Bug bounties are unique tests that are set up by organizations such as Google and Facebook. The organization sets strict guidelines and boundaries for ethical hackers to operate within. Discovered vulnerabilities are reported, and the ethical hacker is paid based on the severity of the vulnerability. In a white box test, the ethical hacker is given full knowledge of the target or network. This test is comprehensive and thorough, but it isn't very realistic. In a black box test, the ethical hacker has no information regarding the target or network. This type of test best simulates an outside attack and ignores insider threats. In a gray box test, the ethical hacker is given partial information about the target or network, such as IP configurations and email lists. This test simulates an insider threat.
11.1.4 Section Quiz
CIST 1601
11.2.9 Section Quiz
CIST 1601
A passive IDS monitors, logs, and detects security breaches, but it takes no action to stop or prevent the attack. A passive IDS:
> Can send an alert, but this requires the security administrator to interpret the degree of the threat and respond accordingly.
> Cannot be detected on the network because it takes no detectable actions.
Curl and wget
Curl and wget are two common command line programs that can be used to download or upload files. An example of using these tools is to download an entire website for offline analysis. Because these tools actively engage with the target, they are considered active reconnaissance tools.
Security Teams
Depending on their role, members of security operations can be placed on different teams. These teams all work together to discover and fix security vulnerabilities. The following table describes the more common security teams:
Intrusion detection system
Device or software that monitors, logs, and detects security breaches, but takes no action to stop or prevent the attack.
Intrusion Prevention System
Device that monitors, logs, detects, and can also react to stop or prevent security breaches.
Dnsenum
Dnsenum is a program that performs DNS enumeration and can find the DNS servers and entries for an organization. This information can help find other information such as usernames, computer names, IP addresses, and more.
Eavesdropping
Eavesdropping is the act of covertly listening in on a communication between other people. This can include:
> Listening to employees' conversations without them knowing.
> Shoulder surfing, which is an eavesdropping technique where the listener obtains passwords or other confidential information by looking over the shoulder of the target as the target logs on or types information.
> Dumpster diving, which is also considered eavesdropping. When dumpster diving, the attacker goes through the trash to find important information that may have accidentally been thrown away.
Heuristic-based
Heuristic-based detection, also referred to as behavior, anomaly, or statistical-based detection, first defines a baseline of normal network traffic and then monitors it. It looks for anything that falls outside that baseline.
> Clipping levels, or thresholds, are defined and used to identify deviations from the baseline.
> When the threshold is reached, an alert is generated or action is taken.
> Heuristic-based systems can recognize and respond to some unknown attacks (attacks that do not have a corresponding signature file).
> This detection method usually causes more false positives than signature-based detection.
hping
Hping is a security tool that can check connectivity and also analyze the target to gather information. Hping can send ICMP, TCP, UDP, and raw IP packets. Hping is primarily designed for Linux but can be installed on Windows.
Engine
IDS component that analyzes sensor data and events; generates alerts; and logs all activity.
Sensor
IDS component that passes data from the source to the analyzer.
IP scanners
IP scanners are special tools that allow a network administrator to scan the entire network to find all connected devices and their IP addresses. Advanced scans can also display information such as:
> Routes
> Hostnames
> Operating systems
Which step in the penetration testing life cycle is accomplished using rootkits or Trojan horse programs?
Maintain access
Once a penetration tester has gained access, maintaining that access becomes the next priority. This can be done by installing backdoors, rootkits, or Trojans. Gain access is the third phase of the penetration test life cycle and uses the information gathered in earlier phases to exploit discovered vulnerabilities. Reconnaissance is the first phase in the penetration testing process. This is when the penetration tester begins gathering information. Enumeration is the second phase in the penetration testing process. The penetration tester uses scanning techniques to extract information such as usernames and computer names.
Purple team
Members of the purple team work on both offense and defense. This team is a combination of the red and blue teams.
You want to use a tool to scan a system for vulnerabilities, including open ports, running services, and missing patches. Which tool should you use?
Nessus
A vulnerability scanner is a software program that searches an application, computer, or network for weaknesses. These weaknesses could be things such as open ports, running applications or services, missing critical patches, default user accounts that have not been disabled, and default or blank passwords. Vulnerability scanning tools include Nessus, Retina Vulnerability Assessment Scanner, and Microsoft Baseline Security Analyzer (MBSA). Wireshark is a protocol analyzer. LC4 is a password-cracking tool that you can use to identify weak passwords. Open Vulnerability and Assessment Language (OVAL) is an international standard for testing, analyzing, and reporting the security vulnerabilities of a system.
Nessus
Nessus is a proprietary vulnerability scanner that is developed by Tenable. Nessus can be used to scan the target for any known vulnerabilities, which can be exploited to gain access to the target.
You want to identify all devices on a network along with a list of open ports on those devices. You want the results displayed in a graphical diagram. Which tool should you use?
Network mapper
A network mapper is a tool that can discover devices on a network and show those devices in a graphical representation. Network mappers typically use a ping scan to discover devices and a port scanner to identify open ports on those devices. A ping scanner only identifies devices on a network, but does not probe for open ports. A port scanner finds open ports, but it might not display devices in a graphical representation. Open Vulnerability and Assessment Language (OVAL) is an international standard for testing, analyzing, and reporting the security vulnerabilities of a system.
Gathering as much personally identifiable information (PII) on a target as possible is a goal of which reconnaissance method?
OSINT
Open-source intelligence is any data that is collected from publicly available sources. The goal is to gather as much personally identifiable information (PII) as possible on the target. Dumpster diving is when an attacker goes through the trash to find important information that may have accidentally been thrown away. Active reconnaissance is the process of gathering information by interacting with the target in some manner. Packet sniffing is the process of capturing data packets that are flowing across a network and analyzing them for important information.
Penetration Testing Life Cycle
Once the paperwork is complete, the pentester can begin work. The following table covers the phases of the penetration testing life cycle.
Maintain Access
Once the pentester has gained access, maintaining that access becomes the next priority. This can be done by installing backdoors, rootkits, or Trojans.
Open-source intelligence (OSINT)
Open-source intelligence is any data that is collected from publicly available sources. The goal is to gather as much personally identifiable information (PII) as possible. This includes information found from resources such as:
> Search engines (Google, Bing)
> Social media (Facebook, LinkedIn)
> Company websites (About sections of websites, company directories)
> Media sources (news sites, interviews, articles)
> Public government sources (property appraisal sites, public records)
Packet sniffing
Packet sniffing is the process of capturing data packets that are flowing across the network and analyzing them for important information. Modern networks should have good protection against network sniffing attacks, but there are occasional circumstances that allow an attacker to gather sensitive information from the data packets. Packet sniffing is most easily performed on open wireless networks. Because the attacker is not sending data or actively interacting with the target, this is considered passive reconnaissance. Scanning for open wireless networks needs to be done before packets can be sniffed. Two common methods are war driving and war flying:
> War driving is driving around with a wireless device looking for open, vulnerable wireless networks.
> War flying uses drones or unmanned aerial vehicles to find open wireless networks.
Which type of reconnaissance is dumpster diving?
Passive
Dumpster diving is when an attacker goes through the trash to find important information that may have accidentally been thrown away. Because there is no direct interaction with the target, dumpster diving is a form of passive reconnaissance. Active reconnaissance is the process of gathering information by interacting with the target in some manner. Dumpster diving does not fall under this category. Open-source intelligence (OSINT) is any data that is collected from publicly available sources. Dumpster diving does not fall under this category. Packet sniffing is the process of capturing data packets that are flowing across a network and analyzing them for important information. Dumpster diving does not fall under this category.
Passive Reconnaissance
Passive reconnaissance involves gathering information on the target with no direct interaction with that target. Valuable information can be gathered using passive reconnaissance. The following table shows some of the common passive reconnaissance methods:
Which of the following uses hacking techniques to proactively discover internal vulnerabilities?
Penetration testing
Penetration testing is the practice of proactively testing systems and policies for vulnerabilities. This approach seeks to identify vulnerabilities internally before a malicious individual can take advantage of them. Common techniques are identical to those used by hackers and include network/target enumeration and port scanning.
11.1.2 Penetration Testing Facts
Penetration testing, also commonly referred to as pentesting or ethical hacking, is the authorized simulation of an attack against an organization's security infrastructure. This can include physical and network security. This lesson covers the following topics:
> Types of penetration tests
> Security teams
> Documentation/contracts
> Penetration testing life cycle
ping
Ping is a command line tool that is used to perform a connection test between two network devices. Ping works by sending ICMP packets to a specified device on the network and waiting for a response. This shows whether or not there is a connection issue. The syntax for the ping command is:
ping <target IP address or hostname>
The following are the more common switches that can be used to modify the ping command:
> -t sends ICMP packets until manually stopped.
> -a resolves addresses to hostnames.
> -n <count> specifies the number of ICMP packets to send. Ping sends 4 packets by default.
> -l <size> specifies the packet size in bytes. Ping sends 32-byte packets by default.
Which phase or step of a security assessment is a passive activity?
Reconnaissance
Reconnaissance is the only step of a security assessment (penetration test) that is passive. Enumeration, vulnerability mapping, and privilege escalation are all active events in a security assessment.
11.2.8 Reconnaissance Facts
Reconnaissance, also known as footprinting, is the process of gathering as much information as possible about a target before beginning any penetration test or security audit. The more information we know about the target, the more prepared we can be for anything that may come up. This lesson covers the following topics:
> Passive reconnaissance
> Active reconnaissance
> Reconnaissance tools
Scan/enumerate
Running scans on the target is the second phase. During this phase, the ethical hacker is actively engaged with the target. Enumeration is part of the scanning phase. Enumeration uses scanning techniques to extract information such as:
> Usernames
> Computer names
> Network resources
> Share names
> Running services
Which of the following is a very detailed document that defines exactly what is going to be included in the penetration test?
Scope of work
A scope of work is a very detailed document that defines exactly what is going to be included in the penetration test. This document is also referred to as the statement of work. The rules of engagement document defines exactly how a penetration test is to be carried out. Goals and guidelines is not a document type. The scope of work and rules of engagement documents detail the goals and guidelines of a penetration test. Payment terms are not a document type. Payment terms are defined in the scope of work document.
Reconnaissance Tools
Selecting the right tool allows the attacker to gain the necessary information on the target. Network defenders can also use these tools to discover what information is out there and take the necessary steps to remove or hide anything that should not be available. There are many tools and resources available to assist in the reconnaissance phase. The below table covers some of the popular tools used:
Which of the following tools can be used to see if a target has any online IoT devices without proper security?
Shodan
Shodan is a popular search engine for internet-connected devices. Users can search for specific types of devices and locations. This information can be used to see if a target has any online devices without proper security. theHarvester is a passive reconnaissance tool that is used to gather information from a variety of public sources. Packet sniffing is the process of capturing data packets that are flowing across the network and analyzing them for important information. Use scanless for port scanning. Instead of the attacker scanning ports from their own machine, scanless uses exploitation websites to perform port scans on their behalf.
Shodan
Shodan is a popular search engine for internet-connected devices. Users are able to search for specific types of devices and locations. This information can be used to see if a target has any online devices without proper security.
Signature-based
Signature-based detection, also referred to as pattern matching, dictionary recognition, or misuse-detection (MD-IDS), looks for patterns in network traffic and compares them to known attack patterns called signatures. Similar to how viruses have a unique fingerprint that antivirus programs use to detect their presence, malicious packets have a unique fingerprint that the IDS can use to do the same. These fingerprints are referred to as signatures.
> Signatures are written and updated by the IDS vendors.
> Signature-based detection cannot detect unknown attacks; it can only detect attacks identified by published signature files. For this reason, it is important to update signature files on a regular basis.
> Signature-based detection usually causes more false negatives than heuristic-based detection.
Sn1per
Sn1per is an automated scanner that can be used to enumerate and scan for vulnerabilities. Sn1per combines the functions of many tools and can be used to find information such as DNS information, open ports, running services, and more.
IP scanners
Special tools that allow a network administrator to scan the entire network to find all connected devices and their IP addresses.
What is the primary purpose of penetration testing?
Test the effectiveness of your security perimeter. The primary purpose of penetration testing is to test the effectiveness of your security perimeter. Only by attempting to break into your own secured network can you be assured that your security policy, security mechanism implementations, and deployed countermeasures are effective. It is important to obtain senior management's approval before starting a penetration test or vulnerability scanning project. Often, penetration testing or vulnerability scanning is performed by an external consultant or security-outsourcing agency that is hired by your organization.
OSINT framework
The OSINT framework is a collection of resources and tools that are separated by common categories. The OSINT Framework makes it easy to gather all sorts of information, making the initial reconnaissance process much more efficient. Documentation can be found at https://osintframework.com/.
Packet sniffing
The act of capturing data packets transmitted across the network and analyzing them for important information.
Eavesdropping
The act of covertly listening in on a communication between other people.
War driving
The act of driving around with a wireless device looking for open vulnerable wireless networks.
War flying
The act of using drones or unmanned aerial vehicles to find open wireless networks.
arp
The arp command is used in both Windows and Linux. ARP stands for Address Resolution Protocol and is used to match IP addresses to MAC addresses. The arp command displays, adds, and removes ARP information from network devices. Some of the common switches used with the arp command are:
> -a displays current ARP entries.
> inet_addr specifies an internet address.
> -d deletes the host specified by inet_addr.
Black box
The ethical hacker has no information regarding the target or network. This type of test best simulates an outside attack and ignores insider threats.
White box
The ethical hacker is given full knowledge of the target or network. This test allows for a comprehensive and thorough test, but is not very realistic.
Gray box
The ethical hacker is given partial information about the target or network, such as IP configurations, email lists, etc. This test simulates the insider threat.
Report
The final phase is generating the test results and supporting documentation. After any penetration test, a detailed report must be compiled. Documentation provides extremely important protection for both the penetration tester and the organization.
Perform reconnaissance
The first phase in the pentesting process is reconnaissance, also known as footprinting. In this phase, the pentester begins gathering information on the target. This can include gathering publicly available information, using social engineering techniques, or even dumpster diving.
11.3.2 IDS Facts
The first step in defending a network against unauthorized access is knowing that someone is gaining access. An intrusion detection system (IDS) is a special network device that can detect attacks and suspicious activity. An active IDS is known as an intrusion prevention system (IPS). This lesson covers the following topics:
> Differences between IDSs and IPSs
> Detection methods
> Device implementation
11.2.2 Network Monitoring Facts
The goal of monitoring is to keep track of conditions on the network, identify situations that might signal potential problems, pinpoint the source of problems, and locate areas of your network that might need to be upgraded or modified. As you monitor your network, look for the top talkers and listeners.
> Top talkers are computers that send the most data, either from your network or into your network.
> Top listeners are hosts that are receiving most of the data by streaming or downloading large amounts of data from the internet.
It is important to know which computers are the big receivers and senders of information because it is a good way to tell if something is wrong on your network. An unauthorized system that is sending large amounts of data to locations outside of your network could be a sign of a data breach. The below table lists some of the tools used to monitor the health of a network:
ipconfig/ifconfig
The ipconfig command (Windows) and the ifconfig command (Linux) are used to display the IP configuration on the local computer. Information such as the following can be shown using these commands:
> Adapter name
> Adapter MAC address
> Whether DHCP is enabled or not
> IPv6 address
> IPv4 address
> Subnet mask
> IP lease information
> Default gateway
> DHCP server
> DNS server
netcat
The netcat security tool can read and write data across both TCP and UDP network connections. It opens a TCP connection between two devices and can be used to send packets, scan for open ports, and listen in on connections to specific ports. You can download netcat from the internet.
nmap
The nmap utility is a network security scanner. Use nmap to scan an entire network or specific IP addresses to discover all sorts of information such as:
> Open ports
> Running services
> Operating system
Nmap can use many different protocols and options depending on the network or device being scanned. Nmap is a command line tool, but a GUI version called Zenmap is available.
nslookup/dig
The nslookup and dig commands are used to view and modify DNS settings. These tools can be used to look up DNS server information and also give IP addresses and domain names for a network server.
> nslookup is used in Windows.
> dig is used in Linux.
pathping
The pathping Windows command line tool combines the tracert and ping tools. Use pathping to locate network devices that are down or causing latency issues.
Passive reconnaissance
The process of gathering information about a target with no direct interaction with the target.
Active reconnaissance
The process of gathering information by interacting with the target in some manner.
Types of Penetration Tests
The purpose of a penetration test is to discover any vulnerability in an organization's network or physical security. Different types of penetration tests can be performed to simulate internal or external threats. The following table details the types of penetration tests:
Red team
The red team members are the ethical hackers. This team is responsible for performing the penetration tests.
route
The route command is used in both Windows and Linux to show the routing table and to make manual changes to the table.
Rules of engagement
The rules of engagement document defines exactly how the penetration test will be carried out. The following should be defined in the rules of engagement:
> Type of test - whether the test will be a white box, black box, or gray box test.
> Data handling - an explicit statement of how sensitive data is to be handled. Be aware that the pentester will typically come across sensitive data during a penetration test.
> Notifications - the detailed process on when and how to notify the IT team.
Scope of work
The scope of work is a very detailed document that defines exactly what is going to be included in the penetration test. This document is also referred to as the statement of work. This document should answer the following:
> Who - specific IP ranges, servers, applications, etc. should be explicitly listed.
> What - anything that is off limits, such as specific servers or tactics, should be explicitly listed.
> When - the time frame for the penetration test. This should identify how long the test will run, the deliverables, and when the deliverables are due.
> Where - the location of the penetration tester. Sometimes the penetration tester will be located in a different state. In this case, all parties must agree on which state laws will be followed.
> Why - the purpose and goals of the test. Penetration tests are often performed for compliance purposes, and these requirements must be detailed in the document.
Special considerations, such as travel, required certifications, or anything else unexpected, will be defined in the scope of work. Finally, the scope of work should define payment and how to handle requests for additional work. This will help to reduce scope creep.
Gain access
The third phase takes all of the information gathered in the reconnaissance and scanning phases to exploit any discovered vulnerabilities in order to gain access. After gaining access, the pentester can perform lateral moves, pivoting to other machines on the network. The pentester will begin trying to escalate privileges with the goal of gaining administrator access.
tracert/traceroute
The tracert tool shows the path a packet takes to reach its destination. Every device the packet passes through is known as a hop. Use tracert to locate network devices that are down or causing latency issues.
> tracert is the Windows version and sends ICMP packets.
> traceroute is used in Linux and sends UDP packets.
White team
The white team members are the referees of cybersecurity. This team is responsible for managing the engagement between the red and blue teams. This group typically consists of the managers or team leads.
Bug bounties
These unique tests are programs that are set up by organizations such as Google, Facebook, and many others. The organization sets strict guidelines and boundaries for ethical hackers to operate within. Any discovered vulnerabilities are reported, and the ethical hacker is paid based on the severity of the vulnerability.
netstat
Use the netstat command to display a variety of network statistics in both Windows and Linux, including:
> Connections for different protocols
> Open ports
> Running programs
Some of the common switches used to specify the information shown in Windows are:
-a displays all connections and listening ports.
-b displays the executable involved in creating each connection or listening port.
-f displays the FQDN for the foreign address if possible.
-r displays the routing table.
-p <protocol> shows the connections for a specified protocol (TCP, UDP, TCPv6, UDPv6).
Differences between IDSs and IPSs
Using both of these devices in a network provides the best network detection and protection. If a malicious packet makes it past the IPS, the IDS serves as a backup and alerts the security operations team. The IDS also records and logs everything (this can be viewed in the follow-up). The steps an IDS/IPS takes when monitoring traffic are:
> A sensor passes data from the source to the analyzer.
> The engine, or analyzer, analyzes the sensor data and events, generates alerts, and logs all activity. An alert is a message indicating an event of interest (such as a possible attack).
> The IDS/IPS labels traffic based on its interpretation of whether or not the traffic poses a threat, as described in the following table.
> The below table shows the differences between an IDS and an IPS:
The process of walking around an office building with an 802.11 signal detector is known as:
War driving War driving is the act of searching for wireless networks (802.11) using a signal detector or a network client (such as a PDA or notebook). While the phrase war driving originated from the action of driving around a city searching for wireless networks, the name currently applies to any method of searching for wireless networks, including walking around. War dialing and daemon dialing are both the act of dialing phone numbers in search of an answering modem. Often, war/daemon dialing calls all of the phone numbers in an area code or a prefix range in search of active modems. Driver signing is a method of signing device drivers in an attempt to verify the source and quality of installed drivers. However, signing a device driver only indicates its source. Signing does not guarantee the reliability, stability, quality, or compatibility of a device driver.
You have been promoted to team lead of one of the security operations teams. Which security team are you now a part of?
White The white team members are the referees of cybersecurity. This team is responsible for managing the engagement between the red and blue teams. This group typically consists of the managers or team leads. Blue team members are the defense of the system. This team is responsible for stopping the red team's advances. Members of the purple team work on both offense and defense. This team is a combination of the red and blue teams. The red team members are the ethical hackers. This team is responsible for performing the penetration tests.
You have been hired to perform a penetration test for an organization. You are given full knowledge of the network before the test begins.
White box In a white box test, the ethical hacker is given full knowledge of the target or network. This test allows for a comprehensive and thorough test, but it is not very realistic. In a black box test, the ethical hacker has no information regarding the target or network. This type of test best simulates an outside attack and ignores insider threats. In a gray box test, the ethical hacker is given partial information about the target or network, such as IP configurations and email lists. This test simulates an insider threat. Bug bounties are unique tests that are set up by organizations such as Google and Facebook. The organization sets strict guidelines and boundaries for ethical hackers to operate within. Any discovered vulnerabilities are reported, and the ethical hacker is paid based on the severity of the vulnerability.
Which of the following tools can be used to view and modify DNS server information in Linux?
dig The dig command is used to view and modify DNS settings. This tool can be used to look up DNS server information and give IP addresses and domain names for a network server. The tracert command shows the path a packet takes to reach its destination. This is not the best tool for checking connectivity between two network devices. The route command is used in both Windows and Linux to show the routing table and to make manual changes to it. The netstat command is used to display a variety of network statistics in both Windows and Linux. This command is not used to look up DNS server information.
You need to enumerate the devices on your network and display the network's configuration details. Which of the following utilities should you use?
nmap The nmap utility is an open-source security scanner used for network enumeration and the creation of network maps. Use nmap to send specially crafted packets to a target host and then analyze the responses to create a map. The scanless utility is used for port scanning. The dnsenum utility is a program that performs DNS enumeration and can find the DNS servers and entries for an organization. Use nslookup to submit name resolution requests to identify DNS name servers and IP addresses for hosts.
You need to check network connectivity from your computer to a remote computer. Which of the following tools would be the BEST option to use?
ping The ping command is used to perform a connection test between two network devices. It works by sending ICMP packets to a specified device on a network and waiting for a response. This shows if there is a connection issue or not. The tracert command shows the path a packet takes to reach its destination. This is not the best tool to check for connectivity between two network devices. The nmap utility is a network security scanner. Use nmap to scan an entire network or specific IP addresses to discover all sorts of information. This is not the best tool to check for connectivity between two network devices. The route command is used in both Windows and Linux to show the routing table and to make manual changes to it.
scanless
scanless is used for port scanning. Instead of scanning ports from the hacker machine, scanless uses exploitation websites to perform port scans. This means the attacker is able to maintain anonymity while scanning the target.
Which passive reconnaissance tool is used to gather information from a variety of public sources?
theHarvester theHarvester is a passive reconnaissance tool that is used to gather information from a variety of public sources. This tool gathers emails, names, subdomains, IPs, and URLs using multiple public data sources. These include search engines, social media sites, and Shodan. Packet sniffing is the process of capturing data packets that are flowing across a network and analyzing them for important information. Shodan is a popular search engine for internet-connected devices. Users can search for specific types of devices and locations. Use scanless for port scanning. Instead of an attacker scanning ports from their own machine, scanless uses exploitation websites to perform port scans on their behalf.
theHarvester
theHarvester is a passive reconnaissance tool that is used to gather information from a variety of public sources. The tool gathers emails, names, subdomains, IPs, and URLs using multiple public data sources. These sources include search engines, social media sites, and Shodan. theHarvester does have some options, such as brute-forcing DNS and taking screenshots, that would fall under active reconnaissance.