ReliaQuest

Réussis tes devoirs et examens dès maintenant avec Quizwiz!

Reflected XSS

Injected script is reflected off the web server, such as in an error message, search result, or any other response. Attacks are delivered via another route such as email or other website. Code travels to vulnerable site and reflects attack back to user's browser; also called Non-Persistent or Type-II

MITM Attack

Intercepts communication between two systems

Burp Suite

Java-based web pentesting framework. Can be configured in your browser to route traffic through the burp suite proxy server and BS analyzes each request to and from the target app so you can analyze it

What is UDP?

Layer 4 protocol that doesn't provide acknowledgement of sent packets; tends to be used in voice and video streaming; no session multiplexing; connectionless; no flow control and relies on higher layer protocols

IDS vs IPS

IDS (intrusion detection system) sits on a switch on the network; detects threats that are already in the network and attacks in progress IPS (intrusion prevention system) sits before a switch; monitors internal traffic to block attacks

Host firewall

IP table in a Linux box

Stored XSS

Injected script is permanently stored on the target servers (i.e., database, message forum, comment field, etc.); also called Persistent or Type-I

How to browse directories, list users, processes, etc. in Linux

cd (change directory), pwd (print working directory), top (see user usage), ps (list all running processes), uname -all (Linux version), systemctl (all services)

How to copy files in Linux

cp

Where is local user info stored

etc/passwd file; can be opened using cat or less

Stateless firewall

Designed to protect network based on static info such as source and destination; use packet filtering rules that specify conditions

DDoS

DoS employs multiple attacking systems to deny the users access to a particular service or system

Hub

Essentially a repeater; sends incoming traffic to its port to all other ports

Where would you find a log in you're investigating an incident?

Event viewer - tool to search and view logs generated by Windows hosts; is a log aggregator /var/logs on Linux

DoS

Exploit a known vulnerability in a specific application, OS, protocol, or service in order to deny authorized users access

Pfsense Firewall

Firewall/router software distribution based on FreeBSD. Installed on a physical computer or virtual machine to make a dedicated firewall/router for a network

Suricata

Gets one packet at a time from the system; pre-processed, passed to detection engine, can use pcap in IDS mode, but can connect to nfnetlink_queue

What role does SIEM play in security operations?

Goal is to keep networks, computer systems, applications, and environments up and running in a secure and protected manner

Offensive Security: ARP Poisoning

When an attacker sends falsified ARP messages over the LAN to link an attacker's MAC address with the IP address of a legitimate computer or server on the network

Other ports

110 - default POP3 non-encrypted port 995 - used for secure POP3 connection 143 - default IMAP non-encrypted port 993 - used for secure IMAP connection 25 - default SMTP non-encrypted port 2525 - opened on all SiteGround servers in case 25 is filtered; non-encrypted SMTP 465 - used for secure SMTP connection

SIEM (Security Information and Event Management)

- Log consolidation: centralized logging to a server - Threat correlation: the intel used to sort through multiple logs to identify attacks - Incident management: workflow that executes once threat is identified - Reporting

Linux logs

/var/log

RSA Encryption

1. Client Hello - client sends hello message to server; includes TLS version, cipher suites, and the client random (string of random bytes) 2. Server Hello - server replies with message containing SSL cert, cipher suite, and server random 3. Authentication - client verifies server's SSL certificate with the cert authority; confirms the server's identity 4. Premaster Secret - client sends another client random; encrypted with public key and can only be decrypted with server's public key 5. Private Key - server decrypts premaster secret 6. Session Keys - client and server generate session keys from the client random, server random, and premaster secret; should arrive at same results 7. Client and Server Ready - client and server send a finished message to each other that is encrypted with session key 8. Secure Symmetric Encryption Achieved - handshake is completed; communication continues using session keys

TCP/IP Model

1. Network Interface Layer - encompasses physical and data link layers 2. Internet - encompasses network layer 3. Transport - encompasses transport layer; also connects systems, TCP/UDP 4. Application - encompasses session, presentation, and application layers; TCP looks at apps as apps

OSI Model

1. Physical - cables 2. Data Link - anything with a MAC address; network cards, switches 3. Network - anything with a logical address; IP addresses, routers 4. Transport - responsible for assembly/disassembly of packets 5. Session - responsible for the connection between two systems; TCP between server and client, shared folder between two computers 6. Presentation - responsible for converting data into a format that applications can read 7. Application - API inside of applications that allows for apps to connect

Most common ports leveraged in cyber attacks

22 - SSH: meterpreter (interactive shell that attacker can use to explore target machine and execute code), banner grabbing (attack sends request to system to gain more information), brute force, stealing PGP keys 80 - HTTP: websites, apache exploits 443 - HTTPS: secure websites, heartbleed (bug that can make memory readable) 20-21 - FTP: file transfer protocol, anonymous logic through WinSCP, disable anonymous login, banner grabbing, sniffing 3389 - RDP: brute force, DOS attack 53 - DNS: enumeration (check if a name exists in a database; iterative attack), can reveal the size of an organization 25 - SMTP

Nmap

A network utility designed to scan a network and create a map. Frequently used as a vulnerability scanner.

Metasploit

A penetration-testing tool that combines known scanning techniques and exploits to explore potentially new types of exploits

Directory traversal

Aims to access files or directories outside of the web root folder by manipulating variables that reference files with the (../) sequence or by using absolute file paths

SQL Injection

An attack that targets SQL servers by injecting commands to be manipulated by the database; prevent by using input sanitation (prepared statements, stored procedures, whitelist input validation, escape user supplied input)

Wireshark

Application that captures and analyzes network packets

DMZ (demilitarized zone)

Area of a network that sits outside of the main company network; external facing services (web servers, guest networks, mail servers, DNS servers) are here; usually right after the firewall; traffic gets redirected here by firewall based on requested services

Router

Connect networks together and tend to be grouped with switches in a home setting

Switch

Connects computers within a network; send traffic from one port to another but keep a list of MAC addresses that are plugged into each port so that traffic is only sent to those devices

File permissions

Defined by owner, group, and everyone else

What is TCP?

Layer 4 protocol that provides acknowledgements of received packets; reliable because it resends lost packets; one drawback is that it has additional overhead (additional data that needs to be sent); used by application protocols like HTTP and FTP; provides session multiplexing - connection must be established first and is closed afterwards; provides end-to-end flow control which is realized using a sliding window - sends acknowledgement from receiver's end regarding the data that the receiver can receive at a time

Kali Linux

Linux distribution designed for digital forensics and pentesting

XSS (Cross Site Scripting)

Malicious script is injected into a website so that it executes when a user enters the site; can be used to steal cookies, session tokens, or rewrite the content of an HTML page

Polymorphic malware

Malware that can change its code after each use; changes are designed to not affect the functionality of the code

Systemd & SystemV

Method used to manage and launch services/applications on Linux hosts; similar to task manager on Windows

Stateful firewall

Monitors the entire state of any network connections; constantly analyze entire data packet; once it approves of a traffic the first time, is added to a state table and can travel more freely into network; very resource intensive and vulnerable to DDoS attacks; Windows Firewall but can be configured to be stateless

Bro/Zeek

NIDS features, incident response, forensics, file extraction, and hashing

Snort

Open source NIDS; packet sniffer that monitors network traffic in real time, analyzing each packet closely to detect a dangerous payload or suspicious anomaly; can be run in logging mode, packet capture mode, or IDS mode with the available rulesets

Ransomware

Performs some action and extracts ransom from a user; ransom is used to remove malware from machine

Worm

Piece of code that attempts to penetrate networks and computer systems by copying itself and propagating through networks and the Internet; does not rely on itself attaching to another piece of code

Virus

Piece of malicious code that replicates by attaching itself to another piece of executable code

Trojan

Piece of software that appears to do one thing but hides itself of other functionality

RedHat vs Ubuntu

RedHat is more geared towards enterprise systems where Ubuntu is more of a home desktop environment; Ubuntu is known to be more newbie-friendly

Su-

Run command as root

TCP 3-Way Handshake

SYN - client sends SYN segment to server requesting a connection; will let the server know what sequence number its segments will start with SYN/ACK - server responds with SYN + ACK signal bits, acknowledging the connection to be made; lets the client know what sequence number its segments will start with ACK - client acknowledges the server response Steps 1-2 establish the connection one way while steps 2-3 establish the connection the other way

Vulnerability Scanning vs. Vulnerability Sweeping

Scanning - scans any port on one or more hosts Sweeping - looks for a specific port across multiple hosts

Cron

Scheduler used by Linux systems; can use to have a box communicate to you at only certain times

Find-

Search a file system

Grep-

Search content of a file

Malware

Software that can be designed to cause damage or enable unauthorized access to a system

Bots

Software that performs some task under the control of another program; can create botnets

Keylogger

Software that records keystrokes

Examples of SIEMs

Splunk, SolarWinds, IBM Radar, RSA NetWitnews, AlienVault, LogRhythm

SSL/TLS Handshake

Takes place whenever connection via HTTPS is used; occurs AFTER a TCP connection has already been made 1. Specify which version of TLS will be used (1.0, 1.2, 1.3) 2. Decide which cipher suites will be used 3. Authenticate the server using the public key and the SSL cert authority's digital signature 4. Generate session keys in order to use symmetric encryption after handshake is complete

Man In The Browser Attack

Trojan horse is used to intercept and manipulate calls between the main application's executable and its security mechanisms or libraries ; used to cause financial fraud by manipulating transactions

Phishing

Type of social engineering in which the attacker attempts to obtain sensitive information from users by acting as a trusted entity

Windows 10 commands

netstat - aos: display stats of all active ports netstat -aon: display all network data on running ports netstat -a: display all active ports netstat -aon | find /i "LISTENING" | find "port#": list specific info about a port

How to update Linux system

yum or apt-get; varies depending on the version of Linux


Ensembles d'études connexes

Australia and New Zealand (States & Territories, Capitals and Features)

View Set

Chapter_8_Subnetting IP Networks

View Set

Physiology- regulation of blood flow

View Set

Chapter 15: Stockholders' Equity

View Set