4.1 Given a scenario, use the appropriate tool to assess organizational security.
Netcat
Utility for reading and writing raw data over a network connection. Netcat can be used for port scanning and fingerprinting Netcat can also establish connections with remote machines , Netcat can be used to receive files • "Read" or "write" to the network - Open a port and send or receive some traffic • Many different functions - Listen on a port number - Transfer data - Scan ports and send data to a port • Become a backdoor - Run a shell from a remote device • Other alternatives and OSes - Ncat
WinHex
Forensics tool for Windows that allows collection and inspection of binary code in disk and memory images. WinHex from X-Ways (x-ways.net/winhex) is a commercial tool for forensic recovery and analysis of binary data, with support for a range of file systems and memory dump types (depending on version Winhex • A universal hexadecimal editor for Windows OS • Edit disks, files, RAM - Includes data recovery features • Disk cloning - Drive replication • Secure wipe - Hard drive cleaning • Much more - A full-featured forensics tool
theHarvester
theHarvester is a tool for gathering open-source intelligence (OSINT) for a particular domain or company name (github.com/laramies/theHarvester). It works by scanning multiple public data sources to gather emails, names, subdomains, IPs, URLs and other relevant da theHarvester • Gather OSINT - Open-Source Intelligence • Scrape information from Google or Bing - Find associated IP addresses • List of people from LinkedIn - Names and titles • Find PGP keys by email domain - A list of email contacts • DNS brute force - Find those unknown hosts; vpn, chat, mail, partner, etc.
FTK imager
tools to grab registry files. • AccessData forensic drive imaging tool - Includes file utilities and read-only image mounting - Windows executable • Widely supported in many forensics tools - Third-party analysis • Support for many different file systems and full disk encryption methods - Investigator still needs the password • Can also import other image formats - dd, Ghost, Expert Witness, etc.
Wireshark - Packet capture and replay
-Application that captures and analyzes network packets -Wireshark (wireshark.org) is an open-source graphical packet capture and analysis utility, with installer packages for most operating systems. Having chosen the interface to listen on, the output is displayed in a three-pane view. The packet list pane shows a scrolling summary of frames. The packet details pane shows expandable fields in the frame currently selected from the packet list. The packet bytes pane shows the raw data from the frame in hex and ASCII. Wireshark is capable of parsing (interpreting) the headers and payloads of hundreds of network protocols. Wireshark • Graphical packet analyzer - Get into the details • Gathers frames on the network - Or in the air • Sometimes built into the device - View traffic patterns - Identify unknown traffic - Verify packet filtering and security controls • Extensive decodes - View the application traffic
pathping-reconnaissance and discovery
A TCP / IP command that provides information about latency and packet loss on a network Windows utility for measuring latency and packet loss along a route.. pathping • Combine ping and traceroute - Included with Windows NT and later • First phase runs a traceroute - Build a map • Second phase - Measure round trip time and packet loss at each hop
PowerShell - Shell and script environments
A command shell and scripting language built on the .NET Framework. PowerShell is the preferred method of performing Windows administration tasks (docs.microsoft.com/en-us/powershell/scripting/overview?view=powershell-7). It has also become the Windows hacker's go-to toolkit. PowerShell statements can be executed at a PowerShell prompt, or run as a script (.ps1) on any PowerShell-enabled host. The Get-Help cmdlet shows help on different elements of the PowerShell environment. PowerShell is case-insensitive. Most PowerShell usage is founded on cmdlets. A cmdlet is a compiled library that exposes some configuration or administrative task, such as starting a VM in Hyper-V. Cmdlets use a Verb-Noun naming convention. Cmdlets always return an object. Typically, the return from a cmdlet will be piped to some other cmdlet or function. For example: Windows PowerShell • Command line for system administrators - .ps1 file extension - Included with Windows 8/8.1 and 10 • Extend command-line functions - Uses cmdlets (command-lets) - PowerShell scripts and functions - Standalone executables • Automate and integrate - System administration - Active Domain administration
tcpdump - Packet capture and replay
A command-line protocol analyzer. Administrators use it to capture packets. A command-line packet sniffing utility. tcpdump is a command line packet capture utility for Linux (linux.die.net/man/8/tcpdump). The basic syntax of the command is tcpdump -i eth0, where eth0 is the interface to listen on. The utility will then display captured packets until halted manually (Ctrl+C). Frames can be saved to a .pcap file using the -w option. Alternatively, you can open a pcap file using the -r option tcpdump is often used with some sort of filter expression to reduce the number of frames that are captured: 1. Type—filter by host, net, port, or portrange. 1. Direction—filter by source (src) or destination (dst) parameters (host, network, or port). 3. Protocol—filter by a named protocol rather than port number (for example, arp, icmp, ip, ip6, tcp, udp, and so on). tcpdump • Capture packets from the command line - Display packets on the screen - Write packets to a file
Tcpreplay-Packet capture and replay
A command-line utility that replays packets saved to a file back through a network adapter. tcpreplay takes previously captured traffic that has been saved to a .pcap file and replays it though a network interface (linux.die.net/man/1/tcpreplay). Optionally, fields in the capture can be changed, such as substituting MAC or IP addresses. tcpreplay is useful for analysis purposes. If you have captured suspect traffic, you can replay it through a monitored network interface to test intrusion detection rules. IDS, Firewalls, and Honeypots. Tool to replay saved tcpdump or snoop files at arbitrary speeds. SideStep IDS, Firewalls, and Honeypots. An IDS evasion tool. Tcpreplay • A suite of packet replay utilities - Replay and edit packet captures - Open source • Test security devices - Check IPS signatures and firewall rules • Test and tune IP Flow/NetFlow devices - Send hundreds of thousands of traffic flows per second • Evaluate the performance of security devices - Test throughput and flows per second
ARP -reconnaissance and discovery
Address Resolution Protocol arp—display the local machine's Address Resolution Protocol (ARP) cache. The ARP cache shows the MAC address of the interface associated with each IP address the local host has communicated with recently. This can be useful if you are investigating a suspected spoofing attack. For example, a sign of a man-in-the-middle attack is where the MAC address of the default gateway IP listed in the cache is not the legitimate router's MAC address. MAC address :A unique hardware address hard-coded into a network adapter. This provides local addressing on Ethernet and Wi-Fi networks. A MAC address is 48 bits long with the first half representing the manufacturer's Organizationally Unique Identifier (OUI).
cuckoo
Cuckoo is packaged software that aims to provide a turnkey sandbox solution A sandbox for malware - Test a file in a safe environment • A virtualized environment - Windows, Linux, macOS, Android • Track and trace - API calls, network traffic, memory analysis - Traffic captures - Screenshots
tracert ( windows) \ traceroute (linux) - Network reconnaissance and discovery
Diagnostic utilities that trace the route taken by a packet as it "hops" to the destination host on a remote network. tracert is the Windows implementation, while traceroute runs on Linux. uses ICMP probes to report the round trip time (RTT) for hops between the local host and a host on a remote network. tracert is the Windows version of the tool. Traceroute -Diagnostic utilities that trace the route taken by a packet as it "hops" to the destination host on a remote network. tracert is the Windows implementation, while traceroute runs on Linux. Takes advantage of ICMP Time to Live Exceeded error message - The time in TTL refers to hops, not seconds or minutes - TTL=1 is the first router, TTL=2 is the second router, etc. • Not all devices will reply with ICMP Time Exceeded messages - Some firewalls filter ICMP - ICMP is low-priority for many devices
ipconfig/ifconfig-reconnaissance and discovery
IPCONFIG short for Internet Protocol configuration is a utility used in Microsoft Windows to know information about TCP/IP network configuration.IFCONFIG is a similar utility used in Linux and Unix like operating systems to know the IP and other TCP/IP network configuration.Both these are command line utilities ipconfig—show the configuration assigned to network interface(s) in Windows, including the hardware or media access control (MAC) address, IPv4 and IPv6 addresses, default gateway, and whether the address is static or assigned by DHCP. If the address is DHCP-assigned, the output also shows the address of the DHCP server that provided the lease. • Most of your troubleshooting starts with your IP address - Ping your local router/gateway • Determine TCP/IP and network adapter information - And some additional IP details •ipconfig - Windows TCP/IP configuration •ifconfig - Linux interface configuration
OpenSSL - Shell and script environments
In a Windows environment, certificate infrastructure is installed and managed as Active Directory Certificate Services. There is a certutil tool for command line management, or you can use PowerShell. OpenSSL • A toolkit and crypto library for SSL/TLS - Build certificates, manage SSL/TLS communication • Create X.509 certificates - Manage certificate signing requests (CSRs) and certificate revocation lists (CRLs) • Message digests - Support for many hashing protocols • Encryption and Decryption - SSL/TLS for services • Much more
DD
Linux command that makes a bit-by-bit copy of an input file, typically used for disk imaging. use the dd command to make a copy of an input file (if=) to an output file (of=) and apply optional conversions to the file data. In the following sda is the fixed drive: dd • A reference to the DD command in - IBM mainframe JCL (Job Control Language) - Data Definition (ASCII to EBCDIC converter) • Create a bit-by-bit copy of a drive - Used by many forensics tools • Create a disk image - dd if=/dev/sda of=/tmp/sda-image.img • Restore from an image - dd if=/tmp/sda-image.img of=/dev/sda
memdump
Linux utility developed as part of the Coroner's Toolkit to dump system memory data to a file. memdump • Copy information in system memory to the standard output stream - Everything that happens is in memory - Many third-party tools can read a memory dump • Copy to another host across the network - Use netcat, stunnel, openssl, etc.
*Password Crackers (Hacking Technique)*
Password guessing software can attempt to crack captured hashes of user credentials by running through all possible combinations (brute force). This can be made less computationally intensive by using a dictionary of standard words or phrases. most password crackers run primarily on Linux. For example, a tool such as Hashcat (hashcat.net/hashcat) is run using the following general syntax The keys to the kingdom - Find the passwords • Online cracking - Try username/password combinations • Offline cracking - Brute force a hash file • Limitations - Password complexity / strength (entropy) - Hashing method and CPU power - Graphics processors are useful hardware tools
Python - Shell and script environments
Python is a popular language for implementing all kinds of development projects, including automation tools and security tools, as well as malicious scripts Where many languages use brackets to denote blocks of code, Python uses indentation (4 spaces per level, by convention) Python is case-sensitive; for example, the variable user cannot be referred to by the label User or USER Comment lines are marked by the # character Python • General-purpose scripting language - .py file extension • Popular in many technologies - Broad appeal and support
IP scanners
Scanning a network using tools such as ping is time consuming and non-stealthy, and does not return detailed results. Most topology discovery is performed using a dedicated IP scanner tool. An IP scanner performs host discovery and identifies how the hosts are connected together in an internetwork. Such suites can be provided with credentials to perform authorized scans and obtain detailed host information via management protocols, such as the Simple Network Management Protocol (SNMP) The Nmap Security Scanner (nmap.org) is one of the most popular open-source IP scanners. Nmap can use diverse methods of host discovery, some of which can operate stealthily and serve to defeat security mechanisms such as firewalls and intrusion detection IP scanners • Search a network for IP addresses - Locate active devices - Avoid doing work on an IP address that isn't there • Many different techniques - ARP (if on the local subnet) - ICMP requests (ping) - TCP ACK - ICMP timestamp requests • A response means more recon can be done - Keep gathering information - Nmap, hping, etc.
SSH (Secure Shell) - Shell and script environments
Secure Shell (SSH) is the principal means of obtaining secure remote access to a command line terminal. The main uses of SSH are for remote administration and secure file transfer (SFTP). There are numerous commercial and open source SSH products available for all the major NOS platforms. The most widely used is OpenSSH (openssh.com). SSH (Secure Shell) • Encrypted console communication - tcp/22 • Looks and acts the same as Telnet
sn1per
Sn1per (github.com/1N3/Sn1per) is a framework designed for penetration test reporting and evidence gathering. It can integrate with other tools such as Metasploit and Nikto to run automated suites of tests. Results can be displayed as web reports sn1per • Combine many recon tools into a single framework - dnsenum, metasploit, nmap, theHarvester, and much more • Both non-intrusive and very intrusive scanning options - You choose the volume Another tool that can cause problems - Brute force, server scanning, etc - Make sure you know what you're doing
Exploitation frameworks
Suite of tools designed to automate delivery of exploits against common software and firmware vulnerabilities An exploitation framework uses the vulnerabilities identified by an automated scanner and launches scripts or software to attempt to deliver matching exploits. This might involve considerable disruption to the target, including service failure, and risk data security.. The most intrusive type of vulnerability scanner does not stop at detecting a vulnerability. Exploitation frameworks contain default scripts to try to use a vulnerability to run code or otherwise gain access to the system. This type of highly intrusive testing is more typical of penetration testing than automated vulnerability scanning. Exploitation frameworks • A pre-built toolkit for exploitations - Build custom attacks - Add more tools as vulnerabilities are found - Increasingly powerful utilities • Metasploit - Attack known vulnerabilities • The Social-Engineer Toolkit (SET) - Spear phishing, Infectious media generator
autopsy
The Sleuth Kit is an open source collection of command line and programming libraries for disk imaging and file analysis. Autopsy is a graphical frontend for these tools and also provides a case management/workflow tool. Autopsy is a graphical front-end for these tools and acts as a case management/workflow tool. The program can be extended with plug-ins for various analysis functions. Autopsy is available for Windows and can be compiled from the source code to run on Linux. Autopsy • Perform digital forensics of hard drives, smartphones - View and recover data from storage devices • Extract many different data types - Downloaded files - Browser history and cache - Email messages - Databases - Much more
chmod - File manipulation
The chmod command is used to modify permissions. It can be used in symbolic mode or absolute mode. In symbolic mode, the command works as follows Linux command for managing file permissions. chmod • Change mode of a file system object - r=read, w=write, x=execute - Can also use octal notation - Set for the file owner (u), the group(g), others(o), or all(a) - chmod mode FILE - chmod 744 script.sh •chmod 744 first.txt - User; read, write execute - Group; read only - Other; read only •chmod a-w first.txt - All users, no writing to first.txt •chmod u+x script.sh - The owner of script.sh can execute the file For example, in Linux, there are three basic permissions: Read (r)—the ability to access and view the contents of a file or list the contents of a directory. Write (w)—the ability to save changes to a file, or create, rename, and delete files in a directory (also requires execute). Execute (x)—the ability to run a script, program, or other software file, or the ability to access a directory, execute a file from that directory, or perform a task on that directory, such as file search.
grep - File manipulation
The grep command invokes simple string matching or regex syntax to search text files for specific strings. This enables you to search the entire contents of a text file for a specific pattern within each line and display that pattern on the screen or dump it to another file. Linux command for searching and filtering input. This can be used as a file search tool when combined with ls. find things inside files grep • Find text in a file - Search through many files at a time •grep PATTERN [FILE] - grep failed auth.log
head / tail -File manipulation
The head and tail commands output the first and last 10 lines respectively of a file you provide. You can also adjust this default value to output more or fewer lines using the -n switch. For example, the following command shows the 20 most recent entries in a log file Linux utility for showing the first lines in a file. head • View the first part of a file - The head, or beginning, of the file - head [OPTION] ... [FILE] ... • Use -n to specify the number of lines - head -n 5 syslog Linux utility for showing the last lines in a file.
logger - File manipulation
The logger command writes input to the local system log or to a remote syslog server (linux.die.net/man/1/logger). You can use the command in a script to write any text string or use the -f option to write the contents of another file. You can also write the output of commands by enclosing the command in backticks. The following command writes the name of the local machine along with the text "up" to the syslog server at 10.1.0.242: logger • Add entries to the system log - syslog • Adding to the local syslog file - logger "This information is added to syslog" • Useful for including information in a local or remote syslog file - Include as part of an automation script - Log an important event
Data sanitization tools
Tools used to remove data to ensure that the data cannot be recovered. Overwrite the data "x" number of times to ensure it is unrecoverable. Number of passes can be configured. Data sanitization • Completely remove data - No usable information remains • Many different use cases - Clean a hard drive for future use - Permanently delete a single file • A one-way trip - Once it's gone, it's really gone - No recovery with forensics tools
NSLOOKUP/DIG Command - Network reconnaissance and discovery
Utility to query a DNS and return information about a particular domain name. query name records for a given domain using a particular DNS resolver under Windows (nslookup) or Linux (dig). An attacker may test a network to find out if the DNS service is misconfigured. A misconfigured DNS may allow a zone transfer, which will give the attacker the complete records of every host in the domain, revealing a huge amount about the way the network is configured. nslookup and dig • Lookup information from DNS servers - Canonical names, IP addresses, cache timers, etc. •nslookup -Both Windows and POSIX-based - Lookup names and IP addresses - Deprecated (use dig instead) •dig or DiG (Domain Information Groper) - More advanced domain information - Probably your first choice - Install in Windows: https://professormesser.link/ digwin
netstat-reconnaissance and discovery
Utility to show network information on a machine running TCP/IP, notably active connections and the routing table. show the state of TCP/UDP ports on the local machine. The same command is used on both Windows and Linux, though with different options syntax. You can use netstat to check for service misconfigurations (perhaps a host is running a web or FTP server that a user installed without authorization). You may also be able to identify suspect remote connections to services on the local host or from the host to remote IP addresses. If you are attempting to identify malware, the most useful netstat output is to show which process is listening on which ports. netstat • Network statistics - Many different operating systems •netstat -a - Show all active connections •netstat -b - Show binaries •netstat -n - Do not resolve names
ipconfig/ifconfig ?
What two commands are used to display TCP/IP configuration on Windows and Unix / Linux / Mac OS X operating systems, respectively?
dnsenum -reconnaissance and discovery
While you can use tools such as dig and whois to query name records and hosting details and to check that external DNS services are not leaking too much information, a tool such as dnsenum packages a number of tests into a single query (github.com/fwaeytens/dnsenum). As well as hosting information and name records, dnsenum can try to work out the IP address ranges that are in use dnsenum • Enumerate DNS information - Find host names • View host information from DNS servers - Many services and hosts are listed in DNS • Find host names in Google - More hosts can probably be found in the index
cat - File manipulation
cat • Concatenate - Link together in a series • Copy a file/files to the screen - cat file1.txt file2.txt • Copy a file/files to another file - cat file1.txt file2.txt > both.txt
curl -reconnaissance and discovery
curl curl is a command line client for performing data transfers over many types of protocol (curl.haxx.se). This tool can be used to submit HTTP GET, POST, and PUT requests as part of web application vulnerability testing. curl supports many other data transfer protocols, including FTP, IMAP, LDAP, POP3, SMB, and SMTP. curl • Client URL - Retrieve data using a URL - Uniform Resource Locator - Web pages, FTP, emails, databases, etc. • Grab the raw data - Search - Parse - Automate
hping-reconnaissance and discovery
hping is an open-source spoofing tool that provides a penetration tester with the ability to craft network packets to exploit vulnerable firewalls and IDSs. hping can perform the following types of test: Host/port detection and firewall testing—like Nmap, hping can be used to probe IP addresses and TCP/UDP ports for responses. Traceroute—if ICMP is blocked on a local network, hping offers alternative ways of mapping out network routes. hping can use arbitrary packet formats, such as probing DNS ports using TCP or UDP, to perform traces. Denial of service (DoS)—hping can be used to perform flood-based DoS attacks from randomized source IPs. This can be used in a test environment to determine how well a firewall, IDS, or load balancer responds to such attacks. - Command line-oriented TCP/IP packet assembler/analyzer - Works on the following unix-like systems: Linux, FreeBSD, NetBSD, OpenBSD, Solaris, MacOs X, Windows (Check "h" tab for more) hping • TCP/IP packet assembler/analyzer - A ping that can send almost anything • Ping a device - ICMP, TCP, UDP - #hping3 --destport 80 10.1.10.1 • Send crafted frames - Modify all IP, TCP, UDP, and ICMP values • A powerful tool - It's easy to accidentally flood and DoS - Be careful!
ping-reconnaissance and discovery
ping—probe a host on a particular IP address or host name using Internet Control Message Protocol (ICMP). You can use ping with a simple script to perform a sweep of all the IP addresses in a subnet. The following example will scan the 10.1.0.0/24 subnet from a Windows machine Internet Control Message Protocol (ICMP). IP-level protocol for reporting errors and status information supporting the function of troubleshooting utilities such as ping. ping • Test reachability - Determine round-trip time - Uses Internet Control Message Protocol (ICMP) • One of your primary troubleshooting tools - Can you ping the host? • Written by Mike Muuss in 1983 - The sound made by sonar - Not an acronym for Packet INternet Groper - A backronym
Nessus
produced by Tenable Network Security (tenable.com/products/nessus/nessus-professional), is one of the best-known commercial vulnerability scanners. It is available in on-premises (Nessus Manager) and cloud (Tenable Cloud) versions, as well as a Nessus Professional version, designed for smaller networks. The product is free to use for home users but paid for on a subscription basis for enterprises. As a previously open-source program, Nessus also supplies the source code for many other scanners. One of the best-known commercial vulnerability scanners, produced by Tenable Network Security. Nessus • Industry leader in vulnerability scanning - Extensive support - Free and commercial options • Identify known vulnerabilities - Find systems before they can be exploited • Extensive reporting - A checklist of issues - Filter out the false positives
route -reconnaissance and discovery
route—view and configure the host's local routing table. Most end systems use a default route to forward all traffic for remote networks via a gateway router. If the host is not a router, additional entries in the routing table could be suspicious. Command utility to configure and manage the routing table on a Windows or Linux host. route • View the device's routing table - Find out which way the packets will go • Windows: route print • Linux and macOS: netstat -r
scanless
scanless -Utility that runs port scans through third-party websites to evade detection Port scanning is difficult to conceal from detection systems, unless it is performed slowly and results gathered over an extended period. Another option is to disguise the source of probes. To that end, scanless is a tool that uses third-party sites (github.com/vesche/scanless). This sort of tool is also useful for in a defensive sense by scanning for ports and services that are open, but shouldn't be. scanless • Run port scans from a different host - Port scan proxy • Many different services - Choose the option for scan origination - Your IP is hidden as the scan source