CYBR7200
6 phases of ethical hacking
1. Reconnaissance 2. Scanning 3. Gaining access 4. Maintaining access 5. Clearing tracks 6. Reporting
subnet mask
A 32-bit number that masks an IP address and divides the IP address into network addresses and host addresses.
Cyberkit
A graphical tool that allows an attacker to use whois, single ping, traceroute and port scanners
Sam spade
A graphical tool which allows you to do DNS interrogation, among other things
User Datagram Protocol (UDP)
A protocol for sending packets quickly with minimal error-checking and no resending of dropped packets. One-to-one or one-to-many, connectionless.
Transmission Control Protocol (TCP)
A protocol for sending packets that does error-checking to ensure all packets are received and properly ordered
Server Message Block (SMB)
A protocol used by Windows to share files and printers on a network.
Whois tool
A query and response protocol that is widely used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block, or an autonomous system.
HTTP Methods
A set of commands that help your browser communicate with Web servers.
Internet Protocol (IP)
A set of rules responsible for disassembling, delivering, and reassembling packets over the Internet.
Spoofing
A technique used to gain unauthorized access to computers, whereby the intruder sends messages to a computer with an IP address indicating that the message is coming from a trusted host.
Telnet
A terminal emulation protocol used to log on to remote hosts using the TCP/IP protocol.
hping3
A tool that can map the network topology and help locate firewall vulnerabilities
IP spoofing attack
A type of software attack where an attacker creates IP packets with a forged source IP address and uses those packets to gain access to a remote system.
IP Address (Internet Protocol Address)
A unique number identifying every computer on the Internet (like 197.123.22.240). Network layer, analogous to a street address for a building. Includes a network ID and a host ID. Consists of 32 bits.
polymorphic virus
A virus that can change its own code or periodically rewrites itself to avoid detection
Cavity virus
A virus that looks for a program with a large amount of free space and, if the space is large enough, stores itself there.
Appending Virus
Adds code to the end of the file of a host program. Not intended to destroy the host program; it only aims to modify the code.
hping
An enhanced Ping utility for crafting TCP and UDP packets to be used in port-scanning activities
Wireshark
Application that captures and analyzes network packets
Class B IP Address
Assigned to medium-sized networks. Two high-order bits are set to binary 1 0. Next 14 bits complete the network ID, remaining 16 bits are the Host ID.
Class A IP Address
Assigned to networks with a very large number of hosts. High-order bit set to zero, next seven bits are the network ID. Remaining 24 bits are the host ID.
Bootsector Virus
Attaches itself to the first part of the hard disk that is read by the computer during the boot up process.
Bouncing
Attack technique wherein an attacker bounces their scan through services running on other computers that allow commands to pass through, in effect covering the attacker's tracks.
Teardrop Attack
Attack that breaks apart packets into IP fragments, modifies them with overlapping and oversized payloads, and sends them to a victim machine
Decoying
Attack using a set of spoofed IPs which are sent to the server during a port scan
Fragmentation
Attack using small IP packets to evade firewalls and packet filters
Routing Attacks
Attack where Routing Information Protocol (RIP) is used to distribute routing information within networks and advertise routes out from the local network.
Tcpdump
Data-network packet analyzer that runs under a command-line interface. Allows the user to display TCP/IP and other packets being transmitted or received over a network to which the computer is attached.
Traceroute
Displays the path a packet took to its destination. Can be used to map a network. Uses a combination of TTL and ICMP replies to map out a network route. Shows every hop along the way.
Null scan
Does not set any bits (the TCP flag header is 0). Everything is turned off. If the port being scanned is closed, it will receive a RST response. If the port is open, no response will be provided.
Dumb scan
Involves the use of a third-party computer that receives little or no traffic. The attacker sends repetitive ICMP pings to the dumb host, whose IP ID number increments by +1 each time. The attacker then sends a spoofed SYN packet to the target host with the dumb host's IP address in place of their own. If a port is open on the target computer, the ID number will increase. If it is closed, the ID will remain at +1.
ARP spoofing
More commonly known as ARP poisoning, this involves the MAC (Media Access Control) address of the data being faked.
Xplico
Open-source network forensic analysis tool (NFAT) that extracts application data from an Internet traffic capture. Example: from a pcap file it would extract all email, HTTP contents, VoIP calls, FTP, etc.
Stateful firewall
Performs packet filtering but also inspects the state of the connection associated with an incoming IP packet.
Ping Flood Attack
Ping utility used to send a large number of echo request messages to overwhelm a server.
Slow scan
Port scanner set to scan a host with an elongated time between scans, so as not to produce multiple quick scans in succession, which would be easier to spot in a log.
Half-Open-Scan
This technique is often referred to as TCP SYN scanning, because you don't open a full TCP connection. You send a SYN packet, as if you are going to open a real connection, and wait for a response. A SYN|ACK indicates the port is listening. A RST is indicative of a non-listener. If a SYN|ACK is received, you immediately send a RST to tear down the connection.
ICMP Attacks
Threat actors use Internet Control Message Protocol (ICMP) echo packets (pings) to discover subnets and hosts on a protected network, to generate DoS flood attacks, and to alter host routing tables.
Ping of Death Attack
Type of attack in which a large ICMP packet is sent to overflow the remote host's buffer. This usually causes the remote host to reboot or hang.
Class C IP Address
Used for small networks. Three high-order bits are set to 1 1 0. Next 21 bits complete the network ID. Remaining 8 bits are the host ID
dnsenum
Utility that is used for DNS enumeration to locate all DNS servers and DNS entries for a given organization
Metamorphic virus
Virus that is able to rewrite itself entirely before it attempts to infect a file (advanced version of polymorphic virus)
multipartite virus
Designed to infect multiple file types in an effort to fool the antivirus software that is looking for it.
Internet layer
Responsible for addressing, packaging, and routing messages on the Internet. (3rd layer down in TCP/IP, equivalent to the Network layer in OSI.)
Network interface layer
Responsible for placing packets on and receiving them from the network medium. (Bottom layer in TCP/IP, equivalent to the physical and data-link layers in OSI.)
Transport layer
Responsible for providing communication with the application by acknowledging and sequencing the packets to and from the application. (2nd layer down in TCP/IP.)
Address Resolution Protocol (ARP)
Responsible for resolving IP addresses to network interface layer addresses, including hardware addresses.
Internet Group Management Protocol (IGMP)
Responsible for the management of IP multicast groups.
dig command
Sends domain name query packets to name servers for debugging or testing.
FIN scan
Sends TCP packets to a device without first going through the normal TCP handshake, thus preventing non-active TCP sessions from being formally closed.
Footprinting
The process of systematically identifying the network and its security posture (usually a passive process).
SOA record (Start of Authority)
Used to store important information about a domain or zone. Every domain must have an SOA record at the cutover point where the domain is delegated from its parent domain.
DNS zone transfers
Process where a DNS server passes a copy of all or part of its database (which is called a zone) to another DNS server. Enables more than one DNS server to answer queries about a particular zone.
Application layer
Provides applications the ability to access the services of the other layers and defines the protocols that applications use to exchange data. Top layer of TCP/IP, equivalent to the application, presentation, and session layers in OSI
Class D IP Address
Reserved for multicast addresses. Four high-order bits are set to 1 1 1 0. Remaining bits are for the address that interested hosts recognize.
nslookup
Resolves a fully qualified domain name to an IP address.
Internet Control Message Protocol (ICMP)
Responsible for providing diagnostic functions and reporting errors due to the unsuccessful delivery of IP packets
UDP scan
Sends UDP requests to a target port. If there is no reply, the port is assumed open; an ICMP Destination Unreachable reply means the port is closed.
Christmas tree scan
Sends a TCP packet to the target with the URG, PUSH, and FIN flags set
Inverse mapping
The process of identifying live network hosts (mapping internal network layout) positioned behind a filtering device by probing for addresses known not to be in use.
Stateless firewall
Filters each packet on its source (the originating IP address and port number tuple) and its destination (also an IP address and port number tuple) without tracking connection state. Possible rules include accept and drop.