CySA+ Chapter 1: Reconnaissance Techniques

What's a good packet sniffer program mentioned in the book?

Tcpdump would be a good packet sniffer

What is "WHOIS?"

Whenever a domain is registered, the registrant provides details about the organization for public display. This might include name, telephone number, and email contact information, DNS details, and mailing address. This information can be queried using a tool called "WHOIS."

What is an "Active Tap?"

An "Active Tap," or "Active Relay," completely terminates the signal in the tap device, sending a copy of the signal to a local interface and moving the original signal to a forwarder. The forwarder then amplifies the original signal, if necessary, and passes it to its original destination. This method works well for Gigabit lines, but at the expense of adding another electrical device in the chain.

What is an "XMAS Tree scan?"

An attacker sends a TCP packet to the remote target with the URG, PSH, and FIN flag set. Similar to the FIN scan, an open port does not respond. On the other hand, a closed port responds with an RST packet. Some hosts send an RST packet in response to a null packet, regardless of whether the port is open or not.

Why shouldn't you fully trust the OS fingerprinting feature in nmap?

Because variants of operating systems, such as Linux, can be hard to differentiate. Attackers can also configure their hosts to report the wrong operating system

Explain what "Active Reconnaissance" means?

"Active Reconnaissance" is used when you want to gather more than just open source intelligence. As opposed to passive reconnaissance, we are not actively engaging target systems. This is a direct interaction.

What is a "Container" when referring to virtualization?

"Container virtualization," often referred as "operating system virtualization," is more than just a different kind of hypervisor. Containers use the host operating system as their base, and not the hypervisor. Rather than virtualizing the hardware, which requires full-virtualized operating system images for each guest, containers virtualize the OS itself, sharing the host OS kernel and its resources with both the host and other containers.

What is "DNS Harvesting?"

"DNS Harvesting" is the process of interrogating DNS servers with nslookup and dig commands and collecting their records. One process of doing this is by capturing snapshots of DNS zone transfers, which reveals hostnames, IP addresses, MX records, and more on a domain.

Port scanners are said to "enumerate." What does that mean?

"Enumerating" means we are scanning or querying ports on a host to identify what services are running on it, a process called "Service Discovery."

What is "Google Hacking?"

"Google Hacking" uses Google "Operators" to help restrict and narrow down your search results. This can help you find vulnerabilities in a web site or network. Or it can help you gather info on a specific person.

What is "IP Scanning?"

"IP Scanning," or a "Ping Sweep," is used to ID the live systems connected to a network segment or IP range. IP scanning is used by system admins to check the connectivity of hosts on the network. Ping sends an ICMP request to test which target hosts are accessible across an IP network. Target hosts that are live return ICMP Reply messages. A technique such as ping sweep is used to ID a range of IP addresses or live port numbers of the target system.

What is IaaS?

"IaaS" is "Infrastructure as a Service." IaaS provides users with complete administrative control over a computing platform hosted by the cloud service provider. An example of this would be spawning an instance of a Windows Server 2012 R2 server that you could then configure whatever manner you'd like. Cloud computing has been extremely attractive to businesses because it reduces the upfront investment in hardware solutions that will constantly have to be replaced as technology advances. Rather than purchasing hardware in the traditional cycle, companies can now subscribe to IaaS services to perform the same tasks without having to worry about how they're being done. Additionally, companies can scale more easily without waiting to install computing or storage they hadn't planned on needing. Since IaaS services provide you with the hardware, it is often called "Hardware as a Service (HaaS)." you have full control of the OS and must update and configure it.

How can a "Job Site" help you gather open source intelligence?

"Job Sites," like indeed.com, is where thousands of people voluntarily upload their full professional history, phone number, email, and even current position, which identities their role in the target network and allows you maybe some social engineering.

In terms of virtualization, what is NFV?

"NFV" stands for "Network Function Virtualization." Key functions, such as routing, switching, intrusion prevention, firewalling, and load balancing can all be provided by the same hardware running virtualized devices. NFV relies heavily on the concept of "orchestration," or the automatic configuration and management of virtualized resources.

Name two very popular Web application vulnerability scanners.

"Nessus" is a vulnerability scanner, available for commercial use with a license. Another example is "Open Vulnerability Assessment System," or "OpenVAS." It's open source and perhaps better than Nessus

Port Scanners, like nmap, provide OS fingerprinting. What is that?

"OS Fingerprinting" identifies the target's operating system. In some cases, port scanners can also identify the version of that operating system too. If it can't come to a conclusion, a port scanner can also provide a best-guess of the operating system running on the target.

What is OSINT?

"OSINT" refers to "Open Source Intelligence," and it's a way in which we conduct passive reconnaissance. Open Source Intelligence is merely information we've collected from third parties in legitimate ways.

What is PaaS?

"PaaS" is "Platform as a Service." In PaaS, the user gets access to a computing platform that is typically built on a server OS. As an example, you could spawn an instance of Windows Server 2012 R2 preconfigured to provide web services rather than building it yourself. The service provider is normally responsible for configuring and securing the platform, however, so the user normally does not get administrative privileges over the entire platform. This is how modern development teams collaborate in real time on programming projects. It includes the services required to develop, test, deploy, and maintain applications using a common environment. Facilitated by such technologies as containerization, PaaS allows for development operations from a diverse set of contributors. PaaS provides you with a platform of various services, but you have no control of this platform or the operating system.

What are "Packet Sniffers?"

"Packet Sniffers" are programs that query a network interface, captures packets, and puts them in a capture file. These programs sit on a single computer, or perhaps on a router, a switch, or a dedicated piece of hardware. Packet sniffers by themselves aren't very useful.

Explain what "Passive Reconnaissance" means.

"Passive Reconnaissance" is a process of gathering intelligence from a target without directly interacting with it. No trace, fingerprints, or logs, are left behind.

What is "Port Scanning?"

"Port Scanners" are programs designed to probe a host or server to determine what ports are open. A good port scanner is nmap.

What is SaaS?

"SaaS" is "Software as a Service." SaaS provides users with access to specific applications hosted by a service provider. Part of the popularity of SaaS is due to the fact that, as users generate and share content on mobile platforms, the need has emerged to move software to the Web. Rather than users working from a local installation of an application, software is run from and managed at a central location. With SaaS, users are no longer responsible for installation, properly performing patches, and applying updates. Instead they just use the web interface provided by the software, and everything else happens in the backend.

What is a "Type-1," or "Bare-Metal," hypervisor?

"Type-1," or "Bare-Metal," Hypervisors are where the hypervisor software runs directly on the host computer hardware. Type-1 hypervisors have direct access to all hardware and manage guest operating systems. Today's more popular Type-1 hypervisors include VMware ESX, Microsoft Hyper-V, and Kernel-based Virtual Machine (KVM).

What is a "Type-2" hypervisor?

"Type-2" Hypervisors are run from within an already existing OS. These hypervisors act just like any other piece of software written for an OS and enable guest OSs to share the resources that the hypervisor has access to. Popular Type-2 hypervisors are VMware Player, VirtualBox, and Parallels.

What is "Virtualization?"

"Virtualization" is the creation and use of computer and network resources to allow for varied instances of operating systems and applications on an ad-hoc basis.

What's "Web Application Vulnerability Scanning?"

"Web Application Vulnerability scanning" is another type of scanning method besides network mapping and port scanning. It's an automated tool that scans web applications to determine security vulnerabilities. Included in popular utilities are common tests, such as those for SQL injection, command injection, XSS, and improper server configuration.

What is "theharvester" tool?

"theharvester" tool, available in Kali-Linux is an e-mail accounts, username, hostname, and subdomains gathering tool. As an example, if you want to find e-mail addresses and hostnames for a target domain using Google, the following is the appropriate command: (#./theHarvester.py -d targetdomain -l 100 -b google)

What is a "Packet or Protocol Analyzer?"

'Packet and Protocol Analyzers" are the same thing. They are programs read capture files from packet sniffers and analyzes them based on our monitoring needs. A good packet analyzer can file and sort a capture file based on almost anything and create an output to help us do monitoring properly.

What are two methods of preventing ARP Poisoning?

1. Enable "Unicast Flood protection," which disables the port where the flood of ARP replies is originating from 2. "Dynamic ARP Inspection," or "DAI," which was created by Cisco to discard ARP packets with invalid MAC address to IP address bindings.

Name 3 ways in which virtualization increases security

1. Virtualization increases the layers of depth in a system, making it more difficult for an attacker to get an accurate sense of what the real environment is. 2. With virtualization, we can constantly change the network topology using virtual tools, meaning we have fundamentally changed the cost of performing reconnaissance on a network. This increased investment is often enough to thwart many hackers, since they will often opt to move on to low-hanging fruit. 3. The rise of popularity of containerization has also allowed the practical use of layer 7 security, or application-layer firewalls. For example, a standard firewall can be easily configured to block anything but HTTP traffic on port 80. However, attacks that arrive over port 80, such as SQL injection and XSS, are still permitted because these firewalls see this malicious code as a valid request. They are stateless packet filters. Because there is no easy way to distinguish between malicious and normal application data from layer 3 or 4, traditional firewalls are no longer suitable for our increasingly application-diverse environments. Application-layer firewalls mean that administrators have more granular control and can permit or deny specific web application requests.

Name 4 defenses of reconnaissance against your network that were mentioned in Chapter 1

1. Vulnerability Scanning, 2. Auditing critical asset, systems, and services, 3. Routine Log reviewing, and 4. Inspecting firewall ACLs,

What is a "Horizontal Scan?"

A "Horizontal Scan" scans the same port on several hosts in a network.

What is a Passive Tap?

A "Passive Tap" requires no additional power. In a copper medium, this type of tap will form a direct connection to the wires in the cable and split the signal going across the line so that there is power still flowing to the destination, but enough is diverted to the tap to be useful for the sniffer. Similarly, passive optical taps attempt to split the light beam passing through the fiber and divert a portion to a sensor. While these taps require additional hardware, the original signal is not likely to be impacted greatly, should the device fail.

What is a SIEM?

A "SIEM" is a "Security Information Event Management" system designed for centralized log aggregation. It uses syslog as its standard log format. A syslog server or SIEM receiver will gather syslog data sent over UDP port 514 or TCP port 514.

What is a "Vertical Scan?"

A "Vertical Scan" scans a single target to identify the whole range of services running on the target.

What layer 1 device can you use to capture traffic?

A "hub." If, for some reason, the hosts all connect to a hub, all that's required is for the monitoring machine to connect to the same hub via a network cable and start the capture software. A clever technique is for an attacker to purposefully introduce a hub, placing it at a chokepoint within the networks, and collecting traffic at that point.

Name a good Network Mapper tool

A good Network Mapper tool is "nmap." Nmap's default behavior is to send an ICMP Echo Request (ping), a TCP SYN to port 443, a TCP ACK on port 80, and an ICMP Timestamp Request. A successful response to any of these 4 methods is evidence that the address is in use. Nmap also has a traceroute feature that allows it to map out networks of various complexities using the clever manipulation of the Time-to-Live (TTL) values of packets.

What is a simulated phishing campaign?

A security admin at a company can test his employee's practice of good OPSEC by sending simulated phishing e-mails to work addresses and then providing additional training to individuals who fall victim to it.

What is a SDN and its components?

An "SDN," or "Software-Defined Network," is best characterized by its separation of the control and data aspects of the network, allowing for the network to evolve independent of the hardware being used. SDN and NFV are complementary and herald a major shift in network architecture and management. The network above was defined in software. Network devices have two functional planes of operation: 1. Control Plane: part of the device that manages what's going on inside of it. 2. Data Plane: really doing that work, switching, routing, or firewalling. It is concerned with the operation of that particular component.

Why is IP scanning not always reliable?

Based on best security practices, system admins typically configure the firewalls or border routers to block ICMP requests originating from outside the network. But, an IP scanner can be used by an inside attacker to draw a network map.

What is nmap's default host-scanning behavior?

Nmap's default behavior is to send an ICMP echo request (ping), a TCP SYN to port 443, a TCP ACK to port 80, and an ICMP Timestamp Request

Netstat can identify listening ports, remotely connected IP addresses, and program names, but can it tell you the user who opened the socket?

No.

Name two methods of "ARP Poisoning."

Number one, you can execute a "Unicast Flooding Attack" on the switch to learn the MAC Addresses of the hosts connected to the switch. This is done by stressing the switch with continuous spoofed ARP replies. Number two, you can tamper with the ARP table by sending out spoofed ARP replies.

SIEM is a mash-up of two processes. Name them.

SIEM is a combination of "Security Event Management (SEM)" and "Security Information Management (SIM)."

The network distance of this nmap scan result says it is 1 hop. What does this mean?

Since the network distance is only 1 hop, this means that the target and the scanner are directly connected.

How can the "Internet Registries" help you gather Open Source Intelligence?

The "Internet Registries" are split into the "Regional Internet Registries," or "RIRs." These corporations allocate IP addresses to specific regions around the globe and that might offer you details about a specific organization

Maymi and Chapman name 4 methods of gathering Open Source Intelligence. Name them.

The 4 ways to gather Open Source Intelligence are: 1. Google hacking, 2. Internet Registries, like DNS and "Who is (WHOIS), 3. Job Sites, and 4. Social Media profiling

What is an "ACK scan?"

The ACK scan sends an ACK to the target to test filtered ports. If there is no response or an "ICMP destination unreachable" message is returned, then the port is considered to be filtered. This means that the firewall is stateful. It knows that no internal host has initiated any SYN packet that matches the ACK packet sent by the attacker. If the target's firewall returns an RST, then the port is unfiltered. Because there is no firewall rule for that port, the attacker knows that the port is vulnerable

What is a "FIN scan?"

The FIN scan sends a FIN to the target. The target should ignore the FIN if the port is open. If the port is closed, the target should respond with RST. But, this is not always the case. Some send a RST when the port is open too.

What is a "Null scan?"

The Null scan sends a packet with no flag bits set. The port is open if the target does not respond. The port is closed if the target responds with a RST. But, some systems send an RST even if port is open, making it an unreliable scan.

What is the "TCP Connect scan?"

The TCP Connect scan completes the entire TCP three-way handshake. The target port is closed if an RST is sent back. This is not good for stealth.

What are the advantages and disadvantages of using a "Passive Tap?"

The advantage of a passive tap is your more discrete. Gigabit connections are much more sensitive to power and may experience high error rate, distortion, or failure should a passive tap be installed. To tap Gigabit lines, an active tap must be used.

What are the advantages and disadvantages of using an "Active Tap?"

The advantage of an active tap is that it works on Gigabit lines and it gives you more of the information travelling on the medium. The disadvantage is you must add a "forwarder." And, should the active tap fail, the entire circuit remain open (in which one or more wires inside the cable simply don't connect from one end of the cable to the other), alerting the administrator that something is amiss. It's important to note that tapping a network using these methods has the potential to change the transmission characteristics of the line. As security professionals, we should be prepared to investigate sudden fluctuations in power, impedance, or error rate, as they may be indications of a tapped line.

What is "Network Mapping?"

The goal of "Network Mapping" is to understand the topology of a network, including perimeter networks, DMZs, and key network devices. The actions used during network mapping are collectively referred to as "Topology Discovery."

"Scanning" is one method of active reconnaissance. Maymi and Chapman named 3 different ways to scan a network or system. Name them.

There are 3 different ways to scan. They are: 1. Network Mapping, 2. Port scanning, and 3. Web Application Vulnerability scanning

What is a "SYN Stealth scan?"

This is a "Half-Open" connection, meaning we only send the first initial SYN to the target. The port is open if it responds with a SYN/ACK. But, we do not respond with the usual ACK. The port is filtered if no response is given.

If your client machine is not able to join a wireless network, the wireless NIC must be able to operate in what mode for the capture software to see 802.11 packets?

To capture wireless packets on an network you're not connected to, your wireless NIC must be set to "Monitor mode."

What mode allows the client to see all traffic traversing the network, contingent on the client already being part of the network.

To see all captured packet traversing the wireless network, your wireless NIC must be set to "Promiscuous mode."

What are two packet or protocol analyzers mentioned in the book?

Two popular protocol analyzers are "Wireshark" and it's command-line version "Tshark."

How can DNS help you gather Open Source Intelligence?

Using nslookup, dig, and host commands, we can interrogate DNS servers. Gathering DNS records is called DNS harvesting, and it helps decipher the topology of a company's network.

What is a "Hypervisor?"

Virtualization is achieved by creating large pools of logical storage, CPUs, memory, networking, and applications that reside on a common physical platform. This is most commonly done using software called a "Hypervisor," which manages the physical hardware and performs the functions necessary to share those resources across multiple virtual machines

How can "Social Media Profiling" help you gather Open Source Intelligence?

You can find publicly available information on social media sites about a person, phone numbers, email addresses, friends, photos, videos, profession, location, job location, etc. The online clues captured from personal pages enables an attacker to conduct "Social Media Profiling," which uses a target's preferences and patterns to determine their likely actions

Google hacking, nmap, ARIN queries, and nslookup. Which one of these is not a form of passive or open source intelligence gathering?

nmap