Cybersecurity & cloud
Active Scanning
Unlike passive scanning, which cannot be detected, active scanning can be detected on a network. This lab uses two methods ways to do active scanning - command line and graphical user interface (GUI) tools. The goal of active scanning is to gain inventory information about a machine.
What is vishing?
Vishing is when somebody impersonates somebody you trust through voice calls to get you to reveal to them sensitive and private information. It is a variant of phishing attacks, except the main difference is that it is mostly conducted via voice rather than written text.
Wireshark
Wireshark is a network protocol analyzer. It allows you to inspect and capture packets on your network. It allows you to inspect the traffic that is transmitting on your network. In this lab, you use Wireshark to capture and investigate packets to uncover machine's IP addresses on the network.
What is a threat?
a threat is from someone targeting a vulnerability (or weakness) in the organization that was not mitigated or taken care of since it was not properly identified as a risk.
What is risk?
the probability of an unwanted outcome
Which of the following attacks involves the use of previously captured network traffic? Replay Smurf Vishing DDoS
replay
What is encryption?
the process of transforming clear text into coded, unintelligible text for secure storage or communication
What is encoding?
the processing of information into the memory system
Why might you do a vulnerability assessment instead of a penetration test?
vulnerability assessments tend to be less expensive and take less time than a penetration test. They're also lower-risk: a penetration test will involve actual exploits of production-level services, which might lead to disruption or downtime for critical services.
What is vulnerability?
weakness
What is a black box penetration test?
A black box penetration test is one where the tester is given no access to company systems or information and has only public information to go on.
What is a clean desk policy?
A clean desk policy is something that ensures all data is secure even when employees are not at work. This is a critical part of cybersecurity as data security should not be dependent on employees showing up to work all the time.
What is a null session?
A null session is one where the user is not authenticated by either username or password. It can be a bit of a security risk for applications since this means that the person behind the request is unknown.
What is a polymorphic virus?
A polymorphic virus is one that changes to avoid detection and then returns to its routine code when scans are done in order to neutralize anti-virus measures.
What kind of cookie would a spyware attack typically use?
A spyware attack would typically use a tracking cookie rather than a session cookie, which would persist across different sessions rather than stopping at one session.
What is a traceroute?
A traceroute, or tracert, can help you see where a breakdown of communications occurred. It shows what routers you touch as you move along to your final destination. If there is somewhere you cannot connect, you can see where it happened.
What is the difference between a worm and a virus?
A worm is self-replicating but a virus isn't self-replicating
What is it called when somebody is forced to reveal cryptographic secrets through physical threats?
Attacks like this when you have somebody reveal their secrets due to physical threats are called a rubber hose attack.
What's the difference between auditing and logging?
Auditing involves going through logs and looking for events, while logging is simply compiling events into logs. You can think of it as usually being a two-part process: first, you log events, then you audit your logs to see if anything is abnormal.
What is the difference between UDP and TCP?
Both are protocols for sending packets of information over the internet and are built on top of the internet protocol. TCP stands for transmission control protocol and is more commonly used. It numbers the packets it sends to guarantee that the recipient receives them. UDP stands for user datagram protocol. While it operates similarly to TCP, it does not use TCP's error-checking abilities, which speeds up the process, but makes it less reliable.
f you had to both compress and encrypt data during a transmission, which would you do first?
Compress and then encrypt, since encrypting first might make it hard to show compression having much of an effect.
Maintaining Access
Once the hacker has broken into the system, the hacker will maintain access on the system through different techniques, such as uploading malware to maintain persistence.
What are the differences between HTTPS, SSL, and TLS?
HTTPS is hypertext transfer protocol and secures communications over a network. TLS is transport layer security and is a successor protocol to SSL.
Clearing Tracks
Hackers do not want to be caught so they will cover their tracks such as deleting log entries and removing all remnants of the hacking including any software installed and folders and files. Next, we will discuss active and passive scanning and how an attacker can use both of these methods to gather information about network resources.
What are honeypots?
Honeypots are targets placed for an attack in order to study how different attackers are attempting exploits. While often used in an academic setting, private organizations and governments can use the same idea to study their vulnerabilities.
What is a hash function?
It hashes (converts) a number in a large range into a number in a smaller range. The smaller range corresponds to the index numbers in an array.
Which of the following works by implanting software on systems but delays execution until a specific set of conditions are met? Logic bomb Trojan Scareware Ransomware
Logic bomb
Armitage/Metasploit
Metasploit is an open-source penetration testing framework that comes bundled with Kali Linux. The msfconsole command db_nmap determines the machines that are running on a given network. Armitage is a hacking tool which is a front end for Metasploit that visualizes targets, recommends, and performs exploits on systems to break into them.
Passive Scanning
Passive scanning is gathering information on the network by just listening to the network traffic. It is also important to note that passive scanning techniques are not usually detectable. Wireshark is a tool that allows an end user to passively scan a network. You will be able to view IP addresses, computer names, MAC addresses, domain names, and protocols.
Which of the following would be MOST appropriate if an organization's requirements mandate complete control over the data and applications stored in the cloud? Hybrid cloud Community cloud Private cloud Public cloud
Private cloud
What is the fastest way to crack a hashed password?
Rainbow tables provide pre-computed results for cracking hashed passwords and is one of, if not the fastest way to un-hash a password.
What is the protocol used for secure file transfers?
SFTP uses SSH and securely transmits files, as opposed to FTPS which uses the unsecured FTP protocol. Secure file transfers should use the SFTP protocol.
What is SSL?
SSL is a standard security technology for creating an encrypted link between a server and a client (usually a web server and a web browser).
What is shoulder surfing?
Shoulder surfing is a physical attack that involves actually physically sneaking looks at people's screens as they're typing in information in a semi-public space.
What is sideloading?
Sideloading is the act of downloading apps outside of official app stores, either on Apple or Android. This is something that puts people at increased risk of downloading malware, as the apps are not approved by the app store providers.
What is Snort?
Snort is a free open-source intrusion detection software.
What is the difference between spear phishing and phishing?
Spear phishing is a phishing attack targeted towards a limited number of high-priority targets — oftentimes just one. Phishing usually involves a mass targeted email or message that targets large groups of people. This means that practically speaking, spear-phishing will be much more individualized and probably more well-researched (for the individual) while phishing is more like an actual fishing expedition that catches whoever bites the hook.
What is the difference between symmetric and asymmetric encryption?
Symmetric encryption uses the same key to encrypt and decrypt, while asymmetric encryption uses different keys for encryption and decryption. Asymmetric encryption is commonly used to secure an initial key-sharing conversation, but then the actual conversation is secured using symmetric crypto. Communication using symmetric crypto is usually faster due to the slightly simpler math involved in the encryption/decryption process and because the session setup doesn't involve PKI certificate checking."
What port is typically used by Telnet?
Telnet typically uses port 23. There may be a few questions like this (that are certainly present on the Security+ exam itself) that test your general knowledge of networking and the overall layout of ports and the standards used for each one.
Scanning/Enumeration
The 2nd step in scanning is enumeration. Enumeration is the process of extracting information from a system such as user and group names, machine names, network shares, and services from a machine. In this process, the hacker creates a passive or active connection to the system. The hacker performs queries to gain more information about the target. In this lab, you will do passive scanning using Wireshark and active scanning using various command line tools. You will use the net and the nbstat command which are built in to Windows to enumerate information about users, shares, and machines on the network. You will also use the db_nmap command within Metasploit to uncover machines on the network. Finally, you will use Armitage to see a graphical representation of the machines on the network.
Gaining Access
The 3rd step in hacking is gaining access. The attacker has gathered all the information and now uses that information about the vulnerabilities to exploit the systems.
net Command
The Windows net command line tool is used to query a network and its settings. These settings include users, domains, network shares, network print jobs, and machines.
What are the default ports for HTTP and for HTTPS?
The default port for HTTP is 80, while the default port for HTTPS, the secure version of HTTP, is 443.
Reconnaissance
The first step of hacking is called reconnaissance, also known as footprinting. This is the information gathering phase where ethical hackers are trying to get as much information they can about the target they are investigating/attacking. This can often be done by using publicly available information on web sites.
ifconfig
The ifconfig is a command line tool in Linux that enumerates all the interfaces on a system. It is also used to configure an interface on a Linux machine.
nbtstat
The nbtstat Windows command line tool is used to query NetBIOS name resolution. Nbt stands for NetBIOS over Transmission Control Protocol /Internet Protocol (TCP/IP). NetBIOS provides communication services over networks.
penetration testing process
The phases are reconnaissance, scanning, gaining access, maintaining access, and clearing tracks
What is it called when a user is attacked by directing them to what they think is a legitimate site, but which is actually a scam site?
This is called pharming. An attacker will often use another sort of attack to impersonate a real site and then get users to submit information to a scam one.