Ethical Hacker


UTF code for ../..

%C1%9C

The database file on a domain controller that stores passwords

%SystemRoot%\NTDS\Ntds.dit OR %SystemRoot%\System32\Ntds.dit

Directory that contains a listing of port numbers for well known ports as defined by IANA

%windir%\system32\drivers\etc\services

Adding this after a process name indicates it should run in the background on Linux

&

Specifies a raw IP packet in hping2

-0 (or --rawip)

Specifies an ICMP packet in hping2

-1 (or --icmp)

Specifies a UDP packet in hping2

-2 (or --udp)

Configures Snort to log only the timestamp, alert message, source IP address and port, and destination IP address and port

-A fast option

Command for a full zone transfer.

-AXFR

Instructs G++ to stop after preprocessing and to output preprocessed C source code

-E option

Configures Netcat to accept inbound connections on a Unix host

-I flag

Command for an incremental zone transfer.

-IXFR

Configures Netcat to listen for inbound connections and to restart after an existing inbound session terminates (only available on MS Windows platforms)

-L flag

Configures grep to accept a regular expression pattern as a search term

-Le

Configures nmap to scan hosts that do not respond to ICMP pings

-P0

Older nmap parameters that were used to disable ICMP pings and have since been replaced by the -Pn parameter

-P0 and -PN

Instructs G++ to stop after compilation and to create an assembler file

-S option

Configures Snort to log packets in binary format, which is also called Tcpdump format

-b option

Instructs G++ to compile or assemble the source files and to output an object file but not to perform linking

-c option

Configures Snort to run in NIDS mode using the rules in a configuration file named snort.conf. Snort will evaluate each packet based on the rules located in the configuration file

-c snort.conf option

Command in netcat used to specify the program that should be executed when a session is established

-e flag

The switch that allows you to change the default packet size of an echo request leaving your machine. The default packet size leaving a Windows machine is 32 bytes.

-l

Enables packet logger mode in Snort

-l option

Instructs G++ to send output to a specific file (if not specified, G++ will place an executable file in a.out, place an object file in source.o, place an assembler file in source.s, place a precompiled header in source.suffix.gch, or place preprocessed C source code on standard output)

-o option

Command used to specify the TCP port on which Netcat should listen for inbound connections

-p flag

Enables Telnet negotiation in netcat

-t flag

Command that can be used to specify the UDP port on which Netcat should listen for inbound connections

-u flag

Directory with basic Linux commands

/bin

Directory with all administration files and passwords in Linux

/etc

Linux directory that holds the user home directories

/home

Linux directory that holds the access locations you have mounted

/mnt

Linux system binaries folder which holds more administrative commands

/sbin

Linux directory that holds almost all of the information, commands, and files unique to the users

/usr

Code in NetBIOS enumeration that indicates the domain name (group)

00

Code in NetBIOS enumeration that indicates the hostname (unique)

00

This software can be used for many purposes, such as bypassing firewalls and other similar security systems.

007 Shell

Code in NetBIOS enumeration that indicates the service running on the system

03

Netscape Administrator Interface port

10000

Diffie-Hellman Group Modulus 2

1024-bit

The IPv4 loopback address

127.0.0.1

Diffie-Hellman Group Modulus 5

1536-bit

A layer 3 directed broadcast address which is sent to all devices on a subnet

192.168.0.255

Code in NetBIOS enumeration that means domain master browser

1B

Code in NetBIOS enumeration that means domain controller

1C

Code in NetBIOS enumeration that means the master browser for a subnet

1D

Code in NetBIOS enumeration that indicates the server service running

20

Diffie-Hellman Group Modulus 14

2048-bit

Compaq Insight Manager port

2381

The layer 3 limited broadcast address which is sent to all devices on a broadcast domain

255.255.255.255

Logical Safeguards, Administrative Safeguards, Physical Safeguards

3 Components of Risk Assessment

Client/Presentation Layer, Business Logic Layer, Database Layer

3 Layers of Web Application Architecture

Device Attacks, Network Attacks, Datacenter (Cloud) Attacks

3 Main avenues of attack for mobile platforms

Preparation, Assessment, Post-Assessment

3 Phases of a Penetration Test

Diffie-Hellman Group Modulus 15

3072-bit

Symmetric Encryption Algorithm; 168 bit key; more effective than DES but much slower

3DES

Diffie-Hellman Group Modulus 16

4096-bit

Risk Identification, Risk Assessment, Risk Treatment, Risk Tracking, Risk Review

5 Phases of Risk Management

Cloud Carrier, Cloud Provider, Cloud Broker, Cloud Consumer, Cloud Auditor

5 Roles in Cloud Architecture as defined by NIST SP 500-292

Identify Security Objectives, Application Overview, Decompose Application, Identify Threats, Identify Vulnerabilities

5 Sections of Threat Modeling

Diffie-Hellman Group Modulus 17

6144-bit

BEA Weblogic port

7001

BEA Weblogic over SSL port

7002

Sun Java Web Server over SSL port

7070

Diffie-Hellman Group Modulus 1

768-bit

Apache Tomcat port

8005

54 Mbps; 5 GHz; OFDM Modulation Type wireless standard

802.11a

1000 Mbps; 5 GHz; QAM modulation type wireless standard

802.11ac

11 Mbps; 2.4 GHz; DSSS Modulation Type wireless standard

802.11b

Global use frequency wireless standard

802.11d

Wireless standard that was a QoS initiative for data and voice

802.11e

54 Mbps; 2.4 GHz wireless standard

802.11g

WPA/WPA2 Encryption standard

802.11i

100+ Mbps; 2.4-5 GHz wireless standard

802.11n

Defines the standards for Bluetooth

802.15.1

Defines the standards for Zigbee

802.15.4

Defines the standards for WiMAX

802.16

IEEE standard defined as a method to establish port-based Network Access Control (NAC) using EAP. It is designed to require authentication before allowing a client to access a network.

802.1X

Diffie-Hellman Group Modulus 18

8192-bit

Kerberos port

88

IBM Websphere admin client port

900

Sun Java Web Server Administration module port

9090

Maps a hostname to an IP address (forward record) in DNS

A (Address)

Ensures reliable access to your key network services by detecting and blocking external threats such as DDoS and other cyber-attacks before they escalate into costly service outages

A10 Thunder TPS

Used to map a host name to a 128-bit IPv6 address (like A record for IPv4)

AAAA record

Creates scripts not recognizable by signature files

ADMutate

Symmetric Encryption Algorithm; block cipher; 128, 192 or 256 bit key; replaces DES; much faster than DES or 3DES

AES

IANA group responsible for Asia Pacific region

APNIC

IANA group responsible for North America

ARIN

Resolves IP addresses to MAC addresses

ARP

Displays the ARP entries for the network interface specified by if_addr

ARP -N

Displays current ARP entries by interrogating the current protocol data.

ARP -a OR -g

Deletes the host specified by inet_addr in ARP, inet_addr may be wildcarded with * to delete all hosts.

ARP -d

Adds the host and associates the internet address inet_addr with the physical address eth_addr in ARP. The physical address is given as 6 hexadecimal bytes separated by hyphens. The entry is permanent.

ARP -s

Displays current ARP entries in verbose mode. All invalid entries and entries on the loop-back interface will be shown.

ARP -v

Attack involving sending malicious ARP packets to a default gateway in order to change the IP-to-MAC pairings in its table.

ARP Poisoning

A computer software tool for monitoring Address Resolution Protocol traffic on a computer network. It generates a log of observed pairings of IP addresses with MAC addresses along with a timestamp of when the pairing appeared on the network.

ARPWatch

A Linux-based management center that acts as a centralized platform for THOR and SPARK scans. It can collect, forward, and analyze thousands of host-based system scans. If a response is required based on scan results, it can coordinate the response tasks. The hard appliance version can handle up to 20,000 end systems; the soft appliance version can handle up to 3,000 end systems.

ASGARD

First data handling, message identification and routing layer in IoT architecture

Access Gateway Layer

Checks web applications for SQL injections, XSS, and so on. Includes advanced penetration testing tools to ease manual security audit processes and creates professional security audit and regulatory compliance reports

Acunetix Web Vulnerability Scanner

A fast and free software for network scanning. It will allow you to quickly detect all network computers and obtain access to them. With a single click, you can turn a remote PC on and off, connect to it via Radmin, and more.

Advanced IP Scanner

IANA group responsible for Africa

AfriNIC

A utility for decrypting WEP encryption on an 802.11b network, that must gather roughly five to ten million encrypted packets from a wireless access point before it can attempt to recover the wireless key.

AirSnort

A resource for statistics about websites

Alexa.com

Provides a feature-rich open-source SIEM complete with event collection, normalization, and correlation. Provides one unified platform with many essential security capabilities including asset discovery, vulnerability assessment, intrusion detection, behavioral monitoring, and SIEM event correlation

AlienVault OSSIM

Cross-platform, open source, and robust website censorship circumvention tool that also maps censorship patterns around the world

Alkasir

Allows attackers to simulate a DoS/DDoS attack on web servers from mobile phones

AnDOSid

A very fast IP address and port scanner. It can scan IP addresses in any range as well as their ports. It is cross-platform and lightweight, not requiring any installations, it can be freely copied and used anywhere.

Angry IP Scanner

Address type that a large number of hosts can receive

Anycast

Consume the resources necessary for an application to run

Application Attacks

Layer responsible for delivery of services and data to the user in IoT architecture

Application Layer

Firewall that works like a proxy, allowing specific services in and out; it inspects the packets as well, but is commonly specific to a particular protocol.

Application-Level Gateway

Provides cached websites from various dates which possibly have sensitive information that has now been removed.

Archive.org

Provides a toolset for zigbee devices.

Attify Zigbee

Verifies an IP packet's integrity and determines the validity of its source.

Authentication Header (AH) protocol

Core Impact, CANVAS

Automated PEN Test Application Suites

A Blackberry-centric tool that's useful in an attack called Blackjacking

BB Proxy

TCP 179

BGP

The simplest type of PSK used in biometric passports and smart credit cards

BPSK

A well-known tool for finding and enumerating nearby bluetooth devices

BT Browser

Application that can perform inquiries and brute force scans on bluetooth devices.

BTScanner

Like device to cloud but adds abilities for parties to collect and use the data

Back-End Data Sharing

A browser that makes multiple simultaneous server requests in order to quickly download entire websites or part of a site including HTML, graphics, Java Applets, sound and other user definable files, and saves all the files in your hard drive, either in their native format, or as a compressed ZIP file you can view offline.

BackStreet Browser

Nessus drop-down options from the General Settings tab include these

Basic, Port Scanning, Performance, Advanced

Hosts on the screened subnet designed to protect internal resources

Bastion Hosts

A secure state machine. The intent is to protect confidentiality. Does not allow write down, but can read up.

Bell-LaPadula

An interface to the data link layer of a system.

Berkeley Packet Filter (BPF)

Goal is data integrity. Three objectives in ensuring integrity: unauthorized parties cannot modify data; authorized parties cannot modify data without specific authorization; and data stored should be true and accurate. Data and people have classification levels (integrity levels). Does not allow write up, but can read down

Biba Model

An example of an integrity attack where the outcome is not to gain information but to obscure the data from the actual user.

Bit Flipping

An internet tool that will allow you to carry out various functions, among them "sniffing" a website for downloadable content, scanning for email addresses, creating site maps and detecting errors.

Black Widow

A design in which a database or knowledgebase is established to solve a particular problem. A variety of expert or specialist sources can then contribute information to the database in an effort to solve the problem. Modern systems built on a this type of architecture are typically a form of artificial intelligence, such as Bayesian antispam techniques in which users contribute samples of spam in order to teach the application how to recognize it.

Blackboard Architecture

Hacker can inject malicious data or commands into intercepted communications in a TCP session, even if the victim disables source routing. Attacker guesses the next ISN of a computer attempting to establish a connection. Attacker sends malicious data or a command, such as a password setting to allow access from another location on the network, but the attacker can never see the response

Blind Hijacking

An application designed and created for bluebugging.

Bloover

Symmetric Encryption Algorithm; fast block cipher; replaced by AES; 65 bit block size; 32 to 448 bit key; considered public domain

Blowfish

Tool from Sourceforge that does a great job of finding bluetooth devices around you, and can also try to extract and display as much information as possible

BlueScanner

Attack where the attacker sends data to a bluetooth device without having gone through the pairing process or without the user knowing about the pairing.

Bluejacking

Attacker denies access to a Bluetooth device. Similar to a ping of death except this attack relies on oversized Logical Link Control and Adaptation Layer Protocol (L2CAP) ping messages.

Bluesmack

The unauthorized access of information from a wireless device through a Bluetooth connection.

Bluesnarfing

Uses two types of phase-shift keying (PSK) digital modulation: pi/4-DQPSK and 8DPSK. The former when transmitting at 2 Mbps and the latter at 3bps

Bluetooth 2.0 with Enhanced Data Rate (EDR)

In blind-based SQL injection, an attacker uses a Boolean operation to generate database information. For example, a query can be run once with AND 1=2 (an always-false statement) and once with AND 1=1 (an always-true statement). An attacker can compare the results to determine whether the injection was successful.

Boolean-based

These attackers typically use IRC or HTTP as a CNC channel often forcing the infected computers to propagate malware or to launch a DoS attack against one or more victims

Botherders

The last address of a subnet

Broadcast address

GET /AAAAAAAAAAAA\x90\x90\x90\x83\xec\x27\xeb\x0c\xe7\xe1\xe6\xc1\sc0\xff 500

Buffer Overflow Attack

Integrated platform for performing security testing of web applications. Its various tools support entire testing process from initial mapping and analysis of an application's attack surface to finding and exploiting security vulnerabilities. Contains intercepting proxy, application aware spider, advanced web application scanner, intruder tool, repeater tool, sequencer tool, and CSRF PoC generator function

Burp Suite

Reviews business applications and services for signs of incidents. Checks audit logs of critical servers that are vulnerable to attacks. Gathers information related to the security incident according to the request of the ISO.

Business Applications and Online Sales Officer

This role is responsible for maintaining all management processes in organizations and making trade-off decisions in risk management process. Empowered with the authority to manage almost all processes in organization.

Business and Functional Managers

Location in Windows where the SAM file is stored (Registry location).

C:\Windows\System32\Config

Automated testing tool with hundreds of exploits, automated exploitation system, and extensive exploit development framework

CANVAS

The number after the forward slash is the number of bits used in the subnet mask

CIDR notation

This role is responsible for executing policies and plans required for supporting IT and computer systems of organizations. Their main responsibility is to train employees and other executive management regarding possible risks in IT and its effect on the business. Also responsible for IT planning, budgeting, and performance based on the risk management program, and plays a vital role in the formation of basic plans and policies for risk management.

CIO

Maps a name to an A record in DNS. Also provides for aliases within the zone.

CNAME (Canonical Name)

A security standard that categorizes control objectives into domains, such as planning and organization or delivery and support. It is an IT management framework that was created by ISACA and the ITGI. It defines the following four domains: Planning and Organization, Acquisition and Implementation, Delivery and Support, and Monitoring and Evaluation.

COBIT

An IT governance framework and toolset created by ISACA and ITGI.

COBIT (Control Objectives for Information and related Technology)

HTTP request method reserved for use with proxy

CONNECT

A standard defined by the Object Management Group designed to facilitate the communication of systems that are deployed on diverse platforms not using XML.

CORBA

Finds vulnerabilities on an organization's web server. Allows user to evaluate security posture of a web server using the same techniques employed by today's cyber-criminals

CORE Impact

Client-side attack which exploits vulnerabilities present in data compression feature of protocols such as SSL/TLS, SPDY and HTTPS. Attacker tries to access the authentication cookie to hijack the victim's session

CRIME

An attack where the characters for a carriage return and line feed are inserted into a stream being read by an application. The attack can be a diversion or its main focus.

CRLF Injection

Configuring the web server to send random challenge tokens is the best mitigation for this attack

CSRF

An attack where the user is tricked into visiting a malicious website. While the user has an active authenticated session with the trusted website, the malicious website can then instruct the user's web browser to send a request to the target website.

CSRF (Cross Site Request Forgery)

A password recovery tool for Microsoft Windows. It can recover many kinds of passwords using methods such as network packet sniffing, cracking various password hashes by using methods such as dictionary attacks, brute force and cryptanalysis attacks. It can also extract voice from VoIP data.

Cain and Abel

Viruses that overwrite unused portions of a file, but do not change their size.

Cavity

A document that specifies how an organization plans to use a PKI and how it will operate and function

Certificate Practice Statement (CPS)

A TOR-based botnet Trojan that uses a keylogger and memory scanner to target payment and POS systems.

ChewBacca

The integrity method used by WPA2. Created to correct vulnerabilities in TKIP, and fully implements the IEEE 802.11i standard. It creates a message integrity code that can be used to validate whether the message source or the payload data was altered in transit.

Cipher Block Chaining Message Authentication Code Protocol (CCMP)

Firewall that works on layer 5

Circuit-Level Gateway

DDoS mitigation appliance that employs the most advanced anomaly recognition, source verification, and anti-spoofing technology to identify and block individual attack flows while allowing legitimate transactions to pass

Cisco Guard XT5650

Does not rely on state machine or use subjects and objects. Instead it defines data items and only allows access through a small number of known programs

Clark-Wilson Integrity Model

A tool that profits from the Core Impact and Core Insight technologies to offer penetration-testing as a service from Amazon Web Services for EC2 users. Designed for AWS cloud subscribers and runs an automated, all-in-on testing suite specifically for your cloud subscription

CloudInspect

A tool that provides instant visibility and continuous protection for servers in any combination of data centers, private clouds, and public clouds

CloudPassage Halo

Tool that utilizes fuzz testing that learns the tested system automatically; allows for pen testers to enter new domains such as VoIP assessment, etc.

Codenomicon

Allows attacker to create custom network packets and helps security professionals assess network. Attacker can select TCP packet from provided templates and change parameters with editor. Also supports saving packets to packet files and sending packets to network. Audits networks and checks network protections against attacks and intruders.

Colasoft Packet Builder

Used to create custom network packets and fragment packets. Can create custom network packets such as Ethernet, ARP, IP, TCP, and UDP packets

Colasoft Packet Builder

Wireless network monitor and analyzer for 802.11a/b/g/n networks. Captures packets to display important information such as a list of APs and stations, per-node and per-channel statistics, signal strength, a list of packets and network connections, protocol distribution charts, and more. By providing this information, one can view and examine packets, pinpoint network problems, and troubleshoot software and hardware

CommView for WiFi

Web application attack in which the attacker gains shell access using Java or similar

Command Injection

Publicly available and free to use list or dictionary of standardized identifiers for common software vulnerabilities and exposures

Common Vulnerabilities and Exposures (CVE)

Published standard that provides open framework for communicating characteristics and impacts of IT vulnerabilities. Two common uses are prioritization of vulnerability remediation activities and in calculating severity of vulnerabilities disclosed on one's systems.

Common Vulnerability Scoring System (CVSS)

Controls used to supplement directive controls.

Compensating

In G++ involves the following stages: preprocessing, compilation, assembly, and linking

Compiling

Executive Summary of the organization's security posture. Names of all participants and dates of tests. List of all findings, presented in order of risk. Analysis of each finding and recommended mitigation steps. Log files and other evidence (screenshots, etc.).

Comprehensive Report Parts for a Pen Test

An attack that takes advantage of web applications that communicate with databases by using semicolons to separate parameters. An attacker can end a parameter prematurely with a semicolon and then add his own code.

Connection String Parameter Pollution (CSPP) attack

Helps identify weak cookie generation and insecure implementations of session management by web applications. Works by collecting and analyzing cookies issued by web application for multiple users

Cookie Digger

Best known, all-inclusive automated testing framework; tests everything from web applications and individual systems to network devices and wireless

Core Impact Pro

Controls used to repair damage caused by malicious events.

Corrective

Dynamic ARP inspection using DHCP snooping; XArp; default gateway MAC added permanently to each machine's cache

Countermeasures against ARP Poisoning

5th Hacking phase: Steps taken to conceal success and intrusion by an attacker on a system.

Covering Tracks

Steps taken to conceal success and intrusion of a system.

Covering Tracks (Phase 5 of Hacking)

A virus that infected systems on the ARPAnet but caused no actual damage

Creeper Virus

A method of federated identity management that enables participants to trust another participant's PKI.

Cross-Certification Trust Model

The encrypted version of netcat

Cryptcat

Can encrypt binary code in executables to hide malware like viruses, keyloggers, and RATs

Crypters

Application used to look at malware and what it may be up to.

Cutter

A remote control Trojan used to manage multiple servers in a target network.

CyberGate

Linux environment of GNU and Open Source tools that can run on Microsoft Window Platforms.

Cygwin

A proprietary Microsoft technology for communication among software components distributed across networked computers.

DCOM

Blocks DDoS attacks with multi-layered protection

DDoS Protector

HTTP request method that requests origin server delete resource

DELETE

Symmetric Encryption Algorithm; block cipher; 56 bit key

DES

UDP port 67

DHCP

Replacing a DLL in the application directory with your own version which gives you the access you need

DLL Hijacking

A layer 7 protocol that is used to map hostnames and domain names to IP addresses

DNS

TCP/UDP port 53

DNS

A web server attack that uses recursive DNS to DoS a target; amplifies DNS answers to target until it cannot do anything

DNS Amplification

Changes cache on a machine to redirect requests to a malicious server

DNS Poisoning

Also known as cache poisoning

DNS Spoofing

Helps prevent DNS poisoning by encrypting records

DNSSEC

Affects SSL and TLS services and allows attackers to break the encryption and steal sensitive data using flaws in SSL v2

DROWN

The process of detecting and recovering data that has been intentionally hidden on a computer. Detecting and recovering hidden data can reveal the intent, ownership, and knowledge of an attacker.

Data-Hiding Analysis

A program to extract (reverse engineer) data points from a graph

DataThief

Nessus drop-down options from the Preferences tab when creating a new policy in Nessus 5.2 include these

Database Compliance Checks, Cisco IOS Compliance Checks, Global Variable Settings

Firewall that looks beyond the headers and into the payload of the packet, therefore providing the ability to inspect higher layer protocols

Deep Packet Inspection

Controls used to monitor and alert on malicious or unauthorized activity.

Detective

Controls that are used to dissuade potential attackers.

Deterrent

IoT device communicates directly to a cloud service

Device to Cloud

Communicates directly with other IoT devices

Device to Device

IoT device communicates with a gateway before sending to the cloud

Device to Gateway

Asymmetric Encryption Algorithm; developed as a key exchange protocol; used in SSL and IPSec; if digital signatures are waived, vulnerable to MitM attacks

Diffie-Hellman

Controls also known as procedural because they deal with company procedures such as security policies, operations plans, and guidelines.

Directive

A web server attack that requests a file that should not be accessible from the web server (e.g. ../)

Directory Traversal

GET /scripts/..%255c../windows/system32/cmd.exe?/c+dir HTTP/1.1 200

Directory Traversal Attack

Converts operations codes to mnemonics

Disassembly

A technique used for recovering password-protected files that utilizes unused processing power of machines across the network to decrypt passwords

Distributed Network Attack (DNA)

Searching for and publishing information about an individual usually with malicious intent.

Doxing

Android application for security analysis in wireless networks and capturing Facebook, Twitter, LinkedIn, and other accounts

DroidSniff

Used for session hijacking on Android devices connected on common wireless network. Gets session ID of active user and uses it to access website as an authorized user

Droidsheep

Many-to-many address mapping in NAT

Dynamic NAT

An attack in which a valid 802.1x EAP exchange is observed. The attacker then sends the client a forged EAP-failure message

EAP-Failure attack

SEC database that stores all public filings associated with a company. Includes the 10-K annual report, 10-Q quarterly reports, 11-K including details about employee stock option plans, and Schedule 14-A proxy statement

EDGAR

Provides confidentiality for IPSec by encrypting each packet

ESP

Provides actual delivery address of mailing list and aliases in SMTP

EXPN

Enterprise configuration audit and analytics solution that analyzes a system's current configuration state.

Ecora

Consists of sensors, RFID tags, readers and the IoT devices

Edge Technology Layer

Asymmetric Encryption Algorithm; not based on prime number factoring; uses solving of discrete logarithm problems

El Gamal

Tool that allows attackers to break complex passwords, recover strong encryption keys, and unlock documents in a production environment

Elcomsoft distributed Password Recovery

An example of a wrapper program that can be used to bind a Trojan to a legitimate software application.

EliteWrap

First virus on the PC - it just copied itself

Elk Cloner

Asymmetric Encryption Algorithm; uses points on an elliptic curve along with logarithmic problems; uses less processing power; good for mobile devices

Elliptic Curve Cryptosystem (ECC)

In transport mode, encrypts only the IP payload. In tunnel mode, encrypts the entire packet

Encapsulating Security Payload (ESP)

This should be configured if you want to mitigate IP spoofing attacks

Encrypted VPN

Process that determines how systems work within an organization

Enterprise Information Security Architecture (EISA)

Floods a switched network with Ethernet frames with random hardware addresses. The effect on some switches is that they start sending all traffic out on all ports so you can sniff all traffic on the network.

EtherFlood

An application that can perform ARP spoofing in a console or GUI mode as well as act as a sniffer that can also run man-in-the-middle attacks and DNS spoofing.

Ettercap

Website where researchers and developers post exploit code and proof of concept code that works against identified vulnerabilities

Exploit-db.org

The layer 2 Ethernet broadcast address sent to all nodes on a switch but not forwarded to routers

FF:FF:FF:FF:FF:FF

A 2013 bill that was intended to change the framework that determines how the US government purchases technology.

FITARA

Contained sections that were made US law as part of the National Defense Authorization Act (NDAA) for Fiscal Year 2015.

FITARA

Capable of scanning a wide variety of documents

FOCA

MitM attack that forces a downgrade of RSA key to a weaker length

FREAK

TCP Port 20, 21

FTP

Android application that allows you to sniff and intercept web session profiles over the WiFi network that the mobile session is connected to. The WiFi cannot be using EAP

Faceniff

A law updated in 2004 to codify the authority of the DHS with regard to implementation of information security policies.

Federal Information Security Management Act of 2002 (FISMA)

The process of providing access to a company's data resources to organizations or parties that are not owned by the company. There are two federated identity management models: the trusted third-party certification model and the cross-certification model.

Federated Identity Management

Version, Serial Number, Signature Algorithm, Algorithm ID, Issuer, Subject, Public Key Information, Public Key Algorithm, Key Usage

Fields of an X.509 certificate

Web application attack in which attacker injects a pointer in a web form to an exploit hosted elsewhere

File Injection

Mobile application for Android and iOS that scans and provides complete network information such as IP address, MAC address, device vendor, and ISP location

Fing

These are all multihomed devices

Firewalls

Performs security assessments in IoT networks.

Firmalyzer

1. Acquisition 2. Identification 3. Analyzing 4. Evaluation 5. Generating Reports

Five phases/steps of a vulnerability assessment

The organized research and investigation of Internet addresses owned or controlled by a target organization. Searching for high-level information on a target.

Footprinting

A type of Man-in-the-Middle attack possible when the crypto nonce is reused while establishing an HTTPS session with the server

Forbidden Attack

An application that leverages passive sniffer devices to reconstruct a visual and textual representation of network information to support real-world IoT applications where other means of debug (cable or network-based monitoring) are too costly or impractical.

Foren6

Surgically removes network and application layer DDoS attacks while letting legitimate traffic flow without being impacted

FortiDDoS-1200B

Know the Security Posture, Reduce the Focus Area, Identify Vulnerabilities, Draw a Network Map

Four Main Focuses of Reconnaissance

An attack that sends a large number of UDP packets to the broadcast address of the subnet with source IP spoofed as the target; entire subnet responds exhausting the target

Fraggle Attack

Attacks that take advantage of the system's ability to reconstruct fragmented packets

Fragmentation Attacks

An application used to intercept, modify, and rewrite egress traffic destined for a specified host. It features a simple rule-set language to delay, duplicate, drop, fragment, overlap, print, reorder, segment, source-route, or otherwise monkey with all outbound packets destined for a target host, with minimal support for randomized or probabilistic behavior. Basically used to mangle captured packets before they are sent to a target you specify.

Fragroute

HTTP request method that retrieves whatever information is in the URL; sending data is done in URL

GET

A complete vulnerability management solution, which allows you to scan, detect, assess and rectify security vulnerabilities on your network.

GFI Languard

3rd Hacking phase: Attacks are leveled against the system in order to gain access.

Gaining Access

Attacks are leveled in order to gain access to a system

Gaining Access (Phase 3 of Hacking)

A special packet to update an ARP cache even without a request. Can be used to poison the cache on other machines.

Gratuitous ARP

Configures grep to search for files that do not contain the specified search term

Grep -L

HTTP request method identical to get except for no body return

HEAD

The HTTP request to perform banner grabbing

HEAD / HTTP/1.0

The resource type on a DNS server that configures the OS type of a particular DNS record

HINFO

Registry hive with information on file associations and OLE classes

HKEY_CLASSES_ROOT (HKCR)

A pointer to the current configuration in the registry system.

HKEY_CURRENT_CONFIG (HKCC)

Registry with profile information on the current user including preferences

HKEY_CURRENT_USER (HKCU)

Registry with information on hardware and software

HKEY_LOCAL_MACHINE (HKLM)

Layer 7 attack where the attacker uses time-delayed HTTP headers to hold on to an HTTP connection and exhaust web server resources

HTTP GET Attack

Layer 7 attack where the attacker sends HTTP requests with complete headers but an incomplete message body to the target web server or application

HTTP POST Attack

An attack that adds header response data into the input field so that the server splits the response into two responses.

HTTPS Response Splitting Attack

A free and open-source Web crawler and offline browser, developed by Xavier Roche and licensed under the GNU General Public License Version 3. Allows users to download World Wide Web sites from the Internet to a local computer.

HTTrack

Offline browser utility that downloads Website from Internet to local directory, building all directories recursively, getting HTML, images, and other files from the server

HTTrack

An attack where the attacker hacks IoT devices in order to shut down air conditioning services

HVAC Attack

Perceived value or worth of a target as seen by the attacker.

Hack value

Tool used in rolling code attacks

HackRFone

Multi-OS, multi-platform compatible cracker that can perform multi-hash and multi-device password cracking

Hashcat

Injects code into the heap, which is where dynamically allocated memory is taken from

Heap Spraying Attack

An SSL vulnerability that exploits the heartbeat issue in data transfer.

Heartbleed

In blind SQL injection, retrieves a large amount of data, which takes the database time to execute and so can simulate a time-based blind SQL injection.

Heavy Query

A CLI tool that could be used to determine the security state of computers on a network. It was integrated into previous versions of MBSA but is not supported in the latest version of MBSA. Uses a file downloaded from the Microsoft Download Center Website, not WUA, to scan the security state of network computers.

Hfnetchk

A web server attack that modifies hidden form fields producing unintended results

Hidden Field Tampering

Network stress and DoS/DDoS attack application written in BASIC. Designed to attack 256 target URLs simultaneously. Sends HTTP POST and GET requests to the target computer; uses a lulz-inspired GUI

High Orbit Ion Cannon (HOIC)

Lightweight, low-interaction, portable, and generic honeypot for mobile devices that aims at the detection of malicious, wireless network environments

HosTaGe

An area of a hard drive that is protected from the OS so that it does not show up in the directory structure.

Host-Protected Area (HPA)

1. Create a hash of the message 2. Encrypt the hash with your private key 3. Encrypt the message with the recipient's public key

How to create a digital signature on a message

Manages and secures Windows OSes. Features active task matching options, a group member matrix, and active editor improvements

Hyena

The first AD management product to support customizable Active Directory queries at every object level. Define your own queries, or use any of the predefined queries to display custom 'views' of exactly what directory attributes you want to see for organizational units, users, groups, or computers.

Hyena

Sends a large number of ICMP echo request packets to a target host in an attempt to saturate the target's network or resource capacity. Typically, an attacker will send the messages with spoofed source IP addresses or will send the messages from zombies in order to free the attacking device of the burden of processing the ICMP Echo Request messages.

ICMP Flood Attack

A telnet-like protocol that allows users to connect to a remote host and to open a shell using only ICMP to send and receive data. Written in C for the UNIX environment.

ICMP Shell (ISH)

Echo Reply

ICMP Type 0

Time exceeded (Code 0 is TTL expired)

ICMP Type 11

Destination network unreachable.

ICMP Type 3 Code 0

Destination host unreachable

ICMP Type 3 Code 1

Host administratively prohibited

ICMP Type 3 Code 10

Destination network Unreachable for Type of Service

ICMP Type 3 Code 11

Destination Host unreachable for type of service

ICMP Type 3 Code 12

Code that shows traffic is being blocked by a firewall

ICMP Type 3 Code 13

Communications administratively prohibited. Indicates a poorly configured firewall.

ICMP Type 3 Code 13

Host Precedence Violation

ICMP Type 3 Code 14

Precedence cutoff in effect

ICMP Type 3 Code 15

Code that tells you the client itself has the port closed

ICMP Type 3 Code 3

Fragmentation needed and "don't fragment" was set

ICMP Type 3 Code 4

Source Route Failed

ICMP Type 3 Code 5

Network unknown

ICMP Type 3 Code 6

Host unknown

ICMP Type 3 Code 7

Source Host Isolated

ICMP Type 3 Code 8

Network administratively prohibited.

ICMP Type 3 Code 9

Source Quench (congestion control message)

ICMP Type 4

Redirect datagram for the network

ICMP Type 5 Code 0

Redirect datagram for the host

ICMP Type 5 Code 1

Echo Request

ICMP Type 8

Symmetric Encryption Algorithm; block cipher; 128 bit key; originally used in PGP 2.0

IDEA

Simple Internet server identification utility

IDServe

An IPSec VPN scanning, fingerprinting, and testing tool.

IKE Scan

TCP port 143

IMAP

Version, Header Length, Type of Service, Total Length, Identification, Flags, Fragment Offset, TTL, Protocol, Source and Destination Address

IP Header Fields

IP scanner for iOS that scans the local network to determine identity of all its active machines and Internet devices

IP Scanner

Useful in gaining unauthorized access to a computer with the help of a trusted host's IP address. Allows attackers to create their own acceptable packets to insert into the TCP session

IP Spoofing: Source Routed Packets

Share used for interprocess communications between hosts

IPC$

These are dynamic link library (DLL) files that enhance the functionality of a webserver. Data passes through these filters until the filter finds something relevant to process. However, they are notoriously insecure and can expose the webserver to threats.

ISAPI filters

A security standard based on the British BS 17799 standard that focuses on security governance.

ISO 27001

Standards based on BS 17799 but focused on security objectives, providing security controls based on industry best practices.

ISO 27002 and 17799

Describes how to best manage security risks using an organized and systematic approach.

ISO 27005

Describes audits and certifications for security management systems

ISO 27006

This role protects personnel and physical and information systems in organization. Responsible for implementing security controls.

IT Security Practitioners

This role is responsible for the organization's Information Security programs and provides the required support to IS owners with the selection of security controls for protecting systems. They play an important role in the selection and amendment of security controls in the organization.

IT Security Program Managers and Computer Security Officers (ISSO)

A method that provides network resources such as storage and allows the client to deploy software and add network components such as firewalls. (Amazon EC2 is one example)

IaaS (Infrastructure as a Service)

In this attack user identities are captured from clear-text 802.1x Identity Response packets

Identity Theft attack

Technical experts in their particular area who apply appropriate technology and try to eradicate and recover from incident

Incident Analyst

Acts as link between various groups affected by incidents. Plays vital role between security teams and networking groups. Helps in communication process and keeps everyone updated.

Incident Coordinator

CIRT role that focuses on the incident and analyzes the manner in which to handle it from a management and technical point of view. Responsible for actions performed by incident analysts and reports information to the incident coordinator. Must be a technical expert with an understanding of security and incident management.

Incident Manager

What solutions does Foundstone provide?

Incident Response, Security Training, Security Assessment

CIRT role that identifies the nature and scope of computer security incident. Communicates with information security specialists as well as with other team members. Provides incident handling training to members. Examines details of investigation. Makes sure evidence is gathered and the chain of custody is followed and evidence is stored correctly. Prepares report of incident and takes corrective action.

Information Security Officer

CIRT role that acts as the communication point for various computer security incidents. Notifies the information security officer to provide an IRT to carry out necessary operations. Ensures the incident management team and other activated teams are supported via available technology.

Information Technology Officer

CIRT role that coordinates activities with ISO. Prepares documentation for different types of data that may have been breached. Helps individuals in discussing investigation issues related to customer privacy and employee PII. Provides guidance for creating communication among affected agencies. Monitors need for altering practices, privacy policies, and procedures as a result of security incident.

Information Privacy Officer

Spouse, friend or client of an employee who uses the employee's credentials to gain access

Insider Affiliate

Someone with limited authorized access such as a contractor, guard or cleaning service person

Insider Associate

Person search site with detailed information; searchable by name but not username

Intelius

Checks whether information systems are in compliance with security policies and controls. Performs audit test to make sure that patches and service packs are current with mission critical systems. Identifies and reports any security loopholes to management for necessary actions.

Internal Auditor

Crucial layer which serves as main component to allow communication in IoT architecture

Internet Layer

TCP port 631

Internet Printing Protocol (IPP) and Common UNIX Printing Gateway Protocol (CUPS)

Translates scripting-language source code into machine code every time the script is executed

Interpreter

A signal that indicates that an event has occurred, it can cause an application to stop, but it does not necessarily

Interrupt

Flooding tool

Inundator

I1 Insecure Web Interface; I2 Insufficient Authentication/Authorization; I3 Insecure Network Services; I4 Lack of Transport Encryption/Integrity Verification; I5 Privacy Concerns; I6 Insecure Cloud Interface; I7 Insecure Mobile Interface; I8 Insufficient Security Configurability; I9 Insecure Software/Firmware; I10 Poor Physical Security

IoT Vulnerabilities and Attacks

HIDS that acts as a honeypot to attract and detect hackers and worms by simulating vulnerable systems, services and Trojans

KFSensor

A built-in sniffer and password cracker looking for port 88 Kerberos traffic

KerbCrack

A replay attack (a type of exploitable flaw) on the Wi-Fi Protected Access protocol that secures Wi-Fi connections. It was discovered in 2016 by the Belgian researchers Mathy Vanhoef and Frank Piessens of the University of Leuven.

Key Reinstallation Attack (KRACK)

A keylogger

KeyLlama

A wireless packet analyzer/sniffer that can be used for discovery. Works without sending any packets and can detect access points that have not been configured. Works by channel hopping.

Kismet

Password auditing and recovery application. Recovers the last MS Windows password with the help of dictionary, hybrid, rainbow table, and brute-force attacks; also checks the strength of passwords

L0phtCrack

IANA group responsible for Latin America

LACNIC

An authentication method used on early versions of Windows (i.e. 98 and 95) that expands all passwords to 14 characters, converts them to uppercase, splits them into two separate seven-character strings, and then creates a 16-character hexadecimal hash for each string independently. Fills out anything that is not 14 characters long with empty spaces. Therefore, a DES hash of seven blank characters will always be AAD3B435B51404EE.

LAN Manager (LM)

Sends a SYN packet to the target with a spoofed IP that matches the target; if vulnerable, the target loops endlessly and crashes

LAND attack

TCP/UDP port 389

LDAP

Web application attack that exploits applications that construct LDAP statements. Format includes )(&)

LDAP Injection

In this attack user credentials are recovered from captured 802.1x LEAP packets using a dictionary attack tool

LEAP Cracking attack

A .NET program that can run on Windows as well as Linux systems that have the Mono package installed. The application runs DoS attacks - blasts requests to both URL and IP addresses (TCP, UDP, or HTTP requests).

LOIC (Low Orbit Ion Cannon)

An open-source scanner that checks for the presence of indicators of compromise (IOC). IOCs are derived from incident reports, YARA rules, hashes, or file names. It consists of only three modules, so it is not as fully featured as SPARK or THOR. Installation files are available for Windows, Linux, and Mac OS.

LOKI

Sniffers operate at what two layers of the OSI model? One layer provides for physical addressing and framing (MAC addresses, Ethernet frames, and so on) and the other layer handles the packets and payloads (IP addressing and such)

Layer 2 and Layer 3

Packet filtering firewalls work at what layer?

Layer 3

Stateful firewalls work at what layer?

Layer 4

Circuit level firewalls work at what layer?

Layer 5

Application-Level Firewalls work at what layer?

Layer 7

The packet capture library/driver used by virtually every sniffing and scanning tool on Linux machines

Libpcap

48 bits long and displayed as 12 hex characters separated by colons. Includes an organizationally unique identifier and the physical address of a NIC

MAC Address

Designed to scan and locate a variety of security issues on Windows products including missing patches, weak passwords, and security misconfigurations.

MBSA

Hash Algorithm; produces 128 bit hash expressed as 32 digit hex number; has serious flaws; still used for file download verification

MD5

Takes a message of arbitrary length as input and produces a 128-bit hash value output.

MD5

The resource type that is used to display email mailbox information

MINFO

A type of switching that enables any one of several Layer 2 protocols to carry multiple types of Layer 3 protocols. One of its benefits is the ability to use packet-switched technologies over traditionally circuit-switched networks. Can also create end-to-end paths that act like circuit-switched connections.

MPLS (Multiprotocol Label Switching)

Label, Traffic Class (TC), Bottom-of-Stack (S), and TTL.

MPLS fields

Lists email servers in DNS

MX (Mail Exchange)

4th Hacking phase: Items are put in place to ensure the attacker has future access to the system.

Maintaining Access

Items are put in place to ensure future access to a system.

Maintaining Access (Phase 4 of Hacking)

Displays relational information by using graphs and links. It is a data mining tool that can analyze relationships from information found on the Internet. Information that can be harvested and correlated includes names, email addresses, companies, websites, domains, IP addresses, documents, and files. It captures this information from a variety of sources, including search engines, social networks, DNS records, and WHOIS records. The information is then presented by graphically linking the associated relationships.

Maltego

Software used for open-source intelligence and forensics, developed by Paterva. It focuses on providing a library of transforms for discovery of data from open sources, and visualizing that information in a graph format, suitable for link analysis and data mining. A unique platform developed to deliver a clear threat picture to the environment that an organization owns and operates. Its unique advantage is to demonstrate the complexity and severity of single points of failure as well as trust relationships that currently exist within the scope of your infrastructure.

Maltego

Virtual database containing a formal description of all network objects that SNMP manages. A collection of hierarchically organized information. Provides information as Object IDs (OIDs), which include the object's type, access level, service restrictions, and range information, converted to human-intelligible information by the SNMP manager

Management Information Base (MIB)

A port scanner that will scan as fast as your system and network connection will allow it to go; uses --rate=[#] to indicate packets/second; can also grab banners with the --banners parameter.

Masscan

A GUI-based tool that runs under Windows. The tool incorporates several functions into a single interface including a ping scan, port scanning, and other enumeration utilities. Port scans can be run with preselected port selections.

MegaPing

Process deployed by Apple that leads to tricking the process to access out of bounds memory by exploiting CPU optimization mechanisms such as speculative execution

Meltdown Vulnerability

A fixed-length value that is generated by running the entire message through a cryptographic algorithm and outputs a hash

Message Authentication Code

A feature of WPA that provides integrity checking and helps protect against man-in-the-middle attacks. It adds a new field that includes a sequence number to wireless packets, and if the WAP receives packets out of order, it will drop them.

Message Integrity Check (MIC)

Viruses that rewrite themselves each time they infect a new file.

Metamorphic

A penetration-testing tool that combines known scanning techniques and exploits to explore potentially new types of exploits. Developed as an exploit framework and now has over 1000 auxiliary modules, many of which are scanners for reconnaissance and enumeration. The program can import scans from OpenVAS, Nessus, and Nexpose.

Metasploit

An OS agnostic shell language payload within the Metasploit Framework that provides control to run a number of commands on a target system. Once loaded, the application resides completely in the memory of the exploited host and leaves no traces on the hard drive, making it very difficult to detect with conventional forensic techniques.

Meterpreter

Creates a listener port on port 31337 that can be connected to in order to get a meterpreter shell

Metsvc

Layer that sits between the application and hardware in IoT architecture; handles device management, data analysis and aggregation

Middleware Layer

A utility metasploit module that could be used to extract passwords from a compromised system

Mimikatz

Monitors application permissions, sorting them into three categories by privacy-risk level

Mobile Privacy Shield

Helps in taking control of mobile applications; easily allow/block application connectivity and block background application activity. Generates alerts when new applications access the Internet

Mobiwol

One way that attackers attempt to hide data on a computer.

Modifying File Extensions

A tool used to automate SQL injection attacks

Mole

Used to automate SQL injection attacks

Mole tool

Uses a combination of volumetric, protocol, and application-layer attacks to take down target system or service

Multi-Vector Attack

Firewall that has two or more interfaces

Multi-homed

Addressed for multiple host interfaces

Multicast

Viruses that attempt to infect both files and the boot sector at the same time.

Multipartite

Web application security scanner that searches for vulnerabilities such as clickjacking, XSS, and SQL injection

N-STalker Web Application Security Scanner

Distributes processing across multiple servers; normally as three tiers: Presentation (web), Logic (application), and Data (database)

N-Tier Architecture

This architecture allows each tier to be modified independently of the other tiers

N-tier

Often implemented on a network by connecting it to the switched port analyzer (SPAN) port on a switch.

NIDS device

Older tool for fragmenting bits

NIDSbench

Standard that catalogs the security and privacy controls for federal information systems; created to assist the implementation of FISMA.

NIST SP 800-53

An open source firewall for the NetBSD operating system

NPF

Lists the nameservers for a namespace in DNS

NS (Nameserver)

Provides authentication, encryption, and message encryption. It is a management protocol used to synchronize the clock on network devices. You can configure it to ensure that only specified devices are used for time synchronization. It supports DES encryption for message integrity and authentication. It uses UDP port 123.

NTP

UDP Port 123

NTP

US Government repository of standards based vulnerability management data represented using the SCAP. Enables automation of vulnerability management, security measurements, and compliance

National Vulnerability Database (NVD)

A CLI tool that is available for both Linux and Windows hosts that can generate many types of packets and inject packets at Layer 2 or 3. It can generate ARP, Ethernet, TCP and UDP packets as well.

Nemesis

The most commonly-deployed vulnerability assessment solution which helps you perform high-speed asset discovery, target profiling, configuration auditing, malware detection, sensitive data discovery and so much more.

Nessus

TCP/UDP port 137, UDP port 138, TCP port 139

NetBIOS

Full-featured advanced Android no-root firewall used to fully control mobile device network. Can create network rules based on application, IP address, domain name, and more

NetPatch Firewall

Investigation tool that allows one to troubleshoot, monitor, discover, and detect devices on a network. Gathers information about the local LAN, Internet users, IP addresses, ports, and more. Finds vulnerabilities and exposed ports in a system. Combines many network tools and utilities categorized by their function.

NetScan Tools Pro

SMTP email generation tool that tests the process of sending an email message through an SMTP server

NetScan Tools Pro

A Windows tool that facilitates detection of Wireless LANs using the 802.11b, 802.11a and 802.11g WLAN standards. It can also collect and decrypt the wireless packets.

NetStumbler

A tool for Windows that has similar features to NetStumbler and Kismet and does not require special drivers

NetSurveyor

A simple Unix/Linux utility which reads and writes data across network connections using TCP or UDP protocols. There is also a binary available for Windows platforms. Commonly embedded in Trojan payloads.

Netcat

Networking utility that reads and writes data across network connections using the TCP/IP protocol

Netcat

A search engine that provides information about websites and possibly OS information.

Netcraft

Determines the OS of a queried host by looking in detail at the network characteristics of the HTTP response received from the website. Identifies vulnerabilities in the web server via indirect methods

Netcraft

Tools that can assist in protecting against phishing. These two tools can help in identifying risky sites and phishing behavior.

Netcraft Toolbar, PhishTank Toolbar

Finds and reports web application vulnerabilities such as SQL injection and XSS on all types of web apps regardless of platform and technology they are built with

Netsparker

Used for Network statistics

Netstat

Examines computer network traffic for signs of incidents/attacks. Uses tracer tools to identify incidents. Contacts ISP and seeks their assistance in handling incidents. Performs necessary actions required to block network traffic from suspected intruder

Network Administrator

Android application with automated network analysis and network honeypot for guarding your network

Network Guard

Special port on a switch that allows the connected device to see all traffic

Network Tap

A command-line vulnerability scanner that scans webservers for dangerous files/CGIs, outdated server software and other problems. It performs generic and server type specific checks. It also captures and prints any cookies received.

Nikto

Can save or log information to Metasploit, CSV, NBE, HTML, text, and XML format.

Nikto

Vulnerability scanner used extensively to identify potential vulnerabilities in web applications and servers

Nikto2

Creates a portable XML output of a scan in nmap

Nmap --webxml

An exploit that pushes a CPU's instruction execution to a desired location when the exact target branch instruction is unpredictable.

No Operation (NOP) slide/sled

Network security auditing tool suite, includes more than 45 network tools and utilities for network security auditing, network scanning, network monitoring and more.

Nsauditor

Work similarly to an XMAS scan, but Windows boxes will respond as well

Null and FIN scans

A proprietary technology developed by Microsoft that allows embedding and linking to documents and other objects.

OLE

Nmap has a database of fingerprints containing details about how each OS behaves, including how the IP identification field is generated, the initial sequence number, the initial window size, and several other details. Must find at least 1 open and 1 closed port.

OS Scanning

Uses open source intelligence to get information about a target

OSRFramework

Methodology manual maintained by ISECOM that defines three types of compliance (Legislative, Contractual, Standards Based).

OSSTMM

Interactive Controls including authentication, indemnification, subjugation, continuity, and resilience.

OSSTMM Class A

Process Controls including non-repudiation, confidentiality, privacy, integrity, and alarm.

OSSTMM Class B

M1 Improper Platform Usage; M2 Insecure Data Storage; M3 Insecure Communication; M4 Insecure Authentication; M5 Insufficient Cryptography; M6 Insecure Authorization; M7 Client Code Quality; M8 Code Tampering; M9 Reverse Engineering; M10 Extraneous Functionality

OWASP Top 10 Mobile Risks

A1. Injection Flaws; A2. Broken Authentication and Session Management; A3. Sensitive Data Exposure; A4. XML External Entities (XXE); A5. Broken Access Control; A6. Security Misconfiguration; A7. Cross-Site Scripting; A8. Insecure Deserialization; A9. Using Components with Known Vulnerabilities; A10. Insufficient Logging and Monitoring

OWASP Web Top 10

When using this application, you should address code injection, buffer overflow, string formatting, and thread racing vulnerabilities.

Objective-C

Provides a graphical interface to analyze and troubleshoot enterprise networks. Offers real-time visibility and analysis into every part of the network from a single interface

OmniPeek enterprise

A switch port and IP address management software that can manage IP addresses, map switch ports, detect rogue devices, monitor bandwidth usage, monitor DHCP server, backup Cisco configuration files, view SNMP traps, get MAC IP list, and more.

OpUtils

Allows for browsing websites smoothly and anonymously

OpenDoor

A software framework of several services and tools offering vulnerability scanning and vulnerability management. All products are free software, and most components are licensed under the GNU General Public License.

OpenVAS

Proxy app that allows other apps to use Internet more securely. Uses Tor to encrypt Internet traffic, then hides it by bouncing through series of computers around the world. Creates truly private Internet connection.

Orbot

Someone outside the organization who uses an open access channel to gain access to an organization's resources

Outside Affiliate

Many-to-one address mapping in NAT

PAT (Port Address Translation)

Install and maintain a firewall configuration to protect cardholder data

PCI DSS Requirement 1

Track and Monitor all access to network resources and cardholder data

PCI DSS Requirement 10

Regularly test security systems and processes

PCI DSS Requirement 11

Maintain a policy that addresses information security for all personnel

PCI DSS Requirement 12

Do not use vendor-supplied defaults for system passwords and other security parameters

PCI DSS Requirement 2

Protect stored cardholder data

PCI DSS Requirement 3

Encrypt transmission of cardholder data across open, public networks

PCI DSS Requirement 4

Use and regularly update antivirus software or programs

PCI DSS Requirement 5

Develop and maintain secure systems and applications

PCI DSS Requirement 6

Restrict access to cardholder data by business need to know

PCI DSS Requirement 7

Assign a unique ID to each person with computer access

PCI DSS Requirement 8

Restrict physical access to cardholder data

PCI DSS Requirement 9

A free data encryption program that requires no management of server services and provides privacy and authentication for data communication. Can encrypt disks as well as emails and other data.

PGP (Pretty Good Privacy)

Man-in-the-middle exploit which takes advantage of the Internet and security software clients' fallback to SSL 3.0.

POODLE

TCP port 110

POP3

HTTP request method that sends data via body - data not shown in URL or in history

POST

A tunneling protocol that operates at the Data Link layer (Layer 2).

PPTP (Point to Point Tunneling Protocol)

A system used by the NSA to wiretap external data coming into the US

PRISM

Monitors all systems, devices, traffic, and applications of IT infrastructure using various technologies such as SNMP, WMI, SSH, and others

PRTG Network Monitor

Helps to control and manage remote systems from CLI using multiple commands

PSTools Suite

Maps an IP to a hostname (Reverse record) in DNS

PTR (Pointer)

HTTP request method that requests data to be stored at the URL

PUT

Geared toward software development because it provides a development platform that allows subscribers to develop applications without building the infrastructure it would normally take to develop and launch software

PaaS

An application that uses a GUI approach to packet crafting.

PackETH

Programs that can deliver malware; obscure the actual program code because the only executable function is one designed to extract and decompress the real malware

Packers

The area at the bottom of Wireshark display that contains hexadecimal characters.

Packet Bytes Pane

Firewall that only looks at the headers; makes determination about disposition of packets based on protocol, ports, and addresses.

Packet-filtering

Used to create encrypted packets that can subsequently be used for injection

Packetforge-ng

A web server attack that manipulates parameters with URL to achieve escalation or other changes

Parameter Tampering (URL Tampering)

A network policy that locks everything down.

Paranoid

By default, Snort IDS rules are evaluated in this order

Pass, Drop, Alert, Log

Windows password recovery tool

Passware Kit Forensic

Kismet, L0phtCrack, Nmap, Ngrep, Snort, Tcpdump, and Wireshark all use what as their packet capture library

Pcap

The packet capture library/drive used by virtually every sniffing and scanning tool on Windows

Pcap

A search application that allows one to search for people by name or username.

PeekYou

Network policy that blocks only known dangerous sites/objects.

Permissive

Redirects victims by modifying the host configuration or DNS

Pharming

A DoS attack that causes permanent damage to a system; also called bricking a system

Phlashing

Good for spyware on a Blackberry

PhoneSnoop

An attack that uses fragmented ICMP messages to disable a target host when the messages are reassembled

Ping of Death

A suite of network troubleshooting utilities packaged in an intuitive, easy to use user interface. It can continuously ping multiple hosts at the same time, perform forward & reverse DNS lookups as well as traceroute automatically. Results can be logged to disk or copied to the clipboard.

Pinkie

Type of IDS evasion technique which hides commonly used strings with a simple technique like XOR, so that the payload bypasses signature-based IDSes looking for them. The payload also includes a stub that decodes and executes the hidden shellcode differently each time. Is often used to hide NOP sleds/slides used by buffer overflow attacks.

Polymorphic Shellcode

Translates multiple private IP addresses to a single public IP address; this is also referred to as Network Address Translation (NAT) overload

Port Address Translation (PAT)

Allows traffic from a specific MAC address to enter a port

Port Security

Controls used to stop potential attacks by preventing users from performing specific actions.

Preventive

TCP Port 515

Printer Listening Service

Hosts internal hosts that only respond to requests from within that zone

Private Zone

An attacker who exploits a flaw in an application to bypass the security of the application has performed what?

Privilege Escalation Attack

A wide open network policy.

Promiscuous

A set of security requirements and objectives for the type of product to be tested

Protection Profile (PP)

It is primarily used to hide the source of a network connection. It terminates the connection with the source device and initiates a new connection with the destination device, thereby hiding the true source of the traffic. When the reply comes from the destination, it forwards the reply to the original source device.

Proxy Firewall

Proxy server that displays data passing through it in real time and allows drilling into particular TCP/IP connections, view their history, save data to file, and view socket connection diagram.

Proxy Workbench

Application to help set proxy on Android devices

ProxyDroid

Allows one to surf the Internet anonymously without disclosing IP address. Helps access various blocked sites in organization.

ProxySwitcher

A network policy that blocks most sites and only allows things for business purposes.

Prudent

Lightweight telnet replacement that can execute processes on other systems, complete with full interactivity for console apps, without having to manually install client software

PsFile

CLI tool that gathers key information about local/remote legacy WinNT/2000 systems including type of installation, kernel build, registered organization and owner, number of processors and type, amount of physical memory, installation date of system, and expiration date

PsInfo

Kill utility that can kill processes on remote systems and terminate processes on local computer

PsKill

CLI tool that displays information about process, CPU, and memory information of thread statistics

PsList

Clone of elogdump except that it can log into remote systems in situations where user's security credentials would not permit access to event log and retrieves message strings from computer on which event log resides

PsLogList

Applet that displays both locally logged on users and users logged on via resources for either local/remote computer

PsLoggedOn

Can change account password on local/remote systems, enabling administrators to create batch files that run against computers they manage in order to perform mass change of administrator password

PsPasswd

Can shutdown/reboot local/remote computers

PsShutdown

An anonymizer like Proxify and Tor

Psiphon

Circumvention tool that utilizes VPN, SSH, and HTTP proxy technology to provide open and uncensored access to Internet content; does not increase online privacy and is not an online security tool

Psiphon

Employee with all rights and access associated with being an employee

Pure Insider

Doubles the data rate of BPSK but requires slightly more complex transmitters and receivers. It is used for code division multiple access (CDMA) cellular networks and for 802.11b wireless networks; DBPSK is used for basic-rate 802.11b.

QPSK

Allows organizations to proactively scan their websites for malware, providing automated alerts and in-depth reporting to enable prompt identification and resolution

Qualys Guard Malware Detection Service

A cloud service that gives you instantaneous, global visibility to where your IT systems might be vulnerable to the latest Internet threats and how to protect against them.

Qualys Vulnerability Management

Starves a webserver by keeping sessions open as long as possible. It does this by sending an HTTPS POST request that tells the webserver that a long packet is coming. It then sends the data one byte at a time at 10-s intervals. The connection to the webserver will remain open while the data is being received. It will create several of these slow POST requests, thereby consuming all of a webserver's available connections, leaving none for legitimate users.

R-U-Dead-Yet (RUDY)

Syskey utilizes this form of encryption

RC4

Symmetric Encryption Algorithm; block cipher; variable key length up to 2040 bits; latest version uses 128 bit blocks and 4 bit working registers

RC6

Defines recipients in SMTP

RCPT TO

A binary value in the registry system

REG_BINARY

A 32-bit unsigned integer in the registry system

REG_DWORD

Expandable string value in registry system

REG_EXPAND_SZ

A symbolic link to another key in the registry system

REG_LINK

Character string in a registry

REG_SZ

IANA group responsible for Europe and the Middle East

RIPE

Hash Algorithm; works through 80 stages, executing 5 blocks 16 times each; uses modulo 32 addition

RIPEMD-#

TCP Port 514

RLogin Access

TCP port 135

RPC

TCP/UDP port 135. A protocol that works on the Application layer and is used to share files, serial ports, printers, and communications devices, including mail slots and named pipes, between computers.

RPC

Asymmetric Encryption Algorithm; achieves strong encryption through the use of two large prime numbers; factoring these creates key sizes up to 4096 bits; modern de facto standard

RSA

Specifically vulnerable to chosen-cipher-text attacks because it uses a public key to encrypt and a private key to decrypt, so an attacker could use the public key to encrypt tons of things for analysis

RSA

Involves injecting an authentic-looking RST packet using spoofed source address and predicting the ACK number. Hacker can reset the victim's connection if it uses an accurate ACK number.

RST Hijacking

Uses APIs to collect information about the target system

Recon-Dog

Built as a web reconnaissance framework with independent modules, database interaction, built-in convenience functions, interactive help, and command completion that provides an environment in which open source web-based reconnaissance can be conducted.

Recon-ng

1st Hacking phase: Attacker gathers information about targets.

Reconnaissance

Gathering evidence about targets

Reconnaissance (Phase 1 of Hacking)

Cain can crack a variety of passwords, as well as perform these tasks

Record and extract VoIP conversations; capture and decrypt RDP traffic; collect server certificates and prepare them for a MitM attack; poison ARP tables; start, stop, pause, continue, and remove Windows services; calculate RSA SecurID tokens; remotely manipulate Windows registry parameters; detect 802.11 wireless LANs (WLANs); reveal passwords in text boxes; and enumerate network devices and extract Security Identifiers (SIDs).

Entity responsible for receiving the subject's request and verifying the subject's identity in PKI.

Registration Authority (RA)

Remotely installs applications, executes programs/scripts and updates files/folders on Windows systems throughout network. Allows attacker to modify registry, change local admin passwords, disable local accounts, and copy/update/delete files

RemoteExec

The best way to increase security on a webserver

Remove Internet Services Application Programming Interface (ISAPI) filters

Provides a secure and automated solution for performing authenticated scans with continuously rotating privileged credentials.

Retina CS

Attempts to hide traces of unauthorized access by modifying drivers or kernel modules and discarding active processes. Replace certain OS calls and utilities with own modified versions that in turn undermine security of target system by executing malicious functions. The functions GetFileAttributesEx( ) and GetFileInformationByHandle( ) are used for these purposes

Rootkits

Hash Algorithm; developed by NSA; 160 bit value output

SHA-1

Takes a message of arbitrary length and produces a 160-bit hash value output

SHA-1

Hash Algorithm; four separate hash functions; produce outputs of 224, 256, 384 and 512 bits; not widely used

SHA-2

Hash Algorithm; uses sponge construction

SHA-3

The Windows implementation of RPC. TCP port 445.

SMB

When an organization implements this, it protects against an attacker using a sniffer to capture SMB password hashes and then using those hashes for offline cracking

SMB Signing

TCP port 25

SMTP

Enumerates OS level user accounts on Solaris via SMTP service

SMTP-user-enum

UDP port 161, 162

SNMP

Gets information about the system in SNMP

SNMP GET

Sets information about the system in SNMP

SNMP SET

Identifies SNMP-enabled devices on a network.

SNScan

Indicates the authoritative NS for a namespace in DNS

SOA (Start of Authority)

Web application attack in which the attacker injects query strings in order to bypass authentication

SOAP Injection

Considered to be the little brother of THOR. Like THOR, this is an APT scanner that checks for the presence of hacking tools and attacker activity. It also requires no installation. However, it consists of only nine modules, whereas THOR consists of 26. In addition, it can run on Windows, Linux, and Mac OS. It is written in Go.

SPARK

SQL Injector, SQL Ninja, Havij, Pangolin, Absinthe

SQL Injection Tools

Points to a specific service in DNS records

SRV (Service)

TCP port 22

SSH

Operates above the transport layer. It is not protected against CBC attacks. Encrypts the entire communication channel, not each message independently.

SSL

Application developed to grab messages and strip the encryption from them.

SSLStrip

Takes advantage of a 3-way handshake. A SYN message alone will consume a connection buffer at the OS

SYN Flood Attack

UDP port 514

SYSLOG

Used to find security vulnerabilities in a website or a web server. Can generate comprehensive test reports and also can assist in fixing security problems that might exist in company's website or web server

ScanMyServer

Obtaining more in-depth information about targets

Scanning & Enumeration (Phase 2 of Hacking)

Check for live systems; check for open ports; scan beyond IDS; perform banner grabbing; scan for vulnerabilities; draw network diagrams; prepare proxies

Scanning Methodology

1. Perform host discovery 2. Perform port scanning 3. Scan beyond IDS and firewall 4. Perform banner grabbing and OS fingerprinting 5. Draw network diagrams 6. Document all the findings

Scanning and Enumeration steps

Specifically looks for Windows authentication traffic on the wire and has a password cracker

ScoopLM

Typically requires an interpreter

Scripting Language

Perl, Python, Ruby

Scripting Languages

This role is responsible for developing and providing appropriate training programs on the risk management process and IT security awareness in the organization. They will be SMEs and validate that proper content is included in the program.

Security Awareness Trainers

The documentation for a system or product that is to be tested

Security Target (ST)

Designed for checking lists of HTTPS and SOCKS proxies for "honeypots"

Send-Safe Honeypot Hunter

This role's involvement is required for effective risk management. Responsible for supervising risk management plans carried out in the organization and for developing the policies and techniques required to handle commonly occurring risks. Through their expertise they can design the steps required for handling future risk.

Senior Management

An IDS technique that helps to mitigate session splicing attacks by reassembling the smaller packets before performing expression matching.

Session Reconstruction

The process of delivering pieces of payload by using multiple packets

Session Splicing

High-performance cross-platform secured SOCKS5 proxy

Shadowsocks

The process of analyzing suspect files for viruses and other malware

Sheep Dipping

A Linux vulnerability that allows an attacker to cause vulnerable versions of Bash to execute arbitrary commands.

Shellshock (Bashdoor) Attack

Website used to look for IoT devices; query language is similar to Google with additional keywords that can be used to identify network traffic and may include part numbers.

Shodan

These IDSs have a low false positive rate because they search network traffic for specific strings of text to determine whether the traffic is malicious in nature

Signature-matching

A platform-independent XML-based communication protocol used to provide a way to communicate between applications running on different OSs with different technologies and programming languages. Generally runs over HTTP (or the Internet).

Simple Object Access Protocol (SOAP)

Used to determine the location of known Wi-Fi access points based on a worldwide database, not to discover nearby Wi-Fi networks and devices. Uses the Wi-Fi Positioning System (WPS) and GPS to locate positioning of devices within 10 to 20 meters.

Skyhook

Tries to download a file in very small increments to keep a web server from serving legitimate requests

Slow Read Attack

Sends incomplete requests to a server

Slowloris Attack

Attack that sends a large number of pings to the broadcast address of the subnet with source IP spoofed as the target; entire subnet responds exhausting the target

Smurf Attack

Disabling the directed broadcast feature on a router will limit the damage and prevent this attack completely.

Smurf Attack

Includes sniffer, packet logger, and network IDS modes. An open-source NIDS that can analyze network traffic in real-time.

Snort

A searchable information resource for people wishing to learn more about the psychological, physical and historical aspects of social engineering.

Social Engineering Framework (SEF)

An open-source Python penetration testing framework designed for social engineering by Dave Kennedy

Social-Engineer Toolkit (SET)

Works with Active Directory, Novell Directory Services, Netscape/iPlanet and provides a wide variety of features essential for LDAP development, deployment, and administration of directories

Softerra LDP Admin

A collection of 60-plus tools that let you discover, configure, monitor, and troubleshoot your network.

SolarWinds Engineer's Toolset

Switch configuration that makes the switch send a copy of all frames from other ports to a specific port. Not all switches have this ability, and some modern switches do not allow the mirror port to send data, only to listen.

Span Port OR Port Mirroring

Layer 2 protocol that prevents switching loops by killing connecting ports along the way

Spanning Tree Protocol

Viruses that only fire when a specific condition is met.

Sparse Infector

Simulates a complete system and provides an appealing target to lure hackers away from production systems. Offers typical Internet services such as SMTP, FTP, POP3, HTTP, and Telnet which appear perfectly normal to attacker

Specter

Tricks the processor's speculative execution (which predicts upcoming instructions to complete execution faster) into leaking data. Allows an attacker to read information that they normally would not have access to

Spectre Vulnerability

Performs multiple attacks on a server, including UDP floods, ICMP floods, TCP SYN floods, and Smurf attacks. It combines the features of Trinoo with the features of Tribe Flood Network (TFN) and adds encryption.

Stacheldraht

Source Host, Contact Email, Serial Number, Refresh Time, Expire Time, TTL

Start of Authority (SOA) fields

Based on a finite state machine; at any point, machine is either at a single state or in a transition between two states

State Machine

Firewall that tracks the entire status of a connection; keeps track of the state of messages, so decisions are based on ports, addresses, and state of connection

Stateful Inspection

one-to-one address mapping in NAT

Static NAT

Analyzer for wired and wireless networks that captures terabytes of packet data. Traversing them is the first step for complete real-time and back-in-time analysis

Steel Central Packet Analyzer

1. Perform a Risk Assessment 2. Collect standard guidelines to use as guides 3. Include senior management in the policy development 4. Set clear penalties and enforce them 5. Make the final version of the policies available to the staff 6. Ensure every staff member reads, signs, and understands the policies. 7. Deploy tools to enforce the policies 8. Train and educate users about the policies 9. Review and update the policies on a regular basis

Steps for creating security policies

1. Prepare for incident handling and response 2. Detect and analyze 3. Classify and prioritize 4. Notify 5. Contain 6. Investigate 7. Eradicate and recover 8. Perform post-incident activities

Steps in the Incident Management Process

http://www.verigon.com/script.ext?template=%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64 %0D%70%61%73%73%77%64 = passwd

Strange Unicode Request

Small executable that unpacks or decrypts the real program

Stub

The first address of a subnet

Subnet or Network address

Application designed for rooting an Android device

SuperOneClick

A free connect-based port scanning software designed to detect open TCP and UDP ports on a target computer, determine which services are running on those ports, and run queries such as whois, ping, ICMP traceroute, and Hostname lookups.

Superscan

Used to obfuscate binary code in an executable so that it is undetectable by anti-virus software. A full undetectable crypter that can also bind other files and spoof extensions.

SwayzCryptor

Tries to update information regarding a specific port in a race condition

Switch Port Stealing

Uses multiple forged identities to create the illusion of traffic in IoT

Sybil Attack

Automates web application security testing and guards organization's web infrastructure against web application security threats.

Syhunt Hybrid Web Application Security Scanner

Examines and updates service packages and patches available on critical systems. Examines backups for critical systems and inspects systems for logs for unusual activity.

System Administrator

Can be used to diagnose problems with the startup process on a computer.

System Configuration Utility (MSCONFIG)

This role mainly monitors plans and policies developed for IS. Responsible for appropriate security controls used to maintain confidentiality, integrity, and availability for IS

System and Information Owners

hping2 uses this to send packets by default

TCP

Packet capture program native to Linux that primarily displays layer 3 information.

TCP Dump

Source and Destination Ports, Sequence Number, Acknowledgement Number, Data Offset, Reserved, Control Bits, Window, Checksum, Urgent Pointer, Options

TCP Header Fields

Denial of Service attacks that go after load balancers, firewalls, and application servers by attempting to consume their connection state tables.

TCP State-Exhaustion Attacks

What TTL fields are most often analyzed during passive OS fingerprinting

TCP window sizes, DF flags, ToS fields

Attacker intercepts an established connection between two communicating parties using spoofed packets and then pretends to be one of them

TCP/IP Hijacking

A host-based tool that displays TCP and UDP connections between the host and destination devices on Windows (Netstat can be used for Windows, Linux, and Unix). Information displayed by TCPView includes the process ID, protocol, local and remote address, local and remote port, connection state, number of sent and received packets, and number of sent and received bytes for each connection. Devices can be displayed by host name or by IP address. It updates every second by default, but can be set to 1s, 2s, 5s, or Paused.

TCPView

A well-known sniffer and packet analyzer for Linux

TCPdump

UDP port 69

TFTP

A password cracking tool which utilizes a dictionary attack method.

THC Hydra

A full-featured APT scanner. Rather than focus on detecting malware, it detects hacking tools and attacker activity. Results are displayed by color-coded CLI output and can be output to ASCII, HTML, or Syslog. It can be run only on Windows; however, it does not require installation and does not require the .NET framework. It is written in Python

THOR

HTTP request method that requests application layer loopback of message

TRACE

The command line interface of Wireshark.

TShark

A live operating system that a user can start on any computer from a DVD, USB, or SD card

Tails

Allows you to change the MAC address of your NIC instantly. Has a very simple user interface and provides ample information regarding each NIC in the machine

Technitium MAC Address Changer

An Internet tool for Windows that will allow you to perform different browsing functions, compile data, and view the structure of the website of your choosing.

Teleport Pro

TCP port 23

Telnet

The command in telnet for banner grabbing

Telnet <IPAddress> 80

In Wireshark display, the area between the packet list pane and the packet bytes pane

The Packet Details Pane

The main area in the Wireshark display.

The Packet List Pane

This character is used to denote a character string in SQL commands

The single quote (')

getElementById( ) and getElementsByTagName( )

The two primary object methods used in JavaScript for XSS defacement attacks.

A risk equation component that is best described as the frequency, or rate, of a potential negative event

Threat

In blind-based SQL injection, an attacker will insert a delay that occurs in response to a true or false query. If the delay occurs, an attacker can determine the result of the query. For example, an attacker can query whether a table named CARDNUMBERS exists and, if so, perform a 10-second delay. If the delay occurs, the table exists.

Time-Based

In-line threat protection that defends critical data and applications without affecting performance and productivity. Contains over 8700 security filters written to address 0-day and known vulnerabilities. Consists of both inbound/outbound traffic inspection, as well as applied security capabilities

TippingPoint

Creates a virtual tunnel interface to monitor encrypted traffic and inject arbitrary traffic into a network

Tkjection-ng

This tool counts up the TTL as each hop out is made

Traceroute

Enables security professionals to audit and validate the behavior of security devices by generating standard application traffic or attack traffic between two virtual machines. Can be used to assess, audit, and test the behavioral characteristics of any non-proxy packet filtering device

Traffic IQ Professional

Uses a single organization to manage the authentication and verification process for each company that is participating in the model.

Trusted Third-Party Model

AH provides authentication and integrity but not encryption in this mode for the encapsulated packet

Tunnel Mode

Symmetric Encryption Algorithm; block cipher; up to 256 bit key

Twofish

Protocol Unreachable

Type 3 Code 2

Port Unreachable

Type 3 Code 3

Destination and Source Ports, Checksum, Length

UDP Header Fields

Hijacker forges server reply to client UDP request before server can respond

UDP Hijacking

Sends out a message; closed ports should generate an ICMP port unreachable message and open ports may respond with something or just not at all

UDP Scanning

The resource type that is used to display user information

UINFO

Silently copies the files and folders from a USB when it is connected to the system

USB Dumper

A sniffer for Windows

USB Snoopy

A network sniffer, designed for capture and analysis of the packets going through the network. Using the packet driver, it requests all the packets from the network card driver (even the packets not addressed to this computer).

Ufasoft

Addressed and intended for one host interface

Unicast

In a blind-based SQL injection attack, an attacker uses the UNION command to join multiple SELECT queries, thereby revealing database information to the attacker.

Union-Based

In a host-protected area (HPA) would indicate that hidden data probably exists on a computer.

User-created data

Validates user in SMTP

VRFY

A third-party component that verifies or validates the certificates of entities when presented to the third party

Validation Authority (VA)

Connects to the port and issues correct protocol commands to get the application banner back

Version Scanning

Used to discover a nearby Wi-Fi network, but also supports GPS and live Google Earth tracking to help in GPS mapping

Vistumbler

Bandwidth attacks; consume all bandwidth for the system or service

Volumetric Attacks

A risk equation component that is best described as the likelihood that a threat against a company will be successful

Vulnerability

PTW, FMS, and Korek are valid options in aircrack-ng against what wireless encryption only.

WEP

Wireless Encryption that uses RC4

WEP

IIS server resource kit tool that allows attacker to fully customize an HTTP request and send it to a web server to see the raw HTTP request and response data. Allows attacker to test performance of websites that contain new elements such as active server pages (ASP) or wireless protocols

WFETCH

Lets you perform a domain search, IP lookup and search the database for relevant information on domain registry and availability

WHOis

Allows you to find all the devices connected to a network giving data such as IP, manufacturer, device name, and MAC address. Also allows saving a list of known devices with custom name and finds intruders in a short period

WIFi Inspector

Consolidates location and information of wireless networks worldwide to a central database and provides user-friendly Java, Windows, and web applications that can map, query, and update the database via the web. Creates a map for wireless networks

WIGLE

The resource type that is used to display information about a well-known service defined for the host on the DNS server

WKS

Wireless encryption using TKIP with a 128-bit key that it transfers back and forth during an EAP; changes the key every 10,000 packets

WPA

Wireless encryption that uses AES for encryption and can tie to an EAP or RADIUS server in Enterprise mode or uses a pre-shared key in Personal mode

WPA2

The purpose of this web services specification is to advertise security, Quality of Service (QoS), and other policies for web services. Web services and web service consumers can indicate the security tokens they require, the encryption methods they support, and the privacy rules that must be enforced during a communication session.

WS-Policy

The purpose of this web services specification is to create security contexts for faster message exchanges. It establishes a session key that is used for the duration of the web connection. Using it is faster than using WS-Security; in fact, messages are processed twice as fast.

WS-SecureConversation

The purpose of this web services specification is to provide integrity, encryption, and authentication for SOAP messages, which uses XML format. After a sender is identified, a security token is attached to the sender's messages. It can be used with many security token models, including X.509, Kerberos, and Security Assertion Markup Language (SAML)

WS-Security

The purpose of this web services specification is to create security tokens and to broker trust relationships between messaging participants. Windows Communication Foundation (WCF), Windows Identity Framework (WIF), and Web Services Interoperability Technology (WSIT) implement this.

WS-Trust

An extension for Chrome that can be used to identify technologies used in a web site. Used HTTP headers in the past, but does not identify the header.

Wappalyzer

Plugin for Fiddler HTTP proxy that passively audits web application to find security bugs and compliance issues automatically

Watcher Web Security Tool

A web server attack that replaces the cache on a box with a malicious version of it

Web Cache Poisoning

A tool that obtains information from the website such as pages, etc.

Web Spiders

A deliberately insecure application that allows developers to test vulnerabilities commonly found in Java-based applications that use common and popular open-source components. Maintained by OWASP.

WebGOAT

Framework for analyzing applications that communicate using HTTP and HTTPS protocols. Allows attackers to review and modify requests created by browser before they are sent to the server and to review and modify responses to the network from the server before they are received by the browser

WebScarab

An application that allows you to automatically download any file from a website. The program acts as an engine spider that crawls throughout the entire website with the objective of showing you all the multimedia files that you are interested in

Webripper

Incorporates a number of techniques to seamlessly obtain a WEP key in minutes

Wesside-ng

A computer program that retrieves content from web servers. It is part of the GNU Project. It supports downloading via HTTP, HTTPS, and FTP. Its features include recursive download, conversion of links for offline viewing of local HTML, and support for proxies.

Wget

A web based tool used to inquire about domains, IP addresses, block the IP address belongs to, the owner of the block, and technical contact.

Whois

Desktop OS designed for advanced security and privacy. Mitigates the threat of common attack vectors while maintaining usability. Online anonymity is realized via fail-safe, automatic, and desktop-wide use of the Tor network.

Whonix

802.11 network discovery tool designed for mobile platforms, Android in particular. Collects information about nearby wireless access points and displays the data in useful ways.

WiFi Explorer

Helps find security leaks in WiFi network internet connection. Allows detection of intruder accessing network, WiFi, Internet connection without consent

WiFi Intruder Detector

A program that can scan, attack, detect, and protect computers on the local area network. Includes the ability to do an ARP flood attack among other tools.

WinArpAttacker

Nessus drop-down options from the Credentials tab include these

Windows Credentials; SSH Settings; Kerberos Configuration; Cleartext Protocol Settings

These do not respond to ICMP Echo Request messages that are directed to a network address or a broadcast address

Windows OS's

A compatibility layer for running Windows applications on Linux, Mac OSX, and BSD platforms. Converts Windows API calls into similar methods provided by the native system API.

Wine

A common tool used to discover a nearby Wi-Fi network or device by detecting wireless signals, channels, and access points similar to NetStumbler.

WirelessMon

A GUI based application that captures and analyzes network packets.

Wireshark

This attack involves altering SOAP messages and replaying them as legitimate.

Wrapping Attack

An integrated development environment (IDE) for developing iOS mobile apps with the Objective-C language. Includes an iOS simulator for iPlatforms.

XCode

Open ports will not reply so you get filtered/open response; closed ports will respond with RST. Works only on Linux boxes

XMAS scan

Best described as programming code that can be used to harvest cookies stored on a user's computer

XSS

What type of attack is best mitigated by setting the HttpOnly flag in cookies

XSS

A network security/hacking tool for Unix-like operating systems, designed to take advantage of some weakness in different network protocols.

Yersinia

GUI overlay for nmap.

Zenmap

Malware designed to capture the phone itself, thus giving the attacker access to credentials and second authentication factors (sent via text).

ZitMO (Zeus-in-the-Mobile)

In DNS, the act of copying a primary name server's zone file to the secondary name server to ensure that both contain the same information.

Zone Transfer

A personal firewall

ZoneAlarm

This metacharacter in the regular expression configures grep to match only the beginning of a line

^

Linux command to add a user to the system

adduser

The object methods in JavaScript used to perform large-scale modifications at the node level of the document. Creates new document sections or rearranges existing content based on content retrieved from another web page.

adoptNode( ), importNode( ), renameNode( )

Captures WPA/WPA2 handshake and can act as an ad-hoc access point

airbase-ng

Decrypts WEP/WPA/WPA2 and can be used to strip wireless headers from WiFi packets

airdecap-ng

Provides status information about the wireless drivers on your system

airdriver-ng

Program used for targeted, rule-based deauthentication of users

airdrop-ng

Command in aircrack-ng to run a deauthentication attack. Format: -0 [#] -a [MAC address of BSSID] -c [MAC address of station]

aireplay-ng

An application that works on Linux distributions and can be used for several types of wireless attacks.

airgeddon

Creates client to access point relationship and common probe graph from airodump file

airgraph-ng

Command in aircrack-ng to create a monitor interface from a wireless interface, allowing it to sniff Wi-Fi traffic.

airmon-ng

Command in aircrack-ng to sniff BSSIDs and other information on wireless networks.

airodump-ng

Stores and manages ESSID and password lists used in WPA/WPA2 cracking

airolib-ng

Allows multiple programs to independently use a WiFi card via a client server TCP connection

airserv-ng

Injects frames into a WPA TKIP network with quality of service and can recover the MIC key and keystream from WiFi traffic

airtun-ng

Written by Dug Song. Used to inject ourselves between two systems on the network.

arpspoof

Designates the connection in arpspoof

arpspoof -c

Indicates reverse connections should be collected as well in arpspoof

arpspoof -r

Designates the target address in arpspoof

arpspoof -t

This file contains system authorization information as well as a list of user logins and the authentication mechanism that was used by each login. Read with any standard text editor

auth.log

Uses bluetooth to gain access to a phone in order to place a phone call - once the phone call is placed, the attacker has a remote listening device through the phone.

bluebugging

This file contains a list of failed login attempts on a Linux computer. You can read the file by issuing the lastb or last -f commands

btmp

A Windows command-line tool that can be used to assign, display or modify access control lists to files or folders. It cannot be used to take ownership of a file.

cacls.exe

Linux command to display the contents of a file

cat

Linux command to change the permissions of a folder or file

chmod

Look-up database for default passwords, credentials and ports

cirt.net

The meterpreter shell command to clear log files

clearev

Which file do you bind to an executable file using a wrapper tool to create a trojan?

compilation file (.exe)

C++, Java, and Visual Basic are this type of language

compiled

Linux command to make copies

cp

A set of password sniffing and network traffic analysis tools written by security researcher and startup founder Dug Song to parse different application protocols and extract relevant information.

dSniff

A layer 4 - 7 UDP message

datagram

This aircrack-ng option is used when working to break the encryption keys in WPA and WPA2

dictionary list

A tool for interrogating DNS name servers; performs DNS lookup and displays the answers returned from the name server on Linux.

dig

Software based WAF that protects website from malicious attacks

dotDefender

A tool that makes use of other, underlying tools to scan systems that have implemented SMB; can be used to enumerate shares or users

enum4linux

Specifies a physical address with ARP.

eth_addr

Utility for dumping passwords on NT/2000/XP/2003/Vista

fgdump

A C library function that performs bounds checking on its input. Bounds checking is a methodology used to verify that input from a data stream does not exceed the size of an available buffer; C and C++ are particularly vulnerable to buffer overflow attacks.

fgets() function

A Linux enumeration command that gives information on user and host machine

finger

An application designed to send ICMP requests to multiple systems; the parameters are a, e, and g for alive, elapsed time, and generate a list of targets from an address block respectively.

fping

A layer 1 message

frame

An open-source C++ compiler used to take source code files and generate runnable executables

g++

Method in JavaScript that retrieves an element based on its identifier.

getElementByID( )

JavaScript method to retrieve an array of element nodes based on the tag name.

getElementsByTagName( )

A tool that is primarily a packet crafting program allowing an attacker to initiate connections using different protocols with the header settings they want.

hping3

hping3 command to insert a file into packet's data

hping3 --file

Command in hping3 that sends packets as fast as possible without showing incoming replies.

hping3 --flood

Sets UDP mode in hping3.

hping3 -2

Sets the system to listen mode in hping3. Expects a signature (e.g. HTTP) and interface (-I eth0).

hping3 -9

Sets the ACK flag in hping3 command.

hping3 -A

Command to set the FIN flag in hping3

hping3 -F

Sets ICMP mode for hping3.

hping3 -I

Command to set the PUSH flag in hping3.

hping3 -P

Command to collect sequence numbers generated by the host in hping3.

hping3 -Q

Sets the RST flag in hping3.

hping3 -R

Command to set the SYN flag in hping3

hping3 -S

Sets the URG flag in an hping3 scan.

hping3 -U

Sets the hostname in hping3 (spoof command)

hping3 -a

Command to set the data-size packet body size in hping3

hping3 -d

Sets the scan mode in hping3. Command expects a port range without the -p flag.

hping3 -i

Sets the port number in hping3.

hping3 -p

Tool for advanced web server fingerprinting. Performs banner-grabbing attacks, status code enumeration, and header ordering analysis on target web server

httprecon

If present, this specifies the internet address of the interface whose address translation table should be modified in ARP. If not present, the first applicable interface will be used.

if_addr

Linux command to display network configuration information

ifconfig

A replacement for NetStumbler that supports Apple OS X, in addition to Microsoft Windows and often used in wardriving attacks, verifying network connections and detecting coverage issues.

inSSIDer

WiFi optimization and troubleshooting tool. Scans for wireless networks with your WiFi adapter, so you can visualize their signal strength and what channels they are using. Lists a lot of useful information about each network

inSSIDer Office

Specifies an internet address in ARP

inet_addr

Linux firewall for Linux kernel v2.2.x. Added the ability to filter packet fragments.

ipchains

This command configures IP masquerading

ipchains -A forward -s 192.168.51.0/24 -d 0/0 -j MASQ

The first version of the Linux kernel firewall used to control packet filtering or firewall capabilities in versions 1.2.x and 2.0.x

ipfwadm

Linux commands that are all capable of configuring IP masquerading on a Linux-based firewall. All of these commands are also capable of denying traffic from unknown hosts and the configuration of static NAT.

ipfwadm, ipchains, iptables

The latest version of the Linux kernel firewall. Required for kernel 2.4.x and above.

iptables

Linux command to kill a running process

kill

A Perl module that supports IDS evasion techniques, such as session splicing

libwhisker

Linux command to display the contents of a folder

ls

nslookup command that lists aliases of computers in the DNS domain

ls -a OR ls -t CNAME

nslookup command that lists all records for the specified DNS domain by initiating a zone transfer

ls -d OR ls -t ANY

nslookup command that lists CPU and OS information for the DNS domain

ls -h OR ls -t HINFO

nslookup command that lists well-known services of computers in the DNS domain

ls -s OR ls -t WKS

A member of the Dsniff suite toolset and mainly used to flood the switch on a local network with random MAC addresses.

macof

Linux command to display the manual page for a command

man

A metasploit framework that allows the tester to encode the payload. In other words, you can change the way it appears to an AV system.

msfencode

Program that takes the payload (windows/meterpreter/reverse_tcp), which sends a connection back to a meterpreter shell at the specified IP address

msfvenom

A Windows utility that is used to view and manage NetBIOS cache information.

nbtstat

Gives your own information from NetBIOS

nbtstat

Gives remote information on a specific IP address in NetBIOS

nbtstat -A IPADDRESS

Gives cache information in NetBIOS

nbtstat -c

Gives the local table in NetBIOS

nbtstat -n

The correct syntax on Windows for using Netcat to leave a command shell open on port 8080

nc -L 56 -t -e cmd.exe

Initiates an outbound connection to an IP on the destination TCP port

nc [IP] [port #]

With this command you can manage user accounts by issuing the user command. You can start a service by issuing the start command, stop a service by issuing the stop command, pause a service by issuing the pause command, and continue a service by issuing the continue command. Printer queues can be managed by issuing the print command. You can manage shared resources by issuing the share command. You can connect to a remote resource by issuing the use command.

net command

Displays port connections in numerical form.

netstat -an

Displays executables tied to the open port (admin only)

netstat -b

De facto port scanner that can perform UDP and TCP scans. It will detect OS types, applications running and their versions, and supports running scripts written in Lua.

nmap

Scans hosts in a random order instead of in numerical (IP) order.

nmap --randomize-hosts

Command to run a script using nmap.

nmap --script -[script name]

Command to perform OS detection, version detection, script scanning and traceroute in nmap.

nmap -A

Command to do an OS scan using TCP in nmap (default scan)

nmap -O

Command to perform an ICMP ping in nmap.

nmap -PI

Command to perform SYN ping in nmap

nmap -PS

Command to perform a TCP ping with nmap.

nmap -PT

Command to perform a no ping scan in nmap.

nmap -Po

Command for normal output in nmap.

nmap -oN

Command for XML output in nmap.

nmap -oX

Command in nmap to conduct an ACK flag probe. If the TTL of the RST packet is < 64 then the port is open; if there is no response, then a stateful firewall is in place.

nmap -sA

Nmap command that activates the Nmap Scripting Engine, which allows Nmap users to create and share Lua scripts to automate many tasks associated with network discovery and vulnerability detection and exploitation.

nmap -sC

Command to perform a FIN scan in nmap. No response means an open port; RST/ACK response means a closed port.

nmap -sF

Performs an IDLE scan in nmap. If the return IPID is an increase of 1, then the port is closed; if it is an increase of 2, then the port is open. Anything else means the third party on the port is not idle.

nmap -sI

Command to perform a DNS (list) scan in nmap.

nmap -sL

Performs a null scan in nmap. If the port is open there is no response. If the port is closed a RST/ACK response is received.

nmap -sN

Command to perform an IP Protocol Scan / Open Port Scan in nmap. (Timing options can avoid detection by an IDS)

nmap -sO

Command to perform a ping scan in nmap.

nmap -sP

Command to perform a RPC scan in nmap.

nmap -sR

SYN (half-open) stealth scan in nmap

nmap -sS

Command to perform a TCP (full) connect scan in nmap.

nmap -sT

Command to perform a UDP scan in nmap.

nmap -sU

Command to perform a version scan in nmap

nmap -sV

Command to perform the Windows version of ACK scan in nmap. If the window on the RST packet received is not equal to 0 then the port is open; if there is no response, a stateful firewall is in place.

nmap -sW

Command to perform a XMAS scan with nmap. Does not work against Windows machines. No response means an open port; RST/ACK response means a closed port.

nmap -sX

Used to query WINS to lookup names where the systems are just broadcasting their information

nmblookup

Linux command to keep a process running even after exiting the shell

nohup

Best option for DNS cache snooping

nslookup -norecursive

Object methods in JavaScript used to completely replace the current web page's content.

open( ) and write( )

Launches an OpenSSL SSL/TLS client

openssl s_client

Creates an SSL/TLS server

openssl s_server

Verifies the version of OpenSSL

openssl version

Uses rainbow tables on different OS's

ophcrack

A passive TCP/IP stack fingerprinting tool. It can attempt to identify the system running on machines that send network traffic to the box it is running on or to a machine that shares a medium with the machine it is running on.

p0f

A layer 3 message

packet

Linux command to change the password

passwd

Linux command capable of evading IDSs or other security measures by obfuscating the true source IP address of network traffic. It can be configured to tunnel TCP or UDP traffic to a destination by way of one or more proxy servers

proxychains

Linux command for process status. -ef option will show all processes

ps

Linux command to display the current directory

pwd

Dumps password hashes from NT's SAM database

pwdump7

Abel has these features

remote console; remote Local Security Authority (LSA) secrets dumper; remote NT hashes dumper; remote route table manager; and remote TCP/UDP table viewer

Linux command to remove files. -r option recursively removes all directories and subdirectories

rm

The basic syntax of the route add command

route add [network address] mask [subnet-mask] [gateway-address]

Linux enumeration commands that provide information on RPC in the environment

rpcinfo and rpcclient

Used to identify programs and associated ports on a remote system.

rpcinfo -p [IP]

Lists the running services on a Windows Machine

sc query

Command that displays active and inactive services on a computer running Windows Server 2012

sc query state= all

2nd Hacking Phase: Obtains more in-depth information about targets.

scanning and enumeration

Python is this type of language

scripting

A layer 4 - 7 TCP message

segment

Code you place into overall exploit code that will provide you with shell access on the target system

shellcodes

A Linux enumeration command that displays all shared directories on the machine

showmount

Can be used to "walk" the MIB tree to gather data from SNMP agents

snmpwalk

Linux command to allow you to perform functions as another user

su

A daemon for logging and access control that is a FreeBSD implementation of the TCP Wrapper, which can monitor incoming service requests for services like Telnet, SMTP, FTP, HTTP, and HTTPS. The log can provide simple access control.

tcpd daemon

Daemon that is a FreeBSD implementation of TCP Wrapper, which can monitor incoming service requests for services like Telnet, SMTP, FTP, HTTP, and HTTPS. The daemon can log and provide simple access control. This could prevent a malicious Telnet attack from using standard open ports for other services, like SMTP and HTTP

tcpd daemon

Designates tcpdump to dump the payload in hexadecimal

tcpdump -X

Specifies the interface in tcpdump

tcpdump -i

Command to remove the DNS information in tcpdump

tcpdump -n

Designates tcpdump to read from a specified file.

tcpdump -r

Adds more details in tcpdump

tcpdump -v OR -vv OR -vvv

Command in tcpdump to write to a file

tcpdump -w

A CLI version of TCPView. To run it, issue the [-a] [-c] [-n] [process] command. The -a parameter displays all endpoints; if the -a parameter is not issued, only established TCP connections are displayed. The -c parameter prints the output as a CSV file. The -n parameter configures the tool to not resolve addresses. The process variable can be issued as a process name or as a process ID.

tcpvcon

An information-gathering application used to scrape up emails, subdomains, hosts, employee names, open ports and banners from different public services like popular search engines, PGP key servers, and the Shodan database.

theHarvester

This file contains a list of currently logged-in users. You can read the file by issuing the who or last -f commands

utmp

A rogue access point framework used to impersonate a wireless network while jamming a legitimate access point and then redirecting traffic to a site managed by the attacker.

wifiphisher

Tool used to enumerate themes, users, and plugins

wpscan

This file contains a list of all login and logout activity. You can read the file by issuing the last command

wtmp

The NOPS module for the Metasploit framework. Used to create a NOP slide.

x86/opty2

The XOR generator module for the Metasploit Framework. Used to create polymorphic shellcode to hide NOP sleds and bypass signature-based IDSes.

x86/xor

A Windows utility that can be used to take ownership of a file from the command line.

xacls.exe

Mobile IPS application that provides comprehensive protection for iOS and Android devices against mobile network, device, and application cyber attacks

zIPS
