nmap
A network-vulnerability scanner.
nmap -O
Performs OS fingerprinting
nmap -sV
Service version identification.
Determines what version services are running and on what ports
nmap -sT
TCP connect scan. Scans by attempting the full TCP three-way handshake (easiest to detect, but most reliable). This is the default scan performed if no flags are added (so just "nmap hostname").
nmap -sX
Xmas scan. Scans by setting the FIN, URG and PUSH flags on the TCP packet. If the target doesn't respond, the port is open. If the connection resets (RST), the port is closed. Does not work on Windows machines.
nmap -sU
UDP scan.
nmap -sS
SYN scan. Sends only a SYN packet, which limits the visibility of the scan on the network (a "stealth" scan). Requires raw socket access (root user access).
netstat
A universal command-line utility used to examine the TCP/IP connections open on a given host.
netstat -a
Displays active TCP and UDP connections.
netstat -o
Identify a process using a connection.
Once you know the process, you can terminate it.
netstat -e
Displays ethernet statistics on sent/received data.
Useful in a similar way to netflow; you can see if there is a suspicious amount of data usage, possibly that you did not do, alerting you that there could be someone stealing your data.
netstat -r
Displays the routing table.
Useful because you can see if you have unwanted/backdoor routes.
ps
Linux command used to list the currently running processes and their PIDs
top
Linux command like ps, but also sorts processes by top usage
df
Linux command that reports file system disk space usage
w
Linux command that shows who is logged on and what they are doing
service --status-all
Linux command that lists the state of services controlled by System V init
dd
A Linux command that clones drives using a bit-by-bit copy.
Use the bs option to set the block size, e.g. (device names are illustrative):
dd bs=64k if=/dev/sda of=/dev/sdb
if is the input file, of is the output file
Use conv=noerror to continue copying if there are read errors.
md5sum
Linux command that computes and checks an MD5 message digest
nslookup/dig
Tools used to query a DNS server for information such as IP addresses, canonical names, cache timers, etc. Good for troubleshooting DNS servers. dig is more detailed.
host
Unix command. DNS lookup utility, finding the IP address of a domain name. It also performs reverse lookups, finding the domain name associated with an IP address.
whois
Query and response protocol widely used for querying databases that store the registered users of an Internet resource, such as a domain name or an IP address block. Provides details such as company, names, addresses, phone numbers, emails, and more for a given domain.
tcpdump
A Unix command-line protocol analyzer. It allows the user to display TCP/IP and other packets being transmitted or received over a network to which the computer is attached.
Qualys
Popular vulnerability scanner that allows for asset grouping and inventorying, scan comparisons, setting groups, and scheduling scans
Nessus
Vulnerability scanner comparable to Qualys
Nexpose
Vulnerability scanner comparable to Qualys and Nessus
OpenVAS
Open source vulnerability scanner. Low cost (free). OpenVAS is a fork of the original Nessus.
Nikto
Web application vulnerability scanner. Other tools scan databases, but Nikto scans the web server itself. Nikto is a great supplemental scanner to use with other vulnerability scanners to gain a different perspective.
Microsoft Baseline Security Analyzer (MBSA)
Run on the local machine itself. Performs a basic security test: makes sure that the firewall is enabled, updates are installed, the registry is good, etc. Only works on systems below Windows 10.
Wireshark
A free and open source packet analyzer that has a GUI.
Command line version is called Tshark and features the same capabilities except for the GUI.
Cisco Firewall
Next Generation Firewall. Can incorporate Sourcefire.
Snort
IPS that uses a community-curated set of rules to identify patterns of known malicious software.
Sourcefire
IPS that was bought by Cisco
Bro
Open source IDS/IPS. Provides network traffic logging.
netcat (nc)
Opens a port and sends or receives traffic. Can be used as a backdoor.
-v verbose, provides more information
-t limits it to TCP ports
-u limits it to UDP ports
Burpsuite
An interception proxy that features both automated and manual modes. Useful for web application security testing.
Splunk
Popular SIEM that provides graphical data used for analysis
ELK Stack
Set of 3 open source tools used for monitoring, troubleshooting and securing IT environments. This is a SIEM.
shasum
Linux command that computes a SHA hash for a file
Aircrack-ng
This tool is an 802.11 WEP and WPA-PSK keys cracking program that can recover keys once enough data packets have been captured.
WLAN/802.11 penetration testing tool. Open source.
ufw (Uncomplicated Firewall)
Command line firewall in Ubuntu. Allows for easy administration of the firewall ACLs.
It's free.
EMET (Enhanced Mitigation Experience Toolkit)
Free Microsoft product designed to protect Windows systems against a variety of threats, particularly zero-day threats.
This tool is at its end of life, but its features will be added to future OSes.
DEP and ASLR prevent memory attacks (like buffer overflows).
Mod Security
Web Application Firewall. Open source. Originally designed for Apache web servers.
NAXSI (Nginx Anti XSS and SQL Injection)
Web Application Firewall. Open source, efficient and fast. Deny-by-default whitelisting policy.
Imperva
Web Application Firewall. Offers dynamic profiling which learns trusted app structures and trusted user behavior.
Palo Alto
Next Generation Firewall provider. High cost; cloud-based malware detection and threat-intelligence sharing.
Check Point
Next Generation Firewall Provider. Known for their SCADA and ICS firewalls.
nmap -sP
Performs a ping sweep. Sends an ICMP echo and a TCP ACK to each host it scans and then determines whether the host is up based on its response.
nmap -T
Lets you space out scans to avoid detection. Choose a number 0-5 after -T to slow down or speed up the scan.
nmap -T 0 : stealthiest option
nmap -T 5 : most aggressive scanning option
SIEMs
ArcSight, QRadar, Splunk, AlienVault, OSSIM, Kiwi Syslog, ELK stack
Network General
Company that developed the original network packet sniffer in 1986.
Zenmap
GUI version of nmap.
Nagios
Monitoring tool that automatically detects a heartbeat from various nodes across a network.
SolarWinds
Network performance monitor. Multi-vendor network monitoring, able to scale for large environments.
Cacti
Open source network monitoring and graphing tool. Cacti allows a user to poll services at predetermined intervals and graph the resulting data.
MRTG (Multi Router Traffic Grapher)
Free software for monitoring and measuring the traffic load on network links. It allows the user to see traffic load on a network over time in graphical form.
Netflow Analyzer
A unified solution that collects, analyzes and reports about what your network bandwidth is being used for and by whom
Sysinternals
A suite of tools designed to assist with troubleshooting issues on Windows.
OpenSSL
A widely used open-source implementation of the SSL/TLS protocol that was affected by the Heartbleed bug.
ZAP (Zed Attack Proxy)
Interception proxy developed by OWASP
Vega
Interception proxy and security scanner tool
Metasploit
Open source exploit tool framework. Offers hundreds of plugins/extensions for delivering exploit payloads. Very versatile, can be automated.
Peach fuzzer
Versatile and powerful fuzzer that can target not only software but also internet protocols, hardware, drivers, IoT devices, embedded systems, binaries, etc.
Microsoft SDL/Regex fuzzer
Basic file and regular expression fuzzer
Untidy
XML fuzzer for discovering vulnerabilities in web clients and servers.
John the Ripper
Free command line password cracking software
Cain and Abel
GUI/application password recovery tool for Windows
nbtstat
diagnostic tool for NetBIOS over TCP/IP
-s shows current NetBIOS sessions and their status
-c shows the NetBIOS name cache
-r displays the count of NetBIOS names resolved through a WINS server query and through broadcast
less, cat, head, tail
Linux commands that allow you to view files without opening an editor (cat, less).
head shows the first lines of the file
tail shows the last lines of the file
at
Windows command that can be used to schedule tasks or programs to run at specific times
Forensics software
Encase, FTK, Cellebrite, Helix, Sysinternals
which
Linux command that shows where a command is being run from
netcat (nc) -z
Zero I/O mode.
Allows netcat to perform port scans.
netcat (nc) -l
Listen mode: sets up a port as listening for incoming connections
nmap -Pn
Disables ping/host discovery.
Some hosts are configured to not respond to ICMP packets, so nmap will not scan them because it believes they are not online.
-Pn skips this host discovery phase and scans every target as if their IP is active.
WinDump
Windows version of tcpdump
netcat (nc) -e
Program/command to execute after a connection occurs
OSSIM
Open source SIEM.
Kiwi Syslog
SIEM/log management tool made for Windows.
Encase
Windows digital forensics suite for collection, analysis, and reporting. Uses E01 file format.
FTK
Windows forensic imaging suite. Used for file discovery and volume replication.
Helix
Digital forensics suite for nondestructive forensics analysis.
Cellebrite
Mobile forensic suite for data extraction and analysis of mobile devices.