Open Source Intelligence
OSINT
Common Vulnerabilities and Exposures (CVE)
list that identifies vulnerabilities by name, number, and descriptions
CVE-[YEAR]-[NUMBER]
CVE listing format
Common Weakness Enumeration
community developed list of vulnerabilities, similar to CVE
Fingerprinting Organizations and Collected Archives
FOCA
generic top level domain
gTLD
country code top level domain
ccTLD
DNS zone transfer (AXFR)
transaction that is intended to be used to replicate DNS databases between DNS servers.
Wardriving
process of scanning for wireless networks while mobile (usually in a car), but can also be done by walking through public areas
Google Hacking Database
GHDB
Range of Well-Known/System ports
0-1023
Registered Ports range
1024-49151
Operating system fingerprinting
ability to identify an operating system based on the network traffic that is being sent
Nmap -sS
Nmap TCP SYN scan
Nmap -sT
Nmap TCP Connect
Nmap -sU
UDP only scan
-p
command line option for Nmap that lets you choose the port range or port name
Ex. - _ http
Nmap -sA
Nmap TCP ACK
Nmap -T0 to -T5
Increases the speed of an nmap scan
Nmap -O
OS detection flag for nmap
Nmap -Pn
disable the ping for nmap scan
Nmap -T
control the aggressiveness of the timing, nmap scan
Nmap -iL
input from a target, nmap
Nmap -oX
XML format output for nmap
Nmap -oN
Normal output for nmap
Nmap -oG
Greppable format nmap
Nmap -oA
all output mode nmap
vulnerability management life cycle
VMLC
VMLC phases
1) Detection
2) Remediation
3) Testing