Security+ Domain 4

198 Terms

1
Tracert / Traceroute
Shows the route taken from a computer to a remote host, such as a website.
2
Nslookup
A diagnostic tool for verifying the IP address of a hostname (the A record by default) in the DNS server database. Using the set type= command, you can change the type of record it searches for.
3
Dig
The equivalent of nslookup in a Linux/Unix environment.
4
ipconfig / ifconfig
These commands show the IP configuration. The Windows version is ipconfig; Unix/Linux uses ifconfig.
5
Nmap
A free and open-source network mapper that can be used to create an inventory of the devices on your network.

Also good for banner grabbing (computer and service information).
6
Pathping
Has the functionality of both ping and tracert. It also calculates statistics after the trace, showing the packet loss at each router (each hop) it passes through.
7
Hping
An open-source packet generator and analyzer for the TCP/IP protocol, often used for auditing firewalls and networks.

For example, it can test firewall rules and open ports, and it analyzes network traffic, including packet formats and traceroute.
8
Netstat
A native tool on the Windows operating system, used to see established connections, listening ports, and even running services.

Netstat shows listening ports and established connections, but if you reboot the computer, the established connections disappear.
9
netcat
Or nc, is a Linux/UNIX utility for showing network connections, port scanning, and even file transfer.
10
IP Scanners
Angry IP Scanner is a popular free and open-source IP scanner that scans the addresses in a range and identifies open ports. It exports results to TXT, CSV, or XML format.
11
Address Resolution Protocol (ARP)
A protocol for mapping an IP address to a physical MAC address on a local area network. The arp -a command shows the ARP cache.
12
route
Lists the existing routes in the local routing table and adds manual entries to it. Use route print to view the local route table and route add to add a route.
13
Curl
A command-line tool used to transfer data using any of these supported protocols:

HTTP, FTP, IMAP, POP3, SCP, SFTP, SMTP, TFTP, TELNET, LDAP, or FILE
14
TheHarvester
A passive tool that comes with Kali Linux, used to harvest the email addresses of an organization.

Example: search for email addresses in the kali.org domain, limiting results to 500, using Google:

theharvester -d kali.org -l 500 -b google
15
Sn1per
A penetration test reconnaissance tool that can be used for automated tests.

It can scan for vulnerabilities, open ports and web application vulnerabilities, and perform attack surface discovery.

Used by pen testers, bug bounty researchers, and red teams.
16
Scanless
A free and open-source pentesting tool that performs anonymous open port scans on target hosts, such as web servers.

Developed in Python, it utilizes a number of online port scanners, such as ipfingerprints, pingeu, spiderip and portcheckers.
17
Dnsenum
A command-line tool that automatically identifies basic DNS records and can attempt reverse DNS resolution.

It brute forces hostnames (queries for their existence) in order to get the IP addresses of subdomains and hosts.

Used in web penetration testing to identify potential targets for further exploration.
18
Nessus
A network security (vulnerability) scanner. It utilizes plug-ins, which are separate files, to handle the vulnerability checks.

Raises an alert if it discovers any vulnerabilities that malicious hackers could use to gain access.
19
Cuckoo
This tool creates a sandbox that can be used for analyzing files for malware.
20
Concatenate (cat)
The cat command in Linux can be used to create files, view files, and also concatenate several files into another file.

To create a new file called weblog (type its contents, then press Ctrl-D to finish), we use the following syntax:

cat > weblog

You can also concatenate the contents of three files, sort them, and combine them in an output file using the following syntax:

cat file1.txt file2.txt file3.txt | sort > samplefile.txt
21
Head
The /var/log/messages file is an important log file, which shows system events such as shutdown and reboot.

We can use the head command to check the top 10 lines of that log:

head -n 10 /var/log/messages
22
Tail
Views the last X lines at the end of a log file.

Example: view the last 10 lines of the /var/log/messages log file:

tail -n 10 /var/log/messages
23
Grep
Used to search text and log files for specific values.

EXAMPLE: to search a file called users.txt for the name PETE, we would use the following syntax:

grep PETE users.txt

(Note that -f is not the pattern option: grep -f reads a list of patterns from a file.)

EXAMPLE: to search a whole directory for the word project, we can use the following syntax:

grep -r project .
24
chmod
The chmod command is used to change the permission level, for example:

chmod 766 file

In the example above, the owner has rwx, the group has rw-, and others have rw-.
25
Logger
Can add a message to the local system log file or to a remote syslog server.

Frequently used to send log messages from automation scripts to record actions performed and errors encountered.

EXAMPLE (send a message prefixed with the local hostname to the syslog server at 10.10.10.10):

logger -n 10.10.10.10 "$(hostname) found a potential backdoor attack"
26
SSH
Created to serve as a secure alternative to telnet for running commands remotely; it is commonly used when you want remote access to network devices. It can be used as a command-line tool or in a Graphical User Interface (GUI), but it is not browser-based.
27
PowerShell
PowerShell can perform tasks in a Windows environment. Each command is known as a cmdlet and can be saved to a script with a .ps1 extension.

Each PowerShell cmdlet is comprised of a verb and a noun (Verb-Noun).

EXAMPLE: Get-Help will show help for commands.
28
Python
A popular and powerful programming language used by open source developers and data scientists.
29
OpenSSL
A suite that can be used to create and manage the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.

Often used to generate private keys, create CSRs, install your SSL/TLS certificate, and identify certificate information.
30
Packet Capture and Replay
A protocol analyzer can also be referred to as a packet sniffer.

Protocol analyzers can save the data that they collect to a packet capture file (PCAP).
31
tcpreplay
An open-source tool that can be used to analyze .pcap files generated by either Wireshark or tcpdump.

It can then replay the traffic and send it to the NIPS.
32
tcpdump
A network packet analyzer command-line tool on Linux/UNIX.

EXAMPLE: show traffic on the first Ethernet adapter:

tcpdump -i eth0
33
Wireshark
A free and open-source packet analyzer, with command-line and GUI versions, available for Windows and Linux.
34
Forensics
Tools in the forensics category are often used in forensic investigation.
35
dd
When the forensics team needs to investigate an image on a desktop or laptop, the dd command can be used to clone a disk or copy a folder in a Linux/Unix environment.

In a SCSI environment, the first disk is /dev/sda and the second is /dev/sdb. If the first disk has two partitions, they will be sda1 and sda2.

The if operand is the input file and the of operand represents the output file.
36
Copy Entire Hard Disk
We are going to copy the first SCSI disk to the second SCSI disk. The syntax would be:

dd if=/dev/sda of=/dev/sdb
37
Create an Image
We are going to make a disk image of /dev/sda. We would use this syntax:

dd if=/dev/sda of=~/sdadisk.img
38
WinHex
A hexadecimal editor that can be used on any version of the Windows operating system to help forensics teams find evidence.

Can be used to find and recover deleted or lost data from a corrupt drive.
39
Capturing System Memory Dump Files
When a computer system crashes (commonly known as the blue screen of death), all of the content of the memory is saved in a dump file (.dmp).

Dump files can be analyzed by using a tool such as BlueScreenView.

The Linux equivalent is memdump.
40
FTK Imager
A data preview and imaging tool that lets you quickly assess electronic evidence to determine if further analysis with a forensic tool is warranted.
41
Autopsy
Can be used to analyze hard drives, smartphones, and media cards. Has a built-in translator to translate foreign languages into English.
42
Exploitation framework tools
Such as the open-source Metasploit Framework, these contain capabilities to detect and then exploit vulnerabilities on remote systems.

Can be used to harden your IT systems before they are attacked.

Use information from the National Vulnerability Database, which is comprised of Common Vulnerabilities and Exposures (CVE) entries.

Use the Common Vulnerability Scoring System (CVSS) to show the level of severity of each of the vulnerabilities.
43
Most Popular Exploit Frameworks
Metasploit Framework (http://www.metasploit.com)

CORE IMPACT (http://www.coresecurity.com)

Immunity CANVAS (http://www.immunitysec.com)
44
Password Crackers
Such as the Cain portion of Cain and Abel or L0phtCrack, can be used to crack passwords and create password hashes.

In the Security+ exam, when you see names in clear text followed by hashes, the hash is a password hash.
45
Data sanitization
The process of irreversibly removing or destroying data stored on a memory device (hard drives, flash memory, SSDs, etc.).

It is important to use the proper technique to ensure that all data is purged.
46
Plan
A set of intended actions, usually mutually related, through which one expects to achieve a goal.
47
Process
A series of related tasks or methods that together turn inputs into outputs.
48
Procedure
A prescribed way of undertaking a process or part of a process. A particular method for performing a task.
49
Preparation
Where incident response plans are written and configurations documented.
50
Identification
Determining whether or not an organization has been breached.
51
Containment
Limiting the damage (scope) of the incident.
52
Eradication
Once affected systems are identified: coordinated isolation or shutdown, rebuild, and notifications.
53
Recovery
The root cause is addressed, and the time to return to normal operations is estimated and executed.
54
Lessons Learned
Helps prevent recurrence and improve the IR process.
55
Tabletop
You distribute copies of incident response plans to the members of the incident response team for review.

Team members then provide feedback about any updates needed to keep the plan current.
56
Walkthrough
Members of the incident response team gather in a large conference room and role-play an incident scenario.

Usually, the exact scenario is known only to the test moderator, who presents the details to the team at the meeting.

Can ensure needed tools and resources are available, and that team members are familiar with their roles.
57
Simulation
Similar to a structured walkthrough, except some of the response measures are then tested (on non-critical functions).
58
MITRE ATT&CK Framework
An online framework that can be used by commercial organizations.

Developed by MITRE, a US government-sponsored company whose aim is to help prevent cyber-attacks.

Provides information about adversaries and their attack methods.

Uses the acronym ATT&CK to better articulate the attack vectors used by attackers:

Adversarial Tactics, Techniques, & Common Knowledge
59
Adversarial
This looks at the behavior of potential attackers, who are put into different groups.
60
Tactics
The medium by which (how) the attack will be carried out.
61
Techniques
A breakdown of the processes of how an attack will be launched.
62
Common Knowledge
Documentation relating to the attackers' tactics and techniques that has been made available online to the general public.
63
The Cyber Kill Chain
Traces the stages of a cyberattack from early reconnaissance to the exfiltration of data.
64
Reconnaissance (Step 1 of CKC)
Harvesting email addresses, company info, etc.
65
Weaponization (Step 2 of CKC)
The actor creates malware tailored to the vulnerabilities of the remote target.
66
Delivery (Step 3 of CKC)
Delivering the weaponized bundle to the victim via email, web, USB, etc.
67
Exploitation (Step 4 of CKC)
Exploiting a vulnerability to execute code on the victim's system.
68
Installation (Step 5 of CKC)
Installing malware on the asset.
69
Command and Control (Step 6 of CKC)
A command channel for remote manipulation of the victim.
70
Actions on Objectives
With 'hands on keyboard' access, intruders accomplish their original goals.
71
Diamond Model of Intrusion Analysis
A framework for gathering intelligence on network intrusion attacks, comprised of four key elements:

Adversary

Capabilities

Victim

Infrastructure
72
Adversary
The threat actor group.
73
Capabilities
Where the adversary develops an exploit that they use to carry out the attack.
74
Victim
The person targeted by the adversary.
75
Infrastructure
This is how the attacker can get to the victim.
76
Communication Plan
The plan that details how relevant stakeholders will be informed in the event of an incident.

Would include a plan to maintain confidentiality, such as encryption, to ensure that the event does not become public knowledge.

A contact list should be maintained that includes stakeholders from the government, police, customers, suppliers, and internal staff.
77
Stakeholder Management
A stakeholder is a party with an interest in an enterprise; corporate stakeholders include investors, employees, customers, and suppliers.
78
When we have an incident, there are multiple groups of relevant stakeholders that we need to inform and manage, which may include:

- Internal stakeholders
- Cyber insurance provider
- Business partners
- Customers
- Law enforcement
79
BCP (Business Continuity Plan)
The overall organizational plan for how to continue business.
80
DRP (Disaster Recovery Plan)
The plan for recovering from a disaster impacting IT and returning the IT infrastructure to operation.
81
COOP (Continuity of Operations Plan)
The plan for continuing to do business until the IT infrastructure can be restored.
82
Business Continuity Planning
Focuses on the whole business.
83
Disaster Recovery Planning
Focuses more on the technical aspects of recovery.

BCP will cover communications and process more broadly.
84
Incident Response Team
When an incident occurs, it is important to get an incident response team together to deal with the incident.

Includes the following roles:

- Incident Response Manager
- Security Analyst
- IT Auditor
- Risk Analyst
- HR
- Legal
- Public Relations
85
Incident Response Manager
A top-level manager who takes charge.
86
Security Analyst
Provides technical support to the incident.
87
IT Auditor
Checks that the company is compliant.
88
Risk Analyst
Evaluates all aspects of risk.
89
HR
Involved because sometimes employees are involved in the incident.
90
Legal
Gives advice and makes decisions on legal issues.
91
Public Relations
Deals with the press to reduce the impact.
92
Data classification
Labeling / tagging of data based on type, such as personally identifiable information (PII), protected health information (PHI), etc.
93
Regulatory compliance
For legal and compliance reasons, you may need to keep certain data for different periods of time.

EXAMPLES: some financial data needs to be retained for 7 years; some medical data may need to be retained for up to 20-30 years.
94
Data retention policy
Ensures that legal and compliance issues are addressed.
95
vulnerability scanner
Can identify and report various vulnerabilities before they are exploited. Examples include:

- Software flaws
- Missing patches
- Open ports
- Services that should not be running
- Weak passwords

Will help companies avoid known attacks such as SQL injection, buffer overflows, denial of service, and other types of malicious attack.
96
Credentialed vulnerability scan
The most effective, as it provides more information than any other vulnerability scan.
97
SIEM Dashboards
Dashboards are very useful to security operations centers, as they provide centralized visibility and information on threats in real time.
98
Sensor
Sensors are deployed across your network to monitor and collect changes in network patterns, or to monitor changes in log file entries as events occur.

The input varies by solution and device. It may be a sensor, syslog, text log, API or other format.
99
Sensitivity
Can monitor PII, PHI, and other sensitive information to ensure regulatory compliance (HIPAA, PCI DSS, GDPR).
100
Trends
Can identify trends in network traffic, event volume, or changes in activities/activity levels across identities, endpoints, network and infrastructure.