Studied by 10 peopleOSI Model Layers
7: Application
6: Presentation
5: Session
4: Transport
3: Network
2: Data Link
1: Physical
OSI Layer 7: Application
Human-computer interaction layer, where applications can access the network services.
OSI Layer 6: Presentation
Ensures that data is in a usable format and is where data encryption occurs.
OSI Layer 5: Session
Maintains connections and is responsible for controlling ports and sessions.
OSI Layer 4: Transport
Transmits data using transmission protocols including TCP and UDP.
OSI Layer 3: Network
Decides which physical path the data will take.
OSI Layer 2: Data Link
Defines the format of data on the network.
OSI Layer 1: Physical
Transmits raw bit stream over the physical medium.
AirPcap
The first open, affordable and easy-to-deploy 802.11 packet capture solution for Windows.
Black hat
Individuals who use their extraordinary computing skills for illegal or malicious purposes.
Botnet
A huge network of compromised systems and can be used by an attacker to launch denial-of-service attacks.
Exploit
A malicious code that breaches the system security via software vulnerabilities to access information or install malware.
Exposure
The disclosure of private data, financial loss, and discontinuation of operations.
Firewall
Hardware and/or software designed to prevent unauthorized access to or from a private network.
Grey hat
The individuals who work both offensively and defensively at various times.
IDS
An intrusion detection system (IDS) is a software system or hardware device that inspects all inbound and outbound network traffic for suspicious patterns that may indicate a network or system security breach.
IPS
Intrusion prevention systems (IPS) are continuous monitoring systems that often sit behind firewalls as an additional layer of protection.
Penetration test
A method of evaluating the security of an information system or network by simulating an attack to find out vulnerabilities that an attacker could exploit.
Snort
An open-source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching/matching and is used to detect a variety of attacks and probes such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and OS fingerprinting attempts. It uses a flexible rules language to describe traffic to collect or pass, as well as a detection engine that utilizes a modular plug-in architecture.
Threat
Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.
Vulnerability
A weakness in an IT system that can be exploited by an attacker to deliver a successful attack.
Vulnerability assessment
An in-depth examination of the ability of a system or application, including current security procedures and controls, to withstand the exploitation.
Vulnerability researcher
The process of analyzing protocols, services, and configurations to discover the vulnerabilities and design flaws that will expose an operating system and its applications to exploit, attack, or misuse.
Warchalking
Symbols are drawn in public places to advertise open Wi-Fi networks.
Wardriving
Attackers drive around with Wi-Fi-enabled laptops installed with a wireless discovery tool to map out open wireless networks.
White hat
Individuals who use their hacking skills for defensive purposes.
Cyber Kill Chain
Reconnaissance: Gather data on the target to probe for weak points.
Weaponization: Create a deliverable malicious payload using an exploit and a backdoor.
Delivery: Send weaponized bundle to the victim using email, USB, etc.
Exploitation: Exploit a vulnerability by executing code on the victim’s system.
Installation: Install malware on the target system.
Command and Control: Create a command and control channel to communicate and pass data back and forth.
Actions on Objectives: Perform actions to achieve intended objectives/goals.
CAN-SPAM
A law that sets the rules for commercial email, establishes requirements for commercial messages, gives recipients the right to have you stop emailing them, and spells out tough penalties for violations.
Digital Millenium Copyright Act (DMCA)
An American copyright law that implements two 1996 treaties from the World Intellectual Property Organization (WIPO): the WIPO Copyright Treaty and the WIPO Performances and Phonograms Treaty. In order to implement US treaty obligations, the DMCA defines legal prohibitions against circumvention of the technological protection measures employed by copyright owners to protect their works, and against the removal or alteration of copyright management information. It contains five different titles:
Title I: WIPO TREATY IMPLEMENTATION
Title II: ONLINE COPYRIGHT INFRINGEMENT LIABILITY LIMITATION
Title III: COMPUTER MAINTENANCE OR REPAIR
Title IV: MISCELLANEOUS PROVISIONS
Title V: PROTECTION OF CERTAIN ORIGINAL DESIGNS
Sarbanes Oxley Act (SOX)
Enacted in 2002, the Sarbanes-Oxley Act aims to protect the public and investors by increasing the accuracy and reliability of corporate disclosures. This act does not explain how an organization must store records but describes the records that organizations must store and the duration of their storage. The Act mandated several reforms to enhance corporate responsibility, enhance financial disclosures, and combat corporate and accounting fraud. It contains eleven different titles:
Title I: Public Company Accounting Oversight Board (PCAOB)
Title II: Auditor Independence
Title III: Corporate Responsibility
Title IV: Enhanced Financial Disclosures
Title V: Analyst Conflicts of Interest
Title VI: Commission Resources and Authority
Title VII: Studies and Reports
Title VIII: Corporate and Criminal Fraud Accountability
Title IX: White-Collar-Crime Penalty Enhancement
Title X: Corporate Tax Returns
Title XI: Corporate Fraud Accountability
Gramm-Leach-Bliley Act (GLBA)
Requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data.
Health Insurance Portability and Accountability Act (HIPAA)
The HIPAA Privacy Rule provides federal protections for the individually identifiable health information held by covered entities and their business associates and gives patients an array of rights to that information. At the same time, the Privacy Rule permits the disclosure of health information needed for patient care and other necessary purposes.
The Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities and their business associates to use to ensure the confidentiality, integrity, and availability of electronically protected health information.
Family Educational Rights and Privacy Act (FERPA)
The foundational federal law on the privacy of students’ educational records, FERPA safeguards student privacy by limiting who may access student records, specifying for what purpose they may access those records, and detailing what rules they have to follow when accessing the data.
FISMA
The Federal Information Security Management Act of 2002 was enacted to produce several key security standards and guidelines required by Congressional legislation. The FISMA provides a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support federal operations and assets. It requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or another source.
Domain Name System (DNS)
A hierarchical and distributed naming system for computers, services, and other resources in the Internet or other Internet Protocol networks. It associates various information with domain names assigned to each of the associated entities.
DNS Zone transfers
The process of transferring a copy of the DNS zone file from the primary DNS server to a secondary DNS server. In most cases, the primary DNS server maintains a backup or secondary server for redundancy, which holds all the information stored in the primary server. The DNS server uses zone transfer to distribute changes made to the main server to the secondary server(s). An attacker performs DNS zone transfer enumeration to locate the DNS server and access records of the target organization. If the DNS server of the target organization allows zone transfers, then attackers can perform DNS zone transfer to obtain DNS server names, hostnames, machine names, usernames, IP addresses, aliases, etc. assigned within a target domain.
DNS Zone poisoning
A hacker technique that manipulates known vulnerabilities within the domain name system (DNS). When it's completed, a hacker can reroute traffic from one site to a fake version. And the contagion can spread due to the way the DNS works.
DNS Cache Poisoning
Refers to altering or adding forged DNS records into the DNS resolver cache so that a DNS query is redirected to a malicious site.
DNS reflection/amplification distributed denial-of-service (DDoS)
A common two-step DDoS attack in which the attacker manipulates open DNS servers. The cybercriminal first uses a spoofed IP address to send massive requests to DNS servers. The DNS server then replies to the request, creating an attack on the target victim. The size of these attacks is larger than the spoofed request, resulting in large amounts of traffic going to the victim server. The attack often results in complete inaccessibility of data for a company or organization.
Regional Internet Registrars (location)
The RIRs include the following:
American Registry for Internet Numbers (ARIN) (https://www.arin.net)
African Network Information Center (AFRINIC) (https://www.afrinic.net)
Asia Pacific Network Information Center (APNIC) (https://www.apnic.net)
Réseaux IP Européens Network Coordination Centre (RIPE) (https://www.ripe.net)
Latin American and Caribbean Network Information Center (LACNIC) (https://www.lacnic.net)
ARIN
American Registry for Internet Numbers
APNIC
Asia Pacific Network Information Center
LACNIC
Latin American and Caribbean Network Information Center
RIPE NCC
Réseaux IP Européens Network Coordination Centre
AfrNIC
African Network Information Center
Google Hacking
Refers to the use of advanced Google search operators for creating complex search queries to extract sensitive or hidden information. The accessed information is then used by attackers to find vulnerable targets. Footprinting using advanced Google hacking techniques involves locating specific strings of text within search results using advanced operators in the Google search engine.
Google Hacking Advanced Operators
Site
Ext
Loc
Intitle
Allintitle
Inurl
Allinurl
Incache
Site
This operator restricts search results to the specified site or domain.
For example, the [games site: www.certifiedhacker.com] query gives information on games from the certifiedhacker site.
Ext
This operator allows you to search for results based on a file extension.
For Example, [jasmine:jpg] will provide jpg files based on jasmine.
Loc
This operator finds information for a specific location.
For example, [location: 4 seasons restaurant] will give you results based on the term “4 seasons restaurant.”
Intitle
This operator restricts results to only the pages containing the specified term in the title.
For example, the [malware detection intitle:help] query returns only pages that have the term “help” in the title, and the terms “malware” and “detection” anywhere within the page.
Allintitle
This operator restricts results to only the pages containing all the query terms specified in the title.
For example, the [allintitle: detect malware] query returns only pages containing the words “detect” and “malware” in the title.
Inurl
This operator restricts the results to only the pages containing the specified word in the URL.
For example, the [inurl: copy site:www.google.com] query returns only Google pages in which the URL has the word “copy.”
Allinurl
This operator restricts results to only the pages containing all the query terms specified in the URL.
For example, the [allinurl: google career] query returns only pages containing the words “google” and “career” in the URL.
Nmap scans
A security scanner for network exploration and hacking. It allows you to discover hosts, ports, and services on a computer network, thus creating a "map" of the network. It sends specially crafted packets to the target host and then analyzes the responses to accomplish its goal. It scans vast networks of literally hundreds of thousands of machines. Nmap includes many mechanisms for port scanning (TCP and UDP), OS detection, version detection, ping sweeps, and so on.
NMAP discovery scans
-sP
-sL
-sO
-sV
-sP
Perform a ping scan only
-sL
Create a host list
-sO
OS detection
-sV
Service version detectioon
Important nmap options
-A
-n
-v
-P0
-A
Aggressive scan
-n
Disable reverse DNS resolution
-v
Version detection
-P0
Disable ICMP scan type
Ports
FTP
SSH
Telnet
SMTP
WIND
DNS
HTTP
Kerberos
POP3
NNTP
SMB
IMAP
LDAP
RDP
FTP (File Transfer Protocol)
Ports 20 (data) and 21 (control): A connection-oriented protocol used for transferring files over the Internet and private networks. FTP is controlled on TCP port 21, and for data transmission, FTP uses TCP port 20 or some dynamic port numbers depending on the server configuration. If attackers identify that FTP server ports are open, then they perform enumeration on FTP to find information such as the software version and state of existing vulnerabilities to perform further exploitations such as the sniffing of FTP traffic and FTP brute-force attacks
SSH (Secure Shell)
Port 22: A command-level protocol mainly used for managing various networked devices securely. It is generally used as an alternative protocol to the unsecure Telnet protocol. SSH uses the client/server communication model, and the SSH server, by default, listens to its client on TCP port 22. Attackers may exploit the SSH protocol by brute-forcing SSH login credentials.
Telnet
Port 23: Used for managing various networked devices remotely. It is an unsecure protocol because it transmits login credentials in the cleartext format. Therefore, it is mostly used in private networks. The Telnet server listens to its clients on port 23. Attackers can take advantage of the Telnet protocol to perform banner grabbing on other protocols such as SSH and SMTP, brute-forcing attacks on login credentials, port-forwarding attacks, etc.
SMTP (Simple Mail Transfer Protocol)
Port 25: A TCP/IP mail delivery protocol. It transfers email across the Internet and across local networks. It runs on the connection-oriented service provided by TCP and uses the well-known port number 25. Below table lists some commands used by SMTP and their respective syntaxes.
HTTP (HyperText Transfer Protocol)
Port 80: A method for encoding and transporting information between a client (such as a web browser) and a web server. It is the primary protocol for transmission of information across the Internet.
Kerberos
Port 88: A network authentication protocol that provides strong authentication for client/server applications through secret-key cryptography, which provides mutual authentication. Both the server and the user verify each other’s identity. Messages sent through this protocol are protected against replay attacks and eavesdropping.
POP3 (Post Office Protocol)
Port 110: An application-layer Internet standard protocol used by e-mail clients to retrieve e-mail from a mail server. POP version 3 is the version in common use, and along with IMAP the most common protocols for email retrieval.
NNTP (Network News Transfer Protocol)
Port 119: Used to relay Usenet news articles from discussions over the newsgroup. Usenet newsgroups can be a useful source of valuable information about a target. Many professionals seek help on Usenet newsgroups by posting questions and asking for solutions. To obtain solutions to these issues, they sometimes post more detailed information about the target than needed.
SMB (Server Message Block)
Port 445: A transport protocol that is generally used by Windows systems for providing shared access to files, printers, and serial ports as well as remote access to Windows services. By default, SMB runs directly on TCP port 445 or via the NetBIOS API on UDP ports 137 and 138 and TCP ports 137 and 139.
IMAP (Internet Message Access Protocol)
Port 143: Allows a client to access and manipulate electronic mail messages on a server. This protocol offers inadequate security, which allows attackers to obtain data and user credentials in cleartext.
LDAP (Lightweight Directory Access Protocol)
Port 389: An Internet protocol for accessing distributed directory services. LDAP accesses directory listings within Active Directory or from other directory services.
RDP (Remote Desktop Protocol)
Port 3389: A proprietary protocol developed by Microsoft Corporation which provides a user with a graphical interface to connect to another computer over a network connection.
Password Cracking Tools
John the Ripper
L0phtcrack
0phtcrack
Cain and Abel
John the Ripper
A free password cracking software tool. Originally developed for the Unix operating system, it can run on fifteen different platforms.
L0phtcrack
A tool designed to audit passwords and recover applications. It recovers lost Microsoft Windows passwords with the help of a dictionary, hybrid, rainbow table, and brute-force attacks. It can also be used to check the strength of a password.
0phtcrack
A free open-source program that cracks Windows log-in passwords by using LM hashes through rainbow tables. The program includes the ability to import the hashes from a variety of formats, including dumping directly from the SAM files of Windows
Cain and Abel
A password recovery tool that allows the recovery of passwords by sniffing the network and cracking encrypted passwords. The ARP poisoning feature of the Cain & Abel tool involves sending free spoofed ARPs to the network’s host victims. This spoofed ARP can make it easier to attack a middleman.
Trojans and Malware
Wrapper or binder
Rootkit
HTTP trojan
Netcat
Hoax
Keylogger
Wrapper or binder
A wrapping attack is performed during the translation of the SOAP message in the TLS layer where attackers duplicate the body of the message and sends it to the server as a legitimate user.
Rootkit
Programs that hide their presence as well as attacker’s malicious activities, granting them full access to the server or host at that time, and in the future.
HTTP trojan
HTTP/HTTPS Trojans can bypass any firewall and work in reverse, as opposed to a straight HTTP tunnel. They use web-based interfaces and port 80. The execution of these Trojans takes place on the internal host and spawns a child program at a predetermined time. The child program is a user to the firewall; hence, the firewall allows the program to access the Internet. However, this child program executes a local shell, connects to the webserver that the attacker owns on the Internet through an apparently legitimate HTTP request, and sends it a ready signal. The apparently legitimate answer from the attacker’s web server is, in fact, a series of commands that the child can execute on the machine’s local shell. The attacker converts all the traffic into a Base64-like structure and gives it as a value for a cgi-string to avoid detection.
Netcat
Hoax
Messages that issue fake warnings to the user about new viruses, Trojans, or worms that may harm the user’s system.
Keylogger
Keystroke loggers are programs or hardware devices that monitor each keystroke as the user types on a keyboard, logs onto a file, or transmits them to a remote location.
Famous Trojans
Tini
Loki
Netbus
Back Orifice
Beast
Nuclear RAT
Tini
Tiny Banker Trojan, also called Tinba, is a malware program that targets financial institution websites. It is a modified form of an older form of viruses known as Banker Trojans, yet it is much smaller in size and more powerful. It works by establishing man-in-the-browser attacks and network sniffing.
Loki
A trojan that is often distributed as an attachment to phishing emails and other messages. Anti-phishing solutions that can identify and block malicious content in attachments from reaching the user can protect against infections by Lokibot.
Netbus
A software program for remotely controlling a Microsoft Windows computer system over a network. It was created in 1998 and has been very controversial for its potential of being used as a trojan horse. NetBus was written in Delphi by Carl-Fredrik Neikter, a Swedish programmer in March 1998.
Back Orifice
A computer program designed for remote system administration. It enables a user to control a computer running the Microsoft Windows operating system from a remote location. The name is a play on words on Microsoft BackOffice Server software.
Beast
A Windows-based backdoor trojan horse, more commonly known in the hacking community as a Remote Administration Tool or a "RAT". It is capable of infecting versions of Windows from 95 to XP. Written in Delphi and released first by its author Tataye in 2002, it became quite popular due to its unique features.
Nuclear RAT
Nuclear R.A.T is a trojan horse, first appearing in 2000. Nuclear R.A.T stands for Nuclear Remote Administration Tool. Nuclear is added on to the name because it's more powerful than other R.A.T malware.
Tools to detect trojans
Netstat / fport
Tcpview
Process viewer
Autoruns
Hijack This
Spybot S&D
Netstat / fport
It displays active TCP connections, ports on which the computer is listening, Ethernet statistics, the IP routing table, IPv4 statistics (for the IP, ICMP, TCP, and UDP protocols), and IPv6 statistics (for the IPv6, ICMPv6, TCP over IPv6, and UDP over IPv6 protocols). When used without parameters, netstat displays only active TCP connections.
Tcpview
A Windows program that shows detailed listings of all TCP and UDP endpoints on the system, including the local and remote addresses, and the state of the TCP connections. It provides a subset of the Netstat program that ships with Windows. The TCPView download includes Tcpvcon, a command-line version with the same functionality. When TCPView runs, it enumerates all active TCP and UDP endpoints, resolving all IP addresses to their domain name versions.
Note
Flashcard