Reading...
Play button
Play button
Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
86 Cards in this Set
- Front
- Back
|
What are the 8 phases to exploitation?
|
Foot printing
Scanning Enumeration Gain access (exploitation) Privilege escalation Situational awareness Covering tracks Creating backdoors |
|
|
What are 3 commonly used techniques used for foot printing?
|
Trace Route
Record Route (ping -r) Ping Sweep |
|
|
What are the 3 types of trace routes?
|
ICMP
UDP TCP |
|
|
What type of trace route is the default for windows?
|
ICMP
|
|
|
How many packets are sent with an ICMP trace route?
|
3
|
|
|
What type of trace route is the default for unix?
|
UDP
|
|
|
What does a UDP trace route include other than a destination IP address?
|
destination port
|
|
|
Where does a UDP trace route destination port normally start?
|
33000
|
|
|
True or False
During a UDP trace route: The client will increment the destination port? |
TRUE
|
|
|
True or False
During a TCP trace route: The trace route will be directed to a specific TCP port? |
TRUE
|
|
|
During a TCP trace route what will be returned when the target is reached?
|
RST
|
|
|
This command and option combination will will store the outbound interfaces that a trace route can't retrieve; this information is stored in the IP header options field.
|
ping -r (windows)
ping -R -s -v (unix) -R invokes record route -s send 1 datagram/sec collect stats -v verbose mode (display results) |
|
|
_____ is used to determine if a given range of IP address are live. It consists of ICMP echo requests sent to multiple hosts.
|
ping sweeping
|
|
|
This phase identifies the target OS and listening ports/applications.
|
Scanning
|
|
|
What are the 2 types of OS fingerprinting?
|
Active & Passive
|
|
|
_____ fingerprinting is defined as analyzing the TCP/IP stack of an OS.
|
Active
|
|
|
_____ sends a packet with the "FIN" control flag set to an open port of a host and waits for a response.
|
FIN Probe
|
|
|
The correct response to a _____ is to not respond, however, some systems such as windows, HP-UX, and Iris will respond with the "RST" "ACK" flags set
|
FIN Probe
|
|
|
A _____ sends a packet with one of the bits set in the reserver undefined TCP flag section of the TCP header. Linux systems prior to kernel 2.0.35 will keep the flag set in their response. Other OSs will reset the connections when they receive it.
|
BOGUS Flag Probe
|
|
|
_____is used to find patterns in the initial sequence numbers ISN chosen by the TCP implementation when responding to a connection request.
|
TCP ISN Samling
|
|
|
_____ relies on intentionally creating a half-open connections with a target. When the target does not see the final ACK, it sends another SYN plus ACK based on the time out interval between re-transmissions you could fingerprint the OS.
|
(RTO) Re-transmission Time OUT
|
|
|
_____ fingerprinting is defined as monitoring network traffic and analyzing it to determine an OS
|
Passive
|
|
|
What are four items you can look at in a packet capture to passively ID an OS?
|
TTL
Window Size DF (Don't Fragment) TOS (Type of Service) |
|
|
List some passive OS finger printing tools.
|
P0f
Ettercap Wireshark |
|
|
_____ is the most basic form of TCP scanning. It uses the connect system call of the OS on a target system to open a connection to every open port on that machine.
|
TCP connect scan
|
|
|
_____ is referred to as a "half-open" scan. The scanner sends a packet with the SYN flag set to all ports on the target and waits for the responses from the target, however, it does not send teh final ACK back
|
SYN stealth scan
|
|
|
True or False
Closed ports always send a RST in response to a SYN? |
True
|
|
|
____ sends a packet with the SYN control flag set to all ports on the target and waits for the responses. It completes the 3-way handshake.
|
TCP connect scan
|
|
|
_____ sends a packet with the SYN control flag set to all ports on the target and waits for the responses from the target, but does not send the final ACK back to the target.
|
SYN Stealth scan (half-open)
|
|
|
_____ sends a packet with NO control flag set to all ports on the target machine and waits for the responses. Open ports will ignore the packet, while closed ports will respond with a RST.
|
TCP Null scan
(not effective against MS) |
|
|
_____ sends a packet with the FIN control flag set to all ports on the target and waits for the responses. Open ports will ignore the packet, while closed ports wil respond with a RST.
|
TCP FIN scan
(not effective against MS) |
|
|
_____ sends a packet with the FIN, URG, and PSH control flags set to all ports on the target and waits for the responses. Open ports will ignore the packet, while closed ports will respond with a RST.
|
TCP Xmas scan
(not effective against MS) |
|
|
_____ sends a connect scan, but breaks it up into a fragmented scan set to all ports on the target machine.
|
TCP Frag scan
|
|
|
_____ utilizes the Identification protocol to provide disclosure of the owner of processes connected to TCP services. The target must be running Identd.
|
TCP reverse Ident scan
|
|
|
_____ sends an ACK packet (with random acknowledgment/sequence numbers) to the ports specified.
|
ACK stealth scan
|
|
|
_____ similar to the ACK scan except that it can sometimes detect open ports as well as filtered/unfilered ports due to an anomaly in the TCP window size reporting by some OSs.
|
TCP window scan
|
|
|
_____ uses exclusion sequence rule. It sends UDP requests and if no replies come back, it's assumed open. If it receives "Destination Unreachable", it's assumed closed.
|
UDP scan
|
|
|
_____ sends raw IP packets without any further protocol header to each specified protocol on the target; if it receives an ICMP protocol unreachable message, then the protocol is not in use. Otherwise, it assumes it is open.
|
IP protocol scan
|
|
|
_____ simply generates and prints a list of IP addresses or host names without actually pinging or port scanning them.
|
List scan
|
|
|
_____ is an advanced scan method that allows for a truly blind TCP port scan. It uses the IP identification field in teh IP header. This field is utilized to reassemble fragment packets. Most OSs increment this field by a value of 1, regardless if there is fragmentation.
|
Zombie scan (Idle Scan)
|
|
|
This option Floods open TCP/UDP ports with SunRPC program NULL commands to determine whether they are RPC ports, and if so, what program they call up.
|
RPC scan
|
|
|
The _____ option attempts to determine what type of OS you are scanning
|
OS detection
|
|
|
This option communicates with open TCP/UDP ports to determine more about what is actually running.
|
version detection
|
|
|
_____ is a command line TCP/UDP port scanning tool provided by Foundstone. It's small size makes it a great "take it with you" scanner.
|
FCscan
|
|
|
The _____ phase focuses on validating user accounts and verifying application versions which leads to the exploitation selection.
|
enumeration
|
|
|
_____ involves connecting to common applications on the target to identify the version of teh applications.
|
Banner grabbing
|
|
|
Most popular methods of banner grabbing are done in what 2 ways.
|
Telnet
Netcat |
|
|
The _____ command displays the target host's NFS exported file system.
|
showmount
|
|
|
The _____ command displays information on logged-in users.
|
finger
|
|
|
The _____ command displays information on logged-in users. similar to the finger command.
|
rusers
|
|
|
The _____ command displays RPC services running on the target host by program #, transport, service name, and owner.
|
rpcifo
|
|
|
The _____ utility uses SNMP GETNEXT requests to query objects in the management information base.
|
SNMP-Walk
|
|
|
What group does each ASN# represent? (7th digit)
|
ASN 1= name, location, description of equipment
ASN 2= network Interface and their measure traffic ASN 3= address translation ASN 4= IP packet statistics ASN 5= stats about received ICMP messages ASN 6= TCP algorithms, paramaters, and statistics ASN 7= UDP traffic statistics ASN 8= EGP protocol traffic statistics ASN 10= Reserved for media-specific MIBs ASN 11= SNMP traffic statistics |
|
|
A _____ occurs when data written to a buffer, due to insufficient bounds checking, corrupts data valued in memory addresses adjacent to the allocated buffer.
|
buffer overflow
|
|
|
What are the 2 types of buffer overflows?
|
Stack Buffer Overflow
Heap Buffer Overflow |
|
|
A _____ stems from the use of unfiltered user input in the format string parameter of various C programming language functions that perform formatting.
|
Format String Attack
|
|
|
A _____ attack is derived from the process of converting data that has more than one possible representation. This type of attack is normally associated with web servers to access information OUTSIDE the root web directory. Normally used for directory traversal attacks.
|
canonicalization
|
|
|
_____ refers to inputting raw transact SQL queries into an application to perform an unexpected action or result.
|
SQL injection
|
|
|
This attack sends a modified RPC packet set to the host name of the remote system, it will then be processed as if it was a local request.
|
Sadmin exploit
|
|
|
This tool overflows the telnet client environment variable buffer with 65 characters which caused the remote system to drop the user into a shell.
|
TTYPrompt Exploit
|
|
|
This attack targets a specific function in the ftpd service called globbing. It sends bogus RNFR requests with 73 self-referencing directory locations "./" this is done four times, escaping the boundary of the ftpd service and then stores exploit code into memory.
|
WU-ftpd exploit (7350wurm)
|
|
|
This attack loads user-specifig kernel modules by using directory traversal sequences and employing the mount() or sysfs() system calls. If successful it will call out a shell with root privileges.
|
Solaris vfs_getvfssw() exploit
|
|
|
What are the 4 modes for john the ripper?
|
external
internal single wordfile |
|
|
What category involves identifying logged on users, specific processes, identifying hardware components, possible security packages, and logging capabilities?
|
Situational awareness
|
|
|
The _____ command displays a summary of system and user activity.
|
w
|
|
|
The _____ command displays logged in username, terminal, login time, and where the user logged in from.
|
who
|
|
|
The _____ command displays logged in username, active processes/CPU time owned by the user and login time. The header displays the time of day and machine name.
|
whodo
|
|
|
The _____ command displays information on all users (regardless of whether they are logged in) and system accounts. Output displays user, UID, froup name, GUID, and comment name.
|
logins
|
|
|
The _____ command prints information on active processes.
|
ps
|
|
|
The _____ command for solaris and the _____ command for linux provides interactive monitoring of active processes. Also provides a summary of how many processes are running and the owner.
|
solaris: prstat
linux: top |
|
|
The _____ command displays information about the processor to include the type, co-processor, and processor chip.
|
psrinfo
|
|
|
The _____ command displays information about terminal, disk, and tape I/O activity.
|
iostat
|
|
|
The _____ command displays information about the current system.
|
uname
|
|
|
The _____ command displays information about disk space usage.
|
df
|
|
|
The _____ command displays information about installed software packages.
|
pkginfo
|
|
|
The _____ command displays all patches on the system.
|
showrev -p
|
|
|
What file controls what will be logged and where it will be logged?
|
/etc/syslog.conf
|
|
|
What file controls where the logs will be sent (what system)?
|
/etc/hosts
|
|
|
This utility removes user's last entry from the WTMP, UTMP, LASTLOG, WTMPX, and UTMPX binaries. It works with most unix variants.
|
zap3
|
|
|
What is the only shell that does not have a shell history file?
|
bourne shell (sh)
|
|
|
What are 3 ways to modify a history file or log file?
|
vi
copy and replace echo complete file to /dev/null (most intrusive) |
|
|
What command would you use to modify the date of a file?
|
touch
|
|
|
_____ provide an easy means to return to the target after is has been exploited.
|
Back doors
|
|
|
_____ is a program that will add 3 back doors on a target.
|
SM4CK
|
|
|
_____ a collection of programs that support the following concepts: Hiding processes/directories/files, running packet sniffers, clearing logs, allowing back doors, and capturing local logins and passwords.
|
Root kits
|
|
|
What are the 2 types of root kits?
|
application
kernel |
