125 Cards in this Set
- Front
- Back
Most common (traditional) method for creating a sled |
NOOP sled |
|
2 types of NOOP sleds |
one-byte (0x90, the x86 NOP) or multi-byte (e.g. 0x9090) |
|
one-byte NOOP-equivalent sleds use what opcode? |
0x42 (inc edx on x86: a one-byte instruction whose side effect the payload can tolerate) |
|
multi-byte NOOP equivalent sled |
uses multi-byte opcodes to perform same sled effect |
|
sled that jumps directly to the shell regardless of what byte the return pointer hits |
trampoline sled |
|
trampoline sled uses what hex? |
0xEB (jmp short) instructions, e.g. the byte pattern 08/eb/06/eb/04 |
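The property behind all three sled types above is that execution entering at any byte of the sled still arrives at the first byte of the payload. The following sled checker is an added example, not part of the flashcard set: it is a deliberately tiny x86 decoder that knows only the one-byte NOP equivalents and jmp short (0xEB), and walks a candidate sled from every possible landing offset. The naive trampoline bytes and the corrected trampoline layout are constructed here to show the failure mode and its fix; they are not the pattern the cards quote.

```python
"""Sled validator: does every landing offset reach the payload?

Added example (not from the flashcard set). The decoder is intentionally
minimal; any opcode it does not recognise is treated as unsafe.
"""

# One-byte x86 instructions commonly used as NOP equivalents (32-bit mode):
# 0x90 nop; 0x40-0x4F inc/dec r32; 0x27/0x2F/0x37/0x3F daa/das/aaa/aas;
# 0x98/0x99 cwde/cdq; 0xF8/0xF9/0xFC/0xFD clc/stc/cld/std; 0x9E/0x9F sahf/lahf.
ONE_BYTE_NOPS = frozenset(
    [0x90, 0x27, 0x2F, 0x37, 0x3F, 0x98, 0x99, 0xF8, 0xF9, 0xFC, 0xFD, 0x9E, 0x9F]
    + list(range(0x40, 0x50))
)
JMP_SHORT = 0xEB  # jmp rel8: 2 bytes, target = next_ip + signed rel8


def reaches_payload(sled: bytes, offset: int, max_steps: int = 4096) -> bool:
    """Simulate execution from `offset`; True iff control arrives exactly at the
    first payload byte (index len(sled)) while executing only known-safe ops."""
    pc = offset
    for _ in range(max_steps):
        if pc == len(sled):
            return True
        if pc < 0 or pc > len(sled):  # jumped out backwards, or into mid-payload
            return False
        op = sled[pc]
        if op in ONE_BYTE_NOPS:
            pc += 1
        elif op == JMP_SHORT:
            if pc + 1 >= len(sled):  # operand would be the payload's first byte
                return False
            rel = sled[pc + 1] - 256 if sled[pc + 1] >= 128 else sled[pc + 1]
            pc = pc + 2 + rel
        else:
            return False  # unknown opcode: would decode as something else
    return False  # looped without reaching the payload


def unsafe_offsets(sled: bytes) -> list:
    return [i for i in range(len(sled)) if not reaches_payload(sled, i)]


def nop_sled(n: int) -> bytes:
    return b"\x90" * n


def inc_edx_sled(n: int) -> bytes:
    return b"\x42" * n


# Naive trampoline: every jmp targets the payload, but the rel8 bytes
# 0x06 / 0x04 / 0x02 / 0x00 decode as push es / add al,imm8 / add / add,
# so landing on an odd offset leaves the sled's intended instruction stream.
NAIVE_TRAMPOLINE = bytes.fromhex("eb06eb04eb02eb00")


def trampoline_sled() -> bytes:
    """Constructed trampoline whose rel8 operands are themselves one-byte NOP
    equivalents: eight `jmp +rel` pairs with rel in 0x40..0x4E (inc r32 when
    landed on), then 64 filler bytes so each jump lands exactly on the payload."""
    pairs, filler = 8, 64
    total = 2 * pairs + filler
    out = bytearray()
    for j in range(pairs):
        rel = total - (2 * j + 2)  # distance from the end of this jmp to the payload
        assert 0x40 <= rel <= 0x4F  # operand must be harmless if executed
        out += bytes([JMP_SHORT, rel])
    out += inc_edx_sled(filler)
    return bytes(out)


if __name__ == "__main__":
    for name, sled in [("nop", nop_sled(32)), ("inc edx", inc_edx_sled(32)),
                       ("naive trampoline", NAIVE_TRAMPOLINE),
                       ("trampoline", trampoline_sled())]:
        print(f"{name:18s} unsafe landing offsets: {unsafe_offsets(sled)}")
```

The checker reports offsets 1, 3, 5 and 7 as unsafe for the naive trampoline, which is exactly why trampoline sleds must be built from operand bytes that are themselves valid one-byte instructions. Note that 0x42 clobbers edx; choose a register the payload does not depend on.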
|
shell code that opens a socket from the target system back to the attacker |
connect back |
|
SADMIN is always what shell code |
connect back |
|
Kaht is always what shell code |
port bind |
|
LSASS is always what shell code |
both |
|
what shell code has "refer" in the ASCII? |
drive-by download |
|
MItM allows the attacker to : |
read and possibly modify messages between two parties |
|
MItM indicator : |
duplicate SYN packets from the same IP with different MACs |
|
IP spoof attack : |
change source IP to masquerade as another host or hosts |
|
IP spoof indicator : |
multiple SYN packets from different IPs with the same MAC |
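The two indicators above are both "which MACs did this IP use / which IPs did this MAC use" questions over a SYN capture. The following is an added example, not from the flashcard set, that groups constructed SYN observations both ways. The addresses are made up; the gateway-MAC exclusion is an assumption a practitioner has to add because every off-subnet IP legitimately arrives with the router's MAC, which would otherwise look like spoofing.

```python
"""Group SYN packets by (IP, MAC) to surface the MITM and IP-spoof indicators.

Added example, not from the flashcard set. SYN_PACKETS is constructed data.
"""
from collections import defaultdict

# Constructed observations: (source IP, source MAC) of SYN packets seen on one segment.
SYN_PACKETS = [
    ("10.0.0.5", "aa:aa:aa:aa:aa:01"),
    ("10.0.0.5", "aa:aa:aa:aa:aa:01"),
    ("10.0.0.5", "bb:bb:bb:bb:bb:02"),      # same IP, second MAC -> MITM indicator
    ("10.0.0.7", "cc:cc:cc:cc:cc:03"),
    ("198.51.100.1", "dd:dd:dd:dd:dd:04"),
    ("198.51.100.2", "dd:dd:dd:dd:dd:04"),
    ("198.51.100.3", "dd:dd:dd:dd:dd:04"),  # many IPs, one MAC -> IP-spoof indicator
]


def mitm_indicators(packets):
    """IPs that were seen with more than one MAC (ARP-poisoning style MITM)."""
    macs_by_ip = defaultdict(set)
    for ip, mac in packets:
        macs_by_ip[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in macs_by_ip.items() if len(macs) > 1}


def spoof_indicators(packets, min_ips=3, gateway_macs=frozenset()):
    """MACs that sourced SYNs for at least `min_ips` distinct IPs.

    Assumption: the caller supplies the MACs of routers/gateways, since traffic
    from every remote IP legitimately carries the gateway's MAC on the segment.
    """
    ips_by_mac = defaultdict(set)
    for ip, mac in packets:
        if mac in gateway_macs:
            continue
        ips_by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) >= min_ips}


if __name__ == "__main__":
    print("MITM indicators:", mitm_indicators(SYN_PACKETS))
    print("spoof indicators:", spoof_indicators(SYN_PACKETS))
    print("spoof indicators (gateway excluded):",
          spoof_indicators(SYN_PACKETS, gateway_macs={"dd:dd:dd:dd:dd:04"}))
```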
|
#1 attack on IPv6 |
Neighbor Discovery Protocol |
|
neighbor discovery protocol : |
abusing NDP lets an attacker intercept traffic or overload congested links |
|
Routing headers : |
an attacker adds an arbitrary number of routing headers to IPv6 packets |
|
a type 0 routing header is what? |
an attack vector (RH0 was deprecated by RFC 5095 because it enables amplification and traffic bouncing) |
|
trespassing takes advantage of what? |
neighbor discovery protocol |
|
substitution boxes (s-boxes) : |
replace a group of input bits with another via a lookup table (the non-linear step of a cipher) |
|
compression : |
compresses plaintext to remove language redundancy before encryption |
|
permutation : |
changes the relative order of the plaintext bits. AKA transposition |
|
expansion : |
expands plain text by adding more bits |
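Substitution, permutation and expansion are all table-driven bit operations, and DES is the textbook place to see them together. The block below is an added example, not from the flashcard set: it implements DES's E expansion (32 to 48 bits), its P permutation and S-box S1 as generic table routines, and includes the FIPS 46-3 worked input 011011 for S1. Only S1 is included, so this is not a full DES round; the non-linearity check at the end is an added observation, not a DES test vector.

```python
"""DES-style expansion, S-box substitution and permutation as table lookups.

Added example, not from the flashcard set. Tables are from FIPS 46-3; bit
positions are 1-indexed counting from the most significant bit.
"""

E = [32, 1, 2, 3, 4, 5, 4, 5, 6, 7, 8, 9, 8, 9, 10, 11, 12, 13,
     12, 13, 14, 15, 16, 17, 16, 17, 18, 19, 20, 21, 20, 21, 22, 23, 24, 25,
     24, 25, 26, 27, 28, 29, 28, 29, 30, 31, 32, 1]          # 32 -> 48 bits
P = [16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10,
     2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25]  # 32 -> 32 bits
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def bit(value: int, width: int, pos: int) -> int:
    """Bit `pos` of `value`, 1-indexed from the MSB of a `width`-bit word."""
    return (value >> (width - pos)) & 1


def apply_table(value: int, in_width: int, table) -> int:
    """Output bit i (from the MSB) = input bit table[i]. A table longer than
    in_width expands (bits repeat); a shorter one compresses; equal length with
    each position used once is a permutation."""
    out = 0
    for pos in table:
        out = (out << 1) | bit(value, in_width, pos)
    return out


def expand(r32: int) -> int:
    return apply_table(r32, 32, E)


def permute(x32: int) -> int:
    return apply_table(x32, 32, P)


def invert(table):
    """Inverse of a permutation table (only valid when every position appears once)."""
    inv = [0] * len(table)
    for i, pos in enumerate(table):
        inv[pos - 1] = i + 1
    return inv


def sbox(six_bits: int, table=S1) -> int:
    """DES S-box addressing: outer two bits pick the row, inner four the column."""
    row = (((six_bits >> 5) & 1) << 1) | (six_bits & 1)
    col = (six_bits >> 1) & 0xF
    return table[row][col]


if __name__ == "__main__":
    print(f"S1(011011) = {sbox(0b011011):04b}")       # FIPS 46-3 example: 0101
    print(f"E(0x00000001) = {expand(1):012x}")
    print(f"P(0x00000001) = {permute(1):08x}")
    # Substitution is the only non-linear step: XOR does not commute with it.
    print("S1 linear on (0,1)?", sbox(0) ^ sbox(1) == sbox(0 ^ 1))
```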
|
symmetric key algorithms : |
use the same key for encryption and decryption; faster than asymmetric algorithms |
|
2 modes of operation for 3DES |
3DES-EEE and 3DES-EDE |
|
2 examples of symmetric key encryptions : |
blowfish and twofish |
|
asymmetric key algorithm : |
uses two keys, public and private and are mathematically related |
|
example of a key exchange method : |
diffie hellman |
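Diffie-Hellman is the key exchange the cards name, and the MITM cards earlier describe exactly the attack it is vulnerable to when the exchanged public values are not authenticated. The block below is an added example, not from the flashcard set: a toy exchange in the textbook group p=23, g=5 (far too small for real use), the same exchange with an interceptor substituting her own public value, and an HMAC under a long-term key standing in for the signature that a real protocol uses to bind each public value to its sender. The party names and the long-term key are constructed for illustration.

```python
"""Diffie-Hellman key agreement, the unauthenticated-DH MITM, and the fix.

Added example, not from the flashcard set. The group p=23, g=5 is a toy;
real deployments use a 2048-bit+ MODP group (e.g. RFC 3526) or an elliptic curve.
"""
import hashlib
import hmac
import secrets

P, G = 23, 5  # toy group, NOT secure


def public_value(private: int) -> int:
    return pow(G, private, P)


def shared_secret(peer_public: int, private: int) -> int:
    return pow(peer_public, private, P)


def honest_exchange(a: int, b: int):
    """Alice (private a) and Bob (private b) exchange g^a and g^b directly."""
    A, B = public_value(a), public_value(b)
    return shared_secret(B, a), shared_secret(A, b)


def mitm_exchange(a: int, b: int, m: int):
    """Mallory (private m) replaces each public value in transit with g^m.
    Alice and Bob each end up sharing a key with Mallory, not with each other."""
    A, B, M = public_value(a), public_value(b), public_value(m)
    k_alice = shared_secret(M, a)       # Alice received M instead of B
    k_bob = shared_secret(M, b)         # Bob received M instead of A
    k_mallory_alice = shared_secret(A, m)
    k_mallory_bob = shared_secret(B, m)
    return k_alice, k_bob, k_mallory_alice, k_mallory_bob


# Fix: authenticate the public values. A long-term key (assumed to be shared
# out of band here) stands in for the signing key a real protocol would use.
def tag(long_term_key: bytes, pub: int) -> bytes:
    return hmac.new(long_term_key, pub.to_bytes(4, "big"), hashlib.sha256).digest()


def verify(long_term_key: bytes, pub: int, t: bytes) -> bool:
    return hmac.compare_digest(tag(long_term_key, pub), t)


if __name__ == "__main__":
    a, b, m = (secrets.randbelow(P - 2) + 1 for _ in range(3))
    print("honest:", honest_exchange(a, b))
    print("mitm (alice, bob, mallory<->alice, mallory<->bob):", mitm_exchange(a, b, m))
    key = b"alice-bob-long-term-key"  # constructed
    B = public_value(b)
    t = tag(key, B)
    print("genuine value verifies:", verify(key, B, t))
    print("substituted value verifies:", verify(key, public_value(m), t))
```

With a=6 and b=15 the honest exchange yields 2 on both sides; under interception with m=13 Alice derives 18 and Bob 7, each matching Mallory's copy of their key. The tag check fails for the substituted value, which is the point: DH provides secrecy against a passive observer only, and every real deployment (TLS, SSH, IKE) signs or otherwise authenticates the exchanged values.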
|
MD (message digest) algorithms do what |
produce a fixed-length digest (hash value) of an arbitrary-length message |
|
MD algorithms : |
MD5 and SHA |
|
PKI is based on what? |
asymmetric encryption |
|
private key : |
the secret half of the key pair, kept by the owner and used to sign or decrypt |
|
public key : |
the half of the key pair published to others, used to verify signatures or encrypt to the owner |
|
digital certificates are issued by : |
CAs, certificate authorities |
|
certificate authorities : |
trusted third party that provides authentication |
|
digital certificate standard : |
X.509 |
|
type of digital certificate that is self-signed |
root certificates |
|
intermediate certificates provide : |
authority to sign server, personal, publisher or other intermediate CA certificates |
|
4 types of certificates : |
certificate authority, server, personal, publisher |
|
certificate authority : |
contains public key of a particular CA |
|
server : |
contains public key of web server |
|
personal : |
contains individuals public keys to verify user identity |
|
publisher : |
contains public keys of individuals or vendors representing a program |
|
a CAC is roughly the size of ___________ and stores how much data? |
standard credit card, 144k |
|
access to CAC requires : |
a PIN, and a system with the secure CAC applications installed |
|
CAC's store what kinds of data? |
data relating to work functions or benefits and privileges provided as a uniformed service member |
|
CAC's use what type of authentication? |
two-factor authentication |
|
two-factor authentication uses what? |
something you have (the physical card) and something you know (the PIN/passcode) |
|
SSH uses asymmetric keys to : |
create a secret key shared between client and server |
|
by default client and server in SSH must support what? |
3DES |
|
3 possible SSH authentication methods : |
.rhosts, .rhosts plus RSA, password |
|
SSL provides what? |
secure communications over the world wide web |
|
SSL uses what port and resides with HTTP in what layer? |
443, application layer |
|
SSL security features : |
authentication, data integrity, privacy/confidentiality |
|
authentication : |
ensures client and server identity |
|
data integrity : |
the SSL record layer attaches a MAC to each record so tampering in transit is detected |
|
privacy/confidentiality : |
data is compressed and encrypted with stream and block cipher |
|
file infector virus : |
infects files |
|
boot sector virus : |
infects boot sector |
|
multipartite virus : |
infects both the boot sector and executable files, so it spreads by either route |
|
polymorphic virus : |
produces varied but operational copies of itself |
|
macro virus : |
infects data files, normally microsoft office applications |
|
hoax virus : |
displays warnings of viruses that are non-existent |
|
difference between viruses and worms : |
worms spread without user interaction |
|
most infamous worm : |
Stuxnet |
|
remote access trojan (RAT) : |
grant remote access, installed on target system with a listening port |
|
security disabler trojan : |
designed to disable user's security features |
|
downloader trojan : |
stealthily download and run other files |
|
data destruction trojan : |
destroys data on target system |
|
adware : |
software that displays advertisements |
|
spyware : |
steals personal data |
|
between spyware and adware, which is malicious? |
spyware |
|
smurf attack : |
attacker spoofs the source IP to the victim's and pings a network broadcast address so every host replies to the victim |
|
NBTStream attack : |
attacks Windows NT 4.0, Windows 2000 and XP; it is a NetBIOS session request flooder |
|
teardrop attack : |
sends overlapping fragmented UDP packets |
|
bonk and boink attack : |
reverse concept of teardrop, bonk attacks UDP port 53, boink can attack a range |
|
fraggle attack : |
same as smurf, but attacker uses UDP instead of ICMP. dest port will usually be 7 (echo) or 19 (chargen) |
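Smurf and fraggle share one signature on the amplifier network: a packet addressed to a directed broadcast address whose source is the forged victim, either an ICMP echo request or UDP to port 7 or 19. The triage below is an added example, not from the flashcard set, that classifies constructed packets against that signature and records the victim address (the spoofed source, not the attacker). The 192.0.2.0/24 network and the sample packets are constructed; disabling directed broadcast forwarding on the router (for example `no ip directed-broadcast` on Cisco IOS) is the standard mitigation.

```python
"""Classify amplifier-abuse packets: smurf (ICMP) and fraggle (UDP echo/chargen).

Added example, not from the flashcard set. Network and packets are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # the network an attacker would amplify through
FRAGGLE_PORTS = {7: "echo", 19: "chargen"}
ICMP_ECHO_REQUEST = 8


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                         # "icmp" or "udp"
    dport: Optional[int] = None        # UDP destination port
    icmp_type: Optional[int] = None    # ICMP type when proto == "icmp"


def is_directed_broadcast(dst: str, nets=LOCAL_NETS) -> bool:
    addr = ipaddress.ip_address(dst)
    return any(addr == n.broadcast_address for n in nets)


def classify(pkt: Packet, nets=LOCAL_NETS) -> Optional[str]:
    """'smurf' or 'fraggle' when every host on the broadcast domain would reply
    to pkt.src; None for ordinary traffic."""
    if not is_directed_broadcast(pkt.dst, nets):
        return None
    if pkt.proto == "icmp" and pkt.icmp_type == ICMP_ECHO_REQUEST:
        return "smurf"
    if pkt.proto == "udp" and pkt.dport in FRAGGLE_PORTS:
        return "fraggle"
    return None


def external_source(pkt: Packet, nets=LOCAL_NETS) -> bool:
    """A broadcast ping 'from' an outside address cannot be legitimate local discovery."""
    src = ipaddress.ip_address(pkt.src)
    return not any(src in n for n in nets)


def triage(packets: List[Packet], nets=LOCAL_NETS) -> List[Tuple[str, str, bool]]:
    """(kind, victim, source_is_external) for each amplifier-abuse packet.
    The reply storm goes to pkt.src, so that address is the victim."""
    hits = []
    for p in packets:
        kind = classify(p, nets)
        if kind:
            hits.append((kind, p.src, external_source(p, nets)))
    return hits


# Constructed sample traffic
SAMPLE = [
    Packet("198.51.100.9", "192.0.2.255", "icmp", icmp_type=ICMP_ECHO_REQUEST),
    Packet("198.51.100.9", "192.0.2.255", "udp", dport=19),
    Packet("192.0.2.5", "192.0.2.10", "icmp", icmp_type=ICMP_ECHO_REQUEST),  # ordinary unicast ping
    Packet("192.0.2.5", "192.0.2.255", "udp", dport=137),  # NetBIOS name broadcast, not an amplifier port
]

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(hit)
```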
|
implements a distributed network DoS tool : |
tribe flood network (TFN) |
|
conducts DDoS without the person running it necessarily knowing what is really going on |
LOIC |
|
more powerful version of LOIC |
HOIC |
|
what is social engineering? |
form of exploitation that plays on human behavior to obtain info |
|
what is pretexting? |
act of creating a scenario to persuade victim to provide information that assists in exploiting a target |
|
what is spear phishing? |
same as phishing, but targeting a specific individual, company or entity |
|
what is a road apple? |
leaving a thumb drive or floppy disk in target area hoping somebody will find and put into a system |
|
quid pro quo : |
posing as someone from a company or vendor and asking for a username and password, ostensibly to log on and upgrade the system |
|
True or false : different operating systems have native commands |
true |
|
difference between an IDS and an IPS |
an IDS only detects and raises an alarm, while an IPS blocks the traffic |
|
IDS technology : pattern matching |
scans packet for specific byte sequences and compares to database of known attacks |
|
IDS technology : traffic anomaly |
scans packets for unusual activity |
|
IDS technology : protocol anomaly |
scans packets for any deviations from the standard RFCs |
|
IDS technology : statistical anomaly |
scans packets for deviations from baseline of normal traffic |
|
IDS technology : stateful matching |
scans packets for signatures in context of traffic |
|
2 modes of an IDS |
passive and active |
|
passive mode : |
monitors the potential attack and alerts/logs activity |
|
active mode : |
tears down connection and acts like an IPS |
|
2 types of IDS components : |
detectors and monitors |
|
detectors : |
the workhorse of the IDS; they monitor traffic crossing the wire |
|
monitors : |
designed to process and control your detectors |
|
an IPS is placed where? |
in-line with flow of the network |
|
what is snort? |
flexible open source network IDS/IPS |
|
3 modes of snort : |
sniffer mode, packet logger mode, intrusion detection mode |
|
sniffer mode : |
captures network traffic similar to TCPDump |
|
packet logger mode : |
captures network traffic and saves it to directories |
|
network intrusion detection mode : |
captures network traffic and analyzes it against known attacks (most popular) |
|
how does finger appear in a TCP stream? (used in snort rule) |
"/W" |
|
3 files snort uses : |
snort.conf, snort.log, *.rules |
|
false positives : |
triggers an alarm when no malicious activity is involved |
|
false negative : |
no alarm when malicious activity is going on |
|
triggers for false positive : |
protocol violations, new applications, equipment-related alarms, poorly written signatures |
|
triggers for false negative : |
network design problems, improperly written signatures |
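The pattern-matching versus stateful-matching cards and the "poorly written signatures" false-positive card come together in the finger "/W" rule mentioned earlier: a rule that matches the bytes anywhere fires on any URL containing "/W", while the same content constrained to port 79 and to established, client-to-server traffic fires only on a real verbose finger query. The following is an added example, not from the flashcard set, with a deliberately small rule model and constructed packets; the Snort rule in the comment uses real Snort syntax but is illustrative, not a rule from the page.

```python
"""Content-only versus context-aware signature matching on constructed traffic.

Added example, not from the flashcard set. Equivalent Snort rule for the
context-aware version (illustrative):
  alert tcp any any -> any 79 (msg:"FINGER verbose query"; flow:to_server,established;
                                content:"/W"; sid:1000003;)
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    dst_port: int
    established: bool   # part of a completed TCP handshake (client -> server)
    payload: bytes


@dataclass
class Rule:
    sid: int
    msg: str
    content: bytes
    dst_port: Optional[int] = None       # None = any port
    established: Optional[bool] = None   # None = no flow requirement


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.content not in pkt.payload:
        return False
    if rule.dst_port is not None and pkt.dst_port != rule.dst_port:
        return False
    if rule.established is not None and pkt.established != rule.established:
        return False
    return True


def alerts(rules: List[Rule], packets: List[Packet]) -> List[Tuple[int, int]]:
    """(sid, packet index) for every rule/packet pair that fires."""
    return [(r.sid, i) for i, p in enumerate(packets) for r in rules if matches(r, p)]


# Constructed traffic
TRAFFIC = [
    Packet(79, True, b"/W root\r\n"),                       # genuine verbose finger query
    Packet(80, True, b"GET /Widgets/list HTTP/1.1\r\n"),    # HTTP URL that happens to contain "/W"
    Packet(79, False, b"/W root\r\n"),                      # no handshake: spoofed/scanner packet the server never processes
]

RULES = [
    Rule(1000001, "finger /W anywhere (pattern matching)", b"/W"),
    Rule(1000002, "finger /W to port 79", b"/W", dst_port=79),
    Rule(1000003, "finger /W to server on 79, established (stateful)", b"/W",
         dst_port=79, established=True),
]

if __name__ == "__main__":
    for rule in RULES:
        fired = [i for _, i in alerts([rule], TRAFFIC)]
        print(f"sid {rule.sid}: packets {fired}  ({rule.msg})")
```

The content-only rule fires three times, two of them false positives; adding the port removes the HTTP hit; adding the flow requirement removes the half-open packet. Each constraint also narrows what the rule can see, so the trade-off in the false-negative card applies in the other direction.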
|
true statements required for an effective firewall : |
all traffic from inside to outside and vice versa must pass through it, only authorized traffic may pass, and the firewall host itself must be resistant to penetration |
|
types of firewalls : |
stateless packet filtering, stateful packet filtering, application level gateway, hybrid |
|
stateless packet filtering firewall : |
examines packet header information |
|
stateful inspection packet filtering firewall : |
keeps track of communication packets over time |
|
application level gateway firewall : |
operates in the application layer |
|
hybrid firewall : |
uses a combination of other firewalls |
|
firewall topologies : |
simple firewall with one choke, classic firewall, belt and suspenders firewall, dual firewall, multi-homed firewall |
|
simple firewall with one choke : |
1 layer of protection |
|
classic firewall : |
2 layers of protection |
|
belt and suspenders firewall : |
3 layers of protection, DMZ is before firewall |
|
dual firewall : |
4 layers of protection, DMZ between firewalls |
|
multi-homed firewall : |
3 layers of protection, DMZ is on a web server off a separate firewall interface |
|
packet sniffer detection methods : |
local host detection, latency test, ARP method, ping method, DNS queries, LLAPD (local LAPD) |
|
vulnerability identification, retina : |
tells you the problem and how to fix it, but DOES NOT fix the problem |