Cheat Sheet

Description

ceh
Flashcards by Cristian Osvaldo Gómez, updated more than 1 year ago
Created by Cristian Osvaldo Gómez about 2 years ago

Resource summary

Question Answer
5 phases of a penetration test
  1. Reconnaissance
  2. Scanning & Enumeration
  3. Gaining Access
  4. Maintaining Access
  5. Covering Tracks
Attack Types
  - OS: attacks targeting default OS settings
  - App level: application code attacks
  - Shrink Wrap: off-the-shelf scripts and code
  - Misconfiguration: not configured well
RFC 1918: Private IP Standard
RFC 3227: Collecting and storing data (evidence)
ISO 27002: InfoSec Guidelines
CAN-SPAM: email marketing
DMCA: Intellectual Property
GLBA: Personal Finance Data
FISMA: Gov Networks Security Std
CVSS: Common Vulnerability Scoring System
CVE: Common Vulnerabilities and Exposures
Symmetric Encryption: Key pairs required =
Symmetric Algorithms
  - DES: 56-bit key (8-bit parity); fixed block
  - 3DES: 168-bit key; keys ≤ 3
  - AES: 128, 192, or 256; replaced DES
  - IDEA: 128-bit key
  - Twofish: block cipher, key size ≤ 256-bit
  - Blowfish: replaced by AES; 64-bit block
  - RC: incl. RC2 to RC6. 2,040-bit key; RC6 (128-bit block)
Asymmetric Encryption: Public key = encrypt, Private key = decrypt
Asymmetric Algorithms
  - Diffie-Hellman: key exchange, used in SSL/IPsec
  - ECC: Elliptic Curve. Low processing power / mobile
  - ElGamal: != primes, discrete log problem to encrypt/sign
  - RSA: 2 x prime, 4,096-bit. Modern std.
Hash Algorithms
  - MD5: 128-bit hash, expressed as 32 hex digits
  - SHA1: 160-bit hash, required for use in US apps
  - SHA2: 4 separate hashes: 224, 256, 384, 512
Trust Models
  - Web of trust: entities sign certs for each other
  - Single Authority: CA at top. Trust based on the CA itself
  - Hierarchical: CA at top. RAs under it manage certs
  - XKMS: XML PKI system
Cryptography Attacks, Known Plaintext: Search plaintext for repeatable sequences. Compare to t versions.
Cryptography Attacks, Ciphertext-only: Obtain several messages with the same algorithm. Analyze to reveal repeating code.
Cryptography Attacks, Replay: Performed in MITM. Repeat the exchange to fool the system into setting up a comms channel.
Digital Certificate: Used to verify user identity = nonrepudiation
  - Version: identifies format. Common = V1
  - Serial: uniquely identifies the certificate
  - Subject: whoever/whatever is being identified by the cert
  - Algorithm ID: algorithm used
  - Issuer: entity that verifies the authenticity of the certificate
  - Valid from/to: dates the certificate is good through
  - Key usage: shows for what purpose the cert was made
  - Subject's public key: self-explanatory
  - Optional fields: e.g., Issuer ID, Subject Alt Name...
Reconnaissance: Gathering information on targets, whereas footprinting is mapping out at a high level.
Reconnaissance, Google Hacking
  - Operator: keyword; additional search items
  - site: search only within domain
  - ext: file extension
  - loc: Maps location
  - intitle: keywords in title tag of page
  - allintitle: any keywords can be in title
  - inurl: keywords anywhere in URL
  - allinurl: any of the keywords can be in URL
  - incache: search Google cache only
Reconnaissance, DNS: port 53; nslookup (UDP), zone transfer (TCP)
Reconnaissance, DNS Record types
  - Service (SRV): hostname & port # of servers
  - Start of Authority (SOA): primary name server
  - Pointer (PTR): IP to hostname; for reverse DNS
  - Name Server (NS): name servers with namespace
  - Mail Exchange (MX): e-mail servers
  - CNAME: aliases in zone; list multiple services in DNS
  - Address (A): IP to hostname; for DNS lookup
  - DNS footprinting: whois, nslookup, dig
Reconnaissance, TCP Header Flags
  - URG: indicates data being sent out of band
  - ACK: acknowledgement to, and after, SYN
  - PSH: forces delivery without concern for buffering
  - RST: forces comms termination in both directions
  - SYN: initial comms; parameters and sequence #'s
  - FIN: ordered close to communications
Reconnaissance, DHCP
  Client -- Discover --> Server
  Client <-- Offer -- Server
  Client -- Request --> Server
  Client <-- ACK -- Server
  IP is removed from pool
Scanning & Enumeration, ICMP Message Types
  - 0 Echo Reply: answer to type 8 Echo Request
  - 3 Destination Unreachable: no host/network. Codes: 0 destination network unreachable; 1 destination host unreachable; 6 network unknown; 7 host unknown; 9 network administratively prohibited; 10 host administratively prohibited; 13 communication administratively prohibited
  - 4 Source Quench: congestion control message
  - 5 Redirect: 2+ gateways for sender to use, or the best route is not the configured default gateway. Codes: 0 redirect datagram for the network; 1 redirect datagram for the host
  - 8 Echo Request: ping message requesting echo
  - 11 Time Exceeded: packet took too long to be routed
Scanning & Enumeration, CIDR: method of representing IP addresses (IPv4 notation)
  /30 = 4 addresses, mask .255.252
  /28 = 16 addresses, mask .255.240
  /26 = 64 addresses, mask .255.192
  /24 = 256 addresses, mask .255.0
  /22 = 1024 addresses, mask .248.0
  /20 = 4096 addresses, mask .240.0
Scanning & Enumeration, Port Numbers
  - 0 to 1023: well-known
  - 1024 to 49151: registered
  - 49152 to 65535: dynamic
Scanning & Enumeration, Important Port Numbers
  FTP: 20/21; SSH: 22; Telnet: 23; SMTP: 25; WINS: 42; TACACS: 49; DNS: 53; HTTP: 80/8080; Kerberos: 88; POP3: 110; Portmapper (Linux): 111; NNTP: 119; NTP: 123; RPC-DCOM: 135; NetBIOS/SMB: 137-139; IMAP: 143; SNMP: 161/162; LDAP: 389; HTTPS: 443; CIFS: 445; RADIUS: 1812; RDP: 3389; IRC: 6667; Printer: 515, 631, 9100; Tini: 7777; NetBus: 12345; Back Orifice: 27374; Sub7: 31337
Scanning & Enumeration, HTTP status codes
  - 200 series: OK
  - 400 series: could not provide request
  - 500 series: could not process request
Scanning & Enumeration, nmap
  -sA: ACK scan; -sF: FIN scan; -sS: SYN (stealth) scan; -sT: TCP connect scan; -sI: Idle scan; -sn: ping sweep; -sN: NULL scan; -sR: RPC scan; -P0: no ping; -sW: Window scan; -sX: XMAS tree scan; -PI: ICMP ping; -PS: SYN ping; -PT: TCP ping; -oN: normal output; -oX: XML output; -A: OS/version/script detection; -T<0-4>: slow to fast
Scanning & Enumeration, Scan Types
  - TCP: 3-way handshake on all ports. Open = SYN/ACK, Closed = RST/ACK
  - SYN: SYN packets to ports (incomplete handshake). Open = SYN/ACK, Closed = RST/ACK
  - FIN: packet with FIN flag set. Open = no response, Closed = RST
  - XMAS: multiple flags set (FIN, URG, and PSH). Binary header: 00101001. Open = no response, Closed = RST
  - ACK: used for Linux/Unix systems. Open = RST, Closed = no response
  - IDLE: spoofed IP, SYN flag, designed for stealth. Open = SYN/ACK, Closed = RST/ACK
  - NULL: no flags set. Responses vary by OS. NULL scans are designed for Linux/Unix machines.
Scanning & Enumeration, NetBIOS (nbtstat)
  - nbtstat -a COMPUTER 190
  - nbtstat -A 192.168.10.12: remote name table
  - nbtstat -n: local name table
  - nbtstat -c: local name cache
  - nbtstat -r: purge name cache
  - nbtstat -S 10: display session stats every 10 sec
  - 1B == master browser for the subnet
  - 1C == domain controller
  - 1D == domain master browser
Scanning & Enumeration, SNMP: Uses a community string for password. SNMPv3 encrypts the community strings.
Sniffing and Evasion, IPv4 and IPv6: IPv4 == unicast, multicast, and broadcast. IPv6 == unicast, multicast, and anycast. IPv6 unicast and multicast scope includes link local, site local and global.
Sniffing and Evasion, MAC Address: First half = 3 bytes (24 bits) = OUI (Organizationally Unique Identifier). Second half = unique number.
Sniffing and Evasion, NAT (Network Address Translation): Basic NAT is a one-to-one mapping where each internal IP == a unique public IP. NAT overload (PAT) == port address translation; typically used as it is the cheaper option.
Sniffing and Evasion, Stateful Inspection: Concerned with the connections. Doesn't sniff every packet; it just verifies whether it's a known connection, then passes it along.
Sniffing and Evasion, HTTP Tunnelling: Crafting wrapped segments through a port rarely filtered by the firewall (e.g., 80) to carry payloads that may otherwise be blocked.
Sniffing and Evasion, Snort IDS: It has 3 modes: sniffer / packet logger / network IDS. Config file: /etc/snort, or c:\snort\etc
  alert tcp !$HOME_NET any -> $HOME_NET 31337 (msg:"BACKDOOR ATTEMPT-Back-orifice";)
  Any packet from any address != home network, using any source port, intended for an address in the home network on port 31337: send msg.
  Span port: port mirroring
  False Negative: IDS incorrectly reports the stream as clean
Sniffing and Evasion, IDS Evasion Tactics: Slow down OR flood the network (and sneak through in the mix) OR fragmentation
Sniffing and Evasion, tcpdump syntax: tcpdump [flags] -i <interface>
Attacking a System, LM Hashing: 7 spaces hashed: AAD3B435B51404EE
Attack types, Passive Online: Sniffing the wire, intercepting cleartext password / replay / MITM
Attack types, Active Online: Password guessing
Attack types, Active Offline: Steal a copy of the password store, i.e., SAM file. Cracking efforts on a separate system
Attack types, Sidejacking: Steal cookies exchanged between systems and use them to perform a replay-style attack.
Authentication Types
  - Type 1: something you know
  - Type 2: something you have
  - Type 3: something you are
Session Hijacking: Refers to the active attempt to steal an entire established session from a target
  1. Sniff traffic between client and server
  2. Monitor traffic and predict sequence
  3. Desynchronise session with client
  4. Predict session token and take over session
  5. Inject packets to the target server
Kerberos: makes use of symmetric and asymmetric encryption technologies and involves:
  - KDC: Key Distribution Centre
  - AS: Authentication Service
  - TGS: Ticket Granting Service
  - TGT: Ticket Granting Ticket
  Process
  1. Client asks the KDC (which has the AS and TGS) for a ticket to authenticate throughout the network. This request is in clear text.
  2. Server responds with a secret key, hashed by the password copy kept on the AD server (TGT).
  3. TGT is sent back to the server requesting the TGS if the user decrypts it.
  4. Server responds with a ticket, and the client can log on and access network resources.
SAM file: Security Account Manager, C:\Windows\system32\config
Registry: 2 elements make a registry setting: a key (location pointer) and a value (defines the key setting). Root-level keys are as follows:
  - HKEY_LOCAL_MACHINE: info on hardware/software
  - HKEY_CLASSES_ROOT: info on file associations and Object Linking and Embedding (OLE) classes
  - HKEY_CURRENT_USER: profile info on current user
  - HKEY_USERS: user config info for all active users
  - HKEY_CURRENT_CONFIG: pointer to \Hardware Profiles\
  - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
Social Engineering, Human-based attacks
  - Dumpster diving
  - Impersonation
  - Technical support
  - Shoulder surfing
  - Tailgating / piggybacking
Social Engineering, Computer-based attacks
  - Phishing: email scam
  - Whaling: targeting CEOs
  - Pharming: evil twin website
Social Engineering, Types of Social Engineers
  - Insider Associates: limited authorized access
  - Insider Affiliates: insiders by virtue of affiliation that spoof the identity of the insider
  - Outsider Affiliates: non-trusted outsiders that use an access point that was left open
Web-based Hacking
  - CSRF: Cross Site Request Forgery
  - Dot-dot-slash attack: variant of Unicode or unvalidated-input attack
  SQL Injection attack types
  - Union Query: use the UNION command to return the union of the target DB with a crafted DB
  - Tautology: term used to describe the behavior of a DB when deciding if a statement is true
  - Blind SQL Injection: trial and error with no responses or prompts
  - Error-based SQL Injection: enumeration technique. Inject poorly constructed commands to have the DB respond with table names and other information
Web-based Hacking, Buffer Overflow: A condition that occurs when more data is written to a buffer than it has space to store, resulting in data corruption. Caused by insufficient bounds checking, a bug, or poor configuration in the program code.
  - Stack: premise is that all program calls are kept in a stack and performed in order. Try to change a function pointer or variable to allow code execution
  - Heap: takes advantage of memory "on top of" the application (dynamically allocated). Use the program to overwrite function pointers
  - NOP Sled: takes advantage of the instruction called "no-op". Sends a large # of NOP instructions into the buffer. Most IDS protect against this attack.
  Dangerous C functions (do not check the size of destination buffers): gets(), strcpy(), strcat(), printf()
Wireless Network Hacking, Wireless sniffing: A compatible wireless adapter with promiscuous mode is required, but otherwise pretty much the same as sniffing wired.
Wireless Network Hacking, 802.11 Specifications
  - WEP: RC4 with 24-bit IV. Keys are 40 or 104-bit
  - WPA: RC4, supports longer keys; 48-bit IV
  - WPA/TKIP: changes IV each frame and key mixing
  - WPA2: AES + TKIP features; 48-bit IV
Wireless Network Hacking, Bluetooth Attacks
  - Bluesmacking: DoS against a device
  - Bluejacking: sending messages to/from devices
  - Bluesniffing: sniffs for Bluetooth
  - Bluesnarfing: actual theft of data from a device