Term
|
Definition
|
|
Term
DNS Record Type:
A (Host) |
|
Definition
Maps a name to IP address |
|
|
Term
DNS Record Type:
HINFO/SOA (Start of Authority) |
|
Definition
Essential information such as the primary name server for the zone, properties such as expiration, and TTL (Time To Live) |
|
|
Term
DNS Record Type:
SRV (Service) |
|
Definition
Service host name and port number for specific services such as Active Directory |
|
|
Term
DNS Record Type:
PTR (Pointer) |
|
Definition
Used in reverse zone DNS lookups to resolve an IP address to a host name |
|
|
Term
DNS Record Type:
NS (Name Server) |
|
Definition
Identifies name servers in the namespace |
|
|
Term
DNS Record Type:
MX (Mail Exchange) |
|
Definition
|
|
Term
DNS Record Type:
CNAME (Canonical Name or Alias) |
|
Definition
Alias for a server, most commonly for www |
|
|
Term
ICANN
(Internet Corporation for Assigned Names and Numbers) |
|
Definition
Overall management of IP address allocation, domain registrants |
|
|
Term
ARIN
(American Registry for Internet Numbers) |
|
Definition
North/South America, sub-Saharan Africa |
|
|
Term
APNIC
(Asia-Pacific Network Information Centre) |
|
Definition
|
|
Term
RIPE
(Réseaux IP Européens) |
|
Definition
Europe, Middle East, parts of central Asia, Northern Africa |
|
|
Term
LACNIC
(Latin America and Caribbean Network Information Center) |
|
Definition
Latin America and the Caribbean |
|
|
Term
AfriNIC
(African Network Information Center) |
|
Definition
|
|
Term
|
Definition
1. Identify Live Systems
2. Discover Open Ports
3. Identify the OS and services
4. Scan for Vulnerabilities |
|
|
Term
|
Definition
Echo Reply -- Expected answer from a live system to a Type 8 ECHO request |
|
|
Term
|
Definition
|
|
Term
ICMP Message Type:
3 - Error Codes |
|
Definition
0: Destination network unreachable
1: Destination host unreachable
6: Network unknown
7: Host unknown
9: Network administratively prohibited
10: Host administratively prohibited
13: Communication administratively prohibited (Often a firewall filtering ICMP) |
|
|
Term
|
Definition
Source Quench -- Congestion control |
|
|
Term
|
Definition
Redirect -- Indicates more than one route to the destination, and the optimum route is not the configured default gateway
0: Redirect Datagram for the network
1: Redirect Datagram for the host |
|
|
Term
|
Definition
Echo Request -- A typical ping message |
|
|
Term
|
Definition
Time Exceeded -- Packet took too long to be routed to the destination
Code 0: TTL expired |
|
|
Term
What are the Well-Known Ports? |
|
Definition
TCP Ports 0-1023
UDP Ports 0-1023
Generally reserved for specific services; many are obscure, but they should still not be selected arbitrarily |
|
|
Term
What are the Registered Port Numbers? |
|
Definition
TCP Ports 1024-49151
UDP Ports 1024-49151 |
|
|
Term
What are the Unregistered Port Numbers? |
|
Definition
TCP Ports 49,152 - 65,535
UDP Ports 49,152 - 65,535 |
|
|
Term
What port does FTP use and what is it for? |
|
Definition
FTP uses port number 21 for both TCP and UDP and is used for file transfer |
|
|
Term
What port does SSH use and what is its purpose? |
|
Definition
SSH uses port 22 and is for secure, encrypted connections that protect against sniffing - e.g., tunnelling telnet via SSH prevents plaintext sniffing of telnet credentials |
|
|
Term
What port does Telnet use and for what purpose? |
|
Definition
Telnet uses port 23 and is for remote management of an operating system or network device such as a router or PC |
|
|
Term
What port does SMTP use and for what purpose? |
|
Definition
SMTP uses port 25 to send mail
(Simple Mail Transfer Protocol) |
|
|
Term
What port does DNS use and for what purpose? |
|
Definition
DNS uses port 53 for both UDP and TCP and is used for DNS zone transfers
(Domain Name Server) |
|
|
Term
What port does DHCP use and for what purpose?
Is DHCP used with TCP or UDP? |
|
Definition
DHCP uses UDP port 67 and is used for automatic IP configuration of DHCP network clients
(it picks the IP addresses for you via port 67) |
|
|
Term
What port does TFTP use and for what purpose?
Is TFTP used with TCP or UDP? |
|
Definition
TFTP uses UDP port 69 and is a fast method to transfer files on a local network |
|
|
Term
What port does HTTP use and for what purpose? |
|
Definition
HTTP uses TCP port 80 and is the protocol of web browsers |
|
|
Term
What port does POP3 use and for what purpose? |
|
Definition
POP3 uses TCP port 110 and is used to receive Internet e-mail |
|
|
Term
What port does RPC use and for what purpose? |
|
Definition
RPC uses TCP port 135 and is used as a connection to administer a remote computer
(Remote Procedure Call) |
|
|
Term
What port does NetBIOS use and for what purpose? |
|
Definition
NetBIOS uses TCP and UDP ports 137-139 and is primarily a Microsoft method to communicate over the network |
|
|
Term
What port does IMAP use and for what purpose? |
|
Definition
IMAP uses TCP port 143 and is used to receive Internet e-mail; it has more flexibility than POP3 |
|
|
Term
What port does SNMP use and for what purpose? |
|
Definition
SNMP uses UDP ports 161 & 162 and is used to request and receive network device status and error messages
(Simple Network Management Protocol) |
|
|
Term
What port does LDAP use and for what purpose? |
|
Definition
LDAP uses TCP & UDP port 389 and is required to access Active Directory services |
|
|
Term
What port does HTTPS use and for what purpose? |
|
Definition
HTTPS uses TCP port 443 and is used to secure Internet communication to protect data and ensure integrity |
|
|
Term
What port does SMB use and for what purpose? |
|
Definition
SMB uses TCP port 445 and is primarily a Windows method to make shared resources available to the network
(Server Message Block) |
|
|
Term
What is SMB (Server Message Block)? |
|
Definition
An application-layer network protocol mainly used for providing shared access to files, printers, serial ports, and miscellaneous communications between nodes on a network |
|
|
Term
What is the TCP Header Flag SYN?
Give the Decimal and Hex Equivalent as well as a Description. |
|
Definition
SYN means Synchronize
Decimal Equivalent = 2
Hex Equivalent = 0x02
Set on initial communication, and specifies negotiation of parameters and sequence numbers |
|
|
Term
What is the TCP Header Flag ACK?
Give the Decimal and Hex Equivalent as well as a Description. |
|
Definition
ACK means Acknowledge
Decimal Equivalent = 16
Hex Equivalent = 0x10
Response to inbound SYN flag, and included on all segments after the initial SYN |
|
|
Term
What is the TCP Header Flag SYN/ACK?
Give the Decimal and Hex Equivalent as well as a Description. |
|
Definition
SYN/ACK means Synchronization has been Acknowledged
Decimal Equivalent = 18
Hex Equivalent = 0x12
Add 2 + 16 = 18 |
|
|
Term
What is the TCP Header Flag PSH?
Give the Decimal and Hex Equivalent as well as a Description. |
|
Definition
PSH means Push
Decimal Equivalent = 8
Hex Equivalent = 0x08
Forces data delivery regardless of buffering |
|
|
Term
What is the TCP Header Flag RST?
Give the Decimal and Hex Equivalent as well as a Description. |
|
Definition
RST means Reset
Decimal Equivalent = 4
Hex Equivalent = 0x04
Terminates communication in both directions |
|
|
Term
What is the TCP Header Flag URG?
Give the Decimal and Hex Equivalent as well as a Description. |
|
Definition
URG means Urgent
Decimal Equivalent = 32
Hex Equivalent = 0x20
Data is sent out-of-band |
|
|
Term
What is the TCP Header Flag FIN?
Give the Decimal and Hex Equivalent as well as a Description. |
|
Definition
FIN means Finish
Decimal Equivalent = 1
Hex Equivalent = 0x01
Graceful close to communication |
|
|
Term
What is the TCP Header Flag XMAS?
Give the Decimal and Hex Equivalent as well as a Description. |
|
Definition
XMAS means Christmas
Decimal Equivalent = 41
Hex Equivalent = 0x29
Called XMAS because the SYN/PUSH/URG flags are all lit (like a Christmas tree; very noisy) |
|
|
Term
What does the nmap switch -sP mean? |
|
Definition
This is a Ping Sweep and is very noisy and easily detectable. It only detects live hosts, and is easily blocked by firewalls including Windows Firewall |
|
|
Term
What does the nmap switch -sA mean? |
|
Definition
This is an ACK scan and is used to determine firewall rulesets, whether they are stateful, and which ports are filtered |
|
|
Term
What does the nmap switch -sT mean? |
|
Definition
This is a TCP Connect Scan; open ports respond with SYN/ACK, closed ports respond with a RST/ACK |
|
|
Term
What does the nmap switch -sS mean? |
|
Definition
This is a SYN scan, AKA Stealth or Half-open Scan; open ports respond with SYN/ACK and then nmap sends a RST. Closed ports respond with a RST/ACK |
|
|
Term
What does the nmap switch -sF mean? |
|
Definition
This is a FIN scan, AKA Inverse scan. If a RST is received, the port is closed. If there is no response, the port is open or filtered. The port is marked filtered if an ICMP unreachable error code is received (type 3 code 1, 2, 3, 9, 10, or 13) |
|
|
Term
What does the nmap switch -sX mean? |
|
Definition
This is an XMAS scan. If a RST is received, the port is closed. If there is no response, the port is open or filtered. The port is marked filtered if an ICMP unreachable error code is received (type 3 code 1, 2, 3, 9, 10, or 13) |
|
|
Term
What does the nmap switch -sN mean? |
|
Definition
This is a NULL scan; responses vary depending on the operating system. Null scans are designed for UNIX/Linux operating systems |
|
|
Term
What does the nmap switch -sI mean? |
|
Definition
This is an IDLE scan, AKA Side-Channel Scan. It uses a spoofed IP address to prompt responses to a scan that are sent back to the spoofed address. This scan can be somewhat complex; look here for specific details: http://nmap.org/book/idlescan.html |
|
|
Term
|
Definition
This scan is pretty noisy and many IDS (Intrusion Detection Systems) will detect it. This scan only detects whether the host is up, which is one of the first necessary steps in scanning. The "-n" avoids DNS name resolution for the IP address to accelerate the scan.
Side Note: You can add "--packet_trace" to any of these nmap commands to see specific details of the scan in progress
e.g.:
nmap -sP -n -vv <target> |
|
|
Term
|
Definition
Most popular services use TCP. This scan attempts a full connection (SYN, SYN/ACK, ACK). This type of scan is fast and the most reliable, but not stealthy
nmap -sT -P0 -vv <target>
The -P0 is useful to avoid sending a ping first. |
|
|
Term
|
Definition
Scan for services on UDP such as DNS, SNMP, and DHCP (53, 161/162 and 67/68). This type of scan is somewhat slow
nmap -sU -P0 -vv <target> |
|
|
Term
|
Definition
Uses reverse lookups for a range of targets. Useful to confirm that scanned hosts are in the intended network
nmap -sL -vv <target> |
|
|
Term
|
Definition
(Half-Open Scan) Stealthy because no 3-way handshake takes place. Many IDS only register events on full connections. Closed ports reply with RST. Open ports reply with SYN/ACK and then nmap sends back a RST to tear down the connection.
nmap -sS -vv <target> |
|
|
Term
|
Definition
Also stealthy, and more successful against some firewalls that are configured to watch for SYN scans to restricted ports. Unfortunately, most Windows systems will send a RST regardless of whether the port is open or closed |
|
|
Term
|
Definition
FIN, URG, and PUSH flags are all on. XMAS scans work best on Linux but not so much on Windows. Try FIN and XMAS by trial and error to see which one succeeds |
|
|
Term
|
Definition
Sometimes useful against stateful packet inspection firewalls. A NULL header on a packet gives the SPI nothing to inspect, so it might pass successfully |
|
|
Term
|
Definition
Circumvents packet filtering firewalls. The firewall has to accept all ACK packets if it does not have a state table to track SYNs. |
|
|
Term
|
Definition
Moves the hard drive boot sector to another location, allowing the virus to load first. Removal usually requires fdisk or MBR repair and then restoration of the drive from a known-good backup. |
|
|
Term
|
Definition
Wraps around application code so that it executes prior to the actual legitimate application. Especially dangerous to AV software, because if it is attached to the AV it can execute and immediately shut down the AV software so that the virus continues undetected |
|
|
Term
|
Definition
Multiple attack vectors, usually including one or more files and the boot sector |
|
|
Term
|
Definition
Usually infects Microsoft Office template files such as Word and Excel. Written in Visual Basic for Applications |
|
|
Term
|
Definition
A virus that constantly changes its signature, making it difficult for AV products to detect. Heuristic detection helps with this |
|
|
Term
|
Definition
Similar to Polymorphic, except that it rewrites every time it infects a new file instead of constantly changing |
|
|
Term
|
Definition
Might not do any real damage, and is usually a prank that could rename a title bar or change an interface item. Also known as a defacement virus |
|
|
Term
TCP Wrappers use what TCP port? |
|
Definition
|
|
Term
What TCP port does the Trojan Doom use? |
|
Definition
|
|
Term
What TCP port does the Trojan Snipernet use? |
|
Definition
|
|
Term
What TCP port does the Trojan Tini use? |
|
Definition
|
|
Term
What TCP port does the Trojan WinHole use? |
|
Definition
|
|
Term
What TCP port does the Trojan RAT use? |
|
Definition
|
|
Term
What TCP port does the Trojan SpySender use? |
|
Definition
|
|
Term
What TCP port does the Trojan Deep Throat use? |
|
Definition
|
|
Term
What TCP port does the Trojan NetBus use? |
|
Definition
|
|
Term
What TCP port does the Trojan Whack a Mole use? |
|
Definition
|
|
Term
What TCP port does the Trojan Back Orifice use? |
|
Definition
|
|
Term
What are the three different types of Rootkits? |
|
Definition
Application-Level
Kernel-Level
Library-Level |
|
|
Term
What is an Application-Level Rootkit? |
|
Definition
Replaces legitimate application or OS files with replacements that include rootkit binaries. In this respect, they are also Trojans. |
|
|
Term
What does a Kernel-level rootkit do? |
|
Definition
Attacks the boot sector and critical OS files. Kernel-level OS files are replaced with rootkit-infected code. This type is the most threatening and the most difficult to detect and remove |
|
|
Term
What is a Library-Level Rootkit? |
|
Definition
Uses system-level calls to conceal itself |
|
|
Term
What can you type in Windows Command Prompt to show connections and listening ports? |
|
Definition
|
|
Term
What can you see if you can access the SPAN port on a switch? |
|
Definition
all of the network traffic |
|
|
Term
What kind of Hash does Windows NTLMv2 use? |
|
Definition
|
|
Term
What is The Onion Network (TOR) for? |
|
Definition
This is a method of concealing identity online. Client software routes Internet traffic through routers provided by volunteers, making it very difficult to trace back |
|
|
Term
When using Basic Authentication on Web Servers, how is the data sent over the network? |
|
Definition
|
|
Term
What is an example of a Buffer Overflow statement? |
|
Definition
If (I>=300) then exit (1) |
|
|
Term
|
Definition
This effectively allows a hacker to perform operations on a database including changing, extracting, or deleting data. |
|
|
Term
When you see "../../../" what does this mean? |
|
Definition
|
|
Term
When starting a SQL Injection attack what would you start the line with? |
|
Definition
' or 1=1, because the evaluation of 1=1 is always true
Single quote is the key item to look for in SQL Injection |
|
|
Term
How many bits is Twofish? |
|
Definition
|
|
Term
How many bits is Blowfish? |
|
Definition
32- to 448-bit key
public domain
very fast
largely replaced by AES |
|
|
Term
How many bits is IDEA?
(International Data Encryption Agency) |
|
Definition
128-bit key
Originally used in Pretty Good Privacy (PGP)
Mostly used in Europe |
|
|
Term
How many bits is Rivest Cipher (RC)? |
|
Definition
RC4 - 40 to 256 bits
Often used in SSL and WEP; several vulnerabilities
RC5 - Variable block size: 32, 64, or 128 bits
up to 2040-bit key
generally 64-bit block, 128-bit key, 12 rounds -- brute force may take up to 90 years on a 72-bit key
RC6 - Block size 128 bits
Key size: 128, 192, or 256 bits
Interweaves two parallel RC5 encryption processes |
|
|
Term
How many bits is DES?
(Digital Encryption Standard) |
|
Definition
56-bit key
Not considered secure, rarely used |
|
|
Term
|
Definition
168-bit key
Uses up to three keys in multiple encryption
Slower than DES but more effective |
|
|
Term
How many bits is AES?
(Advanced Encryption Standard) |
|
Definition
Key lengths 128, 192, or 256
Replaces DES & 3DES; more secure and also much faster |
|
|
Term
What are the Symmetric Algorithms? |
|
Definition
Twofish
Blowfish
IDEA
RC
DES
3DES
AES |
|
|
Term
What are the Asymmetric Algorithms? |
|
Definition
Diffie-Hellman
Elliptic Curve Cryptosystem (ECC)
RSA (Rivest, Shamir, Adleman - founders of RSA) |
|
|
Term
|
Definition
Diffie-Hellman is an asymmetric algorithm and key exchange protocol, used in SSL and IPSec |
|
|
Term
What is Elliptic Curve Cryptosystem (ECC)? |
|
Definition
Involves points on an elliptic curve and logarithmic calculations
Used for encryption and signatures
Favored for mobile devices (Uses less processing)
Side Note: Cracked with 200 PS3 game consoles in July 2009 and 2600 computers running for 17 months in April 2004 |
|
|
Term
|
Definition
Basis of public/private keys for encryption and decryption, strong encryption using 2 large prime numbers
Key sizes are up to 4096 bits
accepted as the current standard |
|
|
Term
What are the Hashing Algorithms? |
|
Definition
|
|
Term
|
Definition
|
|
Term
|
Definition
|
|
Term
|
Definition
Four separate hash functions producing outputs of 224, 256, 384, and 512 bits |
|
|
Term
How many bits does Syskey use? |
|
Definition
|
|
Term
Wireless type 802.11a gives what radio frequency, range and bandwidth? |
|
Definition
5GHz frequency
50 meter range
up to 54 Mbps |
|
|
Term
Wireless type 802.11b gives what radio frequency, range and bandwidth? |
|
Definition
2.4 GHz Frequency
100 meter range
11 Mbps |
|
|
Term
Wireless type 802.11g gives what radio frequency, range and bandwidth? |
|
Definition
2.4 GHz frequency
100 meter range
54 Mbps |
|
|
Term
Wireless type 802.11n gives what radio frequency, range and bandwidth? |
|
Definition
2.4 & 5 GHz frequency
100 meter range
108-250 (MIMO) Mbps |
|
|