Cyber Security and Kill Chain Overview
45 Questions


Questions and Answers

Phishing emails and text messages never claim there's a problem with your account or payment information.

False (B)

Which of these is NOT a method used when scanning a network?

  • Password cracking (correct)
  • Checking for listening ports
  • Checking for live systems
  • Grab banners

A TCP connect scan attempts to complete a ______ with the target.

three-way handshake

What does the acronym NMAP stand for?

Network Mapper

Match the network scanning techniques with their respective descriptions:

  • TCP Connect Scan = Attempts to complete a three-way handshake with the target.
  • XMAS Scan = Uses a packet with FIN, PSH, and URG flags set to 1.
  • FIN Scan = Sends a TCP segment with the FIN flag set.

Which tool is a commercial vulnerability scanner?

Tenable Nessus (B)

What does HPing do?

It extends ping to support TCP, UDP, ICMP, and Raw IP, enabling advanced network testing and diagnostics.

Scanning network is the use of a computer system to systematically probe a target network to gather information about systems.

True (A)

Which of these protocols are known to transmit usernames and passwords in plain text?

Telnet, POP, IMAP, SMTP, NNTP, FTP, HTTP (D)

LDAP enumeration involves identifying and exploiting vulnerabilities in Lightweight Directory Access Protocol.

True (A)

What is the primary purpose of the SNMP protocol?

SNMP (Simple Network Management Protocol) is used for monitoring and managing network devices. It allows administrators to collect data about network devices and their performance, configure settings, and troubleshoot issues.

The process of capturing and analyzing network traffic is called ______.

sniffing

Match the enumeration countermeasures with their corresponding protocol:

  • Silently ignore unknown recipients = Email
  • Disable Zone Transfer = DNS
  • Use SNMPv3 with authentication = SNMP
  • Authenticate queries to only domain users = LDAP

DHCP starvation attacks involve flooding the network with DHCP requests, preventing legitimate devices from obtaining IP addresses.

True (A)

Which of the following tools is typically used for managing Active Directory domains?

AD Domain Services mgmt pack (A)

What are two security measures that can be implemented to mitigate the risk of SNMP vulnerabilities?

Two security measures include using SNMPv3 with authentication and changing the default community name. SNMPv3 provides strong authentication and encryption, while using a unique community name prevents unauthorized access.

To scan for hosts in the network using Ettercap, you should go to Host >> ______.

scan for Host

When installing Ettercap, it's recommended to select all available plugins for optimal functionality.

True (A)

Which of the following tools can be used for ARP poisoning attacks?

Ettercap (B)

Which of the following steps is NOT required to perform ARP poisoning in Ettercap?

Click "Log all packets and infos" under "Logging". (E)

ARP poisoning attacks only affect the victim's device and not the network.

False (B)

What is the purpose of using the "Host >> save to file" option in Ettercap?

To save the list of scanned hosts to a file for later use.

Match the following Ettercap menu options with their corresponding functions:

  • Sniff >> Unified Sniffing = Captures all network traffic on the selected interface.
  • Host >> Host List = Displays a list of scanned hosts on the network.
  • MitM >> ARP Poisoning = Performs ARP poisoning on selected targets.
  • Logging >> Log all packets and infos = Enables detailed logging of all network traffic and information.

What is the primary function of ARP?

Address Resolution Protocol (ARP) maps Layer 2 MAC addresses to Layer 3 IP addresses.

To start capturing network traffic between two machines, which of the following steps should be performed in Ettercap?

  • Click "Target" >> "Current target". (A)
  • Click "Start" >> "Start sniffing". (E)
  • Click "MitM" >> "ARP Poisoning". (F)

A poisoned ARP cache can lead to _______ of data.

sniffing

Match the following countermeasures with the corresponding security attack:

  • Subnet based monitoring of MAC address changes = ARP poisoning
  • Dynamic ARP inspection = Spoofing
  • DHCP snooping = DNS poisoning
  • IP source guard = ARP poisoning

Performing ARP poisoning allows you to intercept network traffic between two machines, including potentially sensitive information.

True (A)

Why is it important to add two IP addresses to Target 1 and Target 2 when attempting to capture username and password information?

To perform a Man-in-the-Middle attack, intercepting communication between two specific targets.

Which of the following is NOT a recommended security measure for a wireless network?

Use WEP encryption (A)

To change the default username and password for a router or access point, you should access the router's ______ interface.

administration

Disabling SSID broadcasts will make your wireless network completely invisible to other devices.

False (B)

What is the purpose of a firewall and an intrusion detection system (IDS) on a network?

A firewall acts as a barrier to block unauthorized access to your network, while an IDS detects malicious activity and alerts you to potential security threats.

Match the following tools with their primary functions:

  • Httrack = Cloning websites
  • Havij = Automatic SQL injection tool
  • Acunetix = Web vulnerability scanner

Which of the following steps is NOT involved in using Havij to access a database?

Check the desired table and click 'Get DBs' (B)

When using Httrack to clone a website, you can save the cloned website to a local folder on your computer, typically in a directory called ______.

My Web Sites

It is recommended to use identifying information like your name or address in your wireless network SSID.

False (B)

Which of the following tools can be used to capture and analyze network traffic for security purposes?

All of the above (D)

A malicious browser extension can potentially capture data from form fields, inject Javascript, exfiltrate data, and hijack authenticated sessions.

True (A)

The MITRE ATT&CK framework helps security professionals understand and analyze the phases of an attack, which includes: Reconnaissance, [BLANK], Lateral Movement, C2 and Exfiltration.

Initial Access

What is the primary function of Wireshark in cybersecurity?

Network analysis and troubleshooting

Match the following security countermeasures with their corresponding categories:

  • Think before you click = Session Hijacking Counter Measures
  • Disable insecure HTTP = Web Server Security
  • Patch webservers for vulnerabilities = Web Server Security
  • Use logout functions = Session Hijacking Counter Measures
  • Probe systems, pen testing = Web Server Security
  • Clear browser history, cache and cookies = Session Hijacking Counter Measures

Which of the following are indicators of compromise (IoCs) that can be observed in network traffic?

All of the above (E)

Session IDs, if not using TLS, are always encrypted and secure.

False (B)

What is the primary purpose of using TLS (Transport Layer Security) in web server security?

To encrypt communication between client and server

Flashcards

Installing Ettercap

Choose all plugins during installation and proceed with directory selection.

Unified Sniffing

A method in Ettercap to capture network traffic on a selected interface.

Host List

A feature in Ettercap to view hosts discovered on the network.

Scanning for Hosts

The process of searching for devices on the network in Ettercap.

Saving Host List

The action of storing discovered hosts into a file for later reference.

ARP Poisoning

A technique used to intercept network traffic between devices by manipulating ARP cache.

Logging Packets

The practice of recording traffic data during sniffing sessions in Ettercap.

Man-in-the-Middle (MitM) Attack

An interception strategy where an attacker can monitor or alter communication between two parties.

Machine in the Middle Attack

An attack where the intruder intercepts communication between two parties.

Port-Security

A Cisco feature that limits the number of MAC addresses on a port.

DNS Poisoning

An attack that corrupts DNS cache, redirecting traffic to malicious sites.

Dynamic ARP Inspection (DAI)

A Cisco feature that validates ARP packets to prevent spoofing.

DHCP Snooping

A security feature that protects against rogue DHCP servers.

Sniffing Tools

Software used to capture and analyze network traffic.

ARP Cache

A table that maps IP addresses to MAC addresses within a network.

SNMP Scanner

A tool used to discover and monitor devices on a network via SNMP.

LDAP

Lightweight Access Protocol for directory services, operates over TCP/IP.

LDAPs

Secure version of LDAP that uses encryption over TCP/638.

Sniffing

The process of capturing and analyzing network traffic.

DHCP

Dynamic Host Configuration Protocol that assigns IP addresses to devices.

DHCP Starvation

An attack that exhausts available IP addresses by spoofing requests.

Plain Text Protocols

Protocols where usernames and passwords are transmitted unencrypted.

Encryption

The process of converting information into a secure format to prevent unauthorized access.

SSID Change

Change the default SSID for your router or access point.

Router Security

Change the default username and password for your router/AP.

SSID Broadcasts

Disabling SSID broadcasts hides your network from casual observers.

MAC Address Filtering

Allows only specified devices to connect to your network.

WPA3/WPA2 Security

Use WPA3 or WPA2 for secure Wi-Fi; avoid WEP due to poor security.

Havij Tool

An automatic SQL injection tool for retrieving data from databases.

HTTrack

A tool to clone websites for offline browsing.

Firewall and IDS

Use firewalls and Intrusion Detection Systems to protect your network.

Malicious Javascript

JavaScript that has harmful effects on users or systems.

Session Hijacking

Unauthorized access or control over a user's session.

Machine in the Middle (MitM)

An attack where an attacker intercepts communications between two parties.

Countermeasures for Session Hijacking

Strategies to prevent unauthorized access to a session.

Wireshark

A tool used for monitoring and analyzing network traffic.

Indicators of Compromise (IoCs)

Piece of evidence that suggests a breach or network compromise.

TLS (Transport Layer Security)

A protocol that ensures privacy and data integrity between applications.

Attack Patterns

Commonly observed actions taken by attackers during a cyber incident.

Phishing

Fraudulent attempts to obtain sensitive information via fake messages.

Scanning Network

Systematic probing of a target network to gather information about systems.

Vulnerability Scanning

Process of identifying weaknesses in a system through tools.

Metasploit

A framework used for penetration testing and vulnerability assessment.

TCP Connect Scan

A scan that tries to complete a TCP handshake to identify open ports.

Xmas Scan

A scan using TCP flags that can identify open ports based on responses.

FIN Scan

A scan sending TCP packets with FIN flags to identify listening services.

Study Notes

Cyber Security

• Cyber security is the application of technologies, processes, and controls to protect systems, networks, programs, devices, and data from cyber attacks. Its goal is to reduce unauthorized exploitation.
• Cyber security practices defend computers, servers, mobile devices, electronic systems, networks, and data from malicious attacks. Key aspects include confidentiality, integrity, and availability (CIA). A common attack is denial-of-service (DoS).
• Data Forensics Incidence Response (DFIR) is vital in cyber security. This involves a Security Operations Center (SOC) where analysts monitor various systems for incidents.

Cyber Kill Chain

• The cyber kill chain, developed by Lockheed Martin, is crucial to understand.
• Attack.mitre.org provides a framework that helps in understanding the Tactics, Techniques, and Procedures (TTPs) used in attacks.
• Discovery and account discovery are sub-techniques often used by attackers.
• Helpful for understanding attack patterns.

Helpful Websites

• pentest-standard.org
• owasp.org/index.php/OWASP_Testing_project
• nvlpubs.nist.gov/nistpubs/legacy/SP/nistspecialpublicationsw-115.pdf
• isecom.org/research

Intelligence Gathering

• Reconnaissance uses passive and active methods and publicly available data.
• Create attack maps, possibly from a network diagram, based on the gathered information.
• Vulnerability analysis uses tools and methods to find vulnerabilities.

Footprinting

• The initial step in tracking, known as reconnaissance.
• Attack.mitre.org is a useful resource for techniques.
• Active/passive reconnaissance techniques are described.

Email Footprinting

• Tools and techniques for email analysis in penetration testing and intelligence gathering.
• Email addresses are identified based on a domain.

Whois and DNS Footprinting

• Used to gather information about an organization.
• Techniques for using Linux terminal tools like whois and nslookup.

Network Footprinting

• Finding information about networks using tools like host and nmap.

Network Scanning Methodologies

• Explores different network scanning methods, like TCP SYN scans, UDP scans, aggressive scans, and OS detection.

Scanning Tools

• Metasploit, Nmap, PRTG Network Monitor, and Softperfect Network Scanner are mentioned as examples for network scanning and vulnerability scanning.

Vulnerability Scanning Tools

• Metasploit, Tenable Nessus (commercial), and QualysGuard (commercial) are examples of vulnerability scanners.

Phishing

• Internet fraudsters attempt to steal personal or financial information by sending deceptive messages.

Steganography

• Steganography is the practice of hiding secret data within ordinary files (e.g., images).
• It is used to conceal messages, often in an attempt to avoid detection.

Denial of Service (DoS) Attacks

• Purposeful attacks on a network or resources to prevent authorized access.
• Techniques include volumetric attacks (flooding with requests), protocol attacks (like SYN floods), and application attacks (overloading an application with requests).

Botnets

• A network of compromised hosts running automated tasks through remote command and control.

Session Hijacking

• Stealing or predicting a valid session token to gain unauthorized access to a web server.

Identity Theft

• Stealing personal information to commit fraud.
• Using stolen information for various fraudulent activities.

Social Engineering

• Manipulation techniques exploiting human error to gain access or other desired outcomes.
• Includes scams based on social interactions, manipulation, and exploiting user behavior.

SQL Injection

• Malicious SQL statements inserted into an entry field for execution.
• Exploiting vulnerabilities in database-driven applications.
• A code injection technique aimed at database applications.


Related Documents

Cyber Security Note PDF

Description

This quiz covers essential aspects of cyber security, including its definition, objectives, and the vital role of Data Forensics Incidence Response (DFIR). Additionally, it explores the Cyber Kill Chain framework and Tactics, Techniques, and Procedures (TTPs) used in cyber attacks. Test your knowledge on these critical concepts in protecting against cyber threats.
