Untitled Quiz

Questions and Answers

What is the primary function of Nmap?

  • Creating network diagrams
  • Monitoring network traffic in real time
  • Mapping and reconnaissance of networks (correct)
  • Encrypting network communications

Which tool is designed specifically for vulnerability scanning?

  • L0phtCrack
  • Tripwire
  • SuperScan
  • Nessus (correct)

Which of the following tools is known for assessing IT configurations against internal policies?

  • Tripwire (correct)
  • GFI LANguard
  • Nmap
  • Metasploit

What type of scan does Nmap perform that is harder to detect by the target host?

Stealth scanning (D)

Which software tool can also run queries like whois and traceroute?

SuperScan (A)

What is the primary purpose of SIEM in an enterprise setting?

Real-time reporting and long-term analysis of security events (C)

Which of the following tools is primarily focused on password auditing?

L0phtCrack (A)

What is the main purpose of penetration testing?

To simulate an attacker's methods with permission (D)

Why is it important to consider the evolution of network testing tools?

Tools can become legacy and less effective over time (D)

Which type of testing allows the tester to have no knowledge of the system?

Black box testing (B)

Which of the following phases involves establishing the rules of engagement?

Planning (B)

What distinguishes gray box testing from black box testing?

Gray box testing is partially known environment (C)

Which testing method is the most time-consuming and expensive?

White box testing (A)

What technique is employed during the Discovery phase of penetration testing?

Conducting reconnaissance (C)

Why is penetration testing considered a part of ethical hacking?

It simulates attacks to improve security (A)

What is 'foot printing' in the context of penetration testing?

Utilizing public sources for information gathering (C)

What purpose does the Layer 3 port scanning feature serve in Nmap?

Identifying Layer 3 protocol support on a host (A)

How does Nmap help in masking the source of a scan?

By using decoy hosts on the same LAN as the target host (D)

In what environment can Nmap operate?

UNIX, Linux, Windows, and OS X (B)

Which of the following is NOT a feature of SuperScan version 4?

Protocol analysis on Layer 2 (C)

What is a primary function of Security Information Event Management (SIEM) technology?

To provide real-time reporting and long-term analysis of security events (A)

What type of scanning methods does SuperScan support?

TCP Syn scanning and UDP scanning (B)

What limitation do network testing tools like Nmap and SuperScan have?

They cannot prepare for every potential security issue. (C)

What administrative privilege is necessary for using SuperScan?

Administrator privileges (A)

What is the primary purpose of operations security in network security testing?

To ensure day-to-day secure practices are in place (D)

Which phase is NOT part of the penetration testing process?

Monitoring (C)

Which of the following tools is primarily used for port scanning?

Nmap (A)

What is the main goal of a penetration test?

To simulate real attack methods for security evaluation (A)

Which tool is known for forensic analysis and aggregation of security data?

SIEM (A)

During which stage of network security testing is vulnerability scanning typically performed?

Operational stage (D)

Which term describes the process of reviewing logs as part of security testing?

Log review (A)

What is the objective of vulnerability scanning?

To identify and address weaknesses in a system (C)

What is the primary function of a vulnerability scanner?

To assess computers and networks for weaknesses. (D)

Which of the following best describes sniffing?

Examining network traffic regardless of the destination. (A)

What distinguishes intrusive scans from other types of vulnerability scans?

They attempt to exploit vulnerabilities. (A)

Which command line tool is typically used for network diagnostics?

Netcat (B)

Why is physical security important in network security?

It prevents unauthorized access to critical systems. (A)

What role do SIEM systems play in network security?

They aggregate log data from multiple sources. (A)

What is a credentialed scan in vulnerability assessment?

A scan providing authorized access through usernames and passwords. (A)

Which of the following tools is NOT categorized as a vulnerability scanner?

Wireshark (A)

What does the command 'tracert' help to determine?

It traces the route a packet takes to a destination. (D)

Which command is specifically aimed at troubleshooting NetBIOS name resolution issues?

nbtstat (C)

One of the primary functions of a SIEM system is to:

Identify internal and external threats. (D)

What is one of the capabilities of 'nmap'?

Locate network hosts and detect services. (A)

What does the command 'netstat' provide information about?

It shows ports a computer is listening on and active connections. (A)

Which statement describes a function of SIEM systems?

Generate alerts when potential security issues are detected. (A)

What is the primary purpose of the 'arp' command?

Map known MAC addresses to their associated IP addresses. (D)

The function of 'hping' includes which of the following?

Assemble and analyze packets for various network tasks. (B)

Flashcards

arp

A utility that maps MAC addresses to IP addresses.

tracert/traceroute

Traces the route a packet takes to a destination.

nslookup/dig

Queries a DNS server to troubleshoot DNS issues.

netstat

Displays open ports and active connections on a computer.

nbtstat

Used for troubleshooting NetBIOS name resolution problems in Windows.

nmap

Used for security auditing. Locates hosts, detects OSes, and identifies network services.

netcat (nc)

Gathers information from network connections.

hping

Assembles and analyzes network packets; used for scanning/testing.

Nmap/Zenmap

Network mapping tool to discover computers and their services on a network.

SuperScan

Port scanning software to identify open TCP/UDP ports and running services.

SIEM

Security Information and Event Management system for real-time and long-term security event analysis.

GFI LANguard

Network and security scanner identifying vulnerabilities.

Tripwire

Assesses IT configurations against policies, compliance, and best practices.

Nessus

Vulnerability scanning tool, focusing on remote access, misconfigurations, and DoS.

L0phtCrack

Password auditing and recovery application.

Metasploit

Tool for vulnerability information, penetration testing, and IDS signature development.

OS Fingerprinting

Identifying the operating system of a remote computer.

Layer 3 Port Scanning

Nmap feature that identifies network protocols supported by a host, e.g. GRE, OSPF.

Port Scanning

Identifying open ports on a computer or network device to assess vulnerabilities.

Security Information Event Management (SIEM)

A technology for real-time security event reporting and long-term analysis.

Penetration Testing

Evaluating a system's security by simulating attacks.

Network Vulnerabilities

Weaknesses in a network that could be exploited by attackers if they know how to use those techniques.

Vulnerability Testing

A process that identifies potential security weaknesses in a system or network but does not attempt to exploit them.

Ethical Hacking

Using hacking techniques for legal and authorized purposes, often to assess security vulnerabilities.

Black Box Testing

A penetration testing method where the tester has no prior knowledge of the system's inner workings.

Gray Box Testing

A penetration testing method where the tester has limited knowledge of the system.

White Box Testing

A penetration testing method where the tester has full knowledge of the system's inner workings.

Penetration Testing Phases

The stages involved in conducting a penetration test: Planning, Discovery, Attack, Reporting.

Discovery Phase

Gathering information about the target system to identify potential attack vectors.

What is Network Sniffing?

Network sniffing is the process of capturing and examining network traffic, which can reveal sensitive information like passwords or confidential data. It's like eavesdropping on a conversation.

How can Sniffing be Used?

Network sniffing can be used for malicious purposes (like stealing data) or for legitimate network troubleshooting and security analysis by network administrators.

Types of Vulnerability Scanners

Vulnerability scanners come in various types, including network scanners, application scanners, and web application scanners, each focusing on different aspects of security.

Intrusive vs. Credentialed Scans

Intrusive scans attempt to exploit vulnerabilities, which can potentially crash the target, while credentialed scans use legitimate credentials for deeper analysis and information gathering.

What is SIEM?

SIEM (Security Information and Event Management) systems gather and analyze security logs from various sources to detect threats and security incidents.

Common Vulnerability Scanners

Popular vulnerability scanners include Nessus, Retina, Core Impact, and GFI LANguard, each offering different capabilities and focuses.

Command Line Tools for Security Assessment

Various command-line tools like ping, tracert, nslookup, netstat, nmap, netcat, and hping are valuable for network troubleshooting and security assessments.

What is a Security Assessment?

A security assessment is a comprehensive process of evaluating security vulnerabilities and risks in a system or network.

SOAR Tools

Automated systems that gather security threat data from various sources and respond to low-level events without human intervention.

Operations Security

Daily practices needed to maintain a secure system, starting from planning and implementation of a network.

Network Security Testing Techniques

Methods used to assess the effectiveness of security implementations in a network, such as penetration testing, vulnerability scanning, and log reviews.

Nmap (Network Mapper)

A powerful tool for scanning networks and identifying hosts, services, and operating systems.

SIEM (Security Information and Event Management)

Software that collects, analyzes, and correlates security events from various sources, providing real-time and historical security insights.

Study Notes

Module 2: Network Security Testing

  • The module is titled Network Security Testing; its objective is to use tools for network security testing.

Module Objectives

  • Module Title: Network Security Testing
  • Module Objective: Use tools for network security testing

Security Assessments

  • Vulnerability Scanners are used to assess computers, computer systems, networks, or applications for weaknesses.
  • Vulnerability scanners automate security auditing by scanning networks, identifying and prioritizing vulnerabilities.
  • Vulnerability scanners look for: use of default or common passwords, missing patches, misconfigurations in operating systems and software, open ports, and active IP addresses including unexpected devices.
  • Commonly used vulnerability scanners include Nessus, Retina, Core Impact, and GFI LANguard.
  • The functions of these tools include performing compliance auditing, supplying patches and updates, identifying misconfigurations, supporting mobile and wireless devices, tracking malware, and identifying sensitive data.

Types of Scans

  • Vulnerability scanners are rated for accuracy, reliability, scalability, and reporting.

    • Software-based and cloud-based options exist.
  • Network scanners (probe hosts for open ports, enumerate user/group information, and locate known vulnerabilities on networks)

  • Application scanners (access application source code, test applications from the inside, do not run the application to identify vulnerabilities in web applications)

  • Intrusive scans exploit vulnerabilities (may crash the target); non-intrusive scans minimize harm to the target.

  • Credentialed scans use usernames/passwords for authorized access and deeper information gathering, whereas non-credentialed scans offer an outsider's perspective, making them less invasive.

  • False positives (mistakenly identifying a vulnerability) and false negatives (failing to identify an existing vulnerability) occur. Credentialed scans generally return fewer false positives and negatives.

Command Line Diagnostic Utilities

  • Command-line tools assess an organization's security position.
  • ipconfig (displays TCP/IP settings: IP address, subnet mask, default gateway, DNS and MAC information)
  • ping (tests network connectivity by sending ICMP requests to a host)
  • arp (maps known MAC addresses to their associated IP addresses)
  • tracert (traces a packet's route, records hops along the way)
  • nslookup (queries a DNS server to troubleshoot DNS databases)

Security Automation

  • Security Information and Event Management (SIEM) systems aggregate log data from various sources to reduce event volume

  • Similar events are combined within SIEM systems, which reduces the workload.

  • SIEM systems identify deviations from the norm, and then take appropriate action.

  • Goals of SIEM system for security monitoring include identifying internal/external threats, monitoring activity and resource usage, supporting incident response, and generating audits.

  • If a potential issue is detected, SIEM might log additional information, generate an alert, and halt the activity's progress. Advanced SIEM systems use user and entity behavior analytics to predict and prevent potential threats.

  • The volume of data from critical systems and the cost/maintainability of SIEM solutions should be considered during implementation

  • Security Orchestration, Automation, and Response (SOAR) tools automatically collect and respond to low-level security events without direct human intervention. This allows organizations to automate various security procedures.

  • SOAR tools have capabilities for threat/vulnerability management, security incident response, and security operations automation. Organizations often integrate SOAR tools with their SIEM.

Packet Tracer - Use Diagnostic Commands

  • The packet tracer file is used for real-world experience in diagnosing connectivity issues
  • Objectives: Gather end-user device settings, gather network device information and diagnose connectivity issues

Network Security Testing Techniques

  • Operations Security aims at ongoing secure system maintenance, ensuring security practices are implemented and maintained throughout the lifespan of the network.
  • Operational tasks begin after network setup and address system maintenance
  • Security staff must have significant security and networking knowledge in operating systems, basic programming, networking protocols (such as TCP/IP), network vulnerabilities, device hardening, firewalls, and IPS.

Testing and Evaluating Network Security

  • The effectiveness of a security solution can be tested to verify proper functionality without waiting for a real threat.
  • Security testing is done during implementation and operational stages to ensure security practices are functioning as expected.
  • Security testing involves risk analysis and contingency planning.
  • Security test results must be documented and made available to other IT areas.
  • Specific parts of the network are tested during implementation; a Security Test and Evaluation (ST&E) is performed after the network is complete which examines the established protective measures placed on the operational network.
  • Security tests should be repeated regularly and when changes are made. Systems exposed to recurring threats are tested more frequently.

Types of Network Tests

  • Threat actors utilize reconnaissance techniques to identify vulnerabilities.

  • Active reconnaissance involves direct interaction with network systems for information gathering (using penetration testing tools to test network/system)

  • Passive reconnaissance involves using external information sources, such as Facebook or the dark web, to gather information about a network and its users. This often employs open source intelligence (OSINT).

  • Penetration testing (pen testing): Simulates attacks to assess an organization's system's resilience.

  • Network scanning: Uses software to ping computers, scan for open ports, and identify available resources.

  • Vulnerability scanning: Identifies potential weaknesses in systems, including misconfigurations, default passwords, or potential targets for denial-of-service (DoS) attacks.

Types of Network Tests (Continued)

  • Password cracking software tests for weak passwords
  • Log review checks security logs to identify potential threats
  • Integrity checkers identify changes in the system. 
  • Virus detection software detects and removes malware

Applying Network Test Results

  • Network security test results are used to identify security vulnerabilities, track organizational progress in meeting and maintaining security standards, evaluate the status of system security implementations, assess cost-benefit analyses of security improvements, enhance other activities like risk assessments, and serve as a basis for implementing corrective measures.

Network Security Testing Tools

  • Many tools exist for assessing system/network security; some are open-source, while others are commercial and require licensing.
  • Nmap/Zenmap is used for discovering computers and services on a network.
  • SuperScan is a Windows port scanning tool.
  • SIEM (Security Information and Event Management) provides real-time reporting and long-term security event analysis.
  • GFI LANguard is a network security scanner that detects vulnerabilities.
  • Tripwire is a tool that validates IT configurations
  • Nessus is a vulnerability scanning tool that focuses on remote access, misconfigurations, and DoS attacks.
  • L0phtCrack tests passwords. 
  • Metasploit aids with penetration testing and developing IDS signatures.

Nmap and Zenmap

  • Nmap is a commonly used, low-level scanner available publicly.
  • Provides features for network mapping and reconnaissance.
  • Features: classic TCP/UDP port scanning, classic TCP/UDP port sweeping, stealth TCP/UDP sweeps, and remote operating system identification (fingerprinting).

SuperScan 

  • SuperScan is a Microsoft Windows-based tool used to scan ports and identify active systems for penetration testing on networks and to anticipate potential attack mechanisms.

SIEM (Continued)

  • SIEM provides details about the source of suspicious activity
  • Information includes user information, device information, and posture information
  • Security engineers can quickly evaluate security events and answer critical questions about who is involved, whether sensitive information was accessed, and whether any potential compliance issues exist.

Penetration Testing 

  • Penetration testing (pen testing) evaluates system vulnerabilities using malicious techniques.
  • Pen testing simulates attacks, determines attack feasibility, and identifies security weaknesses.
  • Pen testing is often used to find weaknesses before cyber criminals do, allowing organizations to patch and secure their networks.
  • Approaches include black box testing (least costly and time-consuming), gray box testing (parts of the system are known; moderately time-consuming), and white box testing (most costly and time-consuming, most comprehensive).
  • Penetration phases usually involve planning, discovery (active/passive reconnaissance), attack, and reporting.

Penetration Testing Exercise Types

  • Some organizations set up competitive teams (red team, blue team, white team, and purple team) that conduct extended penetration exercises to thwart potential attacks and evaluate security measures.

Packet Analyzer

  • Packet analyzers (or packet sniffers) intercept and log network traffic, allowing analysis of network issues. Examples include Wireshark, EtherApe, tcpdump, Ettercap.

Protocol Analyzer Output

  • Sniffing examines network traffic directed at or passed through a network interface card (NIC). Sniffers are useful for network troubleshooting and security analysis but can be used for malicious purposes.
  • Sniffers can target specific protocols or examine all network traffic (including usernames, passwords, and other sensitive data)

Lab - Use Wireshark to Compare Telnet and SSH Traffic

  • This lab uses Wireshark to analyze web browser traffic, Telnet traffic, and SSH traffic

Network Security Testing Summary

  • A vulnerability scanner tests computers and networks for various weaknesses
  • Common vulnerability scanners include Nessus, Retina, Core Impact, and GFI LANguard.
  • Vulnerability scanners vary in type: network, application, and web application. Intrusive (exploiting to cause potential damage) and non-intrusive scans each have advantages and disadvantages
  • Command-line tools like ipconfig, ping, arp, tracert, and nslookup are used for vulnerability assessments. 
  • SIEM (Security Information and Event Management) analyzes security events using log collectors, reducing event volume by aggregating similar events
  • SOAR (Security Orchestration, Automation, and Response) automates the response to low-level security events without human intervention.
  • Operations security emphasizes practices for managing ongoing systems security. Network security testing typically happens during implementation and operational phases and examines protective measures on operational networks.

Network Security Testing Techniques (Continued)

  • Operations security focuses on daily practices for deploying and maintaining secure systems; all networks are vulnerable if operational security practices are not followed.
  • Testing/evaluation methods include network scanning, vulnerability scanning, password cracking, log review, integrity checking, and virus detection

Network Security Testing Tools (Continued)

  • Different software tools for network testing exist. Examples are Nmap, Zenmap, SuperScan, SIEM, GFI LANguard, Tripwire, Nessus, L0phtCrack, and Metasploit.
  • Each tool has specific features and capabilities for different analysis purposes.
