Untitled Quiz
48 Questions

Questions and Answers

What is the primary function of Nmap?

  • Creating network diagrams
  • Monitoring network traffic in real time
  • Mapping and reconnaissance of networks (correct)
  • Encrypting network communications

Which tool is designed specifically for vulnerability scanning?

  • L0phtCrack
  • Tripwire
  • SuperScan
  • Nessus (correct)

Which of the following tools is known for assessing IT configurations against internal policies?

  • Tripwire (correct)
  • GFI LANguard
  • Nmap
  • Metasploit

What type of scan does Nmap perform that is harder to detect by the target host?

    Stealth scanning

    Which software tool can also run queries like whois and traceroute?

    SuperScan

    What is the primary purpose of SIEM in an enterprise setting?

    Real-time reporting and long-term analysis of security events

    Which of the following tools is primarily focused on password auditing?

    L0phtCrack

    What is the main purpose of penetration testing?

    To simulate an attacker's methods with permission

    Why is it important to consider the evolution of network testing tools?

    Tools can become legacy and less effective over time

    Which type of testing allows the tester to have no knowledge of the system?

    Black box testing

    Which of the following phases involves establishing the rules of engagement?

    Planning

    What distinguishes gray box testing from black box testing?

    Gray box testing is partially known environment

    Which testing method is the most time-consuming and expensive?

    White box testing

    What technique is employed during the Discovery phase of penetration testing?

    Conducting reconnaissance

    Why is penetration testing considered a part of ethical hacking?

    It simulates attacks to improve security

    What is 'footprinting' in the context of penetration testing?

    Utilizing public sources for information gathering

    What purpose does the Layer 3 port scanning feature serve in Nmap?

    Identifying Layer 3 protocol support on a host

    How does Nmap help in masking the source of a scan?

    By using decoy hosts on the same LAN as the target host

    In what environment can Nmap operate?

    UNIX, Linux, Windows, and OS X

    Which of the following is NOT a feature of SuperScan version 4?

    Protocol analysis on Layer 2

    What is a primary function of Security Information Event Management (SIEM) technology?

    To provide real-time reporting and long-term analysis of security events

    What type of scanning methods does SuperScan support?

    TCP Syn scanning and UDP scanning

    What limitation do network testing tools like Nmap and SuperScan have?

    They cannot prepare for every potential security issue.

    What administrative privilege is necessary for using SuperScan?

    Administrator privileges

    What is the primary purpose of operations security in network security testing?

    To ensure day-to-day secure practices are in place

    Which phase is NOT part of the penetration testing process?

    Monitoring

    Which of the following tools is primarily used for port scanning?

    Nmap

    What is the main goal of a penetration test?

    To simulate real attack methods for security evaluation

    Which tool is known for forensic analysis and aggregation of security data?

    SIEM

    During which stage of network security testing is vulnerability scanning typically performed?

    Operational stage

    Which term describes the process of reviewing logs as part of security testing?

    Log review

    What is the objective of vulnerability scanning?

    To identify and address weaknesses in a system

    What is the primary function of a vulnerability scanner?

    To assess computers and networks for weaknesses.

    Which of the following best describes sniffing?

    Examining network traffic regardless of the destination.

    What distinguishes intrusive scans from other types of vulnerability scans?

    They attempt to exploit vulnerabilities.

    Which command line tool is typically used for network diagnostics?

    Netcat

    Why is physical security important in network security?

    It prevents unauthorized access to critical systems.

    What role do SIEM systems play in network security?

    They aggregate log data from multiple sources.

    What is a credentialed scan in vulnerability assessment?

    A scan providing authorized access through usernames and passwords.

    Which of the following tools is NOT categorized as a vulnerability scanner?

    Wireshark

    What does the command 'tracert' help to determine?

    It traces the route a packet takes to a destination.

    Which command is specifically aimed at troubleshooting NetBIOS name resolution issues?

    nbtstat

    One of the primary functions of a SIEM system is to:

    Identify internal and external threats.

    What is one of the capabilities of 'nmap'?

    Locate network hosts and detect services.

    What does the command 'netstat' provide information about?

    It shows ports a computer is listening on and active connections.

    Which statement describes a function of SIEM systems?

    Generate alerts when potential security issues are detected.

    What is the primary purpose of the 'arp' command?

    Map known MAC addresses to their associated IP addresses.

    The function of 'hping' includes which of the following?

    Assemble and analyze packets for various network tasks.

    Study Notes

    Module 2: Network Security Testing

    • The module is titled Network Security Testing; its objective is to use tools for network security testing.

    Security Assessments

    • Vulnerability Scanners are used to assess computers, computer systems, networks, or applications for weaknesses.
    • Vulnerability scanners automate security auditing by scanning networks, identifying and prioritizing vulnerabilities.
    • Vulnerability scanners look for: use of default or common passwords, missing patches, misconfigurations in operating systems and software, open ports, and active IP addresses including unexpected devices.
    • Commonly used vulnerability scanners include Nessus, Retina, Core Impact, and GFI LANguard.
    • The functions of these tools include performing compliance auditing, supplying patches and updates, identifying misconfigurations, supporting mobile and wireless devices, tracking malware, and identifying sensitive data.

    Types of Scans

    • Vulnerability scanners are rated for accuracy, reliability, scalability, and reporting. Software-based and cloud-based options exist.

    • Network scanners probe hosts for open ports, enumerate user and group information, and locate known vulnerabilities on networks.

    • Application scanners access application source code and test applications from the inside, without running the application, to identify vulnerabilities in web applications.

    • Intrusive scans exploit vulnerabilities (may crash the target); non-intrusive scans minimize harm to the target.

    • Credentialed scans use usernames/passwords for authorized access and deeper information gathering, whereas non-credentialed scans offer an outsider's perspective, making them less invasive.

    • False positives (mistakenly identifying a vulnerability) and false negatives (failing to identify an existing vulnerability) occur. Credentialed scans generally return fewer false positives and negatives.

    Command Line Diagnostic Utilities

    • Command-line tools help assess an organization's security posture.
    • ipconfig (displays TCP/IP settings: IP address, subnet mask, default gateway, DNS, and MAC information)
    • ping (tests network connectivity by sending ICMP requests to a host)
    • arp (maps known MAC addresses to their associated IP addresses)
    • tracert (traces a packet's route, records hops along the way)
    • nslookup (queries a DNS server to troubleshoot DNS databases)

    Security Automation

    • Security Information and Event Management (SIEM) systems aggregate log data from various sources to reduce event volume.

    • Similar events are combined within SIEM systems, reducing the workload.

    • SIEM systems identify deviations from the norm, and then take appropriate action.

    • Goals of a SIEM system for security monitoring include identifying internal/external threats, monitoring activity and resource usage, supporting incident response, and generating audits.

    • If a potential issue is detected, SIEM might log additional information, generate an alert, and halt the activity's progress. Advanced SIEM systems use user and entity behavior analytics to predict and prevent potential threats.

    • The volume of data from critical systems and the cost/maintainability of SIEM solutions should be considered during implementation

    • Security Orchestration, Automation, and Response (SOAR) tools automatically collect and respond to low-level security events without direct human intervention. This allows organizations to automate various security procedures.

    • SOAR tools have capabilities for threat/vulnerability management, security incident response, and security operations automation. Organizations often integrate SOAR tools with their SIEM.

    Packet Tracer - Use Diagnostic Commands

    • The packet tracer file is used for real-world experience in diagnosing connectivity issues
    • Objectives: Gather end-user device settings, gather network device information and diagnose connectivity issues

    Network Security Testing Techniques

    • Operations Security aims at ongoing secure system maintenance, ensuring security practices are implemented and maintained throughout the lifespan of the network.
    • Operational tasks begin after network setup and address system maintenance
    • Security staff must have significant security and networking knowledge in operating systems, basic programming, networking protocols (such as TCP/IP), network vulnerabilities, device hardening, firewalls, and IPS.

    Testing and Evaluating Network Security

    • The effectiveness of a security solution can be tested to verify proper functionality without waiting for a real threat.
    • Security testing is done during implementation and operational stages to ensure security practices are functioning as expected.
    • Security testing involves risk analysis and contingency planning.
    • Security test results must be documented and made available to other IT areas.
    • Specific parts of the network are tested during implementation. After the network is complete, a Security Test and Evaluation (ST&E) is performed, which examines the protective measures placed on the operational network.
    • Security tests should be repeated regularly and when changes are made. Systems exposed to recurring threats are tested more frequently.

    Types of Network Tests

    • Threat actors utilize reconnaissance techniques to identify vulnerabilities.

    • Active reconnaissance involves direct interaction with network systems for information gathering (using penetration testing tools to test network/system)

    • Passive reconnaissance involves using external information sources, such as Facebook or the dark web, to gather information about a network and its users. This often employs open source intelligence (OSINT).

    • Penetration testing (pen testing): Simulates attacks to assess the resilience of an organization's systems.

    • Network scanning: Uses software to ping computers, scan for open ports, and identify available resources.

    • Vulnerability scanning: Identifies potential weaknesses in systems, including misconfigurations, default passwords, or potential targets for denial-of-service (DoS) attacks.

    Types of Network Tests (Continued)

    • Password cracking software tests for weak passwords
    • Log review checks security logs to identify potential threats
    • Integrity checkers identify changes in the system. 
    • Virus detection software detects and removes malware

    Applying Network Test Results

    • Network security test results are used to identify security vulnerabilities, track organizational progress in meeting and maintaining security standards, evaluate the status of system security implementations, support cost-benefit analyses of security improvements, enhance other activities like risk assessments, and serve as a basis for implementing corrective measures.

    Network Security Testing Tools

    • Many tools exist for assessing system/network security, some are open-source while others are commercial and require licensing.
    • Nmap/Zenmap is used for discovering computers and services on a network.
    • SuperScan is a Windows port scanning tool.
    • SIEM (Security Information and Event Management) provides real-time reporting and long-term security event analysis.
    • GFI LANguard is a network security scanner that detects vulnerabilities.
    • Tripwire is a tool that validates IT configurations
    • Nessus is a vulnerability scanning tool that focuses on remote access, misconfigurations, and DoS attacks.
    • L0phtCrack tests passwords. 
    • Metasploit aids with penetration testing and developing IDS signatures.

    Nmap and Zenmap

    • Nmap is a commonly used, low-level scanner available publicly.
    • It provides features for network mapping and reconnaissance.
    • Features include classic TCP/UDP port scanning, classic TCP/UDP port sweeping, stealth TCP/UDP sweeps, and remote operating system identification (fingerprinting).

    SuperScan 

    • SuperScan is a Microsoft Windows-based port scanning tool used to identify active systems on a network during penetration testing and to anticipate potential attack mechanisms.

    SIEM (Continued)

    • SIEM provides details about the source of suspicious activity
    • Information includes user information, device information, and posture information
    • Security engineers quickly evaluate security events and answer critical questions about who's involved, any access to sensitive information, and if any potential compliance issues exist.

    Penetration Testing 

    • Penetration testing (pen testing) evaluates system vulnerabilities using malicious techniques.
    • Pen testing simulates attacks, determines attack feasibility, and identifies security weaknesses.
    • Pen testing lets organizations find weaknesses before cyber criminals do, so they can patch and secure their networks.
    • Approaches include black box testing (least costly and time-consuming), gray box testing (parts of the system are known; moderately time-consuming), and white box testing (most costly and time-consuming, most comprehensive).
    • Penetration testing phases usually involve planning, discovery (active/passive reconnaissance), attack, and reporting.

    Penetration Testing Exercise Types

    • Some organizations set up competitive teams that conduct extended penetration exercises (red team, blue team, white team, and purple teams) to thwart potential attacks and evaluate security measures.

    Packet Analyzer

    • Packet analyzers (or packet sniffers) intercept and log network traffic, allowing analysis of network issues. Examples include Wireshark, EtherApe, tcpdump, Ettercap.

    Protocol Analyzer Output

    • Sniffing examines network traffic directed at or passed through a network interface card (NIC). Sniffers are useful for network troubleshooting and security analysis but can be used for malicious purposes.
    • Sniffers can target specific protocols or examine all network traffic (including usernames, passwords, and other sensitive data)

    Lab - Use Wireshark to Compare Telnet and SSH Traffic

    • This lab uses Wireshark to analyze web browser traffic, Telnet traffic, and SSH traffic

    Network Security Testing Summary

    • A vulnerability scanner tests computers and networks for various weaknesses
    • Common vulnerability scanners include Nessus, Retina, Core Impact, and GFI LANguard.
    • Vulnerability scanners vary in type: network, application, and web application. Intrusive scans (which exploit vulnerabilities and may cause damage) and non-intrusive scans each have advantages and disadvantages.
    • Command-line tools like ipconfig, ping, arp, tracert, and nslookup are used for vulnerability assessments. 
    • SIEM (Security Information and Event Management) analyzes security events using log collectors, reducing event volume by aggregating similar events
    • SOAR (Security Orchestration, Automation, and Response) automates the response to low-level security events without human intervention.
    • Operations security emphasizes practices for managing ongoing systems security. Network security testing typically happens during implementation and operational phases and examines protective measures on operational networks.

    Network Security Testing Techniques (Continued)

    • Operations security focuses on daily practices for deploying and maintaining secure systems; all networks are vulnerable if operational security practices are not followed.
    • Testing/evaluation methods include network scanning, vulnerability scanning, password cracking, log review, integrity checking, and virus detection

    Network Security Testing Tools (Continued)

    • Different software tools for network testing exist. Examples are Nmap, Zenmap, SuperScan, SIEM, GFI LANguard, Tripwire, Nessus, L0phtCrack, and Metasploit.
    • Each tool has specific features and capabilities for different analysis purposes.
