Nov 12, 2019, 08:24 AM
CEH

- CEH Study Notes
  - DOS Attacks
    - LAND Attack (Local Area Network Denial)
      - Uses the TCP three-way handshake to occupy a server's resources and disable the target.
      - In this attack the attacker sends a spoofed packet whose source IP address is the target system's own address. This forces a "looped" TCP connection to itself.
      - Probably obsolete by now
    - WinNuke
      - Exploits certain TCP implementations and how they process packets with the URG flag set
      - The URG flag tells the target OS to process the packets immediately (out-of-band)
      - This attack sent a stream of packets to port 139 with the URG flag set, usually causing the OS on the target system to crash
    - Targa
      - Can run 8 different DOS attacks
      - Can be run simultaneously or 1 at a time
    - Slowloris
      - Highly targeted attack, using one web server to take down another web server
      - Performed by holding as many connections to the target web server open for as long as possible, creating a denial condition for legitimate requests
      - This is not a DDOS, but instead a DOS attack
    - Zombies and Bots
      - Common names for computers in a botnet
    - "Shaft"
      - Derivative of Trinoo
      - Attack options are:
        - ICMP
        - UDP
        - TCP
    - Low Orbit Ion Cannon (LOIC)
      - Uses TCP/UDP to flood a target
      - Uses Windows
      - Has a "Linux" version (LOIC Java)
    - Smurf Attack
      - DDOS attack
      - Uses ICMP packets with the victim's SPOOFED source IP
      - Sends requests to the broadcast address on the network, causing all nodes to respond back to the victim machine, creating a DOS
    - Fraggle
      - Attacker crafts a packet and pings the broadcast address
      - Uses UDP instead of ICMP
    - Fraggle vs Smurf
      - Fraggle uses UDP as the attack vector
      - Smurf uses ICMP as the attack vector
    - RUDY (R U Dead Yet?)
      - Used to execute slow-rate attacks
      - Implemented via long form field submissions
    - Classes of DOS attacks
      - Application layer
      - Volumetric
      - TCP State Exhaustion
      - Fragmentation
      - State Attack
    - Botnet definition
      - Collection of security-compromised computers controlled by a third party
      - Usually controlled through IRC
      - Sends SPAM and performs DDOS
    - Filtering ICMP packets at firewalls is a countermeasure to DOS attacks
    - Ping of Death
      - Sends a very large (64K) ICMP packet to a victim
      - Exploited the fragmentation and reassembly implementations on a target by sending IP packets, usually ICMP echo requests, that exceed the maximum size once they have been reassembled.
      - Obsolete now
    - "RID" is a scanning tool used to detect:
      - TFN
        - OLD method used to initiate DDoS
        - Uses ICMP, SYN flood, UDP flood & smurf attack
        - Can do IP spoofing
        - Built-in remote command execution for controlling the botnet
      - TRINOO
        - A program used to conduct DDoS attacks.
      - Stacheldraht
        - Malware written by Random for Linux and Solaris
        - Provides a DDoS agent service
        - Detects and auto-enables source address forgery
        - Uses TCP SYN, ICMP flood and UDP flood
    - Zombie Zapper
      - Tool created to fight DDOS
      - Free, open source
      - Works against Trinoo, TFN and Stacheldraht
    - DOS countermeasures
      - Network ingress filtering
      - IDS
      - Rate limiting network traffic
      - SYN cookies
        - Does not allow the server to dedicate resources until the 3-way handshake has been completed
      - Micro blocks
        - Method to prevent SYN flood attacks by allocating only a small space in memory for the connection record
      - RST cookies
        - Server intentionally sends an invalid SYN-ACK to the client as a way to verify the request is legitimate
        - If legitimate, logs the entry and allows a connection from the client
      - Stack tweaking
        - Tweaking the TCP/IP implementation to mitigate or limit DoS effects.
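A simplified model of the SYN-cookie countermeasure listed above, added here as an example (it is not code from the original notes and not any kernel's implementation). It assumes a 5-bit time counter with 64-second ticks, HMAC-SHA256 truncated to 27 bits for the proof, and a constructed flow tuple; the point it shows is that the server keeps no half-open state and still rejects ACKs for SYNs it never answered.

```python
import hashlib
import hmac
import os
import time

SECRET = os.urandom(32)      # per-boot server secret (constructed for this example)
TICK_SECONDS = 64            # width of one time-counter tick (assumed value)


def _tick(now: float) -> int:
    # 5-bit counter: lets the server reject cookies that are too old
    return int(now // TICK_SECONDS) & 0x1F


def _cookie_for_tick(flow, client_isn: int, t: int) -> int:
    msg = f"{flow}|{client_isn}|{t}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).digest()
    # top 5 bits carry the tick, low 27 bits carry the truncated MAC
    return (t << 27) | (int.from_bytes(mac[:4], "big") & 0x07FFFFFF)


def syn_cookie(flow, client_isn: int, now=None) -> int:
    """Server ISN for a SYN from flow = (src_ip, src_port, dst_ip, dst_port).
    Nothing is stored per connection: the ISN itself is the proof."""
    now = time.time() if now is None else now
    return _cookie_for_tick(flow, client_isn, _tick(now))


def ack_is_valid(flow, client_isn: int, ack_number: int, now=None) -> bool:
    """Only a client that really received our SYN-ACK can send ack = cookie + 1.
    Spoofed SYNs never reach this step, so they cost the server no memory."""
    now = time.time() if now is None else now
    cookie = (ack_number - 1) & 0xFFFFFFFF
    t = cookie >> 27
    # accept the current tick and the previous one (a handshake may straddle a tick)
    if (_tick(now) - t) % 32 > 1:
        return False
    expected = _cookie_for_tick(flow, client_isn, t)
    return hmac.compare_digest(cookie.to_bytes(4, "big"), expected.to_bytes(4, "big"))


def syn_cookie_demo():
    flow = ("198.51.100.7", 51515, "203.0.113.10", 443)   # constructed sample flow
    now = 1_700_000_000.0
    isn = syn_cookie(flow, client_isn=12345, now=now)
    legit = ack_is_valid(flow, 12345, isn + 1, now=now + 1)
    other_flow = ("198.51.100.8", 51515, "203.0.113.10", 443)
    spoofed = ack_is_valid(other_flow, 12345, isn + 1, now=now + 1)
    stale = ack_is_valid(flow, 12345, isn + 1, now=now + 3 * TICK_SECONDS)
    return legit, spoofed, stale


if __name__ == "__main__":
    print(syn_cookie_demo())   # (True, False, False)
```

The real kernels pack an MSS index into the cookie as well, because a stateless server cannot remember what the client advertised; that detail is omitted here to keep the proof-of-reachability idea visible.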
    - Fragmentation attack
      - TearDrop
        - Uses fragmentation and a bug in the TCP/IP implementation
        - AKA IP Fragmentation
        - AKA Overlapping Fragment
    - Fast Flux
      - DNS technique to hide phishing and malware delivery sites behind constantly changing compromised hosts.
    - SYN flood vs SYN attack
      - SYN flood - sending SYN packets to the target (aka half-open attack)
      - SYN attack - spoofing the source address, sending SYN packets to the target
    - CPUHog
      - DoS tool used to consume processor cycles
    - Hping3
      - Can be used for DoS and fingerprinting
    - Mstream
      - Uses both TCP and UDP for DoS
      - Three-tiered DDoS tool (Attacker > Master > Agent > Target)
  - The five stages of hacking in CEH
    - 1. Recon / Footprinting
      - Internet searches
      - Social engineering
      - Dumpster diving
      - Non-intrusive network scanning
    - 2. Scanning
      - Looking for open ports & services
      - Vulnerabilities
      - Enumeration of hardware and software
    - 3. Gaining Access
    - 4. Maintaining Access
    - 5. Covering tracks
  - Named Vulnerabilities
    - POODLE = Padding Oracle On Downgraded Legacy Encryption
      - Man-in-the-middle attack; exploits the fallback mechanism in TLS to SSL
      - Can decrypt a single byte of an encrypted message by making up to 256 SSL 3.0 requests while eavesdropping on the encrypted connection
    - HEARTBLEED
      - OpenSSL vulnerability
      - Allows an attacker to obtain about 64 KB of info from a web server's memory at regular intervals.
      - Discovered in 2014
      - Memory handling bug
      - Found in OpenSSL 1.0.1 through 1.0.1f; OpenSSL 1.0.1g fixed the bug
      - Attackers can obtain the server's private key, allowing them to perform MITM attacks
    - FREAK = Factoring Attack on RSA-EXPORT
      - Man-in-the-middle attack
      - Forces downgrade of an RSA key to a weaker length; the attack then attempts to brute force the shorter (weaker) key
      - Discovered in 2015
    - SHELLSHOCK
      - AKA Bashbug
      - Allows an attacker to execute arbitrary code through a vulnerability in BASH
      - Found in September 2014
      - How to exploit shellshock on a webserver?
        - By using CGI to deliver malformed code
    - CCS Injection Vulnerability
      - Discovered in 2014
      - Man-in-the-middle attack
      - Requires the attacker to craft a specific handshake that forces OpenSSL to use a weak method of keying
  - Password Cracking
    - Dictionary Attack
      - A method of attack that uses a dictionary (or multiple dictionaries) of words to guess a password.
    - Neped
      - Used to detect password sniffing
    - PWDump2
      - Used to find and "dump" hashed passwords
    - Most secure hash algorithm
      - Whirlpool
    - OPHcrack
      - Claims to have a 99% success rate
      - Run from a live CD (not remotely run)
      - Runs on Linux
      - Uses rainbow tables
    - Hashcat
      - "World's fastest CPU-based password recovery tool"
      - Available on Linux, OS X, Windows
      - Uses CPU or GPU
    - John the Ripper
      - Used for brute forcing passwords
      - Can crack NT hashes
      - Can crack Unix hashes
    - Cain and Abel
      - Can be used for password cracking
      - Can be used for ARP poisoning
      - Can be used to sniff traffic
      - Runs on Windows
      - Uses dictionary and brute force among other types of attacks
    - Brutus
      - Can be used for remote password cracking
      - Only runs on Windows
      - Supports HTTP, POP3, FTP, SMB, Telnet, IMAP and others
    - Password sniffing
      - This is a "passive" attack style
    - Rainbow tables are used to speed up the cracking of password hashes
      - Makes use of precomputed password hashes
      - A SALT in the hashes can slow down this method
    - Password Management definition
      - The process of defining, implementing and maintaining password policies
    - PAP
      - Password Authentication Protocol
      - Sends clear-text usernames and passwords
    - Password / Brute Force tools
      - Brutus
      - Rainbow Crack
      - Wfuzz
    - Brute Force Attack
      - Tries all possible combinations of letters, numbers and special characters.
      - Computationally intensive
      - Not always able to recover the password in a reasonable time
      - Time consuming
      - Best performed offline
    - A one-time password is also referred to as a "dynamic" password
    - Password sniffing
      - A way to grab a password from a user electronically, usually during authentication
    - Hashing is a one-way process
      - Hashes can NEVER be reversed
    - Rule-based password attack
      - A focused password cracking technique; limits password attempts to only those allowed (think alphanumeric, 8 characters long, etc...)
      - Why try 4-character passwords when 8 is the minimum?
    - What does a hash provide?
      - It provides integrity.
    - What is a SALT?
      - This is padding added to a password before it is HASHED, making it more difficult to brute force
      - Typical size for a salt is 2 to 8 bytes
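To make the rainbow-table and salt notes above concrete, here is an added example (not from the original notes) that builds a tiny precomputed digest table from a constructed wordlist, shows it cracking an unsalted hash instantly, and shows the same table failing once an 8-byte salt is prepended. The wordlist, passwords and salts are all constructed; the hash is plain SHA-256 only to keep the mechanism visible, not as a recommended password hash.

```python
import hashlib
import os

# Constructed sample wordlist; a real table would be built from millions of entries.
WORDLIST = ["password", "letmein", "Summer2019", "qwerty", "dragon"]


def unsalted_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    # The salt is prepended before hashing and stored next to the digest.
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_table(words):
    """Precompute digest -> password once; reusable against every unsalted hash ever seen."""
    return {unsalted_hash(w): w for w in words}


def lookup(table, digest):
    return table.get(digest)


def crack_salted_online(words, salt, digest):
    """With a salt the attacker must re-hash every candidate for this one salt:
    the precomputed table is useless and the work repeats per account."""
    for w in words:
        if salted_hash(w, salt) == digest:
            return w
    return None


def salt_demo():
    table = build_table(WORDLIST)

    # Two users chose the same weak password.
    h_alice = unsalted_hash("letmein")
    h_bob = unsalted_hash("letmein")
    same_unsalted = h_alice == h_bob          # identical digests reveal password reuse
    found = lookup(table, h_alice)           # instant hit from the table

    salt_a, salt_b = os.urandom(8), os.urandom(8)   # 8-byte salts (within the 2-8 byte range above)
    s_alice = salted_hash("letmein", salt_a)
    s_bob = salted_hash("letmein", salt_b)
    same_salted = s_alice == s_bob           # now the two digests differ
    table_hit = lookup(table, s_alice)       # None: the table no longer matches
    per_account = crack_salted_online(WORDLIST, salt_a, s_alice)  # weak password still falls, but only with per-account work
    return found, same_unsalted, table_hit, same_salted, per_account


if __name__ == "__main__":
    print(salt_demo())   # ('letmein', True, None, False, 'letmein')
```

The salt does not make a weak password strong; it removes the one-time precomputation advantage and hides reuse across accounts, which is exactly why the notes say it "slows down" rather than "defeats" the method.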
    - Tools used to create rainbow tables
      - Winrtgen
      - rtgen
      - cowpatty
    - What is two-factor auth?
      - Something you have, something you are, something you know (pick 2)
    - THC Hydra
      - Can perform brute force against remote systems using more than 50 protocols
      - Can use HTTPS-form-get, SSH2 & SIP protocols, telnet, FTP, SMB
      - Well-known online password cracking tool
    - Hybrid attack
      - Similar to a dictionary attack, but ADDS numbers and symbols to the dictionary words (making it a hybrid attack)
    - LM Hash (LANManager or LANMAN)
      - Used by Windows up to 2003/XP
      - Passwords shorter than 8 characters would have 7 null bytes hashed, making them easier to crack
      - Converts all characters to uppercase letters before encrypting
      - Password is restricted to 14 characters in length
      - If the password is less than 7 characters, padding = 0xAAD3B435B51404EE
    - Reverse brute force attack
      - Trying one password against a set of usernames
      - Instead of trying one username with a bunch of different passwords
    - Syllable Password Attack
      - A combo of brute force and dictionary attack
      - Similar to a "Hybrid" attack, but is based in "brute force" while hybrid is based in dictionary
      - Tries smaller fragments of dictionary words rearranged and combined into new passwords
    - CHNTPW
      - Tool used to reset/enable/disable accounts in Windows
      - Must be run from a boot disk
      - Runs on Linux
    - HASH Suite
      - Windows brute force password cracking tool
    - Burp
      - Integrated platform to perform security testing of web apps
      - Modules
        - Spider - Used for auto-crawling an application - discovery
        - Scanner - Used to auto-scan HTTP requests to find security vulnerabilities
        - Intruder - Allows you to perform customized automated attacks
        - Repeater - Used to manually modify and reissue individual HTTP requests (over and over)
        - Sequencer - Used to analyse the quality of randomness in an application's session tokens
        - Decoder - Lets you transform bits of application data using common encoding and decoding schemes
        - Comparer - Used to perform a visual comparison of bits of application data to find interesting differences
    - Brute Force Cryptanalysis
      - This is when all possible keys are tested to recover the plaintext that is used to produce a specific ciphertext
    - Account policies
      - These define lockout periods for accounts when a bad password is entered
    - SAMInside
      - Brute force password cracking tool
    - SMBRelay
      - Tool for implementing an eavesdropping attack
      - Email is sent to the victim, the victim clicks the link, and this then sends the victim's credentials over the network
  - Cryptography
    - Cryptographic Attacks
      - Noninvasive
        - An attack on the hardware of the cryptographic module without ever actually coming into physical contact with it
      - Collision hash
        - When one message produces the same digest as a different message
      - Birthday Attack
        - Exploits the collisions found in a hashing algorithm
        - MD5 is vulnerable to birthday attack
      - Replay cryptanalytic attack
        - When an attacker captures some systematic data and replays it in order to spoof a computing system into thinking they are engaging in authorized activity.
      - Frequency Analysis
        - Involves counting the number of times a character appears in the ciphertext
        - Works on the assumption that certain characters in a language are more common than others
      - FMS Attack
        - Fluhrer, Mantin and Shamir
        - Stream cipher attack on the RC4 stream cipher
      - Meet-in-the-middle Attack
        - Referred to as a plaintext attack
        - Attacker must know a piece of the plaintext and the ciphertext
        - "Generic space-time tradeoff cryptographic attack"
      - Algebraic Cryptanalytic Attack
        - An attack that exploits mathematical structures in encryption algorithms
      - Differential Cryptanalytic Attack
        - Occurs when an attacker examines the ciphertext pairs generated by the encryption of plaintext pairs and analyses the differences
      - Exhaustive Key Search
        - AKA brute force search
        - Tries every possible key (like a brute force password attack)
      - Statistical Attack
        - Focuses on the inability to produce random numbers
        - Targets the lack of randomness in the key generation process
      - Cache-timing attack
        - This is a side channel attack
        - Does not attack the cipher itself, but analyzes the effects of the implementation of the cipher on a particular system
        - Measures the time taken to encrypt data as part of the attack
      - Known-cipher attack
        - AKA ciphertext-only attack (COA)
        - In this style of attack the attacker is assumed to have access only to some ciphertexts
        - Attacker has no access to plaintexts
      - Known-plaintext attack
        - Attacker obtains ciphertext and plaintext for the same message
        - They use this to decrypt future messages since they can see "how the sausage is made"
      - Side Channel attack
        - These primarily focus on how info is delivered and not what is delivered
      - Power-monitoring attack
        - Monitors the power consumption of the system performing the encryption
      - Frequency analysis
        - Attack looks at patterns in ciphertext
      - Analytic attack
        - This is an algebraic manipulation that attempts to reduce the complexity of a cryptographic algorithm
    - Cryptography implementation
      - PGP (Pretty Good Privacy)
        - Often used for encryption and signing of emails
        - Uses the IDEA algorithm for encryption
        - Uses the RSA algorithm for key distribution
        - Developed by P.R. Zimmerman
      - IPSec
        - Tunnel mode
          - The entire packet is encrypted
        - Transport mode
          - Only the data is encrypted in transport mode
      - PPTP (Point to Point Tunneling Protocol)
        - Only works over IP networks
        - Uses TCP for the control channel
        - Uses a GRE tunnel to operate and encapsulate PPP packets
        - Uses IKE (Internet Key Exchange) for peer authentication and key exchange
    - Public Key Infrastructure
      - ISAKMP
        - Internet Security Association and Key Management Protocol
        - Only provides a framework for authentication and key exchange
      - Best way to describe a public key crypto system?
        - Use the receiver's private key to decrypt data encrypted by the receiver's public key
      - SSHv2 uses Diffie-Hellman for secure key exchange
      - Purpose of PKI
        - This is a set of roles, policies and procedures needed to create, manage, distribute, use, store and revoke digital certs.
      - Four basic components of PKI
        - Certificate Authority
          - Needs to be trusted by all for PKI to work
          - Issues digital certs
          - Provides verification (controls the Certificate Revocation List)
          - Performs certificate revocation
          - Enables enrollment (identifies the person and creates the X.509 cert)
        - Registration Authority
          - Authority on a network that verifies user requests for a digital certificate and tells the CA to issue it
        - Certificate Repository
          - This is where all unexpired certificates are held
        - Archive
          - This is where all expired certs are held
      - X.509
        - Standard is based on public key cryptography and digital signatures
      - Registration Authority
        - This is responsible for verifying certificate content for the certification authority
        - Validates the certificate request
      - Online Certificate Status Protocol (OCSP)
        - Internet protocol used for obtaining the revocation status of an X.509 digital cert
      - Certificate Revocation List (CRL)
        - A list of digital certs that have been revoked by the issuing CA before their scheduled expiration date
      - Intermediate CAs
        - Subordinate CA that issues certificates only to users and to other subordinate CAs
    - Kerckhoffs's principle
      - A cryptosystem should be secure even if everything about the system, except the key, is public knowledge.
    - XOR
      - Primary operation used in stream ciphers
      - XOR example:
        - 1011001 (plaintext) with
        - 0110101 (key) =
        - 1101100 ciphertext (1 when the bits differ, 0 when they are the same)
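The XOR example above, carried through in code as an added example (not from the original notes). The bit strings are the ones in the notes; the 12-byte keystream and the two messages are constructed. Besides showing that one XOR both encrypts and decrypts, it shows the failure mode that the one-time-pad and "used one time then discarded" notes elsewhere on this page are about: if a keystream is used twice, XORing the two ciphertexts cancels the key and leaks the XOR of the two plaintexts.

```python
def xor_bits(plain: str, key: str) -> str:
    """XOR two equal-length bit strings: 1 where the bits differ, 0 where they match."""
    if len(plain) != len(key):
        raise ValueError("key must be as long as the message (one-time pad rule)")
    return "".join("1" if p != k else "0" for p, k in zip(plain, key))


def xor_bytes(data: bytes, keystream: bytes) -> bytes:
    """Byte-wise XOR with a keystream that must cover the whole message.
    The same function is used for encryption and decryption."""
    if len(keystream) < len(data):
        raise ValueError("keystream must cover the whole message")
    return bytes(d ^ k for d, k in zip(data, keystream))


def keystream_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """If two messages were XORed with the same keystream then
    c1 XOR c2 == p1 XOR p2: the key cancels and the attacker learns the
    relation between the plaintexts without ever seeing the key."""
    return bytes(a ^ b for a, b in zip(c1, c2))


def xor_demo():
    # the notes' 7-bit example
    bits = xor_bits("1011001", "0110101")            # "1101100"
    round_trip = xor_bits(bits, "0110101")           # XOR again with the key: "1011001"

    key = bytes.fromhex("3f9a41c2e8701d56b44d0e7a")   # constructed 12-byte keystream
    p1, p2 = b"ATTACK DAWN ", b"RETREAT NOON"         # constructed messages, 12 bytes each
    c1, c2 = xor_bytes(p1, key), xor_bytes(p2, key)   # keystream reused: the mistake
    decrypts = xor_bytes(c1, key) == p1
    leak_equals_p1_xor_p2 = keystream_reuse_leak(c1, c2) == bytes(a ^ b for a, b in zip(p1, p2))
    return bits, round_trip, decrypts, leak_equals_p1_xor_p2


if __name__ == "__main__":
    print(xor_demo())   # ('1101100', '1011001', True, True)
```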
    - Cryptographic hashes are used to preserve integrity
    - Key space
      - A range of values used to construct the key
    - Hashed Message Authentication Code (HMAC)
      - This is also called a checksum
      - Used to validate data integrity
    - Clipper chip
      - A device that enables government agencies to bypass encryption
      - Used the Skipjack algorithm
    - Cryptography definition
      - This is the science of protecting info by encoding it into an unreadable format
    - Symmetric encryption
      - Faster than asymmetric encryption
      - Weaker than asymmetric encryption
      - Only one key is used
      - Uses "shared private keys" for encryption
      - Symmetric algorithms:
        - DES
        - AES
        - Blowfish
      - Two basic modes:
        - Block and Cipher
        - Stream and Bit
      - Because the key must be shared before encryption can occur, this makes it weaker than asymmetric encryption
    - Elliptic Curve Cryptography (ECC)
      - This uses less computation and memory, well suited for mobile applications
      - Uses a smaller key, making it more efficient
      - Typically used to encrypt cell phone sessions
    - Key clustering
      - A situation where two different keys generate the same ciphertext from the same plaintext
    - Hashing Algorithms
      - SHA1
      - SHA2
      - MD4
      - MD5
      - HAVAL
    - Diffie-Hellman
      - DH Group 1 = 768-bit
      - DH Group 2 = 1024-bit
      - DH Group 5 = 1536-bit
    - SHA-1
      - Produces a 160-bit hash value regardless of the size of the input (message)
      - Stands for "Secure Hash Algorithm"
    - DES
      - Effective key size = 56 bits
      - 8 bits are used for parity checking
      - TOTAL key size = 64 bits
      - Block cipher
      - Uses the DEA algorithm
      - DES operates in four modes:
        - OFB
        - ECB
        - CBC
        - CFB
    - Triple DES
      - Based on symmetric encryption
      - Basically uses DES three times over, with different keys each time
    - Blowfish
      - Symmetric algorithm
      - Uses a 448-bit key length
      - Developed in 1993 by Bruce Schneier
    - MD5
      - Creates a 128-bit hash value based on variable-length plaintext
      - Subject to frequent collisions
    - RC4
      - Stream cipher
    - Work factor
      - The amount of time and resources needed to break the cryptosystem or its encryption process
    - One-time pad
      - AKA Vernam cipher AKA perfect cipher
      - Only unbreakable encryption in existence
      - Used in WW2
      - Uses a key of the same length as the message
    - Asymmetric encryption
      - Slower than symmetric
      - Stronger than symmetric
      - Uses two keys
    - Message authentication & integrity controls:
      - Parity checks
      - CRC values
      - Checksums
    - Digital signature
      - Main purpose: provide data authenticity
      - This provides:
        - Verification of the source (because it uses asymmetric encryption)
        - Verification of the integrity of the data (provides authentication)
      - Created by encrypting the message hash with the sender's private key
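The "hash, then encrypt the hash with the sender's private key" model of a digital signature described above, worked through as an added example (not from the original notes). It uses textbook RSA with two Mersenne primes chosen only so the arithmetic is readable; real signatures use much larger random primes and a padding scheme (PKCS#1 v1.5 or PSS) instead of reducing the digest mod n. The message is constructed. It shows the two properties the notes list: the public key verifies the source, and any change to the message or the signature makes verification fail.

```python
import hashlib


def gen_toy_rsa():
    # Constructed, deliberately small parameters (Mersenne primes M31 and M61)
    # so the numbers are readable. Never use known primes in a real key.
    p, q = 2**31 - 1, 2**61 - 1
    n = p * q
    phi = (p - 1) * (q - 1)
    e = 65537
    d = pow(e, -1, phi)             # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)           # (public key, private key)


def digest_mod_n(message: bytes, n: int) -> int:
    # SHA-256 of the message, reduced mod n only because the toy modulus is small.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key) -> int:
    d, n = private_key
    # "encrypt" the hash with the private key: only the holder of d can do this
    return pow(digest_mod_n(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    e, n = public_key
    # anyone with the public key can recover the hash and compare it
    return pow(signature, e, n) == digest_mod_n(message, n)


def signature_demo():
    pub, priv = gen_toy_rsa()
    msg = b"transfer 100 to account 42"          # constructed message
    sig = sign(msg, priv)
    ok = verify(msg, sig, pub)                                   # source + integrity check passes
    tampered = verify(b"transfer 900 to account 42", sig, pub)   # integrity: altered message fails
    forged = verify(msg, (sig + 1) % pub[1], pub)                # source: a tweaked signature fails
    return ok, tampered, forged


if __name__ == "__main__":
    print(signature_demo())   # (True, False, False)
```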
    - SALTS
      - Used to add randomness to the encryption process
      - Takes random values and adds them to the encryption process for additional complexity
    - Concealment Cipher
      - This hides a message within a message
    - RSA Algorithm
      - Uses two large prime numbers as the basis of encryption
      - Suitable for both digital signature and encryption
      - Asymmetric
      - One of the first great advances in public key cryptography
    - Block Cipher
      - Messages are divided into blocks of bits
    - Caesar Cipher
      - AKA Shift cipher
      - One of the simplest forms of encryption
      - Simply "shifts" letters a few spaces over to "encrypt"
      - VERY SMALL keyspace
    - Stream cipher
      - Works in real time on a single bit at a time
      - Implemented in hardware
      - Used one time then discarded
    - Cryptanalysis
      - The goal is to find a weakness or insecurity in a cryptographic scheme.
    - Rijndael
      - Uses 128, 192, 256-bit key sizes
      - Block cipher
      - Selected by NIST to become the new AES (current AES)
    - Cryptography can help data integrity and confidentiality
    - Steganography
      - The practice of concealing a file, message, image or video within another file
      - Steganography comes from the Greek words steganos, meaning covered or concealed, and graphein, meaning written
    - El Gamal
      - Uses logarithmic numbers and conditions
      - Used for transmitting digital signatures and key exchanges
      - Asymmetric encryption
    - Monoalphabetic Cipher
      - This is a cipher in which the cipher alphabet remains unchanged throughout the message
      - Also called Monoalphabetic Substitution Cipher
      - Substitutes an alphabetic character with another of the same alphabet
    - Polyalphabetic Cipher
      - Uses two or more fabricated substitution alphabets
    - Concealment cipher
      - Places a message within a message
      - Classic example:
        - Every 6th letter in a document can be used to spell out a smaller message hidden within the larger document
    - Transposition Cipher
      - This uses plaintext messages which are transposed into ciphertext
    - Decryption
      - Converting ciphertext to plaintext
    - Session key
      - A single-use symmetric key used for encrypting all messages in one communication session
    - Hashing
      - Cannot be reversed
      - This is a one-way process
    - KECCAK
      - Selected by NIST to become SHA-3 in October 2012
      - "BLAKE" was in the final round, but beaten by KECCAK
    - Biometric passport
      - This is something you have
      - This is a chip in a "thing" that stores biometric data; it is not a part of a person
    - IV (Initialization Vector) is only used on WEP wireless
      - In order to be effective, this needs to be random
  - Malware
    - Worm
      - Self-replicating form of malware
      - Does not need user interaction to replicate
    - Rootkit
      - Designed to conceal the presence of other malware
    - Wrapper
      - These are used to install malware alongside legitimate software
      - Uses a single exe file
    - Logic Bomb
      - Program set to execute at a specific time or when a specific action occurs
    - Malware definition
      - Any software with the potential to compromise or destroy, or to give control to the malware developer, for their intended use for theft or fraud
    - RAT = Remote Access Trojan
      - Behaves like an exe
      - Interacts with the registry
      - Sometimes creates its own system services
    - Keyloggers can collect:
      - Text
      - Images
      - Voice
    - Keyloggers can be hardware or software
    - NTRootkit
      - Can keylog at the system console
      - Hide processes
      - Hide files
      - Hide registry entries
    - Spyware main goal = steal info
    - Trojans use covert channels to avoid detection by IDS
    - Polymorphic virus
      - Changes its signature every time it replicates
    - Utilities to detect trojans
      - Netstat
      - fport
      - tcpview
    - Rootkit = malware that's used to gain access to a computer while remaining undetected
    - Viruses can infect:
      - Disk clusters
      - Source code
      - Companion files
      - .exe, .sys and .com file types
    - SpyAnywhere can:
      - Shutdown/restart the remote system
      - Lock/freeze
      - Browse the file system
    - Masters Paradise = type of trojan
      - Uses ports 40422, 40423, 40421
    - AutoHotKey can be used to develop a trojan
    - Morris (of the "Morris Worm") was the first person convicted under the 1986 Computer Fraud and Abuse Act
    - Back Orifice 2k (BO2K)
      - Considered to be a trojan
      - Older, but in courseware
      - Logs sessions, redirects network traffic, prompts the end user with a message, remote shell via telnet, keylogging
    - eBlaster
      - Type of spyware
      - Captures incoming/outgoing email, forwarding it to other addresses
      - Captures IM conversations
      - Tracks websites visited
    - Majority of AV detect using signatures
    - Zeus trojan or Zbot
      - Used primarily to steal banking info
      - Uses keylogging
      - Can also install ransomware
      - Spread through drive-by downloads and phishing
      - June 2009: Zeus had compromised 74,000 FTP accounts
      - First found in 2007
    - Macro Virus
      - Can infect different platforms because they live in documents
    - Cavity Virus
      - Infects empty space that has been allocated to a file, possibly evading detection because of this
    - Malware analysis
      - Post-mortem analysis
        - Data that was written into swap space
        - Changes to file contents
        - Local or remote logging
  - Steganography
    - Steganography
      - A method of hiding data in another media type in order to conceal it
      - Uses images, MP3s, videos or white space in a document to hide/extract data.
      - Information can be hidden in the file system's "slack space"
      - Slack space: unused space in storage blocks that are empty
    - Noise floor consistency analysis
      - An advanced steganography analysis technique
    - Alternate Data Stream (ADS)
      - This is a feature of NTFS file systems
      - Designed to allow for compatibility with the Mac file system (HFS)
      - Allows a file to be "run" by opening or running another file
    - Least Significant Bit (LSB) Insertion
      - In this method the bit which has the least impact on the binary data is replaced with a bit from the embedded message
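LSB insertion as described above, written out as an added example (not from the original notes). The "cover" is a constructed byte array standing in for 8-bit image samples; a 16-bit length header is a design choice of this example so the extractor knows where the payload ends. The `max_abs_change` check shows why the method is hard to see: no sample moves by more than one unit, which is also why analysts fall back to statistical tests such as the noise-floor consistency analysis listed above rather than looking at the picture.

```python
import random


def embed_lsb(cover: bytes, payload: bytes) -> bytes:
    """Write each payload bit (MSB-first) into the least significant bit of one cover byte.
    A 16-bit length header goes first so extraction knows where to stop."""
    if len(payload) > 0xFFFF:
        raise ValueError("payload too long for the 16-bit length header")
    stream = len(payload).to_bytes(2, "big") + payload
    bits = [(b >> i) & 1 for b in stream for i in range(7, -1, -1)]
    if len(bits) > len(cover):
        raise ValueError("cover too small: one cover byte is needed per payload bit")
    out = bytearray(cover)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit      # clear the LSB, then set it to the message bit
    return bytes(out)


def extract_lsb(stego: bytes) -> bytes:
    """Read the LSBs back: first the 2-byte length, then that many payload bytes."""
    bits = [b & 1 for b in stego]

    def read_bytes(start_bit: int, count: int) -> bytes:
        vals = []
        for k in range(count):
            v = 0
            for i in range(8):
                v = (v << 1) | bits[start_bit + k * 8 + i]
            vals.append(v)
        return bytes(vals)

    length = int.from_bytes(read_bytes(0, 2), "big")
    return read_bytes(16, length)


def max_abs_change(cover: bytes, stego: bytes) -> int:
    """Largest per-sample change introduced by embedding; LSB flips move a sample by at most 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


def lsb_demo():
    rng = random.Random(1)                                   # deterministic constructed "pixels"
    cover = bytes(rng.randrange(0, 256) for _ in range(2048))
    secret = b"meet at the usual place"                      # constructed payload
    stego = embed_lsb(cover, secret)
    return extract_lsb(stego), max_abs_change(cover, stego), len(stego) == len(cover)


if __name__ == "__main__":
    print(lsb_demo())   # (b'meet at the usual place', 1, True)
```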
605 - Software Security
606 - Language most susceptible to buffer overflows
607 - C / C++
608 - Lacks built in protection against accessing of overwritting data in any part of memory
609 - Does not auto check that data written to an array is within bounds
610 - Software testing levels
611 - Regression Testing
612 - This is testing changes to a computer programs to make sure that older programming still works with new changes
613 - Acceptance testing
614 - This is where a system is tested for acceptability.
615 - Purpose of test is to evaluate the software compliance with the requirements set forth during development
616 - Integration testing
617 - This phase of testing is where individual modules of software are combined and tested as a whole or a completed product
618 - Static Software testing
619 - Software test that tests code passively
620 - Sometimes called dry run testing
621 - Programmers manually read the code looking for errors
622 - Program is not run
623 - Stack overflow
624 - This occurs when the call stack pointer exceeds the stack bounds
625 - Buffer overflow attack
626 - Targets the call stack component of the buffer
627 - This is an exploit that causes the system to fail by overloading the memory or executing commands arbitrarily
628 - How to prevent buffer overflows
629 - Enable bounds checking
630 - Perform thorough input validation
631 - Set OS to protect memory pages that can execute content
632 - Make changes to programming language to prevent them
633 - Use dynamic or static code analyzers
634 - Operating System
635 - Kerberos
636 - Key Distribution Center
637 - This handles authentication in kerberos
638 - Ticket Granting Service
639 - Distributes unique tokens (tickets) to each client for each requested service
640 - Uses Time Stamps to protect from replay
641 - Windows File Protection
642 - Protects critical files that are installed as part of Windows
643 - DLL
644 - EXE
645 - OCX
646 - SYS
647 - Security Account Manager (SAM Database)
648 - Used by Windows XP, Vista & 7
649 - Fault tolerant systems continue to operate when faults are discovered, they do not correct them
650 - Multiprocessing
651 - This is the parallel execution of instructions
652 -
653 - Windows
654 - NLTM and LanMan are used for authentication
655 - NTLM uses SHA2 for hashing
656 - How can SAM file be accessed?
657 - Using tools to dump the contents
658 - Accessing it through a "live CD" (boot from thumbdrive, etc..)
659 - Default location for SAM database
660 - C:\Windows\System32\config
661 - SID2User
662 - Command line tool used to associate SID with username
663 - Server 2008 Default users
664 - Guest
665 - Administrator
666 - RID for Administrator
667 - Suffix of 500 for Administrators
668 - File system supported by Windows 7
669 - NTFS
670 - FAT16
671 - FAT32
672 - LM hashes
673 - No distinction between upper case and lower case letters
674 - Simple algorithim, can produce 100000 hashes a second
675 - Max password length 14 char
676 - ls -a
677 - List all files in directory, including hidden files
678 - SC Query
679 - Used to list all running services
680 - tasklist /svc
681 - This lists all running processes and the services associated with those processes
682 - attrib +h
683 - This is used to hide a file
684 - How to prevent SMB hijacking in Windows?
685 - Use SMB signing
686 - Web Server Security
687 - phpinfo();
688 - This function is used to display info about PHP version and config, doc root, memory limits and timezone
689 - SQLMap
690 - This can be used for SQL injection attacks
691 - Apache Tomcat
692 - Most commonly used to deliver Java web pages
693 - Valid load balancing techniques
694 - Reverse proxy
695 - Distributed content
696 - DNS Balancing
697 - Web Cache Poisoning
698 - When cached web pages are replaced with malicious entries
699 - CGI is the slowest server side scripts
700 - Server Side Scripting languages
701 - PHP
702 - ASP
703 - ColdFusion
704 - Ruby on Rails
705 - Perl
706 - HTTP Codes
707 - 200 = OK
708 - 201 = created
709 - 202 = Accepted
710 - 203 = non-authoritative info
711 - 204 = no content
712 - 205 = reset content
713 - 206 = partial content
714 - 400 = bad request
715 - 401 = Unauthorized access attempted
716 - 403 = Forbidden
717 - 404 = Not found
718 - 503 = Service unavailable
719 - HTTP Methods
720 - GET
721 - HEAD
722 - POST
723 - PUT
724 - DELETE
725 - CONNECT
726 - OPTIONS
727 - TRACE
728 - HTTP response hijacking
729 - When an attacker sends a response splitting request to a webserver
730 - Attacker then gets users credentials as a result
731 - Directory traversals are also known as:
732 - dot dot slash
733 - backtracking
734 - directory climbing
735 - Directory Busting
736 - Detecting directories and pages
737 - MIME types
738 - Primary mechanism for deciding how the content is to be displayed
739 - Over 370 MIME types exist
740 - Used by Apache
741 - NMAP scan to find all availible HTTP Methods
742 - Use the NMAP HTTP-METHODS scan to find all methods available
743 - Native Modules
744 - These are only found in IIS
745 - SSL Handshake authentication
746 - The SERVER authenticates to the client (most common)
747 - WTLS
748 - Wireless Transport Security Protocol
749 - Has three security classes:
750 - Class 1: Anon Auth
751 - Class 2: Server Auth
752 - Class 3: Two-way Auth
753 - IISExploit
754 - A tool built for testing directory traversal attacks
755 - HTTP PUT attack
756 - This can:
757 - Get access to write privileges on a server
758 - Insert garbage data in sensitive locations
759 - Upload arbitrary scripts on a server and execute it
760 -
761 - Wireless
762 - EAP types
763 - EAP-TLS
764 - EAP-FAST
765 - EAP-AKA
766 - EAP-FAST
767 - Uses Protected Access Credentials to authenticate systems
768 - EAP-MD5
769 - One way authentication only
770 - Kismet
771 - sends no packets that can be logged
772 - Detects 802.11a/b/g/n
773 - Used on linux
774 - Kismet file types:
775 - .netxml
776 - Network data in XML format
777 - .nettxt
778 - Network data in TXT format
779 - .gpsxml
780 - Per packet GPS log
781 - ICMPTX
782 - IP over ICMP method / tool
783 - AircrackNG
784 - Relies on large amounts of traffic to work best
785 - Mobile Devices
786 - Android
787 - Bootloader
788 - Unlocked bootloader could allow for a "cold boot attack"
789 - Locked bootloader limits phone to mostly manufacturer and carrier approved software
790 - Locked bootloader prevents custom ROMS, kernels or startup files on phones
791 - Jail breaking techniques
792 - Userland
793 - iBoot
794 - Allows file system and iBoot access
795 - Bootrom
796 - Linux
797 - Environment variables
798 - TERM
799 - HOME
800 - EDITOR
801 - USER
802 - Commands
803 - CD .. (command)
804 - Goes back one directory
805 - PS -aux (command)
806 - Used for listing all running processes
807 - PS -a & PS -e achieve the same thing
808 - CD ../.. (command)
809 - Goes back two directories
810 - Touch (Command)
811 - This is used to change a file's timestamp
812 - Side effect, it "creates" the file again
813 - LS -la (Command)
814 - List all files in current directory AND display their permissions, size and owner
815 - the -l is "long list" which adds the details above
816 - The -a is "all files" which shows all files including hidden files
817 - DD (command)
818 - Creates an image of a volume
819 - Watch (command)
820 - This can be used to execute a command every "n" seconds
821 - Service [service name] stop
822 - This is how you stop services in linux
823 - On a linux webserver
824 - Document root is most likely in /var/www/
825 - After a reboot, files in /tmp are removed; it is usually mounted in memory, which is why it is cleared at shutdown
826 - Password hashes are stored in /etc/shadow file
827 - Linux text editors
828 - Jove
829 - VI
830 - Pico
831 - Nano
832 - /etc contains most of the linux config files
833 - Root UID is always 0
834 - ROOT default home directory
835 - /root
836 - SELinux
837 - This is a module to strengthen Linux's security
838 - Security Enhanced Linux
839 - Uses mandatory access control (MAC) style
840 - Malware Analysis
841 - Why perform Malware Analysis
842 - Assess the damage
843 - Determine level of sophistication
844 - To ID an attacker
845 - Rootkits can:
846 - Hide files
847 - Hide processes
848 - Hide Reg keys
849 - Footprinting
850 - Footprinting definition
851 - Gathering info about an organization's:
852 - Applications
853 - Network Architecture
854 - OS and version
855 - Blackwidow
856 - Used to copy all files on website
857 - Netcraft.com
858 - A feature found on this site called "What's the site running" allows someone to get publicly available info about technologies on websites
859 - PTR records
860 - These are the opposite of A records
861 - Used for reverse DNS lookups
862 - RIP has a 15 hop maximum
863 - The pipe operator has the same effect as the OR keyword in Google searches
864 - Tools to automate gathering competitive intelligence in Kali
865 - Paros
866 - Recon-ng
867 - Maltego
868 - Golismero
869 - Network
870 - Evading IDS
871 - False Negative
872 - Characterized by the IDS failing to properly classify attacks as an attack
873 - Does not trigger IDS alerts
874 - Common ways to evade IDS
875 - Encode/Embed payload into a powerpoint presentation
876 - Fragment the payload
877 - Encode the payload
878 - Use Unicode
879 - Decoy Traffic
880 - Gratuitous ARP
881 - Used to send an unsolicited ARP reply to a host on the same subnet
882 - Used to inject bad info into ARP cache on target/victim
883 - Tools for ARP spoofing
884 - Arpspoof
885 - Ettercap
886 - Yersinia
887 - Low-level protocol attack tool
888 - Can become root bridge, create CDP neighbor, become active router in HSRP
889 - Focuses on layer 2 protocols
890 - IP Address and routing attacks
891 - DHCP Starvation
892 - Attack that broadcasts DHCP requests with spoofed MAC addresses to deplete the DHCP server's IP scope
893 - Defenses to MITM
894 - TLS over HTTP
895 - Stronger mutual authentication
896 - Secure DNS extension
897 - MACOF
898 - Used to flood switches with MAC addresses
899 - SMBRelay
900 - Can be used for MITM attacks
901 - Session Fixation
902 - An attack that forces a user's session ID to be a specific value
903 - Firewalking
904 - Term used to describe the method of analyzing a firewall for vulnerabilities
905 - ACK Flag Probe Scan
906 - This method is used to determine whether the host is protected by some kind of filtering
907 - Attacker sends ACK with random sequence to the target
908 - If no response, that means there is a firewall
909 - If a RST is received, it means the port is closed
910 - SCP (Secure Copy Protocol) uses SSH on Port 22
911 - FTPS uses SSL/TLS on port 21
912 - TCP Flags
913 - Fin aka Finish, no more transmissions will be sent
914 - Syn aka Synchronize, step 1 in 3-way handshake
915 - Syn Ack, step 2 in 3-way handshake
916 - Ack, step 3 in 3-way handshake
917 - RST resets connections
918 - FTP is a TCP service
919 - Control runs on port 21
920 - Data on Port 20
921 - TACACS+ uses TCP or UDP
922 - Wireshark
923 - Filter on IP
924 - ip.addr=XXX.XXX.XXX.XXX
925 - Filter on source
926 - ip.src=XXX.XXX.XXX.XXX
927 - Filter on Destination
928 - ip.dst=XXX.XXX.XXX.XXX
929 - Qualities of XMAS scan
930 - Inability to distinguish open and filtered ports
931 - Detection of closed ports
932 - fast scanning
933 - detection of open ports
934 - VERY NOISY
935 - ICMP
936 - ICMP runs on layer 3, does not need a port to function (a layer 4 service does)
937 - Type 3 (this means "destination unreachable")
938 - Code 10 = Destination unreachable because communication with Destination host is administratively prohibited
939 - Code 13 = Administratively Prohibited
940 - Type 11
941 - Provide the source with a "time exceeded" message
942 - Type 8
943 - Echo
944 - Type 0
945 - Echo Reply
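An added example, not from the original notes, that decodes the ICMP header fields the notes list (type, code) and verifies the RFC 1071 checksum, with a helper that builds constructed sample messages to parse. The type 3 / code 10 and 13 replies are the ones a scanner interprets as "a filter rejected the probe", so a small classifier for that case is included.

```python
import struct

# Names for the ICMP types and "destination unreachable" codes the notes mention.
ICMP_TYPES = {0: "echo reply", 3: "destination unreachable", 8: "echo request", 11: "time exceeded"}
UNREACHABLE_CODES = {
    0: "net unreachable",
    1: "host unreachable",
    3: "port unreachable",
    10: "communication with destination host administratively prohibited",
    13: "communication administratively prohibited",
}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4, payload: bytes = b"") -> bytes:
    """Construct an ICMP message; used here only to make sample packets for the parser."""
    header = struct.pack("!BBH", icmp_type, code, 0) + rest
    checksum = icmp_checksum(header + payload)
    return struct.pack("!BBH", icmp_type, code, checksum) + rest + payload


def parse_icmp(packet: bytes) -> dict:
    """Decode type, code and checksum validity; the checksum of an intact message folds to 0."""
    if len(packet) < 8:
        raise ValueError("ICMP header is 8 bytes")
    icmp_type, code, _ = struct.unpack("!BBH", packet[:4])
    description = ICMP_TYPES.get(icmp_type, "type %d" % icmp_type)
    if icmp_type == 3:
        description += ": " + UNREACHABLE_CODES.get(code, "code %d" % code)
    return {
        "type": icmp_type,
        "code": code,
        "checksum_ok": icmp_checksum(packet) == 0,
        "description": description,
    }


def indicates_admin_filter(parsed: dict) -> bool:
    """Type 3 with code 10 or 13 is the classic 'a filter rejected you' reply."""
    return parsed["type"] == 3 and parsed["code"] in (10, 13)


if __name__ == "__main__":
    print(parse_icmp(build_icmp(3, 13)))
```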
946 - ARP Poisoning
947 - Invalid entries are inserted into the ARP cache
948 - Results in the attacker's MAC address being linked to a valid IP address
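An added detection example (not part of the original notes) for the gratuitous-ARP and ARP-poisoning items above: it reads constructed tcpdump-style ARP lines and raises an alert when a reply arrives that no request asked for, when an IP's MAC binding changes, or when one MAC starts claiming several IPs. The log format and addresses are constructed for the example.

```python
import re

# Constructed ARP log sample: line 2 is a normal answer, lines 3 and 4 show one MAC taking over two IPs.
SAMPLE_ARP_LOG = """\
2019-11-12T08:24:01 request who-has 192.168.1.1 tell 192.168.1.20
2019-11-12T08:24:01 reply 192.168.1.1 is-at aa:bb:cc:dd:ee:01
2019-11-12T08:24:05 reply 192.168.1.1 is-at 00:11:22:33:44:55
2019-11-12T08:24:06 reply 192.168.1.20 is-at 00:11:22:33:44:55
"""

ARP_RE = re.compile(
    r"^(?P<ts>\S+) (?:request who-has (?P<req_ip>\S+) tell \S+"
    r"|reply (?P<ip>\S+) is-at (?P<mac>[0-9a-fA-F:]{17}))$"
)


def detect_arp_anomalies(log_text):
    """Return a list of (alert_kind, ip, mac) tuples in the order they were observed."""
    bindings = {}      # ip -> mac learned from replies
    pending = set()    # ips that were asked for and not yet answered
    alerts = []
    for line in log_text.splitlines():
        m = ARP_RE.match(line.strip())
        if not m:
            continue
        if m.group("req_ip"):
            pending.add(m.group("req_ip"))
            continue
        ip, mac = m.group("ip"), m.group("mac").lower()
        if ip in pending:
            pending.discard(ip)
        else:
            # Nobody asked: a gratuitous/unsolicited reply, the poisoning primitive.
            alerts.append(("unsolicited_reply", ip, mac))
        previous = bindings.get(ip)
        if previous and previous != mac:
            alerts.append(("binding_changed", ip, mac))
        bindings[ip] = mac
        claimants = [known_ip for known_ip, known_mac in bindings.items() if known_mac == mac]
        if len(claimants) > 1:
            alerts.append(("mac_claims_multiple_ips", ip, mac))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_anomalies(SAMPLE_ARP_LOG):
        print(*alert)
```

Static ARP entries for critical hosts and the DHCP-snooping bindings mentioned later in the notes give the same signal with less noise, because the switch already knows which IP/MAC pairs are legitimate.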
949 - RADIUS uses only UDP
950 - Sniffing countermeasures
951 - Use encryption
952 - Restrict physical access to network
953 - Wifi access points function like HUBS (not like switch)
954 - DNS
955 - Zone transfers use TCP 53
956 - Queries use UDP 53
957 - TCP
958 - Transport layer protocol
959 - Establishes end to end connection before transmitting data
960 - Uses sequence numbers to identify each byte of data.
961 - The sequence number identifies the order of the bytes sent from each computer
962 - The sequence number of the first byte of data is determined during the 3-way handshake
963 - How to start a properly formed HTTP request?
964 - HEAD / HTTP/1.0
965 - SCP, SFTP, SSH all use port 22
966 - Application layer protocols
967 - SNMP
968 - DNS
969 - Telnet
970 - Three way handshake
971 - 1: Syn
972 - 2: Syn / Ack
973 - 3: Ack
974 - Fraggle
975 - DOS attack
976 - Sends a large amount of spoofed UDP traffic to a router's broadcast address
977 - Similar to smurf, but uses UDP instead of ICMP
978 - Most routers no longer forward packets sent to the broadcast address, remediating this
979 - Common ports
980 - Telnet = 23 (TCP)
981 - Internet Printing Port = 631 (TCP)
982 - SSH / SCP / SFTP = 22 (TCP)
983 - SMTP = 25
984 - DNS = 53
985 - TFTP = 69
986 - Microsoft SQL Server = 1433 (TCP)
987 - LDAP = 389
988 - IMAP = 143 (TCP)
989 - SNMP Listener = 161 (UDP)
990 - L2TP = 1701 (UDP)
991 - LDAP over SSL/TLS = 636 (TCP/UDP)
992 - Tacacs/Tacacs+ = 49
993 - NTP = UDP 123
994 - Pop3 = TCP 110
995 - HTTPS = TCP 443
996 - NetBios = 137, 138, 139
997 - RDP = 3389
998 - FTP (Control) = 21 TCP
999 - FTP (Data) = 20 TCP
1000 - PPTP = 1723
1001 - IPSEC = 500
1002 - Kerberos = 88
1003 - SMB = 445
1004 - POP3 over SSL = 995
1005 - SNMP Async trap = 162
1006 - DHCP = 67/68 UDP
1007 - NFS = 2049
1008 - Syslog = 514
1009 - IRC = 6667
1010 - CIFS (common internet file service) = TCP 445
1011 - Automatic network simulation that uses real-time data relies on UDP (NOT TCP)
1012 - TCP/IP Model
1013 - This has 4 layers (do not confuse with OSI model)
1014 - SNMP
1015 - A protocol specifically designed for transporting event messages
1016 - Low Orbit Ion Cannon (LOIC)
1017 - Open Source network stress testing tool and DOS application
1018 - Documentation
1019 - Policies
1020 - Policies should be as short as possible; shorter policies are usually easier to understand
1021 - Maximum of three pages (best practice)
1022 - Helps to improve security awareness
1023 - They should:
1024 - NOT contain specific info
1025 - avoid using directive words like should, may, can
1026 - USE words like MUST and WILL
1027 - Database terms and definitions
1028 - Atomicity
1029 - The property of a transaction that guarantees that either all or none of the changes made by the transaction are written to the DB.
1030 - Concurrency
1031 - The property in which two or more computing processes are executing at the same time.
1032 - How to best describe a hierarchical database?
1033 - They form a tree of data, made out of records and fields to make a logical tree structure
1034 - A child node (in a hierarchical database) can have only one parent.
1035 - The root node has no parent
1036 - Stored Procedures
1037 - These can be used to limit the potential for SQL injections
1038 - With stored procedures, the SQL statement lives on the DB server and can only be modified by the DB Admin
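An added example (not from the original notes) of the point behind stored procedures: keeping the SQL text fixed and passing user input as a separate value. SQLite has no stored procedures, so a parameterized query stands in for the fixed procedure body; the in-memory table is constructed for the example. The "before" function pastes input into the statement, so the single quote the notes later mention as a SQL-injection probe breaks it, and so does a legitimate name such as o'brien.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("o'brien", "user")])
    return conn


def lookup_vulnerable(conn, username):
    """'Before' code: input is pasted into the SQL text, so a quote changes the statement."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """SQL text is fixed; the value travels separately, as it does in a stored procedure call."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def probe(conn, lookup, username):
    """Run lookup and report how it behaved: ('rows', [...]) or ('error', message)."""
    try:
        return ("rows", lookup(conn, username))
    except sqlite3.Error as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    for name in ("alice", "o'brien", "'"):
        print(repr(name), probe(db, lookup_vulnerable, name), probe(db, lookup_parameterized, name))
```

The database error from the vulnerable path is exactly the signal a scanner looks for when it sends a quote; the parameterized path returns an empty result set and never exposes a parse error.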
1039 - Database definition
1040 - An organized collection of data
1041 - Has schemas, tables, queries, reports, views and other objects
1042 - Database normalization
1043 - Considered the most important part of database design
1044 - Ensures that attributes in a table depend only on a primary key
1045 - Commit
1046 - Type of mechanism that periodically saves database information while it is being modified by users or applications.
1047 - Database admins should be allowed to:
1048 - Reorganize DB
1049 - Maintain DB
1050 - Implement Access Rules
1051 - DB admin should not:
1052 - Authorize access to a DB (separation of duties)
1053 - Foreign Key
1054 - A Column or group of columns in a relational database that provides a link between data in two tables. It acts as a cross reference.
1055 - Relational Databases
1056 - Contain two-dimensional tables of related data
1057 - Tuple
1058 - Tuple = series of values (usually numbers)
1059 - In a relational database a tuple (one record or row) is identified by the relations primary key
1060 - Cardinality
1061 - A ratio of unique values to the total number of values
1062 - number of unique values for an attribute or key in a relation
1063 - Trusted front end
1064 - Used for retrofitting multilevel security to a DBMS
1065 - Schema
1066 - Used to describe the structure of a database
1067 - Rollback
1068 - Canceling a set of changes and restoring the DB to its prior state is called a Rollback
1069 - Locking
1070 - Mechanism used by databases to avoid collisions where two or more programs may be updating the same table at the same time
1071 - Database Management System types (4)
1072 - Hierarchical
1073 - Network
1074 - Relational
1075 - Object-oriented
1076 - Data Dictionary
1077 - This is a collection of descriptions of the data objects or items in a data model for the benefit of programmers and others who need to refer to them.
1078 - Central repository of metadata and data relationships
1079 - Database "view"
1080 - This is a searchable object in a database that is defined by a query.
1081 - Does not store data, but can pull data from two or more tables
1082 - SQL Sub languages
1083 - DDL = Data Definition Language
1084 - Syntax is similar to a computer programming language
1085 - Used for defining data structures, especially database schemas
1086 - Examples: "create table" & "alter table"
1087 - DML = Data Manipulation Language
1088 - This is used to retrieve, store, modify, insert and update data in a DB
1089 - Examples: "INSERT", "SELECT", "DELETE"
1090 - Database Integrity services (3)
1091 - Semantic
1092 - Ensures semantic and structural rules are enforced
1093 - These rules pertain to data types, logical values, uniqueness constraints, etc...
1094 - Referential
1095 - When all foreign keys reference existing primary keys, this exists
1096 - Entity
1097 - This guarantees that the tuples are uniquely identified by primary key values
1098 - Cell suppression
1099 - A technique used to hide specific cells that contain sensitive information
1100 - Database Relation
1101 - Term associated with data that is represented by a collection of tables
1102 - Common ways to prevent inference attacks
1103 - Partition the DB
1104 - Add noise to the DB
1105 - cell suppression
1106 - Information Systems vulnerabilities
1107 - Common Criteria
1108 - Target of Evaluation (TOE)
1109 - System being evaluated
1110 - Protection Profile (PP)
1111 - A document, usually created by a user, identifying security requirements for a class of security devices
1112 - Security Target (ST)
1113 - This is the document that identifies the security properties of the TOE
1114 - Can claim conformance to one or more PPs
1115 - Security Functional Requirements (SFR)
1116 - Specifies individual security functions which may be provided by a product
1117 - Security Assurance Requirements (SAR)
1118 - Describes the measures taken during development and evaluation of the product to assure compliance with the claimed security functionality
1119 - Evaluation Assurance Level
1120 - Numerical rating describing the depth and rigor of an evaluation
1121 - CVSS
1122 - Common Vulnerability Scoring System
1123 - Provides a way to capture the principal characteristics of a vulnerability and provides a numerical score
1124 - SQL Injection tools
1125 - SQL Injector
1126 - Absinthe
1127 - Havij
1128 - SQL Ninja
1129 - Pangolin
1130 - Which HTTP method could allow an attacker to use a system as a file repo?
1131 - HTTP PUT
1132 - HTTP POST is used to create
1133 - HTTP PUT is used to place a file somewhere (think "Put this file here on the server..")
1134 - CVE
1135 - Common Vulnerabilities and Exposures
1136 - This is a dictionary of common names (CVE ID's) for publicly known cyber security vulnerabilities
1137 - Cache poisoning
1138 - Also referred to as DNS spoofing
1139 - "cache" refers to DNS server cache, not ARP cache
1140 - OSSTMM (Open Source Security Testing Methodology Manual)
1141 - Three compliance types
1142 - Legislative
1143 - Contractual
1144 - Standards
1145 - PCI DSS is a contractual type of compliance
1146 - Inference Engine
1147 - Uses forward chaining & backward chaining
1148 - Part of an "expert system", programmed using AI techniques
1149 - NIKTO
1150 - Web vulnerability scanner
1151 - Controls for vulnerability scanners
1152 - Use a dedicated admin account
1153 - Limit scanning from a single or small sub-set of IPs
1154 - TCB (Trusted Computing Base)
1155 - Everything in a computing system that provides a secure environment
1156 - This includes:
1157 - OS
1158 - Software
1159 - Hardware
1160 - Firmware
1161 - Attack Vector
1162 - A metric that reflects how vulnerabilities are exploited
1163 - Salami Attack
1164 - An attack in which criminals take a small amount of money over time adding up to large sums
1165 - Threat
1166 - This is the potential exploitable danger associated with a vulnerability
1167 - Common vulnerability scanners
1168 - Nexpose
1169 - Nessus
1170 - OpenVAS
1171 - Nikto
1172 - CVSS = Common Vulnerability Scoring System
1173 - Free open source, industry standard means to assess vulnerabilities
1174 - Overt channel
1175 - This is the normal and legitimate way that programs communicate within a computer system or network.
1176 - Covert channel definition
1177 - A covert channel is a type of computer security attack that creates a capability to transfer information objects between processes that are not supposed to be allowed to communicate by the computer security policy
1178 - Communication method that allows transferring information in a way that violates the system's security policy
1179 - Covert comm can also take advantage of unused TCP/IP header fields to carry data (remains hidden)
1180 - TEMPEST
1181 - A military term used to name the study of electromagnetic emissions that are emanated from an electronic source
1182 - The use of a ' in a URL can identify SQL injection vulnerabilities
1183 - Threats * Vulnerabilities * Asset Value = Total Risk
1184 - Aggregation (attack)
1185 - This is a type of attack that combines (aggregates) non-sensitive info to learn sensitive info.
1186 - Race Condition
1187 - A race condition is a behavior of a system where the output is dependent on the sequence or timing of other uncontrollable events
1188 - Buffer Overflow
1189 - Condition caused when data exceeds its memory allocation
1190 - One of the most common programmer-generated flaws
1191 - C++ functions to avoid
1192 - strcpy(), strcat(), streadd()
1193 - These are vulnerable to buffer overflows
1194 - Null Operation (NOP)
1195 - Used at the beginning of code in a buffer overflow during an attack
1196 - Cross site request forgery (CSRF)
1197 - AKA one-click attack
1198 - AKA session riding
1199 - Forces an end user to execute unwanted actions on a web app in which they are currently authenticated
1200 - CSPP Attack
1201 - Connection String Parameter Pollution
1202 - Uses the ";" character to perform attack
1203 - hyperlink spoofing
1204 - Rely on users not verifying the domain name in a URL
1205 - Asynchronous attack
1206 - AKA TOC/TOU attack (time of check / time of use)
1207 - Targets timing
1208 - Data mining
1209 - Examining large amounts of data looking for sensitive info
1210 - Transaction Management Systems
1211 - Intended to prevent:
1212 - Deadlock
1213 - DoS
1214 - Data loss
1215 - HTTP Digest authentication
1216 - This applies a hash function to the username and password before sending them over a network
1217 - Hashing is weak, even though it is salted allowing attackers to break the integrity of the communication
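An added example, not from the original notes, of the HTTP Digest computation (RFC 2617 with qop=auth): the client sends MD5 digests built from the username, realm and password, the server verifies from a stored HA1 without ever seeing the password, and the server-issued nonce plays the salt role the notes refer to. The nonce ledger that refuses a repeated nonce-count is an addition beyond the notes; realm and user values in the usage are constructed.

```python
import hashlib
import secrets


def _md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password); this is all the server has to store."""
    return _md5_hex(f"{username}:{realm}:{password}")


def client_response(username, password, realm, method, uri, nonce,
                    nc="00000001", cnonce=None, qop="auth"):
    """Compute the 'response' value the client puts in its Authorization header."""
    cnonce = cnonce or secrets.token_hex(8)
    ha1 = digest_ha1(username, realm, password)
    ha2 = _md5_hex(f"{method}:{uri}")
    response = _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return response, cnonce


def server_verify(stored_ha1, method, uri, nonce, nc, cnonce, response, qop="auth"):
    """Recompute from the stored HA1; the password itself never crosses the wire."""
    ha2 = _md5_hex(f"{method}:{uri}")
    expected = _md5_hex(f"{stored_ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return secrets.compare_digest(expected, response)


class NonceLedger:
    """Tracks nonces the server issued and the highest nc accepted, so a captured
    Authorization header cannot simply be replayed."""

    def __init__(self):
        self._issued = {}   # nonce -> last nc accepted

    def issue(self) -> str:
        nonce = secrets.token_hex(16)
        self._issued[nonce] = 0
        return nonce

    def accept(self, nonce: str, nc: str) -> bool:
        if nonce not in self._issued:
            return False
        count = int(nc, 16)
        if count <= self._issued[nonce]:
            return False    # replayed or reordered
        self._issued[nonce] = count
        return True


if __name__ == "__main__":
    ledger = NonceLedger()
    nonce = ledger.issue()
    ha1 = digest_ha1("user", "example-realm", "correct horse")      # constructed credentials
    resp, cnonce = client_response("user", "correct horse", "example-realm", "GET", "/", nonce)
    print(ledger.accept(nonce, "00000001") and
          server_verify(ha1, "GET", "/", nonce, "00000001", cnonce, resp))
```

Note what the stored HA1 buys an attacker who steals it: it is enough to answer challenges for that realm, which is why the notes call the scheme weak despite the nonce.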
1218 - Open Source Vulnerability Database (OSVDB)
1219 - Independent, open source database created by and for the community
1220 - Holds more than 66,000 exploits
1221 - Exploit Database (EDB)
1222 - Control Zone
1223 - Type of TEMPEST countermeasure involving implementation of protection devices that reduces electrical emissions (like white noise machine or faraday cage)
1224 - Threat Event
1225 - The accidental or intentional exploitation of vulnerabilities carried out by a threat agent
1226 - Zero Day
1227 - Previously undiscovered or unpublished flaw in a software application
1228 - Cross site scripting (XSS)
1229 - An attack in which the attacker injects malicious script into a web page where a victim clicks on the malicious code, allowing the attacker to access the victims cookies
1230 - Can be mitigated by blocking HTML tags from data inputs (think username fields or email submissions)
1231 - Perturbation
1232 - Is a technique of inserting bogus info in the hopes of misdirecting an attacker or confusing the matter enough that the actual attack will not be fruitful
1233 - AKA DISINFORMATION
1234 - SOAP = Simple Object Access Protocol
1235 - This is used to exchange XML messages
1236 - Data mining techniques
1237 - KDT = Knowledge Discovery in Texts
1238 - Maintenance Hook
1239 - This is a mechanism (hardware or software) that is installed to permit maintenance of the system and bypasses the system's security protections
1240 - Setup by the installer or vendor of the system
1241 - Change control procedure purpose
1242 - Ensures all changes are authorized, tested and recorded
1243 - Inference Channels (3)
1244 - Abductive
1245 - Deductive
1246 - Statistical
1247 - VM Escaping
1248 - When malware or code run on a virtual machine allows the guest operating system in the VM to "break out" and interact with the hypervisor
1249 - Electromagnetic signals can result in data leakage
1250 - Vulnerability Assessment
1251 - The process of identifying, quantifying and prioritizing (ranking) vulnerabilities found in a system
1252 - Symlink race = TOCTOU = Race condition
1253 - This is a type of asynchronous attack
1254 - SODA = Secure Object-oriented Database
1255 - Uses Polyinstantiation and is a remedy for multiparty update conflicts
1256 - Covert Storage Attack
1257 - This occurs when a higher-level subject writes data to the storage area and a lower-level subject reads that data
1258 - Timing channel
1259 - This is a type of covert channel
1260 - Used by a Trojan where it loops and waits in cycles
1261 - Polyinstantiation
1262 - Used in database information security to hide information
1263 - Shellshock
1264 - Discovered in 2014
1265 - Gave attackers the ability to run remote commands on vulnerable systems (linux)
1266 - Defense for Aggregation and Inference Attacks
1267 - Constant vigilance over permission granted to users of databases is the best defense
1268 - Heartbleed
1269 - Allows an attacker to steal a private key
1270 - Discovered in OpenSSL
1271 - Discovered in 2014
1272 - When exploited, it leaks memory content from the server to the client
1273 - Ethical Hacking Fundamentals
1274 - Confidentiality
1275 - When only authorized users have access to particular data
1276 - SUDOers file
1277 - Contains
1278 - Host_Alias
1279 - Cmnd_Alias
1280 - User_Alias
1281 - Availability
1282 - Making sure data is accessible when permitted parties request it
1283 - Privacy Act of 1974
1284 - Governs how personally identifiable info can be used, collected and distributed by the US government
1285 - Shrink-wrap code attack
1286 - Takes advantage of the built-in code and scripts most off-the-shelf applications come with
1287 - John the Ripper
1288 - Well known, linux brute force password tool
1289 - SNMP
1290 - Usually uses UDP
1291 - Doxxing
1292 - Publishing PII about someone that has been collected from a publicly available database and social media.
1293 - grey-box testing
1294 - Less likely to make assumptions about the environment than white box testing
1295 - More expedient and can skip past recon efforts
1296 - Purpose of key escrow
1297 - Access Sensitive data if the need arises
1298 - How many tiers in N-tier implementation?
1299 - three or more tiers
1300 - In this model, the presentation, application processing and data management processes are separated (three or more tiers)
1301 - Enumeration
1302 - Net view
1303 - Used to obtain a list of all the shared resources of a remote host or workgroup
1304 - Windows only
1305 - SNScan
1306 - Used to access info related to SNMP
1307 - From mcafee
1308 - Onesixtyone
1309 - A tool for achieving unauthorized access
1310 - Uses a dictionary attack to try and guess the community strings
1311 - SNMPWalk
1312 - Can be used to enumerate SNMP messages or settings on a device
1313 - Requires you find the community string
1314 - Metagoofil
1315 - Information gathering tool built to extract metadata of public documents
1316 - Can gather info like usernames, software versions, servers or machine names
1317 - Sniffing
1318 - Traffic padding is an effective way to hide traffic
1319 - Omnipeek
1320 - Sniffer AKA Etherpeek
1321 - packet analyzer
1322 - MAC Flooding can be used to sniff traffic in a switched network
1323 - Two types of sniffing
1324 - Passive
1325 - Listening/capturing traffic
1326 - Undetectable
1327 - Active
1328 - ARP spoofing
1329 - Detectable
1330 - CACE Pilot
1331 - Network analysis system
1332 - GUI based analyzer, integrates with wireshark
1333 - Promiscuous mode
1334 - Allows NIC to send all traffic to CPU rather
1335 - DHCP snooping bindings
1336 - Used to prevent IP and MAC address spoofing
1337 - IP Restrictions scanner (IRS)
1338 - Scans for IP restrictions set for a particular host or IP
1339 - Combines ARP poisoning with half-scan techniques
1340 - Session Hijacking
1341 - Session state parameters
1342 - Session ID
1343 - Master secret
1344 - Peer cert
1345 - Bad practices when making session keys
1346 - sequences
1347 - Weak random number generation
1348 - time dependency
1349 - Ways to prevent session hijacking
1350 - Create session keys with lengthy/random numbers making guessing harder
1351 - Reduce the life span of the session or cookie
1352 - Expire session when user logs out
1353 - Regen session key once user logs in
1354 - How Hijacking occurs
1355 - Attacker uses sniffing to read traffic between two parties to steal cookie
1356 - Attacker tricks users computer into running code which is treated as trustworthy
1357 - Sets a user's session id to one known to him
1358 - Session ID best practices
1359 - Don't allow users to choose session IDs
1360 - Ensure that each user gets a clean session ID on every visit to site
1361 - Use cookies for storing session values
1362 - Sidejacking exploit
1363 - Steals the users session cookie
1364 - Tools used for session hijacking
1365 - T-Sight
1366 - Can monitor network connections in real time
1367 - Intrusion and response tool
1368 - En Garde systems developed it
1369 - Burp Suite
1370 - Can perform session hijacking
1371 - Juggernaut
1372 - HUNT Project
1373 - Hamster
1374 - Can also perform session hijacking
1375 - Firesheep
1376 - Extension for FireFox that uses packet sniffer to intercept unencrypted cookies
1377 - Cookies for session management
1378 - Cookies are usually more difficult to modify than hidden fields in CGI params
1379 - Cookies can be restricted to a specific site or subsection of a site, or set to expire automatically
1380 - Cookies can be protected by setting the secure flag (protecting them from sniffing)
1381 - 3 phases of session hijacking
1382 - Tracking session
1383 - Desynching connection
1384 - injecting attackers packet
1385 - PHP session ID passing methods
1386 - Cookies
1387 - URL Parameters
1388 - 3 Types of hijack attacks
1389 - Active
1390 - Passive
1391 - Hybrid
1392 - Session ID's occur at the Application Layer of the OSI model
1393 - Microsoft IIS session token parameter
1394 - ASPSESSIONID
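An added example (not from the original notes) that puts the session-hijacking countermeasures above into one small server-side session store: IDs come from a CSPRNG rather than a sequence or timestamp, a client-supplied ID the server never issued is ignored (which defeats fixation), the ID is regenerated at login, sessions expire on an idle timeout and are invalidated server-side at logout, and the Set-Cookie line carries the Secure and HttpOnly flags. The cookie name and the timeout value are assumptions for the example.

```python
import secrets
import time

SESSION_TTL = 15 * 60   # constructed idle timeout in seconds; the notes only say "reduce the life span"


class SessionStore:
    """Server-side session table; the cookie carries only an opaque, server-issued ID."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self._sessions = {}        # sid -> {"user": str | None, "expires": float}

    @staticmethod
    def _new_sid() -> str:
        # 32 bytes from the CSPRNG: no sequence, no timestamp, nothing to predict.
        return secrets.token_urlsafe(32)

    def start(self) -> str:
        sid = self._new_sid()
        self._sessions[sid] = {"user": None, "expires": self._now() + SESSION_TTL}
        return sid

    def lookup(self, client_sid):
        """Return the session for a valid, unexpired, server-issued ID; otherwise None.

        An ID the server never issued is simply unknown, so a value planted by an
        attacker (session fixation) can never become a live session.
        """
        session = self._sessions.get(client_sid)
        if session is None:
            return None
        if session["expires"] < self._now():
            del self._sessions[client_sid]
            return None
        session["expires"] = self._now() + SESSION_TTL   # sliding idle timeout
        return session

    def login(self, client_sid, user) -> str:
        """Rotate the ID at the privilege change: whoever knew the old ID knows nothing useful."""
        self._sessions.pop(client_sid, None)
        new_sid = self._new_sid()
        self._sessions[new_sid] = {"user": user, "expires": self._now() + SESSION_TTL}
        return new_sid

    def logout(self, client_sid) -> None:
        # Server-side invalidation, not just deleting the cookie in the browser.
        self._sessions.pop(client_sid, None)


def session_cookie_header(sid: str, name: str = "SESSIONID", max_age: int = SESSION_TTL) -> str:
    """Set-Cookie line: Secure keeps the ID off cleartext HTTP, HttpOnly keeps it away from scripts."""
    return (f"Set-Cookie: {name}={sid}; Path=/; Max-Age={max_age}; "
            f"Secure; HttpOnly; SameSite=Lax")


if __name__ == "__main__":
    store = SessionStore()
    sid = store.login(store.start(), "alice")
    print(session_cookie_header(sid))
```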
1395 - Tools
1396 - Kismet
1397 - Sniffing tool for linux
1398 - Kismet "is truly passive" per EC Council
1399 - Windump
1400 - Windows version of TCPDump
1401 - NBTSTAT
1402 - Used to display NetBIOS info like name tables, name cache, NetBIOS over TCP/IP protocol stats
1403 - nbtstat -a
1404 - lists remote machines name table given its name
1405 - nbtstat -A
1406 - lists the remote machine's name table given its IP address
1407 - nbtstat -c
1408 - Lists NBT's cache of remote machine names and ip addresses
1409 - nbtstat -r
1410 - Lists names resolved by broadcast and via WINS
1411 - nbtstat -R
1412 - Purges and reloads the remote cache name table
1413 - nbtstat -S
1414 - list sessions table with destination IP addresses
1415 - nbtstat -s
1416 - lists sessions table converting dest ip addresses to netbios names
1417 - nbtstat -RR
1418 - Sends name release packets to WINS and then starts a refresh
1419 - NSLookup
1420 - To enter interactive mode type NSLOOKUP
1421 - Set type = (MX, PTR, A, ANY, SOA, NS, CNAME, SRV)
1422 - server hostname (server DNSservername for example)
1423 - NMAP
1424 - NMAP -A = Combines OS detection, script scanning, version scanning
1425 - NMAP -sS = tcp syn scan
1426 - Also called a "half open scan" or "stealth scan"
1427 - NMAP -sT = TCP Connect scan
1428 - NMAP -sF = TCP FIN scan
1429 - NMAP -sX = Xmas tree scan
1430 - Has FIN, URG, PSH flags set
1431 - NMAP -sC = Run Default Script
1432 - Enables script scanning with the NMAP script engine (NSE)
1433 - NMAP -sP = Ping scan
1434 - NMAP -sV = Version Detection Scan
1435 - NMAP -sU = UDP Scan
1436 - NMAP -sO = IP Protocol Scan
1437 - NMAP -O = OS Scan
1438 - NMAP -sA = ACK scan
1439 - Can be used to find out if a network is behind a firewall
1440 - Logic: Ack is not how you start a TCP connection; if a firewall exists on the other side it will block the ACK and no response will be sent (filtered). If there is no firewalling, the host will respond with a RST because the ACK was unexpected (open).
1441 - NMAP -sW = Windows Scan
1442 - NMAP -sR = RPC Scan (Now alias for -sV)
1443 - NMAP -sL = List scan
1444 - NMAP -sI = Idle scan
1445 - NMAP -b = FTP Bounce Attack
1446 - NMAP -P0 = For hosts that don't respond to pings
1447 - NMAP -PT = TCP Ping
1448 - NMAP -PS = SYN PING
1449 - NMAP -PI = ICMP Ping
1450 - NMAP -PB = PI and PT Ping
1451 - NMAP -PP = ICMP Timestamp
1452 - NMAP -PM = ICMP Netmask
1453 - NMAP -oN = Normal output
1454 - NMAP -oX = NMAP XML Output
1455 - NMAP -oG = NMAP Grepable output
1456 - NMAP -oA = NMAP all output
1457 - NMAP -P <PORT RANGES>
1458 - NMAP --randomize-hosts -O
1459 - NMAP --traceroute enables traceroute
1460 - Paranoid scan
1461 - serial scan
1462 - wait 300 sec
1463 - Sneaky scan
1464 - Serial scan
1465 - wait 15 sec
1466 - Polite scan
1467 - serial scan
1468 - wait 0.4 sec
1469 - Normal scan
1470 - parallel scan
1471 - Aggressive scan
1472 - parallel scan
1473 - 300 sec timeout
1474 - 1.25 sec/probe
1475 - Insane scan
1476 - parallel scan
1477 - 75 second timeout
1478 - 0.3 sec/probe
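An added example (not from the original notes) that turns the TCP flag facts, the XMAS-scan qualities and the -sA/ACK-probe logic above into detection logic on the receiving side: it reads constructed tcpdump-style lines and names each source whose traffic looks like a scan. The sample capture, the addresses and the SYN-sweep threshold are constructed for the example; tcpdump prints the ACK flag as "." and no flags as "none".

```python
import re
from collections import defaultdict

# Constructed tcpdump-style capture: a normal client, an XMAS scanner, an ACK prober,
# a SYN sweep across five ports, and a NULL probe.
SAMPLE_CAPTURE = """\
10.0.0.9.40000 > 10.0.0.5.22: Flags [S]
10.0.0.9.40000 > 10.0.0.5.22: Flags [.]
10.0.0.77.55001 > 10.0.0.5.80: Flags [FPU]
10.0.0.77.55002 > 10.0.0.5.443: Flags [FPU]
10.0.0.88.33000 > 10.0.0.5.21: Flags [.]
10.0.0.88.33000 > 10.0.0.5.23: Flags [.]
10.0.0.99.44001 > 10.0.0.5.21: Flags [S]
10.0.0.99.44002 > 10.0.0.5.22: Flags [S]
10.0.0.99.44003 > 10.0.0.5.25: Flags [S]
10.0.0.99.44004 > 10.0.0.5.80: Flags [S]
10.0.0.99.44005 > 10.0.0.5.443: Flags [S]
10.0.0.55.50000 > 10.0.0.5.25: Flags [none]
"""

LINE_RE = re.compile(
    r"^(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]$"
)


def classify_flags(flags: str) -> str:
    """Name the probe type from the TCP flag letters of one segment."""
    if flags == "none":
        return "null"
    present = set(flags.replace(".", "A"))
    if {"F", "P", "U"} <= present and not present & {"S", "A"}:
        return "xmas"
    if present == {"F"}:
        return "fin"
    if present == {"S"}:
        return "syn"
    if present == {"A"}:
        return "ack"
    return "other"


def detect_scans(capture: str, syn_port_threshold: int = 5) -> dict:
    """Return {source_ip: [reasons]} for sources whose traffic looks like port scanning."""
    per_src = defaultdict(lambda: {"xmas": 0, "null": 0, "fin": 0, "ack_probe": 0, "syn_ports": set()})
    opened = set()    # (src, dst, dport) for which this source sent a SYN first
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src, dst, dport = m.group("src"), m.group("dst"), int(m.group("dport"))
        kind = classify_flags(m.group("flags"))
        stats = per_src[src]
        if kind == "syn":
            stats["syn_ports"].add((dst, dport))
            opened.add((src, dst, dport))
        elif kind == "ack" and (src, dst, dport) not in opened:
            stats["ack_probe"] += 1      # bare ACK with no handshake: the ACK-probe pattern
        elif kind in ("xmas", "null", "fin"):
            stats[kind] += 1             # flag combinations no real client opens with
    findings = {}
    for src, stats in per_src.items():
        reasons = [k for k in ("xmas", "null", "fin") if stats[k]]
        if stats["ack_probe"]:
            reasons.append("ack-probe")
        if len(stats["syn_ports"]) >= syn_port_threshold:
            reasons.append("syn-sweep")
        if reasons:
            findings[src] = reasons
    return findings


if __name__ == "__main__":
    for src, reasons in detect_scans(SAMPLE_CAPTURE).items():
        print(src, ", ".join(reasons))
```

The XMAS, NULL and FIN cases need no state at all, which is the "VERY NOISY" quality from the notes in practice; the ACK probe only stands out once the detector remembers which connections the source actually opened.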
1479 - HPing2
1480 - Uses TCP by default
1481 - Has five different "modes" it can run in
1482 - RAW IP mode
1483 - ICMP mode
1484 - UDP Mode
1485 - NetCat
1486 - NCat ipaddress portnumber (connects to IP as client)
1487 - EX: ncat 192.168.0.1 80 (connects to IP at port 80)
1488 - NCat -l portnumber = Listen mode for inbound connections
1489 - EX: ncat -l 8000 (makes netcat listen on port 8000 for connections)
1490 - NCat -e programname = launches a program after a successful connection
1491 - NCat -L = Listen harder; re-listen on socket close
1492 - NCat -o = local port number
1493 - NCat -t = Answer telnet negotiation
1494 - NCat -u = UDP mode
1495 - NCat -v = verbose mode
1496 - NCat -w seconds = timeout for connects and final net reads
1497 - NCat -n = tells netcat to not perform DNS lookups on names of machines found
1498 - NetStumbler
1499 - inSSIDer
1500 - Aircrack-ng
1501 - golismero
1502 - unicornscan
1503 - Maltego
1504 - Tool that can analyze relationships between different entities
1505 - Can coordinate info from:
1506 - Companies
1507 - Organizations
1508 - People
1509 - Websites
1510 - Phrases
1511 - Documents
1512 - Files
1513 - Ettercap
1514 - NetSleuth
1515 - p0f
1516 - Nikto
1517 - Open source, web server scanner
1518 - Performs comprehensive tests against web servers including dangerous files and CGI's
1519 - Boson CEH study
1520 - ISO 27001 (Governance)
1521 - "Governance" standard
1522 - Security Standard also based on BS 7799 but focuses on governance
1523 - Defines a standard for creating an information security management system
1524 - ISO 27002 (Security Controls)
1525 - "Security controls" standard
1526 - Security Standard that recommends security controls based on industry best practices
1527 - Based on British Standard BS 7799
1528 - P0F
1529 - Passive OS fingerprinting tool
1530 - SSO
1531 - This is not a federated identity management model
1532 - G++
1533 - This is a C++ compiler
1534 - C++ compiles into .cpp file extensions
1535 - L2TP and PPTP operate at Datalink layer or layer 2 of OSI model
1536 - To take advantage of Shellshock / Bashbug
1537 - Send a specially crafted env variable with trailing commands
1538 - Cain & Abel can do:
1539 - Record and extract VOIP conversations
1540 - Capture/decrypt RDP traffic
1541 - Collect and prepare server certs for a MITM attack
1542 - Poison ARP tables
1543 - start/stop/pause/continue/remote windows services
1544 - detect 802.11 WLANs
1545 - reveal passwords in text boxes
1546 - Enumerate networks and extract SIDs
1547 - Retinal scan
1548 - Most likely to reveal private health info about a user
1549 - Considered invasive
1550 - Windows XP and Windows 7 do not respond to ICMP echo requests that are directed to a network address or broadcast address
1551 - HTTPOnly flag in cookies can mitigate XSS attacks
1552 - "Net" command
1553 - Can do the following:
1554 - Manage services
1555 - manage user accounts
1556 - connect to a remote resource
1557 - manage a printer queue
1558 - manage shared resources
1559 - Nmap, Xprobe, Queso - all active OS fingerprinting tools
1560 - Metamorphic virus
1561 - Rewrites itself each time it infects a new file
1562 - Microsoft Secure Development Lifecycle
1563 - Training
1564 - Train team members on security
1565 - Requirements
1566 - Establish security requirements
1567 - Create quality gates and bug bars
1568 - Design
1569 - Establish design requirements
1570 - Analyse attack surface
1571 - Use threat modeling
1572 - Implementation
1573 - Use approved tools
1574 - deprecate unsafe functions
1575 - perform static analysis
1576 - Verification
1577 - Perform dynamic analysis
1578 - Fuzz testing
1579 - Release
1580 - Create IRP
1581 - Final security review
1582 - Response
1583 - Everything that occurs after the software is released
1584 - Cain & Abel
1585 - Can crack Cisco VPN client passwords and record and extract VoIP conversations, which John the Ripper cannot do
1586 - HTTP PUT methods should be considered RISKY
1587 - This allows clients to update files on the webserver
1588 - A worm and a Bot can propagate without human interaction.
1589 - N-tier architecture
1590 - Allows each tier to be modified independently of the other tiers.
1591 - UTF-8
1592 - Enables Unicode characters to be represented in an ASCII-compatible encoding of 1 to 4 bytes per character
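To see what "1 to 4 bytes" means in practice, here is an added example (not part of these notes) that implements the UTF-8 byte layout by hand and a strict decoder. The decoder rejects overlong forms, the classic way a filter for "/" or "." was bypassed by encoding the same character in more bytes than necessary, which is why a security-minded decoder must check the minimum code point for each sequence length. Function names are my own.

```python
def utf8_encode(cp):
    """Encode one code point using the 1- to 4-byte UTF-8 layout."""
    if cp < 0 or cp > 0x10FFFF or 0xD800 <= cp <= 0xDFFF:
        raise ValueError("not a valid scalar value: %#x" % cp)
    if cp < 0x80:                                     # 1 byte: 0xxxxxxx (plain ASCII)
        return bytes([cp])
    if cp < 0x800:                                    # 2 bytes: 110xxxxx 10xxxxxx
        return bytes([0xC0 | (cp >> 6), 0x80 | (cp & 0x3F)])
    if cp < 0x10000:                                  # 3 bytes: 1110xxxx 10xxxxxx 10xxxxxx
        return bytes([0xE0 | (cp >> 12), 0x80 | ((cp >> 6) & 0x3F), 0x80 | (cp & 0x3F)])
    return bytes([0xF0 | (cp >> 18),                  # 4 bytes: 11110xxx + three continuations
                  0x80 | ((cp >> 12) & 0x3F), 0x80 | ((cp >> 6) & 0x3F), 0x80 | (cp & 0x3F)])


def utf8_decode_strict(data):
    """Decode UTF-8, rejecting truncated sequences, bad continuation bytes,
    surrogates, and overlong encodings (a code point written with more bytes
    than its shortest form, e.g. C0 AF for '/')."""
    out = []
    i = 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            n, cp, minimum = 0, b, 0
        elif 0xC0 <= b <= 0xDF:
            n, cp, minimum = 1, b & 0x1F, 0x80
        elif 0xE0 <= b <= 0xEF:
            n, cp, minimum = 2, b & 0x0F, 0x800
        elif 0xF0 <= b <= 0xF7:
            n, cp, minimum = 3, b & 0x07, 0x10000
        else:
            raise ValueError("invalid lead byte %#x at offset %d" % (b, i))
        if i + n >= len(data):
            raise ValueError("truncated sequence at offset %d" % i)
        for j in range(1, n + 1):
            c = data[i + j]
            if c & 0xC0 != 0x80:
                raise ValueError("bad continuation byte at offset %d" % (i + j))
            cp = (cp << 6) | (c & 0x3F)
        if cp < minimum:
            raise ValueError("overlong encoding at offset %d" % i)
        if 0xD800 <= cp <= 0xDFFF or cp > 0x10FFFF:
            raise ValueError("invalid code point %#x at offset %d" % (cp, i))
        out.append(chr(cp))
        i += n + 1
    return "".join(out)


def is_overlong(data):
    """Convenience check: True if the bytes decode only under a lenient decoder."""
    try:
        utf8_decode_strict(data)
        return False
    except ValueError as exc:
        return "overlong" in str(exc)
```

Python's own `bytes.decode("utf-8")` applies the same strictness; the hand-written version just makes the rule visible: each sequence length has a minimum code point, and anything below it is rejected rather than silently normalized.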
1593 - You can perform Blackjacking with BBProxy
1594 - Known plaintext attack
1595 - Attacker has access to both plaintext and cipher text!
1596 - Block ciphers
1597 - Encrypt specific blocks of data
1598 - ISECOM maintains the OSSTMM
1599 - NMAP IPADDRESS <--this will work, returning results of first 1000 ports
1600 - Signature based IDS have low false positive rates
1601 - Software interrupt
1602 - a signal that indicates an event has occurred
1603 - COBIT (Control Objectives for Information and Related Technology)
1604 - IT management framework that was created by ISACA AND IT Governance Institute (ITGI)
1605 - Four domains in COBIT
1606 - Planning and Organization
1607 - Acquisition and implementation
1608 - Delivery and support
1609 - Monitoring and Evaluation
1610 - ITIL (Information Technology Infrastructure Library)
1611 - Developed by the Central Computer and Telecommunications Agency (CCTA) for the UK Government
1612 - ITIL Standardizes IT management procedures
1613 - ITIL is divided into five main tasks:
1614 - Service strategy
1615 - Service design
1616 - Service transition
1617 - Service operation
1618 - Continual Service improvement
1619 - Windows NT 4.0 SP4 uses MD5 for hashing
1620 - Kismet
1621 - Supports Linux, Mac OS X, 802.11n and monitor mode
1622 - Kismet can be used as an IDS
1623 - NetStumbler
1624 - Only installed on Windows
1625 - Does not detect 802.11n
1626 - Detects 802.11a, 802.11b & 802.11g
1627 - Does not support monitor mode
1628 - ARP spoofing is most likely to occur because of a trust relationship
1629 - SC Query shows ONLY active services
1630 - 802.1X
1631 - Uses EAP (Extensible Authentication Protocol) to establish port-based Network Access Control
1632 - NIDS are often setup using Switch SPAN ports
1633 - 7 Categories of controls
1634 - Directive
1635 - Sometimes called procedural controls
1636 - Used to define appropriate use and behavior within an organization
1637 - Deterrent
1638 - Used to dissuade or deter a potential attack
1639 - EX: Sign that warns of an alarm or policy that threatens termination if a user does X
1640 - Preventive
1641 - Used to stop potential attacks by preventing users from performing specific actions
1642 - Compensating
1643 - Used to supplement directive controls
1644 - EX: An admin who reviews log data looking for policy violations
1645 - Detective
1646 - Used to monitor or send alerts about malicious or unauthorized activity
1647 - Corrective
1648 - Used to repair damage caused by malicious events
1649 - EX: AV taking action to repair damage caused by virus
1650 - EX: IPS blocking network traffic after detecting malicious traffic
1651 - Recovery
1652 - Used to restore system to a normal state after malicious activity has occurred
1653 - EX: A backup system
1654 - Port Scanning attack
1655 - This is an attempt to determine whether vulnerabilities exist on the computers
1656 - This is an attempt to access a computer through an open port
1657 - Application layer firewalls
1658 - Operate primarily at layer 7
1659 - Circuit layer firewalls
1660 - These operate at level 5 / session layer of OSI model
1661 - Packet filtering firewalls
1662 - These operate at the network level / Layer 3 of the OSI model
1663 - Stateful multi-layer firewalls
1664 - These combine qualities of other types of firewalls and operate at multiple layers
1665 - Hinfo (DNS record)
1666 - Contains info about the OSes used by an organization
1667 - CPU type
1668 - OS type
1669 - Job postings
1670 - This is a good way to gain info about the services and applications used in an organization
1671 - OSSTMM (Open Source Security Testing Methodology Manual)
1672 - Defines three types of compliance
1673 - Legislative
1674 - SOX, HIPAA
1675 - Contractual
1676 - PCI DSS
1677 - standards-based
1678 - ITIL, ISO, OSSTMM itself
1679 - WPA uses MIC (Message Integrity Checks)
1680 - MIC ensures frame integrity to protect against MITM attacks
1681 - Metagoofil
1682 - Uses google to search sites for DOC, PowerPoint, Excel, PDF and Open doc formats
1683 - Metagoofil can extract metadata from those docs to reveal potentially useful info
1684 - -f writes all the links to a date-time stamped .txt file instead of HTML
1685 - -t recognizes ALL which will search all 17576 three letter file extensions
1686 - -e allows you to specify the time delay between searches
1687 - -r specifies the number of threads to use when downloading files
1688 - PCI DSS Requirements
1689 - Requirement 1: Install/Maintain a Firewall
1690 - Requirement 2: Do not use vendor supplied defaults
1691 - Requirement 3: Protect Card Holder data
1692 - Requirement 4: Encrypt transmission of cardholder data across open/public network
1693 - Requirement 5: Use and regularly update AV
1694 - Requirement 6: Develop and maintain secure systems
1695 - Requirement 7: Restrict Access to cardholder data
1696 - Requirement 8: Assign a unique ID to each person with computer access
1697 - Requirement 9: Restrict physical access to cardholder data
1698 - Requirement 10: Track and monitor all access to network resources and cardholder data
1699 - Requirement 11: Regularly test security systems and processes
1700 - Requirement 12: Maintain a policy that addresses information security for all personnel
1701 - 802.11i (WPA2) uses block cipher instead of stream cipher
1702 - Libwhisker
1703 - Perl module that supports IDS evasion techniques
1704 - Nikto uses libwhisker for session splicing
1705- CEH Book (Matt Walker)
1706 - Chapter 1
1707 - Threat modeling
1708 - Five stages:
1709 - Identify security objectives
1710 - Application overview
1711 - Decompose Strategy
1712 - Identify threats
1713 - Identify vulnerabilities
1714 - EISA (Enterprise Information Security Architecture)
1715 - A collection of requirements and processes that help determine how an organization's information systems are built and how they work
1716 - Security Controls
1717 - Physical
1718 - Guards, lights, cameras
1719 - Technical
1720 - Encryption, smart cards, ACLs
1721 - Administrative
1722 - Training, awareness, policy efforts
1723 - Methods of security controls
1724 - Preventative
1725 - Authentication
1726 - Detective
1727 - Alerts on unauthorized access to resources
1728 - Corrective
1729 - backups and restoration options
1730 - ALE=SLE*ARO
1731 - ALE (Annualized loss expectancy)
1732 - SLE (single loss expectancy
1733 - ARO (annual rate of occurrence)
1734 - Bit flipping
1735 - Attack on integrity
1736 - Attack on encryption whereby an attacker manipulates bits in the plaintext to aid in deciphering the plaintext fed into the cipher
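The integrity point above is easiest to see with a stream cipher. The following is an added example, not from the notes: a toy XOR keystream (SHA-256 in counter mode, constructed for illustration and not a real cipher) shows that flipping ciphertext bits flips the same plaintext bits without knowing the key, and an encrypt-then-MAC wrapper shows the standard countermeasure, rejecting the message before decryption. Key, nonce and message values are constructed samples.

```python
import hashlib
import hmac

NONCE_LEN = 16
TAG_LEN = 32


def keystream(key, nonce, length):
    """Toy keystream: SHA-256 in counter mode. Constructed for the demonstration;
    the malleability shown holds for any XOR-based stream mode (RC4, CTR, ...)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_crypt(key, nonce, data):
    """Encrypt or decrypt (same operation) by XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def flip_field(ciphertext, offset, known, desired):
    """The bit-flipping step: XOR the ciphertext at `offset` with known^desired.
    After decryption the bytes there read `desired` instead of `known`; no key involved."""
    out = bytearray(ciphertext)
    for i, (k, d) in enumerate(zip(known, desired)):
        out[offset + i] ^= k ^ d
    return bytes(out)


def encrypt_then_mac(key_enc, key_mac, nonce, plaintext):
    """Countermeasure: authenticate nonce + ciphertext with an HMAC tag."""
    ct = xor_crypt(key_enc, nonce, plaintext)
    tag = hmac.new(key_mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_and_verify(key_enc, key_mac, message):
    """Return the plaintext, or None when the tag does not match (tampering detected)."""
    nonce, ct, tag = message[:NONCE_LEN], message[NONCE_LEN:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(key_mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    return xor_crypt(key_enc, nonce, ct)


def demo():
    key_enc, key_mac, nonce = b"\x01" * 32, b"\x02" * 32, b"\x03" * NONCE_LEN
    plaintext = b"transfer amount=0100 to=alice"   # constructed sample message
    offset = plaintext.index(b"0100")

    # Encryption alone: the flipped ciphertext decrypts cleanly to a different amount.
    ct = xor_crypt(key_enc, nonce, plaintext)
    tampered_plain = xor_crypt(key_enc, nonce, flip_field(ct, offset, b"0100", b"9900"))

    # Encrypt-then-MAC: the same flip is caught by the tag check.
    msg = encrypt_then_mac(key_enc, key_mac, nonce, plaintext)
    tampered_msg = flip_field(msg, NONCE_LEN + offset, b"0100", b"9900")
    return (tampered_plain,
            decrypt_and_verify(key_enc, key_mac, tampered_msg),
            decrypt_and_verify(key_enc, key_mac, msg))
```

The confidentiality of the cipher is untouched in both cases; what the MAC adds is the integrity property the notes say bit flipping attacks.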
1737 - Common Criteria
1738 - TOE (Target of Evaluation)
1739 - What is being tested
1740 - ST (Security target)
1741 - Document describing the TOE and security requirements
1742 - PP (Protection Profile)
1743 - A set of security requirements specifically for the type of product being tested
1744 - EAL (Evaluation Assurance level)
1745 - This is the result of the above steps/testing; it allows vendors to make a claim as to the product's security level
1746 - Standards
1747 - Mandatory rules used to achieve consistency
1748 - Baselines
1749 - Provide minimum security level possible
1750 - Guidelines
1751 - Flexible recommendations, used when there is no standard to follow
1752 - Procedures
1753 - Detailed, step by step instructions
1754 - Policies
1755 - Approved by board
1756 - Lacking technical detail, broad in nature
1757 - Mandatory
1758 - Attacks phases:
1759 - Recon
1760 - Scan/enumeration
1761 - Gaining access
1762 - Maintaining access
1763 - Covering tracks
1764 - Passive recon
1765 - gathering info about the target without their knowledge
1766 - Active recon
1767 - Uses tools and techniques that may or may not be discovered, but put your activities at more risk of being discovered
1768 - e.g. injecting packets into a network to see what happens vs. just listening to packets and gathering data
1769 - OSSTMM ("Awestem")
1770 - Peer-reviewed, formalized method of security testing and analysis that can provide
1771 - Defines three types of compliance:
1772 - Legislative
1773 - Government standards
1774 - Contractual
1775 - Industry or group requirements
1776 - Standards
1777 - Practices that must be followed to be secure
1778 - Five network zones
1779 - Internet
1780 - uncontrolled
1781 - DMZ
1782 - controlled, buffer between networks
1783 - Production Network
1784 - Very restricted zone
1785 - Very strict access rules that control access from uncontrolled zones
1786 - Intranet
1787 - Controlled zone with very few to no restrictions
1788 - Management network
1789 - Highly secured zone, very strict policies
1790 - BIA
1791 - Business impact analysis
1792 - Effort to ID the systems and processes that are critical for operations
1793 - MTD
1794 - Maximum tolerable downtime
1795 - BCP
1796 - Business continuity plan
1797 - this includes the DRP, addresses exactly what to do in event of disaster
1798 - FISMA
1799 - Defines comprehensive framework to protect government information, operations and assets against natural or man-made threats
1800 - Federal Information Security Management Act
1801 - Created in 2002
1802 - Electronic Communications Privacy Act
1803 - created in 1986
1804 - Extended government restrictions to wire taps to include transmission of data sent by computers
1805 - Prohibited access to stored electronic communications
1806 - PATRIOT act
1807 - Created in October 2001
1808 - Privacy act of 1974
1809 - Established a code of fair information practices that governs collection, maintenance, use and dissemination of info about individuals that is maintained in systems of records by federal agencies.
1810 - CISPA (Cyber Intelligence Sharing and Protection Act)
1811 - Aimed to help the US government investigate cyber threats and ensure the security of networks against cyber attacks
1812 - Consumer data security and notification act
1813 - This bill requires certain commercial entities regulated by the FTC to do the following
1814 - 1: Implement security measures to protect electronic info
1815 - 2: Restore integrity, security, and confidentiality of data systems following the discovery of a breach
1816 - 3: Determine whether there is a risk that a breach will result in identity theft
1817 - Requires notification of breach be sent to individual
1818 - Computer security act of 1987
1819 - aimed to improve the security and privacy of sensitive information in federal computer systems and to establish a minimum acceptable security practice for such systems
1820 - HIPAA
1821 - Developed by the US Dept of Health and Human Services
1822 - Addresses privacy standards with regard to medical info
1823 - SOX
1824 - This was created to make corporate disclosures more accurate and reliable in order to protect the public and investors from shady behavior
1825 - NIST 800-53
1826 - Publication that recommends security controls for federal info systems and organizations and documents security controls for all federal info systems, except those designed for national security
1827 - Chapter 2
1828 - Footprinting (purposes of)
1829 - Know the security posture
1830 - Reduce the focus area
1831 - ID vulnerabilities
1832 - Draw a network map
1833 - Social engineering is considered active footprinting by the ECC
1834 - Dumpster diving is considered passive
1835 - Google, Yahoo and Twitter all offer notification services to keep you updated on a target
1836 - Google hacking
1837 - filetype:type
1838 - Index of /string
1839 - info:string
1840 - intitle:string
1841 - inurl:string
1842 - link:string
1843 - related:webpagename
1844 - site:domain
1845 - DNS Records
1846 - SRV = Service
1847 - Defines hostname and port number
1848 - SOA = Start of Authority
1849 - ID's primary name server for the zone
1850 - PTR = Pointer
1851 - Maps an IP address to a hostname. Usually associated with email servers
1852 - NS = Name Server
1853 - Defines name servers within your name space
1854 - MX = Mail Exchange
1855 - IDs email servers
1856 - CNAME = Canonical Name
1857 - Provides domain name aliases within your zone
1858 - A = Address
1859 - Maps an IP address to a hostname
1860 - Be familiar with WHOis output
1861 - Registrant
1862 - Admin names
1863 - Contact numbers
1864 - DNS servers
1865 - Nslookup
1866 - Interactive mode (simply type NSLOOKUP and hit enter)
1867 - Once in interactive mode, these options are available:
1868 - server servername
1869 - set type = type
1870 - You can select a resource record type (see DNS records above for types) or select ALL
1871 - You use "set" to choose an option
1872 - Windows vs *nix traceroute function
1873 - On Windows it is called tracert and uses ICMP only
1874 - On Linux it is called traceroute and can use ICMP, UDP and others
1875 - Chapter 3
1876 - IPV4 address types
1877 - Unicast
1878 - Multicast
1879 - Broadcast
1880 - Per ECC, scanning methodology is:
1881 - 1. Check for live systems
1882 - 2. Check for open ports
1883 - 3. Scan beyond IDS
1884 - 4. Perform banner grabbing
1885 - 5. scan for vulnerabilities
1886 - 6. draw network diagrams
1887 - 7. prepare proxies
1888 - ICMP Message types
1889 - Type 0
1890 - Echo REPLY
1891 - Type 3
1892 - Destination Unreachable
1893 - Codes:
1894 - 0 destination network unreachable (bad or missing routes)
1895 - 1 destination host unreachable (host down)
1896 - 6 Network unknown
1897 - 7 Host unknown
1898 - 9 Network admin prohibited
1899 - 10 host admin prohibited
1900 - 13 comm admin prohibited (firewall)
1901 - Type 4
1902 - Source Quench
1903 - Type 5
1904 - Redirect
1905 - Type 8
1906 - Echo REQUEST
1907 - Type 11
1908 - Time Exceeded
1909 - Ping steps
1910 - step 1. ICMP type 8 (Echo request) is sent to target from sender
1911 - step 2. ICMP type 0 (Echo reply) is sent from target to sender
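The two ping steps and the ICMP type numbers above map directly onto an 8-byte header (type, code, checksum, identifier, sequence) followed by the payload. As an added example, not from the notes, here is a small builder/parser in Python that produces a type 8 echo request with a correct RFC 1071 checksum, models the target's type 0 reply, and rejects packets whose checksum does not verify. Function names are my own; no packets are sent.

```python
import struct

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


def icmp_checksum(data):
    """RFC 1071 checksum: one's-complement sum of 16-bit big-endian words, complemented.
    Verifying a packet means computing this over the whole packet and expecting 0."""
    if len(data) % 2:
        data += b"\x00"                     # odd length is padded with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type, ident, seq, payload):
    """Build an ICMP echo request (type 8) or reply (type 0) with a valid checksum."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)   # checksum field zeroed
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(packet):
    """Parse the 8-byte ICMP header; reject short packets and bad checksums."""
    if len(packet) < 8:
        raise ValueError("ICMP packet shorter than 8 bytes")
    if icmp_checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq, "payload": packet[8:]}


def echo_reply_for(request):
    """Step 2 of ping: the target answers a type 8 with a type 0 carrying the
    same identifier, sequence number and payload. Anything else gets no reply."""
    req = parse_icmp(request)
    if req["type"] != ICMP_ECHO_REQUEST or req["code"] != 0:
        return None
    return build_echo(ICMP_ECHO_REPLY, req["id"], req["seq"], req["payload"])
```

The identifier/sequence pair is what lets the sender match a reply to its request; a ping sweep is just this exchange repeated across a range of addresses, which is why replies to type 8 are what an ICMP echo scan looks for.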
1912 - Ping sweeps = ICMP Echo scanning
1913 - Nmap ACK flag scan
1914 - This is used to check filtering at remote end
1915 - If ACK is sent and no response = firewall
1916 - If ACK is sent, RST comes back = no firewall
1917 - gzapper
1918 - Utility to remove google tracking cookies from system
1919 - Active banner grabbing
1920 - sending specially crafted packets to the system to guess the OS based on responses
1921 - Passive banner grabbing
1922 - Reading error messages
1923 - Sniffing network traffic
1924 - looking at page extensions
1925 - NBTstat
1926 - -n is the local table
1927 - -A IPADDRESS for a remote systems table
1928 - -c for the cache
1929 - Netbios enumeration
1930 - Identifying the code and type
1931 - Netbios name resolution does not work on IPv6
1932 - Which tools can be used to perform it
1933 - Superscan can be used to gather Netbios info
1934 - Hyena can also gather netbios info
1935 - Winfingerprint
1936 - Netbios Enumerator
1937 - NSAuditor
1938 - NTPv3 and SNMPv3
1939 - Both protocols provide encryption, authentication, and message integrity
1940 - SMTP commands
1941 - VRFY
1942 - validates user
1943 - EXPN
1944 - Provides actual delivery address of mailing lists and aliases
1945 - RCPT TO
1946 - defines recipients
1947 - Chapter 4
1948 - Winpcap = Windows packet capture driver
1949 - Libpcap = Linux packet capture driver
1950 - MAC flooding also called switch port stealing
1951 - Rogue DHCP server
1952 - When an attacker sets up a DHCP server and services a network
1953 - Wireshark filters
1954 - tcp contains "search-string"
1955 - How to search a packet for specific info
1956 - equal to
1957 - ==
1958 - And
1959 - &&
1960 - OR
1961 - or
1962 - ip.dst
1963 - IP Destination
1964 - ip.src
1965 - IP Source
1966 - ip.addr
1967 - Specific ip address or subnet
1968 - ARP poisoning is done on the machine creating the frame - the sender
1969 - tcpdump
1970 - -A
1971 - Print each packet in ASCII
1972 - -B
1973 - Buffer size (in KB)
1974 - -c
1975 - Exit TCPDump after collecting X packets
1976 - -d
1977 - Dump packet matching code in a human readable form to standard output and stop
1978 - -i
1979 - Interface selection
1980 - -q
1981 - Quick (quiet?) output - prints less protocol info so lines are shorter
1982 - -r filename
1983 - Read packets from a file
1984 - Libwhisker
1985 - Perl library for HTTP functions
1986 - Including vulnerability scanning and IDS evasion
1987 - Network tap
1988 - Any kind of connection that allows you to see all traffic that passes by it
1989 - Snort
1990 - Snort config file = /etc/snort/snort.conf
1991 - Snort rule file = /etc/snort/rules/local.rules
1992 - Snort log directory = /var/log/snort
1993 - -c /etc/snort/snort.conf
1994 - How to point snort to a config file
1995 - -i interface
1996 - specifies an interface
1997 - -i eth0 for example
1998 - -q
1999 - Quiet mode
2000 - -A console
2001 - Prints alerts to console
2002 - example rule:
2003 - alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:1; classtype:icmp-event;)
2004 - alert - rule action
2005 - any any - source IP, source port
2006 - -> direction
2007 - $HOME_NET - specifies destination (in this case a subnet)
2008 - any - specifies the destination port
2009 - msg = message
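To make the rule anatomy above concrete, here is an added example (my own code, not from Snort or the notes) that parses a rule line into its header fields and option key/value pairs and runs the checks a reviewer would want before dropping a rule into local.rules: a recognised action, and msg/sid/rev present, with sid in the local range (Snort reserves sids below 1,000,000 for distributed rules). The sample rule is the notes' own example with the conventional $HOME_NET variable.

```python
import re
from dataclasses import dataclass, field

# Sample rule in the same shape as the example in the notes.
SAMPLE_RULE = ('alert icmp any any -> $HOME_NET any '
               '(msg:"ICMP test"; sid:10000001; rev:1; classtype:icmp-event;)')

KNOWN_ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}

HEADER_RE = re.compile(
    r'^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')

# One option: keyword, optional ":value" (quoted values may contain ';'), then ';'.
OPTION_RE = re.compile(r'\s*(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')


@dataclass
class SnortRule:
    action: str
    proto: str
    src: str
    src_port: str
    direction: str
    dst: str
    dst_port: str
    options: dict = field(default_factory=dict)


def parse_options(text):
    """Turn 'msg:"x"; sid:1; nocase;' into {'msg': 'x', 'sid': '1', 'nocase': True}."""
    opts = {}
    for m in OPTION_RE.finditer(text):
        key, val = m.group(1), m.group(2)
        if val is None:
            opts[key] = True                  # flag-style option without a value
        else:
            val = val.strip()
            if len(val) >= 2 and val[0] == val[-1] == '"':
                val = val[1:-1]
            opts[key] = val
    return opts


def parse_rule(line):
    """Split a rule into header fields and options; raise on anything else."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a Snort rule: %r" % line)
    return SnortRule(m["action"], m["proto"], m["src"], m["sport"],
                     m["dir"], m["dst"], m["dport"], parse_options(m["opts"]))


def lint(rule):
    """Return a list of problems a rule reviewer would flag (empty means clean)."""
    problems = []
    if rule.action not in KNOWN_ACTIONS:
        problems.append("unknown action %r" % rule.action)
    for required in ("msg", "sid", "rev"):
        if required not in rule.options:
            problems.append("missing %s" % required)
    sid = rule.options.get("sid")
    if isinstance(sid, str) and sid.isdigit() and int(sid) < 1000000:
        problems.append("sid %s is in the reserved range; local rules use >= 1000000" % sid)
    return problems
```

Running `lint(parse_rule(SAMPLE_RULE))` on the notes' example returns no problems; drop the `sid` option and it reports the missing field, which is exactly the mistake that makes snort refuse to load a rules file.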
2010 - Firewalls are dual homed
2011 - DMZ aka public zone aka screened subnet
2012 - Private zone (per ECC) has hosts that should not deal with internet-based hosts
2013 - sniffing = wiretapping in reference to law enforcement
2014 - Gratuitous ARP
2015 - Special ARP that updates the cache of all systems that receive it
2016 - DHCP Starvation
2017 - An attack where an attacker tries to use all DHCP addresses on a server
2018 - IRDP
2019 - ICMP Router Discovery Protocol
2020 - Chapter 5
2021 - LM (LanMan)
2022 - Uses DES
2023 - Used on windows 95/98
2024 - NTLM
2025 - Uses DES and MD4
2026 - Used on NT machines up to SP3
2027 - NTLM V2
2028 - Uses MD5 on NT machines after SP3
2029 - Kerberos came about with Windows 2000
2030 - Linux directories
2031 - / - root directory
2032 - /bin - holds all sorts of basic linux commands
2033 - This is like the c:\windows\system32 folder
2034 - /dev
2035 - This folder contains pointer locations to various storage locations
2036 - /etc
2037 - This folder contains all the administration files and passwords
2038 - /home
2039 - This folder is the users home directories
2040 - /mnt
2041 - This holds access to locations that are mounted
2042 - /sbin
2043 - System binaries folder
2044 - Where daemons are located
2045 - /usr
2046 - Holds all the info, commands and files unique to users
2047 - Linux commands
2048 - &
2049 - Linux command to make process run in background
2050 - nohup
2051 - Linux command to make a process run after user logs out
2052 - adduser
2053 - adds a user
2054 - cat
2055 - displays contents of a file
2056 - cp
2057 - copy command
2058 - ifconfig
2059 - interface config
2060 - kill
2061 - kills a process
2062 - ls
2063 - lists the contents of a folder
2064 - -l provides the most info
2065 - man
2066 - displays the manual page of a command
2067 - passwd
2068 - Used to change your password
2069 - PS
2070 - Process Status command
2071 - use -ef to show ALL processes running on the system
2072 - rm
2073 - Remove files
2074 - -r makes this run recursively and provides no warnings
2075 - su
2076 - allows you to perform functions as a different user
2077 - sudo allows you to run commands as "super root" admin user
2078 - Hacking steps
2079 - 1. Recon
2080 - 2. Scanning
2081 - 3. Gaining Access
2082 - 4. Maintaining Access
2083 - 5. Covering tracks
2084 - Software key loggers = easy to detect
2085 - Hardware key loggers = very hard to detect
2086 - Vertical privilege escalation
2087 - This occurs when a lower-level user executes code at a higher privilege level they should not have access to
2088 - Horizontal privilege escalation
2089 - This occurs when a user executes code from a location at their same privilege level, but from which execution should not be allowed (write protected, etc.)
2090 - Semagram
2091 - Visual Semagram
2092 - Arranging items a certain way on a desk to send a message (for example)
2093 - Text Semagram
2094 - Obscuring messages within text by using varying font sizes or font colors
2095 - ECC steps for detecting root kits
2096 - 1. dir /s /b /ah
2097 - 2. dir /s /b /a-h
2098 - 3. Save results from both commands above
2099 - Boot from a clean CD version and run the same commands again
2100 - 5. Last use WinDiff on both systems to see if you can spot a difference
2101 - Chapter 6
2102 - Review OWASP top 10 from 2013
2103 - https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project#tab=OWASP_Top_10_for_2013
2104 - N-tier
2105 - Usually three tiers
2106 - Presentation
2107 - Logic
2108 - Data
2109 - Apache server
2110 - Configuration is almost always done as part of a module; modules are appropriately named (mod_negotiation for example)
2111 - IIS runs as LOCAL_SYSTEM; shells spawned from this are also at LOCAL_SYSTEM level
2112 - httpd.conf
2113 - This controls a lot of stuff
2114 - php.ini
2115 - This is where you would look for verbose error logging
2116 - HTTP Methods
2117 - GET
2118 - Places data in URL which makes it insecure
2119 - POST
2120 - This is generally considered a more secure option than GET
2121 - DNS Amplification
2122 - An attack in which an attacker uses recursive DNS from a botnet to DOS a target/victim
2123 - Common Unicode characters
2124 - "space" = &nbsp;
2125 - " = &quot;
2126 - ' = &apos;
2127 - & = &amp;
2128 - < = &lt;
2129 - > = &gt;
2130 - SOAP Injection
2131 - Simple Object Access Protocol
2132 - Uses custom XML strings to manipulate a victim
2133 - Buffer overflow = smashing the stack
2134 - Stored XSS or Persistent XSS or Type 1 XSS
2135 - These all reference the same thing
2136 - This is when an XSS attack is stored on the server and launched against visitors repeatedly as they use the site
2137 - Session fixation
2138 - An attacker obtains a legit session ID from a website, then tricks a user into using this session ID to connect to that site. The attacker can then take over the session at that user's permission level
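The standard defence against the fixation scenario just described is to issue a fresh session ID at the moment of authentication (and to ignore IDs the server never issued). The following is an added example, not from the notes: an in-memory session store with a switch for that behaviour, plus a function that plays out the attack both ways. The credential table and session layout are constructed for the demonstration.

```python
import secrets

USERS = {"alice": "correct horse battery"}   # constructed credential table (toy; hash in real code)


class SessionStore:
    """In-memory session store showing the session-fixation defence: regenerate the
    session ID on login, so an ID planted before authentication never becomes an
    authenticated session."""

    def __init__(self, regenerate_on_login=True):
        self.sessions = {}                      # session_id -> {"user": ...}
        self.regenerate_on_login = regenerate_on_login

    def new_session(self):
        sid = secrets.token_urlsafe(32)         # 256 bits from the OS CSPRNG
        self.sessions[sid] = {"user": None}
        return sid

    def resolve(self, sid):
        """Accept only IDs this server issued; an unknown client-supplied ID is replaced."""
        return sid if sid in self.sessions else self.new_session()

    def login(self, sid, username, password):
        """Return (session_id_to_set_in_cookie, success)."""
        if USERS.get(username) != password:
            return sid, False
        sid = self.resolve(sid)
        if self.regenerate_on_login:
            attrs = self.sessions.pop(sid)      # the pre-login ID is invalidated ...
            sid = secrets.token_urlsafe(32)     # ... and a fresh one carries the session on
            self.sessions[sid] = attrs
        self.sessions[sid]["user"] = username
        return sid, True

    def current_user(self, sid):
        return self.sessions.get(sid, {}).get("user")


def fixation_outcome(regenerate_on_login):
    """Play out the attack from the notes: the attacker obtains a legitimate anonymous
    ID, the victim logs in with it; return what the attacker's copy of the ID now grants."""
    store = SessionStore(regenerate_on_login)
    planted = store.new_session()
    store.login(planted, "alice", "correct horse battery")
    return store.current_user(planted)
```

With `regenerate_on_login=False` the planted ID is now an authenticated session for the attacker; with the default `True` it maps to nothing. The `resolve` step covers the other fixation variant, where the attacker chooses the ID value rather than obtaining a server-issued one.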
2139 - Most SQL injections use DML (Data Manipulation Language) within SQL
2140 - Blind SQL injection
2141 - Takes a longer time to pull off attack
2142 - No error messages or screen displays are returned to the attacker
2143 - Chapter 7
2144 - 802.11i
2145 - Amendment to 802.11
2146 - Specifies security measures for use on a wireless LAN
2147 - 802.16
2148 - This is WiMax
2149 - up to 40 Mbps
2150 - BSSID = MAC address of Access Point
2151 - Spectrum analyzer can be used to verify wireless quality, detect rogue access point, detect various attacks
2152 - Rogue APs = Evil Twins
2153 - Also called a misassociation attack
2154 - Faking a well known AP (like McDonalds) is called "Honeyspot"
2155 - Aircrack uses a dictionary attack on WPA and WPA2
2156 - Cain & Abel relies on statistical measures and PTW technique to break WEP codes
2157 - MDM = mobile device management
2158 - An effort to add controls to an enterprise environment
2159 - Can push security policies, application deployment, monitoring
2160 - bluetooth attacks
2161 - Bluesmacking
2162 - DoS attack
2163 - BlueJacking
2164 - Sending unsolicited messages to and from mobile devices
2165 - Bluesniffing
2166 - Like war-driving for wifi, an effort to discover bluetooth devices
2167 - Bluebugging
2168 - Successfully accessing a bluetooth device and remotely using its features
2169 - Bluesnarfing
2170 - The actual theft of data from a bluetooth device
2171 - Blueprinting
2172 - Like footprinting but for bluetooth
2173 - BBProxy is a BlackBerry-centric tool that is useful for pulling off Bluejacking attacks
2174 - Chapter 8
2175 - NIST 500-292 (Cloud Computing Reference Architecture)
2176 - Cloud carrier
2177 - The organization responsible for transmitting data to/from the cloud service
2178 - Cloud consumer
2179 - The organization or person that acquires and uses cloud services
2180 - Cloud provider
2181 - The organization providing the cloud service
2182 - Cloud broker
2183 - Manages the cloud services and the relationship between the cloud consumer and the cloud provider
2184 - Cloud auditor
2185 - Independent assessor of cloud service and security controls
2186 - cross-guest VM breach
2187 - If an attacker can gain control of an existing VM or place his own VM on a host, he may be able to attack other VMs on that host in several different ways
2188 - Cloud computing threats
2189 - Data breach or loss
2190 - The malicious theft or erasure of any cloud data
2191 - Abuse of cloud resources
2192 - Unauthorized access to cloud resources for malicious purposes
2193 - Insecure interfaces and APIs
2194 - APIs can often circumvent security policies, making them a prime target for attackers
2195 - Session riding
2196 - CSRF under a different name
2197 - Deals with cloud resources instead of web apps, but the idea is the same
2198 - Chapter 9
2199 - Netcat
2200 - Can be used to create "common shell trojan"
2201 - Registry
2202 - Windows autorun locations
2203 - Run
2204 - RunServices
2205 - RunOnce
2206 - RunServicesOnce
2207 - Most questions will focus on HKEY_LOCAL_MACHINE
2208 - Botnet = Distributed reflection denial-of-service (DRDoS) attack
2209 - Also known as spoof attack
2210 - Four categories of DoS
2211 - Fragmentation attacks
2212 - Attack takes advantage of a system's inability to handle packet reassembly
2213 - Volumetric attacks
2214 - Also known as bandwidth attacks, consume all available bandwidth
2215 - Application attacks
2216 - These attacks consume the resources used for the applications, creating DOS
2217 - TCP state-exhaustion attacks
2218 - Focused on load balancers, firewalls, etc...
2219 - aims to max out the number of connections a device can sustain
2220 - Common DOS attack styles
2221 - SYN attack
2222 - Attacker floods victim with thousands of SYN packets from fake IP addresses. Victim responds to SYN request, but because of spoofed IP no connection is made (wasting resources)
2223 - SYN flood
2224 - Hacker sends thousands of SYN packets to server using real IP
2225 - Uses real IP, but never responds to victims request to create connection
2226 - ICMP flood
2227 - Sends thousands of ICMP echo requests to victim with spoofed source address, exhausting resources on victim
2228 - Application level
2229 - Attack where attacker sends more legit traffic than website can sustain, causing a DoS
2230 - Smurf
2231 - This attack sends a large number of PINGS / ICMP echo requests to the broadcast address of a subnet
2232 - Entire subnet then responds and pings back to the source (which is victim IP address)
2233 - Fraggle
2234 - Uses UDP instead of ICMP, like Smurf above
2235 - Ping of Death
2236 - Attacker fragments a PING packet then sends them to victim
2237 - When the victim reassembles the ping packet, it is larger than allowed and crashes the victim
2238 - Teardrop
2239 - A large number of garbled IP fragments with overlapping, over sized payloads are sent to victim
2240 - Takes advantage of fragmentation reassembly problem in older machines
2241 - Peer to peer
2242 - Clients of a peer to peer sharing hub are disconnected and directed to connect to the victim system
2243 - Permanent
2244 - Phlashing
2245 - This attack causes permanent damage to a system, usually to hardware
2246 - session hijacking steps
2247 - 1. Sniff traffic
2248 - 2. Monitor traffic
2249 - 3. Desync session with victim
2250 - 4. Predict the session token
2251 - 5. Inject packets to the victim/target
2252 - TCP sequence numbers increment on acknowledgement
2253 - IPSec
2254 - Transport mode
2255 - Payload and ESP trailer are encrypted
2256 - IP header of original packet is not encrypted
2257 - Tunnel mode
2258 - the entire IP packet is encrypted
2259 - Authentication header
2260 - Protocol within IPSec
2261 - Guarantees Integrity and Authentication
2262 - Encapsulating Security Payload (ESP)
2263 - Provides origin authentication and integrity
2264 - But can also provide confidentiality through encryption
2265 - Internet Key Exchange (IKE)
2266 - Protocol that produces keys for the encryption process
2267 - Oakley
2268 - Protocol that uses Diffie-Hellman to create master and session keys
2269 - Internet Security Association Key Management Protocol
2270 - Software that facilitates encrypted communication between two endpoints
2271 - Trojan port numbers
2272 - Death = 2
2273 - Senna spy = 20
2274 - Hackers paradise = 31, 456
2275 - TCP Wrappers = 421
2276 - DOOM, Satanz backdoor = 666
2277 - Silencer, Webex = 1001
2278 - RAT = 1095-1098
2279 - SubSeven = 1243
2280 - Shiva-Burka = 1600
2281 - Trojan Cow = 2001
2282 - Deep Throat = 6670-6671
2283 - tini = 7777
2284 - Netbus = 12345-12346
2285 - whack a mole = 12361-63
2286 - Back Orifice = 31337-31338
2287 - Ghost eye worm
2288 - Uses random messaging on facebook and other sites to perform malicious acts
2289 - Chapter 10
2290 - Asymmetric encryption
2291 - Public key = encrypt
2292 - Private key = decrypt
2293 - Diffie-Hellman
2294 - Key Exchange protocol
2295 - Used in SSL and IPSec
2296 - Elliptic Curve Cryptosystem
2297 - Uses points on elliptic curve in conjunction with logarithmic problems for encryption and digital sigs
2298 - El Gamal
2299 - Uses solving discrete logarithmic problems for encryption and digital sigs
2300 - RSA
2301 - Uses factoring of two large prime numbers to create key sizes up to 4096 bits.
2302 - Hashes are used for integrity
2303 - Hashes are one way processes
2304 - How to spot steganography
2305 - Text: Character positions
2306 - Look for patterns in text
2307 - unusual blank spaces
2308 - language anomalies
2309 - Image:
2310 - Files will be larger than they need to be
2311 - may show weird color faults
2312 - Audio/video:
2313 - These require statistical analyses and special tools
2314 - PKI Cross Certification
2315 - A CA can be set up to trust a CA in a completely different PKI using cross-certification
2316 - Heartbleed
2317 - This takes advantage of the "heartbeat" function within OpenSSL that verifies data was received correctly by echoing back a piece of the data sent.
2318 - Attacker sends 1 KB of data to the server, then tells the server "I sent 64 KB". The server responds with 64 KB of random data from memory
2319 - NMAP scan to look for this:
2320 - nmap -d --script ssl-heartbleed --script-args vulns.showall -sV hostIPaddress
2321 - This returns: "State: NOT VULNERABLE" if no vuln is found
2322 - OpenSSL versions 1.0.1 through 1.0.1f are vulnerable
2323 - CVE-2014-0160
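The "I sent 64 KB" behaviour above comes down to one missing bounds check. As an added example, not from the notes or from OpenSSL, here is a Python model of the RFC 6520 heartbeat body (type, 2-byte payload_length, payload, 16-byte padding) with the process heap represented by one bytes buffer. The handler copies payload_length bytes from that buffer; with the check enabled, a claimed length that does not fit inside the received record is discarded, which is the shape of the fix. All buffers and names are constructed for the demonstration.

```python
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16        # RFC 6520 requires at least 16 bytes of padding


def build_heartbeat(payload, claimed_length=None):
    """Build a heartbeat request body; claimed_length lets a test misstate the size."""
    claimed = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HEARTBEAT_REQUEST, claimed) + payload + b"\x00" * MIN_PADDING


def handle_heartbeat(record, memory_after_record, check_bounds=True):
    """Process one heartbeat record and return the response body, or None if
    the record is dropped. memory_after_record stands in for whatever the
    process heap happened to hold after the record (constructed here)."""
    if len(record) < 3 + MIN_PADDING:
        return None
    hb_type, payload_length = struct.unpack("!BH", record[:3])
    if hb_type != HEARTBEAT_REQUEST:
        return None
    if check_bounds:
        # The fix: header + claimed payload + minimum padding must fit in the record.
        if 3 + payload_length + MIN_PADDING > len(record):
            return None                     # RFC 6520 says: silently discard
    # Heap model: the record's own bytes followed by unrelated data.
    heap = record[3:] + memory_after_record
    echoed = heap[:payload_length]          # the unchecked copy
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_length) + echoed + b"\x00" * MIN_PADDING


def response_payload(response):
    """Return just the echoed payload of a response (drops header and padding)."""
    length = struct.unpack("!H", response[1:3])[0]
    return response[3:3 + length]


def demo():
    leftover = b"<constructed: other sessions' data>"
    honest = build_heartbeat(b"hello")                       # claims 5, sends 5
    lying = build_heartbeat(b"hello", claimed_length=60)     # claims 60, sends 5
    return {
        "honest": response_payload(handle_heartbeat(honest, leftover)),
        "patched_vs_lying": handle_heartbeat(lying, leftover),
        "unpatched_vs_lying": response_payload(handle_heartbeat(lying, leftover, check_bounds=False)),
    }
```

The honest request is answered identically by both versions, which is why the bug went unnoticed: only a mismatch between the claimed and actual length distinguishes them, and that is what the nmap `ssl-heartbleed` script tests for.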
2324 - FREAK
2325 - Factoring Attack on RSA-Export Keys
2326 - Man in the middle attack, forces downgrade of RSA key to weaker length
2327 - This in turn enables brute forcing which will break shorter keys quicker
2328 - POODLE (AKA POODLEBLEED)
2329 - Padding Oracle On Downgraded Legacy Encryption
2330 - Forces downgrade from TLS to SSL3.0, allowing an attacker to collect "leaked data" from messages
2331 - CVE-2014-3566
2332 - DROWN
2333 - Decrypting RSA with Obsolete and Weakened eNcryption
2334 - Requires SSLv2 to be supported on the server
2335 - Turn off support for SSLv2 to fix this problem
2336 - Cryptographic attacks
2337 - Known plain-text
2338 - In this attack, the attacker has both the plaintext and its ciphertext
2339 - Chosen plain-text attacks
2340 - In this attack, the attacker has multiple plaintexts of their choosing encrypted in order to recover the key
2341 - Adaptive chosen plain-text attack
2342 - Attacker sends a batch of ciphertexts to be decrypted
2343 - Then uses the results of those decryptions to select different, closely related ciphertexts
2344 - Cipher-text only attack
2345 - Attacker gains copies of several messages encrypted in the same way
2346 - Statistical analysis is then used to reveal a repeating pattern, which is used to break the crypto
2347 - Replay attack
2348 - Usually a MITM attack
2349 - Attacker repeats a portion of a cryptographic exchange, hoping to fool the target into setting up communications with the attacking machine
2350 - Chosen cipher attack
2351 - Attacker chooses a particular ciphertext message and attempts to discern the key through comparative analysis with multiple keys and plaintext versions
2352 - RSA is particularly vulnerable to this
2353 - Side channel attack
2354 - A physical attack that monitors environmental variables like power consumption, delay, timing, etc...
2355 - Chapter 11
2356 - ECC defines 4 phases of social engineering
2357 - Research
2358 - Select the victim
2359 - Develop a relationship
2360 - Exploit the relationship
2361 - Vishing
2362 - Voice phishing attack
2363 - Tailgating vs piggybacking
2364 - Tailgaters have an ID badge; piggybackers do not
2365 - On questions where these terms do not appear together, they are used interchangeably
2366 - FAKE AV pop up
2367 - AKA rogue security
2368 - "allows potential attacker access to PII"
2369 - Verify any link in an email about rogue security or fake AV
2370 - Directed phishing attempts on high-level executives are called WHALING
2371 - Directed phishing attempts on ANYONE are called spear phishing
2372 - Methods to detect/deter phishing
2373 - Netcraft toolbar identifies risky sites
2374 - PhishTank toolbar identifies risky sites
2375 - A "sign-in seal" is an image or watermark that can be verified to indicate the message came from who it says it did (the sign-in seal is kept locally, making it harder to spoof)
2376 - Three categories of physical security (per ECC)
2377 - Physical security
2378 - Like door locks, mantraps, bollards in front of doors
2379 - Technical security
2380 - Like smart cards or biometric scanners which you have to touch, or a token you bring with you (fob)
2381 - Operation security
2382 - Policies and procedures set up to enforce a security-minded operation
2383 - Measuring effectiveness of a biometric system
2384 - FRR = False Rejection Rate
2385 - Number of times the system rejects a legitimate user
2386 - FAR = False Acceptance Rate
2387 - Number of times the system allows an illegitimate user
2388 - CER = Cross-Over Error Rate
2389 - When graphed, this is where FRR & FAR meet or cross
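Added example (not from these notes): Python that computes FRR and FAR across a sweep of match thresholds on constructed scores and locates the threshold where the two curves cross, which is the CER. The score values and the 0-100 scale are assumptions for the demo.

```python
from typing import List, Sequence, Tuple


def false_rejection_rate(genuine: Sequence[float], threshold: float) -> float:
    """FRR: share of legitimate users whose match score falls below the threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def false_acceptance_rate(impostor: Sequence[float], threshold: float) -> float:
    """FAR: share of impostors whose match score reaches the threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def error_curve(genuine: Sequence[float], impostor: Sequence[float]) -> List[Tuple[int, float, float]]:
    """(threshold, FRR, FAR) for every integer threshold across the score range.
    Raising the threshold pushes FRR up and FAR down; CER is where they meet."""
    lo = int(min(min(genuine), min(impostor)))
    hi = int(max(max(genuine), max(impostor))) + 1
    return [(t, false_rejection_rate(genuine, t), false_acceptance_rate(impostor, t))
            for t in range(lo, hi + 1)]


def crossover_error_rate(genuine: Sequence[float], impostor: Sequence[float]) -> Tuple[int, float]:
    """Lowest threshold at which FRR and FAR are closest, and the CER (their mean) there."""
    best = None
    for t, frr, far in error_curve(genuine, impostor):
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, (frr + far) / 2)
    return best[1], best[2]


# Constructed match scores (0-100) from a hypothetical fingerprint reader.
GENUINE_SCORES = [70, 75, 80, 82, 85, 88, 90, 92, 95, 97]
IMPOSTOR_SCORES = [40, 50, 55, 60, 65, 70, 72, 78, 83, 88]

if __name__ == "__main__":
    for t in (70, 79, 90):
        print(t, false_rejection_rate(GENUINE_SCORES, t), false_acceptance_rate(IMPOSTOR_SCORES, t))
    print("CER (threshold, rate):", crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES))
```

With these scores a threshold of 70 rejects no legitimate user but admits half the impostors, 90 admits none but rejects most legitimate users, and the curves cross at 79 with a CER of 0.2.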
2390 - EC-Council defines 4 types of mobile attacks
2391 - Publishing malicious apps
2392 - Repackaging legitimate apps with malware
2393 - Fake security apps
2394 - SMS phishing, AKA SMISHING
2395 - Chapter 12
2396 - Security audit
2397 - This is procedure and policy focused
2398 - Vulnerability assessment
2399 - Scans and tests system looking for vulnerabilities, but does not exploit them
2400 - Penetration test
2401 - Actively seeks to exploit vulnerabilities
2402 - Shellshock exploitation
2403 - env var='() { :;}; echo BADTHING' bash -c "echo Goodthing"
2404 - Essentially, passing an environment variable to the vulnerable server whose value defines a function followed by a command causes that trailing command to be executed
2405 - Codenomicon
2406 - "automated penetration testing" tool
2407 - CORE impact Pro
2408 - All-inclusive automated pen testing tool
2409 - Metasploit
2410 - Framework for developing and executing exploit code
2411 - CANVAS
2412 - From Immunity Security
2413 - Also a framework for testing exploits
2414 - Three phases of pen test
2415 - Pre-attack
2416 - Gathering info, performing recon, DNS enumeration, NMAP scanning, etc
2417 - Attack phase
2418 - When you actually attempt to penetrate the network
2419 - Post-attack
2420 - Cleanup
2421 - Removing tools, fixing registry as needed, etc...
2422 - Reporting
2423 - Four categories of insider threats (per ECC)
2424 - Pure insider
2425 - employee with all rights and access to internal network
2426 - inside associate
2427 - person with limited, but authorized access (think contractor or consultant)
2428 - inside affiliate
2429 - This is a spouse, friend, family member, etc. who uses an employee's credentials to perform actions
2430 - outside affiliate
2431 - Person outside, unknown and untrusted, who uses an open channel to access the internal network
2432 - Skillset tests
2433 - HTTP PUT method
2434 - Can be used to leverage all of these attacks:
2435 - Upload arbitrary code
2436 - Inserting garbage data in sensitive locations
2437 - Getting write access to server
2438 - Webserver 401 = Unauthorized
2439 - \x41 = unicode for the letter "A"
2440 - Girlfriend Trojan uses port 21544
2441 - SSL uses symmetric encryption
2442 - First step in SSL is Client Hello
2443 - ARP poisoning is a popular way to "get in the middle"
2444 - Paranoid mode in NMAP scans every 5 minutes
2445 - NMAP "decoy" scan requires decoy machine to be on the network (online)
2446 - ARP poisoning and MAC flooding are both forms of active sniffing
2447 - CACE Pilot is used for sniffing
2448 - Apache: the server often runs with the privileges of www-data
2449 - Kernel level rootkit - attacks OS level that interacts with hardware
2450 - YAGI antenna uses both UHF and VHF bands
2451 - WPS pins = 11,000 attempts AT THE MOST (10,000 for first 4, 1,000 for next 4)
2452 - OS fingerprinting is based on the way different OS vendors implement the TCP/IP stack differently
2453 - Steganography technique that embeds message in frequency domain of a signal is called the transform domain technique
2454 - TKIP rekeys every 5000 packets
2455 - RC6 includes 4 four bit working registers and integer multiplication
2456 - Honeypots show a particular service running but 3-way handshake fails