CompTIA Security+ 501 Summary Part 8
This is a summary of my notes on Chapter 8 of the CompTIA Security+ Get Certified Get Ahead by Darril Gibson, 5th Edition
Things to keep in mind:
- CompTIA is releasing an updated version of the Security+ Exam in November 2020, so this edition will soon be outdated. 90% of the book will remain the same in accordance with the updated exam. New threats and cloud-computing technology will probably make up the majority of that new 10% of content.
- Synthesizing paragraphs with a huge list of facts sometimes results in dreadful sentences. It also results in some streams of thought that end abruptly. Some notes cannot be digested any further and remain identical in this summary. In any case, these are just notes and not an essay.
- Some things are repeated but this is simply to reinforce.
- Hackers are referred to as actors.
- Access Points are referred to as APs.
2. Network Scanning

Network scanners gather information about hosts within a network, including what operating system each host runs, what services are in use, and what ports are open. Nmap is a popular example of a network scanner. Network mapping shows how hosts are connected within a network. A wireless scanner finds the SSID (Service Set Identifier) of all access points, the MAC address of all connected hardware, the signal strength of the APs, the channels they broadcast on, and the security posture of the APs, including whether an AP is in open mode or uses encryption such as WPA2. Wireless scanners can use either passive or active scans. During a passive scan the scanner only listens to traffic; during an active scan it sends queries to the APs. Admins can track down an unknown SSID by watching its signal strength while walking around the office until they get closer and closer to it.

Banner grabbing is used to gain information about remote systems, in particular to identify the operating system. It works when a queried server returns a Hypertext Markup Language (HTML) banner. You can perform banner grabbing with the tool Netcat.

Vuln scanners test a system against a dictionary of known vulnerabilities. These dictionaries can come from MITRE, which maintains the Common Vulnerabilities and Exposures (CVE) list. The CVE list is public; antivirus software, by contrast, detects malware with signature lists that the vendors maintain themselves. Vuln scanners should abide by the Security Content Automation Protocol (SCAP), a standard that uses the National Vulnerability Database (NVD), a list of common misconfigurations, security-related software flaws, impact ratings, and risk scores. Configuration compliance scans verify that systems are configured correctly. Nessus, another vulnerability scanner, can have its core functionality extended through various plugins, including ones that perform configuration compliance scans.
Credentialed scans run under the context of a valid account and are typically more accurate than non-credentialed scans; non-credentialed scans can produce more false positives. Vuln scans are passive. Penetration tests are active. A penetration test includes a passive reconnaissance phase, an active reconnaissance phase, and then an exploitation phase in which the team tries to break into the system. Passive reconnaissance uses open source intelligence (things like Google) to gather information about a target. Active reconnaissance uses vulnerability scanners against the target; it is active because you interact with the target, and the target can detect it. During the exploitation phase, if the team breaches the target, they try to perform privilege escalation and then pivot to other systems on the network. Black box testers have zero knowledge of a system before a penetration test; white box is the opposite, and gray box is in between. Black box testers often use fuzzing.

Penetration testers often use exploitation frameworks as tools to help automate the process. A popular one is Metasploit, an open source project that runs on Linux systems with over 1,600 exploits in its database. Exploitation frameworks include methods to develop, test, and use exploit code to penetrate a target. The Browser Exploitation Framework (BeEF) is an open source framework that focuses on identifying web browser vulnerabilities. The Web Application Attack and Audit Framework (W3AF) is another open source framework, focused on web application vulnerabilities. The key point is that both hackers and security administrators use these tools for their efforts.

Admins can use protocol analyzers to capture, display, and analyze packets sent over a network, both to troubleshoot and to detect attacks that manipulate or fragment packets. The NIC must be configured in promiscuous mode to be able to capture all traffic.
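Protocol analyzers work on capture files, and the classic file layout they read is pcap: a 24-byte global header followed by a 16-byte record header before each captured frame. The following Python is an added example, not code from the book or from these notes: it builds a two-frame capture in memory, writes it in the pcap layout, reads it back, and decodes the Ethernet, IPv4 and UDP headers the way an analyzer's summary line does, verifying the IPv4 header checksum along the way. Every MAC, IP address, port and payload in it is a constructed sample, and the function names are assumptions of this example.

```python
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4      # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def ipv4_checksum(header):
    """RFC 791 one's-complement checksum over the IPv4 header bytes.
    Over a header that already carries a correct checksum the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_udp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Construct one Ethernet/IPv4/UDP frame from constructed sample addresses."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ethernet = mac(dst_mac) + mac(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    # UDP header: source port, destination port, length, checksum (0 = not computed)
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    # IPv4 header: version/IHL, TOS, total length, ID, flags (DF), TTL, protocol, checksum, src, dst
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0x4000, 64,
                            IPPROTO_UDP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip_header = ip_header[:10] + struct.pack("!H", ipv4_checksum(ip_header)) + ip_header[12:]
    return ethernet + ip_header + udp


def write_pcap(records):
    """Serialize (ts_sec, ts_usec, frame_bytes) records in the pcap file format."""
    # Global header: magic, version 2.4, timezone, sigfigs, snaplen, link type
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts_sec, ts_usec, frame in records:
        # Record header: timestamp seconds, microseconds, captured length, original length
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
    return out


def read_pcap(blob):
    """Parse a pcap blob back into (linktype, [(ts_sec, ts_usec, frame_bytes), ...])."""
    magic, _major, _minor, _tz, _sigfigs, _snaplen, linktype = struct.unpack_from("<IHHiIII", blob, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap file")
    offset, records = 24, []
    while offset < len(blob):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", blob, offset)
        offset += 16
        records.append((ts_sec, ts_usec, blob[offset:offset + incl_len]))
        offset += incl_len
    return linktype, records


def summarize_frame(frame):
    """Decode the Ethernet, IPv4 and UDP headers into an analyzer-style summary."""
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype != ETHERTYPE_IPV4:
        return {"ethertype": ethertype}
    ihl = (frame[14] & 0x0F) * 4            # IPv4 header length in bytes
    info = {
        "src": socket.inet_ntoa(frame[26:30]),
        "dst": socket.inet_ntoa(frame[30:34]),
        "proto": frame[23],
        "header_checksum_ok": ipv4_checksum(frame[14:14 + ihl]) == 0,
    }
    if info["proto"] == IPPROTO_UDP:
        info["sport"], info["dport"] = struct.unpack_from("!HH", frame, 14 + ihl)
    return info


def demo():
    """Write a two-frame constructed capture to memory, read it back, summarize each frame."""
    query = build_ipv4_udp_frame("02:00:00:00:00:01", "02:00:00:00:00:02",
                                 "192.0.2.10", "192.0.2.53", 40000, 53, b"constructed dns query")
    reply = build_ipv4_udp_frame("02:00:00:00:00:02", "02:00:00:00:00:01",
                                 "192.0.2.53", "192.0.2.10", 53, 40000, b"constructed dns reply")
    blob = write_pcap([(1583841601, 0, query), (1583841601, 2500, reply)])
    linktype, records = read_pcap(blob)
    return linktype, [summarize_frame(frame) for _, _, frame in records]


if __name__ == "__main__":
    linktype, summaries = demo()
    print("linktype", linktype)
    for summary in summaries:
        print(summary)
```

The record headers use host byte order (little-endian here, signalled by the magic number), while the frame contents stay in network byte order; that mix is exactly what an analyzer has to handle when it opens a capture written on another machine.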
3. Logs

On Linux, use tcpdump, which produces packet captures that can be viewed in Wireshark. Netcat can be used for remote administration as well as for gaining information about a system; with Netcat you can run a port scan against a single IP address. It is important to know where to look for logs on both Windows and Linux systems: use the System Log Viewer in Windows and the cat command from the terminal in Linux. Here are common locations for logs in Linux:
- /var/log/auth.log = authentication log
- /var/log/messages = general system messages
- /var/log/boot.log = system boot entries
- /var/log/faillog = failed login attempts
- /var/log/kern.log = information logged by the system kernel (operating system)
- /var/log/httpd = if the system is configured as a web server, its error logs are here
- Aggregation = combining several dissimilar items into a single item
- Correlation Engine = software that collects and analyzes event log data from various systems
- Automated Alerting = notifications for suspicious events
- Automated Triggers = actions in response to a predefined number of repeated events
- Time Synchronization = all servers sending data need to be synchronized to the same time
- Event Deduplication = removing duplicate entries
- Logs/WORM = methods to prevent anyone from modifying log entries (Write Once Read Many)
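The items above describe what a correlation engine does with logs once it has them. As an added example that is not from the book or from these notes, the following Python runs a toy version of that pipeline over constructed auth.log-style lines from two hosts: it deduplicates a repeated line, synchronizes the hosts' clocks, aggregates failed logins by source address, and fires an automated trigger once a source reaches a threshold inside a time window. The hostnames, addresses, timestamps and the assumed clock skew are all constructed; the function names are this example's own.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth.log-style lines, tagged with the host that produced them.
# The second line is an exact duplicate of the first (e.g. a forwarder retransmit).
SAMPLE_LINES = [
    ("web01", "Mar 10 12:00:01 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51012 ssh2"),
    ("web01", "Mar 10 12:00:01 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51012 ssh2"),
    ("web01", "Mar 10 12:00:04 web01 sshd[2102]: Failed password for invalid user admin from 203.0.113.7 port 51013 ssh2"),
    ("db01",  "Mar 10 14:00:06 db01 sshd[880]: Failed password for root from 203.0.113.7 port 51020 ssh2"),
    ("db01",  "Mar 10 14:00:09 db01 sshd[881]: Accepted password for backup from 198.51.100.4 port 40011 ssh2"),
    ("web01", "Mar 10 12:00:10 web01 sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51014 ssh2"),
]

# Assumed clock error per host (host clock minus true time). web01's clock is two
# hours slow, so its events must be shifted forward before they line up with db01's.
HOST_CLOCK_SKEW = {"web01": timedelta(hours=-2), "db01": timedelta(0)}

SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<proc>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
FROM_IP_RE = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_line(host, line, year=2020):
    """Turn one syslog-format line into an event dict (None if it does not parse).
    Syslog timestamps carry no year, so one is assumed."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    msg = m["msg"]
    ip = FROM_IP_RE.search(msg)
    if "Failed password" in msg:
        outcome = "failure"
    elif "Accepted" in msg:
        outcome = "success"
    else:
        outcome = "other"
    return {"host": host, "raw": line, "ts_local": ts,
            "source_ip": ip.group(1) if ip else None, "outcome": outcome}


def deduplicate(events):
    """Event deduplication: drop repeats of an identical line from the same host."""
    seen, unique = set(), []
    for e in events:
        key = (e["host"], e["raw"])
        if key not in seen:
            seen.add(key)
            unique.append(e)
    return unique


def normalize_time(events, skew):
    """Time synchronization: put every host's timestamps on one common reference."""
    for e in events:
        e["ts_utc"] = e["ts_local"] - skew.get(e["host"], timedelta(0))
    return events


def aggregate_by_source(events):
    """Aggregation: collect failed logins from all hosts into one bucket per source IP."""
    buckets = defaultdict(list)
    for e in events:
        if e["outcome"] == "failure" and e["source_ip"]:
            buckets[e["source_ip"]].append(e)
    return buckets


def correlate(buckets, threshold, window):
    """Correlation with an automated trigger: one alert per source IP that reaches
    `threshold` failures inside any `window`, counted across all hosts."""
    alerts = []
    for ip, evs in buckets.items():
        evs.sort(key=lambda e: e["ts_utc"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts_utc"] - evs[start]["ts_utc"] > window:
                start += 1                   # slide the window forward
            if end - start + 1 >= threshold:
                hit = evs[start:end + 1]
                alerts.append({"source_ip": ip, "count": len(hit),
                               "hosts": sorted({e["host"] for e in hit}),
                               "first_seen": hit[0]["ts_utc"], "last_seen": hit[-1]["ts_utc"]})
                break
    return alerts


def run_pipeline(lines=SAMPLE_LINES, skew=HOST_CLOCK_SKEW, threshold=4, window=timedelta(seconds=60)):
    """Parse -> deduplicate -> synchronize -> aggregate -> correlate -> alert."""
    events = [e for e in (parse_line(h, ln) for h, ln in lines) if e]
    events = normalize_time(deduplicate(events), skew)
    return correlate(aggregate_by_source(events), threshold, window)


if __name__ == "__main__":
    for alert in run_pipeline():
        print(f"ALERT {alert['source_ip']}: {alert['count']} failed logins on "
              f"{', '.join(alert['hosts'])} between {alert['first_seen']} and {alert['last_seen']}")
    # Ignoring the clock skew spreads the same failures two hours apart and no alert fires.
    print("alerts without time sync:", len(run_pipeline(skew={})))
```

Running it with the skew applied produces one alert for 203.0.113.7 covering both hosts; running it with `skew={}` produces none, because web01's three failures and db01's one no longer fall inside the same minute. That gap is the practical reason the list above puts time synchronization next to correlation.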