Sy0 601 03

R
Lesson 3 NT E
C E
Performing Security Assessments L
N A
S IO
ES
OF
P R
C I S
A
R
Topic 3A N T E
C E
Assess Organizational Security withLNetwork
Reconnaissance Tools NA IO
S S
F E
R O
S P
C I
A
CompTIA Security+ Lesson 3 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 2
Syllabus Objectives Covered
• 4.1 Given a scenario, use the appropriate tool to assess organizational

E R
security
N T
C E
A L
IO N
S S
F E
R O
S P
C I
A
ipconfig, ping, and arp
• Footprinting the network layout and rogue system detection
• ipconfig/ifconfig/ip
E R
• Report the local IP configuration
N T
• ping
• Test connectivity with a host C E
• Use a ping sweep to detect live hosts on a subnet A L
• arp
IO N
• Address Resolution Protocol (ARP) cache
S S
•
F E
Shows IP to Media Access Control (MAC) address mapping
•
R O
Detect spoofing (validate MAC of default gateway)
S P
C I
A Screenshot used
with permission
from Microsoft.
route and traceroute
• route
• Show the local routing table
E R
• Identify default route and local subnet
N T
• Check for suspicious entries
C E
• tracert/traceroute
A L
• Test the path to a remote host
IO N
• pathping/mtr
S S
• Measure latency
F E
R O
S P
C I
A
IP Scanners and Nmap
• Host discovery
E R
• Test whether host in
N T
IP range responds to
probes C E
• Port scan A L
• Test whether TCP or IO N
UDP port allows
S S
connections
F E
R O
S P
C I
A Screenshot used with permission from nmap.org.
Service Discovery and Nmap
• Service discovery
E R
• Scan custom TCP/UDP
N T
port ranges
C E
• Service and version
detection A L
• Fingerprinting each port IO N
• Protocol S S
• Application/version F E
• OS type R O
• Device type S P
C I
A Screenshot used with permission from nmap.org.
netstat and nslookup
• netstat
E R
• Report port status on local machine
N T
• Switches to filter by protocol
C E
• Display process name or PID that opened port
A L
• nslookup and dig
IO N
• Query name servers
S S
• Zone transfers
F E Screenshot used with permission from Microsoft.
R O
S P
C I
A
Other Reconnaissance and Discovery Tools
• theHarvester
E R
• Collate open source intelligence (OSINT)
N T
• dnsenum
C E
• Collate DNS hosting information, name records, and IP schemas
A L
• scanless
IO N
•
S S
Collate results from third-party port scanning sites
• curl
F E
•
R O
Craft and submit protocol requests
• Nessus
S P
•
C I
Perform automated vulnerability scanning
A
Packet Capture and tcpdump
• Packet analysis versus protocol analysis

E R
• Sniffer—tool for capturing network frames
N T
• Use software to interact with host network driver (libpcap/winpcap)
C E
• Mirrored ports/switched port analyzer (SPAN)
A L
•
IO N
Use a test access port (TAP) device to read frames from network media
• Placement of sensors
S S
• tcpdump
F E
• Write to pcap
R O
• Read from pcap
S P
• Filters
C I
Atcpdump -i eth0 "src host 10.1.0.100 and
(dst port 53 or dst port 80)"
Packet Analysis and Wireshark
• Output panes
E R
• Packet list
N T
•
C E
Packet details (headers and fields)
A L • Packet bytes (hex and ASCII)
IO N
• Capture and display filters
S S Coloring rules
•
F E • Follow TCP Stream
R O
S P
C I
A
Screenshot used with permission from wireshark.org.
Packet Injection and Replay
• Packet injection
E R
• Crafting spoofed packets
N T
• Dsniff, Ettercap, Scapy
C E
• hping
A L
• Host/port detection and firewall testing
IO N
• Traceroute
S S
• Denial of service (DoS)
F E
• tcpreplay
R O
•
S P
Stream a packet capture through an interface
• I
Sandbox analysis and intrusion detection testing
AC
Exploitation Frameworks
• Simulate adversary tools for

E R
exploitation and backdoor access
N T
• Metasploit
C E
• Modules to exploit known code
vulnerabilities A L
• Couple exploit module with payload
IO N
• Obfuscate code to evade detection
S S
• Sn1Per
F E
•
R O
Penetration test reporting and
P
evidence gathering
S
•
C I
Run automated suites of tests
Screenshot used with permission from metasploit.com
•
A
• Other frameworks
Linux, embedded, browser,
web/mobile app, cloud, ….
Netcat
• Simple tool capable of very

E R
wide range of network tasks
echo "head" | nc 10.1.0.1 -v 80 N T
• Port scanning and
C E
fingerprinting
A L
• Command prompt listener N
nc -l
O -p 666 -e cmd.exe
over arbitrary port
• File transfer over arbitrary S SI
port F E type accounts.sql | nc
P RO 10.1.0.192 6666
C I S
A
R
Topic 3B N T E
C E
Explain Security Concerns with General
L Vulnerability
Types NA IO
S S
F E
R O
S P
C I
A
• 1.6 Explain the security concerns associated with various types of

E R
vulnerabilities
N T
C E
A L
IO N
S S
F E
R O
S P
C I
A
Software Vulnerabilities and Patch Management
• Exploits for faults in software code

E R
• Applications
N T
• Different impacts and exploit scenarios
C E
• Client versus server apps
A L
• Operating system (OS)
IO N
• Obtain high level privileges
S S
• Firmware
F E
• PC firmware
R O
•
S P
Network appliances and Internet of Things devices
I
• Improper or weak patch management
C
• A
Undocumented assets
• Failed updates and removed patches
Zero-day and Legacy Platform Vulnerabilities
• Zero-day
E R
• Vulnerability is unknown to the vendor
N T
• Threat actor develops an exploit for which there is no patch
C E
• Likely to be used against high value targets
A L
• Legacy platform
IO N
• Vendor no longer releases security patches
S S
F E
R O
S P
C I
A
Weak Host Configurations
• Default settings
E R
T
• Vendor may not release product in a default-secure configuration
N
• Unsecured root accounts
C E
• Threat actor will gain complete control
A L
• Limit ability to login as superuser
I O N
• Open permissions
• Configuration errors allowingE S S
unauthenticated access
• Allowing write access whenO Fonly read access is appropriate
P R
I S
AC
Weak Network Configurations
• Open ports and services

E R
• Restrict using an access control list
Disable unnecessary services or block ports N T
•
• Block at network perimeter C E
• Unsecure protocols A L
eavesdropping IO N
• Cleartext data transmissions are vulnerable to snooping and
• Weak encryption S S
F E
• Storage and transport encryption
R O
• Key is generated from a weak password
P
• Cipher has weaknesses
S
C I
• Key distribution is not secure
• Errors A
• Error messages that reveal too much information
Impacts from Vulnerabilities
• Data breaches and data exfiltration impacts

E R
• Data breach is where confidential data is read or transferred T
without
authorization E N
C
• Data exfiltration is the methods and tools by which an attacker transfers data
L
without authorization
N A
• Identity theft
S IO
• Abuse of data from privacy breaches
E S
• Data loss and availability loss Fimpacts
O security property
R
• Availability is also a critical
P
• I S
Financial and reputation impacts
AC
Third-Party Risks
• Supply chains
E R
• Due diligence
N T
• Weak links
C E
• Vendor management
A L
IO N
• Process for selecting suppliers and evaluating risks
• System integration
S S
• Lack of vendor support
F E
• Outsourced code development
R O
• Data storage
S P
•
C I
Cloud-based versus on-premises risks
A
R
Topic 3C N T E
C E
Summarize Vulnerability Scanning Techniques
L
N A
S IO
S
OFE
P R
C I S
A
• 1.7 Summarize the techniques used in security assessments

E R
N T
C E
A L
IO N
S S
F E
R O
S P
C I
A
Security Assessment Frameworks
• Methodology and scope for security assessments

E R
• NIST SP 800-115
N T
• Testing
C E
• Examining
A L
• Interviewing
IO N
S
• Vulnerability assessment versus threat hunting and penetration testing
S
E
• Vulnerability assessments can use a mix of manual procedures and
F
automated scanning tools
R O
S P
C I
A
Vulnerability Scan Types
• Automated scanners configured

E R
with list of known vulnerabilities
N T
• Network vulnerability scanner
C E
• Configured with tests for most
A L
•
types of network hosts
Focused on scanning OS plus IO N
some desktop and server S S
applications
F E
O
• Application and web application
R
scanners
S P
• C I
Configured with application-
A
specific tests Screenshot used with permission from Greenbone Networks (openvas.org).
Common Vulnerabilities and Exposures
• Vulnerability feed/plug-in/test
E R
• Security Content Automation
N T
Protocol (SCAP) Score
C E Description
• Mechanism for updating scanner

via feed
0.1+
N
4.0+
AL Low
Medium
• Common identifiers
S IO
• Common Vulnerabilities and S 7.0+ High
Exposures (CVE)
O FE 9.0+ Critical
R
• Common Vulnerability Scoring
P
System (CVSS)
C I S
A
Intrusive versus Non-intrusive Scanning
• Remote scanning versus agent-based scanning

E R
• Non-intrusive scanning
N T
• Passively test security controls
C E
• Scanners attach to network and only sniff traffic
A L
• Possibly some low-interaction with hosts (port scanning/banner
grabbing) IO N
• Intrusive/active scanning S S
• Establish network session F
E
• Agent-based scan R O
S P
•
C I
Exploitation frameworks
• HighlyA intrusive/risk of system crash
• Used with penetration testing
Credentialed versus Non-credentialed Scanning
• Non-credentialed • Credentialed
• Anonymous or guest • Scan configured with logon E R
access to host only
N
• Can allow privileged access to configuration T
• Might test default passwords settings/logs/registry
C E
L
• Use dedicated account for scanning
A
IO N
S S
F E
R O
S P
C I
A
Screenshot used with permission from Greenbone Networks (openvas.org).
False Positives, False Negatives, and Log Review
• Analyzing and validating scan

E R
report contents
N T
E
• False positives
C
A L• Scanner identifies a
IO N vulnerability that is not

actually present
S S • False negatives
F E • Scanner fails to identify a
R O vulnerability
S P • Review logs to confirm results

C I
A
Screenshot used with permission from Greenbone Networks (openvas.org).
Configuration Review
• Lack of controls
• Security controls that should be present
E R
but are not (or are not functioning)
• Misconfiguration N T
• Settings deviate from template C E
configuration
A L
• Driven by templates of configuration
IO N
settings
• S
Open Vulnerability and Assessment
S
Language (OVAL) F E
•
R O
Extensible Configuration Checklist
P
Description Format (XCCDF)
S
C
in many products
I
• Compliance-based templates available Screenshot used with permission from Microsoft.
A
Threat Hunting
• Use log and threat data to search for IoCs

E R
• Advisories and bulletins
N T
• Plan threat hunting project in response to newly discovered threat
C E
• Intelligence fusion and threat data
A L
• Use security information and event management
I O N (SIEM) and threat data feed to
automate searches
S S
• Maneuver E
F adversary to the search
O
• Consider possibility of alerting
Rwill give positional advantage
P
• Use techniques that
S
I
AC
R
Topic 3D N T E
C E
Explain Penetration Testing Concepts
L
N A
S IO
S
OFE
P R
C I S
A
• 1.8 Explain the techniques used in penetration testing

E R
N T
C E
A L
IO N
S S
F E
R O
S P
C I
A
Penetration Testing
• Pen test or ethical hacking

E R
• Verify threat
N T
• Identify vulnerability and the vector by which it could be exploited
C E
• Bypass security controls
A L
IO N
• Identify lack of controls or ways to circumvent existing controls
• Actively test security controls S
Scontrols ineffective
• Examine weaknesses that render
F E
• Exploit vulnerabilities to Oprove threat exists (“pwned”)
• P R
Active and highly intrusive techniques, compared to vulnerability
assessmentCIS
A
Rules of Engagement
• Agreement for objectives and scope

E R
• Authorization to proceed from system owner and affected third-parties
N T
• Attack profile C E
• Black box (unknown environment)
A L
• White box (known environment)
IO N
•
instance) S S
Gray box (partially known environment—to model insider threat agents, for
• Bug bounty programs F E

R O
S P
C I
A
Exercise Types
• Red team
E R
• Performs the offensive role
N T
• Blue team
C E
• Performs the defensive role
A L
• White team
IO N
•
S S
Sets the rules of engagement and monitors the exercise
• Purple team
F E
•
R O
Exercise set up to encourage collaboration
•
S P
Red and blue teams share information and debrief regularly
•
C I
Might be assisted by a facilitator
A
Passive and Active Reconnaissance
• Pen testing and kill chain attack life cycle

E R
• Reconnaissance phase
N T
• Passive techniques unlikely to alert target
C E
• Active techniques are detectable
A L
• Open Source Intelligence (OSINT)
IO N
• Social engineering
S S
• Footprinting
F E
• War driving
R O
•
S P
Drones/unmanned aerial vehicle (UAV) and war flying
C I
A
Pen Test Attack Life Cycle
• Initial exploitation R
• Obtain a foothold via an exploit
T E
• Persistence
E N
•
•
Establish a command & control backdoor
Reconnect across host shut down/user log off events L C
• Privilege escalation N A
• Internal reconnaissance
S IO
Gain additional credentials and compromise higher privilege accounts
•
• Lateral movement ES
• Compromise other hosts
O F
• Pivoting
P R
•
C I S
Access hosts with no direct remote connection via a pivot host
• Actions on objectives
• Cleanup A
R
Lesson 3 N T E
C E
Summary L
N A
S IO
ES
O F
P R
C I S
A

Sy0 601 03

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Sy0 601 03

Uploaded by

Copyright:

Available Formats

R

• 4.1 Given a scenario, use the appropriate tool to assess organizational

• Packet analysis versus protocol analysis

A L • Packet bytes (hex and ASCII)

F E • Follow TCP Stream

• Simulate adversary tools for

• Simple tool capable of very

• 1.6 Explain the security concerns associated with various types of

• Exploits for faults in software code

• Open ports and services

• Data breaches and data exfiltration impacts

• 1.7 Summarize the techniques used in security assessments

• Methodology and scope for security assessments

• Automated scanners configured

• Mechanism for updating scanner

• Remote scanning versus agent-based scanning

• Analyzing and validating scan

IO N vulnerability that is not

S P • Review logs to confirm results

• Use log and threat data to search for IoCs

• 1.8 Explain the techniques used in penetration testing

• Pen test or ethical hacking

• Agreement for objectives and scope

• Bug bounty programs F E

• Pen testing and kill chain attack life cycle

You might also like