CEH ch8-10
Certified Ethical Hacker ch 8-10
| Term | Definition |
|---|---|
| Crypter: | A software program that conceals the existence of malware. Attackers use it to elude antivirus detection; it also protects the malware from reverse engineering or analysis, making it hard for security mechanisms to detect. |
| Downloader: | A type of Trojan that downloads other malware (or malicious code and files) from the Internet onto the PC or device. Attackers usually install this when they first gain access to a system. |
| Dropper: | Covertly installs the malware program or code on the system so that it runs. The dropper's code is undetected by antivirus scanners and can download additional files to execute the malware on the target system. |
| Exploit: | Malware that contains code or commands to exploit a bug or vulnerability. It breaches the system's security to spy or install malware, and can be remote. |
| Injector: | This program injects the exploits or malicious code available in the malware into other vulnerable running processes and changes the way of execution to hide or prevent its removal. |
| Obfuscator: | A program to conceal the malicious code of malware via various techniques, thus making it hard for security mechanisms to detect or remove it. |
| Packer: | This software compresses the malware file to convert the code and data of malware into an unreadable format. The packers use compression techniques to pack the malware. |
| Payload: | Part of the malware that performs desired activity when activated. The payload may be used for deleting, modifying files, affecting the system performance, opening ports, changing settings, etc. as part of compromising the security. |
| Android Rooting tools: | KingoRoot, TunesGo, OneClickRoot, MTK Droid. |
| iOS Rooting tools: | evasi0n7, GeekSn0w, Pangu, Redsn0w, Absinthe, Cydia. |
| Untethered jailbreaking - | kernel will remain patched (that is, jailbroken) after reboot, with or without a system connection. Think BootROM exploit. |
| Semi-tethered jailbreaking - | reboot no longer retains the patched kernel; however, the software has already been added to the device. Therefore, if admin privileges are required, the installed jailbreaking tool can be used. Think iBoot exploit. |
| Tethered jailbreaking - | reboot removes all jailbreaking patches, and the phone may get stuck in a perpetual loop on startup, requiring a system connection (USB) to repair. |
| Userland exploit | leveraged to gain root access, modify the fstab, and patch the kernel. cannot be tethered because nothing can cause a recovery mode loop, but they can be patched by Apple. This exploit provides user-level access but not admin. |
| iBoot exploit | Found in bootloader, uses a vulnerability in the bootloader to turn codesign off and runs a program that gets everything done. can be semi-tethered, and can be patched by Apple. |
| BootROM exploit | Allows access to the file system, iBoot, and custom boot logos, and is found in the device’s first bootloader. This kind of exploit can be untethered, but cannot be patched by Apple: it’s hardware, not software. |
| use Device Administration API ... | to create Android "security-aware" apps |
| MDM Tools: | XenMobile, IBM MaaS360, AirWatch, and MobiControl. |
| Mobile Trojans | Obad, Fakedefender, TRAMP.A, ZitMo. |
| Stagefright - | A set of software bugs affecting Android operating systems. In short, the features that make message and media transfer richer allowed attackers to perform remote code execution and privilege escalation. |
| Mobile device attack platform tools | Network Spoofer; DroidSheep; Nmap; Kali Linux; NetCut |
| Bluesmacking | A simple denial-of-service attack against the device. |
| Bluejacking | Consists of sending unsolicited messages to, and from, mobile devices. |
| Bluesniffing | An effort to discover Bluetooth-enabled devices, much like war driving in wireless hacking. |
| Bluebugging | Successfully accessing a Bluetooth-enabled device and remotely using its features. |
| Bluesnarfing | The actual theft of data from a mobile device due to an open connection—such as remaining in discovery mode. |
| Blueprinting | Think of this as footprinting for Bluetooth: involves collecting device information over Bluetooth. |
| BBProxy | a Blackberry-centric tool that’s useful in an attack called blackjacking. |
| Bluetooth detection tools: | BlueScanner; BT Browser; Bluesniff; btCrawler |
| Bluetooth hacking tools: | Blooover; PhoneSnoop; Super Bluetooth Hack |
| BlueScanner | for finding bluetooth devices, will also try to extract and display as much information as possible. |
| BT Browser | for finding and enumerating nearby bluetooth devices. |
| Bluesniff and btCrawler | provide GUI formats for bluetooth detection. |
| Blooover | for Bluebugging |
| PhoneSnoop | spyware on a Blackberry. |
| Super Bluetooth Hack | all-in-one software package to do almost anything. If the device is a smartphone, can read all messages and contacts, change profiles, restart the device, and even make calls as if they’re coming from the phone itself. |
| IoT Architecture components | Things (devices with an OS for sensing); IoT gateways; the cloud. |
| RIOT OS | It can run on embedded systems, actuator boards, and sensors, uses energy efficiently, and has very small resource requirements. |
| ARM mbed OS | This is mostly used on wearables and other devices that are low-powered. |
| RealSense OS X | Intel’s depth sensing OS version, this is mostly found in cameras and other sensors. |
| Nucleus RTOS | OS primarily used in aerospace, medical, and industrial applications. |
| Brillo | An Android-based OS, this is generally found in thermostats. |
| Contiki | OS made for low-power devices; however, it is found mostly in street lighting and sound monitoring. |
| Zephyr | option for low-power devices, and devices without many resources. |
| Ubuntu Core | OS used in robots and drones, and is also known as "snappy." |
| Integrity RTOS | OS primarily found in aerospace and medical, defense, industrial, and automotive sectors. |
| Apache Mynewt | OS for devices using Bluetooth Low Energy Protocol. |
| IoT gateways (communication models) | Device to device; device to gateway (aggregates data before sending it to the cloud and can offer some security controls); device to cloud; back-end data sharing (adds the ability for third parties to collect and use the data). |
| Architecture layers inside IoT | EDGE TECHNOLOGY: sensors, RFID tags, readers, and devices. ACCESS GATEWAY: first data handling, with message ID and routing. INTERNET LAYER: main communication component. MIDDLEWARE: sits between application and hardware. APPLICATION: delivery of services and data. |
| Sybil attack | multiple forged identities are used to create the illusion of traffic congestion that affects everyone else in the local IoT network. |
| Dyn attack, | one of the largest DDoS attacks ever. Devices ranging from security cameras, printers, routers, and even baby monitors infected with malware launched an attack lasting approximately 3.5 hours. |
| BlueBorne rolling code attack | An attack on rolling codes: the attacker sniffs the first part of the code, jams the key fob, and sniffs/copies the second part on subsequent attempts, allowing the attacker to steal the code. |
| rolling code, | Code used by key fobs to unlock (and in some cases start) cars. |
| HackRF One | Tool for IoT BlueBorne rolling code attacks |
| Mirai | Malware that searches for IoT devices and installs itself on them to create gigantic botnets. |
| Tools for information gathering, reconnaissance and footprinting for IoT devices. | Shodan (dangerous), Nmap (noisy), Censys, and Thingful. |
| Tools for IoT vulnerability scanning: | Nmap; BeyondTrust's RIoT Vulnerability Scanner and beSTORM; IoTsploit; IoT Inspector. |
| IoT tools for launching attacks: | Firmalyzer (for performing active security assessments on IoT devices), KillerBee, JTAGulator, and the Attify Zigbee Framework (a suite of tools for testing Zigbee devices). |
| Foren6 | IoT sniffer: uses passive sniffer devices to reconstruct a visual and textual representation of an IoT network. |
| Roots of Trust (RoT) | a set of functions within the Trusted Computing Model that are always trusted by the computer’s operating system (OS) |
| Cloud Control Layers | Applications (firewall, SDLC, app scanners); Information (encryption, DLP, CMF); Management (patching, governance, IAM); Network (firewall, QoS, IDS); Trusted computing (RoT, APIs); Compute and storage (HIDS, firewalls, logs, encryption); Physical. |
| Core's CloudInspect | Tool designed for AWS cloud subscribers; runs as an automated, all-in-one testing suite specifically for your cloud subscription. |
| CloudPassage's Halo | Tool that provides instant visibility and continuous protection for servers in any combination of data centers, private clouds and public clouds. Delivered as a service, scales on demand, and uses minimal system resources. |
| SOA (Service Oriented Architecture) | An API that makes it easier for application components to cooperate and exchange information on systems connected over a network, delivering information directly to other components over that network. |
| cloud-based Session riding | this attack is CSRF (cross-site request forgery) under a different name and deals with cloud services instead of traditional data centers. |
| cloud-based side channel attack | this attack, aka cross-guest VM breach, deals with the virtualization itself. If an attacker can somehow gain control of an existing VM (or place his own) on the same physical host as the target, he may be able to pull off lots of attacks. |
| Abuse of cloud resources threat | Applies specifically to IaaS and PaaS. Attackers can access cloud services anonymously, leverage the tremendous resources to crack a password or encryption key, build rainbow tables, create and control botnets, and even host exploits and malicious sites. |
| Amazon’s EC2 | provides resizable compute capacity in the cloud via VMs that can be controlled via an API, applies to IaaS. |
| wrapping attack | A SOAP message is intercepted, the data in the envelope is changed, and the message is then sent/replayed. |
| Insecure interfaces and APIs threat | Attackers circumvent user-defined policies and interfere with input data verification. Provider and subscriber must ensure strong encryption and authorization access to APIs and connectivity. This threat applies to all cloud models. |
| Data breach or loss threat | Refers to the malicious theft, erasure, or modification of anything in the cloud. The CSA recommends multifactor authentication and encryption as protection against data breaches. |
| `nc -e IPaddress Port#` | Establish command-line access to the machine using netcat. |
| `nc -l -p 5555` | Open a listening port using netcat. |
| Port number used by "Death Trojan" | Port 2 |
| Port number used by "Senna Spy Trojan" | Port 20 |
| Port number used by "Hackers Paradise Trojan" | Port 31, 456 |
| Port number used by "TCP wrappers Trojan" | Port 421 |
| Port number used by "Doom, Satanz BackDoor Trojan" | Port 666 |
| Port number used by "Silencer, WebEx Trojan" | Port 1001 |
| Port number used by "RAT Trojan" | Port 1095-1098 |
| Port number used by "SubSeven Trojan" | Port 1243 |
| Port number used by "Shivka-burka Trojan" | Port 1600 |
| Port number used by "Trojan Cow Trojan" | Port 2001 |
| Port number used by "Deep Throat Trojan" | Port 6670-71 |
| Port number used by "Tini Trojan" | Port 7777 |
| Port number used by "NetBus Trojan" | Port 12345, 12346 |
| Port number used by "Whack a Mole Trojan" | Port 12361-63 |
| Port number used by "Back Orifice Trojan" | Port 31337, 31338 |
| `netstat -an` | Shows all the connections and listening ports in numerical form. |
| Neverquest Trojan | targets banking websites. It’s designed to steal credentials and sensitive information and to set up Virtual Network Computing (VNC) remote access to target systems. |
| `netstat -b` | Displays all active connections and the processes or applications that are using them. |
| Process Explorer | a free tool from Microsoft for showing running processes |
| AutoRuns | free Microsoft tool, for figuring out what runs at startup on your system. |
| Fport | a free tool from McAfee that reports all open TCP/IP and UDP ports and maps them to the owning applications. Same as ‘netstat -an’ command, and maps listed ports to running processes with the PID, process name, and path. |
| Exploit Kits: | Infinity, Bleeding Life, Crimepack, and Blackhole. |
| Registry Monitor Tools | SysAnalyzer, Tiny Watcher, Active Registry Monitor, and Regshot. |
| `msconfig` command | Opens a configuration window showing all sorts of startup (and other) settings you can work with. |
| Tripwire | a well-respected integrity verifier that can act as an HIDS in protection against Trojans. |
| SIGVERIF | Built into Windows machines to help verify the integrity of critical files on the system. Writes sigverif.txt to the c:\windows\system32 folder; the log is overwritten each time the tool is run. |
| WannaCry | A virus that spread to over 230k machines in 150 countries by exploiting an unpatched SMB vulnerability with the "EternalBlue" exploit. Microsoft's implementation of SMBv1 mishandled specially crafted packets, which allowed remote attackers to execute code on the machine. |
| Boot sector virus | Aka system virus; moves the boot sector, forcing the virus code to be executed first. Almost impossible to get rid of once you get infected. You can re-create the boot record (old-school fdisk or mbr could do the trick for you), but it's not easy. |
| Shell virus | Working just like the boot sector virus, this virus type wraps itself around an application’s code, inserting its own code before the application’s. Every time the application is run, the virus code is run first. |
| Cluster virus | virus type modifies directory table entries so that user or system processes are pointed to the virus code instead of the application or action intended. A single copy of the virus "infects" everything by launching when any application is initiated. |
| Multipartite virus | Attempts to infect both files and the boot sector at the same time. This generally refers to a virus with multiple infection vectors. |
| Macro virus | usually written with Visual Basic for Applications (VBA). This virus type infects template files created by Microsoft Office, normally Word and Excel. The Melissa virus was a prime example of this. |
| Polymorphic code virus | This virus mutates its code using a built-in polymorphic engine. This type of virus is difficult to find and remove because its signature constantly changes. No part of the virus stays the same from infection to infection. |
| Metamorphic virus | This virus type rewrites itself every time it infects a new file. |
| Encryption virus | type of virus uses encryption to hide the code from antivirus scanners. |
| Stealth virus | Aka "tunneling virus"; evades antivirus (AV) applications by intercepting the AV's OS requests and returning them to itself. The virus then alters the requests and sends them back to the AV as uninfected, making the virus appear "clean." |
| Cavity virus | Overwrites portions of host files so as not to increase the actual size of the file. This is done using the null content sections of the file and leaves the file's actual functionality intact. |
| Sparse infector virus | This virus type only infects occasionally. For example, maybe the virus only fires every tenth time a specific application is run. |
| File extension virus | virus type changes the file extensions of files to take advantage of most people having file extension view turned off. For example, readme.txt.vbs might appear as readme.txt with extensions turned off. |
| virus crafting tools | Sonic Bat, PoisonVirus Maker, Sam’s Virus Generator, and JPS Virus Maker. |
| Ghost Eye Worm | a hacking tool that uses random messaging on Facebook and other sites to perform a host of malicious efforts. |
| Code Red | Named after the soft drink the eEye Digital guys were drinking when they discovered it, exploited indexing software on IIS servers in 2001. The worm used a buffer overflow and defaced hundreds of thousands of servers. |
| Darlloz | Known as the worm for "the Internet of Things": a Linux-based worm that targets devices running ARM, MIPS, and PowerPC architectures, which are usually routers, set-top boxes, and security cameras. |
| Slammer aka SQL Slammer, Sapphire, SQL_HEL, and Helkern - | A DoS worm attacking buffer overflow weaknesses in Microsoft SQL Services. It spread quickly using UDP, and its small size (the entire worm could fit inside a single packet) allowed it to bypass many sensors. |
| Nimda | "Admin" spelled backward. A file infection virus that modified all web content on a machine; the most widespread worm in history. Spread through e-mail, open network shares, and websites, and used backdoors left on machines infected by the Code Red worm. |
| Bug Bear | Propagating over open network shares and e-mail, terminated AV applications and set up a backdoor for later use. It also contained keylogging capabilities. |
| Pretty Park | spread via e-mail (attempting a send every 30 minutes) and took advantage of IRC to propagate stolen passwords and the like. Running the worm executable often displayed the 3D Pipe screensaver on Windows machines. |
| sheepdip system | system set up to check physical media, device drivers, and other files for malware before it is introduced to the network. is isolated from the other computers, configured with AV programs, port monitors, registry monitors, and file integrity verifiers. |
| netizen | (a.k.a. cybercitizen: a person actively involved in online communities) |
| distributed reflection denial-of-service (DRDoS) attack | A botnet or spoof attack that uses multiple intermediary machines to pull off a DoS; the secondary machines send the attack at the behest of the attacker. The attacker remains hidden because the attacks appear to originate from those secondary machines. |
| Smurf | attacker sends a large number of pings to the broadcast address of the subnet, with the source IP spoofed to the target. The entire subnet will then begin sending ping responses to the target, exhausting the resources there. |
| fraggle attack | same as Smurf but uses UDP for the same purpose. |
| Trinity, | a Linux-based DDoS tool much like LOIC |
| R-U-Dead-Yet (RUDY) | performs DoS with HTTP POST via long-form field submissions. |
| Skydance | can help detect and prevent DoS attacks |
| session hijack steps (per EC-Council): | 1. Sniff traffic between the client & the server. 2. Monitor the traffic and predict the sequence numbering. 3. Desynchronize the session with the client. 4. Predict the session token and take over the session. 5. Inject packets to the target server. |
| Hunt | can sniff, hijack, and reset connections at will. |
| T-sight | (commercially available) can easily hijack sessions as well as monitor additional network connections. |
| Zaproxy and Paros | Hijacking tools (both better known as proxy tools). |
| Juggernaut | Linux-based hijacking tool. |
| Hamster and Ferret | Hijacking tools. |
| MIB | A man-in-the-browser (MIB) attack occurs when the hacker sends a Trojan to intercept browser calls. The Trojan sits between the browser and its libraries, allowing the hacker to watch, and interact within, a browser session. |
| Mudge Beacon | Placed on a box, it lets you "browser pivot" as if all of the target's active sessions were your own. It sets up a local proxy port so you can point your browser to it, and it directs all of your requests through the beacon on the target machine. |
| Countermeasures for session hijacking | using unpredictable session IDs (remember this one); limiting incoming connections; minimizing remote access; regenerating the session key after authentication is complete; use encryption to protect the channel. |
| IPSec architecture elements | Authentication Header; Encapsulating Security Payload; Internet Key Exchange; Oakley (uses Diffie-Hellman to create master and session keys); Internet Security Association Key Management Protocol (ISAKMP). |
| Authentication Header (AH) | a protocol within IPSec that guarantees the integrity and authentication of the IP packet sender. |
| Encapsulating Security Payload (ESP) | Provides IPSec origin authenticity and integrity, and confidentiality (through encryption) too. Does not provide integrity and authentication for the entire IP packet in transport mode, but in tunnel mode protection is provided to the entire packet. |
| Internet Key Exchange (IKE) | is the IPSec protocol that produces the keys for the encryption process. |
| Oakley | An IPSec protocol that uses Diffie-Hellman to create master and session keys. |
| Internet Security Association Key Management Protocol (ISAKMP) | IPSec software that facilitates encrypted communication between two endpoints. |
| Spectre and Meltdown | Attacks that took advantage of speculative processing (in slightly different ways), requiring existing access to exploit and leaving almost no evidence that an exploit even occurred. |