CEH

Study online at quizlet.com/_2rb8c

1. 802.11i
*** is an amendment to the original IEEE 802.11. This standard specifies security mechanisms for wireless networks. It replaced the short Authentication and privacy clause of the original standard with a detailed Security clause. In the process, it deprecated the broken WEP. 802.11i supersedes the previous security specification, Wired Equivalent Privacy (WEP), which was shown to have severe security weaknesses. Wi-Fi Protected Access (WPA) had previously been introduced by the Wi-Fi Alliance as an intermediate solution to WEP insecurities. The Wi-Fi Alliance refers to their approved, interoperable implementation of the full 802.11i as WPA2, also called RSN (Robust Security Network). 802.11i makes use of the Advanced Encryption Standard (AES) block cipher, whereas WEP and WPA use the RC4 stream cipher.

2. Absinthe
Absinthe is an automated tool that is used to implement SQL injections and to retrieve data from Web server databases. The following are the features of Absinthe:
- It supports Web application injection parameters.
- It supports SQL injections on various databases, i.e., MS SQL Server, MSDE, Oracle, and Postgres.
- It supports cookies and additional HTTP headers.
- It supports additional text appended to queries.
- It supports the use of proxies/proxy rotation.
- It supports multiple filters for page profiling and custom delimiters.

3. Address Resolution Protocol (ARP) spoofing, also known as ARP poisoning or ARP Poison Routing (APR)
*** is a technique used to attack an Ethernet wired or wireless network. *** may allow an attacker to sniff data frames on a local area network (LAN), modify the traffic, or stop the traffic altogether. The attack can only be used on networks that actually make use of ARP and not another method of address resolution. The principle of *** is to send fake ARP messages to an Ethernet LAN. Generally, the aim is to associate the attacker's MAC address with the IP address of another node (such as the default gateway). Any traffic meant for that IP address would be mistakenly sent to the attacker instead. The attacker could then choose to forward the traffic to the actual default gateway (passive sniffing) or modify the data before forwarding it. *** attacks can be run from a compromised host, or from an attacker's machine that is connected directly to the target Ethernet segment.

4. AirSnort
*** is a Linux-based WLAN WEP cracking tool that recovers encryption keys. *** operates by passively monitoring transmissions. It uses a Ciphertext Only Attack and captures approximately 5 to 10 million packets to decrypt the WEP keys.

5. ARP spoofing
*** may allow an attacker to sniff data frames on a local area network (LAN), modify the traffic, or stop the traffic altogether.

6. attack phase
The *** is the most important phase of penetration testing. Different exploitive and responsive hacking tools are used to monitor and test the security of systems and the network. Some of the actions performed in the attack phase are as follows:
- Penetrating the perimeter
- Escalating privileges
- Executing, implanting, and retracting

7. AWStats
*** is a free, powerful tool which is used to generate Web, streaming, and mail server statistics graphically. It works as a CGI or from the command line. AWStats shows all possible information contained in a log. It can analyze log files from almost all server tools, such as Apache log files, WebStar, IIS (W3C log format), and various other Web, proxy, WAP, and streaming servers, mail servers, and some FTP servers. AWStats can work with all Web hosting providers which allow Perl, CGI and log access.

8. Back door
*** is a program or account that allows access to a system by skipping the security checks. Many vendors and developers implement back doors to save time and effort by skipping the security checks while troubleshooting. A *** is considered to be a security threat and should be kept with the highest security. If a back door becomes known to attackers and malicious users, they can use it to exploit the system.

9. Blue jacking
*** is the process of using another Bluetooth device that is within range (about 30' or less) and sending unsolicited messages to the target.

10. Blue snarfing
*** is a process whereby the attacker actually takes control of the phone, perhaps copying data or even making calls.

11. boot sector virus
A *** infects the master boot files of the hard disk or floppy disk. Boot record programs are responsible for booting the operating system, and the *** copies these programs into another part of the hard disk or overwrites these files. Therefore, when the floppy or the hard disk boots, the virus infects the computer.

12. Bridge
(Data link) Connects two or more networks and forwards packets between them. Bridges read and filter packets and frames. Bridges do not require IP addresses and will pass broadcast traffic.

13. Brouter
(Data link, network) A device which bridges some packets (i.e., forwards based on data link layer information) and routes other packets (i.e., forwards based on network layer information). The bridge/route decision is based on configuration information.

14. brute force attack
In a ***, an attacker uses software that tries a large number of key combinations in order to get a password. To prevent such attacks, users should create passwords that are more difficult to guess, e.g., using a minimum of six characters, alphanumeric combinations, lower-upper case combinations, etc.

15. Buffer overflow
*** is a condition in which an application receives more data than it is configured to accept. It helps an attacker not only to execute malicious code on the target system but also to install backdoors on the target system for further attacks. All *** attacks are due only to sloppy programming or poor memory management by the application developers. The main types of buffer overflows are:
- Stack overflow
- Format string overflow
- Heap overflow
- Integer overflow

16. CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol)
*** is an IEEE 802.11i encryption protocol created to replace both TKIP, the mandatory protocol in WPA, and WEP, the earlier, insecure protocol. CCMP is a mandatory part of the WPA2 standard, an optional part of the WPA standard, and a required option for Robust Security Network (RSN) compliant networks. CCMP is also used in the ITU-T home and business networking standard. CCMP, part of the 802.11i standard, uses the Advanced Encryption Standard (AES) algorithm. Unlike in TKIP, key management and message integrity are handled by a single component built around AES using a 128-bit key, a 128-bit block, and 10 rounds of encoding per the FIPS 197 standard.

17. certificate server
A *** enables the use of public key and private key pairs for secure communication on the intranet. A certificate server is a standards-based, highly customizable server program for managing the creation, issuance, and renewal of digital certificates. It uses public key cryptography, which is a technology widely used for secure communication on a network such as an intranet or the Internet. Public key cryptography uses two types of keys, a public key and a private key. The public key is available to everyone, while the private or secret key is available only to the recipient of the message. For example, when a user sends a message or data to another user, the sender uses a public key to encrypt the data. The receiver uses his private key to decrypt the data. Public key cryptography is the most secure cryptographic implementation.

18. Chip creep
*** refers to the problem of a microprocessor (chip) which, over time, would work its way out of the socket. This was mainly an issue with old computers. It occurs due to thermal expansion: the contracting and expanding as the system heats up and cools down. While chip creep was most common with older memory modules, it was a problem with other main chips (or CPUs) that were inserted into CPU sockets.

19. Chosen ciphertext attack
In this type of attack, an attacker can choose the ciphertext to be decrypted and can then analyze the plaintext output of the event. The early versions of RSA used in SSL were actually vulnerable to this attack.

20. Chosen plaintext attack
In a ***, an attacker somehow picks up the information to be encrypted and takes a copy of it with the encrypted data. This is used to find patterns in the cryptographic output that might uncover a vulnerability or reveal a cryptographic key.

21. Ciphertext only attack
In this attack, an attacker obtains encrypted messages that have been encrypted using the same encryption algorithm. For example, the original version of WEP used RC4, and if sniffed long enough, the repetitions would allow a hacker to extract the WEP key. Such types of attacks do not require the attacker to have the plaintext because the statistical analysis of the sniffed log is enough.

22. computer security policy
A *** defines the goals and elements of the computer systems of an organization. The definition can be highly formal or informal. Security policies are enforced by organizational policies or security mechanisms. A technical implementation defines whether a computer system is secure or insecure. These formal policy models can be categorized into the core security principles, which are as follows:
- Confidentiality
- Integrity
- Availability

23. Cross-site scripting
In ***, the attacker tricks the user's computer into running code which is treated as trustworthy because it appears to belong to the server, allowing the attacker to obtain a copy of the cookie or perform other operations.

24. csrss.exe
*** is a process that supports creating and deleting processes and threads, running 16-bit virtual DOS machine processes, and running console windows.

25. Denial-of-Service (DoS) attack
A *** is mounted with the objective of causing a negative impact on the performance of a computer or network. It is also known as a network saturation attack or bandwidth consumption attack. Attackers perform DoS attacks by sending a large number of protocol packets to the network. The effects of a DoS attack are as follows:
- Saturates network resources
- Disrupts connections between two computers, thereby preventing communications between services
- Disrupts services to a specific computer
- Causes failure to access a Web site
- Results in an increase in the amount of spam
A *** is very common on the Internet because it is much easier to accomplish. Most DoS attacks rely on weaknesses in the TCP/IP protocol. The following methods are used to investigate a ***:
- Sniff network traffic to the failing machine.
- Look for unusual traffic on Internet connections and network segments.
- Look for core files or crash dumps on the affected systems.

26. Device Seizure
*** is software which is used in forensic analysis and recovery of mobile phone and PDA data. It is used for data recovery, full data dumps of certain cell phone models, logical and physical acquisitions of PDAs, data cable access, and advanced reporting. Device Seizure also provides the feature of GSM SIM card acquisition and deleted data recovery using SIMCon technology.

27. Dictionary attack
*** is a type of password guessing attack. This type of attack uses a dictionary of common words to find out the password of a user. It can also use common words in either upper or lower case to find a password. There are many programs available on the Internet to automate and execute dictionary attacks.

28. DNS cache poisoning
*** is a maliciously created or unintended situation that provides data to a caching name server that did not originate from authoritative Domain Name System (DNS) sources. Once a DNS server has received such non-authentic data and caches it for a future performance increase, it is considered poisoned, supplying the non-authentic data to the clients of the server. To perform a cache poisoning attack, the attacker exploits a flaw in the DNS software. If the server does not correctly validate DNS responses to ensure that they are from an authoritative source, the server will end up caching the incorrect entries locally and serving them to other users that make the same request.

29. DNS poisoning attack
In ***, an attacker distributes incorrect IP addresses. DNS cache poisoning is a maliciously created or unintended situation that provides data to a caching name server that did not originate from authoritative Domain Name System (DNS) sources. Once a DNS server has received such non-authentic data and caches it for a future performance increase, it is considered poisoned, supplying the non-authentic data to the clients of the server. To perform a cache poisoning attack, the attacker exploits a flaw in the DNS software. If the server does not correctly validate DNS responses to ensure that they are from an authoritative source, the server will end up caching the incorrect entries locally and serving them to other users that make the same request.

30. Domain Information Groper (DIG)
*** is a network tool, like nslookup, that queries DNS name servers. It can be used to simulate a DNS resolver or a name server. The dig command can also be used for network troubleshooting. Following is an example of digging the site ce.sharif.edu:

    $ dig ce.sharif.edu

    ; <<>> DiG 9.2.4 <<>> ce.sharif.edu
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23567
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

    ;; QUESTION SECTION:
    ;ce.sharif.edu. IN A

    ;; ANSWER SECTION:
    ce.sharif.edu. 864000 IN A 81.31.164.3

    ;; AUTHORITY SECTION:
    ce.sharif.edu. 864000 IN NS netserver.ce.sharif.edu.

    ;; ADDITIONAL SECTION:
    netserver.ce.sharif.edu. 864000 IN A 81.31.164.2

    ;; Query time: 1 msec
    ;; SERVER: 81.31.164.2#53(81.31.164.2)
    ;; WHEN: Wed Nov 1 17:02:16 2006
    ;; MSG SIZE rcvd: 87

(Reference: Linux MAN Pages, Contents: "lsof", copyright 2008-2010 www.ucertify.com)

31. Dskprobe
*** is a tool that is used to detect steganography. Steganography is the art and science of hiding information by embedding harmful messages within other seemingly harmless messages. It works by replacing bits of unused data, such as graphics, sound, text, and HTML, with bits of invisible information in regular computer files. This hidden information can be in the form of plain text, cipher text, or even images.

32. Extensible Authentication Protocol-Transport Level Security (EAP-TLS)
*** is an authentication protocol which provides mutual authentication, integrity-protected negotiation of cryptographic service providers, and a secret key exchange between two systems that use public key cryptography. EAP-TLS works on a network that is configured for public key infrastructure (PKI) and uses certificates for authentication. These certificates can be stored on computers or on smart cards.

33. Extensible Storage Engine (ESE)
***, also known as JET Blue, is an Indexed Sequential Access Method (ISAM) data storage technology from Microsoft. ESE is notably a core component of Microsoft Exchange Server and Active Directory. Its purpose is to allow applications to store and retrieve data via indexed and sequential access. Windows Mail and Desktop Search in the Windows Vista operating system also make use of ESE to store indexes and property information respectively. ESE provides transacted data update and retrieval. A crash recovery mechanism is provided so that data consistency is maintained even in the event of a system crash. Transactions in ESE are highly concurrent, making ESE suitable for server applications. ESE caches data intelligently to ensure high performance access to data. In addition, ESE is lightweight, making it suitable for auxiliary applications.

34. filetype
The filetype Google search query operator is used to search for a specified file type. For example, if you want to search all PDF files having the word hacking, you will use the search query filetype:pdf pdf hacking.

35. FireWire DriveDock
*** is a forensic instrument which is designed to load hard drives on computer systems. It is attached to the hard drives using FireWire 400 or USB cables. It also has dual FireWire 400 ports, which allow daisy-chaining for more efficiency. *** does not require any additional drivers. It can transfer data at a transfer rate of minimum 35 MB per second.

36. Forensic Acquisition Utilities (FAU)
*** is an Incident Response tool which is used to make an image of the system's memory and any devices attached to the system. FAU contains a modified Windows version of the Unix utility dd that can image not only the hard drives but also memory. With the help of Forensic Acquisition Utilities (FAU), forensic investigators can use the search tools to find text in the memory image, IP addresses, URLs and passwords.

37. fraggle DoS attack
In a ***, an attacker sends a large amount of UDP echo request traffic to the IP broadcast addresses. These UDP requests have a spoofed source address of the intended victim. If the routing device delivering traffic to those broadcast addresses delivers the IP broadcast to all the hosts, most of the IP addresses send an ECHO reply message. On a multi-access broadcast network, hundreds of computers might reply to each packet, so the target network is overwhelmed by all the messages sent simultaneously. Due to this, the network becomes unable to provide services to all the messages and crashes.

38. Galleta
*** is an application which is used to examine the contents of cookie files. Galleta parses the information in a cookie file and outputs the results in a field-delimited manner so that it may be imported into a spreadsheet program. Galleta is built to work on various platforms and will execute on Windows (through Cygwin), Mac OS X, and Linux.

39. Honey pots have several advantages
- Small set of data: Honey pots collect small amounts of data, but almost all of this data is about real attacks or unauthorized activity.
- Reduced false positives: Honey pots mostly detect or capture attacks or unauthorized activities, which reduces false positives.
- False negatives: Honey pots detect and record any unseen or unnoticed attacks or behavior.
- Cost effective: Honey pots only interact with malicious activity, so there is no need for high performance resources.

40. Honey pots have some disadvantages
- Limited view: Honey pots can only see activities that interact with them. They cannot see or capture any attacks directed against existing systems.
- Discovery and fingerprinting: Honey pots can be easily detected and fingerprinted by several tools.
- Risk of takeover: Since there are many security holes in honey pots, a malicious attacker can take over the honey pot and use it to gain access and hack other networks.

41. hybrid attack
When an attacker performs a dictionary as well as a brute force attack, the attack is known as a ***. In this method, an attack is performed with the dictionary attack method of adding numerals and symbols to dictionary words.

42. ICMP TYPE 3 and CODE 13 error message
The *** is displayed when a Network Administrator has prohibited communication with the server by using a firewall.

43. ICMP type 13
*** is an ICMP Timestamp request message. Therefore, John is using a Timestamp request message to send the ICMP message.

44. IDLE scan
The *** is initiated with the IP address of a third party. Hence, it becomes a stealth scan. Since the *** uses the IP address of a third party, it becomes quite impossible to detect the hacker.

45. IDS evading tools
ADMutate, Fragroute, and Stick

46. Image hide
*** is a steganography program that hides text within an image. Steganography can encrypt or decrypt malicious data into images that appear identical to the original images. It is estimated that a 640 x 480 pixel image with a color resolution of 256 colors can hide approximately 300 KB of information. High resolution images are noted for their payload. For example, a 1024 x 768 pixel image with a 24-bit color resolution can carry about 2.3 MB as payload. Image hide warns its users not to save the image file in JPEG format, since it is a lossy algorithm and malicious data may be lost during compression.

47. ImageMASSter 4002i
The *** is a tool which is used for forensic investigations. It is used to duplicate P-ATA and S-ATA drives of high volume. *** copies two drives simultaneously at speeds up to 2 GB/min. Multiple copy modes are also available in *** to support Windows and non-Windows operating systems. Partitions are scaled and formatted during the copy process, eliminating the requirement of manually preparing a drive before usage. The *** is also equipped with the Wipeout option, which provides a quick method for erasing data from hard drives.

48. ImageMASSter Solo-3
*** is a forensic data acquisition tool which is used to capture data and make images of hard drives. It can capture data from IDE, Serial ATA, SCSI drives, and flash cards. *** can generate MD5 and CRC32 hashes during the data capture. It can acquire data with a transfer rate of up to 3 GB/minute and has a touch screen user interface.

49. Internet Control Message Protocol (ICMP)
*** is an integral part of IP. It is used to report an error in datagram processing. The Internet Protocol (IP) is used for host-to-host datagram service in a network. The network is configured with connecting devices called gateways. When an error occurs in datagram processing, gateways or destination hosts report the error to the source hosts through the ICMP protocol. ICMP messages are sent in various situations, such as when a datagram cannot reach its destination, when the gateway cannot direct the host to send traffic on a shorter route, when the gateway does not have the buffering capacity, etc.

50. Internet Message Access Protocol (IMAP or IMAP4)
*** is a prevalent Internet standard protocol for e-mail retrieval. It is an application layer Internet protocol operating on port 143 that allows a local client to access e-mail on a remote server. IMAP supports both connected (online) and disconnected (offline) modes of operation. E-mail clients using IMAP generally leave messages on the server until the user explicitly deletes them. This and other facets of IMAP operation allow multiple clients to access the same mailbox.

51. Internet Protocol Security (IPSec)
*** is a standards-based protocol that provides the highest level of VPN security. *** can encrypt virtually everything above the networking layer. It is used for VPN connections that use the L2TP protocol. It secures both data and passwords.

52. Internet Relay Chat (IRC)
*** is a form of real-time Internet text messaging (chat) or synchronous conferencing. It is mainly designed for group communication in discussion forums, called channels, but also allows one-to-one communication via private message as well as chat and data transfers via Direct Client-to-Client. IRC client software is available for virtually every computer operating system that supports TCP/IP networking. IRC is an open protocol that uses TCP and optionally TLS. An IRC server can connect to other IRC servers to expand the IRC network. Users access IRC networks by connecting a client to a server.

53. IP (Internet Protocol) address spoofing
*** is an attack in which an attacker creates IP packets with a forged (spoofed) source IP address with the purpose of concealing the identity of the sender or impersonating another computing system. The basic protocol for sending data over the Internet and many other computer networks is the Internet Protocol ("IP"). The header of each IP packet contains, among other things, the numerical source and destination address of the packet. The source address is normally the address that the packet was sent from. By forging the header so it contains a different address, an attacker can make it appear that the packet was sent by a different machine. The machine that receives spoofed packets will send a response back to the forged source address, which means that this technique is mainly used when the attacker does not care about the response or the attacker has some way of guessing the response.

54. IPTables
*** is a firewall that is a replacement for the IPChains firewall for the Linux 2.4 kernel and later versions. IPTables has the following features:
- It supports stateful packet inspection.
- It filters packets according to the MAC address and TCP header flag values.
- It is helpful for preventing attacks using malformed packets.
- It reduces DoS attacks.
- It provides better network address translation.
- It supports the transparent integration of the operating system with Web proxy servers.
The syntax of IPTables is as follows:

    iptables [-t table] command [match] [target/jump]

55. Known plaintext attack
In a known plaintext attack, an attacker should have both the plaintext and ciphertext of one or more messages. These two items are used to extract the cryptographic key and recover the encrypted text.

56. land attack
In a ***, the attacker sends a spoofed TCP SYN packet in which the IP address of the target is filled in both the source and destination fields. On receiving the spoofed packet, the target system becomes confused and goes into a frozen state. Nowadays, antivirus can easily detect such an attack.

57. Local network
This test simulates an employee or other authorized person who has an authorized connection to the organization's network. The primary defenses that must be defeated here are intranet firewalls, internal Web servers, and server security measures.

58. lsof
The *** command is used to report a list of all open files and the processes that opened them. These open files include disk files, pipes, network sockets and devices opened by all processes. When a disk cannot be unmounted because unspecified files are in use, this command can be used. The listing of open files can be consulted to identify the process that is using the files.

59. MAC flooding
*** is an attack that can be performed by attacking the CAM switches. *** is a technique employed to compromise the security of network switches. In a typical *** attack, a switch is flooded with packets, each containing different source MAC addresses. The intention is to consume the limited memory set aside in the switch to store the MAC address-to-physical port translation table. The result of this attack causes the switch to enter a state called fail-open mode, in which all incoming packets are broadcast out on all ports (as with a hub), instead of just down the correct port as per normal operation. A malicious user could then use a packet sniffer (such as Wireshark) running in promiscuous mode to capture sensitive data from other computers (such as unencrypted passwords, e-mail and instant messaging conversations), which would not be accessible were the switch operating normally.

60. macro virus
A *** is a virus that consists of macro code which infects the system. A *** can infect a system rapidly. Since this virus has VB event handlers, it is dynamic in nature and displays random activation. The victim has only to open a file having a *** in order to infect the system with the virus. DMV, Nuclear, and Word Concept are some good examples of ***.

61. Man-in-the-middle attack
In this form of attack, an attacker places himself in the middle of the communications flow between two parties. Once an attacker enters the communications flow, he is able to perform a ciphertext only attack, exchange bogus keys, etc.

62. Man-in-the-middle attacks
*** occur when an attacker successfully inserts intermediary software or a program between two communicating hosts. The intermediary software or program allows attackers to listen to and modify the communication packets passing between the two hosts. The software intercepts the communication packets and then sends the information to the receiving host. The receiving host responds to the software, presuming it to be the legitimate client.

63. man-trap
A *** is a scenario in which there are two doors (for example, one on each end of a short corridor) but only one can be open at a time. Thus a person exiting the building would have to go through one door, close it, go to the other end of the corridor and open that door. The second door could not open until the first was closed. In an emergency, both doors can be automatically sealed.

64. Mark
Mark will not choose EAP-Transport Layer Security (EAP-TLS) because this protocol is used for authentication with certificates, generally smart cards. The EAP-TLS protocol is not suited for password-based authentication.

65. MD5
MD5 is not as strong as PEAP. However, it can be used for password authentication. According to the question, Mark needs to provide the best level of security.

66. Messaging Application Programming Interface (MAPI)
*** is a messaging architecture and a Component Object Model based API for Microsoft Windows. MAPI allows client programs to become (e-mail) messaging-enabled, -aware, or -based by calling MAPI subsystem routines that interface with certain messaging servers. While MAPI is designed to be independent of the protocol, it is usually used with MAPI/RPC, the proprietary protocol that Microsoft Outlook uses to communicate with Microsoft Exchange. Simple MAPI is a subset of 12 functions which enable developers to add basic messaging functionality. Extended MAPI allows complete control over the messaging system on the client computer, creation and management of messages, management of the client mailbox, service providers, and so forth.

67. NBTscan
*** is a scanner that scans IP networks for NetBIOS name information. It sends a NetBIOS status query to each address in a supplied range and lists the received information in human readable form. It displays the IP address, NetBIOS computer name, logged-in user name and MAC address of each host that responded. *** works in the same manner as nbtstat, but it operates on a range of addresses instead of just one.

68. NetBIOS NULL session vulnerabilities
*** are hard to prevent, especially if NetBIOS is needed as part of the infrastructure. One or more of the following steps can be taken to limit NetBIOS NULL session vulnerabilities:
    1. Null sessions require access to the TCP 139 or TCP 445 port, which can be disabled by a Network Administrator.
    2. A Network Administrator can also disable SMB services entirely on individual hosts by unbinding WINS Client TCP/IP from the interface.
    3. A Network Administrator can also restrict the anonymous user by editing the registry values:
       a. Open regedit32, and go to HKLM\SYSTEM\CurrentControlSet\LSA.
       b. Choose Edit > Add Value. Value name: RestrictAnonymous; Data type: REG_WORD; Value: 2

69. Netcat
*** is a freely available networking utility that reads and writes data across network connections by using the TCP/IP protocol. Netcat has the following features:
- It provides outbound and inbound connections for TCP and UDP ports.
- It provides special tunneling such as UDP to TCP, with the possibility of specifying all network parameters.
- It is a good port scanner.
- It contains advanced usage options, such as buffered send-mode (one line every N seconds), and hexdump (to stderr or to a specified file) of transmitted and received data.
- It is an optional RFC854 telnet code parser and responder.

70. ***
A *** is a generic document that outlines rules for computer network access. It also determines how policies are enforced and lays out some of the basic architecture of the company security/network security environment. The document itself is usually several pages long and written by a committee. It is a very complex document, meant to govern data access, Web-browsing habits, use of passwords and encryption, e-mail attachments and more. It specifies these rules for individuals or groups of individuals throughout the company. A security policy should keep malicious users out and also exert control over potentially risky users within the organization.

71. nmap
nmap -sS -PT -PI -O -T1 <ip address> is used to slow down the scan process in nmap. The nmap ("Network Mapper") command is used for network exploration and security auditing. It rapidly scans large networks, although it works fine against single hosts. nmap uses raw IP packets to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. While nmap is commonly used for security audits, many systems and network administrators use it for routine tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. For performing serial and parallel scans with some delay, nmap uses the following switches:
- With the -T Paranoid switch, nmap performs a serial scan with a 300 sec delay between each scan.
- With the -T Sneaky switch, nmap performs a serial scan with a 15 sec delay between each scan.
- With the -T Polite switch, nmap performs a serial scan with a 4 sec delay between each scan.
- With the -T Normal switch, nmap performs parallel scans.
- With the -T Aggressive switch, nmap performs a parallel scan with a 300 sec timeout and 1.25 sec/probe.
- With the -T Insane switch, nmap performs a parallel scan with a 75 sec timeout and 0.3 sec/probe.

72. NTP enumeration
The *** is a method in which the NTP protocol is used to grab valuable data from a vulnerable network. The NTP protocol is used to synchronize the time and date between computers in the network. When an attacker queries the NTP server, he can get quite valuable information. NTP enumeration is mainly performed by the following Linux commands:
- ntpdate
- ntptrace
- ntpdc
- ntpq

73. ***
*** is a method to securely transmit authentication information over wired or wireless networks. It was jointly developed by Cisco Systems, Microsoft, and RSA Security. *** is not an encryption protocol; as with other EAP protocols, it only authenticates a client into a network.

74.

network security policy

75.

nmap

76.

nmap scan

77.

NTP enumeration

78.

PEAP (Protected Extensible Authentication Protocol) ping command-line utility ping flood attack Point-to-Point Tunneling Protocol (PPTP)

79.

The *** is used to test connectivity with a host on a TCP/IP-based network. This is achieved by sending out a series of packets to a specified destination host. On receiving the packets, the destination host responds with a series of replies. These replies can be used to determine whether or not the network is working properly. In a ***, an attacker sends a large number of ICMP packets to the target computer using the ping command, i.e., ping f target_IP_address. When the target computer receives these packets in large quantities, it does not respond and hangs. ** is a remote access protocol. It is an extension of the** is used to securely connect to a private network by a remote client using a public data network, such as the Internet. Virtual private networks (VPNs) use the tunneling protocol to enable remote users to access corporate networks securely across the Internet. *** supports encapsulation of encrypted packets in secure wrappers that can be transmitted over a TCP/IP connection.

80.

81.

82.

Polymorphic virus

** has the ability to change its own signature at the time of infection. This virus is very complicated and hard to detect. When the user runs the infected file in the disk, it loads virus into the RAM. The new virus starts making its own copies and infects other files of the operating system. The mutation engine of * generates a new encrypted code, this changes the signature of the virus. Therefore, ** cannot be detected by the signature based antivirus. The *** phase involves restoring the system to normal pretest configurations. It includes removing files, cleaning registry entries, and removing shares and connections. Analyzing all the results and presenting them in a comprehensive report is also the part of this phase. These reports include objectives, observations, all activities undertaken, and the results of test activities, and may recommend fixes for vulnerabilities. *** is a document, which outlines and defines acceptable methods of remotely connecting to the internal network. It is essential in large organization where networks are geographically dispersed and extend into insecure network locations such as public networks or unmanaged home networks. It should cover all available methods to remotely access internal resources, which are as follows: dial-in (SLIP, PPP) ISDN/Frame Relay telnet access from Internet Cable modem This mode simulates an attack against the client's modem pools. The main targets of dial up testing are PBX units, Fax machines, and central voice mail servers. The primary defenses that must be defeated here are user authentication schemes. This mode attempts to simulate an attack launched over the Internet. The primary defenses that must be defeated in this test are border firewalls, filtering routers, etc. (Physical Device), used to amplify and/or regenerate attenuated signals. In this type of attack, an attacker tries to repeat or delay a cryptographic transmission. A replay attack can be prevented using session tokens. 
A *** is a type of attack in which attackers capture packets containing passwords or digital signatures whenever packets pass between two hosts on a network. In an attempt to obtain an authenticated connection, the attackers then resend the captured packet to the system. In this type of attack, the attacker does not know the actual password, but can simply replay the captured packet. (Network),Device that determines the next network point to which a data packet should be forwarded towards its destination. The router is connected to at least two networks and determines which way to send each data packet based on its current understanding of the state of the networks it is connected to. Routers create or maintain a table of the available routes and use this information to determine the best route for a given data packet. The *** is used to find the RPC applications. After getting the RPC application port with the help of another port scanner, RPC port scanner sends a null RPC packet to all the RPC service ports, which are open into the target system. *** is a software package that enables Linux clients to connect to the network resources (such as file shares and printers on a network) with the computers that use the Server Message Block (SMB) protocol. *** is a state of well-being of information and infrastructures in which the possibilities of successful yet undetected theft, tampering, and/or disruption of information and services are kept low or tolerable. The elements of security are as follows: 1. Confidentiality: It is the concealment of information or resources. 2. Authenticity: It is the identification and assurance of the origin of information. 3. Integrity: It refers to the trustworthiness of data or resources in terms of preventing improper and unauthorized changes. 4. Availability: It refers to the ability to use the information or resource as desired. 
In*** , the attacker sets a user's session id to one known to him, for example by sending the user an email with a link that contains a particular session id. The attacker now only has to wait until the user logs in.

83.

post-attack

84.

Remote access policy

85.

Remote dialup network Remote network Repeater Replay attack replay attack

86.

87. 88.

89.

90.

Router

91.

RPC (Remote Procedure Call) scan Samba Security

92.

93.

94.

Session fixation

95.

Session sidejacking

In ***, the attacker uses packet sniffing to read network traffic between two parties to steal the session cookie. Many Web sites use SSL encryption for login pages to prevent attackers from seeing the password, but do not use encryption for the rest of the site once authenticated. This allows attackers that can read the network traffic to intercept all the data that is submitted to the server or Web pages viewed by the client. Since this data includes the session cookie, it allows him to impersonate the victim, even if the password itself is not compromised. Unsecured Wi-Fi hotspots are particularly vulnerable, as anyone sharing the network will generally be able to read most of the Web traffic between other nodes and the access point. This process supports the programs needed to implement the user interface, including the graphics subsystem and the log on processes. *** is an attack that generates significant computer network traffic on a victim network. This is a type of denial-of-service attack that floods a target system via spoofed broadcast ping messages. In such attacks, a perpetrator sends a large amount of ICMP echo request (ping) traffic to IP broadcast addresses, all of which have a spoofed source IP address of the intended victim. If the routing device delivering traffic to those broadcast addresses delivers the IP broadcast to all hosts, most hosts on that IP network will take the ICMP echo request and reply to it with an echo reply, which multiplies the traffic by the number of hosts responding. *** is an activity of observing the content that appears on a computer monitor or watching what a user is typing. Snooping also occurs by using software programs to remotely monitor activity on a computer or network device. Hackers or attackers use snooping techniques and equipment such as keyloggers to monitor keystrokes, capture passwords and login information, and to intercept e-mail and other private communications. 
Sometimes, organizations also snoop their employees legitimately to monitor their use of organizations' computers and track Internet usage. *** is a Steganography tool that is used to hide secret data in text files. It is based on the concept that spaces and tabs are generally not visible in text viewers and therefore a message can be effectively hidden without affecting the text's visual representation for the casual observer. It achieves this by appending white spaces to the ends of lines in ASCII text. A *** is a process in which an attacker tries to execute unauthorized SQL statements. These statements can be used to delete data from a database, delete database objects such as tables, views, stored procedures, etc. An attacker can either directly enter the code into input variables or insert malicious code in strings that can be stored in a database. For example, the following line of code illustrates one form of SQL injection attack: query = "SELECT * FROM users WHERE name = '" + userName + "';" This SQL code is designed to fetch the records of any specified username from its table of users. However, if the "userName" variable is crafted in a specific way by a malicious hacker, the SQL statement may do more than the code author intended. For example, if the attacker puts the "userName" value as ' or ''=', the SQL statement will now be as follows: SELECT * FROM users WHERE name = '' OR ''=''; A *** is a file virus. It infects the computer and then hides itself from detection by antivirus software. It uses various mechanisms to avoid detection by antivirus software. It hides itself in computer memory after infecting the computer. It also masks itself from applications or utilities. It uses various tricks to appear that the computer has not lost any memory and the file size has not been changed. The virus may save a copy of original and uninfected data. 
When the anti-virus program tries to check the files that have been affected, the virus shows only the uninfected data. This virus generally infects .COM and .EXE files. *** is an art and science of hiding information by embedding harmful messages within other seemingly harmless messages. It works by replacing bits of unused data, such as graphics, sound, text, and HTML, with bits of invisible information in regular computer files. This hidden information can be in the form of plain text, cipher text, or even in the form of images. This mode simulates theft of a critical information resource such as a laptop owned by a strategist. This process includes most kernel-level threads, which manage the underlying aspects of the operating system. *** is the default port for DNS zone transfer. Although disabling it can help restrict DNS zone transfer enumeration, it is not useful as a countermeasure against the NetBIOS NULL session enumeration.

96.

smss.exe Smurf

97.

98.

Snooping

99.

Snow.exe

100.

SQL injection attack

101.

stealth virus

102.

Steganography

103.

Stolen equipment System TCP port 53

104.

105.

106.

TCP SYN scanning

*** is also known as half-open scanning because in this a full TCP connection is never opened. The steps of TCP SYN scanning are as follows: 1. The attacker sends SYN packet to the target port. 2. If the port is open, the attacker receives SYN/ACK message. 3. Now the attacker breaks the connection by sending an RST packet. 4. If the RST packet is received, it indicates that the port is closed. This type of scanning is hard to trace because the attacker never establishes a full 3-way handshake connection and most sites do not create a log of incomplete TCP connections. The EDB database files, STM database files, checkpoint files, and the temporary files are the main concern of a professional Computer Hacking Forensic Investigator while investigating emails that are sent using a Microsoft Exchange server. Microsoft Exchange uses the Microsoft Extensible Storage Engine (ESE).

107.

The EDB database files, STM database files, checkpoint files, and the temporary files The Fluhrer, Mantin, and Shamir (FMS) attack The Forensic Toolkit Imager (FTK Imager) The preattack phase The Simple Mail Transfer Protocol (SMTP)

108.

*** is a particular stream cipher attack, a dedicated form of cryptanalysis for attacking the widely-used stream cipher RC4. The attack allows an attacker to recover the key in an RC4 encrypted stream from a large number of messages in that stream. The *** attack gained popularity in tools such as AirSnort and aircrack, both of which can be used to attack WEP encrypted wireless networks.

109.

*** is a commercial forensic imaging software package distributed by AccessData. FTK Imager supports storage of disk images in EnCase's or SMART's file format, as well as in raw (dd) format. With Isobuster technology built in, FTK Imager Images CD's to an ISO/CUE file combination. This also includes multi and open session CDs. FTK imager acquires physical device images from FAT, NTFS, EXT 2, EXT 3, HFS, and HFS+ file systems. *** is the first step for a penetration tester. The pre-attack phase involves reconnaissance or data gathering. It also includes gathering data from Whois, DNS, and network scanning, which help in mapping a target network and provide valuable information regarding the operating system and applications running on the systems. Penetration testing involves locating the IP block and using domain name Whois to find personnel contact information. *** is a Internet standard for electronic mail (e-mail) transmission across the Internet Protocol (IP) networks. SMTP was first defined in RFC 821, and is a very popular protocol. SMTP is specified for outgoing mail transport and uses TCP port 25. While electronic mail servers and other mail transfer agents use SMTP to send and receive mail messages, user-level client mail applications typically only use SMTP for sending messages to a mail server for relaying. For receiving messages, client applications usually use either the Post Office Protocol (POP) or the Internet Message Access Protocol (IMAP) to access their mail box accounts on a mail server. *** is a route-tracing utility that displays the path an IP packet takes to reach its destination. It uses Internet Control Message Protocol (ICMP) echo packets to display the Fully Qualified Domain Name (FQDN) and the IP address of each gateway along the route to the remote host. Traceroute sends out a packet to the destination computer with the TTL field value of 1. When the first router in the path receives the packet, it decrements the TTL value by 1. 
If the TTL value is zero, it discards the packet and sends a message back to the originating host to inform it that the packet has been discarded. Traceroute records the IP address and DNS name of that router, and sends another packet with a TTL value of 2. This packet goes through the first router, and then times out at the next router in the path. The second router also sends an error message back to the originating host. Now, the process starts once again and traceroute continues to send data packets with incremented TTL values until a packet finally reaches the target host, or until it decides that the host is unreachable. In the whole process, traceroute also records the time taken for a round trip for each packet at each router.

110.

111.

112.

Traceroute

113.

UDP port scanning

In *** , a UDP packet is sent to each port of the target system. If the remote port is closed, the server replies that the remote port is unreachable. If the remote Port is open, no such error is generated. Many firewalls block the TCP port scanning, at that time the UDP port scanning may be useful. Certain IDS and firewalls can detect UDP port scanning easily. The *** is a type of document, which focuses on the requirements for requesting and maintaining an account on computer systems or networks within an organization. This document is very important for large sites where users typically have accounts on many systems. Some sites have users read and sign an Account Policy as part of the account request process. *** stands for virtual private network. It allows users to use the Internet as a secure pipeline to their corporate local area networks (LANs). Remote users can dialin to any local Internet Service Provider (ISP) and initiate a VPN session to connect to their corporate LAN over the Internet. Companies using VPNs significantly reduce long-distance dial-up charges. VPNs also provide remote employees with an inexpensive way of remaining connected to their company's LAN for extended periods. *** is a technique in which the attacker copies the whole structure of a Web site to the local disk and obtains all files of the Web site. Web ripping helps an attacker to trace the loopholes of the Web site. *** are used to determine the IP address ranges associated with clients. A whois query can be run on most UNIX environments. In a Windows environment, the tools such as WsPingPro and Sam Spade can be used to perform whois queries. Whois queries can also be executed over the Web from www.arin.net and www.networksolutions.com. The *** is a hardware forensic tool, which is used to erase data of the hard drives. It can erase data of nine drives simultaneously at speed up to 3GB/min. 
The *** is also used to perform high volume hard drive sanitizing operations using PATA, S-ATA and laptop hard drives by using optional adapters. The *** can erase data of hard drives of different sizes and models in the same operation. It is also provided with an option for formatting the sanitized drives. ***, also known as Wireless Auto Configuration, or WLAN AutoConfig is a wireless connection management utility included with Microsoft Windows XP and later operating systems as a service that dynamically selects a wireless network to connect to based on a user's preferences and various default settings. This can be used instead of, or in the absence of, a wireless network utility from the manufacturer of a computer's wireless networking device. The drivers for the wireless adapter query the NDIS Object IDs and pass the available network names to the service. *** also introduce some security threats, which are as follows: *** will probe for networks that are already connected. This information can be viewed by anyone using a wireless analyzer and can be used to set up fake access points to connect. *** attempts to connect to the wireless network with the strongest signal. Attacker can create fake wireless networks with high-power antennas and cause computers to associate with his access point. *** does not interfere in the configuration of encryption and MAC filtering. *** is an open source sniffing tool that is used for computer network protocol analysis and security auditing. It is capable of intercepting traffic on a network segment, capturing passwords, and conducting man-in-the-middle attacks against a number of common protocols.

114.

User Account Policy

115.

VPN

116.

Web ripping

117.

Whois queries

118.

Wipe MASSter

119.

Wireless Zero Configuration (WZC),

120.

wireshark

S-ar putea să vă placă și