What is the primary purpose for which an attacker would conduct a "port scan"?
To conduct reconnaissance on a potential target
Which of the following is not a primary mode of Snort?
* Sniffer Mode
* Packet Logger Mode
* Network Intrusion Detection Mode
* Notify Mode
Notify Mode
What firewall topology is shown in the following image?
multi-homed or dual-homed firewall
What social engineering method compromises a website that is appealing to, or frequently visited by, the intended victims?
Watering hole attack
ALL QUESTIONS IN THIS CATEGORY ARE A RACE. FIRST TEAM TO FIND THE ANSWER GETS THE POINTS!!!
In your Practical_Hash_03 directory, which file has the following hash: 63abc18dc32b2b9c7ebcc9cfa9facf5d
300.186.jpeg
In the command `nc -zv 10.1.245.12 265-1278 2>&1 | grep 'succeeded'`, what does 265-1278 represent?
A range of port numbers to scan (265 through 1278, inclusive). `-z` makes nc report whether each port accepts a connection without sending data, and `-v` produces the per-port "succeeded" lines that grep keeps.
What classification is the following scenario?
Returning from HBL, you notice that files have been exfiltrated from your TS government workstation. You look through the logs and see that someone did in fact tunnel into your workstation. When you talk to the SSO, their security alerts show no such activity.
False Negative
For a NOP sled, what detection method would be best to identify the attack?
answer is: ______-based detection method
signature-based detection method
Geolocation privacy falls under which category of mobile tech threats?
Mobile application security threats
Based on your Snort configuration, what ports are associated with the variable SIP_PORTS?
[5060,5061,5600]
When analyzing network traffic, what flags would you see when someone is conducting a "TCP Connect Scan"? LIST ALL STEPS
SYN
SYN/ACK
ACK
RST/ACK
What interface mode would possibly alert you to a device having a packet sniffer?
promiscuous mode
What type of firewall acts as a proxy between a trusted network and an untrusted network?
Application-level gateway (proxy firewall); a web application firewall is a common HTTP-specific example
Which web-based mobile security threat automatically downloads an application when a user visits a web page? It ranges from requiring user interaction to executing automatically.
Drive-by download
In your Practical_Hash_00 directory, what file matches the following hash:
407b9dacef6cb90c81797d0842c3290cdcd941207ed05c893d10dc53a4720904
200.129.jpeg
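The two hash-matching questions above are the same task: work out which digest algorithm the hash is from (an MD5 digest is 32 hex characters, a SHA-256 digest is 64) and hash every file in the directory until one matches. The following is an added example written for this page, not code from the original quiz; the directory names and file contents are constructed, and only the in-memory search is exercised by the test so it runs without the Practical_Hash directories.

```python
"""Find which file in a directory produces a given digest.

Added example, not from the original page. The algorithm is inferred from the
digest length (32 hex chars = MD5, 40 = SHA-1, 64 = SHA-256). SAMPLE_FILES
is a constructed stand-in for a directory so the search can run in memory.
"""
import hashlib
import os

DIGEST_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}


def algorithm_for_digest(hexdigest):
    """Pick the hash algorithm from the digest's length; reject unknown sizes."""
    try:
        return DIGEST_LENGTHS[len(hexdigest)]
    except KeyError:
        raise ValueError("unrecognised digest length %d" % len(hexdigest))


def hash_bytes(data, algorithm):
    return hashlib.new(algorithm, data).hexdigest()


def hash_file(path, algorithm, chunk_size=1 << 20):
    """Hash a file in chunks so large images do not have to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def find_matching_file(directory, hexdigest):
    """Return the first file under directory whose digest equals hexdigest."""
    wanted = hexdigest.lower()
    algorithm = algorithm_for_digest(wanted)
    for root, _, names in os.walk(directory):
        for name in sorted(names):
            path = os.path.join(root, name)
            if hash_file(path, algorithm) == wanted:
                return os.path.relpath(path, directory)
    return None


def find_in_mapping(files, hexdigest):
    """Same search over an in-memory {name: bytes} mapping (no disk needed)."""
    wanted = hexdigest.lower()
    algorithm = algorithm_for_digest(wanted)
    for name, data in files.items():
        if hash_bytes(data, algorithm) == wanted:
            return name
    return None


# Constructed sample "directory": names and contents are made up for this
# example and are not the files from the Practical_Hash directories.
SAMPLE_FILES = {
    "100.001.jpeg": b"abc",
    "200.129.jpeg": b"hello world",
    "300.186.jpeg": b"",
}

if __name__ == "__main__":
    # Usage against a real directory: find_matching_file("Practical_Hash_03", "<hex>")
    print(find_in_mapping(SAMPLE_FILES, "900150983cd24fb0d6963f7d28e17f72"))
```

Lower-casing the wanted digest matters in practice: digests copied from a question sheet or a report are sometimes upper-case, and a byte-exact comparison would silently miss the file.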
RACE TO SEE WHICH TEAM CAN FIND THE ANSWER FIRST!!!!!
In your "hostdiscovery.pcap" file, what IP address is doing the scanning?
192.168.65.20
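The two traffic-analysis questions above (the flag sequence of a TCP connect scan, and picking the scanning host out of a capture) can be answered by the same piece of logic: group packets into flows, look at the flag sequence of each flow, and count which source keeps producing scan-shaped flows. The following is an added example written for this page, not code from the original quiz or from any packet-analysis tool; the packet records are constructed by hand to stand in for a capture like hostdiscovery.pcap, and the addresses and ports are made up.

```python
"""Classify TCP flag sequences and find the scanning host.

Added example, not part of the original quiz. SAMPLE_PACKETS is a constructed
stand-in for a pcap; in practice the records would come from a capture parser.
"""
from collections import Counter, defaultdict

# Each record is (src_ip, src_port, dst_ip, dst_port, flags), with flags written
# the way a packet analyzer displays them.
SAMPLE_PACKETS = [
    # Full TCP connect scan from .20 against port 22 on .30: three-way
    # handshake completes, then the connection is torn down.
    ("192.168.65.20", 40001, "192.168.65.30", 22, "SYN"),
    ("192.168.65.30", 22, "192.168.65.20", 40001, "SYN/ACK"),
    ("192.168.65.20", 40001, "192.168.65.30", 22, "ACK"),
    ("192.168.65.20", 40001, "192.168.65.30", 22, "RST/ACK"),
    # Half-open (SYN) scan from the same host: no final ACK, just a reset.
    ("192.168.65.20", 40002, "192.168.65.31", 80, "SYN"),
    ("192.168.65.31", 80, "192.168.65.20", 40002, "SYN/ACK"),
    ("192.168.65.20", 40002, "192.168.65.31", 80, "RST"),
    # Probe of a closed port: the target answers RST/ACK straight away.
    ("192.168.65.20", 40003, "192.168.65.31", 23, "SYN"),
    ("192.168.65.31", 23, "192.168.65.20", 40003, "RST/ACK"),
    # A normal client on .40 completes a handshake and keeps the connection.
    ("192.168.65.40", 50000, "192.168.65.30", 443, "SYN"),
    ("192.168.65.30", 443, "192.168.65.40", 50000, "SYN/ACK"),
    ("192.168.65.40", 50000, "192.168.65.30", 443, "ACK"),
]


def group_flows(packets):
    """Group both directions of a conversation under the initiator's 4-tuple."""
    flows = defaultdict(list)
    for src, sport, dst, dport, flags in packets:
        key = (src, sport, dst, dport)
        reverse = (dst, dport, src, sport)
        if reverse in flows:          # a reply: file it under the initiating SYN
            key = reverse
        flows[key].append(flags)
    return flows


def classify_flow(flag_sequence):
    """Name the pattern; the sequence is direction-agnostic (see group_flows)."""
    seq = list(flag_sequence)
    if seq in (["SYN", "SYN/ACK", "ACK", "RST/ACK"], ["SYN", "SYN/ACK", "ACK", "RST"]):
        return "connect-scan"
    if seq == ["SYN", "SYN/ACK", "RST"]:
        return "syn-scan"
    if seq == ["SYN", "RST/ACK"]:
        return "closed-port"
    if seq[:3] == ["SYN", "SYN/ACK", "ACK"]:
        return "normal-connection"
    return "other"


def scan_summary(packets):
    """Per-source count of flows by class, the view you want when hunting a scanner."""
    summary = defaultdict(Counter)
    for (src, _, _, _), flags in group_flows(packets).items():
        summary[src][classify_flow(flags)] += 1
    return {src: dict(counts) for src, counts in summary.items()}


def find_scanner(packets, min_probes=2):
    """Return the source with the most scan-shaped flows, or None below the threshold."""
    probes = Counter()
    for src, counts in scan_summary(packets).items():
        probes[src] = sum(counts.get(k, 0) for k in ("connect-scan", "syn-scan", "closed-port"))
    if not probes:
        return None
    ip, count = probes.most_common(1)[0]
    return ip if count >= min_probes else None


if __name__ == "__main__":
    print(scan_summary(SAMPLE_PACKETS))
    print("scanner:", find_scanner(SAMPLE_PACKETS))
```

The point of the threshold is that a single closed-port probe is ordinary noise (a mistyped port, a service that has not started), whereas one source that keeps producing scan-shaped flows against many ports or hosts is what a host-discovery capture looks like.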
RACE TO SEE WHICH TEAM FINISHES FIRST
Create a Snort rule that logs when an IP from the 27.100.0.0 network with subnet mask 255.255.255.0 makes a TCP connection to 112.168.100.150 on the Doom port (666). The rule should display "Doom Guy has landed". This is the seventh revision of the rule, with the unique ID 2000028.
log tcp 27.100.0.0/24 any -> 112.168.100.150 666 (msg:"Doom Guy has landed"; sid:2000028; rev:7;)
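A quick way to check a rule like the one above against what the question asked for is to parse its header and options and then test a few packet 4-tuples against it. The following is an added example written for this page, not Snort's own code: it handles only the single-line rule form used here (action, protocol, source, source port, direction, destination, destination port, then options in parentheses), does not evaluate payload options such as `content`, and assumes option values contain no escaped semicolons.

```python
"""Parse a single-line Snort rule and test packets against its header.

Added example, not Snort's own parser. Supports the classic header form
(action proto src sport -> dst dport (options)) with 'any', CIDR and '!'
negation for addresses, and single ports or lo:hi ranges for ports.
"""
import ipaddress
import re

RULE = ('log tcp 27.100.0.0/24 any -> 112.168.100.150 666 '
        '(msg:"Doom Guy has landed"; sid:2000028; rev:7;)')

HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')


def parse_rule(rule):
    """Return the header fields plus an 'options' dict (msg, sid, rev, ...)."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a single-line Snort rule: %r" % rule)
    fields = m.groupdict()
    options = {}
    # Options are 'key:value;' pairs; msg values are quoted, so strip the quotes.
    for item in fields.pop("opts").split(";"):
        item = item.strip()
        if not item:
            continue
        key, _, value = item.partition(":")
        options[key.strip()] = value.strip().strip('"')
    fields["options"] = options
    return fields


def _port_matches(spec, port):
    if spec == "any":
        return True
    if ":" in spec:                      # Snort range syntax lo:hi, either side optional
        lo, _, hi = spec.partition(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def _addr_matches(spec, ip):
    if spec == "any":
        return True
    negate = spec.startswith("!")
    network = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in network) != negate


def rule_matches(parsed, src_ip, src_port, dst_ip, dst_port):
    """True if a packet's 4-tuple falls inside the rule header (payload ignored)."""
    return (_addr_matches(parsed["src"], src_ip)
            and _port_matches(parsed["sport"], src_port)
            and _addr_matches(parsed["dst"], dst_ip)
            and _port_matches(parsed["dport"], dst_port))


if __name__ == "__main__":
    parsed = parse_rule(RULE)
    print(parsed["action"], parsed["src"], "->", parsed["dst"], parsed["dport"], parsed["options"])
    print(rule_matches(parsed, "27.100.0.77", 51234, "112.168.100.150", 666))
```

Two checks worth running on any hand-written rule: that the destination address in the rule is the one the requirement named (a transposed octet passes Snort's syntax check and simply never fires), and that the `sid` is in a range reserved for local rules (Snort reserves 1,000,000 and above for local use; the 2000028 required by the question is what the quiz asked for, not a recommendation).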
Name one kind of "user-specific change" you might observe when performing malware discovery.
Personal Files (Home Dir)
Common Applications
Wallpaper
AutoStarts
Your CAC was stolen (that's what you told 1SG anyway... but you actually lost it when you went and got a motto tat). List at least 3 pieces of information that your CAC contains.
Public Key Infrastructure (PKI) - certificates that enable cardholders to "sign" documents digitally, encrypt and decrypt emails, and establish secure online network connections.
Two digital fingerprints
Digital photo
Personal Identity Verification (PIV) certificate
Organizational Affiliation
Agency
Department
Expiration Date
Which rules file that ships with Snort contains the rule with SID 2655?
misc.rules
RACE TO SEE WHICH TEAM CAN FIND THE ANSWER FIRST!!!
What is the first operating system and version listed under "aggressive OS guesses" when you scan "scanme.nmap.org"?
Linux 2.6.32
What is the PROPER NAME of the utility that sends a small packet to a particular IP address? The packet contains 32 data bytes and 8 bytes of protocol header information.
Packet InterNet Groper (ping)
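The "32 data bytes plus 8 bytes of header" in the question is the ICMP echo request that ping builds: an 8-byte ICMP header (type, code, checksum, identifier, sequence number) followed by the payload, which on Windows defaults to 32 bytes. The following is an added example written for this page, not ping's own source code; it builds and checksums that packet with the standard Internet checksum and does not put it on the wire (sending raw ICMP needs privileges and a network, so the packet is only constructed and parsed here).

```python
"""Build and verify an ICMP echo request the way ping does.

Added example, not ping's source. Produces the 8-byte ICMP header plus a
32-byte payload, so the ICMP packet is 40 bytes as described on the page.
"""
import struct

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0
# The 32-byte payload Windows ping sends by default: a-w, then a-i again.
DEFAULT_PAYLOAD = bytes(0x61 + i % 23 for i in range(32))


def internet_checksum(data):
    """RFC 1071 checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(identifier, sequence, payload=DEFAULT_PAYLOAD):
    """Return the ICMP header + payload with the checksum filled in."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, identifier, sequence)
    checksum = internet_checksum(header + payload)   # computed with the field zeroed
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, checksum, identifier, sequence)
    return header + payload


def parse_icmp(packet):
    """Split an ICMP packet into its header fields and payload."""
    icmp_type, code, checksum, identifier, sequence = struct.unpack("!BBHHH", packet[:8])
    return {"type": icmp_type, "code": code, "checksum": checksum,
            "id": identifier, "seq": sequence, "payload": packet[8:]}


def checksum_ok(packet):
    """A packet whose checksum field is correct sums to zero under the same rule."""
    return internet_checksum(packet) == 0


if __name__ == "__main__":
    pkt = build_echo_request(0x1234, 1)
    print(len(pkt), "bytes, checksum ok:", checksum_ok(pkt))
    print(parse_icmp(pkt))
```

A reply to this request comes back with type 0 and the same identifier, sequence number and payload; matching on the identifier is how ping tells its own replies apart from another process's, which is also why an analyst looking at a capture can pair requests with replies by (id, seq).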
What are the four main components of an IDS?
1. Database (Rules)
2. Database (configuration)
3. Detection Engine (sensor)
4. Decision Engine
Name all general categories of hacker types and expertise levels.
Black hat, white hat, grey hat, hacktivist
Script kiddie, hacker, elite hacker
Create a non-verbose nmap scan that scans the 198.216.0.0/16 network for version information on the SSH, DNS, POP3 and RDP services.
nmap -sV 198.216.0.0/16 -p 22,53,110,3389