Index

A

A (host address) resource records

destination domains, 449

DNSSEC, 138–139

e-mail, 455

FQDNs, 308

AAAA resource records

e-mail, 455

FQDNs, 308–309

access control lists (ACLs) on routers

extended, 214–217

standard, 207–214

traffic filtering, 186

access-list commands, 209–211, 213–215

access-list deny command, 210–211, 214

access-list deny host command, 210

access-list deny tcp command, 216–217

access-list permit command, 211

access-list permit any command, 211, 213–214

access-list permit ip any any command, 216–217

Account Operators group, 323

account policies, finding examples of, 72

ACK (acknowledgement) flag

connect scans, 403–404

connection termination, 406–408, 411–413

open ports, 400–402, 438

Scapy, 440, 442

TCP connections, 397–398

ACLs (access control lists) on routers

extended, 214–217

standard, 207–214

traffic filtering, 186

ACM (Association for Computing Machinery) ethics, 597–600

actions in Event Viewer, 314

Active Directory (AD)

filters, 333–334

forests, 306–307

groups, 325–326

namespaces, 305–306

objects, 304–305, 327–334

organizational units and groups, 317–326

Recycle Bin, 333

Active Directory Domain Services (AD DS)

connectivity, 308–317

installing, 312–313

Active Directory Users and Computers, 329–331

AD. See Active Directory (AD)

AD DS (Active Directory Domain Services)

connectivity, 308–317

installing, 312–313

Adaptive Security Appliance (ASA), 208

addgroup command, 53

Address Resolution Protocol (ARP)

cache, 555

flooding, 180, 290

adduser command, 35–36

Adleman, Leonard, 104

administrative commands in Meterpreter, 557–558

administrative distance in routers, 192

Administrators group, 329

Advanced Encryption Standard (AES), 99–102

advanced Google searches, 624–629

Advanced IP Scanner, 259–260

Advanced Persistent Threats (APTs), 541

advapi32.dll file, 363

AES (Advanced Encryption Standard), 99–102

AGDLP role-based access controls, 326

AGUDLP role-based access controls, 326

aireplay command, 268

Akamai Real-Time Web Attack Monitor, 7

alerts

IDSs and IPSs, 278

Snort, 289–292, 294–297, 298–300

unauthorized devices, 203, 205

algorithms, cryptographic, 97–98

aliases, 63–64

allocation units in drives, 578–579

AllSigned execution policy option, 517

Amazon Web Services (AWS)

exploring, 479–484

training and certification, 476–479

American Registry of Internet Numbers (ARIN), 138

anomaly-based IDSs and IPSs, 279

antivirus tools, 376–379

anycast addressing, 135

ApateDNS tool, 384–389

APIPA (Automatic Private IP Addressing) addresses, 310

Apple Inc. vs. FBI, 119

applications in Event Viewer, 314

applied cryptography

Apple vs. FBI, 119

Assistance and Access Bill, 120–121

e-mail, 123–130

key term quiz, 131

lab analysis, 131

overview, 118

“To Serve Man” episode, 122

APTs (Advanced Persistent Threats), 541

arguments in Zsh, 25

ARIN (American Registry of Internet Numbers), 138

Armitage GUI, 560–561

ARP (Address Resolution Protocol)

cache, 555

flooding, 180, 290

arp command, 555

Art of War, The, 2

artifacts in malware, 379–382

ASA (Adaptive Security Appliance), 208

ASNs (autonomous system numbers), 186

Assistance and Access Bill, 120–121

Association for Computing Machinery (ACM) ethics, 597–600

asymmetric key encryption, 103–105

attachments in phishing attacks, 81

attacks

malware. See malware

overview, 358–362

attributes

Active Directory objects, 304–306

GPOs, 342

permissions, 334–335

Australia, Assistance and Access Bill in, 120–121

authentication

brute force password attacks, 233–238

cryptography, 96

dictionary password attacks, 226–233

DKIM, 458–461

key term quiz, 251

lab analysis, 250–251

overview, 222–225

Windows password attacks, 238–243

authoritative transfer (AXFR), 147, 149

autocompletion of IOS commands, 184–185

Automatic Private IP Addressing (APIPA) addresses, 310

autonomous system numbers (ASNs), 186

autonomous systems, 186

Autopsy tool, 587–592

availability

CIA triad, 20

cryptography, 96

privacy, 612

AWS (Amazon Web Services)

exploring, 479–484

training and certification, 476–479

AWS Educate, 476–479

AXFR (authoritative transfer), 147, 149

Azure Marketplace, 474–475

B

backbone routers, 186

background command, 557

BadRabbit ransomware attacks, 239

banner information, 614

baselines

description, 304

IDSs and IPSs, 279

Bash (Bourne-again shell), 24

basic service set identifiers (BSSIDs), 257

Berkeley Internet Name Domain (BIND) DNS servers, 148

BGP (Border Gateway Protocol), 135, 187

binaries, embedding, 372–376

BIND (Berkeley Internet Name Domain) DNS servers, 148

bind shells, 420

bitstream images in forensics, 586–587

black hat hackers, 540

black swan events, 531

block ciphers, 99

Boolean logic, 100–101

booting switches, 174

bootloaders, 165–166

Border Gateway Protocol (BGP), 135, 187

Bourne-again shell (Bash), 24

BPAs (business partnership agreements), 76

breaches

DBIR, 20, 222

e-mail, 123, 223

PII, 488

plaintext passwords, 150

privacy, 612

SQL injection, 497

broad network access in cloud computing, 466

brute force password attacks, 224, 233–238

BSSIDs (basic service set identifiers), 257

Build a solution section in AWS, 481–482

Builtin Administrators group, 329

business continuity plans (BCPs)

definition, 530

key term quiz, 536

lab analysis, 535

purpose, 531

webinars, 532

business partnership agreements (BPAs), 76

Bypass execution policy option, 517

C

C language for malware, 362

C++ language for malware, 362

cables for routers, 188–189

cache poisoning in DNS, 136

call operator (&) in PowerShell scripts, 525–526

CAM (content addressable memory) tables, 180, 202–203

cameras, discovering, 620–623

capturing keystrokes, 553–554

care standard in ethics, 596

case-sensitivity in Linux, 25

casino hacking, 614

cat command, 32

CC (Creative Commons) licenses, 605–606

cd command

Meterpreter, 556

Zsh, 26–27

Cerf, Vint, 400

certificate authorities (CAs) in TLS, 159

certificates

e-mail cryptography, 125

TLS, 158–160

certifications

Amazon Web Services, 476–479

importance, 4–5

CFAA (Computer Fraud and Abuse Act)

Insecam, 621

port scanning, 395–396

Shodan, 616

chains in rainbow table attacks, 244–246

change management

components, 530

COVID-19 effects, 534–535

key term quiz, 536

lab analysis, 536

policy examples, 71

Change permissions, 336

chat servers, creating, 421–424

Check Point ThreatCloud Live Cyber Threat Map, 6–7

Cherokee County Georgia Emergency 911 System, 395–396

chgrp command, 51–52

child domains in Active Directory, 305–306

China, great firewall in, 137

chmod command

file mode, 40

permissions, 41, 43–48

chown command, 52–53

CIA triad, 20–21

ciphers, 97, 99–103

ciphertext, 98

CIRTs (computer incident response teams), 538

Cisco

IOS commands, 184–185

Packet Tracer, 181–185

router password recovery, 168–172

switch password recovery, 172–174

classification.config file, 293

classtype option in Snort rules, 295

clear command, 58

clear access-list counters command, 213

clearev command, 557–558

clients, deauthenticating, 266–272

CLIs (command line interfaces), 23

cloud computing

Amazon Web Services, exploring, 479–484

Amazon Web Services, training and certification, 476–479

characteristics, 466–467

deployment models, 468–469

key term quiz, 485

lab analysis, 485

Microsoft Azure, exploring, 471–475

Microsoft Azure, training, 469–471

service models, 467–468

Cloud Computing 101, 477–479

cloud storage of evidence, 566–567

clusters on drives, 579

cmdlets, 517

Code of Ethics in ACM, 597–600

code pages, 363

Cofense study, 82

collision attacks in hashing, 106–107

color images for steganography, 581–586

command line interfaces (CLIs), 23

commands

IOS, 184–185

Meterpreter, 552–558

Zsh, 24

comments in SQL injection, 506–508

Common Vulnerabilities and Exposures (CVE) system, 543

communications

NICs, 392–393

sockets, 419–427

community clouds, 468

Complete Guide to Shodan, 615, 618

complex passwords, 224–225

compressed (packed) malware, 370–372

Computer Configuration for GPOs, 343

computer forensics. See forensics

Computer Fraud and Abuse Act (CFAA)

Insecam, 621

port scanning, 395–396

Shodan, 616

computer incident response teams (CIRTs), 538

computer objects in organizational units, 321

Computer Security Resource Center (CSRC) glossary

incident definition, 538

risk definition, 514

CONCAT() function, 509–510

concatenating

database columns, 509–510

files, 32–33

confidentiality

CIA triad, 20

cryptography, 96

privacy, 612

config-register command, 172

configure terminal command

global configuration mode, 170, 172, 189

passwords, 196–197

conflicts, ethical, 596

confreg command, 171

congruent symbol, 114

connect scans, 403–405

connectivity for Active Directory Domain Services, 308–317

contact information in organizational units, 325

content addressable memory (CAM) tables, 180, 202–203

contiguous namespaces in Active Directory, 305

contingency plans, 530

continuity of operations plans (COOPs), 530

Control Panel for GPOs, 344–346

Copy-Item cmdlet, 525

copy running-config startup-config command, 170, 199, 206

copy startup-config running-config command, 172

copying files, 28–29

copyright issues, 603–605

Copyright Term Extension Act, 604–605

costs in forensics, 565

COVID-19 pandemic effects

business continuity plans, 531–532

change management, 534–535

disaster recovery plans, 532–533

cp command, 28–29

Creative Commons (CC) licenses, 605–606

credential policies, finding examples of, 72

credentials, obtaining in fake sites, 87–88

crossover cable for routers, 188

crunch program, 233–238

cryptanalysis, 96–97

crypto key generate rsa command, 198

cryptography

applied. See applied cryptography

asymmetric key encryption, 103–105

Diffie-Hellman key exchange, 112–114

hashing, 106–112

key term quiz, 115

lab analysis, 115

overview, 96–97

symmetric key encryption, 99–103

cryptology

description, 97

TLS, 156–160

CSRC (Computer Security Resource Center) glossary

incident definition, 538

risk definition, 514

current directory in Zsh, 25–27

CURRENT_USER() function, 508

CurrentUser object in execution policies, 519–520

customized payloads in hping3, 428–433

CVE (Common Vulnerabilities and Exposures) system, 543

cyber threat maps, 5–8

cybercrimes, 564

cybersecurity survey, 8–10

D

daemons, 24, 393

Damn Vulnerable Web App (DVWA), 489–497

downloading, 492

incorporating, 493

login, 495–496

SQL injection, 502

data as evidence, 565

Data Breach Investigations Report (DBIR), 20–22, 222

Data Encryption Standard (DES), 99

data policies, finding examples of, 72

databases

Active Directory, 305

creating, 493–496

exploits, 545–547

Google Hacking Database, 625–626

passwords, 106, 109–110, 223–227

queries, 499–502

registry, 567

sandboxes, 360

signatures, 279

SQL injection, 497–510

DBIR (Data Breach Investigations Report), 20–22, 222

DCIM (Digital Camera IMages), searching for, 627–629

DCode, 568–570

deauthenticating clients, 266–272

debuggers for malware, 361

decrypting packets, 268–269, 271–272

Default Domain Policy for GPOs, 343

Default execution policy option, 517

default routes, 185–186, 193

default values, 65–66

Defender Antivirus, 239

del command, 556

delegation in organizational units, 317–318, 322–324

delegation signer (DS) resource records, 141–144

deleted files, recovering, 586–589

deleting

directories, 31

files, 31

groups, 56

users, 56, 333

users from groups, 55

delgroup command, 56

deluser command, 56

denial of service (DoS) attacks

inline IPSs, 277

on-demand signing vulnerability, 155

port scanning, 396

SQL injection, 497

deny statement, 209–211, 213, 215

deny any statement, 208, 210–211

Deny permissions, 335, 351

deny tcp statement, 216–217

deployment models in cloud computing, 468–469

DES (Data Encryption Standard), 99

DESCRIBE command, 498–499

destination IP addresses, 208

destination ports

hping3, 429, 434

network communications, 394

detection engine in Snort, 291

Deteque Botnet Threat Map, 7

device detection in wireless networks, 256–260

Device Manager, 168–169

Device Parameter key in Registry, 576

DHCP. See Dynamic Host Configuration Protocol (DHCP)

dictionary (dict) files in WPA2, 269

dictionary password attacks, 224, 226–233

Diffie, Whitfield, 112

Diffie-Hellman key exchange (DHKE)

asymmetric cryptography, 112–114

passwords, 198

dig tool

DNS, 137–147

DNSSEC, 148–155

Digital Attack Map, 7

Digital Camera IMages (DCIM), searching for, 627–629

digital certificates

e-mail cryptography, 125

TLS, 158–160

digital forensics. See forensics

digital signatures. See signatures

dir command, 556

dir_flash command, 174

directories

changing, 26–27

creating, 26–27

current, 25–27

deleting, 31

listing, 26, 57–58

Meterpreter commands, 556

permissions, 39–47

renaming, 29–30

with special characters, 57

directory services in Event Viewer, 314

disable command, 196

Disabled setting for GPOs, 344

disabling users, 331–332

disassemblers for malware, 361

disaster recovery plans (DRPs)

COVID-19 effects, 532–533

definition, 530

key term quiz, 536

lab analysis, 535

webcast, 533

disjointed namespaces in Active Directory, 305–306

display() function in Scapy, 440

distributed denial-of-service (DDoS) attacks, 96, 526, 555

distribution groups in Active Directory, 325–326

DKIM (DomainKeys Identified Mail), 454, 458–461

DLL (dynamic link library) files for strings, 362–363

DMARC (Domain-based Message Authentication, Reporting and Conformance), 454, 461–463

DNS. See Domain Name System (DNS)

DNSKEY resource records, 139–145

DNSSEC protocol

for exploiting, 147–155

for security, 134–147

documentation, training, 73–74

Domain Admins group, 329

Domain-based Message Authentication, Reporting and Conformance (DMARC), 454, 461–463

domain controllers (DCs)

Active Directory, 305–308

organizational units, 319

promoting machines to, 313

domain local groups in Active Directory, 325–326

Domain Name System (DNS)

ApateDNS spoofing, 384–389

authoritative servers, 148–149

DNSSEC, 137–147

e-mail, 449

events, 314

for member servers, 308

port scanning, 414

resource records, 137, 139–142, 149–155

servers, 310

TTL field, 136

URLs, 134–136

DomainKeys Identified Mail (DKIM), 454, 458–461

domains

Active Directory, 305–307

connectivity, 308–317

joining, 315–316

organizational units and groups, 317–326

SPF, 456

users, 327–334

dorking, Google, 624–629

DoS attacks. See denial of service (DoS) attacks

dotted decimal notation for wildcard masks, 210

DownloadFile function, 522, 525

DownloadString function, 524–525

drop rules in Snort, 294

DS (delegation signer) resource records, 141–144

dsniff tools, 202

due diligence in forensics, 566

dumpster diving, 89

DVWA. See Damn Vulnerable Web App (DVWA)

Dynamic Host Configuration Protocol (DHCP)

IP addresses, 310–311

for member servers, 308

port scanning, 414, 416–417

registry keys, 571

dynamic link library (DLL) files for strings, 362–363

dynamic malware analysis, 358–361

dynamic ports, 394

dynamic routing protocols for load balancing, 194

E

e-mail

cryptography, 123–130

DKIM, 458–461

DMARC, 461–463

ethics scenario, 602

headers, 448–452

key term quiz, 464

lab analysis, 463

Maltego tool, 91–93

phishing attacks, 80–81

spam, 453–463

SPF, 455–458

EAPoL (Extensible Authentication Protocol over LAN), 266–267, 272

EAS (Exchange ActiveSync), 449

echo command

Meterpreter, 556

Zsh, 32–33

echo requests in Scapy, 436–437

edge routers, 193

edit mode in vim editor, 37–38

editing Registry, 567

EGP (Exterior Gateway Protocol), 187

802.1X, 266–267

EIGRP (Enhanced Interior Gateway Routing Protocol), 187

elasticity in cloud computing, 467

embedded binaries, 372–376

emergency patches for WannaCry ransomware, 542

enable command

Cisco routers, 170–172

passwords, 196

Enabled setting for GPOs, 344

encryption keys for passwords, 198

end devices

description, 178

Packet Tracer, 182–183

end-of-service-life (EOSL) agreements, 76

Enhanced Interior Gateway Routing Protocol (EIGRP), 187

enterprise mode in WPA2, 266

EOSL (end-of-service-life) agreements, 76

Equation Group, 541

/etc/passwd file, 111, 228–229

/etc/shadow file, 61, 111, 223, 228–229

/etc/sudoers file, 62–65

EternalBlue tool

Mimikatz tool, 239

WannaCry exploit, 548

zero-day exploit, 541

ethics

ACM, 597–600

key term quiz, 609

lab analysis, 608–609

overview, 596

scenarios, 602–603

USENIX, 600–601

European Union (EU) GDPR, 488

Event Viewer, 314

events in Process Monitor, 382–384

evidence

cloud storage, 566–567

description, 564–565

RAM and hard drives, 578–581

Registry, 567–578

types, 565

Exchange ActiveSync (EAS), 449

Exchangeable Image File Format (EXIF) metadata, 591

exculpating evidence, 564

EXEC mode

passwords, 196

routers, 170–171, 189–192

switches, 183–184

execute permissions, 39–46

execution policy in PowerShell, 517–520, 522–523

EXIF (Exchangeable Image File Format) metadata, 591

exit command

Cisco routers, 170

superusers, 37

expert witnesses, 564

Exploit Database, 625

exploits

configuring, 548–549

definition, 540

description, 543–544

DNSSEC, 147–155

Metasploit, 548–549

phishing, 550

extended ACLs, 207–208, 214–217

Extensible Authentication Protocol over LAN (EAPoL), 266–267, 272

Exterior Gateway Protocol (EGP), 187

external zone transfers, 147–149

F

fair use doctrine, 605

fake sites, malicious links to, 86–88

Federal Bureau of Investigation (FBI) vs. Apple Inc., 119

Federal Wiretap Act, 254

file transfer protocol (FTP), 134, 393, 440

fileless malware, 515–516, 520–527

files

concatenating, 32–33

copying, 28–29

creating, 28

deleting, 31

displaying, 59

finding, 58

GPTs, 342

hiding, 581–586

integrity, 109–110

Meterpreter commands, 556

owners, 51–53

permissions, 39–50, 334–335

recovering, 586–589

Registry, 572–574

renaming, 29–31

signatures, 588–591

sorting, 34

text in, 32

transfers, 424

Zsh filenames, 25

filters

ACLs, 208

Active Directory, 333–334

Event Viewer, 314

ports, 395

Process Monitor, 384

Wireshark, 265–266

FIN flag, 399

FIN scans, 405–413

find command, 58

finding files, 58

FireEye Cyber Threat Map, 6

firewalls

bind shells, 420

limitations, 276–277

ports, 395

rules, 309

flash_init command, 173

flaws, ethics scenario for, 603

floods

multicasts, 180

Scapy, 442–444

folders

GPTs, 342

permissions, 335

sharing, 335–341

forensics

2009-M57-Patents scenario, 591–592

file recovery, 588

file signatures, 588–591

imaging, 586–587

key term quiz, 593

lab analysis, 592

overview, 564–567

RAM and hard drives, 578–581

Registry, 567–578

steganography, 581–586

forests in Active Directory, 306–307

FQDNs. See fully qualified domain names (FQDNs)

fraud in forensics, 565

Free Software Foundation (FSF), 606–608

FTP (file transfer protocol), 134, 393, 440

Full control permissions, 335–336

full zones, 147

fully qualified domain names (FQDNs)

ApateDNS, 384–389

dots in, 137

e-mail, 455

MX records, 449

parts, 134

SRV records, 308

strings, 363

switches, 198

G

gaming, ethics scenario for, 603

Garfinkel, Simson L., 256

gdi32.dll file, 363

gedit text editor, 292–293

General Data Protection Regulation (GDPR), 488

General Electric Comprehensive Operating System (GECOS), 111

Get-Content cmdlet, 526

Get-ExecutionPolicy cmdlet, 517, 520

Get-Process cmdlet, 525

Get-Service cmdlet, 524

GHDB (Google Hacking Database), 626, 628

gid option in Snort rules, 295

GIDs (Group IDs), 111

GLBA (Gramm–Leach–Bliley Act), 488

global catalog in Active Directory, 306–307

global configuration mode

passwords, 198

routers, 189, 191–193

switches, 184

global groups in Active Directory, 325–326

Global System for Mobile Communications (GSM) standard, 99

globally unique identifiers (GUIDs), 342

GNU GRUB 2 (GNU GRand Unified Bootloader version 2), 165–166

GNU operating system, 606–608

GNU Privacy Guard (GPG), 123

Goldman, David, 255

Google

hacking, 624–629

Street View cars, 254–256

Google Hacking Database (GHDB), 626, 628

Google Project Zero, 543

GPCs (Group Policy containers), 342

GPG (GNU Privacy Guard), 123

GPMC. See Group Policy Management Console (GPMC)

GPME (Group Policy Management Editor), 343–344, 346–348

GPOs. See Group Policy Objects (GPOs)

GPTs (Group Policy templates), 342

gpupdate command, 345–346, 348, 350

Gramm–Leach–Bliley Act (GLBA), 488

graphical user interfaces (GUIs)

Armitage, 560–561

description, 23

Meterpreter, 558–560

great firewall of China, 137

grep command

filters, 41

groups, 54

Group IDs (GIDs), 111

Group Policy containers (GPCs), 342

Group Policy Management Console (GPMC)

Control Panel, 344

Default Domain Policy, 343

logon warnings, 346–347

users, 353

Group Policy Management Editor (GPME), 343–344, 346–348

Group Policy Objects (GPOs)

Control Panel, 344–346

creating, 347–348

Default Domain Policy, 343

in execution policies, 519

Internet access, 348–349

logon warnings, 346–347

mapping network drives to shared folders, 349–351

network shares, 353–354

organizational units, 317–318

overview, 342–343

shared folders, 351–353

Group Policy templates (GPTs), 342

groupadd command, 53

groupdel command, 56

groups

Active Directory, 325–326

adding users to, 328–329

changing, 51–52, 54

creating, 53–54

deleting, 56

deleting users from, 55

displaying, 55

domains, 317–326

organizational units, 318, 323

permissions, 39, 336

groups command, 54–55

GSM (Global System for Mobile Communications) standard, 99

GUIDs (globally unique identifiers), 342

GUIs (graphical user interfaces)

Armitage, 560–561

description, 23

Meterpreter, 558–560

H

Halifax Chamber of Commerce webinar, 535

handshakes

TCP, 134, 397–400

WPA2, 266–267, 269–270

hard drives

evidence, 578–581

read/write mode, 166–167

hashes and hashing

asymmetric key encryption, 104

characteristics, 106

dictionary password attacks, 226

DKIM, 459

file integrity, 109–110

one-way functions, 108–109

passwords, 110–111, 199, 223–224

rainbow table attacks, 243–247

SHAttered attack, 106–107

TLS, 159

head command, 59

headers

e-mail, 448–452

IP addresses, 135–136

TCP, 397–398

Health Insurance Portability and Accountability Act (HIPAA), 488

Hellman, Martin, 112

hidden files, 57

Hide’N’Send tool, 583–586

hiding files, 581–586

HIDS (host-based IDS), 278–279

HIPS (host-based IPS), 278–279

Hirschfeld, Scott, 616

Home Depot attack, 332

home directory, 43

passwd file, 111

Zsh, 24

honeypots, 5

horizontal organizational units, 317

hospitals, attack on, 542

host address resource records. See A (host address) resource records

host-based IDS (HIDS), 278–279

host-based information for evidence, 566

host-based IPS (HIPS), 278–279

host keyword in ACLs, 210

host systems, detecting, 560–561

hostname command

FQDNs, 198

switches, 184

hostnames

renaming, 315

SPF, 456

Houston Astros, password guessed, 222

How To Use Google Forms page, 9

How To Use Google Slides page, 10

hping3 utility

packet crafting, 427–435

traffic sending with customized payloads, 428–431

traffic sending with multiple protocols, 431–433

traffic sending with spoofed items, 433–435

HTTP (hypertext transfer protocol), 134

human resources policies, finding examples of, 72

Hurley, Lawrence, 256

Hutchins, Marcus, 542

HxD tool, 579–581

hybrid clouds, 469

Hydra tool, 223

hypertext transfer protocol (HTTP), 134

hypervisors, 261

I

IaaS (Infrastructure as a Service), 468

IANA (Internet Assigned Numbers Authority), 394

ICANN (Internet Corporation for Assigned Names and Numbers), 153

ICMP. See Internet Control Message Protocol (ICMP)

ICMP Destination Unreachable Port Unreachable message, 414–415

ICMP Port Unreachable message, 414

IDA (Interactive Disassembler), 361

IDG TECHtalk webcast, 533

idletime command, 552, 559

IDSs (intrusion detection systems)

installing, 280–282

overview, 276–280

IETF (Internet Engineering Task Force), 123

ifconfig command, 554

IGP (Interior Gateway Protocol), 187

IM (instant messaging), 448

images

forensics, 586–587

steganography, 581–586

IMAP (Internet Message Access Protocol), 448–449

inbound ACLs, 211–212

incident response

Armitage GUI, 560–561

companies and stories, 538–540

definition, 564

key term quiz, 562

lab analysis, 562

Metasploit exploits, 544–550

Meterpreter, 551–560

overview, 538

policy examples, 73

vulnerability examples, 540–544

incidents, description, 564

incremental transfer (IXFR), 147

inculpating evidence, 564

Infrastructure as a Service (IaaS), 468

infrastructure security, 202

ACLs on routers, extended, 214–217

ACLs on routers, standard, 207–214

key term quiz, 219

lab analysis, 218–219

port security on switches, 202–207

init link, 166

Innovatio IP Ventures, 255

Insecam project, 620–623

installing

AD DS, 312–313

Kali Linux, 11–12

Ubuntu and Snort, 280–282

WampServer, 490–492

Windows 10, 13–14

Windows Server 2019, 15–16

Wireshark, 282

instant messaging (IM), 448

insults setting, 65

integrity

CIA triad, 20

cryptography, 96

files, 109–110

privacy, 612

Interactive Disassembler (IDA), 361

interconnection security agreements (ISAs), 76

interface command for routers, 189

interface vlan command, 197

Interior Gateway Protocol (IGP), 187

Internet Assigned Numbers Authority (IANA), 394

Internet Control Message Protocol (ICMP)

error messages, 185

hping3, 431–433

Scapy echo requests, 436–437

sniffing, 272

Snort, 285

Internet Corporation for Assigned Names and Numbers (ICANN), 153

Internet Engineering Task Force (IETF), 123

Internet Message Access Protocol (IMAP), 448–449

Internet of Things (IoT), discovering, 613–616

Internet vs. World Wide Web, 613

Internetworking Operating System (IOS) commands, 184–185

interoperability agreements, 74–76

intrusion detection systems (IDSs)

installing, 280–282

overview, 276–280

intrusion prevention systems (IPSs), 276–280

Invoke-Expression cmdlet, 524, 526

IOS (Internetworking Operating System) commands, 184–185

IoT (Internet of Things), discovering, 613–616

ip access-group command, 213, 217

IP addresses

ACLs, 208–210, 216–217

ApateDNS spoofing, 384–389

DHCP, 310–311

DNS, 308–309

DNSSEC for, 137–147

e-mail, 449–450, 455–456, 458

headers, 135–136

hping3, 433–434

hypervisors, 261

joining domains, 316

Metasploit, 549

monitor mode sniffing, 263–266

netstat tool, 422

routers, 189–191

Scapy, 440–441

servers, 310

Snort rules, 294

Snort sniffer mode, 284–288

sockets, 419

strings, 363, 367

switches, 183, 197

URLs, 134–136

ip any any command, 216

ip default-gateway command, 197

ip domain-name command, 198

ip link command, 264

ip route command, 191–192

ip ssh version command, 198

ipconfig command

ApateDNS, 387

Meterpreter, 554–555

subnet masks, 310–311

switches, 183–184

VMs, 309

IPSs (intrusion prevention systems), 276–280

ISAs (interconnection security agreements), 76

ISO 31000 risk standards, 514

IT Governance webinar, 532

iw dev command, 264

iw wlan0 command, 264

IXFR (incremental transfer), 147

J

James-Civetta, Gloria, 622

job questionnaire, ethics scenario for, 603

John the Ripper

brute force password attacks, 233–238

dictionary password attacks, 226–233

Windows password attacks, 242–243

joining domains, 315–316

JPEG images

signatures, 591

steganography, 581–586

justice standard in ethics, 596

K

Kahn, Bob, 400

Kali Linux

downloading, 11

installing, 11–12

shell, 24

Kaspersky Cyberthreat Real-Time Map, 7

Kaspersky Lab, 542

Kennedy, Dave, 83

Kerckhoffs’s Principle, 98

kernel32.dll file, 362, 367

key exchange protocols, 112–114

key signing keys (KSKs), 139–141, 143–145

keys

asymmetric key encryption, 103–105

cryptography, 97–98

DKIM, 459

DNS, 139–141, 143–145

e-mail cryptography, 125–127

passwords, 198–199

SSH, 199

symmetric key encryption, 99–103

TLS, 158

keyscan_dump command, 554

keyscan_start command, 553–554

keyscan_stop command, 554

keystrokes, capturing, 553–554

Kravets, David, 255

KSKs (key signing keys), 139–141, 143–145

L

Last password change field in passwd file, 112

latency in IPSs, 277–278

law enforcement

Apple vs. FBI, 119

Assistance and Access Bill, 120–121

Lawson, Kent, 255

LDAP (Lightweight Directory Access Protocol), 308

LDAs (local delivery agents), 449

Leafpad text editor, 232

League of Professional System Administrators (LOPSA) website, 600–601

Learn to build section in AWS, 482–483

least significant bits (LSBs) in steganography, 581–582

lecture setting, 65

Lee, Timothy B., 255

legal issues

Apple vs. FBI, 119

Assistance and Access Bill, 120–121

copyrights, 603–605

Creative Commons, 605–606

FSF and GNU, 606–608

Google hacking, 624–625

Insecam, 621

key term quiz, 609

lab analysis, 608–609

Shodan, 615–616

Leiderman, Jay, 621

less utility, 269

licenses

Creative Commons, 605–606

ethics scenario, 603

GPL, 489

Npcap, 387, 398

Windows, 14–16

Wireshark, 398

Lightweight Directory Access Protocol (LDAP), 308

line vty command, 198

LinkedIn, 3–5

links to fake sites, 86–88

Linux

brute force password attacks, 233–238

dictionary password attacks, 226–233

password recovery, 164–167

Linux file system management

copying files, 28–29

hierarchy, 25–27

overview, 22–23

renaming and deleting files and directories, 29–32

starting, 24–25

text, 32

Linux system administration

file creation, 37–40

file listings, 57–59

file owners, 51–53

groups, 53–57

overview, 34–35

permissions, 39–50

users, 35–36

Linux system security

default values, 65–66

locked accounts, 60–62

overview, 59–60

sudo command, 62–64

LISA Special Interest Group, 600–601

List folder contents permission, 335

listing directories, 57–58

load balancing, 194

load_helper command, 174

local delivery agents (LDAs), 449

local permissions, 337

local security groups in Active Directory, 325–326

LocalMachine object in execution policies, 519

locked root accounts, 60–62

login local command, 198

login shell in passwd file, 111–112

logon warnings in GPOs, 346–347

logs

clearing, 558

Event Viewer, 314, 557–558

sandboxes, 360

Snort, 289–292, 294, 297, 300

LookingGlass Threat Map, 7

loopholes, ethics scenario for, 603

LOPSA (League of Professional System Administrators) website, 600–601

ls command

directories, 57–58

Zsh, 26

LSBs (least significant bits) in steganography, 581–582

lsusb command, 263

M

MAAs (mail access agents), 449

MAC addresses

monitor mode sniffing, 260–266

OUIs, 360–361

registry, 570

switches, 179–181, 184, 202–207

MachinePolicy object in execution policies, 519

Macof tool, 202

mail access agents (MAAs), 449

mail exchanger (MX) resource records, 449, 455

mail/message delivery agents (MDAs), 449

mail/message transfer agents (MTAs), 448–449

mail/message user agents (MUAs), 448

malicious links to fake sites, 86–88

Maltego tool, 90–93

malware

analysis, 358–362

ApateDNS, 384–389

artifacts, 379–382

embedding binaries, 372–376

fileless, 515–516, 520–527

key term quiz, 390

lab analysis, 389–390

Process Monitor tool, 382–384

Regshot tool, 379–382

strings, 362–370

unpacking, 370–372

virtual machines, 360–361

VirusTotal tool, 376–379

MalwareTech researcher, 542

man-in-the-middle (MITM) attacks, 99

MAPI (Messaging Application Programming Interface), 449

mapping network drives to shared folders, 349–351

maps of cyber threat, 5–8

masks

ACLs, 210–211

subnet, 310–311

Matherly, John, 615

Maximum number of days the password is valid for field in passwd file, 112

McCarrin, Michael, 256

md command, 556

MD4 hash function, 224

MD5 hash function, 223

MDAs (mail/message delivery agents), 449

measured service in cloud computing, 467

measurement systems analysis (MSA), 75

Medusa tool, 223

memoranda of agreement (MOA), 75

memoranda of understanding (MOU), 75

memory

evidence, 578–581

malware analysis, 361

Merdinger, Shawn, 614

message digests, 106–107

Messaging Application Programming Interface (MAPI), 449

metadata

evidence, 565

EXIF, 591

Snort rules, 295

Metasploit framework

Armitage GUI, 560–561

exploits, 548–549

Meterpreter, 551–560

starting, 546–547

working with, 544–546

Meterpreter tool, 545–546, 551–552

administrative commands, 557–558

commands list, 552–553

file commands, 556

GUI, 558–560

keystroke capturing, 553–554

network commands, 554–555

Mickey Mouse Protection Act, 604–605

microphones, Registry data for, 576–577

Microsoft Azure

exploring, 471–475

training, 469–471

Mimikatz tool, 239–242

Minimum number of days between password changes field in passwd file, 112

mirroring, port, 277

MITM (man-in-the-middle) attacks, 99

mkdir command, 26–27

MOA (memoranda of agreement), 75

mobile devices

detecting, 256–260

overview, 254–256

modifications by malware, 379–382

Modify permissions, 335

monitor mode for sniffing, 260–266

morals. See ethics

Mossad National Intelligence Agency, 396

MOU (memoranda of understanding), 75

MRUListEx value in Registry, 573–575

MSA (measurement systems analysis), 75

MSFconsole tool, 545–547

MSFvenom tool, 545–546

msg option for Snort rules, 295

msvcrt.dll file, 367

MTAs (mail/message transfer agents), 448–449

MUAs (mail/message user agents), 448

multicasts with switches, 180

mv command, 29–31

MX (mail exchanger) resource records, 449, 455

N

N-day attacks, 542–543

names

Active Directory objects, 304–305

directories, 29–30

files, 29

SPF, 456

users, 332–333

namespaces for Active Directory, 305–306

NAT (Network Address Translation), 420

National Health Service (NHS) hospitals, attack on, 542

National Institute of Standards and Technology (NIST)

business continuity plans, 530

cloud computing, 466

disaster recovery plans, 530

hardening definitions, 304

incident definition, 538

password guides, 225

privacy definition, 612

risk definition, 514

spam definition, 453

National Security Agency (NSA)

EternalBlue tool, 239

Tailored Access Operations, 541

Ncrack tool, 223

NDAs (nondisclosure agreements), 76

nested organizational units, 317

netcat/ncat tool

chat servers, 421–424

file transfers, 424

shell creation, 425–427

sockets, 419–427

NetSpot app, 257–259

netstat tool

ApateDNS, 387

open ports, 422

Network Address Translation (NAT), 420

network-based firewalls, 395

network-based IDSs (NIDSs), 278–279

network-based IPSs (NIPSs), 278–279

network command for routers, 194

network data as evidence, 566

network drives, mapping to shared folders, 349–351

network fundamentals, 178

key term quiz, 200

lab analysis, 199–200

passwords and SSH, 195–199

router configuration, 185–195

switch configuration, 179–185

network interface cards (NICs)

communications through, 392–393

sniffing, 260–266

Network Intrusion Detection System (NIDS) mode in Snort, 290–300

network operating systems (NOSs), 308

network security

key term quiz, 301

lab analysis, 301

overview, 276–280

Snort Network Intrusion Detection System mode, 290–300

Snort packet logger mode, 288–290

Snort sniffer mode, 283–288

Ubuntu and Snort installation, 280–282

network shares in GPOs, 353–354

networks

cloud computing, 466

Meterpreter commands, 554–555

Registry data, 570–572

New-Object cmdlet, 522

New Technology File System (NTFS) permissions, 334–341

New Technology LAN Manager (NTLM) passwords, 224

next hops for routers, 191

Next SECure (NSEC) resource records, 150–152

NHS (National Health Service) hospitals, attack on, 542

NICs (network interface cards)

communications through, 392–393

sniffing, 260–266

NIDS (Network Intrusion Detection System) mode in Snort, 290–300

NIDSs (network-based IDSs), 278–279

NIPSs (network-based IPSs), 278–279

NIST. See National Institute of Standards and Technology (NIST)

Nmap tool

connect scans, 403–405

Null, FIN, and Xmas scans, 405–413

port scanning with, 392–419

SYN scans, 401

test site, 418–419

UDP, 414–417

no access-list command, 214

no ip route command, 194

no shutdown command, 189–190

nondisclosure agreements (NDAs), 76

nonexistent domain (NXDOMAIN) responses, 385, 389

nonexistent domain (NXDOMAIN) status, 149–151

NOSs (network operating systems), 308

Not Configured setting for GPOs, 344

NotPetya attack, 239, 542

Npcap, 387, 398–399

NS resource records, 146

NSA (National Security Agency)

EternalBlue tool, 239

Tailored Access Operations, 541

NSEC (Next SECure) resource records, 150–152

NSEC3 resource records, 153–155

NSEC3 White Lies, 154

nslookup tool

DKIM, 460–461

DMARC, 462

SMTP server information, 451

SPF, 455–458

ntdll.dll file, 363

NTDS.dit file, 223

NTFS (New Technology File System) permissions, 334–341

NTLM (New Technology LAN Manager) passwords, 224

Null scans, 405–413

NULL values in SQL injection, 507

Number of days after the password expires before the account will be disabled field in passwd file, 112

Number of days before a user will be warned that a password must be changed field in passwd file, 112

Number of days from Unix time when the account will be disabled field in passwd file, 112

NXDOMAIN (nonexistent domain) responses, 385, 389

NXDOMAIN (nonexistent domain) status, 149–151

O

objects

Active Directory, 304–305, 327–334

definition, 330

organizational units, 317–318, 321

obligation, definition, 596

octal numbering system for permissions, 40

on-demand self-service in cloud computing, 466

on-demand signing, 155

one-way hashing functions, 106–109

open ports

netstat tool, 422

UDP, 414

Open Shortest Path First (OSPF) protocol, 187, 194–195

open-source intelligence (OSINT), 89–93

Open Systems Interconnection (OSI) Model

ACLs, 208

network communications, 392–394

zone transfers, 147

Open Web Application Security Project (OWASP), 488

OpenPGP standards, 123–130

OpenPGP Working Group, 123

OpenSaveMRU key in Registry, 575

OpenSavePidlMRU key in Registry, 574

operational and organizational security

interoperability agreements, 74–76

key term quiz, 77

lab analysis, 76–77

overview, 70

policies, 71–73

training documentation, 73–74

ophcrack tool, 248–250

Opportunistic Wireless Encryption (OWE), 267

options in Zsh, 25

organizational units (OUs)

contact information, 325

creating, 319–321

delegating control of, 322–324

domains, 317–326

managing, 321–322

organizationally unique identifiers (OUIs), 360–361

OSI (Open Systems Interconnection) Model

ACLs, 208

network communications, 392–394

zone transfers, 147

OSINT (open-source intelligence), 89–93

OSPF (Open Shortest Path First) protocol, 187, 194–195

OUIs (organizationally unique identifiers), 360–361

OUs. See organizational units (OUs)

outbound ACLs, 211–212

OWASP (Open Web Application Security Project), 488

OWE (Opportunistic Wireless Encryption), 267

owners of files, 51–53

P

PaaS (Platform as a Service), 468

packed (compressed) malware, 370–372

Packet Tracer, 181–185

packets

crafting, hping3, 427–435

crafting, Scapy, 435–444

decrypting, 268–269, 271–272

monitor mode sniffing, 260–266

Snort, decoders, 290

Snort, logger mode, 288–290

Snort, sniffing, 283–288

pandemic effects

business continuity plans, 531–532

change management, 534–535

disaster recovery plans, 532–533

Panorama Consulting Group webinar, 534–535

parameters in Zsh, 25

parent directories, 43

parent domains in Active Directory, 305–306

partial zones, 147

pass rules in Snort, 294

passwd command, 37

passwd_timeout line, 66

passwd_tries line, 66

passwordless root shells, 167

passwords

brute force attacks, 233–238

complex, 224–225

dictionary attacks, 226–233

finding policy examples of, 72

GPOs, 343

hashing, 110–111

overview, 222–225

rainbow table attacks, 243–250

recovery, Cisco routers, 168–172

recovery, Cisco switches, 172–174

recovery, Linux, 164–167

root account, 60–61

routers and switches, 195–199

SQL injection, 503

users, 37, 328, 331

Windows attacks, 238–243

WPA2, 266–272

patches

vulnerabilities, 543

WannaCry ransomware, 541–542

patents, 605

payloads

exploits, 543–544

hping3, 428–433

Meterpreter, 551–560

Payment Card Industry Data Security Standard (PCI DSS), 488

PayPal, spoofing, 462–463

PECB Group, Inc. webinar, 532

penetration testing, 544

pentesters, 540

permissions

Active Directory, 323–324, 326

files, 39–50

folders, 335–341

groups, 318

organizational units, 317–318

overview, 334–341

permit statement, 209–211, 213

permit any statement, 211, 213–214

permit ip statement, 216–217

personal mode in WPA2, 266

personally identifiable information (PII), 488

PEview tool, 373–376

PGP (Pretty Good Privacy), 123

phishing, 80–83

overview, 453–454

simulating, 550

Social-Engineer Toolkit, 84–86

tests, 88–89

PhishMe study, 82

phones, Registry data for, 576–577

Physical layer, 392–393

physical security

key term quiz, 175

lab analysis, 175

overview, 164

password recovery, Cisco routers, 168–172

password recovery, Cisco switches, 172–174

password recovery, Linux, 164–167

PII (personally identifiable information), 488

pipes, 58

PKI. See Public Key Infrastructure (PKI)

plaintext

asymmetric key encryption, 103

description, 97

passwords, 223

Platform as a Service (PaaS), 468

PoC (proof-of-concept) exploits, 543

policies

GPOs. See Group Policy Objects (GPOs)

overview, 71

working with, 71–73

POP3 (Post Office Protocol version 3), 448–449

port scanning

connect scans, 403–405

description, 394–395

Insecam, 621

with nmap, 392–419

Null, FIN, and Xmas scans, 405–413

steps, 399–403

test site, 418–419

UDP, 414–418

port security on switches, 202–207

ports

description, 393–394

hping3, 429, 434–435

mirroring, 277

netstat tool, 422

routers, 179–180

sockets, 419

source and destination, 394

switches, 179–180

Post Office Protocol version 3 (POP3), 448–449

POST (power-on self-test), 165

PostgreSQL tool, 545

power grid cyberattack, 81

power-on self-test (POST), 165

PowerShell

description, 514–515

exploitation, 520–527

script settings, 516–520

preimage resistance in hashing, 106, 108

preprocessors in Snort, 290–291, 293

preshared key (PSK), 266–267

Pretty Good Privacy (PGP), 123

principle of least privilege, 304

priority option in Snort rules, 295

privacy

Google hacking, 624–629

Insecam, 620–623

key term quiz, 630

lab analysis, 629–630

overview, 612

Shodan search engine, 613–620

private clouds, 468

private keys

asymmetric key encryption, 103–105

passwords, 198

privileged EXEC mode. See EXEC mode

Process Monitor tool, 382–384

Process object in execution policies, 519

processes, description, 24

professional responsibilities and principles in ACM code of ethics, 599–600

promiscuous mode in NICs, 260

promoting machines to domain controllers, 313

prompts in Zsh, 24

proof-of-concept (PoC) exploits, 543

PROTECT IP Act, 605

Protect mode in switchports, 203

.ps1 extension, 517

PSH flag, 405–406

PSK (preshared key), 266–267

public clouds, 469

public key encryption, 103–105

Public Key Infrastructure (PKI), 134

DNSSEC, for exploiting, 147–155

DNSSEC, for security, 134–147

key term quiz, 161

lab analysis, 161

TLS, 156–160

public keys

e-mail cryptography, 125–127

passwords, 198

PuTTY, 168–170, 173

pwd command, 25

Q

quantum computing, 104

queries in databases, 499–502

Quickstart center in Microsoft Azure, 472–473

R

RADIUS (Remote Authentication Dial-In User Service), 266

rainbow table attacks, 224, 243–250

Random Access Memory (RAM)

evidence, 578–581

malware analysis, 361

RandShort() function, 443

ransomware

description, 82

NotPetya and BadRabbit, 239

WannaCry, 541–542

rapid elasticity in cloud computing, 467

Raw IP mode in hping3, 432–433

RC4 (Rivest Cipher 4), 99

rd command, 556

rdesktop command, 559

Read permissions

files, 39–46

NTFS, 334–336

Read & Execute permissions, 334–335

RecentDocs key in Registry, 572–573

reconnaissance through open-source intelligence, 89–93

records, ethics scenario for, 602

recovery

DRPs. See disaster recovery plans (DRPs)

files, 586–589

passwords, Cisco routers, 168–172

passwords, Cisco switches, 172–174

passwords, Linux, 164–167

recursive listing of directories, 57–58

Recycle Bin for Active Directory, 333

redirecting files, 32–33

reduction functions in rainbow table attacks, 243–245

reference option in Snort rules, 295

REG_BINARY values, 569

regional Internet registries (RIRs), 138

registered ports, 394

registers in malware analysis, 361

Registry

advapi32.dll, 363

contents, 567

file data, 572–574

locating information in, 568–570

Metasploit exploits, 557–558

network settings, 570–572

Process Monitor, 382–384

Regshot tool, 379–382

shell creation, 426

USB data, 576–577

user data, 575

Wi-Fi router data, 570

RegSetValueExW function, 363

Regshot tool, 379–382

reject rules in Snort, 294

reload command

routers, 170

switches, 206

Remote Authentication Dial-In User Service (RADIUS), 266

Remote Desktop Protocol, 558–560

RemoteSigned execution policy option, 517, 520

removable media and devices for evidence, 566

rename flash command, 174

renaming

directories, 29–30

files, 29–31

hostnames, 315

users, 332–333

reset command, 171

Resource Hacker tool, 373–375

resource pooling in cloud computing, 466–467

resource record signature (RRSIG) resource records, 139–140, 144–145

resource records

DNS, 137, 139–145, 149–155

e-mail, 455

Restrict mode in switchports, 203

Restricted execution policy option, 517, 520

rev option in Snort rules, 295

reverse engineering for malware, 358

reverse shells

netcat tool, 420

TCP, 546

rights standard in ethics, 596

Rios, Billy, 614

RIRs (regional Internet registries), 138

risk management

key term quiz, 528

lab analysis, 527

overview, 514–516

PowerShell exploitation, 520–527

PowerShell script settings, 516–520

Rivest, Ron, 104

Rivest Cipher 4 (RC4), 99

rm command, 31–32

rmdir command, 31

RockYou company, 231

rockyou.txt password file, 226, 231–233, 269

role-based training, 74

role of people in security

key term quiz, 94

lab analysis, 93–94

open-source intelligence, 89–93

overview, 80–83

phishing tests, 89–90

Social-Engineer Toolkit, 83–88

ROMMON (ROM monitor) mode, 171

root account

locked, 60–62

passwords, 60–61

root servers, 135–136

root zones, 145

route command, 292–293

router ospf command, 194

routers

ACLs on, extended, 214–217

ACLs on, standard, 207–214

configuration, 185–195

description, 178

passwords, and SSH, 195–199

passwords, recovery, 168–172

ports and interfaces, 179

static routes, 193–195

topologies, 188–189

routing tables, 185–186, 190–193

rows in databases, 505

RRSIG (resource record signature) resource records, 139–140, 144–145

RSA algorithm, 104–105

RST flag

closed ports, 405, 438

connection termination, 402, 407–408, 412

Scapy, 439, 442

TCP connections, 399–404

rtgen tool, 244

rules

firewalls, 309

Process Monitor, 384

Snort, 290–291, 293–300

run-help command, 25

run multi_console_command command, 559

S

SaaS (Software as a Service), 467

SAE (Simultaneous Authentication of Equals) protocol, 267

salts in rainbow table attacks, 246–247

SAM (Security Account Manager), 223

sandboxes, 359–360

SANS Institute Security Policy Templates page, 71

Sarbanes–Oxley Act (SOX), 488

SATs (source address tables), 180, 202, 205, 260

Scapy tool

ICMP echo requests, 436–437

network traffic, 440–442

packet crafting, 435–444

SYN flood attacks, 442–444

TCP segments, 437–439

scareware, 81

screenshare command, 553

screenshot command, 552

scripts

PowerShell exploitation, 520–527

PowerShell settings, 516–520

sdrop rules in Snort, 294

search engine, Shodan, 613–620

searches with Google hacking, 624–629

second-level domains (SLDs), 134

sectors in drives, 578–579

Secure Hash Algorithm 1 (SHA-1), 106, 223

Secure Shell (SSH)

network-based firewalls, 395

passwords, 195–199

Secure Sockets Layer (SSL), 156

secure software development

key term quiz, 511

lab analysis, 510–511

overview, 488

SQL injection, 497–510

WampServer and DVWA, 489–497

security

Internet of Things devices, 613

physical. See physical security

Security Account Manager (SAM), 223

security concepts

Data Breach Investigations Report, 20–22

key term quiz, 67

lab analysis, 66

Linux file system management. See Linux file system management

Linux system administration. See Linux system administration

Linux system security. See Linux system security

overview, 20

security events in Event Viewer, 314

security groups in Active Directory, 325–326

security identifiers (SIDs) for groups, 318

security policies, finding examples of, 72

security through obscurity, 98

security tools and techniques

hping3, 427–435

key term quiz, 445–446

lab analysis, 444–445

overview, 392

port scanning with nmap, 392–419

Scapy, 435–444

sockets, 419–427

security trends

cyber threat maps, 5–8

cybersecurity survey, 8–10

key term quiz, 17

lab analysis, 16–17

overview, 2

staying current, 3–5

virtual labs, 10–16

SecurityIntelligence articles for incident response, 540

segment command, 438

SELECT VERSION() function, 507

send function in Scapy, 436–437

Sender Policy Framework (SPF), 454–458

sensors for cyber threats, 5–6

Serling, Rod, 122

Server Manager, 314

Server Message Block (SMB) protocol

EternalBlue exploit, 541

Metasploit exploits, 548

network connections, 393

service-level agreements (SLAs), 75

service models in cloud computing, 467–468

service set identifiers (SSIDs), 257–259, 265

services, 24, 393

session keys

e-mail cryptography, 127

TLS, 158

sessions command, 557

SET. See Social-Engineer Toolkit (SET)

SET command in Social-Engineer Toolkit, 84–86

Set-ExecutionPolicy cmdlet, 518–520

SGID (set group ID) permissions, 46–48

SHA-1 (Secure Hash Algorithm 1), 106, 223

SHA-2 family of hashing standards, 110–111

SHA-256, 109–111

SHA-512, 223

sha512crypt, 223

Shamir, Adi, 104

Shannon’s Maxim, 98

shared folders

GPOs, 351–353

mapping network drives to, 349–351

shared secrets

asymmetric key encryption, 104

Diffie-Hellman key exchange, 198

shares and Share permissions for folders, 334–341

SHAttered attack, 106–107

shell32.dll file, 363

shells

creating, 425–427

description, 23

passwd file, 111–112

Shodan search engine, 613–620

show access-lists command, 213–214, 217

SHOW DATABASES command, 498–499

show interface command, 184, 206–207

show ip route command, 190–192

show ip ssh command, 199

show mac-address-table command, 184

show options command, 549

show port-security command, 205–207

show port-security interface command, 205–207

show run command, 213

show running-config command

routers, 170

switches, 199, 205–206

show ssh command, 199

SHOW TABLES command, 498–499

Shutdown mode in switchports, 203

sid option in Snort rules, 295

SIDs (security identifiers) for groups, 318

signatures

DKIM, 459–460

files, 588–591

hping3, 429

TLS, 159

Simple Mail Transfer Protocol (SMTP), 448–451

Simple Network Management Protocol (SNMP), 197, 203

Simultaneous Authentication of Equals (SAE) protocol, 267

site containers in Active Directory, 307

site surveys, NetSpot for, 257–259

SLAs (service-level agreements), 75

SLDs (second-level domains), 134

SMB (Server Message Block) protocol

EternalBlue exploit, 541

Metasploit exploits, 548

network connections, 393

smishing, 80

SMTP (Simple Mail Transfer Protocol), 448–451

sniffing

monitor mode, 260–266

Snort mode, 283–288

SNMP (Simple Network Management Protocol), 197, 203

snort.conf file, 293

Snort IDS, 279–280

configuration files, 293, 300

installing, 282

Network Intrusion Detection System mode, 290–300

packet logger mode, 288–290

sniffer mode, 283–288

Social-Engineer Toolkit (SET)

launching, 84

malicious links to fake sites, 86–88

overview, 83–84

phishing, 84–86, 88–89

social engineering, 80

sockets, 419–427

Software as a Service (SaaS), 467

software recommendations, ethics scenario for, 603

Sonny Bono Copyright Term Extension Act, 604–605

sort command, 34

sorting files, 34

source address tables (SATs), 180, 202, 205, 260

source IP addresses, 208

source ports

hping3, 429, 434

IP addresses, 394

SOX (Sarbanes–Oxley Act), 488

spam, 453–463

SpamAssassin, 457

SpamHaus Technology Live Botnet Threats Worldwide, 7

SPAN (Switched Port Analyzer), 277

spear phishing, 82

special characters, directories with, 57

special permissions, 46–50

SPF (Sender Policy Framework), 454–458

spoofed items, hping3 with, 433–435

spoofing

Diffie-Hellman key exchange, 112

DNS, 136

sport command, 440, 443

SQL injection. See Structured Query Language (SQL) injection

sr() function, 437

sr1() function, 441–442

srloop() function, 443

SRV resource records, 308

SSH (Secure Shell)

network-based firewalls, 395

passwords, 195–199

SSIDs (service set identifiers), 257–259, 265

SSL (Secure Sockets Layer), 156

St. Louis Cardinals, password guessing by, 222

Stallman, Richard, 607

standard ACLs, 207–214

startup-config file command, 174

static IP addresses for servers, 310

static malware analysis, 358–359, 361

static routes, 191–195

steganography, 581–586

sticky bit permissions, 46–50

sticky command, 204–205

Stop-Computer cmdlet, 527

Stop Online Piracy Act, 605

stream ciphers, 99

Street View cars, 254–256

strings

analyzing, 368–370

executing, 523–524

malware, 362–370

uses, 366–368

strings64 file, 365–367

Structured Query Language (SQL) injection

commands, 498–499

example, 502–506

overview, 497–498

queries, 499–502

su command, 37, 61–62

sudo command, 35–36, 62–64

SUID (set user ID) permissions, 46–47

summary() function in Scapy, 442

Sun Tzu, The Art of War, 2

superusers, 35–36

survey, cybersecurity, 8–10

Switched Port Analyzer (SPAN), 277

switched virtual interface (SVI), 197

switches

configurations, 179–185

description, 178

passwords, and SSH, 195–199

passwords, recovery, 172–174

port security on, 202–207

ports and interfaces, 179–180

unicasts, 260

Zsh, 25

switchport mode access command, 204–205

switchport port-security command, 204–205

switchport port-security mac-address command, 205

switchport port-security mac-address sticky command, 204–205

switchport port-security maximum command, 205

switchport port-security violation restrict command, 205

switchports, 202–203

symmetric key encryption, 99–103

SYN flag

connection scans, 403–404

connection termination, 407

flood attacks, 442–444

scans, 401–402

Scapy, 438–440, 442–444

TCP connections, 397–400

SYN-ACK flag

connection scans, 404

connection termination, 407

Scapy, 438–444

SYN scans, 402

TCP connections, 397–400

syntax, Linux, 40

sysinfo command, 552

system hardening

Active Directory objects, 327–334

domain connectivity, 308–317

group policy objects, 342–354

key term quiz, 355

lab analysis, 354–355

organizational units and groups, 317–326

overview, 304–307

permissions and shares, 334–341

system information in Event Viewer, 314

systemd daemon, 166

T

tables

databases, 505

MAC addresses on, 202

switches, 184

tac command, 33

tail command, 59

Tailored Access Operations (TAO), 541

Talos Cyber Attack Map: Top Spam and Malware Senders, 7

taps, network, 277

Target attack, 332

TCP. See Transmission Control Protocol (TCP)

TCP/IP (Transmission Control Protocol/Internet Protocol) protocol

netcat tool, 419–427

site containers, 307

Tentler, Dan, 614

Terminal Emulator, 24

terminals, 23

text in files, 32

THC-Hydra tool, 223

The Shadow Brokers group, 541

The Sleuth Kit, 587

32-bit binaries for malware, 366

threat maps, 5–8

Threatbutt Internet Hacking Attribution Map, 6

three-way handshakes in TCP, 134, 397–400, 403–407

Thunderbird e-mail client, 123–130

Time To Live (TTL) field

DNS, 136

Scapy, 440

timestamp_timeout line, 66

timestamps in Registry, 569

TLDs (top-level domains), 134, 136

TLS (Transport Layer Security), 125, 156–160

“To Serve Man” Twilight Zone episode, 122

Top 10 Web Application Security Risks, 488

top-level domains (TLDs), 134, 136

topologies

ACLs, 211

Packet Tracer, 182–183

routers, 188–189

touch command, 28

tracert command, 193

trademarks, 605

training

Amazon Web Services, 476–479

documentation, 73–74

Microsoft Azure, 469–471

Transaction SIGnature (TSIG), 148

transfer protocols in URLs, 134

transferring files, 424

Transmission Control Protocol (TCP)

connection termination, 406–407

headers, 397–398

ports, 394

Scapy, 437–439, 441

sockets, 419

three-way handshakes, 134, 397–400

zone transfers, 147

Transmission Control Protocol/Internet Protocol (TCP/IP) protocol

netcat tool, 419–427

site containers, 307

transport input ssh command, 198

Transport Layer Security (TLS), 125, 156–160

Transportation Security Administration (TSA) firewall example, 276–277

trees in Active Directory, 305–306

Triple DES (3DES), 99

trust relationships in Active Directory, 305

truth tables, 100–101

TSA (Transportation Security Administration) firewall example, 276–277

TSIG (Transaction SIGnature), 148

TTL (Time To Live) field

DNS, 136

Scapy, 440

Twilight Zone, “To Serve Man” episode, 122

Twitter contractors celebrity spying, 332

2009-M57-Patents scenario, 591–592

type command, 556

U

UAC, bypassing, 557–558

Ubuntu, installing, 280–282

UDP. See User Datagram Protocol (UDP)

UIDs (User IDs), 111

Ukraine power grid cyberattack, 81

Undefined execution policy option, 517

unicasts with switches, 180, 260

Unicode, 363

uniform resource locators (URLs)

decoding, 290

parts, 134–135

UNION operator in SQL, 507–509

universal groups in Active Directory, 326

unpacking malware, 370–372

Unrestricted execution policy option, 517, 520

unshadow file, 237

unshadow utility, 229–230

UPX packer, 370–372

URG flag, 405

urlmon.dll file, 363

URLs (uniform resource locators)

decoding, 290

parts, 134–135

USB devices, Registry data for, 576–577

USB ports, USB-to-serial converter, 168

USE command in SQL, 498–499

use exploit command, 557

USENIX ethics, 600–601

User Configuration category, 343

User Datagram Protocol (UDP)

DNS, 135–136

port scanning, 414–418

ports, 394

sockets, 419

user EXEC mode. See EXEC mode

USER() function, 508

User IDs (UIDs), 111

user32.dll file, 362–363

userdel command, 56

usermod command, 54

%USERNAME% variable, 522, 525

usernames

displaying, 37

passwd file, 111

routers and switches, 196–197

UserPolicy object in execution policies, 519

users

Active Directory, 327–334

adding to groups, 328–329

creating, 35–36, 327–328

deleting, 56

deleting from groups, 55

disabling, 331–332

managing, 332–333

passwords, 37, 331

Registry data, 575

utility standard in ethics, 596

V

Verizon Data Breach Investigations Report, 20–22, 222

Verkada security company, 329

VERSION() function, 508

vertical organizational units, 317

Vi IMproved text editor (vim), 37–39

virtual labs, building, 10–16

virtual local area network (VLAN) interface, 197

virtual machines (VMs)

malware, 360–361

monitor mode, 260–261

switches, 203

VirusTotal tool, 376–379

VirusTotal website, 360

vishing, 80

VLAN (virtual local area network) interface, 197

vmlinuz line, 166

VMware Workstation Player, 10–11

vulnerabilities

examples, 540–544

incident response, 544–550

patches, 543

W

WampServer, 489–497

incorporating, 493

installing, 490–492

starting, 492

WannaCry ransomware, 541–542

WayBackMachine, 89

web cams, discovering, 620–623

web components, 448

well-known ports, 394

WEP (Wired Equivalency Privacy), 266

whaling, 82

white hat hackers, 540

whoami command, 37, 331

Whois tool, 456

Wi-Fi 4 (802.11n), 267

Wi-Fi 5 (802.11ac), 267

Wi-Fi 6 (802.11ax), 267

Wi-Fi Protected Access (WPA), 266

Wi-Fi Protected Access 2 (WPA2)

encryption, 260

passwords, 266–272

Wi-Fi routers, Registry data for, 570

Wifite, 269–272

wildcard masks

ACLs, 210–211

routers, 194

Windows

password attacks, 238–243

rainbow table attacks, 243–250

Windows 10

downloading, 12–13

installing, 13–14

Windows Registry. See Registry

Windows Server 2019

downloading, 14–15

installing, 15–16

wininet.dll file, 363

Wired Equivalency Privacy (WEP), 266

wireless security

device detection, 256–260

key term quiz, 273

lab analysis, 272

monitor mode sniffing, 260–266

overview, 254–256

password cracking, 266–272

Wireshark packet sniffer

installing, 282

packet capture, 265–267

packet decryption, 268–269, 271–272

wordlist-probable.txt file, 268–269

wordlists

brute force password attacks, 233–234

dictionary password attacks, 226–227, 230–232

Workstation Player, downloading, 10–11

World Wide Web vs. Internet, 613

WPA Handshake capture attacks, 270

WPA (Wi-Fi Protected Access), 266

WPA2 (Wi-Fi Protected Access 2)

encryption, 260

passwords, 266–272

WPA3, 266–267

Write permissions

files, 39–46

NTFS, 334–335

ws2_32.dll file, 363

wsock32.dll file, 363

X

X-headers, 449

Xmas scans, 405–413

XOR ciphers, 99–103

Y

yescrypt function, 229–230, 237

Your ServiceNow email relay system, 457

Z

Z shell (Zsh), 24

zero-day attacks, 541

Zimmermann, Phil, 123

zone signing keys (ZSKs), 139–141, 143–145

zone transfers, 147–148

zone walking, 152–153
