A
A (host address) resource records
destination domains, 449
DNSSEC, 138–139
e-mail, 455
FQDNs, 308
AAAA resource records
e-mail, 455
FQDNs, 308–309
access control lists (ACLs) on routers
extended, 214–217
standard, 207–214
traffic filtering, 186
access-list commands, 209–211, 213–215
access-list deny command, 210–211, 214
access-list deny host command, 210
access-list deny tcp command, 216–217
access-list permit command, 211
access-list permit any command, 211, 213–214
access-list permit ip any any command, 216–217
Account Operators group, 323
account policies, finding examples of, 72
ACK (acknowledgement) flag
connect scans, 403–404
connection termination, 406–408, 411–413
TCP connections, 397–398
ACLs (access control lists) on routers
extended, 214–217
standard, 207–214
traffic filtering, 186
ACM (Association for Computing Machinery) ethics, 597–600
actions in Event Viewer, 314
Active Directory (AD)
filters, 333–334
forests, 306–307
groups, 325–326
namespaces, 305–306
organizational units and groups, 317–326
Recycle Bin, 333
Active Directory Domain Services (AD DS)
connectivity, 308–317
installing, 312–313
Active Directory Users and Computers, 329–331
AD. See Active Directory (AD)
AD DS (Active Directory Domain Services)
connectivity, 308–317
installing, 312–313
Adaptive Security Appliance (ASA), 208
addgroup command, 53
Address Resolution Protocol (ARP)
cache, 555
adduser command, 35–36
Adleman, Leonard, 104
administrative commands in Meterpreter, 557–558
administrative distance in routers, 192
Administrators group, 329
Advanced Encryption Standard (AES), 99–102
advanced Google searches, 624–629
Advanced IP Scanner, 259–260
Advanced Persistent Threats (APTs), 541
advapi32.dll file, 363
AES (Advanced Encryption Standard), 99–102
AGDLP role-based access controls, 326
AGUDLP role-based access controls, 326
aireplay command, 268
Akamai Real-Time Web Attack Monitor, 7
alerts
IDSs and IPSs, 278
Snort, 289–292, 294–297, 298–300
unauthorized devices, 203, 205
algorithms, cryptographic, 97–98
aliases, 63–64
allocation units in drives, 578–579
AllSigned execution policy option, 517
Amazon Web Services (AWS)
exploring, 479–484
training and certification, 476–479
American Registry of Internet Numbers (ARIN), 138
anomaly-based IDSs and IPSs, 279
antivirus tools, 376–379
anycast addressing, 135
ApateDNS tool, 384–389
APIPA (Automatic Private IP Addressing) addresses, 310
Apple Inc. vs. FBI, 119
applications in Event Viewer, 314
applied cryptography
Apple vs. FBI, 119
Assistance and Access Bill, 120–121
e-mail, 123–130
key term quiz, 131
lab analysis, 131
overview, 118
“To Serve Man” episode, 122
APTs (Advanced Persistent Threats), 541
arguments in Zsh, 25
ARIN (American Registry of Internet Numbers), 138
Armitage GUI, 560–561
ARP (Address Resolution Protocol)
cache, 555
arp command, 555
Art of War, The, 2
artifacts in malware, 379–382
ASA (Adaptive Security Appliance), 208
ASNs (autonomous system numbers), 186
Assistance and Access Bill, 120–121
Association for Computing Machinery (ACM) ethics, 597–600
asymmetric key encryption, 103–105
attachments in phishing attacks, 81
attacks
malware. See malware
overview, 358–362
attributes
Active Directory objects, 304–306
GPOs, 342
permissions, 334–335
Australia, Assistance and Access Bill in, 120–121
authentication
brute force password attacks, 233–238
cryptography, 96
dictionary password attacks, 226–233
DKIM, 458–461
key term quiz, 251
lab analysis, 250–251
overview, 222–225
Windows password attacks, 238–243
authoritative transfer (AXFR), 147, 149
autocompletion of IOS commands, 184–185
Automatic Private IP Addressing (APIPA) addresses, 310
autonomous system numbers (ASNs), 186
autonomous systems, 186
Autopsy tool, 587–592
availability
CIA triad, 20
cryptography, 96
privacy, 612
AWS (Amazon Web Services)
exploring, 479–484
training and certification, 476–479
AWS Educate, 476–479
AXFR (authoritative transfer), 147, 149
Azure Marketplace, 474–475
B
backbone routers, 186
background command, 557
BadRabbit ransomware attacks, 239
banner information, 614
baselines
description, 304
IDSs and IPSs, 279
Bash (Bourne-again shell), 24
basic service set identifiers (BSSIDs), 257
Berkeley Internet Name Domain (BIND) DNS servers, 148
BGP (Border Gateway Protocol), 135, 187
binaries, embedding, 372–376
BIND (Berkeley Internet Name Domain) DNS servers, 148
bind shells, 420
bitstream images in forensics, 586–587
black hat hackers, 540
black swan events, 531
block ciphers, 99
Boolean logic, 100–101
booting switches, 174
bootloaders, 165–166
Border Gateway Protocol (BGP), 135, 187
Bourne-again shell (Bash), 24
BPAs (business partnership agreements), 76
breaches
PII, 488
plaintext passwords, 150
privacy, 612
SQL injection, 497
broad network access in cloud computing, 466
brute force password attacks, 224, 233–238
BSSIDs (basic service set identifiers), 257
Build a solution section in AWS, 481–482
Builtin Administrators group, 329
business continuity plans (BCPs)
definition, 530
key term quiz, 536
lab analysis, 535
purpose, 531
webinars, 532
business partnership agreements (BPAs), 76
Bypass execution policy option, 517
C
C language for malware, 362
C++ language for malware, 362
cables for routers, 188–189
cache poisoning in DNS, 136
call operator (&) in PowerShell scripts, 525–526
CAM (content addressable memory) tables, 180, 202–203
cameras, discovering, 620–623
capturing keystrokes, 553–554
care standard in ethics, 596
case-sensitivity in Linux, 25
casino hacking, 614
cat command, 32
CC (Creative Commons) licenses, 605–606
cd command
Meterpreter, 556
Zsh, 26–27
Cerf, Vint, 400
certificate authorities (CAs) in TLS, 159
certificates
e-mail cryptography, 125
TLS, 158–160
certifications
Amazon Web Services, 476–479
importance, 4–5
CFAA (Computer Fraud and Abuse Act)
Insecam, 621
port scanning, 395–396
Shodan, 616
chains in rainbow table attacks, 244–246
change management
components, 530
COVID-19 effects, 534–535
key term quiz, 536
lab analysis, 536
policy examples, 71
Change permissions, 336
chat servers, creating, 421–424
Check Point ThreatCloud Live Cyber Threat Map, 6–7
Cherokee County Georgia Emergency 911 System, 395–396
chgrp command, 51–52
child domains in Active Directory, 305–306
China, great firewall in, 137
chmod command
file mode, 40
chown command, 52–53
CIA triad, 20–21
ciphertext, 98
CIRTs (computer incident response teams), 538
Cisco
IOS commands, 184–185
Packet Tracer, 181–185
router password recovery, 168–172
switch password recovery, 172–174
classification.config file, 293
classtype option in Snort rules, 295
clear command, 58
clear access-list counters command, 213
clearev command, 557–558
clients, deauthenticating, 266–272
CLIs (command line interfaces), 23
cloud computing
Amazon Web Services, exploring, 479–484
Amazon Web Services, training and certification, 476–479
characteristics, 466–467
deployment models, 468–469
key term quiz, 485
lab analysis, 485
Microsoft Azure, exploring, 471–475
Microsoft Azure, training, 469–471
service models, 467–468
Cloud Computing 101, 477–479
cloud storage of evidence, 566–567
clusters on drives, 579
cmdlets, 517
Code of Ethics in ACM, 597–600
code pages, 363
Cofense study, 82
collision attacks in hashing, 106–107
color images for steganography, 581–586
command line interfaces (CLIs), 23
commands
IOS, 184–185
Meterpreter, 552–558
Zsh, 24
comments in SQL injection, 506–508
Common Vulnerabilities and Exposures (CVE) system, 543
communications
NICs, 392–393
sockets, 419–427
community clouds, 468
Complete Guide to Shodan, 615, 618
complex passwords, 224–225
compressed (packed) malware, 370–372
Computer Configuration for GPOs, 343
computer forensics. See forensics
Computer Fraud and Abuse Act (CFAA)
Insecam, 621
port scanning, 395–396
Shodan, 616
computer incident response teams (CIRTs), 538
computer objects in organizational units, 321
Computer Security Resource Center (CSRC) glossary
incident definition, 538
risk definition, 514
CONCAT() function, 509–510
concatenating
database columns, 509–510
files, 32–33
confidentiality
CIA triad, 20
cryptography, 96
privacy, 612
config-register command, 172
configure terminal command
global configuration mode, 170, 172, 189
passwords, 196–197
conflicts, ethical, 596
confreg command, 171
congruent symbol, 114
connect scans, 403–405
connectivity for Active Directory Domain Services, 308–317
contact information in organizational units, 325
content addressable memory (CAM) tables, 180, 202–203
contiguous namespaces in Active Directory, 305
contingency plans, 530
continuity of operations plans (COOPs), 530
Control Panel for GPOs, 344–346
Copy-Item cmdlet, 525
copy running-config startup-config command, 170, 199, 206
copy startup-config running-config command, 172
copying files, 28–29
copyright issues, 603–605
Copyright Term Extension Act, 604–605
costs in forensics, 565
COVID-19 pandemic effects
business continuity plans, 531–532
change management, 534–535
disaster recovery plans, 532–533
cp command, 28–29
Creative Commons (CC) licenses, 605–606
credential policies, finding examples of, 72
credentials, obtaining in fake sites, 87–88
crossover cable for routers, 188
crunch program, 233–238
cryptanalysis, 96–97
crypto key generate rsa command, 198
cryptography
applied. See applied cryptography
asymmetric key encryption, 103–105
Diffie-Hellman key exchange, 112–114
hashing, 106–112
key term quiz, 115
lab analysis, 115
overview, 96–97
symmetric key encryption, 99–103
cryptology
description, 97
TLS, 156–160
CSRC (Computer Security Resource Center) glossary
incident definition, 538
risk definition, 514
current directory in Zsh, 25–27
CURRENT_USER() function, 508
CurrentUser object in execution policies, 519–520
customized payloads in hping3, 428–433
CVE (Common Vulnerabilities and Exposures) system, 543
cyber threat maps, 5–8
cybercrimes, 564
cybersecurity survey, 8–10
D
Damn Vulnerable Web App (DVWA), 489–497
downloading, 492
incorporating, 493
login, 495–496
SQL injection, 502
data as evidence, 565
Data Breach Investigations Report (DBIR), 20–22, 222
Data Encryption Standard (DES), 99
data policies, finding examples of, 72
databases
Active Directory, 305
creating, 493–496
exploits, 545–547
Google Hacking Database, 625–626
passwords, 106, 109–110, 223–227
queries, 499–502
registry, 567
sandboxes, 360
signatures, 279
SQL injection, 497–510
DBIR (Data Breach Investigations Report), 20–22, 222
DCIM (Digital Camera IMages), searching for, 627–629
DCode, 568–570
deauthenticating clients, 266–272
debuggers for malware, 361
decrypting packets, 268–269, 271–272
Default Domain Policy for GPOs, 343
Default execution policy option, 517
default values, 65–66
Defender Antivirus, 239
del command, 556
delegation in organizational units, 317–318, 322–324
delegation signer (DS) resource records, 141–144
deleted files, recovering, 586–589
deleting
directories, 31
files, 31
groups, 56
users from groups, 55
delgroup command, 56
deluser command, 56
denial of service (DoS) attacks
inline IPSs, 277
on-demand signing vulnerability, 155
port scanning, 396
SQL injection, 497
deny statement, 209–211, 213, 215
deny any statement, 208, 210–211
deny tcp statement, 216–217
deployment models in cloud computing, 468–469
DES (Data Encryption Standard), 99
DESCRIBE command, 498–499
destination IP addresses, 208
destination ports
network communications, 394
detection engine in Snort, 291
Deteque Botnet Threat Map, 7
device detection in wireless networks, 256–260
Device Manager, 168–169
Device Parameter key in Registry, 576
DHCP. See Dynamic Host Configuration Protocol (DHCP)
dictionary (dict) files in WPA2, 269
dictionary password attacks, 224, 226–233
Diffie, Whitfield, 112
Diffie-Hellman key exchange (DHKE)
asymmetric cryptography, 112–114
passwords, 198
dig tool
DNS, 137–147
DNSSEC, 148–155
Digital Attack Map, 7
Digital Camera IMages (DCIM), searching for, 627–629
digital certificates
e-mail cryptography, 125
TLS, 158–160
digital forensics. See forensics
digital signatures. See signatures
dir command, 556
dir_flash command, 174
directories
changing, 26–27
creating, 26–27
current, 25–27
deleting, 31
Meterpreter commands, 556
permissions, 39–47
renaming, 29–30
with special characters, 57
directory services in Event Viewer, 314
disable command, 196
Disabled setting for GPOs, 344
disabling users, 331–332
disassemblers for malware, 361
disaster recovery plans (DRPs)
COVID-19 effects, 532–533
definition, 530
key term quiz, 536
lab analysis, 535
webcast, 533
disjointed namespaces in Active Directory, 305–306
display() function in Scapy, 440
distributed denial-of-service (DDoS) attacks, 96, 526, 555
distribution groups in Active Directory, 325–326
DKIM (DomainKeys Identified Mail), 454, 458–461
DLL (dynamic link library) files for strings, 362–363
DMARC (Domain-based Message Authentication, Reporting and Conformance), 454, 461–463
DNS. See Domain Name System (DNS)
DNSKEY resource records, 139–145
DNSSEC protocol
for exploiting, 147–155
for security, 134–147
documentation, training, 73–74
Domain Admins group, 329
Domain-based Message Authentication, Reporting and Conformance (DMARC), 454, 461–463
domain controllers (DCs)
Active Directory, 305–308
organizational units, 319
promoting machines to, 313
domain local groups in Active Directory, 325–326
Domain Name System (DNS)
ApateDNS spoofing, 384–389
authoritative servers, 148–149
DNSSEC, 137–147
e-mail, 449
events, 314
for member servers, 308
port scanning, 414
resource records, 137, 139–142, 149–155
servers, 310
TTL field, 136
URLs, 134–136
DomainKeys Identified Mail (DKIM), 454, 458–461
domains
Active Directory, 305–307
connectivity, 308–317
joining, 315–316
organizational units and groups, 317–326
SPF, 456
users, 327–334
dorking, Google, 624–629
DoS attacks. See denial of service (DoS) attacks
dotted decimal notation for wildcard masks, 210
DownloadFile function, 522, 525
DownloadString function, 524–525
drop rules in Snort, 294
DS (delegation signer) resource records, 141–144
dsniff tools, 202
due diligence in forensics, 566
dumpster diving, 89
DVWA. See Damn Vulnerable Web App (DVWA)
Dynamic Host Configuration Protocol (DHCP)
IP addresses, 310–311
for member servers, 308
registry keys, 571
dynamic link library (DLL) files for strings, 362–363
dynamic malware analysis, 358–361
dynamic ports, 394
dynamic routing protocols for load balancing, 194
E
e-mail
cryptography, 123–130
DKIM, 458–461
DMARC, 461–463
ethics scenario, 602
headers, 448–452
key term quiz, 464
lab analysis, 463
Maltego tool, 91–93
phishing attacks, 80–81
spam, 453–463
SPF, 455–458
EAPoL (Extensible Authentication Protocol over LAN), 266–267, 272
EAS (Exchange ActiveSync), 449
echo command
Meterpreter, 556
Zsh, 32–33
echo requests in Scapy, 436–437
edge routers, 193
edit mode in vim editor, 37–38
editing Registry, 567
EGP (Exterior Gateway Protocol), 187
802.1X, 266–267
EIGRP (Enhanced Interior Gateway Routing Protocol), 187
elasticity in cloud computing, 467
embedded binaries, 372–376
emergency patches for WannaCry ransomware, 542
enable command
Cisco routers, 170–172
passwords, 196
Enabled setting for GPOs, 344
encryption keys for passwords, 198
end devices
description, 178
Packet Tracer, 182–183
end-of-service-life (EOSL) agreements, 76
Enhanced Interior Gateway Routing Protocol (EIGRP), 187
enterprise mode in WPA2, 266
EOSL (end-of-service-life) agreements, 76
Equation Group, 541
/etc/passwd file, 111, 228–229
/etc/shadow file, 61, 111, 223, 228–229
/etc/sudoers file, 62–65
EternalBlue tool
Mimikatz tool, 239
WannaCry exploit, 548
zero-day exploit, 541
ethics
ACM, 597–600
key term quiz, 609
lab analysis, 608–609
overview, 596
scenarios, 602–603
USENIX, 600–601
European Union (EU) GDPR, 488
Event Viewer, 314
events in Process Monitor, 382–384
evidence
cloud storage, 566–567
description, 564–565
RAM and hard drives, 578–581
Registry, 567–578
types, 565
Exchange ActiveSync (EAS), 449
Exchangeable Image File Format (EXIF) metadata, 591
exculpating evidence, 564
EXEC mode
passwords, 196
switches, 183–184
execute permissions, 39–46
execution policy in PowerShell, 517–520, 522–523
EXIF (Exchangeable Image File Format) metadata, 591
exit command
Cisco routers, 170
superusers, 37
expert witnesses, 564
Exploit Database, 625
exploits
configuring, 548–549
definition, 540
description, 543–544
DNSSEC, 147–155
Metasploit, 548–549
phishing, 550
extended ACLs, 207–208, 214–217
Extensible Authentication Protocol over LAN (EAPoL), 266–267, 272
Exterior Gateway Protocol (EGP), 187
external zone transfers, 147–149
F
fair use doctrine, 605
fake sites, malicious links to, 86–88
Federal Bureau of Investigation (FBI) vs. Apple Inc., 119
Federal Wiretap Act, 254
file transfer protocol (FTP), 134, 393, 440
fileless malware, 515–516, 520–527
files
concatenating, 32–33
copying, 28–29
creating, 28
deleting, 31
displaying, 59
finding, 58
GPTs, 342
hiding, 581–586
integrity, 109–110
Meterpreter commands, 556
owners, 51–53
recovering, 586–589
Registry, 572–574
renaming, 29–31
signatures, 588–591
sorting, 34
text in, 32
transfers, 424
Zsh filenames, 25
filters
ACLs, 208
Active Directory, 333–334
Event Viewer, 314
ports, 395
Process Monitor, 384
Wireshark, 265–266
FIN flag, 399
FIN scans, 405–413
find command, 58
finding files, 58
FireEye Cyber Threat Map, 6
firewalls
bind shells, 420
limitations, 276–277
ports, 395
rules, 309
flash_init command, 173
flaws, ethics scenario for, 603
floods
multicasts, 180
Scapy, 442–444
folders
GPTs, 342
permissions, 335
sharing, 335–341
forensics
2009-M57-Patents scenario, 591–592
file recovery, 588
file signatures, 588–591
imaging, 586–587
key term quiz, 593
lab analysis, 592
overview, 564–567
RAM and hard drives, 578–581
Registry, 567–578
steganography, 581–586
forests in Active Directory, 306–307
FQDNs. See fully qualified domain names (FQDNs)
fraud in forensics, 565
Free Software Foundation (FSF), 606–608
FTP (file transfer protocol), 134, 393, 440
Full control permissions, 335–336
full zones, 147
fully qualified domain names (FQDNs)
ApateDNS, 384–389
dots in, 137
e-mail, 455
MX records, 449
parts, 134
SRV records, 308
strings, 363
switches, 198
G
gaming, ethics scenario for, 603
Garfinkel, Simson L., 256
gdi32.dll file, 363
gedit text editor, 292–293
General Data Protection Regulation (GDPR), 488
General Electric Comprehensive Operating System (GECOS), 111
Get-Content cmdlet, 526
Get-ExecutionPolicy cmdlet, 517, 520
Get-Process cmdlet, 525
Get-Service cmdlet, 524
GHDB (Google Hacking Database), 626, 628
gid option in Snort rules, 295
GIDs (Group IDs), 111
GLBA (Gramm–Leach–Bliley Act), 488
global catalog in Active Directory, 306–307
global configuration mode
passwords, 198
switches, 184
global groups in Active Directory, 325–326
Global System for Mobile Communications (GSM) standard, 99
globally unique identifiers (GUIDs), 342
GNU GRUB 2 (GNU GRand Unified Bootloader version 2), 165–166
GNU operating system, 606–608
GNU Privacy Guard (GPG), 123
Goldman, David, 255
Google
hacking, 624–629
Street View cars, 254–256
Google Hacking Database (GHDB), 626, 628
Google Project Zero, 543
GPCs (Group Policy containers), 342
GPG (GNU Privacy Guard), 123
GPMC. See Group Policy Management Console (GPMC)
GPME (Group Policy Management Editor), 343–344, 346–348
GPOs. See Group Policy Objects (GPOs)
GPTs (Group Policy templates), 342
gpupdate command, 345–346, 348, 350
Gramm–Leach–Bliley Act (GLBA), 488
graphical user interfaces (GUIs)
Armitage, 560–561
description, 23
Meterpreter, 558–560
great firewall of China, 137
grep command
filters, 41
groups, 54
Group IDs (GIDs), 111
Group Policy containers (GPCs), 342
Group Policy Management Console (GPMC)
Control Panel, 344
Default Domain Policy, 343
logon warnings, 346–347
users, 353
Group Policy Management Editor (GPME), 343–344, 346–348
Group Policy Objects (GPOs)
Control Panel, 344–346
creating, 347–348
Default Domain Policy, 343
in execution policies, 519
Internet access, 348–349
logon warnings, 346–347
mapping network drives to shared folders, 349–351
network shares, 353–354
organizational units, 317–318
overview, 342–343
shared folders, 351–353
Group Policy templates (GPTs), 342
groupadd command, 53
groupdel command, 56
groups
Active Directory, 325–326
adding users to, 328–329
creating, 53–54
deleting, 56
deleting users from, 55
displaying, 55
domains, 317–326
organizational units, 318, 323
groups command, 54–55
GSM (Global System for Mobile Communications) standard, 99
GUIDs (globally unique identifiers), 342
GUIs (graphical user interfaces)
Armitage, 560–561
description, 23
Meterpreter, 558–560
H
Halifax Chamber of Commerce webinar, 535
handshakes
hard drives
evidence, 578–581
read/write mode, 166–167
hashes and hashing
asymmetric key encryption, 104
characteristics, 106
dictionary password attacks, 226
DKIM, 459
file integrity, 109–110
one-way functions, 108–109
passwords, 110–111, 199, 223–224
rainbow table attacks, 243–247
SHAttered attack, 106–107
TLS, 159
head command, 59
headers
e-mail, 448–452
IP addresses, 135–136
TCP, 397–398
Health Insurance Portability and Accountability Act (HIPAA), 488
Hellman, Martin, 112
hidden files, 57
Hide’N’Send tool, 583–586
hiding files, 581–586
HIDS (host-based IDS), 278–279
HIPS (host-based IPS), 278–279
Hirschfeld, Scott, 616
Home Depot attack, 332
home directory, 43
passwd file, 111
Zsh, 24
honeypots, 5
horizontal organizational units, 317
hospitals, attack on, 542
host address resource records. See A (host address) resource records
host-based IDS (HIDS), 278–279
host-based information for evidence, 566
host-based IPS (HIPS), 278–279
host keyword in ACLs, 210
host systems, detecting, 560–561
hostname command
FQDNs, 198
switches, 184
hostnames
renaming, 315
SPF, 456
Houston Astros, password guessed, 222
How To Use Google Forms page, 9
How To Use Google Slides page, 10
hping3 utility
packet crafting, 427–435
traffic sending with customized payloads, 428–431
traffic sending with multiple protocols, 431–433
traffic sending with spoofed items, 433–435
HTTP (hypertext transfer protocol), 134
human resources policies, finding examples of, 72
Hurley, Lawrence, 256
Hutchins, Marcus, 542
HxD tool, 579–581
hybrid clouds, 469
Hydra tool, 223
hypertext transfer protocol (HTTP), 134
hypervisors, 261
I
IaaS (Infrastructure as a Service), 468
IANA (Internet Assigned Numbers Authority), 394
ICANN (Internet Corporation for Assigned Names and Numbers), 153
ICMP. See Internet Control Message Protocol (ICMP)
ICMP Destination Unreachable Port Unreachable message, 414–415
ICMP Port Unreachable message, 414
IDA (Interactive Disassembler), 361
IDG TECHtalk webcast, 533
IDSs (intrusion detection systems)
installing, 280–282
overview, 276–280
IETF (Internet Engineering Task Force), 123
ifconfig command, 554
IGP (Interior Gateway Protocol), 187
IM (instant messaging), 448
images
forensics, 586–587
steganography, 581–586
IMAP (Internet Message Access Protocol), 448–449
inbound ACLs, 211–212
incident response
Armitage GUI, 560–561
companies and stories, 538–540
definition, 564
key term quiz, 562
lab analysis, 562
Metasploit exploits, 544–550
Meterpreter, 551–560
overview, 538
policy examples, 73
vulnerability examples, 540–544
incidents, description, 564
incremental transfer (IXFR), 147
inculpating evidence, 564
Infrastructure as a Service (IaaS), 468
infrastructure security, 202
ACLs on routers, extended, 214–217
ACLs on routers, standard, 207–214
key term quiz, 219
lab analysis, 218–219
port security on switches, 202–207
init link, 166
Innovatio IP Ventures, 255
Insecam project, 620–623
installing
AD DS, 312–313
Kali Linux, 11–12
Ubuntu and Snort, 280–282
WampServer, 490–492
Windows 10, 13–14
Windows Server 2019, 15–16
Wireshark, 282
instant messaging (IM), 448
insults setting, 65
integrity
CIA triad, 20
cryptography, 96
files, 109–110
privacy, 612
Interactive Disassembler (IDA), 361
interconnection security agreements (ISAs), 76
interface command for routers, 189
interface vlan command, 197
Interior Gateway Protocol (IGP), 187
Internet Assigned Numbers Authority (IANA), 394
Internet Control Message Protocol (ICMP)
error messages, 185
hping3, 431–433
Scapy echo requests, 436–437
sniffing, 272
Snort, 285
Internet Corporation for Assigned Names and Numbers (ICANN), 153
Internet Engineering Task Force (IETF), 123
Internet Message Access Protocol (IMAP), 448–449
Internet of Things (IoT), discovering, 613–616
Internet vs. World Wide Web, 613
Internetworking Operating System (IOS) commands, 184–185
interoperability agreements, 74–76
intrusion detection systems (IDSs)
installing, 280–282
overview, 276–280
intrusion prevention systems (IPSs), 276–280
Invoke-Expression cmdlet, 524, 526
IOS (Internetworking Operating System) commands, 184–185
IoT (Internet of Things), discovering, 613–616
ip access-group command, 213, 217
IP addresses
ApateDNS spoofing, 384–389
DHCP, 310–311
DNS, 308–309
DNSSEC for, 137–147
headers, 135–136
hping3, 433–434
hypervisors, 261
joining domains, 316
Metasploit, 549
monitor mode sniffing, 263–266
netstat tool, 422
routers, 189–191
Scapy, 440–441
servers, 310
Snort rules, 294
Snort sniffer mode, 284–288
sockets, 419
URLs, 134–136
ip any any command, 216
ip default-gateway command, 197
ip domain-name command, 198
ip link command, 264
ip route command, 191–192
ip ssh version command, 198
ipconfig command
ApateDNS, 387
Meterpreter, 554–555
subnet masks, 310–311
switches, 183–184
VMs, 309
IPSs (intrusion prevention systems), 276–280
ISAs (interconnection security agreements), 76
ISO 31000 risk standards, 514
IT Governance webinar, 532
iw dev command, 264
iw wlan0 command, 264
IXFR (incremental transfer), 147
J
James-Civetta, Gloria, 622
job questionnaire, ethics scenario for, 603
John the Ripper
brute force password attacks, 233–238
dictionary password attacks, 226–233
Windows password attacks, 242–243
joining domains, 315–316
JPEG images
signatures, 591
steganography, 581–586
justice standard in ethics, 596
K
Kahn, Bob, 400
Kali Linux
downloading, 11
installing, 11–12
shell, 24
Kaspersky Cyberthreat Real-Time Map, 7
Kaspersky Lab, 542
Kennedy, Dave, 83
Kerckhoffs’s Principle, 98
key exchange protocols, 112–114
key signing keys (KSKs), 139–141, 143–145
keys
asymmetric key encryption, 103–105
cryptography, 97–98
DKIM, 459
e-mail cryptography, 125–127
passwords, 198–199
SSH, 199
symmetric key encryption, 99–103
TLS, 158
keyscan_dump command, 554
keyscan_start command, 553–554
keyscan_stop command, 554
keystrokes, capturing, 553–554
Kravets, David, 255
KSKs (key signing keys), 139–141, 143–145
L
Last password change field in passwd file, 112
latency in IPSs, 277–278
law enforcement
Apple vs. FBI, 119
Assistance and Access Bill, 120–121
Lawson, Kent, 255
LDAP (Lightweight Directory Access Protocol), 308
LDAs (local delivery agents), 449
Leafpad text editor, 232
League of Professional System Administrators (LOPSA) website, 600–601
Learn to build section in AWS, 482–483
least significant bits (LSBs) in steganography, 581–582
lecture setting, 65
Lee, Timothy B., 255
legal issues
Apple vs. FBI, 119
Assistance and Access Bill, 120–121
copyrights, 603–605
Creative Commons, 605–606
FSF and GNU, 606–608
Google hacking, 624–625
Insecam, 621
key term quiz, 609
lab analysis, 608–609
Shodan, 615–616
Leiderman, Jay, 621
less utility, 269
licenses
Creative Commons, 605–606
ethics scenario, 603
GPL, 489
Windows, 14–16
Wireshark, 398
Lightweight Directory Access Protocol (LDAP), 308
line vty command, 198
LinkedIn, 3–5
links to fake sites, 86–88
Linux
brute force password attacks, 233–238
dictionary password attacks, 226–233
password recovery, 164–167
Linux file system management
copying files, 28–29
hierarchy, 25–27
overview, 22–23
renaming and deleting files and directories, 29–32
starting, 24–25
text, 32
Linux system administration
file creation, 37–40
file listings, 57–59
file owners, 51–53
groups, 53–57
overview, 34–35
permissions, 39–50
users, 35–36
Linux system security
default values, 65–66
locked accounts, 60–62
overview, 59–60
sudo command, 62–64
LISA Special Interest Group, 600–601
List folder contents permission, 335
listing directories, 57–58
load balancing, 194
load_helper command, 174
local delivery agents (LDAs), 449
local permissions, 337
local security groups in Active Directory, 325–326
LocalMachine object in execution policies, 519
locked root accounts, 60–62
login local command, 198
login shell in passwd file, 111–112
logon warnings in GPOs, 346–347
logs
clearing, 558
sandboxes, 360
LookingGlass Threat Map, 7
loopholes, ethics scenario for, 603
LOPSA (League of Professional System Administrators) website, 600–601
ls command
directories, 57–58
Zsh, 26
LSBs (least significant bits) in steganography, 581–582
lsusb command, 263
M
MAAs (mail access agents), 449
MAC addresses
monitor mode sniffing, 260–266
OUIs, 360–361
registry, 570
switches, 179–181, 184, 202–207
MachinePolicy object in execution policies, 519
Macof tool, 202
mail access agents (MAAs), 449
mail exchanger (MX) resource records, 449, 455
mail/message delivery agents (MDAs), 449
mail/message transfer agents (MTAs), 448–449
mail/message user agents (MUAs), 448
malicious links to fake sites, 86–88
Maltego tool, 90–93
malware
analysis, 358–362
ApateDNS, 384–389
artifacts, 379–382
embedding binaries, 372–376
key term quiz, 390
lab analysis, 389–390
Process Monitor tool, 382–384
Regshot tool, 379–382
strings, 362–370
unpacking, 370–372
virtual machines, 360–361
VirusTotal tool, 376–379
MalwareTech researcher, 542
man-in-the-middle (MITM) attacks, 99
MAPI (Messaging Application Programming Interface), 449
mapping network drives to shared folders, 349–351
maps of cyber threat, 5–8
masks
ACLs, 210–211
subnet, 310–311
Matherly, John, 615
Maximum number of days the password is valid for field in passwd file, 112
McCarrin, Michael, 256
md command, 556
MD4 hash function, 224
MD5 hash function, 223
MDAs (mail/message delivery agents), 449
measured service in cloud computing, 467
measurement systems analysis (MSA), 75
Medusa tool, 223
memoranda of agreement (MOA), 75
memoranda of understanding (MOU), 75
memory
evidence, 578–581
malware analysis, 361
Merdinger, Shawn, 614
message digests, 106–107
Messaging Application Programming Interface (MAPI), 449
metadata
evidence, 565
EXIF, 591
Snort rules, 295
Metasploit framework
Armitage GUI, 560–561
exploits, 548–549
Meterpreter, 551–560
starting, 546–547
working with, 544–546
Meterpreter tool, 545–546, 551–552
administrative commands, 557–558
commands list, 552–553
file commands, 556
GUI, 558–560
keystroke capturing, 553–554
network commands, 554–555
Mickey Mouse Protection Act, 604–605
microphones, Registry data for, 576–577
Microsoft Azure
exploring, 471–475
training, 469–471
Mimikatz tool, 239–242
Minimum number of days between password changes field in passwd file, 112
mirroring, port, 277
MITM (man-in-the-middle) attacks, 99
mkdir command, 26–27
MOA (memoranda of agreement), 75
mobile devices
detecting, 256–260
overview, 254–256
modifications by malware, 379–382
Modify permissions, 335
monitor mode for sniffing, 260–266
morals. See ethics
Mossad National Intelligence Agency, 396
MOU (memoranda of understanding), 75
MRUListEx value in Registry, 573–575
MSA (measurement systems analysis), 75
MSFconsole tool, 545–547
MSFvenom tool, 545–546
msg option for Snort rules, 295
msvcrt.dll file, 367
MTAs (mail/message transfer agents), 448–449
MUAs (mail/message user agents), 448
multicasts with switches, 180
mv command, 29–31
MX (mail exchanger) resource records, 449, 455
N
N-day attacks, 542–543
names
Active Directory objects, 304–305
directories, 29–30
files, 29
SPF, 456
users, 332–333
namespaces for Active Directory, 305–306
NAT (Network Address Translation), 420
National Health Service (NHS) hospitals, attack on, 542
National Institute of Standards and Technology (NIST)
business continuity plans, 530
cloud computing, 466
disaster recovery plans, 530
hardening definitions, 304
incident definition, 538
password guides, 225
privacy definition, 612
risk definition, 514
spam definition, 453
National Security Agency (NSA)
EternalBlue tool, 239
Tailored Access Operations, 541
Ncrack tool, 223
NDAs (nondisclosure agreements), 76
nested organizational units, 317
netcat/ncat tool
chat servers, 421–424
file transfers, 424
shell creation, 425–427
sockets, 419–427
NetSpot app, 257–259
netstat tool
ApateDNS, 387
open ports, 422
Network Address Translation (NAT), 420
network-based firewalls, 395
network-based IDSs (NIDSs), 278–279
network-based IPSs (NIPSs), 278–279
network command for routers, 194
network data as evidence, 566
network drives, mapping to shared folders, 349–351
network fundamentals, 178
key term quiz, 200
lab analysis, 199–200
passwords and SSH, 195–199
router configuration, 185–195
switch configuration, 179–185
network interface cards (NICs)
communications through, 392–393
sniffing, 260–266
Network Intrusion Detection System (NIDS) mode in Snort, 290–300
network operating systems (NOSs), 308
network security
key term quiz, 301
lab analysis, 301
overview, 276–280
Snort Network Intrusion Detection System mode, 290–300
Snort packet logger mode, 288–290
Snort sniffer mode, 283–288
Ubuntu and Snort installation, 280–282
network shares in GPOs, 353–354
networks
cloud computing, 466
Meterpreter commands, 554–555
Registry data, 570–572
New-Object cmdlet, 522
New Technology File System (NTFS) permissions, 334–341
New Technology LAN Manager (NTLM) passwords, 224
next hops for routers, 191
Next SECure (NSEC) resource records, 150–152
NHS (National Health Service) hospitals, attack on, 542
NICs (network interface cards)
communications through, 392–393
sniffing, 260–266
NIDS (Network Intrusion Detection System) mode in Snort, 290–300
NIDSs (network-based IDSs), 278–279
NIPSs (network-based IPSs), 278–279
NIST. See National Institute of Standards and Technology (NIST)
Nmap tool
connect scans, 403–405
Null, FIN, and Xmas scans, 405–413
port scanning with, 392–419
SYN scans, 401
test site, 418–419
UDP, 414–417
no access-list command, 214
no ip route command, 194
no shutdown command, 189–190
nondisclosure agreements (NDAs), 76
nonexistent domain (NXDOMAIN) responses, 385, 389
nonexistent domain (NXDOMAIN) status, 149–151
NOSs (network operating systems), 308
Not Configured setting for GPOs, 344
NS resource records, 146
NSA (National Security Agency)
EternalBlue tool, 239
Tailored Access Operations, 541
NSEC (Next SECure) resource records, 150–152
NSEC3 resource records, 153–155
NSEC3 White Lies, 154
nslookup tool
DKIM, 460–461
DMARC, 462
SMTP server information, 451
SPF, 455–458
ntdll.dll file, 363
NTDS.dit file, 223
NTFS (New Technology File System) permissions, 334–341
NTLM (New Technology LAN Manager) passwords, 224
Null scans, 405–413
NULL values in SQL injection, 507
Number of days after the password expires before the account will be disabled field in passwd file, 112
Number of days before a user will be warned that a password must be changed field in passwd file, 112
Number of days from Unix time when the account will be disabled field in passwd file, 112
NXDOMAIN (nonexistent domain) responses, 385, 389
NXDOMAIN (nonexistent domain) status, 149–151
O
objects
Active Directory, 304–305, 327–334
definition, 330
organizational units, 317–318, 321
obligation, definition, 596
octal numbering system for permissions, 40
on-demand self-service in cloud computing, 466
on-demand signing, 155
one-way hashing functions, 106–109
open ports
netstat tool, 422
UDP, 414
Open Shortest Path First (OSPF) protocol, 187, 194–195
open-source intelligence (OSINT), 89–93
Open Systems Interconnection (OSI) Model
ACLs, 208
network communications, 392–394
zone transfers, 147
Open Web Application Security Project (OWASP), 488
OpenPGP standards, 123–130
OpenPGP Working Group, 123
OpenSaveMRU key in Registry, 575
OpenSavePidlMRU key in Registry, 574
operational and organizational security
interoperability agreements, 74–76
key term quiz, 77
lab analysis, 76–77
overview, 70
policies, 71–73
training documentation, 73–74
ophcrack tool, 248–250
Opportunistic Wireless Encryption (OWE), 267
options in Zsh, 25
organizational units (OUs)
contact information, 325
creating, 319–321
delegating control of, 322–324
domains, 317–326
managing, 321–322
organizationally unique identifiers (OUIs), 360–361
OSI (Open Systems Interconnection) Model
ACLs, 208
network communications, 392–394
zone transfers, 147
OSINT (open-source intelligence), 89–93
OSPF (Open Shortest Path First) protocol, 187, 194–195
OUIs (organizationally unique identifiers), 360–361
OUs. See organizational units (OUs)
outbound ACLs, 211–212
OWASP (Open Web Application Security Project), 488
OWE (Opportunistic Wireless Encryption), 267
owners of files, 51–53
P
PaaS (Platform as a Service), 468
packed (compressed) malware, 370–372
Packet Tracer, 181–185
packets
crafting, hping3, 427–435
crafting, Scapy, 435–444
monitor mode sniffing, 260–266
Snort, decoders, 290
Snort, logger mode, 288–290
Snort, sniffing, 283–288
pandemic effects
business continuity plans, 531–532
change management, 534–535
disaster recovery plans, 532–533
Panorama Consulting Group webinar, 534–535
parameters in Zsh, 25
parent directories, 43
parent domains in Active Directory, 305–306
partial zones, 147
pass rules in Snort, 294
passwd command, 37
passwd_timeout line, 66
passwd_tries line, 66
passwordless root shells, 167
passwords
brute force attacks, 233–238
complex, 224–225
dictionary attacks, 226–233
finding policy examples of, 72
GPOs, 343
hashing, 110–111
overview, 222–225
rainbow table attacks, 243–250
recovery, Cisco routers, 168–172
recovery, Cisco switches, 172–174
recovery, Linux, 164–167
root account, 60–61
routers and switches, 195–199
SQL injection, 503
Windows attacks, 238–243
WPA2, 266–272
patches
vulnerabilities, 543
WannaCry ransomware, 541–542
patents, 605
payloads
exploits, 543–544
hping3, 428–433
Meterpreter, 551–560
Payment Card Industry Data Security Standard (PCI DSS), 488
PayPal, spoofing, 462–463
PECB Group, Inc. webinar, 532
penetration testing, 544
pentesters, 540
permissions
Active Directory, 323–324, 326
files, 39–50
folders, 335–341
groups, 318
organizational units, 317–318
overview, 334–341
permit statement, 209–211, 213
permit any statement, 211, 213–214
permit ip statement, 216–217
personal mode in WPA2, 266
personally identifiable information (PII), 488
PEview tool, 373–376
PGP (Pretty Good Privacy), 123
phishing, 80–83
overview, 453–454
simulating, 550
Social-Engineer Toolkit, 84–86
tests, 88–89
PhishMe study, 82
phones, Registry data for, 576–577
Physical layer, 392–393
physical security
key term quiz, 175
lab analysis, 175
overview, 164
password recovery, Cisco routers, 168–172
password recovery, Cisco switches, 172–174
password recovery, Linux, 164–167
PII (personally identifiable information), 488
pipes, 58
PKI. See Public Key Infrastructure (PKI)
plaintext
asymmetric key encryption, 103
description, 97
passwords, 223
Platform as a Service (PaaS), 468
PoC (proof-of-concept) exploits, 543
policies
GPOs. See Group Policy Objects (GPOs)
overview, 71
working with, 71–73
POP3 (Post Office Protocol version 3), 448–449
port scanning
connect scans, 403–405
description, 394–395
Insecam, 621
with nmap, 392–419
Null, FIN, and Xmas scans, 405–413
steps, 399–403
test site, 418–419
UDP, 414–418
port security on switches, 202–207
ports
description, 393–394
mirroring, 277
netstat tool, 422
routers, 179–180
sockets, 419
source and destination, 394
switches, 179–180
Post Office Protocol version 3 (POP3), 448–449
POST (power-on self-test), 165
PostgreSQL tool, 545
power grid cyberattack, 81
power-on self-test (POST), 165
PowerShell
description, 514–515
exploitation, 520–527
script settings, 516–520
preimage resistance in hashing, 106, 108
preprocessors in Snort, 290–291, 293
preshared key (PSK), 266–267
Pretty Good Privacy (PGP), 123
principle of least privilege, 304
priority option in Snort rules, 295
privacy
Google hacking, 624–629
Insecam, 620–623
key term quiz, 630
lab analysis, 629–630
overview, 612
Shodan search engine, 613–620
private clouds, 468
private keys
asymmetric key encryption, 103–105
passwords, 198
privileged EXEC mode. See EXEC mode
Process Monitor tool, 382–384
Process object in execution policies, 519
processes, description, 24
professional responsibilities and principles in ACM code of ethics, 599–600
promiscuous mode in NICs, 260
promoting machines to domain controllers, 313
prompts in Zsh, 24
proof-of-concept (PoC) exploits, 543
PROTECT IP Act, 605
Protect mode in switchports, 203
.ps1 extension, 517
PSH flag, 405–406
PSK (preshared key), 266–267
public clouds, 469
public key encryption, 103–105
Public Key Infrastructure (PKI), 134
DNSSEC, for exploiting, 147–155
DNSSEC, for security, 134–147
key term quiz, 161
lab analysis, 161
TLS, 156–160
public keys
e-mail cryptography, 125–127
passwords, 198
pwd command, 25
Q
quantum computing, 104
queries in databases, 499–502
Quickstart center in Microsoft Azure, 472–473
R
RADIUS (Remote Authentication Dial-In User Service), 266
rainbow table attacks, 224, 243–250
Random Access Memory (RAM)
evidence, 578–581
malware analysis, 361
RandShort() function, 443
ransomware
description, 82
NotPetya and BadRabbit, 239
WannaCry, 541–542
rapid elasticity in cloud computing, 467
Raw IP mode in hping3, 432–433
RC4 (Rivest Cipher 4), 99
rd command, 556
rdesktop command, 559
Read permissions
files, 39–46
NTFS, 334–336
Read & Execute permissions, 334–335
RecentDocs key in Registry, 572–573
reconnaissance through open-source intelligence, 89–93
records, ethics scenario for, 602
recovery
DRPs. See disaster recovery plans (DRPs)
files, 586–589
passwords, Cisco routers, 168–172
passwords, Cisco switches, 172–174
passwords, Linux, 164–167
recursive listing of directories, 57–58
Recycle Bin for Active Directory, 333
redirecting files, 32–33
reduction functions in rainbow table attacks, 243–245
reference option in Snort rules, 295
REG_BINARY values, 569
regional Internet registries (RIRs), 138
registered ports, 394
registers in malware analysis, 361
Registry
advapi32.dll, 363
contents, 567
file data, 572–574
locating information in, 568–570
Metasploit exploits, 557–558
network settings, 570–572
Process Monitor, 382–384
Regshot tool, 379–382
shell creation, 426
USB data, 576–577
user data, 575
Wi-Fi router data, 570
RegSetValueExW function, 363
Regshot tool, 379–382
reject rules in Snort, 294
reload command
routers, 170
switches, 206
Remote Authentication Dial-In User Service (RADIUS), 266
Remote Desktop Protocol, 558–560
RemoteSigned execution policy option, 517, 520
removable media and devices for evidence, 566
rename flash command, 174
renaming
directories, 29–30
files, 29–31
hostnames, 315
users, 332–333
reset command, 171
Resource Hacker tool, 373–375
resource pooling in cloud computing, 466–467
resource record signature (RRSIG) resource records, 139–140, 144–145
resource records
e-mail, 455
Restrict mode in switchports, 203
Restricted execution policy option, 517, 520
rev option in Snort rules, 295
reverse engineering for malware, 358
reverse shells
netcat tool, 420
TCP, 546
rights standard in ethics, 596
Rios, Billy, 614
RIRs (regional Internet registries), 138
risk management
key term quiz, 528
lab analysis, 527
overview, 514–516
PowerShell exploitation, 520–527
PowerShell script settings, 516–520
Rivest, Ron, 104
Rivest Cipher 4 (RC4), 99
rm command, 31–32
rmdir command, 31
RockYou company, 231
rockyou.txt password file, 226, 231–233, 269
role-based training, 74
role of people in security
key term quiz, 94
lab analysis, 93–94
open-source intelligence, 89–93
overview, 80–83
phishing tests, 89–90
Social-Engineer Toolkit, 83–88
ROMMON (ROM monitor) mode, 171
root account
locked, 60–62
passwords, 60–61
root servers, 135–136
root zones, 145
route command, 292–293
router ospf command, 194
routers
ACLs on, extended, 214–217
ACLs on, standard, 207–214
configuration, 185–195
description, 178
passwords, and SSH, 195–199
passwords, recovery, 168–172
ports and interfaces, 179
static routes, 193–195
topologies, 188–189
routing tables, 185–186, 190–193
rows in databases, 505
RRSIG (resource record signature) resource records, 139–140, 144–145
RSA algorithm, 104–105
RST flag
connection termination, 402, 407–408, 412
TCP connections, 399–404
rtgen tool, 244
rules
firewalls, 309
Process Monitor, 384
run-help command, 25
run multi_console_command command, 559
S
SaaS (Software as a Service), 467
SAE (Simultaneous Authentication of Equals) protocol, 267
salts in rainbow table attacks, 246–247
SAM (Security Account Manager), 223
sandboxes, 359–360
SANS Institute Security Policy Templates page, 71
Sarbanes–Oxley Act (SOX), 488
SATs (source address tables), 180, 202, 205, 260
Scapy tool
ICMP echo requests, 436–437
network traffic, 440–442
packet crafting, 435–444
SYN flood attacks, 442–444
TCP segments, 437–439
scareware, 81
screenshare command, 553
screenshot command, 552
scripts
PowerShell exploitation, 520–527
PowerShell settings, 516–520
sdrop rules in Snort, 294
search engine, Shodan, 613–620
searches with Google hacking, 624–629
second-level domains (SLDs), 134
sectors in drives, 578–579
Secure Hash Algorithm 1 (SHA-1), 106, 223
Secure Shell (SSH)
network-based firewalls, 395
passwords, 195–199
Secure Sockets Layer (SSL), 156
secure software development
key term quiz, 511
lab analysis, 510–511
overview, 488
SQL injection, 497–510
WampServer and DVWA, 489–497
security
Internet of Things devices, 613
physical. See physical security
Security Account Manager (SAM), 223
security concepts
Data Breach Investigations Report, 20–22
key term quiz, 67
lab analysis, 66
Linux file system management. See Linux file system management
Linux system administration. See Linux system administration
Linux system security. See Linux system security
overview, 20
security events in Event Viewer, 314
security groups in Active Directory, 325–326
security identifiers (SIDs) for groups, 318
security policies, finding examples of, 72
security through obscurity, 98
security tools and techniques
hping3, 427–435
key term quiz, 445–446
lab analysis, 444–445
overview, 392
port scanning with nmap, 392–419
Scapy, 435–444
sockets, 419–427
security trends
cyber threat maps, 5–8
cybersecurity survey, 8–10
key term quiz, 17
lab analysis, 16–17
overview, 2
staying current, 3–5
virtual labs, 10–16
SecurityIntelligence articles for incident response, 540
segment command, 438
SELECT VERSION() function, 507
send function in Scapy, 436–437
Sender Policy Framework (SPF), 454–458
sensors for cyber threats, 5–6
Serling, Rod, 122
Server Manager, 314
Server Message Block (SMB) protocol
EternalBlue exploit, 541
Metasploit exploits, 548
network connections, 393
service-level agreements (SLAs), 75
service models in cloud computing, 467–468
service set identifiers (SSIDs), 257–259, 265
session keys
e-mail cryptography, 127
TLS, 158
sessions command, 557
SET. See Social-Engineer Toolkit (SET)
SET command in Social-Engineer Toolkit, 84–86
Set-ExecutionPolicy cmdlet, 518–520
SGID (set group ID) permissions, 46–48
SHA-1 (Secure Hash Algorithm 1), 106, 223
SHA-2 family of hashing standards, 110–111
SHA-256, 109–111
SHA-512, 223
sha512crypt, 223
Shamir, Adi, 104
Shannon’s Maxim, 98
shared folders
GPOs, 351–353
mapping network drives to, 349–351
shared secrets
asymmetric key encryption, 104
Diffie-Hellman key exchange, 198
shares and Share permissions for folders, 334–341
SHAttered attack, 106–107
shell32.dll file, 363
shells
creating, 425–427
description, 23
passwd file, 111–112
Shodan search engine, 613–620
show access-lists command, 213–214, 217
SHOW DATABASES command, 498–499
show interface command, 184, 206–207
show ip route command, 190–192
show ip ssh command, 199
show mac-address-table command, 184
show options command, 549
show port-security command, 205–207
show port-security interface command, 205–207
show run command, 213
show running-config command
routers, 170
show ssh command, 199
SHOW TABLES command, 498–499
Shutdown mode in switchports, 203
sid option in Snort rules, 295
SIDs (security identifiers) for groups, 318
signatures
DKIM, 459–460
files, 588–591
hping3, 429
TLS, 159
Simple Mail Transfer Protocol (SMTP), 448–451
Simple Network Management Protocol (SNMP), 197, 203
Simultaneous Authentication of Equals (SAE) protocol, 267
site containers in Active Directory, 307
site surveys, NetSpot for, 257–259
SLAs (service-level agreements), 75
SLDs (second-level domains), 134
SMB (Server Message Block) protocol
EternalBlue exploit, 541
Metasploit exploits, 548
network connections, 393
smishing, 80
SMTP (Simple Mail Transfer Protocol), 448–451
sniffing
monitor mode, 260–266
Snort mode, 283–288
SNMP (Simple Network Management Protocol), 197, 203
snort.conf file, 293
Snort IDS, 279–280
installing, 282
Network Intrusion Detection System mode, 290–300
packet logger mode, 288–290
sniffer mode, 283–288
Social-Engineer Toolkit (SET)
launching, 84
malicious links to fake sites, 86–88
overview, 83–84
social engineering, 80
sockets, 419–427
Software as a Service (SaaS), 467
software recommendations, ethics scenario for, 603
Sonny Bono Copyright Term Extension Act, 604–605
sort command, 34
sorting files, 34
source address tables (SATs), 180, 202, 205, 260
source IP addresses, 208
source ports
IP addresses, 394
SOX (Sarbanes–Oxley Act), 488
spam, 453–463
SpamAssassin, 457
SpamHaus Technology Live Botnet Threats Worldwide, 7
SPAN (Switched Port Analyzer), 277
spear phishing, 82
special characters, directories with, 57
special permissions, 46–50
SPF (Sender Policy Framework), 454–458
spoofed items, hping3 with, 433–435
spoofing
Diffie-Hellman key exchange, 112
DNS, 136
SQL injection. See Structured Query Language (SQL) injection
sr() function, 437
sr1() function, 441–442
srloop() function, 443
SRV resource records, 308
SSH (Secure Shell)
network-based firewalls, 395
passwords, 195–199
SSIDs (service set identifiers), 257–259, 265
SSL (Secure Sockets Layer), 156
St. Louis Cardinals, password guessing by, 222
Stallman, Richard, 607
standard ACLs, 207–214
startup-config file command, 174
static IP addresses for servers, 310
static malware analysis, 358–359, 361
static routes, 191–195
steganography, 581–586
sticky bit permissions, 46–50
sticky command, 204–205
Stop-Computer cmdlet, 527
Stop Online Piracy Act, 605
stream ciphers, 99
Street View cars, 254–256
strings
analyzing, 368–370
executing, 523–524
malware, 362–370
uses, 366–368
strings64 file, 365–367
Structured Query Language (SQL) injection
commands, 498–499
example, 502–506
overview, 497–498
queries, 499–502
SUID (set user ID) permissions, 46–47
summary() function in Scapy, 442
Sun Tzu, The Art of War, 2
superusers, 35–36
survey, cybersecurity, 8–10
Switched Port Analyzer (SPAN), 277
switched virtual interface (SVI), 197
switches
configurations, 179–185
description, 178
passwords, and SSH, 195–199
passwords, recovery, 172–174
port security on, 202–207
ports and interfaces, 179–180
unicasts, 260
Zsh, 25
switchport mode access command, 204–205
switchport port-security command, 204–205
switchport port-security mac-address command, 205
switchport port-security mac-address sticky command, 204–205
switchport port-security maximum command, 205
switchport port-security violation restrict command, 205
switchports, 202–203
symmetric key encryption, 99–103
SYN flag
connection scans, 403–404
connection termination, 407
flood attacks, 442–444
scans, 401–402
TCP connections, 397–400
SYN-ACK flag
connection scans, 404
connection termination, 407
Scapy, 438–444
SYN scans, 402
TCP connections, 397–400
syntax, Linux, 40
sysinfo command, 552
system hardening
Active Directory objects, 327–334
domain connectivity, 308–317
group policy objects, 342–354
key term quiz, 355
lab analysis, 354–355
organizational units and groups, 317–326
overview, 304–307
permissions and shares, 334–341
system information in Event Viewer, 314
systemd daemon, 166
T
tables
databases, 505
MAC addresses on, 202
switches, 184
tac command, 33
tail command, 59
Tailored Access Operations (TAO), 541
Talos Cyber Attack Map: Top Spam and Malware Senders, 7
taps, network, 277
Target attack, 332
TCP. See Transmission Control Protocol (TCP)
TCP/IP (Transmission Control Protocol/Internet Protocol) protocol
netcat tool, 419–427
site containers, 307
Tentler, Dan, 614
Terminal Emulator, 24
terminals, 23
text in files, 32
THC-Hydra tool, 223
The Shadow Brokers group, 541
The Sleuth Kit, 587
32-bit binaries for malware, 366
threat maps, 5–8
Threatbutt Internet Hacking Attribution Map, 6
three-way handshakes in TCP, 134, 397–400, 403–407
Thunderbird e-mail client, 123–130
Time To Live (TTL) field
DNS, 136
Scapy, 440
timestamp_timeout line, 66
timestamps in Registry, 569
TLDs (top-level domains), 134, 136
TLS (Transport Layer Security), 125, 156–160
“To Serve Man” Twilight Zone episode, 122
Top 10 Web Application Security Risks, 488
top-level domains (TLDs), 134, 136
topologies
ACLs, 211
Packet Tracer, 182–183
routers, 188–189
touch command, 28
tracert command, 193
trademarks, 605
training
Amazon Web Services, 476–479
documentation, 73–74
Microsoft Azure, 469–471
Transaction SIGnature (TSIG), 148
transfer protocols in URLs, 134
transferring files, 424
Transmission Control Protocol (TCP)
connection termination, 406–407
headers, 397–398
ports, 394
sockets, 419
three-way handshakes, 134, 397–400
zone transfers, 147
Transmission Control Protocol/Internet Protocol (TCP/IP) protocol
netcat tool, 419–427
site containers, 307
transport input ssh command, 198
Transport Layer Security (TLS), 125, 156–160
Transportation Security Administration (TSA) firewall example, 276–277
trees in Active Directory, 305–306
Triple DES (3DES), 99
trust relationships in Active Directory, 305
truth tables, 100–101
TSA (Transportation Security Administration) firewall example, 276–277
TSIG (Transaction SIGnature), 148
TTL (Time To Live) field
DNS, 136
Scapy, 440
Twilight Zone, “To Serve Man” episode, 122
Twitter contractors celebrity spying, 332
2009-M57-Patents scenario, 591–592
type command, 556
U
UAC, bypassing, 557–558
Ubuntu, installing, 280–282
UDP. See User Datagram Protocol (UDP)
UIDs (User IDs), 111
Ukraine power grid cyberattack, 81
Undefined execution policy option, 517
unicasts with switches, 180, 260
Unicode, 363
uniform resource locators (URLs)
decoding, 290
parts, 134–135
UNION operator in SQL, 507–509
universal groups in Active Directory, 326
unpacking malware, 370–372
Unrestricted execution policy option, 517, 520
unshadow file, 237
unshadow utility, 229–230
UPX packer, 370–372
URG flag, 405
urlmon.dll file, 363
URLs (uniform resource locators)
decoding, 290
parts, 134–135
USB devices, Registry data for, 576–577
USB ports, USB-to-serial converter, 168
USE command in SQL, 498–499
use exploit command, 557
USENIX ethics, 600–601
User Configuration category, 343
User Datagram Protocol (UDP)
DNS, 135–136
port scanning, 414–418
ports, 394
sockets, 419
user EXEC mode. See EXEC mode
USER() function, 508
User IDs (UIDs), 111
user32.dll file, 362–363
userdel command, 56
usermod command, 54
usernames
displaying, 37
passwd file, 111
routers and switches, 196–197
UserPolicy object in execution policies, 519
users
Active Directory, 327–334
adding to groups, 328–329
deleting, 56
deleting from groups, 55
disabling, 331–332
managing, 332–333
Registry data, 575
utility standard in ethics, 596
V
Verizon Data Breach Investigations Report, 20–22, 222
Verkada security company, 329
VERSION() function, 508
vertical organizational units, 317
Vi IMproved text editor (vim), 37–39
virtual labs, building, 10–16
virtual local area network (VLAN) interface, 197
virtual machines (VMs)
malware, 360–361
monitor mode, 260–261
switches, 203
VirusTotal tool, 376–379
VirusTotal website, 360
vishing, 80
VLAN (virtual local area network) interface, 197
vmlinuz line, 166
VMware Workstation Player, 10–11
vulnerabilities
examples, 540–544
incident response, 544–550
patches, 543
W
WampServer, 489–497
incorporating, 493
installing, 490–492
starting, 492
WannaCry ransomware, 541–542
WayBackMachine, 89
web cams, discovering, 620–623
web components, 448
well-known ports, 394
WEP (Wired Equivalency Privacy), 266
whaling, 82
white hat hackers, 540
Whois tool, 456
Wi-Fi 4 (802.11n), 267
Wi-Fi 5 (802.11ac), 267
Wi-Fi 6 (802.11ax), 267
Wi-Fi Protected Access (WPA), 266
Wi-Fi Protected Access 2 (WPA2)
encryption, 260
passwords, 266–272
Wi-Fi routers, Registry data for, 570
Wifite, 269–272
wildcard masks
ACLs, 210–211
routers, 194
Windows
password attacks, 238–243
rainbow table attacks, 243–250
Windows 10
downloading, 12–13
installing, 13–14
Windows Registry. See Registry
Windows Server 2019
downloading, 14–15
installing, 15–16
wininet.dll file, 363
Wired Equivalency Privacy (WEP), 266
wireless security
device detection, 256–260
key term quiz, 273
lab analysis, 272
monitor mode sniffing, 260–266
overview, 254–256
password cracking, 266–272
Wireshark packet sniffer
installing, 282
packet capture, 265–267
packet decryption, 268–269, 271–272
wordlist-probable.txt file, 268–269
wordlists
brute force password attacks, 233–234
dictionary password attacks, 226–227, 230–232
Workstation Player, downloading, 10–11
World Wide Web vs. Internet, 613
WPA Handshake capture attacks, 270
WPA (Wi-Fi Protected Access), 266
WPA2 (Wi-Fi Protected Access 2)
encryption, 260
passwords, 266–272
WPA3, 266–267
Write permissions
files, 39–46
NTFS, 334–335
ws2_32.dll file, 363
wsock32.dll file, 363
X
X-headers, 449
Xmas scans, 405–413
XOR ciphers, 99–103
Y
yescrypt function, 229–230, 237
Your ServiceNow email relay system, 457
Z
Z shell (Zsh), 24
zero-day attacks, 541
Zimmerman, Phil, 123
zone signing keys (ZSKs), 139–141, 143–145
zone transfers, 147–148
zone walking, 152–153