By Fatskills Exam Guides Team
Objective: Given a scenario, use the appropriate tool to assess organizational security.

Topics: tracert/traceroute, nslookup/dig, ipconfig/ifconfig, Nmap, ping, hping, netstat, Netcat, ARP, route, cURL, theharvester, sn1per, scanless, dnsenum, Nessus, Cuckoo, head, tail, cat, grep, chmod, logger, Secure Shell (SSH), PowerShell, Python, OpenSSL, tcpreplay, Wireshark, tcpdump, dd, Memdump, WinHex, FTK imager, Autopsy, exploitation framework, password cracker, data sanitization

Shell and Script Environments

Many of the tools covered in this guide are executed from a text-based command-line interface (CLI), also known as a shell. The command line offers a powerful window into local and remote systems from which to run commands. In Windows environments, it is known as the Command Prompt. On Apple macOS and Linux-based systems, it is commonly known as the terminal and typically uses the Bash implementation of the Unix shell. When accessing remote computers, organizations use the Secure Shell (SSH) utility, which establishes a session between the client and host computers over an authenticated and encrypted connection.
The following command launches SSH from the terminal and attempts to establish a connection to a remote SSH-enabled system (Figure: Using a command-line interface to access a remote computer by using SSH):
ssh example.com
OpenSSH is a common implementation of the SSH protocol. It is based on capabilities provided by OpenSSL for cryptographic operations. OpenSSL provides for secure communications and is used by the majority of websites.

Applications and development environments may also include their own shell environments, which can also be initiated from the command line. For example, these two environments both provide powerful scripting capabilities for automation:
- PowerShell: PowerShell is a command-line shell and scripting interface for Microsoft Windows environments. PowerShell files use the file extension .ps1.
- Python: Python is a general-purpose programming language available on many Linux distributions and Apple's macOS. The Python file extension is .py.

It is important to be familiar with the basic file manipulation commands described in the table below. These commands are often used in the context of security operations and alongside other commands described in this guide.

Command-Line File Manipulation Commands

| Command | Syntax | Example | Description |
| --- | --- | --- | --- |
| head | head [OPTION]... | head -n 3 letter.txt | Prints the first lines of a file (10 by default); -n 3 limits the output to the first three lines. |
| tail | tail [OPTION]... | tail letter.txt | Prints the last 10 lines of a file, which is handy for viewing the most recent entries in a log. |
| cat | cat [OPTIONS]... | cat file1.text file.txt | Concatenates the named files and prints the result to standard output. |
| grep | grep [OPTIONS] | grep root /etc/passwd | Prints the lines of a file that match a pattern or regular expression; here, the /etc/passwd entries containing "root". |
| chmod | chmod [OPTION]... | chmod 400 cert.pem | Changes file permissions; mode 400 makes cert.pem readable by its owner only. |
| logger | logger [OPTIONS...] | logger -n 192.168.1.100 "A short log line" | Adds the message in quotation marks to the log of the remote server at the given IP address. |

Tip: Given a scenario, be able to execute the proper file manipulation commands, including head, tail, cat, grep, chmod, and logger.

Network Reconnaissance and Discovery

Port scanners are often part of a comprehensive vulnerability assessment solution, but a port scanner can also be a standalone utility. A port scanner probes a range of ports to determine which ports on a system are open. It can scan a single machine or a range of IP addresses and check for responses on service ports; a response on port 80, for example, might reveal a running HTTP host. Port scanners are useful for creating an inventory of the services hosted on networked systems. Testing the ports of a single system is termed a port scan; a scan across multiple hosts is referred to as a port sweep. Port scanner results are valuable to system administrators and attackers alike. Port scanners typically identify one of two states for a port, open or closed, and some can provide other information, such as the operating system of the targeted system and the services running over the ports.

Network scanners identify active network hosts. One of the most common network scanning tools is a network mapper, a software utility used to conduct network assessments over a range of IP addresses. A network mapper compiles a list of all systems, devices, and network hardware present in a network segment. This information can be used to identify single points of failure, conduct a network inventory, and create graphical details suitable for reporting on network configurations. Nmap and Nessus are two of the most common network mapping utilities used in today's networks. These tools use active discovery to locate network hosts and open ports and to identify operating systems.
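Returning to the file manipulation table, the following script is an added example (not from the guide) that runs head, tail, cat, grep, chmod, and logger against a constructed auth-log file and a placeholder key file in a scratch directory; the log lines, file names, and the secauth tag are all made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the guide: runs head, tail, cat, grep, chmod and
# logger against a constructed log file and a placeholder key file.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
LOG="$WORK/secure"      # stand-in for /var/log/secure
CERT="$WORK/cert.pem"   # stand-in for a private key or certificate file

# Constructed sample entries in the style of an sshd/sudo auth log (not real output).
cat > "$LOG" <<'EOF'
May 21 04:17:01 host sshd[2001]: Accepted publickey for alice from 10.0.0.5 port 50122 ssh2
May 21 04:17:05 host sshd[2002]: Failed password for invalid user admin from 198.51.100.7 port 40110 ssh2
May 21 04:17:09 host sshd[2003]: Failed password for root from 198.51.100.7 port 40112 ssh2
May 21 04:17:12 host sudo: pam_unix(sudo:auth): authentication failure; logname=bob uid=1001
May 21 04:17:20 host sshd[2004]: Accepted publickey for bob from 10.0.0.6 port 50130 ssh2
May 21 04:17:25 host sshd[2005]: warning: maximum authentication attempts exceeded for root from 198.51.100.7
EOF
printf 'PLACEHOLDER KEY MATERIAL (constructed, not a real key)\n' > "$CERT"

# grep: count lines mentioning a failure or a warning, as in quiz question 2.
# -E is used for the alternation so the pattern is portable across grep versions.
count_auth_problems() {
    grep -Eci 'fail|warning' "$LOG"
}

# grep + sed: list the distinct source addresses behind failed password attempts.
failed_sources() {
    grep -i 'failed password' "$LOG" | sed 's/.* from \([0-9.]*\) .*/\1/' | sort -u
}

# head / tail: the oldest and the newest entry (head -n 3 would give the first three).
first_event() { head -n 1 "$LOG"; }
last_event()  { tail -n 1 "$LOG"; }

# cat: concatenate the log with itself into a second file and count the lines
# (the guide's form, cat file1 file2, joins two different files the same way).
cat_line_count() {
    cat "$LOG" "$LOG" > "$WORK/joined"
    wc -l < "$WORK/joined" | tr -d ' '
}

# chmod 400: restrict the key file to its owner, then confirm via the mode string.
lock_down_cert() {
    chmod 400 "$CERT"
    ls -l "$CERT" | cut -c1-10        # expect -r--------
}

# logger: record the check in the local syslog (the guide's -n form targets a
# remote server). Syslog output cannot be read back here, so only success matters.
record_check() {
    logger -t secauth "auth problems found: $(count_auth_problems)" 2>/dev/null || true
}

echo "auth problems: $(count_auth_problems)"
echo "failed-login sources: $(failed_sources)"
echo "joined line count: $(cat_line_count)"
echo "key file mode: $(lock_down_cert)"
record_check
```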
Many network scanners can do a lot more than simply map a network. For example, they can identify rogue systems, which present a problem for organizations because they are set up or added to the network without approval. Most rogue systems are wireless, but a rogue system can technically be any type of unauthorized system, such as a test system, a voice over IP device, or a printer. Well-meaning insiders might use rogue access points with the best of intentions, so they are not necessarily malicious. Fortunately, detecting rogue access points is possible through the use of network scanners; for example, Nessus and tools from SolarWinds can be used to identify rogue systems.

Many network reconnaissance and discovery tools are included with operating systems and can easily be operated from the command line. The following utilities are network command-line diagnostic tools that are commonly used to assess the security posture of an organization:
- ipconfig/ifconfig/ip: ipconfig displays the TCP/IP settings on a Windows machine. It can display the IP address, subnet mask, default gateway, and Windows Internet Naming Service (WINS), DNS, and MAC information. It is useful for verifying that the Transmission Control Protocol/Internet Protocol (TCP/IP) configuration is correct when connectivity issues arise. ipconfig works on Windows-based systems; ifconfig works on macOS and Linux-based systems. The newer ip command is used in a manner similar to ipconfig but has more functionality.
- ping: Packet Internet Groper (ping) is a utility that tests network connectivity by sending an Internet Control Message Protocol (ICMP) echo request to a host. It is a good troubleshooting tool for determining whether a route is available to a host.
- ARP: ARP provides information from a table that contains a mapping of known MAC addresses to their associated IP addresses. ARP is necessary because the underlying hardware cannot translate IP addresses. The ARP cache maintains a table of MAC-to-IP addresses, so using ARP is a quick way to find a machine's MAC address.
- tracert/traceroute: These utilities trace the route a packet takes and record the hops along the way. They are good tools for finding out where a packet is getting hung up. tracert works on Windows-based systems; traceroute works on macOS and Linux-based systems.
- nslookup/dig: These command-line utilities troubleshoot a Domain Name System (DNS) database. They query the DNS server to check whether the correct information is in the zone database. nslookup is used on Windows-based systems; dig, which stands for Domain Information Groper, is used on macOS and Linux-based systems.
- netstat/nbtstat: The netstat utility displays all the ports on which the computer is listening and is useful for quickly determining active connections. It can also display the routing table and per-protocol statistics. nbtstat is a diagnostic tool for NetBIOS over TCP/IP that is designed primarily to help troubleshoot NetBIOS name resolution problems in Windows operating systems.
- Nmap: Network Mapper (Nmap) is a network scanning tool used for locating network hosts, detecting operating systems, and identifying services. Nmap is most often used in security auditing but can also be useful for routine administrative tasks such as monitoring host uptime or taking a host inventory.
- Netcat: Netcat is a network utility for gathering information from TCP and UDP network connections. It is a versatile tool that can be used for functions such as port scanning, monitoring, banner grabbing, and file copying. Netcat is Linux based, but versions are available for Windows machines.
- hping: hping is a TCP/IP packet assembler and analyzer that provides a number of security capabilities. Common uses include port scanning, path discovery, OS fingerprinting, and firewall testing.
- route: The route command provides the capability to view and make entries in network routing tables.
- cURL: cURL provides the ability to get and send data by using URLs. For example, when you type the curl command followed by a URL, the output returns the HTML source for the web page. Figure 26.2 (Using the cURL command to return the source code of a web page) shows this command against a domain and the results. cURL can also be used to grab banner information from websites.
- dnsenum: The dnsenum command enumerates DNS by finding DNS servers and DNS records such as mail exchange servers, domain name servers, and the address records for a domain.
- theharvester: theharvester gathers emails, domains, employee names, ports, banners (from sources such as search engines, Twitter, and LinkedIn), and key servers. It can plug into Shodan, a searchable database of Internet-connected devices.
- sn1per: sn1per is an automated penetration testing recon scanner that enumerates hosts and scans for vulnerabilities.
- scanless: scanless is a port scanning utility that uses websites to do the scanning on your behalf, allowing you to remain anonymous.
- Nessus: Nessus is a well-known vulnerability scanner with a wide range of capabilities.
- Cuckoo: Cuckoo is a malware analysis tool. Essentially, you provide Cuckoo with a file, and it returns results indicating what the file did when it was executed in an isolated environment.

Most of these utilities are useful for security operations, but they are also used by adversaries for reconnaissance and attacks. For example, banner grabbing is a technique used to identify what operating system is running on a machine and determine what services are running. Attackers and active vulnerability scanning solutions use banner grabbing to help identify the OS type and running services. This information helps them narrow the list of vulnerability signatures to scan for or footprint an organization.
The more you understand about the specific operating systems, applications, and version information, the easier it is to identify vulnerable systems and conduct targeted attacks.
Netcat is a tool that is commonly used for banner grabs. For example, you might type the following at a command shell:
nc www.example.com 80
Press Enter to establish the connection, and then send a bad request; this can be as simple as typing any letter followed by Enter. Depending on the system, the results will likely provide information about the host, including the type and version of the web server and the type and version of the operating system. For a system administrator, this is a handy way to identify assets, and such information also makes vulnerability management tools more intelligent. Of course, the same command can help an attacker figure out what exploit to use against the system.

Tip: Be familiar at a high level with all the tools covered in this guide. You might want to consider opening the command-line interface on your personal computer and experimenting with the commands. Help documentation can often be reached by typing the command followed by a space and -h, or by preceding the command with man (for manual).

Many of the command-line utilities in the preceding list rely on underlying technologies. For example, ping and traceroute rely on ICMP. Internet Control Message Protocol (ICMP) is meant to be an aid for other protocols (as well as system administrators) to test connectivity and search for configuration errors in a network. ping uses the ICMP echo function and is the lowest-level test of whether a remote host is alive. A small packet containing an ICMP echo message is sent through the network to a particular IP address. The computer that sent the packet waits for a return packet. If the connections are good and the target computer is up, the echo message return packet is received.
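The Netcat banner grab above, scripted from the asset-inventory side, as an added example that is not part of the guide: grab_banner sends the deliberately malformed request (it assumes nc is installed), parse_banner extracts the status and Server header from any reply, and banner_is_minimal flags a banner that leaks product version or OS details; the sample reply is constructed to match the form shown in quiz question 3.

```shell
#!/bin/sh
# Added example, not from the guide: a defender-side banner check. grab_banner
# sends the malformed request the guide describes and captures the reply;
# parse_banner pulls the fields an asset inventory needs from it.
set -eu

# Send one junk line (the guide's "any letter followed by Enter") and read the reply.
# Requires nc (Netcat); -w 3 gives up after 3 seconds of silence.
grab_banner() {
    host=$1; port=${2:-80}
    printf 'X\r\n\r\n' | nc -w 3 "$host" "$port"
}

# Extract the status code and Server header from an HTTP reply fed on stdin.
# Output: "<status>|<server>"; server is "(hidden)" when the header is absent.
parse_banner() {
    tr -d '\r' | awk '
        NR == 1 { status = $2 }
        tolower($1) == "server:" { sub(/^[^ ]+ /, ""); server = $0 }
        END { printf "%s|%s\n", status, (server == "" ? "(hidden)" : server) }'
}

# Return 0 when the banner gives away no version or OS detail (what hardening
# such as Apache's ServerTokens Prod is meant to achieve), 1 when it does.
banner_is_minimal() {
    server=$(printf '%s' "$1" | cut -d'|' -f2)
    case $server in
        '(hidden)')    return 0 ;;   # header suppressed entirely
        *[0-9].[0-9]*) return 1 ;;   # contains a version number such as 2.4.29
        *'('*')'*)     return 1 ;;   # contains an OS hint such as "(Ubuntu)"
        *)             return 0 ;;
    esac
}

# Constructed sample reply in the form shown in quiz question 3 (not captured live).
SAMPLE='HTTP/1.1 400 Bad Request
Date: Thu, 21 May 2020 04:17:05 GMT
Server: Apache/2.4.29 (Ubuntu)
Content-Length: 319
Connection: close
Content-Type: text/html; charset=iso-8859-1
'
sample_parsed() { printf '%s' "$SAMPLE" | parse_banner; }

# Live use would be: grab_banner www.example.com 80 | parse_banner
parsed=$(sample_parsed)
echo "parsed banner: $parsed"
if banner_is_minimal "$parsed"; then
    echo "banner is minimal"
else
    echo "banner leaks version/OS detail; consider suppressing it"
fi
```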
Ping is one of the most useful network tools because it tests the most basic function of an IP network. It also shows the time to live (TTL) value and the amount of time it takes for a packet to make the complete trip, also known as the round-trip time (RTT), in milliseconds (ms). (Figure: Using the ping command-line utility)

The traceroute tool uses ICMP echo request packets to find the path. It first sends an echo request with the TTL value set to 1. When the first router sees the packet with TTL 1, it decreases the TTL by one, to 0, and discards the packet. As a result, it sends an ICMP time exceeded message back to the source address. The source address of that ICMP error message is the first router's address, so the source now knows the address of the first router. Generally, three packets are sent at each TTL, and the RTT is measured for each one. Most implementations of traceroute keep working until they have gone 30 hops, but this can be extended to up to 254 routers.

The utility ping relies on ARP to identify IP addresses because 48-bit MAC addresses must be mapped to an IP address in order for devices on different networks to communicate. The following are some of the Layer 3 protocols used to perform MAC-to-IP address mapping:
- Address Resolution Protocol (ARP)
- Reverse ARP (RARP)
- Serial Line ARP (SLARP)
- Inverse ARP

The output from command-line tools can be saved and imported into other tools. For example, the output from tcpdump is often saved and imported into Wireshark for easier interpretation. Command-line tools can also provide some of the same functionality as other tools, without all the overhead. For example, Netcat can establish a TCP connection to a web server and then grab the banner to fingerprint the OS the server is running. Both dig and nslookup can map IP addresses to domain names and other related information, including mail exchanges and name servers.
Exploitation Frameworks

Exploitation frameworks are often used for penetration testing and risk assessment. They can be used in conjunction with vulnerability scanners such as Nessus. Each exploitation framework contains a set of exploits for known vulnerabilities that are run against a host to determine whether the host is vulnerable to the exploit. Exploitation involves the following steps:
Some of the most well-known exploitation frameworks are Metasploit, Canvas, and Core Impact. Exploitation frameworks exist for systems as well as for specific web browsers. The Browser Exploitation Framework (BeEF) is a penetration testing tool that focuses on exploiting vulnerabilities in web browsers by using client-side attacks.

Packet Capture and Replay

Protocol analyzers, also known as packet sniffers, help you troubleshoot network issues by gathering packet-level information across the network. This type of software utility is used on a hub, on a switch supervisory port, or in line with network connectivity to enable the analysis of network communications. Protocol analyzers can identify individual protocols, specific endpoints, and sequential access attempts. These applications capture packets and can conduct protocol decoding, turning the information into readable data for analysis.

Protocol analyzers can do more than just look at packets, though. They are useful in many other areas of network management, such as monitoring the network for unexpected, unwanted, and unnecessary traffic. For example, if a network is running slowly, a protocol analyzer can tell you whether unnecessary protocols are running on the network. You can also filter on specific port numbers and types of traffic so that you can keep an eye on indicators that might cause problems. Many protocol analyzers can be run on multiple platforms and do both live traffic captures and offline analysis. Software USB protocol analyzers are also available for the development of USB devices and the analysis of USB traffic.

You can place protocol analyzers inline or between the devices whose traffic you want to capture. If you are analyzing storage-area network (SAN) traffic, you can place an analyzer outside the direct link with the use of an optical splitter. The analyzer is then positioned to capture traffic between the host and the monitored device.
The following are the common protocol analyzer tools you should be familiar with:
- tcpdump: The tcpdump utility is a command-line packet analyzer tool that captures TCP/IP packets sent and received on a specific interface. tcpdump is used on macOS and Linux-based systems; WinDump is used on Windows-based systems.
- tcpreplay: tcpreplay is a command-line tool used for replaying network traffic from files saved with tcpdump or other utilities that write packet capture library (.pcap) files.
- Wireshark: Wireshark is a well-known packet analyzer that is similar to tcpdump but provides a graphical user interface.

Tip: Be familiar with the packet capture and replay tools tcpdump, tcpreplay, and Wireshark.

Some operating systems have built-in protocol analyzers. Windows Server operating systems come with a protocol analyzer called Microsoft Message Analyzer. In the Unix environment, many administrators use tools such as ps and vmstat that come with the core operating system. Oracle Solaris has a popular utility called iostat that provides good information about I/O performance.

A sniffer and a protocol analyzer are generally accepted as being the same tool. As software packages continue to add features, the lines between the two are blurring. Strictly, however, a sniffer is a tool designed to "sniff" the network and capture packets; in the simplest sense, a sniffer relies on the user to conduct further analysis and interpretation. A protocol analyzer, on the other hand, is capable of providing further details and context on the captured packets. A protocol analyzer is used to capture network traffic and generate statistics for creating reports. After the packets have been captured, you can view the information.

Password Crackers

Weak passwords are easily compromised. Users must be educated about the importance of their access credentials and the potential impact of sharing their passwords and logons, using weak passwords, and using easily guessed passwords. They should also be instructed in how to create a strong password. Even when users are educated about the dangers of using the same password for multiple accounts and about when to change passwords, they often don't follow good practices. As a result, it is imperative to test the passwords that employees use. Password crackers are software utilities that allow direct testing of user logon password strength. This type of tool conducts a brute-force password test by using dictionary terms, specialized lexicons, or mandatory complexity guidelines. "Attack Basics" covers various types of password attacks.

In addition to using helpful software programs, you can look for online password-cracking tools that enable you to input a hash and get the password returned in plaintext. There is even an online password-cracking tool for WPA-protected Wi-Fi networks that cracks password hashes in a manner similar to other online cracking tools. Common password-cracking tools include the following:
- Brutus
- Cain and Abel
- John the Ripper
- THC Hydra

When used by an organization as an assessment tool, a password cracker should report only the relative strength of a password and not the password itself, to avoid weakening logon responsibility under evidentiary discovery actions.

Forensics and Data Sanitization

Organizations maintain data such as names, addresses, Social Security numbers, and personal health information. User training programs address legal or regulatory requirements for accessing, transporting, storing, and disposing of data and data storage devices. In most cases an organization has a legal obligation to protect and dispose of data properly. This includes encryption systems for mobile and removable storage devices, data access logging requirements under laws such as HIPAA, and review of retention and destruction policy. A data destruction policy spells out what happens when sensitive data contained on a device is no longer needed but the device is being repurposed.
Often the device or media is sanitized. Data sanitization is the process of removing the contents from a device or media as fully as possible, in an attempt to make it extremely difficult to restore. Sanitization can be accomplished using either a software tool or a combination of a software tool and firmware. Sanitization falls into one of the following categories:
- Clear: Standard read and write commands
- Purge: Physical or logical techniques that make recovery impossible
- Destroy: Physical or logical techniques that render the device useless

Examples of software used to wipe data stored on hard drives include DBAN and BCWipe. Organizations that use self-encrypting drives (SEDs) also use cryptographic erasure (CE). CE takes advantage of the fact that the data is already encrypted by sanitizing the encryption key. This is a quick and effective method that leaves only the ciphertext on the media. After sanitization, a certificate of media disposition is completed. The certificate can be either a hard copy or an electronic copy stating the process and method used to sanitize the data. NIST Special Publication 800-88, "Guidelines for Media Sanitization," provides detailed information on how to sanitize media, based on the organization's categorization of information confidentiality.

Disk wiping capabilities are also provided as part of a number of data forensic utilities. Some basic forensic utilities you should be familiar with include the following:
- dd: dd is a command-line utility that converts and copies files and is useful for transferring data, modifying data, wiping disks, recovering data, generating random files, and benchmarking drive performance.
- Memdump: Memdump is a command-line utility that returns the contents of system memory.
- WinHex: WinHex is a hex editor that also provides data analysis, data recovery, data gathering, and disk wiping capabilities.
- FTK Imager: FTK Imager is a disk imaging tool that is used to save the image of a hard drive. FTK Imager is also part of the complete FTK computer forensics software solution.
- Autopsy: Autopsy is a software tool used to examine hard drives and mobile devices for evidence recovery.

Quiz Questions

1. A security analyst identifies malware that is traced back to the IP address 93.184.216.34. Which one of the following tools might the security analyst use to determine if an active connection to that IP address still resides on the infected system?
A. tracert
B. ping
C. netstat
D. nslookup

2. Which of the following commands would you use to look for failure or warning errors in /var/log/secure?
A. logger "failure or warning" /var/log/secure
B. grep 'failure\|warning' /var/log/secure
C. head -n 15 errors
D. cat failure warning

3. Which of the following utilities would produce the following output?

HTTP/1.1 400 Bad Request
Date: Thu, 21 May 2020 04:17:05 GMT
Server: Apache/2.4.29 (Ubuntu)
Content-Length: 319
Connection: close
Content-Type: text/html; charset=iso-8859-1

A. Netcat
B. ping
C. nslookup
D. route

4. Which of the following is a software tool used to examine hard drives and mobile devices for evidence recovery?
A. tcpdump
B. Wireshark
C. John the Ripper
D. Autopsy

Answers

Answer 1: C. netstat is a command-line utility that displays incoming and outgoing network connections. Answer A is incorrect because tracert would show the path or hops taken from the infected system to the IP address. Answer B is incorrect because ping would show the analyst whether the remote IP address is potentially still alive and responding to requests. Answer D is incorrect because nslookup is a tool for querying DNS servers.

Answer 2: B. grep searches files for desired data based on patterns or regular expressions. In this example, grep is looking for either the word failure or the word warning in /var/log/secure. Answer A is incorrect because logger is used to write to the log file, and in this case it would write the text between the quotes to the local log file. Answer C is incorrect because head returns the beginning of a file, and this command would return the first 15 lines of the file named errors. Answer D is incorrect because this command would concatenate the two files together.

Answer 3: A. Netcat can be used to grab website banners, and in this case the website Netcat reached on port 80 is running Apache web server 2.4.29 on Ubuntu. Answers B, C, and D are incorrect because ping, nslookup, and route would not return this information.

Answer 4: D. Autopsy is a forensics software tool used to examine hard drives and mobile devices for evidence recovery. Answer A is incorrect because the tcpdump utility is a command-line packet analyzer tool that captures TCP/IP packets sent and received. Answer B is incorrect because Wireshark is a well-known packet analyzer that is similar to tcpdump but provides a graphical user interface. Answer C is incorrect because John the Ripper is a password-cracking tool.
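Looking back at the forensic utilities list, here is an added example (not from the guide) of dd doing two of the jobs named there, acquiring a verified image of a drive and then wiping the drive in the "Clear" category; a constructed 64 KiB file stands in for the device, and the planted SECRET-RECORD string is made up so that recovery can be checked.

```shell
#!/bin/sh
# Added example, not from the guide: dd used for two forensic tasks named in the
# list above, acquiring an image of a drive and then wiping the drive, with each
# step verified. A constructed file stands in for the device so it runs anywhere.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
DISK="$WORK/evidence.img"   # stand-in for a block device such as /dev/sdb
IMAGE="$WORK/evidence.dd"   # the acquired forensic image
BLOCKS=16                   # 16 x 4 KiB = a 64 KiB pretend drive

# POSIX cksum prints "<crc> <bytes> <name>"; keep only the crc.
crc() { cksum "$1" | cut -d' ' -f1; }

# Fill the pretend drive with random bytes (dd can generate random files, too)
# and plant a recognizable record in block 3 so recovery can be checked.
build_disk() {
    dd if=/dev/urandom of="$DISK" bs=4096 count=$BLOCKS 2>/dev/null
    printf 'SECRET-RECORD-0001' | dd of="$DISK" bs=4096 seek=3 conv=notrunc 2>/dev/null
}

# Acquisition: bit-for-bit copy. conv=noerror,sync keeps going past read errors
# and zero-pads the bad block so image offsets stay aligned with the source.
# Succeeds only if the image checksum matches the source.
acquire_image() {
    dd if="$DISK" of="$IMAGE" bs=4096 conv=noerror,sync 2>/dev/null
    [ "$(crc "$DISK")" = "$(crc "$IMAGE")" ]
}

# How many "lines" of the (binary) file contain the planted record? -a forces
# grep to treat binary data as text; 1 means the record is recoverable, 0 not.
marker_present() { grep -ac 'SECRET-RECORD' "$1"; }

# Sanitization in the "Clear" category: overwrite every block with zeros, then
# prove it by comparing against a freshly generated all-zero file of equal size.
wipe_disk() {
    dd if=/dev/zero of="$DISK" bs=4096 count=$BLOCKS conv=notrunc 2>/dev/null
    dd if=/dev/zero of="$WORK/zeros" bs=4096 count=$BLOCKS 2>/dev/null
    cmp -s "$DISK" "$WORK/zeros"
}

build_disk
acquire_image && echo "image verified, crc $(crc "$IMAGE")"
echo "record in image: $(marker_present "$IMAGE")"
wipe_disk && echo "source wiped; record left on source: $(marker_present "$DISK")"
```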