Some of my clean Windows, Mac, Linux and Cisco notes


netsh wlan show profiles *shows a list of the cached/stored/previous wifi connections you made
netsh wlan show profile name=profilename key=clear **shows cached/stored/previous wifi connection password ie "netsh wlan show profile name=ActionTec7777 key=clear"
rundll32.exe user32.dll,LockWorkStation *cmd to lock workstation
arp -a *show the Mac to IP address exchange, arp means address resolution protocol
nbtstat /* shows protocol statistics using NBT
netstat -boa /* need admin cmd to run this extention, though can run it w just -a or a few others.
netsh /* netsh int ip reset /* example of command
route /* used to manually config routes in routing table
getmac /* shows both local and remote MAC addresses. When ran w getmac /s \\foo displays remote mac. /v shows connection name and net adapter name
pathping ipaddresshere /* provides info about net latency and network loss at intermediate hops
telnet
ftp
ssh
To run a ping sweep on your network without any 3rd party tools you can type the following in cmd, change the ip starting range to where your IP
range starts. to figure this out type ipconfig in cmd then leave the last set blank, though include the period. as below:
Additionally this will pipe out the results to a text file. PS if it runs through very quick you did something wrong
FOR /L %i IN (1,1,254) DO ping -n 1 192.168.0.%i | FIND /i "reply">>c:\ipaddresses.txt
FOR /L %i IN (1,1,254) DO ping -n 1 192.168.0.1.%i | FIND /i "reply">>c:\ipaddresses.txt
FOR /L %i IN (1,1,254) DO nbtstat -a 192.168.0.%i>>nbtstat.txt
Sharepoint Cant save changes? *Clear cache files in office upload center
Sharepoint changes aren't reflecting in the corresponding sharepoint task list? *Create new synced project file for tasks list via the open in project option.
Taskkill /S remoteServer /u userName /PID processID *end remote task or program
exmple: c:\>taskkill /S 10.123.78.23 /u administrator /PID 5000 tap enter (prompted for pw)
To disable sleep mode completely: Launch gpedit.msc
Navigate to Computer COnfiguration>ADministartive templates>system >power management> sleep settings
Open Policy called allow standby states (S1-S3) when sleeping (plugged in_ and set value to Disabled
intl.cpl *change language
whoami *user logged in
hostname * name of computer
quser USERNAME *last time logged in with password
net user /domain USERNAME *shows AD OU's, last time pw set, expiration date, last logon...
All settings icon, make new folder, rename it: GodMode.{ED7BA470-8E54-465E-825C-99712043E01C} click enter
runas /user:domain\username cmd *run as self/admin well RDC to another users logon
powershell -Command "Start-Process cmd -Verb RunAs" *additional needed line in many Win10 environments run as self/admin well RDC to another users logon
Fix shortcut icons on desktop that were changed to a Lnk extention or other ext, but not the right ext! *Go to start>Run, type regedit. Press enter.
Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.lnk\. Delete the user choice folder, close regedit, restart
ipconfig /flushdns *clears dns resolution for websites you visit
ipconfig /displaydns | clip * shows dns resolution for websites you visit
nslookup ls -d testoutdemo.com *or any domain this will show you all devices on network if access not protected, most are tho.
To change the timeout limit for activating the screen saver you can run the below command.
reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveTimeOut /t REG_SZ /d 600 /f
dxdiag && perfmon /rel
Gpupdate /force && gpresult /r
sfc /scannow && restart

Harpy Eagle fist bump

Harpy eagle fist bump
WMIC /NODE:"compnamehere leave commas" COMPUTERSYSTEM GET USERNAME *computer name to user name.

wmic printjob get
wmic printjob list
wmic printjob delete
wmic netlogin
wmic useraccount where name="enteremployeenumberleave commas" get sid

query user
bootrec.exe /fixmbr
bootrec.exe /fixboot
bootrec.exe /RebuildBcd
windows 7 only need: bootrec /rebuildbcd
runas /user:DOMAIN\USERNAME
runas /user:gac\uname cmd resmon or devmgmt.msc appwiz.cpl
netsh interface set interface "Wireless Network Connection" enabled && wmic path win32_networkadapter where NetConnectionID="Wireless Network Connection" call enable

unidentified network fix: ipconfig /flushdns && netsh winsock reset
PsExec \\computername ipconfig /flushdns && netsh winsock reset

ipconfig /allcompartments /all
runas /user:domain\uname cmd
%AppData%\Microsoft\Windows\Recent\ *temp files
net user username /domain

| clip * copies whatever the cmd output is to the clipboard
Gpresult /r *displays cmd gpupdate results in cmd
gpresult /h gpreport *saves the report to the doc folder as a html file
gpresult /r /scope:user
gpresult /r /scope:computer
Gpresult /r > gpresult.txt *makes a text file in doc folder
Gpresult /r |clip *Export output to Windows clipboard

C:\$Recycle.Bin
file explorer paste: "C:\$Recycle.Bin" then tap win key, type show hid>tap enter, uncheck hide protected sys files, now check the admin$hare recycle bin

windirstat *great program to help clean up many hidden gigs of used space, including admin shares
sfc /scannow && exit

Synchronizing machine time with domain controller:
Login as a local account and sync the time with the domain controller using the Net time command.
NET TIME /domain:mydomainname /SET /Y

Remote Desktop Connnection Just open Run from start menu and type mstsc
CMD:control.exe /name Microsoft.NetworkAndSharingCenter
run as admin from user station hold down shift and right click application, run as different user will appear.
Psexec.exe \\compname "C:\ProgramData\NetIQ\Windows Client\AAFCleanConsole.exe" /creds=specifckeycredsgohere== /auto /logpath=C:\Windows\Logs

PsExec \\compname Gpupdate
cmd tsdiscon switch users cmd
psexec -u domain\myemployee# -i -h "\networkdrivepath\Users\myemployee#\Downloads\nVIDIA-Quadro-Series-Graphics-Driver_VFF73_WIN_26.21.14.3206_A11.EXE"
wmic /node:compname product call install true,"" , "\\networkdrivepath\Users\myemployee#\Downloads\HPLaserJetNew.exe"
psexec \\compname -c -i -h \\networkdrivepath\Users\myemployee#\Downloads\HPLaserJetNew.exe
psexec \\compname -u gac\myemployee# -c -f \\networkdrivepath\Users\employee#\Downloads\HPLaserJetNew.exe setup\runmsi.exe /quiet /norestart

netsh interface set interface "Wireless Network Connection" enabled && wmic path win32_networkadapter where NetConnectionID="Wireless Network Connection" call enable
Press Windows+R to open the “Run” box. Type “cmd” into the box and then press Ctrl+Shift+Enter to run the command as an administrator
Reinstall all windows packages from powershell Get-AppXPackage -AllUsers | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppXManifest.xml"}

cmd DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH (if sfc isnt working)
type “systemreset” (without quotes). If you want to refresh Windows 10 and install Windows updates, then you should type “systemreset -cleanpc”.
psexec \\compname sfc /scannow
openfiles.exe from cmd can tell if anyone has the shared file open
shutdown /r /m \\comp name
shutdown /r /m /f \\comp name

rdp rdc
CMRC Configuration Manager Remote Control (shared control rdp)

sccm system configuration
Delete Temporary Internet Files:
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 8

Delete just Cookies:
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 2

Delete History:
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 1

Delete Form Data:
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 16

Delete Passwords:
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 32

Delete All:
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 255

Delete All + files and settings stored by Add-ons:
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 4351

ipconfig /flushdns
If the command was successful, you will see the message "Successfully flushed the DNS Resolver Cache".
Afterwards, type: netsh int ip reset
Once done, restart your computer.
win + d minimize everything
win + e file explorer
WINKEY + ↑ (up arrow) = Make the window full screen
WINKEY + ↓ (down arrow) = Restore a full-screen window
ALT + F4 close window
ALT + F5 refresh
shake a window minimizes the rest of the windows
Alt + Tab task switcher
Ctrl + Alt + Tab task switcher hold
SHIFT + WINKEY + ← (left arrow) or → (right arrow)
WINKEY + CTRL + D create a VD
WINKEY + CTRL + ← (left arrow) OR
WINKEY + CTRL + → (right arrow) = switch between virtual desktops you’ve created
CTRL + Tab = switch between the open tabs to the right
CTRL + Shift + Tab = switch between the open tabs to the left
CTRL + Shift + T open last closed tab
nbtstat
route print
SHOW INTERFACES gI0/1 STATUS
MTR IS LIKE PING AND TRACERT
IPconfig /registerdns DDNS DHCP update
windump windows monitor network traffic note taken laptop
snort works on both win and lin note taken laptop
tcpdump linux note taken laptop
activity history viewer *windows note taken laptop
GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}
141371110470-81454-46514-82512-99712043140112
09af
a b c d e f
101112131415

Win cmds
cls
ipconfig /allcompartments /all
ipconfig /displaydns
arp -a shows the ip address to mac address mapping table (the address cache)
arp tables allow a system to build frames targeting remote MAC addresses
netsh to clear the arp cache
netstat -a shows detailed info for active conx a way to check for malware...
netstat-s shows tpc/ip statics
netstat -r or route print shows the routing table of the local host

netstat -es interface statistics
nslookup automode look up as many as u want, just type nslookup and enter

how to ping ipv6
ping6 or ping-6
Debian based Linux and Mac terminal
clear
scan a particular port for what applications are using it, example we'll use the standard ssl port: sudo lsof -i:443
to get tcpdump sudo apt-get install tcpdump
help man tcpdump
sudo tcpdump -i eth0 capture everything on netcard
ctrl + c to stop

sudo tcpdump port 21 capture everything on a specific port
switch to win browser to test ftp.hp.com
TCPdump is a packet analyzer that runs in a command line utility. It allows the user to view TCP/IP and other packets as they are transmitted and received over on a computer's network. In this lesson, you will learn about:
Common uses
Options
Expression examples
Common Uses
TCPdump prints the contents of network packets. It can read packets from a network interface card or a previously captured packet file. TCPdump can write packets to standard output or a file.

You can TCPdump to intercept and display the network traffic of another user or computer, including user credentials, the content of packets, and other unencrypted information.
Options
These are some of the many configuration options for TCPdump. For a complete list of options refer to the TCPdump MAN (manual) page.
Option Description
-i any Listen on all interfaces to check for traffic traffic.
-i eth0 Listen on the eth0 interface.
-D Show the list of available interfaces.
-n Don't resolve host names.
-nn Don't resolve host names or port names.
-q Be less verbose (more quiet) with your output.
-t Create a timestamp output humans can read.
-tttt Create a timestamp output that's maximally readable for humans.
-X Show the packet's contents in both hex and ASCII.
-XX Same as -X, but also shows the Ethernet header.
-v, -vv, -vvv Increase the amount of packet information you get back.
-c Only receive a certain number of packets and then stop.
-s Define the snaplength (size) of the capture in bytes. Use -s0 to capture everything unless you are intentionally capturing less.
-S Print absolute sequence numbers.
-e Retrieve the Ethernet header.
-q Show less protocol information.
-E Decrypt IPsec traffic by providing an encryption key.
Expression Examples
Expressions allow you to filter traffic and find exactly what you need.

There are three main types of expression: type, dir, and proto.

The type options are host, net (the network address), and port.
Direction lets you insert the src (source) and dst (destination) commands.
Protocol lets you designate tcp, udp, icmp, ah, and many more options.
Some examples of uses for TCPdump include the following:

Commands are case sensitive.
TCPdump Example Description
tcpdump -D Display the list of interfaces TCPdump can listen to.
tcpdump -n host 192.168.0.1 Capture any packets that list 192.168.0.1 as the source or destination host. Displays IP addresses and port numbers.
tcpdump -i eth0 Listen on interface eth0.
tcpdump -i any Listen on any available interface.
tcpdump -n dst net 192.168.0.0/24 Capture any packets that list 192.168.0.0/24 as the destination network. Displays IP addresses and port numbers.
tcpdump -n src net 192.168.1.0/24 Capture any packets that list 192.168.1.0/24 as the source network. Displays IP addresses and port numbers.
tcpdump -n dst port 23 Capture any packets that list 23 as the destination port. Displays IP addresses and port numbers.
tcpdump -n "dst host 192.168.1.1 and (dst port 80 or dst port 443)" Capture any packets that list 192.168.0.1 as the destination IP and 80 or 443as the destination port. Displays IP addresses and port numbers.

Common name resolution problems include the following:

The DNS server could be down or otherwise unreachable.
There may be a routing problem between the sending host and the DNS server.
The sending host could be configured with the wrong IP address for the DNS server.
Name resolution problems typically have the following symptoms:

You can ping a destination host using its IP address, but not its host name.
Applications that use hostnames fail. This could include:
Entering a URL into a browser.
Pinging the host using the hostname.
Searching for the host by its name.
To troubleshoot DNS name resolution, use the following tools:

ping
tracert (Windows) or traceroute (Linux)
nslookup
dig (Linux)
host (Linux)
Troubleshoot DNS Name Resolution With Commands
The following table lists several ways to troubleshoot with commands:

Command Purpose Example
ping Contacts the DNS server to see if it responds. Be aware that the firewall protecting the DNS server may be configured to drop ICMP packets
in order to prevent DoS attacks; if the server doesn't respond, it is not necessarily down.
ping 8.8.4.4

tracert or traceroute Tests the route between your workstation and the DNS server.
tracert 8.8.4.4

nslookup [host] Queries the IP address of a host.
nslookup www.mit.edu

nslookup Starts nslookup in interactive mode. The default interactive mode query is for A records, but you can use the set type= command to change the query type.
nslookup set type=ns

dig host name
host host name Queries a host. The default query is for A records. You can change the default search by appending one of the record types below to the end of the command:
a—address records
any—any type of record
mx—mail exchange records
ns—name server records
soa—sort of authority records
hinfo—host info records
axfr—all records in the zone
txt—text records
dig www.vulture.com ns
host www.vulture.com -t ns

dig @IP address or host name domain Queries the root server at the IP address or host name for the domain's A records.
You can change the default query type by appending a different record type to the end of the command.
dig @192.168.1.1 vulture.com ns

dig -x IP address
host IP address Finds the host name for the queried IP address.
dig -x 62.34.4.72
host 62.34.4.72

Local computers have a cache of recently resolved DNS names. The cache holds the DNS name and its IP address.
When you use a DNS name, the computer first checks its cache. If the name is in the cache, the corresponding IP
address is used. This can cause problems if a host's IP address has changed. Old values in the cache might continue

to be used temporarily, making communication via the DNS name impossible. To correct this problem on a Windows computer,
run ipconfig /flushdns to delete the local DNS name cache.

putty cisco switch cmd interface

enter global config mode conf t
enter interface config more int fa0/1
set the speed of the interface speed auto
set the duplex setting for the interface duplex auto






Some of my Cisco Networking and Security plus notes:


Van-Eck-Phreaking at the simplest level can be done w a AM portable radio. More effective w a yagi antenna hooked up to airspy R2, you can get clear picture from a hdmi cable, the cable effectively is a antenna youtube.com/watch?v=BpNP9b3alfY
This is also known as a tempest attack and a faraday cage is what the gov uses to protect their data from such a attack. Also fiber, STP (shielded
twisted pair) prevents this and same w HDMI2 and Digital display ports. I imagine usb 3 is the same, though would have to look it up.
You have a small network at home that is connected to the internet. On your home network, you have a server w the ip address of 192.168.55.199/16.
You have a single public adddress that is shared by all hosts on your private network.
You want to configure the server as a web server and allow internet hosts to contact the server to browse a personal website. What should you use to allow this type of access?

Static Nat maps an internal IP address to a static port assignment. Static NAT is typically used to take a server on the private network (such as a
web server) and make it available on the internet. External hosts contact the internal server using the public IP address and the static port.
Using a static mapping allows external hosts to contact internal hosts.
Dynamic NAT automaticallys maps internal IP addresses with a dynamic port assignment. On the NAT device, the internal device is identified by the
public IP address and the dynamic port number. Dynamic NAT allows internal(private) hosts to contact external(public) hosts,, but not vice versa.
External hosts cannot initiate communications with internal hosts.
When using PPP authentication, the following conditions must be met for authentication to succeed:
Both routers must accept the same authentication method (CHAP or PAP).
Each router must have a username statement that identifies the other router. For example, on RouterA, configure a user name of RouterB.
The password used in both username statements must be identical.
Use the following commands on RouterA:
Press Enter
RouterA>enable
RouterA#config t
RouterA(config)#interface s0/0/0
RouterA(config-if)#encapsulation ppp
RouterA(config-if)#ppp authentication chap
RouterA(config-if)#exit
RouterA(config)#username RouterB password cisco
(Press Ctrl + Z)
RouterA#copy run start
Press Enter
Press Enter again to save changes
Use the following commands on RouterB:
Press Enter
RouterB>enable
RouterB#config t
RouterB(config)#interface s0/0/1
RouterB(config-if)#encapsulation ppp
RouterB(config-if)#ppp authentication chap
RouterB(config-if)#exit
RouterB(config)#username RouterA password cisco
(Press Ctrl + Z)

RouterB#copy run start
Press Enter
Press Enter again to save changes
file recovery forensics:
AccessData FTK imager used to create a copy of a drive
Autospy extract data that was deleted
Highly recommended to use a writeblocker/foensic bridge when extracting or creating copy for forensic investigation.

vulnerability scanners:
Web Application Vulnerability Scanners are automated tools that scan web applications, normally from the outside, to look for security vulnerabilities such as Cross-site scripting, SQL Injection, Command Injection, Path Traversal and insecure server configuration. This category of tools is frequently referred to as Dynamic Application Security Testing (DAST) Tools.
https://www.arachni-scanner.com/
Arachni is a free one w limited features, all features availble in paid version
retina community is a free vulnerability scanner for network and end point, now called beyondtrust and is no longer free and appears bought out by Tenable...
Nessus is a paid popular vulnerability scanner costs around $2300 for a years subscription, has a free 7 day trial, owned by Tenable (Sipping out of a nice insulated cup w their name on it...)
CVE common vulnerability exposed

protocal analyzer
network scanners

virus types
stealth, macro, polymorphic, retro, armored, companion
malware types
virus, worms, trojans, zombies bots, rootkids (UEFI prevents rootkids w secured boot feature)
logic bomb (time or object activity related((click on))
spyware, adware, crimeware

crackstation.net | converts hashes to passwords
browserling.com | alo can calculate hashes to passwords and vica versa

ophcrack.sourceforge.net | cloudbased password cracker, rainbow dictionary. FYI vista will work for win10 passwords, both use NTML hash
key point, longer passwords are harder to crack, every other character adds at least a gig of needed rainbow dictionary.
Hash_suite_64 | password cracker

check for a typical key logger called refog ctrl alt shift k
find password from inspect web page, change =password to =input, and pw will be displayed

linux
chkconfig //old way to check whats running
systemctl list-unit-files //new way to check running services

nmap scan open ports on linux
TCP:nmap-sT host_ip_address
UDP:nmap-sU host_ip_address
netstat -a
netstat -i
netstat -l
netstat -s
netstat -r

software updates
yum update //redhat
apt-get dist-upgrade //debbian

host firewall
systemctl status firewalld //debian, fedora
firewall-cmd--state
firewall-cmd--get-active-zones
firewall-cmd--permanent--zone=name--add-port=port/protocol //(80/tcp) or next line
firewall-cmd--permanent--zone=name--add-service=service_name //(http)
systemclt restart firewalld

su - //run as sudo on redhat, fedora
systemclt -a //show ports w running services
systemclt disable //service name
rpm -qi nmap
yum install nmap
nmap -sT localhost //tcp scan
nmap -sU localhost //udp scan
nmap -sT //ipaddress

netstat -a
ssh 10.0.0.3 -l root //connect shell to any ipaddress l=L
netstat -a | grep ssh //show specific session type
netstat -i //statics
netstat -s | more /kind of more statistics
netstat -r //routing paths, table
WireShark
ip addr==192.168.0.50 (this filter will focus in on traffic from this IP only)
tcp port==443 full list in gui
Nmap open source security scanner that maps network and devices
neotrace is like traceroute or tracert, shows path and ip of devices between 2 devices
samspade identify the source of spam emails
nslookup resolves ip addresses to host names and DNS servers in use
Null scan turns off all the flags in a TCP header, creating a lack of TCP flags that should never occur in the real world.
Null session is the ability to log on using a blank username and password.
Fin scan sends TCP packets to a device w/o first going thru the normal TCP handshaking, thus preventing non-active TCP sessions from being formally closed.
Stealth scan sends a single frame to a TCP port wthout any TCP handshaking or additional packet transfers with the expectation of receiving a single response.
Christmas tree scan sends a TCP frame to a remote device with the URG, PUSH and FIN flags set
Ping flooding: is when the attacker overwhelms the victim w ICMP echo Requests(ping) packets. This works when the attacker has more bandwidth than the victim. If this happens to you, you can turn off ICMP echo responses in your router. Though then legitimate ping requests would fail also.
Ping of death: aka long ICMP attack. Uses a ping w very large packets. This can also be used to stress test a network. packet size is over 65536 bytes
Fragmentation attacks contaminate IP packet fragments that inflitrate the system
LAND attack floods the victim's system with packets that have forged headers. SYN packet has the exact same address for both the sender and receiver, which is the address of the server. Land attack is a type of SYN flood.
Teardrop attack: fragmented UDP packets with overlapping offsets are sent. THen when the victim system re-builds the packets and invalid UDP packet is created, causing the system to crash or reboot.
A Negative Acknowledgment (NACK) attack denies a LAN/WAN client access to resources.
A Banana attack uses a router to change the destination address of a frame.
A Deauthentication (Deauth) attack denies wireless clients access to resources
Syn flood: Type of DOS attack. Exploits the ACK packet of the TCP three-way handshake. By not sending the final ACK packet, the server holds open and incomplete session, consuming system resources. If the attacker can cause the server to open numerous sessions in this manner, all system resources are consumed and no legitimate connections are established.
Session Hijacking: taking over logon session from a legitmate client, impersonating the user and taking adv of their established communication link and user privilages.
Smurf attack is a form of DOS that uses spoofed ICMP packets to flood a victim w echo requests using a bounce/amplification network
Fingerprinting is the act of identifying an operating system of network service based upon ICMP message quoting charactertistics.
Fraggle attack used spoofed UDP packets to flood a victim w echo requests using a bounce network. Similar to smurf.
Best counter measure for MITM attacks (man in the middle): IPsec is one of the best counter measures because it encrypts data in a VPN tunnel as it passes between two communications parties. Even if someone intercepts the traffic, they will not be able to extract the contents of the messages (without the right decrypt key)
Ip Spoofing protection on a private network: Apply Ingress and Egress filters. These examine packets going into and out of the network. Any packets suspected of being spoofed are dropped.
DNS cache poisoning/pharming example: You enter a web site name in the URL and it takes you somewhere completely different. Though when you enter the IP address it takes you to the right place. I tested this by editing my computers DNS table and changed the name yahoo.com to google.com, though yahoo was smart enough to block the change on their end and wouldn't let it redirect to google.
Evil Twin: access point that in configured to mimic a valid access point to obtain logon credentials...
ARP poisoning/ ARP spoofing: associates the attackers MAC address w the IP of the victims device. When computers send an ARP request to get the MAC address of a known IP, the attacking system responds w their MAC instead.
Replay attacks capture Authentication traffic. If successful the attack can gain same access as the user. To prevent this, time stamps are used and dynamic challenge response mechanisms.
Sniffing: common network monitoring or diagnostic activity tho can also be a passive malicious attack. When performed properly it is impossible to detect. solution encryption.
What causes the most interference with WAPs(note this doesn't cover the ethernet degratation concepts before the WAP such as span, insulated or not, running over fluorescent ballasts ect): Cordless phones or microwaves, backup generators and wireless tv's
Bluetooth and 802.11g also use 2.4GHz, same as cordless phones. Which these may cause interference with each other.
802.11a uses 5GHz so not affected by 2.4GHz traffic
802.11n uses 5GHz
wireless phones often run on 900MHz-5.8GHz
Disrupt Wi-fi Networks
Spark Jamming: Repeatedly blasts receiving equipment with high-intensity, short-duration RF bursts at a rapid pace
Random Noise Jamming: Produces RF signals using random amplitudes and frequencies
Random Pulse jamming: Uses radio signal pulses of random amplitude and frequency

NFC relay attack: attacker captures NFC data in transit and then uses that info to masquerade as the original device.
NFC jamming is possible. NFC Man in the middle is also possible and similar to relay attack.
Bluesnarfing is the use of a bluetooth connection to gain unauthorized access to an existing bluetooth connection between phones and computers.
Snarfing allows the attacker to view calendars, emails, messages and contacts.
Bluejacking is rather harmless practice that entails an unknown sender sending business cards anonymously to a bluetooth recipient within 100 meters.
Tend to be offensive msgs to see response/reaction in crowd to identify whose device it is. Set device to non discoverable mode to prevent.
Bluebugging is when the attacker gets full access to all mobile phone commands that use bluetooth including initiating phone calls, sending and receiving msgs, eavesdropping, changing phone contacts...
War driving and war chalking, mostly outdated concepts of tagging/marking areas where wifi is present and certain specifications of network for hacking attempts
War driving can even be walking around on foot w a pda,phone or notebook scanning for available networks
Slamming refers to unauthorized or fraudulent changes to a telephone or DSL service
WPS PIN mode is suseptible to brute force attacks, not to confuse WPS press button mode, which is more secure because the person has to reach the button...

How to find a Rogue access point: Check the MAC addresses of devices connected to your wired network and conduct a site survey to identify hosts and AP's on the wifi.
Also can conduct a RF noise analysis to detect a malicious rogue AP that is using jamming to force wireless clients to connect to it instead of the legit AP. Also analyzing wireless traffic...
Privilege escalation: allows a user to take adv of a software bug or design flaw in a app to gain access to sys resources or additional privileges that wouldnt typically be available to the EU
buffer overflow: occurs when the operating system or an application does not properly enforece boundaries for how much and what type of data can be inputted. Can also mean well writing data to a memory buffer, overruns the buffer and writes partly over other memory.
buffer overflow CONTINUED: When software code receives more input than it was designed to handle. Or when the designer didnt include input validation checks. When a buffer overflow occurs, the extra data is pushed into the execution stack and processed with security context of the system itself.
in other words IOW, a buffer overflow attack often allows the attacker to perform any operation on a system.

backdoor is a unprotected access method or pathway. May include hard coded passwords or hidden service accounts. added during development and generally suppose to be removed before deployment.
rainbow table applies hashing algorithms to every word in a dictionary symptoms including hybrids or passwords accumulated in brute force techniques it in saves the results in a table for matrix encrypted password is compared to the precomputed hashed passwords in the matrix until a match is found.
dictionary attack: is what it sounds like brute force attack that uses dictionary words, not very effective if GPO has lockout policies after 5 failed attempts.
SMTP relay is an email server that accepts mail and forwards it to other mail servers. An open SMTP relay allows anyone to forward mail. If your mail server has an open SMTP relay, spammers can use it to send mail and make it appear as though its coming from you or elsewhere, soon your email will be blacklisted.
configure mail server to accpet mail only from authenticated users or specific email servers that you authorize. And require TLS encryption to connect to the server.
Javascript commands can be harmful, so disabling client side scripting resolves this if you want to really lock it down. I found a text-glow script from a reputible source (W3). Though, on this site its hidden/disabled because it will freeze up my smart phone for 10 seconds loading the script portions! so probably most peoples smartphones... and on my computer it uses 70% of my 8th gen I5 processors! so I disabled it because I didn't want to scare anyone away, but if you go to my test page of my main page its active there :)

CGI common gateway interface: scripting language that is often used to capture data from forms in a web page and pass the data to an external program. CGI runs of the server to process web form data.
XSS Cross-site scripting (XSS) is an attack that injects scripts into web pages. When the user views the web page the malicious scripts run allowing the attacker to capture information or perform other actions
some scripts redirect users to legit sites but run the script in the background to capture info sent to the legit site
scripts can be written to read(steal) cookies that contain id info, such as, session info.
scripts can also be designed to run under the security context of the current user. IE scripts might exe w full priv on the local sys. or the scr can also be designed to run under the security context of the current user.
Drive by download is when software is installed w out the consent of the user.
DLL injection attack: program is foreced to load a dynamic-link library. This DLL then exe under the sec context of the running app and exe malicious code w the injected DLL.



Some more Security plus notes:


firewalking uses traceroute techniques to disover which services can pass through a firewall or router. Common tools are Hping and Firewalk Tear drop attack, is a DDOS attack that sends fragmented UDP packets w overlapping offsets. Then, the victim sys re-builds the packets, an invalid UDP packet is created, causing the system to crash or reboot. NACK attack (Negative Acknowledgement) denies a LAN/WAN client access to resources. Bananna attack uses a router to change the destination address of a frame. Deauth attack denies wireless clients access to resources. OVAL (Open Vulnerability and Assessment Language (OVAL) is an international standard for testing, analyzing and reporting the security vulnerabilitties of a system. OVAL is sponsored by the National Cyber Security Division of the US Department of Homeland Security. OVAL identifies the XML format for iding and reporting sys vuln. Above all else, the Private Keys must be protected or the whole networks realm of trust is destroyed. The strength of an asymmetric cryptographic system lies int he secrecy and secuirty of its private keys. A digital certificate and a digital signature are little more than unique applications o fa private key. If the private keys are compromised for a single user, for a secured network, or for a digital certificate authority, the entire realm of trust is destroyed. Side note though, There is such a thing called Key Escrow in a "centralized" key management environment, which means your organization and or the police can basically just hijack into your encrypted communications anyways. So this is kind of all a sham in my opinion... --Symmetric encryption-- (faster than asymmetric) formula to determine how many keys needed in your organization n(n-1)/2. If a message sender encrypts a message w a key and a message receiver decrypts it using the same key it is Symmetric encryption Advanced Encryption Standard AES is an iterative symmetric key block cipher that uses the following: The Rijndael Block Cipher, which is resistant to all known attacks. A variable-length block and key length (128-,192- or 256-bit keys) Ron's Cipher v2 or Ron's Code v2 (RC2) uses 8'128 bit keys in steps of 8 bits. Twofish uses up to 16 rounds of substitution and transposition. The strength of a cryptosystem lies not only in long keys but in the algorithm, initialization vector or method, the proper use of the keyspace and the protection and management of the keys. TwoFish (up to 256 bit keys) IDEA (128 bit keys) DES (56 bit keys) retired AES is the new standard 3DES is an upgrade to DES but AES is still king RC5 is a block cipher that supports variable bit length keys and vaiable bit block sizes. (0-2048 bit keys) RC4 is stream cipher RC2 is limited to 64 bit blocks Elliptical curve is a method of applying other systems to gain greater strength from smaller keys. key stretching can be used to strengthen weak encryption keys against exhaustive key search attacks. The initial key is fed into an algorithm to create a stronger key. The enhanced key usually at least 128 bits long making it almost impossible to crack. Key stretching algorithms: PBKDF2 bcrypt scrypt Other key terms not key stretching but may be confused w: Ephemeral keys are generated everytime the key estblishment process is executed and only exist for the lifetime of a specific communication session. Perfect forward secrecy can be implemented in a public key cryptography system so that random public keys are generated for each session. Uses no deterministic algorithm. DHE refers to a Diffie-Hellman key exchange Asymmetric encryption-- Each pair(party) consists of a public and private key. (slower than symmetric though doesn't share the private keys) Is when the sender and receiver have different keys for encrypt and decryption. Asymmetric can be used to distribute symmetric keys. Diffie-Hellman 1976, but is still used in techs such as, SSL, SSH and IPsec!!! DHE can also be used w DES,AES,IDEA,RC5 or any other symmetric crypto solution. ECDH is an implementation of the Diffie-Hellman using elliptic curve crypto. Allows two parties, each having their own elliptic curve public/private key pair to generate symmetric keys simultaneously over a non-secure channel. El Gamal is based upon DHE RSA (one of the earliest encryp algors) can be used for digital signatures. RSA is not a key generation system. It is a asymmetric crypto sys that can be used for encryption, key exchange and digital signatures EFS is a windows file encryption option that encrypts individual files bitlocker encrypts the entire contents of a harddrive If you want to encrypt email you can use a CSP (cryptographic service provider) = software libraries that can be used to enhance encryption. A Digital signature is a mathematical scheme for demonstrating the authenticitiy of a digital message or document. A valid digital signature gives a message credibility, guaranteeing the recipient that the message has not been tampered w in transit. A digiital signatures are created using the senders private key. Thus only the senders public key can be used to verify and open any data encrypted w the senders private key. Non-repudiation is the ability to prove that the sender sent the message. Digital signatures, are private keys from a asymmetric crypto sys. Only a single person is in possession of their private key. If a message is found w their digital sig, then they are the only user who could of created and sent it. Hashing=algorithm used for signature verification and data integrity checking. If a file is edited the hash will be changed too. A Hash is a function that takes a variable-length string(message) and compresses and transforms it into a fixed-length value. Hashs ensure the data integrity of files and messages in transit. If the hashes match, the file hasnt been altered. Diffusion=simple character changes in the plaintext will cause several characters to change in the cipher text. Collision(not same as networking)=When two different inputs to a function produce the same output. Cryptanalysis is recovering original data that has been encrypted w/o having access to the key. Ciphertext is the encrypted message that is only viewable to the intended party CA Certificate Authority is a trusted 3rd party that issues certificates to organizations Root CA is the top where the trust starts X.509 is that standard most widely used for certificates from CA's. This defines the key elements that must exist in the cert. The X.509 standard is used by SSL, IPsec, DES and many other infrastructure components and technology. HTTP 1.1 is the latest version of the protocol used to transmit web resources from a web server to a web client LDAP uses port 389 for unsecure and 636 for SSL/TLS secured Port 69 is used by TFTP port 161 SNMP port 88 kerberos port 49 Terminal access controller access control system (TACACS) port 1701 Layer 2 tunneling protocol (L2TP) port 1723 Point to point tunneling protocol (PPTP) winkey + ctrl + q for quick assist mutual authentication is a process by which each party in a online communication verifies the identity of each other party. mutual authentication is most common in VPN links SSL connections and E Commerce transactions In each of these situations both parties in the communication want to ensure they know whom they are interacting with. SSO examples SESAME, KERBEROS, Netiq An SSL client first checks the servers certificate validity period. The authentication process stops if the current data and time fall outside of the validity period.
SSL clients verify a server's identity with the following steps:
1 Client checks the servers certifiate validity period. The authentication process stops if the current data nd time fall outside of the validity period
2 The client verifies that the issueing certificate Authority (CA) is on its list of trusted CA's
3 The client uses the CA's public key to validate the CA's digital signature on the server certificate. If the digital signature can be verified, the client accepts the server cerficicate as a valid certificate issued by a trusted CA.
4 To protect against Man in the Middle attacks, the client compares the actual DNS name of the server to the DNS name on the certificate.

VPN work best with SSL because SSL uses port 443 and is opened on almost all firewalls so your VPN clients should be able to connect on almost any
network, when other solutions may not work for everyone in every situation/location. In addition, some NAT solutions do not work well w VPN
Audit Daemon is the trusted utility that runs a background process whenever auditing is enabled.
Audit trails are used to detect security-violating events. Auditing itself is used to prevent security breaches. Audit trails can recreate historical events.
Audit traills are a collection of recorded ata that may include details about logons, object access and other activities deemed important by your security policy that is often used to detect unwanted and unauthorized user activity.
syslog is a standard protocol for recording system events, not user events.
NetBIOS uses ports TCP 135,TCP and UDP 137-138 and TCP 139
DHCP uses ports 67-68
SNMP uses ports 161-162
LDAP uses ports 389 and 636
FTP uses ports 20,21 to establish session, then FTP uses a ramdon higher order port(above 1024) to perform actual file transfers.
HTTP and TLS use port 80
HTTPS SSL and TLS use port 443
TelNET uses port 23
SMTP uses ports 25
POP3 uses ports 110
SSH uses port 22 (most commonly used in Unix and Linux) SSH uses the IDEA algorithm for encryption by default. SSH uses RSA public key cryptography for both connection and authentication. SSH can also use Blowfish or DES.
TFTP (trivial file transfer protocol) port 69
NNTP Network News Transfer protocol uses port 119
IMAP4 Internet Message access protocol version 4 uses port 143
PPTP uses port 1723
L2TP uses ports 500 and 1701
IPsec uses UDP port 500 for the IKE
IPsec is the security implementation that provides secuirty for all other TCP/IP based protocols that operate above the network layer.
IPsec is implemented through two separate protocols. IP authentication header(AH) and IPsec Encapsulating security payload(ESP). IPsec AH provides
authentication and non-repudiation services to verify that the sender is genuine and data has not been modified in transit by a internet key exchange (IKE).
IPsec ESP provides data encrytion services for the data within the packet and includes authentication too.
L2TP Layer 2 tunneling protocol is a used to encapsulate point to point protocol (PPP) traffic.
PGP (pretty good privacy) and S/MIME (secure MIME) can be used to secure email in transit with encryption
Encrypt email using a PKI: Secure-multipurpose internet mail extensions (S/MIME) uses certificates issued by either public or in-house CA's using the x.509 system
TLS uses DIffie-hellman or RSA to exchange session keys
SSL uses RSA or the Key exchange protocol (KEA) for key exchange. IPsec use IKI for key exchange. ECC (ellipic curve cryptography) is a method that can be used in key exchange.
FTPS is FTP Secure, adds SSL or TLS to FTP for secure login and encrypt data transfers. Requires a server certificate.
SFTP is a file transfer protocol that uses SSHv2 to secure data transfers. It is not FTP that uses SSH but rather a secure transfer protocol that is different from FTP.
SCP secure copy protocol uses SSHv1
RCP remote copy protocol is unsecured for file transfer.
PPPoE is used for connections that have an always on state, such as DSL or fiber optic running ethernet.
PPPoE is a modification of PPP that allows for negotiation of additional parameters that aren't typically present on a regular Ethernet network. ISP's typically implement PPPoE to control and monitor internet access over broadband links.
NAP Network access protection is a collection of compents that allows admins to regulate network access based on computer compliance w health requirement policies. IE requiring anti-virus and firewall enabled and latest patches.
Web threat filtering, such as, content filtering or website filtering, prevents users from visint websites with known malicious content. anti-phishing software scans content to id and sipose of phishing attempts, preventing outsiders from accessing confidential info.
gateway email spam blocker:
Filters messages containing specific content, such as ss#'s or false links
Blocks email from specific senders
DLP Data loss prevention is a technology that tries to detect and stop sensitive data breaches, or data leakage incidents in a organization. DLP is used to prevent sensitive data from being disclosed to unauthorized person.
DLP monitors data in 4 ways:
While in use on an endpoint
While in motion as it is transmitted over the net
while at rest on a storage medium
while being transmitted to or from cloud based systems
Does not monitor when a new file is being created.

GPOs are applied in the following order:
1. The local Group policy on the computer
2. GPO linked to the site
3. GPOs linked to the domain that contains the User or Computer object
4. GPOs linked to the organizational unit(s) that contain(s) the user or computer objects (from the highest-level OU to the lowest-level OU)
Individual settings with all GPOs are combined to form the effective Group Policy settings as follows:
If a setting is defined in one GPO and undefined in another, the defined setting is enforced (regardless of the postion of the GPO inn the application order)
If a setting is configured in two GPOs, the setting in the last-applied GPO will be used.
If a setting is defined in the local group policy on the computer and not defined in the GPO linked to the OU, the setting is applied.
Protocol analyzer: Also known as a packet sniffer and is considered a passive device/tool/technique. IE Wireshark and by default is not set up to
modify or retransmit packets(activities common in a attack). Can be used to capture or filter packets from a specific device or packets that use a specfic protocol.
Use a packet sniffer to capture(record) frames that are transmitted on the network. Identify types of traffic on the network. View the exchange of
packets between communicating devices. For example, you can capture frames related to DNS and view the exact exchange of packets for a specific name resolution request.
analyze packets sent to and from a specific device and another example of a protocol analyzer is: view packet contents.
port scanner is used to id protocol ports that are opened in a firewall or active on a device. a port scanner checks individual systems, well a packet sniffer watches traffic on the network.
NMAP is a tool that performs ping scans (finding devices on the network) as well as port scans (looking for open ports on the network)
TDR Time domain reflector is used to measure the length of a cable or to identify the location of a fault in the cable.
Cable certifier is a multi-function tool that verifies that a cable or an installation meets the requirements for a specific architecture implementation.
Multimeter is a device that tests various electrical properties, such as volts, amps and ohms.
Throughput tester measures the amount of data that can be transfred through a network or porcessed by a device (such as the amount of data that can be retrieved from the disk in a specific period of time)
Encryped type 7 passwords on Cisco devices are less secure than those protected w MD5.
For any secure remote communication use SSH, SCP or SFTP (as a few examples) Secure shell protocol SSH. Secure Copy protocol SCP. Secure file transfer protocol SFTP. These use public key cryptography. The most secure way is to physically use the console port though.
For unsecure remote commnication Telnet and TFTP transmit in clear text so packet sniffers can get the login info just by passively(invisibly) sniffing the network.
port security is used to prevent unauthorized people from connecting to a ethernet cable, though allowing authorized devices to use those same ports bonding does the opposite of spanning tree. It allows multiple switch ports to be used at the same time to reach a specific destination.
switch looping is when multiple switches are connected in multiple paths and packets can travel back and forth continuously, slowing down the network and or preventing data from being truly transmitted as intended.
When an active path goes down STP automatically recovers and activates the backup ports necessary.
run the spanning tree protocol STP to precent switching loops. A switching loop ouccs when there are multiple active paths switches.
The STP runs on each switch and is used to select a single path between any two switches.
Switch ports that are apart of that path are placed in a forwarding state. switch ports that are redundant but unused paths are placed in a blocked (non-forwarding) state
Use inter-valn routing to enable devices in different VLANS to communicate. The auto duplex setting allows a switch port to detect the duplex setting of connected devices (either half or full duplex)
CSMA/CD is a method for detecting and recovering from packet collisions.
port authentication: Is kind of like MAC address filtering, though on a corp network. Can be used to prevent visitors from tapping into the network, but allow authorized employees to use those RJ45 ports by using 802.1x to login, much like signing into wifi. By default RJ45 ports allow automatic access, tho in public locations that would be a security risk.
Remote access authentication is handled by remote access servers RAS or a combo of RAS and a RADIUS server for centralized authentication
VPN connections can be controlled by remote access servers or by special devices called VPN concentrators
Trunk port is a member of all VLAN's defined on a switch, and carries traffic between the switches. When trunking is used, frames that are sent over a trunk port are tagged by the first switch w the vlan id so that the receiving switch knows to which VLAN the frame belongs.
Typically uplink ports (that are faster than other switch ports) are used for trunk ports, although any port can be designated as a trunking port.
On a unconfigured switch, ports are members of a default VLAN often designated VLAN 1. When you remove the VLAN membership of a port it is reassigned back to the default VLAN, therefore the port is always a member of one VLAN.
DTP Swtiches have the ability to automatically detect ports that are trunk ports and to negotiate the trunking protocol used between devices.
DTP is not secure and allows unauthorized devices to possibly modify configuration info.
DTP services should be disabled on the switch's end user (access) ports
ARP soofing/posoning associates the attacker's MAC address w the IP address of the victim.
MAC spoofing is changing the source MAC address on frames sent by the attacker. Typically used to bypass 802.1x port-based security, bypass wireless MAC filtering, or hide the identity of the attacker.
Mac flooding overloads the switch's MAC forwarding table to make the switch function like a hub. The attacker floods the switch w packets, each
containing different source mac addresses. The flood of packets fills up the forwarding table and consumes so much available memory in the switch
that it causes it to enter a state called failopen mode, in which all incoming packets are broadcasted out to all ports (like a hub)
The best protection against sniffing of your network is to use wifi protected access 2 (WPA2) with adv encryption standard (AES) because it uses strong encryption
How to keep your neighbor off your network? two simple steps. Implement MAC address filtering and disable SSID broadcast.
Additional steps that may be possible depending on your SOHO router: Disable DHCP prevents IP addresses from being automatically assigned to wireless
devices. So implementing static IP's and limiting the range of static IP's will make it harder for an attacker to figure out a valid IP address to use.
Use the AP configuration utility to reduce the raio signal strength. Change the default login info for the router and change the default PSK.
And maybe even add a sequence of astrics at the end of the password to make it at least 15 characters so if they got it, it may confuse them, thinking they only had partial decryption and 15 + characters are not yet possible to hash attack to get the real password.
Using RADIUS server: config devices to run in infrastructure mode and install Radius Server. When using wireless access points, configure an
infrastructure network. Having multiple access points and an existing directory service, you can centralize authentication by installing a RADIUS server and using 802.1x authentication
Use AdHOC mode when you need to configure a wireless connection between two hosts.
captive portal requires wireless netowkr users to abide by certain conditions efore they are allowed access to the wilress network.
Agree to acceptable use policy, provide a pin or password, pay for access, view info or advertisements about the organization providing the wireless access. such as a hotel or airport
When a wireless device initially connecst to the wireless netowkrk all traffic to or from that device is blocked until the user opens a browser and
accesses the captive portal webpage. After the user provides the approprate code traffic is unblocked and the host cna access the network.
EAP-TLS Transport layer security is considered one of the most secure EAP standards available. Knowing the password is not enough, the attacker must also have the client's private key.
EAP-MDS offers minimual security and dictionary attacks and man in the middle attacks can get it.
EAP-FAST is a replacement for LEAP that uses a protect access credential (PAC) to establish a TLS tunnel in which client autnetication credentials are transmitted. While more secure than EAP-MD5 and LEAP, EAP-FAST can still be compromised if the attacker intercepts the PAC
LEAP is susceptible to dictionary attacks. LEAP's major weakness is that it used MS-CHAPv1 in an unencrypted form for authentication.
MS-CHAPv1 is vulnerable to offline dictionary attacks against dictionary-based passwords. An attacker can sniff both the challenge and the responce during LEAP authentication.
She can then run through all the words in a dictionary in an attempt to obtain the response that matches the challenge. Using this method, she can guess the pasword and pose as the client. The main countermeasure to dictionary attacks is to use a strong password policy.
LEAP is considered to be the weakest 802.1x protocol. Does not use SSL/TLS to encapsulate authentication data 802.1x authentication uses a user name and passwords, certificates or devices such as a smart card to authenticate wireless clients.
802.1x requires a RADIUS server to centralize user account and authentication information. A centralized database for user authentication is required to allow wireless clients to roam between cells but authenticate using the same acct info
PKI for issuing certificates. At a minimum, the RADIUS server must have a server certificate. To support mutual authentication, each client must also have a certificate.
RADIUS servers require: configure the server w a certificate and configure all the wireless access points w client certificates. 802.1x is used for port authentication on switches and a authentication server for validating user creds.
routers and firewalls operate at layer 3 and can use the IP address or port number for filtering decisions. A circuit-level gateway is a firewall thatcan make forwardign decisions based on the session info
switches and waps are layer two devices, meaning they use the MAC address to make forwarding decisions
PAP Password authentication protocol transmits login credentials in cleartext
CHAP challenge handshake autentication protocol protects login credentials using a hash and allows for periodic re-authentication.
PPP point to point protocol and SLIP Serial line interface protocol are not remote access auth protocols. They are used to establish connection, but do not provide authentication.
Extensible authentication protocol EAP is a set of interface standards that allows you to use various authentication methods, including smart cards, biometrics and digital certificates.
MAC address filtering identifies specific MAC addresses that are allowed or disallowed on a WAP.
Can be set to not allow new connections, if you really want to lock down your network. though you'll soon notice how often you'll have to open that up to allow new devices
BSSID broadcast can be turned off in the router GUI to make your network displayed as hidden network. By no means a fool proof protection, but
security is about layers of protection and making yourself a harder target.
IPsec NAP clients must be issued a valid certificate before a connection to the private network is allowed. IPsec enforcement is the only NAP
implementation method that requires certificates.
VPN enforcement uses IP filters defined in netowkr access policies to limit resource access to non-compliant computers. W VPN enoforcement you can
also create a connection request policy on the NAP server that uses PEAP and enables quarantine checks.
DHCP enforcement uses DHCP options to deliver IP configuration values to non-compliant computers.
Network access control NAC controls access to the network by not allowing computer to access network resources and last day meet certain criteria
(predefined). Antivirus software with UpToDate definition files an active personal firewall specific operating system triple updates and patches
are examples of predefined criteria.
A client a client that is determined healthy by the neck is given access to the network and unhealthy client who has not met all the checklist
requirements is either denied access or can be given restricted access to a remedy ation network when limitaciones servers can be contacted to help the client complaint.
NAC can used w 802.1x port authentication on a switch to allow or deny access to the network through the switch port.
A demilitarized zone DMZ is a buffer network or subnet that sits between the private network and a untrusted network aka the Internet.
DMZs are created with routers and firewall rules to allow or block traffic based on info in the packets.
VLAN is a logical grouping of computers based on switch ports. VLAN membership is configured by assigning a switchport to a VLAN. VLAN's are separate
from the rest of the network as far as most users and devices are concerned. The Trunk port is an example of how to access 1 vlan from another and if not configd right in the IDF/MDF/Dmark room could just have it look like they are separate but still really connected and accessible from file explorer for example.
Intrusion detection system IDS is a special network device that can detect attacks in suspicious activity A network based IDS called NIDS scans network traffic looking for intrusion attempts
network address translation NAT modifies the IP addresses in package as they travel from one network such as a private network to any other such as
the Internet NAT allows you to connect a private network to the Internet without obtaining registered addresses for every post hosts on the
private network. Hosts on the private network share the registered IP address also known as the public IP.
How to secure email from viruses? Use blockers on email gateways.
Reverse DNS lookup protects against source address spoofing
PGP is used to sign outbound email but doesn't help w stopping inbound virus.
Limiting attachent size to 1mb is ineffective at stoping email viruses because many viruses are simple scripts that are very small.
Content filter blocks web based access based on website ratings and classifications. Such as online video games, youtube, violence ect.
Internet content filters are software used to monitor and restrict what content is delivered across the web to end users. Companies, schools,
libraries and families commonly use content filters to restrict access based on category and block certain web sites...
Honey pot is a folder, device or virtual machine that entices intruders by displaying a vulnerable trait or flaw or phrase, such as "bank account" or "password list".
Network access protection NAP on a Remote Desktop(RD) gateway server: Edit the properties for the server and select "request clients to send a statement of health"
Certificates are used in IPsec implemention of NAP. System health validator (SVH) compares the statement of health(SoH) submitted by the client to the requirements on the server.
Remediation servers provide the resouces to help non-compliant clients become compliant.
RADIUS clients and a server is required in 802.1x implementations.
Adjust sleep time out at local group policy level(win10 pro/enterprise)> start menu>search for local group policy editor>local security settings> time out due to no input>increase to whatever you'd like
Key clustering attack is when the attacker decrypts an encoded message using a different key than was used during encryption
Statistical attack against a cryptosystem: Exploiting a computers inability to produce true random numbers. Another example is to exploit the floating point errors in a processor. A computers systems inability to produce true random numbers makes the possibility of the re-use of keys probable, if not likely.
Problem with cookies: Cookies do not operate within a security sandbox like java does.Cookies have as much access to a system as the user account
under which they were brought on to the system. Cookies can be used to record info about the comp sys, surfing habits, and much more.Secured
environments should restrict the use of cookies on all web browsers and internet service utilities. They can help a hacker spoof your ID and store session info too.
header manipulation is the proces of including invalid data in a http response header.
zero day attack is when there is a new found application vulerability has been discovered and a patch is required to prevent the weakness
locally shared object(LSO) exploit is also called a flash cookie. Adobe flash uses LSO's to save data locally on a computer, such as, info about the flash game or user preferences. Tho it can also be used to collect info about users browsing habits w/o user permission. Flash player settings
manager can be set to not allow LSO to be saved to device.
URL hijacking/typo squatting occurs when an attacker registers domain names that correlate to common typographical errors mabe by users, such as rbay instead of ebay.
watering hole attack is when an attacker uses reconnaissance to id which sites the target frequently uses. The attacker then compromises one or more of those sites in some way
integer overflow occurs when a computational operation by a running process results in a numeric value that exceeds the maxiumum size of the integer type used to store it in memory. The value will wrap around and start again at its minimum value, in much the same way a mechanical odometer in a car rolls over to zero when the max number of miles is exceeded.
This can allow an attacker to manipulate the value of variables, leading to unintended behavior by the system. Basically you can make a web site purchase order form pay you for your order instead of paying for it and whatever about negative you make it, will be how much money is deposited in your account. This is a good way to get a visit from the police and never be allowed on a computer again.
covert channel exploitation is the user of timing or storage mechanisms to bypass security controls in order to leak information out of a secured environment
TOC/TOU is a logon session replay attack
superzappng attacks are specific attacks using a specialized ulility named superzap to bypass the security of IBM mainframes to perform sys alterations
data didding is usually waged against production machines
birthday attacks are used against hashing algorithms, and thus used in many password and logon attack mechanisms. They exploit collisions.
They exploit the probability that two messages using the same hash algorithm will produce the same message digest.
BIRTHDAY ATTACK CONTINUED: The discovered password will allow the attacker to login as the user, even if the discoverd password is not the same
as the user's password! A collision is when two messages produce the same hash. Collision doesn't guarentee the two messages are the same. Since the authentication system checks only for matching hashes, the attacker could logon w a diff pw as long as it gives same hash.
buffer overflow is the most common attack against web servers
SQL injection attack occurs when an attacker includes database commands within user data input fileds on a form, and those commands subsequently execute on the server.
To prevent SQL injection implement client side validation to identify input errors before the data is ever uploaded to the server. THEN do a server side validation check.
DLL injection attack occurs when a program is forced to load a dynamic-link library (DLL). This DLL then exe under the security context of the running app and exe malicious code w the injected DLL
Trojan horse is a program that masquerades as a legitmate program
drive by download is when malware is downloaded without user consent. Sometimes clicking a link will install software, or a user might know something is being downloaded but it doesn't do what it says it does. ie fake virus checker installing a trojan to allow an attacker access to machine...