Book digest: Security Power Tools
"What if you could sit down with some of the most talented security engineers in the world and ask any network security question you wanted? Security Power Tools lets you do exactly that!"
Fri_Jan_17
Refs: 1. Book: Security Power Tools
2. http://blog.csdn.net/magod/article/details/6171633
Chap 1: Law Issue
chap 2: Net Scan
1. imap -> Internet Message Access Protocol
2. TCP / UDP scanning
TCP [6 types]: SYN, ACK, PSH, URG, FIN, RST
UDP [2 types]: empty scan, protocol data scan
3. Three Tools:
1. Nmap: *****
2. Unicornscan: ***
3. Scanrand: ***
4. Ports to Scan: e.g. 80 HTTP, 21 FTP.
5. Target: e.g. 192.175.1.20, 192.15-42.42.1,35,42
6. IDS -> Intrusion Detection System
IPS -> Intrusion Prevention system
7. fingerprint => identifying the application listening on that port
8. os scan
9. idle scan
chap 3: Hole Scan
1. Nessus: *****
2. WebInspect: *** [only for Windows]
1. Tools:
1. HTTP Editor
2. SPI Proxy
3. SQL Injector
4. SPI Fuzzer
chap 4: LAN Searching
1. map the ethernet
2. Tools:
1. Ettercap
2. Arpspoof
3. p0f
4. tcpdump
5. dsniff
3. ARP poisoning
4. macof -> MAC overflow (MAC flooding)
5. Bridged Sniffing
chap 5: Wireless Searching
1. Wardialing
2. Wardriving
3. 802.11 Network Essentials:
1. Types: Infrastructure, Ad hoc
2. BSSID, ESSID, SSID: SSID -> Service Set Identifier
3. frame types: data frames, control frames, management frames (Beacon, Probe Request, Probe Response, Disassociation and Deauthentication…)
4. Tools:
1. Netstumbler: [for windows]
2. Kismet: [bonus: GPS support in Kismet via gpsd]
1. Track Loc
2. Build Map
3. Wireshark: *****
4. AirDefense Mobile
5. AirMagnet
6. Airopeek
7. KisMac
chap 6: Create Packet
1. Why? — For testing, etc.
2. e.g.: Ping of Death
[On Win 95]: >>ping -l <A_BIG_NUM> <TARGET>
3. Tools:
1. hping, hping2, tcl
2. Scapy: *****
3.
4. QoS -> Quality of Service
5. ICMP -> Internet Control Management Protocol
6. NAT -> Network Address Translation
7. Firewall <–> Firewalking
chap 7: Metasploit
1. Tools:
1. Metasploit
2. Meterpreter
2. NOP -> [?]: NOP generator
chap 8: Wireless Penetration
1. Airtap
2. WEP -> Wireless Equivalent Privacy
=> TKIP -> Temporal Key Integrity Protocol
3. WPA -> Wifi Protected Access [WPA-v1]
4. WPA2 -> WPA [?]
5. WPA-PSK -> WPA PreSharedKey
6. Tools:
1. Aircrack: *****
FMS (initials of its three authors) Attack, KoreK Attack
Aircrack-ng suite = aircrack-ng + airdecap-ng + airmon-ng + aireplay-ng + airodump-ng + some other tools
2. Airpwn
3. Karma
chap 9: Penetration Framework App:
1. Faster to deploy, easier to use
2. Tools:
1. Core Impact
2. Canvas
3. Metasploit
4. Security Forest [ Open Source ]
chap 10: D.I.Y
chap 11: Backdoor
VNC, BO2k…
chap 12: Rootkit
NAT -> Network Address Translation
Inner: 192.168.x.x; 172.16,32.x.x; 10.x.x.x (these 3 IP ranges are specially reserved for internal networks)
chap 13: Host Harden
chap 14:
chap 15: Communication Safety
1. Telnet -> rsh(remote shell) -> rlogin(remote login)
=> SSH(Secure Shell):
1. RSA, DSA; AES, Blowfish, 3DES, CAST128 => encryption (asymmetric; symmetric)
2. MD5, SHA => check integrity
3. Gzip => compression
2. SSH on Windows:
1. Cygwin
2. PuTTY
3. WinSCP
4. SecureCRT
chap 16: Email Safety and Anti Spam
1. Norton (by Symantec Corp.)
2. …
chap 17: Dev Safety Test
1. Tcpreplay
2. Traffic IQ Pro
chap 18: Packet Capture
1. tcpdump
2. BPF filtering [?] [Berkeley Packet Filter] or [Band-pass Filter]
3. Ethereal / Wireshark
4. TShark
5.
chap 19: Network Monitor
1. NIDS -> Network Intrusion Detection Sensors
2. Snort
1. Three modes:
1. NIDS
2. NIPS ('P' stands for "Prevention")
3. Packet Sniff
2. …
3. HoneyPot
4. honeyd as “tar pit”
chap 20: Host Monitoring
1. hash integrity -> avalanche effect
2. most popular hash function: SHA-1 & MD5
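The avalanche effect noted above is what makes a digest useful for host-monitoring integrity checks: change one bit of the input and roughly half of the output bits flip, so a tampered file never "almost" matches its recorded hash. The following added example (not from the book or this page) demonstrates both points with the two functions named here, SHA-1 and MD5, using the standard library `hashlib`; the sample message and the bit position are constructed for illustration.

```python
import hashlib
from typing import Tuple

# Constructed sample content standing in for a monitored file.
ORIGINAL = b"The quick brown fox jumps over the lazy dog"


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of data with a single bit flipped (bit 0 = LSB of byte 0)."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def hamming_distance(a: bytes, b: bytes) -> int:
    """Count the bits that differ between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche(algo: str, data: bytes, bit_index: int = 0) -> Tuple[int, int]:
    """Hash data and a one-bit variant of it; return (differing bits, digest bits).

    For a well-behaved hash the first value sits near half of the second.
    """
    h1 = hashlib.new(algo, data).digest()
    h2 = hashlib.new(algo, flip_bit(data, bit_index)).digest()
    return hamming_distance(h1, h2), len(h1) * 8


def record_digest(algo: str, data: bytes) -> str:
    """Baseline step of a host-integrity monitor: store the hex digest of known-good content."""
    return hashlib.new(algo, data).hexdigest()


def verify_integrity(algo: str, data: bytes, expected_hex: str) -> bool:
    """Check step: does the current content still match the recorded digest?"""
    return hashlib.new(algo, data).hexdigest() == expected_hex


if __name__ == "__main__":
    for algo in ("sha1", "md5"):
        changed, total = avalanche(algo, ORIGINAL)
        print(f"{algo}: one input bit flipped -> {changed}/{total} digest bits changed")
    baseline = record_digest("sha1", ORIGINAL)
    print("untouched content verifies:", verify_integrity("sha1", ORIGINAL, baseline))
    print("tampered content verifies:", verify_integrity("sha1", flip_bit(ORIGINAL, 3), baseline))
```

Running it prints a change count near 80 of 160 bits for SHA-1 and near 64 of 128 for MD5, and shows the baseline/verify pair rejecting the one-bit modification. Both SHA-1 and MD5 are noted in the book as the popular choices of the time; collision attacks have since been published for both, so a current integrity monitor would record a SHA-2 digest instead, but the avalanche behaviour shown here is the same.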
chap 21: Forensic Tools
1. Netstat
2. Forensic Toolkit
3. Sysinternals
4. RootkitRevealer: to find Revealer
5. TCPView: like "gNetstat"
6. Process Explorer
chap 22: Process Fuzzing
1. Flipper: bit flipper
2. Spike: fuzzing framework
3. Spike API
4.
chap 23: Bit Tracks
1. Interactive Disassembler
2. Sysinternals
3. OllyDbg