@Jean-Marcel-Belmont great question, the Kali machine does not offer the clipboard or access to the local clipboard. This means that for the Kali exercises you will need to type out the commands. This can be cumbersome at times but will help with memorization of the concepts.

@Donald-Muncy , I hope all is well. The recent update to the NIST password standards (SP) 800-63-3 is all about simplifying password management for users by leaving out overly complex security requirements.

What are the NIST password requirements?

Set an 8-character minimum length.
Change passwords only if there is evidence of compromise.
Screen new passwords against a list of known compromised passwords.
Skip password hints and knowledge-based security questions.
Limit the number of failed authentication attempts.

What are the NIST password recommendations?

Set the maximum password length to at least 64 characters.
Skip character composition rules as they are an unnecessary burden for end-users.
Allow copy and paste functionality in password fields to facilitate the use of password managers.
Allow the use of all printable ASCII characters as well as all UNICODE characters (including emojis).

The idea is that if you are using the totality of the requirements list, then you should/would be implementing policy as part of the approach, as these would be driven via policy.

If an organization is not using policy to drive security practice, there are broader issues that have to be addressed vis-a-vis the risk posture of that organization.

It is not about how long the password may go unchanged; it is about the protective ecosystem taht surrounds the use and management of that password over its lifecycle.

Cheers,

Adam

@Scott-Fenn I do the same thing. It's always a great way to pick up a new technique, tool, or tactic. Again, I'm really glad that you're enjoying my stuff. Cheers!

Congrats! thats kind of a big deal. I suspect that exam will not be easy when I get to it.

@daniel-lowrie87 Thanks my friend, just know what you do everyday changes lives like mine. Many thanks brother..

Brian

I just wrote the beta exam after using the ISC2 materials. I was not that impressed. A good Security+ course (Like ITPro.TV) has better content and their actual video provider is not great either.

The exam was very similar to the Security+, but without the simulation questions, it was just multiple choice.

I now have to wait 8 to 12 weeks to find out how I did :(

Thanks so much, Adam!

I appreciate the information!

Best,
Rahul

@Cassandra-Turner another thing to consider is that CentOS 7 is the last of the traditional CentOS distributions. Moving forward it will be known as CentOS stream and will be closer to the bleeding edge of features (more like Fedora), however, if you would like to download a distribution that allows you to continue to use the RHEL-like features in CentOS, then I would recommend moving over to Alma Linux. You can find this distro here: https://almalinux.org/

Hi Ronnie,

Great question – IMO this one is more of an art than a science, you have to recon the target organisation and tailor your approach based on your best estimation of the tech they’re going to have up against you!
Basically though, you’ve made the key point - less scanning = less noise… here’s some benefit of my experience, I'm sure Dan will also have some great ideas!

I’m assuming you’re talking more about an internal assessment here, so - once you’re inside a target network, one of the best ways to minimise the number of actual connections we make is to thoroughly enumerate the hosts on the network before we start port scanning – by default Nmap will run a ping (ICMP) scan to determine which hosts exist on the network before starting a more intense port scan against the hosts which are then known to exist. If you don’t have nmap on the box (likely) or don’t want to put any of your own binaries on to the machine (sensible) you can also run a simple ping scan from within bash itself.

This does reduce the amount of “noise” on the network and gives you a lot of useful information, but it only works if the hosts respond to pings! By default, windows boxes don’t – but Linux ones do. If we happen to know the environment is all Nix it’s a fair guess that well get a response from most of the machines on the network (of course, they might be configured not to respond)… if it's a mixed or windows environment you could use a tool like hping3, or even better if we have access to a network device perhaps we can listen on the wire and see who’s “talking”. Checking the arp tables on any box you have compromised will also provide you with information on some “live” IP’s on the network. Gathering this information first helps you to establish possible targets, and then use more selective port scanning to reduce “noise” overall.

Once you are as far along as actually doing some port scanning, there’s a few options to make things less obvious – firstly, you can again use a targeted approach. By default, Nmap scans the top 1000 ports (that is to say the top 1000 most used ports, not ports 0-999) but we could be even more selective than this… which services are the most likely to provide an attack vector? HTTP(S)… SMB…FTP… and so on, so you can begin by running a small port scan against only those services – then broaden out from there.

Of course, there’s nothing to say a crafty admin did not bind FTP to another port… but let’s say he did, admins don’t want to make their life harder than it needs to be, so perhaps it’s not on 21… how about on 2121?... SSH on 222 ohhhh, I see what you did there 😉
Working like this takes longer than just running a full blown -p – to scan every port on the machine but it’s also much stealthier.

In theory, using a syn scan, rather than a connect scan is also stealthier (since the syn scan does not complete the TCP handshake, some (very crude) logging systems might not note the connection) – however today this isn’t really true anymore. You’ll also need sudo rights to run nmap in syn scan mode, so you’ll find that in practice you’re often forced into using a connect scan anyway. Options like the FIN scan could also work, perhaps some logging or monitoring software will miss that..might get through a simpler firewall… but against a half way modern IDS/IPS/SIEM system you need to assume the more you do, the greater your chance of getting noticed no matter how crafty you get with your nmap options.

Ultimately, if you have to scan off of a “normal” host inside a network which does not normally run those kinds of scans you are always going to be doing something unusual which should be picked up - simply keeping your scanning as minimal as possible, and going “low and slow” (so, let’s not use -T5) is your best bet of staying below the threshold at which some kind of alert triggers. Getting logged is not always a problem - getting logged enough that someone gets an alert is a problem.

It comes back to enumeration, enumeration and enumeration though because perhaps you aren’t operating from a “normal” workstation, web server etc… if you manage to compromise a system which is actually used for something like network administration, it might be totally normal for nmap to be run on that system – windows system with zenmap installed… non security focused linux distro with nmap installed – there’s a good chance that’s there for a reason and a good chance that scanning from that system won’t be unusual. Take it further - If nmap is there for a purpose there’s also a reasonable chance that there are copies of scans already stored on that host somewhere, so perhaps you don’t even need to scan now 😉

Hope at least some of that is helpful – it’s a great question, keep hacking! 😊

Thanks so much for your help Guys! 🙂

@daniel-lowrie87
for instance I have a client that his company called abc.com and if I want to scan over the internet a specific IPs that belong to a company abc.com thier internal network is it possible .
sinerio that could be happaned that my client want to to know if from outside some can attack.
I know that this case it's half work because mosts of the attacks occure from inside for several reason eployee that got fired or his boss made him anger and he want a revange.
but I'm looking from the outside because this case most of the people think that the probability to occurs is the highest one.
finally the job has to be done and I want to having a deal with more companies.
For now I just building myself to work as self empoyed in this field.

Hello @daniel-lowrie87 - thank you so much for your answer! The Metasploitable2 I found on the videos and some of the scans, but forgot about the other two - for sure will help to add to the "stock" of vulnerable devices!

Thank you again for your time and excellent details on the CEH course!

@Taylor-Armstrong , I hope all is well. Short answer here to your question, but feel free to be in touch directly if you would like to discuss further.

While it is hard to say definitively, as CompTIA does not publish specific guidance that indicates one way or the other, it is fair to assume that it would be very hard to pass an exam that has Performance Based Questions without getting some of them right.

The PBQ's/scenarios are tied to exam objectives, as are ALL of the questions in some way. The PBQ's/scenarios are usually tied to exam objective sections that start with "Given a scenario..."

My direct e-mail is: adam@itpro.tv

Good luck !!!

Cheers,

Adam

@daniel-lowrie87
Daniel - many, MANY thanks! (I'm watching you and Wes right now CySA+) I'm a "Noob" so my questions might be confusing. I have Kali set-up on Oracle's "Virtual Box" on my laptop. I've tried downloading the "bee-box" on that but again, no go. I believe my problem is not understanding, "...configure that VM on a private/host-only virtual network"...
Anyway, thank you again for your response, I will try the link you sent...because...well, just maybe...

Hi @Stephen-Ott ,
Which version you take depends on your personal timelines and comfort with the various domains. In the 2022 CISM, the domains will remain largely the same, with some language variation. However, questions will be weighted more heavily in favor of infosec programs and incident management. The 2019 exam expires on May 31st.

If you need to earn the CISM by June, the 2019 CISM course in ITProTV remains relevant and a good preparation resource https://app.itpro.tv/course/cism-2019/overview-cism-2019 . You can begin, or continue your preparation.

The conventional wisdom on exam prep is that if you have already started preparing for an exam, don't stop. If you can be ready to sit the 2019 exam before it expires, continue your preparation. If you do not feel that timeline is realistic, the good news is that exam registration is good for 12 months. Depending on when you registered (if you have registered yet to sit the exam already) you are afforded a good amount of time to work with the new materials.

Greetings, @ronnie-finkel

From the Nmap book about Zombie/Idle scans...

"Idle scan, as it has become known, allows for completely blind port scanning. Attackers can actually scan a target without sending a single packet to the target from their own IP address! Instead, a clever side-channel attack allows for the scan to be bounced off a dumb “zombie host”. Intrusion detection system (IDS) reports will finger the innocent zombie as the attacker."

You can learn more at...

https://nmap.org/book/idlescan.html

I hope that helps!
Daniel

@daniel-lowrie87 thanks

It's from pasting in the forum. In my key file are no newlines.

After some contemplation of this issue I found the following article
how-to-convert-openssh-to-ssh2

Might be that I have to convert it somehow to a standard ssh format in order to log into the machine.

ssh-keygen -e -f path/to/opensshprivate.key > path/to/ssh2privatekey/ssh2privatekey

So I tried to use the formula mentioned in the article to no avail.

ssh-keygen -e-f /home/user/id_rsa > /home/user/standardsshkey.txt
Load key "/home/user/id_rsa": invalid format

Guess the Meta machine at HTB keeps the user flag heavily guarded...

Hi Ronnie,

Labs are only available on the Premium plans, yes. If you have any further questions about upgrading your account, please chat in to our support team via the orange chat bubble on the site.

Tom M
ITProTV Member Services