SY0-601 Operations and Incident Response Study Guide for the CompTIA Security+

Page 1

General Information

Since this section is all about dealing with security incidents in your operation, it makes sense that 60% of the questions begin with a scenario. This study guide will provide vital information for use in making a decision. Questions about operations and response make up less than some other topic areas—only about 16% of the entire CompTIA Security+ test. But don’t take this as license to skip studying these topics. You’ll need knowledge from all five of the subject areas to earn a passing score on this test.

Tools to Assess Organizational Security

The Security+ exam specifies specific tools you should be familiar with. Make sure you have a basic understanding of how these tools are used, what system(s) they are designed for, and what the tools can do from a security standpoint. Questions about this section will be scenario based and require you to give the appropriate tool for the situation.

Network Reconnaissance and Discovery

There are tools specifically designed to provide insight into the activity occurring on a network. These tools provide a method for reconnaissance and discovery of traffic flows on the network.

Note: Many of these commands are available on both Windows and Linux machines. The functionality of specific flags used in conjunction with the commands, however, can vary between systems.

tracert/traceroute—Both the tracert and traceroute commands are route-tracing commands that provide the executor of the command the path the traffic takes through a system, including the IP addresses of each hop in a path. The ‘tracert’ command is used on Windows machines and sends Internet Control Message Protocol (ICMP) packets to each stop along the path, reporting results. The traceroute command is used with Linux machines and uses User Datagram Protocol (UDP) packets to perform the same function.

nslookup/dig—The nslookup and dig commands are both used for discovering Domain Name System (DNS) information, providing either the IP address if a domain name is entered or vice versa. The nslookup command is used on Windows machines, and the dig command is used on Linux machines.

ipconfig/ifconfig—The ipconfig and ifconfig commands show the current Transmission Control Protocol/Internet Protocol (TCP/IP) network configuration of the machine they are run on. Both commands show information such as IPv4 and IPv6 addresses, media access control (MAC) addresses, connection speeds, subnet masks, and broadcast domains. The ipconfig command is used with Windows machines, and the ifconfig command is used on Linux machines.

Nmap—Nmap is a port scanning tool that allows a network technician to identify the devices, services and service versions, and operating systems (OSs) on the network. A basic Nmap scan will show the port, the state of the port (open/closed), and the service running on that port. Nmap is available for use on both Linux and Windows machines as a downloadable tool.

ping/pathping—The ping and pathping commands identify whether a system is on and the latency of the system response. The ping command sends an ICMP echo request packet to the target systems and records response time. The pathping command also uses ICMP echo request packets, but it sends multiple packets of a duration of time to gather additional information on the system’s response. The ping command is available for use on both Windows and Linux machines, while the pathping command is only for use on Windows machines.

hping—The hping command is a TCP/IP packet analyzer tool available for use on both Windows and Linux machines. The hping command works similarly to the ping command, but it allows the additional functionality of creating a custom packet for transmission as well as the ability to spoof the sending IP.

netstat—The netstat command provides network statistics for the TCP protocol and is available on both Linux and Windows machines. Netstat details information such as routing tables, the state of the TCP connection, and the local and remote address of the connection.

netcat—Netcat (the nc command) is a tool available on both Linux and Windows machines that can provide multiple facets of information on a network. Netcat can be used for port scanning, banner grabbing, and port listening, or it can be used for the creation of a local or remote shell for file transfers, raw connections, or even web interactions.

Internet Protocol (IP) scanners—An IP scanner is a generalized term for tools that scan IP traffic on a network to discover information about the traffic flowing through the network. IP scanners can be bundled in a network management solution or they can be standalone.

arp—The arp command shows information about the Address Resolution Protocol (ARP) table on the host machine. The arp command can also be used to modify the ARP table and is available on both Windows and Linux machines.

route—The route command is used for modifying and displaying information about a system’s routing tables. The route command is available on both Linux and Windows machines.

curl—The curl command is a Linux command that is used to transfer data via a URL and is frequently used to manually execute commands, such as HTTP get, or with other protocols that are URL based.

theHarvester—TheHarvester is an open-source information-gathering tool that can be used on both Linux and Windows machines. TheHarvester gathers information on a target, such as email addresses, domains, subdomains, and open ports, from public sources like search engines, public servers, and social media sites.

sn1per—Sn1per is an information-gathering tool that combines the functionality of multiple tools into a single platform, including reconnaissance tools, port scanning, network mapping, and brute-force attempts. Sn1per is designed for the automation of penetration testing.

scanless—The scanless tool can be used on either Linux or Windows machines and is designed to leverage outside port scanners for network information. Scanless provides data similar to Nmap but from an outside-the-network perspective.

DNSenum—DNSenum is used for finding DNS servers and domain entries. DNSenum has the added functionality of being able to target a specific DNS server and is used primarily on Linux machines.

Nessus—Nessus is a vulnerability-scanning tool available on both Windows and Linux machines that performs the functions of Nmap and beyond. Nessus not only identifies open ports and protocols, but it also identifies whether the port is vulnerable and provides insight and suggestions as to the vulnerability.

Cuckoo—Cuckoo (or Cuckoo Sandbox) is a tool used for the automation of malware analysis in a contained environment. Once malware is identified on a Cuckoo-enabled system, Cuckoo automatically analyzes the threat and reports its findings. Cuckoo is available on both Windows and Linux systems.

File Manipulation

File manipulation is the process of making changes or alterations to a file or the permissions attached to the file. There are multiple commands that can be used for file manipulation.

head—The head command shows the first 10 lines of a file and can be used on Linux and Windows machines. The -n flag can be used to alter the number of lines shown. The head command is often used to get an idea of what a file contains.

tail—The tail command functions the same way as the head command, except it shows the last 10 lines in a file. The tail command is often used on frequently changing files, such as logs, and can be used on both Linux and Windows machines.

cat—The cat command, short for concatenate, is used to view the contents of a file and can also be used to append a file to other files, among other functions. The cat command can be used on both Windows and Linux machines.

grep—The grep command is used to search for a specified pattern, such as text or expressions, within files. The grep command can be combined with flags to pull specific information from files as well as a set amount of lines surrounding the text string. The grep command can be used on both Linux and Windows machines.

chmod—The chmod command is used to set permissions on files and directories. The permissions are set using either a symbol, such as - - x, or a numerical representation, such as 1, both of which can be used for execute. The chmod command can be used on both Linux and Windows machines.

logger—The logger command is used to add information to the syslog file and is not as commonly used as the other commands specified. The logger command can be used on Linux and Windows machines.

Shell and Script Environments

A shell is the user interface that provides command-line interactions between the user and the OS. The script is a set of commands used for process automation that would otherwise have to be inputted individually by a programmer. Shell scripts are the types of scripts that can be used within a shell. Put simply, the script is the language the shell understands.

Secure Shell (SSH)

SSH is a secure protocol used to access a system. The term SSH is also used to describe the client using the SSH protocol for connection. Once connected via SSH, the client can communicate with the OS through whatever shell environment the OS is using.


PowerShell is a Windows proprietary command-line tool that provides management and configuration capabilities to the Windows OS.


Python is a scripting language that provides the ability to perform system maintenance and management for compatible OSs. Python can also be used to automate complex tasks. Both Windows and Linux machines can use Python, and many of the tools previously mentioned use the Python language, such as theHarvester and scanless.


OpenSSL is an open-source tool that secures the TLS protocol and is used for protecting HTTPS traffic. OpenSSL is often used when tunneling through SSL or when a VPN is not a viable option.

Packet Capture and Replay

Packet capture is collecting IP packets for analysis or review, while packet replay is sending a captured packet back out, either as it was originally captured or modified. Various tools can be used for packet capture and replay.


Tcpreplay is a tool that can replay collected packet captures, such as captured attack packets. It is commonly used to test security devices to see if security triggers are activated. It is used with Linux systems.


The tcpdump command is used to capture TCP traffic on Linux machines. It also allows you to set filtering and output options for the captured data, storing these captures in a PCAP file.


Wireshark is a tool that provides packet capturing, filtering, and analysis in a user-friendly graphical user interface (GUI). Wireshark is a very common tool in cybersecurity and can be used for more in-depth analysis of network traffic, including the ability to capture and analyze voice over Internet Protocol (VoIP) and wireless packets. Wireshark can be used on both Linux and Windows machines.


Digital forensics is the use of tools and techniques to analyze what has occurred in a network, system, or device. Digital forensics is used in incident response, to meet legal requirements, and for internal investigations.


The dd command is a forensic command-line utility used on Linux machines to create images. This command is combined with an input location, if, and an output location, of, with an additional flag that specifies what you want the command to do with the data collected, such as make a full copy including errors. To ensure a valid image, a hash can be added to the dd command to ensure data integrity.


Memdump is a Linux tool that is part of the Volatility framework for Linux forensics. Memdump captures the physical Linux memory via the command line and dumps it into the standard output stream (outputs on the display).


WinHex is a Windows disk editing tool that provides the ability to view disk data in hexadecimal format as well as search, view, and edit the pulled data. WinHex can also provide cloning capabilities and secure wipes.

FTK Imager

FTK Imager is a third-party forensic image creation tool that is compatible with multiple forensic formats, such as raw (DD) formats, to allow for that information to be used across multiple forensic platforms for analysis. FTK Imager supports physical and logical drives, image files, folders, and CD/DVD volumes, among others.


Autopsy is a digital forensics tool that provides information on data contained in a storage device or image file through a GUI. Autopsy also has the ability to recover and view data and can be used on both Windows and Linux machines.

Exploitation Frameworks

An exploitation framework is a software package that contains tools that can be used to attack a system or network. Exploitation frameworks are often used in cybersecurity to test for vulnerabilities in a system or network. One of the most common exploitation frameworks is Metasploit.

Password Crackers

A password cracker is a tool that attempts to discover a password. Password crackers range from very simple brute-force attacks based on a predefined list to highly complex crackers that use techniques such as rainbow tables. Common password crackers include John the Ripper and Hashcat.

Data Sanitization

Data sanitization is completely removing data from a drive. Data sanitization can be done on an entire drive or on a single file. The goal of data sanitization is to make data completely unrecoverable. Data sanitization can be achieved through physical destruction, erasure, cryptographic erasure, or data masking, with some methods being more effective than others.


All Study Guides for the CompTIA Security+ are now available as downloadable PDFs