CPSA
Minimum password age.
Here you can enforce the minimum period a password must be in use before the user is allowed to change it. You can set a value between 1 and 998 days, or allow immediate changes by setting it to 0. The default is 1 on domain controllers and 0 on stand-alone servers. On its own the setting does not make passwords stronger, but it backs up password history: with a minimum age of 0 a user can change the password 24 times in a row to flush the history and return to the old favourite, so set it to at least 1 day wherever password history is enforced.
PGP
PGP is an alternative to S/MIME and provides the same services: signing and encryption of mail. It is a little less convenient to use because it is not built into the mail client the way S/MIME is; it is installed as a separate program or plug-in. It is less flexible than S/MIME in how the security services can be combined: PGP applies them in a fixed order, so signatures are computed on the unencrypted data and the signed data is then compressed and encrypted. PGP output is radix-64 (base64) encoded and carried inside an RFC 822 message body, or as PGP/MIME body parts. OpenPGP supports 3DES, CAST5, IDEA, AES and others for bulk encryption with symmetric algorithms; it uses RSA and ElGamal for public-key encryption of the session key, and SHA-1, MD5, the SHA-2 family and others for hashing. Signature algorithms are RSA, DSA (DSS), ECDSA and others. MD5 and SHA-1 are broken for signatures and should not be selected today.
Passive Operating System Fingerprinting
Passive fingerprinting analyses packets that a host sends on the network anyway (TTL, TCP window size, option ordering and so on). The fingerprinting tool acts as a sniffer and puts no traffic of its own on the wire, so the target cannot detect it, but it only works for hosts whose traffic you can see.
Tools:
· NetworkMiner
· p0f
· Satori
Network Sweeping Techniques to prioritise a target list and potential for false positive
Ping sweep: $ nmap -sn [ip] (older releases: $ nmap -sP [ip])
TCP connect port scan: $ nmap -sT [ip]
UDP port scan: $ nmap -sU [ip]
Top 10 ports: $ nmap --top-ports 10 [ip]
Service/version scan: $ nmap -sV [ip]
No ping (treat every host as up): $ nmap -Pn [ip]
Scan all ports: $ nmap -p1-65535 [ip] or $ nmap -p- [ip]
Script scan: $ nmap --script=... [ip]
Prioritise hosts with confirmed open ports and version banners; hosts that only appear because of -Pn, and UDP ports reported open|filtered, need a second look before they go on the target list.
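As an added example (not from these notes and not Nmap's own code), the Python below parses Nmap's grepable output (-oG) and ranks hosts for follow-up: confirmed open TCP ports with a version banner score highest, UDP ports reported open|filtered only count as a hint, and a host that is "Up" with nothing confirmed open is flagged as a probable -Pn false positive. The scan text embedded in it is constructed by hand in the -oG layout; real output comes from nmap ... -oG file.

```python
"""Rank hosts from Nmap grepable output (-oG) and flag likely false positives.

Added example for these notes, not code from Nmap. SAMPLE_GNMAP is constructed
by hand in the -oG layout; for a real scan pass the contents of an -oG file to
prioritise().
"""
import re
from dataclasses import dataclass, field

# Constructed sample: three hosts from an imaginary `nmap -Pn -sS -sU -sV -oG -` run.
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -Pn -sS -sU -sV -oG - 10.0.0.0/29
Host: 10.0.0.5 (web.example.test)\tStatus: Up
Host: 10.0.0.5 (web.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 7.9p1/, 80/open/tcp//http//Apache httpd 2.4.38/, 443/closed/tcp//https///\tIgnored State: filtered (997)
Host: 10.0.0.6 ()\tStatus: Up
Host: 10.0.0.6 ()\tPorts: 53/open|filtered/udp//domain///, 161/open|filtered/udp//snmp///\tIgnored State: closed (998)
Host: 10.0.0.7 ()\tStatus: Up
Host: 10.0.0.7 ()\tIgnored State: filtered (1000)
# Nmap done at Mon Jan  1 10:00:05 2024 -- 8 IP addresses (3 hosts up) scanned in 5.00 seconds
"""

HOST_RE = re.compile(r"Host: (\S+) \(([^)]*)\)")


@dataclass
class Host:
    ip: str
    name: str = ""
    status: str = ""
    ports: list = field(default_factory=list)  # (port, state, proto, service, version)
    ignored: str = ""                          # e.g. "filtered (997)"


def parse_gnmap(text):
    """Return {ip: Host}. Each 'Ports:' entry has seven '/'-separated fields:
    port/state/protocol/owner/service/rpcinfo/version (version may be empty)."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        host = hosts.setdefault(m.group(1), Host(ip=m.group(1), name=m.group(2)))
        for fld in fields[1:]:
            key, _, value = fld.partition(": ")
            if key == "Status":
                host.status = value
            elif key == "Ignored State":
                host.ignored = value
            elif key == "Ports":
                for entry in value.split(", "):
                    parts = entry.split("/", 6)
                    if len(parts) < 7:
                        continue
                    port, state, proto, _owner, service, _rpc, version = parts
                    host.ports.append((int(port), state, proto, service, version.rstrip("/")))
    return hosts


def prioritise(text):
    """Return [(ip, score, flags)] sorted by descending score. Confirmed open TCP ports
    with a banner score highest; open|filtered (no reply at all) only counts as a hint."""
    ranked = []
    for host in parse_gnmap(text).values():
        score, flags = 0, []
        for port, state, proto, _service, version in host.ports:
            if state == "open":
                score += 3 if proto == "tcp" else 2
                if version:
                    score += 1  # banner seen: the service really answered
            elif state == "open|filtered":
                score += 1
                flags.append(f"{port}/{proto} open|filtered: no reply, may be a firewall")
        if host.status == "Up" and score == 0:
            flags.append("'Up' but no confirmed open port: probable -Pn false positive")
        ranked.append((host.ip, score, flags))
    ranked.sort(key=lambda item: (-item[1], item[0]))
    return ranked


if __name__ == "__main__":
    for ip, score, flags in prioritise(SAMPLE_GNMAP):
        print(f"{ip:<12} score={score:<3} {'; '.join(flags)}")
```

The weights are deliberately simple; the point is that the ranking is driven by evidence of a real reply (open state plus a banner), not by the host merely being listed as up.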
DNS Zone Transfer
Zone transfers replicate DNS databases across a group of DNS servers. DNS is primarily served over UDP port 53 when answering queries; authoritative name servers also listen on TCP port 53 to serve zone transfers (AXFR) and other large responses. A DNS zone file contains all the naming information the server holds for a specific domain. If a server allows transfers to anyone, a zone transfer retrieves details of non-public internal hosts and other information that helps build an accurate map of the target infrastructure. The most effective way to request a zone transfer from a specific server is to use dig (or host, as in the axfr example later in these notes). Servers should restrict transfers to their own secondaries; a public server that answers an AXFR from an arbitrary client is a finding in itself.
Telnet
Telnet is a plaintext remote management service that provides command-line shell access to many server operating systems, including Unix and Windows, and to devices such as Cisco routers and managed switches. From a security perspective the protocol is weak because all data, including authentication details, is transmitted in plaintext and can be sniffed by anyone on the network path. Once a user is authenticated, the session can be hijacked and commands injected into the underlying operating system by an attacker on the same network segment. Replace it with SSH wherever possible and restrict any remaining Telnet management interfaces to a dedicated management network.
Finger
This command enumerates all user accounts whose name contains the string user. Alternatively, you can substitute other words for user, such as admin, account and project.
TCP
Transmission Control Protocol
SMTP
Using the VRFY and EXPN commands you can enumerate valid user accounts (VRFY) and the membership of mail aliases and lists (EXPN) on the mail server. A hardened server answers 252 (cannot verify) or 502 (command not implemented) instead of confirming or denying a name.
Enforce password history
This policy ensures that users cannot cycle back to old passwords. The setting determines how many unique new passwords must be associated with a user account before an old password can be reused. You can set any value between 0 and 24. The default is 24 on domain controllers and 0 on stand-alone servers. It is only effective together with a non-zero minimum password age; otherwise a user can change the password 24 times in one sitting and reuse the old one.
RSA (Rivest, Shamir and Adleman)
RSA is an asymmetric (public-key) algorithm. Public-key operations are slow and limited to short messages, so in practice a file is encrypted with a symmetric-key algorithm under a random session key, and only that session key is encrypted with RSA (hybrid encryption).
Networking Protocols
· ARP: resolves IP addresses to MAC addresses on the local segment
· DHCP: hands out IP addresses (and gateway and DNS settings) on the network
· CDP (Cisco Discovery Protocol): a proprietary data link layer protocol developed by Cisco Systems. It is used to share information about directly connected Cisco equipment, such as the operating system version and IP address
· HSRP (Hot Standby Router Protocol): a Cisco first-hop redundancy protocol that lets several routers share one virtual gateway address so that a standby router takes over if the active one fails
· VRRP (Virtual Router Redundancy Protocol): the standards-based equivalent of HSRP; it provides automatic assignment of a virtual router's IP address to one of a group of physical routers
· VTP (VLAN Trunking Protocol): a Cisco proprietary protocol that propagates VLAN definitions to every switch in the VTP domain
· STP (Spanning Tree Protocol): prevents layer 2 loops by blocking redundant links
· TACACS+: Cisco's AAA (authentication, authorisation, accounting) solution for device administration
Desktop Lockdown
· Gain access to a dialog box
  o cmd
  o shortcuts (ftp)
  o Help dialogs
· Abuse the dialog box to gain command execution
· Abuse command execution to escalate privileges
https://www.gracefulsecurity.com/windows-desktop-breakout/
Windows vulnerabilities Exploits
· MS08-067: Server service (SMB) remote code execution
· MS09-050: SMBv2 remote code execution
· MS10-054: SMB server remote code execution
· MS14-060: Microsoft Windows OLE Package Manager Code Execution (Metasploit module, released 2014-10-20, win32, local)
· MS15-078: OpenType font driver (ATMFD) privilege escalation / code execution
· MS16-032: Secondary Logon Handle Privilege Escalation
· MS16-016: mrxdav.sys WebDAV Local Privilege Escalation
NetBIOS Name
$ nbtstat -A [ip]
Double encapsulation VLAN hopping attack
Basic V LAN hopping (switch spoofing via DTP) is defeated by turning trunk negotiation off, so attackers use double tagging instead. The attacker, on a port in the trunk's native VLAN, sends a frame carrying two 802.1Q tags: an outer tag for the native VLAN and an inner tag for the target VLAN. The first switch strips the outer tag, because native-VLAN traffic leaves a trunk untagged, and forwards the frame with only the inner tag; the second switch reads that tag and delivers the frame into the target VLAN. The attack is one-way (replies cannot come back) and only works when the attacker's access VLAN is the trunk's native VLAN, so the mitigations are to use an otherwise unused VLAN as the native VLAN on every trunk and to tag native-VLAN traffic.
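The frames involved, as an added Python example that is not part of these notes: it builds a frame with two stacked 802.1Q tags, models the first switch stripping the native-VLAN outer tag as it forwards onto the trunk, and reports which VLAN the second switch delivers into, with and without the two mitigations. The MAC addresses, VLAN IDs and payload are made up.

```python
"""Build a double-tagged (802.1Q-in-802.1Q) frame and model what each switch does with it.

Added example for these notes, not from any tool. The switch behaviour modelled is
the standard one: a frame belonging to a trunk's native VLAN is forwarded over the
trunk untagged, so its outer tag is removed and the inner tag is what the next switch
sees. MAC addresses, VLAN IDs and payload are made up.
"""
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def build_double_tagged(dst, src, outer_vid, inner_vid, payload, ethertype=ETHERTYPE_IPV4):
    """Frame as the attacker sends it: dst, src, [TPID,TCI] x2, EtherType, payload.
    TCI = PCP (3 bits) | DEI (1 bit) | VID (12 bits); PCP and DEI are left at zero."""
    frame = mac(dst) + mac(src)
    for vid in (outer_vid, inner_vid):
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Return (dst, src, [vid, ...], ethertype, payload), walking any number of tags."""
    dst, src, off, vids = frame[:6], frame[6:12], 12, []
    while off + 4 <= len(frame) and struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    ethertype = struct.unpack_from("!H", frame, off)[0]
    return dst, src, vids, ethertype, frame[off + 2:]


def trunk_egress(frame, native_vid, tag_native=False):
    """First switch forwarding the frame onto an 802.1Q trunk. Frames in the native
    VLAN go out untagged (outer tag stripped) unless the native VLAN is tagged as
    well (the 'vlan dot1q tag native' mitigation, modelled by tag_native=True)."""
    _, _, vids, _, _ = parse_tags(frame)
    if vids and vids[0] == native_vid and not tag_native:
        return frame[:12] + frame[16:]          # drop the 4-byte outer tag
    return frame


def delivered_vlan(frame_on_trunk, native_vid):
    """Second switch: an untagged frame belongs to the native VLAN, a tagged one to its VID."""
    _, _, vids, _, _ = parse_tags(frame_on_trunk)
    return vids[0] if vids else native_vid


def hop_result(attacker_vlan, native_vid, target_vlan, tag_native=False):
    """VLAN the frame ends up in after one trunk hop; equals target_vlan when the hop works."""
    frame = build_double_tagged("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01",
                                attacker_vlan, target_vlan, b"constructed payload")
    return delivered_vlan(trunk_egress(frame, native_vid, tag_native), native_vid)


if __name__ == "__main__":
    print("native 1, attacker in 1, unmitigated :", hop_result(1, 1, 20))        # 20: hop works
    print("native 1, attacker in 1, tag native  :", hop_result(1, 1, 20, True))  # 1: blocked
    print("native moved to 999, attacker in 1   :", hop_result(1, 999, 20))      # 1: blocked
```

The model ignores MAC learning and CRC handling, which do not affect the outcome; what matters is that the outer tag survives the first hop only when the native VLAN is neither tagged nor moved away from the attacker's VLAN.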
Minimum password length.
You can set a value between 1 and 14 characters, or allow empty passwords by setting the number of characters to 0. The default is 7 on domain controllers and 0 on stand-alone servers. Treat 7 as a floor rather than a target; current guidance favours considerably longer passwords or passphrases.
IKE has various security features:
· Authentication: both parties are authenticated, using digital signatures, public-key encryption (a challenge only the holder of the private key can complete) or a pre-shared key
· Key establishment: the Diffie-Hellman shared secret is used to derive the keys for confidentiality and integrity
· Perfect forward secrecy: if a long-term key is compromised, only the current session is endangered, because session keys come from fresh Diffie-Hellman exchanges rather than from the long-term key (which also means the shared secret must be regenerated for each session)
· Anti-clogging: denial of service is a risk because public-key operations take much processing time, so a flood of bogus requests would cause delays. IKE counters this with a cookie exchange: the responder stores no state and does no expensive computation until the initiator has proved it can receive packets at its claimed address
· Secure negotiation of the algorithms used for the secure channel, and (in main mode) identity protection, so that the true identities of the endpoints are hidden from eavesdroppers
Analysis of output from tools used to map the route between the engagement point and a number of targets.
· Querying domain WHOIS registrars
· Querying Netcraft
· DNS querying
· Forward DNS querying, e.g. nslookup
· DNS zone transfer, e.g. $ host -t axfr zonetransfer.me nsztm1.digi.ninja (zonetransfer.me is published deliberately to allow transfers for practice)
Check of NMAP for services using aggressive scanning
# nmap -sV -T4 -F insecure.org
Starting Nmap ( http://nmap.org )
Nmap scan report for insecure.org (74.207.254.18)
Host is up (0.016s latency).
rDNS record for 74.207.254.18: web.insecure.org
Not shown: 95 filtered ports
PORT    STATE  SERVICE  VERSION
22/tcp  open   ssh      OpenSSH 4.3 (protocol 2.0)
25/tcp  open   smtp     Postfix smtpd
80/tcp  open   http     Apache httpd 2.2.3 ((CentOS))
113/tcp closed auth
443/tcp open   ssl/http Apache httpd 2.2.3 ((CentOS))
Service Info: Host: web.insecure.org
Nmap done: 1 IP address (1 host up) scanned in 14.82 seconds
-sV probes open ports for version banners, -T4 selects the aggressive timing template and -F scans only the 100 most common ports.
Check for UDP connection through Netcat
$ nc -vz -u 10.1.0.100 53
Connection to 10.1.0.100 53 port [udp/domain] succeeded!
-z specifies that nc should just scan for listening daemons, without sending any data to them. It is an error to use this option in conjunction with the -l option.
Caveat: for UDP, nc reports "succeeded" merely because no ICMP port unreachable message came back. A firewall that silently drops the probe produces the same result, so a UDP "success" from nc means open or filtered, not open; confirm with a protocol-specific query (for example a real DNS lookup against port 53).
Check for UDP applications
$ sudo nmap -sU -p 3478 192.168.1.25
Starting Nmap 6.00 ( http://nmap.org ) at 2012-06-13 20:43 EDT
Nmap scan report for example.com (192.168.1.25)
Host is up (0.096s latency).
PORT     STATE         SERVICE
3478/udp open|filtered unknown
Nmap done: 1 IP address (1 host up) scanned in 1.17 seconds
open|filtered means the probe got no reply at all: the port is either open (the service ignored an empty datagram) or a firewall dropped the probe. A closed UDP port answers with ICMP port unreachable. To resolve the ambiguity add -sV so that Nmap sends protocol-specific payloads, and use --reason to see why each state was assigned.
NS (Name Server) Record
An NS record (name server record) identifies which name servers are authoritative for a zone. Resolvers query the servers listed in a domain's NS records for its other records, such as A, AAAA, MX and TXT. A zone must contain at least one NS record, and you can have as many as you like; the benefit of several is redundancy of the DNS service. For a valid configuration the NS records in the zone must match exactly the name servers delegated at the domain's registrar.
$ORIGIN example.com.
@ 3600 IN NS ns1.dynu.com.
@ 3600 IN NS ns2.dynu.com.
@ 3600 IN NS ns3.dynu.com.
@ 3600 IN NS ns4.dynu.com.
@ 3600 IN NS ns5.dynu.com.
@ 3600 IN NS ns6.dynu.com.
Network Access Control Analysis
An access control list (ACL), with respect to a computer file system, is a list of permissions attached to an object. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects. Each entry in a typical ACL specifies a subject and an operation. For instance, if a file object has an ACL that contains (Alice: read,write; Bob: read), Alice may read and write the file and Bob may only read it. Network ACLs on firewalls and routers work the same way, with addresses, ports and protocols as the subjects and operations, and should end in an explicit or implicit deny.
Set a "default deny" policy with iptables:
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
Add the accept rules you need (established connections and your own management access at minimum) before switching the policies to DROP, or a remote session will be cut off.
ICMP
Internet Control Message Protocol
IP
Internet Protocol
LM vs NTLM vs NTLMv2
LM hashing is broken: the password is upper-cased, padded to 14 characters and split into two 7-character halves that are used as DES keys, so each half can be cracked independently in minutes with rainbow tables. NTLM hashes are unsalted MD4 of the UTF-16LE password; they resist LM-style splitting but are fast to brute-force (short ones fall in hours on GPUs) and are covered by rainbow tables. NTLMv2 is a challenge-response scheme built on HMAC-MD5 over server and client challenges, so rainbow tables no longer apply, but the NT hash underneath it can still be used directly in pass-the-hash (and relay) attacks. Captured NetNTLM challenge-responses and dumped hashes can be cracked with John the Ripper or rainbow tables.
$ cat hashes.txt
$NETNTLM$1122334455667788$B2B2220790F40C88BCFF347C652F67A7C4A70D3BEBD70233
$ john hashes.txt
$ john --format=netntlm hashes.txt
Hydra online brute force against RDP (4 parallel tasks, verbose, one user, a wordlist):
hydra -t 4 -V -l IEUser -P /root/Desktop/Password/rockyou.txt rdp://192.168.56.102
Port consider blocking
MSRPC: TCP/UDP 135
NetBIOS: TCP/UDP 137-139
SMB over TCP/IP (direct host): TCP 445
TFTP: UDP 69
Syslog: UDP 514
SNMP: UDP 161/162
SMTP: TCP 25
Block these at the perimeter and between untrusted segments; they expose management, file-sharing and logging services that should never be reachable from outside.
PDC Emulator FSMO Role
The PDC emulator is necessary to synchronise time in an enterprise. Windows includes the W32Time (Windows Time) service, which the Kerberos authentication protocol requires: all Windows-based computers within an enterprise use a common time (Kerberos tolerates only a small skew, five minutes by default). The time service uses a hierarchical relationship that controls authority and does not permit loops. The PDC emulator of a domain is authoritative for the domain; the PDC emulator at the root of the forest is authoritative for the enterprise and should be configured to take its time from an external source. All PDC FSMO role holders follow the hierarchy of domains in selecting their inbound time partner. In a Windows domain, the PDC emulator role holder retains the following functions:
· Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator.
· Authentication failures that occur at a given DC because of an incorrect password are retried at the PDC emulator before a bad-password failure is reported to the user, so a recently changed password works everywhere straight away.
· Account lockout is processed on the PDC emulator.
· The PDC emulator performs all of the functions that a Windows NT 4.0 (or earlier) PDC performs for NT 4.0 and earlier clients. This part of the role becomes unnecessary once all workstations, member servers and domain controllers running NT 4.0 or earlier have been upgraded to Windows 2000; the other functions remain.
The following changes occur during the upgrade process:
· Windows clients (workstations and member servers) and down-level clients that have installed the distributed services client package no longer perform directory writes (such as password changes) preferentially at the DC that has advertised itself as the PDC; they use any DC in the domain.
· Once backup domain controllers (BDCs) in down-level domains are upgraded to Windows 2000, the PDC emulator receives no down-level replica requests.
· Those same clients use Active Directory to locate network resources and no longer require the Windows NT Browser service.
PEAP
The Protected Extensible Authentication Protocol, also known as Protected EAP or simply PEAP, is a protocol that encapsulates EAP within a potentially encrypted and authenticated Transport Layer Security (TLS) tunnel. The purpose was to correct deficiencies in EAP; EAP assumed a protected communication channel, such as that provided by physical security, so facilities for protection of the EAP conversation were not provided. PEAP was jointly developed by Cisco Systems, Microsoft, and RSA Security.
LEAP
The Lightweight Extensible Authentication Protocol (LEAP) method was developed by Cisco Systems prior to the IEEE ratification of the 802.11i security standard. LEAP uses a modified version of MS-CHAP, an authentication protocol in which user credentials are not strongly protected and easily compromised; an exploit tool called ASLEAP was released in early 2004 by Joshua Wright. Cisco recommends that customers who absolutely must use LEAP do so only with sufficiently complex passwords, though complex passwords are difficult to administer and enforce. Cisco's current recommendation is to use newer and stronger EAP protocols such as EAP-FAST, PEAP, or EAP-TLS.
MBSA (Microsoft Baseline Security Analyzer)
MBSA can help you stay on top of regular network auditing tasks by scanning both local and remote Microsoft systems for common security misconfigurations. It can also identify missing security updates and service packs available through the various Microsoft Update technologies, helping to ensure all machines are patched correctly. It can run vulnerability assessment checks for the following software:
· Client versions of Windows, including Windows 7
· Windows Server, including Windows Server 2008
· SQL Server
· Internet Information Server (IIS)
· Internet Explorer
· Microsoft Office
· SMS advanced patch and configuration management
· SUS/WSUS Windows update server
In baseline scanning mode MBSA only reports missing security updates; critical and optional updates are left aside. MBSA has been retired and does not cover current Windows versions; WSUS/SCCM compliance reporting and vulnerability scanners are the modern equivalents.
RC4 (Rivest Cipher 4)
The RC4 encryption algorithm, developed by Ronald Rivest of RSA, is a shared-key stream cipher, so it requires a secure exchange of the shared key beforehand. RC4 is no longer considered secure (its keystream has exploitable biases and it is prohibited in TLS) and it should not be used in new systems. The symmetric algorithm is used identically for encryption and decryption: the data stream is simply XORed with the generated keystream. The cipher keeps a 256-byte state permutation that is updated one byte at a time as keystream is produced, which makes it very fast and simple in software; its weaknesses lie in the key scheduling and keystream biases, not in its cost. RC4 is used by standards such as IEEE 802.11 within WEP (Wired Equivalent Privacy) with 40- and 104-bit keys (marketed as 64- and 128-bit, the remainder being a 24-bit IV sent in the clear). Published procedures exist for cracking WEP in minutes, because the small IV space guarantees keystream reuse and the IV || key construction leaks the key through weak keys (the FMS and PTW attacks).
SHA-1 (Secure Hash Algorithm 1) produces a 160-bit digest and MD5 (Message Digest 5) a 128-bit digest; both are broken for collision resistance. Unix password hashes in /etc/shadow use the modular crypt format $[ID]$[salt]$[hashed value], where the ID selects the algorithm (for example $1$ MD5-crypt, $5$ SHA-256-crypt, $6$ SHA-512-crypt).
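RC4 itself and the WEP keystream-reuse problem, as an added Python example (not from any library; the cipher is a transcription of the published KSA/PRGA and is checked against the standard "Key"/"Plaintext" test vector). wep_encrypt() builds the real WEP per-packet key, IV || shared key, and recover_from_iv_reuse() shows that two packets under the same IV leak one plaintext given the other, with no key recovery at all. The key, IV and packet contents are made up.

```python
"""RC4 (KSA + PRGA) and the keystream-reuse failure that WEP's 24-bit IV runs into.

Added example for these notes: a straight transcription of the published algorithm,
not from any library, for study only (RC4 is deprecated). The WEP per-packet key
construction IV || shared key is the real one; the packets and keys are made up.
"""


def rc4_keystream(key, length):
    """Key-scheduling algorithm, then the pseudo-random generation algorithm."""
    S = list(range(256))
    j = 0
    for i in range(256):                                   # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):                                # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4(key, data):
    """Encryption and decryption are the same operation: XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))


def wep_encrypt(iv, shared_key, plaintext):
    """WEP: RC4 keyed with IV (3 bytes, sent in the clear) || shared key (5 or 13 bytes).
    The IV is prepended to the ciphertext so the receiver can rebuild the same key."""
    assert len(iv) == 3 and len(shared_key) in (5, 13)
    return iv + rc4(iv + shared_key, plaintext)


def recover_from_iv_reuse(packet_a, known_plaintext_a, packet_b):
    """Two packets under the same IV share a keystream, so C_a XOR C_b = P_a XOR P_b.
    Knowing P_a (say, a predictable ARP or DHCP frame) reveals P_b without the key.
    Returns None if the IVs differ (no reuse to exploit)."""
    iv_a, body_a = packet_a[:3], packet_a[3:]
    iv_b, body_b = packet_b[:3], packet_b[3:]
    if iv_a != iv_b:
        return None
    keystream = bytes(c ^ p for c, p in zip(body_a, known_plaintext_a))
    return bytes(c ^ k for c, k in zip(body_b, keystream))   # limited to the known part


if __name__ == "__main__":
    key = b"\x0b\xad\xc0\xff\xee"                          # constructed 40-bit WEP key
    iv = b"\x01\x02\x03"
    p_a = b"ARP reply from gateway, fully predictable"
    p_b = b"secret login: admin / hunter2"
    c_a = wep_encrypt(iv, key, p_a)
    c_b = wep_encrypt(iv, key, p_b)                        # same IV: keystream reused
    print(recover_from_iv_reuse(c_a, p_a, c_b))
```

With only 2^24 IVs, a busy access point repeats one within hours even if it picks them randomly, which is why the reuse condition is not hypothetical for WEP.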
RID Master FSMO Role
The RID master FSMO role holder is the single DC responsible for processing RID Pool requests from all DCs within a given domain. It is also responsible for removing an object from its domain and putting it in another domain during an object move. When a DC creates a security principal object such as a user or group, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain), and a relative ID (RID) that is unique for each security principal SID created in a domain. Each Windows DC in a domain is allocated a pool of RIDs that it is allowed to assign to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The domain RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of the requesting DC. There is one RID master per domain in a directory.
Rusers
The Unix rusers service is a Remote Procedure Call (RPC) service that listens on a dynamic port. The rusers client first connects to the RPC portmapper (port 111), which returns the whereabouts of the rusersd service.
Identify whether rusersd is registered:
$ rpcinfo -p 192.168.0.50
Then list logged-in users:
$ rusers -l 192.168.0.50 (the option is a lowercase L)
Rwho
The Unix rwhod service listens on UDP port 513. If found to be accessible, you can query it using the Unix rwho client utility to list current users who are logged into the remote host. $ rwho [ip]
Domain Naming Master FSMO Role
The domain naming master FSMO role holder is the DC responsible for making changes to the forest-wide domain name space of the directory (that is, the Partitions\Configuration naming context or LDAP://CN=Partitions, CN=Configuration, DC=<domain>). This DC is the only one that can add or remove a domain from the directory. It can also add or remove cross references to domains in external directories.
IPSEC
The first step is to find all the IPsec service endpoints on the target network. This is best done by sending IKE phase one requests and observing which systems respond. Below, ike-scan enumerates IPsec servers on the 10.0.0.0/24 network; --quiet omits the details of the returned packets from the output, because at this stage only the location of the VPN servers matters.
IPsec endpoint enumeration:
$ ike-scan --quiet 10.0.0.0/24
IPsec endpoint fingerprinting (the retransmission back-off pattern identifies the implementation):
$ ike-scan --showbackoff --multiline 10.0.0.4 10.0.0.11 10.0.0.47 10.0.0.50 10.0.0.254
$ ike-scan --auth=3 --showbackoff --multiline 10.0.0.1 (--auth=3 proposes RSA signature authentication instead of the default pre-shared key)
Penetration testing an IPsec VPN includes several phases:
1. Scanning for, or identifying, the VPN gateway.
2. Fingerprinting the VPN gateway to guess the implementation.
3. PSK mode assessment and PSK sniffing (aggressive mode hands out a hash of the PSK to anyone who asks).
4. Offline PSK cracking.
5. Checking for default user accounts.
Encoding
The purpose of encoding is to transform data so that it can be properly consumed by a different type of system, e.g. binary data being sent over email. The goal is not to keep information secret but to ensure that the data is handled correctly. Encoding transforms data into another format using a publicly available scheme, so it is easily reversed: no key is required, because the only thing needed to decode is knowledge of the scheme used. Encoding is therefore never a security control, even though it is sometimes mistaken for one (for example base64 "passwords" in configuration files). Examples: ASCII, Unicode, URL encoding, Base64.
Encryption
The purpose of encryption is to transform data in order to keep it secret from others, e.g. sending someone a letter that only they should be able to read. Encryption transforms data into another format in such a way that only a specific party can reverse the transformation. The algorithm is assumed to be public (Kerckhoffs's principle); the secrecy rests entirely on the key, so the ciphertext and the correct key are required to return to the plaintext. Examples: AES, Blowfish, RSA.
Schema Master FSMO Role
The schema master FSMO role holder is the DC responsible for performing updates to the directory schema (that is, the schema naming context or LDAP://cn=schema,cn=configuration,dc=<domain>). This DC is the only one that can process updates to the directory schema. Once the Schema update is complete, it is replicated from the schema master to all other DCs in the directory. There is only one schema master per directory.
VMPS / VPQ Attack
This attack is unlikely in practice because it requires the network to use VMPS (VLAN Management Policy Server), which is unusual: it imposes a significant administrative load, and Cisco, whose protocol it is, has moved towards 802.1X for the same function. Where it is implemented, VMPS assigns VLANs based on the MAC address of the host, with the MAC-to-VLAN relationships stored in a database. This database is downloaded to the VMPS and then queried by the switches using VQP (VLAN Query Protocol), an unauthenticated protocol over UDP, which makes it easy to manipulate. Because there is no authentication, an attacker can spoof a permitted MAC address, or forge VQP responses, and join a VLAN that he or she is not authorised to access. The mitigations are to monitor the network for misbehaviour, to carry VQP queries out of band, or to disable the protocol altogether.
Obtain password hashes, both from the local SAM and cached credentials
After compromising the password of a user in the Administrators group, the SAM password hashes can be dumped directly from the memory of the remote host, bypassing the SYSKEY encryption that protects the hashes stored in the SAM database file on disk. The Windows utility pwdump3 does this by authenticating to the ADMIN$ share and then extracting the hashes:
$ pwdump3 192.168.189.1 hashes.txt Administrator
To crack the hashes: Cain & Abel supports rainbow-table cracking of LM and NTLM hashes, whereas John the Ripper is typically used for quick dictionary and rule-based attacks.
Other ways to obtain hashes:
· Mimikatz, which also recovers cached domain credentials and credentials held in LSASS
· Meterpreter (hashdump)
UDP
User Datagram Protocol
VLAN Trunking Protocol Attack
VLAN trunking extends VLANs across multiple switches. VTP reduces administration in a switched network: when a new VLAN is configured on one VTP server, the VLAN definition is distributed to all switches in the VTP domain, removing the need to configure the same VLAN everywhere. VTP is a Cisco proprietary protocol available on most Cisco Catalyst family products. The attack forges VTP advertisements (from a rogue switch, or crafted frames on a trunk) with a configuration revision number higher than the domain's current one; every switch in the domain accepts the advertised VLAN database, so the attacker can delete or add VLANs network-wide and cause an outage or merge segments. Mitigations: run switches in VTP transparent mode (or VTP off), set a VTP password, use VTP version 3 with a designated primary server, and never leave DTP trunk negotiation enabled on user-facing ports.
WSUS (Windows Server Update Services)
Windows Server Update Services (WSUS) enables IT administrators to deploy the latest Microsoft product updates. You can use WSUS to fully manage the distribution of updates released through Microsoft Update to computers on your network. A WSUS server provides features for managing and distributing updates through a management console, and can also be the update source for other WSUS servers within the organisation; a WSUS server that acts as an update source is called an upstream server. At least one WSUS server on the network must be able to connect to Microsoft Update to get available update information; as an administrator you decide, based on network security and configuration, how many other WSUS servers connect directly to Microsoft Update. Compared with its predecessor SUS, WSUS can also update Office, SQL Server and other Microsoft products. Because clients trust the WSUS server for code they will execute, it should be served over HTTPS: an attacker who can intercept plain-HTTP WSUS traffic can push malicious updates.
Maximum password age.
You can force users to change their passwords after a particular number of days. You can set passwords to expire after a number of days between 1 and 999, or specify that passwords never expire by setting the number of days to 0. The default is 42 days. The maximum password age must be greater than the minimum password age (unless the maximum is 0).
AES (Advanced Encryption Standard)
The AES selection process required that the algorithm be a block cipher handling 128-bit blocks with keys of 128, 192 and 256 bits. The other criteria for being chosen as the next standard included:
· Security: competing algorithms were judged on their ability to resist attack compared with the other submissions; security strength was the most important factor in the competition.
· Cost: the winner was to be released on a global, non-exclusive and royalty-free basis, and the candidates were evaluated on computational and memory efficiency.
· Implementation: algorithm and implementation characteristics evaluated included flexibility, suitability for implementation in hardware or software, and overall simplicity of implementation.
The winner was Rijndael; AES as standardised in FIPS 197 uses 10, 12 or 14 rounds for the three key sizes.
Windows Passwords
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy
Analyzing ACLs in the registry
Grab the existing ACL of a registry key in PowerShell:
$acl = Get-Acl HKLM:\SOFTWARE\powertoe
Google Hacking
· link:url shows other pages with links to that URL.
· related:url same as "what's related" on SERPs.
· site:domain restricts search results to the given domain.
· define:word provides a definition of the word.
· allinurl: shows only pages with all terms in the URL.
· inurl: like allinurl, but only for the next query word.
· allintitle: shows only results with terms in the title.
· intitle: similar to allintitle, but only for the next word. "intitle:webmasterworld google" finds only pages with webmasterworld in the title, and google anywhere on the page.
· cache:url will show the Google version of the passed URL.
· info:url will show a page containing links to related searches, backlinks, and pages containing the URL. This is the same as typing the URL into the search box.
· spell: will spell check your query and search for it.
· stocks: will look up the search query in a stock index.
· filetype: will restrict searches to that file type. "-filetype:doc" removes Microsoft Word files.
· daterange: is supported in Julian date format only. 2452384 is an example of a Julian date.
· maps: if you enter a street address, a link to Yahoo Maps and to MapBlast will be presented.
· phone: enter anything that looks like a phone number to have a name and address displayed. The same is true for something that looks like an address (include a name and zip code).
· site:www.somesite.net "+www.somesite.+net" (tells you how many pages of your site are indexed by Google)
· allintext: searches only within the text of pages, but not in the
Domain Wide Roles:
▪ Relative ID (RID) Master: allocates RIDs to DCs within a domain. When an object such as a user, group or computer is created in AD it is given a SID. The SID consists of a domain SID (the same for all SIDs created in the domain) and a RID that is unique within the domain.
The three domain-wide roles are the RID master, the PDC emulator and the infrastructure master; there is one holder of each per domain.
Active Directory extends the single-master model found in earlier versions of Windows to include multiple roles, and the ability to transfer roles to any domain controller (DC) in the enterprise. Because an Active Directory role is not bound to a single DC, it is referred to as a Flexible Single Master Operation (FSMO) role. Currently in Windows there are five FSMO roles: two forest-wide (schema master and domain naming master) and three domain-wide.
netstat
-a lists all the computer's connections and listening ports
-n displays addresses and port numbers in numerical format
-o outputs the process ID (PID) responsible for the connection
-b outputs the executable (and its component DLLs) that created the connection; requires an elevated prompt
Network analysis
1. Capture packets from a particular interface: tcpdump -i interface-name
   E.g. to capture packets from interface eth1: tcpdump -i eth1
2. Capture only N packets: tcpdump -c N
   E.g. to capture 10 packets from interface eth1: tcpdump -i eth1 -c 10
3. Capture the packets and write them to a file: tcpdump -w file.pcap
Filter a saved capture for one host with tshark:
tshark -R "ip.addr == 192.168.0.1" -r /tmp/capture.cap
To create a ";"-separated file with source IP, source port, destination IP and destination port for all SYN-initiated connections, use the -T, -E and -e options (see the man page):
tshark -nn -r capturefile.dmp -T fields -E separator=';' -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport '(tcp.flags.syn == 1 and tcp.flags.ack == 0)'
(Current tshark releases use -Y for display filters; -R is now a two-pass read filter.)
Password must meet complexity requirements.
The password must:
1. Not contain the user's account name or parts of the user's full name that exceed two consecutive characters
2. Be at least six characters in length
3. Contain characters from three of the following four categories:
   · English uppercase characters (A through Z)
   · English lowercase characters (a through z)
   · Base 10 digits (0 through 9)
   · Non-alphabetic characters (for example, !, $, #, %)
The check is case-insensitive and is applied when the password is set or changed; it does not stop predictable patterns such as Password1!, so combine it with a sensible minimum length and a banned-password list.
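The rules above, together with the Enforce password history and Minimum password length settings from earlier in these notes, as an added Python example (not Microsoft's code): complexity_ok() implements the complexity check as documented, PasswordHistory models the history store (SHA-256 stands in for the NT hash), and change_password() applies all three the way a domain controller would. The account name jsmith, the full name and the passwords are made up.

```python
"""Check a proposed password against the Windows password-policy settings in these
notes: complexity, minimum length and password history.

Added example, not from the notes and not Microsoft's implementation. The full-name
token splitting follows Microsoft's published description (split on commas, periods,
dashes, underscores, spaces, '#' and tabs; tokens of three or more characters must
not appear in the password). SHA-256 stands in for the NT hash in the history store.
"""
import hashlib
import re

NAME_DELIMITERS = re.compile(r"[,.\-_ #\t]+")


def complexity_ok(password, account_name, full_name=""):
    """'Password must meet complexity requirements' as a (passed, reasons) pair."""
    reasons = []
    lowered = password.lower()
    if len(account_name) >= 3 and account_name.lower() in lowered:
        reasons.append("contains the account name")
    for token in NAME_DELIMITERS.split(full_name):
        if len(token) >= 3 and token.lower() in lowered:
            reasons.append(f"contains part of the full name ({token})")
    if len(password) < 6:
        reasons.append("shorter than six characters")
    categories = (
        any("A" <= c <= "Z" for c in password),      # English uppercase
        any("a" <= c <= "z" for c in password),      # English lowercase
        any("0" <= c <= "9" for c in password),      # base-10 digits
        any(not c.isalnum() for c in password),      # non-alphanumeric (!, $, #, %)
    )
    if sum(categories) < 3:
        reasons.append("uses fewer than three of the four character categories")
    return not reasons, reasons


class PasswordHistory:
    """'Enforce password history': remember the last `remembered` password hashes
    (0 to 24 on Windows; 0 disables the check)."""

    def __init__(self, remembered=24):
        self.remembered = remembered
        self._hashes = []                    # oldest first

    @staticmethod
    def _digest(password):
        # Windows keeps NT hashes (MD4 of UTF-16LE); SHA-256 stands in here.
        return hashlib.sha256(password.encode("utf-16-le")).hexdigest()

    def reused(self, password):
        return self._digest(password) in self._hashes

    def record(self, password):
        self._hashes.append(self._digest(password))
        if self.remembered == 0:
            self._hashes.clear()
        else:
            del self._hashes[:-self.remembered]   # keep only the newest N


def change_password(history, new_password, account_name, full_name="", min_length=7):
    """Apply the policy the way a DC would: every failing rule is reported, and the
    new password is recorded in the history only if it passes."""
    _ok, reasons = complexity_ok(new_password, account_name, full_name)
    if len(new_password) < min_length:
        reasons.append(f"shorter than the minimum password length ({min_length})")
    if history.reused(new_password):
        reasons.append("matches a password in the history")
    if reasons:
        return False, reasons
    history.record(new_password)
    return True, []


if __name__ == "__main__":
    h = PasswordHistory(remembered=24)
    for candidate in ("Summer2024!", "JohnSmith99", "password1", "Summer2024!"):
        ok, why = change_password(h, candidate, "jsmith", "John Smith")
        print(f"{candidate:<14} {'accepted' if ok else 'rejected: ' + '; '.join(why)}")
```

The history test uses a two-entry history so the ageing-out behaviour is visible: a password becomes reusable once enough newer passwords have pushed it out, which is exactly what a minimum password age is meant to slow down.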
10BaseT
10 Mbps (10 megabits per second) Ethernet over twisted-pair cable
802.11b
2.4 GHz / 11 Mbps
802.11g
2.4 GHz, 54 Mbps
802.11
2.4GHz / 1 or 2Mbps / DSSS or FHSS / 20 m indoors or 100 m outdoors
802.11n
2.4 GHz or 5 GHz / up to 600 Mbps
802.11a
5 GHz / 6-54 Mbps
Global catalog
A global catalog is a domain controller that stores a copy of all Active Directory objects in a forest: a full copy of all objects in the directory for its host domain and a partial copy (a subset of attributes) of all objects for every other domain in the forest, as shown in the following figure. In any replicated database, some changes must be performed by one and only one replica because they are impractical to perform in a multimaster fashion. Active Directory is no exception. A limited number of operations are not permitted to occur at different places at the same time and must be the responsibility of only one domain controller in a domain or forest. These operations, and the domain controllers that perform them, are referred to by a variety of terms:
• Operations masters
• Operations master roles
• Single master roles
• Operations tokens
• Flexible single master operations (FSMOs)
Regardless of the term used, the idea is the same: one domain controller performs a function, and while it does, no other domain controller performs that function.
Enumerate Enabled SMTP Subsystems and Features
A number of exploitable issues in SMTP services such as Microsoft Exchange depend on support for certain Extended SMTP (ESMTP) features. These subsystems and features are enumerated by issuing an EHLO command after connecting to the target SMTP server; the server lists each keyword it supports (for example PIPELINING, SIZE, STARTTLS, AUTH, VRFY, ETRN) on its own 250- continuation line. Poorly configured SMTP services are used to relay unsolicited email, in much the same way as open web proxy servers. The example below shows a poorly configured Microsoft Exchange server being abused by an attacker to relay email. Increasingly, open relays arise through weak passwords on authenticated submission (AUTH), which are brute-forced using the mechanisms discussed in the previous section.
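The exchange described here, and the VRFY/EXPN enumeration from the SMTP entry earlier in these notes, as an added Python example that is not part of the notes: a small client connects, reads the banner, sends EHLO, records the advertised ESMTP keywords, then tries VRFY for a list of users and EXPN for mailing lists and classifies the reply codes. Because a live server cannot be assumed, a constructed fake Postfix-style responder sits on the other end of a socketpair; the users (root, postmaster, alice), the list name staff, and the host names are made up.

```python
"""EHLO / VRFY / EXPN user enumeration against an SMTP service, run offline.

Added example for these notes, not their own code and not from any mail server.
enumerate_smtp() is the client; fake_smtp_server() is a constructed stand-in for a
permissive Postfix-style server so the whole exchange runs over a socketpair with
no network. The users, list name and host names are made up.
"""
import socket
import threading

KNOWN_USERS = {"root", "postmaster", "alice"}                       # constructed
KNOWN_LISTS = {"staff": ["alice@example.test", "bob@example.test"]}  # constructed
VERDICTS = {250: "valid", 251: "valid", 252: "unverifiable", 550: "invalid",
            551: "invalid", 553: "invalid", 500: "disabled", 502: "disabled"}


def _read_reply(rfile):
    """Read one SMTP reply: '250-' lines continue it, '250 ' (space) ends it."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("utf-8", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] == " ":
            return int(lines[0][:3]), [ln[4:] for ln in lines]


def classify(code):
    """252 means the server accepts mail but refuses to confirm the user (VRFY neutered);
    500/502 mean the command is disabled outright."""
    return VERDICTS.get(code, "unknown")


def enumerate_smtp(sock, users, lists=(), helo_name="probe.example.test"):
    rf = sock.makefile("rb")
    code, banner = _read_reply(rf)
    if code != 220:
        raise RuntimeError(f"unexpected banner: {code} {banner}")
    sock.sendall(f"EHLO {helo_name}\r\n".encode())
    code, lines = _read_reply(rf)
    # First reply line is the server's name; the rest are ESMTP keywords.
    extensions = [ln.split()[0].upper() for ln in lines[1:]] if code == 250 else []
    result = {"banner": banner[0], "extensions": extensions, "users": {}, "lists": {}}
    for user in users:
        sock.sendall(f"VRFY {user}\r\n".encode())
        code, lines = _read_reply(rf)
        result["users"][user] = (code, classify(code), lines[0])
    for name in lists:
        sock.sendall(f"EXPN {name}\r\n".encode())
        code, lines = _read_reply(rf)
        result["lists"][name] = (code, classify(code), lines)
    sock.sendall(b"QUIT\r\n")
    _read_reply(rf)
    return result


def fake_smtp_server(sock):
    """Constructed server: advertises VRFY and answers VRFY/EXPN truthfully."""
    rf = sock.makefile("rb")
    sock.sendall(b"220 mail.example.test ESMTP Postfix\r\n")
    for raw in rf:
        verb, _, arg = raw.decode("utf-8", "replace").strip().partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            sock.sendall(b"250-mail.example.test\r\n250-PIPELINING\r\n250-SIZE 10240000\r\n"
                         b"250-VRFY\r\n250-ETRN\r\n250 8BITMIME\r\n")
        elif verb == "VRFY" and arg in KNOWN_USERS:
            sock.sendall(f"250 2.1.5 <{arg}@example.test>\r\n".encode())
        elif verb == "EXPN" and arg in KNOWN_LISTS:
            members = KNOWN_LISTS[arg]
            body = "".join(f"250-<{m}>\r\n" for m in members[:-1]) + f"250 <{members[-1]}>\r\n"
            sock.sendall(body.encode())
        elif verb in ("VRFY", "EXPN"):
            sock.sendall(f"550 5.1.1 <{arg}>: Recipient address rejected: User unknown\r\n".encode())
        elif verb == "QUIT":
            sock.sendall(b"221 2.0.0 Bye\r\n")
            break
        else:
            sock.sendall(b"502 5.5.2 Error: command not recognized\r\n")
    sock.close()


def run_demo(users=("root", "alice", "nobody"), lists=("staff", "sales")):
    """Run client and fake server over a socketpair (no network needed)."""
    client, server = socket.socketpair()
    worker = threading.Thread(target=fake_smtp_server, args=(server,), daemon=True)
    worker.start()
    try:
        return enumerate_smtp(client, users, lists)
    finally:
        client.close()
        worker.join(timeout=5)


if __name__ == "__main__":
    res = run_demo()
    print("EHLO keywords:", " ".join(res["extensions"]))
    for user, (code, verdict, text) in res["users"].items():
        print(f"VRFY {user:<10} {code} {verdict:<12} {text}")
    for name, (code, verdict, lines) in res["lists"].items():
        print(f"EXPN {name:<10} {code} {verdict:<12} {' '.join(lines)}")
```

To use the client against a real host, replace the socketpair with socket.create_connection((host, 25)) and pass that socket to enumerate_smtp(); a server that answers 252 to everything, or 502 to VRFY, is behaving as a hardened server should.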
Forest Wide Roles:
▪ Schema Master: the schema is shared between every tree and domain in a forest and must be consistent between all objects. The schema master controls all updates and modifications to the schema.
▪ Domain Naming Master: when a new domain is added to a forest its name must be unique within the forest. The domain naming master must be available when adding or removing a domain in a forest.
t = sticky bit
The sticky bit is a permission bit set on a directory that allows only the owner of a file within that directory, the owner of the directory or the root user to delete or rename that file, even when other users have write permission on the directory. It is used on shared, world-writable directories such as /tmp, where it appears as a t in the last position of the mode (drwxrwxrwt). The listing drwsr-sr-x 2 root root 4096 Jun 19 06:45 dirname shows a different pair of bits: the s in the owner and group execute positions are SUID and SGID. On a directory, SGID makes new files inherit the directory's group. When you execute a program that has the SUID bit set, it runs with the privileges of the program's owner rather than yours; programs without SUID run with the permissions of the user who started them. SUID binaries owned by root are therefore a primary target for privilege escalation and should be audited regularly.
VOIP
ACE (Automated Corporate Enumerator) is a simple yet powerful VoIP corporate directory enumeration tool that mimics the behaviour of an IP phone in order to download the name and extension entries that a given phone can display on its screen, in the same way that the "corporate directory" feature of VoIP hard phones lets users dial by name from their handsets. Attacker goals are intercepting calls and toll fraud: placing calls through the victim's system to run up charges. Session Initiation Protocol (SIP) is one of the most common protocols used in VoIP. It is an application layer signalling protocol that works with other application layer protocols (RTP carries the audio) to set up, modify and tear down multimedia sessions over the Internet. A session is simply a call between two endpoints; an endpoint can be a smartphone, a laptop, or any device that can send and receive multimedia content. SIP is designed to be independent of the underlying transport, so SIP applications can run over UDP or TCP (port 5060 by default) or TLS (5061).
ARP Attacks
ARP attacks are based on ARP spoofing. Gratuitous ARP is used by hosts to announce their IP address to the local network and to avoid duplicate IP addresses.
ACL
Access Control List
Active Operating System Fingerprinting
Active fingerprinting is the process of transmitting packets to a remote host and analysing the corresponding replies.
Nmap OS detection $ nmap -O [ip]
Aggressive scan (equivalent to -O -sV -sC --traceroute) $ nmap -A [ip]
Asymmetric Encryption
Asymmetric Encryption is a form of Encryption where keys come in pairs. What one key encrypts, only the other can decrypt. Frequently (but not necessarily), the keys are interchangeable, in the sense that if key A encrypts a message, then B can decrypt it, and if key B encrypts a message, then key A can decrypt it.
VLAN hopping attack
Based on the Dynamic Trunking Protocol (DTP). DTP is used for negotiating trunking on a link between two devices and for negotiating the type of trunking (802.1Q).
DES (Data Encryption Standard) and 3DES
Both are symmetric block ciphers, meaning that a message is converted into coded (encrypted) text and broken into chunks of data, usually the same size. DES and 3DES break the text into blocks of 64 bits each. Then in order to encrypt the data, a key is generated; in DES, it is the same key that performs both encryption and decryption. DES uses a 56-bit key and runs through 16 cycles of 48-bit subkeys. When decrypting the data, the exact reverse operation is performed, using the same algorithm. The same key is used for the entire process. 3DES expands the size of the key by running the algorithm in succession with three different keys. It makes 48 passes through the algorithm. The resulting key is 168 bits; this can be hard to implement, so there is also a two-key option provided in 3DES that runs through a method called Encrypt-Decrypt-Encrypt (EDE):
1. Encrypt: The encryption is applied to the content using key 1.
2. Decrypt: This encrypted text is decrypted using key 2.
3. Encrypt: Lastly, the decrypted text from step 2 is encrypted again using key 2.
In the three-key method (which is much more cumbersome, but also more secure), the text is encrypted three times in succession. The text is encrypted with key 1, then that text is encrypted using key 2, and finally key 3 encrypts the last message/text.
CNAME (Canonical Name) Record
A CNAME record (Canonical Name Record) is another commonly used type of DNS entry and is used to map an alias name to a true or canonical domain name. When a DNS resolver encounters a CNAME record, the DNS lookup continues by retrying the lookup with the true or canonical domain name. One thing CNAME records are commonly used for is to direct part of your website to a site set up elsewhere, such as an eCommerce shop. CNAME records also allow you to point multiple hostnames at one IP without assigning an A record to each hostname; if that IP were ever to change, you would only have to update one A record.
$ORIGIN example.com.
shop 3600 IN CNAME myshop.com.
clientarea 86400 IN CNAME clientinterface.com.
Ingress Filtering
Ingress filtering is a method of verifying inbound packets arriving at a network from a source computer. It is one method of reducing DDoS attacks that rely on forged source IP addresses. While ingress filtering reduces the possibility of source address spoofing, it does not preclude an attacker using a forged source address of another host within the permitted prefix range. It does, however, ensure that when an attack occurs a network administrator will know which originating prefixes are being advertised.
A (Address) Record
DNS records are used to control the location of a resource on the Internet. A records are the most basic type of DNS record and are used to point a domain or subdomain to an IP address. The 'A' stands for 'address'. For example, if you query the A records of google.com, it currently returns an IP address of 172.217.3.174, which is the IP address of the hosting server for Google's website.
$ORIGIN example.com.
@ 3600 IN A 223.89.20.79
* 3600 IN A 223.89.20.79
ftp 86400 IN A 201.52.12.36
Egress Filtering
Egress filtering is the control of traffic leaving the network. It prevents unwanted traffic from being sent out to the Internet: this could include leaking private network address space, or stopping a compromised system attempting to communicate with remote hosts. Egress filtering can help in preventing information leaks due to misconfiguration.
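Added example (not part of the original notes): a small Python model of the ingress check described under Ingress Filtering and the egress check described here. The interface names, prefixes and packets are constructed for the example, using the RFC 5737 documentation ranges for the customer and site prefixes. It shows the BCP 38 style source-prefix check on a customer interface, the caveat noted above (a source forged from another host inside the permitted prefix still passes), and an egress rule that drops private address space and addresses the site does not own before they leave.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology for this example: the source prefix each customer
# interface is allowed to originate, and the public prefix this site owns.
INGRESS_ALLOWED = {
    "customer-A": [ipaddress.ip_network("203.0.113.0/24")],
    "customer-B": [ipaddress.ip_network("198.51.100.0/25")],
}
SITE_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]

# Address space that must never leave the site as a source address.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
)]


@dataclass
class Packet:
    iface: str   # interface the packet arrived on (or is leaving by)
    src: str
    dst: str


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def ingress_check(pkt):
    """Ingress (BCP 38) check for a packet arriving on a customer interface:
    the source address must lie inside the prefix assigned to that interface.
    Returns 'accept' or a 'drop: ...' reason."""
    src = ipaddress.ip_address(pkt.src)
    allowed = INGRESS_ALLOWED.get(pkt.iface)
    if allowed is None:
        return "drop: no ingress policy for interface %s" % pkt.iface
    if _in_any(src, allowed):
        # The caveat from the text: a source forged from another host inside
        # the same prefix is indistinguishable here and is accepted.
        return "accept"
    return "drop: source %s not permitted on %s" % (pkt.src, pkt.iface)


def egress_check(pkt):
    """Egress check for a packet leaving towards the Internet: the source must
    be one of our own public addresses, never private or other bogon space."""
    src = ipaddress.ip_address(pkt.src)
    if _in_any(src, BOGONS):
        return "drop: non-routable source %s leaking" % pkt.src
    if not _in_any(src, SITE_PREFIXES):
        return "drop: source %s is not one of our prefixes" % pkt.src
    return "accept"


def apply_policy(packets):
    """Run a batch through the matching check and return a decision log."""
    log = []
    for pkt in packets:
        check = egress_check if pkt.iface == "uplink" else ingress_check
        log.append((pkt.iface, pkt.src, check(pkt)))
    return log


if __name__ == "__main__":
    sample = [  # constructed packets
        Packet("customer-A", "203.0.113.7", "192.0.2.10"),    # legitimate
        Packet("customer-A", "198.51.100.9", "192.0.2.10"),   # spoofed, outside prefix
        Packet("customer-A", "203.0.113.250", "192.0.2.10"),  # spoofed inside prefix: passes
        Packet("uplink", "192.0.2.10", "203.0.113.7"),        # our own address
        Packet("uplink", "10.1.2.3", "203.0.113.7"),          # RFC 1918 leak
        Packet("uplink", "198.51.100.9", "203.0.113.7"),      # not ours: likely compromised
    ]
    for entry in apply_policy(sample):
        print(entry)
```

The egress rule is deliberately stricter than "not private": a packet sourced from a public address the site does not own is exactly the signature of a compromised internal host spoofing outbound traffic, which is the second case the text describes.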
Group Policies GPO
Group Policy is a feature of the Microsoft Windows NT family of operating systems that controls the working environment of user accounts and computer accounts. Group Policy provides the centralized management and configuration of operating systems, applications, and users' settings in an Active Directory environment.
HINFO (Host Information) Record
HINFO records allow you to define the hardware type and Operating System (OS) in use at a host. This information can be used by application protocols such as FTP, which uses special procedures when communicating with computers of a known CPU and OS type. For security reasons, these records are rarely used on public servers.
$ORIGIN example.com.
testhinfo 90 IN HINFO "INTEL-386" "Windows"
MX (Mail Exchanger) Record
Mail Exchanger (MX) records tell the world which mail servers accept incoming mail for your domain and where emails sent to your domain should be routed. You can send emails without an MX record configured for your domain name, but if the MX record is not set up correctly, you will not receive email.
$ORIGIN example.com.
@ 3600 IN MX 10 mx1.dynu.com.
@ 3600 IN MX 20 mx2.dynu.com.
HMAC (Hashed Message Authentication Code)
HMAC, or keyed hashing, is a cryptographic algorithm used to provide authentication and integrity in one go. A key is used to achieve authentication.
h(k||h(k||m))
The goal is to detect:
· Message modification
· Insertion of a false message
· Changing the message order
· Data origin authentication (anyone can claim to have sent a message, but the receiver knows he has only shared keys with one sender)
Hashing
Hashing serves the purpose of ensuring integrity: if something is changed, you can know it has been changed. Technically, hashing takes arbitrary input and produces a fixed-length string with the following attributes:
· The same input will always produce the same output
· Different inputs should not produce the same output
· It should not be possible to go from output to input
· Any modification of a given input should result in a drastic change to the hash
Hashing is used in conjunction with authentication to produce strong evidence that a message has not been modified.
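Added example (not from the original notes) covering both the Hashing entry and the HMAC entry above. It implements HMAC-SHA256 by hand from the RFC 2104 definition, which is the ipad/opad form of the notes' h(k||h(k||m)), and cross-checks it against Python's hmac module; it measures the avalanche effect of a plain hash; and it shows a constructed message stream in which the tag covers a sequence number, so that the three failures the HMAC entry lists (modification, insertion, reordering) are each detected. The key and messages are constructed for the example.

```python
import hashlib
import hmac

BLOCK = 64  # SHA-256 processes 64-byte blocks; HMAC pads the key to this size


def digest(data):
    """Plain hash: anyone can recompute it, so on its own it proves integrity
    only if the digest itself travels over a trusted path."""
    return hashlib.sha256(data).digest()


def bits_changed(a, b):
    """Hamming distance between two digests, to observe the avalanche effect."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def hmac_sha256(key, msg):
    """HMAC per RFC 2104: H((K xor opad) || H((K xor ipad) || m)).
    The notes' h(k||h(k||m)) is the same nested keyed construction; the
    ipad/opad masking of the key is what the standard adds."""
    if len(key) > BLOCK:
        key = hashlib.sha256(key).digest()   # long keys are hashed first
    key = key.ljust(BLOCK, b"\x00")          # then zero-padded to the block size
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha256(ipad + msg).digest()
    return hashlib.sha256(opad + inner).digest()


def matches_stdlib(key, msg):
    """Cross-check the hand-written HMAC against Python's hmac module."""
    ref = hmac.new(key, msg, hashlib.sha256).digest()
    return hmac.compare_digest(hmac_sha256(key, msg), ref)


def tag(key, seq, msg):
    """The tag covers a sequence number as well as the body, so replaying or
    reordering a genuine message is caught, not only modification."""
    return hmac_sha256(key, seq.to_bytes(4, "big") + msg)


def verify_stream(key, records):
    """records: list of (seq, msg, tag) as received. Returns (seq, status)
    per record: 'ok', 'bad-tag' (modified or inserted) or 'out-of-order'."""
    expected, out = 0, []
    for seq, msg, t in records:
        if not hmac.compare_digest(tag(key, seq, msg), t):  # constant-time compare
            out.append((seq, "bad-tag"))
        elif seq != expected:
            out.append((seq, "out-of-order"))
        else:
            out.append((seq, "ok"))
            expected += 1
    return out


def demo_stream():
    """Constructed exchange: three genuine messages, then the kinds of
    tampering the HMAC entry lists, with the verdict for each."""
    key = b"shared-secret-between-the-two-parties"  # constructed key
    genuine = [(i, m, tag(key, i, m)) for i, m in
               enumerate([b"transfer 10", b"transfer 20", b"transfer 30"])]
    s0, s1, s2 = genuine
    tampered = [
        s0,
        (s1[0], b"transfer 99", s1[2]),               # body modified, tag kept
        (3, b"transfer 40", digest(b"transfer 40")),  # inserted without the key
        s2, s1,                                       # order swapped
    ]
    return verify_stream(key, tampered)


if __name__ == "__main__":
    print("avalanche bits:", bits_changed(digest(b"abc"), digest(b"abd")))
    for verdict in demo_stream():
        print(verdict)
```

The inserted record carries a plain SHA-256 of its body, which is what an attacker without the key can produce; it fails because the receiver recomputes a keyed tag, which is the "data origin" point in the HMAC entry.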
SUS (Software Update Services)
Microsoft SUS is a free patch management tool provided by Microsoft to help network administrators deploy security patches more easily. In simple terms, Microsoft SUS is a version of Windows Update that you can run on your network. Instead of each workstation having to connect to the Internet to update Windows, each workstation connects to the Microsoft SUS server instead and updates from there. Only the Microsoft SUS server requires access to the public Internet, as it is the one that connects to Windows Update.
NTP
Network Time Protocol (NTP) services are usually found running on UDP port 123 of Cisco devices and Unix-based systems. NTP services can be queried to obtain the remote hostname, NTP daemon version, and OS platform details, including processor. Only one remotely exploitable issue is listed in the MITRE CVE list, and that is CVE-2001-0414, a buffer overflow in the ntpd NTP daemon 4.0.99k and earlier (also known as xntpd and xntp3) that allows remote attackers to cause a DoS and possibly execute arbitrary commands via a long readvar argument. Other locally exploitable issues exist; you can find information about these at http://cve.mitre.org. GLEG VulnDisco (http://www.gleg.net) includes a zero-day ntpd stack overflow module that affects NTP 4.2.0 running on Linux platforms in a nondefault configuration (authentication must be enabled and NTP must be configured as a broadcast client).
File system permissions UNIX
No permission: 0 ---
Execute permission: 1 --x
Write permission: 2 -w-
Execute and write permission: 1 (execute) + 2 (write) = 3 -wx
Read permission: 4 r--
Read and execute permission: 4 (read) + 1 (execute) = 5 r-x
Read and write permission: 4 (read) + 2 (write) = 6 rw-
All permissions: 4 (read) + 2 (write) + 1 (execute) = 7 rwx
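Added example (not from the original notes) for this permission table and for the sticky bit entry above. It converts an rwx triplet to its octal value using the arithmetic in the table, and parses the full 10-character mode field of an `ls -l` listing, such as the `drwsr-sr-x` line in the sticky bit entry, into the numeric mode chmod understands, including the SUID, SGID and sticky bits that show up as `s`/`S` and `t`/`T` in the execute slots. The round trip back to the listing form uses `stat.filemode` from the standard library.

```python
import stat

BITS = {"r": 4, "w": 2, "x": 1}


def symbolic_to_octal(triplet):
    """'rwx' -> 7, 'r-x' -> 5, 'rw-' -> 6: the arithmetic in the table above."""
    if len(triplet) != 3:
        raise ValueError("expected a 3-character triplet such as 'rw-'")
    total = 0
    for ch, slot in zip(triplet, "rwx"):
        if ch == "-":
            continue
        if ch != slot:
            raise ValueError("unexpected %r in the %s position" % (ch, slot))
        total += BITS[ch]
    return total


def parse_ls_mode(mode):
    """Parse the 10-character mode field of `ls -l` (e.g. 'drwsr-sr-x') into
    the numeric mode chmod understands, special bits first (e.g. 0o6755).
    In the execute slots: s/S = SUID (owner) or SGID (group), t/T = sticky
    (others); lowercase means the underlying execute bit is also set."""
    if len(mode) != 10:
        raise ValueError("expected 10 characters such as 'drwxr-xr-x'")
    perms = special = 0
    for i, (r, w, x) in enumerate((mode[1:4], mode[4:7], mode[7:10])):
        shift = 6 - 3 * i  # owner, group, other
        if r == "r":
            perms |= 4 << shift
        if w == "w":
            perms |= 2 << shift
        if x in "xst":
            perms |= 1 << shift
        if x in "sS" and i == 0:
            special |= 4
        elif x in "sS" and i == 1:
            special |= 2
        elif x in "tT" and i == 2:
            special |= 1
    return (special << 9) | perms


def special_bits(numeric):
    """Names of the special bits set in a numeric mode, via the stat constants."""
    names = []
    if numeric & stat.S_ISUID:
        names.append("setuid")
    if numeric & stat.S_ISGID:
        names.append("setgid")
    if numeric & stat.S_ISVTX:
        names.append("sticky")
    return names


def to_ls_mode(numeric, is_dir=False):
    """Inverse of parse_ls_mode, using stat.filemode (round-trip check)."""
    kind = stat.S_IFDIR if is_dir else stat.S_IFREG
    return stat.filemode(kind | numeric)


if __name__ == "__main__":
    for listing in ("drwsr-sr-x", "drwxrwxrwt", "-rwSr--r--", "-rw-r--r--"):
        numeric = parse_ls_mode(listing)
        print(listing, oct(numeric), special_bits(numeric))
```

Note that the `drwsr-sr-x` listing quoted in the sticky bit entry carries SUID and SGID (the `s` characters), not the sticky bit; a sticky directory such as /tmp parses as `drwxrwxrwt`, numeric 1777, and reports only "sticky".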
PTR (Pointer) Record
PTR records are used for reverse DNS lookups: an IP address is associated with a domain/hostname, the opposite of what an A/AAAA record does in a forward lookup zone. PTR records go into reverse DNS domains which end with '.in-addr.arpa' or '.ip6.arpa' for IPv4 and IPv6 address blocks respectively. They are used to verify that a server name is actually associated with the IP address. If a PTR record for an IP address points to a hostname and the A/AAAA record for that hostname points back to the same IP address, it is forward confirmed.
$ORIGIN 66.23.109.in-addr.arpa.
96 3600 IN PTR mail.myshop.com.
$ORIGIN 0.8.1.0.4.0.6.2.ip6.arpa.
3.c.3.0.0.0.0.0 3600 IN PTR mail.myshop.com.
SMS (Systems Management Server)
SMS provides a feature-rich management and servicing solution. You can use SMS 2003 or System Center Configuration Manager 2007 (ConfigMgr) to manage networked Windows Embedded Standard-based devices alongside Windows desktop, Windows Server, and other Windows Mobile systems. SMS supplies an administration console that can be used on a Windows Server 2003 system to remotely perform management functions. Embedded device developers can use SMS or ConfigMgr to manage the deployment of security updates to Windows Embedded Standard-based devices. SMS provides more advanced administrator management features than WSUS. Specifically, SMS includes control over installation and rebooting, an inventory component to help with compliance reporting, and a customizable interface.
SOA (Start Of Authority) Record
SOA record stands for Start of Authority record and it determines how your zone propagates to the secondary nameservers. Every DNS zone must have a single SOA record and it is the first record in the zone. The DNS hosting provider will normally create a default SOA record for each domain added into their system and usually you do not need to make changes to this record. The SOA record stores information about the name of the server that supplied the data for the zone; the administrator of the zone; the current version of the data file; the number of seconds a secondary name server should wait before checking for updates; the number of seconds a secondary name server should wait before retrying a failed zone transfer; the maximum number of seconds that a secondary name server can use the data before it must either be refreshed or expire; and a default number of seconds for the time-to-live field on resource records that do not have one specified.
$TTL 1800 ; $TTL used for all DNS records without explicit TTL value
$ORIGIN example.com. ; designates the start of this zone file in the namespace
@ 86400 IN SOA ns1.dynu.com. administrator.dynu.com. (
25101 ; serial
1800 ; refresh
300 ; retry
86400 ; expire
300 ; nxdomain TTL
)
SSH
SSH is an implementation of a secure channel at the application layer. It provides the same security services as TLS and IPSEC, but it is of course application-specific. It is widely used for remote access by login and can now also provide a mini-VPN. The protocol assumes that there is a reliable channel provided by IP. A secure channel aims to provide origin authentication, confidentiality and integrity but NOT non-repudiation and security services after receipt of data.
SPANNING TREE Attack
STP is used to maintain loop-free topologies in a redundant layer 2 infrastructure. Messages are sent using Bridge Protocol Data Units (BPDUs). An attacker sends BPDUs which can force a root bridge change and thus create a DoS condition on the network. The attacker also gains the ability to see frames he otherwise could not. There are tools that can replay this attack (brconfig + macof). Disabling STP would be a bad idea: introducing loops would introduce another source of attack. Two features address this: BPDU Guard and Root Guard. BPDU Guard disables interfaces using portfast upon detection of a BPDU message on the interface (spanning-tree portfast bpduguard). Root Guard disables interfaces that would become the root bridge due to their BPDU advertisement (spanning-tree guard root).
SNMP
Simple Network Management Protocol (SNMP) services are often run on managed switches, routers, and server operating systems (e.g., Microsoft Windows Server and Linux) for monitoring purposes. SNMP is accessed upon providing a valid community string within a UDP datagram to port 161. Most servers are configured with two community strings: one providing read-only access to the SNMP Management Information Base (MIB), and the other both read and write access. The MIB is a hierarchy of Object Identifier (OID) values.
Store passwords using reversible encryption
Storing passwords using reversible encryption is essentially the same as storing plain-text versions of the passwords.
Symmetric Encryption
Symmetric-key algorithms are algorithms for cryptography that use the same cryptographic keys for both encryption of plaintext and decryption of ciphertext. The keys may be identical or there may be a simple transformation to go between the two keys. Examples: ROT13, Enigma cipher, XOR cipher.
TXT (Text) Record
TXT records contain text information for sources outside of your domain. TXT records can be used by administrators to insert any arbitrary text data or notes for various services to read. A domain may have several TXT records and you can put any text you want within a TXT record. You may have come across a web hosting provider or email service provider who asked you to add a random TXT record for your domain to verify your ownership of the domain name. Another common use of TXT records is to ensure email security through the use of SPF and DKIM records (a form of TXT record).
$ORIGIN example.com. ; designates the start of this zone file in the namespace
@ 3600 IN TXT "You can put any text" ; A TXT record for example.com.
@ 3600 IN TXT "v=spf1 a:mail.example.com -all" ; An SPF record for example.com.
mail._domainkey 3600 IN TXT "k=rsa; p=somekey" ; A DKIM public key record.
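Added example (not from the original notes) serving the A, CNAME, HINFO, MX, PTR, SOA and TXT record entries above: a minimal parser for the zone-file fragments those entries show. It handles $ORIGIN and $TTL, the '@' owner, relative owner names, quoted rdata (including a ';' inside quotes, as in the DKIM record, which must not be treated as a comment), and the multi-line parenthesised SOA form. The sample zone is constructed by combining the fragments from the entries; the helper names (tokenize, parse_zone, lookup, soa_fields) are this example's own.

```python
def tokenize(line):
    """Split one zone-file line: ';' starts a comment unless inside quotes,
    a quoted string is one token, '(' and ')' are their own tokens."""
    tokens, cur, inq = [], "", False
    for ch in line:
        if inq:
            if ch == '"':
                tokens.append(cur)
                cur, inq = "", False
            else:
                cur += ch
        elif ch == '"':
            inq = True
        elif ch == ";":
            break
        elif ch in "()" or ch.isspace():
            if cur:
                tokens.append(cur)
                cur = ""
            if ch in "()":
                tokens.append(ch)
        else:
            cur += ch
    if cur:
        tokens.append(cur)
    return tokens


def absolute(name, origin):
    """Apply $ORIGIN: '@' is the origin itself, names without a trailing dot
    are relative to it."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." + origin if origin else name + "."


def parse_zone(text, origin=None):
    """Parse zone text into records: dicts with name, ttl, class, type, rdata."""
    records, default_ttl, last_owner = [], None, None
    depth, buf, blank = 0, [], False
    for raw in text.splitlines():
        if depth == 0:  # start of a new logical line
            buf, blank = [], raw[:1].isspace()
        for tok in tokenize(raw):
            if tok == "(":
                depth += 1
            elif tok == ")":
                depth = max(depth - 1, 0)
            else:
                buf.append(tok)
        if depth > 0 or not buf:  # still inside ( ... ), or an empty line
            continue
        toks = buf
        if toks[0] == "$ORIGIN":
            origin = toks[1]
            continue
        if toks[0] == "$TTL":
            default_ttl = int(toks[1])
            continue
        owner = last_owner if blank else toks.pop(0)  # blank owner = previous owner
        ttl, rclass = default_ttl, "IN"
        while toks and (toks[0].isdigit() or toks[0] in ("IN", "CH", "HS")):
            if toks[0].isdigit():
                ttl = int(toks.pop(0))
            else:
                rclass = toks.pop(0)
        records.append({"name": absolute(owner, origin), "ttl": ttl,
                        "class": rclass, "type": toks[0], "rdata": toks[1:]})
        last_owner = owner
    return records


def lookup(records, name, rtype):
    return [r for r in records if r["name"] == name and r["type"] == rtype]


def soa_fields(rec):
    """Name the seven SOA fields described in the SOA entry."""
    keys = ("primary", "admin", "serial", "refresh", "retry", "expire", "minimum")
    vals = rec["rdata"][:2] + [int(v) for v in rec["rdata"][2:]]
    return dict(zip(keys, vals))


# Constructed zone combining the fragments from the record entries above.
SAMPLE_ZONE = """\
$TTL 1800 ; used for records without an explicit TTL
$ORIGIN example.com.
@ 86400 IN SOA ns1.dynu.com. administrator.dynu.com. (
        25101 ; serial
        1800  ; refresh
        300   ; retry
        86400 ; expire
        300 ) ; nxdomain TTL
@ IN A 223.89.20.79
* 3600 IN A 223.89.20.79
ftp 86400 IN A 201.52.12.36
shop 3600 IN CNAME myshop.com.
@ 3600 IN MX 10 mx1.dynu.com.
@ 3600 IN MX 20 mx2.dynu.com.
testhinfo 90 IN HINFO "INTEL-386" "Windows"
@ 3600 IN TXT "v=spf1 a:mail.example.com -all" ; SPF
mail._domainkey 3600 IN TXT "k=rsa; p=somekey" ; DKIM: the ';' is inside quotes
$ORIGIN 66.23.109.in-addr.arpa.
96 3600 IN PTR mail.myshop.com.
"""

if __name__ == "__main__":
    for rec in parse_zone(SAMPLE_ZONE):
        print(rec["name"], rec["ttl"], rec["type"], rec["rdata"])
```

The first A record in the sample has no explicit TTL, so it inherits the 1800 from $TTL while the wildcard record keeps its own 3600; this is the behaviour the $TTL comment in the SOA entry describes.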
IPsec
The IPsec Authentication Header (AH) mechanism provides data origin authentication for IP datagrams within IPsec traffic by performing cryptographic hashing. AH provides protection from data modification and replay attacks. The Encapsulating Security Payload (ESP) is a second mechanism, one that encapsulates and encrypts IP datagrams to protect them from sniffing attacks. IPSEC is the most popular VPN protocol and is a documented set of standards. It is mandatory on IPv6. IPSEC provides various services with two different protocols: the authentication header (authentication, data integrity, anti-replay) and encapsulating security payload (authentication, data integrity, anti-replay, confidentiality, traffic flow confidentiality). IPSEC can be implemented for all traffic (tunnel mode) between two gateways, or for each datagram between two hosts (transport mode). It is implemented at the network level, so all traffic at the Internet layer is protected with IPSEC end-to-end and independent of the application. In transport mode we only encrypt the payload, in tunnel mode we can encrypt the whole datagram. In tunnel mode the hosts are unaware of the VPN taking place, while in transport mode they are aware. Both can be used together.
NetBIOS Session
Various tools can enumerate sensitive information from a target Windows host with TCP port 139 open. Information can be collected either anonymously by initiating what is known as a null session, or through knowledge of a valid username and password. A null session is when you authenticate with the IPC$ share of the target host in the following manner:
$ net use \\target\IPC$ "" /user:""
By specifying a null username and password, you gain anonymous access to IPC$. By default, Windows hosts allow anonymous access to system and network information through NetBIOS.
Enumerate users
$ enum [?] [ip]
-U: get user list
-N: get namelist dump
-G: get group and member list
$ winfo [ip]
GetAcct
GetAcct is a useful tool that allows you to perform reverse-lookups for Windows server RID values to get user account names (also known as RID cycling). Standard enumeration tools such as enum and winfo simply use forward-lookup techniques to dump the user list, which administrators can protect against by setting RestrictAnonymous=1 within the system registry. Windows NT 4.0 hosts can only set RestrictAnonymous=1, and are thus susceptible to RID cycling. Windows 2000 hosts have extended anonymous access protection which can be set with RestrictAnonymous=2, preventing RID cycling from being effective.
Using SNMP
Many Windows NT and 2000 servers run SNMP services using the community string public for read access. By walking through the 1.3.6.1.4.1.77.1.2.25 OID within a Windows NT or 2000 server, you can enumerate usernames of active accounts on the target host.
$ snmpwalk -c public 192.168.102.251 .1.3.6.1.4.1.77.1.2.25
$ nmap -sU -p 161 --script=snmp-win32-users <target>
Using LDAP
$ ldapsearch -h [ip]
WPA (Wi-Fi Protected Access)
WPA is the successor of WEP. The first version still relied on the classic encryption algorithms in WEP, but they were implemented differently (to be able to update without having to replace hardware). The successor used AES. There are several keys:
· Mutual key authentication
· Session keys from master key
o Encryption key
o MAC key
o Data encryption key
o Data MAC key
There are two ways of generating dynamic keys: CCMP and TKIP (Temporal Key Integrity Protocol). CCMP is a CBC-MAC based protocol built on AES and available with WPA2. TKIP basically works by generating a sequence of WEP keys based on a master key, and re-keying periodically before enough volume of information could be captured to allow recovery of the WEP key. TKIP changes the key every 10,000 packets, which is quick enough to combat statistical methods of analysing the cipher.
Infrastructure FSMO Role
When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals), and the DN of the object being referenced. The infrastructure FSMO role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference. NOTE: The Infrastructure Master (IM) role should be held by a domain controller that is not a Global Catalog server (GC). If the Infrastructure Master runs on a Global Catalog server it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a Global Catalog server holds a partial replica of every object in the forest. As a result, cross-domain object references in that domain will not be updated and a warning to that effect will be logged on that DC's event log. If all the domain controllers in a domain also host the global catalog, all the domain controllers have the current data, and it is not important which domain controller holds the infrastructure master role. When the Recycle Bin optional feature is enabled, every DC is responsible for updating its cross-domain object references when the referenced object is moved, renamed, or deleted. In this case, there are no tasks associated with the Infrastructure FSMO role, and it is not important which domain controller owns the Infrastructure Master role. For more information, see 6.1.5.5 Infrastructure FSMO Role at http://msdn.microsoft.com/en-us/library/cc223753.aspx
Cisco Deny FTP Traffic
hostname R1
!
interface ethernet0
ip access-group 102 in
!
access-list 102 deny tcp any any eq ftp
access-list 102 deny tcp any any eq ftp-data
access-list 102 permit ip any any
Domain Reconnaissance
On a Windows machine that is part of a domain:
· net user Windows command that displays local user accounts
· net localgroup Windows command that displays local group accounts
· net use Windows command that displays remote connections
· net start Windows command that lists network services
· net share Lists all shares
· net accounts /domain Lists the password policy
· nmap -sL -oA output_rnds Nmap list scan output can return a list of domains associated with systems on known network segments.
· arp -a Windows command that prints the ARP table
· route Windows command that manipulates the routing table
· tasklist Windows command that lists all running processes by name and process ID
· systeminfo Windows command that displays detailed configuration and processor information
· driverquery Windows command that lists all installed device drivers and their properties
· %systemroot%\system32\config\SAM Stores local user password hashes for all users
· %systemroot%\ntds\ntds.dit Stores user password hashes on Domain Controllers
· RPC Provides inter-process communication by enabling a program on one system to execute code on remote systems; handles message exchanges over TCP/IP
· DCOM Listens on RPC enabled ports 135, 139, 445, and 593. Exploitation can cause a command shell with SYSTEM level privileges. ms03_026
· Netapi Targets a parsing flaw in the relative path of netapi.dll on port 445. Used by Windows and applications when connected to Windows-based networks. Exploitation bypasses and disables NX, thus enabling bypass of authentication and execution of code. May crash Windows Server.
· net view /domain Displays shared resources and available network domains/workgroups
· net view /domain:<specific> Utilized to identify domains/workgroups within the local network and hosts within a specific domain/workgroup
· net view \\<name or IP> Displays shared resources of a remote device, requires authentication
· DSQUERY COMPUTER "OU=servers,DC=mydomain,DC=com" -o rdn -limit 1000 > c:\machines.txt To dump all machines