C-COI Week 7

Pataasin ang iyong marka sa homework at exams ngayon gamit ang Quizwiz!

ServicePrincipleName

A SPN is the name by which a client uniquely identifies an instance of a service

Domain Controller

A Windows server that has Active Directory installed and is responsible for allowing client computers access to domain resources.

Silver Ticket

All-access pass for a single service or computer account. Forged using a dumped computer account hash and can impersonate any user for that system.

DCE/RPC

Distributed Computing Environment / Remote Procedure Calls used for domain replication

PsExec

Execute process remotely - runs on port 135 RPC

Kerberos Attacks

Golden Ticket Pass-the-ticket silver-ticket

Two Types of Trust Relationships

Implicit Trust - two way transitive trust explicit trust - one way non-transitive

LAPS

Local Administrator Password Solution - provides management of local admin passwords

LSASS

Local Security Authority Subsystem Service passwords stored here in hash or plaintext

LDAP (Lightweight Directory Access Protocol)

Port 389 A communications protocol that defines how a client can access information, perform operations, and share directory data on a server.

Kerberos Change Password Protocol

Port 464

Kerberos

Port 88 An authentication system used to verify the identity of networked users.

Delegation

capability of Active Directory, delegation of administration. Constrained or unconstrained.

netsh advfirewall show allprofiles

command to show firewall settings on a box

whoami /groups

displays groups user is a member of, group name, type, sid, and attributes

ffuf

https://github.com/ffuf/ffuf A fast web fuzzer written in Go.

Domain vs. Workgroup

1. Domain :Domain is a client/server network where user can login from any device of the office. Also known as Remote login. It has a centralized administration and all devices can be managed from a centralized device. It prefers a centralized storage and all the users data is stored at a centralized storage device which can be NAS or SAN. 2. Workgroup :Workgroup is a peer to peer windows computer network, where users can use his login credentials only on his or her system and not others. It holds an distributed administration wherein each user can manage his machine independently. Most storage is distributed. Each device has its own dedicated storage.

Golden Ticket

A Golden Ticket attack is a type of attack in which an adversary gains control over an Active Directory Key Distribution Service Account (KRBTGT), and uses that account to forge valid Kerberos Ticket Granting Tickets (TGTs). This gives the attacker access to any resource on an Active Directory Domain (thus: a "Golden Ticket"). Golden ticket attack needs: The FQDN (Fully Qualified Domain Name) of the domain The SID (Security Identifier) of the domain The username of the account they want to impersonate The KRBTGT password hash

net localgroup

A Windows TCP/IP command that adds, displays, or modifies local user groups. shows all groups accessible on a workstation, some of these groups could be empty.

Active Directory

A Windows server directory database and service that is used in managing a domain to allow for a single point of administration for all shared resources on a network, including files, peripheral devices, databases, Web sites, users, and services.

Universal Group

A group scope that can contain users from any domain in the forest and be assigned permission to resources in any domain in the forest.

Global Group

A group that can contain user accounts and other global groups. Global groups are designed to be "global" for the domain. After you place user accounts into global groups, the global groups are typically placed into domain local groups or local groups.

domain local group

A group that contains global groups and universal groups, even though it can also contain user accounts and other domain local groups. It is usually in the domain with the resource to which you want to assign permissions or rights.

rainbow table

A table of hash values and their corresponding plaintext values that can be used to look up password values if an attacker is able to steal a system's encrypted password file.

Pass the Ticket Attack

A technique used for authenticating a user to a system that is using Kerberos tickets without providing the user's password. Kerberos authentication allows users to access services provided by remote servers without the need to provide passwords for every requested service. To perform this attack, the attacker dumps Kerberos tickets of legitimate accounts using credential dumping tools

Pass the Hash Attack

An expoit in which an attacker steals a hashed user credential and, without cracking it, reuses it to trick an authentication system into creating a new authenticated session on the same network.

API

Application Programming Interface - software that allows two applications to talk to each other Think of a rideshare app like uber, they leverage data from google maps, and bring it into their native application using APIs.

Authentication vs session

Authentiction - I am who I say I am Session - running actions

Bloodhound

BloodHound (https://github.com/BloodHoundAD/BloodHound) is an application used to visualize active directory environments. The front-end is built on electron and the back-end is a Neo4j database, the data leveraged is pulled from a series of data collectors also referred to as ingestors which come in PowerShell and C# flavours. It can be used on engagements to identify different attack paths in Active Directory (AD), this encompasses access control lists (ACLs), users, groups, trust relationships and unique AD objects. The tool can be leveraged by both blue and red teams to find different paths to targets. The subsections below explain the different and how to properly utilize the different ingestors.

CrackMapExec

CrackMapExec (a.k.a CME) is a post-exploitation tool that helps automate assessing the security of large Active Directory networks. Built with stealth in mind, CME follows the concept of "Living off the Land": abusing built-in Active Directory features/protocols to achieve it's functionality and allowing it to evade most endpoint protection/IDS/IPS solutions.

net users

Displays all users in the Windows system, LOCAL ACCOUNTS

systeminfo

Displays machine specific properties and configuration.

Windows Enumeration Cheatsheet

Get-Service -Name *ssh* Start-Service ssh-agent whoami /groups systeminfo net users net users Administrator net localgroup ipconfig /all route print sc query windefend netstat -ano netsh firewall show state reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" wmic service list brief wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """ driverquery

Guacamole Server

Guacamole is an HTML5 web application that provides access to desktop environments using remote desktop protocols (such as VNC or RDP). Guacamole is also the project that produces this web application, and provides an API that drives it. This API can be used to power other similar applications or services.

inveigh

Inveigh is a PowerShell LLMNR/mDNS/NBNS spoofer and man-in-the-middle tool designed to assist penetration testers/red teamers that find themselves limited to a Windows system. At its core, Inveigh is a .NET packet sniffer that listens for and responds to LLMNR/mDNS/NBNS requests while also capturing incoming NTLMv1/NTLMv2 authentication attempts over the Windows SMB service. The primary advantage of this packet sniffing method on Windows is that port conflicts with default running services are avoided

Multi/handler

Located within the exploit modules, used to connect to a listener. Used when a payload is delivered to the target outside the metasploit framework

NTHash

Method for storage on modern windows systems sam database or mimikatz hashes are actually nonces, each nonce is different nonce used to prevent attacks in ntlm NET NTLMv2 is the authentication protocol that uses the NT or LM hashes

ntds.dit

Primary Active Directory database file. Big target. Ntds.dit is the main AD database file. NTDS stands for NT Directory Services. The DIT stands for Directory Information Tree. The Ntds.dit file on a particular domain controller contains all naming contexts hosted by that domain controller, including the Configuration and Schema naming contexts. A Global Catalog server stores the partial naming context replicas in the Ntds.dit right along with the full Domain naming context for its domain. c:\windows\system32\ntds.dit

TCP 135

RPC , seen on Domain Controllers

Password Salt

Random number added to the password before being hashed to make pre-computed dictionary attack (rainbow table) difficult.

SID history

SID History is an attribute that supports migration scenarios. Every user account has an associated Security IDentifier (SID) which is used to track the security principal and the access the account has when connecting to resources. SID History enables access for another account to effectively be cloned to another. This is extremely useful to ensure users retain access when moved (migrated) from one domain to another. Since the user's SID changes when the new account is created, the old SID needs to map to the new one.

SQL

Structured Query Language SQL, or Structured Query Language, is a data management language used to handle data in relational databases. With the help of SQL, you can create and modify the structure of databases and tables. You can also store, manipulate, and retrieve data from databases and tables using SQL. It is a non-procedural or declarative query language, which means that the user specifies which data is required without specifying how to retrieve it.

SAM

The Security Account Manager (SAM) is a registry file for Windows XP, Windows Vista, Windows 7, 8.1 and 10 that stores local user's account passwords. The file is stored on your system drive at C:\WINDOWS\system32\config

Pagefile.sys

The Windows swap file that is used to hold the virtual memory that is used to enhance physical memory installed in a system.

Tokenization

The process of replacing sensitive data with unique identification symbols that retain all the essential information about the data without compromising its security. security measure in NTLM

NTLM (New Technology LAN Manager)

Used for authenticating in a Windows domain, was replaced by Kerberos for the most part.

Impacket

__ is a collection of Python classes for working with network protocols. ▪ Packets can be constructed from scratch, as well as parsed from raw data, and the object oriented API makes it simple to work with deep hierarchies of protocols. ▪ Collection of Python classes for working with network protocols ▪ Focused on low-level program access for SMB and MSRPC protocol implementation

IPC$ share

__ is used to provide information about the domain, but can be accessed through null sessions (i.e., anonymously). __ also known as the null session share, allows anonymous hosts on the network to perform certain activities such as enumerating domain accounts and network shares.

msfvenom

is a combination of msfpayload and msfencode, putting both of these tools into a single framework. It can be used to generate malware as a standalone .exe file. We use this to build payloads

Kerberoasting

is a method used to steal service account credentials. ▪ Any domain user account that has a service principal name (SPN) set can have a service ticket (TGS) ▪ Ticket can be requested by any user in the domain and allows for offline cracking of the service account plaintext password ● Privilege Escalation (Windows)

Mimikatz

one of the tools to gather credential data from Windows systems. Mimikatz It's now well known to extract plaintext password, hash, PIN code, and kerberos tickets from memory.

zero knowledge proof

prove knowledge of a fact to a third party without revealing the fact itself


Kaugnay na mga set ng pag-aaral

Ch. 7: Bacterial and Viral Genetic System

View Set

Social Psychology Chapters 9,10,11

View Set

Chapter 9 9.2.9 Practice Questions

View Set

Unit 5 - Bond and Stock Valuation and Capital Budgeting

View Set

mental health exam 2 practice questions

View Set

Test 3 study guide (ch. 12, 13, 14, 15)

View Set

Chapter 6: Health, Wellness, and Models of Health

View Set

Medical surgical neurosensory (adaptive quizzes)

View Set