Section 6
what is another name for pivoting?
redirection
once a stager communication channel is established what occurs?
upload/download is brokered in the form of the payload or a stage
pivoting allows an attacker to
use an existing session on a dual-homed computer as a proxy in order to exploit computers residing on another
how does the passivex payload work?
uses activex to create a hidden instance of internet explorer
describe the sql injection attack of compromised availability integrity
attacker alters contents of a database which makes the data untrustworthy
describe how a directory traversal attack may be attempted
attacker crafts a url which references directories that should be inaccessible
describe a stored cross-site scripting attack
attacker embeds the malicious code within the page that is stored on the web server
describe a reflected cross-site scripting attack
attacker includes html code within a link to a web address, knowing the linked page will fail to sanitize the html code
describe sql targeted attacks
attacks subvert the original intent of the application by submitting attacker supplied sql statements directly to the back-end database through normal interaction
how can a backslash be encoded in to a url?
by using %255c
how can aslr be bypassed?
by using a technique known as egg-hunter which involves executing a code stub that will identify where the malicious payload from the attacker is located within memory
how is dep performed on a system that supports it?
by using the nx bit
how can dep be circumvented?
by utilizing the heap memory
what is a common small single payload?
netcat
are shellcode attacks hard to detect if they are unencrypted?
no
does meterpreter need to start it's own process?
no
is an unstaged payload subject to the same space limitations as a staged payload?
no
describe a meterpreter payload
payload written specifically for the metasploit framework, sophisticated, and executes directly in to memory
describe a nonx payload
payloads designed to circumvent dep
describe data execution prevention (dep)
prevents the use of the stack memory space for execution
what is shellcode designed to do?
provide the threat actor with command shell access on the system
what is the most recognized remote command injection attack?
uses the xp cmdshell stored procedure (windows) or leverages the external procedure feature on oracle databases
describe how a dns tunneling attack is carried out
-attacker creates a dns server that resolves a domain name for the attack -a logical interface is created on the server -logical interface is created on target to use for tunneling -
what are some consequences of a successful sql injection attack?
-authentication bypass -disclosing confidential info -distributes malicious code to endpoints
sql injection can be used to perform what attacks?
-authentication bypass -information disclosure -compromised data integrity -compromised availability of data -remote command execution
describe some uses of dns tunneling
-command and control -data exfiltration -tunneling of ip traffic
what are the advantages of the ord payload?
-compatible with every flavor and language of windows dating back to windows 9x -extremely small
what are 2 memory based shellcode protection measures?
-data execution prevention -address space layout randomization
what are the methods for detecting dns tunneling attacks?
-examine payloads for unusual content, packet size, frequency of requests -looking for unusual hostnames
what other payload types are available within metasploit?
-meterpreter -passivex -nonx -ord -ipv6 -reflective dll injection
what forms can a stage come in?
-precompiled and configured -customized before deployment
what are disadvantages of the ord payload?
-relies on ws2_32.dll on the target -somewhat less stable than other stagers
what are the 3 basic metasploit payloads?
-singles -stagers -stages
what 2 variations does shellcode come in?
-staged -unstaged
what are the 2 types of cross-site scripting attacks?
-stored -reflected
which payloads make use of the reflective dll injection payload?
-vnc -meterpreter
describe pivoting
a method that allows an attacker to use a compromised computer to attack other computers within the same or other networks
what is the result of a stored cross-site scripting attack?
a persistent attack
describe a nop sled
a segment of no-operation instructions that precedes a section of shellcode
describe a reflective dll injection payload
a stage payload is injected into a compromised host process running in memory
describe punycode
a system for representing unicode characters in an ascii-only format to ensure compatibility with dns
describe the sql injection attack of remote command execution
allows an attacker to compromise the underlying os by exposing potential commands
describe the sql injection attack of compromised availability of data
allows an attacker to delete data, logs, or audit info
describe the sql injection attack of information disclosure
allows an attacker to obtain, directly or indirectly, sensitive information
describe the sql injection attack of authentication bypass
allows attackers to login in to a system without supplying proper credentials
describe a ipv6 payload
allows metasploit and corresponding payloads to function like ipv4 payloads on an ipv6 network
describe dns tunneling
another protocol is tunneled through dns
descrive a passivex payload
developed to circumvent outbound firewalls
what is a useful way of detecting shellcode on a network?
focus on detecting a pattern of code that contains a sequence of no-operation instructions
describe netcat
has a small size and foot print and can be compiled on windows or linux
describe a staged payload
intentionally designed to be very compact to fit within memory space limitations for a particular exploit
describe shellcode
is the payload that is attached to an exploit that will execute the desired actions of the threat actor
how is dep performed on a system that does not support it?
it's emulated via memory segmentation if the cpu does not support it
a shellcode exploit using nop sled will execute as long as
long as the jump lands somewhere along the nop sled memory
what's another name for shellcode?
machine code
what are critical to making an ids work properly?
regular expressions
describe the singles payload type
self-contained payloads that function on their own
describe stagers
set up a network connection between the attacker and the victim
what type of payload is not dependent on the metasploit framework?
singles
describe a directory traversal attack
takes advantage of improper checking or validation of user-supplied input, allowing the threat actor to gain unintended access to a file system
how can a reflected xss attack be used to compromise user credentials?
the cookie of the user is intercepted by the attack and the attacker uses to access the site under the user's account
what do payloads referrer to within the metasploit framework?
the modules utilized during the exploitation events to gain access
describe a stage
the payload that is delivered to the target host
why do exploit authors include nop sleds?
to increase the probability of the success of the exploit
why have many payload types been created within metasploit?
to keep the size, footprint, and detectability to a minimum
describe what sql is used for
to query, operate, and administer database systems such as microsoft sql, oracle, and mysql
what is the primary way a directory traversal attack works?
via a web server
describe a ord payload
window based stager payload
what is the structure of a puny code url?
xn-<ulr minus characters>-<code for special characters>.<tld (.com...net...etc)>
are payload singles easy to detect, block, and log?
yes
can directory traversal be accomplished with scripts?
yes
