CNIT 471 Final

Réussis tes devoirs et examens dès maintenant avec Quizwiz!

Defender task #1

Identify every single device, including fancy coffee machine that's connected to your network

Pivoting

Identify information on compromised systems to further elevate access

Nikto is used to

Identify security flaws on a target website and provide detailed referencing for each issue found

-port <port number>

If the server uses a non-standard port (80, 443), we may want to use Nikto with this option

theHarvester

This tool allows us to quickly and accurately catalog e-mail addresses, subdomains, virtual hosts, open ports / banners, and employee names related to a domain from different public sources that are directly related to our target.

Use the icacls command

To check for a folder/file permissions

url.txt

URLs, typically found in browser caches, email messages, and pre-compiled into executables

how to use a non-alpha encoder

Use -e switch followed by the encoder's name

Google Dorks

Used in Google advanced search operators to extract sensitive information about their target, such as vulnerable servers, error messages, sensitive files, login pages, and website

Hashing

Used to validate passwords and most are cracked by brute force

Hash format

Username : Security Identifier (SID) : LM hash : NTLM hash

url_searches.txt

a histogram of terms used in Internet searches from services such as: Google, Bing, Yahoo, etc.

url_services.txt

a histogram of the domain name portion of all the URLS found on the media

wordlist.txt

a list of all 'words' extracted from the disk, useful for password cracking

Once the OSVDB ID has been obtained

a partial list of references for the OSVDB IDs associated with CVE entries are available at http://cve.mitre.org/data/refs/refmap/source-OSVDB.html.

auxiliary metasploit

a piece of code specifically written to perform a task

module

a piece of software that can be used by the metasploit framework

NVTs (Network Vulnerability Tests)

a process that helps review and analyze endpoint and device networks for security issue

In practice, the file is put in the root of a website and comes into play when

a robot or bot visits a site in an attempt to catalog content

Data Breach

a security protocol violation fora company or an individual in which private data is copied, sent, viewed, and stolen by an unauthorised person.

Wifiphisher

a security tool used often by the red team in penetration testing that mounts automated phishing attacks against Wi-Fi networks

meterpreter includes

a series of built in commands

powershell attack vector

a series of code attacks that can be executed once you have already compromised a system

Rainbow Tables

a set of precomputed hashes that this then uses to try for a possible match these get defeated if hashes are salted

Advanced Persistent Threat (APT)

a sophisticated, possibly long-running computer hack that is perpetrated by large, well-funded organisations such as governments

Master File Table

a special file located at the root of the file system (\$Mft),which stores critical information about all other files on the partition

CVEs

a standardised list of known security vulnerabilities, exploits, and malware

vulnerability for CVE

a state in a computing system (or set of systems) that allows an attacker to: - execute commands as another user - access data that is contrary to the specified access restrictions for that data - pose as another entity - conduct a denial of service attack

_stopped.txt

a stop list AKA a list of items that do not need to brought to the user's attention

MetaGooFil

a tool that scours the Internet looking for documents that belong to your target

in response to a POST request

a web server could send an email, update a database, or change a file

The Web Server and the Data Store just need to be

accessible to each other via a network connection

enterprise administrator

accounts that have the most privileges for maintaining the entire forest in an Active Directory

In the SPARTA 1.0.3 GUI, click on the left pane to

add your host or hosts to the scope

SPARTA takes the scanning, enumeration, and vulnerability assessment another step further by

allowing the penetration tester to actually perform various network penetration testing functions

Netcat Banner Grabbing

allows an operator to establish a socket to a specific port to potentially identify the operating system, service, version, and other tidbits of information necessary to enumerate the purpose and/or potential weaknesses in the service

Cyber Security Enhancement Act of 2002

allows life sentences for hackers who recklessly endanger lives of others

Impacket is a Swiss army knife in that it

allows penetration testers to parse data into networking services running on host systems across a network

allintitle:index of

allows us to view a list of any directories that have been indexed and are available via the webserver

sessions command

allows you to list, interact with, and kill spawned sessions

Netcat File Transfer

allows you to transfer files between computers without the need to install a full-blown FTP server we used netcat in class for our ICA to send a file over

\x00

almost universal bad character -- null byte

reconnaisance

also known as information gathering

A HTTP GET Method does not

alter the state of the data

For each security issue found

an Open-Source Vulnerability Database (OSVDB) reference ID is associated with the issue

Meterpreter

an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime.

exploit-db.com

an archive of exploits for the purpose of public security

target meaning 3

an attack vector present within a service listening on a host

post-exploitation modules

an be run on compromised targets to gather evidence, pivot deeper into a target network

net user admin

an example where you can choose the user you want to target and get their information

Each point on the output is

an indication of an issue

what is LM authentication

an old authentication mechanism that predates NTLM authentication

Netcat Chat/Messaging Server

an operator can redirect simple text between two computers in a simplistic chat or in an instant message interface

ethical hackers goal

analyse network security and identify and possibly exploit any weaknesses to determine if a compromise is possible

Nikto identified the server version

and some issues in the response header

In practice, robots.txt is supposed to be read by

any robot visiting the site to catalog its content

The actual robots.txt file can be viewed by

anyone as it is publicly accessible by default

GET parameters are

appended to the URL using ? and are available askey=value pairs

global variables

applicable across the framework and can be reused when required

ExifTool

are designed to allow you to quickly and easily view document metadata

normal user

are either local users or domain users with limited system access to perform only tasks that are allowed for them

delegated administrator

are local user accounts with administrator privileges

stages

are payload components that are downloaded by Stagers modules

local admin

are system account holders who have the privilege to run system configuration changes

domain administrator

are users who can administer the domains that they are a member of

schema administrator

are users who can configure the schema of the forest

If we have access to a suspect system's disk

artifacts from file-system-related actions are replicated in RAM

The robots.txt file can be viewed by anyone

as it is publicly accessible by default

compliance based assessment

assessment where pen tester must verify and audit security posture (comply with PCI-DSS, HIPAA, FedRAMP)

delivery

attack delivers malware to the target

Direct Access

attacker essentially knows the IP of the target system and connects remotely

CKC installation

attacker uses initial access provided by malware to get permanent or persistent access to the target system

first step in creating a reverse shell in metasploit

attacker will set a multi-handler in Metasploit

CKC Reconnaissance

attackers gather OSINT and conduct initial scans of a target environment to detect exploitation avenues

lateral movement (pivoting)

attackers move from device to device after initial attack with the goal of accessing high-value data

MITRE ATT&CK TTP (Tactics, Techniques, and Procedures)

attackers use TTP to evade technical controls ex of a tactic: a threat group uses this to compromise a target -- such as phishing attacks

windows authentication mechanisms allow users to

authenticate without providing a clear-text password

Sparta is very easy to use an

automates a lot of information-gathering processes

Use _____ commands on the old legacy Windows system

cacls

Mimikatz

can be used to extract clear-text passwords directly from the virtual memory space of a compromised Windows target

AV Physical

can only be exploited with physical access ex: cold boot attack

AV Adjacent

cannot be exploited beyond network boundary but can be exploited within the same physical or logical network ex: bluejacking, ARP flooding

script kiddies

casual hackers who use prebuilt tools

meterpreter lcd command

change the local working directory

HTTP is typically used when a client only wants to

check if a resource exists or to read the metadata

metasploit show targets command

check if a system is vulnerable to a particular exploit

Parsero reads the robots.txt file of a web server, looks at theDisallow entries, and then

checks to see whether the location is accessible

clear the event logs using the _______ command

clearev

shellcode

code that is designed to give a shell access of the target system

msfvenom

combination of msfpayload and msfencode making it a single framework

meterpreter download command

command downloads a file from the remote machine note the use of the double-slashes when giving the Windows path

meterpreter webcam_snap command

command grabs a picture from a connected webcam on the target system, and saves it to disc as a JPEG image. By default, the save location is the local current working directory with arandomized filename

meterpreter sysinfo command

command will provide system information about the target machine including computer name, operating system, service pack level, and more

running bulk_extractor on a computer with twice the number of cores typically makes it

complete a run in half the time

The data store can reside on a

completely different computer than the web server is running on

Focused penetration

compromise vulnerable hosts (exploit missing patches, deploy custom executable payloads, access remote management interfaces)

Receiver (RHOST)

compromised system that's waiting for instructions from the LHOST once that system has been exploited This will be the target's IP address

set command metasploit

configure framework options and parameters

hacker vs ethical hacker

consent

windows/shell/bind_tcp

consists of a stager (bind_tcp) and a stage (shell)

The OSVBD is an independent and open-source database that

contains information about web application security vulnerabilities

what do MFT entries include

contains information such as: 1. name 2. type (hidden, regular file, directory) 3. the locations on the disk where its data can be found

legal vs illegal hacking

context

-DV

controls the display output

ZEH post exploitation

create a more permanent backdoor to the system

POST

create or post a resource(data) for processing

_histogram.txt

creates a histogram of features can be used to rapidly create a pattern of life report

bind shell

creates a payload that 'binds' a command prompt to a listening port on the target machine, which the attacker can then connect

sudo msfdb init

creates and initialises the msf database

What is msfvenom used for

creating a custom shellcode payload

ccn_track2.txt

credit card 'track 2' information, which has previously been found in some bank card fraud cases

ccn.txt

credit card numbers

Services in the Windows system are like

daemons in the Linux OS

four extremely common LHF

default passwords/configurations, sharing credentials across multiple systems, all users having local admin rights, missing patches with publicly available exploits

Defender role

defend organisation from cyber threats

-o and -F

define the scan report to be written in a format

setg

defines global variable

Level 3 of privilege escalation hierarchy

delegated admin/SYSTEM - account operators, backup operator, other groups

Counter measures to CKC

detect, deny, disrupt, degrade, deceive, contain

'/' in payload name

determines whether or not a payload is staged

A more practical approach to crack cached credentials is to use a _________ _____ containing common words and only guess the words in the list

dictionary file

where does bulk extrctor get its information from

digital evidence files

two ways to get remote access to a system

direct access, target behind router

HTTrack is used to

discover and access hidden resources and files that weren't accessible via the online version

Information Gathering

discover network hosts, enumerate listening services, discover vulnerable attack surfaces

metasploit show options

display the settings that are available and/or required for that module

meterpreter lpwd command

display the working directory

metasploit banner command

displays MSF banner info includes: version details, number of - exploits, auxiliaries, payloads, encoders, and nops generators

show metasploit

displays contents of each directory

net user

displays local user accounts

meterpreter help command

displays meterpreter help menu

The Web Server and the Data Store

do not even need to be on the same network

auxiliary modules ________ the use of a payload to run

do not require

Level 4 of privilege escalation hierarchy

domain administrator

Passive Recon methods

domain enumeration, packet inspection, OSINT, Recon-ng, Eavesdropping

netcat -n

dont perform DNS lookup

Exfiltration Methods

downloading, external drives, cloud exfiltration, malware

configure the rootkit .ini file to hide uploaded files, backdoor, newly opened ports using the _______ command

edit

$2a

eksblowfish

email.txt

email addresses

rfc822.txt

email message headers including Date:; Subject: and Message-ID: fields

what type of communications does meterpreter use

encrypted communications

Level 5 of privilege escalation hierarchy

enterprise/schema administrator

where does meterpreter reside

entirely in memory

Active recon methods

enumeration: host, network, user, group, network share, web page, application, service and packet crafting

metasploit connect command

establish a connection with a remote system

Post-exploitation and privilege escalation

establish reliable re-entry, harvest credentials, move laterally (identify privileged user accounts, elevate to domain admin)

ether.txt

ethernet MAC addresses found through IP packet carving of swap files and compressed system hibernation files and file segments

SPARTA is an

excellent active information gathering tool

install netcat as a persistent backdoor using _______ command

execute -f

install the rootkit using the _______ command

execute -f

After copying the 64‐bit version of Mimikatz to a remote Windows10 host

execute Mimikatz executable from a command prompt

The robot does checks for the

existence of the robots.txt file

metasploit exit command

exits metasploit console

exploit command

exploit a host, run until completion, and then exit

_______ cannot exist without _______

exploits ; vulnerabilities

The extension of the file determines the

format of the report Other commonformats are .csv (for comma separated file) and .txt (for text files)

Parsero is a

free script written in Python which reads the Robots.txt file of a web server and looks at the Disallow entries

Crackstation

free service that uses its own word list and look up tables to perform a plaintext search of a has from its database

Gaining Persistence

fully interactive -- through meterpreter or windows cmd prompt non-interactive -- through a webshell or database console that can run individual OS commands

Use the -Impacket-PsExec module -Administrator username - LM and NTLM hashes to

gain access to a remote shell on the target

DNSRecon

gathers DNS information through a number of techniques including zone transfer, dictionary requests, and Google search

generate command

generate shellcode without options

generate -t c

generates a payload in C

generate -t java

generates a payload in java

metasploit help command

gives a list of all available commands

metasploit back command

go back to previous area

ZEH exploitation

goal is to gain root access over a machine, locally or remotely

CKC Command and Control

hackers use stolen data to move laterally, gain unsolicited access, and compromise key infrastructure elements

Once httrack is complete, testers must be able to load the application locally and

harvest information or identify the implementation flaw

dump password hashes and use John to crack passwords by using the _______ command

hashdump

to identify a hash type use

hashid <hash value> command on Kali Linux

encoders

help you generate a wide variety of payloads that can be sent to the target in multiple ways

Password profiling

helps us generate word-lists aligned with the specific pattern

Bulk extractor creates

histograms

Sub-Phase A of information gathering

host discovery

3 main subphases/components of IG phase

hosts, services, vulnerabilites

CVSS Probability

how likely is that this vulnerability will be exploited

CVSS Impact

how much is it going to hurt

engagement scope

how the list of IP address ranges you will probe during a host discovery is determined

Most web servers communicate via

http (port 80) or https (port 443)

white box testing typically requires

identifying loopholes, testing exploits, performing exploits, clean up

ping sweep bash command

if range = 10.0.10.1-254 for octet in {1..254}; do ping -c 1 1.0.10.$octet - W 1 >> pingsweep.txt & done

Impact on Availability (High, Low, None)

impact on the availability of the affected component after successful exploitation of the vulnerability

Impact on Confidentiality (High, Low, None)

impact on the confidentiality of the information after successful exploitation of the vulnerability high - complete access to resources low - confid info is obtained but not complete control none - no impact on confidentiality

db_import

import a saved file from an nmap scan

The owner of a website can make use of the robots.txt file

in an attempt to take control of who sees what within a site

While the intention is for robots.txt to be universally accepted

in reality, robots can ignore your /robots.txt

Action on Objectives

includes: theft of sensitive information, the unauthorised use of computing resources to engage in: DDoS, mine crypto, or the unauthorised modification or deletion of information

User-agent : *

indicates that the information applies to all robots

User interaction (none, required)

indicates the actions that the target user needs to perform (apart from the attacker's action) to successfully exploit the vulnerability

ethical hacker / security researcher

information security professionals who specialise in evaluating, and defending against threats from attackers

what does \x00 do

instructs metasploit to remove this unwanted byte

domain.txt

internet domains found on the drive, including dotted-quad addresses found in text

Finding Master File Table (MFT) records can help with

investigatingmalicious code

LHOST

ip for local machine

Spear Phishing Attack

is a phishing method that targets specific individuals or groups within an organisation. they are specially crafted e-mails with malicious attachments

WHOIS

is a query protocol for identifying IP addresses and domain names on the Internet

Nslookup

is a valuable tool for querying DNS information for host name resolution. example: server 8.8.8.8

'Filtered' Nmap status

is unable to determine whether a port is open or closed because a firewall is interfering with the connection attempt

Zone Transfers

is when one DNS "zone" will transfer data to another, think the Primary DNS server transferring to the Secondary DNS server

Medium Rated Vulnerability

it can be exploited remotely, but it is very easy to execute - requires low or normal account privileges impact on CIA is low

Why should we minimise false positives

it can divert resources to investigate a problem that does notreally exist

What is important about 5 iterations

it is slightly larger and our bytes are no where near similar In theory, this version of payload will be less prone to detection

In a time-sensitive investigation

it might be easier to acquire a 4GB of memory sample than a 250GB disk image

Once a security flaw is identified on a target

it provides an associated OSVDB reference ID

When it reads the file

it should process the directives and react accordingly

use the _______ command to disable antivirus

kill

white box (overt)

known environment -- full knowledge, has access to source code, config files, etc.

search by type

lets you filter by type such as auxiliary, post, exploit, etc.

use command

lets you use a module

cache

limit our search results and show only information pulled directly from the Google cache displays googles cached copy of a page

local variables

limited and valid for a single instance

meterpreter features provide

limited forensic evidence and impact on the victim machine.

meterpreter lls command

list local files

port scanning

list of open ports and the potential service running on each target

netcat -l flag

listen

netcat -l

listen mode

Level 2 of privilege escalation hierarchy

local administrator

LHOST

local host

LPORT

local port

netcat -p

local port

netcat -p flag

local port

LPORT

local port for local machine

black box testing typically requires

locating and exploiting a single vulnerability brute forcing areas of authentication, testing exploits in a test environment, performing an exploit, cleanup

Payload

malicious code that we want the remote system to execute

CKC exploitation

malware gains access to targeted system

what can a multi-handler also do

manage multiple sessions between an attacker and multiple victims

PTF

manage your pen-testing toolbox

Reason for multiple vulnerability assessments

measure and determine progress towards overall goal

use the _______ command to move meterpreter to a common process

migrate

migrate <process PID>

migrate to another process

meterpreter payload allows us to

migrating a process to one which is more stable disable or kill antivirus, upload files, execute files, edit, copy, and delete files, escalate privileges, dump hashes, install and display keystrokes disable or kill antivirus, upload files, execute files, edit, copy, and delete files, escalate privileges, dump hashes, install and display keystrokes

jobs in metasploit

modules that are running in the background

what does meterpreter allow you to do

move easily from the exploitation phase to post exploitation

methodolies help you

move through a number of tasks in a systematic manner

command to run netcat from linux terminal

nc

open netcat listener on port 55

nc -nvlp 55

how to use getsystem command

need to load the 'priv' extension

how to list the local groups on a Windows host

net localgroup

To get detailed information about a certain group

net localgroup <enter localgroup name>

use the _______ command to make changes to windows firewall settings

netsh advfirewall firewall

To list the firewall configuration and state, you must use

netsh firewall show state

find open ports in windows

netstat -ab

target meaning 1

network host (computer with an IP on an organisation's network)

level-two targets

newly accessible targets that weren't available on the original attack vector's target list

if too many restricted bytes are given

no encoder may be up for the task

do sessions typically have unlimited user rights

no they have limited most of the time

does meterpreter write anything to the disk

no, it writes nothing

does generate include options

no.

Often times web servers will run on

non standard ports

Level 1 of privilege escalation hierarchy

normal user - local user, domain user

types of user accounts

normal user, local admin

Low Attack Complexity

nothing that can hinder an attacker from successfully exploiting a vulnerable component repeatedly

Clicking on the Information tab displays host information gathered, including IP information;

number of ports open, closed, and filtered(if any); as well as the operating system and version with an accuracy rating

redteam

offensive security professionals

MFT contains

one entry for every file and directory on the file system

Shodan

one of the most popular security search engines and provides pre-built searches as well as categories of search for industrial control systems, databases, and other common search queries

Hashing Algorithms

one way, non-invertible functions such as MD5 and SHA1

meterpreter edit command

opens a file located on the target host

grep command

output text in searchable format

netcat -n flag

overlooks host discovery

DDoS

overwhelms a systems capabilities

Medusa

parallel login brute forcer that attempts to gain access to remote authentication services needs: target IP, username, password list/dictionary file, and the name of the service you want to authenticate with ex- 10.0.1.15, vij1, passwords.txt, ssh

bulk extractor gets useful information without

parsing the file system or filesystem structures

Attack Vector

particular entry point inside an attack surface

site: zoom+meeting+passcode

passive reconnaissance

Word lists can be useful for

password cracking

John the Ripper

password-cracking program -runs automated dictionary attacks -takes large dictionary file, runs an enc function on them, then looks for matches

Low Hanging Fruit

path of least resistance for an attacker

singles

payloads that are self-contained and completely standalone

CFAA 1984

penalties of hacking are often severe, applies to cases of computer-related crimes relevant to federal law

Exploit Pack

penetration testing framework

grey box pentesting

pentester is given partial and limited information, like any normal user

HIPAA

pentesting not required but does require risk analysis which requires vulnerability scanning and pentesting

PTH-WinExe tool allows penetration testers to

perform pass the hash during security testing

meterpreter kill command

pid_number command will stop (kills) the specified process the process ID can be found by running the "ps" command

hacktivist

politically motivated hacker

HTTPS

port 443 tcp

HTTP

port 80 tcp

gaining persistence on a target system

post exploitation

what modules can help pentester dump OS credentials, execute Powershell scripts, and escalate user privileges

post modules

Hydra

powerful and efficient password cracking tool used to crack protocols such as FTP, SSH, HTTP, etc.

PTH-WinExe is

pre-installed on Kali machine

OpenVAS has several _________ _______ _______

predefined scan profiles

meterpreter shell command

present you with a standard shell on the target system

the process of going from a relatively low level of access rights to gaining the privileges of an administrator,the system, or even greater access privileges

privilege escalation

Bulk extractor can

process compressed data

vuln scanning

process of identifying weaknesses in the services our target is running

Weaponisation

process where tools are built or used to attack their victims

alert.txt

processing errors

netcat -e

program to execute after a connection has been established

ECPA 1986

protects against: 1. government surveillance without court order 2. third parties without legitimate authorisation accessing messages 3. illegal interception from carriers (ISPs)

Sarbanes-Oxley Act

protects investors from fraudulent financial reportings

meterpreter search command

provides a way of locating specific files on the target host

metasploit info command

provides information on a specific module such as options, targets, etc.

GET parameters are also known as

query strings they are visible in the URL

GET

read data or retrieve a source from the server; safe method (no action on server)

modify the registry to ensure netcat is persistent by using the _______ command

reg

RPORT

remote port (target)

RHOST

remote/target host

RPORT

remote/target port if the vulnerability is on FTP, we set the port to 21

unset metasploit

removes a parameter configured with set

unset all metasploit

removes all assigned variables

unsetg

removes the global variable

The maintainers of the Open-Source Vulnerability Database (OSVDB) decided to

shut down permanently due to the lack of support from the industry.

get out of jail card

signed by high-level manager and is enough to get you out of trouble

Pentester

simulate an attack on the company's infrastructure

Sparta is removed from Kali Linux

since version 2019.4

windows/shell_bind_tcp

single payload with no stage

3 different types of metasploit payload modules

singles, stagers, and stages

nmap -Pn

skips host discovery

modules

software packages that can launch our exploits, scan remote systems, and enumerate remote system

payload

something we want the system to execute and is delivered by the framework

What does the MFT include

special metadata files used for organising and tracking other files

Use the -h option to (Nikto)

specify the target host

CVSS

standard system for scoring vulnerabilities

sudo setoolkit

start set tool kit

openvas-start

starts all services involved in openvas

sudo system ctl start postgresql

starts the postgresql server

what is a good reason for an iteration switch

stealth/anti-virus evasion

Cyber Kill Chain (CKC)

step-by-step description of how hackers attack and how a cyberattack generally plays out

openvas-stop

stops all services involved in openvas

true negative

successfully ignoring acceptable behavior

run an nmap scan on 192.168.1.2, 192.168.1.3, 192.168.1.4 UDP ports

sudo nmap -sU 192.168.1.2 192.168.1.3 192.168.1.4

What does the iteration switch do

tells the framework how many encoding passes it must do before producing the final payload

Disallow: /

tells the robot not to visit any pages on the website

obtaining some access privileges will allow

testers to control all systems across a network

The file only serves to suggest the sections of the site

that shouldn't be visited; it doesn't enforce them

Robots can crawl everything except

the /wp-admin/ folder

what can a user also use to access a Windows system

the 32-character NTLM hashed equivalent of a password

With the target in this case being a Linux web server

the Nikto webscanning tool was also run as part of the process.

what does limiting access restrict

the ability to perform certain operations on a remote machine ex: dumping passwords, manipulating the registry, installing backdoors, etc.

social engineering

the art of manipulating people so they give up confidential information

Pass the Hash Attack

the attacker discovers the hash of the user's password and then uses it to log on to the system as the user

compare output

the byte size is larger than the first the more iterations one does, the larger the payload will be

POST is used when

the client needs to send information to the server

HEAD is used when

the client only wants information about the resource instead of the resource itself

GET is used when

the client wants to download a resource

msfconsole

the console within metasploit framework

Parsero is specifically designed to look at

the contents of the file with attention paid to the disallow entries that are used to keep bots from visiting those locations

LHF attack vectors are

the easiest to remediate

$DATA attribute contains

the file contents for resident files

what decides whether a particular attribute is resident or nonresident

the file system

Impact on Integrity (High, Low, None)

the impact on integrity after a successful exploitation of the vulnerability high - hacker can modify all files protected by an affected component low - attacker doesn't have full control over modification none - no impact on integrity

the more iterations one does

the larger a payload will be

Procedures

the manner, or order, in which an attack is carried out

exploit metasploit

the means by which an attacker/pen tester takes advantage of a flaw within a system, an application, or a service

bulk extractor histograms show

the most common email addresses URLs domains search terms and other kinds of information on the drive

When we click on the Tools tab, Sparta displays

the numerous tools that we can apply to this target system, including the following

what does privilege escalation allow

the penetration tester to own all aspects of a system's operations

Privilege Required (none, low, high)

the privilege an attacker must have to exploit a vulnerability successfully

find.txt

the results of specific regular expression search requests

SPARTA automates

the scanning, enumeration, and vulnerability assessment processes within one tool

The file only serves to suggest

the sections of the site that shouldn't be visited; it doesn't enforce them

wordlist_*.txt

the wordlist with duplicated removes, formatted in a form that can be easily imported into a popular password-cracking program

what are generate, pry, and reload

these 3 are added by metasploit when you use a certain payload

post

these are modules that we can use after the system has been compromised

(Nikto switch) -update

this updates plugin databases

insider threat

threat actors motivation can be revenge on a company

All web-based database applications have

three primary components:

netcat -w(N)

timeout for connections waits for N seconds to make a connection ex: w1 or w2

show sessions command

to manipulate sessions

metasploit history command

to see the commands you operated so far

show advanced command

to show the module's advanced options

social engineering toolkit (SET)

tool that helps automate some insanely complex techniques and make your attacks believable

Attack Surface

total number of potential harmful entry points

disk artifacts

traces in memory because Windows is specifically designed to cache content

Phishing

tricking users into entering their credentials or stealing credentials from them

netcat -u

udp mode

AV (Attack Vector) Network

vulnerability can be exploited remotely over the network ex: DDoS caused by sending a specifically crafted TCP packet

Sub-Phase C of information gathering

vulnerability discovery

False Negative

vulnerability is present, but the vulnerability assessment fails to identify it -- worse case scenario for an organisation

What does artifact replication of file-system related actions allow

we can leverage them as a strong source of corroborating evidence

-o switch ex: generate -o LPORT=1234 .....

we can use this to change the port from the default 4444

Dictionary Attack

we feed the password cracker a bunch of words the password cracker then tries all words from the supplied file and if matched we are presented with the correct password

Brute-force Attack

we specify the min length, max length, and a custom char set the password cracker tries all permutations and combinations formed out of this char set as a probable password on the target

What does the -b switch do in this command generate b '\x00'

we want \x00 to be disallowed during the generation process it removes the null bytes in this case

CVSS Scope

what parts of the vulnerable component are affected by the vulnerability

final report

what you did in detail and hopefully mitigations and solutions

meterpreter webcam_list command

when run from the Meterpreter shell, will display currently available web cams on the target host

Each entry's attributes also include timestamps that indicate

when the associated file was created, modified, and accessed

If the file exists, it reads the file to see

whether it is allowed to proceed, and if so, where

whoami

who you are logged in as

meterpreter clearev command

will clear the Application, System, and Security logs on a Windows system. There are no options or arguments

SET Credential Harvester

will clone a website and based on your attack, send an e-mail to a victim and attempt to collect their credentials

meterpreter idletime command

will display the length of time that the machine has been inactive/idle

meterpreter getuid command

will display the user that the Meterpreter server is running as on the host

meterpreter hashdump command

will dump the contents of the SAM database

meterpreter resource command

will execute meterpreter instructions located inside a text file

Active Reconnaissance

will interact with the system

meterpreter load python command

will load the extension giving us access to new commands

meterpreter migrate command

will move your meterpreter shell to another running process

meterpreter ps command

will print a list of all of the running processes on the target

why s listing users and groups important

will provide great insight about how to switch from a limited user to another user with administrator privileges

"-a" switch on a host

will provide with verbose output and possibly reveal additional information about a target

meterpreter reboot/shutdown command

will reboots or shutdown the target machine

The malicious web crawlers

will tend to ignore the Robots.txt file

TTL = 128. Which o/s?

windows

where are payloads generated in metasploit

within the msfconsole

Passive Reconnaissance

without interacting with the system

Vulnerability scoring

without this, it would be impossible to prioritise vulnerability mitigation and closure

metasploit makerc command

writes out all the command history for a session to a user defined output file

Can metasploit create payloads in different coding formats

yes

can bulk extractor process incomplete or partial data

yes

how to send a payload to a victim

you must find a way to convince your victim to download and run that payload

what happens if you try to run system-level commands when initially gaining system access

you will receive the response access denied or no privilege available to run the commands on the target system

post-exploitation modules allow us to

-escalate user privileges -dump OS credentials -steal cookies and saved passwords -get key logs from target system -execute powershell scripts -make our access persistent

whoami /priv

/priv command shows you what permissions you have - if you see it, you can do it

They are allowed to crawl one file in the

/wp-admin/ folder called admin-ajax.php

executive summary

1-2 page nontechnical overview of the findings

Two ways to nmap scan all 65536 ports

1. -p- 2. -p 0-65535

purple team

A mode of penetration testing where red and blue teams share information and collaborate throughout the engagement.

payload

A payload is malicious code that we want the remote system to execute

Metasploit

A penetration-testing tool that combines known scanning techniques and exploits to explore potentially new types of exploits.

meterpreter keyscan_start command

Begins keystroke logging on victim

$2$

Blowfish

attributes that the mftparser plugin currently supports include

$FILE_NAME ($FN) $STANDARD_INFORMATION ($SI) $DATA

iteration switch

'-i'

Payload is represented by _____ in the payload name

'/'

-evasion

(help avoid or bypass detection by Web Application Firewalls and Intrusion Detection Systems.)

-mutate

(to guess subdomains, files, directories, and usernames)

why are schema admins the most privileged account

because attackers cannot add users to any other groups: that would limit the access level to modifying the Active Directory forest

why are disk artifacts created

because users constantly open, read, write, and delete files

social engineering attacks have to be

believable enough that no negativeperceptions are created on the recipients end

By default Metasploit will select the _______________ to accomplish the task at hand

best encoder

3 pentesting approaches

black box, white box, grey box

identified_blocks.txt

block hash values that match has values in a hash database that the scan was run against

Attacker role

break into the company—to compromise the network in some way and gain unauthorised access to restricted systems or information

openvas 'high severity task'

brings up scan results

Apart from its scanning and enumeration capabilities, SPARTA also has a

built-in brute-force tool for cracking passwords

targets.txt / target list

IPs you test throughout engagement

show options

This command shows available options to set

Set payload windows/meterpreter/reverse_tcp

This sets the payload to be used

Kerberos tickets

This ticket is used mainly by Windows systems for single sign‐on

Which one has a stager 1. windows/shell_bind_tcp 2. windows/shell/bind_tcp

2 -- bind_tcp is the stager

CompTIA Penetration Testing Process

1. Planning and Scoping 2. Reconnaissance and Vulnerability Identification 3. Attacking and Exploiting 4. Reporting and Communicating Results

Penetration Testing and Execution Standard (PTES)

1. Pre-engagement Interactions 2. Recon 3. Threat Modeling 4. Vuln Analysis 5. Exploitation 6. Post Exploitation 7. Reporting

two additional files may be created

1. _stopped.txt 2. _histogram.txt

two possible conditions that would need social engineering

1. all systems are hardened and patched 2. attacker cant find any vulnerabilities

when getsystem fails

1. background the session 2. and manually try some additional exploits that Metasploit has to offer

To properly use a Google directive, you need

1. directive name 2. a colon 3. term you want to use example: site:domain term(s)

bulk extractor operates on

1. disk images 2. memory images 3. files or a directory of files

bulk extractor features such as

1. email addresses 2. credit card numbers 3. URLs 4. etc.

Hiding Trails

1. encryption 2. modifying system logs 3. tunneling: create a secure tunnel through which they send data (encrypted) from the victims network to another location 4. Wiping drives - makes it impossible to tell if malicious activities were performed

3 commonly targeted sets of credentials

1. local use account password hashes 2. domain cached credentials 3. clear-text config files with DB credentials

mftparser plugin does these things

1. parses the attributes 2. builds the file path for the file 3. outputs the pertinent information

steps of ethical hacking

1. talk with the client 2. prepare nda 3. prepare an ethical hacking team 4. conduct test 5. analyse results 6. deliver report to the client

default "verbose" mode output includes

1. the MFT entry's path 2. file type 3. timestamps 4. record number 5. and resident data (if any)

Each MFT entry takes up ___ bytes.

1024

MD5 - Message Digest 5

128-bit hash based on variable-length plaintext

HTTrack

A command-line and GUI utility Widely used to make a local copy of any website

Listener (LHOST)

A listener is a component in Metasploit that waits for an incoming connection of any sort after the remote system is exploited This will be your host IP address

Attack Complexity Metric

A metric that describes the difficulty of exploiting a vulnerability.

-sA

ACK Scan

Acceptula

Accept Agreement

salting

Adding a random string at the end of password to ensure a hash has a unique value

Reverse Shell

An attacker opens a listening port on the remote host and causes the infected host to connect to it

Password guessing

An attempt to gain access to a computer system by methodically trying to determine a user's password

exploit

An exploit is how an attacker takes advantage of a flaw within a system, application, or service

Changed Scope

An exploited vulnerability may impact resources beyond the boundary of the vulnerable component

Unchanged Scope

An exploited vulnerability would affect only the resources managed by the affected component

Dig

Another great tool for extracting information from DNS

Exploit

How an attacker takes advantage of a flaw within a system, application, or service

most common type of engagement

INPT (Internal Network Penetration Test)

ip.txt

IP addresses found through the IP packet carving

Host specific info

IP, DNS, OS

location

Find information for a specific location.

Defender task #4

Apply every security patch and hotfix issued by the individual software vendors as soon as they become available

AV Local

Attacker must be locally logged in to exploit a vulnerability ex: privilege escalation

High Attack Complexity

Attacker needs to put considerable effort to prepare for the attack

nonresident attributes

Attributes whose values are stored in runs rather than in the MFT

DNSEnum

Can provide a lot of switches (tool options) to further automate the DNS enumeration process.

Attack Complexity

Can the attack be done at any time, or at only under specific conditions?

CVE

Common Vulnerabilities and Exposures

ignore.txt / exclusion list

IPs you avoid touching in any way

Common Attack Vectors Include

Compromised Credentials Weak and Stolen Credentials Malicious Insider Missing or Poor Encryption Mis-configuration Ransomware Phishing Trust Relationship

Graham Leach Bliley Act (GLBA)

Consumer protection law that ensures the protection of a consumer's non-public information.

meterpreter keyscan_dump command

Displays the currently captured keystrokes from the target's computer

Phase 4

Documentation

exif.txt

EXIFs from JPEGs and video segments this feature file contains all of the EXIF fields, expanded as XML records

Defender task #2

Every application running on those devices is properly restricted using strong passwords (preferably with two-factor authentication)

Execute the httrack command

Execute the httrack command

(T/F) Bulk extractor cannot carve JPEGS, office docs, and other files out of fragments of compressed data

F

(T/F) Nikto cannot detect default files, insecure files and programs

F

(T/F) Nikto cannot detect server and software misconfigurations

F

(T/F) Nikto is not capable of identifying installed applications via headers and files on a target

F

(T/F) Nikto is stealth-oriented

F

(T/F) Bulk extractor builds word lists based on all the words found within the data, but not those in compressed files that are in unallocated space

F -- first part true, second part false

UL2900-2-1

FDA adopted consensus standard for pen tests as part of regular evaluation of a security standard

Common Target Protocols

FTP, SSH, SMB, SMTP, HTTP, MySQL, etc.

allintext:

Finds all provided terms in the text of a page -- dont use it

Filetype

Finds specific types of files based on file extension

inurl:admin

Finds strings in the URL of a page

Phase 2

Focused penetration

bulk extractor

Forensics investigation tool, especially useful in malware and intrusion investigations

Three Common HTTP requests

GET, HEAD, POST

SPARTA is a

GUI network infrastructure penetration testing tool

Documentation

Gather evidence/screenshots, Create linear attack narratives, create final deliverable

footprinting

Gathering information about a systems computer profile in a methodological manner

intitle:"index of"

Google Dorking

Defender task #3

Hardened to conform to the current standards and best practices for each respective device

Phase 1

Information Gathering

WHOIS - Extracting Domain Information

It is a TCP service that is used to extract information about the domain and the associated contact information

Password Cracking Tools

John the Ripper, RainbowCrack, Brutus, etc.

LM hashes are used by

LAN manager (LM) authentication

TTL = 64 Which o/s?

Linux

netcat -L

Listen harder

port 3389

RDP

net share

Lists, creates, and removes network shares on the local computer.

$1$

MD5

-sM

Maimon Scan

Fundamental objectives of post exploitation

Maintaining reliable re-entry, Harvesting credentials, Moving laterally

getsystem

Meterpreter command that attempts to elevate privileges to local system

If the attribute's value later grows ex: appending data to a file

NTFS allocates another run for the additional data

-sN

NULL scan

CVSS Scores

None 0.0 Low 0.1 -3.9 Medium 4.0 - 6.9 High 7.0 - 8.9 Critical 9.0 - 10

OSINT

Open Source INTelligence; gathered from publicly available sources

OpenVAS

Open source framework of several tools and services that offer powerful vulnerability scanning and management systems

Nikto

Popular open-source web vulnerability scanner Command-line tool and preinstalled in Kali Linux

Phase 3

Post-exploitation and privilege escalation

Two Metasploit editions

Pro and Framework

CVSS Risk =

Probability x Impact

ZEH Pentesting Methodology

Recon, Scanning, Exploitation, Maintaining Access

Host

Reconnaissance efforts will result in host names rather than IP addresses ex: host target_hostname ex: host ns1.dreamhost.com

(Nikto switch) -format

This defines the output format; it may be CSV, HTM, NBE (Nessus), SQL, TXT,or XML

SOX Section 404

Requires the annual report of every public company to include information on internal controls to secure the integrity of financial info

-sU

Runs an nmap scan on UDP ports

Use LEGION as it's a fork of

SECFORCE's Sparta

two common settings that should allow us to override a service

SERVICE_CHANGE_CONFIG SERVICE_ALL_ACCESS allows us to get a remote shell

$5$

SHA-256

$6$

SHA-512

Services in Windows execute with

SYSTEM privileges

link

Searches for links to a site or URL

Ideally web applications will run on

Secure Socket Layer (SSL) webservers

-Plugins

Select what plugins to use in the scan (default: ALL)

SHODAN

Sentient Hyper Optimized Data Access Network - Indexes service banners and service headers

Miss_svc

Service running on the remote machine

Once the Nmap scan is complete, SPARTA provides several tabs in the main window, such as

Services, Scripts, Information, Notes, Nikto, and Screenshot tabs, all with very useful information

Define

Shows various definitions of a provided word or phrase

5 iterations

The change is significant when comparing to all previous outputs

use exploit/multi/handler

This command handles incoming connections

3 different payload modules in the MSF

Singles, Stagers, and Stages

TTL = 255

Solaris

-sS

Stealth Scan

meterpreter keyscan_stop command

Stops recording user keystrokes

Sublist3r

Sublist3r is a python tool designed to enumerate subdomains of websites using OSINT

(T/F) Nikto can check for any outdated components on a web server

T

(T/F) Nikto can detect subdomains and directories in the website structure

T

(T/F) Nikto can generate output reports in several forms such as HTML, CSV, XML, and text

T

(T/F) Nikto can identify index files and HTTP methods

T

(T/F) Nikto can offer SSL support

T

(T/F) Nikto can only detect well-known vulnerabilities

T

(T/F) Nikto uses signatures to detect vulnerabilities

T

(T/F) bulk extractor is multithreaded

T

(T/F) bulk extractor will detect encrypted RAR files

T

SSH

TCP 22

RDP

TCP 3389

-sT

TCP Connect scan

-sF

TCP FIN scan

tcp.txt

TCP flow information found through IP packet carving

RHOST

The IP address of the target

blue team

The defensive team in a penetration test or incident response exercise.

LowPrivUser

The existing user name on the remote machine

what is a non-alpha encoder

The payload does not contain any alphanumeric characters.

receiver (RHOST)

The receiver is the compromised system that's waiting for instructions from the LHOST once that system has been exploited. This will be the target's IP address.

DNS

The service that translates URLs to IP addresses.

True positive

The successful identification of a security attack or a malicious event.

Exfiltration

The unauthorized transfer of information from an information system.

DNSdumpster

There are a number of online tools to enumerate domain information

netstat -ano

To list all the current connections established from the Windows host (e.g., web server, SMB, RDP, etc.)

-list-plugins

To view the available testing plugins

report.xml

a file that captures the provenance of the run report includes 1. source media info 2. how the program was compiled and ran 3. etc.

Critical Rated Vulnerability

Very easy to execute and doesn't require any specific account privileges or user interaction impact on CI is high and on A is low

Cached Websites

Wayback Machine is a service that stores static copies of internet sites and keeps a record of their updates and versions

False positive

When a scanner reports a vulnerability that does not exist, this is known as a false positive error -also known as type 1 error

resident attributes

When the value of an attribute is stored directly in the MFT its called a

Patator

__ is a multi-purpose brute-forcer, with a modular design and a flexible usage. ▪ Multi-purpose brute-force attack tool ▪ Supports modules for different target services

MITRE ATT&CK Framework

a collection of different matrices of tactics, techniques, and sub-techniques - used by offensive security professionals (red teamers, pentesters, etc.)

listener (LHOST)

a component in Metasploit that waits for an incoming connection of any sort after the remote system is exploited This will be your host IP address

listener

a component within metasploit that waits for an incoming connection of some sort

Data Store is typically

a database But it could be anything: -flat files -command output basically anything that application accesses to retrieve or store data

zip.txt

a file containing information regarding every ZIP file component found on the media

openvas severity column

shows scan summary

TTL = 32

Windows 95/98/ME

NTLM and Kerberos use

Windows NT hashes AKA Unicode hashes -- considerably more secure

-sW

Windows Scan

What can Mimikatz extract

Windows hashed passwords Plaintext passwords Kerberos tickets

An IP address disclosed the lack of some protection headers, such as

X-Frame-Options and X-XSS-Protection, and that the session cookie does not include the HttpOnly flag

-sX

XMAS scan

Are GET requests common

Yes, the most common

netcat -z

Zero I/O mode (useful for scanning)

Mimikatz is a Swiss Army knife that can

extract stuff from memory

mftparser plugin

extracts MFT entries from memory samples by scanning the physical address space

multihander purpose

facilitate communication between the attacker's device and the victim's device

netcat

feature rich backend network debugging and exploration tool with the ability to create almost any type of connection you would need designed to read and write data across TCP and UDP using TCP/IP

getg command metasploit

fetches global variables

get command metasploit

fetches local variables

Windows reads the MFT to find all or part of the

file in memory at any given time

password dictionary

file with a list of potential passwords

name keyword metasploit

filters out searches in metasploit

findstr

find all the files on a FS that contain a given string such as "password="

Allinurl

finds all terms in page url

Allintitle

finds all terms in the title of a page

Inurl

finds strings in a page url

Intitle

finds strings in the title of a page

If a file is small, all its attributes and their values

fit in the file record

Specify -evasion or -e switch with 1

for random encoding

-W 1

force timeout to be only one second on non live hosts

HEAD

response returns a header information without the body content; safe method (no action on server)

cleanup files

restore the compromised target to its original state

the output file can be

retrieved through script code

HTTP HEAD method

returns without the body content

To run a full port scan or unicorn scan

right-click the host

default output format when generating payloads

ruby

metasploit is based on

ruby

what can local admins do

run system configuration changes

Services in Windows

run tasks in the background

meterpreter execute command

runs a command on the target

save metasploit command

save current environment

-f switch

saves generated payload to a file instead of displaying it on the screen example: generate -b '\x00' -e x86/shikata_ga_nai -f /root/msfu/filename.txt

openvas is customisable for

scan configuration

openvas: to generate a report in the required format, go to

scans -> reports

metasploit search command

search for anything from exploits to payloads

where command

search for specific filename

netsh firewall show state

see firewall status

check metasploit command

see if a target is exploitable -- aren't many exploits that support it

show missing command

see what values we need to fill in to use to exploit

ping sweep scan

send a ping to every possible IP address within a given scope and determine which ones are up and live

HTTP works by first having the web client

send an HTTP request tothe web server

A GET request is used when the WebClient simply wants the Web Server to

send it a document, image, file, web page, and so on

meterpreter background command

sends current meterpreter session to background and return you to the msf prompt

Sub-Phase B of information gathering

service discovery

target meaning 2

service listening on a host

Shellcode

set of instructions used as a payload when exploitation occurs

sudo gvm-setup

sets up OpenVAS, downloads latest rules, creates an admin user, and starts up the various services

stagers

setup a network connection between the attacker and victim and are designed to be small and reliable

use the _______ command to access a command prompt on the target machine

shell

Target Behind Router

target system has private IP and isn't directly accessible over the internet

Level-2 host

targets that were not initially accessible during focused penetration phase

two primary outputs

targets.txt, ignore.txt

hacker

unauthorised user who attempts to or gains access to an information system

black box (covert)

unknown environment, zero knowledge, much more realistic

sudo greenbone-feed-sync

updates OpenVAS before running a scan

apt update

updates package lists for upgrades

meterpreter upload command

uploads a file to the remote machine

search by platform name

use platform to narrow down your search to modules that affect a specific platform

SSO allows a user to

use their domain credentials on other systems without reentering their password

grep

used to display all the info you want

Skip Host Discovery Scan

useful when pingsweep returns nothing

netcat -v

verbose

netcat -v flag

verbose

netcat -vv

very verbose

you can probably obtain clear passwords from the _______ ________ of a compromised Windows target

virtual memory


Ensembles d'études connexes

MIS 307 Exam 2 Student Questions

View Set

Lord of the Flies - Character Identification

View Set

Chapter 5: Social Interaction, Groups, and Social Structure

View Set

Chapter 11 - Cell Communication, A.P. Bio. Chapt. 11, Chapter 11

View Set

EAQ 57 Stroke and Stroke Management (2EAQ)

View Set

[psych] Exam 3 Practice Questions

View Set