Pentest+ Lesson 9 - Exploiting the LAN and Cloud
Searchsploit
A tool included in the exploitdb package on Kali Linux that is used to search Exploit DB.
Side-channel attacks
Also called a sidebar or implementation attack, this exploit is possible because of the shared nature of the cloud infrastructure, especially in a PaaS model. In this attack, the hardware leaks sensitive information such as cryptographic keys, via a covert channel, to a potential attacker.
List a few attacks that can occur in the cloud computing infrastructure.
Answers may vary. The cloud infrastructure can suffer from attacks such as malware injection, side-channel, and direct-to-origin attacks.
Local Windows User Account Control (UAC) bypass
Bypass local UAC. One way is to use process injection to leverage a trusted publisher certificate
Side-channel Attack
Cloud based attack where data or encryption keys are leaked between systems. PaaS systems are the highest risk for this attack.
SYN flood
Create and send massive amounts of TCP SYN packets. hping3, Metasploit auxiliary/dos/tcp/synflood
Security Account Manager (SAM) file
Either dump the contents of the SAM file to get the hashed passwords or copy the file using Volume Shadow Service (VSS) and then crack the passwords offline.
Armitage
Intuitive GUI tool for the Metasploit framework.
finger
Linux command to view a user's home directory along with login and idle time.
Auxiliary
Metasploit module that has scanners, sniffers, fuzzers, spoofers, and other non-exploit features.
- Personnel - Endpoints - Servers - Software - Roles
Name the 5 types of identities that can exist in an IAM solution.
Get-NetLoggedon
PS cmdlet that gets users that are logged onto a given computer.
manage the msf sessions
Press Ctrl+Z to put your current session in the background. msf> sessions -l will list all of the sessions you currently have running. msf> sessions 2 will then switch to session #2.
Shared folders
Search for sensitive information in shared folders, as it is common for them to have few or no restrictions.
cloud federation
The combination of cloud infrastructure, platform services, and software.
Metasploit's features are organized into modules. List three or four of the six basic modules.
The six basic types of Metasploit modules are: Exploits, Payloads, Post, Auxiliary, Encoders, and Nops.
Prowler
an audit tool for use with Amazon Web Services only. It can be used to evaluate cloud infrastructure against the Center for Internet Security (CIS) benchmarks for AWS, plus additional GDPR and HIPAA compliance checks
Cloud storage containers
referred to as buckets. A container is created within a specific region and cannot be nested within another container. Each container can host data objects, which is the equivalent of files in a local file system. In addition, a container can have customizable metadata attributes.
Domain Name System (DNS) cache poisoning
sends bogus records to a DNS resolver. When the victim requests an IP address, the DNS server will send the wrong IP address. That will redirect traffic to the malicious actor's IP address instead of the web server's IP address.
Cobalt Strike
A commercial version of Armitage with advanced features and reporting.
Exploit Database (Exploit DB)
A complete collection of public exploits and vulnerable software in a searchable database.
VLAN hopping is the act of illegally moving from one VLAN to another. Describe one way a malicious actor can launch this attack.
A malicious actor can launch a VLAN hopping attack by using a Macof attack. Another way is to configure the interface of an attacker machine to become a trunk port so the switch will then deliver packets to a restricted VLAN.
Another way to circumvent an authentication process is by grabbing and using password hashes. Describe one way a malicious actor can either use or obtain a password hash.
A malicious actor can use a hash in a pass the hash attack. To obtain a hash, a malicious actor can use Kerberoasting.
Pass the Hash (PtH)
A network-based attack where the attacker steals hashed user credentials and uses them as-is to try to authenticate to the same network the hashed credentials originated on. In this type of attack the malicious actor will: Obtain the hash by inducing the operating system or application to dump them from RAM, the Windows Registry, or a credentials file. Then when logging into the target operating system or application, you provide the username and the hash of the password, rather than the password itself. Once accepted, the malicious actor will be able to access the operating system or application.
Malicious actors target employees as a means of gaining access to the network. One way to avoid an attack is to recognize account management risks. What possible risks can occur when dealing with using either privileged or shared accounts.
A privileged account can be vulnerable for the following reasons: Users often adopt poor credential management habits, such as choosing bad passwords, writing down passwords, and reusing passwords on third-party sites. Administrators are often granted too many privileges or abuse accounts with "super" privileges for routine log-ons. A shared account is when the password (or other authentication credential) is shared with more than one person and a single "Admin" account is used to manage a device. A shared account should be avoided, as it breaks the principle of nonrepudiation and makes an accurate audit trail difficult to establish.
WiFi Pineapple
A rogue wireless access point that attracts Wi-Fi clients to connect to the network.
SearchSploit
A tool included in the exploitdb package on Kali Linux that is used to search Exploit DB.
Active Directory is the directory for a Microsoft environment. List some of the objects that make up the Active Directory.
Active Directory includes the following: Trees, Domains, and Organizational units.
mitm6
An IPv6 DNS hijacking tool that works by first replying to DHCPv6 messages that set the malicious actor as a DNS server. It will then reply to DNS queries with bogus IP addresses that redirect the victim to another malicious host.
Impacket Tools
An open-source collection of tools used when PenTesting in a Windows environment that provides methods for several attacks, such as pass the hash, credential dumping, and packet sniffing.
One type of DoS attack is resource exhaustion, where the focus is on consuming system resources and can lead to a system crash or failure. Describe some of the techniques used to exhaust resource and deny service.
Answers may vary. Resource exhaustion uses various techniques such as: Amplification or volumetric attacks, which will focus on saturating the bandwidth of the network resource. A denial-of-sleep attack will drain a device's battery, which in turn can render the device inactive. A slow HTTP attack sends fragmented requests to the server and can stress the server, as compiling the fragmented request can lead to depletion of processing resources.
Today, there are a number of tools available for the cloud infrastructure to perform automated vulnerability scanning and PenTesting. List a few tools used to PenTest the cloud infrastructure.
Answers may vary. Some of the tools used to test security configurations or perform extensive compliance auditing on cloud assets include ScoutSuite, Prowler, Pacu, and Cloud Custodian.
During discovery, the team will most likely index network services and shares. List some common services to enumerate prior to exploiting the LAN.
Answers will vary. Common services to enumerate include the following: File Transfer Protocol (FTP) Simple Mail Transfer Protocol (SMTP) Domain Name System (DNS) Hypertext Transfer Protocol (HTTP) Server Message Block (SMB)
When enumerating Windows hosts, there are a number of tools you can use, including the built-in tools within the operating system. List some command line tools to enumerate Windows hosts.
Answers will vary. When using the CLI, the team can issue the following commands to enumerate Windows hosts: net view arp -a net user ipconfig /displaydns
Direct-to-Origin (D2O)
Attack where hackers circumvent proxy protections by identifying the origin network and launching a direct attack.
DNS flood attack
Consume all CPU or memory of a DNS server with a flood of requests. Hyenae
Packet flood
Create and send massive amounts of TCP, UDP, ICMP, or random packet traffic to target. Can include different TCP flag variants. hping3, Nemesy, XOIC, Low Orbit Ion Cannon (LOIC)
Incorrect origin settings
Data in cloud storage can be used to serve static web content, such as HTML pages, images, and videos. In this scenario, the content is published from the container to a content delivery network (CDN). The CDN caches the content to edge locations throughout its network to provide faster access to clients located in different geographic locations. When a site is built this way, it must usually use objects from multiple domains, which is normally blocked by client web browsers. A cross origin resource sharing (CORS) policy instructs the browser to treat requests from nominated domains as safe. Weakly configured CORS policies expose the site to vulnerabilities such as XSS.
DNS Amplification Attack
DoS attack that uses multiple public DNS servers to receive spoofed queries and respond to a target.
Metasploit module types
Each type has many modules inside, grouped by sub-type or platform. When using Metasploit, you specify a particular module by its path; Exploits - Attack software that delivers a payload Payloads - Code that runs remotely Post - Additional tasks you can perform on a compromised host Auxiliary - Scanners, sniffers, fuzzers, spoofers, and other non-exploit features Encoders - Ensures that payloads make it to their destination intact and undetected Nops - Keeps payload sizes consistent across exploit attempts
Writable services
Edit the startup parameters of a service, including its executable path and account. You could also use unquoted service paths to inject a malicious app that the service will run run during startup.
Dynamic Link Libraries (DLL) hijacking
Elevate privileges by exploiting weak folder permissions, unquoted service paths, or applications that run from network shares. Additionally, you can replace legitimate DLLs with malicious ones.
VLAN Hopping
Exploiting a misconfiguration to direct traffic to a different VLAN without authorization.
Weak process permissions
Find processes with weak controls and then see if you can inject malicious code into those processes.
There are many tools the PenTest team can use when working on a LAN. Describe the functions of the following: Impacket tools, Responder, and mitm6.
Impacket tools is an open-source collection of tools used when PenTesting in a Windows environment that provides methods for several attacks, such as pass the hash, credential dumping, and packet sniffing. Responder is a command line tool in Kali Linux used to poison NetBIOS, LLMNR, and MDNS name resolution requests. mitm6 is an IPv6 DNS hijacking tool that works by first replying to DHCPv6 messages that set the malicious actor as a DNS server. It will then reply to DNS queries with bogus IP addresses that redirect the victim to another malicious host.
Malware injection attack
In this attack, a malicious actor injects malicious code into an application. Common attacks can include SQL injection (SQLi) and Cross Site Scripting (XSS). In addition, the service can fall victim to a wrapper attack, which wraps and conceals malicious code, in order to bypass standard security methods.
Kerberoasting
In this attack, the malicious actor will do the following: Get user Service Principal Names (SPN), which will identify all accounts that are candidates for Kerberoasting. From the list of SPNs, get the service tickets of an interesting target, such as a server. Dump out the service ticket, which is encrypted with the NTLM hash of the requested service account. Crack the account's plaintext password offline. Once you obtain the password, you can then continue to take control of the system. Kerberoasting is a significant attack as many services have admin privileges, and their passwords are seldom changed.
Slowloris
Keep multiple fake web connections open for as long as possible, until the maximum number of allowed connections is reached. Slowloris will allow one web server to take down another without impacting other ports or services on the target network. Nmap Slowloris script, R-U-Dead-Yet (RUDY)
Software
Like servers, applications and services can be uniquely identified in the organization through digital certificates. This helps the client verify the software's provenance before installation. As with servers, the security of the entity that issued the certificate is paramount. One unique issue with applications is how to determine which other entities are allowed to run certain apps. Services like Windows AppLocker enforce identity policies that either allow or disallow a client from running a specific app based on the app's identity and the client's permissions.
env
Linux command that outputs a list of all the environmental variables.
uname -a
Linux command to display the OS name, version, and other details.
cat /etc/passwd
Linux command to list all users on a system.
Direct-to-origin attacks (D2O)
Many organizations seek to reduce the threat of a DDoS attack by using methods such as reverse proxies in front of the web servers. This insulates the servers from a possible attack as the malicious actor is unable to penetrate the defenses. However, in a D2O attack, malicious actors circumvent this protection by identifying the origin network or IP address, and then launching a direct attack.
session -l
Metasploit command to list all sessions currently running.
Ctrl + Z
Metasploit command to put current session in the background.
sessions X
Metasploit command to switch to a particular session.
Exploits
Metasploit module that attacks software to deliver a payload.
Encoders
Metasploit module that ensures payloads make it to their destination intact and undetected.
Post
Metasploit module that has additional tasks to perform on a compromised host.
Payloads
Metasploit module that has code that runs remotely.
Nops
Metasploit module that keeps payload sizes consistent across exploit attempts.
Servers
Mission-critical systems can use encryption schemes, like a digital certificate, to prove their identity and establish trust. The most pressing issue with digital certificates is the security of the entity that issued the certificate. If this entity is compromised, then the identity of the server may not be verifiable. This is often why organizations buy certificates from major certificate authorities rather than establish their own public key infrastructure (PKI) or use self-signed certificates. In the case that the organization does run its own PKI, the root certificate authority (CA) and private key must be guarded closely.
DNS amplification attack
Multiple public DNS servers receive spoofed queries and respond to a target. Saddam
- Security Account Manager (SAM) file - hashed passwords - Local UAC Bypass - Weak process controls - Shared folders - DLL Hijacking - Writable Services - startup services - Missing patches/misconfigurations
Name 7 exploits that can be used to elevate privileges.
Macof Attack
Overflows the MAC table on a vulnerable switch so that it behaves like a hub, repeating frames out all ports.
Get-NetGroupMember
PS cmdlet that gets a list of domain members that belong to a given group.
Get-NetDomain
PS cmdlet that obtain's current user's domain.
Meterpreter
Part of the Metasploit Framework, this is an interactive, menu-based list of commands you can run on a target during a PenTest exercise.
When using Metasploit, there may be times you will need to have multiple sessions. What is the command to put your current session in the background? What is the command to list all of the sessions you currently have running? What is the command to switch to session #2?
Press Ctrl+Z to put your current session in the background. msf> sessions -l will list all of the sessions you currently have running msf> sessions 2 will then switch to session #2
Roles
Roles support the identities of various assets such as personnel or software and define the resources an asset has permission to access based on the function that asset fulfills. Roles can be tied to a user's job tasks (i.e., administrator), a server's main functionality (i.e., name resolution), and/or the service an application provides (i.e., publishing). The main issue with role-based identity is that poorly defined roles can lead to privilege creep, violating the principle of least privilege and increasing an entity's chance at being a vector for attack. Thorough and meaningful role definitions are the most important remedy for this issue.
Missing patches and misconfigurations
Search for missing patches or common misconfigurations that can lead to privilege escalation.
NTP amplification
Send spoofed NTP queries to publicly available NTP servers to overwhelm a target. NTPDos, NTPDoser, Saddam
Containers are an efficient and more agile way of handling virtualization. Each image contains everything needed to run a single application or microservice. However, a container image can have several vulnerabilities. List three to four vulnerabilities that can be present in a containerized environment.
Some of the vulnerabilities that can be present in a containerized environment include: Embedded malware Missing critical security updates Outdated software Configuration defects Hand-coded cleartext passwords
ShareEnum
Sysinternals GUI tool that can scan a domain, workgroup, or IP address range for file and print shares along with their security settings
Server Message Block (SMB)
TCP port 139 Retrieve directory information, list, and transfer files.
File Transfer Protocol (FTP)
TCP port 21 Identify FTP servers, versions, and authentication requirements including anonymous logins.
Simple Mail Transfer Protocol (SMTP)
TCP port 25 Extract email addresses. Enumerate SMTP server information. Search for open relays.
Domain Name System (DNS)
TCP port 53 Elicit DNS zone transfers and discover DNS subdomains.
Hypertext Transfer Protocol (HTTP)
TCP port 80 Manually request web pages, enumerate directories, files, WebDAV features, and versions.
VLAN hopping
The act of gaining access to traffic on other VLANs that would not normally be accessible by jumping from one VLAN to another.
Cloud Federation
The combination of cloud infrastructure, platform services, and software.
Endpoints
The devices that people use to gain legitimate access to your network are varied and often difficult to account for. If an employee accesses the network remotely with their personal device, there is no real guarantee that this device is security compliant. Centralized endpoint management solutions can assign identity profiles to known endpoints, which allows validated devices to connect with the requisite privileges and identifying information. Likewise, the solution may assign unknown endpoints to a specific, untrusted profile group that has few privileges. Endpoints are often identified by their MAC address, but keep in mind that this can be easily spoofed. A more secure system issues digital certificates to trusted endpoints, but it is a significant management task to support certificates on all client devices.
To properly control access, it's essential to have a solid understanding of identity and account types along with potential risks involved when managing access. Outline the different types of identities that can exist in an organization.
The different types of identities that can exist in an organization include personnel, endpoints, servers, software, and roles.
Personnel
The most common use for IAM is to define identities for organizational employees. Likewise, personnel identities are among the most popular attack vectors. People are often careless with the privileges they're given and may fail to understand how the personal information attached to their identities can be used against them and the organization. End-user security training is vital to ensure that personnel user accounts are not a major weak point in the IAM system.
To launch an on-path attack, a malicious actor may need to employ protocol spoofing or cache poisoning. List some examples that will help achieve this goal.
To launch an on-path attack, a malicious actor may need to use one or more of the following methods: Domain Name System (DNS) cache poisoning Address Resolution Protocol (ARP) spoofing MAC address spoofing
HTTP flood attack
Use seemingly legitimate HTTP GET or POST requests to attack a web server. Does not require spoofing or malformed packets but can consume a high number of resources with a single request. High Orbit Ion Cannon (HOIC), Low Orbit Ion Cannon (LOIC), GoldenEye HTTP Denial Of Service Tool
Incorrect permissions
When storage containers are created, they may default to public read/write permissions. If the default permissions are not properly configured, any data that is uploaded to the container can be freely accessed. In addition, the container can also be misused as a repository for malware.
ipconfig /displaydns
Windows command to display resolved DNS names.
net user
Windows command to list all users on the machine.
net view
Windows command to view shares from other hosts in the network.
arp -a
Windows command to view the ARP cache.
Responder
a on-path type tool that can be used to exploit name resolution on a Windows network. It is designed to intercept and poison LLMNR and NBT-NS requests
Credential harvesting
an attack specifically designed to steal usernames and passwords. Harvesting can be done in a variety of ways, that include: An email phishing attack armed with links to bogus websites or malicious attachments. Social engineering techniques, digital scamming, and malware MITM attacks, DNS poisoning, and other vectors
Containers
an efficient and more agile way of handling virtualization. Each image contains everything needed to run a single application or microservice. However, a container image can have several vulnerabilities that include: Embedded malware Missing critical security updates Outdated software Configuration defects Hand-coded cleartext passwords Prior to deploying the container, the network administrator should test and mitigate any vulnerabilities and then, once trusted, preserve the image.
Cloud custodian
an open-source cloud security, governance, and management tool designed to help the administrator create policies based on resource types. When run, you'll be able to see which resources will leave you vulnerable then enforce policies to automatically correct the vulnerabilities.
Impacket tools
an open-source collection of tools used when PenTesting in a Windows environment. The Impacket library provides methods for several attacks such as an NTLM and Kerberos authentication attacks, pass the hash, credential dumping, and packet sniffing.
ScoutSuite
an open-source tool written in Python that can be used to audit instances and policies created on multicloud platforms, such as AWS, Microsoft Azure, and Google Cloud. ScoutSuite collects data from the cloud using API calls. It then compiles a report of all the objects discovered, such as VM instances, storage containers, IAM accounts, data, and firewall ACLs.
Pacu
designed as an exploitation framework to assess the security configuration of an AWS account. It includes several modules so the team can attempt exploits such as obtaining API keys or gaining control of a VM instance; focuses on the post-compromise phase, so the team can drill down into the system to escalate privileges, launch additional attacks, or install a backdoor.
network shares
directories that can be accessed by using a network sharing protocol. These network shares might hold sensitive files or information that is otherwise useful to the PenTesting team. Microsoft hosts: Microsoft File and Print service, using Server Message Block (SMB) protocol via TCP ports TCP 139 or 445 Linux/Unix (*nix) hosts: Network File System (NFS) daemon using the NFS protocol via TCP and UDP 2049 *tools such as Metasploit and ShareEnum.
AD (Active Directory) enumeration
directory for a Microsoft environment and is a database of objects that stores, organizes, and enables access to other objects. AD also provides essential network services such as DNS and Kerberos-based authentication
Website enumeration
discovering the resources and underlying technology that the web server is using. The information can help you choose more effective vectors to use in an attack, as well as exploit vulnerabilities in specific versions of web server software. You can use several tools to enumerate websites, including a browser, Nmap, Metasploit, and DirBuster
auxiliary/scanner/smb/smb_enumshares (Metasploit)
enumerate any available SMB shares on the remote system. Even without authentication you will be able to collect valuable information, such as share names, OS versions, and service packs.
tools that can be used to launch an on-path attack
ettercap, Bettercap, Netcat, and Nmap. However, in most cases, an on-path attack requires some type of spoofing
VLAN
logical grouping of switch ports that can extend across any number of switches on a network. Each VLAN has its own network address and is logically segmented from the rest of the network. Because each VLAN is its own separate network, they must communicate with other VLANS by using either a Layer 3 switch or router.
MAC address spoofing
modify the MAC address on the malicious actor's NIC card so that it matches the MAC address on the victim's machine. Once done, the traffic can become inconsistent, causing traffic to not deliver correctly or not at all.
Nmap to enumerate website information
nmap --script=http-enum <target> nmap --script=http-drupal-enum <target> nmap --script=http-php-version <target> nmap --script=http-webdav-scan <target> nmap --script=http-wordpress-enum <target>
Metasploit
platform for launching attacks against known software vulnerabilities and includes several modules for enumerating network shares. Additional enumeration modules include: enum_configs enum_network enum_protections enum_logged_on_users post/linux/enum_system
Exploit chaining
the act of using multiple exploits to form a larger attack. Success of the attack will depend on all exploits doing their part. Using multiple forms of attacks in a distributed nature makes them complex and difficult to defend against. can either run consecutively, with each depending on the previous exploit to complete, or they can run in parallel, where each part would have to be in place and complete for the final attack or payload to succeed.
Virtual Machines
the backbone for virtualized computing environments and are managed via a hypervisor. Part of testing should include regular audits of VMs to ensure they are kept within the scope of administrative oversight. Be particularly alert to the risk of VM sprawl and the creation of dormant VMs in the cloud.
resource exhaustion
the focus is on consuming system resources and can lead to a system crash or failure. Resource exhaustion uses various techniques such as: Amplification or volumetric attacks focus on saturating the bandwidth of the network resource. A denial-of-sleep attack will drain a device's battery, which in turn can render the device inactive. A slow HTTP attack sends fragmented requests and can stress the server, as compiling the fragmented requests can lead to depletion of processing resources.
Address Resolution Protocol (ARP) spoofing
transmits spoofed ARP messages out on the LAN. The spoofed messages falsely report a malicious actor's MAC address as being the victim's address. Similar to a DNS cache poisoning attack, this will redirect traffic to the malicious actor instead of the victim's MAC address.
LLMNR and NetBIOS
two name resolution services used in a Windows environment to resolve network addresses. During name resolution, if a Windows host cannot resolve a domain or host name via a DNS server, it will query other hosts on the local segment. By default, the process will first use LLMNR, and if that fails, it will try the NetBIOS Name Service (NBT-NS).