TestOut Ethical Hacker Pro - Chapter 6
The five main Metasploit modules
Auxiliary, Encoders, Exploit, Payload, Post
Creator group
A Windows 2000-specific group, the Creator group is used to grant permissions to users who are members of the same group as the creator of a directory or file.
Attack directory services
A directory service is a database of information that is used for network administration. Some directories are vulnerable to input verification deficiencies. Because of this, they are susceptible to brute force attacks. These attacks are usually automated. The program tries different combinations of usernames and passwords until it finds something that works.
Payload
A packet containing code that helps you achieve the goal of exploiting a vulnerability. A payload in Metasploit refers to an exploit module.
Exploit
A sequence of commands that takes advantage of a vulnerability. An exploit is often used to gain control of a system, escalate privileges, or create a denial-of-service condition.
Username
A username and user ID (UID) are used to identify users. When a username is created, it is given a UID. This number is selected from a range of numbers, typically above 500.
Use default passwords
All devices have default passwords. These passwords are often left in place, providing an easy access point for an attacker.
Everyone
All users are members of this group. It is used to provide wide-ranging access to resources.
Network
All users that access a system through a network are members of this group. It provides all remote users access to a specific resource.
Extract email IDs
An email address contains two parts, the username and the domain name.
Monitor SNMP ports
Block or monitor activity on ports 161 and 162 and any other ports that you have configured for SNMP traffic.
Change default passwords
Change default passwords on all devices and services.
Common Vulnerabilities and Exposures (CVE)
Common Vulnerabilities and Exposures, or CVE, is a list of publicly known cybersecurity vulnerabilities. Each entry contains an identification number, a description, and at least one public reference.
DNS zone restriction
DNS zone restriction ensures that a server provides copies of zone files to only specific servers.
Perform DNS zone transfers
DNS zone transfer is the process of transferring a copy of the DNS zone file from the primary DNS server to a secondary DNS server. Zone transfers are designed to provide updated network and access information to DNS servers. This type of structural data could be valuable to a hacker. It could be used to provide a mapping of the network.
Password
Each account has a password that is encrypted and saved on the computer or on the network.
Groups
Groups are used to manage permissions and rights. Group identification numbers (GIDs) are stored in the /etc/passwd file. Every user is assigned a default primary group and can be assigned to additional groups, called secondary groups. Secondary groups are listed in the /etc/group file.
Enumerate IPsec
IPsec uses ESP (Encapsulating Security Payload), AH (Authentication Header), and IKE (Internet Key Exchange) to secure communication between virtual private network (VPN) endpoints. Using enumeration tools, hackers can pull sensitive information such as the encryption and hashing algorithms, authentication type, and key distribution algorithm.
Vulnerability
A flaw, hole, or weakness in the design or code of the target that makes it open to exploitation, possibly leading to the disclosure of confidential information.
Retrieve system policies
Large networks, especially enterprise environments, frequently have policy settings in place to determine how security matters are handled. If you're able to gain access to these settings, you will know more about your target. The technique will vary depending on the operating system that you are targeting.
Digital signatures
Modern systems include digital signatures that help with DNS zone restriction.
NULL session
Null sessions are created when no credentials are used to connect to a Windows system. They are designed to allow clients access to limited types of information across a network. These sessions can be exploited to find information about users, groups, machines, shares, and host SIDs.
TCP 135 RPC
Port 135 is used by the Remote Procedure Call service in Windows for client-server communications.
TCP 137 NetBIOS
Port 137 is used by the NetBIOS Name Server (NBNS). NBNS is used to associate names with the IP addresses of systems and services.
TCP 139 NetBIOS
Port 139 is used by the NetBIOS Session Service (SMB over NetBIOS). SMB over NetBIOS allows you to manage connections between NetBIOS clients and applications.
TCP 21 FTP
Port 21 is used for the File Transfer Protocol (FTP). FTP is used by all operating systems to transfer files between client and server machines.
TCP 23 Telnet
Port 23 is used for the Telnet protocol/software. Telnet is used to connect to and run services on remote systems. Because of security concerns, Telnet is not used as frequently as it once was.
TCP 25 SMTP
Port 25 is used for the Simple Mail Transfer Protocol (SMTP). SMTP is used to send emails between client and server and between server and server.
TCP/UDP 3268 Global Catalog Service
Port 3268 is used by the Global Catalog Service. The Global Catalog Service is used by Windows 2000 and later systems to locate information in Active Directory.
TCP/UDP 389 LDAP
Port 389 is used by the Lightweight Directory Access Protocol (LDAP). LDAP is an internet protocol for accessing distributed directory services. If this port is open, it indicates that Active Directory or Exchange may be in use.
TCP 445 SMB over TCP
Port 445 is used by SMB over TCP. SMB over TCP, also known as Direct Host, is a service used to improve network access. This service is available in Windows 2000 and newer.
TCP 53 DNS
Port 53 is used for DNS zone transfers. DNS zone transfer is the process of transferring a copy of the DNS zone file from the primary DNS server to a secondary DNS server. Zone transfers are designed to provide updated network and access information to the DNS servers.
UDP 53 DNS
Port 53 is used for UDP queries about IP-to-name and name-to-IP mappings.
TCP 80 HTTP
Port 80 is used for the Hypertext Transfer Protocol (HTTP). HTTP is used by all web browsers and most web applications.
UDP 161 and 162 SNMP
Ports 161 and 162 are used by the Simple Network Management Protocol (SNMP). SNMP is a standard method of managing devices and software from most manufacturers.
PsTools
PsTools is a suite of very powerful tools that allow you to manage local and remote Windows systems. The package includes tools that can change account passwords, suspend processes, measure network performance, dump event log records, kill processes, or view and control services.
Enumerate RPC
Remote Procedure Call (RPC) allows a client and a server to communicate in distributed client/server programs. Enumerating RPC endpoints enables hackers to identify any vulnerable services on these service ports. You can use the following nmap scan commands to identify RPC services running on the network: nmap -sR IP/network and nmap -T4 -A IP/network
Remove SNMP agent
Remove the SNMP agent or turn off the SNMP service completely.
Exploit SMTP
Simple Mail Transfer Protocol (SMTP) is the protocol used by most email servers and clients to send email messages. Scanning tools and commands can be used to verify the existence of specific email addresses. They can even provide a list of all users on a distribution list.
Split DNS
Splitting the DNS into internal and external groups provides an added layer of security.
SuperScan
SuperScan can be used to enumerate information from a Windows host. Information can be gathered on the following: NetBIOS name table, services, NULL session, trusted domains, MAC addresses, logon sessions, workstation type, account policies, users, and groups.
finger
The Linux finger command provides information about a user. Use finger -s username to obtain the specified user's login name, real name, terminal name and write status, idle time, login time, office location, and office phone number. You can use finger -s to obtain the same information about all users on a system. Use finger -l user@host to obtain information about all users on a remote system.
Exploit SNMP
The Simple Network Management Protocol (SNMP) is used to manage devices such as routers, hubs, and switches. SNMP works with an SNMP agent and an SNMP management station. The agent is found on the device that is being managed, and the SNMP management station serves as the communication point for the agent.
Administrator
The administrator account has gone through quite a few changes as the operating system has evolved. In earlier versions of Windows, the administrator account was enabled by default. However, in more recent releases, Windows Vista and beyond, the administrator account has been disabled by default. This change was made primarily for security purposes.
Creator owner
The file or directory creator is a member of this group. By default, all releases after Windows 2000 use this group to grant permissions to the creator of the file or directory.
Guest
The guest account has been part of Windows for quite some time. By design, this account has remained pretty much the same and is meant to be used only in very limited circumstances. Although included in the Windows installation, it is not enabled by default.
System
This account provides almost unlimited access to the local machine.
Local service
This account provides high-level access to the local machine, but only limited access to the network.
Network service
This account provides normal access to the network, but provides only limited access to the local machine.
Batch
This group is used to run scheduled batch tasks.
Anonymous logon
This group provides anonymous access to resources, typically on a web server or web application.
Run SNScan
Use SNScan, a utility that detects network SNMP devices that are vulnerable to attack.
Update SNMP
Verify that you are running the most recent version of SNMP at all times.
Enumerate VoIP
VoIP uses SIP (Session Initiation Protocol) to enable voice and video calls over an IP network. SIP services generally use UDP/TCP ports 2000, 2001, 5060, and 5061.