Mod 14
Running Processes
ps -ef, prstat, and top are all commands of what category
System and Hardware Information
psrinfo uname, and df are all commands of what category
Exploit
In cyber operations this is a software tool, script, program or technique that takes advantage of a vulnerable system to provide command execution
use multi/handler
Metasploit command that loads the handler module
download
Meterpreter command that downloads target files or directories of interest
cd
Meterpreter command to change directory on target
pwd
Meterpreter command to display present working directory on target
getpid
Meterpreter command to display process ID for running meterpreter payload
ps
Meterpreter command to display running processes
arp
Meterpreter command to display system ARP cache
sysinfo
Meterpreter command to display target system information
getuid
Meterpreter command to display user meterpreter is running as
route
Meterpreter command to display/modify routing table information
ls
Meterpreter command to list files or contents of a directory
upload
Meterpreter command to upload files onto target.
Cyber Security Enhancement of 2002
Modernized US cybercrime legislation and mandates life sentences for offenders who knowingly or recklessly cause or attempt to cause death
nuclear option
Most intrusive way to clear logs is to overwrite the file to nothing.
open port
Network services are reachable across a network via their _________________
netstat -a
Network services command and option to print all network connections and listening ports
netstat -n
Network services command and option to print network connections with IP instead of interfaces
netstat -o
Network services command and option to print network connections with associated PID for all connections and ports
netstat -r
Network services command and option to print network connections with routing information
arp -a
Network services command to print ARP cache
netstat
Network services command to print network connections
Bourne Shell (sh)
No history file supported, nothing is recorded and nothing needs to be cleaned are all characteristics of what shell
Return Pointer
One part of the exploit code is a memory address used to overwrite the return address memory slot
Forward Tunnel
Opens a port on the AP and forwards data through the redirector, which then sends it to the target port. The SSH client opens a listening port on the AP
Online
Password cracking is a method to gain access to a target system or application when hashes are unobtainable. Tools include THC Hydra and L0phtCrack
Offline
Password cracking occurs after an operator has possession of password hashes. Tools include John the Ripper or Cain & Abel
Shellcode
Payload program is also known as
Reverse TCP
Payload type that creates a connection back to the attacker. Known as "Callback". Firewalls often allow these connections
Bind TCP
Payload type that opens a port on the target system and listens for incoming connections. Is often blocked by firewalls. Known as "Call In"
df
System and Hardware information command to display amount of disk space by file system
df -k
System and Hardware information command to display amount of disk space by file system in block sizes
uname
System and Hardware information command to display current system information
Buffer Overflows
Target vulnerabilities in programs by overwriting data in the stack or heap memory
Volume Shadow Copy
This form of hash collection creates a backup copy of computer files. Often includes the SECURITY and NTDS.DIT files
PWDump
This form of hash collection injects DLL into LSASS.exe; retrieves account hashes from memory
NTDSUTIL
This form of hash collection is an active directory management tool that enables creating copies of NTDS.DIT file
Manual
This handler is used during masquerading or when connecting to a backdoor. It is often referred to as multi/handler
Automatic
This handler will connect to the shellcode payload that the exploit started on the target machine
dig
This is a Linux/UNIX tool used to perform DNS zone transfers. Will pull "A" records by default.
nikto -host
Command and option to specify a target host when running the nikto tool
-sA (ACK Stealth Scan)
nmap port scan type used to map out firewall rules or filters. Will never show ports in open or closed state
Timing
nmap has the ability to manipulate throttling and timeouts to help go undetected
-sS (SYN Stealth Scan)
nmap port scan type referred to as half open because it does not complete the 3 way handshake even though SYN control flag is sent
-sN (TCP Null Scan)
nmap port scan type that can bypass firewalls by sending packets with no control flags. Open ports will ignore the packet; closed ports will respond with RST
-sF (FIN Stealth Scan)
nmap port scan type that can pass undetected through firewalls, packet filters, and scan detection.
-sT (TCP Connect Scan)
nmap port scan type that performs a full TCP connection
-sX (TCP Xmas Tree Scan)
nmap port scan type that sends FIN, URG, and PSH to all ports. Open ports will ignore the packet; closed ports will respond with RST
-sU (UDP Scan)
nmap port scan type that sends UDP packets. If there is no response, the port is assumed open. If a destination unreachable is received, the port is assumed closed
Reverse tunnel
opens a port on the redirector and returns data to the AP. SSH opens a listening port on the redirector
Software Packages
pkginfo, showrev, and showrev -p are all commands of what category
john --show
Command to show previously successful password cracks
ping -r 9
Windows command to run a ping with record route documenting 9 hops
Payloads
Metasploit module category containing code that exploits run on targets, such as command shell access
Post
Metasploit module category containing modules to use after target access
Exploits
Metasploit module category containing service-side and client-side exploits
Encoders
Metasploit module category used to alter payloads and avoid detection
/usr/share/Metasploit-framework/modules
Metasploit modules are located in
-p
Bourne shells must be invoked with this option
nmap -sn -PI
Command and options to perform a Ping sweep
Connection - Code Based
A client program that has been specifically designed to interact with payload programs will make a connection with the payload running on target
msfpayload
A command used to generate and output various types of shellcode payloads
set payload
Command to assign a specific payload to the exploit
show options
Command to display target parameters that can be modified
Code injection
A lack of input validation, due to either insufficient bounds checking or improper syntax, and other programming errors, exposes applications to
Connection - Masquerade
A payload executed requires a manual connection from the client program
Remote Exploit
A program that runs on an attacker computer and establishes a connection with a remote target computer
Title 18
Addresses crimes and criminal procedures.
Deliver / Execute / Connection
All exploitation methods need to accomplish three main things, they are?
Incremental
Also known as the Brute Force mode for JtR. It is the most powerful mode, tries all character combinations within a defined boundary
msfconsole
An all in one centralized console that allows command line access to all options available in the metasploit framework
Execution - Masquerade
An executable payload placed on the target's file system will require manual execution, from command line or a scheduled job
port forwarding
Another term for tunneling because any data received at the tunnel entrance port on one host is sent through to the remote target
Man in the middle
Attacker position is between communication systems. Attacker can observe and/or modify messages
Man on the side
Attacker sees messages pass by but is unable to modify them. Can inject new messages
.bash_history
Bash shell keeps an in-memory history of all commands run, usually named _______________. Deleting or disabling this file is a means of avoiding detection
/root/.john/john.pot
By default John the Ripper stores cracked passwords in a pot file located here...
HISTFILE
By unsetting this variable, the current session's command history is blocked from being written to the bash_history
nmap -PI
Command and option for the ICMP echo ping type, which uses an ICMP Echo (request) packet
telnet <IP><port>
Command and option to complete a banner grab via telnet (generic IP and port numbers)
nc -r
Command and option to direct netcat to scan selected ports in random fashion
nmap -Pn
Command and option to disable host discovery. Does not ping hosts at all before scanning them, allows for scanning through firewalls that block ICMP
nikto -H
Command and option to list all options for the nikto tool
nmap -O
Command and option to optimize host discovery by activating remote host identification via TCP/IP fingerprinting to detect the scanned OS
nmap -sV
Command and option to optimize host discovery for version detection; communicates with ports to determine what is actually running. "Banner Grabbing"
nmap -p
Command and option to optimize host discovery where only the specified ports will be scanned
nc -h
Command and option to provide all available netcat options
nc -e
Command and option to run netcat and execute command after connection
nc -p
Command and option to run netcat and identify the specific TCP port to listen on
nc -vv
Command and option to run netcat and report all responses within the specified range
nc -u
Command and option to run netcat to conduct a UDP port scan
nc -l
Command and option to run netcat with listening mode enabled
nc -n
Command and option to run netcat with no DNS resolution
nc -v
Command and option to run netcat with verbose details
sl -p
Command and option to run scanline and do not ping before scanning
sl -b
Command and option to run scanline and get port banners
sl -z
Command and option to run scanline and randomize IP and port scan order
sl -t
Command and option to run scanline and specify what TCP ports to scan
sl -u
Command and option to run scanline and specify what UDP ports to scan
nmap -T 4
Command and option to set timing to Aggressive
nmap -T 5
Command and option to set timing to Insane
nmap -T 3
Command and option to set timing to Normal
nmap -T 2
Command and option to set timing to Polite
nmap -T 0
Command and option to set timing to paranoid
nmap -T 1
Command and option to set timing to sneaky
nmap -PP
Command and option where ICMP Timestamp uses an ICMP Timestamp Request packet to find listening hosts
nmap -PT
Command and option where TCP ACK ping uses TCP ping to determine what hosts are up. Sends a TCP ACK packet to port 80 and waits for a response
255
Default TTL for Cisco and UNIX
64
Default TTL for Linux
128
Default TTL for Windows
psrinfo
System and Hardware Information command to display processor information (type, processor and chip)
NTDS.DIT
Domain controllers will store the domain user hashes in this file
/etc
During collection configuration files are normally found in this location
Return Address
During program execution, any time a subroutine is called, the calling routine's _______________ is stored in the stack frame
Execution - Code Based
Execute the payload in the memory space of the target application
Masquerade
Exploit technique that employs the use of credentials to gain access to a service and involves impersonating a user logon
Client Side
Exploit that attacks client applications on the target machine (adobe, Firefox, etc)
UserID
First component of the Windows Hash used to identify the common name of a user account. Is also the first component of the UNIX/Linux hash.
Function Call
First step of program execution ... when a program needs to perform a specific procedure it calls out to a subroutine
Auxiliary
Metasploit module category containing advanced scanners and server modules
NT LAN Manager (NTLM) Hash
Fourth component of the Windows Hash, a significantly more secure asymmetric algorithm. Supports 256 character password
Bourne Again Shell (bash)
History file is located in user's home directory as .bash_history this is a characteristic of what shell
Browser Host Announcement
Identifies the host's Windows OS version, hostname, and domain name.
@loghost
If remote logging is set up, ___________ syntax will be present
uname -a
System and Hardware information command to display all system information
Tradecraft
Includes activities taken to minimize the exploitation footprint in a target network, discovering and documenting information about targets of interest, and remaining undetected
Einstein
Intrusion Detection and Prevention System to analyze federal agencies network traffic
No Operation Sled (NOP)
Is the assembly opcode 0x90 that tells the processor to execute nothing, just move the instruction pointer forward
pot file
JtR deploys this file where it stores successfully cracked passwords
/etc/john.conf
JtR's primary configuration file is located at
/etc/shadow
Linux and UNIX hashes are stored in this file
ping -R
Linux command to complete a ping with record route
who
Logged on User and Account information command to display logged in username, terminal, login time, and where user is logged in from
w
Logged on User and Account information command to display summary of system and user activity
help
Metasploit command available to view information about available commands
Search
Metasploit command to display any modules related to a key term used
Show Options
Metasploit command to display exploit and payload module parameters
Show Payloads
Metasploit command to display the payloads compatible with the exploit
info
Metasploit command to list out exploit module details
use
Metasploit command to load a specific exploit module
Set
Metasploit command to set exploit parameters
%systemroot%\ntds\ntds.dit
Primary NTDS File location
%systemroot%\system32\config\SAM
Primary SAM File location
Code Based Exploit
Programs designed to target a specific vulnerability in an application. Most common is buffer overflow
Exploitation Methodology
Provides structure and serves as a road map for analysts and operators
find
Recently updated files command to search for files across the filesystem
find -mmin
Recently updated files command to search for files across the filesystem searching modified file time range in minutes
find -name
Recently updated files command to search for files across the filesystem using a filename search
find -type
Recently updated files command to search for files across the filesystem using a type of file search
Delivery - Masquerade
Rely on authentication as a trusted user to put an executable payload file on the target system
Password Control Fields
Remaining components of the Linux/UNIX hash, pertaining to password setting options
%systemroot%\system32\ntds.dit
Repair NTDS File Location
%systemroot%\repair\SAM
Repair SAM File location
ps -ef
Running Processes command to output a full, long list of active processes. Snapshot
prstat -a
Running process command to provide interactive monitoring of active processes and users on UNIX
top
Running process command to provide interactive monitoring of active processes on LINUX
prstat
Running process command to provide interactive monitoring of active processes on UNIX
Service Side
Runs from an attacker machine and exploits a vulnerable network service on the target machine via a listening port
Local Exploit
Runs on a system after access to the target is already established. Typically associated with escalating user privileges to a higher level
RST
Scanning against Microsoft hosts using -sF, -sX and -sN will always result in _____ regardless of whether the port is open or closed
crontab -e
Scheduled jobs command to edit the crontab jobs
crontab -l
Scheduled jobs command to list all cron jobs
crontab
Scheduled jobs command to manage job scheduling
Hash
Second component of the Linux/UNIX hash, obfuscated output of the password text
Relative Identifier (RID)
Second component of the Windows hash that is part of the security ID and uniquely identifies an account
Stack Frame
Second step of program execution ... Subroutines store temporary data on the stack; each time a subroutine runs, the required memory is allocated on the stack in a unit called a?
Single
Shellcode category for a self contained and standalone exploit that delivers a payload in one shot
Stager (s0)
Shellcode category that sets up a TCP connection with the attacker's machine and reads the larger STAGE payload into memory
Stage (s1)
Shellcode category that is a fully functional remote shell loaded by the stager. Offers the ability to run commands on the target system through the remote shell. Typically includes more functionality than singles
showrev
Software packages command to display all system hardware and software revisions information
showrev -p
Software packages command to display only patch revision information
pkginfo
Software packages command to display software package information
logins
Solaris only Logged on User and Account information command to display information on all users (logged in or not) and system accounts.
whodo
Solaris only Logged on User and Account information command to display logged in username, active process/CPU time owned by user, login time, machine name, and time of day
history -c
Syntax to clear the history file in a bash shell
grep
Syntax to search inside text files for matching patterns
Return to Main
The last step of program execution ... When the subroutine completes its work, the pointer jumps to the address stored in the stack frame which returns the control back to the main routine
9
The number of hops recorded in a ping with record route is limited to ?
Payload
The program is the purpose of the exploit. This handles the connection portion. These programs provide access to a target system
msf>
The prompt while in a msfconsole session
Remote Procedure Call (RPC)
These services have the most widely exploited UNIX vulnerabilities. These exploits allow an operator to launch a shell with root privileges
Enumeration
These activities start over after gaining access into a target network
Dictionary
These attacks are generally fastest and least computationally expensive but require the most storage
Brute Force
These attacks are the most computationally expensive and require the least storage
system files
These files aid in furthering network access during collection
Information files
These files have intelligence value during collection
SYN
These packets provide the most accurate information, as they are the initial means of communication
Cisco IOS
These passwords are generally limited to MD5 and Type 7
backdoor
These provide an easy means to return to the target after exploitation
Mount / sysfs
These system calls are invoked with the vfs_getvfssw kernel exploit
Password Last Set
Third component of the Linux/UNIX hash, displays the number of days since Jan 1, 1970 that the password was last changed
LAN Manager (LM) Hash
Third component of the Windows hash, a cryptographically weak symmetric algorithm based around DES. Limited to 14 characters only using A-Z and 0-9
Decision tree
This contains a list of operating systems, potential features and applicable exploits, helping to select the best exploit
UnrealIRCd
This daemon contains a backdoor that was added by a malicious user. It targets port 6667 to gain an interactive shell on the target. Leaves no logs
/etc/syslog.conf
This file controls what and where facilities are logged.
/etc/hosts
This file is referenced for hostname resolution
hashdump
This form of hash collection allocates memory space in LSASS.exe to load assembly code; retrieves account hashes from memory
nslookup
This is a Windows tool used to perform DNS zone transfers. It queries information using the domain name or IP address
Passive OS fingerprinting
This is also known as TCP stack fingerprinting. Does not involve sending packets but monitoring traffic to determine the OS in use
vi editor
This is the easiest way to edit history files
Single - JtR
This is the first and fastest of all JtR modes. Uses login/GECOS information as passwords, previously guessed passwords and logins from other accounts
Solaris vfs_getvfssw
This kernel exploit takes advantage of insufficient sanitization of user supplied data. Entries can be found in /wtmpx and /su logs
Wordlist
This mode of operation is the JtR Dictionary attack. By default will use the /usr/share/john/password.lst
sadmind_adm_build_path
This module exploits a buffer overflow vulnerability which permits the execution of arbitrary code remotely with super-user privileges against Solaris 7,8, or 9
John the Ripper (JtR)
This offline password cracker has three modes of operation, single, wordlist, and incremental
--format
This option must be used with JtR to define what type of hash should be cracked
X
This output option creates an executable payload
O
This output option lists payload with configurable parameters
Type 7
This password protection is a cipher and is symmetric
Scanning and enumeration
This phase takes advantage of data accumulated during the Information Gathering phase to interact directly with target networks
Delivery - Code Based
This portion of the exploit anatomy triggers the vulnerability in the target service, allowing us to write a payload program into memory on the target
User Mode
This root kit replaces system applications with rooted system files
Kernel Mode
This rootkit exploits functionality of Loadable Kernel Module (LKM) to hide itself below the application layer
Firmware
This rootkit modifies or replaces firmware to hide below the OS
Title 18 USC 1029
This section is focused on Fraud and Related Activity in Connection with Access Devices
Title 18 USC 1030
This section is focused on Fraud and Related Activity in Connection with Computers. To include the intent to cause harm. Serves as a catch all. Otherwise known as the Computer Fraud and Abuse Act
Title 18 USC 2701
This section is focused on Stored Wire and Electronic Communications and Transactional Records Access. "Data at rest"
Title 18 USC 2511
This section is focused on Wire and Electronic Communications Interception and Interception of Oral Communications. Covers "Data in Motion", gives ISPs authority to monitor networks
Paranoid (0)
This setting scans very slowly to avoid detection, all scans are serialized and have a 5 minute wait between sending packets
Aggressive (4)
This timing setting adds a five minute timeout per host and never waits more than 1.25 seconds for probe responses
Insane (5)
This timing setting is only suitable for very fast networks or where data loss is acceptable. Time out hosts in 75 seconds and waits only 0.3 seconds for individual probes
Normal (3)
This timing setting is the default scanning method. Scans are run as quickly as possible without overloading the network
Polite (2)
This timing setting reduces network load to prevent crashing. The probes are serialized and have a 4 second wait between each
Sneaky (1)
This timing setting waits 15 seconds between each packet
zap3
This tool removes a user's last entry from WTMP, UTMP, LASTLOG, WTMPX, and UTMPX. It attempts to remove the username from all possible files and binaries.
Ping Sweep
This tool will determine if an IP address range has live hosts by sending an ICMP Echo request to multiple hosts
Exploit Code
This triggers the vulnerability in a service. This is the delivery mechanism that connects to a service and performs the buffer overflow
Heap Buffer Overflow
This type of buffer overflow occurs by corrupting the program data at specific points in the process to cause the application to overwrite memory addresses or functions. "Very volatile - App Crashes likely"
Security Accounts Manager (SAM)
Windows OS's store hashes in this file
Stack Buffer Overflow
This type of buffer overflow occurs when local variables or data within the stack are overwritten, and the return address is changed, causing the program to jump to a specified address of the attacker's choosing
showmount -e
UNIX/LINUX command and option to display target host NFS shared file system
rpcinfo -p
UNIX/LINUX command and option to display target host RPC services and port numbers
showmount
UNIX/LINUX command to display a target host's NFS exported file system
rusers
UNIX/LINUX command to display logged in user information (Similar to finger)
rusers -l
UNIX/LINUX command to display logged in user information (similar to finger) in long list format
finger
UNIX/LINUX command to display logged in users information
finger -l
UNIX/LINUX command to display logged in users information in long list format
rpcinfo
UNIX/LINUX command to display target host RPC services by program transport, service name and owner
33434-34400
UNIX/Linux defaults to UDP along with destination port ranges between ____________
Vulnerability identification
Web servers, applications and CGI script enumeration are essential to _______________
HEAD / HTTP/1.0
When conducting an HTTP banner grab it must be followed by ________ and two carriage returns
UDP
When sending traceroutes Linux/UNIX sends this type of packets
ICMP
When sending traceroutes windows sends this type of packets
rootkits
are software programs and files designed to provide continued unauthorized root access to a system and hide any evidence of compromise
Network Services
arp, and netstat are both commands of what category
passive analysis
gathers information about a target of interest without actually probing the target
traceroute
identifies the path a packet traverses on its way to a target by reporting the first interface the packet sees
Active analysis
involves probing target networks to discover hosts, IP addresses, and running services.
nmap
is a network scanning tool used for identification and enumeration of targets and vulnerable services by performing certain functions
Meterpreter
is a staged payload that provides a command shell interface to an exploited target. Has its own built-in commands that mimic the function calls of regular Windows and Linux commands
Banner Grabbing
is a technique that involves connection to common applications on target hosts to identify version of running applications. Can be completed using nmap, telnet, and netcat
Attack Platform
is an OS specifically designed for exploitation, including many tools, programs and scripts.
Situational Awareness
is an essential part of tradecraft, as one must continuously monitor the state of the Operational Environment
netcat
is an extremely versatile networking utility that reads and writes data across network connections
Cain & Abel
is an extremely versatile tool designed for network and password auditing. Is a Windows package
Metasploit
is an open source framework containing a variety of penetration testing and security research tools
nikto
is an open source web scanner designed to perform tests against web servers to identify security problems. Looking for configuration files, dangerous files and software versioning. This tool is not stealthy and is easily detected
handler
is how Metasploit connects to remote payloads and is the command line interface used to access remote computers. Controls the network connection
tunneling
is the encapsulation of data for transmission through a network
Active scanning
is used to identify ports and services as well as identifying operating system family and version
SUID
running a shell owned by root with these permissions with the purpose to provide a non-privileged user with the ability to run shell as root
command shell
serves as a means to access and communicate with built in services running on a variety of OS platforms
/etc/inetd.conf
services with well known ports that have trivial functions can be taken advantage of through this file
-L
syntax option to open a forward tunnel
-R
syntax option to open a reverse tunnel
scanline
this is a command line port scanner for Windows only. Known as a "Take it with you" scanner due to its small size
nmap scripting engine (NSE)
this tool enables script building to automate network scans and can be run individually or as categories
Ping with Record Route
this tool stores the packet route inside the IP Header options field. It documents the source interface IP as the ICMP Echo Request packet traverses the route
Logged on Users and Account Information
w, who, whodo, and logins are all commands of what category