8.2 Priviledge Escalation
what does chntpw stand for
'ch' for change 'ntpw' for Windows password.
What if you're locked out of a system, and you need to get back in?
-First, we need to create a bootable Kali Linux installation disk or USB. -Once your bootable Kali Linux installation is created, you'll boot the computer you want to work from. -once Kali linux is has booted up, open terminal -type 'pwd' to verify which directory working in -see list of devices files in root by typing 'ls /dev'. ..... - mount the hard drives to the linux system
What are some countermeasures you can take to help prevent attackers from gaining higher level access?
-tighten up privileges -make sure users ONLY have privileges they need to use their systems effectively -always use encrpytions for sensitive info -use multi-factor authentication and authorization -scan operating system and application coding for bugs and errors regularly -update operating system and applications often -Install auditing tools to continuously monitor file system permissions. -Always use fully qualified paths in Windows applications. -select Always Notify in the UAC settings.
what is Kerberos?
In cybersecurity, Kerberos is a protective protocol that allows authentication over an unsecure network using tickets or service principal names called SPNs.
what is LSASS?
In microsoft, Local Security Authority Subsystem Service is a file in directory that performs the systems security protocol -it's a critical component of authority domain authentication, active directory management on the domain system, and the initial security authentication procedure -ESSENTIAL bcs verifies user logins, creates access tokens, handles password changes.
What is an unattended file?
Unattended file is an XML file and has configuration settings used during the installation, including the settings that determine whether each account is an admin account, making privilege escalation easy on each computer.
How does DLL hijacking occur?
When Windows applications are loading to an external DLL library, they usually search the application directory they were loaded from before they attempt a fully qualified path. If an attacker installs a malicious DLL in the application directory before the application installation begins, the application will search the Windows system directory and choose the malicious DLL, and then the attacker has remote access to the system.
What are SAM database vulnerabilities?
While the SAM file can't be copied to another location, it's possible to dump the hashed passwords to an off-site location, which can then be decrypted through a brute force method.
What counter measures can you take so people can't use bootable media to modify user accounts
You should definitely encrypt the disk. Most Windows systems have Bitlocker already built in; if not, there are other disk encryption programs that work very well. might also configure the systems not to boot from removable media, such as USB or optical drives.
ophcrack
a password cracking and password auditing tool; is used for Windows login password cracking. It uses rainbow tables and has the ability to receive hashes from many formats. It's an open-source program -free to use.
ERD commander
is software designed to correct problems that can occur during a reboot after new software is installed on a Windows NT system. It allows users to access the command prompt to perform basic system maintenance tasks during the boot process.
what are cPasswords?
is the name of the attribute that stores passwords in a Group Policy preference item in Windows. It's easily exploited because Microsoft publishes the public key for the encryption of the account credentials in the Group Policy preferences. -stored in SYSVOL folder on domain controllers in an encrypted XML file
What is kerberoasting?
is the process of exploiting Kerberos where an authorized user can log into an Active Directory domain and request a service ticket or TGS. Then an encrypted ticket will be returned, and an offline brute force attack can crack this ticket to reveal the service account password in plain text. - has no risk of detection -no need for escalated privileges
what does 'ls /dev/sd*' do
it narrows the list to just the hard drives in your device
what is ls/dev?
its the location of our device files
When mounting the hard drive to the linux system what should you do to do this?
pick the two that I think are likely to have the SAM file - use 'mount /dev/sda1 /mnt' and press Enter
When can DLL hacking occur?
this can happen during an application installation
what is LSASS susceptible to?
this file is susceptible to viruses and trojans
Trinity rescue kit
this is a tool that helps with repair and recovery operations on Windows machines. It's a great tool for maintenance. It can reset passwords, scan for viruses, run disk cleanup, and fix bug functions Kali Linux and the Ultimate Boot CD are two additional tools that can be booted from the optical drive or USB.
True or False: most domain controllers allow clear text credentials to be transmitted over the network and even to and from the local directory, or LDAP.
true uncrypted or clear text data transfers are vulnerable to attacks
How do you change directors and verify that the drives are mounted?
type 'cd /mnt && /ls'
What does SSL do?
SSL, or Secure Socket Layer, scrambles data that's being transmitted with an encryption algorithm. This secures data being transferred between servers or between a client and server.
what is SAM database
Security Account Manager is a database that stores user passwords in Windows as an LM hash or an NTLM hash. -used to authenticate local and remote users. -doesn't store the domain system user credentials like the LSASS database does -it stores the system's administrator recovery account information and passwords