CNIT 471 Final
Defender task #1
Identify every single device, including the fancy coffee machine, that's connected to your network
Pivoting
Identify information on compromised systems to further elevate access
Nikto is used to
Identify security flaws on a target website and provide detailed referencing for each issue found
-port <port number>
If the server uses a port other than the standard ones (80, 443), we may want to use Nikto with this option
theHarvester
This tool allows us to quickly and accurately catalog e-mail addresses, subdomains, virtual hosts, open ports / banners, and employee names related to a domain from different public sources that are directly related to our target.
Use the icacls command
To check for a folder/file permissions
url.txt
URLs, typically found in browser caches, email messages, and pre-compiled into executables
how to use a non-alpha encoder
Use -e switch followed by the encoder's name
Google Dorks
Used in Google advanced search operators to extract sensitive information about their target, such as vulnerable servers, error messages, sensitive files, login pages, and website
Hashing
Used to validate passwords and most are cracked by brute force
Hash format
Username : Security Identifier (SID) : LM hash : NTLM hash
url_searches.txt
a histogram of terms used in Internet searches from services such as: Google, Bing, Yahoo, etc.
url_services.txt
a histogram of the domain name portion of all the URLS found on the media
wordlist.txt
a list of all 'words' extracted from the disk, useful for password cracking
Once the OSVDB ID has been obtained
a partial list of references for the OSVDB IDs associated with CVE entries are available at http://cve.mitre.org/data/refs/refmap/source-OSVDB.html.
auxiliary metasploit
a piece of code specifically written to perform a task
module
a piece of software that can be used by the metasploit framework
NVTs (Network Vulnerability Tests)
a process that helps review and analyze endpoint and device networks for security issues
In practice, the file is put in the root of a website and comes into play when
a robot or bot visits a site in an attempt to catalog content
Data Breach
a security protocol violation for a company or an individual in which private data is copied, sent, viewed, and stolen by an unauthorised person.
Wifiphisher
a security tool used often by the red team in penetration testing that mounts automated phishing attacks against Wi-Fi networks
meterpreter includes
a series of built in commands
powershell attack vector
a series of code attacks that can be executed once you have already compromised a system
Rainbow Tables
a set of precomputed hashes that are used to look for a possible match; these are defeated if the hashes are salted
Advanced Persistent Threat (APT)
a sophisticated, possibly long-running computer hack that is perpetrated by large, well-funded organisations such as governments
Master File Table
a special file located at the root of the file system ($MFT), which stores critical information about all other files on the partition
CVEs
a standardised list of known security vulnerabilities, exploits, and malware
vulnerability for CVE
a state in a computing system (or set of systems) that allows an attacker to: - execute commands as another user - access data that is contrary to the specified access restrictions for that data - pose as another entity - conduct a denial of service attack
_stopped.txt
a stop list, AKA a list of items that do not need to be brought to the user's attention
MetaGooFil
a tool that scours the Internet looking for documents that belong to your target
in response to a POST request
a web server could send an email, update a database, or change a file
The Web Server and the Data Store just need to be
accessible to each other via a network connection
enterprise administrator
accounts that have the most privileges for maintaining the entire forest in an Active Directory
In the SPARTA 1.0.3 GUI, click on the left pane to
add your host or hosts to the scope
SPARTA takes the scanning, enumeration, and vulnerability assessment another step further by
allowing the penetration tester to actually perform various network penetration testing functions
Netcat Banner Grabbing
allows an operator to establish a socket to a specific port to potentially identify the operating system, service, version, and other tidbits of information necessary to enumerate the purpose and/or potential weaknesses in the service
Cyber Security Enhancement Act of 2002
allows life sentences for hackers who recklessly endanger lives of others
Impacket is a Swiss army knife in that it
allows penetration testers to parse data into networking services running on host systems across a network
allintitle:index of
allows us to view a list of any directories that have been indexed and are available via the webserver
sessions command
allows you to list, interact with, and kill spawned sessions
Netcat File Transfer
allows you to transfer files between computers without the need to install a full-blown FTP server. We used netcat in class for our ICA to send a file over
\x00
almost universal bad character -- null byte
reconnaissance
also known as information gathering
A HTTP GET Method does not
alter the state of the data
For each security issue found
an Open-Source Vulnerability Database (OSVDB) reference ID is associated with the issue
Meterpreter
an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime.
exploit-db.com
an archive of exploits for the purpose of public security
target meaning 3
an attack vector present within a service listening on a host
post-exploitation modules
can be run on compromised targets to gather evidence and pivot deeper into a target network
net user admin
an example where you can choose the user you want to target and get their information
Each point on the output is
an indication of an issue
what is LM authentication
an old authentication mechanism that predates NTLM authentication
Netcat Chat/Messaging Server
an operator can redirect simple text between two computers in a simplistic chat or in an instant message interface
ethical hackers goal
analyse network security and identify and possibly exploit any weaknesses to determine if a compromise is possible
Nikto identified the server version
and some issues in the response header
In practice, robots.txt is supposed to be read by
any robot visiting the site to catalog its content
The actual robots.txt file can be viewed by
anyone as it is publicly accessible by default
GET parameters are
appended to the URL using ? and are available as key=value pairs
global variables
applicable across the framework and can be reused when required
ExifTool
is designed to allow you to quickly and easily view document metadata
normal user
are either local users or domain users with limited system access to perform only tasks that are allowed for them
delegated administrator
are local user accounts with administrator privileges
stages
are payload components that are downloaded by Stagers modules
local admin
are system account holders who have the privilege to run system configuration changes
domain administrator
are users who can administer the domains that they are a member of
schema administrator
are users who can configure the schema of the forest
If we have access to a suspect system's disk
artifacts from file-system-related actions are replicated in RAM
The robots.txt file can be viewed by anyone
as it is publicly accessible by default
compliance based assessment
assessment where pen tester must verify and audit security posture (comply with PCI-DSS, HIPAA, FedRAMP)
delivery
attack delivers malware to the target
Direct Access
attacker essentially knows the IP of the target system and connects remotely
CKC installation
attacker uses initial access provided by malware to get permanent or persistent access to the target system
first step in creating a reverse shell in metasploit
attacker will set a multi-handler in Metasploit
CKC Reconnaissance
attackers gather OSINT and conduct initial scans of a target environment to detect exploitation avenues
lateral movement (pivoting)
attackers move from device to device after initial attack with the goal of accessing high-value data
MITRE ATT&CK TTP (Tactics, Techniques, and Procedures)
attackers use TTP to evade technical controls. Example of a tactic: a threat group uses this to compromise a target, such as phishing attacks
windows authentication mechanisms allow users to
authenticate without providing a clear-text password
Sparta is very easy to use and
automates a lot of information-gathering processes
Use _____ commands on the old legacy Windows system
cacls
Mimikatz
can be used to extract clear-text passwords directly from the virtual memory space of a compromised Windows target
AV Physical
can only be exploited with physical access ex: cold boot attack
AV Adjacent
cannot be exploited beyond network boundary but can be exploited within the same physical or logical network ex: bluejacking, ARP flooding
script kiddies
casual hackers who use prebuilt tools
meterpreter lcd command
change the local working directory
HTTP is typically used when a client only wants to
check if a resource exists or to read the metadata
metasploit show targets command
check if a system is vulnerable to a particular exploit
Parsero reads the robots.txt file of a web server, looks at the Disallow entries, and then
checks to see whether the location is accessible
clear the event logs using the _______ command
clearev
shellcode
code that is designed to give a shell access of the target system
msfvenom
combination of msfpayload and msfencode making it a single framework
meterpreter download command
command downloads a file from the remote machine; note the use of the double slashes when giving the Windows path
meterpreter webcam_snap command
command grabs a picture from a connected webcam on the target system and saves it to disk as a JPEG image. By default, the save location is the local current working directory with a randomized filename
meterpreter sysinfo command
command will provide system information about the target machine including computer name, operating system, service pack level, and more
running bulk_extractor on a computer with twice the number of cores typically makes it
complete a run in half the time
The data store can reside on a
completely different computer than the web server is running on
Focused penetration
compromise vulnerable hosts (exploit missing patches, deploy custom executable payloads, access remote management interfaces)
Receiver (RHOST)
compromised system that's waiting for instructions from the LHOST once that system has been exploited. This will be the target's IP address
set command metasploit
configure framework options and parameters
hacker vs ethical hacker
consent
windows/shell/bind_tcp
consists of a stager (bind_tcp) and a stage (shell)
The OSVBD is an independent and open-source database that
contains information about web application security vulnerabilities
what do MFT entries include
contains information such as: 1. name 2. type (hidden, regular file, directory) 3. the locations on the disk where its data can be found
legal vs illegal hacking
context
-DV
controls the display output
ZEH post exploitation
create a more permanent backdoor to the system
POST
create or post a resource(data) for processing
_histogram.txt
creates a histogram of features; can be used to rapidly create a pattern-of-life report
bind shell
creates a payload that 'binds' a command prompt to a listening port on the target machine, which the attacker can then connect to
sudo msfdb init
creates and initialises the msf database
What is msfvenom used for
creating a custom shellcode payload
ccn_track2.txt
credit card 'track 2' information, which has previously been found in some bank card fraud cases
ccn.txt
credit card numbers
Services in the Windows system are like
daemons in the Linux OS
four extremely common LHF
default passwords/configurations, sharing credentials across multiple systems, all users having local admin rights, missing patches with publicly available exploits
Defender role
defend organisation from cyber threats
-o and -F
define the scan report to be written in a format
setg
defines global variable
Level 3 of privilege escalation hierarchy
delegated admin/SYSTEM - account operators, backup operator, other groups
Counter measures to CKC
detect, deny, disrupt, degrade, deceive, contain
'/' in payload name
determines whether or not a payload is staged
A more practical approach to crack cached credentials is to use a _________ _____ containing common words and only guess the words in the list
dictionary file
where does bulk extractor get its information from
digital evidence files
two ways to get remote access to a system
direct access, target behind router
HTTrack is used to
discover and access hidden resources and files that weren't accessible via the online version
Information Gathering
discover network hosts, enumerate listening services, discover vulnerable attack surfaces
metasploit show options
display the settings that are available and/or required for that module
meterpreter lpwd command
display the working directory
metasploit banner command
displays MSF banner info, including: version details and the number of exploits, auxiliaries, payloads, encoders, and nops generators
show metasploit
displays contents of each directory
net user
displays local user accounts
meterpreter help command
displays meterpreter help menu
The Web Server and the Data Store
do not even need to be on the same network
auxiliary modules ________ the use of a payload to run
do not require
Level 4 of privilege escalation hierarchy
domain administrator
Passive Recon methods
domain enumeration, packet inspection, OSINT, Recon-ng, Eavesdropping
netcat -n
don't perform DNS lookup
Exfiltration Methods
downloading, external drives, cloud exfiltration, malware
configure the rootkit .ini file to hide uploaded files, backdoor, newly opened ports using the _______ command
edit
$2a
eksblowfish
email.txt
email addresses
rfc822.txt
email message headers, including the Date:, Subject:, and Message-ID: fields
what type of communications does meterpreter use
encrypted communications
Level 5 of privilege escalation hierarchy
enterprise/schema administrator
where does meterpreter reside
entirely in memory
Active recon methods
enumeration: host, network, user, group, network share, web page, application, service and packet crafting
metasploit connect command
establish a connection with a remote system
Post-exploitation and privilege escalation
establish reliable re-entry, harvest credentials, move laterally (identify privileged user accounts, elevate to domain admin)
ether.txt
ethernet MAC addresses found through IP packet carving of swap files and compressed system hibernation files and file segments
SPARTA is an
excellent active information gathering tool
install netcat as a persistent backdoor using _______ command
execute -f
install the rootkit using the _______ command
execute -f
After copying the 64-bit version of Mimikatz to a remote Windows 10 host
execute Mimikatz executable from a command prompt
The robot does checks for the
existence of the robots.txt file
metasploit exit command
exits metasploit console
exploit command
exploit a host, run until completion, and then exit
_______ cannot exist without _______
exploits ; vulnerabilities
The extension of the file determines the
format of the report. Other common formats are .csv (for comma-separated files) and .txt (for text files)
Parsero is a
free script written in Python which reads the Robots.txt file of a web server and looks at the Disallow entries
Crackstation
free service that uses its own word list and lookup tables to perform a plaintext search of a hash from its database
Gaining Persistence
fully interactive -- through meterpreter or a Windows cmd prompt; non-interactive -- through a webshell or database console that can run individual OS commands
Use the Impacket PsExec module, the Administrator username, and the LM and NTLM hashes to
gain access to a remote shell on the target
DNSRecon
gathers DNS information through a number of techniques including zone transfer, dictionary requests, and Google search
generate command
generate shellcode without options
generate -t c
generates a payload in C
generate -t java
generates a payload in java
metasploit help command
gives a list of all available commands
metasploit back command
go back to previous area
ZEH exploitation
goal is to gain root access over a machine, locally or remotely
CKC Command and Control
hackers use stolen data to move laterally, gain unsolicited access, and compromise key infrastructure elements
Once httrack is complete, testers must be able to load the application locally and
harvest information or identify the implementation flaw
dump password hashes and use John to crack passwords by using the _______ command
hashdump
to identify a hash type use
hashid <hash value> command on Kali Linux
encoders
help you generate a wide variety of payloads that can be sent to the target in multiple ways
Password profiling
helps us generate word-lists aligned with the specific pattern
Bulk extractor creates
histograms
Sub-Phase A of information gathering
host discovery
3 main subphases/components of IG phase
hosts, services, vulnerabilities
CVSS Probability
how likely is that this vulnerability will be exploited
CVSS Impact
how much is it going to hurt
engagement scope
how the list of IP address ranges you will probe during a host discovery is determined
Most web servers communicate via
http (port 80) or https (port 443)
white box testing typically requires
identifying loopholes, testing exploits, performing exploits, clean up
ping sweep bash command
if range = 10.0.10.1-254: for octet in {1..254}; do ping -c 1 -W 1 10.0.10.$octet >> pingsweep.txt & done
Impact on Availability (High, Low, None)
impact on the availability of the affected component after successful exploitation of the vulnerability
Impact on Confidentiality (High, Low, None)
impact on the confidentiality of the information after successful exploitation of the vulnerability. High: complete access to resources; Low: confidential info is obtained but not complete control; None: no impact on confidentiality
db_import
import a saved file from an nmap scan
The owner of a website can make use of the robots.txt file
in an attempt to take control of who sees what within a site
While the intention is for robots.txt to be universally accepted
in reality, robots can ignore your /robots.txt
Action on Objectives
includes: theft of sensitive information, the unauthorised use of computing resources to engage in: DDoS, mine crypto, or the unauthorised modification or deletion of information
User-agent : *
indicates that the information applies to all robots
User interaction (none, required)
indicates the actions that the target user needs to perform (apart from the attacker's action) to successfully exploit the vulnerability
ethical hacker / security researcher
information security professionals who specialise in evaluating, and defending against threats from attackers
what does \x00 do
instructs metasploit to remove this unwanted byte
domain.txt
internet domains found on the drive, including dotted-quad addresses found in text
Finding Master File Table (MFT) records can help with
investigating malicious code
LHOST
ip for local machine
Spear Phishing Attack
is a phishing method that targets specific individuals or groups within an organisation. They are specially crafted e-mails with malicious attachments
WHOIS
is a query protocol for identifying IP addresses and domain names on the Internet
Nslookup
is a valuable tool for querying DNS information for host name resolution. example: server 8.8.8.8
'Filtered' Nmap status
is unable to determine whether a port is open or closed because a firewall is interfering with the connection attempt
Zone Transfers
is when one DNS "zone" will transfer data to another, think the Primary DNS server transferring to the Secondary DNS server
Medium Rated Vulnerability
it can be exploited remotely, but it is very easy to execute; requires low or normal account privileges; impact on CIA is low
Why should we minimise false positives
it can divert resources to investigate a problem that does not really exist
What is important about 5 iterations
it is slightly larger and our bytes are nowhere near similar. In theory, this version of the payload will be less prone to detection
In a time-sensitive investigation
it might be easier to acquire a 4GB of memory sample than a 250GB disk image
Once a security flaw is identified on a target
it provides an associated OSVDB reference ID
When it reads the file
it should process the directives and react accordingly
use the _______ command to disable antivirus
kill
white box (overt)
known environment -- full knowledge, has access to source code, config files, etc.
search by type
lets you filter by type such as auxiliary, post, exploit, etc.
use command
lets you use a module
cache
limits our search results and shows only information pulled directly from the Google cache; displays Google's cached copy of a page
local variables
limited and valid for a single instance
meterpreter features provide
limited forensic evidence and impact on the victim machine.
meterpreter lls command
list local files
port scanning
list of open ports and the potential service running on each target
netcat -l flag
listen
netcat -l
listen mode
Level 2 of privilege escalation hierarchy
local administrator
LHOST
local host
LPORT
local port
netcat -p
local port
netcat -p flag
local port
LPORT
local port for local machine
black box testing typically requires
locating and exploiting a single vulnerability, brute forcing areas of authentication, testing exploits in a test environment, performing an exploit, cleanup
Payload
malicious code that we want the remote system to execute
CKC exploitation
malware gains access to targeted system
what can a multi-handler also do
manage multiple sessions between an attacker and multiple victims
PTF
manage your pen-testing toolbox
Reason for multiple vulnerability assessments
measure and determine progress towards overall goal
use the _______ command to move meterpreter to a common process
migrate
migrate <process PID>
migrate to another process
meterpreter payload allows us to
migrate to a process which is more stable, disable or kill antivirus, upload files, execute files, edit, copy, and delete files, escalate privileges, dump hashes, install and display keystrokes
jobs in metasploit
modules that are running in the background
what does meterpreter allow you to do
move easily from the exploitation phase to post exploitation
methodologies help you
move through a number of tasks in a systematic manner
command to run netcat from linux terminal
nc
open netcat listener on port 55
nc -nvlp 55
how to use getsystem command
need to load the 'priv' extension
how to list the local groups on a Windows host
net localgroup
To get detailed information about a certain group
net localgroup <enter localgroup name>
use the _______ command to make changes to windows firewall settings
netsh advfirewall firewall
To list the firewall configuration and state, you must use
netsh firewall show state
find open ports in windows
netstat -ab
target meaning 1
network host (computer with an IP on an organisation's network)
level-two targets
newly accessible targets that weren't available on the original attack vector's target list
if too many restricted bytes are given
no encoder may be up for the task
do sessions typically have unlimited user rights
no, they have limited rights most of the time
does meterpreter write anything to the disk
no, it writes nothing
does generate include options
no.
Often times web servers will run on
non standard ports
Level 1 of privilege escalation hierarchy
normal user - local user, domain user
types of user accounts
normal user, local admin
Low Attack Complexity
nothing that can hinder an attacker from successfully exploiting a vulnerable component repeatedly
Clicking on the Information tab displays host information gathered, including IP information;
number of ports open, closed, and filtered(if any); as well as the operating system and version with an accuracy rating
redteam
offensive security professionals
MFT contains
one entry for every file and directory on the file system
Shodan
one of the most popular security search engines and provides pre-built searches as well as categories of search for industrial control systems, databases, and other common search queries
Hashing Algorithms
one way, non-invertible functions such as MD5 and SHA1
meterpreter edit command
opens a file located on the target host
grep command
output text in searchable format
netcat -n flag
overlooks host discovery
DDoS
overwhelms a system's capabilities
Medusa
parallel login brute forcer that attempts to gain access to remote authentication services; needs: target IP, username, password list/dictionary file, and the name of the service you want to authenticate with, e.g. 10.0.1.15, vij1, passwords.txt, ssh
bulk extractor gets useful information without
parsing the file system or filesystem structures
Attack Vector
particular entry point inside an attack surface
site: zoom+meeting+passcode
passive reconnaissance
Word lists can be useful for
password cracking
John the Ripper
password-cracking program; runs automated dictionary attacks; takes a large dictionary file, runs a hashing function on the entries, then looks for matches
Low Hanging Fruit
path of least resistance for an attacker
singles
payloads that are self-contained and completely standalone
CFAA 1984
penalties of hacking are often severe, applies to cases of computer-related crimes relevant to federal law
Exploit Pack
penetration testing framework
grey box pentesting
pentester is given partial and limited information, like any normal user
HIPAA
pentesting not required but does require risk analysis which requires vulnerability scanning and pentesting
PTH-WinExe tool allows penetration testers to
perform pass the hash during security testing
meterpreter kill command
kill <pid_number> will stop (kill) the specified process; the process ID can be found by running the "ps" command
hacktivist
politically motivated hacker
HTTPS
port 443 tcp
HTTP
port 80 tcp
gaining persistence on a target system
post exploitation
what modules can help pentester dump OS credentials, execute Powershell scripts, and escalate user privileges
post modules
Hydra
powerful and efficient password cracking tool used to crack protocols such as FTP, SSH, HTTP, etc.
PTH-WinExe is
pre-installed on Kali machine
OpenVAS has several _________ _______ _______
predefined scan profiles
meterpreter shell command
present you with a standard shell on the target system
the process of going from a relatively low level of access rights to gaining the privileges of an administrator,the system, or even greater access privileges
privilege escalation
Bulk extractor can
process compressed data
vuln scanning
process of identifying weaknesses in the services our target is running
Weaponisation
process where tools are built or used to attack their victims
alert.txt
processing errors
netcat -e
program to execute after a connection has been established
ECPA 1986
protects against: 1. government surveillance without court order 2. third parties without legitimate authorisation accessing messages 3. illegal interception from carriers (ISPs)
Sarbanes-Oxley Act
protects investors from fraudulent financial reportings
meterpreter search command
provides a way of locating specific files on the target host
metasploit info command
provides information on a specific module such as options, targets, etc.
GET parameters are also known as
query strings; they are visible in the URL
GET
read data or retrieve a source from the server; safe method (no action on server)
modify the registry to ensure netcat is persistent by using the _______ command
reg
RPORT
remote port (target)
RHOST
remote/target host
RPORT
remote/target port; if the vulnerability is on FTP, we set the port to 21
unset metasploit
removes a parameter configured with set
unset all metasploit
removes all assigned variables
unsetg
removes the global variable
The maintainers of the Open-Source Vulnerability Database (OSVDB) decided to
shut down permanently due to the lack of support from the industry.
get out of jail card
signed by high-level manager and is enough to get you out of trouble
Pentester
simulate an attack on the company's infrastructure
Sparta is removed from Kali Linux
since version 2019.4
windows/shell_bind_tcp
single payload with no stage
3 different types of metasploit payload modules
singles, stagers, and stages
nmap -Pn
skips host discovery
modules
software packages that can launch our exploits, scan remote systems, and enumerate remote system
payload
something we want the system to execute and is delivered by the framework
What does the MFT include
special metadata files used for organising and tracking other files
Use the -h option to (Nikto)
specify the target host
CVSS
standard system for scoring vulnerabilities
sudo setoolkit
start set tool kit
openvas-start
starts all services involved in openvas
sudo systemctl start postgresql
starts the postgresql server
what is a good reason for an iteration switch
stealth/anti-virus evasion
Cyber Kill Chain (CKC)
step-by-step description of how hackers attack and how a cyberattack generally plays out
openvas-stop
stops all services involved in openvas
true negative
successfully ignoring acceptable behavior
run an nmap scan on 192.168.1.2, 192.168.1.3, 192.168.1.4 UDP ports
sudo nmap -sU 192.168.1.2 192.168.1.3 192.168.1.4
What does the iteration switch do
tells the framework how many encoding passes it must do before producing the final payload
Disallow: /
tells the robot not to visit any pages on the website
obtaining some access privileges will allow
testers to control all systems across a network
The file only serves to suggest the sections of the site
that shouldn't be visited; it doesn't enforce them
Robots can crawl everything except
the /wp-admin/ folder
what can a user also use to access a Windows system
the 32-character NTLM hashed equivalent of a password
With the target in this case being a Linux web server
the Nikto webscanning tool was also run as part of the process.
what does limiting access restrict
the ability to perform certain operations on a remote machine ex: dumping passwords, manipulating the registry, installing backdoors, etc.
social engineering
the art of manipulating people so they give up confidential information
Pass the Hash Attack
the attacker discovers the hash of the user's password and then uses it to log on to the system as the user
compare output
the byte size is larger than the first; the more iterations one does, the larger the payload will be
POST is used when
the client needs to send information to the server
HEAD is used when
the client only wants information about the resource instead of the resource itself
GET is used when
the client wants to download a resource
msfconsole
the console within metasploit framework
Parsero is specifically designed to look at
the contents of the file with attention paid to the disallow entries that are used to keep bots from visiting those locations
LHF attack vectors are
the easiest to remediate
$DATA attribute contains
the file contents for resident files
what decides whether a particular attribute is resident or nonresident
the file system
Impact on Integrity (High, Low, None)
the impact on integrity after a successful exploitation of the vulnerability. High: the hacker can modify all files protected by an affected component; Low: the attacker doesn't have full control over modification; None: no impact on integrity
the more iterations one does
the larger a payload will be
Procedures
the manner, or order, in which an attack is carried out
exploit metasploit
the means by which an attacker/pen tester takes advantage of a flaw within a system, an application, or a service
bulk extractor histograms show
the most common email addresses, URLs, domains, search terms, and other kinds of information on the drive
When we click on the Tools tab, Sparta displays
the numerous tools that we can apply to this target system, including the following
what does privilege escalation allow
the penetration tester to own all aspects of a system's operations
Privilege Required (none, low, high)
the privilege an attacker must have to exploit a vulnerability successfully
find.txt
the results of specific regular expression search requests
SPARTA automates
the scanning, enumeration, and vulnerability assessment processes within one tool
The file only serves to suggest
the sections of the site that shouldn't be visited; it doesn't enforce them
wordlist_*.txt
the wordlist with duplicates removed, formatted in a form that can be easily imported into a popular password-cracking program
what are generate, pry, and reload
these 3 are added by metasploit when you use a certain payload
post
these are modules that we can use after the system has been compromised
(Nikto switch) -update
this updates plugin databases
insider threat
a threat actor whose motivation can be revenge on a company
All web-based database applications have
three primary components:
netcat -w(N)
timeout for connections; waits N seconds to make a connection, ex: -w1 or -w2
show sessions command
to manipulate sessions
metasploit history command
to see the commands you operated so far
show advanced command
to show the module's advanced options
social engineering toolkit (SET)
tool that helps automate some insanely complex techniques and make your attacks believable
Attack Surface
total number of potential harmful entry points
disk artifacts
traces in memory because Windows is specifically designed to cache content
Phishing
tricking users into entering their credentials or stealing credentials from them
netcat -u
udp mode
AV (Attack Vector) Network
vulnerability can be exploited remotely over the network ex: DDoS caused by sending a specifically crafted TCP packet
Sub-Phase C of information gathering
vulnerability discovery
False Negative
vulnerability is present, but the vulnerability assessment fails to identify it -- worst-case scenario for an organisation
What does artifact replication of file-system related actions allow
we can leverage them as a strong source of corroborating evidence
-o switch ex: generate -o LPORT=1234 .....
we can use this to change the port from the default 4444
Dictionary Attack
we feed the password cracker a bunch of words; the password cracker then tries all words from the supplied file, and if one matches we are presented with the correct password
Brute-force Attack
we specify the min length, max length, and a custom char set; the password cracker tries all permutations and combinations formed out of this char set as a probable password on the target
What does the -b switch do in this command: generate -b '\x00'
we want \x00 to be disallowed during the generation process; it removes the null bytes in this case
CVSS Scope
what parts of the vulnerable component are affected by the vulnerability
final report
what you did in detail and hopefully mitigations and solutions
meterpreter webcam_list command
when run from the Meterpreter shell, will display currently available web cams on the target host
Each entry's attributes also include timestamps that indicate
when the associated file was created, modified, and accessed
If the file exists, it reads the file to see
whether it is allowed to proceed, and if so, where
whoami
who you are logged in as
meterpreter clearev command
will clear the Application, System, and Security logs on a Windows system. There are no options or arguments
SET Credential Harvester
will clone a website and based on your attack, send an e-mail to a victim and attempt to collect their credentials
meterpreter idletime command
will display the length of time that the machine has been inactive/idle
meterpreter getuid command
will display the user that the Meterpreter server is running as on the host
meterpreter hashdump command
will dump the contents of the SAM database
meterpreter resource command
will execute meterpreter instructions located inside a text file
Active Reconnaissance
will interact with the system
meterpreter load python command
will load the extension giving us access to new commands
meterpreter migrate command
will move your meterpreter shell to another running process
meterpreter ps command
will print a list of all of the running processes on the target
why is listing users and groups important
will provide great insight about how to switch from a limited user to another user with administrator privileges
"-a" switch on a host
will provide verbose output and possibly reveal additional information about a target
meterpreter reboot/shutdown command
will reboot or shut down the target machine
The malicious web crawlers
will tend to ignore the Robots.txt file
TTL = 128. Which o/s?
windows
where are payloads generated in metasploit
within the msfconsole
Passive Reconnaissance
without interacting with the system
Vulnerability scoring
without this, it would be impossible to prioritise vulnerability mitigation and closure
metasploit makerc command
writes out all the command history for a session to a user defined output file
Can metasploit create payloads in different coding formats
yes
can bulk extractor process incomplete or partial data
yes
how to send a payload to a victim
you must find a way to convince your victim to download and run that payload
what happens if you try to run system-level commands when initially gaining system access
you will receive the response access denied or no privilege available to run the commands on the target system
post-exploitation modules allow us to
escalate user privileges, dump OS credentials, steal cookies and saved passwords, get key logs from the target system, execute PowerShell scripts, make our access persistent
whoami /priv
/priv command shows you what permissions you have - if you see it, you can do it
They are allowed to crawl one file in the
/wp-admin/ folder called admin-ajax.php
executive summary
1-2 page nontechnical overview of the findings
Two ways to nmap scan all 65536 ports
1. -p- 2. -p 0-65535
purple team
A mode of penetration testing where red and blue teams share information and collaborate throughout the engagement.
payload
A payload is malicious code that we want the remote system to execute
Metasploit
A penetration-testing tool that combines known scanning techniques and exploits to explore potentially new types of exploits.
meterpreter keyscan_start command
Begins keystroke logging on victim
$2$
Blowfish
attributes that the mftparser plugin currently supports include
$FILE_NAME ($FN), $STANDARD_INFORMATION ($SI), $DATA
iteration switch
'-i'
Payload is represented by _____ in the payload name
'/'
-evasion
(help avoid or bypass detection by Web Application Firewalls and Intrusion Detection Systems.)
-mutate
(to guess subdomains, files, directories, and usernames)
why are schema admins the most privileged account
because attackers cannot add users to any other groups: that would limit the access level to modifying the Active Directory forest
why are disk artifacts created
because users constantly open, read, write, and delete files
social engineering attacks have to be
believable enough that no negative perceptions are created on the recipient's end
By default Metasploit will select the _______________ to accomplish the task at hand
best encoder
3 pentesting approaches
black box, white box, grey box
identified_blocks.txt
block hash values that match hash values in a hash database that the scan was run against
Attacker role
break into the company—to compromise the network in some way and gain unauthorised access to restricted systems or information
openvas 'high severity task'
brings up scan results
Apart from its scanning and enumeration capabilities, SPARTA also has a
built-in brute-force tool for cracking passwords
targets.txt / target list
IPs you test throughout engagement
show options
This command shows available options to set
Set payload windows/meterpreter/reverse_tcp
This sets the payload to be used
Kerberos tickets
This ticket is used mainly by Windows systems for single sign-on
Which one has a stager 1. windows/shell_bind_tcp 2. windows/shell/bind_tcp
2 -- bind_tcp is the stager
CompTIA Penetration Testing Process
1. Planning and Scoping 2. Reconnaissance and Vulnerability Identification 3. Attacking and Exploiting 4. Reporting and Communicating Results
Penetration Testing and Execution Standard (PTES)
1. Pre-engagement Interactions 2. Recon 3. Threat Modeling 4. Vuln Analysis 5. Exploitation 6. Post Exploitation 7. Reporting
two additional files may be created
1. _stopped.txt 2. _histogram.txt
two possible conditions that would need social engineering
1. all systems are hardened and patched 2. attacker can't find any vulnerabilities
when getsystem fails
1. background the session 2. and manually try some additional exploits that Metasploit has to offer
To properly use a Google directive, you need
1. directive name 2. a colon 3. term you want to use example: site:domain term(s)
bulk extractor operates on
1. disk images 2. memory images 3. files or a directory of files
bulk extractor features such as
1. email addresses 2. credit card numbers 3. URLs 4. etc.
Hiding Trails
1. encryption 2. modifying system logs 3. tunneling: create a secure tunnel through which they send data (encrypted) from the victims network to another location 4. Wiping drives - makes it impossible to tell if malicious activities were performed
3 commonly targeted sets of credentials
1. local user account password hashes 2. domain cached credentials 3. clear-text config files with DB credentials
mftparser plugin does these things
1. parses the attributes 2. builds the file path for the file 3. outputs the pertinent information
steps of ethical hacking
1. talk with the client 2. prepare an NDA 3. prepare an ethical hacking team 4. conduct test 5. analyse results 6. deliver report to the client
default "verbose" mode output includes
1. the MFT entry's path 2. file type 3. timestamps 4. record number 5. and resident data (if any)
Each MFT entry takes up ___ bytes.
1024
MD5 - Message Digest 5
128-bit hash based on variable-length plaintext
HTTrack
A command-line and GUI utility widely used to make a local copy of any website
Listener (LHOST)
A listener is a component in Metasploit that waits for an incoming connection of any sort after the remote system is exploited. This will be your host IP address
Attack Complexity Metric
A metric that describes the difficulty of exploiting a vulnerability.
-sA
ACK Scan
Acceptula
Accept Agreement
salting
Adding a random string at the end of password to ensure a hash has a unique value
Reverse Shell
An attacker opens a listening port on the remote host and causes the infected host to connect to it
Password guessing
An attempt to gain access to a computer system by methodically trying to determine a user's password
exploit
An exploit is how an attacker takes advantage of a flaw within a system, application, or service
Changed Scope
An exploited vulnerability may impact resources beyond the boundary of the vulnerable component
Unchanged Scope
An exploited vulnerability would affect only the resources managed by the affected component
Dig
Another great tool for extracting information from DNS
Exploit
How an attacker takes advantage of a flaw within a system, application, or service
most common type of engagement
INPT (Internal Network Penetration Test)
ip.txt
IP addresses found through the IP packet carving
Host specific info
IP, DNS, OS
location
Find information for a specific location.
Defender task #4
Apply every security patch and hotfix issued by the individual software vendors as soon as they become available
AV Local
Attacker must be locally logged in to exploit a vulnerability ex: privilege escalation
High Attack Complexity
Attacker needs to put considerable effort to prepare for the attack
nonresident attributes
Attributes whose values are stored in runs rather than in the MFT
DNSEnum
Can provide a lot of switches (tool options) to further automate the DNS enumeration process.
Attack Complexity
Can the attack be done at any time, or at only under specific conditions?
CVE
Common Vulnerabilities and Exposures
ignore.txt / exclusion list
IPs you avoid touching in any way
Common Attack Vectors Include
Compromised Credentials, Weak and Stolen Credentials, Malicious Insider, Missing or Poor Encryption, Mis-configuration, Ransomware, Phishing, Trust Relationship
Gramm-Leach-Bliley Act (GLBA)
Consumer protection law that ensures the protection of a consumer's non-public information.
meterpreter keyscan_dump command
Displays the currently captured keystrokes from the target's computer
Phase 4
Documentation
exif.txt
EXIFs from JPEGs and video segments; this feature file contains all of the EXIF fields, expanded as XML records
Defender task #2
Every application running on those devices is properly restricted using strong passwords (preferably with two-factor authentication)
Execute the httrack command
Execute the httrack command
(T/F) Bulk extractor cannot carve JPEGS, office docs, and other files out of fragments of compressed data
F
(T/F) Nikto cannot detect default files, insecure files and programs
F
(T/F) Nikto cannot detect server and software misconfigurations
F
(T/F) Nikto is not capable of identifying installed applications via headers and files on a target
F
(T/F) Nikto is stealth-oriented
F
(T/F) Bulk extractor builds word lists based on all the words found within the data, but not those in compressed files that are in unallocated space
F -- first part true, second part false
UL2900-2-1
FDA-adopted consensus standard for pen tests as part of the regular evaluation of a security standard
Common Target Protocols
FTP, SSH, SMB, SMTP, HTTP, MySQL, etc.
allintext:
Finds all provided terms in the text of a page -- don't use it
Filetype
Finds specific types of files based on file extension
inurl:admin
Finds strings in the URL of a page
Phase 2
Focused penetration
bulk extractor
Forensics investigation tool, especially useful in malware and intrusion investigations
Three Common HTTP requests
GET, HEAD, POST
SPARTA is a
GUI network infrastructure penetration testing tool
Documentation
Gather evidence/screenshots, Create linear attack narratives, create final deliverable
footprinting
Gathering information about a system's computer profile in a methodical manner
intitle:"index of"
Google Dorking
Defender task #3
Hardened to conform to the current standards and best practices for each respective device
Phase 1
Information Gathering
WHOIS - Extracting Domain Information
It is a TCP service that is used to extract information about the domain and the associated contact information
Password Cracking Tools
John the Ripper, RainbowCrack, Brutus, etc.
LM hashes are used by
LAN manager (LM) authentication
TTL = 64 Which o/s?
Linux
netcat -L
Listen harder
port 3389
RDP
net share
Lists, creates, and removes network shares on the local computer.
$1$
MD5
-sM
Maimon Scan
Fundamental objectives of post exploitation
Maintaining reliable re-entry, Harvesting credentials, Moving laterally
getsystem
Meterpreter command that attempts to elevate privileges to local system
If the attribute's value later grows ex: appending data to a file
NTFS allocates another run for the additional data
-sN
NULL scan
CVSS Scores
None 0.0; Low 0.1-3.9; Medium 4.0-6.9; High 7.0-8.9; Critical 9.0-10.0
OSINT
Open Source INTelligence; gathered from publicly available sources
OpenVAS
Open source framework of several tools and services that offer powerful vulnerability scanning and management systems
Nikto
Popular open-source web vulnerability scanner; a command-line tool preinstalled in Kali Linux
Phase 3
Post-exploitation and privilege escalation
Two Metasploit editions
Pro and Framework
CVSS Risk =
Probability x Impact
ZEH Pentesting Methodology
Recon, Scanning, Exploitation, Maintaining Access
Host
Reconnaissance efforts will result in host names rather than IP addresses ex: host target_hostname ex: host ns1.dreamhost.com
(Nikto switch) -format
This defines the output format; it may be CSV, HTM, NBE (Nessus), SQL, TXT, or XML
SOX Section 404
Requires the annual report of every public company to include information on internal controls to secure the integrity of financial info
-sU
Runs an nmap scan on UDP ports
Use LEGION as it's a fork of
SECFORCE's Sparta
two common settings that should allow us to override a service
SERVICE_CHANGE_CONFIG and SERVICE_ALL_ACCESS; allows us to get a remote shell
$5$
SHA-256
$6$
SHA-512
Services in Windows execute with
SYSTEM privileges
link
Searches for links to a site or URL
Ideally web applications will run on
Secure Socket Layer (SSL) webservers
-Plugins
Select what plugins to use in the scan (default: ALL)
SHODAN
Sentient Hyper Optimized Data Access Network - Indexes service banners and service headers
Miss_svc
Service running on the remote machine
Once the Nmap scan is complete, SPARTA provides several tabs in the main window, such as
Services, Scripts, Information, Notes, Nikto, and Screenshot tabs, all with very useful information
Define
Shows various definitions of a provided word or phrase
5 iterations
The change is significant when comparing to all previous outputs
use exploit/multi/handler
This command handles incoming connections
3 different payload modules in the MSF
Singles, Stagers, and Stages
TTL = 255
Solaris
-sS
Stealth Scan
meterpreter keyscan_stop command
Stops recording user keystrokes
Sublist3r
Sublist3r is a python tool designed to enumerate subdomains of websites using OSINT
(T/F) Nikto can check for any outdated components on a web server
T
(T/F) Nikto can detect subdomains and directories in the website structure
T
(T/F) Nikto can generate output reports in several forms such as HTML, CSV, XML, and text
T
(T/F) Nikto can identify index files and HTTP methods
T
(T/F) Nikto can offer SSL support
T
(T/F) Nikto can only detect well-known vulnerabilities
T
(T/F) Nikto uses signatures to detect vulnerabilities
T
(T/F) bulk extractor is multithreaded
T
(T/F) bulk extractor will detect encrypted RAR files
T
SSH
TCP 22
RDP
TCP 3389
-sT
TCP Connect scan
-sF
TCP FIN scan
tcp.txt
TCP flow information found through IP packet carving
RHOST
The IP address of the target
blue team
The defensive team in a penetration test or incident response exercise.
LowPrivUser
The existing user name on the remote machine
what is a non-alpha encoder
The payload does not contain any alphanumeric characters.
receiver (RHOST)
The receiver is the compromised system that's waiting for instructions from the LHOST once that system has been exploited. This will be the target's IP address.
DNS
The service that translates URLs to IP addresses.
True positive
The successful identification of a security attack or a malicious event.
Exfiltration
The unauthorized transfer of information from an information system.
DNSdumpster
There are a number of online tools to enumerate domain information
netstat -ano
To list all the current connections established from the Windows host (e.g., web server, SMB, RDP, etc.)
-list-plugins
To view the available testing plugins
report.xml
a file that captures the provenance of the run; the report includes 1. source media info 2. how the program was compiled and run 3. etc.
Critical Rated Vulnerability
Very easy to execute and doesn't require any specific account privileges or user interaction; impact on C and I is high and on A is low
Cached Websites
Wayback Machine is a service that stores static copies of internet sites and keeps a record of their updates and versions
False positive
When a scanner reports a vulnerability that does not exist, this is known as a false positive error; also known as a type 1 error
resident attributes
When the value of an attribute is stored directly in the MFT, it's called a
Patator
__ is a multi-purpose brute-forcer with a modular design and flexible usage; a multi-purpose brute-force attack tool that supports modules for different target services
MITRE ATT&CK Framework
a collection of different matrices of tactics, techniques, and sub-techniques - used by offensive security professionals (red teamers, pentesters, etc.)
listener (LHOST)
a component in Metasploit that waits for an incoming connection of any sort after the remote system is exploited This will be your host IP address
listener
a component within metasploit that waits for an incoming connection of some sort
Data Store is typically
a database, but it could be anything: flat files, command output, basically anything the application accesses to retrieve or store data
zip.txt
a file containing information regarding every ZIP file component found on the media
openvas severity column
shows scan summary
TTL = 32
Windows 95/98/ME
NTLM and Kerberos use
Windows NT hashes AKA Unicode hashes -- considerably more secure
-sW
Windows Scan
What can Mimikatz extract
Windows hashed passwords, plaintext passwords, Kerberos tickets
An IP address disclosed the lack of some protection headers, such as
X-Frame-Options and X-XSS-Protection, and that the session cookie does not include the HttpOnly flag
-sX
XMAS scan
Are GET requests common
Yes, the most common
netcat -z
Zero I/O mode (useful for scanning)
Mimikatz is a Swiss Army knife that can
extract stuff from memory
mftparser plugin
extracts MFT entries from memory samples by scanning the physical address space
multi/handler purpose
facilitate communication between the attacker's device and the victim's device
netcat
feature-rich back-end network debugging and exploration tool with the ability to create almost any type of connection you would need; designed to read and write data across TCP and UDP using TCP/IP
getg command metasploit
fetches global variables
get command metasploit
fetches local variables
Windows reads the MFT to find all or part of the
file in memory at any given time
password dictionary
file with a list of potential passwords
name keyword metasploit
filters out searches in metasploit
findstr
find all the files on a FS that contain a given string such as "password="
Allinurl
finds all terms in page url
Allintitle
finds all terms in the title of a page
Inurl
finds strings in a page url
Intitle
finds strings in the title of a page
If a file is small, all its attributes and their values
fit in the file record
Specify -evasion or -e switch with 1
for random encoding
-W 1
force timeout to be only one second on non-live hosts
HEAD
response returns header information without the body content; safe method (no action on server)
cleanup files
restore the compromised target to its original state
the output file can be
retrieved through script code
HTTP HEAD method
returns without the body content
To run a full port scan or unicorn scan
right-click the host
default output format when generating payloads
ruby
metasploit is based on
ruby
what can local admins do
run system configuration changes
Services in Windows
run tasks in the background
meterpreter execute command
runs a command on the target
save metasploit command
save current environment
-f switch
saves generated payload to a file instead of displaying it on the screen example: generate -b '\x00' -e x86/shikata_ga_nai -f /root/msfu/filename.txt
openvas is customisable for
scan configuration
openvas: to generate a report in the required format, go to
scans -> reports
metasploit search command
search for anything from exploits to payloads
where command
search for specific filename
netsh firewall show state
see firewall status
check metasploit command
see if a target is exploitable -- not many exploits support it
show missing command
see what values we need to fill in to use the exploit
ping sweep scan
send a ping to every possible IP address within a given scope and determine which ones are up and live
HTTP works by first having the web client
send an HTTP request to the web server
A GET request is used when the WebClient simply wants the Web Server to
send it a document, image, file, web page, and so on
meterpreter background command
sends the current meterpreter session to the background and returns you to the msf prompt
Sub-Phase B of information gathering
service discovery
target meaning 2
service listening on a host
Shellcode
set of instructions used as a payload when exploitation occurs
sudo gvm-setup
sets up OpenVAS, downloads latest rules, creates an admin user, and starts up the various services
stagers
set up a network connection between the attacker and victim and are designed to be small and reliable
use the _______ command to access a command prompt on the target machine
shell
Target Behind Router
target system has private IP and isn't directly accessible over the internet
Level-2 host
targets that were not initially accessible during focused penetration phase
two primary outputs
targets.txt, ignore.txt
hacker
unauthorised user who attempts to or gains access to an information system
black box (covert)
unknown environment, zero knowledge, much more realistic
sudo greenbone-feed-sync
updates OpenVAS before running a scan
apt update
updates package lists for upgrades
meterpreter upload command
uploads a file to the remote machine
search by platform name
use platform to narrow down your search to modules that affect a specific platform
SSO allows a user to
use their domain credentials on other systems without reentering their password
grep
used to display all the info you want
Skip Host Discovery Scan
useful when pingsweep returns nothing
netcat -v
verbose
netcat -v flag
verbose
netcat -vv
very verbose
you can probably obtain clear passwords from the _______ ________ of a compromised Windows target
virtual memory