CY4710 EXAM 1

Ace your homework & exams now with Quizwiz!

Active Assessment

provides a snapshot of the network at a point in time. Can be less accurate in listing all users and services on the network [why?]

Look for default installs

query for "Microsoft-IIS/5.0 server at" or "apache"

Port Scanners

use the TCP 3-way handshake to determine if a service is available...

EXPN

used to see the real address of an alias, good to know where mail is actually going

VRFY

used to verify an entered email address [same as user accounts]

Multi/handler Exploit

useful when you want to execute a backdoor on a victim machine and need to connect back to take control remotely

Metasploit offers a _____ ______, a ___and a ____for MSF

Metasploit offers a console interface, a CLI and a GUI for MSF.

Nessus

Most well-known vulnerability assessment tool, now owned by Tenable Network Security

Nmap Scan Types -sN

Null Scan - here the packet is sent with no flags set

Nmap Scan Types -O

OS detect using TCP/IP stack fingerprinting.

Nmap Scan Types -O

OS detecting

Nmap Scan Types -a

OS detection and more

Metasploit Framework (MSF)

Owned by Rapid7, open source suite of tools used for penetration testing.

Vulnerability Analysis Goal

Port scanning may find port 21 open and more complete vulnerability scanning and analysis. 1. OS fingerprint reveals Linux 2.2 kernel 2. Service query identifies "ftp as wu-ftpd version 2.4.2" 3. Database lookup to find what specific exploits exist for "wu-ftpd 2.4.2" running on a Linux 2.2 system

Active Intelligence Gathering

Port scanning, Banner Grabbing, Target SMB scanning, DNS discovery and Zone transfer, Sweeping target [ping, SSH/FTP/SNMP]

Nmap Scan Types -sA

TCP ACK scan to be used to map out firewall rulesets to see if firewall is stateful or just a packet filter.

zone transfer

asking for information about the entire zone, host maintain on the domain.

Host Based Analysis

assessments/scanning running on individual computers/host over time. Reports can be generated.

popular port scanning tools

available on most every system is nmap and its GUI version Zenmap [more of these later]

External Community Analysis:

business partners, competitors, contractors, suppliers, org crime, nation-states, script kiddies. - How likely are they to act against the organizations?

Footprinting

can be thought of "casing the joint".

MSF can...

can create custom payloads that will not match known AV/IDS signatures [theoretically]

webmail

can help you in that the account username and email addresses are usually the same scheme, so knowing the convention is telling.

keystroke logger

captures keystroke made on the target machine -keystoke start -keystroke stop -dump: returns results

Meterpreter Commands: Core

command to allow access to MSF modules from within a meterpreter shell for session management, etc.

Meterpreter Commands: Interface

commands to allow access to remote target user interface

Meterpreter Commands: File system

commands to allow access, uploading and downloading files to and from the remote target machine

Meterpreter Commands: Network

commands to allow creation of port forwarding connections (similar to SSH) from a local client's machine, through the established meterpreter connection, tunneled to a host on a remote target network

Meterpreter Commands: System

commands to allow examination of target information, as well as process commands to allow listing, executing or killing of processes

telnet into a mail server

interacts directly with a mail server to gen up an email verify and expand are the 2 commands allowed if it is allowed.

whois ip lookup via ARIN

nslookup theonion.com will yield a part of the private block via the non-authoratative IP. Theonion.com IP can further yield an IP block and name servers from the non-authorative response.

Internal DMZ

on the internal LAN contains records on only those hosts accessible from the inside of the DMZ.

Nmap scanning returns

one of 4 port states [actually there are 6, but these are most common]: - open: Service is running - closed: No service running [potentially never see closed, just wil not show up] - filtered: Blocked port - open|filtered: Open w/ No Response, or Filtered (unsure)

MSFvenom...

output is a shell code in some chosen language or an executable file.

Ping Sweeps

perform automated ping sweeps. - Mass ping requests sent in parallel, round-robin - Can ping sweep bulk IPs, or entire CIDR blocks

Vulnerability Scanners

probe a system by sending its data over a network and analyzing the responses - Fingerprint an OS and its patch level - Software installed and services running

Enumeration is

probing identified services more fully for specific weaknesses. It involves active connections to target systems and directed queries.

Overt penetration testing

- "White Hat" testing - Usually focused on specific aspects of the network and/or systems security - With full knowledge of organization personnel, IT staff, etc. - Responses may be unrealistic ["practiced"]

The basic steps for exploiting a system in MSF:

- Confirm the intended target system is susceptible to the given exploit. - Choose and configure an exploit. - Choose and configure a payload [e.g., a remote shell, or a meterpreter instance]. - Choose encoding for the target to ensure AV, IDS, and IPS systems ignore payload. - Launch the exploit

Fragmentation Handling

- Don't frag and overlapping frags handled differently

Uses plugins to perform vulnerability tests

- Families of OS specific plugins - Be careful with enabling all plugins [speed] - Dangerous plugins can interrupt or even crash services on target ports Some plugins can break Nessus, may have to restart service

Bogus Flag probe:

- If bogus flag set in SYN packet, Linux will respond with same flag set in its SYN/ACK

Critical

- Internal technical business processes - IT support processes - HR support processes - External integration processes

Avoiding Detection during Exploitation

- Intrusion Detection System - Anti-Virus Software

Vulnerability scanning tools provide:

- Port scanning - Vulnerability assessment - Passwords checkers - General patch level checks

FIN probe:

- RFC793 no response to FIN packet, Win sends FIN/ACK

Host-based Scanning Advantages

1. Speed and Accuracy. 2. Vulnerabilities of a specific system. 3. It takes only a few seconds to fully scan for all patches on a RedHat or Windows 2000 server.

Post Exploitation

1. Target specific additional systems 2. Identify critical infrastructures 3. Discover sensitive information

Mitigation: Internal and External DNS

A smart organization will split their DNS across 2 hosts External and Internal

Threat Community Analysis

Broken down into 2 communities Internal and External.

Most successful footprinting should include:

- Registered names - Range of IP addresses associated with target - Some idea on what the network topology [Routers, host names, etc.] - Idea about user accounts taken from email addresses - General security posture Get creative!

ACK value

- Some send ACK with same number as SYN, others send SYN+1

Nmap Scan Types -sS

- TCP SYN Scan, this is a half open scan. You wait for a syn/ack response or rst. The syn/ack means the port is up, a rst means it is not. - Some sites will not log this query. You need to be root to run this one.

Nmap Scan Types -sT

- TCP connect() scan, a very basic form of scanning. If the port is up the connect() will succeed. - You don't need to be root to do this, the downside is this will logged.

Passive signatures include, among other things

- TTL: OS sets time-to-live on outbound packet - Window Size - Max segment size - DF [Don't Fragment] bit flag - NOP flag bit flag

Network Mapper Tool (nmap.org)

- The "go to" scanner, very popular, native in Unix, preloaded in MSF - Created by Fyodor Vaskovich

TCP Initial Window Size

- Unique size set by implementation

Nmap Options

- Use online help, e.g., nmap.org - $ nmap -h [or just type "nmap"] Gives a quick reference page for most of the common options

Popular ping tools available

- fping [primarily intended for use in scripts] - nmap [option '-sn' to ping scan w/ no port scan] - Pinger! [not to be confused w/ Pinger msg app]

Excluding pages or extensions

-www or -.htm

MSFencode can...

...encode shellcode output by MSFpayload to repair "bad" characters that may trigger antivirus software and IDSs

MSFpayload is used for...

...generating shellcode or an executable payload that can be delivered to a target; its real benefits are realized when developing new exploit modules and testing different types of shellcode with it

Aux modules location

/opt/metasploit/apps/pro/msf3/modules/

Network-based Passive Scanning Advantages

1. A passive scanner operates 24x7, and a scan report can be generated at any time. 2. There is no adverse impact to the network or systems. 3. Can discover client-side vulnerabilities, and vulnerabilities in intranets we don't have permission to scan

Threat Modeling Objectives

1. A representation of threats and their capabilities against an organization. 2. Ability to repeatedly be applied to future tests with the same results. 3. Focuses on 2 elements of traditional threat modeling. 4. Assets, business assets and business processes. 5. Attacker, threat communities and capabilities.

Vulnerability Analysis in PTES

1. Better evaluate the risks from new vulnerabilities in a system. 2. Learn about fixes and patches from a single source [a vulnerability assessment tool]. 3. Avoid unplanned downtime and lost productivity. 4. Minimize the costs associated with security incidents.

Network-based Active Scanning Advantages

1. Provides extremely accurate snapshot of active hosts, services running, and vulnerabilities present. LOUDER. 2. Independent of network management or system administration — provides a more "honest" assessment of the system or network.

What do the processes do?

Business process act upon those accessing those assets.

Advantages Network-based assessment include:

1. Centralized network-wide vulnerability assessing. 2. Assess the vulnerabilities of hosts than attacks from within or outside the network. 3. Discovery of unknown computers and other resources on the network. 4. Vulnerability information about network resources without monitoring agents.

Vulnerability Analysis

1. Determining the best method/exploit to access the target, based on its vulnerabilities 2. Similar to Enumeration and initial part of Gaining Access in the hacking methodology

Pro's of Passive assesment

1. Establish a baseline 2. Get a better evaluation of systems on the network.

Types of Operating System Probes

1. FIN probe 2. Bogus Flag probe 3. TCP Initial Window Size 4. ACK value 5. Fragmentation Handling

Reporting

1. Findings fully documented for the client to gain an understanding of system vulnerabilities, and threats. 2. An executive summary and full report are provided. 3. Hacking methodology has a different focus than pen testing.

Intelligence Gathering

1. Gather all information possible about target system. 2. Slow probing of target to discover its protection mechanisms. 3. Goal is to remain undetected during this phase! 4. Similar to the Footprinting and Scanning sections in the hacking methodology.

Host-based Assessment Advantages include:

1. Greatly reduced numbers of false positive and false negative reports. 2. Superior scalability over network-based products. 3. Increased security over agent less assessments that require administrative privileges. 4. Outdated applications. 5. Available porst and services. 6. Password strength.

Port Scan Objectives

1. Identify the type of OS on the target system. 2. Identify the TCP/UDP services running on the target. 3. Identify specific applications and versions running on the target. 4. All of this leads us toward system enumeration. 5. Nmap uses well known ports to identify OS and version of application.

Determine best attack methods based on vulnerabilities.

1. Information being sought 2. How organization may be attacked

Network-based Active Scanning Disadvantages

1. Information may be outdated as soon as scan is complete. 2. Addition of new hosts will go unnoticed until the next active scan. 3. Must minimize the ports and vulnerabilities scanned to compensate for low speed and potential adverse impact. 4. Can generate excessive firewall/IDS log entries.

Post Exploitation

1. Latter phase of Exploitation, begins after target[s] is/are compromised. 2. Methodical approach to learning about emergent vulnerabilities during ongoing exploitation. 3. Similar to Escalating Privileges and into Pilfering in the hacking methodology.

Exploitation

1. Launching well-researched, well-planned exploits with a high probability of success. 2. Exploitation should be done only when you expect to succeed. 3. Exploits should not harm the target system, need know all outcomes. 4. Similar to gaining access in the hacking methodology.

Some Vulnerability Analysis Tools

1. Linux and/or Mac (*NIX) - Nessus - OpenVAS - Nexpose 2. Windows and/or Mac - Nessus for Windows - Microsoft Baseline Security Analyzer (MBSA) - Retina - LanSpy

Covert Penetration Testing

1. More realistic testing, closely simulates attacker 2. Without knowledge of organization, IT staff 3. Must still have coordination and authorization of leadership 4. More time consuming, usually requires more skill 5. May not find all vulnerabilities

Vulnerability Analysis includes such activities as...

1. Port scans 2. Vulnerability scans 3. Banner grabbing

There are 7 sections which comprise PTES...each section is cumulative, and builds upon information learned during the previous ones

1. Pre-engagement Interactions 2. Intelligence Gathering 3. Threat Modeling 4. Vulnerability Analysis 5. Exploitation 6. Post Exploitation 7. Reporting

Microsoft Baseline Security Analyzer

1. Program that analyzes a Windows system for vulnerabilities [host-based] 2. Analyzes in several areas - OS and related utilities - patch levels - Accounts - password content and expiration - Services - whether unneeded services present - Utility security settings [e.g. IIS, SQL Server] - Etc.

Vulnerability Analysis Objectives

1. Understand state of vulnerability within a network, system, or host. 2. After identifying live hosts and running services, we now probe identified services more fully for specific weaknesses. 3. Difference between intel gathering and enumeration is in the level of intrusiveness.

Threat Modeling [focuses on the Assets and the Threats]

1. Use results of intelligence gathering to find existing target vulnerabilities. 2. View target organization as an attacker. 3. Determine best attack methods based on vulnerabilities. 4. Similar to Scanning and initial Enumeration in the hacking methodology

3 weakness in setting up a remote shell

1. hackers create new process on a remote host

listener setup

1. use multi/handler 2. set payload windows/ meterpreter/reverse_tcp 3. set lhost 127.0.0.1 4. set lport <listening port> 5. exploit

Where to put Vulnerability Scanning Tools

1.Don't want them resident on bastion hosts, firewalls • Could be used against you 2. Safer to reside in secure zones, but less useful 3. Best to install on a laptop • Think of scanner as a mobile appliance • Connect to DMZ, insecure zone, secure zone when needed • Disconnect when not being used

3 weakness in setting up a remote shell

2. remote shell is limited by the process you are using, until it can escalate.

3 weakness in setting up a remote shell

3. You only see a portion of the file structure to access a file above your process you are accessing

OpenVAS

A derivative of the Nessus project - Open source, so free to download and use - Preloaded in Kali Linux

Use of Intelligence gathering

A pen-tester or high level attacker will take time to gather intelligence about network/target before proceeding. End result will be thorough understanding of the target [i.e. knowing systems, IP's, domain names, services, etc]

Broken critical processes may be low hanging fruit which ____.

Allow access to assets.

systems command

Allows examination of target information, as well as process commands to allow listing, executing or killing of processes

What does Network based analysis do that host based does not?

Allows us to do assessments on agentless hosts. Looking at the network health as a whole. Communication between hosts. Identify host that are unknowns.

Why don't we go straight to vulnerability analysis?

Allows us to find out information about the ports and service, so we can go straight to the ports and service we know are open, so that we are not detected and blocked by an IDS or IPS.

nmap

Allows users to scan networks and individual computers to determine which ones are up and what services are running on them. One of the most powerful scanners available, as well as one of the most utilized by hackers!

Meterpreter

An advanced MSF payload tool

Business Asset Analysis

Analyze documentation and interview personnel to decide what assets present the largest target for attackers - Policies and procedures - Product and marketing information - Financial records - Personnel data [internal] - Customer data [external]

Threat Modeling Process

At a high level, the threat modeling process is fairly straightforward: 1. Gather relevant documentation 2. Identify and categorize primary and secondary assets 3. Identify and categorize threats and threat communities 4. Map threat communities against primary and secondary assets

Nmap Scan Types -f

Causes the scan to fragment the packets, in an attempt to evade firewall and IDS packet filters.

chroot

Changes the logical root directory for an application (e.g., the meterpreter shell)

Port Scanners

Creates, initiates, or uses TCP flags to evoke a response from a system

Vulnerability assessment

Database must be accessed for comparison against known vulnerabilities

Pre-engagement Interactions

Defines the scope and terms of the penetration test with the client. PTES is often management or organizational leadership. No real equivalent in the hacking methodology, other than general preparations. Stick to the scope of the agreement.

Nmap Scan Types -Pn

Does not ping the hosts prior to scanning. Skips host discovery and assumes all hosts are online [quieter scan].

Network-based Passive Scanning Disadvantages

For a passive scan to work, a detectable host must elicit or respond to a packet — if a server never communicates on the network, the scanner will never see it.

Nmap Scan Types -sn

Essentially a simple ping scan while disabling port scanning. By default, this switch includes a TCP ACK packet to port 80 [HTTP]. If you get a RST back, the machine is up. This helps get by ICMP filters.

Meterpreter

Essentially, it is a super-horsepower remote shell to the target, with its own set of embedded exploitation commands

Hacking methodology includes...

Footprinting, Scanning, Enumeration, Gaining Access, Creating Backdoors, Escalating Privilege and Pilfering

Threat Capability Analysis

For each threat community or agent, their capabilities must be analyzed. Use to develop an accurate threat model that reflects the probability of the threat to successfully target and compromise the organization. Model the motivation of their threat and capability against the organization.

Nessus

GUI or within MSF command line

Intelligence Gathering

Gather all information possible about target system. 1. Open source information [Google hacking]. 2. Social media searches. 3. Footprinting.

Banner grabbing

Getting information about the server by default [the version of http it is using]

Use of Intelligence gathering

Goal is to remain undetected until one needs to be overt to get more information. Script Kiddies, worms, viruses usually do not do this.

Passive Intelligence Gathering

Google hacking, OSINT, WhoIs, Netcraft, NSlookup/Host

Covert Penetration Testing

Harder to do, it takes a lot more work on the pen testers side. Ensure that you are not held liable for damage done. Covert takes more time because each step is more methodical. You maybe able to expoit quickly but the actual payload may not return anything for a while.

Barracuda

IDS which grades the emails in order to let it pass into the network

types of information you look for in fingerprinting

IP ranges, domains, records associated with target, develop a picture/map of the network

Exploitation Goal

Identify the least path of resistance to the target, without being detected, and deliver an attack with the most impact

enumeration

Identifying on the network all the vulnerabilities that can be exploited. Looking at the specifics of the vulnerabilities that exist.

Non-critical

If you get enough small information it could give you a critical process.

What are the 2 categories of attackers?

Insider and outsider threats

chroot

Intended to support PoLP by making it impossible for an application to reference files and directories that exist above its pseudo-root directory

why would you use a scan that gives you minimal information?

It makes you less detectable

Shortcomings of Passive Assessment

It takes too long and you may not see everything on the network. Requires persistance that you may not have to detect changes. DHCP gives you a false sense users or devices as the IPs are leased.

Meterpreter

Its purpose is to provide complex, advanced exploitation features that would otherwise be tedious to implement purely in assembly

What OS comes preloaded with Metasploit?

Kali Linux

Intelligence Gathering

Known as Footprinting and Scanning. Very deliberate and methodical to remain undetected. Everything unknown should be catalogued. Internet evolves so keeping good records is important.

Overt Penetration Testing

Level of overtness is what you worked out with the organization. Leadership doesn't trust their organizations network, and work out to its needs.

Threat Modeling

Look at the threat that might exploit the vulnerabilities to the organization. What is the motivation to penetrate us the organization. The threat is looking to match tools to the vulnerabilities.

In order to run Armitage one must link to ______

MSF PostgreSQL

Two utilities (commands) within MSF

MSFConsole and MSFpayload [MSFencode, MSFvenom, MSFupdate] run at the kernel shell

MSFencode and MSFpayload are being deprecated; each of their functionality is now captured in the single ____.

MSFvenom Utility 10

MSF console

Provides a comprehensive interactive interpreter/interface environment for virtually all MSF functionality. Launched from Linux CLI with msfconsole.

What are the ramifications of being more intrusive?

Ramifications include being detected and another is being louder vice covert.

Intelligence Gathering

Reconnaisance against the target to gather as much information as possible to use later when penetrating vulnerability analysis and exploitation.

port scanning

Sometimes ICMP packets are blocked at the router or firewall, preventing ping replies. In this case, the next step is to go deeper with port scanning.

Host-based Scanning Disadvantages

The biggest disadvantage is that credentials must be known and provided • Often, obtaining these credentials can take time, even in a cooperative overt situation.

Payload

The deliverable. A piece of code to be executed by an attacking exploit; could be a shell script, a few commands, an executable.

What is the difference between intel gathering and enumeration?

The key difference between intel gathering and enumeration is in the level of intrusiveness. Enumeration involves active connections to target systems and directed queries.

Nmap Scan Types -sU

This is a UDP scan. Sends a 0 byte UDP packet to each port; if you get back an ICMP unreachable message, then the port is closed. Otherwise it's assumed to be open. This can be a very slow scan.

Nmap Scan Types -sI

This is a blind port "Zombie" scan, aka Idle scan. No packets are sent to the target from your real IP. You will need a Zombie to perform this scan.

Nmap Scan Types -sF

This is a surprise, unprovoked FIN scan. You should get back a rst from a closed port and perhaps nothing from an open port.

Nmap Scan Types -sO

This is an IP protocol scan to find out what IP protocols are supported by the host. Sends a raw IP packet without any other header info to each IP protocol possibly supported by the target. An ICMP protocol unreachable message means it is not supported. No response means it is.

Nmap Scan Types -sX

This one comes at you lit up like a Christmas tree [thus Xmas scan] with the FIN, URG, and PUSH flags set. It simply is just a malformed packet...

Nmap Scan Types -PA

Use TCP ACK packets through the network to see if any response is seen.

Nmap Scan Types -PS

Use TCP SYN packets. A RST or a SYN/ACK will let you know the host is up.

Penetration Testing Execution Standards (PTES)

Used to define and establish a baseline of fundamental principles required to conduct a penetration test. Flow of activities very similar to the hacking methodology

Nmap Scan Types -PE

Uses ICMP echo for host discovery.

multiencoding of a payload

Uses multiple iterations and various encodings on the way to creating a final encoded payload executable in MSFvenom to circumvent sophisticated AV's

Nessus

Uses nmap for initial port scanning • Two-level architecture - Server: define policies, run scans - Client: control scans, view reports • Nessus can be used externally [Kali Kernal prompt] or internally within the MSF

Use of Intelligence Gathering

Using social media, google, whois, wayback machine and nmap and other passive modes to gather intelligence against a target.

Sysinternals Tools

Vulnerability assessment tool for Windows machines. Many interesting and useful security tools. • Autoruns - shows programs configured to run during system bootup or login • Process Explorer - information about handles and DLL processes that are opened or loaded

Why do we look at the assetsof a Business?

We look at the assets to see what threats might be motivated to act agains them.

Passive Stack Fingerprinting

We may be able to passively listen to network traffic and still determine the OS. TCP/IP stack fingerprinting is the passive collection of network layer-4 attributes. Cost is time spent waiting for a reply.

multi/handler exploit module

You can launch a special listener to initiate a meterpreter session

Listener

a component that "listens" for an incoming connection on the target system, after it has been exploited; typically waits for contact from an attacker machine.

Module

a piece of software used by MSF; may be an exploit module, an auxiliary module; we think in terms of a library of prebuilt MSF modules. The highest level of entity in the framework.

footprinting

a systemic approach to recreate a complete profile of an organization's network and security posture. i.e. internet site, intranet site, remote access and extranet

Shellcode

a type of payload that performs a set of intructions [script] on the target system; usually written in assembly language.

Meterpreter Step 1

able to avoid creation of a new process because it executes in the context of the process that is being exploited

scanners are very noisy

actively attempt connections, query services through ports, etc. ... like the proverbial bull-in-a-china-shop. - easily logged by the target! - There are limited ways to make them more stealthy

MSF modules: Auxiliary

allow us to do other things that aren't strictly related to exploitation of a vulnerability with a payload. Can be used during phases other than exploitation, e.g., Intel Gathering

MSF not only gives you a suite of tools, but...

allows you to develop your own

BL:

an attacker exploits a vulnerability to deliver a payload onto a target

The MSF

an open-source tool that provides a simplified method for launching attacks, it also attracts low-level hackers and script kiddies who can create additional problems for network and IT managers

Meterpreter Step 2

are all executed entirely within memory using the technique described in Remote Library Injection

Network-based Assessment

are conducted from central locations on the network.

MSF payloads...

are designed to run in memory and never to write data to the hard disk thus, when an MSF payload is sent with an exploit, most AV programs will not detect that the payload has been run on the target. Modifying a payload to avoid triggering the AV signature is key.

Payload

are the code or commands that are intended to be executed on the target, upon successful entry via an exploit; payloads allow an attacker to control the exploited system

Exploits

are tools and techniques used to gain access into a target by taking advantage of a vulnerability

Vulnerability Scanners

are tools used for assessing system, network, app vulnerabilities. - They find only known vulnerabilities then you patch them.

Vulnerability Scanners

are very "loud" and create lots of network traffic, so generally not part of covert pen-testing

nslookup on a linux machine

does not yield much information. nslookup itself enters into interactive mode which allows you to enter more commands.

Metasploit Utilities

enable interface with other features of MSF in specific situations, e.g., for new exploit development

Multi/handler Exploit

establishes a local listening server that waits for a connection signal to be sent back from the remote host

Meterpreter Session

executes in the context of the process that is being exploited - Remember that meterpreter is a payload delivered within an exploited process. - Meterpreter is not created as its own new process on the host

Vulnerability Analysis

exposed weaknesses in a target network or system — now we want to take advantage of [i.e., exploit] those weaknesses

• Connect scan (-sT):

full TCP connect

Armitage

fully interactive MSF GUI. MSF PostgreSQL database [and MSF Console] must be running before starting Armitage.

MSF modules: info

get details for a specific module

sessions command

give you a list of running sessions in meterpreter

DNS Zone Transfer

gives you a blueprint of the network to build a DNS database.

Service Fingerprinting

goes a step beyond port scanning to reveal actual services running, and deeper information such as their revision/patch level associated with each port. It is also more time consuming and noticeable because it generates considerably more traffic.

• SYN scan (-sS):

half-open scan [no final ACK]

Command to get help is...

help <command>

MSF CLI

historical, was depricated in favor of msfconsole. Ran at the kernal allowed user more flexibility.

PING

if performed and a host is not alive, what could that mean? It is filtered. Ping sends a controlled package to check if a host is alive. The package is normally 64 bytes, and the most important aspect is that the ping came back.

Banner Grabbing

involves connecting to a remote service and observing the output. may identify "make and model" of a running service, which in many cases is enough to set vulnerability analysis in motion. Common manual techniques for banner grabbing include use of netcat (nc) and telnet.

Scanning

involves scanning the IPs we've identified in footprinting. In scanning we're using the footprinted information to check the network for viabilitiy.

Passive assessment

involves sniffing network traffic to deduce a list of active systems, services, applications, and vulnerabilities over time. - Passive assessment is a continuous effort such that the sniffer monitors the network 24/7 - Can have shortcomings with passive assessment, i.e., consider DHCP server

remote shells

involves the creation of a new process in the target process list

Exploit

is a means by which an attacker [threat]takes advantage of a system. app, service flaw. The goal is an outcome unintended by developer

Meterpreter

is a metaspolit interpreter.

whois

is a query and response tool, which gives domain registry, company name, information such as IP ranges, domain names, site owner manager or sys admins.

The MSF

is an environment for exploit development, as well as a platform for launching exploits on real-world targets

Scanning

is analogous to checking the doors, windows, mail slots, etc., to see if they're unlocked, and how well they're protected...We still are not yet entering the building, but we are looking for vulnerabilities that we can use to get further during the next steps.

The MSF

is packaged with exploits that can provide real damage if not used properly

short coming of ping

is the command, it is a one by one, unless you can script it to ping more hosts at once. NMAP with an option [-sn] can perform a ping sweep.

Meterpreter

is what is running on the target host, the payload

why would you use a scan that has every flag set in a 3 way handshake?

it will detect if a host is filtering, and if anything is returned. This is a loud scan used to figure out ports and services.

Filetype

look for certain file types such as .pdf, .doc, .xls etc

Internal Community Analysis:

management, developers, technicians, staff employees, contractors, general users - what do they all have access to?

Domain Name Server

maps IP addresses to host names

Detection software

relies on known malicious code signatures, so any payload that is custom built has a greater chance of going undetected

Extension walking

replacing .htm with .bak or .old [or others]

MSF modules: search

search for a specific subcategory or module

• FIN scan (-sF):

send FIN, listen for RST

• Xmas scan (-sX):

set FIN/PSH/URG flags to "light packet up like a Christmas tree"

nslookup -d theonion.com Windows OS commands

should list all available DNS record types

host -v theonion.com Linux/Mac OS command

should list all available DNS records, similar to "-a" with verbosity.

Allows you to view available MSF modules and their options for conducting exploitation:

show and search

Meterpreter

small piece of code which executes on the target host that calls back to your host which then allows you to send the meterpreter code back to the signal.

MSFvenom...

takes an MSF payload module, with associated option values and an output type, and generates a standalone payload

Meterpreter Step 3

the meterpreter allows for complete control and automation when it comes to writing payload extensions

Why is foot printing necessary?

to ensure that all pieces of information related to the network and posture fit and are known.

MSFvenom functionality...

transforms raw payload code into a new binary file that ideally doesn't match a known signatures.

whois can be used maliciously

using a wildcard whois -h domainname*, looks at everything with the domainname in the internet db for that site. the domainname.* may or maynot give you anything. gives a hostlookup of everything for registered domain names for sub categories.

webmail

using the headers in emails gives you server information and IPs. Emailing the server even erroneously the email server will give you user agent, path and time stamp and verbiage it uses.

Mail verification

vrfy and expn 2 commands used in a telnet session with a mail server. Neither tool is often enabled.

port scanning

we touch [but still do not enter!] target systems with services that are allowed through the firewall [e.g., web servers].

Exploitation

we want to bypass a target's security mechanisms and maintain stealth - Precision strike, not brute force attack - Countermeasure avoidance (AV, IDS) - Evasion

robots.txt

web crawlers use the file[s] [which are publicly available to everyone] located under the root level of a site. Gives the web crawler information about the site for searchable content. Also known as "robots exclusion protocol". e.g http://www.example.com/robots.txt

webmail

what kind of services it is running, e.g. IMAP, POP

External DMZ

will only contain names of hosts/servers in the external DMZ.

MSFvenom allows...

you to create your own payload to be launched undetected by the target host.

Detecting the OS

• "There are many nuances that vary between one vendor's IP stack implementation and another's... • Vendors often interpret specific RFC guidance differently when writing their TCP/IP stack... • Probing for these differences... [we can] begin to make [an] educated guess as to the exact OS in use..."

Business Process Analysis

• Focus is the business processes that represent and support the organization's mission. • Identify critical and non-critical processes. • An aggregation of non-critical processes can become critical.

Nmap Scan Types -n

• Never do DNS resolution. • Helps speed up scanning. • Alternative is '-R' to always resolve [default is sometimes].

Nmap Timing Options -T#

• Paranoid [0] - Serial scan [one port at a a time] - 5 minutes between packets • Sneaky [1] - Serial scan - 15 seconds between packets • Polite [2] - Serial scan - 0.4 seconds between scans • Normal [3] - Quick without overloading network • Aggressive [4] - 5 minute timeout per host - Waits 1.25 seconds for probe response • Insane [5] - For a very fast network - Only waits .3 seconds for probe response

Port scanning

• Software packages installed, and their versions • Services running on targets, and their patches • Possible vulnerabilities on these combinations

Passwords checkers

• Strength and policy conformance

Nmap Scan Types -D

• This is a decoy scan. It places the real scanning IP in the midst of several decoy IPs. • Thus an IDS might report 5-10 port scans from unique IP addresses, but won't know which IP was scanning them and which were decoys.

Nessus Structure

• User accounts for scan authorization [admin] • Can interactively configure through running server [browser-based access] • Uses plugins to perform vulnerability tests

Nmap Scan Types -v

• Verbose mode [use '-vv' for greater verbosity]. • Scan will tell you what it is doing as it progresses.


Related study sets

Chapter 5 ElasticityElasticity is a measure of responsiveness (sensitivity) of the quantity demanded of a good to a change in some variable

View Set

KOHAKÄÄNE EESSÕNAGA -НА 6. klass

View Set

Prep U module 4 - Cultural Diversity

View Set

Tone Words- English List (Ms. Abbott)

View Set

International Economics Quiz # 1 notes

View Set