Mod 14


Running Processes

ps -ef, prstat, and top are all commands of what category

System and Hardware Information

psrinfo, uname, and df are all commands of what category

Exploit

In cyber operations this is a software tool, script, program or technique that takes advantage of a vulnerable system to provide command execution

use multi/handler

Metasploit command that will load the handler module

download

Meterpreter command that enables downloading target files or directories of interest

cd

Meterpreter command to change directory on target

pwd

Meterpreter command to display present working directory on target

getpid

Meterpreter command to display process ID for running meterpreter payload

ps

Meterpreter command to display running processes

arp

Meterpreter command to display system ARP cache

sysinfo

Meterpreter command to display target system information

getuid

Meterpreter command to display user meterpreter is running as

route

Meterpreter command to display/modify routing table information

ls

Meterpreter command to list files or contents of a directory

upload

Meterpreter command to upload files onto target.

Cyber Security Enhancement of 2002

Modernized US cybercrime legislation and mandates life sentences for offenders who knowingly or recklessly cause or attempt to cause death

nuclear option

Most intrusive way to clear logs is to overwrite the file to nothing.

open port

Network services are reachable across a network via their _________________

netstat -a

Network services command and option to print all network connections and listening ports

netstat -n

Network services command and option to print network connections with IP instead of interfaces

netstat -o

Network services command and option to print network connections with associated PID for all connections and ports

netstat -r

Network services command and option to print network connections with routing information

arp -a

Network services command to print ARP cache

netstat

Network services command to print network connections

Bourne Shell (sh)

No history file supported, nothing is recorded and nothing needs to be cleaned are all characteristics of what shell

Return Pointer

One part of the exploit code is a memory address used to overwrite the return address memory slot

Forward Tunnel

Opens a port on the AP and forwards data through the redirector, which then sends it to the target port. The SSH client opens a listening port on the AP

Online

Password cracking is a method to gain access to a target system or application when hashes are unobtainable. Tools include THC Hydra and L0phtCrack

Offline

Password cracking occurs after an operator has possession of password hashes. Tools include John the Ripper or Cain & Abel

Shellcode

Payload program is also known as

Reverse TCP

Payload type that creates a connection back to the attacker. Known as "Callback". Firewalls often allow these connections

Bind TCP

Payload type that opens a port on the target system and listens for incoming connections. Is often blocked by firewalls. Known as "Call In"

df

System and Hardware information command to display amount of disk space by file system

df -k

System and Hardware information command to display amount of disk space by file system in block sizes

uname

System and Hardware information command to display current system information

Buffer Overflows

Target vulnerabilities in programs by overwriting data in the stack or heap memory

Volume Shadow Copy

This form of hash collection creates a backup copy of computer files. Often includes the SECURITY and NTDS.DIT files

PWDump

This form of hash collection injects a DLL into LSASS.exe; retrieves account hashes from memory

NTDSUTIL

This form of hash collection is an active directory management tool that enables creating copies of NTDS.DIT file

Manual

This handler is used during masquerading or when connecting to a backdoor. It is often referred to as multi/handler

Automatic

This handler will connect to the shellcode payload that the exploit started on the target machine

dig

This is a Linux/UNIX tool used to perform DNS zone transfers. Will pull "A" records by default.

nikto -host

Command and option to specify a target host when running the nikto tool

-sA (ACK Stealth Scan)

nmap port scan type used to map out firewall rules or filters. Will never show ports in open or closed state

Timing

nmap has the ability to manipulate throttling and timeouts to help go undetected

-sS (SYN Stealth Scan)

nmap port scan type referred to as half open because it does not complete the 3 way handshake even though SYN control flag is sent

-sN (TCP Null Scan)

nmap port scan type that can bypass firewalls by sending packets with no control flags. Open ports will ignore the packet; closed ports will respond with RST

-sF (FIN Stealth Scan)

nmap port scan type that can pass undetected through firewalls, packet filters, and scan detection.

-sT (TCP Connect Scan)

nmap port scan type that performs a full TCP connection

-sX (TCP Xmas Tree Scan)

nmap port scan type that sends FIN, URG, and PSH to all ports. Open ports will ignore the packet; closed ports will respond with RST

-sU (UDP Scan)

nmap port scan type that sends UDP packets. If there is no response, the port is assumed open. If a destination unreachable is received, the port is assumed closed

Reverse tunnel

Opens a port on the redirector and returns data to the AP. SSH opens a listening port on the redirector

Software Packages

pkginfo, showrev, and showrev -p are all commands of what category

john --show

Command to show previously successful password cracks

ping -r 9

Windows command to run a ping with record route documenting 9 hops

Payloads

Metasploit module category containing code that exploits run on targets, such as command shell access

Post

Metasploit module category containing modules to use after target access

Exploits

Metasploit module category containing service-side and client-side exploits

Encoders

Metasploit module category used to alter payloads and avoid detection

/usr/share/Metasploit-framework/modules

Metasploit modules are located in

-p

Bourne shells must be invoked with this option

nmap -sn -PI

Command and options to perform a Ping sweep

Connection - Code Based

A client program that has been specifically designed to interact with payload programs will make a connection with the payload running on target

msfpayload

A command used to generate and output various types of shellcode payloads

set payload

Command to assign a specific payload to the exploit

show options

Command to display target parameters that can be modified

Code injection

A lack of input validation, due to either insufficient bounds checking or improper syntax, and other programming errors, exposes applications to

Connection - Masquerade

A payload executed requires a manual connection from the client program

Remote Exploit

A program that runs on an attacker computer and establishes a connection with a remote target computer

Title 18

Addresses crimes and criminal procedures.

Deliver / Execute / Connection

All exploitation methods need to accomplish three main things, they are?

Incremental

Also known as the Brute Force mode for JtR. It is the most powerful mode, tries all character combinations within a defined boundary

msfconsole

An all in one centralized console that allows command line access to all options available in the metasploit framework

Execution - Masquerade

An executable payload placed on the target's file system will require manual execution, from command line or a scheduled job

port forwarding

Another term for tunneling because any data received at the tunnel entrance port on one host is sent through to the remote target

Man in the middle

Attacker position is between communication systems. Attacker can observe and/or modify messages

Man on the side

Attacker sees messages pass by but is unable to modify them. Can inject new messages

.bash_history

Bash shell keeps an in-memory history of all commands run, usually named _______________. Deleting or disabling this file is a means of avoiding detection

/root/.john/john.pot

By default John the Ripper stores cracked passwords in a pot file located here...

HISTFILE

By unsetting this variable, the current session's command history is blocked from being written to the bash_history

nmap -PI

Command and option for a ping type where ICMP echo is an option that uses an ICMP Echo (request) packet

telnet <IP><port>

Command and option to complete a banner grab via telnet (generic IP and port numbers)

nc -r

Command and option to direct netcat to scan selected ports in random fashion

nmap -Pn

Command and option to disable host discovery. Does not ping hosts at all before scanning them, allows for scanning through firewalls that block ICMP

nikto -H

Command and option to list all options for the nikto tool

nmap -O

Command and option to optimize host discovery by activating remote host identification via TCP/IP fingerprinting to detect the scanned OS

nmap -sV

Command and option to optimize host discovery for version detection; communicates with ports to determine what is actually running. "Banner Grabbing"

nmap -p

Command and option to optimize host discovery where only the specified ports will be scanned

nc -h

Command and option to provide all available netcat options

nc -e

Command and option to run netcat and execute a command after connection

nc -p

Command and option to run netcat and identify the specific TCP port to listen on

nc -vv

Command and option to run netcat and report all responses within the specified range

nc -u

Command and option to run netcat to conduct a UDP port scan

nc -l

Command and option to run netcat with listening mode enabled

nc -n

Command and option to run netcat with no DNS resolution

nc -v

Command and option to run netcat with verbose details

sl -p

Command and option to run scanline and not ping before scanning

sl -b

Command and option to run scanline and get port banners

sl -z

Command and option to run scanline and randomize IP and port scan order

sl -t

Command and option to run scanline and specify what TCP ports to scan

sl -u

Command and option to run scanline and specify what UDP ports to scan

nmap -T 4

Command and option to set timing to Aggressive

nmap -T 5

Command and option to set timing to Insane

nmap -T 3

Command and option to set timing to Normal

nmap -T 2

Command and option to set timing to Polite

nmap -T 0

Command and option to set timing to paranoid

nmap -T 1

Command and option to set timing to sneaky

nmap -PP

Command and option where ICMP Timestamp uses an ICMP Timestamp Request packet to find listening hosts

nmap -PT

Command and option where TCP ACK ping uses TCP ping to determine what hosts are up. Sends a TCP ACK packet to port 80 and waits for a response

255

Default TTL for Cisco and UNIX

64

Default TTL for Linux

128

Default TTL for Windows

psrinfo

System and Hardware Information command to display processor information (type, processor and chip)

NTDS.DIT

Domain controllers will store the domain user hashes in this file

/etc

During collection configuration files are normally found in this location

Return Address

During program execution, anytime a subroutine is called, the calling routine's _______________ is stored in the stack frame

Execution - Code Based

Execute the payload in the memory space of the target application

Masquerade

Exploit technique that employs the use of credentials to gain access to a service and involves impersonating a user logon

Client Side

Exploit that attacks client applications on the target machine (Adobe, Firefox, etc.)

UserID

First component of the Windows Hash used to identify the common name of a user account. Is also the first component of the UNIX/Linux hash.

Function Call

First step of program execution ... when a program needs to perform a specific procedure it calls out to a subroutine

Auxiliary

Metasploit module category containing advanced scanners and server modules

NT LAN Manager (NTLM) Hash

Fourth component of the Windows Hash, a significantly more secure asymmetric algorithm. Supports 256 character passwords

Bourne Again Shell (bash)

History file is located in user's home directory as .bash_history; this is a characteristic of what shell

Browser Host Announcement

Identifies the host's Windows OS version, hostname, and domain name.

@loghost

If remote logging is set up, ___________ syntax will be present

uname -a

System and Hardware information command to display all system information

Tradecraft

Includes activities taken to minimize the exploitation footprint in a target network, discovering and documenting information about targets of interest, and remaining undetected

Einstein

Intrusion Detection and Prevention System to analyze federal agencies network traffic

No Operation Sled (NOP)

Is the assembly opcode 0x90 that tells the processor to execute nothing, just move the instruction pointer forward

pot file

JtR deploys this file where it stores successfully cracked passwords

/etc/john.conf

JtR's primary configuration file is located at

/etc/shadow

Linux and UNIX hashes are stored in this file

ping -R

Linux command to complete a ping with record route

who

Logged on User and Account information command to display logged in username, terminal, login time, and where user is logged in from

w

Logged on User and Account information command to display summary of system and user activity

help

Metasploit command available to view information about available commands

Search

Metasploit command to display any modules related to a key term used

Show Options

Metasploit command to display exploit and payload module parameters

Show Payloads

Metasploit command to display the payloads compatible with the exploit

info

Metasploit command to list out exploit module details

use

Metasploit command to load a specific exploit module

Set

Metasploit command to set exploit parameters

%systemroot%\ntds\ntds.dit

Primary NTDS File location

%systemroot%\system32\config\SAM

Primary SAM File location

Code Based Exploit

Programs designed to target a specific vulnerability in an application. Most common is buffer overflow

Exploitation Methodology

Provides structure and serves as a road map for analysts and operators

find

Recently updated files command to search for files across the filesystem

find -mmin

Recently updated files command to search for files across the filesystem searching modified file time range in minutes

find -name

Recently updated files command to search for files across the filesystem using a filename search

find -type

Recently updated files command to search for files across the filesystem using a type of file search

Delivery - Masquerade

Rely on authentication as a trusted user to put an executable payload file on the target system

Password Control Fields

Remaining components of the Linux/UNIX hash, pertain to password setting options

%systemroot%\system32\ntds.dit

Repair NTDS File Location

%systemroot%\repair\SAM

Repair SAM File location

ps -ef

Running Processes command to output full, long list of active processes. Snapshot

prstat -a

Running process command to provide interactive monitoring of active processes and users on UNIX

top

Running process command to provide interactive monitoring of active processes on LINUX

prstat

Running process command to provide interactive monitoring of active processes on UNIX

Service Side

Runs from an attacker machine and exploits a vulnerable network service on the target machine via a listening port

Local Exploit

Runs on a system after access to the target is already established. Typically associated with escalating user privileges to a higher level

RST

Scanning against Microsoft hosts using -sF, -sX and -sN will always result in _____ regardless of whether the port is open or closed

crontab -e

Scheduled jobs command to edit the crontab jobs

crontab -l

Scheduled jobs command to list all cron jobs

crontab

Scheduled jobs command to manage job scheduling

Hash

Second component of the Linux/UNIX hash, obfuscated output of the password text

Relative Identifier (RID)

Second component of the Windows hash that is part of the security ID and uniquely identifies an account

Stack Frame

Second step of program execution ... Subroutines store temporary data on the stack; each time a subroutine runs, the required memory is allocated on the stack in a unit called a?

Single

Shellcode category for a self contained and standalone exploit that delivers a payload in one shot

Stager (s0)

Shellcode category that sets up a TCP connection with the attacker's machine and reads the larger STAGE payload into memory

Stage (s1)

Shellcode category that is a fully functional remote shell loaded by the stager. Offers the ability to run commands on the target system through the remote shell. Typically includes more functionality than singles

showrev

Software packages command to display all system hardware and software revisions information

showrev -p

Software packages command to display only patch revision information

pkginfo

Software packages command to display software package information

logins

Solaris only Logged on User and Account information command to display information on all users (logged in or not) and system accounts.

whodo

Solaris only Logged on User and Account information command to display logged in username, active process/CPU time owned by user, login time, machine name, and time of day

history -c

Syntax to clear the history file in a bash shell

grep

Syntax to search inside text files for matching patterns

Return to Main

The last step of program execution ... When the subroutine completes its work, the pointer jumps to the address stored in the stack frame which returns the control back to the main routine

9

The number of hops recorded in a ping with record route is limited to ?

Payload

The program is the purpose of the exploit. This handles the connection portion. These programs provide access to a target system

msf>

The prompt while in a msfconsole session

Remote Procedure Call (RPC)

These services have the most widely exploited UNIX vulnerabilities. These exploits allow an operator to launch a shell with root privileges

Enumeration

These activities start over after gaining access into a target network

Dictionary

These attacks are generally fastest and least computationally expensive but require the most storage

Brute Force

These attacks are the most computationally expensive and require the least storage

system files

These files aid in furthering network access during collection

Information files

These files have intelligence value during collection

SYN

These packets provide the most accurate information, as they are the initial means of communication

Cisco IOS

These passwords are generally limited to MD5 and Type 7

backdoor

These provide an easy means to return to the target after exploitation

Mount / sysfs

These system calls are invoked with the vfs_getvfssw kernel exploit

Password Last Set

Third component of the Linux/UNIX hash, displays the number of days since Jan 1, 1970 that the password was last changed

LAN Manager (LM) Hash

Third component of the Windows hash, a cryptographically weak symmetric algorithm based around DES. Limited to 14 characters only, using A-Z and 0-9

Decision tree

This contains a list of operating systems, potential features and applicable exploits, helping to select the best exploit

UnrealIRCd

This daemon contains a backdoor that was added by a malicious user. It targets port 6667 to gain an interactive shell on the target. Leaves no logs

/etc/syslog.conf

This file controls what and where facilities are logged.

/etc/hosts

This file is referenced for hostname resolution

hashdump

This form of hash collection allocates memory space in LSASS.exe to load assembly code; retrieves account hashes from memory

nslookup

This is a Windows tool used to perform DNS zone transfer. It queries information using the domain name or IP address

Passive OS fingerprinting

This is also known as TCP stack fingerprinting. Does not involve sending packets but monitoring traffic to determine the OS in use

vi editor

This is the easiest way to edit history files

Single - JtR

This is the first and fastest of all JtR modes. Uses login/GECOS information as passwords, previously guessed passwords and logins from other accounts

Solaris vfs_getvfssw

This kernel exploit takes advantage of insufficient sanitization of user supplied data. Entries can be found in /wtmpx and /su logs

Wordlist

This mode of operation is the JtR Dictionary attack. By default will use the /usr/share/john/password.lst

sadmind_adm_build_path

This module exploits a buffer overflow vulnerability which permits the execution of arbitrary code remotely with super-user privileges against Solaris 7, 8, or 9

John the Ripper (JtR)

This offline password cracker has three modes of operation, single, wordlist, and incremental

--format

This option must be used with JtR to define what type of hash should be cracked

X

This output option creates an executable payload

O

This output option lists payload with configurable parameters

Type 7

This password protection is a cipher and is symmetric

Scanning and enumeration

This phase takes advantage of data accumulated during the Information Gathering phase to interact directly with target networks

Delivery - Code Based

This portion of the anatomy triggers the vulnerability in the target service, allowing us to write a payload program into memory on the target

User Mode

This root kit replaces system applications with rooted system files

Kernel Mode

This rootkit exploits functionality of Loadable Kernel Module (LKM) to hide itself below the application layer

Firmware

This rootkit modifies or replaces firmware to hide below the OS

Title 18 USC 1029

This section is focused on Fraud and Related Activity in Connection with Access Devices

Title 18 USC 1030

This section is focused on Fraud and Related Activity in Connection with Computers. To include the intent to cause harm. Serves as a catch all. Otherwise known as the Computer Fraud and Abuse Act

Title 18 USC 2701

This section is focused on Stored Wire and Electronic Communications and Transactional Records Access. "Data at rest"

Title 18 USC 2511

This section is focused on Wire and Electronic Communications Interception and Interception of Oral Communications. Covers "Data in Motion". Gives ISPs authority to monitor networks

Paranoid (0)

This setting scans very slowly to avoid detection, all scans are serialized and have a 5 minute wait between sending packets

Aggressive (4)

This timing setting adds a five minute timeout per host and never waits more than 1.25 seconds for probe responses

Insane (5)

This timing setting is only suitable for very fast networks or where data loss is acceptable. Time out hosts in 75 seconds and waits only 0.3 seconds for individual probes

Normal (3)

This timing setting is the default scanning method. Scans are run as quickly as possible without overloading the network

Polite (2)

This timing setting reduces network load to prevent crashing. The probes are serialized and have a 4 second wait between each

Sneaky (1)

This timing setting waits 15 seconds between each packet

zap3

This tool removes user's last entry from WTMP, UTMP, LASTLOG, WTMPX, and UTMPX. It attempts to remove username from all possible files and binaries.

Ping Sweep

This tool will determine if an IP address range has live hosts by sending an ICMP Echo request to multiple hosts

Exploit Code

This triggers the vulnerability in a service. This is the delivery mechanism that connects to a service and performs the buffer overflow

Heap Buffer Overflow

This type of buffer overflow occurs by corrupting the program data at specific points in the process to cause the application to overwrite memory addresses or functions. "Very volatile - App Crashes likely"

Security Accounts Manager (SAM)

Windows OS's store hashes in this file

Stack Buffer Overflow

This type of buffer overflow occurs when local variables or data within the stack are overwritten, and the return address is changed, causing the program to jump to a specified address of the attacker's choosing

showmount -e

UNIX/LINUX command and option to display target host NFS shared file system

rpcinfo -p

UNIX/LINUX command and option to display target host RPC services and port numbers

showmount

UNIX/LINUX command to display a target host's NFS exported file system

rusers

UNIX/LINUX command to display logged in user information (Similar to finger)

rusers -l

UNIX/LINUX command to display logged in user information (similar to finger) in long list format

finger

UNIX/LINUX command to display logged in users information

finger -l

UNIX/LINUX command to display logged in users information in long list format

rpcinfo

UNIX/LINUX command to display target host RPC services by program transport, service name and owner

33434-34400

UNIX/Linux defaults to UDP along with destination port ranges between ____________

Vulnerability identification

Web servers, applications and CGI script enumeration are essential to _______________

HEAD / HTTP/1.0

When conducting an HTTP banner grab it must be followed by ________ and two carriage returns

UDP

When sending traceroutes Linux/UNIX sends this type of packets

ICMP

When sending traceroutes windows sends this type of packets

rootkits

are software programs and files designed to provide continued unauthorized root access to a system and hide any evidence of compromise

Network Services

arp, and netstat are both commands of what category

passive analysis

gathers information about a target of interest without actually probing the target

traceroute

identifies the path a packet traverses on its way to a target by reporting the first interface the packet sees

Active analysis

involves probing target networks to discover hosts, IP addresses, and running services.

nmap

is a network scanning tool used for identification and enumeration of targets and vulnerable services by performing certain functions

Meterpreter

is a staged payload that provides a command shell interface to an exploited target. Has its own built-in commands that mimic the function calls of regular Windows and Linux commands

Banner Grabbing

is a technique that involves connecting to common applications on target hosts to identify the version of running applications. Can be completed using nmap, telnet, and netcat

Attack Platform

is an OS specifically designed for exploitation, including many tools, programs and scripts.

Situational Awareness

is an essential part of tradecraft, as one must continuously monitor the state of the Operational Environment

netcat

is an extremely versatile networking utility that reads and writes data across network connections

Cain & Abel

is an extremely versatile tool designed for network and password auditing. Is a Windows package

Metasploit

is an open source framework containing a variety of penetration testing and security research tools

nikto

is an open source web scanner designed to perform tests against web servers to identify security problems. Looking for configuration files, dangerous files and software versioning. This tool is not stealthy and is easily detected

handler

is how Metasploit connects to remote payloads and is the command line interface used to access remote computers. Controls the network connection

tunneling

is the encapsulation of data for transmission through a network

Active scanning

is used to identify ports and services as well as identifying operating system family and version

SUID

Running a shell owned by root with these permissions, with the purpose of providing a non-privileged user with the ability to run a shell as root

command shell

serves as a means to access and communicate with built in services running on a variety of OS platforms

/etc/inetd.conf

services with well known ports that have trivial functions can be taken advantage of through this file

-L

syntax option to open a forward tunnel

-R

syntax option to open a reverse tunnel

scanline

this is a command line port scanner for Windows only. Known as a "Take it with you" scanner due to its small size

nmap scripting engine (NSE)

this tool enables script building to automate network scans and can be run individually or as categories

Ping with Record Route

this tool stores the packet route inside the IP Header options field. It documents the source interface IP as the ICMP Echo Request packet traverses the route

Logged on Users and Account Information

w, who, whodo, and logins are all commands of what category

