6 - Network Pen Test Internal Flashcards
What is Internal Pen Testing?
Involves testing computers and devices within the company or organization. Examines internal IT systems for any weakness that could be used to disrupt the network from the perspective of an inside attacker.
Why perform internal Pen Testing?
To check internal security measures, what info can be accessed, allow management to understand the level of risk from malicious users, provide complete details of the organization’s internal network, and create a basis for future decisions regarding IT security.
What are the Internal Network Pen Testing steps?
- Footprinting
- Identify List of Domains: net view /domain
- Identify Hosts: net view /domain [domain name]
- Identify Internal IP Range: arp -a
- Network Scanning
- Scan a single IP address, multiple IP addresses, and subnets
- Port scans
- OS and Service Fingerprinting
- Identify OS
- Identify Services
- Enumeration
- Performed to create active connections with the computer system and perform directed queries to gain more info about the network.
- Identify system attack points and perform password attacks.
- Vulnerability Assessment
- Windows Exploitation
- Unix/Linux Exploitation
- Attempt Replay Attacks
- Attempt ARP Poisoning
- Attempt MAC Flooding
- Conduct Man-In-The-Middle
- Attempt DNS Poisoning
- Attempt to Log into a Console Machine
- Boot the PC Using Alternate OS and Steal the SAM file
- Extract the Password Hashes
- Attempt to Crack Password from Hashes
- Attempt to Break-down the Desktop Lockdown
- Escalate User Privileges
- Reset the Local Administrator or Other User Accounts Passwords
- Attempt to Plant a Software Keylogger to Steal Passwords
- Attempt to Plant a Hardware Keylogger to Steal Passwords
- Attempt to Plant Spyware on Target Machine
- Attempt to Plant a Trojan on the Target Machines
- Attempt to Create a Backdoor Account on Target Machine
- Creating a backdoor for future access
- Attempt to Bypass Antivirus Software
- Attempt to Send a Virus Using Target machine
- Attempt to plant Rootkit on Target machine
- Hide sensitive data on Target machine
- Use various steganography Techniques to Hide Files on Target machines
- Capture Communications between FTP client and server
- Capture HTTPS Traffic
- Spoof MAC address
- Poison the victim's IE Proxy server
- Attempt Session Hijacking on Telnet Traffic
- Attempt Session Hijacking on FTP Traffic
- Attempt Session Hijacking on HTTP Traffic
- Test for Stack Overflow Vulnerability using Ollydbg Debugger
- Test for format string vulnerability using IDA pro
- Automating Internal Network Pen Test Effort
- Post Exploitation
What are some different scans in NMAP?
- Quick Scan: nmap -F [IP]
- Scan for Active Hosts: nmap -sn [IP]
- Port Scan: nmap -p [port] [IP] or nmap -p [port1],[port2] [IP] or nmap -p [port range] [IP]
- Scan Most Common Ports: nmap --top-ports [Number] [IP]
- Scan TCP ports: nmap -sT [IP]
- Scan UDP ports: nmap -sU [IP]
- Display only Open ports: nmap --open [IP]
What are some enumeration techniques?
- NetBIOS: List of computers in the domain, list of shares, policies and passwords
- SNMP: Info about network resources such as hosts, routers, devices, and shares
- LDAP: Valid user names, addresses, departmental details, etc.
- NTP: List of hosts connected, client IP addresses in a network
- SMTP: List of valid users on the SMTP server
- IPSEC: Encryption and hashing algorithms, authentication type, key distribution algorithm (using ike-scan to enumerate)
- VoIP: VoIP gateway services, IP-PBX systems
- SMB: SMB shares
What are some NTP commands/utilities used for enumeration?
- Ntptrace: Used to trace a chain of NTP servers back to the primary source
- ntpdc: Used to monitor operation of the NTP daemon, ntpd
- ntpq: Used to monitor NTP daemon ntpd operations and determines performance
What are some SMTP commands to use for enumeration?
- VRFY: Validates users
- EXPN: Tells the actual delivery addresses of aliases and mailing lists
- RCPT TO: Defines the recipients of the message
What are some Linux commands for enumeration?
- rusers: view list of users who are logged on to remote machines
- rwho: view list of users who are logged in to hosts on the local network
- Finger: Gain info about system users such as user’s login name, real name, terminal name, idle time, login time, office location and phone numbers
What is sniffing and what kind of info is obtained?
- Process of turning the NIC of a system into promiscuous mode to listen to all the data transmitted on its segment
- Info obtained:
- DNS Traffic
- POP3/FTP/Telnet passwords
- Email traffic
- Router Config
- Web Traffic
- Telnet passwords
- Chat Sessions
- Syslog traffic
What are the filters used in Wireshark?
- Capture: Applied before starting the capture on the selected network interface
- Display: Used to filter already captured traffic packets
What is the purpose of a Vulnerability assessment?
To determine the maturity of the target's security posture. To identify network devices open to vulnerabilities.
What are the different vulnerability assessment reports?
- Security Vulnerability Report: Gives info about vulnerabilities for open ports and detected services on the network.
- Security Vulnerability Summary: Gives security flaws for a particular server.
What are some steps for Windows Exploitation?
- Identify Local/Remote Exploit to Gain Access
- Try to Gain Access to Windows using Remote Shell
- Try to exploit Buffer Overflow vulnerability
What are some steps for Linux/Unix Exploitation?
- Identify Local/Remote Exploit to Gain Root Access
- Try to gain access to Linux using Remote Shell
- Extract User Accounts
- Extract the Password Hashes
- Crack the Password Hashes
- Try to gain unauthorized access through UID/GUID Manipulation
What are some common Internal Network Exploitation Techniques?
- Replay Attacks: Attacker intercepts and passively listens to the network traffic and resends the stream to one or more of the parties.
- ARP Poisoning: Responds to ARP request posing as legitimate machine
- MAC Flooding: Flooding the CAM table on the switch with fake MAC and IP pairs until it is full, at which point the switch behaves like a hub
- Man-in-the-Middle: Attacker is situated between the customer and real web-based application and proxies all communications between the systems. Can be conducted by:
- DNS cache poisoning
- ARP Spoofing
- DNS Poisoning (DNS cache poisoning): Attacker injects fake records into the cache of a DNS server, corrupts the DNS tables, and redirects a victim to a malicious IP
- Log into a Console Machine: Try logging on to the console using default passwords
- Boot the PC using Alternate OS and Steal the SAM file
- Break Down the Desktop Lockdown: Using application’s context menus, you can try different methods to exploit security.
- Sticky Keys
- Task Manager
- Access Help Manager
- Command Prompt
- Citrix ICA (Independent Content Architecture: Stores network settings) Hotkeys
- Modifying ICA files
- Internet Explorer Breakouts
- Default/Weak Creds
- Escalate User Privileges
- Reset local Admin and User account passwords
- Plant a Software/Hardware Keylogger to Steal Passwords
- Plant Spyware
- Plant Trojan
- Create a Backdoor Account
- Bypass Anti-Virus software
- Send a Virus
- Plant rootkit
- Hide Sensitive Data
- Steganography
- Capture communications between FTP client and server
- Capture HTTPS traffic
- Spoof MAC address
- Poison victim’s IE Proxy Server
- Session Hijack Telnet/FTP/HTTP traffic
- Test Stack Overflow
- Test for Format String Vulnerability