7.2 Win Flashcards
Session layer protocol
allow a program running on one computer to seamlessly execute code on a remote system.
RPC
Endpoint mapper promiscuity
General Denial of Service (DoS) by attacking port 135 itself
Service specific attacks based on information gathered from querying port 135
Escalation of privileges based on information gathered from querying port 135
RPC Vulnerabilities
Session Layer file and print sharing protocol used by legacy systems.
NetBIOS
used for name resolution and registration (UDP port 137).
The first 15 characters/bytes are for names and the 16th character/byte indicates the function/service.
NetBIOS Name Service
Workstation service
<00>
Server service
<20>
(UDP port 138) is used for browser and messenger services.
NetBIOS Datagram Service
messaging service
<03>
(TCP port 139) is primarily used for local network file and print sharing.
NetBIOS Session Service
Application Layer protocol used for file and print sharing.
SMB
provides file and print sharing services to SMB/CIFS clients and allows for seamless interoperability between *NIX servers and Windows clients.
Samba
A method of connecting to a remote system over TCP port 3389 which allows a user to work as if on the remote computer’s desktop.
allows for an actual GUI desktop.
RDP
service that implements the WS-Management protocol for remote management using ports 5985/5986.
It uses the standard HTTP/HTTPS protocols for transport.
WinRM
Microsoft’s way forward in using networking protocols to connect to and manage network systems.
PS Remoting
performs a function similar to NetBIOS but expands on those capabilities.
uses a variety of methods to gather resource information and may gather IP, MAC, and even OS information if configured appropriately.
Network Discovery
Volumes on a Windows system are shared via hidden administrative shares (e.g., C$, E$, F$). Requires a privileged account for access.
Drive letter$
The System Root on Windows systems is shared via administrative shares. Requires a privileged account for access.
ADMIN$
Shares named pipes required for communication between computers and programs.
IPC$
Used on Active Directory domain controllers for sharing domain policies and domain public files.
SYSVOL
vulnerability most often found on legacy OSs.
Anonymously call a remote system’s RPC services for possible enumeration of the following:
- SAM accounts
- A list of machines on the system’s network
- A list of shares
A combination of Firewall, Registry, and policy settings may be used to secure null session vulnerabilities.
Null Session
name resolution service that resolves NetBIOS names to IP addresses.
- local networks
WINS
distributed database used on TCP/IP networks to assist in the location of computers and other resources.
DNS
unique name used to identify a particular system in the namespace.
FQDN
represent a discrete portion of the namespace for a particular domain and provide a way to partition the domain namespace into manageable sections.
zone
host primary zones and may host secondary zones for another domain
Primary servers
host secondary zones
Secondary servers
contain only information for previously resolved queries and do not host any zones
Caching-only servers
Contains a read/write copy of the entire namespace; all resource records for the zone. Primary zones are deployed either as standard primary zones or as ADI zones.
Primary Zone
are deployed with various manufacturer DNS servers. There is only one primary server for the zone, which manages all changes to the zone.
Standard primary zones
This integration allows Active Directory to be used as a data storage and replication engine for DNS, providing the capability of using multiple primary servers for the same zone. Typically, most domain controllers are configured to serve as primary DNS servers for their domain or zone.
ADI zones
Contains a read-only copy of the entire namespace; all resource records for the zone. When a secondary zone needs an update, it requests a zone transfer from a primary server.
Secondary Zone
SOA is the first resource record. It indicates this DNS name server is the best source of information for this domain.
Serial Number
Refresh Time
Zone transfers
Start of Authority (SOA) Record
announces the authoritative name servers for a particular zone, i.e., DNS servers that answer queries for their supported zone. Often indicates a secondary server for a domain.
Name Server (NS) Record
maps the service name to the server name offering the service.
Service Location (SRV) Record
Maps a host name to an IPv4 address for forward lookups.
Host (A) Record
Maps a host name to an IPv6 address for forward lookups.
Host (AAAA) Record
Creates a pointer that maps an IP address to a host name for reverse lookups.
Pointer (PTR) Record
MX Record specifies a mail exchange server for a domain.
Mail Exchanger (MX) Record
Sets an alias for a host name. Often used to associate “www” with the web server name.
Alias (CNAME) Record
the client makes additional DNS queries, if necessary, to other DNS servers to find the requested name to IP resolution.
iterative query
the DNS server makes queries to other DNS servers on behalf of the client who made the original name to IP resolution request.
recursive query
- Secure dynamic updates to only allow updates from systems authorized to make them
- Limit zone transfers to authoritative name servers and other authorized systems
- Secure against DNS cache poisoning/pollution
ways to secure DNS
set of Internet-based services for Windows servers. By default, it supports FTP on port 21, HTTP on port 80, and HTTPS on port 443.
IIS
This account permits users to connect anonymously to web sites hosted on the server.
IUSR
IIS Admin Service (W3SVC and FTPSVC services depend on the IISADMIN service).
IISADMIN
WWW Publishing Service used for HTTP hosting.
W3SVC
Microsoft FTP Publishing Service used for FTP hosting.
FTPSVC
Web sites are commonly identified and hosted in the following ways:
IP Address
Port Address
Host Header
if a single system goes down, the other systems in the cluster take over the processing load with little to no loss of access or capability.
Windows Clustering
are unique communications that are typically isolated from the traditional network and are used for many things,including computer clusters and load balancing of system resources.
Heartbeat Networks
defines how clients access the directory server and perform database operations over an IP network.
LDAP
TCP 389
Most fundamental item in a directory; these are items such as users, folders, and computers.
Objects
Characteristics of objects (e.g., a printer object can have attributes such as name, location, and model).
Attributes
Set of rules or structure that defines objects.
Schema
Logical grouping of objects or type of class of object (by organizational structure, groups, etc.).
Classes
Used for organizing objects, but cannot have group policies linked directly to them.
Container
Used for organizing objects and can have group policies linked to them.
Organizational Unit
Contain OUs, containers, and objects and provide the ability to associate a group policy to them as a single entity.
Domains
based on the structure of the directory, which is also known as the schema.
Information Model
May be used as user logon name for the domain. Combines username and DNS name; commonly used as an email address.
User Principal Name (UPN)
Contains the relative distinguished name (RDN) and location within the LDAP directory.
Distinguished Name (DN)
Portion of the name that does not relate to the directory structure. It is unique at each level.
Relative Distinguished Name (RDN)
deals with organization of the data and the objects within a database. The hierarchical structure provides unique uniform naming conventions for objects and an organizational framework.
Naming Model
Provides information that details what can be done with the database. Data modification and searches are the most common.
- Authentication
- Interrogation
- Update
Functional Model
Operations are for initiating and authenticating a session to the LDAP server. The primary operation performed is bind.
Authentication
How the database or directory is searched. Search is the primary operation.
Interrogation
Used for data modification including add, modify, and delete.
Update
primarily focused on how directory information is protected.
Security Model
- Flexible querying
- Integration with DNS
- Extensibility
- Policy-based administration
- Scalability
- Replication
- Security
- Interoperability
Benefits of Active Directory:
used to represent the physical topology of the network. Active Directory uses sites and site links to configure and optimize replication between physically dispersed domain controllers.
Sites
- Enables clients to efficiently discover services (published shares, logon services) that are close to the physical location of the client
- Enables network traffic control to optimize replication between domain controllers and maximize data availability.
- Enables policy application; Group Policy Objects may be linked to sites.
Site configurations
one or more domains sharing a common schema, where the first domain created is the forest’s root domain.
forest
consists of one or more domains that may be grouped together to form hierarchical structures.
Each top-level domain of a tree in a forest may have disjointed namespaces.
Child domains within a tree must have contiguous namespaces that build upon the parent’s.
tree
relationship established between domains to enable users in one domain to access resources in another domain.
trust
When domain A trusts domain B and domain B trusts domain C, then A can access resources in C if they have the correct permissions. Configured between parent/child domains and between root domains in a forest.
Transitive Trusts
Automatic
- Forest: Between two forests, manually created.
- Shortcut: Between two distant child domains; used to improve logon.
- External: Access between two Active Directory domains located in different forests (no forest trust exists).
Non-transitive Trusts
External trusts configured manually
1) Client queries DNS for LDAP SRV record.
2) Once the LDAP service is identified, client connects to port 389. In Windows Active Directory Domains, the connection is made to a domain controller.
3) Client authenticates and performs the search.
Domain-wide Queries
- A search for a resource in a forest that contains more than one domain
- A UPN logon in a forest that contains more than one domain
- An email address book lookup from the Global Address List (GAL)
forest-wide queries that require the GC service:
1) Client queries DNS for GC SRV record.
2) Once the GC service is identified, client connects to port 3268 or 3269. This connection is made to a domain controller running the GC service.
3) Client authenticates and performs the search.
Steps for a forest-wide query
is similar to an SSH or Telnet connection providing a CLI on a single remote computer.
1-to-1 remoting
enables commands (or a list of commands) to be sent in parallel to a single computer or a group of remote computers.
1-to-Many remoting
Remoting cmdlets like Invoke-Command or Enter-PSSession specify a computer name by using the -ComputerName parameter. PS establishes a session, executes commands, and then shuts down the connection.
Ad-Hoc Session
A PS remoting session that persists until manually terminated by the user. The New-PSSession cmdlet establishes a persistent session. The session has a unique ID and may be used repeatedly by referencing the ID. The Remove-PSSession cmdlet removes the session when no longer needed. To view current persistent PS sessions, use the Get-PSSession cmdlet.
Persistent Session
primary authentication package used in Windows Domain (Active Directory) environments. It is implemented via two .dll files. On the client side, kerberos.dll enables secure communication and authentication with kdcsvc.dll on the server side.
Kerberos
- Provides faster authentication using a ticketing system.
- Supports mutual authentication where the client and server each have to authenticate to each other.
- Provides single sign-on between Active Directory systems, including non-Windows OSs that support Kerberos.
- Relies on a simpler and faster symmetric keying algorithm where sender and receiver share a single, common key used to encrypt and decrypt messages.
Some advantages of Kerberos:
Implemented by kdcsvc.dll to provide two main services, the Authentication Service and the Ticket Granting Service.
Key Distribution Center (KDC)
domain
Realm
verifies the validity of the client computer and the user. The AS issues the Ticket Granting Ticket (TGT).
Authentication Service (AS)
users’ proof that they provided correct credentials during their initial login.
Ticket Granting Ticket (TGT)
responsible for issuing Service Tickets (ST) which allow a user to access specific resources on the network.
Ticket Granting Service (TGS)
verified by a resource provider to allow a user access to specific resources.
Service Ticket (ST)
Krbtgt is the account used by the KDC.
Krbtgt account
is the password hash of the user attempting to log in. Additional keys are generated during the exchanges.
Session Key (SK)
Apply policy settings to computers and users in an Active Directory domain.
Group Policy
collection of settings contained in a file that efficiently apply user and computer configurations for the domain.
- Sites
- Domain
- OUs
GPOs
Default Domain Policy
- Policy for the domain and linked to the domain.
Default Domain Controllers Policy
- Domain controller policy and linked to the domain controller’s OU.
two default GPOs:
collection of folders that exist on each domain controller to store elements of GPOs and domain public files.
System Volume (SYSVOL)
- Local policies
- Site GPOs
- Domain GPOs
- OU GPOs
Group Policy Processing Order:
collection of predefined policy settings in a single file. Predefined templates provide a policy starting point and may be customized to meet organizational requirements.
Security templates
WEF provides two advantages: it keeps a backup of log entries from the source systems and minimizes man hours spent on physically accessing those machines and obtaining their logs.
Windows Event Forwarding (WEF)
collects log entries from one or more source systems (forwarders) on the network and is based on the Web Services (WS)-Management protocol, the WinRM service, and the Windows Event Collector service (WECSVC).
WEC