All Appendix 2 Flashcards
RIP Port
UDP 520
UDP 520
RIP
What does rusers stand for
Remote Users Service
What does rusers do
rusers displays information about users currently logged into remote systems
What is the difference between rusers and rwho
rusers displays information only for the current host while rwho displays information for the entire network
How does rusers work
When you run rusers on a network, it sends out a broadcast request to all machines on the network running the rusersd daemon; these machines respond with a list of currently logged-in users along with their idle times
Rusers port
UDP 513
UDP 513
Rusers and Rwho
What does Rwho stand for
Remote Who Service
What does rwho do
rwho displays information about users logged into remote systems on a network
Rwho port
UDP 513
How can SMTP be used to enumerate users
Certain SMTP commands such as VRFY and EXPN can be used to validate whether a specific email/username exists on the server by observing the response status codes
What are the two commands responsible for SMTP user enumeration
VRFY and EXPN
What is Finger
Finger is a utility that provides information about users on a system; it can display details such as full name, home directory, login shell, etc.
Where is Finger's information derived from
Lots of the information comes from the /etc/passwd file
What happens if no user is specified on a finger query
It can return a list of all users on the system including login names and other details
Finger port
TCP 79
TCP 79
Finger
What is an FTP access control mechanism
/etc/ftpusers
What does /etc/ftpusers do
It is a list of users that cannot access the ftp server
What is anonymous user on FTP
The anonymous user is used to allow everyone on the internal network to share files and data without accessing each other's computers
Does Anonymous user require authentication/password for FTP
No
What is a security configuration in FTP to prevent identifying authors of files
hide_ids=YES means the UID and GID of files are masked in listings, making it more difficult to identify which rights these files have and preventing user enumeration
What is a vulnerability of allow file upload to an FTP server
If we can upload files, this may be combined with LFI vulnerabilities to execute system commands and achieve RCE (remote code execution)
FTP Ports
20-21
FTP conf file
/etc/vsftpd.conf
What is SMTP
SMTP is a protocol used for sending emails in an IP network; it can be used between an email client and an outgoing mail server or between two SMTP servers
SMTP Port
TCP 25
What do newer SMTP servers listen on
TCP 587
What is an essential function of SMTP
Blocking spam by using authentication mechanisms that allow only authorised users to send emails
What is ESMTP
It is an extension of SMTP, aptly called Extended SMTP, which uses SSL and TLS
How can we enumerate usernames on SMTP
Using the EXPN and VRFY queries
What does EXPN do
The client checks if a mailbox is available for messaging
What does VRFY query do
The client checks if a mailbox is available for mail transfer
What is Code 252 in VRFY
User that does not exist
What is Code 250 in VRFY
Requested mail action completed
How can we connect to an SMTP server
Telnet 25
What is Mail Relaying
Mail Relaying is the process where an SMTP server forwards an email from one server to another that is not directly responsible for either the sender or recipient, such as when emails need to be transferred across different domains and servers
In essence what is Mail Relaying
Any transfer of an email that is not directly the recipient or sender but rather an intermediary server
What does NFS stand for
Network File System
What does NFS do
It is a file system that has the same purpose as SMB - to access file systems over network as if they were local
What are the versions of NFS
NFSv2, NFSv3 and NFSv4
What is NFSv2
It is older but supported by many systems and was initially operated over UDP
What is NFSv3
It has more features including variable file size and better error reporting, but it is not compatible with NFSv2 clients
What is NFSv4
It includes Kerberos, supports ACLs and provides performance improvements and higher security
What is the most secure version of NFS
NFSv4
What is NFS based on
ONC-RPC / SUN-RPC
What does ONC-RPC stand for
Open Network Computing Remote Procedure Call
What port does NFS listen on
2049
What port does ONC-RPC listen on
111
What does NFS rely on for authentication
NFS relies on UID/GID on the client machine which is checked against the local user database to determine user permissions
What file contains a table of filesystems on the NFS server
/etc/exports
What is Root_Squash / No_Root_Squash
Prevents the root user on the client from having root privileges on the NFS server; if turned on, any requests from the root user will be mapped to an anonymous user
What is Nosuid option
Prevents the execution of files with the setuid or setgid set (meaning it won’t execute as the author of the file but rather as the logged in user)
What is noexec option
Option that prevents the execution of binaries on the file system; any attempt to execute a binary file (an executable or script) will fail
How can we access files through UID/GID manipulation
If we have access to the system via SSH and want to read files from another folder that a specific user has access to, we can upload a shell to the NFS server that has a SUID of that user and run the shell via the SSH user
What are the two access control types in NFS
Host level and File level
What is Host level in NFS
The NFS server controls which hosts (devices) can access the shared directories through the NFS server’s /etc/exports file
What is File level on NFS
Traditional UNIX model where access to files and directories are controlled based on user IDs (UID) and group IDs (GID)
What is HINFO in DNS records
Resource record that provides descriptive information about a host, specifically its hardware and operating system
NetBIOS Name Port
UDP 137
UDP 137
NetBIOS Name
List all of the R Services
rcp, rexec, rlogin, rsh, stat, ruptime, rwho
What is R Services
R Services are a suite of services hosted to enable remote access or issue commands between UNIX hosts over TCP/IP
Are R Services used now?
No they were replaced by SSH
What is a vulnerability in R Services
Much like Telnet, R Services transmit information from client to server (and vice versa) over the network in an unencrypted format, making it possible for attackers to intercept traffic
What ports does R Services use
512, 513 and 514
What is rcp
Remote Copy
What is rexec
Remote Execution
What is Rlogin
Remote login
What is Rsh
Remote Shell
What port does rcp listen on
TCP 514
What port does rsh listen on
TCP 514
What port does rexec listen on
TCP 512
What port does rlogin listen on
TCP 513
What does rcp do
Copy a file/directory bidirectionally from local machine to remote system, but provides no warning to user for overwriting existing files
What does rsh do
Opens a shell on a remote machine without a login procedure, relies upon trusted entries in the /etc/hosts.equiv and .rhosts files
How is authentication overwritten in rsh, rexec and rlogin
Passing authentication relies on trusted entries in the /etc/hosts.equiv and .rhosts rule for validation
What does rexec do
Enables a user to run shell commands on a remote machine
What does rlogin do
Enables a user to login to a remote host over the network similar to Telnet, but can only connect to Unix-like hosts
What is the difference between /etc/hosts.equiv and .rhosts
Hosts.equiv is the global configuration of all users on a system, whereas .rhosts provides a per-user configuration
What is X11
X11 is a framework for building GUIs on Unix OS; it provides tools and protocols to display graphical applications, manage windows, handle input devices, etc.
What is security with X11 like
X11 communication is unencrypted, making it vulnerable to eavesdropping and MiTM attacks; however, it can be tunnelled through SSH for secure access
What does Xhost + do
Allows all hosts access to the X server
What is recommended when using xhost
To use user-based access control and not host-based
What are the two types of access control in X11
Host-based and User-based
What is host-based access control in X11
The xhost command is used to manage host-based access control; it allows or denies access to the X server for specific hosts
What does xhost - do
Denies access for all hosts
What is user-based access control in X11
Restricts access to the X server based on individual users rather than entire hosts offering finer control.
What is the most common user-based authentication method to X server
MIT-MAGIC-COOKIE-1 is a random cookie which is provided to authorised clients and stored in the .Xauthority file
Is MIT-MAGIC-COOKIE-1 or SSH tunnelling more secure in X11 and why
SSH tunnelling is more secure as it encrypts the data transmission, whereas the magic cookie does not; the traffic remains unencrypted
What is RPC
RPC is a protocol that allows a program to request a service or execute procedures on a remote server as if it were local
What does RPC stand for
Remote Procedure Call
Name 3 common RPC services
MSRPC, Portmapper and NFS
What is MSRPC
MSRPC is used by Windows for various network services such as file sharing, SMB, Active Directory, etc
What is Portmapper
The Portmapper service maps RPC services to the appropriate network ports and protocols, allowing clients to discover where services are available
What is NFS
NFS allows for files to be shared over a network as if they were on a local disk; NFS uses RPC for all communication between the NFS client and NFS server
What tool can we use to enumerate RPC services
rpcinfo is a tool that provides information about RPC services running on a Unix system; it can be used to list all registered devices
What were two popular vulnerabilities in RPC
EternalBlue, which targets the SMBv1 protocol (which relies on MSRPC) and was exploited in the WannaCry attack, and WordPress xmlrpc
RPC Endpoint Mapper (Windows) Port
Port 135
Port 135
RPC Endpoint Mapper (Windows)
Port 111
Portmapper
Portmapper Port
Port 111
What does SSH do
SSH enables two computers to establish an encrypted and direct connection within a possibly insecure network on TCP 22
Where is SSH native to
Native to Unix so it is preinstalled on Linux and MacOS
What protocols can connect to SSH-1.99-OpenSSH_3.9p1
We can connect with SSH-1 and SSH-2
What protocols can connect to SSH-2.0-OpenSSH_8.2p1
Only accepts SSH-2 protocol
What are the 6 ways of authenticating to SSH
Password, Public Key, Host based, Keyboard, Challenge-Response and GSSAPI
What is Public Key authentication for SSH
The server creates a cryptographic problem with the public key and the client decrypts the problem with its own private key and sends back the solution
What file is responsible for the OpenSSH server
sshd_config file
What is a dangerous setting on SSH
PasswordAuthentication=YES as it allows us to brute-force
What is a tool used to footprint SSH
ssh-audit checks the client-side and server-side configuration and shows general information
How can we secure SSH
Use key-based authentication, disable password authentication, use SSH-2 and change default SSH port from port 22
How to remember what SSH versions can connect to what protocols
1.5 or lower just SSH-1, 1.99 is a mix of SSH-1 and SSH-2 and 2.0 and beyond is just SSH-2