All Appendix 3 Flashcards
What is the character length of an MD5 hash
32 characters
What is the character length of an SHA1 hash
40 characters
What does NetBIOS stand for
Network Basic Input/Output System
What does SOAP stand for
Simple Object Access Protocol
NetBIOS Session Service Port
139
Port 139
NetBIOS Session Service Port
NetBIOS Datagram Service port
138
Port 138
NetBIOS Datagram Service port
What can you do if you have write permissions on a crontab
Adding an entry runs it as that crontab's owner; if it is root's crontab (or /etc/crontab, or a file in /etc/cron.d) the command runs as root
What happens when the owner's execute permission shows "s"
The setuid bit is set, meaning whoever runs the file does so with the file owner's privileges (the effective UID becomes the owner's), so a setuid-root binary runs as root
How can we list processes and their associated network sockets
lsof -i (on Linux also netstat -anp or ss -anp)
Where does the finger daemon information derive from
By doing an exact match on the username field in the /etc/passwd file and a partial match in the GECOS field of the /etc/passwd file
How to identify DES algorithm digest
A series of 13 printable ASCII characters (the first two represent the salt itself), max password length is 8 characters
How to identify MD5 algorithm digest
Printable form of MD5 password hashes start with $1$
How to identify SHA-crypt (SHA-256 / SHA-512) algorithm digest
Printable form of SHA-crypt password hashes start with $5$ (SHA-256) or $6$ (SHA-512); these are SHA-2 variants, not SHA-1
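The identification cards above (hex length for MD5/SHA-1, the 13-character DES crypt form, and the $1$/$5$/$6$ prefixes) can be turned into a single classifier. The following is an added example, not part of the original flashcards: the crypt-format sample strings are constructed to be well-formed but are not real digests of any password, the hex samples are computed with hashlib, and the 64/128-character hex cases extend the page's MD5/SHA-1 cards to SHA-256/SHA-512.

```python
"""Classify password-hash strings by their printable form.

Added example for the identification flashcards (not from the original page).
The crypt-format samples are constructed to be well-formed and are not real
digests of any password; the hex samples are real MD5/SHA-1 digests.
"""
import hashlib
import re

# crypt(3) output alphabet (the "itoa64" set) used for salts and encoded digests.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
_CRYPT_CHARS = "[./0-9A-Za-z]"

# Traditional DES crypt: exactly 13 printable characters, the first two are the salt.
_DES_RE = re.compile(rf"^{_CRYPT_CHARS}{{13}}$")

# Modular crypt format: $id$[rounds=N$]salt$digest
_MODULAR_RE = re.compile(
    rf"^\$(?P<id>[156])\$(?:rounds=(?P<rounds>\d+)\$)?"
    rf"(?P<salt>{_CRYPT_CHARS}{{1,16}})\$(?P<digest>{_CRYPT_CHARS}+)$"
)

# id -> (name, maximum salt length, encoded digest length, digest size in bits)
MODULAR_IDS = {
    "1": ("MD5-crypt", 8, 22, 128),
    "5": ("SHA-256-crypt", 16, 43, 256),
    "6": ("SHA-512-crypt", 16, 86, 512),
}

# Raw hex digests: hex length -> algorithm (each hex character carries 4 bits).
# 64 and 128 go beyond the page's MD5/SHA-1 cards to cover SHA-256/SHA-512.
HEX_LENGTHS = {32: "MD5", 40: "SHA-1", 64: "SHA-256", 128: "SHA-512"}

_UNKNOWN = {"algorithm": "unknown", "encoding": None, "salt": None, "bits": None}


def identify_hash(value: str) -> dict:
    """Return {"algorithm", "encoding", "salt", "bits"} for one hash string.

    Anything that does not fit a known shape is reported as "unknown" rather
    than being forced into the nearest match.
    """
    value = value.strip()

    if _DES_RE.match(value):
        # 2-char salt + 11 chars encoding one 64-bit DES block; max 8-char password.
        return {"algorithm": "DES-crypt", "encoding": "crypt",
                "salt": value[:2], "bits": 64}

    m = _MODULAR_RE.match(value)
    if m:
        name, max_salt, digest_len, bits = MODULAR_IDS[m["id"]]
        # Reject oversized salts or truncated digests instead of guessing.
        if len(m["salt"]) <= max_salt and len(m["digest"]) == digest_len:
            return {"algorithm": name, "encoding": "crypt",
                    "salt": m["salt"], "bits": bits}
        return dict(_UNKNOWN)

    if re.fullmatch(r"[0-9a-fA-F]+", value) and len(value) in HEX_LENGTHS:
        return {"algorithm": HEX_LENGTHS[len(value)], "encoding": "hex",
                "salt": None, "bits": len(value) * 4}

    return dict(_UNKNOWN)


def sample_hashes() -> dict:
    """Constructed inputs: the crypt strings are shaped correctly but invented."""
    return {
        "des": "saXQ9f3r2Jmx.",
        "md5crypt": "$1$saltsalt$" + ITOA64[:22],
        "sha256crypt": "$5$rounds=5000$saltsalt$" + (ITOA64 * 2)[:43],
        "sha512crypt": "$6$saltsalt$" + (ITOA64 * 2)[:86],
        "md5hex": hashlib.md5(b"password").hexdigest(),
        "sha1hex": hashlib.sha1(b"password").hexdigest(),
        "bogus": "$9$notreal",
    }


if __name__ == "__main__":
    for label, h in sample_hashes().items():
        print(f"{label:12} {identify_hash(h)['algorithm']}")
```

The order of the checks matters: the DES form is tested first because a 13-character string is too short to be any hex digest, and modular strings are excluded from the hex branch by their leading `$`. A salt longer than the algorithm allows, or a digest of the wrong length, is reported as unknown rather than as a mangled MD5-crypt.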
How can we check patch levels on RPM-based Linux (Red Hat, CentOS, SUSE)
rpm -qa
How can we check patch levels on Debian-based Linux
dpkg --list (or dpkg -l)
How can we check patch levels on Solaris
pkginfo -x
What port does X11 listen on
6000 to 6063 (depending on the number of concurrent displays)
Port 6000-6063
X11
How can we identify Windows hosts and servers
nbtscan
What is RID Cycling
A technique used in the enumeration of user accounts in Windows environments
What is a RID
A part of the SID in Windows that identifies user or group accounts within a domain
What does RID stand for
Relative Identifier
What does SID stand for
Security Identifier
What is the RID in this SID and where is it located (S-1-5-21-XXXXXXXXXX-YYYYYYYYYY-ZZZZZZZZZZ-500)
RID is 500 and is located at the end of the SID
How can we enumerate users with RID cycling
By incrementing the RID value to discover other accounts
How do we begin RID cycling
We need to establish a NULL session to the host
How to establish a NULL session to a host
net use \\<host>\IPC$ "" /u:"" (replace <host> with the target name or IP)
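The RID cycling cards above describe a two-step procedure: obtain the domain (or machine) SID from one known account, then increment the RID and resolve each candidate SID to a name over the null session. The following is an added example, not part of the original flashcards: it assumes a caller-supplied `lookup(sid)` that returns a name or `None`, which in practice is an LSA LookupSids call over the null session (for example rpcclient's `lookupsids`); the `DEMO_DIRECTORY` dictionary below is a constructed stand-in for the target, and the well-known RID table is a hint for which RIDs to try first.

```python
"""RID cycling over a parsed SID.

Added example for the RID/SID flashcards (not from the original page).
Assumes a caller-supplied lookup(sid) -> name or None; DEMO_DIRECTORY is a
constructed stand-in for the target's SID-to-name resolution.
"""
from __future__ import annotations

import re
from typing import Callable, Dict, Iterator, Optional, Tuple

# S-<revision>-<identifier authority>-<sub-authority>...; the last sub-authority is the RID.
_SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

# Well-known RIDs worth resolving first before cycling through the whole range.
WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests",
    519: "Enterprise Admins",
}


def split_sid(sid: str) -> Tuple[str, int]:
    """Return (domain-or-machine SID, RID) for a full account SID."""
    if not _SID_RE.match(sid):
        raise ValueError(f"not a SID: {sid!r}")
    prefix, _, rid = sid.rpartition("-")
    return prefix, int(rid)


def candidate_sids(domain_sid: str, start: int, stop: int) -> Iterator[str]:
    """Yield domain_sid-RID for every RID in [start, stop]."""
    for rid in range(start, stop + 1):
        yield f"{domain_sid}-{rid}"


def cycle_rids(domain_sid: str,
               lookup: Callable[[str], Optional[str]],
               start: int = 500, stop: int = 1100) -> Dict[int, str]:
    """Resolve every candidate SID; return {rid: name} for those that exist."""
    found: Dict[int, str] = {}
    for sid in candidate_sids(domain_sid, start, stop):
        name = lookup(sid)
        if name is not None:
            found[split_sid(sid)[1]] = name
    return found


# Constructed stand-in for the target's SID-to-name resolution (hypothetical data).
DEMO_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
DEMO_DIRECTORY = {
    f"{DEMO_DOMAIN_SID}-500": "Administrator",
    f"{DEMO_DOMAIN_SID}-501": "Guest",
    f"{DEMO_DOMAIN_SID}-512": "Domain Admins",
    f"{DEMO_DOMAIN_SID}-1000": "svc_backup",
    f"{DEMO_DOMAIN_SID}-1104": "jsmith",
}


def demo_lookup(sid: str) -> Optional[str]:
    """Stands in for a LookupSids call over the null session."""
    return DEMO_DIRECTORY.get(sid)


if __name__ == "__main__":
    # Step 1: get the domain SID from one known account (here the RID-500
    # Administrator SID, as a name lookup would return it) and strip the RID.
    domain_sid, known_rid = split_sid(f"{DEMO_DOMAIN_SID}-500")
    print("domain SID", domain_sid, "known RID", known_rid)
    # Step 2: increment the RID and resolve each candidate SID.
    for rid, name in sorted(cycle_rids(domain_sid, demo_lookup, 500, 1200).items()):
        print(f"{rid:5} {name:15} {WELL_KNOWN_RIDS.get(rid, '')}")
```

Against a real host, replace `demo_lookup` with a function that performs the SID lookup over the null session; the range 500 to about 1100 covers the built-in accounts and the first few hundred created accounts, and the gaps in the returned RIDs (deleted accounts never reuse a RID) are themselves useful for estimating how many objects the domain has had.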
How can we enumerate users with SNMP
If a community string can be found (default, dictionary, bruteforced) then user names on hosts can be enumerated (community strings should be treated like passwords)
How can we enumerate users with LDAP
Load ldp.exe, connect to the server and bind with anonymous (null) credentials, then select View > Tree and browse the directory tree for the user objects
What is WSUS
A Windows patching manager which provides integration with AD and a web interface to manage deployment of patches
MSSQL Default SA Password
Older default installations (SQL Server 2000 and earlier) shipped with a blank sa password; newer versions force a password to be set at install time, so there is no fixed default, but a blank or weak sa password is still worth testing
What command can be used to execute OS commands within MSSQL
xp_cmdshell (an extended stored procedure; disabled by default since SQL Server 2005 and must be enabled with sp_configure)
How to get the byte length of IPv4, IPv6, MAC Address, MD5 and SHA1
If we remember the Bit length we can divide by 8 to get the Byte length
IPv4 Bit length
32
IPv6 Bit length
128
MAC Address Bit length
48
MD5 Bit length
128
SHA1 Bit length
160
IPv4 Byte length
32/8 = 4
IPv6 Byte length
128/8 = 16
MAC Address Byte length
48/8 = 6
MD5 Byte length
128/8 = 16
SHA1 Byte length
160/8 = 20