Appendix E Flashcards
What is LDAP
Lightweight Directory Access Protocol
What ports are used by LDAP
TCP 389 & TCP 636
What is Global Catalogue
An LDAP-based service which stores a logical representation of users, servers and devices.
What is FSMO
Flexible Single Master of Operations helps avoid conflicts across networks with multiple Domain Controllers. All AD changes are made through the FSMO Schema Master.
What is an LM Hash
LanMan hashing is the old method of hashing passwords in Windows versions prior to NT.
The LM hash is computed as follows:
The user’s password is restricted to a maximum of fourteen characters.
The user’s password is converted to uppercase.
The user’s password is encoded in the System OEM code page.
This password is null-padded to 14 bytes.
The “fixed-length” password is split into two seven-byte halves.
These values are used to create two DES keys, one from each 7-byte half, by converting the seven bytes into a bit stream with the most significant bit first, and inserting a null bit after every seven bits (so 1010100 becomes 10101000).
This generates the 64 bits needed for a DES key. (A DES key ostensibly consists of 64 bits; however, only 56 of these are actually used by the algorithm. The null bits added in this step are later discarded.)
Each of the two keys is used to DES-encrypt the constant ASCII string “KGS!@#$%”, resulting in two 8-byte ciphertext values. The DES CipherMode should be set to ECB, and PaddingMode should be set to NONE.
These two ciphertext values are concatenated to form a 16-byte value, which is the LM hash.
What is NTLM
NTLM is a challenge-response authentication protocol which uses three messages to authenticate a client in a connection-oriented environment (connectionless is similar), and a fourth additional message if integrity is desired.
First, the client establishes a network path to the server and sends a NEGOTIATE_MESSAGE advertising its capabilities.
Next, the server responds with CHALLENGE_MESSAGE which is used to establish the identity of the client.
Finally, the client responds to the challenge with an AUTHENTICATE_MESSAGE.
The NTLM protocol uses one or both of two hashed password values, both of which are also stored on the server (or domain controller), and which are password-equivalent, meaning that if you grab the hash value from the server, you can authenticate without knowing the actual password.
The two are the LM hash (a DES-based function applied to the first 14 characters of the password converted to the traditional 8-bit PC charset for the language) and the NT hash (MD4 of the little-endian UTF-16 Unicode password). Both hash values are 16 bytes (128 bits) each.
What is NTLMv2
NTLMv2, introduced in Windows NT 4.0 SP4, is a challenge-response authentication protocol. It is intended as a cryptographically strengthened replacement for NTLMv1.
NTLMv2 sends two responses to an 8-byte server challenge. Each response contains a 16-byte HMAC-MD5 hash of the server challenge, a fully/partially randomly generated client challenge, and an HMAC-MD5 hash of the user’s password and other identifying information. The two responses differ in the format of the client challenge. The shorter response uses an 8-byte random value for this challenge. In order to verify the response, the server must receive as part of the response the client challenge. For this shorter response, the 8-byte client challenge appended to the 16-byte response makes a 24-byte package which is consistent with the 24-byte response format of the previous NTLMv1 protocol. In certain non-official documentation (e.g. DCE/RPC Over SMB, Leighton) this response is termed LMv2.
The second response sent by NTLMv2 uses a variable-length client challenge which includes:
The current time in NT Time format
An 8-byte random value
The domain name and some standard format stuff.
The response must include a copy of this client challenge, and is therefore variable length. In non-official documentation, this response is termed NTv2.
How can you quickly identify an NTLM Hash
It begins with the string:
aad3b435b51404eeaad3b435b51404ee
What is Microsoft SMS / SCCM
Microsoft Systems Management Server
System Center Configuration Manager
What are the primary functions of Microsoft SMS / SCCM
Manages devices across different platforms
Provides remote control, patch management, software distribution, OS deployment, network access protection and hardware/software inventory.
What is SUS
Microsoft Software Update Services
Only delivered hotfixes and patches for Microsoft operating systems.
Downloads updates from an external server onto an internal server.
Clients download updates from internal server.
What is WSUS
Microsoft Windows Server Update Services
WSUS uses .NET Framework, Microsoft Management Console and IIS.
WSUS can be used with Group Policy for client-side configuration to ensure end-users can’t disable update policies.
WSUS doesn’t require the use of Active Directory.
Downloads updates from an external server onto an internal server and can be set to automatically apply updates to servers.
What is MBSA
Microsoft Baseline Security Analyzer
Security scanner for missing patches and weak accounts.