Appendix E Flashcards

1
Q

What is LDAP

A

Lightweight Directory Access Protocol

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

What ports are used by LDAP

A

TCP 389 & TCP 636

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

What is Global Catalogue

A

An LDAP based service which stores a logical representation of Users, Servers and Devices

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

What is FSMO

A

Flexible Single Master of Operations helps avoid conflicts across networks with multiple Domain Controllers. All AD changes are made through FSMO Schema Master

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

What is an LM Hash

A

LanMan hashing is the old method of hashing passwords in Windows versions prior to NT.

The LM hash is computed as follows:

The user’s password is restricted to a maximum of fourteen characters.

The user’s password is converted to uppercase.

The user’s password is encoded in the System OEM Code page

This password is null-padded to 14 bytes.

The “fixed-length” password is split into two seven-byte halves.

These values are used to create two DES keys, one from each 7-byte half, by converting the seven bytes into a bit stream with the most significant bit first, and inserting a null bit after every seven bits (so 1010100 becomes 10101000).

This generates the 64 bits needed for a DES key. (A DES key ostensibly consists of 64 bits; however, only 56 of these are actually used by the algorithm. The null bits added in this step are later discarded.)

Each of the two keys is used to DES-encrypt the constant ASCII string “KGS!@#$%”, resulting in two 8-byte ciphertext values. The DES CipherMode should be set to ECB, and PaddingMode should be set to NONE.

These two ciphertext values are concatenated to form a 16-byte value, which is the LM hash.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

What is NTLM

A

NTLM is a challenge-response authentication protocol which uses three messages to authenticate a client in a connection oriented environment (connectionless is similar), and a fourth additional message if integrity is desired.

First, the client establishes a network path to the server and sends a NEGOTIATE_MESSAGE advertising its capabilities.

Next, the server responds with CHALLENGE_MESSAGE which is used to establish the identity of the client.

Finally, the client responds to the challenge with an AUTHENTICATE_MESSAGE.

The NTLM protocol uses one or both of two hashed password values, both of which are also stored on the server (or domain controller), and which are password equivalent, meaning that if you grab the hash value from the server, you can authenticate without knowing the actual password.

The two are the LM Hash (a DES-based function applied to the first 14 chars of the password converted to the traditional 8 bit PC charset for the language), and the NT Hash (MD4 of the little endian UTF-16 Unicode password). Both hash values are 16 bytes (128 bits) each.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

What is NTLMv2

A

NTLMv2, introduced in Windows NT 4.0 SP4, is a challenge-response authentication protocol. It is intended as a cryptographically strengthened replacement for NTLMv1.

NTLMv2 sends two responses to an 8-byte server challenge. Each response contains a 16-byte HMAC-MD5 hash of the server challenge, a fully/partially randomly generated client challenge, and an HMAC-MD5 hash of the user’s password and other identifying information. The two responses differ in the format of the client challenge. The shorter response uses an 8-byte random value for this challenge. In order to verify the response, the server must receive as part of the response the client challenge. For this shorter response, the 8-byte client challenge appended to the 16-byte response makes a 24-byte package which is consistent with the 24-byte response format of the previous NTLMv1 protocol. In certain non-official documentation (e.g. DCE/RPC Over SMB, Leighton) this response is termed LMv2.

The second response sent by NTLMv2 uses a variable length client challenge which includes;

The current time in NT Time format

An 8-byte random value

The domain name and some standard format stuff.

The response must include a copy of this client challenge, and is therefore variable length. In non-official documentation, this response is termed NTv2.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

How can you quickly identify an NTLM Hash

A

It begins with the string :

aad3b435b51404eeaad3b435b51404ee

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

What is Microsoft SMS / SCCM

A

Microsoft Systems Management Server

System Center Configuration Manager

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

What are the primary functions of Microsoft SMS / SCCM

A

Manages devices across different platforms

Provides remote control, patch management, software distribution, OS deployment, network access protection and hardware / software inventory.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

What is SUS

A

Microsoft Software Update Services
Only delivered hot fixes and patches for Microsoft OS.

Downloads updates from external server on to internal server.

Clients download updates from internal server.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

What is WSUS

A

Microsoft Windows Server Update Services

WSUS uses .NET Framework, Microsoft Management Console and IIS.

WSUS can be used with Group Policy for client-side configuration to ensure end-users can’t disable update policies.

WSUS doesn’t require the use of Active Directory.

Downloads updates from external server on to internal server and can be set to automatically apply updates to servers.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

What is MBSA

A

Microsoft Baseline Security Analyser

Security scanner for missing patches and weak accounts.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly