Attacking a System Flashcards

1
Q

LM Hashing

A

Takes a password and converts it to uppercase. If it is fewer than 14 characters, blank spaces are added to make it 14. The 14-character password is split into two 7-character strings and each string is hashed separately.

2
Q

If an LM password is 7 or fewer characters, the second half of padded blank characters would always be:

A

AAD3B435B51404EE, the hash value of 7 blank characters

3
Q

In a Windows Vista or later SAM file a LM password shows up as:

A

Blank. The NTLM hash will show in the second part of the line.

4
Q

Salting

A

Adding random data as additional input before a password is hashed.

5
Q

Active Directory database

A

%SYSTEMROOT%\System32\Ntds.dit

6
Q

Kerberos

A

Uses both symmetric and asymmetric encryption technologies to securely transmit passwords and keys across a network. Made up of a Key Distribution Center (KDC), an Authentication Service (AS), a Ticket Granting Service (TGS) and the Ticket Granting Ticket (TGT).

7
Q

LM Authentication Levels

A

0 - Windows XP Default

2 - Windows 2003 Default

8
Q

Active Directory Database

A

Stored on domain controllers in %SYSTEMROOT%\NTDS\NTDS.dit or %SYSTEMROOT%\System32\NTDS.dit

9
Q

Tools used to crack Kerberos

A

Kerbsniff, KerbCrack

10
Q

Password Security

A

The length of a password is more important than the complexity of a password.

11
Q

Golden Ticket

A

Creating your own Kerberos TGT. Can be created by Mimikatz or Cobalt Strike using the provided domain name, domain admin name, domain SID and Kerberos TGT hash.

12
Q

Pass the Hash

A

Password hashes are stored in memory and passed to a requesting remote computer for authentication. Hashes are loaded by LSASS. Tools: Mimikatz, which can steal hashes, PIN codes and Kerberos tickets from memory. Mimikatz is also included in Metasploit as a Meterpreter script.

13
Q

Windows Registry - HKEY_LOCAL_MACHINE (HKLM)

A

Contains hardware information and software

14
Q

Windows Registry - HKEY_CLASSES_ROOT (HKCR)

A

Contains information on file associations and Object Linking and Embedding (OLE) classes

15
Q

Windows Registry - HKEY_CURRENT_USER (HKCU)

A

Contains profile information for the user currently logged on. Includes preferences for the OS and applications.

16
Q

Windows Registry - HKEY_USERS (HKU)

A

Contains specific user configuration information for all currently active users on the computer

17
Q

Windows Registry - HKEY_CURRENT_CONFIG (HKCC)

A

Contains a pointer to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\HardwareProfiles\Current\ to make accessing and editing this profile information easier.

18
Q

Registry Character String

A

REG_SZ

19
Q

Registry Expandable String

A

REG_EXPAND_SZ

20
Q

Registry Binary Value

A

REG_BINARY

21
Q

Registry 32-bit unsigned integer

A

REG_DWORD

22
Q

Registry symbolic link to another key

A

REG_LINK

23
Q

Registry MultiValue

A

REG_MULTI_SZ

24
Q

Startup keys

A

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

25
Q

Linux - File System - Root

A

Designated by a /

26
Q

Linux - File System - /bin

A

Holds numerous Linux commands, a lot like C:\WINDOWS\SYSTEM32

27
Q

Linux - File System - /dev

A

Contains pointers to storage and I/O systems to mount, such as optical drives and additional hard drives. Everything in Linux is a file.

28
Q

Linux - File System - /etc

A

Contains all administrative files and passwords. The passwd and shadow files are found here.

29
Q

Linux - File System - /home

A

User home folders

30
Q

Linux - File System - /mnt

A

Holds the access locations that are mounted

31
Q

Linux - File System - /sbin

A

System binaries - holds more admin commands and Linux daemons

32
Q

Linux - File System - /usr

A

Holds information, commands and files unique to users

33
Q

Common Linux commands

A

adduser - adds a user to the system
cat - displays the content of a file
cp - copies a file
ifconfig - like Windows ipconfig
kill - kills a running process
ls - displays the content of a folder
man - displays the manual pages of a command
passwd - used to change your password
ps - process status command; -ef will show all processes
rm - removes files; -r will also remove directories
su - perform functions as another user
sudo - run programs as the super user
pwd - print the current working directory
34
Q

Run a program in Linux in the background

A

Add an ampersand to the end of the command. The process will end when the user logs out. To make the process persistent and survive logout, add nohup to the beginning of the command.

35
Q

Linux Users and Groups

A

Each user is assigned a unique ID called a UID and each group is assigned a unique ID called a GUID. These can be seen in the /etc/passwd and /etc/group files respectively, as the third field.

36
Q

Linux password storage

A

Linux can store passwords in either the /etc/passwd file or the /etc/shadow file. An "x" in the passwd file indicates that the password is stored salted and hashed in the shadow file. Only root has access to shadow.

37
Q

Tools to crack passwords from Linux shadow files

A

John the Ripper using brute force

38
Q

Linux hacking distros

A

BackTrack, Kali, PHLAK, Auditor

39
Q

System Hacking Goals

A

Gaining Access,
Escalating Privileges,
Executing Applications,
Hiding Files,
Covering Tracks

40
Q

Gaining Access

A

Cracking passwords and escalating privileges

41
Q

Clear tracks methodology

A

In Metasploit use clearev
Clear the most recently used (MRU) list in Windows and most recent documents
Can prepend a dot "." to Linux file names to hide them

42
Q

Hacking Phases

A

Reconnaissance
Scanning - Discovery and port scanning, then Enumeration
Gaining Access - Cracking passwords, escalating privileges
Maintaining Access - Executing applications, hiding files
Covering Tracks - Clearing logs

43
Q

Single factor authentication

A

Something you know

44
Q

Two factor authentication

A

Something you know and something you have (biometric)

45
Q

False Rejection Rate (FRR)

A

The percentage of time a biometric device will deny access to a legitimate user

46
Q

False Acceptance Rate (FAR)

A

The percentage of time a biometric device will give an unauthorized user access to a system

47
Q

Crossover Error Rate (CER)

A

Where the False Rejection Rate and the False Acceptance rate of a biometric device intersect

48
Q

Active biometric device

A

Must be touched. A retina scan is invasive because it sends a beam of light into the eye and is therefore considered active.

49
Q

Passive biometric device

A

You don't have to touch it. An iris scan is considered noninvasive because it takes a picture of the eye and is therefore considered passive.

50
Q

Biometric or e-passport

A

A token that you carry that holds biometric information identifying you. Still considered single-factor authentication.

51
Q

Password fatigue

A

Users having to remember too many long and complex passwords.

52
Q

Keyboard walk passwords

A

Using a predictable path or pattern of keys on a keyboard as the password

53
Q

Password cracking

A

Non-Electronic - social engineering, shoulder surfing, dumpster diving
Active Online - direct interaction with the target; includes dictionary and brute-force attacks, hash injections, phishing, Trojans, spyware, keyloggers and password guessing
Passive Online - sniffing
Offline - steal a copy of a password file and crack it using a dictionary attack, hybrid attack or brute-force attack

54
Q

Rule based password attack

A

A dictionary/brute-force attack where the attacker has some knowledge of your password policy

55
Q

Keylogging

A

Using a hardware device or software application to capture a user's keystrokes. Software keyloggers are easier to spot than hardware keyloggers, which are almost impossible to detect.

56
Q

Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service attack

A

LLMNR is based on the DNS host format and allows hosts on the same subnet to perform name resolution for other hosts as a backup for local DNS name resolution. This is subject to DNS poisoning by resolving an LLMNR DNS request to the target of your choice. This could lead to password sniffing of subsequent authentication attempts to the poisoned entry.
Tools: NBNSpoof, Pupy, Metasploit, Responder.
You can mitigate by disabling LLMNR through the registry or via GPO.

57
Q

LLMNR port

A

UDP 5355 to IP address 224.0.0.252 and FF02::1:3

NBT-NS uses UDP port 137

58
Q

Windows Password Recovery Tools

A

CHNTPW (Linux),
Stellar Phoenix,
Windows Password Recovery Ultimate,
ISeePassword,
Windows Password Recovery Tool,
Passware Kit,
PCUnlocker

59
Q

Net commands

A

net view /domain:domainname - lists the computers in the domain
net view \\systemname - lists the shares on a system
net use \\target\ipc$ "" /u:"" - sets up a null session
net use Z: \\target\share /persistent:yes - makes the drive mapping permanent

You can use the NetBIOS Auditing Tool and Legion to automate the testing of user IDs and passwords.

60
Q

Ferret and Hamster

A

Ferret
This tool is used to grab session cookies. It runs as a background process, capturing session cookies that pass over the network on port 80.

Hamster
This tool works as a proxy server to manipulate all of the data that has been grabbed by Ferret.

61
Q

Online tools for password sniffing

A

Ettercap,
Kerbcrack (specifically looks for port 88 Kerberos traffic),
Cain,
ScoopLM (specifically looks for Windows passwords)

62
Q

SSLsniff

A

Acts as a man-in-the-middle for SSL connections on a LAN and dynamically generates certificates on the fly for the domains that are being accessed.

63
Q

What is a hybrid offline password attack?

A

A step above the dictionary attack. The tool is smart enough to take a word from a list and substitute numbers and symbols for alphabetic characters.

64
Q

Rainbow table

A

Precalculated password hashes for easier hash cracking. Can be created with rtgen and winrtgen.

65
Q

Offline password cracking tools

A

Cain,
THC Hydra,
John the Ripper,
KerbCrack,
LC5 (next-gen L0phtCrack)

66
Q

Default Password Sites

A

OpenSezMe,
CIRT,
Defaultpassword.com

67
Q

Vertical Privilege Escalation

A

When a lower-level user executes code at a higher privilege level than they should have access to

68
Q

Horizontal Privilege Escalation

A

Executing code at the same user level but from a location that should be protected from access

69
Q

Four ways to gain root (admin) privileges

A

  1. Crack the admin password
  2. Take advantage of an OS vulnerability
  3. Use a tool like Metasploit that will deliver a custom payload
  4. Social engineer the password

70
Q

DLL hijacking

A

Adding a malicious DLL to a path where it is loaded before the real DLL. The same can be done on macOS with a dylib.

71
Q

Armitage

A

Offers a GUI front end for Metasploit

72
Q

Owning a system

A

Gaining access to the machine and escalating privileges

73
Q

Tools for remote execution

A

RemoteExec,
PDQ Deploy,
Dameware Remote Support

74
Q

NTFS Alternate Data Stream

A

An NTFS feature originally included for Apple file system compatibility; allows you to hide data or a file inside an NTFS file.
type badfile.exe > c:\goodfile.exe:badfile.exe
There are methods for starting badfile.exe depending on the version of Windows:
Use the start command, for example, START c:\goodfile.exe:badfile.exe, or create a link to start it using mklink, for example, mklink innocent.exe goodfile.exe:badfile.exe, and execute innocent.exe

75
Q

Tools to find alternate data stream files

A

LNS,
Sfind,
dir /r
You can also copy the file to a FAT partition, which does not support alternate data streams.

76
Q

Hide files with steganography

A

ImageHide,
Snow,
MP3Stego,
Blindside,
S-Tools,
wbStego,
Stealth

77
Q

Semagram

A

Part of steganography.

Visual semagram: Uses everyday objects to convey a message, for example, how objects are arranged on a desk. Semagrams hide information by using symbols, signs, or visual objects. It is more like an indicator of a larger, previously agreed upon message. For example, Bob wants to tell Alice that the party will take place on Friday. A semagram could be a postcard with a picture of a Chevrolet car, which Bob and Alice have already agreed means affirmative (the party will take place), while a Ford car means negative (the party won't take place).

Text semagram: Obscures a message in text by using things such as font, size, type or spacing.

78
Q

Hide tracks by modifying or deleting log files

A

Turning auditing off and back on and deleting all entries in a log file can be discovered. Better to corrupt the log file. Tools for log file manipulation include:
elsave,
WinZapper,
Evidence Eliminator,
Auditpol (to disable log files)

79
Q

Rootkit

A

A collection of software put in place by an attacker designed to obscure system compromise. Replaces or substitutes administrator utilities and capabilities with modified versions that obscure or hide malicious activity. They provide back doors for the attacker to use later and include measures to remove and hide evidence of any activity.

80
Q

Horsepill

A

A Linux kernel rootkit inside the initrd, with three main parts:

  1. klibc-horsepill.patch - creates a new malicious run-init
  2. horsepill_setopt - moves command line arguments to the malicious run-init
  3. horsepill_infect - splats files

81
Q

Grayfish

A

A Windows rootkit that injects code into the boot record, creating its own virtual file system.

82
Q

Other rootkits

A

Sirefef,
Azazel,
Avatar,
Necurs,
ZeroAccess

83
Q

Six types of rootkits

A

  1. Hypervisor level - modifies the boot sequence to load a virtual machine as the host OS
  2. Hardware (firmware) level - hides in hardware devices or firmware
  3. Boot loader level - replaces the boot loader with one controlled by the hacker
  4. Application level - replaces valid application files with Trojan binaries
  5. Kernel level - attacks the boot sectors and kernel level of the operating system itself, replacing kernel code with back door code. The most dangerous and the most difficult to detect and remove
  6. Library level - uses system calls to hide its existence

84
Q

Blue Pill

A

The Blue Pill concept is to trap a running instance of the operating system by starting a thin hypervisor and virtualizing the rest of the machine under it. The previous operating system would still maintain its existing references to all devices and files, but nearly anything, including hardware interrupts, requests for data and even the system time could be intercepted (and a fake response sent) by the hypervisor.

85
Q

Protection Rings

A

Ring 0 - The kernel
Ring 1 - Drivers
Ring 2 - Libraries
Ring 3 - Applications, also known as user mode

86
Q

Steps for detecting a rootkit

A

First run dir /s /b /ah and dir /s /b /a-h on the potentially infected system and save the results. Boot a clean CD version and run the same commands. Use windiff to compare the two results files.