Day 7 Flashcards
DACL ACE order of precedence
explicit deny
explicit allow
inherited deny
inherited allow
Universal Naming Convention
if you are denied access to a folder but given access to a file within the folder, use the UNC path (file path) to access the file
Take ownership
In 6* architecture, the administrator can directly assign a new owner.
In 5* architectures, a user must have the special permission and then exercise that permission
copying files/folders
must have read at the source.
must have write at the destination.
because the copied file is a new instance, permissions are inherited from the parent directory
moving files/folders
must have read and delete at the source.
must have write at the destination.
When moved within the same volume, permissions are retained.
when moved to a different volume, permissions are inherited from the parent folder
exFAT (FAT64)
more storage than FAT16 or FAT32.
less functionality, and less overhead, than NTFS.
best option when you need to save files larger than 4GB.
often used for thumb drives.
Like older FAT, exFAT still has an allocation table, root directory, entries and timestamps.
allocation table
exFAT uses a bitmap to track cluster allocation status.
FAT will still be used to track clusters should data become fragmented
root directory
Root directory tracks files, subdirectories and the bitmap.
32 bytes in length
file directory entries
found within the root directory.
files have a minimum of 3 entries and a max of 19. (directory sets)
contain file attributes (RASH), time stamps (MAC), file name, file size, and cluster information.
timestamps
three main timestamps: created, accessed, and written/modified.
accessed timestamp reflects accurate date and time (unlike FAT).
Remote Procedure Call (RPC)
Windows uses RPC to allow a program running on one computer to seamlessly execute code on a remote system.
RPC listens on TCP port 135.
RPC vulnerabilities
Endpoint mapper promiscuity
general DoS by attacking port 135
NetBIOS
a session layer file and print sharing protocol.
provides 3 services: Name service, datagram service, and session service
NetBIOS Name Service
NetBIOS name service is used for name resolution and registration (UDP port 137).
NetBIOS names are flat and limited to 16 characters. The first 15 characters are for names and the 16th character indicates the function/service.
<00> workstation
<20> server
Name advertisement
1. client broadcasts NetBIOS info 6-10 times.
2. if the name is already in use, that client sends a broadcast back indicating its use.
3. if there are no in use responses, the original client may use the name.
(a name is unique and goes to the first device that requests it)
name resolution
- Client first checks its cache.
- if not found, client requests resolution from master browser or WINS server.
- if name is not in the master browser or WINS, client sends broadcast looking for it.
- if there are no responses, the name will not be resolved
NetBIOS Datagram Service
UDP port 138
used for browser and messenger services.
<03> indicates messaging is available
NetBIOS session service
NetBIOS session service uses TCP port 139.
primarily used for local network file and print sharing.
NBTSTAT (NetBIOS over TCP/IP Statistics)
NBTSTAT is a diagnostic tool for NetBIOS over TCP/IP.
nbtstat -a: lowercase a is used with a NetBIOS name
nbtstat -A: uppercase A is used with an IP address
nbtstat -n: lists local NetBIOS names
Server Message Block (SMB)
SMB (AKA CIFS) is an application layer protocol used for file and print sharing.
uses TCP port 445.
SMB is transport independent.
Samba
Samba provides file and print sharing services to SMB/CIFS clients and allows for seamless interoperability between *NIX servers and Windows clients
Remote Desktop Protocol (RDP)
RDP on TCP port 3389 is a remote connection system.
RDP allows for an actual GUI desktop.
Typically only enabled on servers and certain administrative workstations.
network discovery
enables a computer to locate any device with an IP address
Netstat
netstat provides information and statistics about protocols in use and current tcp/ip network connections.
netstat -an (most common syntax)
netstat states
Listening: server ready for connection
Established: session is established
Time_wait: server has closed connection, but still waiting for final timeout value.
PS equivalent to Netstat
get-netTCPConnection
net help
displays a list of commands
net help
net view
displays a list of resources being shared on a computer.
net view lists computers in current domain/network
net view /domain: lists computers in another domain/network
net view \ lists public shares on a remote system
/all option on 6* systems lists all admin and hidden shares
Net use
lists sessions in the form of mapped drives made from the workstation
net use displays workstation connections and mapped drives.
net use T: \ Maps a logical T: drive to UNC which is \ \sharename
net use T: /delete deletes logical T: drive
the PS equivalent to Net Use
get-smbConnection
Net share
makes a server’s resources available to network users
net share displays local shares, including admin and hidden
net share utils=c:\tools shares c:\tools directory, naming the share utils
net share utils /delete deletes the share named utils
administrative shares
default shares:
Drive letter$ i.e C$, E$, F$, etc
ADMIN$ the Systemroot on Windows is shared via admin shares.
IPC$ shares named pipes required for communication between computers and programs
SYSVOL used on active directory domain controllers
PS equivalent to net share
Get-smbshare
Net session
command lists recorded sessions made to the machine via the local server service.
net session displays connections made to the local server service
net session \ displays details of a session
net config
displays configuration information of the Workstation or server service
net accounts
updates the user accounts database and modifies password and logon requirements for all accounts
/minpwlen:
/maxpwage: