Day 8 Flashcards
null session
Unauthenticated SMB sessions that connect to the IPC$ share with null credentials (empty username and empty password).
A null session can allow anonymous enumeration of:
SAM accounts
a list of machines on the system’s network
a list of shares
securing null session vulnerabilities
a combination of firewall rules (block SMB, TCP 139 and 445, from untrusted networks), registry values, and Group Policy security options
null session registry key
HKLM\SYSTEM\CurrentControlSet\Control\Lsa; its RestrictAnonymous value (REG_DWORD) controls what a null session may enumerate
RestrictAnonymous values, Windows 5.x architecture (2000, XP, Server 2003)
value  security level
0      none; relies on default permissions
1      do not allow enumeration of SAM accounts and shares
2      no access without explicit anonymous permissions (Windows 2000 only; can break trusts and down-level clients)
RestrictAnonymous values, Windows 6.x architecture (Vista, Server 2008 and later)
value  security level
0      disabled; anonymous users are not restricted
1      do not allow anonymous enumeration of SAM accounts and shares
a separate RestrictAnonymousSAM value (same key, 1 by default since XP) blocks enumeration of SAM accounts alone
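Added example (Python, not from the flashcards): a small auditor for the registry values above. It parses the text printed by `reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa` (run locally or against a remote host) and says whether anonymous enumeration is still allowed, using the 5.x/6.x meanings given in the tables. The sample output is constructed; RestrictAnonymousSAM is the companion value that governs SAM accounts on XP and later, and the defaults assumed for missing values (RestrictAnonymous 0, RestrictAnonymousSAM 1) are stated in the code.

```python
import re

# Constructed sample output, laid out the way
#   reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa
# prints it: the key path at column 0, indented value lines, then subkey paths.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    RestrictAnonymous    REG_DWORD    0x0
    RestrictAnonymousSAM    REG_DWORD    0x1
    LmCompatibilityLevel    REG_DWORD    0x3

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit
"""

# Value lines are indented: <name> <REG_type> <data>; key paths start at column 0.
_VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s+(\S.*?)\s*$")


def parse_reg_query(text):
    """Return {value_name: data} for the value lines in reg query output.

    REG_DWORD data is converted to int (reg query prints it as 0x...);
    other types are kept as strings.
    """
    values = {}
    for line in text.splitlines():
        m = _VALUE_LINE.match(line)
        if m is None:
            continue
        name, kind, data = m.groups()
        values[name] = int(data, 0) if kind == "REG_DWORD" else data
    return values


def audit_anonymous_restrictions(values, windows_major):
    """Interpret the LSA anonymous-restriction values for an NT major version.

    windows_major 5 covers Windows 2000/XP/Server 2003; 6 or higher covers
    Vista/Server 2008 and later. Absent values take the assumed defaults
    RestrictAnonymous=0 and RestrictAnonymousSAM=1. Returns a list of
    (value_name, data, meaning, verdict) with verdict "weak" or "ok".
    """
    ra = int(values.get("RestrictAnonymous", 0))
    ra_sam = int(values.get("RestrictAnonymousSAM", 1))
    if windows_major <= 5:
        meaning = {0: "none; relies on default permissions",
                   1: "no anonymous enumeration of SAM accounts and shares",
                   2: "no anonymous access without explicit permissions (Windows 2000)"}
    else:
        meaning = {0: "disabled; anonymous users are not restricted",
                   1: "no anonymous enumeration of SAM accounts and shares"}
    return [
        ("RestrictAnonymous", ra, meaning.get(ra, "undocumented value"),
         "weak" if ra == 0 else "ok"),
        ("RestrictAnonymousSAM", ra_sam,
         "anonymous SAM enumeration allowed" if ra_sam == 0
         else "anonymous SAM enumeration blocked",
         "weak" if ra_sam == 0 else "ok"),
    ]


def weak_settings(reg_query_text, windows_major):
    """Names of the values that still permit anonymous enumeration."""
    findings = audit_anonymous_restrictions(parse_reg_query(reg_query_text), windows_major)
    return [name for name, _, _, verdict in findings if verdict == "weak"]


if __name__ == "__main__":
    for name, data, meaning, verdict in audit_anonymous_restrictions(
            parse_reg_query(SAMPLE_REG_QUERY), windows_major=6):
        print(f"{verdict:4}  {name}={data}  ({meaning})")
```

The sample host has RestrictAnonymousSAM=1 but RestrictAnonymous=0, so share enumeration over a null session is still open; the firewall and Group Policy settings from the card above are what close it on a fleet.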
named pipes
a Windows inter-process communication mechanism (created and opened through Win32 API functions) used for client-server connections; over the network they are reached through the IPC$ share, which is why a null session can talk to them
named pipes of interest for null sessions
\pipe\samr: SAM remote protocol (user and group enumeration)
\pipe\srvsvc: Server service RPC (share and session enumeration)
\pipe\wkssvc: Workstation service RPC (host information, logged-on users)
Windows Firewall
a host-based, stateful firewall that blocks unsolicited inbound connections. It was introduced with Windows XP SP2 (replacing the Internet Connection Firewall of earlier XP releases).
Windows Internet Name Service (WINS)
a name resolution service that resolves NetBIOS names to IP addresses (the legacy counterpart of DNS on Windows networks).
Domain Name System (DNS)
resolves fully qualified domain names (FQDNs) to IP addresses (forward lookups) and IP addresses to FQDNs (reverse lookups).
Active Directory requires DNS: domain controllers publish SRV records that clients query to locate logon and directory services.
DNS Zones
represent a discrete portion of the namespace for a particular domain and provide a way to partition the domain namespace into manageable sections.
Primary zone
contains the read/write master copy of the zone's data.
a standard primary zone is stored as a text file in %systemroot%\system32\dns
secondary zone
contains a read-only copy of the zone's data.
when a secondary zone needs an update, it requests a zone transfer from a primary (master) server
also stored as a text file in %systemroot%\system32\dns
Active Directory-integrated zones
stored in Active Directory itself and replicated with it to every domain controller running DNS; only these zones support secure dynamic updates.
DNS servers
there are primary servers, secondary servers, and caching-only servers
Primary servers
host primary zones
secondary servers
host secondary zones
caching-only servers
host no zones of their own; they answer from a cache of previously resolved queries
Nslookup
a built-in command-line tool for DNS diagnostics, queries, and (if the server permits them) zone transfers
example nslookup commands (interactive mode)
ls -d starfleet.local    list every record of the starfleet.local zone (requests a zone transfer; fails if the server restricts transfers)
server 192.168.0.20      change the default DNS server to the given IP address or name
exit                     leave the nslookup shell
Start of authority (SOA)
SOA is the first resource record in a zone.
it identifies the best (most authoritative) source of information for the domain.
serial number: revision number of the zone; secondary servers compare it with their copy to decide whether a transfer is needed
refresh: interval used by secondary servers to control how often they request zone information from the primary
zone transfers are initiated by secondary servers
Service location (SRV) record
maps a service name (such as _ldap._tcp) to the host offering the service, together with its priority, weight, and port.
Name Server (NS) record
declares an authoritative name server for the zone, which answers queries for that zone
Mail Exchanger (MX) record
specifies a mail exchange server for the domain, with a preference value when several exist.
Host (A) record
maps a host name to an IPv4 address (forward lookups)
Host (AAAA) record
maps a host name to an IPv6 address (forward lookups)
Alias (CNAME) record
sets an alias for a host name; often used to point “www” at the web server's real host name.
Pointer (PTR) record
maps an IP address to a host name for reverse lookups (kept in the in-addr.arpa and ip6.arpa zones)
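Added example (Python, not from the flashcards): a parser for the zone-file format that a file-backed primary zone in %systemroot%\system32\dns uses, run over a constructed starfleet.local zone. It pulls the SOA fields the cards describe (serial, refresh), groups the records by type (NS, MX, A, AAAA, CNAME, SRV), and checks for the _ldap._tcp.dc._msdcs SRV record that Active Directory clients query to find a domain controller. All names, addresses and timers in ZONE_TEXT are made up.

```python
# Constructed zone for the flashcards' starfleet.local domain, in the
# RFC 1035 master-file format used by file-backed primary zones. Every name,
# address and timer below is made up.
ZONE_TEXT = """\
$ORIGIN starfleet.local.
$TTL 3600
@       IN  SOA  dc1.starfleet.local. hostmaster.starfleet.local. (
                 2024051201 ; serial: bump on every change so secondaries transfer
                 900        ; refresh: how often secondaries poll the primary
                 600        ; retry
                 86400      ; expire
                 3600 )     ; minimum / negative-caching TTL
@       IN  NS   dc1.starfleet.local.
@       IN  MX   10 mail.starfleet.local.
dc1     IN  A    192.168.0.20
mail    IN  A    192.168.0.25
www     IN  CNAME web1
web1    IN  A    192.168.0.30
web1    IN  AAAA fd00::30
_ldap._tcp.dc._msdcs  IN  SRV 0 100 389 dc1.starfleet.local.
"""

CLASSES = {"IN", "CH", "HS"}
# rdata positions that hold domain names and therefore need the origin appended
NAME_FIELDS = {"NS": (0,), "CNAME": (0,), "PTR": (0,), "MX": (1,), "SRV": (3,), "SOA": (0, 1)}


def _logical_lines(text):
    """Yield records with ';' comments removed and '(' ... ')' spans joined."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth <= 0:
            joined = " ".join(buf)
            buf, depth = [], 0
            if joined.strip():
                yield joined


def _qualify(name, origin):
    """Make a relative name absolute; '@' stands for the origin itself."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    if origin is None:
        raise ValueError(f"relative name {name!r} before any $ORIGIN")
    return f"{name}.{origin}"


def parse_zone(text):
    """Return a list of {'name', 'ttl', 'type', 'rdata'} dicts in file order."""
    records, origin, default_ttl, last_owner = [], None, None, None
    for line in _logical_lines(text):
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0] == "$TTL":
            default_ttl = int(tokens[1])
            continue
        # A line starting with whitespace has no owner name and reuses the previous one.
        owner = last_owner if line[0].isspace() else _qualify(tokens.pop(0), origin)
        ttl = default_ttl
        if tokens[0].isdigit():            # [TTL] [class] or [class] [TTL]
            ttl = int(tokens.pop(0))
        if tokens[0] in CLASSES:
            tokens.pop(0)
        if tokens[0].isdigit():
            ttl = int(tokens.pop(0))
        rtype = tokens.pop(0).upper()
        rdata = tokens
        for i in NAME_FIELDS.get(rtype, ()):
            rdata[i] = _qualify(rdata[i], origin)
        records.append({"name": owner, "ttl": ttl, "type": rtype, "rdata": rdata})
        last_owner = owner
    return records


def soa_fields(records):
    """Return the SOA as a dict, with the timers as ints."""
    soa = next(r for r in records if r["type"] == "SOA")
    mname, rname, serial, refresh, retry, expire, minimum = soa["rdata"]
    return {"primary": mname, "contact": rname, "serial": int(serial),
            "refresh": int(refresh), "retry": int(retry),
            "expire": int(expire), "minimum": int(minimum)}


def records_by_type(records):
    by_type = {}
    for r in records:
        by_type.setdefault(r["type"], []).append(r)
    return by_type


def has_dc_locator(records, domain):
    """True if the zone carries the SRV record AD clients query to find a domain controller."""
    locator = f"_ldap._tcp.dc._msdcs.{domain}"
    return any(r["type"] == "SRV" and r["name"] == locator for r in records)


if __name__ == "__main__":
    recs = parse_zone(ZONE_TEXT)
    print("SOA:", soa_fields(recs))
    for rtype, rs in sorted(records_by_type(recs).items()):
        print(f"{rtype:5} {len(rs)} record(s)")
    print("DC locator present:", has_dc_locator(recs, "starfleet.local."))
```

The same parser can be pointed at the output of a zone transfer (nslookup ls -d, or dig axfr) to see exactly what an unrestricted transfer hands an outsider: every host, the mail server, and the domain controllers.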
DNS name resolution
the client uses its resolver to initiate DNS name resolution, checking its local cache before querying the configured DNS servers
Securing DNS
secure dynamic updates so that only systems authorized to make them can register or change records (requires Active Directory-integrated zones).
limit zone transfers to the zone's authoritative name servers and other explicitly authorized systems.
secure against DNS cache poisoning/pollution (on Windows DNS, the "Secure cache against pollution" option discards records that fall outside the queried domain).
Microsoft Internet Information Services (IIS)
by default supports FTP on TCP port 21, HTTP on port 80, and/or HTTPS on port 443
IIS default web and FTP sites
C:\Inetpub\wwwroot (web) and C:\Inetpub\ftproot (FTP)
IUSR_ComputerName
the anonymous account IIS impersonates when users connect to hosted web sites without authenticating
IWAM_ComputerName
the account used to launch out-of-process (isolated) web applications so their code runs in a separate memory space from the core web server process
Local System
Service account for the following services:
IISADMIN IIS Admin service
W3SVC WWW publishing service used for http hosting
MSFTPSVC FTP publishing service used for FTP hosting
WWW URL example
http://www.microsoft.com:8080/urlinfo/docs.htm
protocol (scheme): http
host (domain): www.microsoft.com
port: 8080 (omitted when the protocol's default, 80 for HTTP or 443 for HTTPS, is used)
path to page: /urlinfo/docs.htm
FTP URL example
ftp://admin:abcd1234@ftp.microsoft.com/public/docs.htm
protocol: ftp
credentials: admin:abcd1234 (username:password, carried in cleartext in the URL and on the wire)
host (domain): ftp.microsoft.com
path to file: /public/docs.htm
web sites
web sites are commonly identified and hosted in the following ways: IP address, port number, host header
IP address
configure each web site with a different IP address
Port number
the server directs requests to the site listening on the TCP port they arrive at
host header
multiple web sites may share the same IP address and port number; the Host header sent by the browser identifies the specific web site. A request whose Host header matches no site falls to the binding that has no host header configured (typically the default site), if one exists.
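Added example (Python, not from the flashcards and not IIS's own code): a model of how a server chooses a site from the three identifiers above. The bindings are constructed, and the precedence rule (a binding tied to a specific IP beats an all-unassigned one; within that, a named host header beats "any host") is this example's simplification, not IIS's documented matching order, so check your IIS version's rules before relying on it. The interesting case is the last one: a request that names no known site lands on the default site.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One site binding: IP address ("*" = all unassigned), port, host header ("" = none)."""
    site: str
    ip: str
    port: int
    host: str


# Constructed bindings: two sites share *:80 and are told apart only by host header.
BINDINGS = [
    Binding("Default Web Site", "*", 80, ""),
    Binding("intranet", "*", 80, "intranet.starfleet.local"),
    Binding("public", "203.0.113.10", 80, "www.starfleet.example"),
    Binding("admin-console", "192.168.0.5", 8080, ""),
]


def _match_rank(b, ip, port, host):
    """Rank of a matching binding (higher = more specific), or None if it does not match.

    Assumed precedence (a simplification, not IIS's documented rules): a binding
    on a specific IP outranks an all-unassigned one, and a binding that names a
    host header outranks one that accepts any host.
    """
    if b.port != port:
        return None
    if b.ip != "*" and b.ip != ip:
        return None
    if b.host and b.host.lower() != host:
        return None
    return (2 if b.ip != "*" else 0) + (1 if b.host else 0)


def select_site(bindings, ip, port, host_header):
    """Return the site that would serve the request, or None if no binding accepts it."""
    host = host_header.split(":", 1)[0].lower()  # Host may carry ":port"; compare the name only
    best_site, best_rank = None, -1
    for b in bindings:
        rank = _match_rank(b, ip, port, host)
        if rank is not None and rank > best_rank:
            best_site, best_rank = b.site, rank
    return best_site


if __name__ == "__main__":
    for req in [("203.0.113.10", 80, "www.starfleet.example"),
                ("203.0.113.10", 80, "intranet.starfleet.local"),
                ("203.0.113.10", 80, "203.0.113.10"),   # bare IP as Host: falls to the default site
                ("192.168.0.5", 8080, "anything"),
                ("192.168.0.5", 443, "www.starfleet.example")]:
        print(req, "->", select_site(BINDINGS, *req))
```

Because the fallback binding answers for any Host value, whatever is published on the default site is reachable by IP address alone, which is why a production server either removes that site or leaves nothing sensitive in its root.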
IIS Authentication methods
anonymous access
requires no username or password.
IIS processes the request under the anonymous account IUSR_computername
Basic authentication
requires a username and password, transmitted Base64-encoded; the encoding is trivially reversed, so the credentials are effectively plaintext unless the connection uses HTTPS.
Integrated Windows authentication
more secure than Basic authentication: the password itself is never sent (NTLM or Kerberos exchange).
uses the same credentials as the domain logon, so a domain-joined client is not prompted again
generally cannot be used across firewalls or HTTP proxy servers, which break the connection-bound handshake
Digest authentication
also more secure than Basic authentication: the client sends an MD5 hash of the credentials combined with a server-supplied nonce instead of the password.
it can be used across firewalls and proxy servers because it consists of ordinary HTTP headers
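Added example (Python, not from the flashcards) showing what Basic and Digest authentication actually put on the wire. The Basic half encodes and then recovers the FTP-URL credentials from the card above to show that Base64 is not protection; the Digest half implements the RFC 2617 MD5 response with qop=auth on both client and server side, so the password never appears in the header and the server needs only HA1. The user, password, realm, nonce and URI are constructed values.

```python
import base64
import hashlib
import hmac

# Constructed values for the example; realm, nonce and cnonce are made up.
USER, PASSWORD = "admin", "abcd1234"
REALM, URI = "starfleet", "/public/docs.htm"
NONCE, CNONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "0a4f113b"


def basic_header(user, password):
    """Basic: user:password, Base64-encoded. Encoding is not encryption."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def recover_basic(header):
    """Anyone who captures the header recovers the password with one decode."""
    scheme, token = header.split(" ", 1)
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_ha1(user, realm, password):
    """HA1 = MD5(user:realm:password); the server can keep this instead of the password."""
    return _md5(f"{user}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, cnonce, nc="00000001", qop="auth"):
    """RFC 2617, qop=auth: response = MD5(HA1:nonce:nc:cnonce:qop:HA2), HA2 = MD5(method:uri)."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def digest_header(user, password, realm, method, uri, nonce, cnonce, nc="00000001"):
    """Client side: the Authorization header. The password itself never appears in it."""
    response = digest_response(digest_ha1(user, realm, password), method, uri, nonce, cnonce, nc)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{response}"')


def _parse_digest(header):
    params = {}
    for part in header[len("Digest "):].split(", "):
        key, _, value = part.partition("=")
        params[key] = value.strip('"')
    return params


def server_verifies(header, method, stored_ha1, expected_nonce):
    """Server side: recompute from the stored HA1 and compare in constant time.

    Also rejects a header built against a nonce this server did not issue,
    which is what stops a captured header from being replayed later.
    """
    p = _parse_digest(header)
    if p.get("nonce") != expected_nonce:
        return False
    expected = digest_response(stored_ha1, method, p["uri"], p["nonce"],
                               p["cnonce"], p["nc"], p.get("qop", "auth"))
    return hmac.compare_digest(expected, p["response"])


if __name__ == "__main__":
    b = basic_header(USER, PASSWORD)
    print(b, "->", recover_basic(b))
    d = digest_header(USER, PASSWORD, REALM, "GET", URI, NONCE, CNONCE)
    print(d)
    print("password visible on the wire:", PASSWORD in d)
    print("server accepts:", server_verifies(d, "GET", digest_ha1(USER, REALM, PASSWORD), NONCE))
```

Digest still rests on MD5 and on the server holding HA1 (on Windows that means the domain must store the password in a form from which HA1 can be derived), and a captured header can be brute-forced offline against weak passwords; that is why Integrated Windows authentication, or Basic over HTTPS, is the usual choice today.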