EJPT Flashcards

Question

where is the hosts file for linux stored ?

Answer 1

/etc/hosts

Answer 2

-T0 is the slowest all the way up to -T5 which is the fastest

Answer 3

-oN test.txt

Answer 4

Netbios sets up the session for smb and runs on port 139

Answer 5

--script smb=security.mode

Answer 6

--script smb-enum-shares

Answer 7

With smb IPC$ is a null session

Answer 8

Smb is also used to share printer information

Answer 9

--script smb-enum-users

Answer 10

--script smb-enum-groups

Answer 11

--script smb-enum-services

Answer 12

FTP runs on port 21 and we want to check if anonymous access is allowed

Answer 13

a weakness in the computational logic found in software and hardware components that when exploited results in a negative impact to confidentiality, integrity, or availability

Answer 14

- software -operating system

Answer 15

NIST which stands for National Vulnerability Database

Answer 16

TLS encrypts data in transmission open SSL allows for that encryption

Answer 17

--script ssl-heartbleed

Answer 18

this vulnerability would leak to much information in the packets when it was exploited

Answer 19

Part of the wannacry Ransome attack, this was a 0 day exploit that took advantage of SMB version 1 and was a buffer overflow

Answer 20

Applications used log4j for logging, this was a java library

Answer 21

- Personally Identifiable Information - Healthcare Information - Financial Data - Intellectual Property - Business Secrets Business Operations

Answer 22

- Criminals - Competitors - Insider threats Malicious Actors

Answer 23

- PCI DSS - HIPAA - GDPR - CPPA SOX

Answer 24

- Mandated by card brands - Administered by the Payment Industry Security Standards Council - Created to increase controls around cardholder data to reduce credit card fraud

Answer 25

- US regulations for the use and disclosure of PHI - The final rule on security standards was issued February 20, 2003 - Standards and Specifications ○ Administrative Safeguards ○ Physical Safeguards - Technical Safeguards

Answer 26

- Data protection and privacy law in the EU - Controllers and processors of personal data must put in place appropriate technical and organization measures to implement the data protection principles

Answer 27

- Intended to enhance privacy rights and consumer protection for residents of California - Companies that become victims of data theft or other data security breaches can be ordered in civil class action lawsuits to pay statutory damages

Answer 28

- Us federal law mandates certain practices in financial record keeping and reporting for corporations - Requires strong internal control processes

Answer 29

- ISO/IEC 27000 - COBIT - NIST - CIS - CMMC - ASD

Answer 30

- Deliberately broad in scope - Covering more than just privacy, confidentiality and IT Technical cybersecurity issues - Applicable to organizations of all shapes and sizes 27001 is the guidelines

Answer 31

- Control objectives for information and related technologies - Created by ISACA for information technology management and IT governance - Business focused and defines a set of generic processes for the management of IT

Answer 32

- Catalog of security and privacy controls for all US federal information systems except those related to national security - Agencies are expected to be compliant with NIST security standards and guidelines - NIST provides a set of baseline security control and privacy controls for information systems and organizations

Answer 33

- Center for internet security - Set of 18 prioritized safeguards to mitigate the most prevalent cyber attacks - A defense in depth model to help prevent and detect malware Offers a free hosted software product called the CIS controls Self-Assessment tool

Answer 34

- A training certification and third party assessment program of cybersecurity in the united stated government defense industrial base - Requires a third party assessor to verify the cybersecurity maturation level - There is 5 levels Anyone working with the DOD

Answer 35

- Information disclosure - vulnerability that allows an attacker to access confidential information - Buffer overflows - caused by a programming error, allows attackers to write data to a buffer and overrun the allocated buffer, consequently writing data to allocated memory addresses - Remote Code Execution - vulnerability that allows an attacker to elevate their privileges after initial compromise - Denial of Service DOS - vulnerability that allows an attacker to consume a system/host resources consequently preventing the systems from functioning normally

Answer 36

Microsoft IIS / TCP ports 80-443 / proprietary web server software developed by Microsoft that runs on Windows

Answer 37

WebDav / TCP ports 80-443 / HTTP extension that allows clients to update, delete, move and copy files on a web server, WebDav is used to enable a web server to act as a file server

Answer 38

SMB-CIFS / TCP port 445 / Network File sharing protocol that is used to facilitate the sharing of files and peripherals between computers on a local network

Answer 39

RDP / TCP port 3389 / proprietary GUI remote access protocol developed by Microsoft and is used to remotely authenticate and interact with a windows system

Answer 40

WinRM / TCP ports 5986-443 / windows remote management protocol that can be used to facilitate remote access with windows systems

Answer 41

- IIS internet information services is a proprietary extensible web server software developed by Microsoft for use with the Windows NT Family - It can be used to host websites/web apps and provides administrators with a robust GUI for managing websites - IIS can be used to host bother static and dynamic web pages developed in ASP.NET and PHP - Typically configured to run on ports 80/443 - Supported executable file extensions - Asp - Aspx - Config - Php

Answer 42

- Is a set of extensions to the HTTP protocol which allows uses to collaboratively edit and manage files on remote web servers - Webdav essentially enables a web server to function as a file server for collaborative authoring - Webdav runs on top of Microsoft IIS on ports 80/443 - In order to connect to a webdav server you will need to provide legitimate credentials, this is because WebDav implements authentication in the form of username and password

Answer 43

- The first step of the exploitation process will involve identifying weather webdav has been configured to run on the IIS webserver - We can perform a brute-force attack on the WebDav server in order to identify legitimate credentials that we can use for authentication - After obtaining legitimate credentials we can authenticate with the WebDav server and upload a malicious asp payload that can be used to execute arbitrary commands or obtain a reverse shell on the target

Answer 44

- Davtest, used to scan, authenticate and exploit a WebDav server Cadaver - cadaver supports file upload, download, and on screen display, in place editing, namespace operations, collection creation, deletion and resource locking

Answer 45

- Server message block is a network file sharing protocol that is used to facilitate the sharing of files and peripherals printers between computers on a local network - Smb uses port 445 TCP however originally SMB ran on top of NetBIOS using port 139 SAMBA is the open source linux implementation of SMB and allows Windows systems to access linux shares and devices

Answer 46

- The smb protocol utilizes two levels of authentication namely: ○ User auth ○ Share authentication User authentication - users must provide a username and password in order to authenticate with the SMB server in order to access a share Share authentication - users must provide a password in order to access a restricted share

Answer 47

- Psexec is a lightweight telnet replacement developed by Microsoft that allows you execute processes on remote windows systems using any users credentials - Psexec authentication is performed via smb - We can use PsExec utility to authenticate with the target system legitimately and run arbitrary commands or launch a remote command prompt It is very similar to RDP however instead of controlling the remote system via GUI commands are sent via CMD

Answer 48

- In order to utilize Psexec to gain access to a windows target we will need to identify legitimate user accounts and their respective passwords or password hashes - This can be done by leveraging various tools and techniques however the most common technique will involve performing an smb login brute force attack - We can narrow our attack down to only include usernames like administrator Then we can authenticate with Psexec or get a reverse shell

Answer 49

- is the name given to a collection of windows vulns and exploits that allow attackers to remotely execute arbitrary code and gain access to a windows system and consequently the network that the target system is a part of - Developed by the NSA leaded to the public in 2017 by the shadow brokers Takes advantage of a vulnerability in the windows SMBv1 protocol that allows attackers to send specially crafted packets that cause the execution of arbitrary commands

Answer 50

- The RDP protocol is a proprietary GUI remote access protocol developed by Microsoft and is used to remotely connect and interact with a windows system - RDP uses TCP port 3389 by default and cam also be configured to run on any other TCP port - RDP authentication requires a user account on the target system as well as a password We can perform an RDP Brute force attack to identify legitimate user accounts

Answer 51

- RDP vuln in windows that could potentially allow attackers to remotely execute arbitrary code and gain access to a windows system and consequently the network that the target system is a part of - Made public in may 2019 -Takes advantage of a vuln in windows RDP protocol that allows attackers to gain access to a chunk of kernel memory consequently allowing them to remotely execute arbitrary code at the system level without authentication

Answer 52

- Windows remote management protocol that can be used to facilitate remote access with windows systems over HTTPS - Microsoft implemented WinRm to windows in order to make life easier on system admins - WinRm is typically used in the following ways ○ Remotely access and interact with windows hosts on a local network ○ Remotely access and execute commands on windows systems ○ Manage and configure windows systems remotely WinRM typically uses TCP port 5985 and 5986

Answer 53

- WinRM implements access control and security for communication between systems through various forms of authentication - We can utilize a utility called crackmapexec to perform a brute force on WinRm in order to identify users and their passwords as well as execute commands on the target system We can also utilize a Ruby script called evil-winrm to obtain a command shell session on the target system

Answer 54

Crackmapexec winrm -u administrator -p

Answer 55

- Privilege escalation is the process of exploiting vulnerabilities or misconfigurations in systems to elevate privileges from one user to another, typically to a user with admin or root access on a system - Privilege escalation is a vital element of the attack life cycle and is a major determinant in the overall success of a pen test - After gaining an initial foothold on a target system you will be required to elevate your privileges in order to perform tasks and functionality that require admin privs The importance of priv esc in the pentest process cannot be overstated or overlooked. Developing your priv esc skills will mark you out as a good pentester

Answer 56

A kernel is a computer program that is the core of an operating system and has complete control over every resource and hardware on a system it acts as a translation layer between hardware and software and facilitates the communications between these two layers

Answer 57

- Windows NT is the kernel that comes packaged with all versions of Microsoft windows and operates as a traditional kernel with a few exceptions based on user design philosophy. It consists of two main modes of operation that determine access to system resources and hardware - User mode - programs and services running in user mode have limited access to system resources and functionality - Kernel mode - kernel mode has un-restricted access to system resources and functionality with the added functionality of managing devices and system memory

Answer 58

Kernel exploits on windows will typically target vulnerabilities in the windows kernel to execute arbitrary code in order to run privileged system commands or to obtain a system shell

Answer 59

- identifying kernel exploits - downloading, compiling, and transferring kernel exploits onto the target system

Answer 60

Windows exploit suggester a python script is good at getting the OS level and finding corresponding vulnerabilities

Answer 61

User account control is a windows security feature introduced in windows vista that is used to prevent unauthorized changes from being made to the operating system

Answer 62

UAC is used to ensure that changes to the operating system require approval from the administrator or a user account that is part of the local administrators group

Answer 63

A non-privileged user attempting to execute a program with the UAC credential prompt whereas a privileged user will be prompted with a consent prompt

Answer 64

In order to successfully bypass UAC we will need to have access to a user account that us part of the local admin group on the windows target system

Answer 65

UAC has various integrity levels ranging from low to high if the UAC protection level is set below high windows programs can be executed with elevated privileges without prompting the user for confirmation

Answer 66

Windows access tokens are a core element of the authentication process on windows and are created and managed by the Local Security Authority Subsystem Service LSASS

Answer 67

A Windows Access token is responsible for identifying and describing the security context of a process or thread running on a system. Simply put an access token can be thought of as a temporary key akin to a web cookie that provides users with access to a system or network resource without having to provide credentials each time a process is started or a system resource is accessed

Answer 68

Access tokens are generated by the winlogon.exe process every time a user authenticates successfully and includes the identity and privileges of the user account associated with the thread or process. This token is then attached to the userinit.exe process after which all child processes started by the user will inherit a copy of the access token from their creator and will run under privileges of the same token

Answer 69

Impersonate level tokens are created as a direct result of a non interactive login on windows typically through specific system services or domain logons Impersonate level tokens can be used to impersonate a token on the local subsystem and not on any external systems that utilize the tokens

Answer 70

Delegate level tokens are typically created through an interactive login on windows, primarily through a traditional login or through remote access protocols such as RDP Delegate level tokens pose the largest threat as they can be used to impersonate tokens on any system

Answer 71

The process of impersonating access tokens to elevate privileges on a system will primarily depend on the privileges assigned to the account that has been exploited to gain initial access as well as the impersonation or delegation tokens available

Answer 72

SeAssignPrimaryToken: this allows a user to impersonate tokens SeCreateToken: this allows a user to create an arbitrary token with admin privileges SeImpersonatePrivilege: This allows a user to create a process under the security context of another user typically with admin privs

Answer 73

Incognito is a built in meterpreter module that was originally a standalone application that allows you to impersonate user tokens after successful exploitation We can use the incognito module to display a list of available tokens that we can impersonate

Answer 74

ADS is an NTFS New Technology File System file attribute and was designed to provide compatibility with the MACOS HFS hierarchical file system

Answer 75

- Any file created on an NTFS formatted drive will have two different forks/streams Data stream - default stream that contains the data of the file Resource stream - typically contains the metadata of the file

Answer 76

Attackers can use ADS to hide malicious code or executables in legitimate files in order to evade detection This can be done by storing the malicious code or executable in the file attribute resource stream of a legitimate file This technique is usually used to evade basic signature based AV's and static scanning tools

Answer 77

The windows OS stores hashed user account passwords locally in the SAM database

Answer 78

Hashing is the process of converting a piece of data into another value. A hashing function or algorithm is used to generate the new value. The result of the hashing algorithm is known as a hash or hash value

Answer 79

Authentication and verification of user credentials is facilitated by the local security authority or LSA

Answer 80

LM and NTLM hashing

Answer 81

Windows disables LM hashing and utilizes NTLM hashing from windows vista onwards

Answer 82

SAM security account manager is a database file that is responsible for managing user accounts and passwords on Windows. All user account passwords stored in the SAM database are hatched The SAM database file cannot be copied while the operating system is running The Windows NT Kernel keeps the SAM database file locked and as a result attackers typically utilize in memory techniques and tools to dump SAM hashes from the LSASS process In modern versions of windows the SAM database is encrypted with a syske

Answer 83

Elevated or Admin privileges ?

Answer 84

LM is the default hashing algorithm that was implemented in Windows operating system prior to NT 4.0 The protocol is used to hash passwords and the hashing process can be broken down into the following steps ○ The password is broken down into seven character chunks ○ All characters are then converted into uppercase ○ Each chunk is then hashed separately with the DES algorithm LM hashing is generally considered to be a weak protocol and can easily be cracked, primarily because the password hash does not include salts consequently making brute force and rainbow table attacks effective against LM hashes

Answer 85

- NTLM is a collection of authentication protocols that are utilized in windows to facilitate authentication between computers. The authentication process involves using a valid username and password to authenticate successfully - From windows vista onwards windows disables LM hashing and utilizes NTLM hashing - When a user account is created it is encrypted using the MD$ hashing algorithm while the original password is disposed of NTLM improves upon LM in the following ways

Answer 86

Windows can automate a variety of repetitive tasks such as the mass rollout or installation of Windows on many systems This is typically done through the use of the Unattended windows setup utility which is used to automate the mass installation/deployment of windows on systems This tool utilizes configuration files that contain specific configurations and user account credentials specifically the administrator password If the unattended windows setup configuration files are left on the target system after installation they can reveal user account credentials that can be used by attackers to authenticate with the windows target legitimately

Answer 87

- C:\Windows\Panther\Unattended.xml C:\Windows\Panther\Autounattend.xml As a security precaution the passwords stored in the unattended Windows setup configuration file may be encoded in base64

Answer 88

Whoami /priv

Answer 89

Mimikatz is a windows post exploitation tool. It allows for the extraction of clear text passwords hashes and kerberos ticket from memory

Answer 90

The SAM database is a database file on windows systems that stores hashed user password

Answer 91

Mimkatz can be used to extract password hashes from the lsass.exe process memory where hashes are cached We can utilize the pre compiled mimikatz executable if we have access to a meterpreter sessions on a windows target we can utilize the inbuilt meterpreter extension kiwi Mimikatz will require elevated privileges in order to run correctly

Answer 92

Pass the hash is an exploitation technique that involves capturing or harvesting NTLM hashes or clear text password and utilizing them to authenticate with the target legitimately

Answer 93

Metasploit PsExec module Crackmpaexec

Answer 94

- Shellshock is the name given to a family of vulnerabilities in the bash shell that allow an attacker to execute remote arbitrary commands via bash, consequently allowing the attacker to obtain remote access to the target system via a reverse shell - The shellshock vulnerability is cause by a vulnerability in Bash where bash mistakenly executes trailing commands after a series of characters - In the context of remote exploitation apache web servers configured to run CGI scripts or .sh scripts are also vulnerable to attack - CGI common gateway interface scripts are used by apache to execute arbitrary commands on the linux system after which the output is displayed to the client - In order to exploit this vulnerability you will need to locate an input vector or script that allows you to communicate with bash - In the context of an apache web server we can utilize any legitimate CGI scripts accessible on the web server - Whenever a CGI script is executed the web server will initiate a new process and run the CGI script with bash

Answer 95

- FTP is a protocol that uses TCP port 21 and is used to facilitate file sharing between a server and client/clients - It is also frequently used as a means of transferring files to and from the directory of a web server - FTP authentication requires a username and password combination as a result we can perform a brute force attack on the FTP server in order to identify legitimate credentials In some cases you can gain anonymous access to FTP servers

Answer 96

- SAMBA utilizes username and password authentication in order to obtain access to the server or a network share - We can perform a brute force attack on the SAMBA server in order to obtain legitimate credentials - After obtaining credentials we can use a utility called smbmap in order to enumerate samba share drives list the contents of the shares as well as download files and execute remote commands on the target We can also utilize a tool called smbclient. It communicates with a LAN manager server, offering an interface similar to that of the FTP program. It can be used to download files from the server to the local machine, upload files from the local machine to the server as well as retrieve directory information from the server

Answer 97

- Smb is a network file sharing protocol that is used to facilitate the sharing of file and peripherals between computers on a local network - Smb uses port 445 however originally smb ran on top of Netbios using port 139 - Samba is the linux implementation of SMB and allows Windows systems to access linux shares and devices

Answer 98

- SAMBA utilizes username and password authentication in order to obtain access to the server or a network share - We can perform a brute force attack on the SAMBA server in order to obtain legitimate credentials - After obtaining credentials we can use a utility called smbmap in order to enumerate samba share drives list the contents of the shares as well as download files and execute remote commands on the target

Answer 99

We can also utilize a tool called smbclient. It communicates with a LAN manager server, offering an interface similar to that of the FTP program. It can be used to download files from the server to the local machine, upload files from the local machine to the server as well as retrieve directory information from the server

Answer 100

Banner grabbing is an information gathering technique used by penetration testers to enumerate information regarding the target operating system as well as the services that are running on its open ports.

Answer 101

The primary objective of banner grabbing is to identify the service running on a specific port as well as the service version

Answer 102

- Performing a service version detection scan with Nmap - Connecting to the open port with netcat - Authenticating with the service

Answer 103

Nmap -sV --script=http-enum

Answer 104

Netcat is a networking utility used to read and write data to network connections using TCP or UDP

Answer 105

- Client mode - netcat can be used in client mode to connect to any TCP/UDP port as well as a netcat listener (server) - Server mode - netcat can be used to listen for connections from clients to a specific port

Answer 106

A bind shell is a tpye of remote shell where the attacker connects directly to a listener on the target system, consequently allowing for execution of commands on the target system

Answer 107

A reverse shell is a type of remote shell where the target connects directly to a listener on the attackers system, consequently allowing for execution of commands on the target system

Answer 108

- host discovery - port scanning and enumeration - vulnerability detection/scanning - exploitation - manual - automated - Post Exploitation - privilege escalation - persistence - dumping hashes

Answer 109

asp and aspx

Answer 110

Information gathering enumeration exploitation post exploitation reporting

Answer 111

passive -osint active - network mapping - host discovery - port scanning - service detection and OS detection

Answer 112

- service and OS enumeration - Service enumeration - user enumeration - share enumeration

Answer 113

vulnerability analysis vulnerability identification developing and modifying exploits service exploitation

Answer 114

- local enumeration - privilege escalation - credential access - persistence - defense evasion - lateral movement

Answer 115

- report writing - recommendations

Answer 116

in computer networks hosts communicate with each other through the use of network protocols

Answer 117

API's, netbios, and RPC

Answer 118

ssl tls JPEG GIF SSH IMAP

Answer 119

HTTP FTP IRC SSH DNS

Answer 120

The network layer of the osi model is responsible for logical addressing, routing, and forwarding data packets between devices across different networks its primary goal is to determine the optimal path for data to travel from the source to the destination even is the devices are on separate networks

Answer 121

ICMP messages include ping echo requests and echo replies

Answer 122

IP enables communication between devices on different network by providing a standardized way to identify and locate hosts

Answer 123

- IP allows for the fragmentation of large packets into smaller fragments when traversing network with varying MTU sizes - the receiving host reassembles these fragments to reconstruct the original packet

Answer 124

- one to one communication - broadcast one to all communication - Multicast one to many communication

Answer 125

the transport layer is the fourth layer of the OSI model and it plays a crucial role in facilitating communication between two devices across a network this layer ensure reliable end to end communication, handling tasks such as error detection, flow control, and segmentation of data into smaller units

Answer 126

the transport layer is responsible for providing end to end communication and ensuring the reliable and ordered delivery of data between two devices on a network

Answer 127

- establishes a connection between the sender and receiver before any data is exchanged making sure it is reliable - TCP guarantees reliable delivery of data it achieves this through mechanisms such as ack and retransmission of lost or corrupted packets - TCP ensures that data is delivered in the correct order

Answer 128

Discovery of live hosts identification of open ports and services network topology mapping OS fingerprinting and detection service version detection identifying filtering and security measures

Answer 129

ping sweeps - sending icmp echo requests to a range of IP addresses to identify live hosts ARP scanning - using ARP requests to identify hosts on a local network ARP scanning is effective in discovering hosts within the same broadcast domain

Answer 130

ping sweep is a network scanning technique used to discover live hosts within a specific IP address range on a network

Answer 131

the basic idea is to send a series of ICMP echo requests messages to a range of IP address’s and observe the responses to determine which addresses are active or live

Answer 132

ping sweeps work by sending one or more specifically crafted ICMP packets if the destination host replies with an ICMP echo reply then the host is alive

Answer 133

Wireshark can be helpful in determining why a host is not responding to ping ?

Answer 134

- Exploit - Payload - Encoder - Nop - Auxiliary

Answer 135

exploit - a module that is used to take advantage of a vulnerability and is typically paired with a payload

Answer 136

Payload - code that is delivered by MSF and remotely executed on the target after exploitation.

Answer 137

Encoder - used to encode payloads in order to avoid av detection

Answer 138

NOPS - used to ensure that payloads sizzes are consistent and ensure the stability of the payload when executed

Answer 139

Auxiliary - a module that is used to perform additional functionality like port scanning and enumeration

Answer 140

non staged payload - a payload that is sent to the target system as is along with the exploit

Answer 141

2. staged payload - a staged payload is sent to the target in two parts 1. the first part stager contains a payload that is used to establish a reverse connection back to the attacker download the second part of the payload then execute it

Answer 142

Stagers - stagers are typically used to establish a stable communication channel between the attacker and the target after which a stage payload is download and executed on the target system

Answer 143

stage - payload components that are downloaded by the stager

Answer 144

- remotely access and interact with windows hosts on a local network - remotely access and execute commands on windows systems on the internet - manage and configure windows systems remotely

Answer 145

5989 and 5986

Answer 146

to scan a host on a different subnet from a compromised host you have to add a metasploit route: run autoroute -s

Answer 147

a client side attack is an attack vector that involves coercing a client to execute a malicious payload on their system that connects back to the attacker when executed

Answer 148

client side attacks utilize various social engineering techniques like generating malicious documents or portable executbales

Answer 149

msfvenom - a command line utility that can be used to generate and encode MSF payloads for various OS’s as well as web servers

Answer 150

- we can utilize msf to identify WinRM users and their passwords as well as execute commands on the target system - we can also utilize a MSF winRM exploit module to obtain a meterpreter session on the target system

Answer 151

- apache tomcat is a free and open source java web server - it is used to build and host dynamic websites and web applications based on the java software platform - apache tomcat utilizes the HTTP protocol to facilitate the underlying communication between the server and the clients - apache tomcat uses port 8080 by default

Answer 152

the standard Apache HTTP web server is used to host static and dynamic websites or web applications typically developed in PHP the apache tomcat web server is primarily used to host dynamic websites or web applications developed in Java

Answer 153

- the meterpreter payload is an advanced multi-functional payload that operates via DLL injection and is executed in memory on the target system consequently making it difficult to detect - it communicates over a stage socket and provides an attacker with an interactive command interpreter on the target system - meterpreter also allows us to load custom scripts and plugins dynamically

Answer 154

background

Answer 155

sessions -u

Answer 156

show_mount

Answer 157

net users net localgroup admins

Answer 158

a windows access token is responsible for identifying and describing the security context of a process or thread running on a system.

Answer 159

access tokens are generated by the winlogon.exe process every time a user authenticates successfully and includes the identity and privileges of the user account associated with the thread or process

Answer 160

incognito is a built in meterpreter module that was originally a standalone application that allows you to impersonate user tokens after successful exploitation We can use the incognito module to display a list of available tokens that we can impersonate

Answer 161

load incognito

Answer 162

list tokens -u

Answer 163

impersonate_token "token"

Answer 164

we can use the PsExec module to legitimately authenticate with the target system via SMB

Answer 165

- hostname - os name - os build and service pack - os architecture x/64 x/86 - installed updates and hotfixes

Answer 166

- current user & privileges - Additional user information - other users on the system - groups - members of the built in admin group

Answer 167

whoami /priv

Answer 168

see all the accounts on the system: net users

Answer 169

- current ip-address and network adapter - internal networks - TCP/UDP services running and their respective ports - other hosts in the network - routing table - windows firewall state

Answer 170

a process is an instance of a running exe or program.

Answer 171

a service is a process which runs in the background and does not interact with the desktop

Answer 172

authentication and verification of user credentials in a windows system is facilitated by the local security authority LSA

Answer 173

sam is a databse file that is responsible for managing user accounts and passwords in windows all user account passwords stored in the sam database are hashes

Answer 174

the Windows NT kernel keeps the SAM database file locked and as a result attackers typically utilize in memory techniques and tools to dump SAM hashes from the LSASS process

Answer 175

NTLM is a collection of authentication protocols that are utilized in Windows to facilitate authentication between computers the authentication process involves using a valid username and password to authenticate successfully

Answer 176

- does not split the hash in two chunks - case sensitive - allows the use of symbols and unicode characters

Answer 177

- the inbuilt meterpreter hashdump command - Mimikatz

Answer 178

Pivoting is a post exploitation technique that involves utilizing a compromised host that is connected to multiple networks to gain access to systems within other networks after gaining access to one host we can use the compromised host to exploit other hosts on a private internal network to which we could not access previously in the context of pivoting we can forward a remote port on a previously inaccessible host to a local port on our kali linux system so that we can remotely interact/exploit the service running on the port

Answer 179

port forwarding is the process of redirecting traffic from a specific port on a target system to a specific port on our system

Answer 180

run autoroute -s

Answer 181

once we know what port is open on the internal system we need to perform port forwarding to get a better idea of what is running

Answer 182

If we click the green ribbon we can view a list of available filters

Answer 183

ip.addr ==

Answer 184

ip.src == and ip.dst ==

Answer 185

- end user layer - HTTP - FTP - IRD - SSH - DNS

Answer 186

- Syntax layer - SSL - SSH - IMAP - FTP - MPEG - JPEG

Answer 187

- Synch and send to port - API’s - sockets - WinSock

Answer 188

- end to end communications - TCP - UDP

Answer 189

- Packets - IP - ICMP - IPSEC - IGMP

Answer 190

- Frames - Ethernet - PPP - Switch - Bridge

Answer 191

- Physical structure - topology - coax - fiber - wireless - hubs - repeaters

Answer 192

ARP or Address Resolution protocol is a layer 2 protocol that is used to connect IP address’s with MAC address’s

Answer 193

xss is classified as an injection attack where malicious Javascript gets injected into a web application with the intention of being executed by other users