Exam Prep Flashcards
CeWL
CeWL (Custom Word List generator) spiders a website and builds a wordlist from its pages; it can also harvest email addresses
Web crawl and wordlist generation using CeWL = collects words from web pages and common document types (and document metadata such as author names)
cewl -m 8 -w file.txt --meta_file meta.txt -e --email_file email.txt https://domain.com //-m minimum word length, -w wordlist output, --meta_file metadata output, -e/--email_file harvested emails
Nikto
Nikto is a command-line web server vulnerability scanner (dangerous files, outdated server software, misconfigurations); it is noisy and easily logged
Wappalyzer
Wappalyzer is a website profiler to determine how a site is built
ZAP
ZAP is a web app security scanner
Meterpreter payload
Meterpreter payload injects into a running process (reflective DLL injection), can load new modules (extensions) into the memory of that process to change its functionality, and its communication back to the attacker host is encrypted. It does not touch the hard drive by default and does not require an executable on disk.
Redirecting Cookie?
Redirecting (stealing) a user's session cookie, for example via XSS, leads to session hijacking
Volatility
Volatility netscan looks in memory for network connections and listening sockets
svcscan is the Volatility plugin that lists services
Name res order
DNS (after the hosts file and local cache), then LLMNR, then NBT-NS (NetBIOS Name Service)
BeEF
Browser Exploitation Framework = BeEF
BeEF's hook.js, once loaded in a victim browser, lets BeEF run modules against it such as a fake browser update prompt
Msfvenom
msfvenom is the Metasploit payload generator/encoder used to create standalone malicious files (exe, elf, dll, scripts)
RITA
RITA identifies C2 activity using network anomalies (beaconing, long connections) in Zeek logs
Responder.py
Responder.py is a Python script that captures credentials by poisoning LLMNR/NBT-NS/mDNS name lookups and answering with rogue SMB/HTTP services, collecting NTLMv2 challenge/response hashes
4732
4732 = a member was added to a security-enabled local group
4688
4688 = a new process has been created
4634
4634 = an account was logged off
4768
4768 = a Kerberos authentication ticket (TGT) was requested
Subfinder
Subfinder = passive sub domain finder
Harvester
theHarvester is similar to Subfinder (subdomain finder) but broader in scope: it also gathers emails, names, and IPs from public sources, and can run active (DNS brute force) or passive (search engine/API) queries
Can PPID and PID be the same?
A process's PID and its parent PID (PPID) should not be the same; a listing where they match is suspicious
Netcat port scan command
nc -v -w3 -z targetIP startPort-endPort is a port scan (-z sends no data, -w3 waits 3 seconds per port, -v reports results)
netstat -o
netstat -o (Windows) shows the owning process ID for each connection; netstat -nao adds numeric addresses and all listeners
Password Stuffing
Password stuffing (credential stuffing) starts with leaked username/password pairs from password breaches
Describe a SID
The SID has:
A revision level, 1
An identifier authority, 5 (NT Authority)
A domain identifier, 21-1004336348-1177238915-682003330
A relative identifier (RID), 500 = the built-in Administrator account
S-1-5-21-1004336348-1177238915-682003330-500
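As an added example (not from the flashcards), the following Python splits a SID into the parts listed above and labels the well-known RIDs and SIDs you are likely to see in a pentest report. The well-known tables are a small subset chosen for these exam examples, and same_domain is a helper introduced here to show why the 21-a-b-c part matters.

```python
import re

# Added example: parse an SDDL-form SID into revision, authority, sub-authorities and RID.
# The well-known tables are a subset (assumption: enough for the exam examples).
WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 519: "Enterprise Admins",
}
WELL_KNOWN_SIDS = {
    "S-1-5-18": "Local System", "S-1-5-19": "Local Service", "S-1-5-20": "Network Service",
    "S-1-5-32-544": "BUILTIN\\Administrators", "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-1-0": "Everyone",
}
AUTHORITIES = {0: "Null", 1: "World", 2: "Local", 5: "NT Authority"}

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")


def parse_sid(sid: str) -> dict:
    """Split a SID string into revision, identifier authority, sub-authorities and RID.

    For S-1-5-21-<a>-<b>-<c>-<rid> the "21-a-b-c" part is the domain (or machine)
    identifier and the last sub-authority is the relative identifier (RID).
    """
    sid = sid.strip()
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = [int(s) for s in m.group(3).split("-")[1:]]
    rid = subs[-1]
    is_domain_sid = subs[0] == 21 and len(subs) == 5
    domain_identifier = "-".join(str(s) for s in subs[:-1]) if is_domain_sid else None
    label = WELL_KNOWN_SIDS.get(sid)
    if label is None and is_domain_sid:
        label = WELL_KNOWN_RIDS.get(rid)   # RID 500 is Administrator in every domain
    return {
        "revision": revision,
        "authority": authority,
        "authority_name": AUTHORITIES.get(authority, "unknown"),
        "sub_authorities": subs,
        "domain_identifier": domain_identifier,
        "rid": rid,
        "well_known": label,
    }


def same_domain(sid_a: str, sid_b: str) -> bool:
    """True when two domain SIDs share the 21-a-b-c domain identifier (same domain or machine)."""
    a, b = parse_sid(sid_a), parse_sid(sid_b)
    return a["domain_identifier"] is not None and a["domain_identifier"] == b["domain_identifier"]


if __name__ == "__main__":
    for s in ("S-1-5-21-1004336348-1177238915-682003330-500", "S-1-5-18", "S-1-5-32-544"):
        print(s, parse_sid(s))
```

A practical use: when a hash dump or token list contains SIDs, group them with same_domain to see which accounts belong to the target domain and which are local machine accounts (a different 21-a-b-c value).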
AWS Bucket Tools (3)
GCPBucketBrute enumerates Google Cloud Storage buckets and checks their permissions but cannot list or download their contents. gsutil is the Python command-line tool for Google Cloud Storage that performs a wide range of bucket and object management tasks including listing, uploading and downloading content. bucket_finder enumerates AWS S3 buckets. ntdsutil is unrelated to cloud storage: it extracts the ntds.dit and SYSTEM registry hive from a Windows domain controller.
skew
skew = variation in the interval between beacon connections (interval skew / jitter); a skew near 0 means the interval is regular
Why identify empty LanMan Hash?
Running Hashcat is a process that can take several hours or several days, depending on the resources of the system being used. If a LANMAN hash is the string aad3b435b51404eeaad3b435b51404ee, it is the hash of an empty password (LM storage is disabled, the default since Vista). There is no need to run Hashcat against those LANMAN hashes; the NT equivalent is 31d6cfe0d16ae931b73c59d7e0c089c0.
SQL injection
SQL injection attackers start by adding string quotation characters to the user data to see how the system reacts when the data is submitted (i.e., ', ", and `).
Enumerating blobs - 2 things needed
Enumerating blobs = Account and Container names
nmap -A
Nmap has a powerful option called -A. This option enables OS detection, version detection, script scanning, and traceroute. It gives you far more information than a simple syn or TCP connect scan.
netstat vs sc vs net view
netstat -nap shows local ports, PID, and program name on a Linux/Unix host (netstat -nao shows the PID on Windows). sc query lists local services on a Windows host. net view gets a list of shares from a Windows host.
RITA score 1 vs. near 1
Some C2 backdoors have a very strong heartbeat. This is where a backdoor will constantly reconnect to get commands from an attacker at a specific interval. The interval consistency of the heartbeat is the RITA Score, where a value of 1 is a perfect timing repetition for connections between the victim and the server for the duration of the capture period. RITA uses the characteristic of beaconing to identify threats in several ways. One reliable detection mechanism is the presence of a Score value near or at 1. In this case the source IP 10.20.234.50 is likely the victim of an attack and running a C2 backdoor with intermittent (not continuous) beaconing.
PICERL
PICERL Preparation, Identification, Containment, Eradication (undoing), Recovery (resumption), and Lessons Learned
Dynamic Approach to Incident Response (DAIR)
Dynamic Approach to Incident Response (DAIR): Preparation, then Detection and Verification (triage) as waypoints, leading into a loop of scoping, containment, eradication, recovery, and remediation before incident wrap-up. Drawn as a red wheel of waypoints, outcomes, and activities.
DFIR
DFIR - Digital Forensics and Incident Response
Detection
Detection = the first decision is always verification (is this a real incident?), which is where DFIR (Digital Forensics and Incident Response) skills come in; a possible outcome when reviewing logs is inconclusive.
Containment
Containment = stop the attack from spreading; requires proper scoping, isolation, patching, etc. A short-term fix.
Eradication, Recovery, Remediation
Eradication (undoing) = restoring from backup, assessment
Recovery (resume ops)
Remediation = root cause, monitor, fixing the cause (long term)
PS command to get process starting with power
Get-Process 'power*' | Select-Object *
get-CimInstance
Get-CimInstance -Class Win32_Process //provides more info than Get-Process, such as ParentProcessId and CommandLine
EncodedCommand
Watch for PowerShell processes started with -EncodedCommand (base64 of the UTF-16LE script) = CyberChef can be used for decoding
Types of encoding
Common encoding are base64, URL encoding, UTF-8, UTF 16 little and big endian
PS for listening TCP ports
Get-NetTCPConnection -State Listen
Local address "::" means listening on all interfaces configured with IPv6 (0.0.0.0 for IPv4)
127.0.0.1 is loopback, meaning local-only
Look for notepad or another local program with an outbound connection (any state other than Listen) on port 80 for the exam
PS to find services
Get-Service (or Get-CimInstance -Class Win32_Service, which adds the binary path and start account) //find services
PS for registry
Get-ChildItem 'reg key path' or Get-ItemProperty 'reg key path'
PS for local users & groups
Get-LocalUser, Get-LocalGroup, or Get-LocalGroupMember Administrators
PS for scheduled tasks
Get-ScheduledTask, Export-ScheduledTask, and Get-ScheduledTaskInfo
ps for Windws events
Get-WinEvent -LogName System | Where-Object -Property Id -EQ 7045 //7045 = a new service was installed
Sysinternal tools
Sysinternals = Process Explorer, Autoruns, Sysmon, Process Monitor (ProcMon), TCPView, and ProcDump
TCPDump
TCPDump for packet capture or WinDump on Windows
tcpdump -i interface
tcpdump -i interface -w file
tcpdump -r file -n //Don’t resolve host, can be -nnr
tcpdump -r file -n -A //Don’t resolve host and show human readable ASCII
BPF
Berkeley Packet Filter (BPF) syntax for tcpdump = primitives (host, net, port, tcp, udp) combined with operators (and, or, not)
Web Proxy tools
Squid, Blue Coat, Forefront TMG
Dumping memory passwords
First collect memory with WinPmem run as admin
Then analyze with Volatility 3 (Python framework); plugins are named platform.class.PluginName
vol -q -f win10.0.22000.556.raw windows.pslist.PsList
List processes using vol
PsList = lists processes
PsTree = shows parent tree
List network connections
NetScan = network connections
CMdLine
CmdLine = process command line (windows.cmdline.CmdLine)
2 online malware analysis tools
Virus Total and Hybrid Analysis
Compare registry settings
RegShot - compares registry
Core Analysis
Core analysis: IDA Pro with the optional Hex-Rays decompiler, Ghidra by NSA; covered in depth in FOR610, SEC660, SEC760
ATT&CK
ATT&CK Adversarial Tactics, Techniques, and Common Knowledge
Web search as a discovery tool, Web-based recon
Search engine results, using site: modifier
DNS interrogation tools
DNS interrogation with Dig or NSlookup
Using dig
dig ANY domain.com
dig @nsztm1.digi.ninja AXFR zonetransfer.me //DNS zone transfer against a server that allows it (digi.ninja's practice zone)
Brute force subdomains when AXFR is refused
Brute-force subdomain names using nmap with the dns-brute script (nmap --script dns-brute domain.com)
Using Certificate transparency
Certificate transparency for example crt.sh/?q=domain.com
SubFinder
ProjectDiscovery's Subfinder (https://projectdiscovery.io) runs passive subdomain enumeration
subfinder -d domain.com
ExifTool
Perl script that extracts file metadata (author, software, timestamps) from documents and images, example exiftool file.pdf
PowerShell can learn about an Azure hosted domain
AADInternals
Recon As Outsider
Invoke-AADIntReconAsOutsider -Domain domain.com | Format-Table
DeHashed
DeHashed provides plaintext passwords and PII as a service (a deeper form of HIBP / Have I Been Pwned)
Shodan
Shodan is a search engine for internet-exposed devices, indexing service banners
robots.txt
Disallow entries in robots.txt tell crawlers what not to index //examples below are pages not indexed //attackers read the file too, so use high-level directories rather than sensitive names
Disallow: /registration
Disallow: /admin.php
Disallow: /app
nmap
Nmap is used to discover the network topology (network mapping and port scanning); run as root for best results (raw packets, SYN scans, OS detection)
Sweeping using nmap
Sweeping looks for active hosts by sending probes to an IP range and logging the replies
Nmap sweeps (host discovery) before port scanning by default; skip discovery and scan every address with -Pn
As root the default discovery sends an ICMP echo request, a TCP SYN to 443, a TCP ACK to 80, and an ICMP timestamp request (raw SYN/ACK probes need root; an unprivileged user falls back to TCP connect to 80 and 443)
sudo nmap -sn 192.168.1.1-254 //-sn does discovery only, no port scan
TCP and UDP port range
TCP and UDP each have 65,536 ports (0-65535); port 0 is reserved, so usable ports are 1-65535
SYN ACK vs. RST ACK
SYN ACK = OPEN and RST ACK = CLOSED
Reports open, closed, or filtered (no response)
nmap switches
-sS = TCP SYN (half-open) scan, the default as root; -sT = full TCP connect scan; -sU = UDP scan
-sV = Version scan (service/version detection)
-oA basename = write output in all three formats (normal, XML, grepable); targets are given as plain arguments
Nmap NSE (Nmap Scripting Engine) scripts:
-sC = Run the default script set
--script scriptName (or a category such as default, vuln, or all) //accepts wildcards, e.g. --script "smb-*"
Find service providers
Use builtwith.com to summarize service providers
Cloud providers publish IP ranges
Masscan
Masscan is fire-and forget, better for massive IP ranges
masscan 192.168.1.1/24 -p 22,25,80,443,3389
TLS-Scan
Identify TLS servers on TCP 443 and try to request certificates for recon using OpenSSL (one at a time) or TLS-Scan
TLS-Scan (Linux) rolls through a list of IPs listening to 443 (TLS Servers) to gather info from certs
EyeWitness
EyeWitness takes website screenshots for triage of many hosts, run using Python
python3 /opt/eyewitness/EyeWitness.py --web -f urllist.txt --prepend-https
SMB
SMB can be scanned and appears as normal TCP 445 traffic
SMB1 is the legacy dialect (used through Windows XP/2003), SMB2 arrived with Vista/2008, SMB3 with Windows 8/2012, and SMB 3.1.1 with Windows 10/2016
SMB did not support encryption until SMB 3.0; SMB 3.1.1 added pre-authentication integrity checking
Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol //remove SMB1 from a Windows host
Block SMB (TCP 445 and 139, UDP 137/138) and RPC (TCP 135) at the network perimeter
Query SMB shares (3)
Get-CimInstance -Class Win32_Share -ComputerName hostOrIP
net.exe view \\192.168.1.1 /all //also works against non-Windows SMB servers such as Samba
SMBeagle can be used to search through SMB shares.
SMBeagle
SMBeagle can be used to search through SMB shares.
smbeagle -c results.csv -n 192.168.1.0/24 -u ksmith -p pass123 -q //-c CSV output, -n network to scan, -u/-p credentials, -q quiet
SMB also has many CVEs if SMB is not patched.
No backoff delay for password guessing
Copernic Desktop Search
Copernic Desktop Search also indexes SMB files and does keyword search and OCR
Samba
Samba's smbclient for file share access lets you access and browse shares from the command line if you have credentials, and even download and upload files
Samba's rpcclient (Linux) has over 100 commands over authenticated SMB (MS-RPC) for enumerating users, groups, and shares
Enumerate SMB session
Identify sessions using Get-SmbSession and end them with Close-SmbSession
The net.exe commands are also available: net view, net share, net session, net use
Hayabusa
Hayabusa applies Sigma rules to Windows event logs (EVTX); Velociraptor is an endpoint DFIR collection and hunting tool
Sigma
Sigma = a generic, vendor-neutral detection rule format written in YAML and converted to SIEM queries; think Snort for network traffic, YARA for files, Sigma for logs
THC Hydra
THC Hydra is an online password guessing tool
hydra -L users -P passwords ssh://3.231.163.70
Password spray
Password spray is a small number of passwords against a large number of accounts
PACK
PACK = Password Analysis and Cracking Kit
Credential Stuffing
Credential Stuffing = using leaked passwords to attempt success or improved guessing
MSOLSPray & FireProx
MSOLSpray is a PowerShell script that password sprays Microsoft 365/Entra ID (Azure AD) logins and uses the AADSTS response codes to tell valid accounts, MFA, locked, and disabled accounts apart (an informed spray)
Distribution and anonymity come from fronting the requests through AWS API Gateway so each attempt leaves from a different IP, which sidesteps Smart Lockout's per-source logic
FireProx is a Python tool that creates AWS API Gateway endpoints to rotate source IPs; it can be paired with MSOLSpray
MFASweep
Using a valid account to find MFA and Conditional Access gaps across Microsoft services using MFASweep
Get-MsolUser
Get-MsolUser is the PowerShell cmdlet (MSOnline module) to inspect an individual M365 user's license settings for verification
Lanman & NT Hash
LANMAN = password truncated to 14 characters, converted to uppercase, padded with nulls to 14 bytes and split into two 7-byte halves; each half is used as a DES key to encrypt a fixed constant, so each half can be cracked independently
NT hash keeps case and allows long passwords, but has no salt: it is MD4 of the UTF-16LE password, meaning the same password = the same hash
NTDSUTIL
NTDSUTIL can be used to get NTDS.dit and the SYSTEM registry hive (which holds the boot key used to encrypt the file)
Gather both with the activate instance ntds command followed by ifm (create full C:\path) to create an Install-From-Media backup that can be exfiltrated
Then a script like Impacket's secretsdump.py (-ntds ntds.dit -system SYSTEM LOCAL) can decrypt the file and extract the hashes
Obtain hashes from Windows client
To obtain hashes from Windows client OS:
1. Use the Meterpreter hashdump command, which reads the hashes via lsass.exe (FROM MEMORY): run ps -S lsass.exe to get the PID, then migrate into that PID (impersonating SYSTEM) and run hashdump
2. Use Mimikatz (sekurlsa::logonpasswords or lsadump::sam)
Break down Windows hash
Windows hashes (pwdump format) show as username:RID:LANMAN:NTHASH
Empty hashes are useless but easy to identify: an empty LANMAN hash means LM storage is disabled (the default), while an empty NT hash suggests a disabled account or a collection problem
Example: tom:1002:aad3b435b…..:31d6cfe0d……
Key fragments: an LM hash beginning aad3b435b (full value aad3b435b51404eeaad3b435b51404ee) and an NT hash beginning 31d6cfe0d (full value 31d6cfe0d16ae931b73c59d7e0c089c0) are the empty-password hashes
Identify Linux hash type
Early Linux used traditional DES crypt hashes (13 characters, 2-character salt) stored in world-readable /etc/passwd; modern systems store stronger hashes (MD5crypt, SHA-crypt, yescrypt) in root-only /etc/shadow
Look at the 2nd colon-delimited field in /etc/shadow
No $ prefix is DES, $1$ is MD5crypt, $2a$/$2y$ is bcrypt (Blowfish), $5$ is SHA-256, $6$ is SHA-512, and $y$ is yescrypt
Hash Rounding
Hash rounds = iterating the hash to increase cracking cost. MD5crypt uses 1000 rounds; SHA-crypt defaults to 5000 (adjustable with rounds=N inside the hash string)
Avoid GPU cracking
Password Based Key Derivation Function (PBKDF2) to avoid GPU-based password cracking
Also Scrypt, Argon2, Yescrypt
Password Cracking
Password Cracking = offline guessing: hash candidate passwords and compare against the captured hashes (hashes are not decrypted)
Hashcat is main cracking tool
Hashcat
Hashcat is the main cracking tool
-a 0 = straight/wordlist (default)
-a 1 = combination (words from two wordlists concatenated)
-a 3 = brute-force using a mask/pattern
-a 6 = hybrid wordlist + mask (mask appended)
-a 7 = hybrid mask + wordlist (mask prepended)
Specify -m to define the hash type, otherwise it will try to auto-detect
Test the hash type without cracking using --identify
hashcat -m 1000 -a 0 hashes.txt words.txt //NT hashes, wordlist attack
Mask uses ?<charset> like ?l for lower case, ?u for upper, ?d for digit, and ?s for special, e.g. -a 3 ?u?l?l?l?d?d
Cracked hashes are written to the potfile hashcat.potfile
You can display cracked hashes with --show, uncracked with --left, and keep the username column with --username
Hashcat can also use word permutation rules (-r rules/best64.rule)
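Tying the hash cards together (empty LANMAN/NT hashes, the pwdump format, the /etc/shadow $id$ prefixes and hashcat -m modes), the following Python is an added example, not from the flashcards: it triages a pwdump file and shadow fields before any GPU time is spent. The sample hash lines are constructed for the example; the hashcat mode numbers are the real ones (3000 LM, 1000 NT, 500 md5crypt, 1500 descrypt, 1800 sha512crypt, 7400 sha256crypt, 3200 bcrypt).

```python
# Added example, not from the flashcards: triage pwdump lines and /etc/shadow fields
# so that empty hashes are skipped and each hash gets the right hashcat -m mode.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of the empty string
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty string

# crypt(3) $id$ prefix -> (algorithm name, hashcat -m mode); yescrypt has no hashcat mode
CRYPT_IDS = {
    "1": ("md5crypt", 500), "2a": ("bcrypt", 3200), "2b": ("bcrypt", 3200), "2y": ("bcrypt", 3200),
    "5": ("sha256crypt", 7400), "6": ("sha512crypt", 1800), "y": ("yescrypt", None),
}
DEFAULT_ROUNDS = {"md5crypt": 1000, "sha256crypt": 5000, "sha512crypt": 5000}

SAMPLE_PWDUMP = [  # constructed sample: a real LM+NT pair, a fully empty account, and an NT-only account
    "Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::",
    "tom:1002:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    "jsmith:1105:aad3b435b51404eeaad3b435b51404ee:0cb6948805f797bf2a82807973b89537:::",
]


def parse_pwdump_line(line: str) -> dict:
    """Parse user:rid:LM:NT[:::] and flag empty hashes (no LM stored, disabled account, or bad dump)."""
    user, rid, lm, nt = line.strip().split(":")[:4]
    lm, nt = lm.lower(), nt.lower()
    return {"user": user, "rid": int(rid), "lm": lm, "nt": nt,
            "lm_empty": lm == EMPTY_LM, "nt_empty": nt == EMPTY_NT}


def crack_plan(pwdump_lines):
    """Return (hashcat mode, user, hash) for every hash worth cracking; empty hashes are skipped."""
    plan = []
    for line in pwdump_lines:
        rec = parse_pwdump_line(line)
        if not rec["lm_empty"]:
            plan.append((3000, rec["user"], rec["lm"]))   # -m 3000 = LM: fast, uppercase, 7-char halves
        if not rec["nt_empty"]:
            plan.append((1000, rec["user"], rec["nt"]))   # -m 1000 = NT
    return plan


def identify_shadow_hash(field: str) -> dict:
    """Identify the algorithm in the second colon-delimited field of /etc/shadow."""
    if field in ("", "*", "!", "!!") or field.startswith("!"):
        return {"algo": "locked or no password", "mode": None, "rounds": None}
    if field.startswith("$"):
        parts = field.split("$")            # ['', id, (rounds=N,) salt, hash]
        algo, mode = CRYPT_IDS.get(parts[1], (f"unknown ${parts[1]}$", None))
        rounds = DEFAULT_ROUNDS.get(algo)
        for p in parts[2:]:
            if p.startswith("rounds="):     # explicit round count overrides the default
                rounds = int(p[len("rounds="):])
        return {"algo": algo, "mode": mode, "rounds": rounds}
    if len(field) == 13:
        return {"algo": "descrypt (traditional DES, 2-char salt)", "mode": 1500, "rounds": None}
    return {"algo": "unknown", "mode": None, "rounds": None}


if __name__ == "__main__":
    for mode, user, h in crack_plan(SAMPLE_PWDUMP):
        print(f"hashcat -m {mode} ... # {user}: {h}")
    for f in ("$6$rounds=10000$saltsalt$abc", "$y$j9T$salt$abc", "abJnggxhB/yWI", "!"):
        print(f, identify_shadow_hash(f))
```

The LM entry for Administrator is queued first on purpose: LM cracks in minutes, and the recovered uppercase halves seed a case-toggling rule run against the NT hash of the same account.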
PAM
UNIX/Linux has Pluggable Authentication Modules (PAM) for enforcing password complexity (e.g., pam_pwquality)
Cloud storage URLs
Insecure Cloud Storage
https://s3.amazonaws.com/bucketname
https://www.googleapis.com/storage/v1/b/bucketname
https://accountname.blob.core.windows.net/containername
Bucket Finder
Bucket Finder is a tool that looks for open AWS S3 buckets by guessing names
GCPBucketBrute
GCPBucketBrute for Google is Python and finds buckets and their permissions = to download from a Google bucket use gsutil from Google
Basic Blob Finder
Basic Blob Finder is also Python, for Azure blobs (needs the account and container names)
Netcat
Netcat reads and writes data across network connections (many variants: nc, ncat, socat)
Client mode starts a connection to a specific port; standard input is sent to the network and the response goes to standard output
Diagnostic messages (-v) are sent to standard error (stderr), so they do not pollute the data stream
Listen mode waits for a connection on a specific port (option -l)
Pull a file from listener to client:
listener: nc -l -p port < filename
client: nc listenerIP port > filename
Push a file from client to listener:
listener: nc -l -p port > filename
client: nc listenerIP port < filename
WATCH the < and > redirection closely
Netcat port scanning:
nc -v -w3 -z targetIP startPort-endPort //-z no data, -w3 3-second timeout, -v report results
Netcat backdoor shell examples (-e is execute; not every build includes it):
nc -l -p port -e cmd.exe
nc -l -p port -e /bin/sh
For listening, -l listens once and exits when the client disconnects; -L on Windows restarts the listener after each connection
Netcat relay
Netcat relay is used to hop between systems; it requires a named pipe on the pivot system (mkfifo pipename on Linux) to join the inbound and outbound netcat processes
Metasploit Framework, modules, and interfaces
Metasploit Framework - collection of tools, runs on Linux, select exploit and payload to run on target
Four module types: exploits, payloads, auxiliary modules, and post-exploitation modules
Interfaces are console (msfconsole), command line (msfvenom), web, and GUI (Armitage)
search is an important msfconsole command
Meterpreter
Meterpreter is a general-purpose Metasploit payload for gaining and extending access
Protect Linux
Use SeLinux or AppArmor to protect Linux, patch, use EDR, filter outbound traffic, hunt for long URLs
Drive-by vs. Watering Hole
Drive-by or client-side attacks target normal web browsing; called a watering hole when a site the targets are known to visit is compromised
Watering holes may involve Windows Office files with macros or fake installers
MsfVenom
Metasploit also has msfvenom, which converts any payload into a standalone file in many formats (exe, elf, dll, war, raw) and can wrap it in a template
msfvenom -x template.exe can embed the payload into a legitimate executable
Msfconsole
msfconsole with exploit/multi/handler is used to prepare the listener for a reverse TCP connection
Browser Exploitation Framework (BeEf)
Browser Exploitation Framework (BeEF) is used for browser exploits, XSS attacks, and social engineering like a fake Flash update
BeEF runs with sudo on Linux; it is a collection of browser attack tools driven from a web console
Command Injection
Command Injection = a web app passes user input to a command shell and the attacker appends a 2nd command using ; on Linux or & on Windows. Input can arrive as an HTTP GET or POST parameter. Applies to any system that accepts user input. An attack against the server.
Indicators: -h, ;, &, |, echo, or 'injected' appearing in parameters, manipulating the value following id= for example, or a parameter fed to a command like ping
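As an added example (not from the flashcards), the following Python shows the vulnerable pattern, its fix, and a detection-side check for the same metacharacters. It assumes a POSIX shell and uses echo in place of the ping a web app would run, so it executes offline; the function and variable names are the example's own.

```python
import re
import subprocess

# Added example, not from the flashcards. POSIX shell assumed; "echo" stands in for the
# ping command a web app would run, so the example runs offline without network access.
HOST_RE = re.compile(r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?$")
# Shell metacharacters that chain or substitute commands: ; | for sh, & for sh and cmd.exe
INJECTION_RE = re.compile(r"[;&|`$(){}<>\n]")


def ping_vulnerable(host: str) -> str:
    """Pattern found in vulnerable apps: user input concatenated into a shell command string."""
    cmd = "echo pinging " + host          # e.g. host=127.0.0.1;id from a GET/POST parameter
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def ping_safe(host: str) -> str:
    """Allow-list the value, then pass it as a single argv element so no shell parses it."""
    if not HOST_RE.match(host):
        raise ValueError(f"rejected host value: {host!r}")
    return subprocess.run(["echo", "pinging", host], capture_output=True, text=True).stdout


def looks_like_injection(value: str) -> bool:
    """Detection-side check for a request parameter (WAF rule or web log review)."""
    return INJECTION_RE.search(value) is not None


if __name__ == "__main__":
    payload = "127.0.0.1; echo INJECTED"
    print(ping_vulnerable(payload))       # second command runs
    print(looks_like_injection(payload))  # True
    try:
        ping_safe(payload)
    except ValueError as e:
        print("blocked:", e)
```

Note that the allow-list is the real fix; the argv form alone still lets a value such as -h become an option to the command, which is why the flashcard lists -h among the things to look for.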
Cross-Site Scripting XSS
Cross-Site Scripting (XSS) is an attack against users; it exploits a vulnerability in the server's input or output handling to change what is displayed to the user, and can tell the client browser to run code or send the cookie elsewhere; payloads are usually JavaScript or HTML
Stored vs. Reflected XSS
Stored XSS Attack = malicious code uploaded to or stored on the server and served to every visitor; drive-by (opportunistic)
Reflected XSS Attack = the payload rides in the URL of a page (GET-based) and is reflected back in the response; the attacker sends the URL to the victim
Identify XSS vulnerability
XSS demonstrated as the page running
<script>alert('XSS');</script>
Test for XSS by fuzzing input with an <hr> tag or the polyglot '';!--"<XSS>=&{()} and viewing the response: the script runs (or the tags come back unencoded) if vulnerable, or something close to the literal input text is displayed if the output is safely encoded
Prevent XSS
Encode metacharacters in output (for example < as &lt; and & as &amp;) and limit cookie exposure with the HttpOnly flag
Servers set a Content Security Policy (CSP) header
SQL Injection
SQL Injection exploits input validation to set or retrieve unintended info from DB
Test using ' " ` % %% -- /* // ) ; for example blake' OR 'a'='a
Tautology is an always-true condition that returns all records, like 'a'='a'
Tripping an error can also reveal info about the server, database, or files.
UNION followed by a new Select is commonly used once vulnerability is verified
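The probing sequence described in these cards (quote to trip an error, tautology, comment bypass, then UNION SELECT) run against an in-memory SQLite table, as an added example that is not from the flashcards. The table, rows and function names are constructed for the example; login_vulnerable keeps the string-concatenation bug on purpose and login_safe is the parameterized fix.

```python
import sqlite3

# Added example, not from the flashcards: constructed users table, a login query built by
# string concatenation (vulnerable on purpose) and its parameterized replacement.


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("blake", "s3cret", "user"), ("admin", "hunter2", "admin"), ("tom", "Winter2024", "user"),
    ])
    return conn


def login_vulnerable(conn, username: str, password: str) -> list:
    """Query built by concatenation: quotes in user data become SQL syntax."""
    sql = ("SELECT username, role FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_safe(conn, username: str, password: str) -> list:
    """Parameterized query: the driver binds the values, so quotes stay data."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def probe_for_sqli(conn) -> bool:
    """Step one from the flashcards: submit a lone quote and watch for a database error."""
    try:
        login_vulnerable(conn, "'", "x")
        return False
    except sqlite3.Error:   # unterminated string -> syntax error -> input reached the parser unescaped
        return True


TAUTOLOGY = "' OR 'a'='a"        # in the password field: ... AND password = '' OR 'a'='a'
COMMENT_BYPASS = "admin'--"      # in the username field: ... username = 'admin'-- AND password = ...
UNION_PROBE = "' UNION SELECT name, sql FROM sqlite_master WHERE type='table'--"   # schema disclosure

if __name__ == "__main__":
    db = make_db()
    print("error on quote:", probe_for_sqli(db))
    print("tautology:", login_vulnerable(db, "x", TAUTOLOGY))        # every row
    print("comment bypass:", login_vulnerable(db, COMMENT_BYPASS, "wrong"))
    print("union:", login_vulnerable(db, UNION_PROBE, "x"))          # table definition
    print("safe:", login_safe(db, "x", TAUTOLOGY))                   # []
```

The UNION probe works because both SELECTs return two columns; in a real test the column count is found first by adding NULLs until the error disappears, which is the step sqlmap automates.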
SQL Injection tools
Automated options include the Python script sqlmap, Burp Suite Pro, and Acunetix Web Vulnerability Scanner
Testing can be risky and could modify or delete data; back up before testing
sqlmap
- Always use a valid, non-error-generating URL
- Always put the URL in quotes
Possible EXAM question:
sqlmap -u https://msn.com //invalid: the URL must be quoted, otherwise shell metacharacters such as & in a query string are interpreted by the shell
Also followed by --dbs = enumerate databases, then -D dbName --tables to list tables, then -T tableName --columns or --dump (display the data)
Cloud DB vulnerable to SQL attack
Cloud databases remain vulnerable to SQL injection when the application does not escape or parameterize input or use an Object Relational Mapping (ORM) layer; hosting the database in the cloud does not fix the application
SSRF
Server-Side Request Forgery (SSRF) lets the attacker change what the server requests on their behalf, to disclose the Instance Metadata Service (IMDS), read protected files on the host, or reach internal services; when a URL parameter names a file location, change it to a local path like file:///etc/shadow
Can be evaluated using curl
Access IMDS using the link-local address = curl http://169.254.169.254/latest/user-data (AWS; /latest/meta-data/iam/security-credentials/ exposes the instance role keys)
AWS IMDSv1 answers any plain GET, so an SSRF that reaches it can extract instance role credentials; IMDSv2 requires a session token obtained with a PUT request first, which a forged GET cannot do
Some like Azure mitigate by requiring a special header (Metadata: true) that a forged request usually cannot add
Endpoint Security Bypass
Endpoint Security Bypass = evading signature detection, encoding payloads, using permitted (allow-listed) tools
DefenderCheck
DefenderCheck repeatedly splits a file and submits the pieces to Defender until it isolates the bytes that trigger detection (a high/low binary-search strategy); those bytes can then be changed
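To make the high/low strategy concrete, here is an added example (my reimplementation of the idea, not DefenderCheck's code) with a stand-in scanner. The "signatures" and the filler bytes are constructed for the example; in a real run the av_detects function would call the engine (for DefenderCheck, MpCmdRun.exe) on the candidate slice.

```python
from typing import Optional

# Added example, not DefenderCheck's code: reproduce its halving strategy with a stand-in
# scanner. The signature set and filler bytes are constructed; a real run would call the AV engine.
SIGNATURES = [b"Invoke-Mimikatz", b"sekurlsa::logonpasswords"]   # toy signature set


def av_detects(data: bytes) -> bool:
    """Stand-in for the AV scan: True if any toy signature appears in the bytes."""
    return any(sig in data for sig in SIGNATURES)


def shortest_flagged_prefix(data: bytes, detects) -> Optional[int]:
    """Binary search for the smallest prefix length still detected; None if the file is clean."""
    if not detects(data):
        return None
    lo, hi = 0, len(data)              # invariant: data[:lo] is clean, data[:hi] is detected
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if detects(data[:mid]):
            hi = mid                   # signature ends at or before mid
        else:
            lo = mid                   # signature extends past mid
    return hi


def locate_signature(data: bytes, detects=av_detects):
    """Return (start, end) of the bytes that trigger detection, the way DefenderCheck reports them."""
    end = shortest_flagged_prefix(data, detects)
    if end is None:
        return None
    lo, hi = 0, end                    # invariant: data[lo:end] is detected, data[hi:end] is clean
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if detects(data[mid:end]):
            lo = mid                   # signature starts at or after mid
        else:
            hi = mid
    return lo, end


def build_sample(offset: int, payload: bytes) -> bytes:
    """Constructed binary: repeating filler with the payload inserted at a known offset."""
    filler = bytes(range(256)) * 8
    return filler[:offset] + payload + filler[offset:]


if __name__ == "__main__":
    sample = build_sample(300, b"Invoke-Mimikatz")
    span = locate_signature(sample)
    print(span, sample[span[0]:span[1]])   # (300, 315) b'Invoke-Mimikatz'
```

Each scan halves the search space, so a 1 MB file needs about 20 scans per bound rather than one per byte; the caveat is that a detection built from several separate strings produces a span covering only the last one, and the process must be repeated after each edit.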
Code wrapping
Code wrapping to build legitimate code around malware, possibly using IronPython, often layering among multiple languages
LOTL Example using sysinternals
Example provided was using Sysinternals procdump to dump LSASS memory, then feeding the dump to Mimikatz (sekurlsa::minidump) on another system
.\procdump.exe -accepteula -ma lsass.exe lsass.dmp
Bypass AppLocker
AppLocker can be bypassed by unusual execution methods like InstallUtil.exe /logfile= /LogToConsole=false /U shellcode.exe (the .NET Install Utility, a signed Microsoft binary, runs the uninstaller code inside the assembly)
On Linux search for SETUID files
On Linux search for SETUID files = find / -perm -4000 -uid 0 2>/dev/null //SETUID binaries owned by root
Pivoting
Pivoting, often setting up a proxy on one system to reach another
Meterpreter has portfwd and route commands that can establish forwarding/proxying through the compromised host
Meterpreter doesn't have a built-in port scanner but can use the post/windows/gather/arp_scanner module; Metasploit has nmap, db_nmap, and auxiliary/scanner modules
Identify the next hop systems and port scan.
Lateral movement is exploiting targets through pivots
Linux port forwarding
On Linux this could be SSH local port forwarding: ssh -L localPort:targetIP:targetPort user@pivot
Linux can also use netcat named pipes discussed earlier
Windows pivoting
Windows can use netsh interface portproxy add v4tov4 but it requires admin rights
Hijacking
Hijacking attacks (impersonation) exploit weak protocols, like a local MITM: listening for broadcast name-resolution requests and injecting forged responses
Responder
Responder is a Python script that exploits (hijacks) LLMNR, NBT-NS and mDNS name resolution; it captures the NTLMv2 challenge/response hash when the victim authenticates to its rogue service
After pivoting comes…
Next is persistence to regain access, avoid detection, preserve privileges, and reestablish access at will
Prevent Hijacking
Disable LLMNR and NBT-NS, disable mDNS, and disable SMB versions lower than 3.1.1 (at minimum SMB1); require SMB signing
Persistence method
One option is to create a new user account
meterpreter > execute -f cmd.exe -a "/c net user accessmgmt password123 /add"
meterpreter > execute -f cmd.exe -a "/c net localgroup administrators accessmgmt /add"
Metasploit and others offer various persistence options like a persistent service
WMI can subscribe to events
Also discusses the golden ticket attack (a forged Kerberos TGT signed with the krbtgt hash)
Web shells could provide persistence, as a modification to a web page or file
Persist with event subscriptions
WMI can subscribe to events and execute code like scheduled tasks; subscriptions can be registered with mofcomp.exe and can use a specific IP arriving on a port as an event trigger. Meterpreter's WMI persistence module watches for the security logon failed event 4625 by default.
Cloud persistence
Cloud persistence could be new resources like VM function, container, new access keys, cloud accounts
Identify autoruns
Look for autoruns; events 4624 (logon), 4634 (logoff), 4672 (special privileges assigned), 4732 (local group member added), 4648 (logon with explicit credentials), 4688 (new process), 4697 (service installed); registry Run keys; use Get-CimInstance -Namespace root/subscription to detect WMI event subscribers
RITA
Real Intelligence Threat Analytics (RITA) uses statistical data over time for hunting, used for offline assessment, ingests Zeek logs
Look for long connection durations, consistent packet size, interval, jitter, etc.
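The RITA cards above describe beaconing as a consistent interval and packet size between one source and one destination. As an added example (not RITA's code), the following Python scores constructed Zeek-style conn records with a simplified interval-plus-size consistency measure; RITA's real beacon score also weighs interval skew and connection count, so treat this as the idea rather than the tool. The hosts, timestamps and sizes are constructed for the example.

```python
from collections import defaultdict
from statistics import median

# Added example, not RITA's code: simplified interval-consistency scoring over Zeek-style
# conn records. Sample data is constructed: one jittered 60 s beacon and one browsing session.
SAMPLE_CONN = []   # (ts, id.orig_h, id.resp_h, orig_bytes)

# victim 10.20.234.50 -> 203.0.113.7: 60 s heartbeat with slight jitter, fixed 312-byte check-in
_ts = 1700000000.0
for gap in [60, 55, 65, 58, 62, 60, 57, 63, 60, 59, 61, 60]:
    _ts += gap
    SAMPLE_CONN.append((_ts, "10.20.234.50", "203.0.113.7", 312))
# ordinary browsing 10.20.234.51 -> 198.51.100.9: irregular timing and sizes
_ts = 1700000000.0
for gap, size in zip([5, 300, 17, 900, 2, 120, 45], [1500, 233, 9800, 410, 77, 1204, 6000]):
    _ts += gap
    SAMPLE_CONN.append((_ts, "10.20.234.51", "198.51.100.9", size))


def consistency(values) -> float:
    """1.0 when every value equals the median, falling toward 0 as the MAD grows relative to it."""
    values = list(values)
    if len(values) < 3:
        return 0.0
    med = median(values)
    if med == 0:
        return 0.0
    mad = median(abs(v - med) for v in values)   # median absolute deviation tolerates a few outliers
    return max(0.0, 1.0 - mad / med)


def beacon_score(records) -> float:
    """Score one src->dst pair: mean of interval consistency and orig_bytes consistency."""
    ts = sorted(r[0] for r in records)
    intervals = [b - a for a, b in zip(ts, ts[1:])]
    sizes = [r[3] for r in records]
    return round((consistency(intervals) + consistency(sizes)) / 2, 3)


def score_pairs(conn_records, min_connections=4) -> dict:
    """Group conn records by (src, dst) and score each pair; pairs with few connections are skipped."""
    by_pair = defaultdict(list)
    for rec in conn_records:
        by_pair[(rec[1], rec[2])].append(rec)
    return {pair: beacon_score(recs) for pair, recs in by_pair.items() if len(recs) >= min_connections}


if __name__ == "__main__":
    for pair, score in sorted(score_pairs(SAMPLE_CONN).items(), key=lambda kv: -kv[1]):
        print(f"{pair[0]} -> {pair[1]}: {score}")   # the beacon scores near 1, browsing near 0
```

Jitter is why MAD is used instead of the standard deviation: a beacon that randomizes 10 percent around 60 s still scores above 0.9 here, while a human session with a few long pauses does not.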