IH Flashcards

1
Q

What two documents should your IR plan hook into?

A

COOP, DR

2
Q

Any observable occurrence on a system or network

A

an event

3
Q

Examples of events

A

Anything that you can show happened. (measurable)

System boot sequence
A system crash (could be normal behavior)
Packet flooding (could be legit, bursty apps)

4
Q

Six stages of incident handling

A

Grand Master PI-CERL:
Preparation
Identification
Containment
Eradication
Recovery
Lessons Learned

5
Q

Places to share incident information?

A

BUGTRAQ (securityfocus.com)
Internet Storm Center (isc.com)
Dshield sensor network, part of SANS

6
Q

Reviewing contingency plans, DR plans, and testing the technology and user base (phishing) that protect systems/networks from incidents is done during what phase?

A

Preparation

7
Q

Warning banners NEED to include what?

A

  1. Consent to monitoring of the use of its networks and systems
  2. Prohibition of unauthorized access, use, or modification of resources
  3. If monitoring reveals evidence of criminal activity, the company can provide records to law enforcement.

8
Q

Privacy laws can impact the ability of incident responders to

A

Effectively monitor and record system activity. Can be a problem in Europe.

9
Q

What are some of the broad reasons you may be obligated to notify law enforcement for an incident?

A

  1. Threat to public safety or health
  2. Substantial impact to a third party
  3. Legal requirement for your industry

10
Q

What types of protected data may require notifying the public when breached?

A

PII, PHI

11
Q

What is your obligation to provide evidence to Law enforcement as part of THEIR investigation?

A

None, without a court order; you have to balance the need to conduct YOUR investigation with theirs.

(Without any evidence, you'll significantly hinder their investigation.)

12
Q

What SANS resource is available to help with law enforcement coordination?

A

SANS SCORE (sans.org/score/law-enforcement-faq)

13
Q

Smart practice for policy on employees connecting remotely

A

Make sure the VPN banner includes consent to remote search by the org.

14
Q

How to get management buy-in for IR capabilities

A

  1. Have a formal plan (with "peer" reporting measures)
  2. Provide monthly or quarterly reports
  3. Graphically illustrate incidents (cartoons, easy-to-understand material)
  4. Collect historical support
  5. Get news articles on similar incidents and how they were handled

15
Q

Membership of a good IR team should include

A

Physical Security
Infosec
Legal
HR
DR
BCP

16
Q

Two key items for benchmarking and recovering systems

A

  1. A system-specific (desktop, file server, app server) build plan/doc
  2. A Windows image backup of each of these that can be diffed against an infected machine

17
Q

Your incident handling team construction should have what pyramid-like scheme?

A

An emergency communications plan and on-site team construction.

Similar to a command post: identify who the engagement lead is, who is handling which remote site/function, what the comms plan is, and who the backups are.

18
Q

What is important to hammer out regarding procurement before beginning an IR activity?

A

A) What the procurement permission looks like; what happens if something (like an extra hard drive) needs to be procured on site (how to make government purchase card decisions)

B) What the secured communications plan is

C) What the plan is for food/lodging/etc. in case the engagement goes longer than expected

19
Q

Top two training issues for IR responders

A

  1. Creating forensic images under fire
  2. Keyboard skills under fire

20
Q

Some tricks for training the IR team

A

Internal honeypots
"War games" (surprise pen tests)
Quick "drills" for creating images or finding specific log files

21
Q

Great tool for performing large-scale incident response and hunt team communication/coordination.

Why is this tool good?

A

GRR, by Google. Free.

  1. Works with Rekall
  2. Can pull relevant data asynchronously as hosts come on and off the network (helps with laptops and mobile)
  3. Can use "flows" (scripts that run on the server but execute tasks on a host, such as looking for a file with a specific hash)

22
Q

Contents of a good "jump bag" (flyaway kit)

A

  1. Fresh/blank media
  2. Evidence collection suite (dd, imager)
  3. Forensics tools (SIFT, EnCase, FLARE, etc.)
  4. Network taps/monitors
  5. Every type of network/connection cable
  6. PC repair toolkit
  7. Extra copies of forms

23
Q

_____ should be set as the incident handler(s), and they should have ___ for tasking.

A

One person, usually with a helper, with a discrete set of events on a specifically scoped system to look at.

24
Q

Why should you control information/need to know for an incident?

A

Details change quickly
Incomplete or inaccurate details could get posted online
Folks who are "in the know" might have to testify, and will have an incomplete set of information
Insider threats can be tipped off

25
Out-of-band communications options in the event the system is compromised

Off-network phones (no VoIP)
Encrypted email (PGP or GnuPG, Gail Webcast)
Encrypted text
Faxes
Ham radios/walkie-talkies
Encrypted cloud storage (Tresorit/SecureSafe)
*Share keys in advance!*

26
Application logs are most useful from

Web apps
App servers for thick clients
Cloud-based services

27
"Net" commands used to look for suspicious activities

net view: look at shares
net session: look at inbound connections/SMB sessions
net use: look at outbound SMB sessions
nbtstat -S: NetBIOS over TCP, sorted by IP connection to our machine

28
Net commands for looking at TCP/IP activity

netstat -na: unusual TCP activity (continuous refresh)
netstat -naob: important: shows owning process ID and associated DLLs/executables
netstat -naob 5: same, but with auto refresh every 5 sec
netsh advfirewall show currentprofile: show built-in firewall rules

29
Commands to examine Windows processes

WMIC:
wmic process list (brief|full)
wmic process get name,parentprocessid,processid
wmic process where processid=<pid> get commandline

30
Commands to examine services on a Windows machine

services.msc
net start: running services
sc query | more: get more details about each service
tasklist /svc: MAP EVERY SERVICE TO A PROCESS

31
Command to map which services are running out of each process on your system

tasklist /svc

32
What are the registry and file locations that start software automatically?

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

33
Settings for a registry key can be checked on the command line using

reg query <regkey>

34
Manipulating the computer and financial infrastructure of a target for political reasons

Hacktivism

35
Allowing political dissidents to communicate on covert channels can be a form of

Hacktivism

36
Some ways to use malicious code for profit

Scraping CC numbers out of RAM on POS terminals
Keystroke loggers stealing financials
DoS extortion
Cryptomining
Spam advertising
Ransomware

37
Breakout time is

The time from initial compromise to privilege escalation to additional internal network targets

38
Average time for APTs to break out

20-309 mins

39
Average time to respond to a breach before you've got compromises

3.5 hrs

40
Cumulative (collective representation) data known about a target online (person, org, etc.)

OSINT

41
WHOIS data stopped being as useful in 2016 with the introduction of

European requirements for the General Data Protection Regulation (GDPR)

42
Used to gather limited domain info (name, creation date, registrar) using registrant name or email address

Reverse WHOIS (such as viewdns.info)

43
Who must publish the logs of all issued certificates, and what is this called?

CAs, via Certificate Transparency

44
How does Certificate Transparency help attackers?

It helps them collect information on an organization, such as the hostnames/CNAMEs published in the cert. Clues you in on additional target data.

45
Open source, GPL-based OSINT data collection and analysis tool

SpiderFoot

46
When recon crosses the line into the target site (tools that start sending requests directly to the target organization)

Direct recon

47
Tool to interrogate a DNS server (deprecated on Linux)

nslookup

48
Easiest way to get as much info from the DNS server as possible

Zone transfer

49
Command to do a zone transfer and get all data

nslookup, set type=any (will grab A, MX, HINFO, and NS records)
dig AXFR; do this against all associated name servers in an org

50
How to brute force DNS zone transfers

Using nmap with the dns-brute script and a word list

51
DNS recon defenses

Don't allow zone transfers from any system
Limit XFR to DNS servers only
Secondary and tertiary name servers should reject all XFRs
Use split DNS
Harden all DNS servers
Look for zone transfers in DNS logs

52
What is split DNS?

Publish external name info only to external servers, internal name info only to internal servers

53
To identify DNS zone XFR activity in logs

Look for packets going to and from TCP port 53 on DNS servers. (Queries use UDP port 53; transfers use only TCP.)

54
The SEC has what tool that's useful for OSINT?

EDGAR: data on publicly traded US companies (addresses, financial statements, etc.)

55
Site that allows you to identify which social networking sites a target user account may be using

namechk

56
Powerful site that allows you to correlate the internet presence of an identity

pipl.com

57
Social media geolocation tool that uses Flickr, Twitter, and Google photo metadata

Pushpin

58
Defenses against website searching

Tell your admins to look for aggressive web spider/crawler activity
Limit the info available
Make employment ads more general
Determine what other sites are linked to your company

59
The current version of Google hacks/dorks queries is stored at

Exploit-DB

60
Difference in how Google cache and archive.org handle images

Google cache does NOT save the images; it will load them from where they are currently stored, if it can. Archive.org keeps a copy and uses the cached copy if they're not located on the current site. If they're on the current site, it will load them from there.

61
Tool that automates the process of discovering files with accessible metadata (PDF, XLS, PPT) while also folding in support for Google hacking, SQLi scanning, brute forcing subdirectories, and versions of vulnerable software

FOCA/GOCA

62
Tool used for combining Google hacking with Bing hacking, Shodan, etc. into one framework. Also includes modules for searching a site to see if it's hosting malware, or if it's vulnerable to data leakage (DLP)

Search Diggity

63
Defenses against automated search engine recon, such as Google dorks

Have Google remove you
Look for information leakage by using Google hacks against yourself
Remove pages, snippets, and cached pages via metadata tags (noindex, nofollow, nosnippet)
robots.txt

64
Tools for web-based recon

Shodan
dnsstuff
network-tools.com
securityspace.com

65
What does network-tools.com do?

Web-based tool that does DNS lookups, email checks, domain name conversion, internet ping, spam blacklist checks for domain names, WHOIS, etc.

66
WarVOX is a tool for ______ that requires ________.

War dialing VoIP; the IAX protocol

67
Tool that records MP3 audio files associated with each number dialed and answered, for pattern matching

WarVOX

68
Defenses against war dialing VoIP

War dial yourself
Conduct training on effective phone passwords
Find out-of-band or unlisted numbers
Set a policy for out-of-band access (make sure you have a full inventory of all remote routers)
Secure modems with strong authentication (token, crypto)
Use scanning-detection functionality for a PBX system

69
Difference between active and passive Wi-Fi scanning

In an active scan, the attacker sends probe requests on all channels for an SSID and observes responses; in a passive scan, the attacker just listens for beacon frames sent by the AP. Both return network info, encryption and auth methods, channels, and manufacturer info.

70
Difference between Kismet and inSSIDer

Kismet is completely passive.

71
PCAP and Wi-Fi analysis is found in what tool?

Kismet; it will produce full packets, and the PCAP can be loaded into Wireshark

72
What is Galois Counter Mode?

A mode of encrypting data in WPA3 that is easy to accelerate in hardware

73
What are the 3 modes of authentication for Wi-Fi?

PSK (pre-shared key)
EAP/TLS (enterprise auth)
SAE (Simultaneous Authentication of Equals: PSK, but eliminates offline password guessing)

74
Why is PSK authentication for Wi-Fi dangerous?

Everyone uses the same pre-shared key for auth, so a stolen device compromises all devices. Even without the device, offline password guessing attacks can be used against PSK.

75
How to offline guess a PSK password

Capture some packets with Kismet, then try to match the hash against a password list

76
Best tool for Wi-Fi password guessing

Aircrack-ng

77
Impersonate and steal creds for WPA2 Enterprise networks with a Linux machine using

hostapd-wpe; will "dumb down" auth attempts

78
Tool for hijacking mice and keyboards (and what it requires)

JackIt; requires a Crazyradio PA USB stick, or similar

79
Defenses against wireless AP hacking

Use WPA2+
Deploy EAP/TLS auth or cert-based auth
Use TLS for critical data

80
Nmap's 4 packets to identify up hosts

ICMP echo
TCP SYN to 443
TCP ACK to 80
ICMP timestamp

81
Defenses against network mapping (4)

Disable incoming ICMP echo requests
Disable outgoing ICMP time exceeded
IDS signatures for ping sweeps/traceroute
Temporarily block a frequent ping sweep

82
The TCP RESET flag does

Tears down a connection

83
The TCP PUSH flag does

Data should be pushed through the TCP stack (?)

84
Nmap ACK scans are useful to

Do network mapping instead of a ping sweep; good for finding sensitive internal servers. CANNOT DO A PORT SCAN.

85
Tool that takes screenshots of websites and tries to quickly identify their purpose to find interesting stuff

EyeWitness. Looks for things like RDP, servers, indexed web directories, etc.

86
Four options for disabling a Windows service listening on a port

Kill the process with Task Manager
Kill the process with WMIC
Disable the service in Control Panel
Disable the service using the sc command (best, most versatile)

87
Best two ways to see listening ports on Linux

lsof; netstat -nap

88
Disable Linux processes listening on ports (5 methods)

First, try to stop it with systemctl
Then try to kill it if you can't use the first command
Disable the service in /etc/rc.d
Disable the service using systemd
Disable the service in inetd/xinetd (/etc/*.conf)

89
An excellent bypass for IDS uses a ______ packet in the middle of an attack

TCP reset; it tricks the way a target OS/firewall handles TCP checksums.

90
Defenses against IDS/IPS evasion (5)

Up-to-date/well-resourced devices
Implement behavioral analytics
Use host-based systems as well
Block odd packet fragments
Harden ports

91
Nessus client-server comms port and language

8834, HTML5 (uses HTTPS)

92
Nessus setting to block dangerous plugins

Safe checks

93
SMB ports (2 kinds)

445; it used to use the NetBIOS ports, TCP/UDP 135-139

94
Establishing an SMB session from the command line

net use \\targetIP

95
Can connect to most SMB shares as long as you

Have a non-admin username and password. (Can use this to connect to IPC$)

96
Command to get a list of SMB shares once you're connected to an IP

net use \\ip or net view \\ip

97
Command to get the list of all domain users

net user /domain > output.txt

98
Tool to bypass authentication and hijack password libraries so that they accept any password

Kon-Boot

99
Attack a computer that is in a suspended or hibernated state with this tool to unlock it. (Requires FireWire/Thunderbolt)

Inception

100
Use this hardware dongle to surreptitiously steal logs using Responder, for these services.

LAN Turtle; steals things like Kerberos traffic, LLMNR, DNS, etc.

101
Physical attack device that looks like a USB thumb drive, but can act as a keyboard and inject strings, scripts, malware

Rubber Ducky

102
Defenses against physical access attacks

Full disk encryption
Train users to power down systems
Restrict access to USB ports to only pre-approved devices
Password-protect the BIOS
Disable USB boot
Disable LLMNR

103
Takes the original Netcat tool and makes it capable of communicating over pipes, devices, sockets, SSL, and raw IP

Socat

104
Netcat that can communicate over data frames

Linkat

105
Client mode Netcat traffic is passed by: Send ______ to standard in; Send ______ to standard out; Send _______ to standard err

Keyboard input, or data redirected from a file or piped from an application, goes to standard in (input)
All data sent back across the network goes to standard out (response)
All messages from the tool go to standard err

106
Listener mode Netcat traffic is passed by: Send _____ to standard in; Send ______ to standard out; Send ______ to standard err

Received data is sent to standard in
Data is sent to the client over standard out
All messages from the tool are sent to standard err

107
Uses of Netcat

Data transfer
Port scanning
Vuln scanning
Making connections to open ports
Backdoors
Relays

108
How to backpipe a Netcat relay

Use the mknod command (common to Linux and Unix) to create a special FIFO (first in, first out) file as a "backpipe" for information to flow through. It acts as an intermediary, carrying data back and forth on the command line. The 0<backpipe at the end (the receiver sending data to standard in) is important! (Drawing on 3:19)

109
For name resolution, systems will use ARP, and then what series of name resolution services?

ARP --> DNS --> LLMNR --> NetBIOS Name Service (NBT-NS)

110
Tool that scrapes images out of network flows/PCAP

NetworkMiner

111
DNS spoofing is possible as long as you (the attacker) are located

On a network somewhere between the attacker and the DNS server

112
How does sslstrip work?

It intercepts (via MITM positioning) a server's request redirecting HTTP traffic to "jump" to HTTPS, interprets all the HTTP traffic, sniffs it, and then sends it on to its destination via an SSL connection, with the attacker establishing its own SSL tunnel.

113
Responder is capable of hijacking what types of requests?

NetBIOS Name Service (NBT-NS), DNS, and proxy requests

114
Why does Responder try to force a victim onto LANMAN authentication methods?

Easier to crack the auth creds

115
What is a PAC file, and why do we want to hijack it?

A PAC file is something the browser uses to easily identify a proxy server. Once manipulated, it will cause a browser to send requests through the attacker's machine.

116
Defenses against hijacking attacks

Activate port security on switches
Use dynamic ARP inspection with DHCP snooping
Disable LLMNR
Disable WPAD
Encrypt sessions with strong auth (SSH v2+)

117
Buffer overflows give an attacker the ability to

Execute arbitrary commands on a system; take over the system or escalate privileges

118
Buffer overflows must be executed locally (T/F)

False; some work over the network, too

119
The cyber equivalent of stuffing too much into a box that isn't large enough to fit it

Buffer overflows. Cramming too much data into parts of memory that aren't sized/conditioned to accept it (non-validated input). May include overflowing integer types or storing the wrong kind of data (a string when expecting numbers, etc.)

120
A memory stack stores and returns things from memory in what fashion?

Push/pop, LIFO. Push things onto the stack, pop things from the top of the stack.

121
Variable space that's allocated in memory to store function variables as part of subroutines

The buffer. (Sits on top of the return pointer; when a subroutine is called, it sticks a bookmark (the return pointer) at that place in the stack and then allocates a buffer above it for the subroutine's function.)

122
Two Metasploit modules that can scan code, looking for patterns that are sometimes weak to buffer overflow type attacks (strcpy, scanf, fgets, gets, etc.)

msfelfscan
msfpescan
Those functions are usually used for moving data around between memory buffers.

123
Finding a buffer overflow vuln in ____________ on Linux or _____ on Windows is a premium, because...

root/SUID/UID 0 level in *nix, and SYSTEM level for Windows. It lets the user run with admin-level privileges, not just the program's privileges.

124
Exploits are tailored for

The processor and OS type. Intel (Linux) or SPARC (Solaris), etc.

125
Why should buffer overflow exploit code be kept small?

To fit in the buffer

126
These characters will be filtered by the OS and won't be loaded fully into the stack for a buffer overflow exploit

Filtered characters. (Something that, when translated into ASCII, means something. For example, a 0x00 code is a null character, and drops everything received after it in the function.)

127
What is it when an attacker uses NOPs in front of exploit code, so that if the pointer lands on a NOP, it funnels down to the correct pointer?

NOP sled

128
What are the NOP sled, attacker machine code, and return pointer called, all together?

An egg

129
4 parts of Metasploit

Exploit
Payload
Auxiliary modules (scanning, DoS, fuzzing)
Post modules (post-exploitation)

130
MSF can sometimes be used just to check for a vulnerability and scan (T/F)

True

131
General-purpose Metasploit payload that carries a DLL to the target box to give specialized command-level access

Meterpreter

132
Why is Meterpreter nice?

Doesn't create a separate process when executing a shell; runs in the exploited process
Doesn't touch the HD; stays in memory
Includes its own set of commands, so doesn't use the target system's commands
Can load new modules and dynamically change its functionality, all from the memory of the affected process

133
Meterpreter works on what OS?

Windows, PHP (web server, web client with PHP), JRE, and Linux. Mac OS X is under development.

134
What application discussed in class can generate NOP sleds?

Metasploit

135
What application can generate wrappers for shellcode?

Metasploit

136
Marks certain pages, such as the stack, as non-executable, as well as marking memory areas where legit code is present as non-executable

MS Data Execution Prevention (DEP). Helps against buffer overflows.

137
Two kinds of Data Execution Prevention

Hardware-based: only works on machines that support it.
Software-based: works in essential Windows programs and services, such as the RPC locator.

138
Little chunks of OS code an attacker wants to execute as part of a buffer overflow are called a _____

Gadget. Used to orchestrate attack steps using legit OS libraries instead of trying to insert code into the stack.

139
3 types of code canaries

Random: uses random values to protect the return pointer
Terminator: uses null bytes to protect return pointers, because they render payloads moot when appended to them
XOR: uses non-predictable values for return pointers

140
Grab data from the network (such as a Python scraping tool) and parse it for an application.

Protocol parsers: dangerous

141
Why are protocol parsers dangerous?

They're hard to get right
The code that breaks the data down into fields is rife with buffer overflows
Lots of copying things around in memory
Bad bounds checking

142
How can protocol parsers "lie in wait"?

An attacker can flood a bunch of machines with an exploit for a service that the parser is vulnerable to, and wait for the application to use the protocol parser to view data grabbed from the network.

143
Defenses against protocol parser vulns

Use protocol parsers as little as possible
Pay extra attention to sniffer tools (Wireshark, Snort, Bro, Suricata, tcpdump, etc.); patch these regularly!

144
How do you inject malicious macros in PPT?

The key is to have them run the macro when the file opens and when a user interacts with the presentation.

145
How do we trick users with malicious PowerPoints?

Inject the code we want to run via the "Veil-Evasion" MSF module, broken up into digestible bites (macrosafe.py), and then enable the script to run when the user interacts with a slide, using "Run_on_open" or "on mouse click" or "on mouse over" actions. Boom. Evades AV, too.

146
What is ghost writing?

Changing assembly code (adding junk) to change signatures and evade AV

147
Easy way to change a file's code signature via assembly

Create an exe
Convert it to an .asm file
Edit the .asm file (add anything)
Convert it back to .exe

148
Easiest thing to add to assembly to just add something (avoiding AV signatures)

Add a push/pop any time something XORs itself (meaning the register is emptied). Would look like this:

push eax
pop eax
xor eax, eax

149
Using lesser-known languages to write payloads may help them execute because...

Signatures are more common against known payloads

150
What is an environmentally keyed payload?

Where malware searches the runtime environment for strings, such as a directory name, and attempts to decrypt the binary with each, which makes the signature unique.

151
What's an example of adjusting how malware is executed that can evade AV?

Have the malware payload trigger on uninstall, not on execute.

152
SharpView and Enum tools do what?

Enumerate users, groups, etc. via SMB/findstr

153
What is PowerShell Empire?

Backdoor for PowerShell; post-exploit. Can scan for vulnerabilities and systems to compromise. Enumerate shares and users across domains.

154
What is BloodHound?

Tool that finds the quickest way to get domain admin privileges. GRAPHICS!

155
Defenses against manipulation of SMB

Block at boundaries/local firewall: TCP 445, 135, 137, 139; UDP 445, 137, 138
Explicitly allow SMB only from specific places you want it to come from
Check IDS/IPS logs

156
Trying to guess a small number of potential passwords against a large number of target machines (1-2 passwords against a large user base)

Password spraying

157
Determining a password when you only have the password file/ciphertext representation

Password cracking; matching the output of guess+algorithm and comparing against the encrypted passwords

158
Unix/Linux-friendly password guessing tool

Hydra

159
Fastest method for cracking passwords

Dictionary

160
3 methods of password cracking

Brute force
Dictionary
Hybrid (dictionary with numerics/symbols baked in)

161
Why you shouldn't use password cracks for migrating users to new platforms

Non-repudiation. (Can't prove it's only the user with the password.)

162
Weak password hashing mechanism still in regular use

Windows LANMAN. Converts everything to uppercase, padded with null bytes to a fixed length (14 bytes). Split and used as keys for DES, a weak encryption algorithm.

163
Replacement for LANMAN

NT hash: still not great.

164
Why is the NT hash better than LANMAN? (2 reasons)

Case is preserved; doesn't store a LANMAN hash if the password is greater than 14 chars

165
Why are NT hashes and LANMAN both inherently insecure?

They don't use salts

166
What is a password salt?

A short, randomly selected string added to a password before hashing, adding randomness to the hash

167
Feature that defeats rainbow table attacks

Salts

168
Built-in Windows tool that lets you get a backup of AD, which can be used to get hashes (executable and command)

ntdsutil.exe; activate instance ntds, ifm

169
What is in NTDS.dit? How is it decrypted?

DC hashes; use the registry hive keys to extract the hashes

170
Empty values in password dumps are easy to recognize by

Specific values:
aadbb (first letters, LANMAN): Am All Day Baffled By
dcfed (first letters, NT hash): Difficult Choices for Encrypted Data

171
The password hash is ______ in /etc/passwd or /etc/shadow. How do you know what hash type is used?

The second field, colon-delimited. It will be $#, and the number corresponds to a specific type ($1 is MD5, $5 is SHA-256; no indicator is DES).

172
Order of fields in /etc/shadow

user:$<hash type>$<salt (4 or 8 chars)>$<hash value>

173
Hashing is still insecure if it doesn't feature

Multiple rounds, salts

174
How to mitigate GPU-based powerful password crackers

Use PBKDF2, bcrypt, scrypt. These use multiple rounds and HMAC.

175
Little-used, powerful (new) hashing algorithm

Argon2

176
You must feed John a...

An encrypted password file

177
For Linux systems you're cracking with John, if they use /etc/shadow, you must...

Merge /etc/passwd and /etc/shadow via the "unshadow" command

178
How to handle LANMAN hashes being stored

Stop storing LANMAN hashes by changing the LSA registry key. (Add a "NoLMHash" key; LANMAN goes away at the next password change.)

179
Audit passwords with...

Group Policy, Domain Password Audit Tool

180
Adds password complexity and additional capability to *nix systems

PAM modules. Work with Kerberos, RADIUS, etc. Enforce password complexity.

181
Rather than cracking the original passwords once the hashes are stolen, this technique lets you just reuse the hash to authenticate via challenge/response, NTLM, or NTLMv2

Pass the Hash

182
Pass the Hash attacks are usable once the attacker loads the hashes into his memory space and then utilizes...

SMB-based access, like net use

183
Windows Credential Editor gives you what capability upgrade from standard Pass the Hash?

Pass-the-Ticket

184
Windows 10 defense against pass-the-hash and hash theft

Credential Guard; virtualization containers abstracted from the main operating system.

185
What can you do locally to disable PtH-style attacks?

Change the TokenFilterPolicy in HKLM\Software\MS\etc to '0', which denies remote users the ability to execute commands on the target system. Disable the local admin account.

186
What is Kerberoasting?

Kerberoasting is a technique which exploits a weakness in the Kerberos protocol when requesting access to a service (such as IIS). It doesn't need to be an active service; it just needs to have a service account (uses the SPN: Service Principal Name). The attack gets you a service ticket, which has a portion of the service account's password hash included.

187
What's the important artifact to get in a Kerberoasting attack?

The important part is that the service ticket is encrypted with the hash of the service account, which allows any authenticated user on a Windows domain with the ability to request a service ticket from the TGS to perform an offline brute-force attack.

188
Tools to extract password hashes from service tickets gained from Kerberoasting

Impacket and Mimikatz

189
Defenses against pass the hash/Kerberoasting

Host firewalls to block SMB in client/client comms (restrict inbound to admins)
Use LAPS to manage unique and complex local admin passwords (keeps one admin hash from being used on multiple machines)
Use TPM
Use Credential Guard
Look for unusual admin activity/use of net (use, session) commands

190
Attack tools that carry multiple exploits and can spread themselves using all of them (and an example)

Multi-exploit worms, such as Conficker

191
Mechanisms for Conficker to spread

Buffer overflow for Windows
Copying itself to thumb drives
Guessing passwords for SMB shares and moving between shares

192
Why was Stuxnet considered a multi platform worm
Attacked Windows, but pivoted to Siemens ICS software and SCADA systems
193
Worm that exploited Windows LSASS vulnerabilities
Sasser
194
Exploits a UPnP flaw
Zotob
195
Uses for Bots
Maintaining backdoor control of a machine
Controlling an IRC channel
Mail relays
Providing anonymizing HTTP proxies
DoS floods
196
Collection of bots under the control of a single attacker is called a
botherder
197
Bots are particularly useful for spreading through
Infected web sites that exploit browser vulnerabilities
198
Attackers communicate with bots via
IRC (6667 standard, but can use anything)
HTTPS
DNS
Social networking sites
199
Modern bot comms techniques utilize
Non-standard IRC ports
3rd party websites (HTTP)
Social networking sites via HTTP (bot surfs to popular sites over port 80 and parses commands from specific profiles)
DNS
200
Bots stay persistent/hidden by (6 methods)
Morphing the code for infection
Run commands with system privs
Add/remove file shares
FTP files
Add autostart
Scan for other vulnerable systems
201
What is GRE?
Generic Routing Encapsulation: lets you set up a direct point-to-point tunnel, like IPsec. (Used by bots.)
202
Defense against bots
1. Harden systems
2. Set specific plans for quick patching/testing patches
3. Encrypt hard drives (so stolen data can't be read easily)
4. EDR tool
5. App whitelist
6. Host-based IPS
203
Defense against account harvesting
Auth messages should be consistent so as not to give away whether accounts are valid
Use account lockouts (times
Have "canaries" for multiple bad passwords on different accounts being hit in succession
204
Time inference confirmation is what?
Looking at the time delay on command injection when you can't see the response
205
Defense against command injection
Fix flaws in code
Use a WAF
Don't have applications launch shells or execute commands
Validate input
Sanitize input
206
Filter characters from a website's output with this tool
ModSecurity for Apache, IIS, and Nginx
207
Server defenses against XSS
HttpOnly flag set (limits cookie accessibility)
Use Content Security Policy (CSP) to set what dynamic resources are allowed to load in the browser
Report sanitized content to a specific URL if detected
208
What browser is vulnerable due to a lack of Content Security Policy (CSP) support?
IE
209
Where and how can you report browser XSS flaws with CSP turned on?
To an external URL, via the report-uri feature
210
Ways web sites track state (sessions)
Sending back a user ID/credential
Hidden form elements on the page
Cookies
211
How does a DNS amplification attack work?
Utilizes EDNS, a standard that lets DNS packets be bigger than the normal DNS packet size. The attacker gets a DNS server to store a 4000-byte TXT record as part of normal DNS operations (recursion). The attacker then sends fake (spoofed) DNS requests on behalf of the victim, with the EDNS flags set, which amplifies the size of the response (by sending the 4000-byte TXT record) by over 60 times. Floods (and DDoSes) the victim.
212
How does a DDoS packet flood work?
Attacker (via a compromised client) sends a bunch of spoofed SYN packets to a high-bandwidth server; that server then responds with SYN-ACKs to the victim.
213
Why are HTTP floods harder to detect than SYN floods? (DDoS)
SYN floods never complete the 3-way handshake, which creates an abnormal comms state to track. HTTP floods (where the attacker finishes the request and then executes a command) are a normal comms state, and are easier to track (and harder to identify/stop!)
214
Defenses against DoS style attacks
1. Keep DDoS off your machines (IDS/IPS/AV)
2. Anti-spoof egress filtering at border routers
3. Ensure adequate bandwidth
4. ISP controls
5. Use traffic shaping tools against floods
215
How do you secure VNC?
Tunnel it through SSH: ssh -L 5901:localhost:5901 REMOTE_IP
216
VNC servers passively listen on what port, connect outbound on what port?
5900, 59001 (management ports)
VNC servers can also listen on port 5800, and can shovel a session to clients using a small Java applet. Clients can listen on port 5500 for a GUI session to be "shoveled" to them.
217
Two modes for VNC
App mode (shows up in the tools tray)
Service mode (shows up in the service list)
218
Standard capabilities of remote control backdoors (like Poison Ivy, RATs, etc.) (7)
1. Keystroke logger
2. Create dialogue boxes with customizable text/action
3. Lock up/reboot system
4. Get system info
5. Access files
6. Create VPNs to an outbound system
7. Camera and audio capture
219
What is scareware?
What Bob got infected with; "Install our security monitoring software", which is just a trojan.
220
What is a packer?
Originally used just to compress code and deliver more malware in a smaller package; it's now used to make reversing much harder.
221
Why does a packer make reversing harder?
The packed code can't be directly disassembled and doesn't reveal many interesting strings
222
Memory file for virtual VMware hosts
.vmem file
223
Things you can look at with Rekall
Network connections
Processes
Map processes (PIDs) to network connections (netscan)
DLLs loaded by a process
224
Rootkits don't let a user GET root access, they let an attacker...
MAINTAIN root access by affecting existing programs/OS modules on the underlying system.
225
Examples of Linux rootkit methods
Replace login, rshd, sshd, inetd, tcpd with versions that have backdoor access built in
Rewrite commands to include root-level backdoors, like changing the su binary
226
4 categories of hiding tools found in rootkits
Process hiding (changes to processes like ps/top)
Network hiding
File hiding (ls/find commands)
Event hiding (syslogd, to keep the attacker's activity from producing events)
227
How does a rootkit DLL injection attack get its code onto a system (4 steps)
1. Allocate space in the victim process' memory, using the VirtualAllocEx Windows API call
2. Write the name and code of the injectable DLL into the memory space of the victim process (WriteProcessMemory)
3. Create a thread in the victim process to run the new DLL
4. Free up resources in the victim process after execution (cover tracks)
228
What is API hooking?
When an attacker undermines a running process in its interactions with Windows itself
229
The memory space that privileged (sensitive) software runs in, where it cannot be accessed by code running at a less privileged level
Ring 0 (most sensitive)
Ring 3 is normal user mode
230
To interact with a kernel, user-mode processes use
System calls
231
How do system calls work?
A user-level process calls a system library, which is full of code and tables. The tables are just arrays mapping system calls to the corresponding kernel parts needed to handle each call (a collection of pointers).
232
How do you implement a kernel mode rootkit?
Loadable kernel modules (*nix) and device drivers (Windows)
Altering kernels in memory
Changing out a kernel file on the hard disk
Virtualizing systems (not seen often)
233
Windows defense against loading kernel components via drivers
Mandatory device driver signing
234
How to circumvent Windows device driver signing
Steal the private keys of a legitimate software company
Bypass it by manipulating memory
235
Manipulating the paging file allows what rootkit style attacks? What does this bypass?
1. Hog system memory
2. System offloads its functionality to the system page file
3. Manipulate the page file
4. Release memory, allowing the page file to be sucked back up into memory
(Bypasses the device driver signing process)
236
Location of the Linux and Windows kernels (where they'd be overwritten by malicious code)
Linux: vmlinuz
Windows: ntoskrnl.exe and win32k.sys
237
What other file must be manipulated to get an altered Windows kernel file to load?
Have to manipulate the NTLDR program, which checks the kernel's integrity at bootup. (Use a few instructions to skip the integrity check.)
238
How do network forensic tools (like Security Onion) look for patterns reflective of malware activity?
Look for large amounts of client-client traffic, server-server traffic, worm traffic (large bursts of activity)
239
Eradication techniques for rootkits
Wipe/reformat
Reinstall OS
Apply all patches
Change all passwords
240
Easiest way to hide files in *nix
Renaming files to a space, ., or ..
241
Places to hide files on Linux systems
/dev
/etc (bad place, usually monitored)
/tmp
OR a complex/random place on the file system, like /usr/man or /usr/src
242
How will sophisticated attackers hide their tracks in Linux logs?
Edit out individual log entries rather than wiping logs
Edit shell history/bash history
243
How to completely kill the shell history file
1. Kill the shell, which prevents the recent shell history from being written (kill all bash shells to do the same)
2. Change the SIZE of the bash history file to zero (unset HISTFILE)
3. Add a space before a command to keep bash from logging it in the first place
244
What do you have to do to edit utmp files, and what do they do?
Contain information about logged-in users, current and historical
Show login successes and failures
Need a specific editor that can work with those files, like remove.c or wzap.c, etc.
245
What do tools like wtmped.c, marry.c, cloak.c, etc. do?
Wipe user activity logs on Linux, such as /var/run/utmp (current logins) and /var/log/btmp (bad logins)
246
What are NTFS file streams?
Extra "drawers" (like a dresser) that you can throw data into, which are attached to a file. Stream 1 is the contents of the file; stream 2 and up are added streams. Stream 1 is the only thing that will show in Windows Explorer.
247
What file structure is required to write data streams in Windows?
NTFS. Doesn't work with FAT, etc.
248
What type of streams does Windows store that are visible in Windows Explorer?
Only the main stream (stream 1, the file contents). Additional streams don't show.
249
Do streams copy with a file?
Yes
250
How do you see alternate streams on NTFS systems? (2 ways)
dir /r
Get-Item in PowerShell with the -property stream option
(Some AV can detect it if there's malicious code in it)
251
How do you remove an Alternate Data Stream (ADS)?
Move it to a FAT partition | no built-in Windows tool
252
Tool dedicated to finding alternate data streams on NTFS
LADS
253
Log file format for Windows logs
EVT files (not editable directly)
254
Tools for manipulating Windows log files?
NSA DanderSpritz tool, with eventlogedit | Metasploit clearev log file wiping utility
255
What is the normal state of Windows event logs?
Immutable files, write protected and cannot be altered by normal means on a running system (but tools are available to do it)
256
Best way to defend against manipulation of event logs
Use a separate logging server
Use Windows Event Forwarding to send logs to an alternate location
Add integrity checking software to keep an eye on Windows log file locations
257
Some behavior analytics tools
MS Advanced Threat Analytics
Rapid7 InsightIDR
Exabeam
JPCERT (open source)
258
Open source threat hunting tool
LogonTracer from JPCERT
259
Hiding network activity
Carry one protocol on top of another (encapsulate one protocol inside another)
260
How does a reverse HTTP shell work
The connection is established over HTTP from WITHIN the victim's network, on a pull basis. At set intervals, the reverse shell reaches out over the internet and tries to connect to the attacker's machine. The attacker then sends commands back to the origin as HTTP responses.
261
Tools that allow you to tunnel traffic inside ICMP
Ptunnel (TCP over echoes/replies: Windows or Linux)
Loki (*nix shell)
PingChat (Windows chat program)
ICMPCmd (Windows cmd access)
262
Tool that would let you communicate on a network that heavily filters TCP and UDP packets
ICMP comms via Ptunnel or PingChat
263
Two components to Ptunnel
Client and Proxy
The Client listens on a given TCP port; the Proxy funnels traffic over ICMP (it has to be reachable by ping). The Proxy sends the ICMP packet outbound with the TCP data in the payload to any TCP-based server on the net, and also communicates with the Client on a normal TCP port.
264
Ptunnel uses what for authentication?
MD5 challenge/response
265
SCTP and QUIC are good protocols to use for tunneling covert traffic because...
They are multiplexed/multihomed, which means multiple hosts can be used as failover. Not many signatures exist for newer protocols.
266
Full C&C backdoor where all commands flow over Gmail
GCAT
267
Defenses against covert channels being used
Investigate odd processes, especially those with admin privs
Network IDS set to analyze:
Shell commands over HTTP
Unusual ICMP messages/sizes
Unusual changes in IP ID/Seq/Ack fields for TCP covert tunneling
268
Tool for finding stego
StegExpose - a Java utility that looks at the Least Significant Bit for techniques where this is a tell
269
Defense against stego
Get familiar with the tools
File integrity checks: look at hashes for changes in data compared with the original
270
Netstat command for getting processes and connections
netstat -naob
271
What is lsof -i going to produce?
Find out if a service is running.
272
Using PowerShell, creates a stacked analysis of the installed software in your environment
Kansa