Lesson 9 - Exploiting the LAN and Cloud Flashcards
Once you have scanned for vulnerabilities what is the next step in the attack phase
Establish a connection by Enumerating Open Ports, Services and AD Objects
What are the services and ports that Microsoft OS uses for File and Print Services
Server Message Block (SMB) protocol via TCP port 139 or 445
What is the service and ports that Linux hosts use for file sharing
Network File System (NFS) daemon using TCP and UDP 2049
Name tool tools for launching attack and enumerating network shares
Metasploit
ShareEnum - Sysinternals - most effective from domain admin account
What native tools inside of Windows can be used for enumerating Windows hosts
Net View
Arp -a
net user
Ipconfig /displaydns
Describe the structure of Windows AD
From Top Down
Forest
Tree
Domain
Sub Domain
Organizational Units (OU)
What are some of the PowerShell cmdlets available for enumeration
Get-NetDomain
Get-NetLoggedon
Get-NetGroupMember
Within Linux what are some of the Bash Commands for enumerating
Finger - Users home directory, login time
cat /etc/passwd - list all users on system
uname -a -OS name and version
env - output a list of all the environmental variables
What is the name of the attack on a MAC table on a switch so that it behaves like a hub, repeating all frames out all ports
Macof attack
What is an On-Path attack where the malicious actor sits between web client and server and creates an HTTPS session with server then forces client to accept that
SSL/TLS downgrading/stripping
What is a key requirement for an On-Path attack to be able to be successful
by either spoofing for cache poisoning strategy such as
DNS Cache Poisoning
ARP Spoofing
MAC Address Spoofing
Name two name resolution services (not DNS) in a Windows environment to resolve network addresses
LLMNR is the initial one and then
NetBIOS Name Services (NBT-NS)
What is the command line tool used to poison responses to NetBIOS, LLMRN and MDNS resolution requests
Responder
What is the network-based attack where the attacker steals hashed user credentials and uses them as-is to try to authenticate to the same network the hashed credentials originated on
Pass the Hash
What is the name of the hash attack where the attacker gets user Service Principal Names (SPN) and then gets a server to dump out the service ticket with the NTLM hash of a requested service account
Kerberoasting
What is the act of using multiple exploits to form a larger attack
Chaining Exploits
What company developed Metasploit and what are the 3 versions
Rapid7
Metasploit Framework - Free open source CLI
Metasploit Express - simplified commercial version for validation
Metasploit Pro - Full featured GUI with quick start wizards
What are two popular GUI spin offs to Metasploit
Armitrage
Cobalt Strike
Name the modules that Metasploit are grouped by Tyupe
Exploits - attack software that delivers a payload
Payloads - code that runs remotely
Post - Additional tasks you can perform on a compromised host
Auxiliary - scanners, sniffers, fuzzers, spoofers and other not exploit features.
Encoders - ensures that payloads make it to their destination intact and undetected.
Nops - keeps payload sizes consistent across exploit attempts.
What is the most popular payload in Metasploit and describe the features
Meterpreter
Interactive menu-based list of commands you can run on a target during a PenTest exercise
What is a CharGEN attack and what was this originally? intended for
good for a packet for a DoS attack. CharGEN is a legacy protocol that was developed as a testing tool
Name some other Tools that can be used to launch an effective attack
Impacket Tools - an open-source collection of tools used when PenTesting in a Windows environment.
Responder - Kali CLI used to poison NetBIOS, LLMRN and MDNS name resolution requests
mitm6 - IPv6 hijacking tool that works by replying to DHCPv6 messages and set the malicious actor as a DNS Server
Where can I find the collection of of public exploits and vulnerable software in a searchable database
ExploitDB
You can use SearchSploit to search that database. found in Kali Linux
What is the combination of cloud infrastructure, platform services, and software referred to as
Cloud Federation
What are dormant VM’s and why do they pose a risk
A VM that is created and configured for a particular purpose and then shut down or even left running without being properly decommissioned. They can be possible entry points
What is the term for OS virtualization deployment containing everything required to run a service
Container
What is the term for how users and devices are represented in the organization
Identity and Access Management (IAM)
What are the two most common Malware Injection attacks
SQL Injection (SQLi)
Cross Site Scripting (XSS)
What type of attack takes advantage of the shared nature of Cloud Infrastructure especially in a PaaS model
Side-channel attack - AKA sidebar or implementation attacks
hardware leaks sensitive info such as crypto keys via a covert channel
What is the type of attack that circumvents a DDOS attack
Direct-to-origin attacks (D2O) circumvent protection by identifying the origin network or IP and then launching a direct attack
What is the name of the attack that is specifically designed to steal username and passwords
Harvesting Credentials
Email Phishing
Social Engineering
MITM, DNS Poisoning
What is the primary objective of any exploit
Privilege Escalation
Security Account Manager - Dump SAM to get hashed password
Local UAC - bypass
Weak Process permissions
Shared Folders
DLL Hijacking - weak folder permissions allowing for DLL replacement.
Writable Services - modify startup parameters
Missing Patches/MisConfig
What is the purpose of Denial of Service (DoS) attack and name the attack types that focus on crashing the system.
Resource Exhaustion
Amplification or volumetric attacks focus on saturating bandwidth
Denial of Sleep - attack that drains a devices battery
A slow HTTP attack send fragmented requests and can stress the server .
Name the automated Cloud Vulnerability Scanning Tools
ScoutSuite - written in Python and for multi cloud. Collect data from cloud using API Calls
Prowler - AWS Only and benchmarks against CIS plus GDRP and HIPAA compliance.
Pacu - designed as an exploitation tool for AWS. Uses modules for exploits such as API keys. Focuses on post-compromise phase so a team can drill down into the system to escalate privilege, launch additional attacks, or install a backdoor
Cloud Custodian - Open Source cloud security Governance and management tool.
What cookie is native to PHP Web Applications and enables web apps to store, manage and communicate serialized data
PHPSESID
this is discarded when browser is closed
