Lesson 9 - Exploiting the LAN and Cloud Flashcards

1
Q

Once you have scanned for vulnerabilities what is the next step in the attack phase

A

Establish a connection by Enumerating Open Ports, Services and AD Objects

2
Q

What are the services and ports that Microsoft OS uses for File and Print Services

A

Server Message Block (SMB) protocol via TCP port 139 or 445

3
Q

What is the service and ports that Linux hosts use for file sharing

A

Network File System (NFS) daemon using TCP and UDP 2049

4
Q

Name two tools for launching attacks and enumerating network shares

A

Metasploit
ShareEnum - Sysinternals - most effective from domain admin account

5
Q

What native tools inside of Windows can be used for enumerating Windows hosts

A

Net View
Arp -a
net user
Ipconfig /displaydns

6
Q

Describe the structure of Windows AD

A

From the top down:
Forest
Tree
Domain
Sub Domain
Organizational Units (OU)

7
Q

What are some of the PowerShell cmdlets available for enumeration

A

Get-NetDomain
Get-NetLoggedon
Get-NetGroupMember

8
Q

Within Linux, what are some of the Bash commands for enumeration

A

finger - user's home directory, login time
cat /etc/passwd - list all users on the system
uname -a - OS name and version
env - output a list of all the environment variables

9
Q

What is the name of the attack on a MAC table on a switch so that it behaves like a hub, repeating all frames out all ports

A

Macof attack

10
Q

What is the on-path attack where the malicious actor sits between the web client and the server, creates an HTTPS session with the server, and then forces the client to accept it

A

SSL/TLS downgrading/stripping

11
Q

What is a key requirement for an on-path attack to succeed

A

A spoofing or cache-poisoning strategy, such as:

DNS Cache Poisoning
ARP Spoofing
MAC Address Spoofing

12
Q

Name two name resolution services (not DNS) in a Windows environment to resolve network addresses

A

LLMNR (tried first), then
NetBIOS Name Service (NBT-NS)

13
Q

What is the command-line tool used to poison responses to NetBIOS, LLMNR and mDNS name resolution requests

A

Responder

14
Q

What is the network-based attack where the attacker steals hashed user credentials and uses them as-is to try to authenticate to the same network the hashed credentials originated on

A

Pass the Hash

15
Q

What is the name of the hash attack where the attacker obtains user Service Principal Names (SPNs) and then gets a server to dump out the service ticket with the NTLM hash of the requested service account

A

Kerberoasting

16
Q

What is the act of using multiple exploits to form a larger attack

A

Chaining Exploits

17
Q

What company developed Metasploit and what are the 3 versions

A

Rapid7
Metasploit Framework - Free open source CLI
Metasploit Express - simplified commercial version for validation
Metasploit Pro - Full featured GUI with quick start wizards

18
Q

What are two popular GUI spin offs to Metasploit

A

Armitage
Cobalt Strike

19
Q

Name the types by which Metasploit modules are grouped

A

Exploits - attack software that delivers a payload

Payloads - code that runs remotely

Post - Additional tasks you can perform on a compromised host

Auxiliary - scanners, sniffers, fuzzers, spoofers and other non-exploit features.

Encoders - ensures that payloads make it to their destination intact and undetected.

Nops - keeps payload sizes consistent across exploit attempts.

20
Q

What is the most popular payload in Metasploit, and what are its features

A

Meterpreter
Interactive menu-based list of commands you can run on a target during a PenTest exercise

21
Q

What is a CharGEN attack, and what was CharGEN originally intended for

A

A DoS attack that uses CharGEN-generated packets. CharGEN is a legacy protocol that was originally developed as a testing tool

22
Q

Name some other tools that can be used to launch an effective attack

A

Impacket Tools - an open-source collection of tools used when PenTesting in a Windows environment.

Responder - Kali CLI tool used to poison NetBIOS, LLMNR and mDNS name resolution requests

mitm6 - IPv6 hijacking tool that works by replying to DHCPv6 messages and setting the malicious actor's host as the DNS server

23
Q

Where can I find the collection of public exploits and vulnerable software in a searchable database

A

ExploitDB

You can use SearchSploit, found in Kali Linux, to search that database.

24
Q

What is the combination of cloud infrastructure, platform services, and software referred to as

A

Cloud Federation

25
Q

What are dormant VMs and why do they pose a risk

A

A VM that is created and configured for a particular purpose and then shut down, or even left running, without being properly decommissioned. They can be possible entry points.

26
Q

What is the term for an OS virtualization deployment containing everything required to run a service

A

Container

27
Q

What is the term for how users and devices are represented in the organization

A

Identity and Access Management (IAM)

28
Q

What are the two most common malware injection attacks

A

SQL Injection (SQLi)
Cross-Site Scripting (XSS)

29
Q

What type of attack takes advantage of the shared nature of cloud infrastructure, especially in a PaaS model

A

Side-channel attack - AKA sidebar or implementation attack; hardware leaks sensitive info such as crypto keys via a covert channel

30
Q

What type of attack circumvents DDoS protection

A

Direct-to-origin (D2O) attacks circumvent protection by identifying the origin network or IP and then launching a direct attack

31
Q

What is the name of the attack that is specifically designed to steal usernames and passwords

A

Harvesting credentials, via:
Email phishing
Social engineering
MITM
DNS poisoning

32
Q

What is the primary objective of any exploit

A

Privilege escalation. Techniques include:
Security Account Manager - dump the SAM to get hashed passwords
Local UAC - bypass
Weak process permissions
Shared folders
DLL hijacking - weak folder permissions allowing for DLL replacement
Writable services - modify startup parameters
Missing patches / misconfiguration

33
Q

What is the purpose of a Denial of Service (DoS) attack, and name the attack types that focus on crashing the system

A

Resource exhaustion
Amplification or volumetric attacks focus on saturating bandwidth
Denial of sleep - an attack that drains a device's battery
Slow HTTP attack - sends fragmented requests and can stress the server

34
Q

Name the automated cloud vulnerability scanning tools

A

ScoutSuite - written in Python and for multi-cloud; collects data from the cloud using API calls
Prowler - AWS only; benchmarks against CIS plus GDPR and HIPAA compliance
Pacu - designed as an exploitation tool for AWS; uses modules for exploits such as API keys; focuses on the post-compromise phase so a team can drill down into the system to escalate privilege, launch additional attacks, or install a backdoor
Cloud Custodian - open-source cloud security governance and management tool

35
Q

What cookie is native to PHP web applications and enables web apps to store, manage and communicate serialized data

A

PHPSESSID - this is discarded when the browser is closed