Lesson 9 - Exploiting the LAN and Cloud Flashcards
Once you have scanned for vulnerabilities what is the next step in the attack phase
Establish a connection by Enumerating Open Ports, Services and AD Objects
What are the services and ports that Microsoft OS uses for File and Print Services
Server Message Block (SMB) protocol via TCP port 139 or 445
What is the service and ports that Linux hosts use for file sharing
Network File System (NFS) daemon using TCP and UDP 2049
Name tools for launching attacks and enumerating network shares
Metasploit
ShareEnum - Sysinternals - most effective from domain admin account
What native tools inside of Windows can be used for enumerating Windows hosts
net view
arp -a
net user
ipconfig /displaydns
Describe the structure of Windows AD
From Top Down
Forest
Tree
Domain
Sub Domain
Organizational Units (OU)
What are some of the PowerShell cmdlets available for enumeration
Get-NetDomain
Get-NetLoggedon
Get-NetGroupMember
Within Linux, what are some of the Bash commands for enumerating
finger - user's home directory, login time
cat /etc/passwd - list all users on the system
uname -a - OS name and version
env - output a list of all the environmental variables
What is the name of the attack on a MAC table on a switch so that it behaves like a hub, repeating all frames out all ports
Macof attack
What is the On-Path attack where the malicious actor sits between the web client and server, creates an HTTPS session with the server, and then forces the client to accept that
SSL/TLS downgrading/stripping
What is a key requirement for an On-Path attack to be successful
Getting traffic redirected through the attacker, by using either a spoofing or cache-poisoning strategy such as
DNS Cache Poisoning
ARP Spoofing
MAC Address Spoofing
Name two name resolution services (not DNS) in a Windows environment to resolve network addresses
LLMNR is tried first, and then
NetBIOS Name Services (NBT-NS)
What is the command-line tool used to poison responses to NetBIOS, LLMNR and mDNS resolution requests
Responder
What is the network-based attack where the attacker steals hashed user credentials and uses them as-is to try to authenticate to the same network the hashed credentials originated on
Pass the Hash
What is the name of the hash attack where the attacker obtains user Service Principal Names (SPNs) and then gets a server to dump out the service ticket containing the NTLM hash of the requested service account
Kerberoasting
What is the act of using multiple exploits to form a larger attack
Chaining Exploits
What company developed Metasploit and what are the 3 versions
Rapid7
Metasploit Framework - Free open source CLI
Metasploit Express - simplified commercial version for validation
Metasploit Pro - Full featured GUI with quick start wizards
What are two popular GUI spin offs to Metasploit
Armitage
Cobalt Strike
Name the types that Metasploit modules are grouped by
Exploits - attack software that delivers a payload
Payloads - code that runs remotely
Post - Additional tasks you can perform on a compromised host
Auxiliary - scanners, sniffers, fuzzers, spoofers and other non-exploit features.
Encoders - ensures that payloads make it to their destination intact and undetected.
Nops - keeps payload sizes consistent across exploit attempts.
What is the most popular payload in Metasploit and describe the features
Meterpreter
Interactive menu-based list of commands you can run on a target during a PenTest exercise
What is a CharGEN attack, and what was CharGEN originally intended for
An attack that uses CharGEN packets for a DoS attack. CharGEN is a legacy protocol that was originally developed as a testing tool
Name some other Tools that can be used to launch an effective attack
Impacket Tools - an open-source collection of tools used when PenTesting in a Windows environment.
Responder - Kali CLI tool used to poison NetBIOS, LLMNR and mDNS name resolution requests
mitm6 - IPv6 hijacking tool that works by replying to DHCPv6 messages and setting the malicious actor's host as the DNS server
Where can I find the collection of public exploits and vulnerable software in a searchable database
ExploitDB
You can use SearchSploit, found in Kali Linux, to search that database
What is the combination of cloud infrastructure, platform services, and software referred to as
Cloud Federation