Lesson 9 - Exploiting the LAN and Cloud Flashcards
Once you have scanned for vulnerabilities, what is the next step in the attack phase?
Establish a connection by enumerating open ports, services and AD objects
What service and ports does a Microsoft OS use for file and print services?
Server Message Block (SMB) protocol via TCP port 139 or 445
What service and ports do Linux hosts use for file sharing?
Network File System (NFS) daemon using TCP and UDP 2049
Name two tools for launching attacks and enumerating network shares
Metasploit
ShareEnum (Sysinternals) - most effective from a domain admin account
What native tools inside of Windows can be used for enumerating Windows hosts?
net view
arp -a
net user
ipconfig /displaydns
Describe the structure of Windows AD
From top down:
Forest
Tree
Domain
Sub Domain
Organizational Units (OU)
What are some of the PowerShell cmdlets available for enumeration?
Get-NetDomain
Get-NetLoggedon
Get-NetGroupMember
Within Linux, what are some of the Bash commands for enumeration?
finger - user's home directory, login time
cat /etc/passwd - list all users on the system
uname -a - OS name and version
env - output a list of all the environment variables
What is the name of the attack on a switch's MAC table that makes it behave like a hub, repeating all frames out all ports?
Macof attack
What is an On-Path attack where the malicious actor sits between the web client and server, creates an HTTPS session with the server, then forces the client to accept it?
SSL/TLS downgrading/stripping
What is a key requirement for an On-Path attack to be successful?
Either a spoofing or a cache poisoning strategy, such as:
DNS Cache Poisoning
ARP Spoofing
MAC Address Spoofing
Name two name resolution services (not DNS) in a Windows environment used to resolve network addresses
LLMNR is tried first, and then
NetBIOS Name Service (NBT-NS)
What is the command line tool used to poison responses to NetBIOS, LLMNR and mDNS resolution requests?
Responder
What is the network-based attack where the attacker steals hashed user credentials and uses them as-is to try to authenticate to the same network the hashed credentials originated on?
Pass the Hash
What is the name of the hash attack where the attacker obtains user Service Principal Names (SPNs) and then gets a server to dump out the service ticket containing the NTLM hash of the requested service account?
Kerberoasting
What is the act of using multiple exploits to form a larger attack?
Chaining Exploits
What company developed Metasploit, and what are the 3 versions?
Rapid7
Metasploit Framework - Free open source CLI
Metasploit Express - simplified commercial version for validation
Metasploit Pro - Full featured GUI with quick start wizards
What are two popular GUI spin-offs of Metasploit?
Armitage
Cobalt Strike
Name the types that Metasploit modules are grouped by
Exploits - attack software that delivers a payload
Payloads - code that runs remotely
Post - Additional tasks you can perform on a compromised host
Auxiliary - scanners, sniffers, fuzzers, spoofers and other non-exploit features.
Encoders - ensures that payloads make it to their destination intact and undetected.
Nops - keeps payload sizes consistent across exploit attempts.
What is the most popular payload in Metasploit, and what are its features?
Meterpreter
Interactive menu-based list of commands you can run on a target during a PenTest exercise
What is a CharGEN attack, and what was CharGEN originally intended for?
Useful for generating packets for a DoS attack. CharGEN is a legacy protocol that was developed as a testing tool.
Name some other tools that can be used to launch an effective attack
Impacket Tools - an open-source collection of tools used when PenTesting in a Windows environment.
Responder - Kali CLI tool used to poison NetBIOS, LLMNR and mDNS name resolution requests
mitm6 - IPv6 hijacking tool that works by replying to DHCPv6 messages and setting the malicious actor as the DNS server
Where can I find the collection of public exploits and vulnerable software in a searchable database?
ExploitDB
You can use SearchSploit, found in Kali Linux, to search that database.
What is the combination of cloud infrastructure, platform services, and software referred to as?
Cloud Federation
What are dormant VMs, and why do they pose a risk?
A VM that is created and configured for a particular purpose and then shut down, or even left running, without being properly decommissioned. They can be possible entry points.
What is the term for an OS virtualization deployment containing everything required to run a service?
Container
What is the term for how users and devices are represented in the organization?
Identity and Access Management (IAM)
What are the two most common malware injection attacks?
SQL Injection (SQLi)
Cross Site Scripting (XSS)
What type of attack takes advantage of the shared nature of cloud infrastructure, especially in a PaaS model?
Side-channel attack (AKA sidebar or implementation attack)
hardware leaks sensitive info such as crypto keys via a covert channel
What type of attack circumvents DDoS protection?
Direct-to-origin attacks (D2O) circumvent protection by identifying the origin network or IP and then launching a direct attack
What is the name of the attack that is specifically designed to steal usernames and passwords?
Harvesting Credentials
Email Phishing
Social Engineering
MITM, DNS Poisoning
What is the primary objective of any exploit?
Privilege Escalation
Security Account Manager - Dump SAM to get hashed password
Local UAC bypass
Weak Process permissions
Shared Folders
DLL Hijacking - weak folder permissions allowing for DLL replacement.
Writable Services - modify startup parameters
Missing Patches/Misconfiguration
What is the purpose of a Denial of Service (DoS) attack, and what are the attack types that focus on crashing the system?
Resource Exhaustion
Amplification or volumetric attacks focus on saturating bandwidth
Denial of Sleep - attack that drains a device's battery
A slow HTTP attack sends fragmented requests and can stress the server.
Name the automated cloud vulnerability scanning tools
ScoutSuite - written in Python and multi-cloud. Collects data from the cloud using API calls
Prowler - AWS only; benchmarks against CIS plus GDPR and HIPAA compliance.
Pacu - designed as an exploitation tool for AWS. Uses modules for exploits such as API keys. Focuses on post-compromise phase so a team can drill down into the system to escalate privilege, launch additional attacks, or install a backdoor
Cloud Custodian - Open Source cloud security Governance and management tool.
What cookie is native to PHP web applications and enables web apps to store, manage and communicate serialized data?
PHPSESSID
This is discarded when the browser is closed