Mantaining Access Flashcards
Aprender cosas nuevas
What are backdoords?
Are programs designed to deny or disrupt the operation, gather information that leads to exploitation or loss of privacy.
What are crackers?
Are components of software or programs designed for cracking a code or passwords.
What does do keyloggers?
They record each keystroke made on the computer keyboard.
What does do spywares?
They capture screenshots and send them to a specified location defined by the hacker.
How does software become vulnerable to variuous attacks?
Because developers employ unsecure coding practices.
What is the remote code execution technique “exploitation for client execution”?
Attackers employ vulnerabilities in software through exploitations with an objective of arbitrary code execution.
Can you explain Web-Browser-Based Exploitation and Office-Applications-Based Exploitation?
Attackers target web browsers through spear phishing links and drive-by compromise.
Attackers target common office applications such as Microsoft Office through different variants of spear phishing.
What are system services?
Are programs that run and operate at the backend of an operating system.
Explain the remote code execution technique “service execution”?
Attackers run binary code that use system services such as “service control manager” to mantain access.
What is Windows Management Instrumentation?
Is a feature in Windows administration that provides a platform for accessing windows system resources locally and remotely.
What is Component Object Model (COM)?
windows
Is a Microsoft-developed technology that allows software components to communicate and interact within the same system or across different applications.
Tell port number and explain Distributed Component Object Model (DCOM)
Extends COM.
Is a Microsoft technology that allows software components to communicate over a network. It extends COM (Component Object Model) by enabling applications to interact remotely across different machines.
Port 135.
How attackers interact with Windows Management Instrumentation?
WMI helps attackers gain both local and remote access through WMI remote services such as the Distributed Component Object Model (DCOM) via port 135 and Windows Remote Management (WinRM) via HTTP port 5985 and HTTPS port 5986.
What is Windows remote management?
Is a windows-based protocol designed to allow a user to run an executable file, modify system services, and the registry on a remote system.
How does attackers use the windows remote management for hacking?
They execute a payload on the remote system as part of lateral movement.
Name an application for remote windows administration with admin tools and AD administration tools.
Dameware remote support.
What are the main two types of keystroke loggers?
Hardware keyloggers and software keyloggers.
What is the primary function of a keystroke logger?
Capture and store every keystroke made by a user
A penetration tester installs a device between a victim’s keyboard and computer to capture keystrokes. What type of keystroke logger is being used?
Hardware keylogger
What is a key feature of a software-based keystroke logger?
Can be installed remotely via malware
An attacker installs a keylogger that specifically records keystrokes entered in a web browser. What type of keylogger is this?
Application keylogger
Application keyloggers operate at the application level, targeting specific software like web browsers, office applications, or messaging apps.
What is the primary characteristic of a kernel-based keylogger?
It hooks into the OS kernel to log keystrokes
A keylogger is found embedded within the BIOS of a compromised machine. What is the major security risk of this type of keylogger?
It persists even after reinstalling the operating system
A security researcher finds a malicious keyboard that logs keystrokes before transmitting them wirelessly. What is this attack vector known as?
Keylogger keyboard
A cybercriminal installs a small USB device to capture keystrokes on a victim’s workstation. What type of keylogger is this?
USB keylogger
How does a hypervisor-based keylogger function?
It operates at the virtualization layer to monitor keystrokes
What is the primary limitation of a PS/2 keylogger compared to a USB keylogger?
PS/2 keyloggers require physical installation and cannot be remotely accessed
How does an acoustic keylogger function?
It captures keystrokes based on their sound signature
What is a major risk of Bluetooth keyloggers?
They can transmit captured keystrokes wirelessly over Bluetooth
¿Qué función tiene el módulo lockout_keylogger en Metasploit?
Registrar todas las pulsaciones de teclado incluso cuando el sistema está bloqueado
En una sesión de Meterpreter, ¿qué información proporciona el comando ps?
Lista los procesos en ejecución en el sistema comprometido
Después de comprometer un sistema con Meterpreter, ¿qué información proporciona el comando getpid?
El ID del proceso actual en el que se está ejecutando Meterpreter
¿Cuál es el propósito del comando migrate < pid > en una sesión de Meterpreter?
Mover el payload de Meterpreter a otro proceso en ejecución
¿Qué efecto tiene el comando keyscan_start en una sesión de Meterpreter?
Inicia un keylogger para capturar todas las pulsaciones de teclado en el sistema comprometido
Después de ejecutar keyscan_start, ¿qué hace el comando keyscan_dump en Meterpreter?
Muestra las pulsaciones de teclado capturadas desde que se inició el keylogger
Nombre un keylogger para Windows y Mac
Spyrix y Refog
Menciona un Spyware usado en laboratorio
Spytech SpyAgent y Power Spy
What are Rootkits?
Rootkits are software programs designed to gain access to a computer without being detected. It’s goal is to gain root privileges to a system.
¿Qué función tiene GetFileAttributesExA() en Windows en relación con la detección de rootkits?
GetFileAttributesExA() es una API de Windows utilizada para obtener información sobre los atributos de un archivo. Los rootkits pueden alterar estos atributos para ocultar su presencia en el sistema.
¿Cómo puede la función GetFileInformationByHandle() ser utilizada en la detección de rootkits en Windows?
GetFileInformationByHandle() proporciona detalles sobre archivos abiertos, lo que permite detectar inconsistencias en archivos ocultos por rootkits. Comparar sus resultados con herramientas como dir o ls ayuda a detectar anomalías.
¿Qué utilidad tiene el comando ATTRIB.exe en la identificación de archivos ocultos por rootkits?
ATTRIB.exe permite cambiar y visualizar atributos de archivos, como oculto o de solo lectura. Algunos rootkits establecen atributos de oculto para evitar detección, por lo que este comando puede ser útil para revelar archivos sospechosos.
¿Cuál es la característica principal de un rootkit a nivel de hipervisor (Hypervisor-Level Rootkit)?
Opera en un nivel más bajo que el sistema operativo, controlando su ejecución
¿Qué hace que un rootkit de hardware o firmware sea especialmente peligroso?
Se almacena en el firmware de dispositivos, persistiendo incluso tras reinstalar el sistema operativo
¿Cuál de las siguientes afirmaciones describe mejor a un rootkit a nivel de kernel?
Modifica funciones del kernel para ocultar procesos y archivos maliciosos
¿Qué característica define a un rootkit de nivel de bootloader?
Infecta el sector de arranque del disco duro para ejecutarse antes del sistema operativo
¿Cuál de las siguientes es una técnica utilizada por los rootkits a nivel de aplicación?
Ocultar archivos y procesos dentro de programas legítimos
¿Qué técnica utilizan los rootkits de nivel de biblioteca para ocultar su presencia?
Reemplazan o alteran bibliotecas dinámicas del sistema para interceptar llamadas a funciones
Estos rootkits modifican bibliotecas como ntdll.dll para alterar respuestas de funciones del sistema y ocultar archivos o procesos maliciosos
¿Qué técnica se utiliza en inline system hooking para modificar el comportamiento de funciones del sistema en Windows?
Opciones:
A. Se inyecta código directamente en funciones de la API de Windows para redirigir llamadas
B. Se manipulan estructuras del kernel para modificar permisos de archivos
C. Se utiliza un hipervisor para interceptar todas las llamadas del sistema operativo
D. Se reemplazan ejecutables del sistema con versiones modificadas
Se inyecta código directamente en funciones de la API de Windows para redirigir llamadas
¿Por qué los rootkits suelen manipular las Core System DLLs en Windows?
Porque contienen funciones clave del sistema operativo que pueden ser interceptadas para ocultar actividades maliciosas
Las Core System DLLs, como ntdll.dll y kernel32.dll, contienen funciones esenciales utilizadas por el sistema operativo y las aplicaciones.
¿Qué papel juega kernel32.dll en la ejecución de rootkits en Windows?
Contiene funciones esenciales para la gestión de memoria, procesos y archivos que pueden ser manipuladas por rootkits
¿Qué función tiene ntdll.dll en la ejecución de rootkits?
Proporciona la interfaz entre el espacio de usuario y el kernel en Windows, permitiendo la manipulación de llamadas del sistema
Name a Popular Rootkits
Purple Fox Rootkit (malicious Telegram installer), MoonBounce (malicious code concealed within UEFI firmware in the SPI flash)
What is UEF?
Unified Extensible Firmware Interface (UEFI) is a specification for a software program that connects a computer’s firmware to its operating system.
What makes Demodex Rootkit special?
Allows attackers to retain access to the victim device even after the OS is reinstalled.
What is NTFS?
New Technology File System is a file system that Microsoft developed for Windows operating systems.
What is NTFS ADS?
Allows users to attach a second data stream to a file, which is invisible to most applications and users. Allows an attacker to inject malicious code.
How attackers take advantage of NTFS ADS?
After an ADS file is attached to the original file, the size of the original file does not change.
What is Steganography?
Is a technique of hiding a secret message within an ordinary message and extracting it at the destionation to matain confiedntiality of data.
What is Whitespace Steganography?
Used to conceal messages in ASCII text by adding whitespaces to the ends of the lines.
What makes this code:
snow [ -CQS ] [ -p passwd ] [ -l line-len ] [ -f file | -m message ] [ infile [ outfile ]]
Hide messages in a text file using Snow.
How image file steganography Least-Sgnificant-Bit Insertion is made?
The least significant bit (LSB) of each pixel helps hold secret data. The LSB doesn not reult in a visible difference.
What is masking image steganography?
Adjust the liminosity and opacity of the image to hide secret messages.
What is algorithms and transformation image steganography?
Involves hiding secret information during image compression.
What are registry run keys?
Windows has registry keys that define programs that execute at startup or upon user login.
What is the startup folder?
Is a folder on a computer that contains programs that run when the computer starts.
Name one of the two methods used for abusing boot or logon autostart execution.
Registry Run Keys, Startup Folder
How does attackers use registry run keys for privilege escalation?
Attackers can conduct persistence attacks or privilege escalation if they identify a service with all the necessary permissions that is connected with the registry key. When any authorized user attempts to log in, the service link associated with the registry runs automatically.
How does attackers ennumerate assign permissions for registry run keys privilege escalation?
Attackers can use the WinPEAS script to search for the possible paths that can be leveraged to perform privilege escalation within Windows.winPEASx64.exe quiet applicationinfo
Name one of two methods used for ennumerate permissions for Startup Folder privilege escalation.
*icacls:
~~~
icacls Menu\Programs\Startup”
~~~
*accesschk.exe (part of Sysinternals):
~~~
accesschk.exe /accepteula “C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup”
~~~
What is domain dominance?
Taking control over critical assets such as domain controllers through social engineering techniques.
What is remote code execution?
Attackers attempt to execute malicious code on the target domain controller through CLI to launch a domain dominance attack.
What is WMIC?
How does attackers do for remote code executing using WMI?
Create a dummy process and user on the target DC using WMIwmic /node:<DomaincontrollerName> process call create "net user /add PiratedProcess Du^^Y01"
Once the use is created, add the user to the “Admins” group.PsExec.exe \\< DomaincontrollerName> -accepteula net localgroup "Admins" PiratedProcess /add
What is DPAPI?
DPAPI (Data Protection API) is a built-in Windows encryption mechanism that allows applications and users to securely store and retrieve sensitive data like passwords, encryption keys, and credentials.
DPAPI is a unified location in Windows environments where all the cryptographically secured files, passwords of browsers, and other critical data are stored. Windows domain controllers (DCs) contain a master key to decrypt DPAPI-protected files.
Command to recover the master key using the password of a compromised use using mimikatz:
dpapi::masterkey /in:"C:\Users\spotless.OFFENSE\AppData\Roaming\Microsoft\Protect\ S-1-5-21-2552734371-813931464-1050690807-1106\3e90dd9e-f901-40a1-b691-84d7f647b8fe" /sid:S-1-5-21-2552734371-813931464-1050690807-1106 /password:******* /protected
Retrieve all local master keys with compromised admin credentials
sekurlsa::dpapi
Retrieve all backup master keys
lsadump::backupkeys /system:dc01.offense.local /export
What the hell is krbtgt?
The krbtgt (Kerberos Ticket Granting Ticket) account is a critical system account in Active Directory (AD) used by the Kerberos authentication protocol. This account encrypts and signs all Kerberos tickets within the domain.
What is malicious replication?
It enables attackers to create an exact copy of user data using the admin credentials.
Attackers often attempt to replicate sensitive accounts such as “krbtgt”
How to attempt malicious replication using mimikatz?
Invoke-Mimikatz -command '"lsadump::dcsync /domain:<Target Domain> /user:<krbtgt>\<Any Domain User>" Module
What is skeleton key attack?
Is a form of malware that attackers use to inject face credentials into domain controllers to create a backdoor password.
It is a memory-resident virus that enables an attacker to obtain a master password to validate themselves as a legitimate user in the domain
Copyright.
This attack necessitates domain administrator rights and DC access.
Execute skeleton key attack using mimikatz
Invoke-Mimikatz -Command '"privilege::debug" "misc::skeleton"' - <target domain controller name>
What in the world is LSASS?
LSASS (Local Security Authority Subsystem Service) is a critical Windows process responsible for handling authentication, security policies, and user logins. It manages sensitive information like password hashes, Kerberos tickets, and NTLM credentials.
What is the Empire tool?
Empire is a post-exploitation and command & control (C2) framework used by red teams and attackers for maintaining access on compromised systems. It provides stealthy remote access, PowerShell execution, and lateral movement capabilities.
