Maintaining Access Flashcards

Learn new things

1
Q

What are backdoors?

A

They are programs designed to deny or disrupt operation, or to gather information that leads to exploitation or loss of privacy.

2
Q

What are crackers?

A

They are software components or programs designed for cracking a code or passwords.

3
Q

What do keyloggers do?

A

They record each keystroke made on the computer keyboard.

4
Q

What does spyware do?

A

They capture screenshots and send them to a specified location defined by the hacker.

5
Q

How does software become vulnerable to various attacks?

A

Because developers employ insecure coding practices.

6
Q

What is the remote code execution technique “exploitation for client execution”?

A

Attackers exploit vulnerabilities in software with the objective of arbitrary code execution.

7
Q

Can you explain Web-Browser-Based Exploitation and Office-Applications-Based Exploitation?

A

Attackers target web browsers through spear phishing links and drive-by compromise.

Attackers target common office applications such as Microsoft Office through different variants of spear phishing.

8
Q

What are system services?

A

They are programs that run and operate in the backend of an operating system.

9
Q

Explain the remote code execution technique “service execution”.

A

Attackers run binary code that uses system services such as the “service control manager” to maintain access.

10
Q

What is Windows Management Instrumentation?

A

It is a Windows administration feature that provides a platform for accessing Windows system resources locally and remotely.

11
Q

What is Component Object Model (COM)?

windows

A

It is a Microsoft-developed technology that allows software components to communicate and interact within the same system or across different applications.

12
Q

Give the port number and explain Distributed Component Object Model (DCOM).

Extends COM.

A

It is a Microsoft technology that allows software components to communicate over a network. It extends COM (Component Object Model) by enabling applications to interact remotely across different machines.
Port 135.

13
Q

How do attackers interact with Windows Management Instrumentation?

A

WMI helps attackers gain both local and remote access through WMI remote services such as the Distributed Component Object Model (DCOM) via port 135 and Windows Remote Management (WinRM) via HTTP port 5985 and HTTPS port 5986.

14
Q

What is Windows Remote Management?

A

It is a Windows-based protocol designed to allow a user to run an executable file, modify system services, and modify the registry on a remote system.

15
Q

How do attackers use Windows Remote Management for hacking?

A

They execute a payload on the remote system as part of lateral movement.

16
Q

Name an application for remote Windows administration that includes admin tools and AD administration tools.

A

Dameware Remote Support.

17
Q

What are the main two types of keystroke loggers?

A

Hardware keyloggers and software keyloggers.

18
Q

What is the primary function of a keystroke logger?

A

Capture and store every keystroke made by a user.

19
Q

A penetration tester installs a device between a victim’s keyboard and computer to capture keystrokes. What type of keystroke logger is being used?

A

Hardware keylogger

20
Q

What is a key feature of a software-based keystroke logger?

A

Can be installed remotely via malware

21
Q

An attacker installs a keylogger that specifically records keystrokes entered in a web browser. What type of keylogger is this?

A

Application keylogger
Application keyloggers operate at the application level, targeting specific software like web browsers, office applications, or messaging apps.

22
Q

What is the primary characteristic of a kernel-based keylogger?

A

It hooks into the OS kernel to log keystrokes

23
Q

A keylogger is found embedded within the BIOS of a compromised machine. What is the major security risk of this type of keylogger?

A

It persists even after reinstalling the operating system

24
Q

A security researcher finds a malicious keyboard that logs keystrokes before transmitting them wirelessly. What is this attack vector known as?

A

Keylogger keyboard

25
A cybercriminal installs a small USB device to capture keystrokes on a victim’s workstation. What type of keylogger is this?
USB keylogger
26
How does a hypervisor-based keylogger function?
It operates at the virtualization layer to monitor keystrokes
27
What is the primary limitation of a PS/2 keylogger compared to a USB keylogger?
PS/2 keyloggers require physical installation and cannot be remotely accessed
28
How does an acoustic keylogger function?
It captures keystrokes based on their sound signature
29
What is a major risk of Bluetooth keyloggers?
They can transmit captured keystrokes wirelessly over Bluetooth
30
What does the lockout_keylogger module do in Metasploit?
Logs all keystrokes even when the system is locked
31
In a Meterpreter session, what information does the ps command provide?
Lists the processes running on the compromised system
32
After compromising a system with Meterpreter, what information does the getpid command provide?
The ID of the current process in which Meterpreter is running
33
What is the purpose of the migrate < pid > command in a Meterpreter session?
Move the Meterpreter payload to another running process
34
What effect does the keyscan_start command have in a Meterpreter session?
Starts a keylogger to capture all keystrokes on the compromised system
35
After running keyscan_start, what does the keyscan_dump command do in Meterpreter?
Shows the keystrokes captured since the keylogger was started
36
Name a keylogger for Windows and Mac
Spyrix y Refog
37
Name a spyware used in the lab
Spytech SpyAgent y Power Spy
38
What are Rootkits?
Rootkits are software programs designed to gain access to a computer without being detected. Their goal is to gain root privileges on a system.
39
What role does GetFileAttributesExA() play on Windows in relation to rootkit detection?
GetFileAttributesExA() is a Windows API used to obtain information about a file's attributes. Rootkits can alter these attributes to hide their presence on the system.
40
How can the GetFileInformationByHandle() function be used for rootkit detection on Windows?
GetFileInformationByHandle() provides details about open files, which makes it possible to detect inconsistencies in files hidden by rootkits. Comparing its results with tools such as dir or ls helps detect anomalies.
41
How is the ATTRIB.exe command useful for identifying files hidden by rootkits?
ATTRIB.exe allows viewing and changing file attributes, such as hidden or read-only. Some rootkits set the hidden attribute to avoid detection, so this command can be useful for revealing suspicious files.
42
What is the main characteristic of a hypervisor-level rootkit?
It operates at a level below the operating system, controlling its execution
43
What makes a hardware or firmware rootkit especially dangerous?
It is stored in device firmware, persisting even after the operating system is reinstalled
44
Which of the following statements best describes a kernel-level rootkit?
It modifies kernel functions to hide malicious processes and files
45
What characteristic defines a bootloader-level rootkit?
It infects the boot sector of the hard disk so that it runs before the operating system
46
Which of the following is a technique used by application-level rootkits?
Hiding files and processes inside legitimate programs
47
What technique do library-level rootkits use to hide their presence?
They replace or alter the system's dynamic libraries to intercept function calls. These rootkits modify libraries such as ntdll.dll to alter the responses of system functions and hide malicious files or processes.
48
What technique is used in inline system hooking to modify the behaviour of system functions on Windows?
Options:
A. Code is injected directly into Windows API functions to redirect calls
B. Kernel structures are manipulated to modify file permissions
C. A hypervisor is used to intercept all operating system calls
D. System executables are replaced with modified versions
Code is injected directly into Windows API functions to redirect calls
49
Why do rootkits usually manipulate the Core System DLLs on Windows?
Because they contain key operating system functions that can be intercepted to hide malicious activity. The Core System DLLs, such as ntdll.dll and kernel32.dll, contain essential functions used by the operating system and applications.
50
What role does kernel32.dll play in rootkit execution on Windows?
It contains essential functions for memory, process and file management that can be manipulated by rootkits
51
What role does ntdll.dll play in rootkit execution?
It provides the interface between user space and the kernel on Windows, allowing system calls to be manipulated
52
Name some popular rootkits
Purple Fox Rootkit (malicious Telegram installer), MoonBounce (malicious code concealed within UEFI firmware in the SPI flash)
53
What is UEFI?
Unified Extensible Firmware Interface (UEFI) is a specification for a software program that connects a computer's firmware to its operating system.
54
What makes Demodex Rootkit special?
Allows attackers to retain access to the victim device even after the OS is reinstalled.
55
What is NTFS?
New Technology File System is a file system that Microsoft developed for Windows operating systems.
56
What is NTFS ADS?
Allows users to attach a second data stream to a file, which is invisible to most applications and users. Allows an attacker to inject malicious code.
57
How do attackers take advantage of NTFS ADS?
After an ADS file is attached to the original file, the size of the original file does not change.
58
What is Steganography?
It is a technique of hiding a secret message within an ordinary message and extracting it at the destination to maintain the confidentiality of data.
59
What is Whitespace Steganography?
It is used to conceal messages in ASCII text by adding whitespace to the ends of lines.
60
What does this command do: `snow [ -CQS ] [ -p passwd ] [ -l line-len ] [ -f file | -m message ] [ infile [ outfile ]]`
Hide messages in a text file using Snow.
61
How is Least-Significant-Bit Insertion image file steganography done?
The least significant bit (LSB) of each pixel is used to hold secret data. Changing the LSB does not result in a visible difference.
62
What is masking image steganography?
Adjusts the luminosity and opacity of the image to hide secret messages.
63
What is algorithms-and-transformation image steganography?
Involves hiding secret information during image compression.
64
What are registry run keys?
Windows has registry keys that define programs that execute at startup or upon user login.
65
What is the startup folder?
It is a folder on a computer that contains programs that run when the computer starts.
66
Name one of the two methods used for abusing boot or logon autostart execution.
Registry Run Keys, Startup Folder
67
How do attackers use registry run keys for privilege escalation?
Attackers can conduct persistence attacks or privilege escalation if they identify a service with all the necessary permissions that is connected with the registry key. When any authorized user attempts to log in, the service link associated with the registry runs automatically.
68
How do attackers enumerate assigned permissions for registry run key privilege escalation?
Attackers can use the WinPEAS script to search for the possible paths that can be leveraged to perform privilege escalation within Windows. `winPEASx64.exe quiet applicationinfo`
69
Name one of the two methods used to enumerate permissions for Startup Folder privilege escalation.
* icacls: `icacls Menu\Programs\Startup"`
* accesschk.exe (part of Sysinternals): `accesschk.exe /accepteula "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"`
70
What is domain dominance?
Taking control over critical assets such as domain controllers through social engineering techniques.
71
What is remote code execution?
Attackers attempt to execute malicious code on the target domain controller through CLI to launch a domain dominance attack.
72
What is WMI?
Windows Management Instrumentation (WMI) is a set of tools that allows users to manage Windows operating systems. It provides access to information about the status of local and remote computers.
73
What is WMIC?
The Windows Management Instrumentation Command-line (WMIC) utility is a command-line interface for working with Windows Management Instrumentation (WMI), a framework for managing data and operations on a Windows computer.
74
How do attackers perform remote code execution using WMI?
Create a dummy process and user on the target DC using WMI: `wmic /node: process call create "net user /add PiratedProcess Du^^Y01"`
Once the user is created, add the user to the "Admins" group: `PsExec.exe \\< DomaincontrollerName> -accepteula net localgroup "Admins" PiratedProcess /add`
75
What is DPAPI?
DPAPI (Data Protection API) is a built-in Windows encryption mechanism that allows applications and users to securely store and retrieve sensitive data like passwords, encryption keys, and credentials. DPAPI is a unified location in Windows environments where all the cryptographically secured files, passwords of browsers, and other critical data are stored. Windows domain controllers (DCs) contain a master key to decrypt DPAPI-protected files.
76
Explain: ` dpapi::masterkey /in:"C:\Users\spotless.OFFENSE\AppData\Roaming\Microsoft\Protect\ S-1-5-21-2552734371-813931464-1050690807-1106\3e90dd9e-f901-40a1-b691-84d7f647b8fe" /sid:S-1-5-21-2552734371-813931464-1050690807-1106 /password:******* /protected `
Footnote: recover the master key
✔ Decrypts a DPAPI Master Key from the specified file.
✔ Uses the user's Security Identifier (SID) and password to unlock the Master Key.
✔ Allows access to all DPAPI-encrypted secrets, such as saved passwords, browser credentials, and private keys for that user.
✔ "Protected" mode ensures that additional decryption layers are handled properly (useful for protected DPAPI blobs).
77
Retrieve all local master keys with compromised admin credentials
`sekurlsa::dpapi`
78
Explain: ` lsadump::backupkeys /system:dc01.offense.local /export `
Footnote: backup master keys
✔ Extracts DPAPI backup keys from the specified Domain Controller (dc01.offense.local).
✔ Allows decryption of DPAPI-protected secrets, including browser passwords, saved credentials, and private keys of users in the domain.
✔ Stealthy attack – if an attacker gains these keys, they can decrypt any DPAPI-encrypted data across the domain.
✔ Requires high privileges (e.g., Domain Admin or equivalent).
79
What the hell is krbtgt?
The krbtgt (Kerberos Ticket Granting Ticket) account is a critical system account in Active Directory (AD) used by the Kerberos authentication protocol. This account encrypts and signs all Kerberos tickets within the domain.
80
What is malicious replication?
It enables attackers to create an exact copy of user data using admin credentials. Attackers often attempt to replicate sensitive accounts such as “krbtgt”.
81
Explain: ` Invoke-Mimikatz -command '"lsadump::dcsync /domain: /user:\" Module `
Footnote: replication using mimikatz
✔ Performs a DCSync attack – asks the Domain Controller to replicate password hashes as if it were another DC.
✔ Extracts NTLM hashes of the target user (krbtgt or any other domain user).
✔ If krbtgt is targeted, attackers can forge Golden Tickets for persistent domain admin access.
✔ Stealthy attack – does not require code execution on the DC, only replication privileges (like Domain Admin or DCSync rights).
82
What is a skeleton key attack?
It is a form of malware that attackers use to inject fake credentials into domain controllers to create a backdoor password. It is a memory-resident virus that enables an attacker to obtain a master password to validate themselves as a legitimate user in the domain. This attack requires domain administrator rights and DC access.
83
Explain: ` Invoke-Mimikatz -Command '"privilege::debug" "misc::skeleton"' - `
Footnote: execute skeleton key attack using mimikatz
✔ Loads Mimikatz and enables debug privileges (privilege::debug).
✔ Activates the Skeleton Key attack (misc::skeleton).
✔ Injects a universal master password ("skeleton key") into LSASS on the target Domain Controller.
✔ Allows attackers to log in as any user using the master password while keeping real credentials intact.
✔ Persists until the DC is rebooted or LSASS is restarted.
84
What in the world is LSASS?
LSASS (Local Security Authority Subsystem Service) is a critical Windows process responsible for handling authentication, security policies, and user logins. It manages sensitive information like password hashes, Kerberos tickets, and NTLM credentials.
85
What is the Empire tool?
Empire is a post-exploitation and command & control (C2) framework used by red teams and attackers for maintaining access on compromised systems. It provides stealthy remote access, PowerShell execution, and lateral movement capabilities.
86
What is the golden ticket attack?
A golden ticket attack is a post-exploitation technique used by attackers to gain complete control over the entire Active Directory (AD).
87
Explain the steps to carry out a Golden Ticket attack
1. Gather the domain name and SID, then impersonate the privileged user.
2. Attacker steals the KRBTGT password hash.
3. Forges a TGS ticket.
4. Sends a forged TGS request.
5. TGS response.
6. Attacker accesses resources as a legitimate user.
88
What is SAM?
The Security Account Manager (SAM) is a Windows database that stores local user accounts and password hashes. It is a critical part of Windows authentication and is used to validate user logins.
89
Explain the steps to carry out a Silver Ticket attack
1. Gather the domain name and SID, then impersonate the privileged user.
2. Extract the service account's NTLM hashes.
3. Create a forged TGS ticket.
4. Forged TGS + NTLM.
5. Access the resource as a legitimate user.
90
What is AdminSDHolder?
It is an Active Directory object that protects highly privileged user accounts and groups against accidental modifications of their security permissions.
91
What is SDProp?
Security Descriptor Propagation is the process that runs every 60 minutes to reset permissions on protected accounts/groups.
92
What is an ACL?
An Access Control List defines who can do what on an object in Active Directory. Each object (users, groups, OUs, etc.) has an ACL that contains Access Control Entries (ACEs).
93
Define each ACL permission in AD:
1. GenericAll
2. GenericWrite
3. WriteDACL
4. WriteOwner
5. ReadProperty
6. WriteProperty
1. GenericAll > Full control (read/write/delete)
2. GenericWrite > Modify object attributes
3. WriteDACL > Modify ACLs (change permissions)
4. WriteOwner > Change ownership of the object
5. ReadProperty > Read object attributes
6. WriteProperty > Modify specific properties
94
Can you explain the purpose of this command: ` Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName Martin -Verbose -Rights All `
Footnote: AdminSDHolder
✔ Gives full control (All permissions) to the user Martin over AdminSDHolder in Active Directory.
✔ This means Martin will inherit control over all protected accounts, including Domain Admins.
✔ Used for persistence: even if Martin’s permissions are removed elsewhere, SDProp will reapply them every 60 minutes.
✔ Dangerous in attacks – this can be exploited to maintain admin access stealthily.
95
How do hackers maintain persistence using a WMI event subscription?
They create a WMI event subscription that triggers a program (ethicalhacker.exe) to run automatically when the system experiences a performance change.
96
How do hackers maintain persistence using Wmi-Persistence?
Attackers also use Wmi-Persistence, a PowerShell script, to perform WMI event subscriptions and acquire persistence. It supports various triggers such as Startup, Logon, Interval, and Timed, and allows attackers to perform functions such as the installation, review, and removal of the WMI events.
97
Give 4 examples of malware
Trojans, backdoors, rootkits, ransomware, adware, viruses, worms, spyware, botnets, crypters
98
Give 6 different ways for malware to enter a system
1. Instant messenger applications
2. Portable hardware media/removable devices
3. Browser and email software bugs
4. Insecure patch management
5. Rogue/decoy applications
6. Untrusted sites and freeware web applications/software
7. Downloading files from the internet
8. Email attachments
9. Network propagation
10. File sharing devices (NetBIOS, FTP, SMB)
11. Installation by other malware
12. Bluetooth and wireless networks