Mod 14 Flashcards
PORT 445
SMB Direct | TCP
WINDOWS HASH:
___ - A secure asymmetric algorithm. Passwords up to 256 characters (all ASCII characters, 211 unique characters).
NT LAN Manager (NTLM) Hash
NETCAT Options:
__ = Help; provides all options
-h
PAYLOAD TYPES:
___ - Opens a port on the target system and listens for incoming connections. The attacker initiates the connection (call-in) to the target. Firewalls often block the connection.
Bind TCP
___ gathers information about a target of interest without actually probing the target.
Passive Analysis
Syntax for Nikto
nikto -host
- host = specific target host
- H = list all options
PORT 110
POP3 | TCP
___ ties directly into the target development aspect of the Target Research/SIGINT Analysis Module.
Information Gathering
___ - Designed to target a specific vulnerability in an application. Most common method of execution in use is the Buffer Overflow.
Code-Based Exploit
Active Exploitation skills are also employed in the civilian sector by network security professionals who perform ___.
Penetration Tests (pentests)
SCAN EXTENSIONS:
___ = Version detection communicates with ports to determine what is actually running.
-sV
___ is a technique that involves connecting to common applications on a target host to identify the version of the running applications. Can be done using Nmap, Telnet, and Netcat.
Banner Grabbing
PORT 513
RLOGIN | TCP
PAYLOAD TYPES:
Staged systems:
___ - Fully functional remote shell loaded by the Stager. Offers the availability to run commands on the target system through a remote shell.
Stage (s1)
NETCAT Options:
__ = Indicates verbose details; it only reports open ports.
-v
___ is a command used to generate and output various types of shellcode payloads. Used for standalone custom payloads, used outside of Metasploit framework.
msfpayload
HOST DISCOVERY:
___ = Disable host discovery. Does not ping hosts at all before scanning them; allows scanning of networks through firewalls that block ICMP.
-Pn
PORT 3389
RDP | TCP
PORT 53
DNS | TCP & UDP
Exploits used through ___ do not use encryption, so when traversing a hop the exploit and payload are vulnerable to exposure and capture.
Satellite Hops
Linux:
Syntax for ping with record route.
ping -R
-R = invokes record route option
United States Code (USC)
Title 18 ___ - Stored Wire and Electronic Communications and Transactional Records Access. Unlawful Access to Stored Communications.
Title 18 USC 2701
Cisco IOS Passwords:
Type 7 is ___ and type 5 is ___.
Symmetric
Asymmetric
NETCAT Options:
__ = Reports all responses within the range
-vv
OS: Linux
Example: CentOS, Kali
TTL: ___
TTL = 64
UNIX/Linux hashes are stored in the ___ file.
/etc/shadow
NORMAL PROGRAM EXECUTION:
___ - When a program needs to perform a specific procedure, the program’s main routine calls out to a subroutine.
Function Call
PORT 80
HTTP | TCP
The ___ program is the purpose of the exploit. It gets execution from the NOP sled and provides access to interact with the OS across the network.
Payload
___ is available in most Unix/Linux variations and can perform zone transfers. ___ takes IP addresses or server names as arguments.
dig
PORT 135
RPC | TCP
United States Code (USC)
Title 18 ___ - Fraud and Related Activity in Connection with Computers.
Title 18 USC 1030
___ uses UDP by default for traceroutes.
UNIX/Linux
METERPRETER COMMANDS:
___ - List running processes.
ps
Common tools for online password cracking include: ___ and ___.
THC Hydra
L0phtCrack
PORT 138
NetBios Datagram | UDP
PORT 3306
MYSQL | TCP
The ___ parameter is set to the target IP address where the payload is running (these options may change when using tunnels).
RHOST
Three types of traceroute are:
ICMP, UDP, TCP
___ includes activities taken to minimize the exploitation footprint in a target network, discovering and documenting information about targets of interest, and remaining undetectable by using obfuscation techniques.
Tradecraft
SCANLINE Options:
- n =
- b =
- p =
- t =
- u =
- z =
- ? =
SCANLINE Options:
- n = No port scanning
- b = Get port banners
- p = Do not ping before scanning
- t = TCP ports to scan
- u = UDP ports to scan
- z = Randomize IP and port scan order
- ? = Help
United States Code (USC)
Title 18 ___ - Fraud and Related Activity in Connection with Access Devices.
Title 18 USC 1029
METERPRETER COMMANDS:
___ - Displays target system information.
sysinfo
Metasploit Module Categories:
___ - Contains code that exploits run on targets, such as command shell access.
Payloads
A small assembly program called ___ makes up the payload.
shellcode
Ports:
6667 = ___
Linux
___ is an extremely versatile tool designed for network and password auditing. Uses dictionary and brute force BUT also uses cryptanalysis attacks to break hashing schemes.
Cain and Abel
The ___ modernised US cybercrime legislation and mandates life sentences for offenders who knowingly or recklessly cause or attempt to cause the death of others by attacking transportation systems, power companies, or other public services or utilities.
Cyber Security Enhancement Act of 2002
Metasploit Module Categories:
___ - Contains advanced scanners and server modules.
Auxiliary
PORT 111
SunRPC PORTMAPPER | TCP
NETCAT Options:
__ = No DNS resolution
-n
___ is an offline password cracker. Its primary configuration file is located at /etc/john.conf.
John the Ripper
TIMING:
__ - __ = Default scanning method. Runs as quickly as possible without overloading.
3 - Normal
PORT 443
HTTPS | TCP
PORT 25
SMTP | TCP
NETCAT Options:
__ = Specifies port to listen on (TCP by default)
-p
METERPRETER COMMANDS:
___ - List out files or contents of a directory.
ls
Ports:
88, 389, and 445 = ___
2K3
Syntax for Nmap
nmap
FILE PLACEMENT:
___ - places files onto target. Useful for putting tools or modified log files onto the target filesystem.
upload
Metasploit Commands:
___ - Set exploit parameters.
set
WINDOWS HASH:
___ - A weak symmetric algorithm. Passwords are limited to 14 characters (A-Z, 0-9, 36 unique characters).
LAN Manager (LM) Hash
PAYLOAD TYPES:
___ - Creates a connection (callback) back to the attacker. Firewalls often allow this connection.
Reverse TCP
PORT 20/21
FTP | TCP
PAYLOAD TYPES:
___ - Self contained and standalone. Exploit delivers a payload in one shot. Most ___ are functional remote shells that offer the ability to run commands on the target system.
Single
Metasploit Module Categories:
___ - Contains modules to use after target access.
Post
NETCAT Options:
__ = Conducts UDP port scan
-u
FILE COLLECTION:
___ - enables retrieving target files or directories of interest.
download
PORT 88
KERBEROS | TCP
Common tools for offline password cracking include: ___ and ___.
John the Ripper
Cain and Abel
Military members may use active exploitation techniques and tools in support of __ or ___ missions.
USCYBERCOM Cyberspace Operations (CO)
or
NSA/CSS Computer Network Exploitation (CNE)
Syntax for Timing
nmap -T <0-5>
2 ways to use a Handler:
___ - During masquerades, or when connecting to a backdoor, a handler can be started by itself to connect to the target. Command used is:
use multi/handler
Manual
WINDOWS HASH:
___ - Part of the SID that uniquely identifies an account (group).
Relative ID (RID)
TIMING:
__ - __ = Reduces network load to prevent crashing systems. 4 second wait between sending.
2 - Polite
TIMING:
__ - __ = Scans very slowly to avoid IDS detection. 5 minutes between sending.
0 - Paranoid
Metasploit Commands:
___ - Load a specific exploit module.
use
Upon execution, John the Ripper (JtR) deploys a (1)___ file where it stores successfully cracked passwords. By default, it is stored in (2)___.
pot
/root/.john/john.pot
METERPRETER COMMANDS:
___ - Display current working directory on target.
pwd
OS: UNIX
Example: Solaris
TTL: ___
TTL = 255
Ports:
135 and 5000 = ___
WinXP
PORT 161/162
SNMP | UDP
HOST DISCOVERY:
___ = ICMP Timestamp uses an ICMP Timestamp Request (type 13) packet to find listening hosts.
-PP
METERPRETER COMMANDS:
___ - Displays system ARP cache.
arp
Syntax for Ping Sweep
nmap -sn -PI
- sn = ping sweep scan
- PI = ICMP echo request
___ - A memory address used to overwrite the Return Address memory slot.
Return Pointer
Domain controllers store the domain user hashes in the ___ file.
NTDS.DIT (NT Directory Services Directory Information Tree)
Method: hashdump
Platform: Meterpreter
Description: Allocates memory space in LSASS.exe to load assembly code: ___.
retrieves account hashes from memory.
HOST DISCOVERY:
___ = ICMP Echo is an option that uses an ICMP Echo (Request) packet.
-PI
PORT 23
Telnet | TCP
John the Ripper; 3 modes of operation:
___
___
___
Single
Wordlist
Incremental
The ___ parameter is set to the listening port of the payload (these options may change when using tunnels).
LPORT
___ - The application dynamically allocates heap memory at run-time, so memory locations for functions will not be static. Exploitation occurs by corrupting the program data at specific points in the process to cause the application to overwrite memory addresses or functions.
Heap Buffer Overflow
OS: Cisco
Example: 12.0
TTL: ___
TTL = 255
___ queries information using the domain name or IP address. Output can vary based on the request submitted. Used in Windows.
Nslookup
Heap Buffer Overflow usually requires a ___ to gain control of execution.
Heap Spray
Ports:
111 = ___
Solaris
Metasploit Module Categories:
___ - Used to alter payloads and avoid detection.
Encoders
OS: Windows
Example: 2K, XP, 7
TTL: ___
TTL = 128
PORT 389
LDAP | TCP
PORT 69
TFTP | UDP
NORMAL PROGRAM EXECUTION:
___ - When the subroutine completes its work, the pointer jumps to the address stored in the stack frame’s return address.
Return to Main
NETCAT Options:
__ = Execute command after connection
-e
Ports:
NOT 88, NOT 389, BUT 445 = ___
2K8
Metasploit Commands:
___ - List out exploit module details.
info
PORT 137
NetBios Name | UDP
___ - The assembly opcode 0x90 that tells the processor to do nothing and just move the Instruction Pointer forward.
No Operation (NOP) Sled
METERPRETER COMMANDS:
___ - Display Meterpreter help menu and available commands.
help
TIMING:
__ - __ = Adds a 5 minute timeout per host and never waits more than 1.25 seconds for probe response.
4 - Aggressive
There are 2 categories of password cracking: ___ and ___.
Online
Offline
METERPRETER COMMANDS:
___ - Display/modify routing table information.
route
HOST DISCOVERY:
___ = TCP ACK Ping to determine what hosts are up. Sends TCP ACK packets to port 80 on target networks/hosts and waits for response.
-PT
___ OS Fingerprinting does not involve sending packets to the target network; instead, it involves monitoring network traffic to determine the OS in use.
Passive OS Fingerprinting
2 ways to use a Handler:
___ - Connects to the shellcode payload that the exploit started on the target machine.
Automatic
___ uses ICMP by default for traceroutes.
Windows
METERPRETER COMMANDS:
___ - Displays process ID for running Meterpreter payload.
getpid
Metasploit Commands:
___ - Display any modules related to the key term used.
search
The 3 primary methods of collecting credentials are: ___, ___, and ___.
Password Cracking
Memory Injection
Open Source Research
Analysts build ___ and ___ by documenting target information.
Target Templates and Network Maps
PORT 22
SSH | TCP
PORT 139
NetBios (SMB) Session | TCP
Syntax for Scanline
sl -b -t
PORT SCAN TYPES:
- sT = ___
- sS = ___
- sA = ___
- sF = ___
- sN = ___
- sX = ___
- sU = ___
PORT SCAN TYPES:
- sT = TCP Connect Scan
- sS = SYN Stealth Scan
- sA = ACK Stealth Scan
- sF = FIN Stealth Scan
- sN = TCP Null Scan
- sX = TCP Xmas Tree Scan
- sU = UDP Scan
___ - Triggers the vulnerability in a service. ___ is the Delivery mechanism that connects to a service and performs the buffer overflow by writing a Return Pointer, a NOP Sled, and a Payload in the target process’ memory.
Exploit code
NETCAT Options:
__ = Enables listening mode
-l
___ - Technique that employs the use of credentials to gain access to a service and involves impersonating a user to log on (via SSH, Telnet, RDP, etc.).
Masquerade
PORT 79
Finger | TCP
NETCAT Options:
__ = Directs netcat to scan the selected ports in a random fashion
-r
SCAN EXTENSIONS:
___ = Port Specification. Nmap only scans the ports specified here. This helps limit the number of scanned ports.
-p
The ___ phase of the Active Exploitation Methodology takes advantage of data accumulated during the Information Gathering phase to interact directly with target networks.
Scanning and Enumeration phase
Metasploit Commands:
___ - Display the payloads compatible with the exploit.
show payloads
Metasploit Module Categories:
___ - Contains service-side and client-side exploits.
Exploits
PORT 6667
Unreal IRC Daemon | TCP
NORMAL PROGRAM EXECUTION:
___ - Subroutines store temporary data (buffers) on the stack. Each time a subroutine runs, the required memory is allocated on the stack in a unit called a ___.
Stack Frame
___ OS Fingerprinting involves connecting to a target port and reviewing the resulting TCP packets sent as a response.
Active OS Fingerprinting
Anatomy of a ___:
DELIVERY - rely on authentication as a trusted user to put an executable payload file on the target system.
EXECUTION - an executable payload placed on the target’s file system will require manual execution, from the command line or a scheduled job.
CONNECTION - a payload from a ___ requires a manual connection from the client program.
MASQUERADE
___ is a command line port scanner for Windows. ___ is known as a “take it with you” scanner due to the small size (20 KB) of its executable.
Scanline
Syntax for Banner Grabbing:
Nmap =
Telnet =
Netcat =
Syntax for Banner Grabbing:
Nmap = nmap -sV
Telnet = telnet
Netcat = nc -v
___ - Title 46 - Crimes, Chapter 815 - Computer-related Crimes, Section 6 - Offense Against Users of Computer, Computer Systems, Computer Networks, and Electronic Devices.
Florida Computer Crimes Act
METERPRETER COMMANDS:
___ - Change directory on target.
cd
___ Enables script building to automate network scans. The ___ scripts can be run individually or as categories. Banner grabbing, SMB host discovery, and HTTP header are the most commonly used ___ scripts.
Nmap Scripting Engine (NSE)
TIMING:
__ - __ = Only suitable for very fast networks or where data loss is acceptable. Times out hosts in 75 seconds and waits only 0.3 seconds for probes.
5 - Insane
An ___ in Cyber Operations is a software tool, script, program, or technique that takes advantage of a vulnerable system to provide command executions.
Exploit
PORT 1433
MSSQL | TCP
The ___ is how Metasploit connects to a remote payload and is the command line interface used to access remote computers. ___ is the client software that connects to the backdoor payload program that is running on the target system after an exploit.
Handler
United States Code (USC)
___ addresses Crime and Criminal Procedures; broken into different sections.
Title 18
The ___ provides structure and serves as a road map for analysts and operators.
Exploitation methodology
___ is an open source web scanner designed to perform tests against web servers to identify security problems. ___ looks for configuration files, potentially dangerous files, updates, and software versioning. Not stealthy, easily detectable.
Nikto
On Windows clients and servers, hashes are stored in the ___ file.
Security Accounts Manager (SAM)
PORT 514
SYSLOG | UDP
___ is a network scanning tool used for identification and enumeration of targets and vulnerable services by performing the following functions:
Ping sweep to find targets, Port scans to identify open/closed ports, OS fingerprinting to determine OS on remote targets, and Banner grabbing to determine application version.
Nmap
___ is a staged payload that provides a command shell interface to an exploited target. It evades forensic detection by using in-memory DLL injection, which writes nothing to disk, and uses encryption for its network connection.
Meterpreter
Anatomy of a ___:
DELIVERY - Trigger vulnerability in the target service, which allows us to write a payload program, called shellcode, into memory on target.
EXECUTION - Execute the payload in the memory space of the target application.
CONNECTION - a client program that has been specifically designed to interact with payload programs will make a connection with the payload running on a target. ___ automatically starts the client software.
CODE-BASED EXPLOIT
___ - Overwriting a local variable or data within the stack can change a program’s behavior to an attacker’s benefit. Overwriting the return address in a stack frame causes a jump to a specified address, where a NOP sled controls execution and passes it to a malicious payload program.
Stack Buffer Overflow
Metasploit Commands:
___ - Display exploit and payload module parameters (RHOST, RPORT, LPORT)
show options
___ is an all-in-one centralized console that allows command line access to all options available in the Metasploit framework.
msfconsole
Windows:
Syntax for ping with record route.
ping -r -9
- r = invokes record route option
- 9 = variable # (1-9) to indicate # of hops to record
METERPRETER COMMANDS:
___ - Displays user Meterpreter is running as.
getuid
___ involves probing target networks to discover hosts, IP addresses, and running services.
Active Analysis
A ___ determines if an IP address range has live hosts (if hosts can respond to probes). Consists of ICMP echo (requests) sent to multiple hosts. Generally poor tradecraft unless scan is randomized and run slowly.
Ping Sweep
PAYLOAD TYPES:
Staged systems:
___ - Sets up a TCP connection with the attacker’s machine and reads the larger Stage payload into memory; is small enough to fit into the limited memory space available in the buffer overflow exploit.
Stager (s0)
United States Code (USC)
Title 18 ___ - Wire and Electronic Communications Interception and Interception of Oral Communication. Interception and Disclosure of Wire, Oral, or Electronic Communications Prohibited.
Title 18 USC 2511
TIMING:
__ - __ = 15 second wait between sending.
1 - Sneaky
SCAN EXTENSIONS:
___ = Activates remote host identification via TCP/IP fingerprinting, using numerous techniques to detect the scanned OS. Scan results aid in the effort to determine the target OS type by comparing fingerprints from a database of known OS fingerprints (nmap-os-db).
-o