PenTest+ Study Notes 11 Flashcards
Direct Attached Storage (DAS) is storage attached to a system such as a hard drive in a server, instead of being accessed over the network.
Network Attached Storage (NAS) is a group of file servers attached to the network dedicated to provisioning data access.
Storage Area Network (SAN) is a separate sub-network typically consisting of storage devices and servers that house a large amount of data.
??? hypervisor is installed onto a host operating system. Any virtual machines that are created are a guest and ride on top of the native operating system.
??? hypervisor is installed directly onto the hardware and manages access to the host hardware without going through a host OS.
A ??? is a location that is used to store VM templates or images and contains the configuration files used to create additional VMs.
Properly manage the secrets such as API keys, tokens, and passwords, to mitigate container security risks and vulnerabilities. Consider using a secrets management tool and make sure deployments mount only the secrets they actually need.
Type II / Type I / VM repository
Virtualization Attacks -> Class 1 = attacks happen outside the VM, Class 2 = attacks directly affect the VM, Class 3 = attack originates within the VM and is the attack source.
VM escape is an attack where malware running in a VM is able to interact directly with the hypervisor or host kernel. For this attack to take place, the malicious actor must first detect the presence of a virtualized environment. The next step is for the attacker to compromise the hypervisor.
Hyperjacking is when a malicious actor takes control of the hypervisor that manages a virtual environment. Once the malicious actor has taken control of the hypervisor, they will have all the required privileges and can take full control of the environment. In addition, they will be able to access every VM along with the data stored on them and can then use any guest OS as a staging ground to attack other guests.
??? occur when the outcome of executing processes depends directly on the order and timing of certain events. Issues arise if these events fail to execute in the order and timing intended by the developer. For example, an app can check that a file exists and then use it later. You may be able to replace the file after it is checked by the app but before it is used. This can trigger app instability or privilege escalation.
Race Conditions :
??? requires the user to authenticate with a known session identifier that will then be used for impersonation. As an example, this could be done through social engineering and providing a fake login page that will use the known SID.
Session Fixation :
Horizontal Privilege Escalation is obtaining access to a regular user account with different access or permissions than the one currently in use. This approach has great potential for information gathering without raising possible suspicion, as irregular user activity is more likely to stay unnoticed than irregular admin activity.
Vertical Privilege Escalation is obtaining access to an account of higher privilege than the one we currently have, in order to reach resources that the regular user does not have permission for. In some cases we will need vertical PrivEsc, such as when we want to upgrade a “restrictive shell.”
Business logic flaws are vulnerabilities that arise from implementation and design issues that lead to unintended behavior.
A null byte is a character with a value of zero that is used in most programming languages to indicate the termination of a string. With a poison null byte, you can use this termination character to exploit a web app that does not properly handle null terminators. The hexadecimal representation of the poison null byte is %00. The poison null byte can support several different attacks, including directory traversal.
The Browser Exploitation Framework (“BeEF”) is a tool designed to exploit some functionality or vulnerability within a browser to launch XSS and injection attacks against a website. It gives the PenTester utilities for gaining access, gathering information, proxying traffic, and more.
Empire is a C2 framework that makes use of PowerShell for common post-exploitation tasks on Windows. It also has a Python component for Linux.
Covenant is a .NET command and control framework and, in a similar fashion to Empire, it aims to show the attack surface of .NET and make attacks through this vector easier.
Password Spraying: a brute force attack in which multiple user accounts are tested with a dictionary of common passwords.
Hash value prefixes (crypt hash format identifiers): $1 = MD5, $2a = Blowfish (bcrypt), $5 = SHA-256, $6 = SHA-512.
The Windows Local Security Authority Subsystem Service (LSASS) uses LSA secrets to store a variety of user, service, and application passwords. In some cases, such as with Kerberos tickets or LSA secrets, these credentials remain in memory after the user logs on or the computer boots up, and can be dumped using tools like Mimikatz.
BloodHoundAD can quickly explore AD trust relationships, abusable rights on AD objects, security group memberships, SQL admin links, and more.