PenTest+ Study Notes 8 Flashcards
LoTL (living off the land) attacks are called fileless malware as there are no viruses used. Instead, the attack will use the tools that are part of the OS or administration tools to launch an attack.
LoTL attacks are stealthy and are being used for a variety of malicious purposes including using software deployment tools to deliver ransomware. Because there is no discrete signature, a more proactive approach to fileless malware is to use a blend of behavioral-based detection and monitoring strategies.
info
??? removing specific entries, changing log entries = Instead of removing an entry or an entire log, it may be more beneficial to simply alter the log entries. For example, with some effort you can modify a user logon entry in Windows security logs which can frame another individual. However, you can also steal a privileged user’s token and then perform a malicious task. This type of attack is called Incognito, which allows you to impersonate user tokens after you have compromised a system. Using Metasploit’s meterpreter you can list available tokens and then impersonate one of the tokens to assume its privileges, modifying timestamps = Changing time-based values is not just limited to event logs. You can also alter a file’s modification, access, created, and entry modified (MACE) metadata. Changing the MACE values is possible by using Metasploit’s meterpreter tool called TimeStomp which allows you to delete or modify timestamp-related information on files.
Clearing your tracks after a Pentest :
Clearing your Tracks #2 after Pentesting -> Removing the commands history = you can cover your tracks by setting the command history to zero before executing the commands. For a Bash shell, this command is as follows: export HISTSIZE=0 .
Shredding or overwriting a file : (1) On a Linux system, you can use the command shred. For example, to overwrite the file with zeros and hide evidence that the file was shredded and completely remove the file, you would use the command: shred -zu /root/keylog.bin. (2) Windows has a built in command, called cipher.exe, that can securely delete a file. By using cipher.exe /w:C:\path\to\file.ext”, you can securely delete it. However, it must be over 1kb in size for cipher to work.
info
(Kali Linux) Steghide is an open-source tool used to conceal a payload in either an image or audio file. The software can compress, conceal, and encrypt data using images such as JPEG and BMP, along with audio files using Waveform Audio File Format (WAV) and audio (AU) formats.
OpenStego
info
NTFS Alternate Data Streams were originally designed to provide compatibility with non-Windows file systems. However, this method can also be used to allow data to be stored in hidden files that are linked to a regular visible file. The streams are not limited in size and there can be more than one stream linked to the visible file. This allows an attacker to hide their tools and data on a compromised system and retrieve them later.
Snow is a CLI steganography tool that conceals a data payload within the whitespace of a text file that uses the ASCII format. Data can either be concealed using plaintext, or the message can be encrypted.
Coagula / Sonic Visualizer = can hide messages w/audacity in a sound wav file to be read later on.
info
??? a social engineering attack such as a phishing email requesting data, Downloading data to an insecure device, such as a USB drive, Fileless malware such as a PowerShell-based attack using custom payloads, Transmitting data to non-secured cloud resources.
Data Exfiltration ex.’s :
??? is a command-line utility used to read from, or write to, a TCP or UDP network connection. It can create or connect to a TCP server, act as a simple proxy or relay, transfer files, launch executables (such as a backdoor shell) when a connection is made, test services and daemons, and even scan ports. The basic syntax of Netcat is nc [options] [target address] [port(s)].
NetCat :
??? this provides an extra layer of protection by forcing a specific TCP connection so that websites do not see your real IP address. ProxyChains4 is included with Kali Linux, as well as any other version of Linux. ProxyChains4 is a command-line tool that enables PenTesters to mask their identity and/or source IP address by sending messages through intermediary or proxy servers. In order to stay anonymous during port scanning, you can use The Onion Router (TOR) through the ProxyChains4 utility, which will redirect connections through proxy servers.
ProxyChaining :
In addition to services, most organizations make files available on the internal network for users to access. This is typically done through the use of network shares, which are directories that can be accessed by using a network sharing protocol. These network shares might hold sensitive files or information that is otherwise useful to the PenTesting team. Ex.’s of network shares -> Microsoft hosts: Microsoft File and Print service, using Server Message Block (SMB) protocol via TCP ports TCP 139 or 445. Linux/Unix (*nix) hosts: Network File System (NFS) daemon using the NFS protocol via TCP and UDP 2049.
info
ShareEnum is a Sysinternals GUI tool that can scan a domain, workgroup, or IP address range for file and print shares along with their security settings.
LLMNR and NetBIOS are two name resolution services used in a Windows environment to resolve network addresses. During name resolution, if a Windows host cannot resolve a domain or host name via a DNS server, it will query other hosts on the local segment. By default, the process will first use LLMNR, and if that fails, it will try the NetBIOS Name Service (NBT-NS).
info
