Day 8

Question 1

null session

Answer 1

unauthenticated SMB sessions that allow for connection to the IPC$ share with null credentials (no username and no password)

Question 2

null sessions allow for the possible enumeration of:

Answer 2

SAM accounts
a list of machines on the system’s network
a list of shares

Question 3

securing null session vulnerabilities

Answer 3

a combination of firewall, registry, and policy settings

Question 4

null session registry key

Answer 4

HKLM\System\CurrentControlSet\Control\LSA and the RestrictAnonymous value controls null sessions

Question 5

RestrictAnonymous value 5* architecture

Answer 5

value security level

0 none, relies on default permissions
1 does not allow enumeration of share names
2 no access without explicit anonymous permissions

Question 6

RestrictAnonymous value 6* architecture

Answer 6

value security level

0 disabled, anonymous users are not restricted
1 does not allow enumeration of SAM accounts

Question 7

named pipes

Answer 7

API functions used for establishing application client-server IPC connections

Question 8

named pipes of interest for null sessions

Answer 8

\pipe\samr: SAM RPC server
\pipe\srvsvc Server service RPC
\pipe\wkssvc workstation service RPC

Question 9

Windows firewall

Answer 9

prevents inbound network attacks by using a host-based system. It was introduced with WIndows XP SP2

Question 10

Windows Internet Naming Service (WINS)

Answer 10

a name resolution service that resolves NetBIOS names to IP addresses.

Question 11

Domain Name System (DNS)

Answer 11

resolves fully qualified domain names (FQDNs) to IP addresses and IP addresses to FQDNs.
Microsoft requires DNS in its implementation of Active Directory

Question 12

DNS Zones

Answer 12

represent a discrete portion of the namespace for a particular domain and provide a way to partition the domain namespace into manageable sections.

Question 13

Primary zone

Answer 13

contains a read/write copy of the entire namespace

found in %systemroot%\system32\dns

Question 14

secondary zone

Answer 14

contains a read-only copy of the entire namespace.
when a secondary zone needs an update, it requests a zone transfer from a primary server
found in %systemroot%\system32\dns

Question 15

Active Directory-integrated zones

Answer 15

stored in Active directory itself.

Question 16

DNS servers

Answer 16

there are primary servers, secondary servers, and caching-only servers

Question 17

Primary servers

Answer 17

host primary zones

Question 18

secondary servers

Answer 18

host secondary zones

Question 19

caching-only servers

Answer 19

contain only information for previously resolved queries

Question 20

Nslookup

Answer 20

a built in command-line tool used for DNS diagnostics, queries, and zone transfers

Question 21

example nslookup commands

Answer 21

ls -d starfleet.local zone transfer for starfleet.local zone
server 192.168.0.20 changes default DNS server to IP or name
exit exits the nslookup shell

Question 22

Start of authority (SOA)

Answer 22

SOA is the first resource record.
it is the best (most authoritative source) of information for this domain.

serial number revision number of zone
refresh time used by secondary servers to control how often the request zone information.
zone transfers initiated by secondary servers

Question 23

Service location (SRV) record

Answer 23

SRV record maps the service name to the server name offering the service.

Question 24

Name Server (NS) record

Answer 24

announces the authoritative name server for a zone who will answer queries for their zone

Question 25

Mail Exchanger (MX) record

Answer 25

specifies a mail exchange server for domain.

Question 26

Host (A) record

Answer 26

maps a host name to an IPv4 address (forward lookups)

Question 27

Host (AAAA) record

Answer 27

maps a host name to an IPv6 address (forward lookups)

Question 28

Alias (CNAME) record

Answer 28

sets an alias for a host name. often used to associate “www” with the web server name.

Question 29

Pointer (PTR) record

Answer 29

creates a pointer that maps an IP address to a host name for reverse lookups

Question 30

DNS name resolution

Answer 30

the client uses the resolver program to initiate DNS name resolution

Question 31

Securing DNS

Answer 31

secure dynamic updates to only allow updates from systems authorized to make them.

limit zone transfers to authoritative name servers and other authorized systems.

secure against DNS cache poisoning/pollution

Question 32

Microsoft Internet Information Services (IIS)

Answer 32

by default supports FTP on port 21, HTTP on port 80 and/or HTTPS on port 443

Question 33

IIS default web and ftp sites

Answer 33

C:\Inetpub\wwwroot or ftproot

Question 34

IUSR_ComputerName

Answer 34

This account permits users to connect anonymously to web sites hosted on the server

Question 35

IWAM_ComputerName

Answer 35

this account is used to run code in a separate memory space from the core web server process (for management)

Question 36

Local System

Answer 36

Service account for the following services:
IISADMIN IIS Admin service
W3SVC WWW publishing service used for http hosting
MSFTPSVC FTP publishing service used for FTP hosting

Question 37

WWW URL

Answer 37

protocol domain path to page
http://www.microsoft.com:8080/urlinfo/docs.htm
host port

Question 38

FTP URL example

Answer 38

Protocol host path to webpage
ftp://admin:abcd1234@ftp.microsoft.com/public/docs.htm
credentials domain

Question 39

web sites

Answer 39

web sites are commonly identified and hosted in the following ways: IP address, port number, host header

Question 40

IP address

Answer 40

configure each web site with a different IP address

Question 41

Port number

Answer 41

the server directs requests based on port number

Question 42

host header

Answer 42

multiple web sites may use the same IP address and port number, but the host header identifies each specific web site

Question 43

IIS Authentication methods

Answer 43

.

Question 44

anonymous access

Answer 44

requires no username or password.

uses the anonymous account IUSR_computername

Question 45

Basic authentication

Answer 45

requires a username and password which is transmitted in plaintext in an encoded format.

Question 46

Integrated Windows authentication

Answer 46

more secure than basic authentication.
uses same credentials as domain logon
cannot be used across firewalls or proxy servers

Question 47

digest authentication

Answer 47

also provides a more secure method than basic authentication.
it can be used across firewalls and proxy servers