All Appendix 2 Flashcards

1
Q

RIP Port

A

UDP 520

2
Q

UDP 520

A

RIP

3
Q

What does rusers stand for

A

Remote Users Service

4
Q

What does rusers do

A

rusers displays information about users currently logged into remote systems

5
Q

What is the difference between rusers and rwho

A

Both report users logged in on hosts across the local network, not just the current host: rusers actively queries each host's rusersd daemon over RPC (broadcasting when no host is given), whereas rwho passively reads the status that every host's rwhod daemon periodically broadcasts on UDP 513

6
Q

How does rusers work

A

With no host argument, rusers broadcasts an RPC request to every machine on the local network that runs the rusersd daemon; each responding host returns its list of currently logged-in users together with their idle times. rusersd is an ONC-RPC program (number 100002) reached through the portmapper rather than on a fixed port

7
Q

Rusers port

A

No fixed port: rusersd is an ONC-RPC program registered with the portmapper (port 111), so its port is assigned dynamically and discovered with rpcinfo -p; UDP 513 belongs to rwho/rwhod

8
Q

UDP 513

A

rwho (the rwhod daemon). TCP 513 is rlogin; rusers is an RPC service with no fixed port

9
Q

What does Rwho stand for

A

Remote Who Service

10
Q

What does rwho do

A

rwho displays information about users logged into remote systems on a network

11
Q

Rwho port

A

UDP 513

12
Q

How can SMTP be used to enumerate users

A

Certain SMTP commands, VRFY and EXPN, ask the server to validate a mailbox or expand a mailing list; by observing the response status codes (250 confirmed, 550 unknown user, 252 server declines to confirm) an attacker can tell whether a specific username or email address exists on the server

13
Q

What are the two commands responsible for SMTP user enumeration

A

VRFY and EXPN

14
Q

What is Finger

A

Finger is a utility that provides information about users on a system; it can display details such as the full name, home directory, login shell, login and idle times, etc.

15
Q

Where is information from Finger derived from

A

Much of it comes from the /etc/passwd file (login name, the GECOS full-name field, home directory and shell), plus login and idle times from the utmp/wtmp records and the contents of the user's ~/.plan and ~/.project files if present

16
Q

What happens if no user is specified on a finger query

A

If the finger daemon allows it, a query with no user returns a list of all users currently logged in on the system, including login names, terminals, idle times and other details

17
Q

Finger port

A

TCP 79

18
Q

TCP 79

A

Finger

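The finger query format and the fields a finger daemon pulls from /etc/passwd, as an added Python example that is not part of the original flashcards: finger_request builds the RFC 1288 query line, finger sends it over TCP 79, and the two parsers show what an attacker gets from a user listing and from the passwd-derived fields. The listing and passwd contents are constructed samples, and the host in the main block is a placeholder.

```python
import socket

NOLOGIN_SHELLS = ("/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false")


def finger_request(user=None, verbose=False):
    """RFC 1288 query line: an empty line asks for everyone logged in,
    '/W' requests the long (verbose) format."""
    parts = []
    if verbose:
        parts.append("/W")
    if user:
        parts.append(user)
    return " ".join(parts) + "\r\n"


def finger(host, user=None, verbose=False, port=79, timeout=5):
    """Send one finger query over TCP 79 and return the raw reply text."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(finger_request(user, verbose).encode("ascii"))
        chunks = []
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks).decode("latin-1")


def logins_from_listing(text):
    """Usernames from the first column of a no-user finger listing."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    return [ln.split()[0] for ln in lines[1:]]   # lines[0] is the header row


def passwd_to_finger_info(passwd_text):
    """The fields fingerd takes from /etc/passwd: login, GECOS full name, home, shell."""
    info = []
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        login, _pw, _uid, _gid, gecos, home, shell = line.split(":", 6)
        # GECOS is comma separated: full name, office, office phone, home phone
        info.append({"login": login, "name": gecos.split(",")[0], "home": home, "shell": shell})
    return info


def interactive_accounts(info):
    """Accounts with a real login shell: the ones worth trying against SSH/FTP."""
    return [i for i in info if i["shell"] not in NOLOGIN_SHELLS]


# Constructed samples standing in for a real target's responses.
SAMPLE_LISTING = """Login     Name           Tty      Idle  Login Time   Office     Office Phone
root      root           tty1       2d  Aug 10 08:12
alice     Alice Example  pts/0          Aug 12 09:30 (10.0.0.5)
"""
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice Example,Room 12,555-0100:/home/alice:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
"""

if __name__ == "__main__":
    # live use (placeholder host): print(finger("10.10.10.10")) or finger("10.10.10.10", "alice", verbose=True)
    print(logins_from_listing(SAMPLE_LISTING))
    for acct in interactive_accounts(passwd_to_finger_info(SAMPLE_PASSWD)):
        print(acct)
```

Note that the no-user query lists users currently logged in, not every account in /etc/passwd; the passwd parser shows what a per-user query reveals about any account the daemon is willing to describe.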
19
Q

What is an FTP access control mechanism

A

/etc/ftpusers

20
Q

What does /etc/ftpusers do

A

It is a deny list: each login name in /etc/ftpusers (typically root and other system accounts) is refused FTP login by the daemon even if the correct password is supplied

21
Q

What is anonymous user on FTP

A

Anonymous FTP lets anyone log in as the user anonymous (or ftp) without an individual account, so files in the anonymous area can be shared with everyone, e.g. across an internal network, without giving users access to each other's computers

22
Q

Does Anonymous user require authentication/password for FTP

A

No. Any password is accepted for the anonymous login; by convention the client sends an email address

23
Q

What is a security configuration in FTP to prevent identifying authors of files

A

hide_ids=YES (vsftpd) makes directory listings show "ftp" as the owner and group of every file instead of the real UID/GID, so an attacker cannot tell which account owns or has rights to a file and cannot harvest valid usernames from listings

24
Q

What is a vulnerability of allow file upload to an FTP server

A

If we can upload files, and the FTP directory overlaps a web root or is reachable through a Local File Inclusion (LFI) bug in a web application, an uploaded web shell or script can be executed by the web server, turning the upload into remote code execution (RCE)

25
FTP Ports
TCP 21 (control channel) and TCP 20 (data channel in active mode; passive mode uses a high port chosen by the server)
26
vsftpd config file
/etc/vsftpd.conf
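An added Python example (not from the original flashcards) that checks a vsftpd configuration for the settings the cards above describe: anonymous login, anonymous upload and hide_ids, plus the /etc/ftpusers deny list. The two configurations and the ftpusers file are constructed samples; the defaults assumed for unset keys are vsftpd's documented compiled-in defaults.

```python
# vsftpd defaults (vsftpd.conf(5)) applied to keys the file leaves unset.
DEFAULTS = {"anonymous_enable": "YES", "anon_upload_enable": "NO",
            "anon_mkdir_write_enable": "NO", "write_enable": "NO", "hide_ids": "NO"}


def parse_vsftpd(text):
    """key=value lines; '#' comments and blank lines ignored; last value wins."""
    conf = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip().lower()] = value.strip()
    return conf


def _on(conf, key):
    return conf.get(key, "NO").upper() == "YES"


def audit_vsftpd(conf):
    findings = []
    if _on(conf, "anonymous_enable"):
        findings.append("anonymous login allowed (anonymous_enable=YES): anyone can log in without credentials")
        if _on(conf, "write_enable") and _on(conf, "anon_upload_enable"):
            findings.append("anonymous upload allowed: if the FTP root overlaps a web root or is "
                            "reachable via an LFI, an uploaded web shell gives RCE")
    if not _on(conf, "hide_ids"):
        findings.append("directory listings show real UID/GID owners (hide_ids not YES): "
                        "file owners leak valid usernames")
    return findings


def ftp_login_denied(ftpusers_text, user):
    """/etc/ftpusers is a deny list: one login name per line, '#' comments."""
    denied = {ln.strip() for ln in ftpusers_text.splitlines()
              if ln.strip() and not ln.lstrip().startswith("#")}
    return user in denied


# Constructed samples: a weak and a hardened vsftpd.conf, plus an ftpusers file.
WEAK_CONF = """# constructed example
listen=YES
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
hide_ids=NO
"""
HARDENED_CONF = """# constructed example
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
hide_ids=YES
"""
FTPUSERS = """# /etc/ftpusers: users that may never log in over FTP
root
daemon
bin
"""

if __name__ == "__main__":
    for f in audit_vsftpd(parse_vsftpd(WEAK_CONF)):
        print("WEAK:", f)
    print("hardened findings:", audit_vsftpd(parse_vsftpd(HARDENED_CONF)))
    print("root denied:", ftp_login_denied(FTPUSERS, "root"))
```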
27
What is SMTP
SMTP is a protocol used for sending emails in an IP network, it can be used between an email client and an outgoing mail server or between two SMTP servers
28
SMTP Port
TCP 25
29
What do newer SMTP servers listen on
TCP 587, the mail submission port, where clients authenticate (SMTP AUTH) and usually negotiate STARTTLS
30
What is an essential function of SMTP
Blocking spam: authentication mechanisms (SMTP AUTH) ensure that only authorised users can send or relay email through the server
31
What is ESMTP
It is an extension of SMTP, aptly called Extended SMTP, which adds capabilities negotiated via EHLO, notably STARTTLS for SSL/TLS encryption and AUTH for authentication
32
How can we enumerate usernames on SMTP
Using the EXPN and VRFY queries
33
What does EXPN do
EXPN asks the server to expand a mailing list or alias and return the addresses of its members, which reveals real user mailboxes
34
What does VRFY query do
VRFY asks the server to verify that a given username or address is a valid mailbox for mail transfer
35
What is Code 252 in VRFY
252 means the server cannot verify the user but will accept the message and attempt delivery; it neither confirms nor denies that the user exists (a hardened server answers 252 for everyone). An unknown user is reported with 550
36
What is Code 250 in VRFY
250 means the requested mail action was completed, i.e. the mailbox exists
37
How can we connect to an SMTP server
telnet <host> 25 (or nc), then send HELO/EHLO before issuing VRFY or EXPN
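The VRFY/EXPN enumeration described in cards 12, 13 and 32 to 37, as an added Python example that is not part of the original flashcards. It maps reply codes to a verdict (250/251 confirmed, 252 unconfirmed, 550 absent, 502 disabled), drives either a real TCP session or an injected responder, and the responder fake_server is a constructed stand-in for a server with VRFY on and EXPN off; the host in the comment is a placeholder.

```python
import re
import socket

# Meaning of the reply codes a server may give to VRFY/EXPN (RFC 5321 s.3.5).
# Only 25x confirms the mailbox; 252 means "cannot verify, will try delivery"
# and says nothing about whether the user exists.
def classify(code):
    if code in (250, 251):
        return "exists"
    if code == 252:
        return "unconfirmed"
    if code in (550, 551, 553):
        return "absent"
    if code in (500, 502, 504):
        return "disabled"
    return "unknown"


_STATUS = re.compile(r"^(\d{3})[ -]")


def parse_status(reply):
    """Numeric status code of a (possibly multi-line) SMTP reply."""
    m = _STATUS.match(reply)
    if not m:
        raise ValueError("malformed SMTP reply: %r" % reply)
    return int(m.group(1))


def enumerate_users(talk, users, verb="VRFY"):
    """talk(cmd) sends one command and returns the server's reply text.
    Returns {user: classification}; verb is VRFY or EXPN."""
    results = {}
    for user in users:
        results[user] = classify(parse_status(talk("%s %s" % (verb, user))))
    return results


class SmtpTalker:
    """Minimal line-oriented SMTP client for a real target (plain TCP, no TLS)."""

    def __init__(self, host, port=25, helo="probe.example", timeout=5):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.read_reply()               # 220 greeting
        self.send("EHLO " + helo)       # many servers reject VRFY before EHLO/HELO

    def read_reply(self):
        buf = b""
        while True:
            chunk = self.sock.recv(4096)
            if not chunk:
                break
            buf += chunk
            lines = buf.split(b"\r\n")
            # the final line of a reply has a space after the code, not a dash
            if len(lines) >= 2 and re.match(rb"^\d{3} ", lines[-2]):
                break
        return buf.decode("latin-1")

    def send(self, cmd):
        self.sock.sendall((cmd + "\r\n").encode("latin-1"))
        return self.read_reply()

    __call__ = send

    def close(self):
        try:
            self.send("QUIT")
        finally:
            self.sock.close()


# Constructed responder: VRFY enabled, EXPN disabled, one account answered with 252.
_KNOWN = {"root": "250 2.1.5 root <root@mail.example>",
          "www-data": "250 2.1.5 <www-data@mail.example>",
          "backup": "252 2.0.0 Cannot VRFY user, but will accept message and attempt delivery"}

def fake_server(cmd):
    verb, _, arg = cmd.partition(" ")
    if verb == "VRFY":
        return _KNOWN.get(arg, "550 5.1.1 <%s>: Recipient address rejected: User unknown" % arg)
    if verb == "EXPN":
        return "502 5.5.1 EXPN command is disabled"
    return "500 5.5.2 Error: command not recognized"


if __name__ == "__main__":
    # against a live host: enumerate_users(SmtpTalker("10.10.10.10"), wordlist)
    for user, state in enumerate_users(fake_server, ["root", "backup", "alice", "www-data"]).items():
        print("%-10s %s" % (user, state))
```

The "unconfirmed" verdict is the important one: a server that returns 252 for every name has effectively disabled enumeration, so treat a wordlist that comes back all-252 as no information rather than as a list of valid users.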
38
What is Mail Relaying
Mail Relaying is the process where an SMTP server forwards an email from one server to another that is not directly responsible for either the sender or recipient, such as when emails need to be transferred across different domains and servers
39
In essence what is Mail Relaying
Any transfer of an email that is not directly the recipient or sender but rather an intermediary server
40
What does NFS stand for
Network File System
41
What does NFS do
It is a file system that has the same purpose as SMB - to access file systems over network as if they were local
42
What are the versions of NFS
NFSv2, NFSv3 and NFSv4
43
What is NFSv2
It is older but supported by many systems and was initially operated over UDP
44
What is NFSv3
It added features such as 64-bit file sizes and offsets (large files), safe asynchronous writes and better error reporting, but it is not compatible with NFSv2 clients
45
What is NFSv4
It includes Kerberos, supports ACLs and provides performance improvements and higher security
46
What is the most secure version of NFS
NFSv4
47
What is NFS based on
ONC-RPC / SUN-RPC
48
What does ONC-RPC stand for
Open Network Computing Remote Procedure Call
49
What port does NFS listen on
TCP/UDP 2049 (NFSv4 needs only this port; v2/v3 also use mountd and other RPC helpers on dynamic ports)
50
What port does ONC-RPC listen on
TCP/UDP 111 (rpcbind/portmapper)
51
What does NFS rely on for authentication
With the default AUTH_SYS flavour NFS has no real authentication: the client sends the UID/GID of its local user and the server trusts those numbers, applying them to the export's file permissions. Names shown in listings come from the server's local user database, but access decisions use the numeric IDs the client claimed
52
What file contains a table of filesystems on the NFS server
/etc/exports
53
What is Root_Squash / No_Root_Squash
root_squash (the default) maps requests from the client's root user (UID 0) to an anonymous user (nobody/nfsnobody, UID 65534 unless anonuid is set), so root on a client has no root privileges on the export; no_root_squash disables this, so a root user on any allowed client is root on the export and can, for example, create root-owned SUID binaries
54
What is Nosuid option
A mount option under which the setuid and setgid bits on files in the mounted filesystem are ignored, so such binaries run as the invoking user instead of as the file owner
55
What is noexec option
Mount option that prevents the execution of binaries on the file system; any attempt to execute a binary file (an executable or script) will fail
56
How can we access files through UID/GID manipulation
If we have shell access to the target via SSH as a low-privileged user and want to read files owned by another user, and the export allows it (no_root_squash, not mounted nosuid), we can mount the export on our own machine as root, create a copy of a shell owned by that user's UID with the SUID bit set (or simply create a local user with that UID and read the files through the mount), and then run that shell on the target from the SSH session
57
What are the two access control types in NFS
Host level and File level
58
What is Host level in NFS
The NFS server controls which hosts (devices) can access the shared directories through the NFS server's /etc/exports file
59
What is File level on NFS
Traditional UNIX model where access to files and directories are controlled based on user IDs (UID) and group IDs (GID)
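The host-level (/etc/exports) and file-level (UID/GID squashing) controls from cards 51 to 59, as an added Python example that is not part of the original flashcards. parse_exports reads the exports syntax, effective_uid applies the root_squash/no_root_squash/all_squash/anonuid rules to the UID a client claims under AUTH_SYS, and audit_exports flags the entries an attacker looks for. The exports file is a constructed sample.

```python
import re

ENTRY = re.compile(r"^([^(\s]*)(?:\((.*)\))?$")
NOBODY = 65534   # default anonuid/anongid on most Linux systems


def parse_exports(text):
    """/etc/exports: '<path> <client>(opts) <client>(opts) ...'. Returns a list
    of (path, client, options) with options as a set of strings."""
    exports = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        path, clients = tokens[0], tokens[1:] or ["*"]
        for tok in clients:
            m = ENTRY.match(tok)
            if not m:
                raise ValueError("bad export entry: %r" % tok)
            client = m.group(1) or "*"          # "(ro)" with no client means every host
            opts = set(filter(None, (m.group(2) or "").split(",")))
            exports.append((path, client, opts))
    return exports


def effective_uid(client_uid, opts):
    """UID the server applies under AUTH_SYS: the client's claimed UID, except
    that root is squashed unless no_root_squash is set, and everyone is
    squashed under all_squash."""
    anon = NOBODY
    for o in opts:
        if o.startswith("anonuid="):
            anon = int(o.split("=", 1)[1])
    if "all_squash" in opts:
        return anon
    if client_uid == 0 and "no_root_squash" not in opts:
        return anon
    return client_uid


def audit_exports(exports):
    findings = []
    for path, client, opts in exports:
        where = "%s -> %s" % (path, client)
        if client == "*" and "rw" in opts:
            findings.append("%s: writable by any host" % where)
        if "no_root_squash" in opts:
            findings.append("%s: no_root_squash, a client root can plant root-owned SUID binaries" % where)
        if "insecure" in opts:
            findings.append("%s: insecure, requests accepted from unprivileged source ports "
                            "(any local user on a client can mount)" % where)
    return findings


# Constructed /etc/exports for a server with one badly configured backup share.
EXPORTS = """# constructed /etc/exports
/srv/backup  10.0.0.0/24(rw,sync,no_root_squash)
/srv/public  *(rw,sync)  10.0.0.5(rw,insecure,anonuid=1001)
/home/dev    192.168.1.0/24(rw,sync,root_squash)
"""

if __name__ == "__main__":
    exports = parse_exports(EXPORTS)
    for path, client, opts in exports:
        print("%-12s %-16s root becomes uid %d" % (path, client, effective_uid(0, opts)))
    for f in audit_exports(exports):
        print("FINDING:", f)
```

On a client, the commands behind card 56 are the usual mount-and-copy sequence (mount -t nfs server:/srv/backup /mnt as root, copy a shell in, chown it to the target UID and chmod u+s); nosuid and noexec are client-side mount options, so they protect the machine that mounts the share, not the server that exports it.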
60
What is HINFO in DNS records
Resource record that provides descriptive information about a host, specifically its hardware and operating system
61
NetBIOS Name Port
UDP 137
62
UDP 137
NetBIOS Name
63
List all of the R Services
rcp, rexec, rlogin, rsh, rstat, ruptime and rwho
64
What is R Services
R Services are a suite of services hosted to enable remote access or issue commands between UNIX hosts over TCP/IP
65
Are R Services used now?
Not in modern deployments; they were replaced by SSH, but they still turn up on legacy UNIX systems
66
What is a vulnerability in R Services
Much like Telnet, R Services transmit information between client and server over the network unencrypted, making it possible for attackers to intercept credentials and session data; in addition, their host-based trust (/etc/hosts.equiv and ~/.rhosts) relies on the client's claimed hostname or IP address
67
What ports does R Services use
TCP 512 (rexec), 513 (rlogin) and 514 (rsh/rcp)
68
What is rcp
Remote Copy
69
What is rexec
Remote Execution
70
What is rlogin
Remote login
71
What is Rsh
Remote Shell
72
What port does rcp listen on
TCP 514 (rcp runs on top of rsh)
73
What port does rsh listen on
TCP 514
74
What port does rexec listen on
TCP 512
75
What port does rlogin listen on
TCP 513
76
What does rcp do
Copies files or directories between the local machine and a remote system in either direction, but gives no warning before overwriting existing files
77
What does rsh do
Opens a shell (or runs a single command) on a remote machine without a login procedure, relying on trusted entries in /etc/hosts.equiv and ~/.rhosts
78
How is password authentication bypassed in rsh and rlogin
rsh and rlogin skip the password prompt when the remote host (and optionally the remote user) appears in /etc/hosts.equiv or in the target user's ~/.rhosts; rexec does not use these files but takes a username and password, which are sent in cleartext
79
What does rexec do
Enables a user to run shell commands on a remote machine
80
What does rlogin do
Enables a user to login to a remote host over the network similar to Telnet, but can only connect to Unix-like hosts
81
What is the difference between /etc/hosts.equiv and .rhosts
/etc/hosts.equiv is the system-wide configuration that applies to all (non-root) users, whereas ~/.rhosts in a user's home directory provides a per-user configuration
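The trust decision rshd/rlogind make from /etc/hosts.equiv and ~/.rhosts (cards 77, 78 and 81), as an added Python example that is not part of the original flashcards. It implements the entry forms a practitioner meets (host only, host plus user, "+" wildcards, "-" negation), the rule that hosts.equiv is never consulted for root, and an audit that flags wildcard entries. Both files are constructed samples.

```python
def _match(pattern, value):
    return pattern == "+" or pattern.lower() == value.lower()


def _entry(line, remote_host, remote_user, local_user):
    """Evaluate one hosts.equiv/.rhosts line. Returns True (allow), False
    (explicit '-' deny) or None (line does not apply)."""
    parts = line.split("#", 1)[0].split()
    if not parts:
        return None
    host, user = parts[0], (parts[1] if len(parts) > 1 else None)
    deny = host.startswith("-")
    host = host.lstrip("-")
    if not _match(host, remote_host):
        return None
    if user is None:
        # host-only entry: trusts the remote user under the same local name
        if remote_user != local_user:
            return None
    else:
        # "host user": in hosts.equiv that user may become any local user,
        # in ~/.rhosts that user may become the file's owner
        deny = deny or user.startswith("-")
        user = user.lstrip("-")
        if not _match(user, remote_user):
            return None
    return not deny


def _file_allows(text, remote_host, remote_user, local_user):
    for line in text.splitlines():
        verdict = _entry(line, remote_host, remote_user, local_user)
        if verdict is not None:
            return verdict
    return False


def rhosts_trusted(hosts_equiv, rhosts, remote_host, remote_user, local_user):
    """Would rshd/rlogind let remote_user@remote_host in as local_user without
    a password?  hosts.equiv is never consulted for root; either file
    granting access is enough."""
    if local_user != "root" and _file_allows(hosts_equiv, remote_host, remote_user, local_user):
        return True
    return _file_allows(rhosts, remote_host, remote_user, local_user)


def audit_trust_files(hosts_equiv, rhosts):
    """Flag '+' wildcard entries, the classic misconfiguration."""
    findings = []
    for name, text in (("/etc/hosts.equiv", hosts_equiv), ("~/.rhosts", rhosts)):
        for line in text.splitlines():
            parts = line.split("#", 1)[0].split()
            if parts and parts[0] == "+":
                everyone = len(parts) > 1 and parts[1] == "+"
                findings.append("%s: %r trusts every host%s" % (
                    name, line.strip(), " and every user" if everyone else ""))
    return findings


# Constructed samples: a reasonable hosts.equiv and a careless user's ~/.rhosts.
HOSTS_EQUIV = """# constructed /etc/hosts.equiv
trusted.example
-evil.example
build.example  ci
"""
RHOSTS = """# alice's ~/.rhosts (constructed)
laptop.example
+ +
"""

if __name__ == "__main__":
    print(rhosts_trusted(HOSTS_EQUIV, RHOSTS, "anywhere.example", "mallory", "alice"))
    for f in audit_trust_files(HOSTS_EQUIV, RHOSTS):
        print("FINDING:", f)
```

The "+ +" line is why ~/.rhosts files are worth grepping for during enumeration: with that entry, any user on any host that can reach TCP 514 gets alice's shell with no password at all.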
82
What is X11
X11 is a framework for building GUIs on Unix OS, provides tools and protocols to display graphical applications, manage windows, handle input devices, etc.
83
What is security with X11 like
X11 communication is unencrypted, making it vulnerable to eavesdropping and MiTM attacks, however it can be tunneled through SSH for secure access
84
What does Xhost + do
Disables host-based access control entirely, so any host that can reach the X server may connect
85
What is recommended when using xhost
To use user-based access control and not host-based
86
What is the two types of access control on X11
Host-based and User-based
87
What is host-based access control in X11
The xhost command is used to manage host-based access control, it allows or denies access to the X server for specific hosts
88
What does xhost - do
Turns access control back on (removing the "all hosts" exception), so only hosts on the access list or clients presenting valid authorisation data such as a magic cookie may connect
89
What is user-based access control in X11
Restricts access to the X server based on individual users rather than entire hosts offering finer control.
90
What is the most common user-based authentication method to X server
MIT-MAGIC-COOKIE-1, a random cookie that is handed to authorised clients and stored in the ~/.Xauthority file; anyone who can read that file can present the cookie and connect to the display
91
Is MIT-MAGIC-COOKIE-1 or SSH tunnelling more secure in X11 and why
SSH tunnelling is more secure as it encrypts the transmission, whereas the magic cookie only authenticates the client and leaves the X11 traffic itself unencrypted on the wire
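The ~/.Xauthority file that holds the MIT-MAGIC-COOKIE-1 (cards 90 and 91), as an added Python example that is not part of the original flashcards. It packs and parses the file's record format (a 16-bit family followed by four length-prefixed fields: address, display number, auth name, auth data) and prints the xauth add command an attacker who copied the file would use to reuse each cookie. The sample record, host name and cookie value are constructed.

```python
import os
import struct

FAMILIES = {0: "Internet", 6: "Internet6", 5: "ServerInterpreted", 256: "Local", 65535: "Wild"}


def _pack_str(b):
    return struct.pack(">H", len(b)) + b


def pack_entry(family, address, number, name, data):
    """One Xauthority record: family u16, then four length-prefixed byte strings."""
    return (struct.pack(">H", family) + _pack_str(address) + _pack_str(number)
            + _pack_str(name) + _pack_str(data))


def parse_xauthority(blob):
    entries, pos = [], 0
    while pos < len(blob):
        family = struct.unpack_from(">H", blob, pos)[0]
        pos += 2
        fields = []
        for _ in range(4):
            (n,) = struct.unpack_from(">H", blob, pos)
            pos += 2
            fields.append(blob[pos:pos + n])
            pos += n
        address, number, name, data = fields
        if family == 0 and len(address) == 4:          # FamilyInternet stores raw IPv4 bytes
            addr = ".".join(str(b) for b in address)
        else:
            addr = address.decode("latin-1")
        entries.append({"family": FAMILIES.get(family, str(family)),
                        "address": addr,
                        "display": number.decode("ascii"),
                        "name": name.decode("ascii"),
                        "cookie": data.hex()})
    return entries


def xauth_add_commands(entries):
    """What someone holding a copied ~/.Xauthority types to reuse each cookie."""
    cmds = []
    for e in entries:
        sep = "/unix:" if e["family"] == "Local" else ":"
        cmds.append("xauth add %s%s%s %s %s" % (e["address"], sep, e["display"], e["name"], e["cookie"]))
    return cmds


def read_xauthority(path=None):
    path = path or os.environ.get("XAUTHORITY", os.path.expanduser("~/.Xauthority"))
    with open(path, "rb") as f:
        return parse_xauthority(f.read())


# Constructed file contents: a cookie for local display :0 on a host called "kali".
COOKIE = bytes.fromhex("0123456789abcdef0123456789abcdef")
SAMPLE = pack_entry(256, b"kali", b"0", b"MIT-MAGIC-COOKIE-1", COOKIE)

if __name__ == "__main__":
    for cmd in xauth_add_commands(parse_xauthority(SAMPLE)):
        print(cmd)
```

Because the cookie is the whole secret, file permissions on ~/.Xauthority (and on any copy left in /tmp by a display manager) are what user-based access control actually rests on.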
92
What is RPC
RPC is a protocol that allows a program to request a service or execute procedures on a remote server as if it were local
93
What does RPC stand for
Remote Procedure Call
94
Name 3 common RPC services
MSRPC, Portmapper and NFS
95
What is MSRPC
MSRPC is used by Windows for various network services such as file sharing, SMB, Active Directory, etc
96
What is Portmapper
The Portmapper service maps RPC services on the appropriate network protocols allowing clients to discover where services are available
97
What is NFS
NFS allows files to be shared over a network as if they were on a local disk; NFS uses RPC for all communication between the NFS client and NFS server
98
What tool can we use to enumerate RPC services
rpcinfo provides information about RPC services running on a Unix system; rpcinfo -p <host> lists every program registered with the portmapper together with its version, protocol and port
99
What were two popular vulnerabilities in RPC
EternalBlue (MS17-010), a flaw in the SMBv1 protocol that carries MSRPC traffic on Windows, exploited in the WannaCry attack; and abuse of the WordPress XML-RPC interface (xmlrpc.php)
100
RPC Endpoint Mapper (Windows) Port
Port 135
101
Port 135
RPC Endpoint Mapper (Windows)
102
Port 111
Portmapper
103
Portmapper Port
Port 111
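What rpcinfo -p actually sends to the portmapper on port 111 (cards 96 to 103, and the rusersd lookup from card 6), as an added Python example that is not part of the original flashcards. It builds the ONC-RPC CALL for portmapper v2 procedure DUMP in XDR, parses the reply's list of (program, version, protocol, port) mappings, and names the well-known program numbers. The reply bytes used for the demonstration are constructed with the block's own build_dump_reply; rpc_dump is the live-network variant.

```python
import socket
import struct

PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP = 100000, 2, 4
PROGRAMS = {100000: "portmapper", 100001: "rstatd", 100002: "rusersd", 100003: "nfs",
            100005: "mountd", 100021: "nlockmgr", 100024: "status"}
PROTO = {6: "tcp", 17: "udp"}


def build_dump_call(xid):
    """RFC 5531 CALL: xid, CALL(0), rpcvers 2, prog, vers, proc, AUTH_NULL cred and verf."""
    return struct.pack(">10I", xid, 0, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP, 0, 0, 0, 0)


def build_dump_reply(xid, mappings):
    """Server side of the exchange (used here to construct test data): a
    MSG_ACCEPTED/SUCCESS reply followed by an XDR optional-data list."""
    out = struct.pack(">6I", xid, 1, 0, 0, 0, 0)     # REPLY, accepted, null verf, SUCCESS
    for prog, vers, prot, port in mappings:
        out += struct.pack(">5I", 1, prog, vers, prot, port)   # "more follows" + one mapping
    return out + struct.pack(">I", 0)                           # end of list


def parse_dump_reply(data, xid):
    rxid, mtype, rstat = struct.unpack_from(">3I", data, 0)
    if rxid != xid or mtype != 1 or rstat != 0:
        raise ValueError("not an accepted reply to our call")
    _vflavor, vlen = struct.unpack_from(">2I", data, 12)
    pos = 20 + (vlen + 3) // 4 * 4                   # skip verifier body, padded to 4 bytes
    (astat,) = struct.unpack_from(">I", data, pos)
    if astat != 0:
        raise ValueError("accept_stat %d" % astat)
    pos += 4
    mappings = []
    while struct.unpack_from(">I", data, pos)[0] == 1:
        prog, vers, prot, port = struct.unpack_from(">4I", data, pos + 4)
        mappings.append({"program": prog, "name": PROGRAMS.get(prog, "unknown"),
                         "version": vers, "proto": PROTO.get(prot, str(prot)), "port": port})
        pos += 20
    return mappings


def rpc_dump(host, port=111, timeout=3):
    """Equivalent of 'rpcinfo -p host' over UDP."""
    xid = 0x4D2C1A7F
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_dump_call(xid), (host, port))
        data, _ = s.recvfrom(65535)
    return parse_dump_reply(data, xid)


# Constructed reply as a host exporting NFS and running rusersd would send.
SAMPLE_REPLY = build_dump_reply(0x1234, [(100000, 2, 6, 111), (100000, 2, 17, 111),
                                         (100003, 3, 6, 2049), (100005, 3, 17, 37121),
                                         (100002, 2, 17, 40431)])

if __name__ == "__main__":
    for m in parse_dump_reply(SAMPLE_REPLY, 0x1234):
        print("%7d %2d %s %5d  %s" % (m["program"], m["version"], m["proto"], m["port"], m["name"]))
```

The sample shows why rusers has no fixed port: rusersd (program 100002) sits on whatever UDP port it registered at start-up, and the portmapper dump is how a client, or an attacker, finds it.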
104
What does SSH do
SSH enables two computers to establish an encrypted and direct connection within a possibly insecure network on TCP 22
105
Where is SSH native to
Native to Unix, so it is preinstalled on Linux and macOS
106
What protocols can connect to SSH-1.99-OpenSSH_3.9p1
We can connect with SSH-1 and SSH-2
107
What protocols can connect to SSH-2.0-OpenSSH_8.2p1
Only accepts SSH-2 protocol
108
What are the 6 ways of authenticating to SSH
Password, Public Key, Host-based, Keyboard-interactive, Challenge-Response and GSSAPI
109
What is Public Key authentication for SSH
The client proves it holds the private key by signing a message that includes the session identifier; the server verifies the signature against a public key listed in the user's authorized_keys file, so no secret is decrypted or sent over the wire
110
What file is responsible for the OpenSSH server
sshd_config (normally /etc/ssh/sshd_config)
111
What is a dangerous setting on SSH
PasswordAuthentication yes, as it allows password brute-force and credential-stuffing attacks against any account; prefer PasswordAuthentication no with key-based login
112
What is a tool used to footprint SSH
ssh-audit checks the client-side and server-side configuration and shows general information
113
How can we secure SSH
Use key-based authentication, disable password authentication, allow only SSH-2, and optionally move SSH off the default port 22 (which only cuts scanner noise, not real risk)
114
How to remember what SSH versions can connect to what protocols
1.5 or lower: SSH-1 only; 1.99: both SSH-1 and SSH-2; 2.0 and beyond: SSH-2 only
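The banner rule from cards 106, 107 and 114, as an added Python example that is not part of the original flashcards: it parses the RFC 4253 identification string (SSH-protoversion-softwareversion, optional comment after a space), turns the protoversion into the set of protocol generations the server accepts, and flags SSH-1 support. read_banner is the live-network variant and tolerates the extra lines a server may send before the SSH- line; the banners in the main block are the ones quoted on the cards plus one constructed SSH-1.5 string.

```python
import re
import socket

BANNER = re.compile(r"^SSH-(\d+\.\d+)-([^\s]+)(?: (.*))?$")


def parse_banner(line):
    """RFC 4253 identification string: SSH-protoversion-softwareversion [SP comments]."""
    m = BANNER.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not an SSH identification string: %r" % line)
    return {"protoversion": m.group(1), "software": m.group(2), "comments": m.group(3) or ""}


def supported_protocols(protoversion):
    """1.99 is the compatibility marker: the server speaks both SSH-1 and SSH-2."""
    if protoversion == "1.99":
        return ("SSH-1", "SSH-2")
    major = int(protoversion.split(".")[0])
    return ("SSH-1",) if major < 2 else ("SSH-2",)


def assess_banner(line):
    info = parse_banner(line)
    protos = supported_protocols(info["protoversion"])
    findings = []
    if "SSH-1" in protos:
        findings.append("server accepts SSH-1 (banner version %s): the old protocol has known "
                        "weaknesses and no modern client needs it" % info["protoversion"])
    m = re.match(r"OpenSSH_(\d+)\.(\d+)", info["software"])
    if m:
        findings.append("OpenSSH %s.%s identified: compare the release against published advisories"
                        % m.groups())
    return {"software": info["software"], "protocols": protos, "findings": findings}


def read_banner(host, port=22, timeout=5):
    """Servers may send arbitrary lines before the SSH- line (RFC 4253 s.4.2)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        for raw in f:
            line = raw.decode("latin-1")
            if line.startswith("SSH-"):
                return line.rstrip("\r\n")
    raise ValueError("no identification string received")


if __name__ == "__main__":
    for b in ("SSH-1.99-OpenSSH_3.9p1", "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5", "SSH-1.5-Cisco-1.25"):
        print(b, "->", assess_banner(b))
```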