Day 7

Question 1

DACL ACE’s order precedence

Answer 1

explicit deny
explicit allow
inherited deny
inherited allow

Question 2

Universal Naming Convention

Answer 2

if you are denied access to a folder but given access to a file within the folder, use the UNC path (file path) to access the file

Question 3

Take ownership

Answer 3

In 6* architecture, the administrator can directly assign a new owner.
In 5* architectures, a user must have the special permission and then exercise that permission

Question 4

copying files/folders

Answer 4

must have read at the source.
must have write at the destination.
because the copied file is a new instance, permissions are inherited from the parent directory

Question 5

moving files/folders

Answer 5

must have read and delete at the source.
must have write at the destination.
When moved within the same volume, permissions are retained.
when moved to a different volume, permissions are inherited from the parent folder

Question 6

exFAT (FAT64)

Answer 6

more storage than FAT16 or FAT32.
less functionality, and less overhead, than NFTS.
best option when you need to save files larger than 4GB.
often used for thumbdrives.
Like older FAT, exFAT still has allocation table, root directory, entries and timestamps.

Question 7

allocation table

Answer 7

exFAT uses a bitmap to track cluster allocation status.

FAT will still be used to track clusters should data become fragmented

Question 8

root directory

Answer 8

Root directory tracks files, subdirectories and the bitmap.

32 bytes in length

Question 9

file directory entries

Answer 9

found within the root directory.
files have a minimum of 3 entries and a max of 19. (directory sets)
contain file attributes (RASH), time stamps (MAC), file name, file size, and cluster information.

Question 10

timestamps

Answer 10

three main timestamps: created, accessed, and written/modified.
accessed timestamp reflects accurate date and time (unlike FAT).

Question 11

Remote Procedure Call (RPC)

Answer 11

windows uses RPC to allow a program runninig on one computer to seamlessly execute code on a remote system.
RPC listens on TCP port 135.

Question 12

RPC vulnerabilities

Answer 12

Endpoint mapper promiscuity

general DoS by attacking port 135

Question 13

NetBIOS

Answer 13

a session layer file and print sharing protocol.

provides 3 services: Name service, datagram service, and session service

Question 14

NetBIOS Name Service

Answer 14

NetBIOS name service is used for name resolution and registration (UDP port 137).
Net BIOS names are flat and limited to 16 characters. The first 15 characters are for names and the 16th character indicates the function/service.

<00> workstation
<20> server

Question 15

Name advertisement

Answer 15

1.client broadcasts NetBIOS info 6-10 times.
2. if the name is already in use, that client sends a broadcast back indicating its use.
3. if there are no in use responses, the original client may use the name.
(a name is unique and goes to the first device that requests it)

Question 16

name resolution

Answer 16

1. Client first checks its cache.
2. if not found, client requests resolution from master browser or WINS server.
3. if name is not in the master browser or WINS, client sends broadcast looking for it.
4. if there are no responses, the name will not be resolved

Question 17

NetBIOS Datagram Service

Answer 17

UDP port 138
used for browser and messenger services.
<03> indicates messaging is available

Question 18

NetBIOS session service

Answer 18

NetBIOS session service uses TCP port 139.

primarily used for local network file and print sharing.

Question 19

NBTSTAT (NetBIOS over TCP/IP Statistics)

Answer 19

NBSTAT is a diagnostic tool for NetBIOS over TCP/IP.
nbtstat -a a used with NetBIOS name
nbtstat -A A used with IP address
nbtstat -n lists local NeteBIOS names

Question 20

Server Message Block (SMB)

Answer 20

SMB (AKA CIFS) is an application layer protocol used for file and print sharing.
uses TCP port 445.
SMB is transport independent.

Question 21

Samba

Answer 21

Samba provides file and print sharing services to SMB/CIFS clients and allows for seamless interoperability between *NIX servers and Windows clients

Question 22

Remote Desktop Protocol (RDP)

Answer 22

RDP on TCP port 3389 is a remote connection system.
RDP allows for an actual GUI desktop.
Typically only enabled on servers and certain administrative workstations.

Question 23

network discovery

Answer 23

enables a computer to locate any device with an IP address

Question 24

Netstat

Answer 24

netstat provides information and statistics about protocols in use and current tcp/ip network connections.

netstat -an (most common syntax)

Question 25

netstat states

Answer 25

Listening-server ready for connection established-session is established time_wait-server has closed connection, but still waiting for final timeout value.

Question 26

PS equivalent to Netstat

Answer 26

get-netTCPConnection

Question 27

net help

Answer 27

displays a list of commands | net help

Question 28

net view

Answer 28

displays a list of resources being shared on a computer. net view lists computers in current domain/network net view /domain: lists computers in another domain/network net view \\ lists public shares on a remote system \all option on 6* systems lists all admin and hidden shares

Question 29

Net use

Answer 29

lists sessions in the form of mapped drives made from the work station net use displays workstation connections and mapped drives. net use T: \\ Maps a logical T: drive to UNC which is \\ \sharename net use T: /delete deletes logical T: drive

Question 30

the PS equivalent to Net Use

Answer 30

get-smbConnection

Question 31

Net share

Answer 31

makes a server's resources available to network users net share displays local shares, including admin and hidden net share utils=c:\tools shares c:\tools directory, naming the share utils net share utils /delete deletes the share named utils

Question 32

administrative shares

Answer 32

default shares: Drive letter$ i.e C$, E$, F$, etc ADMIN$ the Systemroot on Windows is shared via admin shares. IPC$ shares named pipes required for communication between computers and programs SYSVOL used on active directory domain controllers

Question 33

PS equivalent to net share

Answer 33

Get-smbshare

Question 34

Net session

Answer 34

command lists recorded sessions made to the machine via the local server service. net session displays connections made to the local server service net session \\ displays details of a session

Question 35

net config

Answer 35

displays configuration information of the Workstation or server service

Question 36

net accounts

Answer 36

updates the user accounts database and modifies password and logon requirement for all accounts /minpwlen: /maxpwage: