Day 8 Flashcards
(47 cards)
null session
unauthenticated SMB sessions that allow for connection to the IPC$ share with null credentials (no username and no password)
null sessions allow for the possible enumeration of:
SAM accounts
a list of machines on the system’s network
a list of shares
securing null session vulnerabilities
a combination of firewall, registry, and policy settings
null session registry key
the RestrictAnonymous value under HKLM\System\CurrentControlSet\Control\LSA controls null sessions
RestrictAnonymous value (5* architecture)
value  security level
0      none, relies on default permissions
1      does not allow enumeration of share names
2      no access without explicit anonymous permissions
RestrictAnonymous value (6* architecture)
value  security level
0      disabled, anonymous users are not restricted
1      does not allow enumeration of SAM accounts
named pipes
API functions used for establishing application client-server IPC connections
named pipes of interest for null sessions
\pipe\samr: SAM RPC server
\pipe\srvsvc: Server service RPC
\pipe\wkssvc: Workstation service RPC
Windows firewall
a host-based firewall that blocks unsolicited inbound network connections. It was introduced with Windows XP SP2
Windows Internet Naming Service (WINS)
a name resolution service that resolves NetBIOS names to IP addresses.
Domain Name System (DNS)
resolves fully qualified domain names (FQDNs) to IP addresses and IP addresses to FQDNs.
Microsoft requires DNS in its implementation of Active Directory
DNS Zones
represent a discrete portion of the namespace for a particular domain and provide a way to partition the domain namespace into manageable sections.
Primary zone
contains a read/write copy of the entire namespace
found in %systemroot%\system32\dns
secondary zone
contains a read-only copy of the entire namespace.
when a secondary zone needs an update, it requests a zone transfer from a primary server
found in %systemroot%\system32\dns
Active Directory-integrated zones
stored in Active Directory itself
DNS servers
there are primary servers, secondary servers, and caching-only servers
Primary servers
host primary zones
secondary servers
host secondary zones
caching-only servers
contain only information for previously resolved queries
Nslookup
a built in command-line tool used for DNS diagnostics, queries, and zone transfers
example nslookup commands
ls -d starfleet.local: zone transfer for the starfleet.local zone
server 192.168.0.20: changes the default DNS server to the given IP address or name
exit: exits the nslookup shell
Start of authority (SOA)
SOA is the first resource record in a zone.
it is the best (most authoritative) source of information for the domain.
serial number: revision number of the zone
refresh: the interval secondary servers use to control how often they request zone information
zone transfers are initiated by secondary servers
Service location (SRV) record
an SRV record maps a service name to the name of the server offering that service.
Name Server (NS) record
announces the authoritative name server for a zone, which will answer queries for that zone