Exam Prep Flashcards

(147 cards)

1
Q

CeWL

A

Website data collector that can also harvest email addresses.
Web crawl and wordlist generation using CeWL = collects words from web pages and common document types.
cewl.rb -m 8 -w file.txt --meta_file meta.txt -e --email_file email.txt domain.com

2
Q

Nikto

A

Nikto is a command-line web vulnerability scanner

3
Q

Wappalyzer

A

Wappalyzer is a website profiler to determine how a site is built

4
Q

ZAP

A

ZAP is a web application security scanner

5
Q

Meterpreter payload

A

The Meterpreter payload injects into a running process and can load new modules into that process's memory to change its functionality; communication back to the attacker host is encrypted. By default it does not touch the hard drive and does not require an executable on disk.

6
Q

Redirecting Cookie?

A

Redirecting cookie leads to session hijacking

7
Q

Volatility

A

Volatility netscan looks in memory for listening sockets
svcscan is a Volatility plugin

8
Q

Name res order

A

DNS, then LLMNR, then NBT-NS (NetBIOS)

9
Q

BeEF

A

Browser exploitation framework = BeEF
The BeEF hook.js can simulate a fake browser update

10
Q

Msfvenom

A

Msfvenom is part of Metasploit and is used to create malicious files

11
Q

RITA

A

RITA identifies C2 attacks using network anomalies

12
Q

Responder.py

A

Responder.py is a script to capture credentials using SMB

13
Q

4732

A

4732 = account added to a local group

14
Q

4688

A

4688 = start of a new process

15
Q

4634

A

4634 = logoff

16
Q

4768

A

4768 = Kerberos ticket (TGT) request

17
Q

Subfinder

A

Subfinder = passive subdomain finder

18
Q

theHarvester

A

theHarvester is similar to Subfinder (subdomain finder) but with a broader scope, and can be active or passive

19
Q

Can PSID and PID be the same?

A

PSID and PID should not be the same

20
Q

Netcat port scan command

A

nc -v -w3 -z is a port scan

21
Q

netstat -o

A

netstat -o shows the process ID

22
Q

Password Stuffing

A

Password stuffing starts with password leaks

23
Q

Describe a SID

A

The SID has:
A revision level, 1
An identifier authority, 5 (NT Authority)
A domain identifier, 21-1004336348-1177238915-682003330
A relative identifier, 500
S-1-5-21-1004336348-1177238915-682003330-500

24
Q

AWS Bucket Tools (3)

A

GCPBucketBrute does not have the ability to list or download the contents of public Google Compute buckets. gsutil is a Python application used to perform a wide range of bucket and object management tasks, including uploading and downloading content. Bucket_finder enumerates AWS S3 buckets, and ntdsutil is used to extract the ntds.dit and SYSTEM registry hives from a Windows domain controller.

25
skew
skew = interval
26
Why identify empty LanMan Hash?
Running Hashcat is a process that can take several hours or several days, depending on the resources of the system being used. If the LANMAN password hashes contain the string aad3b435b51404eeaad3b435b51404ee, they are empty. There is no need to run Hashcat against the LANMAN hash type.
27
SQL injection
SQL injection attackers start by adding string quotation characters to the user data to see how the system reacts when the data is submitted (i.e., ',", and`).
28
Enumerating blobs - 2 things needed
Enumerating blobs = Account and Container names
29
nmap -A
Nmap has a powerful option called -A. It enables OS detection, version detection, script scanning, and traceroute, giving far more information than a simple SYN or TCP connect scan.
30
netstat vs sc vs net view
netstat -nap will show local ports, PID, and program name on a Linux/Unix host. sc query will list local services on a Windows host. net view will get a list of shares from a Windows host.
31
RITA score 1 vs. near 1
Some C2 backdoors have a very strong heartbeat. This is where a backdoor will constantly reconnect to get commands from an attacker at a specific interval. The interval consistency of the heartbeat is the RITA Score, where a value of 1 is a perfect timing repetition for connections between the victim and the server for the duration of the capture period. RITA uses the characteristic of beaconing to identify threats in several ways. One reliable detection mechanism is the presence of a Score value near or at 1. In this case the source IP 10.20.234.50 is likely the victim of an attack and running a C2 backdoor with intermittent (not continuous) beaconing.
32
PICERL
PICERL Preparation, Identification, Containment, Eradication (undoing), Recovery (resumption), and Lessons Learned
33
Dynamic Approach to Incident Response (DAIR)
Dynamic Approach to Incident Response (DAIR): Preparation, then Detection and Verification/Triage (waypoints), leading to a loop of scoping, containment, eradication, recovery, and remediation before incident wrap-up. Drawn as a red wheel of waypoints, outcomes, and activities.
34
DFIR
DFIR - Digital Forensics and Incident Response
35
Detection
Detection = the first decision is always verification; mentions DFIR (Digital Forensics and Incident Response); a possible result when looking at logs is that they are inconclusive.
36
Containment
Containment = spot the attack; requires proper scoping, isolation, patching, etc. A short-term fix.
37
Eradication, Recovery, Remediation
Eradication (undoing) = restoring from backup, assessment
Recovery = resume operations
Remediation = root cause, monitoring, fixing the cause (long term)
38
PS command to get process starting with power
Get-Process 'power*' | Select-Object *
39
get-CimInstance
Get-CimInstance -Class Win32_Process   // provides more info, like the parent process and the execution command line
40
EncodedCommand
Watch for processes started using -EncodedCommand; CyberChef can be used for decoding
41
Types of encoding
Common encodings are Base64, URL encoding, UTF-8, and UTF-16 little and big endian
42
PS for listening TCP ports
Get-NetTCPConnection -State Listen
Local address "::" means listening on all interfaces configured with IPv6 (or 0.0.0.0 for IPv4); 127.0.0.1 is loopback, meaning local-only.
For the exam, look for notepad or another local service with an outbound connection (anything other than listening) on port 80.
43
PS to find services
Get-Service (or Get-CimInstance -Class Win32_Service)   // find services
44
PS for registry
Get-ChildItem 'reg key path' or Get-ItemProperty 'reg key path'
45
PS for local users & groups
Get-LocalUser, Get-LocalGroup, or Get-LocalGroupMember Administrators
46
PS for scheduled tasks
Get-ScheduledTask, Export-ScheduledTask, and Get-ScheduledTaskInfo
47
PS for Windows events
Get-WinEvent -LogName System | Where-Object -Property Id -EQ 7045
48
Sysinternal tools
Sysinternals = Process Explorer, Autoruns, Sysmon, Procmon, TCPView, and ProcDump
49
TCPDump
tcpdump for packet capture, or WinDump on Windows
tcpdump -i interface
tcpdump -i interface -w file
tcpdump -r file -n   // don't resolve hosts; can be -nnr
tcpdump -r file -n -A   // don't resolve hosts and show human-readable ASCII
50
BPF
Berkeley Packet Filters (BPF) for tcpdump = primitives and operators
51
Web Proxy tools
Squid, Blue Coat, Forefront TMG
52
Dumping memory passwords
First collect memory with WinPmem run as admin.
Then analyze with Volatility (Python framework), naming plugins as platform.class.PluginName:
vol -q -f win10.0.22000.556.raw windows.pslist.PsList
53
List processes using vol
PsList = lists processes; PsTree = shows the parent tree
54
List network connections
NetScan = network connections
55
CmdLine
CmdLine = process command line
56
2 online malware analysis tools
Virus Total and Hybrid Analysis
57
Compare registry settings
RegShot - compares registry
58
Core Analysis
Core analysis: IDA Pro with the optional Hex-Rays decompiler, Ghidra by NSA; see FOR610, SEC660, SEC760
59
ATT&CK
ATT&CK Adversarial Tactics, Techniques, and Common Knowledge
60
Web search as a discovery tool, Web-based recon
Search engine results, using site: modifier
61
DNS interrogation tools
DNS interrogation with dig or nslookup
62
Using dig
dig ANY domain.com
dig @nsztm1.digi.ninja AXFR domain.com   // DNS zone transfer
63
Brute force AXFR
Brute force AXFR using nmap with the dns-brute script
64
Using Certificate transparency
Certificate transparency for example crt.sh/?q=domain.com
65
SubFinder
ProjectDiscovery Subfinder from https://projectdiscovery.io can run subdomain enumeration:
subfinder -d domain.com
66
ExifTool
Perl script to extract Windows file metadata, for example exiftool file.pdf
67
PowerShell can learn about an Azure hosted domain
AADInternals
68
Recon As Outsider
Invoke-AADIntReconAsOutsider -Domain domain.com | Format-Table
69
DeHashed
DeHashed provides plaintext passwords and PII as a service (a deeper form of HIBP)
70
Shodan
Shodan is an advanced domain search engine that indexes service banners
71
robots.txt
Disallow search indexing using robots.txt   // examples below are pages not to be indexed; use high-level directories rather than sensitive names
Disallow: /registration
Disallow: /admin.php
Disallow: /app
72
nmap
Nmap is used to discover the network topology (network mapping and port scanning); run it as root for best results
73
Sweeping using nmap
Sweeping looks for active hosts by sending ICMP echo requests to an IP range and logging the replies.
Nmap sweeps before port scanning by default; skip this using -Pn.
It sends a TCP SYN to 443 and a TCP ACK to 80 (must be root to send the ACK to 80).
sudo nmap -sn 192.168.1.1-254   // -sn only does discovery, no port scan
74
TCP and UDP port range
TCP and UDP each have 65,536 port numbers; usable ports are greater than 0
75
SYN ACK vs. RST ACK
SYN/ACK = OPEN and RST/ACK = CLOSED. Nmap reports open, closed, or filtered (no response)
76
nmap switches
-sS = conventional TCP (SYN) scan and -sU = UDP scan
-sV = version scan
-oA to specify target host
Nmap Scripting Engine (NSE) scripts: -sC = use default scripts; --script scriptName (or all)   // accepts wildcards
77
Find service providers
Use builtwith.com to summarize service providers. Cloud providers publish their IP ranges.
78
Masscan
Masscan is fire-and-forget, better for massive IP ranges:
masscan 192.168.1.1/24 -p 22,25,80,443,3389
79
TLS-Scan
Identify TLS servers on TCP 443 and request their certificates for recon, using OpenSSL (one at a time) or TLS-Scan. TLS-Scan (Linux) rolls through a list of IPs listening on 443 (TLS servers) to gather info from their certificates.
80
EyeWitness
EyeWitness takes website screenshots; run it using Python:
python3 /opt/eyewitness/EyeWitness.py --web -f urllist.txt --prepend-https
81
SMB
SMB can be scanned and appears as normal TCP 445 traffic.
SMBv1 started with XP, SMBv3 with Win8, and SMB 3.1.1 with Win10/Win2016.
Didn't support encryption until SMB3; the latest version adds pre-authentication integrity.
Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol
Block SMB over TCP 445 and TCP/UDP 135 and 139 on firewalls.
82
Query SMB shares (3)
Get-CimInstance -Class Win32_Share -ComputerName hostOrIP
net.exe view \\192.168.1.1 /all   // can work against non-Windows hosts
SMBeagle can be used to search through SMB shares.
83
SMBeagle
SMBeagle can be used to search through SMB shares.
smbeagle -c results.csv -n 192.168.1.0/24 -u ksmith -p pass123 -q
SMB also has many CVEs if it is not patched, and there is no backoff delay for password guessing.
84
Copernic Desktop Search
Copernic Desktop Search also indexes SMB files and does keyword search and OCR
85
Samba
Samba smbclient for file share access lets you access and browse shares from the command line if you have credentials, and even download and upload files. Samba rpcclient (Linux) has over 100 commands over authenticated SMB.
86
Enumerate SMB session
Identify sessions using Get-SmbSession and close them with Close-SmbSession. The net.exe command is also available: net view, net share, net session, net use.
87
Hayabusa
Hayabusa applies Sigma rules to Windows event logs; also Velociraptor
87
Sigma
Sigma - related to Snort, SIEM, YARA, YAML
88
THC Hydra
THC Hydra is an online password guessing tool:
hydra -L users -P passwords ssh://3.231.163.70
89
Password spray
Password spray is a small number of passwords against a large number of accounts
90
PACK
PACK = Password Analysis and Cracking Kit
91
Credential Stuffing
Credential Stuffing = using leaked passwords to attempt direct success or improved guessing
92
MSOLSPray & FireProx
MSOLSpray is a PowerShell module/command that uses AADSTS response codes (AAD Smart Lockout) for informed password spraying, using AWS API Gateway for distribution and anonymity. FireProx is a Python tool for creating AWS API Gateway instances and can be used to automate a platform for MSOLSpray.
93
MFASweep
Use a valid account to find MFA and Conditional Access (CA) gaps using MFASweep
94
Get-MsolUser
Get-MsolUser is PowerShell to inspect an individual M365 user's license settings for verification
95
Lanman & NT Hash
LANMAN = password uppercased and padded to 14 bytes, split into two halves no larger than 7 bytes, each hashed using DES.
NT hash keeps case and can use long passwords but has no salt; based on MD4, meaning the same password = the same hash.
96
NTDSUTIL
NTDSUTIL can be used to get NTDS.dit and the SYSTEM registry hive (used for encryption of the file). To gather both, use the ntdsutil command activate instance ntds followed by ifm to create a backup that can be exfiltrated. Then a script like secretsdump.py can be used to decrypt and extract the hashes.
97
Obtain hashes from Windows client
To obtain hashes from a Windows client OS:
1. Use the Meterpreter hashdump command against lsass.exe (from memory); run as lsass by using ps -S lsass.exe to get the PID and then migrate into that PID (impersonate)
2. Use Mimikatz
98
Break down Windows hash
Windows hashes show as username:userid:LANMAN:NTHASH. Empty hashes are useless and identifiable, possibly a collection issue or a disabled account. Example: tom:1002:aad3b435b.....:31d6cfe0d...... Keys being aad_b___b and d_cfe_d
99
Identify Linux hash type
Early Linux used DES with no salt (/etc/passwd); now stronger hashes like MD5 are used (/etc/shadow).
Look at the 2nd colon-delimited field in shadow: no $ is DES, $1 is MD5, $2 Blowfish, $5 SHA-256, and $6 SHA-512.
100
Hash Rounding
Hash rounding = increased complexity. MD5 uses 1000 rounds, SHA uses 5000
101
Avoid GPU cracking
Password-Based Key Derivation Function 2 (PBKDF2) to avoid GPU-based password cracking; also scrypt, Argon2, yescrypt
102
Password Cracking
Password cracking = offline brute-force guessing of hashes. Hashcat is the main cracking tool
103
Hashcat
Hashcat is the main cracking tool.
-a 0 = wordlist (default), -a 1 = wordlist with append (combinator), -a 3 = pattern (mask), -a 6 = wordlist with mask appended, -a 7 = mask prepended
Specify -m to define the hash type, or it will try to auto-detect.
Test the hash type without cracking using --identify.
hashcat -m 1000 -a 0 hashes.txt words.txt
Masks use ? like ?l for lower case, ?u for upper, ?d for digit, and ?s for special.
Cracked passwords are sent to the potfile hashcat.potfile.
You can display cracked hashes with --show, uncracked with --left, and user info with --user.
Hashcat can also use word permutation rules (-r best64.rule).
104
PAM
UNIX has Pluggable Authentication Modules (PAM) for password complexity
105
Cloud storage URLs
Insecure cloud storage URL formats:
https://s3.amazonaws.com/bucketname
https://www.googleapis.com/storage/v1/b/bucketname
https://accountname.blob.core.windows.net/containername
106
Bucket Finder
Bucket Finder looks for open AWS buckets
107
GCPBucketBrute
GCPBucketBrute for Google is Python; to download from a Google bucket use gsutil from Google
108
Basic Blob Finder
Basic Blob Finder is also Python, for Azure blobs
109
Netcat
Netcat reads and writes data across networks (has variants).
Client mode starts a connection to a specific port, sends input to the network and the response to output. Messages are sent to standard error (stderr).
Listen mode waits for a connection on a specific port (option -l).
Listener to client; listener: nc -l -p port < filename   client: nc listenerIP port > filename
Push file from client to listener; listener: nc -l -p port > filename   client: nc listenerIP port < filename
WATCH the < and > closely.
110
Netcat port scanning:
nc -v -w3 -z targetIP startPort-endPort
Netcat backdoor shell examples (-e is execute):
nc -l -p port -e cmd.exe
nc -l -p port -e /bin/sh
For listening, -l listens once and -L on Windows will restart the listener.
111
Netcat relay
Netcat relay is used to hop between systems; it requires a named pipe on the pivot system (mkfifo pipename on Linux)
112
Metasploit Framework, modules, and interfaces
Metasploit Framework - collection of tools, runs on Linux; select an exploit and a payload to run on the target.
Four module types: exploits, payloads, auxiliary modules, and post-exploitation modules.
Interfaces are console, command line, web, and GUI (Armitage).
Search is an important command.
113
Meterpreter
Meterpreter is a general-purpose Metasploit payload for gaining access
114
Protect Linux
Use SELinux or AppArmor to protect Linux; patch, use EDR, filter outbound traffic, hunt for long URLs
115
Drive-by vs. Watering Hole
Drive-by or client-side attacks target normal web browsing; called a watering hole if targeted. A watering hole may involve Windows files with macros or fake installers.
116
MsfVenom
Metasploit also has msfvenom, which converts any payload into a standalone file (related to templating). msfvenom -x can embed a payload into a legitimate executable.
117
Msfconsole
Msfconsole is used to prepare a reverse TCP connection (listener)
118
Browser Exploitation Framework (BeEF)
Browser Exploitation Framework (BeEF) is used for browser exploits, XSS attacks, and social engineering like a fake Flash update. BeEF runs as sudo on Linux; a collection of browser attack tools.
119
Command Injection
Command injection = a web app sends user input to a command shell and an attacker can try to append a second command using ; on Linux or & on Windows. Can arrive as an HTTP GET or POST, in any system that accepts user input. An attack against the server. Might involve -h, ;, &, echo, or 'injected', manipulating the value following id= for example, or a command like ping.
120
Cross-Site Scripting XSS
Cross-Site Scripting (XSS) is an attack against users; it exploits a vulnerability in how the server handles input or output, changing what is displayed to the user. It can tell the client browser to run code or redirect the cookie elsewhere, often via JavaScript or HTML.
121
Stored vs. Reflected XSS
Stored XSS attack = uploads or stores malicious code on the server; drive-by (opportunistic)
Reflected XSS attack = uses a vulnerability in the URL of a page (GET-based); sends the URL to the victim
122
Identify XSS vulnerability
XSS is demonstrated as the page running the injected input. Test for XSS vulnerability by fuzzing input like a script tag or '';!--"=&{()}; the page will return alert('XSS') if vulnerable, or something close to the input text if safe.
123
Prevent XSS
Encode meta-character output as HTML entities (e.g. &lt; and &amp;) and limit cookie exposure with the HttpOnly flag. Servers set a Content Security Policy (CSP) header.
124
SQL Injection
SQL injection exploits weak input validation to set or retrieve unintended info from the DB.
Test using ' " ` % %% -- /* //) ; for example blake' OR 'a'='a
A tautology is an always-true condition like a=a that returns all records.
Tripping an error can also reveal info about the server or files.
UNION followed by a new SELECT is commonly used once the vulnerability is verified.
125
SQL Injection tools
Automated options include a Python script called sqlmap, Burp Suite Pro, and Acunetix Web Vulnerability Scanner. Testing can be risky and could delete data; back up before testing.
126
sqlmap
1. Always use a valid, non-error-generating URL
2. Always put the URL in quotes
Possible exam question: sqlmap -u https://msn.com   // invalid without quotes
Also followed by --dbs to enumerate databases, -D dbName --tables to list tables, then --columns or --dump (display)
127
Cloud DB vulnerable to SQL attack
Cloud databases remain vulnerable to SQL injection attacks when input is not escaped and no Object Relational Mapping (ORM) system is used
128
SSRF
Server-Side Request Forgery (SSRF) allows an attacker to change what is requested from a server, disclosing Instance Metadata (IMDS) or protected files on the host: where a URL calls a file location, change it to a local path like file:////etc/shadow.
Can be evaluated using curl.
Access IMDS using the virtual server address: curl http://169.254.169.254/latest/user-data
AWS IMDSv1 has a known SSRF weakness used for credential extraction; some providers like Azure mitigate it by requiring a special header.
129
Endpoint Security Bypass
Endpoint Security Bypass = evading signature detection, encoding, using permitted tools
130
DefenderCheck
DefenderCheck splits the file into pieces until it cannot be detected (high/low strategy)
131
Code wrapping
Code wrapping builds legitimate code around malware, possibly using IronPython, often layering multiple languages
132
LOTL Example using sysinternals
Example provided was using Sysinternals ProcDump to get an LSASS dump to use with Mimikatz on another system:
.\procdump.exe -accepteula -ma lsass.exe lsass.dmp
133
Bypass AppLocker
AppLocker can be bypassed by an unusual execution method like InstallUtil /U shellcode.exe (.NET Install Utility)
134
On Linux search for SETUID files
On Linux search for SETUID files = find / -perm -4000 -uid 0
135
Pivoting
Pivoting often means setting up a proxy on one system to reach another.
Meterpreter has portfwd and route, which can establish a proxy.
Meterpreter doesn't have a port scanner but can use arp_scanner; Metasploit has nmap, db_nmap, and auxiliary scanner modules.
Identify the next-hop systems and port scan them. Lateral movement is exploiting targets through pivots.
136
Linux port forwarding
On Linux this could be SSH port forwarding using ssh -L port1:IP:port2. Linux can also use netcat named pipes, discussed earlier.
137
Windows pivoting
Windows can use netsh interface portproxy, but it requires admin
138
Hijacking
Hijacking attacks (impersonation) exploit weak protocols, like a local MITM: broadcast service requests are answered with injected responses
139
Responder
Responder is a Python script to exploit (hijack) LLMNR; can be used to get an NTLMv2 authentication hash from the network response
140
After pivoting comes...
Next is persistence: to regain access, avoid detection, preserve privileges, and re-establish access at will
141
Prevent Hijacking
Disable LLMNR and NBT-NS, disable mDNS, and disable SMB lower than 3.1.1
142
Persistence method
One option is to create a new user account:
meterpreter> execute -f "net user /add accessmgmt password123"
meterpreter> execute -f "net localgroup administrators /add accessmgmt"
Metasploit and others offer various persistence options like a persistent service.
WMI can subscribe to events.
Also discusses the golden ticket attack.
Web shells could provide persistence, via a modification to a web page or file.
143
Persist with event subscriptions
WMI can subscribe to events and execute code like scheduled tasks using mofcomp.exe, and can listen on a port for a specific IP as an event trigger. Meterpreter watches for the security log "logon failed" event 4625 by default.
144
Cloud persistence
Cloud persistence could be new resources like a VM, function, or container, new access keys, or new cloud accounts
145
Identify autoruns
Look for autoruns; events 4624, 4634, 4672, 4732, 4648, 4688, 4697; registry startup keys; use Get-CimInstance to detect event subscribers
146
RITA
Real Intelligence Threat Analytics (RITA) uses statistical data over time for hunting; used for offline assessment; ingests Zeek logs. Look for long connection durations, consistent packet size, interval, jitter, etc.