CEH ch4&5
Certified Ethical Hacker ch 4&5
Term | Definition |
---|---|
syslog port | UDP 514 |
fe80::/10 | IPv6 link-local addressing. |
fc00::/7 | IPv6 unique local. |
FEC0::/10 | IPv6 prefix for site-local addresses. |
Unicast | IPv6 packet addressed for, and intended to be received by, only one host interface |
Multicast | IPv6 packet that is addressed in such a way that multiple host interfaces can receive it |
Anycast | IPv6 packet addressed in such a way that any of a large group of hosts can receive it, with the nearest host (in terms of routing distance) opening it |
Link local | IPv6 scope - Applies only to hosts on the same subnet |
Site local | IPv6 scope - Applies only to hosts within the same organization (that is, private site addressing) |
Global | IPv6 scope - Includes everything |
PRISM (Planning Tool for Resource Integration, Synchronization, and Management) | data tool used to collect foreign intelligence passing through US resources. |
span port (port mirroring) | a switch configuration that copies traffic destined for one port to a second (monitor) port, so that the port you’re connected to also receives it for sniffing. |
Sniffing Tools and Techniques | WIRESHARK, Ettercap, EtherPeek, Snort |
content addressable memory (CAM) table | The switch’s port address book (MAC-to-port mapping). If it’s empty or full, frames are sent out all ports. |
switch port stealing | flood the CAM with unsolicited ARPs to cause a race condition |
race condition | a flood attack that causes the CAM entry to flip between the bad MAC and the correct one |
ARP flooding attack tools: | Cain and Abel (www.oxid.it), WinArpAttacker, Ufasoft (ufasoft.com), and dsniff (a collection of Linux tools that includes a tool called ARPspoof) |
arp -s | command to manually add the default gateway MAC permanently into the ARP cache on each device. |
DHCP starvation | a “sniffing” attack that attempts to exhaust all available addresses in the DHCP server’s pool |
Packet names for IPv4: | DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, and DHCPACK |
Packet names for IPv6: | Solicit, Advertise, Request (or Confirm/Renew), and Reply. |
Wireshark | tool can capture packets from wired or wireless networks with easy-to-use interface. Packet List (top); Packet Detail (middle); hex entries (bottom). Has filters to fine-tune results. Follow a TCP stream to discover passwords in the clear. |
Tcpdump (WinDump) | a command-line tool that simply prints out a description of the contents of packets on a network interface that match a given filter (Boolean expression). Built-in utility for all Unix systems. |
(-i) | tcpdump switch for listening mode (selects the interface), example: tcpdump -i eth1. |
(-w) | tcpdump switch to write raw packets to a file (takes a file name, not an interface), example: tcpdump -i eth1 -w capture.pcap. |
tcptrace | used to analyze files produced by several packet-capture programs and can easily read from tcpdump, WinDump, Wireshark, and EtherPeek. |
Ettercap | a powerful sniffer and MITM suite of programs. Available for Windows but works better on its native Unix platform. Can be used as a passive or active sniffer, and as an ARP poisoning tool. Considered a serious hacking tool! |
libwhisker | full-featured Perl library used for HTTP-related functions, including vulnerability scanning, exploitation, and IDS evasion. |
Snort | most widely deployed IDS, open source IDS combines the benefits of signature, protocol, and anomaly-based inspection. The standard for IDS: detects almost every conceivable external attack or probe. Its rule sets are updated constantly. |
Snort Modes: | Sniffer; Packet Logger (saves packets to disk for review); NIDS |
Basic NAT | a one-to-one mapping, where each internal private IP address is mapped to a unique public address. The packet is changed to use the public IP outbound, and upon return NAT matches it back to the single corresponding internal address. |
PAT | aka “NAT overload,” when NAT takes advantage of the port numbers unique to each web conversation to allow many internal addresses to use one external address. |
HTTP tunneling | a firewall evasion technique: wrapping items within an HTTP shell, as port 80 is rarely filtered by firewalls. Port 80 segments can carry payload for protocols blocked by the firewall. HTTP beacons and HTTP tunnels are standard implants for hackers. |
IDS Evasion Techniques - | • Slow down the attack. • Flood the network to hide the attack in traffic. • Session splicing (put payload into packets the IDS usually ignores). • Use of Unicode characters (confuses signature-based IDS). |
IDS Evasion tools: | Nessus, ADMmutate, NIDSbench, Inundator, IDS Informer. |
ADMmutate | IDS evasion tool - able to create multiple scripts that won’t be easily recognizable by signature files |
NIDSbench | IDS evasion tool - an older tool used for playing with fragment bits |
Inundator | IDS evasion flooding tool |
IDS Informer | IDS evasion tool - can use captured network traffic to craft, from start to finish, a test file to see what can make it through undetected |
Firewall Evasion | 1. firewalking; 2. use a compromised internal computer (best); 3. firewall-hacking tools: • CovertTCP, • ICMP Shell, and • 007 Shell. |
Packet-crafting and packet-generating tools for evading firewalls and IDSs: | PackETH; Packet Generator; Netscan. All of these allow you to control the fields in frame and packet headers and, in some cases, interject payload information to test the entirety of the security platform. |
PackETH | a Linux tool from SourceForge that’s designed to create Ethernet packets for "security testing." |
Packet Generator | A Linux tool from SourceForge which allows you to create test runs of various packet streams to demonstrate a particular sequence of packets. |
Netscan | Provides a packet generator in its tool conglomeration. |
high-interaction honeypot | simulates all services and applications and is designed to be completely compromised. E.g., Symantec Decoy Server and Honeynets. |
low-interaction honeypot | simulates a limited number of services and cannot be compromised completely (by design). E.g., Specter, Honeyd, and KFSensor. |
Firewalls that work at Layer 5. | Circuit-level firewalls |
Firewall that works at Layers 3 and 4 but can be said to work at Layer 5. | Stateful firewalls |
Firewall that works at Layer 7. | Application level firewalls. |
Ntds.dit | effectively the entire Active Directory in a file. tools can extract all the hashes from that file, and if you get it, you own everything. located in %SystemRoot%\NTDS\Ntds.dit or %SystemRoot%\System32\Ntds.dit |
Extensible Storage Engine (ESE) | the Active Directory's database engine which is based on the Jet database used by Exchange 5.5 and WINS. The database can manipulate information within the AD data store. |
Mimikatz | allows you to extract passwords in plain text, "steal hashes, PIN code and Kerberos tickets from memory [and] can also perform pass-the-hash, pass-the-ticket or build Golden tickets." Also a meterpreter script |
meterpreter script | script that allows easy access to all features without uploading any additional files to the target host. |
Golden ticket – how to create: | 1. From the domain controller obtain the domain name, a domain admin name, the domain SID, and the Kerberos TGT hash. 2. Use the “golden_ticket_create” cmd for access. 3. If security changes passwords and reboots, use the “kerberos_ticket_use” cmd to regain domain admin. |
Registry - | a collection of all the settings and configurations that make the system run. Hierarchical in nature, this "database of configuration databases" has 2 parts: the KEY is a location pointer and the VALUE of the key defines the setting. |
HKEY_LOCAL_MACHINE (HKLM) | Contains information on hardware (processor type, bus architecture, video, disk I/O, and so on) and software (operating system, drivers, services, security, and installed applications). |
HKEY_CLASSES_ROOT (HKCR) | Contains information on file associations and Object Linking and Embedding (OLE) classes. |
HKEY_CURRENT_USER (HKCU) | Contains profile information for the user currently logged on. Information includes user-level preferences for the OS and applications. |
HKEY_USERS (HKU) | Contains specific user configuration information for all currently active users on the computer. |
HKEY_CURRENT_CONFIG (HKCC) | Contains a pointer to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current, designed to make accessing and editing this profile information easier. |
regedit.exe or regedt32.exe | application to view and edit the registry built into every Windows system. |
route print cmd | a Windows cmd that will show your local route table |
Linux / | root directory. |
Linux /bin | holds numerous basic Linux commands (a lot like the C:\Windows\System32 folder in Windows). |
Linux /dev | contains the pointer locations to the various storage and input/output systems you will need to mount if you want to use them, such as optical drives and additional hard drives or partitions. |
Linux /etc | contains all the administration files and passwords. Both the password and shadow files are found here. |
Linux /home | This folder holds the user home directories. |
Linux /mnt | This folder holds the access locations you’ve actually mounted. |
Linux /sbin | This folder holds administrative commands and is the repository for most of the routines Linux runs (known as daemons). |
Linux /usr | This folder holds almost all of the information, commands, and files unique to the users. |
Adding an ampersand (&) after a Linux process name | indicates that the Linux process should run in the background. |
use the Linux nohup command | If you wish for the Linux process to remain after user logout (that is, stay persistent) |
adduser | Linux cmd - Adds a user to the system. |
cat | Linux cmd - Displays the contents of a file. |
su | Linux cmd - Allows you to perform functions as another user. The sudo command version allows you to run programs with "super user" (root) privileges. |
cp | Linux cmd - Copies. |
ifconfig | Linux cmd - Much like ipconfig in Windows, this command displays network configuration information about your NIC. |
kill | Linux cmd - Kills a running process. (You must specify the process ID number.) |
ls | Linux cmd - Displays the contents of a folder. The -l option provides the most information about the folder contents. |
man | Linux cmd - Displays the "manual" page for a command (much like a help file). |
passwd | Linux cmd - Used to change your password. |
ps | Linux cmd - Process status command. Using the -ef option will show all processes running on the system. |
rm | Linux cmd - Removes files. Using the -r option also recursively removes all directories and subdirectories on the path and provides no warning when deleting a write-protected file. |
ls -l | Linux cmd - will display the current security settings for the contents of the directory you’re in |
"System Hacking Goals" | Gaining Access, Escalating Privileges, Executing Applications, Hiding Files, and Covering Tracks. |
gaining access phase activities | cracking passwords and escalating privileges. |
maintaining access phase activities | executing applications and HIDING files. |
covering tracks | • CLEARING logs from the meterpreter using Metasploit to wipe them, • CLEARING the Most Recently Used (MRU) list in the Windows registry, • and prepending a dot (.) to file names in Unix to hide them. |
LLMNR/NBT-NS (Link-Local Multicast Name Resolution and NetBIOS Name Service) attack | LLMNR is based on DNS and allows hosts on the same subnet/local link to perform name resolution for other hosts, while NBT-NS identifies systems on the local network by their NetBIOS name. The attacker answers as the authoritative name source and then sniffs. LLMNR uses UDP 5355; NBT-NS uses UDP 137. |
"net" commands for enumeration step: | net view /domain:domainname (shows all systems in the domain name provided); net view \\systemname (provides a list of open shares on the system named); net use \\target\ipc$ "" /u:"" (sets up a null session). Can be automated. |
Password cracking attack types | non-electronic, active online, passive online, offline. |
THC Hydra. | It’s capable of cracking passwords from a variety of protocols using a dictionary attack. |
DLL (or DYLIB for Mac) hijacking | method of privilege escalation. Replace DLLs in the same application directory with your own malicious versions. |
Vertical privilege escalation | occurs when a lower-level user executes code at a higher privilege level than they should have access to. |
Horizontal privilege escalation | executing code at the same user level but from a location that should be protected from access. |
Ways of obtaining administrator (root) privileges – | 1. Crack the password of an administrator or root account (your primary aim); 2. Exploit a vulnerability found in the OS or in an app; 3. Use a tool like Metasploit; 4. Social engineering: ask a user to run the exploit for you. |
three main logs where you need to cover your tracks: | • application log, • system log, • security log. |
visual semagram | uses an everyday object to convey a message. Examples can include doodling as well as the way items are laid out on a desk. |
text semagram | obscures a message in text by using things such as font, size, type, or spacing. |
six types of rootkits: | Hypervisor level; Hardware (firmware); Boot loader level; Application level; Kernel level; Library level |
Hypervisor level rootkit | These rootkits modify the boot sequence of a host system to load a virtual machine as the host OS. |
Hardware (firmware) rootkit | These rootkits hide in hardware devices or firmware. |
Boot loader level rootkit | These rootkits replace the boot loader with one controlled by the hacker. |
Application level rootkit | These rootkits are directed to replace valid application files with Trojan binaries. These kits work inside an application and can use an assortment of means to change the application’s behavior, user rights level, and actions. |
Kernel level rootkit | These rootkits attack the boot sectors and kernel level of the operating systems themselves, replacing kernel code with back-door code. These rootkits are by far the most dangerous and are difficult to detect and remove. |
Library level rootkit | These rootkits basically use system-level calls to hide their existence. |
Steps for Detecting Rootkits: | 1. Run the dir /s /b /ah cmd and the dir /s /b /a-h cmd in the infected OS and SAVE the output. 2. Boot a clean CD version and run the same commands for the same drive. 3. Use WinDiff on both outputs to see hidden malware. |
LAN Manager (LM) authentication | an old authentication system that uses DES to hash passwords. It pads a password with blanks to reach 14 characters, splits it into two 7-character parts, and hashes each part. The hash of 7 blank characters is always AAD3B435B51404EE, which exposes passwords of 7 or fewer characters. |
command syntax to execute a hidden .exe file | start readme.txt:badfile.exe |