This document provides an overview of soft skills and technical skills relevant to penetration testing. It covers topics such as engagement lifecycles, relevant UK legal issues like the Computer Misuse Act 1990, and technical protocols including IP, TCP, UDP, ICMP, network architectures, routing protocols like RIP and OSPF, and wireless networking standards. It also discusses concepts like collision and broadcast domains as they relate to different networking devices. The document is intended to outline key knowledge for penetration testers regarding both soft skills around compliance and engagement processes, as well as core technical networking and protocol knowledge.

1. Appendix A: Soft Skills and Assessment Management
A1 - Engagement Lifecycle
 Benefits and utility of penetration testing to the client.
 Structure of penetration testing, including the relevant processes and procedures.
 Concepts of infrastructure testing and application testing, including black box and white box formats.
 Project closure and debrief
A2 - Law & Compliance
Knowledge of pertinent UK legal issues:
 Computer Misuse Act 1990
Unauthorised access is key term. It means you need permission.
Under the Computer Misuse Act 1990, the following are offences:
 Unauthorised access to computer material (section 1);
 Unauthorised access with intent to commit or facilitate commission of further offences
(section 2); and
 Unauthorised modification of computer material (section 3).
These offences are potentially wide in scope: even guessing the password to access someone else's webmail
account could be prosecuted as an offence of unauthorised access to computer material.
When companies commission penetration testing, a contract should be signed before testing begins, to
ensure that the testing company's actions are authorised. It should also deal with liability issues: what
happens if the tester takes down a critical part of the organisation's website and the organisation suffers
loss? Ensure you do not go out of scope (follow redirects?).
The Act was amended by The Police and Justice Act 2006, which increased the penalties.
 Human Rights Act 1998
Everyone has the right to respect for his private and family life, his home and his correspondence.
There shall be no interference by a public authority with the exercise of this right except such as is in
accordance with the law and is necessary in a democratic society in the interests of national security, public
safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection
of health or morals, or for the protection of the rights and freedoms of others.
 Data Protection Act 1998
Section 55 – Unlawful obtaining of personal data. This section makes it an offence for people (Other Parties),
such as hackers and impersonators, outside the organisation to obtain unauthorised access to the personal
data.
Ensure you do not keep any records that would fall under the act for longer than is necessary - i.e. prove it is
accessible and do not back up those records. Data controllers may want to employ you to test they have
appropriate measures in place to secure the data.

2.  Police and Justice Act 2006
 Makes amendments to the Computer Misuse Act 1990
 Increased penalties of Computer Misuse Act. (Makes unauthorized computer access serious enough to fall
under extradition)
 Made it illegal to perform DOS attacks. Denial of Service attacks - Such attacks are illegal. They were banned
in Scotland in 2007 and in England and Wales in 2008 when section 3 of the Computer Misuse Act was
amended (by the Police and Justice Act 2006).
 Made it illegal to supply and own hacking tools.
Impact of this legislation on penetration testing activities. Awareness of sector-specific regulatory issues.

3. Appendix B: Core Technical Skills
B1 - IP Protocols
LITA – Link Layer, Internet Layer, Transport Layer, Application Layer
Traceroute
 Traceroute tracks the route packets have taken from an IP network on their way to a given host. It utilizes
the IP protocol's time to live (TTL) field and attempts to elicit an ICMP TIME_EXCEEDED response from each
gateway along the path to the host.
 We start our probes with a TTL of one and increase by one until we get an “ICMP port unreachable" (or TCP
reset), which means we got to the "host", or hit a max (which defaults to 30 hops)
 We don't want the destination host to process the UDP probe packets, so the destination port is set to an
unlikely value (you can change it with the -p flag). There is no such a problem for ICMP or TCP tracerouting
(for TCP we use half-open technique, which prevents our probes to be seen by applications on the
destination host).
 Probe packets are UDP datagrams with so-called "unlikely" destination ports. The "unlikely" port of the first
probe is 33434, then for each next probe it is incremented by one. Since the ports are expected to be
unused, the destination host normally returns "ICMP port unreachable " as a final response.
 Can also use -I ICMP which uses icmp echo packets for probes, or -T tcp (using half-open technique), uses the
constant destination port (default is 80, http)
TTL
 See OS Fingerprinting below. The time-to-live (TTL) is the number of hops that a packet is permitted to travel
before being discarded by a router.
 The TTL is set in an eight binary digit field in the packet header by the sending host and is used to prevent
packets from endlessly circulating on the Internet or other network.
 When forwarding an IP packet, routers are required to decrease the TTL by at least one (to prevent routing
loops). If a packet's TTL field reaches zero, the router detecting it discards the packet and sends an ICMP
message back to the originating host - TTL expired in transit.
 The ping and the traceroute utilities both make use of the TTL. The latter intentionally sends packets with
low TTL values so that they will be discarded by each successive router in the destination path. The time
between sending a packet and receiving the ICMP message that it was discarded is used to calculate the
travel time for each successive hop.
 A specific TTL number can indicate the maximum range for a packet. For example, zero restricts it to the
same host, one to the same subnet, 32 to the same site, 64 to the same region and 128 to the same
continent; 255 is unrestricted.
 Default TLL Values
Linux 64
FreeBSD 64
Windows 128
Cisco 255
IPv4
 IPv4 is a connectionless protocol for use on packet-switched networks. It operates on a best effort delivery
model, in that it does not guarantee delivery, nor does it assure proper sequencing or avoidance of duplicate
delivery.
 IPv4 uses 32-bit addresses which limits the address space to 4294967296 (232) addresses.
 IPv4 reserves special address blocks for private networks (~18 million addresses) and multicast addresses
(~270 million addresses).

4. IPv6
 IPv6 uses a 128-bit address, theoretically allowing 2128
, or approximately 3.4×1038
addresses. The actual
number is slightly smaller, as multiple ranges are reserved for special use or completely excluded from use.
The total number of possible IPv6 addresses is more than 7.9×1028
times as many as IPv4, which uses 32-bit
addresses and provides approximately 4.3 billion addresses. The two protocols are not designed to be
interoperable, complicating the transition to IPv6. However, several IPv6 transition mechanisms have been
devised to permit communication between IPv4 and IPv6 hosts.
 Research has shown that the use of fragmentation can be leveraged to evade network security controls. As a
result, RFC 7112 requires that the first fragment of an IPv6 packet contains the entire IPv6 header chain,
such that some very pathological fragmentation cases are forbidden.
TCP
 65535 TCP ports
 TCP provides reliable, ordered, and error-checked delivery of a stream of octets (bytes) between applications
running on hosts communicating by an IP network. Major Internet applications such as the World Wide Web,
email, remote administration, and file transfer rely on TCP.
 Scanning: Vanilla: SYN, SYN/ACK, ACK, Port Closed: SYN, RST/ACK, Half Open: SYN, SYN/ACK, RST
Inverse TCP Scanning
 Stealth Scanning – Use malformed TCP requests because responses are only sent back by closed ports.
 RFC 793 – If a port is closed, an RST/ACK packet should be sent to close the connection (an open port will not
respond (but it will with SYN ACK?), hence if no response then port is open or server is down). MS systems
disregard RFC 793, so it only works against *nix systems.
 Attacker can send:
 A FIN TCP packet
 An XMAS probe with the FIN, URG, and PUSH TCP flags sent
 A NULL probe with no TCP flags set
FTP Bounce Scanning – FTP Port
 Kind of like an old SSRF. There is a flaw in the way some FTP servers handle the PORT command. Once logged
into the server enter passive mode (QUOTE PASV), after which a PORT command is issued telling FTP service
to connect to a specific port on a target server (PORT 144,51,17,230,0,23 will attempt to connect to
144.51.17.230 port 23) followed by a LIST command.
 If a 226 response is received then target host is open, if 425 then the connection has been refused.
UDP
 Applications that do not require reliable data stream service may use the User Datagram Protocol (UDP),
which provides a connectionless datagram service that emphasizes reduced latency over reliability.
 With UDP, computer applications can send messages, in this case referred to as datagrams, to other hosts on
an Internet Protocol (IP) network. Prior communications are not required in order to set up communication
channels or data paths.
 UDP uses a simple connectionless communication model with a minimum of protocol mechanism. UDP
provides checksums for data integrity, and port numbers for addressing different functions at the source and
destination of the datagram. It has no handshaking dialogues, and thus exposes the user's program to any
unreliability of the underlying network; There is no guarantee of delivery, ordering, or duplicate protection.
 Scanning: Since connectionless, you only have two options. Send a probe to all 65535 ports and wait for
ICMP destination port unreachable to identify ports which are not accessible, or send specific application
requests (SNMP, Dig, TFTP) and await a response (as these responses are processed by the application and
not the TCPIP stack)

5.  Port Open: UDP Probe Packet – No Response. Port Closed: UDP Probe Packet – Host would send ICMP
Destination Port Unreachable – this negative scanning allows to interfere which ports are open (as they don’t
send messages) nmap -sU
ICMP
 The Internet Control Message Protocol (ICMP) is a supporting protocol in the Internet protocol suite.
 The ICMP header starts after the IPv4 header and is identified by IP protocol number '1’. All ICMP packets
have an 8-byte header and variable-sized data section. The first 4 bytes of the header have fixed format,
while the last 4 bytes depend on the type/code of that ICMP packet.
 Code 00 is ping reply, 51 is host redirect.
 Useful ICMP Messages:
o Echo Request – Ping packet (Type 7, Type 0 is reply)
o Timestamp Request – In decimal format representing time elapsed since mid-night GMT (Type 13, 14
is reply)
o Information Request (Type 15) – RARP, BOOP, DHCP
o Subnet Address Mask Request (Type 17, Type 18 is Reply)
o Parameter Problem (Type 12)
o Time Exceeded (Type 11)
o Redirect (Type 5)
o Source Quench (Type 4)
o Destination Unreachable (Type 3)
Awareness that other IP protocols exist.
B2 - Network Architectures
Varying networks types that could be encountered during a penetration test:
CAT 5 / Fibre
 Category 5 cable, commonly referred to as Cat 5, is a twisted pair cable for computer networks. The cable
standard provides performance of up to 100 MHz and is suitable for most varieties of Ethernet over twisted
pair. Cat 5 is also used to carry other signals such as telephony and video.
 Optical fiber works by drawing on light as opposed to electricity as a means of transmitting signals. As we all
know, light is the fastest mode of transmitting any information which is great for businesses with the need
for speed. And because fiber optic cabling has a much cleaner signal than conventional copper cabling, it is
able to transmit signals faster than ever before.
10/100/1000baseT
Definition of: 10/100 Ethernet - An Ethernet network transmitting at 10 and 100 Mbps. Very old computers are
limited to 10 Mbps, and most computers support 10/100 or 10/100/1000 (Gigabit Ethernet).
1000Base-T is a type of gigabit Ethernet networking technology that uses copper cables as a medium. 1000Base-T
uses four pairs of Category 5 unshielded twisted pair cables to achieve gigabit data rates. The standard is designated
as IEEE 802.3ab and allows 1 Gbps data transfers for distances of up to 330 feet.
Fast Ethernet is a collective term for a number of Ethernet standards that carry traffic at the nominal rate of
100 Mbit/s (the earlier Ethernet speed was 10 Mbit/s). Of the Fast Ethernet standards, 100BASE-TX is by far the most
common.
Token ring
Token Ring local area network (LAN) technology is a communications protocol for local area networks. It uses a
special three-byte frame called a "token" that travels around a logical "ring" of workstations or servers. This token
passing is a channel access method providing fair access for all stations and eliminating the collisions of contention-
based access methods.

6. Wireless (802.11)
IEEE 802.11 is a set of media access control (MAC) and physical layer (PHY) specifications for implementing wireless
local area network (WLAN) computer communication in the 900 MHz and 2.4, 3.6, 5, and 60 GHz frequency bands.
Security implications of shared media, switched media and VLANs.
Collision domain:
It can be defined as a set of LAN devices whose frames could collide with one another.
Broadcast Domain:
Broadcast domain can also be seen as a collision domain. It can be defined as a set of devices such that when one
device sends a broadcast frame all other devices will receive that frame in the same broadcast domain.
 HUB: HUB works on L1 of OSI. Only one data packet can pass through the hub at a time. A lot of collisions are
present, because of only 1 collision domain.
 Switch: It supports simultaneous connections. It sends traffic to the destination port. This is done because of
a feature known as ARP (Address resolution protocol). The main job carried by this protocol is that it
converts IP to MAC address. Access switches or L2 switches operate at L2 (data link layer), source MAC and
destination MAC.
 Routers: Works on L3 of OSI Routers doesn’t propagate broadcast traffic, two different
subnets/LAN/Networks communicate through router via routing protocols. Routers can take and forward
"unicast" traffic. Each interface present on router gives rise to broadcast domain
Bridges and Hubs = 1 broadcast domain and 1 collision domain.
Switch = 1 BC domain per each VLAN and 1 collision domain / port.
Routers = 1 BC domain and 1 collision domain / port.
CAM Table Overflow
Ethernet switches use Content Addressable Memory (CAM) tables to map MAC addresses and VLAN assignments to
individual ports, so that network frames are delivered correctly. The macof utility can be used to flood a switch with
random Ethernet frames resulting in a CAM overflow. The switch will fail open and broadcast them to all ports
(becoming a hub)
B3 - Network Routing
RIP
The Routing Information Protocol (RIP) is one of the oldest distance-vector routing protocols which employ the hop
count as a routing metric. RIP prevents routing loops by implementing a limit on the number of hops allowed in a
path from source to destination. The largest number of hops allowed for RIP is 15, which limits the size of networks
that RIP can support.
In RIPv1 router broadcast updates with their routing table every 30 seconds. UDP 520
The hop count 1 denotes a network that is directly connected to the router. 16 hops denote a network that is
unreachable, according to the RIP hop limit.
Due to the deficiencies of the original RIP specification, RIP version 2 (RIPv2) was developed in 1993 and last
standardized in 1998 in RFC 2453. It included the ability to carry subnet information, thus supporting Classless Inter-
Domain Routing (CIDR). To maintain backward compatibility, the hop count limit of 15 remained.

7. OSPF
Open Shortest Path First (OSPF) uses a link state routing (LSR) algorithm and falls into the group of interior gateway
protocols (IGPs), operating within a single autonomous system (AS). OSPF supports the Classless Inter-Domain
Routing (CIDR) addressing model.
OSPF is a widely used IGP in large enterprise networks.
IGRP
Interior Gateway Routing Protocol (IGRP) is a distance vector interior gateway protocol (IGP) developed by Cisco. It is
used by routers to exchange routing data within an autonomous system.
IGRP is a proprietary protocol. IGRP was created in part to overcome the limitations of RIP (maximum hop count of
only 15, and a single routing metric) when used within large networks. IGRP supports multiple metrics for each
route, including bandwidth, delay, load, and reliability; to compare two routes these metrics are combined together
into a single metric, using a formula which can be adjusted through the use of pre-set constants. The maximum
configurable hop count of IGRP-routed packets is 255 (default 100), and routing updates are broadcast every 90
seconds (by default). IGRP uses protocol number 9 for communication.
IGRP is considered a classful routing protocol. Because the protocol has no field for a subnet mask, the router
assumes that all subnetwork addresses within the same Class A, Class B, or Class C network have the same subnet
mask as the subnet mask configured for the interfaces in question. This contrasts with classless routing protocols
that can use variable length subnet masks. Classful protocols have become less popular as they are wasteful of IP
address space.
EIGRP
Enhanced Interior Gateway Routing Protocol (EIGRP) is an advanced distance-vector routing protocol that is used on
a computer network for automating routing decisions and configuration. The protocol was designed by Cisco
Systems as a proprietary protocol, available only on Cisco routers. Partial functionality of EIGRP was converted to an
open standard in 2013[1] and was published with informational status as RFC 7868 in 2016.
EIGRP is used on a router to share routes with other routers within the same autonomous system. Unlike other well
known routing protocols, such as RIP, EIGRP only sends incremental updates, reducing the workload on the router
and the amount of data that needs to be transmitted.
EIGRP replaced the Interior Gateway Routing Protocol (IGRP) in 1993. One of the major reasons for this was the
change to classless IPv4 addresses in the Internet Protocol, which IGRP could not support.
B4 - Network Mapping & Target Identification
Analysis of output from tools used to map the route between the engagement point and a number of targets.
Traceroute to port
traceroute -T -p 80 x.x.x.x where -p 80 is port, sometimes get different route to 443.
nping --tr, --traceroute Traceroute mode (can only be used with TCP/UDP/ICMP modes).
Nmap -sn (-sP) – No port scans after host discovery; -Pn – No ping after host discovery
Windows tracert - The TRACERT diagnostic utility determines the route to a destination by sending Internet Control
Message Protocol (ICMP) echo packets to the destination.
In these packets, TRACERT uses varying IP Time-To-Live (TTL) values. Because each router along the path is required
to decrement the packet's TTL by at least 1 before forwarding the packet, the TTL is effectively a hop counter. When
the TTL on a packet reaches zero (0), the router sends an ICMP "Time Exceeded" message back to the source
computer. (contrast ICMP message with Traceroute – same?)
Linux traceroute – see above

8. Network sweeping techniques to prioritise a target list and the potential for false negatives.
Ping sweep?
As RPC uses high ephemeral ports some port scanners incorrectly identify the open port as a different service if they
are only doing identification via port number.
You can eliminate this via using nmaps -sR flag
B6 - Filtering Avoidance Techniques
The importance of egress and ingress filtering, including the risks associated with outbound connections.
Egress filtering is a basic principle that should be implemented at every organization to prevent hacking activity from
leaving your network.
We always do ingress filtering. That is, we only allow trusted and known traffic into the firewall from the
internet. This traffic is typically allowed into a DMZ and then traffic from the DMZ is allowed through to the internal
network. This traffic is allowed only from selected IP addresses and specific ports. Everything else is blocked.
B7 - Packet Crafting
Packet crafting to meet a particular requirement:
Modifying source ports, Spoofing Source (S) IP addresses, Manipulating TTL’s, Fragmentation
Nmap 1
FIREWALL/IDS EVASION AND SPOOFING:
-f --mtu <val>: fragment packets (optionally w/given MTU)
-S <IP_Address>: Spoof source address
-g/--source-port <portnum>: Use given port number
--ttl <val>: Set IP time-to-live field
- D decoy
-sS TCP SYN scan
-sT TCP Connect scan
-sU UDP Scan
-sV Version Detection
-sA TCP ACK Port Scan
-sP: No port scan
-p Port Ranges -p U:53,111,137,T:21-25,80,139,8080 (Exam tried to confuse with -p0)
-Pn No Ping (Exam tried to confuse with -p0, lower vs upper case P)
-sn Host Discovery Only – No Port Scanning
Nmap Proxy Chaining
Create a proxy via SSH to scan from your client to a target located on network which the SSH server can access.
Below command will create a tunnel starting at port 9050 on my local host to the target machine, 192.168.217.144.
The -N and -f indicate that I do not want to run a command and want to fork into the background. I chose port 9050
because it is the default port for the proxychains tool
ssh username@192.168.217.144 -D 9050 -N -f
Now that the tunnel is set up I can scan the internal network looking for webservers:
proxychains nmap -n -sT -p 80 192.168.217.0/24
1
https://nmap.org/book/man-briefoptions.html

9. Generating ICMP packets
Ping generates ICMP. Nmap does is it with more options:
nmap -sP -PE scanme.nmap.org
PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
Ping Broadcast
The last octet is reserved as broadcast address which is used to send traffic to all hosts within a subnet.
ping -b 10.10.5.255
You can also send a broadcast to other subnets:
ping -b 255.255.255.255
B8 - OS Fingerprinting
Remote operating system fingerprinting; active and passive techniques.
OS DETECTION:
-O: Enable OS detection
--osscan-limit: Limit OS detection to promising targets
--osscan-guess: Guess OS more aggressively
 Active fingerprinting works by sending packets to a target and analysing the packets that are sent back.
 Passive fingerprinting sniffs TCP/IP ports, rather than generating network traffic by sending packets to them.
Hence, it’s a more effective way of avoiding detection or being stopped by a firewall. While sniffing traffic,
passive fingerprinting does its best to determine a target machine’s OS by analysing the initial Time to Live
(TTL) in packet IP headers, and the TCP window size in the first packet of a TCP session, which is usually
either a SYN (synchronize) or SYN/ACK (synchronize and acknowledge) packet.
 Understanding TTL to map OS: 123 is near 128 which is default Windows, so likely a Windows host which is 5
hops away as each hop reduces the TTL (https://subinsb.com/default-device-ttl-values)
When used in Ping, the TTL of the remote host is returned. In below example for theguardian.co.uk ping
returns TTL of 60. (Linux default: 64/255)
Pinging theguardian.co.uk [151.101.0.233] with 32 bytes of data:
Reply from 151.101.0.233: bytes=32 time=15ms TTL=60
…when we trace to same host we see it is 5 hops, but first hop does not count as its from localhost to router
and TTL only decrements from router. Hence 4 hops are added to the 60 we have, hence TTL is 64 meaning a
Unix host.
ping -4 localhost # -4 forces IP4 usage
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
B9 - Application Fingerprinting and Evaluating Unknown Services
Determining server types and network application versions from application banners.
WTF…
Evaluation of responsive but unknown network applications.
More WTF…
B10 - Network Access Control Analysis
Reviewing firewall rule bases and network access control lists.
OK, whatever…final has to be drop all ANY ANY DENY/DROP

10. B11 - Cryptography
Differences between encryption and encoding.
Encoding transforms data into another format using a scheme that is publicly available so that it can easily be
reversed. Encoding is for maintaining data usability and uses schemes that are publicly available.
Encoding is the process of transforming data so that it may be transmitted without danger over a communication
channel or stored without danger on a storage medium. For instance, computer hardware does not manipulate text,
it merely manipulates bytes, so a text encoding is a description of how text should be transformed into bytes.
HTML Encoding
Base32/64 are examples are HTML encoding.
To display an HTML page correctly, a web browser must know which character set (character encoding) to use. ASCII
was the first character encoding standard (also called character set). ASCII defined 128 different alphanumeric
characters that could be used on the internet. ANSI (Windows-1252) was the original Windows character set, with
support for 256 different character codes. ISO-8859-1 was the default character set for HTML 4. This character set
also supported 256 different character codes. Because ANSI and ISO-8859-1 were so limited, HTML 4 also supported
UTF-8. UTF-8 (Unicode) covers almost all of the characters and symbols in the world.
The default character encoding for HTML5 is UTF-8.
<meta charset="UTF-8">
Similarly, HTTP does not allow all characters to be transmitted safely, so it may be necessary to encode data using
base64 (uses only letters, numbers and two safe characters) or other encoding schemes such as HTMLEncode.
When encoding or decoding, the emphasis is placed on everyone having the same algorithm, and that algorithm is
usually well-documented, widely distributed and fairly easily implemented. Anyone is eventually able to decode
encoded data.
Base64 is a form of HTML encoding.
Base32 is valid transfer encoder, but not useful due to limited character set. It uses a 32-character set comprising the
twenty-six upper-case letters A–Z, and the digits 2–7.
IIS HTMLEncode converts characters as follows:
 The less-than character (<) is converted to &lt;
 The ampersand character (&) is converted to &amp;
Symmetric / asymmetric encryption
Private(Secret) Key / Public Key
Symmetry – meaning two things are the same. In cryptography it refers to the key, which is used to encrypt and
decrypt the plain text.
Public key use different keys to encrypt and decrypt. It uses key pairs. Each user gets two keys, a public key for the
public and a private key which is kept secret. Anything which is encrypted with one key from that pair can be
decrypted with that pair. Keys must be from the same pair. It is slower but provides manageable key counts for large
organisations.
Block cipher and cipher block chaining (CBC)
A block cipher is a method of encrypting text (to produce ciphertext) in which a cryptographic key and algorithm are
applied to a block of data (for example, 64 contiguous bits) at once as a group rather than to one bit at a time. The
main alternative method, used much less frequently, is called the stream cipher.
Cipher block chaining (CBC) is a mode of operation for a block cipher where the cipher text of the previous block
impacts the next block. It uses a chaining mechanism that causes the decryption of a block of ciphertext to depend

11. on all the preceding ciphertext blocks. As a result, the entire validity of all preceding blocks is contained in the
immediately previous ciphertext block. A single bit error in a ciphertext block affects the decryption of all
subsequent blocks. Rearrangement of the order of the ciphertext blocks causes decryption to become corrupted.
Encryption algorithms: DES, 3DES, AES, RSA, RC4.
DES - The Data Encryption Standard (DES) is a symmetric-key algorithm for the encryption of electronic data. DES is
now considered to be insecure for many applications. This is mainly due to the 56-bit key size being too small.
3DES - Triple DES (3DES), officially the Triple Data Encryption Algorithm (TDEA or Triple DEA), is a symmetric-key
block cipher, which applies the DES cipher algorithm three times to each data block. Key sizes 168, 112 or 56 bits
(keying option 1, 2, 3 respectively) (multiples of 56)
AES - Advanced Encryption Standard (AES), also known by its original name Rijndael is a specification for the
encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) in 2001.
AES is a subset of the Rijndael cipher developed by two Belgian cryptographers. It supersedes the Data Encryption
Standard (DES) which was published in 1977. The algorithm described by AES is a symmetric-key algorithm. Keys:
128, 192 and 256 bits (multiples of 64)
RSA - An asymmetric cryptographic algorithm. It is based on the fact that finding the factors of an integer is hard (the
factoring problem). A user of RSA creates and then publishes the product of two large prime numbers, along with an
auxiliary value, as their public key. The prime factors must be kept secret. Anyone can use the public key to encrypt a
message, but with currently published methods, if the public key is large enough, only someone with knowledge of
the prime factors can feasibly decode the message.
RC4 – (Exam tried to confuse with RC5) In cryptography, RC4 (Rivest Cipher 4) is a stream cipher (as contrasted with
CBC). While remarkable for its simplicity and speed in software, multiple vulnerabilities have been discovered in RC4,
rendering it insecure. RC4 is a symmetric stream cipher that was used widely to encrypt network communications in
the 1980s and 1990s. It was originally not widely used because it was maintained as a proprietary trade secret but
the algorithm has since become public knowledge.
A stream cipher is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit
stream (keystream). In a stream cipher, each plaintext digit is encrypted one at a time with the corresponding digit
of the keystream, to give a digit of the ciphertext stream.
Hashes: SHA1 and MD5
SHA-1 (Secure Hash Algorithm 1) is a cryptographic hash function which takes an input and produces a 160-bit (20-
byte) hash value known as a message digest - typically rendered as a hexadecimal number, 40 digits long.
The MD5 algorithm is a widely used hash function producing a 128-bit hash value. Although MD5 was initially
designed to be used as a cryptographic hash function, it has been found to suffer from extensive vulnerabilities. It
can still be used as a checksum to verify data integrity, but only against unintentional corruption. 32 digits long
Like most hash functions, MD5 is neither encryption nor encoding. It can be cracked by brute-force attack and
suffers from extensive vulnerabilities.
Message Integrity codes: HMAC (Hashed Message Authentication Code)
In cryptography, an HMAC (sometimes dis-abbreviated as either keyed-hash message authentication code or hash-
based message authentication code) is a specific type of message authentication code (MAC) involving a
cryptographic hash function and a secret cryptographic key. It may be used to simultaneously verify both the data
integrity and the authentication of a message, as with any MAC. Any cryptographic hash function, such as MD5 or
SHA-1, may be used in the calculation of an HMAC; the resulting MAC algorithm is termed HMAC-X, where X is the
hash function used (e.g. HMAC-MD5 or HMAC-SHA1). The cryptographic strength of the HMAC depends upon the
cryptographic strength of the underlying hash function, the size of its hash output, and the size and quality of the
key.

12. Perfect forward secrecy (PFS)
In cryptography, forward secrecy (FS), also known as perfect forward secrecy (PFS), is a feature of specific key
agreement protocols that gives assurances your session keys will not be compromised even if the private key of the
server/host is compromised. Forward secrecy protects past sessions against future compromises of secret keys or
passwords.
Diffie-Hellman Key Exchange
Diffie-Hellman is a way of generating a shared secret between two people in such a way that the secret can't be
seen by observing the communication. That's an important distinction: You're not sharing information during the
key exchange, you're creating a key together.
This is particularly useful because you can use this technique to create an encryption key with someone, and then
start encrypting your traffic with that key. And even if the traffic is recorded and later analysed, there's absolutely no
way to figure out what the key was, even though the exchanges that created it may have been visible. This is where
perfect forward secrecy comes from. Nobody analysing the traffic at a later date can break in because the key was
never saved, never transmitted, and never made visible anywhere.
Even though it uses the same underlying principles as public key cryptography, this is not asymmetric cryptography
because nothing is ever encrypted or decrypted during the exchange. It is, however, an essential building-block, and
was in fact the base upon which asymmetric crypto was later built.
Diffie-Hellman is an algorithm used to establish a shared secret between two parties. It is primarily used as a method
of exchanging cryptography keys for use in symmetric encryption algorithms like AES.
Elliptic-curve cryptography (ECC)
A prime number can only be divided by 1 or itself. Prime numbers: 2, 3, 5, 7, 11, 13, and 17
Elliptic-curve cryptography (ECC) is an approach to public-key cryptography based on the algebraic structure of
elliptic curves over finite fields. ECC requires smaller keys compared to non-ECC cryptography (based on plain Galois
fields) to provide equivalent security.

13. Elliptic curves are applicable for key agreement, digital signatures, pseudo-random generators and other tasks.
Indirectly, they can be used for encryption by combining the key agreement with a symmetric encryption scheme.
The primary benefit promised by elliptic curve cryptography is a smaller key size, reducing storage and transmission
requirements, i.e. that an elliptic curve group could provide the same level of security afforded by an RSA-based
system with a large modulus and correspondingly larger key: for example, a 256-bit elliptic curve public key should
provide comparable security to a 3072-bit RSA public key.
B12 - Applications of Cryptography
SSL
SSL: Transport Layer Security (TLS) – and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that
provide communications security over a computer network. SSL runs on layer 4 (the transport layer) of the OSI
model, above TCP/IP and below HTTP.
The TLS protocol aims primarily to provide privacy and data integrity between two communicating computer
applications. A client server connection will have one or more of the following properties:
 The connection is private (or secure) because symmetric cryptography is used to encrypt the data
transmitted. The keys for this symmetric encryption are generated uniquely for each connection and are
based on a shared secret negotiated at the start of the session. The server and client negotiate the details of
which encryption algorithm and cryptographic keys to use before the first byte of data is transmitted.
 The identity of the communicating parties can be authenticated using public-key cryptography (typically the
server).
 The connection ensures integrity because each message transmitted includes a message integrity check
using a message authentication code to prevent undetected loss or alteration of the data during
transmission.
IPsec
IPSec: IPsec is typically used in conjunction with IKE (Internet Key Exchange) for key management. IPsec works at
layer 3 (the network layer) of the OSI network model to encapsulate normal IP packets. Once a VPN tunnel has been
established, any application (Web, e-mail, FTP, telnet, even VoIP) can use it without discrimination.
IPsec supports multiple encryption algorithms (AES, DES, 3DES, RC4) and multiple integrity mechanisms (MD5, SHA-
1), as well as authentication via X.509 certificates.
SSH
See SSH.
PGP
PGP: PGP uses symmetric and asymmetric keys to encrypt data being transferred across networks. It was developed
by the American computer scientist Phil Zimmerman, who made it available for non-commercial use for no charge in
1991. To encrypt data, PGP generates a symmetric key to encrypt data which is protected by the asymmetric key.
Common wireless (802.11) encryption protocols: WEP, WPA, TKIP (see below)
B13 - File System Permissions
File permission attributes within Unix and Windows file systems and their security implications.
UNIX: Owner, Group, Other (Everyone) have r(4) w(2) x(1)
 If the file is owned by the user, the user permissions determine the access.
 If the group of the file is the same as the user's group, the group permission determines the access
 If the user is not the file owner, and is not in the group, then the other permission is used.

14. chmod u+rwx test.
$ ls -l
drwxr--r-- 1 fred editors 4096 drafts
In this example, drafts is a directory (denoted by the file descriptor d), and the characters after this indicate the
permissions:
 rwx: the owner (fred) has the right to read (r), write (w) and execute (x)
 r--: group members (users part of the editors group) have read-only permissions; write and execute are
not permitted, as denoted by the hyphen characters (-)
 r--: others (users aside from the owner or members of editors) have read-only permissions; write and
execute are not permitted
Windows Permissions
The system account and the administrator account (Administrators group) have the same file privileges, but they
have different functions. The system account is used by the operating system and by services that run under
Windows.
 When an object is copied into another directory it inherits the access privileges in place at the destination
folder.
 When a file or directory object is moved from one directory to another directory, the NTFS permissions that
have been applied to the file move with it.
The way permissions work is cumulative to give the most restrictive of Share and NTFS the actual access.
If "Tom" who is in the "Sales", "Finance" and "Staff" group has:
Share Permissions: Sales – Read, Staff – Modify, Finance – Read
NTFS Permissions: Sales – Modify, Staff – Modify, Finance - Read
His effective NTFS permissions are "Modify" as it's the least restrictive when looking at NTFS only, and his cumulative
share permissions are "Read" as it's the most restrictive. If we tweak that a little and you have:
Share Permissions: Sales – Read, Staff – Read, Finance – Read
NTFS Permissions: Sales – Modify, Staff – Modify, Finance - Read
His cumulative NTFS permissions are Modify, but his cumulative share permissions are Read.
The exception to this is that the no-access permission overrides all other permissions (both for NTFS and Share). For
example,
 Read (NTFS) + no access (NTFS) = no access (NTFS)
 Read (shared folder) + no access (shared folder) = no access (shared folder)
TrustedInstaller
TrustedInstaller.exe is Windows Module Installer service which is part of Windows Resource Protection. Trusted
Installer SID is the ‘owner’ of most system files and registry entries.
If someone with administrative rights attempts to modify or replace a file that is protected by WRP, he will be
presented with the message "Access Denied".
Analysing registry ACLs.
B14 - Audit Techniques
Listing processes and their associated network sockets (if any).
Windows - netstat -nao (aon) -b will list the application

15. Linux - lsof -i or netstat -lptu List open ports and the processes that own them. To see which process is bound to
say port 22 use: lsof –i :22
Assessing patch levels.
 Linux – uname -a
 Windows Power Shell – Get-Hotfix - Gets the hotfixes that have been applied to the local and remote
computers.
 Systeminfo – will list patches as well as other system info
 wmic qfe – (QFE - Quick Fix Engineering) Can be run with a number of switches:
 wmic qfe list
 wmic qfe list full
systeminfo
Finding interesting files.
Linux: Find all the files whose name is tecmint.txt in a current working directory.
Find . -name -type
# find . -name tecmint.txt
./tecmint.txt
Find all the files under /home directory with name tecmint.txt. Use iname for case insensitivity.
# find /home -name tecmint.txt
/home/tecmint.txt
Find all php files in a directory.
# find . -type f -name "*.php"
./tecmint.php
./login.php
./index.php
Find err files in the /home/username/ directory and all sub-directories:
find /home/username/ -name "*.err"
Find all .jpg files in the /home and sub-directories:
find /home -name *.jpg
-type: Specifies file type: f=plain text, d=directory

16. Appendix C: Background Information Gathering & Open Source
C1 - Registration Records
Information contained within IP and domain registries (WHOIS).
Loads of info there…
WHOIS - A protocol for searching internet registration databases based on RFC 3912 for domain names, IPs,
autonomous systems, etc.
whois example.com
C2 - Domain Name Server (DNS)
DNS zone transfers
AXFR - Asynchronous Full Transfer Zone (DNS request)
dig +short example.com
dig @<name-server-of-target> <target-host-or-address> axfr
dig @ns2.iitk.ac.in iitk.ac.in axfr
The command to lookup a name server through dig goes like:
dig <target-host> ns
For finding the name servers of the target in the last example, we can use:
dig iitk.ac.in ns
nslookup
server <DNS Server Name OR ip address of DNS server>
set type=any
ls -d <DNS Zone Name> > dnstest.txt
exit
Host command can be used to get a list of authoritative name servers for a given domain
Host -l ucia.gov
DNS PTR Records
PTR records are written in reverse. A record for network 198.81.129.0 would be queried (with zone transfer) as:
dig @ns-server 129.81.198.in-addr.arpa axfr
Zone file extract
; forward zone file for example.com
mail IN A 192.168.0.7
www IN CNAME 192.168.0.7
...
# reverse map zone file for 0.168.192.IN-ADDR.ARPA # the IP zone is mapped first
...
7 IN PTR mail.example.com. # the 7 is the last IP, 192.168.0.7
7 IN PTR www.example.com.
You can also point a specific IP address:
1.0.168.192.in-addr.arpa. IN PTR dns1.example.org.
DNS Version Information
Dig @nameserver version.bind chaos txt
Can also be done using nslookup by setting class=chaos

17. DNS queries and responses
DNS zone transfers, Structure, interpretation and analysis of DNS records:
SOA, MX, TXT, A, NS, PTR, HINFO, CNAME
TXT: A TXT record (short for text record) is a type of resource record in the Domain Name System (DNS) used to
provide the ability to associate arbitrary text with a host or other name, such as human readable information about
a server, network, data centre, or other accounting information. The text record can hold arbitrary non-formatted
text string. Typically, the record is used by Sender Policy Framework (SPF) to prevent fake emails to appear to be
sent by you.
HINFO: Host Information - A HINFO-record specifies the host / server's type of CPU and operating system. This
information can be used by application protocols such as FTP, which use special procedures when communicating
with computers of a known CPU and operating system type.
AAAA: IPv6 record
C3 - Customer Web Site Analysis
Analysis of information from a target web site, both from displayed content and from within the HTML source.
Yes, easy one that…
C4 - Google Hacking and Web Enumeration
Google Dorks
 site:paypal.com -www.paypal.com : this removes known domains, keep doing until exhausted all sub
domains
 site.com –www –cdn
 site:pastebin.com intext:@gmail.com | @yahoo.com | @hotmail.com daterange:2457388-2457491
 inurl:slatergordon.com.au $keyword: password, username, sql, filetype:txt,
 inurl:/etc/passwd%00 intext:root
 Sometimes the tools will miss pages, try .php?= or inurl:"?id=“
 site:https://play.esea.net/ ext:php
 filetype:xlsx site:
 intitle:index of site:
 inurl:etc/passwd site:
 intext:
C5 - NNTP Newsgroups and Mailing Lists
C6 - Information Leakage from Mail & News Headers

18. Appendix D: Networking Equipment
D1 - Management Protocols
Weaknesses in the protocols commonly used for the remote management of devices:
Telnet
If you need root access via telnet:
Edit /etc/pam.d/login and /etc/pam.d/remote files to hash out line as below:
#auth required pam_securetty.so
Also mentioned is edit the file /etc/securetty and add the following to the end of the file:
pts/0
Web based protocols
SSH
See SSH
SNMP
UDP ports 161 and 162
SNMP depends on secure strings (or “community strings”) that grant access to portions of devices’ management
planes. Abuse of SNMP could allow an unauthorized third party to gain access to a network device.
SNMPv3 should be the only version of SNMP employed because SNMPv3 has the ability to authenticate and encrypt
payloads. When either SNMPv1 or SNMPv2 are employed, an adversary could sniff network traffic to determine the
community string. This compromise could enable a man-in-the-middle or replay attack.
Although SNMPv1 and SNMPv2 have similar characteristics, 64-bit counters were added to SNMPv2 so it could
support faster interfaces. SNMPv3 replaces the simple/clear text password sharing used in SNMPv2 with more
securely encoded parameters. SNMP version 3 adds both encryption and authentication, which can be used together
or separately.
Mistakes in the configuration of the read-write mode can make a network susceptible to attacks.
SNMP v1 sends passwords in clear-text over the network.
SNMP v2 allows password encryption (hashing?) with MD5, but this has to be configured.
SNMP v3 uses MD5, Secure Hash Algorithm (SHA) and keyed algorithms to offer protection against unauthorised
data modification and masquerade attacks.
The authentication mechanism in SNMPv3 assures that a received message was, in fact, transmitted by the principal
whose identifier appears as the source in the message header. In addition, this mechanism assures that the message
was not altered in transit and that it was not artificially delayed or replayed.

19. TFTP
TFTP is a minimal file transfer protocol that does not provide subcommands to list remote files, and does not require
authentication. Basic commands are [-i] host [GET | PUT] source [destination] where -i is for binary
transfer. UDP port 69.
It (server) is not installed by default on any Windows platform.
Cisco Reverse Telnet
Reverse telnet is used mostly for connecting to the console port of a router, a switch or other device.
NTP
Implementations send and receive timestamps using the UDP port 123. They can also use broadcasting or
multicasting, where clients passively listen to time updates after an initial round-trip calibrating exchange. NTP is
intended to synchronize all participating computers to within a few milliseconds of Coordinated Universal Time
(UTC).
NTP uses a hierarchical system of time sources. Each level of this hierarchy is termed a stratum and is assigned a
number starting with zero for the reference clock at the top. Stratum 0 are high-precision timekeeping devices and
are also known as reference clocks. Stratum 3 are computers that are synchronized to stratum 2 servers and can act
as servers for stratum 4 computers, and so on. The upper limit for stratum is 15; stratum 16 is used to indicate that a
device is unsynchronized.
The 64-bit timestamps consist of a 32-bit part for seconds and a 32-bit part for fractional second. NTP uses an epoch
of January 1, 1900. NTPv4 introduces a 128-bit date format: 64 bits for the second and 64 bits for the fractional-
second.
NTP is not human understandable time, as not one time is received.
Synchronizing a client to a network server consists of several packet exchanges where each exchange is a pair of
request and reply. When sending out a request, the client stores its own time (originate timestamp) into the packet
being sent. When a server receives such a packet, it will in turn store its own time (receive timestamp) into the
packet, and the packet will be returned after putting a transmit timestamp into the packet. When receiving the
reply, the receiver will once more log its own receipt time to estimate the travelling time of the packet. The
travelling time (delay) is estimated to be half of "the total delay minus remote processing time", assuming
symmetrical delays.
Only if the replies from a server satisfy the conditions defined in the protocol specification, the server is considered
valid.

20. Reference Timestamp The time the system clock was last set or corrected, in 64-bit time-stamp format.
Originate Timestamp The time at which the request departed the client for the server, in 64-bit time-stamp format.
Receive Timestamp The time at which the client request arrived at the server in 64-bit time-stamp format.
Transmit Timestamp The time at which the server reply departed the server, in 64-bit time-stamp format.
NTP servers can be susceptible to man-in-the-middle attacks unless packets are cryptographically signed for
authentication. NTP message spoofing can be used to move clocks on client computers and allow a number of
attacks based on bypassing of cryptographic key expiration.
 Replay-delay attacks, MITM
D2 - Network Traffic Analysis
Techniques for local network traffic analysis.
Analysis of network traffic stored in PCAP files.
D3 - Networking Protocols
Security issues relating to the networking protocols:
ARP - ARP spoofing, ARP cache poisoning, or ARP poison routing, is a technique by which an attacker sends (spoofed)
Address Resolution Protocol (ARP) messages onto a local area network.
DHCP - There are two different classes of potential security problems related to DHCP:
Unauthorized DHCP Servers, Unauthorized DHCP Clients.
CDP – The Cisco Discovery Protocol is a proprietary layer 2 protocol that all Cisco devices can use by default. CDP
discovers other Cisco devices that are directly connected.
10:41:55.398940 snap 0:0:c:20:0 CDP v2, ttl: 180s, checksum: 692 (unverified)
Device-ID (0x01), length: 25 bytes: 'MYSWITCH01.net.somecompany.com'
Cisco Discovery Protocol runs on all media that support Subnetwork Access Protocol (SNAP), LAN, Frame Relay, and
ATM media. Cisco Discovery Protocol runs over the data link layer only. Therefore, two systems that support different
network-layer protocols can learn about each other. The Subnetwork Access Protocol (SNAP) is a mechanism for
multiplexing, on networks using IEEE 802.2 LLC. The SNAP header consists of a 3-octet IEEE organizationally unique
identifier (OUI) followed by a 2-octet protocol ID.
CDP may be used between Cisco routers, switches and other network equipment to advertise their software version,
capabilities and IP address. CDP spoofing is the creation of forged CDP packets that impersonate other devices,
either real or arbitrary. CDP cache pollution – CDP table becomes unusable because it contains a lot of false
information

21. HSRP - HSRP provides redundancy for IP networks ensuring that traffic can transparently recover from first hop
failures. Devices which share a common layer 2 domain participate in a virtual router environment ensuring that a
single device assumes the egress routing role. By continually exchanging HSRP messages, eligible devices can
automatically takeover routing responsibilities if issues arise with the active device.
VRRP - The Virtual Router Redundancy Protocol (VRRP) is a computer networking protocol that provides for
automatic assignment of available Internet Protocol (IP) routers to participating hosts. This increases the availability
and reliability of routing paths via automatic default gateway selections on an IP subnetwork.
VTP - VLAN Hopping – Yersinia. The VLAN Trunking Protocol (VTP) is a proprietary Cisco protocol designed to make
life easy by automatically propagating VLAN information throughout network. Layer 2 attacks.
Attacks: Sending VTP Packet, deleting all VTP VLANs, deleting one VLAN, adding one VLAN
STP - STP Attack – involves an attacker spoofing the root bridge in the topology bridge in the topology. Spanning tree
functions must be disabled on all user interfaces but maintained for Network to Network Interfaces to avoid a
network loop. Use Ethercap to establish a bridge and Yersinia to send crafted BPDU (Bridge Protocol Data Unit).
TACACS+ - Security principle is known as Authentication, Authorization and Accounting (AAA). The two main AAA
protocols commonly used in enterprise networks today: TACACS+ and RADIUS. Terminal Access Controller Access-
Control System (TACACS) is a protocol set created and intended for controlling access to UNIX terminals. Cisco
created a new protocol called TACACS+
TACACS+ uses Transmission Control Protocol (TCP) port 49 to communicate between the TACACS+ client and the
TACACS+ server. An example is a Cisco switch authenticating and authorizing administrative access to the switch’s
IOS CLI. The switch is the TACACS+ client, and Cisco Secure ACS is the server.
Vulnerabilities of TACAS+
1. Lack of integrity checking - Almost no integrity checking exists in TACACS+.
2. Vulnerability to replay attacks - duplicate accounting records can be produced, possibly with forged task_id
fields to avoid detection.
3. Forced session-id collisions - The encryption of reply packets can be compromised.
4. The birthday paradox and session_id's - given enough sessions, encryption of many may be compromised.
Another problem with session_id's is that they're too small to be unique if randomly chosen.
5. Lack of padding -the lengths of user passwords can be determined.
6. MD5 context leak
D4 - IPSec
Enumeration and fingerprinting of devices running IPSec services.
Open UDP port 500 and permit IP protocol numbers 50 (ESP) and 51 (AH) on both inbound and outbound firewall
filters. ESP and AH are layer 4 protocols, on the same level as TCP (IP proto 6) and UDP (IP proto 17)
You can use nmap to identify the ISAKMP service on UDP port 500. After identifying accessible ISAKMP services, you
can probe and investigate these services to fingerprint and identify them.
Remote users who require remote access to internal network resources often use a pre-shared key (PSK) to
authenticate. A serious flaw exists in IPsec, which can be exploited if a VPN gateway supports aggressive mode IKE,
and a PSK is used to provide authentication.
A remote attacker can attempt to authenticate using aggressive mode IKE and obtain a hashed authentication
response from the gateway. When using main mode IKE, this authentication response is protected using a Diffie-
Hellman shared secret, but aggressive mode doesn't provide any protection. If a PSK is in use (as opposed to digital
signatures or public key encryption), the aggressive mode IKE authentication response is the PSK hashed using MD5
or SHA1. This hash can be attacked offline, and the PSK compromised.

22. VPNs can be classified into two primary types. Site-to-Site VPNs, and Remote Access VPNs. We will look at layer-3
IPsec VPNs that require a thick VPN client, as opposed to SSL-based VPNs that require only a browser on the client
machine to establish connectivity to internal resources like file and mail servers.
IPsec is based on symmetric-key encryption and consists of the following primary security components:
 Authentication Header (AH): This is essentially a message authenticity checksum that is appended to every
packet to ensure its authenticity and protect its integrity as it traverses the Internet.
 Encapsulating Security Payload (ESP): This is the encryption mechanism used to protect the confidentiality of
communication between the subjects.
 Internet Key Exchange (IKE): This protocol provides a means to securely exchange the secret key, which is
essential for the effective operation of the AH and ESP between the communicating subjects. While the
secret keys can be manually exchanged, such a solution is not scalable and the keys should be changed
periodically to minimize the probability of their compromise. IKE has two modes - IKE Main Mode and IKE
Aggressive Mode. Main Mode key-exchange uses the Diffie-Helman exchange to generate a mutual shared
key between the client and the server. On the other hand, Aggressive Mode does not use a Diffie-Helman
exchange to protect the authentication data. Therefore, it is possible to capture this authentication data
using a sniffer and crack it offline.
The main objective of this phase is to discover any vulnerabilities in the VPN implementation that an attacker may be
able to exploit. This is usually considered a zero-knowledge test where only the IP address of the VPN server is
known. This phase will be shown using three steps:
1. Reconnaissance: determining open ports and doing VPN fingerprinting
2. Assessment of PSK protocol mode
3. Exploitation of any default user accounts
The first step in the reconnaissance process entails port scanning the VPN server to make an educated guess on the
type of VPN implementation. The following table provides a mapping of open ports to VPN type, using default ports:
PPTP
PPTP uses TCP 1723 and IP protocol 47 (GRE) to encrypt data between peers.
D5 - VoIP
Enumeration and fingerprinting of devices running VoIP services.
Ports 5060 & 5061 - SIP (VoIP) on TCP and UDP, are associated to the Session Initiation Protocol (SIP). Port 5060 is
commonly used for non-encrypted signalling traffic whereas port 5061 is typically used for traffic encrypted with
Transport Layer Security (TLS).
Knowledge of the SIP protocol – (Session Initiation Protocol)
Like HTTP it is client server model, not client to client in that one handset talks to another as communication is done
through the server.
There are two different types of SIP messages: requests and responses.

23.  The first line of a request has a method, defining the nature of the request, and a Request-URI, indicating
where the request should be sent. Example: REGISTER
 The first line of a response has a response code. Example: 200 is success.
 1xx - Provisional Messages.
 2xx - Success Answers.
 3xx - Redirection Answers.
 4xx - Method Failures: 401 – Unauthorised, 403 - Forbidden
 5xx - Server Failures.
 6xx - Global Failures.
You can sniff the traffic and run it through sipcrack suite. Authentication data includes user ID, SIP extension,
password hash (MD5) and victim’s IP address.
There are six basic methods (defined in RFC 254) for the client requests:
HELLO - Fake command, does not exist in SIP.
INVITE: Invites a user or a service to a new session or to modify parameters of an established session. Username
enumeration - The invite message initiates a SIP dialog with the intent to establish a call. It is sent by a user agent
client to a user agent server. (Followed by OK – see diagram above showing flow)
Caller ID Spoofing (Stealth), but the invite method generates the ring at the client side. There are numerous ways to
craft a malformed SIP INVITE messages (scapy, SIPp).
ACK: Sent after a response, the application detects what accounts are defined on the SIP server. Confirms the
session establishment
OPTIONS: Request information about the capabilities of a server.
BYE: End of a session
CANCEL: Cancel a pending request

24. REGISTER (to IP-PBX server): Register the user agent when new client is connected/reconnected to the network by
sending REGISTER request to IP-PBX server for registering the associated user ID/extension number. Also implements
a location service for user agents, which indicate their address information to the server.
sip-enum-users – Nmap script works by sending REGISTER SIP requests to the server with the specified extension and
checking for the response status code in order to know if an extension is valid. If a response status code is 401 or
407, it means that the extension is valid and requires authentication. If the response status code is 200, it means that
the extension exists and doesn't require any authentication while a 403-response status code means that extension
exists but access is forbidden. Is this more stealth as it’ll not generate ring on client?
There are additional methods that can be used. For example, INFO, SUBSCRIBER, etc. (published in other RFCs)
 SUBSCRIBE – Initiates a subscription for notification of events from a notifier.
 PRACK - Provisional acknowledgement.
 NOTIFY - Inform a subscriber of notifications of a new event.
 PUBLISH - Publish an event to a notification server.
 INFO - Send mid-session information that does not modify the session state.
 REFER - Ask recipient to issue SIP request for the purpose of call transfer.
 MESSAGE - Transport text messages.
 UPDATE - Modifies the state of a session without changing the state of the dialog.
The Session Initiation Protocol (SIP) is a communications protocol for signalling and controlling multimedia
communication sessions in applications of Internet telephony for voice and video calls, in private IP telephone
systems, as well as in instant messaging over Internet Protocol (IP) networks.
SIP is only involved for the signalling operations of a media communication session and is primarily used to set up
and terminate voice or video calls. Voice and video media streams are typically carried between the terminals using
the Real-time Transport Protocol (RTP) or Secure Real-time Transport Protocol (SRTP).
Under SIP, each resource, such as a user agent or a voicemail box, is identified by a Uniform Resource Identifier
(URI).
D6 - Wireless
Enumeration and fingerprinting of devices running Wireless (802.11) services.
 airodump-ng wlan0mon - will show surrounding wireless networks along with their statuses.
 airodump-ng wlan0mon -w jdw-1 :: Will output data into jdw-1.csv which can then be opened in visualiser
for easier analysis.
 Wireshark on Wlan interface to view better packet data
Knowledge of various options for encryption and authentication, and the relative methods of each.

25. WEP - Wired Equivalent Privacy (WEP) is the original 802.11 pre-shared key mechanism, utilizing RC4 encryption.
WEP is vulnerable to being hacked; the encryption key can be derived by an eavesdropper who sees enough traffic.
WEP used a 64-bit or 128-bit encryption key that must be manually entered on wireless access points and devices
and does not change.
Weakness are:
 Passive attacks to decrypt traffic based on statistical analysis.
 Active attack to inject new traffic from unauthorized mobile stations, based on known plaintext.
 Active attacks to decrypt traffic, based on tricking the access point.
 Dictionary-building attack that, after analysis of about a day's worth of traffic, allows real-time automated
decryption of all traffic.
WEP's major weakness is its use of static encryption keys which can be derived from enough traffic analysis.
WPA – WPA (Wi-Fi Protected Access). WPA was originally meant as a wrapper to WEP to tackle the insecurities
caused by WEP. It was meant as a quick fix until WPA2 became available. The only attack known, besides flaws in
firmware of some routers, is brute forcing the WPA key.
There are two modes in which it can operate:
1. WPA-PSK: Preshared key (password) – also known as Shared authentication, or WPA personal
2. WPA-Enterprise (802.1x authentication (for Wired and Wi-Fi networks) – Supplicant, Authenticator,
Authentication Server) This requires a RADIUS server and can be combined with an Extensible
Authentication Protocol (also known as EAP authentication which establishes a secure tunnel between
participants involved in an authentication exchange).
WPA personal implements the Temporal Key Integrity Protocol (TKIP) with RC4 encryption. TKIP employs a per-
packet key, meaning that it dynamically generates a new 128-bit key for each packet and thus prevents the types of
attacks that compromised WEP.
WPA also includes a Message Integrity Check, which is designed to prevent an attacker from altering and resending
data packets. This replaces the cyclic redundancy check (CRC) that was used by the WEP standard. WPA uses a
message integrity check algorithm called TKIP to verify the integrity of the packets. TKIP is much stronger than a CRC,
but not as strong as the algorithm used in WPA2.
WPA2 - WPA2 uses an encryption device that encrypts the network with a 256-bit key. The most important
improvement of WPA2 over WPA was the usage of the Advanced Encryption Standard (AES) for encryption. WPA2
does not use TKIP but CCMP for cryptographic encapsulation.
At this time the main vulnerability to a WPA2 system is when the attacker already has access to a secured Wi-Fi
network and can gain access to certain keys to perform an attack on other devices on the network.
Enterprise Authentication
802.1X PNAC – Port based Network Access Control can use EAP, as can Wi-Fi.
By using the Extensible Authentication Protocol (EAP) to interact with an EAP-compatible RADIUS server, the access
point helps a wireless client device and the RADIUS server to perform mutual authentication. WPA2 and WPA use
five different EAP types as authentication mechanisms. There are currently about 40 different methods defined. EAP
choice depends on the level of security you need and your server/client specs. Although there are more than ten EAP
types.
Popular ones are:
 LEAP: A proprietary method by Cisco (light weight extensible authentication protocol) was used early on. It is
based on Microsoft CHAP, which means that the information that’s being sent between these devices has a
few security shortcomings.

26.  PEAP: (Protected Extensible Authentication Protocol) was created by Cisco, Microsoft and RSA Security to
come up with a way to encrypt all communication.
 EAP-TLS: Unlike most TLS implementations of HTTPS, such as on the World Wide Web, the majority of
implementations of EAP-TLS require client-side X.509 certificates. The requirement for a client-side
certificate, gives EAP-TLS its authentication strength and illustrates the classic convenience vs. security
trade-off.
 EAP-MD5: Offers minimal security; (MD5 hash) does not support key generation, which makes it unsuitable
for use with dynamic WEP, or WPA/WPA2 enterprise. EAP-MD5 differs from other EAP methods in that it
only provides authentication of the EAP peer to the EAP server but not mutual authentication. By not
providing EAP server authentication, this EAP method is vulnerable to man-in-the-middle attacks. EAP-MD5
support was first included in Windows 2000 and deprecated in Windows Vista.
 EAP Protected One-Time Password (EAP-POTP) - uses one-time password (OTP) tokens, such as a handheld
hardware device or a hardware or software module running on a personal computer, to generate
authentication keys. EAP-POTP can be used to provide unilateral or mutual authentication and key material
in protocols that use EAP. The EAP-POTP method provides two-factor user authentication, meaning that a
user needs both physical access to a token and knowledge of a personal identification number (PIN) to
perform authentication.
 EAP Pre-Shared Key (EAP-PSK) - Mutual authentication and session key derivation using a pre-shared key
(PSK). It provides a protected communication channel, when mutual authentication is successful, for both
parties to communicate and is designed for authentication over insecure networks such as IEEE 802.11.
 EAP Password (EAP-PWD) - Uses a shared password for authentication. The password may be a low-entropy
one and may be drawn from some set of possible passwords, like a dictionary, which is available to an
attacker. The underlying key exchange is resistant to active attack, passive attack, and dictionary attack.
 EAP Tunnelled Transport Layer Security (EAP-TTLS) - EAP Tunnelled Transport Layer Security (EAP-TTLS) is
an EAP protocol that extends TLS. Windows started EAP-TTLS support with Windows 8. The client can, but
does not have to be authenticated via a CA-signed PKI certificate to the server. This greatly simplifies the
setup procedure since a certificate is not needed on every client (as compared with EAP-TLS). After the
server is securely authenticated to the client via its CA certificate and optionally the client to the server, the
server can then use the established secure connection ("tunnel") to authenticate the client. It can use an
existing and widely deployed authentication protocol and infrastructure, incorporating legacy password
mechanisms and authentication databases, while the secure tunnel provides protection from eavesdropping
and man-in-the-middle attack. Note that the user's name is never transmitted in unencrypted clear text,
improving privacy.
D7 - Configuration Analysis
Analysing configuration files from the following types of Cisco equipment:
Cisco HTTP Arbitrary Access vulnerability
Cisco devices have a number of privilege levels, these levels start at 0 (User EXEC) and go up to 100, although mostly
only the first 15 are used. Level 15 is Privileged EXEC mode, the same as enable mode.
By referring to these levels within the URL of the target device, an attacker could pass commands to the router and
have them execute in Privilege EXEC mode.
Web browse to the Cisco device: http://<IP>
Click cancel to the logon box and enter the following address:
http://<IP>/level/99/exec/show/config
You may have to scroll through all of the levels from 16-99 for this to work. To raise the logging level to only log
emergencies:
http://<IP>/level/99/configure/logging/trap/emergencies/CR
To add a rule to allow Telnet:

27. http://<IP>/level/99/configure/access-list/100/permit/ip/host/<Hacker-IP>/any/CR
Interpreting the configuration of other manufacturers’ devices.
https://www.cisco.com/E-
Learning/bulk/public/tac/cim/cib/using_cisco_ios_software/07_basic_commands_tasks.htm

28. Appendix E: Microsoft Windows Security Assessment
NetBIOS
LOC-SRV 135/TCP Used for RPC client-server communication (DCE endpoint)
LOC-SRV 135/UDP Used for RPC client-server communication (DCE endpoint)
NETBIOS-NS 137/UDP Name Service Name Table (NBT)- Local NetBIOS browser, naming, and lookup services
NETBIOS-DGM 138/UDP Datagram Service used for local NetBIOS browser, naming, and lookup services
NETBIOS-SSN 139/TCP Session Services - used for Authentication and File Sharing
MICROSOFT-DS 445/TCP CIFS Server
MICROSOFT-DS 445/UDP
Windows RPC
Epdump is a MS command line tool to query RPC endpoints. Rpcdump is another useful tool.
Epdump 192.168.0.1
The response will show NetBIOS names and IP addresses. It will also show for example, the Messenger Service is
accessible through UDP port 1028, along with named pipes (PIPEntsvcs). Named pipes are accessible through SMB
upon authenticating.
E1 - Domain Reconnaissance
Identifying domains/workgroups and domain membership within the target network.
echo %userdomain% or as listed in SET will show domain membership
NetBIOS Name Server – Accessible through UDP 137. It provides NetBIOS Name Table (NBT).
nbtstat -n
nbtstat -A remote-ip
net user <userName> /domain - It will list both Local and Global groups that user belongs to.
Adding user: net user username password /add
net config workstation - list domain info
Master Browser
NBTSTAT -A x.x.x.x / -n
__MSBROWSE__.<01> GROUP Registered # Master browser
SUPERMAN <00> UNIQUE Registered # Hostname
ASIA <00> GROUP Registered # Domain/Workgroup
..or UNIQUE 1B (Domain Master Browser), 1D (Master Browser)
Also, can use: browstat getmaster devicenetbt_el59x1 domainname
NetBIOS Datagram Service – Accessible through UDP 138.
NetBIOS Session Service – Accessible through TCP 139 – Facilitates Authentication. Can use null session –
net usetargetIPC$ “” /user: “”
Tools: Enum – By defaults attempts null session but can specify username and password. Winfo is similar tool. Both
of these “forward lookup tools” tools can be restricted if admin sets RestrictAnonymous = 1
RID Cycling
GetAcct performs reverse lookup for Windows Server RID values to get user account names, known as RID cycling.
NT4 can only set RestrictAnonymous = 1 so is susceptible to RID cycling. Windows 2000 Server have extended
anonymous protection and can set RestrictAnonymous = 2, so is not susceptible?

29. By default, Windows 2000 and 2003 servers allow anonymous access to (null session) SMB. If null session not
permitted, a valid username and password must be provided to access the LSARPC and SAMR interfaces.
Rpcclient is part of the Unix Samba package can be used to interact with RPC endpoints across SMB and named
pipes. Useful command as part of rpcclient is lookupsids which allows SIDs to username lookups (RID cycling).
Below it is used against a remote system to perform RID cycling, it first looks up full SID value of chris account using
the WEBSERV account, and then increments the RIF value (1001 to 1007) to enumerate other user accounts through
the LSARPC interface:
rpcclient -I 192.168.0.25 -U=chris%password WEBSERV
rpcclient> lookupnames chris
chris S-1-xxxxx-1003 (User: 1)
rpcclient> lookupsids S-1-xxxxx-1001
Every Windows user, computer, or service account has a unique alphanumeric identifier called the security ID (SID).
Example SID: S-1-5-21-4064627337-2434140041-2375368561-1036
1036 is the RID – The RID uniquely identifies a security principal relative to the local or domain security authority
that issued the SID. Any group or user that the Windows OS doesn't create has a RID of 1000 or greater by default.
S identifies the following string as a SID. The red text is the domain or local computer identifier. If you create a user
object, delete it, then recreate it with the same name, the new object won't have the same SID as the original object.
Through a process of RID cycling it is possible to enumerate all domain users from a Windows 2003 domain
controller. This method will work on Windows 2003 domain controllers, as the SID of the “domain users” group can
then be enumerated; this was done to ensure a good level of compatibility and the same technique will not work on
Windows 2008 domain controllers. With this information it is then possible to iterate through the RIDs to enumerate
users. The following is an example of automated username enumeration using GetAcct from a Windows 2003
domain controller:
LSA brute forcing can be done anonymously against Windows 2000 and requires a guest account or better on other
systems.
This isn't a brute-force technique in the common sense, however: it's a brute-forcing of users' RIDs. A user's RID is a
value (generally 500, 501, or 1000+) that uniquely identifies a user on a domain or system. An LSA function is
exposed which lets us convert the RID (say, 1000) to the username (say, "Ron").
Identifying key servers within the target domains.
Grab list of domain controllers from last step for each domain.
nslookup -type=SRV _ldap._tcp.
Zone transfer _msdcs zone and ad zones.

30. Identifying and analysing internal browse lists.
net view May show all computers in network
net view /domain Shows number of domains and workgroups in environment
net view /ALL /Domain:demo.com
View the users and groups of an AD Security group
net group /domain TheGroupName
net localgroup /domain
net localgroup administrators
net localgroup administrators /domain
net group /domain
net group "Domain Admins" /domain
Identifying and analysing accessible SMB shares
net share
SYSVOL - Sysvol is an important component of Active Directory. The Sysvol folder is shared on an NTFS volume on
all the domain controllers in a particular domain. Sysvol is used to deliver the policy and logon scripts to domain
members.
By default, SYSVOL includes two folders:
1. Policies - (%SystemRoot%SysvolSysvoldomain_namePolicies) - The “shell” for the GPO is a folder,
which is stored under the Policies folder (GPT).
2. Scripts (shared with the name NETLOGON) - (%SystemRoot%SysvolSysvoldomain_nameScripts)
By default, the SYSVOL share, allows read-only access to the Everyone user context. However, the NTFS permissions
for the SYSVOL folder (C:WindowsSYSVOL be default) restrict read-only access to the Authenticated Users context.
So, by default, only domain authenticated users will be granted read privileges to the SYSVOL share.
E2 - User Enumeration
Identifying user accounts on target systems and domains using NetBIOS, SNMP and LDAP.
https://gist.github.com/its-a-feature/1a34f597fb30985a2742bb16116e74e0
net user Shows local users
net user /domain Shows list of users in domain
net user "account name" /domain Shows user details
snmpwalk -c public -v1 192.168.1.1 1.3.6.1.4.1.77.1.2.25
ldapsearch -H ldap://test.local -b DC=test,DC=local "(objectclass=user)" or objectclass=computer if
enumerating computers
wmic useraccount get
Enumerate all domain user accounts.
auxiliary/scanner/smb/smb_lookupsid SMBDomain=. MaxRID=10000 RHOSTS= E > domain_users.txt
SNMP: Metasploit
auxiliary/scanner/snmp/snmp_enumusers

31. E3 - Active Directory
Active Directory Roles (Global Catalogue, Master Browser, FSMO)
Because an Active Directory role is not bound to a single DC, it is referred to as a Flexible Single Master Operation
(FSMO) role. Currently in Windows there are five FSMO roles:
 Schema master
 Domain naming master
 RID master
 PDC emulator
 Infrastructure master
Flexible Single Master Operation Roles (FSMO) - removes the need for a PDC (primary domain controller) and many
BDCs (backup domain controllers) by spreading tasks among controllers.
The global catalogue is a distributed data repository that contains a searchable, partial representation of every
object in every domain in a multidomain Active Directory Domain Services (AD DS) forest. The global catalogue is
stored on domain controllers that have been designated as global catalogue servers and is distributed through multi-
master replication. Searches that are directed to the global catalog are faster because they do not involve referrals
to different domain controllers.
The Master Browser is responsible for the browse list within its respective subnet and portion of the domain on its
subnet. The Domain Master Browser is used to collect information from each of the Master Browsers via the
NetServerEnum API call. Once collected the list is merged with the Domain Master Browsers list for its own subnet.
This merged list forms the enterprise wide browse list for the domain. This merged list is then distributed to the
Master Browsers in each subnet so that the enterprise list can be available to computers requesting services.
Reliance of AD on DNS and LDAP
Active Directory (AD) uses DNS as its locator service to support the various types of services that AD offers, such as
Global Catalog (GC), Kerberos, and Lightweight Directory Access Protocol (LDAP).
When you install Active Directory and the DNS Server role on your first Domain Controller in the domain, it
automatically creates two forward lookup zones for your domain. If your AD domain is ad.example.com as in the
example above, you'll have a zone for ad.example.com and the subdomain _msdcs.ad.example.com.
The _msdcs zone holds all of the records that your client machines need to find domain controllers. It includes records
to locate AD sites. It has records for the different FSMO role holders. It hosts only DNS SRV (service) records that are
registered by Microsoft-based services
Global Catalog Service - _gc.tcp
Domain Controllers - _ldap.tcp # domain controllers identified by LDAP
Kerberos Authentication - _kerberos.tcp
The ad.example.com zone holds all of the records for your client computers, member servers, and the A records for
your Domain Controllers. Why is this zone important? So that your workstations and servers can communicate with

32. each other on the network. If this zone didn't exist, you could probably log in, but you wouldn't be able to do much
else except browse the Internet.
The Lightweight Directory Access Protocol (LDAP) is a directory service protocol that runs on a layer above the
TCP/IP stack. It provides a mechanism used to connect to, search, and modify Internet directories.
You can query LDAP anonymously using ldp.exe. The ldpsearch tool is a simple Unix-based alternative.
ldpsearch -h 192.168.0.65
An attacker can launch a brute-force, password guessing attack to compromise user accounts. The Unix bf_ldap tool
is useful for this purpose. Windows uses an LDAP service called Global Catalog (GC) on TCP port 3268. GC stores a
logical representation of all the users, servers and devices within a Window AD infrastructure. You can use ldp.exe
and ldapsearch utilities (along with valid username and passwords) to enumerate users, servers, policies and other
information. Just remember to point to port 3268 instead of 389.
Group Policy (Local Security Policy)
net accounts - list account policy
E4 - Windows Passwords
Password policies (complexity, lockout policies)
Kerberos Golden Ticket
 If you have domain admin/local admin access on an Active Directory forest/domain, you can manipulate
Kerberos tickets to get unauthorized access.
 In AD, accounts sign in with a username and password, and get back a Kerberos ticket that contains their
authentication token.
 An attacker needs to log into the DC and dump the password hash for the KRBTGT account to create the
Golden Ticket.
 The Golden Ticket is the Kerberos authentication token for the KRBTGT account, a special hidden account
with the job of encrypting all the authentication tokens for the DC. That Golden Ticket can then use a pass-
the-hash technique to log into any account.
Account Brute Forcing
Hash Storage (merits of LANMAN, NTLMv1 / v2)
 LM hash (also known as LanMan hash or LAN Manager hash) is a compromised password hashing function
that was the primary hash that Microsoft LAN Manager and Microsoft Windows versions prior to Windows
NT used to store user passwords.
 The LM hashing algorithm is very old and is considered very insecure. Windows stored both LM and NTLM
hashes by default until Windows Vista/Server 2008, from which point only NTLM hashes were stored (along
with the empty LM hash AAD3B435B51404EEAAD3B435B51404EE).
 LANMAN Hash:
 Convert all lower case to UPPER CASE
 Pad password to 14 characters with NULL characters
 Split the password to two 7-character chunks
 Create two DES keys from each 7-character chunk
 DES encrypt the string "KGS!@#$%" with these two chunks
 Concatenate the two DES encrypted strings. This is the LM hash.
That 16-byte string is the LANMAN hash that's stored in the SAM file
1. Passwords are not case sensitive. All passwords are converted into uppercase before generating the
hash value. Hence it takes password, PassWord, PaSsWoRd, PASSword and other similar
combinations same as PASSWORD converting all characters to uppercase.

33. 2. Password characters are also limited to a subset of 95 characters in the 256-byte ASCII character set.
3. Password length is limited to maximum of 14 characters
4. A 14-character password is broken into 7+7 characters and the hash is calculated for the two halves
separately.
5. If the password is 7 characters or less, then the second half of hash will always produce same
constant value (0xAAD3B435B51404EE). Therefore, if the length of password is less than or equal to
7 characters, then a password length of 7 characters or less can be identified visibly without using
tools.
6. The hash value is sent to network servers without salting, making it susceptible to man-in-the-
middle attacks such as replay the hash, and also allowing rainbow tables to be constructed.
 NTLM (v1) (NT Hash) is the successor to the authentication protocol in Microsoft LAN Manager (LANMAN).
The algorithm: MD4(UTF-16-LE(password))
 NTLM version 2 (NTLMv2), which was introduced in Windows NT 4.0 SP4 (and natively supported in
Windows 2000), enhances NTLM security by hardening the protocol against many spoofing attacks, and
adding the ability for a server to authenticate to the client.
 NTLMv2 is the challenge-response protocol for performing MS Windows password authentication over the
networks. It's used any time a password needs to be provided to a Windows or Samba server and the client
is not part of the Windows Active Directory domain.
 The deeper problem is that NTLMv1-2 provide absolutely no protection against credentials forwarding/relay
or reflection attacks. This means that an active attacker (such as a man-the-middle) is sometimes able to
redirect the login of the legitimate user to authenticate his own session.
 NTLM remains vulnerable to the pass the hash attack, which is a variant on the reflection attack which was
addressed by Microsoft security update MS08-068. For example, Metasploit can be used in many cases to
obtain credentials from one machine which can be used to gain control of another machine.
 NTLM Hash: Generating the NTLM hash is far easier than a LANMAN hash. It is simply an MD4() of the
password (in Unicode).
 Challenge/response - Once the LANMAN and NTLM hashes have been calculated, they can't just be put on
the wire. That would be vulnerable to any number of attacks, the most obvious being replay.
Offline Password Analysis (rainbow tables / hash brute forcing)
 Distinction between SAM database on a Windows system, or the NTDS database on the Domain Controller.
To further protect the password hashes these are encrypted using a key stored in the SYSTEM
(C:WindowsSystem32configSYSTEM) registry hive. This second encryption step is why in order to
perform a password dump for auditing, a copy of both files is needed. Hashes (for AD) are stored at
c:windowsNTDSntds.dit, but is locked due to it being accessed all the time.
 %systemRoot%system32Config
 %systemRoot%repair(pre Windows XP)
 %systemRoot%NTDSntds.dit (Active Directory)
 From registry (requires System Privileges)
 Windows Server 2008-2016 – Use ntdsutil
 Windows Server 2003 - vssadmin create shadow /for=C:
vssadmin list shadows - check whether any shadow copies already exist
vssadmin create shadow /for=C: - create a shadow copy, then copy ntds.dit and SYSTEM
vssadmin delete shadows /shadow=[GUID] - delete the shadow copy
 Cracking the Hashes – Tools: John the Ripper, Cain & Abel is a Windows-based tool with a host of useful
features, including a password cracker. It's normally a good idea to break very weak passwords with a simple

34. dictionary attack and short (5 character) brute force attack first, then let the Rainbow Tables pick up the
rest.
E5 - Windows Vulnerabilities
Knowledge of remote windows vulnerabilities, particularly those for which robust exploit code exists in the public
domain.
MS17-010 - nmap -Pn -p445 - open - max-hostgroup 3 - smb-vuln-ms17-010 script <ip_netblock>
Knowledge of local windows privilege escalation vulnerabilities and techniques.
LLMNR, NBT-NS, and, DNS
Microsoft systems use Link-local Multicast Name Resolution (LLMNR) and the NetBIOS Name Service (NBT-NS) for
local host resolution when DNS lookups fail. Apple Bonjour and Linux zero-configuration implementation use
Multicast DNS (mDNS) to discover systems within a network.
Attackers can exploit the UDP messages and direct users to malicious services. The below example illustrates the
capture NTLMv2 hashes which are saved to disk and then can be cracked with John the Ripper.
Knowledge of common post exploitation activities
 obtain password hashes, both from the local SAM and cached credentials
 obtaining locally-stored clear-text passwords
 crack password hashes
Pwdump3 can remotely authenticate (against ADMIN$ share) and then extract user password hashes from the
Windows 2000 host (?):
Pwdump3 192.168.189.1 hashes.txt Administrator
Please enter the password >secret
Two tools can be used to crack Windows passwords hashes downloaded by Pwdump3:
 Cain & Abel – supports rainbow table cracking of NTLM hashes.
 John the Ripper – performs basic dictionary-based attacks.
 Reversion to previous state
E6 - Windows Patch Management Strategies
• check patch levels – qfe (quick fix engineering) wmic qfe

35. Derive list of missing security patches – MBSA. Knowledge of common windows patch management strategies:
SMS - Microsoft Systems Management Server (SMS) 2003 provides a feature-rich management and servicing
solution. You can use SMS 2003 or System Center Configuration Manager 2007 (ConfigMgr) to manage networked
Windows Embedded Standard-based devices alongside Windows desktop, Windows Server, and other Windows
Mobile systems.
SUS - Microsoft SUS is a free patch management tool provided by Microsoft to help network administrators deploy
security patches more easily. In simple terms, Microsoft SUS is a version of Windows Update that you can run on
your network. Instead of each workstation having to connect to the Internet to update Windows, each workstation
connects to the Microsoft SUS Server instead and updates from there.
WSUS - Windows Server Update Services (WSUS) enables information technology administrators to deploy the latest
Microsoft product updates.
MBSA - Microsoft Baseline Security Analyzer (MBSA) - The MBSA can help you stay on top of regular network
auditing tasks by scanning both local and remote Microsoft systems for common security misconfigurations. It can
also identify missing security updates and service packs available through the various Microsoft Update
technologies, helping to ensure all machines are patched correctly.
E7 - Desktop Lockdown
Knowledge and understanding of techniques to break out of a locked down Windows desktop / Citrix environment.
Source
 Dialog Boxes – Notepad, File > Save As; Print – will give access to drives which can be used as pivot to create
new files (batch, shortcuts), open new Windows Explorer instances, Exploring Context Menu’s (Open File
Location).
 Help Menus – Similar to above, but some may have click here to open Command Prompt, or use URL link to
open up IE from which you can pivot (see below)
 Environmental Variables / Bypassing Path Restrictions – Use variable as opposed to location, i.e.
%SYSTEMROOT% as opposed to c:windowssystem32
 IE - File protocol handlers (about:, file:, mailto:), UNC paths 127.0.0.1c$WindowsSystem32. Address Bar,
Menus, Right Click in site, Set homepage to cmd.exe, F12 Developer Tools
 Getting Command Prompt – is Run available, try Windows+R. Browse to it, right click and open, Drag and
Drop and invalid extension onto executable – set custom app to view source, so set to cmd.exe, Import
Certificate (abusing Dialog Boxes)
 Microsoft Office applications by using the CTRL+Click option. file:///c:/Windows/System32/cmd.exe. It is
trivial to use msfencode/msfpayload to generate VBA code that will create a reverse shell / Meterpreter
shell on the host. VBA can be used to open CMD.
 MS SQL – xp_cmdshell
 Task Manager – File > New Task (Run)
 Task Scheduler, MSPAINT, FTP – lcd/!dir
 Run32 - There is a vast array of commands that can be run via Rundll32.
Date and Time Properties: RunDll32.exe shell32.dll,Control_RunDLL timedate.cpl
 Shortcuts - Standard shortcuts exist which may be useful. WINDOWS+E – Launch Windows Explorer,
WINDOWS+R – Run, F3 – Search, CTRL+O – Open File, CTRL+S – Save, CTRL+N – New
 Batch Files and Scripts - Batch files such as .BAT and .CMD can be an alternative for executing system
commands when an interactive shell isn’t permitted. Whilst .BAT files can be disabled, the lesser known
.CMD equivalent can sometimes be allowed. Windows Script Hosts (WSH): Can create a .vbs file to launch a
CMD shell.
 ICA Files – Modify ICA file so that InitialProgram=cmd.exe

36.  Citrix – Email, Clipboard. Cached connection information may be available in local application data stores.
Look for the “ICAClient” directory, which is usually found within the %APPDATA% folder. Using “dir /s
ICAClient” from a command line will also work.
 By copying another user’s ICAClient contents into your own folder, it may be possible to hijack their stored
connections.
 Citrix Shortcuts - SHIFT+F1 – Displays Windows Task List,
 As per privilege escalation - Binary Planting, DLL Hijacking
Privilege escalation techniques.
 Depends on from what and to what – example from admin to system? Admin to Domain Admin, User to
Admin
 Clear Text Credentials in Files – Install and Config files – unattended.txt, sysprep.inf, sysprep.xml, vnc.ini,
cached FTP, findstr /si password *.txt *.xml *.ini
 Passwords in Registry – Autologin, SNMP, Putty
 Directory Permissions – Incorrect Permissions often in Program Files for processes running as System
 Default permissions on newly created files.
 Autoruns – Sysinternals tool will highlight start-up executable locations – can trojan these files if the binary
cannot be overwritten directory.
 DLLs - However, can still add data to that directory such as DLL which may get executed as part of binary
(looks in same folder first, then system32). Process Monitor to trace.
 Scheduled Tasks – AT command - Only admin can view, but normal user can view what tasks are running.
 Services – Orphaned Installs, hijack them – Autoruns tools from Sysinternals.
 Token Impersonation
 Impersonate Named Pipe
 Internet Explorer Java Escalation
E8 - Exchange
Knowledge of common attack vectors for Microsoft Exchange Server.
 OWA
 Choose Your Certificates Carefully
 Utilize the Power of Edge Transport Server
 Keep Administrative Access Internal
E9 - Common Windows Applications
Knowledge of significant vulnerabilities in common windows applications for which there is public exploit code
available.
MS17-010 – Eternal Blue

37. Appendix F: Unix Security Assessment
F1 - User enumeration
Discovery of valid usernames from network services commonly running by default:
 Rusers – RPC service endpoint that listens on dynamic ports. If TCP/UDP 111 open the rpcinfo client can check
for presence of rusersd:
rpcinfo -p 192.168.0.10
program vers proto port service
1100002 3 tcp 33180 rusersd
Once found, use ruser to retrieve list of logged in users.
$ rusers -l 192.168.0.50
 Rwho – UDP 513 – rwho 192.168.189.120 – will list current logged in users.
 SMTP – Password brute forcing. Valid user account details can be enumerated by issuing smtp, VRFY, or RCPT
TO:
Telnet host 23
HELO world
VRFY test
VRFY chris
EXPN asks the server for the membership of a mailing list. A VRFY request asks the server to verify an address.
The point of a RCPT request is to add one address to the list of envelope recipient addresses, from which I
suppose you could check for bounces and deduce live accounts.
 Finger – TCP 79. Connect direct or via Finger command. Solaris 8 and below, information leak:
finger ‘1 2 3 4 5 6 7 8 9 0’@192.168.0.10 or finger 'a b c d e f g h'@target.com
Finger works by querying entries in the passwd files, i.e. GECOS fields. Finger can also be used to query "plan" files.
Plan files can be created by users to inform others of their current activity, humour or anything else that the user
may wish to share.
Finger user@192.168.0.10
Finger redirection: finger@192.168.0.10@217.34.17.200
F2 - Unix vulnerabilities
Recent or commonly-found Solaris vulnerabilities, and in particular those for which there is exploit code in the public
domain.
Solaris 10 and 11 impacted by Telnet -f client sequence.
The flaw meant that exploitation could occur if an existing user account name was supplied after the “-f” (e.g. bin),
and could be conducted through the command line with:
telnet -l -f<account> <host>
Recent or commonly-found Linux vulnerabilities, and in particular those for which there is exploit code in the public
domain.
Use of remote exploit code and local exploit code to gain root access to target host
Common post-exploitation activities

38.  exfiltrate password hashes
 crack password hashes
 check patch levels
 derive list of missing security patches
 reversion to previous state
F3 FTP
FTP access control
You can use the following configuration files in the /etc/ftpd directory to control access to the FTP server.
 ftpusers is used to list users who are denied access to the FTP server.
 ftphosts is used to allow or deny login from various hosts to various accounts on the FTP server.
 ftpaccess is the main FTP configuration file. The FTP server only reads the /etc/ftpd/ftpaccess file
if called with the -a option. When the ftpaccess file is used, all users must be members of a class to
be allowed access to the FTP server. You can specify many ftpaccess directives that apply only to a
particular class.
Anonymous access to FTP servers
Risks of allowing write access to anonymous users.
F4 - Sendmail / SMTP
Valid username discovery via EXPN and VRFY
iis6

39. Note above HELO > MAIL FROM: > RCTP TO:
Awareness of recent Send mail vulnerabilities; ability to exploit them if possible
Mail relay vulnerability
Mail relaying
F5 - Network File System (NFS)
NFS security: host level (exports restricted to particular hosts) and file level (by UID and GID).
 The /etc/exports file controls which file systems are exported to remote hosts and specifies options.
 An alternate way to mount an NFS share (as opposed to using mount command) from another machine is to add
a line to the /etc/fstab file.
Use of NFSv4 is recommended over other versions of NFS. NFSv4 security mechanisms are oriented towards
authenticating individual users, and not client machines as used in NFSv2 and NFSv3.
The NFS service is running on port 2049 TCP. The rpcinfo utility can be used to determine if there are any mountd
and NFS services running on the host.
Access control is not possible for users, other than through file and directory permissions. In other words, once a file
system is exported via NFS, any user on any remote host connected to the NFS server can access the shared data. To
limit the potential risks, administrators often allow read-only access or squash user permissions to a common user
and group ID.
Wildcards should be used sparingly when exporting directories via NFS as it is possible for the scope of the wildcard
to encompass more systems than intended.

40. Mount access is achieved by the client machine attempting to attach to the server. The security for this is provided
by the /etc/exports file. This file lists the names or IP addresses for machines that are allowed to access a share
point. If the client's ip address matches one of the entries in the access list then it will be allowed to mount.
It is also possible to restrict access to the portmap service via TCP wrappers. Access to ports used by portmap,
rpc.mountd, and rpc.nfsd can also be limited by creating firewall rules with iptables.
The following command will retrieve the list of the exported folders for a given host.
If there are any files on the exported share that the user doesn’t have permission to read them then it might be
possible to trick the NFS server to believe that the user account that tries to read the file is the owner of the file. This
can be achieved by performing UID (User ID) manipulation.
Use ls -la to get the current user of the file, then create username of same name. The UID can be changed from the
passwd file, then SU as the new user and access the file.
Root squashing
The default behaviour when exporting a file system via NFS is to use root squashing. This sets the user ID of anyone
accessing the NFS share as the root user on their local machine to a value of the server's nfsnobody account. Never
turn off root squashing. This prevents someone using local root to change file permissions on the remote share.
Since the UID of the file will be the same with the UID of the new user, the system will believe that this is the original
owner so it would be possible to read the contents of the file.