Bind Shell
sets up a listener on the target machine, waiting for an incoming connection from the attacker system.
nc -z <IP> <port range>
Used for port scanning
nc -lvp <port>
listen on a given TCP port.
nc -nv <IP> <port>
Connect to a TCP port
nc -lvp <port> > file.txt
Transfer a file
meterpreter - search
used to locate files on the victim system
meterpreter - Execute
used to run commands on the victim system
meterpreter - Shell
used to go into a standard shell on the victim system
meterpreter - Resource
used to execute Meterpreter commands listed inside a text file, which can help accelerate the actions taken on the victim system
C2 Utilities
Socat and Netcat
Covert Channel
Created by C2 with a system that has been compromised.
Living-off-the-land to perform directory listing, copy and moving files.
PowerShell
Empire
Open-source Framework to rapidly deploy post-exploitation modules.
WMI
Windows Management Instrumentation manages data and operations on Windows.
PsExec
Can modify Windows registry, execute scripts, and connect a compromised system to another system.(can execute anything that can run on Windows Command Prompt).
Living-off-the-land techniques
Empire, WMI, BloodHound, PowerShell, Sysinternals, WinRM, and PowerSploit
Enable-PSRemoting -SkipNetworkProfileCheck -Force
WinRM
Vertical Privilege
a lower-privileged user gains access to functions reserved for higher-privileged users
NIST SP 800-88
A methodology (media sanitization guidance) applied after a penetration testing engagement is complete: all systems should be cleaned up. Logs should be suppressed, user accounts deleted, and any files that were created removed as well. A secure deletion method may be preferred.
Wsc2 and TrevorC2
Python-based C2 utilities
Maintaining a Foothold in a compromised system
creating and manipulating scheduled jobs and tasks, creating custom daemons and processes, creating new users, and creating a bind or reverse shell
NetBIOS-NS
for Name registration and resolution.
NetBIOS-DGM
for connectionless communication
NetBIOS-SSN
For connection-oriented communication
UDP Port 138
NetBIOS Datagram Service
UDP Port 137
NetBIOS Name Service
TCP Port 139
NetBIOS Session Service
TCP Port 135
MS-RPC (Microsoft Remote Procedure Call)
DNS Servers with BIND 9.5.0
Randomization of ports and provision of cryptographically secure DNS transaction identifiers
UDP Port 161
SNMP (Simple Network Management Protocol) used to manage network devices.
DNS Poisoning Attack
Manipulation of the DNS resolver cache by injecting corrupted DNS data, so that the DNS server sends the attacker's IP address to the victim.
SMTP Command “RSET”
Used to cancel an email transaction
SMTP Command “MAIL”
used to denote the email address of the sender
SMTP Command “EHELO”
used to initiate a conversation with an Extended Simple Mail Transport Protocol server
SMTP Command “DATA”
used to initiate the transfer of the contents of an email message
SMTP Command “STARTTLS”
used to start a Transport Layer Security connection to an email server
SMTP Command “HELO”
used to initiate an SMTP conversation with an email server
Reflected DOS
This attack uses spoofed packets that appear to be from the victim. Then the sources become unwitting participants in the attack by sending the response traffic back to the intended victim.
DNS Amplification
This is an attack in which the attacker exploits vulnerabilities in target servers to turn small queries into much larger payloads, which are used to bring down the servers of the victim.
Direct DOS
This occurs when the source of the attack generates the packets, regardless of protocol, application, and so on, that are sent directly to the victim of the attack.
DDOS
This attack uses botnets that can be manipulated from a command and control (CnC, or C2) system.
Route Manipulation Attacks
typically a BGP hijacking attack by configuring or compromising an edge router to announce prefixes that have not been assigned to the organization
Downgrade Attacks
the attacker forces a system to favor a weak encryption protocol or hashing algorithm that may be susceptible to other vulnerabilities
DHCP Starvation
an attacker floods a server with bogus DISCOVER packets until the server exhausts the supply of IP addresses
VLAN Hopping attack
an attacker bypasses the Layer 2 restrictions built to divide hosts into separate VLANs
MAC address spoofing attack
an attacker spoofs the physical address of the NIC device to match the address of another on a network in order to gain unauthorized access or launch a Man-in-the-Middle attack
A characteristic of a Bluesnarfing Attack
An attack that can be performed using Bluetooth with vulnerable devices in range. This attack actually steals information from the victim's device. It can also be used to obtain a device's International Mobile Equipment Identity (IMEI) number.
The MFP feature in 802.11w protects against which wireless attack
The 802.11w standard defines the Management Frame Protection (MFP) feature. MFP protects wireless devices against spoofed management frames from other devices that might otherwise deauthenticate a valid user session.
TCP Port 465
Assigned by IANA (Internet Assigned Numbers Authority) for SMTP over SSL (SMTPS)
TCP Port 587
The Secure SMTP (SSMTP) protocol for encrypted communications, as defined in RFC 2487, using STARTTLS.
TCP Port 143
The default port used by the IMAP protocol in non-encrypted communications.
TCP Port 995
The default port used by the POP3 protocol in encrypted communications.
TCP Port 993
The default port used by the IMAP protocol in encrypted (SSL/TLS) communications.
TCP Port 25
The default port used in SMTP for non-encrypted communications.
TCP Port 110
The default port used by the POP3 protocol in non-encrypted communications.
What is needed to create a Silver Ticket for a Kerberos Silver Ticket attack
The system account (ending in $), the security identifier (SID) for the domain, the fully qualified domain name (FQDN), and the target service (for example, CIFS, HOST).
What type of attack IP spoofing is used in
The On-path attack intercepts communications between two systems. The attacker splits the original TCP connection into 2 new connections, one between the client and the attacker and the other between the attacker and the server.
Common Mitigation for ARP cache Poisoning
Dynamic Address Resolution Protocol (ARP) Inspection (DAI) on switches to prevent spoofing of the Layer 2 addresses.
Type of attack: Reflected DDoS
An amplification attack is a form of reflected DoS attack in which the response traffic (sent by the unwitting participant) is made up of packets much larger than those initially sent by the attacker (spoofing the victim). The result is that the victim machine gets flooded by large packets for which it never actually issued queries, causing a denial of services.
Best practices to help mitigate FTP server abuse and attacks
Disable anonymous logins.
Require re-authentication of inactive sessions.
Keep back-end databases on a different server than the FTP server.
Use FIPS 140-2 validated encryption ciphers for guidance on secure algorithms.
Keep FTPS/SFTP server software up-to-date.
Lock down admin accounts — limit admins, avoid common usernames, require MFA.
Use encryption at rest for all stored files.
Implement file/folder access controls so users only access what they should.
Use strong passwords and multifactor authentication with good credential management.
Web proxy devices provide
Enable HTTP transfer across firewalls and support the caching of HTTP messages.
HTTP Status Code: 400
Related to Client Errors
HTTP Status Code: 500
Related to Server Errors
How HTTP 2.0 improves performance over HTTP 1.1
The web client can send multiple GET messages simultaneously (multiplexing), which contributes to the performance improvement, along with compression of HTTP messages and tokens.
Mitigation for Session fixation attack
Encrypt the entire web session so that session identifiers are exchanged only through an encrypted channel.
Persistent Cookie
A cookie with a Max-Age or Expires attribute that is stored on disk by the web browser until the expiration time.
Out-of-Band SQL Injection
The attacker retrieves data using a different channel, such as an email, text, or instant message sent to the attacker with the query results.
Cookie configured with the HttpOnly flag
Forces the web browser to send this cookie only to the server; any attempt to access the cookie from client-side code or scripts is forbidden.
Mitigation against attacks on new devices
Changing the default manufacturer password and restricting network access to critical systems to stop default credential attacks.
Three OWASP prevention rules for XSS attacks
Use attribute escape before inserting untrusted data into HTML common attributes, use HTML escape before inserting untrusted data into HTML element content, and use JavaScript escape before inserting untrusted data into JavaScript data values.
Best practice to mitigate lack of proper error handling in an app
Use a well-thought-out scheme that provides meaningful error messages to the user but no useful information to an attacker.
watering hole
A targeted attack in which the attacker profiles websites that the intended victim accesses and then scans those websites for possible vulnerabilities.
elicitation
The act of gaining knowledge or information from people.
What the Asterisk application is used for
Impersonating caller ID
Piggybacking
An unauthorized person tags along with an authorized person to gain entry to a restricted area, usually with the consent of the authorized person.
Tailgating
An unauthorized person tags along with an authorized person to gain entry to a restricted area, usually without the consent of the authorized person
Access Control mitigates two physical attacks
tailgating and piggybacking
VM Repository Vulnerability
When a threat actor has found a way to upload fake or impersonated VMs containing malicious software and backdoors.
Dagda
A set of open-source static analysis tools that can help detect vulnerabilities, Trojans, backdoors, and malware in Docker images and containers.
VM Escape Vulnerabilities
Allow a threat actor to "escape" the VM and obtain access to other virtual machines on the system or to the hypervisor.
GATTAcker
Used to perform on-path attacks against Bluetooth Low Energy (BLE) implementations.
Anchore’s Grype
An open-source container vulnerability scanner that can be used to find vulnerabilities in a Docker Image.
NIST SP 800-145
Defines cloud computing as "a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction."
Account Takeover
A threat actor gains access to a user or application account and uses it to access more accounts and information.
Nimbostratus
Used to find vulnerabilities that could lead to metadata service attacks.
Cloud Malware Injection Attack
The attacker creates a malicious application and injects it into a SaaS, PaaS, or IaaS environment.
Common cause of data breaches against cloud assets
Insecure permission configurations
Side-Channel Attacks
Often based on information gained from the implementation of the underlying computer system (or cloud environment) instead of a specific weakness in the implemented technology or algorithm.
Needle
Open-source framework used to test the security of iOS applications.
IPMI (Intelligent Platform Management Interface)
A collection of computer interface specifications (often used by IoT systems) designed to offer management and monitoring capabilities independent of the host system's CPU, firmware, and operating system.
CDKs (Cloud Development Kits)
Help software developers and cloud consumers deploy applications in the cloud and use the resources that cloud providers offer.
How cloud providers minimize the impact of DoS or DDoS attacks
By using a distributed architecture