Certified in The Art of Hacking - Day 3

This is a diary of what I've learned. Hopefully it will let other learners know what the course is like, and if it is worthwhile. Oh, and it might just help me remember what I'm learning!

Day 3 - the day I was dreading most of all… Windows!

I've been avoiding M$ WinDoze (LOL!!!) since long before it was fashionable. Even at my earliest jobs, I'd find a way to convince the IT department to let me run Linux on their kit. I'm penguin-powered, baby!

So, what can an Ubuntu toting geek learn about the gentle art of cracking Windows wide open?

Not much. It was mostly a whistle-stop tour of various Linux tools and a brief explanation of Windows security models.


The demo Windows network wasn't working, so all a bit theoretical to start. Once it was up, we had another "script kiddie" day. Run nmap, run enum4linux, run metasploit. Vaguely interesting, but not sure what parts we need to remember for the exam.

Some of the tasks weren't possible unless you had a Windows machine. Most people had a "GoToMyPC" instance they could use - but those of us on Linux machines were basically stuck watching the tutor run some demos. Lots of memorising of Windows Powershell commands. But, again, no idea if they'll be on the exam.

There were some team exercises, which was a nice change. I hosted an exploit, another student executed it. But, in the end, the code didn't work. The labs are a bit broken.

Afternoon descended into farce because GoToMyPC went down and lots of students couldn't get back in. Combined with yesterday's inexplicable half-day, this meant a lot of confused and frustrated students.

The course description was:

Unlike [Certified Ethical Hacker], where the focus is to run a tool to achieve an objective which helps attendees pass the exam, we focus on the underlying principles on which tools work and provide attendees an understanding on what is the root cause of the vulnerability and how does the tool work to exploit it. We also talk about how the vulnerability should be mitigated.

But, at the moment, it is just running metasploit and a few other tools. Nothing much about the principles. And only a passing comment on how to defend against things.

Similarly, it says:

we do not talk about hacking windows XP and 2003 servers (unlike CEH) but talk about circumventing controls in Modern OS such as Windows 2012 / 16 servers. High impact vulnerabilities such and or mass compromise vulnerabilities are taught in the class.

Yet there was lots of discussion of Windows 7 and outdated versions of Chrome. Not quite what was advertised.

Turns out the exam isn't on Friday. We have a voucher and we can book the exam in the next 12 months. Think I'll take it sooner rather than later - but will give myself enough time to cram and memorise every command line option in existence.

Practice Questions - Linux Hacking

Here are the test questions from yesterday. Once again, it's mostly "can you remember the exact command line without running --help" - which I'm not sure is useful. I got 6/10. This really needs a practical exam. A CTF or similar. Sure, with a bunch of hackers, it could turn into the "Kobayashi Maru" exercise. But that's better than trying to rote learn the command line.

  1. Which of the following is NOT an attack against SSL?
    • Heartbleed
    • POODLE
    • FREAK
    • RowHammer
  2. What is the maximum amount of data retrievable by each Heartbleed heartbeat?
    • 64kb
    • 1Mb
    • 512kb
    • 256kb
  3. True or false, Shellshock affects BASH v 4.4
    • True
    • False
  4. Which command allows you to display the full kernel version on a Linux system?
    • cat /etc/kernel
    • uname -a
    • echo version
    • cat /env/kernel
  5. Jenkins is a popular continuous integration service, often run on Linux servers. What port does Jenkins listen on by default?
    • 80
    • 443
    • 666
    • 8080
  6. True or false - The Jenkins web console is vulnerable to a deserialization attack?
    • True
    • False
  7. Simon has managed to obtain a meterpreter shell on a remote Linux machine by exploiting a weak implementation of WordPress. What command should he run to see what user-instance he is using?
    • sysinfo
    • ps
    • whoami
    • getuid
  8. Rebecca has managed to get a meterpreter payload on a victim machine which is configured with a reverse TCP setting which will attempt to connect to her Kali machine on She needs to set up a netcat listener on her Kali machine to receive any TCP sessions from the victim machine when the payload is executed. Which of the following commands would do this?
    • nc --listen 4444
    • nc -nlp 4444
    • nc -tup 4444
    • nc -nl 4444
  9. James has obtained a meterpreter shell on a remote machine but only has restricted user access. He decides to try using a post-exploitation command to try to elevate his privilege level, but he needs to return to his msfconsole prompt to load an auxiliary tool. What command should James use to keep the meterpreter session alive, but allow him to return to the msfconsole prompt?
    • back
    • exit
    • suspend
    • background
  10. James has identified a suitable auxiliary command to use in conjunction with an existing meterpreter instance. How can James identify which meterpreter instance to use?
    • session -i
    • session -l
    • sessions -l
    • meterpreter -l


netbios - old and unused, should probably be disabled. LLMNR is useful if DNS resolution has failed. Generates a lot of sniffable traffic. Can force Windows machines to give up data. Set up a fake server to receive the LLMNR broadcasts.

Some services are blocked on IPv4 but open on IPv6.

If DNS fails to resolve a host, LLMNR and NBT-NS will ask other hosts in the network if they know the IP address. The Net-NTLMv2 challenge-response hash is sent by the victim; the fake machine intercepts the hash and can start to crack it. Tell john to use --format=netntlmv2 to crack it.

If SMB signing is disabled on the target, you can relay the original hash to a new target.
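The fake-server behaviour described above has a simple defensive signature: a legitimate host only answers LLMNR for its own name, while a poisoner answers for every name it hears. This is an added example, not code from the course or the post; it builds a small constructed capture of LLMNR (UDP/5355) messages and flags any source that answered for several different names. The packet layout (DNS-shaped header, label-encoded name, A-record answer) is from the LLMNR spec; the hosts, IPs and threshold are assumptions.

```python
import struct
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

def encode_name(host: str) -> bytes:
    # LLMNR uses DNS label encoding: length byte + label, terminated by a zero byte.
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in host.split(".")) + b"\x00"

def decode_name(buf: bytes, off: int) -> Tuple[str, int]:
    labels = []
    while buf[off] != 0:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels), off + 1

def parse_llmnr(payload: bytes) -> dict:
    # Header is DNS-shaped: ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (16-bit big-endian).
    tid, flags, _qd, an, _ns, _ar = struct.unpack("!6H", payload[:12])
    name, _off = decode_name(payload, 12)
    return {"id": tid, "is_response": bool(flags & 0x8000), "name": name, "answers": an}

def build_llmnr(tid: int, host: str, answer_ip: Optional[str] = None) -> bytes:
    """Constructed sample traffic: a query, or (with answer_ip) a positive A-record response."""
    is_resp = answer_ip is not None
    hdr = struct.pack("!6H", tid, 0x8000 if is_resp else 0, 1, 1 if is_resp else 0, 0, 0)
    question = encode_name(host) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    if not is_resp:
        return hdr + question
    # Answer RR: pointer to the question name (0xC00C), type A, class IN, TTL 30, 4-byte address.
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 30, 4) + bytes(int(o) for o in answer_ip.split("."))
    return hdr + question + rr

def find_poisoners(packets: List[Tuple[str, bytes]], min_names: int = 3) -> Dict[str, List[str]]:
    """A real host only answers LLMNR for its own name; a source that answers for many
    different (typically mistyped or non-existent) names is behaving like a fake server."""
    names = defaultdict(set)
    for src, payload in packets:
        msg = parse_llmnr(payload)
        if msg["is_response"] and msg["answers"] > 0:
            names[src].add(msg["name"].lower())
    return {src: sorted(n) for src, n in names.items() if len(n) >= min_names}

SAMPLE = [  # constructed sample capture: (source IP, UDP/5355 payload) pairs
    ("10.0.0.9", build_llmnr(1, "fileserver", "10.0.0.9")),   # legitimate: answers only for its own name
    ("10.0.0.5", build_llmnr(2, "fileservr")),                # a client's query for a mistyped name
    ("10.0.0.66", build_llmnr(2, "fileservr", "10.0.0.66")),
    ("10.0.0.66", build_llmnr(3, "wpad", "10.0.0.66")),
    ("10.0.0.66", build_llmnr(4, "printsrv", "10.0.0.66")),
]
```

On a real network the same check runs over UDP/5355 payloads pulled from a capture; the cleaner fix is to disable LLMNR and NBT-NS by policy and require SMB signing so a captured hash cannot be relayed.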

NetBT is netbios over TCP/IP. It does IP to name resolution. A legacy protocol, should probably be disabled.

EPM is End Point Mapping (?). RPC is Remote Procedure Call (an API?). Bunch of other random acronyms and port numbers.

nbtstat on Windows, nmblookup on Linux.

1c for domain controllers.

Windows enumeration usually on 135, 137 (UDP), 139, 445. Harder to detect attacks on 135 as it gets lots of traffic. 139 is obsolete from Vista.

Used to be able to connect to InterProcess Communication shares using anon / null session. rpcclient -U "" -N 192.168...

Relative Identifier - RID. Unique but sequentially assigned. Can cycle through them; the RID also identifies the role of the user.

SID is the security ID. Primary key for objects in active directory. Unique. Has relative level, top level authority, the domain, the RID.

RID 500 is Admin, 501 Guest, 502 Kerberos. Everything else 1000+.

RPC can do user to SID and SID to user. ridenum and enum4linux both good tools for this.

The RestrictAnonymous registry key controls anonymous enumeration. Can be set to default, don't allow enumeration, or no access.

RID cycling over NULL doesn't work on Win 2008+. If you can do RID cycling with a valid domain user it might leak interesting information.
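To make the SID structure in the notes above concrete (revision, top-level authority, domain sub-authorities, RID), here is an added example, not code from the course or the post: it parses textual SIDs, labels the well-known RIDs the notes list (500, 501, 502, everything else 1000+) and groups enumerated SIDs by domain so a defender can review what a null-session or RID-cycling run would have exposed. The sample SIDs are constructed and the `audit` helper is an assumption of mine.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Well-known RIDs from the notes above; ordinary users and groups start at 1000.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt (Kerberos)"}

# Textual SID: S-<revision>-<identifier authority>-<sub-authorities...>-<RID>
SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")

@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    domain: Tuple[int, ...]   # sub-authorities identifying the domain (or local machine)
    rid: int                  # relative identifier of the principal inside that domain

    @property
    def domain_sid(self) -> str:
        return "S-%d-%d-%s" % (self.revision, self.authority, "-".join(map(str, self.domain)))

def parse_sid(text: str) -> Sid:
    m = SID_RE.match(text.strip())
    if not m:
        raise ValueError("not a textual SID: %r" % text)
    subs = [int(x) for x in m.group(3).split("-")[1:]]
    return Sid(int(m.group(1)), int(m.group(2)), tuple(subs[:-1]), subs[-1])

def rid_role(rid: int) -> str:
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    return "ordinary user/group (>= 1000)" if rid >= 1000 else "other built-in (< 1000)"

def audit(sid_strings: List[str]) -> Dict[str, List[Tuple[int, str]]]:
    """Group enumerated SIDs by domain and label each RID, so a defender can see at a
    glance which privileged built-ins were exposed and how densely the 1000+ range is used."""
    out: Dict[str, List[Tuple[int, str]]] = {}
    for s in sid_strings:
        sid = parse_sid(s)
        out.setdefault(sid.domain_sid, []).append((sid.rid, rid_role(sid.rid)))
    return {d: sorted(v) for d, v in out.items()}

# Constructed sample, shaped like the SID column of enum4linux/rpcclient output.
SAMPLE_SIDS = [
    "S-1-5-21-1004336348-1177238915-682003330-500",
    "S-1-5-21-1004336348-1177238915-682003330-502",
    "S-1-5-21-1004336348-1177238915-682003330-1105",
    "S-1-5-32-544",   # BUILTIN\Administrators: the domain part is just 32
]
```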

Use of hash-identifier to see what sort of hash it is. Online services to check weak MD5 hashes.

Once into a Windows machine, use PowerShell as it runs in memory and isn't detected by antivirus. Use Get-ExecutionPolicy and Set-ExecutionPolicy to view and change the execution policy. PowerShell is case insensitive. Variables start with $. There are per-user preferences. Can declare arrays $a = 1,2,3 etc.

To execute Import-Module .\scriptname.ext

IEX (iwr 'url') to execute a URL??

Get-ComputerInfo and Get-ChildItem env: to find out about the target. Get-ADDomainController to find other stuff.

Open Shares an issue - can allow us to read and write.

Default installations of web apps are often insecure.

Printers are highly trusted, they receive all the hashes, so if you can get in with default credentials you can sniff everything. Printers have LDAP - can start malicious LDAP services.

Use of client side attacks. Use metasploit (again) to host the exploit - get the target to access the metasploit server. Can host malicious web pages, documents with macros. Use the Metasploit handler to listen to what's going on. Chrome 72-73 are vulnerable to Array.map, buffer overflow, read arbitrary memory. Chrome must be running with --no-sandbox.

Electron - a shell around Chromium rendering and Node.js runtime - basically a web browser specifically for cross platform apps. Multiple processes.

Joplin, also built on Electron. Can POST to the /notes API to deploy a payload. Can use JS to exec() a local .exe

Look for kernel exploits, weak permissions, DLL hijacking etc with post/multi/recon/local_exploit_suggester. Look at the PATH environment variable, and place DLLs earlier in the search order.

Look for credentials using things like findstr or reg query. Or User Access Controls.

Windows 7 issues. Cleartext creds in memory. No default antivirus. All apps are trusted.

Win10 security features. Device Guard - hardware and software, locks down device, code integrity, prevents malicious code.
Cred guard. Virtualised, isolates LSASS secrets. Enabled via the registry. Returns encrypted strings rather than NTLM hash.

Local Security Authority (LSA). Prevents memory access to creds.

AMSI - anti malware scan interface. In memory scans for malicious powershell script execution.

whoami /priv to see privileges.

winpeas to automate searching.

CVE against things like IE, AppX, allow you to elevate privs.

CVE against cryptoAPI - crypt32.dll allows you to self sign a malicious executable.

RDP vulns.

EternalBlue (ancient!) and Fuzzbunch.

Microsoft COM RCE with device deserialisation flaws.

AMSI can be bypassed via signatures? And ScanBuffer? and C# version? WHAT?

Mimikatz can register a malicious DLL for a Security Support Provider and get creds. Can also bypass LSA.

ColdFusion - lots of exploits. Directory traversal, misconfiguration, default password, FCK Editor - doesn't sanitise input so can upload and execute.

Metasploit web server can bypass AV.

Post exploitation is vital. Once you're in, what can be done? Dump users, password hashes, escalate, pivot (use as a staging post to get further into the network), replay credentials to masquerade as someone else, persistent access, permanent backdoor.

Windows credential vault can store web passwords in plaintext. LSA has logged in user's passwords.

Security Accounts Manager (SAM) - can't be accessed while system is running. Might be able to grab a backup snapshot. Can be accessed on the Domain Controller.

Meterpreter can run hashdump in memory - so AV isn't triggered.

Previous 10 unique logins are cached if the DC is not available. This is to allow the user to log in to the system. Salted hashes. Salt is the username. Encrypted with LSA NL$KM account (??) cachedump can do this.

LSA protected storage for passwords for users and tasks. System privs needed to extract.

LSASS process memory - cleartext passwords for RDP login.

Mimikatz is the main tool for this.

Adding new accounts to Domain Admin group is very noisy - great way to get noticed.

NTLM challenge response. 16 bit challenge, hashed with the user??

Pass the hash
