Certified in The Art of Hacking - Day 4


This is a diary of what I've learned. Hopefully it will let other learners know what the course is like, and if it is worthwhile. Oh, and it might just help me remember what I'm learning!

The penultimate day. Try not to worry about the upcoming exam!

Today was lots of HTTP, TLS, and other low-ish level stuff like that. But mostly focussed on common website attacks.

Verdict

Bit of a repeat of yesterday's Windows session to make up for the broken labs. The exam requires 50% right answers to pass - so I feel quite relaxed if I fail the Windows portion. I reckon I should be about to get a few correct questions either by guesswork or memorising metasploit commands. With a bit of luck, I'll never have to interact with Windows in my professional life!

Painful start trying to get half-a-dozen students to correctly configure Burp suite. Sort of thing which either needs to be built into the labs, or have fool-proof instructions.

Discussion of OWASP - but only up to 2017. Lots of the stuff is a bit outdated. Tutor seemed to think the 2021 Top 10 was only in draft...

There was a good demo website to attack NotSoSecureApp.com - lots of playing around with Burp and DirBuster.

Again, only a short bit on mitigation. I think that would have been more useful for the target audience.

And, again, lots of trivia. There was one slide on Certificate Authorities. What could have been an interesting discussion on how they work and their weaknesses, was reduced to "they exist".

Similarly - there's an attack called POODLE. What is it? How does it work? Can it be defended against? Nothing.

But, overall, good. It was really focussed on Burp and SSLscan - just learning the tools rather than the underlying problems.

Practice Questions

From the Windows session. Through guesswork, I got 7/10.

  1. What Windows service typically uses UDP port 5353? (This question was wrong. Should be 5355.)
    • Kerberos
    • LLMNBR
    • NBTNS
    • NetBIOS
  2. Responder is often used with the -f switch, but what does that switch do?
    • Perform DNS lookups
    • Enables fast mode
    • Responds with false answers to DNS lookups
    • Enables fingerprinting of hosts that issue LLMNR queries
  3. James has run the nbtstat command against a device and receives a code 1C. what does this code denote?
    • The machine is a File Server Service
    • The machine is a Domain Master Browser
    • machine is a Workgroup member
    • machine is a Domain Controller
  4. What does the RID value 502 denote?
    • The account is an administrator account
    • The account is a guest account
    • The account is a bespoke user account
    • The account is a Kerberos Key Distribution service
  5. A common command when using PowerShell is the IEX command. What does IEX stand for?
    • IEX is an alias for Invoke-Expression
    • IEX stands for Import Executable
    • IEX stands for Interactive Executable
    • IEX is an alias for Import-External module
  6. Simon has PowerShell capabilities on a Windows 10 device and wants to record details about the default program installation paths, etc. What command should Simon use?
    • Get-ChildItem env:
    • ComputerInfo
    • System
    • AppvStatus
  7. Carl has attempted to run enum4linux against a Windows host device and has received the following error message: Couldn't get SID: NT_STATUS_ACCESS_DENIED. RID cycling not possible. What is the most likely cause of this error message?
    • The host isn't a Windows host
    • Carl needs to run enum4linux with the -NT switch
    • RestrictAnonymous registry key on the host is most likely set to 1
    • RestrictAnonymous registry key on the host is most likely set to 0
  8. Sandra has access via PowerShell to a Windows 10 host and wants to enumerate the machine to try to identify those users who are members of the Domain Admins group. What does she need to do to do in order to get this information?
    • Import the Microsoft.ActiveDirectory,Management.dll and then run Get-ADGroupMember -identity "Domain Admins"
    • Import the Microsoft.ActiveDirectory,Management.dll and then run Get-ADGroup -identity "Domain Admins"
    • Use the Get-SmbShare command to access the $IPC share on the domain controller and then run Get-GroupMember -Identity "Domain Admins"
    • Run the Get-DomainAdmins command
  9. Vernon has downloaded a ps1 file he wrote from his server to a Windows Server device, and now wishes to execute the file. What should he check before attempting to run the script?
    • The ExecutionPolicy should be checked to allow Vernon to run the unsigned script which has been downloaded from the Internet
    • That the PowerShell service has been started
    • That windows bitlocker is disabled
    • That he is an administrator
  10. James has gained access to a Windows network and has enumerated a device for SIDs. He has received the following 4 SIDs:
    S-1-5-21-2000478354-1708537768-1957994488-500
    S-1-5-21-2000478354-1708537768-1957994488-502
    S-1-5-21-2000478354-1708537768-1957994488-1000
    S-1-5-21-2000478354-1708537768-1957994488-1001

    • Which of the SIDs is identified as the default admin account?

Notes

HOSTS file manipulation

Basics of HTTP. Statelessness. Requests. Headers. User Agents.

`curl -v -X TRACE http://www.example.com`

Intro to Burp. Would have been better off watching https://www.youtube.com/embed/nECt-0zW0O4

DirBuster. Automated finding of common directories

Passive Scanning with Google.

Bug Bounties (!)

Useful info - defaults, directories, plugins, cms, server version, error messages. Extra methods like WebDAV being enabled.

Google "Dorks" - search for filetypes and common patterns.

2FA, authentication, OAuth.

GitHub info leakage.

OWASP cheat sheet.

Base64 basic auth. Digest MD5. NTLM.

Username enumeration. Login error messages can leak info.

Burp intruder - generates lots of server side logs. Intruder to iterate through usernames and passwords.

Password strength, HaveIBeenPwned. Password recovery. Stored hashed and salted. Poor account recovery questions like Mother's Maiden Name,

Increase security means reduced usability.

Use of sslscan to look for SSL/TLS errors.

Hash collisions. Store above SHA1. Token expiration times and reuse.

Don't store sensitive info in logs etc.

TLS to encrypt in transit. How to share keys? Diffie-Helman!

AES for symmetrical.

TLS stages - asym to start, then sym. Certificate authorities issue certs and validate them.

SSL is obsolete. TLS1.1 also obsolete. Disable old ones. Cupers > 128 bit.

Vertical attack - standard user elevating themselve. Horizontal - accessing someone else's info. Business logic attacks.

Parameter tampering.

WebScarab to check entropy of cookies. Session fixation - copy cookies to get access. Session ID in URl. Can be resused to get access. Use POST for those requests.

Basics of XSS. Reflected (sent by user). Stored (on server). Header manipulation.


Leave a Reply

Your email address will not be published.

%d bloggers like this: