SAN 560.3 - Coggle Diagram
SAN 560.3
Phases
Situation Awareness
Linux
Account (/etc/passwd) :star:
Group (/etc/group) :star:
Find Interesting Files :star:
Copy/Paste to move files :star:
Local File Pilfering :star:
Password representations (UNIX/Linux: /etc/passwd, Windows: SAM database) :black_small_square:
Crypto keys (SSH keys, PGP and GnuPG keys) :black_small_square:
Windows
Useful Environment Variables (set) :star:
Searching the File System (dir /b /s) :star:
Managing Windows Accounts and Groups :star:
Domain User (net user /domain) :black_small_square:
Local Groups (net localgroup) :black_small_square:
Domain Groups (net group) :black_small_square:
Analyzing a System :star:
Determining Firewall Settings (netsh advfirewall show allprofiles) :black_small_square:
Displaying and Scraping Through Files (type) :black_small_square:
Interacting with the Registry (reg) :black_small_square:
PowerView :star:
Active Directory reconnaissance :black_small_square:
pull a full list of AD user, computer and group objects with all attributes :black_small_square:
AD explorer :star:
signed by Microsoft :black_small_square:
Any domain user can request full AD layout :black_small_square:
Dump may contain passwords in notes fields :black_small_square:
Find passwords in ADExplorer output :black_small_square:
The output can only be read by AD Explorer :black_small_square:
Passwords
Representations
Windows (AD)
:star: SAM Database (Windows NT, 2000, XP, 2003)
- Local Windows password representations
- Stored %systemroot%\ntds\ntds.dit
- Two forms
:eight_pointed_black_star:LANMAN (16 bytes)
:eight_pointed_black_star:NT Hash (16 bytes)
:star: SAM Database
- authentication protocols used across the network
- Three forms
:eight_pointed_black_star:LANMAN Challenge/Response (21 bytes)
:eight_pointed_black_star:NTLMv1 (24 bytes)
:eight_pointed_black_star:NTLMv2 (uses the NTLMv2 One-Way Function (OWF))
:eight_pointed_black_star:Microsoft Kerberos
Linux
:star: Traditional DES-based schemes
:star: MD5 ($1$)
:star: BSDi Extended DES (_)
:star: Blowfish-based ($2$ or $2s$)
:star: SHA-256 ($5$)
:star: SHA-512 ($6$)
Tools
Obtaining Password
:star: Meterpreter hash dump
:star: mimikatz
:star: Volume Shadow Copy Service (VSS) on Domain Controller
:star: Sniff Challenge/response from the network
:star: NTDSUtil (Install from Media Feature)
Cracking
:star: JtR
- Single crack
- Wordlist
- Incremental (brute force attack)
- External (Write your own code)
:star: Hashcat
- specify multiple dictionaries
- specify rules files
- Masking
:star: Pcredz
Attack
:star: Responder
- NBNS (NetBIOS Name Service)
- LLMNR (Link-Local Multicast Name Resolution)
- HTTP/SMB
Post-Exploitation
:star: Tactics
- Persistence
- Privilege Escalation
- Defense Evasion
- Credential Access (password & hash attacks)
- Discovery (find new targets)
- Lateral Movement (move toward objectives)
- Collection
- Exfiltration
File Transfer
:star: HTTP(s)
- port 80, 443
- using browsers
- allowed outbound
:star: SCP (Secure Copy)
- part of the Secure Shell (SSH)
- TCP port 22 (default)
- encrypts all authentication and data in transit
- allowed outbound SSH
- Linux & Unix have SCP Client built in
:star: FTP
- uses ASCII mode
- Two connections
:black_small_square: FTP data (TCP port 20)
:black_small_square: FTP control (TCP port 21)
:star: TFTP (Trivial File Transfer Protocol)
- no authentication between tftp client and tftpd
- UDP port 69
:star: Windows File Sharing
- NetBIOS/SMB protocol
- TCP ports 135-139, 445
- Linux/Unix support this by using Samba
:star: NFS (Network File System)
- most commonly used on UNIX/Linux
- Windows NFS implementations also exist
- TCP and UDP port 204
:star: Netcat
:star: Meterpreter
:star: echo
Assumptions
Be less certain :star:
Ask "How often does that typically happen?" :star:
Think Probabilistically :star: