Answers to EH_20_00_quiz
Q. What is the full name of ‘admin’ in Windows?
A. Administrator, whose RID (relative ID) is 500.
Read more: https://en.wikipedia.org/wiki/Security_Identifier
Q. Which username would you try first when logging into an unknown FTP server?
A. anonymous
https://attack.mitre.org/techniques/T1078/001/
• rockyou
The industry-standard wordlist for password cracking.
History:
https://en.wikipedia.org/wiki/RockYou
Further reading:
There are some errors inside the wordlist; are you able to find them? Hint: macromedia
• www-data
www-data: Some web servers run as www-data. Web content should not be owned by this user, or a compromised web server would be able to rewrite a web site. Data written out by web servers, including log files, will be owned by www-data.
Thus, when you successfully exploit a process running as www-data, your security context will be www-data (it is also good security practice to run public-facing applications under low-privilege accounts).
Try $ ps -ef --forest to show the process tree on the command line.
• 4444
The default port used by Metasploit's TCP handler, also shared by many malware families.
https://www.speedguide.net/port.php?port=4444
• F12 mode
The browser's default hotkey to open the developer tools (debug mode).
https://developers.google.com/web/tools/chrome-devtools/javascript
• .htpasswd
The text file that stores credentials for HTTP Basic authentication.
htpasswd command: https://httpd.apache.org/docs/2.4/programs/htpasswd.html
Demo: https://www.youtube.com/watch?v=CbAkQ05OSJo
• LSASS
Local Security Authority Subsystem Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing the security policy on the system.
https://en.wikipedia.org/wiki/Local_Security_Authority_Subsystem_Service
Password hash dump from memory:
https://www.youtube.com/watch?v=nIUtvHWr6fQ
Stuxnet analysis:
https://techcommunity.microsoft.com/t5/windows-blog-archive/analyzing-a-stuxnet-infection-with-the-sysinternals-tools-part-1/ba-p/724029
• zone.identifier
If you download a file from the internet (or a local network), e.g. office.zip, an alternate data stream (ADS) named Zone.Identifier is attached to it (office.zip:Zone.Identifier) to record where the file was downloaded from.
https://en.wikipedia.org/wiki/NTFS#Alternate_data_streams_(ADS)
macOS does something similar (not called zone.identifier), recording the origin of a file before it is saved to disk.
• wp-config.php
The file that contains the credentials and configuration for WordPress.
• access.log
Apache access logs; there are two standard formats, common and combined.
https://httpd.apache.org/docs/1.3/logs.html
Further reading:
https://www.eurovps.com/blog/important-linux-log-files-you-must-be-monitoring/
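As an added example (not part of the quiz answers), here is a small parser for the combined format that also accepts common-format lines (which simply lack the referer and user-agent fields), run over constructed sample lines to summarize clients, status classes and denied requests the way a log review would:

```python
import re
from collections import Counter

# Regex for the Apache "combined" log format; the "common" format is the same
# line minus the trailing referer and user-agent fields, so both parse.
COMBINED_RE = re.compile(
    r'(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?$'
)

# Constructed sample lines (not taken from any real server).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /wp-config.php HTTP/1.1" 403 199 "-" "curl/7.88"
198.51.100.2 - alice [10/Oct/2023:13:56:01 +0000] "POST /login HTTP/1.1" 302 0 "https://example.test/" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2023:13:56:02 +0000] "GET /favicon.ico HTTP/1.1" 404 209
"""

def parse_line(line):
    """Return a dict of fields for one combined/common log line, or None."""
    m = COMBINED_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec

def summarize(text):
    """Count requests per client and per status class, and collect the
    denied (403) and not-found (404) paths that a log review looks at."""
    per_host, per_class, denied = Counter(), Counter(), []
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:          # skip lines in neither format
            continue
        per_host[rec["host"]] += 1
        per_class[f"{rec['status'] // 100}xx"] += 1
        if rec["status"] in (403, 404):
            denied.append((rec["host"], rec["path"], rec["status"]))
    return per_host, per_class, denied

if __name__ == "__main__":
    hosts, classes, denied = summarize(SAMPLE_LOG)
    print(dict(hosts), dict(classes))
    for host, path, status in denied:
        print(f"{host} -> {path} ({status})")
```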
• mimikatz
Industry-standard tool for dumping password hashes and for pass-the-hash (PtH) attacks.
https://github.com/gentilkiwi/mimikatz
• argv[0]
argv[0] is the command name; the parameters follow, starting at index 1 (there can be several).
https://docs.python.org/3/library/sys.html#:~:text=argv%5B0%5D%20is%20the%20script,0%5D%20is%20the%20empty%20string.
• Crontab
The config file location varies by Linux distro; user crontabs are per user, while the system crontab shown below carries an additional user field.
minute hour day-of-month month weekday user command
09,39 * * * * root [ -d /var/lib/php5 ] && find /var/lib/php5/ -type f -cmin +$(/usr/lib/php5/maxlifetime) -print0 | xargs -r -0 rm
47 */8 * * * root rsync -axE --delete --ignore-errors / /mirror/ >/dev/null
17 1 * * * root /etc/cron.daily/apt
17 1 * * * root /etc/cron.daily/aptitude
17 1 * * * root /etc/cron.daily/find
17 1 * * * root /etc/cron.daily/logrotate
17 1 * * * root /etc/cron.daily/man-db
17 1 * * * root /etc/cron.daily/ntp
17 1 * * * root /etc/cron.daily/standard
17 1 * * * root /etc/cron.daily/sysklogd
27 2 * * 7 root /etc/cron.weekly/man-db
27 2 * * 7 root /etc/cron.weekly/sysklogd
13 3 * * * archiver /usr/local/bin/offsite-backup 2>&1
32 3 1 * * root /etc/cron.monthly/standard
36 4 * * * yukon /home/yukon/bin/do-daily-stuff
5 5 * * * archiver /usr/local/bin/update-logs >/dev/null
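As an added example (not part of the quiz answers), this parser reads system-crontab lines in the format above, expands each time field (lists, ranges, steps, and weekday 7 as Sunday) into the set of values it matches, and rejects out-of-range values; the sample entries are copied from the listing above:

```python
# System crontab (/etc/crontab, /etc/cron.d/*): five time fields, user, command.
FIELDS = ("minute", "hour", "dom", "month", "dow")
RANGES = {"minute": (0, 59), "hour": (0, 23), "dom": (1, 31),
          "month": (1, 12), "dow": (0, 7)}   # dow 0 and 7 both mean Sunday

def expand(field, spec):
    """Expand a time spec ('*', '*/8', '09,39', '1-5', '7') into the set of
    integers it matches; ValueError if a value is outside the field's range."""
    lo, hi = RANGES[field]
    values = set()
    for part in spec.split(","):
        rng, _, step = part.partition("/")
        step = int(step) if step else 1
        if rng == "*":
            start, end = lo, hi
        elif "-" in rng:
            start, end = (int(x) for x in rng.split("-"))
        else:
            start = end = int(rng)
        if not (lo <= start <= end <= hi):
            raise ValueError(f"{field}: {part!r} outside {lo}-{hi}")
        values.update(range(start, end + 1, step))
    if field == "dow":                        # normalise Sunday (7) to 0
        values = {0 if v == 7 else v for v in values}
    return values

def parse_system_crontab(text):
    """Parse 'minute hour dom month dow user command' lines; skip comments."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 6)           # the command keeps its own spaces
        if len(parts) < 7:
            raise ValueError(f"malformed entry: {line!r}")
        job = {f: expand(f, spec) for f, spec in zip(FIELDS, parts[:5])}
        job["user"], job["command"] = parts[5], parts[6]
        jobs.append(job)
    return jobs

# Entries copied from the listing above (same system-crontab format).
SAMPLE = """\
09,39 * * * * root [ -d /var/lib/php5 ] && find /var/lib/php5/ -type f -cmin +$(/usr/lib/php5/maxlifetime) -print0 | xargs -r -0 rm
47 */8 * * * root rsync -axE --delete --ignore-errors / /mirror/ >/dev/null
27 2 * * 7 root /etc/cron.weekly/man-db
36 4 * * * yukon /home/yukon/bin/do-daily-stuff
"""
```

Grouping the parsed jobs by user is the usual first step of a crontab review, since what runs as root deserves the closest look.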
• /etc/shadow
Stores users' password hashes; the default permission is 640, owned by root.
Note that /etc/shadow is only consulted when the ‘authentication via shadow’ marker (x or *) is set in the password field of /etc/passwd.
https://en.wikipedia.org/wiki/Passwd
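As an added example (not part of the quiz answers), this audit joins constructed /etc/passwd and /etc/shadow excerpts: where passwd carries the x marker the hash is looked up in shadow, otherwise the passwd field itself is classified, so empty (passwordless), locked, disabled and hashed accounts can be told apart; the hashes and usernames are made up:

```python
# Constructed /etc/passwd and /etc/shadow excerpts (not from a real host).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
guest::1001:1001::/home/guest:/bin/bash
alice:x:1002:1002::/home/alice:/bin/bash
"""
SHADOW = """\
root:$6$saltsalt$FAKEHASHVALUE:19600:0:99999:7:::
www-data:*:19600:0:99999:7:::
alice:!$6$saltsalt$FAKEHASHVALUE:19600:0:99999:7:::
"""
HASH_IDS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}

def parse_colon_file(text, n_fields):
    """Split each line on ':' into exactly n_fields columns, keyed by username."""
    rows = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) != n_fields:
            raise ValueError(f"unexpected field count: {line!r}")
        rows[parts[0]] = parts
    return rows

def classify_hash(field):
    """Describe a password field: empty, locked, disabled, or its crypt(3) scheme."""
    if field == "":
        return "EMPTY (passwordless login may be allowed)"
    if field.startswith("!"):
        return "locked"
    if field == "*":
        return "disabled (no valid hash)"
    if field.startswith("$"):           # $id$salt$hash, id selects the scheme
        return HASH_IDS.get(field.split("$")[1], "unknown crypt id")
    return "legacy DES or malformed"

def audit(passwd_text, shadow_text):
    """Join passwd with shadow: 'x' means the hash is in shadow, else passwd holds it."""
    passwd = parse_colon_file(passwd_text, 7)
    shadow = parse_colon_file(shadow_text, 9)
    report = {}
    for name, fields in passwd.items():
        marker = fields[1]
        if marker != "x":
            report[name] = "passwd: " + classify_hash(marker)
        elif name not in shadow:
            report[name] = "x but no shadow entry"
        else:
            report[name] = classify_hash(shadow[name][1])
    return report
```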
• iptables
The default firewall for Linux.
https://linux.die.net/man/8/iptables
• WoW64
In computing on Microsoft platforms, WoW64 (Windows 32-bit on Windows 64-bit) is a subsystem of the Windows operating system capable of running 32-bit applications on 64-bit Windows.
https://en.wikipedia.org/wiki/WoW64
• LoadLibraryA
• VirtualAllocEx
Advanced topic in Reverse Engineering:
LoadLibrary resolves to either LoadLibraryA (the ANSI version) or LoadLibraryW (the Unicode version), depending on the build's character-set setting.
It is used to load libraries at run time instead of having them statically defined in the IAT (Import Address Table).
VirtualAllocEx is used in DLL injection.
https://en.wikipedia.org/wiki/DLL_injection
• NOP
No Operation; x86 machine code 0x90.
• C:\Windows\System32\Drivers\etc\
Stores the hosts file, which is consulted for host-name resolution at the highest priority, before DNS (static resolution).
• getElementById()
A JavaScript DOM method commonly used to locate an element of an HTML page by its id.
https://www.w3schools.com/jsref/met_document_getelementbyid.asp