
CYB 4302, Cyber Warfare and Application 1

Course Learning Outcomes for Unit IV

Upon completion of this unit, students should be able to:

4. Conduct enumeration.
   4.1 Describe enumeration.
   4.2 Discuss the steps involved in enumerating Windows.
   4.3 Demonstrate the steps involved in enumerating Linux.

Required Unit Resources

Chapter 4: Enumeration and System Hacking—Read the following sections:

• Foundation Topics
• Enumeration
• System Hacking
• Summary

Unit Lesson

Enumeration and System Hacking

In Unit III, you learned about information gathering to learn as much as possible about a target identified for an ethical hacking engagement. In this lesson, you will develop a better understanding of how enumeration is used to create a deeper level of target knowledge. This lesson will also introduce some specifics of the Windows operating system and how it can be targeted during a pentest. After you complete this lesson, you should be able to:

• understand enumeration,
• be familiar with enumeration tools,
• explain the architecture of Windows systems,
• discuss Windows users and groups, and
• understand the steps involved in Windows hacking.

Enumeration

Enumeration is the process of developing an in-depth understanding from end to end of the target environment. Scanning identifies where vulnerabilities might be present. Enumeration fills in the details, including user accounts, groups, network connections, and system-level knowledge (Knowledge Hut, 2020). Enumeration is an active process. In summary, enumeration is an in-depth analysis of targeted computers that involves actively connecting to the target systems to identify user accounts, system accounts, services, and other helpful information.

UNIT IV STUDY GUIDE Enumeration and System Hacking

Windows Enumeration

It follows then that Windows enumeration is developing a detailed knowledge of Windows servers, clients, and the entire Windows environment for the target. Microsoft produced different versions of the Windows operating system for both client systems and servers. The client versions run on workstations and laptops and have in recent years been designated with numbers: Windows 7, 8, or 10. The server operating systems are designated by the year of release: Server 2003, Server 2012 (Melendez, 2018). Regardless of whether intended for the client or server versions, the Windows architecture is essentially the same. Today’s architecture was initially developed for the Windows NT system, which provided both client and server versions. The architecture has evolved in subsequent versions, but the main structure has remained constant. The Windows architecture divides processes into two separate areas: a user area, where the usual user-initiated processes operate, and the kernel, where the core operating system processes operate. Processes that run in the user area have protections to prevent them from interfering with the system’s core operation, including the kernel functions. The kernel or system processes are allowed to execute without restrictions (InformIT, 2001). An ethical hacker’s knowledge of the Windows architecture needs to incorporate the following points.

• The goal is to identify a user or system account to be exploited.
• Windows OS is available in client and server versions:
  o Windows Vista, 7, and 8 are examples of client systems.
  o Windows Server 2003, 2008, and 2012 are examples of server systems.
• Windows architecture has two basic modes:
  o User mode (ring 3):
     Has restrictions.
     Antivirus tools can detect malicious programs.
  o Kernel mode (ring 0):
     Allows full access to all resources.
     Malicious code can hide and is harder to detect.

Every process that executes on a Windows system runs in the context of an account. Some accounts are system components, and some are executed by a user. Every account in a Windows system is given a unique identifier when it is created. This identifier is called a security identifier, or SID for short. This identifier is what allows Windows to identify who is running what process. The displayed name could be “Bob,” but underneath, Bob has a unique SID that the system uses to recognize him (Microsoft, 2017). Windows SIDs incorporate a relative identifier (RID) that identifies the account or group relative to where it was created, either locally or in a Windows domain. This ensures that all issued SIDs are unique. The points below provide a summary of this information.

• All code runs in the context of an account.
• Security identifiers:
  o SID: Identifies users, groups, and computer accounts
  o RID: A portion of the SID that identifies a user or group and what authority the user has
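To make the SID/RID relationship concrete, here is an added example (not from the study guide) that parses a SID string, separates the issuing machine or domain identifier from the RID, and flags a built-in Administrator account that has been given another display name. The sample SIDs are constructed; the well-known RID and SID values are Microsoft's documented constants.

```python
"""Break a Windows SID into its parts and reason about the RID.

Added example, not from the study guide. The sample SIDs used with it are
constructed; the well-known RID and SID values below are Microsoft's
documented constants, which is why they recur on every machine and domain.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

WELL_KNOWN_RIDS = {
    500: "Administrator (built-in)",
    501: "Guest (built-in)",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    519: "Enterprise Admins",
}

# Universal SIDs that are not issued relative to a machine or domain.
UNIVERSAL_SIDS = {
    "S-1-5-18": "LocalSystem",
    "S-1-5-19": "LocalService",
    "S-1-5-20": "NetworkService",
}

_SID_RE = re.compile(r"^S-(?P<rev>\d+)-(?P<auth>\d+)(?P<subs>(?:-\d+)+)$")


@dataclass(frozen=True)
class Sid:
    revision: int
    identifier_authority: int
    sub_authorities: Tuple[int, ...]

    def _join(self, subs: Tuple[int, ...]) -> str:
        return "S-%d-%d-%s" % (self.revision, self.identifier_authority,
                               "-".join(str(s) for s in subs))

    @property
    def text(self) -> str:
        return self._join(self.sub_authorities)

    @property
    def is_domain_relative(self) -> bool:
        # Machine and domain accounts look like S-1-5-21-<a>-<b>-<c>-<RID>:
        # the three middle values identify the issuer, the last one is the RID.
        return (self.identifier_authority == 5
                and len(self.sub_authorities) == 5
                and self.sub_authorities[0] == 21)

    @property
    def rid(self) -> Optional[int]:
        return self.sub_authorities[-1] if self.is_domain_relative else None

    @property
    def issuer(self) -> Optional[str]:
        """The machine or domain SID that issued this account's RID."""
        return self._join(self.sub_authorities[:-1]) if self.is_domain_relative else None


def parse_sid(text: str) -> Sid:
    m = _SID_RE.match(text.strip())
    if not m:
        raise ValueError("not a SID string: %r" % text)
    subs = tuple(int(s) for s in m.group("subs").split("-") if s)
    return Sid(int(m.group("rev")), int(m.group("auth")), subs)


def describe(text: str) -> str:
    """Name the principal a SID refers to, as far as the RID reveals it."""
    sid = parse_sid(text)
    if sid.text in UNIVERSAL_SIDS:
        return UNIVERSAL_SIDS[sid.text]
    if sid.rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[sid.rid]
    if sid.rid is not None and sid.rid >= 1000:
        return "user-created account or group (RID %d)" % sid.rid
    return "unrecognised SID"


def is_renamed_builtin_admin(display_name: str, text: str) -> bool:
    """The display name can be changed to "Bob"; RID 500 cannot."""
    return parse_sid(text).rid == 500 and display_name != "Administrator"


def same_issuer(a: str, b: str) -> bool:
    """True when two accounts were created by the same machine or domain."""
    ia, ib = parse_sid(a).issuer, parse_sid(b).issuer
    return ia is not None and ia == ib
```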


Windows Security

Windows stores information about accounts and groups in a security account manager (SAM) database. The SAM database is stored locally on a stand-alone Windows machine and stored in Active Directory if the machine is a member of a Windows Active Directory domain (Threat Hunter Playbook, 2020). Every Windows computer runs a local security authority (LSA) that manages all the user security policy decisions, including password verification or password changes. A Windows process called local security authority subsystem service (LSASS) is responsible for implementing the local security policy. The executable for the LSASS is lsass.exe (Gola, 2021). The list below summarizes this information.

• User accounts and passwords are stored in:
  o SAM database on the local machine
     Windows registry – HKLM\SAM
  o Active Directory in a domain environment
• LSASS:
  o User-mode process responsible for local security policy

For reasons of backward compatibility, Windows supports an alternate network protocol, NetBIOS. NetBIOS was developed in the 1980s and adopted by Microsoft, running over TCP/IP networks to support file and printer sharing between computers running on the same local network. NetBIOS uses the server message block (SMB) protocol to allow files and directories to be shared between computers belonging to the same network. The NetBIOS protocol has fallen out of use but is still installed by default to support legacy devices that need NetBIOS to communicate with newer operating systems. SMB functions no longer require NetBIOS and can run natively over TCP/IP networks. NetBIOS and early versions of the SMB protocol were notorious for security issues that were easily exploited. For this reason, NetBIOS is rarely active on Windows computers anymore (Security Check, 2018).

• NetBIOS:
  o A vulnerability found on Windows legacy systems
  o Used with Server Message Block (SMB) to remotely access shared files and directories
• SMB:
  o Enables remote access of shared directories and files
  o Makes it possible for a user to create shares

Windows systems have hidden administrative file shares defined by default. What makes these administrative shares hidden is the $ appended to the share name. These shares are used by applications or administrators and are not intended for regular system users. Some of these can be removed if not required as part of Windows system hardening, but some are essential to system operation (Microsoft, 2020).


There is one administrative share that is required to exist to facilitate communication and data sharing between applications. The applications using this share could be executing on different computers and using InterProcess Communication (IPC) capabilities to communicate. One method of communication makes use of the IPC administrative share IPC$. This share is used as part of the named pipes process of application-to-application communication (Microsoft, 2018). Summary notes on the IPC share are below.

• InterProcess Communication (IPC):
  o Offers a default share on Windows systems – IPC$
     A hidden share
     Enables anonymous connection using the net view and net use commands in Windows 2000/XP/2003
     IPC$ can be used to enumerate user details, account information, and weak passwords

NetBIOS Enumeration Tools

There are many tools that an ethical hacker can use to enumerate Windows systems. The following subset of tools is particularly useful in working with NetBIOS features (Ubalt.edu, 2017).

• Set up a null session:
  o Set up manually using the net use command:
     net use \\target\ipc$ "" /u:""
  o The amount of information collected depends on the version of Windows running and the configuration.
     Older Windows systems reveal more information.
• DumpSec:
  o Windows-based GUI tool
  o Can connect to a Windows system remotely and obtain user account information and share permissions
• GetAcct:
  o Connect to target by IP or NetBIOS name
  o Extract account information such as SID, RID, comments, full names

Enumeration Tools

As might be expected, with a platform as popular as Windows, there are many tools that can be used for enumerating a Windows machine. Recall that the goal of enumeration is to develop detailed knowledge of users, groups, and other network features such as shared drives (Infosec Institute, 2021a). The selection of tools listed below is a subset of all that is available.

• SID2USER and USER2SID
  o Obtain account name from SID and SID from the account name
• SuperScan
  o Retrieve information about any known user from a vulnerable system
• Userinfo
  o Command-line
  o Retrieve information for users in NT/2000/XP
• GetAcct
  o GUI tool used to enumerate Windows systems
• GetUserInfo
  o Command-line tool that extracts user account info from a computer or domain
• Ldp
  o Can be used to enumerate all users in built-in groups in AD if port 389 is open
• Nbtstat
  o Built-in Windows command tool
  o Used to troubleshoot NetBIOS name resolution problems

Simple Network Management Protocol (SNMP) Enumeration

The Simple Network Management Protocol (SNMP) is a protocol that is used for monitoring and managing computers over a network. The SNMP protocol allows the collection of system information such as CPU or disk usage from computers on the network. This allows a network management tool to provide notifications for events, like high CPU utilization or low available disk space. SNMP agents that can report this information may even be running on network routers and switches. SNMP is an application layer protocol that runs over UDP. Beyond collecting data, SNMP allows that same data to be pushed or updated to computers or equipment running as SNMP agents (Panhalkar, 2020). Historically, SNMP-managed devices have maintained two different community strings that are used to authenticate communications. The first is a read-only community that defaults to public, and the second is read-write and by default called private. The community strings used to authenticate in older releases were sent in clear text, allowing them to be intercepted (Grey Campus, 2020). The summary below provides additional detail on SNMP enumeration.

• SNMP is a TCP/IP protocol used for remote management:
  o Version 3 offers encryption and authentication
  o Versions 1 and 2 are vulnerable to attacks
• Tools for SNMP enumeration:
  o snmpwalk
  o IP Network Browser
  o SNScan
• Countermeasures:
  o Turn off SNMP if not in use, or use version 3
  o Block port 161
  o Change community strings and have a different community string for each network zone
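As an added example (not from the study guide), the following audit applies the countermeasures above to a net-snmp snmpd.conf: it flags default community strings, communities accepted from any source, read-write communities, and v3 users that do not require privacy. The two configuration texts are constructed samples; the directive names are real net-snmp syntax.

```python
"""Audit a net-snmp snmpd.conf for the SNMP weaknesses described above.

Added example, not from the study guide. WEAK_CONF and HARDENED_CONF are
constructed samples; rocommunity/rwcommunity/rouser/rwuser/createUser are
real net-snmp directives.
"""
from typing import List, Tuple

DEFAULT_COMMUNITIES = {"public", "private"}
WEAK_V3_ALGOS = {"MD5", "DES"}

# Constructed sample: the defaults an SNMP enumeration tool tries first.
WEAK_CONF = """\
# snmpd.conf (weak): vendor defaults left in place
rocommunity public
rwcommunity private
"""

# Constructed sample: a v3 authPriv user, plus one unique, source-restricted
# v2c read-only string for a legacy monitor (one string per network zone).
HARDENED_CONF = """\
createUser mgmt SHA "<auth-passphrase>" AES "<priv-passphrase>"
rouser mgmt priv
rocommunity Zt7-monitor-east 10.20.0.0/24
"""


def audit_snmpd_conf(text: str) -> List[Tuple[int, str]]:
    """Return (line number, finding) pairs; an empty list means nothing flagged."""
    findings: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        directive = tokens[0].lower()

        if directive in ("rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"):
            community = tokens[1] if len(tokens) > 1 else ""
            # net-snmp: a missing source, or the literal "default", accepts any peer
            source = tokens[2] if len(tokens) > 2 else "default"
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append((lineno, "default community string %r" % community))
            if source == "default":
                findings.append((lineno, "community %r accepted from any source" % community))
            if directive.startswith("rw"):
                findings.append((lineno, "read-write community %r allows SNMP SET" % community))

        elif directive in ("rouser", "rwuser") and len(tokens) > 1:
            # net-snmp's default minimum security level for rouser/rwuser is "auth"
            level = tokens[2].lower() if len(tokens) > 2 else "auth"
            if level != "priv":
                findings.append((lineno, "v3 user %r does not require privacy" % tokens[1]))

        elif directive == "createuser" and len(tokens) >= 3:
            # createUser USER AUTHPROTO AUTHPASS [PRIVPROTO PRIVPASS]
            auth_proto = tokens[2].upper()
            priv_proto = tokens[4].upper() if len(tokens) > 4 else None
            if auth_proto in WEAK_V3_ALGOS or priv_proto in WEAK_V3_ALGOS:
                findings.append((lineno, "v3 user %r uses a weak algorithm" % tokens[1]))
            if priv_proto is None:
                findings.append((lineno, "v3 user %r has no privacy protocol" % tokens[1]))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_snmpd_conf(conf) or "no findings")
```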

Linux and UNIX Enumeration

The enumeration process for Linux and Unix has the same goals as described for enumerating Windows machines: detailed information on system users, services, shares, and applications is collected (Boelen, 2018). This process can be more difficult on Linux than on Windows, but there are tools and commands that are effective on Linux as well. Some of them are listed below.

• Rpcclient
• Showmount
• Finger
• Rpfinfo
• Enum4linux


NTP Enumeration

The Network Time Protocol (NTP) provides a mechanism for a network of computers to keep their clocks synchronized. This is an essential element for reliable cooperative processing, such as when the database server for an application resides on a separate host from the web front-end. NTP makes use of UDP on port 123. Like all open ports, this provides a potential opportunity to gather more information. The NTP process supports commands that can be used to extract additional information about NTP and connections that participate in synchronization (Zerosuniverse, 2019). The list below contains commands that gather NTP information.

• Ntpdate
• Ntptrace
• Ntpdc
• Ntpq

Like many other ethical hacking tasks, the process of gathering NTP information can benefit from using specialized tools. The list below identifies some tools that are useful for NTP enumeration tasks.

• PresenTense Time Server
• NTP Server Scanner
• LAN Time Analyzer (Starhackx, 2014)

SMTP Enumeration

Simple Mail Transfer Protocol (SMTP) is a protocol for exchanging email messages. SMTP is another service that, if active, is assigned to a port below 1024. In the case of SMTP, it traditionally operates on port 25. Many organizations block communication on port 25, and some additional ports are sometimes used, including ports 465, 587, and 2525 (Sobowale, 2020). As with other enumerations, an ethical hacker can use tools to obtain additional information from SMTP. The list below identifies some of the tools that will be useful (Hamza, 2021).

• NetScan Tool Pro
• Nmap
• Telnet

DNS Enumeration

The Domain Name System (DNS) should be familiar from the information gathering methods covered in a previous lesson. DNS provides address to name translation, allowing computer resources on a network to be located more easily. During enumeration, this is precisely the information we are looking for. DNS can have vulnerabilities and is prone to misconfiguration. Even without any cheating, DNS will provide lots of helpful enumeration information. A partial list of DNS enumeration tools is provided below (Borges, 2021).

• Nslookup
• Digdug
• WhereIsIp
• NetInspector
• Men and Mice Management Console

Watch this short video on how DNS records are enumerated using DNSRecon. A transcript and closed-captioning are available once you access the video.

Windows Hacking

Windows has a dominant market position for desktop and server operating systems (StatCounter, 2021). As a result, it is a target for hackers, including ethical ones. Many different methods can be used to compromise a Windows platform that range from unsophisticated to very complex. Towards the unsophisticated end of the range are non-technical approaches that include simply asking users for their passwords using social engineering approaches. An example scenario might be impersonating IT support and saying you need a user’s password to check their system for malware. Humans have a habit of writing down important things like passwords. A casual walk around with an eye to sticky notes may yield names and passwords. Perhaps helpful information has been placed in the trashcan. These techniques have worked without requiring any technical hacking. Toward the more sophisticated end, passwords can be guessed using personal information that may have been found, such as the name of a spouse or a pet, and some passwords are just poor (Shibu, 2020). Passwords can often be determined by automated attacks or the installation of keylogging software. Windows can be exploited using vulnerabilities that have been identified during information gathering or enumeration (Cybersecurity & Infrastructure Security Agency, 2020). The list below summarizes the technical and non-technical approaches that might be used to breach a Windows system.

• Non-technical password attacks:
  o Dumpster diving
  o Social engineering
  o Shoulder surfing
• Technical password attacks:
  o Password guessing
  o Automated password guessing
  o Password sniffing
  o Keyloggers
  o Exploit a vulnerability

Password Guessing

Passwords can be guessed using manual and automated methods. Most of the focus for ethical hacking is on the use of automated tools to determine passwords. This process is enabled by using the list of users that have already been enumerated. Password cracking can take different approaches depending on the tool used: some use brute force, others use dictionary-style attacks, and some use a hybrid approach (Infosec Institute, 2021b). Regardless of the tool’s approach, it will make multiple attempts to guess the password of a user account. If the organization being targeted uses an account lockout policy that disables an account after several unsuccessful attempts, the password guessing process could lock a large number of accounts. This may be acceptable or a desirable effect for a malicious hacker, but this is not acceptable for an ethical hacker. The list below identifies some of the popular Windows password cracking tools (Software Testing Help, 2021).

• NetBIOS Auditing Tool (NAT)
  o Command-line password guessing tool
• Brutus
• THC Hydra
• Venum

Password Sniffing and Keystroke Loggers

Another method for compromising passwords is to gather them as they are entered rather than trying to guess them. This approach requires some physical access to a computer or local network. Historically, Windows passwords sent over the network were easy to crack, as the encryption and protocols were not very secure (Ssh.com, 2021). In later releases of Windows, user authentication uses Kerberos. Kerberos offers better security, but authentication traffic can still be sniffed, and weak passwords can still be compromised (Smith, 2018). There are many ways and tools that can be used to collect passwords or password hashes and attack them. A few are listed below (Grimes, 2018).

• Pass-The-Hash
• ScoopLM
• KerbCrack
  o Used to attack the Kerberos protocol
  o Two tools in one:
     Sniffer
     Password cracking program

A keystroke logger, or keylogger, is a type of malware that is ideally suited to obtaining passwords as they are entered. Keystroke loggers can be hardware or software, but the software approach is more common. A keylogger captures everything that is entered through the keyboard of an infected computer. The trick is getting the victim to install the keylogger onto their computer. Malicious emails or websites are a common vector to infect computers with a keystroke logger. Once installed, the logger sends the results of its collection efforts back to the attacker (GeeksforGeeks, 2020). This is one of the oldest categories of hacking tools, so there are many to choose from. The list below identifies some choices.

• ISpyNow
• PC Activity Monitor
• Spector

Privilege Escalation and Exploiting Vulnerabilities

Previous lessons have described the hacking and ethical hacking process. Having gained access, the next step is to get administrative access to the compromised system. Several techniques can be used on a Windows system. Replacing Dynamic Link Library (DLL) files and hijacking unquoted directory paths are two tactics that are commonly used. If the attacker has physical access to the computer, it can be booted from removable media, and files can be replaced with more malicious versions. The Windows system can be tricked into running the modified program files under the SYSTEM account using its high-level permission to open a more permanent back door (SEC Consult, 2019). These and other common techniques are summarized below.

• Trick users into executing the program
• Copy the privilege escalation tool to the target system and schedule it to execute with the AT command
• Exploit an application
• Gain interactive access using PC Anywhere or Terminal Server

As with other ethical hacking steps, there are tools that can be used to make the process easier and quicker. The tools listed below are a subset of ones that might be useful (Cyber Security Research, 2018).

• Billybastard.c
• ANI Exploit
• Getad
• ERunAs2X

Owning the Box

After gaining access to a system and escalating privileges to a local administrator, the system’s remaining accounts can be compromised. The compromise can consist of breaking the passwords or using the administrator account to reset the passwords. Having a high privilege account allows the attacker to obtain the entire Security Account Manager (SAM) database of accounts and passwords. A copy of this can be taken to a separate system to attempt cracking (Ethical Hacking and Penetration Testing, 2021). If required, the local administrator can reset account passwords, and there will be no more inaccessible accounts on that computer. The process of “owning the Box” is summarized below.

• Obtain SAM database:
  o Stores user passwords in hashed form
  o Encrypted
• Reset passwords


Authentication Types

Windows has supported different methods and versions of authentication protocols during its history. The earlier versions, such as LM, NTLM, and NTLM v2, are examples based on LANMAN and are considered less secure than Kerberos (CrowdStrike, 2021). A summary of Windows authentication methods is below.

• LM authentication:
  o Used by Windows 95/98/Me
  o Based on DES
  o Easy to crack
  o Could still be used for backward compatibility
• NTLM authentication:
  o Used by Windows NT before service pack 3
  o Based on DES and MD4
• NTLM v2:
  o Based on MD5 and MD5
• Kerberos:
  o Windows 2000 and later

Password Cracking

This lesson discussed many password cracking approaches and tools. As a reminder, password attacks come in three basic types. A brute force method attempts multiple passwords on an account, trying each unique combination of characters, numbers, and symbols until one unlocks the account. Dictionary attacks use a predefined list of words as passwords to unlock an account, and a hybrid approach uses a combination of both approaches (Netacea, 2021). Some programs can execute these strategies for cracking Windows passwords. Two of them, L0phtcrack and Pwdump, are summarized below.

• L0phtcrack:
  o Can extract hashes from local or remote machines
  o Can sniff passwords from the local network if used with an admin account
• Pwdump:
  o Command-line tool that can bypass SYSKEY encryption
  o Needs admin rights

Covering Tracks

The last steps in a successful hacking engagement are securing future access and covering any evidence that the system has been compromised. Ongoing access is secured by installing a Windows rootkit that will allow the attacker to continue to access the compromised computer. There are many available that can fill that role (Microsoft, 2021). Two examples are FU and Vanquish. An attacker wants to remove all traces of their exploits. This includes cleaning up event logs and removing temporary files and command histories. Some commands and tools are used to disable logging of security events, clear event logs, and remove other system information that would raise suspicions. A summary of commands and tools for performing these actions is below.

• Disable logging:
  o Auditpol command-line tool
• Clear the log file:
  o Winzapper, Evidence Eliminator, and Elsave
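The following added example (not from the study guide) takes the defender's view of two behaviours in this lesson: the many-account password guessing described under Password Guessing, and the audit-policy and log tampering described here. It runs two detection rules over a constructed, flattened sample of Windows Security events; the event IDs 4625, 4624, 1102 and 4719 are the real Windows Security event IDs, while the "timestamp|event_id|account|source" line format is an assumed simplification.

```python
"""Detect password guessing and anti-forensic actions in Windows Security events.

Added example, not from the study guide. SAMPLE_EVENTS is a constructed
sample flattened to "timestamp|event_id|account|source" (not real EVTX
output). Event IDs: 4625 failed logon, 4624 successful logon, 1102 audit
log cleared, 4719 system audit policy changed (what auditpol produces).
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

Event = Tuple[datetime, int, str, str]   # (time, event id, account, source)

SAMPLE_EVENTS = """\
2021-09-01T10:00:01|4625|alice|10.0.0.9
2021-09-01T10:00:02|4625|bob|10.0.0.9
2021-09-01T10:00:03|4625|carol|10.0.0.9
2021-09-01T10:00:04|4625|dave|10.0.0.9
2021-09-01T10:00:05|4625|erin|10.0.0.9
2021-09-01T10:00:06|4625|frank|10.0.0.9
2021-09-01T10:00:30|4624|bob|10.0.0.9
2021-09-01T10:15:00|4625|alice|10.0.0.23
2021-09-01T10:20:00|4719|-|local
2021-09-01T10:21:00|1102|bob|local
"""

WINDOW = timedelta(seconds=60)   # sliding window for the guessing rule
MIN_ACCOUNTS = 5                 # distinct accounts failing from one source
ANTI_FORENSIC_EVENTS = {
    1102: "audit log cleared",
    4719: "system audit policy changed",
}


def parse_events(text: str) -> List[Event]:
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, account, source = line.split("|")
        events.append((datetime.fromisoformat(ts), int(eid), account, source))
    return sorted(events)


def detect_password_guessing(events: List[Event]) -> List[Dict]:
    """One alert per source whose failed logons hit MIN_ACCOUNTS distinct
    accounts inside WINDOW (the pattern that trips account lockout policies);
    the alert records whether a successful logon from that source followed."""
    failures: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    successes: Dict[str, List[datetime]] = defaultdict(list)
    for ts, eid, account, source in events:
        if eid == 4625:
            failures[source].append((ts, account))
        elif eid == 4624:
            successes[source].append(ts)

    alerts = []
    for source, fails in failures.items():
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > WINDOW:
                start += 1                      # slide the window forward
            accounts = sorted({a for _, a in fails[start:end + 1]})
            if len(accounts) >= MIN_ACCOUNTS:
                last = fails[end][0]
                alerts.append({
                    "source": source,
                    "window_start": fails[start][0].isoformat(),
                    "accounts": accounts,
                    "later_success": any(t > last for t in successes[source]),
                })
                break                           # one alert per source
    return alerts


def detect_anti_forensics(events: List[Event]) -> List[Dict]:
    """Every log-clearing or audit-policy-change event, in time order."""
    return [
        {"time": ts.isoformat(), "event_id": eid, "account": account,
         "description": ANTI_FORENSIC_EVENTS[eid]}
        for ts, eid, account, _ in events if eid in ANTI_FORENSIC_EVENTS
    ]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for alert in detect_password_guessing(evs) + detect_anti_forensics(evs):
        print(alert)
```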

Hackers may wish to hide information on the compromised system away from prying eyes. A simple way is to mark the file as hidden. This will keep the file from being listed or viewed, but it is not a very robust way to hide files (Gibb, 2017). Another method is to hide information in the unused space in existing file allocations. This additional space is referred to as slack space and is an artifact of how Windows allocates disk space to files (Alleyne, 2021). Another tactic is to use an Alternate Data Stream (ADS), a specific file attribute that can exist in the Windows NTFS file system. ADS allows additional text to be placed inside a file that is not usually seen. PowerShell and other tools can be used to expose the information placed in the ADS attribute (Arntz, 2016). The list below summarizes these data hiding approaches.

• File hiding:
  o Locate hidden attributes.
  o Use Alternate Data Streams (ADS).
  o Hide in slack space.

Summary

In this lesson, you learned about enumerating Windows computers to obtain detailed information on users, groups, and system attributes. This included using enumeration capabilities against many standard services such as NTP, SMTP, and SNMP. In addition, this lesson described how the Windows architecture is divided into user mode and kernel mode, where kernel-mode processes have a higher level of access. Finally, this lesson has also described how ethical hackers can compromise a Windows system using various tools, commands, and approaches.

References

Alleyne, N. (2021, June 10). Hiding data in slack space: USB drive. Learning by Practicing. https://www.securitynik.com/2014/10/hiding-data-in-slack-space-usb-drive.html

Arntz, P. (2016, March 30). Introduction to alternate data streams. Malwarebytes Labs. https://blog.malwarebytes.com/101/2015/07/introduction-to-alternate-data-streams/

Boelen, M. (2018, June 29). Understanding Linux privilege escalation and defending against it. Linux Audit. https://linux-audit.com/understanding-linux-privilege-escalation-and-defending-against-it/

Borges, E. (2021, June 9). DNS enumeration: Top DNS recon tools and techniques. SecurityTrails. https://securitytrails.com/blog/dns-enumeration

Cybersecurity & Infrastructure Security Agency. (2020). Critical vulnerabilities in Microsoft Windows operating systems. https://us-cert.cisa.gov/ncas/alerts/aa20-014a

CrowdStrike. (2021, March 12). NTLM explained: Definition, protocols & more. https://www.crowdstrike.com/cybersecurity-101/ntlm-windows-new-technology-lan-manager/

Cyber Security Research. (2018, September 9). GHR 104 – Windows hacking. https://gingsoft.com/?page_id=1791

Ethical Hacking and Penetration Testing. (2021). How to hack a Windows password. https://miloserdov.org/?p=4129

GeeksforGeeks. (2020, August 13). Ethical hacking - Keyloggers. https://www.geeksforgeeks.org/ethical-hacking-keyloggers/

Gibb, T. (2017, July 11). Make a super hidden folder in Windows without any extra software. How-To Geek. https://www.howtogeek.com/104825/make-a-super-hidden-folder-in-windows-without-any-extra-software/

Grey Campus. (2020). SNMP enumeration. https://www.greycampus.com/opencampus/ethical-hacking/snmp-enumeration

Grimes, R. (2018, October 15). Types of password attacks. IT Pro. https://www.itprotoday.com/security/types-password-attacks

Gola, N. (2021, April 4). What is lsass.exe in Windows 10 and how to know if it is a virus? The Windows Club. https://www.thewindowsclub.com/what-is-lsass-exe-in-windows-10

Hamza, M. (2021, January 8). SMTP enumeration technique. Medium. https://hamzamhirsi.medium.com/smtp-enumeration-technique-20c7aab1887a

InformIT. (2001). Windows 2000 architecture. https://www.informit.com/articles/article.aspx?p=21122

Infosec Institute. (2021a, May 13). What is enumeration? [Updated 2021]. Infosec Resources. https://resources.infosecinstitute.com/topic/what-is-enumeration/

Infosec Institute. (2021b, May 27). Ethical hacking: Breaking Windows passwords. Infosec Resources. https://resources.infosecinstitute.com/topic/ethical-hacking-breaking-windows-passwords/

Knowledge Hut. (2020, November 2). What is enumeration in ethical hacking? https://www.knowledgehut.com/blog/security/enumeration-in-ethical-hacking

Melendez, S. (2018, August 8). Different types of Windows operating systems. https://smallbusiness.chron.com/different-types-windows-operating-systems-48440.html

Microsoft. (2017, April 19). Security identifiers (Windows 10) - Microsoft 365 Security. Microsoft Docs. https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-identifiers

Microsoft. (2018, May 31). Interprocess communications - Win32 apps. Microsoft Docs. https://docs.microsoft.com/en-us/windows/win32/ipc/interprocess-communications

Microsoft. (2020, October 12). Remove administrative shares - Windows Server. Microsoft Docs. https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/remove-administrative-shares

Microsoft. (2021, April 13). Rootkits - Windows security. Microsoft Docs. https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/rootkits-malware

Netacea. (2021, May 11). Everything you need to know about password cracking. https://www.netacea.com/glossary/password-cracking/

Panhalkar, T. (2020, September 4). What is SNMP enumeration? Infosavvy. https://info-savvy.com/what-snmp-enumeration/

SEC Consult. (2019, April 18). Windows privilege escalation – An approach for penetration testers. https://sec-consult.com/blog/detail/windows-privilege-escalation-an-approach-for-penetration-testers/

Security Check. (2018). Security check. iweb. https://kb.iweb.com/hc/en-us/articles/115000274491-Securing-Windows-SMB-and-NetBios-NetBT-Services

Shibu, S. (2020, November 18). 2020’s most common passwords are laughably insecure. PCMag. https://www.pcmag.com/news/2020s-most-common-passwords-are-laughably-insecure

Smith, R. F. (2018, October 1). Access denied: Cracking Kerberos packets. IT Pro. https://www.itprotoday.com/strategy/access-denied-cracking-kerberos-packets

Sobowale, O. (2020, April 21). Which SMTP port to use? Port 25, 465, 587 or 2525. SparkPost. https://www.sparkpost.com/blog/what-smtp-port/

Software Testing Help. (2021). 11 password cracker tools (Password hacking software 2021). https://www.softwaretestinghelp.com/password-cracker-tools/

SSH. (2021). Password sniffing attack. https://www.ssh.com/academy/attack/password-sniffing

Starhackx. (2014). Top ten NTP enumeration tools to download. https://starhackx.blogspot.com/2014/02/top-ten-ntp-enumeration-tools-to.html

StatCounter. (2021). Operating system market share worldwide. StatCounter Global Stats. https://gs.statcounter.com/os-market-share

Threat Hunter Playbook. (2020). Security account manager (SAM) database. https://threathunterplaybook.com/library/windows/security_account_manager_database.html

Ubalt. (2017). Enumeration tools. http://home.ubalt.edu/abento/453/enumeration/enumerationtools.htm

Zerosuniverse. (2019, December 1). What is NTP enumeration and its properties [2021 Edition]. https://www.zerosuniverse.com/ethical-hacking/what-is-ntp-enumeration/

Suggested Unit Resources

In order to access the following resources, click the links below.

Nessus is a remote security scanning tool that scans a computer and raises an alert if it discovers any vulnerabilities that malicious hackers could use to access any computer you have connected to a network.

CSU-IDT. (2021, August 2). Scanning for vulnerabilities using Nessus [Video]. Cielo24. https://c24.page/pz5w27y3nst4xer8gz689gsf89

A transcript and closed-captioning are available once you access the video.

Enumeration is defined as the process of extracting usernames, machine names, network resources, shares, and services from a system. In this phase, the attacker creates an active connection to the system and performs directed queries to gain more information about the target. The gathered data identifies the vulnerabilities or weak points in system security that the attacker tries to exploit in the system gaining phase.

CSU-IDT. (2021, August 2). Enumerating Active Directory using PowerShell Empire [Video]. Cielo24. https://c24.page/crafxpuhmzcp8qa8y87dwd6p7m

A transcript and closed-captioning are available once you access the video.

In this video, you will learn how to perform post-exploitation of a Microsoft Windows target using Metasploit. The Metasploit Framework comes with several useful scripts that can aid you in exploiting a Microsoft target. These scripts are made by third parties and eventually become part of the subversion repository.

CSU-IDT. (2021, August 2). Post-exploitation of Microsoft Windows using Metasploit [Video]. Cielo24. https://c24.page/zc7nnr4uxtfxtbessd5zc3nzf4

A transcript and closed-captioning are available once you access the video.

In this short video, you will see how we can easily capture the username and the hashed credentials for a Microsoft Windows domain member using Responder.

CSU-IDT. (2021, August 2). Exploiting Active Directory using LLMNR/NBT-NS poisoning [Video]. Cielo24. https://c24.page/8etxhe2prdmgd8fgefpjkky5hn

A transcript and closed-captioning are available once you access the video.


Learning Activities (Nongraded)

Nongraded Learning Activities are provided to aid students in their course of study. You do not have to submit them. If you have questions, contact your instructor for further guidance and information.

uCertify Lab Assignments

As an additional learning opportunity, students can complete several short labs using the online learning environment provided by uCertify. These labs help bridge the gap between conceptual knowledge and real-world network security skills. This activity is ungraded. You will need to make sure you have read Lessons 6 and 7 and worked through the knowledge checks at the end of each reading to prepare fully for the labs.
