Index. Mike O Leary 2015 M. O Leary, Cyber Operations, DOI /

Transcription

1 Index A Active Directory group policy, groups and delegation, installation, 195 organizational unit (OU), remote administration, running commands remotely, second domain controller, Windows DNS, Adobe Flash installation on CentOS, 32 installation on Mint, 36 installation on OpenSuSE, 34 installation on Ubuntu, 35 installation on Windows, 42 versions, Apache configuration, control program, 413 installation, LoadModule, 416 Logs, and ModSecurity (see ModSecurity) appcmd.exe, 463 Armitage, 50, 87 89, 93 B Barnyard2, automatic start, configuration, BASE, Basic authentication, , 504 BIND, , BIND and Windows DNS, configuration, , forward zone, installation, loopbacks, nameserver control, namespaces, reverse zone, root hints, 150 scripting, Bokken, , 399, 402, 409 Browser software CentOS systems, Mint, OpenSuSE, Ubuntu, 35 Windows, Brute force attacks Burp Suite, detection, MySQL, John the Ripper, 263 Joomla, phpmyadmin, prevention (phpmyadmin), prevention (SSH), , 361, 363 prevention (Web servers), SSH, Web servers, Windows domain controllers, , WordPress, Burp Suite web proxy, C Certificate authority (CA), 432, , 491 Common Gateway Interface (CGI) scripts, Community ENTerprise Operating System (CentOS), 1 3, 9 10, 17 20, 30 33, , 146, , 156, 166, 279, , , , 323, 412, 420, 424, 429, 436, 439, 442, 448, , 513, 515, , , 602 Apache installation, 411 Java installation, 30 ModSecurity, 443 PCRE package, 611 Mike O Leary 2015 M. O Leary, Cyber Operations, DOI /

2 index Community ENTerprise Operating System (CentOS) (cont.) Samba service, 353 VirtualBox Guest Additions, 15 CustomLog, 425 Custom password attacks. See Brute force attacks D Default Web Site, 415, 460 Document-based malware, Domain Name System (DNS), 18, 23 24, 38 39, 127, 129, , 209, 232, 235, 323, 355, 412, 430, 432, 461, , 509, 522, 525, , 532, namespaces, querying DNS, recursion and amplification attacks, root hints, 150 E Egress filters and proxies, , 541 Ettercap, , 485, Exploits Adobe Flash Player Shader Buffer Overflow, 65 68, , 243, 545 bypassing enhanced protected mode, Firefox, 59 60, Firefox XCS Code Execution, 60 64, , 237, 276, Flash, 64 65, 93 Heartbleed (see Heartbleed) Internet Explorer, 51 53, 92, Java, Java Applet ProviderSkeleton Insecure Invoke Method, Java Applet Rhino Script Engine Remote Code Execution, 270, 276, Java JAX-WS Remote Code Execution, 70 74, , Kerberos golden tickets (see Kerberos golden tickets) Linux local privilege escalation, , 281 Man in the middle SSHv1, SSL/TLS, sslstrip, Microsoft Office, Mozilla Firefox Bootstrapped Addon Social Engineering Code Execution attack, MS MSCOMCTL ActiveX Buffer Overflow, MS CAnchor Element, 53 59, , MS Registry Symlink IE Sandbox Escape, MySQL, Oracle MySQL for Microsoft Windows FILE Privilege Abuse, passwords hash gathering, , 262, , John the Ripper (see John the Ripper) PHP PHP CGI Argument Injection, remote includes, phpmyadmin Authenticated Remote Code Execution via preg_replace(), psexec, , Shellshock (see Shellshock) Slowloris (see Slowloris attack) sticky keys (see Sticky keys) SYSRET, 253 udev Netlink Local Privilege Escalation attack, Windows local privilege escalation, incognito, , 259 Mimikatz, Windows NTUserMessageCall Win32k Kernel Pool Overflow (Schlamperei), , Windows TrackPopupMenu Win32k NULL Pointer Dereference, WordPress Plugin Advanced Custom Fields Remote File Inclusion, F, G Federal Computer Fraud and Abuse Act, Firefox attacks, 59 63, , 541, 549 installation (Linux), 30 installation (Windows), 41 versions, 45 Firewalls bypassing, DMZ attack, internal network attack, IPFire, Shellshock, virtual networking, FTP servers, 311, , , 619 H Heartbleed, 485, HeidiSQL, 575, , 654 Hydra,

3 Index I IIS. See Internet Information Services (IIS) Individual file shares, Internet Explorer attacks 51 59, 92, proxies, 536 Internet Information Services (IIS) access control, command-line tools, configuration, installation, logging, ModSecurity, PHP on, PowerShell, settings, SSL, web sites, Intrusion detection system, Snort. See Snort IPFire egress filters and proxies, features, initial configuration, installation, network configuration, network traffic rules, J Java attacks, 69 77, , installation (CentOS), installation (Mint), 35 installation (OpenSuSE), installation (Ubuntu), 35 installation (Windows), malware, 374, versions, John the Ripper, 263, 281 basic authentication (see MD5) Linux, 279 MD5, 440 MySQL, Windows cached credentials (mscash2), 265 Windows NETNTLM, 268 Windows NTLM hashes, Joomla, 565, 679 attacking, defending, installation process, range of versions, 700 K Kali 9 installation 15, 17, 47 networking, 30 Kerberos golden tickets, 367, , L Linux systems CentOS (see Community ENTerprise Operating System) Kali (see Kali) Mint (see Mint) OpenSuSE (see OpenSuSE) Ubuntu (see Ubuntu) Logging in Apache, in IIS, in IPFire, 528, 535 in Linux, in MySQL, in OpenSSH, 319, in Samba, in Snort, 611 in vsftpd, 339 in Windows, Windows and Linux system integration, M Malware analysis, creation, defense, document-based malware, persistence scripts, Malware Tracker, 391, 409 Mandiant Redline, Metasploit, 50 Adobe Flash Player Shader Buffer Overflow, 65 68, Armitage (see Armitage) bypassing enhanced protected mode, Firefox, 59 60, Firefox XCS Code Execution, 60 64, , 237 Flash, 64 65, 93 Internet Explorer, 51 53, 92, Java, Java Applet ProviderSkeleton Insecure Invoke Method, Java JAX-WS Remote Code Execution, 70 74, Kerberos golden tickets (see Kerberos golden tickets) 741

4 index Metasploit (cont.) Microsoft Office, MS CAnchor Element, 53 59, MS Registry Symlink IE Sandbox Escape, MySQL, passwords, , 262, , PHP CGI, remote includes, Windows local privilege escalation, incognito, , 259 Mimikatz, Windows NTUserMessageCall Win32k Kernel Pool Overflow (Schlamperei), Windows TrackPopupMenu Win32k NULL Pointer Dereference, Meterpreter, 50, Microsoft Internet Information Services (IIS). See Internet Information Services (IIS) Microsoft management console (MMC), 469 Mint, 15, 28 30, 35 36, 97, 151, , 315, 415, , 515 ModSecurity, , and IIS (see Internet Information Services (IIS)) installation, rules, starting, MultiViews, 420 MySQL and MariaDB, 565 auxiliary/scanner/mysql/mysql_login, 595 auxiliary/scanner/mysql/mysql_version, 593 configuration, database password, 577 default included version of, 602 HeidiSQL, hostname, 576 installation, , 575 management of, 589 mysql database, /.mysql_history, 591 NMap scan, 594 -p flag, 576 status command, 577 user logs, 600 users and privileges, , 585 N NameVirtualHost, National Institute of Science and Technology (NIST), , 363, 454 Network firewalls. See Firewalls Network services FTP servers, , remote desktop (see Remote desktop) Secure Shell (SSH) server, Windows file sharing, , Network tools, NMap, O OpenSuSE, 20 25, 33 34, , 326, 646 PHP, 646 Organizational units (OUs), , 341, 349 OWASP ModSecurity Core Rule Set (CRS), P, Q Password attacks Burp Suite brute force password attacks, Burp Suite web proxy, custom password attacks, Windows password attacks, , PasswordFox, , 490 PHP, applications, configuration and security, attacking, configuration, installation, ModSecurity, vulnerabilities, XAMPP (see XAMPP) phpmyadmin, 654, 656, 659, , 736 attacking, defending, installation process, PowerShell script, 217, , , 476, 478 ProcDot, PuTTY, , 330, 362, 376, 398 Python malware, , 397, 409 R Radare, 392, 399 REMnux, 367, 392, 396, 399 Remote desktop Group Policy, 357 on Linux, 358 sticky keys program, on Windows 7, on Windows 8,

5 Index S Samba servers, , 365 Secure Shell (SSH) server, Security identifier (SID), 36 37, 48, 242, 381 ServerRoot, 414, 423, 513 Shellshock, , 563 Signing certificates, Slowloris attack, Snort, arpspoof, 623 ARP spoof attacks, 628 Barnyard2 (see Barnyard2) 64-bit OpenSuSE system, 621 CentOS 6.0 system, 624 default policy, 621 default Snort configuration, 622 /etc/init.d/snortd, 624 /etc/snort/etc/snort.conf, 620 /etc/sysconfig/snort, 624 Firefox XCS Code Execution, 628 installation, querying, database, rule set, 629 SDF-sensitive data preprocessor, 623 snort.conf, 619, 623, 625 snort/ /doc/readme.decode, 620 SSH and FTP servers, 619 /usr/local/lib/ snort_dynamicrules/, 620.xpi, 626 Snort Report, interface, 683 JpGraph, older PHP convention, 680 snortreport-1.3.4/srconf.php., 681 web page snortreport/alerts.php, 682 SSH server. See Secure Shell (SSH) server Sticky keys, , 409 Syslog, , 624, 627 T TransferLog, 425 U Ubuntu, 12 13, 25 28, 35, 43 44, 47 48, , 145, 151, 156, , 213, 284, , , 309, 315, , 353, , 365, 412, , 424, 428, , 446, , 452, , 586, 591, , 602 Server, User access controls (UAC), 460, 477 V Veil-Framework, , 409 VirtualBox, 5 9, 523, 596 VirtualBox Guest Additions, 9, 15 17, 47, 135, 392, 606 Virtual hosts, Virtual networking, 17 30, VMWare tools, 4, 15, 47 VMWare Workstation, 2 5, 523, 596 W Web attacks Heartbleed attack, man in the middle attack, password attacks (see Password attacks) pillaging browser, server reconnaissance, Slowloris attack, Windows domain attacks, , 280 Windows Firewall, 40, 219, 302, 304, 357 Windows local privilege escalation administrative/system privileges, bypass Enhanced Protected Mode, Windows password attacks, cached credentials, direct attacks, hash gathering, Windows reconnaissance, Windows Server 2008, 44 Active Directory, 195, share and storage management, 346 Windows Server 2012, 44 Active Directory, share and storage management, Windows SIDs. See Security identifier (SID) Windows tools, command tasklist, 112 network location, 110 Process Explorer, 116 Process Monitor, 117 PSLoggedOn, 110 sc command, 113 svchost.exe, 113 Sysinternals programs, 111 Sysinternals tool Process Explorer, 115 Sysinternals tool Process Monitor (procmon.exe), 117 Sysinternals tool TCPView (tcpview.exe), Windows Task Manager, Wireshark, WordPress,

6 index X XAMPP, , 678 control panel, MySQL client, , 656 OpenSSL binary, 657 phpmyadmin, 654, 656, 659 pma@localhost, status page, 653, 655 Y YaST, 25, 152, 315, 412, 429, 571, 617 Z Zen Cart,