- Scan Active Directory for user accounts with service principal names (SPNs) set.
- Request service tickets using the SPNs.
- Extract the service tickets from memory and save to a file.
- Conduct an offline brute-force attack against the passwords in the service tickets.
Kerberoasting
- Implemented in motherboards made by some manufacturers for diagnostic and testing purposes
- With the right equipment, a penetration tester can connect to this port and capture data directly from the running motherboard.
JTAG Port
Occurs when an attacker manipulates an egress sensor to unlock a door.
Egress sensor bypass
An exploit that causes the return address of a subroutine to be replaced by the address of a subroutine that is already present in a processes’ memory
Ret2libc
A client-side security misconfiguration that allows a script running within a browser to write data to a client-side cookie.
Cookie manipulation
Assigning an executable on Linux this permission allows it to run with the permissions of the file’s owner.
SUID
Assigning an executable on Linux this permission allows it to run with the permissions of the group owning the asset
SGID
- A process that runs on a Windows system to enforce the security policy on the system
- Verifies users that log on to the system, manages user password changes, creates access tokens, and makes entries to the Security log.
Local Security Authority Subsystem Service (LSASS)
Used to remotely manage Macintosh systems over a network connection using a graphical user interface
Apple Remote Desktop (ARD)
Used to apply rotational pressure to the lock (in the unlock direction)
Tension Wrench
Used to apply rotational pressure to the lock (in the unlock direction)
Tension Wrench
- Attempts to enumerate user accounts through null sessions
- If a tester specifies a password file, it will automatically attempt to brute force the user accounts when it’s finished enumerating
RID cycling attack
- Protocol loosely based on the DNS packet format
- Allows IPv4 and IPv6 hosts to perform name resolution for other hosts on the same local network without a DNS server
Link-Local Multicast Name Resolution (LLMNR)
- Wireless exploit, an unauthorized Bluetooth connection is established with a wireless device
- Connection is then used to steal information from that device.
Bluesnarfing
- When an attacker sends unsolicited messages over Bluetooth devices
- Allows an individual to send anonymous messages to Bluetooth-enabled devices within a certain radius
Bluejacking
Occurs when an intruder tags along with an authorized person through a physical barrier, such as a locking door or a turnstile
Tailgating
- An extension to X.509 that allows various values to be associated with a security certificate using a ________ field.
- These values include email addresses, IP addresses, URLs, DNS names, and directory names.
Subject Alternative Name (SAN)
- Invokes services/actions on a remote computer
- PsExec – Utility for Windows OS that allows for the execution of processes on remote systems
- WMI (Window Management Instrumentation) – A part of PowerShell used for monitoring Remote Window devices
- Scheduled tasks – When a job run a remote connect
Remote Procedure Call (RPC)/Distributed Component Object Model (DCOM)
- Attacks rely on following employees in through secured doors or other entrances.
Piggybacking
