#Quiz 16

1. What are the least amount of privileges required to perform a DCSync attack?
a) Replicating Directory Changes, Replicating Directory Changes All
b) Replicating Directory Changes, Replicating Directory Changes All, Replicating Directory Changes In Filtered Set
c) Domain Admin
d) Enterprise Admin

2. What file controls the security of NFS shares?
a) /etc/resolv.conf
b) /etc/exports
c) /etc/hosts.equiv
d) /etc/netplan

3. When discussing SSL/TLS security, what extra security do "ephemeral" Diffie-Hellman keys provide?
a) The key length is shorter making key exchange quicker
b) Ephemeral keys use their own bespoke encryption algorithm
c) Ephemeral keys don't work with obsolete protocols like SSLv3 meaning you're guaranteeing overall security with modern protocols
d) Ephemeral keys use a random public key each time a connection is made, protecting past communications if the key is compromised

||C,B,D||

||1) A
2) B
3) D||

||
a)
c)
d)
||

||A, B, D||

A new contender! Great to have you with us

||

1. a
2. b
3. d
   ||

||

1. A
2. B
3. D
   ||

||C, D, D||

|| A B D||

Haha, you couldn't resist. Great! 😎

The answers are 1A, 2B, 3D!

1A
DCSync is how, with the necessary permissions, we can obtain all the users and their NTLM hashes from AD. A long time ago, in a galaxy far, far away, Metasploit modules were often used to do this, some of which executing code on the DC in the process (which should generally be avoided wherever possible). DCSync allows us to get hashes without running any code on the box by impersonating a DC and leveraging the Directory Replication Service Remote Protocol (MS-DRSR), which is the normal way domain controllers replicate information amongst themselves.

Option B is true also, but the extra AD permission aren't necessary and the question asked for the least amount of privileges. Options C and D would allow DCSync because by default these groups have the option A permissions assigned to them, however ANY domain user with the option A privileges could perform a DCSync attack even if they're not Domain Admin or higher.

2B
resolv.conf is the file used to specify the DNS server for many Linux distro's. hosts.equiv contains a list of trusted hosts for the very old and legacy rlogin service, and the netplan file is where Ubunutu 18.04+ (and other distro's) stores your network config (i.e. IP address, mask, gateway etc).

The exports file lets you configure, who, and often from where, can access NFS shares and has a variety of security flags that can configured to lock shares down.

3D
Non-ephemeral keys are generated using a static public key. If the server's private key was compromised, an attacker could attempt to decrypt previous/earlier communications, e.g. attacker captures encrypted traffic between client/server, compromises private key at a later stage and would be able to decrypt all recorded communications.

Ephemeral keys are generated using a unique public key for each session a user initiates. By doing this, the compromise of a server's private key for a given communication means the attacker can't decrypt earlier (or future) comms. Using ephemeral keys results in something referred to as 'Perfect Forward Secrecy' (PFS).

4A - Not a lot to sat here, apart from nope!
4B - There isn't any bespoke encryption solely used for key generation.
4C - Nope. Plenty of obsolete SSLv3 configurations that can use ephemeral keys.

https://tenor.com/view/dancing-unicorn-unicorn-chubbicorn-chubbiverse-rave-party-gif-25145066

👏

Woah can't believe I got all correct

There's 15 other quizzes before this one, so 45 more questions you can think about and then check the answers at the bottom 🤓

2/3 ain't bad.

Woop Woop!