05 Attacking a System Flashcards
- You are examining test logs from the day’s pen test activities and note the following entries on a Windows 10 machine:
C:> net user
User accounts for \ANYPC
—————————————————————————————————–
Administrator Backup DefaultAccount
Guest USER1
The command completed successfully.
C:> net user USER1 user2
Which of the following statements is true regarding this entry?
A. The team member added a user account.
B. The team member switched his login to that of a different user.
C. The team member changed the password of a user.
D. The team member renamed a user account.
C. The net commands in Windows will definitely make an appearance on your exam, and because it’s impossible to tell which syntax or command structure will be thrown at you, you should learn them all. In this example, the net user command lists all users on the machine. Next, the team member used the net user USERNAME PASSWORD command—where USERNAME equates to the user to update and PASSWORD is the password to set for the user. In this example, the user—USER1—had his password updated to user2. Other net user options include ADD, DELETE, TIMES, and ACTIVE. Net commands run in the security context you are logged on as, so ensure you’re actually an administrator on the machine before attempting many of them. As a useful aside, keep in mind you’ll probably see a few tricks like this (using “user2” as a password) on your exam. Syntax matters, and it’ll be manipulated quite a bit on your test.
Net commands have many other uses. For example, net view will display systems in the workgroup, net use lets you create, connect to, and display information on shared resources, net share will list all the shares the user has access to, and net start allows you to start a service.
A is incorrect because this does not match the syntax provided. If the team member wanted to add a user, he’d first ensure he had administrative privileges and would then use the net user /ADD USERNAME command (where USERNAME is the name of the user to be created).
B is incorrect because this command or syntax would not accomplish this action.
D is incorrect because this command or syntax would not accomplish this action.
- Amanda works as a security administrator for a large organization. She discovers some remote tools installed on a server and has no record of a change request asking for them. After some investigation, she discovers an unknown IP address connection that was able to access the network through a high-level port that was not closed. The IP address is first traced to a proxy server in Mexico. Further investigation shows the connection bounced between several proxy servers in many locations. Which of the following is the most likely proxy tool used by the attacker to cover their tracks?
A. ISA proxy
B. IAS proxy
C. TOR proxy
D. Netcat
C. I’ve mentioned it before, and I’ll mention it again here: sometimes the CEH exam and real life just don’t match up. Yes, this question may be, admittedly, a little on the “hokey” side, but it’s valid insofar as EC-Council is concerned. The point here is that TOR (The Onion Routing; https://www.torproject.org/) provides a quick, easy, and really groovy way to hide your true identity when performing almost anything online. According to the site, “Tor protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location.” (For the real-world folks out there, just know that without law enforcement and some serious network visibility, you’d probably be successful in tracking to the first hop, but that’d be it.) TOR is dynamic by nature, and a hacker can simply use a different path for each attack. Just remember the question is really about identifying TOR as a means of covering tracks and not necessarily a treatise on how it really works. Were this a discussion based in reality, we’d be more interested in how Amanda would determine the connection was bouncing around proxies in the first place: more realistically, she might detect several similar connections leveraging the same access that were coming from several different countries.
A is incorrect because an Internet Security and Acceleration (ISA) server isn’t designed to bounce between multiple proxies to obscure the original source. Per Microsoft, ISA “is the successor to Microsoft’s Proxy Server 2.0… and provides the two basic services of an enterprise firewall and a Web proxy/cache server. ISA Server’s firewall screens all packet-level, circuit-level, and application-level traffic. The Web cache stores and serves all regularly accessed Web content in order to reduce network traffic and provide faster access to frequently-accessed Web pages. ISA Server also schedules downloads of Web page updates for non-peak times.”
B is incorrect because Internet Authentication Service (IAS) is a component of servers that allows you to provide a Remote Authentication Dial-In User Service (RADIUS) connection to clients. It’s not designed as an obfuscating proxy—its purpose is in authentication.
D is incorrect because, while you can set up a single proxy using Netcat, and it may even be possible to chain several together, it’s simply not designed to work that way (and that’s what this question was all about to begin with). You can set up a listening port with it, but it’s not designed to act as a proxy, and setting one up as a chain of proxies would be insanely complicated and unnecessary with the myriad other options available.
Copyright (c) 1993-2009 Microsoft Corp.
- The following HOSTS file was pulled during an incident response:
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
#space.
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a ‘#’ symbol.
#
# For example:
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
220.181.0.16 mybank.com
220.181.0.16 amazon.com
220.181.0.16 google.com
220.181.0.16 gmail.com
220.181.0.16 facebook.com
#localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost
Which of the following statements best describes the HOSTS file?
A. A user on the machine attempting to go to check their bank account at mybank.com will be directed to a Chinese IP address instead.
B. A user on the machine attempting to go to google.com will receive an HTTP return code of 400.
C. A user on the machine attempting to go to gmail.com will redirect to the local host.
D. Any DNS resolution to IP 220.181.0.16 will be redirected to one of the five sites listed in round-robin fashion.
A. The HOSTS file is a thing of beauty or an instrument of horror and terror, depending on how you look at it. Before any Windows system even bothers to check DNS for an IP matching a name request, it checks the HOSTS file first. For example, when the user types www.mybank.com in their browser and presses ENTER, Windows checks the HOSTS file to see if there is a mapping for mybank.com. If there is one, that’s where the user will go. If there’s not, Windows will ask DNS for an IP to use. Therefore, if you edit your own HOSTS file, you can save yourself from lots of ad stream sites (just redirect them to localhost) and ensure your kids don’t accidentally go somewhere they’re not supposed to. If you get a hold of your target’s HOSTS file, you can send them anywhere you want.
In this example, it appears someone has gotten a hold of this particular machine’s HOSTS file and has edited it to send some common URL requests to a Chinese IP. Maybe they’ve set up fake versions of these sites in order to grab credentials. Or maybe they just want to DoS the user. In any case, any attempt to go to mybank.com, google.com, gmail.com, amazon.com, or facebook.com will immediately get redirected to the Chinese IP listed. The only way the user could avoid this is to use IP addresses instead of named URLs.
Oh, and one more thing: Just how do we know it’s a Chinese IP address? Whois, of course, where you can determine the 220.181.0.0/19 net block is assigned to CHINANET.
B is incorrect because it is impossible to tell if the 400 return code (which means the server cannot or will not process the request due to an apparent client error, such as a malformed request syntax, invalid request message framing, or deceptive request routing) would appear. If the request is valid (it should be) and the server is capable of registering the request as valid (again, that depends on what the bad guy set up on that particular IP), then Code 400 will not be returned.
C and D are incorrect because neither matches the action taken in a HOSTS file entry.
- Which of the following opens the Computer Management MMC in a Windows command line?
A. compmgmt.mmc
B. compmgmt.msc
C. compmgmt.exe
D. computermgmt.exe
B. Admittedly this one is an easy pick—assuming, of course, you’ve studied and know your MMCs in Windows. You have studied them, right? Because if you had, you’d know that the Microsoft Management Consoles can be used for a variety of tasks. Some of these MMCs include Computer Management, Device Management, Event Viewer, Group Policy Editor, and Active Directory Users and Computers. While you can create your own custom MMC, by typing mmc in the command line and then using Add/Remove Snap In from the menu line, you can also just open the individual consoles themselves by using their “msc” command-line option. For example, Computer Management can be a snap-in for a custom MMC, or you can open it by itself using the compmgmt.msc command. Others you may want to know for future reference include AD Users and Computers (dsa.msc), Device Manager (devmgmt.msc), Event Viewer (eventvwr.msc), Local Group Policy Editor (gpedit.msc), and Local Security Settings Manager (secpol.msc).
A, C, and D are all incorrect because they do not match the syntax for opening Computer Management.
- Which of the following will extract an executable file from NTFS streaming?
A. c:> cat file1.txt:hidden.exe > visible.exe
B. c:> more file1.txt | hidden.exe > visible.exe
C. c:> type notepad.exe > file1.txt:hidden.exe
D. c:> list file1.txt$hidden.exe > visible.exe
A. This is the correct syntax. The cat command will extract the executable directly into the folder you execute the command from. NTFS file steaming allows you to hide virtually any file behind any other file, rendering it invisible to directory searches. The file can be a text file, to remind you of steps to take when you return to the target, or even an executable file you can run at your leisure later. Alternate data stream (ADS) in the form of NTFS file streaming is a feature of the Windows-native NTFS to ensure compatibility with Apple file systems (called HFS). Be careful on the exam—you will see ADS and NTFS file streaming used interchangeably. As an aside, the cat command isn’t available on Windows 7 and Windows 10 machines (you’ll need a Linux emulator or something like it to use the cat command on these). What’s more, you can use c:> (more<file1.txt:hidden.exe) > output.txt as another option. This will read the output of the hidden stream and write it to the output.txt file without having to use cat.
B is incorrect because this is not the correct syntax. There is no pipe (|) function in extracting a file, and the more command is used to display the contents of a text file, not extract an executable from ADS.
C is incorrect because this is not the correct syntax. This option would display the contents of a hidden text file—maybe one you’ve stowed instructions in for use later.
D is incorrect because the syntax is not correct by any stretch of the imagination. This is included as a distractor.
- Which command is used on a Linux machine to allow all privileges to the user, read-only to the group, and read-only for all others to a particular file?
A. chmod 411 file1
B. chmod 114 file1
C. chmod 117 file1
D. chmod 711 file1
E. chmod 744 file1
E. You’re going to need to know some basic Linux commands to survive this exam, and one command I can guarantee you’ll see a question on is chmod. File permissions in Linux are assigned via the use of the binary equivalent for each rwx group: read is equivalent to 4, write to 2, and execute to 1. To accumulate permissions, you add the number: 4 is read-only, 6 is read and write, and adding execute to the bunch results in 7. As an aside, if you think in binary, the numbers are just as easy to define: 111 equates to 7 in decimal, and each bit turned on gives read, write, and execute. Setting the bits to 101 turns on read, turns off write, and turns on execute; and its decimal equivalent is 5.
A, B, C, and D are all incorrect syntax for what we’re trying to accomplish here: 411 equates to read-only, execute, and execute, with 114 being the reverse of that, and 117 equates to execute, execute, and full permissions, with 711 being the reverse.
- Examine the following passwd file:
root:x:0:0: root: /root:/bin/bash
mwalk:x:500:500: Matt Walker, Room 2238, email: /home/mwalk:/bin/sh
jboll:x:501:501: Jason Bollinger, Room 2239, email: /home/jboll:/bin/sh
rbell:x:502:502: Rick Bell, Room 1017, email: /home/rbell:/bin/sh
afrench:x:503:501: Alecia French, Room 1017,email:/home/afrench:/bin/sh
Which of the following statements are true regarding this passwd file? (Choose all that apply.)
A. None of the user accounts has passwords assigned.
B. The system makes use of the shadow file.
C. The root account password is root.
D. The root account has a shadowed password.
E. Files created by Alecia will initially be viewable by Jason.
B, D, E. If there are not two to four questions on your exam regarding the Linux passwd file, I’ll eat my hat. Every exam and practice exam I’ve ever taken references this file—a lot—and it’s included here to ensure you pay attention. Fields in the passwd file, from left to right, are as follows:
* User Name This is what the user types in as the login name. Each user name must be unique.
* Password If a shadow file is being used, an x will be displayed here. If not, you’ll see an encrypted password (in current OS versions), and only if you are root. As an aside, setting this to an asterisk (*) is a method to deactivate an account.
* UID The user identifier is used by the operating system for internal purposes. It is typically incremented by 1 for each new user added.
* GID The group identifier identifies the primary group of the user. All files that are created by this user will normally be accessible to this group, unless a chmod command prevents it (which is the reason for the “initial” portion of the question).
* Gecos This is a descriptive field for the user, generally containing contact information separated by commas.
* Home Directory This is the location of the user’s home directory.
* Startup Program This is the program that is started every time the user logs in. It’s usually a shell for the user to interact with the system.
A is incorrect because the x indicates a shadowed password, not the absence of one.
C is incorrect because the x indicates that root does indeed have a password, but it is shadowed. Could it actually be root? Sure, but there’s no way to tell that from this listing.
- You are attempting to hack a Windows machine and want to gain a copy of the SAM file. Where can you find it? (Choose all that apply.)
A. /etc/passwd
B. /etc/shadow
C. c:\windows\system32\config
D. c:\winnt\config
E. c:\windows\repair
C, E. Per Microsoft’s definition, the Security Account Manager (SAM) is a database that stores user accounts and security descriptors for users on the local computer. The SAM file can be found in c:\windows\system32\config. If you’re having problems getting there, try pulling a copy from system restore (c:\windows\repair).
A and B are both incorrect because /etc is a dead giveaway this is a Linux folder (note the forward slash instead of the Windows backward slash). The /etc folder contains all the administration files and passwords on a Linux system. Both the password and shadow files are found here.
D is incorrect because this is not the correct location of the SAM. It’s included as a distractor.
- Which of the following statements are true concerning Kerberos? (Choose all that apply.)
A. Kerberos uses symmetric encryption.
B. Kerberos uses asymmetric encryption.
C. Clients ask for authentication tickets from the KDC in clear text.
D. KDC responses to clients never include a password.
E. Clients decrypt a TGT from the server.
A, B, C, D, E. All answers are correct. Kerberos makes use of both symmetric and asymmetric encryption technologies to securely transmit passwords and keys across a network. The entire process consists of a key distribution center (KDC), an authentication service (AS), a ticket granting service (TGS), and the ticket granting ticket (TGT). A basic Kerberos exchange starts with a client asking the KDC, which holds the AS and TGS, for a ticket, which will be used to authenticate throughout the network. This request is in clear text. The server will respond with a secret key, which is hashed by the password copy kept on the server (passwords are never sent—only hashes and keys). This is known as the TGT. The client decrypts the message, since it knows the password, and the TGT is sent back to the server requesting a TGS service ticket. The server responds with the service ticket, and the client is allowed to log on and access network resources.
- What is the difference between a dictionary attack and a hybrid attack?
A. Dictionary attacks are based solely on wordlists, whereas hybrid attacks make use of both wordlists and rainbow tables.
B. Dictionary attacks are based solely on whole wordlists, whereas hybrid attacks can use a variety of letters, numbers, and special characters.
C. Dictionary attacks use predefined wordlists, whereas hybrid attacks substitute numbers and symbols within those words.
D. Hybrid and dictionary attacks are the same.
C. A hybrid attack is a variant on a dictionary attack. In this effort, you still have a wordlist; however, the cracker is smart enough to replace letters and characters within those words. For example, both attacks might use a list containing the word Password. To have multiple variants on it, the dictionary attack would need to have each variant added to the list individually (P@ssword, Pa$$word, and so on). A hybrid attack would require the wordlist only to include Password because it would swap out characters and letters to find different versions of the same word.
A is incorrect because hybrid attacks don’t use rainbow tables.
B is incorrect because dictionary attacks can use variants of a whole word; they just need to be listed separately in the list.
D is incorrect because hybrid and dictionary attacks are most definitely different.
- Which of the following contains a listing of port numbers for well-known services defined by IANA?
A. %windir%\etc\lists
B. %windir%\system32\drivers\etc\lmhosts
C. %windir%\system32\drivers\etc\services
D. %windir%\system32\drivers\etc\hosts
C. I’ve sat back many times in writing these books struggling to determine why certain specific but not very useful things seem to be so near and dear to the exam question writers, but I can’t find any particular rhyme or reason. Sometimes you just have to memorize and move on, and this example is no exception. If you happen to be out on your real job and completely forget every well-known port number, you’d probably just look up the list on an Internet search. If you’re bored or really nerdy, though, you can pull up a list of them by visiting the services file. It’s sitting right there beside the HOSTS and LMHOSTS files.
A, B, and D are incorrect because these locations do not hold the services file.
- Which of the following SIDs indicates the true administrator account?
A. S-1-5-21-1388762127-2960977290-773940301-1100
B. S-1-5-21-1388762127-2960977290-773940301-1101
C. S-1-5-21-1388762127-2960977290-773940301-500
D. S-1-5-21-1388762127-2960977290-773940301-501
C. The security identifier (SID) in Windows is used to identify a “security principle.” It’s unique to each account and service and is good for the life of the principle. Everything else associated with the account is simply a property of the SID, allowing accounts to be renamed without affecting their security attributes. In a Windows system, the true administrator account always has an RID (relative identifier) of 500.
A and B are incorrect because neither 1100 nor 1101 is the RID associated with the administrator account. RID values between 1000 and 1500 indicate a standard user account.
D is incorrect because 501 is the RID for the guest account.
- In which step of EC-Council’s system hacking methodology would you find steganography?
A. Cracking passwords
B. Escalating privileges
C. Executing applications
D. Hiding files
E. Covering tracks
D. Yes, sometimes you get a question that’s relatively easy, and this is a prime example. Hiding files is exactly what it sounds like: finding a way to hide files on the system. There are innumerable ways to accomplish this, but steganography is one method you’ll most likely see referenced on the exam. Steganography hides things such as passwords, files, or malicious code (let’s just say anything that can be put into a binary format) inside images, video, and such. The other file-hiding technique you’ll most likely see referenced on the exam is NTFS file streaming.
A, B, C, and E are incorrect because you do not hide files in these steps. Cracking passwords is self-explanatory. Escalating privileges refers to the means taken to elevate access to administrator level. Executing applications is exactly what it sounds like, and you’ll probably see remote execution tools referenced (and, for some bizarre reason, keyloggers and spyware). Covering tracks deals with proxies, log files, and such.
- A review of the command history on a Linux box shows the following command entered:
env x= ‘(){ :;};echo exploit ‘ bash –c ‘cat/etc/passwd
Which of the following is the best description of what the attacker is attempting to accomplish?
A. Add a user to the system.
B. Elevate current login privileges.
C. Change passwords for users.
D. Display password file contents.
D. Ever heard of Bashdoor (aka the Shellshock vulnerability)? Of course you have, and that’s what’s being attempted here. Vulnerable versions of the Bash shell (commonly used to process requests) allow an attacker to execute arbitrary commands concatenated to the end of function definitions stored in environment variables. In this case, the attacker is trying to read the contents of the password file using the cat command.
A, B, and C are incorrect because they do not match the command syntax.
- You are examining LM password hashes and see the following:
3A02DF5289CF6EEFAAD3B435B51404EE
Which of the following passwords is most likely to have created the hash?
A. 123456789
B. CEHISHARD
C. c3HisH@RD!
D. CEHhard
D. You will certainly see LM hashes on your exam at least once or twice, and usually in this type of scenario. EC-Council isn’t just going to come out and ask you if you know that the last half of the LM hash is always the same if the password is seven characters or less—they’re going to throw it in a scenario and see if you remember it in the stress of test time. For review purposes, LM splits any password into two seven-character pieces and hashes each piece. If the password is seven characters or less, the last half of the hash is always the value of a hash of nothing (which equates to AAD3B435B51404EE, by the way). In this question, apply the LM “splitting” of passwords into two separate groups of seven characters, and it’s easy to see the answer: the first seven characters are CEHhard and the second seven do not exist, so the hash of CEHhard equals 3A02DF5289CF6EEF, and the hash of the blank characters equals AAD3B435B51404EE.
On a final note, because it’s related here, don’t get hung up on password complexity unless it is explicitly noted in the question. Most people are in a rush during the exam and may not read things carefully. Glancing at the answers, these folks might pick the complex password by mistake. Therefore, use caution in reading the questions—take time to fully understand what they’re asking for before just clicking the choice and moving on.
A is incorrect because this password has nine characters; therefore, the second half of the hash would be different (LM would hash 1234567 and then 89).
B is incorrect because this password also has nine characters; therefore, the second half of the hash would be different (LM would hash CEHISHA and then RD).
C is incorrect because this password has ten characters; therefore, the second half of the hash would be different (LM would hash c3HisH@ and then RD!).
