Domain 3: Attacks & Exploits

Question 1

What is social engineering?

Answer 1

using one’s social skills to trick people into revealing access credentials or other information valuable to the attacker

Question 2

What is one of the most well known social engineering methods?

Answer 2

Phishing is this

Question 3

What is a smish?

Answer 3

A phishing text

Question 4

What is vishing?

Answer 4

Phishing that occurs over a telephone

Question 5

What is SMS phishing?

Answer 5

This is Short Message service phishing that occurs over text message.

Question 6

What is elicitation?

Answer 6

This usually uses a series of questions to get employees to tell you valuable or sensitive information. All about getting someone to provide something for you.

Question 7

Can you use elicitation with Email?

Answer 7

Yes, this can be used with email. Think of BEC.

Question 8

What is the definition of Elicitation?

Answer 8

To draw out or bring forth; educe; evoke

Question 9

Is Interrogation a type of social engineering?

Answer 9

Yes, this, albeit a moral dilemma, is a type of social engineering.

Question 10

What is impersonation?

Answer 10

Act of pretending someone you aren’t to gain access to locations/systems that you’re not supposed to have access to.

Question 11

What is USB keydrop?

Answer 11

Loading up a USB with malware, backdoors, keyloggers, and dropping it in say a parking lot in hopes someone at an organization plugs it in.

Question 12

What are motivates a user to fall for social engineering attacks?

Answer 12

With respect to attacks:

• Motivation
• Urgency
• Social Proof
• Likeability
• Fear

Question 13

What are some physical security attacks?

Answer 13

• Piggybacking/Tailgating
• Fencing
• Dumpster Diving
• Lock Picking
• Lock Bypass
• Egress Sensor
• Badge Cloning

Question 14

What does NBNS stand for?

Answer 14

Net Bios Name Service

Question 15

What is the host name of a system?

Answer 15

Netbios is the host name of a system

Question 16

What does LLMNR stand for?

Answer 16

Link-local Multicast Name Resolution

Question 17

What is LLMNR?

Answer 17

This is a protocol based on the DNS packet format allowing both IPv4 & IPv6 hosts to perform name resolution for hosts on the same local link.

Question 18

Where will you find LLMNR?

Answer 18

You will find this on Windows Vista and newer operating system. Linux also implements a version of this, called system.

Question 19

When is LLMNR useful as a hacker?

Answer 19

This is helpful when a temporary network is created, such as an ad-hoc wi-fi network.

Question 20

What is SMB?

Answer 20

Transport protocol used by windows machines; file sharing, printer sharing, remote window services. Linux can run using SAMBA.

Question 21

What ports allow SMB?

Answer 21

Ports 139 & 445

Question 22

What well known exploit and well known ransomware utilizes flaws in SMB?

Answer 22

EternalBlue exploit and WannaCry Ransomware both utilize a flaw in this protocol.

Question 23

How many versions of SNMP exist?

Answer 23

There are three versions of this protocol as of Jan 2020.

Question 24

Which version of SNMP uses a shared ‘community string’ sent in clear text when set to public?

Answer 24

SNMPv1 uses this when set to public.

Question 25

Does SNMPv1 use port security?

Answer 25

Yes, this version of SNMP uses port security

Question 26

In SNMPv1, What is the community string valid for?

Answer 26

In this protocol version, the community string is valid for EVERY node on the network.

Question 27

What is the internet standard for electronic mail transmissions?

Answer 27

This is SMTP

Question 28

What can you focus on when attacking SMTP protocol?

Answer 28

There are areas of attacks for this protocol:

• Direct Exploits of the protocol
• Using open relays
• Using local relays
• Phishing Attacks
• SPAM

Question 29

What used to be the internet standard for file sharing?

Answer 29

This was File Transfer Protocol

Question 30

What is the problem with FTP?

Answer 30

This is an insecure protocol that sends data and authentication in cleartext over the network

Question 31

What is pass the hash?

Answer 31

This is an attack against the NT Lan Manager. Attacker steals a hashed user credential and resuses it in the windows authentication system to create a new authenticated system.

Question 32

What are some of the ways you can conduct a man-in-the-middle attack?

Answer 32

These are methods used to conduct this type of attack:

• ARP spoofing
• Replay
• Relay
• SSL Stripping
• Downgrade

Question 33

What is ARP Spoofing?

Answer 33

This is when an attacker sends a falsified ARP message over a local network. This results in the Attackers MAC address being associated with the IP of valid computer.

Question 34

What is replay? What would be an example?

Answer 34

When valid data is captured by the attacker and then repeated or delayed. An example would be an attacker capturing a 3 way wireless network handshake and then replaying it to gain unauthorized access to that network.

Question 35

What is relay?

Answer 35

This type of attack is when the attacker is able to become the man-in-the-middle and acts as the middle man in a communication session.

Question 36

What is SSL Stripping?

Answer 36

This is an attack where a websites encryption is tricked into presenting the user with an HTTP connection instead of an HTTPS connection.

Question 37

What is a downgrade attack? What would be an example?

Answer 37

This is an attack that attempts to have a client or server abandon a higher security mode to use a lower security mode. This attack would cause a session to use SSL 2.0 over TLS 1.2, despite TLS being more secure.

Question 38

What is a Denial of Service called during a pen test? Do we actually do them during a pen test?

Answer 38

This is called a stress test during a pen test. No, we never actually go through with a denial of service attack during a pentest.

Question 39

What is a NAC bypass?

Answer 39

This occurs when an attacker spoofs a MAC address of a VOIP device. This is because VOIP devices are granted exceptions (MACs often whitelisted).

Question 40

Do VOIP Devices support 802.1x?

Answer 40

No, these devices do not support 802.1x.

Question 41

What is VLAN hopping?

Answer 41

This where you attack a host on a different VLAN to gain access. Double Tagging the VLAN in 802.1Q. By double tagging the switch will pull off external VLAN and put you into new VLAN.

Question 42

What is switch spoofing?

Answer 42

Auto negotiation with a switch by setting your device to act as a switch. Switches get copies of all VLAN traffic and separate based off tags.

Question 43

Name three possible wireless-based attacks

Answer 43

• Evil Twin
• Deauthentication Attacks
• Fragmentation Attacks
• Credential Harvesting
• WPS Implementation Weakness
• Bluejacking
• Bluesnarfing
• RFID Cloning
• Jamming
• Repeating

Question 44

What is a Karma attack?

Answer 44

These attack radio machines automatically. These devices listen for SSID requests and respond as if they were the legitimate access point.

Question 45

What is a fragmentation attack?

Answer 45

This type of attack involves the attacker exploiting a network by using a datagram fragmentation mechanism against it. Small amount of keying material is obtained from the packet then attempts to send ARP and/or LLC packets with known content access point. If the packet is successfully echoed back by the AP, then a larger amount of keying information can be obtained from the returned packet.

Question 46

What is credential harvesting? How can it be done?

Answer 46

Attack that focuses on collecting creds from targets. This could be done via social engineering, fake captive portals, MITM attacks

Question 47

What tool can be used to set up a fake captive portal?

Answer 47

ESPortalv2 can be used to set this up and redirect all WiFi devices connected to the portal for authentication.

Question 48

What are common attack tools for WPS weakness?

Answer 48

Reaver and Bully are both common tools used to attack this

Question 49

What are fake cell towers used to capture?

Answer 49

These are used to capture IMSI number.

Question 50

What does IMSI stand for?

Answer 50

This stands for International Mobile Subscriber Identity.

Question 51

What is the most popular Wifi hacking tool?

Answer 51

Aircrack-ng is the most popular of these tools.

Question 52

What can you do with Aircrack-ng?

Answer 52

With this tool, you can:

• monitor
• attack
• Test
• Crack

Question 53

In Kali Linux, how do we check to see which mode our wireless code is in?

Answer 53

iwconfig is the linux command that does this.

Question 54

How do we change the wireless mode from managed to monitor mode?

Answer 54

airmon-ng start wlan0 is the command used to do this.

Question 55

How do we find a list of wireless networks?

Answer 55

airdump-ng wlan0 is the command to do this.

Question 56

In airodump-ng, what is the option to add channels and bssids? What is the command to write to a file?

Answer 56

-c and –bssid. –write is the option to write to a file.

Question 57

what is the tool used to send deauthorizations across a wireless signal?

Answer 57

aireplay-ng –deauth 0 -a -c wlan0mon

Question 58

When running a deauthorization, what does the ‘0’ represent?

Answer 58

This represents the amount of deauth packets we want to send. in this example it would unlimited, until I told it to cancel.

Question 59

How do you view the capture file after a deauth attack?

Answer 59

aircrack-ng -w

Question 60

In Kali Linux, where will you find a common word list?

Answer 60

/usr/share/wordlists/rockyou.txt

Question 61

Name 4 application based vulnerabilities that can be attacked.

Answer 61

• Injections
• Authentication
• Authorization
• Cross-Site Scripting
• Cross-site request forgery
• Click-Jacking
• Security Misconfiguration
• File Inclusion
• Unsecure Coding Practices

Question 62

What is an injection attack?

Answer 62

These come in many forms. Insertion of additional information or code via data input from a client to the application.

Question 63

What is the most common injection attack?

Answer 63

SQL is the most common of this type of attack.

Question 64

What is redirection?

Answer 64

This is where you send someone to a fake login page to have them enter (and thus capture) their credentials.

Question 65

What are the two types of Kerberos tickets? What is the difference?

Answer 65

This authentication method involves golden tickets and silver tickets. Golden can be used to access any kerberos service, silver tickets can only be used for specific kerberos services.

Question 66

How can you attack Kerberos Authentication?

Answer 66

You can run mimikats to attack this.

Question 67

What is parameter pollution?

Answer 67

This is where HTTP parameters are modified in order to conduct a malicious attack.

Question 68

What is insecure direct object reference?

Answer 68

This is where application provides direct access to an object based on the user-supplied input.

Question 69

What is Cross-Site Scripting (XSS)?

Answer 69

Attacker embeddes malicious scripting commands on a trusted website.

Question 70

What are the three ways to conduct XSS attacks?

Answer 70

There are three ways to do these attacks:

1. Stored/persistent , Data provided by attacker saved on server
2. Reflected, non-persistent, activated through link on site
3. DOM, Document Object Model is vulnerable. Victims browser is exploited.

Question 71

What is cross site request forgery (CSRF)?

Answer 71

Attacker forces a user to execute actions on web server which they authenticated.

Question 72

What is directory traversal?

Answer 72

Attack that allows access to restricted directories and for command execution outside of the web server’s root directory.

Question 73

What is http://testsite.com/get.php?f=/var/www/html/get.php an example of?

Answer 73

This is an example of Directory Traversal

Question 74

What is file inclusion? Why does it happen?

Answer 74

This attack includes a file into a target application by exploiting a dynamic file inclusion mechanism. Usually happens because of improper input validation by application.

Question 75

What is a race condition? When does it occur?

Answer 75

Flaw that produces unexpected results when the timing of actions can impact other actions. Two pieces of code are racing to impact. This is occurs while multithreaded operations are occuring on the same piece of data.

Question 76

What is one of the first ways to attack a local host?

Answer 76

Operations systems vulnerabilities is one of the first for this.

Question 77

What is a second common vector of attack for a local host? What are some examples?

Answer 77

The second vector of attack for this is unsecure services and protocol configurations. FTP, Telnet, TFTP, SSHv1, SMPv1, WPA instead of WPA2 are all examples.

Question 78

What is privilege escalation in linux?

Answer 78

Allows a user to run a program or process as a different user with additional permissions.

Question 79

As you get further from the linux kernel, what privilege is provided?

Answer 79

This would allow for the least privilege. Generic User.

Question 80

What does SUID and SGID stand for?

Answer 80

Set-User Identification & Set-Group Identification

Question 81

What is sticky bit?

Answer 81

This is used for shared folders such as /tmp. Allows users to create files, read, and execute files owned by other users. This attack cannot remove files owned by other users.

Question 82

how do you know if sticky bit has been set?

Answer 82

you will see at a -t at the end of the permission.

Question 83

What is SUDO? Who is the other user by default?

Answer 83

This is a program for Unix/Linux systems that allows users to run programs with the privileges of another user. Root is the other user by default.

Question 84

SUDO is similar to what command in windows?

Answer 84

This is similar to the “Run as Administrator’ command in windows.

Question 85

What is Ret2libc? What does it stand for?

Answer 85

This is an attack technique that relies on overwriting the program stack to create a new stack frame that calls the system function. This stands for ‘Return to library call’

Question 86

In Windows, what is the name of the attribute that stores passwords in a group preference item?

Answer 86

This is call CPassword

Question 87

How can you check for insecure LDAP binding? What is the outcome?

Answer 87

This can be checked by running a bind Script in powershell. You will receive a .csv file as output showing which accounts are vulnerable.

Question 88

What is Kerberoasting?

Answer 88

A way to mess with Kerberos ticketing system. Any domain user account that has a service principal name (SPN) set can have a service ticket (TGS).

Question 89

What does LSASS Stand for?

Answer 89

Local Security Authority Subsytem Service

Question 90

What does LSASS do?

Answer 90

This is a process in Windows that enforce the security policy of the system. Verifies a user when logging on. Creates access tokens (ie, Kerberos).

Question 91

What does PXE stand for?

Answer 91

preboot execution environment

Question 92

What does SAM stand for? What does it do?

Answer 92

Security Account Manager. This is a dabase file that stores the user passwords in Windows as an LM hash or NTLM hash.

Question 93

What is DLL?

Answer 93

This provides a method for sharing code and allows a program to upgrade its functionality without requiring re-linking or re-compiling of the application.

Question 94

What is DLL hijacking?

Answer 94

This is Dynamic Link Library attack where you’re able to load a malicious DLL in the place of an accepted DLL. Commonly used by malware to achieve persistence.

Question 95

What is JTAG?

Answer 95

Remote procedure call is a protocol used in Windows that allows the remote execution of code on a remote computer or server.

Question 96

What is Distributed Component Object Model (DCOM)?

Answer 96

This is a proprietary Microsoft technology for communications between software components on networked computers.

Question 97

What is PsExec?

Answer 97

This is a lightweight telnet-replacement that lets you execute processes on other systems with full interactivity for console applications without manually having to install client software.

Question 98

What is windows management instrumentation (WMI)?

Answer 98

This is a set of specifications from Microsoft for consolidating the management of devices and applications in a network from the windows computing systems.

Question 99

What is PS Remoting?

Answer 99

This allows a computer to receive remote windows powershell commands.

Question 100

What is Windows Remote Management?

Answer 100

This allows admins to remotely run management scripts using the WS-management protocol.

Question 101

What are Windows Remote Management and Windows Remote Shell ran on?

Answer 101

First is run on Servers, the second is run on clients.

Question 102

What is a cross-platform RDP system?

Answer 102

This is called Virtual Network Computing (VNC).

Question 103

What is the Remote GUI for linux?

Answer 103

X11 is this for this OS

Question 104

Why don’t we use telnet to remote into systems?

Answer 104

We don’t use this because all information is sent in plain text.

Question 105

What is a Daemon? What is an example? What are they called in Windows?

Answer 105

This is a background process that exists for the purpose of handling periodic service requests that a computer system expects to receive. sshd is the Daemon for SSH. In windows they are called ‘services’.

Question 106

What is timestomping?

Answer 106

Changing the time of access for files to that of your choosing.