Midterm

Question 1

Hacking

Answer 1

producing an outcome that the system’s designers never intended or anticipated

Question 2

Penetration Tester

Answer 2

Simulates cyber attacks for the purpose of improving organizational security. Focus on comprehensiveness.

Question 3

Red/Purple Team

Answer 3

Simulates cyber attacks like a pen tester,
however, the focus is more on emulating an adversary and testing an organization’s response.

Question 4

Cyber Operator

Answer 4

Works with or for the military to hunt threats,
protect assets, and provide access to sensitive and secure
environments

Question 5

Vulnerability Researcher

Answer 5

Searches for yet unknown vulnerabilities
in software or hardware products

Question 6

Vulnerability Analyst

Answer 6

Analyzes computer networks and/or systems
for the presence of known vulnerabilities

Question 7

CSIRT (Computer Security Incident Response Team) Analyst or Responder

Answer 7

Respond to and eradicate active threats within an
organization’s computer systems or networks. “Blue” team

Question 8

Cyber Crime Investigator or Forensic Analyst

Answer 8

Collect and analyze data from computer systems and networks to uncover certain actions or behaviors

Question 9

Intelligence Analyst

Answer 9

Mitigate risk by collecting and disseminating
information about threats

Question 10

Software Engineer

Answer 10

Develop and maintain software systems to be resistent to misuse

Question 11

Ethical Hacking

Answer 11

Combining technical skills and understanding of an
attacker’s mindset to simulate a hostile attacker

Question 12

IT security audit

Answer 12

Determine whether an organization’s deployed
controls align with the security policy. Focused more on compliance with policy and best practice than assessment

Question 13

Vulnerability assessment

Answer 13

Survey of a system to identify as many
vulnerabilities as possible. Focused on identifying the vulnerabilities, not necessarily proving that they can be exploited

Question 14

Penetration test

Answer 14

Assess the security posture of a scoped network
or resource by actively trying to exploit it

Question 15

Red team

Answer 15

Assess an organization’s response to an emulated adversary

Question 16

Cyber Operation

Answer 16

Military operation that is an ethical cyber attack or defense

Question 17

What is the difference between an ethical test and an unethical cyber attack?

Answer 17

Consent

Question 18

CIA Triad

Answer 18

Confidentiality
Integrity
Availability

Question 19

Why would a penetration test start from “assumed breach”?

Answer 19

1. To provide a test to the customer in the most cost-effective manner
2. To accurately simulate insider threats

Question 20

What are the steps of the Cyber Kill Chain?

Answer 20

Reconnaissance
Scanning
Infiltration and Escalation
Exfiltration
Access Extension
Assault
Obfuscation

Question 21

CVE

Answer 21

Common Vulnerabilities and Exposures
They represent specific vulnerabilities and exposures.

Question 22

CWE

Answer 22

Common Weakness Enumeration
They are not specific vulnerabilities, but weaknesses that can lead to vulnerabilities.
Ex. CWE-242: Use of Inherently Dangerous Function

Question 23

CAPEC

Answer 23

Common Attack Pattern Enumeration and Classification
It is a catalog of types of attacks
Ex. CAPEC-148: Content Spoofing

Question 24

NVD

Answer 24

National Vulnerability Database
Takes CVEs and pairs them with CVSS severity scores

Question 25

Open Source Intelligence (OSINT)

Answer 25

derived from data and information that is available to the general public

Question 26

Footprinting

Answer 26

An adversary engages in probing and exploration activities to identify constituents and properties of the target

Question 27

Fingerprinting

Answer 27

An adversary compares output from a target system to known indicators that uniquely identify specific details about the target

Question 28

What is the order of Recon?

Answer 28

OSINT Footprinting Fingerprinting

Question 29

Pagodo

Answer 29

A python module which automates performing Google dorks.

Question 30

WHOIS

Answer 30

allows us to figure out information about a domain and provides contact information for that domain

Question 31

RIR

Answer 31

Regional Internet Registry

Question 32

Nslookup and Dig

Answer 32

query nameservers for DNS records from a particular domain

Question 33

Hunter.io

Answer 33

used to find emails and contact info from people at a company

Question 34

DNSDumpster

Answer 34

Online tool that compiles information from multiple sources to get a better picture of domain information leakage. Uses multiple sources to find subdomains that you might not know about

Question 35

Attack Surface

Answer 35

number of all possible points, or attack vectors, where an unauthorized user can access a system and extract data

Question 36

Vulnerability

Answer 36

A weakness that can be exploited to gain unauthorized access to a computer system

Question 37

Order of Scanning

Answer 37

Host Discovery Port Scanning OS Identification Service Identification Vulnerability Scanning

Question 38

ICMP Host Discovery Techniques

Answer 38

ICMP Echo Request Ping - Expect ICMP Type 0 Echo Reply if up ICMP Address Mask Request - Expect ICMP Type 18 Address Mask Reply if up ICMP Timestamp Request - Expect ICMP Type 14 Timestamp Reply if up

Question 39

TCP Host Discovery Techniques

Answer 39

TCP SYN Ping - Expect SYN/ACK if up TCP ACK Ping - Expect RST if up

Question 40

Other Host Discovery Techniques

Answer 40

UDP Ping - Expects an 'ICMP port unreachable' message if up ARP Ping - Expect to receive ARP reply if up

Question 41

System Ports

Answer 41

Ports 0-1023 Assigned to specific service by IANA Usable only by privileged programs

Question 42

User Ports

Answer 42

Ports 1024-49151 Assigned to specific service by IANA Usable by unprivileged programs

Question 43

Dynamic Ports

Answer 43

Ports 9152-65535 used by client programs for source ports

Question 44

What are the 3 port states?

Answer 44

Open Closed Filtered

Question 45

TCP Port Scanning Techniques

Answer 45

TCP Connect Scan - Open: Connection, Closed: RST TCP SYN Scan - Open: SYN/ACK, Closed: RST TCP ACK Scan - Unfiltered: RST, Filtered: No Response

Question 46

Less Common TCP Port Scanning Techniques

Answer 46

TCP NULL Scan TCP FIN Scan TCP Xmas Scan Open: No response Closed: RST

Question 47

UDP Port Scan

Answer 47

Open: Response from service (unlikely) or No response (could also mean filtered) Closed: ICMP Type 3 Port unreachable error message

Question 48

Banner Grabbing

Answer 48

Connecting to a service as if we are going to use it, but instead we’re interested in what the service tells us about itself

Question 49

Masscan

Answer 49

tool for host discovery on large subnets blasts SYNs without waiting for a reply. When it gets a reply, it

Question 50

EyeWitness

Answer 50

tool that allows you to collect screenshots from a list of hosts or from other scan results

Question 51

Dirbuster

Answer 51

tool that allows you to brute-force enumeration of web addresses based on a wordlist

Question 52

FFUF

Answer 52

Guesses web addresses based on a wordlist

Question 53

Vulnerability Management

Answer 53

Vulnerability management is the ongoing, regular process of identifying, assessing, reporting on, managing and remediating cyber vulnerabilities across endpoints, workloads, and systems

Question 54

What is Nessus used for?

Answer 54

Vulnerability Scanning

Question 55

Intrusion Detection Systems (IDS)

Answer 55

monitor for threats by looking at network traffic; near real-time

Question 56

Intrusion Prevention Systems (IPS)

Answer 56

prevents threats found through looking at network traffic; real-time

Question 57

TAPs

Answer 57

Test Access Points mirror all packets using an inline device, detection is run on copies Slow but don't drop packets Prefered

Question 58

SPAN ports

Answer 58

Switch or router copies packets and sends them out another port to the security tool Fast but drop lots of packets

Question 59

Vulnerability

Answer 59

A weakness in a system or network which can be exploited to cause the system to act in an unintended way

Question 60

Exploit (verb)

Answer 60

Using a vulnerability to cause a system to act in an unintended way

Question 61

Exploit (noun)

Answer 61

Code that uses a vulnerability to cause a system to act in an unintended way

Question 62

Payload

Answer 62

Code which is run on the target system as a result of an exploit

Question 63

Server-side Exploitation

Answer 63

A server is running and there is some misconfiguration or software bug which allows us to cause the server to act in an unintended way. Ex: MS17-010, aka Eternal Blue

Question 64

Client-side

Answer 64

exploit misconfigurations or bugs in software, and exploits the trust relationship between the client and server Ex: Cross-site Scripting (XSS)

Question 65

Social Engineering

Answer 65

Here we attacking the “vulnerability” of trust relationships in and by humans. Ex: Phishing

Question 66

Post-Exploitation

Answer 66

anything we do after running a payload on the target system Ex. Credential theft

Question 67

Access Extension

Answer 67

Making it easier to come back next time

Question 68

Pivoting

Answer 68

Gaining access to previously unreachable systems

Question 69

Obfuscation

Answer 69

Covering our tracks

Question 70

Why do we use reverse shells?

Answer 70

Does not create a new vulnerability on the system for other attackers to use More likely to bypass firewall restrictions Connections can be made out of NAT’d environments but not necessarily in

Question 71

Staged Payload

Answer 71

The original payload fetches another payload and runs it

Question 72

Pros and Cons of a Staged Payload

Answer 72

Pro: The original payload is small, which allows it to be easier to use in an exploit with size requirements. Con: More complicated May be easier to detect on the network Requires additional network connectivity to run the second stage

Question 73

Stageless Payload

Answer 73

The “real” payload is the original payload

Question 74

Pros and Cons of a Stageless Payload

Answer 74

Pro: Simpler. No additional network connectivity required Con: The payload itself is larger

Question 75

Mfsvenom

Answer 75

command line tool that allows you to generate custom payloads which interact with Metasploit

Question 76

What Metasploit module is used to catch a reverse shell from an msfvenom payload?

Answer 76

exploit/multi/handler

Question 77

DNS Domain Hierarchy

Answer 77

Root (.) Top Level Domains (TLD) (ev. .com, .edu) Second Level Domain (ex. google, example)

Question 78

DNS Query Order

Answer 78

Root TLD Second Level Domain

Question 79

How does the Kaminsky attack work?

Answer 79

1. Query: Whats the ip address of qwrqqwe.example.com 2. Local cache sends request to example.com's DNS server 3. Flood the local cache with spoofed replies with your own NS as the authoritative NS for the domain

Question 80

How big is the TID in a DNS request or reply?

Answer 80

2 bytes

Question 81

Username Enumeration

Answer 81

enum4linux - uses NULL sessions RID Cycling 1. Assume that some common names exist. Using the NULL session, request the SID for that username. 2. Get a SID 3. The last part is the RID It’s used to identify different users in a domain 4. Remove the RID and add a new one, checking for existence. So, start with 500 (administrator), 501 (guest/nobody), and work your way up

Question 82

Password Spraying

Answer 82

guess a single (or a few) password(s) across many usernames. Looking for at this point is *any* valid credential

Question 83

Password Cracking

Answer 83

guessing a bunch of passwords, hashed them all, and compared each one to the hash we have

Question 84

Dumps the SAM database

Answer 84

post/windows/gather/hashdump

Question 85

A meterpreter command in the 'kiwi' extension used to inject into LSASS

Answer 85

creds_all

Question 86

Active directory database that cannot be copied with normal file operations

Answer 86

ntds.dit

Question 87

Has hashes that correspond to the users in /etc/passwd

Answer 87

/etc/shadow

Question 88

Salting hashes makes it harder to do what type of password cracking?

Answer 88

Rainbow table attack

Question 89

When cracking a WPA/WPA2 key, why does the attacker perform a deauthentication?

Answer 89

To force an authentication challenge/response

Question 90

What activity is most likely to cause account lockout

Answer 90

Password guessing