System Hacking

Question 1

Name 3 log-related methods of covering your tracks on a system hack

Answer 1

Disabling auditing
Clearing logs
Manipulating logs

Question 2

What technique for covering tracks on network is Target system sends a request to the remote system to act on the response.

Answer 2

Reverse shell

Question 3

What technique for covering tracks on network is Adding data payload to the target’s DNS server to create a back channel to steal information?

Answer 3

DNS tunneling

Question 4

What technique for covering tracks on network is Using TCP parameters for payload distribution?

Answer 4

TCP parameters

Question 5

What fields can you use to hide data in a TCP packet?

Answer 5

IP identification field
TCP acknowledgement number
TCP initial sequence number

Question 6

What does the Privacy.sexy tool do?

Answer 6

Open source tool that can cleanup logs and personal activities.

Question 7

What does the Auditpol tool do?

Answer 7

Microsoft tool to manipulate audit policies.

Question 8

What does the MRU-blaster tool do?

Answer 8

Find and remove 30,000 Most Recently Used(MRU) lists.

Question 9

What is the activity of Recovering passwords from the transmitted or stored data on computer systems?

Answer 9

Password Cracking

Question 10

What is the non-electronic, passive method of password attack is Collecting information from the target’s trash bins?

Answer 10

Dumpster diving

Question 11

What is the non-electronic, passive method of password attack is Observing the target while they type in their passwords?

Answer 11

Shoulder surfing

Question 12

What is the non-electronic, passive method of password attack is Interacting with the target to trick them into revealing their passwords?

Answer 12

Social engineering

Question 13

What kind of password attack is Load a dictionary file into a password cracking program and The program checks the passwords against user accounts?

Answer 13

Dictionary attack

Question 14

What kind of password attack is Running every combination of characters until the password is cracked?

Answer 14

Brute-force attack

Question 15

What kind of password attack is Taking a dictionary and expanding it with guesses using brute-force?

Answer 15

Hybrid attack

Question 16

What kind of password attack is when Attacker combines several other attacks to crack the password and Used when the attacker has some information about the password?

Answer 16

Rule-based Attack

Question 17

What kind of password attack is when attacker Guess passwords either by humans or by automated tools using dictionaries and Requires the attacker to manually attempt to log into the target’s machine?

Answer 17

Password guessing

Question 18

Installed in target machine to get the target’s passwords and usernames.

Answer 18

Trojan/spyware/keylogger

Question 19

What kind of attack can be performed against systems that use hash functions for the user authentication?

Answer 19

Hash injection

Question 20

What kind of attack can take place when DNS fails to resolve name queries, the host sends a UDP broadcast message to other hosts asking them to authenticate themselves which can allow an attacker can listen for a NTLM has to crack?

Answer 20

LLMNR/NBT-NS poisoning

LLMNR = Link Local Multicast Name Resolution

NBT-NS = NetBIOS Name Service

Question 21

What kind of passive online attack is when Attackers sniff credentials by capturing packets that are being transmitted?

Answer 21

Wire sniffing

Question 22

What kind of passive online attack is when Attacker gains access to the communication channel between the target and server and then extracts information and data they need to gain unauthorized access?

Answer 22

Man-in-the-middle (MITM) attack

Question 23

What kind of passive online attack is when an attacker can replay information using e.g. extracted authentication token or hashed password after using a sniffer to capture packets and authentication tokens?

Answer 23

Replay attack

Question 24

What kind of attack is when Attacker never attempts to login to the application server that can be logged and attempts Cracking efforts on a separate system?

Answer 24

Offline attacks

Question 25

What kind of attack uses the power of machines across the network to decrypt passwords often Used for recovering passwords from hashes?

Answer 25

Distributed network attack (DNA)

Question 26

What kind of hash attack is faster than brute-force however the trade-off is that it takes a lot of storage to hold these kind of tables?

Answer 26

Rainbow table attack

Question 27

what kind of hash attack where attacker Tries to find two inputs resulting in same hash value?

Answer 27

Collision attack

Question 28

What kind of attack tries every possible combination of characters to break the encryption?

Answer 28

Brute-force attack

Question 29

What kind of attack is a brute-force attack that depends on the higher likelihood of collisions found between random attack attempts and a fixed degree of permutations?

Answer 29

Birthday Attack - Exploits birthday problem in probability theory

Question 30

What is the countermeasure where the longer the random string, the harder it becomes to break or crack the password and Generates different hashes for the same password?

Answer 30

Password Salting - Hash is used with salt (collection of random bits) to obscure the hash

Question 31

What is it called when attackers acquire the privileges of the same level of different users?

Answer 31

Horizontal privilege escalation

Question 32

What is Vertical privilege escalation?

Answer 32

Acquiring higher privileges

Question 33

What is Horizontal privilege escalation?

Answer 33

Acquiring the privileges of the same level

Question 34

What is pivoting in system hacking?

Answer 34

Using a compromised system as a launching point into other systems.

E.g. in Metasploit you can add route to first compromised system to access the network beyond it.

Question 35

What are some techniques on Windows to escalate privileges?

Answer 35

Access token manipulation

File system permissions weakness

Windows application shimming

Windows application shimming

Scheduled tasks

Question 36

What are some techniques on Mac OS to escalate privileges?

Answer 36

OS X applications dynamic library vulnerability

Launch Daemon

Meltdown vulnerability

Spectre vulnerability

Question 37

Name 5 Privilege escalation countermeasures

Answer 37

Apply least-privilege: Never grant more privileges than needed!

Use encryption and MFA

Run services as unprivileged accounts

Patch and update regularly

Ensure all executables are write-protected

Question 38

What does User Access Control (UAC) do on Windows?

Answer 38

Prompts user for potentially dangerous software in Windows

Limits softwares to user privileges until an administrator authorizes an elevation.

Question 39

Name 3 Privilege escalation tools

Answer 39

BeRoot to check common misconfigurations to find a way to escalate privileges on Linux and Windows

linpostexp: Linux post exploitation enumeration and exploit checking tools

Windows Exploit Suggester & Linux Exploit Suggester

Question 40

What are 4 classes of remotely executed malicious programs designed to steal information?

Answer 40

Programs that attackers install include:

Backdoors are designed to collect information and gain unauthorized access to the system

Crackers are designed to crack passwords

Keyloggers are designed to record keystrokes

Spyware are designed to capture screenshots and send them to the attacker

Question 41

What creates backdoor to the system to enable the attacker to access to the system? Hides itself, replaces certain system calls and does not spread by themselves

Answer 41

Rootkits

Question 42

what are the three Rootkit levels?

Answer 42

Ring 0 - Kernel level
Ring 1/2 - Device Drivers
Ring 3 - Applications