14.1 Test review

Question 1

Anatomy of an Exploit

3 parts

Answer 1

Delivery
Execution
Connection

Question 2

Anatomy of a Masquerade

3 parts

Answer 2

Delivery
Execution
Connection
(Same as Anatomy of an Exploit)

Question 3

Common Exploit techniques

2 Parts

Answer 3

Code-Based Exploit

Masquerade

Question 4

Masquerade

Answer 4

use of credentials (usually stolen of “forged”), to geain access to a service ie SSH, Telnet, RDP

Question 5

Code Based Exploit

Answer 5

Targets a specific vulnerability in an application. Usually ran from an exploit framework (Meteasploit), most common vulnerability is a buffer overflow

Question 6

Buffer Overflow

Answer 6

Overwrites program data in the stack or heap memory to exploit code that allows an exploit of the machine or program

Question 7

No Operation (NOP) Sled

Answer 7

assembly opcode x90 that tells the processor to execute nothing and to just move the instruction pointer forward one. Can be manipulated to create a buffer overflow

Question 8

Types of Shell Code Payloads

2 types

Answer 8

SIngle payload

Staged Payload

Question 9

Are code-based exploits big or small?

Answer 9

Small, the amount of memory a code based exploit can pass is only a few hundred bytes. This means that a small shell can be passed such as in a SINGLE payload, or instructions to set up a STAGED payload in increments to pass larger amounts of data

Question 10

How does Meterpreter avoid forensic detection

Answer 10

By using in-memory DLL injection, which writes nothing to the disk, and using encryption for its network connection

Question 11

What are the 2 stages of a Staged Payload?

Answer 11

Stager (s0); sets up tcp connection back to the attackers host and reads the much larger Stage payload into memory on the targets machine
Stage (s1); Fully functional remote shell loaded by the Stager

Question 12

What are the 2 payload types that create a connection between target and attacker?
(ones –> and ones

Answer 12

Bind TCP; opens a port on the taget machine to listen for incoming connections, often blocked by firewalls
Reverse TCP: Creates a connection (callback) to the attacker, firewalls often allow this as they are more lenient on traffic that is outbound of the network

Question 13

What are the 2 Metasploit interfaces?

2 commands

Answer 13

msfconsole; command line access to all metasploit options

msfpayload; generates shellcode payloads

Question 14

Metasploit Commands

6 of them

Answer 14

search
info
use
show options
show payloads
set

Question 15

mspayload syntax

command part1 part2 part3

Answer 15

msfpayload

Question 16

2 options for output_types in msfpayload

hugs and kisses

Answer 16

x; Creates an executable payload

o; Lists payload with configurable parameters

Question 17

what is the Handler?

Answer 17

The handler is how metasploit connects to remote payloads and is the command line interface used to access the remote computer

Question 18

what are the 2 ways to use the Handler?

Answer 18

Automatic; used in code-based exploits, connects to the shellcode payload the exploit started on the remote machine
Manual; During masquerades, or when connected to a backdoor, a handler can be started by itself to connect to the target. This is often referred to as the multi/handler because the module is using the command use multi/handler

Question 19

what command would allow you to manually connect to a Meterpreter payload?

Answer 19

use multi/handler

Question 20

what are the 5 options that can be changed with most exploits?

Answer 20

RHOST
RPORT
Payload
LHOST
LPORT

Question 21

Meterpreter Commands:
File system commands
(3 of them)

Answer 21

ls
pwd
cd

Question 22

Meterpreter Commands:
Logged on Users and Accounts
(3 of them)

Answer 22

getuid: displays user Meterpreter is running as
getpid: Displays pid for running Meterpreter payload
pwd: displays working directory

Question 23

Meterpreter Commands:
Running Processes
(1 command)

Answer 23

ps: lists running processes

Question 24

Meterpreter Commands:
System and Hardware info:
(1 command)

Answer 24

sysinfo: displays target system info

Question 25

Meterpreter Commands:
Network Information
(2 commands)

Answer 25

route; display/modify routing table info

arp: displays system arp cahce

Question 26

Meterpreter Commands:
File Placement:
(1 command)

Answer 26

upload: uploads files onto target.
syntax: upload

Question 27

Meterpreter Commands:
File Collection
(1 command)

Answer 27

download

syntax; download

Question 28

2 locations you may find WINDOWS user hashes

Answer 28

%systemroot%\system32\config\SAM (local only)

%systemroot%\ntds\ntds.dit (Domain controller)

Question 29

What are the 4 parts of a WINDOWS hash?

Answer 29

UserID; user name
RID: identifies group or account for security/authorization
LM Hash: 14 characters, only uses A-Z 0-9, (36 chars)
NTLM Hash; supports 256-character password with all characters (211

Question 30

4 parts of a UNIX/LINUX hash?

Answer 30

User Id: common name of user account
Hash: obfuscated password
Password Last set: days from Jan 1 1970 since pword change
Password control Fields; max/min pword length, etc.

Question 31

Windows commands for hash collection

2 commands

Answer 31

PWdump (from windows command line)

hashdump (from meterpreter command line)

Question 32

3 modes of operation for John the Ripper (JtR)

Answer 32

Single; fastest mode
Wordlist; (JtR default wordlist is password.lst)
Incremental; (aka brute force)

Question 33

John the Ripper syntax

Answer 33

john

Question 34

what is the syntax and function of the command nslookup?

used in WINDOWS, dig is for UNIX/LINUX

Answer 34

syntax: nslookup
Function: retrieves generally available info on a domain or ip address such as names and sometimes contact info

Question 35

What is the syntax/function of the dig command in UNIX/LINUX?

Answer 35

Syntax: dig
Function: Pulls DNS records of any type

Question 36

what is the syntax for a zone transfer using the dig command in UNIX/LINUX?

Answer 36

dig @ -t axfr

Question 37

what are the entry types for DNS records?

6 of them

Answer 37

SOA 
A
NS
AAAA
MX
CNAME

Question 38

What are the 3 types of traceroute?

Answer 38

ICMP (WINDOWS default)
UDP (UNIX/LINUX default dest port range 33434-3440)
TCP

Question 39

what is the syntax for ping with record route and how should you use it?

Answer 39

syntax: ping -r 9 (WINDOWS)
ping -R (UNIX/LINUX)
Use: you should use ping with traceroute from the target to the Attack platform to get the ip’s on the inside of the routers between the two.

Question 40

Active OS fingerprinting techniques

8 of them

Answer 40

ping
Nmap
Nmap Scripting engine/winscan
Scanline
Banner Grabbing
Telnet
Netcat
Web Enumeration

Question 41

OS Default TTL’s

Answer 41

Cisco 225
LInux 64
Unix (Solaris) 255
Windows 128

Question 42

Ping sweep Syntax using Nmap

Answer 42

nmap -sn -PI

• sn = Ping sweep scan
• PI = ICMP echo request

Question 43

Nmap port scan types

7 of them

Answer 43

• sT: TCP connect scan
• sS: SYN stealth scan
• sA: Ack Stealth Scan
• sF: FIN stealth scan
• sN: TCP null scan
• sX: TCP Xmas Tree Scan

Question 44

nmap -sT

TCP Connect Scan

Answer 44

performs a full TCP connection; completes the 3-way handshake by opening a connection to every open port encountered on the target host. Closed ports respond with RST. If SYN/ACK response happens, port is open

Question 45

nmap -sS

SYN Stealth Scan

Answer 45

Referred to as a half-open scan because it does not complete the three-way handshake even though the SYN control flag is sent to all ports on the target host.

Question 46

nmap -sA

ACK Stealth Scan

Answer 46

Used to map out firewall rule sets and determine if a firewall is stateful or a simple packet filter, that blocks incoming SYN packets. This scan sends an ACK packet to the specified ports. If a RST flag is returned, the port is classified as unfiltered. If nothing comes back (or if an ICMP unreachable is returned) the port is classified as filtered. Nmap does not print unfiltered ports; getting no ports shown in the output implies all probes got through and returned RST’s. This scan NEVER shows ports in OPEN or CLOSED state.

Question 47

nmap -sF

FIN Stealth Scan

Answer 47

Has the ability to pass undetected through some firewalls, packet filters, and scan detection programs that monitor the SYN flag. This scan sends a FIN control flag to all target ports and waits for responses. Open ports ignore the packet, while closed ports respond with RST.

Question 48

nmap -sN

TCP Null Scan

Answer 48

Can bypass some firewalls and boundry routers by sending packets with no control flags set to all target ports and waits for responses. Open ports ignore packets, while closed ports respond with RST.

Question 49

nmap -sX

TCP Xmas Tree Scan

Answer 49

Can get through some firewalls and boundary routers by sending FIN, URG, and PSH control flags set to all target ports and waits for responses. Open ports ignore packets, while closed ports respond with RST.

Question 50

nmap -sU

UDP Scan

Answer 50

Sends UDP requests to a target port. If no replies come back, port is assumed open. If a Destination Unreachable is recieved, port is assumed closed.

Question 51

What is Scanline?

Answer 51

Scanline is a command line port scanner for WINDOWS. Scanline is known as a portable scanner due to the small size (20KB) of its executable.

Question 52

what tools can be used for banner grabbing?

Answer 52

Nmap, Telnet, and Netcat

Question 53

What are 3 commands that allow banner grabbing?

Answer 53

nmap -sV
telnet
nc -v (Netcat)

Question 54

Name an open source web scanner

Answer 54

Nikto

syntax: nikto -host

Question 55

What is the syntax for the UNIX/LINUX command that can manipulate timestamps?

Answer 55

touch -t

Question 56

syntax for scp from local to target

Answer 56

scp @:

Question 57

syntax for scp from target to ap

Answer 57

scp @:

Question 58

what 6 UNIX/LINUX commands show logged on users and account info?

Answer 58

w
who
whodo
logins
finger
rusers

Question 59

what UNIX/LINUX 2 commands allow interactive monitoring of active processes?

Answer 59

UNIX: prstat -e -f
LINUX: top -a

Question 60

what UNIX/LINUX command prints processor information?

Answer 60

psrinfo -v

Question 61

what UNIX/LINUX command displays disk space

Answer 61

df -k

Question 62

what 2 UNIX/LINUX commands display software package info?

Answer 62

pkginfo -l

showrev -p

Question 63

program to remove last entry from WTMP, UTMP, WTMPX, and UTMPX files (binary files)

Answer 63

zap3, must be chmod +x and then ./zap3 once per log entry to delete them

Question 64

UNIX command to see recent logging changes

Answer 64

last

Question 65

forward tunnel use and syntax

Answer 65

syntax: ssh root@ -L
-L = listening
rhp1= should be a port allowed by acl’s
vp= vulnerable port being used by the exploit
This opens a port on the AP an forwards data through the redirector who then send it to the target’s vulnerable port

Question 66

reverse tunnel us and syntax

Answer 66

syntax: ssh root@ -R

opens a port on the redirector and returns data to the AP

Question 67

Syntax and usage for multiple tunnels

Answer 67

syntax: root@ -L -R
this combines forward and reverse tunneling and allows the AP to forward data through the redirector to the vulnerable port on the target the target then talks to the port on the ap by sending to 0.0.0.0 which the redirector knows to forward to the AP, the ap is listening for incoming traffic on the designated rhp2 because the handler has already brought it up into a listening state when i started the exploit.