504.3 Flashcards

1
Q

Password Spraying

A

Attackers choose a small number of potential passwords to try. They then spray these potential password guesses across a large number of account names and machines, hoping that one works.

2
Q

THC Hydra

A

Online password guessing tool. Targets a single username and password, a list of usernames, or lists of passwords and usernames. Supports many different protocols: SSH, RDP, SMTP, SMB, VNC and more.

3
Q

Credential Stuffing

A

An adversary collects username and password lists from popular website breaches, merging them into a single file or other searchable index. Then, when the adversary has a target organization in their sights, they search the breached username and password list for that organization, identifying valid usernames and passwords that worked for the breached site, and reuse those credentials against the target.

4
Q

Password Guessing

A

Identify a valid user ID > Create list of possible passwords > Try typing in each password > If system allows you in, success > if not, try again

5
Q

Bucket Finder

A

Requires a wordlist; it checks each word to see whether a bucket of that name exists in Amazon S3. For any bucket it finds, it checks whether the bucket is public, private or a redirect.

6
Q

gcpbucketbrute

A

Identifies and enumerates permissions on Google Cloud buckets. Uses a permutation wordlist to create common variations on a single bucket name, or searches all bucket names in a supplied file. Does not download files; use gsutil for that.

7
Q

bucket squatting

A

An attacker may register a bucket that uses an organization's name (or a similar one) as part of a phishing attack or other social engineering engagement, or may even reuse a bucket name where prior references still exist that point to a deleted bucket.

8
Q

netcat

A

A computer networking utility for reading from and writing to network connections using TCP or UDP.

9
Q

client mode

A

Starts a connection to a listening node's IP address and port.

10
Q

listening mode

A

Waits for connections on a specific port.

11
Q

Domain Password Audit Tool (DPAT)

A

An analysis tool to characterize password selection in your Windows domain. Not a password cracker; it analyzes the cracked data stored in the POT file from John the Ripper and Hashcat to identify systemic problems in how users select their passwords.

12
Q

LANMAN Hash

A
  • The user’s password is restricted to a maximum of fourteen characters.
  • The user’s password is converted to uppercase.
  • The user’s password is encoded in the System OEM code page.
  • This password is NULL-padded to 14 bytes.
  • The “fixed-length” password is split into two 7-byte halves.
  • These values are used to create two DES keys, one from each 7-byte half.
  • Each of the two keys is used to DES-encrypt the constant ASCII string “KGS!@#$%”, resulting in two 8-byte ciphertext values.
  • These two ciphertext values are concatenated to form a 16-byte value, which is the LM hash.
  • No salt.
13
Q

NT Hash

A
  • ASCII password is converted to Unicode (if necessary).
  • Unicode password is hashed using the MD4 function to create a 16-byte hash, which is then stored in the SAM.
  • Case sensitivity is preserved.
  • Used if the password is greater than 14 characters.
  • No salt.
14
Q

Salt

A

Adds entropy (randomness, i.e. unpredictability) to the password before hashing. Makes password cracking much more difficult.

15
Q

Rainbow Tables

A

Pre-calculate hashes and store them in tables for direct comparison. Each password generates a unique password hash value. For any given set of passwords (from a wordlist, or an exhaustive list of possible combinations for a given character set and length) the attacker generates and stores the hashes so that they can be looked up later. Harder to use when a password salt is included.

16
Q

ntdsutil

A

Built-in Windows tool used for gathering domain hashes. Designed to manage Active Directory data. Also requires gathering the SYSTEM registry hive data. Backs up the data to a new folder.

17
Q

secretsdump.py

A

Tool used after the NTDS.dit and SYSTEM registry hive data have been downloaded; an attacker needs it to decrypt the NTDS.dit data (using the registry hive keys) and extract the password hashes.

18
Q

Meterpreter

A

Attack payload that provides an interactive shell from which an attacker can explore the target machine and execute code. Deployed using in-memory DLL injection. As a result, it resides entirely in memory and writes nothing to disk.

19
Q

Mimikatz

A

Tool used to recover password hashes from Windows 10.

  • Retrieve the contents of the HKLM\sam and HKLM\system registry hives.
  • Make the hives available to the tool.
20
Q

Am All Day Baffled By Difficult Choices For Encrypted Data

A

Recognize empty LANMAN and NT hashes as an indicator of disabled accounts, or possible tool failure

21
Q

Single Crack Mode

A

Creates its password guesses by starting with the GECOS field information. It then applies various hybrid alterations of those fields to create its guesses.

22
Q

Wordlist Mode

A

Relies on a dictionary as the source of guesses. It then applies hybrid techniques to alter the dictionary terms and uses them as guesses.

23
Q

Incremental mode

A

Tries all possible character combinations to determine the password in a brute force attack. This mode could theoretically run virtually forever, as working through the number of permutations available can take many years.

24
Q

External Mode

A

John doesn't formulate its own guesses but instead relies on a separate program to provide them. This feature gives John an added degree of modularity: if you can write a program that creates password guesses better than John does, you can integrate it with John.

25
Q

John the Ripper

A
  • Password cracking tool.
  • Supports (and auto-detects) many password hash formats.
  • Many more hash formats are supported with the jumbo patch (Windows).
  • Cracked passwords are stored in the pot file.
  • Exfiltrate copies of the /etc/passwd and /etc/shadow files from a target system, then merge them into a single file using the combine command.
26
Q

Hashcat

A
  • Takes advantage of GPUs for password cracking; it will take the hash and try to crack it across thousands of GPUs at the same time.
  • Extensive password hash support.
  • Supports brute force, hybrid and wordlist attacks; also supports a wide variety of tuning via a robust rules file.
27
Q

combinator

A

Uses two wordlist files. Each word in the first wordlist file is prepended to every word in the second wordlist file (or you can use the same file twice). This is useful for recovering passwords where users combine two words.

28
Q

Straight

A

Uses a simple wordlist attack. Each word in the file is used as a potential password.

29
Q

Brute Force/Mask Attack

A

Performs a brute force password guessing attack using a pattern that you specify. The syntax for this attack can be complex, but it is a powerful attack technique capable of recovering even very complex passwords.

30
Q

Hybrid Wordlist + Mask

A

Combines features of the straight and mask attacks, appending the specified mask value to each word in the wordlist file.

31
Q

Hybrid Mask + Wordlist

A

Combines features of the straight and mask attacks. The mask is prepended to each word in the wordlist file.

32
Q

Pluggable Authentication Modules

A

Can link UNIX and Linux login to various systems. Can enforce password complexity.

33
Q

Named Pipes

A

Used to provide communication between processes on the same computer or between processes on different computers across a network.

34
Q

Hashdump

A

Tool used to obtain Windows local password hashes. Used via a Meterpreter shell: migrate to the lsass process, then run hashdump.

35
Q

$1, $2, $5, $6 (No $)

A

MD5, Blowfish, SHA-256, SHA-512, DES

36
Q

PBKDF2

A

Password-Based Key Derivation Function 2: password hashing function recommended by NIST. Uses multiple hashing rounds.

37
Q

Bcrypt

A

Hashing function that uses multiple hashing rounds and requires significant memory. The password value cannot contain null bytes and has a maximum length of 72 characters.

38
Q

basic blob finder

A

Tool to identify and scan Azure blobs. It will identify publicly accessible blobs and enumerate their files.