All Appendix 11 Flashcards

Question 1

Q

What is a passive OS fingerprinting technique

Answer

A

Monitoring network traffic using tools such as Wireshark for information re: the OS, also using p0f which is a tool that listens to network traffic and fingerprints OS based on characteristics of the packets

Question 2

Q

What is an active OS fingerprinting method

Answer

A

Using a port scanner like nmap

Question 3

Q

nmap flag to get OS details of target

Answer

A

-O for Operating System details

Question 4

Q

What is banner grabbing

Answer

A

A technique where attackers identify infrastructure details from headers, scans, etc.

Question 5

Q

How can we get application versions from a network

Answer

A

We can use a nmap scan with flag -sV to enable version detection

Question 6

Q

How can we get server types from banners

Answer

A

a cURL -I request will show the response headers which often includes a Server header, e.g: Server: Apache/2.4.41 (Ubuntu)

Question 7

Q

What is the difference between encryption and encoding

Answer

A

Encryption requires a secret key to be decrypted and is not reversible without it, whereas encoding means it uses a predefined scheme to convert data from one form to another with no key such as base64

Question 8

Q

What is encryption

Answer

A

Encryption involves using an algorithm and a key to transform plaintext into ciphertext. The process is reversible only if the correct decryption key is used

Question 9

Q

What is encoding

Answer

A

Encoding uses a predefined scheme to convert data from one form to another. The process is reversible without the need for a key\

Question 10

Q

What are the key factors that change between encoding and encryption

Answer

A

There are differences in reversiblity and levels of security

Question 11

Q

What are examples of encryption

Question 12

Q

What are examples of encoding

Answer

A

Base64, ASCII, URL encoding

Question 13

Q

What is a hash

Answer

A

A hash is a cryptographic function that takes an input and returns a fixed size string of bytes, the same input will always produce the same output, known as a “digest”

Question 14

Q

What are the two most known hashes

Answer

A

MD5 and SHA1

Question 15

Q

Are MD5 and SHA1 considered secure

Answer

A

MD5 and SHA1 are considered insecure and unsuitable for most applications

Question 16

Q

Bit length of MD5

Answer

A

128-bit hash

Question 17

Q

What was MD5 designed for

Answer

A

MD5 was designed to be a cryptographic hash function used for integrity checking, digital signatures, etc

Question 18

Q

Why is MD5 considered insecure

Answer

A

Due to collision vulnerabilities, researchers found that MD5 is susceptible to collision attacks where two DIFFERENT inputs result in the same hash output

Question 19

Q

What is a collision vulnerability

Answer

A

Where two different inputs result in the same hash output

Question 20

Q

What is the real world risk of collision vulnerabilities in hashing

Answer

A

Being exploited in attacks such as creating malicious certificates that appear legitimate as they have the same MD5 hash as a trusted certificate

Question 21

Q

What is SHA1 bit size

Answer

A

160-bit hash

Question 22

Q

What was SHA1 designed for

Answer

A

Used to be widely used in cryptographic applications, including SSL/TLS certificates, file integrity validation

Question 23

Q

Why is SHA1 considered insecure

Answer

A

SHA1 is considered insecure as researchers demonstrated that two outputs can produce the same hash output

Question 24

Q

Is SHA1 considered secure

Answer

A

SHA1 is considered

Question 25

Q

Is SHA1 exploitable/breakable

Answer

A

SHA1 is breakable as the cost and time required to generate SHA1 collisions have been decreaasing, making it feasible for well-funded attackers to break SHA1

Question 26

Q

NIST advice for SHA1

Answer

A

NIST advices against using SHA1 in favour of stronger algorithms like SHA256 or SHA3

Question 27

Q

What is HMAC

Answer

A

Type of Message Authentication Code that uses a cryptographic hash function along with a secret key to provide data integrity and authenticity, the secret key is only known by the sender and the recipient

Question 28

Q

What does MAC in HMAC stand for

Answer

A

Message Authentication Code

Question 29

Q

What does a HMAC do

Answer

A

It verifies that the payload has not been tampered with, like a JWT signature being verified

Question 30

Q

What is the OSI Model

Answer

A

The OSI Model is a reference model that enables the communication of different technical systems via various devices and technologies and provides compatibility

Question 31

Q

What are the layers of the OSI Model (in order)

Answer

A

Physical, Data Link, Network, Transport, Session, Presentation, Application

Question 32

Q

What are the layers of the TCP/IP Model

Answer

A

Link, Internet, Transport, Application

Question 33

Q

What is Layer 3 of the OSI Model and what does it do

Answer

A

L3 layer is the Network layer and it is where data packets are transferred from node to node until they reach their destination

Question 34

Q

In the postal/mail example of Network, what is the IPv4/IPv6

Answer

A

It is the unique postal address and suburb of the receiver’s building

Question 35

Q

In the postal/mail example of Network, what is the MAC Address

Answer

A

It is the exact floor and apartment of the receiver

Question 36

Q

How many bit groups are in an IPv4

Answer

A

8 bit groups

Question 37

Q

How many binary numbers in a IPv4 Address

Question 38

Q

What is the number convention of each bit in the IPv4 Address (descending order)

Answer

A

128, 64, 32, 16, 8, 4, 2, 1

Question 39

Q

What is the Subnet Mask

Answer

A

Describes which bit positions within the address are the network part and the host part

Question 40

Q

Can the bits of the subnet mask reflected in an IPv4 Address ever change (255.255.0.0) can 192.168 part of 192.168.24.2 ever change, and give explanation

Answer

A

No, if the subnet mask is 255. that entire section of the IPv4 Address cannot change, if it is something like 192, we have to write out the 8 bit binary notation of that subnet mask (from either the CIDR or the subnet mask) and the bits with 1 can not change

Question 41

Q

Wht is CIDR

Answer

A

Classless Inter-Domain Routing is a method of representing the subnet mask in a suffix form

Question 42

Q

Give an example of a CIDR suffix and which parts of the IPv4 can and cannot change due to the subnet mask/CIDR suffix

Answer

A

/26 would be 26 (1) in the subnet mask, which is = 255.255.255.192 would be 1111 1111 . 1111 1111 . 1111 1111 . 1100 0000 so the last 6 digits can be changed, we can find the first and last IP’s of that IP subnet with this information

Question 43

Q

What is IPv6 and how many bits in length

Answer

A

IPv6 is the successor of IPv4 and is 128 bits in length

Question 44

Q

How many blocks is a IPv6 address

Answer

A

8 blocks of 16 bits each (4 hex numbers)

Question 45

Q

How can a IPv6 Address be shortened

Answer

A

If the entire block is 0000 we can get rid of that and replace with double colomn (::)

Question 46

Q

TCP Telnet

Question 47

Q

TCP SSH

Question 48

Q

TCP SNMP

Question 49

Q

TCP HTTP

Question 50

Q

TCP HTTPS

Question 51

Q

TCP DNS

Question 52

Q

TCP FTP

Question 53

Q

TCP TFTP

Question 54

Q

TCP NTP

Question 55

Q

TCP SMTP

Question 56

Q

TCP SMB

Question 57

Q

TCP RDP

Question 58

Q

TCP LDAP

Question 59

Q

TCP ICMP

Question 60

Q

23

Question 61

Q

22

Question 62

Q

161

Question 63

Q

80

Question 64

Q

443

Answer 44

A

UDP is a connectionless protocol which means it does not establish a virtual connection before transmitting data, instead it sends data packets and does not check to see if they were received

Answer 45

A

Video streaming, online gaming

Answer 46

A

User Datagram Protocol

Answer 47

A

TCP is a connection-based protocol that establishes a virtual connection between two devices before transmitting data via a Three-Way handshake, as a result TCP is slower than UDP

Answer 48

A

It is slower than UDP due to the Three-Way Handshake

Answer 49

A

Transmission Control Protocol

Answer 50

A

ICMP is used by devices to communicate with each other on the Internet such as ping request, which tests connectivity between devices

Answer 51

A

Internet Control Message Protocol

Answer 52

A

A method that uses the same key to encrypt and decrypt the data, meaning the sender and receiver must have the same key to decrypt the data

Answer 53

A

AES and DES

Answer 54

A

Advanced Encryption Standard

Answer 55

A

Data Encryption Standard

Answer 56

A

Is a method of encryption that uses two different keys, a public key and a private key. The public key is used to encrypt data and anyone can access it but only the recipient has the private key who can decrypt the data

Answer 57

A

RSA, PGP, ECC

Answer 58

A

Rivest-Shamir-Adleman

Answer 59

A

Pretty Good Privacy

Answer 60

A

Elliptic Curve Cryptography

Answer 61

A

3DES is an extension of DES which encrypts data more securely, the procedure for this usually consists of three keys

Answer 62

A

AES is faster than DES due to its more efficient algorithm structure, as it can be applied to multiple data blocks at once making it faster

Answer 63

A

Internet Key Exchange

Answer 64

A

Diffie-Hellman is a key exchange method which allows two parties to agree on a shared secret keey without any prior communication or shared private information

Answer 65

A

MiTM attacks where the attacker intercepts the communication and pretends to be one of the parties

Answer 66

A

Diffie-Hellman, RSA, ECDH, ECDSA

Answer 67

A

RSA uses the properties of large prime numbers to generate a shared secret key, relies on the fact it is easy to multiply large prime numbers but challenging to factor the result back into its prime factor

Answer 68

A

Elliptical Curve Diffie-Hellman

Answer 69

A

Elliptic Curve Digital Signature Algorithm

Answer 70

A

TLS, SSL, OAuth, HTTPS, 2FA

Answer 71

A

Wired Equivalent Privacy

Answer 72

A

WiFi Protection Access

Answer 73

A

Encryption, Access Control and Firewalls

Answer 74

A

WPA provides the highest level of security by using a secure authentication method such as a pre-shared key

Answer 75

A

They are authentication protocols used to secure wireless networks to provide a secure method for authenticating devices and are used in conjunction with WEP/WPA

Answer 76

A

Lightweight Extensible Authentication Protocol

Answer 77

A

Protected Extensible Authentication Protocol

Answer 78

A

PEAP is more secure as it uses a secure authentication method called TLS, whereas LEAP uses a shared key for authentication, which makes it easy to gain access if the key is compromised

Answer 79

A

It is a wireless network attack that disrupts communication between a WAP and clients by sending disassociation frames causing the client to disconnect from the network

Answer 80

A

IPSec is a network security protocol providing encryption and authentication for internet communications, encrypts the dta payload of each IP packet and adding an authentication header (AH) which is used to verify the authenticity of the packet

Answer 81

A

Authentication Header and Encapsulating Security Protocol (ESP)

Answer 82

A

Provides encryption and optiinal authentication for IP packets, it encrypts the data payload of each packet

Answer 83

A

Internet Key Exchange (IKE)

Answer 84

A

SSL is a cryptographic protocol designed to provide secure communication over a computer network, it was the predecessor of TLS

Answer 85

A

PGP is an encryption program that provides cryptographic privacy and authentication for data communication

Answer 86

A

PGP is often used to secure emails and files encrypting them, ensuring only the intended recipient can read the contents

Answer 87

A

TKIP is a security protocol used in wireless networks and was designed as a temporary solution to improve security on existing hardware that initially only supported weaker WEP encryption

Answer 88

A

Temporal Key Integrity Protocol

Answer 89

A

TKIP was an improvement over WEP but still not as secure as the later WPA2 which uses AES encryption

Answer 90

A

WEP was depracated due to weak encryption, WEP’s use of RC4 cipher and poor implementation of key management makes it susceptible to a variety of attacks

Answer 91

A

Domain name, registrar, registrant contact, administrative contact, technical contact, creation/expiration dates, name servers, etc.

Answer 92

A

It is like a phonebook for the internet

Answer 93

A

Domain Information Groper

Answer 94

A

DNS is like the internet’s GPS system, guiding your journey resolving domain names to precise IP addresses

Answer 95

A

A zone is a distinct part of the domain namespace that a specific entity manages, e.g: example.com and all its subdomains would belong to the same DNS zone

Answer 96

A

A DNS Zone Transfer is a blueprint of all DNS records within a zone which is used to recreate in the same formatting from one name server to another

Answer 97

A

If not properly secured, the Zone Transfer file can be downloaded, revealing a complete list of subdomains, their associated IP addresses and other sensitive DNS data

Answer 98

A

dig axfr @

Answer 99

A

It is a mapping to an IPv4 Address

Answer 100

A

It is a mapping to an IPv6 Address

Answer 101

A

Canonical Name, it creates an alias for a hostname, pointing it to another hostname

Answer 102

A

Mail Exchange Record, specifies the mail server(s) responsible for handling emails for the domain

Answer 103

A

Name Server Record, delegates a DNS Zone to a specific authoritative name server

Answer 104

A

Text Record, stores arbitrary text information, often used for security policies and domain ownership verification

Answer 105

A

Pointer Record, Used for reverse DNS lookups, mapping and IP address to a hostname

Answer 106

A

Start of Authority Record, specifies administrative information about a DNS zone, including primary name server, responsible person’s email and other parameters

Answer 107

A

site: , inurl:, filetype:

Answer 108

A

Site:example.com ext.conf

Answer 109

A

Telnet is a protocol used for accessing remote devices over TCP/IP networks, allowing a user to login to another computer remotely, providing a CLI to manage and control the remote device

Answer 110

A

Lack of encryption and weak authentication

Answer 111

A

Telnet transmits all data including usernames and passwords in plaintext

Answer 112

A

Telnet often lacks from strong authentication mechanisms, making it easier for attackers to gain unauthorised access

Answer 113

A

HTTP/HTTPS

Answer 114

A

HTTP/HTTPS is a method used for transport of information between a client (such as a browser) and a web server

Answer 115

A

HTTP lacks encryption and HTTPS is still vulnerable if using older SSL/TLS protocols

Answer 116

A

All data is sent over plaintext as HTTP does not use encryption

Answer 117

A

If the web server is configured to use old SSL/TLS protocols such as TLS 1.0, 1.1, 1.2 they could be vulnerable to decryption of data due to various known vulnerabilities

Answer 118

A

SSH is a cryptographic network protocol used for secure remote login, replacing older protocols like Telnet

Answer 119

A

Brute force attacks and credential theft

Answer 120

A

Attackers can try many username/password combinations

Answer 121

A

If SSH keys or passwords are compromised, an attacker can gain unauthorised access to a system

Answer 122

A

SNMP (Simple Network Management Protocol) is used for managing devices on IP networks, such as routers, switches and servers. It enables monitoring and control of these devices

Answer 123

A

Simple Network Management Protocol

Answer 124

A

UDP Port 161

Answer 125

A

Lack of encryption and unauthorised access

Answer 126

A

SNMP v1 and v2c do not provide encryption, making the traffic vulnerable to interception

Answer 127

A

If SNMP community strings (password) are known or guessed, an attacker can retrieve/alter configuration data. SNMP also utilises default community strings which if not changed are “public” and “private”

Answer 128

A

TFTP is primarily used to transfer files to and from network devices

Answer 129

A

Trivial File Transfer Protocol

Answer 130

A

UDP Port 69

Answer 131

A

No authentication and no encryption on transfers

Answer 132

A

TFTP does not provide any form of authentication making it vulenrable to unauthorised file access and transfers

Answer 133

A

TFTP transfers files in plaintext, allowing attackers to intercept or tamper with the data

Answer 134

A

Cisco Reverse Telnet allows a network device to initiate a Telnet session to another device often used for managing out of-band network devices via serial connection

Answer 135

A

Port 2000 anf above (Port = 2000 + line number)

Answer 136

A

Lack of encryption and credential exposure

Answer 137

A

Like regular Telnet, Reverse Telnet lacks encryption making it vulnerable to eavesdropping and interception

Answer 138

A

Since authentication is done over plaintext, credentils can easily be intercepted and reused by attackers

Answer 139

A

NTP is used to synchronise the clocks of networked devices to ensure all devices have the same correct time

Answer 140

A

UDP Port 123

Answer 141

A

Network Time Protocol

Answer 142

A

Time manipulation and NTP amplification attacks

Answer 143

A

If an attacker can alter the time provided by the NTP server, this can have significant consequences such as disrupting scheduled tasks or invalidating certificates

Answer 144

A

Where small queries result in large responses, which can be directed towards a target to create DDoS attack

Answer 145

A

TCP Port 49

Answer 146

A

Address Resolution Protocol

Answer 147

A

ARP is used to map IP Addresses to MAC addresses on a local network. When a device wants to communicate with another device on the same network it uses ARP to find the MAC Address for the corresponding target device’s IP Address

Answer 148

A

ARP Spoofing/Poisoning and MiTM attacks

Answer 149

A

An attacker can send forged ARP messages onto the network, associating their own MAC Address with the IP of another device, allowing the attacker to intercept traffic

Answer 150

A

Dynamic Host Configuration Protocol

Answer 151

A

UDP Port 67 and 68

Answer 152

A

DHCP automatically assigns IP addresses and other network configurations to devices on the network

Answer 153

A

Rogue DHCP servers and DHCP starvation attacks

Answer 154

A

When an attacker can exhaust the pool of IP addresses available by rapidly requesting IP addresses, effectively denying new devices from obtaining a valid IP address

Answer 155

A

When an attacker can setup a rogue DHCP server on the network which can assign incorrect IP configurations to devices, leading them to use the attacker’s server as the default gateway

Answer 156

A

CDP is a proprietary protocol used by Cisco devices to share information about otehr directly connected Cisco devices

Answer 157

A

Cisco Discovery Protocol

Answer 158

A

Information disclosure and CDP spoofing

Answer 159

A

Attackers can send fake CDP messages to trick devices into believing they are connected to different devices, potentially disrupting network operations

Answer 160

A

Since CDP broadcasts detail information about the device, an attacker on the same network segment can capture this data and gain insights into the network’s structure and configuration

Answer 161

A

Hot Standby Router Protocol

Answer 162

A

HSRP is a Cisco protocol to provide high availability by allowing two or more routers to work together to present the appearnce of a single virtual router to the hosts of the network

Answer 163

A

UDP Port 1985

Answer 164

A

Lack of authentication and HSRP Spoofing

Answer 165

A

Older implementations of HSRP do not include strong authentication mechanisms making it easier for attackers to inject rogue HSRP messages

Answer 166

A

HSRP Spoofing is when an attacker can send crafted HSRP messages to take over the active router role, leading to traffic being directed through a malicious router

Answer 167

A

VTP is siilar to HSRP but is a standards-based protocol that provides high availability to routers by creating a virtual router as a backup for a group of physical routers

Answer 168

A

Virtual Router Redundancy Protocol

Answer 169

A

Weak authentication and VRRP spoofing

Answer 170

A

VRRP spoofing is when an attacker can send spoofed VRRP messages to become the master router thereby interceepting or disrupting network traffic

Answer 171

A

Without strong authentication, VRRP messages can be easily spoofed allowing an attacker to manipulate the redundancy protocol

Answer 172

A

VLAN Trunking Protocol

Answer 173

A

VTP is a Cisco proprietary protocol that propagates VLAN information within a switched network, simplifying VLAN management by allowing VLAN configurations to be made on one switch and automatically propagated to other switched in the network

Answer 174

A

VLAN trunking issues and VTP Manipulation

Answer 175

A

Misconfigurations or malicious reconfigurations of VTP can cause devices to be placed on unintended VLANs potentially exposing sensitive data

Answer 176

A

When an attacker can configure a rogue switch with a higher VTP revision number causing other switches to adopt the attackers VLAN configuration

Answer 177

A

Spanning Tree Protocol

Answer 178

A

STP ensures a loop-free topology by Ethernet networks by managing redundant links, it prevents network loops by placing certain ports in a blocking state

Answer 179

A

STP Manipulation and Denial of Service

Answer 180

A

By floodign the network with BPDUs an attacker can cause network instability, resulting in performance degradation ofr denial of service

Answer 181

A

An attacker can send fake Bridge Protocol Data Units (BPDUs) to manipulate the STP topology, potentially becoming the root bridge, causing traffic to flow through the attacker’s device

Answer 182

A

TACACS+ is a protocol used to authenticate and authorise users accessing network devices such as routers and switches

Answer 183

A

Terminal Access Controller Access-Control System Plus

Answer 184

A

An nmap scan, first a UDP scan with flags -sU and -p and then a Protocol scan with flags -sO and –protocol, or through banner grabbing although typically IPSec services don’t return verbose banners, attempting to connect to the service might reveal some information

Answer 185

A

Tools like ike-scan can fingerprint through crafted IKE requests to identify the vendor and version of the IPSec implementation

Answer 186

A

VoIP is a technology that allows voice communication and multimedia sessions over IP networks such as the internet

Answer 187

A

Voice over Internet Protocol

Answer 188

A

SIP and RTP

Answer 189

A

Session Initiated Protocol

Answer 190

A

Real-Time Transport Protocol

Answer 191

A

Handles the data transmission and transport of VoIP calls

Answer 192

A

Used to initiate, maintain and terminate voice and video calls

Answer 193

A

Using an nmap scan on common VoIP ports

Answer 194

A

Port 5060

Answer 195

A

By analysing SIP headers such as User-Agent, we can often determine the software version and vendor of the SIP server, additionally tools like sipfinger can automate this process by sending SIP requests and analysing the responses

Answer 196

A

SIP is one of the most widely used protocols for managing multimedia communication sessions, including voice and video calls

Answer 197

A

SIP communications are similar to HTTP as they both rely on request/response transactions

Answer 198

A

INVITE, ACK, BYE, REGISTER and CANCEL

Answer 199

A

Initiates a call

Answer 200

A

Confirms that the client has received a final response to an INVITE request

Answer 201

A

Terminates a call

Answer 202

A

Registers the user’s location (i.e their IP address) with a SIP server

Answer 203

A

Cancels a pending request

Answer 204

A

Eavesdropping and Registration Hijacking

Answer 205

A

Without encryption, SIP signalling can be intercepted by an attacker allowing attackers to listen in on calls

Answer 206

A

An attacker can impersonate a legitimate user by hijacking their SIP registration, enabling them to receive calls intended for the user

Answer 207

A

airodump-ng can capture requests made by devices actively searching for networks, additionally Wireshark and Kismet can be used to scan for available wireless networks, list SSID’s and identify Access Points

Answer 208

A

Through 802.11 frame analysis tools like Wireshark and tshark, which can be used for capturing and analysing wireless frames

Answer 209

A

An SSID is a unqiue name that identifies a specific wireless network, it is broadcast by the Access Point to help devices discover and connect to the network

Answer 210

A

32 characters in length

Answer 211

A

Service Set Identifier

Answer 212

A

Active Directory is a centralised management service for resources including users, computers, groups, network devices, file shares, group policies, etc.

Answer 213

A

AD is essentially a read-only database accessible to all users within the domain, regardless of their privilege

Answer 214

A

A Forest is the top-level container which holds one or more domains, it represents the entire AD environment, where all domains share a common schema and global catalog

Answer 215

A

A domain is a structure within which container objects (users, groups, computers) are accessible

Answer 216

A

An object can be defined as ANY resource present within an Active Directory such as users, computers, OU’s, etc.

Answer 217

A

Every object has an associated set of attributes used to define characteristics of the given object.

Answer 218

A

firstName, fullName, email, username, password

Answer 219

A

We can think of domains in AD like different states or countries

Answer 220

A

A Forest is like the US, and the domains are all the states inside of the US

Answer 221

A

MSBROWSE is a Microsoft protocol that was used to maintain a list of resources such as shared printers and files that were available on the network

Answer 222

A

nbtstat -A

Answer 223

A

A Global Catalogue is a domain controller that stores copies of ALL objects in an AD Forest. The GC allows both users and applications to find information about any object in ANY domain in the forest

Answer 224

A

Schema Master, Domain Naming Master, Relative ID Master, Primary Domain Controller Emulator, Infrastructure Master

Answer 225

A

Flexible Single Master Operations

Answer 226

A

Forest-wide and Domain-wide, Forest-wide roles are for the entire forest but domain-wide is for each domain

Answer 227

A

Schema Master and Domain Naming Master

Answer 228

A

Relative ID Master, Primary Domain Controller Emulator, Infrastructure Master

Answer 229

A

All 5 FSMO roles are assigned to the first DC in the forest root domain, each time a new domain is added to a forest, the first DC in that domain also gets the RID Master, PDC Emulator and Infrastructure Master roles assigned

Answer 230

A

When they do not or can not contain other objects

Answer 231

A

AD DS uses DNS to alow clients (workstations, servers) to locate the Domain Controller and for Domain Controllers that host the directory service to communicate amongst each other

Answer 232

A

Active Directory Domain Services

Answer 233

A

The AD uses DNS to find the IP address of the DC through an SRV record,

Answer 234

A

Lightweight Directory Access Protocol

Answer 235

A

LDAP is a protocol used for authentication against various directory services such as AD

Answer 236

A

LDAP is the language that applications use to communicate with other servers that provide directory services, similar to a user interacting with an SQL DB through SQL queries

Answer 237

A

Symmetric key cryptography

Answer 238

A

Symmetric key cryptography & asymmetric cryptography

Answer 239

A

MD4 hash, random number

Answer 240

A

Encrypted ticket using DES, MD5

Answer 241

A

LAN Manager

Answer 242

A

LANMAN is the oldest hash storage mechanism used by the Windows OS

Answer 243

A

In the SAM database and in the NTDS.DIT database on the Domain Controller

Answer 244

A

Passwords were limited to 14 characters and converted to upper case before hashing, then also split into two 7 character blocks making it easier to crack

Answer 245

A

NTLMv1 performs a challenge/response between a server and a client using the NTLM hash which is used for network authentication

Answer 246

A

Improved security by using MD4 hashing and avoids splitting password into 7 char chunks, also is not vulnerable to PtH attacks

Answer 247

A

Is a protocol that was created as a stronger alternative to v1, it is hardened against spoofing attacks that v1 is susceptible to

Answer 248

A

NTLMv2 sends to responses to the 8-byte challenge, first containing a 16-byte HMAC-MD5 hash of the challenge, randomly generated challenge from the client and a HMAC-MD5 of the user credentials, followed by a second response using a client challenge including the current time 8-byte random value and domain name

Answer 249

A

Much stronger security using HMAC-MD5 and make it more resistant to brute-force attacks and is also compatible with legacy systems

Answer 250

A

An AD feasture that provides admins with advanced settings they can apply to both user and computer accounts in a Windows environment

Answer 251

A

Policies such as screen lock timeouts, disabling USB ports, encforcing custom domain password policies, installed software, managing applications, etc.

Answer 252

A

It is a virtual collection of Group Policy settings that can be applied o user(s) or computer(s)

Answer 253

A

Group Policy Object

Answer 254

A

It is a set of security-related Group Policy settings that are applied to a single computer (not whole OU’s)

Answer 255

A

gpedit.msc

Answer 256

A

In order; Local Security Policy, Site Policy, Domain Policy, Parent OU policy, Child OU policy

Answer 257

A

Default Domain Policy

Answer 258

A

It is used when there is no other Group Policies applied to an object,

Answer 259

A

It is a pre-computed table of hashes and their corresponding plaintext password which is a much faster method than brute-force attack

Answer 260

A

Method is limited by the rainbow table size, bigger the table the more passwords and hashes it can store

Answer 261

A

Definition: A guideline on what the password policy requires - Enforcement: The technology used to make sure users comply with the password policy

Answer 262

A

A set of rules designed to enhance computer security by encouraging users to employ strong passwords and use them based on the company’s definition

Answer 263

A

CIS Password Policy Guide, PCI DSS

Answer 264

A

Min. 8 characters, must include uppercase and lowercase letters, must include symbols and numbers, it should not be the username

Answer 265

A

We can dump files with hashes and proceed to crack them

Answer 266

A

hklm\sam, hklm\system, hklm\security

Answer 267

A

Contains the hashes associated with local account passwords, we will need the hashes to crack them and get the user password in plaintext

Answer 268

A

Contains the system bootkey, which is used to encrypt the SAM database

Answer 269

A

Contains cached credentials (last 10) for domain accounts

Answer 270

A

If we have a GUI, we can use built-in search functions like Windows Search to search terms related to passwords

Answer 271

A

Passwords, Usernames, Pwd, Passkey, Credentials

Answer 272

A

Sift through HTML source code to look for interesting data

Answer 273

A

Hidden form fields, database connection strings, credentials developers may have left, developer comments, etc.

Answer 274

A

wget -r -m -nv

Answer 275

A

MySQL is an open-source relational database management system developed and supported by Oracle

Answer 276

A

MySQL databases are often stored in a single file with the extension .sql (e.g: wordpress.sql)

Answer 277

A

MariaDB is a fork of the original MySQL aas the chief developer of MySQL left and created MariaDB

Answer 278

A

TCP Port 3306

Answer 279

A

select version();

Answer 280

A

MSSQL is a Window’s SQL-based RDMS that was written to run on Windows OS due to its strong native support for Microsoft’s .NET framework, therefore it is most often found on Window’s hosts

Answer 281

A

It will be processed through the local SAM database or the hosting Active Directory

Answer 282

A

If the account is compromised, it could lead to privilege escalation and lateral movement across a Windows domain environment

Answer 283

A

SSMS comes as a feature that can be installed with MSSQL or separately, it allows for initial configuration of a database but also long-term management by admins

Answer 284

A

SQL Server Management Studio

Answer 285

A

locate mssqlclient

Answer 286

A

Port 1433

Answer 287

A

Nmap has a default MSSQL scan

Answer 288

A

Dangerous settings, default nmap MSSQL scans, Metasploit scans, can connect via mssqlclient.py

Answer 289

A

MSSQL clients not using encryption to connect as it is not forced, use of self-signed certificates which can be spoofed, weak and default sa credentials which admins may have forgotten to disable

Answer 290

A

Oracle TNS is a communication protocol that facilitates communication between Oracle databases and applications over networks

Answer 291

A

Oracle Transparent Network Substrate

Answer 292

A

Oracle TNS is considered safe and secure as it has built-in encryption mechanisms ensuring the security of data transmitted

Answer 293

A

TCP Port 1521

Answer 294

A

Oracle TNS

Answer 295

A

Oracle 8i/9i but not Oracle 10g/11g

Answer 296

A

Hostname, IP Address, Username, Password

Answer 297

A

tnsnames.ora and listener.ora

Answer 298

A

CHANGE_ON_INSTALL

Answer 299

A

There is no default password for Oracle 10

Answer 300

A

MSSQL in hidden mode

Brainscape's Knowledge GenomeTM

All Appendix 11 Flashcards

Brainscape's Knowledge Genome^TM