All Appendix 11 Flashcards

1
Q

What is a passive OS fingerprinting technique

A

Monitoring network traffic using tools such as Wireshark for information re: the OS, also using p0f which is a tool that listens to network traffic and fingerprints OS based on characteristics of the packets

2
Q

What is an active OS fingerprinting method

A

Using a port scanner like nmap

3
Q

nmap flag to get OS details of target

A

-O for Operating System details

4
Q

What is banner grabbing

A

A technique where attackers identify infrastructure details from headers, scans, etc.

5
Q

How can we get application versions from a network

A

We can use a nmap scan with flag -sV to enable version detection

6
Q

How can we get server types from banners

A

A cURL -I request shows the response headers, which often include a Server header, e.g. Server: Apache/2.4.41 (Ubuntu)

7
Q

What is the difference between encryption and encoding

A

Encryption requires a secret key to be decrypted and is not reversible without it, whereas encoding uses a predefined scheme to convert data from one form to another with no key, such as base64

8
Q

What is encryption

A

Encryption involves using an algorithm and a key to transform plaintext into ciphertext. The process is reversible only if the correct decryption key is used

9
Q

What is encoding

A

Encoding uses a predefined scheme to convert data from one form to another. The process is reversible without the need for a key

10
Q

What are the key factors that change between encoding and encryption

A

There are differences in reversibility and levels of security

11
Q

What are examples of encryption

A

RSA, AES

12
Q

What are examples of encoding

A

Base64, ASCII, URL encoding

13
Q

What is a hash

A

A hash is a cryptographic function that takes an input and returns a fixed-size string of bytes; the same input will always produce the same output, known as a “digest”

14
Q

What are the two most known hashes

A

MD5 and SHA1

15
Q

Are MD5 and SHA1 considered secure

A

MD5 and SHA1 are considered insecure and unsuitable for most applications

16
Q

Bit length of MD5

A

128-bit hash

17
Q

What was MD5 designed for

A

MD5 was designed to be a cryptographic hash function used for integrity checking, digital signatures, etc

18
Q

Why is MD5 considered insecure

A

Due to collision vulnerabilities, researchers found that MD5 is susceptible to collision attacks where two DIFFERENT inputs result in the same hash output

19
Q

What is a collision vulnerability

A

Where two different inputs result in the same hash output

20
Q

What is the real world risk of collision vulnerabilities in hashing

A

Being exploited in attacks such as creating malicious certificates that appear legitimate as they have the same MD5 hash as a trusted certificate

21
Q

What is SHA1 bit size

A

160-bit hash

22
Q

What was SHA1 designed for

A

Used to be widely used in cryptographic applications, including SSL/TLS certificates, file integrity validation

23
Q

Why is SHA1 considered insecure

A

SHA1 is considered insecure as researchers demonstrated that two different inputs can produce the same hash output

24
Q

Is SHA1 considered secure

A

SHA1 is considered

25
Q

Is SHA1 exploitable/breakable

A

SHA1 is breakable as the cost and time required to generate SHA1 collisions have been decreasing, making it feasible for well-funded attackers to break SHA1

26
Q

NIST advice for SHA1

A

NIST advises against using SHA1 in favour of stronger algorithms like SHA256 or SHA3

27
Q

What is HMAC

A

A type of Message Authentication Code that uses a cryptographic hash function along with a secret key to provide data integrity and authenticity; the secret key is known only to the sender and the recipient

28
Q

What does MAC in HMAC stand for

A

Message Authentication Code

29
Q

What does a HMAC do

A

It verifies that the payload has not been tampered with, like a JWT signature being verified

30
Q

What is the OSI Model

A

The OSI Model is a reference model that enables the communication of different technical systems via various devices and technologies and provides compatibility

31
Q

What are the layers of the OSI Model (in order)

A

Physical, Data Link, Network, Transport, Session, Presentation, Application

32
Q

What are the layers of the TCP/IP Model

A

Link, Internet, Transport, Application

33
Q

What is Layer 3 of the OSI Model and what does it do

A

Layer 3 is the Network layer; it is where data packets are transferred from node to node until they reach their destination

34
Q

In the postal/mail example of Network, what is the IPv4/IPv6

A

It is the unique postal address and suburb of the receiver’s building

35
Q

In the postal/mail example of Network, what is the MAC Address

A

It is the exact floor and apartment of the receiver

36
Q

How many bit groups are in an IPv4

A

8 bit groups

37
Q

How many binary digits in an IPv4 Address

A

32

38
Q

What is the number convention of each bit in the IPv4 Address (descending order)

A

128, 64, 32, 16, 8, 4, 2, 1

39
Q

What is the Subnet Mask

A

Describes which bit positions within the address are the network part and the host part

40
Q

Can the bits covered by the subnet mask in an IPv4 Address ever change? E.g. with a mask of 255.255.0.0, can the 192.168 part of 192.168.24.2 ever change? Give an explanation

A

No. If the subnet mask octet is 255, that entire section of the IPv4 Address cannot change. If it is something like 192, we have to write out the 8-bit binary notation of that subnet mask octet (from either the CIDR or the subnet mask), and the bits set to 1 cannot change

41
Q

What is CIDR

A

Classless Inter-Domain Routing is a method of representing the subnet mask in a suffix form

42
Q

Give an example of a CIDR suffix and which parts of the IPv4 can and cannot change due to the subnet mask/CIDR suffix

A

/26 means 26 one-bits in the subnet mask, which is 255.255.255.192, i.e. 1111 1111 . 1111 1111 . 1111 1111 . 1100 0000, so the last 6 bits can change; we can find the first and last IPs of that subnet with this information

43
Q

What is IPv6 and how many bits in length

A

IPv6 is the successor of IPv4 and is 128 bits in length

44
Q

How many blocks is an IPv6 address

A

8 blocks of 16 bits each (4 hex numbers)

45
Q

How can an IPv6 Address be shortened

A

If an entire block is 0000 we can drop it and replace it with a double colon (::)

46
Q

TCP Telnet

A

23

47
Q

TCP SSH

A

22

48
Q

TCP SNMP

A

161

49
Q

TCP HTTP

A

80

50
Q

TCP HTTPS

A

443

51
Q

TCP DNS

A

53

52
Q

TCP FTP

A

20-21

53
Q

TCP TFTP

A

69

54
Q

TCP NTP

A

123

55
Q

TCP SMTP

A

25

56
Q

TCP SMB

A

445

57
Q

TCP RDP

A

3389

58
Q

TCP LDAP

A

389

59
Q

TCP ICMP

A

0-255

60
Q

23

A

Telnet

61
Q

22

A

SSH

62
Q

161

A

SNMP

63
Q

80

A

HTTP

64
Q

443

A

HTTPS

65
Q

53 TCP

A

DNS

66
Q

69

A

TFTP

67
Q

123

A

NTP

68
Q

25

A

SMTP

69
Q

MySQL

A

3306

70
Q

3306

A

MySQL

71
Q

DHCP

A

67

72
Q

67

A

DHCP

73
Q

What is UDP

A

UDP is a connectionless protocol, which means it does not establish a virtual connection before transmitting data; instead it sends data packets and does not check whether they were received

74
Q

What is an example of UDP

A

Video streaming, online gaming

75
Q

What does UDP stand for

A

User Datagram Protocol

76
Q

What is TCP

A

TCP is a connection-based protocol that establishes a virtual connection between two devices via a Three-Way Handshake before transmitting data; as a result TCP is slower than UDP

77
Q

What is the negative of TCP

A

It is slower than UDP due to the Three-Way Handshake

78
Q

What does TCP stand for

A

Transmission Control Protocol

79
Q

What is ICMP

A

ICMP is used by devices to communicate with each other on the Internet, for example a ping request, which tests connectivity between devices

80
Q

What does ICMP stand for

A

Internet Control Message Protocol

81
Q

What is symmetric encryption

A

A method that uses the same key to encrypt and decrypt the data, meaning the sender and receiver must have the same key to decrypt the data

82
Q

What are examples of symmetric encryption

A

AES and DES

83
Q

What does AES stand for

A

Advanced Encryption Standard

84
Q

What does DES stand for

A

Data Encryption Standard

85
Q

What is considered to be the most secure encryption algorithm nowadays

A

AES

86
Q

What is asymmetric encryption

A

A method of encryption that uses two different keys, a public key and a private key. The public key is used to encrypt data and anyone can access it, but only the recipient holds the private key that can decrypt the data

87
Q

What are examples of asymmetric encryption

A

RSA, PGP, ECC

88
Q

What does RSA stand for

A

Rivest-Shamir-Adleman

89
Q

What does PGP stand for

A

Pretty Good Privacy

90
Q

What does ECC stand for

A

Elliptic Curve Cryptography

91
Q

What is 3DES

A

3DES is an extension of DES which encrypts data more securely; the procedure usually consists of three keys

92
Q

Which is faster AES or DES and why

A

AES is faster than DES due to its more efficient algorithm structure, as it can be applied to multiple data blocks at once

93
Q

What does IKE stand for

A

Internet Key Exchange

94
Q

What is Diffie-Hellman

A

Diffie-Hellman is a key exchange method which allows two parties to agree on a shared secret key without any prior communication or shared private information

95
Q

What is Diffie-Hellman vulnerable to

A

MiTM attacks where the attacker intercepts the communication and pretends to be one of the parties

96
Q

What are Key Exchange Methods

A

Diffie-Hellman, RSA, ECDH, ECDSA

97
Q

What is RSA

A

RSA uses the properties of large prime numbers to generate a shared secret key; it relies on the fact that it is easy to multiply large prime numbers but challenging to factor the result back into its prime factors

98
Q

What does ECDH stand for

A

Elliptic Curve Diffie-Hellman

99
Q

What does ECDSA stand for

A

Elliptic Curve Digital Signature Algorithm

100
Q

What are examples of commonly used authentication protocols

A

TLS, SSL, OAuth, HTTPS, 2FA

101
Q

What does WEP stand for

A

Wired Equivalent Privacy

102
Q

What does WPA stand for

A

WiFi Protected Access

103
Q

What are security features on a WiFi connection

A

Encryption, Access Control and Firewalls

104
Q

What does WPA do

A

WPA provides the highest level of security by using a secure authentication method such as a pre-shared key

105
Q

What is LEAP and PEAP

A

They are authentication protocols used to secure wireless networks, providing a secure method for authenticating devices, and are used in conjunction with WEP/WPA

106
Q

What does LEAP stand for

A

Lightweight Extensible Authentication Protocol

107
Q

What does PEAP stand for

A

Protected Extensible Authentication Protocol

108
Q

Which is more secure, LEAP or PEAP and why

A

PEAP is more secure as it uses a secure authentication method called TLS, whereas LEAP uses a shared key for authentication, which makes it easy to gain access if the key is compromised

109
Q

What is a Disassociation Attack

A

It is a wireless network attack that disrupts communication between a WAP and clients by sending disassociation frames causing the client to disconnect from the network

110
Q

What is IPSec

A

IPSec is a network security protocol providing encryption and authentication for internet communications; it encrypts the data payload of each IP packet and adds an authentication header (AH) which is used to verify the authenticity of the packet

111
Q

What two security protocols does IPSec use

A

Authentication Header and Encapsulating Security Protocol (ESP)

112
Q

What is ESP

A

Provides encryption and optional authentication for IP packets; it encrypts the data payload of each packet

113
Q

Internet Key Exchange (IKE) Port

A

UDP 500

114
Q

UDP 500

A

Internet Key Exchange (IKE)

115
Q

What is SSL

A

SSL is a cryptographic protocol designed to provide secure communication over a computer network; it was the predecessor of TLS

116
Q

Which is more secure SSL 3.0 or TLS 1.0

A

TLS 1.0

117
Q

What is the standard protocol for securing communications

A

TLS

118
Q

What is PGP

A

PGP is an encryption program that provides cryptographic privacy and authentication for data communication

119
Q

What is PGP often used for

A

PGP is often used to secure emails and files by encrypting them, ensuring only the intended recipient can read the contents

120
Q

What is TKIP

A

TKIP is a security protocol used in wireless networks and was designed as a temporary solution to improve security on existing hardware that initially only supported weaker WEP encryption

121
Q

What does TKIP stand for

A

Temporal Key Integrity Protocol

122
Q

Where does TKIP rank amongst WEP and WPA

A

TKIP was an improvement over WEP but still not as secure as the later WPA2 which uses AES encryption

123
Q

What encryption does WPA2 use

A

AES

124
Q

Why was WEP deprecated

A

WEP was deprecated due to weak encryption; WEP’s use of the RC4 cipher and poor implementation of key management make it susceptible to a variety of attacks

125
Q

What information can we find in a WHOIS query

A

Domain name, registrar, registrant contact, administrative contact, technical contact, creation/expiration dates, name servers, etc.

126
Q

What is a whois query

A

It is like a phonebook for the internet

127
Q

What tool can be used to query DNS information

A

dig

128
Q

What does dig stand for

A

Domain Information Groper

129
Q

What is DNS

A

DNS is like the internet’s GPS system, guiding your journey by resolving domain names to precise IP addresses

130
Q

What is a DNS zone

A

A zone is a distinct part of the domain namespace that a specific entity manages, e.g: example.com and all its subdomains would belong to the same DNS zone

131
Q

What is a DNS Zone Transfer

A

A DNS Zone Transfer is a blueprint of all DNS records within a zone, used to recreate the zone in the same format from one name server on another

132
Q

What is a DNS Zone Transfer vulnerability

A

If not properly secured, the Zone Transfer file can be downloaded, revealing a complete list of subdomains, their associated IP addresses and other sensitive DNS data

133
Q

How to check for a DNS Zone Transfer vulnerability

A

dig axfr @

134
Q

How to find the DNS server

A

dig ns

135
Q

What is an A Record

A

It is a mapping to an IPv4 Address

136
Q

What is an AAAA Record

A

It is a mapping to an IPv6 Address

137
Q

What is a CNAME

A

Canonical Name, it creates an alias for a hostname, pointing it to another hostname

138
Q

What is an MX Record

A

Mail Exchange Record, specifies the mail server(s) responsible for handling emails for the domain

139
Q

What is an NS Record

A

Name Server Record, delegates a DNS Zone to a specific authoritative name server

140
Q

What is a TXT Record

A

Text Record, stores arbitrary text information, often used for security policies and domain ownership verification

141
Q

What is a PTR Record

A

Pointer Record, used for reverse DNS lookups, mapping an IP address to a hostname

142
Q

What is a SOA Record

A

Start of Authority Record, specifies administrative information about a DNS zone, including primary name server, responsible person’s email and other parameters

143
Q

What are Search Operators for Google Dorking

A

site:, inurl:, filetype:

144
Q

How can we find a specific extension with Google Dorks

A

Site:example.com ext.conf

145
Q

What is Telnet?

A

Telnet is a protocol used for accessing remote devices over TCP/IP networks, allowing a user to log in to another computer remotely and providing a CLI to manage and control the remote device

146
Q

What port is Telnet on?

A

Port 23

147
Q

What is Port 23

A

Telnet

148
Q

Name two vulnerabilities in Telnet

A

Lack of encryption and weak authentication

149
Q

What is the lack of encryption in Telnet

A

Telnet transmits all data including usernames and passwords in plaintext

150
Q

What is the weak authentication in Telnet

A

Telnet often lacks strong authentication mechanisms, making it easier for attackers to gain unauthorised access

151
Q

What is a common Web based protocol

A

HTTP/HTTPS

152
Q

What is HTTP/HTTPS used for

A

HTTP/HTTPS is a method used for transport of information between a client (such as a browser) and a web server

153
Q

What port does HTTP listen on

A

Port 80

154
Q

What port does HTTPS listen on

A

Port 443

155
Q

What is port 80

A

HTTP

156
Q

What is port 443

A

HTTPS

157
Q

What are two vulnerabilities in HTTP/HTTPS

A

HTTP lacks encryption and HTTPS is still vulnerable if using older SSL/TLS protocols

158
Q

What is the HTTP vulnerability

A

All data is sent over plaintext as HTTP does not use encryption

159
Q

What is the HTTPS vulnerability

A

If the web server is configured to use old SSL/TLS protocols such as TLS 1.0, 1.1, 1.2, it could be vulnerable to decryption of data due to various known vulnerabilities

160
Q

What is Secure Shell (SSH)

A

SSH is a cryptographic network protocol used for secure remote login, replacing older protocols like Telnet

161
Q

What port does SSH listen on

A

Port 22

162
Q

What is Port 22

A

SSH

163
Q

What are two vulnerabilities with SSH

A

Brute force attacks and credential theft

164
Q

What is the brute force attack vulnerability in SSH

A

Attackers can try many username/password combinations

165
Q

What is the credential theft vulnerability in SSH

A

If SSH keys or passwords are compromised, an attacker can gain unauthorised access to a system

166
Q

What is SNMP

A

SNMP (Simple Network Management Protocol) is used for managing devices on IP networks, such as routers, switches and servers. It enables monitoring and control of these devices

167
Q

What does SNMP stand for

A

Simple Network Management Protocol

168
Q

What port does SNMP listen on

A

UDP Port 161

169
Q

What are two vulnerabilities with SNMP

A

Lack of encryption and unauthorised access

170
Q

What is the lack of encryption in SNMP

A

SNMP v1 and v2c do not provide encryption, making the traffic vulnerable to interception

171
Q

What is the unauthorised access vulnerability in SNMP

A

If SNMP community strings (passwords) are known or guessed, an attacker can retrieve/alter configuration data. SNMP also uses default community strings, which if not changed are “public” and “private”

172
Q

What is TFTP

A

TFTP is primarily used to transfer files to and from network devices

173
Q

What does TFTP stand for

A

Trivial File Transfer Protocol

174
Q

What port does TFTP listen on

A

UDP Port 69

175
Q

What are two vulnerabilities with TFTP

A

No authentication and no encryption on transfers

176
Q

What is the no authentication vulnerability on TFTP

A

TFTP does not provide any form of authentication, making it vulnerable to unauthorised file access and transfers

177
Q

What is the no encryption on transfers vulnerability in TFTP

A

TFTP transfers files in plaintext, allowing attackers to intercept or tamper with the data

178
Q

What is Cisco Reverse Telnet

A

Cisco Reverse Telnet allows a network device to initiate a Telnet session to another device; it is often used for managing out-of-band network devices via a serial connection

179
Q

What port does Cisco Reverse Telnet listen on

A

Port 2000 and above (Port = 2000 + line number)

180
Q

What are two vulnerabilities in Cisco Reverse Telnet

A

Lack of encryption and credential exposure

181
Q

What is the lack of encryption vulnerability in Cisco Reverse Telnet

A

Like regular Telnet, Reverse Telnet lacks encryption, making it vulnerable to eavesdropping and interception

182
Q

What is the credential exposure vulnerability in Cisco Reverse Telnet

A

Since authentication is done in plaintext, credentials can easily be intercepted and reused by attackers

183
Q

What is NTP

A

NTP is used to synchronise the clocks of networked devices to ensure all devices have the same correct time

184
Q

What port does NTP listen on

A

UDP Port 123

185
Q

What does NTP stand for

A

Network Time Protocol

186
Q

What are two vulnerabilities in NTP

A

Time manipulation and NTP amplification attacks

187
Q

What is the time manipulation vulnerability in NTP

A

If an attacker can alter the time provided by the NTP server, this can have significant consequences such as disrupting scheduled tasks or invalidating certificates

188
Q

What is the NTP amplification attack

A

Where small queries result in large responses, which can be directed towards a target to create a DDoS attack

189
Q

TACACS+ Port

A

TCP Port 49

190
Q

TCP Port 49

A

TACACS+

191
Q

What does ARP stand for

A

Address Resolution Protocol

192
Q

What does ARP do

A

ARP is used to map IP Addresses to MAC addresses on a local network. When a device wants to communicate with another device on the same network, it uses ARP to find the MAC Address corresponding to the target device’s IP Address

193
Q

What vulnerabilities is ARP subject to

A

ARP Spoofing/Poisoning and MiTM attacks

194
Q

What is ARP Spoofing/Poisoning

A

An attacker can send forged ARP messages onto the network, associating their own MAC Address with the IP of another device, allowing the attacker to intercept traffic

195
Q

What does DHCP stand for

A

Dynamic Host Configuration Protocol

196
Q

What port does DHCP listen on

A

UDP Port 67 and 68

197
Q

What does DHCP do

A

DHCP automatically assigns IP addresses and other network configurations to devices on the network

198
Q

What are vulnerabilities DHCP is subject to

A

Rogue DHCP servers and DHCP starvation attacks

199
Q

What is a DHCP starvation attack

A

When an attacker exhausts the pool of available IP addresses by rapidly requesting them, effectively denying new devices a valid IP address

200
Q

What is a rogue DHCP server

A

When an attacker sets up a rogue DHCP server on the network which assigns incorrect IP configurations to devices, leading them to use the attacker’s server as the default gateway

201
Q

What is CDP

A

CDP is a proprietary protocol used by Cisco devices to share information about other directly connected Cisco devices

202
Q

What does CDP stand for

A

Cisco Discovery Protocol

203
Q

What vulnerabilities is CDP subject to

A

Information disclosure and CDP spoofing

204
Q

What is CDP Spoofing

A

Attackers can send fake CDP messages to trick devices into believing they are connected to different devices, potentially disrupting network operations

205
Q

What is information disclosure CDP is subject to

A

Since CDP broadcasts detailed information about the device, an attacker on the same network segment can capture this data and gain insights into the network’s structure and configuration

206
Q

What does HSRP stand for

A

Hot Standby Router Protocol

207
Q

What does HSRP do

A

HSRP is a Cisco protocol that provides high availability by allowing two or more routers to work together to present the appearance of a single virtual router to the hosts on the network

208
Q

What port does HSRP listen on

A

UDP Port 1985

209
Q

UDP Port 1985

A

HSRP

210
Q

UDP Port 67 and 68

A

DHCP

211
Q

What are vulnerabilities HSRP is subject to

A

Lack of authentication and HSRP Spoofing

212
Q

What is the lack of authentication vulnerability HSRP is subject to

A

Older implementations of HSRP do not include strong authentication mechanisms, making it easier for attackers to inject rogue HSRP messages

213
Q

What is HSRP Spoofing

A

HSRP Spoofing is when an attacker can send crafted HSRP messages to take over the active router role, leading to traffic being directed through a malicious router

214
Q

What is VRRP

A

VRRP is similar to HSRP but is a standards-based protocol that provides high availability to routers by creating a virtual router as a backup for a group of physical routers

215
Q

What does VRRP stand for

A

Virtual Router Redundancy Protocol

216
Q

What are vulnerabilities VRRP is subject to

A

Weak authentication and VRRP spoofing

217
Q

What is VRRP spoofing

A

VRRP spoofing is when an attacker can send spoofed VRRP messages to become the master router, thereby intercepting or disrupting network traffic

218
Q

What is weak authentication in VRRP

A

Without strong authentication, VRRP messages can be easily spoofed allowing an attacker to manipulate the redundancy protocol

219
Q

What does VTP stand for

A

VLAN Trunking Protocol

220
Q

What is VTP

A

VTP is a Cisco proprietary protocol that propagates VLAN information within a switched network, simplifying VLAN management by allowing VLAN configurations to be made on one switch and automatically propagated to other switches in the network

221
Q

What are VTP vulnerabilities

A

VLAN trunking issues and VTP Manipulation

222
Q

What are VLAN trunking issues

A

Misconfigurations or malicious reconfigurations of VTP can cause devices to be placed on unintended VLANs, potentially exposing sensitive data

223
Q

What is VTP Manipulation

A

When an attacker can configure a rogue switch with a higher VTP revision number, causing other switches to adopt the attacker’s VLAN configuration

224
Q

What does STP stand for

A

Spanning Tree Protocol

225
Q

What does STP do

A

STP ensures a loop-free topology in Ethernet networks by managing redundant links; it prevents network loops by placing certain ports in a blocking state

226
Q

What are vulnerabilities STP is subject to

A

STP Manipulation and Denial of Service

227
Q

What is DoS that STP is subject to

A

By flooding the network with BPDUs, an attacker can cause network instability, resulting in performance degradation or denial of service

228
Q

What is STP Manipulation

A

An attacker can send fake Bridge Protocol Data Units (BPDUs) to manipulate the STP topology, potentially becoming the root bridge, causing traffic to flow through the attacker’s device

229
Q

What is TACACS+

A

TACACS+ is a protocol used to authenticate and authorise users accessing network devices such as routers and switches

230
Q

What does TACACS+ stand for

A

Terminal Access Controller Access-Control System Plus

231
Q

Name two ways to enumerate devices running IPSec services

A

An nmap scan, first a UDP scan with the flags -sU and -p and then a protocol scan with the flags -sO and --protocol, or through banner grabbing; although IPSec services typically don’t return verbose banners, attempting to connect to the service might reveal some information

232
Q

How can we fingerprint IPSec Services

A

Tools like ike-scan can fingerprint through crafted IKE requests to identify the vendor and version of the IPSec implementation

233
Q

What is VoIP

A

VoIP is a technology that allows voice communication and multimedia sessions over IP networks such as the internet

234
Q

What does VoIP stand for

A

Voice over Internet Protocol

235
Q

What are two common VoIP protocols

A

SIP and RTP

236
Q

What does SIP stand for

A

Session Initiated Protocol

237
Q

What does RTP stand for

A

Real-Time Transport Protocol

238
Q

What does RTP do

A

Handles the data transmission and transport of VoIP calls

239
Q

What does SIP do

A

Used to initiate, maintain and terminate voice and video calls

240
Q

How can we enumerate a VoIP Service

A

Using an nmap scan on common VoIP ports

241
Q

SIP Port

A

Port 5060

242
Q

Port 5060

A

SIP Port

243
Q

How can we fingerprint VoIP Services

A

By analysing SIP headers such as User-Agent, we can often determine the software version and vendor of the SIP server; additionally, tools like sipfinger can automate this process by sending SIP requests and analysing the responses

244
Q

What is the SIP Protocol

A

SIP is one of the most widely used protocols for managing multimedia communication sessions, including voice and video calls

245
Q

What is SIP communication similar to and how

A

SIP communications are similar to HTTP as they both rely on request/response transactions

246
Q

What are common SIP request methods

A

INVITE, ACK, BYE, REGISTER and CANCEL

247
Q

What is SIP - INVITE

A

Initiates a call

248
Q

What is SIP - ACK

A

Confirms that the client has received a final response to an INVITE request

249
Q

What is SIP - BYE

A

Terminates a call

250
Q

What is SIP - REGISTER

A

Registers the user’s location (i.e their IP address) with a SIP server

251
Q

What is SIP - CANCEL

A

Cancels a pending request

252
Q

What are SIP security issues

A

Eavesdropping and Registration Hijacking

253
Q

What is eavesdropping in SIP

A

Without encryption, SIP signalling can be intercepted by an attacker, allowing attackers to listen in on calls

254
Q

What is registration hijacking in SIP

A

An attacker can impersonate a legitimate user by hijacking their SIP registration, enabling them to receive calls intended for the user

255
Q

How can we enumerate devices running Wireless services

A

airodump-ng can capture requests made by devices actively searching for networks; additionally, Wireshark and Kismet can be used to scan for available wireless networks, list SSIDs and identify Access Points

256
Q

How can we fingerprint Wireless services

A

Through 802.11 frame analysis tools like Wireshark and tshark, which can be used for capturing and analysing wireless frames

257
Q

What is an SSID

A

An SSID is a unique name that identifies a specific wireless network; it is broadcast by the Access Point to help devices discover and connect to the network

258
Q

What is the maximum length of an SSID

A

32 characters in length

259
Q

What does SSID stand for

A

Service Set Identifier

260
Q

What is Active Directory

A

Active Directory is a centralised management service for resources including users, computers, groups, network devices, file shares, group policies, etc.

261
Q

What is AD “essentially”

A

AD is essentially a read-only database accessible to all users within the domain, regardless of their privilege

262
Q

What is a Forest

A

A Forest is the top-level container which holds one or more domains; it represents the entire AD environment, where all domains share a common schema and global catalog

263
Q

What is at the top of the AD hierarchy

A

Forest

264
Q

What is a domain in AD

A

A domain is a structure within which container objects (users, groups, computers) are accessible

265
Q

What is an Object in AD

A

An object can be defined as ANY resource present within an Active Directory, such as users, computers, OUs, etc.

266
Q

What are attributes in AD

A

Every object has an associated set of attributes used to define characteristics of the given object.

267
Q

Give example attributes of a user object

A

firstName, fullName, email, username, password

268
Q

What can we think of domains in AD as

A

We can think of domains in AD like different states or countries

269
Q

What can we think of Forest like in AD

A

A Forest is like the US, and the domains are all the states inside of the US

270
Q

What is MSBROWSE

A

MSBROWSE is a Microsoft protocol that was used to maintain a list of resources such as shared printers and files that were available on the network

271
Q

What superseded MSBROWSE

A

SMB

272
Q

How to find the Master Browser

A

nbtstat -A

273
Q

What is a Global Catalog

A

A Global Catalog is a domain controller that stores copies of ALL objects in an AD Forest. The GC allows both users and applications to find information about any object in ANY domain in the forest

274
Q

What are the five roles of the FSMO

A

Schema Master, Domain Naming Master, Relative ID Master, Primary Domain Controller Emulator, Infrastructure Master

275
Q

What does FSMO stand for

A

Flexible Single Master Operations

276
Q

What are the two groups of FSMO roles and what separates them

A

Forest-wide and Domain-wide; Forest-wide roles apply to the entire forest, while domain-wide roles apply to each domain

277
Q

What are the Forest-wide FSMO roles

A

Schema Master and Domain Naming Master

278
Q

What are the domain-wide FSMO roles

A

Relative ID Master, Primary Domain Controller Emulator, Infrastructure Master

279
Q

How do the FSMO roles work in terms of delegation

A

All 5 FSMO roles are assigned to the first DC in the forest root domain; each time a new domain is added to a forest, the first DC in that domain also gets the RID Master, PDC Emulator and Infrastructure Master roles assigned

280
Q

What are leaf objects in AD

A

Objects that do not or cannot contain other objects

281
Q

Why is DNS important for AD

A

AD DS uses DNS to allow clients (workstations, servers) to locate the Domain Controller and for the Domain Controllers that host the directory service to communicate amongst each other

282
Q

What does AD DS stand for

A

Active Directory Domain Services

283
Q

How do DNS resolutions work in AD

A

AD uses DNS to find the IP address of the DC through an SRV record

284
Q

What does LDAP stand for

A

Lightweight Directory Access Protocol

285
Q

What is LDAP

A

LDAP is a protocol used for authentication against various directory services such as AD

286
Q

What specified LDAP

A

RFC 4511

287
Q

What is LDAP essentially

A

LDAP is the language that applications use to communicate with other servers that provide directory services, similar to a user interacting with an SQL DB through SQL queries

288
Q

What cryptographic technique is used for NTLM, NTLMv1 and NTLMv2

A

Symmetric key cryptography

289
Q

What cryptographic technique is used for Kerberos

A

Symmetric key cryptography & asymmetric cryptography

290
Q

What message type (encryption) is used for NTLMv1 and NTLMv2

A

MD4 hash, random number

291
Q

What message type (encryption) is used for Kerberos

A

Encrypted ticket using DES, MD5

292
Q

What does LANMAN stand for

A

LAN Manager

293
Q

What does LANMAN do

A

LANMAN is the oldest hash storage mechanism used by the Windows OS

294
Q

Where are LANMAN hashes stored

A

In the SAM database and in the NTDS.DIT database on the Domain Controller

295
Q

What is the AD Database file

A

NTDS.dit

296
Q

Why was LANMAN vulnerable and not in use anymore

A

Passwords were limited to 14 characters and converted to upper case before hashing, then also split into two 7 character blocks making it easier to crack

297
Q

What is NTLMv1

A

NTLMv1 performs a challenge/response between a server and a client using the NTLM hash, which is used for network authentication

298
Q

What are the merits of NTLMv1

A

Improved security by using MD4 hashing and avoiding splitting the password into 7-character chunks; it is also not vulnerable to PtH attacks

299
Q

Why was NTLMv2 created and why is it better than NTLMv1

A

NTLMv2 is a protocol that was created as a stronger alternative to v1; it is hardened against spoofing attacks that v1 is susceptible to

300
Q

What is the process of NTLMv2

A

NTLMv2 sends two responses to the 8-byte challenge: the first contains a 16-byte HMAC-MD5 hash of the server challenge, a randomly generated challenge from the client and an HMAC-MD5 of the user credentials, followed by a second response using a client challenge that includes the current time, an 8-byte random value and the domain name

301
Q

Merits of NTLMv2

A

Much stronger security using HMAC-MD5, making it more resistant to brute-force attacks; it is also compatible with legacy systems

302
Q

How many hashes does Cached Credentials store

A

Last 10

303
Q

What is AD Group Policy

A

An AD feature that provides admins with advanced settings they can apply to both user and computer accounts in a Windows environment

304
Q

What are some things that can be configured using Group Policy

A

Policies such as screen lock timeouts, disabling USB ports, enforcing custom domain password policies, installed software, managing applications, etc.

305
Q

What is a GPO

A

It is a virtual collection of Group Policy settings that can be applied to user(s) or computer(s)

306
Q

What does GPO stand for

A

Group Policy Object

307
Q

What is Local Security Policy

A

It is a set of security-related Group Policy settings that are applied to a single computer (not whole OUs)

308
Q

What file manages the Local Security Policy

A

gpedit.msc

309
Q

What is the GPO order of precedence

A

In order; Local Security Policy, Site Policy, Domain Policy, Parent OU policy, Child OU policy

310
Q

What is the name of the default Group Policy

A

Default Domain Policy

311
Q

When is the Default Domain Policy used

A

It is used when there are no other Group Policies applied to an object

312
Q

What is a Rainbow Table Attack

A

It is a pre-computed table of hashes and their corresponding plaintext passwords, which is a much faster method than a brute-force attack

313
Q

What is the Rainbow Table Attack’s limitations

A

The method is limited by the rainbow table size; the bigger the table, the more passwords and hashes it can store

314
Q

What is the Definition and Enforcement of a Password Policy

A

Definition: A guideline on what the password policy requires - Enforcement: The technology used to make sure users comply with the password policy

315
Q

What is a Password Policy

A

A set of rules designed to enhance computer security by encouraging users to employ strong passwords and use them based on the company’s definition

316
Q

What are common password policy standards

A

CIS Password Policy Guide, PCI DSS

317
Q

What is a sample password policy

A

Min. 8 characters, must include uppercase and lowercase letters, must include symbols and numbers, it should not be the username

318
Q

How can we attack SAM

A

We can dump files with hashes and proceed to crack them

319
Q

What are the three files that store hashes

A

hklm\sam, hklm\system, hklm\security

320
Q

What does hklm\sam contain

A

Contains the hashes associated with local account passwords; we need the hashes to crack them and get the user password in plaintext

321
Q

What does hklm\system store

A

Contains the system bootkey, which is used to encrypt the SAM database

322
Q

What does hklm\security store

A

Contains cached credentials (last 10) for domain accounts

323
Q

How can we hunt for plaintext credentials

A

If we have a GUI, we can use built-in search functions like Windows Search to search terms related to passwords

324
Q

What are keywords we can use to search for plaintext passwords

A

Passwords, Usernames, Pwd, Passkey, Credentials

325
Q

What is HTML Source Review

A

Sift through HTML source code to look for interesting data

326
Q

What can we gather from web mark-up

A

Hidden form fields, database connection strings, credentials developers may have left, developer comments, etc.

327
Q

How to download a HTML site

A

wget -r -m -nv

328
Q

What is MySQL

A

MySQL is an open-source relational database management system developed and supported by Oracle

329
Q

What is the MySQL file ext

A

MySQL databases are often stored in a single file with the extension .sql (e.g: wordpress.sql)

330
Q

What is MariaDB

A

MariaDB is a fork of the original MySQL, created when the chief developer of MySQL left and started MariaDB

331
Q

What Port does MySQL run on

A

TCP Port 3306

332
Q

TCP Port 3306

A

MySQL

333
Q

How to see MySQL version

A

select version();

334
Q

What is MSSQL

A

MSSQL is a Windows SQL-based RDBMS that was written to run on the Windows OS due to its strong native support for Microsoft’s .NET framework; therefore it is most often found on Windows hosts

335
Q

What is the authentication mechanism for MSSQL if authentication is set to Windows Authentication

A

It will be processed through the local SAM database or the hosting Active Directory

336
Q

What is the issue with Active Directory for MSSQL auth

A

If the account is compromised, it could lead to privilege escalation and lateral movement across a Windows domain environment

337
Q

What is SSMS

A

SSMS comes as a feature that can be installed with MSSQL or separately; it allows for the initial configuration of a database but also long-term management by admins

338
Q

What does SSMS stand for

A

SQL Server Management Studio

339
Q

How to find the SSMS MSSQL client

A

locate mssqlclient

340
Q

MSSQL Port

A

Port 1433

341
Q

Port 1433

A

MSSQL

342
Q

What does nmap have for MSSQL

A

Nmap has a default MSSQL scan

343
Q

What are MSSQL Attack Vectors

A

Dangerous settings, default nmap MSSQL scans, Metasploit scans, can connect via mssqlclient.py

344
Q

What are dangerous settings in MSSQL

A

MSSQL clients not using encryption to connect as it is not forced, use of self-signed certificates which can be spoofed, and weak or default sa credentials which admins may have forgotten to disable

345
Q

What is Oracle TNS

A

Oracle TNS is a communication protocol that facilitates communication between Oracle databases and applications over networks

346
Q

What does Oracle TNS stand for

A

Oracle Transparent Network Substrate

347
Q

Why is Oracle TNS considered safe and secure

A

Oracle TNS is considered safe and secure as it has built-in encryption mechanisms ensuring the security of data transmitted

348
Q

What port does Oracle TNS listen on

A

TCP Port 1521

349
Q

TCP Port 1521

A

Oracle TNS

350
Q

In which versions can Oracle TNS be remotely managed

A

Oracle 8i/9i but not Oracle 10g/11g

351
Q

What is the combination used for basic authentication of TNS Listener

A

Hostname, IP Address, Username, Password

352
Q

What are the two configuration file names of Oracle TNS

A

tnsnames.ora and listener.ora

353
Q

What is the default Oracle 9 password

A

CHANGE_ON_INSTALL

354
Q

What is the default Oracle 10 password

A

There is no default password for Oracle 10

355
Q

What is the default Oracle DBSNMP password

A

dbsnmp

356
Q

What is the MSSQL port in hidden mode

A

2433

357
Q

Port 2433

A

MSSQL in hidden mode