All Appendix 2

Question 1

RIP Port

Answer 1

UDP 520

Question 2

UDP 520

Answer 2

RIP

Question 3

What does rusers stand for

Answer 3

Remote Users Service

Question 4

What does rusers do

Answer 4

rusers displays information about users currently logged into remote systems

Question 5

What is the difference between rusers and rwho

Answer 5

rusers displays information only for the current host while rwho displays information for the entire network

Question 6

How does rusers work

Answer 6

When you run rusers on a network, it sends out a broadcast request to all machines on the network running the rusersd daemon, these machines will respond with a list of currently logged in users along with their idle times

Question 7

Rusers port

Answer 7

UDP 513

Question 8

UDP 513

Answer 8

Rusers and Rwho

Question 9

What does Rwho stand for

Answer 9

Remote Who Service

Question 10

What does rwho do

Answer 10

rwho displays information about users logged into remtoe systems on a network

Question 11

Rwho port

Answer 11

UDP 513

Question 12

How can SMTP be used to enumerate users

Answer 12

Certain SMTP commands such as VRFY and EXPN can be used to validate whether a specific email/username exists on the server through obsering response status codes

Question 13

What are the two commands responsible for SMTP user enumeration

Answer 13

VRFY and EXPN

Question 14

What is Finger

Answer 14

Finger is a utility that provides information about users on a system, it can display details such as full name, home dir, login shell, etc.

Question 15

Where is information from Finger derived from

Answer 15

Lots of the information comes from the /etc/passwd file

Question 16

What happens if no user is specified on a finger query

Answer 16

It can return a list of all users on the system including login names and other details

Question 17

Finger port

Answer 17

TCP 79

Question 18

TCP 79

Answer 18

Finger

Question 19

What is an FTP access control mechanism

Answer 19

/etc/ftpusers

Question 20

What does /etc/ftpusers do

Answer 20

It is a list of users that cannot access the ftp server

Question 21

What is anonymous user on FTP

Answer 21

Anonymous user is used to allow everyone on the internal network to share files and data without accessing each others computer

Question 22

Does Anonymous user require authentication/password for FTP

Answer 22

No

Question 23

What is a security configuration in FTP to prevent identifying authors of files

Answer 23

hide_ids=YES means the UID and GID of files will be overwritten meaning it is more difficult to identify which rights these files have and to prevent user enumeration

Question 24

What is a vulnerability of allow file upload to an FTP server

Answer 24

If we can upload files this may allow for LFI vulnerabilities to make system commands and RCE (remote code execution)

Question 25

FTP Ports

Answer 25

20-21

Question 26

FTP conf file

Answer 26

/etc/vsftpd.conf

Question 27

What is SMTP

Answer 27

SMTP is a protocol used for sending emails in an IP network, it can be used between an email client and an outgoing mail server or between two SMTP servers

Question 28

SMTP Port

Answer 28

TCP 25

Question 29

What do newer SMTP servers listen on

Answer 29

TCP 587

Question 30

What is an essential function of SMTP

Answer 30

Blocking spam by using authentication mechanisms that allow only authorised users to send emails

Question 31

What is ESMTP

Answer 31

It is an extension of SMTP, aptly called Extended STP which uses SSL and TLS

Question 32

How can we enumerate usernames on SMTP

Answer 32

Using the EXPN and VRFY queries

Question 33

What does EXPN do

Answer 33

The client checks if a mailbox is available for messaging

Question 34

What does VRFY query do

Answer 34

The client checks if a mailbox is available for mail transfer

Question 35

What is Code 252 in VRFY

Answer 35

User that does not exist

Question 36

What is Code 250 in VRFY

Answer 36

Requested mail action completed

Question 37

How can we connect to an SMTP server

Answer 37

Telnet 25

Question 38

What is Mail Relaying

Answer 38

Mail Relaying is the process where an SMTP server forwards an email from one server to another that is not directly responsible for either the sender or recipient, such as when emails need to be transferred across different domains and servers

Question 39

In essence what is Mail Relaying

Answer 39

Any transfer of an email that is not directly the recipient or sender but rather an intermediary server

Question 40

What does NFS stand for

Answer 40

Network File System

Question 41

What does NFS do

Answer 41

It is a file system that has the same purpose as SMB - to access file systems over network as if they were local

Question 42

What are the versions of NFS

Answer 42

NFSv2, NFSv3 and NFSv4

Question 43

What is NFSv2

Answer 43

It is older but supported by many systems and was initially operated over UDP

Question 44

What is NFSv3

Answer 44

It has more features including variable file size and better error reporting, but it is not compatible with NFSv2 clients

Question 45

What is NFSv4

Answer 45

It includes Kerberos, supports ACLs and provides performance improvements and higher security

Question 46

What is the most secure version of NFS

Answer 46

NFSv4

Question 47

What is NFS based on

Answer 47

ONC-RPC / SUN-RPC

Question 48

What does ONC-RPC stand for

Answer 48

Open Network Computing Remote Procedure Call

Question 49

What port does NFS listen on

Answer 49

2049

Question 50

What port does ONC-RPC listen on

Answer 50

111

Question 51

What does NFS rely on for authentication

Answer 51

NFS relies on UID/GID on the client machine which is checked against the local user database to determine user permissions

Question 52

What file contains a table of filesystems on the NFS server

Answer 52

/etc/exports

Question 53

What is Root_Squash / No_Root_Squash

Answer 53

Prevents the root user on the client from having root privileges on the NFS server, if turned on, any requests from the root user will be mapped to an anonymous user

Question 54

What is Nosuid option

Answer 54

Prevents the execution of files with the setuid or setgid set (meaning it won’t execute as the author of the file but rather as the logged in user)

Question 55

What is noexec option

Answer 55

Option that prevents the exectution of binaries on the file system, any attempt to execute a binary file (an executable or script) will fail

Question 56

How can we access files through UID/GID manipulation

Answer 56

If we have access to the system via SSH and want to read files from another folder that a specific user has access to, we can upload a shell to the NFS server that has a SUID of that user and run the shell via the SSH user

Question 57

What are the two access control types in NFS

Answer 57

Host level and File level

Question 58

What is Host level in NFS

Answer 58

The NFS server controls which hosts (devices) can access the shared directories through the NFS server’s /etc/exports file

Question 59

What is File level on NFS

Answer 59

Traditional UNIX model where access to files and directories are controlled based on user IDs (UID) and group IDs (GID)

Question 60

What is HINFO in DNS records

Answer 60

Resource record that provides descriptive information about a host, specifically its hardware and operating system

Question 61

NetBIOS Name Port

Answer 61

UDP 137

Question 62

UDP 137

Answer 62

NetBIOS Name

Question 63

List all of the R Services

Answer 63

rcp, rexec, rlogin, rsh, stat, ruptime, rwho

Question 64

What is R Services

Answer 64

R Services are a suite of services hosted to enable remote access or issue commands between UNIX hosts over TCP/IP

Question 65

Are R Services used now?

Answer 65

No they were replaced by SSH

Question 66

What is a vulnerabiity in R. Services

Answer 66

Much like Telnet, R Services transmits information for client to server (and vice versa) over the network in an unencrypted format, making it possible for attackers to intercept traffic

Question 67

What ports does R Services use

Answer 67

512, 513 and 514

Question 68

What is rcp

Answer 68

Remote Copy

Question 69

What is rexec

Answer 69

Remote Execution

Question 70

W hat is Rlogin

Answer 70

Remote login

Question 71

What is Rsh

Answer 71

Remote Shell

Question 72

What port does rcp listen on

Answer 72

TCP 514

Question 73

What port does rsh listen on

Answer 73

TCP 514

Question 74

What port does rexec listen on

Answer 74

TCP 512

Question 75

What port does rlogin listen on

Answer 75

TCP 513

Question 76

What does rcp do

Answer 76

Copy a file/directory bidirectionally from local machine to remote system, but provides no warning to user for overwriting existing files

Question 77

What does rsh do

Answer 77

Opens a shell on a remote machine without a login procedure, relies upon trusted entries in the /etc/hosts.equiv and .rhosts files

Question 78

How is authentication overwritten in rsh, rexec and rlogin

Answer 78

Passing authentication relies on trusted entries in the /etc/hosts.equiv and .rhosts rule for validation

Question 79

What does rexec do

Answer 79

Enables a user to run shell commands on a remote machine

Question 80

What does rlogin do

Answer 80

Enables a user to login to a remote host over the network similar to Telnet, but can only connect to Unix-like hosts

Question 81

What is the difference between /etc/hosts.equiv and .rhosts

Answer 81

Hosts.equiv is the global configuration of all users on a system, whereas .rhosts provides a per-user configuration

Question 82

What is X11

Answer 82

X11 is a framework for building GUIs on Unix OS, provides tools and protocols to display graphical applications, manage windows, handle input devices, etc.

Question 83

What is security with X11 like

Answer 83

X11 communication is unencrypted, making it vulnerable to eavesdropping and MiTM attacks, however it can be tunneled through SSH for secure access

Question 84

What does Xhost + do

Answer 84

Allows all hosts access to the X server

Question 85

What is recommended when using xhost

Answer 85

To use user-based access control and not host-based

Question 86

What is the two types of access control on X11

Answer 86

Host-based and User-based

Question 87

What is host-based access control in X11

Answer 87

The xhost command is used to manage host-based access control, it allows or denies access to the X server for specific hosts

Question 88

What does xhost - do

Answer 88

Denies access for all hosts

Question 89

What is used based access control in X11

Answer 89

Restricts access to the X server based on individual users rather than entire hosts offering finer control.

Question 90

What is the most common user-based authentication method to X server

Answer 90

MIT-MAGIC-COOKIE-1 is a random cookie which is provided to authorised clients and stored in the .Xauthority file

Question 91

Is MIT-MAGIC-COOKIE-1 or SSH tunnelling more secure in X11 and why

Answer 91

SSH tunnelling is more secure as it encrypts the data transmission whereas the magic cookie does not, it leaves it unencrypted still

Question 92

What is RPC

Answer 92

RPC is a protocol that allows a program to request a service or exectute procedures on a remote server as if it were local

Question 93

What does RPC stand for

Answer 93

Remote Procedure Call

Question 94

Name 3 common RPC services

Answer 94

MSRPC, Portmapper and NFS

Question 95

What is MSRPC

Answer 95

MSRPC is used by Windows for various network services such as file sharing, SMB, Active Directory, etc

Question 96

What is Portmapper

Answer 96

The Portmapper service maps RPC services on the appropriate network protocols allowing clients to discover where services are available

Question 97

What is NFS

Answer 97

NFS allows for files to be shared over a network as if they were on a local disk, NFS uses RPC or all communication between the NFS client and NFS server

Question 98

What tool can we use to enumerate RPC services

Answer 98

rpcinfo is a tool that provides information about RPC services running on a Unix system, it can be used to list all registered devices

Question 99

What were two popular vulnerabilities in RPC

Answer 99

EternalBlue which targets the SMBv1 protocol which relies on MSRPC which was exploited in the WannaCry attack and Wordpress xmlrpc

Question 100

RPC Endpoint Mapper (Windows) Port

Answer 100

Port 135

Question 101

Port 135

Answer 101

RPC Endpoint Mapper (Windows)

Question 102

Port 111

Answer 102

Portmapper

Question 103

Portmapper Port

Answer 103

Port 111

Question 104

What does SSH do

Answer 104

SSH enables two computers to establish an encrypted and direct connection within a possibly insecure network on TCP 22

Question 105

Where is SSH native to

Answer 105

Native to Unix so it is preinstalled on Linux and MacOS

Question 106

What protocols can connect to SSH-1.99-OpenSSH_3.9p1

Answer 106

We can connect with SSH-1 and SSH-2

Question 107

What protocols can connect to SSH-2.0-OpenSSH_8.2p1

Answer 107

Only accepts SSH-2 protocol

Question 108

What are the 6 ways of authenticating to SSH

Answer 108

Password, Public Key, Host based, Keyboard, Challenge-Response and GSSAPI

Question 109

What is Public Key authentication for SSH

Answer 109

The server creates a cryptographic problem with the public key and the client decrypts the problem with its own private key and sends back the solution

Question 110

What file is responsible for the OpenSSH server

Answer 110

sshd_config file

Question 111

What is a dangerous setting on SSH

Answer 111

PasswordAuthentication=YES as it allows us to brute-force

Question 112

What is a tool used to footprint SSH

Answer 112

ssh-audit checks the client-side and server-side configuration and shows general information

Question 113

How can we secure SSH

Answer 113

Use key-based authentication, disable password authentication, use SSH-2 and change default SSH port from port 22

Question 114

How to remember what SSH versions can connect to what protocols

Answer 114

1.5 or lower just SSH-1, 1.99 is a mix of SSH-1 and SSH-2 and 2.0 and beyond is just SSH-2