Attacking a System

Question 1

LM Hashing

Answer 1

Takes a password and converts it to uppercase. If less than 14 characters will add blank spaces to make it 14. The 14 character password is split into two 7 character strings and each string separately hashed.

Question 2

If a LM password is 7 or less characters, the second half of padded blanch characters would always be:

Answer 2

AAD3B435B51404EE, the hash value of 7 blank characters

Question 3

In a Windows Vista or later SAM file a LM password shows up as:

Answer 3

Blank. The NTLM hash will show in the second part of the line.

Question 4

Salting

Answer 4

Adding random data as additional input before a password is hashed.

Question 5

Active Directory database

Answer 5

%SYSTEMROOT%\System32\Ntds.dit

Question 6

Kerberos

Answer 6

Uses both symmetric and asymmetric encryption technologies to securely transmit passwords and key across a network. Made up of a Key Distribution Center (KDC), an Authentication Service (AS), a Ticket Granting Service (TGS) and the Ticket Granting Ticket (TGT)

Question 7

LM Authentication Levels

Answer 7

0 - Windows XP Default

2 - Windows 2003 Default

Question 8

Active Directory Database

Answer 8

Stored on domain controllers in %SYSTEMROOT%\NTDS\NTDS.dit or %SYSTEMROOT%\System32\NTDS.dit

Question 9

Tools used to crack Kerberos

Answer 9

Kerbsniff, KerbCrack

Question 10

Password Security

Answer 10

The length of password is more important that the complexity of a password

Question 11

Golden Ticket

Answer 11

Creating your own Kerberos TGT. Can be created by Mimikatz or Cobalt Strike using provided domain name, domain admin name, domain SID a Kerberos TGT hash

Question 12

Pass the Hash

Answer 12

Password hashes stored in memory and passed to a requesting remote computer for authentication. Hashes are loaded by LSASS, Tools: mimikatz which can steal hashes, PIN codes, and Kerberos tickets from memory. Mimikatz is also included by Metasploit as a meterpreter script

Question 13

Windows Registry - HKEY_LOCAL_MACHINE (HKLM)

Answer 13

Contains hardware information and software

Question 14

Windows Registry - HKEY_CLASSES_ROOT (HKCR)

Answer 14

Contains information on file associations and Object Linking and Embedding (OLE) classes

Question 15

Windows Registry - HKEY_CURRENT_USER (HKCU)

Answer 15

Contains profile information for the user currently logged on Includes preferences for the OS and applications

Question 16

Windows Registry - HKEY_USERS (HKU)

Answer 16

Contains specific user configuration information for all currently active users on the computer

Question 17

Windows Registry - HKEY_CURRENT_CONFIG (HKCC)

Answer 17

Contains a pointer to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\HardwareProfiles\Current\ to make access and editing this profile information easier

Question 18

Registry Character String

Answer 18

REG_SZ

Question 19

Registry Expandable String

Answer 19

REG_EXPAND_SZ

Question 20

Registry Binary Value

Answer 20

REG_BINARY

Question 21

32 bit unsigned integer

Answer 21

REG_DWORD

Question 22

Symbolic link to another key

Answer 22

REG_LINK

Question 23

Registry MultiValue

Answer 23

REG_MULTI_SZ

Question 24

Startup keys

Answer 24

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Question 25

Linux - File System - Root

Answer 25

Designated by a /

Question 26

Linux - File System - /bin

Answer 26

Holds numerous Linux commands a lot like C:\WINDOWS\SYSTEM32

Question 27

Linux - File System - /dev

Answer 27

Contains pointers to storage and I/O systems to mount such as optical drives and additional hard drives. Everything in Linux is a file

Question 28

Linux - File System - /etc

Answer 28

Contains all administrative files and passwords. The password and shadow file are found here

Question 29

Linux - File System - /home

Answer 29

User home folders

Question 30

Linux - File System - /mnt

Answer 30

Holds the access locations that are mounted

Question 31

Linux - File System - /sbin

Answer 31

System binaries - holds more admin commands and Linux daemons

Question 32

Linux - File System - /usr

Answer 32

Holds information, commands and files unique to users

Question 33

Common Linux commands

Answer 33

adduser - adds a user to the system
cat - displays the content of a file
cp - copies a file
ifconfig - Like Windows ipconfig
kill - kills a running process
ls - displays the content of a folder
man - display the manual pages of acommand
passwd - used to change your password
ps - process status command -ef will show all processes
rm - removes files -r will also remove directories
su - perform functions as another user.
SUDO - run programs as super user
pwd - print current working directory

Question 34

Run a program in Linux in the background

Answer 34

Add an ampersand to the end of the command. The process will end when the user logs out. To make the process persistent and survive logout, add nohup to the beginning of the command.

Question 35

Linux Users and Groups

Answer 35

Each user is assigned a unique Id called a UID and each group is assigned a unique Id called a GUID. These can be seen in /etc/passwd file and /etc/group files respectively as the third field.

Question 36

Linux password storage

Answer 36

Linux can store passwords in either the /etc/passwd file or the /etc/shadow file. An “x” in the passwd file indicates that the password is stored salted and hashed in the shadow file. Only root has access to shadow

Question 37

Tools to crack passwords from Linux shadow files

Answer 37

John the Ripper using brute force

Question 38

Linux hacking distros

Answer 38

Backtrack, Kali, Phlack, Auditor

Question 39

System Hacking Goals

Answer 39

Gaining Access, 
Escalating Privileges, 
Executing Applications, 
Hiding Files, 
Covering Tracks

Question 40

Gaining Access

Answer 40

Cracking passwords and escalating privileges

Question 41

CLear tracks methodology

Answer 41

In Metasploit use clearev
Clear most recently used (MRU) list in Windows and most recent documents
Can prepend a dot “.” to Linux files to hide them

Question 42

Hacking Phases

Answer 42

Reconnaissance
Scanning - Discovery and port scanning, then Enumeration
Gaining Access - Cracking passwords, escalating privileges
Maintaining Access - Executing applications, hiding files
Covering Tracks - Clearing logs

Question 43

Single factor authentication

Answer 43

Something you know

Question 44

Two factor authentication

Answer 44

Something you know and something you have (biometric)

Question 45

False Rejection Rate (FRR)

Answer 45

The percentage of time a biometric device will deny access to a legitimate user

Question 46

False Acceptance Rate (FAR)

Answer 46

The percentage of time a biometric device will give an unauthorized user access to a system

Question 47

Crossover Error Rate (CER)

Answer 47

Where the False Rejection Rate and the False Acceptance rate of a biometric device intersect

Question 48

Active biometric decice

Answer 48

Must be touched. A retina scan is invasive because it send a bean of light into the eye and is therefore considered active.

Question 49

Passive biometric device

Answer 49

You don’t have to touch. An iris scan is considered noninvasive because it takes a picture of the eye and is therefore considered passive

Question 50

Biometric or e-passport

Answer 50

A token that you carry that holds biometric information identifying you. Still considered single factor authentication

Question 51

Password fatigue

Answer 51

Users having to remember too many long and complex passwords.

Question 52

Keyboard walk passwords

Answer 52

Using predictable path or pattern of keys on a keyboard as the password

Question 53

Password cracking

Answer 53

Non-Electronic - social engineering,, shoulder surfing, dumpster diving
Active Online - direct interaction with the target, includes dictionary and brute force attacks, hash injections, phishing, Trojans, spyware, keyloggers, and password guessing
Passive Online -sniffing
Offline - steal a copy of a password file and crack it using a dictionary attack, hybrid attack or brute-force attack

Question 54

Rule based password attack

Answer 54

A dictionary/brute-force attack where the attacker has some knowledge of your password policy

Question 55

Keylogging

Answer 55

Using a hardware device or software application to capture a user’s keystrokes. Software keyloggers are easier to spot than hardware keyloggers which are almost impossible to detect.

Question 56

Link-local Multicast Name Resolution (LLMNR) and Netbios Name Server attack

Answer 56

LLMNR is based on the DNS host format and allows hosts on the same subnet to perform name resolution for other hosts as a backup for local DNS name resolution. This is subject to DNS poisoning by resolving a LLMNR DNS request to the target of your choice. This could lead to password sniffing of subsequent authentication attempts to the poisoned entry. Tools: NBNSpoof,
Pupy,
Metasploit,
Responder.
You can mitigate by disabling LLMNR through the registry or via GPO

Question 57

LLMNR port

Answer 57

UDP 5355 to IP address 224.0.0.252 and FF02::1:3

NBT-NS uses UDP port 137

Question 58

Windows Password Recovery Tools

Answer 58

CHNTPW (linux), 
Stellar Phoenix, 
Windows Password Recovery Ultimate, 
ISeePassword, 
Windows Password Recovery Tool, 
Passware Kit, 
PCUnlocker

Question 59

Net commands

Answer 59

Net View /domain:domainname
Net view \systemname - list of shares
Net use \target\ipc$ “” /u:” - sets a null session
Net use Z: \target\share /persistence:yes - makes the drive mapping permanent

You can use NETBIOS Auditing Tool and Legion to automate the testing of user IDs and passwords

Question 60

Ferret and Hampster

Answer 60

Ferret
This tools use to grab session cookies, running in the background process to capturing session cookies that pass the network at port 80.

Hamster
This tools work as a proxy server to manipulate every data that has been grabbed by Ferret.

Question 61

Online tools for password sniffing

Answer 61

Ettercap,
Kerbcrack (specifically looks for port 88 Kerberos traffic), Cain,
ScoopLM (specifically looks for Windows passwords)

Question 62

SSLsniff

Answer 62

Acts as a man in the middle for SSL connections on a LAN and dynamically generates certificates for the domains that are being accessed on the fly

Question 63

What is a hybrid offline password attack?

Answer 63

A step above the dictionary attack. The tool is smart enough to take a word from a list and substitute numbers and symbols for alpha characters.

Question 64

Rainbow table

Answer 64

Precalculated password hashes for easier hash cracking. Can be created with rtgen and winrtgen

Question 65

Offline password cracking tools

Answer 65

Cain, 
THC Hydra, 
John the Ripper, 
KerbCrack, 
LC5 (next gen L0phtcrack)

Question 66

Default Password Sites

Answer 66

OpenSezMe,
CIRT,
Defaultpassword.com

Question 67

Vertical Privilege Escalation

Answer 67

When a lower-level user executes code at a higher privilege level than they should have access to

Question 68

Horizontal Privilege Escalation

Answer 68

Executing code at the same user level but from a location that should be protected from access

Question 69

Four ways to gain root (admin) privileges

Answer 69

1. Crack the admin password
2. Take advantage of an OS vulnerabiliity
3. Use a tool like Metasploit that will deliver a custom payload
4. Social engineer the password

Question 70

DLL hijacking

Answer 70

Adding a malicious DLL to a path where it is executed before the real DLL. Can do the same on MAC OS with DYLIB

Question 71

Armitage

Answer 71

Offers a GUI front end for metasploit

Question 72

Owning a system

Answer 72

Gaining access to the machine and escalating privileges

Question 73

Tools for remote execution

Answer 73

RemoteExec,
PDQ Deploy,
Dameware Remote Support

Question 74

NTFS Alternate Data Stream

Answer 74

An NTFS feature originally included for Apple File System compatibility, allows you to hide data or a file inside of an NTFS file
Type badfile.exe > c:\goodfile.exe:badfile.exe
There are methods for starting the badfile.exe depending on the version of Windows:
Use the start command, for example, START c:\goodfile,exe:badfile.exe or create a link to start it using mklink, for example, mklink innocent.exe goodfile.exe:badfile.exe and execute innocent.exe

Question 75

Tools to find alternate data stream files

Answer 75

LNS,
Sfind,
dir /r.
You can also copy the file to a fat partition

Question 76

Hide files with steganography

Answer 76

Imagehide, 
Snow, 
MP3Stego, 
Blindside, 
S-tools, 
wbstego, 
stealth

Question 77

Semagram

Answer 77

Part of steganography
Visual semagram: Uses everyday objects to convey a message, for example, how objects are arranged on a desk. Semagrams hides information by using symbols,
signs, or visual objects. It is more like an indicator of
a larger, previously agreed upon message. For
example, Bob wants to tell Alice that the party will
take place on Friday. A semagram could be a
postcard with a picture of a Chevrolet car, which Bob
and Alice have already agreed that a Chevrolet car
means affirmative (the party will take place); while, a
Ford car means negative (the party won’t take place).

Text semagram: Obscures a message in text by using things such as font, size, type or spacing

Question 78

Hide tracks by modifying or deleting log files

Answer 78

Turning auditing off and back on and deleting all entries in a log file can be discovered. Better to corrupt the log file. Tools for log file manipulation include:
elsave, 
WinZapper, 
EvidenceEliminator, 
Auditpol (to disable log files)

Question 79

Rootkit

Answer 79

A collection of software put in place by an attacker designed to obscure system compromise. Replaces or substitutes administrator utilities and capabilities with modified versions that obscure or hide malicious activity. They provide back doors for the attacker to use later and include measures to remove and hide evidence of any activity.

Question 80

Horsepill

Answer 80

A Linux kernel rootkit inside initrd with three main parts:

1. klibc-horsepill.patch - creates a new malicious run-init
2. horsepill_setopt - moves command line arguments to the malicious run-init
3. hrsepill_infect - splats files

Question 81

Grayfish

Answer 81

A Windows rootkit that injects code in the boot record. creating its own virtual file system

Question 82

Other root kits

Answer 82

Sirefef, 
Azazel, 
Avatar, 
Necurs, 
ZeroAccess

Question 83

Six types of root kits

Answer 83

1. Hypervisor Level - modifies the boot sequence to load a virtual machine as the host OS
2. Hardware (firmware) - Hide in hardware devices or firmware
3. Boot loader level - replace the boot loader with one controlled by the hacker
4. Application level - Replace valid application files with Trojan binaries
5. Kernel level - attack the boot sectors and kernel level of the operating system itself, replacing kernel code with back door code. The most dangerous and difficult to detect and to remove
6. Library level - use system calls to hide their existence

Question 84

Blue Pill

Answer 84

The Blue Pill concept is to trap a running instance of the operating system by starting a thin hypervisor and virtualizing the rest of the machine under it. The previous operating system would still maintain its existing references to all devices and files, but nearly anything, including hardware interrupts, requests for data and even the system time could be intercepted (and a fake response sent) by the hypervisor.

Question 85

Protection Rings

Answer 85

Ring 0 - The kernel
Ring 1 - Drivers
Ring 2 - Libraries
Ring 3 - Applications, also known as user mode

Question 86

Steps for detecting a rootkit

Answer 86

First run dir /s /b /ah and dir /s /b /a-h in the potentially infected system and save the results. Boot a clean CD version and run the same commands. Use windiff to compare the two results files