Chapter 5 - Attacking a System Flashcards

1
Q

Characteristics of LM Hashing

A

Splits the password up, with all letters converted to uppercase. If it’s over 7 characters, it is padded to 14 characters and split 7 x 7. Easily cracked.

2
Q

What is the Ntds.dit ?

A

It’s a database file on the domain controller that stores passwords

3
Q

What are the steps for Kerberos?

A

1. Client asks the Key Distribution Center (KDC) for a ticket.
2. Server responds with a Ticket Granting Ticket (TGT). This is a secret key which is hashed and stored on the server.
3. If the client can decrypt it, the TGT is sent back to the server requesting a Ticket Granting Service (TGS) service ticket.
4. Server sends the TGS service ticket, which the client uses to access resources.

4
Q

What tools can you use to crack Kerberos?

A

Kerbsniff, KerbCrack

5
Q

HKEY_LOCAL_MACHINE (HKLM)

A

Information on hardware and software

6
Q

HKEY_CLASSES_ROOT (HKCR)

A

Information on file associations and OLE classes

7
Q

HKEY_CURRENT_USER (HKCU)

A

Profile information for the current user including preferences

8
Q

HKEY_USERS (HKU)

A

Specific user configuration information for all currently active users

9
Q

HKEY_CURRENT_CONFIG (HKCC)

A

Pointer to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current

10
Q

What is the RID of the following: S-1-5-21-3623811015-3361044348-30300820-1013

A

1013; the RID is the Relative Identifier (the last component of the SID)

11
Q

/bin

A

Basic Linux commands

12
Q

/dev

A

Contains pointer locations to various storage and input/output systems

13
Q

/etc

A

All admin files and passwords. The password and shadow files are here.

14
Q

/home

A

holds user home directories

15
Q

/mnt

A

holds the access locations you’ve mounted

16
Q

/sbin

A

System binaries folder, which holds more administrative commands

17
Q

/usr

A

holds almost all of the information, commands, and files unique to the users

18
Q

Root has the UID and GID of what?

A

UID and GID of 0

19
Q

The first user has the UID and GID of what?

A

UID and GID of 500

20
Q

FAR vs FRR vs CER

A

False Acceptance Rate (FAR): the rate at which a system accepts access for people who shouldn’t have it.
False Rejection Rate (FRR): the rate at which a system rejects access for someone who should have it.
Crossover Error Rate (CER): a combination of the two; the lower the CER, the better the system.

21
Q

What are the system hacking goals?

A

1. Gaining Access
2. Escalating Privilege
3. Executing Applications
4. Hiding Files
5. Covering Tracks

22
Q

Password Attack: Non-electronic

A

Social engineering attacks - most effective.

23
Q

Password Attack: Active Online

A

Done by directly communicating with the victim’s machine. Includes dictionary, brute-force attacks, hash injection, phishing, trojans, spyware, etc.

24
Q

Password Attack: LLMNR/NBT-NS

A

Attack based on Windows caching DNS names locally. Responding to these name requests poisons the local cache. If an NTLMv2 hash is sent over, it can be sniffed out.

25
Q

Offline Password Attack

A

Hacker steals a copy of the password file and does the cracking on a separate system.

26
Q

LLMNR Port Number?

A

UDP 5355

27
Q

NBT-NS Port Number?

A

UDP 137

28
Q

Tool that can be used to automate testing of user IDs and Passwords?

A

NetBIOS Auditing Tool or Legion

29
Q

NBNSpoof

A

Tool that is used for LLMNR/NBT-NS poisoning. Similar to Responder.

30
Q

Pupy

A

Tool that is used for LLMNR/NBT-NS poisoning. Similar to Responder.

31
Q

Responder

A

Tool that is used for LLMNR/NBT-NS poisoning.

32
Q

Hydra

A

Password cracking tool

33
Q

What are the four main attack types for password cracking?

A

Non-electronic: social engineering (most effective).
Active Online: done by directly communicating with the victim’s machine (trojan, brute-force attack).
Passive Online: sniffing the wire to intercept a password, or a MITM attack.
Offline: when the hacker steals a copy of the password file and does the cracking on a separate system.

34
Q

Examples of an Active Online Attack

A

Done by directly communicating with the victim’s machine. Examples: keylogging, LLMNR/NBT-NS attacks (local DNS attack). Tools: NBNSpoof, Pupy, Metasploit, Responder

35
Q

LLMNR port

A

UDP 5355

36
Q

NBT-NS Port

A

UDP 137

37
Q

Cain and Abel (sniffing)

A

Password cracker that can poison ARP and then monitor victim’s traffic

38
Q

Ettercap

A

Similar to Cain and Abel, but also helps against SSL encryption

39
Q

KerbCrack

A

Built-in sniffer and password cracker looking for port 88 Kerberos traffic

40
Q

ScoopLM

A

Specifically looks for Windows authentication traffic on the wire and has a password cracker.

41
Q

Passive Online Sniffing Tools

A

Cain and Abel, Ettercap, KerbCrack, ScoopLM

42
Q

Dictionary vs. Brute Force vs. Hybrid Attack

A

Dictionary: uses a wordlist to attack the password.
Brute Force: tries every combination of characters to crack a password.
Hybrid: takes a dictionary attack and replaces characters or adds numbers at the end.

43
Q

Horizontal vs. Vertical Privilege Escalation

A

Vertical: a lower-level user executes code at a higher privilege level.
Horizontal: executing code at the same user level, but from a location that would be protected from that access.

44
Q

DLL Hijacking

A

Replacing a DLL in the application directory with your own.

45
Q

Alternate Data Streams (ADS)

A

Hides files. To show them: dir /r. Example of a hidden stream that can be executed: readme.txt:badfile.exe

46
Q

How would you hide a file by attributes in Windows?

A

attrib +h filename

47
Q

Tools for hiding files

A

ImageHide, Snow, Mp3Stego, Blindside, S-Tools, wbStego, and Stealth

48
Q

Hypervisor Level Rootkit

A

Rootkits that modify the boot sequence of a host system to load a VM as the host OS

49
Q

Hardware rootkit

A

Hide malware in devices or firmware

50
Q

Boot Loader Level Rootkit

A

Replace boot loader with one controlled by hacker

51
Q

Application Level Rootkit

A

Directed to replace valid application files with Trojans

52
Q

Kernel Level Rootkit

A

Attack boot sectors and kernel level replacing kernel code with back-door code; most dangerous

53
Q

Library Level Rootkit

A

Uses system-level calls to hide itself. One way to detect it is to compare files with a known-good CD backup.

54
Q

How would you describe an Interrupt

A

A signal that indicates that an event has occurred

55
Q

On Windows, where are authentication credentials stored? Where is the file located?

A

Stored in the SAM file. The file is located at C:\windows\system32\config