Chapter 5 - Attacking a System Flashcards

1
Q

Characteristics of LM Hashing

A

Splits the password up and converts all letters to uppercase. If it is over 7 characters, it is padded to 14 characters and split 7 x 7. Easily cracked.

2
Q

What is the Ntds.dit ?

A

It is a database file on the domain controller that stores passwords.

3
Q

What are the steps for Kerberos?

A

1. Client asks the Key Distribution Center (KDC) for a ticket.
2. Server responds with a Ticket Granting Ticket (TGT). This is a secret key which is hashed and stored on the server.
3. If the client can decrypt it, the TGT is sent back to the server requesting a Ticket Granting Service (TGS) service ticket.
4. Server sends the TGS service ticket, which the client uses to access resources.

4
Q

What tools can you use to crack Kerberos?

A

Kerbsniff, KerbCrack

5
Q

HKEY_LOCAL_MACHINE (HKLM)

A

Information on hardware and software

6
Q

HKEY_CLASSES_ROOT (HKCR)

A

Information on file associations and OLE classes

7
Q

HKEY_CURRENT_USER (HKCU)

A

Profile information for the current user including preferences

8
Q

HKEY_USERS (HKU)

A

Specific user configuration information for all currently active users

9
Q

HKEY_CURRENT_CONFIG (HKCC)

A

Pointer to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current

10
Q

What is the RID of the following: S-1-5-21-3623811015-3361044348-30300820-1013

A

1013. RID is the Relative Identifier.

11
Q

/bin

A

Basic Linux commands

12
Q

/dev

A

Contains pointer locations to various storage and input/output systems

13
Q

/etc

A

All admin files and passwords; the password and shadow files are here.

14
Q

/home

A

holds user home directories

15
Q

/mnt

A

holds the access locations you’ve mounted

16
Q

/sbin

A

System binaries folder, which holds more administrative commands

17
Q

/usr

A

holds almost all of the information, commands, and files unique to the users

18
Q

Root has the UID and GID of what?

A

UID and GID of 0

19
Q

The first user has the UID and GID of what?

A

UID and GID of 500

20
Q

FAR vs FRR vs CER

A

False Acceptance Rate (FAR) - Rate at which a system accepts access for people who shouldn’t have it.
False Rejection Rate (FRR) - Rate at which a system rejects access for someone who should have it.
Crossover Error Rate (CER) - Combination of the two; the lower the CER, the better the system.

21
Q

What are the system hacking goals?

A

1. Gaining Access
2. Escalating Privilege
3. Executing Applications
4. Hiding Files
5. Covering Tracks

22
Q

Password Attack: Non-electronic

A

Social engineering attacks; the most effective type.

23
Q

Password Attack: Active Online

A

Done by directly communicating with the victim’s machine. Includes dictionary, brute-force attacks, hash injection, phishing, trojans, spyware, etc.

24
Q

Password Attack: LLMNR/NBT-NS

A

Attack based on Windows caching DNS locally. Responding to these requests poisons the local cache. If an NTLMv2 hash is sent over, it can be sniffed out.

25
Q

Offline Password Attack

A

Hacker steals a copy of the password file and does the cracking on a separate system.

26
Q

LLMNR Port Number?

A

UDP 5355

27
Q

NBT-NS Port Number?

A

UDP 137

28
Q

Tool that can be used to automate testing of user IDs and passwords?

A

NetBIOS Auditing Tool or Legion

29
Q

NBNSpoof

A

Tool that is used for LLMNR/NBT-NS poisoning. Similar to Responder

30
Q

Pupy

A

Tool that is used for LLMNR/NBT-NS poisoning. Similar to Responder

31
Q

Responder

A

Tool that is used for LLMNR/NBT-NS poisoning.

32
Q

Hydra

A

Password cracking tool

33
Q

What are the four main attack types for password cracking?

A

Non-electronic: Social engineering (most effective).
Active Online: Done by directly communicating with the victim's machine (trojan, brute-force attack).
Passive Online: Sniffing the wire to intercept a password, or a MITM attack.
Offline: When the hacker steals a copy of the password file and does the cracking on a separate system.

34
Q

Examples of an Active Online Attack

A

Done by directly communicating with the victim's machine. Examples: keylogging, LLMNR/NBT-NS attacks (local DNS attack). Tools: NBNSpoof, Pupy, Metasploit, Responder

35
Q

LLMNR port

A

UDP 5355

36
Q

NBT-NS Port

A

UDP 137

37
Q

Cain and Abel (sniffing)

A

Password cracker that can poison ARP and then monitor the victim's traffic

38
Q

Ettercap

A

Similar to Cain and Abel, but also helps against SSL encryption

39
Q

KerbCrack

A

Built-in sniffer and password cracker looking for port 88 Kerberos traffic

40
Q

ScoopLM

A

Specifically looks for Windows authentication traffic on the wire and has a password cracker.

41
Q

Passive Online Sniffing Tools

A

Cain and Abel, Ettercap, KerbCrack, ScoopLM

42
Q

Dictionary vs. Brute Force vs. Hybrid Attack

A

Dictionary: Uses a wordlist to attack the password.
Brute Force: Tries every combination of characters to crack a password.
Hybrid: Takes a dictionary attack and replaces characters or adds numbers at the end.

43
Q

Horizontal vs. Vertical Privilege Escalation

A

Vertical: Lower-level user executes code at a higher privilege level.
Horizontal: Executing code at the same user level but from a location that would be protected from that access.

44
Q

DLL Hijacking

A

Replacing a DLL in the application directory with your own.

45
Q

Alternate Data Streams (ADS)

A

Hides files. To show them: dir /r. Example of a stream that can be executed: readme.txt:badfile.exe

46
Q

How would you hide a file by attributes in Windows?

A

attrib +h filename

47
Q

Tools for hiding files

A

ImageHide, Snow, Mp3Stego, Blindside, S-Tools, wbStego, and Stealth

48
Q

Hypervisor Level Rootkit

A

Rootkits that modify the boot sequence of a host system to load a VM as the host OS

49
Q

Hardware rootkit

A

Hides malware in devices or firmware

50
Q

Boot Loader Level Rootkit

A

Replaces the boot loader with one controlled by the hacker

51
Q

Application Level Rootkit

A

Directed at replacing valid application files with Trojans

52
Q

Kernel Level Rootkit

A

Attacks boot sectors and the kernel level, replacing kernel code with back-door code; most dangerous

53
Q

Library Level Rootkit

A

Uses system-level calls to hide itself. One way to detect it is to compare files with a known-good CD backup.

54
Q

How would you describe an interrupt?

A

A signal that indicates that an event has occurred

55
Q

On Windows, where are authentication credentials stored? Where is the file located?

A

Stored in the SAM file, which is located at C:\windows\system32\config