Chapter 5 - Attacking a System

Question 1

Characteristics of LM Hashing

Answer 1

Splits the password up and all letters converted to uppercase. If it’s over 7 characters, it is padded to 14 characters and split 7 x 7. Easily cracked

Question 2

What is the Ntds.dit ?

Answer 2

It’s a database file on the domain controller that stores passwords

Question 3

What are the steps for Kerberos?

Answer 3

1. Clinet asks Key Distribution Center (KDC) for ticket. 2. Server responsds with Ticket Granting Ticket (TGT). This is a secret key which is hashed and stored on server. 3. If client can decrypt it, the TGT is sent back to the server requesting a Ticket Granting Service (TGS) service ticket. 4. Server sends TGS service ticket which client uses to access resources,.

Question 4

What tools can you use to crack Kerberos?

Answer 4

Kerbsniff, KerbCrack

Question 5

HKEY_LOCAL_MACHINE (HKLM)

Answer 5

Information on hardware and software

Question 6

HKEY_CLASSES_ROOT (HKCR)

Answer 6

Information oon file assocates and OLE classes

Question 7

HKEY_CURRENT_USER (HKCU)

Answer 7

Profile information for the current user including preferences

Question 8

HKEY_USERS (HKU)

Answer 8

Specific user configuration information for all currently active users

Question 9

HKEY_CURRENT_CONFIG (HKCC)

Answer 9

Pointer to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current

Question 10

What is the RID of the following: S-1-5 21-3623811015-3361044348-30300820 - 1013

Answer 10

1013 , RID is the Relative Identifier

Question 11

/bin

Answer 11

Basic linux commands

Question 12

/dev

Answer 12

Contains pointer locations to various storage and input/output systems

Question 13

/etc

Answer 13

all admin files and passwords. Password and shadow files here

Question 14

/home

Answer 14

holds user home directories

Question 15

/mnt

Answer 15

holds the access locations you’ve mounted

Question 16

/sbin

Answer 16

system binaries folder which holds more administrative commnds

Question 17

/usr

Answer 17

holds almost all of the information, commands, and files unique to the users

Question 18

Root has the UID and GID of what?

Answer 18

UID and GID of 0

Question 19

The first user has the UID and GID of what?

Answer 19

UID and GID of 500

Question 20

FAR vs FRR vs CER

Answer 20

False Acceptance Rate - Rate that a system accepts access for people that shouldn’t have it. False Rejection Rate (FRR) - Rate that a system rejects access for someone who should have it. Crossover Error Rate (CER) - Combination of the two; the lower the CER, the better the system

Question 21

What are the system hacking goals?

Answer 21

1. Gaining Access 2. Escalating Privilege 3. Executing Applications. 4. Hiding Files 5. Covering Tracks.

Question 22

Password Attack: Non-electronic

Answer 22

Social engineering attacks - most effective.

Question 23

Password Attack: Active Online

Answer 23

Done by directly communicating with the victim’s machine. Includes dictionary, brute-force attacks, hash injection, phishing, trojans, spyware, etc.

Question 24

Password Attack: LLMNR/NBT-NS

Answer 24

Attack based off Windows that caches DNS locally. Responding to these poisons local cache. If an NTLMv2 hash is sent over, it can be sniffed out.

Question 25

Offline Password Attack

Answer 25

Hacker steals copy of password file and doesthe cracking on a separate system.

Question 26

LLMNR Port Number?

Answer 26

UDP 5355

Question 27

NBT-NS Port Number?

Answer 27

UDP 137

Question 28

Tool that can be used to automate testing of user IDs and Passwords?

Answer 28

NetBIOS Auditing Tool or Legion

Question 29

NBNSpoof

Answer 29

Tool that is used for LLMNR/NBT-NS poisoning. Similar to responder

Question 30

Pupy

Answer 30

Tool that is used for LLMNR/NBT-NS poisoning. Similar to responder

Question 31

Responder

Answer 31

Tool that is used for LLMNR/NBT-NS poisoning.

Question 32

Hydra

Answer 32

Password cracking tool

Question 33

What are the four main attack types for password cracking?

Answer 33

Non-electronic: Social engineering (most effective). Active Online - Done by directly communicating with vitcim’s machine (trojan, brute-force attack). Passive Online - Sniffing the wire to intercept a password or MITM attack. Offline - When the hacker steals a copy of the password file and does the cracking on a separate system.

Question 34

Examples of an Active Online Attack

Answer 34

Done by directly communicating with victim’s machine. Examples: Keylogging, LLMNR/NBT-NS attacks (local dns attack). Tools: NBNSpoof, Pupy, Metasploit, Responder

Question 35

LLMNR port

Answer 35

UDP 5355

Question 36

NBT-NS Port

Answer 36

UDP 137

Question 37

Cain and Abel (sniffing)

Answer 37

Password cracker that can poison ARP and then monitor victim’s traffic

Question 38

Ettercap

Answer 38

Similar to cain and abel but also helps against SSL encryption

Question 39

KerbCrack

Answer 39

Built-in sniffer and password cracker looking for port 88 Kerberos traffic

Question 40

ScoopLM

Answer 40

Specifically looks for Windows authentication traffic on the wire and has a password cracker.

Question 41

Passive Online Sniffing Tools

Answer 41

Cain and Abel, Ettercap, KerbCrack, ScoopLM

Question 42

Dictionary vs. Brute Force vs. Hybrid Attack

Answer 42

Dictionary: Uses a wordlist to attack the password. Brute Force: Tries every combination of characters to crack a password. Hybrid: Takes a dictionary attack and replaces cahracters or adds numbers at the end.

Question 43

Horizontal vs. Vertical Privilege Escalation

Answer 43

Vertical: Lower-level user executes code at a higher privilege level. Horizontal: Executing code at the same user level but from a location that would be protected from that access.

Question 44

DLL Hijacking

Answer 44

replacing a DLL in the application directory with your own.

Question 45

Alternate Data Streams (ADS)

Answer 45

Hides files. To show: dir /r Example can execute by: readme.txt:badfile.exe

Question 46

How would you hide a file by attributes in Windows?

Answer 46

attrib +h filename

Question 47

Tools for hiding files

Answer 47

ImageHide, Snow, Mp3Stego, Blindside, S-Tools, wbStego, and Stealth

Question 48

Hypervisor Level Rootkit

Answer 48

Rootkits that modify the boot sequence of a host system to load a VM as the host OS

Question 49

Hardware rootkit

Answer 49

Hide malware in devices or firmware

Question 50

Boot Loader Level Rootkit

Answer 50

Replace boot loader with one controlled by hacker

Question 51

Application Level Rootkit

Answer 51

Directed to replace valid application files with Trojans

Question 52

Kernel Level Rootkit

Answer 52

Attack boot sectors and kernel level replacing kernel code with back-door code; most dangerous

Question 53

Library Level Rootkit

Answer 53

Uses system-level calls to hide themselves . One way to detect is to compare files with known good cd backup.

Question 54

How would you describe an Interrupt

Answer 54

A signal that indicates that an event has occurred

Question 55

On Windows, where are authentication credentials stored? Where is the file located?

Answer 55

Stored in SAM file. File is located at C:\windows\system32\config