Chapter 6 - Web-Based Hacking: Servers & Apps Flashcards

1
Q

IETF

A

Internet Engineering Task Force - Creates engineering documents to help make the internet work better

2
Q

W3C

A

World Wide Web Consortium - A standards-developing community

3
Q

OWASP

A

Open Web Application Security Project - Organization focused on improving the security of software.

4
Q

Web Server attack Methodology

A

Information Gathering (Whois), Footprinting (banner grab), Website mirroring, Vulnerability Scanning, Session Hijacking, Password Cracking

5
Q

Banner Grab

A

Method for web server footprinting

6
Q

Netcraft

A

Web server footprinting tool

7
Q

HTTPRecon

A

Web server footprinting tool

8
Q

ID Serve

A

Web server footprinting tool

9
Q

nmap

A

Powerful footprinting tool

10
Q

nmap -script http-trace -p80 localhost.

A

Detects vulnerable TRACE method

11
Q

nmap -script http-google-email

A

Lists email addresses

12
Q

nmap -script hostmap-*

A

Discovers virtual hosts on the IP address you are trying to footprint; * is replaced by online database

13
Q

nmap -script http-enum -p80

A

enumerates common web apps

14
Q

nmap -p80 -script http-robots.txt

A

Grabs the robots.txt file

15
Q

Nikto

A

Vulnerability scanner specifically suited for web servers

16
Q

Wget

A

Website mirroring tool

17
Q

Black Widow

A

Website mirroring tool

18
Q

HTTrack

A

Website mirroring tool

19
Q

WebCopier Pro

A

Website mirroring tool

20
Q

Web Ripper

A

Website mirroring tool

21
Q

SurfOffline

A

Website mirroring tool

22
Q

HTTPrint

A

Website mirroring tool

23
Q

What is N-Tier Architecture?

A

Distributes processes across multiple servers; normally as three tier: Presentation (web), logic (application), and data (database)

24
Q

What is WebGoat

A

Project maintained by OWASP which is an insecure web app meant to be tested.

25
Q

Http request: GET

A

retrieves whatever information is in the URL; sending data is done in URL

26
Q

Http Request: HEAD

A

identical to get except for no body in return

27
Q

Http Request: POST

A

sends data via body - data not shown in URL or in history

28
Q

Http Request: PUT

A

Requests data be stored at the URL

29
Q

Http Request: DELETE

A

Requests origin server delete resource

30
Q

Http Request: TRACE

A

Requests application layer loopback of message

31
Q

Http Request: CONNECT

A

Reserved for use with proxy (Post and Get can be manipulated by proxy)

32
Q

HTTP Error: 1xx

A

Informational - request received, continuing

33
Q

HTTP Error: 2xx

A

Success - Action received, understood and accepted

34
Q

HTTP Error: 3xx

A

Redirection - Further action must be taken

35
Q

HTTP Error 4xx

A

Client Error - Request contains bad syntax or cannot be fulfilled

36
Q

HTTP Error 5xx

A

Server Error - server failed to fulfill an apparently valid request

37
Q

Web Server Attack: DNS Amplification

A

Uses recursive DNS to DoS a target; Amplifies DNS answers to target until it can’t do anything.

38
Q

Web Server Attack: Directory Traversal

A

Requests a file that should not be accessible from the web server. Example: http://www.example.com/etc/passwd

39
Q

Web Server Attack: Parameter Tampering (URL Tampering)

A

Manipulating parameters within URL to achieve escalation or other changes.

40
Q

Web Server Attack: Hidden Field Tampering

A

Modifying hidden form fields, producing unintended results (Example: look at the source code and change the price of an item to $0.00)

41
Q

Web Server Attack: Web Cache Poisoning

A

Replacing the cache on a box with a malicious version of it

42
Q

Web Server Attack: Misconfiguration Attack

A

Same as before - improper configuration of a web server

43
Q

Web Server Attack: Password Attack

A

Attempting to crack passwords related to web resources

44
Q

Web Server Attack: Connection String Parameter Pollution

A

Injection attack that uses semicolons to take advantage of databases that use this separation method.

45
Q

Web Server Attack: Web Defacement

A

Simply modifying a web page to say something else

46
Q

Brutus

A

Tool for attacking web server. Brute force passwords of HTTP

47
Q

Hydra

A

Network login cracker

48
Q

WFETCH

A

Microsoft tool that allows you to craft HTTP requests to see response data (Burp does this too)

49
Q

Shellshock

A

Causes Bash to unintentionally execute commands when commands are concatenated on the end of function definitions.

50
Q

Web App Attacks - Tools for identifying entry points

A

WebScarab, HTTPPrint, BurpSuite

51
Q

What is “Web 2.0”

A

Dynamic web application; have a larger attack surface due to simultaneous communication

52
Q

Web App Attack: File Injection

A

Attacker injects a pointer in a web form to an exploit hosted elsewhere

53
Q

Web App Attack: Command Injection

A

Attacker gains shell access using Java or similar

54
Q

Web App Attack: LDAP Injection

A

Exploits applications that construct LDAP statements. Format is )(&)

55
Q

Web App Attack: SOAP Injection

A

Simple Object Access Protocol - Can inject query strings in order to bypass authentication. Uses XML to format info. Compatible with HTTP and SMTP. Messages are typically “one way” in nature.

56
Q

Buffer Overflow (Smashing the Stack)

A

Attempts to write data into an application’s buffer area to overwrite adjacent memory, execute code or crash a system

57
Q

What is a canary?

A

Used to monitor for buffer overflow attacks. Placed between buffer and control data.

58
Q

Ways to prevent buffer overflow

A

Secure coding techniques, Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP)

59
Q

Cross-Site Scripting (XSS)

A

Inputting JavaScript into a web form that alters what the page does. Can be passed via URL: www.google.com/. Can access cookies and send to remote host.

60
Q

Stored XSS (Persistent)

A

Stores the XSS in a forum or comment field of some sort for multiple people to access.

61
Q

Cross-Site Request Forgery (CSRF)

A

Forces an end user to execute unwanted actions on an app they’re already authenticated on. Inherits identity and privileges of victim to perform an undesired function on victim’s behalf. Captures session and sends a request based off logged in user’s credentials.

62
Q

Session Fixation

A

Attacker logs into a legitimate site and pulls a session ID; sends link with session ID to victim. Once victim logs in, attacker can now log in and run with user’s credentials.

63
Q

What does the following expression accomplish: ' OR 1=1 --

A

Tells the server if 1=1 (always true) to allow login. The double-dash (--) tells the server to ignore the rest of the query (usually the password)

64
Q

Fuzzing

A

Inputting random data into a target in order to see what will happen.

65
Q

Tautology

A

using always true statements to test SQL

66
Q

In-band SQL injection

A

Uses same communication channel to perform attack. Most common, used with UNION statements.

67
Q

Out-of-Band SQL Injection

A

Contrary to in-band, this type of SQL injection uses different communication channels for the attack and results. It’s also more difficult to do.

68
Q

Blind SQL Injection (inferential)

A

Occurs when attacker knows the database is susceptible to injection, but error messages and screen returns don’t come back to attacker.

69
Q

SQL Injection Tools

A

Sqlmap, sqlninja, Havij, SQLBrute, Pangolin, SQLExec, Absinthe, BobCat

70
Q

HTTP Response Splitting

A

adds header response data to an input field so server splits the response.

71
Q

Countermeasure for web app attacks

A

Input scrubbing for injection, SQL parameterized queries, patching servers, turning off unnecessary services, ports, and protocols.

72
Q

Modulation type: OFDM

A

Orthogonal Frequency-Division Multiplexing (OFDM) - carries waves in various channels (think cable tv)

73
Q

Modulation type: DSSS

A

Direct-Sequence Spread Spectrum (DSSS) - Combines all available waveforms into a single purpose.

74
Q

802.11 Series

A

Defines the standards for wireless networks

75
Q

DNS Record Type: SRV

A

Service - this record defines the hostname and port number of servers providing specific services, such as a Directory Services server.

76
Q

DNS Record Type: SOA

A

Start of Authority - This record identifies the primary name server for the zone. The SOA record contains the hostname of the server responsible for all DNS records within the namespace, as well as the basic properties of the domain.

77
Q

DNS Record Type: PTR

A

Pointer - This maps an IP address to a hostname (providing for reverse DNS lookups). Usually associated with e-mail server records.

78
Q

DNS Record Type: NS

A

Name Server - This record defines the name servers within your namespace. These servers are the ones that respond to your clients’ request for name resolution

79
Q

DNS Record Type: MX

A

Mail Exchange - This record identifies your email servers within your domain.

80
Q

DNS Record Type: CNAME

A

Canonical Name - This record provides for domain name aliases within your zone. For example, you may have an FTP service and a web service running on the same IP address. CNAME records could be used to list both within DNS for you.

81
Q

DNS Record Type: A

A

Address - This record maps an IP address to a hostname and is used most often for DNS lookups.

82
Q

802.15.1

A

Bluetooth Standards

83
Q

802.15.4

A

Zigbee - Low power, low data rate, close proximity ad-hoc networks

84
Q

802.16

A

WiMAX - broadband wireless metropolitan area networks. 40 Mbps

85
Q

Wireless Standard - 802.11a

A

Mbps: 54. Frequency: 5 GHz. Modulation Type: OFDM

86
Q

Wireless Standard - 802.11b

A

Mbps: 11. Frequency: 2.4 GHz. Modulation Type: DSSS

87
Q

Wireless Standard - 802.11d

A

Mbps: Variation of a & b. Frequency: Global Use

88
Q

Wireless Standard - 802.11e

A

Mbps: QoS Initiative. Frequency: Data and Voice

89
Q

Wireless Standard - 802.11g

A

Mbps: 54. Frequency: 2.4 GHz. Modulation Type: OFDM and DSSS

90
Q

Wireless Standard - 802.11i

A

Mbps: WPA/WPA2 Encryption

91
Q

Wireless Standard - 802.11n

A

Mbps: 100+. Frequency: 2.4 - 5 GHz. Modulation Type: OFDM

92
Q

Wireless Standard - 802.11ac

A

Mbps: 1000. Frequency: 5 GHz. Modulation Type: QAM

93
Q

Orthogonal Frequency-Division Multiplexing (OFDM)

A

Carries waves in various channels

94
Q

Direct-Sequence Spread Spectrum (DSSS)

A

Combines all available waveforms into a single purpose.

95
Q

Basic Service Set Identifier (BSSID)

A

MAC address of wireless access point.

96
Q

Three types of Authentication are:

A

Open System - No authentication; Shared Key Authentication - authentication through a shared key (password); Centralized Authentication - authentication through something like RADIUS

97
Q

Association vs Authentication

A

Association is the act of connecting; Authentication is the act of identifying the client.

98
Q

Spectrum Analyzer

A

Verifies wireless quality, detects rogue access points and detects attacks

99
Q

Directional Antenna

A

Signals in one direction; Yagi antenna is a type

100
Q

Omnidirectional Antenna

A

Signals in all directions

101
Q

WEP

A

Wired Equivalent Privacy - Encryption: RC4. IV Size: 24 bits. Key Length: 40/104. Integrity Check: CRC-32

102
Q

WPA

A

Wi-Fi Protected Access - Encryption: RC4 + TKIP. IV Size: 48 bits. Key Length: 128 bits. Integrity Check: Michael/CRC-32

103
Q

WPA2

A

Encryption: AES-CCMP. IV Size: 48 bits. Key Length: 128 bits. Integrity Check: CBC-MAC (CCMP)

104
Q

WPA2 Enterprise vs WPA2 Personal

A

Enterprise: Can tie an EAP or RADIUS server into authentication. Personal: Uses a pre-shared key to authenticate.

105
Q

Message Integrity Code (MIC)

A

Hashes for CCMP to protect integrity.

106
Q

Cipher Block Chaining Message Authentication Code (CBC-MAC)

A

Integrity process of WPA2

107
Q

WIGLE

A

Tool for network discovery that can map for wireless networks

108
Q

NetStumbler

A

Tool for network discovery

109
Q

Kismet

A

Wireless packet analyzer/sniffer that can be used for discovery. Works passively and can detect access points.

110
Q

NetSurveyor

A

Tool for Windows that does network discovery

111
Q

pcap vs libcap

A

pcap - driver library for Windows; libcap - driver library for Linux

112
Q

Rogue Access point

A

Places an access point controlled by an attacker

113
Q

Evil Twin

A

Rogue AP with a SSID similar to the name of a popular network

114
Q

Honeyspot

A

Faking a well-known hotspot with a rogue AP

115
Q

Ad Hoc Connection Attack

A

Connecting directly to another phone via ad-hoc network. User must accept connection

116
Q

Aircrack-ng

A

Sniffer, detector, traffic analysis tool and password cracker. Uses Dictionary attacks for WPA and WPA2.

117
Q

Cain & Abel

A

Sniffs packets and cracks passwords. Relies on Statistical measures and the PTW technique to break WEP

118
Q

KisMAC

A

MacOS tool to brute force WEP or WPA passwords

119
Q

KRACK

A

Key Installation Attack (KRACK) - Method for cracking WPA. Replay attack that uses third handshake of another device’s session.

120
Q

OmniPeek

A

Provides data like Wireshark in addition to network activity and monitoring.

121
Q

AirMagnet WiFi Analyzer Pro

A

Sniffer, traffic analyzer and network-auditing suite

122
Q

WiFi Pilot

A

Wireless sniffer