Chapter 6 - Web-Based Hacking: Servers & Apps Flashcards

Question

Http request: GET

Answer 1

retrieves whatever information is in the URL; sending data is done in URL

Answer 2

identical to get except for no body in return

Answer 3

sends data ia body - data not shown in URL or in history

Answer 4

Requests data be stored at the URL

Answer 5

Requests origin server delete resource

Answer 6

Requests application layer loopback of message

Answer 7

Reserved for use with proxy (Post and Get can be manipulated by proxy)

Answer 8

Informational - request received, continuing

Answer 9

Success - Action received, understood and accepted

Answer 10

Redirection - Further action must be taken

Answer 11

Client Error - Request contains bad syntax or cannot be fulfilled

Answer 12

Server Error.- server failed to fulfill an apparently valid request

Answer 13

Uses recursive DNS to DoS a target; Amplifies DNS answers to target until it can't do anything.

Answer 14

requests file that should not e accessible from web server. Example: http://www.example.com/etc/passwd

Answer 15

Manipulating parameters within URL to achieve escalation or other changes.

Answer 16

Modifying hidden form fields producting unintended results (Example: Look at source code and change price of item to $0.00

Answer 17

Replacing the cache on a box with a malicious version of it

Answer 18

Same as before - improper configuration of a web server

Answer 19

Attempting to crack passwords related to web resources

Answer 20

Injection attack that uses semicolons to take advantage of databases that use this separation method.

Answer 21

Simply modifying a web page to say something else

Answer 22

Tool for attacking web server. Brute force passwords of HTTP

Answer 23

Network login cracker

Answer 24

Microsoft tool that allows you to craft HTTP requests ot see response data (BURP does this too)

Answer 25

Causes Bash to unintentionally execute commands when commands are concatenated on the end of function definitions.

Answer 26

WebScarab, HTTPPrint, BurpSuite

Answer 27

Dynamic web application; have a larger attack surface due to simultaneous communication

Answer 28

Attacker injects a pointer in a web form to an exploit hosted elsewhere

Answer 29

Attacker gains shell access using Java or similar

Answer 30

Exploits applications that construct LDAP statements. Format is )(&)

Answer 31

Simple Object Access Protocol - Can inject query strings in order to bypass authentication. Uses XML to format info. Compatible with HTTP and SMTP. Messages are typically "one way" in nature.

Answer 32

Attempts to write data into an application's buffer area to overwrite adjacent memory, execute code or crash a system

Answer 33

Used to monitor for buffer overflow attacks. Placed between buffer and control data.

Answer 34

Secure coding techniques, Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP)

Answer 35

Inputting JavaScript into a web form that alters what the page does. Can be passed via URL: www.google.com/. Can access cookies and send to remote host.

Answer 36

Stores the XSS in a forum or comment field of some sort for multiple people to access.

Answer 37

Forces an end user to execute unwanted actions on an app they're already authenticated on. Inherits identity and privileges of victim to perform an undesired function on victim's behalf. Captures session and sends a request based off logged in user's credentials.

Answer 38

Attacker logs into a legitimate site and pulls a session ID; sends link with session ID to victim. Once victim logs in, attacker can now log in and run with user's credentials.

Answer 39

Tells the server if 1=1 (always true) to allow login. The Double-Dash (-) tells server to ignore rest of the query (usually the password)

Answer 40

Inputting random data into a target in order to see what will happen.

Answer 41

using always true statements to test SQL

Answer 42

Uses same communication channel to perform attack. Most common, used with UNION statements.

Answer 43

Contrary to in-band, this type of SQL injection uses different communication channels for the attack and results. It's also more difficult to do.

Answer 44

Occurs when attacker knows the database is susceptible to injection, but error messages and screen returns don’t come back to attacker.

Answer 45

Sqlmap, sqlninja, Havij, SQLBrute, Pangolin, SQLExec, Absinthe, BobCat

Answer 46

adds header response data to an input field so server splits the response.

Answer 47

Input scrubing for injection, SQL parameterized queries, patching servers, turning off unnecessary services, ports, and protocols.

Answer 48

Orthogonal Frequency-Division Multiplexing (OFDM) - carries waves in various channels (think cable tv)

Answer 49

Direct-Sequence Spread Spectrum (DSSS) - Combines all available waveforms into a single purpose.

Answer 50

Defines the standards for wireless networks

Answer 51

Service - this record defines the hostname and port number of servers providing specific services, such as a Directory Services server.

Answer 52

Start of Authority - This record identifies the primary name server for the zone. The SOA record contains the hostname of the server responsible for all DNS records within the namespace, as well as the basic properties of the domain.

Answer 53

Pointer - This maps an IP address to a hostname (providing for reverse DNS lookups). Usually associated with e-mail server records.

Answer 54

Name Server - This record defines the name servers within your namespace. These servers are the ones that respond to your clients' request for name resolution

Answer 55

Mail Exchange - This record identifies your email servers within your domain.

Answer 56

Canonical Name - This record provides for domain name aliases within your zone. For example, you may have an FTP service and a web service running on the same IP address. CNAME records could be used to list both within DNS for you.

Answer 57

Address - This record maps an IP address to a hostname and is used most often for DNS lookups.

Answer 58

Bluetooth Standards

Answer 59

Zigbee - Low power, low data rate, close proximity ad-hoc networks

Answer 60

WiMAX - broadband wireless metropolitan area networks. 40 Mbps

Answer 61

Mbps - 54 Frequency - 5 GHz Modulation Type: OFDM

Answer 62

Mbps - 11 Frequency - 2.4 GHz Modulation Type: DSSS

Answer 63

Mbps - Variation of a & b. Frequency - Global Use

Answer 64

Mbps - QoS Initiative Frequency - Data and Voice

Answer 65

Mbps - 54 Frequency - 2.4 GHz. Modulation Type: OFDM and DSSS

Answer 66

Mbps - WPA/WPA2 Encryption

Answer 67

Mbps - 100+ Frequency: 2.4 - 5. Modulation Type: OFDM

Answer 68

Mbps - 1000 Frequency: 5 GHz Modulation Type: QAM

Answer 69

Carries waves in various channels

Answer 70

Combines all available waveforms into a single purpose.

Answer 71

MAC address of wireless access point.

Answer 72

Open System - No authentication Shared Key Authentication - authentication through shared key (pw) Centralized Authentication - Authentication through something like RADIUS

Answer 73

Association is the act of connecting; Authentication is the act of identifying the client.

Answer 74

Verifies wireless quality, detects rogue access points and detects attacks

Answer 75

Signals in one direction; Yagi antenna is a type

Answer 76

Signals in all directions

Answer 77

Wired Equivalent Privacy - Encryption: RC4. IV Size: 24 bits. Key Length: 40/104. Integrity Check: CRC-32

Answer 78

Wi-Fi Protected Access - Encryption: RC4 + TKIP IV Size: 48 bits. Key Length: 128 bits. Integrity Check: Michael/CRC-32

Answer 79

Encryption: AES-CCMP IV Size: 48 bits Key Length: 128-bits Integrity Check: CBC-MAC (CCMP)

Answer 80

Enterprise: Can tie an EAP or RADIUS server into authentication. Personal: Uses a pre-shared key to authenticate.

Answer 81

Hashes for CCMP to protect integrity.

Answer 82

Integrity process of WPA2

Answer 83

Tool for network discovery that can map for wireless networks

Answer 84

Tool for network discovery

Answer 85

Wireless packet analyzer/sniffer that can be used for discovery. Works passively and can detect access points.

Answer 86

Tool for Windows that does network discovery

Answer 87

pcap - driver library for Windows libcap - Drivery library for Linux

Answer 88

Places an access point controlled by an attacker

Answer 89

Rogue AP with a SSID similar to the name of a popular network

Answer 90

Fakinga well known hotspot with a rogue AP

Answer 91

Connecting directly to another phone via ad-hoc network. User must accept connection

Answer 92

Sniffer, detector, traffic analysis tool and password cracker. Uses Dictionary attacks for WPA and WPA2.

Answer 93

Sniffs packets and cracks passwords. Relies on Statistical measures and the PTW technique to break WEP

Answer 94

MacOS tool to brute force WEP or WPA passwords

Answer 95

Key Installation Attack (KRACK) - Method for cracking WPA. Replay attack that uses third handshake of another device's session.

Answer 96

Provides data like Wireshark in addition to network activity and monitoring.

Answer 97

Sniffer, traffic analyzer and network-auditing suite

Answer 98

Wireless sniffer