Chapter 6 - Web-Based Hacking: Servers & Apps

Question 1

IETF

Answer 1

Internet Engineering Task Force - Creates engineering documents to help make the internet work better

Question 2

W3C

Answer 2

World Wide Web Consortium - A standards-developing community

Question 3

OWASP

Answer 3

Open Web Application Security Project - Organization focused on improving the security of software.

Question 4

Web Server attack Methodology

Answer 4

Information Gathering (Whois), Footprinting (banner grab), Website mirroring, Vulnerability Scanning, Session Hijacking, Password Cracking

Question 5

Banner Grab

Answer 5

Method for web server footprinting

Question 6

Netcraft

Answer 6

Web server footprinting tool

Question 7

HTTPRecon

Answer 7

Web server footprinting tool

Question 8

ID Serve

Answer 8

Web server footprinting tool

Question 9

nmap

Answer 9

Powerful footprinting tool

Question 10

nmap -script http-trace -p80 localhost.

Answer 10

Detects vulnerable TRACE method

Question 11

nmap -script http-google-email

Answer 11

Lists email addresses

Question 12

nmap -script hostmap-*

Answer 12

Discovers virtual hosts on the IP address you are tryingto footprint; * is replaced by online database

Question 13

nmap -script http-enum -p80

Answer 13

enumerates common web apps

Question 14

nmap -p80 -script http-robots.txt

Answer 14

Grabs the robots.txt file

Question 15

Nikto

Answer 15

Vulnerability scanner specifically suited for web servers

Question 16

Wget

Answer 16

Website mirroring tool

Question 17

Black Widow

Answer 17

Website mirroring tool

Question 18

HTTrack

Answer 18

Website mirroring tool

Question 19

WebCopier Pro

Answer 19

Website mirroring tool

Question 20

Web Ripper

Answer 20

Website mirroring tool

Question 21

SurfOffline

Answer 21

Website mirroring tool

Question 22

HTTPrint

Answer 22

Website mirroring tool

Question 23

What is N-Tier Architecture?

Answer 23

Distributes processes across multiple servers; normally as three tier: Presentation (web), logic (application), and data (database)

Question 24

What is WebGoat

Answer 24

Project maintained by OWASP which is an insecure web app meant to be tested.

Question 25

Http request: GET

Answer 25

retrieves whatever information is in the URL; sending data is done in URL

Question 26

Http Request: HEAD

Answer 26

identical to get except for no body in return

Question 27

Http Request: POST

Answer 27

sends data ia body - data not shown in URL or in history

Question 28

Http Request: PUT

Answer 28

Requests data be stored at the URL

Question 29

Http Request: DELETE

Answer 29

Requests origin server delete resource

Question 30

Http Request: TRACE

Answer 30

Requests application layer loopback of message

Question 31

Http Request: CONNECT

Answer 31

Reserved for use with proxy (Post and Get can be manipulated by proxy)

Question 32

HTTP Error: 1xx

Answer 32

Informational - request received, continuing

Question 33

HTTP Error: 2xx

Answer 33

Success - Action received, understood and accepted

Question 34

HTTP Error: 3xx

Answer 34

Redirection - Further action must be taken

Question 35

HTTP Error 4xx

Answer 35

Client Error - Request contains bad syntax or cannot be fulfilled

Question 36

HTTP Error 5xx

Answer 36

Server Error.- server failed to fulfill an apparently valid request

Question 37

Web Server Attack: DNS Amplification

Answer 37

Uses recursive DNS to DoS a target; Amplifies DNS answers to target until it can’t do anything.

Question 38

Web Server Attack: Directory Transversal

Answer 38

requests file that should not e accessible from web server. Example: http://www.example.com/etc/passwd

Question 39

Web Server Attack: Parameter Tampering (URL Tampering)

Answer 39

Manipulating parameters within URL to achieve escalation or other changes.

Question 40

Web Server Attack: Hidden Field Tampering

Answer 40

Modifying hidden form fields producting unintended results (Example: Look at source code and change price of item to $0.00

Question 41

Web Server Attack: Web Cache Poisoning

Answer 41

Replacing the cache on a box with a malicious version of it

Question 42

Web Server Attack: Misconfiguration Attack

Answer 42

Same as before - improper configuration of a web server

Question 43

Web Server Attack: Password Attack

Answer 43

Attempting to crack passwords related to web resources

Question 44

Web Server Attack: Connection String Parameter Pollution

Answer 44

Injection attack that uses semicolons to take advantage of databases that use this separation method.

Question 45

Web Server Attack: Web Defacement

Answer 45

Simply modifying a web page to say something else

Question 46

Brutus

Answer 46

Tool for attacking web server. Brute force passwords of HTTP

Question 47

Hydra

Answer 47

Network login cracker

Question 48

WFETCH

Answer 48

Microsoft tool that allows you to craft HTTP requests ot see response data (BURP does this too)

Question 49

Shellshock

Answer 49

Causes Bash to unintentionally execute commands when commands are concatenated on the end of function definitions.

Question 50

Web App Attacks - Tools for identifying entry points

Answer 50

WebScarab, HTTPPrint, BurpSuite

Question 51

What is “Web 2.0”

Answer 51

Dynamic web application; have a larger attack surface due to simultaneous communication

Question 52

Web App Attack: File Injection

Answer 52

Attacker injects a pointer in a web form to an exploit hosted elsewhere

Question 53

Web App Attack: Command Injection

Answer 53

Attacker gains shell access using Java or similar

Question 54

Web App Attack: LDAP Injection

Answer 54

Exploits applications that construct LDAP statements. Format is )(&)

Question 55

Web App Attack: SOAP Injection

Answer 55

Simple Object Access Protocol - Can inject query strings in order to bypass authentication. Uses XML to format info. Compatible with HTTP and SMTP. Messages are typically “one way” in nature.

Question 56

Buffer Overflow (Smashing the Stack)

Answer 56

Attempts to write data into an application’s buffer area to overwrite adjacent memory, execute code or crash a system

Question 57

What is a canarie?

Answer 57

Used to monitor for buffer overflow attacks. Placed between buffer and control data.

Question 58

Ways to prevent buffer overflow

Answer 58

Secure coding techniques, Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP)

Question 59

Cross-Site Scritping (XSS)

Answer 59

Inputting JavaScript into a web form that alters what the page does. Can be passed via URL: www.google.com/. Can access cookies and send to remote host.

Question 60

Stored XSS (Persistent)

Answer 60

Stores the XSS in a forum or comment field of some sort for multiple people to access.

Question 61

Cross-Site Request Forgery (CSRF)

Answer 61

Forces an end user to execute unwanted actions on an app they’re already authenticated on. Inherits identity and privileges of victim to perform an undesired function on victim’s behalf. Captures session and sends a request based off logged in user’s credentials.

Question 62

Session Fixation

Answer 62

Attacker logs into a legitimate site and pulls a session ID; sends link with session ID to victim. Once victim logs in, attacker can now log in and run with user’s credentials.

Question 63

What does the following expression accomplish: ‘OR 1=1 –

Answer 63

Tells the server if 1=1 (always true) to allow login. The Double-Dash (-) tells server to ignore rest of the query (usually the password)

Question 64

Fuzzing

Answer 64

Inputting random data into a target in order to see what will happen.

Question 65

Tautology

Answer 65

using always true statements to test SQL

Question 66

In-band SQL injection

Answer 66

Uses same communication channel to perform attack. Most common, used with UNION statements.

Question 67

Out-of-Band SQL Injection

Answer 67

Contrary to in-band, this type of SQL injection uses different communication channels for the attack and results. It’s also more difficult to do.

Question 68

Blind SQL Injection (inferrential)

Answer 68

Occurs when attacker knows the database is susceptible to injection, but error messages and screen returns don’t come back to attacker.

Question 69

SQL Injection Tools

Answer 69

Sqlmap, sqlninja, Havij, SQLBrute, Pangolin, SQLExec, Absinthe, BobCat

Question 70

HTTP Response Splitting

Answer 70

adds header response data to an input field so server splits the response.

Question 71

Countermeasure for web app attacks

Answer 71

Input scrubing for injection, SQL parameterized queries, patching servers, turning off unnecessary services, ports, and protocols.

Question 72

Modulation type: OFDM

Answer 72

Orthogonal Frequency-Division Multiplexing (OFDM) - carries waves in various channels (think cable tv)

Question 73

Modulation type: DSSS

Answer 73

Direct-Sequence Spread Spectrum (DSSS) - Combines all available waveforms into a single purpose.

Question 74

802.11 Series

Answer 74

Defines the standards for wireless networks

Question 75

DNS Record Type: SRV

Answer 75

Service - this record defines the hostname and port number of servers providing specific services, such as a Directory Services server.

Question 76

DNS Record Type: SOA

Answer 76

Start of Authority - This record identifies the primary name server for the zone. The SOA record contains the hostname of the server responsible for all DNS records within the namespace, as well as the basic properties of the domain.

Question 77

DNS Record Type: PTR

Answer 77

Pointer - This maps an IP address to a hostname (providing for reverse DNS lookups). Usually associated with e-mail server records.

Question 78

DNS Record Type: NS

Answer 78

Name Server - This record defines the name servers within your namespace. These servers are the ones that respond to your clients’ request for name resolution

Question 79

DNS Record Type: MX

Answer 79

Mail Exchange - This record identifies your email servers within your domain.

Question 80

DNS Record Type: CNAME

Answer 80

Canonical Name - This record provides for domain name aliases within your zone. For example, you may have an FTP service and a web service running on the same IP address. CNAME records could be used to list both within DNS for you.

Question 81

DNS Record Type: A

Answer 81

Address - This record maps an IP address to a hostname and is used most often for DNS lookups.

Question 82

802.15.1

Answer 82

Bluetooth Standards

Question 83

802.15.4

Answer 83

Zigbee - Low power, low data rate, close proximity ad-hoc networks

Question 84

802.16

Answer 84

WiMAX - broadband wireless metropolitan area networks. 40 Mbps

Question 85

Wireless Standard - 802.11a

Answer 85

Mbps - 54 Frequency - 5 GHz Modulation Type: OFDM

Question 86

Wireless Standard - 802.11b

Answer 86

Mbps - 11 Frequency - 2.4 GHz Modulation Type: DSSS

Question 87

Wireless Standard - 802.11d

Answer 87

Mbps - Variation of a & b. Frequency - Global Use

Question 88

Wireless Standard - 802.11e

Answer 88

Mbps - QoS Initiative Frequency - Data and Voice

Question 89

Wireless Standard - 802.11g

Answer 89

Mbps - 54 Frequency - 2.4 GHz. Modulation Type: OFDM and DSSS

Question 90

Wireless Standard - 802.11i

Answer 90

Mbps - WPA/WPA2 Encryption

Question 91

Wireless Standard - 802.11n

Answer 91

Mbps - 100+ Frequency: 2.4 - 5. Modulation Type: OFDM

Question 92

Wireless Standard - 802.11ac

Answer 92

Mbps - 1000 Frequency: 5 GHz Modulation Type: QAM

Question 93

Orthogonal Frequency - Division Multiplexing (OFDM)

Answer 93

Carries waves in various channels

Question 94

Direct-Sequence Spread Spectrum (DSSS)

Answer 94

Combines all available waveforms into a single purpose.

Question 95

Basic Service Set Identifier (BSSID)

Answer 95

MAC address of wireless access point.

Question 96

Three types of Authentication are:

Answer 96

Open System - No authentication Shared Key Authentication - authentication through shared key (pw) Centralized Authentication - Authentication through something like RADIUS

Question 97

Assocation vs Authentication

Answer 97

Association is the act of connecting; Authentication is the act of identifying the client.

Question 98

Spectrum Analyzer

Answer 98

Verifies wireless quality, detects rogue access points and detects attacks

Question 99

Directional Antenna

Answer 99

Signals in one direction; Yagi antenna is a type

Question 100

Omnidirectional Antenna

Answer 100

Signals in all directions

Question 101

WEP

Answer 101

Wired Equivalent Privacy - Encryption: RC4. IV Size: 24 bits. Key Length: 40/104. Integrity Check: CRC-32

Question 102

WPA

Answer 102

Wi-Fi Protected Access - Encryption: RC4 + TKIP IV Size: 48 bits. Key Length: 128 bits. Integrity Check: Michael/CRC-32

Question 103

WPA2

Answer 103

Encryption: AES-CCMP IV Size: 48 bits Key Length: 128-bits Integrity Check: CBC-MAC (CCMP)

Question 104

WPA2 Enterprise vs WPA2 Personal

Answer 104

Enterprise: Can tie an EAP or RADIUS server into authentication. Personal: Uses a pre-shared key to authenticate.

Question 105

Message Integrity Code (MIC)

Answer 105

Hashes for CCMP to protect integrity.

Question 106

Cipher Block Chaining Message Authentication Code (CBC-MAC)

Answer 106

Integrity process of WPA2

Question 107

WIGLE

Answer 107

Tool for network discovery that can map for wireless networks

Question 108

NetStumbler

Answer 108

Tool for network discovery

Question 109

Kismet

Answer 109

Wireless packet analyzer/sniffer that can be used for discovery. Works passively and can detect access points.

Question 110

NetSurveyor

Answer 110

Tool for Windows that does network discovery

Question 111

pcap vs libcap

Answer 111

pcap - driver library for Windows libcap - Drivery library for Linux

Question 112

Rogue Access point

Answer 112

Places an access point controlled by an attacker

Question 113

Evil Twin

Answer 113

Rogue AP with a SSID similar to the name of a popular network

Question 114

Honeyspot

Answer 114

Fakinga well known hotspot with a rogue AP

Question 115

Ad Hoc Connection Attack

Answer 115

Connecting directly to another phone via ad-hoc network. User must accept connection

Question 116

Aircrack-ng

Answer 116

Sniffer, detector, traffic analysis tool and password cracker. Uses Dictionary attacks for WPA and WPA2.

Question 117

Cain & Abel

Answer 117

Sniffs packets and cracks passwords. Relies on Statistical measures and the PTW technique to break WEP

Question 118

KisMAC

Answer 118

MacOS tool to brute force WEP or WPA passwords

Question 119

KRACK

Answer 119

Key Installation Attack (KRACK) - Method for cracking WPA. Replay attack that uses third handshake of another device’s session.

Question 120

OmniPeek

Answer 120

Provides data like Wireshark in addition to network activity and monitoring.

Question 121

AirMagnet WiFi Analyzer Pro

Answer 121

Sniffer, traffic analyzer and network-auditing suite

Question 122

WiFi Pilot

Answer 122

Wireless sniffer