Chapter 7 - System hacking Flashcards

1
Q

What are the three times that are typically stored as part of file metadata?
A. Moves, adds, changes
B. Modified, accessed, deleted
C. Moved, accessed, changed
D. Modified, accessed, created

A

D.

There are three date and time stamps commonly kept in file metadata, usually called MAC times: when the file was last modified, when it was last accessed, and when it was created. Accessed is not the same as modified, since accessing a file can be read-only: you might open a file expecting to modify it and never make the change, but the access time still updates. Two caveats for anyone relying on these stamps: access time is the least trustworthy of the three, because many Linux systems mount filesystems with noatime or relatime and update it only occasionally; and on POSIX systems the third stamp that stat reports is ctime, the inode change time, rather than a creation time, while NTFS records a true creation time. Moves, adds, and changes are sometimes also abbreviated MAC, but those are not file times.

2
Q

What is it called when you obtain administrative privileges from a normal user account?
A. Privilege escalation
B. Account migration
C. Privilege migration
D. Account escalation

A

A.

Account migration, privilege migration, and account escalation are vague terms without clearly defined meanings, even if you may run across them. Privilege escalation is the established term for gaining elevated privileges when you start with only the permissions of a normal user, whether through a local vulnerability, a misconfiguration, or credentials found on the system.

3
Q

What does John the Ripper’s single crack mode, the default mode, do?

A. Checks every possible password
B. Uses known information and mangling rules
C. Uses a built-in wordlist
D. Uses wordlist and mangling rules

A

B.

Incremental mode runs an attack in which John generates and tries every possible password within specified parameters (character set and length), meaning John itself produces the candidates. Single crack mode, which John runs first when no mode is specified, uses information from the account itself, such as the login name, the GECOS/full-name fields, and the home directory name, and applies mangling rules to those words to generate candidates. Incremental mode does not use wordlists, though John's wordlist mode does, with or without rules.
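To make the single-crack idea concrete, here is an added example (not John the Ripper's code and not part of the original flashcards): a toy that builds candidates from a passwd-style record and a small, hypothetical subset of mangling rules, then checks them against constructed unsalted SHA-256 digests. Real John targets crypt(3), NTLM and many other formats and has a far richer rule language; the point is only where the candidates come from.

```python
"""Toy model of John the Ripper's single-crack mode (added example, not John's
code): candidates come from the account's own data (login, GECOS name fields,
home directory) plus mangling rules, not from a wordlist. The rule subset and
the unsalted SHA-256 "hashes" below are hypothetical; real John targets
crypt(3), NTLM and friends, and its rule language is far richer.
"""
import hashlib
import itertools


def sha256_hex(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()


def seed_words(login: str, gecos: str, home: str) -> list:
    """Words single mode would take from the passwd entry itself."""
    words = {login.lower()}
    for part in gecos.replace(",", " ").split():   # GECOS: "Full Name,room,phone,..."
        words.add(part.lower())
    base = home.rstrip("/").rsplit("/", 1)[-1]
    if base:
        words.add(base.lower())
    return sorted(words)


def mangle(word: str):
    """A small, hypothetical subset of John-style mangling rules."""
    yield word
    yield word.capitalize()
    yield word.upper()
    yield word[::-1]
    yield word * 2
    for d in "0123456789":
        yield word + d
        yield word.capitalize() + d
    for year in ("2023", "2024"):
        yield word + year
    yield word.capitalize() + "!"
    yield word.translate(str.maketrans("aeios", "43105"))


def candidates(login: str, gecos: str, home: str):
    seen = set()
    seeds = seed_words(login, gecos, home)
    for w in seeds:
        for c in mangle(w):
            if c not in seen:
                seen.add(c)
                yield c
    # Pair the seed words (first name + last name, etc.), as single mode does.
    for a, b in itertools.permutations(seeds, 2):
        for c in (a + b, a.capitalize() + b.capitalize(), a + "." + b):
            if c not in seen:
                seen.add(c)
                yield c


def single_crack(login: str, gecos: str, home: str, targets: dict) -> dict:
    """targets: label -> hex digest. Returns label -> recovered password."""
    want = {digest: label for label, digest in targets.items()}
    found = {}
    for c in candidates(login, gecos, home):
        digest = sha256_hex(c)
        if digest in want:
            found[want[digest]] = c
            if len(found) == len(targets):
                break
    return found


# Constructed sample: one passwd-style account and four hashes to recover.
LOGIN, GECOS, HOME = "jsmith", "John Smith,,,", "/home/jsmith"
SAMPLE_HASHES = {
    "web": sha256_hex("Jsmith1"),
    "db": sha256_hex("smith2024"),
    "vpn": sha256_hex("JohnSmith"),
    "mail": sha256_hex("correct horse battery"),   # not derivable from account data
}


def demo() -> dict:
    return single_crack(LOGIN, GECOS, HOME, SAMPLE_HASHES)


if __name__ == "__main__":
    print(demo())
```

Three of the four constructed hashes fall to account-derived candidates; the fourth needs a wordlist or incremental mode, which is exactly the hand-off John makes when single mode runs out.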

4
Q

What is the trade-off for using rainbow tables?
A. Disk space prioritized over speed
B. Accuracy prioritized over disk space
C. Speed prioritized over accuracy
D. Speed prioritized over disk space

A

D. Rainbow tables use precomputed hash chains that map back to plaintext passwords in order to speed up recovering passwords from stored hashes. They are very expensive in disk space, since the chain start and end points for the whole password space must be stored, and generating them costs at least as much CPU up front as a brute-force run; that cost is paid once and amortized over every hash cracked afterwards. Accuracy is neither sacrificed nor prioritized, although coverage of the password space is probabilistic rather than complete. You give up disk space to get faster cracking times. Two practical limits: a salted hash defeats precomputation entirely, because a separate table would be needed for every salt value, and a table covers only the hash algorithm, character set and length range it was generated for.

5
Q

Which of these is a reason to use an exploit against a local vulnerability?
A. Pivoting
B. Log manipulation
C. Privilege escalation
D. Password collection

A

C. Local vulnerabilities are in applications that are not listening on the network, so they require you to be “local” to the machine rather than remote; in other words, you already have to be logged in somehow. A local vulnerability would not be used to collect passwords; you don’t need a vulnerability to do that. Similarly, you don’t need to exploit a vulnerability to manipulate logs or to pivot. Most of those tasks do require elevated permissions, though, and a local vulnerability (in a setuid binary, a kernel, or a privileged service, for example) may be exploited to get you those elevated permissions.

6
Q

What is it called when you manipulate the time stamps on files?
A. Time stamping
B. Timestomping
C. Meta stomping
D. Meta manipulation

A

B. Manipulating time stamps on files is called timestomping. It sets file times to values the attacker chooses, typically so a dropped file blends in with its neighbours and investigators who sort by time, or who rely on file times to date an intrusion, are thrown off. Two checks survive it: on Linux the ctime cannot be set through utime(), so a stomped file usually shows a ctime newer than its mtime, and on NTFS the $FILE_NAME attribute keeps its own set of timestamps that the usual stomping tools do not update. None of the other answers is a real term.
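The following is an added example, not part of the original flashcards: it reads the three MAC times from the first card, stomps a file's access and modification times the way the sixth card describes, and applies the ctime check. The file and its contents are constructed for the demo; it runs as-is on Linux and macOS (on Windows, st_ctime is the creation time, which is also newer than the forged dates).

```python
"""Added example (not from the original flashcards): read MAC times, timestomp
a file, and show the detection check that survives it. The file and its
contents are constructed for the demo.
"""
import os
import tempfile
from datetime import datetime, timezone


def mac_times(path: str) -> dict:
    """Modified, Accessed and (on POSIX) inode Changed times, as epoch seconds."""
    st = os.stat(path)
    return {"modified": st.st_mtime, "accessed": st.st_atime, "changed": st.st_ctime}


def timestomp(path: str, when: float) -> dict:
    """Set atime and mtime to `when`, like `touch -d` or a timestomping tool would.
    There is no portable API to set ctime: the kernel sets it to *now* because
    utime() itself is an inode change. That asymmetry is the detection hook."""
    os.utime(path, (when, when))
    return mac_times(path)


def stomped_file_looks_wrong(times: dict, slack: float = 3600) -> bool:
    """ctime at or before mtime is normal; ctime far newer than mtime on a file
    that claims not to have been touched in years is suspicious."""
    return times["changed"] > times["modified"] + slack


def demo() -> dict:
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "dropper.bin")
        with open(path, "wb") as f:
            f.write(b"\x90" * 16)          # constructed content
        before = mac_times(path)
        fake = datetime(2001, 1, 1, tzinfo=timezone.utc).timestamp()
        after = timestomp(path, fake)
        return {
            "before": before,
            "after": after,
            "fake": fake,
            "flagged_before": stomped_file_looks_wrong(before),
            "flagged_after": stomped_file_looks_wrong(after),
        }


if __name__ == "__main__":
    r = demo()
    for k in ("before", "after"):
        print(k, {n: datetime.fromtimestamp(t, timezone.utc).isoformat()
                  for n, t in r[k].items()})
    print("flagged after stomp:", r["flagged_after"])
```

Sorting the directory by mtime would now place the file in 2001; sorting by ctime puts it back at the moment of the stomp, which is why forensic timelines carry all of the stamps rather than just one.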

7
Q

What would an attacker use an alternate data stream on a Windows system for?
A. Hiding files
B. Running programs
C. Storing PowerShell scripts
D. Blocking files

A

A.

Alternate data streams are a feature of the New Technology File System (NTFS), originally added so Windows NT could store the resource forks of files served to Apple Macintosh clients. Many Windows utilities and programs don’t understand alternate data streams, so they neither use them nor show them, which makes a stream a convenient place to hide data behind an innocuous-looking file. The content is still accessible to anyone who knows how to address it (file.txt:streamname) and can be listed with dir /R or with PowerShell’s Get-Item -Stream *, so “hidden” here means hidden from casual inspection, not from an investigator.

8
Q

Which of these techniques might be used to maintain access to a system?
A. Run key in the Windows Registry
B. Alternate data stream
C. .vimrc file on Linux
D. PowerShell

A

A.

You may use a PowerShell script to perform functions that support persistence on a system, but a PowerShell script alone won’t maintain access. An alternate data stream is a place to hide data, not a mechanism that runs anything by itself, and a .vimrc file is the startup configuration file for the Vim editor. The Run key in the Windows Registry (HKCU\Software\Microsoft\Windows\CurrentVersion\Run for one user, or the same path under HKLM for all users) holds entries that run a program automatically at logon, so an attacker can plant an entry there to get access back even after a reboot.

9
Q

If you were looking for reliable exploits you could use against known vulnerabilities, what would you use?
A. Tor network
B. Meterpreter
C. msfvenom
D. Exploit-DB

A

D.

While the Tor network may be a place to obtain an exploit for a vulnerability, there is some question as to how reliable that exploit may be: content found there may be malicious, even when it arrives as source code. Meterpreter and msfvenom are components of Metasploit that have nothing to do with locating exploits. Exploit-DB is a website and repository of exploits that can be searched (online, or locally with searchsploit) to find an exploit targeting a specific, known vulnerability.

10
Q

What might an attacker be trying to do by using the clearev command in Meterpreter?
A. Run an exploit
B. Manipulate time stamps
C. Manipulate log files
D. Remote login

A

C. The clearev command is a Meterpreter command that clears the Windows Application, System, and Security event logs on the compromised host. While you may be able to manipulate time stamps and individual log entries from Meterpreter, you wouldn’t use clearev for that, and clearev does not let an attacker log in remotely. Clearing is itself noisy: Windows writes event ID 1102 to the Security log (and 104 to the System log) when a log is cleared, and any events already forwarded to a central collector are unaffected.

11
Q

You find after you get access to a system that you are the user www-data. What might you try to do shortly after getting access to the system?

A. Pivot to another network
B. Elevate privileges
C. Wipe logs
D. Exploit the web browser

A

B.

When the Apache web server runs on a Linux system, it will commonly run as the user www-data. This is a privilege-restricted account that would prevent an attacker from doing much on the system. To do anything, like wiping log files or pivoting to another network, you would need to elevate privileges to administrative/root level. Exploiting the web browser wouldn’t be done in this context. A web server more than likely wouldn’t even have a web browser installed.

12
Q

You’ve installed multiple files and processes on the compromised system. What should you also look at installing?
A. Registry keys
B. Alternate data streams
C. Rootkit
D. Root login

A

C.

Attackers often install extra files and run extra processes on systems. These could easily be spotted by manual investigation or, certainly, by automated detection tools. The way around that is to install a rootkit, which may include kernel-mode drivers or replacement system utilities that hide the existence of these files and processes from the tools an investigator would use. Alternate data streams can hide files but not processes. Registry keys hold configuration and persistence entries; they hide neither files nor processes.

13
Q

What does pivoting on a compromised system get you?
A. Database access
B. A route to extra networks
C. Higher level of privileges
D. Persistent access

A

B.

Pivoting is the process of using a compromised system to move onto other systems and networks within the target environment. Pivoting does not get you higher-level permissions or persistent access. You may ultimately get to a database server by pivoting, but that’s not what pivoting does or is specifically used for. It would be a nice side effect of pivoting.

14
Q

What would you use the program rtgen for?
A. Generating wordlists
B. Generating rainbow tables
C. Generating firewall rules
D. Persistent access

A

B. rtgen is part of the RainbowCrack suite, alongside rtsort and rcrack. rcrack cracks hashes using rainbow tables; rtgen generates those tables (you specify the hash algorithm, character set, length range, chain length and chain count), and rtsort must sort them before rcrack can use them. Rainbow tables are not wordlists but precomputed chains that map hashes back to plaintext passwords, which makes recovering a password from an unsalted hash much faster than computing the hashes on the fly.
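The following is an added example, not from the original flashcards and not RainbowCrack's code: a miniature rainbow table over a constructed space (unsalted MD5 of 4-digit PINs) that makes the disk-versus-time trade-off from card 4 and the rtgen/rtsort/rcrack division of labour from card 14 concrete. The reduction function is a hypothetical one; rtgen's is different but plays the same role.

```python
"""Added example (not from the original flashcards, and not RainbowCrack's
code): a miniature rainbow table over a toy password space. Unsalted MD5 over
4-digit PINs is the constructed space; the reduction function is hypothetical.
"""
import hashlib

SPACE = 10_000                       # 4-digit PINs


def H(pin: int) -> bytes:
    return hashlib.md5(f"{pin:04d}".encode()).digest()


def R(digest: bytes, pos: int) -> int:
    """Reduction: map a hash back into the password space. Using a different
    function per chain position is what makes it a *rainbow* table and keeps
    chains that collide at one position from merging completely."""
    return (int.from_bytes(digest[:8], "big") + pos) % SPACE


def build_table(num_chains: int, chain_len: int) -> dict:
    """The rtgen step: store only (start, end) per chain, never the middle."""
    table = {}                                  # endpoint -> [start pins]
    for start in range(num_chains):
        p = start % SPACE
        for pos in range(chain_len):
            p = R(H(p), pos)
        table.setdefault(p, []).append(start % SPACE)
    return table


def lookup(table: dict, chain_len: int, target: bytes):
    """The rcrack step: guess which position the target hash sits at, walk to
    the chain end, and on an endpoint hit regenerate that chain from its start."""
    for pos in range(chain_len - 1, -1, -1):
        p = R(target, pos)
        for j in range(pos + 1, chain_len):
            p = R(H(p), j)
        for start in table.get(p, []):
            q = start
            for j in range(chain_len):
                if H(q) == target:       # confirms the hit; rules out false alarms
                    return q
                q = R(H(q), j)
    return None


def stats(table: dict, chain_len: int, sample=range(0, SPACE, 97)) -> dict:
    """Disk cost (entries stored) versus coverage, measured on a sample of PINs."""
    hits = sum(1 for pin in sample if lookup(table, chain_len, H(pin)) == pin)
    entries = sum(len(v) for v in table.values())
    return {"stored_entries": entries, "full_dictionary_entries": SPACE,
            "sampled": len(sample), "recovered": hits}


if __name__ == "__main__":
    t = build_table(num_chains=2000, chain_len=40)
    print(lookup(t, 40, H(4242)))
    print(stats(t, 40))
```

With 2000 chains of length 40 the table stores 2000 endpoints instead of 10,000 hashes, and a lookup costs at most a few hundred hash operations; the price is that some PINs are not covered at all, which is the probabilistic coverage mentioned above. Prepend a per-user salt to the PIN before hashing and the whole table is useless, since every salt would need its own.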

15
Q

Which of these would be a way to exploit a client-side vulnerability?
A. Sending malformed packets to a web server
B. Sending large ICMP packets
C. Sending a crafted URL
D. Brute-force password attack

A

C. Malformed packets could cause a failure or trigger a vulnerability on the server side. Large ICMP packets aren’t likely to do anything and certainly wouldn’t exploit a client-side vulnerability. A brute-force password attack isn’t exploiting a vulnerability, even if it is an attack technique. Sending a crafted URL could exploit a client-side vulnerability in a web browser, since the browser, not the server, is what parses it.

16
Q

What is one outcome from process injection?
A. Hidden process
B. Rootkit
C. Alternate data streams
D. Steganography

A

A.

Steganography is the practice of hiding data inside other data, such as media files like MP3s, WAVs, or video files. An alternate data stream is a secondary data stream attached to a filename in the NT file system. A rootkit can be used to hide processes; it may use process injection, but it wouldn’t be the outcome of process injection. When you inject into a process, you place code you control into the address space of another running process. The end result can be a thread executing your code under a legitimate process name, with no new process showing up in a process list.

17
Q

What tool would you use to compromise a system and then perform post-exploitation actions?
A. Nmap
B. John the Ripper
C. searchsploit
D. Metasploit

A

D.

John the Ripper is used for cracking passwords, while nmap is used for port scanning. They could be part of the overall process of system compromise, but neither could be used to compromise a system, in spite of what it suggests in The Matrix. searchsploit is a program used to search a local Exploit-DB repository. Metasploit is an exploit framework that could be used to compromise a system. Once the system is compromised, Metasploit could then be used for post-exploitation actions using modules that come with it.

18
Q

What application would be a common target for client-side exploits?
A. Web server
B. Web browser
C. Web application firewall
D. Web pages

A

B.

Of all of the options presented, only the web browser exists on the client side. By definition, the web server is on the server. A web application firewall is placed with the server to protect it from Application layer attacks. Web pages are hosted on a web server; they are not a target for client-side exploits, though they are the vehicle used to deliver those exploits to the browser.

19
Q

What are two advantages of using a rootkit?
A. Installing alternate data streams and Registry keys
B. Creating Registry keys and hidden processes
C. Hiding processes and files
D. Hiding files and Registry keys

A

C.

A rootkit is a piece of malicious software that is used to accomplish several tasks. This may include hiding processes and files through the use of kernel-mode drivers or replaced system utilities. A rootkit may also provide a backdoor for attackers to maintain long-term access to the system after the initial compromise. None of the other answers is a thing that a rootkit does.

20
Q

What could you use to obtain password hashes from a compromised system?
A. John the Ripper
B. Mimikatz
C. Rainbow tables
D. Process dumping

A

B.

John the Ripper and rainbow tables are tools for cracking password hashes, not for obtaining them. Process dumping, writing a process’s memory out to disk for analysis, could yield credentials tied to a particular application, but whether you get hashes at all depends on how that process keeps them in memory. Mimikatz is a utility (also available as a Metasploit module) that extracts credentials from a compromised Windows system: NTLM hashes, Kerberos tickets and sometimes plaintext passwords from LSASS memory, and hashes from the local SAM. In practice the two are often combined: dump lsass.exe on the target and parse the minidump offline with Mimikatz, which avoids running the tool itself on the host.

21
Q

What technique would you use to prevent understanding of PowerShell scripts that had been logged?
A. Encoding
B. Obfuscation
C. Rainbow tables
D. Kerberoasting

A

B.

You would use obfuscation on a PowerShell script. Some encoding (Base64 via -EncodedCommand, for instance) may happen as part of the obfuscation, but encoding alone is reversed in one step and is also used for legitimate purposes, so by itself it does little to prevent understanding. Bear in mind that PowerShell script block logging (event ID 4104) records each block as it is executed, so a layer that is decoded and handed to Invoke-Expression is logged in its decoded form as well. Rainbow tables are used to crack passwords, and Kerberoasting is a way of gathering password material over the network on Windows systems.
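To show the difference between encoding and obfuscation from the defender's side, here is an added example (not from the original flashcards): it takes constructed process-creation command lines, decodes any -EncodedCommand argument (Base64 of UTF-16LE, which is what powershell.exe expects), and then scores the decoded script for obfuscation indicators. The indicator list and the log lines are hypothetical; the parameter-prefix regex covers only a subset of the forms powershell.exe accepts.

```python
"""Added example (not from the original flashcards): decode -EncodedCommand
arguments found in command-line logs and flag obfuscation indicators in the
result. Log lines, indicators and parameter prefixes are constructed/hypothetical.
"""
import base64
import re

# Constructed sample scripts and command lines, shaped like the CommandLine field
# of a process-creation event. Not real logs.
BENIGN = "Get-Service | Where-Object Status -eq 'Running'"
OBFUSCATED = ".(\"{1}{0}\" -f 'EX','I') ('Get-Pr' + 'ocess') | ForEach-Object { $_.Name }"


def ps_encode(script: str) -> str:
    """Encode the way `powershell -EncodedCommand` expects: Base64 of UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


LOG_LINES = [
    f"powershell.exe -NoProfile -EncodedCommand {ps_encode(BENIGN)}",
    f"powershell.exe -nop -w hidden -enc {ps_encode(OBFUSCATED)}",
    "powershell.exe -NoProfile -File C:\\scripts\\backup.ps1",
]

# -e, -ec, -en, -enc, -encodedcommand: a subset of the prefixes powershell.exe accepts
ENC_RE = re.compile(r"(?i)\s-e(?:c|n(?:c(?:odedcommand)?)?)?\s+([A-Za-z0-9+/=]{8,})")

# Hypothetical indicator set; each is a construct rarely seen in hand-written admin scripts.
INDICATORS = {
    "format-operator": re.compile(r"""-f\s*['"]"""),            # ("{1}{0}" -f 'b','a')
    "string-concat": re.compile(r"""['"]\s*\+\s*['"]"""),       # 'Get-Pr' + 'ocess'
    "char-cast": re.compile(r"\[char\]", re.I),                 # [char]73
    "invoke-operator-string": re.compile(r"""[&.]\s*[('"]"""),  # &('iex') / .("...")
    "iex": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "join": re.compile(r"-join\b", re.I),
}


def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries an encoded one, else None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def obfuscation_indicators(script: str) -> list:
    return [name for name, rx in INDICATORS.items() if rx.search(script)]


def analyze(cmdline: str) -> dict:
    decoded = decode_encoded_command(cmdline)
    hits = obfuscation_indicators(decoded) if decoded else []
    return {"encoded": decoded is not None, "decoded": decoded,
            "indicators": hits, "suspicious": len(hits) >= 2}


def analyze_all(lines=LOG_LINES) -> list:
    return [analyze(line) for line in lines]


if __name__ == "__main__":
    for result in analyze_all():
        print(result["encoded"], result["suspicious"], result["indicators"])
```

The first line decodes to an ordinary one-liner and scores nothing; the second decodes just as easily, which is the point of the card, but what comes out is still unreadable until someone evaluates the format operator and concatenations, and that is the layer the indicators catch.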

22
Q

What technique might you use to gather credentials from a remote system on a Windows network?
A. Kerberoasting
B. Fuzzing
C. Rootkits
D. PowerShell scripting

A

A.

You would use Kerberoasting on a Windows network because Kerberos is the protocol used to exchange authentication information between user systems and servers. Any domain user can request a service ticket for an account that has a service principal name; part of that ticket is encrypted with the service account’s password hash, so it can be taken offline and cracked without touching the service again. Fuzzing is a way of sending anomalous data to applications in the hope of crashing them. Rootkits are used to maintain access for an attacker and to obscure the attacker’s presence on the system. PowerShell scripting is used for many purposes, but it is not in itself a credential-gathering technique.

23
Q

What language is commonly used by attackers who live off the land?
A. Ruby
B. Python
C. Cmdlets
D. PowerShell

A

D.

Ruby isn’t common enough to be used, and while Python is common on Unix-like systems like macOS and Linux, PowerShell is more common because it is installed by default on all current Windows systems and there are just more Windows systems around than the other platforms. Cmdlets are part of PowerShell but are not the language.

24
Q

If you wanted to identify vulnerabilities previously undiscovered in an application, including a network service, what tool might you use?
A. Rubeus
B. Ophcrack
C. John the Ripper
D. Peach

A

D.

Rubeus is used to attack the Kerberos protocol on a Windows network. Ophcrack is a rainbow tables tool used for password cracking. John the Ripper is also used for password cracking. Peach is a tool that is used to perform fuzzing, which is the practice of sending anomalous data to an application, hoping to cause it to crash, which would suggest a new vulnerability.
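What a fuzzer actually does is easier to see on a small target, so here is an added example (not Peach, and not part of the original flashcards): a deterministic mutation fuzzer run against a hypothetical record parser that trusts its own length fields. The format, the parser, its bugs and the seed input are all constructed; uncaught Python exceptions stand in for the crashes a native fuzzer would observe.

```python
"""Added example (not from the original flashcards, and not Peach): a minimal
mutation fuzzer against a hypothetical record parser with two length-handling
bugs. The parser, its format and the seed input are all constructed.
"""


def parse_record(data: bytes) -> dict:
    """Hypothetical format: b'RC' | name_len(1) | name | payload_len(2, BE) | payload | crc(1).
    Deliberately trusts its own length fields; the bugs are the point."""
    if data[:2] != b"RC":
        raise ValueError("bad magic")                 # an expected rejection, not a crash
    name_len = data[2]
    name = data[3:3 + name_len]
    off = 3 + name_len
    payload_len = (data[off] << 8) | data[off + 1]    # IndexError when the input is truncated
    per_char = payload_len // name_len                # ZeroDivisionError when name_len is 0
    payload = data[off + 2:off + 2 + payload_len]
    crc = data[off + 2 + payload_len]                 # IndexError when payload_len overstates
    return {"name": name, "payload": payload, "per_char": per_char, "crc": crc}


SEED = b"RC" + bytes([4]) + b"demo" + (5).to_bytes(2, "big") + b"hello" + bytes([0x7F])
EXPECTED = (ValueError,)      # exceptions the parser is supposed to raise on bad input


def mutations(seed: bytes):
    """Deterministic single-step mutations: bit flips, zero/0xFF bytes, truncations."""
    for i in range(len(seed)):
        for bit in range(8):
            yield f"flip[{i}]:{bit}", seed[:i] + bytes([seed[i] ^ (1 << bit)]) + seed[i + 1:]
        yield f"zero[{i}]", seed[:i] + b"\x00" + seed[i + 1:]
        yield f"ff[{i}]", seed[:i] + b"\xff" + seed[i + 1:]
    for k in range(len(seed)):
        yield f"trunc[{k}]", seed[:k]


def fuzz(target, seed: bytes) -> dict:
    """Run every mutation; group unexpected exceptions (our stand-in for crashes)
    by type, keeping the mutation label and input so each one can be reproduced."""
    crashes = {}
    for label, data in mutations(seed):
        try:
            target(data)
        except EXPECTED:
            continue
        except Exception as exc:                      # anything else is a finding
            crashes.setdefault(type(exc).__name__, []).append((label, data.hex()))
    return crashes


if __name__ == "__main__":
    for kind, cases in fuzz(parse_record, SEED).items():
        print(kind, len(cases), "e.g.", cases[0])
```

Each finding is keyed by crash type and carries the exact input that produced it, which is the part that matters when the target is a network service rather than a function: the reproducer is what turns "it crashed" into a vulnerability report. Real fuzzers such as Peach add a grammar of the format so mutations stay structurally plausible and reach deeper code than single-byte edits do.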

25
Q

What operating system agnostic interface might you use if you had compromised a system?
A. Rubeus
B. Meterpreter
C. Empire
D. Ophcrack

A

B.

Rubeus is a tool used against Kerberos-based networks. Empire is a set of PowerShell scripts used to attack Windows-based systems. Ophcrack is used to crack passwords. Meterpreter is the operating-system-agnostic interface in Metasploit that is used after you have compromised a system.