CSCI 427 Exam 2

Question 1

what are the goals of enumeration?

Answer 1

extracting information

Question 2

groups can be nested – why is this bad?

Answer 2

accidentally escalate privileges of others without intended to by nesting (ex: putting “everyone” under “admin”)

Question 3

what is SID?

Answer 3

Security Identifier; a string number assigned by the OS to uniquely identify a user, group, or computer object

Question 4

SIDs are unique and never reused (true/false)

Answer 4

true

Question 5

SIDs allow usernames and group names to be changed without changing their assigned permissions because ?

Answer 5

the SID never changes

Question 6

what is SAM?

Answer 6

Security Accounts Manager; service that contains and manages all usernames and passwords for accounts on the local system; integrated with the Registry database

Question 7

passwords in SAM are stored in ? hash format – this is what a ? returns

Answer 7

NTLM (NT Lan Manager); hashdump

Question 8

how can you distinguish the administrator SID?

Answer 8

it ends in 500

Question 9

what is NTLM?

Answer 9

NT Lan Manager hash format

Question 10

is NTLM considered secure?

Answer 10

no; considered weak and easily cracked with brute-force; applies to local user accounts, not to Windows domain accounts using Active Directory

Question 11

UID

Answer 11

user ID

Question 12

GID

Answer 12

group ID

Question 13

what is stored in the Linux file /etc/passwd

Answer 13

keeps the user account and password information; holds the majority of information about accounts on the Unix system

Question 14

what is stored in the Linux file /etc/shadow

Answer 14

holds the encrypted password of the corresponding account

Question 15

what is stored in the Linux file /etc/group

Answer 15

contains the group information for each account

Question 16

what is stored in the Linux file /etc/gshadow

Answer 16

contains secure group account information

Question 17

what is a null session?

Answer 17

occurs when a connection is made to a system without credentials being provided

Question 18

how to connect to a null session from a Windows computer

Answer 18

net use \targetNameOrIP\ipc$ “” “/user:”

Question 19

how to connect to a null session from a Linux computer

Answer 19

rpcclient -U “” < targetIP >

Question 20

what is an SSID?

Answer 20

Service Set Identifier; wireless network’s name; continually broadcast by the wireless router or access point and is used by clients to identify and connect to the wireless network

Question 21

what is a BSSID?

Answer 21

Basic Service Set Identification; the MAC address of an access point; wireless does not work if this is turned off

Question 22

what is WEP?

Answer 22

Wired Equivalent Privacy; oldest and weakest wireless encryption; easy to break

Question 23

what is WPA?

Answer 23

WiFi Protected Access; intended to replace WEP, but was also found to be easily cracked; encryption algorithm is TKIP

Question 24

what is WPA2?

Answer 24

successor to WPA and uses much stronger encryption in form of AES (dependent on password strength in the case of personal use)

Question 25

what is 802.1x?

Answer 25

Enterprise WPA/WPA2 802.1x is more secure than WPA/WPA2 Personal; clients receive unique encryption keys and the keys are automatically updated at regular intervals

Question 26

what is PEAP?

Answer 26

Protected Extensible Authentication Protocol; facilitates secure communication between client and RADIUS backend during authentication

Question 27

what is RADIUS?

Answer 27

Remote Authentication Dial-In User Service; used as the backend authentication method for 802.1x wireless standard

Question 28

enables monitor mode and allows filtering for particular wireless traffic

Answer 28

airmon-ng

Question 29

component used for capturing 802.11 packets; sniffs traffic from SSIDs

Answer 29

airodump-ng

Question 30

used to target a particular device; used to force clients to reconnect and send 4-way handshake; sends out a signal to your target to say they need to reconnect to the AP; during the reconnection process, airmon-ng can capture the pre-shared key

Answer 30

aireplay-ng

Question 31

component of the suite used for actual wireless PSK cracking; decryption

Answer 31

aircrack-ng

Question 32

what is monitor mode?

Answer 32

never actually connects to the access point; all it does is listen to traffic/radio waves

Question 33

what is the Pixie Dust attack?

Answer 33

attack exploiting WPS pins built into the firmware of home routers; used to force the router into dumping WPA/WPA2 credentials

Question 34

what is a token?

Answer 34

a supplemental identifier that is unique per client, essentially to verify that HTTP requests are coming from a particular client

Question 35

what are other terms used interchangeably for "token"?

Answer 35

cookie, session ID

Question 36

cookies

Answer 36

saved to the client’s browser; manually deleting the cookie creates a new session; have an expiration date, after which a new cookie is generated

Question 37

session ID

Answer 37

stored on the server side (in the URL or hidden field on the webpage)

Question 38

pros of cookies

Answer 38

automatically persisted for each page request, remains valid even if the site is left or browser closed

Question 39

cons of cookies

Answer 39

vulnerable to XSS attacks, *only one active session per browser*

Question 40

pros of session ID

Answer 40

*possible to have multiple sessions across tabs*, works even if cookies are disabled by the client

Question 41

cons of session ID stored in URL

Answer 41

lost once you leave the website, *sent in the referrer from the HTTP resource*, could be stored in cache or logs

Question 42

cons of session ID stores in hidden field (outdated and rarely used -- not so important to know)

Answer 42

lost once you leave the website, every request needs to be a HTTP POST, so SID is lost on every GET; because it requires a POST, the page cannot use embedded media such as images or video

Question 43

reflected cross-site scripting (XSS) attack

Answer 43

requires getting the victim to follow a link that either has a malicious script injected in the link itself or embedded in the page it links to

Question 44

steps of a reflected XSS attack (SHORT ANSWER)

Answer 44

1. Attacker creates and socializes malicious URL with XSS to client/victim 2. Client/victim sends an authenticated request with XSS payload to the server 3. Site embeds request to attacker with cookies 4. Browser makes request with session ID

Question 45

? is the name of the document object in javascript that stores a cookie

Answer 45

document.cookie

Question 46

ELMAH

Answer 46

Error Log Modules and Handlers; tool for ASP.net web services; infamous for having unsecured web-facing log interface; simply browsing to the ELMAH URL (someSiteName.com/elmah) and drilling into the error log details will reveal the session ID

Question 47

what is the HTTP referer field used for?

Answer 47

identifies the web page from which a link was clicked (problematic because session ID in link)

Question 48

session fixation attack

Answer 48

type of attack where the attacker generates a pre-made, unauthenticated session ID for the victim, then tricks the victim into using the pre-made session ID to authenticate

Question 49

prevent a session fixation attack by

Answer 49

changing session IDs once a user has authenticated

Question 50

know 3 of the 6 tips for mitigating the risk of session hijacking attacks

Answer 50

1. Strong session IDs (randomly generate, don’t program yourself) 2. Do not persist session IDs in the URL 3. Don’t reuse session IDs for authentication (instead, either transfer the session ID to a new ID after authentication or use an authCookie post-login in addition to the session ID cookie) 4. Flag session ID in HTTP responses from the web app as HTTP Only 5. Flag session ID as secure to prevent pages with both HTTPS and HTTP content from exposing the session ID in GET requests for the HTTP content 6. Force user to re-authenticate before certain key actions

Question 51

what constitutes untrusted data?

Answer 51

integrity not verifiable, intent may be malicious, data may include payloads (SQL injection, XSS, binaries with malware)

Question 52

common sources of untrusted data

Answer 52

the user (URL via a query string or route, posted via form), browser (cookies, request headers), other (external sources, your own database)

Question 53

when considering input sanitization, which has a lower risk, a blacklist or whitelist? why?

Answer 53

whitelist because you explicitly accept only approved characters, so it is more comprehensive

Question 54

easiest way to execute a reflected XSS attack

Answer 54

manipulating parameters in URL query string

Question 55

common feature of server responses (such as a search result) that serves as a potential vector for XSS attacks

Answer 55

response reflects back what you type in to the browser, thus back to the client (“you searched for…”)

Question 56

how does output encoding help reduce the risk of XSS attacks?

Answer 56

make sure user input gets to screen as it was entered, does not allow into markup; translate icon -> encoding (ex: < would be <) – this way, data cannot break out of data context into markup content

Question 57

why is it important to perform output encoding in the proper context for each occurrence of the output?

Answer 57

output encoding has to appear a certain way depending on where you are in the code (HTML, CSS, script)

Question 58

what is the difference between a reflected XSS attack and a persistent XSS attack?

Answer 58

persistent has been uploaded into the website’s database (ex: a comment on a post)

Question 59

what is an auth cookie?

Answer 59

a cookie that persists an authenticated state (identifies and authorizes the user)

Question 60

what is the central idea behind any cross site attack?

Answer 60

want the user to do something on your behalf without them knowing they are doing it

Question 61

how does an anti-forgery token work?

Answer 61

when a user requests a page with a form, the resultant page contains a token in a hidden field and one in a cookie (these are paired when issued and keyed to the current user); then, the browser sends back the hidden form token and the cookie, and the website checks if the tokens are a valid pair for the user

Question 62

how does an anti-forgery token prevent a CSRF (cross site forgery request) attack?

Answer 62

adds randomness to the request pattern (something the attacker can’t reproduce or guess at)

Question 63

what header is used to prevent clickjacking attacks?

Answer 63

X-Frame-Options Header (want to allow frames? no)

Question 64

3 main ways to protect against XSS and CSRF

Answer 64

input sanitization, context sensitive output encoding, anti-forgery token

Question 65

what types of information can be extracted through enumeration?

Answer 65

usernames and groups, machine names, file shares, routing tables, Simple Network Management Protocol strings, DNS details, etc.

Question 66

the Linux version of a SID (security identifier) is a

Answer 66

UID

Question 67

system SID starts with

Answer 67

S-1-5-18

Question 68

local service SID starts with

Answer 68

S-1-5-19

Question 69

network service SID starts with

Answer 69

S-1-5-20

Question 70

non-service or system accounts always start with

Answer 70

S-1-5-21

Question 71

guest SID ends in

Answer 71

501

Question 72

null sessions can only be made to a special location called the

Answer 72

interprocess communication (IPC) share

Question 73

when we talk about SSID and BSSID, we are working with Layer ? of the OSI model

Answer 73

2 (data link)

Question 74

Enterprise WPA/WPA2 802.1x requires two components

Answer 74

1. the authentication protocol | 2. backend authentication service

Question 75

PEAP is the (front/back) end of 802.1x

Answer 75

front

Question 76

RADIUS is the (front/back) end of 802.1x

Answer 76

back