Daniel Miessler Cyber-Sec Interview Prep Flashcards

1
Q

How do you change your DNS settings in Linux?

A

1.) Open a terminal.
2.) Use vim or another text editor to edit the /etc/resolv.conf file.
3.) Add a line of “nameserver x.x.x.x” with x.x.x.x being the IP address of your DNS server.
4.) Save the file and you’re done!

2
Q

How do you change your DNS settings in Windows?

A

There are 2 ways:

“GUI Method”
1.) Navigate to Control Panel -> Network and Sharing Center -> Change adapter settings
2.) Right-click on the adapter you want to configure and select ‘Properties.’
3.) Double-click on TCP/IPv4
4.) Change the DNS settings to the server(s) you want, and apply your changes.

                               -OR-

“PowerShell”

1.) Run PowerShell as administrator
2.) Use the Set-DnsClientServerAddress cmdlet. Be sure to specify the appropriate interface index and server addresses (Get-NetAdapter lists the interface indexes):

PS C:\> Set-DnsClientServerAddress -InterfaceIndex 12 -ServerAddresses ("10.0.0.1","10.0.0.2")

3
Q

What are your first three steps when securing a Linux server?

A

STEP 1 - Update your server
Depending on your Linux distribution, your install ISO/DVD could be months or even years old! Running updates on your server immediately will help get any vulnerable packages updated. We can do this in one line:
sudo apt-get update && sudo apt-get upgrade

STEP 2 - Disable root access via SSH
If you’ve ever watched your SSH logs after starting up a server, you’ll notice one thing very quickly: a lot of people are trying to access your server. The other thing you’ll notice is 95% of them are trying to access it via the root user.

Let’s disable the root login by editing the sshd_config file:
sudo vim /etc/ssh/sshd_config

Find the PermitRootLogin line and change it to “no”:
PermitRootLogin no

STEP 3 - Change your SSH port
After Step 2, you’ll notice your logs still are full of login attempts. Even though they can’t get in as the root user, they’ll still keep trying. Let’s change the OpenSSH server to use a different port. Open the sshd_config file once more and edit the “Port” line to use an atypical number. For example:
Port 5901

Restart your SSH server in order to pick up the changes from Steps 2 and 3:

sudo service ssh restart

4
Q

Does TLS use symmetric or asymmetric encryption?

A

TLS uses a combination of symmetric and asymmetric cryptography, as this provides a good compromise between performance and security when transmitting data securely.

The initial key exchange is done using asymmetric cryptography, while bulk data encryption requires speed and therefore uses symmetric algorithms.

5
Q

What’s the difference between symmetric and public-key cryptography?

A

Symmetric uses a single key while public-key uses two.

6
Q

In public-key cryptography you have a public and a private key, and you often perform both encryption and signing functions.
Which key is used for which function?

A

You encrypt with the other person’s public key, and you sign with your own private key.

7
Q

Describe the process of a TLS session being set up when someone visits a secure website.

A
1.) The ‘client hello’ message: The client initiates the handshake by sending a “hello” message to the server. The message will include which TLS version the client supports, the cipher suites supported, and a string of random bytes known as the “client random.”
2.) The ‘server hello’ message: In reply to the client hello message, the server sends a message containing the server’s SSL certificate, the server’s chosen cipher suite, and the “server random,” another random string of bytes that’s generated by the server.
3.) Authentication: The client verifies the server’s SSL certificate with the certificate authority that issued it. This confirms that the server is who it says it is, and that the client is interacting with the actual owner of the domain.
4.) The premaster secret: The client sends one more random string of bytes, the “premaster secret.” The premaster secret is encrypted with the public key and can only be decrypted with the private key by the server. (The client gets the public key from the server’s SSL certificate.)
5.) Private key used: The server decrypts the premaster secret.
6.) Session keys created: Both client and server generate session keys from the client random, the server random, and the premaster secret. They should arrive at the same results.
7.) Client is ready: The client sends a “finished” message that is encrypted with a session key.
8.) Server is ready: The server sends a “finished” message encrypted with a session key.
9.) Secure symmetric encryption achieved: The handshake is completed, and communication continues using the session keys.
8
Q

If someone steals the server’s private key, can they decrypt all previous content sent to that server?

A

Not if Forward Secrecy was implemented. This prevents an attacker from decrypting captured data that was sent to a server in the past, even if the server’s private key was stolen.

9
Q

What is Forward Secrecy?

A

Forward Secrecy is a system that uses very short-lived (ephemeral) session keys to do the actual encryption of TLS data, so that even if the server’s private key were to be compromised, an attacker could not use it to decrypt captured data that had been sent to that server in the past.

10
Q

What are some common ways that TLS is attacked, and/or what are some ways it’s been attacked in the past?

A

Many known TLS vulnerabilities result from weak cryptographic primitives, which TLS 1.3, thankfully, did away with.

Heartbleed: Caused by a flaw in OpenSSL which, in short, let a malicious user easily trick a vulnerable web server into sending sensitive information, including usernames and passwords.

BEAST (Browser Exploit Against SSL/TLS): An attack that allowed a man-in-the-middle attacker to uncover information from an encrypted SSL/TLS 1.0 session by exploiting a known theoretical vulnerability.

11
Q

Cryptographically speaking, what is the main method of building a shared secret over a public medium?

A

Diffie-Hellman.

12
Q

What’s the difference between Diffie-Hellman and RSA?

A

RSA requires you to have key material beforehand while Diffie-Hellman does not.

13
Q

What kind of attack is a standard Diffie-Hellman exchange vulnerable to?

A

Man-in-the-middle, as neither side is authenticated.

14
Q

What’s the difference between encoding, encryption, and hashing?

A

Encoding is designed to protect the INTEGRITY of data as it crosses networks and systems, i.e. to preserve the original message on arrival, and it ISN’T primarily a security function. It IS EASILY REVERSIBLE because the encoding scheme is almost necessarily, and by definition, in wide use.

Encryption is designed purely for CONFIDENTIALITY and is reversible only if you have the appropriate key/keys!

With hashing the operation is one-way (NON-REVERSIBLE!), and the output is of a fixed length that is usually much smaller than the input.

15
Q

What is an IV (Initialization Vector) used for in encryption?

A

An IV is used to initiate encryption by providing an additional (third) input alongside the cleartext and the key. In general you want IVs that are random and unpredictable, and that are used only once for each message. The goal is to ensure that two messages encrypted with the same key do not result in the same ciphertext.

16
Q

What are block and stream ciphers?

What are the differences, and when would you use one vs. the other?

A

Block-based encryption algorithms work on a block of cleartext at a time, and are best used for situations where you know how large the message will be, e.g., for a file. Stream ciphers work on single units of cleartext, such as a bit or a byte, and they’re best used when you’re not sure how long the message will be.

17
Q

What are some examples of symmetric encryption algorithms?

A

DES, RCx, Blowfish, Rijndael “Rhine Dahl” (AES)

18
Q

What are some examples of asymmetric encryption algorithms?

A

Diffie-Hellman, RSA, EC, ElGamal, DSA

19
Q

What are some common block cipher modes?

A

ECB and CBC.

20
Q

What’s the main difference in security between ECB (Electronic codebook) and CBC (Cipher block chaining)?

A

ECB just does a one-to-one lookup for encryption, without using an IV (Initialization Vector), which makes it fairly easy to attack using a chosen-plaintext attack. CBC uses an IV for the first block and then XORs (eXclusive OR) each subsequent plaintext block with the previous ciphertext block before encrypting it, so the chaining propagates through all later blocks.

21
Q

What’s more secure, SSL, TLS, or HTTPS?

A

TLS stands for Transport Layer Security and it ensures data privacy the same way that SSL does. Since SSL is actually no longer used, this is the correct term that people should start using. HTTPS is a secure extension of HTTP.

22
Q

What port does ping(ICMP) work over?

A

ICMP is a layer 3 protocol (it doesn’t work over a port).

23
Q

Do you prefer filtered ports or closed ports on your firewall?

A

It depends on the situation.

For small company servers, back-end systems or intranet sites I will choose to close ports (REJECT).

The reason is that those servers are not usually targeted by DDoS attacks, and also because the external apps that need to consume services hosted on those servers can quickly report failures instead of hanging their connections for minutes.

If your server is used as a website that can be targeted by DDoS attacks, then I will choose the “DROP” policy, because in this way your firewall is not going to consume CPU and bandwidth answering about the state of the port (sending back ICMP messages).

24
Q

How exactly does traceroute/tracert work at the protocol level?

A

They keep sending packets to the final destination; the only thing that changes is the TTL (Time To Live: hop limit) that’s used.

Traceroute (tracert) works by sending a packet to a UDP port on a destination machine, starting with small TTL (Time To Live) values. When the TTL expires at a router along the path, that router discards the packet and sends an ICMP notification packet back to the original host with the message that the TTL expired there. Each successive probe uses a larger TTL, so each router on the path reveals itself in turn.

The extra credit is the fact that Windows uses ICMP by default while Linux uses UDP.

25
Q

What are your favorite security assessment tools?

A

I really enjoy reconnaissance, so I spend a lot of time Google dorking passively, gathering as much information on my target as I can. It is a quiet way to gather a ton of data that can help me later when I am doing more active or louder assessments with Nmap or Nikto, whether it be looking for open ports or services to exploit, or scanning through all available directories to give me a better point of entry I could possibly exploit. I go back and forth between Google, Nikto and Nmap, mainly doing a lot of cross-checking, until I find something of value to me.
Burp Suite also, for testing out things I find interesting in real time, but only when I have a decent plan of attack.

26
Q

How does a buffer overflow work?

A

A buffer overflow occurs when a program or process attempts to write more data to a fixed-length block of memory (a buffer) than the buffer is allocated to hold. By sending carefully crafted input to an application, an attacker can cause the application to execute arbitrary code, possibly taking over the machine.
Using a debugger you can better see how the input fills up the stack. If you input a bunch of the same characters until the buffer is full, you can follow the overflow. If you vary the character input, you can pinpoint where in the code it can be compromised.

27
Q

How can one defend against buffer overflows?

A

The easiest way to prevent these vulnerabilities is to simply use a language that does not allow for them. C allows these vulnerabilities through direct access to memory and a lack of strong object typing. Languages that do not share these aspects are typically immune. Java, Python, and .NET, among other languages and platforms, don’t require special checks or changes to mitigate overflow vulnerabilities.

28
Q

What are Linux’s strengths and weaknesses vs. Windows?

A

Linux strengths are that it is mostly free, mostly open source, very stable, and has extensive configuration possibilities. Because of that, Linux is everywhere!
Linux weaknesses are that it has a limited range of software, and has significant barriers to entry for those with little IT knowledge.

Windows strengths are that it is beginner friendly, has a large range of software, and comes preinstalled on many devices. Its weaknesses are that it is more frequently targeted by malware, is not open source, and is more costly!

29
Q

Describe the last program or script that you wrote.

What problem did it solve?

A

A couple of friends and I were writing a self-replicating worm as our final project for class, and I ended up writing the network scanner portion, using Python’s nmap library to scan specifically for IPs with port 22 open and the socket library to make socket connections over the web. It parsed through a network of IPs, built the misconfigured ones into a list, and made connections with them through SSH.

I am now attempting to expand my coding knowledge with just the simple concept of coding for fun. My next project will be a REST API that uses Python to fetch memes off of Reddit.

30
Q

How would you implement a secure login field on a high-traffic website where performance is a consideration?

A

Firstly, make a separate login page that can only be accessed over HTTPS and (of course) submits over HTTPS.

Secondly, use social connectors such as login with Facebook, Google or another well-known domain that many people already have an account with.

Thirdly, use TLS certificates for secure login.

Also, never build your own framework!

31
Q

What are the various ways to handle account brute forcing?

A

Account lockouts, so that if logins are attempted too frequently over a period of time, the account is locked out after too many attempts.

32
Q

What is Cross-Site Request Forgery?

A

When an attacker gets a victim’s browser to make requests, ideally with their credentials included, without their knowing. A solid example of this is when an IMG tag points to a URL associated with an action, e.g. http://foo.com/logout/. A victim just loading that page could potentially get logged out from foo.com, and their browser would have made the action, not them (since browsers load all IMG tags automatically).

33
Q

How does one defend against CSRF?

A

Cryptographic nonces (an arbitrary number that can be used just once in a cryptographic communication) required by the server for each page or each request.

34
Q

If you were a site administrator looking for incoming CSRF attacks, what would you look for?

A

Cryptographic nonces

35
Q

What’s the difference between HTTP and HTML?

A

HTTP is the networking/application protocol and the other (HTML) is the markup language.