Domain 3: Attacks & Exploits Flashcards
1
Q
What is social engineering?
A
using one’s social skills to trick people into revealing access credentials or other information valuable to the attacker
2
Q
What is one of the most well known social engineering methods?
A
Phishing is this
3
Q
What is a smish?
A
A phishing text
4
Q
What is vishing?
A
Phishing that occurs over a telephone
5
Q
What is SMS phishing?
A
This is Short Message service phishing that occurs over text message.
6
Q
What is elicitation?
A
This usually uses a series of questions to get employees to tell you valuable or sensitive information. All about getting someone to provide something for you.
7
Q
Can you use elicitation with Email?
A
Yes, this can be used with email. Think of BEC.
8
Q
What is the definition of Elicitation?
A
To draw out or bring forth; educe; evoke
9
Q
Is Interrogation a type of social engineering?
A
Yes, this, albeit a moral dilemma, is a type of social engineering.
10
Q
What is impersonation?
A
Act of pretending someone you aren’t to gain access to locations/systems that you’re not supposed to have access to.
11
Q
What is USB keydrop?
A
Loading up a USB with malware, backdoors, keyloggers, and dropping it in say a parking lot in hopes someone at an organization plugs it in.
12
Q
What are motivates a user to fall for social engineering attacks?
A
With respect to attacks:
- Motivation
- Urgency
- Social Proof
- Likeability
- Fear
13
Q
What are some physical security attacks?
A
- Piggybacking/Tailgating
- Fencing
- Dumpster Diving
- Lock Picking
- Lock Bypass
- Egress Sensor
- Badge Cloning
14
Q
What does NBNS stand for?
A
Net Bios Name Service
15
Q
What is the host name of a system?
A
Netbios is the host name of a system
16
Q
What does LLMNR stand for?
A
Link-local Multicast Name Resolution
17
Q
What is LLMNR?
A
This is a protocol based on the DNS packet format allowing both IPv4 & IPv6 hosts to perform name resolution for hosts on the same local link.
18
Q
Where will you find LLMNR?
A
You will find this on Windows Vista and newer operating system. Linux also implements a version of this, called system.
19
Q
When is LLMNR useful as a hacker?
A
This is helpful when a temporary network is created, such as an ad-hoc wi-fi network.
20
Q
What is SMB?
A
Transport protocol used by windows machines; file sharing, printer sharing, remote window services. Linux can run using SAMBA.
21
Q
What ports allow SMB?
A
Ports 139 & 445
22
Q
What well known exploit and well known ransomware utilizes flaws in SMB?
A
EternalBlue exploit and WannaCry Ransomware both utilize a flaw in this protocol.
23
Q
How many versions of SNMP exist?
A
There are three versions of this protocol as of Jan 2020.
24
Q
Which version of SNMP uses a shared ‘community string’ sent in clear text when set to public?
A
SNMPv1 uses this when set to public.
25
Does SNMPv1 use port security?
Yes, this version of SNMP uses port security
26
In SNMPv1, What is the community string valid for?
In this protocol version, the community string is valid for EVERY node on the network.
27
What is the internet standard for electronic mail transmissions?
This is SMTP
28
What can you focus on when attacking SMTP protocol?
There are areas of attacks for this protocol:
- Direct Exploits of the protocol
- Using open relays
- Using local relays
- Phishing Attacks
- SPAM
29
What used to be the internet standard for file sharing?
This was File Transfer Protocol
30
What is the problem with FTP?
This is an insecure protocol that sends data and authentication in cleartext over the network
31
What is pass the hash?
This is an attack against the NT Lan Manager. Attacker steals a hashed user credential and resuses it in the windows authentication system to create a new authenticated system.
32
What are some of the ways you can conduct a man-in-the-middle attack?
These are methods used to conduct this type of attack:
- ARP spoofing
- Replay
- Relay
- SSL Stripping
- Downgrade
33
What is ARP Spoofing?
This is when an attacker sends a falsified ARP message over a local network. This results in the Attackers MAC address being associated with the IP of valid computer.
34
What is replay? What would be an example?
When valid data is captured by the attacker and then repeated or delayed. An example would be an attacker capturing a 3 way wireless network handshake and then replaying it to gain unauthorized access to that network.
35
What is relay?
This type of attack is when the attacker is able to become the man-in-the-middle and acts as the middle man in a communication session.
36
What is SSL Stripping?
This is an attack where a websites encryption is tricked into presenting the user with an HTTP connection instead of an HTTPS connection.
37
What is a downgrade attack? What would be an example?
This is an attack that attempts to have a client or server abandon a higher security mode to use a lower security mode. This attack would cause a session to use SSL 2.0 over TLS 1.2, despite TLS being more secure.
38
What is a Denial of Service called during a pen test? Do we actually do them during a pen test?
This is called a stress test during a pen test. No, we never actually go through with a denial of service attack during a pentest.
39
What is a NAC bypass?
This occurs when an attacker spoofs a MAC address of a VOIP device. This is because VOIP devices are granted exceptions (MACs often whitelisted).
40
Do VOIP Devices support 802.1x?
No, these devices do not support 802.1x.
41
What is VLAN hopping?
This where you attack a host on a different VLAN to gain access. Double Tagging the VLAN in 802.1Q. By double tagging the switch will pull off external VLAN and put you into new VLAN.
42
What is switch spoofing?
Auto negotiation with a switch by setting your device to act as a switch. Switches get copies of all VLAN traffic and separate based off tags.
43
Name three possible wireless-based attacks
- Evil Twin
- Deauthentication Attacks
- Fragmentation Attacks
- Credential Harvesting
- WPS Implementation Weakness
- Bluejacking
- Bluesnarfing
- RFID Cloning
- Jamming
- Repeating
44
What is a Karma attack?
These attack radio machines automatically. These devices listen for SSID requests and respond as if they were the legitimate access point.
45
What is a fragmentation attack?
This type of attack involves the attacker exploiting a network by using a datagram fragmentation mechanism against it. Small amount of keying material is obtained from the packet then attempts to send ARP and/or LLC packets with known content access point. If the packet is successfully echoed back by the AP, then a larger amount of keying information can be obtained from the returned packet.
46
What is credential harvesting? How can it be done?
Attack that focuses on collecting creds from targets. This could be done via social engineering, fake captive portals, MITM attacks
47
What tool can be used to set up a fake captive portal?
ESPortalv2 can be used to set this up and redirect all WiFi devices connected to the portal for authentication.
48
What are common attack tools for WPS weakness?
Reaver and Bully are both common tools used to attack this
49
What are fake cell towers used to capture?
These are used to capture IMSI number.
50
What does IMSI stand for?
This stands for International Mobile Subscriber Identity.
51
What is the most popular Wifi hacking tool?
Aircrack-ng is the most popular of these tools.
52
What can you do with Aircrack-ng?
With this tool, you can:
- monitor
- attack
- Test
- Crack
53
In Kali Linux, how do we check to see which mode our wireless code is in?
iwconfig is the linux command that does this.
54
How do we change the wireless mode from managed to monitor mode?
airmon-ng start wlan0 is the command used to do this.
55
How do we find a list of wireless networks?
airdump-ng wlan0 is the command to do this.
56
In airodump-ng, what is the option to add channels and bssids? What is the command to write to a file?
-c and --bssid. --write is the option to write to a file.
57
what is the tool used to send deauthorizations across a wireless signal?
aireplay-ng --deauth 0 -a -c wlan0mon
58
When running a deauthorization, what does the '0' represent?
This represents the amount of deauth packets we want to send. in this example it would unlimited, until I told it to cancel.
59
How do you view the capture file after a deauth attack?
aircrack-ng -w
60
In Kali Linux, where will you find a common word list?
/usr/share/wordlists/rockyou.txt
61
Name 4 application based vulnerabilities that can be attacked.
- Injections
- Authentication
- Authorization
- Cross-Site Scripting
- Cross-site request forgery
- Click-Jacking
- Security Misconfiguration
- File Inclusion
- Unsecure Coding Practices
62
What is an injection attack?
These come in many forms. Insertion of additional information or code via data input from a client to the application.
63
What is the most common injection attack?
SQL is the most common of this type of attack.
64
What is redirection?
This is where you send someone to a fake login page to have them enter (and thus capture) their credentials.
65
What are the two types of Kerberos tickets? What is the difference?
This authentication method involves golden tickets and silver tickets. Golden can be used to access any kerberos service, silver tickets can only be used for specific kerberos services.
66
How can you attack Kerberos Authentication?
You can run mimikats to attack this.
67
What is parameter pollution?
This is where HTTP parameters are modified in order to conduct a malicious attack.
68
What is insecure direct object reference?
This is where application provides direct access to an object based on the user-supplied input.
69
What is Cross-Site Scripting (XSS)?
Attacker embeddes malicious scripting commands on a trusted website.
70
What are the three ways to conduct XSS attacks?
There are three ways to do these attacks:
1. Stored/persistent , Data provided by attacker saved on server
2. Reflected, non-persistent, activated through link on site
3. DOM, Document Object Model is vulnerable. Victims browser is exploited.
71
What is cross site request forgery (CSRF)?
Attacker forces a user to execute actions on web server which they authenticated.
72
What is directory traversal?
Attack that allows access to restricted directories and for command execution outside of the web server's root directory.
73
What is http://testsite.com/get.php?f=/var/www/html/get.php an example of?
This is an example of Directory Traversal
74
What is file inclusion? Why does it happen?
This attack includes a file into a target application by exploiting a dynamic file inclusion mechanism. Usually happens because of improper input validation by application.
75
What is a race condition? When does it occur?
Flaw that produces unexpected results when the timing of actions can impact other actions. Two pieces of code are racing to impact. This is occurs while multithreaded operations are occuring on the same piece of data.
76
What is one of the first ways to attack a local host?
Operations systems vulnerabilities is one of the first for this.
77
What is a second common vector of attack for a local host? What are some examples?
The second vector of attack for this is unsecure services and protocol configurations. FTP, Telnet, TFTP, SSHv1, SMPv1, WPA instead of WPA2 are all examples.
78
What is privilege escalation in linux?
Allows a user to run a program or process as a different user with additional permissions.
79
As you get further from the linux kernel, what privilege is provided?
This would allow for the least privilege. Generic User.
80
What does SUID and SGID stand for?
Set-User Identification & Set-Group Identification
81
What is sticky bit?
This is used for shared folders such as /tmp. Allows users to create files, read, and execute files owned by other users. This attack cannot remove files owned by other users.
82
how do you know if sticky bit has been set?
you will see at a -t at the end of the permission.
83
What is SUDO? Who is the other user by default?
This is a program for Unix/Linux systems that allows users to run programs with the privileges of another user. Root is the other user by default.
84
SUDO is similar to what command in windows?
This is similar to the "Run as Administrator' command in windows.
85
What is Ret2libc? What does it stand for?
This is an attack technique that relies on overwriting the program stack to create a new stack frame that calls the system function. This stands for 'Return to library call'
86
In Windows, what is the name of the attribute that stores passwords in a group preference item?
This is call CPassword
87
How can you check for insecure LDAP binding? What is the outcome?
This can be checked by running a bind Script in powershell. You will receive a .csv file as output showing which accounts are vulnerable.
88
What is Kerberoasting?
A way to mess with Kerberos ticketing system. Any domain user account that has a service principal name (SPN) set can have a service ticket (TGS).
89
What does LSASS Stand for?
Local Security Authority Subsytem Service
90
What does LSASS do?
This is a process in Windows that enforce the security policy of the system. Verifies a user when logging on. Creates access tokens (ie, Kerberos).
91
What does PXE stand for?
preboot execution environment
92
What does SAM stand for? What does it do?
Security Account Manager. This is a dabase file that stores the user passwords in Windows as an LM hash or NTLM hash.
93
What is DLL?
This provides a method for sharing code and allows a program to upgrade its functionality without requiring re-linking or re-compiling of the application.
94
What is DLL hijacking?
This is Dynamic Link Library attack where you're able to load a malicious DLL in the place of an accepted DLL. Commonly used by malware to achieve persistence.
95
What is JTAG?
Remote procedure call is a protocol used in Windows that allows the remote execution of code on a remote computer or server.
96
What is Distributed Component Object Model (DCOM)?
This is a proprietary Microsoft technology for communications between software components on networked computers.
97
What is PsExec?
This is a lightweight telnet-replacement that lets you execute processes on other systems with full interactivity for console applications without manually having to install client software.
98
What is windows management instrumentation (WMI)?
This is a set of specifications from Microsoft for consolidating the management of devices and applications in a network from the windows computing systems.
99
What is PS Remoting?
This allows a computer to receive remote windows powershell commands.
100
What is Windows Remote Management?
This allows admins to remotely run management scripts using the WS-management protocol.
101
What are Windows Remote Management and Windows Remote Shell ran on?
First is run on Servers, the second is run on clients.
102
What is a cross-platform RDP system?
This is called Virtual Network Computing (VNC).
103
What is the Remote GUI for linux?
X11 is this for this OS
104
Why don't we use telnet to remote into systems?
We don't use this because all information is sent in plain text.
105
What is a Daemon? What is an example? What are they called in Windows?
This is a background process that exists for the purpose of handling periodic service requests that a computer system expects to receive. sshd is the Daemon for SSH. In windows they are called 'services'.
106
What is timestomping?
Changing the time of access for files to that of your choosing.
