Exam Flashcards

Get ready!

1
Q

What kind of services do we have to face from outside a network?

A

Web, FTP, SSH, DNS, mail (SMTP, POP3, IMAP, Exchange), VPN and many others

2
Q

What kind of services do we have to face from inside a network?

A

NetBIOS, SMB, printers, RDP, database services, LDAP, etc.

3
Q

What kind of errors (vulnerabilities) can we expect?

A

Configuration related errors and software vulnerability related errors

4
Q

Give examples of configuration related errors

A

– Default credentials
– Easy to guess credentials (we had information gathering before)
– No or inappropriate protection against guessing (brute-force)
– Unnecessary function
– Privilege misconfigurations
– Other configuration errors

5
Q

Give examples of software vulnerability related errors

A

– No input validation
– Memory handling errors
– Several others (see later)

6
Q

What are you looking for when you start compromising a service and first use it in a normal way?

A

– Is there any information disclosure?
– Error messages, etc.
– Restrictions

7
Q

Give examples of ways to force a service to error and obtain information

A

– Provide invalid data
– Use it in an invalid way

8
Q

What are the 5 other ways to start compromising?

A
  • Try factory defaults
  • Brute-forcing
  • Search for known exploits
  • Service specific exploitations
  • Unique ways
9
Q

What is brute forcing?

A

• Trying out multiple combinations
• How to generate the options?
  – Random
  – Trying out all combinations
  – Using a list or dictionary

10
Q

What are some brute forcing tools?

A

– THC Hydra (ssh, ftp, http)
  Hydra was created by the hacker group The Hacker's Choice. It is a universal brute-force tool that can be used for several protocols.
– Ncrack
– Medusa

11
Q

What is an exploit?

A

An exploit is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerized). Such behavior frequently includes things like gaining control of a computer system, allowing privilege escalation, or a denial-of-service (DoS or related DDoS) attack.

12
Q

What are some ways of attacking an FTP service?

A

The FTP server configuration file declares what is enabled.

If anonymous access is enabled, we can log in to see what we can do. We can also brute-force the credentials or use exploits.

13
Q

What is SMTP?

A

SMTP (Simple Message Transfer Protocol) is a standard for email transmission in widespread use today.

14
Q

What are the main SMTP commands?

A

HELO: Sent by a client to identify itself
EHLO: The same as HELO but with ESMTP (multimedia support)
MAIL FROM: Identifies the sender of the message
RCPT TO: Identifies the message recipients
DATA: Sent by a client to initiate the transfer of message content
Note there are no Subject, CC, BCC fields. All these data are placed in the data section (they are not part of SMTP).
VRFY: Verifies that a mailbox is available for message delivery. If it's allowed, user enumeration is possible.

15
Q

When attacking SMTP, what is open relay access?

A

In case of open-relay settings, the user doesn't need to provide credentials. Anyone can send a mail with arbitrary fields.

16
Q

How to find open-relay SMTP?

A
  • If one of the client's SMTP servers allows open-relay access, then any email can be sent unseen
  • Spam boxes will probably contain mail from some open-relay SMTP server
17
Q

How can the users make sure that an email arrived from the right person?

A
  • Check the email header
  • There's no 100% guarantee, use PGP (mail encryption)!

18
Q

What is a DNS service?

A

• DNS servers are all around the world
• Organized in a tree structure (13 root servers)
• The top level domains (.com, .net, .edu, .no, .de, etc.) are directly under the root servers
• DNS data are stored redundantly (master and slave server)

19
Q

Get in touch with services, what’s the order?

A

The order of the investigation is the following:
• Manual analysis (initial)
• Automatic analysis (several prewritten scripts). There are several tools to analyze the services automatically, e.g. Nessus, OpenVAS, Qualys, etc.
• Manual analysis (to check for false positives)

20
Q

What is HTTP response splitting?

A

HTTP response splitting is an old vulnerability (it still appears in 2018). In case of inappropriate validation of the requests, the client can provide misleading input (two new lines in the header indicate the end of the header). The attacker can force the server to cache a wrong server answer.

21
Q

HTTP operates with several web methods. What are the main methods in use?

A

• GET - to download data
• POST - to send data (e.g. I posted something on Facebook)
Other methods in use:
• HEAD - to obtain the HTTP header
• PUT - to place content on the server (e.g. RESTful services)
Further existing methods:
DELETE (to remove content), TRACE, DEBUG, OPTIONS (to see the list of available web methods)

22
Q

How do you proceed in compromising a website?

A
  • First use it in a normal way (find the linked subsites, contents, input fields)
  • Decide whether it is a simple static site or it has complex dynamic content (server side scripts, database behind)
  • Try to find unintended content (comments in source code)
  • Try to find hidden content without links (factory default folders, user folders, configuration files)
  • Try to obtain as much info as possible (information disclosures)
  • Force the site to error (invalid inputs) and see the result
23
Q

What is Client side filtering?

A

Input filtering can be done on the client side. Client side input filtering is not input validation! Any data on the client side can be modified (it's my browser, I can decide what data will be sent out). Typical input filtering:
• Form elements with restrictions (max length of input, restriction for special characters, only special characters are allowed, predefined input options e.g. radio button, combo box)
• JavaScript filtering (the JavaScript is running on the client side, more complex validation can be done)
Client side filtering can be bypassed easily, which practically means no additional security.

24
Q

What is the reason for having so many security issues?

A
  • Computer systems have several security problems
  • Lack of money
  • Lack of time
  • Lack of expertise
  • Negligence
  • Convenience
  • Old systems
  • Too complex systems
  • 3rd party components
  • And many others…
25
Q

Give a detailed account of the steps of hacking

A
  1. General information gathering: collecting all available information from the target and systemizing the information
  2. Technical information gathering: collecting network and system specific information like target IP ranges
  3. Identifying available hosts in the target network (which computers can be attacked)
  4. Identifying available services in the target network (which services can be attacked)
  5. Manual mapping of the services (to check how it looks like, the impressions, system reactions, mitigations, etc.)
  6. Automatic vulnerability scanning (intelligent tools with a huge vulnerability database)
  7. Manual verification of the findings (to check if the previous findings are real – true positives)
  8. Exploitation
  9. Lateral movements (to move through the network)
  10. Ensure access until the end of the project
  11. Achieve primary and secondary goals
  12. Remove clues
  13. Reporting and presentation
  14. Removing the attacking files!!! (tools, data, scripts created temporarily during the pentest)
26
Q

What is a Domain name?

A

A domain name is an identification string that defines a realm of administrative autonomy, authority or control within the Internet.

Example:

www.mn.uio.no
hostname.thirdlevel.secondlevel.TLD

27
Q

What is an IP?

A
  • IP addresses are for the identification of computers during the communication
  • To make them easy to memorize, IPv4 addresses are written as 8-bit (byte) blocks, e.g. 129.240.171.52
  • IPv6 addresses are represented as eight groups of four hexadecimal digits, e.g. 2001:0db8:0000:0042:0000:8a2e:0370:7334
28
Q

What type of computers are usually found in the network?

A
  • Servers
  • Network devices (router, switch)
  • Firewall (stateless, stateful), IDS, IPS
  • Printers
  • User desktops
  • User laptops
  • Mobile devices
  • IoT devices
29
Q

What is ICMP?

A

Internet Control Message Protocol (ICMP)
• To check whether a host is responding
• Echo request – echo reply, to make sure a host is turned on

30
Q

What are the answer options you can receive when Network mapping?

A

• Positive answer
  In case of ICMP we get an echo reply for our echo request
• Negative answer
  In case of ICMP we get a destination unreachable / host unreachable message
• No answer
  In case of ICMP, we have no response from the host that was addressed by the echo request

Example: ping

31
Q

What is ttl?

A
TTL means time-to-live. Since ICMP packets carry the TTL value, it is possible to guess the receiving host's operating system by its TTL.
Initial TTL values:
• Windows: 128
• Linux: 64
• Solaris: 255
32
Q

What is Nmap

A

Nmap is a universal port scanner; it is able to carry out ordinary and specific host and service discoveries.

33
Q

Mention some TCP typical services

A
  • TCP 80: web http
  • TCP 443: web https
  • TCP 20,21: ftp
  • TCP 22: ssh
  • TCP 25: smtp
  • TCP 137,139,445: netbios
  • TCP 3306: mysql
  • TCP 3389: remote desktop
  • TCP 5900: VNC
34
Q

What is a TCP handshake?

A

The TCP handshake is the process when a connection is about to be established on a specific port.

Sender sends SYN
Receiver sends SYN + ACK
Sender sends ACK

35
Q

What is XSS?

A

Cross Site Scripting (XSS) is a frequently appearing web related vulnerability. If the website accepts input from the user without proper validation or encoding, then the attacker can inject client side code to be executed in the browser.

Without validation the attacker can provide
• HTML elements
• JavaScript

JavaScript can overwrite the website content, redirect the page or access browser data, e.g. the cookies.

36
Q

What is possible through XSS, and what is not?

A
  • Attacker can provide any html element including javascript
  • Redirect the page to another site to mislead the user
  • Rewrite the document content (defacing the site) to mislead the user
  • Get the cookie variables (if they’re not protected with HTTPOnly), e.g. the session variables for session hijacking, authentication cookies
  • Keylogging: attacker can register a keyboard event listener using addEventListener and then send all of the user’s keystrokes to his own server
  • Phishing: the attacker can insert a fake login form into the page to obtain the user’s credentials
  • Launch browser exploits
    BUT
  • Local files of the clients are NOT accessible
37
Q

What can you do to prevent XSS?

A
  • Escaping user input
  • Filtering
  • Input validation
  • Sanitizing input
38
Q

What are some Session related attacks?

A

The session can be compromised in different ways:
• Predictable session token
  The attacker finds out what the next session id is and sets his own session according to this.
• Session sniffing
  The attacker uses a sniffer to capture a valid session id
• Client-side attacks (e.g. XSS)
  The attacker redirects the client browser to his own website and steals the cookie (JavaScript: document.cookie) containing the session id
• Man-in-the-middle attack
  The attacker intercepts the communication between two computers (see later: internal network hacking)
• Man-in-the-browser attack