Exploiting Network Vulnerabilities Flashcards
Charles wants to deploy a wireless intrusion detection system. Which of the following tools is best suited to that purpose?
a. WiFite
b. Kismet
c. Aircrack-ng
d. SnortiFi
b. Kismet is specifically designed to act as a wireless IDS in addition to its other wireless packet capture features. WiFite is designed for wireless network auditing. Aircrack-ng provides a variety of attack tools in addition to its capture and injection capabilities for wireless traffic. SnortiFi was made up for this question.
Chris is conducting an on-site penetration test. The test is a gray-box test, and he is permitted on-site but has not been given access to the wired or wireless networks. He knows he needs to gain access to both to make further progress. Which of the following NAC systems would be the easiest for Chris to bypass?
a. A software client-based system
b. A DHCP proxy
c. A MAC address filter
d. None of the above
c. If the NAC system relies only on MAC filtering, Chris only needs to determine the hardware address of a trusted system. This may be accessible simply by looking at a label on a laptop or desktop, or he may be able to obtain it via social engineering or technical methods.
Chris is conducting an on-site penetration test. The test is a gray-box test, and he is permitted on-site but has not been given access to the wired or wireless networks. He knows he needs to gain access to both to make further progress. If Chris wants to set up a false AP, which tool is best suited to his needs?
a. Aircrack-ng
b. Kismet
c. Wireshark
d. WiFite2
a. Aircrack-ng has fake-AP functionality built in, with tools that will allow Chris to identify valid access points, clone them, disassociate a target system, and then allow on-path attacks.
Chris is conducting an on-site penetration test. The test is a gray-box test, and he is permitted on-site but has not been given access to the wired or wireless networks. He knows he needs to gain access to both to make further progress. Once Chris has gained access to the network, what technique can he use to gather additional credentials?
a. ARP spoofing to allow an on-path attack
b. Network sniffing using Wireshark
c. SYN floods
d. All of the above
a. Chris can use ARP spoofing to represent his workstation as a legitimate system that other devices are attempting to connect to. As long as his responses are faster, he will then receive traffic and can conduct on-path attacks. Network sniffing is useful after this to read traffic, but it isn’t useful for most traffic on its own on a switched network. SYN floods are not useful for gaining credentials; thus, both options C and D are incorrect.
What attack technique can allow the pentester visibility into traffic on VLANs other than their native VLAN?
a. MAC spoofing
b. Dot1q spoofing
c. ARP spoofing
d. Switch spoofing
d. Switch spoofing relies on a switch interface that is configured as either dynamic desirable, dynamic auto, or trunk mode, allowing an attacker to generate Dynamic Trunking Protocol (DTP) messages. The attacker can then access traffic from all VLANs.
What type of Bluetooth attack attempts to send unsolicited messages via Bluetooth devices?
a. Bluesnarfing
b. Bluesniping
c. Bluejacking
d. Bluesending
c. Bluejacking is an attack technique that attempts to send unsolicited messages via Bluetooth. Bluesnarfing attempts to steal information, whereas bluesniping is a term for long-distance Bluetooth attacks. Bluesending is not a common term used for Bluetooth attacks as of this writing.
Cassandra wants to attack a WPS-enabled system. What attack technique can she use against it?
a. WPSnatch
b. Pixie dust
c. WPSmash
d. e-Lint gathering
b. Pixie dust attacks use brute force to identify the key for vulnerable WPS-enabled routers due to poor key selection practices. The other options are made up.
Michelle wants to capture NFC communications as part of a penetration test. What is the most critical factor in her ability to intercept the communication?
a. Encryption
b. Duration of communication
c. Range
d. Protocol version
c. NFC communications occur at a very short range that allows a “tap” to occur. That means that Michelle will need to put a capture device very close to the communications, or that she needs specialized capabilities to try to capture the traffic at longer distances. Encryption can make it difficult to read the traffic, but it won’t stop interception. Duration of the transmission and protocol version could potentially add complexity, but the key thing to remember is that NFC is a very short-range protocol.
As part of a penetration test, Mariana uses a tool that tries the same username and password from a list against many target systems and then moves on to the next username and password from its list. Which of the following terms best describes the attack she is using?
a. Brute force
b. Dictionary
c. Hash cracking
d. Password spraying
d. Mariana is conducting a password spraying attack. Password spraying attacks use the same credentials against many systems, then try the next credential pairing. Hash cracking attempts to identify the original password that resulted in a given captured hash. Dictionary attacks use a word list along with a set of rules to modify those words to attempt a brute-force attack. A brute-force attack involves repeated tries using an algorithm or process to attempt to log in. When a question like this has multiple potentially correct answers, remember to answer with the most specific answer rather than a broad answer.
Steve has set his penetration testing workstation up for an on-path attack between his target and an FTP server. What is the best method for him to acquire FTP credentials?
a. Capture traffic with Wireshark
b. Conduct a brute-force attack against the FTP server
c. Use an exploit against the FTP server
d. Use a downgrade attack against the next login
a. FTP is an unencrypted protocol, which means that Steve can simply capture FTP traffic the next time a user logs into the FTP server from the target system. A brute-force attack may succeed, but it’s more likely to be noticed. Although an exploit may exist, the question does not mention it, and even if it does exist it will not necessarily provide credentials. Finally, downgrade attacks are not useful against FTP servers.
Ian wants to drop a tool on a compromised system that will allow him to set up a reverse shell. Which of the following tools should he select?
a. Aircrack-ng
b. Nmap
c. Netcat
d. Censys
c. Netcat is the only tool from this list that can be used as a reverse shell. It can also be used for basic port scanning and a variety of other network attacks and testing purposes. Aircrack-ng is used for wireless network penetration testing, Nmap is a port scanner, and Censys is a search engine that can be used for open source intelligence work.
What drives the use of deauthentication attacks during penetration tests?
a. The desire to capture handshakes
b. Bluejacking attacks
c. Network stress or load testing
d. RFID cloning attacks
a. Deauthenticating a system will result in reauthentication, creating the possibility of capturing handshakes from a target. Bluejacking, network stress testing, and RFID cloning attacks do not rely on deauthentication.
Which of the following tools will not allow Alice to capture NTLM v2 hashes over the wire for use in a pass-the-hash attack?
a. Responder
b. Mimikatz
c. Ettercap
d. Metasploit
b. Unlike the other options listed, Mimikatz pulls hashes from the Local Security Authority Subsystem Service (LSASS) process. Since the question specifically notes “over the wire,” Mimikatz is the only tool that cannot be used for that.
For what type of activity would you use the tools HULK, LOIC, HOIC, and SlowLoris?
a. DDoS
b. SMB hash capture
c. DoS
d. Brute-force SSH
c. All of these tools are denial-of-service tools. Although some of them have been used for DDoS attacks, they are not DDoS tools on their own.
During a penetration test, Mike uses double tagging to send traffic to another system. What technique is he attempting?
a. RFID tagging
b. Tag nesting
c. Meta tagging
d. VLAN hopping
d. Mike is using nested tags inside a packet to attempt to hop VLANs. If he is successful, his packets will be delivered to the target system, but he will not see any response.