Final Exam Flashcards

1
Q

Reconnaissance

A

To investigate the target using publicly available information. One key objective is to obtain a list of the target's IP addresses.

2
Q

Scanning

A

To look for openings in the target's system.

3
Q

Port Scanning

A

Output is a list of open ports and potential services running on the target.

4
Q

Exploitation

A

Using password cracking and other techniques to gain administrative control over the target machine, but the access may be temporary and non-persistent.

5
Q

Maintaining Access

A

Creating a more permanent backdoor for subsequent access to the system.

6
Q

Active Reconnaissance

A

Interacting directly with the target. The target may record your IP address and log your activity.

7
Q

Passive Reconnaissance

A

Makes use of the vast amount of information available on the web. You do not directly interact with the target and as such, the target has no way of knowing, recording, or logging your activity.

8
Q

Google as a Reconnaissance Tool

A

Search the Google cache rather than the target's web site, to reduce your digital footprint on the target's server and to gain access to files that have been removed from the target's web site.

9
Q

theharvester

A

A program that collects email addresses from the Web using Google, Bing, etc.
theHarvester is integrated into Kali.
The usernames collected can be used in brute-force password cracking.

10
Q

Interrogating DNS Server

A

Networks may need multiple DNS servers for the sake of redundancy (fault tolerance) or load balancing. These DNS servers need to stay in sync by doing zone transfers (a.k.a. AXFR or Asynchronous Full Transfer Zone), where one DNS server sends all of its host-to-IP mappings to another DNS server.
Hackers may attempt a zone transfer to acquire all IP addresses for subsequent scanning.

11
Q

Defence: Interrogating DNS Server

A

Allow "zone transfer" only for legitimate peers such as secondary DNS servers.
DNS records should not contain operating system type and version information. DO NOT keep host information and text records (HINFO and TXT).

12
Q

METAGooFIL

A

Microsoft documents such as Word or PowerPoint files contain metadata that describes the file name, file size, file owner, username, and path location.
MetaGooFil scours a specific target for such files, downloads them, and extracts useful metadata.

13
Q

Port scanning: Nmap

A

A port scanner (e.g. Nmap) sends a packet to each port to determine which ports are open.

14
Q

Xmas Scan & Null Scan

A

Xmas Scan sends packets with the FIN, URG and PUSH flags turned on, but SYN, ACK and RST off.

Null Scan sends a packet with no TCP flags set.
In both cases a closed port responds with RST, and an open port sends nothing.

15
Q

Specially Crafted Probes

A

A specially crafted packet that the remote system can't understand or deal with,
e.g. a packet longer than the expected packet size (548 bytes), which causes a buffer overflow.

16
Q

Defense Against Port Scanning

A

All unneeded ports and their related services must be shut off. Periodically use Nmap to scan across the network for open ports on each host, and close all unused ports (e.g. TCP 25 for SMTP on a Web server).

17
Q

Vulnerability Scanners and Common Vulnerabilities

A

Vulnerability scanners keep a database of vulnerabilities of many systems, and automate the process of checking across the network to see whether any of these known vulnerabilities are present on the target. Common vulnerabilities are:

(1) Poor configuration settings that leave various openings for an attacker to gain access (e.g. files not properly protected).
(2) Weak default configuration security settings, such as default accounts and passwords.
(3) Well-known system vulnerabilities: new security holes are discovered and published on the Internet, but patching may be slow to catch up.

18
Q

Nessus (pre-installed on Kali)

A

Nessus is a vulnerability scanner. It automates the process of connecting to the target and checking for:

(a) backdoors and vendor-specific vulnerabilities (Cisco, Windows, etc.)
(b) loopholes that let attackers gain command-line access or super-user access remotely
(c) vulnerable CGI (also ASP, JSP, PHP, etc.) scripts
(d) misconfigured firewalls
(e) missing patches

19
Q

Vulnerable CGI Scripts

A

Run on the Web-server side to process user input. Many widely used CGI scripts include flaws that accept inputs with embedded malicious commands. The CGI script then allows the attacker to send the embedded malicious commands directly to the command line for execution.

20
Q

Exploitation

A

Attackers gain access through:
(a) program loopholes (e.g. stack-based buffer overflow attacks)
(b) password attacks
(c) sniffing network traffic
or through Web exploitation:
(d) SQL injection
(e) Web application attacks

21
Q

Stack-Based Buffer Overflows Attack

A

stack = a special reserved area for storing information on subroutines and functions.
A program writing more data (i.e. exceeding the allocated buffer) to a memory address on the stack causes this data to overflow and corrupt adjacent data on the stack.
An attacker enters input data (containing attack code) into a program through a GUI or the command line. The input data corrupts the stack and causes the executable attack code to be run.

22
Q

NOP Command

A

A command telling the processor to do nothing and move on.

23
Q

Administrators’ Defense Against Stack-Based Buffer Overflows Attack

A

Keep systems patched. The computer underground and security professionals are constantly discovering new vulnerabilities.
Use a non-executable stack (i.e. read and write only). If the system is configured to refuse to execute instructions from the stack, most stack-based buffer overflows won't work.
Software developers must be trained to understand what buffer overflows are and how to avoid them. Code should check the size of the input against the buffer size before writing.

24
Q

Metasploit: an Exploitation Platform

A

Manually crafting an exploit tool to take advantage of a flaw (e.g. a buffer overflow) is a painstaking process. Loading the attack machine code and calculating the return pointer require great care.
Metasploit provides a platform for mass production of exploits.
Metasploit is installed in Kali.

25
Q

Metasploit Attack 3 Steps

A

Choosing an exploit. A vulnerability (e.g. a missing patch) may be open to zero or multiple exploits (code that exploits the vulnerability).

Choosing a payload (e.g. a command shell such as Meterpreter, which stealthily runs entirely in memory without touching the hard disk; adding an admin user; installing remote-control software; etc.)

Choosing a target

26
Q

Administrator’s use of Metasploit

A

Some vulnerability scanners (e.g. Nessus) may report false alarms/false vulnerabilities (30-40%). Metasploit can confirm whether a vulnerability really exists.

Use Metasploit in penetration testing to test the strength of firewalls, IPS/IDS, etc.

27
Q

Encrypt Versus Hash (very simplistic view)

A

Encrypt: A->C, B->D, C->E;
CAB->ECD

Hash: CAB->log(676566) = 5.8303102…
Note: ASCII value: A=65, B=66, C=67

Hashes are irreversible.

28
Q

User Mode vs Kernel Mode

A

Applications run in user mode, and core operating system components run in kernel mode. Many drivers run in kernel mode, but some drivers run in user mode.

29
Q

User Mode

A

In User Mode, when a user enters his or her username and password during the logon process, the Security subsystem sends these entries to the SAM (Security Account Manager). The SAM has a user authentication database (the SAM database).
The SAM database contains two encrypted passwords (i.e. LM, LAN Manager, and NT, New Technology) for each user account.

30
Q

LM Password

A

LM is calculated for passwords with 14 or fewer characters.
The LM representation is calculated only after all characters have been converted to uppercase.
LM is then broken into two 7-character passwords.

31
Q

NT Password

A

NT password hashes (i.e. similar to encryption) are far stronger (i.e. they use a more secure algorithm).
Modern versions of Windows do not use LM passwords by default, but have options to enable LM passwords to support backward compatibility with legacy systems. Enabling LM passwords for legacy systems puts the entire network at risk.
The lesson:
Upgrade and discard old systems (Win95, 98).

32
Q

Medusa

A

An online password-guessing tool integrated with Kali. It uses:
usernames from theHarvester and MetaGooFil
IP addresses from reconnaissance

33
Q

Password Guessing Limitations

A

Password guessing is slow. Each login attempt could take a few seconds (transmission, encrypting the submitted password, looking up the real user ID and encrypted password, comparison, etc.).
The constant attempts to log in to the target generate a significant amount of network traffic and log activity, which could easily alert a system administrator or an IDS/IPS. Some systems are configured to disable an account after a fixed number of login failures (password throttling). The user must then call the help desk or wait for a timeout. This account lockout feature helps prevent password-guessing attacks through login scripting.
However, with account lockout in place, an attacker could conduct a denial-of-service attack by locking out all accounts using a script.

34
Q

Password Cracking Tools

A

Cain (runs on Windows)

John the Ripper (runs on Unix, Linux, Windows, etc.)

The password cracking software runs on the attacker’s computer, and will not alert the target’s administrator or IDS/IPS.

35
Q

Cain/John the Ripper

A

Cain supports reverse dictionary guesses, applies mixed case to guesses, and appends numbers to words.

John (part of Kali) will append and prepend characters, and attempt dictionary words forward, backward, and typed in twice. It will even truncate dictionary terms and append/prepend characters to the resulting strings.

36
Q

Persistent Cookie

A

Written to the local file system when the browser is closed, and will be read the next time the browser is executed. Persistent cookies, therefore, are most often used to store long-term user preferences.

37
Q

Netcat

A

Allows a user to move data across a network, while functioning much like the UNIX “cat” command. While cat just dumps data on the local system, Netcat moves arbitrary data over the network through any TCP or UDP port.

38
Q

2 Modes of Netcat

A

In listener mode (listener = server, invoked with the -l option), Netcat opens any TCP or UDP port on the local system and waits for data to come in through that port. Netcat listeners send all data gathered from the network to standard output, which could be displayed on the screen or piped through another program.

In client mode, Netcat can be used to initiate a connection to any TCP or UDP port on another machine. Netcat takes its data from standard input (i.e. keystrokes from the keyboard) or from a program (piped into it) and sends the data across the network.

39
Q

Rootkit

A

Rootkits embed themselves deep into the operating system (kernel) and help hackers completely hide malicious processes and programs from users, administrators, and even the operating system.
Rootkits are so effective at hiding files that they succeed in evading even the most finely tuned antivirus software.

40
Q

Hidden Table

A

Hiding files and folders from Explorer and Task Manager. An admin may check with % ls -al

41
Q

Hidden Processes

A

Hiding processes or programs from Task Manager. An admin may check with % ps -a

42
Q

Root Processes

A

Grant processes the right to access hidden folders and processes.

43
Q

Hidden Services

A

Hiding services from Task Manager. Services run in the background. An admin may check with % ls /etc/init.d/ or ls rc.d for startup scripts or running commands.