GPEN Flashcards
What tool could you use to capture and crack LanMAN Challenge/Responses over a network?
Cain and Abel supports the capture and cracking of Windows NT LanMAN Challenge/Responses and NTLMv1 authentication exchanges over a network.
John the Ripper will crack NT password hashes, but it does not include a sniffer and needs to be used with other tools.
WinCrack is password cracker spyware. Finding it on a computer means that the computer is infected with malware. It cracks files enciphered by the tool WINCRYPT and does not capture network traffic.
Though Wireshark is a sniffer, it does not decode passwords by itself.
While performing a web application assessment, you start to analyze a Base64 encoded authorization cookie. How could you take a closer look at this encoded element if OWASP ZAP was your only available tool?
The hash calculator is immensely useful when analyzing responses that come from websites. For example, suppose a cookie comes back every time the user authenticates to a website. The tester could try to URL- or Base64-decode this cookie’s value to see if it is meaningful. Values can then be re-encoded with the simple click of a button.
An attacker has compromised a Windows workstation using Metasploit and has injected the Meterpreter payload into the svchost process. After modifying some files to set up a persistent backdoor she decides to change the modified and access times of the files to ensure that the administrator can’t see the changes made. Which Meterpreter module would she need to load in order to do this?
Priv
A client has asked that you scan all TCP ports on their entire corporate LAN consisting of about 1,500 hosts, but has only allotted 14 days for the entire penetration test. The client suggests using ScanRand to speed up the process of scanning. What is a potential problem with this technique?
While ScanRand is designed to scan large networks using asynchronous connections, it is possible for it to overwhelm the resources of the networking devices that are transporting the packets, leading to a denial of service. Nmap is not designed to scan networks of this size quickly, and scanning 1,500 hosts across all ports will take nearly 23 days, even if you are using 100 parallel scans and waiting a maximum of 1 second before moving on to the next service. To help prevent false positives, ScanRand uses a hash-based message authentication code based on a truncated SHA1 hash.
Examine the following command:
PS C:\temp> Get-ChildItem C:\ | Where-Object {$_.mode -match "d"}
What will happen when this command is entered?
The command first gets a directory listing of the C:\ directory. The output objects are passed to the second command, which examines the mode metadata of each object and filters for the value “d”, so only directories are displayed.
Analyze the command output below. What conclusion can be drawn?
user@desktop:~$ sudo nmap -sU 192.168.116.9
Starting Nmap 4.53 (http://insecure.org) at 2010-10-01 07:27 EDT
Not shown: 1485 closed ports
PORT STATE SERVICE
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
5353/udp open zeroconf
Nmap done: 1 IP address (1 host up) scanned in 1.556 seconds
The source system did not get a response to the packet sent to 137/udp. During an Nmap UDP scan, a host may send an ICMP port unreachable message for closed UDP ports. If that occurs, Nmap reports the port as closed. If the target does not respond to the probe packet at all, the port is reported as open|filtered.
With respect to Metasploit, a full payload consists of what?
Stager + Stage. A full Metasploit payload consists of the stager + the stage. The stagers tend to implement communications code for the later piece of the payload, which implements the payload’s function (a remote shell, GUI control, etc.). The stagers directory contains modules that include listening TCP ports, reverse TCP connections, and others. Stages are payload piece-parts that implement the functionality of a payload, such as a remote shell, GUI control, etc.
How would you execute multiple Windows commands from the command line, the second command executing after the first command?
command1 & command2. Note that [command1] & [command2] will execute command1 followed by command2.
What kind of SSL support is included in OWASP ZAP?
OWASP ZAP works with SSL-based web servers and also supports client-side SSL certificates. OWASP ZAP also supports SSL, using server-side certificates to set up two SSL sessions, one from the browser to ZAP, and the other from ZAP to the server. All information can be altered by ZAP, and, as far as the server is concerned, a valid inbound HTTPS session is occurring. ZAP also supports importing a client-side certificate for testing sites that issue certs to users for importation into their browsers. In such an environment, the tester would import the certificate into his or her browser and into ZAP.
What is better about NT-hashed passwords than LANMAN?
They can be up to 256 characters in length and support upper- and lowercase characters.
You are conducting a penetration test of a company’s web servers and would like a tool that includes a GUI and the ability to look for common errors and problems that you could find with a search engine such as Google. Which web application scanning tool could you use to accomplish this?
Wikto
You have compromised a Windows XP system and injected the Meterpreter payload into the LSASS process. While looking over the system, you notice that there is a popular password management program on the system. When you attempt to access the file that contains the passwords, you find it is locked. Further investigation reveals that it is locked by the passmgr process. How can you use Meterpreter to get access to this file?
Use the migrate command to jump to the passmgr process. That will give you access to the file. The migrate command allows the Meterpreter DLL to “jump” from one process to another. Once inside the target process, the attacker will have access to all files on which the process holds a read or write lock.
Where are password representations stored by default on Active Directory domain controllers?
%systemroot%\ntds\ntds.dit. The file ntds.dit is the main Active Directory database. NTDS stands for NT Directory Services. The DIT stands for Directory Information Tree. The ntds.dit file on a particular domain controller contains all naming contexts hosted by that domain controller, including the Configuration and Schema naming contexts. A Global Catalog server stores the partial naming context replicas in the ntds.dit right along with the full Domain naming context for its domain.
You are pen testing a Windows system. How would you list all services installed on the system, regardless of whether they are currently started?
sc query state= all. The command ‘sc query state= all’ lists all services installed on a Windows system regardless of whether they are currently started.
A site is running a management application that is accessed using SSHv1. You have configured Cain on a Windows system on the same network segment as the management server hosting the application. You want to attempt a MITM attack.
What feature of Cain can you use to capture the login credentials of an administrator on the system?
ARP-Poisoned Routing
Cain also offers a feature called ARP-Poisoned Routing (or APR, for short), which helps sniff in a switched environment and set up man-in-the-middle attacks between other systems on the same subnet as the attacker.
With this feature, Cain sends gratuitous Address Resolution Protocol (ARP) messages to systems on the same subnet as the machine running Cain. These gratuitous ARPs remap the IP address to MAC address mapping in the target machines’ ARP caches so that traffic meant for another system’s IP address on the same subnet gets sent to the attacker running Cain. Then, by forwarding packets to their intended recipient on the LAN, Cain keeps traffic flowing.