Linux & Security Flashcards

1
Q

What does writing echo do?

A

echo Output any text that we provide

2
Q

How do you find out which user you are logged in as?

A

whoami Find out what user we’re currently logged in as!

3
Q

How do you list the contents of a directory with privileges? How do you include hidden files?

A

ls -l
ls listing

ls -a for hidden files

4
Q

How do you move in and out of a directory?

A

cd
cd ..
cd /dir/

5
Q

How do you list the contents of a file?

A

cat file.txt

6
Q

How do you show your current working directory?

A

pwd
print working directory

7
Q

How do you find a specific file among different directories?

A

find -name specificfile.txt

8
Q

How do you find a specific TYPE of file among different directories?

A

find -name *.txt

9
Q

How do you find a specific entry in a long file, like an IP address in a .log file?

A

grep “(what you’re looking for)” (file of contents).log

grep “81.143.211.90” access.log

10
Q

How do you write text into an empty file using the command line?

A

echo (content) > (filename)
cat (content) > (filename)
echo hey > welcome

>> to keep the contents of the file without overwriting them

11
Q

What is SSH and how does it work? How does SSH authenticate users, and how does this authentication work?

A

Secure Shell is a network communication protocol.

SSH employs encryption to ensure that hackers cannot interpret the traffic between two connected devices.

The ssh command provides a secure encrypted connection between two hosts over an insecure network. This connection can also be used for terminal access, file transfers, and for tunneling other applications. Graphical X11 applications can also be run securely over SSH from a remote location.

AUTHENTICATION

TCP based connection, 3 way handshake.

An SSH daemon must be running on the server side of the communication in order to use this protocol, i.e. listening on a port for inbound SSH connections.

SSH authenticates users by using passwords or SSH keys. SSH passwords can be easily breached.

  1. SSH keys are a matching set of cryptographic keys which can be used for authentication. Each set contains a public and a private key. The public key can be shared freely without concern, while the private key must be vigilantly guarded and never exposed to anyone.
  2. To authenticate using SSH keys, a user must have an SSH key pair on their local computer. On the remote server, the public key must be copied to a file within the user’s home directory at ~/.ssh/authorized_keys. This file contains a list of public keys, one-per-line, that are authorized to log into this account.
  3. When a client connects to the host, wishing to use SSH key authentication, it will inform the server of this intent and will tell the server which public key to use. The server then checks its authorized_keys file for the public key, generates a random string, and encrypts it using the public key. This encrypted message can only be decrypted with the associated private key. The server will send this encrypted message to the client to test whether they actually have the associated private key.

SIMPLER EXPLANATION

An SSH key relies upon the use of two related keys, a public key and a private key, that together create a key pair that is used as the secure access credential. The private key is secret, known only to the user, and should be encrypted and stored safely. The public key can be shared freely with any SSH server to which the user wishes to connect. These keys are normally managed by an organization’s IT team, or better yet, with the help of a trusted Certificate Authority (CA) to ensure they are stored safely.

12
Q

What is ARP? How does it function (1)? How can it be abused?

A

ARP stands for Address Resolution Protocol. It is used to discover MAC addresses and map them to IP addresses for LAN communications.

  1. WHOIS? An ARP request is broadcast by a host asking for someone’s MAC address. It is sent to every client on the network, and discarded by each client that does not own the target IP. The target client will send out an ARP frame containing its MAC address.
  2. The host receives the MAC address, which is stored in an ARP cache. This allows communication on the network now that both devices know each other’s MAC addresses.
  3. An ARP request broadcast for 192.x.x.x is sent to every device on the LAN.
  4. Each device receives the request and discards it if it is not the designated recipient, whereas the target IP will respond with its MAC.
  5. This MAC address is saved into the sender’s ARP cache, where MAC addresses are stored in relation to IP addresses for other devices on the network.

ARP operates on layer 2 of the OSI 7 layer model and of TCP/IP, as it deals with MAC addressing.

ARP can be abused via ARP cache poisoning

  1. The hacker will send ARP packets containing false information, impersonating the MAC address of a particular device which is the endpoint of sensitive data (usually the default gateway).
  2. The target will accept this ARP information and store it in its ARP cache, effectively having it poisoned with the hacker’s spoofed MAC address.
  3. The target will begin sending its data to the spoofed address of the hacker.

You can use bettercap ARP spoof feature which will send arbitrary ARP packets to intended victims, allowing you to impersonate any device on the LAN (default gateway being the prime target to imitate)

13
Q

How do you usually install the requirements for a particular package off github?

A

Pip.

python3 -m pip install filename.txt

14
Q

How do you quickly view the history of your commands from a terminal session?

A

history

15
Q

How do you make a new directory?

A

mkdir *

16
Q

How do you delete a directory? How do you remove a directory if it isn’t empty?

A

rmdir *

rm -r

17
Q

How do you get the current system details such as OS version?

A

hostnamectl

Detailed

uname -a

OS version and build of machine

18
Q

How do you display free memory of the system?

A

free -m

sounds like “free -memory”

19
Q

How do you display the running processes in a system?

A

top
htop

sounds like “top processes”

20
Q

How do you display all ports the machine is listening on?

A

netstat

21
Q

How do you list the contents of your current working directory with permissions? How do you do this for a specific file?

A

ls -l filename

22
Q

How do you allow a file to be run by every user? How do you allow every user to read, write and execute it?

A

chmod 777 filename

23
Q

How do you allow a file to be read and written by every user but not executed?

A

chmod 766 filename

24
Q

How do you add another user?

A

useradd username

25
Q

How do you list all disk partitions?

A

fdisk -l

26
Q

How do you create a new disk partition on the sda directory?

A

fdisk /dev/sda

27
Q

How do you format a particular disk partition?

A

mkfs.ext4 /dev/sda1

mcfucks.ext4

I mcfuck your partition

28
Q

How do you display all devices connected by USB?

A

lsusb -tv

29
Q

How do you compress a file into a .zip file?

A

zip filename.zip filename

30
Q

How do you unzip a .zip file?

A

unzip filename.zip

31
Q

How do you copy a file or a directory to somewhere else?

A

cp -r // /**/

32
Q

How do you view the address of the default gateway?

A

ip r

33
Q

How do you view which DNS server your machine is configured to use?

A

cat /etc/resolv.conf

34
Q

How do you terminate a process?

A

kill *

35
Q

How do you view all hardware components?

A

lshw

36
Q

How do you string together several commands in one terminal entry?

A

;

37
Q

What is an FTP server? How does this protocol work (1)? How are FTP servers usually accessed (2)? How is a connection established for FTP (3)? What are the issues with this protocol (4)? What are the variants of FTP (5)?

A

File transfer protocol.

FTP uses a client server model, where a server hosts files for a client. Upload, download, delete.

You can use your browser to access it, e.g. ftp://22.35.65.123.1, or Windows File Explorer, or an FTP client.

FTP servers allow access through logins or anonymously, depending on permissions.

FTP uses TCP connections, established through 3 way handshakes.

SYN -> Server
Client <- SYN-ACK
ACK -> Server

FTP connections involve 2 connections over Port 21:

-Control connection: All FTP commands, such as GET
-Data connection to transfer files

FTP connections are open and unencrypted as it is a very old protocol. FTPS is a secure extension of FTP servers through TLS encryption. Regular FTP traffic can be viewed in plaintext if intercepted, which is bad for login details.

Variants of FTP:

-TFTP, trivial file transfer protocol
-SFTP, SSH file transfer protocol
-FTPS, TLS encrypted FTP connection

38
Q

What is the default gateway?

A

A default gateway is the node in a computer network using the Internet protocol suite that serves as the forwarding host (router) to other networks when no other route specification matches the destination IP address of a packet.

39
Q

How do you resolve a website domain to IPV4?

A

host *.com

40
Q

How do you conceal all traffic including traffic from the terminal?

A

Conceal traffic by routing it all through the Tor network, by downloading TorGhost.

TorGhost redirects all internet traffic through SOCKS5 tor proxy. DNS requests are also redirected via tor, thus preventing DNSLeak.

To install TorGhost:
git clone https://github.com/SusmithKrishnan/to…
cd torghost
chmod +x build.sh
./build.sh

Torghost -s to start tor routing.

41
Q

What is SOCKS5? How can it be used by hackers?

A

What is SOCKS5 proxy? A SOCKS5 proxy is an alternative to a VPN. It routes packets between a server and a client using a proxy server, and potentially a chain of public proxy servers.

It can be used by hackers by routing malicious traffic through their proxy server.

Unlike VPNs, SOCKS5 does not encrypt traffic, and so it can be sniffed and captured through packet analysis as it enters its entry node.

42
Q

Define onion routing (2). What is it often used for (3)? How does tor encryption work (5)?

A

Onion routing routes your traffic through several different servers for privacy. Data moving to another tor node is called a hop.

It offers end-to-end encryption which is layered for each hop in the TOR circuit. These layers of encryption are removed with each hop (like an onion), which allows the data to be unrecognisable and anonymous between hops. This means that data intercepted between hops cannot be traced back to the original sender, unless the traffic is intercepted at the beginning or end. This is why onion routing is often used for criminal activities, as it makes it difficult to track by law enforcement.

43
Q

What type of device is a WiFi Hub? What does it do (3)? How does it differ from other networking devices (5)?

A

A Hub connects devices on a network together. Classic Hubs are very old technology, and are largely discontinued, and have been replaced by switches.

A hub repeats data and sends it to every other client on the network, not exclusively to the correct recipient. For this reason, a hub wastes bandwidth. This also comes with security risks as all clients receive all data.

A hub uses a half-duplex, which means it cannot send and receive data at the same time. This would cause a data collision and data loss.

A hub is a Layer 1 device, and it has no knowledge of addresses (1).

44
Q

What type of device is a WiFi Switch? What does it do (3)? How does it differ from other networking devices (5)?

A

Switches are intelligent devices which act as bridges and hubs put together. Switches connect devices on a network, while simultaneously keeping track of MAC addresses and port numbers. Switches are usually built into modern routers. (1)

Initially the switch will send data to every device on the network to learn the MAC address of the correct recipient, and this MAC address and port number will be stored on the switch. (3)

Layer 2 device. Full duplex. The switch differs to other networking devices because it is able to use MAC and port numbers to forward data directly to the intended recipient after this is stored in the switch MAC address table. (5)

45
Q

What type of device is a WiFi Bridge? What does it do (3)? How does it differ from other networking devices (5)?

A

Bridges were classically used to combat the shortcomings of Hubs.

Bridges bridge different hubs together and segment LANs, and are Layer 2 devices which store MAC addresses.

Bridges are also old technology which have been replaced by switches.

46
Q

What type of device is a WiFi Router? What does it do (5)?

A

Routers are intelligent networking devices which have an integrated switch. The router connects the LAN to the WAN, and routes traffic based on DHCP allocated IP addresses. (1)

Layer 3 device because it stores IP addresses, port numbers and MAC addresses.

47
Q

What is a Network Interface Controller (NIC)? What is a Wireless Network Interface Controller?

A

The ethernet jack on a computer.

Same thing as a NIC, but it uses radio waves to connect to an access point instead of a cable.

48
Q

What is the OSI 7 layer model and how does it work (2)? What are the typical uses of the OSI 7 layer model (3)? What typical protocols are associated with each layer of the model (5)?

A

It is A THEORETICAL FRAMEWORK ONLY. TCP/IP framework is the internet implementation of the OSI model.

When data is sent, it is sent top down.
When data is received, it is received bottom up.

  1. Application Layer

Applications and programs. - HTTP, FTP, SSH, DNS.
Self explanatory. Human interaction with apps and programs.
End User Layer

  2. Presentation Layer

Syntax Layer
Presentation of data from/to the application. - SSL, SSH, IMAP, MPEG, JPEG.
Takes data and defines how it should be encoded, encrypted or compressed for the session layer.

  3. Session Layer

Establishing communication channels for data communication. - APIs, Sockets.
Syncing sessions, resuming connections if interrupted.
Sync & Send Layer

  4. Transport Layer

Assembling data in the correct order. - TCP, UDP.
End-to-end Connections.

  5. Network Layer

Routing packets to the correct destinations. - IP, ICMP, IPSec, IGMP
The network layer has two main functions. One is breaking up segments into network packets, and reassembling the packets on the receiving end. The other is routing packets by discovering the best path across a physical network.

  6. Data Link Layer

Packets to frames, frames to packets. Logical Link Control to identify network protocols and MAC addresses to find correct devices. - Ethernet, PPP, Switch
Frames

  7. Physical Layer

The physical layer is responsible for the physical cable or wireless connection between network nodes. It defines the connector, the electrical cable or wireless technology connecting the devices. - Fiber, Access Points, Copper Cabling
Physical Structure

49
Q

What is a shell? What is a terminal?

A

The shell is a program that takes commands from the keyboard and gives them to the operating system to perform.

This is a program that opens a window and lets you interact with the shell.

50
Q

What is NMAP? How would you use it on a target (2)? What are the different abbreviations for NMAP (4 if you list 4, 5 if you are able to list all of them)?

A

Nmap is a network reconnaissance tool used to scan for open ports and services run by clients by sending various packets to the given IP range.

Hackers will port scan a network to find services which are vulnerable to known attacks, such as open SSH, or aero blue, etc.

Ports are necessary for making multiple network requests or having multiple services available.

What is the first switch listed in the help menu for a ‘Syn Scan’? SYN scans are a little more difficult to detect because they are just trying to leave a connection open and relying on the timeout to clear the connections.
-sS

Which switch would you use for a “UDP scan”?
-sU

OS detection
-O

Nmap provides a switch to detect the version of the services running on the target. What is this switch?
-sV

The default output provided by nmap often does not provide enough information for a pentester. How would you increase the verbosity?
-v

Verbosity level one is good, but verbosity level two is better! How would you set the verbosity level to two?
(Note: it’s highly advisable to always use at least this option)
-vv

What switch would you use to save the nmap results in a “normal” format?
-oN

If we don’t care about how loud we are, we can enable “aggressive” mode. This is a shorthand switch that activates service detection, operating system detection, a traceroute and common script scanning.
-A

Scan with the default nmap scripts
-sC

Port number or all ports
-p or -p-

51
Q

What is gobuster? What can it be used for (3)? What are the different abbreviations for gobuster (4 if you list 4, 5 if you are able to list all of them)?

A

GoBuster is a tool used to brute-force URIs (directories and files), DNS subdomains and virtual host names. For this machine, we will focus on using it to brute-force directories.

/usr/share/wordlists.
gobuster dir -u http://:3333 -w

52
Q

What is Nikto? What can it be used for (3)? What are the different abbreviations for nikto (4 if you list 4, 5 if you are able to list all of them)?

A

Nikto is a free software command-line vulnerability scanner that scans webservers for dangerous files/CGIs, outdated server software and other problems. It performs generic and server type specific checks. It also captures and prints any cookies received.

It can be used to find known vulnerabilities of web applications.

sudo nikto -h (IP) -p (port)

53
Q

What is traceroute? What can it be used for?

A

The logical follow-up to the ping command is ‘traceroute’. Traceroute can be used to map the path your request takes as it heads to the target machine.

Tracks how many hops it takes to reach destination.

traceroute (IP)

54
Q

What is the TCP/IP layer model and how does it work (2)? What are the typical uses of the TCP/IP layer model (3)? What typical protocols are associated with each layer of the model (5)?

A

TCP/IP model is a real world implementation of the OSI 7 layer model. It uses a TCP three-way handshake connection between two devices.

OSI 7 layer model is not used at all. OSI is just a theoretical model, it has never been implemented 1:1 in a real world scenario. TCP/IP is an “implementation” of the OSI model.

As mentioned earlier, TCP is a connection-based protocol. In other words, before you send any data via TCP, you must first form a stable connection between the two computers. The process of forming this connection is called the three-way handshake.

TCP

SYN
SYN/ACK
ACK

APPLICATION/ Application, presentation and session.
TRANSPORT/ Transport.
NETWORK/ Network.
NETWORK INTERFACE/ Physical and data link.

55
Q

What is a loopback address?

A

loopback address: IP shorthand for you — actually, your computer. The loopback is a special IP address (127.0.0.1) that isn’t physically connected to any network hardware. You use it to test TCP/IP services and applications without worrying about hardware problems.

56
Q

What is an intranet?

A

An organization’s private network. If your intranet is built on TCP/IP protocols, applications, and services, it’s also an Internet.

57
Q

What is subnetting? What is a subnet mask?

A

Dividing one large Internet into smaller networks (subnets) in which they all share the same network portion of an IP address.

/24
/25
/26
etc…

58
Q

What are the different types of IP addresses?

A

Internal IP addresses and External IP addresses.

IPv6: 2001:db8::8a2e:370:7334.
IPv4: 192.168.0.1

59
Q

How do you copy files from one directory to another?

A

Copying and moving files is an important functionality on a Linux machine. Starting with cp, this command takes two arguments:

cp (file) ///(destination)

60
Q

How do you determine the filetype of a file?

A

file

file *

61
Q

What are the most common directories in a Linux system (2)? Why are each of them important (4)? Can you list them all (5)?

A

/etc - etcetera

The etc folder (short for etcetera) is the commonplace location to store system files that are used by your operating system.
The /etc folder is the central location where all your configuration files are located, and it can be treated as the nerve centre of your Linux/Unix machine.
Configuration file centre.

The local DNS configuration is stored here. It is a target for hackers who manually poison DNS.

/var

The “/var” directory, with “var” being short for variable data, is one of the main root folders found on a Linux install.

This folder stores data that is frequently accessed or written by services or applications running on the system. For example, log files from running services and applications are written here (/var/log).

This is such a crucial folder on your Linux systems. Open up a terminal window and issue the command cd /var/log. Now issue the command ls and you will see the logs housed within this directory (Figure 1).

Previous terminal command logs can be found here. They can be erased by hackers to conceal their presence.

/root

The /root folder is actually the home for the “root” system user. There isn’t anything more to this folder other than understanding that this is the home directory for the “root” user.

/tmp

Short for “temporary”, the /tmp directory is volatile and is used to store data that is only needed to be accessed once or twice. Similar to the memory on your computer, once the computer is restarted, the contents of this folder are cleared out.

Any file stored in /tmp is actually being stored in memory rather than on your persistent storage devices.

Critical data can be recovered from here by viewing what was being done in the previous session.

/bin — Essential User Binaries

Applications such as Firefox are stored in /usr/bin, while important system programs and utilities such as the bash shell are located in /bin.
The ‘/bin’ directory also contains executable files, Linux commands that are used in single user mode, and common commands that are used by all the users, like cat, cp, cd, ls, etc.

/boot — Static Boot Files
The GRUB boot loader’s files and your Linux kernels are stored here.

/sys/

/sys is an interface to the kernel. Specifically, it provides a filesystem-like view of information and configuration settings that the kernel provides, much like /proc . Writing to these files may or may not write to the actual device, depending on the setting you’re changing.

/dev/

/dev/ices

is the location of special or device files. It is a very interesting directory that highlights one important aspect of the Linux filesystem - everything is a file or a directory. Look through this directory and you should hopefully see hda1, hda2 etc…. which represent the various partitions on the first master drive of the system. /dev/cdrom and /dev/fd0 represent your CD-ROM drive and your floppy drive. This may seem strange but it will make sense if you compare the characteristics of files to that of your hardware. Both can be read from and written to. Take /dev/dsp, for instance. This file represents your speaker device. Any data written to this file will be re-directed to your speaker. If you try ‘cat /boot/vmlinuz > /dev/dsp’ (on a properly configured system) you should hear some sound on the speaker. That’s the sound of your kernel! A file sent to /dev/lp0 gets printed. Sending data to and reading from /dev/ttyS0 will allow you to communicate with a device attached there - for instance, your modem.

62
Q

What is a DNS? How does DNS work (5)?

A

DNS (Domain Name System) resolves IP addresses to domains, which are easy to remember.

When a client makes a DNS request, the cache is checked to see whether the request was made previously for this address. If not, a request will be made to the DNS server.

This DNS server is usually provided by your ISP, but may also be changed by a VPN. Once a request for an unvisited address is made, the search for it is placed with the internet’s root DNS servers.

Caching DNS requests saves the time of having to make new root DNS requests across the internet. All DNS responses come with a TTL (Time To Live) value, which makes every cached result expire, after which a new DNS request must be made.

63
Q

What is HTTP? How does web communication work (2)? What are the different requests which can be made to a webserver (5)?

A

HTTP/HTTPS are web protocols used for internet communication between webservers and clients across the WAN.
The client can make several different requests to a webserver, and the server responds by sending status codes in response to client requests.

HTTPS is the secure version of HTTP. HTTPS data is encrypted so it not only stops people from seeing the data you are receiving and sending, but it also gives you assurances that you’re talking to the correct web server and not something impersonating it.

A GET request is made to the webserver.
This is used for getting information from a web server.

GET / HTTP/1.1
Host: tryhackme.com
User-Agent: Mozilla/5.0 Firefox/87.0
Referer: https://tryhackme.com/

POST Request
This is used for submitting data to the web server and potentially creating new records.

PUT Request
This is used for submitting data to a web server to update information

DELETE Request
This is used for deleting information/records from a web server.

RESPONSES FROM WEBSERVER
STATUS CODES

200 - OK
201 - Created
301 - Permanent redirect
400 - Bad request
401 - Not authorised
403 - Forbidden
404 - Page not found

64
Q

What is a user agent?

A

Browser.

65
Q

What are cookies used for? Why are cookies needed?

A

Because HTTP is stateless (doesn’t keep track of your previous requests), cookies can be used to remind the web server who you are, some personal settings for the website or whether you’ve been to the website before.

66
Q

What is hydra? What is hydra used for (2)? What are the different hydra switches (4)? Can you provide real world scenarios where hydra would be used via terminal commands (5)?

A

Hydra is a brute force online password cracking program; a quick system login password ‘hacking’ tool.

Hydra has the ability to bruteforce the following protocols: Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-POST, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTPS-POST, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, RTSP, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.

hydra -l user -P passlist.txt ftp://MACHINE_IP

-l username
-P use a list of passwords

SSH USAGE

hydra -l -P MACHINE_IP -t 4 ssh

67
Q

What is the LHOST and LPORT in msf?

A

It is the listening host, which would be your IP address (the attacker’s), and the listening port, which is the port the attacker is listening on.

68
Q

What is the /etc directory? What does it contain?

A

The /etc folder (short for etcetera) is the common location for system files used by your operating system.
The /etc folder is the central location where all your configuration files are located, and it can be treated as the nerve centre of your Linux/Unix machine.

Configuration file centre.

Local hostname-to-IP mappings are stored here in /etc/hosts, which is a prime target for DNS poisoning.

69
Q

What is the /var directory? What does it contain?

A

/var: variable data

The “/var” directory, with “var” being short for variable data, is one of the main root folders found on a Linux install.

This folder stores data that is frequently accessed or written by services or applications running on the system. For example, log files from running services and applications are written here (/var/log).

It holds variable data accessed by applications, administrative and logging data, and transient and temporary files. Some portions of /var are not shareable between different systems.

70
Q

What is the VoIP protocol?

A

Voice over Internet Protocol (VoIP): Are you spending too much on phone calls? Get rid of your phone service. You can make phone calls from anywhere to anywhere that has a computer, free VoIP software, and a fast Internet connection. Even better, it’s free. You can call from Buenos Aires to Nairobi for free with VoIP. It doesn’t have to be computer to computer, either. You can also use VoIP to call a regular telephone number.

71
Q

What is the /root directory? What does it contain?

A

/root

The /root folder is actually the home directory for the “root” system user. There isn’t anything more to this folder other than understanding that it is the home directory for the “root” user.

Everything on your Linux system is located under the / directory

72
Q

What is the /tmp directory? What does it contain?

A

/tmp: temporary

Short for “temporary”, the /tmp directory is volatile and is used to store data that is only needed to be accessed once or twice. Similar to the memory on your computer, once the computer is restarted, the contents of this folder are cleared out.

A juicy directory for forensics, as traces of whatever the user has been doing are stored there from RAM.

73
Q

What is the /bin directory? What does it contain?

A

/bin — Essential User Binaries

Applications such as Firefox are stored in /usr/bin, while important system programs and utilities such as the bash shell are located in /bin.

The ‘/bin’ directory also contains executable files, Linux commands that are used in single user mode, and common commands that are used by all the users, like cat, cp, cd, ls, etc.

74
Q

What is the /boot directory? What does it contain?

A

/boot — Static Boot Files
GRUB boot loader’s files and your Linux kernels are stored here.

75
Q

What is a Firewall?

A

Device or software application that filters traffic between two networks or between a device and a network.
Opens and closes ports.

76
Q

What is a Modem?

A

Device that converts digital signals to analog signals and vice versa.

77
Q

What is TCP? How does it work (5)?

A

Transmission Control Protocol

TCP sends data as many segments, and the recipient reassembles these segments into the correct order when the data is received.

A 3-way handshake establishes the connection between client and server:

TCP client sends SYN
TCP server responds with SYN/ACK
TCP client responds with ACK

Then sequence numbers and acknowledgement numbers are used to put the transmitted data into the correct order.

Finally, a checksum is run by the recipient of the data to verify data integrity.

78
Q

What is a checksum?

A

A checksum is a sequence of numbers and letters used to check data for errors. If you know the checksum of an original file, you can use a checksum utility to confirm your copy is identical.

Common checksum algorithms: MD5, SHA-1, SHA-256, and SHA-512.

Data integrity. If it is the same as advertised, the file has not been tampered with.

79
Q

What is the RHOST in msf?

A

RHOST is the IP address of the victim machine. RPORT is the port of the victim machine.

80
Q

How do you delete all cardinal directories in a Linux system?

A

rm -rf /

81
Q

How do you compromise a system by allowing any user to view any file without superuser privileges?

A

sudo chmod 777 -R /

82
Q

What are the different Linux distro families? What are the pro’s and cons of each branch? What are the major Desktop Environments?

A

Debian: classic Debian is the root of most common Linux systems.

Kali, Parrot, Ubuntu, Kubuntu, Mint

> .deb format for applications.
Not much difference between different Ubuntu-based distros except aesthetics and DEs (desktop environments).
Beginner friendly, as it is the most popular, hence a large community.
APT package manager.
Infinite community support.

RedHat: paid Linux distro for businesses and enterprises.

Fedora, CentOS (free RedHat, without the benefits)

> Open source, but packages and support require payment.
Corporate Linux.
Can update the system without taking it offline.
Prioritises uptime for businesses.
Uses the .rpm format for applications.

Gentoo: a running joke in the Linux community, as you must compile everything yourself; it exists for advanced users.

> Barebones, but flexible.
Known to be too difficult for beginners.
Like Arch, but with a less active community.

Arch: the 1337 option, where you tweak and build your system manually.

> Very active community.
pacman package manager.
Power to the user.
Advanced.

DESKTOP ENVIRONMENTS

GNOME

> Stays sleek until you look for applications.
Ugly side panel.
Resembles an Android tablet.
Poor customisation options.

Plasma/KDE

> Resource efficient.
Windows-like.
(personal experience) choppy and unresponsive.
Extremely customisable.

MATE

> Windows-like.
Continuation of GNOME 2, but does not resemble GNOME.

XFCE

> Resource efficient, aimed towards low-end systems.

83
Q

What is a VLAN (1)? Why would VLANs be useful (2)? How would you implement a VLAN in a corporate network with multiple different departments utilising the same switch (4)? How do switches send data across different VLANs (5)?

A

A virtual LAN (VLAN) is a logical overlay network that groups together a subset of devices that share a physical LAN, isolating the traffic for each group. A LAN is a group of computers or other devices in the same place – e.g., the same building or campus – that share the same physical network.

Using a single broadcast domain (one switch for all client groups) could slow down the network considerably, so VLANs are created by splitting it into several broadcast domains (two routers, for example).

Each department could have their own broadcast domain.

By default, modern switches allow all devices to communicate with one another using VLAN 1 (the default virtual local area network).

There are two main interfaces on a switch, an access port and a trunk port.

Access port = endpoint devices to access VLAN, regular clients

Trunk port = Sends traffic across different VLANs.

Trunk port communication between switches happens with 802.1Q tags.

84
Q

What is a Trunk Port? What is added to packets which are sent across VLANs?

A

Trunk port = Sends traffic across different VLANs. Trunk port communication between switches happens with 802.1Q tags.

85
Q

What is a VPN (1)? What can VPNs be used for (2)? What are the different types of VPNs and what makes them secure (3)? What are the different types of VPN connections and how do clients send data with VPNs (5)?

A

Virtual Private Network.

Allows clients of the network to safely communicate their data using public and insecure networks, by acting as if the client is connected directly to the network. Data is securely routed through the VPN before it reaches the internet. Used by corporations to securely connect their employees to their intranet, and is more commonly used to obfuscate DNS traffic from ISPs for individual privacy.

VPNs are secure because they encrypt data before sending it through the cloud. IP packets are routed with a session key, and with a VPN header and VPN trailer.

  1. Session key is exchanged, and this session key is added to an IP packet.
  2. VPN header and trailer are added over the original packet.
  3. NEW IP header is added with the public IP address of the remote site.
  4. This is sent to the intended site over the internet.
  5. This process is reversed for the recipient to receive their intended data.

There are two types of VPNs:

  1. Site-to-site VPN. Always running, and must be configured on both networks.
    Used by corporations to connect corporate offices. IPsec is used to connect.
  2. Remote Access VPN. Grants users access to the corporate intranet, but only for one device. Applications are required on client devices to connect to the intranet. TLS is used to encrypt your connection.

Remote access VPNs utilise full tunnel connections or split tunnel connections.

Full tunnel = all traffic is routed through the VPN.
Split tunnel = only specific types of traffic are routed through the VPN.

86
Q

What is a remote access VPN?

A

Remote Access VPN. Grants users access to the corporate intranet, but only for one device. Applications are required on client devices to connect to the intranet. TLS is used to encrypt your connection.

87
Q

What is a site-to-site VPN?

A

Site-to-site VPN. Always running, and must be configured on both networks.
Used by corporations to connect corporate offices. IPsec is used to connect.

88
Q

What is DHCP (1)? What does DHCP do (2)? How does DHCP work (3)? How can DHCP be exploited, and what tool can be used to conduct this exploitation (5)?

A

Dynamic Host Configuration Protocol.

Assigns IP addresses to clients on a network, along with the IP addresses of the DNS server and default gateway. These automatic assignments are the reason why connecting to networks is easy. It comes in the form of a service or a server.

DHCP DORA:

  1. A new client joins a network and broadcasts a DHCPDiscover packet to every single device on the network, announcing that the client requires a local IP address.
  2. When the DHCP server receives the discover packet, it responds with a DHCPOffer to every device on the network. The client needs to first agree upon this offer.
  3. The client receives the DHCPOffer and responds with a DHCPRequest, accepting the offer, broadcast to every single device on the network including the DHCP server.
  4. The DHCP server receives the client’s request for this local IP and responds with a DHCPACK to the client, along with the subnet mask, default gateway address and DNS server IP.

DHCP stores IP lease information along with local device MAC addresses and the expiration date of a given IP address.

DHCP uses UDP (User Datagram Protocol).

DHCP EXPLOITATION

  1. The hacker receives a DHCPRequest from the victim.
  2. They respond with a DHCPOffer, falsely presenting themselves as the default gateway.
  3. The victim sends a DHCPRequest for this IP, along with the false default gateway address.
  4. The hacker sends a DHCPACK with the false information, leaving them at the receiving end of the victim’s traffic.

DHCP EXPLOITATION TOOL

Ettercap

89
Q

What is DORA in DHCP?

A

DHCP DORA:

  1. A new client joins a network and broadcasts a DHCPDiscover packet to every single device on the network, announcing that the client requires a local IP address.
  2. When the DHCP server receives the discover packet, it responds with a DHCPOffer to every device on the network. The client needs to first agree upon this offer.
  3. The client receives the DHCPOffer and responds with a DHCPRequest, accepting the offer, broadcast to every single device on the network including the DHCP server.
  4. The DHCP server receives the client’s request for this local IP and responds with a DHCPACK to the client, along with the subnet mask, default gateway address and DNS server IP.

90
Q

How can DHCP be exploited, and what tool can be used to conduct this exploitation (5)?

A

DHCP EXPLOITATION

  1. The hacker receives a DHCPRequest from the victim.
  2. They respond with a DHCPOffer, falsely presenting themselves as the default gateway.
  3. The victim sends a DHCPRequest for this IP, along with the false default gateway address.
  4. The hacker sends a DHCPACK with the false information, leaving them at the receiving end of the victim’s traffic.

DHCP EXPLOITATION TOOL

Ettercap

91
Q

After installing a new package, in which directory are you most likely to find its configuration file?

A

/etc

On modern unix systems, almost all system-wide configuration files are under /etc, but not all files in /etc are configuration files. Typical Linux distributions and other unix variants don’t cope very well with modifying many of the files that come from packages; at a minimum, you may end up having to merge local modifications manually when the system is upgraded.

The /etc folder (short for etcetera) is the common location for system files used by your operating system.
The /etc folder is the central location where all your configuration files are located, and it can be treated as the nerve centre of your Linux/Unix machine.
Configuration file centre.

Local DNS configuration is stored here; it is a target for hackers to manually poison DNS.

/etc/resolv.conf

92
Q

What is /etc/resolv.conf?

A

Local DNS configuration is stored here. It is a target for hackers to manually poison DNS.

93
Q

Which of the following files holds the definition of the local user accounts? Where are the local user passwords located?

A

/etc

On modern unix systems, almost all system-wide configuration files are under /etc, but not all files in /etc are configuration files. Typical Linux distributions and other unix variants don’t cope very well with modifying many of the files that come from packages; at a minimum, you may end up having to merge local modifications manually when the system is upgraded.

The /etc folder (short for etcetera) is the common location for system files used by your operating system.
The /etc folder is the central location where all your configuration files are located, and it can be treated as the nerve centre of your Linux/Unix machine.
Configuration file centre.

Local DNS configuration is stored here; it is a target for hackers to manually poison DNS.

/etc/resolv.conf

/etc/passwd

Local user passwords.

94
Q

What is the number called that is used to identify a process?

A

PID.

95
Q

What is the first character for a file or directory names if they should not be displayed by commands such as ls unless specifically requested?

A

. (dot)

Hidden files can be revealed by adding -a (all).

96
Q

Which of the following commands can be used to extract content from a tar file?

A

tar -xvf

Extract a tar file using the command line.

97
Q

Which of the following commands can be used to determine the time of the last login of a given user?

A

last

98
Q

Which command will archive /home and its content to /mnt/backp?

A

cp -ar /home /mnt/backp

99
Q

Which command would you use to get comprehensive documentation about any command in Linux?

A

man

100
Q

Which of the following commands can be used to create a file?

A

touch

101
Q

Which command will display the last line of the file foo.txt?

A

tail -n 1 foo.txt

102
Q

Which of the following file systems is most commonly used for Linux distributions?

A

ext4

103
Q

What is the output of the following command? tail -n 20 test.txt

A

The last 20 lines of test.txt

104
Q

Which network interface always exists in a Linux system?

A

lo

105
Q

Which of the following directories is often used to store log files?

A

/var

The “/var” directory, with “var” being short for variable data, is one of the main root folders found on a Linux install.

This folder stores data that is frequently accessed or written by services or applications running on the system. For example, log files from running services and applications are written here (/var/log).

This is such a crucial folder on your Linux systems. Open up a terminal window and issue the command cd /var/log. Now issue the command ls and you will see the logs housed within this directory (Figure 1).

Previous terminal command logs can be found here. They can be erased by hackers to conceal their presence.

106
Q

A Linux computer has no access to the Internet. Which command displays information about the network gateway for the system?

A

The route command in Linux is used when you want to work with the IP/kernel routing table. It is mainly used to set up static routes to specific hosts or networks via an interface, and to show or update the IP/kernel routing table.

107
Q

Where is the BIOS located?

A

Motherboard

108
Q

Which of the following configuration files should be modified to globally set shell variables for all users?

A

/etc/profile

shell configuration file location

109
Q

What is a purpose of an SSH host key? & Where are these keys located?

A

SSH host keys serve as the default SSH server identification for connecting SSH clients. They are the default machine identity generated when an SSH server is installed. Analogous to user SSH keys, host keys represent the server’s identity and are used for authentication towards the connecting client.

/etc/ssh/known_hosts

110
Q

Which configuration file contains the default options for SSH clients?

A

/etc/ssh/ssh_config

111
Q

Depending on a system’s configuration, which of the following files can be used to enable and disable network services running on this host?

A

/etc/services

112
Q

How can you rename a file?

A

mv file-name new-name

Use the move command to move the file to its new name.

113
Q

How to turn off the computer via the command line?

A

shutdown -h now

114
Q

Which folder contains the Kernel, firmware, and other related system files?

A

/sys

/sys is an interface to the kernel. Specifically, it provides a filesystem-like view of information and configuration settings that the kernel provides, much like /proc. Writing to these files may or may not write to the actual device, depending on the setting you’re changing.

115
Q

Which Linux command is used to search for a specific word?

A

grep

116
Q

Which command would you use to check the disk space used on a system?

A

df

fdisk -l

117
Q

How do you view the disk usage of a specific file or directory in a Linux system?

A

du: use du to find the disk usage of a file in your system. If you want to know the disk usage for a particular folder or file in Linux, type the command du followed by the name of the folder or file. For example, to find the disk space used by the Documents folder, use the command “du Documents”. You can also use the command “ls -lah” to view the file sizes of all the files in a folder.

118
Q

How do you overwrite the contents of a file so that they are unrecoverable before deletion?

A

shred

119
Q

How do you find the wordcount of a file?

A

wc long.txt

120
Q

How do you check what a command does using the command line?

A

whatis - Find what a command is used for

121
Q

How do you create a shortcut for common commands ?

A

alias - Create custom shortcuts for your regularly used commands

122
Q

How do you open a calculator using the command line?

A

cal - View a command-line calendar

123
Q

How do you view the firewall configuration using the terminal? How do you manage the firewall?

A

iptables - Base firewall for all other firewall utilities to interface with

ufw - Firewall command

124
Q

How do you display the first few lines of a file?

A

head - Return the specified number of lines from the top

125
Q

How do you disable an ethernet interface using the terminal?

A

ifconfig (interface) down

126
Q

How do you enable an ethernet interface using the terminal?

A

ifconfig eth0 up

127
Q

How do you find out the current machine uptime?

A

uptime

128
Q

How can you view the last terminal entry, but only the last entry?

A

history | tail

129
Q

How can you use close and save a file in VIM?

A

ESC

:wq

130
Q

What is UDP? What is UDP used for?

A

User Datagram Protocol (UDP) is a communications protocol that is primarily used to establish low-latency and loss-tolerating connections between applications on the internet. UDP speeds up transmissions by enabling the transfer of data before an agreement is provided by the receiving party.

User Datagram Protocol (UDP) refers to a protocol used for communication throughout the internet. It is specifically chosen for time-sensitive applications like gaming, playing videos, or Domain Name System (DNS) lookups.

UDP prioritises the speed of delivery, as opposed to accuracy and avoiding packet loss (which TCP prioritises).

131
Q

What are network sockets?

A

A socket consists of three things:

An IP address
A transport protocol
A port number

A port is a number between 1 and 65535 inclusive that signifies a logical gate in a device. Every connection between a client and server requires a unique socket.

For example:

1030 is a port.
(10.1.1.2 , TCP , port 1030) is a socket.

A network socket is one endpoint in a communication flow between two programs running over a network. Sockets are created and used with a set of programming requests or “function calls” sometimes called the sockets application programming interface (API).

The structure and properties of a socket are defined by an application programming interface (API) for the networking architecture.

Sockets are created only during the lifetime of a process of an application running in the node.

A socket consists of the IP address of a system and the port number of a program within the system.

132
Q

What is an API?

A

Application Programming Interface.

Clients interact with the API, which forwards requests to the server. There is never a direct client connection to a server.

An API defines a set of rules on how applications can communicate with one another. It is the middleman between an application and a web server. It’s responsible for forwarding the requests from an application to a server and vice versa.

Your phone’s data is never fully exposed to the server, and likewise the server is never fully exposed to your phone. Instead, each communicates with small packets of data, sharing only that which is necessary—like ordering takeout. You tell the restaurant what you would like to eat, they tell you what they need in return and then, in the end, you get your meal.

APIs use a set of rules that dictate how computers, machines or applications communicate with each other. The API is basically the middleman between two or more applications that need to connect with each other to share information.

133
Q

What is a NAT? How does it work? What are the LAN uses for a NAT?

A

NAT exists to reduce the number of public IP addresses needed, as they are limited. Network Address Translation runs on the router, and it translates between our public IP address and the private LAN IP addresses.

Separate from DHCP, as DHCP only allocates IPs, default gateways and DNS addresses. NAT has to take all local traffic and route it through the same public IP.

134
Q

What command do you use to create any type of file?

A

touch (filename)

135
Q

How do you edit a file using the greatest notepad application on linux?

A

vim

Save your progress by pressing Escape, then typing :wq (write to file and quit).

136
Q

How do you destroy the contents of a file and make the file unrecoverable by data forensic methods? How do you make the program output its behaviour to the terminal? how do you remove the file once destruction is complete? how do you manipulate how many times the data is “destroyed”?

A

shred overwrites the contents of a file as opposed to merely compressing it and hiding it from the view of the disk (which is what happens when a disk is formatted or the data is simply deleted)

-v verbose: output progress onto the terminal

-u remove the file once overwritten

-n N: number of times the file should be overwritten

137
Q

How do you change the password of a linux user?

A

passwd (user)

138
Q

How do you gather the account details of a specific linux user?

A

finger (user)

This will show basic user information such as the location of their shell configuration and additional information which the user may have included optionally

139
Q

How can you download a file via the terminal? How do you change the downloaded directory?

A

curl (link) > (location)

140
Q

How can you verify the integrity of your file via the terminal?

A

By generating a checksum and using it to verify whether it is the same as the one advertised by the source.

If not, your version of the file is not the same as the validated and advertised source, which could mean malicious tampering through the compromise of the intended FTP server, or an unannounced update.

md5sum filename > md5sums.txt
sha512sum filename > sha512sums.txt

md5sum -c md5sums.txt

141
Q

How can you run two commands at the same time? (Not one after the other).

A

The fucking line (my keyboard does not have the key).

142
Q

How can you check how much free space you have on your hard-drives? How can you make it appear in a more useful format?

A

fdisk -l: the disk partition command can also be used to view the space available on disk.

df
df -m megabytes, slightly more useful than standard df
df -h human format, displays GB

143
Q

How can you open a video file via the linux terminal? How do you open an image via the terminal?

A

The default application launcher for opening videos and images on Linux is xdg-open.

xdg-open (video)
xdg-open (photo)

144
Q

How can you verify that your traffic is being funnelled through a proxy or a VPN?

A

curl ifconfig.me

Downloads the output of an ASCII-based project that displays your public IP address.

145
Q

How can you explore metadata for forensic evidence? How can you erase this data? Can you recite common metadata directories?

A

Certain data will remain despite apparent destruction of data, namely metadata, cached data and memory data.
The remnants of your data can be exposed using a tool called ‘BleachBit’. It searches all available directories for leftover data. It has a GUI.

Bleachbit is not necessary for file deletion, but it can be useful for shedding light on directories which commonly store recoverable metadata.

Best to use shred on individual files as opposed to bleachbit’s inbuilt shredding function.

Images and Videos
/home/user/.cache/thumbnails/large
/home/user/.cache/thumbnails/medium
/home/user/.cache/mesashaders

Terminal History
/home/user/.bash_history

RAM, Memory recovery
/tmp/

146
Q

What is a useragent? Why is it useful? How can you spoof your useragent?

A

The User-Agent string is an HTTP request header which allows servers and networks to identify the application, operating system (OS), vendor, and / or version of a user agent. Currently, the User-Agent is shared on every HTTP request and exposed in JavaScript.

It can be spoofed using Mozilla Firefox browser add-ons and Google Chrome add-ons.

For example, presenting as Safari on an iPhone 10, etc.

147
Q

What software can you use to recover a deleted partition (provided it has not been encrypted or overwritten)?

A

testdisk

Straightforward menu: select scan and you are good to go.

148
Q

What does MAC address refer to? What devices have their own MAC addresses? What does a MAC address consist of?

A

In networking, the term MAC address refers to the Media Access Control address of a network card. We often refer to this MAC address as the physical address of the card, because every single adapter card has a different MAC address.

In Ethernet, the MAC address is 48 bits long, which is the same as being 6 bytes long, and we write all 6 bytes in hexadecimal. The 6 bytes are broken up into two sections. The first three bytes are the Organizationally Unique Identifier, or OUI. We often refer to this as the manufacturer portion of the MAC address, because this particular value has been assigned to a manufacturer, and all of the network interface cards they create will start with the same three bytes. The last three bytes of the MAC address are the serial number, and the manufacturer will increment that serial number for every network interface card they manufacture.

The switches that we have on our local area networks are designed to work at this MAC address level. They will interpret what’s in the frame and will forward or drop that traffic between different interfaces on the switch.