Misc Personal Notes

Question 1

Terms

BIA
MTD
BCP
DRP

Answer 1

Business Impact Analysis (includes MTD)
ID systems and processes critical for business operations

Maximum Tolerable Downtime
Way to prioritize the recovery of assets

Business Continuity Plan (includes DRP)
plans and procedures to get business back up and running

Disaster Recovery Plan
plan for recovering lost data or services

Question 2

what does this nmap line indicate?

nmap –script http-methods –script-args some system.com

Answer 2

it’s looking to find out what HTTP Methods the target website support. So you can see if you can POST, PUT or GET

Question 3

SOAP is used to package and exchange information for web services. What does SOAP use to format this information?

Answer 3

XML

Question 4

What is CSRF, besides a form of session riding?

Answer 4

Cross Site Forgery Request

Forces logged on victim’s browser to send a forged HTTP request to a vulnerable web application, allowing attacker to force the victim’s browser to generate requests

Question 5

What is CSPP

lookup paper from Blackhat 2010, Alonso Chema

Answer 5

connection string parameter pollution

injection attack, using semicolons to separate parameters in database communication

Question 6

are SOAP messages usually one-way?

Answer 6

yes

Question 7

An attacker inputs the following into the Search text box on an entry form:

   alert("It Worked");

The attacker then clicks the Search button and a pop-up appears stating, “It Worked.”

What can you infer from this?

Answer 7

This indicates a cross-site scripting vulnerability

Question 8

A security administrator monitoring logs comes across a user login attempt that
reads UserJoe)(&)

What can you infer from this username login attempt?

Answer 8

)(&)

Indicates an LDAP injection attempt

Question 9

Why would an administrator set the HttpOnly flag in cookies?

Answer 9

This setting prevents cookies from being accessible by a client-side script.

Question 10

Who maintains WebGoat?

What platforms can you install it on?

What does it do?

Answer 10

OWASP

almost any, including windows and linux

has lessons showing how vulnerabilities work on a system. For black box testing practice

Question 11

know dig command line arguments

what does axfr do in a dig command?

Answer 11

performs a zone transfer

Question 12

What do these commands do?

netsh

netstat -s

sc query

wmic bios get services

Answer 12

netsh
modifies network configuration locally or remotely

netstat -s
shows NIC statistics

sc query
sc communicates with service control manager. query command gets status for a service(s)

wmic
manages WMI

Question 13

which tool allows pen testers to analyze links between personnel and/or hardware using graphs and link analysis?

metasploit
maltego

Answer 13

maltego shows complexity and severity of single points of failure and trust relationships in your infrastructure

Question 14

Are these OSSTMM process controls?

nonrepudiation
confidentiality
privacy
integrity
alarm

Answer 14

Yes

Question 15

What does ICMP Type 3, Code 13 indicate?

Answer 15

administratively prohibited (firewall or ACL)

Question 16

Is a smurf attack a DoS attack using target’s spoofed IP address as a ping?

Answer 16

yes

Question 17

Is bloover a blue bugging tool?

Answer 17

yes

Question 18

is btCrawler a discovery tool?

Answer 18

yes

Question 19

are bbproxy and phonesnoop blackberry tools?

Answer 19

yes

Question 20

practice / learn nmap flags. -sV and -O

Answer 20

• O can provide more detail than a simple banner grab

- sV does standard service detection

Question 21

if a hacker has both plain text and cipher text, what is the name of the attack he can do?

Answer 21

known plaintext attack

attacker compares plain and cipher texts to each other to find useful patterns

Question 22

In NIST cloud architecture, what does the Cloud Broker do?

NIST-SP 500-292

Answer 22

acts to manage the use, performance, delivery of cloud services and relationships between providers and subscribers

It’s the intermediary between consumer and provider, helps consumer through complexity of cloud offerings and may create value added cloud services

Question 23

Are these components of Kerberos?

KDC
AS
TGS
TGT

Answer 23

Yes

Key distribution center
authentication service
ticket granting service
ticket granting ticket

Question 24

Does heartbleed take advantage of data echoing acks in SSL, where attacker sends a single byte while telling server it sent 64KB. and sender returns 64KB of random stuff from memory?

Answer 24

yes

Question 25

Does Key Escrow allow a 3rd party to access sensitive data if the need arises?

Answer 25

yes

Question 26

learn ping flags for windows

• l
• a
• s

Answer 26

• l changes default packet size
• a resolves hostnames
• s provides timestamp

Question 27

is tcp port 515 frequently used for printing?

Answer 27

yes

Question 28

Do you set HttpOnly flag in cookies to mitigate XSS attacks?

Answer 28

yes

Question 29

Does POODLE act as a MITM exploring TLS fallback?

Answer 29

yes

Question 30

Is heart bleed an OpenSSL vulnerability

Answer 30

yes

Question 31

Is FREAK used as a MITM to downgrade RSA

Answer 31

yes

Question 32

Does DROWN allow attackers to break SSLv2

Answer 32

yes

Question 33

Does a CNAME record let you alias multiple services to the same IP address?

Answer 33

yes

Question 34

nmap flags

-sn

Answer 34

ping scan disable port scan

Question 35

nmap flags

-sS/sT/sA/sW/sM:

Answer 35

TCP SYN/Connect()/ACK/Window/Maimon scans

Question 36

What component of IPSEC performs protocol level functions to encrypt and decrypt packets?

Answer 36

IPSEC Driver

Question 37

What component of IPSEC performs protocol level functions to encrypt and decrypt packets?

Answer 37

IPSEC Driver

Question 38

Is the TCP Connect / Full Open Scan

considered one of the most reliable forms of TCP Scanning?

Answer 38

yes