Mod 14

Question 1

PORT 445

Answer 1

SMB Direct | TCP

Question 2

WINDOWS HASH:

___ - A secure asymmetric algorithm. Passwords up to 256 characters (all ASCII characters, 211 unique characters).

Answer 2

NT LAN Manager (NTLM) Hash

Question 3

NETCAT Options:

__ = Help; provides all options

Answer 3

-h

Question 4

PAYLOAD TYPES:
___ - Opens a port on the target system and listens for incoming connections. The attacker initiates the connection (call-in) to the target. Firewalls often block the connection.

Answer 4

Bind TCP

Question 5

___ gathers information about a target of interest without actually probing the target.

Answer 5

Passive Analysis

Question 6

Syntax for Nikto

Answer 6

nikto -host

• host = specific target host
• H = list all options

Question 7

PORT 110

Answer 7

POP3 | TCP

Question 8

___ ties directly into the target development aspect of the Target Research/SIGINT Analysis Module.

Answer 8

Information Gathering

Question 9

___ - Designed to target a specific vulnerability in an application. Most common method of execution in use is the Buffer Overflow.

Answer 9

Code-Based Exploit

Question 10

Active Exploitation skills are also employed in the civilian sector by network security professionals who perform ___.

Answer 10

Penetration Tests (pentests)

Question 11

SCAN EXTENSIONS:

___ = Version detection communicates with ports to determine what is actually running.

Answer 11

-sV

Question 12

___ is a technique that involves connecting to common applications on target host to identify version of running applications. Can be done suing Nmap, Telnet, and Netcat.

Answer 12

Banner Grabbing

Question 13

PORT 513

Answer 13

RLOGIN | TCP

Question 14

PAYLOAD TYPES:
Staged systems:
___ - Fully functional remote shell loaded by the Stager. Offers the availability to run commands on the target system through a remote shell.

Answer 14

Stage (s1)

Question 15

NETCAT Options:

__ = Indicates verbose details; it only reports open ports.

Answer 15

-v

Question 16

___ is a command used to generate and output various types of shellcode payloads. Used for standalone custom payloads, used outside of Metasploit framework.

Answer 16

msfpayload

Question 17

HOST DISCOVERY:
___ = Disable host discovery. Does not ping hosts at all before scanning them; allows scanning of networks through firewalls that block ICMP.

Answer 17

-Pn

Question 18

PORT 3389

Answer 18

RDP | TCP

Question 19

PORT 53

Answer 19

DNS | TCP & UDP

Question 20

Exploits used through ___ do not use encryption so, when traversing a hop, the exploit and payload is vulnerable to exposure and capture.

Answer 20

Satellite Hops

Question 21

Linux:

Syntax for ping with record route.

Answer 21

ping -R

-R = invokes record route option

Question 22

United Stated Codes (USC)
Title 18 ___ - Store Wire and Electronic Communications and Transactional Records Access. Unlawful Access to Stored Communications.

Answer 22

Title 18 USC 2701

Question 23

Cisco IOS Passwords:

Type 7 is ___ and type 5 is ___.

Answer 23

Symmetric

Asymetric

Question 24

NETCAT Options:

__ = Reports all responses within the range

Answer 24

-vv

Question 25

OS: Linux
Example: CentOS, Kali
TTL: ___

Answer 25

TTL = 64

Question 26

UNIX/Linux hashes are store in the ___ file.

Answer 26

/etc/shadow

Question 27

NORMAL PROGRAM EXECUTION:

___ - When a program needs to perform a specific procedure, the program’s main routine call out a subroutine.

Answer 27

Function Call

Question 28

PORT 80

Answer 28

HTTP | TCP

Question 29

The _ program is the purpose of the exploit. It gets execution from the NOP sled and provides access to interact with the OS across the network.

Answer 29

Payload

Question 30

___ is available in most Unix/Linux variations and can perform zone transfers. ___ take IP addresses or server names as arguments.

Answer 30

dig

Question 31

PORT 135

Answer 31

RPC | TCP

Question 32

United Stated Codes (USC)

Title 18 ___ - Fraud and Related Activity in Connection with Computers.

Answer 32

Title 18 USC 1030

Question 33

___ uses UDP by default for traceroutes.

Answer 33

UNIX/Linux

Question 34

METERPRETER COMMANDS:

___ - List running processes.

Answer 34

ps

Question 35

Common tools for online password cracking include: ___ and ___.

Answer 35

THC Hydra

L0phtCrack

Question 36

PORT 138

Answer 36

NetBios Datagram | UDP

Question 37

PORT 3306

Answer 37

MYSQL | TCP

Question 38

The ___ parameter is set to the target IP address where the payload is running (these options may change when using tunnels).

Answer 38

RHOST

Question 39

Three types of traceroute are:

Answer 39

ICMP, UDP, TCP

Question 40

___ Includes activites taken to minimize the exploitation footprints in a target network, discovering and documenting information about targets of interest, and remain undetectable by using obfuscation techniques.

Answer 40

Tradecraft

Question 41

SCANLINE Options:

• n =
• b =
• p =
• t =
• u =
• z =
• ? =

Answer 41

SCANLINE Options:

• n = No port scanning
• b = Get port banners
• p = Do not ping before scanning
• t = TCP ports to scan
• u = UDP ports to scan
• z = Randomize IP and port scan order
• ? = Help

Question 42

United Stated Codes (USC)

Title 18 ___ - Fraud and Related Activity in Connection with Access Devices.

Answer 42

Title 18 USC 1029

Question 43

METERPRETER COMMANDS:

___ - Displays target system information.

Answer 43

sysinfo

Question 44

Metasploit Module Categories:

___ - Contains code that exploits run on targets, such as command shell access.

Answer 44

Payloads

Question 45

A small assembly program called ___ makes up the payload.

Answer 45

shellcode

Question 46

Ports:

6667 = ___

Answer 46

Linux

Question 47

___ is an extremely versatile tool designed for network and password auditing. Uses dictionary and brute force BUT also uses cryptanalysis attacks to break hashing schemes.

Answer 47

Cain and Abel

Question 48

The ___ modernised US Cybercrime legislation and mandates life sentences for offenders who knowingly or recklessly cause or attempt to cause the death of other by attacking transportation systems, power companies, or other public services or utilities.

Answer 48

Cyber Security Enhancement Act of 2002

Question 49

Metasploit Module Categories:

___ - Contains advanced scanners and server modules.

Answer 49

Auxiliary

Question 50

PORT 111

Answer 50

SunRPC PORTMAPPER | TCP

Question 51

NETCAT Options:

__ = No DNS resolution

Answer 51

-n

Question 52

___ is an offline password cracker. It’s primary configuration file is located at /etc/john.conf.

Answer 52

John the Ripper

Question 53

TIMING:

__ - __ = Default scanning method. Runs as quickly as possible without overloading.

Answer 53

3 - Normal

Question 54

PORT 443

Answer 54

HTTPS | TCP

Question 55

PORT 25

Answer 55

SMTP | TCP

Question 56

NETCAT Options:

__ = Specifies port to listen on (TCP by default)

Answer 56

-p

Question 57

METERPRETER COMMANDS:

___ - List out files or contents of a directory.

Answer 57

ls

Question 58

Ports:

88, 389, and 445 = ___

Answer 58

2K3

Question 59

Syntax for Nmap

Answer 59

nmap

Question 60

FILE PLACEMENT:

___ - places files onto target. Useful for putting tools or modified log files onto the target filesystem.

Answer 60

upload

Question 61

Metasploit Commands:

___ - Set exploit parameters.

Answer 61

set

Question 62

WINDOWS HASH:

___ - A weak symmetric algorithm. Passwords are limited to 14 characters (A-Z, 0-9, 36 unique characters).

Answer 62

LAN Manager (LM) Hash

Question 63

PAYLOAD TYPES:

___ - Creates a connection (callback) back to the attacker. Firewalls often allow this connection.

Answer 63

Reverse TCP

Question 64

PORT 20/21

Answer 64

FTP | TCP

Question 65

PAYLOAD TYPES:
___ - Self contained and standalone. Exploit delivers a payload in one shot. Most ___ are functional remote shells that offer the ability to run commands on the target system.

Answer 65

Single

Question 66

Metasploit Module Categories:

___ - Contains modules to use after target access.

Answer 66

Post

Question 67

NETCAT Options:

__ = Conducts UDP port scan

Answer 67

-u

Question 68

FILE COLLECTION:

___ - enables retrieving target files or directories of interest.

Answer 68

download

Question 69

PORT 88

Answer 69

KERBEROS | TCP

Question 70

Common tool for offline password cracking include: ___ and ___.

Answer 70

John the Ripper

Cain and Abel

Question 71

Military members may use active exploitation techniques and tools in support of __ or ___ missions.

Answer 71

USCYBERCOM Cyberspace Operations (CO)
or
NSA/CSS Computer Network Exploitation (CNE)

Question 72

Syntax for Timing

Answer 72

nmap -T <0-5>

Question 73

2 ways to use a Handler:
___ During masquerades, or when connecting to a backdoor, a handler can be started by itself to connect to the target. Command used is:
use multi/handler

Answer 73

Manual

Question 74

WINDOWS HASH:

___ - Part of the SID that uniquely identifies an account (group).

Answer 74

Relative ID (RID)

Question 75

TIMING:

__ - __ = Reduces network load to prevent crashing systems. 4 second wait between sending.

Answer 75

2 - Polite

Question 76

TIMING:

__ - __ = Scans very slowly to avoid IDS detection. 5 minutes between sending.

Answer 76

0 - Paranoid

Question 77

Metasploit Commands:

___ - Load a specific exploit module.

Answer 77

use

Question 78

Upon execution, John the Ripper (JtR) deploys a (1)__ file where it stores successfully cracked password. By default, it is stored in (2)___.

Answer 78

pot

/root/.john/john.pot

Question 79

METERPRETER COMMANDS:

___ - Display current working directory on target.

Answer 79

pwd

Question 80

OS: UNIX
Example: Solaris
TTL: ___

Answer 80

TTL = 255

Question 81

Ports:

135 and 5000 = ___

Answer 81

WinXP

Question 82

PORT 161/162

Answer 82

SNMP | UDP

Question 83

HOST DISCOVERY:

___ = ICMP Timestamp uses an ICMP Timestamp Request (type 13) packet to find listening hosts.

Answer 83

-PP

Question 84

METERPRETER COMMANDS:

___ - Displays system ARP cache.

Answer 84

arp

Question 85

Syntax for Ping Sweep

Answer 85

nmap -sn -PI

• sn = ping sweep scan
• PI = ICMP echo request

Question 86

___ - is a memory address used to overwrite the Return Address memory slot.

Answer 86

Return Pointer

Question 87

Domain controllers store the domain user hashes in the ___ file.

Answer 87

NTDS.DIT (NT Directory Services Directory Information Tree)

Question 88

Method: hashdump
Platform: Meterpreter
Description: Allocates memory space in LSASS.exe to load assembly code: ___.

Answer 88

retrieves account hashes from memory.

Question 89

HOST DISCOVERY:

___ = ICMP Echo is an option that uses an ICMP Echo (Request) packet.

Answer 89

-PI

Question 90

PORT 23

Answer 90

Telnet | TCP

Question 91

John the Ripper; 3 modes of operation:
___
___
___

Answer 91

Single
Wordlist
Incremental

Question 92

the ___ parameter is set to the listening port of the payload (these options may change when using tunnels).

Answer 92

LPORT

Question 93

___ - The application dynamically allocates heap memory at run-time and memory locations for function will not be static. Exploitation occurs by corrupting the program data at specific points in the process to cause the application to overwrite memory addresses or functions.

Answer 93

Heap Buffer Overflow

Question 94

OS: Cisco
Example: 12.0
TTL: ___

Answer 94

TTL = 255

Question 95

___ queries information using the domain name or IP address. Output can vary based on the request submitted. Used in Windows.

Answer 95

Nslookup

Question 96

Heap Buffer Overflow usually requires a ___ to gain control of execution.

Answer 96

Heap Spray

Question 97

Ports:

111 = ___

Answer 97

Solaris

Question 98

Metasploit Module Categories:

___ - Used to alter payloads and avoid detection.

Answer 98

Encoders

Question 99

OS: Windows
Example: 2K, XP, 7
TTL: ___

Answer 99

TTL = 128

Question 100

PORT 389

Answer 100

LDAP | TCP

Question 101

PORT 69

Answer 101

TFTP | UDP

Question 102

NORMAL PROGRAM EXECUTION:
___ - When the subroutine completes its work, the pointer jumps to the address store in the stack’s frame’s return address.

Answer 102

Return to Main

Question 103

NETCAT Options:

__ = Execute command after connection

Answer 103

-e

Question 104

Ports:

NOT 88, NOT 389, BUT 445 = ___

Answer 104

2K8

Question 105

Metasploit Commands: 
\_\_\_ - List out exploit module details.

Answer 105

info

Question 106

PORT 137

Answer 106

NetBios Name | UDP

Question 107

___ - is the assembly opcode x90 that tells the processor to execute nothing, just move the Instruction Pointer forward.

Answer 107

No Operation (NOP) Sled

Question 108

METERPRETER COMMANDS:

___ - Display Meterpreter help menu and available commands.

Answer 108

help

Question 109

TIMING:

__ - __ = Adds a 5 minute timeout per host and never waits more than 1.25 seconds for probe response.

Answer 109

4 - Aggressive

Question 110

There are 2 categories of password cracking: ___ and ___.

Answer 110

Online

Offline

Question 111

METERPRETER COMMANDS:

___ - Display/modify routing table information.

Answer 111

route

Question 112

HOST DISCOVERY:
___ = TCP ACK Ping to determine what hosts are up. Sends TCP ACK packets to port 80 on target networks/hosts and waits for response.

Answer 112

-PT

Question 113

___ OS Fingerprinting does not involve sending packets to the target network; instead, it involves monitoring network traffic to determine the OS in use.

Answer 113

Passive OS Fingerprinting

Question 114

2 ways to use a Handler:

___ - Connects to the shellcode payload that exploit started in the target machine.

Answer 114

Automatic

Question 115

___ uses ICMP by default for traceroutes.

Answer 115

Windows

Question 116

METERPRETER COMMANDS:

___ - Displays process ID for running Meterpreter payload.

Answer 116

getpid

Question 117

Metasploit Commands:

___ - Display any modules related to the key term used.

Answer 117

search

Question 118

The 3 primary methods of collecting credentials are: ___, ___, and ___.

Answer 118

Password Cracking
Memory Injection
Open Source Research

Question 119

Analysts build ___ and ___ by documenting target information.

Answer 119

Target Templates and Network Maps

Question 120

PORT 22

Answer 120

SSH | TCP

Question 121

PORT 139

Answer 121

NetBios (SMB) Session | TCP

Question 122

Syntax for Scanline

Answer 122

sl -b -t

Question 123

PORT SCAN TYPES:

• sT = ___
• sS = ___
• sA = ___
• sF = ___
• sN = ___
• sX = ___
• sU = ___

Answer 123

PORT SCAN TYPES:

• sT = TCP Connect Scan
• sS = SYN Stealth Scan
• sA = ACK Stealth Scan
• sF = FIN Stealth Scan
• sN = TCP Null Scan
• sX = TCP Xmas Tree Scan
• sU = UDP Scan

Question 124

___ - Triggers the vulnerability in a service. ___ is the Delivery mechanism that connects to a service and performs the buffer overflow by writing a Return Pointer, a NOP Sled, and a Payload in the target process’ memory.

Answer 124

Exploit code

Question 125

NETCAT Options:

__ = Enables listening mode

Answer 125

-l

Question 126

___ - Technique that employs the use of credentials to gain access to a service and involves impersonating a user to logon (via ssh, telnet, rdp, etc)

Answer 126

Masquerade

Question 127

PORT 79

Answer 127

Finger | TCP

Question 128

NETCAT Options:

__ = Directs netcat to scan the selected ports in a random fashion

Answer 128

-r

Question 129

SCAN EXTENSIONS:

___ = Port Specification. Nmap only scans the ports specified here. This helps limit the number of scanned ports.

Answer 129

-p

Question 130

The ___ phase of the Active Exploitation Methodology takes advantage of data accumulated during the Information Gathering phase to interact directly with target networks.

Answer 130

Scanning and Enumeration phase

Question 131

Metasploit Commands:

___ - Display the payloads compatible with the exploit.

Answer 131

show payloads

Question 132

Metasploit Module Categories:

___ - Contains service-side and client-side exploits.

Answer 132

Exploits

Question 133

PORT 6667

Answer 133

Unreal IRC Daemon | TCP

Question 134

NORMAL PROGRAM EXECUTION:
___ - Subroutines store temporary data (buffers) on the stack. Each time a subroutine runs, the required memory is allocated on the stack in a unit called a ___.

Answer 134

Stack Frame

Question 135

___ OS Fingerprinting involves connecting to a target port and reviewing the resulting TCP packets sent as a response.

Answer 135

Active OS Fingerprinting

Question 136

Anatomy of a ___:
DELIVERY - rely on authentication as a trusted user to put an executable payload file on the target system.
EXECUTION - an executable payload placed on the target’s file system will require manual execution, from command line or a scheduled job.
CONNECTION - a payload from a ___ requires a manual connection from the client program.

Answer 136

MASQUERADE

Question 137

___ is a command line port scanner for Windows. ___ is known as a “take it with you” scanner due to the small size (20 KB) of its executable.

Answer 137

Scanline

Question 138

Syntax for Banner Grabbing:
Nmap =
Telnet =
Netcat =

Answer 138

Syntax for Banner Grabbing:
Nmap = nmap -sV
Telnet = telnet
Netcat = nc -v

Question 139

___ - Title 46 - Crimes, Chapter 815 - Computer-related Crimes, Section 6 - Offense Against Users of Computer, Computer Systems, Computer Networks, and Electronic Devices.

Answer 139

Florida Computer Crimes Act

Question 140

METERPRETER COMMANDS:

___ - Change directory on target.

Answer 140

cd

Question 141

___ Enables script building to automate network scans. The ___ scripts can be run individually or as categories. Banner grabbing, SMB host discovery, and HTTP header are the most commonly used ___ scripts.

Answer 141

Nmap Scripting Engine (NSE)

Question 142

TIMING:
__ - __ = Only suitable for very fast networks or where data loss is acceptable. Times out hosts in 75 seconds and waits only .3 seconds for probes.

Answer 142

5 - Insane

Question 143

An ___ in Cyber Operations is a software tool, script, program, or technique that takes advantage of a vulnerable system to provide command executions.

Answer 143

Exploit

Question 144

PORT 1433

Answer 144

MSSQL | TCP

Question 145

The ___ is how Metasploit connects to a remote payload and is the command line interface used to access remote computers. ___ is the client software that connects to the backdoor payload program that is running on the target system after an exploit.

Answer 145

Handler

Question 146

United Stated Codes (USC)

___ addresses Crime and Criminal Procedures; broken into different sections.

Answer 146

Title 18

Question 147

The ___ provides structure and serves as a road map for analysts and operators.

Answer 147

Exploitation methodology

Question 148

___ is an open source web scanner designed to perform tests against web servers to identify security problems. ___ looks for configuration files, potentially dangerous files, updates, and software versioning. Not stealthy, easily detectable.

Answer 148

Nikto

Question 149

On Windows OS’s clients and servers, hashes are stored in the ___ file.

Answer 149

Security Accounts Manager (SAM)

Question 150

PORT 514

Answer 150

SYSLOG | UDP

Question 151

___ is a network scanning tool used for identification and enumeration of targets and vulnerable services by performing the following functions:

Ping sweep to find targets, Port scans to identify open/closed ports, OS fingerprinting to determine OS on remote targets, and Banner grabbing to determine application version.

Answer 151

Nmap

Question 152

___ is a staged payload that provides a command shell interface to an exploited target. It evades forensic detection bu using in-memory DLL injection, which writes nothing to disk, and uses encryption for its network connection.

Answer 152

Meterpreter

Question 153

Anatomy of a ___:
DELIVERY - Trigger vulnerability in the target service, which allows us to write a payload program, called shellcode, into memory on target.
EXECUTION - Execute the payload in the memory space of the target application.
CONNECTION - a client program that has been specifically designed to interact with payload programs will make a connection with the payload running on a target. ___ automatically start the client software

Answer 153

CODE-BASED EXPLOIT

Question 154

___ - Overwriting a local variable or data withing the stack can change a programs behavior to an attackers benefit. Overwriting the return address in a stack frame causes a jump to a specified address, where a NOP sled controls execution and passes it to a malicious payload program.

Answer 154

Stack Buffer Overflow

Question 155

Metasploit Commands: 
\_\_\_ - Display exploit and payload module parameters (RHOST, RPORT, LPORT)

Answer 155

show options

Question 156

___ is an all-in-one centralized console that allows command line access to all options available in the Metasploit framework.

Answer 156

msfconsole

Question 157

Windows:

Syntax for ping with record route.

Answer 157

ping -r -9

• r = invokes record route option
• 9 = variable # (1-9) to indicate # of hops to record

Question 158

METERPRETER COMMANDS:

___ - Displays user Meterpreter is running as.

Answer 158

getuid

Question 159

___ involves probing target networks to discover hosts, IP addresses, and running services.

Answer 159

Active Analysis

Question 160

A ___ determines if an IP address range has live hosts (if hosts can respond to probes). Consists of ICMP echo (requests) sent to multiple hosts. Generally poor tradecraft unless scan is randomized and run slowly.

Answer 160

Ping Sweep

Question 161

PAYLOAD TYPES:
Staged systems:
___ - Sets up a TCP connection with the attackers machine and reads the larger Stage payload into memory; is small enough to fit into the limited memory spaces available in the buffer overflow exploit.

Answer 161

Stager (s0)

Question 162

United Stated Codes (USC)
Title 18 ___ - Wire and Electronic Communications Interception and Interception of Oral Communication. Interception and Disclosure of Wire, Oral, or Electronic Communications Prohibited.

Answer 162

Title 18 USC 2511

Question 163

TIMING:

__ - __ = 15 second wait between sending.

Answer 163

1 - Sneaky

Question 164

SCAN EXTENSIONS:
___ = Activates remote host identification via TCP/IP fingerprinting, using numerous techniques to detect the scanned OS. Scan results aid in the effort to determine the target OS type by comparing fingerprints from a database of known OS fingerprints (nmap-os-db).

Answer 164

-o