Module 06 - System Hacking ( EC Mode Part 01 ) Flashcards
Which of the following tools helps an ethical hacker detect buffer overflow vulnerabilities in an application?
A. Medusa
B. OllyDbg
C. Hashcat
D. THC-Hydra
Answer: B. OllyDbg
Explanation:
THC-Hydra: THC-Hydra is a parallelized network logon cracker that supports many protocols; it handles IPv6 and internationalized (RFC 4013) input, comes with a GUI, and can run through HTTP and SOCKS proxies. It is an online (network) password-cracking tool, not a debugger.
Medusa: Medusa is a parallel, modular network login brute-forcer, i.e., an online password-cracking tool.
Hashcat: Hashcat is a password cracker that runs on multiple OSs and platforms and supports multi-hash (MD4, MD5; SHA-224, SHA-256, SHA-384, SHA-512; RIPEMD-160; etc.) and multi-device cracking of captured hashes.
OllyDbg: OllyDbg is a 32-bit assembler-level analyzing debugger for Microsoft Windows that is used to find and analyze buffer overflow vulnerabilities in a running binary. Its emphasis on binary code analysis makes it particularly useful when the source code is unavailable.
Which of the following techniques acts as a defensive measure against buffer overflow attacks?
A. Not allowing the compiler to add bounds to all buffers
B. Allowing the execution of code outside the code space
C. Implementing automatic bounds checking
D. Avoiding code review at the source code level
Answer: C. Implementing automatic bounds checking
Explanation:
The following countermeasures can be adopted to defend against buffer overflow attacks:
Develop programs by following secure coding practices and guidelines
Use address space layout randomization (ASLR) technique
Validate arguments and minimize code that requires root privileges
Perform code review at the source code level by using static and dynamic code analyzers
Allow the compiler to add bounds checks to all buffers
Implement automatic bounds checking
Always protect the return pointer on the stack
Never allow execution of code outside the code space
Regularly patch the applications and operating systems
Perform code inspection manually with a checklist to ensure that the code meets certain criteria
Employ Data Execution Prevention (DEP) to mark memory regions as non-executable
Implement code pointer integrity checking to detect whether a code pointer has been corrupted before it is dereferenced
Given below are the different steps involved in password guessing.
1-Create a list of possible passwords.
2-Rank passwords from high to low probability.
3-Find a valid user.
4-Key in each password until the correct password is discovered.
What is the correct sequence of steps involved in password guessing?
A. 3 -> 1 -> 2 -> 4
B. 4 -> 2 -> 3 -> 1
C. 2 -> 3 -> 1 -> 4
D. 1 -> 2 -> 3 -> 4
Answer: A. 3 -> 1 -> 2 -> 4
Given below are the different steps involved in exploiting vulnerabilities.
1-Develop the exploit.
2-Determine the risk associated with the vulnerability.
3-Determine the capability of the vulnerability.
4-Identify the vulnerability.
5-Gain remote access.
6-Select the method for delivering: local or remote.
7-Generate and deliver the payload.
What is the correct sequence of steps involved in exploiting vulnerabilities?
A. 2 -> 3 -> 6 -> 4 -> 5 -> 1 -> 7
B. 4 -> 2 -> 3 -> 1 -> 6 -> 7 -> 5
C. 3 -> 6 -> 7 -> 4 -> 2 -> 1 -> 5
D. 1 -> 2 -> 3 -> 4 -> 5 -> 6 -> 7
Answer: B. 4 -> 2 -> 3 -> 1 -> 6 -> 7 -> 5
Explanation:
Steps involved in exploiting vulnerabilities:
Identify the vulnerability
Determine the risk associated with the vulnerability
Determine the capability of the vulnerability
Develop the exploit
Select the method for delivering – local or remote
Generate and deliver the payload
Gain remote access
Which of the following types of stack memory register stores the address of the next instruction to be executed?
A. ESP
B. ESI
C. EIP
D. EDI
Answer: C. EIP
Explanation:
The five x86 registers that matter for stack-based buffer overflows (the question calls them stack memory registers):
EBP: Extended Base Pointer (EBP), also known as the frame pointer or StackBase, holds the address of the base of the current stack frame; local variables and saved values are addressed relative to it
ESP: Extended Stack Pointer (ESP) holds the address of the top of the stack, i.e., the most recently pushed element; it moves with every push and pop
EIP: Extended Instruction Pointer (EIP) holds the address of the next instruction to be executed; an overflow that overwrites the saved return address on the stack changes the value loaded into EIP when the function returns, which is how control of execution is gained
ESI: Extended Source Index (ESI) maintains the source index for string operations
EDI: Extended Destination Index (EDI) maintains the destination index for string operations
Ben is a disgruntled ex-employee of an organization and has knowledge of computers and hacking. He decided to hack the organization and disrupt its operations. In this process, he cracked the passwords of remote systems by recovering cleartext passwords from a password hash dump.
Which of the following types of password attacks did Ben perform on the target organization?
A. Offline attack
B. Active online attack
C. Passive online attack
D. Non-electronic attack
Answer: A. Offline attack
Explanation:
Non-Electronic Attacks: This is, for most cases, the attacker’s first attempt at gaining target system passwords. Non-electronic or non-technical attacks do not require any technical knowledge about hacking or system exploitation. Techniques used to perform non-electronic attacks include shoulder surfing, social engineering, dumpster diving, etc.
Passive Online Attacks: A passive attack does not lead to any changes in the system. The attacker does not communicate with the system, but passively monitors or records the data passing over the communication channel to and from it.
Offline Attacks: Offline attacks refer to password attacks in which an attacker tries to recover cleartext passwords from a password hash dump. They are often time-consuming but have a high success rate: a hash cannot be reversed, but passwords with a small keyspace or short length are recovered by hashing candidate after candidate offline, where no lockout or logging applies. Attackers also use pre-computed hashes from rainbow tables and distribute the work across many machines.
Active Online Attacks: This is one of the easiest ways to gain unauthorized administrator-level system access. Here, the attacker communicates with the target machine to gain password access. Techniques used to perform active online attacks include password guessing, dictionary and brute-forcing attacks, hash injection, LLMNR/NBT-NS poisoning, use of Trojans/spyware/keyloggers, internal monologue attacks, Markov-chain attacks, Kerberos password cracking, etc.
Gary, a professional hacker, is attempting to access an organization’s systems remotely. In this process, he used a tool to recover the passwords of the target system and gain unauthorized access to critical files and other system software.
Which of the following tools did Gary use to crack the passwords of the target system?
A. BeRoot
B. Hashcat
C. Dependency Walker
D. OllyDbg
Answer: B. Hashcat
Explanation:
OllyDbg: OllyDbg is a 32-bit assembler-level analyzing debugger for Microsoft® Windows®. Its emphasis on binary code analysis makes it particularly useful when the source is unavailable. It debugs multithread applications and attaches to running programs. It recognizes complex code constructs, such as a call to jump to the procedure
BeRoot: BeRoot is a post-exploitation tool to check common misconfigurations to find a way to escalate privilege
Dependency Walker: Dependency Walker is useful for troubleshooting system errors related to loading and executing modules. It detects many common application problems, such as missing modules, invalid modules, import/export mismatches, circular dependency errors, etc.
Hashcat: Hashcat is a password cracker that runs on multiple OSs and platforms and supports multi-hash (MD4, MD5; SHA-224, SHA-256, SHA-384, SHA-512; RIPEMD-160; etc.) and multi-device cracking of captured hashes.
Tim, a network administrator in an organization, received several complaints about unusual behavior in the network. He implemented a spoofing detection toolkit in the network to quickly detect and isolate attackers on the network.
Which of the following tools did Tim use to detect the attacks on the network?
A. Sherlock
B. OpenStego
C. CCleaner
D. Vindicate
Answer: D. Vindicate
Explanation:
CCleaner: CCleaner is a system optimization, privacy, and cleaning tool. It allows attackers to remove unused files and cleans traces of Internet browsing details from the target PC. With this tool, an attacker can very easily erase his/her tracks.
OpenStego: OpenStego is a steganography application that provides the following functions.
Data Hiding: It can hide any data within a cover file (e.g., images)
Watermarking: Watermarking files (e.g., images) with an invisible signature. It can be used to detect unauthorized file copying.
Vindicate: Vindicate is an LLMNR/NBNS/mDNS spoofing detection toolkit for network administrators. Security professionals use this tool to detect name service spoofing. This tool helps them to quickly detect and isolate attackers on their network. It is designed to detect the use of hacking tools such as Responder, Inveigh, NBNSpoof, and Metasploit’s LLMNR, NBNS, and mDNS spoofers while avoiding false positives
Sherlock: Attackers use Sherlock to search a vast number of social networking sites for a target username. This tool helps the attacker to locate the target user on various social networking sites along with the complete URL.
How can rainbow tables be defeated?
A. Use of nondictionary words
B. Password salting
C. Lockout accounts under brute force password cracking attempts
D. All uppercase character passwords
Answer: B. Password salting
Explanation:
Password salting is a technique in which a random value (the salt) is added to each password before the hash is computed, and the salt is stored alongside the hash. Two users with the same password then get different hashes, and an attacker cannot precompute a table in advance, because a table would have to be built per salt; this defeats rainbow tables and other precomputed-hash attacks.
Rainbow tables can be built for non-dictionary and all-uppercase passwords just as easily, so neither of those defeats them. Account lockout is not the right answer either: a rainbow-table attack is an offline attack on a captured hash dump, so no login attempts are made against the live system and there is nothing to lock out.
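The salting point above, as an added example that is not part of the original flashcards: a precomputed hash-to-plaintext table (what a rainbow table stores in compressed chain form) cracks an unsalted hash by lookup alone, but a per-password random salt makes the stored value unpredictable, so the same table misses. The wordlist, the SHA-256 choice and the salthex$hash storage format are assumptions for the demo.

```python
import hashlib
import os
from typing import Optional

# Constructed wordlist standing in for the dictionary the attacker precomputed from.
WORDLIST = ["password", "letmein", "summer2019", "Welcome1", "qwerty"]


def digest(data: bytes) -> str:
    """One-way hash shared by the storage scheme and the attacker (SHA-256 here;
    the lookup attack works the same against any unsalted fast hash)."""
    return hashlib.sha256(data).hexdigest()


def build_precomputed_table(words) -> dict:
    """Hash every word once, in advance: hash -> plaintext. A rainbow table stores
    this mapping in compressed chain form, but the attack it enables is this lookup."""
    return {digest(w.encode()): w for w in words}


def store_unsalted(password: str) -> str:
    return digest(password.encode())


def store_salted(password: str, salt: Optional[bytes] = None) -> str:
    """Store 'salthex$hash'. The salt is random per password and kept in the clear;
    its job is to make the hashed input unpredictable, not to be secret."""
    salt = os.urandom(16) if salt is None else salt
    return salt.hex() + "$" + digest(salt + password.encode())


def verify_salted(stored: str, password: str) -> bool:
    salt_hex, expected = stored.split("$")
    return digest(bytes.fromhex(salt_hex) + password.encode()) == expected


def table_lookup(table: dict, stored: str) -> Optional[str]:
    """The rainbow-table step: look the stored hash up; no hashing at attack time."""
    return table.get(stored.split("$")[-1])


def demo() -> dict:
    table = build_precomputed_table(WORDLIST)
    unsalted = store_unsalted("Welcome1")
    salted_a = store_salted("Welcome1")
    salted_b = store_salted("Welcome1")   # same password, second user
    return {
        "unsalted_cracked": table_lookup(table, unsalted),        # 'Welcome1'
        "salted_cracked": table_lookup(table, salted_a),          # None: table was built without the salt
        "same_hash_unsalted": unsalted == store_unsalted("Welcome1"),  # True: password reuse is visible
        "same_hash_salted": salted_a == salted_b,                 # False: each user hashes differently
        "salted_still_verifies": verify_salted(salted_a, "Welcome1"),  # True
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Salting defeats precomputation, not guessing: an attacker who holds the dump can still hash dictionary candidates against each salt individually, so a slow key-derivation function (for example hashlib.pbkdf2_hmac with a high iteration count) is what raises the cost of that remaining attack.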
A computer science student needs to fill some information into a password protected Adobe PDF job application that was received from a prospective employer. Instead of requesting the password, the student decides to write a script that pulls passwords from a list of commonly used passwords to try against the secured PDF until the correct password is found or the list is exhausted. Identify the type of password attack.
A. Man-in-the-middle attack
B. Dictionary attack
C. Brute-force attack
D. Session hijacking
Answer: B. Dictionary attack.
Explanation:
Man-in-the-Middle Attack: When two parties are communicating, a man-in-the-middle attack can take place, in which a third party intercepts the communication between the two parties without their knowledge. The third party eavesdrops on the traffic and then passes it along; to do so, the "man in the middle" has to sniff from both sides of the connection simultaneously. In a MITM attack, the attacker acquires access to the communication channel between victim and server to extract information.
Brute Force Attack: In the brute force method, every possible combination of characters is tried, for example, uppercase A to Z, digits 0 to 9, and lowercase a to z. This is practical for short passwords over a small character set. If a password is long and consists of uppercase and lowercase letters, digits, and special characters, it might take months or years to crack using brute force.
Dictionary Attack: A dictionary attack uses a predefined file that contains a list of words (and common variants of them), and an automated program tries these words one at a time to see if any of them is the password. This is not effective if the password includes special characters and symbols, but if the password is a simple word, it is found quickly.
Session Hijacking: Session hijacking refers to an attack where an attacker takes over a valid TCP communication session between two computers. Since most authentication only occurs at the start of a TCP session, it allows the attacker to gain access to a machine. Attackers can sniff all the traffic from the established TCP sessions and perform identity theft, information theft, fraud, etc.
You have retrieved the raw hash values from a Windows 2000 Domain Controller. Using social engineering, you know that they are enforcing strong passwords. You understand that all users are required to use passwords that are at least eight characters in length. All passwords must also use three of the four following categories: lower-case letters, capital letters, numbers, and special characters. With your given knowledge of users, likely user account names, and the possibility that they will choose the easiest passwords possible, what would be the fastest type of password cracking attack you can run against these hash values to get results?
A. Dictionary attack
B. Replay attack
C. Brute-Force attack
D. Hybrid attack
Answer: D. Hybrid attack
Explanation:
Replay Attack: In a replay attack, packets and authentication tokens are captured using a sniffer. After the relevant info is extracted, the tokens are placed back on the network to gain access. The attacker uses this type of attack to replay bank transactions or other similar types of data transfer, in the hope of replicating and/or altering activities, such as banking deposits or transfers.
Dictionary Attack: In a dictionary attack, a dictionary file is loaded into the cracking application that runs against user accounts. This dictionary is the text file that contains a number of dictionary words that are commonly used as passwords. The program uses every word present in the dictionary to find the password. Apart from a standard dictionary, attackers’ dictionaries have added entries with numbers and symbols added to words (e.g., “3December!962”). Simple keyboard finger rolls (“qwer0987”), which many believe to produce random and secure passwords, are thus included in an attacker’s dictionary.
Brute-Force Attack: In a brute force attack, attackers try every combination of characters until the password is broken. Cryptographic algorithms must be sufficiently hardened to prevent a brute-force attack, which RSA defines as follows: "Exhaustive key-search, or brute-force search, is the basic technique for trying every possible key in turn until the correct key is identified."
Hybrid Attack: A hybrid attack is more powerful because it combines a dictionary attack with brute-force-style mutations of each dictionary word, such as appended numbers and symbols. Password cracking becomes easier with this method, because people often change their passwords merely by adding some numbers to their old passwords, and a policy that demands digits and symbols pushes them toward exactly such variants. The program therefore adds numbers and symbols to the words from the dictionary to try to crack the password: if the old password is "system," there is a good chance the person changed it to "system1" or "system2."
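The dictionary-versus-hybrid difference in the question above, and the reason a hybrid run is the fastest choice against hashes taken from a domain controller that enforces complexity, as an added example that is not part of the original flashcards. It assumes a constructed hash dump of invented users; the NT hash is MD4 over the UTF-16LE password and is implemented inline because hashlib's md4 is missing on OpenSSL 3 builds; the complexity policy is the one the question states (at least eight characters, three of four classes) and is used as a filter, so a guess that could never have passed the policy is not even hashed.

```python
import string
import struct

_MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, written out because hashlib's md4 is absent on OpenSSL 3 builds."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)       # pad to 56 mod 64, then 64-bit LE bit length
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, order, shifts in rounds:
            for i in range(16):
                aa = _rotl((aa + fn(bb, cc, dd) + x[order[i]] + k) & _MASK, shifts[i % 4])
                aa, bb, cc, dd = dd, aa, bb, cc      # rotate so the next step updates the next register
        a, b, c, d = (a + aa) & _MASK, (b + bb) & _MASK, (c + cc) & _MASK, (d + dd) & _MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """Windows NT hash: unsalted MD4 of the UTF-16LE password, so one guess checks every user."""
    return md4(password.encode("utf-16le")).hex()


def meets_policy(pw: str) -> bool:
    """Complexity rule from the question: at least 8 characters and 3 of the 4 classes."""
    classes = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    )
    return len(pw) >= 8 and sum(classes) >= 3


BASE_WORDS = ["password", "welcome", "summer", "system", "letmein"]   # constructed dictionary


def dictionary_candidates(words):
    yield from words


def hybrid_candidates(words):
    """Each dictionary word plus the mutations people use to satisfy a policy:
    capitalised first letter, a 0-2 digit suffix, an optional trailing symbol."""
    suffixes = [""] + [str(n) for n in range(100)]
    for w in words:
        for form in (w, w.capitalize()):
            for digits in suffixes:
                for sym in ("", "!", "@", "#", "$"):
                    yield form + digits + sym


def crack(dump: dict, candidates):
    """Offline attack on a hash dump: hash each surviving candidate once and look it up
    for all users at the same time. Returns (user -> password, number of hashes computed)."""
    by_hash = {}
    for user, h in dump.items():
        by_hash.setdefault(h, []).append(user)
    found, tested = {}, 0
    for cand in candidates:
        if not meets_policy(cand):
            continue            # the enforced policy says this can't be anyone's password: skip the hash
        tested += 1
        for user in by_hash.get(nt_hash(cand), []):
            found[user] = cand
    return found, tested


# Constructed hash dump: users and passwords invented for this example.
DUMP = {
    "alice": nt_hash("Welcome1!"),
    "bob": nt_hash("Summer24#"),
    "carol": nt_hash("System99!"),
    "dave": nt_hash("kQ7#vR2m!pLx"),   # not a dictionary derivative: survives the hybrid run
}

if __name__ == "__main__":
    print("dictionary:", crack(DUMP, dictionary_candidates(BASE_WORDS)))   # ({}, 0)
    print("hybrid:    ", crack(DUMP, hybrid_candidates(BASE_WORDS)))       # alice, bob, carol cracked
```

The plain dictionary run computes zero hashes, because every bare word fails the policy filter; the hybrid run cracks three of four accounts with a few thousand hashes, while a full brute force of the same 8+ character space would run for years. The policy the organisation publishes therefore shrinks the attacker's search, which is one reason hash dumps must never leave the domain controller.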
Henry, a professional hacker, was hired by an organization to crack the password of a target server. For this purpose, Henry employed a Python-based tool that helped him in cracking the passwords of the target server and establishing unauthorized access to the target network.
Identify the tool employed by Henry in the above scenario.
A. StegoStick
B. Scranos
C. DPAT
D. Spytech SpyAgent
Answer: C. DPAT
Explanation:
DPAT: DPAT is a Python script that generates password use statistics from password hashes dumped from a domain controller (DC) and a password crack file such as hashcat.pot generated using the hashcat tool during password cracking.
Spytech SpyAgent: Spytech SpyAgent is computer spy software that allows you to monitor everything users do on your computer—in total secrecy.
Scranos: Scranos is a trojanized rootkit that masquerades as cracked software or a legitimate application, such as anti-malware, a video player, or an ebook reader, to infect systems and perform data exfiltration that damages the reputation of the target and steals intellectual property.
StegoStick: StegoStick is a steganographic tool that allows attackers to hide any file in any other file.
Which of the following is a password cracking tool that allows attackers to reset the passwords of the Windows local administrator, domain administrator, and other user accounts?
A. OmniHide Pro
B. Secure Shell Bruteforcer
C. Audio Spyware
D. DeepSound
Answer: B. Secure Shell Bruteforcer.
Explanation:
Secure Shell Bruteforcer: It is a password cracking tool that allows you to reset unknown or lost Windows local administrator, domain administrator, and other user account passwords. In the case of forgotten passwords, it even allows users instant access to their locked computer without reinstalling Windows.
Audio Spyware: Audio spyware is a sound surveillance program designed to record sound onto a computer. The attacker can silently install the spyware on the computer, without the permission of the computer user and without sending them any notification.
OmniHide Pro: OmniHide PRO allows you to hide any secret file within an innocuous image, video, music file, etc.
DeepSound: DeepSound allows you to hide any secret data in audio files (WAV and FLAC). It also allows you to extract secret files directly from audio CD tracks. In addition, it can encrypt secret files, thereby enhancing security.
Given below are the various steps involved in an exploit chaining attack.
1-Gather exploits one after another.
2-Gain access to root-level services.
3-Combine all the exploits to compromise the system.
4-Initiate reconnaissance.
Identify the correct sequence of steps involved in performing exploit chaining attacks.
A. 2 -> 3 -> 4 -> 1
B. 1 -> 3 -> 4 -> 2
C. 4 -> 3 -> 2 -> 1
D. 4 -> 1 -> 3 -> 2
Answer: D. 4 -> 1 -> 3 -> 2
Which of the following tools allows attackers to collect host information including PowerShell security settings, Kerberos tickets, and items in Recycle Bin?
A. Dylib Hijack Scanner
B. Veracode
C. Robber
D. GhostPack Seatbelt
Answer: D. GhostPack Seatbelt.
Explanation:
Veracode: It is a buffer overflow detection tool that helps security professionals to detect buffer overflow vulnerabilities.
GhostPack Seatbelt: Attackers use Seatbelt to collect host information including PowerShell security settings, Kerberos tickets, and items in Recycle Bin. Using Seatbelt, attackers perform security checks to find insecurities, which can be exploited to launch active attacks on the host network.
Robber: Robber is an open-source tool that helps attackers to find executables prone to DLL hijacking.
Dylib Hijack Scanner: Dylib Hijack Scanner (DHS) is a simple utility that will scan your computer for applications that are either susceptible to dylib hijacking or have been hijacked.
Aster, a professional hacker, was tasked with identifying insecurities in an organizational network. For this purpose, Aster employed a toolset to perform security checks and find insecurities, which can be exploited to launch active attacks.
Which of the following tools did Aster employ in the above scenario?
A. X-Ray
B. xHelper
C. FaceNiff
D. GhostPack Seatbelt
Answer: D. GhostPack Seatbelt
Which of the following practices makes an organization’s network vulnerable to password cracking attacks?
A. Enable account lockout with a certain number of attempts, counter time, and lockout duration.
B. Never perform continuous user behavior analysis and blind-spot analysis.
C. Ensure that password database files are encrypted and accessible only by system administrators.
D. Perform a periodic audit of passwords in the organization.
Answer: B. Never perform continuous user behavior analysis and blind-spot analysis.
Explanation:
The best practices to protect against password cracking are as follows:
Perform a periodic audit of passwords in the organization.
Ensure that password database files are encrypted and accessible only by system administrators.
Enable account lockout with a certain number of attempts, counter time, and lockout duration.
Perform continuous user behavior analysis and blind-spot analysis.
Employ geo-lock accounts to restrict users from logging in from different locations or IP addresses.
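An account-lockout policy with the three parameters the answer names (attempt threshold, counter reset time, lockout duration), as an added example that is not part of the original flashcards, run against the online password-guessing sequence from the earlier card (valid user known, ranked guess list, one attempt per guess). The Authenticator class, the guess list and the user are assumptions for the demo; plaintext comparison stands in for real credential verification.

```python
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    threshold: int = 5                # failed attempts that trigger a lockout
    reset_window: float = 900.0       # seconds after which old failures stop counting ("counter time")
    lockout_duration: float = 1800.0  # seconds the account stays locked


@dataclass
class AccountState:
    failures: int = 0
    last_failure: float = 0.0
    locked_until: float = 0.0


class Authenticator:
    """Hypothetical login service that applies a LockoutPolicy to every attempt."""

    def __init__(self, policy: LockoutPolicy, credentials: dict):
        self.policy = policy
        self.credentials = credentials          # user -> password; plaintext only for the demo
        self.state = {user: AccountState() for user in credentials}

    def attempt(self, user: str, password: str, now: float) -> str:
        st = self.state[user]
        if now < st.locked_until:
            return "locked"                     # even the correct password is refused while locked
        if now - st.last_failure > self.policy.reset_window:
            st.failures = 0                     # counter reset: failures outside the window expire
        if password == self.credentials[user]:
            st.failures = 0
            return "ok"
        st.failures += 1
        st.last_failure = now
        if st.failures >= self.policy.threshold:
            st.locked_until = now + self.policy.lockout_duration
            st.failures = 0
            return "locked"
        return "denied"


# Constructed, ranked guess list for a known-valid user; the last entry is the real password.
GUESSES = ["123456", "password", "qwerty", "letmein", "welcome", "Summer24#"]


def noisy_attack(policy: LockoutPolicy = LockoutPolicy()) -> list:
    """Fire the guesses one second apart: the lockout trips before the right guess arrives."""
    auth = Authenticator(policy, {"bob": "Summer24#"})
    return [auth.attempt("bob", guess, now=float(i)) for i, guess in enumerate(GUESSES)]


def low_and_slow_attack(policy: LockoutPolicy = LockoutPolicy()) -> list:
    """Spray threshold-1 guesses, then wait for the counter to expire before the next batch:
    the lockout never triggers, so only behaviour analysis would notice this attacker."""
    auth = Authenticator(policy, {"bob": "Summer24#"})
    results, now = [], 0.0
    for i, guess in enumerate(GUESSES):
        if i and i % (policy.threshold - 1) == 0:
            now += policy.reset_window + 1      # let the failure counter age out
        results.append(auth.attempt("bob", guess, now))
        now += 1.0
    return results


if __name__ == "__main__":
    print("noisy:       ", noisy_attack())          # 4 x denied, then locked, locked
    print("low and slow:", low_and_slow_attack())   # 5 x denied, then ok
```

The noisy attacker locks the account before reaching the correct guess, and the legitimate owner is locked out for the same duration, which is why attackers sometimes trigger lockouts deliberately as a denial of service. The low-and-slow attacker stays one guess under the threshold and waits for the counter to age out, so the policy never fires; catching that pattern is what the continuous user-behavior analysis in the same list is for.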
Which of the following practices helps security experts defend an organizational network against various password cracking attempts?
A. Employ geo-lock accounts to restrict users from logging in from different locations.
B. Always use the same password during a password change.
C. Disable information security auditing.
D. Use passwords that can be found in a dictionary.
Answer: A. Employ geo-lock accounts to restrict users from logging in from different locations.
Explanation:
The best practices to protect against password cracking are as follows:
Employ geo-lock accounts to restrict users from logging in from different locations or IP addresses.
Enable information security auditing to monitor and track password attacks.
Do not use the same password during a password change.
Restrict the use of similar passwords and patterns for multiple accounts.
Do not share passwords.
Do not use passwords that can be found in a dictionary.
Which of the following practices can be adopted by security experts to defend against buffer overflow attacks within an organization?
A. Never use the NX bit to mark certain areas of memory as executable and nonexecutable.
B. Employ the latest OSes that offer high protection.
C. Do not use stack canaries, a random value, or a string of characters.
D. Disallow the compiler to add bounds to all the buffers.
Answer: B. Employ the latest OSes that offer high protection.
Explanation:
The following countermeasures can be adopted to defend against buffer overflow attacks:
Implement Structured Exception Handler Overwrite Protection (SEHOP) to deter attackers from overwriting the exception registration record using the SEH overwrite exploitation technique.
Employ the latest OSes that offer more protection.
Use programming languages such as Python, COBOL, or Java instead of C.
Ensure that a function determines the buffer's size and stops writing once it reaches the end of the buffer.
Audit the libraries and frameworks used to develop source code to ensure that they are not vulnerable.
Use stack canaries, a random value or string of characters, which makes it difficult for attackers to overwrite.
Use the NX bit to mark certain areas of memory as executable and nonexecutable.
Allow the compiler to add bounds to all the buffers.
Which of the following practices makes an organization’s network vulnerable to buffer overflow attacks?
A. Audit the libraries and frameworks used to develop source code to ensure that they are not vulnerable.
B. Implement Structured Exception Handler Overwrite Protection (SEHOP).
C. Use C programming language instead of Python, COBOL, or Java.
D. Ensure that the function does not perform a write operation when it reaches the end after determining the buffer’s size.
Answer: C. Use C programming language instead of Python, COBOL, or Java.
Explanation:
The following countermeasures can be adopted to defend against buffer overflow attacks:
Implement Structured Exception Handler Overwrite Protection (SEHOP) to deter attackers from overwriting the exception registration record using the SEH overwrite exploitation technique.
Employ the latest OSes that offer more protection.
Use programming languages such as Python, COBOL, or Java instead of C.
Ensure that a function determines the buffer's size and stops writing once it reaches the end of the buffer.
Audit the libraries and frameworks used to develop source code to ensure that they are not vulnerable.
Use stack canaries, a random value or string of characters, which makes it difficult for attackers to overwrite.
Which of the following malware masks itself as a benign application or software that initially appears to perform a desirable or benign function but steals information from a system?
A. Keylogger
B. Worm
C. Virus
D. Trojan
Answer: D. Trojan.
Explanation:
Keylogger: It is a program that records all user keystrokes without the user’s knowledge
Virus: Self-replicating code that attaches itself to another program or file and spreads when that infected host is executed; it cannot run or spread on its own
Trojan: Deceptive malware program that appears to be legitimate software. A Trojan is a program that masks itself as a benign application. The software initially appears to perform a desirable or benign function but instead steals information or harms the system.
Worm: Self-replicating malware that spreads copies of itself from one system to another over the network without needing to attach to a host program
Which of the following types of password attacks does not lead to any changes in the system and includes techniques such as wire sniffing, man-in-the-middle attacks, and replay attacks?
A. Active online attacks
B. Non-electronic attacks
C. Passive online attacks
D. Offline attacks
Answer: C. Passive online attacks.
Explanation:
Non-Electronic Attacks: This is, for most cases, the attacker’s first attempt at gaining target system passwords. Non-electronic or non-technical attacks do not require any technical knowledge about hacking or system exploitation. Techniques used to perform non-electronic attacks include shoulder surfing, social engineering, dumpster diving, etc.
Active Online Attacks: This is one of the easiest ways to gain unauthorized administrator-level system access. Here, the attacker communicates with the target machine to gain password access. Techniques used to perform active online attacks include password guessing, dictionary and brute-forcing attacks, hash injection, LLMNR/NBT-NS poisoning, use of Trojans/spyware/keyloggers, etc.
Passive Online Attacks: A passive attack does not lead to any changes in the system. The attacker does not communicate with the system, but passively monitors or records the data passing over the communication channel to and from it; the captured data are then used to break into the system. Techniques used to perform passive online attacks include wire sniffing, man-in-the-middle attacks, replay attacks, etc.
Offline Attacks: Offline attacks refer to password attacks in which an attacker tries to recover cleartext passwords from a password hash dump. They are often time-consuming but have a high success rate: a hash cannot be reversed, but passwords with a small keyspace or short length are recovered by hashing candidate after candidate offline, where no lockout or logging applies. Attackers also use pre-computed hashes from rainbow tables and distribute the work across many machines.
Greg, an attacker, was hired to perform an attack on an organization. In this process, he gathered all the information about the target’s network and systems. After acquiring the required information, he searched for vulnerabilities in a database that includes details of the latest vulnerabilities.
Which of the following databases did Greg use to search for vulnerabilities?
A. Factiva
B. MITRE CVE
C. Shodan
D. Whois
Answer: B. MITRE CVE.
Explanation:
Factiva: Factiva is a global news database and licensed content provider. It is a business information and research tool that gets information from licensed and free sources and provides capabilities such as searching, alerting, dissemination, and business information management
Shodan: Shodan is a computer search engine that searches the Internet for connected devices (routers, servers, and IoT.).
MITRE CVE: MITRE maintains a CVE database that contains details of the latest vulnerabilities. Attackers can search MITRE CVE to discover vulnerabilities that exist in the target system.
Whois: Whois is a query and response protocol used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block, or an autonomous system. Whois servers listen on TCP port 43. Regional Internet Registries (RIRs) maintain Whois databases, which contain the contact information of resource holders and domain owners.
Jude, a security professional in an organization, decided to strengthen the security of the applications used by the organization. In this process, he used a buffer-overflow detection tool that recognizes buffer overflow vulnerabilities in the applications.
Which of the following tools helps Jude detect buffer overflow vulnerabilities?
A. Splint
B. Infoga
C. Maltego
D. Octoparse
Answer: A. Splint.
Explanation:
Octoparse: Octoparse offers automatic data extraction: it quickly scrapes web data without coding and turns web pages into structured data. Attackers use Octoparse to capture information from webpages, such as text, links, image URLs, or HTML code.
Infoga: Infoga is a tool used for gathering email account information (IP, hostname, country, etc.) from different public sources (search engines, pgp key servers, and Shodan), and it checks if an email was leaked using the haveibeenpwned.com API
Splint: Splint can be used to detect the common security vulnerabilities including buffer overflows.
Maltego: Maltego is a program that can be used to determine the relationships and real-world links between people, groups of people, organizations, websites, Internet infrastructure, documents.
How does the SAM database in Windows operating system store the user accounts and passwords?
A. The operating system stores the passwords in a secret file that users cannot find.
B. The operating system uses key distribution center (KDC) for storing all user passwords.
C. The operating system stores all passwords in a protected segment of volatile memory.
D. The operating system performs a one-way hash of the passwords.
Answer: D. The operating system performs a one-way hash of the passwords.
Explanation:
Windows keeps user accounts and passwords in the Security Accounts Manager (SAM) database (or in the Active Directory database on a domain controller) in hashed form: a one-way hash is stored, never the plaintext password. The SAM database is implemented as a registry file, and the Windows kernel obtains and keeps an exclusive file-system lock on it while the system is running, which provides some protection against the file being read or copied. Note that the NT hash (MD4 of the UTF-16LE password) carries no salt, so identical passwords produce identical hashes and precomputed tables apply once the hashes have been obtained.
You need to do an ethical hack for BAYARA Company, and the manager says that you need to obtain the password of the root account of the main server to hire you. You are in possession of a rainbow table, what else do you need to obtain the password of the root?
A. Do a vulnerability assessment
B. Inject an SQL script into the database
C. Perform network reconnaissance
D. The hash of the root password
Answer: D. The hash of the root password.
Explanation:
An offline attack with a rainbow table needs the password hashes: the table maps hash values back to the plaintexts that produced them, so without the root account's hash there is nothing to look up.
Which of the following is a Python script that generates password use statistics from password hashes dumped from a domain controller (DC) and generates an HTML report with clickable links?
A. Stegais
B. Power Spy
C. Snow
D. DPAT
Answer: D. DPAT.
Explanation:
Power Spy: Power Spy is PC-user activity-monitoring software. It runs and performs monitoring secretly in the background of a computer system. It logs all users on the system and users will not be aware of its existence.
DPAT: DPAT is a Python script that generates password use statistics from password hashes dumped from a domain controller (DC) and a password crack file such as hashcat.pot generated using the hashcat tool during password cracking. It also generates an HTML report with clickable links. An attacker can open each link and analyze usernames, current passwords, and other password statistics.
Snow: Snow is a program for concealing messages in text files by appending tabs and spaces to the ends of lines, and for extracting messages from files containing hidden messages.
Stegais: Stegais can hide a message in a selected image from the photo library or in a photo taken by the camera.
Which of the following is a cyberattack that combines various vulnerabilities to infiltrate and compromise the target from its root level?
A. Man-in-the-middle attack
B. Exploit chaining
C. TCP/IP hijacking
D. DNS amplification attack
Answer: B. Exploit chaining.
Explanation:
DNS Amplification Attack: A recursive DNS query is a method of requesting a DNS mapping. The query goes through DNS servers recursively until it fails to find the specified domain name to IP address mapping. Attackers exploit recursive DNS queries to perform a DNS amplification attack that results in DDoS attacks on the victim’s DNS server.
Exploit Chaining: Exploit chaining, also referred to as vulnerability chaining, is a cyberattack that combines various exploits or vulnerabilities to infiltrate and compromise the target from its root level.
Man-in-the-Middle Attack: Man-in-the-middle (MITM) attacks allow an attacker to access sensitive information by intercepting and altering communications between an end-user and web servers.
TCP/IP Hijacking: In TCP/IP hijacking, an attacker intercepts an established connection between two communicating parties by using spoofed packets and then pretends to be one of those parties.
Identify the PowerView command that allows attackers to identify all the live hosts available within the current domain.
A. Invoke-EnumerateLocalAdmin
B. Get-DomainPolicy
C. Get-NetComputer -Ping
D. Get-DomainSID
Answer: C. Get-NetComputer -Ping.
Explanation:
Here are some PowerShell (PowerView) commands and their descriptions:
Get-DomainSID: Retrieves the security ID (SID) of the current domain. This command is useful for identifying the domain when performing various tasks such as enumerating domain groups or users.
Invoke-EnumerateLocalAdmin: Retrieves users having local administrative privileges in the current domain. This command can be useful for identifying users who have access to sensitive resources on the network.
Get-NetComputer -Ping: Retrieves all the live hosts or pingable host systems available in the current domain. This command can be useful for identifying all the systems that are active on the network.
Get-DomainPolicy: Retrieves the policy used by the current domain. This command can be useful for identifying the security settings and configurations used by the domain controllers in the network.
Which of the following PowerView commands allows attackers to retrieve users having modification rights for an Active Directory (AD) domain group?
A. Get-NetGPO | %{Get-ObjectAcl -ResolveGUIDs -Name $_.Name}
B. Get-NetForestCatalog
C. Get-NetForestDomain
D. Get-ObjectAcl -SamAccountName "users" -ResolveGUIDs
Answer: A. Get-NetGPO | %{Get-ObjectAcl -ResolveGUIDs -Name $_.Name}
Explanation:
Here are some PowerShell (PowerView) commands and their descriptions:
Get-NetGPO | %{Get-ObjectAcl -ResolveGUIDs -Name $_.Name}: Retrieves the users who have modification rights for a group policy object. This command can be useful for identifying users who have the ability to modify GPOs in the network.
Get-NetForestDomain: Retrieves all domains in the current forest. This command can be useful for identifying the structure of the forest and the domains that are present in it.
Get-ObjectAcl -SamAccountName "users" -ResolveGUIDs: Retrieves the details of the access control lists (ACLs) for a specific group, in this case, the "users" group. This command can be useful for identifying the permissions assigned to a particular group in the network.
Get-NetForestCatalog: Retrieves the details of the global catalogs for the current forest. This command can be useful for identifying the servers that are acting as global catalogs in the network.
Which of the following tools is a JavaScript web application that helps attackers identify complex attack paths in the target Active Directory (AD) environment?
A. OmniHide Pro
B. Bloodhound
C. zsteg
D. mimikatz
Answer: B. Bloodhound.
Explanation:
OmniHide Pro: OmniHide PRO allows you to hide any secret file within an innocuous image, video, music file, etc.
Bloodhound: Bloodhound is a JavaScript web application that is built on top of Linkurious and compiled using Electron, with a Neo4j database fed by a C# data collector. Attackers use Bloodhound to easily identify complex attack paths in AD environments.
Mimikatz: Mimikatz allows attackers to pass Kerberos TGT to other computers and sign in using the victim’s ticket. The tool also helps in extracting plaintext passwords, hashes, PIN codes, and Kerberos tickets from memory.
zsteg: The zsteg tool is used to detect stegano-hidden data in PNG and BMP image files.
Which of the following practices helps security professionals defend against LLMNR/NBT-NS poisoning attacks on an organizational network?
A. Enable NBT-NS
B. Allow changes to the DWORD registry
C. Implement SMB signing
D. Enable LLMNR
Answer: C. Implement SMB signing.
Explanation:
Some countermeasures to defend against LLMNR/NBT-NS poisoning are as follows:
Control LLMNR, NBT-NS, and mDNS traffic using host-based security tools.
Implement SMB signing to prevent relay attacks.
Disable LLMNR.
Disable NBT-NS.
Deploy an LLMNR/NBT-NS spoofing monitoring tool.
Monitor the host on UDP ports 5355 and 137 for LLMNR and NBT-NS traffic.
Monitor specific event IDs such as 4697 and 7045, which can be indicators of relay attacks.
Monitor any changes made to the DWORD registry entries located under HKLM\Software\Policies\Microsoft\Windows NT\DNSClient.
Identify the practice that makes an organizational network susceptible to LLMNR/NBT-NS poisoning attacks.
A. Implement SMB signing to prevent relay attacks.
B. Never monitor the host on UDP ports 5355 and 137.
C. Monitor specific event IDs such as 4697 and 7045, which can be indicators of relay attacks.
D. Control LLMNR, NBT-NS, and mDNS traffic using host-based security tools.
Answer: B. Never monitor the host on UDP ports 5355 and 137.
Explanation:
Some countermeasures to defend against LLMNR/NBT-NS poisoning are as follows:
Control LLMNR, NBT-NS, and mDNS traffic using host-based security tools.
Implement SMB signing to prevent relay attacks.
Disable LLMNR.
Disable NBT-NS.
Deploy an LLMNR/NBT-NS spoofing monitoring tool.
Monitor the host on UDP ports 5355 and 137 for LLMNR and NBT-NS traffic.
Monitor specific event IDs such as 4697 and 7045, which can be indicators of relay attacks.
Monitor any changes made to the DWORD registry entries located under HKLM\Software\Policies\Microsoft\Windows NT\DNSClient.
In which of the following password attacks does an attacker gather a password database, split each password entry into two- and three-character syllables to develop a new alphabet, and then match it with the existing password database?
A. PRINCE attack
B. Markov chain attack
C. Combinator attack
D. Fingerprint attack
Answer: B. Markov chain attack
Explanation:
Markov-Chain Attack: In Markov-chain attacks, attackers gather a password database and split each password entry into two- and three-character syllables (2-grams and 3-grams); using these character elements, a new alphabet is developed, which is then matched with the existing password database.
PRINCE Attack: A PRobability INfinite Chained Elements (PRINCE) attack is an advanced version of a combinator attack in which, instead of taking inputs from two different dictionaries, attackers use a single input dictionary to build chains of combined words.
Combinator Attack: In a combinator attack, attackers combine the entries of the first dictionary with those of the second dictionary. The resultant list of entries can be used to produce full names and compound words.
Fingerprint Attack: In a fingerprint attack, the passphrase is broken down into fingerprints consisting of single- and multi-character combinations that a target user might choose as his/her password.
Which of the following countermeasures should be followed to protect systems against password cracking?
A. Using the same password during a password change
B. Always using system default passwords
C. Imposing no restriction on the password change policy
D. Avoiding the use of passwords that can be found in a dictionary
Answer: D. Avoiding the use of passwords that can be found in a dictionary.
Explanation:
Some of the best practices to protect against password cracking are listed as follows:
Enable information security audit to monitor and track password attacks
Do not use the same password during the password change
Do not share passwords
Disallow the use of passwords that can be found in a dictionary
Do not use cleartext protocols and protocols with weak encryption
Set the password change policy to 30 days
Avoid storing passwords in an unsecured location
Do not use any system default passwords
Make passwords hard to guess by requiring 8-12 alphanumeric characters consisting of a combination of uppercase and lowercase letters, numbers, and symbols
Ensure that applications neither store passwords in memory nor write them to disks in clear text
What statement is true regarding LAN Manager (LM) hashes?
A. LM hashes consist of 48 hexadecimal characters.
B. LM hashes are based on the AES128 cryptographic standard.
C. LM hashes limit the password length to a maximum of 14 characters.
D. Uppercase characters in the password are converted to lowercase.
Answer: C. LM hashes limit the password length to a maximum of 14 characters.
Explanation:
LAN Manager uses a 14-byte password. If the password is shorter than 14 bytes, it is padded with zeros to 14 bytes. After conversion to uppercase, it is split into two 7-byte halves. From each 7-byte half, an 8-byte odd-parity DES key is constructed. Each 8-byte DES key is used to encrypt a fixed value. The results of these encryptions are concatenated into a 16-byte value. The value obtained is the LAN Manager one-way hash of the password.
LM hashes limit the length of the password to a maximum of 14 characters. What makes the LM hash vulnerable is that an attacker has to go through just 7 characters twice to retrieve passwords up to 14 characters in length. No salting (randomness) is applied. For instance, if the password is 7 characters or fewer, the second half will always be a constant (0xAAD3B435B51404EE). If it has more than 7 characters, such as 10, then it is split into a password hash of seven variable characters and another password hash of three characters. The password hash of three variable characters can be easily cracked with password crackers such as L0phtCrack. It is easy for password crackers to detect whether the password has an eighth character when LM hashing is used. The challenge response can then be brute-forced for the LM hash. The number of possible combinations in an LM password is low compared to a Windows NT password.
Which of the following is the advantage of adopting a single sign-on (SSO) system?
A. Impacts user experience: when an application times out, the user needs to log in again, reducing productivity
B. A reduction in overall risk to the system since network and application attacks can only happen at the SSO point
C. Decreased security as the logout process is different across applications
D. A reduction in password fatigue for users because they do not need to know multiple passwords when accessing multiple applications
Answer: D. A reduction in password fatigue for users because they do not need to know multiple passwords when accessing multiple applications.
Explanation:
Advantages of a single sign-on (SSO) system:
A reduction in password fatigue for users because they do not need to know multiple passwords when accessing multiple applications.
A reduction in system administration overhead, since any user login problems can be resolved at the SSO system.
Improves usability and user satisfaction through automatic login functionality.
Users need not maintain multiple passwords, and since authentication is performed at a centralized server, security is improved.
Improves productivity through single sign-in functionality, as it reduces the login time.
Improves auditing, as the SSO system provides an easy way of tracking application usage, shared resource usage, etc.
Improves account management, such as account disabling (disabling hardware and network accounts).
Which of the following attacks is similar to a brute-force attack but recovers passwords from hashes with a specific set of characters based on information known to the attacker?
A. Combinator attack
B. Fingerprint attack
C. Wire sniffing
D. Mask attack
Answer: D. Mask attack.
Explanation:
Combinator Attack: In a combinator attack, attackers combine the entries of the first dictionary with those of the second dictionary. The resultant list of entries can be used to produce full names and compound words. Attackers use this wordlist to crack a password on the target system and gain unauthorized access to the system files.
Mask Attack: A mask attack is like a brute-force attack but recovers passwords from hashes with a more specific set of characters based on information known to the attacker.
Fingerprint Attack: In a fingerprint attack, the passphrase is broken down into fingerprints consisting of single- and multi-character combinations that a target user might choose as his/her password.
Wire Sniffing: Packet sniffing is a form of wire sniffing or wiretapping in which hackers sniff credentials during transit by capturing Internet packets. Attackers rarely use sniffers to perform this type of attack. With packet sniffing, an attacker can gain passwords to applications such as email, websites, SMB, FTP, rlogin sessions, or SQL.
Which of the following commands helps an attacker dump the password hashes from the target domain controller (DC) using the DPAT tool?
A. ./hashcat.bin -m 3000 -a 3 users.ntds -1 ?a ?1?1?1?1?1?1?1 --increment
B. john --format=LM users.ntds
C. ntdsutil "ac in ntds" "ifm" "cr fu c:\temp" q
D. Set-MpPreference -DisableRealtimeMonitoring $true
Answer: C. ntdsutil "ac in ntds" "ifm" "cr fu c:\temp" q.
Explanation:
./hashcat.bin -m 3000 -a 3 users.ntds -1 ?a ?1?1?1?1?1?1?1 --increment
Run the above command to crack the LM hashes in users.ntds, with the cracked results stored in hashcat.pot format.
john --format=LM users.ntds
To crack LM hashes using John the Ripper, run the above command.
ntdsutil "ac in ntds" "ifm" "cr fu c:\temp" q
Run the above command to dump the password hashes from the domain controller (DC). This requires sufficient space on the C drive to store the output.
Set-MpPreference -DisableRealtimeMonitoring $true
Attackers can disable real-time security monitoring using the above command before performing enumeration using the PowerView tool.
Which of the following is an exploitation technique used by attackers to execute arbitrary malicious code in the presence of security protections such as code signing and executable space protection?
A. Dumpster diving
B. Shoulder surfing
C. Dictionary attack
D. Return-oriented programming attack
Answer: D. Return-oriented programming attack.
Explanation:
Shoulder Surfing: Shoulder surfing is a technique of stealing passwords by hovering near legitimate users and watching them enter their passwords.
Dumpster Diving: “Dumpster diving” is a key attack method that exploits significant failures in computer security in the target system. The sensitive information that people crave, protect, and devotedly secure can be accessed by almost anyone willing to search through garbage.
Return-Oriented Programming (ROP) Attack: Return-oriented programming is an exploitation technique used by attackers to execute arbitrary malicious code in the presence of security protections such as code signing and executable space protection. Using this technique, an attacker hijacks the target program control flow by gaining access to the call stack and then executes arbitrary machine instructions by reusing available libraries known as gadgets.
Dictionary Attack: In this type of attack, a dictionary file is loaded into a cracking application that runs against user accounts. This dictionary is a text file that contains several dictionary words commonly used as passwords. The program uses every word present in the dictionary to find the password.