Module 06 - System Hacking ( EC Mode Part 01 ) Flashcards

Question

How does the SAM database in Windows operating system store the user accounts and passwords? A. The operating system stores the passwords in a secret file that users cannot find. B. The operating system uses key distribution center (KDC) for storing all user passwords. C. The operating system stores all passwords in a protected segment of volatile memory. D. The operating system performs a one-way hash of the passwords.

Answer 1

Answer: D. The operating system performs a one-way hash of the passwords. Explanation: Windows uses the security accounts manager (SAM) database or active directory database to manage user accounts and passwords in the hashed format (one-way hash). The system does not store the passwords in plaintext format, but in hashed format, to protect them from attacks. The system implements SAM database as a registry file, and the Windows kernel obtains and keeps an exclusive file system lock on the SAM file. As this file consists of a file system lock, this provides some measure of security for the storage of passwords.

Answer 2

Answer: D. The hash of the root password. Explanation: To do an offline hacking of the password with a rainbow table, you need the hashes of the passwords.

Answer 3

Answer: D. DPAT. Explanation: Power Spy: Power Spy is PC-user activity-monitoring software. It runs and performs monitoring secretly in the background of a computer system. It logs all users on the system and users will not be aware of its existence. DPAT: DPAT is a Python script that generates password use statistics from password hashes dumped from a domain controller (DC) and a password crack file such as hashcat.pot generated using the hashcat tool during password cracking. It also generates an HTML report with clickable links. An attacker can open each link and analyze usernames, current passwords, and other password statistics. Snow: Snow is a program for concealing messages in text files by appending tabs and spaces to the ends of lines, and for extracting messages from files containing hidden messages. Stegais: Stegais can hide a message in a selected image from the photo library or in a photo taken by the camera.

Answer 4

Answer: B. Exploit chaining. Explanation: DNS Amplification Attack: Recursive DNS query is a method of requesting DNS mapping. The query goes through DNS servers recursively until it fails to find the specified domain name to IP address mapping. Attackers exploit recursive DNS queries to perform a DNS amplification attack that results in DDoS attacks on the victim’s DNS server. Exploit Chaining: Exploit chaining, also referred to as vulnerability chaining, is a cyberattack that combines various exploits or vulnerabilities to infiltrate and compromise the target from its root level. Man-in-the-Middle Attack: Man-in-the-middle (MITM) attacks allow an attacker to access sensitive information by intercepting and altering communications between an end-user and web servers. TCP/IP Hijacking: In TCP/IP hijacking, an attacker intercepts an established connection between two communicating parties by using spoofed packets and then pretends to be one of those parties.

Answer 5

Answer: C. Get-NetComputer -Ping. Explanation: Here are some PowerShell commands and their descriptions: Command: Get-DomainSID, Description: Retrieves the security ID (SID) of the current domain. This command is useful for identifying the domain when performing various tasks such as enumerating domain groups or users. Command: Invoke-EnumerateLocalAdmin, Description: Retrieves users having local administrative privileges in the current domain. This command can be useful for identifying users who have access to sensitive resources on the network. Command: Get-NetComputer -Ping, Description: Retrieves all the live hosts or pingable host systems available in the current domain. This command can be useful for identifying all the systems that are active on the network. Command: Get-DomainPolicy, Description: Retrieves the policy used by the current domain. This command can be useful for identifying the security settings and configurations used by the domain controllers in the network.

Answer 6

Answer: A. Get-NetGPO | %{Get-ObjectAcl -ResolveGUIDs -Name $_.Name} Explanation: Here are some PowerShell commands and their descriptions: Command: Get-NetGPO | %{Get-ObjectAcl -ResolveGUIDs -Name $_.Name}, Description: Retrieves the users who have modification rights for a group policy object. This command can be useful for identifying users who have the ability to modify GPOs in the network. Command: Get-NetForestDomain, Description: Retrieves all domains in the current forest. This command can be useful for identifying the structure of the forest and the domains that are present in it. Command: Get-ObjectAcl -SamAccountName "users" -ResolveGUIDs, Description: Retrieves the details of the access control lists (ACLs) for a specific group, in this case, the "users" group. This command can be useful for identifying the permissions assigned to a particular group in the network. Command: Get-NetForestCatalog, Description: Retrieves the details of the global catalogs for the current forest. This command can be useful for identifying the servers that are acting as global catalogs in the network.

Answer 7

Answer: B. Bloodhound. Explanation: OmniHide Pro: OmniHide PRO allows you to hide any secret file within an innocuous image, video, music file, etc. Bloodhound: Bloodhound is a JavaScript web application that is built on top of Linkurious and compiled using Electron, with a Neo4j database fed by a C# data collector. Attackers use Bloodhound to easily identify complex attack paths in AD environments. Mimikatz: Mimikatz allows attackers to pass Kerberos TGT to other computers and sign in using the victim’s ticket. The tool also helps in extracting plaintext passwords, hashes, PIN codes, and Kerberos tickets from memory. zsteg: The zsteg tool is used to detect stegano-hidden data in PNG and BMP image files.

Answer 8

Answer: C. Implement SMB signing. Explanation: Some countermeasures to defend against LLMNR/NBT-NS poisoning are as follows: Control LLMNR, NBT-NS, and mDNS traffic using host-based security tools. Implement SMB signing to prevent relay attacks. Disabling LMBNR Disabling NBT-NS Deploy an LLMNR/NBT-NS spoofing monitoring tool. Monitor the host on UDP ports 5355 and 137 for LLMNR and NBT-NS traffic. Monitor specific event IDs such as 4697 and 7045, which can be indicators of relay attacks. Monitor any changes made to the DWORD registry located in HKLM\Software\Policies\Microsoft\Windows NT\DNSClient.

Answer 9

Answer: B. Never monitor the host on UDP ports 5355 and 137. Explanation: Some countermeasures to defend against LLMNR/NBT-NS poisoning are as follows: Control LLMNR, NBT-NS, and mDNS traffic using host-based security tools. Implement SMB signing to prevent relay attacks. Disabling LMBNR Disabling NBT-NS Deploy an LLMNR/NBT-NS spoofing monitoring tool. Monitor the host on UDP ports 5355 and 137 for LLMNR and NBT-NS traffic. Monitor specific event IDs such as 4697 and 7045, which can be indicators of relay attacks. Monitor any changes made to the DWORD registry located in HKLM\Software\Policies\Microsoft\Windows NT\DNSClient.

Answer 10

Answer: B. Markov chain attack Explanation: Markov-Chain Attack: In Markov-chain attacks, attackers gather a password database and split each password entry into two- and three-character syllables (2-grams and 3-grams); using these character elements, a new alphabet is developed, which is then matched with the existing password database PRINCE Attack: A PRobability INfinite Chained Elements (PRINCE) attack is an advanced version of a combinator attack in which, instead of taking inputs from two different dictionaries, attackers use a single input dictionary to build chains of combined words. Combinator Attack: In a combinator attack, attackers combine the entries of the first dictionary with those of the second dictionary. The resultant list of entries can be used to produce full names and compound words. Fingerprint Attack: In a fingerprint attack, the passphrase is broken down into fingerprints consisting of single- and multi-character combinations that a target user might choose as his/her password.

Answer 11

Answer: D. Avoiding the use of passwords that can be found in a dictionary. Explanation: Some of the best practices to protect against password cracking are listed as follows: Enable information security audit to monitor and track password attacks Do not use the same password during the password change Do not share passwords Disallow the use of passwords that can be found in a dictionary Do not use cleartext protocols and protocols with weak encryption Set the password change policy to 30 days Avoid storing passwords in an unsecured location Do not use any system default passwords Make passwords hard to guess by requiring 8-12 alphanumeric characters consisting of a combination of uppercase and lowercase letters, numbers, and symbols Ensure that applications neither store passwords in memory nor write them to disks in clear text

Answer 12

Answer: C. LM hashes limit the password length to a maximum of 14 characters. Explanation: LAN Manager uses a 14-byte password. If the password is less than 14 bytes, it is concatenated with zeros. After conversion to uppercase, it is split into two 7-byte halves. From each 7-byte half an 8-byte odd parity DES key is constructed. Each 8-byte DES key is used to encrypt a fixed value. The results of these encryptions are concatenated into a 16-byte value. The value obtained is the LAN Manager one-way hash for the password. LM hashes limit the length of the password to a maximum of 14 characters. What makes the LM hash vulnerable is that an attacker has to go through just 7 characters twice to retrieve passwords up to 14 characters in length. There is no salting (randomness) done. For instance, if the password is 7 characters or less, the second half will always be a constant (0xAAD3B435B51404EE). If it has over 7 characters such as 10, then it is split up into a password hash of seven variable characters and another password hash of three characters. The password hash of three variable characters can be easily cracked with password crackers such as LOphtCrack. It is easy for password crackers to detect if there is an 8-character when the LM password is used. The challenge response can then be brute-forced for the LM-hash. The number of possible combinations in the LM password is low compared to the Windows NT password.

Answer 13

Answer: D. A reduction in password fatigue for users because they do not need to know multiple passwords when accessing multiple applications. Explanation: Advantages of Single Sign On (SSO) system: A reduction in password fatigue for users because they do not need to know multiple passwords when accessing multiple applications. A reduction in system administration overhead since any user login problems can be resolved at the SSO system. Improves usability and user satisfaction through automatic login functionality. Users need not maintain multiple passwords and since authentication is performed at a centralized server it improves security. Improves productivity through single sign in functionality as it reduces the login time. Improves auditing as the SSO system provides easy way of tracking application usage, shared resources usage, etc. Improves account management such as account disabling (Disabling hardware and network accounts).

Answer 14

Answer: D. Mask attack. Explanation: Combinator Attack: In a combinator attack, attackers combine the entries of the first dictionary with those of the second dictionary. The resultant list of entries can be used to produce full names and compound words. Attackers use this wordlist to crack a password on the target system and gain unauthorized access to the system files. Mask Attack: Mask attack is like brute-force attack but recovers passwords from hashes with a more specific set of characters based on information known to the attacker. Fingerprint Attack: In a fingerprint attack, the passphrase is broken down into fingerprints consisting of single- and multi-character combinations that a target user might choose as his/her password. Wire Sniffing: Packet sniffing is a form of wire sniffing or wiretapping in which hackers sniff credentials during transit by capturing Internet packets. Attackers rarely use sniffers to perform this type of attack. With packet sniffing, an attacker can gain passwords to applications such as email, websites, SMB, FTP, rlogin sessions, or SQL.

Answer 15

Answer: C. ntdsutil "ac in ntds" "ifm" "cr fu c:\temp" q. Explanation: ./hashcat.bin -m 3000 -a 3 users.ntds -1 ?a ?1?1?1?1?1?1?1 –increment Run the above command to crack LM hashes of users.ntds in the hashcat.pot format. john --format=LM users.ntds To crack LM hashes using John the Ripper, run the above command. ntdsutil "ac in ntds" "ifm" "cr fu c:\temp" q Run the above command to dump the password hashes from the domain controller (DC). This requires sufficient space in the C drive to store the output. Set-MpPreference -DisableRealtimeMonitoring $true Attackers can disable the security monitoring option using the above command before performing enumeration using the PowerView tool.

Answer 16

Answer: D. Return-oriented programming attack. Explanation: Shoulder Surfing: Shoulder surfing is a technique of stealing passwords by hovering near legitimate users and watching them enter their passwords. Dumpster Diving: “Dumpster diving” is a key attack method that employs significant failures in computer security in the target system. The sensitive information that people crave, protect, and are devotedly secure can be accessed by almost anyone willing to perform garbage searching. Return-Oriented Programming (ROP) Attack: Return-oriented programming is an exploitation technique used by attackers to execute arbitrary malicious code in the presence of security protections such as code signing and executable space protection. Using this technique, an attacker hijacks the target program control flow by gaining access to the call stack and then executes arbitrary machine instructions by reusing available libraries known as gadgets. Dictionary Attack: In this type of attack, a dictionary file is loaded into a cracking application that runs against user accounts. This dictionary is a text file that contains several dictionary words commonly used as passwords. The program uses every word present in the dictionary to find the password.

Answer 17

Answer: A. Get-NetDomain. Explanation: Here are some PowerShell commands and their descriptions: Command: Get-DomainSID, Description: Retrieves the security ID (SID) of the current domain. This command is useful for identifying the domain when performing various tasks such as enumerating domain groups or users. Command: Get-NetDomain, Description: Retrieves information related to the current domain including domain controllers (DCs). This command can be useful for identifying the domain controllers in the network and their properties. Command: (Get-DomainPolicy)."SystemAccess", Description: Retrieves information related to the policy configurations of the domain’s system access. This command can be useful for identifying the security settings and configurations used by the domain controllers in the network. Command: Get-NetGroup -UserName <"username">, Description: Retrieves the group name of the specified domain user. This command can be useful for identifying the groups that a particular user belongs to in the network.

Answer 18

Answer: D. Bloodhound. Explanation: Bloodhound: Bloodhound is a JavaScript web application that is built on top of Linkurious and compiled using Electron, with a Neo4j database fed by a C# data collector. It uses graph theory to reveal hidden and often unintended relationships within an AD environment. Attackers use BloodHound to easily identify complex attack paths in AD environments. Bluesnarfing: Bluesnarfing is the theft of information from a wireless device through a Bluetooth connection, often between phones, desktops, laptops, PDAs, and other devices. This technique allows an attacker to access the victim’s contact list, emails, text messages, photos, videos, and business data, stored on the device. Bluebugging: Bluebugging involves gaining remote access to a target Bluetooth-enabled device and using its features without the victim’s knowledge or consent. One Click Root: One Click Root is an Android rooting software that supports most devices. It comes with extra fail-safes (such as instant unrooting) and offers full technical support.

Answer 19

Answer: A. Fuzzing Explanation: Perform Spiking: Allows attackers to send crafted TCP or UDP packets to the vulnerable server in order to make it crash. Generate shellcode: Attackers use the msfvenom command to generate the shellcode and inject it into the EIP register to gain shell access to the target vulnerable server. Perform Fuzzing: Allows to send a large amount of data to the target server so that it experiences buffer overflow and overwrites the EIP register. Overwrite the EIP Register: Overwriting the EIP register allows attackers to identify whether the EIP register can be controlled and can be overwritten with malicious shellcode.

Answer 20

Answer: D. hashcat. Explanation: linpostexp: The linpostexp tool obtains detailed information on the kernel, which can be used to escalate privileges on the target system. Dependency Walker: Dependency Walker is useful for troubleshooting system errors related to loading and executing modules. It detects many common application problems, such as missing modules, invalid modules, import/export mismatches, circular dependency errors, etc. hashcat: Attackers use the hashcat tool to perform password attacks such as brute-force attacks, dictionary attacks, and mask attacks. To perform mask attacks, an attacker must know the flags used for the built-in charset, custom charset, and attack mode to create an appropriate pattern for the password. Dylib Hijack Scanner: Dylib Hijack Scanner (DHS) is a simple utility that will scan your computer for applications that are either susceptible to dylib hijacking or have been hijacked.

Answer 21

Answer: D. hashcat -a 3 -m 0 md5_hashes.txt ?l?l?l?d?d?d. Explanation: hashcat -a 3 -m 0 md5_hashes.txt ?l?l?l?d?d?d Run the above command to crack passwords that contain six characters, in which the first three are lowercase alphabets and the last three characters are numbers. run post/windows/gather/arp_scanner RHOSTS An attacker uses the above command to detect live hosts in the target network: usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 3000 -q 386F4337 Run the above command to find the exact offset of the random bytes in the EIP register: msfvenom -p windows/shell_reverse_tcp LHOST= LPORT= EXITFUNC=thread -f c -a x86 -b “\x00” Run the above msfvenom command to generate the shellcode.

Answer 22

Answer: B. 4 -> 1 -> 3 -> 2 Explanation: The working of a GPU attack is as follows: 1- The attacker lures or forces the victim into visiting an insecure site or downloading a malware-loaded application onto their system. 2- When the victim installs the malware-loaded application, the malware starts accessing the browser’s OpenGL API. 3- The malware on OpenGL API sets up a spy on the device to track activities on the browser. 4- When the victim accesses any website via the browser, attackers can copy every character entered by the victim on the password field of the website.

Answer 23

Answer: D. Kerberos authentication Explanation: NTLM authentication: NT LAN Manager (NTLM) is a default authentication scheme that performs authentication using a challenge/response strategy. NTLM authentication protocols use different hash methodologies to store users’ passwords in the SAM database. Security Accounts Manager (SAM) Database: Windows uses the Security Accounts Manager (SAM) database or Active Directory Database to manage user accounts and passwords in hashed format (a one-way hash). LM authentication: It is a part of NTLM authentication. Kerberos Authentication: Microsoft has upgraded its default authentication protocol to Kerberos, which provides a stronger authentication for client/server applications than NTLM. Kerberos employs the Key Distribution Center (KDC), which is a trusted third party. This consists of two logically distinct parts: an authentication server (AS) and a ticket-granting server (TGS). Kerberos uses “tickets” to prove a user’s identity.

Answer 24

Answer: A. Insufficient input sanitization Explanation: Why Are Programs and Applications Vulnerable to Buffer Overflows? Lack of boundary checking Using older versions of programming languages Using unsafe and vulnerable functions Lack of good programming practices Failing to set proper filtering and validation principles Executing code present in the stack segment Improper memory allocation Insufficient input sanitization

Answer 25

Answer: C. Brute-force attack Explanation: Combinator Attack: Attackers combine the entries of the first dictionary with those of the second dictionary to generate a new wordlist to crack the password of the target system Dictionary Attack: A dictionary file is loaded into the cracking application that runs against user accounts. Brute-Force Attack: The program tries every combination of characters until the password is broken. Rule-based Attack: This attack is used when the attacker gets some information about the password.

Answer 26

Answer: B. Man-in-the-middle attack Explanation: Man-in-the-Middle: In an MITM attack, the attacker acquires access to the communication channels between the victim and server to extract the information. This type of attack is often used in telnet and wireless technologies. It is not easy to implement such attacks owing to the TCP sequence numbers and the speed of the communication Rainbow Table Attack: A rainbow table attack uses the cryptanalytic time–memory trade-off technique, which requires less time than other techniques. It uses already-calculated information stored in memory to crack the encryption. In the rainbow table attack, the attacker creates a table of all the possible passwords and their respective hash values, known as a rainbow table, in advance. Fingerprint Attack: In a fingerprint attack, the passphrase is broken down into fingerprints consisting of single- and multi-character combinations that a target user might choose as his/her password. For example, for a word ‘password’, this technique would create fingerprints “p”, “a”, ”s”, ”s”, ”w”, ”o”, ”r”, “d”, “pa” , “ss”, “wo”, “rd”, etc. Dictionary Attack: In this type of attack, a dictionary file is loaded into a cracking application that runs against user accounts. This dictionary is a text file that contains several dictionary words commonly used as passwords. The program uses every word present in the dictionary to find the password

Answer 27

Answer: A. ESP Explanation: Stack memory includes five types of registers: EBP: Extended Base Pointer (EBP), also known as StackBase, stores the address of the first data element stored onto the stack ESP: Extended Stack Pointer (ESP) stores the address of the next data element to be stored onto the stack EIP: Extended Instruction Pointer (EIP) stores the address of the next instruction to be executed ESI: Extended Source Index (ESI) maintains the source index for various string operations EDI: Extended Destination Index (EDI) maintains the destination index for various string operations

Answer 28

Answer: D. Passwords Explanation: John the Ripper is a password cracker, which is currently available for many flavors of UNIX, Windows, DOS, BeOS, and OpenVMS. Its primary purpose is to detect weak UNIX passwords.

Answer 29

Answer: C. https://vulners.com Explanation: Vulners (https://vulners.com): Vulners.com is a security database containing descriptions for a large amount of software vulnerabilities in a machine-readable format. Cross-references between bulletins and continuously updating databases helps one keep abreast of the latest security threats. http://foofus.net is an advanced security services forum that provides various tools for cyber security. http://project-rainbowcrack.com provides RainbowCrack software used for cracking password hashes with rainbow tables. https://www.tarasco.org is a website that contains security-related tools and published exploit codes.

Answer 30

Answer: D. Combinator attack Explanation: Fingerprint Attack: In a fingerprint attack, the passphrase is broken down into fingerprints consisting of single- and multi-character combinations that a target user might choose as his/her password. For example, for a word ‘password’, this technique would create fingerprints “p”, “a”, ”s”, ”s”, ”w”, ”o”, ”r”, “d”, “pa” , “ss”, “wo”, “rd”, etc Markov-Chain Attack: In Markov-chain attacks, attackers gather a password database and split each password entry into two- and three-character syllables (2-grams and 3-grams); using these character elements, a new alphabet is developed, which is then matched with the existing password database. Combinator Attack: In a combinator attack, attackers combine the entries of the first dictionary with those of the second dictionary. The resultant list of entries can be used to produce full names and compound words. Attackers use this wordlist to crack a password on the target system and gain unauthorized access to the system files Toggle-Case Attack: In a toggle-case attack, attackers try all possible upper-case and lower-case combinations of a word present in the input dictionary.

Answer 31

Answer: B. Bloodhound Explanation: Bloodhound: Bloodhound is a JavaScript web application that is built on top of Linkurious and compiled using Electron, with a Neo4j database fed by a C# data collector. It uses graph theory to reveal hidden and often unintended relationships within an AD environment. Attackers use BloodHound to easily identify complex attack paths in AD environments. Bluesnarfing: Bluesnarfing is the theft of information from a wireless device through a Bluetooth connection, often between phones, desktops, laptops, PDAs, and other devices. This technique allows an attacker to access the victim’s contact list, emails, text messages, photos, videos, and business data, stored on the device. Bluebugging: Bluebugging involves gaining remote access to a target Bluetooth-enabled device and using its features without the victim’s knowledge or consent. One Click Root: One Click Root is an Android rooting software that supports most devices. It comes with extra fail-safes (such as instant unrooting) and offers full technical support.

Answer 32

Answer: B. 2 -> 4 -> 3 -> 1

Answer 33

Answer: B. Unattended installs Explanation: Service Object Permissions: A misconfigured service permission may allow an attacker to modify or reconfigure the attributes associated with that service. Unquoted Service Paths: In Windows OSs, when a service starts running, the system attempts to find the location of the executable file to launch the service successfully. Generally, the executable path is enclosed in quotation marks “”, so that the system can easily locate the application binary. Unattended Installs: Unattended installs allow attackers to deploy Windows OSs without the intervention of an administrator. Administrators need to manually clean up the unattended install details stored in the Unattend.xml file. Modifiable registry autoruns: Attackers can exploit misconfigured autoruns in registries.

Answer 34

Answer: B. Robber Explanation: BCTextEncoder: The BCTextEncoder utility simplifies the encoding and decoding of text data. It compresses, encrypts, and converts plaintext data into text format, which the user can then copy to the clipboard or save as a text file. It uses public key encryption methods as well as password-based encryption. CrypTool: The CrypTool project develops e-learning programs in the area of cryptography and cryptanalysis Robber: Robber is an open-source tool that helps attackers to find executables prone to DLL hijacking. Attackers use Robber to find out which DLLs are executable requests without an absolute path (triggering this search process); attackers can then place their malicious DLL high up the search path so it gets invoked before the original DLL VeraCrypt: VeraCrypt is a software for establishing and maintaining an on-the-fly-encrypted volume (data storage device). On-the-fly encryption means that data is automatically encrypted just before it is saved and decrypted just after it is loaded without any user intervention

Answer 35

Answer: C. Run services with least privileged accounts and implement multifactor authentication and authorization. Explanation: The following are the best countermeasures to defend against privilege escalation: Restrict the interactive logon privileges Use encryption technique to protect sensitive data Run users and applications on the least privileges Reduce the amount of code that runs with particular privilege Implement multi-factor authentication and authorization Perform debugging using bounds checkers and stress tests Run services as unprivileged accounts Test operating system and application coding errors and bugs thoroughly Implement a privilege separation methodology to limit the scope of programming errors and bugs Change UAC settings to “Always Notify”, so that it increases the visibility of the user when UAC elevation is requested Restrict users from writing files to the search paths for applications Continuously monitor file system permissions using auditing tools Reduce the privileges of user accounts and groups so that only legitimate administrators can make service changes Use whitelisting tools to identify and block malicious software that changes file, directory, and service permissions Use fully qualified paths in all the Windows applications Ensure that all executables are placed in write-protected directories In MAC operating systems, prevent plist files from being altered by users making them read-only Block unwanted system utilities or software that may be used to schedule tasks Patch and update the web servers regularly

Answer 36

Answer: B. Horizontal privilege escalation Explanation: Kerberos is a network authentication protocol that provides strong authentication for client/server applications by using secret-key cryptography. This provides mutual authentication, in that both the server and the user verify each other’s identity. Messages sent through Kerberos protocol are protected against replay attacks and eavesdropping. Horizontal Privilege Escalation: In a horizontal privilege escalation, the unauthorize user tries to access the resources, functions, and other privileges that belong to the authorized user who has similar access permissions. For instance, online banking user A can easily access user B’s bank account. A rainbow table attack is a type of cryptography attack where an attacker uses a rainbow table for reversing cryptographic hash functions. A rainbow table attack uses the cryptanalytic time memory trade-off technique, which requires less time than some other techniques. It uses already-calculated information stored in memory to crack the cryptography. In the rainbow table attack, the attacker creates a table of all the possible passwords and their respective hash values, known as a rainbow table, in advance. Vertical Privilege Escalation: In a vertical privilege escalation, the unauthorized user tries to gain access to the resources and functions of the user with higher privileges, such as application or site administrators. For example, someone performing online banking can access the site using administrative functions.

Answer 37

Answer: A. Application shimming Explanation: The Windows operating system uses Windows application compatibility framework called Shim to provide compatibility between the older and newer versions of Windows. An attacker can use these shims to perform different attacks such as disabling Windows defender, privilege escalation, installing backdoors, and so on.

Answer 38

Answer: A. showmount -e Explanation: §nmap -T4 –A : Attackers use this Nmap scan commands to identify the RPC service running on the network. showmount -e : Attackers uses this command to check if any share is available for mounting on the target host. sudo mount -t nfs :/ /tmp/nfs: Attackers uses this command to mount the nfs directory on the target host. ldns-walk @ : Attackers use this query to enumerate a target domain using the DNS server to obtain DNS record files.

Answer 39

Answer: A. Network logon scripts Explanation: Logon Script (Windows): Once a user or a user group is signed into a Windows system, the OS allows the execution of logon scripts. These scripts are used by attackers to create persistence and escalate privileges on a system by embedding the path to their script. RC scripts: Attackers abuse RC scripts to escalate privileges and create persistence during the startup process of Unix-based systems. These scripts are executed during system startup and allow the mapping and initializing of custom startup services. These custom services can be used by an attacker for various run levels. Network Logon Scripts: Attackers leverage network logon scripts for escalating privileges and maintaining persistence. These scripts are allocated using AD or GPOs. Such logon scripts are executed using any valid user’s credentials. The initialization of a network logon script can be utilized for different systems based on the networked systems. For this reason, attackers abuse network logon scripts to gain local or administrator credentials based on the access configuration to escalate their privileges. Startup Items: In macOS systems, startup items run at the last stage of the booting process and include different executable files or shell scripts along with their configuration information, which is used to determine the order of execution for the startup items.

Answer 40

Answer: C. \SYSVOL\ Explanation: C:\Windows\system32>nltest /domain_trusts: Attackers use this utility to collect information about trust domains and use the gathered information to add a domain trust or modify the settings of existing domain trusts to escalate privileges through Kerberoasting and pass-the-ticket attacks. C:\Windows\Panther\ UnattendGC\: Unattended installs allow attackers to deploy Windows OSs without the intervention of an administrator. In Windows systems, the Unattend.xml file is stored in the above location. \\SYSVOL\\Policies\: Attackers use this path to access the domain group policies and modify them to perform unintended activities such as creating a new account, disabling or modifying internal tools, ingress tool transfer, unwanted service executions, and modifying the policy to extract passwords in plaintext. C:\Windows\System32\osk.exe: Attackers create persistence and escalate privileges by embedding and running malicious code within Windows accessibility features. On-screen keyboard is an accessibility feature abused by attackers.

Answer 41

Answer: B. Mimikatz Explanation: Stream Armor: Stream Armor is a tool used to discover hidden ADSs and clean them completely from your system. Its advanced auto analysis, coupled with an online threat verification mechanism, helps you eradicate any ADSs that may be present. Mimikatz: Mimikatz is a command-line tool that allows attackers to obtain credentials from registry memory locations. Attackers leverage mimikatz to perform DCSync attacks. Mimikatz includes a DCSync command that utilizes the Microsoft Directory Replication Service Remote Protocol (MS-DRSR) to replicate the behavior of a legitimate DC. OllyDbg: OllyDbg is a 32-bit assembler-level analyzing debugger for Microsoft® Windows®. Its emphasis on binary code analysis makes it particularly useful when the source is unavailable. Robber: Robber is an open-source tool that helps attackers to find executables prone to DLL hijacking.

Answer 42

Answer: D. Parent PID spoofing Explanation: SID-History Injection: Attackers abuse Windows Security Identifier (SID) feature to inject the SID value of an administrator or equivalent account containing higher privileges into the compromised user account’s SID-history attribute. Abusing SUID and SGID permissions: Set User Identification (SUID) and Set Group Identification (SGID) are access permissions given to a program file in UNIX-based systems. In Linux, there are some commands and binaries that can be executed by the attackers to elevate their privileges from non-root users to root users, if flags of SUID and SGID rights are set. Parent PID Spoofing: Attackers attempt to bypass the internal process or service that tracks security measures and to escalate privileges by spoofing the parent process ID (PPID) of a recently added process. These new processes are derived directly from their parent if they are not specified precisely. An explicit specification can be made by providing a PPID for the new process via the CreateProcess API. Usually, this API call process consists of specific arguments to determine the particular PPID to be used. The appropriate PPID can be set to the process that is derived from the system through system processes such as svchost.exe or consent.exe using Windows User Account Control (UAC). Access token manipulation: In Windows OSs, access tokens are used to determine the security context of a process or thread. Windows administrators have to log on as normal users and need to run their tools with admin privileges using token manipulation command “runas.” Attackers can exploit this to access the tokens of other users, or generate spoofed tokens, to escalate privileges and perform malicious activities while evading detection.

Answer 43

Answer: B. crontab -r Explanation: Here are some commands related to crontab and their descriptions: Command: crontab , Description: Installs or modifies the crontab file with the content of the specified file. Command: crontab -l, Description: Displays currently running crontabs. This command can be useful for identifying the cron jobs that are scheduled to run on the system. Command: crontab -r, Description: Deletes the crontab file of the current user. This command can be useful for removing the cron jobs that are no longer needed. Command: crontab -r , Description: Deletes the crontab file of the specified user. This command can be useful for removing the cron jobs that are no longer needed for a particular user. Command: crontab -e, Description: Schedules software updates or modifies the crontab file of the current user. This command can be useful for adding or modifying cron jobs for the current user. Command: crontab -u -e, Description: Modifies the crontab of the specified user. This command can be useful for adding or modifying cron jobs for a particular user.

Answer 44

Answer: C. BeRoot Explanation: rtgen: RainbowCrack is a general-purpose implementation that takes advantage of the time–memory trade-off technique to crack hashes. This project allows you to crack a hashed password. Attackers use the rtgen tool of this project to generate the rainbow tables. CCleaner: CCleaner is a system optimization, privacy, and cleaning tool. It allows attackers to remove unused files and cleans traces of Internet browsing details from the target PC. With this tool, an attacker can very easily erase his/her tracks. L0phtCrack: L0phtCrack is a tool designed to audit passwords and recover applications. It recovers lost Microsoft Windows passwords with the help of a dictionary, hybrid, rainbow table, and brute-force attacks, and it also checks the strength of the password. BeRoot: BeRoot is a post-exploitation tool to check common misconfigurations to find a way to escalate privilege.

Answer 45

Answer: B. Turn on password caching by setting timestamp_timeout to 10. Explanation: Defend against the Abuse of sudo Rights Implement a strong password policy for sudo users. Turn off password caching by setting timestamp_timeout to 0 so that users must input their password every time sudo is executed. Separate sudo-level administrative accounts from the administrator’s regular accounts to prevent theft of sensitive passwords. Update user permissions and accounts at regular intervals. Test sudo users with access to programs containing parameters for arbitrary code execution.

Answer 46

Answer: C. Path interception Explanation: Path interception is a method of placing an executable in a particular path in such a way that it will be executed by the application in place of the legitimate target. Attackers can take advantage of several flaws or misconfigurations to perform path interception like unquoted paths (service paths and shortcut paths), path environment variable misconfiguration, and search order hijacking. Path interception helps an attacker to maintain persistence on a system and escalate privileges.

Answer 47

Answer: A. RedirectEXE Explanation: RedirectEXE: Shims like RedirectEXE, injectDLL, and GetProcAddress can be used by attackers to escalate privileges, install backdoors, disable Windows Defender, etc. Schtasks: The Windows OS includes utilities such as ‘at’ and ‘schtasks.’ A user with administrator privileges can use these utilities in conjunction with the Task Scheduler to schedule programs or scripts that can be executed at a particular date and time. launchd: During the MacOS and OS X booting process, launchd is executed to complete the system initialization process. WinRM: Attackers can use the winrm command to interact with WinRM and execute a payload on the remote system as a part of lateral movement.

Answer 48

Answer: A. Path interception Explanation: Path Interception: Path interception is a method of placing an executable in a particular path in such a way that the application will execute it in place of the legitimate target. Attackers can exploit several flaws or misconfigurations to perform path interception like unquoted paths (service paths and shortcut paths), path environment variable misconfiguration, and search order hijacking. Kernel Exploits: Kernel exploits refer to programs that can exploit vulnerabilities present in the kernel to execute arbitrary commands or code with higher privileges. By successfully exploiting kernel vulnerabilities, attackers can attain superuser or root-level access to the target system. Web Shell: A web shell is a web-based script that allows access to a web server. Web shells can be created in all OSs like Windows, Linux, MacOS, and OS X. Attackers create web shells to inject a malicious script on a web server to maintain persistent access and escalate privileges. Application Shimming: Shims run in user mode, and they cannot modify the kernel. Some of these shims can be used to bypass UAC (RedirectEXE), inject malicious DLLs (InjectDLL), capture memory addresses (GetProcAddress), etc. An attacker can use these shims to perform different attacks including disabling Windows Defender, privilege escalation, installing backdoors, etc.

Answer 49

Answer: C. macOS Explanation: macOS provides several legitimate methods, such as setting the DYLD_INSERT_LIBRARIES environment variable, which are user specific. These methods force the loader to automatically load malicious libraries into a target running process. macOS allows the loading of weak dylibs (dynamic libraries) dynamically, which in turn allows an attacker to place a malicious dylib in the specified location.

Answer 50

Answer: B. Privilege escalation using network file system Explanation: Privilege Escalation Using Network File System (NFS): Attackers often attempt to enumerate misconfigurations in the Network File System (NFS) to exploit and gain root-level access to a remote server. NFS is a protocol used to share and access data and files over a secured intranet. It uses port 2049 to provide communication between a client and server through the Remote Procedure Call (RPC). A misconfigured NFS paves the way for attackers to gain root-level access through a regular user account or low-privilege user. Privilege Escalation Using Windows Sticky keys: In Windows, the sticky keys feature allows users to use a combination of keys including Ctrl, Alt, and Shift instead of pressing three keys simultaneously. Attackers exploit this feature to perform privilege escalation. Privilege Escalation by Bypassing User Account Control (UAC): When attackers fail to escalate privileges using a simple payload, they attempt to evade Windows security features such as UAC and to gain system-level access. Privilege escalation Using DLL Hijacking: Most Windows applications do not use the fully qualified path when loading an external DLL library; instead, they first search the directory from which they have been loaded. Taking this as an advantage, if attackers can place a malicious DLL in the application directory, the application will execute the malicious DLL in place of the real DLL.

Answer 51

Answer: C. 3 -> 7 -> 5 -> 1 -> 8 -> 6 -> 2 -> 4 Explanation: The DCSync attack is performed in the following eight stages, which start from lower privileges and proceed to higher privileges. Stage 1: Performs external reconnaissance Stage 2: Compromises the targeted machine Stage 3: Performs internal reconnaissance Stage 4: Escalates local privileges Stage 5: Compromises credentials by sending commands to DC Stage 6: Performs admin-level reconnaissance Stage 7: Performs malicious remote code execution Stage 8: Gains domain admin credentials

Answer 52

Answer: A. C:\Windows\System32\AtBroker.exe In a Windows environment, attackers can exploit accessibility features to gain escalated privileges and obtain system-level access. These features are stored at the location C:\Windows\System32\ and can be launched by pressing specific keys during a system reboot. The accessibility features that are often abused by attackers include the On-screen Keyboard (C:\Windows\System32\osk.exe), Magnifier (C:\Windows\System32\Magnify.exe), Narrator (C:\Windows\System32\Narrator.exe), Display Switcher (C:\Windows\System32\DisplaySwitch.exe), App switcher (C:\Windows\System32\AtBroker.exe), and Sticky Keys (C:\Windows\System32\sethc.exe). Attackers can replace one of these accessibility features with cmd.exe or replace binaries in the registry to gain backdoor access when a key combination is pressed at the login screen. This technique allows attackers to gain privileged access and execute malicious commands on the compromised system.

Answer 53

Answer: C. linpostexp Explanation: linpostexp: The linpostexp tool obtains detailed information on the kernel, which can be used to escalate privileges on the target system. CrackMapExec: Attackers use the CrackMapExec tool to automate the password cracking process of an entire domain or workgroup member passwords using a small set of commonly used passwords stored in a .txt file. pwdump7: pwdump7 is an application that dumps the password hashes (one-way functions or OWFs) from NT’s SAM database. pwdump extracts LM and NTLM password hashes of local user accounts from the Security Account Manager (SAM) database. clearev: Type clearev command in the Meterpreter shell prompt and press Enter. The logs of the target system will start being wiped out.

Answer 54

Answer: D. hashcat -a 3 -m 0 md5_hashes.txt ?l?l?l?d?d?d. Explanation: hashcat -a 3 -m 0 md5_hashes.txt ?l?l?l?d?d?d Run the above command to crack passwords that contain six characters, in which the first three are lowercase alphabets and the last three characters are numbers. run post/windows/gather/arp_scanner RHOSTS An attacker uses the above command to detect live hosts in the target network: usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 3000 -q 386F4337 Run the above command to find the exact offset of the random bytes in the EIP register: msfvenom -p windows/shell_reverse_tcp LHOST= LPORT= EXITFUNC=thread -f c -a x86 -b “\x00” Run the above msfvenom command to generate the shellcode.

Answer 55

Answer: B. Web shell. Explanation: Scheduled task: The Windows operating system includes utilities such as “at” and “schtasks.” A user with administrator privileges can use these utilities in conjunction with the task scheduler to schedule programs or scripts that can be executed at a particular date and time. If a user provides proper authentication, he can also schedule a task from a remote system using RPC. An attacker can use this technique to execute malicious programs at system startup, maintain persistence, perform remote execution, escalate privileges, etc. Web shell: A web shell is a web-based script that allows access to a web server. Web shells can be created in all the operating systems like Windows, Linux, MacOS, and OS X. Attackers create web shells to inject malicious script on a web server to maintain persistent access and escalate privileges. Attackers use a web shell as a backdoor to gain access and control a remote server. Generally, a web shell runs under current user’s privileges. Using a web shell an attacker can perform privilege escalation by exploiting local system vulnerabilities. After escalating the privileges, an attacker can install malicious software, change user permissions, add or remove users, steal credentials, read emails, etc. Launch daemon: At the time of MacOS and OS X booting process, launchd is executed to complete the system initialization process. Parameters for each launch-on-demand system-level daemon found in /System/Library/LaunchDaemonsand/Library/LaunchDaemons are loaded using launchd. These daemons have property list files (plist) that are linked to executables that run at the time of booting. Attackers can create and install a new launch daemon, which can be configured to execute at boot-up time using launchd or launchctl to load plist into concerned directories. The weak configurations allow an attacker to alter the existing launch daemon’s executable to maintain persistence or to escalate privileges. Access token manipulation: In Windows operating system, access tokens are used to determine the security context of a process or thread. These tokens include the access profile (identity and privileges) of a user associated with a process. After a user is authenticated, the system produces an access token. Every process the user executes makes use of this access token. The system verifies this access token when a process is accessing a secured object.

Answer 56

Answer: C. Meltdown. Explanation: Privilege escalation: In a privilege escalation attack, attackers first gain access to the network using a non-admin user account, and then try to gain administrative privileges. Attackers take advantage of design flaws, programming errors, bugs, and configuration oversights in the OS and software application to gain administrative access to the network and its associated applications. Dylib hijacking: OS X similar to windows is vulnerable to dynamic library attacks. OS X provides several legitimate methods such as setting the DYLD_INSERT_LIBRARIES environment variable, which are user specific. These methods force the loader to load malicious libraries automatically into a target running process. OS X allows loading of weak dylibs (dynamic library) dynamically, which allows an attacker to place a malicious dylib in the specified location. In many cases, the loader searches for dynamic libraries in multiple paths. This helps an attacker to inject a malicious dylib in one of the primary directories and simply load the malicious dylib at runtime. Attackers can take advantage of such methods to perform various malicious activities such as stealthy persistence, run-time process injection, bypassing security software, bypassing Gatekeeper, etc. Meltdown: Meltdown vulnerability is found in all the Intel processors and ARM processors deployed by Apple. This vulnerability leads to tricking a process to access out of bounds memory by exploiting CPU optimization mechanisms such as speculative execution. For example, an attacker requests to access an illegal memory location. He/she sends a second request to conditionally read a valid memory location. In this case, the processor using speculative execution will complete evaluating the result for both requests before checking the first request. When the processor checks that the first request is invalid, it rejects both the requests after checking privileges. Even though the processor rejects both the requests, the result of both the requests remains in the cache memory. Now the attacker sends multiple valid requests to access out of bounds` memory locations. DLL hijacking: Most Windows applications do not use the fully qualified path when loading an external DLL library; instead, they first search the directory from which they have been loaded. Taking this as an advantage, if attackers can place a malicious DLL in the application directory, the application will execute the malicious DLL in place of the real DLL.

Answer 57

Answer: C. Security Identifier (SID). Explanation: Security Identifier (SID): In Windows, Windows Security Identifier (SID) is a unique value assigned to each user and group accounts issued by the domain controller (DC) at the time of creation. Service set identifier (SSID): An SSID is a 32-alphanumeric-character unique identifier given to a wireless local area network (WLAN) that acts as a wireless identifier of the network. Uniform Resource Identifier (URI): A uniform resource identifier (URI) provides a means to identify a resource. It is a global identifier for Internet resources accessed remotely or locally. Basic service set identifier (BSSID): It is the media access control (MAC) address of an access point (AP) or base station that has set up a basic service set (BSS).

Answer 58

Answer: B. crontab -e. Explanation: Attackers escalate system privileges by making changes to the scripts executed by cron located at /etc/crontab. By modifying these scripts, attackers can force malicious scripts to be executed automatically during system reboot for gaining root privileges. Commands: crontab : Installs or modifies the crontab file. crontab -l: Displays currently running crontabs. crontab -r: Deletes the crontab file. crontab -r : Deletes the crontab of the specified user. crontab -e: Schedules software updates/modifies the crontab file of the current user. crontab -u -e: Modifies the crontab of the specified user.

Answer 59

Answer: D. Run users and applications with the lowest privileges. Explanation: Privilege escalation attacks can have devastating consequences, which is why it's essential to implement countermeasures to prevent them. Below are some of the best countermeasures to defend against privilege escalation: Restrict interactive logon privileges: By limiting interactive logon privileges to only those who need them, you can significantly reduce the risk of privilege escalation attacks. Run users and applications with the lowest privileges: One of the most effective ways to prevent privilege escalation attacks is to ensure that users and applications are running with the lowest possible privileges. Implement multi-factor authentication and authorization: By requiring users to authenticate using multiple factors, such as a password and a smart card, you can make it much more difficult for attackers to gain unauthorized access. Run services as unprivileged accounts: Services that run with elevated privileges are often a target for privilege escalation attacks. Running services as unprivileged accounts can help mitigate this risk. Implement a privilege separation methodology: By separating privileged code into distinct components and limiting the scope of programming errors and bugs, you can minimize the risk of privilege escalation attacks. Use encryption to protect sensitive data: By encrypting sensitive data, you can prevent attackers from accessing it, even if they do manage to gain elevated privileges. Reduce the amount of code that runs with a particular privilege: By reducing the amount of code that runs with a particular privilege, you can minimize the impact of a privilege escalation attack. Perform debugging using bounds checkers and stress tests: By using bounds checkers and stress tests during the debugging process, you can identify potential vulnerabilities and fix them before they can be exploited.

Answer 60

Answer: A. Library-level rootkit. Explanation: A rootkit is a type of malware that allows an attacker to gain administrative-level access to a computer system, enabling them to perform various malicious activities. Below are some common types of rootkits: Boot Loader Level Rootkit: This type of rootkit replaces the original boot loader with one controlled by a remote attacker. This enables the attacker to gain control of the system at boot time and load their own code before the operating system loads, providing them with complete control of the system. Hardware/Firmware Rootkit: This type of rootkit hides in hardware devices or platform firmware that are not inspected for code integrity. It can be very difficult to detect and remove since it resides in the firmware or hardware. Hypervisor Level Rootkit: This type of rootkit acts as a hypervisor and modifies the boot sequence of the computer system to load the host operating system as a virtual machine. This enables the attacker to control the virtual machine and monitor or modify its operations. Library Level Rootkit: This type of rootkit replaces the original system calls with fake ones to hide information about the attacker. This enables the attacker to hide their presence and activities from system administrators and security software. Rootkits are a serious threat to the security of computer systems and can be difficult to detect and remove. It's essential to implement a comprehensive security strategy that includes regular system updates, antivirus software, and intrusion detection systems to protect against rootkit attacks.

Answer 61

Answer: A. Adhere to the least privilege principle. Explanation: Some of the best practices to defend against rootkits are as follows: Reinstall OS/applications from a trusted source after backing up critical data Maintain well-documented automated installation procedures Perform kernel memory dump analysis to determine the presence of rootkits Harden the workstation or server against the attack Educate staff not to download any files/programs from untrusted sources Install network- and host-based firewalls and frequently check for updates Ensure the availability of trusted restoration media Update and patch OSs, applications, and firmware Regularly verify the integrity of system files using cryptographically strong digital fingerprint technologies Regularly update antivirus and anti-spyware software Keep anti-malware signatures up to date Avoid logging into an account with administrative privileges Adhere to the least privilege principle Ensure that the chosen antivirus software possesses rootkit protection Do not install unnecessary applications, and disable the features and services not in use Refrain from engaging in dangerous activities on the Internet

Answer 62

Answer: A. Distortion techniques. Explanation: Spread Spectrum Techniques: In this technique, communication signals occupy more bandwidth than required to send the information. The sender increases the band spread by means of code (independent of data), and the receiver uses a synchronized reception with the code to recover the information from the spread spectrum data. Transform Domain Techniques: The transform domain technique hides the information in significant parts of the cover image, such as cropping, compression, and some other image processing areas. Substitution Techniques: In this technique, the attacker tries to encode secret information by substituting the insignificant bits with the secret message. Distortion Techniques: In this technique, the user implements a sequence of modifications to the cover to obtain a stego-object. The sequence of modifications represents the transformation of a specific message.

Answer 63

Answer: B. Natural text steganography. Explanation: Natural Text Steganography: Natural text steganography is the process of converting sensitive information into user-definable free speech such as a play. Web Steganography: In whitespace steganography, the user hides the messages in ASCII text by adding whitespaces to the end of the lines. Spam/Email Steganography: One can use spam emails for secret communication by embedding the secret messages in some way and hiding the embedded data in the spam emails. Document steganography: In document steganography, the user adds whitespaces and tabs at the ends of the lines.

Answer 64

Answer: A. Snow. Explanation: pwdump7: pwdump7 is an application that dumps the password hashes (one-way functions or OWFs) from NT’s SAM database. pwdump extracts LM and NTLM password hashes of local user accounts from the Security Account Manager (SAM) database OllyDbg: OllyDbg is a 32-bit assembler-level analyzing debugger for Microsoft® Windows®. Its emphasis on binary code analysis makes it particularly useful when the source is unavailable. It debugs multithread applications and attaches to running programs. It recognizes complex code constructs, such as a call to jump to the procedure BeRoot: BeRoot is a post-exploitation tool to check common misconfigurations to find a way to escalate privilege. Snow: Snow is a program for concealing messages in text files by appending tabs and spaces to the ends of lines, and for extracting messages from files containing hidden messages. The user hides the data in the text file by appending sequences of up to seven spaces, interspersed with tabs. This usually allows three bits to be stored every eight columns. There is an alternative encoding scheme that uses alternating spaces and tabs to represent 0s and 1s.

Answer 65

Answer: D. Chosen-stego attack

Answer 66

Answer: A. Explanation: theHarvester: theHarvester is a tool designed to be used in the early stages of a penetration test. It is used for open-source intelligence gathering and helps to determine a company's external threat landscape on the Internet Netcraft: The technique of obtaining information about the target network operating system is called OS fingerprinting. Open https://www.netcraft.com in the browser and type the domain name of the target network in the What's that site running? field. Attackers use the Netcraft tool to identify all the sites associated with the target domain along with the operating system running at each site Zsteg: The zsteg tool is used to detect stegano-hidden data in PNG and BMP image files. Sherlock: Attackers use Sherlock to search a vast number of social networking sites for a target username. This tool helps the attacker to locate the target user on various social networking sites along with the complete URL

Answer 67

Answer: B. Install malicious programs Explanation: Executing Applications: Once attackers have administrator privileges, they attempt to install malicious programs such as Trojans, Backdoors, Rootkits, and Keyloggers, which grant them remote system access, thereby enabling them to execute malicious codes remotely. Installing Rootkits allows them to gain access at the operating system level to perform malicious activities. To maintain access for use at a later date, they may install Backdoors. Hiding Files: Attackers use Rootkits and steganography techniques to attempt to hide the malicious files they install on the system, and thus their activities. Covering Tracks: To remain undetected, it is important for attackers to erase all evidence of security compromise from the system. To achieve this, they might modify or delete logs in the system using certain log-wiping utilities, thus removing all evidence of their presence. Gaining Access: In system hacking, the attacker first tries to gain access to a target system using information obtained and loopholes found in the system’s access control mechanism. Once attackers succeed in gaining access to the system, they are free to perform malicious activities such as stealing sensitive data, implementing a sniffer to capture network traffic, and infecting the system with malware. At this stage, attackers use techniques such as password cracking and social engineering tactics to gain access to the target system.

Answer 68

Answer: B. Hypervisor level D. Kernel level F. Application level Explanation: Hypervisor-level rootkit: Attackers create hypervisor-level rootkits by exploiting hardware features such as Intel VT and AMD-V. These rootkits run in Ring-1, host the operating system of the target machine as a virtual machine, and intercept all hardware calls made by the target operating system. This kind of rootkit works by modifying the system’s boot sequence and gets loaded instead of the original virtual machine monitor. Kernel-level rootkit: The kernel is the core of the operating system. Kernel-level rootkit runs in Ring-0 with highest operating system privileges. These cover backdoors on the computer and are created by writing additional code or by substituting portions of kernel code with modified code via device drivers in Windows or loadable kernel modules in Linux. If the kit’s code contains mistakes or bugs, kernel-level rootkits affect the stability of the system. These have the same privileges of the operating system; hence, they are difficult to detect and intercept or subvert the operations of operating systems. Application-level rootkit: Application-level rootkit operates inside the victim’s computer by replacing the standard application files (application binaries) with rootkits or by modifying behavior of present applications with patches, injected malicious code, and so on.

Answer 69

Answer: D. Kernel-level rootkit Explanation: Hardware/firmware rootkit: Uses device/platform firmware to create persistent malware image in hardware, such as HDD, system BIOS, network card. Code integrity tool does not inspect the integrity of firmware. Application rootkit: This replaces standard application files by modifying behavior of present applications with patches, injected malicious code. Hypervisor rootkit: The hypervisor hosts operating system of the target machine as a virtual machine and intercepts all hardware calls made by the target operating system. Kernel-level rootkit: The kernel is the core of the operating system. Kernel-level rootkit runs in Ring-0 with highest operating system privileges. These cover backdoors on the computer and are created by writing additional code or by substituting portions of kernel code with modified code via device drivers in Windows or loadable kernel modules in Linux. If the kit’s code contains mistakes or bugs, kernel-level rootkits affect the stability of the system. These have the same privileges of the operating system; hence, they are difficult to detect and intercept or subvert the operations of operating systems.

Answer 70

Answer: B. Write critical data to alternate data streams Explanation: You should do the following to defend against malicious NTFS streams: To delete hidden NTFS streams, move the suspected files to FAT partition Use third-party file integrity checker such as Tripwire File Integrity Monitor to maintain Integrity of NTFS partition files against unauthorized ADS Use third-party utilities such as EventSentry or adslist.exe to show and manipulate Hidden streams Avoid writing important or critical data to alternate data streams Use up-to-date antivirus software on your system. Enable real-time antivirus scanning to protect against execution of malicious streams Use file-monitoring software such as Stream Detector (http://www.novirusthanks.org) and ADS Detector (https://sourceforge.net/projects/adsdetector/?source=directory) to help detect creation of additional or new data streams.

Answer 71

Answer: B. Microdots Explanation: Microdots: A microdot is text or an image considerably condensed in size (with the help of a reverse microscope), up to one page in a single dot, to avoid detection by unintended recipients. Microdots are usually circular, about one millimeter in diameter, but are changeable into different shapes and sizes. Computer-based methods: A computer-based method makes changes to digital carriers to embed information foreign to the native carriers. Communication of such information occurs in the form of text, binary files, disk and storage devices, and network traffic and protocols, and can alter the software, speech, pictures, videos or any other digitally represented code for transmission. Invisible ink: Invisible ink, or “security ink,” is one of the methods of technical steganography. It is used for invisible writing with colorless liquids and can later be made visible by certain pre-negotiated manipulations such as lighting or heating. For example, if you use onion juice and milk to write a message, the writing will be invisible, but when heat is applied, it turns brown and the message becomes visible. Spread spectrum: This technique is less susceptible to interception and jamming. In this technique, communication signals occupy more bandwidth than required to send the information. The sender increases the band spread by means of code (independent of data), and the receiver uses a synchronized reception with the code to recover the information from the spread spectrum data.

Answer 72

Answer: D. Do not install anti-tracking-based browser extensions. Explanation: Different ways to defend against spyware are as follows: Carefully read all disclosures, including the license agreement and privacy statement, before installing any application. Avoid storing personal or financial information on any computer system that is not totally under your control, such as a computer in an Internet café. Avoid connecting to unknown/rogue devices or networks. Install anti-tracking-based browser extensions for private browsing. Check an app’s legitimacy before providing permissions such as location, camera, and microphone. Bookmark frequently visited websites for safe browsing.

Answer 73

Answer: B. Purple Fox rootkit Explanation: §njRAT: njRAT is a RAT with powerful data-stealing capabilities. In addition to logging keystrokes, it can access a victim's camera, stealing credentials stored in browsers, uploading and downloading files, performing process and file manipulations, and viewing the victim's desktop. PoisonIvy: PoisonIvy gives the attacker practically complete control over the infected computer. The PoisonIvy remote administration tool is created and controlled by a PoisonIvy management program or kit. The PoisonIvy kit consists of a graphical user interface, and the backdoors are small (typically, <10 kB). Necurs: The Necurs botnet is a distributor of many pieces of malware, most notably Dridex and Locky. It delivers some of the worst banking Trojans and ransomware threats in batches of millions of emails at a time, and it keeps reinventing itself. Necurs is distributed by spam e-mails and downloadable content from questionable/illegal sites. It is indirectly responsible for a significant portion of cyber-crime. Purple Fox Rootkit: The Purple Fox rootkit enables attackers to conceal malware on targeted devices, making it difficult for security solutions to detect and remove the malware. It is a sophisticated malware attack that targets Windows machines and spreads its infection from one machine to another. The Purple Fox rootkit can be distributed via a fake malicious Telegram installer.

Answer 74

Answer: A. Mimikatz Explanation: got-responded: got-responded helps security professionals to check for LLMNR/NBT-NS spoofing. This tool starts in the default mode and checks for both LLMNR and NBT-NS spoofing but does not send fake SMB credentials. clearev: The logs of the target system will start being wiped out. Mimikatz: Attackers use tools such as mimikatz to perform OPtH attacks. The mimikatz tool allows attackers to obtain and store different authentication credentials such as Kerberos tickets. It assists attackers in stealing credentials and performing privilege escalation. KFSensor: KFSensor is a host-based IDS that acts as a honeypot to attract and detect hackers and worms by simulating vulnerable system services and Trojans. By acting as a decoy server, it can divert attacks from critical systems and provide a higher level of information than that achieved using firewalls and NIDS alone.

Answer 75

Answer: A. Golden ticket attack Explanation: Golden Ticket Attack: A golden ticket attack is a post-exploitation technique implemented by attackers to gain complete control over the entire AD. Attackers perform this attack by leveraging the Kerberos authentication protocol, using which they forge Ticket Granting Tickets (TGTs) by compromising a Key Distribution Service account (KRBTGT) to access various resources. This attack allows attackers to maintain persistence and obtain more information within the AD by masquerading as privileged users. Insertion Attack: Insertion is the process by which the attacker confuses the IDS by forcing it to read invalid packets (i.e., the system may not accept the packet addressed to it). An IDS blindly trusts and accepts a packet that an end system rejects. Directory Traversal Attack: An attacker may be able to perform a directory traversal attack owing to a vulnerability in the code of a web application. In addition, poorly patched or configured web server software can make the web server vulnerable to a directory traversal attack. Mask Attack: Mask attack is similar to brute-force attacks but recovers passwords from hashes with a more specific set of characters based on information known to the attacker.

Answer 76

Answer: D. Silver ticket attack Explanation: Password Spraying Attack: Password spraying attack targets multiple user accounts simultaneously using one or a small set of commonly used passwords. Silver Ticket Attack: A silver ticket attack is a post-exploitation technique implemented by an attacker to steal legitimate users’ credentials and create a fake Kerberos Ticket Granting Service (TGS) ticket. This attack allows an attacker to acquire permissions to only a single service in an application, unlike the golden ticket attack, in which the attackers acquire permissions over the entire AD. To initiate a silver ticket attack, the attacker must hold access to the credentials gathered from a local service account or the system’s SAM database. Then, the attacker forges or creates a silver ticket without any intermediary such as a domain controller (DC), which makes it easier for the attacker to intrude and become untraceable for monitoring solutions. HTTP Response Splitting Attack: An HTTP response-splitting attack is a web-based attack in which the attacker tricks the server by injecting new lines into response headers, along with arbitrary code. SSH Brute Force Attack: Attackers use SSH protocols to create an encrypted SSH tunnel between two hosts to transfer unencrypted data over an insecure network. Usually, SSH runs on TCP port 22. To perform an attack on SSH, an attacker scans the entire SSH server using bots (performs a port scan on TCP port 22) to identify possible vulnerabilities.