Module 06 - System Hacking ( EC Mode Part 02 ) Flashcards
Joseph, a professional hacker, was tasked with compromising the security of an organization’s Active Directory (AD) environment. After gaining access to the target host, Joseph abused the SDProp process to establish persistence. Further, he added a new user account to the ACL to gain GenericAll privileges, which are equivalent to the privileges of the domain administrator.
Which of the following attacks did Joseph perform in the above scenario?
A. Domain persistence through AdminSDHolder
B. Rainbow table attack
C. Cross-site scripting (XSS) attack
D. Persistence by abusing boot or logon autostart executions
Answer: A. Domain persistence through AdminSDHolder
Explanation:
Rainbow Table Attack: A rainbow table attack recovers passwords from captured hashes by looking them up in precomputed hash chains, a cryptanalytic time-memory trade-off that exchanges storage for far shorter cracking time. It is a credential attack and has nothing to do with AD persistence.
Cross-Site Scripting (XSS) Attack: In this method, an attacker injects HTML tags or scripts into a target website.
Maintain Domain Persistence Through AdminSDHolder: An attacker who already holds admin privileges in a compromised domain can abuse the SDProp (Security Descriptor Propagator) process to establish persistence. SDProp copies the ACL of the AdminSDHolder object onto every protected object (Domain Admins, Enterprise Admins, Administrators and the other protected groups and accounts). Adding a controlled account to the AdminSDHolder ACL with GenericAll (full control) therefore grants that account rights equivalent to those of a domain administrator over all protected objects, and because SDProp re-applies the ACL every 60 minutes by default, the permission is restored even if a defender removes it from an individual group.
Maintain persistence by Abusing Boot or Logon Autostart Executions: Attackers take advantage of the system boot or logon autostart programs for escalating privileges and performing persistent attacks by applying custom configuration settings on the compromised machine.
Which of the following commands allows an attacker to retrieve all the users who have shell access?
A. ls -la /etc/cron.d
B. /sbin/ifconfig -a
C. egrep -e '/bin/(ba)?sh' /etc/passwd
D. cat /etc/redhat* /etc/debian* /etc/*release
Answer: C. egrep -e '/bin/(ba)?sh' /etc/passwd
Explanation:
During the reconnaissance that follows initial access, attackers run ordinary administrative commands to learn about the compromised Linux host. Commonly used information-gathering commands:
ps -ef: Lists every running process with its PID, parent PID and command line, showing what is running on the system.
mount: With no arguments, lists the currently mounted file systems (its other use is to attach a file system to the directory tree).
route -n: Displays the kernel routing table in numeric form, revealing gateways and reachable networks.
/sbin/ifconfig -a: Displays all network interfaces with their IP addresses and configuration.
cat /etc/crontab: Displays the system-wide cron table, revealing scheduled tasks and the scripts they run.
ls -la /etc/cron.d: Lists the per-package cron job files dropped into /etc/cron.d, whose names usually reveal installed software.
cat /etc/exports: Displays the directories exported to NFS clients, revealing shared resources.
cat /etc/redhat* /etc/debian* /etc/*release: Displays the distribution and OS version, which points to the applicable vulnerabilities and software versions.
ls /etc/rc*: Lists boot-time (init) scripts, showing which services start automatically.
egrep -e '/bin/(ba)?sh' /etc/passwd: Lists accounts whose login shell is /bin/sh or /bin/bash, i.e. users who can log in interactively and are therefore candidates for further attack. Note that the pattern misses shells installed elsewhere (/usr/bin/zsh, /usr/bin/fish, /bin/dash and so on).
ls -la ~/.ssh/ && cat ~/.ssh/*: Reveals SSH keys, authorized_keys and known_hosts, i.e. trust relationships that may give access to other systems.
Defensively, none of these commands is unusual on its own, so detection relies on context: auditd execve logging or forwarded shell history showing this sequence from a service account or shortly after an unexpected logon, plus tight permissions on files that need not be world-readable.
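The egrep one-liner above matches only /bin/sh and /bin/bash. The following Python is an added example and not part of the original flashcard material: it parses a constructed /etc/passwd sample and compares what the page's regex reports with a check on the shell field that also catches zsh, fish and other shells installed under /usr/bin. The sample file and the NON_INTERACTIVE set are assumptions made for the example.

```python
import re

# Constructed sample /etc/passwd content for this example (not taken from a
# real host); the shells are chosen to show what the page's regex finds and misses.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/usr/bin/zsh
carol:x:1002:1002:Carol:/home/carol:/bin/sh
dave:x:1003:1003:Dave:/home/dave:/bin/false
svc_backup:x:1004:1004::/var/backups:/usr/bin/fish
"""

# The page's pattern, applied per line exactly as egrep -e '/bin/(ba)?sh' does.
PAGE_PATTERN = re.compile(r"/bin/(ba)?sh")

# Login "shells" that end the session immediately. Assumed list for this
# example; on a real host also compare field 7 against /etc/shells.
NON_INTERACTIVE = {"nologin", "false", "sync", "halt", "shutdown", "true"}


def page_regex_users(passwd_text):
    """User names on lines matched by the page's egrep one-liner."""
    return [line.split(":")[0]
            for line in passwd_text.splitlines()
            if PAGE_PATTERN.search(line)]


def interactive_shell_users(passwd_text):
    """(user, shell) pairs whose login shell is not a known non-interactive binary."""
    users = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:          # skip blank or malformed lines
            continue
        name, shell = fields[0], fields[6]
        if shell == "":               # an empty field 7 means /bin/sh (passwd(5))
            shell = "/bin/sh"
        if shell.rsplit("/", 1)[-1] not in NON_INTERACTIVE:
            users.append((name, shell))
    return users


def missed_by_page_regex(passwd_text):
    """Interactive accounts the page's regex does not report."""
    matched = set(page_regex_users(passwd_text))
    return [name for name, _ in interactive_shell_users(passwd_text)
            if name not in matched]


if __name__ == "__main__":
    print("egrep view :", page_regex_users(SAMPLE_PASSWD))
    print("all shells :", interactive_shell_users(SAMPLE_PASSWD))
    print("missed     :", missed_by_page_regex(SAMPLE_PASSWD))
```

On the sample, the page's regex reports root, alice and carol, while bob (zsh) and svc_backup (fish) also have interactive shells; on a real host, replace SAMPLE_PASSWD with the contents of /etc/passwd.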
Which of the following post-exploitation wmic commands allows attackers to retrieve the service name and path of executable files?
A. wmic os where Primary='TRUE' reboot
B. wmic /node:"" product get name,version,vendor
C. wmic useraccount get name, sid
D. wmic service get name,displayname,pathname,startmode > wmic_service.txt
Answer: D. wmic service get name,displayname,pathname,startmode > wmic_service.txt
Explanation:
WMIC (Windows Management Instrumentation Command-line) queries and manages Windows systems through WMI. Commonly used post-exploitation WMIC commands:
wmic os where Primary='TRUE' reboot: Reboots Windows.
wmic service get name,displayname,pathname,startmode > wmic_service.txt: Retrieves, for every installed service, its name, display name, the path of its executable and its start mode; redirecting the output to a file makes it easy to review later.
wmic /node:"" product get name,version,vendor: Lists installed software (name, version, vendor) on the local system or on a remote system named with /node.
wmic cpu get: Retrieves the processor's details, including its name and architecture.
wmic useraccount get name,sid: Retrieves local account names with their Security Identifiers (SIDs).
WMIC gives administrators useful inventory data, but it gives attackers the same reconnaissance. Its use by ordinary users or from unusual parent processes is worth alerting on (Sysmon process-creation events, or command-line auditing in Security event 4688). Note that WMIC is deprecated in current Windows releases in favour of the PowerShell CIM cmdlets such as Get-CimInstance, although it is still present on many systems.
Which of the following countermeasures allows a security professional to defend against techniques for covering tracks?
A. Ensure that new events overwrite old entries in log files
B. Periodically back up log files to alterable media
C. Leave all unused open ports and services as they are
D. Activate the logging functionality on all critical systems
Answer: D. Activate the logging functionality on all critical systems
Which of the following Windows command-line tools is utilized by an attacker to overwrite data for preventing recovery in the future and also encrypt and decrypt data in NTFS partitions?
A. adslist.exe
B. Cipher.exe
C. ATTRIB.exe
D. Auditpol.exe
Answer: B. Cipher.exe
Explanation:
Windows tools an attacker can use to cover tracks on the compromised host:
adslist.exe: adslist.exe is a third-party utility that lists and manipulates hidden NTFS alternate data streams.
Cipher.exe: Cipher.exe is a built-in Windows command-line tool. cipher /w:<directory> overwrites the deallocated (free) space on that directory's volume so that previously deleted data cannot be recovered; it does not wipe files that still exist. cipher /e and cipher /d encrypt and decrypt files and folders on NTFS partitions using EFS.
Auditpol.exe: Auditpol.exe is the command-line utility for changing audit policy at the category and sub-category level, which attackers use to switch off the auditing that would record them.
ATTRIB.exe: ATTRIB.exe displays or changes file attributes, letting an attacker hide files or strip read-only protection from a victim's files.
Identify the technique used by the attackers to wipe out the entries corresponding to their activities in the system log to remain undetected?
A. Clearing logs
B. Gaining access
C. Escalating privileges
D. Executing applications
Answer: A. Clearing logs
Explanation:
Executing Applications: Once attackers have administrator privileges, they attempt to install malicious programs such as Trojans, backdoors, rootkits and keyloggers, which grant them remote access and let them execute malicious code remotely. Installing rootkits gives them operating-system-level access for malicious activities; to retain access for later use, they may install backdoors.
Escalating Privileges: After gaining access to a system using a low-privileged normal user account, attackers may then try to increase their administrator privileges to perform protected system operations, so that they can proceed to the next level of the system hacking phase: to execute applications. Attackers exploit known system vulnerabilities to escalate user privileges.
Gaining Access: In system hacking, the attacker first tries to gain access to a target system using information obtained and loopholes found in the system’s access control mechanism. Once attackers succeed in gaining access to the system, they are free to perform malicious activities such as stealing sensitive data, implementing a sniffer to capture network traffic, and infecting the system with malware.
Clearing Logs: To maintain future system access, attackers attempt to avoid recognition by legitimate system users. To remain undetected, attackers wipe out the entries corresponding to their activities in the system log, thus avoiding detection by users.
Which of the following is a sh-compatible shell that stores command history in a file?
A. BASH
B. Zsh
C. Tcsh/Csh
D. ksh
Answer: A. BASH
Explanation:
BASH: Bash, the Bourne Again Shell, is an sh-compatible shell that stores command history in the file ~/.bash_history. You can view the saved history with more ~/.bash_history. This is a problem for attackers, because investigators can use .bash_history to trace the origin of an attack and the exact commands an intruder ran to compromise the system.
Tcsh: A Unix shell compatible with the C shell (csh), with features such as command-line completion and editing. Neither csh nor tcsh supports user-defined shell functions; users rely on aliases or separate scripts instead.
Zsh: This shell can be used as an interactive login shell and as a command-line interpreter for shell scripts. It is an extension of the Bourne shell with a large number of improvements.
Ksh: An improved version of the Bourne shell that adds floating-point arithmetic, job control, command aliasing and command completion.
Which of the following technique is used by the attacker to distribute the payload and to create covert channels?
A. Clear online tracks
B. Covering tracks
C. TCP parameters
D. Performing steganalysis
Answer: C. TCP parameters
Explanation:
TCP Parameters: Fields of the TCP/IP headers can be used by an attacker to distribute a payload and to create covert channels. Header fields in which data can be hidden include the following:
IP Identification field: The simplest approach. The payload is sent one character per packet, with the character's value placed in the 16-bit Identification field, over a session between two systems.
TCP acknowledgement number: The hardest approach, because it relays data through a bounce server. The sender spoofs a SYN to the bounce server using the receiver's address as the source, with the hidden character encoded in the initial sequence number; the bounce server's SYN/ACK, sent to the receiver, carries that value (plus one) in its acknowledgement number. One hidden character is relayed per packet, and the sender's real address never appears at the receiver.
TCP initial sequence number: This method does not require an established connection either. One hidden character is encoded in the initial sequence number of each SYN; the receiver extracts it and answers with a RST.
Clear Online Tracks: Attackers clear the online traces kept on the target computer, such as web history, logs, cookies, cache, downloads and visit times, so that the victim cannot tell what online activity the attacker performed.
Covering Tracks: Covering tracks is one of the main stages of system hacking. In this stage the attacker tries to avoid being detected or traced by removing all tracks, i.e. the logs generated while gaining access to the target network or computer.
Steganalysis: Steganalysis is the process of discovering the existence of hidden information in a medium; it is the reverse of steganography. The analyst, called a steganalyst, tries to detect messages embedded in image, text, audio and video carriers by steganography.
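The IP Identification method described above, worked through in Python as an added example that is not part of the original flashcard material: a sender encodes one character per packet in the Identification field of a minimal IPv4 header, a receiver decodes it, and a detector measures how many IDs fall in the printable-ASCII range. The addresses, TTL and other header values are placeholders, and the encoding is the one the page describes, not a reimplementation of any specific tool.

```python
import struct

# Illustrative encoding: one character per packet, placed in the 16-bit IPv4
# Identification field (header bytes 4-5). Header layout follows RFC 791;
# addresses and the remaining fields are placeholder values for this example.


def ipv4_checksum(header):
    """RFC 791 header checksum: one's-complement sum of 16-bit words."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(ident, src="10.0.0.1", dst="10.0.0.2", proto=6, total_len=40):
    """Minimal 20-byte IPv4 header carrying the given Identification value."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s",
                      (4 << 4) | 5,      # version 4, IHL 5 (20 bytes)
                      0,                 # DSCP/ECN
                      total_len,
                      ident & 0xFFFF,    # Identification: the covert byte
                      0,                 # flags + fragment offset
                      64,                # TTL
                      proto,             # 6 = TCP
                      0,                 # checksum placeholder
                      src_b, dst_b)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def ip_id(header):
    return struct.unpack("!H", header[4:6])[0]


def checksum_ok(header):
    """A header whose checksum field is correct sums to zero."""
    return ipv4_checksum(header) == 0


def encode_covert(message):
    """Sender: one packet per character, with the character code in the ID field."""
    return [build_ipv4_header(ord(ch)) for ch in message]


def decode_covert(headers):
    """Receiver: read the ID field of each packet back into text."""
    return "".join(chr(ip_id(h)) for h in headers)


def printable_id_fraction(headers):
    """Detector heuristic: share of packets whose ID is printable ASCII (0x20-0x7E).

    Normal stacks use an incrementing or random 16-bit ID, so only about
    95/65536 of packets land in that range; a text covert channel puts all of them there.
    """
    if not headers:
        return 0.0
    hits = sum(1 for h in headers if 0x20 <= ip_id(h) <= 0x7E)
    return hits / len(headers)


def normal_traffic(count, start=0x1234):
    """Constructed benign flow with an incrementing ID counter, for comparison."""
    return [build_ipv4_header(start + i) for i in range(count)]


if __name__ == "__main__":
    covert = encode_covert("covert")
    print(decode_covert(covert), printable_id_fraction(covert))
    print(printable_id_fraction(normal_traffic(20)))
```

The detector works on a whole flow rather than a single packet: one printable ID is meaningless, but a flow where nearly every ID is printable, or where IDs stop incrementing, is worth inspecting. The same fraction check applies to the ISN and acknowledgement-number variants once the relevant 32-bit field is extracted.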
Which of the following is used by an attacker to manipulate the log files?
A. Clear_Event_Viewer_Logs.bat
B. Auditpol.exe
C. SECEVENT.EVT
D. clearlogs.exe
Answer: C. SECEVENT.EVT
Explanation:
Auditpol.exe: Auditpol.exe is the command line utility tool to change Audit Security settings at the category and sub-category levels. Attackers can use AuditPol to enable or disable security auditing on local or remote systems and to adjust the audit criteria for different categories of security events.
Clear_Event_Viewer_Logs.bat/clearlogs.exe: The Clear_Event_Viewer_Logs.bat or clearlogs.exe is a utility that can be used to wipe out the logs of the target system. This utility can be run through command prompt, PowerShell, and using a BAT file to delete security, system, and application logs on the target system. Attackers might use this utility, wiping out the logs as one method of covering their tracks on the target system.
SECEVENT.EVT: Attackers may not wish to delete an entire log, as doing so is conspicuous and requires admin privileges. If they can remove only the events produced by their own actions, they still escape detection. The legacy event log files they target (kept as .evtx files under %SystemRoot%\System32\winevt\Logs on Windows Vista and later) are:
SECEVENT.EVT (Security): failed logons, access to files without sufficient privileges
SYSEVENT.EVT (System): driver failures, components not operating correctly
APPEVENT.EVT (Application): events written by installed applications
Which of the following registry entry you will delete to clear Most Recently Used (MRU) list?
A. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
B. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
C. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AppKey
D. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Answer: D. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Explanation:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AppKey stores the mappings for keyboard hotkeys (special application keys).
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts stores the per-user file extension associations and the OpenWithList for each extension.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs maintains the Most Recently Used list of files opened or saved through Windows Explorer-style dialog boxes. On a live system this per-user list is written under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs, and the same activity is mirrored as .lnk files in %APPDATA%\Microsoft\Windows\Recent, so deleting the key alone leaves traces.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 records the volumes and network shares the user has mounted or browsed.
Answer: B. attrib +h +s +r
Explanation:
Attackers use the following commands to hide files, folders and user accounts on a compromised system so that they evade detection and keep their foothold:
attrib +h +s +r <path>: Hides a file or folder in Windows. +h sets the hidden attribute, +s marks the object as a system file (Explorer keeps it out of view even when hidden files are shown, unless protected operating system files are also unhidden), and +r makes it read-only. attrib -h -s -r reverses the change, and dir /a:hs lists objects carrying these attributes.
net user <name> <password> /add: Creates an additional local user account. The account is not hidden by itself, but an extra account the defenders do not know about gives the attacker a way back in if the primary account is discovered and disabled.
net user <name> /active:no: Disables the account while it is not needed: it cannot log on and is not shown on the sign-in screen, yet it stays on the system and can be re-enabled later with /active:yes, reducing the chance of detection in the meantime.
mkdir .HiddenMaliciousFiles: Creates a hidden directory on a Linux system. Names beginning with "." are omitted by ls unless -a is given; the name itself is arbitrary.
Defensively, alert on Security events 4720 (account created) and 4725 (account disabled), on attrib invocations from unexpected parent processes, and periodically list dotfiles and dot-directories in locations where none are expected.
Carter, a professional hacker, infiltrated a target Windows system and wanted to maintain persistence without being traced. For this purpose, he executed a command to hide his account in the Windows system.
Identify the command executed by Carter in the above scenario.
A. touch MaliciousFile.txt
B. net user /active:yes
C. net user /active:no
D. net user /add
Answer: C. net user /active:no
Explanation:
Attackers use the following commands to stage files, enable or disable accounts and hide their presence on a compromised system:
touch MaliciousFile.txt: Creates an empty file (here, inside the hidden folder created earlier) that the attacker can later fill with tooling or collected data without it being easily noticed.
net user <name> /active:yes: Re-enables a previously disabled account so the attacker can log on with it again.
net user <name> /active:no: Disables the account while it is not needed; it stays on the system for later use but cannot log on and is not shown on the sign-in screen. This is the command Carter used.
net user <name> <password> /add: Creates an additional local account that serves as a fallback if the attacker's primary access is discovered and removed.
Account creation, enabling and disabling are recorded in the Security log as events 4720, 4722 and 4725; monitor them, restrict who can run net user, and keep systems patched so that the initial foothold is harder to obtain.
Which of the following practices helps security experts defend against covering track attempts?
A. Deactivate the logging functionality on all critical systems.
B. Periodically back up log files to alterable media.
C. Use restricted ACLs to secure log files.
D. Open all unused open ports and services.
Answer: C. Use restricted ACLs to secure log files.
Explanation:
The countermeasures against attempts to cover tracks are as follows:
Activate the logging functionality on all critical systems.
Close all unused open ports and services.
Use restricted ACLs to secure the log files.
Regularly update and patch OSes, applications, and firmware.
Set log files to the “append only” mode to prevent the unauthorized deletion of log entries.
Periodically back up the log files to unalterable media.
Which of the following commands is used by an attacker to delete only the history of the current shell and retain the command history of other shells?
A. cat /dev/null > ~/.bash_history && history -c && exit
B. history -w
C. history -c
D. export HISTSIZE=0
Answer: B. history -w
Explanation:
cat /dev/null > ~/.bash_history && history -c && exit: Truncates the saved history file, clears the current shell's in-memory history and exits, so nothing from this session is written on the way out. Other shells that are still open keep their own in-memory history and will write it when they exit unless they are cleared as well.
history -w: Writes the current shell's in-memory history list to ~/.bash_history, replacing the file's previous contents. Only this shell's list is involved; the in-memory history of other running shells is unaffected.
export HISTSIZE=0: Stops Bash keeping history for this session. HISTSIZE is the number of commands held in the in-memory list, and with zero entries there is nothing to write to ~/.bash_history.
history -c: Clears the in-memory history list of the current shell; the file on disk is untouched until the shell exits or history -w is run.
Which of the following techniques do attackers use to cover the tracks?
A. Steganography
B. Steganalysis
C. Scanning
D. Disable auditing
Answer: D. Disable auditing
Explanation:
Steganography: This refers to the art of hiding data “behind” other data without the target’s knowledge.
Steganalysis: This is a process of discovering the existence of the hidden information in a medium.
Disable auditing: This is the technique where an attacker disables auditing features of the target system to cover the tracks.
Scanning: This refers to a set of procedures used for identifying hosts, ports, and services in a network
Which of the following techniques is used by the attackers to clear online tracks?
A. Disable LLMNR and NBT-NS services
B. Disable auditing
C. Disable the user account
D. Disable LAN manager
Answer: B. Disable auditing
Explanation:
Techniques used for Clearing Tracks
The main activities that an attacker performs toward removing his/her traces on the computer are:
Disable auditing: An attacker disables auditing features of the target system
Clearing logs: An attacker clears/deletes the system log entries corresponding to his/her activities
Manipulating logs: An attacker manipulates logs in such a way that he/she will not be caught in legal actions
Which of the following commands is used to disable the BASH shell from saving the history?
A. history -w
B. shred ~/.bash_history
C. export HISTSIZE=0
D. history -c
Answer: C. export HISTSIZE=0
Explanation:
history -c: Clears the in-memory history list of the current shell.
export HISTSIZE=0: Disables history for the current Bash session by setting the in-memory history list to zero entries, so nothing is saved to ~/.bash_history (HISTFILESIZE, not HISTSIZE, governs the size of the file itself).
history -w: Writes the current shell's history list to the history file, overwriting it; the in-memory history of other running shells is unaffected.
shred ~/.bash_history: Overwrites the history file's contents with random data so that they cannot be read or recovered (shred -u also removes the file). Bash will recreate the file from the in-memory list on exit unless that list is cleared too.
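Both history questions above describe the same anti-forensic commands from the attacker's side. The following Python is an added example and not part of the original flashcard material: it gives the defender's view, scanning a constructed list of captured commands for the indicators the two explanations list (history -c/-w, HISTSIZE=0, shred, truncation by redirect) plus the HISTFILE variants that usually accompany them. The sample commands and indicator names are assumptions made for the example.

```python
import re

# Constructed sample of captured shell commands for this example (not from a
# real incident). In practice these lines come from an auditd/execve feed or
# centrally shipped history: a local .bash_history that was successfully
# cleared will not contain the clearing commands themselves.
SAMPLE_COMMANDS = [
    "ls -la",
    "cd /var/www",
    "tar czf /tmp/.cache.tgz /var/www/html",
    "export HISTSIZE=0",
    "cat /dev/null > ~/.bash_history",
    "history -c",
    "unset HISTFILE",
    "shred -u ~/.bash_history",
    "ls",
    "exit",
]

# Each indicator is (name, compiled pattern). The patterns cover the commands the
# page lists plus the HISTFILE variants commonly seen alongside them.
INDICATORS = [
    ("history list cleared or rewritten",  re.compile(r"\bhistory\s+-[cw]\b")),
    ("history size set to zero",           re.compile(r"\bHIST(FILE)?SIZE=0\b")),
    ("history file disabled",              re.compile(r"\bunset\s+HISTFILE\b|\bHISTFILE=/dev/null\b")),
    ("history file truncated by redirect", re.compile(r">\s*\S*\.bash_history\b")),
    ("history file shredded",              re.compile(r"\bshred\b[^|;]*\.bash_history\b")),
    ("history recording switched off",     re.compile(r"\bset\s+\+o\s+history\b")),
]


def scan_commands(commands):
    """Return (line_number, indicator_name, command) for every matching command.

    Line numbers are 1-based so they line up with `cat -n` / `history` output.
    A command can match more than one indicator; each match is reported.
    """
    findings = []
    for lineno, cmd in enumerate(commands, start=1):
        for name, pattern in INDICATORS:
            if pattern.search(cmd):
                findings.append((lineno, name, cmd))
    return findings


def flagged_line_numbers(commands):
    """Sorted, de-duplicated line numbers that triggered at least one indicator."""
    return sorted({lineno for lineno, _, _ in scan_commands(commands)})


if __name__ == "__main__":
    for lineno, name, cmd in scan_commands(SAMPLE_COMMANDS):
        print(f"line {lineno}: {name}: {cmd}")
```

The word boundary in the first pattern matters: without it, every reference to ~/.bash_history would be reported as a history command. Feed the scanner whatever actually captured the commands (auditd type=EXECVE records, a PROMPT_COMMAND logger, or forwarded history) rather than the local file the attacker just emptied.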
Which of the following types of spyware can record and monitor Internet activities, record software usage and timings, record an activity log and store it at one centralized location, and log users’ keystrokes?
A. GPS spyware
B. Email spyware
C. Audio spyware
D. Desktop spyware
Answer: D. Desktop spyware
Explanation:
Email spyware: Email spyware is a program that monitors, records, and forwards all incoming and outgoing emails.
Audio Spyware: Audio spyware is a sound surveillance program designed to record sound onto a computer.
GPS Spyware: This spyware allows you to track the phone location points, saves or stores them in a log file and sends them to the specified email address.
Desktop spyware: Desktop spyware is software that allows an attacker to gain information about a user’s activity or personal information, send it via the Internet to third parties without the user’s knowledge or consent. It can record and monitor Internet activities, record software usage and timings, record an activity log and stores it at one centralized location and logs users’ keystrokes.
Which of the following best practices should be adopted to defend against spyware?
A. Read all disclosures before installing an application
B. Download open-source music files, screensavers, or emoticons
C. Always use the administrative mode
D. Disable a firewall to enhance the security level of the computer
Answer: A. Read all disclosures before installing an application
Explanation:
Different ways to defend against spyware are as follows:
Enable a firewall to enhance the security level of your computer.
Do not use administrative mode unless it is necessary, because it may execute malicious programs such as spyware in administrator mode. Consequently, attackers may take complete control of your system.
Do not download free music files, screensavers or emoticons from the Internet, because there is a chance that you are downloading spyware along with them.
Beware of pop-up windows or web pages. Never click anywhere on the windows that display messages such as “your computer may be infected,” or claim that they can help your computer to run faster. If you click on such windows, your system may become infected with spyware.
Carefully read all disclosures, including the license agreement and privacy statement, before installing any application.
Do not store personal or financial information on any computer system that is not totally under your control, such as in an Internet café.
Which of the following rootkit detection techniques compares the characteristics of all system processes and executable files with a database of known rootkit fingerprints?
A. Heuristic/behavior-based detection
B. Alternative trusted medium
C. Integrity-based detection
D. Signature-based detection
Answer: D. Signature-based detection
Explanation:
Integrity-Based Detection: It compares a snapshot of the file system, boot records, or memory with a known trusted baseline.
Heuristic/Behavior- Based Detection: Any deviations in the system’s normal activity or behavior may indicate the presence of a rootkit.
Signature-Based Detection: This technique compares characteristics of all system processes and executable files with a database of known rootkit fingerprints.
Alternative Trusted Medium: The infected system is shut down and then booted from an alternative trusted media such as a bootable CD-ROM or USB flash drive to find the traces of the rootkit.
Harper, a security professional in an organization, was instructed to increase the security of the organization. In this process, he trained the employees on the best practices that they should employ to defend against keyloggers.
Which of the following is NOT a countermeasure to defend against keyloggers?
A. Recognize phishing emails and delete them
B. Never update and patch system software
C. Use pop-up blockers and avoid opening junk emails
D. Install antivirus programs and keep the signatures up to date
Answer: B. Never update and patch system software
Explanation:
Different countermeasures to defend against keyloggers are listed as follows:
Use pop-up blockers and avoid opening junk emails.
Install anti-spyware/antivirus programs and keep the signatures up to date.
Install professional firewall software and anti-keylogging software.
Recognize phishing emails and delete them.
Regularly update and patch system software.
Do not click on links in unsolicited or dubious emails that may direct you to malicious sites.
Use keystroke interference software that inserts randomized characters into every keystroke.
Quiz: Which one of the following techniques is used by attackers to hide their programs?
A. Footprinting
B. NTFS stream
C. Scanning
D. Enumeration
Answer: B. NTFS stream
Explanation:
Scanning: Scanning is the process of gathering additional detailed information about the target by using highly complex and aggressive reconnaissance techniques. Network scanning refers to a set of procedures used for identifying hosts, ports, and services in a network. It is one of the most important phases of intelligence gathering for an attacker which enables him/her to create a profile of the target organization.
NTFS Stream: Using NTFS alternate data streams (ADS), an attacker can hide files almost completely within the file system. Streams are easy to create, but users can only see them with specific tools: Explorer shows only the primary (root) file, cannot view the streams attached to it and does not count their disk space. As a result, malware planted in an ADS is unlikely to be noticed by casual inspection, although dir /R lists the streams and most modern antivirus engines scan them.
Enumeration: Enumeration is the process of extracting user names, machine names, network resources,shares, and services from a system or network. In the enumeration phase, attacker creates active connections with system and performs directed queries to gain more information about the target. The attackers use the information collected by means of enumeration to identify the vulnerabilities or weak points in the system security, which helps them exploit the target system.
Footprinting: Footprinting, the first step in ethical hacking, refers to the process of collecting information about a target network and its environment. Using footprinting, you can find a number of opportunities to penetrate and assess the target organization’s network.
Which one of the following software program helps the attackers to gain unauthorized access to a remote system and perform malicious activities?
A. Antivirus
B. Keylogger
C. Anti-spyware
D. Rootkit
Answer: D. Rootkit
Explanation:
Anti-Spyware: Anti-spyware provides real-time protection by scanning your system at regular intervals, either weekly or daily. It scans to ensure the computer is free from malicious software.
Keyloggers: A keylogger is a hardware or software program that secretly records each keystroke on the user keyboard at any time. Keyloggers save captured keystrokes to a file for reading later or transmit them to a place where the attacker can access it.
Rootkit: Rootkits are software programs designed to gain access to a computer without detection. They are malware that help attackers obtain unauthorized access to a remote system and perform malicious activities while concealing their presence. The goal of a rootkit is to gain and keep root (or SYSTEM) privileges; with them, an attacker can perform any task, such as installing software or deleting files.
Antivirus: Antivirus is a software used to protect, detect, prevent, and remove malicious programs from systems and networks.
In a Windows system, an attacker was found to have run the following command: type C:\SecretFile.txt >C:\LegitFile.txt:SecretFile.txt. What does the above command indicate?
A. Attacker has used Alternate Data Streams to rename SecretFile.txt file to LegitFile.txt
B. Attacker has used Alternate Data Streams to hide SecretFile.txt file into LegitFile.txt
C. Attacker was trying to view SecretFile.txt file hidden using an Alternate Data Stream
D. Attacker has used Alternate Data Streams to copy the content of SecretFile.txt file into LegitFile.txt
Answer: B. Attacker has used Alternate Data Streams to hide SecretFile.txt file into LegitFile.txt
Explanation:
The redirection writes the contents of SecretFile.txt into an alternate data stream named SecretFile.txt attached to LegitFile.txt. dir and Explorer show only LegitFile.txt with its original size, because ADS contents are not counted in the primary stream. The hidden stream can be listed with dir /R or with PowerShell's Get-Item C:\LegitFile.txt -Stream *, and read back with more < C:\LegitFile.txt:SecretFile.txt. The original SecretFile.txt is left in place by this command, so the attacker typically deletes it afterwards.