Module 06 - System Hacking ( EC Mode Part 02 ) Flashcards

1
Q

Joseph, a professional hacker, was tasked with compromising the security of an organization’s Active Directory (AD) environment. After gaining access to the target host, Joseph abused the SDProp process to establish persistence. Further, he added a new user account to the ACL to gain GenericAll privileges, which are equivalent to the privileges of the domain administrator.

Which of the following attacks did Joseph perform in the above scenario?

A. Domain persistence through AdminSDHolder
B. Rainbow table attack
C. Cross-site scripting (XSS) attack
D. Persistence by abusing boot or logon autostart executions

A

Answer: A. Domain persistence through AdminSDHolder

Explanation:
Rainbow Table Attack: A rainbow table attack uses the cryptanalytic time–memory trade-off technique, which requires less time than other techniques.
Cross-Site Scripting (XSS) Attack: In this method, an attacker injects HTML tags or scripts into a target website.
Maintain Domain Persistence Through AdminSDHolder: Attackers having admin privileges on a compromised domain can abuse the SDProp process to establish persistence. Attackers can add a user account to the ACL to gain “GenericAll” privileges, equivalent to the domain administrator. Consequently, with the changes replicated every hour by SDProp, attackers can maintain persistence.
Maintain persistence by Abusing Boot or Logon Autostart Executions: Attackers take advantage of the system boot or logon autostart programs for escalating privileges and performing persistent attacks by applying custom configuration settings on the compromised machine.

2
Q

Which of the following commands allows an attacker to retrieve all the users who have shell access?

A. ls -la /etc/cron.d
B. /sbin/ifconfig -a
C. egrep -e '/bin/(ba)?sh' /etc/passwd
D. cat /etc/redhat* /etc/debian* /etc/*release

A

Answer: C. egrep -e '/bin/(ba)?sh' /etc/passwd

Explanation:

During the reconnaissance phase of a cyber attack, attackers use various commands to gather information about the targeted system. Below are some commonly used information-gathering commands:

ps -ef: Displays all current processes along with their process IDs (PIDs), which can provide insight into what is running on the system.

mount: Attaches a file system to the directory tree structure and displays currently mounted file systems.

route -n: Displays host/network names in numeric form, which can help attackers identify network infrastructure.

/sbin/ifconfig -a: Displays network configuration details, including IP addresses, network interfaces, and more.

cat /etc/crontab: Displays running cron jobs, which can provide insight into automated tasks and potential vulnerabilities.

ls -la /etc/cron.d: Displays the software package used for the specified cron job, which can provide information about installed software.

cat /etc/exports: Displays directories that can be exported to NFS clients, which can provide information about shared resources.

cat /etc/redhat* /etc/debian* /etc/*release: Displays the OS version details, which can provide insight into potential vulnerabilities and software versions.

ls /etc/rc*: Lists bootup services, which can provide insight into what services are running on the system.

egrep -e '/bin/(ba)?sh' /etc/passwd: Displays all the users who have shell access, which can provide insight into potential targets for further exploitation.

cat ~/.ssh/: Displays SSH relationships and login details, which can provide access to the system.

It’s essential to monitor system logs and implement security measures to protect against reconnaissance attacks. Limiting access to sensitive information and using strong passwords can also help prevent information-gathering attacks.

3
Q

Which of the following post-exploitation wmic commands allows attackers to retrieve the service name and path of executable files?

A. wmic os where Primary='TRUE' reboot
B. wmic /node:"" product get name,version,vendor
C. wmic useraccount get name, sid
D. wmic service get name,displayname,pathname,startmode > wmic_service.txt

A

Answer: D. wmic service get name,displayname,pathname,startmode > wmic_service.txt

Explanation:

WMIC (Windows Management Instrumentation Command-line) is a powerful tool for managing and querying Windows systems. Below are some commonly used WMIC commands:

wmic os where Primary='TRUE' reboot: Reboots Windows, which can be useful for automation or remote administration.

wmic service get name,displayname,pathname,startmode > wmic_service.txt: Retrieves the service name, path of the executable, and other details about installed services. The output is redirected to a file for easy viewing.

wmic /node:"" product get name,version,vendor: Displays the details of installed software on the local or remote system, including the software name, version, and vendor.

wmic cpu get: Retrieves the processor’s details, including its name, architecture, and other information.

wmic useraccount get name,sid: Retrieves the login names and their corresponding Security Identifiers (SIDs).

WMIC commands can provide valuable information for system administrators, but they can also be used by attackers for reconnaissance purposes. It’s important to limit access to the WMIC tool and monitor its usage for any suspicious activity. Regular system updates, antivirus software, and intrusion detection systems can also help protect against malicious WMIC commands.

4
Q

Which of the following countermeasures allows a security professional to defend against techniques for covering tracks?

A. Ensure that new events overwrite old entries in log files
B. Periodically back up log files to alterable media
C. Leave all unused open ports and services as they are
D. Activate the logging functionality on all critical systems

A

Answer: D. Activate the logging functionality on all critical systems

5
Q

Which of the following Windows command-line tools is utilized by an attacker to overwrite data for preventing recovery in the future and also encrypt and decrypt data in NTFS partitions?

A. adslist.exe
B. Cipher.exe
C. ATTRIB.exe
D. Auditpol.exe

A

Answer: B. Cipher.exe

Explanation:
What can attackers do to clear their online tracks?

adslist.exe: adslist.exe is a third-party utility used to show and manipulate hidden streams.
Cipher.exe: Cipher.exe is an in-built Windows command-line tool that can be used to securely delete data by overwriting it to avoid recovery in the future. This command also assists in encrypting and decrypting data in NTFS partitions.
Auditpol.exe: Auditpol.exe is the command-line utility tool to change audit security settings at the category and sub-category levels.
ATTRIB.exe: ATTRIB.exe displays or changes the file attributes of a victim’s files so that the attacker can access them.

6
Q

Identify the technique used by attackers to wipe out the entries corresponding to their activities in the system log so that they remain undetected.

A. Clearing logs
B. Gaining access
C. Escalating privileges
D. Executing applications

A

Answer: A. Clearing logs

Explanation:
Executing Applications: Once attackers have administrator privileges, they attempt to install malicious programs such as Trojans, Backdoors, Rootkits, and Keyloggers, which grant them remote system access, thereby enabling them to execute malicious codes remotely. Installing Rootkits allows them to gain access at the operating system level to perform malicious activities. To maintain access for use at a later date, they may install Backdoors.
Escalating Privileges: After gaining access to a system using a low-privileged normal user account, attackers may then try to increase their administrator privileges to perform protected system operations, so that they can proceed to the next level of the system hacking phase: to execute applications. Attackers exploit known system vulnerabilities to escalate user privileges.
Gaining Access: In system hacking, the attacker first tries to gain access to a target system using information obtained and loopholes found in the system’s access control mechanism. Once attackers succeed in gaining access to the system, they are free to perform malicious activities such as stealing sensitive data, implementing a sniffer to capture network traffic, and infecting the system with malware.
Clearing Logs: To maintain future system access, attackers attempt to avoid recognition by legitimate system users. To remain undetected, attackers wipe out the entries corresponding to their activities in the system log, thus avoiding detection by users.

7
Q

Which of the following is a sh-compatible shell that stores command history in a file?

A. BASH
B. Zsh
C. Tcsh/Csh
D. ksh

A

Answer: A. BASH

Explanation:
BASH: The BASH or Bourne Again Shell is a sh-compatible shell that stores command history in a file called .bash_history. You can view the saved command history using the command more ~/.bash_history. This feature of BASH is a problem for hackers, as the .bash_history file could be used by investigators to track the origin of an attack and the exact commands used by an intruder to compromise a system.
Tcsh: This is a Unix shell compatible with the C shell. It comes with features such as command-line completion and editing. Users cannot define functions using a tcsh script; they need to use scripts such as Csh to write functions.
Zsh: This shell can be used as an interactive login shell as well as a command-line interpreter for writing shell scripts. It is an extension of the Bourne shell and includes a vast number of improvements.
Ksh: An improved version of the Bourne shell that includes floating-point arithmetic, job control, command aliasing, and command completion.

8
Q

Which of the following techniques is used by an attacker to distribute a payload and to create covert channels?

A. Clear online tracks
B. Covering tracks
C. TCP parameters
D. Performing steganalysis

A

Answer: C. TCP parameters

Explanation:
TCP Parameters: TCP parameters can be used by an attacker to distribute a payload and to create covert channels. Some of the TCP fields where data can be hidden are as follows:
IP Identification field: This is an easy approach in which a payload is transferred bitwise over an established session between two systems. Here, one character is encapsulated per packet.
TCP acknowledgement number: This approach is quite difficult, as it uses a bounce server that receives packets from the victim and sends them to an attacker. Here, one hidden character is relayed by the bounce server per packet.
TCP initial sequence number: This method also does not require an established connection between two systems. Here, one hidden character is encapsulated per SYN request and Reset packet.
Clear Online Tracks: Attackers clear online tracks maintained in web history, logs, cookies, cache, downloads, visited times, and so on, on the target computer, so that victims cannot notice what online activities the attackers have performed.
Covering Tracks: Covering tracks is one of the main stages of system hacking. In this stage, the attacker tries to hide and avoid being detected, or "traced out," by covering all "tracks," or logs, generated while gaining access to the target network or computer.
Steganalysis: Steganalysis is the process of discovering the existence of hidden information in a medium. Steganalysis is the reverse process of steganography. It is one of the attacks on information security in which an attacker, called a steganalyst, tries to detect hidden messages embedded in image, text, audio, and video carrier media using steganography.

9
Q

Which of the following is used by an attacker to manipulate the log files?

A. Clear_Event_Viewer_Logs.bat
B. Auditpol.exe
C. SECEVENT.EVT
D. clearlogs.exe

A

Answer: C. SECEVENT.EVT

Explanation:
Auditpol.exe: Auditpol.exe is the command line utility tool to change Audit Security settings at the category and sub-category levels. Attackers can use AuditPol to enable or disable security auditing on local or remote systems and to adjust the audit criteria for different categories of security events.
Clear_Event_Viewer_Logs.bat/clearlogs.exe: Clear_Event_Viewer_Logs.bat or clearlogs.exe is a utility that can be used to wipe out the logs of the target system. This utility can be run through the command prompt, PowerShell, or a BAT file to delete the security, system, and application logs on the target system. Attackers might use this utility, wiping out the logs, as one method of covering their tracks on the target system.
SECEVENT.EVT: Attackers may not wish to delete an entire log to cover their tracks, as doing so may require admin privileges. If attackers are able to delete only the attack event logs, they will still be able to escape detection.
The attacker can manipulate the log files with the help of:
SECEVENT.EVT (security): failed logins, accessing files without privileges
SYSEVENT.EVT (system): driver failures, things not operating correctly
APPEVENT.EVT (applications)

10
Q

Which of the following registry entries would you delete to clear the Most Recently Used (MRU) list?

A. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
B. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
C. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AppKey
D. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

A

Answer: D. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Explanation:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AppKey stores the hotkeys.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts is responsible for file extension association.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs key maintains a list of recently opened or saved files via Windows Explorer-style dialog boxes.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 stores the network locations.

11
Q

A

Answer: B. attrib +h +s +r

Explanation:

Attackers use various commands to hide files, folders, and user accounts on targeted systems to evade detection and maintain persistence. Below are some commonly used commands for this purpose:

attrib +h +s +r: Attackers use this command with administrator privileges to hide any file or folder in a Windows system. The "+h", "+s", and "+r" flags mark the file or folder as hidden, system, and read-only, respectively.

net user /add: Attackers can create a hidden user account on the victim system using this command in the Windows system. This allows them to maintain access to the system even if their primary account is discovered and disabled.

net user /active:no: Attackers can use this command to hide the user account when it’s not required in the Windows system. This allows them to keep the account available for future use while reducing the risk of detection.

mkdir .HiddenMaliciousFiles: This command creates a new hidden folder in a Linux system. The “.” prefix makes the folder hidden, and the name “HiddenMaliciousFiles” can be customized to the attacker’s needs.

It’s essential to monitor system logs and implement security measures to protect against these types of commands. Limiting access to sensitive information, implementing strong passwords, and using intrusion detection systems can also help prevent attackers from using these commands to hide malicious activity.

12
Q

Carter, a professional hacker, infiltrated a target Windows system and wanted to maintain persistence without being traced. For this purpose, he executed a command to hide his account in the Windows system.

Identify the command executed by Carter in the above scenario.

A. touch MaliciousFile.txt
B. net user /active:yes
C. net user /active:no
D. net user /add

A

Answer: C. net user /active:no

Explanation:

Attackers use various commands to create files, activate user accounts, and hide their activity on targeted systems to evade detection and maintain persistence. Below are some commonly used commands for this purpose:

touch MaliciousFile.txt: Attackers can use the touch command to create a file within the hidden folder. This allows them to store malicious code or other sensitive information that they don’t want to be easily discoverable.

net user /active:yes: This command activates the user account for exploitation in the Windows system. Attackers can use this command to gain access to the system using the newly created user account.

net user /active:no: Attackers can use this command to hide the user account when it’s not required in the Windows system. This allows them to keep the account available for future use while reducing the risk of detection.

net user /add: Attackers can create a hidden user account on the victim system using this command. This allows them to maintain access to the system even if their primary account is discovered and disabled.

It’s essential to monitor system logs and implement security measures to protect against these types of commands. Limiting access to sensitive information, implementing strong passwords, and using intrusion detection systems can also help prevent attackers from using these commands to hide malicious activity. Regular system updates and patch management can also help prevent exploitation of known vulnerabilities.

13
Q

Which of the following practices helps security experts defend against attempts to cover tracks?

A. Deactivate the logging functionality on all critical systems.
B. Periodically back up log files to alterable media.
C. Use restricted ACLs to secure log files.
D. Open all unused open ports and services.

A

Answer: C. Use restricted ACLs to secure log files.

Explanation:
The various countermeasures against covering tracks are as follows:

Activate the logging functionality on all critical systems.
Close all unused open ports and services.
Use restricted ACLs to secure the log files.
Regularly update and patch OSes, applications, and firmware.
Set log files to the “append only” mode to prevent the unauthorized deletion of log entries.
Periodically back up the log files to unalterable media.

14
Q

Which of the following commands is used by an attacker to delete only the history of the current shell and retain the command history of other shells?

A. cat /dev/null > ~/.bash_history && history -c && exit
B. history -w
C. history -c
D. export HISTSIZE=0

A

Answer: B. history -w

Explanation:
cat /dev/null > ~/.bash_history && history -c && exit: This command deletes the complete command history of the current and all other shells and exits the shell.
history -w: This command only deletes the history of the current shell, whereas the command history of other shells remains unaffected.
export HISTSIZE=0: This command disables the Bash shell from saving history. HISTSIZE determines the number of commands to be saved, which is set to 0.
history -c: This command is useful in clearing the stored history.

15
Q

Which of the following techniques do attackers use to cover the tracks?

A. Steganography
B. Steganalysis
C. Scanning
D. Disable auditing

A

Answer: D. Disable auditing

Explanation:
Steganography: This refers to the art of hiding data “behind” other data without the target’s knowledge.
Steganalysis: This is a process of discovering the existence of the hidden information in a medium.
Disable auditing: This is the technique where an attacker disables auditing features of the target system to cover the tracks.
Scanning: This refers to a set of procedures used for identifying hosts, ports, and services in a network.

16
Q

Which of the following techniques is used by the attackers to clear online tracks?

A. Disable LLMNR and NBT-NS services
B. Disable auditing
C. Disable the user account
D. Disable LAN manager

A

Answer: B. Disable auditing

Explanation:
Techniques used for Clearing Tracks
The main activities that an attacker performs toward removing his/her traces on the computer are:
Disable auditing: An attacker disables the auditing features of the target system.
Clearing logs: An attacker clears/deletes the system log entries corresponding to his/her activities.
Manipulating logs: An attacker manipulates logs in such a way that he/she will not be caught in legal actions.

17
Q

Which of the following commands is used to disable the BASH shell from saving the history?

A. history -w
B. shred ~/.bash_history
C. export HISTSIZE=0
D. history -c

A

Answer: C. export HISTSIZE=0

Explanation:
history -c: This command is useful in clearing the stored history.
export HISTSIZE=0: This command disables the BASH shell from saving the history by setting the size of the history file to 0.
history -w: This command only deletes the history of the current shell, whereas the command history of other shells remains unaffected.
shred ~/.bash_history: This command shreds the history file, making its contents unreadable.

18
Q

Which of the following types of spyware can record and monitor Internet activities, record software usage and timings, record an activity log and store it at one centralized location, and log users’ keystrokes?

A. GPS spyware
B. Email spyware
C. Audio spyware
D. Desktop spyware

A

Answer: D. Desktop spyware

Explanation:
Email spyware: Email spyware is a program that monitors, records, and forwards all incoming and outgoing emails.
Audio Spyware: Audio spyware is a sound surveillance program designed to record sound onto a computer.
GPS Spyware: This spyware tracks the phone's location points, saves or stores them in a log file, and sends them to a specified email address.
Desktop spyware: Desktop spyware is software that allows an attacker to gain information about a user's activity or personal information and send it via the Internet to third parties without the user's knowledge or consent. It can record and monitor Internet activities, record software usage and timings, record an activity log and store it at one centralized location, and log users' keystrokes.

19
Q

Which of the following best practices should be adopted to defend against spyware?

A. Read all disclosures before installing an application
B. Download open-source music files, screensavers, or emoticons
C. Always use the administrative mode
D. Disable a firewall to enhance the security level of the computer

A

Answer: A. Read all disclosures before installing an application

Explanation:
Different ways to defend against spyware are as follows:

Enable a firewall to enhance the security level of your computer.
Do not use administrative mode unless it is necessary, because malicious programs such as spyware may then execute in administrator mode. Consequently, attackers may take complete control of your system.
Do not download free music files, screensavers, or emoticons from the Internet, because when you do, there is a possibility that you are downloading spyware along with them.
Beware of pop-up windows or web pages. Never click anywhere on the windows that display messages such as “your computer may be infected,” or claim that they can help your computer to run faster. If you click on such windows, your system may become infected with spyware.
Carefully read all disclosures, including the license agreement and privacy statement, before installing any application.
Do not store personal or financial information on any computer system that is not totally under your control, such as in an Internet café.

20
Q

Which of the following rootkit detection techniques compares the characteristics of all system processes and executable files with a database of known rootkit fingerprints?

A. Heuristic/behavior-based detection
B. Alternative trusted medium
C. Integrity-based detection
D. Signature-based detection

A

Answer: D. Signature-based detection

Explanation:
Integrity-Based Detection: It compares a snapshot of the file system, boot records, or memory with a known trusted baseline.
Heuristic/Behavior-Based Detection: Any deviations in the system's normal activity or behavior may indicate the presence of a rootkit.
Signature-Based Detection: This technique compares characteristics of all system processes and executable files with a database of known rootkit fingerprints.
Alternative Trusted Medium: The infected system is shut down and then booted from an alternative trusted medium, such as a bootable CD-ROM or USB flash drive, to find the traces of the rootkit.

21
Q

Harper, a security professional in an organization, was instructed to increase the security of the organization. In this process, he trained the employees on the best practices that they should employ to defend against keyloggers.

Which of the following is NOT a countermeasure to defend against keyloggers?

A. Recognize phishing emails and delete them
B. Never update and patch system software
C. Use pop-up blockers and avoid opening junk emails
D. Install antivirus programs and keep the signatures up to date

A

Answer: B. Never update and patch system software

Explanation:
Different countermeasures to defend against keyloggers are listed as follows:

Use pop-up blockers and avoid opening junk emails.
Install anti-spyware/antivirus programs and keep the signatures up to date.
Install professional firewall software and anti-keylogging software.
Recognize phishing emails and delete them.
Regularly update and patch system software.
Do not click on links in unsolicited or dubious emails that may direct you to malicious sites.
Use keystroke interference software that inserts randomized characters into every keystroke.

22
Q

Quiz: Which one of the following techniques is used by attackers to hide their programs?

A. Footprinting
B. NTFS stream
C. Scanning
D. Enumeration

A

Answer: B. NTFS stream

Explanation:
Scanning: Scanning is the process of gathering additional detailed information about the target by using highly complex and aggressive reconnaissance techniques. Network scanning refers to a set of procedures used for identifying hosts, ports, and services in a network. It is one of the most important phases of intelligence gathering for an attacker, as it enables him/her to create a profile of the target organization.
NTFS Stream: Using NTFS data streams, an attacker can almost completely hide files within the system. The streams are easy to use, but a user can only identify them with specific software. Explorer can display only the root files; it cannot view the streams linked to the root files and cannot determine the disk space used by the streams. As such, if a virus implants itself into an ADS, it is unlikely that usual security software will identify it.
Enumeration: Enumeration is the process of extracting user names, machine names, network resources, shares, and services from a system or network. In the enumeration phase, the attacker creates active connections with the system and performs directed queries to gain more information about the target. Attackers use the information collected by means of enumeration to identify the vulnerabilities or weak points in the system's security, which helps them exploit the target system.
Footprinting: Footprinting, the first step in ethical hacking, refers to the process of collecting information about a target network and its environment. Using footprinting, you can find a number of opportunities to penetrate and assess the target organization's network.

23
Q

Which one of the following software programs helps attackers gain unauthorized access to a remote system and perform malicious activities?

A. Antivirus
B. Keylogger
C. Anti-spyware
D. Rootkit

A

Answer: D. Rootkit

Explanation:
Anti-Spyware: Anti-spyware provides real-time protection by scanning your system at regular intervals, either weekly or daily. It scans to ensure the computer is free from malicious software.
Keylogger: A keylogger is a hardware device or software program that secretly records each keystroke on the user's keyboard at any time. Keyloggers save captured keystrokes to a file for reading later or transmit them to a place where the attacker can access them.
Rootkit: Rootkits are software programs aimed at gaining access to a computer without detection. They are malware that help attackers gain unauthorized access to a remote system and perform malicious activities. The goal of a rootkit is to gain root privileges on a system. By logging in as the root user of a system, an attacker can perform any task, such as installing software or deleting files.
Antivirus: Antivirus is software used to protect, detect, prevent, and remove malicious programs from systems and networks.

24
Q

In a Windows system, an attacker was found to have run the following command: type C:\SecretFile.txt >C:\LegitFile.txt:SecretFile.txt. What does the above command indicate?

A. Attacker has used Alternate Data Streams to rename SecretFile.txt file to LegitFile.txt
B. Attacker has used Alternate Data Streams to hide SecretFile.txt file into LegitFile.txt
C. Attacker was trying to view SecretFile.txt file hidden using an Alternate Data Stream
D. Attacker has used Alternate Data Streams to copy the content of SecretFile.txt file into LegitFile.txt

A

Answer: B. Attacker has used Alternate Data Streams to hide SecretFile.txt file into LegitFile.txt

25
Q

Which of the following countermeasures allows security experts to defend against rootkits?

A. Surf the Internet while logged into an administrator account.
B. Use configuration management and vulnerability-scanning tools to verify the effective deployment of updates.
C. Disable write protection on the motherboard to prevent BIOS from being infected by a rootkit.
D. Skip reading the instructions in the end-user license agreement (EULA) before installing software.

A

Answer: B. Use configuration management and vulnerability-scanning tools to verify the effective deployment of updates.

Explanation:
A few techniques adopted to defend against rootkits are as follows:

Use configuration management and vulnerability-scanning tools to verify the effective deployment of updates.
Employ traffic filtering software to detect and block malicious traffic entering the network.
Use next-generation antivirus programs having machine learning–based anomaly detection and behavioral heuristics capabilities.
Thoroughly read the instructions in the end-user license agreement (EULA) before installing any software.
Avoid surfing the Internet while logged into an administrator account.
Enforce write protection on the motherboard to prevent BIOS from being infected by a rootkit.

26
Q

A technique allows attackers to conduct persistence attacks if they identify a service with all the necessary permissions that is connected with a registry key, and when any authorized user attempts to log in, the service link associated with the registry runs automatically. Identify this technique.

A. Abusing Data Protection API (DPAPI)
B. Abusing boot or logon autostart executions
C. Abusing accessibility features
D. Abusing AdminSDHolder

A

Answer: B. Abusing boot or logon autostart executions

Explanation:

Abusing Data Protection API (DPAPI): DPAPI is a unified location in Windows environments where all the cryptographically secured files, passwords of browsers, and other critical data are stored. Windows domain controllers (DCs) contain a master key to decrypt DPAPI-protected files. Attackers often attempt to obtain this master key from the DC.
Abusing AdminSDHolder: AdminSDHolder is an object of AD that protects user accounts and groups having high privileges against accidental modifications of security permissions.
Abusing Boot or Logon Autostart Executions: Attackers can conduct persistence attacks or privilege escalation if they identify a service with all the necessary permissions that is connected with the registry key. When any authorized user attempts to log in, the service link associated with the registry runs automatically.
Abusing accessibility features: Attackers create persistence and escalate privileges by embedding and running malicious code within Windows accessibility features.

27
Q

Which of the following is a PowerShell toolset for building malicious WMI event subscriptions?

A. GFI LanGuard
B. Hashcat
C. PowerLurk
D. Immunity’s CANVAS

A

Answer: C. PowerLurk

Explanation:
Hashcat: Hashcat is a cracker compatible with multiple OSs and platforms and can perform multi-hash (MD4, MD5; SHA-224, SHA-256, SHA-384, SHA-512; RIPEMD-160; etc.), multi-device password cracking.
PowerLurk: PowerLurk is a PowerShell toolset for building malicious WMI event subscriptions. The goal of PowerLurk is to make WMI events easier to trigger during a penetration test or red-team engagement. Attackers use PowerLurk to create malicious WMI event subscriptions and execute arbitrary payloads on every Windows logon.
Immunity’s CANVAS: Immunity’s CANVAS provides penetration testers and security professionals with hundreds of exploits, an automated exploitation system, and a comprehensive, reliable exploit development framework.
GFI LanGuard: The GFI LanGuard patch management software scans the user’s network automatically as well as installs and manages security and non-security patches.

28
Q

Which of the following file-system commands allows attackers to discover SUID-executable binaries?

A. find / -perm -3000 -ls 2> /dev/null
B. keytool -list -v -keystore keystore.jks
C. chmod o-w file
D. find / -name “*.txt” -ls 2> /dev/null

A

Answer: A. find / -perm -3000 -ls 2> /dev/null

Explanation:

File-system commands are frequently used by attackers to discover sensitive files, directories, and permissions that can be exploited to gain unauthorized access. Below are some commonly used file-system commands:

find / -perm -3000 -ls 2> /dev/null: This command discovers SUID-executable binaries that have the setuid bit set, which can allow attackers to execute commands with elevated privileges.

find / -path /sys -prune -o -path /proc -prune -o -type f -perm -o=w -ls 2> /dev/null: This command discovers world-writable files that can be exploited to write malicious code or steal sensitive information.

chmod o-w file: This command disables write access to a file, which can help prevent attackers from modifying or deleting sensitive information.

find / -path /sys -prune -o -path /proc -prune -o -type d -perm -o=w -ls 2> /dev/null: This command discovers world-writable directories that can be exploited to store malicious files or gain access to sensitive data.

find / -name “*.txt” -ls 2> /dev/null: This command discovers .txt files on the system, which can provide attackers with sensitive information.

sudo -l: This command displays the list of permitted and forbidden commands for the current user, which can help attackers identify which commands they can run with elevated privileges.

openssl s_client -connect : -showcerts: This command displays all certificates’ details for a given hostname and port, which can help attackers identify vulnerable certificates and exploit them.

keytool -list -v -keystore keystore.jks: This command displays the contents of keystore files and alias names, which can provide attackers with sensitive information and potentially allow them to gain unauthorized access.

It’s essential to monitor system logs and implement security measures to protect against these types of file-system commands. Limiting access to sensitive information, implementing strong passwords, and using intrusion detection systems can also help prevent attackers from using these commands to gain unauthorized access.

29
Q

Identify the sysinternals command that allows an attacker to retrieve a remote system’s network information.

A. psexec -i -d -s c:\windows\regedit.exe
B. psexec -i \RemoteSystem ipconfig /all
C. psexec -i \RemoteSystem -c file.exe
D. psexec -i \RemoteSystem cmd

A

Answer: B. psexec -i \ ipconfig /all

Explanation:

Sysinternals is a suite of tools developed by Microsoft for Windows systems administration and troubleshooting. Below are some commonly used Sysinternals commands:

psexec -i \ cmd: This command establishes an interactive Command Prompt (CMD) with a remote system. This can be useful for remote administration and troubleshooting.

psexec -i \ -c file.exe: This command copies the file.exe from the local machine to a remote computer. This can be useful for deploying software or executing programs on remote systems.

psexec -i -d -s c:\windows\regedit.exe: This command retrieves the contents of security keys and SAM on the local system. This can be useful for troubleshooting and analyzing system security.

psexec -i \ ipconfig /all: This command displays a remote system’s network information, including IP addresses, subnet masks, and DNS servers.

Sysinternals commands can provide valuable information for system administrators, but they can also be used by attackers for reconnaissance and exploitation purposes. It’s important to limit access to Sysinternals tools and monitor their usage for any suspicious activity. Regular system updates, antivirus software, and intrusion detection systems can also help protect against malicious Sysinternals commands.

30
Q

Which of the following commands helps network administrators view details about a specific service?

A. netsh firewall show state
B. netsh firewall show config
C. sc queryex type=service state=all
D. sc queryex type=service state=all | find /i “Name of the service: myService”

A

Answer: D. sc queryex type=service state=all | find /i “Name of the service: myService”

Explanation:

Service commands are used to manage the services running on a Windows system. Below are some commonly used service commands:

sc queryex type=service state=all: This command lists all the available services on the Windows system. The output includes details like the display name, service name, current status, and process ID.

sc queryex type=service state=all | find /i “Name of the service: myService”: This command lists details about the specified service on the Windows system, including the service name, display name, and current status.

net start or stop: This command starts or stops a network service on the Windows system, depending on the specified service name.

netsh firewall show state: This command displays the current state of the Windows firewall.

netsh firewall show config: This command displays the settings for the Windows firewall, including the enabled state, allowed programs, and port exceptions.

netsh advfirewall set currentprofile state off: This command turns off the firewall service for the current profile on the Windows system.

netsh advfirewall set allprofiles state off: This command turns off the firewall service for all profiles on the Windows system.

Service commands can provide valuable information for system administrators, but they can also be used by attackers for reconnaissance and exploitation purposes. It’s important to monitor service usage and implement security measures to protect against malicious service commands. Regular system updates, antivirus software, and intrusion detection systems can also help protect against attacks that use service commands.

31
Q

Which of the following techniques is not a countermeasure to defend against spyware?

A. Always use the administrative mode
B. Be cautious of pop-up windows or web pages; never click anywhere on these windows
C. Adjust the browser security settings to medium or higher for the Internet zone
D. Avoid using any computer system that is not entirely under the user’s control

A

Answer: A. Always use the administrative mode

Explanation:
Some of the defensive techniques against Spyware are as follows:

Try to avoid using any computer system that is not entirely under your control
Adjust the browser security settings to medium or higher for the Internet zone
Be cautious about suspicious emails and sites
Enable the firewall to enhance the security level of the computer
Regularly update the software and use a firewall with outbound protection
Regularly check the task manager report and MS configuration manager report
Regularly update virus definition files and scan the system for spyware
Install and use anti-spyware software
Perform web surfing safely and download cautiously
Do not use administrative mode unless it is necessary
Keep your operating system up to date
Do not download free music files, screensavers, or smiley faces from the Internet
Beware of pop-up windows or web pages. Never click anywhere on these windows
Carefully read all disclosures, including the license agreement and privacy statement before installing any application

32
Q

Harry recently joined an organization and was assigned a system that was used by a previous employee. While working on the system, he observed that the system was behaving in a suspicious manner and raised a complaint. After investigation, the security team found software that allows an attacker to monitor everything users do on the computer.

Which of the following software did the attacker install on the target system?

A. Stream Armor
B. NetVizor
C. CCleaner
D. GFI LanGuard

A

Answer: B. NetVizor

Explanation:
NetVizor: NetVizor comes with an unparalleled activity-recording feature set that secretly records everything employees do on the network. Chats, keystrokes, emails, website and online search activity, application usage, file usage, uploads and downloads, software installations, and web traffic are only a sample of NetVizor's activity-recording capabilities.
Stream Armor: Stream Armor is a tool used to discover hidden ADSs and remove them completely from the system. Its advanced auto-analysis, coupled with an online threat-verification mechanism, helps eradicate any ADSs that may be present.
GFI LanGuard: GFI LanGuard scans for, detects, assesses, and rectifies security vulnerabilities in a network and its connected devices with minimal administrative effort. It scans operating systems, virtual environments, and installed applications against vulnerability-check databases.
CCleaner: CCleaner is a system optimization, privacy, and cleaning tool. It allows attackers to remove unused files and clear traces of Internet browsing from the target PC. With this tool, an attacker can very easily erase his/her tracks.

33
Q

Identify the technique used by attackers to execute malicious code remotely.

A. Sniffing network traffic
B. Install malicious programs
C. Rootkits and steganography
D. Modify or delete logs

A

Answer: B. Install malicious programs

Explanation:
Executing Applications: Once attackers have administrator privileges, they attempt to install malicious programs such as Trojans, backdoors, rootkits, and keyloggers, which grant them remote system access and thereby enable them to execute malicious code remotely. Installing rootkits allows them to gain access at the operating-system level to perform malicious activities. To maintain access for later use, they may install backdoors.
Hiding Files: Attackers use Rootkits and steganography techniques to attempt to hide the malicious files they install on the system, and thus their activities.
Covering Tracks: To remain undetected, it is important for attackers to erase all evidence of security compromise from the system. To achieve this, they might modify or delete logs in the system using certain log-wiping utilities, thus removing all evidence of their presence.
Gaining Access: In system hacking, the attacker first tries to gain access to a target system using information obtained and loopholes found in the system’s access control mechanism. Once attackers succeed in gaining access to the system, they are free to perform malicious activities such as stealing sensitive data, implementing a sniffer to capture network traffic, and infecting the system with malware. At this stage, attackers use techniques such as password cracking and social engineering tactics to gain access to the target system.

34
Q

Which type of rootkit is created by attackers by exploiting hardware features such as Intel VT and AMD-V?

A. Hypervisor level rootkit
B. Boot loader level rootkit
C. Kernel level rootkit
D. Hardware/firmware rootkit

A

Answer: A. Hypervisor level rootkit

Explanation:
Hypervisor Level Rootkit: Attackers create hypervisor-level rootkits by exploiting hardware virtualization features such as Intel VT and AMD-V. These rootkits run in Ring -1, host the operating system of the target machine as a virtual machine, and intercept all hardware calls made by the target operating system. This kind of rootkit works by modifying the system's boot sequence so that it is loaded instead of the original virtual machine monitor.
Hardware/Firmware Rootkit: Hardware/firmware rootkits use device or platform firmware to create a persistent malware image in hardware such as a hard drive, the system BIOS, or a network card. The rootkit hides in firmware because users do not inspect it for code integrity. A firmware rootkit therefore gives the rootkit malware a permanent foothold.
Kernel Level Rootkit: The kernel is the core of the operating system. Kernel-level rootkits run in Ring 0 with the highest operating-system privileges. They add backdoors to the computer and are created by writing additional code or by substituting portions of kernel code with modified code via device drivers in Windows or loadable kernel modules in Linux.
Boot Loader Level Rootkit: Boot-loader-level rootkits (bootkits) function either by replacing or by modifying the legitimate bootloader with another one. A bootkit can activate even before the operating system starts, so bootkits are serious security threats because they can help in stealing encryption keys and passwords.

35
Q

From the options given below, identify the nature of a library-level rootkit.

A. Operates inside the victim’s computer by replacing the standard application files
B. Uses devices or platform firmware to create a persistent malware image in hardware
C. Functions either by replacing or modifying the legitimate bootloader with another one
D. Works higher up in the OS and usually patches, hooks, or supplants system calls with backdoor versions

A

Answer: D. Works higher up in the OS and usually patches, hooks, or supplants system calls with backdoor versions

36
Q

Which of the following techniques refers to the art of hiding data “behind” other data without the target’s knowledge?

A. Enumeration
B. Footprinting
C. Steganography
D. Scanning

A

Answer: C. Steganography.

Explanation:
Scanning: Scanning is the process of gathering additional detailed information about the target by using highly complex and aggressive reconnaissance techniques. Network scanning refers to a set of procedures used for identifying hosts, ports, and services in a network. It is one of the most important phases of intelligence gathering for an attacker, enabling him/her to create a profile of the target organization.
Steganography: Steganography refers to the art of hiding data "behind" other data without the target's knowledge; thus, steganography hides the existence of the message. It replaces bits of unused data in ordinary files such as graphics, sound, text, audio, and video with other, surreptitious bits. The hidden data can be plaintext or ciphertext, or it can be an image.
Enumeration: Enumeration is the process of extracting user names, machine names, network resources, shares, and services from a system or network. In the enumeration phase, the attacker creates active connections with the system and performs directed queries to gain more information about the target. Attackers use the information collected through enumeration to identify vulnerabilities or weak points in the system's security, which helps them exploit the target system.
Footprinting: Footprinting, the first step in ethical hacking, refers to the process of collecting information about a target network and its environment. Using footprinting, you can find a number of opportunities to penetrate and assess the target organization's network.

37
Q

Which of the following steganography techniques allows the user to add white spaces and tabs at the end of the lines?

A. Folder steganography
B. Video steganography
C. Document steganography
D. Image steganography

A

Answer: C. Document steganography.

Explanation:
Image Steganography: Image steganography allows you to conceal your secret message within an image. You can take advantage of the redundant bit of the image to conceal your message within it. These redundant bits are those bits of the image that have very little effect on the image, if altered. Detection of this alteration is not easy. You can conceal your information within images of different formats (e.g., .PNG, .JPG, .BMP).
Document Steganography: As with image steganography, document steganography is the technique of hiding secret messages transferred in the form of documents. It includes the addition of white spaces and tabs at the end of lines. A stego-document is a cover document containing the hidden message. Steganography algorithms, referred to as the "stego system," are employed at the sender's end to hide the secret message in the cover medium. The recipient uses the same algorithm to extract the hidden message from the stego-document.
Folder Steganography: Folder steganography refers to hiding secret information in folders. Files are hidden and encrypted within a folder and are not seen by the normal Windows applications, including Windows Explorer.
Video Steganography: Video steganography refers to hiding secret information into a carrier video file. The information is hidden in video files of different formats such as .AVI, .MPG4, .WMV, etc. Discrete Cosine Transform (DCT) manipulation is used to add secret data at the time of the transformation process of the video.

38
Q

Which of the following is a process of taking control over critical assets such as domain controllers (DCs) on a target system and gaining access to other networked resources?

A. Steganography
B. Steganalysis
C. Domain dominance
D. Kernel exploits

A

Answer: C. Domain dominance.

Explanation:
Steganography: Steganography refers to the art of hiding data “behind” other data without the knowledge of the victim.
Kernel Exploits: Kernel exploits refer to programs that can exploit vulnerabilities present in the kernel to execute arbitrary commands or code with higher privileges.
Steganalysis: Steganalysis is the process of discovering the existence of hidden information in a medium. It is the reverse process of steganography.
Domain Dominance: Domain dominance is a process of taking control over critical assets such as domain controllers (DCs) on a target system and gaining access to other networked resources.

39
Q

Which of the following is a form of malware that attackers use to inject false credentials into domain controllers (DCs) to create a backdoor password?

A. Skeleton key
B. Spyware
C. Keylogger
D. NTFS data stream

A

Answer: A. Skeleton key.

Explanation:
NTFS Data Stream: NTFS is a filesystem that stores a file with the help of two data streams, called NTFS data streams, along with the file attributes.
Keylogger: Keyloggers are software programs or hardware devices that record the keys struck on the computer keyboard (also called keystroke logging) of an individual computer user or a network of computers.
Spyware: Spyware is stealthy computer monitoring software that allows you to secretly record all the user activities on a target computer. It automatically delivers logs to the remote attacker using the Internet (via email, FTP, command and control through encrypted traffic, HTTP, DNS, etc.).
Skeleton Key Attack: A skeleton key is a form of malware that attackers use to inject false credentials into domain controllers (DCs) to create a backdoor password. It is a memory-resident virus that enables an attacker to obtain a master password to validate themselves as a legitimate user in the domain.

40
Q

George, a professional hacker, compromised the target domain controller to maintain domain dominance. For this reason, he installed a memory-resident virus that injects false credentials into a DC to create a backdoor password. Using the virus, George obtained the master password to validate himself as a legitimate user in the domain.

Which of the following attacks did George perform in the above scenario?

A. Skeleton key attack
B. STP attack
C. Dumpster diving
D. Overpass-the-hash attack

A

Answer: A. Skeleton key attack.

Explanation:
Overpass-the-Hash Attack: The overpass-the-hash (OPtH) attack is an extension of pass-the-ticket and pass-the-hash attacks. It is a type of credential theft-and-reuse attack using which attackers perform malicious activities on compromised devices or environments.
Dumpster Diving: "Dumpster diving" is a key attack method that exploits significant failures in the target system's computer security.
STP Attack: In a Spanning Tree Protocol (STP) attack, attackers connect a rogue switch into the network to change the operation of the STP protocol and sniff all the network traffic. STP is used in LAN-switched networks with the primary function of removing potential loops within the network.
Skeleton Key Attack: A skeleton key is a form of malware that attackers use to inject false credentials into domain controllers (DCs) to create a backdoor password. It is a memory-resident virus that enables an attacker to obtain a master password to validate themselves as a legitimate user in the domain.

41
Q

Which of the following measures makes an organizational network vulnerable to persistence attacks?

A. Conduct security awareness campaigns/training on phishing attacks and password creation policies.
B. Regularly change KRBTGT’s password and reset the service twice.
C. Never restrict credential overlap within systems to maximize lateral movement.
D. Deploy a minimum privileges access model.

A

Answer: C. Never restrict credential overlap within systems to maximize lateral movement.

Explanation:
Discussed below are some of the countermeasures to defend against persistence attacks:

Conduct security awareness campaigns/training on phishing attacks, password creation policies, and other methods.
Deploy a minimum privileges access model, which assists in restricting user access and domain admin account access.
Regularly change KRBTGT’s password and reset the service twice.
Restrict the credential overlap within systems to limit lateral movement through privileged account management.
Use admin credentials only if data need to be shared among devices.

42
Q

Which of the following practices helps security professionals defend a network against persistence attacks?

A. Allow all the inbound traffic through Windows Firewall.
B. Restrict domain users within a local administrator group across multiple systems.
C. Never restrict credential overlap within systems to maximize lateral movement.
D. Never deploy the Kerberos validation tool for verifying the legitimacy of individual tickets.

A

Answer: B. Restrict domain users within a local administrator group across multiple systems.

Explanation:
The best practices to defend against persistence attacks are listed as follows:

Deploy the Kerberos validation tool for verifying the legitimacy of individual tickets provided by a valid KDC.
Restrict the credential overlap within systems to limit lateral movement through privileged account management.
Restrict domain users within a local administrator group across multiple systems.
Limit the inbound traffic through Windows Firewall.
Ensure that Kerberos follows the signing of the Privilege Attribute Certificate (PAC) and TGS with the key “krbtgt” by the key distribution center (KDC).