Module006SystemHacking Flashcards

Question 1

Q

Disctionary attack is applicable under two situations

Question 2

Q

Methods to improve the success of a dictionary attack

Question 3

Q

What is cryptanalysis

Answer

A

Cryptanalysis is a brute-force attack on an encryption employing a search of the keyspace.

Question 4

Q

What is Brute Force attack

Question 5

Q

What is Rule based attack

Answer

A

Attackers use this type of attack when they obtain some information about the password. This is a more powerful attack than the dictionary and brute-force attacks, because the cracker knows the password type. For example, if the attacker knows that the password contains a two-or three-digit number, he or she will use some specific techniques to extract the password quickly.

Question 6

Q

What is Hybrid attack ?

Answer

A

Brute force + dictionary

Question 7

Q

Syllable Attack

Answer

A

Hackers use this cracking technique when passwords are not known words. Attackers use the dictionary and other methods to crack them, as well as all possible combinations of them.
Combination of brute force and dictionary attack

Question 8

Q

Password Guessing

Answer

A

The attacker creates a list of all possible passwords from the information collected through social engineering or any other way and tries them manually on the victim’s machine to crack the passwords

Find a valid user
Create a list of possible passwords
Rank passwords from high probability to low
Key in each password, until correct password is discovered

Question 9

Q

Manual Password-Cracking Algorithm

Answer

A

FOR loop thing

Question 10

Q

Default Passwords

Answer

A

A default password is a password supplied by the manufacturer with new equipment (e.g. switches, hubs, routers) that is password protected
Attackers use default passwords present in the list of words or dictionary that they use to perform password guessing attack

Question 11

Q

Active Online Attack: Trojan/Spyware/Keylogger

Answer

A

Attacker installs Trojan/Spyware/Keylogger on victim’s machine to collect victim’s user names and passwords Trojan/Spyware/Keylogger runs in the background and sends back all user credentials to the attacker

Question 12

Q

What is Trojan

Answer

A

A Trojan is a program that masks itself as a benign application. The software initially appears to perform a desirable or benign function but instead steals information or harms the system. With a Trojan, attackers can gain remote access and perform various operations limited by user privileges on the target computer.

Question 13

Q

What is Spyware

Answer

A

Spyware is a type of malware that attackers install on a computer to secretly gather information about its users without their knowledge. Spyware hides itself from the user and can be difficult to detect.

Question 14

Q

What is keylogger

Answer

A

A keylogger is a program that records all user keystrokes without the user’s knowledge. Keyloggers ship the log of user keystrokes to an attacker machine or hide it in the victim’s machine for later retrieval. The attacker then scrutinizes them carefully for finding passwords or other useful information that could compromise the system.

Question 15

Q

Active Online Attack Using USB Drive

Answer

A

You need to download PassView, a password hacking tool.
Copy the downloaded .exe PassView file to the USB drive.
Create a Notepad document, and put the following content or code in the notepad: [autorun] en=launch.bat

After writing this content into Notepad, save the document as autorun.inf and copy this file to the USB drive.

Open Notepad, and write the following content: start pspv.exe/stext pspv.txt After that, save file as launch.bat and copy this file to the USB drive.
Insert the USB drive and the autorun window pop-up appears (if enabled).
PassView (or other password-hacking tool) runs in the background and stores the passwords in the .txt files on the USB drive.

Question 16

Q

Active Online Attack: Hash Injection Attack

Answer

A

This type of attack is possible when the target system uses a hash function as part of the authentication process to authenticate its users. Generally, the system stores hash values of the credentials in the SAM database/file on a Windows computer. In such cases, the server computes the hash value of the user-submitted credentials or allows user to input the hash value directly. The server then checks it against the stored hash value for authentication. Attackers take advantage of such authentication mechanisms and first exploit the target server to retrieve the hashes from the SAM databases. They then input the hashes acquired directly into the authentication mechanism to authenticate with stolen user’s pre-computed hashes. Thus, in a hash injection attack, the attackers inject a compromised hash into a local session and then use the hash to authenticate to the network resources.

Question 17

Q

LLMNR, NBT-NS

Answer

A

LLMNR (Link Local Multicast Name Resolution) and NBT-NS (NetBIOS Name Service)

Question 18

Q

Active Online Attack: LLMNR/NBT-NS Poisoning

Question 19

Q

LLMNR port

Question 20

Q

NBT-NS port

Question 21

Q

Steps in LLMNR/NBT-NS

Answer

A

User sends a request to connect to the data sharing system, \DataServer which she mistakenly typed as \DtaServr.
The \DataServer responds to the user saying that it does not know the host named \DtaServr.
The user then performs LLMNR/NBT-NS broadcast to find out if anyone in the network knows the host name\DtaServr.
The attacker replies to the user saying that it is \DataServer and accepts user NTLMv2 hash and responds to the user with an error.

Question 22

Q

LLMNR/NBT-NS Poisoning Tools

Answer

A

Responder.py

Question 23

Q

Passive Online Attack: Wire Sniffing

Question 24

Q

Passive Online Attacks: Man-in-the-Middle and Replay Attack

Answer

A

In a MITM attack, the attacker acquires access to the communication channels between victim and server to extract the information.

In a replay attack, packets and authentication tokens are captured using a sniffer. After the relevant info is extracted, the tokens are placed back on the network to gain access.

Relatively hard to perpetrate

Must be trusted by one or both sides

Can sometimes be broken by invalidating traffic

Question 25

Q

Why its not easy to implement mitm attacks

Answer

A

This type of attack is often used in telnet and wireless technologies. It is not easy to implement such attacks because of the TCP sequence numbers and the speed of the communication. This method is relatively hard to perpetrate and can sometimes be broken by invalidating the traffic.

Question 26

Q

Which attack is used to replay back transactions

Answer

A

Reply Attack.

Question 27

Q

What is a rainbow attack

Answer

A

A rainbow table attack uses the cryptanalytic time-memory trade-off technique, which requires less time than some other techniques. It uses already-calculated information stored in memory to crack the cryptography. In the rainbow table attack, the attacker creates a table of all the possible passwords and their respective hash values, known as a rainbow table, in advance.

Question 28

Q

What is contained in Rainbow table

Answer

A

Dictionary files brute force lists and their hashes

Question 29

Q

Rainbow attack is time consuming ?

Question 30

Q

Why rainbow attack can be successful

Answer

A

Due to thier smaller keyspace and shorter length

Question 31

Q

How rainbow attacks can be prevented

Answer

A

Keystreching and random salting

Question 32

Q

Tools to create Rainbow tables: rtgen and Winrtgen

Answer

A

rtgen The rtgen program needs several parameters to generate a rainbow table. Syntax for the command line is http://project-rainbowcrack.com

rtgen hash_algorithm charset plaintext_len_min plaintext_len_max table_index chain_len chain_num part_index

Winrtgen is a graphical rainbow table generator that supports LM, FastLM, NTLM, LMCHALL, HalfLMCHALL, NTLMCHALL, MSCACHE, MD2, MD4, MD5, SHA1, RIPEMD160, MySQL323, MySQLSHA1, CiscoPIX, ORACLE, SHA-2 (256), SHA-2 (384), and SHA-2 (512) hashes

http://www.oxid.it

Question 33

Q

What hashes Winrtgen supports

Answer

A

Winrtgen supports LM, FastLM, NTLM, LMCHALL, HalfLMCHALL, NTLMCHALL, MSCACHE, MD2, MD4, MD5, SHA1, RIPEMD160, MySQL323, MySQLSHA1, CiscoPIX, ORACLE, SHA-2 (256), SHA-2 (384), and SHA-2 (512) hashes.

Question 34

Q

What is Offline Attack: Distributed Network Attack

Answer

A

A Distributed Network Attack (DNA) is a technique used for recovering password-protected files that utilizes the unused processing power of machines across the network to decrypt passwords.

Question 35

Q

Features of Distributed Network Attack

Answer

A

Reads statistics and graphs easily
Adds user dictionaries to crack the password
Optimizes password attacks for specific languages
Modifies the user dictionaries
Comprises the stealth client installation functionality
Automatically updates client while updating the DNA server

Question 36

Q

Security Accounts Manager (SAM) Database

Answer

A

Windows uses the Security Accounts Manager (SAM) database or Active Directory Database to manage user accounts and passwords in the hashed format (one-way hash
The system implements SAM database as a registry file, and the Windows kernel obtains and keeps an exclusive file system lock on the SAM file.

Question 37

Q

NTLM

Answer

A

NTLM (NT LAN Manager) is a default authentication scheme that performs authentication using a challenge/response strategy. Because it does not rely on any official protocol specification, there is no guarantee that it works correctly in every situation. It has been on some Windows installations, where it worked successfully. NTLM authentication consists of two protocols: NTLM authentication protocol and LM authentication protocol. These protocols use different hash methodology to store users’ passwords in the SAM database.

Question 38

Q

does ntml use SAM datbase

Question 39

Q

two protocols used in ntlm

Question 40

Q

Kerberos Authentication

Answer

A

secret-key cryptography
mutual authentication
KDC trusted 3rd party => AS, TGS
Stronger for client server authentication than NTLM

Question 41

Q

If you have to protect against reply attacks and eves dropping which authentication protocol will you use ?

Question 42

Q

How Hash Passwords Are Stored in Windows SAM?

Question 43

Q

NTLM LM hashes in various versions of windows

Answer

A

NTLM supersedes the LM hash, which is susceptible to cracking. New versions of Windows still support LM hashes for backward compatibility; however, Vista and later Windows versions disable LM hash by default.

Question 44

Q

when is it not possible to capture LM hashes ?

Answer

A

It is not possible to calculate LM hashes for passwords exceeding 14 characters in length.

Question 45

Q

NTLM 3 methods of challenge-response

Answer

A

LM, NTLMv1, NTLMv2
In NTLM authentication, the client and server negotiate an authentication protocol. This is accomplished through the Microsoft negotiated Security Support Provider (SSP).

Question 46

Q

SSP

Question 47

Q

NTLM diagram

Question 48

Q

“nonce”

Question 49

Q

Kerberos Authentication Diagram

Question 50

Q

Autherization in Kerberos

Answer

A

The authorization mechanism of Kerberos provides the user with a Ticket Granting Ticket (TGT) that serves post-authentication for later access to specific services, Single Sign-On by which the user need not re-enter the password again for accessing any authorized services.
It is important to note that there is no direct communication between the application servers and Key Distribution Center (KDC); the service tickets, even if packed by TGS, reach the service only through the client willing to access them.

Question 51

Q

What is password salting

Answer

A

Password salting is a technique where random string of characters are added to the password before calculating their hashes
Advantage: Salting makes it more difficult to reverse the hashes and defeat pre-computed hash attacks

Question 52

Q

Are Windows password hashes are salted ???

Answer

A

Windows password hashes are not salted

Question 53

Q

More about salting

Answer

A

In cryptography, a “salt” consists of random data bits used as an input to a one-way function, the other being a password. Instead of passwords, the output of the one-way function can be stored and used to authenticate users. A salt combines with a password by a key derivation function to generate a key for use with a cipher or other cryptographic algorithm. This technique generates different hashes for the same password. This makes cracking the passwords difficult.

Question 54

Q

Tools to exract password hashes

Answer

A

pwdump7 extracts LM and NTLM password hashes of local user accounts from the Security Account Manager (SAM) database
gdump works like pwdump but also extracts cached credentials and allows remote network execution fgdump.exe -h 192.168.0.10 -u AnAdministrativeUser -p l4mep4ssw0rd Dumps a remote machine (192.168.0.10) using a specified user

Question 55

Q

Which types of password hashes and from where pwdump7 gets them

Question 56

Q

which password hash extraction tool extracts cached credentials and allows remote network execution ?

Question 57

Q

Password Cracking Tools: L0phtCrack, ophcrack, Rainbowcrack

Answer

A

Password cracking tools allow you to reset unknown or lost Windows local administrator, domain administrator, and other user account passwords.
L0phtCrack : L0phtCrack is a password auditing and recovery application packed with features such as scheduling, hash extraction from 64-bit Windows versions, and networks monitoring and decoding
ophcrack : ophcrack is a Windows password cracker based on rainbow tables. It comes with a Graphical User Interface and runs on multiple platforms
RainbowCrack : RainbowCrack cracks hashes with rainbow tables. It uses time-memory tradeoff algorithm to crack hashes.

Question 58

Q

Other password cracking tools

Answer

A

Cain & Abel (http://www.oxid.it)

 Windows Password Recovery Tool (https://www.windowspasswordsrecovery.com)

 Windows Password Key (https://www.lostwindowspassword.com)

 hashcat (https://hashcat.net)

 Passware Kit Forensic (https://www.passware.com)

 John the Ripper (http://www.openwall.com)

 THC-Hydra (https://github.com)

 InsidePro (http://www.insidepro.com)

 HashKiller.co.uk (https://hashkiller.co.uk)

 LSASecretsView (http://www.nirsoft.net)

 Password Cracker (http://www.amlpages.com)

 Windows Password Recovery (https://www.passcape.com)

 Password Recovery Bundle (https://www.top-password.com)

 JRecoverer Database Bundle(http://www.lcpsoft.com)

 Hash Suite (http://hashsuite.openwall.net)

 Medusa (http://foofus.net)

 Password Unlocker Bundle (https://www.passwordunlocker.com)

 Offline NT Password & Registry Editor (https://pogostick.net)

Question 59

Q

How to defend against Password Cracking

Answer

A

Enable information security audit to monitor and track password attacks
Do not use the same password during password change
Do not share passwords
Do not use passwords that can be found in a dictionary
Do not use clear text protocols and protocols with weak encryption
Set password change policy to 30 days
Avoid storing passwords in an unsecured location
Do not use any systems default passwords
Make password guess hard by using 8 to 12 alpha numerical characters in combination of uppercase lowercase letters numbers and symbols
Ensure that applications neither store passwords to memory nor write them to disk in their text
Use random string salt as prefix or suffix in password before encrypting
Use SYSKEY with strong password to encrypt and protect SAM database
Never use passwords such as birth of date spouse of child’s or pets name
Monitor server logs for brute force attack on user accounts
Lockout an account subject to do many incorrect password guesses

Question 60

Q

How to Defend against LLMNR/NBT-NS Poisoning

Answer

A

Add image

Question 61

Q

DYLD_INSERT_LIBRARIES

Answer

A

OS X similar to windows is vulnerable to dynamic library attacks. OS X provides several legitimate methods such as setting the DYLD_INSERT_LIBRARIES environment variable, which are user specific. These methods force the loader to load malicious libraries automatically into a target running process. OS X allows loading of weak dylibs (dynamic library) dynamically, which allows an attacker to place a malicious dylib in the specified location. In many cases, the loader searches for dynamic libraries in multiple paths. This helps an attacker to inject a malicious dylib in one of the primary directories and simply load the malicious dylib at runtime. Attackers can take advantage of such methods to perform various malicious activities such as stealthy persistence, run-time process injection, bypassing security software, bypassing Gatekeeper, etc.

Question 62

Q

Privilege escalation

Question 63

Q

Privilege escalation using DLL hijacking

Question 64

Q

Privilege escalation by exploiting vulnerabilities

Answer 44

A

For example, Windows Administrators have to log on as a normal user and need to run their tools with admin privileges using token manipulation command “runas”. Attackers can take advantage of this to access tokens of other users or generate spoofed tokens to escalate privileges and perform malicious activities by evading detection.

Answer 45

A

%WINDIR%\AppPatch\sysmain.sdb hklm\software\microsoft\windows nt\currentversion\appcompatflags\installedsdb

Answer 46

A

UAC(RedirectEXE), inject malicious DLLs(InjectDLL), capture memory addresses (GetProcAddress)
Disabling windows defender, privilage escalation, installing backdoors

Answer 47

A

File System Permission Weakness

Answer 48

A

Restrict the interactive logon privileges
Use encryption technique to protect sensitive data
Run users and applications on the least privileges
Reduce the amount of code that runs with particular privilege
Implement multi-factor authentication and authorization
Perform debugging using bounds checkers and stress tests
Run services as unprivileged accounts
Test operating system and application coding errors and bugs thoroughly
Implement a privilege separation methodology to limit the scope of programming errors and bugs
Patch and update the kernel regularly
Change UAC settings to “Always Notify”, so that it increases the visibility of the user when UAC elevation is requested
Restrict users from writing files to the search paths for applications
Continuously monitor file system permissions using auditing tools
Reduce the privileges of user accounts and groups so that only legitimate administrators can make service changes
Use whitelisting tools to identify and block malicious software that changes file, directory, and service permissions
Use fully qualified paths in all the Windows applications
Ensure that all executables are placed in write-protected directories
In MAC operating systems, prevent plist files from being altered by users making them read-only
Block unwanted system utilities or software that may be used to schedule tasks
Patch and update the web servers regularly
Disable the default local administrator account

Answer 49

A

Once attackers gain higher privileges on the target system by trying various privilege escalation attempts, they may attempt to execute a malicious application by exploiting a vulnerability to execute arbitrary code.

Attackers execute malicious applications in this stage. This is called “owning” the system
Attacker executes malicious programs remotely in the victim’s machine to gather information that leads to exploitation or loss of privacy, gain unauthorized access to system resources, crack the password, capture the screenshots, install backdoor to maintain easy access, etc.

Answer 50

A

steal personal information
gain unauthorized access to system resources
crack passwords
capture screenshots
install a backdoor for maintaining easy access, and so on.

Answer 51

A

Backdoors-Program designed to deny or disrupt operation, gather information that leads to exploitation or loss of privacy, gain unauthorized access to system resources.
Crackers-Piece of software or program designed for cracking a code or passwords.
Keyloggers-This can be hardware or a software type. In either case, the objective is to record each keystroke made on the computer keyboard.
Spyware-Spy software may capture the screenshots and send them to a specified location defined by the hacker. To this purpose, attackers have to maintain access to victims’ computers. After deriving all the requisite information from the victim’s computer, the attacker installs several backdoors to maintain easy access to it in the future.

Answer 52

A

Its a tool for executing applications

RemoteExec remotely installs applications, executes programs/scripts, and updates files and folders on Windows systems throughout the network.

It allows an attacker to modify the registry, change local admin passwords, disable local accounts, and copy/ update/delete files and folders.

Answer 53

A

 PDQ Deploy (https://www.pdq.com)
 Dameware Remote Support (https://www.dameware.com)
 ManageEngine Desktop Central (https://www.manageengine.com)
 PsExec (https://docs.microsoft.com)
 TheFatRat (https://github.com)

Answer 54

A

Remote MSI package Installation: RemoteExec can remotely deploy applications developed using .msi format to a number of Windows systems by specifying the path of .msi file that the attacker wants to deploy, and then choosing the action (install/uninstall/repair/update) to perform.

Remote Execution: RemoteExec allows remote execution of programs (.exe, .bat, .cmd), scripts (.vbs, .js) and files associated to executables (.txt, .doc, .wav, .reg, .inf, .msi, etc.).

Registry Modification: RemoteExec allows the remote modification of the registry on all Windows systems throughout the network, or of a specific subset of computers. You just have to indicate the path to the .reg, select the target systems and launch with a click.

File Operations: RemoteExec allows copying, updating, or deleting files and folders on Windows systems throughout the network.

Password and Local Account Management: RemoteExec allows remotely changing the Local Administrator Password and disabling all other local accounts to reinforce security.

Interaction with Remote Systems: RemoteExec enables you to remotely power off, reboot or shutdown systems, wake up computers equipped with Wake-On-LAN technology, and lock or close user sessions.

Answer 55

A

Softwre cannot detect it. not OS dependent

Answer 56

A

KeyGrabber
KeyCarbon (http://www.keycarbon.com)
Keyllama Keylogger (https://Keyllama.com)
Keyboard logger (https://www.detective-store.com)
KeyGhost (http://www.keyghost.com)
KeyCobra (http://www.keycobra.com)
KEYKatcher (https://keykatcher.com)

Answer 57

A

 Spyrix Personal Monitor (http://www.spyrix.com)
 SoftActivity Activity Monitor (https://www.softactivity.com)
 Elite Keylogger (https://www.elitekeyloggers.com)
 Keylogger Spy Monitor (http://ematrixsoft.com)
 Micro Keylogger (https://www.microkeylogger.com)
 REFOG Personal Monitor (https://www.refog.com)
 Revealer Keylogger (https://www.logixoft.com)
 Realtime-Spy (http://www.realtime-spy.com)
 StaffCop Standard (https://www.staffcop.com)
 Ardamax Keylogger (https://www.ardamax.com)
 Ultimate Keylogger (http://www.ultimatekeylogger.com)
 Powered Keylogger (http://www.mykeylogger.com)
 Actual Keylogger (http://www.actualkeylogger.com)
 Spytector (https://www.spytector.com)
 Spy Keylogger (http://www.spy-key-logger.com)
 KidLogger (https://kidlogger.net)
 Advanced Keylogger (http://www.mykeylogger.com)
 KeyProwler (https://keyprowler.com)  Keylogger (https://github.com)

Answer 58

A

Capture all keystrokes (keystrokes logger)
Record instant messages
Monitor application usage
Capture desktop activity and take screenshots
Quick search over the log
Send reports via email, FTP, network
Record microphone sounds
Generate and send HTML reports
Disable anti keyloggers and unwanted software
Filter monitored user accounts
Block unwanted URLs
Stop logging when the computer is idle

Answer 59

A

o Logs typed passwords o Logs keystrokes and chat conversations o Records websites and takes screenshots o Logs the Mac’s IP address o Automatically runs at startup stealthily o Enables you to apply settings to all users with one click

Answer 60

A

 Elite Keylogger (https://www.elite-keylogger.net)
 Aobo Mac OS X KeyLogger (https://www.keylogger-mac.com)
 KidLogger for MAC (http://kidlogger.net)
 Perfect Keylogger for Mac (http://www.blazingtools.com)
 MAC Log Manager (http://www.keylogger.in)
 Award Keylogger for Mac (http://www.award-soft.com)
 Aobo Keylogger for Mac (https://aobo.cc)
 REFOG Keylogger for MAC (https://www.refog.com)
 FreeMacKeylogger (http://www.hwsuite.com)
 Spyrix Keylogger For Mac OS (http://www.spyrix.com)
 SniperSpy Mac (http://www.sniperspymac.com)
 Net Nanny for Mac (https://www.netnanny.com)
 Keyboard Spy Logger (http://alphaomega.software.free.fr)
 Keylogger (https://github.com)

Answer 61

A

Spyware is a stealthy program that records user’s interaction with the computer and Internet without the user’s knowledge and sends them to the remote attackers
Spyware hides its process, files, and other objects in order to avoid detection and removal
It is similar to Trojan horse, which is usually bundled as a hidden component of freeware programs that can be available on the Internet for download
It allows attacker to gather information about a victim or organization such as email addresses, user logins, passwords, credit card numbers, banking credentials, etc.

Answer 62

A

Drive-by download
Masquerading as anti-spyware
Web browser vulnerability exploits
Piggybacked software installation
Browser add-ons
Cookies

Answer 63

A

Steals users’ personal information and sends it to a remote server or hijacker
Monitors users’ online activity
Displays annoying pop-ups
Redirects a web browser to advertising sites
Changes the browser’s default setting and prevents the user from restoring
Adds several bookmarks to the browser’s favorites list
Decreases overall system security level
Reduces system performance and causes software instability
Connects to remote pornography sites
Places desktop shortcuts to malicious spyware sites
Steals your passwords
Sends you targeted email
Changes the home page and prevents the user from restoring
Modifies the dynamically linked libraries (DLLs) and slows down the browser
Changes firewall settings
Monitors and reports websites you visit

Answer 64

A

Types of Spyware

Desktop
Email
Internet
Child-Monitoring
Screen Capturing
USB
Audio
Video
Print
Telephone Cellphone
GPS

Answer 65

A

Spytech SpyAgent allows you to monitor everything users do on your computer

Answer 66

A

Power Spy secretly monitors and records all activities on your computer

Answer 67

A

Anti-keyloggers, also called anti-keystroke loggers, detect and disable keystroke logger software. Anti-keylogger’s special design helps them to detect software keyloggers. Many large organizations, financial institutions, online gaming industries, as well as individuals use anti-keyloggers for protecting their privacy while using systems. This software prevents a keylogger from logging every keystroke typed by the victim and thus keeps all personal information safe and secure. An anti-keylogger scans a computer, detects, and removes keystroke logger software. If the software (anti-keylogger) finds any keystroke logging program on your computer, it immediately identifies and removes the keylogger, whether it is legitimate keystroke logging program or an illegitimate keystroke logging program.

Answer 68

A

It keeps track of who is doing what on your PC. It monitors your PC against the bad guys and prevents any kind of attempts to record or steal your private data and blocks any kind of suspicious activit
 GuardedID (https://www.strikeforcecpg.com)  KeyScrambler (https://www.qfxsoftware.com)  SpyShelter Free Anti-Keylogger (https://www.spyshelter.com)  DefenseWall HIPS (http://www.softsphere.com)  Elite Anti Keylogger (http://www.elite-antikeylogger.com)

Answer 69

A

Identify potentially unwanted programs and securely removes them
Detect and remove Spyware, Adware, Malware, Trojans, Dialers, Worms, Keyloggers, Hijackers, Parasites, Rootkits, Rogue security products, and many other types of threats
Other tools
1. Kaspersky Internet Security 2018 (https://www.kaspersky.com)
2. SecureAnywhere Internet Security Complete (https://www.webroot.com)
3. adaware antivirus free (https://www.adaware.com)
4. MacScan (https://www.securemac.com)
5. Norton AntiVirus Basic (https://in.norton.com)
6. Spybot – Search & Destroy (https://www.safer-networking.org)
7. SpyHunter (https://www.enigmasoftware.com)
8. Malwarebytes for Windows (https://www.malwarebytes.com)
9. Zemana Anitmalware (https://www.zemana.com)
10. Hitman Pro (https://www.hitmanpro.com)
11. Emsisoft Antimalware (https://www.emsisoft.com)
12. Digital Care AntiVirus (http://www.paretologic.com)
13. Spyware Terminator 2015 (http://www.pcrx.com)

Answer 70

A

Rootkits are programs that hide their presence as well as attacker’s malicious activities, granting them full access to the server or host at that time and also in future

Rootkits replace certain operating system calls and utilities with its own modified versions of those routines that in turn undermine the security of the target system causing malicious functions to be executed

A typical rootkit comprises of backdoor programs, DDoS programs, packet sniffers, log-wiping utilities, IRC bots, etc.

Answer 71

A

backdoor programs, DDoS programs, packet sniffers, log-wiping utilities, IRC bots, etc.

Answer 72

A

Scanning for vulnerable computers and servers on the web

Wrapping it in a special package like games

Installing it on the public computers or corporate computers through social engineering

Launching zero day attack (privilege escalation, buffer overflow, Windows kernel exploitation, etc.)

Answer 73

A

To root the host system and gain remote backdoor access
To mask attacker tracks and presence of malicious applications or processes
To gather sensitive data, network traffic, etc. from the system to which attackers might be restricted or possess no access
To store other malicious programs on the system and act as a server resource for bot updates

Answer 74

A

All files contain a set of attributes. There are different fields in the file attributes. The first field determines the format of the file, if it is a hidden, archive, or read-only file. The other field describes the time of the file creation, access, as well as its original length. The functions GetFileAttributesEx() and GetFileInformationByHandle() are used for these purposes. ATTRIB.exe displays or changes the file attributes. An attacker can hide, or even change the attributes of a victim’s files, so that the attacker can access them.

Answer 75

A

Hypervisor Level Rootkit: Acts as a hypervisor and modifies the boot sequence of the computer system to load the host operating system as a virtual machine. rootkits by exploiting hardware features such as Intel VT and AMD-V. These rootkits runs in Ring-1

Hardware/Firmware Rootkit: Hides in hardware devices or platform firmware which is not inspected for code integrity

Kernel Level Rootkit: Adds malicious code or replaces original OS kernel and device driver codes

Boot Loader Level Rootkit: Replaces the original boot loader with one controlled by a remote attacker

Application Level Rootkit: Replaces regular application binaries with fake Trojan or modifies the behavior of existing applications by injecting malicious code

Library Level Rootkits: Replaces original system calls with fake ones to hide information about the attacker

Answer 76

A

System hooking is a process of changing and replacing the original function pointer with the pointer provided by the rootkit in stealth mode. Inline function hooking is a technique where a rootkit changes some of the bytes of a function inside the core system DLLs (kernel32.dll and ntdll. dll), placing an instruction so that any process calls hit the rootkit first.

Direct Kernel Object Manipulation (DKOM) rootkits are able to locate and manipulate the “system” process in kernel memory structures and patch it. This can also hide processes and ports, change privileges, and misguide the Windows event viewer without any problem by manipulating the list of active processes of the operating system, altering data inside the PROCESS IDENTIFIERS structures. It has an ability to obtain read/write access to the \Device\Physical Memory object. It hide a process by unlinking it from the process list.

Answer 77

A

Horse Pill

Horse Pill is Linux kernel rootkit that resides inside the “initrd” using which it infects the system and deceives the system owner with the use of container primitives
It has three important parts; klibc-horsepill.patch, horsepill_setopt, and horsepill_infect
Horse Pill is a PoC of a ramdisk based containerizing root kit. It resides inside the initrd, and prior to the actual init running, it puts it into a mount and pid namespace that allows it to run covert processes and covert storage.
This also allows it run covert networking systems, such as dns tunnels.

GrayFish

GrayFish is a Windows kernel rootkit that runs inside the Windows operating system and provides an effective mechanism, hidden storage, and malicious command execution while remaining invisible
It injects its malicious code into the boot record which handles the launching of Windows at each step

Sirefef

Sirefef Rootkit or ZeroAccess gives attackers full access to your systemwhile using stealth techniques in order to hide its presence from the affected device It hides itself by altering the internal processes of an operating system so that your antivirus and anti-spyware can’t detect it
It hides itself by altering the internal processes of an operating system so that your antivirus and anti-spyware can’t detect it

Necurs

Necurs contains backdoor functionality, allowing remote access and control of the infected computer
It monitors and filters network activity and has been observed to send spam and install rogue security software

Answer 78

A

ZwOpenProcess, PsLookupProcessByProcessId, KeStackAttachProcess.

Answer 79

A

MmSecureVirtualMemory.

Answer 80

A

WingBird Rootkit
Avatar
Azazel
ZeroAccess
Alureon

Answer 81

A

Integrity based detection: it compares a snapshot of the file system, boot records or memory with a non-trusted baseline

Signature based detection: This technique compares characteristics of all system processes and executable files with a database of known rootkit fingerprints.

Heuristic behaviour based detection: Any deviations in the system’s normal activity or behavior may indicate the presence of rootkit

Runtime execution path profiling: This technique compares runtime execution paths of all system processes and executable files before and after the rootkit infection

Cross view based detect: Enumerates key elements in the computer system such as system files, processes, and registry keys and compares them to an algorithm used to generate a similar data set that does not rely on the common APIs. Any discrepancies between these two data sets indicate the presence of rootkit

Answer 82

A

Execution path hooking deviant

Answer 83

A

This detection technique relies upon the fact that the API hooking or manipulation of kernel data structure taints the data returned by the operating system APIs, with the low-level mechanisms used to output the same information free from DKOM or hook manipulation.

Answer 84

A

Run “dir /s /b /ah” and “dir /s /b /a-h” inside the potentially infected OS and save the results.
Boot into a clean CD, run “dir /s /b /ah” and “dir /s /b /a-h” on the same drive and save the results
Run a clean version of WinDiff on the two sets of results to detect file-hiding ghostware (i.e., invisible inside, but visible from outside)

Answer 85

A

Run regedit.exe from inside the potentially infected operating system.
Export HKEY_LOCAL_MACHINE\SOFTWARE and HKEY_LOCAL_MACHINE\SYSTEM hives in text file format.
Boot into a clean CD (such as WinPE).
Run regedit.exe.
Create a new key such as HKEY_LOCAL_MACHINE\Temp.
Load the Registry hives named Software and System from the suspect operating system. The default location will be c:\windows\system32\config\software and c:\windows\system32\config\system.
Export these Registry hives in text file format. (The Registry hives are stored in binary format and Steps 6 and 7 convert the files to text.)
Launch WinDiff from the CD, and compare the two sets of results to detect file-hiding malware (i.e., invisible inside, but visible from outside).

Answer 86

A

Does not detect stealth software that hides in BIOS, video card EEPROM, bad disk sectors, Alternate Data Streams, and so on

Answer 87

A

A common feature of these rootkits is that the attacker requires administrator access to the target system. The initial attack that leads to this access is often noisy. Monitor the excess network traffic that arises in the face of a new exploit. It goes without saying that log analysis is a part and parcel of risk management. The attacker may have shell scripts or tools that can help him or her cover his or her tracks, but surely there will be other telltale signs that can lead to proactive countermeasures, not just reactive ones.

A reactive countermeasure is to back up all critical data excluding the binaries, and go for a fresh clean installation from a trusted source. One can do code check summing as a good defense against tools like rootkits. MD5sum.exe can fingerprint files and note integrity violations when changes occur. To defend against rootkits, use integrity checking programs for critical system files.

Answer 88

A

McAfee Stinger is a standalone utility used to detect and remove specific viruses. It helps administrators and users when dealing with an infected system. Stinger performs rootkit scanning, and scan performance optimizations. It detects and removes threats identified under the “Threat List” option under advanced menu options in the Stinger application.

Others

Avast Free Antivirus (https://www.avast.com)
TDSSKiller (https://usa.kaspersky.com)
Malwarebytes Anti-Rootkit (https://www.malwarebytes.com)
Rootkit Buster (http://www.trendmicro.co.in)
UnHackMe (http://www.greatis.com)
Virus Removal Tool (https://www.sophos.com)
F-Secure Anti-Virus (https://www.f-secure.com)
Avira Free Antivirus (https://www.avira.com)
SanityCheck (http://www.resplendence.com)
Webroot (https://www.webroot.com)  GMER (http://www.gmer.net)

Answer 89

A

NTFS Alternate Data Stream (ADS) is a Windows hidden stream which contains metadata for the file such as attributes, word count, author name and access, and modification time of the files
ADS is the ability to fork data into existing files without changing or altering their functionality, size, or display to file browsing utilities
ADS allows an attacker to inject malicious code in files on an accessible system and execute them without being detected by the user
Alternate Data Stream (ADS) is any kind of data attached to a file, but not in the file on an NTFS system. The Master File Table of the partition will contain a list of all the data streams that a file contains, and where their physical location on the disk is. Therefore, alternate data streams are not present in the file, but attached to it through the file table. NTFS Alternate Data Stream (ADS) is a Windows hidden stream that contains metadata for the file such as attributes, word count, author name, and access and modification time of the files.
Files with ADS are impossible to detect using native file browsing techniques like the command line or Windows Explorer. After attaching an ADS file to the original file, the size of the file will show as the original size of the file regardless of the size of the ADS added file. The only indication that the file was changed is the modification timestamp, which can be relatively innocuous.

Answer 90

A

Launch c:\>notepad myfile.txt:lion.txt and click ‘Yes’ to create the new file, enter some data and Save the file
Launch c:\>notepad myfile.txt:tiger.txt and click ‘Yes’ to create the new file, enter some data and Save the file
View the file size of myfile.txt (It should be zero)
To view or modify the stream data hidden in step 1 and 2, use the following commands respectively: notepad myfile.txt:lion.txt notepad myfile.txt:tiger.txt

Answer 91

A

Hiding Trojan.exe (malicious program) into Readme.txt (stream): Use the following command to move the contents of Trojan.exe to Readme.txt (stream): c:\>type c:\Trojan.exe >c:\Readme.txt:Trojan.exe The “type” command hides file in an Alternate Data Streams (ADS) behind an existing file. The colon (:) operator tells the command to create or use an ADS.
Creating a link to the Trojan.exe stream inside the Readme.txt file: After hiding the file Trojan.exe behind the Readme.txt file, you need to create a link to launch the Trojan.exe file from the stream. This creates a shortcut for Trojan.exe in the stream. C:\>mklink backdoor.exe Readme.txt:Trojan.exe
Executing the Trojan: Type C:\>backdoor to run the Trojan that you have hidden behind Readme.txt. Here, the backdoor is the shortcut created in the previous step, which on execution installs the Trojan.

Answer 92

A

To delete hidden NTFS streams, move the suspected files to FAT partition
Use third-party file integrity checker such as Tripwire File Integrity Monitor to maintain integrity of NTFS partition files against unauthorized ADS
Use third-party utilities such as EventSentry or adslist.exe to show and manipulate hidden streams
Avoid writing important or critical data to alternate data streams
Use up-to-date antivirus software on your system.
Enable real-time antivirus scanning to protect against execution of malicious streams
Use file-monitoring software such as Stream Detector (http://www.novirusthanks.org) and ADS Detector (https://sourceforge.net/projects/adsdetector/?source=directory)to help detect creation of additional or new data streams.

Answer 93

A

Stream Armor Stream Armor discovers hidden Alternate Data Streams (ADS) and cleans them completely from the system

Others

Stream Detector (http://www.novirusthanks.org)
Forensic Toolkit (https://www.mcafee.com)
ADS Manager (https://dmitrybrant.com)
ADS Scanner (https://www.pointstone.com)
ADS Spy (http://www.merijn.nu)
Streams (https://docs.microsoft.com)
AlternateStreamView (http://www.nirsoft.net)
ADS Detector (https://sourceforge.net)
GMER (http://www.gmer.net)
NTFS-Streams: ADS manipulation tool (https://sourceforge.net)

Answer 94

A

snow [-CQS] [-p passwd] [-l line-len] [-f file | -m message] [infile [ outfile]]

Answer 95

A

OpenStego

OpenStego is a steganography application that provides following functions. o Data Hiding: It can hide any data within a cover file (e.g. images) o Watermarking: Watermarking files (e.g. images) with an invisible signature. It can be used to detect unauthorized file copying.

Others

 QuickStego (http://quickcrypto.com)
 CryptaPix (https://www.briggsoft.com)
 Hide In Picture (https://sourceforge.net)
 gifshuffle (http://www.darkside.com.au)
 PHP-Class Stream Steganography (https://www.phpclasses.org)
 Steganography Studio (http://stegstudio.sourceforge.net)
 OpenPuff (http://embeddedsw.net)
 Virtual Steganographic Laboratory (VSL) (http://vsl.sourceforge.net)
 Red JPEG XT (http://www.totalcmd.net)
 ImageHide (http://www.dancemammal.com)

Answer 96

A

StegoStick

 StegJ (http://stegj.sourceforge.net)  Office XML (https://www.irongeek.com)  SNOW (http://www.darkside.com.au)  Data Stash (http://www.skyjuicesoftware.com)  Hydan (http://www.crazyboy.com)  Texto (http://www.eberl.net)

Answer 97

A

OmniHide Pro

 RT Steganography (https://rtstegvideo.sourceforge.net)  StegoStick (https://sourceforge.net)  OpenPuff (http://embeddedsw.net)  MSU StegoVideo (http://www.compression.ru)

Answer 98

A

GiliSoft File Lock Pro

Folder Lock (http://www.newsoftwares.net)
Hide Folders 5 (https://fspro.net)
WinMend Folder Hidden (http://www.winmend.com)
Invisible Secrets 4 (http://www.invisiblesecrets.com)
Max Folder Secure (http://maxpcsecure.com)
QuickCrypto (http://www.quickcrypto.com)
Universal Shield (http://www.everstrike.com)

Answer 99

A

*Steganography Master**
*Stegais**

SPY PIX (https://www.juicybitssoftware.com)
Pixelknot: Hidden Messages (https://guardianproject.info)
Pocket Stego (http://www.talixa.com)
Steganography Image (https://play.google.com)
StegoSec (http://csocks.altervista.org)
StegDroid Alpha (https://play.google.com)
Da Vinci Secret Image (https://play.google.com)
Steg-O-Matic (https://itunes.apple.com)
Secret Tidings (https://play.google.com)
Steganography (https://github.com)
Steganography Application (https://play.google.com)

Answer 100

A

detection distortion

Answer 101

A

Stego-only
Known-stego
Known-message
Known-cover
Chosen-message
Chosen-stego

Answer 102

A

Gargoyle InvestigatorTM Forensic Pro

Answer 103

A

Once intruders have successfully gained administrator access on a system, they will try to cover the tracks to avoid their detection

Attacker uses the following techniques to cover tracks on the target system

Disable Auditing: Disables auditing features of the target system

Clearing Logs: Clear/delete the system log entries corresponding to his/her activities

Manipulating Logs: Manipulates logs in such a way that he/she will not be caught in legal actions

In detials

Attackers may not wish to delete an entire log to cover their tracks, as doing so may require admin privileges. If attackers are able to delete only attack event logs, they will still be able to escape detection.

Answer 104

A

SECEVENT.EVT (security): failed logins, accessing files without privileges , SYSEVENT.EVT, APPEVENT.EVT

Answer 105

A

Disabling Auditing: Auditpol

Auditpol.exe is the command line utility tool to change Audit Security settings at the category and sub-category levels. Attackers can use AuditPol to enable or disable security auditing on local or remote systems and to adjust the audit criteria for different categories of security events.

C:\>auditpol \

C :\>auditpol \ /disable

The moment that intruders gain administrative privileges, they disable auditing with the help of auditpol.exe. Once they complete their mission, they again turn on auditing by using the same tool (audit.exe).

Attackers can use AuditPol to view defined auditing settings on the target computer, running the following command at the command prompt: auditpol /get /category:*

Answer 106

A

Attacker uses Clear_Event_Viewer_Logs.bat or clearlogs.exe utility to clear the security, system, and application logs

If the system is exploited with the Metasploit, attacker uses meterpreter shell to wipe out all the logs from a Windows system

Steps to clear logs using Clear_Event_Viewer_Logs.bat utility

Download the Clear_Event_Viewer_Logs.bat utility from the https://www.tenforums.com
Unblock the .bat file
Right click or press and hold on the .bat file, and click/tap on Run as administrator.
If prompted by UAC, click/tap on Yes.
A command prompt will now open to clear the event logs. The command prompt will automatically close when finished.

Steps to clear logs using clearlogs.exe utility

Download the clearlogs.exe utiliy from http://www.ntsecurity.nu
Run clearlogs.exe from the command prompt, and clear the security, system, and application logs using the following options

- C:\clearlogs.exe -app(for clearing application logs)
  - C:\clearlogs.exe -sec(for clearing application logs)
  - C:\clearlogs.exe -sys(for clearing application logs)

Steps to clear logs using meterpreter shell

If the system is exploited with the Metasploit, the attacker uses a meterpreter shell to wipe out all the logs from a Windows system:

Launch meterpretershell prompt of the Metasploit Framework.
Type clearev command in meterpreter shell prompt and press Enter. The logs of the target system will start being wiped out.

Answer 107

A

Windows
1. Navigate to Start->Control Panel->System and Security->Administrative Tools->double click Event Viewer
2. Delete the all the log entries logged while compromising of the system
Linux
1. Navigates to /var/log directory on the Linux system
2. Open plain text file containing log messages with text editor /var/log/messages
3. Delete all the log entries logged while compromising of the system

Answer 108

A

Use private browsing
Delete history in the address field
Disable stored history
Delete private data
Clear cookies on exit
Clear cache on exit
Delete downloads
Disable password manager
Clear data in password manager
Delete saved sessions
Delete user JavaScript
Set up multiple users
Remove Most Recently Used (MRU)
Clear Toolbar data from the browsers
Turn off AutoComplete

Answer 109

A

The BASH is an sh-compatible shell which stores command history in a file called bash_history
You can view the saved command history using more ~/.bash_history command

Attackers use following commands to clear the saved command history tracks:

Disabling history
- export HISTSIZE=0
Clearing the history
- history –c (Clears the stored history)
- history -w (Clears history of current shell)
Clearing the user’s complete history
- cat /dev/null > ~.bash_history && history -c && exit
Shredding the history
- shred ~/.bash_history (Shreds the history file, making its content unreadable)
- shred ~/.bash_history && cat /dev/null > .bash_history && history -c && exit (Shreds the history file and clear the evidence of the command)

Answer 110

A

Using Reverse HTTP Shells
Using Reverse ICMP Tunnels
Using DNS Tunneling
Using TCP Parameters

Answer 111

A

Windows

NTFS has a feature called as Alternate Data Streams that allows attackers to hide a file behind other normal files. Given below are some steps in order to hide file using NTFS:

Open the command prompt with an elevated privilege
Type the command “type C:\SecretFile.txt >C:\LegitFile.txt:SecretFile.txt” (here, file is kept in C drive where SecretFile.txt file is hidden inside LegitFile.txt file)
To view the hidden file, type “more < C:\SecretFile.txt” (for this you need to know the hidden file name)

Unix

Files in UNIX can be hidden just by appending a dot (.) in front of a file name. In UNIX, each directory is subdivided into two directories: current directory (.) and parent directory (..). Attackers give a similar name like “. ” (space is there, after . ). These hidden files are usually placed in /dev, /tmp, /etc.

An attacker can also edit the log files to cover their tracks. However, sometimes using this technique of hiding files, an attacker can leave his trace behind because the command he used to open a file with will be recorded in a .bash_history file. A smart attacker knows how to overcome such a problem; he does so by using export HISTSIZE=0 command.

Answer 112

A

CCleaner cleans traces of temporary files, log files, registry files, memory dumps, and also your online activities such as your Internet history

Internet Explorer: Temporary files, history, cookies, Autocomplete form history, index.dat.
Firefox: Temporary files, history, cookies, download history, form history
Google Chrome: Temporary files, history, cookies, download history, form history
Opera: Temporary files, history, and cookies
Safari: Temporary files, history, cookies, form history
Windows: Recycle Bin, Recent Documents, Temporary files and Log files.

Others

 DBAN (http://www.cybertronsoft.com)

 Privacy Eraser (http://www.cybertronsoft.com)

 Wipe (https://privacyroot.com)

 BleachBit (https://www.bleachbit.org)

 ClearProg (http://www.clearprog.de)

 AVG TuneUp (https://www.avg.com)

 Norton Utilities (https://in.norton.com)

 Glary Utilities (http://www.glarysoft.com)

 Clear My History (https://www.hide-my-ip.com)

 WinTools.net Professional (http://www.wintools.net)

 Free Internet Window Washer (http://www.eusing.com)