Questions from Review Flashcards

Git Gud.

1
Q

Type of hackers and their motivations

A
  • Black hat hackers: with malicious intent. Often economically or politically motivated (e.g. backed by a government).
  • White hat hackers: perform penetration testing to promote security. Often motivated by doing good for others or society at large.
  • Script kiddies: amateurs using publicly available software tools to attack.
  • Protest hackers: protest against something, e.g. Anonymous.
  • Grey hat hackers: usually white hat, but can act as black hat.
  • Red hat hackers: stop black hat hackers by attacking them.
  • Blue hat hackers: hack in order to take revenge.
  • Green hat hackers: beginners to hacking.
2
Q

Differences between ethical and non-ethical hacking

A

Ethical:
• Promotes security by making vulnerabilities apparent.
• Finds vulnerabilities without causing harm.
• Documents all activities and delivers a final presentation and report for the benefit of the victim (the client).

Unethical:
• Steals information, modifies data, makes services unavailable for own purposes.
• Finds the easiest way to reach the goal (the weakest link).
• Does not care if the system is destroyed (but not too early).
• Documents nothing and actively deletes all clues and traces afterwards.

3
Q

The usual detailed steps of ethical hacking

A
  1. General information gathering.
  2. Technical information gathering.
  3. Identifying available host computers in the target network.
  4. Identifying available services in the target network.
  5. Manual mapping of the services and their responses.
  6. Automated vulnerability scanning using tools.
  7. Manual verification of the found vulnerabilities.
  8. Exploitation of the confirmed vulnerabilities.
  9. Lateral movement through the local network.
  10. Ensuring access until finished, adding more entry points.
  11. Achieving the goals.
  12. Removing clues.
  13. Reporting and presentation of the found vulnerabilities.
  14. Removal of the attacking files.
4
Q

Google hacking expressions and the type of information that can be obtained

A

Using specific Google query operators we can filter results precisely or find “hidden” data.

Common filters:
• “site” restricts results to a specific domain.
• “filetype” restricts results to a file type (by extension).
• “intitle” filters on the page title.
• “inurl” filters on the content of the URL.

Data that can be obtained:
• Default website (domain name) and other sites.
• History and public data (faculties, number of staff members).
• Key persons with contact details.
• Important pages.
• Services.
• Recent news.
• Social media info.
5
Q

The technical information of a company

A
  • Domain names of the target
  • Domain owner(s) of the target
  • Domain registrants
  • IP addresses associated with the target websites
  • IP ranges of the target
  • IP range owner(s)
  • List of hosted websites
  • Hosting companies
6
Q

CIDR and usage

A

In the beginning classful networking was used, but it was wasteful in the way it assigned network ranges. CIDR (Classless Inter-Domain Routing) was created to waste far less address space.
This is done by writing network ranges with two kinds of bits: a fixed part (the network prefix) and a variable part (the host bits). For example:

One company has the network range 130.18.0.0 - 130.19.255.255
In CIDR this range can be written as 130.18.0.0/15 because the first 15 bits of the range are fixed:

(10000010.00010010.00000000.00000000) – (10000010.00010011.11111111.11111111)

The rest is the variable part, so “/x” means that the first x bits are fixed.

Another example:

129.240.171.56 – 129.240.171.63
(10000001.11110000.10101011.00111000) – (10000001.11110000.10101011.00111111)
129.240.171.56/29 - The first 29 of 32 bits are fixed; the rest are variable.
7
Q

Whois information

A

The whois database must contain the following information:

  • Administrative contact
  • Technical contact
  • Billing contact
  • Name servers

Name servers are computers that provide subdomain information for the particular domain using the DNS protocol.

The whois protocol is also used to find the owner of a particular IP range.
The records are stored in different databases according to continent.
The Norwegian entries are stored in the European database (RIPE NCC).
If we don’t know which database to use, the general whois protocol helps us find it.

8
Q

DNS and its records

A

DNS servers are spread all around the world and are organized in a tree structure with 13 root servers. The top level domains (.com, .no) are directly under the root servers. DNS data is stored redundantly. DNS converts a domain name to an IP address.

Record types:
• Address Mapping records (A) ...
• IP Version 6 Address records (AAAA) ...
• Canonical Name records (CNAME) ...
• Host Information records (HINFO) ...
• Mail exchanger records (MX) ...
• Name Server records (NS) ...
• Reverse-lookup Pointer records (PTR)
9
Q

Difference between packet switched and circuit switched networks

A

In circuit switched networks a virtual line is allocated between the communicating parties. The line stays busy until the communication ends.

In packet switched networks the caller sends packets in the direction of the receiver. There is no planned route: each network device chooses the most appropriate next hop based on its routing table and the current traffic.

To avoid infinite loops a TTL (time to live) field is used.

10
Q

The layers of the OSI model

A
Data - Application
Data - Presentation
Data - Session
Segments - Transport
Packets - Network
Frames - Data Link
Bits - Physical
11
Q

ICMP protocol and usage (tools)

A
  • To check if a host is responding.
  • Echo request – echo reply to make sure a host is turned on.

Examples of tools using ICMP:
Ping
Traceroute
Visual Traceroute

Answer types:
• Positive answer: in case of ICMP we get an echo reply to our echo request.
• Negative answer: in case of ICMP we get a destination unreachable / host unreachable message.
• No answer: in case of ICMP we get no response from the host addressed by the echo request.

12
Q

Answers types in case of ping scan and tcp scan

A
Ping (ICMP message types):
0 - Echo reply
3 - Destination unreachable
4 - Source quench
5 - Redirect
8 - Echo request
11 - Time exceeded
12 - Parameter unintelligible
13 - Time-stamp request
14 - Time-stamp reply
15 - Information request
16 - Information reply
17 - Address mask request
18 - Address mask reply

TCP:

  1. SYN - SYN+ACK - ACK = Port is open
  2. SYN - RST = Port is closed
  3. SYN - no answer = Port is filtered
13
Q

TCP header and flags, handshake

A

A TCP header consists of 20 bytes of mandatory fields plus up to 40 bytes of optional data.

In order to ensure that the packets arrive in the right order, the sequence number and the acknowledgement number are used.

The TCP flags maintain the connection status (URG, ACK, PSH, RST, SYN, FIN).

The TCP handshake is the process by which a connection is established on a specific port.

<------------------------------ 32 bits ------------------------------>
+----------------------------------+----------------------------------+
|           source port            |         destination port         |
+----------------------------------+----------------------------------+
|                           sequence number                           |
+---------------------------------------------------------------------+
|                       acknowledgement number                        |
+------+-----------+---------------------------+----------------------+
| Hlen | reserved  | URG ACK PSH RST SYN FIN   |        window        |
+------+-----------+---------------------------+----------------------+
|             checksum             |          urgent pointer          |
+----------------------------------+----------------------------------+
|                       [options] (0-40 bytes)                        |
+---------------------------------------------------------------------+
14
Q

Factory defaults

A

In earlier years it was not uncommon to see services running with factory default credentials. This made them easy to compromise and misuse. It is an example of a configuration error.

It is still common today to find default credentials on devices such as routers and printers.

15
Q

Open-relay smtp

A

An open relay is an SMTP e-mail server that allows third-party relaying of e-mail messages.

With open relay settings the user does not need to provide credentials. Anyone can send mail with arbitrary header fields.

How to find/attack open-relay SMTP:
• If one of the client’s SMTP servers allows open relay, any e-mail can be sent through it.
• Spam folders will probably contain mail that went through some open-relay SMTP server.

16
Q

DNS zone transfer

A

Since DNS data is stored redundantly, a slave DNS server can ask the master DNS server to send it a copy of a part of its database (a zone).

Zone transfers should be restricted to the slave’s IP address. If this is not the case, anyone can obtain the whole zone data (and network topology information too).

17
Q

THC-Hydra, services that can be attacked by Hydra!

A

Various Cisco services, FTP, various HTTP functions, IMAP, IRC, MySQL, POP3, SMTP, SSH, Telnet, VNC, XMPP and many others.

18
Q

The obligatory header fields of HTTP

A
Request:
• The protocol version
• The requested file
• The HTTP method
• The host name

Response:
• The status (the web answer)
• The date
• The content type

19
Q

Information disclosures on a website

A

Most web sites disclose some amount of information. The more information the attacker can obtain, the easier the system is to compromise.

Examples of common disclosures:
Content prohibited for search engines - robots.txt
Dangerous default scripts, e.g. cgi-bin/test-cgi.
Directory brute-force (e.g. with dirb) to find hidden directories.

20
Q

Brute-force on a website

A

Hydra can be used for HTTP brute-forcing. Contrary to the previous cases, Hydra needs a keyword that identifies negative answers (reverse brute-force).
Example:
hydra -l username -P passwordfile url.to.bf http-post-form "/portal/xlogin/:ed=^USER^&pw=^PASS^:F=Invalid"

Different web servers use different default folders and default files. Dirb has collections of typical web server related folder names. Dirb also has unified dictionaries (big.txt, common.txt, etc.). Dirb brute-forces the folders and files using these dictionaries.

21
Q

Web-methods, inappropriate configuration related to web methods

A

HTTP response splitting is an old vulnerability (it still appeared in 2018). If requests are not validated properly, the client can provide misleading input (two consecutive newlines in the header mark the end of the header). The attacker can force the server to cache a wrong server answer.

The HTTP PUT method was used to place and update website content before FTP. If it is enabled for a folder and the folder is writable, the attacker can take advantage of that vulnerability and upload arbitrary files.

22
Q

Burp method attack types

A

Burp is a graphical tool for testing websites. It has several modules for manipulating web traffic. In order to test HTTPS traffic Burp provides its own certificate; the Burp CA can be added to any browser as a root CA.

  • Spider: automatic crawl of web applications
  • Intruder: automated attack on web applications
  • Sequencer: quality analysis of the randomness in a sample of data items
  • Decoder: transform encoded data
  • Comparer: compare packets
  • Scanner: automatic security test
  • Repeater: resend a selected, tampered packet from the history

Intruder attack types (iteration combinations):
Sniper: one parameter, one iteration
Battering ram: multiple parameters, one iteration
Pitchfork: multiple parameters, multiple iterations
Cluster bomb: multiple parameters, multiple iterations, all combinations considered

23
Q

Cross Site Scripting

A

Cross Site Scripting (XSS) is a common web vulnerability. If the website accepts input from the user without proper validation or encoding, the attacker can inject client side code that is executed in the browser.

24
Q

Ways to compromise a website with XSS

A
  • DOM based XSS: the data flow never leaves the browser. Classical example: the source is an HTML element, the result is a sensitive method call.
  • Stored XSS: the user input is stored on the target server, such as in a database, a message forum or a visitor log. The victims retrieve the XSS payload through the web site.
  • Reflected XSS: the user input is immediately returned by the web application in an error message, search result, or any other response that includes some or all of the input provided by the user as part of the request.
  • Client side XSS: the malicious data is used to fire a JavaScript call.
  • Server side XSS: the malicious data is sent to the server and the server sends it back without proper validation.
25
Q

XSS filter evasions

A

Server side scripts can filter out XSS attacks with proper input validation. If the filter replaces the keyword with antihacker, the attacker needs to find another way to execute the script.

Alternative ways of executing JavaScript:

<link></link>

The attacker can write characters in a special format to avoid filtering:
Decimal HTML character: &#106; &#0000106

Base64 encoding:
eval(atob(…));

iframe:
<iframe srcdoc="<img src=x:x onerror=alert('XSS');>">

26
Q

Ways of stealing the session variable

A

The session can be compromised in different ways:
Predictable session token: the attacker works out what the next session ID will be and sets his own session accordingly.
Session sniffing: the attacker uses a sniffer to capture a valid session ID.
Client-side attacks (e.g. XSS): the attacker redirects the client browser to his own website and steals the cookie containing the session ID.
Man-in-the-middle attack: the attacker intercepts the communication between two computers.
Man-in-the-browser attack.

27
Q

Sql injection exploitation types

A

Boolean based blind: the attacker provides an input and observes the website’s answer. The answer is either page 1 or page 2. There is no direct response to the attacker’s query, but it is possible to play a true/false game using the two different responses. The difference between the two responses can be a single byte or the pages can be totally different.

Time based blind: the same as boolean based, but instead of two different web responses the difference is the response time (less trustworthy).

Error based: the attacker forces syntactically wrong queries and tries to map the database using the data provided by the error messages.

Union query: the attacker takes advantage of SQL’s UNION SELECT statement. If the attacker can intervene in the SQL query, he can append a UNION SELECT and form the second query almost freely (see example later).

Stacked query: if the SQL engine supports stacked queries, then in case of a vulnerable parameter the attacker closes the original query with a semicolon and writes additional queries to obtain the data.

28
Q

File uploading with sql injection

A

Using the LFI vulnerability the attacker can upload attacking scripts. The most frequently used way of writing files to the server is to write the script into a local file first, then read it back through the LFI vulnerability. How can the attacker place his own attacking script in a local file? One option is to access the /proc/self Linux folder.

If the PHP settings allow it, a remote file can be included into the page.
PHP settings relevant to remote inclusion:
allow_url_fopen: open a file with fopen
allow_url_include: include, include_once, require and require_once

If the attacker can include remote files he will be able to include attacking scripts that are stored on an attacker controlled web server.

29
Q

Xpath injection and its exploitation

A

Instead of storing datasets in databases, data can be stored in XML format.

XPath can be used to make a query, for example finding the full name of a user; once you have the full name, you can find the username and password of the user.
XPath injection is possible when there is no input validation, or the validation of the input used in the XPath query is inappropriate.

30
Q

Exploitation of local file inclusion

A

Local file inclusion (LFI) is a vulnerability where the attacker can include a local file from the web server through the web page. If the server side script uses an include-type method and the input for the method is not validated, the attacker can provide a filename that points to a local file.

Adding a null character at the end of the path sometimes works when the normal exploitation fails.

In addition to obtaining local files, a further aim is to upload attacking scripts and execute commands. Depending on the server and the PHP settings, executing PHP scripts can be possible if the local file is php://input and the PHP script is the posted data:

31
Q

The Virtual Address Space and its content

A

When an executable is launched the OS creates a Virtual Address Space for the process (or processes) with a practically infinite size.

Virtual memory differs from physical memory in that:
• the process does not need to address the real physical memory (RAM)
• the processes are separated from each other
• the OS handles the memory requirements dynamically

In order to use the real physical memory the OS provides runtime address translation between virtual and physical memory. This is also useful for optimizing physical memory usage.

The Virtual Address Space is divided into kernel space and user space. The user space consists of segments (code and data).

32
Q

The stack frame and its content

A

The stack frame is a contiguous block inside the stack that stores the data of a method (the callee) that was called by the caller. When a method is called, the stack is prepared for the method’s execution.

The stack frame contains the following data:
• Method parameters – in order to pass parameters to the method, the parameters are placed on the stack.
• The return address of the method – in order to be able to return to the place where the method was called, the return address is placed on the stack.
• The local variables – the local variables of the method cease to exist after the method returns, so they are stored inside the stack frame.
• The saved base pointer – to have a reference to the local variables, the top of the stack is saved into the base pointer and the previous base pointer is stored inside the stack frame.

33
Q

The parts of a stack overflow exploit

A

A stack overflow exploit has to overrun the local variable(s) and reach the return pointer. The size of this overrun depends on the size of the local variables and the stack layout. It can be determined by debugging or by using a unique pattern string such as “aaaabbbbccccddddeeee…” and then reading the address from the error message. The new return address can point to the beginning of the payload.

34
Q

Return Oriented Programming, conditions for the gadgets

A

Return Oriented Programming (ROP) is a software vulnerability exploitation method that is able to bypass non-executable memory protections. Contrary to a plain stack overflow, ROP uses code that already exists in the virtual address space to execute the payload. Although ROP is based on the program’s use of the stack, it can also be used for heap related vulnerabilities by redirecting the stack to an attacker controlled part of the virtual memory.

The payload is divided into code parts, each executed by a gadget. A gadget is a small code block with one or more simple instructions and a ret-type instruction at the end.

35
Q

The freelist and its usage

A

The heap consists of chunks. Free chunks of the same size are organized in doubly linked lists. When heap memory is freed it goes to a free list according to its size. When the code requests a dynamic buffer, the freelists are checked first according to the requested size. If there is no free chunk of that size, a new chunk is created.

36
Q

The Virtual Method Table and its usage

A

A basic principle of OOP is polymorphism: methods can be redefined in derived classes. Since the real type of an object is only decided at runtime, each object needs a virtual method table (vtable) that contains the object specific method addresses. When exploiting use-after-free vulnerabilities, the attacker can overwrite the vtable pointer with a value pointing to an attacker controlled memory region.

37
Q

The use after free vulnerability and its exploitation

A

When an object is destroyed (freed) it is possible to create a fake object with the same size as the original and insert it into the heap in its place.

38
Q

The fastbin into stack exploitation

A

Fastbins are stored in singly linked lists. All chunks in a fastbin have the same size. The pointer to the first fastbin chunk is not visible to us, but the pointer to the second chunk is stored in the first one, the pointer to the third in the second one, and so on. If we manage to overwrite the content of the first fastbin chunk we can overwrite the address of the next chunk. This can be used to force the second allocation to land where we would like it to (e.g. on the stack).

39
Q

Accessing physically the internal network

A

Tailgating: an attacker seeking entry to a restricted area secured by unattended electronic access control (e.g. an RFID card) simply walks in behind a person who has legitimate access.
Hold the door: standing in front of the restricted area with a big package and asking somebody to help.
Going inside in a normal way with a fake reason (having a real meeting inside the building, going in for a job interview).
Taking a real job inside (insider attack).

40
Q

Traffic listening of the internal network

A

Without a valid IP address we can still listen to the internal traffic of a network. Besides broadcast messages, packets addressed to a different device can pass through our machine.

41
Q

ARP protocol and ARP poisoning

A

ARP protocol:
ARP (Address Resolution Protocol) is a network protocol used to find out the hardware (MAC) address of a device from its IP address. It is used when a device wants to communicate with another device on the local network.

ARP poisoning:
ARP poisoning (ARP poison routing) is a technique by which an attacker sends spoofed ARP messages onto a local area network to associate the attacker’s MAC address with the IP address of another host, such as the default gateway, causing any traffic meant for that IP address to be sent to the attacker instead. The sending device uses ARP to translate IP addresses to MAC addresses.

42
Q

The NetBios and its services

A

Network Basic Input/Output System (NetBIOS) provides services related to the session layer of the OSI model, allowing applications on separate computers to communicate over a local area network.

  • NetBIOS Name Service provides name lookup and registration (tcp 137).
  • NetBIOS Datagram Service is a connectionless service for sending data (udp 138).
  • NetBIOS Session Service lets two computers establish a connection for a “conversation” (tcp 139). This allows larger messages to be handled and provides error detection and recovery.
  • For NetBIOS troubleshooting the nbtstat tool is used.
43
Q

Situations that can be basis of social engineering attacks!

A

A sense of moral obligation can override security policies. Personal interest can be more important than the company’s interests, especially when mixed with trust. E.g. opening the door for someone carrying heavy boxes.

Confusing situations and misleading information: people feel stupid and think it is their fault. They try to resolve the situation to regain their balance, which makes them less cautious.

Hurrying makes people prone to overlook details or makes them less cautious. Ignorant users easily overlook details or do not care about security at all. Fear also has a negative effect on security: an attacker can use fear to make a subject less cautious.

All of these can be combined to create the “perfect” attack.

44
Q

Social engineering attack types with examples

A

Impersonation: posing as a legitimate user, a privileged user, technical support, a repairman, cleaning service, pizza delivery, etc.

Eavesdropping is the act of secretly listening to the private conversations or communications of others without their consent.

Shoulder surfing is used to obtain personal information and other confidential data by looking over the victim’s shoulder.

Dumpster diving is looking for treasures in someone’s trash (calendar entries, passwords on post-it notes, phone numbers, e-mails, operation manuals).

Tailgating is when a person passes a checkpoint (physical access control) together with another person who is authorized.

45
Q

Phishing and spear phishing

A

Phishing is used to steal user data, including login credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an e-mail, instant message, or text message. The recipient is then tricked into clicking a malicious link, which can lead to the installation of malware, the freezing of the system as part of a ransomware attack, or the revealing of sensitive information.

Spear phishing targets a specific person or enterprise. It is a more in-depth version of phishing that requires special knowledge about an organization, including its power structure. The attacker can use personal information obtained during information gathering to customize and tailor the story for that specific entity.

46
Q

Wi-Fi protection methods

A

No beacon frames: hidden network. It will not appear in your Wi-Fi list.

MAC filtering: the hotspot maintains a list of acceptable MAC addresses; only those clients can connect. This protection can be bypassed with MAC spoofing.

WEP (Wired Equivalent Privacy): an old security algorithm for IEEE 802.11. Not recommended today.

WPA (Wi-Fi Protected Access): all WEP vulnerabilities are corrected.

WPA2: improvement of WPA, mandatory use of AES (Advanced Encryption Standard).

47
Q

Wi-Fi attacks methods

A

Wi-Fi hacking – monitor mode
To collect the IVs (initialization vectors) we first need to put the wireless adapter into monitor mode. Monitor mode allows the user to monitor all traffic received from the wireless network. Unlike promiscuous mode, which is also used for packet sniffing, monitor mode allows packets to be captured without having to associate with an access point or ad hoc network first.

WEP hacking
The attacker collects several packets with different WEP IVs. Airodump-ng can filter the air traffic for specific conditions and save it to a file.

Aircrack-ng is able to recover the key if enough packets are provided. Multiple capture files can be provided. The whole cracking process is automatic.

WPA/WPA2 hacking:
WPA aims to provide stronger wireless data encryption than WEP.
  • 64-digit hexadecimal key or an 8 to 63 character password.
  • The WPA protocol used the same cipher (RC4) as WEP but added TKIP (Temporal Key Integrity Protocol) to make it harder to recover the key.
  • WPA2 replaced RC4 with AES and replaced TKIP with CCMP (Counter mode with Cipher block chaining Message authentication code Protocol).
48
Q

WPA handshake

A

WPA/WPA2 uses a 4-way handshake to authenticate devices to the network. The handshake occurs whenever a device connects to the network. The handshake has to be captured in order to crack the password.

49
Q

Mobile device attack types (attack surfaces)

A

The devices:
Browser: phishing, framing, clickjacking, man-in-the-middle, buffer overflow, data caching

System: no passcode / weak passcode, iOS jailbreak, Android rooting, OS data caching, passwords and data accessible, carrier-loaded software, no encryption / weak encryption, user-initiated code

Phone: apps, baseband attack, smishing (phishing via SMS)

The network:
Wi-Fi: no encryption / weak encryption, rogue access point, packet sniffing, MITM, session hijacking, DNS poisoning, SSL strip, fake SSL certificate

The data center:
Web server: platform vulnerabilities, server misconfiguration, cross-site scripting, cross-site request forgery, weak input validation, brute force attacks

Database: SQL injection, privilege escalation, data dumping, OS command execution

50
Q

OWASP mobile top 10

A
Improper platform usage
Insecure data storage
Insecure communication
Insecure authentication
Insufficient cryptography
Insecure authorization
Client code quality
Code tampering
Reverse engineering
Extraneous functionality

Mnemonic: PDA - AKA (ACA) - CT(E)F