System Hacking

Question 1

What is a unquoted service path vulnerability?

Answer 1

The path of a service isn’t encapsulated with “ “ tags, which could result in exploitation such as execution of .exe

Question 2

What are the 5 System Hacking Goals? (In order)

Answer 2

1. Gaining Access
2. Escalating Privileges
3. Executing Applications
4. Hiding Files
5. Covering Tracks

Question 3

What is meant by “False Acceptance Rate” (FAR)?

Answer 3

Rate that a system accepts access for people that shouldn’t have it

Question 4

What is meant by “False Rejection Rate” (FRR)?

Answer 4

Rate that a system rejects access for someone who should have i

Question 5

How is LLMNR/NBT-NS Poisoning triggered and when is it used?

Answer 5

It is triggered as a backup for internal DNS, it is used to crack NTLM hashes - Attacked used in internal pentesting.

Question 6

What is the outcome of vertical privilege escalation attack?

Answer 6

Gain access/execute code at higher privilege level.

Question 7

What is the outcome of horizontal privilege escalation attack?

Answer 7

Gain access/execute code from a different location with same permission level.

Question 8

List 4 most effective privilege escalation / code execute attacks (Carried out when you have access to the endpoint)

Answer 8

1. Cracking password of Administrator users
2. Exploit OS vulnerabilities
3. DLL Hijacking
4. Social Engineering - Have someone else run malware

Question 9

What are Alternate Data Streams (ADS)?

Answer 9

ADS can hide files or data from directory listings inside other files, only applies to NFTS file systems

Question 10

Covering Tracks

List 3 types of logs to clear during system hacking

Answer 10

1. Application
2. System
3. Security

Question 11

Covering Tracks

List 3 best methods of covering track during system hacking

Answer 11

1. Corrupting log files
2. Selective deletion (Determined by your actions)
3. Disable auditing ahead of time

Question 12

Why are Rootkits so affective?

Answer 12

Placed malware can remain hidden for long period of time.

Pros:
- Hides processes
- Allows for future access

Question 13

What type of malware is “horsepill” and which OS does is it target?

Answer 13

1. Rootkit - Infect via initrd (Linux boot loader startup process)
2. Linux

Question 14

What type of malware is “Grayfish” and which OS does is it target?

Answer 14

1. Rootkit injected via Windows Boot Record - Used by APTs
2. Windows

Question 15

What is a hypervisor level malware?

Answer 15

Rootkits that modify the boot sequence of a host system to load a VM as the host OS

Question 16

What is hardware level malware?

Answer 16

Malware hidden with devices or firmware.

Question 17

What is Boot Loader level malware?

Answer 17

Replaces boot loader with one controlled by the hacker

Question 18

What is a application level malware?

Answer 18

Malware that replaces valid applications with trojans

Question 19

What is a kernal level malware?

Answer 19

Attacks boot sectors and kernel replacing kernel code with backdoor code - highly dangerous

Question 20

What is a library level malware?

Answer 20

Malware that hides within system level calls.

Question 21

What kind of risk does TFTP present if enabled?

Answer 21

Unauthenticated access to the host

Question 22

Which programming language is most vulnerable to Buffer Overflow?

Answer 22

C++

Question 23

What is PSExec known for in Metasploit?

Answer 23

Ability to Pass the hash, authenticate using the password hash instead of the plaintext password.

Additionally, it is a Windows tool that allows administrators to run programs on local and more commonly remote computers.

Question 24

List all 7 steps of the Cyber Kill Chain Methodology

Answer 24

1. Reconnaissance
2. Weaponization
3. Delivery
4. Exploitation
5. Installation
6. Command and Control
7. Action on Objectives

Question 25

What is a Fragmentation Attack?

Answer 25

Exploit against system’s ability to reconstruct fragmented packets

Question 26

What is a Volumetric attack?

Answer 26

Bandwidth attack, consumes all bandwidth for a system or service

Question 27

What is a Application Attack (Terms of DoS)?

Answer 27

Consumes the resources of the application to not be able to run

Question 28

What is a TCP State-Exhaustion Attack?

Answer 28

Target public facing devices such as load balancers, firewalls, application servers.

Question 29

What is a Phlashing Attack?

Answer 29

DoS attack that bricks the target.

Question 30

Before running Metasploit, which database needs to be running first?

Answer 30

Postgresql

Question 31

What type of tool is Medusa?

Answer 31

Password brute-forcer

Question 32

What type of tool is Arpwatch?

Answer 32

Tool that monitors strange ARP activity that can help identify ARP spoofing with alerts.

Question 33

What type of tool is SMBRelay?

Answer 33

Server Message Block (SMB) server that is used to grab usernames and password hashes from inbound SMB traffic

Question 34

What are the issues with LM hashing?

Answer 34

1. The user’s password as an OEM string is converted to uppercase.
2. This password is either null-padded or truncated to 14 bytes.
3. The “fixed-length” password is split into two
   7-byte halves.
4. These values are used to create two DES keys, one from each 7-byte half.
5. Each of these keys is used to DES-encrypt the constant ASCII string “KGS!@#$%”, resulting in two 8-byte ciphertext values.
6. These two ciphertext values are concatenated to form a 16-byte value, which is the LM hash. The hashes themself are sent in clear text over the network instead of sending the password in cleartext.

Question 35

What tool in Metasploit can be used to alter the code in execution to evade AVs?

Answer 35

msfencode

Question 36

Which type of server is most affected by Smurf attack?

Answer 36

IRC