System Hacking Flashcards

1
Q

What is an unquoted service path vulnerability?

A

The path of a service executable isn’t enclosed in double quotes (“ ”), which could result in exploitation such as execution of an unintended .exe

2
Q

What are the 5 System Hacking Goals? (In order)

A
  1. Gaining Access
  2. Escalating Privileges
  3. Executing Applications
  4. Hiding Files
  5. Covering Tracks
3
Q

What is meant by “False Acceptance Rate” (FAR)?

A

Rate that a system accepts access for people that shouldn’t have it

4
Q

What is meant by “False Rejection Rate” (FRR)?

A

Rate that a system rejects access for someone who should have it

5
Q

How is LLMNR/NBT-NS Poisoning triggered and when is it used?

A

It is triggered as a fallback for internal DNS, and it is used to crack NTLM hashes - an attack used in internal pentesting.

6
Q

What is the outcome of a vertical privilege escalation attack?

A

Gain access/execute code at higher privilege level.

7
Q

What is the outcome of a horizontal privilege escalation attack?

A

Gain access/execute code from a different location at the same permission level.

8
Q

List the 4 most effective privilege escalation / code execution attacks (carried out when you already have access to the endpoint)

A
  1. Cracking passwords of Administrator users
  2. Exploit OS vulnerabilities
  3. DLL Hijacking
  4. Social Engineering - Have someone else run malware
9
Q

What are Alternate Data Streams (ADS)?

A

ADS can hide files or data inside other files so they do not appear in directory listings; they only apply to NTFS file systems

10
Q

Covering Tracks

List 3 types of logs to clear during system hacking

A
  1. Application
  2. System
  3. Security
11
Q

Covering Tracks

List the 3 best methods of covering tracks during system hacking

A
  1. Corrupting log files
  2. Selective deletion (determined by your actions)
  3. Disable auditing ahead of time
12
Q

Why are Rootkits so effective?

A

Placed malware can remain hidden for a long period of time.

Pros:
- Hides processes
- Allows for future access

13
Q

What type of malware is “horsepill” and which OS does it target?

A
  1. Rootkit - infects via initrd (Linux boot loader startup process)
  2. Linux
14
Q

What type of malware is “Grayfish” and which OS does it target?

A
  1. Rootkit injected via the Windows Boot Record - used by APTs
  2. Windows
15
Q

What is hypervisor-level malware?

A

Rootkits that modify the boot sequence of a host system so that the original host OS is loaded as a VM

16
Q

What is hardware-level malware?

A

Malware hidden within devices or firmware.

17
Q

What is boot-loader-level malware?

A

Replaces the boot loader with one controlled by the hacker

18
Q

What is application-level malware?

A

Malware that replaces valid applications with trojans

19
Q

What is kernel-level malware?

A

Attacks boot sectors and the kernel, replacing kernel code with backdoor code - highly dangerous

20
Q

What is library-level malware?

A

Malware that hides within system-level calls.

21
Q

What kind of risk does TFTP present if enabled?

A

Unauthenticated access to the host

22
Q

Which programming language is most vulnerable to Buffer Overflow?

23
Q

What is PSExec known for in Metasploit?

A

Ability to pass the hash: authenticate using the password hash instead of the plaintext password.

Additionally, it is a Windows tool that allows administrators to run programs on local and, more commonly, remote computers.

24
Q

List all 7 steps of the Cyber Kill Chain Methodology

A
  1. Reconnaissance
  2. Weaponization
  3. Delivery
  4. Exploitation
  5. Installation
  6. Command and Control
  7. Actions on Objectives
25
Q

What is a Fragmentation Attack?

A

An exploit against a system's ability to reconstruct fragmented packets

26
Q

What is a Volumetric attack?

A

A bandwidth attack that consumes all bandwidth available to a system or service

27
Q

What is an Application Attack (in terms of DoS)?

A

Consumes the resources of the application so that it is no longer able to run

28
Q

What is a TCP State-Exhaustion Attack?

A

Targets public-facing devices such as load balancers, firewalls, and application servers.

29
Q

What is a Phlashing Attack?

A

A DoS attack that bricks the target.

30
Q

Before running Metasploit, which database needs to be running first?

A

PostgreSQL

31
Q

What type of tool is Medusa?

A

Password brute-forcer

32
Q

What type of tool is Arpwatch?

A

A tool that monitors for unusual ARP activity and raises alerts that can help identify ARP spoofing.

33
Q

What type of tool is SMBRelay?

A

A Server Message Block (SMB) server used to grab usernames and password hashes from inbound SMB traffic

34
Q

What are the issues with LM hashing?

A
  1. The user’s password as an OEM string is converted to uppercase.
  2. This password is either null-padded or truncated to 14 bytes.
  3. The “fixed-length” password is split into two 7-byte halves.
  4. These values are used to create two DES keys, one from each 7-byte half.
  5. Each of these keys is used to DES-encrypt the constant ASCII string “KGS!@#$%”, resulting in two 8-byte ciphertext values.
  6. These two ciphertext values are concatenated to form a 16-byte value, which is the LM hash.

The hashes themselves are sent in cleartext over the network instead of the password being sent in cleartext.

35
Q

What tool in Metasploit can be used to alter the code in execution to evade AVs?

A

msfencode

36
Q

Which type of server is most affected by a Smurf attack?

A

IRC