System Hacking Flashcards
What is an unquoted service path vulnerability?
The service's binary path (ImagePath) contains spaces but is not wrapped in double quotes. When the Service Control Manager starts the service it tries each space-delimited prefix in turn (C:\Program.exe, then C:\Program Files\Some.exe, and so on) before reaching the real binary. An attacker who can write to one of those directories plants an executable there, and it runs with the service's account (often LocalSystem) the next time the service starts.
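The check a practitioner runs for this card, as an added example that is not part of the original flashcards: enumerate services whose path is unquoted and contains a space, expand the prefixes the Service Control Manager would try, and test whether the current user can write to each of those directories. It assumes Windows PowerShell 5.1 or later with CIM available; the function name is my own.

```powershell
# Added example, not part of the original flashcards. Assumes Windows PowerShell 5.1+
# (or PowerShell 7 on Windows) with access to CIM; the function name is my own.
function Get-UnquotedServicePath {
    [CmdletBinding()]
    param()

    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.PathName -and
            $_.PathName -notmatch '^\s*"' -and                    # path is not quoted
            $_.PathName -match '\.exe' -and
            (($_.PathName -split '(?<=\.exe)', 2)[0]) -match ' '  # and there is a space before the .exe
        } |
        ForEach-Object {
            $svc = $_
            # Keep everything up to and including the executable name, dropping arguments
            $exe   = (($svc.PathName -split '(?<=\.exe)', 2)[0]).Trim()
            $parts = $exe -split ' '
            # Each prefix SCM tries before the real binary, with .exe appended by CreateProcess:
            # "C:\Program.exe", then "C:\Program Files\Some.exe", and so on
            $candidates = for ($i = 1; $i -lt $parts.Count; $i++) {
                ($parts[0..($i - 1)] -join ' ') + '.exe'
            }
            foreach ($candidate in $candidates) {
                $dir = Split-Path -Path $candidate -Parent
                $writable = $false
                if ($dir -and (Test-Path -LiteralPath $dir)) {
                    # Probe by writing and removing a throwaway file: this is the exact
                    # permission the attacker needs, evaluated the way the OS evaluates it
                    $probe = Join-Path -Path $dir -ChildPath ([IO.Path]::GetRandomFileName())
                    try {
                        [IO.File]::WriteAllText($probe, '')
                        Remove-Item -LiteralPath $probe -Force
                        $writable = $true
                    } catch {
                        $writable = $false
                    }
                }
                [pscustomobject]@{
                    Service     = $svc.Name
                    RunsAs      = $svc.StartName
                    ImagePath   = $svc.PathName
                    Candidate   = $candidate
                    DirWritable = $writable
                }
            }
        }
}

Get-UnquotedServicePath | Format-Table -AutoSize
```

Run it as the low-privileged user you actually hold, not elevated (an administrator can write almost everywhere, so every row would show DirWritable = True). The actionable finding is a row with DirWritable = True and RunsAs = LocalSystem. The fix is to quote the path, for example `sc config <service> binPath= "\"C:\Program Files\App\svc.exe\""`.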
What are the 5 System Hacking Goals? (In order)
- Gaining Access
- Escalating Privileges
- Executing Applications
- Hiding Files
- Covering Tracks
What is meant by "False Acceptance Rate" (FAR)?
The proportion of attempts by people who should not have access that the system wrongly accepts (impostors let in).
What is meant by "False Rejection Rate" (FRR)?
The proportion of attempts by legitimate users that the system wrongly rejects (authorised people locked out).
How is LLMNR/NBT-NS poisoning triggered and when is it used?
LLMNR and NBT-NS are fallback name-resolution protocols a Windows host uses when DNS fails to resolve a name (a mistyped share name, a stale shortcut). The query is broadcast to the local segment, so any host can answer it. An attacker on the same segment replies claiming to be that name; the victim then authenticates to the attacker and hands over an NTLMv2 challenge/response, which is cracked offline or relayed to another host. It is an internal pentest technique.
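The check and the fix for this card, as an added example that is not part of the original flashcards: read whether LLMNR and NetBIOS over TCP/IP are still on for this host, then turn both off so the host never sends the broadcast an attacker answers. It assumes an elevated Windows PowerShell session; the policy key and the WMI method used are the standard ones.

```powershell
# Added example, not part of the original flashcards. Assumes an elevated Windows
# PowerShell session; the policy key and WMI method are the standard ones.
$llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'

# Exposure check: LLMNR is on unless this policy value exists and is 0.
# NetBIOS over TCP/IP is on unless TcpipNetbiosOptions is 2 (0 = DHCP default, 1 = on, 2 = off).
$llmnr = (Get-ItemProperty -Path $llmnrKey -Name EnableMulticastNameResolution -ErrorAction SilentlyContinue).EnableMulticastNameResolution
"LLMNR enabled: $($llmnr -ne 0)"
Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Select-Object Description, IPAddress, TcpipNetbiosOptions

# Remediation: disable LLMNR through the policy value and NetBIOS on every IP-enabled adapter
New-Item -Path $llmnrKey -Force | Out-Null
Set-ItemProperty -Path $llmnrKey -Name EnableMulticastNameResolution -Value 0 -Type DWord

Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object {
        $adapter = $_
        # ReturnValue 0 = applied, 1 = applied but a reboot is required
        Invoke-CimMethod -InputObject $adapter -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = 2 } |
            Select-Object @{ n = 'Adapter'; e = { $adapter.Description } }, ReturnValue
    }
```

Push the same two settings to every host by Group Policy: the poisoning works against whichever host still broadcasts, so one machine left with LLMNR on is still a victim even after the rest of the segment is fixed.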
What is the outcome of vertical privilege escalation attack?
Gain access/execute code at higher privilege level.
What is the outcome of horizontal privilege escalation attack?
Gain access or execute code as a different account at the same privilege level (for example, another standard user's session or data).
List the 4 most effective privilege escalation / code execution attacks (carried out once you already have access to the endpoint)
- Cracking or dumping the passwords of Administrator users
- Exploiting OS vulnerabilities
- DLL hijacking (placing a malicious DLL where a privileged process loads it first)
- Social engineering: getting a more privileged user to run the malware
What are Alternate Data Streams (ADS)?
An NTFS feature that lets a file carry extra named data streams besides its main content. Data hidden in an alternate stream does not appear in a normal directory listing and is not counted in the file's reported size, so ADS are used to stash files or payloads inside innocent-looking files. They exist only on NTFS; copying the file to FAT/exFAT or to a non-NTFS share silently drops the streams.
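Writing, reading and hunting for alternate data streams, as an added example that is not part of the original flashcards. It assumes an NTFS volume and Windows PowerShell 3.0 or later; the file name, stream name and the Find-AlternateDataStream function name are made up for the demonstration.

```powershell
# Added example, not part of the original flashcards. Assumes an NTFS volume
# and Windows PowerShell 3.0+; file name, stream name and function name are made up.
$target = Join-Path -Path $env:TEMP -ChildPath 'ads-demo.txt'
Set-Content -Path $target -Value 'visible content'
# Write a second payload into an alternate stream called "secret" on the same file
Set-Content -Path $target -Stream 'secret' -Value 'hidden content'

# A normal listing shows one file whose Length counts only the main (:$DATA) stream
Get-ChildItem -Path $target | Select-Object Name, Length
# Asking for the streams explicitly reveals both
Get-Item -Path $target -Stream * | Select-Object Stream, Length
Get-Content -Path $target -Stream 'secret'

# Hunt for ADS under a directory tree. Zone.Identifier is the Mark-of-the-Web
# stream browsers attach to downloads, so it is filtered out as noise.
function Find-AlternateDataStream {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $Ignore = @(':$DATA', 'Zone.Identifier')
    )
    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -notin $Ignore }
        } |
        Select-Object FileName, Stream, Length
}

Find-AlternateDataStream -Path $env:TEMP

# Clean up: remove only the hidden stream, leaving the file itself intact
Remove-Item -Path $target -Stream 'secret'
```

From cmd.exe the same streams show up with `dir /r`, and Sysinternals `streams.exe` enumerates and deletes them. Because the stream survives on disk but not across non-NTFS copies, a hunt like the one above has to run on the original volume.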
Covering Tracks
List 3 types of logs to clear during system hacking
- Application
- System
- Security
Covering Tracks
List 3 best methods of covering tracks during system hacking
- Corrupting log files
- Selective deletion (which entries depends on what actions you performed)
- Disabling auditing ahead of time, so the actions are never recorded
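The three methods and the three logs above, each paired with the artifact it leaves behind, as an added example that is not part of the original flashcards. It assumes an elevated PowerShell session on a lab Windows host with auditing enabled; the commands are destructive on the logs and should not be run on a host whose logs matter.

```powershell
# Added example, not part of the original flashcards. Assumes an elevated
# PowerShell session on a lab Windows host with auditing enabled.

# 1. Clearing the three logs named above
foreach ($log in 'Application', 'System', 'Security') {
    wevtutil.exe cl $log            # equivalent: Clear-EventLog -LogName $log
}

# Clearing is itself recorded: Security 1102 ("The audit log was cleared") and
# System 104 ("The <name> log file was cleared") are written right afterwards,
# naming the account that did it. This is what a defender's alert fires on.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 104 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# 2. Disabling auditing ahead of time, so later actions never reach the log
auditpol.exe /set /subcategory:"Process Creation" /success:disable /failure:disable
# ...which is itself recorded as Security 4719 ("System audit policy was changed")
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4719 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# 3. Selective deletion: the Event Log API has no "delete one record" call, so
# removing single events means stopping the EventLog service and editing the
# .evtx file on disk, whose per-chunk CRC32 checksums then have to be recomputed.
# A file whose checksums do not match is exactly what forensic evtx parsers flag.
foreach ($log in 'Application', 'System', 'Security') {
    Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$log" -Name File |
        Select-Object @{ n = 'Log'; e = { $log } }, File
}
```

The practical point for both sides: none of the three methods is silent. Clearing produces 1102/104, a policy change produces 4719, and an edited .evtx fails its integrity checks, so log forwarding to a collector the attacker cannot reach is what actually defeats all three.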
Why are rootkits so effective?
Once placed, the malware can stay hidden for a long period of time.
Advantages for the attacker:
- Hides processes, files and network connections from the OS's own tools
- Provides a persistent backdoor for future access
What type of malware is "Horsepill" and which OS does it target?
- Rootkit that infects the initrd (the initial RAM disk the boot loader hands to the kernel), so it runs before the real init process and hides inside the boot sequence
- Linux
What type of malware is "Grayfish" and which OS does it target?
- Bootkit/rootkit injected via the Windows boot record, so it loads before the OS; used by APTs (attributed to the Equation Group)
- Windows
What is hypervisor-level malware?
Rootkits that modify the boot sequence so a malicious hypervisor loads first and the original host OS runs as a guest VM on top of it, while still believing it runs on bare metal.
What is hardware-level malware?
Malware hidden in devices or firmware (BIOS/UEFI, disk or network card firmware); it survives OS reinstallation.
What is boot loader-level malware?
Replaces or patches the boot loader with one controlled by the attacker, so malicious code runs before the OS and its protections load.
What is application-level malware?
Malware that replaces legitimate application binaries with trojaned versions.
What is kernel-level malware?
Attacks boot sectors and the kernel, replacing kernel code (drivers or modules) with backdoored code; it runs at the same privilege as the OS, so it can hide from everything above it. Highly dangerous.
What is library-level malware?
Malware that hooks or replaces shared system libraries, so applications' calls to system functions pass through the malware, which can alter what they return.
What kind of risk does TFTP present if enabled?
TFTP has no authentication: anyone who can reach UDP port 69 can download (and, if writes are allowed, upload) any file in the served directory, which often holds device configurations and boot images.
Which programming language is most vulnerable to buffer overflow?
C++ (and C): they give direct pointer access to memory and do no bounds checking on arrays or raw buffers, so a write past the end of a stack or heap buffer corrupts adjacent data and control structures.
What is PsExec known for in Metasploit?
The ability to pass the hash: the exploit/windows/smb/psexec module accepts the NTLM hash in place of the password (SMBPass set to the LM:NT hash pair), so a hash dumped from one host authenticates to others over SMB without being cracked.
PsExec itself is a Sysinternals tool that lets administrators run programs on local and, more commonly, remote Windows computers; it copies a service binary over SMB and starts it through the Service Control Manager, and the Metasploit module reuses the same technique.
List all 7 steps of the Cyber Kill Chain Methodology
- Reconnaissance
- Weaponization
- Delivery
- Exploitation
- Installation
- Command and Control
- Actions on Objectives