System Hacking Flashcards

1
Q

Mandatory Access Control (MAC)

A

Determines the usage and access policies of users. A user can access a resource only if that user has been granted access rights to it. MAC is applied to data marked as highly confidential. Network administrators impose MAC, depending on the operating system and security kernel. It does not permit the end user to decide who can access the information, and it does not permit the user to pass privileges on to other users, since the access control could then be circumvented.

2
Q

Discretionary Access Control (DAC)

A

Lets the owner of an object decide the access controls that subjects have on that object. DAC is also known as the need-to-know access model. It permits a user who has been granted access to information to decide how to protect that information and how widely to share it. Access to files is restricted to users and groups based on their identity and the groups to which the users belong.

3
Q

Role Based Access Control (RBAC)

A

Access permissions are granted based on the access policies determined by the system. These permissions are outside user control, meaning users cannot amend the access policies the system has created. Users can be assigned access to systems, files, and fields on a one-to-one basis, whereby access is granted to the user for a particular file or system. RBAC can simplify the assignment of privileges and ensure that individuals have all the privileges necessary to perform their duties.

4
Q

Rule-Based Access Control (RuBAC)

A

In rule-based access control, endpoint devices such as firewalls verify requests to access network resources against a set of rules. These rules generally include IP addresses, port numbers, and the like.

5
Q

Meltdown vulnerability

A

This vulnerability is found in all Intel processors and in the ARM processors deployed by Apple. It tricks a process into accessing out-of-bounds memory by exploiting CPU optimization mechanisms such as speculative execution.

6
Q

Dylib hijacking

A

This allows an attacker to place a malicious dylib in one of the primary search directories so that the application simply loads the malicious dylib at runtime.

7
Q

Spectre vulnerability

A

This vulnerability is found in many modern processors, including AMD, ARM, Intel, Samsung, and Qualcomm processors. It tricks a processor into using speculative execution to read restricted data. Modern processors implement speculative execution to predict upcoming instructions and complete execution faster.

8
Q

DLL hijacking

A

In DLL hijacking, attackers place a malicious DLL in the application directory; the application then loads the malicious DLL in place of the real DLL.

9
Q

Application Shimming

A

The Windows operating system uses the Windows Application Compatibility Framework, called Shim, to provide compatibility between older and newer versions of Windows. An attacker can abuse these shims to perform attacks such as disabling Windows Defender, escalating privileges, installing backdoors, and so on.

10
Q

Scheduled task

A

The Windows operating system includes utilities such as “at” and “schtasks.” A user with administrator privileges can use these utilities with the Task Scheduler to schedule programs or scripts to run at a particular date and time. With proper authentication, a user can also schedule a task on a remote system using RPC. An attacker can use this technique to execute malicious programs at system startup, maintain persistence, perform remote execution, escalate privileges, etc.

11
Q

Web shell

A

A web shell is a web-based script that allows access to a web server. Web shells can be created on all operating systems, such as Windows, Linux, MacOS, and OS X. Attackers create web shells to inject malicious scripts on a web server to maintain persistent access and escalate privileges. Attackers use a web shell as a backdoor to gain access to and control a remote server. Generally, a web shell runs under the current user’s privileges. Using a web shell, an attacker can escalate privileges by exploiting local system vulnerabilities. After escalating privileges, an attacker can install malicious software, change user permissions, add or remove users, steal credentials, read emails, etc.

12
Q

Launch daemon

A

At boot time on MacOS and OS X, launchd is executed to complete the system initialization process. Parameters for each launch-on-demand system-level daemon found in /System/Library/LaunchDaemons and /Library/LaunchDaemons are loaded by launchd. These daemons have property list (plist) files that are linked to executables that run at boot time. Attackers can create and install a new launch daemon configured to execute at boot, using launchd or launchctl to load the plist into the relevant directories. Weak configurations allow an attacker to alter an existing launch daemon’s executable to maintain persistence or escalate privileges.

13
Q

Access token manipulation

A

In the Windows operating system, access tokens are used to determine the security context of a process or thread. These tokens include the access profile (identity and privileges) of the user associated with a process. After a user is authenticated, the system produces an access token. Every process the user executes makes use of this access token, and the system verifies it whenever the process accesses a secured object.

14
Q

Defend against malicious NTFS streams

A

To delete hidden NTFS streams, move the suspected files to a FAT partition.
Use a third-party file integrity checker such as Tripwire File Integrity Monitor to maintain the integrity of NTFS partition files against unauthorized ADS.
Use third-party utilities such as EventSentry or adslist.exe to show and manipulate hidden streams.
Avoid writing important or critical data to alternate data streams.
Use up-to-date antivirus software on your system.
Enable real-time antivirus scanning to protect against execution of malicious streams.
Use file-monitoring software such as Stream Detector (http://www.novirusthanks.org) and ADS Detector (https://sourceforge.net/projects/adsdetector/?source=directory) to help detect the creation of additional or new data streams.

15
Q

Hypervisor Level Rootkit

A

These rootkits exploit hardware virtualization features such as Intel VT and AMD-V. They run in Ring-1, host the target machine’s operating system as a virtual machine, and intercept all hardware calls made by the target operating system. This kind of rootkit works by modifying the system’s boot sequence so that it is loaded instead of the original virtual machine monitor.

16
Q

Hardware/Firmware Rootkit

A

Hardware/firmware rootkits use device or platform firmware to create a persistent malware image in hardware such as a hard drive, system BIOS, or network card. The rootkit hides in firmware because users do not inspect it for code integrity, which gives the rootkit malware a permanent, hidden foothold.

17
Q

Kernel Level Rootkit

A

The kernel is the core of the operating system. Kernel-level rootkits run in Ring-0 with the highest operating system privileges. They add backdoors to the computer and are created by writing additional code, or by substituting portions of kernel code with modified code, via device drivers in Windows or loadable kernel modules in Linux.

18
Q

Boot Loader Level Rootkit

A

Boot loader level rootkits (bootkits) function by replacing or modifying the legitimate bootloader with another one. A bootkit can activate even before the operating system starts, so bootkits are serious threats to security because they can help in compromising encryption keys and passwords.

19
Q

BASH

A

BASH, the Bourne Again Shell, is an sh-compatible shell that stores command history in a file called .bash_history. You can view the saved command history with the command more ~/.bash_history. This feature of BASH is a problem for hackers, as the .bash_history file can be used by investigators to track the origin of an attack and the exact commands an intruder used to compromise a system.

20
Q

Tcsh

A

This is a Unix shell compatible with the C shell. It comes with features such as command-line completion and editing. Users cannot define functions in a tcsh script; they need to use scripts such as csh to write functions.

21
Q

Zsh

A

This shell can be used as an interactive login shell as well as a command-line interpreter for writing shell scripts. It is an extension of the Bourne shell and includes a vast number of improvements.

22
Q

Ksh

A

An improved version of the Bourne shell that includes floating-point arithmetic, job control, command aliasing, and command completion.

23
Q

Auditpol.exe

A

A command-line utility for changing audit security settings at the category and subcategory levels. Attackers can use AuditPol to enable or disable security auditing on local or remote systems and to adjust the audit criteria for different categories of security events.

24
Q

Clear_Event_Viewer_Logs.bat/clearlogs.exe

A

A utility that can be used to wipe the logs of the target system. It can be run from the command prompt, from PowerShell, or via a BAT file to delete the security, system, and application logs on the target system. Attackers might use this utility to wipe the logs as one method of covering their tracks on the target system.

25
Q

SECEVENT.EVT

A

Attackers may not wish to delete an entire log to cover their tracks, as doing so may require admin privileges. If attackers are able to delete only the attack-related event log entries, they can still escape detection.

26
Q

SECEVENT.EVT

A

The attacker can manipulate the following log files:
SECEVENT.EVT (security): failed logins, accessing files without privileges
SYSEVENT.EVT (system): driver failures, things not operating correctly
APPEVENT.EVT (applications)

27
Q

Alternate Data Streams

A

An NTFS feature that allows attackers to hide a file behind another normal file. Below are the steps to hide a file using NTFS alternate data streams:

Open the command prompt with elevated privileges.
Type the command “type C:\SecretFile.txt > C:\LegitFile.txt:SecretFile.txt”
(here, LegitFile.txt is kept on the C drive and SecretFile.txt is hidden inside LegitFile.txt as a stream).
To view the hidden file, type “more < C:\LegitFile.txt:SecretFile.txt” (for this you need to know the hidden stream name).