test3

Question 1

When would a penetration tester need to use a privilege escalation attack?

Answer 1

When they gain access to a shell but it isn’t root or admin.

Question 2

If you had the ability to overwrite any file on a Linux system, which one would be the easiest to overwrite to gain root-level privileges?

Answer 2

Etc/shadow

Question 3

When performing a penetration test, what can you offer your clients far beyond simple Nessus and pentest puppy mills?

Answer 3

Give them actionable feedback that will help them feel more secure.

Question 4

How can history files be used for privilege escalation attacks?

Answer 4

Passwords, secret files, and other hosts can be caught in command history.

Question 5

Who is Trevor the Roach? On what day was Trevor murdered?

Answer 5

A roach was sucked up through a straw and died, became famous on Twitter. Sept 23, 2017.

Question 6

What does sudo allow you to do on a Linux host?

Answer 6

It allows you run commands as either root or a privileged user that has been configured.

Question 7

What should you include in your penetrating testing reports to help your audience understand the risks you are attempting to communicate?

Answer 7

Visuals and images help drill your point home

Question 8

What is a cron job?

Answer 8

Does regularly scheduled actions like backups or report generation.

Question 9

What is the full command you can use on a Linux host to find any SUID / SGID program (any program with the SUID or SGID bits sets)?

Answer 9

Find / -perm -4000 -o -perm -2000

Question 10

What does the ltrace command do?

Answer 10

Calls and searches for libraries.

Question 11

What are two privilege escalation techniques that can be used to get full administrative access on most Windows systems?

Answer 11

DLL Hijacking by inserting a DLL in a path and Windows will run it. Missing DLLs when a DLL tries to load and nothing is there, the code takes another path.

Question 12

22. What tool can be used to find phantom or ghost DLLs?

Answer 12

Process Monitor

Question 13

What port is ssh and what is the correct way to sign in via ssh?

Answer 13

Port 22

ssh (username)@(ip)
input password

Question 14

How to find the kernel version on linux?

Answer 14

uname -r

Question 15

How to load just the server headers on curl?

Answer 15

curl -i

Question 16

What is Hydra and what are some commands for it?

Answer 16

Hydra is a password cracking tool.
-L (text file of usernames) -P (password list) ssh://(ip) ftp://(ip):(port)

Question 17

John the Ripper? and commands

Answer 17

Password cracker

john file.txt

john –show –format=Raw-SHA1 file.txt

Question 18

What are some common nmap switches?

Answer 18

-sC is a script scan -sV is a version scan
-Pn is ping sweep -p- pings all ips

Question 19

What is cewl?

Answer 19

Cewl spiders (scans) a URL to a certain depth, and returns a list of words that can be used by password crackers like John the Ripper.

Question 20

netcat?

Answer 20

Lets you read and write through network connections.

Question 21

IEEE 802.11

Answer 21

is the LAN technical standard for WiFi.

Question 22

What are the two types of Wireless Networks?

Answer 22

Ad Hoc Mode, broadcasts a signal from router to ISP (home wifi)
Infrastructure mode, connect to a wireless Access Point (enterprise wifi)

Question 23

Airmon-ng?

Answer 23

Lets you view broadcast id’s for wireless networks in your area.

Question 24

What is a BSSID?

Answer 24

The MAC Address of an access point. The first 3 sets of characters gives information on the device manufacturer. Example- 70:DB:98 is from Cisco Systems.

Question 25

Difference between monitor mode and promiscuous mode?

Answer 25

Promiscuous mode covers wired and wireless networks.

Monitor mode is only wireless.

Question 26

How to kill off processes with airmon-ng and why would you do that?

Answer 26

sudo airmon-ng check kill

Ensures the WiFi card is clear for you to sniff packets and look for AP’s

Question 27

What is the command to put a WiFi card into monitor mode?

Answer 27

sudo airmon-ng start wlan0

Question 28

What tool and command is used to look for WiFi APs?

Answer 28

Airodump

sudo airodump-ng wlan0mon

Question 29

What is an aerodump-ng command that can connect to an AP and watch all clients connected to that AP.

Answer 29

airodump-ng -c 1 -bssid () -w /root wlan0mon

Question 30

All devices on a wireless network ______ and ______ data via _____ communication.

Answer 30

send, receive, broadcast

Question 31

If a WiFi network is not encrypted, what happens?

Answer 31

Other systems can easily read the unencrypted traffic.

Question 32

What is WEP and what does it do?

Answer 32

Wired Equivalent Privacy,

An old encryption protocol (RC4). Trivial to decrypt.

Question 33

What was added to WEP to raise the encryption?

Answer 33

Temporal Key Integrity Protocol (TKIP) was added.

It raised the encryption to 128-bit (still trivial to decrypt)

Question 34

What is WPA and how does it function?

Answer 34

Wi-Fi Protected Access

Uses RC4 encryption (incredibly broken)

Question 35

What is the best wireless protocol to use?

Answer 35

WPA3 the best
WPA2 acceptable
WPA no way
WEP heck no

Question 36

How does deauthenticating a Wifi Client work?

Answer 36

An active WiFi client can be forced to deauthenticate from an AP by the attacker kicking the client from the network.
Client will automatically reconnect WITH packets that can be captured.

Question 37

What is the chmod command?

Answer 37

The chmod command is used to edit read, write, and execute permissions for files and directories.

Question 38

What is the numeric method?

Answer 38

The numeric method is a way to symbolize file changes for the chmod command.

read=4
write=2
execute=1

User Group Other
rw- r-x —
6 4 0

chmod 640 file.txt (Read and write for user, read and execute for group, nothing for other.)

Question 39

What do these commands do?

cat
ls
cd
cp
rm
uname

Answer 39

cat-displays the contents of a file or files
ls-lists directory contents of files and directories. -l displays detailed information
cd-changes working directory
cp-copies file from one location to another
rm-deletes a file or directory
uname-displays system information

Question 40

Where are the wordlists located in Kali?

Answer 40

/usr/share/wordlists

Question 41

What is an LM hash?

Answer 41

The LM hash splits the password into 7-character chunks, with padding as necessary. 128 bits

Question 42

What is an NT hash?

Answer 42

A hash that is calculated based on the entire password the user entered. 128 bits

Question 43

What is an NTLM hash?

Answer 43

A cryptographic format where user passwords are stored on Windows systems in the SAM (Security Account Manager). 128 bit

Question 44

How many bits in SHA512?

Answer 44

512-bits

Question 45

How many bits in MD5?

Answer 45

128-bit

Question 46

How many bits in sha1?

Answer 46

160 bits

Question 47

How many bits in SHA256?

Answer 47

256 bits