Cerified Ethical Hacker

You just purchased a new computer, pre-installed with Windows 7, McAfee antivirus and other applications. Before connecting the Ethernet wire to the modem, what should you do?

-Install the latest antivirus signatures. -Configure Windows Update to 'automatic'. -Create a non-admin user account with a complex password, and logon to this account.

Where is the password file kept in Linux?

/etc/shadow

Tool for ARP response MAC flooding.

/macof

LAN Manager passwords are concantenated to 14 bytes, split in half, and each half (7 bytes) is hashed separately. If a password is 7 characters or less, what will the second hash be?

0xAAD3B435B51404EE

How many steps for an ARP poisoning attack?

1. Send a Malicious ARP "reply" to the router, to associate the "attacker" MAC address to the IP address. 2.Send a Malicious ARP "reply" to the Victim computer, to then identify the Attack computer, as the router.

How do you protect against, SYN flood attacks?

1. Stack Tweaking. 2. Send the wrong SYN/ACK, to the client. 3. Micro Blocks.

3 steps involved in Network Level Hijacking.

1. Trap... 2. De-synch. 3. Take Over.

How long to crack a 22 character ditionary password?

5 minutes

Exploit

A defined way to breach the security of an IT system through a vulnerability, using malicious software or commands.

Daisy Chaining

A method of external testing whereby several systems or resources are used together to affect an attack. Using another system or device to perform illegal activities.

What can be done to sniff a switched network?

ARP spoof the default gateway.

Prudent Security Policy

All services blocked. Administrator enables safe and necessary services, individually. All activities logged.

What is found in NTFS, and is described as the ability to fork file data into existing files, without affecting their functionality, size, or display, to traditional file browsing utilities like DIR or Windows Explorer.

Alternate Data Streams

Trojan Horse

An "Unauthorized" program contained inside a legitimate program and runs unknown to the user.

Zero-Day Attack

Attack between the time a new software vulnerability is discovered and the software developers release software that fixes the vulnerability

IPv6 Security Threats

Auto Configuration. Unavailability. Repudiation-Based protection. Incompatibility of Logging Systems. Rate Limiting (Impractical). Default IPv6 Activation. Complexity of Network Management tasks. Complexity of Vulnerability Assessment. Overlaoding Perimeter Security Controls. Translating IPv4 to IPv6. Security Information and Event Management (SIEM) problems.

How is data sent when basic authentication is configured on a webserver?

Clear Text (unencrypted)

Network Threat

Collection of computers and other hardware, connected by communication channels to share resources and information.

What would you use to send/receive unauthorized information without alerting the IDS?

Covert Channel

What layer do sniffers operate at?

Data Link Layer

Incident Management

Defined processes to Identify, Analyze, Prioritize, and Resolve security incidents To restore the system to normal operations as soon as possible.

Hybrid Password attack

Dictionary attack combined with exchanging letters with numbers, and special characters.

Vulnerability Research

Discovering system design faults and weaknesses, that might help attackers compromise the system. Keep abreast of current exploits, trends or threats. Checking newly released alerts. How to recover from attacks.

Key feature of a Worm.

Does not require the infection of executables, to run. They can spread on their own.

Penetration Testing

Evaluation of the security of a system or network, by simulating an attack to find design weaknesses, technical flaws and vulnerabilities , that could be exploited.

S.I.E.M. -Security Information and Event Management.

Every IPv6 host can have multiple IPv6 addresses simultaniously, leading to complexity of log or event correlation.

Paranoid Security Policy

Everything is forbidden. Strict restrictions on usage. No or limited internet usage.

Vulnerability

Existance of a loop-hole, limitation or weakness, design or implementation error, that can lead to an unexpected and undesirable event, compromising the security of the system.

Hacking

Exploiting system vulnerabilities and compromising security controls to gain unauthorized or inappropriate access to system resources. Modifying system or application features to achieve a goal outside the creators original purpose.

Slammer Worm

Exploits stack-based overflow in DLL, implementing the Resolution Service. Targets MS-SQL

What tool would allow you, to detect unauthorized modifications of binary files, on your system by unknown malware?

File integrity verification tools

Tool for sniffing NFS files over a company network.

Filesnarf

Hacking tool, which can be used to port-scan a system, using a floppy disk. It Boots-up mini-Linux, and Displays the Blue Screen of Death screen. It then Port-scans the network using NMAP, and then Sends the results by e-mail to a remote server.

Floppy Scan

What is defined as the process of collecting as much information as possible about a target network?

Footprinting

Best reason to send a single SMTP message to an address that does not exist?

Gather information about internal hosts used in email treatment.

Where would you look for a Trojan startup settings?

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft \Windows\CurrentVersion\Run

Protocols vulnerable to Sniffing.

HTTP, Telnet, R.Login, Pop3, IMAP, SMTP, NNTP, FTP

Human Threats

Hackers, Insiders, Social Engineering, Lack of knowledge, and or awareness.

How does tripwire work?

Hashes files and compares old hashes, to current hashes. It catches unexpected changes to a system utility file that might indicate it has been replace by a Trojan file.

What would be the fastest attack against complex passwords?

Hybrid attack

Default IPv6 Activation threat.

IPv6 activated without administrators knowledge, leaving IPv4 based security controls ineffective.

Confidentiality, Integrity, Availability, Authenticity, and Non-Repudiation, are all elements of___.

Information Security

Best prevention against viruses.

Install and update antivirus scanner.

Hack Value

It is the notion among hackers that something is worth doing or is interesting

How does tracert map the route a packet travels from A to B?

It manipulates (TTL) time to live, within a packet, to elicit a time (jump) exceeded in transit to message.

What internet registry can be used to find the geographical location of an IP address from Panama.

LACNIC

GSM

LTE. Universal system used for mobile wireless network.

Incident Management Process

Logging, recording, and resolving incidents. Preparation. Detection and Analysis. Classification and Prioritization. Notification. Containment. Forensic Investigation. Eradication and Recovery. Post Incident Activities.

What is a CAM table?

MAC address Table

What are the most prominent SQL products today?

MS-SQL, Oracle, MySQL.

Permissive Security Policy

Majority of internet traffic is accepted, while Known Dangerous services and attacks are blocked.

Remote Access Trojan - Rat

Malware that installs a backdoor and allows an attacker remote access to a system.

Non-Repudiation

Method of ensuring a party cannot deny the authenticity of their signature, to a message they originated.

What are the 3 classes of Information Security Threats?

Natural, Physical, Human.

Promiscuous Security Policy

No restrictions on internet access

What can be done to protect a packet from session hijacking?

Packet Signing

NS lookup is a good tool, used to gain additional information about a target network. What does the following command accomplish? C:\Documents and Settings\Hacker>nslookup

Performs a Zone-Transfer

Hacker

Person who illegally, breaks into a system or network, to steal or destroy data, or perform malicious attacks.

What is the most common vehicle for social engineering attacks?

Phone (can be hidden behind)

What DoS method, sends fragmented ICMP packets, to a remote target?

Ping of Death

What are the three phases involved in security testing?

Preparation. Conduct. Conclusion.

What step should be taken, after cracking the password of a user account, and gaining access to the system?

Privilege Escalation

What tool uses LM hashes already computed, to crack a password?

RainbowCrack

Hacking Phases

Reconnaissance, Scanning (Pre-Attack Phase), Gaining Access, Maintaining Access, Clearing tracks.

In what hacking attack, is challenge and response authentication, used to prevent?

Replay Attacks

Steps to create and implement, Security Policies.

Risk Assessment. Standard Guidelines. Include senior management and staff. Set clear penalties and enforce them. Final version available to all staff. Everyone reads, signs and understands the policies. Install tools needed to enforce policy. Train employees.

Suspecting a Trojan, that your antivirus has missed, you run Netstat -an, and find port 6666 open. What is the next step?

Run fport utility, and look for the applications listening to the port

How are SSL and S-HTTP different?

SSL operates at the transport Layer, and is application independent. S-HTTP operates at the application layer, and Encrypts each message independently.

How would you search for newsgroup posting using Google search?

Search the target company name at http://groups.google.com

How does polymorphic shell code work?

Self-garbles code, to evade detection. Can mutate, and change, its known viral signature. It Encrypts the shell code, by XORing values over the shell code, uses a Loader Code to Decrypt the shell code, and then executes it.

Syn Flood Attack

Sending TCP connection requests, from a spoofed IP address, faster than a machine can process them.

Application Level hijacking involves determining the ___.

Session ID

Vulnerability Research classifications:

Severity level - Low, medium, high. Exploit Range - Local or remote.

What is the main drawback to antivirus software?

Signature driven, so new exploits are not detected.

What DoS attack, sends forged packets, and a broadcast address?

Smurf Attack

How can you detect sniffing interfaces?

Sniffing interface cannot be detected. You can send ARP requests to every PC and watch for the one, that responds to all requests. This one, is in promiscuous mode.

What software application can be used to hide data on CDs and flashdrives?

Snow

Which steganography utility exploits the nature of whitespace and allows the user to conceal information in these white spaces?

Snow

NTP - Network Time protocol.

Synchronizes clocks on a network. Can be used to hide log entries. Secure communications, requires clocks to be within 5 minutes.

While footprinting, what port/service should you look for to attempt a zone transfer?

TCP 53, DNS services, for zone transfers. UDP53 for queries.

Melissa Virus

Targets Microsoft Windows Platforms. Macro virus Category.

Social Engineering

The act of getting information, from a person, rather than breaking into a system.

Authenticity

The characteristic, that ensures the quality of being genuine, or not corrupted, from the original. Ensuring the message is not altered or forged. Confirming the user identity.

While gathering competitive intelligence on an organization. They have jobs listed on 5 job hunting sites. If there are two jobs for systems and network administrators, how can this help you in footprinting?

The types of operating systems and applications being used

Host threat

Threats directed at a particular system on which information resides.

Best reason for sending a single SMTP message to an address that does not exist within a target company?

To gather information about internal hosts used in email treatment. "No such recipient" error, can provide information about the name of the email server, versions used and so on.

What is a Wrapper? (Trojan context)

Tool used to bind a Trojan to a legitimate file.

What can be done to countermeasure SNMP attacks?

Use Encryption. Change Community Strings. (Read = Public, Read/Write = Private)

Covert Channel

Use of a protocol in a way that was not intended.

Information Warfare - InfoWar

Use of information and communication technologies to take competitive advantages over an opponent.

What can be used to create and secure sessions, from hijacking?

Use unpredictable sequence numbers.

What does a Sheepdip computer do?

Used only for virus checking.

Security Policy Classifications

User Policy, IT Policy, General Policies, Partner Policy, Issue-Specific Policies

Ethical Hacking

Using hacking tools, tricks, and techniques, to identify vulnerabilities, and ensure system security. Used to verify the existance of exploitable vulnerabilities. Requires target permission.

You are footprinting a website to gather competitive intelligence. You look for contact information and telephone numbers, but they are no longer available. How would you retrieve the information, if it used to be available previously? ( From an outdated website)

Visit Archive.org, and retrieve the archive of the website.

How do you calculate the range of sequence numbers that would be accepted by a server?

[Last received packet number +1) + Server-Receive-Window-Number

Hackers usually control bots through ___.

an IRC channel

Ethereal command, to view a three-way-handshake, for a connection to 192.168.0.1?

ip.addr==192.168.0.1 and tcp.flags.syn

Level of security in a system can be defined by the strength and balance of what 3 components?

the S.F.U. triangle.- Security, Functionality, Usability

Process for mirroring and downloading files, especially webpages.

wget -R, to mirror a site (i.e. wget -R www.testking.com)