Ch. 8 - System Hacking


Steganography

A method of embedding data into legitimate files like graphics, music, video, and plain text messages to hide it from everyone except the intended receiver.

Rootkit

A software program that attackers use to establish root-level privileges to a system.

Password salting

Adding random bits of data to a password before it is stored as a hash to make password cracking much more difficult.

Backdoor

An installed program that grants continued access to a previously hacked system.

Touch

The touch command in Linux, Unix, and OSX can also be used to alter a file's timestamp. It can set the time to the current time or to any specific time.

B. A black hat hacker

Who would be most likely to erase only parts of the system logs file? A. The network admin B. A black hat hacker C. A penetration tester D. An everyday user

D. rcrack . -h 202cb962ac59075b964b07152d234b70

You have created and sorted an md5 rainbow crack table. You want to crack the password. Which of the following commands would you use to crack a single hash? A. rtgen md5 ascii-32-95 1 20 0 1000 1000 0 B. rtgen sha1 ascii-32-95 1 20 0 1000 1000 0 C. rcrack . -l /root/hashes.txt D. rcrack . -h 202cb962ac59075b964b07152d234b70

C. Touch

James, a hacker, has hacked into a Unix system and wants to change the timestamps on some files to hide his tracks. Which of the following timestamp tools would he most likely use? A. ctime B. Meterpreter C. Touch D. Timestomp

B. Hiding evidence

Which of the following could a hacker use Alternate Data Streams (ADS) for? A. Erasing evidence B. Hiding evidence C. Modifying evidence D. Tracking evidence

A. Backdoors

Which of the following do hackers install in systems to allow them to have continued admittance, gather sensitive information, or establish access to resources and operations within the system? A. Backdoors B. Kerberos C. Crackers D. cPassword

A. System log files

You believe your system has been hacked. Which of the following is the first thing you should check? A. System log files B. Modified timestamps C. Hidden files D. Browser history

C. To extract the password hashes and save them in the secure.txt file.

You have just run the John the Ripper command shown in the image. Which of the following was this command used for? (zip2john secure.zip > secure.txt) A. To extract the password and save it in a rainbow table named secure.txt. B. To extract the password from a rainbow hash and save it in the secure.txt file. C. To extract the password hashes and save them in the secure.txt file. D. To extract the password and save it in the secure.txt file.

C. Ascii-32-95

[ !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~] are the possible values in which of the following hash types? A. Alpha-numeric-symbol32-space B. Mix alpha-numeric C. Ascii-32-95 D. Ascii-32-65-123-4

ctime

ctime is a header file that contains definitions of functions to get and manipulate date and time information.

C. Ultimate Boot CD

A hacker has gained physical access to a system and has changed an administrator's account password. Which of the following tools did the hacker most likely use to accomplish this? A. CCleaner B. Timestomp C. Ultimate Boot CD D. StegoStick

Brute force attack

A password cracking technique that tests every possible keystroke for each character in a password until the correct one is found.

Rainbow attack

A password hash cracking technique that uses pre-computed word lists and their hashes in tables for quick comparison using the cracked hashes for authentication.

GrayFish

A rootkit tool that runs within the Windows operating system. It contains hidden storage and has invisible command execution. GrayFish isn't flagged in anti-rootkit scans because it sets no hooks on Windows kernel functions and doesn't register callback functions.

Clear My History

Clear My History is software that can clear cookies, stored data like passwords, browser history, and temporary cached files. It can clear the recycling bin, clipboard data, and recent documents lists as well.

Keylogger

Hardware or software that captures every keystroke on the computer.

DLL hijacking

Loading a malicious DLL in the application directory so that when the application executes, it will choose the malicious DLL.

A. Malicious alternate data streams.

Mark is moving files from a device that is formatted using NTFS to a device that is formatted using FAT. Which of the following is he trying to get rid of? A. Malicious alternate data streams. B. Antivirus and anti-spyware programs. C. Software programs that hackers use. D. Encrypted steganographic information.

Meterpreter

Meterpreter is Metasploit's payload. It has many features for covering tracks, including the ability to launch a fileless attack.

NTFS data streams

One data stream stores the attributes, another stores the data. Additional data streams, which can be hidden, are allowed.

D. auditpol

Phil, a hacker, has found his way into a secure system. He is looking for a Windows utility he can use to retrieve, set, back up, and restore logging policies. Which of the following utilities should he consider? A. poledit B. secedit C. gpedit D. auditpol

Local Security Authority Subsystem Service (LSASS)

The Local Security Authority Subsystem Service is a Windows service that performs the system's security protocol.

cPasswords

The attribute that stores passwords in a Windows group policy preference item. This attribute can be exploited because Microsoft publishes a public key for the account credentials.

Timestomp

Timestomp is a tool for modifying or deleting a file's timestamp in order to hide when the file was created, accessed, or modified. Hackers change times and dates to blend in with existing timestamps so as to not alert digital forensic investigators of access or exploitation.

C. Someone nearby watches you enter your password on your computer and records it.

Which of the following best describes shoulder surfing? A. Finding someone's password in the trash can and using it to access their account. B. Guessing someone's password because it is so common or simple. C. Someone nearby watches you enter your password on your computer and records it. D. Giving someone you trust your username and account password.

D. Password salting

Which of the following techniques involves adding random bits of data to a password before it is stored as a hash? A. Pass the hash B. Keylogging C. Password sniffing D. Password salting

Dictionary attack

A password cracking technique that tests for words from a dictionary, but can include additional common password phrases and symbol substitutions that are added to the database.

Writable services

A service with permissions that allow anyone to change the service's execution.

D. Integrity-based

Jerry runs a tool to scan a clean system to create a database. The tool then scans the system again and compares the second scan to the clean database. Which of the following detection methods is Jerry using? A. Cross view-based B. Behavior-based C. Signature-based D. Integrity-based

C. Instigate multi-factor authentication and authorization.

Roger, a security analyst, wants to tighten up privileges to make sure each user has only the privileges they need to do their work. Which of the following additional countermeasures could he take to help protect privileges? A. Create plain text storage for passwords. B. Restrict the interactive logon privileges. C. Instigate multi-factor authentication and authorization. D. Allow unrestricted interactive logon privileges.

Crackers

Software programs that crack code and passwords to gain unauthorized access to a system.

A. This can lead to DLL hijacking and malicious file installations on a non-admin targeted user.

Hackers can maintain access to a system in several ways. Which of the following best describes the unsecure file and folder method? A. This can lead to DLL hijacking and malicious file installations on a non-admin targeted user. B. Services with weak permissions allow anyone to alter the execution of the service. C. The hacker will have rights to do whatever the admin account can do. D. There is no problem if the path is written within quotation marks and has no spaces.

A. Rainbow attack

Jack is tasked with testing the password strength for the users of an organization. He has limited time and storage space. Which of the following would be the best password attack for him to choose? A. Rainbow attack B. Brute force attack C. Keylogger attack D. Dictionary attack

C. Searches for execution path hooking, which allows a function value in an accessible environment to be changed.

Which of the following best describes the heuristic or behavior-based detection method? A. Scans a system's processes and executable files, looking for byte sequences of known malicious rootkit programs. B. Runs a tool to scan a clean system and create a database, then scans the system and compares the current scan to the clean database. C. Searches for execution path hooking, which allows a function value in an accessible environment to be changed. D. Uses an algorithm as it goes through the system files, processes, and registry keys to create a baseline that is compared to the data returned by the operating system's APIs.

C. cPasswords

Which of the following is the name of the attribute that stores passwords in a Group Policy preference item in Windows? A. LSASS B. SPNs C. cPasswords D. SAM

C. Unattended installation

Which of the following privilege escalation risks happens when a program is installed without the constant supervision of the IT employee and fails to clean up afterward? A. Kerberoasting B. Gaining credentials in LSASS C. Unattended installation D. DLL hijacking

B. Path interception

Which of the following system exploitation methods happens by adding a malicious file to a file path that is missing quotation marks and has spaces in it? A. Writable services B. Path interception C. Spyware D. Unsecure file and folder permissions

A. Metasploit

A hacker finds a system that has a poorly designed and unpatched program installed. He wants to create a backdoor for himself. Which of the following tools could he use to establish a backdoor? A. Metasploit B. AuditPol C. Timestomp D. CCleaner

Dump event log

The dump event log command line tool in Windows 2000 dumps an event log remotely or on a local system into a tab-separated text file. It can also be used to filter specific types of events.

Slack space

The unused portion of an existing file that has been defined.

C. Steganography

Cameron wants to send secret messages to his friend Brandon, who works at a competitor's company. To secure these messages, he uses a technique to hide a secret message within a video. Which of the following techniques is he using? A. Encryption B. RSA algorithm C. Steganography D. Public-key cryptography

Spyware

Malware that works by stealth to capture information and send it to a hacker to help them gain remote access.

B. Pass the hash

Sam has used malware to access Sally's computer on the network. He has found information that will allow him to use the underlying NTLM to escalate his privileges without needing the plaintext password. Which of the following types of attacks did he use? A. Rainbow attack B. Pass the hash C. Password sniffing D. Dictionary attack

A. Ophcrack

Which of the following is a tool for cracking Windows login passwords using rainbow tables? A. Ophcrack B. Trinity Rescue Kit C. ERD Commander D. GreyFish

B. Spyware

Which of the following is malware that works by stealth to capture information and then sends it to a hacker to gain remote access? A. ERD Commander B. Spyware C. Writable services D. Crackers

B. Dumpster diving

You are cleaning your desk at work. You toss several stacks of paper in the trash, including a sticky note with your password written on it. Which of the following types of non-technical password attacks have you enabled? A. Shoulder surfing B. Dumpster diving C. Password guessing D. Social engineering

B. Brute force

You are using a password attack that tests every possible keystroke for each single key in a password until the correct one is found. Which of the following technical password attacks are you using? A. Keylogger B. Brute force C. Password sniffing D. Pass the hash

B. A database that stores user passwords in Windows as an LM hash or an NTLM hash.

Which of the following best describes the Security Account Manager (SAM)? A. The attribute that stores passwords in a Group Policy preference item in Windows. B. A database that stores user passwords in Windows as an LM hash or an NTLM hash. C. A protocol that allows authentication over an unsecure network through tickets or service principal names. D. A file in the directory that performs the system's security protocol.

D. Kerberoasting

Which of the following extracts service account credentials from Active Directory using a brute force for offline cracking over a non-secure network by using tickets or service principal names (SPNs)? A. Credentials in LSASS B. DLL hijacking C. Unattended installation D. Kerberoasting

B. Sirefef

Which of the following is also known as ZeroAccess and has virus, Trojan horse, and rootkit components? A. Touch B. Sirefef C. DeepSound D. GrayFish

Ccleaner

CCleaner is a cleaning tool that can remove files and clear internet browsing history. It also frees up hard disk space. It clears the temporary files, history, and cookies from each of the six major search engines.

Sirefef

Sirefef, also known as ZeroAccess, has virus, Trojan horse, and rootkit components. As a rootkit, it is unseen by antivirus and anti-spyware programs. It hides by changing the internal process of the target operating system. Sirefef is difficult to remove and can create problems with Windows Firewall and Defender Service, remote hosts, and browser settings. It creates a folder to store additional malware.

C. Social engineering

Carl received a phone call from a woman who states that she is calling from his bank. She tells him that someone has tried to access his checking account and she needs him to confirm his account number and password to discuss further details. He gives her his account number and password. Which of the following types of non-technical password attack has occurred? A. Password guessing B. Shoulder surfing C. Social engineering D. Dumpster diving

D. Steganography

The method of embedding data into legitimate files like graphics to hide it and then extracting the data once it reaches its destination is called: A. Execution path profiling B. Rootkits C. NTFS data streaming D. Steganography

C. A tool that can remove files and clear internet browsing history. It also frees up hard disk space. It clears the temporary files, history, and cookies from each of the six major search engines.

Which of the following best describes CCleaner? A. A program that searches for carrier files through statistical analysis techniques, scans for data hiding tools, and can crack password-protected data to extract the payload. B. A software that can clear cookies, stored data like passwords, browser history, and temporary cached files. It can clear the recycling bin, clipboard data, and recent documents lists as well. C. A tool that can remove files and clear internet browsing history. It also frees up hard disk space. It clears the temporary files, history, and cookies from each of the six major search engines. D. A command line tool in Windows 2000 that will dump a remote or local event log into a tab-separated text file. It can also be used to filter specific types of events.

A. Can modify the operating system and the utilities of the target system.

Which of the following best describes a rootkit? A. Can modify the operating system and the utilities of the target system. B. Allows each file an unlimited number of data streams with unlimited size. C. Allows the user to create a password to make the hidden file more secure. D. Scans the system and compares the current scan to the clean database.

System file logs

Files that are continuously recording when files are created, accessed, or modified.

B. CCleaner

Which of the following is used to remove files and clear the internet browsing history? A. cPassword B. CCleaner C. User Account Control D. Steganography

Path interception

When a malicious file name is added to a service path without quotation marks and includes spaces in the code.

D. DLL hijacking

An attacker installed a malicious file in the application directory. When the victim starts installing the application, Windows searches in the application directory and selects the malicious file instead of the correct file. The malicious file gives the attacker remote access to the system. Which of the following escalation methods best describes this scenario? A. Unattended installation B. Clear text credentials in LDAP C. Kerberoasting D. DLL hijacking

Kerberoasting

An offline brute force to crack a Kerberos ticket to reveal the service account password in plain text. There is no risk of detection and no need for escalated privileges, and the attack is easy to perform.

C. Charset

Which of the following includes all possible characters or values for plaintext? A. Chain_num B. Table_index C. Charset D. Chain_len

Security Account Manager (SAM) database

The database that authenticates local and remote users. In Windows, this database stores user passwords as an LM hash or an NTLM hash.
