ethical hacking notes
Man-in-the-middle (MITM) attack
A hacker placing himself between a client and a host to intercept network traffic; also called session hijacking.
THC Hydra
A password cracking tool which utilizes a dictionary attack method
pass-the-ticket attack
A technique for authenticating a user to a system that uses Kerberos tickets, without providing the user's password. Kerberos authentication allows users to access services provided by remote servers without needing to provide a password for every requested service. To perform this attack, the attacker dumps the Kerberos tickets of legitimate accounts using credential dumping tools.
dictionary attack
A type of password attack that automates password guessing by comparing encrypted passwords against a predetermined list of possible password values.
rainbow table attack
A type of password attack in which the attacker uses a precomputed table of plaintext passwords (taken from dictionary files and brute-force lists) together with their hash values. The hash of a captured password is compared against the precomputed hash table; if it matches, the password is cracked. This makes recovery fast and easy.
In which of the following hacking phases do attackers extract information such as live machines, port, port status, OS details, device type, and system uptime to launch further attacks? Gaining access Reconnaissance Clearing tracks Scanning
Scanning is the phase immediately preceding the attack. Here, the attacker uses the details gathered during reconnaissance to scan the network for specific information. Scanning is a logical extension of active reconnaissance, and in fact, some experts do not differentiate scanning from active reconnaissance.
Microsoft authentication
Security Accounts Manager (SAM) database, NTLM authentication, Kerberos authentication (Microsoft's default; stronger than NTLM)
Identify the password cracking tool that helps attackers to gain unauthorized access to the system or network.
THC Hydra is a parallelized login cracker that can attack numerous protocols. This tool is a proof-of-concept code that provides researchers and security consultants the possibility to demonstrate how easy it would be to gain unauthorized remote access to a system.
Which of the following acts defines legal prohibitions against circumvention of the technological protection measures employed by copyright owners to protect their works and against the removal or alteration of copyright management information?
The DMCA defines legal prohibitions against circumvention of the technological protection measures employed by copyright owners to protect their works, and against the removal or alteration of copyright management information.
offline attacks
The attacker copies the target's password file and then tries to crack passwords on his own system at a different location. ex: Rainbow Table Attack (Pre-Computed Hashes), Distributed Network Attack
passive online attacks
The attacker performs password cracking without communicating with the authorizing party. Ex. Wire Sniffing, Man-in-the-Middle Attack, Replay Attack
Which of the following titles in The Digital Millennium Copyright Act (DMCA) allows the owner of a copy of a program to make reproductions or adaptations when these are necessary to use the program in conjunction with a system?
Title V: Protection of Certain Original Designs
Clara, a security professional, while checking the data feeds of the domains, detects downloaded malicious files and unsolicited communication with the outside network based on the domains. Which of the following adversary behaviors was detected by Clara? Internal Reconnaissance Use of web shell HTTP user agent Unspecified proxy activities
Unspecified proxy activities - An adversary can create and configure multiple domains pointing to the same host, thus allowing the adversary to switch quickly between the domains to avoid detection. Security professionals can find unspecified domains by checking the data feeds that are generated by those domains.
passive reconnaissance
Using online searches for publicly accessible information that can reveal valuable insight about a system.
wire sniffing
Wire sniffing is an attack in which attackers sniff credentials by capturing packets that are being transmitted. During the packet transmission, attackers are able to capture packets and extract sensitive information such as passwords and emails. With this info, they can gain access to the target system.
RainbowCrack
A program that compares password hashes against a rainbow table; its algorithm uses a time-memory tradeoff.
types of password attacks:
active online attacks, passive online attacks, offline attacks, and non-electronic attacks
Pass-the-Hash attack
Allows the attacker to inject a compromised hash into a local session and use that hash to authenticate to network resources. The attacker finds and extracts the hash of a logged-on domain admin account, uses the extracted hash to log on to the domain controller, and then injects the extracted hash to attack other network assets.
In which of the following phases of hacking does an attacker employ steganography and tunneling techniques to retain access to the victim's system, remain unnoticed, and remove evidence that might lead to prosecution? Maintaining Access Scanning Preparatory Clearing tracks
clearing tracks
Peter, a professional hacker, managed to gain total control of his target system and was able to execute scripts in the trojan. He then used techniques such as steganography and tunneling to remain undetected and to avoid legal trouble. Which of the following hacking phase was Peter currently performing in the above scenario? Gaining access Maintaining access Clearing tracks Scanning
clearing tracks
Indicators of compromise
Clues, artifacts, and pieces of forensic data that indicate possible malicious activity. They are a good source of information, and continuously monitoring them helps the CSO respond to evolving cyber threats.
James, a professional hacker, successfully penetrated the target's network and now wants to gather as much information as possible. To achieve this, he uses a technique that can collect and combine as much information as possible, including business tactics of the organization, financial information, and network infrastructure information. Which of the following techniques was used by James in the above scenario? HTTP user agent Use of PowerShell Use of web shell Data staging
data staging
In which of the following phases of cyber kill chain methodology does an adversary distribute USB drives containing malicious payload to the employees of the target organization? Installation Exploitation Weaponization Delivery
delivery
A computer user was trying to read the latest news articles from a popular website, but the user was prevented from accessing the resources of the website as certain underlying vulnerabilities in the webpage allowed an attacker to inject fake requests into the network; as a result, the server stopped responding to legitimate user requests. What is the impact caused due to vulnerabilities in the above scenario? Remote code execution Denial of service Information disclosure Privilege escalation
denial of service
active online attacks
The attacker communicates directly with the victim machine. Examples: dictionary, brute-force, and rule-based attacks; hash injection; LLMNR/NBT-NS poisoning; Trojans, spyware, and keyloggers; password guessing.
categories of indicators of compromise
email indicators, network indicators, host-based indicators, behavioral indicators
Identify the term that refers to IT professionals who employ their hacking skills for defensive purposes, such as auditing their systems for known vulnerabilities and testing the organization's network security for possible loopholes and vulnerabilities. Ethical hacker Attacker Hacker Cracker
ethical hacker
In which of the following stages of the virus lifecycle does a user install antivirus updates and eliminate virus threats? Detection Execution of the damage routine Replication Launch
execution of the damage routine
Jack, a professional hacker, was recruited by an agency to steal sensitive data from a rival company. From a remote location, he discovered vulnerabilities in the target company's network using a vulnerability scanner. He exploited them to intrude into the network and steal confidential data. Identify the threat source exploited by Jack in the above scenario. External threats Unintentional threats Natural threats Internal threats
external threat
intentional threats - internal
fired employees, disgruntled employees, service providers (another company that provides a service and therefore has access), contractors
natural threats
fires, floods, power failures
Host-based indicators
Found by analyzing the infected system within the organizational network. Ex: filenames, file hashes, registry keys, DLLs, and mutexes
Lopez, a penetration tester, executes different phases of the hacking cycle in her organization. She detects that the network is susceptible to password cracking, buffer overflows, denial of service, and session hijacking attacks. Identify the hacking phase Lopez was executing in the above scenario. Clearing tracks Gaining access Maintaining access Scanning
gaining access
Which of the following types of threat actors helps both hackers find various vulnerabilities in a system and vendors improve products by checking limitations to make them more secure? White hats Organized hackers Gray hats Black hats
gray hat
intentional external threats
hackers, criminals, terrorists, foreign intelligence agents, corporate raiders
hacking phase: Clearing tracks
Hiding malicious acts, keeping continued access, and overwriting servers and scripts to go unnoticed.
ethical hacking limitations
Hiring an outside vendor to hack systems: an ethical hacker can only help the organization understand its security posture; it is up to the organization to set up the right safeguards.
Steve, a cyber security engineer, is tasked with rapidly detecting threats against the organization. For this purpose, he analyzes an infected system and uses the identified indicators of compromise (IoCs) such as filenames, file hashes, registry keys, DLLs, and a mutex to further protect the organization from evolving threats. Which of the following categories of IoCs was utilized by Steve in the above scenario? Network indicators Host-based indicators Email indicators Behavioral indicators
host-based indicators
adversary behavioral identification
Identification of the common methods a threat actor uses to launch an attack. Behaviors include: internal reconnaissance, use of the command-line interface (CLI), use of DNS tunneling, use of PowerShell, HTTP user agent, use of web shell, unspecified proxy activities, command and control server, and data staging (piling up data in different areas of the network).
active reconnaissance
Interacting directly with the organization to get information.
Elon, a disgruntled employee with access to sensitive data, intends to damage the organization's reputation. He shares all the critical information and blueprints with the competitor and benefits financially. Identify the threat source in the above scenario. Unintentional threat Natural threat Internal threat External threat
internal threat
ophcrack
A free, GUI-driven Windows password cracker based on rainbow tables.
Pod slurping
An insider attack performed by trusted persons who have physical access to the critical assets of the target. An insider attack involves using privileged access to violate rules or intentionally cause a threat to the organization's information or information systems.
skills of an ethical hacker
Knowledge of operating environments, knowledge of networking, computer expertise, knowledge of security areas, high technical knowledge, the ability to learn, a strong work ethic, and knowledge of the organization's security policies and of local standards and laws.
threat sources
natural, unintentional, intentional, (also internal, external)
Which of the following categories of IoCs are useful for command and control, malware delivery, and identifying details about the operating system, browser type, and other computer-specific information? Host-based indicators Behavioral indicators Email indicators Network indicators
network indicators
Non-Electronic attacks
Require no technical knowledge: shoulder surfing, social engineering, dumpster diving.
mimikatz
One of the tools used to gather credential data from Windows systems. Mimikatz is now well known for extracting plaintext passwords, hashes, PIN codes, and Kerberos tickets from memory.
maintaining access hacking phase
Retaining ownership of the system using backdoors, rootkits, or Trojans; the attacker can then upload, download, or manipulate data, and launch further attacks.
john the ripper
A password-cracking program that runs automated dictionary attacks: it takes a large dictionary file, runs the encryption (hash) function on each entry, then looks for matches.
what is a threat?
The potential occurrence of a damaging or disruptive event affecting the activities and functions of an organization.
Cyber kill chain methodology
reconnaissance → weaponization → delivery → exploitation → installation → command and control → actions on objectives
Which of the following Google advanced search operators displays websites that are similar to the URL specified? info allinurl cache related
related
ethical hacking scope
Risk assessment, auditing, counter-fraud, and best practices; used to identify risks and develop remedial actions.
spyware
software that enables a user to obtain covert information about another's computer activities by transmitting data covertly from their hard drive.
keyloggers
software that tracks or logs the keys struck on your keyboard, typically in a covert manner so that you don't know that your actions are being monitored.
John, a professional hacker, was hired by a government agency to penetrate, gain top-secret information from, and damage other government agencies' information systems or networks. Based on the above scenario, which of the following classes of hacker does John fall in? Cyber terrorists State-sponsored hackers Hacker teams Industrial spies
state-sponsored hackers
TTPs
tactics, techniques, and procedures of threat actors
The DPA 2018 sets out?
the framework for data protection law in the UK. It updates and replaces the Data Protection Act 1998 and came into effect on 25 May, 2018. It was amended on 01 January, 2021 by regulations under the European Union (Withdrawal) Act 2018 to reflect the UK's status outside the EU.
brute-Force attack
the password cracker tries every possible combination of characters
how do attackers use threats?
they use them to infiltrate and steal data
ethical hacker purposes
To find vulnerabilities and make recommendations, but not to fix the problems.
Password characters should be a combination of alphanumeric characters such as letters, numbers, punctuation marks, and mathematical and other conventional symbols.
true
Password cracking is the process of recovering passwords from the data transmitted by a computer system or from the data stored in it.
true
Identify the reason why organizations recruit ethical hackers. Allow hackers to gain access to the information systems Minimize the security controls to safeguard the customer data Uncover vulnerabilities in systems and explore their potential as a risk Retain the current security posture of the organization
uncover vulnerabilities in a system and explore their potential as a risk
unintentional
unskilled admin, accidents, lazy or untrained employees
Behavioral indicators
Used to identify specific behavior related to malicious activities. Ex: a document executing a PowerShell script, remote command execution
Email indicators
Used to send malicious data to the target organization or individual. Ex: email address, email subject, attachments or links
network indicators
useful for command and control, malware delivery, identifying the operating system, and other tasks. ex: URLs, domain names, IP addresses
In which of the following phases of cyber kill chain methodology does the adversary create a deliverable malicious payload using an exploit and a backdoor? Installation Weaponization Delivery Exploitation
weaponization
replay attacks
work against applications by attempting to recreate the conditions that existed the first time the sequence of events occurred
James, a malware programmer, intruded into a manufacturing plant that produces computer peripheral devices. James tampered with the software inside devices ready to be delivered to clients. The tampered program creates a backdoor that allows unauthorized access to the systems. Identify the type of attack performed by James in the above scenario to gain unauthorized access to the delivered systems.
Distribution attacks occur when attackers tamper with hardware or software prior to installation.
Which of the following malware distribution techniques involves exploiting flaws in browser software to install malware by merely visiting a web page?
Drive-by downloads
External threats
External attacks are performed by exploiting vulnerabilities that already exist in a network, without the assistance of insider employees.
GDPR
General Data Protection Regulation, a regulation in EU law on data protection and privacy that was implemented in May 2018. It includes the right to be forgotten and made cookie notifications mandatory.
Which of the following ISO/IEC standard specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system within the context of an organization?
ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system within the context of an organization.
what is a HTTP user agent?
In HTTP-based communication, the server identifies the connected HTTP client using the user agent field. An adversary modifies the content of the HTTP user agent field to communicate with the compromised system and to carry further attacks. Therefore, security professionals can identify this attack at an initial stage by checking the content of the user agent field.
Williams, an employee, was using his personal laptop within the organization's premises. He connected his laptop to the organization's internal network and began eavesdropping on the communication between other devices connected to the internal network. He sniffed critical information such as login credentials and other confidential data passing through the network. Identify the type of attack performed by Williams in the above scenario.
Insider attacks are performed by trusted persons who have physical access to the critical assets of the target. An insider attack involves using privileged access to violate rules or intentionally cause a threat to the organization's information or information systems.
L0phtCrack
A password auditing and recovery application. It uses multiple assessment methods to assist administrators in reducing security risks.
hash injection attack
The attacker injects a compromised hash into a local session and uses that same hash to authenticate to the network resources of that particular network.
Which of the following tools allows you to reset unknown or lost Windows local administrator, domain administrator, and other user account passwords?
John the Ripper is an open-source password security auditing and password recovery tool available for many operating systems.
Which of the following protocols was upgraded as a default authentication protocol on Windows OS to provide stronger authentication for client/server applications? Kerberos S/MIME SNMPv3 PGP
Kerberos
Which of the following protocols employs a key distribution center (KDC) that consists of two logically distinct parts, an authentication server (AS) and a ticket-granting server (TGS), and uses "tickets" to prove a user's identity? LM authentication NTLM authentication Kerberos authentication Security accounts manager (SAM)
Kerberos authentication
LLMNR/NBT-NS poisoning
LLMNR and NBT-NS are the two main components of Windows operating systems used to perform name resolution for hosts present on the same link. In this attack, the attacker cracks the NTLMv2 hash obtained from the victim's authentication process, and the extracted credentials are used to log on to the host system in the network.
Which of the following tools includes scanners such as comprehensive security scanners and port scanners and provides information such as NetBIOS names, configuration info, open TCP and UDP ports, transports, and shares? Tor Browser MegaPing Netcraft ShellPhish
MegaPing includes scanners such as Comprehensive Security Scanner, Port Scanner (TCP and UDP ports), IP Scanner, NetBIOS Scanner, and Share Scanner. It provides the following information: NetBIOS names, configuration info, open TCP and UDP ports, transports, shares, users, groups, services, drivers, local drives, sessions, remote time of day, and printers.
Which of the following is a default authentication scheme that performs authentication using a challenge/response strategy as it does not rely on any official protocol specification and has no guarantee to work effectively in every situation?
NTLM. NT LAN Manager (NTLM) is a default authentication scheme that performs authentication using a challenge/response strategy. Because it does not rely on any official protocol specification, there is no guarantee that it works effectively in every situation.
Network-based assessment
Network assessments determine the possible network security attacks that may occur on an organization's system. These assessments discover network resources and map the ports and services running to various areas on the network.
Non-credentialed assessment
Non-credentialed assessment, also called unauthenticated assessment, provides a quick overview of weaknesses by analyzing the network services that are exposed by the host. Since it is a non-credential assessment, a security professional does not require any credentials for the assets to perform their assessments.
Andrew, a professional hacker, drafts an email that appears to be legitimate and attaches malicious links to lure victims; he then distributes it through communication channels or mails to obtain private information like account numbers. Identify the type of attack vector employed by Andrew in the above scenario.
Phishing is a practice of sending an illegitimate email falsely claiming to be from a legitimate site in an attempt to acquire a user's personal or account information. Attackers perform phishing attacks by distributing malicious links via some communication channel or mails to obtain private information like account numbers, credit card numbers, mobile numbers, etc. from the victim.
trojans
Programs that look useful, but actually cause damage to your computer
Don, a professional hacker, initiated an attack on a target organization. During the course of this attack, he employed automated tools to collect maximum weak points, vulnerabilities, and other sensitive information across the target network. Which of the following phases of cyber kill chain methodology is Don currently executing in the above scenario? Delivery Command and control Reconnaissance Exploitation
Reconnaissance
Identify the civilian act designed to protect investors and the public by increasing the accuracy and reliability of corporate disclosures.
Sarbanes Oxley Act
APT attack
Advanced Persistent Threat (APT) is an attack that focuses on stealing information from the victim machine without its user being aware of it. These attacks are generally targeted at large companies and government networks. APT attacks are slow in nature, so the effect on computer performance and Internet connections is negligible.
Directory traversal attack
An attacker may be able to perform a directory traversal attack owing to a vulnerability in the code of a web application. In addition, poorly patched or configured web server software can make the web server vulnerable to a directory traversal attack.
rule-based attack
The attacker has some information about the password.
Black hat search engine optimization
Black hat SEO (also referred to as unethical SEO) uses aggressive SEO tactics such as keyword stuffing, inserting doorway pages, page swapping, and adding unrelated keywords to get higher search engine rankings for malware pages.
Don, a professional hacker, targeted Johana's official email to steal sensitive information related to a project. Using a password cracking tool, Don tried all the possible combinations of password characters until it was cracked. Identify the type of password attack performed by Don in the above scenario.
Brute force attack
hashcat
Command-line tool used to perform brute force and dictionary attacks against password hashes.
Identify the type of vulnerability assessment where the chances of finding the vulnerabilities related to OS and applications are higher, and it is highly unclear who owns the assets in large enterprises.
Credentialed assessment
Which of the following technique is a brute-force attack on encryption where all possible keys are tested in an attempt to recover the plaintext used to produce a particular ciphertext?
Cryptanalysis is a brute-force attack on encryption that employs a search of the keyspace. In other words, testing all possible keys is one of the attempts to recover the plaintext used to produce a particular ciphertext.
