ITN - 261 Chapter 7


What is one outcome from process injection? 1. Hidden process 2. Rootkit 3. Alternate data streams 4. Steganography

1. Hidden process Steganography is the process of hiding data inside other data, such as media files like MP3s, WAVs, or video files. An alternate data stream is a secondary data stream attached to a filename in the NT file system. A rootkit can be used to hide processes, and it may itself use process injection, but it is not the outcome of process injection. When you inject into a process, you are placing executable code you have written into the address space of another running program. The end result can be a thread executing your code inside a legitimate process, with no new process name to indicate that it is running.

What would an attacker use an alternate data stream on a Windows system for? 1. Hiding files 2. Running programs 3. Storing PowerShell scripts 4. Blocking files

1. Hiding files Alternate data streams are a feature of the New Technology File System (NTFS), created in Windows NT to support the resource forks of Apple's file system. Many Windows utilities and programs don't natively understand alternate data streams, so they can't make use of them and won't show them; Explorer and a plain dir listing show only the file's primary stream. The data can still be accessed if the user knows how to display and manipulate the alternate data streams, for example with dir /r or PowerShell's Get-Item -Stream *.

What is it called when you obtain administrative privileges from a normal user account? 1. Privilege escalation 2. Account migration 3. Privilege migration 4. Account escalation

1. Privilege escalation Account migration, privilege migration, and account escalation are vague and don't have clearly defined definitions, even if they may exist. Privilege escalation, on the other hand, is used to gain elevated privileges when you only have the permissions of a normal user.

Which of these techniques might be used to maintain access to a system? 1. Run key in the Windows Registry 2. Alternate data stream 3. .vimrc file on Linux 4. PowerShell

1. Run key in the Windows Registry You may use a PowerShell script to perform functions that support persistence on a system, but the PowerShell script alone won't be used to maintain access. Alternate data streams won't be of any use for maintaining access, and a .vimrc file is a startup file for the Vim editor. The Run key in the Windows Registry (under HKCU or HKLM\Software\Microsoft\Windows\CurrentVersion\Run), though, launches every program listed in it at logon, so an attacker can add an entry there to regain access even after a reboot.

What does pivoting on a compromised system get you? 1. Database access 2. A route to extra networks 3. Higher level of privileges 4. Persistent access

2. A route to extra networks Pivoting is the process of using a compromised system to move onto other systems and networks within the target environment. Pivoting does not get you higher-level permissions or persistent access. You may ultimately get to a database server by pivoting, but that's not what pivoting does or is specifically used for. It would be a nice side effect of pivoting.

You find after you get access to a system that you are the user www-data. What might you try to do very shortly after getting access to the system? 1. Pivot to another network 2. Elevate privileges 3. Wipe logs 4. Exploit the web browser

2. Elevate privileges When the Apache web server runs on a Debian-based Linux system, it commonly runs as the user www-data. This is a privilege-restricted account that prevents an attacker from doing much on the system. In order to do anything else, such as wiping log files or pivoting to another network, you would first need to elevate privileges to administrative/root level. Exploiting the web browser wouldn't be done in this context; a web server more than likely wouldn't even have a web browser installed.

What would you use the program rtgen for? 1. Generating wordlists 2. Generating rainbow tables 3. Generating firewall rules 4. Persistent access

2. Generating rainbow tables The program rtgen is part of the RainbowCrack suite, which also includes rcrack, used to crack password hashes with rainbow tables, and rtsort, which sorts the generated tables so rcrack can search them. rtgen is what generates the tables that rcrack uses. Rainbow tables are not wordlists; they are precomputed chains linking plaintext passwords to their hashes, which makes recovering a password from an unsalted hash much faster than hashing candidates at crack time.

What could you use to obtain password hashes from a compromised system? 1. John the Ripper 2. Mimikatz 3. Rainbow tables 4. Process dumping

2. Mimikatz John the Ripper and rainbow tables are tools for cracking passwords, not for gathering or obtaining password hashes. Process dumping could possibly yield passwords associated with a certain process/application; however, you may not get password hashes, depending on how the passwords are held in memory. Process dumping is taking the memory space of a process and writing it out to disk for analysis. Mimikatz is a utility, also available inside Meterpreter through the kiwi extension, that extracts credentials such as NTLM hashes, Kerberos tickets, and in some configurations plaintext passwords from the memory of the LSASS process on a compromised Windows system.

What is it called when you manipulate the time stamps on files? 1. Time stamping 2. Timestomping 3. Meta stomping 4. Meta manipulation

2. Timestomping Manipulating time stamps on files is called timestomping. It is used to set file times to chosen values, usually to throw off investigations that rely on file timelines to identify intrusion activity. On NTFS, tools such as Meterpreter's timestomp change the times held in the $STANDARD_INFORMATION attribute, while the $FILE_NAME attribute keeps its own set of times, and a mismatch between the two is one of the ways examiners spot the manipulation. None of the other answers are real things.

What does John the Ripper's single crack mode, the default mode, do? 1. Checks every possible password 2. Uses known information and mangling rules 3. Uses a built-in wordlist 4. Uses wordlist and mangling rules

2. Uses known information and mangling rules Incremental mode has John generate and try every possible password within the specified length and character set. Single crack mode uses information John already has about the account, such as the login name, the GECOS full name, and the home directory name, and applies mangling rules to those words to produce guesses. When John is run with no mode specified, it starts with single crack mode, then moves on to wordlist mode and finally to incremental mode. Incremental mode does not use wordlists, though John's wordlist mode does, optionally combined with the same mangling rules.
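As an added example (not part of this study set and not code from John the Ripper), the following Python sketches what single crack mode does: it mines seed words from the account record and applies mangling rules to them. The account record and the unsalted SHA-256 "stored hash" are constructed for the example, and the mangling rules are a small hand-picked subset written here, not John's rule language.

```python
import hashlib

# Constructed sample account in /etc/passwd style: login, GECOS field, home
# directory. The "stored hash" is an unsalted SHA-256 built for this example;
# real John handles crypt(3), NTLM and many other formats, and a real password
# store should use a salted, slow hash that makes every guess far more costly.
SAMPLE_LOGIN = "jsmith"
SAMPLE_GECOS = "John Smith,Room 101,555-0100,,"
SAMPLE_HOME = "/home/jsmith"
SAMPLE_HASH = hashlib.sha256(b"Smith123").hexdigest()  # password chosen for the demo


def mangle(word):
    """Apply a small, hand-picked set of mangling rules to one seed word.

    These rules are written for this example and are only a tiny subset of
    what John's rule language can express; they illustrate deriving guesses
    from words the account record itself gives away.
    """
    base = word.lower()
    if not base:
        return
    for form in (base, base.capitalize(), base.upper(), base[::-1]):
        yield form
    for suffix in ("1", "12", "123", "!", "2024"):
        yield base + suffix
        yield base.capitalize() + suffix
    leet = (base.replace("a", "4").replace("e", "3")
                .replace("o", "0").replace("i", "1"))
    if leet != base:
        yield leet
        yield leet.capitalize()


def seed_words(login, gecos, home):
    """Collect the words single crack mode would mine from the account record."""
    words = {login}
    # GECOS is comma-separated; the first field is usually the full name.
    for field in gecos.split(","):
        words.update(field.split())
    words.add(home.rstrip("/").rsplit("/", 1)[-1])
    return sorted(w for w in words if w.isalpha())


def single_crack(login, gecos, home, stored_hash):
    """Return the first derived guess whose SHA-256 matches stored_hash, else None."""
    tried = set()
    for word in seed_words(login, gecos, home):
        for guess in mangle(word):
            if guess in tried:
                continue
            tried.add(guess)
            if hashlib.sha256(guess.encode()).hexdigest() == stored_hash:
                return guess
    return None


if __name__ == "__main__":
    found = single_crack(SAMPLE_LOGIN, SAMPLE_GECOS, SAMPLE_HOME, SAMPLE_HASH)
    print("seed words:", seed_words(SAMPLE_LOGIN, SAMPLE_GECOS, SAMPLE_HOME))
    print("recovered:", found)
```

The point to take from the block is how few guesses this mode needs: the whole candidate set here is under a hundred strings, which is why John tries it before any wordlist or brute-force run.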

What application would be a common target for client-side exploits? 1. Web server 2. Web browser 3. Web application firewall 4. Web pages

2. Web browser Of all of the options presented, only the web browser exists on the client side. By definition, the web server is on the server. A web application firewall is placed with the server to protect the server from Application layer attacks. Web pages are hosted on a web server. They are not a target for client-side exploits, though they would be used to carry out those attacks.

What are two advantages of using a rootkit? 1. Installing alternate data streams and Registry keys 2. Creating Registry keys and hidden processes 3. Hiding processes and files 4. Hiding files and Registry keys

3. Hiding processes and files A rootkit is a piece of malicious software that is used to accomplish several tasks. This may include hiding processes and files through the use of kernel-mode drivers or replaced system utilities. A rootkit may also provide a backdoor for attackers to maintain long-term access to the system after the initial compromise. None of the other answers are things that a rootkit does.

What might an attacker be trying to do by using the clearev command in Meterpreter? 1. Run an exploit 2. Manipulate time stamps 3. Manipulate log files 4. Remote login

3. Manipulate log files The clearev command is a Meterpreter command used to clear the Windows Application, System, and Security event logs. While you may be able to manipulate time stamps and other log files from Meterpreter, you wouldn't use clearev for that, and clearev does not let an attacker log in remotely. Clearing the logs is itself noisy: Windows records the clearing of the Security log as event ID 1102 and of the System log as event ID 104, which is exactly what a defender's detection rules look for.

Which of these is a reason to use an exploit against a local vulnerability? 1. Pivoting 2. Log manipulation 3. Privilege escalation 4. Password collection

3. Privilege escalation Local vulnerabilities exist in software that is not reachable over the network, such as setuid binaries, kernel code, or services that only accept local input. This means they require you to be "local" to the machine rather than remote; in other words, you already have to be logged in somehow. A local vulnerability would not be used to collect passwords; you don't need a vulnerability to do that. Similarly, you don't need to exploit a vulnerability to manipulate logs or to pivot. Most of those actions do require elevated permissions, though, and a local vulnerability is what you exploit to get those elevated permissions.

You've installed multiple files and processes on the compromised system. What should you also look at installing? 1. Registry keys 2. Alternate data streams 3. Rootkit 4. Root login

3. Rootkit Attackers often install extra files and run extra processes on systems. These could easily be detected by manual investigation or, certainly, by automated detection tools. The way around that is to install a rootkit, which may include kernel-mode drivers or replacement system utilities that hide the existence of these files and processes. Alternate data streams may be used to hide files but not processes. Registry keys can provide persistence, but they don't hide files or processes.

Which of these would be a way to exploit a client-side vulnerability? 1. Sending malformed packets to a web server 2. Sending large ICMP packets 3. Sending a crafted URL 4. Brute-force password attack

3. Sending a crafted URL Malformed packets could potentially cause a failure or trigger a vulnerability on the server side. Large ICMP packets aren't likely to do anything and certainly wouldn't exploit a client-side vulnerability. A brute-force password attack isn't exploiting a vulnerability, even if it is an attack technique. Sending a crafted URL could potentially exploit a client-side vulnerability in a web browser.

If you were looking for reliable exploits you could use against known vulnerabilities, what would you use? 1. Tor network 2. Meterpreter 3. msfvenom 4. Exploit-DB

4. Exploit-DB While the Tor network may be used to obtain an exploit against a vulnerability, there is some question as to how reliable that exploit may be. Content obtained that way may be malicious, even when it arrives as source code. Meterpreter is a Metasploit payload and msfvenom generates payloads; neither has anything to do with locating exploits. Exploit-DB is a website and repository of exploits, maintained by OffSec, that can be searched to locate an exploit targeting a specific, known vulnerability.

What tool would you use to compromise a system and then perform post-exploitation actions? 1. Nmap 2. John the Ripper 3. searchsploit 4. Metasploit

4. Metasploit John the Ripper is used for cracking passwords, while nmap is used for port scanning. They could be part of the overall process of system compromise, but neither could be used to compromise a system by itself, in spite of what The Matrix suggests. searchsploit is a program that searches a local copy of the Exploit-DB repository. Metasploit is an exploit framework that can be used to compromise a system, and once the system is compromised, Metasploit can then be used for post-exploitation actions using the modules that ship with it.

What are the three times that are typically stored as part of file metadata? 1. Moves, adds, changes 2. Modified, accessed, deleted 3. Moved, accessed, changed 4. Modified, accessed, created

4. Modified, accessed, created There are three date and time stamps commonly tracked in file metadata, often referred to as MAC times. When the file is created, that moment is stored. When the file is accessed, that moment is stored. When the file's content is modified, that moment is stored. Accessed is not the same as modified, since accessing a file can be read-only: you could open a file expecting to modify it and never do so, and the access time still changes. In practice, access times are weak evidence: Linux systems commonly mount file systems with relatime or noatime, and NTFS last-access updates have been disabled by default since Windows Vista, with newer Windows 10 and 11 releases only re-enabling them on some volumes. The "C" in MAC also differs by platform: on Unix-like systems it is the inode change time (ctime), updated whenever metadata changes, and a true creation time is only exposed on some file systems, while NTFS records created, modified, accessed, and MFT-entry-modified times. Moves, adds, and changes are also sometimes abbreviated MAC, but those are change-management tasks, not file times.
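The following Python is an added example (not part of this study set or of any timestomping tool) tying together the timestomping question earlier on the page and the MAC times just described. It backdates a scratch file's modified and accessed times the way a timestomping tool does at the POSIX API level, then shows why the third timestamp gives the manipulation away. The scratch file and the fake date are constructed for the example, and the ctime behaviour described in the comments is Linux behaviour.

```python
import os
import tempfile
import time
from datetime import datetime, timezone

# Epoch seconds for 2001-01-01 00:00:00 UTC, a clearly "old" fake timestamp.
FAKE_TIME = 978307200


def mac_times(path):
    """Return (modified, accessed, changed) times for path as epoch floats.

    On Linux, st_ctime is the inode change time: the kernel updates it whenever
    metadata is written, including the timestamps themselves, and user code
    cannot set it directly. On Windows, Python reports the creation time in
    st_ctime instead.
    """
    st = os.stat(path)
    return st.st_mtime, st.st_atime, st.st_ctime


def timestomp(path, when):
    """Backdate the modified and accessed times, as a timestomping tool would.

    utime() takes atime and mtime from the caller, but the kernel sets ctime
    itself, so this call leaves a trace in the third timestamp.
    """
    os.utime(path, (when, when))


def stomp_and_inspect(path, when):
    """Timestomp path, then return what an examiner would compare.

    The key check is ctime_after_mtime: a file whose inode change time is
    later than its claimed modification time was touched after the date it
    pretends to carry, which is the inconsistency that exposes timestomping.
    """
    before = time.time()
    timestomp(path, when)
    mtime, atime, ctime = mac_times(path)
    return {
        "mtime": mtime,
        "atime": atime,
        "ctime": ctime,
        "ctime_after_mtime": ctime > mtime,
        "ctime_is_recent": ctime >= before - 1,  # utime() could not backdate it
    }


def demo():
    """Create a scratch file, stomp it, and return the inspection result."""
    fd, path = tempfile.mkstemp(prefix="stomp-")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(b"constructed sample content\n")
        return stomp_and_inspect(path, FAKE_TIME)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    result = demo()
    for key in ("mtime", "atime", "ctime"):
        stamp = datetime.fromtimestamp(result[key], tz=timezone.utc)
        print(f"{key}: {stamp:%Y-%m-%d %H:%M:%S} UTC")
    print("ctime newer than claimed mtime:", result["ctime_after_mtime"])
```

The same idea applies on NTFS, where the $FILE_NAME timestamps and the MFT-entry-modified time play the role ctime plays here; whichever platform you are on, a timeline built from a single timestamp is the one an attacker can most easily rewrite.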

What is the trade-off for using rainbow tables? 1. Disk space prioritized over speed 2. Accuracy prioritized over disk space 3. Speed prioritized over accuracy 4. Speed prioritized over disk space

4. Speed prioritized over disk space Rainbow tables use precomputed hash chains that link plaintext passwords to hashes so that a password can be recovered from a stored hash much faster than by hashing candidates at crack time. The cost is disk space: a table covering a useful password space is often tens or hundreds of gigabytes, and a separate table is needed for each hash algorithm, character set, and length. Only the start and end point of each chain is stored and everything in between is recomputed during lookup, which is what keeps the tables from being a literal list of every hash. Accuracy is neither sacrificed nor prioritized, though chain merges mean coverage is probabilistic rather than guaranteed, and salted hashes defeat precomputation entirely because the table would have to be rebuilt for every salt. You give up disk space to get faster cracking times using rainbow tables.
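As an added example (not part of this study set and not code from RainbowCrack), the following Python builds a toy rainbow table and looks a hash up in it, which makes concrete both the rtgen question earlier on the page and the space-for-time trade-off just described. The password space, chain length, and number of chains are deliberately tiny so it runs in under a second; the reduction function and the constructed sample passwords are this example's own, and the salt demonstration at the end goes slightly beyond the flashcard to show why salting defeats the table.

```python
import hashlib
import itertools

# Toy parameters chosen for this example: 3-letter lowercase passwords (17,576
# possibilities) so the whole demonstration runs quickly. Real tables use far
# larger spaces and chain lengths in the thousands.
CHARSET = "abcdefghijklmnopqrstuvwxyz"
PW_LEN = 3
CHAIN_LEN = 50
NUM_CHAINS = 300


def hash_pw(password):
    """Unsalted MD5, the kind of hash rainbow tables were built to attack."""
    return hashlib.md5(password.encode()).digest()


def reduce_hash(digest, column):
    """Map a hash back into the password space.

    Mixing in the column index gives every position in a chain its own
    reduction function, which is what distinguishes a rainbow table from
    Hellman's original chains and makes chain merges rarer.
    """
    n = int.from_bytes(digest[:8], "big") + column
    chars = []
    for _ in range(PW_LEN):
        chars.append(CHARSET[n % len(CHARSET)])
        n //= len(CHARSET)
    return "".join(chars)


def password_at(start, column):
    """Regenerate the password at `column` of the chain beginning at `start`."""
    pw = start
    for col in range(column):
        pw = reduce_hash(hash_pw(pw), col)
    return pw


def build_table(start_points, chain_len=CHAIN_LEN):
    """Precompute chains and keep only {end_point: start_point}.

    Each chain covers chain_len hashes but costs one dictionary entry; that is
    the space-for-time trade-off. setdefault keeps the first chain when two
    chains merge into the same end point.
    """
    table = {}
    for start in start_points:
        table.setdefault(password_at(start, chain_len), start)
    return table


def lookup(table, target, chain_len=CHAIN_LEN):
    """Find a preimage of `target` using the table, or None if it is not covered.

    For each column the target hash could occupy, walk forward to the chain's
    end point, look it up, and if found regenerate that chain from its start
    to locate the password whose hash matches. A false alarm (end point found
    but the hash is not in that chain, a chain merge) simply continues.
    """
    for column in range(chain_len - 1, -1, -1):
        pw = reduce_hash(target, column)
        for col in range(column + 1, chain_len):
            pw = reduce_hash(hash_pw(pw), col)
        start = table.get(pw)
        if start is None:
            continue
        candidate = start
        for col in range(chain_len):
            if hash_pw(candidate) == target:
                return candidate
            candidate = reduce_hash(hash_pw(candidate), col)
    return None


START_POINTS = ["".join(t) for t in itertools.islice(
    itertools.product(CHARSET, repeat=PW_LEN), NUM_CHAINS)]
TABLE = build_table(START_POINTS)


if __name__ == "__main__":
    secret = password_at("aaa", 7)  # a password the table is known to cover
    print("table entries:", len(TABLE), "hashes covered at most:", NUM_CHAINS * CHAIN_LEN)
    print("recovered:", lookup(TABLE, hash_pw(secret)), "expected:", secret)
    # Salting moves the hashed input outside the precomputed space, so the
    # lookup fails even though the user's password is one the table covers.
    print("salted lookup:", lookup(TABLE, hash_pw("s4lt" + secret)))
```

Storing 300 end points instead of up to 15,000 hash-to-password pairs is the disk saving; paying roughly chain_len squared over two hash computations per lookup is the time you buy it with, which is why real tables pick chain lengths that balance the two.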

