Session Hijacking
Out of the following, which network-level session hijacking technique can be used to inject malicious data or commands into the intercepted communications in a TCP session? UDP Hijacking RST Hijacking Blind Hijacking TCP/IP Hijacking
Blind Hijacking
During the penetration testing, Marin identified a web application that could be exploited to gain the root shell on the remote machine. The only problem was that in order to do that he would have to know at least one username and password usable in the application. Unfortunately, guessing usernames and brute-forcing passwords did not work. Marin does not want to give up his attempts. Since this web application,was being used by almost all users in the company and was using http protocol, so he decided to use Cain & Abel tool in order to identify at least one username and password. After a few minutes, the first username and password popped-up and he successfully exploited the web application and the physical machine. What type of attack did he use in order to find the username and password to access the web application? ARP spoofing DNS spoofing TCP protocol hijacking UDP protocol hijacking
ARP spoofing
A session hijacking attack that gains control over the HTTP's user session by obtaining the session IDs, is known as_______________. Application Level Hijacking Network Level Hijacking Passive attack Active hijacking
Application Level Hijacking
Which of the following tools can be used to perform RST hijacking on a network? FOCA Nmap Colasoft's Packet Builder Recon-ng
Colasoft's Packet Builder
Marin is performing penetration testing on the target organization. He discovered some vulnerabilities in the organization's website. He decided to insert malicious JavaScript code into a vulnerable dynamic web page to collect information such as credentials, cookies, etc. Identify the attack performed by Marin? Cross-site Scripting Attack Cross-site Request Forgery Attack Session Replay Attack Man-in-the-Browser Attack
Cross-site Scripting Attack
Which protocol defines the payload formats, types of exchange, and naming conventions for security information such as cryptographic algorithm or security policies. Identify from the following options. AH ESP DOI ISAKMP
DOI
Which of the following tools can be used by a pentester to test the security of web applications? Fiddler BetterCAP MITMf Cain & Abel
Fiddler
Out of the following, which is not a component of the IPsec protocol? IPsec policy agent Oakley HPKP IKE
HPKP
Which of the following technique allows users to authenticate web servers? HTTPS HPKP SSH SFTP
HPKP
Which of the following protocols is an extension of IP to send error messages? An attacker can use it to send messages to fool the client and the server. ICMP ARP SSL FTP
ICMP
Out of the following, which network-level session hijacking technique is useful in gaining unauthorized access to a computer with the help of a trusted host's IP address? IP Spoofing: Source Routed Packets TCP/IP Hijacking UDP Hijacking Bling Hijacking
IP Spoofing: Source Routed Packets
A security engineer has been asked to deploy a secure remote access solution that will allow employees to connect to the company's internal network. Which of the following can be implemented to minimize the opportunity for a man-in-the-middle attack to occur? SSL Mutual authentication IPSec Static IP addresses
IPSec
Which of the following protocols is used to implement virtual private networks (VPNs)? HTTPS IPsec HPKP Token binding
IPsec
A tester wants to test an organization's network against session hijacking attacks. Which of the following tools can he use to detect session hijacking attacks? LogRhythm Nmap FOCA Recon-ng
LogRhythm
MitB (Man in the Browser) is a session hijacking technique heavily used by e-banking Trojans. The most popular ones are Zeus and Gameover Zeus. Explain how MitB attack works. Malware is injected between the browser and OS API, enabling to see the data before encryption (when data is sent from the machine) and after decryption (when data is being received by the machine). Malware is injected between the browser and keyboard driver, enabling to see all the keystrokes. Malware is injected between the browser and network.dll, enabling to see the data before it is sent to the network and while it is being received from the network. Man-in-the-Browser is just another name for sslstrip MitM attack.
Malware is injected between the browser and OS API, enabling to see the data before encryption (when data is sent from the machine) and after decryption (when data is being received by the machine).
Out of the following, which session hijacking detection technique involves using packet-sniffing software such as Wireshark and SteelCentral packet analyzer to monitor session hijacking attacks? Normal Telnet session Manual method Forcing an ARP entry Automatic method
Manual method
During a penetration test, Marin exploited a blind SQLi and exfiltrated session tokens from the database. What can he do with this data? Marin can do Session hijacking Marin can do SQLi (SQL injection) Marin can do XSS (Cross-Site Scripting) Marin can do CSRF (Cross-Site Request Forgery)
Marin can do Session hijacking
Marin is a penetration tester in XYZ organization and while performing penetration testing using MITMF tool, he captured the Microsoft NTLMv2 hash file as shown in the screenshot. What can Marin do with it? Marin can try to crack it Marin can use it in the pass-the-hash attack Marin cannot crack it since it's salted Marin can crack it with rainbow tables
Marin can try to crack it
During the penetration testing of e-banking application, Marin is using burp to analyze the traffic. Unfortunately intercepting the traffic between the website and the browser that Marin is testing does not work with his burp installation. Website is using HSTS (HTTP Strict Transport Security). What can Marin do to fix this issue? Marin has to install burp certificate into trusted CA's in order to intercept the traffic between website and the browser is protected with HSTS. He can do that by configuring the web browser with burp as the proxy server and then navigating to https://burp website. There he has to download burp CA certificate and install it in browser trust pool. Marin has to install burp certificate into trusted CA's in order to intercept the traffic between website protected with HSTS. He can do that automatically by navigating to https://burp website Marin has to install burp certificate into trusted CA's in order to intercept the traffic between website protected with HSTS. He can do that automatically by configuring web browser with burp as the proxy server and then navigating to https://burp website That's impossible. HSTS prevents any type of MitM or traffic analysis
Marin has to install burp certificate into trusted CA's in order to intercept the traffic between website and the browser is protected with HSTS. He can do that by configuring the web browser with burp as the proxy server and then navigating to https://burp website. There he has to download burp CA certificate and install it in browser trust pool.
During a penetration test, Marin identified a web application that could be exploited to gain a root shell on the remote machine. The only problem was that in order to do that he would have to know at least one valid username and password that could be used in the application. Unfortunately, guessing usernames and brute-forcing passwords did not work. Marin does not want to give up his attempts. Since this web application is being used by almost all users in the company, and moreover it was using the http protocol, so he decided to use the Cain&Abel tool in order to identify at least one username and password. Morin found that the network was using layer 2 switches with no configuration or management features. What could be the easiest way to start an attack in this case? MitM (Man in the Middle) ARP spoofing DNS spoofing MitB (Man in the Browser)
MitM (Man in the Middle)
John, a malicious attacker, was intercepting packets during transmission between the client and server in a TCP and UDP session, what is this type of attack called? Network level hijacking Application level hijacking Intrusion Session hijacking
Network level hijacking
During a penetration test, Marin discovered a session token that had had the content: 20170801135433_Robert. Why is this session token weak, and what is the name used for this type of vulnerability? Unknown Session Token Predictable Session Token Captured Session Token Date/Time Session Token
Predictable Session Token
Maira wants to establish a connection with a server using the three-way handshake. As a first step she sends a packet to the server with the SYN flag set. In the second step, as a response for SYN, she receives packet with a flag set. Which flag does she receive from the server? ACK SYN+ACK RST FIN
SYN+ACK
In order to hijack TCP traffic, an attacker has to understand the next sequence and the acknowledge number that the remote computer expects. Explain how the sequence and acknowledgment numbers are incremented during the 3-way handshake process. Sequence and acknowledgment numbers are incremented by one during the 3-way handshake process Sequence and acknowledgment numbers are incremented by two during the 3-way handshake process Sequence number is incremented by one and acknowledge number is not incremented during the 3-way handshake process Sequence number is not incremented and acknowledgment number is incremented by one during the 3-way handshake process
Sequence and acknowledgment numbers are incremented by one during the 3-way handshake process
When a person (or software) steals, can calculate, or can guess part of the communication channel between client and the server application or protocols used in the communication, he can hijack the ______. Session Channel TCP protocol UDP protocol
Session
Which of the following is not a type of network-level hijacking? Blind Hijacking Man-in-the-Middle: Packet Sniffer Session Hijacking UDP Hijacking
Session Hijacking
During a penetration test, Marin discovered that a web application does not change the session cookie after successful login. Instead, the cookie stays the same and is allowed additional privileges. This vulnerability and application-level session hijacking is called ______________. Session fixation Session sniffing Session replay attack Predictable session token
Session fixation
An attacker is using session hijacking on the victim system to perform further exploitation on the target network. Identify the type of attacks an attacker can perform using session hijacking? Sniffing Piggybacking Dumpster Diving Tailgating
Sniffing
During the penetration testing in company "Credit Cards Rus Ltd." Marin was using sslstrip tool in order to sniff HTTP traffic. Unfortunately, no data was received. Marin double checked the setup, tested the setup between his virtual machines, and was successful in intercepting the traffic here, but when he tried to do it against other machines on the same network, nothing happened. Marin was puzzled with that and he did not understand why that was happening. Help Marin and explain why he was unsuccessful with intercepting the traffic with sslstrip? Sslstrip can show the data only if the initial request to the server is sent as HTTP. Marin cannot use sslstrip on the real network—it works only between virtual machines Marin was using the wrong tool. To decrypt the https traffic, he should have used httpsdecrypt instead Sslstrip can show only GET requests—in this case, all the client/server communication was using POST requests
Sslstrip can show the data only if the initial request to the server is sent as HTTP.
During the penetration testing in company "Credit Cards Rus Ltd." Marin was using the sslstrip tool in order to sniff HTTPS traffic. Knowing that HTTPS traffic is encrypted and cannot be sniffed normally, explain the reason why it is possible to see the traffic in cleartext. Sslstrip tool is exploiting user behavior and if a user does not type https:// in front of the link, and the website has redirection from HTTP to HTTPS, it will intercept HTTP 302 redirection and send the user exactly what the user asked for, i.e. HTTPsite Sslstrip tool is exploiting an older or in HTTPS protocol, allowing it to gracefully decrypt http traffic by intercepting HTTP 403 denied messages and sending user HTTP 200 OK messages Sslstrip tool is exploiting certificate signing and it is sending its own certificate instead of the original one, allowing for the traffic to be easily decrypted Sslstrip tool is exploiting network bug, which allows it to decrypt HTTPS protocols (TLS and SSL) by sending gratuitous ARP packets to all the nodes on the network
Sslstrip tool is exploiting user behavior and if a user does not type https:// in front of the link, and the website has redirection from HTTP to HTTPS, it will intercept HTTP 302 redirection and send the user exactly what the user asked for, i.e. HTTPsite
If an attacker intercepts an established connection between two communicating parties using spoofed packets, and then pretends to be one of them, then which network-level hijacking is he performing? RST hijacking IP spoofing Man-in-the-middle: packet sniffer TCP/IP hijacking
TCP/IP hijacking
Which of the following is considered to be a session hijacking attack? Taking over a TCP session Taking over a UDP session Monitoring a TCP session Monitoring a UDP session
Taking over a TCP session
OpenSSH or SSH is a more secure solution to which of the following protocol? HTTP IP Telnet, rlogin SMB
Telnet, rlogin
Marin is using the mitmf tool during a penetration test and after few minutes this is what pops up on the screen. A few seconds later though, the hash is different. Why? This is Microsoft NTLMv2 hash—it's salted, so it will be different for every new request. This is Microsoft NTLMv2 hash. It's different because this is another user accessing the website. This is Microsoft NTLMv2 hash. It's different because user is visiting another website. Each website will have its own unique hash. This is Microsoft NTLMv2 hash. It's different because user changed the password in the meantime.
This is Microsoft NTLMv2 hash—it's salted, so it will be different for every new request.
Network-level session hijacking attacks ____________ level protocols. Transport and internet level protocols Application level protocols Network or Internet level protocols Data link level protocols
Transport and internet level protocols
Susan works for "CustomData Intl." and she has to deploy a guest Wi-Fi. She did everything by the manual and deployed the guest Wi-Fi successfully. The deployed guest Wi-Fi is separated from the company network, it is protected with WPA2 and every user wants to use the Wi-Fi has to ask for a username and password. There is one problem though—after a few months she noticed that the users connecting to the guest Wi-Fi are being attacked with MitM attacks. She identified that the MitM attack was initiated with ARP spoofing. She found that someone is stealing users' web application credentials, including Windows system credentials in some cases. Unfortunately, internal users have also become prey to these attacks since they used guest Wi-Fi because it was more open than their internal network. So, only external guests are not being compromised. She wanted to mitigate this issue and the first step she took was to ban all internal users from guest using Wi-Fi network. What, according to you, is the easiest and probably the best way to prevent the ARP spoofing attacks on Wi-Fi networks? Use Client isolation WiFi feature Use IPsec on WiFi Use HTTPS all the time It's impossible to protect WiFi from ARP spoofing
Use Client isolation WiFi feature
A user wants to securely establish a remote connection to a system without any interference from perpetrators. Which of the following methods should he incorporate in order to do so? HTTPS VPN SMB Signing SFTP
VPN
