DF 311 Midterm
Which of the following is NOT a memory dump file format?
.mtv
All of the following are places to look for indicators of compromise EXCEPT
/etc/proxychains.conf file
Hypertext Transfer Protocol (HTTP) is associated with which network port?
80
The IP addresses highlighted in the packet capture below come from a "victim" computer that has been attacked using a MITM technique. The victim's computer has mistakenly routed his internet traffic through an attacker machine instead of through the default gateway (access point). What kind of attack is this?
ARP Cache Poisoning
What does AFF stand for?
Advanced Forensics Format
The screen capture below shows three Powershell commands that have been joined together to filter Windows environment. Which of the following statements below best describes the data being displayed? Get-ChildItem -Path "C:\users\jadkins\Downloads"|select name, lastwritetime, creationtime | sort-object -property creationtime
All files in the Downloads folder sorted by the time they were created
According to the Hashcat command below, what kind of attack is being run? ./hashcat.exe -a 3 -m 0 ntlmhash.txt -o cleartext.txt -0
Brute-force
Which of the following protocols resolves a www address (URL) to an IP address?
Domain Name Service (DNS)
What is the significance of the EAPOL protocol?
EAPOL is a wifi authentication protocol
In the image below, what will the -d option do in this case? cewl -d 0 -m 4 -w mywordlist.txt https://en.wikipedia.org/wiki/Star_Trek
Extract all unique words on the page (according to specified word size), ignoring all links
The following is a combinator attack that will use two wordlists to try and crack an NTLM v2 hash ./hashcat.exe -a 0 -m 5600 ntlmhash.txt rockyou.txt -o cleartext.txt -0
False, the option of -a 0 tells us that this is a single dictionary attack
The following Powershell command will create a memory dump file in a raw file format. ./winpmem64.exe memorydump.mem
False, this command will create a memory dump file with a .mem file format
Which one of these Powershell commands will display a list network connections and ports so you can identify indicators of compromise like a TCP connection that has lasted a long time?
Get-NetTCPConnection
Which of the following protocols provides instructions on how to navigate the world wide web (www)?
HTTP
According to the feedback provided by Hashcat seen below, what was the result of the password attack? Status... Exhausted
Hashcat couldn't guess the password
What does IoC stand for?
Indicators of Compromise
What will the --vhdx option in this command do? ./kape.exe --tsource C:\ --target RegistryHives --tdest C:\kape\ --vhdx hashcat
It will create a hard disk image file
What will the following command in Kali Linux do? cewl -d -m 4 -w mywordlist.txt https://en.wikipedia.org/wiki/Star_Trek
It. will create a custom word list called mywordlist.txt
What is the name of the corporate investigation and risk consulting firm that created the Kape tool which forensically extracts Windows password hashes from a computer?
Kroll
During incident response, what is the MOST preferred method of gathering information from a compromised machine?
Live examination using a tool like Powershell
What type of hash is being attacked according to the Hashcat commands? ./hashcat.exe -a 3 -m 0 ntlmhash.txt -o cleartext.txt -0
MD5
What technique of attack is being demonstrated here?
Man-in-the-middle (MiTM) attack
What type of password attack is this? ./hashcat.exe -a 3 -m 5600 ?u?1?1?1?1?d?d?d?d?s
Masking
What kind of hash is this? Billy-Bob Thornton::MicrosoftAccount...
NTLM v2
Which of the following is true about the QUIC protocol?
QUIC was built on top of the existing UDP protocol
What does RDP stand for?
Remote Desktop Protocol
What kind of password attack is this according to the Hashcat statement? ./hashcat.exe -a 0 -m 5600 ntlmhash.txt rockyou.txt -r d3ad0ne.rule -o cleartext.txt -0
Rule-based
Which of these registry hives contains the information associated with Windows user passwords?
SAM, SYSTEM
For Windows computers, what are the 3 log file types that can be found in the Event Log viewer?
System, Security, Application
Which of the following protocols provides a command line interface to communicate with a REMOTE device or server
Telnet
Why did this Hashcat statement fail? ./hashcat.exe -a 1 -m 5600 ntlmhash.txt rockyou.txt -o cleartext.txt -0
The -a (attack mode) should be set to 0
What is the BSSID?
The MAC address of the access point
Which of the following statements is true about the password we are trying to crack according to the Hashcat command statements? ./hashcat.exe -a 3 -m 5600 ?u?1?1?1?1?d?d?d?d?s
The password will end with a special character
Why will this Hashcat statement fail when it is executed? .\hashcat.exe -a 0 -m 5600 ntlmhash.txt rockyou.txt -o cleartext.txt -0
The slash at the beginning needs to be a forward slash (./)
A TCP connection that lasts more than 72 hours in an example of an "unusual" artifact that may be an indicator of compromise.
True
Finding a log entry with a timestamp of 2 am which says the "Telnet service has started successfully" is a possible compromise.
True
What kind of hashes are these? Administrator:500:...
Windows NTLM
The screen capture below shows joined Powershell commands that provide environment data about a Widows computer. Which of the following choices best describes the information that Powershell is displaying? Get-Process |sort Starttime -Descending -ErrorAction SilenetlyContinue | select Name, StartTime
Windows processes (programs) sorted in descending order by the time they started
what Linux command in Kali will get the below information displayed?
ifconfig
What is the name of the command line application in Kali Linux that will extract Windows user password hashes from SAM and SYSTEM registry hives?
secretsdump
