Ethical Hacking
How much damage did NotPetya cause?
$10 billion
Where are Linux passwords stored?
/etc/shadow
In exploitation section using eternalblue, which port number is exploited to launch the attack ?
445
What is GRUB?
A bootloader that loads the operating system
ARP poisoning forges what?
ARP Packets
What does ARP stand for?
Address Resolution Protocol
What user would you try to compromise if you could not get root access?
Any user
A DoS attack would affect which part of the CIA Triad?
Availability
Thomas tries to change his friend's PC boot order but encounters a password request. What security solution was implemented?
BIOS password
What is a Windows Disk Encryption Feature?
BitLocker
What tool is highly effective when testing client-server transactions, can be used to manipulate captured data, and can send the data to the server?
Burp Suite Repeater
HashCat uses what for processing Brute force attacks?
CPU/GPU
Sasha wants to crack a password on a website. To do so, she did some research on the user and gathered information about him. What tool can be used to make the cracking process easier?
CUPP
What is Talos?
Cisco's threat intelligence group
Protecting information from unauthorized access meets which element of the CIA Triad?
Confidentiality
What are the goals of the CIA triad?
Confidentiality, Integrity, Availability
What can you steal with XSS?
Cookies, credentials
What does XSS stand for?
Cross-site scripting
Which of the following is not true about SQL statements? A. SQL statements are not case sensitive. B. SQL statements can be written on one or more lines. C. Keywords cannot be split across lines. D. Clauses must be written on separate lines.
D. Clauses must be written on separate lines.
Which of these are valid SQL? A. SELECT * FROM table ORDER name DESC; B. SELECT name; firstname FROM table C. SELECT * FROM table ORDER name ASC; D. SELECT * FROM table ORDER BY name DESC;
D. SELECT * FROM table ORDER BY name DESC;
True or False? NMAP is the tool we would use to see traffic traversing in the network.
False
True or false? A mutated dictionary attack uses a standard password list.
False
True or false? Adding a "$" sign to a user account hides it from the logon screen.
False
What are some valid types of HTTP request methods?
HEAD, DELETE, TRACE, PUT, etc.
John wants to launch a phishing campaign. He is looking for a tool to help him clone a specific website. What tool can he use to create the website?
HTTrack
Social Engineering is a type of what?
Hacking
The Social Engineering Toolkit is what?
Helps perform social engineering attacks and generate phishing sites
What does Ngrok help us do?
Host a phishing website in the Internet
What is privilege escalation?
Increasing privileges on a user account
Why is JavaScript added to web pages?
It makes websites more interactive.
What does HIPAA do?
It protects the privacy/security of a person's health info
What is an example of a client-side technology?
JavaScript
XSS commonly uses what type of scripting language?
JavaScript
What uses the GPU to crack passwords?
Jumbo-John and HashCat
What is an example of an open-source operating system?
Linux
Which Windows privilege type gives privileged account access to the local system?
Local admin
ARP cache poisoning involves sending erroneous what?
MAC addresses
What is a common relational database?
MySQL and MariaDB
Confidentiality means what?
Not talking about company business with others
What command sorts rows in SQL?
ORDER BY
What are some examples of Server-Side coding?
PHP, MySQL, etc.
What is the primary use of Hashcat?
Password Cracking
How can you identify a password?
Password guessing, default passwords, cracking and phishing
In a wired environment, where do we (the attacker) need to be positioned to perform a MITM attack?
Physically connected to the network
What does the SQL command "SELECT" do?
Picks the Attributes you wish to see as a search result
What can Leanne use to prevent SQL Injection on her website?
Prepared statements
What is OWASP?
Project dedicated to securing the web
What are the three permissions in Linux?
RWX
What SQLi attack provides visible output?
Regular SQLi
What does SQLi stand for?
SQL Injection
How does SQL Injection work?
SQL query is entered into the input box of a website, The SQL code can give unauthorised access to the database
What is an example of an Nmap scan?
SYN Scans, Xmas Scans, ACK Scans
What are SFX files?
Self Extracting files that are used to run background executables
What are cookies?
Small text files that are saved to your device by various websites
John built a forum-based website. He wants to save a payload in the database to affect its viewers. What attack is most likely to be used?
Stored XSS
SQL Stands for what?
Structured Query Language
A stored XSS attack is saved in what?
The web application's database
Which method do we used to mitigate the attack from EternalBlue ?
Upgrade the system to the newer version
What's a fingerprint?
Version information for running services
What is Burp Suite used for?
Web application security testing
Packet sniffing and file grabbing violate which element of the CIA Triad?
confidentiality
What command can be used to display a list of users?
net user
How can an attacker who is using the Windows command line run all the commands with administrator privilege?
run the command prompt program as administrator
What file can make it so you can access cmd.exe on logon without password?
sethc.exe
In Linux, how do you execute a command with privileged permissions?
sudo/su
What is the aim of an ARP spoofing attack?
to associate IP addresses to the wrong MAC address
What is the purpose of a hash?
to provide a digital fingerprint
What are the On-Path execution Steps in order?
1. Attacker places their system between computers that communicate with each other 2. Ideally, victim should not be aware their traffic is being intercepted 3. The attacker collects and potentially modifies data 4. The attacker analyzes and potentially weaponizes collected data.
What can we use to validate a server is legitimate and authenticate?
A certificate from a CA
How was MeDoc used to spread NotPetya?
A malicious update infected customers
Which protocols use TCP? A. HTTPS B. HTTP C. SSH D. ICMP
A. HTTPS B. HTTP C. SSH
How can we mitigate local PE in Linux?
Add a password to GRUB, encrypt the hard drive or volume, and physically secure the system
What is an example of a cloud service provider?
Amazon AWS, Azure
A bind shell creates a connection from the what?
Attacker to the victim (the victim is listening)
What services use UDP? A. SSH B. DNS C. ICMP D. DHCP
B. DNS D. DHCP
Which of the following is used by a system to connect to the network? A. Firewall B. NIC C. RAM D. SSD
B. NIC
What tool did we use to perform BOTH ARP spoofing and DNS poisoning?
Bettercap
What type of operations are executed on the browser?
Client-side
Local file inclusion attacks allow you to execute what?
Code local to the target's server.
Remote file inclusion attacks allow you to execute what?
Code remote to the target's server.
What are good lateral movement techniques?
Credential theft/reuse and exploitation
Which type of On-Path attack includes the process of redirecting a domain name request to a custom phishing domain?
DNS Poisoning
What are the common impacts of XSS?
Defacing, Cookie theft, clickjacking, malware delivery
How can we mitigate the local PE attack?
Encrypting the hard drive, physically securing the PC and a BIOS password
Which Windows privilege type can access any resource in the entire organization?
Enterprise domain admin
True or false? Adobe was transparent with what security controls they implemented.
False
True or false? DNS poisoning can occur without the attacker being on-path
False
True or false? GRUB loads after the operating system
False
True or false? NotPetya is a trojan horse and cryptomining malware
False
True or false? Obfuscating payloads can help prevent anti-virus detection with 100% efficacy.
False
True or false? Ping uses the SSH protocol
False
True or false? Python is not a good programming language for security.
False
True or false? Spoofing your number can be untraceable
False
True or false? The OWASP Top 10 contains information on the top threat actors from the last 6 months.
False
True or false? We know exactly how Adobe was compromised and the steps the attackers took.
False
True or false? When performing a UNION SELECT, the tables do not need to have the same number of columns.
False
True or false? Windows Defender is a network firewall
False
What technology protects your network from external attackers?
Firewall
What does DNS translate?
Hostnames to L3 addresses
What can be used to attack remote protocols and logins?
Hydra, Medusa, and Ncrack
What command allows you to add data to a table?
INSERT
When did the NotPeyta attack occur?
June 2017
What does ARP translate?
L2 to L3 addresses
What do attackers typically perform after exploiting a system?
Lateral movement
Which Windows privilege type gives anyone initial access to the PC with limited privileges?
Local guest user
What's an example hash?
MD5, SHA256, SHA1
How is an XSS attack typically conducted?
Malicious code is stored in the web application's database or is sent directly to user in a URL
In NotPetya, what system was compromised first?
MeDoc
Ted was hired to perform penetration testing on a system. What platform can help him accomplish that?
MetaSploit
What technology can be used to identify anomalous network traffic?
NIDS
What tool can we use to pentest a web application?
OWASP ZAP and Burp Suite
When did the Adobe Cyber Attack occur?
October 2013
How could NotPeyta been prevented?
Regular patching and Restricting file/folder permissions
What database type links tables to other files stored in the database?
Relational database
What can you identify with a network scan?
Running services, live hosts, fingerprints, open ports
In NotPetya, what vulnerability and exploit were used for post-exploitation lateral movement?
SMB and EternalBlue
You performed a scan of a target system. Ports 80, 443, and 22 are open. What are these services?
SSH, HTTP, HTTPS
What is the correct order of a TCP 3-way handshake?
SYN SYN-ACK ACK Data exchange occurs
What are Metaploit's features?
Scanning and enumeration, vulnerability searching, exploitation, post-exploitation shell and session management
How is JavaScript typically defined in a webpage?
Script tag
How do you mitigate XSS and file inclusion attacks?
Secure code review and user input data sanitation/validation, Blocking the script on the browser, encoding the output URL in HTML entities
What type of operations are executed on the server?
Server-side
In the Adobe attack, what did the attackers gain access to?
Source code, customer personal information and customer credit card information
A reflected XSS attack is typically in what?
The URL sent to the victim
Tom is a cyber consultant. He used Nmap to map an organization and find open ports. For one scanned port, he received RST as a response. What is the port status?
The port is closed.
Why would you want to mirror a site during a social engineering attack?
To reduce your target's suspicions
True or false? Adding a "$" sign to a user account hides it from user list tools.
True
True or false? Adobe took several steps to strengthen their security controls.
True
True or false? In NotPetya, users were unable to decrypt their files
True
True or false? You can crack a password if it has a weak hash.
True
How can you mitigate brute-force password attacks?
Using strong passwords, Login attempt limits. Fail2Ban
What command can we use to identify the database version?
VERSION()
A reverse shell create a connection from the what?
Victim to the attacker (the attacker is listening)
What attack infects a victim's favorite website(s) with malware?
Waterholing
What is SSL Stripping?
When the attacker removes encryption communications to read data.
How do you secure HTTP traffic?
With a digital certificate
In a wireless environment, where do we (the attacker) need to be positioned to perform a MITM attack?
Within wireless range of the wireless network
What occurs during network scanning?
You map the network structure, collect critical information about the network, and identify devices on the network
David recently discovered a new security vulnerability in his software that wasn't known before. What is the correct term for his discovery?
Zero-day
When Linux is booting up, what should be the first process to receive a PID?
init
What tool can we use to create and encode a payload?
msfvenom
What command can be used to display a list of Administrator users?
net localgroup Administrators
What tool can we use to conduct network reconnaissance?
nmap
What tool can you use to perform network scanning?
nmap