Module 06 Quiz
Which of the following techniques is used by the attackers to clear online tracks? A)Disable the user account B)Disable LAN manager C)Disable auditing D) Disable LMNR and NBT-NS services
Disable auditing
What statement is true regarding LAN Manager (LM) hashes? A)LM hashes are based on AES128 cryptographic standard. B)LM hashes consist in 48 hexadecimal characters. C)Uppercase characters in the password are converted to lowercase. D)LM hashes limit the password length to a maximum of 14 characters.
LM hashes limit the password length to a maximum of 14 characters.
Least privilege is a security concept, which requires that a user is ... A) Given privileges equal to everyone else in the department. B) Given root or administrative privileges. C) Limited to those functions which are required to do the job. D)Trusted to keep all data and access to that data under their sole control.
Limited to those functions which are required to do the job. Least privilege refers to the process of providing users with sufficient access privilege that allows them to perform only their assigned task and not more than that to ensure information security.
Which one of the following techniques is used by attackers to hide their programs? A)NTFS Stream B)Enumeration C)Scanning D)Footprinting
NTFS Stream You should do the following to defend against malicious NTFS streams: -To delete hidden NTFS streams, move the suspected files to FAT partition -Use third-party file integrity checker such as Tripwire File Integrity Monitor to maintain integrity of NTFS partition files against unauthorized ADS -Use third-party utilities such as EventSentry or adslist.exe to show and manipulate hidden streams -Avoid writing important or critical data to alternate data streams -Use up-to-date antivirus software on your system. -Enable real-time antivirus scanning to protect against execution of malicious streams -Use file-monitoring software such as Stream Detector (http://www.novirusthanks.org) and ADS Detector (https://sourceforge.net/projects/adsdetector/?source=directory) to help detect creation of additional or new data streams.
Which of the following operating systems allows loading of weak dylibs dynamically that is exploited by attackers to place a malicious dylib in the specified location? A) Android B) Linux C) OS X D) Unix
OS X OS X provides several legitimate methods, such as setting the DYLD_INSERT_LIBRARIES environment variable, which are user specific. These methods force the loader to load malicious libraries automatically into a target running process. OS X allows the loading of weak dylibs (dynamic library) dynamically, which allows an attacker to place a malicious dylib in the specified location.
Which of the following is an example of two-factor authentication? A) Username and Password B) Password and fingerprint C) PIN Number and Birth Date D) Digital Certificate and Hardware Token
Password and fingerprint
A company is using Windows Server 2003 for its Active Directory (AD). What is the most efficient way to crack the passwords for the AD users? A) Perform a brute force attack. B) Perform a dictionary attack. C) Perform a hybrid attack. D) Perform an attack with a rainbow table.
Perform an attack with a rainbow table.
Which of the following vulnerabilities allows attackers to trick a processor to exploit speculative execution to read restricted data? A) DLL Hijacking B) Dylib Hijacking C) Spectre D) Meltdown
Spectre Spectre vulnerability: Spectre vulnerability is found in many modern processors such as AMD, ARM, Intel, Samsung, and Qualcomm processors. This vulnerability leads to tricking a processor to exploit speculative execution to read restricted data. The modern processors implement speculative execution to predict the future and to complete the execution faster. Meltdown vulnerability: This is found in all the Intel processors and ARM processors deployed by Apple. This vulnerability leads to tricking a process to access out-of-bounds memory by exploiting CPU optimization mechanisms such as speculative execution. Dylib hijacking: This allows an attacker to inject a malicious dylib in one of the primary directories and simply load the malicious dylib at runtime. DLL hijacking: In DLL hijacking attackers place a malicious DLL in the application directory; the application will execute the malicious DLL in place of the real DLL.
In the options given below; identify the nature of a library-level rootkit? A)Uses devices or platform firmware to create a persistent malware image in hardware B)Functions either by replacing or modifying the legitimate bootloader with another one C)Works higher up in the OS and usually patches, hooks, or supplants system calls with backdoor versions D)Operates inside the victim's computer by replacing the standard application files
Works higher up in the OS and usually patches, hooks, or supplants system calls with backdoor versions
Which of the following is the advantage of adopting a single sign on (SSO) system? A) Impacts user experience when an application times out the user needs to login again reducing productivity B) Decreased security as the logout process is different across applications C) A reduction in overall risk to the system since network and application attacks can only happen at the SSO point D) A reduction in password fatigue for users because they do not need to know multiple passwords when accessing multiple applications
A reduction in password fatigue for users because they do not need to know multiple passwords when accessing multiple applications Advantages of Single Sign On (SSO) system: A reduction in password fatigue for users because they do not need to know multiple passwords when accessing multiple applications. A reduction in system administration overhead since any user login problems can be resolved at the SSO system. Improves usability and user satisfaction through automatic login functionality. Users need not maintain multiple passwords and since authentication is performed at a centralized server it improves security. Improves productivity through single sign in functionality as it reduces the login time. Improves auditing as the SSO system provides easy way of tracking application usage, shared resources usage, etc. Improves account management such as account disabling (Disabling hardware and network accounts).
Which of the following techniques do attackers use to escalate privileges in the Windows operating system? A) Launch Daemon B) Application Shimming C) Plist Modification D) Setuid and Setgid
Application Shimming The Windows operating system uses Windows application compatibility framework called Shim to provide compatibility between the older and newer versions of Windows. An attacker can use these shims to perform different attacks such as disabling Windows defender, privilege escalation, installing backdoors, and so on.
Which of the following are valid types of rootkits? (Choose three.) A)Kernel level B)Application level C) Physical level D) Data access level Hypervisor level Network level
Kernel level Application level Hypervisor level
Which of the following is an sh-compatible shell that stores command history in a file? A)ksh B)Zsh C)BASH D)Tcsh/Csh
BASH BASH: The BASH or Bourne Again Shell is an sh-compatible shell which stores command history in a file called bash history. You can view the saved command history using more ~/.bash_history command. This feature of BASH is a problem for hackers as the bash_history file could be used by investigators in order to track the origin of an attack and the exact commands used by an intruder in order to compromise a system. Tcsh: This is a Unix shell and compatible with C shell. It comes with features such as command-line completion and editing, etc. Users cannot define functions using tcsh script. They need to use scripts such as Csh to write functions. Zsh: This shell can be used as an interactive login shell as well as a command-line interpreter for writing shell scripts. It is an extension of the Bourne shell and includes a vast number of improvements. Ksh: It improved version of the Bourne shell that includes floating-point arithmetic, job control, command aliasing, and command completion.
What is the command used by an attacker to establish a null session with the target machine? A) C :\>auditpol \\<ip address of target> /disable B) C:\>auditpol \\<ip address of target> C)C:\clearlogs.exe -app D)auditpol /get /category:*
C:\>auditpol \\<ip address of target> Auditpol.exe is the command-line utility tool to change Audit Security settings at the category and sub-category levels. Attackers can use AuditPol to enable or disable security auditing on local or remote systems and to adjust the audit criteria for different categories of security events. The attacker would establish a null session to the target machine and run the command: C:\>auditpol \\<ip address of target> This will reveal the current audit status of the system. He or she can choose to disable the auditing by: C :\>auditpol \\<ip address of target> /disable This will make changes in the various logs that might register the attacker's actions. He/she can choose to hide the registry keys changed later on. The moment that intruders gain administrative privileges, they disable auditing with the help of auditpol.exe. Once they complete their mission, they again turn on auditing by using the same tool (audit.exe). Attackers can use AuditPol to view defined auditing settings on the target computer, running the following command at the command prompt: auditpol /get /category:* Run clearlogs.exe from the command prompt, for clearing application logs C:\clearlogs.exe -app
A hacker is sniffing the network traffic and trying to crack the encrypted passwords using Dictionary, Brute-Force, and Cryptanalysis attacks. Which of the following tool helps the hacker to recover the passwords? A) Cain and Abel B) Hoovers C) Nessus D) Metagoofil
Cain and Abel
Identify the technique used by the attackers to wipe out the entries corresponding to their activities in the system log to remain undetected? A)Clearing logs B)Executing applications C)Gaining access D)Escalating privileges
Clearing logs Clearing Logs: To maintain future system access, attackers attempt to avoid recognition by legitimate system users. To remain undetected, attackers wipe out the entries corresponding to their activities in the system log, thus avoiding detection by users.
Which of the following techniques is used to place an executable in a particular path in such a way that it will be executed by the application in place of the legitimate target? A) Path Interception B) Scheduled Task C) Application Shimming D) File System Permissions Weakness
Path Interception Path interception is a method of placing an executable in a particular path in such a way that it will be executed by the application in place of the legitimate target. Attackers can take advantage of several flaws or misconfigurations to perform path interception like unquoted paths (service paths and shortcut paths), path environment variable misconfiguration, and search order hijacking. Path interception helps an attacker to maintain persistence on a system and escalate privileges.
A computer science student needs to fill some information into a password protected Adobe PDF job application that was received from a prospective employer. Instead of requesting the password, the student decides to write a script that pulls passwords from a list of commonly used passwords to try against the secured PDF until the correct password is found or the list is exhausted. Identify the type of password attack. A) Man-in-the-middle attack B) Session hijacking C) Brute-force attack D) Dictionary attack
Dictionary attack Dictionary Attack: In a dictionary attack, a dictionary file is loaded into the cracking application that runs against user accounts. This dictionary is the text file that contains a number of dictionary words that are commonly used as passwords. The program uses every word present in the dictionary to find the password. Apart from a standard dictionary, attackers' dictionaries have added entries with numbers and symbols added to words (e.g., "3December!962"). Simple keyboard finger rolls ("qwer0987"), which many believe to produce random and secure passwords, are thus included in an attacker's dictionary.
Which of the following techniques do attackers use to cover the tracks? A) Steganography B) Scanning C) Disable auditing D) Steganalysis
Disable auditing Techniques used for Clearing Tracks The main activities that an attacker performs toward removing his/her traces on the computer are: Disable auditing: An attacker disables auditing features of the target system Clearing logs: An attacker clears/deletes the system log entries corresponding to his/her activities Manipulating logs: An attacker manipulates logs in such a way that he/she will not be caught in legal actions
Which of the following steganography techniques allows the user to add white spaces and tabs at the end of the lines? A)Video steganography B)Document steganography C)Folder Steganography D)Image Steganography
Document steganography Document Steganography: As with image steganography, document steganography is the technique of hiding secret messages transferred in the form of documents. It includes addition of white spaces and tabs at the end of the lines. Stego-document is a cover document comprising of the hidden message. Steganography algorithms, referred to as the "stego system, are employed for hiding the secret messages in the cover medium at the sender end. The same algorithm is used for extracting the hidden message from the stego-document by the recipient. Folder Steganography: Folder steganography refers to hiding secret information in folders. Files are hidden and encrypted within a folder and are not seen by the normal Windows applications, including Windows Explorer. Video Steganography: Video steganography refers to hiding secret information into a carrier video file. The information is hidden in video files of different formats such as .AVI, .MPG4, .WMV, etc. Discrete Cosine Transform (DCT) manipulation is used to add secret data at the time of the transformation process of the video. Image Steganography: Image steganography allows you to conceal your secret message within an image. You can take advantage of the redundant bit of the image to conceal your message within it. These redundant bits are those bits of the image that have very little effect on the image, if altered. Detection of this alteration is not easy. You can conceal your information within images of different formats (e.g., .PNG, .JPG, .BMP).
Which of the following registry entry you will delete to clear Most Recently Used (MRU) list? A)HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AppKey B)HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs C)HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts D)HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
In which of the following techniques does an unauthorized user try to access the resources, functions, and other privileges that belong to the authorized user who has similar access permissions? A) Vertical Privilege Escalation B) Horizontal Privilege Escalation C) Kerberos Authentication D) Rainbow Table Attack
Horizontal Privilege Escalation Horizontal Privilege Escalation: In a horizontal privilege escalation, the unauthorized user tries to access the resources, functions, and other privileges that belong to the authorized user who has similar access permissions. For instance, online banking user A can easily access user B's bank account. A rainbow table attack is a type of cryptography attack where an attacker uses a rainbow table for reversing cryptographic hash functions. A rainbow table attack uses the cryptanalytic time memory trade-off technique, which requires less time than some other techniques. It uses already-calculated information stored in memory to crack the cryptography. In the rainbow table attack, the attacker creates a table of all the possible passwords and their respective hash values, known as a rainbow table, in advance. Vertical Privilege Escalation: In a vertical privilege escalation, the unauthorized user tries to gain access to the resources and functions of the user with higher privileges, such as application or site administrators. For example, someone performing online banking can access the site using administrative functions. Kerberos is a network authentication protocol that provides strong authentication for client/server applications by using secret-key cryptography. This provides mutual authentication, in that both the server and the user verify each other's identity. Messages sent through Kerberos protocol are protected against replay attacks and eavesdropping.
You have retrieved the raw hash values from a Windows 2000 Domain Controller. Using social engineering, you know that they are enforcing strong passwords. You understand that all users are required to use passwords that are at least eight characters in length. All passwords must also use three of the four following categories: lower-case letters, capital letters, numbers, and special characters. With your given knowledge of users, likely user account names, and the possibility that they will choose the easiest passwords possible, what would be the fastest type of password cracking attack you can run against these hash values to get results? A) Dictionary Attack B) Hybrid Attack C) Brute Force Attack D) Replay attack
Hybrid Attack Replay Attack: In a replay attack, packets and authentication tokens are captured using a sniffer. After the relevant info is extracted, the tokens are placed back on the network to gain access. The attacker uses this type of attack to replay bank transactions or other similar types of data transfer, in the hope of replicating and/or altering activities, such as banking deposits or transfers. Dictionary Attack: In a dictionary attack, a dictionary file is loaded into the cracking application that runs against user accounts. This dictionary is the text file that contains a number of dictionary words that are commonly used as passwords. The program uses every word present in the dictionary to find the password. Apart from a standard dictionary, attackers' dictionaries have added entries with numbers and symbols added to words (e.g., "3December!962"). Simple keyboard finger rolls ("qwer0987"), which many believe to produce random and secure passwords, are thus included in an attacker's dictionary. Brute-Force Attack: In a brute force attack, attackers try every combination of characters until the password is broken. Cryptographic algorithms must be sufficiently hardened to prevent a brute-force attack, which is defined by the RSA: "Exhaustive key-search, or brute-force search, is the basic technique for trying every possible key in turn until the correct key is identified." Hybrid Attack:A hybrid attack is more powerful as it uses both a dictionary attack and brute force attack. It also uses symbols and numbers. Password cracking becomes easier with this method. Often, people change their passwords merely by adding some numbers to their old passwords. In this case, the program would add some numbers and symbols to the words from the dictionary to try and crack the password. For example, if the old password is "system," then there is a chance that the person will change it to "system1" or "system2."
Which type of rootkit is created by attackers by exploiting hardware features such as Intel VT and AMD-V? A)Kernel Level Rootkit B)Boot Loader Level Rootkit C)Hypervisor Level Rootkit D)Hardware/Firmware Rootkit
Hypervisor Level Rootkit Hypervisor Level Rootkit: Attackers create Hypervisor level rootkits by exploiting hardware features such as Intel VT and AMD-V. These rootkits runs in Ring-1 and host the operating system of the target machine as a virtual machine and intercept all hardware calls made by the target operating system. This kind of rootkit works by modifying the system's boot sequence and gets loaded instead of the original virtual machine monitor. Hardware/Firmware Rootkit: Hardware/firmware rootkits use devices or platform firmware to create a persistent malware image in hardware, such as a hard drive, system BIOS, or network card. The rootkit hides in firmware as the users do not inspect it for code integrity. A firmware rootkit implies the use of creating a permanent delusion of rootkit malware. Kernel Level Rootkit: The kernel is the core of the operating system. Kernel level rootkit runs in Ring-0 with highest operating system privileges. These cover backdoors on the computer and are created by writing additional code or by substituting portions of kernel code with modified code via device drivers in Windows or loadable kernel modules in Linux. Boot Loader Level Rootkit:Boot loader level (bootkit) rootkits function either by replacing or modifying the legitimate bootloader with another one. The boot loader level (bootkit) can activate even before the operating system starts. So, the boot-loader level (bootkit) rootkits are serious threats to security because they can help in hacking encryption keys and passwords.
Identify the technique used by the attackers to execute malicious code remotely? A) Install malicious programs B) Rootkits and steganography C) Sniffing network traffic D) Modify or delete logs
Install malicious programs
Which of the following tool is used for cracking passwords? A) John the Ripper B) OpenVAS C) Nikto D) Havij
John the Ripper John the Ripper is a password cracking tool, that can be used in multiple operating systems such as Unix, Windows, etc. It is helpful in detecting weak passwords in Unix environment. Besides several crypt(3) password hash types most commonly found on various Unix systems, supported out of the box are Windows LM hashes, plus lots of other hashes and ciphers in the community-enhanced version. Nikto is an Open Source (GPL) web server scanner that performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software. Havij is an automated SQL Injection tool that helps penetration testers to find and exploit SQL Injection vulnerabilities on a web page. OpenVAS is a framework of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution.
Fill in the blank _________________ type of rootkit is most difficult to detect. A) Hardware/Firmware Rootkit B) Kernel Level Rootkit C) Hypervisor Rootkit D) Application Rootkit
Kernel Level Rootkit Kernel Level Rootkit: The kernel is the core of the operating system. Kernel level rootkit runs in Ring-0 with highest operating system privileges. These cover backdoors on the computer and are created by writing additional code or by substituting portions of kernel code with modified code via device drivers in Windows or loadable kernel modules in Linux. If the kit's code contains mistakes or bugs, kernel-level rootkits affect the stability of the system. These have the same privileges of the operating system; hence, they are difficult to detect and intercept or subvert the operations of operating systems. Hardware/Firmware Rootkit: Uses device/platform firmware to create persistent malware image in hardware, like HDD, System BIOS, Network Card. Code integrity tool does not inspect the integrity of firmware. Application Rootkit: This replaces standard application files by modifying behavior of present applications with patches, injected malicious code. Hypervisor Rootkit: The Hypervisor hosts operating system of the target machine as a virtual machine and intercepts all hardware calls made by the target operating system.
Which of the following vulnerabilities is found in all the Intel processors and ARM processors deployed by Apple (and others) and leads to tricking a process to access out of bounds memory by exploiting CPU optimization mechanisms such as speculative execution? A) Dylib Hijacking B) Meltdown C) DLL Hijacking D) Privilege escalation
Meltdown Meltdown: Meltdown vulnerability is found in all the Intel processors and ARM processors deployed by Apple. This vulnerability leads to tricking a process to access out of bounds memory by exploiting CPU optimization mechanisms such as speculative execution. For example, an attacker requests to access an illegal memory location. He/she sends a second request to conditionally read a valid memory location. In this case, the processor using speculative execution will complete evaluating the result for both requests before checking the first request. When the processor checks that the first request is invalid, it rejects both the requests after checking privileges. Even though the processor rejects both the requests, the result of both the requests remains in the cache memory. Now the attacker sends multiple valid requests to access out of bounds` memory locations. Privilege escalation: In a privilege escalation attack, attackers first gain access to the network using a non-admin user account, and then try to gain administrative privileges. Attackers take advantage of design flaws, programming errors, bugs, and configuration oversights in the OS and software application to gain administrative access to the network and its associated applications. Dylib hijacking: OS X similar to windows is vulnerable to dynamic library attacks. OS X provides several legitimate methods such as setting the DYLD_INSERT_LIBRARIES environment variable, which are user specific. These methods force the loader to load malicious libraries automatically into a target running process. OS X allows loading of weak dylibs (dynamic library) dynamically, which allows an attacker to place a malicious dylib in the specified location. In many cases, the loader searches for dynamic libraries in multiple paths. This helps an attacker to inject a malicious dylib in one of the primary directories and simply load the malicious dylib at runtime. Attackers can take advantage of such methods to perform various malicious activities such as stealthy persistence, run-time process injection, bypassing security software, bypassing Gatekeeper, etc. DLL hijacking: Most Windows applications do not use the fully qualified path when loading an external DLL library; instead, they first search the directory from which they have been loaded. Taking this as an advantage, if attackers can place a malicious DLL in the application directory, the application will execute the malicious DLL in place of the real DLL.
In which of the following techniques is the text or an image considerably condensed in size, up to one page in a single dot, to avoid detection by unintended recipients? A) Invisible Ink B) Microdots C) Spread Spectrum D) Computer-Based Methods
Microdots
How can rainbow tables be defeated? A) Lockout accounts under brute force password cracking attempts B) Use of non-dictionary words C) All uppercase character passwords D) Password salting
Password salting Password salting is a technique where random strings of characters are added to the password before calculating their hashes. This makes it more difficult to reverse the hashes and defeats precomputed hash attacks. Rainbow tables can be created for all nondictionary words and uppercase characters. Locking out accounts is not a right answer as the rainbow attacks are passive attacks and not performed on live systems.
Which one of the following software program helps the attackers to gain unauthorized access to a remote system and perform malicious activities? A)Antivirus B)Rootkit C)Anti-spyware D)Keylogger
Rootkit Rootkit: Rootkits are software programs aimed to gain access to a computer without detection. These are malware that help the attackers to gain unauthorized access to a remote system and perform malicious activities. The goal of the rootkit is to gain root privileges to a system. By logging in as the root user of a system, an attacker can perform any task such as installing software or deleting files, and so on. Anti-Spyware: Anti-spyware provides real-time protection by scanning your system at regular intervals, either weekly or daily. It scans to ensure the computer is free from malicious software. Keyloggers: A keylogger is a hardware or software program that secretly records each keystroke on the user keyboard at any time. Keyloggers save captured keystrokes to a file for reading later or transmit them to a place where the attacker can access it. Antivirus: Antivirus is a software used to protect, detect, prevent, and remove malicious programs from systems and networks.
What is the best defense against a privilege escalation vulnerability? A) Run services with least privileged accounts and implement multifactor authentication and authorization. B) Review user roles and administrator privileges for maximum utilization of automation services. C) Never place executables in write-protected directories. D) Never perform debugging using bounds checkers and stress tests and increase the amount of code that runs with particular privilege.
Run services with least privileged accounts and implement multifactor authentication and authorization. The following are the best countermeasures to defend against privilege escalation: -Restrict the interactive logon privileges -Use encryption technique to protect sensitive data -Run users and applications on the least privileges -Reduce the amount of code that runs with particular privilege -Implement multi-factor authentication and authorization -Perform debugging using bounds checkers and stress tests -Run services as unprivileged accounts -Test operating system and application coding errors and bugs thoroughly -Implement a privilege separation methodology to limit the scope of programming errors and bugs -Change UAC settings to "Always Notify", so that it increases the visibility of the user when UAC elevation is requested -Restrict users from writing files to the search paths for applications -Continuously monitor file system permissions using auditing tools -Reduce the privileges of user accounts and groups so that only legitimate administrators can make service changes -Use whitelisting tools to identify and block malicious software that changes file, directory, and service permissions -Use fully qualified paths in all the Windows applications -Ensure that all executables are placed in write-protected directories -In MAC operating systems, prevent plist files from being altered by users making them read-only -Block unwanted system utilities or software that may be used to schedule tasks -Patch and update the web servers regularly
Which of the following is used by an attacker to manipulate the log files? A)Clear_Event_Viewer_Logs.bat B)Auditpol.exe C)clearlogs.exe D)SECEVENT.EVT
SECEVENT.EVT SECEVENT.EVT: Attackers may not wish to delete an entire log to cover their tracks, as doing so may require admin privileges. If attackers are able to delete only attack event logs, they will still be able to escape detection. The attacker can manipulate the log files with the help of: SECEVENT.EVT (security): failed logins, accessing files without privileges SYSEVENT.EVT (system): Driver failure, things not operating correctly APPEVENT.EVT (applications)
Which of the following techniques refers to the art of hiding data "behind" other data without the target's knowledge? A) Enumeration B)Scanning C)Footprinting D)Steganography
Steganography Steganography: Steganography refers to the art of hiding data "behind" other data without the target's knowledge. Thus, Steganography hides the existence of the message. It replaces bits of unused data into the usual files such as graphic, sound, text, audio, video, etc. with some other surreptitious bits. The hidden data can be plaintext or ciphertext, or it can be an image.
Which of the following technique is used by the attacker to distribute the payload and to create covert channels? A) Clear online tracks B) TCP Parameters C)Covering tracks D)Performing steganalysis
TCP Parameters TCP Parameters: TCP parameters can be used by the attacker to distribute the payload and to create covert channels. Some of the TCP fields where data can be hidden are as follow: IP Identification field: This is an easy approach where a payload is transferred bitwise over an established session between two systems. Here, one character is encapsulated per packet. TCP acknowledgement number: This approach is quite difficult as it uses a bounce server that receives packets from the victim and sends it to an attacker. Here, one hidden character is relayed by the bounce server per packet. TCP initial sequence number: This method also does not require an established connection between two systems. Here, one hidden character is encapsulated per SYN request and Reset packets.
In a Windows system, an attacker was found to have run the following command:type C:\SecretFile.txt >C:\LegitFile.txt:SecretFile.txtWhat does the above command indicate? A)The attacker has used Alternate Data Streams to copy the content of SecretFile.txt file into LegitFile.txt. B)The attacker has used Alternate Data Streams to hide SecretFile.txt file into LegitFile.txt. C)The attacker has used Alternate Data Streams to rename SecretFile.txt file to LegitFile.txt. D)The attacker was trying to view SecretFile.txt file hidden using an Alternate Data Stream.
The attacker has used Alternate Data Streams to hide SecretFile.txt file into LegitFile.txt. NTFS has a feature called as Alternate Data Streams that allows attackers to hide a file behind other normal files. Given below are some steps in order to hide file using NTFS: Open the command prompt with an elevated privilege Type the command "type C:\SecretFile.txt >C:\LegitFile.txt:SecretFile.txt" (here, LegitFile.txt file is kept in C drive where SecretFile.txt file is hidden inside LegitFile.txt file) To view the hidden file, type "more < C:\SecretFile.txt" (for this you need to know the hidden file name)
You need to do an ethical hack for BAYARA Company, and the manager says that you need to obtain the password of the root account of the main server to hire you. You are in possession of a rainbow table, what else do you need to obtain the password of the root? A) Inject an SQL script into the database B) The hash of the root password C) Do a vulnerability assessment D) Perform a network recognition
The hash of the root password
Which tool can be used to silently copy files from USB devices? A) USB Grabber B) USB Dumper C) USB Sniffer D) USB Snoopy
USB Dumper
Which of the following techniques allows attackers to inject malicious script on a web server to maintain persistent access and escalate privileges? A) Web Shell B) Scheduled Task C) Launch daemon D) Access Token Manipulation
Web Shell Web shell: A web shell is a web-based script that allows access to a web server. Web shells can be created in all the operating systems like Windows, Linux, MacOS, and OS X. Attackers create web shells to inject malicious script on a web server to maintain persistent access and escalate privileges. Attackers use a web shell as a backdoor to gain access and control a remote server. Generally, a web shell runs under current user's privileges. Using a web shell an attacker can perform privilege escalation by exploiting local system vulnerabilities. After escalating the privileges, an attacker can install malicious software, change user permissions, add or remove users, steal credentials, read emails, etc. Launch daemon: At the time of MacOS and OS X booting process, launchd is executed to complete the system initialization process. Parameters for each launch-on-demand system-level daemon found in /System/Library/LaunchDaemonsand/Library/LaunchDaemons are loaded using launchd. These daemons have property list files (plist) that are linked to executables that run at the time of booting. Attackers can create and install a new launch daemon, which can be configured to execute at boot-up time using launchd or launchctl to load plist into concerned directories. The weak configurations allow an attacker to alter the existing launch daemon's executable to maintain persistence or to escalate privileges. Access token manipulation: In Windows operating system, access tokens are used to determine the security context of a process or thread. These tokens include the access profile (identity and privileges) of a user associated with a process. After a user is authenticated, the system produces an access token. Every process the user executes makes use of this access token. The system verifies this access token when a process is accessing a secured object. Scheduled task: The Windows operating system includes utilities such as "at" and "schtasks." A user with administrator privileges can use these utilities in conjunction with the task scheduler to schedule programs or scripts that can be executed at a particular date and time. If a user provides proper authentication, he can also schedule a task from a remote system using RPC. An attacker can use this technique to execute malicious programs at system startup, maintain persistence, perform remote execution, escalate privileges, etc.
How does the SAM database in Windows operating system store the user accounts and passwords? A)The operating system uses key distribution center (KDC) for storing all user passwords. B) The operating system stores all passwords in a protected segment of volatile memory. C) The operating system performs a one-way hash of the passwords. D) The operating system stores the passwords in a secret file that users cannot find.
Windows uses the security accounts manager (SAM) database or active directory database to manage user accounts and passwords in the hashed format (one-way hash). The system does not store the passwords in plaintext format, but in hashed format, to protect them from attacks. The system implements SAM database as a registry file, and the Windows kernel obtains and keeps an exclusive file system lock on the SAM file. As this file consists of a file system lock, this provides some measure of security for the storage of passwords.
Which of the following is not a defense technique against malicious NTFS streams? A) Write critical data to alternate data streams B)Use up-to-date antivirus software C)Use File Integrity Monitoring tool like tripwire D)Move suspected files to FAT partition
Write critical data to alternate data streams You should do the following to defend against malicious NTFS streams: -To delete hidden NTFS streams, move the suspected files to FAT partition -Use third-party file integrity checker such as Tripwire File Integrity Monitor to maintain integrity of NTFS partition files against unauthorized ADS -Use third-party utilities such as EventSentry or adslist.exe to show and manipulate hidden streams -Avoid writing important or critical data to alternate data streams -Use up-to-date antivirus software on your system. -Enable real-time antivirus scanning to protect against execution of malicious streams -Use file-monitoring software such as Stream Detector (http://www.novirusthanks.org) and ADS Detector (https://sourceforge.net/projects/adsdetector/?source=directory) to help detect creation of additional or new data streams.
An engineer is learning to write exploits in C++ and is using Kali Linux. The engineer wants to compile the newest C++ exploit and name it calc.exe. Which command would the engineer use to accomplish this? A) g++ hackersExploit.cpp -o calc.exe B) g++ --compile -i hackersExploit.cpp -o calc.exe C) g++ hackersExploit.py -o calc.exe D) g++ -i hackersExploit.pl -o calc.exe
g++ hackersExploit.cpp -o calc.exe
Which of the following commands is used to disable the BASH shell from saving the history? A)history -c B)shred ~/.bash_history C)export HISTSIZE=0 D)history -w
export HISTSIZE=0
Which of the following vulnerability repositories is available online and allows attackers access to information about various software vulnerabilities? A) http://www.securityfocus.com B) https://www.tarasco.org C) http://foofus.net D)http://project-rainbowcrack.com
http://www.securityfocus.com Attackers search for any vulnerabilities on exploit sites such as Exploit Database (https://www.exploit-db.com), Security Focus (http://www.securityfocus.com), and Zero Day Initiative (http://zerodayinitiative.com). If a vulnerable component is identified, the attacker customizes the exploit as required and executes the attack. Successful exploitation allows attacker to cause serious data loss or takeover the control of servers. Attacker generally uses exploit sits to identify the web application exploits or performs vulnerability scanning using tools like Nessus and GFI LanGuard, to identify the existing vulnerable components. http://foofus.net is an advanced security services forum that provides various tools for cyber security. http://project-rainbowcrack.com provides RainbowCrack software used for cracking password hashes with rainbow tables. https://www.tarasco.org is a website that contains security-related tools and published exploit codes.