Penetration Testing Final
____________ is a non-profit organization with the primary goal of improving the security of software.
OWASP
Bob, a blackhat hacker, wants to gain a shell on Alice's machine. If Bob sends a malicious file to Alice in the hopes she will download and execute the file, which type of shell should Bob configure his exploit and payload to use?
Reverse Shell
A _______ session is a Windows feature designed to give access to information over the network, but can be used to collect information such as password policy, user names and groups, shared folders, and host SIDs.
null
Match each type of password attack to the description of the attack. 1. An attack that uses a list of common words or combinations of characters to attempt to find a matching password. 2. An attack that uses every possible combination of characters to crack a password. 3. An attack that uses a precomputed table of hash values to recover the plain text of a password. 4. An attack that requires sniffing traffic from both sides of a connection in order to intercept the password on the wire.
1. Dictionary Attack 2. Brute-Force 3. Rainbow Attack 4. Man-in-the-middle
A tool that can be used to encode or create binaries from metasploit exploits is ___________.
Msfvenom
A common technique to enumerate DNS information on a system is known as _______________
Zone Transfers
Match the OWASP Top 10 Web Application Security Risks to their descriptions. 1. Injection 2. Broken Authentication 3. Sensitive Data Exposure 4. External Entities (XXE) 5. Broken Access Control 6. Security Misconfiguration 7. Cross-Site Scripting (XSS) 8. Insecure Deserialization 9. Using components with known vulnerabilities 10. Insufficient Logging and Monitoring
1. Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. 2. Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities temporarily or permanently. 3. Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser. 4. Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI, internal port scanning, remote code execution, and denial of service attacks. 5. Restrictions on what users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or users' accounts, view sensitive files, modify other users' data, change access rights, etc. 6. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched and upgraded in a timely fashion. 7. flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites. 8. often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks. 9. libraries, frameworks, and other software modules run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts. 10. allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.
Match the following general-purpose registers in an x86 architecture to the proper description. 1. ESP 2. EBP 3. EIP 4. Free Points!
1. Points to top of the stack 2. Points to the highest memory address in the stack 3. Holds the memory address of the next instruction to be executed 4. Free Points!
Which of the following HTTP response codes indicates success/ok?
200
Which of the following can be broadly classified as an injection vulnerability?
All of These
_____________ is a programming language that makes a one-to-one human-readable translation to machine code.
Assembly
Alice wants to gain a shell on Bob's machine. Both parties agree that Alice should initiate the connection and Bob's machine should be passively waiting for the incoming connection from Alice.
Bind Shell
What type of attack relies on a variation of the input validation attack but has the goal of going after a user instead of the application or data?
Cross-site scripting (XSS)
______________ is a step beyond port scanning that establishes an active connection to help discover useful information such as user names, service versions or settings, network shares, etc.
Enumeration
__________ is a technique designed to find bugs in software applications by sending random combinations of inputs, but can also be used to create exploits in the application using a debugger.
Fuzzing
Which application protocol is the most popular when used in a web-based client/server architecture?
HTTP(S)
A denial of service (DoS) attack is considered a critical problem because it is very difficult to defeat.
False
A distributed denial of service (DDoS) attack is mostly an annoyance; however, a denial of service (DoS) attack is much more of a problem.
False
Are there any topics in this course that you would have liked to see covered in more depth? Were there any topics not covered that you were hoping to learn about?
Freebie
The default hash used by modern Windows operating systems' SAM database is ______________
NTLM
Using a ________ allows an attacker to intercept requests and responses between a client and a web server.
proxy
Which of the following is NOT considered a vulnerability of web servers?
Poor end-user training
Which of the following can be used for passive password attacks?
Replay Attacks | Man-In-The-Middle
Which type of exploit development takes advantage of how the Windows operating system handles exceptions?
SEH Overwrites
Often used by network administrators to monitor networks and devices, which protocol can be used to gather information such as ARP and routing tables, as well as traffic statistics?
SNMP
Which type of attack results in overwriting or corrupting data in a memory buffer?
Stack-Based Buffer Overflow
Which of the following statements is NOT true regarding Structured Query Language (SQL) injections?
They are specific to only one vendor's database and cannot force the application to reveal restricted information.
A buffer overflow associated with a web application can result in data being corrupted or overwritten.
True
Input validation refers to restricting the type of input or data the website will accept so that mistakes will not be entered into the system.
True
The following technique is a viable option to use when attempting to create malicious files to bypass antivirus (AV) solutions on a potential victim. Obfuscation with an encoder. This will help scramble the contents and intentions of the malicious code, making it more difficult for anti-virus products to classify the code as good or bad.
True
When a password is stored on a local system, a _____ algorithm is run against it so that it is not stored as plain text.
hash
A ______________ is a software program or hardware device that can be installed on a system to record what the user is typing. Often used in non-technical password attacks.
keylogger
A binary value that represents an instruction that can be executed by a CPU.
opcode
A technique of adding a random number to a value before hashing it is known as ____________.
salting
