System Hacking
What are the steps followed in pivoting?
1 - Discover Live Hosts 2 - Setup routing rules 3 - Scan ports of live systems 4 - Exploit vulnerable services
What are the 4 steps in the CEH hacking methodology?
1. Gaining Access 2. Escalating Privilege 3. Maintaining Access 4. Clearing Logs
What are Service Object Permissions?
A misconfigured service permission may allow an attacker to modify or reconfigure the attributes associated with that service.
What is the privilege escalation technique Web Shell?
A web shell is a web-based script that allows access to a web server. Web shells can be created in all OSs like Windows, Linux, MacOS, and OS X. Attackers create web shells to inject a malicious script on a web server to maintain persistent access and escalate privileges.
Which countermeasures allow a security professional to defend against techniques for covering tracks?
Activate the logging functionality on all critical systems
What does a Hypervisor Level Rootkit do?
Acts as a hypervisor and modifies the boot sequence of the computer system to load the host operating system as a virtual machine.
What are Modifiable registry autoruns?
Attackers can exploit misconfigured autoruns in registries.
What is a shy-compatible shell that stores command history in a file?
Bash
Joel, a professional hacker, has targeted an organization to steal sensitive information remotely. He was successful in the attack and was able to access sensitive data of the organization. He is now trying to wipe out the entries corresponding to his activities in the system to remain undetected. Which of the following hacking steps is Joel performing now?
Clearing Logs
Which Windows command-line tools is utilized by an attacker to overwrite data for preventing recovery in the future and also encrypt and decrypt data in NTFS partitions?
Cipher.exe
Identify the technique used by the attackers to wipe out the entries corresponding to their activities in the system log to remain undetected?
Clearing Logs
Lee, a professional hacker, decided to launch a few attacks on an organization to test his hacking skills. In this process, he employed a password cracking technique in which he merged the entries of one dictionary with those of another dictionary to produce full names and compound words, consequently cracking a password on the target system. Which Password attack did he attempt?
Combinator attack
A pen tester is using Metasploit to exploit an FTP server and pivot to a LAN. How will the pen tester pivot using Metasploit?
Create a route statement in the meterpreter
Which techniques are used by attackers to clear online tracks?
Disabling auditing
Which type of stack memory register stores the address of the next instruction to be executed?
EIP
In which hacking stage does an attacker use Trojans, spyware, backdoors, and keyloggers to create and maintain remote access to a system?
Executing applications
Where is the password hash stored on a domain environment?
On the domain controller in a file called ntds.dit
In which hacking phase does an attacker create a profile of the target organization and obtain information such as its IP address range, namespace, and employees?
Footprinting
An attacker is exploiting a buffer overflow vulnerability identified on a target server. Which of the following steps allows the attacker to send a large amount of data to the target server so that it experiences buffer overflow and overwrites the EIP register?
Fuzzing
What registry entry would you delete to clear Most Recently Used (MRU) list?
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
What does a Hardware/Firmware Rootkit do?
Hides in hardware devices or platform firmware that are not inspected for code integrity.
Which type of password attack does not lead to any changes in the system and includes techniques such as wire sniffing, man-in-the-middle attacks, and replay attacks?
Passive online attacks
What are Unquoted Service Paths?
In Windows OSs, when a service starts running, the system attempts to find the location of the executable file to launch the service successfully. Generally, the executable path is enclosed in quotation marks "", so that the system can easily locate the application binary.
Which is the reason why programs and applications are vulnerable to buffer overflow exploitation?
Insufficient input sanitization
Which protocol employs the key distribution center (KDC) that consists of two logically distinct parts, namely an authentication server (AS) and a ticket-granting server (TGS), and uses "tickets" to prove a user's identity?
Kerberos authentication
What is the privilege escalation technique Kernel Exploits?
Kernel exploits refer to programs that can exploit vulnerabilities present in the kernel to execute arbitrary commands or code with higher privileges. By successfully exploiting kernel vulnerabilities, attackers can attain superuser or root-level access to the target system.
What is the most difficult Rootkit to detect?
Kernel-level rootkit
What is the privilege escalation technique Path Interception?
Path interception is a method of placing an executable in a particular path in such a way that the application will execute it in place of the legitimate target. Attackers can exploit several flaws or misconfigurations to perform path interception like unquoted paths (service paths and shortcut paths), path environment variable misconfiguration, and search order hijacking.
What does a Boot Loader Level Rootkit do?
Replaces the original boot loader with the one controlled by a remote attacker.
Wat does a Library Level Rootkit do?
Replaces the original system calls with fake ones to hide information about the attacker.
What is the best defense against a privilege escalation vulnerability?
Run services with least privileged accounts and implement multifactor authentication and authorization.
Where on a local PC is your password stored?
SAM database
What is used by an attacker to manipulate the log files?
SECEVENT.EVT
What is the privilege escalation technique Application Shimming?
Shims run in user mode, and they cannot modify the kernel. Some of these shims can be used to bypass UAC (RedirectEXE), inject malicious DLLs (InjectDLL), capture memory addresses (GetProcAddress), etc. An attacker can use these shims to perform different attacks including disabling Windows Defender, privilege escalation, installing backdoors, etc.
What does the Steganography attack Chosen-message do?
This attack generates stego objects from a known message using specific steganography tools in order to identify the steganography algorithms.
Which malware masks itself as a benign application or software that initially appears to perform a desirable or benign function but steals information from a system?
Trojan
Which technique is used by the attacker to distribute the payload and to create covert channels?
TCP parameters
What does the Steganography attack Distinguishing Statistical do?
The attacker analyzes the embedded algorithm used to detect distinguishing statistical changes along with the length of the embedded data
What does the Steganography attack Known-cover do?
The attacker compares the stego-object and the cover medium to identify the hidden message.
What does the Steganography attack Chi-square do?
The attacker performs probability analysis to test whether a given stego object and original data are the same or not.
How does the SAM database in Windows operating system store the user accounts and passwords?
The operating system performs a one-way hash of the passwords
Which misconfigured service allows attackers to deploy Windows OS without the intervention of an administrator?
Unattended Installs
Which command is used to disable the BASH shell from saving the history?
export HISTSIZE=0
Which technique is used by an attacker for identifying the active hosts, open ports, and unnecessary services enabled on target hosts?
scanning
In the Phase1 Gaining access to the system for system hacking, what 2 pieces of information do you need to gain access to a system?
username and password