312-50 Ethical Hacking and Countermeasures Questions and Answers

Start by foot printing the network and mapping out a plan of attack.

Ask the employer for authorization to perform the work outside the company.

Begin the reconnaissance phase with passive information gathering and then move into active information gathering.

Use social engineering techniques on the friend's employees to help identify areas that may be susceptible to attack.

Begin security testing.

Turn over deliverables.

Sign a formal contract with non-disclosure.

Assess what the organization is trying to protect.

Threaten to publish the penetration test results if not paid.

Follow proper legal procedures against the company to request payment.

Tell other customers of the financial problems with payments from this company.

Exploit some of the vulnerabilities found on the company webserver to deface it.

Kismet

Nessus

Netstumbler

Abel

tcp.dstport==514 && ip.dst==192.168.0.150

tcp.srcport==514 && ip.src==192.168.0.99

tcp.dstport==514 && ip.dst==192.168.0.0/16

tcp.srcport==514 && ip.src==192.168.150

Open Scan

Null Scan

Xmas Scan

Half-Open Scan

Nmap -O -p80

Nmap -hU -Q

Nmap -sT -p

Nmap -u -o -w2

Nmap -sS -0p targe

KDC

CA

CR

CBC

You attempt every single possibility until you exhaust all possible combinations or discover the password

You threaten to use the rubber hose on someone unless they reveal their password

You load a dictionary of words into your cracking program

You create hashes of a large number of words and compare it with the encrypted passwords

You wait until the password expires

Netcat will listen on the 10.1.0.43 interface for 1234 seconds on port 2222.

Netcat will listen on port 2222 and output anything received to a remote connection on 10.1.0.43 port 1234.

Netcat will listen for a connection from 10.1.0.43 on port 1234 and output anything received to port 2222.

Netcat will listen on port 2222 and then output anything received to local interface 10.1.0.43.

ping 192.168.2.

ping 192.168.2.255

for %V in (1 1 255) do PING 192.168.2.%V

for /L %V in (1 1 254) do PING -n 1 192.168.2.%V | FIND /I "Reply"

Extensible Authentication Protocol (EAP)

Point to Point Protocol (PPP)

Point to Point Tunneling Protocol (PPTP)

Layer 2 Tunneling Protocol (L2TP)

IP Security (IPSEC)

Multipurpose Internet Mail Extensions (MIME)

Pretty Good Privacy (PGP)

Hyper Text Transfer Protocol with Secure Socket Layer (HTTPS)

Drops the packet and moves on to the next one

Continues to evaluate the packet until all rules are checked

Stops checking rules, sends an alert, and lets the packet continue

Blocks the connection with the source IP address in the packet

Proxy firewalls increase the speed and functionality of a network.

Firewall proxy servers decentralize all activity for an application.

Proxy firewalls block network packets from passing to and from a protected network.

Computers establish a connection with a proxy firewall which initiates a new network connection for the client.

NMAP -P 192.168.1-5.

NMAP -P 192.168.0.0/16

NMAP -P 192.168.1.0,2.0,3.0,4.0,5.0

NMAP -P 192.168.1/17

Semicolon

Single quote

Exclamation mark

Double quote

Spoofing an IP address

Tunneling scan over SSH

Tunneling over high port numbers

Scanning using fragmented IP packets

SSL

Mutual authentication

IPSec

Static IP addresses

Patch systems regularly and upgrade interactive login privileges at the system administrator level.

Run administrator and applications on least privileges and use a content registry for tracking.

Run services with least privileged accounts and implement multi-factor authentication and authorization.

Review user roles and administrator privileges for maximum utilization of automation services.

g++ hackersExploit.cpp -o calc.exe

g++ hackersExploit.py -o calc.exe

g++ -i hackersExploit.pl -o calc.exe

g++ --compile –i hackersExploit.cpp -o calc.exe

By implementing written security procedures, enabling employee security training, and promoting the benefits of security

By using informal networks of communication, establishing secret passing procedures, and immediately terminating employees

By sharing security secrets with employees, enabling employees to share secrets, and establishing a consultative help line

By decreasing an employee's vacation time, addressing ad-hoc employment clauses, and ensuring that managers know employee strengths

Sarbanes-Oxley Act (SOX)

Gramm-Leach-Bliley Act (GLBA)

Fair and Accurate Credit Transactions Act (FACTA)

Federal Information Security Management Act (FISMA)

Employers promote monitoring activities of employees as long as the employees demonstrate trustworthiness.

Employers use informal verbal communication channels to explain employee monitoring activities to employees.

Employers use network surveillance to monitor employee email traffic, network access, and to record employee keystrokes.

Employers provide employees written statements that clearly discuss the boundaries of monitoring activities and consequences.

Control Objectives for Information and Related Technology (COBIT)

Sarbanes-Oxley Act (SOX)

Health Insurance Portability and Accountability Act (HIPAA)

Payment Card Industry Data Security Standards (PCI DSS)

At least once a year and after any significant upgrade or modification

At least once every three years or after any significant upgrade or modification

At least twice a year or after any significant upgrade or modification

At least once every two years and after any significant upgrade or modification

guidelines and practices for security controls.

financial soundness and business viability metrics.

standard best practice for configuration management.

contract agreement writing standards.

Penetration testing

Social engineering

Vulnerability scanning

Access control list reviews

Process

Procedure

Policy

Paradigm

Truecrypt

Sub7

Nessus

Clamwin

Regulatory compliance

Peer review

Change management

Penetration testing

RSA 1024 bit strength

AES 1024 bit strength

RSA 512 bit strength

AES 512 bit strength

Transport layer

Application layer

Data link layer

Network layer

white box

grey box

red box

black box

limited to those functions required to do the job.

given root or administrative privileges.

trusted to keep all data and access to that data under their sole control.

given privileges equal to everyone else in the department.

Ping sweep of the 192.168.1.106 network

Remote service brute force attempt

Port scan of 192.168.1.106

Denial of service attack on 192.168.1.106

Perform a vulnerability scan of the system.

Determine the impact of enabling the audit feature.

Perform a cost/benefit analysis of the audit feature.

Allocate funds for staffing of audit log review.

Unauthenticated access

Weak SSL version

Cleartext login

Web portal data leak

Preventative

Detective

Offensive

Defensive

Vulnerability scanning

Social engineering

Application security testing

Network sniffing

Network sniffing

Permission sets

Integrity checking hashes

Firewall alerts

Passive

Reflective

Active

Distributive

Reject the risk.

Deny the risk.

Mitigate the risk.

Initiate the risk.

transfers information over, within a computer system, or network that is outside of the security policy.

transfers information over, within a computer system, or network that is within the security policy.

transfers information via a communication path within a computer system, or network for transfer of data.

transfers information over, within a computer system, or network that is encrypted.

Information reporting

Vulnerability assessment

Active information gathering

Passive information gathering

Reports

Testing tools

Metrics

Taxonomy of vulnerabilities

Moves the MBR to another location on the RAM and copies itself to the original location of the MBR

Moves the MBR to another location on the hard disk and copies itself to the original location of the MBR

Modifies directory table entries so that directory entries point to the virus code instead of the actual program

Overwrites the original MBR and only executes the new virus code

Network firewalls can prevent attacks because they can detect malicious HTTP traffic.

Network firewalls cannot prevent attacks because ports 80 and 443 must be opened.

Network firewalls can prevent attacks if they are properly configured.

Network firewalls cannot prevent attacks because they are too complex to configure.

Restore a random file.

Perform a full restore.

Read the first 512 bytes of the tape.

Read the last 512 bytes of the tape.

PSK (phase-shift keying)

FSK (frequency-shift keying)

ASK (amplitude-shift keying)

QAM (quadrature amplitude modulation)

Polymorphic virus

Multipart virus

Macro virus

Stealth virus

Paros Proxy

BBProxy

BBCrack

Blooover

Micro

Worm

Trojan

Virus

Fast processor to help with network traffic analysis

They must be dual-homed

Similar RAM requirements

Fast network interface cards

The victim user must open the malicious link with an Internet Explorer prior to version 8.

The session cookies generated by the application do not have the HttpOnly flag set.

The victim user must open the malicious link with a Firefox prior to version 3.

The web application should not use random tokens.

An attacker, working slowly enough, can evade detection by the IDS.

Network packets are dropped if the volume exceeds the threshold.

Thresholding interferes with the IDS’ ability to reassemble fragmented packets.

The IDS will not distinguish among packets originating from different sources.

Using the Metasploit psexec module setting the SA / Admin credential

Invoking the stored procedure xp_shell to spawn a Windows command shell

Invoking the stored procedure cmd_shell to spawn a Windows command shell

Invoking the stored procedure xp_cmdshell to spawn a Windows command shell