312-50 Practice Test Questions

763 Questions


Topic 5, System Hacking

Study the snort rule given below:


From the options below, choose the exploit against which this rule applies.


A. WebDav
B. SQL Slammer
C. MS Blaster
D. MyDoom

Answer: C. MS Blaster



Explanation: MS Blaster scans the Internet for computers that are vulnerable to its attack.
Once found, it tries to enter the system through port 135 to create a buffer overflow.
TCP ports 139 and 445 may also provide attack vectors.

The following script shows a simple SQL injection. The script builds an SQL query by
concatenating hard-coded strings together with a string entered by the user:

The user is prompted to enter the name of a city on a Web form. If she enters Chicago, the
query assembled by the script looks similar to the following:


SELECT * FROM OrdersTable WHERE ShipCity = Chicago

How will you delete the OrdersTable from the database using SQL Injection?


A. Chicago; drop table OrdersTable --
B. Delete table blah; OrdersTable --
C. EXEC; SELECT * OrdersTable > DROP --
D. cmdshell; del c:\sql\mydb\OrdersTable //

Answer: A. Chicago; drop table OrdersTable --



What hacking attack is challenge/response authentication used to prevent?


A. Replay attacks
B. Scanning attacks
C. Session hijacking attacks
D. Password cracking attacks

Answer: A. Replay attacks



Explanation: A replay attack is a form of network attack in which a valid data transmission
is maliciously or fraudulently repeated or delayed. This is carried out either by the originator
or by an adversary who intercepts the data and retransmits it. With a challenge/response
authentication you ensure that captured packets can’t be retransmitted without a new
authentication.

You want to capture Facebook website traffic in Wireshark. What display filter should you
use that shows all TCP packets that contain the word facebook?


A. display==facebook
B. traffic.content==facebook
C. tcp contains facebook
D. list.display.facebook

Answer: C. tcp contains facebook



Samuel is the network administrator of DataX communications Inc. He is trying to
configure his firewall to block password brute-force attempts on his network. He
enables blocking the intruder’s IP address for a period of 24 hours after more
than three unsuccessful attempts. He is confident that this rule will secure his
network from hackers on the Internet.
But he still receives hundreds of thousands of brute-force attempts generated from
various IP addresses around the world. After some investigation he realizes that the
intruders are using a proxy somewhere else on the Internet which has been scripted
to enable the random usage of various proxies on each request so as not to get
caught by the firewall.
Later he adds another rule to his firewall and enables a small sleep on the password
attempt so that if the password is incorrect, it would take 45 seconds to return to the
user to begin another attempt. Since an intruder may use multiple machines to brute
force the password, he also throttles the number of connections that he will be
prepared to accept from a particular IP address. This action will slow the intruder’s
attempts.
Samuel wants to completely block hackers' brute-force attempts on his network.
What are the alternatives to defending against possible brute-force password
attacks on his site?


A. Enforce a password policy and use account lockouts after three wrong logon attempts
even though this might lock out legit users
B. Enable the IDS to monitor the intrusion attempts and alert you by e-mail about the IP
address of the intruder so that you can block them at the firewall manually
C. Enforce complex password policy on your network so that passwords are more difficult
to brute force
D. You can’t completely block the intruders' attempts if they constantly switch proxies

Answer: D. You can’t completely block the intruders' attempts if they constantly switch proxies




Explanation: Without knowing where the next attack will come from, there is no way of
proactively blocking the attack. This is becoming an increasing problem with the growth of large
botnets using ordinary workstations and home computers in large numbers.

John Beetlesman, the hacker, has successfully compromised the Linux system of
Agent Telecommunications, Inc’s web server running Apache. He has downloaded
sensitive documents and database files off the machine.
After performing various tasks, Beetlesman finally runs the following command on
the Linux box before disconnecting.

for ((i=0;i<1;i++));do
   dd if=/dev/random of=/dev/hda && dd if=/dev/zero of=/dev/hda
done

What exactly is John trying to do?


A. He is making a bit stream copy of the entire hard disk for later download
B. He is deleting log files to remove his trace
C. He is wiping the contents of the hard disk with zeros
D. He is infecting the hard disk with random virus strings

Answer: C. He is wiping the contents of the hard disk with zeros



Explanation: dd copies an input file to an output file with optional conversions. if is the input
file, of is the output file. /dev/zero is a special file that provides as many null characters (ASCII
NULL, 0x00; not ASCII character "digit zero", "0", 0x30) as are read from it. /dev/hda is the
hard drive.

You run an nmap port scan on 10.0.0.5 and attempt to gain banner/server information from
services running on ports 21, 110 and 123.
Here is the output of your scan results:


Which of the following nmap commands did you run?


A. nmap -A -sV -p21,110,123 10.0.0.5
B. nmap -F -sV -p21,110,123 10.0.0.5
C. nmap -O -sV -p21,110,123 10.0.0.5
D. nmap -T -sV -p21,110,123 10.0.0.5

Answer: C. nmap -O -sV -p21,110,123 10.0.0.5



What will the following command produce on a website's login page if executed
successfully?

SELECT email, passwd, login_id, full_name FROM members WHERE email = someone@somewhere.com; DROP TABLE members; --


A. This code will insert the someone@somewhere.com email address into the members
table.
B. This command will delete the entire members table.
C. It retrieves the password for the first user in the members table.
D. This command will not produce anything since the syntax is incorrect

Answer: B. This command will delete the entire members table.



What is the algorithm used by LM for the Windows 2000 SAM?


A. MD4
B. DES
C. SHA
D. SSL

Answer: B. DES



Explanation: Okay, this is a tricky question. We say B, DES, but it could be
A, "MD4", depending on what they're asking. Windows 2000/XP does not keep users' passwords
in the clear, but as hashes, i.e. as a kind of "checksum" of the passwords. Let's look at
how passwords are kept in more detail. The most interesting structure in the complex SAM file
is the so-called V-block. Its size is 32 bytes and it includes the hashes of the password: the
NT Hash, 16 bytes long, used for local logon, and the LanMan Hash, or simply LM Hash, of
the same 16-byte length, used during authentication for access to the shared resources of
other computers. The algorithms used to form these hashes are as follows:

NT Hash formation:
1. The user password is converted to a Unicode string.
2. A hash is generated from this string using the MD4 algorithm.
3. The resulting hash is encoded with the DES algorithm, using the RID (i.e. user identifier)
as a key. This is necessary so that users who have equal passwords get different hashes.
Remember that all users have different RIDs (the RID of the Administrator's built-in
account is 500, the RID of the Guest's built-in account is 501, all other users get RIDs
equal to 1000, 1001, 1002, etc.).

LM Hash formation:
1. The user password is converted to upper case and padded with nulls up to a length of 14 bytes.
2. The resulting string is divided into halves of 7 bytes each, and each of them is encoded
separately using DES; the output of each is an 8-byte hash, for a total 16-byte hash.
3. The LM Hash is then additionally encoded in the same way as in step 3 of the NT Hash
formation algorithm.

Charlie is an IT security consultant who owns his own business in Denver. Charlie has
recently been hired by Fleishman Robotics, a mechanical engineering company also in
Denver. After signing service level agreements and other contract papers, Charlie asks to
look over the current company security policies. Charlie then compares
the policies against what is actually in place to secure the company's network. From this
information, Charlie is able to produce a report to give to company executives showing
which areas the company is lacking in. This report then becomes the basis for all of
Charlie's remaining tests.
What type of initial analysis has Charlie performed to show the company which areas it
needs improvements in?

 


A. Charlie has performed a BREACH analysis; showing the company where its weak points
are
B. This analysis would be considered a vulnerability analysis
C. This type of analysis is called GAP analysis
D. This initial analysis performed by Charlie is called an Executive Summary

Answer: C. This type of analysis is called GAP analysis



Explanation:
In business and economics, gap analysis is a tool that helps a company to compare its
actual performance with its potential performance.
At its core are two questions: "Where are we?" and "Where do we want to be?".
http://en.wikipedia.org/wiki/Gap_analysis

Jacob is looking through a traffic log that was captured using Wireshark. Jacob has come
across what appears to be SYN requests to an internal computer from a spoofed IP
address. What is Jacob seeing here?


A. Jacob is seeing a Smurf attack.
B. Jacob is seeing a SYN flood.
C. He is seeing a SYN/ACK attack.
D. He has found evidence of an ACK flood.

Answer: B. Jacob is seeing a SYN flood.



Which is the Novell Netware Packet signature level used to sign all packets?


A. 0
B. 1
C. 2
D. 3

Answer: D. 3



Explanation:
Level 0 is no signature, Level 3 is communication using signature only.

