ANS Quiz Question Bank 1.

. List the four components of security Confidentiality concealment of information or resources Authenticity identification and assurance of the origin of information Integrity trustworthiness of data in terms of preventing improper and unauthorized changes Availability ability to use the information desired 2. Define the terms: Threat, Vulnerability, Exploit Threat - Situation wherein human or natural occurrences can cause undesirable outcome Vulnerability - Presence of fault in the design or implementation of the system that lead to an unanticipated compromise of security Exploit - A defined way to breach the security of an IT through vulnerabilities 3. Who is a hacker? Differentiate between malicious and ethical hacker A computer expert In-depth knowledge of target platforms such as Unix & Linux Extensive knowledge of networking and related hardware and software Knowledge about security areas and related issues 4. Discuss the steps to conduct ethical hacking. Talk to the client and discuss the needs to be addressed during the testing Prepare and sign the nondisclosure agreement Organize an ethical hacking team and prepare a schedule for testing Conduct the test Analyze the results of the testing and prepare a report Present the report to the client 5. Explain different types of network security testing >Black box -performing a security evaluation and testing without any prior knowledge of the infrastructure or the system -Simulates an attack by a malicious attacker outside the network >White box -performing a security evaluation and testing with complete knowledge of the infrastructure or the system such as a network administrator >Grey box -performing a security evaluation and testing internally -Examines the extent of access by insiders within the network.

6. What are the phases of hacking Phase1 Phase2 Phase3 Phase4 Phase5 - Reconnaissance - Scanning Gaining access Maintaining access Covering tracks

7. What are the information gathered during foot printing Information gathered during this phase -Domain name -Network services and applications -System architecture -Intrusion detection systems -Specific IP address -Access control mechanisms -Authentication mechanisms -Phone numbers and contact lists 8. Various methods of information gathering in the footprinting phase -Ascertain active machines -Find the active machines by pinging to them -Discover open ports / access points -Identify the open ports and access points in active machines using port scanner -Detect operating systems -Detect the operating systems by querying using telnet -Uncover services on ports -Map the network Information gathering methodology Unearthing initial information Domain name lookup HTML source code of website Dumpster diving Physical access Search engines Locate the network range Locate the network range of the target system using tools such as nslookup and whois 9. Steps on how to perform footprinting -Finding companies external and internal URL -Perform whois lookup for personal details -Extract DNS information -Mirror the entire website and lookup names -Extract archives of the websites -Google search for personal information of employees

-Find the physical location of the webserver using the tool Neotracer -Analyze companys infrastructure details from job postings -Track email using readnotify.com 10.Types of DNS records -Types of DNS records -A host IP address -MX Host mail Exchange -NS Host name server -SOA authority of the domain -HINFo host info with CPU type and operating system 11.What is competitive intelligence gathering and why you need it Process of gathering information about your competitor from freely available resources. Non-interfering and subtle in nature. Compare your products with that your competitors Analyze your market positioning compared to the competitors Pull up list of competing companies in the market Extract sales person stories on how deals are won or lost in this arena Study the resumes/ skills et of the CEO, management and technical teams Predict the competitors tactics and methodology based on their previous track record 12.State of the objectives of scanning To To To To To detect live systems running on the network discover which ports are active/running discover the operating system running on the target system discover the services running/listening on the target system discover the IP address of the target system 13.Types of scanning >Port scanning -open ports and services -Series of messages sent with well known port numbers >Network scanning -Identifies active hosts on the network -IP address used for attack or network security assessment. >Vulnerability scanning -Identify the presence of known weaknesses 14.Scanning methodology _ Check for live systems _ Check for open ports _ Identify service

_ _ _ _ _

OS identification Scan for vulnerability Draw network diagram of vulnerable hosts Prepare proxies Active probe / silently monitor the traffic 15.TCP based scanning

Manipulation of TCP 3-way handshake is the basis for TCP based scanning _ 3-way handshake _ SYN sent from client _ SYN/ACK sent from server _ ACK sent from client 16.Banner grabbing - Provides info about the type and version of software that is running E.g Telnet banner grab against a Microsoft-IIS/5.0 server C:\> telnet 192.168.0.100 80 HTTP/1.1 400 Bad request Server: Microsoft-IIS/5.0 Date: mon, 05 Feb 2009 16:04:52 GMT +8:00 Context-Type: text/html Other tool: Netcat 17.State the services for the following port numbers PORT # SERVICE 21 23 25 53 80 161 194 119 2049 18.Scanning countermeasures Firewall of a particular network should be good enough to detect the probes of an attacker Network intrusion detection systems should be used to find out the OS detection methods Only necessary ports should be kept open All sensitive information that is not to be disclosed to the public over the internet should not be displayed 19.Enumeration definition, information gathered FTP Telnet SMTP DNS HTTP SNMP IRC NNTP shilp

Process of discovering logon accounts and passwords and gaining access to network resources Next step after scanning phase that identifies the live hosts and their OS in the network. Active phase as it involves connecting to the system Information gathered in this phase are - Resources and shares on the network - Usernames or groups on assigned networks - The last time a user logged on as well as the logon password 20.Enumerating Microsoft windows OS ( learn in detail) _ _ _ _ _ _ _ _ _ _ Windows Vista, XP, 2000, NT, Server 2003 etc share the same kernel Two layers User mode Limited access to system resources Lower priority to applications Attack tools can be detected by anti-attack programs Kernel mode unlimited access to system resources Higher priority to applications Attack tools hide from detection and harder to remove 21.Enumeration countermeasures Null sessions Null sessions require to access ports TCP 139 or 445. These ports can be disabled If possible system administrator can disable SMB services Restrict anonymous user by editing the registry Open regedt32 Navigate to HKLM\SYSTEM\CurrentControlSet\LSA Choose edit | add value Value name: RestrictAnonymous Datatype: REG_WORD Value: 2 SNMP countermeasures - Simplest way is to turn off the SNMP service - Change the default publc community name - Implement Group policy security restriction additional restrictions for annonymous connections - Access to null session pipes, IPsec filtering should be restricted

22. Password cracking & countermeasures

Passive online attack Get access to the communication channel and record raw network traffic Wait until authentication sequence Brute force credentials / proxy authentication-traffic Relatively hard to penetrate Tools: wire sniffing / Main-in-middle and replay attacks Active online attack Try different passwords until one works Succeeds with : Bad passwords Open authentication points Takes long time Tools: password guessing Offline attack Encrypted passwords are readable by the attacker Dictionary attack Checks the password and detects the correct password by the hash functions and hash value is compared with encrypted value Try different passwords from the list Succeeds only with poor passwords Hybrid attack Starts with a dictionary list Insert an entropy ( append a symbol / number) Relatively fast Non-Technical attacks Shoulder surfing Keyboard sniffing Social engineering COUNTERMEASURES Enforce 8-12 bit character alphanumeric passwords Set the password change policy to 30 days Physically isolate and protect the server Monitor server logs for brute force attacks 23. Rootkits and rootkit detectors Changing the h attribute of the file >Rootkits Replaces OS system files with its own >Countermeasures Detecting rootkit is difficult If detected, shutdown the computer and check its storage by booting from an alternative reliable media Rootkit detectors : Backlight Rootkit revealer Malicious software removal tool ( from Microsoft)

24. Steganography Process of hiding data in imagesxx -Hide data files into the graphic files -Embedded information include -Source code for hacking -List of compromised servers -Plans for future attacks 25. Covering tracks Once intruder gained access, they will try to cover this detection of their presence Intruder installs backdoor programs on the attacker system for easy access in future Methods : Disabling auditing Clearing event log ( elsave) Evidence eliminator 26. Defnition of sniffers Sniffing is passively eavesdropping on the network. A way for hackers to gain information on the network. E.g. Username Password Can also be used as an investigating technique. 27. How sniffers A packet sniffer is a program that eavesdrops on the network traffic. It captures data as it passes across the network. >Normal Condition Data is placed in frames for the local area network. Each frame is addressed to a particular MAC address. Each network interface card (NIC) and network device has a unique MAC address. Usually MAC address is not allowed to be changed. NIC only receives packets destined to its specific MAC address, and all other packets are ignored. >Promiscuous mode When the NIC is in promiscuous mode, it will pass the data from every frame to the protocol stack regardless of the MAC address. 28. What sniffer can do Determine the local gateway of an unknown network via passive sniffing. Become a simple password sniffer Parsing each application protocol and saving interesting information. Output all requested URLs sniffed from HTTP traffic and analyze them offline. Send URLs sniffed from a client to your local Netscape browser for display.

Intercept packets from a target host by forging ARP replies. Flood the local network with random MAC addresses Cause some switches to fail open in repeating mode 29. Detection of a malicious sniffer DNS Test _ Create numerous fake TCP connections. _ Expecting a poorly written sniffer to _ pick up on those connections. _ Resolve the IP addresses of the nonexistent hosts. _When a reverse DNS lookup occurs, a sniffer detection tool sniffs the lookup request to see if the target is the nonexistent host. Ping Test _ Construct an ICMP echo request _ Set the IP address to that of the suspected host. _ Deliberately choose a mismatched MAC address. _ Most systems will ignore this packet since its hardware address is wrong. _ In some systems, if the NIC is in promiscuous mode, the sniffer will grab this packet as a legitimate packet and respond accordingly. _ If the suspected host replies to our request, we know that it is in promiscuous mode. _ Clever attackers are of course aware of this and update their sniffers to filter out these packets. ICMP Ping Latency Test _ Ping the suspected host and take the round trip time. _ Create a lot of fake TCP connections. _ We expect the sniffer to be processing those packets and the latency will increase. _ Ping the suspected host again to see if the round trip time is increased. ARP Test _ Send out an ARP request to the suspect host with all valid information except a bogus destination MAC address. _ A machine that is not in promiscuous mode would never see the packet. _ If a machine is in promiscuous mode, the ARP request would be seen and the kernel would process it and reply. 30. Sniffer countermeasures The best countermeasure for a sniffer is not to allow the hacker to have access to your systems. _ Use switches instead of hubs. _With a hub, all traffic is shown to each system on the LAN. _ In a switched environment, frames are shown only to the interface where the MAC address

actually resides. _ However, some new sniffers have the capability to sniff on switched networks. _ The best way to avoid damage by sniffers is not to pass usernames and passwords over the network in form of clear text. _ Encryption is the key idea. _ Use SSH instead of telnet. _ Use HTTPS instead of HTTP _ Use SCP and SFTP for file transfer. 31. Session hijacking definition, steps, types, sequence number prediction, TCP session hijacking is when a hacker takes over a TCP session between two machines >Steps for session hijacking _ Tracking the connection _ Desynchronizing the connection _ Injecting the attackers packet _ Synchronize back the connection to the client >Place yourself between the victim and the target _ Monitor the flow of packets _ Predict the sequence number _ Kill the connection to the victims machine _ Take over the session _ Start injecting packets to the target server >Active _ Attacker finds an active session and take over _ Passive _ Attacker hijacks a session but sits back and watches and records all the traffic. Accurate prediction is important for successful take over _ Client send s SYN to the server, server respond with SYN-ACK with a sequence number of choosing, which the client must respond with ACK _ The attacker first connects to the service with its own IP, records the sequence number and opens a second connection with a forged IP address. _ The attacker doesnt see the SYN-ACK but still can predict the sequence number. TCP/RST hijacking >RST Involves injecting an authentic-looking reset (RST) packet _ Spoof the source address and predict the acknowledgement _ The victim will believe the source actually sent the reset packet and will reset the session Hacking technique that uses spoofed address to take over a connection between a victim and target machine

_ The victims connection hangs and the hacker is then able to communicate with the host machine as if the victim is a attacker >TCP _ To launch TCP/IP hijacking attack, the hacker must be on the same network as the victim _ The target and victim can be anywhere _ Most computers are vulnerable as they are using TCP/IP 32. Diff. between spoofing and hijacking In spoofing, attacker does not actively take over another user offline to perform the task _ He just pretends to be an another user to gain access _ In hijacking, an attacker takes over an existing session, which means he relies on legitimate user to make an authentic connection _ Subsequently the attacker takes over the session 33. Session hijacking countermeasures Use encryption _ Use a secure protocol ( IPSEC) _ Limit incoming connection _ Minimize remote access _ Educate the employee 34. How web servers are compromised Misconfigurations _ In Os or network _ In web server software _ Bugs _ OS bugs _ Flaws in programming code _ Installing server / OS with defaults _ Service packs not applied properly leaving holes behind _ Lack of proper security policy, procedures and maintenance 35. Web server hacking risks >On the server side _ Steal classified info _ Execute command on server machine and alter system configuration _ Retrieve host based information _ Launch DOS attacks make website unavailable >On the client side _ Crash the browser _ Damage user system _ Breach user privacy _ Misuse of personal information that user provides on active web pages

>Network eavesdropping _ Capturing network data transmitted from browser or server / vice-versa _ Can be done from : Browser side network connection Server side network connection End user ISP Server side ISP 36. Web server hardening methods Rename the administrator account using a strong password _ Disable default websites and ftp sites _ Remove unused applications from the server _ Disable directory browsing in the web page configuration settings _ Disable remote administration _ Enable auditing and logging _ Use a script to map unused file extensions to a 404 error message File not found _ Add a legal notice to the site to make the potential hackers aware of legal implications 37. Web server hacking countermeasures Scanning for existing vulnerabilities _ Applying patches _ Anonymous access restriction _ Incoming traffic request screening and filtering 38. Introduction to firewalls The main purpose of a firewall system is to control access to or from a protected network.. _ It helps implement an organizational security policy for a given network. _ Firewalls let the network administrators define the services and resources to which access is permitted. _ A firewall implements a network access policy by forcing connections to pass through particular computer(s) designated as firewall -- where they can be examined and evaluated. _ A firewall system can be a router, a personal computer, a host, or a collection of these. Firewall is to protect a network from attackers. _ Without firewalls, you leave your security dependent only upon the individual hosts security. _ For example, a computer running a telnet service on a network without a firewall can compromise the security of other computers in that network if the security on the computer running telnet is not tight. 39. Types of firewalls services

Packet filtering to prevent unauthorized access to services or from a certain set of external computers. _ protection from routing-based attacks, such as source routing and other attempts to manipulate packets in the ICMP protocol. _ control access to certain sites on the network. This allows administrators to seal off unwanted access from specific hosts, but still allows certain hosts like mail servers and information servers to run unhindered. _ block DNS information about a network. _ log any connections made with foreign hosts or just log statistics about users with in the network. These log files are very important because they can be reviewed and a system administrator can detect and attempts of intruding, misuse by legitimate members of the network. 40. Firewall components Network Policy Two levels of network policy that directly influence the design, installation and use of a firewall system. _ The higher-level policy is issue specific, network access policy that defines those services that will be allowed. _ The lower-level policy describes how the firewall will actually go about restricting the access and filtering the services that were defined in the higher-level policy. Advanced authentication mechanisms THE BOOK DOESNT HAVE ANYTHING ON IT SO FK IT. Packet Filtering IP Packet filtering is done using a packet filtering router designed for filtering packets as they pass between the routers interfaces. _ A packet filter router usually can filter IP packets based on some or all of the following fields: _ Source IP address _ Destination IP address _ TCP/UDP source port _ TCP/UDP destination port Application Gateways Firewalls often use software applications to forward and filter connections for services such as TELNET and FTP. Such an application is referred to as a proxy service, while the host running this is referred to as an application gateway. _ Application gateways and packet filtering can be combined to provide higher levels of security and flexibility than if either were used alone. _ E.g If the application gateway contains proxies for FTP and TELNET, only FTP and TELNET may be allowed in the subnet that is using the proxy.

41. Honeypot definition and types of implementation >Definition A honeypot is a resource which pretends to be a real target. A honeypot is expected to be attacked or compromised. The main goals are the distraction of an attacker and the gain of information about an attacker, his methods and tools. >Types of implementation Level of Involvement _ Low Involvement: Port Listeners _ Mid Involvement: Fake Daemons _ High Involvement: Real Services _ Risk increases with level of involvement 42. Introduction of penetration testing A penetration test simulates methods that intruders use to gain unauthorized access to an organization's networked systems and compromise them. _ Most hackers follow a common approach when it comes to penetrating a system _ In the context of penetration testing, the tester is limited by resources namely time, skilled resources, and access to equipment as outlined in the penetration testing agreement. Pen Test involves using proprietary and open source tools to test for known and unknown technical vulnerabilities in networked systems. _ It also involves manual testing for conducting targeted testing on specific systems to ensure that there are no security flaws that may have gone undetected earlier. 43. Types of pen testing >External Testing _ Involves analysis of publicly available information, a network enumeration phase and the behavior of security devices analyzed >Internal Testing _ Typically performed from a number of network access points, representing each logical and physical segment _ Black hat testing, Grey hat testing, White hat testing 44. Pen test tools >Cerberus Internet scanner _ Helps to find and fix vulnerabilities in the systems >Cybercop scanner _ Helps to find and fix vulnerabilities in the systems >Foundscan _ Identify and locate the OS running on each system by analyzing the returned data >Nessus >NetRecon _ To define common intrusion and attack scenarios and locate loop holes

>SAINT _ Monitors every live system on a network for TCP and UDP connections >Securenet PRO _ Session monitoring, firewall, hijacking and keyword based intrusion detection systems 45. Phases of pen test Preattack phase Passive reconnaissance _ Active reconnaissance _ Best practices : Maintain a log Timestamp of all communications Reason out the strategic choices to the input/ output Develop or acquire tools base on your strategy _ Results interpretation Attack Phase Penetrate perimeter _ Acquire target _ Escalate privileges _ Execute, implant and retract Post attack phase This phase is to restore the system to their pre-test states _ Activities : Removing all files uploaded Cleaning all the registry entries Removing all tools and exploits Removing the shares and connections Analyzing the results and presenting to the organisation