Mid-term Exam
Unit 1 Questions: 1. Explain the Morris Worm and its significance.
It is considered to be the first Internet Worm. It was designed to count the number of systems connected to the Internet, however due to a flaw the worm replicated quickly and caused widespread slowdown across the globe.

2. Explain what____ hackers are.
White-Hat- Those that know how hacking works but use skills for good
Black-Hat – Those that through actions or stated intent, indicated that their hacking is designed to break the law, disrupt systems or businesses, or generate an illegal return
Grey-Hat – Rehabilitated hackers or those that once were on the (black-hat) dark side but are now reformed, not all people will trust a grey-hat hacker

3. What is ECPA and what does it regulate?
The Electronic Communications Privacy Act it prohibits eavesdropping or the interception of message contents without distinguishing between private or public systems

4. What is SOX and what does it regulate?
It is the Sarbanes-Oxley Act and it generates laws that affect public corporations financial reporting. Under SOX corps must certify the accuracy and integrity of financial reporting and accounting

5. What is the main motivation for hackers today and what was the previous motivation for earlier generations of hackers?
Today’s hackers are motivated by greed or money some for status/terrorism/revenge and some for fun. Early hackers were in it for the curiosity. However also today you have Hactivists that are in it for a cause.

6. Explain the 6 different fallacies of hacking. a. No-harm-was-done – its ok as long as nothing is stolen or damaged b. Computer-game- if the computer system didn’t take any action then it’s OK c. Law-abiding citizen- Writing a virus is not illegal so it must be OK d. Shatterproof – Computers cannot do any real harm. The worst that can happen is a deleted file or program e. Candy-from-a-baby – If it is so easy to copy a program or download a song how can it be illegal f. Hacker – Information should be free. No one should have to pay for books or media.

7. What is ethical hacking?
Hacking a system with the “written” consent of the asset owner to review their security vulnerabilities

8. What role does professional organizations and certifying bodies play in regards to ethical standards?

9. What is the issue with conducting security assessments without prior authorization?
Engaging in any hacking activity without the explicit permission of the owner of the target you are attacking is a crime whether you get caught or not. You will be treated as a hostile threat and persecuted by the law.
Unit 2 Questions: 1. From (Chap 2) of The Art of Intrusion, what are some of the countermeasures that can be used to reduce the threat of terrorist hacking?
Patch and update your system regularly, use defense in depth by placing publically accessed systems in a DMZ, Monitoring activity for unusual or suspicious, stronger authentication or passwords, it boils down to what you want to protect and how far you are willing to go to protect it. 2. From (Chap 1) of The Art of Intrusion, explain the importance of doing research to discover exploitable vulnerabilities when it comes to defending an existing computer system or network.
It was extremely helpful to the individuals that were trying to hack the casino machines. First they found out which type of machine then bought one, next they checked on a ROM chip under patents and found a working binary printout of the chip, they then engineered a way to count how they could exploit the random number generator. So I think that research worked out well for them. They also did the same for a newer machine and it worked then also.

3. Explain asymmetric encryption.
An algorithm that requires two separate keys one which is secret and one which is public they are mathematically linked. Public is used to encrypt plaintext or verify a digital signature private is used to decrypt or create a digital signature (they are inverse of each other)

4. What is MD5 hashing?
An improved/redesign of MD4. It provides a unique data fingerprint that is used to verify data sent and received. It changes dramatically if the message is altered. They are used for authentication and integrity of the data. One way encryption that produces 128 bit digest used to verify integrity (if file has been altered the hash should not match, but it is vulnerable to collision attacks) 5. What is IPSEC and what is it used for?
It stands for IP security and is used for information protection. It can be used to encrypt just the data or the data and the header of the information being sent.

6. What does hashing provide?
Security of integrity of a message or data, it gives the person opening the file a way of determining whether or not it has been tampered with.

7. What is the purpose of Authenticity in regards to cryptography?
It help with verifying that the data is in fact the data it claims to be.

8. What is the importance of the encryption key to stored data?
As near as I can tell without the proper key the stored data cannot be accessed. The encryption key is the cypher that unlocks the data, without the proper key the data remains useless without a serious decoding program

9. What are digital signatures used for?
It provides authentication and non-repudiation that the message was not altered
It gives a recipient reason to believe that a message was created by a known sender such as the sender cannot deny sending the message it also provides integrity.

10. What are the requirements of symmetric key encryption and what is the greatest danger with symmetric key encryption?
The key must be distributed to all parties involved; it must have a process of distributing the key. The greatest danger is the strength of the key (weak keys easier to crack/strong keys much harder to crack) Also the quality of the algorithm.

11. What is a birthday attack?
An exploit that possibly two messages might share the same message digits. It is a probability attack which finds two messages that hash to the same value (collision). Used for MD5 algorithm

12. What is SSL encryption used for?
A standard security algorithm protocols used to encrypt data between server and client, webserver and browser or even between mail server and client. Transmitting information securely over the internet.
Unit 3 Questions: 1. What is split-horizon DNS configuration and how can it be used to defend against footprinting? (Ch 5, The Art of Intrusion)
Setting up two DNS servers, one internal to resolve hostnames inside the network and an external one that contains only records for hosts that are used by the public. The public facing one should not contain records about internal hosts limiting what info is available during footprinting.

2. What are the valid footprinting techniques?
Pinging a destination to discover an IP address
Using a registrar to find out what country it comes from (arin.net, apnic.net) (tracing)
Using Netstat to find out who your computer is talking to (netstat –n)
Using allwhois.com to find out who is responsible for a particular domain
Social engineering for passwords and company information
Examine company website; identify key employees; analyze open positions and job requests; assess affiliate, parent or sister companies; find technologies and software used; determine network address and range; determine if system is hosted elsewhere; look for employee postings, blogs, and other leaked info; review collected data

3. What can be discovered by using Google Hacking?
Advisories and server vulnerabilities, error messages that contain too much info, files containing passwords, sensitive directories, pages containing logon portals, pages containing network or vulnerability data.

4. What is EDGAR and what is it used for?
(Electronic Data Gathering, Analysis and Retrieval) It is a database of corporate information, it allows for the research of a company’s activities, registration statements, and periodic reports which include financial statements. It makes a good footprinting tool.

5. Which techniques can be used to secure DNS?
Limit zone transfers to specified IPs
Limit who can create, modify and delete DNS Data
Keep everything internal 6. What can Internet Archives be used for and what are a few names of some?
Gleaning older information about a website or information from the past about a company or person of interest. It provides permanent free storage to collections of digitized materials such as websites, music, moving images, public domain books.
WABAC Machine
Archive-it
Open Library

7. What are some key DNS words that can be used to help identify potential targets?
Nslookup
Dig
Fierce (used for brute forcing)
Whois
Host (command) etc.
Explination of DNS records for getting started:
A= Links a Host name to an IP.
NS= Name Server (I.E, ns1.sysexploits.net)
MX= Mail server Records
CNAM= Used to thread many names to a Single IP.

8. What can be done to help prevent search engine exposures?
Prevent indexing, minimize journal inclusion, and stop live journal searches,

9. What is ICANN and what can it be used for?
Internet Corporation for Assigned Names and Numbers, is used for gathering info regarding IP addresses and domain names.

10. How can penetration testers use a physical address of a company?
They can use your address to attempt to penetrate you system once they have it they can scan for open ports to see if you are vulnerable to attack (hack). They can use a known exploit to gain access to your system.

11. Explain Footprinting and why is can be useful?
The process of using various tools to understand and learn the best way to attack a target. Basically using internet to find out everything about the company to exploit the network

By the admin using footprinting they may help to thwart the loopholes or open ports in their own system. If you already know what a hacker might use you have a chance to stop them 12. How can newsgroups be used against a company?
They can be useful for footprinting a company, by letting the hackers know more information about the company. They are basically an online bulletin board

Unit 4 Questions: 1. What basic defenses against social engineering are provided in Chpt. 10, The Art of Intrusion?

2. Explain how War-dialing works.
It uses a modem to dial random numbers, looking for a modem.
War dialing is a practice that involves calling large volumes of phone numbers to collect information about which numbers connect to modems and other devices of interest

3. How does SYN scan work as a network attack and what types of defenses can it bypass?
Understand the basic nature of client/server connections in order to understand these attacks. A client sends a SYN packet to a server as its opening request, to initiate a "handshake." The server, if it receives this SYN packet, responds with a SYN-ACK. The client, then, responds with an ACK.
Basically, if I'm an attacker, I can send a server a SYN package, but never acknowledge the ACK that comes back. The server holds a half-open connection for me, but I never reply. Instead I send a new SYN packet from yet another spoofed IP address, opening but never acknowledging another connection. Before long the server is overwhelmed with these faked connections, and DOS results: this is a SYN flood. 4. How would you use NMAP to treat all hosts as online?
-Pn: Treat all hosts as online -- skip host discovery
The -Pn flag allows nmap to assume that the host is online because you told nmap that the host is online.

5. Explain OS fingerprinting.
Determining the operating system in use on specific target; 2 types: active which interacts directly with target, responses are analyzed, and educated guess made based on responses; and passive: sniff network traffic and it for patterns that may suggest which OS it is.

6. How can null sessions be used with enumeration?
Null Sessions are a ‘feature’ of Windows allowing an anonymous user to connect to the IPC$ share and enumerate certain information. We can connect to this under Windows using the commands:

net use \\IP_ADDRESS\ipc$ "" /user:"" net use

7. What types of information can NetBIOS enumeration provide?
Usernames, share names, service information, providers

8. What can be discovered with ARIN lookups?
ARIN's WHOIS service gives contact and registration information for IP addresses, autonomous system numbers (ASN), organizations or customers that are associated with these resources, and related Points of Contact (POC). It doesn't include information on domain names or military networks

9. What is a privilege escalation attack and how does it work?
Compromising a low level account, finding one that has more privileges, and changing the password on that account.

10. What is a back door and what are some of the tools that can be used to create a back door from the command line?
A backdoor in a login system might take the form of a hard coded user and password combination which gives access to the system user and password combination which gives access to the system
Win Shell, VB script, Perl, PHP, Jave and C+

Unit 5 Questions: 1. What is tailgating in terms of penetration testing?(Chp 6 Art of Intrusion)

2. Explain what web site defacement is?
Website defacement is an attack on a website that changes the visual appearance of the site or a webpage. These are typically the work of system crackers, who break into a web server and replace the hosted website with one of their own.

3. What type of tool are Nessus and OpenVAS?
Vulnerability scanners, they help admins find problems with their own system but can also help hackers find holes in systems that they want to hack. They can also give you a solution to problems they find.

4. Explain what NAT is in relation to IP addresses?
Network Address Translation (NAT) is the process where a network device, usually a firewall, assigns a public address to a computer (or group of computers) inside a private network. The main use of NAT is to limit the number of public IP addresses an organization or company must use, for both economy and security purposes.

5. What is cross-site scripting (and give an example) and how might you defend against it?
When an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user
Defense
Never insert untrusted data except in allowed locations
HTML Escape before inserting untrusted data into an HTML element content
Attribute escape before inserting untrusted data into HTML common attributes
Java script escape before inserting untrusted data into JavaScript data values

6. What does Brutus do and what type of tool is it?
It’s a remote password cracker

7. What are some types of information that can be discovered through an insecure login system?

8. What is SQL injection and what can it do?
It involves the alteration of SQL statements that are used with a web application thru the use of an attacker supplied data.
With success you can
Bypass authentication Compromise data Availability
Information Disclosure Remote command execution
Compromise Data Integrity

9. Why is a unique identifier important for each and every session to have?
A session ID is used to identify a particular user and can be attached to a user’s IP for security purposes to avoid fraudulent communications of visitors to a website. They help to identify a user to a specific visit to a website for security and verification.

10. Why is proper tracking of database user actions important?
So that you as an administrator can review who has done what, when and where in case of problems with the database. Most cases of problems are from internal use personnel. This also helps to find persons that might have damaged them.

11. What are the issues and concerns about database attacks such as injection attacks for organizations?
If a data base gets hacked by a SQL injection the hacker would have access to all of the information that they do not need access to. With the compromise of the database they could delete or destroy critical data.

12. How can database attacks be defended against?
Separation of production or abilities in the database.(i.e. development/actual database)
Limited access
Read only roles with minimal privileges and actions
(Default accounts/users and roles/exposed passwords/patching/privileges and permissions/parameters/password management/profiles/auditing/listener security) check all and basically harden the environment.

13. What does a typical web site banner look like?
Http/1.1 200 OK
Server: <web server name and version>
Content-Location: http://192.168.100.100/index.htm
Date: Wed, 12 May 2010 14:03:52 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Wed, 12 May 2010 18:56:06 GMT
ETag: “067d136a639be1: 15b6”
Content-Length: 4325
Unit 6 Questions: 1. Explain different methods to protect against malware.
Use strong security software
Use a security conscious Internet Service Provider (ISP)
Enable Automatic Window updates
Use caution when opening attachments
Be careful when engaging in Peer-to-peer file sharing
Download the latest version of your browser
Make sure websites are legit before you go there
Back up your files regularly

2. What is a Worm and what threat does it pose?
A computer worm is a self-replicating computer program that penetrates an operating system with the intent of spreading malicious code.
It is possible to install a backdoor to your system with a worm.
Worms are self-replicating and spread across networks exploiting vulnerabilities
They are usually sent in the form of attachments

3. What is a Trojan and what threat does it pose?
In the IT environment, the Trojan horse acts as a means of entering the victim’s computer undetected and then allowing a remote user unrestricted access to any data stored on the user's hard disk drive whenever he or she goes online. Their primary objective is to allow a remote user a means gaining access to a victim's machine without their knowledge.
Executing any files from suspicious or unknown sources.
Opening an e-mail attachment from an unknown source.
Allowing a "friend" access to your computer while you are away.
By executing files received from any online activity client such as ICQ.
Virtually every Trojan virus is comprised of two main parts. These are the called the "server" and the other, the "client". It is the server part that infects a user’s system.

4. What is a Virus and what threat does it pose?
Computer viruses are pieces of computer code, designed to implant itself in programs or files with the idea of destroying, or changing the data transmitted. Viruses are a threat to the computer since they spread through interchange of files and programs, loaded onto a computer and executed. They also slow down computers, crash a system, or simply reroute data to other units.

5. What is a polymorphic virus, what threat does it pose and how is it different from a standard virus?
Polymorphic viruses create varied (though fully functional) copies of themselves as a way to avoid detection by anti-virus software. Some polymorphic virus use different encryption schemes and require different decryption routines. Thus, the same virus may look completely different on different systems or even within different files. Other polymorphic viruses vary instruction sequences and use false commands in the attempt to thwart anti-virus software. One of the most advanced polymorphic viruses uses a mutation engine and random-number generators to change the virus code and its decryption routine. Also see: mutating virus.
For example, a polymorphic virus might have a virus decryption routine (VDR) and an encrypted virus program body (EVB). When an infected application launches, the VDR decrypts the encrypted virus body back to its original form so the virus can perform its intended function. Once executed, the virus is re-encrypted and added to another vulnerable host application. Because the virus body is not altered, it provides a kind of complex signature that can be detected by sophisticated antivirus programs

6. What is scareware and what threat does it pose?
These pop-ups known as scareware, fake, or rogue anti-virus software look authentic and may even display what appears to be real-time anti-virus scanning of the user’s hard drive. The scareware will show a list of reputable software icons; however, the user cannot click a link to go to the actual site to review or see recommendations.

The scareware is intimidating to most users and extremely aggressive in its attempt to lure the user into purchasing the rogue software that will allegedly remove the viruses from their computer. It is possible that these threats are received as a result of clicking on advertisements contained on a website. Cyber criminals use botnets to push the software and use advertisements on websites to deliver it. This is known as malicious advertising or malvertising.

7. What can the netstat tool be used for?
Netstat is a common command line TCP/IP networking utility available in most versions ofWindows, Linux, UNIX and other operating systems. Netstat provides information and statistics about protocols in use and current TCP/IP network connections. (The name derives from the words network and statistics.)
The Windows help screen (analogous to a Linux or UNIX man page) for netstat reads as follows:
Displays protocol statistics and current TCP/IP network connections.
NETSTAT -a -b -e -n -o -p proto -r -s -v interval -a | Displays all connections and listening ports. | -b | Displays the executable involved in creating each connection or listening port. In some cases well-known executables host multiple independent components, and in these cases the sequence of components involved in creating the connection or listening port is displayed. In this case the executable name is in [] at the bottom, on top is the component it called, and so forth until TCP/IP was reached. Note that this option can be time-consuming and will fail unless you have sufficient permissions. | -e | Displays Ethernet statistics. This may be combined with the -s option. | -n | Displays addresses and port numbers in numerical form. | -o | Displays the owning process ID associated with each connection. | -p proto | Shows connections for the protocol specified by proto; proto may be any of: TCP,UDP, TCPv6, or UDPv6. If used with the -s option to display per-protocol statistics, proto may be any of: IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6. | -r | Displays the routing table. | -s | Displays per-protocol statistics. By default, statistics are shown for IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and UDPv6; the -p option may be used to specify a subset of the default. | -v | When used in conjunction with -b, will display sequence of components involved in creating the connection or listening port for all executables. | interval | Redisplays selected statistics, pausing interval seconds between each display. Press CTRL+C to stop redisplaying statistics. If omitted, netstat will print the current configuration information once. |