CHAPTER 5

Attacking a System

This chapter includes questions from the following topics:

•   Describe the CEH Hacking Methodology and System Hacking steps

•   Describe methods used to gain access to systems

•   Describe methods used to escalate privileges

•   Describe methods used to maintain access to systems

•   Describe methods of evidence erasure

•   Identify rootkit function and types

•   Identify basics of Windows and Linux file structure, directories, and commands

I hope nobody reading this will ever find themselves in this situation, but have you ever given any thought at all to what you would do if challenged to a fight? I’m not talking about the free-for-all brawls in elementary and middle school, surrounded by a circle of cheering, but ignorant, children; I’m talking about an actual street confrontation you cannot get out of. In almost every situation, most people are taught to leave the situation and protect themselves, and that’s absolutely the right way to go. But every once in a while, good law-abiding folks are put in a situation they can’t get out of, and a physical confrontation is inevitable.

Did you know there’s a science to hand-to-hand combat? Pugilism (pygmachia in Greek, made into an Olympic sport in 688 BC) is the hand-to-hand combat sport better known as boxing. Despite the circus it has become in modern times, boxing was a well-respected and carefully studied art for thousands of years. It’s not just simply putting two guys in a ring and having them beat on each other; it’s about crafting a strategy to accentuate strengths and exploit weaknesses. Sound familiar?

And we’re not talking about just boxing here—hand-to-hand combat takes on many forms. Professional boxers, for example, might tell you that light punches are faster, require less energy, and leave you less vulnerable. They might also advise you that deception and speed in combat are much more valuable than strength and the “knockout punch.” Self-defense experts might point out areas of the human anatomy that disable an attacker, providing you a means of escape. They might also point out things like the value of a knife versus a gun in defense situations and that one cleverly executed strike, set up and thrown with quickness (sometimes not even with power), may be all it takes to frustrate and confuse an attacker. The science of carrying out a physical attack on an individual, and protecting yourself against such an attack, is founded on the principles of distance, leverage, and timing. It’s fascinating, even if you don’t ever plan on being in a situation requiring the knowledge.

You may be sitting there having no idea what kind of virtual damage you can do with the knowledge you’ve gained so far. Who knows if, put in the right situation, you’d knock out virtual targets with ease? I can see you now, looking down at your keyboard in awe and answering the “How did you do that?” question with, “I don’t know—the training just kicked in.” Granted, we still have a lot of training to do, and I doubt you’ll be punching any virtual targets outside an agreed-upon scope (after all, you are an ethical hacker, right?). However, this chapter will help hone your skills. Here, we’ll talk all about system attacks and putting to use some of the training and knowledge you already have in place.


STUDY TIPS    System attacks come in many forms, but EC-Council really likes the password attacks. Know your password rules, attacks, and tools well. You will definitely see loads of questions about passwords—the use, storage, and hashing of passwords, as well as attacks against them, will be covered ad nauseam on your exam. Pull some of these tools down and play with them because you’ll need to know what they look like, how they operate, and what capabilities they have.

Next, when it comes to this chapter, you really need to get to know Linux better. Questions regarding Linux will most likely revolve around kernel modules, file structures, storage locations, and the command-line interface. Again, the easiest way to learn all this is to download a Linux distro and run it in a VM on your machine. Take advantage of the thousands of Linux how-to videos and articles you can find on the Internet: it’s one thing to read it in a book, but you’ll learn far more if you actually perform it yourself.

QUESTIONS

1.   You are examining test logs from the day’s pen test activities and note the following entries on a Windows 10 machine:

[log listing not reproduced]

Which of the following statements is true regarding the code listing?

A.   The team member added a user account.

B.   The team member switched his login to that of a different user.

C.   The team member changed the password of a user.

D.   The team member renamed a user account.

2.   Amanda works as a security administrator for a large organization. She discovers some remote tools installed on a server and has no record of a change request asking for them. After some investigation, she discovers an unknown IP address connection that was able to access the network through a high-level port that was not closed. The IP address is first traced to a proxy server in Mexico. Further investigation shows the connection bounced between several proxy servers in many locations. Which of the following is the most likely proxy tool used by the attacker to cover his tracks?

A.   ISA proxy

B.   IAS proxy

C.   TOR proxy

D.   Netcat

3.   The following HOSTS file was pulled during an incident response:

[HOSTS file listing not reproduced]

Which of the following statements best describes the HOSTS file?

A.   A user on the machine attempting to go to check their bank account at mybank.com will be directed to a Chinese IP address instead.

B.   A user on the machine attempting to go to google.com will receive an HTTP return code of 400.

C.   A user on the machine attempting to go to gmail.com will redirect to the local host.

D.   Any DNS resolution to IP 220.181.0.16 will be redirected to one of the five sites listed in round-robin fashion.

4.   Which of the following opens the Computer Management MMC in a Windows command line?

A.   compmgmt.mmc

B.   compmgmt.msc

C.   compmgmt.exe

D.   computermgmt.exe

5.   Which of the following will extract an executable file from NTFS streaming?

A.   c:\> cat file1.txt:hidden.exe > visible.exe

B.   c:\> more file1.txt | hidden.exe > visible.exe

C.   c:\> type notepad.exe > file1.txt:hidden.exe

D.   c:\> list file1.txt$hidden.exe > visible.exe

6.   Which command is used on a Linux machine to allow all privileges to the user, read-only to the group, and read-only for all others to a particular file?

A.   chmod 411 file1

B.   chmod 114 file1

C.   chmod 117 file1

D.   chmod 711 file1

E.   chmod 744 file1

7.   Examine the following passwd file:

[passwd file listing not reproduced]

Which of the following statements are true regarding this passwd file? (Choose all that apply.)

A.   None of the user accounts has passwords assigned.

B.   The system makes use of the shadow file.

C.   The root account password is root.

D.   The root account has a shadowed password.

E.   Files created by Alecia will initially be viewable by Jason.

8.   You are attempting to hack a Windows machine and want to gain a copy of the SAM file. Where can you find it? (Choose all that apply.)

A.   /etc/passwd

B.   /etc/shadow

C.   c:\windows\system32\config

D.   c:\winnt\config

E.   c:\windows\repair

9.   Which of the following statements are true concerning Kerberos? (Choose all that apply.)

A.   Kerberos uses symmetric encryption.

B.   Kerberos uses asymmetric encryption.

C.   Clients ask for authentication tickets from the KDC in clear text.

D.   KDC responses to clients never include a password.

E.   Clients decrypt a TGT from the server.

10.   What is the difference between a dictionary attack and a hybrid attack?

A.   Dictionary attacks are based solely on word lists, whereas hybrid attacks make use of both word lists and rainbow tables.

B.   Dictionary attacks are based solely on whole word lists, whereas hybrid attacks can use a variety of letters, numbers, and special characters.

C.   Dictionary attacks use predefined word lists, whereas hybrid attacks substitute numbers and symbols within those words.

D.   Hybrid and dictionary attacks are the same.

11.   Which of the following contains a listing of port numbers for well-known services defined by IANA?

A.   %windir%\etc\lists

B.   %windir%\system32\drivers\etc\lmhosts

C.   %windir%\system32\drivers\etc\services

D.   %windir%\system32\drivers\etc\hosts

12.   Which of the following SIDs indicates the true administrator account?

A.   S-1-5-21-1388762127-2960977290-773940301-1100

B.   S-1-5-21-1388762127-2960977290-773940301-1101

C.   S-1-5-21-1388762127-2960977290-773940301-500

D.   S-1-5-21-1388762127-2960977290-773940301-501

13.   In which step of EC-Council’s system hacking methodology would you find steganography?

A.   Cracking passwords

B.   Escalating privileges

C.   Executing applications

D.   Hiding files

E.   Covering tracks

14.   A review of the command history on a Linux box shows the following command entered:

[command history listing not reproduced]

Which of the following is the best description of what the attacker is attempting to accomplish?

A.   Add a user to the system.

B.   Elevate current login privileges.

C.   Change passwords for users.

D.   Display password file contents.

15.   You are examining LM password hashes and see the following:

3A02DF5289CF6EEFAAD3B435B51404EE

Which of the following passwords is most likely to have created the hash?

A.   123456789

B.   CEHISHARD

C.   c3HisH@RD!

D.   CEHhard

16.   You are examining history logs on a Linux machine and note the attacker added an ampersand (&) after a few process commands. Which of the following is true regarding this?

A.   The & symbol has no effect on the process command.

B.   The & symbol runs the process as a background task and closes it when the user logs off.

C.   The & symbol ensures the process continues to run after the user logs off.

D.   The & symbol concatenates the process to subsequent commands.

17.   Which of the following are considered offline password attacks? (Choose all that apply.)

A.   Using a hardware keylogger

B.   Brute-force cracking with Cain and Abel on a stolen SAM file

C.   Using John the Ripper on a stolen passwd file

D.   Shoulder surfing

18.   If a rootkit is discovered on the system, which of the following is the best alternative for recovery?

A.   Replacing all data files from a good backup

B.   Installing Tripwire

C.   Reloading the entire system from known-good media

D.   Deleting all data files and rebooting

19.   Examine the following portion of a log file, captured during a hacking attempt:

[log file excerpt not reproduced]

What was the attacker attempting to do?

A.   Copy files for later examination

B.   Cover his tracks

C.   Change the shell to lock out other users

D.   Upload a rootkit

20.   You suspect a hack has occurred against your Linux machine. Which command will display all running processes for you to review?

A.   ls -d

B.   ls -l

C.   su

D.   ps -ef

E.   ifconfig

21.   An organization wants to control network traffic and perform stateful inspection of traffic going into and out of its DMZ. Which built-in functionality of Linux can achieve this?

A.   iptables

B.   ipchains

C.   ipsniffer

D.   ipfirewall

22.   Which of the following best describes Cygwin?

A.   Cygwin is a Unix subsystem running on top of Windows.

B.   Cygwin is a Windows subsystem running on top of Unix.

C.   Cygwin is a C++ compiler.

D.   Cygwin is a password-cracking tool.

23.   Which folder in Linux holds administrative commands and daemons?

A.   /sbin

B.   /bin

C.   /dev

D.   /mnt

E.   /usr

24.   Which of the following is the appropriate means to pivot within a Metasploit attack session?

A.   Use the pivot exploit outside meterpreter.

B.   Reconfigure network settings in meterpreter.

C.   Set the payload to propagate.

D.   Create a route statement in the meterpreter.

25.   You are examining files on a Windows machine and note one file’s attributes include “h.” What does this indicate?

A.   The file is flagged for backup.

B.   The file is part of the help function.

C.   The file is fragmented because of size.

D.   The file has been quarantined by an antivirus program.

E.   The file is hidden.

26.   An attacker has gained access to an internal system. Using Metasploit, he accesses and attacks other internal systems. Which of the following terms best describe the action taken?

A.   Attack splitting

B.   Pivoting

C.   Attack swinging

D.   Hinging

27.   Which of the following tools can assist in discovering the use of NTFS file streams? (Choose all that apply.)

A.   LADS

B.   ADS Spy

C.   Sfind

D.   Snow

28.   Which authentication method uses DES for encryption and forces 14-character passwords for hash storage?

A.   NTLMv1

B.   NTLMv2

C.   LAN Manager

D.   Kerberos

QUICK ANSWER KEY

1.   C

2.   C

3.   A

4.   B

5.   A

6.   E

7.   B, D, E

8.   C, E

9.   A, B, C, D, E

10.   C

11.   C

12.   C

13.   D

14.   D

15.   D

16.   B

17.   A, B, C

18.   C

19.   B

20.   D

21.   A

22.   A

23.   A

24.   D

25.   E

26.   B

27.   A, B, C

28.   C

ANSWERS

1.   You are examining test logs from the day’s pen test activities and note the following entries on a Windows 10 machine:

[log listing not reproduced]

Which of the following statements is true regarding the code listing?

A.   The team member added a user account.

B.   The team member switched his login to that of a different user.

C.   The team member changed the password of a user.

D.   The team member renamed a user account.

C. The net commands in Windows will definitely make an appearance on your exam, and because it's impossible to tell which syntax or command structure they'll throw at you, you should learn them all. In this example, net user on its own lists all local accounts on the machine. Next, the team member ran net user USERNAME PASSWORD, where USERNAME is the account to update and PASSWORD is the new password to set. In this example, the account USER1 had its password changed to user2. Other net user switches include /ADD, /DELETE, /TIMES, and /ACTIVE. Net commands run in the security context of the logged-on user (and, with UAC enabled on Windows 10, anything that modifies accounts needs an elevated prompt), so ensure you're actually an administrator on the machine before attempting many of them.

Net commands have many other uses. For example, net view displays the computers visible in the workgroup or domain, net use creates, disconnects, and displays connections to shared resources, net share lists the resources shared from the local machine (and creates or removes shares), and net start lists running services or starts one by name.

A is incorrect because this does not match the syntax provided. If the team member wanted to add a user, he'd first ensure he had administrative privileges and would then use net user USERNAME PASSWORD /ADD (where USERNAME is the name of the account to be created); putting that account into the local Administrators group is a separate step, net localgroup administrators USERNAME /ADD.

B is incorrect because net user never changes the identity you are running as; switching to another user's context is what runas (or a fresh logon) does.

D is incorrect because net user has no rename option; a local account is renamed through the Computer Management console or the PowerShell Rename-LocalUser cmdlet, and the SID stays the same either way.

2.   Amanda works as a security administrator for a large organization. She discovers some remote tools installed on a server and has no record of a change request asking for them. After some investigation, she discovers an unknown IP address connection that was able to access the network through a high-level port that was not closed. The IP address is first traced to a proxy server in Mexico. Further investigation shows the connection bounced between several proxy servers in many locations. Which of the following is the most likely proxy tool used by the attacker to cover his tracks?

A.   ISA proxy

B.   IAS proxy

C.   TOR proxy

D.   Netcat

C. I've mentioned it before, and I'll mention it again here: sometimes the CEH exam and real life just don't match up. Yes, this question may be, admittedly, a little on the "hokey" side, but it's valid insofar as EC-Council is concerned. The point here is that Tor (The Onion Router; https://www.torproject.org/) provides a quick, easy, and really groovy way to hide your true identity when performing almost anything online. According to the site, "Tor protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location." (For the real-world folks out there, just know that without law enforcement and some serious network visibility, you'd probably be successful in tracking to the first hop, but that'd be it.) Tor is, by nature, dynamic, and a hacker can simply use a different circuit for each attack. Just remember the question is really about identifying Tor as a means of covering tracks and not necessarily a treatise on how it really works. Were this a discussion based in reality, we'd be more interested in how Amanda would determine the connection was bouncing around proxies in the first place: more realistically, she might detect several similar connections leveraging the same access that were coming from several different countries, or match the source addresses against the published list of Tor exit nodes.

A is incorrect because an Internet Security and Acceleration (ISA) server isn't designed to bounce between multiple proxies to obscure the original source. Per Microsoft, ISA "is the successor to Microsoft's Proxy Server 2.0 ... and provides the two basic services of an enterprise firewall and a Web proxy/cache server. ISA Server's firewall screens all packet-level, circuit-level, and application-level traffic. The Web cache stores and serves all regularly accessed Web content in order to reduce network traffic and provide faster access to frequently-accessed Web pages. ISA Server also schedules downloads of Web page updates for non-peak times."

B is incorrect because Internet Authentication Service (IAS) is the Windows Server component that provides Remote Authentication Dial-In User Service (RADIUS) to clients. It's not designed as an obfuscating proxy; its purpose is authentication.

D is incorrect because, while you can set up a single relay with Netcat by having a listener forward to the next hop, and it may even be possible to chain several together, it's simply not designed to work that way (and that's what this question was all about to begin with). Netcat gives you a listening port or an outbound connection, not a proxy, and building a chain of anonymizing relays from it would be insanely complicated and unnecessary with the myriad other options available.

3.   The following HOSTS file was pulled during an incident response:

[HOSTS file listing not reproduced]

Which of the following statements best describes the HOSTS file?

A.   A user on the machine attempting to go to check their bank account at mybank.com will be directed to a Chinese IP address instead.

B.   A user on the machine attempting to go to google.com will receive an HTTP return code of 400.

C.   A user on the machine attempting to go to gmail.com will redirect to the local host.

D.   Any DNS resolution to IP 220.181.0.16 will be redirected to one of the five sites listed in round-robin fashion.

A. The HOSTS file (%SystemRoot%\System32\drivers\etc\hosts on Windows, /etc/hosts on Linux) is a thing of beauty or an instrument of horror and terror, depending on how you look at it. Before a Windows system even bothers to ask DNS for an IP matching a name request, it checks the HOSTS file first; its entries are preloaded into the DNS resolver cache. For example, when the user types www.mybank.com in their browser and presses ENTER, Windows checks the HOSTS file to see if there is a mapping for that name. If there is one, that's where the user will go. If there's not, Windows will ask DNS for an IP to use. Therefore, if you edit your own HOSTS file, you can save yourself from lots of ad stream sites (just map them to 127.0.0.1 or 0.0.0.0) and ensure your kids don't accidentally go somewhere they're not supposed to. If you can write to your target's HOSTS file, you can send them anywhere you want.

In this example, it appears someone has gotten hold of this particular machine's HOSTS file and has edited it to send some common URL requests to a Chinese IP. Maybe they've set up fake versions of these sites in order to grab credentials. Or maybe they just want to DoS the user. In any case, any attempt to go to mybank.com, google.com, gmail.com, amazon.com, or facebook.com will immediately be directed to the Chinese IP listed. Until the file is cleaned up (followed by ipconfig /flushdns so the stale mappings leave the resolver cache), the only way the user could avoid this is to use IP addresses instead of names. Two things a responder should note: the file is writable only by administrators by default, so a modified HOSTS file means the attacker already had elevated access on this host, and a single address owning many popular names is the signature to hunt for across the rest of the fleet.

B is incorrect because it is impossible to tell whether a 400 return code (which means the server cannot or will not process the request due to an apparent client error, such as malformed request syntax, invalid request message framing, or deceptive request routing) would appear. If the request is valid (it should be) and whatever the bad guy set up at that IP accepts it, 400 will not be returned.

C is incorrect because the gmail.com entry points at the Chinese address, not at 127.0.0.1. D is incorrect because a HOSTS file maps names to addresses, never the reverse, and it has no round-robin behavior: every one of the five names resolves to the same single IP.
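The audit logic described above, as an added Python example that is not part of the original text: it parses a HOSTS file the way the resolver does (comments and blank lines ignored, several names per line), treats loopback and 0.0.0.0 entries as benign blocking, and reports watched names that have been pointed at a routable address plus any single address that owns several names. The sample file is constructed for illustration; the only values taken from the question are the five domain names and the 220.181.0.16 address named in option D.

```python
import ipaddress
from collections import defaultdict

# Constructed sample hosts file (not the listing from the question). The
# address 220.181.0.16 is the one named in option D; everything else is made up.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
220.181.0.16    mybank.com www.mybank.com
220.181.0.16    google.com
220.181.0.16    gmail.com
220.181.0.16    amazon.com
220.181.0.16    facebook.com
0.0.0.0         ads.example.net    # local ad-blocking entry, benign
"""

# Names whose resolution should never come from a local hosts entry.
WATCHED = {"mybank.com", "google.com", "gmail.com", "amazon.com", "facebook.com"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring blank lines and comments.
    One hosts line may carry several names for the same address."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line; the resolver skips it as well
        for name in fields[1:]:
            yield ip, name.lower()


def is_sinkhole(ip):
    """Entries pointing at loopback or 0.0.0.0 block a name rather than
    redirecting it; that is how hosts-based ad blockers work."""
    return ip.is_loopback or ip.is_unspecified


def audit_hosts(text, watched=WATCHED):
    """Return a report of names redirected to a routable address.
    hijacked : name -> ip, for watched names resolving somewhere real
    fan_in   : ip -> sorted names, for any address owning two or more names
    """
    hijacked = {}
    by_ip = defaultdict(set)
    for ip, name in parse_hosts(text):
        if is_sinkhole(ip):
            continue
        by_ip[ip].add(name)
        base = name[4:] if name.startswith("www.") else name  # www.mybank.com counts as mybank.com
        if base in watched:
            hijacked[name] = str(ip)
    fan_in = {str(ip): sorted(names) for ip, names in by_ip.items() if len(names) > 1}
    return {"hijacked": hijacked, "fan_in": fan_in}


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    for name, ip in sorted(report["hijacked"].items()):
        print(f"HIJACKED {name:20s} -> {ip}")
    for ip, names in report["fan_in"].items():
        print(f"{ip} owns {len(names)} names: {', '.join(names)}")
```

On a live Windows host you would feed it the contents of %SystemRoot%\System32\drivers\etc\hosts; the fan-in check is the part worth keeping, since a legitimate file almost never maps more than one unrelated public name to the same address.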

4.   Which of the following opens the Computer Management MMC in a Windows command line?

A.   compmgmt.mmc

B.   compmgmt.msc

C.   compmgmt.exe

D.   computermgmt.exe

B. Admittedly this one is an easy pick, assuming, of course, you've studied and know your MMCs in Windows. You have studied them, right? Because if you had, you'd know that Microsoft Management Consoles can be used for a variety of tasks. Some of these MMCs include Computer Management, Device Manager, Event Viewer, Group Policy Editor, and Active Directory Users and Computers. While you can create your own custom MMC by typing mmc in the command line and then using Add/Remove Snap-in from the File menu, you can also just open the individual consoles themselves by running their .msc file. For example, Computer Management can be a snap-in for a custom MMC, or you can open it by itself with compmgmt.msc. Others you may want to know for future reference include AD Users and Computers (dsa.msc), Device Manager (devmgmt.msc), Event Viewer (eventvwr.msc), Local Group Policy Editor (gpedit.msc), Local Security Policy (secpol.msc), Local Users and Groups (lusrmgr.msc), and Services (services.msc).

A, C, and D are all incorrect because they do not match the file name for opening Computer Management; the console files carry the .msc extension, and there is no compmgmt.exe.

5.   Which of the following will extract an executable file from NTFS streaming?

A.   c:\> cat file1.txt:hidden.exe > visible.exe

B.   c:\> more file1.txt | hidden.exe > visible.exe

C.   c:\> type notepad.exe > file1.txt:hidden.exe

D.   c:\> list file1.txt$hidden.exe > visible.exe

A. This is the correct syntax: cat reads the alternate stream, and the redirection writes it out as an ordinary file in the directory you execute the command from. NTFS file streaming allows you to hide virtually any file behind any other file, rendering it invisible to an ordinary directory listing (the host file's size doesn't change either). The hidden file can be a text file, to remind you of steps to take when you return to the target, or even an executable file you can run at your leisure later. Alternate data streams (ADS) are a feature of Windows-native NTFS originally added to support Macintosh HFS resource forks. Be careful on the exam: you will see ADS and NTFS file streaming used interchangeably. As an aside, cat is not a native cmd.exe command on any Windows version; the syntax in this question assumes the old Resource Kit or Cygwin version. PowerShell's cat is an alias for Get-Content, which reads an alternate stream only when told to (Get-Content file1.txt -Stream hidden.exe), and Get-Item file1.txt -Stream * or dir /R in cmd.exe will list the streams attached to a file. You can also use c:\> more < file1.txt:hidden.exe > visible.exe: the redirection opens the stream and writes it out without cat (more is a text pager, so for an executable prefer a byte-exact copy).

B is incorrect because this is not the correct syntax. There is no pipe (|) function in extracting a stream, and piping into hidden.exe would try to run it as a command; more reads from a file or stdin and displays text, it does not extract an executable from ADS.

C is incorrect because it does the opposite of what was asked: type notepad.exe > file1.txt:hidden.exe writes notepad.exe into the alternate stream, which is exactly how you hide the executable in the first place.

D is incorrect because the syntax is not correct by any stretch of the imagination; streams are addressed with a colon, not a dollar sign, and there is no list command. This is included as a distractor.

6.   Which command is used on a Linux machine to allow all privileges to the user, read-only to the group, and read-only for all others to a particular file?

A.   chmod 411 file1

B.   chmod 114 file1

C.   chmod 117 file1

D.   chmod 711 file1

E.   chmod 744 file1

E. You're going to need to know some basic Linux commands to survive this exam, and one command I can guarantee you'll see a question on is chmod. File permissions in Linux are assigned via the binary equivalent for each rwx group: read is equivalent to 4, write to 2, and execute to 1. To accumulate permissions, you add the numbers: 4 is read-only, 6 is read and write, and adding execute to the bunch results in 7. The three digits are owner, group, and others in that order, so 744 is rwxr--r--, which is exactly what the question asks for (in symbolic form, chmod u=rwx,go=r file1). As an aside, if you think in binary, the numbers are just as easy to define: 111 equates to 7 in decimal, and each bit turned on gives read, write, and execute. Setting the bits to 101 turns on read, turns off write, and turns on execute; its decimal equivalent is 5.

A, B, C, and D are all incorrect for what we're trying to accomplish here: 411 gives the owner read-only and everyone else execute-only (114 is the mirror image: execute, execute, read), 117 gives the owner and group execute-only and everyone else full control, and 711 gives the owner full control but the group and others execute-only.

7.   Examine the following passwd file:

[passwd file listing not reproduced]

Which of the following statements are true regarding this passwd file? (Choose all that apply.)

A.   None of the user accounts has passwords assigned.

B.   The system makes use of the shadow file.

C.   The root account password is root.

D.   The root account has a shadowed password.

E.   Files created by Alecia will initially be viewable by Jason.

B, D, E. If there are not two to four questions on your exam regarding the Linux passwd file, I'll eat my hat. Every exam and practice exam I've ever taken references this file, a lot, and it's included here to ensure you pay attention. The file is world-readable, one line per account, with seven colon-separated fields, from left to right:

•   User Name This is what the user types in as the login name. Each user name must be unique.

•   Password If the system uses a shadow file, an x appears here and the hashed password lives in /etc/shadow, which only root can read. On an older system without shadowing, this field holds the salted password hash itself (never the clear-text password), readable by every user on the box, which is exactly the exposure shadow files were introduced to remove. An asterisk (*) or exclamation point (!) in this field marks a locked account.

•   UID The user identifier is what the kernel actually uses for ownership and permission checks; the name is just a label. Root is always UID 0 (so a second account with UID 0 is a backdoor), and new users are typically numbered upward by 1 from the distribution's starting value.

•   GID The group identifier names the user's primary group. With the usual umask of 022, a file this user creates gets mode 644 and is readable by every member of that group, until the umask is tightened or a chmod removes group read, which is the reason for the "initially" wording in option E.

•   Gecos This is a descriptive field for the user, generally containing the full name and contact information separated by commas.

•   Home Directory This is the location of the user's home directory.

•   Login Shell This is the program started every time the user logs in, usually a shell for the user to interact with the system; /usr/sbin/nologin or /bin/false here means the account cannot log in interactively.

A is incorrect because the x indicates a shadowed password, not the absence of one; an empty second field is what a passwordless account looks like, and that is worth grepping for.

C is incorrect because the x means root does indeed have a password, but it is stored in the shadow file. Could it actually be root? Sure, but there's no way to tell that from this listing.
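The field layout and the checks discussed above, as an added Python example that is not part of the original text. It parses passwd lines into the seven fields and audits them for the things a pen tester or responder looks for first: shadowed versus in-file hashes, empty password fields, extra UID 0 accounts, and users sharing a primary group, plus a helper that answers option E from the GID and the umask. The sample file is constructed (the hash on the legacy line is a placeholder, not a real hash), and secondary group membership from /etc/group is deliberately left out of the check.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed /etc/passwd sample, not the listing from the question.
# jason and alecia share primary GID 100; toor is a UID 0 backdoor;
# legacy keeps its hash in passwd; guest has an empty password field.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jason:x:1000:100:Jason,,,:/home/jason:/bin/bash
alecia:x:1001:100:Alecia,,,:/home/alecia:/bin/bash
legacy:$6$saltsalt$notarealhashjustanexample:1002:1002::/home/legacy:/bin/sh
toor:x:0:0:backdoor:/root:/bin/bash
guest::1003:1003::/home/guest:/bin/bash
"""

LOCKED_MARKERS = ("*", "!", "!!")  # conventional "no valid hash" values


@dataclass
class PasswdEntry:
    name: str
    password: str  # 'x' = shadowed, '' = none, otherwise a hash or lock marker
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text):
    """Split each non-comment line into the seven colon-separated fields."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.startswith("#"):
            continue
        parts = raw.split(":")
        if len(parts) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(parts)}")
        name, pw, uid, gid, gecos, home, shell = parts
        entries.append(PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell))
    return entries


def audit_passwd(entries):
    """Classify every account by its password field and flag UID/GID oddities."""
    findings = {"shadowed": [], "hash_in_passwd": [], "no_password": [], "extra_uid0": []}
    by_gid = defaultdict(list)
    for e in entries:
        if e.password == "x":
            findings["shadowed"].append(e.name)
        elif e.password == "":
            findings["no_password"].append(e.name)  # login with no password at all
        elif e.password not in LOCKED_MARKERS:
            findings["hash_in_passwd"].append(e.name)  # world-readable hash, crackable offline
        if e.uid == 0 and e.name != "root":
            findings["extra_uid0"].append(e.name)  # classic backdoor account
        by_gid[e.gid].append(e.name)
    findings["shared_gid"] = {g: names for g, names in by_gid.items() if len(names) > 1}
    return findings


def group_can_read_new_files(entries, creator, reader, umask=0o022):
    """Option E: a new file gets mode 0666 & ~umask, 0644 with the default
    umask, so members of the creator's primary group can read it. Only
    primary GIDs are compared here (secondary groups would need /etc/group)."""
    by_name = {e.name: e for e in entries}
    default_mode = 0o666 & ~umask
    same_group = by_name[creator].gid == by_name[reader].gid
    return same_group and bool(default_mode & 0o040)


if __name__ == "__main__":
    entries = parse_passwd(SAMPLE_PASSWD)
    for key, value in audit_passwd(entries).items():
        print(f"{key:15s} {value}")
    print("alecia -> jason readable:", group_can_read_new_files(entries, "alecia", "jason"))
```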

8.   You are attempting to hack a Windows machine and want to gain a copy of the SAM file. Where can you find it? (Choose all that apply.)

A.   /etc/passwd

B.   /etc/shadow

C.   c:\windows\system32\config

D.   c:\winnt\config

E.   c:\windows\repair

C, E. Per Microsoft's definition, the Security Account Manager (SAM) is a database that stores user accounts and security descriptors for users on the local computer. On disk it is the registry hive file c:\windows\system32\config\SAM. It is held open by the kernel while Windows is running, so you can't simply copy it; you either boot the machine from other media, pull the file from a Volume Shadow Copy, or export the hive with reg save hklm\sam sam.hiv from an elevated prompt. The hashes inside are encrypted with the boot key kept in the SYSTEM hive, so grab that as well (reg save hklm\system system.hiv) before feeding both to a cracking tool. On older Windows versions a backup copy of the SAM was also kept in c:\windows\repair (the emergency repair data, not System Restore), which is answer E.

A and B are both incorrect because /etc is a dead giveaway this is a Linux folder (note the forward slash instead of the Windows backslash). The /etc folder contains the system's configuration files on a Linux system, and both the passwd and shadow files are found there.

D is incorrect because this is not the correct location of the SAM. It's included as a distractor.

9.   Which of the following statements are true concerning Kerberos? (Choose all that apply.)

A.   Kerberos uses symmetric encryption.

B.   Kerberos uses asymmetric encryption.

C.   Clients ask for authentication tickets from the KDC in clear text.

D.   KDC responses to clients never include a password.

E.   Clients decrypt a TGT from the server.

A, B, C, D, E. All answers are correct as far as the exam is concerned. The core of Kerberos is built on symmetric encryption: every principal shares a long-term key with the KDC, and that key is derived from the user's password. Asymmetric encryption enters only through the PKINIT extension, which lets a client prove its identity with a certificate during pre-authentication, and that is what answer B is getting at. The moving parts are the key distribution center (KDC), which hosts both the authentication service (AS) and the ticket granting service (TGS), and the ticket granting ticket (TGT). A basic exchange goes like this: the client sends the AS a request naming itself, in clear text. The AS replies with two pieces: a TGT, encrypted under the TGS's own key so the client cannot read it, and a session key, encrypted under the client's long-term key. Passwords are never sent in either direction; only a client holding the right password can decrypt the session key, and that is the authentication. The client then presents the TGT together with an authenticator (a timestamp encrypted with the session key) to the TGS, receives a service ticket, and hands that ticket to the target service to log on and access network resources. Answer E uses the exam's loose wording: strictly, the client decrypts the encrypted part of the AS reply that accompanies the TGT, not the TGT itself.
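The exchange described above, as an added Python simulation that is not part of the original text. It models the symmetric core only (no PKINIT): the KDC holds every principal's long-term key, the AS request goes out in the clear, the reply contains a TGT sealed with the krbtgt key plus a session key sealed with the client's password-derived key, and the TGS accepts the TGT only with a valid authenticator and before expiry. The cipher is a toy (hash keystream plus HMAC tag, labelled as such in the code) standing in for the real AES-CTS/HMAC-SHA1 profile, the string-to-key function is PBKDF2 with a made-up salt rule, and the principal names and timestamps are constructed.

```python
import hashlib
import hmac
import json
import os
import secrets

REALM = "EXAMPLE.COM"  # constructed realm name


def string_to_key(password, principal):
    """Long-term key from the password (stand-in for Kerberos string-to-key;
    the KDC stores only this key, never the password itself)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + principal).encode(), 10_000, 32)


def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key, obj):
    """Toy authenticated encryption: SHA-256 keystream XOR plus an HMAC tag.
    Illustrative only; real Kerberos uses AES-CTS with HMAC-SHA1 (RFC 3962)."""
    nonce = os.urandom(16)
    plaintext = json.dumps(obj).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ciphertext + hmac.new(key, nonce + ciphertext, "sha256").digest()


def decrypt(key, blob):
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ciphertext, "sha256").digest()):
        raise ValueError("integrity check failed: wrong key or tampered blob")
    return json.loads(bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext)))))


class KDC:
    """Plays both the AS and the TGS; knows every principal's long-term key."""

    def __init__(self):
        self.keys = {"krbtgt": secrets.token_bytes(32)}

    def enroll(self, principal, password):
        self.keys[principal] = string_to_key(password, principal)

    def as_exchange(self, req):
        """AS-REQ arrives in clear text. AS-REP carries no password: a TGT
        sealed with the krbtgt key, and a session key sealed with the client's key."""
        session_key = secrets.token_bytes(32)
        tgt = encrypt(self.keys["krbtgt"], {"cname": req["cname"], "key": session_key.hex(), "exp": req["now"] + 600})
        enc_part = encrypt(self.keys[req["cname"]], {"key": session_key.hex(), "nonce": req["nonce"]})
        return {"tgt": tgt, "enc_part": enc_part}

    def tgs_exchange(self, req):
        """TGS-REQ: TGT plus an authenticator sealed with the session key.
        TGS-REP: a ticket for the named service plus a fresh service session key."""
        tgt = decrypt(self.keys["krbtgt"], req["tgt"])
        session_key = bytes.fromhex(tgt["key"])
        auth = decrypt(session_key, req["authenticator"])
        if auth["cname"] != tgt["cname"] or req["now"] > tgt["exp"]:
            raise ValueError("rejected: authenticator mismatch or expired TGT")
        svc_key = secrets.token_bytes(32)
        ticket = encrypt(self.keys[req["sname"]], {"cname": tgt["cname"], "key": svc_key.hex()})
        return {"ticket": ticket, "enc_part": encrypt(session_key, {"key": svc_key.hex(), "sname": req["sname"]})}


def client_login(kdc, user, password, now):
    """Client side of the AS exchange: a wrong password cannot open enc_part,
    so the function raises instead of handing back a usable TGT."""
    nonce = secrets.randbits(32)
    rep = kdc.as_exchange({"cname": user, "sname": "krbtgt", "nonce": nonce, "now": now})
    enc = decrypt(string_to_key(password, user), rep["enc_part"])
    if enc["nonce"] != nonce:
        raise ValueError("replayed AS-REP")
    return rep["tgt"], bytes.fromhex(enc["key"])


def client_get_service_ticket(kdc, user, tgt, session_key, service, now):
    authenticator = encrypt(session_key, {"cname": user, "time": now})
    rep = kdc.tgs_exchange({"tgt": tgt, "authenticator": authenticator, "sname": service, "now": now})
    return rep["ticket"], bytes.fromhex(decrypt(session_key, rep["enc_part"])["key"])


def service_accepts(kdc, service, ticket, expected_user):
    """The service opens the ticket with its own long-term key (its keytab in
    real life, shared with the KDC here for brevity); it never sees the password."""
    return decrypt(kdc.keys[service], ticket)["cname"] == expected_user


if __name__ == "__main__":
    kdc = KDC()
    kdc.enroll("alice", "correct horse")
    kdc.enroll("cifs/fileserver", "service-secret")
    tgt, sk = client_login(kdc, "alice", "correct horse", now=1000)
    ticket, _ = client_get_service_ticket(kdc, "alice", tgt, sk, "cifs/fileserver", now=1001)
    print("service accepts alice:", service_accepts(kdc, "cifs/fileserver", ticket, "alice"))
```

Note what an observer on the wire gets: the clear-text AS request, and two blobs it cannot open. The offline attack the exam cares about (AS-REP roasting, or cracking a captured service ticket) works by guessing passwords against those blobs, which is why the password-derived key, not the protocol, is the weak point.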

10.   What is the difference between a dictionary attack and a hybrid attack?

A.   Dictionary attacks are based solely on word lists, whereas hybrid attacks make use of both word lists and rainbow tables.

B.   Dictionary attacks are based solely on whole word lists, whereas hybrid attacks can use a variety of letters, numbers, and special characters.

C.   Dictionary attacks use predefined word lists, whereas hybrid attacks substitute numbers and symbols within those words.

D.   Hybrid and dictionary attacks are the same.

C. A hybrid attack is a variant on a dictionary attack. In this effort, you still have a word list; however, the cracker applies rules that replace letters and characters within those words and bolt digits or symbols onto them. For example, both attacks might use a list containing the word Password. To try multiple variants of it, the dictionary attack would need each variant added to the list individually (P@ssword, Pa$$word, Password1, and so on). A hybrid attack needs the word list to include only Password, because it generates the substitutions and suffixes itself. This is exactly what John the Ripper's wordlist rules and hashcat's -r rule files do, and it's why a short list with good rules beats a huge raw list.

A is incorrect because hybrid attacks don't use rainbow tables; those are a precomputation attack on unsalted hashes and need no word list at all.

B is incorrect because dictionary attacks can use variants of a whole word; they just need to be listed separately in the list.

D is incorrect because hybrid and dictionary attacks are most definitely different.
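The contrast described above, as an added Python example that is not part of the original text: the same three-word list is run first as a plain dictionary attack and then through hybrid rules (case variants, leet substitutions, common suffixes) against a small set of unsalted hashes. The hashes are SHA-256 of constructed passwords standing in for the NT hashes you would pull from a SAM (MD4 isn't reliably available in hashlib), and the rule set is a hand-written subset of what John and hashcat ship with.

```python
import hashlib
import itertools

# Constructed "stolen" hash set; in a real engagement you have only the hashes.
# SHA-256 stands in for the unsalted NT hash so the example needs no extra library.
_CONSTRUCTED_PLAINTEXTS = ("password", "P@ssw0rd123", "Summer1!", "correcthorsebatterystaple")
STOLEN_HASHES = [hashlib.sha256(p.encode()).hexdigest() for p in _CONSTRUCTED_PLAINTEXTS]

WORDLIST = ["password", "summer", "dragon"]

LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
SUFFIXES = ["", "1", "12", "123", "!", "1!", "2024"]


def case_variants(word):
    yield word.lower()
    yield word.capitalize()
    yield word.upper()


def leet_variants(word):
    """Every combination of substituting (or not) each leet-able letter,
    so Password yields Password, P@ssword, Pa$sword, ... P@$$w0rd."""
    positions = [i for i, ch in enumerate(word) if ch.lower() in LEET]
    for mask in itertools.product((False, True), repeat=len(positions)):
        chars = list(word)
        for on, i in zip(mask, positions):
            if on:
                chars[i] = LEET[chars[i].lower()]
        yield "".join(chars)


def hybrid_candidates(word):
    """Rule pipeline: case, then leet, then suffix; duplicates are dropped
    (e.g. '$ummer' arises from both 'summer' and 'Summer')."""
    seen = set()
    for cased in case_variants(word):
        for leet in leet_variants(cased):
            for suffix in SUFFIXES:
                candidate = leet + suffix
                if candidate not in seen:
                    seen.add(candidate)
                    yield candidate


def crack(hashes, candidates):
    """Hash each candidate and look it up in the target set (unsalted hashes,
    as in a stolen SAM or an old passwd file). Returns hash -> plaintext."""
    targets = set(hashes)
    found = {}
    for candidate in candidates:
        digest = hashlib.sha256(candidate.encode()).hexdigest()
        if digest in targets and digest not in found:
            found[digest] = candidate
            if len(found) == len(targets):
                break
    return found


def dictionary_attack(hashes, wordlist):
    """Plain dictionary: each word exactly as listed, nothing else."""
    return crack(hashes, iter(wordlist))


def hybrid_attack(hashes, wordlist):
    """Hybrid: every rule-generated variant of every word."""
    return crack(hashes, (c for word in wordlist for c in hybrid_candidates(word)))


if __name__ == "__main__":
    print("dictionary:", sorted(dictionary_attack(STOLEN_HASHES, WORDLIST).values()))
    print("hybrid    :", sorted(hybrid_attack(STOLEN_HASHES, WORDLIST).values()))
    print("candidates per word:", {w: sum(1 for _ in hybrid_candidates(w)) for w in WORDLIST})
```

The fourth hash (a long passphrase) survives both runs, which is the point of the comparison: rules multiply a word list by a few hundred, not by enough to reach anything that isn't a mangled dictionary word.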

11.   Which of the following contains a listing of port numbers for well-known services defined by IANA?

A.   %windir%\etc\lists

B.   %windir%\system32\drivers\etc\lmhosts

C.   %windir%\system32\drivers\etc\services

D.   %windir%\system32\drivers\etc\hosts

C. I've sat back many times in writing these books struggling to determine why certain specific but not very useful things seem to be so near and dear to the exam question writers, but I can't find any particular rhyme or reason. Sometimes you just have to memorize and move on, and this example is no exception. If you happen to be out on your real job and completely forget every well-known port number, you'd probably just look up the list on an Internet search. If you're bored or really nerdy, though, you can pull up a list of them by opening the services file at %windir%\system32\drivers\etc\services. It's sitting right there beside the hosts and lmhosts files (Linux keeps the equivalent in /etc/services, and tools such as nmap and netstat use it to put a service name next to a port number).

A, B, and D are incorrect because these locations do not hold the services file; hosts maps names to addresses, and lmhosts does the same for NetBIOS names.

12.   Which of the following SIDs indicates the true administrator account?

A.   S-1-5-21-1388762127-2960977290-773940301-1100

B.   S-1-5-21-1388762127-2960977290-773940301-1101

C.   S-1-5-21-1388762127-2960977290-773940301-500

D.   S-1-5-21-1388762127-2960977290-773940301-501

C. The security identifier (SID) in Windows is used to identify a “security principal.” It’s unique to each account and service and is good for the life of the principal. Everything else associated with the account is simply a property of the SID, allowing accounts to be renamed without affecting their security attributes. In a Windows system, the true administrator account always has an RID (relative identifier) of 500.

A and B are incorrect because neither 1100 nor 1101 is the RID associated with the administrator account. RID values between 1000 and 1500 indicate a standard user account.

D is incorrect because 501 is the RID for the guest account.

13.   In which step of EC-Council’s system hacking methodology would you find steganography?

A.   Cracking passwords

B.   Escalating privileges

C.   Executing applications

D.   Hiding files

E.   Covering tracks

D. Yes, sometimes you get a question that’s relatively easy, and this is a prime example. Hiding files is exactly what it sounds like: finding a way to hide files on the system. There are innumerable ways to accomplish this, but steganography is one method you’ll most likely see referenced on the exam. Steganography hides things such as passwords, files, malicious code (let’s just say anything that can be put into a binary format) inside images, video, and such. The other file-hiding technique you’ll most likely see referenced on the exam is NTFS file streaming.

A, B, C, and E are incorrect because you do not hide files in these steps. Cracking passwords is self-explanatory. Escalating privileges refers to the means taken to elevate access to administrator level. Executing applications is exactly what it sounds like, and you’ll probably see remote execution tools referenced (and, for some bizarre reason, keyloggers and spyware). Covering tracks deals with proxies, log files, and such.

14.   A review of the command history on a Linux box shows the following command entered:

[Figure not reproduced: the command entered in the history]

Which of the following is the best description of what the attacker is attempting to accomplish?

A.   Add a user to the system.

B.   Elevate current login privileges.

C.   Change passwords for users.

D.   Display password file contents.

D. Ever heard of Bashdoor (a.k.a. the Shellshock vulnerability)? Of course you have, and that’s what’s being attempted here. Vulnerable versions of the Bash shell (commonly used to process requests) allow an attacker to execute arbitrary commands concatenated to the end of function definitions stored in environment variables. In this case, the attacker is trying to read the contents of the password file using the cat command.

A, B, and C are incorrect because they do not match the command syntax.

15.   You are examining LM password hashes and see the following:

3A02DF5289CF6EEFAAD3B435B51404EE

Which of the following passwords is most likely to have created the hash?

A.   123456789

B.   CEHISHARD

C.   c3HisH@RD!

D.   CEHhard

D. You will certainly see LM hashes on your exam at least once or twice, and usually in this type of scenario. EC-Council isn’t just going to come out and ask you if you know that the last half of the LM hash is always the same if the password is seven characters or less—they’re going to throw it in a scenario and see if you remember it in the stress of test time. For review purposes, LM splits any password into two seven-character pieces and hashes each piece. If the password is seven characters or less, the last half of the hash is always the value of a hash of nothing (which equates to AAD3B435B51404EE, by the way). In this question, apply the LM “splitting” of passwords into two separate groups of seven characters, and it’s easy to see the answer: the first seven characters are CEHhard and the second seven do not exist, so the hash of CEHhard equals 3A02DF5289CF6EEF, and the hash of the blank characters equals AAD3B435B51404EE.

On a final note, because it’s related here, don’t get hung up on password complexity unless it is explicitly noted in the question. Most people are in a rush during the exam and may not read things carefully. Glancing at the answers, these folks might pick the complex password by mistake. Therefore, use caution in reading the questions—take time to fully understand what they’re asking for before just clicking the choice and moving on.

A is incorrect because this password has nine characters; therefore, the second half of the hash would be different (LM would hash 1234567 and then 89).

B is incorrect because this password also has nine characters; therefore, the second half of the hash would be different (LM would hash CEHISHA and then RD).

C is incorrect because this password has ten characters; therefore, the second half of the hash would be different (LM would hash c3HisH@ and then RD!).

16.   You are examining history logs on a Linux machine and note the attacker added an ampersand (&) after a few process commands. Which of the following is true regarding this?

A.   The & symbol has no effect on the process command.

B.   The & symbol runs the process as a background task and closes it when the user logs off.

C.   The & symbol ensures the process continues to run after the user logs off.

D.   The & symbol concatenates the process to subsequent commands.

B. Okay, so this one is a little picky, I admit it, but lots of questions on your exam will be picky, so I’m not apologizing. The ampersand (&) is not only one of the coolest sounding character symbols of all time, but it’s also used in the Linux command line to place a process in the background and cause it to close at user logoff. As an aside, you can use the bg and fg commands to move processes to the background and foreground, respectively.

A is incorrect because it does have an effect on the command.

C is incorrect because the process will not continue to run after logoff.

D is incorrect because it does not concatenate anything.

17.   Which of the following are considered offline password attacks? (Choose all that apply.)

A.   Using a hardware keylogger

B.   Brute-force cracking with Cain and Abel on a stolen SAM file

C.   Using John the Ripper on a stolen passwd file

D.   Shoulder surfing

A, B, C. An offline password attack occurs when you take the password file (or the passwords themselves) offline for work. A common method involves stealing the SAM or passwd (shadow) file and then running a dictionary, hybrid, or brute-force attack against it (using a password-cracking tool such as Cain and Abel or John the Ripper). Keyloggers are also considered offline attacks because you examine the contents off network.

D is incorrect because shoulder surfing is considered another form of attack altogether—a nonelectronic attack. No, I’m not making this up; it’s actually a term in CEH lingo and refers to social engineering methods of obtaining a password. Shoulder surfing is basically standing behind someone and watching their keystrokes.

18.   If a rootkit is discovered on the system, which of the following is the best alternative for recovery?

A.   Replacing all data files from a good backup

B.   Installing Tripwire

C.   Reloading the entire system from known-good media

D.   Deleting all data files and rebooting

C. Sometimes a good old wipe and reload is not only faster than a cleaning effort but is just flat out better. And when it comes to rootkits, it’s really your only option. If it’s an off-the-shelf rootkit that has been documented, it’s likely that good instructions on how to fully remove it are available somewhere, but remember that while you think you may have it removed by following removal instructions, you know it’s gone if you blow the system away and reload it.

A and D are incorrect because nearly anything you’re doing with the data files themselves isn’t going to help in getting rid of a rootkit. The device has been rooted, so all data should be treated as suspect.

B is incorrect because while Tripwire is a great tool, it isn’t really useful to you once the machine has been infected.

19.   Examine the following portion of a log file, captured during a hacking attempt:

[Figure not reproduced: the captured portion of the log file]

What was the attacker attempting to do?

A.   Copy files for later examination

B.   Cover his tracks

C.   Change the shell to lock out other users

D.   Upload a rootkit

B. You’ll definitely see basic Linux commands on your test, and this is one example of how you’ll be asked about them. In this example, the rm command is used to remove (delete) files on a Linux system. Looking at what the hacker is attempting to remove, it seems logical to assume—even without seeing the rest of the log—that the hacker is covering his tracks.

A is incorrect because the command for copy in Linux is cp.

C is incorrect because the shell is not being tampered with. This answer is included as a distractor.

D is incorrect because there is no evidence in this capture that anything is being uploaded; all commands are for removal of files (using the rm command). Granted, it’s highly likely something was uploaded before this portion, but we’re not privy to that information here.

20.   You suspect a hack has occurred against your Linux machine. Which command will display all running processes for you to review?

A.   ls -d

B.   ls -l

C.   su

D.   ps -ef

E.   ifconfig

D. The ps command is used in Linux to display processes. The -e switch selects all processes, running or not, and the -f switch provides a full listing. A couple of other options you might see include -r (restrict output to running processes), -u (select by effective user ID; supports names), and -p (select by process ID).

A and B are incorrect because the ls command in Linux lists files inside a storage directory. A couple of switches of note include -d (list directory entries instead of contents), -h (print sizes in human-readable format), -l (use a long listing format), and -p (append a / indicator to directory names).

C is incorrect because the su command in Linux is for “switch user.” Assuming you have permission/authentication to do so, this allows you to change the effective user ID and group ID to whatever you want.

E is incorrect because ifconfig is used to configure a network interface in Linux. It looks, and works, very much like the ipconfig command in Windows, which makes it an easy target for test question writers, so pay close attention to the OS when asked about configuring your NIC.

21.   An organization wants to control network traffic and perform stateful inspection of traffic going into and out of its DMZ. Which built-in functionality of Linux can achieve this?

A.   iptables

B.   ipchains

C.   ipsniffer

D.   ipfirewall

A. Iptables is a built-in “user space” application in Linux that allows you to configure the tables used by the Linux kernel firewall. It must be executed with root privileges and allows for stateful inspection. On most Linux systems, iptables is installed as /usr/sbin/iptables.

B is incorrect because ipchains won’t allow for stateful inspection.

C and D are incorrect because, as far as I know, there’s no such thing as ipsniffer or ipfirewall.

22.   Which of the following best describes Cygwin?

A.   Cygwin is a Unix subsystem running on top of Windows.

B.   Cygwin is a Windows subsystem running on top of Unix.

C.   Cygwin is a C++ compiler.

D.   Cygwin is a password-cracking tool.

A. Cygwin (www.cygwin.com/) provides a Linux-like environment for Windows. It’s a large collection of GNU and open source tools that provide functionality similar to a Linux distribution on Windows, as well as a DLL (cygwin1.dll) that provides substantial POSIX API functionality, according to the Cygwin website. The Cygwin DLL currently works with all recent, commercially released x86 32-bit and 64-bit versions of Windows, starting with Windows XP SP3.

B, C, and D are incorrect descriptions of Cygwin.

23.   Which folder in Linux holds administrative commands and daemons?

A.   /sbin

B.   /bin

C.   /dev

D.   /mnt

E.   /usr

A. The system binaries folder holds most administrative commands (/etc holds others) and is the repository for most of the routines Linux runs (known as daemons).

B is incorrect because this folder holds a variety of basic Linux commands (a lot like the C:\Windows\System32 folder in Windows).

C is incorrect because this folder contains the pointer locations to the various storage and input/output systems you will need to mount if you want to use them, such as optical drives and additional hard drives or partitions. By the way, everything in Linux is a file. Everything.

D is incorrect because this folder holds the access locations you’ve actually mounted.

E is incorrect because this folder holds most of the information, commands, and files unique to the users.

24.   Which of the following is the appropriate means to pivot within a Metasploit attack session?

A.   Use the pivot exploit outside meterpreter.

B.   Reconfigure network settings in meterpreter.

C.   Set the payload to propagate.

D.   Create a route statement in the meterpreter.

D. To answer this, you have to know what pivot means and what the meterpreter is, and the best explanations for both are found right on the Offensive Security website (www.offensive-security.com/): “Pivoting is the unique technique of using an instance (also referred to as a plant or foothold) to be able to ‘move’ around inside a network. Basically using the first compromise to allow and even aid in the compromise of other otherwise inaccessible systems. Metasploit has an autoroute meterpreter script that allows an attack into a secondary network through a first compromised machine. Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime. Meterpreter resides entirely in memory and writes nothing to disk.” Adding a route statement inside the dynamic meterpreter environment allows the attack to “pivot” to a new target. Neat, eh?

A, B, and C are incorrect because they are neither legitimate nor accurate statements regarding a pivot attack.

25.   You are examining files on a Windows machine and note one file’s attributes include “h.” What does this indicate?

A.   The file is flagged for backup.

B.   The file is part of the help function.

C.   The file is fragmented because of size.

D.   The file has been quarantined by an antivirus program.

E.   The file is hidden.

E. The hidden attribute can be set on any file to hide it from standard directory searches. You can accomplish this with the command line

attrib +h filename

or by right-clicking, choosing Properties, and selecting the Hidden attribute check box at the bottom of the dialog.

A, B, C, and D are all incorrect definitions of the hidden attribute.

26.   An attacker has gained access to an internal system. Using Metasploit, he accesses and attacks other internal systems. Which of the following terms best describe the action taken?

A.   Attack splitting

B.   Pivoting

C.   Attack swinging

D.   Hinging

B. I love definition questions on the exam—they’re simple and easy. Pivoting refers to attackers using a compromised system to access systems they’d otherwise not be able to get to. You can use the route statement in a meterpreter attack session to pivot from the compromised system onto others. Offensive Security (https://www.offensive-security.com/metasploit-unleashed/pivoting/) has a great write-up on using the autoroute meterpreter script for the same purpose.

A, C, and D are incorrect because these answers do not match any action taken from Metasploit.

27.   Which of the following tools can assist in discovering the use of NTFS file streams? (Choose all that apply.)

A.   LADS

B.   ADS Spy

C.   Sfind

D.   Snow

A, B, C. NTFS streaming (alternate data streaming) isn’t a huge security problem, but it is something many security administrators concern themselves with. If you want to know where it’s going on, you can use any of these tools: LADS and ADS Spy are freeware tools that list all alternate data streams of an NTFS directory. ADS Spy can also remove alternate data streams (ADSs) from NTFS volumes. Sfind, probably the oldest one here, is a Foundstone forensic tool you can use for finding ADS. As an aside, dir /R on Windows systems does a great job of pointing out alternate data streams.

D is incorrect because Snow is a steganography tool used to conceal messages in ASCII text by appending whitespace to the end of lines.

28.   Which authentication method uses DES for encryption and forces 14-character passwords for hash storage?

A.   NTLMv1

B.   NTLMv2

C.   LAN Manager

D.   Kerberos

C. LAN Manager is an older authentication model that burst onto the scene around the Windows 95 launch. It uses DES as an encryption standard (a 56-bit key DES, to be technical) and, as covered before, has a quirky habit of capitalizing passwords and splitting them into two seven-character halves. Believe it or not, this is still in use in the field. It’s most often found in places where backward compatibility was needed for something and, eventually, it was just forgotten or overlooked.

A is incorrect because NTLMv1 (NT LAN Manager) improved upon LM methods. It stopped crazy practices such as padding passwords to 14 characters, and it supported stronger encryption.

B is incorrect because NTLMv2 also did not follow the encryption methods used by LM. In addition to the improvements from version 1, NTLMv2 made use of 128-bit MD5 hashing.

D is incorrect because Kerberos is a strong and secure authentication method that does not work like LM. Kerberos makes use of a key distribution center (KDC) and grants tickets to properly authenticated clients to access resources on the network.
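The capitalize-and-split behavior described here, and the “hash of nothing” that question 15 relies on, as an added Go example that is not the book’s own code: it builds the LM hash as DES of the constant “KGS!@#$%” under a key derived from each seven-character half, so the fixed second half AAD3B435B51404EE of any password of seven characters or fewer can be checked directly. The key expansion and null padding follow the standard LM construction; the sample passwords are the four choices from question 15.

```go
package main

import (
	"crypto/des"
	"fmt"
	"strings"
)

// lmMagic is the fixed plaintext every LM half-key encrypts.
var lmMagic = []byte("KGS!@#$%")

// EmptyHalf is DES(lmMagic) under an all-zero key, i.e. the hash of a blank half; every password of seven characters or fewer ends with it.
const EmptyHalf = "AAD3B435B51404EE"

// SplitHalves applies the LM preprocessing: uppercase, cut at 14 characters, then split into the two seven-character pieces hashed independently.
func SplitHalves(password string) (string, string) {
	p := strings.ToUpper(password)
	if len(p) > 14 {
		p = p[:14]
	}
	if len(p) <= 7 {
		return p, "" // second half is blank (null padded before hashing)
	}
	return p[:7], p[7:]
}

// desKey spreads the 56 bits of a seven-byte half across eight DES key bytes,
// seven bits per byte, leaving each low bit as the (ignored) parity bit.
func desKey(half [7]byte) []byte {
	var bits uint64
	for _, b := range half {
		bits = bits<<8 | uint64(b)
	}
	k := make([]byte, 8)
	for i := 7; i >= 0; i-- {
		k[i] = byte(bits&0x7F) << 1
		bits >>= 7
	}
	return k
}

// LMHash returns the 32-hex-digit LM hash: DES of lmMagic under each half's key.
func LMHash(password string) (string, error) {
	first, second := SplitHalves(password)
	var out []byte
	for _, piece := range []string{first, second} {
		var half [7]byte // a shorter piece stays zero padded
		copy(half[:], piece)
		block, err := des.NewCipher(desKey(half))
		if err != nil {
			return "", err
		}
		ct := make([]byte, des.BlockSize)
		block.Encrypt(ct, lmMagic)
		out = append(out, ct...)
	}
	return fmt.Sprintf("%X", out), nil
}

func main() {
	// Constructed sample: the four answer choices from question 15.
	for _, pw := range []string{"CEHhard", "123456789", "CEHISHARD", "c3HisH@RD!"} {
		h, _ := LMHash(pw)
		fmt.Printf("%-11s %s  blank second half: %v\n", pw, h, h[16:] == EmptyHalf)
	}
}
```

Only the short password reports a blank second half, which is exactly the tell the question expects you to spot.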
