Certified in The Art of Hacking - Day 2


This is a diary of what I've learned. Hopefully it will let other learners know what the course is like, and if it is worthwhile. Oh, and it might just help me remember what I'm learning!

Day 1 was all about password cracking and metasploit. Today? Linux Hacking! Sadly, we aren't learning anything to do with distributing 1337 cracks for warez (so 1998!).

One point to note is that the questions we're set are extremely vague. Here's a sample:

Exploit the HeartBleed vulnerability on 192.168.123.123 to get administrative access to the login interface on the server

That doesn't tell me anything about what HeartBleed is, what tools I should be using, or - importantly - what exactly I'll be tested on. Do I need to know the exact sequence of bits to fire at a server? The name of a tool? How it could be defended against? The teaching slides we have are OK - but make large logical leaps. For example, telling us to run a curl command against a specific path without telling us how we would know about that specific URL.

Practice Questions

Got a bit more info about the sort of questions. Mostly trivia really. Some of the topics weren't really discussed yesterday.

Here are the Port Scanning questions. I was a bit narked to get 50% (a barely passing grade). How well would you do?

  1. Sam has scanned a device in his network with nmap, and has identified a service running on port 22. What service should Sam assume this is?
    • FTP
    • SSH
    • HTTP
    • SNMP
  2. Jackie wants to scan all TCP ports with her nmap scan. What switch will enable Jackie to scan all ports?
    • -P
    • -p
    • -p-
    • -A
  3. Simon wants to scan a number of devices in his network with a half-connect scan. What switch should Simon use to accomplish this?
    • -sU
    • -sT
    • -oA
    • -sS
  4. If an nmap scan is executed with the -F (fast) switch set, how many ports does nmap scan?
    • The 1st 1000 ports
    • The first 100 ports
    • The top 1000 most common ports
    • The top 100 most common ports
  5. Which timing switch is more commonly known as the insane mode?
    • -T1
    • -T5
    • -T0
    • -T9
  6. James wants to scan the SSH service on his device. Which of the following will allow James to do this?
    • -p 22
    • -p ssh
    • -p T:22
  7. Sandra has run the following scan; what does it do? nmap -Pn -O -sV -oA scan_results 192.168.0.1
    • Performs a ping scan, OS enumeration, Service enumeration, and outputs data to a file called scan_results
    • Performs a scan of all ports, performs OS enumeration, performs a half-connect scan and outputs results to a file called scan_results
    • Does not perform any nmap discovery scans, performs an overt scan, a verbose scan and outputs results to a file called scan_results
    • Does not perform any nmap discovery scans, performs an OS scan, a service enumeration scan, and outputs results to a file called scan_results
  8. Which of the following outputs is NOT a nmap file output type
    • Normal
    • Grepable
    • XML
    • HTML
  9. True or False, performing a TCP Half-Connect (-sS) scan requires privileges on the scanning computer?
    • True
    • False
  10. How many TCP ports does nmap scan by default unless told otherwise?
    • 100
    • 1,024
    • 1,000
    • 10,000

Mostly convinced me that most UNIX tools need a better CLI UI!

A DB quiz. Again, mostly trivia. And some stuff not covered. I got 7/9.

Art of Hacking - Database hacking

  1. Sarah has scanned a server and has identified a service running on port 3306. What is this service likely to be?
    • MySQL
    • Postgresql
    • Microsoft SQL
    • Mongo DB
  2. When attacking a MySQL server, which common account should you try to attack that is normally not configured to lockout?
    • Admin
    • User1
    • MySQL
    • Root
  3. Gary has identified a weakness in a MySQL database installation and has managed to use the database to extract the contents of the /etc/passwd file from the underlying server. What command would Gary have used to do this?
    • select LOAD_FILE('/etc/passwd');
    • select READ_FILE('etc/passwd');
    • select * from /etc/passwd
    • select all from FILE('/etc/passwd');
  4. What is the default port for a postgres SQL database?
    • 1234
    • 5544
    • 2345
    • 5432
  5. What is the default user for a postgres SQL database?
    • root
    • admin
    • postgres
    • user0
  6. James has recovered a set of credentials for a MySQL database running on IP address 192.168.0.43. The credentials he has discovered are: user = root password = P@55w0rd. What syntax should James use to gain access to the database?
    • mysql -u root -p P@55w0rd -h 192.168.0.43
    • mysql -u root -p -h 192.168.0.43
    • mysql -a root -p -u 192.168.0.43
    • mysql -u root --password -h 192.168.0.43
  7. David has managed to locate a vulnerable Microsoft SQL database application and wants to find out the version of database in use. What syntax should David use to obtain the version data?
    • UNION SELECT @@version --
    • SELECT * FROM DB_VERSION #
    • VERSION FROM TB_DATABASE WHERE V >1 --
    • SELECT * FROM @@version #
  8. What is the name of the file that all databases have that describes the database structure, including database names, table names, column names, and data types, amongst others?
    • DB_STRUCTURE
    • db_schema
    • data_definitions
    • information_schema
  9. What sqlmap switch would you use to retrieve all the contents from a targeted database table?
    • --ALL
    • --download
    • --dump
    • --loot

Password questions - again, trivia. I got 7/10 with a few guesses.

  1. Kali Linux comes with some pre-installed word lists for use when conducting password attacks. What is the location of these files?
    • /usr/share/wordlists
    • /var/temp/wordlists
    • /usr/wordlists
    • /etc/wordlists
  2. What switch should Carl use to provide hydra with a single username to try in an online password attack?
    • -L
    • -D
    • -p
    • -l
  3. Denise is trying to use hydra to attack an ftp server which is running on the non-standard port (2121) - what syntax should Denise use when configuring hydra to target this service?
    • :2121
    • -p 2121
    • -s 2121
    • p:2121
  4. Joanne has extracted the following data from a Linux server; What hashing algorithm is the system using to generate the password hash? root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.:14747:0:99999:7:::
    • SHA-512
    • Blowfish
    • SHA-256
    • MD5
  5. What encryption standard did Windows LanMan use to secure its hashes?
    • DES
    • AES
    • 3DES
    • RSA
  6. In order for John-the-Ripper to process Linux passwd & shadow files, they have to be unshadowed first and the results placed into a new file. What is the correct syntax to achieve this?
    • unshadow /etc/passwd /etc/shadow > hashfile
    • unshadow /etc/shadow /etc/passwd > hashfile
    • /etc/passwd /etc/shadow unshadow | hashfile
    • unshadow /etc/passwd /etc/shadow | hashfile
  7. What does the "-a0" switch denote when using hashcat?
    • To use only 1 core of the CPU for processing
    • To output all results to the screen
    • To use a brute-force attack
    • To use a dictionary attack
  8. Which password hashes does Windows salt
    • The SAM file
    • NTLM hashes
    • Cached domain hashes
    • The NTDS.dit file
  9. Which of the following is not a hash function
    • MD5
    • Blowfish
    • SHA-1
    • RIPEMD-160
  10. What is the maximum length of a LanMan password
    • 14 characters
    • 20 characters
    • 7 characters
    • 32 characters
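Question 4 above hinges on recognising the crypt(3) prefix of a shadow entry ($1$ is MD5-crypt). As an added example (mine, not course material), here is a small Python audit that reads /etc/shadow-style lines, names the hashing scheme from the prefix and flags the ones that are considered weak today. The root line is the one from the quiz; the other lines are constructed sample data, and the "weak" classification is my own judgement, not something the course states.

```python
import re
from typing import Dict, List, Tuple

# crypt(3) prefix -> (scheme name, considered weak for new passwords today)
# The weak/strong labels are the author's assumption, not from the course.
CRYPT_PREFIXES: Dict[str, Tuple[str, bool]] = {
    "$1$": ("MD5-crypt", True),
    "$2a$": ("bcrypt (Blowfish)", False),
    "$2b$": ("bcrypt (Blowfish)", False),
    "$2y$": ("bcrypt (Blowfish)", False),
    "$5$": ("SHA-256-crypt", False),
    "$6$": ("SHA-512-crypt", False),
    "$y$": ("yescrypt", False),
}


def identify_hash(field: str) -> Tuple[str, bool]:
    """Classify the password field of one shadow entry."""
    if field in ("", "*") or field.startswith("!"):
        # "*" and "!" prefixes mean the account has no usable password
        return ("locked/no password", False)
    for prefix, info in CRYPT_PREFIXES.items():
        if field.startswith(prefix):
            return info
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        # 13-character field with no $ prefix is traditional DES-crypt
        return ("traditional DES-crypt", True)
    return ("unknown", True)


def audit_shadow(text: str) -> List[Dict[str, object]]:
    """Parse shadow-format lines (user:hash:...) and report the scheme per user."""
    results = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue
        scheme, weak = identify_hash(parts[1])
        results.append({"user": parts[0], "algorithm": scheme, "weak": weak})
    return results


# Constructed sample: the root line is the one quoted in the quiz, the rest are made up.
SAMPLE_SHADOW = """\
root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.:14747:0:99999:7:::
alice:$6$saltsalt$examplehashvalue:19000:0:99999:7:::
bob:$y$j9T$examplesalt$examplehashvalue:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
"""

if __name__ == "__main__":
    for entry in audit_shadow(SAMPLE_SHADOW):
        flag = "WEAK" if entry["weak"] else "ok"
        print(f'{entry["user"]:<8} {entry["algorithm"]:<22} {flag}')
```

Run against a real shadow file this tells you which accounts still carry MD5 or DES hashes and should be forced through a password change once the system's default scheme has been raised.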

Verdict

Lots of students hadn't been exposed to Linux or these tools before. Concern expressed about lots of rote memorisation. All the above questions could be answered with -h - but not able to do that on a proctored exam.

Quite a "script kiddie" day. Lots of loading up metasploit and just guessing until things work. A few infrastructure problems - broken test servers made things quite frustrating.

Lots of technical jargon without any explanation. Jenkins, Groovy, Sandbox, Metaprogramming. What are they? What definitions are needed for the exam?

Nothing so far about law and ethics… Which is a bit worrying. We're only working on a restricted demo lab, and all the exploits are ancient.

There's still no checking if students have done the tasks. It would be helpful if each student had to, say, retrieve a specific file or string from the target and present it back to the tutor. I know a couple of students who are a bit bewildered but a bit nervous to ask for help.

A short day - so off to Cloud Academy to brush up on my skills.

Notes

Heartbleed - get up to 64KB data from memory. Ask for specific length, bounds aren't checked. Only on old versions of TLS. Can also check key length - under 128bit may be vulnerable.
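The "bounds aren't checked" point is the whole bug, so here is an added example (mine, not from the course) that simulates a heartbeat responder in Python. The record layout follows RFC 6520 (1-byte type, 2-byte payload length, payload, at least 16 bytes of padding); the receive buffer is a constructed byte string standing in for process memory, and the `check_bounds` switch is my own way of showing the responder with and without the length check that the 2014 fix added.

```python
import struct
from typing import Optional

HB_REQUEST = 1
HEADER_LEN = 3      # 1-byte type + 2-byte payload_length (RFC 6520)
MIN_PADDING = 16    # RFC 6520 requires at least 16 bytes of padding


def build_heartbeat(payload: bytes, declared_len: Optional[int] = None) -> bytes:
    """Build a heartbeat request; declared_len lets a test lie about the payload size."""
    if declared_len is None:
        declared_len = len(payload)
    return struct.pack("!BH", HB_REQUEST, declared_len) + payload + b"\x00" * MIN_PADDING


def handle_heartbeat(recv_buffer: bytes, record_len: int, check_bounds: bool) -> Optional[bytes]:
    """Echo the payload back, as a heartbeat responder does.

    recv_buffer simulates memory: the received record followed by whatever
    happens to sit after it. record_len is how many bytes actually arrived.
    """
    hb_type, payload_len = struct.unpack("!BH", recv_buffer[:HEADER_LEN])
    if hb_type != HB_REQUEST:
        return None
    if check_bounds and HEADER_LEN + payload_len + MIN_PADDING > record_len:
        # The fix: a declared length that does not fit inside the record is discarded.
        return None
    # Without the check, payload_len bytes are copied regardless of the record size.
    return recv_buffer[HEADER_LEN:HEADER_LEN + payload_len]


# Constructed stand-in for data that happens to follow the record in memory.
ADJACENT_MEMORY = b"session=abc123;user=alice"


def demo(check_bounds: bool) -> Optional[bytes]:
    """A 4-byte payload that claims to be 40 bytes, processed with or without the check."""
    record = build_heartbeat(b"ping", declared_len=40)
    memory = record + ADJACENT_MEMORY
    return handle_heartbeat(memory, len(record), check_bounds)


if __name__ == "__main__":
    print("without check:", demo(check_bounds=False))
    print("with check:   ", demo(check_bounds=True))
```

The honest request (declared length equal to the real payload) is answered either way; the over-long one is answered only when the check is missing, and the answer then includes bytes that were never part of the record. The defensive lesson is that every length field read off the wire has to be validated against the bytes actually received before it drives a copy.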

Heartbleed to find username / password. Log in via the web. View source to find .cgi path.

Metasploit - use the right module and configure. Exploit and then cat the /etc/passwd file.

Shellshock - as above. Copy and paste commands.

LD_PRELOAD - need to ensure you keep privileges.

Use of nc to get remote machine to connect to your machine in order to get a shell on it.

Use of history to check for entered passwords and other interesting bits.

Weak Linux permissions. Can you overwrite a command run by root?

cron jobs a good source of this.
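The "can you overwrite a command run by root?" question is easy to turn into a check. As an added example (my own, not a course tool), this Python script parses /etc/crontab-style lines (the six time/user fields followed by the command), pulls out every absolute path in the command, and reports any that are group- or world-writable, or whose parent directory is. The `demo()` function builds a throwaway directory with one world-writable script and one sane one so the audit can run anywhere; the crontab text in it is constructed.

```python
import os
import shlex
import shutil
import stat
import tempfile
from typing import List, Optional, Tuple


def command_paths(cron_line: str) -> Optional[List[str]]:
    """Return the absolute paths mentioned in the command part of an /etc/crontab line.

    Lines use the system crontab layout: min hour dom mon dow user command.
    @reboot/@daily shortcuts and per-user crontabs (no user field) are not handled.
    """
    line = cron_line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split(None, 6)
    if len(fields) < 7:
        return None
    try:
        tokens = shlex.split(fields[6])
    except ValueError:
        return None
    return [t for t in tokens if t.startswith("/")]


def writable_by_others(path: str) -> bool:
    """True if the group or world write bit is set on path."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    return bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_crontab(text: str) -> List[Tuple[str, str]]:
    """Return (cron line, offending path) pairs for writable targets or parent dirs."""
    findings = []
    for line in text.splitlines():
        paths = command_paths(line)
        if not paths:
            continue
        for p in paths:
            for candidate in (p, os.path.dirname(p)):
                if writable_by_others(candidate):
                    findings.append((line.strip(), candidate))
    return findings


def demo() -> List[str]:
    """Constructed scenario: one world-writable root cron script, one correctly protected."""
    tmp = tempfile.mkdtemp()  # created 0700, so the directory itself is not a finding
    try:
        bad = os.path.join(tmp, "backup.sh")
        good = os.path.join(tmp, "rotate.sh")
        for path in (bad, good):
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\necho placeholder\n")
        os.chmod(bad, 0o777)   # the misconfiguration we want to catch
        os.chmod(good, 0o755)
        crontab = (
            "# constructed sample /etc/crontab\n"
            f"0 2 * * * root {bad}\n"
            f"30 3 * * * root /bin/sh {good}\n"
        )
        return [path for _, path in audit_crontab(crontab)]
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    for path in demo():
        print("writable by non-owner:", path)
```

Pointed at the real /etc/crontab and the files under /etc/cron.d, the same function lists exactly the cases from the note: a script run by root that somebody other than root can edit.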

Use of local Python server to transfer files across. linpeas.sh

Always compile exploits on target machine to ensure architecture compatibility.

Basic use of wget and chmod

Exploiting other Linux things like JBoss, Tomcat, Jenkins. What is our attack surface? Weak defaults. Outdated versions with CVE.

Data Serialisation. Can be weaponised into a payload which will be parsed and executed. Tools like CommonsCollections1.

CMS targets like Joomla, Drupal, WordPress. Lots of complexity leads to misconfiguration. Vulnerable plugins and add-ons. Version leakage.

joomscan and wpscan both useful automated tools. As are DroopeScan and DruPwn for Drupal.

Injection of serialised objects into HTTP_HEADER. Chain with x-forward-for to trigger the payload.

Basics of scanning for unknown ports then running droopescan and wpscan.

EXIF metadata can also be used to hide information - old WP plugins particularly vulnerable.

Use of dirb to find directories on remote webservers.

One thought on “Certified in The Art of Hacking - Day 2”

  1. Chris Midgley says:

    Shame about the trivia questions when the solutions are a man away. Some flags are good to know -- some you'll inevitably memorise -- but I can't see a lot of these being useful.

    A course like this is screaming out for a practical exam.
