TestOut Ethical Hack

TestOut Ethical Hacker Pro Q&A Chapter 8 System Hacking

Question Answer
What non-technical password attacks do organizations need to guard themselves against?
What are the main types of technical password attacks?
What are rainbow table attacks?
What is password salting?
What can an organization do to protect passwords?
Brute force attack A password cracking technique that tests every possible keystroke for each character in a password until the correct one is found.
Rainbow attack A password hash cracking technique that uses pre-computed word lists and their hashes in tables for quick comparison using the cracked hashes for authentication.
Dictionary attack A password cracking technique that tests for words from a dictionary, but can include additional common password phrases and symbol substitutions that are added to the database.
Password salting Adding random bits of data to a password before it is stored as a hash to make password cracking much more difficult.
Keylogger Hardware or software that captures every keystroke on the computer.
Dumpster diving This non-technical method of attack relies on finding sensitive information that has been discarded in garbage cans, dumpsters, or other unsecure places that a hacker has access to.
Social engineering The social engineering attack relies on human error. The hacker convinces an employee or other authorized person to give him a password.
Shoulder surfing This technique involves watching and recording a password, pin, or access code that is being entered by someone in close proximity.
Pass the hash Pass the hash is a hacking technique where a hacker uses an underlying NTLM or hash of a user's password to gain access to a server without ever using the actual plain text password. Pass the hash is dangerous to an organization because once a hacker gains access, the entire organization can be compromised very quickly.
Sniffing Sniffing is a passive way for a hacker to gain access to an account. The sniffer collects data that is in transit in a LAN. If access is gained on one system in a LAN, then more data can be gathered from data transmissions to any other system in the network. The sniffer runs in the background, making it undetectable to the victim. Sniffing tools include Wireshark, TCPDump, and Recon-ng.
rtgen rtgen generates rainbow tables based on parameters specified by user. The command line syntax of rtgen program is: rtgen hash_algorithm charset plaintext_len_min plaintext_len_max table_index chain_len chain_num part_index
rtsort A rainbow table is an array of rainbow chains. Each rainbow chain has a start point and an end point. The rtsort program sorts the rainbow chains by end point to make a binary search possible. Use the rtsort . command to sort all .rt rainbow tables in current directory. Please be aware that after rtsort, the command includes a space and then a period.
RainbowCrack RainbowCrack is software that cracks hashes by rainbow table lookup. The rtgen program generates rainbow tables, and the rtsort program sorts them. The following table describes these two programs.
hash_algorithm Program options for rtgen: A rainbow table is hash algorithm specific. A rainbow table for a certain hash algorithm helps to crack only hashes of that type. The rtgen program natively supports lots of hash algorithms, like lm, ntlm, md5, sha1, mysqlsha1, halflmchall, ntlmchall, oracle-SYSTEM, and md5-half. In the example above, we generated md5 rainbow tables that speed up the cracking of md5 hashes.
charset Program options for rtgen: The charset includes all possible characters for the plain text. Loweralpha-numeric is represented by abcdefghijklmnopqrstuvwxyz0123456789, which is defined in configuration file charset.txt.
plaintext_len_min plaintext_len_max Program options for rtgen: These two parameters limit the plain text length range of the rainbow table. In the example above, the plain text length range is 1 to 7. So plain texts such as abcdefg are likely contained in the rainbow table generated. But plain text abcdefgh with length 8 will not be contained.
table_index Program options for rtgen: The table_index parameter selects the reduction function. Rainbow tables with a different table_index parameter use different reduction functions.
chain_len Program options for rtgen: The rainbow chain length. A longer rainbow chain stores more plain texts and requires longer time to generate.
chain_num Program options for rtgen: The number of rainbow chains to generate. A rainbow table is simply an array of rainbow chains. The size of each rainbow chain is 16 bytes.
part_index Program options for rtgen: To store a large rainbow table in many smaller files, use a different number for each part, and keep all other parameters identical.
numeric A hash type whose possible characters or values are: [0123456789]
alpha A hash type whose possible characters or values are: [ABCDEFGHIJKLMNOPQRSTUVWXYZ]
alpha-numeric A hash type whose possible characters or values are: [ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789]
lower alpha A hash type whose possible characters or values are: [abcdefghijklmnopqrstuvwxyz]
lower alpha-numeric A hash type whose possible characters or values are: [abcdefghijklmnopqrstuvwxyz0123456789]
mix alpha A hash type whose possible characters or values are: [abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ]
mix alpha-numeric A hash type whose possible characters or values are: [abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789]
ascii-32-95 A hash type whose possible characters or values are: [ !"
ascii-32-65-123-4 A hash type whose possible characters or values are: [ !"
alpha-numeric-symbol32-space A hash type whose possible characters or values are: [ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@
What are the password cracking countermeasures? 1. Password salting: adding random bits of data to a password before it is stored as a hash. 2. Use a complex password: 8 to 12 characters, with numbers, uppercase and lowercase letters, and special symbols. 3. Never share your passwords. 4. If asked to routinely change your password, do not reuse your current password. 5. No dictionary words. 6. Change every 30 days. 7. Never store a password in an unsecure location. 8. No default password. 9. Never store in a weak encryption or clear text.
What is a USB Keylogger Attack Keystrokes on the computer keyboard are logged or recorded to obtain passwords and other important data. This can be done through either hardware devices or software programs on an individual computer or on a whole network. The user cannot detect the keylogger software, and the information can be recorded before it is encrypted. A hardware keylogger is a physical device that looks like a regular USB drive. It is installed between a keyboard plug and a USB port.
What are the types of keylogger attacks? Hardware, software
How are software keylogger attacks installed Software keyloggers are installed through an opened email attachment or remotely through a network. An advantage of this type of keylogger is that it has no memory limitations because the data is stored on a remote computer hard drive.
What is MD5?
What is SHA1?
What is John the Ripper It combines a number of password crackers into one package, autodetects password hash types, and includes a customizable cracker. You can run it against many encrypted password formats, including several password hash types commonly found in Linux and Windows. You can also run John the Ripper against access passwords for compressed ZIP files and documents.
What is L0phtCrack It can audit passwords on a local machine or a remote machine as long as you have an administrative username and password.
Where are Linux passwords kept /etc/shadow
Where do you get scripts for John the Ripper? GitHub
Tool used to crack zip passwords John the Ripper
Crack a PDF password John the Ripper. Let's type 'pdf2john password.pdf > pdfhash' and press Enter. Now let's crack the password, just like we did for the zipped file password, by typing 'john --format=pdf pdfhash --wordlist=words.txt' and pressing Enter. There's the password! It's the word 'secret'. Let's try it to make sure it works.
Medusa is a speedy brute-force login tool. It has many modules, including FTP, HTTP, and MySQL.
xHydra does pretty much the same thing Medusa does, but from a GUI.
What are the steps to configure account password policies on Windows Server? Account Policies/Password Policy: Enforce password history, Maximum password age, Minimum password age, Minimum password length, Passwords must meet complexity requirements. Account Policies/Account Lockout Policy: Account lockout threshold, Account lockout duration, Reset account lockout counter after. 1. Start. 2. Windows Administrative Tools. 3. Local Security Policy. 4. Account Policies. 5. Password Policy. 6. The policy 7. Configure the policy settings. 8. Click OK.
You have just run the John the Ripper command zip2john secure.zip > secure.txt. Which of the following was this command used for? - To extract the password from a rainbow hash and save it in the secure.txt file. - To extract the password and save it in a rainbow table named secure.txt. - To extract the password hashes and save them in the secure.txt file. - To extract the password and save it in the secure.txt file. Answer: To extract the password hashes and save them in the secure.txt file. The zip2john command is used to extract the password hashes from a zip file. Using the > output redirect operator saves the output to the specified file, which is secure.txt in this case. After the hashes have been saved, you could run john --format=pkzip secure.txt to crack the password.
Carl received a phone call from a woman who states that she is calling from his bank. She tells him that someone has tried to access his checking account and she needs him to confirm his account number and password to discuss further details. He gives her his account number and password. Which of the following types of non-technical password attack has occurred? Social engineering Social engineering relies on human error. It works by feigning trustworthiness to convince someone to share information.
You are cleaning your desk at work. You toss several stacks of paper in the trash, including a sticky note with your password written on it. Which of the following types of non-technical password attacks have you enabled? Dumpster diving Dumpster diving relies on finding sensitive information that has been discarded in garbage cans, dumpsters, or other unsecure places that create access for attackers.
Which of the following best describes shoulder surfing? Someone nearby watches you enter your password on your computer and records it. Shoulder surfing is watching and recording a password, pin, or access code that is being entered by someone nearby.
Which of the following techniques involves adding random bits of data to a password before it is stored as a hash? Password salting Password salting is adding random bits of data to a password before it is stored as a hash, making password cracking much more difficult.
[ !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~] are the possible values in which of the following hash types? Ascii-32-95
Which of the following includes all possible characters or values for plaintext? Charset
Jack is tasked with testing the password strength for the users of an organization. He has limited time and storage space. Which of the following would be the best password attack for him to choose? Rainbow attack
You have created and sorted an md5 rainbow crack table. You want to crack the password. Which of the following commands would you use to crack a single hash? rcrack . -h 202cb962ac59075b964b07152d234b70
You are using a password attack that tests every possible keystroke for each single key in a password until the correct one is found. Which of the following technical password attacks are you using? Brute force
Sam has used malware to access Sally's computer on the network. He has found information that will allow him to use the underlying NTLM to escalate his privileges without needing the plaintext password. Which of the following types of attacks did he use? Pass the hash
What is privilege escalation? Privilege escalation is when an attacker accesses the network as a non-administrator-level user and then gains access to administrative-level privileges. An attacker seeks privilege escalation to access sensitive information, delete files, or install programs like worms, viruses, or Trojan horses.
How do attackers escalate privileges?
What are escalation tools?
How can you protect against privilege escalation?
Kerberoasting An offline brute force to crack a Kerberos ticket to reveal the service account password in plain text. There is no risk of detection and no need for escalated privileges, and the attack is easy to perform.
DLL hijacking Loading a malicious DLL in the application directory so that when the application executes, it will choose the malicious DLL.
cPasswords The attribute that stores passwords in a Windows group policy preference item. This attribute can be exploited because Microsoft publishes a public key for the account credentials.
Security Account Manager (SAM) database The database that authenticates local and remote users. In Windows, this database stores user passwords as an LM hash or an NTLM hash.
Local Security Authority Subsystem Service (LSASS) The Local Security Authority Subsystem Service is a Windows service that performs the system's security protocol.
cPassword cPassword is the name of the attribute that stores passwords in a Group Policy preference item in Windows. This attribute is easy to exploit because Microsoft publishes the public key for the Group Policy preferences account credentials. These preferences allow domain admins access to create and change any local user or local admin account. Cpasswords are stored in an encrypted XML file in the SYSVOL folder on the domain controllers. This allows any domain authenticated user access to decrypt the password.
Clear text credentials in LDAP Data transferred unencrypted or in clear text is vulnerable to hackers. Beware, however, most domain controllers allow clear text credentials to be transmitted over the network, even to and from the local directory. You can check for clear text transfers by using the unsecure LDAP bind script in PowerShell. PowerShell will deliver a CSV file as output, showing you which accounts are vulnerable.
Credentials in LSASS In Microsoft Windows, the local security authority sub-system service (LSASS) is a file in the directory that performs the system's security protocol. It's an essential part of the security process as it verifies user logins, creates access tokens, and handles password changes.
Unattended installation While it is convenient and sometimes necessary, to install a program throughout a network without having to sit at every computer, there are risks. If the administrator fails to clean up after the installation, a file called Unattended is left on the individual workstations. The Unattended file is an XML file and has configuration settings used during the installation that can contain the configuration of individual accounts including admin accounts. This makes privilege escalation easy.
DLL hijacking DLL hijacking can happen during an application installation. When loading an external DLL library, Windows usually searches the application directory from which the application was loaded before attempting a fully qualified path. If an attacker has installed a malicious DLL in the application directory before the application installation has begun, then the application will choose the malicious DLL.
Trinity Rescue Kit A tool hackers can use to elevate privileges. Trinity Rescue Kit (TRK) helps with repair and recovery operations on Windows machines. It is a great tool for maintenance. It has many functions, including resetting passwords, scanning for viruses, running a disk cleanup, and fixing bugs.
ERD Commander A tool hackers can use to elevate privileges. ERD Commander software is designed to correct problems that can occur when rebooting after you install new software on a Windows NT system. It allows users access to the command prompt to perform basic system maintenance tasks during the boot process.
OPH Crack A tool hackers can use to elevate privileges. A tool for cracking Windows login passwords. It uses rainbow tables and has the capability to crack hashes from many formats. It is an open-source program and free to download.
What is the most effective way to protect against privilege escalation? The most effective way is to tighten privileges to make sure that users have only the privileges that they need. Once privileges are tightened, focus on these steps: • Encrypt • multi-factor authentication and authorization. • Restrict interactive logon privileges. • Scan the OS for bugs and errors. • updates on the OS and applications. • continuously monitor file system permissions. • Use fully qualified paths in Windows applications. • Select Always Notify in the UAC settings.
Roger, a security analyst, wants to tighten up privileges to make sure each user has only the privileges they need to do their work. Which of the following additional countermeasures could he take to help protect privilege? Instigate multi-factor authentication and authorization.
Which of the following is used to remove files and clear the internet browsing history? CCleaner
Which of the following is a protocol that allows authentication over a non-secure network by using tickets or service principal names (SPNs)? Kerberoasting
Which of the following best describes the Security Account Manager (SAM)? A database that stores user passwords in Windows as an LM hash or a NTLM hash.
An attacker installed a malicious file in the application directory. When the victim starts installing the application, Windows searches in the application directory and selects the malicious file instead of the correct file. The malicious file gives the attacker remote access to the system. Which of the following escalation methods best describes this scenario? DLL hijacking
Which of the following is the name of the attribute that stores passwords in a Group Policy preference item in Windows? cPasswords
Which of the following privilege escalation risks happens when a program is being installed without the constant supervision of the IT employee and fails to clean up after? Unattended installation
A hacker has gained physical access to a system and has changed an administrator's account password. Which of the following tools did the hacker most likely use to accomplish this? Ultimate Boot CD
Which of the following is a tool for cracking Windows login passwords using rainbow tables? Ophcrack
How do hackers maintain access to the systems they exploit?
What are writable services?
How do hackers leave the back door open for themselves?
Path interception When a malicious file name is added to a service path without quotation marks and includes spaces in the code.
Backdoor An installed program that grants continued access to a previously hacked system.
Spyware Malware that works by stealth to capture information and send it to a hacker to help them gain remote access.
Crackers Software programs that crack code and passwords to gain unauthorized access to a system.
Writable services A service with permissions that allow anyone to change the service's execution.
What is Metasploit
How do hackers maintain access? Path interception, writable services, unsecure file and folder permissions, backdoors, crackers, spyware, scheduled tasks
Which of the following is malware that works by stealth to capture information and then sends it to a hacker to gain remote access? Spyware
Which of the following do hackers install in systems to allow them to have continued admittance, gather sensitive information, or establish access to resources and operations within the system? Backdoors
Hackers can maintain access to a system in several ways. Which of the following best describes the unsecure file and folder method? This can lead to DLL hijacking and malicious file installations on a non-admin targeted user.
Which of the following system exploitation methods happens by adding a malicious file to a file path that is missing quotation marks and has spaces in it? Path interception
A hacker finds a system that has a poorly designed and unpatched program installed. He wants to create a backdoor for himself. Which of the following tools could he use to establish a backdoor? Metasploit
How can an attacker prevent being detected?
How is evidence such as files, data, and programs hidden?
What are rootkits? How can you detect them? And how can you protect systems from them?
What is steganography? Why is it so difficult to detect?
Rootkit A software program that attackers use to establish root-level privileges to a system.
Steganography A method of embedding data into legitimate files like graphics, music, video, and plain text messages to hide it from everyone except the intended receiver.
NTFS data streams One data stream stores the attributes, another stores the data. Additional data streams, which can be hidden, are allowed.
Slack space The unused portion of an existing file that has been defined.
System file logs Files that are continuously recording when files are created, accessed, or modified.
What logs do hackers normally delete in Windows? • SECEVENT.EVT logs failed logins and file access without privileges. • SYSEVENT.EVT logs anomalies in system operations and driver failure. • APPEVENT.EVT logs application variants.
What methods can hackers use to hide files? Another way to cover tracks is to hide the evidence. Following are methods a hacker can use to hide files. • hidden option in the file attributes • Placing a period at the beginning of a Linux, Unix, and OS X file name • Placing the file in the unused or slack space of an existing file can hide a file. • Incorporating the file in the ADS can hide it. • Using executables that can be activated from the command line,
What are ways to modify the timestamp? Timestomp, Touch, ctime, Meterpreter
Timestomp Timestomp is a tool for modifying or deleting a file's timestamp in order to hide when the file was created, accessed, or modified. Hackers change times and dates to blend in with existing timestamps so as to not alert digital forensic investigators of access or exploitation.
Touch The touch command in Linux, Unix, and OSX can be used to alter the timestamp as well. It can change the time to the current time or to any specific time.
ctime ctime is a header file that contains definitions of functions to get and manipulate date and time information.
Meterpreter Meterpreter is Metasploit's payload. It has many features for covering tracks, including the ability to launch a fileless attack.
What can be done with Auditpol.exe? To disable auditing, a hacker can use the Auditpol.exe command-line utility to remotely change the audit security settings. AuditPol can be used to disable security auditing on either local or remote systems. It can also be used to enable auditing after the attack is over to avoid suspicion. A hacker can use Auditpol.exe to alter the audit criteria for categories of security procedures.
How can the hacker clear online tracks? • Browse in private mode • Delete history in address field and stored history • Clear cookies and caches • Delete downloads, saved sessions, and user JavaScript • Disable the password manager and clear its data • Create multiple users • Clear Most Recently Used and toolbar data
What is CCleaner? CCleaner is a cleaning tool that can remove files and clear internet browsing history. It also frees up hard disk space. It clears the temporary files, history, and cookies from each of the six major search engines.
What is Clear My History Clear My History is software that can clear cookies, stored data like passwords, browser history, and temporary cached files. It can clear the recycling bin, clipboard data, and recent documents lists as well.
What is Dump event log The dump event log command line tool in Windows 2000 dumps an event log remotely or on a local system into a tab-separated text file. It can also be used to filter specific types of events.
Rootkit is a software program that attackers use to establish root-level privileges to a system. Rootkits create backdoors through the login process, which gives them continued access. They also hide the applications and processes the attacker's added, send him sensitive data, and provide him knowledge about network traffic, and they can act as a server for bot updates.
GrayFish A rootkit tool that runs within the Windows operating system. It contains hidden storage and has invisible command execution. GrayFish isn't flagged in anti-rootkit scans because it sets no hooks on Windows kernel functions and doesn't register callback functions.
Sirefef Sirefef, also known as ZeroAccess, has virus, Trojan horse, and rootkit components. As a rootkit, it is unseen by antivirus and anti-spyware programs. It hides by changing the internal process of the target operating system. Sirefef is difficult to remove and can create problems with Windows Firewall and Defender Service, remote hosts, and browser settings. It creates a folder to store additional malware.
Integrity-based detection used to detect and identify rootkits: Integrity-based detection works by running a tool to scan a clean system to create a database. The integrity-based detection scans the system and compares the current scan to the clean database. Any dissimilarities between the clean baseline database and the current scan are flagged and a notification is sent.
Signature-based detection used to detect and identify rootkits: Signature-based detection scans a system's processes and executable files looking for byte sequences of known malicious rootkit programs.
Heuristic or behavior-based detection used to detect and identify rootkits: Heuristic or behavior-based detection searches for deviations in normal behaviors and patterns of an operating system. One of the patterns it searches for is execution path hooking which allows a function value in an accessible environment to be changed. This is a behavior used by rootkits.
Runtime execution path profiling used to detect and identify rootkits: Runtime execution path profiling checks for variations in the runtime execution path of all executable files and system processes.
Cross view-based detection used to detect and identify rootkits: Cross view-based detection uses an algorithm as it goes through the system files, processes, and registry keys to create a baseline that is compared to the data returned by the operating system's APIs.
How to prevent rootkits To prevent rootkits: • Back up critical data and reinstall the OS and applications. • Install and routinely update firewalls. • Patch and regularly update the OS and applications. • Keep a record of automated installation procedures. • Harden servers and network stations. • Train users to confirm that downloads are from a trusted source. • Check for rootkits through a kernel memory dump analysis.
What is NTFS data streaming? Alternate data streams (ADS). When a file is created or copied to NTFS, one data stream stores the attributes, and a second stores the data. NTFS allows each file an unlimited number of data streams with unlimited size. Because they are hidden, a hacker can inject malicious code into these alternate data streams and execute the code without being detected by the user or system administrator.
How to get rid of malicious alternate data streams? Move suspect files to a partition or device that is formatted using FAT. Since FAT doesn't support alternate data streams, the alternate file streams will be removed when the file is moved. Remember to keep your antivirus software updated. Some tools that detect and remove infected ADS include LADS, Stream Detector, LNS, and Forensic Toolkit.
Image steganography The most common form of steganography is hiding information in image files.
Video steganography Files with extensions can be hidden in video files such as .MPG4, .AVI, and .WMV.
Document or whitespace steganography The data is hidden in added white spaces and tabs at the end of lines.
Audio steganography The data is hidden in a digital sound format through least significant bit (LSB) manipulation.
Web steganography The data is hidden behind a web object when uploaded to the server.
C++ source code steganography A set of tools is hidden in the C++ code.
Spam/email steganography Data is embedded in an email.
StegoStick A steganography tool that allows a file to be hidden within any image, audio, or video file, even in PDFs and EXE files.
OpenStego A tool for hiding data in a cover file or watermarked files. It can be used to trace file copying.
OmniHide Pro OmniHide Pro can hide files in photos, movies, documents, and music. It allows the user to create a password to make the hidden file more secure.
DeepSound A tool for hiding data in audio files and extracting files from audio tracks. It also has the option to encrypt the files.
Spam Mimic Spam Mimic encodes data into emails and has the ability to decode the messages.
How to detect steganography Text: Check for extra spaces and invisible characters. Look for unusual patterns in spacing, fonts, line heights, and even in the language. Image: Check for changes in format, size, the color palette, and the last modified timestamp. Audio: Look for distortions and patterns in frequencies that are above or below the human range of hearing. Video: Use a combination of the methods used for audio and image files to search for hidden information.
Discover the Hidden Scans for known steganography and encryption programs.
StegoHunt Searches for carrier files through statistical analysis techniques, scans for data hiding tools, and can crack password-protected data to extract the payload.
Gargoyle Scans for known steganography files created by tools such as BlindSide, S-tool, and WeavWav.
StegAlyzerSS Scans media or forensic images for uniquely identifiable byte patterns or known signatures left inside files when a steganography application is used to embed hidden information in them.
Virtual Steganographic Laboratory (VSL) Uses, tests, and adjusts different steganographic techniques in a simple GUI. VSL is free image steganography and steganalysis software.
Stegdetect Detects steganographic content in images.
You believe your system has been hacked. Which of the following is the first thing you should check? System log files
Who would be most likely to erase only parts of the system logs file? A black hat hacker
Phil, a hacker, has found his way into a secure system. He is looking for a Windows utility he can use to retrieve, set, back up, and restore logging policies. Which of the following utilities should he consider? auditpol
Which of the following could a hacker use Alternate Data Streams (ADS) for? Hiding evidence
James, a hacker, has hacked into a Unix system and wants to change the timestamps on some files to hide his tracks. Which of the following timestamp tools would he most likely use? Touch
Which of the following best describes CCleaner? A tool that can remove files and clear internet browsing history. It also frees up hard disk space. It clears the temporary files, history, and cookies from each of the six major search engines.
Mark is moving files from a device that is formatted using NTFS to a device that is formatted using FAT. Which of the following is he trying to get rid of? Malicious alternate data streams.
Which of the following best describes a rootkit? Can modify the operating system and the utilities of the target system.
Which of the following is also known as ZeroAccess and has virus, Trojan horse, and rootkit components? Sirefef
Jerry runs a tool to scan a clean system to create a database. The tool then scans the system again and compares the second scan to the clean database. Which of the following detection methods is Jerry using? Integrity-based
Which of the following best describes the heuristic or behavior-based detection method? Searches for execution path hooking, which allows a function value in an accessible environment to be changed.
The method of embedding data into legitimate files like graphics to hide it and then extracting the data once it reaches its destination is called: Steganography
Cameron wants to send secret messages to his friend Brandon, who works at a competitor's company. To secure these messages, he uses a technique to hide a secret message within a video. Which of the following techniques is he using? Steganography
Created by: jacobth