This device connects multiple devices on the same network and forwards data based on MAC addresses.
What is a switch?
This common type of attack tricks users into giving up personal information through fake emails or websites.
What is phishing?
This command displays your current working directory - useful for confirming where you are in the file system.
What is pwd?
This framework maps attacker tactics and techniques across the intrusion lifecycle.
What is MITRE ATT&CK?
9+10?
What is 21?
This layer of the OSI model is responsible for logical addressing and routing packets across networks.
What is the Network Layer (Layer 3)?
This attack floods a system or network with traffic, making it unavailable to legitimate users.
What is a Denial-of-Service (DoS) or Distributed Denial-of-Service (DDoS) attack?
Attackers often use this command to list all files, including hidden ones (those beginning with a dot), in a directory.
What is ls -a?
This security model limits user access to only what’s necessary for their job.
What is the Principle of Least Privilege?
Feed me any message and I return a fixed-size fingerprint. I’m easy to compute, hard to reverse, and perfect for checking integrity.
What is a cryptographic hash?
Hashing is a one-way function that converts data into a fixed-length string, while salting is the process of adding a unique, random string (the "salt") to the data before hashing it.
This protocol is used to automatically assign IP addresses to devices on a network.
What is DHCP (Dynamic Host Configuration Protocol)?
In this type of attack, a hacker secretly intercepts and possibly alters the communication between two parties who believe they are directly communicating with each other.
What is a Man-in-the-Middle (MitM) attack?
This command lets a permitted user run a single command with elevated (typically root) privileges; its misconfigurations are often targeted for privilege escalation.
What is sudo?
This open-source SIEM platform collects, searches, and visualizes log data for threat detection and analysis.
What is ELK Stack (Elasticsearch, Logstash, Kibana)?
If you type rm -rf / on a Linux system as root, what happens next?
What is you delete your entire system (and cry)?
rm = remove (deletes files), -r = recursive (delete everything inside subdirectories), -f = force (don't ask for confirmation), / = the root directory, i.e. basically the entire file system
When analyzing network traffic, this TCP flag combination indicates that a connection is being terminated between two hosts.
What is FIN + ACK?
The TCP flags FIN and ACK are used to gracefully terminate a connection, while the RST flag is used for abrupt termination. A typical, graceful connection close involves a four-way handshake where both sides send a FIN flag to signal they are done sending data, and an ACK flag is sent in response to acknowledge this.
In this attack, an attacker corrupts a DNS cache or response so users are redirected to a malicious website instead of the legitimate one.
What is DNS Spoofing or DNS Cache Poisoning?
This command shows all active network connections and listening ports, commonly used to detect backdoors or malware communications.
What is netstat -tulnp (or ss -tulnp)?
netstat on its own is a general command that lists all network connections; netstat -tulnp is a specific combination of flags that restricts the output to TCP (-t) and UDP (-u) sockets in the listening state (-l), shown with numeric addresses (-n) and the owning process (-p). In other words, plain netstat shows every connection, while netstat -tulnp shows only the ports the system is actively listening on.
This tool analyzes volatile memory dumps to extract running processes, network connections, and injected code.
What is Volatility?
WinPmem cannot analyze the memory dump itself; its function is to capture a volatile memory dump, not to analyze it. The dump created by WinPmem must then be analyzed using a separate tool like Volatility, which can extract information such as running processes, network connections, and injected code from the captured memory image.
What is "It's Clobberin time! ~"?
In a network with the IP address 192.168.10.0/26, how many usable host addresses are available per subnet?
What is 62?
This advanced attack technique abuses legitimate administrative tools like PowerShell or WMI to perform malicious actions while blending in with normal activity.
What is a Living-off-the-Land Attack?
In a LotL attack, adversaries use tools and features that are already installed on a target system (such as PowerShell, Windows Management Instrumentation, PsExec, or CertUtil) to carry out their objectives, rather than introducing custom, malicious software that might trigger security alerts.
This file, if misconfigured, can allow attackers to escalate privileges by running commands as root without a password.
What is /etc/sudoers?
If misconfigured with the NOPASSWD option, this file can allow attackers to escalate privileges by running commands as root without a password. A common misconfiguration is an entry like:
username ALL=(ALL) NOPASSWD: ALL
This tool allows secure storage, rotation, and access control of secrets and encryption keys used by applications and infrastructure.
What is HashiCorp Vault?
Cloud Key Management: manages encryption keys for AWS services and customer data; a cloud-based alternative that is often confused with Vault.
Password Managers securely store user passwords — not infrastructure secrets, but often confused due to the word “vault.”
What color is the sky usually?
Blue