What is SQL Injection?
An attack that inserts SQL metacharacters (quotes, comment sequences, operators) into input that the application concatenates into a SQL statement, so the attacker's text is parsed as part of the command and changes its logic; exploits web apps that build queries from unvalidated input instead of using parameterized queries; requires only a browser and SQL knowledge
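The bypass described above, as an added example that is not from the original card set: a login check built by string concatenation beside its parameterized replacement, run against a constructed in-memory SQLite table (the user row, the table name and the two payloads are assumptions for the demo). The tautology payload makes the WHERE clause always true; the comment payload cuts the password test off the end of the statement. Both work against the concatenated query and neither works against the parameterized one.

```python
import sqlite3

# Constructed demo database (not from the original page): one user row.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery staple')")
    return conn

def login_vulnerable(conn, username, password):
    # Attacker-controlled strings are spliced straight into the SQL text, so
    # quote and comment characters in the input change the query's structure.
    sql = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone()[0] > 0

def login_safe(conn, username, password):
    # Parameterised query: the driver sends values separately from the SQL
    # text, so a quote in the input is just data and can never close the literal.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0

# Two classic payloads: a tautology that makes the WHERE clause always true,
# and a comment sequence that strips the password check off the end.
TAUTOLOGY = "' OR '1'='1"
COMMENT_OUT = "alice' --"

def demo():
    conn = make_db()
    return {
        "vuln_tautology": login_vulnerable(conn, "nobody", TAUTOLOGY),
        "vuln_comment": login_vulnerable(conn, COMMENT_OUT, "wrong"),
        "safe_tautology": login_safe(conn, "nobody", TAUTOLOGY),
        "safe_comment": login_safe(conn, COMMENT_OUT, "wrong"),
        "safe_real_login": login_safe(conn, "alice", "correct horse battery staple"),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-16s -> %s" % (name, "logged in" if ok else "denied"))
```

The parameterized form is the fix; input filtering alone is not, because the set of characters that matter depends on the database dialect.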
What is a Buffer Overflow?
Sending more data than a fixed-size buffer can hold, so the excess overwrites adjacent memory (other variables, saved return addresses, function pointers); a memory-safety bug in native C/C++ code that has historically been common in web servers and database engines
What is a Poison Null Byte attack?
Embedding a NUL byte (0x00, sent URL-encoded as %00) in input so that a length-aware language such as Perl, PHP or Java sees the whole string while the underlying C library, which ends strings at the first NUL, sees only the part before it; a name like shell.php%00.jpg passes an extension check for .jpg but is written to disk as shell.php
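The check-versus-use gap behind the null byte attack, as an added example that is not from the original card set. The upload name, the allowed-extension list and the emulation of a C-string consumer are assumptions for the demo; the last function shows the modern mitigation, which is that Python 3 (like current PHP and Java) refuses to pass a path containing NUL to the operating system at all.

```python
import os
import tempfile

ALLOWED_EXTENSIONS = (".jpg", ".png")

def extension_check(filename):
    # The application-level check (what a length-aware Perl/PHP/Java string
    # sees): the name ends in ".jpg", so the upload is accepted.
    return filename.lower().endswith(ALLOWED_EXTENSIONS)

def name_seen_by_c(filename):
    # Emulates a C-string consumer such as open(2) or strcpy(): the string
    # ends at the first NUL, so the trailing ".jpg" silently disappears.
    return filename.split("\x00", 1)[0]

def runtime_rejects_nul(filename):
    # Modern runtimes close the gap by refusing paths with embedded NUL.
    # Python 3 raises ValueError before the OS is ever asked to open it.
    with tempfile.TemporaryDirectory() as d:
        try:
            with open(os.path.join(d, filename), "w"):
                pass
        except ValueError:
            return True
    return False

def demo():
    # Constructed attacker upload name, as received after decoding "%00".
    upload = "shell.php\x00.jpg"
    return {
        "check_passes": extension_check(upload),
        "file_c_would_write": name_seen_by_c(upload),
        "python_rejects": runtime_rejects_nul(upload),
    }

if __name__ == "__main__":
    print(demo())
```

The practitioner's check is the same in any language: reject input containing 0x00 before it reaches a file, command or library call, and validate the name the filesystem will actually use rather than the name the user supplied.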
What is a Smurf Attack?
A ping flood with amplification: the attacker sends ICMP echo requests to a network's broadcast address with the source spoofed to the victim's IP, so every host on that segment replies to the victim at once; routers that drop directed broadcasts and hosts that ignore broadcast pings remove the amplifier
What is a SYN Flood?
Exploits the TCP three-way handshake by sending many SYN packets (often from spoofed sources) and never completing the handshake, so the server's backlog fills with half-open connections and legitimate clients are refused; SYN cookies let the server avoid keeping state until the final ACK arrives
What is IP Fragmentation attack?
Sending malformed or overlapping IP fragments that the target's reassembly code mishandles, to confuse or crash the system (Teardrop is the classic overlapping-fragment example)
What is NIDS and what does it consist of?
Network Intrusion Detection System: monitors network traffic and reports suspicious activity; its components are network sensors (which capture and inspect traffic at chosen points) and a command console (which collects their alerts and manages the sensors)
What is SQLPing 3.0?
A tool that locates rogue or unknown SQL Server/MSDE database installations using active and passive network scans
What is SQLRecon?
Similar to SQLPing but uses additional techniques to discover SQL Server installations that may be hidden
What are web application session management vulnerabilities?
Sessions that live too long or never expire, no logout or server-side invalidation, predictable or low-entropy session identifiers, and issuing session IDs to users before they authenticate (the basis of session fixation)
What is malware?
Software that performs hostile actions without the user's knowledge or consent; not always hidden — sometimes disclosed in the EULA
What does the Computer Fraud & Abuse Act of 1986 cover?
Applies to federal computers or cases that cross state lines; the original U.S. federal cybercrime law
What did the Patriot Act add to cybercrime law?
Up to 10 years in prison for first offense; increased penalties for attacking military/judicial systems; covers foreign computers; makes selling malware-infected computers a federal offense
How does a virus work?
Attaches itself to other files and spreads from system to system; activated when the infected file is run or opened; signature-based antivirus (misuse detection) can only find viruses whose signatures are already known
What are the five virus types?
Boot sector virus (infects the master boot record), Logic bomb (payload fires when a condition is met, e.g. a date, as with Michelangelo's 6 March trigger), Polymorphic virus (rewrites its own code to evade signature detection), Multipartite virus (infects both the boot sector AND files), Macro virus (embedded in document macros)
What is a polymorphic virus?
A virus that changes its own code each time it replicates to evade antivirus signature detection
How does a worm differ from a virus?
A worm is self-replicating and self-contained — it does NOT require a host file and does NOT require user intervention; spreads rapidly and can carry a payload like a virus
What are the strategies to stop worms?
Patch operating systems (not zero-day proof), education (safe email habits, no phishing responses), antivirus, firewalls, multi-homed firewalls, stateful firewalls, proxy firewalls
What is a zero-day exploit?
An attack against a vulnerability unknown to the vendor with no available patch; patching OSes does NOT protect against zero-days
What are the symptoms of a Trojan infection?
Browser redirected to unknown page, ISP reports port scans from victim, account passwords changed, legitimate accounts accessed without authorization, unknown credit card charges
What is a Trojan wrapper?
A tool that merges a malicious payload with a legitimate executable into a single file; attacker downloads real app, wraps Trojan in it, posts it for unsuspecting users to download
How do you defeat ransomware?
Education, regular backups kept offline or immutable and proven by restore drills, prompt patching and antivirus updates, log review to find the initial infection and how it spread, and isolating infected hosts (or the whole segment) from the network as soon as infection is detected
What is ShellShock?
A bash vulnerability (CVE-2014-6271): bash imported functions from environment variables whose value began with () { :;}; and also executed whatever text followed the closing brace, so an attacker who can set an environment variable (e.g. an HTTP header that a CGI script exports) can run arbitrary commands on the system; setting such a variable to () { :;}; echo vulnerable and starting bash shows whether a host is still affected
What are covert channels and their two types?
Communication using a mechanism not designed for that purpose; two types: Covert Storage Channels (encode data in storage fields like packet headers) and Covert Timing Channels (encode data via timing of events)
What packet fields are used in covert communication?
IP Identification field (16 bits; covert tools send about one byte per packet per second, so it is slow); TCP Initial Sequence Number field (32 bits, more capacity per packet); TCP ACK number field (carries the peer's sequence number plus one, so data can be bounced off a third host that simply answers a spoofed SYN)
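A covert storage channel in the IP Identification field, as an added example that is not from the original card set and covers the two cards above: the sender builds IPv4 headers whose 16-bit ID carries one message byte each, the receiver is a sniffer that reads the IDs back out, and a third function is the defender's heuristic. The addresses, message and the "IDs all below 256" heuristic are assumptions for the demo; the header builder uses the standard 20-byte IPv4 layout and Internet checksum. Encoding into the TCP ISN works the same way with a 32-bit field.

```python
import socket
import struct

IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")  # 20-byte header, no options

def ip_checksum(data):
    # Internet checksum (RFC 1071): one's-complement sum of 16-bit words.
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_header(src, dst, ident, proto=1, payload_len=0):
    # Builds a header with the chosen Identification value and a valid checksum.
    hdr = IPV4_HDR.pack((4 << 4) | 5, 0, 20 + payload_len, ident, 0, 64, proto, 0,
                        socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def parse_ipv4_header(pkt):
    # A header whose checksum field is correct sums to zero.
    if ip_checksum(pkt[:20]) != 0:
        raise ValueError("bad IPv4 header checksum")
    f = IPV4_HDR.unpack(pkt[:20])
    return {"id": f[3], "src": socket.inet_ntoa(f[8]), "dst": socket.inet_ntoa(f[9])}

def covert_send(message, src, dst):
    # Sender side of the channel: one message byte per packet, smuggled in
    # the 16-bit Identification field that the receiving stack ignores.
    return [build_ipv4_header(src, dst, ident=byte) for byte in message]

def covert_receive(packets, expected_src):
    # Receiver side: a sniffer that reads the ID field of every packet from
    # the agreed peer and reassembles the bytes in arrival order.
    return bytes(parse_ipv4_header(p)["id"] & 0xFF
                 for p in packets if parse_ipv4_header(p)["src"] == expected_src)

def suspicious_id_stream(packets, min_packets=8):
    # Detection heuristic for the defender (an assumption, not a standard):
    # real stacks use the full 16-bit range, so a long run of IDs that all
    # fit in one byte suggests the field is being used as a data channel.
    ids = [parse_ipv4_header(p)["id"] for p in packets]
    return len(ids) >= min_packets and all(i < 256 for i in ids)

if __name__ == "__main__":
    pkts = covert_send(b"exfil ok", "10.0.0.2", "10.0.0.1")  # constructed demo addresses
    print(covert_receive(pkts, "10.0.0.2"), suspicious_id_stream(pkts))
```

Sending these headers on a real network needs a raw socket and root; the point here is the encoding and the parser, which are what a sniffer-based detector would reuse.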
What is TCSEC?
Trusted Computer System Evaluation Criteria, the US DoD "Orange Book": the evaluation standard that requires covert channel analysis at its higher assurance classes (B2 and above)
What is a sniffer?
An application or device that captures network traffic as it passes; it must be positioned where it can see the traffic (the same collision domain on a hub, a SPAN/mirror port, a tap, or in the path after active sniffing)
What is passive sniffing?
Capturing network traffic without sending packets; easy to do and hard to detect; particularly easy on hub networks
What is active sniffing and what techniques does it use?
Sniffing that gets around switches; uses MAC flooding and ARP cache poisoning to redirect traffic to the attacker
How does ARP poisoning work?
Attacker sends unsolicited (gratuitous) ARP replies mapping the router's IP to the attacker's MAC address; hosts cache the bogus entry in their ARP tables and send traffic destined for the router to the attacker, who sniffs it and forwards it to the real router so nothing appears broken; the switch itself is not fooled, it simply delivers frames to whichever MAC the poisoned hosts address them to
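The defender's side of the attack above, as an added example that is not from the original card set: a small Ethernet/ARP parser and a detector that keeps an IP-to-MAC table and alerts when a reply rebinds an address to a different MAC, or when a frame's link-layer source differs from the MAC claimed inside the ARP body. The MAC addresses, IPs and the four-frame capture are constructed for the demo; the frame layout is the standard 14-byte Ethernet header followed by a 28-byte ARP body.

```python
import struct

ETH = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")   # hw type, proto type, hw len, proto len, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))

def mac_text(raw):
    return ":".join("%02x" % b for b in raw)

def ip_bytes(text):
    return bytes(int(octet) for octet in text.split("."))

def ip_text(raw):
    return ".".join(str(b) for b in raw)

def arp_frame(sender_mac, sender_ip, target_mac, target_ip, op=ARP_REPLY, eth_src=None):
    # Builds an Ethernet+ARP frame. eth_src lets the frame's link-layer
    # source differ from the MAC claimed inside the ARP body.
    body = ARP.pack(1, 0x0800, 6, 4, op, mac_bytes(sender_mac), ip_bytes(sender_ip),
                    mac_bytes(target_mac), ip_bytes(target_ip))
    return ETH.pack(mac_bytes(target_mac), mac_bytes(eth_src or sender_mac), ETHERTYPE_ARP) + body

def parse_arp(frame):
    _dst, src, ethertype = ETH.unpack(frame[:ETH.size])
    if ethertype != ETHERTYPE_ARP:
        return None
    _, _, _, _, op, sha, spa, _tha, tpa = ARP.unpack(frame[ETH.size:ETH.size + ARP.size])
    return {"op": op, "sender_mac": mac_text(sha), "sender_ip": ip_text(spa),
            "target_ip": ip_text(tpa), "eth_src": mac_text(src)}

def detect_arp_poisoning(frames, pinned=None):
    # Keeps an IP->MAC table seeded with pinned bindings (e.g. the gateway).
    # Alerts on a reply that rebinds an IP to a different MAC, and on a reply
    # whose Ethernet source differs from the MAC it claims in the ARP body.
    table = dict(pinned or {})
    alerts = []
    for frame in frames:
        a = parse_arp(frame)
        if a is None or a["op"] != ARP_REPLY:
            continue
        if a["eth_src"] != a["sender_mac"]:
            alerts.append(("eth-src mismatch", a["sender_ip"], a["eth_src"], a["sender_mac"]))
        known = table.get(a["sender_ip"])
        if known is None:
            table[a["sender_ip"]] = a["sender_mac"]
        elif known != a["sender_mac"]:
            alerts.append(("rebind", a["sender_ip"], known, a["sender_mac"]))
    return alerts, table

# Constructed sample capture: the real gateway answers, the victim answers,
# a request goes by, then an attacker sends an unsolicited reply claiming
# the gateway's IP with its own MAC.
GATEWAY_MAC, VICTIM_MAC, ATTACKER_MAC = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:10", "de:ad:be:ef:00:ff"
SAMPLE_FRAMES = [
    arp_frame(GATEWAY_MAC, "192.168.1.1", VICTIM_MAC, "192.168.1.10"),
    arp_frame(VICTIM_MAC, "192.168.1.10", GATEWAY_MAC, "192.168.1.1"),
    arp_frame(GATEWAY_MAC, "192.168.1.1", VICTIM_MAC, "192.168.1.10", op=ARP_REQUEST),
    arp_frame(ATTACKER_MAC, "192.168.1.1", VICTIM_MAC, "192.168.1.10"),  # the poison
]

if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_FRAMES)[0]:
        print(alert)
```

Pinning the gateway's real MAC (the `pinned` argument, or a static ARP entry on the host) is what turns this from a first-seen heuristic into a reliable check; without it the detector trusts whichever reply it sees first.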
What is session hijacking?
Using a valid, existing session to gain unauthorized access to a system; targets authentication, which occurs at session start — hijacking happens after that point
What are the 6 steps of session hijacking?
1) Insert between Party A and B, 2) Monitor packets via sniffing, 3) Analyze and predict sequence numbers, 4) Sever the connection, 5) Seize control of the session, 6) Perform packet injection
What is a DoS attack?
An attack intended to prevent legitimate service delivery by exhausting a finite resource (bandwidth, connection state, CPU, memory); related risk: when a switch's CAM table overflows, many switches fail open and flood frames to all ports like a hub, exposing traffic to sniffing
What are the three DoS attack layers?
Application layer (attacks on the service or host itself, e.g. web servers such as Apache or the OS network stack), Protocol layer (SYN floods, MAC floods), Volume-based / physical layer (ICMP floods, bogus Ethernet frames with randomized source hardware addresses)
What is a DDoS attack?
Uses hundreds or thousands of systems; has primary and secondary victims; difficult to track back to source; harder to defend against than DoS
What is a botnet?
A network of malware-infected systems under a central controller, used for DDoS attacks, sending spam, stealing information, and click fraud; can span the globe (one botnet described by Cisco had about 500,000 nodes)
What is clickfraud?
A botnet activity that generates fraudulent advertisement clicks to defraud advertisers
What are the four DNS security improvements?
Randomized requests (unpredictable source ports and transaction IDs, so a forged reply is unlikely to match; resists cache poisoning), Limited resolver access (ISPs restrict recursive resolvers to their own customers), Replicated DNS servers (so DoS on one won't take down a TLD), DNSSEC (signed responses that a resolver can authenticate)
What is DNSSEC?
DNS Security Extensions — provides authentication for DNS responses to protect against cache poisoning and spoofing
What is phishing vs. spear phishing?
Phishing = mass emails hoping a small percentage respond | Spear phishing = targeted emails after performing reconnaissance on a specific individual or organization
What psychological triggers do social engineers exploit?
Fear, Greed, and Curiosity — all attempt to leverage Type 1 (fast, intuitive) decision-making
What are the Dark Triad personality traits and why do they matter?
Machiavellianism (manipulative, self-interested, deceptive, low empathy), Narcissism (grandiose, entitled, dominant, low empathy), Psychopathy (arrogant, deceitful, impulsive, thrill-seeking, low empathy/anxiety); relevant to insider threat modeling in cybersecurity
What is dumpster diving?
A social engineering technique of searching through physical trash to find sensitive or confidential information
What is shoulder surfing?
Watching someone enter credentials or sensitive data in person without their knowledge
What is the Amazon Customer Service Backdoor lesson?
Lesson from the Amazon customer-service backdoor incident: don't act on account requests unless the requester can log in to the account; support agents are trained to assume requests are legitimate, so give them cues such as the connecting IP to flag VPN or Tor addresses
What is a security incident?
A serious event (accidental or malicious) that results in theft or misuse of confidential information, provides unauthorized access, or substantially affects network infrastructure
What must an incident response policy include?
Who determines if an incident occurred, who is notified and how (email, phone, face-to-face), who leads the response, and appropriate response guidelines for each incident type
What is a Business Continuity Plan (BCP)?
Defines how the organization will maintain normal day-to-day business after a security incident or other disruptive event
What is a Disaster Recovery Plan (DRP)?
Defines how personnel and assets will be safeguarded in a disaster and how assets will be restored and brought back to an operating state after the disaster passes
What is a Business Impact Analysis (BIA)?
The process of identifying the organization's critical business functions and quantifying the operational and financial impact of their disruption over time (which sets recovery priorities and targets such as RTO and RPO); the BIA feeds the BCP and DRP
What are the four tiers of the forensic process, and how does chain of custody fit in?
Tier 1 (Collection): search, collect, document, and create a verified image of the original media | Tier 2 (Examination): make evidence visible, reveal hidden information | Tier 3 (Analysis): study the evidence for relevance to the case | Tier 4 (Reporting): document results and the investigation's limitations; chain-of-custody records (who handled each item, when and why, with hashes of the images) accompany the evidence through all four tiers
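The collection-tier bookkeeping in code, as an added example that is not from the original card set: the evidence image is hashed at collection, every custody transfer is appended to a hash-chained log so an after-the-fact edit breaks verification of everything after it, and the original can be re-hashed at any later tier to prove it was not altered. The file contents, analyst names, timestamps and the log format are constructed for the demo; SHA-256 is the hash used.

```python
import hashlib
import json
import os
import tempfile

def sha256_file(path, chunk=1 << 20):
    # Streams the file so multi-gigabyte images do not have to fit in memory.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

class CustodyLog:
    """Append-only, hash-chained record of who handled an evidence item and when.
    Each entry commits to the previous entry's hash, so altering or deleting an
    earlier entry invalidates every entry after it."""

    def __init__(self, evidence_hash):
        self.entries = []
        self._append({"event": "collected", "evidence_sha256": evidence_hash})

    def _append(self, fields):
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        body = dict(fields, prev_hash=prev)
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        self.entries.append(dict(body, entry_hash=digest))

    def transfer(self, from_, to, when, purpose):
        self._append({"event": "transfer", "from": from_, "to": to, "when": when, "purpose": purpose})

    def verify(self):
        # Recomputes every entry hash and checks each link to its predecessor.
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if body.get("prev_hash") != prev:
                return False
            if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

def evidence_unchanged(path, log):
    # Examination and analysis work on copies; re-hashing the original against
    # the value recorded at collection shows it was not altered in between.
    return sha256_file(path) == log.entries[0]["evidence_sha256"]

def demo():
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "disk.img")
        with open(img, "wb") as f:
            f.write(b"constructed sample disk image bytes\n" * 100)  # stand-in for a real image
        log = CustodyLog(sha256_file(img))
        log.transfer("Analyst A", "Evidence locker", "2024-01-15T10:00Z", "storage")
        log.transfer("Evidence locker", "Analyst B", "2024-01-16T09:00Z", "examination")
        result = {"log_valid": log.verify(), "image_intact": evidence_unchanged(img, log)}
        log.entries[1]["to"] = "Someone else"       # simulate an after-the-fact edit
        result["log_valid_after_tamper"] = log.verify()
        with open(img, "ab") as f:
            f.write(b"!")                           # simulate the original being altered
        result["image_intact_after_modify"] = evidence_unchanged(img, log)
        return result

if __name__ == "__main__":
    print(demo())
```

In practice the log is also signed or written to a system the analysts cannot edit; the hash chain makes tampering detectable, not impossible, which is exactly the property a court wants demonstrated.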
What are the three physical defense-in-depth layers?
1st: Building perimeter | 2nd: Building exterior (roof, walls, floor, doors, ceiling) | 3rd: Interior controls (locks, safes, containers, cabinets, interior lighting)
What is the difference between overt and covert entry?
Overt entry (the "suicide hacker" approach) = will be noticed | Covert entry = not noticed in the ordinary course of things, but this does NOT mean no evidence; a trained specialist can find it (e.g. tool marks inside a picked lock, visible under a scanning electron microscope)
Why does caller ID not provide authentication?
Caller ID can be spoofed — it only shows a number, not verified identity; never give sensitive info based on caller ID alone
What is CAM and how does it relate to DoS?
Content Addressable Memory — the switch lookup table; when overflowed via MAC flooding, the switch enters fail-open state and acts like a hub, broadcasting all traffic to all ports
What is a multipartite virus?
A virus that attacks both the boot sector and executable files, making it harder to remove since it has multiple infection vectors
What is a logic bomb?
Malware that executes its payload only when a specific condition is met, such as a date (the Michelangelo virus waited for 6 March)