Vulnerability Assessment
๐ฉ CTFs & Labs ๐งช¶
โ Quizzes¶
Overview of Windows Vulnerabilities¶
Question | Answer |
---|---|
What makes Windows a prime target for attackers? | Its market share and wide deployment. |
What role does endpoint protection play in Windows security? | It mitigates security vulnerabilities. |
Which of the following vulnerabilities does NOT directly involve executing malicious code? | Information disclosure |
Why are older versions of Windows often more vulnerable to attacks? | They have more discovered vulnerabilities over time. |
Which type of vulnerability allows an attacker to gain unauthorized access to sensitive data? | Information disclosure |
What is a consequence of Windows's development in C language? | Susceptibility to buffer overflow exploits |
Frequently Exploited Windows Services¶
Question | Answer |
---|---|
WebDAV is mainly used to | Update, delete, move, and copy files on a web server |
What does WinRM stand for and what port does it typically use with SSL? | Windows Remote Management, port 5986 |
Which protocol allows for graphical user interface remote access on Windows systems? | RDP |
What is the primary function of the SMB protocol in Windows? | To share files and peripherals over a network |
When would the RDP service be enabled by default on a Windows system? | It is not enabled by default |
Which native Windows service runs on TCP port 80 or port 443 if SSL is configured? | IIS |
Vulnerability Scanning with MSF¶
Question | Answer |
---|---|
Which command can be used to perform an Nmap scan and import results directly into the Metasploit database? | DB_nmap |
Which Metasploit plugin assists in identifying exploit modules based on currently open ports? | db_autopwn |
What is the primary purpose of vulnerability scanning in the context of the Metasploit framework? | To identify and exploit Metasploit exploit modules. |
In vulnerability scanning, which step is crucial before using exploit modules? | Confirming the target's service version information |
What does the auxiliary module for SMB -MS17 -010 check? | Vulnerability to the EternalBlue exploit |
WebDAV Vulnerabilities¶
Question | Answer |
---|---|
Why is it important to perform a service version detection scan with nmap? | To identify the specific service versions running on open ports |
Which type of file was used for achieving command execution on the WebDAV server? | ASP file |
What does IIS stand for? | Internet Information Services |
Which protocol does WebDAV extend? | HTTP |
On which ports can a WebDAV server run when utilized by Microsoft IIS? | 80 and 443 |
What is the primary function of the tool 'Davtest' in WebDAV exploitation? | To scan, authenticate, and exploit a WebDAV server |
Vulnerability Analysis: EternalBlue¶
Question | Answer |
---|---|
What is the main benefit of using the EternalBlue exploit in terms of system access? | Obtain elevated privileges on the target system |
Which organization originally developed the EternalBlue exploit? | NSA |
What major cyberattack utilized the EternalBlue exploit for spreading ransomware? | WannaCry |
What does the EternalBlue exploit target? | Windows SMB version 1 protocol |
How can one verify if a system is vulnerable to the MS-17-010 vulnerability using nmap? | Use a script named smb-vulnerability-ms17010 |
Which tool is mentioned for automating the exploitation of the MS-17-010 vulnerability? | AutoBlue MS17-010 |
Vulnerability Analysis: BlueKeep¶
Question | Answer |
---|---|
Why is targeting kernel memory during exploitation critical in the BlueKeep vulnerability? | Exploiting it provides access to privileged operations. |
Which tool is commonly used to check for system vulnerability to BlueKeep? | Metasploit |
What mitigation technique is suggested if network-level authentication is enabled? | It makes exploiting BlueKeep nearly impossible. |
Which systems are primarily affected by the BlueKeep vulnerability? | Windows XP to Windows Server 2008 R2. |
What is the primary consequence of successfully exploiting the BlueKeep vulnerability? | It enables remote code execution with elevated privileges. |
Why should only verified exploit code be used in vulnerability tests? | To avoid potentially malicious or ineffective code. |
Pass-the-Hash Attacks¶
Question | Answer |
---|---|
Why is a Pass-the-Hash attack advantageous even if the original vulnerability is patched? | It allows continued access without exploiting a patched service |
What is the primary purpose of a Pass-the-Hash attack? | To authenticate with NTLM hashes or clear text passwords |
Why might you use CrackMapExec in a Pass-the-Hash attack? | It automates interactions for SMB authentication |
What additional information is required when using the PS exec module for a Pass-the-Hash attack? | Both LM and NTLM hashes |
How does a Pass-the-Hash attack provide persistence on a target system? | By allowing authentication even if vulnerabilities are patched |
Which Metasploit module can be used for performing a Pass-the-Hash attack? | PS exec module |
Frequently Exploited Linux Services¶
Question | Answer |
---|---|
What is the main purpose of the Secure Shell (SSH) service on a Linux server? | To enable remote access and control over networks |
Linux distributions differ primarily based on what feature? | The desktop environment and purpose |
What is the core component of the Linux operating system? | The Linux kernel |
What is SAMBA used for in a Linux environment? | Enabling Linux systems to share with Windows |
What is the function of the Apache service on a Linux server? | To serve as a web server |
Which protocol utilizes port 21 on Linux servers for file sharing? | FTP |
Vulnerability Analysis: Shellshock¶
Question | Answer |
---|---|
What does the exploitation of the Shellshock vulnerability require in the context of an Apache server? | Utilizing CGI scripts or shell scripts |
What characteristic of Bash specifically leads to the Shellshock vulnerability? | Faulty environment variable function declaration |
What type of attack is enabled by the Shellshock vulnerability? | Remote arbitrary command execution |
Who discovered the Shellshock vulnerability and when was it made public? | Stefan Shazalas, September 2014 |
Which HTTP header field is commonly modified to exploit the Shellshock vulnerability? | User-Agent |
Which shell is primarily affected by the Shellshock vulnerability? | Bash |
Vulnerability Scanning with Nessus¶
Question | Answer |
---|---|
Looking for compatible exploit modules using CVE codes. | |
Why is it important to configure service scanning settings in Nessus? | To limit scanning to essential services |
Which protocol might Nessus use to determine if a host is online before a scan? | ARP |
Which of the following is a key benefit of using Nessus for vulnerability scanning? | It automates the identification of known vulnerabilities. |
Which of the following does Nessus use to identify vulnerabilities on a target system? | A proprietary vulnerability database |
What is the primary function of Nessus in cybersecurity? | It is a vulnerability scanner for identifying potential exploits. |
Web App Vulnerability Scanning with WMAP¶
Question | Answer |
---|---|
How is the WMAP plugin loaded into the Metasploit framework? | It is pre-installed and just needs to be loaded. |
Which of the following vulnerabilities can WMAP help identify in web applications? | SQL injection vulnerabilities |
Which command would you use to list all vulnerabilities found by WMAP? | wmap_vulnerabilities L |
What is the primary purpose of the WMAP plugin in the Metasploit framework? | To automate web server enumeration and scan web applications for vulnerabilities. |
What type of vulnerabilities does the HTTP PUT module in WMAP test for? | Files upload or resource manipulation vulnerabilities |
Why is it important to configure the HTTP POST method correctly on a web server? | To avoid giving attackers the ability to upload malicious files |