Vulnerability Assessment
๐ฉ CTFs & Labs ๐งช¶
โ Quizzes¶
Overview of Windows Vulnerabilities¶
| Question | Answer |
|---|---|
| What makes Windows a prime target for attackers? | Its market share and wide deployment. |
| What role does endpoint protection play in Windows security? | It mitigates security vulnerabilities. |
| Which of the following vulnerabilities does NOT directly involve executing malicious code? | Information disclosure |
| Why are older versions of Windows often more vulnerable to attacks? | They have more discovered vulnerabilities over time. |
| Which type of vulnerability allows an attacker to gain unauthorized access to sensitive data? | Information disclosure |
| What is a consequence of Windows's development in C language? | Susceptibility to buffer overflow exploits |
Frequently Exploited Windows Services¶
| Question | Answer |
|---|---|
| WebDAV is mainly used to | Update, delete, move, and copy files on a web server |
| What does WinRM stand for and what port does it typically use with SSL? | Windows Remote Management, port 5986 |
| Which protocol allows for graphical user interface remote access on Windows systems? | RDP |
| What is the primary function of the SMB protocol in Windows? | To share files and peripherals over a network |
| When would the RDP service be enabled by default on a Windows system? | It is not enabled by default |
| Which native Windows service runs on TCP port 80 or port 443 if SSL is configured? | IIS |
Vulnerability Scanning with MSF¶
| Question | Answer |
|---|---|
| Which command can be used to perform an Nmap scan and import results directly into the Metasploit database? | DB_nmap |
| Which Metasploit plugin assists in identifying exploit modules based on currently open ports? | db_autopwn |
| What is the primary purpose of vulnerability scanning in the context of the Metasploit framework? | To identify and exploit Metasploit exploit modules. |
| In vulnerability scanning, which step is crucial before using exploit modules? | Confirming the target's service version information |
| What does the auxiliary module for SMB -MS17 -010 check? | Vulnerability to the EternalBlue exploit |
WebDAV Vulnerabilities¶
| Question | Answer |
|---|---|
| Why is it important to perform a service version detection scan with nmap? | To identify the specific service versions running on open ports |
| Which type of file was used for achieving command execution on the WebDAV server? | ASP file |
| What does IIS stand for? | Internet Information Services |
| Which protocol does WebDAV extend? | HTTP |
| On which ports can a WebDAV server run when utilized by Microsoft IIS? | 80 and 443 |
| What is the primary function of the tool 'Davtest' in WebDAV exploitation? | To scan, authenticate, and exploit a WebDAV server |
Vulnerability Analysis: EternalBlue¶
| Question | Answer |
|---|---|
| What is the main benefit of using the EternalBlue exploit in terms of system access? | Obtain elevated privileges on the target system |
| Which organization originally developed the EternalBlue exploit? | NSA |
| What major cyberattack utilized the EternalBlue exploit for spreading ransomware? | WannaCry |
| What does the EternalBlue exploit target? | Windows SMB version 1 protocol |
| How can one verify if a system is vulnerable to the MS-17-010 vulnerability using nmap? | Use a script named smb-vulnerability-ms17010 |
| Which tool is mentioned for automating the exploitation of the MS-17-010 vulnerability? | AutoBlue MS17-010 |
Vulnerability Analysis: BlueKeep¶
| Question | Answer |
|---|---|
| Why is targeting kernel memory during exploitation critical in the BlueKeep vulnerability? | Exploiting it provides access to privileged operations. |
| Which tool is commonly used to check for system vulnerability to BlueKeep? | Metasploit |
| What mitigation technique is suggested if network-level authentication is enabled? | It makes exploiting BlueKeep nearly impossible. |
| Which systems are primarily affected by the BlueKeep vulnerability? | Windows XP to Windows Server 2008 R2. |
| What is the primary consequence of successfully exploiting the BlueKeep vulnerability? | It enables remote code execution with elevated privileges. |
| Why should only verified exploit code be used in vulnerability tests? | To avoid potentially malicious or ineffective code. |
Pass-the-Hash Attacks¶
| Question | Answer |
|---|---|
| Why is a Pass-the-Hash attack advantageous even if the original vulnerability is patched? | It allows continued access without exploiting a patched service |
| What is the primary purpose of a Pass-the-Hash attack? | To authenticate with NTLM hashes or clear text passwords |
| Why might you use CrackMapExec in a Pass-the-Hash attack? | It automates interactions for SMB authentication |
| What additional information is required when using the PS exec module for a Pass-the-Hash attack? | Both LM and NTLM hashes |
| How does a Pass-the-Hash attack provide persistence on a target system? | By allowing authentication even if vulnerabilities are patched |
| Which Metasploit module can be used for performing a Pass-the-Hash attack? | PS exec module |
Frequently Exploited Linux Services¶
| Question | Answer |
|---|---|
| What is the main purpose of the Secure Shell (SSH) service on a Linux server? | To enable remote access and control over networks |
| Linux distributions differ primarily based on what feature? | The desktop environment and purpose |
| What is the core component of the Linux operating system? | The Linux kernel |
| What is SAMBA used for in a Linux environment? | Enabling Linux systems to share with Windows |
| What is the function of the Apache service on a Linux server? | To serve as a web server |
| Which protocol utilizes port 21 on Linux servers for file sharing? | FTP |
Vulnerability Analysis: Shellshock¶
| Question | Answer |
|---|---|
| What does the exploitation of the Shellshock vulnerability require in the context of an Apache server? | Utilizing CGI scripts or shell scripts |
| What characteristic of Bash specifically leads to the Shellshock vulnerability? | Faulty environment variable function declaration |
| What type of attack is enabled by the Shellshock vulnerability? | Remote arbitrary command execution |
| Who discovered the Shellshock vulnerability and when was it made public? | Stefan Shazalas, September 2014 |
| Which HTTP header field is commonly modified to exploit the Shellshock vulnerability? | User-Agent |
| Which shell is primarily affected by the Shellshock vulnerability? | Bash |
Vulnerability Scanning with Nessus¶
| Question | Answer |
|---|---|
| Looking for compatible exploit modules using CVE codes. | |
| Why is it important to configure service scanning settings in Nessus? | To limit scanning to essential services |
| Which protocol might Nessus use to determine if a host is online before a scan? | ARP |
| Which of the following is a key benefit of using Nessus for vulnerability scanning? | It automates the identification of known vulnerabilities. |
| Which of the following does Nessus use to identify vulnerabilities on a target system? | A proprietary vulnerability database |
| What is the primary function of Nessus in cybersecurity? | It is a vulnerability scanner for identifying potential exploits. |
Web App Vulnerability Scanning with WMAP¶
| Question | Answer |
|---|---|
| How is the WMAP plugin loaded into the Metasploit framework? | It is pre-installed and just needs to be loaded. |
| Which of the following vulnerabilities can WMAP help identify in web applications? | SQL injection vulnerabilities |
| Which command would you use to list all vulnerabilities found by WMAP? | wmap_vulnerabilities L |
| What is the primary purpose of the WMAP plugin in the Metasploit framework? | To automate web server enumeration and scan web applications for vulnerabilities. |
| What type of vulnerabilities does the HTTP PUT module in WMAP test for? | Files upload or resource manipulation vulnerabilities |
| Why is it important to configure the HTTP POST method correctly on a web server? | To avoid giving attackers the ability to upload malicious files |