Skip to content

Vulnerability Assessment


๐Ÿšฉ CTFs & Labs ๐Ÿงช


โ” Quizzes

Overview of Windows Vulnerabilities

Question Answer
What makes Windows a prime target for attackers? Its market share and wide deployment.
What role does endpoint protection play in Windows security? It mitigates security vulnerabilities.
Which of the following vulnerabilities does NOT directly involve executing malicious code? Information disclosure
Why are older versions of Windows often more vulnerable to attacks? They have more discovered vulnerabilities over time.
Which type of vulnerability allows an attacker to gain unauthorized access to sensitive data? Information disclosure
What is a consequence of Windows's development in C language? Susceptibility to buffer overflow exploits

Frequently Exploited Windows Services

Question Answer
WebDAV is mainly used to Update, delete, move, and copy files on a web server
What does WinRM stand for and what port does it typically use with SSL? Windows Remote Management, port 5986
Which protocol allows for graphical user interface remote access on Windows systems? RDP
What is the primary function of the SMB protocol in Windows? To share files and peripherals over a network
When would the RDP service be enabled by default on a Windows system? It is not enabled by default
Which native Windows service runs on TCP port 80 or port 443 if SSL is configured? IIS

Vulnerability Scanning with MSF

Question Answer
Which command can be used to perform an Nmap scan and import results directly into the Metasploit database? DB_nmap
Which Metasploit plugin assists in identifying exploit modules based on currently open ports? db_autopwn
What is the primary purpose of vulnerability scanning in the context of the Metasploit framework? To identify and exploit Metasploit exploit modules.
In vulnerability scanning, which step is crucial before using exploit modules? Confirming the target's service version information
What does the auxiliary module for SMB -MS17 -010 check? Vulnerability to the EternalBlue exploit

WebDAV Vulnerabilities

Question Answer
Why is it important to perform a service version detection scan with nmap? To identify the specific service versions running on open ports
Which type of file was used for achieving command execution on the WebDAV server? ASP file
What does IIS stand for? Internet Information Services
Which protocol does WebDAV extend? HTTP
On which ports can a WebDAV server run when utilized by Microsoft IIS? 80 and 443
What is the primary function of the tool 'Davtest' in WebDAV exploitation? To scan, authenticate, and exploit a WebDAV server

Vulnerability Analysis: EternalBlue

Question Answer
What is the main benefit of using the EternalBlue exploit in terms of system access? Obtain elevated privileges on the target system
Which organization originally developed the EternalBlue exploit? NSA
What major cyberattack utilized the EternalBlue exploit for spreading ransomware? WannaCry
What does the EternalBlue exploit target? Windows SMB version 1 protocol
How can one verify if a system is vulnerable to the MS-17-010 vulnerability using nmap? Use a script named smb-vulnerability-ms17010
Which tool is mentioned for automating the exploitation of the MS-17-010 vulnerability? AutoBlue MS17-010

Vulnerability Analysis: BlueKeep

Question Answer
Why is targeting kernel memory during exploitation critical in the BlueKeep vulnerability? Exploiting it provides access to privileged operations.
Which tool is commonly used to check for system vulnerability to BlueKeep? Metasploit
What mitigation technique is suggested if network-level authentication is enabled? It makes exploiting BlueKeep nearly impossible.
Which systems are primarily affected by the BlueKeep vulnerability? Windows XP to Windows Server 2008 R2.
What is the primary consequence of successfully exploiting the BlueKeep vulnerability? It enables remote code execution with elevated privileges.
Why should only verified exploit code be used in vulnerability tests? To avoid potentially malicious or ineffective code.

Pass-the-Hash Attacks

Question Answer
Why is a Pass-the-Hash attack advantageous even if the original vulnerability is patched? It allows continued access without exploiting a patched service
What is the primary purpose of a Pass-the-Hash attack? To authenticate with NTLM hashes or clear text passwords
Why might you use CrackMapExec in a Pass-the-Hash attack? It automates interactions for SMB authentication
What additional information is required when using the PS exec module for a Pass-the-Hash attack? Both LM and NTLM hashes
How does a Pass-the-Hash attack provide persistence on a target system? By allowing authentication even if vulnerabilities are patched
Which Metasploit module can be used for performing a Pass-the-Hash attack? PS exec module

Frequently Exploited Linux Services

Question Answer
What is the main purpose of the Secure Shell (SSH) service on a Linux server? To enable remote access and control over networks
Linux distributions differ primarily based on what feature? The desktop environment and purpose
What is the core component of the Linux operating system? The Linux kernel
What is SAMBA used for in a Linux environment? Enabling Linux systems to share with Windows
What is the function of the Apache service on a Linux server? To serve as a web server
Which protocol utilizes port 21 on Linux servers for file sharing? FTP

Vulnerability Analysis: Shellshock

Question Answer
What does the exploitation of the Shellshock vulnerability require in the context of an Apache server? Utilizing CGI scripts or shell scripts
What characteristic of Bash specifically leads to the Shellshock vulnerability? Faulty environment variable function declaration
What type of attack is enabled by the Shellshock vulnerability? Remote arbitrary command execution
Who discovered the Shellshock vulnerability and when was it made public? Stefan Shazalas, September 2014
Which HTTP header field is commonly modified to exploit the Shellshock vulnerability? User-Agent
Which shell is primarily affected by the Shellshock vulnerability? Bash

Vulnerability Scanning with Nessus

Question Answer
Looking for compatible exploit modules using CVE codes.
Why is it important to configure service scanning settings in Nessus? To limit scanning to essential services
Which protocol might Nessus use to determine if a host is online before a scan? ARP
Which of the following is a key benefit of using Nessus for vulnerability scanning? It automates the identification of known vulnerabilities.
Which of the following does Nessus use to identify vulnerabilities on a target system? A proprietary vulnerability database
What is the primary function of Nessus in cybersecurity? It is a vulnerability scanner for identifying potential exploits.

Web App Vulnerability Scanning with WMAP

Question Answer
How is the WMAP plugin loaded into the Metasploit framework? It is pre-installed and just needs to be loaded.
Which of the following vulnerabilities can WMAP help identify in web applications? SQL injection vulnerabilities
Which command would you use to list all vulnerabilities found by WMAP? wmap_vulnerabilities L
What is the primary purpose of the WMAP plugin in the Metasploit framework? To automate web server enumeration and scan web applications for vulnerabilities.
What type of vulnerabilities does the HTTP PUT module in WMAP test for? Files upload or resource manipulation vulnerabilities
Why is it important to configure the HTTP POST method correctly on a web server? To avoid giving attackers the ability to upload malicious files