1
Q
What does writing echo do?
A
echo Output any text that we provide
2
Q
How do you find out which user you are logged in as?
A
whoami Find out what user we’re currently logged in as!
3
Q
How do you list contents of directory with privileges? How do you include hidden files?
A
ls -l
ls listing
ls -a for hidden files
4
Q
How do you move in and out of a directory?
A
cd
cd ..
cd /dir/
5
Q
How do you list the contents of a file?
A
cat file.txt
6
Q
How do you show your current working directory?
A
pwd
print working directory
7
Q
How do you find a specific file in among different directories?
A
find -name specificfile.txt
8
Q
How do you find a specific TYPE of file in among different directories?
A
find -name *.txt
9
Q
How do you find a specific entry in a long file, like an IP address in a .log file?
A
grep “(what you’re looking for)” (file of contents).log
grep “81.143.211.90” access.log
10
Q
How do you write text into an empty file using the command line?
A
echo (content) > (filename)
cat (content) > (filename)
echo hey > welcome
> > to keep the contents of the file without overwriting them
11
Q
What is SSH and how does it work? How does SSH authenticate users, and how does this authentication work?
A
Secure Shell is a network communication protocol.
SSH employs encryption to ensure that hackers cannot interpret the traffic between two connected devices.
The ssh command provides a secure encrypted connection between two hosts over an insecure network. This connection can also be used for terminal access, file transfers, and for tunneling other applications. Graphical X11 applications can also be run securely over SSH from a remote location.
AUTHENTICATION
TCP based connection, 3 way handshake.
SSH daemon must be running in order to use this protocol on both sides of the communication. I.E, listening on a port for inbound SSH connections.
SSH authenticates users by using passwords or SSH keys. SSH passwords can be easily breached.
- SSH keys are a matching set of cryptographic keys which can be used for authentication. Each set contains a public and a private key. The public key can be shared freely without concern, while the private key must be vigilantly guarded and never exposed to anyone.
- To authenticate using SSH keys, a user must have an SSH key pair on their local computer. On the remote server, the public key must be copied to a file within the user’s home directory at ~/.ssh/authorized_keys. This file contains a list of public keys, one-per-line, that are authorized to log into this account.
- When a client connects to the host, wishing to use SSH key authentication, it will inform the server of this intent and will tell the server which public key to use. The server then checks its authorized_keys file for the public key, generates a random string, and encrypts it using the public key. This encrypted message can only be decrypted with the associated private key. The server will send this encrypted message to the client to test whether they actually have the associated private key.
SIMPLER EXPLANATION
An SSH key relies upon the use of two related keys, a public key and a private key, that together create a key pair that is used as the secure access credential. The private key is secret, known only to the user, and should be encrypted and stored safely. The public key can be shared freely with any SSH server to which the user wishes to connect. These keys are normally managed by an organization’s IT team, or better yet, with the help of a trusted Certificate Authority (CA) to ensure they are stored safely.
12
Q
What is ARP? How does it function (1)? How can it be abused?
A
ARP stands for Address Resolution Protocol. It is used to discover MAC addresses and map them to IP addresses for LAN communications.
- WHOIS? ARP request broadcast of a host asking for someone’s MAC address. This is sent to every client on the network, and then discarded if it isn’t the target IP. Target client will send out ARP frame containing their MAC address.
- Host receives a MAC address, which is stored in an ARP cache. This allows for communication among the network now that both devices know their MAC addresses.
- ARP request broadcast for 192. is sent to every device on the LAN
- each device receives the request and discards it if they are not the designated recipient, whereas the target IP will respond with their
MAC. - this MAC address is saved into the senders ARP cache, where MAC addresses are stored in relation to IP addresses for other devices on the network
operating on layer 2 of the OSI7 and TCP/IP as it deals with MAC addressing
ARP can be abused via ARP cache poisoning
- hacker will send ARP packets containing false information, impersonating the MAC address of a particular device which is the endpoint of
sensitive data (usually default gateway). - target will accept this ARP information and store it in its ARP cache, effectively having it poisoned with the hacker’s spoofed MAC address
- target will begin sending it’s data to spoofed address of the hacker
You can use bettercap ARP spoof feature which will send arbitrary ARP packets to intended victims, allowing you to impersonate any device on the LAN (default gateway being the prime target to imitate)
13
Q
How do you usually install the requirements for a particular package off github?
A
Pip.
python3 -m pip install filename.txt
14
Q
How do you quickly view the history of your commands from a terminal session?
A
History
15
Q
How do you make a new directory?
A
mkdir *
16
Q
How do you delete a directory? How do you remove a directory if it isn’t empty?
A
rmdir *
rm -r
17
Q
How do you get the current system details such as OS version?
A
hostnamectl
Detailed
uname -a
OS version and build of machine
18
Q
How do you display free memory of the system?
A
free -m
sounds like “free -memory”
19
Q
How do you display the running processes in a system?
A
top
htop
sounds like “top processes”
20
Q
How do you display all ports the machine is listening on?
A
netstat
21
Q
How do you list the contents of your current working directory with permissions? How do you do this for a specific file?
A
ls -l filename
22
Q
How do you allow a file to be ran by every user? How do you allow to read, write and execute?
A
chmod 777 filename
23
Q
How do you allow a file to be read and written by every user but not executed?
A
chmod 766 filename
24
Q
How do you add another user?
A
useradd username
25
How do you list all disk partitions?
fdisk -l
26
How do you create a new disk partition on the sda directory?
fdisk /dev/sda
27
How do you format a particular disk partition?
mkfs.ext4 /dev/sda1
mcfucks.ext4
I mcfuck your partition
28
How do you display all devices connected by USB?
lsusb -tv
29
How do you compress a file into a .zip file?
zip filename.zip filename
30
How do you unzip a .zip file?
unzip filename.zip
31
How do you copy a file or a directory to somewhere else?
cp -r /*/ /**/*
32
How do you view the address of the default gateway?
ip r
33
How to view what DNS server your machine is configured to use?
cat /etc/resolv.conf
34
How do you terminate a process?
kill *
35
How do you view all hardware components?
lshw
36
How do you string together several commands in one terminal entry?
;
37
What is a FTP server? How does this protocol work (1)? How are FTP servers usually accessed (2)? How is a connection established for FTP (3)? What are the issues with this protocol (4)? What are the variants of FTP (5)?
File transfer protocol.
FTP uses a client server model, where a server hosts files for a client. Upload, download, delete.
you can use your browser to access, so ftp://22.35.65.123.1, or windows file explorer. Or FTP client.
FTP servers allow access through log ins or anonymously depending on permissions.
FTP uses TCP connections, established through 3 way handshakes.
SYN -> Server
Client <- SYN-ACK
ACK -> Server
FTP connections involve 2 connections over Port 21:
-Control connection: All FTP commands, such as GET
-Data connection to transfer files
FTP connections are open and unencrypted as it is a very old protocol. FTPS is a secure extension of FTP servers through TLS encryption. Regular FTP traffic can be viewed in plaintext if intercepted, which is bad for login details.
Variants of FTP:
-TFTP, trivial file transfer protocol
-SFTP, SSH file transfer protocol
-FTPS, TLS encrypted FTP connection
38
What is the default gateway?
A default gateway is the node in a computer network using the Internet protocol suite that serves as the forwarding host (router) to other networks when no other route specification matches the destination IP address of a packet.
39
How do you resolve a website domain to IPV4?
host *.com
40
How do you conceal all traffic including traffic from the terminal?
Conceal traffic by routing it all through tor networks, by downloading Torghost.
TorGhost redirects all internet traffic through SOCKS5 tor proxy. DNS requests are also redirected via tor, thus preventing DNSLeak.
To install TorGhost:
git clone https://github.com/SusmithKrishnan/to...
cd torghost
chmod +x build.sh
./build.sh
Torghost -s to start tor routing.
41
What is SOCKS5? How can it be used by hackers?
What is SOCKS5 proxy? A SOCKS5 proxy is an alternative to a VPN. It routes packets between a server and a client using a proxy server, and potentially a chain of public proxy servers.
It can be used by hackers by routing malicious traffic through their proxy server.
Unlike VPNs, SOCKS5 does not encrypt traffic, and so it can be sniffed and captured through packet analysis as it enters its entry node.
42
Define onion routing (2). What is it often used for (3)? How does tor encryption work (5)?
Onion routing routes your traffic through several different servers for privacy. Data moving to another tor node is called a hop.
It offers end-to-end encryption which is layered for each hop in the TOR circuit. These layers of encryption are removed with each hop (like an onion), which allows the data to be unrecognisable and anonymous between hops. This means that data intercepted between hops cannot be traced back to the original sender, unless the traffic is intercepted at the beginning or end. This is why onion routing is often used for criminal activities, as it makes it difficult to track by law enforcement.
43
What type of device is a WiFi Hub? What does it do (3)? How does it differ from other networking devices (5)?
A Hub connects devices on a network together. Classic Hubs are very old technology, and are largely discontinued, and have been replaced by switches.
A hub repeats data and sends it to every other client on the network, not exclusively to the correct recipient. For this reason, a hub wastes bandwidth. This also comes with security risks as all clients receive all data.
A hub uses a half-duplex, which means it cannot send and receive data at the same time. This would cause a data collision and data loss.
A hub is a Layer 1 device, and it has no knowledge of addresses (1).
44
What type of device is a WiFi Switch? What does it do (3)? How does it differ from other networking devices (5)?
Switches are intelligent devices which act as bridges and hubs put together. Switches connect devices on a network, while simultaneously keeping track of MAC addresses and port numbers. Switches are usually built into modern routers. (1)
Initially the switch will send data to every device on the network to learn the MAC address of the correct recipient, and this MAC address and port number will be stored on the switch. (3)
Layer 2 device. Full duplex. The switch differs to other networking devices because it is able to use MAC and port numbers to forward data directly to the intended recipient after this is stored in the switch MAC address table. (5)
45
What type of device is a WiFi Bridge? What does it do (3)? How does it differ from other networking devices (5)?
Bridges were classically used to combat the shortcomings of Hubs.
Bridges bridge different hubs together and segment LANs, and are Layer 2 devices which store MAC addresses.
Bridges are also old technology which have been replaced by switches.
46
What type of device is a WiFi Router? What does it do (5)?
Routers are intelligent networking devices which have an integrated switch. The router connects the LAN to the WAN, and routes traffic based on DHCP allocated IP addresses. (1)
Layer 3 device because it stores IP addresses, port numbers and MAC addresses.
47
What is a Network Interface Controller (NIC)? What is a Wireless Network Interface Controller?
The ethernet jack on a computer.
Same thing as a NIC, but it uses radio waves to connect to an access point instead of a cable.
48
What is the OSI 7 layer model and how does it work (2)? What are the typical uses of the OSI 7 layer model (3)? What typical protocols are associated with each layer of the model (5)?
It is A THEORETICAL FRAMEWORK ONLY. TCP/IP framework is the internet implementation of the OSI model.
When data is sent, it is sent top down.
When data is received, it is received bottom up.
1. Application Layer
Applications and programs. - HTTP, FTP, SSH, DNS.
Self explanatory. Human interaction with apps and programs.
End User Layer
2. Presentation Layer
Syntax Layer
Presentation of data from/to the application. - SSL, SSH, IMAP, MPEG, JPEG.
Takes data and defines how it should be encoded, encrypted or compressed for the session layer.
3. Session Layer
Establishing communication channels for data communication. - APIs, Sockets.
Syncing sessions, resuming connections if interrupted.
Sync & Send Layer
4. Transport Layer
Assembling data in the correct order. - TCP, UDP.
End-to-end Connections.
5. Network Layer
Routing packets to the correct destinations. - IP, ICMP, IPSec, IGMP
The network layer has two main functions. One is breaking up segments into network packets, and reassembling the packets on the receiving end. The other is routing packets by discovering the best path across a physical network.
6. Data Link Layer
Packets to frames, frames to packets. Logical Link Control to identify network protocols and MAC addresses to find correct devices. - Ethernet, PPP, Switch
Frames
7. Physical Layer
The physical layer is responsible for the physical cable or wireless connection between network nodes. It defines the connector, the electrical cable or wireless technology connecting the devices. - Fiber, Access Points, Copper Cabling
Physical Structure
49
What is a shell? What is a terminal?
The shell is a program that takes commands from the keyboard and gives them to the operating system to perform.
This is a program that opens a window and lets you interact with the shell.
50
What is NMAP? How would you use it on a target (2)? What are the different abbreviations for NMAP (4 if you list 4, 5 if you are able to list all of them)?
Nmap is a network reconnaissance tool used to scan for open ports and services run by clients by sending various packets to the given IP range.
Hackers will port scan a network to find services which are vulnerable to known attacks, such as open SSH, or aero blue, etc.
Ports are necessary for making multiple network requests or having multiple services available.
What is the first switch listed in the help menu for a 'Syn Scan'? SYN scans are a little more difficult to detect because they are just trying to leave a connection open and relying on the timeout to clear the connections.
-sS
Which switch would you use for a "UDP scan"?
-sU
OS detection
-O
Nmap provides a switch to detect the version of the services running on the target. What is this switch?
-sV
The default output provided by nmap often does not provide enough information for a pentester. How would you increase the verbosity?
-v
Verbosity level one is good, but verbosity level two is better! How would you set the verbosity level to two?
(Note: it's highly advisable to always use at least this option)
-vv
What switch would you use to save the nmap results in a "normal" format?
-oN
If we don't care about how loud we are, we can enable "aggressive" mode. This is a shorthand switch that activates service detection, operating system detection, a traceroute and common script scanning.
-A
Scan with the default nmap scripts
-sC
Port number or all ports
-p or -p-
test
51
What is gobuster? What can it be used for (3)? What are the different abbreviations for gobuster (4 if you list 4, 5 if you are able to list all of them)?
GoBuster is a tool used to brute-force URIs (directories and files), DNS subdomains and virtual host names. For this machine, we will focus on using it to brute-force directories.
/usr/share/wordlists.
gobuster dir -u http://:3333 -w
52
What is Nikto? What can it be used for (3)? What are the different abbreviations for nikto (4 if you list 4, 5 if you are able to list all of them)?
Nikto is a free software command-line vulnerability scanner that scans webservers for dangerous files/CGIs, outdated server software and other problems. It performs generic and server type specific checks. It also captures and prints any cookies received.
It can be used to find known vulnerabilities of web applications.
sudo nikto -h (IP) -p (port)
53
What is traceroute? What can it be used for?
The logical follow-up to the ping command is 'traceroute'. Traceroute can be used to map the path your request takes as it heads to the target machine.
Tracks how many hops it takes to reach destination.
traceroute (IP)
54
What is the TCP/IP layer model and how does it work (2)? What are the typical uses of the TCP/IP layer model (3)? What typical protocols are associated with each layer of the model (5)?
TCP/IP model is a real world implementation of the OSI 7 layer model. It uses a TCP three-way handshake connection between two devices.
OSI 7 layer model is not used at all. OSI is just a theoretical model, it has never been implemented 1:1 in a real world scenario. TCP/IP is an "implementation" of the OSI model.
As mentioned earlier, TCP is a connection-based protocol. In other words, before you send any data via TCP, you must first form a stable connection between the two computers. The process of forming this connection is called the three-way handshake.
TCP
SYN
SYN/ACK
ACK
APPLICATION/ Application, presentation and session.
TRANSPORT/ Transport.
NETWORK/ Network.
NETWORK INTERFACE/ Physical and data link.
It is A THEORETICAL FRAMEWORK ONLY. TCP/IP framework is the internet implementation of the OSI model.
When data is sent, it is sent top down.
When data is received, it is received bottom up.
1. Application Layer
Applications and programs. - HTTP, FTP, SSH, DNS.
Self explanatory. Human interaction with apps and programs.
End User Layer
2. Presentation Layer
Syntax Layer
Presentation of data from/to the application. - SSL, SSH, IMAP, MPEG, JPEG.
Takes data and defines how it should be encoded, encrypted or compressed for the session layer.
3. Session Layer
Establishing communication channels for data communication. - APIs, Sockets.
Syncing sessions, resuming connections if interrupted.
Sync & Send Layer
4. Transport Layer
Assembling data in the correct order. - TCP, UDP.
End-to-end Connections.
5. Network Layer
Routing packets to the correct destinations. - IP, ICMP, IPSec, IGMP
The network layer has two main functions. One is breaking up segments into network packets, and reassembling the packets on the receiving end. The other is routing packets by discovering the best path across a physical network.
6. Data Link Layer
Packets to frames, frames to packets. Logical Link Control to identify network protocols and MAC addresses to find correct devices. - Ethernet, PPP, Switch
Frames
7. Physical Layer
The physical layer is responsible for the physical cable or wireless connection between network nodes. It defines the connector, the electrical cable or wireless technology connecting the devices. - Fiber, Access Points, Copper Cabling
Physical Structure
55
What is a loopback address?
loopback address: IP shorthand for you — actually, your computer. The loopback is a special IP address (127.0.0.1) that isn’t physically connected to any network hardware. You use it to test TCP/IP services and applications without worrying about hardware problems.
56
What is an intranet?
An organization’s private network. If your intranet is built on TCP/IP protocols, applications, and services, it’s also an Internet.
57
What is subnetting? What is a subnet mask?
Dividing one large Internet into smaller networks (subnets) in which they all share the same network portion of an IP address.
/24
/25
/26
etc...
58
What are the different types of IP addresses?
Internal IP addresses and External IP addresses.
IPv6: 2001:db8::8a2e:370:7334.
IPv4: 192.168.0.1
59
How do you copy files from one directory to another?
Copying and moving files is an important functionality on a Linux machine. Starting with cp, this command takes two arguments:
cp (file) */**/***/(destination)
60
How do you determine the filetype of a file?
file
file *
61
What are the most common directories in a Linux system (2)? Why are each of them important (4)? Can you list them all (5)?
/etc - etcetera
The etc folder (short for etcetera) is a commonplace location to store system files that are used by your operating system.
Now /etc folder means a central location for all your configuration files are located and this can be treated as nerve centre of your Linux/Unix machine.
Configuration file centre.
Local dns conf is stored here. Target for hackers to manually poison DNS.
/var
The "/var" directory, with "var" being short for variable data, is one of the main root folders found on a Linux install.
This folder stores data that is frequently accessed or written by services or applications running on the system. For example, log files from running services and applications are written here (/var/log).
This is such a crucial folder on your Linux systems. Open up a terminal window and issue the command cd /var/log. Now issue the command ls and you will see the logs housed within this directory (Figure 1).
Find previous terminal command logs. Can be erased by hackers to conceal their presence.
/root
the /root folder is actually the home for the "root" system user. There isn't anything more to this folder other than just understanding that this is the home directory for the "root" user.
/tmp
Short for "temporary", the /tmp directory is volatile and is used to store data that is only needed to be accessed once or twice. Similar to the memory on your computer, once the computer is restarted, the contents of this folder are cleared out.
any file stored in /tmp is actually being stored in memory rather than on your persistent storage devices.
recover critical data by viewing what was being done in the previous session
/bin — Essential User Binaries
Applications such as Firefox are stored in /usr/bin, while important system programs and utilities such as the bash shell are located in /bin.
The '/bin' directory also contains executable files, Linux commands that are used in single user mode, and common commands that are used by all the users, like cat, cp, cd, ls, etc.
like cat, cp, cd, ls, etc.
/boot — Static Boot Files
GRUB boot loader’s files and your Linux kernels are stored here
/sys/
/sys is an interface to the kernel. Specifically, it provides a filesystem-like view of information and configuration settings that the kernel provides, much like /proc . Writing to these files may or may not write to the actual device, depending on the setting you're changing.
/dev/
/dev/ices
is the location of special or device files. It is a very interesting directory that highlights one important aspect of the Linux filesystem - everything is a file or a directory. Look through this directory and you should hopefully see hda1, hda2 etc.... which represent the various partitions on the first master drive of the system. /dev/cdrom and /dev/fd0 represent your CD-ROM drive and your floppy drive. This may seem strange but it will make sense if you compare the characteristics of files to that of your hardware. Both can be read from and written to. Take /dev/dsp, for instance. This file represents your speaker device. Any data written to this file will be re-directed to your speaker. If you try 'cat /boot/vmlinuz > /dev/dsp' (on a properly configured system) you should hear some sound on the speaker. That's the sound of your kernel! A file sent to /dev/lp0 gets printed. Sending data to and reading from /dev/ttyS0 will allow you to communicate with a device attached there - for instance, your modem.
62
What is a DNS? How does DNS work (5)?
DNS resolves IP addresses to domains which are easy to remember. Domain Name System.
When a client makes a DNS request, cache is checked if the request was made previously for this address. If not, a request will be made to the DNS server.
This DNS server is usually provided by your ISP, but may also be changed by VPN. Once a request for an unvisited address is made, the search is placed for it in internet's root DNS servers.
Caching DNS requests saves time from having to make new root DNS requests across the internet. All DNS responses come with TTL (time to Live) value, which make all results impermanent before you have to make a new DNS request.
63
What is HTTP? How does web communication work (2)? What are the different requests which can be made to a webserver (5)?
HTTP/HTTPS are web protocols used for internet communication with webservers and clients across the WAN.
The client can make several different requests to a webserver, and the server can respond by sending status codes in response to client requests.
HTTPS is the secure version of HTTP. HTTPS data is encrypted so it not only stops people from seeing the data you are receiving and sending, but it also gives you assurances that you're talking to the correct web server and not something impersonating it.
A GET request is made to the webserver.
This is used for getting information from a web server.
-"GET / HTTP/1.1
Host: tryhackme.com
User-Agent: Mozilla/5.0 Firefox/87.0
Referer: https://tryhackme.com/"
POST Request
This is used for submitting data to the web server and potentially creating new records.
PUT Request
This is used for submitting data to a web server to update information
DELETE Request
This is used for deleting information/records from a web server.
RESPONSES FROM WEBSERVER
STATUS CODES
200 - OK
201 - Created
301 - Permanent redirect
400 - Bad request
401 - Not authorised
403 - Forbidden
404 - Page not found
64
What is a user agent?
Browser.
65
What are cookies used for? Why are cookies needed?
Because HTTP is stateless (doesn't keep track of your previous requests), cookies can be used to remind the web server who you are, some personal settings for the website or whether you've been to the website before.
66
What is hydra? What is hydra used for (2)? What are the different hydra switches (4)? Can you provide real world scenarios where hydra would be used via terminal commands (5)?
Hydra is a brute force online password cracking program; a quick system login password 'hacking' tool.
Hydra has the ability to bruteforce the following protocols: Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-POST, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTPS-POST, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, RTSP, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.
hydra -l user -P passlist.txt ftp://MACHINE_IP
-l username
-P use a list of passwords
SSH USAGE
hydra -l -P MACHINE_IP -t 4 ssh
67
What is the LHOST and LPORT in msf?
It is the listening host, which would be your IP address (the attacker), and the listening port which is the port the attacker is listening on.
68
What is the /etc directory? What does it contain?
The etc folder (short for etcetera) is a commonplace location to store system files that are used by your operating system.
Now /etc folder means a central location for all your configuration files are located and this can be treated as nerve centre of your Linux/Unix machine.
Configuration file centre.
Local DNS is stored here at /etc/hosts, which is a prime target for DNS poisoning criminals
69
What is the /var directory? What does it contain?
/var variable data
The "/var" directory, with "var" being short for variable data, is one of the main root folders found on a Linux install.
This folder stores data that is frequently accessed or written by services or applications running on the system. For example, log files from running services and applications are written here (/var/log).
administrative and logging data, and transient and temporary files. Some portions of /var are not shareable between different systems.
variables accessed by applications, and administrative logging data
70
What it VOIP protocol?
Voice over Internet Protocol (VoIP): Are you spending too much on phone calls? Get rid of your phone service. You can make phone calls from anywhere to anywhere that has a computer, free VoIP software, and a fast Internet connection. Even better, it’s free. You can call from Buenos Aires to Nairobi for free with VoIP. It doesn’t have to be computer to computer, either. You can also use VoIP to call a regular telephone number.
71
What is the /root directory? What does it contain?
/root
the /root folder is actually the home for the "root" system user. There isn't anything more to this folder other than just understanding that this is the home directory for the "root" user.
Everything on your Linux system is located under the / directory
72
What is the /tmp directory? What does it contain?
/tmp temporary
Short for "temporary", the /tmp directory is volatile and is used to store data that is only needed to be accessed once or twice. Similar to the memory on your computer, once the computer is restarted, the contents of this folder are cleared out.
Juicy directory for forensics as whatever the user has been doing is stored there from his RAM.
73
What is the /bin directory? What does it contain?
/bin — Essential User Binaries
Applications such as Firefox are stored in /usr/bin, while important system programs and utilities such as the bash shell are located in /bin.
The '/bin' directory also contains executable files, Linux commands that are used in single user mode, and common commands that are used by all the users, like cat, cp, cd, ls, etc.
74
What is the /boot directory? What does it contain?
/boot — Static Boot Files
GRUB boot loader’s files and your Linux kernels are stored here.
75
What is a Firewall?
Device or software application that filters traffic between two networks or between a device and a network.
Opens and closes ports.
76
What is a Modem?
Device that converts digital signals to analog signals and vice versa.
77
What is TCP? How does it work (5)?
Transmission Control Protocol
TCP sends data over many segments, and these segments are reassembled by the recipient when the data is received into the correct order.
3-way handshake is established for the connection between client and server.
TCP client sends SYN
TCP server responds with SYN/ACK
TCP client responds with ACK
Then sequence numbers and acknowledgement numbers are used to put transmitted data into the correct order.
And checksum ran by the recipient of the data to verify data integrity.
78
What is a checksum?
A checksum is a sequence of numbers and letters used to check data for errors. If you know the checksum of an original file, you can use a checksum utility to confirm your copy is identical.
MD5, SHA-1, SHA-256, and SHA-512.
Data integrity. If it is the same as advertised, the file has not been tampered with.
79
What is the RHOST In msf?
RHOST is the IP address of the victim machine. RPORT is the port of the victim machine.
80
How do you delete all cardinal directories in a Linux system?
rm -rf /
81
How do you compromise a system by allowing any user to view any file without superuser privileges?
sudo chmod 777 -R /
82
What are the different Linux distro families? What are the pro's and cons of each branch? What are the major Desktop Environments?
Debian - classic debian is the root of most common Linux systems
Kali, Parrot, Ubuntu, Kubuntu, Mint,
>.deb format for applications.
>Not much difference between different Ubuntu based distros except aesthetics. DE's.
>Beginner friendly as it is most popular, hence a large community
>APT package manager
>infinite community support
RedHat - Paid Linux distro for businesses and enterprises.
Fedora, CentOS (free redhat, without benefits),
>Open Source, but packages and support requires payment
>Corporate linux
>Can update system without booting offline
>prioritises uptime for businesses.
>uses .RPM format for applications
GENTOO - Running joke in linux community as you must compile everything yourself, and exists for advanced users.
>barebones, but flexible
>known to be too difficult for beginners
>arch but with a less active community (autism)
ARCH - 1337 option, where you tweak and build your system manually.
>very active community
>pacman package manager
>power to the user
>advanced
DESKTOP ENVIRONMENTS
GNome
>stays sleek until you look for applications
>ugly side panel
>resembles an android tablet
>poor customisation options
Plasma/KDE
>Resource efficient
>Windows like
>(personal experience) choppy and unresponsive
>Extremely customisable
MATE
>Windows like
>Continuation of GNOME 2, but does not resemble gnome
XFCE
>Resource efficient aimed towards low end systems
83
What is a VLAN (1)? Why would VLANs be useful (2)? How would you implement a VLAN in a corporate network with multiple different departments utilising the same switch (4)? How do switches send data across different VLANs (5)?
A virtual LAN (VLAN) is a logical overlay network that groups together a subset of devices that share a physical LAN, isolating the traffic for each group. A LAN is a group of computers or other devices in the same place -- e.g., the same building or campus -- that share the same physical network.
Using a singular broadcast domain (one switch for all client groups) could potentially slow down the network considerably, so VLANs are created by using several broadcast domains (two routers for example).
Each department could have their own broadcast domain.
Modern switches allow all devices to communicate with one another using VLAN1 (the default virtual local area network).
There are two main interfaces on a switch, an access port and a trunk port.
Access port = endpoint devices to access VLAN, regular clients
Trunk port = Sends traffic across different VLANs.
Trunk port communication between switches happens with 802.1Q tags.
84
What is a Trunk Port? What is added to packets which are sent across VLANs?
Trunk port = Sends traffic across different VLANs. Trunk port communication between switches happens with 802.1Q tags.
85
What is a VPN (1)? What can VPNs be used for (2)? What are the different types of VPNs and what makes them secure (3)? What are the different types of VPN connections and how do clients send data with VPNs (5)?
Virtual Private Network.
Allows clients of the network to safely communicate their data using public and insecure networks, by acting as if the client is connected directly to the network. Data is securely routed through the VPN before it reaches the internet. Used by corporations to securely connect their employees to their intranet, and is more commonly used to obfuscate DNS traffic from ISPs for individual privacy.
VPNs are secure because they encrypt data before sending it through the cloud. IP packets are routed with a session key, and with a VPN header and VPN trailer
1. Session key is exchanged, and this session key is added to an IP packet.
2. VPN header and trailer are added over the original packet.
3. NEW IP header is added with the public IP address of the remote site.
4. This is sent to the intended site over the internet.
5. This process is reversed for the recipient to receive their intended data.
There are two types of VPNs:
1. Site-to-site VPN. Always running, and must be configured on both networks.
Used by corporations to connect corporate offices. IPSEC is used to connect.
2. Remote Access VPN. Grants users access to corporate intranet, but only for one device. Applications are required on client devices to connect to intranet. TLS is used to encrypt your connection.
Remote access VPNs utilise full tunnel connections or split tunnel connections.
Full tunnel = all access is routed through the VPN.
Split Tunnel = only specific types of traffic is routed through the VPN.
86
What is a remote access VPN?
Remote Access VPN. Grants users access to corporate intranet, but only for one device. Applications are required on client devices to connect to intranet. TLS is used to encrypt your connection.
87
What is a site-to-site VPN?
Site-to-site VPN. Always running, and must be configured on both networks.
Used by corporations to connect corporate offices. IPSEC is used to connect.
88
What is DHCP (1)? What does DHCP do (2)? How does DHCP work (3)? How can DHCP be exploited, and what tool can be used to conduct this exploitation (5)?
Dynamic Host Configuration Protocol.
Assigning IP addresses to clients on a network, assigning the IP address of DNS and Default Gateway. Automatic assignments are the reason why connecting to networks is easy. It comes in the form of a service or a server.
DHCP DORA:
1. New client joins a network and broadcasts DHCPDiscover packet to every single device on a network, broadcasting that the client requires a local IP address.
2. When the DHCP server receives the discover packet, it responds with a DHCPOffer to every device on the network. The client needs to first agree upon this offer.
3. Client receives the DHCPOffer and responds with a DHCPRequest, claiming that this offer is okay, to every single device on the network including the DHCP server.
4. DHCP server receives the client's request for this local IP, and responds with a DHCPACK to the client, along with subnet mask, default gateway address and DNS server IP.
DHCP stores IP lease information along with local device MAC addresses and Expiration date of a given IP address.
DHCP uses UDP (User Datagram Protocol).
DHCP EXPLOITATION
1. Hacker can receive a DHCPRequest from victim.
2. Respond with DHCPOffer falsely impersonating themselves as the default gateway.
3. Victim will DHCPRequest for this IP, along with false default gateway address.
4. Hacker will DHCPACK false information, in turn leaving them at the receiving end of the victim's traffic.
DHCP EXPLOITATION TOOL
Ettercap
89
What is DORA in DHCP?
DHCP DORA:
1. New client joins a network and broadcasts DHCPDiscover packet to every single device on a network, broadcasting that the client requires a local IP address.
2. When the DHCP server receives the discover packet, it responds with a DHCPOffer to every device on the network. The client needs to first agree upon this offer.
3. Client receives the DHCPOffer and responds with a DHCPRequest, claiming that this offer is okay, to every single device on the network including the DHCP server.
4. DHCP server receives the client's request for this local IP, and responds with a DHCPACK to the client, along with subnet mask, default gateway address and DNS server IP.
90
How can DHCP be exploited, and what tool can be used to conduct this exploitation (5)?
DHCP EXPLOITATION
1. Hacker can receive a DHCPRequest from victim.
2. Respond with DHCPOffer falsely impersonating themselves as the default gateway.
3. Victim will DHCPRequest for this IP, along with false default gateway address.
4. Hacker will DHCPACK false information, in turn leaving them at the receiving end of the victim's traffic.
DHCP EXPLOITATION TOOL
Ettercap
91
After installing a new package, in which directory are you most likely find its configuration file?
/etc
On modern unix systems, almost all system-wide configuration files are under /etc, but not all files in /etc are configuration files. Typical Linux distributions and other unix variants don't cope very well with modifying many of the files that come from packages; at a minimum, you may end up having to merge local modifications manually when the system is upgraded.
The etc folder (short for etcetera) is a commonplace location to store system files that are used by your operating system.
Now /etc folder means a central location for all your configuration files are located and this can be treated as nerve centre of your Linux/Unix machine.
Configuration file centre.
Local dns conf is stored here. Target for hackers to manually poison DNS.
/etc/resolv.conf
92
What is /etc/resolv.conf?
Local dns conf is stored here. Target for hackers to manually poison DNS.
93
Which of the following files holds the definition of the local user accounts? Where are the local user passwords located?
/etc
On modern unix systems, almost all system-wide configuration files are under /etc, but not all files in /etc are configuration files. Typical Linux distributions and other unix variants don't cope very well with modifying many of the files that come from packages; at a minimum, you may end up having to merge local modifications manually when the system is upgraded.
The etc folder (short for etcetera) is a commonplace location to store system files that are used by your operating system.
Now /etc folder means a central location for all your configuration files are located and this can be treated as nerve centre of your Linux/Unix machine.
Configuration file centre.
Local dns conf is stored here. Target for hackers to manually poison DNS.
/etc/resolv.conf
/etc/passwd
Local user passwords.
94
What is the number called that is used to identify a process?
PID.
95
What is the first character for a file or directory names if they should not be displayed by commands such as ls unless specifically requested?
Hidden files can be revealed by writing -a (all)
. (dot)
96
Which of the following commands can be used to extract content from a tar file?
Tar -xvf
extract a tar file using the command line
97
Which of the following commands can be used to determine the time of the last login of a given user?
Last
98
Which command will archive /home and its content to /mnt/backp?
Cp -ar /home /mnt/backp
99
Which command would you use to get comprehensive documentation about any command in Linux?
Man
100
Which of the following commands can be used to create a file?
Which of the following commands can be used to create a file?
touch
101
Which command will display the last line of the file foo.txt?
Tail -n 1 foo.txt
tail -n 1
102
Which of the following file systems is most commonly used for Linux distributions?
Ext4
103
What is the output of the following command? tail -n 20 test.txt
The last 20 lines of test.txt
104
Which network interface always exists in a Linux system?
Lo
105
Which of the following directories is often used to store log files?
/var
The "/var" directory, with "var" being short for variable data, is one of the main root folders found on a Linux install.
This folder stores data that is frequently accessed or written by services or applications running on the system. For example, log files from running services and applications are written here (/var/log).
This is such a crucial folder on your Linux systems. Open up a terminal window and issue the command cd /var/log. Now issue the command ls and you will see the logs housed within this directory (Figure 1).
Find previous terminal command logs. Can be erased by hackers to conceal their presence.
106
A Linux computer has no access to the Internet. Which command displays information about the network gateway for the system?
route command in Linux is used when you want to work with the IP/kernel routing table. It is mainly used to set up static routes to specific hosts or networks via an interface. It is used for showing or update the IP/kernel routing table
107
Where is the BIOS located?
Motherboard
108
Which of the following configuration files should be modified to globally set shell variables for all users?
/etc/profile
shell configuration file location
109
What is a purpose of an SSH host key? & Where are these keys located?
SSH host keys serve as the default SSH server identification for connecting SSH clients. They are the default machine identity generated when an SSH server is installed. Analogous to user SSH keys, host keys represent the server's identity and are used for authentication towards the connecting client.
/etc/ssh/known_hosts
110
Which configuration file contains the default options for SSH clients?
/etc/ssh/ssh_config
111
Depending on a system's configuration, which of the following files can be used to enable and disable network services running on this host?
/etc/services
112
How can you rename a file?
Mv file-name new-name
Use the move command and simply move the file to a renamed version of a new file
113
How to turn off the computer via the command line?
shutdown -h now
114
Which folder contains the Kernel, firmware, and other related system files?
/sys
/sys is an interface to the kernel. Specifically, it provides a filesystem-like view of information and configuration settings that the kernel provides, much like /proc . Writing to these files may or may not write to the actual device, depending on the setting you're changing.
115
Which Linux command is used to search for a specific word.
grep
116
Which command would you use to check the disk space used on a system?
Which command would you use to check the disk space used on a system?
Df
fdisk -l
117
How do you view the disk usage of a specific file or directory in a Linux system?
du — Use du to know the disk usage of a file in your system. If you want to know the disk usage for a particular folder or file in Linux, you can type in the command df and the name of the folder or file. For example, if you want to know the disk space used by the documents folder in Linux, you can use the command “du Documents”. You can also use the command “ls -lah” to view the file sizes of all the files in a folder.
118
How do you overwrite the contents of a file so that they are unrecoverable before deletion?
shred
119
How do you find the wordcount of a file?
wc long.txt
120
How do you check what a command does using the command line?
whatis - Find what a command is used for
121
How do you create a shortcut for common commands ?
alias - Create custom shortcuts for your regularly used commands
122
How do you open a calculator using the command line?
cal - View a command-line calendar
123
How do you view the firewall configuration using the terminal? How do you manage the firewall?
iptables - Base firewall for all other firewall utilities to interface with
ufw - Firewall command
124
How do you display the first few lines of a file?
head - Return the specified number of lines from the top
125
How do you disable an ethernet interface using the terminal?
ifconfig (interface) down
126
How do you enable an ethernet interface using the terminal?
ifconfig eth0 up
127
How do you find out the current machine uptime?
uptime
128
How can you view the last terminal entry, but only the last entry?
history | tail
129
How can you use close and save a file in VIM?
ESC
:qw
130
What is UDP? What is UDP used for?
User Datagram Protocol (UDP) is a communications protocol that is primarily used to establish low-latency and loss-tolerating connections between applications on the internet. UDP speeds up transmissions by enabling the transfer of data before an agreement is provided by the receiving party.
User Datagram Protocol (UDP) refers to a protocol used for communication throughout the internet. It is specifically chosen for time-sensitive applications like gaming, playing videos, or Domain Name System (DNS) lookups.
prioritises the speed of data as opposed to accuracy and packet loss (like TCP)
131
What are network sockets?
A socket consists of three things:
An IP address
A transport protocol
A port number
A port is a number between 1 and 65535 inclusive that signifies a logical gate in a device. Every connection between a client and server requires a unique socket.
For example:
1030 is a port.
(10.1.1.2 , TCP , port 1030) is a socket.
A network socket is one endpoint in a communication flow between two programs running over a network. Sockets are created and used with a set of programming requests or "function calls" sometimes called the sockets application programming interface (API).
The structure and properties of a socket are defined by an application programming interface (API) for the networking architecture.
Sockets are created only during the lifetime of a process of an application running in the node.
A socket consists of the IP address of a system and the port number of a program within the system.
132
What is an API?
Application Programming Interface.
Client interact with the API, which forwards requests to server. There is never a direct client connection to a server.
An API defines a set of rules on how applications can communicate with one another. It is the middleman between an application and a web server. It's responsible for forwarding the requests from an application to a server and vice versa.
Your phone’s data is never fully exposed to the server, and likewise the server is never fully exposed to your phone. Instead, each communicates with small packets of data, sharing only that which is necessary—like ordering takeout. You tell the restaurant what you would like to eat, they tell you what they need in return and then, in the end, you get your meal.
APIs use a set of rules that dictate how computers, machines or applications communicate with each other. The API is basically the middleman between two or more applications that need to connect with each other to share information.
133
What is a NAT? How does it work? What are the LAN uses for a NAT?
To reduce the number of public IP addresses as they are limited. Network Address Translation works in the router, and it translates our public IP address into a private LAN IP address.
Separate from DHCP, as DHCP only allocates IPs, default gateways and DNS addresses. NAT has to take all local traffic and route it through the same public IP.
134
What command do you use to create any type of file?
touch *.*
135
How do you edit a file using the greatest notepad application on linux?
vim
save your progress by clicking escape, the :wq (write to file and quit)
136
How do you destroy the contents of a file and make the file unrecoverable by data forensic methods? How do you make the program output its behaviour to the terminal? how do you remove the file once destruction is complete? how do you manipulate how many times the data is "destroyed"?
shred overwrites the contents of a file as opposed to merely compressing it and hiding it from the view of the disk (which is what happens when a disk is formatted or the data is simply deleted)
-v verbose. output onto terminal
-u remove file once overwritten
-n n number of times the file should be overwritten
137
How do you change the password of a linux user?
passwd (user)
138
How do you gather the account details of a specific linux user?
finger (user)
This will show basic user information such as the location of their shell configuration and additional information which the user may have included optionally
139
How can you download a file via the terminal? How do you change the downloaded directory?
curl (link) > (location)
140
How can you verify the integrity of your file via the terminal?
by generating a checksum and using it to verify whether it is the same as the advertised source.
if not, your version of the file is not the same as the validated and advertised source, which could mean malicious tampering through the compromise of the intended ftp server, or an unannounced update.
md5sum filename > md5sums.txt
sha512sum filename > sha512sums.txt
md5sum -c md5sums.txt
141
How can you run two commands at the same time? (Not one after the other).
The fucking line (my keyboard does not have the key).
142
How can you check how much free space you have on your hard-drives? How can you make it appear in a more useful format?
fdisk -l . Disk partition command can also be used to view the space available on disk
df
df -m megabytes, slightly more useful than standard df
df -h human format, displays GB
143
How can you open a video file via the linux terminal? How do you open an image via the terminal?
the default application for viewing videos on linux is xdg
xdg-open (video)
xdg-open (photo)
144
How can you verify that your traffic is being funnelled through a proxy or a VPN?
curl ifconfig.me
downloads the output of an ascii based ip displaying project
145
How can you explore metadata for forensic evidence? How can you erase this data? Can you recite common metadata directories?
Certain data will remain despite apparent destruction of data, namely metadata, cached data and memory data.
The remnants of your data can be exposed using a tool called 'bleachbit'. It searches all available directories for leftover data. It has a GUI.
Bleachbit is not necessary for file deletion, but it can be useful for shedding light on directories which commonly store recoverable metadata.
Best to use shred on individual files as opposed to bleachbit's inbuilt shredding function.
Images and Videos
/home/user/.cache/thumbnails/large
/home/user/.cache/thumbnails/medium
/home/user/.cache/mesashaders
Terminal History
/home/user/.bash_history
RAM, Memory recovery
/tmp/
146
What is a useragent? Why is it useful? How can you spoof your useragent?
The User-Agent string is an HTTP request header which allows servers and networks to identify the application, operating system (OS), vendor, and / or version of a user agent. Currently, the User-Agent is shared on every HTTP request and exposed in JavaScript.
It can be spoofed using mozilla browser addons, and google chrome addons.
For example, Safari, iPhone 10 etc, etc
147
What software can you use to recover a deleted partition (provided it has not been encrypted or overwritten)?
testdisk
straightforward menu. select scan and good to go
148
What does MAC address refer to? What devices have their own MAC addresses? What does a MAC address consist of?
In networking, the term MAC address
refers to the Media Access Control
address of a network card.
We often refer to this MAC address as the physical address
of the card because every single adapter card
has a different MAC address.
In ethernet, the MAC address is 48 bits long,
which is the same as being 6 bytes long,
and we write all 6 bytes in hexadecimal.
The 6 bytes are broken up into two sections.
The first three bytes are the Organizationally Unique
Identifier, or OUI.
We often refer to this as the manufacturer
portion of the MAC address because this particular value
has been assigned to a manufacturer,
and all of the network interface cards they create
will start with the same three bytes.
The last three bytes of the MAC address are the serial number,
and the manufacturer will increment
that serial number for every network interface card
they manufacture.
The switches that we have on our local area networks
are designed to work at this MAC address level.
They will interpret what's in the frame
and will forward or drop that traffic
between different interfaces on the switch.
Neo-Revision
flashcards
Decks in class (5)
# Cards
