Hacking Mid-Term

What is the name of a non-profit corporation that manages federally funded research and development
centers (FFRDCs)?

- Mitre


What was the first company to have a .org web address?

- Mitre


What does Mitre maintain?

- CWE, CVE, and Top 25 Most Dangerous Software Errors


What does NIST stand for?

- National Institute of Standards and Technology


What does NIST do?

- A non-regulatory federal agency within the U.S. Department of Commerce.
- Advanced R&D in technology and Engineering
- Computer Security Division & Computer Security Resource Center


NIST is responsible for creating FIPS, what does FIPS stand for?

- Federal Information Processing Standards


NIST publishes ITL Security Bulletins, what does ITL stand for?

- Information Technology Laboratory Security Bulletins


Define the following terms: CWE, CPE, CVE?

- Common Weakness Enumeration (CWE)
- Common Platform Enumeration (CPE)
- Common Vulnerabilities & Exposures (CVE)



What is a weakness?

- A weakness is the generic flaw that leads to the unique instance described by a vulnerability or exposure.


What is a vulnerability?

- A vulnerability is a unique instance of a flaw (a weakness) that leads to access of a system or network.


What is an exposure?

- An exposure occurs when data is released to an unauthorized person or entity.


What is an exploit?

- An exploit is a piece of software, a chunk of data, or sequence of commands that takes advantage of a bug,
glitch or vulnerability in order to cause unintended or unanticipated behaviour to occur on computer
software, hardware, or something electronic.


How are CWE ID's managed?

- Follows the format: CWE-<id> - Unique IDs that are counting up


Who maintains the CWE Database and who provides input to this?

- Maintained by Mitre - Input from the entire InfoSec community


What format does CPE follow?

- cpe:/part:vendor:product:version:release:edition


What format do CVE's follow?

- Follow the format: CVE-<Year>-<ID>
- Year is written with 4-digits.
- ID is a 4-digit number that increments.


Who maintains CVE databases?
- Databases maintained by MITRE & NIST




What are the three stages to becoming a CVE?

- Submission
- Candidate
- Entry


What does CVSS mean?

- Common Vulnerability Scoring System


Who maintains the CVSS?

- Maintained by FIRST (Forum of Incident Response and Security Teams)


What three components provide a means of prioritizing vulnerabilities through the CVSS?

- Base: Static score that is unique to a vulnerability
- Temporal: Dynamic score that is unique to a vulnerability but changes over time.
- Environmental: Score that is unique to the organization utilizing the score.


What scores represent low, medium and high vulnerabilities through CVSS?

Low 0.0 - 3.9
Medium 4.0 - 6.9
High 7.0 - 10.0


How are CVE, CWE, CPE and CVSS related?

- Each CVE then is based on at least one CWE
- Each CVE pertains (is about) to at least one CPE
- Each CVE is given a CVSS Score and Severity


Concerning web security, what vulnerabilities would receive a CVE?

- Web Client vulnerabilities would receive a CVE.
- Web Server vulnerabilities would receive a CVE.
- Web Application vulnerabilities may receive a CVE.
- Custom websites would not receive a CVE, you would reference the CWE.


What does OWASP stand for?
- Open Web Application Security Project


What does OWASP publish and what is this based on?

- Publish the top ten current and most serious risks to Web application security
- Information based on published list of vulnerabilities from MITRE Corporation


What is the goal of the Top 10 Project?

- The goal of the Top 10 project is to raise awareness about application security by identifying some of the
most critical risks facing organizations.


What are the 5 types of vulnerabilities?

- Buffer Overflow
- Format String
- Race Conditions
- Privilege Escalations
- Denial of Service


When the new value of a variable overwrites data outside of its allocated memory space, what occurs?

- A Buffer Overflow occurs.
- The application failed to check the length/type of the input and the input bytes larger than the variable
overflowed.
- Overwriting the EIP (Extended Instruction Pointer/Return Address) allows you to point to code of your choice
and have it executed.


What does EIP stand for?

- Extended Instruction Pointer


What is Format String Injection?

- Often involves improper use of printf
- Allows potential disclosure/exposure and manipulation of memory
- Takes two inputs, a data format and data


How can a Format String be used to gain control of a system?

- There is a method of constructing a format string to overwrite memory.
- If you can overwrite executable memory, you can take control of the system.



Give an example of a vulnerability which can enumerate information from memory?

- This happens, for example, with a format string vulnerability.


What are Race Conditions sometimes referred to?

- TOCTTOU (TOCK-too)


What is a Race Condition?

- Program that checks and then uses something.
- Race between the attacker and the user to attempt to manipulate access between the check and the use.


What is a privilege escalation attack?

- The ability to take yourself from a regular user to Administrator/root or to SYSTEM.


Give an example of a privilege escalation attack?

- Program abc.exe runs as a service as LocalSystem.
- Hacker replaces abc.exe with cmd.exe.
- Cmd.exe now runs as LocalSystem instead of running as User.


What is a Denial of Service attack?

- Attacks which prevent a system or program from providing service.


What are the two main avenues of attack for a DoS?

- Resource Utilization (HTTP Post Attacks, SYN floods)
- Crash Condition (Buffer Overflow)


What are the two types of Denial of Service attacks?

- DDoS Distributed Denial of Service (Multiple Host, Multiple packets - not always a flood!)
- DoS Denial of Service (Single packet, minimal attack, Race Conditions, Data Interruptions, Crash Conditions)


What is Malware?

- Software designed to infiltrate or damage a computer system without the owner's informed consent.

What is a Rootkit?

- The term Rootkit originally referred to a collection of tools used to gain administrative access on UNIX
operating systems.


What tools are often included in Rootkits?

- The collection of tools often included well-known system monitoring tools that were modified to hide the
actions of an unauthorized user.

- An unauthorized user would replace the existing tools on the system with the modified versions preventing
authorized users from discovering the security breach.


What are the two main types of Rootkits?

- User Mode
- Kernel Mode


What is the difference between Rootkits and Malware?

- Only different in terms of delivery
- Rootkits generally dropped by hacker
- Malware Infections spread two ways:
Manual Spread via social engineering or direct attack (virus)
Automatic Spread by jumping from host to host via vulnerability or poor configuration (worm)


What are the 5 primary ways of finding vulnerabilities?

- Fuzzing
- Reverse Engineering
- Static Code Analysis
- Manual Testing
- Accidental Discovery


Who coined the term, Fuzz Testing?

- Professor Barton Miller


What is Fuzz Testing?

- Fuzz testing a simple technique for feeding random input to applications.


What are the 3 characteristics of Fuzz testing?

1. The input is random. We do not use any model of program behavior, application type, or system
description. This is sometimes called black box testing.

2. Our reliability criteria is simple: if the application crashes or hangs, it is considered to fail the test, otherwise
it passes.

3. As a result of the first two characteristics, fuzz testing can be automated to a high degree and results can be
compared across applications, operating systems, and vendors.


What is reverse engineering?

- The process of discovering the technological principles of a device, object or system through analysis of its
structure, function and operation.


Give an example of how Hackers & Researchers will often reverse engineer patches?

- Binary Diffing the patched and unpatched version of a file will often reveal the Fix.


What is the difference between Static & Dynamic Code Analysis?

- Static Code Analysis: The analysis of computer software that is performed without actually executing
programs built from that software.
- Dynamic Code Analysis: The analysis performed on executing programs.


When is Static Code Analysis often used?

- Often used during the QA process by a company before releasing code.


Under what circumstances does Static Code Analysis not work?

- Cannot be used with compiled software.
- Generally means the public only use it with open source software.


What is meant by Manual Testing?

- Manually poking software with common tricks.
- This may mean manually testing each buffer or inputting specific data.
- Often seen as non-scripted fuzzing.



Give an example of how a vulnerability can be accidentally discovered?

- Vulnerabilities can be identified by day-to-day operations.
- An unexpected piece of data may crash a program, leading to the discovery of a new vulnerability.


What is a Code Scanner?

- Code scanners look for certain types of vulnerabilities within a given body of code.


What is Microsoft's definition of Malware?

- Anything we didnt put there!


What is a good resource to go to for finding lists of known Malware?

Malware Protection Center


What is MS SIR?

- Microsoft Security Intelligence Report


What does MS SIR contain?

- Compiled with data from more than 600 Million computers across the planet
- New and Upcoming Threats


What are Microsoft's 7 Stages to finding and killing Malware?

1 - Disconnect from network
2 - Identify malicious processes and drivers
3 - Suspend and terminate suspicious processes
4 - Identify and delete malware autostarts
5 - Delete malware files
6 - Reboot
7 - Repeat step 2


What was considered to be the first Virus?

- Creeper Virus (1971)



What year was the term 'Virus" first coined and what was its definition?

1983 - Defined as: a program that can infect other programs


What was the name of the first worm?

- Morris Worm


What worm is listed as still spreading and active?

- Conficker Worm