Challenges

Answer every question briefly and clearly.

Question 1

Which of the following are commonly accepted as secure protocols? Select zero or more correct items. Erroneous selections will be penalized.

A: SSH v1

B: SSL v3

C: SFTP v6

D: TLS 1.0

E: SNMP v3

Question 2

Which of the following protocols operate at layer 3 of the OSI model? Erroneous selections will be penalized.

A: Ethernet

B: ARP

C: ICMP

D: RIP

E: TCP

F: PPP

Question 3

Justify briefly the following statement as either correct or false: MAC-address-based filtering is an effective method for protecting a network from unauthorized connection attempts within the local area network (LAN).

Question 4

Justify briefly the following statement as either correct or false: A web application component does NOT need input validation as long as it has solid output validation and output encoding.

Question 5

Justify briefly the following statement as either correct or false: Encryption is an effective protection against replay attacks.

Question 6

Assume that you are using a port scanner to identify all open TCP ports in the following target networks. What is the maximum number of TCP ports scanned in each range?

A: 10.0.0.0/16

B: 192.168.1.2/27

C: 169.255.8.124, netmask 255.255.255.240

Question 7

You are connected to a network switch together with Alice and Bob. You know that Alice and Bob use an HTTP-based instant messaging system. Describe the methods you would use to carry out an effective man-in-the-middle attack and gain control of the IM traffic.

Note: You're expected to explain the methods briefly, not just to name them.

Question 8

Alice's Windows profile has a mapped drive H: to the 'Accounts' share on the Customer1 server. Given the configuration settings below, what are her effective permissions when accessing this data through the H: drive? Select zero or more correct items. Erroneous selections will be penalized.

Alice's Groups: 'Customer Service' and 'Accounts Receivable'

'Accounts' NTFS permissions: Read for 'Customer Service', Full Control for 'Account Managers', and no access defined for other groups

'Accounts' Share permissions: Full Control for all Authenticated Users

A: Alice will have full control over the data in the H: drive (Accounts share).

B: Alice will be able to Read the data in the H: drive (Accounts share).

C: Alice will be denied access to the data in the H: drive (Accounts share).

D: Alice will be able to Modify the data in the H: drive (Accounts share).

Question 9

What can be done with the following command? Select zero or more correct items. Erroneous selections will be penalized.

grep ":0:" /etc/passwd | awk -F":" '{print $1":"$3":"}' | grep ":0:"

A: Search for all users

B: Search all users with root privileges

C: Search all null passwords

D: Search all files without owner

Question 10

You are writing a script that will automate the gathering of baseline information for Linux servers prior to deployment. Part of your script is shown below.

BASELINE = /tmp/base_data
echo Linux Baseliner > BASELINE
echo ---------------------------------- >> BASELINE
#Get a process listing
ps –aux >> BASELINE
#Get network connection listing
Netstat –an >> BASELINE

After you finish running the script you notice that there is no file in the /tmp directory called base_data. What is the likely reason for this?

Question 11

A Web Application Firewall (WAF) log includes the following GET request. Describe the most probable attack attempted against the application.

GET /index.php?f=advanced%0d%0aSet%20Cookie:%20aeee013512111ae%0d%0a&a=010101-0112&c=dGVzdA&b=1%27%20wait%20for%20delay%20%2700:00:10%27--

Question 12

You are analyzing logs from network devices and the logs show a lot of unanswered SYN packets as well as duplicate ACK packets. What does this indicate? Select zero or more correct items. Erroneous selections will be penalized.

A: Broken log parser

B: Firewall is filtering traffic accordingly

C: Spoofing attacks

D: Denial of Service attacks

Question 13

Assume you know that your network traffic, which uses a proprietary protocol, is intercepted by a third party while in transit. To protect your mission-critical messaging, which approach should you take? Select zero or more correct items. Erroneous selections will be penalized.

A: Calculate checksum from the content and then encrypt the message

B: Encrypt the message and then calculate the checksum

Question 14

736c96f76bea07f483e13680ed5365e1277739c8de8f98a322faa0fadf776c7c

Question 15

You have been assigned to write a piece of code for filtering out HTML tags from user input. Write the relevant parts of the code in a programming language of your choice (or use pseudo-code).

Question 16

Which of the following SQL statements selects all rows from a table called Products with the column Price having a value greater than 500 but less than 700? Select zero or more correct items. Erroneous selections will be penalized.

  1. SELECT * FROM Products WHERE Price > 500 and Price < 700
  2. SELECT * FROM Products IF Price > 500 and Price < 700
  3. SELECT Products WHERE Price > 500 and Price< 700
  4. SELECT Products IF Price > 500 and Price< 700
  5. IF Price > 500 and Price < 700 THEN SELECT Products

Question 17

The following packet has been logged by the firewall. What is the destination and purpose of the packet?

0000  00 02 50 f8 a1 28 02 00  00 00 01 00 08 00 45 00
0010  01 5b 54 c6 40 00 80 06  a2 bc 0a 20 05 da 50 f8
0020  a1 28 aa 11 00 50 bf 9e  9f e6 42 3b f4 16 50 18
0030  fd c0 f7 a8 00 00 47 45  54 20 2f 65 6e 2f 20 48
0040  54 54 50 2f 31 2e 31 0d  0a 48 6f 73 74 3a 20 77
0050  77 77 2e 70 75 6f 6c 75  73 74 75 73 76 6f 69 6d
0060  61 74 2e 66 69 0d 0a 55  73 65 72 2d 41 67 65 6e
0070  74 3a 20 4d 6f 7a 69 6c  6c 61 2f 35 2e 30 20 28
0080  57 69 6e 64 6f 77 73 20  4e 54 20 36 2e 31 3b 20
0090  57 4f 57 36 34 3b 20 72  76 3a 34 33 2e 30 29 20
00a0  47 65 63 6b 6f 2f 32 30  31 30 30 31 30 31 20 46
00b0  69 72 65 66 6f 78 2f 34  33 2e 30 0d 0a 41 63 63
00c0  65 70 74 3a 20 74 65 78  74 2f 68 74 6d 6c 2c 61
00d0  70 70 6c 69 63 61 74 69  6f 6e 2f 78 68 74 6d 6c
00e0  2b 78 6d 6c 2c 61 70 70  6c 69 63 61 74 69 6f 6e
00f0  2f 78 6d 6c 3b 71 3d 30  2e 39 2c 2a 2f 2a 3b 71
0100  3d 30 2e 38 0d 0a 41 63  63 65 70 74 2d 4c 61 6e
0110  67 75 61 67 65 3a 20 65  6e 2d 55 53 2c 65 6e 3b
0120  71 3d 30 2e 35 0d 0a 41  63 63 65 70 74 2d 45 6e
0130  63 6f 64 69 6e 67 3a 20  67 7a 69 70 2c 20 64 65
0140  66 6c 61 74 65 0d 0a 44  4e 54 3a 20 31 0d 0a 43
0150  6f 6e 6e 65 63 74 69 6f  6e 3a 20 6b 65 65 70 2d
0160  61 6c 69 76 65 0d 0a 0d  0a
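As an added example that is not part of the original challenge, a small Python decoder for the Ethernet II, IPv4 and TCP headers and the HTTP request line of the frame above. It embeds the first 112 bytes (seven rows) of the dump as its sample input and assumes an IPv4-over-Ethernet frame carrying TCP; the remaining request headers are not needed to identify the destination and purpose.

```python
import struct
from ipaddress import IPv4Address

# Constructed sample input: the first 112 bytes (7 rows) of the firewall hex
# dump above, covering the Ethernet, IPv4 and TCP headers plus the HTTP request
# line and Host header. Offsets are dropped; byte values are kept verbatim.
DUMP = """
00 02 50 f8 a1 28 02 00 00 00 01 00 08 00 45 00
01 5b 54 c6 40 00 80 06 a2 bc 0a 20 05 da 50 f8
a1 28 aa 11 00 50 bf 9e 9f e6 42 3b f4 16 50 18
fd c0 f7 a8 00 00 47 45 54 20 2f 65 6e 2f 20 48
54 54 50 2f 31 2e 31 0d 0a 48 6f 73 74 3a 20 77
77 77 2e 70 75 6f 6c 75 73 74 75 73 76 6f 69 6d
61 74 2e 66 69 0d 0a 55 73 65 72 2d 41 67 65 6e
"""

def decode_frame(hexdump: str) -> dict:
    """Decode an Ethernet II / IPv4 / TCP frame from a space-separated hex dump."""
    raw = bytes.fromhex("".join(hexdump.split()))
    # Ethernet II: 6-byte destination MAC, 6-byte source MAC, 2-byte EtherType
    dst_mac, src_mac = raw[0:6], raw[6:12]
    ethertype = struct.unpack("!H", raw[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = raw[14:]
    ihl = (ip[0] & 0x0F) * 4                      # IPv4 header length in bytes
    total_len, proto = struct.unpack("!H", ip[2:4])[0], ip[9]
    src_ip, dst_ip = IPv4Address(ip[12:16]), IPv4Address(ip[16:20])
    if proto != 6:
        raise ValueError("not TCP")
    tcp = ip[ihl:]
    src_port, dst_port, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4              # TCP header length in bytes
    flags = off_flags & 0x1FF
    payload = tcp[data_off:]
    # HTTP is line based; keep only CRLF-terminated lines so a truncated dump
    # never yields a half header.
    lines = payload.split(b"\r\n")[:-1]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b": ")
        headers[name.decode()] = value.decode()
    return {
        "dst_mac": dst_mac.hex(":"), "src_mac": src_mac.hex(":"),
        "src": f"{src_ip}:{src_port}", "dst": f"{dst_ip}:{dst_port}",
        "ip_total_len": total_len, "ttl": ip[8],
        "syn": bool(flags & 0x02), "psh": bool(flags & 0x08), "ack": bool(flags & 0x10),
        "request_line": lines[0].decode() if lines else "",
        "headers": headers,
    }

if __name__ == "__main__":
    for key, value in decode_frame(DUMP).items():
        print(f"{key}: {value}")
```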

Question 18

Identify the possible problems in the following Python code and make recommendation(s) for changes needed to make the code secure.

#!/usr/bin/env python
import MySQLdb
import hashlib
import logging
import config
    
def authenticate_user_login(username, password):
    stored_hash = ""
    calculated_hash = ""
    try:
        # connect to sql server
        db = MySQLdb.connect(host=config.sql_host, user=config.sql_user, passwd=config.sql_pass, db=config.user_database)
        # query the user database for the user's password hash
        sql_cursor = db.cursor() 
        sql_cursor.execute('SELECT password_hash FROM users WHERE username = "' + username + '" LIMIT 1;')
        query_result = sql_cursor.fetchall()
        
        if query_result:
            stored_hash = query_result[0][0]
            
        hasher = hashlib.md5()
        hasher.update(password);
        calculated_hash = hasher.hexdigest()
        
    except Exception as e:
        logging.error('Database error while authenticating user: %s' % (e))
    
    if stored_hash == calculated_hash:
        return 1
    else:
        return 0
    
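As an added example that is not part of the original challenge code, a hardened rewrite of the login check: the username is bound as a query parameter instead of concatenated into the SQL, the password is stored as a salted PBKDF2-SHA256 hash rather than unsalted MD5, digests are compared in constant time, and a database error or unknown user fails closed instead of letting two empty strings compare equal. It assumes an in-memory sqlite3 table as a stand-in for the MySQL users table; the table layout (salt column) is also an assumption.

```python
import hashlib
import hmac
import logging
import os
import sqlite3

# Assumption for this stand-alone example: an in-memory sqlite3 database
# replaces the MySQL server, and the users table stores a per-user random salt
# next to the PBKDF2 hash instead of an unsalted MD5 digest.
ITERATIONS = 200_000

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def create_user(db: sqlite3.Connection, username: str, password: str) -> None:
    salt = os.urandom(16)
    db.execute("INSERT INTO users (username, salt, password_hash) VALUES (?, ?, ?)",
               (username, salt, hash_password(password, salt)))

def authenticate_user_login(db: sqlite3.Connection, username: str, password: str) -> bool:
    """Return True only on a verified match; any error or missing user fails closed."""
    try:
        # Parameterised query: the username is bound, never spliced into the SQL text.
        row = db.execute("SELECT salt, password_hash FROM users WHERE username = ? LIMIT 1",
                         (username,)).fetchone()
    except sqlite3.Error:
        logging.error("Database error while authenticating user")  # no credentials in logs
        return False
    if row is None:
        # Unknown user: still do the hash work so response time does not reveal valid names.
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored_hash = row
    # Constant-time comparison avoids a byte-by-byte timing leak of the stored hash.
    return hmac.compare_digest(hash_password(password, salt), stored_hash)

def demo_db() -> sqlite3.Connection:
    """Constructed sample data: one user in a fresh in-memory table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, password_hash BLOB)")
    create_user(db, "alice", "correct horse battery staple")
    return db

if __name__ == "__main__":
    db = demo_db()
    print(authenticate_user_login(db, "alice", "correct horse battery staple"))  # True
    print(authenticate_user_login(db, "alice", "wrong"))                          # False
    print(authenticate_user_login(db, 'alice" OR "1"="1', "x"))                   # False
```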

Question 19

Find the possible problems in the following code. Report for each problem the line number(s), the essence of the problem and the possible consequences.

vulnerable.c

1   #include <stdio.h>
2   #include <stdlib.h>
3   #include <unistd.h>
4   
5   char *strtok(char *str, const char *delim);
6   char strcmp(const char *s1, const char *s2);
7   char *strcpy(char *dest, const char *src);
8   char *strncpy(char *dest, const char *src, unsigned int n);
9   char *strchr(const char *s, int c);
10  
11  #include "vulnerable.h"
12  #include "net.h"
13  #include "worker.h"
14  
15  void *allocate_entry() {
16      struct_entry_t *ent = malloc(sizeof(struct_entry_t));
17      ent->type = 0;
18      ent->u.numstr.str = malloc(MAX_STR_SIZE);
19      return ent;
20  }
21  
22  int check_value(char *buffer) {
23    char *c = buffer;
24    while (*c) {
25      if (*c < 128)
26        c++;
27      else
28        return 0;
29    }
30    return 1;
31  }
32  
33  void *parse_line(char *buffer) {
34      struct_entry_t *ent;
35  
36  #define DELIM " ="
37      char *token = strtok(buffer, DELIM);
38      char *next_token = strtok(NULL, DELIM);
39  
40      if (!strcmp(token, "number_and_string")) {
41          if (next_token) {
42              unsigned int value;
43              char strval[200]; 
44  
45              sscanf(next_token, "%d:%s\n", &value, strval);
46              fprintf(stderr, "verify [%d] [%s]\n", value, strval);
47              if (!check_value(strval)) 
48                return NULL;
49  
50              ent = allocate_entry();
51              ent->u.numstr.num = value;
52              ent->u.numstr.cnt = 0;
53              strcpy(ent->u.numstr.str, strval);
54          }
55      } else if (!strcmp(token, "large_string")) {
56          if (next_token) {
57              char *val = strchr(next_token, ':');
58              if (!val)
59                  return NULL;
60              val++;
61  #define PREPEND_HEADER 16
62              unsigned short size = atoi(next_token);
63              unsigned short full_size = size + PREPEND_HEADER;
64              char *buf = malloc(full_size);
65  
66              strncpy(buf + PREPEND_HEADER, val, size);
67          }
68      } else {
69          return NULL;
70      }
71      return ent;
72  }
73  
74  int read_file(char *path) {
75      FILE *f;
76      char buffer[1024];
77  
78      f = fopen(path, "r");
79      if (f == NULL)
80          return -1;
81  
82      char *line;
83      while ((line = fgets(buffer, sizeof(buffer), f))) {
84          parse_line(line);
85      }
86  
87      fclose(f);
88      return 0;
89  }
90  
91  int main(int argc, char *argv[]) {
92      if (argc < 2) {
93          return -1;
94      }
95  
96      read_file(argv[1]);
97      start_manager();
98      start_server();
99      return 0;
100 }

vulnerable.h

1   #ifndef VULN_H
2   #define VULN_H
3   
4   typedef struct {
5       int type;
6       union {
7           struct {
8               int num;
9               char cnt;
10  #define MAX_STR_SIZE 100
11              char *str;
12          } numstr;
13      } u;
14  } struct_entry_t;
15  
16  #endif

Question 20

You are a network administrator. In order to find rogue hosts in your network, you have done a passive scan on the network and gained some information based on that.

Host   OS       Ports open
A      Linux    ?
B      Windows  ?
C      ?        21/tcp, 23/tcp, 80/tcp
D      ?        21/tcp, 22/tcp, 8080/tcp

You also know that the platform team installs hosts based on a very strict principle: if the operating system is Windows, it is not running an SSH service.

Which of the hosts do you have to investigate further?

Question 21

You are conducting a penetration test against system X. You have already gained a foothold in system X, but you lack a stable backdoor and root privileges. You have three exploits available: A, B and C. Only one of these exploits works; the other two will reboot the system and you will lose the foothold and connectivity to the system. You have already chosen exploit B to be run when the system X administrator accidentally exposes information confirming that exploit A would reboot the system. What is your next step?

Question 22

You are connecting to Gmail and you inspect the certificate that the site uses. Are there any issues with this?

    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
    Signature Algorithm: md5WithRSAEncryption
        Issuer: C=FI, O=MIL, OU=CYBER, CN=*.gmail.com/emailAddress=mistergrey@live.xy
        Validity
            Not Before: Aug  5 10:15:00 2014 GMT
            Not After : Jun  4 10:15:00 2015 GMT
        Subject: C=FI, O=MIL, OU=CYBER, CN=*.gmail.com/emailAddress=mistergrey@live.xy
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:ca:76:4e:c6:f5:6f:12:29:2e:d9:4a:56:d9:96:
                    bf:a3:d8:a3:76:a0:6a:32:cf:ad:ec:62:a1:ad:92:
                    c3:d3:89:13:2d:64:db:a5:e6:e6:ce:34:89:45:ae:
                    8a:37:87:1d:d8:11:4c:2e:04:1f:d3:c3:dc:00:9e:
                    ae:54:a3:c2:d3:c1:bb:eb:a2:d4:6e:77:06:c0:98:
                    d3:68:b6:83:b6:f9:ec:a6:b7:d8:2b:c3:70:cb:98:
                    c2:58:53:42:05:13:17:54:df:a2:b7:8e:e0:4f:60:
                    9a:db:4d:cf:b0:dd:a3:19:4a:60:28:3c:2f:b5:73:
                    0d:78:19:5d:f5:2f:1f:b0:d1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: 
                Digital Signature, Key Agreement, Certificate Sign, CRL Sign
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication, Code Signing, E-mail Protection
    Signature Algorithm: md5WithRSAEncryption
         9c:ea:51:d8:2f:a0:86:57:47:85:72:be:fd:55:6c:3f:18:3a:
         c0:49:a2:6a:5a:46:a0:d5:b7:48:58:54:9d:d7:36:bf:88:8d:
         e7:63:40:14:ff:13:ae:78:11:b3:ba:8c:ef:e6:6f:6b:3d:ba:
         b9:46:48:61:79:e4:e7:af:65:85:68:1b:59:66:4f:b5:12:2f:
         35:2e:5f:43:a4:34:88:68:ab:e2:2c:e2:90:88:2b:d1:95:ff:
         d4:0c:3b:c3:cd:10:46:76:2f:28:85:41:53:75:6a:86:da:b7:
         55:b4:e5:85:9a:26:ba:94:44:de:64:9d:c1:4c:73:ed:61:71:
         0f:32