Skip to content
ethical hacking
VM workstation for ethical hacking
ethical hacking worksheets
e-hacking ws responses
unit themes: theory
HTB academy
pentest log
hacking workshops
More
Share
Explore

icon picker
e-hacking ws responses

Exercise 1: Malware

pages 4-8
Malware is a term made up from which two words?
malicious software
Explain why it is incorrect to describe any type of malware as a virus.
Different types of malware each have their own characteristics, which differentiates them. Some exhibit behaviours of two or more of the different types.
Describe two characteristics unique to a computer virus.
computer viruses are self replicating
typically ‘attach’ themselves to another file
spread to other computers by some user interaction: clicking a link / download a file.
Describe two methods by which viruses can spread.
USB flash drives: if a drive is infected, then any computer it connects to is at risk
Email users are tricked into downloading attachments by clicking on a link.
The most common method of spreading viruses is on the internet
Describe two symptoms that may suggest a computer system has been compromised malware.
The computer is displaying a lot of error messages, or unwanted pop-up windows.
The machine suddenly begins to slow down, taking a longer time to respond.
You noticed that files are disappearing with no explanation.
You are suddenly unable to access a program that worked previously.
Backing storage seems active but the computer is idle. A virus running in the background.
Computer ignores commands, or does something unexpected, eg the wrong appl loads.
If the machine reboots or shuts down at random, this is a sign that a virus could be at work.
In the context of computer viruses, explain what is meant by the term replication.
Viruses depend on human interaction to replication and spreading, eg clicking on a malicious link or running a program which the virus has infected.
Computer viruses often use camouflage to evade detection. Describe two camouflage techniques that a virus may employ and explain why this makes it more difficult for anti-virus software to detect it.
insert ‘dummy’ lines into their code so they do not resemble a known virus in the anti-virus software database. Change the order of code execution, makes them difficult to detect.
Explain how a file virus differs from a boot sector virus.
File viruses attach themselves program (.exe) files, virus runs when the program runs
Boot sector code on backing storage is loaded and executed at startup, so virus gets in 1st
Anti-malware software makes use of various techniques to detect malware.
Describe how each of the following techniques operates:
Signature detection
bit pattern of virus code matches with database of known malware
Heuristic detection
anti-virus monitors virus behavior, tries to identify suspicious activity based on examples of previous malware
Checksum
since virus alters program code the checksum calculation for the file will be different
Describe how a Trojan differs from a virus
Trojans typically do not self-replicate, looks like legitimate software but contains malware

Exercise 2: Malware 2 (Level 5)

Trojans are often used to create a backdoor into a computer system. Explain what is meant by a backdoor and how an attacker might use it.
A Backdoor Trojan gains access to a computer system and alters the system to allow hackers and cyber criminals to gain access, eg by disabling a security feature, esp network security
Describe how a worm operates, and how it differs from a virus.
They replicate working copies of themselves but spread by exploiting a vulnerability on the target system and do not rely on human action, use network connections.
Describe two examples of spyware and describe how each might be used by criminals.
a keylogger is hardware/software to record the keystrokes a user enters. Criminal can collect sensitive data like passwords from keylogger
Webcam hijacks allow perpetrators to secretly turn on a user's webcam/microphone on PC or mobile device and capture video/audio
What is a ‘drive-by-download’?
Visit (‘drive by’) a web page, without stopping to click or accept any software, but malware downloads in the background to the device, exploits browser security.
It is essential to ensure users have strong passwords. State three characteristics of a strong password.
long password, upper/lower case + number+ special characters, use different passwords
Some users have difficulty remembering many different passwords, and can be tempted into using the same password for several accounts. Explain why this practice carries risk.
if hacker discovers the password than all accounts are vulnerable
Criminals make use of various techniques to 'crack' passwords and gain access to users' accounts. Describe two of these techniques.
dictionary attack, brute force attempt all known passwords
social engineering: email link to fake login, get user to submit account and password
Biometric systems are being used increasingly in place of passwords. Name and describe two methods of biometric authentication.
finger-print pattern scanner eg on phone
face recognition, phones
iris scan (eye scan)
voice pattern recognition
Describe how a DDOS attack makes use of a botnet to attack a computer system or website.
bot is code on very many infected zombie machines (botnet), user is unaware, criminal remotely instructs all bots to send simultaneous requests to server which is overwhelmed
Describe how Ransomware operates.
malware encrypts or threatens to delete files unless a large sum of money paid to attackers

Exercise 3: Advanced Persistent Threat (Level 6)

Use the internet to research an example of an advanced persistent threat. You should then create a short presentation on your findings.
Some points you may wish to include:
Nature of the threat
Sykipot APT malware family leverages flaws in Adobe Reader and Acrobat, spear phishing attack that included links and malicious attachments
Target
UK and US government agencies, defense contractors and telecommunications companies
How an APT differs from a conventional cyber threat
methods that have been customized to the target and carried out (undetected) over a much longer timeframe, high degree of and coordination necessary to breach high-value targets (intellectual property, military plans) and are initiated to steal data, focus on establishing multiple points of compromise, hackers retain access even if the malicious activity is discovered and incident response is triggered

Exercise 4: Social Engineering (Level 5)

Describe three characteristics that would suggest an e-mail might be an attempt at phishing.
AMBIGUOUS GREETING Phishing e-mails tend not to address users by name
POOR SPELLING OR GRAMMAR criminals’ first language is not English
TEMPTING OFFER/SENSE OF URGENCY make an offer that seems too good to be true
UNTRUSTWORTHY LINKS: apparent hyperlink destination goes to a different malicious site
Describe the difference between phishing and spear phishing.
Spear-phishing attack is targeted at a specific individual rather than a generic mass mail-shot to thousands of users, spear-phishing text is crafted to appear genuine to one target
Explain what is meant by e-mail spoofing.
forging an e-mail header so it appears to originate from someone else
Describe what is meant by dumpster-diving and outline one method that could be employed to protect individuals and organisations from falling prey to it.
raiding the waste of companies, or individuals, aim of finding discarded documents that contain valuable information eg bank statement
shred confidential papers before disposal
Describe how a watering-hole attack operates.
attacker observes the websites often visited by a victim, and infects those sites with malware
Give an example of how psychological manipulation can be used by malicious individuals to gain unauthorised access to computer systems or data.
attacker creates a trusted relationship with human target and exploits it to bypass security
asking target to help in a contrived emergency or coercing target to “bend the rule”
Outline two methods an organisation could employ to make their company less susceptible to social engineering attacks.
Staff training so people are aware of the risks and techniques to cope, disciplinary action
Policies to reduce opportunities: ban use of USB flash drives, restrict access to files
Give two reasons why criminals might prefer to make use of social-engineering techniques instead of hacking computer systems.
no special technical skills are required, less time consuming, less expensive
Explain what is meant by the term ‘baiting’.
use a false promise to get attention through a victim's greed or curiosity, click a link
Describe two methods individuals can employ to prevent falling victim to a social engineering attack.
take a social engineering awareness course
develop good cyber hygiene habits

Exercise 5: Biometric Security Methods (Level 4)

Biometric authentication makes use of physical attributes (such as fingerprint/retina) to authenticate users.
Use the internet to investigate another type of biometric authentication. You should then write a brief summary of how it operates. You should consider the following points in your response:
How does it operate?
camera projects and analyses over 30,000 invisible infrared dots to create a 3-D map of a face, works in the dark, coped with glasses, makeup, hats
How secure is this method?
data (mathematical representations of your face) is encrypted and protected with a key available only to the Secure Enclave, not stored in the cloud, locks after 5 false attempts, probability of another face unlocking a phone is 1 : 1,000,000 and Touch ID at 1 : 50,000
Speed of response
Almost instant
Comparison with other authentication methods
Convenient, small size, harder to hack (iris scan and fingerprint can be spoofed)

Exercise 6: Cyber Resilience (Level 6)

Explain what is meant by cyber resilience.
how well and how quickly an organisation could recover from a successful cyber attack.
Cyber attacks are often analysed in terms of their effect on the ‘CIA’ of sensitive data. Summarise what is meant by this.
C (confidentiality): if sensitive information is compromised
I (integrity): if data has been damaged or destroyed, corrupted, made inaccurate
A (availability): if users, clients can still get access to data they need
Describe what is meant by a tabletop exercise and how it is beneficial for organisations to participate in these.
employees work through a hypothetical real-world scenario, attack simulation
the company can reflect upon the drill in order to improve their reaction strategies
Explain why it is important that software patches be installed as soon as they become available.
the update/patch removes an existing code vulnerability to latest threats
It is important for organisations to ensure they have a robust backup system in operation.
Describe what is meant by a full backup.
complete copy of all files, stored elsewhere, very time consuming, weekly/ monthly
Describe what is meant by an incremental backup.
copy of changes only, unchanged data not copied, done hourly/ daily
A company that takes thousands of online orders per day operates a backup strategy whereby they take a full backup of their data every Sunday.
Explain why this backup strategy is insufficient.
On a Saturday they have M-Sat data unsaved and at risk of loss
Describe how this could be improved.
keep incremental or differential backup at least once a day, perhaps hourly
Intrusion detection is a useful part of a wider cyber security strategy. Describe how a honey-pot might be used as part of an Intrusion Detection system.
fake sensitive data on isolated and highly monitored part of organisation network
hackers are lured to this decoy site and unauthorised access is immediately detected
organisation could study hackers methods without alerting them
Staff training is one of the most important elements of a cyber security strategy. Describe three practices an organisation should consider as part of their staff training programme.
social engineering awareness, basic cyber hygiene, data security methods, password practice, updates on scams
Two-factor authentication is a feature available on many online services. Explain how two-factor authentication protects users against cyber attacks.
something you know / have
bankcard + PIN, password security code messaged to trusted phone / email, approved device ID + security code

Exercise 7a: Cybercrime Investigation (Level 6)

Part A: Historical example of cybercrime 9
Use the internet to investigate a historical example of cybercrime. For the purposes of this exercise, you should focus on cybercrime that took place prior to the year 2005.
Your research should attempt to find the following information, if applicable:
Type of cybercrime
unauthorised access to military computer systems, theft of data by teenagers
Malware used (Virus/Trojan/Worm)
spyware: programme called a "Sniffer" had been installed on one of their computer networks
Behaviour of malware; how did the malware operate?
captured passwords
Did the attack compromise data confidentiality/integrity/availability? Or a combination of the three?
confidentiality: passwords
Primary method of infection/spreading
Techniques used (DDOS attack/Insider attack, etc)
captured passwords of military personnel
Target of the crime (did the malware target a particular individual/organisation/sector? Or was it indiscriminate?
sensitive USAF, NASA, and NATO military establishments
Motivation of criminals (financial gain? revenge?)
searching for evidence of anti-gravity propulsion systems that they saw as proof of the existence of UFOs and the secret exploitation of alien technology
Impact of attack:
Financial
Reputational
Social/political
hacked his way into a research facility in Korea, and dumped the contents of the Korean Atomic Research Institute's database on the USAF system
Effects on victims/other consequences
Final outcome: Were the perpetrators brought to justice? If so, what was the outcome?
What law(s) were broken? Has any remedial action been taken as a result of the attack, for example, changes in the law or company policies?
"Datastream Cowboy" was prosecuted in 1996 for offences under the Computer Misuse Act
When you have collated your research, you should then present your findings in the form of a written report.

Exercise 7b: Cybercrime Investigation (Level 6)

Part B: Contemporary example of cybercrime
Use the internet to investigate a recent example of cybercrime. For the purposes of this exercise, you should focus on cybercrime that took place on, or after, the year 2005.
Your research should attempt to find the following information, if applicable:
Type of cybercrime
government (USA and Israel) sponsored cyber attack on an enemy state (Iran), digital weapon
Malware used (Virus/Trojan/Worm)
worm called STUXNET
Behaviour of malware; how did the malware operate?
designed to cause physical damage to electro-mechanical equipment controlled by computers
Did the attack compromise data confidentiality/integrity/availability? Or a combination of the three?
availability of machines as they had been physically damaged through malfunction
Primary method of infection/spreading
infected USB drive, propagates across the network on Windows OS, scanning for Siemens Step7 software on computers controlling an electro mechanical machine
Techniques used (DDOS attack/Insider attack, etc)
worm infection
Target of the crime (did the malware target a particular individual/organisation/sector? Or was it indiscriminate?
Very carefully customized and configured to affect the only kind of machines used in Iranian nuclear research although other devices in other countries were hit by the worm
Motivation of criminals (financial gain? revenge?)
To severely disrupt nuclear research by Iran.
Impact of attack:
Financial
Reputational
Social/political
Attempted to delay Iran’s development of nuclear weapons. Stuxnet reportedly ruined almost one-fifth of Iran's nuclear centrifuges
Effects on victims/other consequences
Final outcome: Were the perpetrators brought to justice? If so, what was the outcome?
No-one has been able to prove anything, however a cyber attack using STUXNET is the most likely explanation. The Iran nuclear program was delayed in a minor way.
What law(s) were broken? Has any remedial action been taken as a result of the attack, for example, changes in the law or company policies?
Military attack by a state so law not applicable.
When you have collated your research, you should then present your findings in the form of a
written report.

Exercise 8: Legislation

Using the following list of pieces of legislation, find out some more details about each of them.
Think about the purpose of each Act and the date they were passed.
Data Protection Act
1998: protect personal data stored on computers or in an organised paper filing system, to give legal rights to people who had information stored about them
General Data Protection Regulation
2018: provide 8 rights to european citizens regarding personal data. Applies to data outside EU also.
Computer Misuse Act
1990: deal with unauthorised access to systems, including use of malware
Regulation of Investigatory Powers Act
2000: governs the use of covert surveillance by police, intelligence services and local authorities
Investigatory Powers Act
2016: allow government (GCHQ, MI5) to order cooperation of Internet Service Providers to coperate in mass surveillance and hack into devices
Police and Justice Act
2006: extend Computer Misuse Act, makes DOS a crime, clarifies offences relating to creating and supplying malware and hacking tools, identifies criminality for any unauthorised act regarding computer systems when the system is affected in terms of CIA
Copyright, Design and Patents Act
1988: designed to protect all types of intellectual property (IP) and ensure that the authors or creators of a piece of work receive both credit and compensation, including digital
Intellectual Property Act
2014: update to copyright, focus on design and patent
Present your findings in a presentation, word document or poster.

Exercise 9: Data Protection Act versus GDPR

Data Protection Regulation (Level 6) 12
Create a chart or diagram that represents the differences between the Data Protection Act and the General Data Protection Regulation. Think about the main differences and in what ways they differ.
Principles are worded slightly differently, Sights of a data subject are more detailed, increase 5 to 8
GDPR introduces concept of Data controller and Data processor
More explicit consent is needed, clear statement on data held outside EU
Deals with pseudonymised data
Extension: Can you think of any areas where the General Data Protection Regulation may not be good enough? Is this new piece of legislation sufficient to replace the Data Protection Act?

Exercise 10: RIPA Discussion (Levels 5 and 6)

Research RIPA and makes notes to prepare for a discussion on this piece of legislation.
Do you think it is a good piece of legislation?
No since it has needed to be updated several times and caused a lot of controversy.
Can you find examples of this piece of legislation being misused or used correctly?
Midlothian council using the powers to monitor dog barking and Allerdale borough council gathering evidence about who was guilty of feeding pigeons
It also covers the government’s counter-terrorism plans, including central and local crisis response, how the government communicates with the public and advice on staying safe during terrorism threats.
What are you overall feelings regarding this piece of legislation?
An area of cyber that needs a law but creates serious problems as well as trying to solve them

Exercise 11: Controversial Legislation (Level 6)

A lot of the legislation that has been covered can be considered controversial. In pairs, select two pieces of legislation and have a discussion on any controversial examples you can find regarding the legislation and decide if you agree with the outcome.

Exercise 12: Legislation Research (Levels 5 and 6)

The list below contains the legislation that we have explored in this unit. Choose two from the list to investigate, and then collate your findings in a manner that you choose. You may wish to create a presentation, poster, word document or voice recording.
Data Protection Act
General Data Protection Regulation
Computer Misuse Act
Regulation of Investigatory Powers Act
Investigatory Powers Act
Police and Justice Act
Copyright, Design and Patents Act
Intellectual Property Act
You should consider the following points in your investigations, but this list is not exhaustive:
Examples of the legislation being breached
Any future updates to the legislation
Examples of when the legislation failed

Exercise 13: Case Studies (Levels 5 and 6)

The list below contains well-known cyber attacks. Choose two from the list to investigate, and then produce a written report on your findings. (Same as 7a and 7b)
WannaCry
Stuxnet
Sony Hack
ILOVEYOU
Conficker
Ashley Madison
Some points to consider/investigate:
Type of Malware (Virus? Worm? Ransomware?)
Behaviour of malware (how did it operate?)
Target of malware
Perpetrators
Motivation (Financial? Political?)
Individual/group/nation state
What aspects of C/I/A were affected?
Impact of attack
Was the attack preventable? If so, how?
What lessons can be learned?
How did the attack come to an end?
Outcome: Did the target recover from the attack? What damage had been done?
Have the perpetrators been caught/prosecuted?
Once your investigation is complete, pair up with a pupil who investigated different cyber attacks and compare your findings.

Exercise 14: Penetration Testing (Theory)

Describe what is meant by the scope of a penetration test.
Detailed list of which parts of an organisation’s IT system are included / not included in the pentest
Explain why it is important that the scope of the test and any confidentiality arrangements are agreed and signed before the test commences.
To protect the company and pentester from unplanned issues. Matters covered by the areement can’t be disputed, metters not in the agreement could be open to prosecution or other legal process.
The reconnaissance stage of a penetration test is crucial to the success of the test. State two examples of the type of information a reconnaissance activity may attempt to retrieve.
General organisation info: name, address, phone, website, domain, IP, names and roles of staff incl email address, organisation structure incl departments and functions, customers, business partners incl banks. lawyers, suppliers, organization assets like buildings, vehicles. As full a profile as possible to identify any starting point which may be vulnerable to an attack, a way into the organisation.
Describe the difference between passive and active reconnaissance techniques and give one example of each.
passive: obtaining information without making any contact so anything that can be viewed or observed without any kind of request: looking at the company website
active: deliberate action which could be noticed to discover information that would be useful in an attack but not actually carrying out the attack: port scan
Once reconnaissance is complete, the next stage is to search for vulnerabilities. State what is meant by the term vulnerability in this context.
A weak point in the organisation IT infrastructure. Something an attacker to use as the starting point of an exploit. Unsecured hardware, a software flaw (unpatched code), a person open to social engineering
When a vulnerability has been discovered, the next stage is to exploit it in order to gain some level of access to the system. Describe the role that the Metasploit Framework (MSF) plays at this stage.
Allows pentester to configure and execute an appropriate payload that carries out an exploit on a target, launch the malware attack
Malicious hackers may attempt to maintain access to a system once they have successfully managed to gain access. Name and describe one method of maintaining access.
take control of one or more network devices in order to extract data from the target,
or to use that device to then launch attacks on other targets
Want to print your doc?
This is not the way.
Try clicking the ⋯ next to your doc name or using a keyboard shortcut (
CtrlP
) instead.