Intro

This is my personal preparation notes for security engineering roles. In addition to my course studies, I get these questions from variety of sources around the internet. I try to answer in my own words. If you are preparing for the same role, just remember - don’t memorize. That’s how I’m approaching it. If I’m completely lost on a question, I won’t even bother putting it down here. I admit, it’s tough for sure, like drinking from a fire hydrant; c’est la vie. Disclaimer to employers, I will not reveal any actual interview questions. Any interview questions here are ones I found on the internet (such as on glassdoor).

Lab Setup

  1. Burp Suite
  2. Nmap
  3. Wireshark

(Or just setup and use Kali on a VM.) On a side note, if you think you found a bogus phishing email, forward them to: spam@uce.gov, reportphishing@antiphishing.org

Step by step

  1. Recon
  2. Scanning
  3. Network
  4. Password
  5. Reporting

Questions (and Answers)

  1. "What is \r?" Carriage return. It'll move the cursor back to position 0. Different from \n which will return cursor back to position 0 on the next line. Apparently useful for older devices. This is ridiculous. Useful but ridiculous. Imagine a 10 minute lesson on \n...
  2. "Describe in detail how traceroute works." This command does what it sounds like, it traces routes. It tells you the time it takes to get from one hop (or node) to the next. It tells you about the device (like identity and latency) that it hops to.
  3. "How would you go about securing a web server?" This is an "in general" answer. Remove unnecessary services. Remove unused applications. Close off remote access. Separate environments, for example, production, testing and development. Watch for who has what permissions and privileges. Regularly install stable patches and security patches. Audit often. Regularly red team and blue team the web server. Continue to be educated (personally or team).
  4. "Write a function to determine if an input is a power of 2." Look at the binary of the powers of 2. For example, 00000000 is 0, 00000001 is 1, 00000010 is 2, 000000100 is 4, etc. Then build cases. For example, if the input number is an odd number or not a number, return an error. No need to check. Write a function or use something built-in that converts the input number to binary. Then compare. An alternative is to keep dividing by 2 until it gets to 1. This is probably better as it's easier. The idea is the same with figuring out if there is a negative involved. You just keep multiplying. As usual, if it's an odd number, don't even bother.</strong>
  5. "Describe a TCP handshake." This is what a typical handshake session look like:
    Client --SYN--> Server
    Client <--ACK/SYN-- Server
    Client --ACK--> Server
    The question that usually follows is, "why?" The answer is because we want to ensure that the packets are actually delivered. To avoid the handshakes, just use UDP. So, the transactions require some explanation. First the client sends a SYN and gives a sequence number to the server. The server ACK (acknowledges) the sequence number and then does the same, generate and sends a sequence number to the client. The client then acknowledges and sends the ACK packet to the server.
  6. "What is buffer overflow?" A buffer overflow is a class of attack where the program goes out of bound of what's allocated for the memory space. Typically this'll crash the program.
  7. "What are common web vulnerabilities." SQL injection, XSS, poor (or no) security configuration, social engineering (not sure if count but viable attack surface), unvalidated redirects, unvalidated forwards.
  8. "What is the opposite function of malloc() in C?" free()
  9. "What Unix function lets a socket receive connections?" listen()
  10. "How many bytes are necessary to store a MAC address?" 6 in binary; 12 in hexadecimal (17 with delimiters)
  11. "Sort the time taken by: CPU register read, disk seek, context switch, system memory read." CPU register read, system memory read, context switch, disk seek. From fastest to slowest. Hint, context switch is a problem for microkernels.
  12. "What is a Linux inode?" I actually agree with the answer that it's a "a unique file identifier for any given file system." Not sure why the insistence on metadata. From here, it suggests that it's interchangeable. So, you can also say that "an inode is metadata of the data." I worry that answering this based on the first thing that comes up to my mind will penalize me.
  13. "What Linux function takes a path and returns an inode?" stat(), fstat(), lstat(), fstatat(); stat for status, fstat for file descriptor status, lstat for symbolic link status, fstatat for status relative to a directory file descriptor
  14. "What is the name of the KILL signal?" Terminate? I would've gone for SIGKILL and the signal code if I remember that as well (9). Also not sure why the answer is wrong.
  15. "Why Quicksort is the best sorting method?" It's not. It has a O(n^2). In practice, I agree that: ""big-O" ignores data storage latencies, topology, volume, available memory, and even the computational cost of every CPU instructions involved in a given implementation – instead, it merely counts the number of algorithmic operations! Big-O can be a valuable indication when designing algorithms but the best performing and scaling solution depends on the particular constraints of any specific problem and environment."
  16. "There's an array of 10,000 16-bit values, how do you count the bits most efficiently?" Then ... I think they wanted a hash table? I suppose the correct answer is a hash table. Not sure what's wrong with that person's answer though. I can't deny that you can use hash table for just about everything including this problem.
  17. "What is the type of the packets exchanged to establish a TCP connection?" SYN, SYN-ACK and ACK (synchronize and acknowledge)
  18. "Explain CSRF." CSRF is short for cross site request forgery. The best way to think of it is as "session riding." The attacker takes advantage of the authenticated user.
  19. "Explain same origin policy." It's a policy that dictates that the site and the following site come from the same origin. It's dictated by URI scheme, host name and port number. It tries to prevent the attacker from taking advantage of that site's DOM (Document Object Model). As an example, http://siferaseph.com is different from https://www.siferaseph.com.

Hack Night at NYU

  1. On a Linux VM: 1. apt-get install gcc-multilib 2. apt-get tmux 3. wget https://raw.githubusercontent.com/blankwall/Template/master/socat.sh 4. git clone https://github.com/wi-fi-analyzer/fluxion
  2. Day 1: 1. ./load-tmux-profile.rb exploit ../Binary_Exploitation/exploit_1/exploit_1
  3. Day 2: 1. Microsoft Word 2. https://github.com/n1nj4sec/pupy otw up-to: koReBOKuIDDepwhWk7jZC0RTdopnAYKh (level 5)

Assembly Notes

Code Description Example
mov src, dest
add src, dest
sub src, dest

IRC

If you are like me and still use IRC… then you’re probably going to want to setup Tor.

  1. Put said onion into network list. (SASL EXTERNAL)
  2. openssl req -x509 -new -newkey rsa:4096 -sha256 -days 1000 -nodes -out network-name.pem -keyout network-name.pem
  3. Make sure said app can use this cert.
  4. openssl x509 -in network-name.pem -outform der | sha1sum -b | cut -d' ' -f1
  5. Add this fingerprint to the list (unfortunately, on plain internet first).
  6. Make sure SSL is enabled (invalid if necessary, since some CA won't issue onion certs).
  7. Connect and enjoy.

Phreaking

Haven’t touched this for years but if you’re one of the relatively few who enjoy this topic:

  • Google -> "Recently used devices"
  • ##72786# = delete phone info from settings
  • Blue is iPhone; Green is Android (this is a thing people fight about)
  • To get a different tower.. turn on and off Airplane Mode.

Regarding stickers (a fight I actually got into), don’t put them on your laptop. Maybe over the webcam if it doesn’t come with some kind of guard. I don’t know why people put it on their laptop shell but it’s often ugly. As much as possible, use the device as intended.