201 a 322 Flashcards
You are performing a penetration test. You achieved access via a buffer overflow exploit and you proceed to find interesting data, such as files with usernames and passwords. You find a hidden folder that has the administrator’s bank account password and login information for the administrator’s bitcoin account. What should you do?
Report immediately to the administrator.
An attacker attaches a rogue router in a network. He wants to redirect traffic to a LAN attached to his router as part of a man-in-the-middle attack. What measure on behalf of the legitimate admin can mitigate this attack?
Make sure that legitimate network routers are configured to run routing protocols with authentication
Which system consists of a publicly available set of databases that contain domain name registration contact information?
WHOIS
A penetration test was done at a company. After the test, a report was written and given to the company’s IT authorities. A section from the report is shown below:
- Access List should be written between VLANs.
- Port security should be enabled for the intranet.
- A security solution which filters data packets should be set between intranet (LAN) and DMZ.
- A WAF should be used in front of the web applications.
According to the section from the report, which of the following choices is true?
A stateful firewall can be used between intranet (LAN) and DMZ
In IPv6 what is the major difference concerning application layer vulnerabilities compared to IPv4?
Vulnerabilities in the application layer are independent of the network layer. Attacks and mitigation techniques are almost identical
It is a regulation that has a set of guidelines, which should be adhered to by anyone who handles any electronic medical data. These guidelines stipulate that all medical practices must ensure that all necessary measures are in place while saving, accessing, and sharing any electronic medical data to keep patient data secure. Which of the following regulations best matches the description?
HIPAA
Jesse receives an email with an attachment labeled “Court_Notice_21206.zip”. Inside the zip file is a file named “Court_Notice_21206.docx.exe” disguised as a Word document. Upon execution, a window appears stating, “This word document is corrupt”. In the background, the file copies itself to Jesse’s APPDATA\local directory and begins to beacon to a C2 server to download additional malicious binaries. What type of malware has Jesse encountered?
Trojan
A company’s Web development team has become aware of a certain type of security vulnerability in their Web software. To mitigate the possibility of this vulnerability being exploited, the team wants to modify the software requirements to disallow users from entering HTML as input into their Web application. What kind of web application vulnerability likely exists in their software?
Cross-site scripting vulnerability
An attacker is trying to redirect the traffic of a small office. That office is using its own mail server, DNS server and NTP server because of the importance of its work. The attacker gains access to the DNS server and redirects www.google.com to his own IP address. Now when the employees of the office want to go to Google they are redirected to the attacker’s machine. What is the name of this kind of attack?
DNS spoofing
Which results will be returned with the following Google search query?
site:target.com site:Marketing.target.com accounting
Results for matches on target.com and Marketing.target.com that include the word “accounting”
Rebecca commonly sees an error on her Windows system that states that a Data Execution Prevention (DEP) error has taken place. Which of the following is most likely taking place?
Malicious code is attempting to execute instructions in a non-executable memory region
As a Certified Ethical Hacker, you were contracted by a private firm to conduct an external security assessment through penetration testing.
What document describes the specifics of the testing, the associated violations, and essentially protects both the organization’s interest and your liabilities as a tester?
Rules of engagement
When analyzing the IDS logs, the system administrator noticed an alert was logged when the external router was accessed from the administrator’s computer to update the router configuration. What type of an alert is this?
False positive
The Heartbleed bug was discovered in 2014 and is widely referred to under MITRE’s Common Vulnerabilities and Exposures (CVE) as CVE-2014-0160. This bug affects the OpenSSL implementation of the Transport Layer Security (TLS) protocols defined in RFC6520.
What type of key does this bug leave exposed to the Internet making exploitation of any compromised system very easy?
Private
Eve stole a file named secret.txt, transferred it to her computer and has just entered these commands:
[eve@localhost ~]$ john secret.txt
Loaded 2 password hashes with no different salts (LM[DES 128/128 SSE2-16])
Press ‘q’ or Ctrl-C to abort, almost any other key for status
0g 0:00:00:03 3/3 0g/s 86168p/s 86168c/s 172336C/s MERO…SAMPLUI
0g 0:00:00:04 3/3 0g/s 3296Kp/s 3296Kc/s 6592KC/s GOS..KARIS4
0g 0:00:00:07 3/3 0g/s 8154Kp/s 8154Kc/s 16309KC/s NY180K..NY1837
0g 0:00:00:10 3/3 0g/s 7958Kp/s 7958Kc/s 15917KC/s SHAGRN..SHENY9
What is she trying to achieve?
She is using John the Ripper to crack the passwords in the secret.txt file
What is the correct process for the TCP three-way handshake connection establishment and connection termination?
Connection establishment: SYN, SYN-ACK, ACK; connection termination: FIN, ACK-FIN, ACK
env x='(){ :;};echo exploit' bash -c 'cat /etc/passwd'
What is the Shellshock bash vulnerability attempting to do on a vulnerable Linux host?
Display passwd content to prompt
Ricardo wants to send secret messages to a competitor company. To secure these messages, he uses a technique of hiding a secret message within an ordinary message. The technique provides ‘security through obscurity’.
What technique is Ricardo using?
Steganography
A well-intentioned researcher discovers a vulnerability on the web site of a major corporation. What should he do?
Notify the web site owner so that corrective action be taken as soon as possible to patch the vulnerability
Trinity needs to scan all hosts on a /16 network for TCP port 445 only. What is the fastest way she can accomplish this with Nmap? Stealth is not a concern.
nmap -p 445 -n -T4 -open 10.1.0.0/16
It is a short-range wireless communication technology intended to replace the cables connecting portable or fixed devices while maintaining high levels of security. It allows mobile phones, computers and other devices to connect and communicate using a short-range wireless connection. Which of the following terms best matches the definition?
Bluetooth
Which of the following can the administrator do to verify that a tape backup can be recovered in its entirety?
Perform a full restore
A company’s security policy states that all Web browsers must automatically delete their HTTP browser cookies upon terminating. What sort of security breach is this policy attempting to mitigate?
Attempts by attackers to access web sites that trust the web browser user by stealing the user’s authentication credentials
To maintain compliance with regulatory requirements, a security audit of the systems on a network must be performed to determine their compliance with security policies. Which one of the following tools would most likely be used in such an audit?
Vulnerability scanner
You are tasked to perform a penetration test. While you are performing information gathering, you find an employee list in Google. You find the receptionist’s email, and you send her an email changing the source email to her boss’s email (boss@company). In this email, you ask for a pdf with information. She reads your email and sends back a pdf with links. You exchange the pdf links with your malicious links (these links contain malware) and send back the modified pdf, saying that the links don’t work. She reads your email, opens the links, and her machine gets infected. You now have access to the company network. What testing method did you use?
Social engineering
Your team has won a contract to infiltrate an organization. The company wants to have the attack be as realistic as possible; therefore, they did not provide any information besides the company name. What should be the first step in security testing the client?
Reconnaissance
A medium-sized healthcare IT business decides to implement a risk management strategy. Which of the following is NOT one of the five basic responses to risk?
Delegate
OpenSSL on Linux servers includes a command line tool for testing TLS. What is the name of the tool and the correct syntax to connect to a web server?
openssl s_client -connect www.website.com:443
Which of the following describes the characteristics of a Boot Sector Virus?
Moves the MBR to another location on the hard disk and copies itself to the original location of the MBR
John is an incident handler at a financial institution. His steps in a recent incident are not up to the standards of the company. John frequently forgets some steps and procedures while handling responses as they are very stressful to perform. Which of the following actions should John take to overcome this problem with the least administrative effort?
Create an incident checklist
Which of the following is the least-likely physical characteristic to be used in biometric control that supports a large company?
Height and weight
While using your bank’s online servicing you notice the following string in the URL bar:
“http://www.MyPersonalBank.com/account?id=368940911028389&Damount=10980&Camount=21”
You observe that if you modify the Damount and Camount values and submit the request, the data on the web page reflects the changes.
Which type of vulnerability is present on this site?
Web parameter tampering
It is an entity or event with the potential to adversely impact a system through unauthorized access, destruction, disclosure, denial of service or modification of data. Which of the following terms best matches the definition?
Threat
Which of the following is one of the most effective ways to prevent Cross-site Scripting (XSS) flaws in software applications?
Validate and escape all information sent to a server
Gavin owns a white-hat firm and is performing a website security audit for one of his clients. He begins by running a scan which looks for common misconfigurations and outdated software versions. Which of the following tools is he most likely using?
Nikto
Matthew, a black hat, has managed to open a meterpreter session to one of the kiosk machines in Evil Corp’s lobby. He checks his current SID, which is S-1-5-21-1223352397-1872883824-861252104-501. What needs to happen before Matthew has full administrator access?
He must perform privilege escalation
Elliot is in the process of exploiting a web application that uses SQL as a back-end database. He has determined that the application is vulnerable to SQL injection and has introduced conditional timing delays into injected queries to determine whether they are successful. What type of SQL injection is Elliot most likely performing?
Blind SQL Injection
You have successfully logged on to a Linux system. You now want to cover your tracks. Your login attempt may be logged in several files located in /var/log. Which file does NOT belong to the list?
user.log
When you return to your desk after a lunch break, you notice a strange email in your inbox. The sender is someone you did business with recently, but the subject line has strange characters in it. What should you do?
Forward the message to your company’s security response team and permanently delete the message from your computer.
The “Gray-box testing” methodology enforces what kind of restriction?
The internal operation of a system is only partly accessible to the tester
Log monitoring tools performing behavioral analysis have alerted on several suspicious logins on a Linux server occurring during non-business hours. After further examination of all login activities, it is noticed that none of the logins have occurred during typical work hours. A Linux administrator who is investigating this problem realized the system time on the Linux server is wrong by more than twelve hours. Which protocol, used on Linux to synchronize the time, has stopped working?
NTP
The “black box testing” methodology enforces what kind of restriction?
Only the external operation of a system is accessible to the tester
NMAP -sn 192.168.11.200-215
The NMAP command above performs which of the following?
A ping scan
An LDAP directory can be used to store information similar to a SQL database. LDAP uses a ____ database structure instead of SQL’s ______ structure. Because of this, LDAP has difficulty representing many-to-one relationships.
Hierarchical, Relational
What is the purpose of DNS AAAA record?
IPv6 address resolution record
Which of the following statements is FALSE with respect to Intrusion Detection Systems?
Intrusion Detection Systems can easily distinguish a malicious payload in an encrypted traffic
You are performing a penetration test for a client and have gained shell access to a Windows machine on the internal network. You intend to retrieve all DNS records for the internal domain. If the DNS server is at 192.168.10.2 and the domain name is abccorp.local, what command would you type at the nslookup prompt to attempt a zone transfer?
ls -d abccorp.local
Which command can be used to show the current TCP/IP connections?
Netstat