2.2 Given a scenario, use appropriate software tools to assess the security posture of an org Flashcards

1
Q

A company is using Microsoft’s Security Compliance Toolkit (SCT) and Nessus to get a sense of the company’s security posture. What of the following does NOT describe nor apply to either of these applications? (Select two)

A

Nessus compares with a system configuration template

SCT patches non-compliant systems

Nessus is, by design, a vulnerability scanner. It does not have a database of system configuration templates, for example, specific to Windows, to compare hosts with.

SCT does not patch systems. Any findings of non-compliance can be used to determine actions for a WSUS (Windows Server Update Services) server to handle.

Microsoft’s Policy Analyzer is part of the Security Compliance Toolkit (SCT). It compares scanned hosts with a template of controls and configuration settings to determine system compliance.

CVEs (Common Vulnerabilities and Exposures) can be used by Nessus scanner to compare and find vulnerabilities in commonly used systems. Vulnerability scans and security compliance audits can be gathered all at once with Nessus.

2
Q

A company is going through excess equipment and recyclables. Management will repurpose all the computer workstations and discard archived printed documents. Which of the following can help achieve the company’s goals? (Select two)

A

Active KillDisk software

Paper shredder

Active KillDisk is a disk wiping sanitization software tool that can purge data on disk by overwriting data with 1s and 0s. Overwriting might also be performed in multiple passes. The disk can be recycled after using this software.

A paper shredder can make printed information harder to read or recover. This type of machinery cannot shred hard drives or other computer parts.

A powerful magnet can erase data on a hard drive, but it also renders the hard drive inoperable by eliminating the disk’s magnetic charge.

A hard drive shredder would break apart or pulverize a hard drive and make it unusable.

3
Q

An admin wants to quickly assess the open ports of a Windows server. Which command will provide the admin with the right information?

A

netstat

The netstat command allows the admin to check the state of ports on the local machine (Windows or Linux). He or she may also be able to identify suspect remote connections to services on the local host or from the host to remote IP (Internet protocol) addresses.

Netcat (or nc for short) is remote access software that is available for both Windows and Linux. It can be used as a backdoor to other servers.

The ipconfig command only provides network adapter information such as the IP address of the server.

The ip command is a replacement for the ifconfig command that is used on Linux servers. It serves the same functionality as the ipconfig command used on the Windows operating system.

4
Q

A security event popped up, alerting security of a suspicious user gaining access to and copying files from the %SystemRoot%\NTDS\ file path on a server. What is the user trying to do?

A

Gather employee login credentials.

The %SystemRoot%\NTDS\NTDS.DIT file stores domain user passwords and credentials. Employees commonly use their domain credentials to log in to do work and gain access to corporate information.

BitLocker keys are stored along with the associated computer account object in Active Directory. It is viewable in the object’s properties view. This is a different location than the NTDS.DIT file.

A brute force attack is the process of using precompiled dictionaries and rainbow tables to break naïvely chosen passwords. Only file copies are occurring at this point.

Proprietary company information is never stored in the same location as Windows operating system files and folders or the C: drive.

5
Q

Which password cracking tool comes with a password sniffing tool and is compatible with Windows computers?

A

Cain and Abel

Cain and Abel is used to recover Windows passwords and includes a password sniffing utility.

John the Ripper is compatible with multiple platforms such as Windows, MAC OS X, Solaris, and Android, and is primarily used as a password hash cracker.

THC Hydra is often used against remote authentication using protocols such as Telnet, FTP (file transfer protocol), HTTPS (hypertext transfer protocol secure), SMB (server message block), etc.

Aircrack is used to sniff and decrypt WEP (wired equivalent privacy) and WPA (Wi-Fi protected access) wireless traffic.

6
Q

A hacker obtained the 24-bit prefix of several network interface MAC (media access control) addresses. From this information, the hacker noted that the target company has Cisco and Dell devices. What type of attack technique did the hacker use?

A

OUI grabbing

OUI (Organizationally Unique Identifier) grabbing is like banner grabbing or OS fingerprinting. The OUI can identify the manufacturer of the network adapter and therefore supports further assumptions about system type and/or purpose.

OS (operating system) fingerprinting is a method used by Nmap to probe hosts for running OS type and version, and even application names and device type (e.g., laptop or virtual machine).

Packet injection refers to injecting forged or spoofed network traffic. Often, network sniffing software libraries allow frames to be inserted into the network stream in this manner.

Side channel attacks are a technique used against cryptographic systems and are not applicable to this scenario.

7
Q

Management wants to create a fake network with similar network security boundaries as the operational network. This fake network will host a few servers and will be near the DMZ (Demilitarized Zone). Which of the following solutions will allow an administrator to gather information about how an attacker penetrates a network of working servers and services, while the attack happens?

A

Honeynet

A honeynet is a whole network, which can be simulated, to attract attackers, with the intention of analyzing attack strategies and tools and to provide early warnings of attack attempts.

NIDS or network intrusion detection provides real-time analysis of either network traffic or system and application logs.

A honeypot is similar in purpose to a honeynet, but represents only a single computer system. This is best for analyzing penetration techniques on a Windows server, for example.

Firewalls are the devices principally used to implement security zones, such as intranet, DMZ, and the Internet. The basic function of a firewall is traffic filtering.

8
Q

A network administrator’s computer desktop is full of network security tools that are useful for patching and hardening the network. However, after an audit, the admin recently discovered a Wireshark application, which alarmed management. What is it about Wireshark that makes management apprehensive about having it on company computers? (Select two)

A

Can eavesdrop on network communication

Can scan a network for open ports

A protocol analyzer tool like Wireshark facilitates eavesdropping, which is a valuable counterintelligence technique. It can decode a captured frame to reveal its contents in a readable format.

Packets that are analyzed or decoded will provide information, such as protocol used and at what port. If a port is open, it will be listed in the analyzed information.

A sniffer is a tool that captures frames moving over the network medium. This might be a cabled or wireless network. Once captured, the protocol analyzer can decode the data and make sense of the information. Wireshark sniffs and analyzes captured data packets.

A blocked connection is more of an action performed by a firewall or NIPS (network intrusion prevention system).

9
Q

Which procedure would a government agency prefer to use, to completely destroy top secret documentation removed from basement file cabinets?

A

Incinerate

Incineration is the process of destroying something by burning. Burning paper documents will leave no trace of top-secret information.

Degaussing is the process of exposing a computer disk to a powerful electromagnet that disrupts the magnetic pattern that stores the data. This option will destroy electronic documents stored on the disk.

Wiping is the process of writing zeroes and ones in a random pattern over existing data on the disk, to render the electronic information unrecoverable. This option is applicable to electronic documents.

Performing a low-level format resets a disk to factory condition. This option is applicable to electronic data on the disk.

10
Q

Steganography is a technique for hiding data within other data. Typically, information embeds in the least expected places. Which of the following are examples of steganography? (Select three)

A

Embed a watermark on bank notes

Encode message within TCP packet data

Embedding a watermark using the design and color of bank notes is an example of steganography. This method is employed by the Counterfeit Deterrence System (CDS) and can be used for anti-counterfeiting efforts.

Encoding messages within TCP packet data fields to create a covert message channel is an example of steganography.

Changing the least significant bit of pixels in an image file (the cover file) is another example. This can code a useful amount of information, without distorting the original image noticeably.

IPSec or IP Security is used to secure data as it travels across the network or the Internet. Running in tunnel mode, IPSec encrypts the whole IP packet (header and payload) and a new IP header is added.

11
Q

A local environment includes modern servers with Windows Server 2012 R2, along with some legacy systems using Windows Server 2003. A security administrator has concerns about legacy servers and their LAN (local area network) Manager service vulnerabilities with password hashes. What are the organization’s best options to improve authentication? (Select two)

A

Fresh install of Windows Server 2008 R2

Kerberos

Kerberos is the preferred method in a Windows domain, using a ticket-granting system to login and access resources on the network.

A fresh install will ensure the core services and settings of a Windows Server 2008 R2 operating system are working and authentic. LM (LAN manager) is disabled by default starting with Windows Server 2008.

Windows server upgrade paths are not always clean. A system upgraded from Windows Server 2003 to Windows Server 2008 R2 may still hold residual systems files from Windows Server 2003.

NTLM (New Technology LAN Manager) and NTLMv2 (version 2) provide stronger session key generation for digital signing and sealing applications than LM and LM version 2. However, they are still vulnerable to Man-in-the-Middle attacks and others.

12
Q

Network administrators look for ways to map out their network to find rogue devices. The admins would prefer a solution with a UI or user interface to manage and view the map. Which of the following tools and features will provide a useful report of devices on the network? (Select more than one)

A

Zenmap

--traceroute

Zenmap is the GUI (Graphical User Interface) version of Nmap. Also known as Nmap Security Scanner, it uses diverse methods of host discovery.

Using the --traceroute switch with Zenmap, the GUI can record the path to a target IP address and present the route in a graphical view, like a map.

The basic syntax of an nmap command is to give the IP subnet (or IP address) to scan. When used without switches, it pings and sends a TCP ACK packet to ports 80 and 443 to determine whether a host is present. This is a command line view.

Nmap, by default, does a host discovery and port scan. Using a -sn switch suppresses the port scanning.

13
Q

The security administrator at a brand-new company proposes the use of vulnerability scanners to find common targets. The admin suggests using a method that will not use up a lot of bandwidth on the network and does not need direct or privileged access. What type of scanning may this security administrator be proposing? (Select two)

A

Passive scanning

Non-credentialed scanning

A scanning technique to passively test security controls operates by sniffing network traffic to identify assets communicating on the network, service ports used, and potentially some types of vulnerabilities.

A non-credentialed scan is one that proceeds without being able to log on to a host. Consequently, the only view obtained is the one that the host exposes to the network.

Active scanning techniques involve making a connection to the target host. This might mean authenticating and establishing a session with the host or running an agent on a host.

A credentialed scan is given a user account with logon rights to various hosts. This method allows much more in-depth analysis, especially in detecting when applications or security settings may be misconfigured.

14
Q

Which of the following will make data nearly impossible to recover on a hard disk drive (HDD) using basic recovery software?

A

Drilling holes

Drilling holes through a physical hard drive destroys the spinning platters and the mechanisms that make the disk work. Physical destruction like this renders the disk unusable and unrecoverable through common ways like using recovery software.

Encryption technologies, like Windows BitLocker, encrypt full hard drives. However, encryption technologies output a recovery key or password that can still be used to unlock an encrypted disk.

Disk formatting is the creation of a file system on disk. Formatting an already used hard drive does not wipe the data, but merely hides the data, allowing the operating system to write over blocks on a disk.

A CD shredder is useful to shred CDs, making them unusable and unrecoverable. There are hard drive shredders available for use.

15
Q

After a recent hurricane, the company realizes that it is not ready to resume services of their online products immediately after the weather event. IT (Information Technology) management must develop an architectural solution to this dilemma. Which of the following will provide the best solution? (Select two)

A

Stand up a hot site

Create a failover process

The company, using Enterprise-level networking, can create a failover of the current site to an alternate processing site or recovery site, in the event the current site is no longer active.

A hot site can be described as an alternate processing site. Services at the main site can failover immediately to a hot site and will have duplicate services running.

A warm site can be described as a site with the necessary resources, but services will need to be loaded and/or manually activated. Typical recovery may take a few hours to a day.

Scheduled backups are a common configuration and should already be in place prior to planning a disaster recovery scenario. Backups can be restored at a recovery site.

16
Q

A company finalizes the plans for their COOP (Continuity of Operation Planning) site. Security and compliance should be at the same level as the current site of operations. When looking at the order of restoring services at this warm site, which of the following is the most important to enable, test, and monitor?

A

Nessus checks against CVEs

Microsoft’s Policy Analyzer uses a configuration template

Microsoft’s Policy Analyzer is part of the Security Compliance Toolkit (SCT). It compares scanned hosts with a template of controls and configuration settings to determine system compliance.

CVEs (Common Vulnerabilities and Exposures) can be used by Nessus scanner to compare and find vulnerabilities in commonly used systems. Vulnerability scans and security compliance audits can be gathered all at once with Nessus.

SCT does not patch systems. Any findings of non-compliance can be used to determine actions for a WSUS (Windows Server Update Services) server to handle.

Nessus is, by design, a vulnerability scanner. It is not a NIPS (Network Intrusion Prevention System).

17
Q

System administrators at a government facility are replacing damaged hard drives from a storage unit. After receiving the new hard drives from the manufacturer, the administrators must properly dispose of the bad drives. What policy items are applicable in this case? (Select two)

A

Degauss media with a magnet

Use the DoD 5220.22-M method

The Department of Defense (DoD) 5220.22-M wipe method involves a three-phase pass of writing 1s, 0s, and random characters onto a hard drive. This method will prevent the use of many software-based file recovery methods.

Degaussing is a method of erasing data on a hard drive with a powerful magnet. This process also renders the drive unusable because of permanent damage to the device’s servo control data that is required to read and write.

A CD shredder will make the disk unreadable. This is effective for CDs with data, but not applicable to hard drives.

A paper shredder can make printed information harder to read or recover. The method does not apply to hard drives.

18
Q

An administrator noticed a flood of network packets coming into a file server. After closing the open port experiencing the excess traffic, the admin rebooted the server. The admin checked the server and it no longer sent a flood of packets to the same port. Which of the following tools did the admin most likely use to troubleshoot the issue?

A

Wireshark

Wireshark is a protocol analyzer. It can parse the headers of network protocols, list their contents, and derive their purpose. This can help pinpoint the dropped packets and on what network adapter, so further troubleshooting can take place.

The internet protocol configuration (ipconfig) command is a tool used to query or reset network settings and information. It cannot examine network traffic like Wireshark.

Sysinternals is a suite of tools designed to assist with troubleshooting issues with Windows. Its Process Explorer can reveal all the processes and its details on the system. These tools are not useful for a networking issue.

The trace route (tracert) command can help discover where a network route ends when a ping fails. However, the server is responding to pings.

19
Q

An independent security penetration tester tried to access the company’s wireless network. The first test is to determine if pre-shared keys are not dictionary words. Which of the following tools would help find weak passwords?

A

Aircrack-ng

Aircrack-ng is a suite of utilities designed for wireless network security testing. The specific tool, which is also called aircrack-ng, can decode the authentication pre-shared key or password for WEP, WPA, and WPA2 using a dictionary word or a relatively short key.

Sniffing non-unicast wireless traffic requires a wireless adapter driver that supports monitor mode. Windows would usually need a wireless adapter designed specifically for packet capture, such as AirPcap.

inSSIDer is software that can survey Wi-Fi networks to determine SSID, BSSID (wireless access point MAC address), frequency band, and radio channel.

Netcat (nc) is a remote access trojan (RAT) that is available for both Windows and Linux. It can be configured as a backdoor.

20
Q

Management wants to see a graphical view of the company’s network and endpoints. This information will help to determine any rogue devices on the network. Which of the following tools will be most effective in providing the right information?

A

Zenmap

21
Q

A network admin troubleshoots a virtual host that has just restarted. The admin wants to know when the virtual host is reachable through the network. Which ping switch would provide the most useful information?

A

-t

The -t switch pings the specified server name or IP (Internet protocol) address until stopped. Typing Ctrl+C on the keyboard will stop the pings.

The -n switch sets the number of echo requests to send. The standard send count is four. The number can be specified after the -n switch.

The -S switch, which is a capital S, is used to specify a source address to use that is different from the server that the admin is initiating the ping command from.

The -r switch records the route for the given number of hops. This is used for IPv4 addresses.

22
Q

A company finalizes the plans for their COOP (Continuity of Operation Planning) site. Security and compliance should be at the same level as the current site of operations. When looking at the order of restoring services at this warm site, which of the following is the most important to enable, test, and monitor?

A

UPS

In general, the first step in restoring services involves enabling and testing power delivery systems, such as a power grid, generators, and even UPSs (uninterruptible power supplies). Without power, IT systems and network equipment cannot run.

In general, the second step in restoring services involves enabling and testing switch infrastructure, then routing appliances and systems.

In general, the fourth step in restoring services involves enabling and testing critical network servers, like DHCP, so that client computers can get an IP address. Other important network servers include domain controllers so that users may log in to their computers and reach Enterprise services.

In general, the sixth step in restoring services involves enabling and testing front-end applications like a web server.

23
Q

It is time to audit the network’s security. Which of the following will help with the process of scanning for vulnerabilities? (Select two)

A

Perform passive reconnaissance activities.

Check all computers for installed anti-virus software.

Creating a report of computers with and without anti-virus software can help gauge the network’s security posture. Software, like System Center Configuration Manager, can provide an active reporting of such instances.

Using brute force attacks is a type of penetration testing technique. Exploiting vulnerabilities is a separate action that can be performed afterward.

Passive reconnaissance includes actions such as finding unpatched software or finding weak password policies. These actions probe the network or application to discover issues, but do not exploit them.

Running malware from a USB is a penetration testing technique that is exploiting a vulnerability.

24
Q

Your organization has some Windows computers that are not part of the domain and therefore, cannot receive computer security policy updates. Which of the following tools can assess the local computer and make updates when necessary?

A

Microsoft Security Compliance Toolkit

The Microsoft Security Compliance Toolkit includes the Policy Analyzer Tool and the Local Group Policy Object (LGPO) Tool. Both are necessary to assess the local policies from a baseline and automate changes where needed.

Nessus is a commonly deployed solution for application vulnerability assessments. It does not perform any changes to the application or computer operating system.

Metasploit is an exploitation framework with tools for exploiting vulnerabilities.

The Local Group Policy Object (LGPO) Tool, on its own, automates changes to local GPOs on a computer. This tool is helpful in managing systems that are not part of the domain. This tool is best used in conjunction with the Policy Analyzer tool.

25
Q

A security administrator prepares to eavesdrop on the network and determine if there are any open ports. The admin will analyze the ports to determine if they are legitimate connections and if they should be open. Which tool will the admin most likely use?

A

Wireshark

Wireshark is both a sniffer and protocol analyzer tool. It is capable of parsing (interpreting) the headers of hundreds of network protocols and listing the contents of the data packets in plain view, if available. It can be used to eavesdrop and scan open networks.

Metasploit is a well-known exploit framework. It includes a Meterpreter program that can sniff packets, which can then be processed by programs like Wireshark for analysis.

Sysinternals is a suite of tools to assist with troubleshooting issues with Windows. For example, Process Explorer is part of Sysinternals and it provides a detailed view of processes to determine which ones are unrecognized.

Managed by Rapid7, along with Metasploit, Nexpose is a vulnerability scanner that is like Nessus.

26
Q

One of the essential parts of detailing the process for recovering services at a cold site is the order of restoration. The company has a backup solution that replicates data to a cloud service until needed. When restoring services, which of the following would take place first?

A

Enable and test UPS devices

In a general order of restoration, the first step involves enabling and testing power delivery systems such as a power grid, generators, and even UPSs (uninterruptible power supplies). Without power, IT systems and network equipment cannot run.

Recovery agents or recovery media are needed to recover the backed-up data from the cloud to the cold site; however, systems must be able to power on first.

In a general order of restoration, the third step is to enable and test network security appliances, like a firewall. The cloud service must enter the network to restore data.

In a general order of restoration, the seventh or final step, will be to enable client workstations, devices, and even client browser access.

27
Q

Network administrators plan to deploy wireless access points (WAPs) in the building. Admin must record SSIDs (service set identifiers) and channels so there is no conflicting wireless traffic. Which of the following tools will help architect the configuration of these WAPs?

A

inSSIDer

inSSIDer is software that can survey Wi-Fi networks to determine SSID, BSSID (wireless access point MAC address), frequency band, and radio channel.

Sniffing non-unicast wireless traffic requires a wireless adapter driver that supports monitor mode. Windows would usually need a wireless adapter designed specifically for packet capture, such as AirPcap.

Aircrack-ng is a suite of utilities designed for wireless network security testing. The principal tools include airmon-ng (monitor mode), airodump-ng (frame capture), aireplay-ng (frame injection), and aircrack-ng (decode authentication key).

A Remote Access Trojan (RAT) is software that gives an adversary the means of remotely accessing the network. It can create backdoors and evade detection systems.

28
Q

A system administrator responded to an issue on a server where the Windows file replication dropped the packets. According to a few application tools, the packets seem to be reaching the network adapter, but then the Windows replication service drops them. The admin could ping the server with no issues, and antivirus scans did not reveal any malicious software on the server. Which of the following tools would the admin most likely use next to resolve the issue?

A

Wireshark

Wireshark is a protocol analyzer. It can parse the headers of network protocols, list their contents, and derive their purpose. This can help pinpoint the dropped packets and on what network adapter, so further troubleshooting can take place.

The ipconfig command is a tool used to query or reset network settings and information. It cannot examine network traffic like Wireshark.

Sysinternals is a suite of tools designed to assist with troubleshooting issues with Windows. Its Process Explorer can reveal all the processes and its details on the system. These tools are not useful for a networking issue.

The tracert command can help discover where a network route ends when a ping fails. However, the server is responding to pings.

29
Q

A security administrator is looking for ways to reconfigure servers and network devices so that hackers cannot easily probe for system information by generating errors. The network currently has a honeynet and a NIDS (network intrusion detection software). What type of attack is the security administrator most likely trying to prevent?

A

Banner grabbing

Banner grabbing refers to probing a server like OS fingerprinting; however, it also involves opening random connections to common ports or network protocols and gathering information from banner or error responses.

OS (operating system) fingerprinting is a method used by Nmap to probe hosts for running OS type and version, and even application names and device type (e.g., laptop or virtual machine).

Packet injection refers to injecting forged or spoofed network traffic. Often, network sniffing software libraries allow frames to be inserted into the network stream in this manner.

Side channel attacks are a technique used against cryptographic systems and are not applicable to this scenario.

30
Q

A company has backup schedules, running a full backup every Friday and incremental backups on the other days of the week. Management wants to integrate a plan to recover services, in the event of a disaster. Which of the following types of recovery sites will work with the company’s current configuration?

A

Warm site

The company’s full and incremental backups will be used to recover services at a remote site. This site will be a warm site, since data and services must be loaded and/or activated before use. This process will take some time to complete.

A hot site can be described as an alternate processing site. Services at the main site can failover immediately to a hot site and will have duplicate services running.

A cold site takes longer to set up (possibly up to a week). A cold site may be an empty building with a lease agreement in place, to install whatever equipment is required when necessary.

An offshore site is described by backup solutions as a target location for backup data that is replicated “offshore.” This offshore site can be at a warm or hot site.

31
Q

LM or LAN Manager is known for password hash vulnerabilities, resulting in successful Man-in-the-Middle attacks. Microsoft has since improved on authentication methods to make it harder for password crackers to calculate hashes and guess passwords. In what ways do modern versions of Windows systems that are part of a domain make it harder for password cracker software? (Select two)

A

Biometrics

Kerberos

Kerberos is the preferred method in a Windows domain using a ticket granting system to login and access resources on the network.

Unlike LM and NTLM, Kerberos supports the use of tokens or biometric authentication.

Since the deployment of Windows 7 and Windows Server 2008, LM (LAN Manager) has been disabled by default. However, LM and NTLM are still available on Windows operating system for compatibility with legacy systems and, at times, where Kerberos is not in use.

BitLocker is a full drive encryption technology. It does not have a process for encrypting passwords, nor the sending and receiving of passwords from node to node.

32
Q

The company has a DLP or data loss prevention system integrated into several Enterprise services, including email. Security administrators identified some information leakage from insider threats, using a series of pictures attached to emails. Which of the following leaked the information?

A

Steganography

33
Q

A security administrator plans to create a network boundary that unauthorized personnel will have access to. This area of the network will have a working domain controller with a file server, web server, and email server. Which of the following summarizes the plans for the network boundary? (Select two)

A

Honeynet

Honeypot

A honeynet is a network of servers that can simulate a real organization, to attract attackers, with the intention of analyzing attack strategies and tools and to provide early warnings of attack attempts.

A honeypot is similar in purpose to a honeynet, but represents only a single computer system. This is best for analyzing penetration techniques on a Windows server, for example.

Firewalls are the devices principally used to implement security zones, such as intranet, DMZ, and the Internet. The basic function of a firewall is traffic filtering.

An example of an exploitation framework is Metasploit. It is a toolset that comprises a database of exploit code. This tool can be used for penetration testing.

34
Q

A hacker visited a company’s network a week ago, and planted stagers on an unsuspecting Windows server. The hacker can connect to this server and execute more code that is affecting enterprise services at a well-known company. How is the hacker able to execute this?

A

Meterpreter issues the payload

Meterpreter is an exploit module that uses in-memory DLL injection stagers. Stagers create a network connection between the hacker and the target. Since the stagers are in memory and never written to disk, any trace can be removed with a restart of the server.

Nexpose is a vulnerability scanner. When integrated with Metasploit Pro, Metasploit can then read the scan report and confirm vulnerabilities to rule out false positives.

Kali or Kali Linux is a Debian-derived Linux distribution designed for system forensics and penetration testing. Simply loading it onto a laptop does nothing.

Nessus is a vulnerability scanner from Tenable. A hacker may use a vulnerability scanner to seek out easy targets (e.g., open ports) to plan for an attack.

35
Q

A company uses Microsoft’s Security Compliance Toolkit (SCT) and Nessus to get a sense of the company’s security posture. What is the difference between the two applications? (Select two)

A

Microsoft’s Policy Analyzer uses a configuration template

Nessus checks against CVEs

Microsoft’s Policy Analyzer is part of the Security Compliance Toolkit (SCT). It compares scanned hosts with a template of controls and configuration settings to determine system compliance.

CVEs (Common Vulnerabilities and Exposures) can be used by Nessus scanner to compare and find vulnerabilities in commonly used systems. Vulnerability scans and security compliance audits can be gathered all at once with Nessus.

SCT does not patch systems. Any findings of non-compliance can be used to determine actions for a WSUS (Windows Server Update Services) server to handle.

Nessus is, by design, a vulnerability scanner. It is not a NIPS (Network Intrusion Prevention System).

36
Q

A hacker has scanned the network for vulnerabilities and plans to inject malicious software into an unprotected server. The hacker wants to use this server as a jump server, to gain access to the network and execute more code in the future. However, the hacker does not want to leave any trace behind, if caught. Which of the following tools would the hacker most likely use?

A

Meterpreter