CEH Round 2 Flashcards by Chris Brown

What cryptography attack is usually performed without the use of a computer?

Rubber hose attack

How well did you know this?

Not at all

Perfectly

Attacker sniffs encrypted traffic from the network and is able to decrypt it. What cryptanalytic technique can the attacker use now to discover the encryption key?

chosen ciphertext attack

How well did you know this?

Not at all

Perfectly

Attacker has captured a target file that is encrypted with public key cryptography. What attack is likely to be used to crack the target file?

chosen plain text attack

How well did you know this?

Not at all

Perfectly

What cryptanalysis is applicable to symmetric key algorithms?

Differential cryptanalysis

How well did you know this?

Not at all

Perfectly

In what attack, can an attacker obtain ciphertexts encrypted under two different keys and gather plaintext and matching ciphertext?

Related-key attack

How well did you know this?

Not at all

Perfectly

Attacker breaks an n bit key cipher into 2 n/2 number of operations in order to recover the key. What is the cryptography attack?

Chosen-key attack

How well did you know this?

Not at all

Perfectly

What is a physical attack that is performed on a cryptographic device/cryptosystem to gain sensitive information?

Side channel attack

How well did you know this?

Not at all

Perfectly

What attack mainly affects any hardware/software using an ANSI X9.31 random number generator (RNG)?

DUHK attack

How well did you know this?

Not at all

Perfectly

What cryptographic algorithm uses multiple keys for encryption?

Meet-in-the-middle Attack

How well did you know this?

Not at all

Perfectly

What contains a public key and the identity of the owner and the corresponding private key

Signed certificates

How well did you know this?

Not at all

Perfectly

A person wants to send encrypted email from home and not pay any license fees. What should you recommend?

Pretty Good Privacy (PGP)

How well did you know this?

Not at all

Perfectly

What element of PKI verifies the applicant?

Registration Authority

How well did you know this?

Not at all

Perfectly

SDLC, Binary Analysis, Scanners, Web App Firewalls, Transactional Sec - are all at what layer of the cloud security control model?

Application

How well did you know this?

Not at all

Perfectly

NIDS/NIPS, firewalls, DPI, Anti-DDoS, QoS, DNSSEC, and OAuth are at what layer of the cloud security control model?

Network Layer

How well did you know this?

Not at all

Perfectly

DLP, CMF, Database activity monitoring and encryption are at what layer of cloud security control?

Information Layer

How well did you know this?

Not at all

Perfectly

What mechanism should be incorporated into cloud services to facilitate networks and resources to improve the response time of a job with maximum throughput?

Load Balancing

How well did you know this?

Not at all

Perfectly

What categories of security controls strengthens the system against incidents by minimizing or eliminating vulnerabilities?

Preventative Controls

How well did you know this?

Not at all

Perfectly

What is an example of a detective security control?

Employing IDS and IPS

How well did you know this?

Not at all

Perfectly

What cloud security control layer does DNSSEC, OAuth operate?

Network Layers

How well did you know this?

Not at all

Perfectly

What is not a legitimate cloud computing attack?

Port Scanning

How well did you know this?

Not at all

Perfectly

What is it called when an attacker try to control operations of other cloud customers to gain illegal access to the data?

Isolation Failure

How well did you know this?

Not at all

Perfectly

What threat occurs when an attacker creates anonymous access to the cloud services to carry out various attacks such as password and key cracking, hosting malicious data, and DDoS attack?

Abuse and nefarious use of cloud services

How well did you know this?

Not at all

Perfectly

What weakness is caused when a mistake in the access allocation system causes a customer third party, or employee to get more access rights than needed?

privilege escalation

How well did you know this?

Not at all

Perfectly

What attack occurs when an attacker steals a CSP’s or client’s credentials by methods such as phishing, pharming, social engineering, and exploitation of software vulnerabilites?

Service Hijacking Using Social Engineering Attacks

How well did you know this?

Not at all

Perfectly

What attack occurs when an attacker runs a virtual machine on the same physical host as the victim's virtual machine and takes advantage of shared physical resources (processor cahce) to steal data (cryptographic key) from the victim?

Side Channel Attack

What attack occurs when an attacker rides an active computer session by sending an email or tricking the user into visiting a malicious web page while they are logged into the targeted site?

Session Hijacking Using Session Riding

What is not a type of DNS attack?

Session Hijacking

What is not a type of side-channel attack?

Cybersquatting

In what attack does an attacker diver a user to a spoofed website by poisoning the DNS server or the DNS cache on the user's system?

DNS Poisoning

XYZ wants to perform a root cause anaysis and discover if any data was exfiltrated and if so, what type of information did it contain? How would XYZ inc find out this information?

Cloud Forensics

You are a security engineer for XYZ Corp. You are looking for a cloud-based e-mail provider to migrate the company’s legacy on-premise e-mail system to. What type of cloud service model will the new e-mail system be running on?

SaaS

You are a security engineer for a cloud-based startup, XYZ Partners LLC, and they would like you to choose the best platform to run their environment from. The company stores sensitive PII and must be SOC 2 compliant. They would like to run their Windows server VMs and directory services from the cloud. Which of the following services and deployment models would meet the company’s requirements?

IaaS and Private

What type of cloud computing services provides virtual machines and other abstracted hardware and operating systems (OSs) which may be controlled through a service API?

IaaS

In what cloud deployment models does the provider make services such as applications, servers, and data storage available to the public over the Internet?

Public Cloud

What is not a characteristic of virtualization in cloud computing technology?

Storage

Which type of virtualization is used in increasing space utilization and reducing the hardware maintenance cost?

Server Virtualization

In order to protect a device against insecure network services vulnerability, what solution should be implemented?

Disable UPnP

What TCP/UDP port is used by the infected devices to spread malicious files to other devices in the network?

Port 48101

What is a security consideration for the gateway component of IoT architecture?

Multi-directional encrypted communications, strong authentication of all the components, automatic updates

In order to prevent an illegitimate user from performing a brute force attack, what security mechanism should be implemented to the accounts?

lockout mechanism

What can be used to protect private data and home networks while preventing unauthorized access using PKI-based security solutions for IoT devices?

DigiCert IoT Security Solution

Encrypted communications, strong authentication credentials, secure web interface, encrypted storage, and automatic updates are the security considerations for which of the following components?

Cloud Platform

Secure update server, verify updates before installation, and sign updates are the solutions for what IoT device vulnerabilities?

Insecure Software / Firmware

An attacker can perform attacks such as CSRF, SQLi, and XSS attack by exploiting which of the following IoT device vulnerability?

Insecure web interface

Proper communication and storage encryption, no default credentials, strong passwords, and up-to-date components are the security considerations for which of the following component?

Edge

What tool offers SaaS technology and assists in operating IoT products in a reliable, scalable, and secure manner?

SeaCat.io

Second phase in IoT device hacking?

Vulnerability Scanning

If an attacker wants to gather information such as IP address, hostname, ISP, device’s location, and the banner of the target IoT device, which of the following tools should he use to do so?

Shodan

Which of the following tools can an attacker use to gather information such as open ports and services of IoT devices connected to the network?

Nmap

What tool is used to perform a rolling code attack by obtaining the rolling code?

RF crack

What tool can perform BlueBorne or airborne attacks such as replay, fuzzing, and jamming?

HackRF one

If an attacker wants to reconstruct malicious firmware from a legitimate firmware in order to maintain access to the victim device, which of the following tools can he use to do so?

Firmware Mod Kit

If an attacker wants to gather information such as IP address, hostname, ISP, device’s location, and the banner of the target IoT device, which of the following types of tools can he use to do so?

Information Gathering Tools

What tool can be used to find buffer overflow vulnerabilities present in the system?

beSTORM

What RFCrack command is used by an attacker to perform jamming?

python RFCrack.py -j -F 314000000

IoT vulnerability that gives rise to issues such as weak credentials, lack of account lockout mechanism, and account enumeration?

Insecure web interface

attack where an attacker uses multiple forged identities to create a strong illusion of traffic congestion, affecting communication between neighboring nodes and networks?

Sybil

Attack where attacker uses a malicious script to exploit poorly patched vulnerabilities in an IoT device?

Exploit Kits

What component in IoT is used to send some unwanted commands in order to trigger some events which are not planned?

Fake Server

Attack where attacker intercepts legitimate messages from a valid communication and continuously send the intercepted message to the target device to crash the target device?

Replay Attack

Nmap command used to identify IPv6 capabilities of an IoT device?

nmap -6 -n -Pn -sSU -pT:0-65535,U:0-65535 -v -A -oX

IoT technology that bridges the gap between the IoT device and the end user?

IoT gateway

IoT technology that collects data that undergoes data analysis, from the gateway?

cloud server/data storage

What IoT architecture layer consists of all the hardware parts like sensors, RFID tags, readers or other soft sensors, and the device itself

Edge technology layer

What IoT architecture layer carries out communication between two end points such as device-to-device, device-to-cloud, device-to-gateway, and back-end data-sharing?

Internet Layer

What IoT devices is included in the buildings service sector?

HVAC, transport, fire and safety, lighting, security, access, etc.

What protocol is a type of short-range wireless communication?

ZigBee

What protocol uses magnetic field introduction to enable communication between two electronic devices?

Near Field Communication

Communication model where the IoT devices use protocols such as ZigBee, Z-Wave or Bluetooth, to interact with each other?

Device-to-Device

Communication model where the IoT devices communicate with the cloud service through gateways?

Device-to-gateway communication model

Short range wireless communication protocol used for home automation that allows devices to communicate with each other on local wireless LAN?

Threat

What is not a feature of Mobile Device Management?

Sharing confidential data among devices and networks

What is a Mobile Device Management Software?

XenMobile

If you are responsible for securing a network from any type of attack and if you have found that one of your employees is able to access any website that may lead to clickjacking, attacks, what would you do to avoid the attacks?

Harden browser permission rules

In order to avoid data loss from a Mobile device, what Mobile Device Management security measures should you consider?

Perform periodic backup and synchronization

What is not a countermeasure for phishing attacks?

Disable the “block texts from the internet” feature from your provider

What refers to a policy allowing an employee to bring his or her personal devices such as laptops, smartphones, and tablets to the workplace and using them for accessing the organization’s resources as per their access privileges?

BYOD

What can pose a risk to mobile platform security?

Connecting two separate networks such as Wi-Fi and Bluetooth simultaneously

What browser applications encrypts your Internet traffic and then hides it by bouncing through a series of computers around the world?

ORBOT

What application allows attackers to identify the target devices and block the access of Wi-Fi to the victim devices in a network?

NetCut

What mobile application is used to perform Denial-of-Service Attacks?

Low Orbit Ion Cannon

What Jailbreaking techniques will make the mobile device jailbroken after each reboot?

Untethered Jailbreaking

What tool is not used for iOS Jailbreaking?

Unrevoked

What process is supposed to install a modified set of kernel patches that allows users to run third-party applications not signed by the OS vendor?

Jailbreaking

What statement is not true for securing iOS devices?

Disable Jailbreak detection

What technique helps protect mobile systems and users by limiting the resources the mobile application can access on the mobile platform?

Sandbox

What attack can be performed by Spam messages?

Phishing

What Bluetooth attacks enables an attacker to gain remote access to the victims mobile and use its features without the victim’s knowledge or consent?

Bluebugging

If an attacker is able to access the email contact list, text messages, photos, etc. on your mobile device, then what type of attack did the attacker employ?

Bluesnarfing

What is not a mobile platform risk?

Sandboxing

When Jason installed a malicious application on his mobile, the application modified the content in other applications on Jason’s mobile phone. What process did the malicious application perform?

Data Tampering

Mark is working as a penetration tester in InfoSEC, Inc. One day, he notices that the traffic on the internal wireless router suddenly increases by more than 50%. He knows that the company is using a wireless 802.11 a/b/g/n/ac network. He decided to capture live packets and browse the traffic to investigate the issue to find out the actual cause. Which tool should Mark use to monitor the wireless network?

CommView for WiFi

Andrew, a professional penetration tester, was hired by ABC Security, Inc., a small IT-based firm in the United States to conduct a test of the company’s wireless network. During the information-gathering process, Andrew discovers that the company is using the 802.11 g wireless standard. Using the NetSurveyor Wi-Fi network discovery tool, Andrew starts gathering information about wireless APs. After trying several times, he is not able to detect a single AP. What do you think is the reason behind this?

SSID broadcast feature must be disabled, so APs cannot be detected.

What countermeasure helps in defending against KRACK attack?

Turn On auto-updates for all the wireless devices and patch the device firmware

What device is used to analyze and monitor the RF spectrum?

WIDS

What layer of wireless security does per frame/packet authentication provide protection against MITM attacks?

Connection Security

What countermeasure helps in defending against WPA/WPA2 cracking?

Select a random passphrase that is not made up of dictionary words

What countermeasure helps in defending against Bluetooth hacking?

Use non-regular patterns as PIN keys while pairing a device. Use those key combinations that are non-sequential on the keypad.

What technique is used to detect rogue APs?

RF scanning

What technique is used by network management software to detect rogue APs?

Wired side inputs

What is to be used to keep certain default wireless messages from broadcasting the ID to everyone?

SSID Cloaking

What Bluetooth attack allows attacker to gain remote access to a target Bluetooth-enabled device without the victim being aware of it?

Bluebugging

Thomas is a cyber thief trying to hack Bluetooth-enabled devices at public places. He decided to hack Bluetooth-enabled devices by using a DoS attack. He started sending an oversized ping packet to a victim’s device, causing a buffer overflow and finally succeeded. What type of Bluetooth device attack is Thomas most likely performing?

Bluesmacking

What bluetooth mode filters out non-matched IACs and reveals itself only to those that matched?

Limited discoverable

What term is used to describe an attack in which an attacker gains remote access to a target Bluetooth-enabled device without the victim being aware of it?

Bluebugging

What protocol is used by BlueJacking to send anonymous messages to other Bluetooth-equipped devices?

OBEX

An attacker collects the make and model of target Bluetooth-enabled devices analyzes them in an attempt to find out whether the devices are in the range of vulnerability to exploit. Identify which type of attack is performed on Bluetooth devices.

Blueprinting

What attack does the attacker exploit the vulnerability in the Object Exchange (OBEX) protocol that Bluetooth uses to exchange information?

Bluesnarfing

In which type of bluetooth threat does an attacker trick Bluetooth users to lower security or disable authentication for Bluetooth connections in order to pair with them and steal information?

Social Engineering

A large company intends to use Blackberry for corporate mobile phones and a security analyst is assigned to evaluate the possible threats. The analyst will use the Blackjacking attack method to demonstrate how an attacker could circumvent perimeter defenses and gain access to the corporate network. What tool should the analyst use to perform a Blackjacking attack?

BBProxy

What is the art of collecting information about Bluetooth enabled devices such as manufacturer, device model and firmware version.

Blueprinting

There is a WEP encrypted wireless AP with no clients connected. In order to crack the WEP key, a fake authentication needs to be performed. Which of the following steps need to be performed by the attacker for generating fake authentication?

Ensure association of source MAC address with the AP

What attack involves exploiting the CSMA/CA Clear Channel Assessment (CCA) mechanism to make a channel appear busy?

Denial-of-Service

John is a pen tester working with an information security consultant based in Paris. As part of a penetration testing assignment, he was asked to perform wireless penetration testing for a large MNC. John knows that the company provides free Wi-Fi access to its employees on the company premises. He sets up a rogue wireless access point with the same SSID as that of the company’s Wi-Fi network just outside the company premises. He sets up this rogue access point using the tools that he has and hopes that the employees might connect to it. What type of wireless confidentiality attack is John trying to do?

Evil Twin AP

This application is a Wi-Fi security tool for mobile devices, It works on both Root and Non-root devices, and it can prevent ARP spoofing attacks such as MITM attacks, which are used by some applications such as WifiKill, dSploit, and sniffers.

WiFiGuard

Steven, a wireless network administrator, has just finished setting up his company’s wireless network. He has enabled various security features such as changing the default SSID and enabling strong encryption on the company’s wireless router. Steven decides to test the wireless network for confidentiality attacks to check whether an attacker can intercept information sent over wireless associations, whether sent in clear text or encrypted by Wi-Fi protocols. As a part of testing, he tries to capture and decode unprotected application traffic to obtain potentially sensitive information using hardware or software tools such as Ettercap, Kismet, Wireshark, etc. What type of wireless confidentiality attack is Steven trying to do?

Eavesdropping

Kenneth, a professional penetration tester, was hired by the XYZ Company to conduct wireless network penetration testing. Kenneth proceeds with the standard steps of wireless penetration testing. He tries to collect lots of initialization vectors (IVs) using the injection method to crack the WEP key. He uses the aircrack-ng tool to capture the IVs from a specific AP. Which of the following aircrack-ng commands will help Kenneth to do this?

airodump-ng -c 9 -- bssid 00:14:6C:7E:40:80 -w output ath0

Which of the following Wi-Fi discovery tools facilitates detection of Wireless LANs using the 802.11a/b/g WLAN standards and is commonly used for wardriving, verifying network configurations, finding locations with poor coverage and detecting rouge APs?

NetStumbler

What protocol encapsulates the EAP within an encrypted and authenticated Transport Layer Security (TLS) tunnel?

PEAP

What consists of 40/104 bit Encryption Key length

WEP

What is a standard for Wireless Local Area Networks (WLANs) that provides improved encryption for networks that use 802.11a, 802.11b, and 802.11g standards?

802.11i

In what do the station and access point use the same WEP key to provide authentication, which means that this key should be enabled and configured manually on both the access point and the client?

Shared key authentication process

What is considered as a token to identify a 802.11 (Wi-Fi) network (by default it is the part of the frame header sent over a wireless local area network (WLAN))?

SSID

What network is used for very long-distance communication?

WiMax

What is considered as the method of transmitting radio signals by rapidly switching a carrier among many frequency channels?

Frequency-hopping Spread Spectrum (FHSS)

What is the original data signal multiplied with a pseudo random noise spreading code?

Direct-sequence Spread Spectrum (DSSS)

Snort rule to detect SQL injection attacks?

alert tcp $EXTERNAL_NET any -> 172.16.66.23 443 (msg:""SQL Injection attempt on Finance Dept. webserver""; flow:to_server,estahlished; uricontent:"".pl"";pcre:""/(\%27)|(\')|(\-\-)|(%23)|(#)/i""; classtype:Web-application-attack; sid:9099; rev:5;) rule SQLiTester {

Why are Web Applications vulnerable to SQL injection attacks?

Error messages reveal important information

What tool is used for detecting SQL injection attacks?

IBM Security AppScan

What tool provides automated web application security testing with innovative technologies including DeepScan and AcuSensor technology?

Acunetix web vulnerability scanner

What tool is used to build rules that aim to detect SQL injection attacks?

Snort

What countermeasure prevents buffer overruns?

Test the size and data type of the input and enforce appropriate limits

Robert is a user with a privileged account and he is capable of connecting to the database. Rock wants to exploit Robert’s privilege account. How can he do that?

Access the database and perform malicious activities at the OS level

What command has to be disabled to prevent exploitation at the OS level?

xp_cmdshell

What is a Snort rule that is used to detect and block SQL injection attack?

/(\%27)|(\')|(\-\-)|(\%23)|(#)/ix

During a penetration test, a tester finds a target that is running MS SQL 2000 with default credentials. The tester assumes that the service is running with a local system account. How can this weakness be exploited to access the system?

Invoking the stored procedure xp_cmdshell to spawn a Windows command shell

What tool is used to automate SQL injections and exploit a database by forcing a given web application to connect to another database controlled by a hacker?

DataThief

A tester has been hired to perform source code review of a web application to detect SQL injection vulnerabilities. As part of the testing process, he needs to get all the information about the project from the development team. During the discussion with the development team, he comes to know that the project is in the initial stage of the development cycle. As per the above scenario, which of the following processes does the tester need to follow in order to save the company’s time and money?

The tester needs to perform static code analysis as it covers the structural and statement coverage testing

Robert, a penetration tester is trying to perform SQL penetration testing on the SQL database of the company to discover coding errors and security loopholes. Robert sends massive amounts of random data to the SQL database through the web application in order to crash the web application of the company. After observing the changes in the output, he comes to know that web application is vulnerable to SQL injection attacks. Which of the following testing techniques is Robert using to find out the loopholes?

Fuzzing Testing

David, a penetration tester, was asked to check the MySQL database of the company for SQL injection attacks. He decided to check the back end database for a double blind SQL injection attack. He knows that double blind SQL injection exploitation is performed based on an analysis of time delays and he needs to use some functions to process the time delays. David wanted to use a function which does not use the processor resources of the server. Which of the following function David need to use?

sleep()

Michel, a professional hacker, is trying to perform time-based blind SQL injection attacks on the MySQL backend database of RadioTV Inc. He decided to use an SQL injection tool to perform this attack. Michel surfed the Internet and finally found a tool which has the following features: Sends heavy queries to the target database to perform a Time-Based Blind SQL Injection attack. Database Schema extraction from SQL Server, Oracle and MySQL. Data extraction from Microsoft Access 97/2000/2003/2007 databases. Parameter Injection using HTTP GET or POST. Which of the following tools does Michael use to perform time-based blind SQL injection attacks on the MySQL backend database?

Marathon Tool

Steve works as a penetration tester in a firm named InfoSecurity. Recently, Steve was given an assignment to test the security of the company’s web applications and backend database. While conducting the test, he sends a malicious SQL query with conditional timing delays to the backend database through the web application. This conditional time delay forces the database to wait for a specified amount of time before responding. He performs the same task using different malicious SQL queries. By observing various query responses from the database, Steve came to know that the web application is vulnerable to an SQL injection attack. What type of SQL injection attack is Steve most likely performing?

Blind SQL Injection

What attack does an attacker use the same communication channel to perform the attack and retrieve the results?

In-band SQL injection

What attack does an attacker use a conditional OR clause in such a way that the condition of the WHERE clause will always be true?

Tautology

An attacker uses the following SQL query to perform an SQL injection attack SELECT * FROM users WHERE name = ‘’ OR ‘1’=‘1'; Identify the type of SQL injection attack performed.

Tautology

What attack does an attacker inject an additional malicious query to the original query?

Piggybacked Query

What attack does an attacker use an ORDER BY clause to find the right number of columns in a database table?

UNION SQL Injection

What attack is time-intensive because the database should generate a new statement for each newly recovered bit?

Blind SQL Injection

What command is used to make the CPU wait for a specified amount of time before executing an SQL query?

WAITFOR DELAY '0:0:10'--

What SQL query is an example of a heavy query used in SQL injection?

SELECT * FROM products WHERE id=1 AND 1 < SELECT count(*) FROM all_users A, all_users B, all_users C

What is the main difference between a “Normal” SQL injection and a “Blind” SQL injection vulnerability?

The vulnerable application does not display errors with information about the injection results to the attacker.

What system table does MS SQL Server database use to store metadata? Hackers can use this system table to acquire database schema information to further compromise the database.

sysobjects

What attack is not performed by an attacker who exploits SQL injection vulnerabilities?

Covering Tracks

What method carries the requested data to the webserver as a part of the message body?

HTTP POST

What is the most effective technique in identifying vulnerabilities or flaws in the web page code?

Code Analysis

An attacker injects the following SQL query: blah' AND 1=(SELECT COUNT(*) FROM mytable); -- What is the intention of the attacker?

Identifying the Table Name

A security analyst in an insurance company is assigned to test a new web application that will be used by clients to help them choose and apply for an insurance plan. The analyst discovers that the application has been developed in ASP scripting language and it uses MSSQL as a database backend. The analyst locates the application's search form and introduces the following code in the search input field: IMG SRC=vbscript:msgbox("Vulnerable");> originalAttribute="SRC" originalPath="vbscript:msgbox("Vulnerable");>" When the analyst submits the form, the browser returns a pop-up window that says “Vulnerable.” Which web applications vulnerability did the analyst discover?

Cross-site scripting

An attacker has been successfully modifying the purchase price of items purchased on the company’s website. The security administrators verify the webserver and Oracle database have not been compromised directly. They have also verified the intrusion detection system (IDS) logs and found no attacks that could have caused this. What is the most likely way the attacker has been able to modify the purchase price?

changing hidden form values

What is a web application that does not have the secure flag set and that is implemented by OWASP that is full of known vulnerabilites?

WebGoat

What condition must be given to allow a tester to exploit a Cross-Site Request Forgery (CSRF) vulnerable web application?

The web application should not use random tokens

An attacker identifies the kind of websites a target company/individual is frequently surfing and tests those particular websites to identify any possible vulnerabilities. When the attacker identifies the vulnerabilities in the website, the attacker injects malicious script/code into the web application that can redirect the webpage and download the malware onto the victim’s machine. After infecting the vulnerable web application, the attacker waits for the victim to access the infected web application. What kind of an attack is this?

Water hole attack

What is a DNS interrogation tool?

DIG

What automatically discover hidden content and functionality by parsing HTML form and client-side JavaScript requests and responses?

Web Spiders

An attacker wants to exploit a webpage. From which of the following points does he start his attack process?

Identify entry points for user input

An attacker tries to enumerate the username and password of an account named “rini Mathew” on wordpress.com. On the first attempt, the attacker tried to login as “rini.mathews,” which resulted in the login failure message “invalid email or username.” On the second attempt, the attacker tried to login as “rinimathews,” which resulted in a message stating that the password entered for the username was incorrect, thus confirming that the username “rinimathews” exists. What is the attack that is performed by the attacker?

Username enumeration

What involves injection of malicious code through a web application?

Command Injection

What attack can take place due to flaws such as insecure cryptographic storage and information leakage?

Sensitive data exposure

An attacker exploits a web application by tampering with the form and parameter of the web application and he is successful in exploiting the web application and gaining access. Which type of vulnerability did the attacker exploit?

Security Misconfiguration

If a threat detection software installed in any organization network either does not record the malicious event or ignores the important details about the event, then what kind of vulnerability is it?

Insufficient Logging and monitoring

What attack exploits vulnerabilities in dynamically generated webpages, which enables malicious attackers to inject client-side scripts into webpages viewed by other users?

Cross-site scripting

What provides an interface between end users and webservers?

Web applications

If your web application sets any cookie with a secure attribute, what does this mean?

The client will send the cookie only over an HTTPS connection

In which type of fuzz testing do the current data samples create new test data and the new test data again mutates to generate further random data?

Mutation-based

In which type of fuzz testing does the protocol fuzzer send forged packets to the target application that is to be tested?

Protocol-based

What is used to detect bugs and irregularities in web applications?

Source code review

What is considered as a quality checking and assurance technique used to identify coding errors and security loopholes in web applications?

Fuzz Testing

What team has the responsibility to check for updates and patches regularly?

Patch Management Team

A security administrator is looking for a patch management tool which scans the organization's network and manages security and non-security patches. Which of the following patch management tool, he/she can use in order to perform the required task?

GFI LanGuard

What is not a webserver security tool?

Netcraft

What is not a patch management tool?

Burp Suite

What is the patch management process?

Detect -> Assess -> Acquire -> Test -> Deploy -> Maintain

What is considered as a repair job to a programming problem?

Patch

A network administrator has observed that the computers in his network have Windows 7 operating system. The administrator has learned that the WannaCry ransomeware is affecting Windows 7 Systems across the globe. Which of the following is the best option that the network administrator has to provide efficient security and defend his network?

Update Security Patches and fixes provided by Microsoft

What is defined as a package that is used to address a critical defect in a live environment, and contains a fix for a single issue

Hotfix

Andrew, a software developer in CyberTech organization has released a security update that acts as a defensive technique against the vulnerabilities in the software product the company has released earlier. Identify the technique used by Andrew to resolve the software vulnerabilities?

Patch Management

What term refers to a set of hotfixes packed together?

Service pack

What tool can be used to detect web server hacking attempts and alert you through emails?

WebsiteCDS

What tool determines the OS of the queried host by looking in detail at the network characteristics of the HTTP response received from the website?

Netcraft

What is not a defensive measure for web server attacks while implementing Machine.config?

Ensure that tracing is enabled and debug compiles are turned on

What security tool helps to prevent potentially harmful HTTP requests from reaching applications on the server?

URLScan

What is NOT a best approach to protect your firm against web server attacks?

Allow remote registry administration

What technique defends servers against blind response forgery?

UDP source port randomization

What is NOT a best approach to protect your firm against web server files and directories?

Enable serving of directory resources

Where should a web server be placed in a network in order to provide the most security?

Inside DeMilitarized Zones (DMZ)

Attackers use GET and CONNECT requests to use vulnerable web servers as which of the following?

Proxies

What is not a session hijacking technique?

DNS hijacking

What command does an attacker use to detect HTTP Trace?

nmap -p80 --script http-trace

What command does an attacker use to enumerate common web applications?

nmap --script http-enum -p80

An attacker wants to exploit a target machine. In order to do this, he needs to identify potential vulnerabilities that are present in the target machine. What tool should he use to achieve his objective?

Nessus

An attacker wants to perform a session hijacking attack. What tool should he use to achieve his objective?

Burp Suite

An attacker wants to crack passwords using attack techniques like brute-forcing, dictionary attack, and password guessing attack. What tool should he use to achieve his objective?

Hydra

What statement best describes a server type under an N-tier architecture?

A group of servers with a unique role

Identify the component of the web server that provides storage on a different machine or a disk after the original disk is filled-up?

Virtual document tree

What stores critical HTML files related to the webpages of a domain name that will be served in response to requests?

Document root

What stores a server's configuration, error, executable, and log files?

Server root

What provides storage on a different machine or disk after the original disk is filled up?

Virtual Document Tree

An attacker sends numerous fake requests to the webserver from various random systems that results in the webserver crashing or becoming unavailable to the legitimate users. Which attack did the attacker perform?

DoS attack

If an attacker compromises a DNS server and changes the DNS settings so that all the requests coming to the target webserver are redirected to his/her own malicious server, then which attack did he perform?

DNS server hijacking

Jamie is an on-call security analyst. He had a contract to improve security for the company’s firewall. Jamie focused specifically on some of the items on the security of the Company’s firewall. After working for some time on the items, Jamie creates the following list to fix them: 1. Set ssh timeout to 30 minutes. 2. Set telnet timeout to 30 minutes. 3. Set console timeout to 30 minutes. 4. Set login password retry lockout. Which task should Jamie perform if he has time for just one change before leaving the organization?

Set login password retry lockout.

Which honeypot detection tools has following features: Checks lists of HTTPS, SOCKS4, and SOCKS5 proxies with any ports Checks several remote or local proxylists at once Can upload "Valid proxies" and "All except honeypots" files to FTP Can process proxylists automatically every specified period May be used for usual proxylist validating as well

Send-Safe Honeypot Hunter

When an alert rule is matched in a network-based IDS like snort, the IDS does which of the following.

Continues to evaluate the packet until all rules are checked

In what way do the attackers identify the presence of layer 7 tar pits?

By looking at the latency of the response from the service

Riya wants to defend against the polymorphic shellcode problem. What countermeasure should she take against this IDS evasion technique?

Look for the nop opcode other than 0x90

Siya is using a tool to defend critical data and applications without affecting performance and productivity. Following are the features of the tool: Pre-built, real-time reports that display big-picture analyses on traffic, top applications, and filtered attack events. Permits to see, control, and leverage the rules, shared services, and profiles of all the firewall devices throughout the network. Comprises of in-line, bump-in-the-wire intrusion prevention system with layer two fallback capabilities. Gives an overview of current performance for all HP systems in the network, including launch capabilities into targeted management applications by using monitors. Identify the tool used by Siya-

TippingPoint IPS

What firewall is used to secure mobile device?

NetPatch firewall

Manav wants to simulate a complete system and provide an appealing target to push hackers away from the production systems of his organization. By using some honeypot detection tool, he offers typical Internet services such as SMTP, FTP, POP3, HTTP, and TELNET, which appear perfectly normal to attackers. However, it is a trap for an attacker by messing them so that he leaves some traces knowing that they had connected to a decoy system that does none of the things it appears to do; but instead, it logs everything and notifies the appropriate people. Can you identify the tool?

SPECTER

What firewall solution tool has the following features: ● Two-way firewall that monitors and blocks inbound as well as outbound traffic ● Allows users to browse the web privately ● Identity protection services help to prevent identity theft by guarding crucial data of the users. It also offers PC protection and data encryption ● Through Do Not Track, it stops data-collecting companies from tracking the online users ● Online Backup to backs up files and restores the data in the event of loss, theft, accidental deletion or disk failure

ZoneAlarm PRO FIREWALL 2018

A pentester gains access to a Windows application server and needs to determine the settings of the built-in Windows firewall. Which command would be used?

Netsh firewall show config

Check Point's FireWall-1 listens to which of the following TCP ports?

259

Which method of firewall identification has the following characteristics: uses TTL values to determine gateway ACL filters maps networks by analyzing IP packet response probes ACLs on packet filtering routers/firewalls using the same method as trace-routing sends TCP or UDP packets into the firewall with TTL value is one hop greater than the targeted firewall

Firewalking

What tool is used to execute commands of choice by tunneling them inside the payload of ICMP echo packets if ICMP is allowed through a firewall?

Loki

What is a two-way HTTP tunneling software tool that allows HTTP, HTTPS, and SOCKS tunneling of any TCP communication between any client–server systems?

Super network tunnel

Which feature of Secure Pipes tool open application communication ports to remote servers without opening those ports to public networks?

Local forwards

An attacker sends an e-mail containing a malicious Microsoft office document to target WWW/FTP servers and embed Trojan horse files as software installation files, mobile phone software, and so on to lure a user to access them. Identify by which method the attacker is trying to bypass the firewall.

Bypassing firewall through content

What is a hijacking technique where an attacker masquerades as a trusted host to conceal his identity, hijack browsers or websites, or gain unauthorized access to a network?

IP Address spoofing

What term is used to refer service announcements provided by services in response to connection requests and often carry vendor’s version of information?

Banner

What type of intrusion detection system can monitor and alert on attacks, but cannot stop them?

Passive

Jamie has been informed by the local helpdesk team that there has been a security issue related to some detected malware. The helpdesk has asked Jamie to help in finding out the location of the malware on the network. Jamie knows that the deployed firewall log data can show various bits of information about files moving through the network. What can Jamie do to help the team to match the file actually causing the malware concern given the sha256 of the suspected file by the team? Of the below, what should Jamie do to help the team?

Add a sha256 certificate to the firewall to find the sha256 of the file.

Susan works for “CustomData Intl.” and she has to deploy a guest Wi-Fi. She did everything by the manual and deployed the guest Wi-Fi successfully. The deployed guest Wi-Fi is separated from the company network, it is protected with WPA2 and every user wants to use the Wi-Fi has to ask for a username and password. There is one problem though—after a few months she noticed that the users connecting to the guest Wi-Fi are being attacked with MitM attacks. She identified that the MitM attack was initiated with ARP spoofing. She found that someone is stealing users’ web application credentials, including Windows system credentials in some cases. Unfortunately, internal users have also become prey to these attacks since they used guest Wi-Fi because it was more open than their internal network. So, only external guests are not being compromised. She wanted to mitigate this issue and the first step she took was to ban all internal users from guest using Wi-Fi network. What, according to you, is the easiest and probably the best way to prevent the ARP spoofing attacks on Wi-Fi networks?

Use Client isolation WiFi feature

Which session hijacking detection technique involves using packet-sniffing software such as Wireshark and SteelCentral packet analyzer to monitor session hijacking attacks?

Manual method

What technique allows users to authenticate web servers?

HPKP

A tester wants to test an organization’s network against session hijacking attacks. Which of the following tools can he use to detect session hijacking attacks?

LogRhythm

What protocol defines the payload formats, types of exchange, and naming conventions for security information such as cryptographic algorithm or security policies. Identify from the following options.

DOI

What tool can be used by a pentester to test the security of web applications?

Fiddler

A user wants to securely establish a remote connection to a system without any interference from perpetrators. Which of the following methods should he incorporate in order to do so?

VPN

John, a malicious attacker, was intercepting packets during transmission between the client and server in a TCP and UDP session, what is this type of attack called?

Network level hijacking

Network-level session hijacking attacks what level protocols?

Transport and internet level protocols

If an attacker intercepts an established connection between two communicating parties using spoofed packets, and then pretends to be one of them, then which network-level hijacking is he performing?

TCP/IP hijacking

What network-level session hijacking technique is useful in gaining unauthorized access to a computer with the help of a trusted host’s IP address?

IP spoofing: source routed packets

What tool can be used to perform RST hijacking on a network?

Colasoft's Packet Builder

What network-level session hijacking technique can be used to inject malicious data or commands into the intercepted communications in a TCP session?

Blind Hijacking

What protocol is an extension of IP to send error messages? An attacker can use it to send messages to fool the client and the server.

ICMP

During the penetration testing in company “Credit Cards Rus Ltd.” Marin was using sslstrip tool in order to sniff HTTP traffic. Unfortunately, no data was received. Marin double checked the setup, tested the setup between his virtual machines, and was successful in intercepting the traffic here, but when he tried to do it against other machines on the same network, nothing happened. Marin was puzzled with that and he did not understand why that was happening. Help Marin and explain why he was unsuccessful with intercepting the traffic with sslstrip?

Sslstrip can show the data only if the initial request to the server is sent as HTTP

During a penetration test, Marin discovered a session token that had had the content: 20170801135433_Robert. Why is this session token weak, and what is the name used for this type of vulnerability?

Predictable session token

Marin is performing penetration testing on the target organization. He discovered some vulnerabilities in the organization’s website. He decided to insert malicious JavaScript code into a vulnerable dynamic web page to collect information such as credentials, cookies, etc. Identify the attack performed by Marin?

Cross-site scripting attack

What is considered to be a session hijacking attack?

Taking over a TCP session

When a person (or software) steals, can calculate, or can guess part of the communication channel between client and the server application or protocols used in the communication, he can hijack the what?

Session

During a penetration test, Marin exploited a blind SQLi and exfiltrated session tokens from the database. What can he do with this data?

Marin can do Session hijacking

Send-Safe Honeypot Hunter

In what way do the attackers identify the presence of layer 7 tar pits?

By looking at the latency of the response from the service

Riya wants to defend against the polymorphic shellcode problem. What countermeasure should she take against this IDS evasion technique?

Look for the nop opcode other than 0x90

What firewall is used to secure mobile device?

NetPatch firewall

SPECTER

What DoS attack detection techniques analyzes network traffic in terms of spectral components? It divides incoming signals into various frequencies and examines different frequency components separately

Wavelet-based Signal Analysis

What is the DoS/DDoS countermeasure strategy to at least keep the critical services functional?

Degrading services

What algorithm does the “sequential change-point detection” technique use to identify and locate the DoS attacks?

Cumulative Sum

Smith, a network security administrator, is configuring routers in his organization to protect the network from DoS attacks. Which router feature can he use to prevent SYN flooding effectively?

TCP Intercept

What is an attack detection technique that monitors the network packet’s header information? This technique also determines the increase in overall number of distinct clusters and activity levels among the network flow clusters?

Activity profiling

Don Parker, a security analyst, is hired to perform a DoS test on a company. What tool can he successfully utilize to perform this task?

Hping3

Paul has been contracted to test a network, and he intends to test for any DoS vulnerabilities of the network servers. Which of the following automated tools can be used to discover systems that are vulnerable to DoS?

Nmap

Martha is a network administrator in a company named “Dubrovnik Walls Ltd.” She realizes that her network is under a DDoS attack. After careful analysis, she realizes that large amounts of UDP packets are being sent to the organizational servers that are present behind the “Internet facing firewall.” What type of DDoS attack is this?

Volume (volumetric) attack

Martha is a network administrator in a company named “Dubrovnik Walls Ltd.”. She realizes that her network is under a DDoS attack. After careful analysis, she realizes that a large amount of fragmented packets are being sent to the servers present behind the “Internet facing firewall.” What type of DDoS attack is this?

Protocol Attack

The DDoS tool used by anonyous in the so-called Operation Payback is called what?

LOIC

Identify the DoS attack that does not use botnets for the attack. Instead, the attackers exploit flaws found in the network that uses the DC++ (direct connect) protocol, which allows the exchange of files between instant messaging clients.

Peer-to-peer attack

Attack where an attacker acquires information from different victims to create a new identify

Synthetic identify theft

Insider threat that is caused due to the employee's laxity toward security measures, policies, and practices?

Negligent insider

Roy is a network administrator at an organization. He decided to establish security policies at different levels in the organization. He decided to restrict the installation of USB drives in the organization and decided to disable all the USB ports. Which of the following countermeasure Roy must employ?

Implement proper access privileges

What toolbar is used to provide an open application program interface (API) for developers and researchers to integrate anti-phishing data into their applications?

Netcraft

What is an appropriate defense strategy to prevent attacks such as piggybacking and tailgating?

Implement strict badge, token or biometric authentication, employee training, and security guards

What is a generic exploit designed to perform advanced attacks against human elements to compromise a target to offer sensitive information?

Social-engineer toolkit (SET)

What refers to a generic exploit designed to perform advanced attacks against human elements to compromise a target to offer sensitive information?

Pharming

What attack can be prevented by implementing token or biometric authentication as a defense strategy?

Impersonation

Jean Power wants to try and locate passwords from company XYZ. He waits until nightfall and climbs into the paper recycling dumpster behind XYZ, searching for information. What is Jean doing?

Dumpster diving

A tester wants to securely encrypt the session to prevent the network against sniffing attack, which of the following protocols should he use as a replacement of Telnet?

SSH

What tool can a tester can use to detect a system that runs in promiscuous mode, which in turns helps to detect sniffers installed on the network?

Nmap

What command is used to set the maximum number of secure MAC addresses for the interface on a Cisco switch?

switchport port-security maximum 1 vlan access

What is a defense technique for MAC spoofing used in switches that restricts the IP traffic on untrusted Layer 2 ports by filtering traffic based on the DHCP snooping binding database?

IP Source Guard

An ethical hacker is performing penetration testing on the target organization. He decided to test the organization’s network to identify the systems running in promiscuous mode. Identify the tool that the ethical hacker needs to employ?

Nmap

What tool would be used to collect wireless packet data?

NetStumbler

A hacker, who posed as a heating and air conditioning specialist, was able to install a sniffer program in a switched environment network. Which attack could have been used by the hacker to sniff all of the packets in the network?

MAC flood attack

What method should be incorporated by a network administrator to prevent the organization’s network against ARP poisoning

Implement dynamic arp inspection (DAI) using the dynamic host configuration protocol (DHCP) snooping binding table

What problem can be solved by Wireshark?

Troubleshooting communication resets between two systems

What is the correct pcap filter to capture all transmission control protocol (TCP)traffic going to or from host 192.168.0.125 on port 25?

tcp.port==25 and ip.addr==192.168.0.125

Marina is a malware analyst with a bank in London. One day, she suspects a file to be a malware and tries to perform static analysis to identify its nature. She wants to analyze the suspicious file and extract the embedded strings in the file into a readable format. What tool can she use to perform this task?

BinText

What technique involves going through the executable binary code without actually executing it to have a better understanding of the malware and its purpose?

Static malware analysis

Identify the monitoring tool that exhibits the following features: Reliable capture of process details, including image path, command line, user and session ID. Configurable and moveable columns for any event property. Filters can be set for any data field, including fields not configured as columns. Advanced logging architecture scales to tens of millions of captured events and gigabytes of log data. Process tree tool shows the relationship of all processes referenced in a trace. Native log format preserves all data for loading in a different Process Monitor instance

Process Monitor

What windows service vulnerability does the WannaCry ransomware exploit during the attack on any windows machine?

SMB

What tool is an antivirus program that is used to detect viruses?

ClamWin

What virus tries to hide from anti-virus programs by actively altering and corrupting the chosen service call interruptions when they are being run?

Stealth Virus

Trojan port 1863

XtremeRAT

A hacker wants to encrypt and compress 32-bit executables and .NET apps without affecting their direct functionality. What cryptor tool should be used by the hacker?

BitCrypter

Tool to achieve compliance with PCI requirement 11?

Nessus

What tool is used to schedule scans across multiple scanners, use wizards to easily and quickly create policies?

Nessus Proessional

What tool is used to schedule scans across multiple scanners, use wizards to easily and quickly create policies?

Nessus Professional

What is IPMI for?

managing servers remotely