CEH Test Questions Flashcards
User A is writing a sensitive email message to user B outside the local network. User A has chosen to use PKI to secure his message and ensure only user B can read the sensitive email. At what layer of the OSI model does the encryption and decryption of the message take place?
A. Application
B. Transport
C. Session
D. Presentation
D. Presentation
A new wireless client is configured to join a 802.11 network. This client uses the same hardware and software as many of the other clients on the network. The client can see the network, but cannot connect. A wireless packet sniffer shows that the Wireless Access Point (WAP) is not responding to the association requests being sent by the wireless client. What is a possible source of this problem?
A. The WAP does not recognize the client’s MAC address
B. The client cannot see the SSID of the wireless network
C. Client is configured for the wrong channel
D. The wireless client is not configured to use DHCP
A. The WAP does not recognize the client’s MAC address
You are tasked to perform a penetration test. While you are performing information gathering, you find an employee list in Google. You find the receptionist’s email, and you send her an email changing the source email to her boss’s email (boss@company). In this email, you ask for a pdf with information. She reads your email and sends back a pdf with links. You exchange the pdf links with your malicious links (these links contain malware) and send back the modified pdf, saying that the links don’t work. She reads your email, opens the links, and her machine gets infected. You now have access to the company network. What testing method did you use?
A. Social engineering
B. Piggybacking
C. Tailgating
D. Eavesdropping
A. Social engineering
If a tester is attempting to ping a target that exists but receives no response or a response that states the destination is unreachable, ICMP may be disabled and the network may be using TCP. Which other option could the tester use to get a response from a host using TCP?
A. Traceroute
B. Hping
C. TCP ping
D. Broadcast ping
B. Hping
Which is the first step followed by Vulnerability Scanners for scanning a network?
A. OS Detection
B. Firewall detection
C. TCP/UDP Port scanning
D. Checking if the remote host is alive
D. Checking if the remote host is alive
Which of the following programs is usually targeted at Microsoft Office products?
A. Polymorphic virus
B. Multipart virus
C. Macro virus
D. Stealth virus
C. Macro virus
A technician is resolving an issue where a computer is unable to connect to the Internet using a wireless access point. The computer is able to transfer files locally to other machines, but cannot successfully reach the Internet. When the technician examines the IP address and default gateway they are both on the 192.168.1.0/24. Which of the following has occurred?
The computer is not using a private IP address.
The gateway is not routing to a public IP address.
The gateway and the computer are not on the same network.
The computer is using an invalid IP address.
The gateway is not routing to a public IP address.
Identify the UDP port that Network Time Protocol (NTP) uses as its primary means of communication?
113
69
123
161
123
Which of the following tools performs comprehensive tests against web servers, including dangerous files and CGIs?
Nikto
John the Ripper
Dsniff
Snort
Nikto
An incident investigator asks to receive a copy of the event logs from all firewalls, proxy servers, and Intrusion Detection Systems (IDS) on the network of an organization that has experienced a possible breach of security. When the investigator attempts to correlate the information in all of the logs, the sequence of many of the logged events do not match up. What is the most likely cause?
The network devices are not all synchronized.
Proper chain of custody was not observed while collecting the logs.
The attacker altered or erased events from the logs.
The security breach was a false positive.
The network devices are not all synchronized.
During a black-box pen test you attempt to pass IRC traffic over port 80/TCP from a compromised web enabled host. The traffic gets blocked; however, outbound HTTP traffic is unimpeded. What type of firewall is inspecting outbound traffic?
Circuit
Stateful
Application
Packet Filtering
Application
By using a smart card and pin, you are using a two-factor authentication that satisfies
Something you are and something you remember
Something you have and something you know
Something you know and something you are
Something you have and something you are
Something you have and something you know
“ ……. is an attack type for a rogue Wi-Fi access point that appears to be a legitimate one offered on the premises, but actually has been set up to eavesdrop on wireless communications. It is the wireless version of the phishing scam. An attacker fools wireless users into connecting a laptop or mobile phone to a tainted hot-spot by posing as a legitimate provider. This type of attack may be used to steal the passwords of unsuspecting users by either snooping the communication link or by phishing, which involves setting up a fraudulent web site and luring people there.”
Fill in the blank with appropriate choice.
Evil Twin Attack
Sinkhole Attack
Collision Attack
Signal Jamming Attack
Evil Twin Attack
What term describes the amount of risk that remains after the vulnerabilities are classified and the countermeasures have been deployed?
Residual risk
Impact risk
Deferred risk
Inherent risk
Residual risk
Session splicing is an IDS evasion technique in which an attacker delivers data in multiple, small sized packets to the target computer, making it very difficult for an IDS to detect the attack signatures. Which tool can be used to perform session splicing attacks?
tcpsplice
Burp
Hydra
Whisker
Whisker
You have successfully compromised a server having an IP address of 10.10.0.5. You would like to enumerate all machines in the same network quickly. What is the best Nmap command you will use?
nmap -T4 -q 10.10.0.0/24
nmap -T4 -F 10.10.0.0/24
nmap -T4 -r 10.10.1.0/24
nmap -T4 -O 10.10.0.0/24
nmap -T4 -F 10.10.0.0/24
Which of the following is the BEST way to defend against network sniffing?
Using encryption protocols to secure network communications
Register all machines' MAC addresses in a centralized database
Use Static IP Address
Restrict Physical Access to Server Rooms hosting Critical Servers
Using encryption protocols to secure network communications
Although FTP traffic is not encrypted by default, which layer 3 protocol would allow for end-to-end encryption of the connection?
SFTP
IPsec
SSL
FTPS
IPsec
You are the Network Admin, and you get a complaint that some of the websites are no longer accessible. You try to ping the servers and find them to be reachable. Then you type the IP address into the browser and find the site to be accessible. But the sites are not accessible when you try using the URL. What may be the problem?
Traffic is Blocked on UDP Port 53
Traffic is Blocked on TCP Port 80
Traffic is Blocked on TCP Port 54
Traffic is Blocked on UDP Port 80
Traffic is Blocked on UDP Port 53
Which of the following tools is used to detect wireless LANs using the 802.11a/b/g/n WLAN standards on a linux platform?
Kismet
Abel
Netstumbler
Nessus
Kismet
Scenario 1:
Victim opens the attacker's web site.
Attacker sets up a web site which contains interesting and attractive content like 'Do you want to make $1000 in a day?'.
Victim clicks on the interesting and attractive content URL.
Attacker creates a transparent 'iframe' in front of the URL which the victim attempts to click, so the victim thinks that he/she clicks on the 'Do you want to make $1000 in a day?' URL but actually clicks on the content or URL that exists in the transparent 'iframe' set up by the attacker.
What is the name of the attack which is mentioned in the scenario?
Session Fixation
HTML Injection
HTTP Parameter Pollution
Clickjacking Attack
Clickjacking Attack
A network administrator discovers several unknown files in the root directory of his Linux FTP server. One of the files is a tarball, two are shell script files, and the third is a binary file named "nc". The FTP server's access logs show that the anonymous user account logged in to the server, uploaded the files, extracted the contents of the tarball, and ran the script using a function provided by the FTP server's software. The "ps" command shows that the "nc" file is running as a process, and the netstat command shows the "nc" process is listening on a network port.
What kind of vulnerability must be present to make this remote attack possible?
File system permissions
Privilege escalation
Directory traversal
Brute force login
File system permissions
Which method of password cracking takes the most time and effort?
Dictionary attack
Shoulder surfing
Rainbow tables
Brute force
Brute force
What does the –oX flag do in an Nmap scan?
Perform an eXpress scan
Output the results in truncated format to the screen
Output the results in XML format to a file
Perform an Xmas scan
Output the results in XML format to a file
A bank stores and processes sensitive privacy information related to home loans. However, auditing has never been enabled on the system. What is the first step that the bank should take before enabling the audit feature?
Perform a vulnerability scan of the system.
Determine the impact of enabling the audit feature.
Perform a cost/benefit analysis of the audit feature.
Allocate funds for staffing of audit log review.
Determine the impact of enabling the audit feature.
Which Intrusion Detection System is best suited for large environments where critical assets on the network need extra scrutiny and is ideal for observing sensitive network segments?
Honeypots
Firewalls
Network-based intrusion detection system (NIDS)
Host-based intrusion detection system (HIDS)
Network-based intrusion detection system (NIDS)
The collection of potentially actionable, overt, and publicly available information is known as
Open-source intelligence
Real intelligence
Social intelligence
Human intelligence
Open-source intelligence
What is one of the advantages of using both symmetric and asymmetric cryptography in SSL/TLS?
Supporting both types of algorithms allows less-powerful devices such as mobile phones to use symmetric encryption instead.
Symmetric algorithms such as AES provide a failsafe when asymmetric methods fail.
Symmetric encryption allows the server to securely transmit the session keys out-of-band.
Asymmetric cryptography is computationally expensive in comparison. However, it is well-suited to securely negotiate keys for use with symmetric cryptography.
Supporting both types of algorithms allows less-powerful devices such as mobile phones to use symmetric encryption instead.
The chance of a hard drive failure is once every three years. The cost to buy a new hard drive is $300. It will require 10 hours to restore the OS and software to the new hard disk. It will require a further 4 hours to restore the database from the last backup to the new hard disk. The recovery person earns $10/hour. Calculate the SLE, ARO, and ALE. Assume the EF = 1 (100%). What is the closest approximate cost of this replacement and recovery operation per year?
$1320
$440
$100
$146
$146
What is the known plaintext attack used against DES which gives the result that encrypting plaintext with one DES key followed by encrypting it with a second DES key is no more secure than using a single key?
Man-in-the-middle attack
Meet-in-the-middle attack
Replay attack
Traffic analysis attack
Meet-in-the-middle attack
Steve, a scientist who works in a governmental security agency, developed a technological solution to identify people based on walking patterns and implemented this approach in a physical access control. A camera captures people walking and identifies the individuals using Steve's approach. After that, people must present their RFID badges. Both identifications are required to open the door. In this case, we can say:
Although the approach has two phases, it actually implements just one authentication factor
The solution implements the two authentication factors: physical object and physical characteristic
The solution will have a high level of false positives
Biological motion cannot be used to identify people
The solution implements the two authentication factors: physical object and physical characteristic
What is not a PCI compliance recommendation?
Use a firewall between the public network and the payment card data.
Use encryption to protect all transmission of card holder data over any public network.
Rotate employees handling credit card transactions on a yearly basis to different departments.
Limit access to card holder data to as few individuals as possible.
Rotate employees handling credit card transactions on a yearly basis to different departments.
What is the minimum number of network connections in a multihomed firewall?
3
5
4
2
3
Suppose your company has just passed a security risk assessment exercise. The results show that the risk of a breach in the main company application is 50%. Security staff has taken some measures and implemented the necessary controls. After that, another security risk assessment was performed showing that the risk has decreased to 10%. The risk threshold for the application is 20%. Which of the following risk decisions will be the best for the project in terms of its successful continuation with the most business profit?
Accept the risk
Introduce more controls to bring risk to 0%
Mitigate the risk
Avoid the risk
Accept the risk
You need to deploy a new web-based software package for your organization. The package requires three separate servers and needs to be available on the Internet. What is the recommended architecture in terms of server placement?
All three servers need to be placed internally
A web server facing the Internet, an application server on the internal network, a database server on the internal network
A web server and the database server facing the Internet, an application server on the internal network
All three servers need to face the Internet so that they can communicate between themselves
A web server facing the Internet, an application server on the internal network, a database server on the internal network
An attacker, using a rogue wireless AP, performed an MITM attack and injected HTML code to embed a malicious applet in all HTTP connections. When users accessed any page, the applet ran and exploited many machines. Which one of the following tools did the hacker probably use to inject the HTML code?
Wireshark
Ettercap
Aircrack-ng
Tcpdump
Ettercap
Which mode of IPSec should you use to assure security and confidentiality of data within the same LAN?
ESP transport mode
ESP confidential
AH promiscuous
AH Tunnel mode
ESP transport mode
Hackers often raise the trust level of a phishing message by modeling the email to look similar to the internal email used by the target company. This includes using logos, formatting, and names of the target company. The phishing message will often use the name of the company CEO, President, or managers. The time a hacker spends performing research to locate this information about a company is known as what?
Exploration
Investigation
Reconnaissance
Enumeration
Reconnaissance
Which of the following viruses tries to hide from anti-virus programs by actively altering and corrupting the chosen service call interruptions when they are being run?
Macro virus
Stealth/Tunneling virus
Cavity virus
Polymorphic virus
Stealth/Tunneling virus
The “Gray-box testing” methodology enforces what kind of restriction?
Only the external operation of a system is accessible to the tester.
The internal operation of a system is only partly accessible to the tester.
Only the internal operation of a system is known to the tester.
The internal operation of a system is completely known to the tester.
The internal operation of a system is only partly accessible to the tester.
When analyzing the IDS logs, the system administrator noticed an alert was logged when the external router was accessed from the administrator's computer to update the router configuration. What type of alert is this?
False negative
True negative
True positive
False positive
False positive
A large company intends to use Blackberry for corporate mobile phones and a security analyst is assigned to evaluate the possible threats. The analyst will use the Blackjacking attack method to demonstrate how an attacker could circumvent perimeter defenses and gain access to the corporate network. What tool should the analyst use to perform a Blackjacking attack?
Paros Proxy
BBProxy
Blooover
BBCrack
BBProxy
When you are getting information about a web server, it is very important to know the HTTP methods (GET, POST, HEAD, PUT, DELETE, TRACE) that are available because there are two critical methods (PUT and DELETE). PUT can upload a file to the server and DELETE can delete a file from the server. You can detect all these methods (GET, POST, HEAD, DELETE, PUT, TRACE) using the Nmap Scripting Engine. What Nmap script will help you with this task?
http-methods
http-enum
http-headers
http-git
http-methods
Todd has been asked by the security officer to purchase a counter-based authentication system. Which of the following best describes this type of system?
A biometric system that bases authentication decisions on behavioral attributes.
A biometric system that bases authentication decisions on physical attributes.
An authentication system that creates one-time passwords that are encrypted with secret keys.
An authentication system that uses passphrases that are converted into virtual passwords.
An authentication system that creates one-time passwords that are encrypted with secret keys.
Which of the following is a low-tech way of gaining unauthorized access to systems?
Social Engineering
Eavesdropping
Scanning
Sniffing
Social Engineering
Which system consists of a publicly available set of databases that contain domain name registration contact information?
WHOIS
CAPTCHA
IANA
IETF
WHOIS
Why is a penetration test considered to be more thorough than a vulnerability scan?
Vulnerability scans only do host discovery and port scanning by default.
A penetration test actively exploits vulnerabilities in the targeted infrastructure, while a vulnerability scan does not typically involve active exploitation.
It is not – a penetration test is often performed by an automated tool, while a vulnerability scan requires active engagement.
The tools used by penetration testers tend to have much more comprehensive vulnerability databases.
A penetration test actively exploits vulnerabilities in the targeted infrastructure, while a vulnerability scan does not typically involve active exploitation.
Bob received this text message on his mobile phone: “Hello, this is Scott Smelby from the Yahoo Bank. Kindly contact me for a vital transaction on: scottsmelby@yahoo.com”.
Which statement below is true?
This is a scam as everybody can get a @yahoo address, not the Yahoo customer service employees.
This is a scam because Bob does not know Scott.
Bob should write to scottmelby@yahoo.com to verify the identity of Scott.
This is probably a legitimate message as it comes from a respectable organization.
This is a scam as everybody can get a @yahoo address, not the Yahoo customer service employees.
env x='() { :;}; echo exploit' bash -c 'cat /etc/passwd'
What is the Shellshock bash vulnerability attempting to do on a vulnerable Linux host?
Removes the passwd file
Changes all passwords in passwd
Add new user to the passwd file
Display passwd content to prompt
Display passwd content to prompt
Which of the following is assured by the use of a hash?
Authentication
Confidentiality
Availability
Integrity
Integrity
Which results will be returned with the following Google search query? site:target.com -site:Marketing.target.com accounting
Results from matches on the site marketing.target.com that are in the domain target.com but do not include the word accounting.
Results matching all words in the query.
Results for matches on target.com and Marketing.target.com that include the word “accounting”
Results matching “accounting” in domain target.com but not on the site Marketing.target.com
Results matching “accounting” in domain target.com but not on the site Marketing.target.com
Email is transmitted across the Internet using the Simple Mail Transport Protocol. SMTP does not encrypt email, leaving the information in the message vulnerable to being read by an unauthorized person. SMTP can upgrade a connection between two mail servers to use TLS. Email transmitted by SMTP over TLS is encrypted. What is the name of the command used by SMTP to transmit email over TLS?
OPPORTUNISTICTLS
UPGRADETLS
FORCETLS
STARTTLS
STARTTLS
In the field of cryptanalysis, what is meant by a “rubber-hose” attack?
Forcing the targeted keystream through a hardware-accelerated device such as an ASIC.
A backdoor placed into a cryptographic algorithm by its creator.
Extraction of cryptographic secrets through coercion or torture.
Attempting to decrypt ciphertext by making logical assumptions about the contents of the original plaintext
Extraction of cryptographic secrets through coercion or torture.
You are a Network Security Officer. You have two machines. The first machine (192.168.0.99) has snort installed, and the second machine (192.168.0.150) has kiwi syslog installed. You perform a syn scan in your network, and you notice that kiwi syslog is not receiving the alert message from snort. You decide to run wireshark in the snort machine to check if the messages are going to the kiwi syslog machine. What Wireshark filter will show the connections from the snort machine to kiwi syslog machine?
tcp.srcport == 514 && ip.src == 192.168.0.99
tcp.srcport == 514 && ip.src == 192.168.150
tcp.dstport == 514 && ip.dst == 192.168.0.99
tcp.dstport == 514 && ip.dst == 192.168.0.150
tcp.dstport == 514 && ip.dst == 192.168.0.150
What two conditions must a digital signature meet?
Has to be the same number of characters as a physical signature and must be unique.
Has to be unforgeable, and has to be authentic.
Must be unique and have special characters.
Has to be legible and neat.
Has to be unforgeable, and has to be authentic.
A company’s security policy states that all Web browsers must automatically delete their HTTP browser cookies upon terminating. What sort of security breach is this policy attempting to mitigate?
Attempts by attackers to access the user and password information stored in the company’s SQL database.
Attempts by attackers to access Web sites that trust the Web browser user by stealing the user’s authentication credentials.
Attempts by attackers to access password stored on the user’s computer without the user’s knowledge.
Attempts by attackers to determine the user’s Web browser usage patterns, including when sites were visited and for how long.
Attempts by attackers to access Web sites that trust the Web browser user by stealing the user’s authentication credentials.
What is correct about digital signatures?
A digital signature cannot be moved from one signed document to another because it is the hash of the original document encrypted with the private key of the signing party.
Digital signatures may be used in different documents of the same type.
A digital signature cannot be moved from one signed document to another because it is a plain hash of the document content.
Digital signatures are issued once for each user and can be used everywhere until they expire.
A digital signature cannot be moved from one signed document to another because it is the hash of the original document encrypted with the private key of the signing party.
An attacker with access to the inside network of a small company launches a successful STP manipulation attack. What will he do next?
He will create a SPAN entry on the spoofed root bridge and redirect traffic to his computer.
He will activate OSPF on the spoofed root bridge.
He will repeat this action so that it escalates to a DoS attack.
He will repeat the same attack against all L2 switches of the network.
He will create a SPAN entry on the spoofed root bridge and redirect traffic to his computer.
You have gained physical access to a Windows 2008 R2 server which has an accessible disc drive. When you attempt to boot the server and log in, you are unable to guess the password. In your toolkit, you have an Ubuntu 9.10 Linux LiveCD. Which Linux-based tool can change any user’s password or activate disabled Windows accounts?
John the Ripper
SET
CHNTPW
Cain & Abel
CHNTPW
What does a firewall check to prevent particular ports and applications from getting packets into an organization?
Transport layer port numbers and application layer headers
Presentation layer headers and the session layer port numbers
Network layer headers and the session layer port numbers
Application layer port numbers and the transport layer headers
Transport layer port numbers and application layer headers
___ is a set of extensions to DNS that provide the origin authentication of DNS data to DNS clients (resolvers) so as to reduce the threat of DNS poisoning, spoofing, and similar types of attacks.
DNSSEC
Resource records
Resource transfer
Zone transfer
DNSSEC
An attacker has installed a RAT on a host. The attacker wants to ensure that when a user attempts to go to “www.MyPersonalBank.com”, the user is directed to a phishing site.
Which file does the attacker need to modify?
Boot.ini
Sudoers
Networks
Hosts
Hosts
Which of the following incident handling process phases is responsible for defining rules, collaborating human workforce, creating a back-up plan, and testing the plans for an organization?
Preparation phase
Containment phase
Identification phase
Recovery phase
Preparation phase
The configuration allows a wired or wireless network interface controller to pass all traffic it receives to the Central Processing Unit (CPU), rather than passing only the frames that the controller is intended to receive. Which of the following is being described?
Multi-cast mode
Promiscuous mode
WEM
Port forwarding
Promiscuous mode
A large mobile telephony and data network operator has a data center that houses network elements. These are essentially large computers running on Linux. The perimeter of the data center is secured with firewalls and IPS systems.
What is the best security policy concerning this setup?
Network elements must be hardened with user ids and strong passwords. Regular security tests and audits should be performed.
As long as the physical access to the network elements is restricted, there is no need for additional measures.
There is no need for specific security measures on the network elements as long as firewalls and IPS systems exist.
The operator knows that attacks and down time are inevitable and should have a backup site.
Network elements must be hardened with user ids and strong passwords. Regular security tests and audits should be performed.
PGP, SSL, and IKE are all examples of which type of cryptography?
Digest
Secret Key
Public Key
Hash Algorithm
Public Key
Peter is surfing the internet looking for information about DX Company. Which hacking process is Peter doing?
Scanning
Footprinting
Enumeration
System Hacking
Footprinting
A hacker is an intelligent individual with excellent computer skills and the ability to explore a computer’s software and hardware without the owner’s permission. Their intention can either be to simply gain knowledge or to illegally make changes.
Which of the following class of hacker refers to an individual who works both offensively and defensively at various times?
White Hat
Suicide Hacker
Gray Hat
Black Hat
Gray Hat
During a recent security assessment, you discover the organization has one Domain Name Server (DNS) in a Demilitarized Zone (DMZ) and a second DNS server on the internal network.
What is this type of DNS configuration commonly called?
DynDNS
DNS Scheme
DNSSEC
Split DNS
Split DNS
What kind of detection technique is used in antivirus software that identifies malware by collecting data from multiple protected systems and, instead of analyzing files locally, performs the analysis in the provider's environment?
Behavioral based
Heuristics based
Honeypot based
Cloud based
Cloud based
Which of the following tools is used to analyze the files produced by several packet-capture programs such as tcpdump, WinDump, Wireshark, and EtherPeek?
tcptrace
Nessus
OpenVAS
tcptraceroute
tcptrace
What is the way to determine how a packet will move from an untrusted outside host to a protected inside host that is behind a firewall, which permits the hacker to determine which ports are open and whether the packets can pass through the packet filtering of the firewall?
Session hijacking
Firewalking
Man-in-the middle attack
Network sniffing
Firewalking
Which of the following is not a Bluetooth attack?
Bluedriving
Bluesmacking
Bluejacking
Bluesnarfing
Bluedriving
What is the role of test automation in security testing?
It is an option but it tends to be very expensive.
It should be used exclusively. Manual testing is outdated because of low speed and possible test setup inconsistencies.
Test automation is not usable in security due to the complexity of the tests.
It can accelerate benchmark tests and repeat them with a consistent test setup. But it cannot replace manual testing completely.
It can accelerate benchmark tests and repeat them with a consistent test setup. But it cannot replace manual testing completely.
Your company performs penetration tests and security assessments for small and medium-sized businesses in the local area. During a routine security assessment, you discover information that suggests your client is involved with human trafficking.
What should you do?
Confront the client in a respectful manner and ask her about the data.
Copy the data to removable media and keep it in case you need it.
Ignore the data and continue the assessment until completed as agreed.
Immediately stop work and contact the proper legal authorities.
Immediately stop work and contact the proper legal authorities.
While using your bank’s online servicing you notice the following string in the URL bar:
“http://www.MyPersonalBank.com/account?id=368940911028389&Damount=10980&Camount=21”
You observe that if you modify the Damount and Camount values and submit the request, the data on the web page reflects the changes.
Which type of vulnerability is present on this site?
Cookie Tampering
SQL Injection
Web Parameter Tampering
XSS Reflection
Web Parameter Tampering
The establishment of a TCP connection involves a negotiation called three-way handshake. What type of message does the client send to the server in order to begin this negotiation?
ACK
SYN
RST
SYN-ACK
SYN
Which type of security feature stops vehicles from crashing through the doors of a building?
Bollards
Receptionist
Mantrap
Turnstile
Bollards
The company ABC recently contracted a new accountant. The accountant will be working with the financial statements. Those financial statements need to be approved by the CFO and then they will be sent to the accountant, but the CFO is worried because he wants to be sure that the information sent to the accountant was not modified once he approved it. Which of the following options can be useful to ensure the integrity of the data?
The CFO can use a hash algorithm in the document once he approved the financial statements
The CFO can use an excel file with a password
The financial statements can be sent twice, one by email and the other delivered on USB, and the accountant can compare both to be sure it is the same document
The document can be sent to the accountant using an exclusive USB for that document
The CFO can use a hash algorithm in the document once he approved the financial statements
What is the purpose of a demilitarized zone on a network?
To scan all traffic coming through the DMZ to the internal network
To only provide direct access to the nodes within the DMZ and protect the network behind it
To provide a place to put the honeypot
To contain the network devices you wish to protect
To only provide direct access to the nodes within the DMZ and protect the network behind it
Which of the following Linux commands will resolve a domain name into IP address?
host -t a hackeddomain.com
host -t ns hackeddomain.com
host -t soa hackeddomain.com
host -t AXFR hackeddomain.com
host -t a hackeddomain.com
Shellshock allowed an unauthorized user to gain access to a server. It affected many Internet-facing services, which OS did it not directly affect?
Linux
Unix
OS X
Windows
Windows
Which regulation defines security and privacy controls for Federal information systems and organizations?
HIPAA
EU Safe Harbor
PCI-DSS
NIST-800-53
NIST-800-53
What is a “Collision attack” in cryptography?
Collision attacks try to get the public key
Collision attacks try to break the hash into three parts to get the plaintext value
Collision attacks try to break the hash into two parts, with the same bytes in each part to get the private key
Collision attacks try to find two inputs producing the same hash
Collision attacks try to find two inputs producing the same hash
Which of the following tools can be used for passive OS fingerprinting?
nmap
tcpdump
tracert
ping
tcpdump
Which of the following describes the characteristics of a Boot Sector Virus?
Modifies directory table entries so that directory entries point to the virus code instead of the actual program.
Moves the MBR to another location on the RAM and copies itself to the original location of the MBR.
Moves the MBR to another location on the hard disk and copies itself to the original location of the MBR.
Overwrites the original MBR and only executes the new virus code.
Moves the MBR to another location on the hard disk and copies itself to the original location of the MBR.
Your company was hired by a small healthcare provider to perform a technical assessment on the network.
What is the best approach for discovering vulnerabilities on a Windows-based computer?
Use the built-in Windows Update tool
Use a scan tool like Nessus
Check MITRE.org for the latest list of CVE findings
Create a disk image of a clean Windows installation
Use a scan tool like Nessus
Which of the following is a command line packet analyzer similar to GUI-based Wireshark?
nessus
tcpdump
ethereal
jack the ripper
tcpdump
DHCP snooping is a great solution to prevent rogue DHCP servers on your network. Which security feature on switches leverages the DHCP snooping database to help prevent man-in-the-middle attacks?
Spanning tree
Dynamic ARP Inspection (DAI)
Port security
Layer 2 Attack Prevention Protocol (LAPP)
Dynamic ARP Inspection (DAI)
Bob, a network administrator at BigUniversity, realized that some students are connecting their notebooks to the wired network to have Internet access. On the university campus, there are many Ethernet ports available for professors and authorized visitors but not for students.
He identified this when the IDS alerted for malware activities in the network. What should Bob do to avoid this problem?
Disable unused ports in the switches
Separate students in a different VLAN
Use the 802.1x protocol
Ask students to use the wireless network
Use the 802.1x protocol
A company’s policy requires employees to perform file transfers using protocols which encrypt traffic. You suspect some employees are still performing file transfers using unencrypted protocols because the employees do not like changes. You have positioned a network sniffer to capture traffic from the laptops used by employees in the data ingest department. Using Wireshark to examine the captured traffic, which command can be used as display filter to find unencrypted file transfers?
tcp.port == 21
tcp.port = 23
tcp.port == 21 || tcp.port == 22
tcp.port != 21
tcp.port == 21
You just set up a security system in your network. In what kind of system would you find the following string of characters used as a rule within its configuration? alert tcp any any -> 192.168.100.0/24 21 (msg: "FTP on the network!";)
A firewall IPTable
FTP Server rule
A Router IPTable
An Intrusion Detection System
An Intrusion Detection System
Which of the following program infects the system boot sector and the executable files at the same time?
Polymorphic virus
Stealth virus
Multipartite Virus
Macro virus
Multipartite Virus
To determine if a software program properly handles a wide range of invalid input, a form of automated testing can be used to randomly generate invalid input in an attempt to crash the program.
What term is commonly used when referring to this type of testing?
Randomizing
Bounding
Mutating
Fuzzing
Fuzzing
An Intrusion Detection System (IDS) has alerted the network administrator to a possibly malicious sequence of packets sent to a Web server in the network’s external DMZ. The packet traffic was captured by the IDS and saved to a PCAP file. What type of network tool can be used to determine if these packets are genuinely malicious or simply a false positive?
Protocol analyzer
Network sniffer
Intrusion Prevention System (IPS)
Vulnerability scanner
Protocol analyzer
The Heartbleed bug was discovered in 2014 and is widely referred to under MITRE’s Common Vulnerabilities and Exposures (CVE) as CVE-2014-0160. This bug affects the OpenSSL implementation of the Transport Layer Security (TLS) protocols defined in RFC6520.
What type of key does this bug leave exposed to the Internet making exploitation of any compromised system very easy?
Public
Private
Shared
Root
Private
Why should the security analyst disable/remove unnecessary ISAPI filters?
To defend against social engineering attacks
To defend against webserver attacks
To defend against jailbreaking
To defend against wireless attacks
To defend against webserver attacks
Which of the following is a component of a risk assessment?
Administrative safeguards
Physical security
DMZ
Logical interface
Administrative safeguards
CompanyXYZ has asked you to assess the security of their perimeter email gateway. From your office in New York, you craft a specially formatted email message and send it across the Internet to an employee of CompanyXYZ. The employee of CompanyXYZ is aware of your test. Your email message looks like this:
From: jim_miller@companyxyz.com
To: michelle_saunders@companyxyz.com Subject: Test message
Date: 4/3/2017 14:37
The employee of CompanyXYZ receives your email message.
This proves that CompanyXYZ’s email gateway doesn’t prevent what?
Email Masquerading
Email Harvesting
Email Phishing
Email Spoofing
Email Spoofing
Bob, a system administrator at TPNQM SA, concluded one day that a DMZ is not needed if he properly configures the firewall to allow access only to the servers/ports that may have direct Internet access, and to block access to workstations.
Bob also concluded that a DMZ makes sense only when a stateful firewall is available, which is not the case at TPNQM SA.
In this context, what can you say?
Bob can be right since DMZ does not make sense when combined with stateless firewalls
Bob is partially right. He does not need to separate networks if he can create rules by destination IPs, one by one
Bob is totally wrong. DMZ is always relevant when the company has internet servers and workstations
Bob is partially right. DMZ does not make sense when a stateless firewall is available
Bob is totally wrong. DMZ is always relevant when the company has internet servers and workstations
Bob is acknowledged as a hacker of repute and is popular among visitors of “underground” sites.
Bob is willing to share his knowledge with those who are willing to learn, and many have expressed their interest in learning from him. However, this knowledge has a risk associated with it, as it can be used for malevolent attacks as well.
In this context, what would be the most effective method to bridge the knowledge gap between the “black” hats or crackers and the “white” hats or computer security professionals? (Choose the best answer.)
Educate everyone with books, articles and training on risk analysis, vulnerabilities and safeguards.
Hire more computer security monitoring personnel to monitor computer systems and networks.
Make obtaining either a computer security certification or accreditation easier to achieve so more individuals feel that they are a part of something larger than life.
Train more National Guard and reservists in the art of computer security to help out in times of emergency or crises.
Educate everyone with books, articles and training on risk analysis, vulnerabilities and safeguards.
Peter extracts the SIDs list from Windows 2000 Server machine using the hacking tool “SIDExtractor”. Here is the output of the SIDs:
From the above list identify the user account with System Administrator privileges.
John
Rebecca
Sheela
Shawn
Somia
Chang
Micah
Chang
Which address translation scheme would allow a single public IP address to always correspond to a single machine on an internal network, allowing “server publishing”?
Overloading Port Address Translation
Dynamic Port Address Translation
Dynamic Network Address Translation
Static Network Address Translation
Static Network Address Translation
What is the following command used for?
net use \\target\ipc$ "" /u:""
Grabbing the etc/passwd file
Grabbing the SAM
Connecting to a Linux computer through Samba.
This command is used to connect as a null session
Enumeration of Cisco routers
This command is used to connect as a null session
What is the proper response for a NULL scan if the port is closed?
SYN
ACK
FIN
PSH
RST
No response
RST
One of your team members has asked you to analyze the following SOA record.
What is the TTL? Rutgers.edu.SOA NS1.Rutgers.edu ipad.college.edu (200302028 3600 3600 604800 2400.)
200303028
3600
604800
2400
60
4800
2400
One of your team members has asked you to analyze the following SOA record. What is the version? Rutgers.edu.SOA NS1.Rutgers.edu ipad.college.edu (200302028 3600 3600 604800 2400.) (Choose four.)
200303028
3600
604800
2400
60
4800
200303028
MX record priority increases as the number increases. (True/False.)
True
False
False
Which of the following tools can be used to perform a zone transfer?
NSLookup
Finger
Dig
Sam Spade
Host
Netcat
Neotrace
NSLookup, Dig, Sam Spade, Host
Under what conditions does a secondary name server request a zone transfer from a primary name server?
When a primary SOA is higher than a secondary SOA
When a secondary SOA is higher than a primary SOA
When a primary name server has had its service restarted
When a secondary name server has had its service restarted
When the TTL falls to zero
When a primary SOA is higher than a secondary SOA
What ports should be blocked on the firewall to prevent NetBIOS traffic from coming through the firewall if your network is comprised of Windows NT, 2000, and XP?
110
135
139
161
445
1024
135, 139, 445
What is a NULL scan?
A scan in which all flags are turned off
A scan in which certain flags are off
A scan in which all flags are on
A scan in which the packet size is set to zero
A scan with an illegal packet size
A scan in which all flags are turned off
What is the proper response for a NULL scan if the port is open?
SYN
ACK
FIN
PSH
RST
No response
No response
Which of the following statements about a zone transfer is correct? (Choose three.)
A zone transfer is accomplished with DNS
A zone transfer is accomplished with the nslookup service
A zone transfer passes all zone information that a DNS server maintains
A zone transfer passes all zone information that a nslookup server maintains
A zone transfer can be prevented by blocking all inbound TCP port 53 connections
Zone transfers cannot occur on the Internet
A zone transfer is accomplished with DNS
A zone transfer passes all zone information that a DNS server maintains
A zone transfer can be prevented by blocking all inbound TCP port 53 connections
You have the SOA presented below in your Zone.
Your secondary servers have not been able to contact your primary server to synchronize information. How long will the secondary servers attempt to contact the primary server before they consider the zone dead and stop responding to queries?
collegae.edu.SOA, cikkye.edu ipad.college.edu. (200302028 3600 3600 604800 3600)
One day
One hour
One week
One month
One week
Tess King is using the nslookup command to craft queries to list all DNS information (such as Name Servers, host names, MX records, CNAME records, glue records (delegation for child Domains), zone serial number, TimeToLive (TTL) records, etc) for a Domain.
What do you think Tess King is trying to accomplish? Select the best answer.
A zone harvesting
A zone transfer
A zone update
A zone estimate
A zone transfer
A zone file consists of which of the following Resource Records (RRs)?
DNS, NS, AXFR, and MX records
DNS, NS, PTR, and MX records
SOA, NS, AXFR, and MX records
SOA, NS, A, and MX records
SOA, NS, A, and MX records
Let’s imagine three companies (A, B and C), all competing in a challenging global environment. Company A and B are working together in developing a product that will generate a major competitive advantage for them. Company A has a secure DNS server while company B has a DNS server vulnerable to spoofing. With a spoofing attack on the DNS server of company B, company C gains access to outgoing e-mails from company B. How do you prevent DNS spoofing?
Install DNS logger and track vulnerable packets
Disable DNS timeouts
Install DNS Anti-spoofing
Disable DNS Zone Transfer
Install DNS Anti-spoofing
Which DNS resource record can indicate how long any “DNS poisoning” could last?
MX
SOA
NS
TIMEOUT
SOA
Joseph was the Web site administrator for Mason Insurance in New York, whose main Web site was located at www.masonins.com. Joseph uses his laptop computer regularly to administer the Web site. One night, Joseph received an urgent phone call from his friend, Smith. According to Smith, the main Mason Insurance web site had been vandalized! All of its normal content was removed and replaced with an attacker’s message “Hacker Message: You are dead! Freaks!” From his office, which was directly connected to Mason Insurance’s internal network, Joseph surfed to the Web site using his laptop. In his browser, the Web site looked completely intact.
No changes were apparent. Joseph called a friend of his at his home to help troubleshoot the problem. The Web site appeared defaced when his friend visited using his DSL connection. So, while Smith and his friend could see the defaced page, Joseph saw the intact Mason Insurance web site. To help make sense of this problem, Joseph decided to access the Web site using his dial-up ISP. He disconnected his laptop from the corporate internal network and used his modem to dial up the same ISP used by Smith. After his modem connected, he quickly typed www.masonins.com in his browser to reveal the following web page:
After seeing the defaced Web site, he disconnected his dial-up line, reconnected to the internal network, and used Secure Shell (SSH) to log in directly to the Web server. He ran Tripwire against the entire Web site, and determined that every system file and all the Web content on the server were intact. How did the attacker accomplish this hack?
ARP spoofing
SQL injection
DNS poisoning
Routing table injection
DNS poisoning
Which of the following tools are used for enumeration? (Choose three.)
SolarWinds
USER2SID
Cheops
SID2USER
DumpSec
USER2SID, SID2USER, DumpSec
What did the following commands determine?
That the Joe account has a SID of 500
These commands demonstrate that the guest account has NOT been disabled
These commands demonstrate that the guest account has been disabled
That the true administrator is Joe
Issued alone, these commands prove nothing
That the true administrator is Joe
Which definition among those given below best describes a covert channel?
A server program using a port that is not well known.
Making use of a protocol in a way it is not intended to be used.
It is the multiplexing taking place on a communication link.
It is one of the weak channels used by WEP which makes it insecure
Making use of a protocol in a way it is not intended to be used.
Susan has attached to her company’s network. She has managed to synchronize her boss’s sessions with those of the file server. She then intercepted his traffic destined for the server, changed it the way she wanted to, and then placed it on the server in his home directory.
What kind of attack is Susan carrying out?
A sniffing attack
A spoofing attack
A man in the middle attack
A denial of service attack
A man in the middle attack
Eric has discovered a fantastic package of tools named Dsniff on the Internet. He has learnt to use these tools in his lab and is now ready for real world exploitation. He was able to effectively intercept communications between the two entities and establish credentials with both sides of the connections. The two remote ends of the communication never notice that Eric is relaying the information between the two. What would you call this attack?
Interceptor
Man-in-the-middle
ARP Proxy
Poisoning Attack
Man-in-the-middle
Eve is spending her day scanning the library computers. She notices that Alice is using a computer whose port 445 is active and listening. Eve uses the ENUM tool to enumerate Alice’s machine. From the command prompt, she types the following command.
What is Eve trying to do?
Eve is trying to connect as a user with Administrator privileges
Eve is trying to enumerate all users with Administrative privileges
Eve is trying to carry out a password crack for user Administrator
Eve is trying to escalate privilege of the null user to that of Administrator
Eve is trying to carry out a password crack for user Administrator
Which of the following represents the initial two commands that an IRC client sends to join an IRC network?
USER, NICK
LOGIN, NICK
USER, PASS
LOGIN, USER
USER, NICK
Study the following log extract and identify the attack.
Hexcode Attack
Cross Site Scripting
Multiple Domain Traversal Attack
Unicode Directory Traversal Attack
Unicode Directory Traversal Attack
Null sessions are unauthenticated connections (not using a username or password) to an NT or 2000 system. Which TCP and UDP ports must you filter to check null sessions on your network?
137 and 139
137 and 443
139 and 443
139 and 445
139 and 445
The following is an entry captured by a network IDS. You are assigned the task of analyzing this entry. You notice the value 0x90, which is the most common NOOP instruction for the Intel processor. You figure that the attacker is attempting a buffer overflow attack.
You also notice “/bin/sh” in the ASCII part of the output.
As an analyst what would you conclude about the attack?
The buffer overflow attack has been neutralized by the IDS
The attacker is creating a directory on the compromised machine
The attacker is attempting a buffer overflow attack and has succeeded
The attacker is attempting an exploit that launches a command-line shell
The attacker is attempting an exploit that launches a command-line shell
Based on the following extract from the log of a compromised machine, what is the hacker really trying to steal?
har.txt
SAM file
wwwroot
Repair file
SAM file
As a security consultant, what are some of the things you would recommend to a company to ensure DNS security?
Choose four.
Use the same machines for DNS and other applications
Harden DNS servers
Use split-horizon operation for DNS servers
Restrict Zone transfers
Have subnet diversity between DNS servers
Harden DNS servers
Use split-horizon operation for DNS servers
Restrict Zone transfers
Have subnet diversity between DNS servers
Why would you consider sending an email to an address that you know does not exist within the company you are performing a Penetration Test for?
To determine who is the holder of the root account
To perform a DoS
To create needless SPAM
To elicit a response back that will reveal information about email servers and how they treat undeliverable mail
To test for virus protection
To elicit a response back that will reveal information about email servers and how they treat undeliverable mail
What tool can crack Windows SMB passwords simply by listening to network traffic?
This is not possible
Netbus
NTFSDOS
L0phtcrack
L0phtcrack
A network admin contacts you. He is concerned that ARP spoofing or poisoning might occur on his network. What are some things he can do to prevent it? Select the best answers.
Use port security on his switches.
Use a tool like ARPwatch to monitor for strange ARP activity.
Use a firewall between all LAN segments.
If you have a small network, use static ARP entries.
Use only static IP addresses on all PCs.
Use port security on his switches.
Use a tool like ARPwatch to monitor for strange ARP activity.
If you have a small network, use static ARP entries.
Peter, a Network Administrator, has come to you looking for advice on a tool that would help him perform SNMP enquiries over the network.
Which of these tools would do the SNMP enumeration he is looking for? Select the best answers.
SNMPUtil
SNScan
SNMPScan
Solarwinds IP Network Browser
NMap
SNMPUtil
SNScan
Solarwinds IP Network Browser
If a token and 4-digit personal identification number (PIN) are used to access a computer system and the token performs off-line checking for the correct PIN, what type of attack is possible?
Birthday
Brute force
Man-in-the-middle
Smurf
Brute force
Bob is doing a password assessment for one of his clients. Bob suspects that security policies are not in place. He also suspects that weak passwords are probably the norm throughout the company he is evaluating. Bob is familiar with password weaknesses and key loggers.
Which of the following options best represents the means that Bob can adopt to retrieve passwords from his client’s hosts and servers?
Hardware, Software, and Sniffing.
Hardware and Software Keyloggers.
Passwords are always best obtained using Hardware key loggers.
Software only, they are the most effective.
Hardware, Software, and Sniffing.
Study the snort rule given below:
From the options below, choose the exploit against which this rule applies.
WebDav
SQL Slammer
MS Blaster
MyDoom
MS Blaster
Which of the following algorithms can be used to guarantee the integrity of messages being sent, in transit, or stored?
symmetric algorithms
asymmetric algorithms
hashing algorithms
integrity algorithms
hashing algorithms
A user on your Windows 2000 network has discovered that he can use L0phtcrack to sniff the SMB exchanges which carry user logons. The user is plugged into a hub with 23 other systems.
However, he is unable to capture any logons though he knows that other users are logging in.
What do you think is the most likely reason behind this?
There is a NIDS present on that segment.
Kerberos is preventing it.
Windows logons cannot be sniffed.
L0phtcrack only sniffs logons to web servers.
Kerberos is preventing it.
You are attempting to crack LAN Manager (LM) hashes from a Windows 2000 SAM file. You will be using the LM Brute Force hacking tool for decryption. What encryption algorithm will you be decrypting?
MD4
DES
SHA
SSL
DES
In the context of password security, a simple dictionary attack involves loading a dictionary file (a text file full of dictionary words) into a cracking application such as L0phtCrack or John the Ripper, and running it against user accounts located by the application. The larger the word and word fragment selection, the more effective the dictionary attack is. The brute force method is the most inclusive, although slow. It usually tries every possible letter and number combination in its automated exploration. If you would use both brute force and dictionary methods combined together to have variation of words, what would you call such an attack?
Full Blown
Thorough
Hybrid
BruteDics
Hybrid
What is the algorithm used by LM for Windows2000 SAM?
MD4
DES
SHA
SSL
DES
E-mail scams and mail fraud are regulated by which of the following?
18 U.S.C. par. 1030 Fraud and Related activity in connection with Computers
18 U.S.C. par. 1029 Fraud and Related activity in connection with Access Devices
18 U.S.C. par. 1362 Communication Lines, Stations, or Systems
18 U.S.C. par. 2510 Wire and Electronic Communications Interception and Interception of Oral Communication
18 U.S.C. par. 1030 Fraud and Related activity in connection with Computers
Which of the following LM hashes represent a password of less than 8 characters? (Choose two.)
BA810DBA98995F1817306D272A9441BB
44EFCE164AB921CQAAD3B435B51404EE
0182BD0BD4444BF836077A718CCDF409
CEC52EB9C8E3455DC2265B23734E0DAC
B757BF5C0D87772FAAD3B435B51404EE
E52CAC67419A9A224A3B108F3FA6CB6D
44EFCE164AB921CQAAD3B435B51404EE
B757BF5C0D87772FAAD3B435B51404EE
Which of the following is the primary objective of a rootkit?
It opens a port to provide an unauthorized service
It creates a buffer overflow
It replaces legitimate programs
It provides an undocumented opening in a program
It replaces legitimate programs
This kind of password cracking method uses word lists in combination with numbers and special characters:
Hybrid
Linear
Symmetric
Brute Force
Hybrid
___ is a tool that can hide processes from the process list, can hide files, registry entries, and intercept keystrokes.
Trojan
RootKit
DoS tool
Scanner
Backdoor
RootKit
What is the BEST alternative if you discover that a rootkit has been installed on one of your computers?
Copy the system files from a known good system
Perform a trap and trace
Delete the files and try to determine the source
Reload from a previous backup
Reload from known good media
Reload from known good media
What do Trinoo, TFN2k, WinTrinoo, T-Sight, and Stacheldraht have in common?
All are hacking tools developed by the Legion of Doom
All are tools that can be used not only by hackers, but also security personnel
All are DDOS tools
All are tools that are only effective against Windows
All are tools that are only effective against Linux
All are DDOS tools
How can you determine if an LM hash you extracted contains a password that is less than 8 characters long?
There is no way to tell because a hash cannot be reversed
The rightmost portion of the hash is always the same
The hash always starts with AB923D
The leftmost portion of the hash is always the same
A portion of the hash will be all 0s
The rightmost portion of the hash is always the same
When discussing passwords, what is considered a brute force attack?
You attempt every single possibility until you exhaust all possible combinations or discover the password
You threaten to use the rubber hose on someone unless they reveal their password
You load a dictionary of words into your cracking program
You create hashes of a large number of words and compare it with the encrypted passwords
You wait until the password expires
You attempt every single possibility until you exhaust all possible combinations or discover the password
Which of the following are well known password-cracking programs?
L0phtcrack
NetCat
Jack the Ripper
Netbus
John the Ripper
L0phtcrack
John the Ripper
Password cracking programs reverse the hashing process to recover passwords. (True/False.)
True
False
False
While examining audit logs, you discover that people are able to telnet into the SMTP server on port 25. You would like to block this, though you do not see any evidence of an attack or other wrong doing. However, you are concerned about affecting the normal functionality of the email server. From the following options choose how best you can achieve this objective?
Block port 25 at the firewall.
Shut off the SMTP service on the server.
Force all connections to use a username and password.
Switch from Windows Exchange to UNIX Sendmail.
None of the above.
None of the above.
Windows LAN Manager (LM) hashes are known to be weak.
Which of the following are known weaknesses of LM? (Choose three.)
Converts passwords to uppercase.
Hashes are sent in clear text over the network.
Makes use of only 32-bit encryption.
Effective length is 7 characters.
Converts passwords to uppercase.
Hashes are sent in clear text over the network.
Effective length is 7 characters.
You have retrieved the raw hash values from a Windows 2000 Domain Controller. Using social engineering, you come to know that they are enforcing strong passwords. You understand that all users are required to use passwords that are at least 8 characters in length. All passwords must also use 3 of the 4 following categories: lower case letters, capital letters, numbers and special characters. With your existing knowledge of users, likely user account names and the possibility that they will choose the easiest passwords possible, what would be the fastest type of password cracking attack you can run against these hash values and still get results?
Online Attack
Dictionary Attack
Brute Force Attack
Hybrid Attack
Hybrid Attack
An attacker runs netcat tool to transfer a secret file between two hosts.
He is worried about information being sniffed on the network.
How would the attacker use netcat to encrypt the information before transmitting onto the wire?
Machine A: netcat -l -p -s password 1234 < testfile; Machine B: netcat <machine> 1234
Machine A: netcat -l -e magickey -p 1234 < testfile; Machine B: netcat <machine> 1234
Machine A: netcat -l -p 1234 < testfile -pw password; Machine B: netcat <machine> 1234 -pw password
Use cryptcat instead of netcat
Use cryptcat instead of netcat
What is GINA?
Gateway Interface Network Application
GUI Installed Network Application CLASS
Global Internet National Authority (G-USA)
Graphical Identification and Authentication DLL
Graphical Identification and Authentication DLL
Fingerprinting an Operating System helps a cracker because:
It defines exactly what software you have installed
It opens a security-delayed window based on the port being scanned
It doesn’t depend on the patches that have been applied to fix existing security holes
It informs the cracker of which vulnerabilities he may be able to exploit on your system
It informs the cracker of which vulnerabilities he may be able to exploit on your system
In the context of Windows Security, what is a ‘null’ user?
A user that has no skills
An account that has been suspended by the admin
A pseudo account that has no username and password
A pseudo account that was created for security administration purpose
A pseudo account that has no username and password
What does the following command in netcat do?
nc -l -u -p55555 < /etc/passwd
logs the incoming connections to /etc/passwd file
loads the /etc/passwd file to the UDP port 55555
grabs the /etc/passwd file when connected to UDP port 55555
deletes the /etc/passwd file when connected to the UDP port 55555
grabs the /etc/passwd file when connected to UDP port 55555
In this attack, a victim receives an e-mail claiming to be from PayPal, stating that their account has been disabled and confirmation is required before activation. The attackers then scam to collect not one but two credit card numbers, the ATM PIN number and other personal details. Ignorant users usually fall prey to this scam.
Which of the following statements is incorrect regarding this attack?
Do not reply to email messages or popup ads asking for personal or financial information
Do not trust telephone numbers in e-mails or popup ads
Review credit card and bank account statements regularly
Antivirus, anti-spyware, and firewall software can very easily detect these types of attacks
Do not send credit card numbers, and personal or financial information via e-mail
Antivirus, anti-spyware, and firewall software can very easily detect these types of attacks
What hacking attack is challenge/response authentication used to prevent?
Replay attacks
Scanning attacks
Session hijacking attacks
Password cracking attacks
Replay attacks
Bob is going to perform an active session hijack against Brownies Inc. He has found a target that allows session-oriented connections (Telnet) and performs sequence prediction on the target operating system. He manages to find an active session due to the high level of traffic on the network. What is Bob supposed to do next?
Take over the session
Reverse sequence prediction
Guess the sequence numbers
Take one of the parties offline
Guess the sequence numbers
The ViruXine.W32 virus hides its presence by changing the underlying executable code.
This virus code mutates while keeping the original algorithm intact: the code changes itself each time it runs, but the function of the code (its semantics) does not change at all.
Here is a section of the Virus code:
What is this technique called?
Polymorphic Virus
Metamorphic Virus
Dravidic Virus
Stealth Virus
Polymorphic Virus
Identify the correct terminology that defines the above statement.
Vulnerability Scanning
Penetration Testing
Security Policy Implementation
Designing Network Security
Penetration Testing
Nathan is testing some of his network devices. Nathan is using Macof to try and flood the ARP cache of these switches.
If these switches’ ARP cache is successfully flooded, what will be the result?
The switches will drop into hub mode if the ARP cache is successfully flooded.
If the ARP cache is flooded, the switches will drop into pix mode making it less susceptible to attacks.
Depending on the switch manufacturer, the device will either delete every entry in its ARP cache or reroute packets to the nearest switch.
The switches will route all traffic to the broadcast address, creating collisions.
The switches will drop into hub mode if the ARP cache is successfully flooded.
You are programming a buffer overflow exploit and you want to create a NOP sled of 200 bytes in the program exploit.c.
What is the hexadecimal value of the NOP instruction?
0x60
0x80
0x70
0x90
0x90
This TCP flag instructs the sending system to transmit all buffered data immediately.
SYN
RST
PSH
URG
FIN
PSH
The network administrator at Spears Technology, Inc has configured the default gateway Cisco router’s access-list as below:
You are hired to conduct security testing on their network.
You successfully brute-force the SNMP community string using an SNMP cracking tool.
The access-list configured at the router prevents you from establishing a successful connection. You want to retrieve the Cisco configuration from the router. How would you proceed?
Use Cisco’s default TFTP password to connect and download the configuration file
Run a network sniffer and capture the returned traffic with the configuration file from the router
Run Generic Routing Encapsulation (GRE) tunneling protocol from your computer to the router masking your IP address
Send a customized SNMP set request with a spoofed source IP address in the range -192.168.1.0
Run a network sniffer and capture the returned traffic with the configuration file from the router
Send a customized SNMP set request with a spoofed source IP address in the range -192.168.1.0
You work for Acme Corporation as Sales Manager. The company has tight network security restrictions. You are trying to steal data from the company’s Sales database (Sales.xls) and transfer them to your home computer. Your company filters and monitors traffic that leaves from the internal network to the Internet. How will you achieve this without raising suspicion?
Encrypt the Sales.xls using PGP and e-mail it to your personal gmail account
Package the Sales.xls using Trojan wrappers and telnet them back to your home computer
You can conceal the Sales.xls database in another file like photo.jpg or other files and send it out in an innocent looking email or file transfer using Steganography techniques
Change the extension of Sales.xls to sales.txt and upload it as an attachment to your hotmail account
You can conceal the Sales.xls database in another file like photo.jpg or other files and send it out in an innocent looking email or file transfer using Steganography techniques
Study the snort rule given below and interpret the rule. alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)
An alert is generated when a TCP packet is generated from any IP on the 192.168.1.0 subnet and destined to any IP on port 111
An alert is generated when any packet other than a TCP packet is seen on the network and destined for the 192.168.1.0 subnet
An alert is generated when a TCP packet is originated from port 111 of any IP address to the 192.168.1.0 subnet
An alert is generated when a TCP packet originating from any IP address is seen on the network and destined for any IP address on the 192.168.1.0 subnet on port 111
An alert is generated when a TCP packet originating from any IP address is seen on the network and destined for any IP address on the 192.168.1.0 subnet on port 111
What port number is used by LDAP protocol?
110
389
464
445
389
Fred is the network administrator for his company. Fred is testing an internal switch.
From an external IP address, Fred wants to try and trick this switch into thinking it already has established a session with his computer. How can Fred accomplish this?
Fred can accomplish this by sending an IP packet with the RST/SYN bit and the source address of his computer.
He can send an IP packet with the SYN bit and the source address of his computer.
Fred can send an IP packet with the ACK bit set to zero and the source address of the switch.
Fred can send an IP packet to the switch with the ACK bit and the source address of his machine.
Fred can send an IP packet to the switch with the ACK bit and the source address of his machine.
Within the context of Computer Security, which of the following statements describes Social Engineering best?
Social Engineering is the act of publicly disclosing information
Social Engineering is the means put in place by human resource to perform time accounting
Social Engineering is the act of getting needed information from a person rather than breaking into a system
Social Engineering is a training program within sociology studies
Social Engineering is the act of getting needed information from a person rather than breaking into a system
In Trojan terminology, what is a covert channel?
A channel that transfers information within a computer system or network in a way that violates the security policy
A legitimate communication path within a computer system or network for transfer of data
It is a kernel operation that hides boot processes and services to mask detection
It is a reverse tunneling technique that uses the HTTPS protocol instead of the HTTP protocol to establish connections
A channel that transfers information within a computer system or network in a way that violates the security policy
When a normal TCP connection starts, a destination host receives a SYN (synchronize/start) packet from a source host and sends back a SYN/ACK (synchronize acknowledge). The destination host must then hear an ACK (acknowledge) of the SYN/ACK before the connection is established. This is referred to as the “TCP three-way handshake.” While waiting for the ACK to the SYN/ACK, a connection queue of finite size on the destination host keeps track of connections waiting to be completed. This queue typically empties quickly since the ACK is expected to arrive a few milliseconds after the SYN/ACK.
How would an attacker exploit this design by launching a TCP SYN attack?
Attacker generates TCP SYN packets with random destination addresses towards a victim host
Attacker floods TCP SYN packets with random source addresses towards a victim host
Attacker generates TCP ACK packets with random source addresses towards a victim host
Attacker generates TCP RST packets with random source addresses towards a victim host
Attacker floods TCP SYN packets with random source addresses towards a victim host
Yancey is a network security administrator for a large electric company. This company provides power for over 100,000 people in Las Vegas. Yancey has worked for his company for over 15 years and has become very successful. One day, Yancey comes in to work and finds out that the company will be downsizing and he will be out of a job in two weeks. Yancey is very angry and decides to place logic bombs, viruses, Trojans, and backdoors all over the network to take down the company once he has left. Yancey does not care if his actions land him in jail for 30 or more years; he just wants the company to pay for what they are doing to him.
What would Yancey be considered?
Yancey would be considered a Suicide Hacker
Since he does not care about going to jail, he would be considered a Black Hat
Because Yancey works for the company currently; he would be a White Hat
Yancey is a Hacktivist Hacker since he is standing up to a company that is downsizing
Yancey would be considered a Suicide Hacker
You receive an e-mail like the one shown below. When you click on the link contained in the mail, you are redirected to a website asking you to download free Anti-Virus software.
Dear valued customers,
We are pleased to announce the newest version of Antivirus 2010 for Windows which will probe you with total security against the latest spyware, malware, viruses, Trojans and other online threats. Simply visit the link below and enter your antivirus code:
or you may contact us at the following address: Media Internet Consultants, Edif. Neptuno, Planta Baja, Ave. Ricardo J. Alfaro, Tumba Muerto, n/a Panama
How will you determine whether this is a real or a fake Anti-Virus website?
Look at the website design, if it looks professional then it is a Real Anti-Virus website
Connect to the site using SSL, if you are successful then the website is genuine
Search for the URL and Anti-Virus product name in Google and look out for suspicious warnings against this site
Download and install Anti-Virus software from this suspicious-looking site; your Windows 7 will prompt you and stop the installation if the downloaded file is malware
Download and install Anti-Virus software from this suspicious-looking site; your Windows 7 will prompt you and stop the installation if the downloaded file is malware
Search for the URL and Anti-Virus product name in Google and look out for suspicious warnings against this site
Every company needs a formal written document which spells out to employees precisely what they are allowed to use the company’s systems for, what is prohibited, and what will happen to them if they break the rules. Two printed copies of the policy should be given to every employee as soon as possible after they join the organization. The employee should be asked to sign one copy, which should be safely filed by the company. No one should be allowed to use the company’s computer systems until they have signed the policy in acceptance of its terms.
What is this document called?
Information Audit Policy (IAP)
Information Security Policy (ISP)
Penetration Testing Policy (PTP)
Company Compliance Policy (CCP)
Information Security Policy (ISP)
Take a look at the following attack on a Web Server using an obfuscated URL:
How would you protect from these attacks?
Configure the Web Server to deny requests involving “hex encoded” characters
Create rules in IDS to alert on strange Unicode requests
Use SSL authentication on Web Servers
Enable Active Scripts Detection at the firewall and routers
Create rules in IDS to alert on strange Unicode requests
Which type of sniffing technique is generally referred to as a MiTM attack?
Password Sniffing
ARP Poisoning
Mac Flooding
DHCP Sniffing
ARP Poisoning
Switches maintain a CAM Table that maps individual MAC addresses on the network to physical ports on the switch.
In a MAC flooding attack, a switch is fed with many Ethernet frames, each containing a different source MAC address, by the attacker. Switches have a limited memory for mapping MAC addresses to physical ports. What happens when the CAM table becomes full?
Switch then acts as hub by broadcasting packets to all machines on the network
The CAM overflow table will cause the switch to crash causing Denial of Service
The switch replaces outgoing frame switch factory default MAC address of FF:FF:FF:FF:FF:FF
Every packet is dropped and the switch sends out SNMP alerts to the IDS port
Switch then acts as hub by broadcasting packets to all machines on the network
You went to great lengths to install all the necessary technologies to prevent hacking attacks, such as expensive firewalls, antivirus software, anti-spam systems and intrusion detection/prevention tools in your company’s network. You have configured the most secure policies and tightened every device on your network. You are confident that hackers will never be able to gain access to your network with such a complex security system in place.
Your peer, Peter Smith, who works in the same department, disagrees with you.
He says even the best network security technologies cannot prevent hackers from gaining access to the network because of the presence of a “weakest link” in the security chain. What is Peter Smith talking about?
Untrained staff or ignorant computer users who inadvertently become the weakest link in your security chain
“Zero-day” exploits are the weakest link in the security chain since the IDS will not be able to detect these attacks
“Polymorphic viruses” are the weakest link in the security chain since the Anti-Virus scanners will not be able to detect these attacks
Continuous Spam e-mails cannot be blocked by your security system since spammers use different techniques to bypass the filters in your gateway
Untrained staff or ignorant computer users who inadvertently become the weakest link in your security chain
How does a denial-of-service attack work?
A hacker prevents a legitimate user (or group of users) from accessing a service
A hacker uses every character, word, or letter he or she can think of to defeat authentication
A hacker tries to decipher a password by using a system, which subsequently crashes the network
A hacker attempts to imitate a legitimate user by confusing a computer or even another person
A hacker prevents a legitimate user (or group of users) from accessing a service
You are trying to break into a highly classified top-secret mainframe computer with the highest security system in place at Merclyn Barley Bank located in Los Angeles.
You know that conventional hacking doesn’t work in this case, because organizations such as banks are generally tight and secure when it comes to protecting their systems.
In other words, you are trying to penetrate an otherwise impenetrable system. How would you proceed?
Look for “zero-day” exploits at various underground hacker websites in Russia and China and buy the necessary exploits from these hackers and target the bank’s network
Try to hang around the local pubs or restaurants near the bank, get talking to a poorly-paid or disgruntled employee, and offer them money if they’ll abuse their access privileges by providing you with sensitive information
Launch DDOS attacks against Merclyn Barley Bank’s routers and firewall systems using 100,000 or more “zombies” and “bots”
Try to conduct Man-in-the-Middle (MiTM) attack and divert the network traffic going to the Merclyn Barley Bank’s Webserver to that of your machine using DNS Cache Poisoning techniques
Try to hang around the local pubs or restaurants near the bank, get talking to a poorly-paid or disgruntled employee, and offer them money if they’ll abuse their access privileges by providing you with sensitive information
This is an attack that takes advantage of a web site vulnerability in which the site displays content that includes un-sanitized user-provided data.
What is this attack?
Cross-site-scripting attack
SQL Injection
URL Traversal attack
Buffer Overflow attack
Cross-site-scripting attack
Which utility will tell you in real time which ports are listening or in another state?
Netstat
TCPView
Nmap
Loki
TCPView
During an Xmas scan what indicates a port is closed?
No return response
RST
ACK
SYN
RST
Matthew, a black hat, has managed to open a meterpreter session to one of the kiosk machines in Evil Corp’s lobby. He checks his current SID, which is S-1-5-21-1223352397-1872883824-861252104-501. What needs to happen before Matthew has full administrator access?
He must perform privilege escalation.
He needs to disable antivirus protection.
He needs to gain physical access.
He already has admin privileges, as shown by the “501” at the end of the SID.
He must perform privilege escalation.
An LDAP directory can be used to store information similar to a SQL database. LDAP uses a ___ database structure instead of SQL’s ___ structure. Because of this, LDAP has difficulty representing many-to-one relationships.
Relational, Hierarchical
Strict, Abstract
Hierarchical, Relational
Simple, Complex
Hierarchical, Relational
Elliot is in the process of exploiting a web application that uses SQL as a back-end database. He’s determined that the application is vulnerable to SQL injection, and has introduced conditional timing delays into injected queries to determine whether they are successful. What type of SQL injection is Elliot most likely performing?
Error-based SQL injection
Blind SQL injection
Union-based SQL injection
NoSQL injection
Blind SQL injection
You are performing a penetration test for a client and have gained shell access to a Windows machine on the internal network. You intend to retrieve all DNS records for the internal domain. If the DNS server is at 192.168.10.2 and the domain name is abccorp.local, what command would you type at the nslookup prompt to attempt a zone transfer?
list server=192.168.10.2 type=all
ls -d abccorp.local
lserver 192.168.10.2 -t all
List domain=Abccorp.local type=zone
ls -d abccorp.local
John is an incident handler at a financial institution. His steps in a recent incident are not up to the standards of the company. John frequently forgets some steps and procedures while handling responses as they are very stressful to perform. Which of the following actions should John take to overcome this problem with the least administrative effort?
Create an incident checklist.
Select someone else to check the procedures.
Increase his technical skills.
Read the incident manual every time it occurs.
Create an incident checklist.
OpenSSL on Linux servers includes a command line tool for testing TLS. What is the name of the tool and the correct syntax to connect to a web server?
openssl s_client -site www.website.com:443
openssl_client -site www.website.com:443
openssl s_client -connect www.website.com:443
openssl_client -connect www.website.com:443
openssl s_client -connect www.website.com:443
What is the purpose of a DNS AAAA record?
Authorization, Authentication and Auditing record
Address prefix record
Address database record
IPv6 address resolution record
IPv6 address resolution record
Tremp is an IT Security Manager, and he is planning to deploy an IDS in his small company. He is looking for an IDS with the following characteristics:
- Verifies success or failure of an attack
- Monitors system activities
- Detects attacks that a network-based IDS fails to detect
- Near real-time detection and response
- Does not require additional hardware
- Lower entry cost
Which type of IDS is best suited for Tremp’s requirements?
Gateway-based IDS
Network-based IDS
Host-based IDS
Open source-based
Host-based IDS
What kind of detection technique is used in antivirus software that identifies malware by collecting data from multiple protected systems and, instead of analyzing files locally, performs the analysis in the provider’s environment?
Cloud based
Honeypot based
Behaviour based
Heuristics based
Cloud based
Gavin owns a white-hat firm and is performing a website security audit for one of his clients. He begins by running a scan which looks for common misconfigurations and outdated software versions. Which of the following tools is he most likely using?
Nikto
Nmap
Metasploit
Armitage
Nikto