Certified Ethical Hacker. Ch 1 - 3 Flashcards

1
What are the 5 phases in hacking?
Reconnaissance | Scanning | Gaining Access | Maintaining Access | Clearing Tracks
2
Information Assurance includes
Confidentiality | Integrity | Availability | Authenticity
3
Set of requirements, processes, principles, and models that determines the structure and behavior of an organization's information systems
EISA (Enterprise Information Security Architecture)
4
Risk Management Phases
Risk Identification | Risk Assessment | Risk Treatment | Risk Tracking | Risk Review
5
What is a risk assessment approach for analyzing the security of an application by capturing, organizing, and analyzing all the information that affects its security?
Threat Modeling
6
What is User Behavior Analytics (UBA)?
The process of tracking user behavior to detect malicious attacks, potential threats, and financial fraud
7
IAM Component 1: includes single sign-on, session management, password services, strong authentication, and multi-factor authentication
Authentication
8
IAM Component 2: provides access control to various organizational resources
Authorization
9
IAM Component 3: performs user life-cycle management and password management
User Management
10
IAM Component 4: provides the central user repository that stores user identity information and enables the other IAM components and services
Enterprise Directory Services
11
Protocols used by Enterprise Directory Services
LDAP (Lightweight Directory Access Protocol) | SCIM (System for Cross-domain Identity Management; originally expanded as Simple Cloud Identity Management)
12
Protects the penetration tester / agency from any legal or financial liabilities in case the penetration test results in loss of or damage to the organization's assets
Indemnification Clause
13
An open-source application security project that helps organizations purchase, develop, and maintain software tools, applications, and knowledge-based documentation for web application security
OWASP (Open Web Application Security Project)
14
A peer-reviewed methodology for performing high-quality security tests, covering data controls, fraud and social engineering control levels, computer networks, wireless devices, mobile devices, physical security access controls, and various security processes
OSSTMM (Open Source Security Testing Methodology Manual)
15
An open-source project aimed at providing security assistance to professionals; its mission is to research, develop, publish, and promote a complete, practical, and generally accepted information systems security assessment framework
ISSAF (Information System Security Assessment Framework)
16
The US federal technology agency that works with industry to develop and apply technology, measurements, and standards
NIST (National Institute of Standards and Technology)
17
What standard specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS) within the context of the organization?
ISO/IEC 27001:2013
18
Protects investors and the public by increasing the accuracy and reliability of corporate disclosures
Sarbanes-Oxley Act (SOX)
19
A comprehensive framework for ensuring the effectiveness of information security controls over information resources that support federal operations and assets
FISMA (Federal Information Security Management Act)
20
What is the Google Hacking Database (GHDB)?
An index of Google search queries ("dorks") that surface publicly exposed information, such as login portals, error messages, and configuration or credential files, during reconnaissance
21
What tool is used on LinkedIn to find people based on job title, company, or email address?
InSpy
22
Tool used to determine the operating system (and web server) of a target host and to enumerate the target's subdomains
Netcraft
23
Search engine for finding Internet-connected devices (routers, servers, IoT) used by a target
SHODAN
24
Search engine used to ask questions about the hosts and networks that compose the Internet
Censys
25
What does an attacker examine to determine the software running and its behavior
Cookies
26
What do attackers use to perform automated searches on a target website
Web Spiders
27
What is a common Web Spidering Tool
Web Data Extractor
28
The process of creating an exact replica or clone of the original website to browse offline
Website Mirroring
29
Common Website Mirroring Tool
HTTrack Web Site Copier
30
Website used to find archived versions of websites
archive.org
31
Tool to extract metadata of public documents belonging to a target company
Metagoofil
32
Tool to check websites for updates and changes
WebSite-Watcher
33
What is a common email tracking tool
eMailTrackerPro
34
What tool provides social media monitoring across many different platforms?
Trackur
35
What is a query and response protocol used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name?
Whois
36
What is a common Geolocation Lookup tool?
IP2Location
37
What tool is used to find the network range of the target network?
ARIN Whois database
38
What is a web reconnaissance framework with independent modules, database interaction, and more, that provides an environment in which open-source web-based reconnaissance can be conducted?
Recon-ng
39
What is an open-source intelligence and forensics application that delivers a clear threat picture of the environment an organization owns, using graphs and link analysis?
Maltego
40
What is a tool used to scan word and PDF docs for metadata
FOCA
41
What is the first step in pentesting?
Footprinting
42
ISO 27002 outlines
Guidelines and practices for security controls
43
What does CSIRT provide?
Incident response services
44
What helps to avoid information leakage?
Configure web servers to avoid information leakage (suppress server banners, verbose error messages, and directory listings)
45
What filters are used for defense in depth?
TCP/IP and IPSec
46
What tool should a hacker use to enumerate a company's subdomains (internal URLs) via search engines?
Sublist3r
47
What will searching 'site:target.com -site:marketing.target.com accounting' return?
Results matching "accounting" within target.com, excluding anything on marketing.target.com. The leading '-' tells Google to exclude results that match the term it precedes.
48
If you want to find all Wikipedia pages on SQL injection attacks what will you search?
SQL injection site:Wikipedia.org
49
In nslookup interactive mode, what command makes subsequent queries return name server records?
set type=ns
50
What tool would you use to find the location of routers, servers, and IP devices in a network?
Traceroute
51
Which flags do SYN scans deal with?
SYN, ACK, RST
52
What tool allows an attacker to create custom network packets
Colasoft Packet Builder
53
What type of packets can bypass network firewalls and IDS
fragmented
54
What is a command-line network scanning and packet-crafting tool for TCP/IP that can send ICMP echo requests as well as custom TCP, UDP, and raw IP packets?
hping2 / hping3
55
What scanning searches for a firewall and its rule sets?
ACK Scanning on Port 80
56
What does -Q accomplish in an hping3?
Collects all the TCP sequence numbers
57
What is a tool for troubleshooting, monitoring, and detecting devices on your network?
NetScan Tools Pro
58
What type of device does IP Scanner scan?
Mobile
59
What ICMP message does an ICMP query tool or ICMPush send from a UNIX system to learn the target system's time zone?
ICMP type 13 (Timestamp Request)
60
What is ICMP type 17?
Address Mask Request
61
What is used to determine live hosts from a range of IP addresses?
Ping Sweep
62
What scan do you use to identify active devices and determine if ICMP can pass through a firewall?
ICMP Scanning
63
What do you use to map active devices and calculate subnet masks?
Ping Sweep
64
What ICMP scan determines which hosts are active in a target network by pinging all machines in the network?
ICMP Echo Scanning
65
What do you do to make a TCP connection half-open? (Stealth scan)
After the target answers the SYN with a SYN/ACK, send a RST instead of the final ACK, so the handshake never completes and most hosts do not log a connection
66
What flags are set in an XMAS probe?
FIN, URG, PSH
67
What is a disadvantage of Inverse TCP flag scanning?
Requires super-user (raw socket) privileges; it also does not work against Windows targets, whose TCP stack answers every such probe with a RST regardless of port state
68
What is the boundary value (TTL) of a RST packet that determines if a port is open
TTL Less than 64
69
A Window size on RST packet that is not 0 means what?
That port is open
70
If the TTL is the same in every RST returned by an ACK flag probe, what variant do you switch to?
The Window-based ACK probe (compare the window field of the RSTs instead of the TTL)
71
What does a RST response from a target in an ACK flag probe tell you?
No firewall is present (Port is not filtered)
72
What type of ports do Spyware and Trojan Horses use?
UDP Ports
73
What two protocols detect plug and play devices?
SSDP | UPnP
74
What outbound ICMP message type should be blocked
type-3 unreachable
75
What Linux kernel option forces reassembly of IP fragments before inspection, defeating fragmentation-based scans?
CONFIG_IP_ALWAYS_DEFRAG
76
What is the nmap command for random decoy scan?
nmap -D RND:10 [Target IP]
77
What is the nmap command for a manual decoy scan?
nmap -D decoy1,decoy2,decoy3,...,ME,... [Target IP] (ME marks the position of your real IP within the decoy list)
78
What would you check to see if a packet is spoofed?
Send a probe to the claimed source IP and compare the TTL of the reply with the TTL of the suspect packet; a mismatch means the packet did not come from that host
79
If an attacker is sending spoofed packets on the same subnet what would you view next to see if the source IP is spoofed?
IP Identification number
80
What is a common proxy tool for mobile devices?
Shadowsocks
81
What is the Linux TTL
64
82
What is the Windows 7 TTL
128
83
What are the Pen Test steps?
1. Host Discovery (Live Hosts) 2. Port Scanning 3. Scan Beyond IDS and Firewall 4. Perform Banner Grabbing (Find OS) 5. Draw Network Diagram 6. Document Findings
84
In which phase does an attacker use steganography and tunneling?
Clearing Tracks
85
What is the difference between OWASP and OSSTMM?
OSSTMM addresses controls and OWASP does not
86
Low humidity in a data center can cause what?
Static Electricity
87
What is true regarding N-Tier architecture?
> Each layer must be able to exist on a physically independent system > Each layer should exchange information only with the layers above and below it
88
When does PCI-DSS require organizations to perform external and internal penetration testing?
At least once a year and after any significant upgrade or modification
89
What is the best type of vulnerability assessment for smartphones?
Host-Based Assessment
90
Is Querying published name servers of a target passive or active footprinting?
Active
91
If an attacker is attempting to get information about sub-domains to learn about different departments and business units what should they do?
Use online services such as netcraft.com
92
What database is used to view the history of a target website?
archive.org (Wayback Machine)
93
What technique is used to create complex search engine queries?
Google Hacking
94
What is not an objective of network scanning?
Discovering usernames and passwords
95
What relies on sending an abnormally large packet size that exceeds TCP/IP specifications? (This exploits the fragmentation and reassembly implementation
Ping of Death
96
What is the most likely cause of an ICMP type 3, code 3 (port unreachable) reply?
The UDP port is closed
97
What would an attacker use to get a response using TCP?
Hping
98
If an attacker is attempting to scan an internal corporate network from the internet without alerting the border sensor what will they use?
Tunneling scan over SSH
99
What protocol allows a host to discover the IP addresses of active routers on its subnet by listening to router advertisement and solicitation messages on the network?
IRDP (ICMP Router Discovery Protocol)
100
What type of OS fingerprinting technique sends specially crafted packets to the remote OS and analyzes the received response? (active or passive)
Active
101
What tool is designed to find missing security updates and exploitable misconfigurations in Windows?
Microsoft Baseline Security Analyzer (MBSA)
102
What feature can you implement with NMAP to avoid detection by an IDS?
Timing options to slow the speed that the port scan is conducted
103
If stealth is not an issue with an NMAP scan what would you use for the most reliable results?
Connect scan (TCP Connect Scan)
104
What ports are used to interact with printers?
515 (LPD) and 631 (IPP)
105
What are the five zones?
Internet | Internet DMZ | Production (Restricted) | Intranet | Management
106
Mandatory rules used to achieve consistency
Standards
107
What provides the minimum security level necessary
Baselines
108
Flexible, recommended actions users are to take in the event there is no standard to follow
Guidelines
109
Detailed step-by-step instructions for accomplishing a task or goal
Procedures
110
What framework enables clear policy development, good practice, and emphasizes regulatory compliance. It also categorizes control objectives into domains.
COBIT
111
What makes conspiracy to commit hacking a crime
Computer Fraud and Abuse Act
112
(Operator) Searches only for files of a specific type (DOC, XLS, and so on)
Filetype:type Ex: filetype:doc
113
(Operator) Finds pages with directory browsing enabled; usually combined with another search term
intitle:"index of" Ex: intitle:"index of" passwd
114
(Operator) Displays information Google stores about the page itself
Info:string Ex: info:www.example.com
115
(Operator) Searches for pages that contain the string in the title
intitle:string Ex: intitle:login
116
(Operator) Displays pages with the string in the URL.
Inurl:string Ex: inurl:passwd
117
(Operator) Displays linked pages based on a search term
Link:string
118
(Operator) Shows web pages similar to webpagename
Related:webpagename
119
(Operator) Displays pages for a specific website or domain holding the search term.
Site:domain or web page string Ex: site:anywhere.com passwds
120
What can be used to check web pages for changes, automatically notifying you when there's an update?
WebSite-Watcher (aignes.com)
121
DNS Record, defines the hostname and port number of servers providing specific services, such as a Directory Services server
SRV (Service)
122
DNS Record, identifies the primary name server for the zone.
SOA (Start of Authority)
123
DNS Record, maps an IP address to a hostname for reverse DNS lookup
PTR (Pointer)
124
DNS Record, identifies your e-mail servers within your domain
MX (Mail Exchange)
125
DNS Record, maps a domain to an IP address
A Record
126
Manage North American IPs
ARIN
127
Manage Asia Pacific IPs
APNIC
128
Manage Europe IPs
RIPE
129
Manage Latin America's IPs
LACNIC
130
Manage African IPs
AfriNIC
131
nslookup syntax
nslookup [-options] [hostname] [server]
132
nslookup command for a zone transfer (to list all records in the DNS domain)
ls -d <domain> (or ls -t ANY <domain>)
133
dig syntax
dig @server name type
134
What are the three views in Colasoft Packet Builder?
Packet List | Decode Editor | Hex Editor
135
RPC Port Number
TCP 135
136
NetBIOS Port Number
TCP / UDP 137 - 139
137
IMAP Port Number
TCP 143
138
SMB Port Number
TCP 445
139
What is a tool that displays a list of all currently opened TCP/IP and UDP ports on your computer
CurrPorts
140
ICMP Message Types
0: Echo Reply | 3: Destination Unreachable | 4: Source Quench | 5: Redirect | 8: Echo Request | 11: Time Exceeded
141
What is the first type of ping sent?
Type 8: Echo Request
142
ICMP Type 3 Codes
0 - Network Unreachable | 1 - Host Unreachable | 2 - Protocol Unreachable | 3 - Port Unreachable | 6 - Network Unknown | 7 - Host Unknown | 9 - Network administratively prohibited | 10 - Host administratively prohibited | 13 - Communication administratively prohibited
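The ICMP type and code tables in cards 140 to 142 are what a ping sweep or UDP scan actually reads off the wire. The Python below is an added example, not part of the original flashcard set: it builds ICMP messages with the RFC 1071 checksum, parses them back, and interprets the type 3 / code 3 reply to a UDP probe the way card 96 describes. Every packet is constructed inline, so nothing touches the network; the identifier 0x1234 and the payloads are arbitrary test values.

```python
import struct
from typing import Optional

# Type and code names as listed on the cards (plus the timestamp and address-mask pairs they reference)
ICMP_TYPES = {
    0: "Echo Reply", 3: "Destination Unreachable", 4: "Source Quench", 5: "Redirect",
    8: "Echo Request", 11: "Time Exceeded", 13: "Timestamp Request", 14: "Timestamp Reply",
    17: "Address Mask Request", 18: "Address Mask Reply",
}
UNREACHABLE_CODES = {
    0: "Network Unreachable", 1: "Host Unreachable", 2: "Protocol Unreachable",
    3: "Port Unreachable", 6: "Network Unknown", 7: "Host Unknown",
    9: "Network administratively prohibited", 10: "Host administratively prohibited",
    13: "Communication administratively prohibited",
}


def internet_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement sum of 16-bit words; an odd trailing byte is padded with zero."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(msg_type: int, code: int = 0, ident: int = 0x1234, seq: int = 1,
               payload: bytes = b"") -> bytes:
    """Serialize an 8-byte ICMP header plus payload with a correct checksum."""
    header = struct.pack("!BBHHH", msg_type, code, 0, ident, seq)
    csum = internet_checksum(header + payload)
    return struct.pack("!BBHHH", msg_type, code, csum, ident, seq) + payload


def parse_icmp(packet: bytes) -> dict:
    """Decode an ICMP message; checksum_ok is True when the whole message sums to zero."""
    msg_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    description = ICMP_TYPES.get(msg_type, "Unknown type %d" % msg_type)
    if msg_type == 3:
        description += " / " + UNREACHABLE_CODES.get(code, "code %d" % code)
    return {"type": msg_type, "code": code, "id": ident, "seq": seq,
            "checksum_ok": internet_checksum(packet) == 0, "description": description}


def udp_port_state(icmp_reply: Optional[bytes]) -> str:
    """Interpret what came back from a UDP probe the way a UDP port scan does."""
    if icmp_reply is None:
        return "open|filtered"               # silence: port is open, or a firewall dropped the probe
    info = parse_icmp(icmp_reply)
    if not info["checksum_ok"]:
        return "corrupt reply"
    if info["type"] == 3 and info["code"] == 3:
        return "closed"                      # port unreachable: nothing is listening there
    if info["type"] == 3 and info["code"] in (1, 2, 9, 10, 13):
        return "filtered"                    # administrative prohibition or unreachable host
    return "unknown"


if __name__ == "__main__":
    echo = build_icmp(8, payload=b"constructed ping payload")      # constructed test packet
    print(parse_icmp(echo))
    print(udp_port_state(build_icmp(3, code=3)))
```

The checksum check matters for the "spoofed packet" cards as well: a forged ICMP reply that does not sum to zero is discarded by the receiving stack, so a scanner that builds its own packets has to get this right.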
143
Scan. Runs through a full connection on ports, tearing it down with a RST at the end. Open ports will respond with a SYN / ACK and closed ports will respond with a RST
Full Connect Scan (TCP Connect)
144
Scan. Only SYN packets are sent to ports. Open ports respond with a SYN/ACK and closed ports with a RST; the scanner never sends the final ACK
Stealth Scan (Half-Open / SYN Scan)
145
Scan. Uses FIN, URG, or PSH to poke at system ports. If the port is open there will be no response. If the port is closed there will be a RST/ACK
Inverse TCP Flag Scan | Null Scan
146
Scan. Attacker sends the ACK flag and looks at the return header
Ack Flag Probe
147
In Ack flag probe what two things tell that the port is open?
> TTL is less than 64 | > Window size on the RST packet has a value other than zero
148
What does it mean if an ACK flag probe does not receive a response
There is a stateful firewall between the attacker and the host
149
Scan. Uses a spoofed IP address to elicit port responses during a scan. Then reviews the IPID to see if it increases by 2
IDLE Scan
150
Nmap ACK scan switch
-sA
151
Nmap FIN scan switch
-sF
152
Nmap IDLE scan switch
-sI
153
Nmap list scan switch (reverse-DNS lookup of the targets only; no packets are sent to them)
-sL
154
Nmap NULL scan swith
-sN
155
Nmap Protocol scan switch
-sO
156
Nmap disable port scan. Host discovery only.
-sn
157
Nmap RPC scan switch (legacy; current nmap folds RPC grinding into version detection, -sV)
-sR
158
Nmap SYN scan switch
-sS
159
Nmap TCP Connect scan switch
-sT
160
Nmap Window scan switch
-sW
161
Nmap XMAS scan switch
-sX
162
Nmap ICMP ping scan switch
-PI (legacy syntax; current nmap uses -PE)
163
Nmap No ping scan switch
-P0 (zero; legacy syntax, current nmap uses -Pn)
164
Nmap SYN ping scan switch
-PS
165
Nmap TCP ping scan switch
-PT (legacy syntax; current nmap uses -PA for the ACK ping)
166
Nmap Normal output scan switch
-oN
167
Nmap XML output scan switch
-oX
168
Nmap Serial, slowest scan switch (paranoid)
-T0
169
Nmap Serial, normal speed scan switch (Polite)
-T2
170
Nmap Parallel, normal speed scan switch
-T3
171
Nmap Parallel, fast scan switch (Aggressive)
-T4
172
Hping switch to ICMP ping
-1
173
Hping switch to UDP scan
-2
174
Hping switch to scan multiple ports
-8
175
Hping switch for listening mode
-9
176
Hping switch to send packets as fast as possible
--flood
177
NetBios, Domain Master Browser
1B
178
NetBios, Domain Controller
1C
179
NetBios, Master Browser for the subnet
1D (Group)
180
NetBios Hostname
00
181
NetBios Domain Name
00 (Group)
182
NetBios, Messenger service running on the system
03
183
NetBios server service running
20
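The NetBIOS suffix cards (177 to 183) are the lookup an attacker performs on the name table returned by a node status request (what nbtstat -A prints). The Python below is an added example, not part of the original flashcard set: it parses the NODE_NAME array from an NBSTAT response as laid out in RFC 1002 section 4.2.18 (a count byte, then 18-byte entries of 15-character space-padded name, suffix byte, and NAME_FLAGS) and labels each entry with the card's meaning. The sample table is constructed inline, and the "CORP"/"DC01" names are invented.

```python
import struct

# Suffix meanings from the cards; the G (group) bit distinguishes the two <00> entries
SUFFIX_ROLES = {
    (0x00, False): "Workstation service (hostname)",
    (0x00, True): "Domain name",
    (0x03, False): "Messenger service",
    (0x20, False): "File Server service",
    (0x1B, False): "Domain Master Browser",
    (0x1C, True): "Domain Controllers",
    (0x1D, False): "Master Browser",
    (0x1D, True): "Master Browser",
}
GROUP_FLAG = 0x8000    # G bit of NAME_FLAGS (RFC 1002 s4.2.18)
ACTIVE_FLAG = 0x0400   # ACT bit: the name is active in the local table


def parse_node_status_names(rdata: bytes) -> list:
    """Parse NUM_NAMES followed by 18-byte NODE_NAME entries into labelled dicts."""
    count = rdata[0]
    names = []
    for i in range(count):
        off = 1 + i * 18
        raw_name, suffix, flags = struct.unpack("!15sBH", rdata[off:off + 18])
        is_group = bool(flags & GROUP_FLAG)
        names.append({
            "name": raw_name.rstrip(b" ").decode("ascii", "replace"),
            "suffix": suffix,
            "group": is_group,
            "active": bool(flags & ACTIVE_FLAG),
            "role": SUFFIX_ROLES.get((suffix, is_group), "unknown"),
        })
    return names


def build_node_status_names(entries) -> bytes:
    """Constructed test data: serialize (name, suffix, is_group) tuples the way a host would."""
    out = bytes([len(entries)])
    for name, suffix, is_group in entries:
        flags = ACTIVE_FLAG | (GROUP_FLAG if is_group else 0)
        out += name.encode("ascii").ljust(15, b" ") + bytes([suffix]) + struct.pack("!H", flags)
    return out


def summarize(names: list) -> dict:
    """Pull out what enumeration is after: hostname, domain, and whether this box is a DC / file server."""
    summary = {"hostname": None, "domain": None, "domain_controller": False, "file_server": False}
    for n in names:
        if n["suffix"] == 0x00 and not n["group"]:
            summary["hostname"] = n["name"]
        elif n["suffix"] == 0x00 and n["group"]:
            summary["domain"] = n["name"]
        elif n["suffix"] == 0x1C and n["group"]:
            summary["domain_controller"] = True
        elif n["suffix"] == 0x20 and not n["group"]:
            summary["file_server"] = True
    return summary


if __name__ == "__main__":
    # Constructed table for a hypothetical domain controller named DC01 in domain CORP
    table = build_node_status_names([("DC01", 0x00, False), ("CORP", 0x00, True),
                                     ("CORP", 0x1C, True), ("DC01", 0x20, False),
                                     ("CORP", 0x1B, False)])
    for entry in parse_node_status_names(table):
        print("%-15s <%02X> %-6s %s" % (entry["name"], entry["suffix"],
                                        "GROUP" if entry["group"] else "UNIQUE", entry["role"]))
    print(summarize(parse_node_status_names(table)))
```

Note that the same suffix byte means different things depending on the group bit, which is why a parser has to read NAME_FLAGS rather than matching on the suffix alone.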
184
What are the 3 SMTP enumeration commands?
VRFY (validates users) | EXPN (provides the actual delivery addresses of mailing lists and aliases) | RCPT TO (defines recipients)
185
Windows packet-capture library (with its kernel driver) that lets a NIC run in promiscuous mode
WinPcap
186
Linux packet-capture library that lets a NIC run in promiscuous mode
libpcap
187
IPv6 address reserved for link-local addressing
Fe80::/10
188
What is the process of legally intercepting communications between two or more parties
Lawful Interception
189
What does the US government use to collect foreign intelligence coming into U.S IPs
PRISM | Planning Tool for Resource Integration, Synchronization, and Management
190
What do you configure to get a switch to send a packet to your device and the intended device simultaneously (sniffing the packet)
Span Port or Port Mirroring
191
What is it called to send so many MAC addresses to the CAM table it can't keep up, effectively turning it into a hub
MAC flooding
192
What is it called to flood a CAM table with unsolicited ARPs creating a race condition between a bad MAC and the real one
Switch Port Stealing
193
Wireshark string to say "Exactly This"
==
194
Wireshark string to say both of these must be true
&&
195
Wireshark string to say either or
|| (or)
196
Wireshark string for IP source
ip.src
197
Wireshark string for IP destination
ip.dst
198
What are the Wireshark TCP flag values?
FIN = 1 | SYN = 2 | RST = 4 | PSH = 8 | ACK = 16 | URG = 32
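The flag bit values in card 198 are the same bits the scan cards (143 to 148) reason about. The Python below is an added example, not part of the original flashcard set: it decodes a raw TCP header, names the flags, classifies a probe as SYN, XMAS, NULL, FIN, or ACK, produces the matching Wireshark display filter, and applies the response rules from the cards to decide the port state. The headers are constructed inline with a zero checksum (no network is used); the port numbers are arbitrary.

```python
import struct
from typing import Optional

# TCP flag bit values, the same numbers Wireshark shows in tcp.flags
FIN, SYN, RST, PSH, ACK, URG = 1, 2, 4, 8, 16, 32
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK", URG: "URG"}


def build_tcp_header(sport: int, dport: int, flags: int, window: int = 1024,
                     seq: int = 0, ack: int = 0) -> bytes:
    """Constructed test data: a 20-byte header (data offset 5 words, checksum left zero)."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, window, 0, 0)


def parse_tcp_header(raw: bytes) -> dict:
    """Decode the fixed TCP header (RFC 793); the flags are the low six bits of the offset word."""
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", raw[:20])
    flags = off_flags & 0x3F
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "data_offset": (off_flags >> 12) * 4, "flags": flags,
            "flag_names": [name for bit, name in FLAG_NAMES.items() if flags & bit],
            "window": window}


def wireshark_filter(flags: int) -> str:
    """Display filter matching packets with exactly these flags, e.g. tcp.flags == 0x029 for XMAS."""
    return "tcp.flags == 0x%03x" % flags


def classify_probe(flags: int) -> str:
    """Name the scan technique a single probe with these flags belongs to."""
    return {SYN: "SYN (half-open) scan", FIN | PSH | URG: "XMAS scan", 0: "NULL scan",
            FIN: "FIN scan", ACK: "ACK flag probe"}.get(flags, "other")


def infer_port_state(probe_flags: int, reply: Optional[dict]) -> str:
    """Apply the response rules from the scan cards to one probe/reply pair."""
    if probe_flags == SYN:                               # half-open: SYN/ACK open, RST closed
        if reply is None:
            return "filtered"
        if (reply["flags"] & (SYN | ACK)) == (SYN | ACK):
            return "open"
        if reply["flags"] & RST:
            return "closed"
    elif probe_flags in (0, FIN, FIN | PSH | URG):       # inverse flag scans: only closed ports answer
        if reply is None:
            return "open|filtered"
        if reply["flags"] & RST:
            return "closed"
    elif probe_flags == ACK:                             # ACK probe: a RST means unfiltered
        if reply is None:
            return "filtered (stateful firewall)"
        if reply["flags"] & RST:
            return "open (window != 0)" if reply["window"] else "closed (window == 0)"
    return "unknown"


if __name__ == "__main__":
    probe = parse_tcp_header(build_tcp_header(40000, 80, FIN | PSH | URG))
    print(probe["flag_names"], classify_probe(probe["flags"]), wireshark_filter(probe["flags"]))
    synack = parse_tcp_header(build_tcp_header(80, 40000, SYN | ACK, window=65535))
    print(infer_port_state(SYN, synack))
```

The ACK-probe window rule only holds for stacks that set a non-zero window on RSTs from open ports; on many modern systems every RST carries a zero window, which is why the cards pair it with the TTL variant.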
199
tcpdump switch to select the interface to listen on
-i
200
TCPdump switch to write to a file
-w
201
Wireshark string for TCP packets containing a given string
tcp contains "string"
202
What command is used to query the ntpd daemon about its current state
Ntpdc
203
What command collects the number of time samples from a number of time sources
Ntpdate
204
What command determines from where the NTP server gets time and follows the chain of NTP servers back to its prime time source
Ntptrace
205
What command monitors NTP daemon (ntpd) operations and determines performance?
ntpq
206
In Windows, what command could be used to list active (running) services
Sc query
207
What information is collected using enumeration?
Network resources | Network shares | Machine names | Routing tables | SNMP and FQDN details | Users and groups | Applications and banners | Audit and service settings
208
What enumeration technique is used to replicate DNS data across many DNS servers
DNS Zone Transfer
209
What step in enumeration serves as an input to many of the ping sweep and port scanning tools
Calculate the subnet mask
210
What step in enumeration extracts information about encryption and hashing
IPsec enumeration
211
What protocol provides reliable multi-process communication service in a multi network environment
TCP
212
What windows utility allows an attacker to perform NetBIOS enumeration
Nbtstat
213
What are the NetBIOS enumeration tools?
Hyena | NetScanTools Pro | SuperScan
214
What are common SNMP enumeration tools
OpUtils | SNScan
215
What protocol enables an attacker to enumerate user accounts and devices on a target system?
SNMP
216
What protocol is responsible for accessing distributed directories and access information such as valid usernames, addresses, departmental details, and so on
LDAP
217
What SMTP command tells the actual delivery addresses of aliases and mailing lists?
EXPN
218
What SMTP command defines the recipients of the message
RCPT To
219
What port is Global Catalog Service
TCP / UDP 3268
220
What port is IKE
UDP 500
221
What ports are SIP
TCP / UDP 5060 / 5061
222
What port is RPC endpoint Mapper?
TCP / UDP 135
223
What port is NBNS (NetBIOS Name Service)?
UDP 137
224
Why would an attacker use NetBIOS enumeration?
> Find a list of computers that belong to a domain | > Find policies and passwords
225
What command line tool would you use to display NetBIOS information
Nbtstat
226
What is the first step in enumerating a Windows system
Take advantage of the NetBIOS API
227
What command line tool would you use to display a list of computer or network resources in a specified workgroup or shared resources available on the specified computer
Net View
228
SNMP command to request information from SNMP agent?
GetRequest
229
SNMP command to continuously retrieve data stored in the array or table?
GetNextRequest
230
SNMP command to satisfy a request from the SNMP manager
GetResponse
231
SNMP command to modify a value in a parameter within the SNMP agent's MIB
SetRequest
232
SNMP command to inform a SNMP manager of a certain event
Trap
233
What is a common LDAP enumeration tool
Softerra | JXplorer
234
What is a common NTP Enumeration tool
PRTG Network Monitor
235
What does RPC Enumeration tell an attacker?
Vulnerable services on a service port
236
What is the first step in enumeration and the tool used?
Find the network range - Whois
237
2nd step in enumeration
Calculate the subnet mask
238
Where does Microsoft store password hashes?
SAM File | C:\windows\system32\config folder
239
What represents the root directory in Linux
/
240
What Linux directory hold numerous basic Linux commands
/bin
241
What Linux folder contains the pointer locations to the various storage and input/output systems you will need to mount if you want to use them, such as optical drives
/dev
242
What Linux folder contains all the administration files and passwords
/etc
243
What Linux folder holds the user home directories
/home
244
What Linux folder holds the access locations you've actually mounted
/mnt
245
What Linux folder is the repository for most of the routines Linux runs (known as daemons)
/sbin
246
What Linux folder holds almost all of the information, commands, and files unique to users
/usr
247
What occurs in each hacking step?
1. Reconnaissance -> Reconnaissance | 2. Scanning -> Discovery and port scanning, Enumeration | 3. Gaining Access -> Cracking passwords, Escalating privileges | 4. Maintaining Access -> Executing applications, Hiding files | 5. Clearing Tracks -> Clearing logs
248
What are the four password cracking types?
Non-electronic | Active Online (dictionary, brute force, hash injection, phishing, trojans, password guessing, etc.) | Passive Online | Offline
249
In Linux, what provides information on the user and host machine
Finger
250
What is split-horizon DNS?
Using an internal DNS for your end users and a separate external DNS that publishes only what outside clients need to reach your site
251
What port is BGP
179
252
What port is Syslog
514
253
What defines a user identity and authentication information in Windows
Security Context
254
What do Access Control Lists utilize in Windows
Security Context
255
In Windows, what identifies users, groups, and computer accounts
Windows Security Identifier (SID)
256
In Windows, what is the portion of a SID that identifies a specific user, computer, or group within its domain?
Relative Identifier (RID)
257
What RID number shows the admin?
500
258
What RID shows the first user?
1000
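Cards 255 to 258 describe the SID and the RID suffix that marks the built-in Administrator (500) and the first created user (1000). The Python below is an added example, not part of the original flashcard set: it parses a SID string, converts it to and from the binary layout Windows uses (revision byte, sub-authority count, 6-byte big-endian identifier authority, little-endian sub-authorities), and labels well-known RIDs. The sample SID is constructed and its domain sub-authorities are made up.

```python
import struct

# Well-known RIDs; 500 and 1000 are the two on the cards above
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
                   512: "Domain Admins", 513: "Domain Users", 519: "Enterprise Admins"}


def describe_rid(rid) -> str:
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]          # RID 500 stays 500 even if Administrator is renamed
    if rid == 1000:
        return "first user created after setup"
    if rid is not None and rid > 1000:
        return "user or group created after setup"
    return "unknown"


def parse_sid(sid: str) -> dict:
    """Split S-R-A-S1-S2-...-RID into its pieces; the last sub-authority is the RID."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    rid = subs[-1] if subs else None
    # For domain and local accounts (S-1-5-21-...), everything before the RID identifies the domain
    domain_sid = "-".join(parts[:-1]) if len(subs) >= 4 and subs[0] == 21 else None
    return {"revision": revision, "authority": authority, "subauthorities": subs,
            "rid": rid, "domain_sid": domain_sid, "account": describe_rid(rid)}


def sid_to_bytes(sid: str) -> bytes:
    """Binary SID: revision, sub-authority count, 6-byte big-endian authority, LE sub-authorities."""
    info = parse_sid(sid)
    subs = info["subauthorities"]
    return (struct.pack("<BB", info["revision"], len(subs))
            + info["authority"].to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def sid_from_bytes(data: bytes) -> str:
    """Inverse of sid_to_bytes, as needed when reading SIDs out of LDAP or SAM structures."""
    revision, count = data[0], data[1]
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack("<%dI" % count, data[8:8 + 4 * count])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


if __name__ == "__main__":
    sample = "S-1-5-21-1004336348-1177238915-682003330-500"   # constructed; domain part is made up
    print(parse_sid(sample))
    print(sid_to_bytes(sample).hex())
```

Because the RID is fixed, enumeration tools cycle RIDs (500, 501, 1000, 1001, ...) against the domain SID to list accounts even when names have been changed, which is the reason the cards single out 500 and 1000.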
259
What Linux command provides information on the RPC in the environment?
Rpcinfo
260
What Linux command displays all the shared directories on the machine
Showmount
261
What are small GUI containers for specific tools in Windows
Microsoft Management Consoles (MMC)
262
Linux command, adds a user to the system
adduser
263
Linux command displays the contents of a file
cat
264
Linux command to make copies
cp
265
Linux command that display network configuration information (Like IPconfig)
Ifconfig
266
Linux command to kill a running process
kill
267
Linux command to display the contents of a folder.
ls (L S not I S)
268
Linux command to display the manual page for a command (like a help file)
man
269
Linux command to change your password
passwd
270
Process status command in Linux
ps
271
Linux command to remove files
rm
272
Linux command to perform functions as another user
su
273
Linux command to make a process run in the background
&
274
Linux command to make a process persistent after a user logs out
nohup
275
Linux command to see current security settings for the contents of the directory you are in
ls -l
276
What do d and - indicate in Linux at the start of an ls -l permission string?
d = a directory | - = a regular file
277
Linux command to change read, write, execute permissions
chmod
278
Where are Linux password hashes stored if the system does not use a shadow file (/etc/shadow)?
/etc/passwd
279
What tool encrypts or obfuscates malware so that antivirus software cannot recognize it?
Crypter
280
What is a type of virus is stored permanently in RAM
Resident
281
What is the most common medium for transporting malware?
Email
282
What tool attempts to get higher search engine ranking for malware pages
Blackhat SEO (Search Engine Optimization)
283
What is a type of Trojan that downloads other malware or malicious code and files.
Downloader
284
What program allows malware to be downloaded covertly
Dropper
285
What tool injects exploits or malicious code into other vulnerable running processes
Injector
286
What is a program designed to conceal malicious code
Obfuscator
287
What program compresses malicious code to make it unreadable
Packer
288
What is the difference between payload and exploit?
Exploit takes advantage of a vulnerability to allow the attacker to use a malicious payload that then does the harm
289
What state does a port go into after it has been infected with a trojan?
Listening
290
What binds a Trojan to a legitimate file (often .exe)
Wrapper
291
What is a common Trojan Construction kit
DarkHorse Trojan Virus Maker
292
What is a common Wrapper
IExpress Wizard
293
What is a common Crypter?
BitCrypter
294
What is a common Exploit Kit?
RIG Exploit Kit
295
What is a common RAT that is capable of accessing a camera, stealing credentials stored in browsers, and more?
njRAT
296
What is a tool to monitor subnets for MAC address changes to detect MAC spoofing?
XArp
297
How can you protect yourself against DNS spoofing
Use Infrastructure ACLS to filter DNS requests
298
What occurs when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization (A1 on OWASP)
Injection Flaws (A1 on OWASP)
299
What is a flaw allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other user's identities? (A2 on OWASP)
Broken Authentication and Session Management (A2 on OWASP)
300
What is A3 in OWASP
Sensitive Data Exposure (credit cards, tax IDs, and authentication credentials)
301
What flaw can be used to extract data, execute a remote request from the server, scan internal systems, perform a denial-of-service attack, and more (#4 on OWASP)
XML External Entities (XXE) (A4 on OWASP)
302
What is this attack? Attacker uploads XML or includes hostile content in an XML document, exploiting vulnerable code, dependencies, or integrations.
XML External Entities
303
What tools can detect a lack of access control?
Static Application Security Testing (SAST) | Dynamic Application Security Testing (DAST) (OWASP notes that access-control flaws are rarely found by automated tools alone, so manual testing is still required)
304
What is Broken Access Control in OWASP
A5
305
What is Security Misconfiguration in OWASP
A6
306
What is XSS (Cross Site Scripting) in OWASP
A7
307
What is Insecure Deserialization in OWASP
A8
308
What is Using Components with Known Vulnerabilities in OWASP
A9
309
What is Insufficient Logging and Monitoring in OWASP
A10
310
What does a robots.txt file do
Tells search engine crawlers which pages or files the crawler can or can't request from the site
311
What nmap scan detects a vulnerable server that uses the TRACE method?
nmap --script http-trace -p80 localhost
312
What nmap scan lists e-mail accounts
nmap --script http-google-email
313
What nmap scan discovers virtual hosts on an IP address that you are attempting to footprint
nmap --script hostmap-*
314
What nmap scan enumerates common web applications
nmap --script http-enum -p80
315
What nmap scan grabs the robots.txt file?
nmap -p80 --script http-robots.txt
316
What is a great scanning tool for web servers?
Nikto
317
What are the three most common web servers?
Apache - 1 Nginx - 2 Microsoft IIS - 3
318
In Apache, what file controls who can view the server status page (which contains information about the server, connected hosts, and requests being served)?
httpd.conf
319
In Apache, what file contains the verbose error messaging setting?
php.ini
320
What are the 5 HTTP response types?
1xx: Informational 2xx: Success 3xx: Redirection 4xx: Client Error 5xx: Server Error
321
What is a way to get around an IDS with a directory traversal attack?
Replace the dots or slashes with unicode
322
What web attack tool allows you to craft HTTP requests to see raw request and response data, and to pull off performance tests?
WFETCH
323
What web attack is an injection attack that takes advantage of web applications that communicate with databases by using semicolons to separate each parameter?
CSPP (Connection String Parameter Pollution)
324
What type of attack uses the same communication channels to perform and retrieve in SQL
In-band SQL injection
325
What type of attack uses different communication channels ?
Out-of-band SQL injection
326
What type of SQL attack occurs when the attacker knows the database is susceptible to injection, but the error messages don't reveal anything?
Blind/inferential SQL injection
327
When you see Unicode such as /%2e%2e in a URL ... what attack is indicated?
Directory Traversal
328
If an attacker changes the price of something on a web page, how did they do it?
Copied the source code and altered hidden fields to modify the purchase price.
329
Why would a pen tester send http-methods in an nmap scan
To see which HTTP methods are supported by the domain
330
What would NOPS-x86 be an indication of?
Buffer overflow attack
331
If an attacker is able to put type="text/javascript"> into an input successfully what does this indicate?
XSS is a vulnerability
332
What does SOAP use to format information?
XML
333
If an admin sets the HttpOnly flag in cookies, what are they trying to mitigate against?
XSS
334
What has to happen for an ICMP attack to work?
Host MUST process the ICMP request
335
What is it called to install compromised hardware updates that render the hardware useless
Bricking
336
What is it called to send traffic to a bit bucket?
Black Hole
337
What is a common tool for SYN Flood?
PHP DoS
338
Why is Session hijacking possible? (3)
> Session IDs can be sent in plaintext > Data is often sent unencrypted > Sessions have lengthy expiration times
339
802.11a speed and frequency
54 Mbps | 5 GHz
340
802.11b speed and frequency
11 Mbps | 2.4 GHz
341
802.11g speed and frequency
54 Mbps | 2.4 GHz
342
802.11n speed and frequency
100+ Mbps | 2.4-5 GHz
343
802.11ac speed and frequency
1000 Mbps | 5 GHz
344
What is the Bluetooth standard?
802.15.1
345
What is the Zigbee standard
802.15.4
346
What is the WiMAX standard?
802.16
347
What are the two modulation methods for wireless?
OFDM (orthogonal frequency-division multiplexing) | DSSS (direct-sequence spread spectrum)
348
What is the MAC address of the wireless access point at the center of a BSS (Basic Service Set)
BSSID (Basic Service Set Identifier)
349
What can be used to verify wireless quality, detect rogue access points, and detect various attacks against a network
Spectrum Analyzer
350
What is the WEP IV bit size
24
351
What is the bit size of TKIP
128
352
What replaces TKIP for WPA2
CCMP (Cipher Block Chaining Message Authentication Code Protocol)
353
What is the integrity check for WPA2
CBC-MAC
354
What are the five wireless attacks?
Access Control Attacks
Authentication Attacks
Availability Attacks
Confidentiality Attacks
Integrity Attacks
355
What is a Linux tool that discovers access points that have not been configured (have default passwords) (and are not sending beacon frames)
Kismet
356
What technique does Aircrack use for WPA and WPA2
Dictionary
357
What type of attack occurs on WPA2 where an attacker repeatedly re-sends the third handshake of another device's session to manipulate or reset the WPA2 encryption key?
Key Re-installation Attack (KRACK)
358
What is the best way to crack a WPA2 network key?
Capture the WPA2 authentication traffic and crack they key
359
What information is required to crack a WEP AP?
> Network SSID | > MAC address of the AP
360
What protects against man in the middle attacks with WPA
MIC - it provides integrity checking, verifying frames are authentic through the use of a sequence number
361
What wireless encryption technology makes use of temporal keys?
WPA
362
What wireless technology uses RC4 for encryption?
WEP (WPA uses RC4 + TKIP)
363
What is the difference between Passive and Active session hijacking?
In Passive you just record traffic, in Active you take over the session
364
What do you attempt in order to successfully carry out an application level attack? (session hijacking)
> Sniffing > Brute Force > Replay Attack > Man in the middle
365
What is the goal of an application level attack (session hijacking)
Obtain the session ID
366
Where are session IDs stored?
Cookies | Passed in URL | Hidden fields
367
What is one tool for attackers to conduct a man-in-the-browser
Proxy
368
What is number one in OWASP for Mobile Security?
Improper Platform Usage
369
What is number two in OWASP for Mobile Security?
Insecure Data Storage
370
What is number 3 in OWASP for Mobile Security?
Insecure Communication
371
What is number 4 in OWASP for Mobile Security?
Insecure Authentication
372
What is number 5 in OWASP for Mobile Security?
Insufficient Cryptography (this occurs when cryptography is attempted but fails --- failing to use cryptography at all is #2 and using ssl or tls is #3)
373
What is number 6 in OWASP for Mobile Security?
Insecure Authorization
374
What is number 7 in OWASP for Mobile Security?
Client Code Quality (buffer overflows, format string vulnerabilities, etc.)
375
What is number 8 in OWASP for Mobile Security?
Code Tampering (binary patching, local resource modification, method hooking, etc.)
376
What is number 9 in OWASP for Mobile Security?
Reverse Engineering (determining source code, libraries, algorithms, etc.)
377
What is number 10 in OWASP for Mobile Security?
Extraneous Functionality (backdoor)
378
What is the process of gaining admin access on an Android device?
Rooting
379
What is the process of gaining admin access on an iPhone?
jailbreaking
380
What is a common tool to find nearby bluetooth devices?
BlueScanner
381
What is the best tool to perform a bluebugging attack?
Blooover
382
If you want to gain admin privileges over an Android device what tool should you use?
SuperOneClick
383
What is an iOS jailbreaking type that cannot be patched by Apple, as the failure is within the hardware itself and provides admin-level access?
BootROM
384
What IoT communication model makes use of a component adding a collective before sending data to the cloud?
Device to gateway (IoT gateway provides a collective area that allows for at least some measure of security controls)
385
In what phase of IoT hacking would Shodan be used?
information-gathering
386
What is the best tool for sniffing IoT traffic?
Foren6
387
In PAAS What two components are the clients responsibility?
Applications | Data
388
In IAAS what three components does the provider provide?
Virtualization | Physical hardware | Networking
389
What are the five roles within cloud architecture?
Cloud Auditor
Cloud Broker
Cloud Consumer
Cloud Carrier
Cloud Provider
390
In NIST 500-292, what is the organization that has responsibility for transferring the data?
Cloud Carrier
391
In NIST 500-292, who acquires and uses cloud products and services?
Cloud Consumer
392
In NIST 500-292, who is the purveyor of products and services?
Cloud Provider
393
In NIST 500-292, who acts to manage use, performance, and delivery of cloud services, as well as the relationships between providers and subscribers?
Cloud Broker
394
In NIST 500-292, who is an independent assessor of cloud service and security controls?
Cloud Auditor
395
What is the top cloud security attack?
Data Breach
396
What is a cross-site request forgery attack that occurs with cloud services?
Session Riding
397
What is an attack where an attacker uses a cloud-hosted VM to jump to other VMs?
Side Channel Attack (or Cross-Guest VM)
398
What is SOA?
Service Oriented Architecture - An API that makes it easier for application components to cooperate and exchange info on systems connected over a network.
399
What is a wrapping attack?
A SOAP message is intercepted, data in the envelope is changed, and then the data is sent/replayed
400
What is a tool to compress malware executables into a smaller size?
Packers
401
What are common e-banking trojans?
Zeus | Spyeye
402
What is a remote access Trojan that uses exploitation techniques to create data transfer channels in previously authorized data streams?
Covert Channel Tunneling Trojan (CCTT)
403
What is Trojan port 2
Death
404
What is Trojan port 20
Senna Spy
405
What is Trojan port 31,456
Hackers Paradise
406
What is Trojan port 421
TCP Wrappers
407
What is Trojan port 666
Doom, Satanz BackDoor
408
What is Trojan port 1001
Silencer, WebEx
409
What is Trojan port 1095-1098
RAT
410
What is Trojan port 1243
SubSeven
411
What is Trojan port 1600
Shivka-Burka
412
What is Trojan port 2001
Trojan Cow
413
What is Trojan port 6670-6671
Deep Throat
414
What is Trojan port 7777
Tini
415
What is Trojan port 12345, 12346
NetBus
416
What is Trojan port 12361-12362
Whack a Mole
417
What is Trojan port 31337, 31338
Back Orifice
418
What is a great command to look for port usage (hunting for Trojan access)
netstat -an
419
What is a great way to verify the integrity of critical files (protecting against / detecting trojans)?
Tripwire
420
What is built into Windows machines to help verify the integrity of critical files on the system?
SIGVERIF
421
What is a good test bed for malware analysis
Virtual machine with the NIC in host-only mode and no open shares
422
What state should a VM be in for malware analysis
Static
423
What is the preferred communication channel for botnets
IRC
424
What is a DOS attack with oversized payloads
Teardrop
425
What is a DOS attack that causes permanent damage
Phlashing (bricking)
426
What size sequence number would be allowed from an ack number of 105 and a window size of 200
105-305
427
What form of IPSec works with NAT
Transport
428
What type of DOS attacks consume all available bandwidth?
Volumetric
429
What is the difference between a SYN and SYN Flood attack
In a SYN attack you use a spoofed IP so the SYN-ACK messages don't work; in a flood you don't spoof the IP, but you don't respond to the SYN-ACK messages
430
What are the recommended steps in recovering from a malware infection?
> Delete system restore points > Remove the system from the network > Reinstall from original media
431
What is an attack where an attacker places content into the HTTP header section.
HTTP response splitting attack
432
What is an HTTP cache poisoning attack
Attacker places invalid data within the browser's cache. Result: browser queries rogue web server instead of real web server.
433
What are great tools for footprinting web servers?
Telnet, nmap, ID Serve
434
What is a man-in-the-middle attack that forces a downgrade of an RSA key to a weaker length?
FREAK
435
What SSL versions are vulnerable to Heartbleed?
SSL 1.0.1 | 1.0.1f
436
What CVE notation is Heartbleed?
CVE-2014-0160
437
What CVE notation is POODLE
CVE-2014-3566
438
In what attack does the attacker have both plain-text and corresponding cipher text
Known plain-text attack
439
In what attack does the hacker encrypt multiple plain-text copies in order to gain the key
Chosen plain-text attack
440
In what attack does a hacker gain copies of encrypted messages only
Cipher-text-only attack
441
What problems do symmetric algorithms have?
Scalability
442
When two companies merge and want their PKIs to validate certs from each other what must the CAs for both parties establish?
Cross certification
443
What is the difference between piggybacking and tailgating?
Tailgaters use fake ID badges
444
What are the three social engineering attacks?
1. Human 2. Computer 3. Mobile
445
What is spam messaging over IM called?
spimming
446
What is phishing that redirects a user's web traffic?
pharming
447
What are the physical security measures
Physical Technical Operational
448
If an attacker texts a target and the target calls the hacker and gives up sensitive information, what type of attack is this?
Smishing
449
What is a toolkit for automated pen testing that eliminates unnecessary ad hoc manual testing?
Codenomic
450
What is a Layer 2 broadcast address?
FF:FF:FF:FF:FF:FF
451
What is a Layer 3 broadcast address?
255.255.255.255
452
What security standard is based on BS 7799 (British standard) and is focused on security governance?
ISO 27001
453
What security standards are based on BS 7799 and are focused on defining security objectives?
ISO 17799, | ISO 27002
454
What defines passive vs active reconnaissance?
Passive reconnaissance uses only publicly available sources to collect information; active reconnaissance involves direct contact with the target
455
What would AAD3B435B51404EE indicate?
This is a LAN password indicating a password is 7 characters or less. The full hashed password could look like, 2D02FD4398FC4FFFAAD3B435B51404EE
456
If Firewalk is used on a filtered port, what is a response it is not likely to receive?
TTL expired in transit (this is because this response would typically indicate the port is unfiltered)
457
If you suspect that users are using weak passwords what is one way to verify this?
Audit passwords by using a password cracking tool
458
How often does TCPView update?
It can be set to 1, 2, or 5 seconds (1 by default)
459
Why would you use TCP-over-DNS?
To evade firewall inspection
460
What is SMB used for?
To enable file and printer sharing without the need for NetBIOS port broadcasting
461
What standard is WPA2?
IEEE 802.11i
462
Who maintains WebGoat?
OWASP
463
What is a web application that has been made deliberately insecure so that users can practice exploiting security vulnerabilities in web applications?
Web Goat
464
What Nmap parameter is used to disable DNS resolution?
-n
465
What Nmap parameter configures Nmap to always perform DNS resolution?
-R
466
What Nmap parameters are used to disable ICMP?
-P0 or -PN
467
What Nmap switch is a Sneaky scan?
-T1
468
What should you do if you want to implement Microsoft SQL Server best practices?
Ensure that only the sysadmin role has access to the xp_cmdshell stored procedure
469
What is the difference between a hybrid attack and a dictionary attack?
Hybrid attack - list of words but substitutes numbers and symbols for some characters; dictionary attack relies only on a list of words
470
What would you likely be analyzing during passive OS fingerprinting?
DF flags | TTL fields | TCP window sizes | Type of Service
471
What would you likely be analyzing during active OS fingerprinting?
ICMP Echo Replies
472
What is a Linux GUI-based tool for generating TCP/IP packets?
packETH
473
What command do you use to add a route
route add
474
What can you do with the net command?
> connect to a remote resource > manage user accounts > manage services
475
What C++ construct is used to execute a block of code until a particular condition is met?
for
476
Visual Basic, C++, and Java are what type of languages
Compiled
477
What catalogs security and privacy controls for federal information systems with the exception of those related to national security?
NIST-800-53
478
What is an example of blackboard architecture
A Bayesian system designed to learn to recognize spam (blackboard architecture is self learning)
479
What SQL command deletes table information
DROP TABLE
480
What output will this command provide in Linux?
cd /var/log
grep -Le '^Jan 8' *.log
A list of all .log files that do not contain the term 'Jan 8' at the beginning of a line (-L searches for everything but the pattern; if -l were used it would list the files that do contain 'Jan 8')
481
What bit size is MD5?
128 bits
482
Which NAT is considered many to many
dynamic NAT
483
What is the frequency of potentially adverse events?
Threat
484
What virus rewrites itself each time it infects a new file?
Metamorphic
485
What commands can configure IP masquerading on a Linux-based firewall?
ipchains | iptables | ipfwadm
486
What command is used for evading IDS by obfuscating the true source IP address of network traffic?
proxychains
487
What is the maximum length of an LM password?
14 characters
488
What attack typically uses an IFrame?
clickjacking
489
What are sparse infector viruses?
Viruses that infect files only when a specific condition is met
490
What standard is EAP
IEEE 802.1X
491
What does (') denote in SQL?
Used to denote a character string
492
What is true regarding security policies?
They should be as short as possible (maximum 3 pages)
493
What flag configures Netcat to accept inbound connections on a UNIX host?
-l (-L does the same, but on Windows)
494
What describes a parameter-tampering attack?
modifying a value in query string
495
What is an interrupt
a signal that indicates that an event has occurred?
496
What is an example of a Perl module that supports IDS evasion techniques
libwhisker
497
http://vulnerable.example.com/..%C1%9C.. is an example of what?
a directory traversal vulnerability (%C1 is unicode that translates to ../..) (../.. is a method of directory traversal)
498
What file in Linux contains failed login attempts?
btmp
499
Which attack uses ICMP echo requests?
Smurf
500
What resource type should you use on a DNS server to configure the OS type of a particular DNS record?
HINFO
501
What command is used to enforce password complexity on a Windows host?
gpedit.msc
502
What is pcap?
A packet capture library used by packet sniffers like Tcpdump and wireshark
503
Why was SOX created?
to require companies to properly disclose financial information
504
What command should you issue to display active and inactive services on a computer running Windows ?
sc query state= all
505
what Linux command is used to view logs?
cd /var/log
506
Using the grep command in Linux, what does the -L parameter do?
Searches for everything but the input (for example, -L 'Jan 8' would search for everything but 'Jan 8')
507
Using the grep command in Linux, what does the -e parameter do?
Configures grep to accept a regular expression pattern as a search term.
508
What Linux command is used to view and create files?
cat
509
What is something metagoofil will likely not show you?
protected document passwords
510
What command can be configured to tunnel TCP or UDP traffic to a destination by way of one or more proxy servers?
proxychains
511
What vulnerability exploits Bash by unintentionally executing commands when the commands are concatenated?
Shellshock (Bashdoor)
512
How do you exploit a Bash Shellshock vulnerability?
send specially crafted environment variable and trailing commands
513
What vulnerability would you be exploiting by sending specially crafted HTML into a website form?
XSS
514
What vulnerability would you be exploiting by using a specially crafted URL parameter
Directory traversal or path traversal attack
515
What attack enables an attacker to view data or execute arbitrary commands
Directory traversal or path traversal
516
In SQL, what denotes a variable in SQL code?
@
517
In SQL, what concatenates two string values together
+
518
In SQL, what is used to add a comment in SQL code?
--
519
In SQL, what is used to denote a character string
'
520
What flag specifies a TCP port in Netcat
-p
521
What flag enables Telnet negotiation in Netcat?
-t
522
What flag specifies the program that should be executed when a Windows session is established in Netcat
-e
523
What flag specifies a UDP port in Netcat
-u
524
Which HTTP methods are considered risky (as in dangerous)
CONNECT | DELETE | PUT | TRACE
525
what command would you issue with nslookup to see the CPU type and OS of a queried host?
set type=HINFO
526
what command in nslookup specifies the DNS server that should be used
server DNS_SERVER
527
What DNS command is used to display mailbox information?
MINFO
528
What DNS command is used to display user information?
UINFO
529
What DNS command is used to display information about a well-known service defined for the host on the DNS server?
WKS
530
What Microsoft command would you use to examine services and modify if they should run automatically or manually
services.msc
531
What Microsoft command would you use to examine a Windows host's event logs including app level logs, security level logs, and system level logs? (showing you which users have recently logged in to a specific host)
eventvwr.msc
532
What does OSSTMM define as types of compliance
Legislative | Contractual | Standards-based
533
What attack exposed customer data of T.J.Maxx?
Wardriving
534
What is a common criteria ST?
documentation for the system or product that is to be tested
535
What pentest method simulates an attack by an insider?
gray-box testing
536
What are common SQL injection tools?
Absinthe | Pangolin | Havij
537
What protocol is a logging standard that transmits logging information from a device to a central server?
syslog
538
What virus overwrites unused portions of a file, resulting in an infected file that is the same size as the original file?
cavity virus
539
Regarding ISAPI filters, what is the best way to increase security on a webserver?
removing ISAPI filters
540
Does Cisco use traceroute or tracert?
traceroute
541
What security standard recommends security controls based on industry best practices?
ISO 27002
542
If you see an unusual amount of outbound traffic to TCP port 25 what could this indicate?
a local bot sending spam to other networks
543
What tool would you use to hijack a session by predicting the next session ID token and modifying the contents of the packet?
Burp Suite
544
What techniques does Aircrack-ng use to crack WEP keys?
Dictionary | KoreK | PTW
545
What attack can you perform with BBProxy?
Blackjacking
546
What is a bluesnarfing attack?
An attacker gains unauthorized access to information on a Bluetooth-enabled device.
547
What is Bluejacking?
sending unsolicited messages to Bluetooth-enabled devices over OBEX communications protocol.
548
What is Bluebugging
An attacker creates a back door on a Bluetooth-enabled device.
549
What is Blackjacking?
Using a Blackberry device as a proxy between the Internet and a private network.
550
What Nmap switch activates Nmap Scripting Engine
-sC
551
What risk component is measured in lost business or time
Cost
552
What is the primary security concern with Bluetooth?
uses a weak encryption cipher
553
What is a command-line tool that can generate ARP, Ethernet, TCP, and UDP packets?
Nemesis
554
What type of traffic do stateful firewalls allow in?
Traffic that was requested internally in the network
555
How are SOAP messages sent?
one-way transmissions
556
What order are snort rules evaluated?
Pass, Drop, Alert, Log
557
To what attack is RSA particularly susceptible?
chosen ciphertext
558
Is evaluating TTL fields, TCP window sizes, DF flags, and ToS active or passive?
Passive
559
What is 802.1X?
authentication for port-based connections (NAC)
560
What will the net use command prompt
You will see a list of connected shared resources
561
Is a TCP Xmas scan stealthy?
No
562
what does -p- do in a Nmap scan?
scans ports 1 through 65535
563
What does RUDY do?
It starves a webserver by keeping sessions open as long as possible
564
what type of authentication is a biometric passport?
something you have
565
What is a full-featured APT scanner?
THOR
566
Who maintains OSSTMM
ISECOM
567
What is one method of deobfuscation?
using program slicing
568
What is one way to mitigate against CSRF?
The website can send a random challenge token
569
How can hidden form field manipulation attacks be mitigated?
input validation
570
What language is most commonly vulnerable to buffer overflow?
C++
571
What is a common web scanner used for auditing a target?
Acunetix
572
What type of attack is this | "\x46\x46\x47\x77\x6f\x4e\x6f\x6f\x39\x78\x4x\
Buffer Overflow
573
What type of password cracking tool does THC Hydra use?
Dictionary
574
What layers do stateful firewalls and packet-filtering firewalls operate at?
Network and | Transport
575
What would you use MSCONFIG for?
to diagnose problems with the startup process on a computer
576
What does Low Orbit Ion Cannon do?
floods a server with TCP, UDP, or HTTP packets
577
What is key escrow used for?
access sensitive data if the need arises
578
What is occurring here:
sudo mkdir /media/sda1
sudo mount /dev/sda1 /media/sda1
sudo chroot /media/sda1
passwd D4n3wp4$$
Changing a password in Ubuntu
579
If you issue the command nmap 10.10.10.10 what will you receive?
Nmap will return TCP port information about 10.10.10.10
580
What does Maltego do?
Displays relational information by using graphs and links
581
When does Windows not respond to ICMP Echo?
When the ping is sent to a network or broadcast address
582
When would you use IKE scan?
to fingerprint VPN servers
583
What type of virus infects the boot sector AND various files and programs?
a multipartite virus
584
Why would you issue openssl s_server ?
to create an SSL/TLS server
585
What is the difference between TCSEC and TNIEG
> TCSEC provides guidance on computer security | > TNIEG provides guidance on network security
586
What windows command tells you which users have recently logged in to a specific windows host?
eventvwr.msc
587
Which character can be used to perform CSPP attack
;
588
What are three common federated identity management models?
> Trusted third-party model > Cross-Certification trust model > Bridge model
589
What does the -r option do with grep in Linux?
configures grep to search recursively
590
What does the -l option do with grep in Linux?
Configures grep to list only files that contain the specified term.
591
What would you put with grep to search files with specific names?
-ls (-rl searches for content)
592
What should the network address and subnet mask be set to to create a default route?
0.0.0.0 as in | route add 0.0.0.0 mask 0.0.0.0 192.168.1.1
593
What is a man-in-the-middle attack used to downgrade TLS to earlier versions of SSL?
Poodle
594
What is an injection vulnerability that can be used to force OpenSSL to use a weak method of keying
CCS Injection
595
What does the - in nmap -sS 10.0-2.0.1 mean?
it means it will scan | 10.0.0.1, 10.1.0.1, and 10.2.0.1
596
What is the likelihood that a threat against a company will be successful?
Vulnerability
597
What is the frequency, or rate, of a potential negative event?
Threat
598
What is a difference between containers and VMs
VMs require a hypervisor, containers do not
599
How do you enable wireshark on a host to capture all traffic from a switch
enable port mirroring on the switch
600
What does nmap -A do?
aggressive scanning : OS fingerprinting, version detection, script scanning, and traceroute
601
How do you implement NIDS on a network
connect it to the SPAN port on a switch
602
If you set no switches with netcat what happens?
Just configures an outbound connection
603
What would user-created data in an HPA (host-protected area) indicate
Hidden data probably exists on a computer
604
What layer does DNS operate at?
7
605
If hiding an executable "dangerous.exe" within a text file name "innocent.txt" by using ADS what command would you issue?
start innocent.txt:dangerous.exe
606
Which spoofing occurs during a trust relationship?
ARP spoofing
607
What does the U.S. Gramm-Leach-Bliley Act (GLBA) protect?
confidentiality and integrity of personal information collected by financial institutions
608
What does an attacker do in a Bluesmack attack?
Denies access to a Bluetooth device
609
In a SYN flood, what does the attacker not send?
The final ACK message
610
What is the format for Unicode?
UTF-8 (Unicode Transformation Format)
611
What is the purpose of WS-SecureConversation?
to create security contexts for faster message exchanges
612
What command lists aliases of computers in the DNS domain (nslookup)
ls -a
613
What command lists CPU and OS information for the DNS domain (nslookup)
ls -h
614
What command lists well-known services of computers in the DNS domain (nslookup)
ls -s
615
What is an open-source UNIX/Linux command-line network scanner?
Dmitry
616
What Burp suite feature is used for customized brute-force attack?
intruder tool
617
Is a device on a promiscuous port NIPS or NIDS?
NIDS
618
What can Cain &amp; Abel do that John the Ripper can't?
record and extract VoIP conversations
619
What would you use to hide your identity while attempting to gain access to a UNIX host
use a proxy server
620
What does Airsnarf do
sniffs passwords and user IDs
621
What is a piece of malware aimed at Android phones, taking advantage of two-factor authentication to control the phone itself
ZitMo
622
What would you use to discover an organization's restricted URLs?
netcraft
623
What is an IPSec VPN scanning, fingerprinting, and testing tool?
IKE-scan
624
What is an attack whereby SOAP messages are replayed as if they are legitimate
Wrapping attack
625
Who does CSIRT help
associates of the department of homeland security
626
Where is the password file kept on a Linux machine
/etc
627
What command is used to open Computer Management on a Windows OS machine
compmgmt.msc
628
Describe port security
allows traffic from a specific MAC address to enter to a port
629
What is a windows tool that can detect wireless traffic on 802.11a,b, and g networks (not on 802.11n)
NetStumbler
630
Command to banner grab with telnet
telnet &lt;host&gt; 80 (host is a placeholder for the target address)
631
What tools are used for Bluetooth device discovery
BlueScanner | BT Browser
632
What IoT attack involves sniffing, jamming, and replaying a car key fob signal
Rolling code
633
What are two applications that may help against phishing
Netcraft Toolbar | PhishTank Toolbar
634
What attack is known as a cross-guest VM breach?
Side channel
635
What are software tools that use a combination of encryption and code manipulation to render malware undetectable to antivirus?
crypters
636
What are two automated methods of pentesting?
Core Impact | CANVAS
637
What DOS attack goes after load balancers, firewalls, and application servers by attacking connection state tables?
TCP state-exhaustion attacks
638
When would a secondary name server request a zone transfer from a primary?
When the primary SOA serial number is higher
639
What are the steps in signing a message using PKI
> Create a hash of message > Encrypt with your private key > Encrypt message with recipients public key
640
What attack does )(&) indicate
LDAP
641
What is the top vulnerability for IoT systems?
Insecure web interface
642
If a rootkit is discovered on the system, what is the best alternative for recovery?
Reload the entire system from known-good media
643
What network do IoT enabled vehicles use?
VANET
644
What are the OSSTMM process controls?
Nonrepudiation
Confidentiality
Privacy
Integrity
Alarm
645
What are the OSSTMM interactive controls?
Continuity
Authentication
Indemnification
Resilience
Subjugation
646
In Windows, what switch allows you to set the size of the echo request packet?
-l
647
What is a tool to perform an automated test against AWS?
CloudInspect
648
What is the process of evaluating assets to determine the amount of vulnerability each represents to the organization?
Risk Assessment
649
What is the best choice for protection against privilege escalation?
Ensuring services run with least privilege
650
What is an encrypted version of netcat
CryptCat
651
What vulnerability occurs when debug is enabled in an application?
Misconfiguration
652
What vulnerability assessment focuses on Web apps, traditional client server apps, and hybrid systems?
Application Assessment
653
What command will start Nessus in the background in Linux?
nessus &
654
What type of assessment tool is used to find and identify previously unknown vulnerabilities in a system?
Depth assessment tools
655
What are the three metrics for measuring vulnerabilities
Base metrics - inherent qualities | Temporal metrics - features that keep changing | Environmental metrics
656
What is the best way to crack Windows Server 2003 (or anything using LM)?
Rainbow table
657
What vulnerability is found in Intel processors and leads to tricking a process to access out-of-bounds memory by exploiting CPU optimization
Meltdown
658
What vulnerability leads to tricking a processor to exploit speculative execution to read restricted data?
Spectre
659
What technique do attackers use to escalate privileges in Windows OS?
Application Shimming
660
What rootkit runs in Ring-0 with the highest operating system privileges? (also most difficult to detect)
Kernel-level
661
What rootkit patches, hooks, or supplants system calls with backdoor versions?
library-level rootkit
662
What is used by an attacker to distribute a payload and to create covert channels?
TCP Parameters
663
what command line tool is used to manipulate log files (not delete or disable entirely)
SECEVENT.EVT
664
What windows service vulnerability does WannaCry ransomware exploit?
SMB
665
What are the three ways to sniff traffic on a switched network?
MAC flooding | MAC duplication | ARP spoofing
666
What DNS poisoning technique uses ARP poisoning against switches to manipulate routing table?
Intranet DNS spoofing
667
Is querying published name servers of the target passive or active footprinting?
active
668
What countermeasure helps organizations prevent information disclosure through banner grabbing?
Configure IIS
669
Hping3 command for ACK scan?
hping3 -A -p 80
670
Attackers exploit HTML5 in an app and bypass mobile app login process. What attack is this?
CORS (Cross Origin Resource Sharing)
671
What attack does multiple layers of antivirus defense (including AV and e-mail gateway) mitigate?
Social Engineering
672
What type of packet inspection is a firewall conducting if it responds that port 80 is unfiltered?
Stateless
673
What can an admin do to verify that a tape backup can be recovered in its entirety?
Perform a full restore
674
What is TRUE regarding network firewalls preventing web application attacks?
Network firewalls cannot prevent attacks because ports 80 and 443 must be opened
675
A pentester gains access to a Windows app server and needs to determine the settings of the built-in Windows firewall. What command would be used?
Netsh firewall show config
676
What does a vulnerability scanner use in order to detect a vulnerability on a target service?
Analyzing service response
677
What setting enables Nessus to detect when it is sending too many packets and the pipe is approaching capacity?
Reduce parallel connections on congestion
678
What is used to indicate a single-line comment in SQL?
--
679
What NMAP feature should a tester implement or adjust to avoid detection by IDS
Timing options can be used to slow the speed of the port scan
680
A properly implemented digital signature should be encrypted with what key?
Signer's private key
681
How does an OS protect the passwords used for account logins?
OS performs a one time hash of the password
682
What is the purpose of conducting security assessments on network resources?
Validation
683
What is Diffie-Hellman group 5 key size?
1536 bit
684
What is Diffie-Hellman group 2 key size?
1024 bit
685
What is Diffie-Hellman group 14 key size?
2048 bit
686
What is Diffie-Hellman group 15 key size?
3072 bit
687
If a billing address is limited to 50 characters, what pseudo code would the developer use to avoid a buffer overflow attack?
If (billing Address < 50) {update field} else exit
688
What technique is used to perform a CSPP attack?
Injecting parameters into a connection string using semicolons as a separator
689
What two statements are true regarding LAN manager hashes?
1. Lowercase characters in the password are converted to uppercase
2. LM hashes are not generated when the password length exceeds 15 characters
690
What virtualization occurs when a VS is completely independent and unaware of other virtual servers on the same physical machine?
Full virtualization
691
A hacker is attempting to see which IP addresses are currently active on a network. Which NMAP switch would the hacker use?
-sP
692
Which enumeration step extracts information about encryption and hashing algorithms, and more?
IPSec Enumeration
693
Why is a stored biometric vulnerable to an attack?
A stored biometric can be stolen and used by an attacker to impersonate the individual identified by the biometric
694
What is the appropriate step if a computer technician notices that a special sequence of characters causes a computer to crash and no one else has experienced the problem?
Notify the vendor of the bug and do not disclose it until the vendor fixes it
695
What type of firewall inspects only header information in network traffic?
Stateful inspection firewall
696
What security control does encryption meet?
Preventative
697
What is a great way to restrict malicious input?
Validate web content input for type, length, and range
698
How should a security team determine which alerts to check first?
Investigate based on the potential effect of the incident
699
What technique will help a company protect against enumeration on their publicly hosted web app?
Remove records for internal hosts
700
What port does Nessus daemon listen to (default)?
Port 1241
701
Firewalk concludes the following: TCP port 21 - no response, TCP port 22 - no response, TCP port 23 - TTL exceeded. What does this mean?
Scan on port 23 passed through the filtering device. This indicates that port 23 was not blocked at the firewall.
702
What vulnerability does alert thresholding in an IDS introduce?
An attacker, working slowly enough, can evade detection by the IDS
703
What vulnerability is login.php vulnerable to?
SQL injection
704
What bit size encryption does WPA2 use?
128 bit
705
What will NMAP -sS -O -p 123-153 192.168.100.3 do?
A stealth scan determining operating system on ports 123 through 153
706
What is the command to use telnet to fingerprint a web server?
telnet (webserver IP) 80
HEAD / HTTP/1.0
707
Which virus hides from AV by actively altering and corrupting the chosen service call interruptions when they are being run?
Tunneling virus
708
A pentester is using Metasploit to exploit an FTP server and pivot to a LAN. How will the pentester pivot using Metasploit?
Create a route statement in the meterpreter
709
A hacker injects malicious data into the intercepted communications in a TCP session when the victim has disabled source routing. What kind of attack is this?
Blind Hijacking
710
What do you need to know to crack a WEP key?
MAC AP | SSID
711
What scripting engine does NMAP need to be used as a basic vulnerability scanner?
NSE (Nmap Scripting Engine)
712
What are the types of rootkits?
Kernel
Hardware / firmware
Hypervisor
Bootloader
Memory
Application
Library
713
Why would a pen test not contain management or control packets in the submitted traces?
Certain operating systems and adapters do not collect the management or control packets
714
What are valid data-gathering activities associated with a risk assessment? 
Threat identification, vulnerability identification, control analysis
715
What NMAP command would let a tester scan every TCP port from a class C network that is blocking ICMP with fingerprinting and service detection?
NMAP -PN -A -O -sS 192.168.2.0/24
716
Low humidity in a data center can cause which of the following problems?
Static electricity
717
Which vulnerability would this command display: alert('TestingTestingTesting')?
XSS
718
Which NMAP switch would show which ports have been left open on a network?
-sO
719
What type of access control is used on a router or firewall to limit network activity?
Rule Based
720
What network layer security control will prevent attacks such as session hijacking?
SSL
721
What tool is used to automate SQL injections?
Safe3 SQL-Injector
722
What jailbreaking allows user-level access but doesn't allow iboot-level access?
Userland exploit
723
When does the Payment Card Industry (PCI-DSS) require organizations to perform external and internal penetration testing?
Once a year and after any significant infrastructure or application upgrade or modification
724
An IT security engineer notices that the company's web server is currently being hacked. What should the engineer do next? 
Unplug the network connection on the company's web server
725
What describes a component of PKI where a copy of a private key is stored to provide third-party access and to facilitate recovery operations?
Key Escrow
726
What security policy must a security analyst check to see if dial-out modems are allowed?
Remote-access policy
727
When creating a security program, which approach would be used if senior management is supporting and enforcing the security policy?
A top down approach
728
One way to defeat a multi-level security solution is to leak data via?
Covert Channels
729
How can a rootkit bypass Windows 7 operating system's kernel mode, and code signing policy?
Attaching itself to the master boot record in a hard drive and changing the machine's boot sequence/options
730
How can NMAP be used to scan 5 adjacent Class C networks?
NMAP -P 192.168.1-5
731
What is the primary drawback of using AES with 256 bit key?
Each recipient must receive the key through a different channel than the message
732
What does snort do when an alert rule is matched?
Continues to evaluate the packet until all rules are checked
733
What hardware requirements must IDS/IPS have in order to properly function?
They must be dual-homed
734
What are two variants of mandatory access control?
1. 2-factor authentication
2. Username / Password
735
What is a common SOA vulnerability?
XML denial of service issues
736
How do employers protect assets with security policies pertaining to employee surveillance activities?
Employers provide employees written statements that clearly discuss the boundaries of monitoring activities and consequences
737
Which type of antenna is used in wireless communication?
Omni-directional
738
What tool is used to execute commands of choice by tunneling them inside the payload of ICMP echo packets if ICMP is allowed through a firewall?
Loki
739
What indicator identifies a network intrusion?
Repeated probes of the available services on your machines
740
What is the main advantage that a network based IDS/IPS system has over a host-based solution?
They do not use host system resources
741
What is the name of the international standard that establishes a baseline level of confidence in the security functionality of IT products by providing a set of requirements for evaluation?
Common Criteria
742
A pen tester is attempting to scan an internal corporate network from the Internet without alerting the border sensor. Which technique should the tester consider using?
Tunneling scan over SSH
743
Which type of assessment tools are used to find and identify previously unknown vulnerabilities in a system?
Depth assessment tools
744
What is a common vulnerability management tool for mobile devices?
Retina CS for Mobile
745
Which element in a vulnerability scanning report allows the system admin to obtain info such as the origin of the scan?
Classification
746
A network security administrator is worried about potential man-in-the-middle attacks when users access a corporate web site from their workstations. Which of the following is the best remediation against this type of attack?
Requiring client and server PKI certificates for all connections
747
What vulnerability would this code show: <IMG SRC=vbscript:msgbox("Vulnerable");>
XSS
748
What is an attack specific to UDP that sends packets with a spoofed source address to a directed broadcast address?
Fraggle
749
You create a firewall rule that allows Telnet traffic between 192.168.110.64/26 and 10.1.110.0/26 ... what rule is true?
Any device on 192.168.110.64/26 network can establish a Telnet session with any device on the 10.1.110.0/26 network.
750
When footprinting an organization during a black-box pen test, what resource would you likely use?
mailing list messages
751
What is a primary benefit of signature-matching IDSs?
low false positive rate
752
What is true of TCPView?
updates every second by default
753
On which OS would you be most likely to experience difficulty collecting 802.11 management and control packets in monitor mode?
Windows
754
What term describes BGP?
a routing protocol
755
What can you do with the Abel half of the Cain & Abel utility?
launch a system shell on a remote computer
756
What file contains a list of currently logged-in users on a Linux computer?
utmp
757
Which HTTP method is commonly used to retrieve only HTTP header information?
HEAD
758
What is also known as cache poisoning?
DNS spoofing
759
Where can Nikto save log information?
libwhisker
760
What is the most accurate, noninvasive biometric access control?
an Iris scan
761
If a database does not allow the use of time-delay functions for an attack what method should be tried?
heavy query
762
What tool combines Trinoo and TFN?
Stacheldraht
763
What is a passive OS fingerprinting tool?
p0f
764
What C library function performs bounds checking on its input?
fgets()
765
What step in Common Criteria is divided into seven ratings?
EAL
766
What happens when AH is used in tunnel mode?
It provides authentication and integrity, but not encryption for the packet.
767
Which Google string searches for exposed directory listings on web servers?
intitle:
768
What occurs during the Design phase of Microsoft's Security Development Lifecycle?
Threat modeling
769
Which protocol does Hping2 use by default?
TCP
770
In which compliance category does OSSTMM place PCI DSS?
contractual