Certified Ethical Hacker. Test 1 - Victor Flashcards
Determine the attack according to the following scenario:
Benjamin performs a cloud attack during the translation of the SOAP message in the TLS layer. He duplicates the body of the message and sends it to the server as a legitimate user. As a result of these actions, Benjamin managed to access the server resources to unauthorized access.
A. Cloud Hopper
B. Cloudborne
C. Wrapping
D. Side-channel
C. Wrapping
Explanation
Wrapping attacks aim at injecting a faked element into the message structure so that a valid signature covers the unmodified element while the faked one is processed by the application logic. As a result, an attacker can perform an arbitrary Web Service request while authenticating as a legitimate user.
Wrapping attack which uses Extensible Mark-up Language (XML) signature element in order to weaken the web servers’ validation requests. When a user requests for a service, it is interacted with using Simple Object Access Protocol (SOAP) and submitted in XML format. This type of attack usually occurs during the translation of SOAP messages in the Transport Layer Service (TLS) layer between the web server and valid user. The message body will be duplicated and sent to the server as a valid user. The hacker will copy the user’s account login details. During the login session, the hackers will inject a spurious element into the message structure. They will modify the original content with malicious code. After that, the message is sent to servers. The server will approve the message as the body is unchanged. As a result, the hackers will be able to access the server resources to unauthorized access.
Incorrect answers:
Cloud Hopper https://www.bankinfosecurity.com/report-cloud-hopper-attacks-affected-more-msps-a-13565
The hacking campaign, known as “Cloud Hopper,” was the subject of a U.S. indictment in December that accused two Chinese nationals of identity theft and fraud. Prosecutors described an elaborate operation that victimized multiple Western companies but stopped short of naming them. A Reuters report at the time identified two: Hewlett Packard Enterprise and IBM.
Cloudborne
An attack scenario affecting various cloud providers could allow an attacker to implant persistent backdoors for data theft into bare-metal cloud servers, which would be able to remain intact as the cloud infrastructure moves from customer to customer. This opens the door to a wide array of attacks on businesses that use infrastructure-as-a-service (IaaS) offerings.
Appropriately dubbed “Cloudborne” by Eclypsium, the attack vector (which the firm characterizes as a critical weakness) consists of the use of a known vulnerability in bare-metal hardware along with a weakness in the “reclamation process.”
In the Cloudborne scenario, an attacker can first use a known vulnerability in Supermicro hardware (present in many cloud providers’ infrastructure, the firm said), to overwrite the firmware of a Baseboard Management Controller (BMC). BMCs are a third-party component designed to enable remote management of a server for initial provisioning, operating system reinstall and troubleshooting.
Side-channel https://en.wikipedia.org/wiki/Side-channel_attack
A side-channel attack is any attack based on information gained from the implementation of a computer system, rather than weaknesses in the implemented algorithm itself (e.g. cryptanalysis and software bugs). Timing information, power consumption, electromagnetic leaks or even sound can provide an extra source of information, which can be exploited.
John needs to choose a firewall that can protect against SQL injection attacks. Which of the following types of firewalls is suitable for this task?
A. Hardware firewall.
B. Packet firewall.
C. Web application firewall.
D. Stateful firewall.
C. Web application firewall.(Correct)
Explanation
https://en.wikipedia.org/wiki/Web_application_firewall
A web application firewall (WAF) is a specific form of application firewall that filters, monitors, and blocks HTTP traffic to and from a web service. By inspecting HTTP traffic, it can prevent attacks exploiting a web application’s known vulnerabilities, such as SQL injection, cross-site scripting (XSS), file inclusion, and improper system configuration.
Incorrect answers:
Stateful firewallhttps://en.wikipedia.org/wiki/Stateful_firewall
A stateful firewall is a network-based firewall that individually tracks sessions of network connections traversing it. Stateful packet inspection also referred to as dynamic packet filtering, is a security feature often used in non-commercial and business networks.
Packet firewall
Packet filtering firewall is a network security technique that is used to control data flow to and from a network. It is a security mechanism that allows the movement of packets across the network and controls their flow on the basis of a set of rules, protocols, IP addresses, and ports.
Hardware Firewalls
Hardware firewalls use a physical appliance that acts in a manner similar to a traffic router to intercept data packets and traffic requests before they’re connected to the network’s servers. Physical appliance-based firewalls like this excel at perimeter security by making sure malicious traffic from outside the network is intercepted before the company’s network endpoints are exposed to risk.
Suppose your company has implemented identify people based on walking patterns and made it part of physical control access to the office. The system works according to the following principle:
The camera captures people walking and identifies employees, and then they must attach their RFID badges to access the office.
Which of the following best describes this technology?
A. Biological motion cannot be used to identify people.
B. The solution implements the two factors authentication: physical object and physical characteristic.
C. Although the approach has two phases, it actually implements just one authentication factor.
D. The solution will have a high level of false positives.
B. The solution implements the two factors authentication: physical object and physical characteristic.(Correct)
Explanation
https://en.wikipedia.org/wiki/Multi-factor_authentication
The authentication factors of a multi-factor authentication scheme may include:
· Something you have: Some physical object in the possession of the user, such as a security token (USB stick), a bank card, a key, etc.
· Something you know: Certain knowledge only known to the user, such as a password, PIN, TAN, etc.
· Something you are: Some physical characteristic of the user (biometrics), such as a fingerprint, eye iris, voice, typing speed, pattern in key press intervals, etc.
· Somewhere you are: Some connection to a specific computing network or using a GPS signal to identify the location.
Which of the following incident handling process phases is responsible for defining rules, employees training, creating a back-up, and preparing software and hardware resources before an incident occurs?
A. Recovery
B. Identification
C. Preparation
D. Containment
C. Preparation(Correct)
Explanation
- Preparation
Among the most important of all the steps in an incident response plan is the preparation stage. During the preparation phase, organizations should establish policies and procedures for incident response management and enable efficient communication methods both before and after the incident.
Employees should be properly trained to address security incidents and their respective roles. Companies need to develop incident response drill scenarios that are practiced regularly and modified as needed based on changes in the environment. All aspects of an incident response plan, including training, software and hardware resources, and execution, should be fully approved and funded before an incident occurs.
- Identification
The identification phase of an incident response plan involves determining whether or not an organization has been breached. It is not always clear at first whether a breach or other security incident has occurred. Besides, breaches can originate from a wide range of sources, so it is important to gather details. When determining whether a security incident has occurred, organizations should look at when the event happened, how it was discovered, and who discovered the breach. Companies should also consider how the incident will impact operations if other areas have been impacted and the compromise’s scope.
- Containment
If it is discovered that a breach has occurred, organizations should work fast to contain the event. However, this should be done appropriately and does not require all sensitive data to be deleted from the system. Instead, strategies should be developed to contain the breach and prevent it from spreading further. This may involve disconnecting the impacted device from the internet or having a back-up system that can be used to restore normal business operations. Having remote access protocols in place can help ensure that a company never loses access to its system.
- Neutralization
Neutralization is one of the most crucial phases of the incident response process and requires the intelligence gathered throughout the previous stages. Once all systems and devices that have been impacted by the breach have been identified, an organization should perform a coordinated shutdown.
To ensure that all employees are aware of the shutdown, employers should send out notifications to all other IT team members. Next, the infected systems and devices should be wiped clean and rebuilt. Passwords on all accounts should also be changed. If a business discovers that there are domains or IP addresses that have been affected, it is essential to block all communication that could pose a risk.
- Recovery
The recovery phase of an incident response plan involves restoring all affected systems and devices to allow for normal operations to continue. However, before getting systems back up and running, it is vital to ensure that the breach’s cause has been identified to prevent another breach from occurring again. During this phase, consider how long it will take to return systems to normal, whether systems have been patched and tested, whether a system can be safely restored using a backup, and how long the system will need to be monitored.
- Review
The final step in an incident response plan occurs after the incident has been solved. Throughout the incident, all details should have been properly documented so that the information can be used to prevent similar breaches in the future. Businesses should complete a detailed incident report that suggests tips on how to improve the existing incident plan. Companies should also closely monitor any post-incident activities to look for threats. It is important to coordinate across all departments of an organization so that all employees are involved and can do their part to help prevent future security incidents.
Viktor, the white hat hacker, conducts a security audit. He gains control over a user account and tries to access another account’s sensitive information and files. How can he do this?
A. Port Scanning
B. Privilege Escalation
C. Fingerprinting
D. Shoulder-Surfing
B. Privilege Escalation(Correct)
Explanation
https://en.wikipedia.org/wiki/Privilege_escalation
Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The result is that an application with more privileges than intended by the application developer or system administrator can perform unauthorized actions.
Most computer systems are designed for use with multiple user accounts, each of which has abilities known as privileges. Common privileges include viewing and editing files, or modifying system files.
Privilege escalation means a user receives privileges they are not entitled to. These privileges can be used to delete files, view private information, or install unwanted programs such as viruses. It usually occurs when a system has a bug that allows security to be bypassed or, alternatively, has flawed design assumptions about how it will be used. Privilege escalation occurs in two forms:
· Vertical privilege escalation, also known as privilege elevation, where a lower privilege user or application accesses functions or content reserved for higher privilege users or applications (e.g. Internet Banking users can access site administrative functions or the password for a smartphone can be bypassed.)
· Horizontal privilege escalation, where a normal user accesses functions or content reserved for other normal users (e.g. Internet Banking User A accesses the Internet bank account of User B)
Incorrect answers:
Port Scanning
Port scanning is a method of determining which ports on a network are open and could be receiving or sending data. It is also a process for sending packets to specific ports on a host and analyzing responses to identify vulnerabilities. This scanning process can’t occur without identifying a list of active hosts and mapping those hosts to their IP addresses. After a thorough network scan is complete and a host list is compiled, a proper port scan can occur. The organization of IP addresses, hosts, and ports allows the scanner to properly identify open or vulnerable server locations to diagnose security levels.
Fingerprint https://en.wikipedia.org/wiki/Fingerprint_(computing)
A fingerprinting algorithm is a procedure that maps an arbitrarily large data item (such as a computer file) to a much shorter bit string, its fingerprint, that uniquely identifies the original data for all practical purposes just as human fingerprints uniquely identify people for practical purposes. This fingerprint may be used for data deduplication purposes. This is also referred to as file fingerprinting, data fingerprinting, or structured data fingerprinting. Fingerprints are typically used to avoid the comparison and transmission of bulky data. For instance, a web browser or proxy server can efficiently check whether a remote file has been modified, by fetching only its fingerprint and comparing it with that of the previously fetched copy.
Shoulder-Surfing https://en.wikipedia.org/wiki/Shoulder_surfing_(computer_security)
In computer security, shoulder surfing is a type of social engineering technique used to obtain information such as personal identification numbers (PINs), passwords and other confidential data by looking over the victim’s shoulder, either from keystrokes on a device or sensitive information being spoken and heard, also known as eavesdropping.
Which of the following cipher is based on factoring the product of two large prime numbers?
- SHA-1
- RSA
- MD5
- RC5
B. RSA(Correct)
Explanation
https://en.wikipedia.org/wiki/RSA_(cryptosystem)
SA (Rivest–Shamir–Adleman) is a public-key cryptosystem that is widely used for secure data transmission. It is also one of the oldest. The acronym RSA comes from the surnames of Ron Rivest, Adi Shamir, and Leonard Adleman, who publicly described the algorithm in 1977. An equivalent system was developed secretly, in 1973 at GCHQ (the British signals intelligence agency), by the English mathematician Clifford Cocks. That system was declassified in 1997.
In a public-key cryptosystem, the encryption key is public and distinct from the decryption key, which is kept secret (private). An RSA user creates and publishes a public key based on two large prime numbers, along with an auxiliary value. The prime numbers are kept secret. Messages can be encrypted by anyone, via the public key, but can only be decoded by someone who knows the prime numbers.
Incorrect answers:
SHA-1 https://en.wikipedia.org/wiki/SHA-1
SHA-1 (Secure Hash Algorithm 1) is a cryptographic hash function which takes an input and produces a 160-bit (20-byte) hash value known as a message digest – typically rendered as a hexadecimal number, 40 digits long. It was designed by the United States National Security Agency, and is a U.S. Federal Information Processing Standard.
SHA-1 produces a message digest based on principles similar to those used by Ronald L. Rivest of MIT in the design of the MD2, MD4 and MD5 message digest algorithms, but generates a larger hash value (160 bits vs. 128 bits).
MD5 https://en.wikipedia.org/wiki/MD5
The MD5 message-digest algorithm is a widely used hash function producing a 128-bit hash value. Although MD5 was initially designed to be used as a cryptographic hash function, it has been found to suffer from extensive vulnerabilities. It can still be used as a checksum to verify data integrity, but only against unintentional corruption. It remains suitable for other non-cryptographic purposes, for example for determining the partition for a particular key in a partitioned database.
RC5 https://en.wikipedia.org/wiki/RC5
RC5 is a symmetric-key block cipher notable for its simplicity. Designed by Ronald Rivest in 1994, RC stands for “Rivest Cipher”, or alternatively, “Ron’s Code” (compare RC2 and RC4). The Advanced Encryption Standard (AES) candidate RC6 was based on RC5.
What is meant by a “rubber-hose” attack in cryptography?
- Forcing the targeted keystream through a hardware-accelerated device such as an ASIC.
- Extraction of cryptographic secrets through coercion or torture.
- Attempting to decrypt ciphertext by making logical assumptions about the contents of the original plain text.
- A backdoor is placed into a cryptographic algorithm by its creator.
- Extraction of cryptographic secrets through coercion or torture.(Correct)
Explanation
https://en.wikipedia.org/wiki/Rubber-hose_cryptanalysis
A powerful and often the most effective cryptanalysis method in which the attack is directed at the most vulnerable link in the cryptosystem - the person. In this attack, the cryptanalyst uses blackmail, threats, torture, extortion, bribery, etc. This method’s main advantage is the decryption time’s fundamental independence from the volume of secret information, the length of the key, and the cipher’s mathematical strength.
The method can reduce the time to guess a password, for example, for AES, to an acceptable level; however, it requires special authorization from the relevant regulatory authorities. Therefore, it is outside the scope of this course and is not considered in its practical part. (Pss, it’s a joke, ok? ^_^)
Attacker uses various IDS evasion techniques to bypass intrusion detection mechanisms. At the same time, IDS is configured to detect possible violations of the security policy, including unauthorized access and misuse. Which of the following evasion method depend on the Time-to-Live (TTL) fields of a TCP/IP ?
- Insertion Attack
- Unicode Evasion
- Denial-of-Service Attack
- Obfuscation
- Insertion Attack(Correct)
According to the EC-Council’s study guides, the Insertion Attack looks like this:The attacker can send packets whose time-to-live (TTL) fields are crafted to reach the IDS but not the target computers. This will result in the IDS and the target system having two different character strings. An attacker confronts the IDS with a stream of one-character packets (the attacker-originated data stream), in which one of the characters (the letter “X”) will be accepted only by the IDS. As a result, the IDS and the end system reconstruct two different strings.
More information about Insertion Attack:
An IDS can accept a packet that an end-system rejects. An IDS that does this makes the mistake of believing that the end-system has accepted and processed the packet when it actually hasn’t. An attacker can exploit this condition by sending packets to an end-system that it will reject, but that the IDS will think are valid. In doing this, the attacker is “inserting’’ data into the IDS — no other system on the network cares about the bad packets.
It calls an “insertion’’ attack, and conditions that lend themselves to insertion attacks are the most prevalent vulnerabilities in the intrusion detection systems we tested. An attacker can use insertion attacks to defeat signature analysis, allowing her to slip attacks past an IDS.
To understand why insertion attacks foil signature analysis, it’s important to understand how the technique is employed in real ID systems. For the most part, signature analysis'' uses pattern-matching algorithms to detect a certain string within a stream of data. For instance, an IDS that tries to detect a PHF attack will look for the stringphf’’ within an HTTP “GET’’ request, which is itself a longer string that might look something like “GET /cgi-bin/phf?’’.
The IDS can easily detect the string “phf’’ in that HTTP request using a simple substring search. However, the problem becomes much more difficult to solve when the attacker can send the same request to a webserver, but force the IDS to see a different string, such as “GET /cgi-bin/pleasedontdetecttthisforme?’’. The attacker has used an insertion attack to add “leasedontdetectt’’, “is’’, and “orme’’ to the original stream. The IDS can no longer pick out the string “phf’’ from the stream of data it observes.
Incorrect answers:
Denial-of-Service Attackhttps://en.wikipedia.org/wiki/Denial-of-service_attack
A denial-of-service attack (DoS attack) is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet. Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled.
In a distributed denial-of-service attack (DDoS attack), the incoming traffic flooding the victim originates from many different sources. This effectively makes it impossible to stop the attack simply by blocking a single source.
A DoS or DDoS attack is analogous to a group of people crowding the entry door of a shop, making it hard for legitimate customers to enter, thus disrupting trade.
Obfuscation
Obfuscation refers to the process of concealing something important, valuable, or critical. Cybercriminals use obfuscation to conceal information such as files to be downloaded, sites to be visited, etc.
Unicode invasion
Using Unicode representation, where each character has a unique value regardless of the platform, program, or language, is also an effective way to evade IDSs. For example, an attacker might evade an IDS by using the Unicode character c1 to represent a slash for a Web page request.
What actions should be performed before using a Vulnerability Scanner for scanning a network?
- Checking if the remote host is alive.
- TCP/UDP Port scanning.
- TCP/IP stack fingerprinting.
- Firewall detection.
- Checking if the remote host is alive.(Correct)
Explanation
Vulnerability scanning solutions perform vulnerability penetration tests on the organizational network in three steps:
1.Locating nodes:The first step in vulnerability scanning is to locate live hosts in the target network using various scanning techniques.
2.Performing service and OS discovery on them:After detecting the live hosts in the target network, the next step is to enumerate the open ports and services and the operating system on the target systems.
3.Testing those services and OS for known vulnerabilities:Finally, after identifying the open services and the operating system running on the target nodes, they are tested for known vulnerabilities.
Which of the following methods is best suited to protect confidential information on your laptop which can be stolen while travelling?
- Password protected files.
- BIOS password.
- Hidden folders.
- Full disk encryption.
- Full disk encryption.(Correct)
Explanation
https://en.wikipedia.org/wiki/Disk_encryption#Full_disk_encryption
The best solution of all the above options is Full Disk encryption as it provides the highest security.
Full disk encryption has several benefits compared to regular file or folder encryption, or encrypted vaults. The following are some benefits of disk encryption:
· Nearly everything including the swap space and the temporary files is encrypted. Encrypting these files is important, as they can reveal important confidential data. With a software implementation, the bootstrapping code cannot be encrypted however. For example, BitLocker Drive Encryption leaves an unencrypted volume to boot from, while the volume containing the operating system is fully encrypted.
· With full disk encryption, the decision of which individual files to encrypt is not left up to users’ discretion. This is important for situations in which users might not want or might forget to encrypt sensitive files.
· Immediate data destruction, such as simply destroying the cryptographic keys (crypto-shredding), renders the contained data useless. However, if security towards future attacks is a concern, purging or physical destruction is advised.
alert tcp any any -> 10.199.10.3 21 (msg: “FTP on the network!”;)
Which system usually uses such a configuration setting?
A. IDS
B. Router IPTable
C. FTP Server rule
D. Firewall IPTable
A. IDS(Correct)
Explanation
https://www.snort.org/documents#latest_rule_documents
NOTE: One thing is important to understand: there is no standard for parsers, at least for now. No one will force you, when developing your product, for example, IDS, to create a rule language the same as that of Snort. The question does not specify the manufacturer, although the example clearly hints at the Snort rules, other manufacturers can use the same syntax for anything. In some products, you may not even see the syntax at all cause you may only have access to the graphical user interface. For example, in cloud services, where the stratification of services by levels of abstraction is most clearly visible.
Which of the following will allow you to prevent unauthorized network access to local area networks and other information assets by wireless devices?
A. AISS
B. NIDS
C. WIPS
D. HIDS
C. WIPS(Correct)
Explanation
https://en.wikipedia.org/wiki/Wireless_intrusion_prevention_system
A Wireless Intrusion Prevention System (WIPS) is a network device that monitors the radio spectrum for the presence of unauthorized access points (intrusion detection), and can automatically take countermeasures (intrusion prevention).
Incorrect answers:
HIDS https://en.wikipedia.org/wiki/Host-based_intrusion_detection_system
A host-based intrusion detection system (HIDS) is an intrusion detection system that is capable of monitoring and analyzing the internals of a computing system as well as the network packets on its network interfaces, similar to the way a network-based intrusion detection system (NIDS) operates. This was the first type of intrusion detection software to have been designed, with the original target system being the mainframe computer where outside interaction was infrequent.
NIDS https://en.wikipedia.org/wiki/Intrusion_detection_system#Network_intrusion_detection_systems
Network intrusion detection systems (NIDS) are placed at a strategic point or points within the network to monitor traffic to and from all devices on the network. It performs an analysis of passing traffic on the entire subnet, and matches the traffic that is passed on the subnets to the library of known attacks. Once an attack is identified, or abnormal behavior is sensed, the alert can be sent to the administrator. An example of an NIDS would be installing it on the subnet where firewalls are located in order to see if someone is trying to break into the firewall. Ideally one would scan all inbound and outbound traffic, however doing so might create a bottleneck that would impair the overall speed of the network. OPNET and NetSim are commonly used tools for simulating network intrusion detection systems. NIDS are also capable of comparing signatures for similar packets to link and drop harmful detected packets which have a signature matching the records in the NIDS. When we classify the design of the NIDS according to the system interactivity property, there are two types: on-line and off-line NIDS, often referred to as inline and tap mode, respectively. On-line NIDS deals with the network in real-time. It analyses the Ethernet packets and applies some rules, to decide if it is an attack or not. Off-line NIDS deals with stored data and passes it through some processes to decide if it is an attack or not.
AIDS
Anomaly-based intrusion detection systems were primarily introduced to detect unknown attacks, in part due to the rapid development of malware. The basic approach is to use machine learning to create a model of trustworthy activity, and then compare new behavior against this model. Since these models can be trained according to the applications and hardware configurations, machine learning based method has a better generalized property in comparison to traditional signature-based IDS. Although this approach enables the detection of previously unknown attacks, it may suffer from false positives: previously unknown legitimate activity may also be classified as malicious. Most of the existing IDSs suffer from the time-consuming during detection process that degrades the performance of IDSs. Efficient feature selection algorithm makes the classification process used in detection more reliable.
Which of the following option is a security feature on switches leverages the DHCP snooping database to help prevent man-in-the-middle attacks?
A. DAI
B. Spanning tree
C. DHCP relay
D. Port security
A. DAI(Correct)
Explanation
Dynamic ARP inspection (DAI) protects switching devices against Address Resolution Protocol (ARP) packet spoofing (also known as ARP poisoning or ARP cache poisoning).
DAI inspects ARPs on the LAN and uses the information in the DHCP snooping database on the switch to validate ARP packets and to protect against ARP spoofing. ARP requests and replies are compared against entries in the DHCP snooping database, and filtering decisions are made based on the results of those comparisons. When an attacker tries to use a forged ARP packet to spoof an address, the switch compares the address with entries in the database. If the media access control (MAC) address or IP address in the ARP packet does not match a valid entry in the DHCP snooping database, the packet is dropped.
Incorrect answers:
Port security
Port Security helps secure the network by preventing unknown devices from forwarding packets. When a link goes down, all dynamically locked addresses are freed. The port security feature offers the following benefits:
· You can limit the number of MAC addresses on a given port. Packets that have a matching MAC address (secure packets) are forwarded; all other packets (unsecure packets) are restricted.
· You can enable port security on a per port basis.
Port security implements two traffic filtering methods, dynamic locking and static locking. These methods can be used concurrently.
· Dynamic locking. You can specify the maximum number of MAC addresses that can be learned on a port. The maximum number of MAC addresses is platform dependent and is given in the software Release Notes. After the limit is reached, additional MAC addresses are not learned. Only frames with an allowable source MAC addresses are forwarded.
NOTE: If you want to set a specific MAC address for a port, set the dynamic entries to 0, then allow only packets with a MAC address matching the MAC address in the static list.
Dynamically locked addresses can be converted to statically locked addresses. Dynamically locked MAC addresses are aged out if another packet with that address is not seen within the age-out time. You can set the time out value. Dynamically locked MAC addresses are eligible to be learned by another port. Static MAC addresses are not eligible for aging.
· Static locking. You can manually specify a list of static MAC addresses for a port. Dynamically locked addresses can be converted to statically locked addresses.
DHCP relay
You can use DHCP option 82, also known as the DHCP relay agent information option, to help protect supported Juniper devices against attacks including spoofing (forging) of IP addresses and MAC addresses, and DHCP IP address starvation.
In a common scenario, various hosts are connected to the network via untrusted access interfaces on the switch, and these hosts request and are assigned IP addresses from the DHCP server. Bad actors can spoof DHCP requests using forged network addresses, however, to gain an improper connection to the network.
Spanning tree https://en.wikipedia.org/wiki/Spanning_Tree_Protocol
The Spanning Tree Protocol (STP) is a network protocol that builds a loop-free logical topology for Ethernet networks. The basic function of STP is to prevent bridge loops and the broadcast radiation that results from them. Spanning tree also allows a network design to include backup links providing fault tolerance if an active link fails.
As the name suggests, STP creates a spanning tree that characterizes the relationship of nodes within a network of connected layer-2 bridges, and disables those links that are not part of the spanning tree, leaving a single active path between any two network nodes.
Which of the following application security testing method of white-box testing, in which only the source code of applications and their components is scanned for determines potential vulnerabilities in their software and architecture?
A. DAST
B. SAST
C. IAST
D. MAST
B. SAST(Correct)
Explanation
https://en.wikipedia.org/wiki/Static_application_security_testing
Static application security testing (SAST) is used to secure software by reviewing the source code of the software to identify sources of vulnerabilities.
Unlike dynamic application security testing (DAST) tools for black-box testing of application functionality, SAST tools focus on the code content of the application, white-box testing. An SAST tool scans the source code of applications and its components to identify potential security vulnerabilities in their software and architecture. Static analysis tools can detect an estimated 50% of existing security vulnerabilities.
Incorrect answers:
DAST https://en.wikipedia.org/wiki/Dynamic_application_security_testing
A dynamic application security testing (DAST) tool is a program which communicates with a web application through the web front-end in order to identify potential security vulnerabilities in the web application and architectural weaknesses. It performs a black-box test. Unlike static application security testing tools, DAST tools do not have access to the source code and therefore detect vulnerabilities by actually performing attacks.
DAST tools allow sophisticated scans, detecting vulnerabilities with minimal user interactions once configured with host name, crawling parameters and authentication credentials. These tools will attempt to detect vulnerabilities in query strings, headers, fragments, verbs (GET/POST/PUT) and DOM injection.
MAST
Mobile Application Security Testing (MAST) is a blend of SAST, DAST, and forensic techniques while it allows mobile application code to be tested specifically for mobiles-specific issues such as jailbreaking, and device rooting, spoofed Wi-Fi connections, validation of certificates, data leakage prevention, etc.
IAST
Interactive Application Security Testing (IAST). Hybrid approaches have been around – combining SAST and DAST – but the cybersecurity industry has recently started to consider them under the term IAST. IAST tools can check whether known vulnerabilities (from SAST) can be exploited in a running application (i.e., DAST). These tools combine knowledge of data flow and application flow in an application to visualize advanced attack scenarios using test cases which are further used to create additional test cases by utilizing DAST results recursively.
Which of the following is a network software suite designed for 802.11 WEP and WPA-PSK keys cracking that can recover keys once enough data packets have been captured?
A. wificracker
B. Aircrack-ng
C. Airguard
D. WLAN-crack
B. Aircrack-ng(Correct)
Explanation
https://en.wikipedia.org/wiki/Aircrack-ng
Aircrack-ng is a network software suite consisting of a detector, packet sniffer, WEP and WPA/WPA2-PSK cracker and analysis tool for 802.11 wireless LANs. It works with any wireless network interface controller whose driver supports raw monitoring mode and can sniff 802.11a, 802.11b and 802.11g traffic. The program runs under Linux, FreeBSD, macOS, OpenBSD, and Windows; the Linux version is packaged for OpenWrt and has also been ported to the Android, Zaurus PDA and Maemo platforms; and a proof of concept port has been made to the iPhone.
Jack sent an email to Jenny with a business proposal. Jenny accepted it and fulfilled all her obligations. Jack suddenly refused his offer when everything was ready and said that he had never sent an email. Which of the following digital signature properties will help Jenny prove that Jack is lying?
A. Integrity
B. Authentication
C. Non-Repudiation
D. Confidentiality
C. Non-Repudiation(Correct)
Explanation
Non-repudiation is the assurance that someone cannot deny the validity of something. Non-repudiation is a legal concept that is widely used in information security and refers to a service, which provides proof of the origin of data and the integrity of the data. In other words, non-repudiation makes it very difficult to successfully deny who/where a message came from as well as the authenticity and integrity of that message.
Incorrect answers:
Confidentiality
In information security, confidentiality “is the property, that information is not made available or disclosed to unauthorized individuals, entities, or processes.” While similar to “privacy,” the two words aren’t interchangeable. Rather, confidentiality is a component of privacy that implements to protect our data from unauthorized viewers. Examples of confidentiality of electronic data being compromised include laptop theft, password theft, or sensitive emails being sent to the incorrect individuals.
Integrity
In information security, data integrity means maintaining and assuring data’s accuracy and completeness over its entire life cycle. This means that data cannot be modified in an unauthorized or undetected manner. This is not the same thing as referential integrity in databases. However, it can be viewed as a special case of consistency as understood in the classic ACID model of transaction processing. Information security systems typically provide message integrity alongside confidentiality.
Authentication
Authentication is the process of verifying that the individual who sends a message is really who they say they are, and not an impostor.
After several unsuccessful attempts to extract cryptography keys using software methods, Mark is thinking about trying another code-breaking methodology. Which of the following will best suit Mark based on his unsuccessful attempts?
A. One-Time Pad.
B. Trickery and Deceit.
C. Brute-Force.
D. Frequency Analysis.
B. Trickery and Deceit.
Explanation
Trickery and Deceit – it involves the use of social engineering techniques to extract cryptography keys
Brute-Force – cryptography keys are discovered by trying every possible combination
One-Time Pad – a one-time pad contains many non-repeating groups of letters or number keys, which are chosen randomly
Frequency Analysis – It is the study of the frequency or letters or groups of letters in a cipher text. It works on the fact that, in any given stretch of written language, certain letters and combination of letters occur with varying frequencies.
Which of the following tools is packet sniffer, network detector and IDS for 802.11(a, b, g, n) wireless LANs?
A. Kismet
B. Nessus
C. Nmap
D. Abel
A. Kismet(Correct)
Explanation
https://en.wikipedia.org/wiki/Kismet_(software)
Kismet is a network detector, packet sniffer, and intrusion detection system for 802.11 wireless LANs. Kismet will work with any wireless card which supports raw monitoring mode, and can sniff 802.11a, 802.11b, 802.11g, and 802.11n traffic.
Incorrect answers:
Nessus https://en.wikipedia.org/wiki/Nessus_(software)
Nessus is a remote security scanning tool that scans a computer and raises an alert if it discovers any vulnerabilities that malicious hackers could use to access any computer you have connected to a network.
Nmap https://en.wikipedia.org/wiki/Nmap
Nmap (Network Mapper) is a free and open-source network scanner created by Gordon Lyon (also known by his pseudonym Fyodor Vaskovich). Nmap is used to discover hosts and services on a computer network by sending packets and analyzing the responses.
Nmap provides a number of features for probing computer networks, including host discovery and service and operating system detection. These features are extensible by scripts that provide more advanced service detection, vulnerability detection, and other features. Nmap can adapt to network conditions including latency and congestion during a scan.
Abel https://en.wikipedia.org/wiki/Cain_and_Abel_(software)
Cain and Abel (often abbreviated to Cain) was a password recovery tool for Microsoft Windows. It could recover many kinds of passwords using methods such as network packet sniffing, cracking various password hashes by using methods such as dictionary attacks, brute force and cryptanalysis attacks. Cryptanalysis attacks were done via rainbow tables which could be generated with the winrtgen.exe program provided with Cain and Abel.
How works the mechanism of a Boot Sector Virus?
A. Moves the MBR to another location on the Random-access memory and copies itself to the original location of the MBR.
B. Modifies directory table entries to point to the virus code instead of the actual MBR.
C. Overwrites the original MBR and only executes the new virus code.
D. Moves the MBR to another location on the hard disk and copies itself to the original location of the MBR.
D. Moves the MBR to another location on the hard disk and copies itself to the original location of the MBR.(Correct)
Explanation
https://en.wikipedia.org/wiki/Boot_sector#Boot_Sector_Viruses
Among all the viruses, boot sector viruses are one of the oldest forms of computer viruses. At the time of your PC startup time, it infects the boot sector of floppy disks or the Master Boot Record(MBR). Some also infect the boot sector of the hard disk instead of the MBR. To start the operating system and other bootable programs, the boot sector contains all the files required. Before starting any security program like your antivirus program, the boot sector virus runs to execute malicious code.
When the system is booted from an infected disk, the infected code runs. If the infected code runs then, it will rapidly infect other floppy disks. The boot sector virus uses DOS commands while it infects at a BIOS level.
Because this virus is located on the boot sector of your hard drive and runs before the operating system begins, the boot sector virus can cause a lot of damage. Depending on their aim, each boot sector virus works differently. Adware or malware virus creating is the common and general irritating issues.
Most commonly, Boot sector computer viruses are spread using physical media. After it enters a computer, it modifies or replaces the existing boot code. After that, when a user tries to boot their pcs, the virus will be loaded and run immediately. By phishing, you can also be affected by the boot sector virus. It is also possible to send you an attachment with boot sector virus code to your pcs.
Which of the following can be designated as “Wireshark for CLI”?
A. ethereal
B. nessus
C. John the Ripper
D. tcpdump
D. tcpdump(Correct)
Explanation
https://www.tcpdump.org/
Tcpdump is a data-network packet analyzer computer program that runs under a command-line interface. It allows the user to display TCP/IP and other packets being transmitted or received over a network to which the computer is attached. Distributed under the BSD license, tcpdump is free software.
https://www.wireshark.org/
Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education.
NOTE: Wireshark is very similar to tcpdump, but has a graphical front-end, plus some integrated sorting and filtering options.
Incorrect answers:
Nessus https://www.tenable.com/
Nessus is a program for automatically searching for known flaws in the protection of information systems. It is able to detect the most common types of vulnerabilities, for example:
· Availability of vulnerable versions of services or domains;
· Configuration errors (for example, no need for authorization on the SMTP server);
· The presence of default passwords, blank, or weak passwords;
The program has a client-server architecture, which greatly expands the scanning capabilities.
Ethereal - the project was renamed Wireshark in May 2006 due to trademark issues.
John the Ripper https://en.wikipedia.org/wiki/John_the_Ripper
John the Ripper is a free password cracking software tool.
Ivan, an evil hacker, conducts an SQLi attack that is based on True/False questions. What type of SQLi does Ivan use?
A. Blind SQLi
B. DMS-specific SQLi
C. Classic SQLi
D. Compound SQLi
A. Blind SQLi(Correct)
Explanation
https://en.wikipedia.org/wiki/SQL_injection#Blind_SQL_injection
Blind SQL injection is used when a web application is vulnerable to an SQL injection but the results of the injection are not visible to the attacker. The page with the vulnerability may not be one that displays data but will display differently depending on the results of a logical statement injected into the legitimate SQL statement called for that page. This type of attack has traditionally been considered time-intensive because a new statement needed to be crafted for each bit recovered, and depending on its structure, the attack may consist of many unsuccessful requests. Recent advancements have allowed each request to recover multiple bits, with no unsuccessful requests, allowing for more consistent and efficient extraction.
Incorrect answers:
Compound SQLi
Compound SQLi is attacks that involve using SQLi alongside cross-site scripting, denial of service, DNS hijacking, or insufficient authentication attacks. Pairing SQLi with other methods of attack gives hackers additional ways to avoid detection and circumvent security systems.
Classic SQLi
Classic SQLi attacks are the most common and simplest form of SQLi. Classic attacks can occur whenever an SQL database allows users to submit an SQL statement. They come in two varieties:
· Error-based SQLi, which involves getting a web app to throw an SQL error that gives the attacker either information about the structure of the database or the particular information they’re seeking.
· UNION-based attacks, which use the SQL UNION operator to determine specifics of the database’s structure in order to extract information.
DMS-specific SQLi
Out-of-band SQLi (or DMS-specific SQLi) is a much less common approach to attacking an SQL server. It relies on certain features of an SQL database to be enabled; if those features aren’t, the OOB attack won’t succeed.
OOB attacks involve submitting a DNS or HTTP query to the SQL server that contains an SQL statement. If successful, the OOB attack can escalate user privileges, transmit database contents, and generally do the same things other forms of SQLi attacks do.
Rajesh, a network administrator found several unknown files in the root directory of his FTP server. He was very interested in a binary file named “mfs”. Rajesh decided to check the FTP server logs and found that the anonymous user account logged in to the server, uploaded the files and ran the script using a function provided by the FTP server’s software. Also, he found that “mfs” file is running as a process and it listening to a network port. What kind of vulnerability must exist to make this attack possible?
A. Brute force login.
B. Directory traversal.
C. File system permissions.
D. Privilege escalation.
C. File system permissions.(Correct)
Explanation
File system permissions
Processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
Adversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.
Incorrect answers:
Privilege escalation https://en.wikipedia.org/wiki/Privilege_escalation
Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities.
Directory traversal https://en.wikipedia.org/wiki/Directory_traversal_attack
A path traversal attack (also known as directory traversal) aims to access files and directories stored outside the web root folder. By manipulating variables that reference files with “dot-dot-slash (../)” sequences and its variations or using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code or configuration and critical system files. It should be noted that access to files is limited by system operational access control (such as in the case of locked or in-use files on the Microsoft Windows operating system).
This attack is also known as “dot-dot-slash,” “directory traversal,” “directory climbing,” and “backtracking.”
Brute force login https://en.wikipedia.org/wiki/Brute-force_attack
A brute force attack uses trial-and-error to guess login info, encryption keys, or find a hidden web page. Hackers work through all possible combinations hoping to guess correctly.
These attacks are made by ‘brute force,’ meaning they use excessive forceful attempts to try and ‘force’ their way into your private account(s). This is an old attack method, but it’s still effective and popular with hackers. Because depending on the password’s length and complexity, cracking it can take anywhere from a few seconds to many years.
Which of the following is the type of violation when an unauthorized individual enters a building following an employee through the employee entrance?
A. Tailgating.
B. Announced.
C. Reverse Social Engineering.
D. Pretexting.
A. Tailgating.(Correct)
Explanation
The tailgating attack, also known as “piggybacking,” involves an attacker seeking entry to a restricted area that lacks the proper authentication.
The attacker can simply walk in behind a person who is authorized to access the area. In a typical attack scenario, a person impersonates a delivery driver loaded down with packages and waits until an employee opens their door. The attacker asks that the employee hold the door, bypassing the security measures in place (e.g., electronic access control).
Incorrect answers:
Pretexting
The term pretexting indicates the practice of presenting oneself as someone else to obtain private information. Usually, attackers create a fake identity and use it to manipulate the receipt of information.
Attackers leveraging this specific social engineering technique adopt several identities they have created. This bad habit could expose their operations to the investigations conducted by security experts and law enforcement.
Reverse Social Engineering
A reverse social engineering attack is a person-to-person attack in which an attacker convinces the target that he or she has a problem or might have a certain problem in the future and that he, the attacker, is ready to help solve the problem.
Determine the type of SQL injection:
SELECT * FROM user WHERE name = ‘x’ AND userid IS NULL; –’;
A. Illegal/Logically Incorrect Query.
B. End of Line Comment.(Correct)
C. Tautology.
D. UNION SQL Injection.
B. End of Line Comment.(Correct)
