CH22 Vulnerability Management Flashcards

1
Q

Which of the following command-line tools would you use to identify open ports and services on a host along with the version of the application that is associated with them?

a. Ping
b. nmap
c. netstat
d. Wireshark

A

b. nmap

Nmap sends specially crafted packets to the target host(s) and then analyzes the responses to determine the open ports and services running on those hosts.

In addition, nmap can determine the versions of the applications being used on those ports and services.

Nmap is a command-line tool for use on Linux, Windows, and macOS systems.

2
Q

A cybersecurity analyst in your company notices that an attacker is trying to crack the WPS pin associated with a wireless printer. The device logs show that the attacker tried 00000000, 00000001, 00000002, and continued to increment by 1 number each time until they found the correct PIN of 13252342. Which of the following type of password cracking was being performed by the attacker?

a. Rainbow table
b. Dictionary
c. Hybrid
d. Brute-force

A

d. Brute-force

A brute-force attack is when an attacker uses a set of predefined values to attack a target and analyzes the response until they succeed. Success depends on the set of predefined values: if it is larger, the attack takes more time, but there is a better probability of success. In a traditional brute-force attack, the passcode or password is incrementally increased by one letter/number each time until the right passcode/password is found.

3
Q

Nick is participating in a security exercise as part of the network defense team for his organization. Which team is Nick playing on?

a. Red team
b. White team
c. Blue team
d. Yellow team

A

c. Blue team

Penetration testing can form the basis of functional exercises. One of the best-established means of testing a security system for weaknesses is to play “war game” exercises in which the security personnel split into teams: red, blue, and white.

The red team acts as the adversary.
The blue team acts as the defenders.
The white team acts as the referees and sets the parameters for the exercise.
The yellow team is responsible for building tools and architectures in which the exercise will be performed.

4
Q

An attacker uses the nslookup interactive mode to locate information on a Domain Name Service (DNS). What command should they type to request the appropriate records for only the name servers?

a. transfer type=ns
b. set type=ns
c. request type =ns
d. locate type = ns

A

b. set type=ns

OBJ-4.1: The nslookup command is used to query the Domain Name System to obtain the mapping between a domain name and an IP address or to view other DNS records. The “set type=ns” command tells nslookup to report information only on name servers. If you used “set type=mx” instead, you would receive information only about mail exchange servers.

5
Q

Which type of method is used to collect information during the passive reconnaissance?

a. Reviewing public repositories
b. Network traffic sniffing
c. API requests and responses
d. Social engineering

A

a. Reviewing public repositories

OBJ-1.8: Passive reconnaissance focuses on collecting information that is widely and openly available from publicly available sources. While network traffic sniffing is considered passive, gaining access to the network to place a sniffer in a good network tap location would not be considered passive. Of the choices provided, publicly accessible sources are the best answer to choose. Collecting API requests and responses would involve a penetration tester sending data to a given server and analyzing the responses received, which is considered an active reconnaissance method. Social engineering is also an active reconnaissance technique that uses deception to trick a user into providing information to an attacker or penetration tester.

6
Q

Dion Training wants to get an external attacker’s perspective on its security status. Which of the following services should they purchase?

a. Patch management
b. Asset management
c. Penetration test
d. Vulnerability scan

A

c. Penetration test

OBJ-1.8: Penetration tests provide an organization with an external attacker’s perspective on their security status. The NIST process for penetration testing divides tests into four phases: planning, discovery, attack, and reporting. The penetration test results are valuable security planning tools, as they describe the actual vulnerabilities that an attacker might exploit to gain access to a network. A vulnerability scan provides an assessment of your security posture from an internal perspective. Asset management refers to a systematic approach to the governance and realization of value from the things that a group or entity is responsible for over their whole life cycles. It may apply both to tangible assets and intangible assets. Patch management is the process that helps acquire, test, and install multiple patches (code changes) on existing applications and software tools on a computer, enabling systems to stay updated on existing patches and determining which patches are the appropriate ones.

7
Q

A cybersecurity analyst is attempting to classify network traffic within an organization. The analyst runs the tcpdump command and receives the following output:

tcpdump -n -i eth0
IP 10.0.19.121.52497 > 11.154.12.121.ssh: P 105:157 (52) ack 18060 win 16549
IP 11.154.12.121.ssh > 10.0.19.121.52497: P 23988:24136 (148) ack 157 win 113
IP 11.154.12.121.ssh > 10.0.19.121.52497: P 24136:24380 (224) ack 157 win 113

Which of the following statements is true based on this output?

a. 10.0.19.121 is a client that is accessing an SSH server over port 52497
b. 10.0.19.121 is under attack from a host at 11.154.12.121
c. 11.154.12.121 is under attack from a host at 10.0.19.121
d. 11.154.12.121 is a client that is accessing an SSH server over port 52497

A

a. 10.0.19.121 is a client that is accessing an SSH server over port 52497

OBJ-4.1: This output from the tcpdump command is displaying three packets in a larger sequence of events. Based solely on these three packets, we can only be certain that the server (11.154.12.121) runs an SSH server over port 22. This is based on the first line of the output. The second and third lines are the server responding to the request and sending data back to the client (10.0.19.121) over port 52497. There is no evidence of an attack against either the server or the client based on this output since we can only see the headers and not the content being sent between the client and server.

8
Q

(Sample Simulation – On the real exam for this type of question, you would have access to the log files to determine which server on a network might have been affected, and then choose the appropriate actions.) A cybersecurity analyst has determined that an attack has occurred against your company’s network. Fortunately, your company uses a good logging system with a centralized Syslog server, so all the logs are available, collected, and stored properly. According to the cybersecurity analyst, the logs indicate that the database server was the only company server on the network that appears to have been attacked. The network is a critical production network for your organization. Therefore, you have been asked to choose the LEAST disruptive actions on the network while performing the appropriate incident response actions. Which actions do you recommend as part of the response efforts?

a. Capture network traffic using a sniffer, schedule a period of downtime to image and remediate the affected server, and maintain the chain of custody
b. Conduct a system restore of the database server, image the hard drive, and maintain the chain of custody
c. Isolate the affected server from the network immediately, format the database server, reinstall from a known good backup
d. Immediately remove the database server from the network, create an image of its hard disk, and maintain the chain of custody.

A

a. Capture network traffic using a sniffer, schedule a period of downtime to image and remediate the affected server, and maintain the chain of custody

OBJ-1.7: Since the database server is part of a critical production network, it is important to work with the business to time the remediation period to minimize productivity losses. You can immediately begin to capture network traffic since this won’t affect the database server or the network (least intrusive) while scheduling a period of downtime in which to take a forensic image of the database server’s hard drive. All network captures and the hard drive should be maintained under the chain of custody if needed for criminal prosecution or civil action after remediation. The server should be remediated and brought back online once the hard drive image has been created.

9
Q

What tool can be used to scan a network to perform vulnerability checks and compliance auditing?

a. Metasploit
b. Nmap
c. BeEF
d. Nessus

A

d. Nessus

OBJ-4.1: Nessus is a popular vulnerability scanner. It can be used to check how vulnerable your network is by using various plugins to test for vulnerabilities. Also, Nessus can perform compliance auditing, like internal and external PCI DSS audit scans. The nmap tool is a port scanner. The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser.
