Chapter 12 - Attack & Defense Flashcards

1
Q

What protocol is used for a Smurf attack?

A. DNS
B. ICMP
C. TCP
D. SMTP

A

B.

While DNS is also used for amplification attacks, Smurf attacks are a result of someone sending ICMP echo requests to the broadcast address of a network. The echo responses would be sent to the address in the source of the request, which would be spoofed. If enough systems respond, the volume of responses can overwhelm the target system.

2
Q

If you were to see ' or 1=1; in a packet capture, what would you expect was happening?

A. Cross-site scripting
B. Command injection
C. SQL injection
D. XML external entity injection

A

C.

An SQL injection attack makes use of SQL queries, which can include logic that may alter the flow of the application. In the example provided, the intent is to force the result of the SQL query to always return a true. It is quoted the way it is to escape the existing query already in place in the application. None of the other attacks uses a syntax that looks like the example.

3
Q

Which protocol is commonly used for amplification attacks?

A. TCP
B. SMTP
C. DNS
D. XML

A

C.

Because TCP uses a three-way handshake, spoofing like that needed in amplification is difficult. SMTP also uses TCP. XML is used for data structure and presentation. DNS is often used for modern amplification attacks.

4
Q

What is the purpose of a SYN flood?

A. Fill up connection buffers at the operating system
B. Fill up connection buffers in the web server
C. Fill up connection buffers at the Application layer
D. Fill up connection buffers for UDP

A

A.

A SYN flood takes advantage of the three-way handshake. A SYN message alone will consume a connection buffer at the operating system. Until the operating system has passed the three-way handshake, the request won't make it to the web server at the Application layer. SYN is not a header flag used with UDP.

5
Q

How does a slowloris attack work?

A. Holds open connection buffers at the operating system
B. Holds open connection buffers at the web server
C. Holds open connection buffers at the Application layer
D. Holds open connection buffers for UDP

A

B.

A slowloris attack is used to hold open connection buffers at the web server. Enough of these requests will consume all of the possible connections for the web server. The Application layer doesn't factor in here because there are no connection buffers at the Application layer. Web servers don't use UDP for HTTP requests, and slowloris is an attack against a web server.

6
Q

What would be the result of sending the string AAAAAAAAAAAAAAAAA into a variable that has been allocated space for 8 bytes?

A. Heap spraying
B. SQL injection
C. Buffer overflow
D. Slowloris attack

A

C.

Heap spraying uses dynamically allocated space to store attack code. A slowloris attack is used to hold open web server connection buffers. An SQL injection will be used to inject SQL queries to the database server. A buffer overflow sends more data than space has been allocated for into the application.

7
Q

What is the target of a cross-site scripting attack?

A. Web server
B. Database server
C. Third-party server
D. User

A

D.

A cross-site scripting attack uses a scripting language to run in the browser. Since the browser is with the user, ultimately the attack targets the user, even if the injection code is stored in a database server.

8
Q

If you were to see the following in a packet capture, what would you think was happening? <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>

A. Cross-site scripting
B. SQL injection
C. Command injection
D. XML external entity injection

A

D.

Cross-site scripting attacks usually use JavaScript or perhaps VBScript. SQL injection uses SQL. Command injection uses operating system commands. The fragment shows XML using an external entity. This is, then, an XML external entity injection.

9
Q

What protection could be used to prevent an SQL injection attack?

A. Buffer overflows
B. Input validation
C. XML filtering
D. Lateral movement

A

B.

SQL injection attacks take data injected from the user/attacker. Any data sent in from a user should always be validated before being acted on. Nothing coming in from a user should be trusted. None of the other answers could be used to prevent an SQL injection attack.

10
Q

What security element would be a crucial part of a defense-in-depth network design?

A. Firewall
B. SIEM
C. Web application firewall
D. Log management system

A

A.

A defense-in-depth network design makes use of multiple prevention layers to make breaching the inside of the network quite a bit harder. A SIEM is used to collect and correlate intelligence and log data. A web application firewall protects against Application layer attacks. A log management system is just what it says. A firewall, though, is commonly used in a defense-in-depth network design.

11
Q

What does a defense-in-breadth approach add?

A. Consideration for a broader range of attacks
B. Protection against SQL injection
C. Buffer overflow protection
D. Heap spraying protection

A

A.

Defense in breadth starts with defense in depth and takes a broader range of attack strategies into consideration. Defense in breadth doesn't necessarily protect against SQL injection and probably doesn't protect against buffer overflows or heap spraying attacks. Those protections may possibly be achieved, but ultimately defense in breadth would achieve them by taking a broader range of attacks into consideration.

12
Q

What attack injects code into dynamically allocated memory?

A. Buffer overflow
B. Cross-site scripting
C. Heap spraying
D. Slowloris

A

C.

A buffer overflow attack is an attack against data in the stack, which is known about at compile time and, as a result, is not dynamic. Cross-site scripting attacks and slowloris attacks don't inject code into memory. A heap spraying attack, though, injects code into the heap, which is where dynamically allocated memory is taken from.

13
Q

If you were to see the following in a packet capture, what attack would you expect is happening?
%3Cscript%3Ealert('wubble');%3C/script%3E

A. SQL injection
B. Command injection
C. Cross-site scripting
D. Buffer overflow

A

C. A buffer overflow takes an excess amount of data and tries to store it into a memory location that can't accommodate it. An SQL injection attack uses SQL. Command injection attacks use operating system commands. A cross-site scripting attack uses a scripting language such as JavaScript or VBScript. The script is injected using a <script> HTML tag, and %3C is a way of encoding < while %3E is a way of encoding >. This means %3Cscript%3E would be decoded to <script>.

14
Q

What has been done to the following string?
%3Cscript%3Ealert('wubble');%3C/script%3E

A. Base64 encoding
B. URL encoding
C. Encryption
D. Cryptographic hashing

A

B. Base64 encoding takes nonprintable characters and encodes them in a way that they can be rendered in text. Encryption would generally render text unreadable to people. A cryptographic hash is a way of generating a fixed-length value. URL encoding takes text and uses hexadecimal values to represent the characters. This is text that has been converted into hexadecimal so the characters can be used in a URL.

15
Q
What technique does a slow read attack use?

A. Small HTTP header requests
B. Small HTTP body requests
C. Small HTTP POST requests
D. Small file retrieval requests

A

D. A slowloris attack uses small HTTP requests to hold open a web server’s available connections. There are attacks that use body requests in a slow fashion. However, a slow read attack tries to download a file in small increments to keep a web server from serving legitimate requests.

16
Q

What element could be used to facilitate log collection, aggregation, and correlation?

A. Log manager
B. Firewall
C. IDS
D. SIEM

A

D. While a firewall and an IDS will generate logs, they don’t collect them. A log manager will collect logs and perhaps aggregate them, but it probably doesn’t correlate log messages. A SIEM, though, will consume logs, aggregate them, and correlate them.

17
Q

What is the target of a command injection attack?

A. Operating system
B. Web server
C. Database server
D. User

A

A.

A command injection sends operating system commands into a web application so they can be run by the operating system. The web server (meaning the web server application) is not the target of the command injection, nor is the database server or the user.

18
Q

What would the Low Orbit Ion Cannon be used for?

A. SQL injection attacks
B. Log management
C. Denial-of-service attacks
D. Buffer overflows

A

C. The Low Orbit Ion Cannon is a .NET-based application used to launch denial-of-service attacks. It is not used for log management or SQL injection attacks, nor is it used for buffer overflows.

19
Q

What could you use to inform a defensive strategy?

A. SIEM output
B. Attack life cycle
C. Logs
D. Intrusion detection system

A

B. SIEM output is useful and may have some value in understanding current attacks. The same is true with logs and intrusion detection systems. However, the attack life cycle is a structured way to understand how attacks happen in order to better inform a defensive strategy so controls can be implemented for each of the phases of the attack.

20
Q

What information does a buffer overflow intend to control?

A. Stack pointer
B. Frame pointer
C. Instruction pointer
D. Buffer pointer

A

C. The stack pointer indicates where the stack is in memory. The frame pointer indicates which part of the stack is being used for the current frame. There is no buffer pointer from the perspective of the operating system, though applications do use pointers and they do point to buffers. An instruction pointer tells the processor where the next instruction to be executed is. Controlling this piece of information can allow the attacker to control the execution flow of the program.

21
Q

Which of these prevention techniques would be best used against an SQL injection attack?

A. Return to libc
B. Web application firewall
C. Address space layout randomization
D. Stack canary

A

B.

A web application firewall could be used to protect against web application attacks, including SQL injections. While it can be used for detection, a WAF could be used to block these attacks. Return to libc is a way to get around protections against buffer overflow attacks. Address space layout randomization and stack canaries are ways of protecting against buffer overflow attacks.

22
Q

If you wanted to get access to a file in the file system on a web server, which of these attack techniques might you use?

A. Cross-site scripting
B. Command injection
C. SQL injection
D. File traversal

A

D.

A file traversal attack attempts to break out of the jail that a web server uses to contain interaction to a specific set of directories and files. Cross-site scripting attacks user systems through the browser. SQL injection attacks are targeted at database servers, while command injection attacks target the operating system by trying to inject shell commands into the application to be executed by the underlying system.

23
Q

What are two important characteristics that differentiate defensible network architectures from defense in depth?

A. Firewalls and DMZs
B. Honeypots and DMZs
C. Isolation and malware protection
D. Containment and monitoring

A

D.

Defense in depth commonly focuses on protection, while defensible network architectures focus on being able to contain attackers as well as monitor attacker activity. A DMZ is a way of protecting the broader network from an attacker. Firewalls are used to protect, and honeypots are deceptive mechanisms. Malware protection is all about protection.

24
Q

What type of system could you use to trap and monitor an attacker?

A. Web application firewall
B. Next generation firewall
C. Honeypot
D. DMZ

A

C.

A honeypot is used to lure an attacker in, providing enough content of interest to keep them busy on that system while you can monitor them. Different firewalls can be used to block bad traffic but would not be used to trap an attacker. A DMZ is a way of isolating Internet-facing systems from other parts of the enterprise network.

25
Q
What attack technique can be used to bypass address space layout randomization?

A. Return to libc
B. Stack canary
C. Buffer overflow
D. Return to JavaScript

A

A.

A stack canary could be used to detect a buffer overflow attack. A buffer overflow is an attack technique. Return to libc is a way of making use of a fixed, known address to jump to during a buffer overflow attack. There is no such thing as a return to JavaScript.