Chapter 2 Security Operations (Sybex) Flashcards

1
Q

A white hat penetration test showed your organization to be susceptible to social engineering attacks. A victim in your organization was phished successfully, clicked a link in an email, and downloaded commodity malware. What processes could you take to prevent the spread of malware or ransomware in your environment in the future?

A. IPsec on critical systems
B. Use threat emulation
C. Encryption
D. Establish KPIs

A

B. Use threat emulation

Explanation:
Threat emulation picks up malware at the exploit phase, before attackers can apply evasion techniques. Files are quickly quarantined and inspected, running virtually to discover malicious behavior before it enters your network. Threat emulation can convert newly identified unknown attacks into known signatures, making it possible to block these threats before they have a chance to become widespread.

2
Q

Your CISO wants you to conduct a risk assessment for a vital new healthcare system that needs to be in place as quickly as possible. As you conduct the assessment, you find a review from a competitor who is using the software that mentions a vulnerability with a low likelihood of exploitation. Why might your CISO still have reservations about deploying this system?

A. The CISO is concerned about government regulations and compliance
B. The CISO feels rushed to decide
C. Other competitors have elected not to use the system
D. Even one attack would be devastating to the organization, both financially and to its reputation

A

D. Even one attack would be devastating to the organization, both financially and to its reputation

Explanation:
The vital new healthcare system being exploited might ruin the company. The healthcare industry is a prime target for cyberattacks and faces hostile cybersecurity issues that have financial and reputational impacts for hospitals, pharmaceutical companies and other healthcare institutions.

3
Q

Alex works for a financial institution that decided to purchase costly custom computer systems and software. In the supply chain, one of the vendors supplying the custom computer software is experiencing a delay without any type of explanation. What should Alex be wary of to limit exposure?

A. SLA
B. Penalty clause
C. Supply chain attack
D. Proof of insurance in the RFP

A

C. Supply chain attack

Explanation:
The risks associated with a supply chain attack have never been higher. Due to recent supply chain attacks, there is growing public awareness of these threats and increased oversight from regulators. Meanwhile, attackers have more resources and tools at their disposal than ever before. A supply chain attack, also known as a third-party attack, happens when someone infiltrates your enterprise through an outside partner, vendor or provider who has access to your software, systems, updates and patches and/or data.

4
Q

A newly certified administrator makes a change to Group Policy for 12,000 users. The box is checked on the operating system to not allow the overwriting of operating system security logs. After 48 hours, no users can log into their domain accounts because the logs have filled up. What change control process was initially skipped in this scenario?

A. Approval
B. Testing
C. Implementation
D. Deployment

A

A. Approval

Explanation:
If the administrator had received approval, perhaps the technical catastrophe could have been avoided with a more senior administrator's wisdom. Gaining approval is the first step in managing a needed change. Once approved, testing can be performed. Implementation, deployment and documentation should follow after testing.

5
Q

You reached out to your legal department to determine whether there are repercussions after a data breach, including notification of customers whose personal information might have been lost. Every state and federal definition is based on the unlawful acquisition of personal information. What is the safe harbor for organizations?

A. Encryption
B. Divestiture
C. Confidentiality
D. Investigation

A

A. Encryption

Explanation:
If sensitive data is encrypted properly, there is no possibility of repercussions. Organizations that are the target of attackers usually face serious costs due to notification of quantitative and qualitative losses. Organizations with PII face even higher liabilities.

6
Q

You need to find the true severity of an incident and accurately measure it based on certain factors like scope and impact, as well as how you should have prioritized the incident. Which of the following is not a factor for measuring the severity of an incident for your organization?

A. Cost
B. Downtime
C. Disclosure
D. Legal ramifications

A

C. Disclosure

Explanation:
In measuring the severity of an incident, the five measurable factors are scope, impact, cost, downtime and legal ramifications. Disclosure should be covered in the disclosure policy, which ensures that the required information is shared with the public, investors, customers, employees and other stakeholders at the proper time after an event, incident or breach.

7
Q

A firewall administrator added new rules to the corporate border firewall. What should the firewall administrator do next to ensure that the rules are functioning properly?

A. All firewall rules should be tested with traffic matching the rules
B. Only the new firewall rules should be tested with traffic matching the rules
C. No testing is required. Firewall rules are checked for validity within the firewall
D. Because of time constraints, only firewall rules considered to be the most important should be tested

A

A. All firewall rules should be tested with traffic matching the rules

Explanation:
When changing or adding firewall rules, all rules should be tested with matching traffic. It is possible that the rule is not configured properly or that there is a contradicting rule higher up the firewall rule list that could negate the new rule. Only by testing all the rules on the firewall can the validity of the rules be verified.

8
Q

A system administrator has a Bash script that does not need many commands. For security reasons, the admin wants to run the Bash script in restricted mode. Which of the following commands does not provide a restricted shell?

A. bash /r
B. rbash
C. bash --restricted
D. bash -r

A

A. bash /r

Explanation:
The command bash /r is not a valid Bash command. All of the other commands listed place Bash in restricted mode.

9
Q

Angel works for a large enterprise that is expanding through the acquisition of a second corporation. What should be done before connecting the networks?

A. Credentialed vulnerability scan
B. Implementation of a firewall system
C. Development of a risk analysis for the two networks
D. Complete review of the new corporation

A

C. Development of a risk analysis for the two networks

Explanation:
Networks can be built with a multitude of hardware and software. When you are attempting to join two disparate networks, many problems can occur with connectivity, latency, and vulnerabilities due to the two separate entities becoming one. Before making any technical changes, both networks should be examined and documented, and a risk analysis should be performed, beginning with a credentialed vulnerability scan.

10
Q

Your organization finished a penetration test with a third party and has received the report. The pentester has detailed what active and passive reconnaissance was done, as well as what vulnerabilities were exploited and where they were able to move laterally during the test. When does lateral movement occur during a penetration test?

A. Reconnaissance
B. Persistence
C. Weaponization
D. Post exploitation

A

D. Post exploitation

Explanation:
There are several cyberattack models, including the Mandiant Attack Model and Lockheed Martin's Cyber Kill Chain. Most steps are similar in nature. Post exploitation refers to any action taken after a session is open from a successful exploit or brute force.

11
Q

You look through your incident detection toolkit for a Windows tool that displays NetBIOS over TCP/IP protocol statistics for analysis. Which tool do you choose?

A. netcat
B. memcat
C. nbtstat
D. tshark

A

C. nbtstat

Explanation:
nbtstat displays NetBIOS over TCP/IP (NetBT) statistics. It displays NetBIOS name tables for both the local and remote computers, and it refreshes names registered with the Windows Internet Name Service (WINS).

12
Q

Saul is on the development team testing an in-house application for vulnerabilities. During the test, the application fails repeatedly and has poor exception handling. Which of the following tools do you suggest the development team deploy to identify these bugs?

A. Code escrow
B. Fuzzing
C. Pivoting
D. OSINT

A

B. Fuzzing

Explanation:
A fuzze

13
Q

You have implemented the Simple Certificate Enrollment Protocol (SCEP) in your organization. SCEP is designed to support the issuing of certificates in a scalable way. How does SCEP work in an enterprise environment?

A. The SCEP server CA issues and approves the certificate
B. The SCEP server RA issues pending certificates automatically, and the IAM admin approves them
C. A certificate is requested from the SCEP server and is issued automatically
D. The SCEP issues the certificate, the CA approves and issues the certificate

A

A. The SCEP server CA issues and approves the certificate

Explanation:
There are two ways to enroll with SCEP: a SCEP server CA automatically issues the certificate, or a certificate is requested and set to PENDING, and the CA admin then manually approves or denies the certificate.

14
Q

As a security architect, you have blended Windows and Linux environments. What technology will you want to use to virtualize an instance on top of the operating system kernel?

A. Hypervisor 1
B. Hypervisor 2
C. Containerization
D. Automation

A

C. Containerization

Explanation:
Containerization is a standardized unit for development and deployment. It is a standalone, lightweight instance of software that includes code, system tools, third-party libraries, and settings. The two most popular containerization tools are Docker and Kubernetes.

15
Q

You work for a SOHO and replace servers whenever there is money readily available from expenditure. Over the past few tech refresh cycles, you have received many servers and workstations from several different vendors. What is the challenge and risk to this style of asset management?

A. OS and asset EOL issues and updates
B. OS complexities and OS patch version dependencies
C. Failure rate of legacy equipment, replacement parts, and firmware updates and management
D. Poor security posture, inability to manage performance on old OS

A

C. Failure rate of legacy equipment, replacement parts, and firmware updates and management

Explanation:
This is a hardware problem. You can put an OS on almost any hardware out there. When old equipment has maintenance issues, it is sometimes difficult to find the parts and perform regular updates to those assets.

16
Q

Your end users utilize Microsoft Office. A few users have reached out for approval to install ActiveX. How do you advise those end users to use ActiveX securely?

A. If you are browsing the web and a site wants you to install an ActiveX control, decline it
B. If you are browsing the web and a site wants you to install an ActiveX control, accept it.
C. Request the vetting of the software to be downloaded
D. You cannot use ActiveX securely. You must use Flash.

A

A. If you are browsing the web and a site wants you to install an ActiveX control, decline it

Explanation:
ActiveX controls are dangerous and should be installed only when needed, removed when no longer necessary, and downloaded only from a trusted source.

17
Q

You examine your blue team cybersecurity toolkit and want to add a tool that produces proof of an exploit and supports JavaScript and Ajax-based applications. Which of these is best to use?

A. SET
B. Nmap
C. Netsparker
D. SQLi

A

C. Netsparker

Explanation:
Netsparker is a popular web application scanner that supports JavaScript and Ajax-based apps. It can find flaws like SQLi and local file inclusion and even suggests remediation actions.

18
Q

Ron is a security analyst reviewing corporate settings on multiple assets. He notices some settings were disabled and are allowing untrusted programs to be installed on mobile devices. What settings should be adjusted so that applications can be sandboxed and tested before deploying securely?

A. Updates
B. Digitally signed applications
C. Containerization
D. Remote wiping

A

C. Containerization

Explanation:
Containerization establishes a separate and encrypted space on employees' mobile devices where business data is kept apart from everything else on the device. This enables an administrator to manage what is in the container and restrict access to the corporate network.

19
Q

You were asked to secure the Ethernet ports on the company’s switches used to connect to host systems to prevent a VLAN hopping attack. Which of the following actions helps prevent this issue?

A. Ensuring the Ethernet ports are statically defined as trunk ports
B. Ensuring the Ethernet ports have DPT turned off
C. Ensuring the Ethernet ports have DTP turned on
D. Ensuring the Ethernet ports are configured as access ports

A

D. Ensuring the Ethernet ports are configured as access ports

Explanation:
VLAN hopping is an attack where the attacker changes the VLAN tag of a frame so that the attacker's frame is able to access a different VLAN. To launch this attack, the attacker must establish a trunk link between the target switch port and the attacker's system. If the switch port is configured as a static trunk or has Dynamic Trunking Protocol (DTP) enabled on the port, a trunk link can be established. To prevent this, ensure that the Ethernet ports are configured as access ports only. DPT in option B is a misspelling of DTP.

20
Q

Your MDM for COPE devices neglected to restrict the use of NFC. What is the biggest worry for employees using NFC for transactions?

A. No login/password
B. Interception
C. Breaches
D. Legalities

A

A. No login/password

Explanation:
Mobile device management for company owned, personally enabled devices using near field communication was built for convenience, not security. All you have to do is bump, tap or swipe against an NFC reader and the connection is valid. No login or password is necessary. NFC is concerned only with distance. Turn off NFC by default when not in use.

21
Q

A small insurance business implemented least privilege. Management is concerned that staff might accidentally aid in fraud with the customers. Which of the following addresses security concerns associated with this risk?

A. Policy
B. Job rotation
C. Separation of duties
D. Security awareness training

A

D. Security awareness training

Explanation:
Security awareness is vital to any customer-facing organization because 80-85 percent of compromises today begin with some form of social engineering.

22
Q

You work as a security analyst for a large banking organization that is about to disclose to the public that a substantial breach occurred. You are called into a meeting with the CISO and CEO to discuss how to ensure that proper forensic action took place and that the incident response team responded appropriately. Which of these should you ensure happens after the incident?

A. Avoid conflict of interest by hiring outside counsel
B. Create forensic images of all mission critical servers
C. Perform a formal investigation yourself with law enforcement
D. Treat the incident as though a crime has been committed

A

D. Treat the incident as though a crime has been committed

Explanation:
If the process is broken, the risk of the evidence being challenged or its value diminished could make it inadmissible and reduce its value to the company.

23
Q

You are a security analyst working for a casino. You work with a security firm and have traced the origin of a ransomware attack to a connected fish tank in the casino lobby. The attack was stopped within seconds, and the threat was mitigated. What would have led to the quick discovery of the attack?

A. Signatures
B. Endpoint analysis
C. Machine learning algorithms
D. Immunity learning

A

C. Machine learning algorithms

Explanation:
Machine learning algorithms detected the intrusion, and no damage was done.

24
Q

What risks and mitigations are associated with BYOD?

A. Risk: Data exfiltration Mitigation: Remote wipe
B. Risk: Confidentiality leaks Mitigation: Corporate policy
C. Risk: Theft Mitigation: Minimal Storage
D. Risk: GPS tracking Mitigation: Minimal cost

A

A. Risk: Data exfiltration Mitigation: Remote wipe

Explanation:
The biggest issue with any type of BYOD is the loss of data (data exfiltration), and the biggest fix is to remotely wipe the device should it become lost or stolen.

25
Q

Your new role within a network operations center is to support the development of policies and to implement standard IT security practices of incident response. You will be writing the procedures for how your incident team will manually respond to events. This would be considered which type of response?

A. Least privilege
B. Automated
C. Non automated
D. Forensic task

A

C. Non automated

Explanation:

26
Q

Your organization was breached, but you have been able to prove that sufficient due care and due diligence was taken. You have documented exactly when the workflow began and what the response tasks were. What is this document called?

A. SOW
B. NDA
C. Runbook
D. Playbook

A

C. Runbook

Explanation:
Due care is acting responsibly. Due diligence is verifying that those actions are sufficient. An organization that shows due care has taken every reasonable precaution to protect its assets and environment. Runbooks are often confused with playbooks. While runbooks define individual processes, playbooks deal with overarching responses to larger issues or events and may incorporate multiple runbooks and personnel within them; think of a runbook as a chapter within the playbook.

27
Q

Your organization terminates an employee from the IT department. After the IT employee is escorted from the building, a complete forensic investigation of all systems that the IT employee had access to shows a logic bomb installed on a server. Only three IT staff members had access to that server, and the remaining IT employees did not have admin access; therefore, they could not have installed the logic bomb. Which of the following factors supports the evidence you have collected?

A. Authorized people accessing evidence
B. Improper storage of evidence
C. Mislabeled evidence
D. Alteration of digital evidence

A

A. Authorized people accessing evidence

Explanation:
In criminal cases, a defendant can petition the court to exclude evidence that the prosecution obtained if someone breaks the chain of custody for any reason.

28
Q

Your web application stores sensitive information, including credit card numbers and account records. Which of the following is an encryption mistake that can possibly lead to insecure storage in your website?

A. Strong algorithm
B. Initialization vectors
C. Support for key changes
D. Storage of certificates on USB

A

D. Storage of certificates on USB

Explanation:
Insecure storage of keys, certificates, and passwords is a common mistake. Encryption is fairly easy to implement, but developers may overestimate the level of protection gained and not perform due diligence over other parts of the web application.

29
Q

Your organization wants to start digging deeper into malware analysis and needs software to spot vulnerabilities that can be exploited. You do not have the budget for EnCase this year, so an open source tool is best. You also need to create your own plug-ins. Which of these tools meets those criteria?

A. Ghidra
B. Immunity Debugger
C. AngryIP
D. Hydra

A

A. Ghidra

Explanation:
The US NSA recently open-sourced Ghidra, a reverse engineering tool used to forensically analyze malware.

30
Q

You decided to ensure that your network is protected and will perform your own port scans using Nmap. To get accurate results, you must perform this port scan from a remote location using non-company equipment and another Internet service provider (ISP). What must you first do?

A. Get permission
B. Decide what range of IPs and ports to scan
C. Contact HR
D. Create a Scan for 10 packet attempts to non listening ports

A

A. Get permission

Explanation:
You must ensure that you have approval from the appropriate stakeholders before taking on this task. If you do not, you could find yourself violating terms of service or the law.

31
Q

The second CIS control of the top 20 controls is knowing your software inventory. A feature of Nmap is the ability to remotely detect operating systems. By default, Nmap will attempt to identify which of the following using the nmap-os-db file?

A. Hostname and IP address
B. OS vendor, generation and device type
C. FQDN and open ports
D. OS patch level and DNS

A

B. OS vendor, generation and device type

Explanation:
You can use Nmap OS detection to detect OS vendor, generation and device type. Nmap probes the target with TCP and UDP packets and examines OS specifics like initial sequence numbers (ISNs), IP identifiers, timestamps, explicit congestion notification (ECN) and window sizes. Every OS has distinctive responses to these probes, which results in an OS fingerprint.

32
Q

You must use a computer networking utility to read and write network connections using TCP and UDP. Which of the following commands is a network debugging tool enabling you to create nearly any kind of connection?

A. IPconfig
B. Netcat
C. Openbsd

A

B. Netcat

Explanation:
Netcat is a utility that features port scanning and listening and can transfer files. It can even be used strategically as a backdoor.

33
Q

You see traffic addressed to 119.0.23.5. What class address is this?

A. Class A
B. Class B
C. Class C
D. Classless

A

A. Class A

Explanation:
Classful routing classifies IPv4 addresses from 0.0.0.0 to 127.255.255.255 as Class A addresses. The first 8 bits, or the first octet, denote the network portion, and the last 3 octets belong to the host portion. There are several reserved spaces within the Class A network space, including 127.x.x.x, which is reserved for loopback addressing.

34
Q

Digital evidence is part of many legal proceedings litigated by your organization. This evidence includes social media posts, photographs, videos and text messages. With physical evidence alone, you were tasked with creating a chain of digital evidence. After law enforcement collects the digital evidence, what should happen next?

A. The original digital media should be forensically examined
B. Law enforcement should make a public statement
C. Forensic technicians should analyze the data before making a copy
D. Your organization should immediately hash the original copy of data

A

C. Forensic technicians should analyze the data before making a copy

Explanation:
Just like physical evidence, digital evidence must have a chain of custody should you ever need to present this information in court. A technician may use a password or write blocker to reduce the risk of altering the copy of the data, and some forensic specialists will hash the drives with tools like sha256sum or ssdeep to secure the evidence.

35
Q

Chain of custody begins with a crime scene. A digital forensic investigator carefully examines the scene and takes detailed notes for each piece of evidence found, including the time, location, and date, before using any forensic carving tools. What may not be included in the chain of custody documentation?

A. Description
B. Condition
C. Unique attributes
D. Investigator CV

A

D. Investigator CV

Explanation:
In this situation, until the evidence is presented in court, it is not necessary for the investigator to provide their credentials in the chain of custody documentation.

36
Q

A publishing company has experienced a breach, and an analyst has found some suspicious ELF files on the Linux machines. What is the command similar to objdump that goes into more detail?

A. readelf
B. redgram
C. unwind
D. objcrack

A

A. readelf

Explanation:
ELF is the abbreviation for Executable and Linkable Format and defines the structure for binaries, libraries and core files. The formal specification allows the OS to interpret its underlying machine instructions correctly. ELF files are typically the output of a compiler or linker and are a binary format. With the right tools, such files can be analyzed and better understood. readelf displays information about one or more ELF format object files. This program performs a similar function to objdump but goes into more detail.

37
Q

What suite of tools can be used to capture a four way handshake/wireless password?

A. Aircrack-ng
B. Ettercap
C. Netstumbler
D. Burp Suite

A

A. Aircrack-ng

Explanation:
The weakness in WPA/WPA2 wireless passwords is that the encrypted password is shared in what is known as a four-way handshake. When a client authenticates to an access point, the client and the access point go through a four-step process to authenticate the user to the access point. We can then capture the password with Aircrack-ng and attempt to crack it. Ettercap is one of the best tools for network and host analysis.

38
Q

You need a tool that allows you to examine filesystems of a suspect computer in a non-intrusive fashion. You need the tool to not rely on the OS to process the filesystems because you want deleted and hidden content. Which of these would be the best tool to use?

A. FindBugs
B. Meterpreter
C. TSK
D. Nikto

A

C. TSK

Explanation:
The Sleuth Kit (TSK) is a collection of command line tools and a C library that allows you to analyze disk images and recover files from them. It is used behind the scenes in Autopsy, the GUI version of TSK, and in many other open source and commercial forensics tools. FindBugs is a free static analysis tool for Java.

39
Q

The containers you built are running, and software is currently undergoing a patch. These changes must be integrated into the application to reduce risk. What tool can you use to ensure that changes are not causing security issues on the containers in production?

A. Container image scanning
B. Container vulnerability scanner
C. Container Port scanner
D. Container antivirus

A

A. Container image scanning

Explanation:
You can ensure that your containers are free from malware and vulnerabilities and are not exposing secrets by running a container image scanner. This scanner looks at the environment and searches for custom indicators of compromise, enabling you to mitigate any risk before additional development takes place or before deploying a live ecosystem.

40
Q

You have taken your workstation into the hardware lab to get reimaged with the newest operating system using Clonezilla. While there, you notice some new machines on the workbench with the USB port filled with glue. What type of security approach is this?

A. Redundant
B. Reciprocal
C. Vector oriented
D. Protective oriented

A

C. Vector oriented

Explanation:
Vector oriented security is an approach to layering defense mechanisms to protect valuable information and data. Vector oriented security focuses on common attack vectors, for example by permanently disabling USB ports so they cannot be used.

41
Q

You need to pull data into a tool from a suspected compromised system. Imaging has not been done and you want to start media and network analysis as soon as possible. Which of these tools will allow you to create a forensic image of hard drives, preview files on the network drives and then export those files from a forensic image?

A. MD5
B. FTK
C. SHA-1
D. Duplicator

A

B. FTK

Explanation:
Forensic Toolkit (FTK) is a computer forensics software application made by AccessData. The toolkit includes a standalone disk imaging program called FTK Imager. FTK Imager is a free tool that saves an image of a hard disk in one file or in segments that may be reconstructed later. It calculates the MD5 or SHA1 hash values of the original and the copy, confirming the integrity of the data before closing the files. A duplicator is hardware that allows you to swap drives in and out as needed and can be used to copy information or erase it.

42
Q

Sometimes your victim cannot afford to remove the system, or the only evidence of the incident may currently be in memory. Either way, a standard forensic duplication is impossible. What is your alternative?

A. String searches
B. Memory dumps
C. Live incident response
D. Encryption

A

C. Live incident response

Explanation:
Live data is collected in nearly every incident response investigation. The main purpose of the collection is to preserve volatile evidence that will further the investigation. You should also collect any additional information that can be gathered quickly, such as log files and file listings. This is done so that you have answers to investigative questions without performing a lengthier drive duplication. The first responder will look for rogue connections or mysterious running processes, and it is sometimes possible to capture an image of the running memory.

43
Q

Mike is debugging network problems on a Linux server; ping and traceroute are helpful, but he may need to have further network details on hand to help track down an issue and get it fixed. What tool might he use?

A. Netstat
B. Metasploit
C. LDAP
D. TSK

A

A. Netstat

Explanation:
netstat is a Linux tool that can display incoming and outgoing network connections. It can be used to get information on network statistics, protocol statistics, and routing tables.

44
Q

You are looking for a tool that will assist in recovering and reconstructing Microsoft Event Viewer logs. Which of these would work best?

A. EVTXtract
B. MUI
C. Ghidra
D. Aircrack-ng

A

A. EVTXtract

Explanation:
EVTXtract is a Python script, which you can easily run on any platform, such as Windows, Linux or macOS. Just invoke the script, provide the path to the binary image, and wait until EVTXtract writes its results to the standard output stream. EVTXtract recovers and reconstructs fragments of EVTX log files from binary data, memory images and unallocated space.

45
Q

Jessica is conducting a digital forensics investigation and needs a fast file carver that is filesystem independent and that will carve files from FATx and NTFS. Which of these would be the best option?

A. OllyDbg
B. Forceps
C. Scalpel
D. Nmap

A

C. Scalpel

Explanation:
The Scalpel file carving tool is based on pattern recognition, with patterns that describe particular file or data fragment types. The patterns can be based on either binary strings or regular expressions.

46
Q

You have an ASCII hex dump file and need a tool that will assist you in reading a temporary libpcap file. What is the best tool to use?

A. TSK
B. Wireshark
C. strace
D. MD5

A

B. Wireshark

Explanation:
Wireshark can read in an ASCII hex dump and write the data described into a temporary libpcap capture file. It can read hexdumps with multiple packets in t and b
