CPSA Flashcards

1
Q

What is on Port 123?

A

Network Time Protocol (NTP). TCP as well as UDP.

2
Q

What is on Port 110?

A

POP3 (retrieving mail). TCP as well as UDP.

3
Q

What is on Port 19?

A

Character Generator. TCP as well as UDP.

4
Q

What is on Port 7?

A

Echo

5
Q

What is on Port 5432?

A

PostgreSQL

6
Q

What is on Port 23?

A

Telnet

7
Q

What is on Port 520?

A

Routing Information Protocol (RIP), UDP.

8
Q

What is on Port 512?

A

rexec (remote execution)

9
Q

What is on Port 513?

A

rlogin (remote login)

10
Q

What is on Port 514?

A

rsh (remote shell)

11
Q

What is on Port 79?

A

Finger

12
Q

Which port does MSSQL use, and which port does it use in hidden mode?

A

TCP port 1433; hidden mode uses port 2433.

13
Q

What is the default port of Oracle database?

A

1521, TCP

14
Q

What port is used for IPsec?

A

500 (Internet Key Exchange)

15
Q

What does IKE stand for?

A

Internet Key Exchange
In computing, Internet Key Exchange (IKE, sometimes IKEv1 or IKEv2, depending on version) is the protocol
used to set up a security association (SA) in the IPsec protocol suite. IKE builds upon the Oakley protocol and
ISAKMP.[1] IKE uses X.509 certificates for authentication - either pre-shared or distributed using DNS
(preferably with DNSSEC) and a Diffie–Hellman key exchange - to set up a shared session secret from
which cryptographic keys are derived.[2][3] In addition, a security policy for every peer which will connect
must be manually maintained.[2]

16
Q

What does LSASS stand for?

A

Local Security Authority Subsystem Service (LSASS) is a process in Microsoft Windows operating systems that
is responsible for enforcing the security policy on the system. It verifies users logging on to a Windows
computer or server, handles password changes, and creates access tokens.[1] It also writes to the Windows
Security Log.

17
Q

What does SAM stand for?

A

The Security Account Manager (SAM) is a database file[1] in Windows XP, Windows Vista and Windows 7 that
stores users' passwords. It can be used to authenticate local and remote users. Beginning with Windows 2000
SP4, Active Directory authenticates remote users. SAM uses cryptographic measures to prevent unauthorised
users from gaining access to the system.

18
Q

What does EAP stand for?

A

Extensible Authentication Protocol (EAP) is an authentication framework frequently used in wireless
networks and point-to-point connections.

19
Q

What does WPA stand for?

A

Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access II (WPA2) are two security protocols and security
certification programs developed by the Wi-Fi Alliance to secure wireless computer networks. The Alliance
defined these in response to serious weaknesses researchers had found in the previous system, Wired
Equivalent Privacy (WEP).[1]

20
Q

What do SMS, SUS, WSUS and MBSA stand for?

A
Windows Update Agent (WUA)
Systems Management Server (SMS)
Server Update Services (SUS)
Windows Server Update Services (WSUS)
Microsoft Baseline Security Analyzer (MBSA)
21
Q

What does OSPF stand for?

A
Open Shortest Path First (OSPF) is a routing protocol for Internet Protocol (IP) networks. It uses a link state
routing (LSR) algorithm and falls into the group of interior routing protocols, operating within a single
autonomous system (AS).
22
Q

What does RIP stand for?

A

The Routing Information Protocol (RIP) is one of the oldest distance-vector routing protocols; it employs
the hop count as its routing metric.

23
Q

What does TKIP stand for?

A

Temporal Key Integrity Protocol (TKIP) was a stopgap security protocol used in the IEEE 802.11
wireless networking standard.

24
Q

What does STP stand for?

A

The Spanning Tree Protocol (STP) is a network protocol that builds a logical loop-free topology for Ethernet
networks.

25
Q

What does PGP stand for?

A

Pretty Good Privacy (PGP) is an encryption program that provides cryptographic privacy and authentication for
data communication.

26
Q

What does DES stand for?

A

The Data Encryption Standard (DES) is a symmetric-key algorithm for the encryption of electronic
data.
Its successor is 3DES.

27
Q

What is EICAR used for?

A

EICAR is a text file with a signature recognised by all AV vendors to test if a virus is detected by the AV engine.
EICAR is not a virus by itself.

28
Q

How does traceroute work?

A

Traceroute works by sending packets with gradually increasing TTL values, starting with a TTL of one. The
first router receives the packet, decrements the TTL and drops the packet because the TTL is then
zero. The router sends an ICMP Time Exceeded message back to the source.

29
Q

What does AJAX stand for?

A

Ajax (also AJAX; short for asynchronous JavaScript and XML)[1][2][3] is a set of web development
techniques using many web technologies on the client side to create asynchronous Web applications.

30
Q

What does SOAP stand for?

A

SOAP (Simple Object Access Protocol) is a protocol specification for exchanging structured information in the
implementation of web services in computer networks.

31
Q

What does IIS stand for?

A

Internet Information Services (IIS, formerly Internet Information Server) is an extensible web server created by
Microsoft for use with the Windows NT family.

32
Q

What does URI stand for?

A

A Uniform Resource Identifier (URI) is a string of characters used to identify a
resource. Such identification enables interaction with representations of the resource over a network, typically
the World Wide Web.

33
Q

What does HTTP stand for?

A

The Hypertext Transfer Protocol (HTTP) is an application protocol for distributed, collaborative, hypermedia
information systems.

34
Q

What does FSMO stand for?

A

Flexible Single Master Operations (FSMO; the F sometimes stands for "floating"; pronounced "fiz-mo"), or just single master
operation or operations master, is a feature of Microsoft's Active Directory (AD).[1] As of 2005, the term FSMO
has been deprecated in favour of "operations masters".

35
Q

What does NetBIOS stand for?

A

NetBIOS is an acronym for Network Basic Input/Output System. It provides services related to the
session layer of the OSI model, allowing applications on separate computers to communicate over a local area
network. Being strictly an API, NetBIOS is not a networking protocol.

36
Q

B2) Network Architectures

A
37
Q

WEP (Wired Equivalent Privacy)
64-bit WEP key: 40-bit key + 24-bit IV (initialization vector)
128-bit WEP key: 104-bit key + 24-bit IV (initialization vector)

A
38
Q

B4) Network Mapping & Target Identification

A
39
Q

Map route between engagement point and target:

A
  • traceroute (uses UDP or ICMP echo)
  • tcptraceroute (uses TCP SYN)
  • tracert (Windows)
40
Q

Network sweeping (Ping Sweep)

A

• An ICMP sweep (ICMP ECHO requests) is a basic network scanning technique used to determine which of
a range of IP addresses map to live hosts (computers). Whereas a single ping will tell you whether one
specified host exists on the network, a ping sweep consists of ICMP (Internet Control
Message Protocol) ECHO requests sent to multiple hosts. If a given address is live, it will return an
ICMP ECHO reply. Ping sweeps are among the older and slower methods used to scan a network.

41
Q

Network sweeping (TCP)

A

With the TCP sweep technique, instead of sending ICMP ECHO request packets we send TCP ACK or TCP SYN
packets (depending on whether we have root access or not) to the target network. The port number can be selected to
meet our needs. Usually a good pick would be one of the following ports: 21 / 22 / 23 / 25 / 80 (especially if a
firewall is protecting the targeted network). Receiving a response is a good indication that something is up
there. The response depends on the target's operating system, the nature of the packet sent and any firewalls,
routers or packet-filtering devices used. Bear in mind that firewalls can spoof a RESET packet for an IP address,
so TCP sweeps may not be reliable.

42
Q

B5) Interpreting Tool Output

A
43
Q

• Types of scanning methods (nmap)

A
o -sS (TCP SYN scan)
o -sT (TCP connect scan)
o -sU (UDP scan)
o -sY (SCTP INIT scan)
o -sN; -sF; -sX (TCP NULL, FIN, and Xmas scans)
o -sA (TCP ACK scan)
44
Q

• Port ranges:

A

o The port numbers in the range from 0 to 1023 are the well-known ports or system ports.
They are used by system processes that provide widely used types of network services. On
Unix-like operating systems, a process must execute with superuser privileges to be able to
bind a network socket to an IP address using one of the well-known ports.

45
Q

• Port ranges:

A

o The range of port numbers from 1024 to 49151 are the registered ports. They are assigned
by IANA for specific service upon application by a requesting entity. On most systems,
registered ports can be used by ordinary users

46
Q

• Port ranges:

A

o The range 49152–65535 (2^15 + 2^14 to 2^16 − 1) contains dynamic or private ports that cannot
be registered with IANA. This range is used for private or customized services or temporary
purposes and for automatic allocation of ephemeral ports.

47
Q

TTL (default initial TTL values by operating system; each answer gives TCP / UDP)

A
48
Q

AIX

A

60 30

49
Q

DEC Pathworks V5

A

30 30

50
Q

FreeBSD 2.1R

A

64 64

51
Q

HP/UX 9.0

A

30 30

52
Q

HP/UX 10.01

A

64 64

53
Q

Irix 5.3

A

60 60

54
Q

Irix 6.x

A

60 60

55
Q

Linux

A

64 64

56
Q

MacOS/MacTCP 2.0.x

A

60 60

57
Q

OS/2 TCP/IP 3.0

A

64 64

58
Q

OSF/1 V3.2A

A

60 30

59
Q

Solaris 2.x

A

255 255

60
Q

SunOS 4.1.3/4.1.4

A

60 60

61
Q

Ultrix V4.1/V4.2A

A

60 30

62
Q

VMS/Multinet

A

64 64

63
Q

VMS/TCPware

A

60 64

64
Q

VMS/Wollongong

A

128 30

65
Q

VMS/UCX

A

128 128

66
Q

MS WFW

A

32 32

67
Q

MS Windows 95

A

32 32

68
Q

MS Windows NT 3.51

A

32 32

69
Q

MS Windows NT 4.0

A

128 128

70
Q

B6) Filtering Avoidance Techniques

A
71
Q

Ingress:

A

Network traffic that originates from outside of the network’s routers and proceeds toward a destination inside
of the network.

72
Q

What is running on Port 1524?

A

Ingres (ingreslock)

73
Q

Egress:

A

Network traffic that begins inside of a network and proceeds through its routers to a destination somewhere
outside of the network.
As a defence-in-depth measure, not only ingress but also egress traffic should be restricted. This makes it
harder for an attacker to start a reverse shell from the server, if only the services running on the server are
allowed to connect to the outside world.

74
Q

B8) OS Fingerprinting

A
75
Q

Active fingerprinting:

A

Active fingerprinting is the process of transmitting packets to a remote host and analysing corresponding
replies.

76
Q

Passive fingerprinting:

A

Passive fingerprinting is the process of analysing packets from a host on a network. In this case, the fingerprinter
acts as a sniffer and doesn't put any traffic on the network.

77
Q

Active fingerprinting by using nmap:

A

• OS detection (-O) and version scan (-sV)
- nmap -O -sV -v <target>
• Use IPv6 (-6)
- nmap -6 -O -sV -v <target>

78
Q

B9) Application Fingerprinting and Evaluating Unknown Services

A

• nmap -sV -sC -T4 -F <target>
-sV is for version scanning
-sC scans using the default nmap script set
Recall that -T4 causes nmap to go faster (more aggressive timing) and -F tells nmap to scan only the ports
registered in nmap-services.

79
Q

B11) Cryptography

A
80
Q

Which of the following is symmetric encryption: MD2, MD5 or AES?

A

MD2, MD5 and SHA-1 are hashing algorithms.

AES (Advanced Encryption Standard) is a symmetric encryption algorithm.

81
Q

Differences between encryption and encoding.

A

If data is encrypted it can be decrypted again into the original, clear text but only by the person that is in
possession of the secret/key.
Encoding is the process of applying a specific code, such as letters, symbols and numbers, to data for
conversion into an equivalent cipher. Only the encoding needs to be known (such as Base64) to decode the
data back into the clear text.

82
Q

Symmetric / asymmetric encryption

A

Symmetric-key algorithms are algorithms for cryptography that use the same cryptographic keys for both
encryption of plaintext and decryption of ciphertext. The keys may be identical or there may be a simple
transformation to go between the two keys.
Asymmetric Encryption is a form of Encryption where keys come in pairs. What one key encrypts, only the
other can decrypt. Frequently (but not necessarily), the keys are interchangeable, in the sense that if key A
encrypts a message, then B can decrypt it, and if key B encrypts a message, then key A can decrypt it.

83
Q

Data Encryption Standard (DES)

A

The Data Encryption Standard (DES) is a symmetric-key algorithm for the encryption of electronic data.
Although now considered insecure, it was highly influential in the advancement of modern cryptography.

84
Q

Triple Data Encryption Standard (3DES, or officially the Triple Data Encryption Algorithm TDEA or Triple DEA)

A

The original DES cipher’s key size of 56 bits was generally sufficient when that algorithm was designed, but the
availability of increasing computational power made brute-force attacks feasible. Triple DES provides a
relatively simple method of increasing the key size of DES to protect against such attacks, without the need to
design a completely new block cipher algorithm.

85
Q

Advanced Encryption Standard (AES)

A

AES, also known as Rijndael[4][5] (its original name), is a specification for the encryption of electronic data
established by the U.S. National Institute of Standards and Technology (NIST) in 2001.[6]

86
Q

RSA (Rivest, Shamir, Adleman)

A

RSA is one of the first practical public-key cryptosystems and is widely used for secure data transmission. In
such a cryptosystem, the encryption key is public and differs from the decryption key which is kept secret. In
RSA, this asymmetry is based on the practical difficulty of factoring the product of two large prime numbers,
the factoring problem.
RSA is a relatively slow algorithm, and because of this it is less commonly used to directly encrypt user data.
More often, RSA passes encrypted shared keys for symmetric key cryptography which in turn can perform bulk
encryption-decryption operations at much higher speed.

87
Q

RC4

A

In cryptography, RC4 (Rivest Cipher 4, also known as ARC4 or ARCFOUR, meaning Alleged RC4) is a
stream cipher. While remarkable for its simplicity and speed in software, multiple vulnerabilities have been
discovered in RC4, rendering it insecure.[3][4] It is especially vulnerable when the beginning of the output
keystream is not discarded, or when nonrandom or related keys are used. Particularly problematic uses of RC4
have led to very insecure protocols such as WEP.[5]

88
Q

MD5

A

The MD5 algorithm is a widely used hash function producing a 128-bit hash value. Although MD5 was initially
designed to be used as a cryptographic hash function, it has been found to suffer from extensive
vulnerabilities. It can still be used as a checksum to verify data integrity, but only against unintentional
corruption.
Like most hash functions, MD5 is neither encryption nor encoding. It can be reversed by brute-force attack and
suffers from extensive vulnerabilities.

89
Q

SHA-1 (Secure Hash Algorithm 1)

A

In cryptography, SHA-1 (Secure Hash Algorithm 1) is a cryptographic hash function designed by the United
States National Security Agency and is a U.S. Federal Information Processing Standard published by the United
States NIST.[2] SHA-1 produces a 160-bit (20-byte) hash value known as a message digest. A SHA-1 hash value
is typically rendered as a hexadecimal number, 40 digits long.

90
Q

Hash-based message authentication code (HMAC)

A

In cryptography, a keyed-hash message authentication code (HMAC) is a specific type of message
authentication code (MAC) involving a cryptographic hash function (hence the ‘H’) in combination with a secret
cryptographic key. As with any MAC, it may be used to simultaneously verify both the data integrity and the
authentication of a message. Any cryptographic hash function, such as MD5 or SHA-1, may be used in the
calculation of an HMAC; the resulting MAC algorithm is termed HMAC-MD5 or HMAC-SHA1 accordingly. The
cryptographic strength of the HMAC depends upon the cryptographic strength of the underlying hash function,
the size of its hash output, and on the size and quality of the key.

91
Q

B12 Applications of Cryptography

A
92
Q

Transport Layer Security (TLS)

A

A cryptographic protocol designed to provide communications security over a computer network. The protocol is widely used in applications such as email, instant messaging, and voice over IP, but its use in securing HTTPS remains the most publicly visible.

93
Q

Secure Sockets Layer

A

An encryption-based Internet security protocol. It was first developed by Netscape in 1995 for the purpose of ensuring privacy, authentication, and data integrity in Internet communications. SSL is the predecessor to the modern TLS encryption used today.

94
Q

IPSec

A

Internet Protocol Security (IPsec) is a protocol suite for secure Internet Protocol (IP) communications that
works by authenticating and encrypting each IP packet of a communication session. IPsec includes protocols
for establishing mutual authentication between agents at the beginning of the session and negotiation of
cryptographic keys to be used during the session.

95
Q

Authentication Header (AH)

A

AH is a member of the IPsec protocol suite. AH guarantees
connectionless integrity and data origin authentication of IP packets. Further, it can optionally protect
against replay attacks by using the sliding window technique and discarding old packets.

96
Q

Encapsulating Security Payload (ESP)

A

ESP is a member of the IPsec protocol suite. In IPsec it provides
origin authenticity, integrity and confidentiality protection of packets. ESP also supports encryption-only
and authentication-only configurations, but using encryption without authentication is strongly discouraged
because it is insecure.

97
Q

Secure Shell (SSH)

A
Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an
unsecured network.[1] The best known example application is for remote login to computer systems by users.
98
Q

Pretty Good Privacy (PGP)

A

Pretty Good Privacy (PGP) is an encryption program that provides cryptographic privacy and authentication for
data communication. PGP is often used for signing, encrypting, and decrypting texts, e-mails, files, directories,
and whole disk partitions and to increase the security of e-mail communications. It was created by Phil
Zimmermann in 1991.[2]

99
Q

WEP

A

Wired Equivalent Privacy (WEP) is a security algorithm for IEEE 802.11 wireless networks. Introduced as part of
the original 802.11 standard ratified in 1997, its intention was to provide data confidentiality comparable to
that of a traditional wired network.[1] WEP, recognizable by the key of 10 or 26 hexadecimal digits, was at one
time widely in use and was often the first security choice presented to users by router configuration tools.