CPSA MQ1

Question 1

Why can remote access VPNs not use Main Mode for IKE Phase-1 if the authentication method is pre-shared key?

Answer 1

Because pre-shared key authentication with Main Mode requires that the peer’s IP is known before the connection is established.

Question 2

What is the blocksize of the DES encryption cipher?

Answer 2

64 bits

Question 3

What is this: 16:23:57.094021 IP 192.168.124.204.137 > 192.168.124.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST

Answer 3

A NetBIOS over TCP/IP name service broadcast

Question 4

Which is the least secure encryption cipher of those listed below?

Answer 4

DES

Question 5

Which file in a user’s home directory controls the trust relationships for Berkeley R services?

Answer 5

rhosts

Question 6

Which operating system is most likely to be vulnerable to the TTYPROMPT vulnerability in the telnet service?

Answer 6

Solaris 8

Question 7

Which of the following algorithms could be used to negotiate a shared encryption key?

Answer 7

Diffie-Hellman

Question 8

Why might a tester insert the string “alert(“it works”)” into a web form?

Answer 8

To check for a Cross-Site Scripting vulnerability

Question 9

Which protocols are associated with PPTP?

Answer 9

TCP port 1723 and IP protocol 47

Question 10

Where are the encrypted passwords stored on a Solaris system?

Answer 10

/etc/shadow

Question 11

Which of the following statements about the rwho protocol is true?

Answer 11

The rwho daemon sends regular broadcasts to UDP port 513, and listens to broadcasts from other systems.

Question 12

How would you establish a null session to a windows host from a windows command shell?

Answer 12

NET USE \hostname\ipc$ “” /u:””

Question 13

If the account lockout threshold is set to 5, how many incorrect password attempts will cause the built in administrator account to be locked out on a Windows 2003 system?

Answer 13

The built in administrator account will never be locked out

Question 14

What effect would an octal umask of 0027 have on the permissions of new files?

Answer 14

Remove group write access, and remove all permissions for others

Question 15

What is the name given to the field concerned with the security implications of electronic eminations from communications equipment?

Answer 15

TEMPEST

Question 16

Which of these is not a valid IPv6 address?

Answer 16

2001:0db8:1428:57ab

Question 17

You discover an Internet accessible anonymous FTP server on a client’s internal network, which is vulnerable to the FTP bounce attack. What is the impact of this vulnerability?

Answer 17

Attackers could exploit the vulnerability to port scan other systems on the client’s internal network.

Question 18

What would you expect the command “finger 0@hostname” (that is a zero) against a Solaris 8 system to display?

Answer 18

Users with an empty GCOS field in the password file.

Question 19

What are the four potential risk treatments

Answer 19

Avoid, Reduce, Accept and Transfer

Question 20

What does “export” signify for an SSL cipher

Answer 20

It is a weak cipher that was acceptable for export under the old US cryptography export regulations

Question 21

Which of these protocols is not vulnerable to address spoofing if implemented correctly?

Answer 21

TCP

Question 22

What effect does setting the RestrictAnonymous registry setting to 1 have on a Windows NT or 2000 system?

Answer 22

It prevents enumeration of SAM accounts and names.

Question 23

What command would you use to list the installed packages on a Solaris system?

Answer 23

pkginfo

Question 24

Which protocols and ports are used by Telnet, SMTP and Finger?

Answer 24

TCP/23, TCP/25 and TCP/79.

Question 25

What would an SNMP request to set OID 1.3.6.1.4.1.9.2.1.55.10.0.0.1 to “file” on a Cisco router using a community string with read/write access do?

Answer 25

Cause the target router to upload its configuration file to the TFTP server at 10.0.0.1 as a file called “file”.

Question 26

What RPC authentication mechanism does NFS v2 and v3 use?

Answer 26

AUTH_SYS, using Unix UID and GID

Question 27

Which of these statements about the Windows built in administrator account is correct?

Answer 27

It always has RID 500

Question 28

What does the “Root Squash” option on an NFS export do?

Answer 28

Makes the root user on the NFS client access files as nobody on the server

Question 29

With blind SQL injection, the results of the injection are not visible, and no errors are displayed. How can blind SQL injection be detected?

Answer 29

The web server behaviour changes when a successful injection is performed.

Question 30

What does the phrase “Inherent Risk” mean in risk management?

Answer 30

A risk that is implicitly associated with an activity or location.

Question 31

Which of the following cipher modes use a block cipher to generate a key stream that can be used as a stream cipher?

Answer 31

CFB

Question 32

What is the digest length for the SHA1 hash function?

Answer 32

160 bits

Question 33

What is the default password for the DBSNMP user on Oracle 9i?

Answer 33

DBSNMP

Question 34

Which of these groups of tools are commonly used for packet crafting?

Answer 34

hping2, hping3 and scapy

Question 35

The active directory database file is:

Answer 35

NTDS.DIT

Question 36

Which nmap flag enables OS TCP/IP stack fingerprinting?

Answer 36

-O

Question 37

Which of the following is NOT an EAP method?

Answer 37

EAP-RSA

Question 38

What is the significance of the string “SEP” in the configuration filename of a Cisco IP phone?

Answer 38

It stands for Selsius Ethernet Phone, which was the original name of the Cisco IP phone.

Question 39

Which of these is an IP option?

Answer 39

Record Route

Question 40

Which of the following are all ONC/RPC services?

Answer 40

cmsd, kcms_server, sadmind, snmpXdmid.

Question 41

When was the Apache chunked encoding vulnerability fixed in version 1.3?

Answer 41

1.3.26

Question 42

An accepted limitation of Diffie-Hellman key agreement protocol is

Answer 42

It is vulnerable to a man-in-the-middle attack

Question 43

What are the privileged TCP and UDP ports, which only a privileged user can listen on?

Answer 43

0 - 1023 inclusive

Question 44

What attack can be used to force some switches to forward frames to all ports?

Answer 44

MAC flooding

Question 45

Which of the following protocols is the most secure?

Answer 45

WPA with CCMP (AES)

Question 46

What command would you use to display the version number of a Microsoft SQL Server database if you are connected with a command line client?

Answer 46

select @@version;

Question 47

A web server returns “Server: Microsoft-IIS/5.0” in the HTTP headers. What operating system is it probably using?

Answer 47

Windows 2000 Server

Question 48

Some older TCP implementations are vulnerable to a DoS attack that exploits the small queue for connections in progress?

Answer 48

SYN flood

Question 49

What is the function of the /etc/ftpusers file on a Unix FTP server?

Answer 49

It lists the users that are NOT permitted to use the FTP server.

Question 50

In active directory, what does FSMO (pronounced “Fizz-Mo”) stand for?

Answer 50

Flexible Single Master Operations

Question 51

What TCP port does Microsoft SQL Server listen on in hidden mode?

Answer 51

2433

Question 52

During a penetration test, you gain access to a database containing personal details of staff. What is the best course of action?

Answer 52

Note the issue but do not store any of the personal data on your system.

Question 53

When should the scope of work be defined?

Answer 53

Before testing is started

Question 54

Which of these techniques is commonly implemented in modern C compilers to prevent buffer overflow exploitation?

Answer 54

Canary values

Question 55

Which of the following encryption algorithms is an asymmetric cipher?

Answer 55

RSA

Question 56

What are the valid key lengths for the AES encryption cipher?

Answer 56

128, 192 and 256

Question 57

Which are the six base SIP methods?

Answer 57

REGISTER, INVITE, ACK, CANCEL, BYE, OPTIONS

Question 58

Which scan would be most likely to discover a firewall that blocks all traffic to itself from the interface connected to the network you are scanning from?

Answer 58

ARP scan

Question 59

You find a system that is offering the NFS RPC service. What is the logical next step?

Answer 59

Run “showmount -e” to list the NFS exports.

Question 60

What is this: password 7 052D131D33556C081D021200

Answer 60

A password encoded with the reversible Cisco vigenere algorithm

Question 61

What identifies the superuser on a Unix or Linux system?

Answer 61

Any user with UID 0 (zero) in the password file

Question 62

Which command will retrieve the version number from default installations of the BIND nameserver software?

Answer 62

dig @nameserver version.bind txt chaos

Question 63

The UK Government protective marking levels are, from lowest to highest protection:

Answer 63

NPM, PROTECT, RESTRICTED, CONFIDENTIAL, SECRET, TOP SECRET

Question 64

What are the SIP and RTP protocols used for in VoIP?

Answer 64

SIP is used for setting up and closing down calls, and RTP is used for audio data transmission.

Question 65

What is the primary legal reason for obtaining written permission before starting a test?

Answer 65

Because otherwise the penetration test might breach the Computer Misuse Act

Question 66

Which of the following statements about the time protocols “time”, “daytime” and “NTP” are correct?

Answer 66

“time” represents the time as a 32-bit value, “daytime” uses an ASCII string, and “NTP” uses a 64-bit value.

Question 67

Which of these is not a valid IP address?

Answer 67

192.168.300.1

Question 68

What command would you use to list the installed patches on a Solaris system?

Answer 68

showrev -a or showrev -p

Question 69

On a Unix system, what is the effect of the execute bit on a directory?

Answer 69

It allows the directory to be traversed

Question 70

What is this: 17:58:01.396446 CDPv2, ttl: 180s, Device-ID ‘chestnut.nta-monitor.com’, length 404

Answer 70

A CDP broadcast

Question 71

What are the four mandatory transform attributes for an IKE Phase-1 SA?

Answer 71

Encryption Algorithm, Hash Algorithm, Authentication Method, Diffie Hellman Group

Question 72

What command would you use to list the installed packages on a Redhat or Fedora system?

Answer 72

rpm -qa

Question 73

Where are the encrypted passwords stored on a FreeBSD system?

Answer 73

/etc/master.passwd

Question 74

You discover a vulnerability on an Internet accessible web server which allows you to execute commands as a non-privileged user. The web server is behind a firewall that allows only TCP
port 80 inbound and permits all outbound traffic. What technique could be used to get shell access to the webserver?

Answer 74

Run a shell on the webserver and connect its control channel back to a TCP port on your local system

Question 75

If you find TCP port 111 open on a Unix system, what is the next logical step to take?

Answer 75

Run “rpcinfo -p” to enumerate the RPC services.

Question 76

Which protocol and port does a normal DNS lookup use?

Answer 76

UDP port 53

Question 77

Which of the following web application technologies would you expect to be most secure?

Answer 77

A pure Java application.

Question 78

Which nmap command performs a half-open or “SYN” TCP portscan?

Answer 78

nmap -n -P0 -v -sS -p1-1024 hostname

Question 79

Which command will perform a DNS zone transfer of the domain “company.com” from the nameserver at 10.0.0.1?

Answer 79

dig @10.0.0.1 company.com axf

Question 80

What is this: 17:57:57.850175 802.1d config 8064.00:0c:85:f1:3f:80.8010 root 8064.00:0b:46:48:29:80 pathcost 19 age 1 max 20 hello 2 fdelay 15

Answer 80

A Spanning Tree Protocol broadcast

Question 81

Which of these is not an ICMP message type?

Answer 81

Host unreachable

Question 82

What version of NFS includes strong security, including strong authentication and encryption?

Answer 82

version 4

Question 83

The DNS entries for www.customer.com and www.example.com both point to the same IP address. How does the web server know which domain is being requested by the browser?

Answer 83

It uses the HTTP Host: header.

Question 84

If an attacker gained access to a Microsoft SQL server using the “sa” account, which stored procedure would he use to add a user account?

Answer 84

xp_cmdshell

Question 85

Which of these is an Ethernet multicast MAC address?

Answer 85

01:00:0c:cc:cc:cc

Question 86

what technique forwards traffic to an attacker’s system by associating the attacker’s MAC address with the IP address of the target system?

Answer 86

ARP spoofing or ARP poisoning

Question 87

Which of these methods is the best way to determine if a remote host is running an X Window server that allows remote connections from the local host?

Answer 87

Run “xdpyinfo -display remotehost:0.0”

Question 88

What is the default password for the SYS user on Oracle 10g?

Answer 88

CHANGE_ON_INSTALL

Question 89

UDP port 1434 is commonly used by which database?

Answer 89

Microsoft SQL Server

Question 90

AJAX is

Answer 90

Asynchronous Javascript and XML