CPSA MQ1 Flashcards
Why can remote access VPNs not use Main Mode for IKE Phase-1 if the authentication method is pre-shared key?
Because pre-shared key authentication with Main Mode requires that the peer’s IP is known before the connection is established.
What is the blocksize of the DES encryption cipher?
64 bits
What is this: 16:23:57.094021 IP 192.168.124.204.137 > 192.168.124.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
A NetBIOS over TCP/IP name service broadcast
Which is the least secure encryption cipher of those listed below?
DES
Which file in a user’s home directory controls the trust relationships for Berkeley R services?
rhosts
Which operating system is most likely to be vulnerable to the TTYPROMPT vulnerability in the telnet service?
Solaris 8
Which of the following algorithms could be used to negotiate a shared encryption key?
Diffie-Hellman
Why might a tester insert the string “alert(“it works”)” into a web form?
To check for a Cross-Site Scripting vulnerability
Which protocols are associated with PPTP?
TCP port 1723 and IP protocol 47
Where are the encrypted passwords stored on a Solaris system?
/etc/shadow
Which of the following statements about the rwho protocol is true?
The rwho daemon sends regular broadcasts to UDP port 513, and listens to broadcasts from other systems.
How would you establish a null session to a windows host from a windows command shell?
NET USE \hostname\ipc$ “” /u:””
If the account lockout threshold is set to 5, how many incorrect password attempts will cause the built in administrator account to be locked out on a Windows 2003 system?
The built in administrator account will never be locked out
What effect would an octal umask of 0027 have on the permissions of new files?
Remove group write access, and remove all permissions for others
What is the name given to the field concerned with the security implications of electronic eminations from communications equipment?
TEMPEST
Which of these is not a valid IPv6 address?
2001:0db8:1428:57ab
You discover an Internet accessible anonymous FTP server on a client’s internal network, which is vulnerable to the FTP bounce attack. What is the impact of this vulnerability?
Attackers could exploit the vulnerability to port scan other systems on the client’s internal network.
What would you expect the command “finger 0@hostname” (that is a zero) against a Solaris 8 system to display?
Users with an empty GCOS field in the password file.
What are the four potential risk treatments
Avoid, Reduce, Accept and Transfer
What does “export” signify for an SSL cipher
It is a weak cipher that was acceptable for export under the old US cryptography export regulations
Which of these protocols is not vulnerable to address spoofing if implemented correctly?
TCP
What effect does setting the RestrictAnonymous registry setting to 1 have on a Windows NT or 2000 system?
It prevents enumeration of SAM accounts and names.
What command would you use to list the installed packages on a Solaris system?
pkginfo
Which protocols and ports are used by Telnet, SMTP and Finger?
TCP/23, TCP/25 and TCP/79.
What would an SNMP request to set OID 1.3.6.1.4.1.9.2.1.55.10.0.0.1 to “file” on a Cisco router using a community string with read/write access do?
Cause the target router to upload its configuration file to the TFTP server at 10.0.0.1 as a file called “file”.
What RPC authentication mechanism does NFS v2 and v3 use?
AUTH_SYS, using Unix UID and GID
Which of these statements about the Windows built in administrator account is correct?
It always has RID 500
What does the “Root Squash” option on an NFS export do?
Makes the root user on the NFS client access files as nobody on the server
With blind SQL injection, the results of the injection are not visible, and no errors are displayed. How can blind SQL injection be detected?
The web server behaviour changes when a successful injection is performed.
What does the phrase “Inherent Risk” mean in risk management?
A risk that is implicitly associated with an activity or location.
Which of the following cipher modes use a block cipher to generate a key stream that can be used as a stream cipher?
CFB
What is the digest length for the SHA1 hash function?
160 bits
What is the default password for the DBSNMP user on Oracle 9i?
DBSNMP
Which of these groups of tools are commonly used for packet crafting?
hping2, hping3 and scapy
The active directory database file is:
NTDS.DIT
Which nmap flag enables OS TCP/IP stack fingerprinting?
-O
Which of the following is NOT an EAP method?
EAP-RSA
What is the significance of the string “SEP” in the configuration filename of a Cisco IP phone?
It stands for Selsius Ethernet Phone, which was the original name of the Cisco IP phone.
Which of these is an IP option?
Record Route
Which of the following are all ONC/RPC services?
cmsd, kcms_server, sadmind, snmpXdmid.
When was the Apache chunked encoding vulnerability fixed in version 1.3?
1.3.26
An accepted limitation of Diffie-Hellman key agreement protocol is
It is vulnerable to a man-in-the-middle attack
What are the privileged TCP and UDP ports, which only a privileged user can listen on?
0 - 1023 inclusive
What attack can be used to force some switches to forward frames to all ports?
MAC flooding
Which of the following protocols is the most secure?
WPA with CCMP (AES)
What command would you use to display the version number of a Microsoft SQL Server database if you are connected with a command line client?
select @@version;
A web server returns “Server: Microsoft-IIS/5.0” in the HTTP headers. What operating system is it probably using?
Windows 2000 Server
Some older TCP implementations are vulnerable to a DoS attack that exploits the small queue for connections in progress?
SYN flood
What is the function of the /etc/ftpusers file on a Unix FTP server?
It lists the users that are NOT permitted to use the FTP server.
In active directory, what does FSMO (pronounced “Fizz-Mo”) stand for?
Flexible Single Master Operations
What TCP port does Microsoft SQL Server listen on in hidden mode?
2433
During a penetration test, you gain access to a database containing personal details of staff. What is the best course of action?
Note the issue but do not store any of the personal data on your system.
When should the scope of work be defined?
Before testing is started
Which of these techniques is commonly implemented in modern C compilers to prevent buffer overflow exploitation?
Canary values
Which of the following encryption algorithms is an asymmetric cipher?
RSA
What are the valid key lengths for the AES encryption cipher?
128, 192 and 256
Which are the six base SIP methods?
REGISTER, INVITE, ACK, CANCEL, BYE, OPTIONS
Which scan would be most likely to discover a firewall that blocks all traffic to itself from the interface connected to the network you are scanning from?
ARP scan
You find a system that is offering the NFS RPC service. What is the logical next step?
Run “showmount -e” to list the NFS exports.
What is this: password 7 052D131D33556C081D021200
A password encoded with the reversible Cisco vigenere algorithm
What identifies the superuser on a Unix or Linux system?
Any user with UID 0 (zero) in the password file
Which command will retrieve the version number from default installations of the BIND nameserver software?
dig @nameserver version.bind txt chaos
The UK Government protective marking levels are, from lowest to highest protection:
NPM, PROTECT, RESTRICTED, CONFIDENTIAL, SECRET, TOP SECRET
What are the SIP and RTP protocols used for in VoIP?
SIP is used for setting up and closing down calls, and RTP is used for audio data transmission.
What is the primary legal reason for obtaining written permission before starting a test?
Because otherwise the penetration test might breach the Computer Misuse Act
Which of the following statements about the time protocols “time”, “daytime” and “NTP” are correct?
“time” represents the time as a 32-bit value, “daytime” uses an ASCII string, and “NTP” uses a 64-bit value.
Which of these is not a valid IP address?
192.168.300.1
What command would you use to list the installed patches on a Solaris system?
showrev -a or showrev -p
On a Unix system, what is the effect of the execute bit on a directory?
It allows the directory to be traversed
What is this: 17:58:01.396446 CDPv2, ttl: 180s, Device-ID ‘chestnut.nta-monitor.com’, length 404
A CDP broadcast
What are the four mandatory transform attributes for an IKE Phase-1 SA?
Encryption Algorithm, Hash Algorithm, Authentication Method, Diffie Hellman Group
What command would you use to list the installed packages on a Redhat or Fedora system?
rpm -qa
Where are the encrypted passwords stored on a FreeBSD system?
/etc/master.passwd
You discover a vulnerability on an Internet accessible web server which allows you to execute commands as a non-privileged user. The web server is behind a firewall that allows only TCP
port 80 inbound and permits all outbound traffic. What technique could be used to get shell access to the webserver?
Run a shell on the webserver and connect its control channel back to a TCP port on your local system
If you find TCP port 111 open on a Unix system, what is the next logical step to take?
Run “rpcinfo -p” to enumerate the RPC services.
Which protocol and port does a normal DNS lookup use?
UDP port 53
Which of the following web application technologies would you expect to be most secure?
A pure Java application.
Which nmap command performs a half-open or “SYN” TCP portscan?
nmap -n -P0 -v -sS -p1-1024 hostname
Which command will perform a DNS zone transfer of the domain “company.com” from the nameserver at 10.0.0.1?
dig @10.0.0.1 company.com axf
What is this: 17:57:57.850175 802.1d config 8064.00:0c:85:f1:3f:80.8010 root 8064.00:0b:46:48:29:80 pathcost 19 age 1 max 20 hello 2 fdelay 15
A Spanning Tree Protocol broadcast
Which of these is not an ICMP message type?
Host unreachable
What version of NFS includes strong security, including strong authentication and encryption?
version 4
The DNS entries for www.customer.com and www.example.com both point to the same IP address. How does the web server know which domain is being requested by the browser?
It uses the HTTP Host: header.
If an attacker gained access to a Microsoft SQL server using the “sa” account, which stored procedure would he use to add a user account?
xp_cmdshell
Which of these is an Ethernet multicast MAC address?
01:00:0c:cc:cc:cc
what technique forwards traffic to an attacker’s system by associating the attacker’s MAC address with the IP address of the target system?
ARP spoofing or ARP poisoning
Which of these methods is the best way to determine if a remote host is running an X Window server that allows remote connections from the local host?
Run “xdpyinfo -display remotehost:0.0”
What is the default password for the SYS user on Oracle 10g?
CHANGE_ON_INSTALL
UDP port 1434 is commonly used by which database?
Microsoft SQL Server
AJAX is
Asynchronous Javascript and XML
