Cyber Operator Flashcards
In order to execute a file in Linux the file must _____.
Be executable, contain executable code, and you must have permission to execute it
With a umask of 022, which of the following permissions are assigned when creating a new file?
rwxr-xr-x
In Linux this file is used to store hashed passwords and readable only by root.
shadow
This is a set of standards carrying out wireless local area networks.
IEEE 802.11
Which Windows 7 command can be used to perform a soft shutdown?
shutdown /s /f /t 00
A system that gathers and analyzes information from within a computer or a network, to identify
possible violations of security policy, including unauthorized access, as well as misuse is known as:
IDS
What is the default MIP2 firewall state prior to being connected to the network?
enabled and not allowing incoming connections
(U//FOUO) What are the three sub-missions of a Cyber Protection Team (CPT)?
Survey, Secure, Protect
Which Windows command can be used to configure the IP address either statically or to use Dynamic
Host Configuration Protocol (DHCP)?
netsh
(U//FOUO) Which document prioritizes and outlines the options and actions available, both technical
and procedural, to provide a greater level of mission assurance for the supported commander’s
mission through the consolidation of all squad recommendations?
Risk Mitigation Plan (RMP)
How can you stop a TCPdump capture?
Use Control-C
Which of the following is NOT contained in the CVA/Hunter Air Force Tactics, Techniques and
Procedures (AFTTP) 3-1?
Commercial Manuals
What is the purpose of crew logs?
To maintain an accurate and detailed record of all significant events
_____ focus primarily on qualitative analysis of ISR employment to determine ISR contribution to
mission objectives.
Measures of Effectiveness (MOE)
A program in which malicious or harmful code is contained inside apparently harmless programming
or data in such a way that it can get control and do its chosen form of damage is known as what?
Trojan
It is important to review _______________ during the sortie brief because it will affect the choice of
TTPs and the accomplishment of tactical tasks during sortie execution.
Intelligence Updates, Mission Partner Activity, Rules of Engagement, Crew and Mission Risks, All of the above
In Linux, how are trusted and target IP addresses added or removed?
By editing the /etc/trusted.hosts and /etc/target.hosts files
Techniques are __________.
Non-prescriptive ways or methods used to perform missions, functions or tasks
_____ focus on task execution and quantitative mission achievement.
Measures of Performance (MOP)
Which of the following is the Linux command for securely copying a file from a remote machine to
your home directory?
scp 10.10.20.100:/ios/data/assess/file.txt /home/usr/
Null sessions are __________.
an anonymous (no user, no password) connection to a freely accessible remote share called IPC$ on Windows-based servers.
Software applications that run automated tasks and can be remotely controlled, normally used in
DDoS are commonly referred to as what?
Bots
When validating DIP sensor processes what command verifies that the processes are running?
/usr/local/bin/checkstatus
What type of malware spreads from computer to computer and has the capability to travel without
any human action?
Worm
Which bit allows execution of an application as a member of this group?
SGID
Which interceptor platform consists of a single laptop, is used by one crew member and can run
limited VMs concurrently?
Mobile Interceptor Platform (MIP)
Which of the following Deployable Interceptor Platform (DIP) sub-components serves as a data
Collector and VM server?
DL-160
In VMware what do you press to exit a virtual environment?
CONTROL+ALT
Which of the following Deployable Interceptor Platform (DIP) sub-components is deployed on the
MPNet and primarily captures and stores network traffic?
Cywarfius sensor
Which of the following are the default ports for web traffic?
80 and 443
What is the TCPdump option that saves the packet data to a file?
-w
(U//FOUO) Which Cyber Protection Team (CPT) squad analyzes the supporter commander’s identified
cyberspace dependencies, essential and critical assets and cyberspace key terrain (C-KT)?
Mission Protection
A type of password cracking where a word list is used against a given encrypted password.
Dictionary Attack
Which of the following is NOT a private or non-routable IP address?
172.168.1.1
In Linux, user account information is contained in which file?
/etc/passwd
Where are the Bro sensor logs kept?
DIP2
Which vi command will bring you into insert mode?
I
Which of the following is NOT a tasking document used for CVA/Hunter missions?
Task Management Tool (TMT) Tasker
Which interceptor platform consists of Cywarfius sensors, Informaiton Operations Platform (IOP), and
fits in a hardened case?
Deployable Interceptor Platform (DIP)
How is the encrypted partition unmounted?
Double click the “UnMount…” desktop icon
PowerShell Cmdlets follow which naming convention?
Verb-noun
A path that contains the root directory and all subdirectories of the location is called?
Absolute Path
What could you use to redirect the output of a program to the input of another program on the
command line?
Pipe (|)
Which of the following documents contains an abbreviated version of the amplified Ops Manual Technical Order (TO-1)?
CVA/Hunter Cybercrew Checklists / Crew Aides
Which command will allow you to run TCPdump to monitor activity on a particular subnet?
tcpdump -w traffic net 10.10.20.0/24
Which of the following is NOT a rule for CVA/Hunter emergency procedures?
Act Immediately
Which of the following is the default port for SMTP?
25
What is a smurf attack?
Large amount of ICMP echo traffic to a network broadcast address with a spoofed source IP set to a victim
Host
Which of the following is the default port for Telnet?
23
In Windows, what command will enable the firewall and block incoming connections?
> netsh firewall set opmode enable disable
What does the following nmap scan do. nmap -O 10.10.20.1
Determines the OS of the machine
Traffic capture tools such as TCPdump and Wireshark provide _____ accountability of actions
performed on the weapon system.
Logical
When validating GIP functionality which of the following are operator responsibilities during initial
weapon system configuration? (I) Verify connectivity to an operational VM; (II) Modify Access
Control Lists (ACLs); (III) Install ArchSight Linux management console;
(IV) Verify that an operational VM has the appropriate IP in accordance with SPINS
I and IV
A file has an octal value of 755 this means:
The owner can read, write and execute; the group can read and execute; others can read and execute
A coworker uses the smb_share.pl to create a share. You are on a windows machine and using the net use command to mount the share. What user do you use when attempting to mount the share?
root
Which drive letter is used for the encrypted partition?
X:\
Which of the following Deployable Interceptor Platform (DIP) sub-components primarily serves as a
deployable network intrusion detection system?
IOP
What type of information in a tactical level mission tasking document describes communication
requirements and reporting?
Communication Contracts
What could you use to redirect the output of a program to a file on the command line?
Greater than symbol (>)
Which of the following is the Cisco IOS command to copy the running configuration to the starting
Configuration?
copy run start
What is the Unix environment variable which automatically sets file permissions on newly created
Files?
UMASK
(U//FOUO) According to the AFSPC Cyberspace Operations Security Classification Guide (SCG),
information and mission impact pertaining to
SECRET
Traceroute executes by ___________.
increasing the time-to-live value of each successive batch of packets sent
A software system that consists of a program or combination of several programs designed to hide or
obscure the fact that a system has been compromised is known as what?
A rootkit
(U//FOUO) Which Cyber Protection Team (CPT) squad detects, illuminates and defeats previously
unknown adversary activity within a specified area of responsibility?
Discovery and Counter Infiltration
What is the SAM (Security Accounts Manager) file?
A database stored as a registry file containing users’ passwords in a hashed format
What does the broadcast address do?
Allows for information to be sent to all machines on a given subnet
A malfunction is designated an emergency when ___________.
individual troubleshooting efforts do not result in a weapon system fix.
What is a Tactics Improvement Proposal (TIP)?
Comprehensive idea to improve the military capability of a fielded system, overcome a tactical deficiency or
meet an emerging operational need
What does the following command do: C:> psexec \10.10.20.1 cmd
Launches an interactive command prompt
FTP uses which of the following ports?
20 and 21
Tactics are ______.
The employment and ordered arrangement of forces in relation to each other.
Which vi command will delete one line?
dd
Which of the following is NOT a primary purpose of a Tactics Improvement Proposal?
To request modification or acquisition of hardware or software
Which of the following items must be covered in a change over brief?
Factors of the current operational/tactical situation, Critical reports and findings from ending sortie, Active and planned mission partner activity
(U//FOUO) Which Cyber Protection Team (CPT) squad assesses an organization’s security posture
by closely resembling adversary offensive cyberspace activities in their processes and execution?
Cyber Threat Emulation
What are the two major DIP assembly components?
Server (DIP1) and Sensor (DIP2)
Two types of IDS are:
Network-based (NIDS) and host-based (HIDS)
What is the iptable option to clear all firewall rules?
-F
What is not a default chain for iptables?
ACCEPT
Which of the following octal codes allow a file to execute as the owner of that file?
4777
Which iptables target denies a packet and does not send back a rejection?
DROP
What is the technique whereby the sender of a packet can specify the route that a packet should take
through the network?
Source routing
Which of the following is NOT contained on the PEX sortie details report
Go/No Go Status
According to the communication contract shown, once maintenance implements a fix, who is
responsible of assigning an operator to conduct an operational check to determine the weapon system
Status?
cyberspace operations controller
How is the encrypted partition mounted?
Double click the “Mount X Drive” desktop icon and enter the password
The accuracy of IPs and MAC addresses are of critical safety concern because _________ .
They are used as targeting information
Which of the following is the Linux command for logging into 10.10.20.100 as assessor?
ssh assessor@10.10.20.100
Which of the following are key elements in a tactical level mission tasking document?
CVA/Hunter IP Ranges, Rules of Engagement (RoE), Cyberspace Key Terrain (C-KT), Tactical Objectives, All of the Above
Which vi command will allow you to save and quit?
:wq
You want to create a new share using the smb_share.pl script. You attempt to execute the command
but is tells you the “command is not found”. What might be the cause?
You did not mount the encrypted partition
Using Wireshark to follow a TCP Stream means:
You can view data from a TCP conversation
Exploitation of a valid computer session where an attacker takes over a session between two
computers is known as what?
Session Hijacking
(U//FOUO) According to the AFSPC Cyberspace Operations Security Classification Guide (SCG), a
report on vulnerabilities associated with a specific NIPR AF information system has what
Classification?
CONFIDENTIAL
Which bit allows the execution of an application as the owner of that file?
SUID
Which of the following is the proper way to ensure you are green on your CIF Go/No Go?
complete and sign off the CIF in PEX before the sortie
Which of the following Nmap commands would perform a ping sweep of 10.10.20.0/24 subnet,
without resolving IP addresses to hostnames?
nmap -n -sn 10.10.20.0/24
In Linux, which of the following represent the current directory you are in?
A single dot (.)
Which of the following is NOT a purpose of a sortie debrief?
Determine whom to attribute mission failures
You just performed a FIN scan with nmap against a target. The machine sends back no response for
a particular port. This means that the port is _____.
Open
Which command can be used to perform a soft shutdown of a Linux machine?
init 0
Which directory normally holds log files?
/var/log
For Ubuntu Linux, what command is used to turn off the firewall?
fw_iptables.pl allow -i eth0
You are logged into the Linux side of the clone, which command gives you a root shell?
sudo -s
What type of information in a tactical level mission tasking document describes the agreement with
the mission partner on what cybercrew actions are approved during CVA/Hunter missions?
Rules of Engagement (RoE)
Which Linux command is used to connect to a share?
mount
Which vi command will delete one character?
x
With a umask of 002, which of the following permissions will be assigned when creating a new
Directory?
rwxrwxr-x
Writing hidden messages in such a way that no-one, apart from the sender and intended recipient,
suspects the existense of the message, a form of security through obscurity is known as what?
Steganography
Procedures are __________.
Standard, detailed steps that prescribe how to perform specific tasks.
Which interceptor platform consists of Thin Clients, a BladeCenter, is use by multiple crew members
and contains multiple NICs plus Lights-out Management?
Garrison Interceptor Platform (GIP)
Which of the following are NOT part of proper safety procedures?
Replace components inside the equipment to prevent mission failure.
Which of the following is NOT a purpose of a CVA/Hunter cybercrew checklist / crew aid?
Replaces the amplified TO-1
Which of the following octal codes allow a file to execute as the group of that file?
2777
The environment variable that contains a list of directories the shell will look for commands is called:
PATH
Which of the following steps come before accessing the Virtual Machines on the MIP2?
Mounting the encrypted drive
On a Cisco IOS device, which of the following symbols corresponds to Privileged EXEC (enable)
Mode?
#
How many usable IP addresses are there in a C class network?
254
Which key do you use in vi to return to command mode?
Esc
Which is the octal value for the owner can write; the group can read and execute; others can read?
254
Which of the following is NOT a valid PowerShell command for viewing help information?
read-help
Which command in Linux, displays the default gateway?
route
Which of the following is the Linux command for securely logging into 10.10.20.100 as assessor?
ssh 10.10.20.100
In Linux, a hidden file starts with a _____.
period
A path that begins from the user’s current location is called:
Relative Path
According to the communication contract shown what does the operations controller do when a crew
member notifies them via the chat program that they have a maintenance issue?
The operations controller communicates to both maintenance and the crew commander by issuing a
maintenance ticket.
Admin$ serves as ____________.
the hidden share that points to the windows folder
Which of the following does not describe the clone?
A computer you can install any software you need without authorization to complete your mission
(U//FOUO) According to the AFSPC Cyberspace Operations Security Classification Guide (SCG),
information pertaining to cyberspace operations functions and processes with reference to mission,
capability or location has what classification?
UNCLASSIFIED//FOR OFFICIAL USE ONLY
Which Windows command is used to connect to a share?
net use
Which port should be allowed through the firewall in order to enable file sharing?
445
(U//FOUO) Which Cyber Protection Team (CPT) squad performs targeted evaluations to review the
effectiveness of the current cyber security program and provides reviews of cyber assets based on
DOD policies and regulations?
Cyber Readiness
A type of attack where a multitude of compromised systems attack a single target, thereby causing
denial of service for users of the targeted system is known as what?
Distributed Denial Of Service
When validating DIP sensor processes what running processes must be verified? I. Bro II. Snort III. tcpdump IV. nessus
I, II and III
(U//FOUO) According to the AFSPC Cyberspace Operations Security Classification Guide (SCG),
descriptions of cyberspace operations, functions, processes, systems and tools associated with
standard commercial capabilities without reference to mission, capability or location have what
Classification?
UNCLASSIFIED
(U//FOUO) Which document outlines the residual mission risks and illustrates how CPT capabilities
will be integrated into and coordinated with the local cyberspace defenders to enhance the cyberspace
defense of a supported commander’s mission?
Mission Defense Plan (MDP)
In Windows, which command can be used to change the hostname?
wmic
Which of the following documents contains weapon system capabilities and limitations as well as
threat considerations?
CVA/Hunter Air Force Tactics, Techniques and Procedures 3-1
In Red Hat Linux, what command will turn the firewall on and not allow incoming connections?
firewall
The Xmas scan with nmap means:
The FIN, PSH, URG flags are set
You press CONTROL+ALT+_____ to log into a locked Windows virtual machine.
INSERT
Which command sets a file to be executable?
chmod +x file
Which is the octal value such that the owner can read and execute;,the group can write and execute
and others can execute?
531
You have just used the smb_share.pl script to create a shared directory for the team. Where is that
directory created on your system?
In the working directory
A file has an octal value of 644 this means:
The owner can read and write; the group can read; others can read
What is a “NTFS Alternate Data Stream”?
A separate buffer to hold information on a per file bases found on a Windows machine
In classful network design, in which class network is 191.50.0.0 defined?
Class B
If you are unable to successfully connect to a share using a Linux machine, which file could you
check to verify the share configurations?
/etc/samba/smb.conf
Which of the following describes authorities for foreign intelligence operations?
Title 50
Which of the following is the default port for DNS?
53
(U//FOUO) According to the AFSPC Cyberspace Operations Security Classification Guide (SCG),
association of an IP address which poses a threat to national security to a foreign nation is at what
Classification?
SECRET
During a debrief, determining the debrief focal point (DFP) is ___________.
a process of determining aspects of mission planning and execution impeding achievement of tactical
Objectives.
In Linux, which file contains the system’s network parameters such as IP address, subnet mask and
default gateway?
/etc/network/interfaces
Which of the following documents describes general CVA/Hunter equipment maintenance
Procedures?
CVA/Hunter Technical Order (TO-2)
Which netstat option displays all connections and listening ports?
-a
Which of the following are default NETBIOS ports?
137, 139, and 445
Which of the following is NOT a required element of a mission/sortie brief?
Crew Information Files (CIF)
The Nmap option “-O” performs what function?
OS detection
____ is an open-source and/or licensed signature driven IDS that requires specific syntax to be
followed in order for the signature to be deployed to the sensor successfully.
Snort
Which of the following is NOT a reason to review weapon system status during a sortie brief?
The operator will be primarily responsible for fixing major weapon system issues.
How is mounting to a local drive within a virtual machine accomplished using Vmware?
In the VMware GUI click ‘VM Setting’ then ‘Shared Folders’ and add the drive’s file path
A type of password cracking where each possible combination of letters, numbers, and etc. are used
to find the passsword.
Brute Force
On a Cisco IOS device, which of the following symbols corresponds to User EXEC mode?
>
Which of the following is the default port for POP3?
110
What are the responsibilities of an oncoming crew member during a crew change over brief?
Ensure change over checklists are accomplished, Ask questions as applicable to ensure mission effectiveness, Remain attentive to crew commander change over briefing, All of the above
You are traveling with your clone. While boarding the plane, a flight attendant states that the laptop
must be stowed below. What should you do?
Remove the hard drive from the computer prior to handing over the laptop
In Linux, you can search for a file with which two commands?
find and locate
What is a SYN Flood?
Using up all processes on a particular system, starting a handshake but not finishing
Software for privilege users is located in which directory?
sbin
What type of virtual machine network adapter configuration creates a private network that is
completely contained within the host computer?
Host-Only
Select the correct order of steps in a debrief. (I) Determine the Root Cause (RC) of the Debrief Focal Point (DFP); (II) Develop the Lesson Learned (LL) with and Instructional Fix (IF) to address the Root Cause (RC); (III) Determine Contributing Factors (CF) related to the Debrief Focal Point (DFP); (IV) Reconstruct an event and identify the Debrief Focal; Point (DFP)
IV, III, I, II
Which of the following is NOT a key element in a tactical level mission tasking document?
Tactics, Techniques and Procedures (TTPs)
Tactics, Techniques and Procedures (TTPs) are _______ in nature.
authoritative
What net command do you use to start the server service?
net start server
TCP stands for
Transmission Control Protocol
Which of the following best describes the order of precedence for iptables’ rules in Linux?
Individual reject, accept, block all
Flooding a switch with numerous requests causing the switch to lose track of which MAC address is
on which port, thus causing it to reset into learning mode is known as what?
MAC Flooding
Why is it important to keep operator notes and crew logs?
It provides a record of activity that can be reviewed to deconflict issues involving the crew and the mission
Partner
Which is connection-oriented protocol?
TCP
What Linux command prints the current network configuration to the screen?
ifconfig
A type of computer security vulnerability typically found in web applications which allow code
injection by malicious web users into the pages viewed by others is known as:
cross-site scripting
Which of the following is NOT an element of a mission/sortie brief?
Squadron Announcements
What is a netmask?
A 32-bit number used to divide an IP address into subnets
During a debrief, determining an instructional fix is ___________ .
a process of determining how to prevent a debrief focal point from happening again.
The purpose of ___ is to serve as a network based IDS used to monitor MPNETs in a passive (nonblock)
Mode.
Bro
Which properties of the Windows VM network device must be on in order to allow the creation of a
mission share?
“Client for Microsoft Networks” and “File and Printer Sharing for Microsoft Networks”
In classful network design, which class is 126.0.0.0 network defined in?
Class A
Which vi command will quit?
:q
In Linux, what is the difference between permanent and temporary IP address configuration?
A permanent IP configuration ensures the host will reboot with the same IP whereas temporary does not
Configuration files are normally located in which directory?
etc
Which of the following is NOT part of the procedures to sign a crew information file (CIF)?
Email Stan Eval that CIF has been signed off
Which of the following is the default port for SNMP?
161
(U//FOUO) According to the AFSPC Cyberspace Operations Security Classification Guide (SCG),
information and mission impact pertaining to the availability of services or network outages for AF
information systems has what classification?
SECRET
Which of the following IS a tasking document used for CVA/Hunter missions?
Cyber Tasking Order (CTO)
During a debrief, event reconstruction is ____________
a process of looking back at the mission and determining the facts/observations
What is a Teardrop DoS attack?
Sending mangled IP fragments with overlapping, oversized, payloads to the target machine
In Windows, what command will enable the firewall and allow exceptions?
> netsh firewall set opmode enable enable
In BASH script, which is an acceptable first line to the file?
!/bin/bash
What is the Windows SAM?
A database stored as a registry file containing users passwords in a hashed format
Which of the following is a tool that analyzes ICMP probe responses to perform OS fingerprinting?
xprobe2
A covert channel is ______________.
the transfer of information hidden within the medium of a legitimate communications channel.
Who is responsible for the configuration management of the MIP2 clone image?
A member of the maintenance flight
Which of the following describes authorities for national guard?
Title 32
You have mounted the encrypted partition in Linux, where is the ‘working directory’ located?
/ios/data/assess
Which of the following commands will securely copy a file from your machine to a remote machine?
scp file user@remoteIP:/tmp
The ___ is a collection of servers and devices that provide sustainment, maintenance, and support
for CVA/Hunter remote operation.
GIP
How does a hub function?
Any message that comes in one port is sent to all ports
(U//FOUO) Which Cyber Protection Team (CPT) squad conducts terrain mapping and works closely
with the organic network operators and defenders to plan, train, and deploy mitigations?
Cyber Support
Linux is ____ .
case sensitive
Which directory contains virtual files with kernel information?
proc
What is Nessus?
A vulnerability scanner
UDP Stands for ________.
User Datagram Protocol
A malfunction is characterized by _____________.
Any weapon system component degradation limited to an individual’s VM or host.
Which of the following provides authority for active duty warfighting?
Title 10
A TCP Null scan with nmap means:
No flags are set
Which of the following is not a Layer 3 protocol used by Cisco IOS devices?
STP
Which of the following is a rule for CVA/Hunter emergency procedures?
Maintain Control
A special text string for describing a search pattern is known as what?
Regular Expression
What protocol is not vulnerable to sniffing?
ssh
In Ubuntu Linux, what command is used to enable the firewall?
fw_iptables.pl enable -i eth0
Broadcasting fake ARP messages with the aim is to associate the attacker’s MAC address with the IP
address of another node is known as what?
ARP Spoofing
An intrusion detection system that is behaving actively, meaning it can block traffic in real-time, is
commonly referred to as:
Intrusion prevention system
