Day 2 115-151 Flashcards

1
Q

2.115 A large company intends to use Blackberry for corporate mobile phones and a security analyst is assigned to evaluate the possible threats. The analyst will use the Blackjacking attack method to demonstrate how an attacker could circumvent perimeter defenses and gain access to the corporate network. What tool should the analyst use to perform a Blackjacking attack?

A. Paros Proxy

B. BBProxy

C. BBCrack

D. Blooover

A

B. BBProxy

2
Q

2.116 What command would you use to show the currently established TCP/IP connections?

A. Netstat

B. Net use connection

C. Net use

D. Netsh

A

A. Netstat

3
Q

2.117 Which of these security features found on switches works with the DHCP snooping database to prevent man-in-the-middle (MiTM) attacks?

A. Port security

B. Layer 2 Attack Prevention Protocol (LAPP)

C. Spanning Tree

D. Dynamic ARP Inspection (DAI)

A

D. Dynamic ARP Inspection (DAI)

4
Q

2.118 Normally SMTP is not encrypted when it sends mail between servers; however, you can upgrade the connection to use a TLS certificate to keep the e-mail secure and encrypted. What is the command to make SMTP transmit e-mail over TLS?

A. FORCETLS

B. STARTTLS

C. UPGRADETLS

D. OPPORTUNISTICTLS

A

B. STARTTLS

5
Q

2.119 How is the public key distributed in an orderly, controlled fashion so that users can be sure of the sender’s identity?

A. Digital certificate

B. Hash value

C. Private key

D. Digital signature

A

A. Digital certificate

This one is very tricky! A digital signature certainly proves the sender’s identity, but this question is specifically asking how the public key is distributed, and digital signatures don’t distribute keys. A digital certificate, on the other hand, is your public key signed (verified) by a trusted third party. You can now distribute your public key to others, and they can verify it’s legitimate by checking the third party’s signature.

See why it’s tricky? Focusing on “how is the public key distributed...” gives us the answer (A), even though the process may involve another answer (D).

6
Q

2.120 With SSL/TLS we use both symmetric and asymmetric cryptography. What is an advantage of this?

A. Asymmetric cryptography is computationally expensive in comparison. However, it’s well suited to securely negotiate keys for use with symmetric cryptography.

B. Symmetric encryption allows the server to securely transmit the session keys out-of-band.

C. Symmetric algorithms such as AES provide a failsafe when asymmetric methods fail.

D. Supporting both types of algorithms allows less-powerful devices such as mobile phones to use symmetric encryption instead.

A

A. Asymmetric cryptography is computationally expensive in comparison. However, it’s well suited to securely negotiate keys for use with symmetric cryptography.

7
Q

2.121 Which of these is the plaintext attack on DES that shows that encrypting the plaintext with one DES key, and then encrypting it again with a second DES key, is no more secure than using a single key?

A. Replay attack

B. Meet-in-the-middle attack

C. Man-in-the-middle attack

D. Traffic analysis attack

A

B. Meet-in-the-middle attack

When DES started getting old and less secure, people moved to 2DES (double DES), where traffic was simply encrypted with DES twice, using two different keys. Unfortunately, the meet-in-the-middle attack was able to derive one of the keys, which essentially reduced it back to single DES again. This is why 3DES is used these days, as it avoids this problem.

8
Q

2.122 Which of these tools will show you (in real time) which ports are in a listening state or some other state?

A. Nmap

B. Loki

C. TCPView

D. Netstat

A

D. Netstat

This is a tricky one! Nmap can tell you the port states on remote computers, and Netstat can show you the port states on your own computer. Since the question doesn’t specify which, we need to look for another clue. The “in real time” phrase helps here. You can have Netstat continuously refresh the information so you can see your port states as they change from state to state, like established, listening, waiting, etc. Try running the command “netstat -an 3”. This says to show the port states, with all the information, and refresh every 3 seconds. Press Ctrl+C to cancel.

9
Q

2.123 Junior admin Bob is configuring a wireless router. He has disabled the SSID broadcast, set the authentication to “open”, and set the SSID to a 32-character string of random numbers and letters. Which is the best assessment of this scenario?

A. Disabling the SSID broadcast prevents 802.11 beacons from being transmitted from the access point, resulting in a valid setup leveraging “security through obscurity”.

B. The router is still vulnerable to wireless hacking attempts, because the SSID broadcast setting can be enabled using a specially crafted packet sent to the hardware address of the access point.

C. It is still possible for a hacker to connect to the network after sniffing the SSID from a successful wireless association.

D. Since the SSID is required in order to connect, the 32-character string is sufficient to prevent brute-force attacks.

A

C. It is still possible for a hacker to connect to the network after sniffing the SSID from a successful wireless association.

10
Q

2.124 Which firewall rule would ensure devices on the 192.168.5.0/24 network can only reach a website at 10.10.5.10 using https?

A. if (source matches 192.168.5.0/24 and destination matches 10.10.5.10 and port matches 443) then permit

B. if (source matches 192.168.5.0/24 and destination matches 10.10.5.10 and port matches 80 or 443) then permit

C. if (source matches 10.10.5.10 and destination matches 192.168.5.0/24 and port matches 443) then permit

D. if (source matches 192.168.5.0 and destination matches 10.10.5.10 and port matches 443) then permit

A

A. if (source matches 192.168.5.0/24 and destination matches 10.10.5.10 and port matches 443) then permit

11
Q

2.125 You’re preparing for a security assessment next week. Which of these should you do to determine inconsistencies in the secure assets database and to verify that the system is compliant with the minimum security baseline?

A. Data items and vulnerability scanning

B. Source code review

C. Reviewing the firewall’s configuration

D. Interviewing employees and network engineers

A

A. Data items and vulnerability scanning

12
Q

2.126 Which of these is a tool that performs a DoS attack against web applications by starving the web server of available sessions? It does this by using continuous POST transmissions and sending large Content-Length header values.

A. LOIC

B. MyDoom

C. R-U-Dead-Yet? (RUDY)

D. Stacheldraht

A

C. R-U-Dead-Yet? (RUDY)

MyDoom is a Windows worm that sends junk e-mail. LOIC (Low Orbit Ion Cannon) is a network stress-testing tool that sends many TCP, UDP, and GET requests as part of a botnet doing a DDoS attack. Stacheldraht is another botnet tool for doing DDoS attacks. R.U.D.Y. is a popular low-and-slow attack tool that is designed to crash a web server by submitting long form fields.

The attack is executed via a DoS tool which browses the target website and detects embedded web forms. Once the forms have been identified, R.U.D.Y. sends a legitimate HTTP POST request with an abnormally long ‘Content-Length’ header field. By sending numerous small packets at a very slow rate, R.U.D.Y. creates a massive backlog of application threads, while the long ‘Content-Length’ field prevents the server from closing the connection. Ultimately, the attack exhausts the targeted server’s connection table, causing the server to crash.

13
Q

2.127 Which layer-3 protocol would give you end-to-end encryption for FTP traffic?

A. FTPS

B. SFTP

C. SSL

D. IPSec

A

D. IPSec

First of all, there is only one layer-3 protocol listed here, which is IPSec. If it has “IP” in the name, it’s probably layer 3! Secondly, there are many ways to secure any type of traffic, including FTP. While IPSec is most commonly used to secure VPN traffic, it has many other uses. You can create an IPSec tunnel to securely transmit your FTP traffic.

14
Q

2.128 A cryptographic hash gives us which of these security services?

A. Message authentication and collision resistance

B. Integrity and computational infeasibility

C. Integrity and collision resistance

D. Integrity and ease of computation

A

B. Integrity and computational infeasibility

This is another very tricky question! First off, answer A is right out because, by itself, a hash doesn’t give us message authentication.

All of the rest of the answers could be correct! Integrity is certainly correct, but then we have to choose between computational infeasibility, collision resistance, and ease of computation. Well, we can rule that last one out, because ease of computation isn’t really a security service that we look to hashing to fulfill for us.

That leaves us deciding between collision resistance and computational infeasibility. The latter gives us more mileage, because it should be computationally infeasible both to (1) find a collision and (2) reverse-engineer the original message from the message digest. Because this answer covers more services, computational infeasibility slightly wins out here.

15
Q

2.129 Which of these is a way for a hacker outside a network to map a protected host behind a firewall, letting the hacker see which ports are open and whether packets can pass through the firewall’s packet filtering?

A. Network sniffing

B. Session hijacking

C. Firewalking

D. Man-in-the-middle

A

C. Firewalking

16
Q

2.130 What’s the difference between RSA and AES?

A. Both are symmetric algorithms, but AES uses 256-bit keys.

B. AES is asymmetric, which is used to create a public/private key pair; RSA is symmetric, which is used to encrypt data.

C. Both are asymmetric algorithms, but RSA uses 1024-bit keys.

D. RSA is asymmetric, which is used to create a public/private key pair; AES is symmetric, which is used to encrypt data.

A

D. RSA is asymmetric, which is used to create a public/private key pair; AES is symmetric, which is used to encrypt data.

17
Q

2.131 You analyze a suspicious connection from your e-mail server to an unknown IP address, and you determine that this is a security breach. What is the first thing you should do before contacting the incident response team?

A. Disconnect the e-mail server from the network.

B. Leave it be and contact the incident response team right away.

C. Block the connection to the suspicious IP address from the firewall.

D. Migrate the connection to the backup e-mail server.

A

C. Block the connection to the suspicious IP address from the firewall.

18
Q

2.132 You want to allow TCP port 80 inbound to your computer. How do you block or allow specific ports within Windows Firewall?

A. This is not possible without installing third-party software, since Windows only allows changing firewall settings for individual applications.

B. The firewall rule must be added from within the application that is using that port.

C. The only way to implement a specific rule like this is to use the “netsh” program on the command line.

D. A rule matching these requirements can be created in “Windows Firewall with Advanced Security”, located in Control Panel.

A

D. A rule matching these requirements can be created in “Windows Firewall with Advanced Security”, located in Control Panel.

19
Q

2.133 Your application developers have created a 3-tier web application for your customers out on the internet. In which network should you place the Presentation Tier (your front-end web server)?

A. Mesh network

B. Internal network

C. DMZ network

D. Isolated VLAN network

A

C. DMZ network

20
Q

2.134 Your company’s procedure for creating firewall rules is to have management approval before creating any new rules. You notice a recently created rule in your firewall, but you can’t find any management approval for the rule. What would be a good step to have in your procedures for situations like this?

A. Immediately roll back the firewall rule until a manager can approve it.

B. Don’t roll back the firewall rule as the business may be relying upon it, but try to get manager approval as soon as possible.

C. Monitor all traffic using the firewall rule until a manager can approve it.

D. Have the network team document the reason why the rule was implemented without prior manager approval.

A

C. Monitor all traffic using the firewall rule until a manager can approve it.

21
Q

2.135 What is the name and syntax of the Linux OpenSSL tool that will test TLS by connecting to a web server?

A. openssl s_client -site www.bigcorp.com:443

B. openssl_client -site www.bigcorp.com:443

C. openssl s_client -connect www.bigcorp.com:443

D. openssl_client -connect www.bigcorp.com:443

A

C. openssl s_client -connect www.bigcorp.com:443

22
Q

2.136 Which of these encryption algorithms is the fastest?

A. SHA-1

B. SHA-2

C. ECC

D. AES

A

D. AES

23
Q

2.137 You are reviewing a suspicious JavaScript file, but the code is very hard to understand and looks nothing like typical JavaScript. What is the name of the technique that hides the code and makes it take longer to analyze?

A. Encryption

B. Obfuscation

C. Steganography

D. Code encoding

A

B. Obfuscation

24
Q

2.138 You want to send Bob an e-mail and make sure it’s encrypted so that only he can read it. At what layer of the OSI model do encryption and decryption of e-mails take place?

A. Application

B. Presentation

C. Session

D. Transport

A

B. Presentation

File encryption and, in this case, e-mail encryption, takes place at layer-6 or the Presentation Layer.

25
Q

2.139 Which of these IPs would be within the last 100 usable IP addresses of the 192.168.5.0/23 subnet?

A. 192.168.5.156

B. 192.168.255.200

C. 192.168.5.254

D. 192.168.6.200

A

D. 192.168.6.200

Without getting deep into subnetting, remember that every time you add one more bit to the host side of a subnet mask, you double the number of usable addresses. For example, if this were 192.168.5.0/24, you would have 254 usable hosts in the range 192.168.5.1 - 192.168.5.254. Since this is a /23 (in binary, one less 1 on the network, or “left”, side, which means one more zero on the host, or “right”, side of the IP address), we double the number of usable hosts. Now the range would be 192.168.5.1 - 192.168.6.254. The last 100 usable IPs, then, would be 192.168.6.154 - 192.168.6.254.

26
Q

2.140 After gaining access to a list of logins and hashed passwords, which of these would be the fastest way to crack the passwords?

A. Collision

B. Rainbow tables

C. Decryption

D. Brute force

A

B. Rainbow tables

27
Q

2.141 Which of these risk assessment steps refers to identifying vulnerabilities?

A. Determine if any flaws exist in systems, policies, or procedures.

B. Identify sources of harm to an IT system (natural, human, environmental).

C. Assign values to risk probabilities and impact values.

D. Determine the risk probability that a vulnerability will be exploited (high, medium, low).

A

A. Determine if any flaws exist in systems, policies, or procedures.

28
Q

2.142 Which of these hashing functions are no longer recommended for use?

A. SHA-1, ECC

B. SHA-2, SHA-3

C. MD5, SHA-5

D. MD5, SHA-1

A

D. MD5, SHA-1

29
Q

2.143 Which of these cracks passwords by utilizing a pre-computed table of password hashes?

A. Dictionary attack

B. Brute force attack

C. Hybrid attack

D. Rainbow table attack

A

D. Rainbow table attack

30
Q

2.144 With IPv6, what’s the main difference between application layer vulnerabilities compared to IPv4?

A. Due to the extensive security measures built into IPv6, application layer vulnerabilities do not need to be addressed.

B. Implementing IPv4 security in a dual-stack network offers protection from IPv6 attacks too.

C. Vulnerabilities in the application layer are greatly different from IPv4.

D. Vulnerabilities in the application layer are independent of the network layer. Attacks and mitigation techniques are almost identical.

A

D. Vulnerabilities in the application layer are independent of the network layer. Attacks and mitigation techniques are almost identical.

31
Q

2.145 Which is the true statement regarding PKI?

A. The CA encrypts all messages.

B. The RA verifies an applicant to the system.

C. The CA is the recovery agent for lost certificates.

D. The RA issues all certificates.

A

B. The RA verifies an applicant to the system.

32
Q

2.146 What does line 6 of this traceroute mean?

PS C:\> tracert -d www.yahoo.com

Tracing route to atsv2-fp.wg1.b.yahoo.com [72.30.35.10]

over a maximum of 30 hops:

1 301 ms 614 ms 229 ms 10.19.10.1

2 89 ms 56 ms 308 ms 108.61.68.129

3 97 ms 78 ms 58 ms 108.61.244.129

4 * * * 108.61.2.78

5 88 ms 87 ms 64 ms 198.32.160.121

6 318 ms 74.6.227.137 90 ms 86.15.39.22 76 ms 74.6.227.137

7 246 ms 178 ms 198 ms 216.115.111.26

8 120 ms 319 ms 66 ms 98.139.128.75

9 313 ms 162 ms 77 ms 72.30.35.10

A. The traffic is encapsulated by a GRE tunnel between routers 4 and 7.

B. MPLS is used between routers 5 and 6.

C. The 74.6.227.137 address is a host which has redirected the traffic.

D. Router 198.32.160.121 has two equivalent paths towards the destination.

A

D. Router 198.32.160.121 has two equivalent paths towards the destination.

33
Q

2.147 What is the minimum number of network connections for a multihomed firewall?

A. 2

B. 3

C. 4

D. 5

A

A. 2

34
Q

2.148 Which type of malware requires a “host” application to replicate?

A. Micro

B. Worm

C. Trojan

D. Virus

A

D. Virus

35
Q

2.149 Which type of “something-you-are” authentication measures blood vessels in your eye?

A. Facial recognition scan

B. Retinal scan

C. Iris scan

D. Signature kinetics scan

A

B. Retinal scan

36
Q

2.150 Your company is undergoing renovations. An attacker dresses up like a construction worker and waits in the lobby for an employee to pass through the main access door. The attacker follows the employee through the door to gain access to the building. Which type of attack has been done here?

A. Man trap

B. Tailgating

C. Shoulder surfing

D. Social engineering

A

B. Tailgating

37
Q

2.151 What’s the benefit of using established testing methods to perform a penetration test?

A. They provide a repeatable framework.

B. Anyone can run the command line scripts.

C. They are available at low cost.

D. They are subject to government regulation.

A

A. They provide a repeatable framework.