Day 3 115-151 Flashcards

1
Q

3.115 You want to use Metasploit to exploit a server and then pivot to a LAN. How would you pivot using Metasploit?

A. Issue the pivot exploit and set the meterpreter.
B. Reconfigure the network settings in the meterpreter.
C. Set the payload to propagate through the meterpreter.
D. Create a route statement in the meterpreter.

A

D. Create a route statement in the meterpreter.

2
Q

3.116 Which is the best way to find vulnerabilities on a Windows-based computer?

A. Check MITRE.org for the latest list of CVE findings
B. Use the built-in Windows Update tool
C. Create a disk image of a clean Windows installation
D. Use a scan tool like Nessus

A

D. Use a scan tool like Nessus

3
Q

3.117 What is one thing a tester can do to ensure that the software is trusted and is not changing or tampering with critical data on the back end of a system it is loaded on?

A. System security and architecture review
B. Secure coding principles
C. Proper testing
D. Analysis of interrupts within the software

A

C. Proper testing

4
Q

3.118 Which method can provide a better return on IT security investment and provide a thorough and comprehensive assessment of organizational security covering policy, procedure design, and implementation?

A. Vulnerability scanning
B. Access control list reviews
C. Penetration testing
D. Social engineering

A

C. Penetration testing

5
Q

3.119 A computer technician is using a new version of a word-processing software package when it is discovered that a special sequence of characters causes the entire computer to crash. The technician researches the bug and discovers that no one else experienced the problem. What is the appropriate next step?

A. Notify the vendor of the bug and do not disclose it until the vendor gets a chance to issue a fix
B. Find an underground bulletin board and attempt to sell the bug to the highest bidder
C. Create a document that will crash the computer when opened and send it to friends
D. Ignore the problem completely and let someone else deal with it

A

A. Notify the vendor of the bug and do not disclose it until the vendor gets a chance to issue a fix

6
Q

3.120 Which cipher encrypts the plaintext digit (bit or byte) one by one?

A. Classical cipher
B. Block cipher
C. Modern cipher
D. Stream cipher

A

D. Stream cipher

Stream ciphers encrypt data one bit or byte at a time as the data is being sent. A block cipher grabs one large block of data, encrypts it, sends it, then grabs the next block and so on.

7
Q

3.121 Firewalk (firewall probing) has just completed its second phase (the scanning phase) and a technician receives the output shown below. What conclusion can be drawn from the scan results?
TCP port 21 – no response
TCP port 22 – no response
TCP port 23 – time to live exceeded

A. The lack of response from port 21 and 22 indicate that those services are not running on the destination server
B. The firewall itself is blocking ports 21 through 23 and a service is listening on port 23 of the target host
C. The scan port on 23 was able to make a connection to the destination host prompting the firewall to respond with a TTL error
D. The scan on port 23 passed through the filtering device. This indicates that port 23 was not blocked at the firewall

A

D. The scan on port 23 passed through the filtering device. This indicates that port 23 was not blocked at the firewall

8
Q

3.122 WPA2 uses AES for wireless data encryption at which of the following encryption levels?

A. 128 bit and TKIP
B. 64 bit and CCMP
C. 128 bit and CRC
D. 128 bit and CCMP

A

D. 128 bit and CCMP

9
Q

3.123 How can you exploit MS SQL 2000 that is running under a Local System account with the default credentials?

A. Using the Metasploit psexec module setting the SA / Admin credential
B. Invoking the stored procedure xp_shell to spawn a Windows command shell
C. Invoking the stored procedure cmd_shell to spawn a Windows command shell
D. Invoking the stored procedure xp_cmdshell to spawn a Windows command shell

A

D. Invoking the stored procedure xp_cmdshell to spawn a Windows command shell

10
Q

3.124 Which type of scan measures a person’s external features through a digital video camera?

A. Facial recognition scan
B. Signature kinetics scan
C. Iris scan
D. Retinal scan

A

A. Facial recognition scan

11
Q

3.125 You are concerned that the existing security controls have not been designed properly. Currently, the administrator is responsible for approving and issuing proximity card access to the server room, as well as reviewing the electronic access logs on a weekly basis.

Which of the following is an issue with the situation?

A. Undue influence
B. Lack of experience
C. Segregation of duties
D. Inadequate disaster recovery plan

A

C. Segregation of duties

12
Q

3.126 An NMAP scan of a server shows port 69 is open. What risk could this pose?

A. Cleartext login
B. Weak SSL version
C. Web portal data leak
D. Unauthenticated access

A

D. Unauthenticated access

Port 69 is TFTP (Trivial File Transfer Protocol, the UDP-based relative of FTP). TFTP provides no authentication or access control, so anyone who can reach the port can upload and download files.

13
Q

3.127 Which security control role does encryption meet?

A. Preventative
B. Defensive
C. Detective
D. Offensive

A

A. Preventative

14
Q

3.128 You run daily Nessus scans on your internal network as part of your vulnerability management program. In your DMZ you have web, mail, and DNS servers, but you think that your firewall may be blocking Nessus from scanning the servers in the DMZ. Which of these solutions would give Nessus the same “visibility” of the DMZ as that of the outside world?

A. Run Nessus from a server that resides in the DMZ so that no firewalls, IPS, or other security products interfere with the scan.
B. Have the firewall rules modified so that the Nessus server on the internal network is able to scan the hosts in the DMZ.
C. Run Nessus from a location on the internet which is separate from the company’s network so that no firewalls, IPS, or other security products interfere with the scan.
D. Leave the Nessus server in the internal network but add a second network card so that it can be connected to a switch in the DMZ. This will allow the Nessus server to have access to the internal and DMZ networks.

A

B. Have the firewall rules modified so that the Nessus server on the internal network is able to scan the hosts in the DMZ.

15
Q

3.129 Hacker Joe gains access to your DNS server and redirects queries for www.amazon.com to his own IP address. Now when your employees try to visit Amazon’s website they are redirected to Hacker Joe’s machine. What is the name for this attack?

A. ARP poisoning
B. Smurf attack
C. MAC flooding
D. DNS spoofing

A

D. DNS spoofing

16
Q

3.130 If you were doing a pen-test for BigCorp and wanted to enumerate the network, you’d first attempt a zone transfer. If you were on a Windows machine, you’d use the nslookup command. Assuming the DNS server is at 10.10.10.10 and the domain name is bigcorp.local, what command would you type in the nslookup shell to achieve the zone transfer?

A. lserver 10.10.10.10 -t all
B. ls -d bigcorp.local
C. list server=10.10.10.10 type=all
D. list domain=bigcorp.local type=zone

A

B. ls -d bigcorp.local

In nslookup, the -d switch "dumps" all the records for the requested zone (domain).

17
Q

3.131 Hacker Joe got a meterpreter session on one of your company computers. Checking his current SID he sees that it is S-1-5-21-2501610842-734108683-3373192635-501. What needs to happen before he has full admin access?

A. He needs to gain physical access.
B. He already has admin privileges, as shown by the “501” at the end of the SID.
C. He needs to disable antivirus protection.
D. He must perform privilege escalation.

A

D. He must perform privilege escalation.

A SID ending in 501 is the built-in Guest account; the built-in Administrator account's SID ends in 500. To list the user accounts and their SIDs on your Windows machine, from a command prompt type "wmic useraccount get name,sid".

18
Q

3.132 Before a penetration tester can start any hacking activities, it’s most important for her to do which of these?

A. Creating action plan
B. Finding new exploits which can be used during the pentest
C. Preparing a list of targeted systems
D. Ensuring that her activity will be authorized and she will have proper agreement with owners of the targeted system

A

D. Ensuring that her activity will be authorized and she will have proper agreement with owners of the targeted system

19
Q

3.137 Google hacking involves creating a search string with specific operators to search for vulnerable systems. For example: allintitle:root passwd. During which phase of a penetration test would you employ this technique?

A. Scanning and enumeration
B. Reconnaissance
C. Gaining access
D. Maintaining access

A

B. Reconnaissance

20
Q

3.134 During which hacking process do you surf the internet looking for information about your target company?

A. Scanning
B. Enumerating
C. Footprinting
D. System Hacking

A

C. Footprinting

21
Q

3.135 In order to make convincing phishing e-mails, it helps to know about the company you are going to impersonate. The time you spend on researching this information is called what?

A. Exploration
B. Reconnaissance
C. Investigation
D. Enumeration

A

B. Reconnaissance

22
Q

3.136 Which type of scan is least likely to trigger a network IDS?

A. TCP ACK scan
B. TCP connect scan
C. TCP SYN scan
D. TCP FIN scan

A

B. TCP connect scan

This one is tricky. The whole point of a SYN scan, otherwise known as a stealth scan or half-open scan, is that it is "stealthier" in that it does not leave a trace of the connection in the target's log files. However, modern next-generation firewalls and IDPS devices are very familiar with this type of scan and will generate an alert. A TCP connect scan, on the other hand, mimics normal network traffic and is less likely to be flagged. It does leave evidence in the target's log files, but at least it is not flagged as suspicious by the IDS.

23
Q

3.137 While pen-testing an HTTPS web application, you configure your browser to use BurpSuite as your proxy. Unfortunately, you immediately get certificate errors when trying to visit the website. Which of these should you do to remove this certificate error for all websites, and also what would be the security risk by doing this?

A. Configure your browser to ignore all SSL/TLS certificate warnings. This would make your HTTPS sessions vulnerable to ARP spoofing on the local LAN.
B. Start sslstrip and redirect port 443 to its listening port. This ensures that plaintext sessions are not upgraded to SSL/TLS.
C. Force your browser to connect over port 80. Data would be transmitted in cleartext, removing the need for certificates.
D. Add the BurpSuite certificate as a trusted root CA for your browser/OS. This would expose you to man-in-the-middle attacks from anyone possessing the same certificate.

A

D. Add the BurpSuite certificate as a trusted root CA for your browser/OS. This would expose you to man-in-the-middle attacks from anyone possessing the same certificate.

To learn more: https://portswigger.net/burp/help/proxy_options_installingcacert

24
Q

3.138 What is an AAAA DNS record for?

A. Address prefix record
B. IPv6 address resolution record
C. Address database record
D. Authorization, Authentication, and Auditing record

A

B. IPv6 address resolution record

25
Q

3.139 Which type of hacker has no training and only uses basic techniques or tools they found on the internet?

A. White-Hat Hackers
B. Gray-Hat Hackers
C. Black-Hat Hackers
D. Script Kiddies

A

D. Script Kiddies

26
Q

3.140 Which scanning technique will use a spoofed IP address and a SYN flag to generate port responses?

A. FIN
B. SYN
C. IDLE (side-channel)
D. XMAS

A

C. IDLE (side-channel)

27
Q

3.141 Which Metasploit tools can help you to evade anti-virus systems?

A. msfd
B. msfpayload
C. msfencode
D. msfcli

A

C. msfencode

28
Q

3.142 Which tool would you be most likely to use to scan a website and look for common misconfigurations and outdated software versions?

A. Nmap
B. Metasploit
C. Nikto
D. Armitage

A

C. Nikto

29
Q

3.143 You have been sent a suspicious e-mail message and want to see who sent it. After looking at the header you see that it was received from an unknown sender at the IP address 145.146.50.60. What web site will allow you to find out more information about an IP address, including who owns that IP?

A. http://www.tucowsdomains.com/whois
B. https://whois.arin.net
C. https://www.networksolutions.com/whois
D. https://www.godaddy.com/whois

A

B. https://whois.arin.net

ARIN is the American Registry for Internet Numbers and can tell you who owns a particular IP address. The other three are domain registrars and can tell you who owns a domain name.

30
Q

3.144 While performing an Xmas scan, which of these would indicate that the target’s port is closed?

A. SYN
B. ACK
C. RST
D. No return response

A

C. RST

31
Q

3.145 You need to scan all the hosts on a /16 network to see who has TCP port 80 open. Assuming you don’t need to be stealthy, which of these would be the fastest way to do this?

A. nmap -s 80 -sU -T5 192.168.0.0/16
B. nmap -sn -sF 192.168.0.0/16 80
C. nmap -p 80 -n -T4 --open 192.168.0.0/16
D. nmap -p 80 --max -Pn 192.168.0.0/16

A

C. nmap -p 80 -n -T4 --open 192.168.0.0/16

The --open switch tells nmap to only show open (or possibly open) ports. This hides the closed and filtered ports, which speeds things up slightly.

32
Q

3.146 Which of these would be the best choice to surf the internet anonymously?

A. Use shared WiFi
B. Use public VPN
C. Use SSL sites when entering personal information
D. Use Tor network with multi-node

A

D. Use Tor network with multi-node

33
Q

3.147 What does this command do?

hping3 -c 65535 -i u1 -S -p 80 --rand-source www.bigcorp.com

A. Ping Of Death
B. Idle scan of TCP port 80
C. Port scan of all UDP ports
D. SYN flood

A

D. SYN flood

34
Q

3.148 Which of these is NOT true about vulnerability scanners?

A. Provides information on how to mitigate discovered vulnerabilities
B. Provides information on targets for penetration testing
C. Provides the environment to be able to safely penetrate vulnerable systems
D. Checks compliance with host application usage and security policies

A

C. Provides the environment to be able to safely penetrate vulnerable systems

35
Q

3.149 Nmap reports that one of your hosts at 10.10.10.20 has an IP ID sequence of “incremental”. Because of this finding, you run this command:
nmap -Pn -p -sI 10.10.10.20 10.10.10.50

What does the “-sI” (that’s a capital “i” ) switch do with Nmap?

A. Conducts an ICMP scan
B. Conducts an IDLE scan
C. Conducts a stealth scan
D. Conducts a silent scan

A

B. Conducts an IDLE scan

36
Q

3.150 What does the Nmap -oX flag do?

A. Performs an eXpress scan
B. Outputs the results in XML format to a file
C. Outputs the results in truncated format to the screen
D. Performs an Xmas scan

A

B. Outputs the results in XML format to a file