Day 3 39-75 Flashcards

1
Q

3.39 During security testing, you are attempting to flood the MAC address (CAM) table of your switches using the Macof tool (the exam wording calls this table the switch's "ARP cache"). What would be the result if the table is successfully flooded?

A. The switches will fall back to hub-like behaviour, flooding frames out every port, if the table is successfully filled.

B. If the table is flooded, the switches will drop into PIX mode, making them less susceptible to attacks.

C. Depending on the switch manufacturer, the device will either delete every entry in its table or reroute packets to the nearest switch.

D. The switches will route all traffic to the broadcast address, creating collisions.

A

A. The switches will fall back to hub-like behaviour, flooding frames out every port, if the table is successfully filled.

2
Q

3.40 This TCP flag instructs the sending system to transmit all buffered data immediately.

A. SYN

B. RST

C. PSH

D. URG

E. FIN

A

C. PSH

3
Q

3.41 A SYN Flood is a DoS attack in which an attacker deliberately violates the three-way handshake and opens a large number of half-open TCP connections. The attack signature for a SYN Flood contains:

A. The source and destination address having the same value.

B. A large number of SYN packets appearing on a network without the corresponding final reply packets.

C. The source and destination port numbers having the same value.

D. A large number of SYN packets appearing on a network with the corresponding reply packets.

A

B. A large number of SYN packets appearing on a network without the corresponding final reply packets.
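The signature in answer B, turned into detection logic. This is an added example written for this deck, not part of the original flashcards; the packet records are constructed by hand (RFC 5737 documentation addresses) and the packet tuple format is an assumption, not any tool's output. A legitimate client sends SYN, gets SYN/ACK back and completes with a plain ACK; a flood leaves many SYNs whose completing ACK never arrives.

```python
from collections import defaultdict

# Constructed sample records: (src_ip, src_port, dst_ip, dst_port, flags).
# flags is the set of TCP flag letters on the packet ("S", "SA", "A", ...).
SAMPLE_PACKETS = [
    # one legitimate client completing the three-way handshake
    ("10.0.0.5", 40001, "192.0.2.10", 80, "S"),
    ("192.0.2.10", 80, "10.0.0.5", 40001, "SA"),
    ("10.0.0.5", 40001, "192.0.2.10", 80, "A"),
]
# fifty SYNs from (spoofed) sources that never complete the handshake;
# the server answers each with SYN/ACK and waits in SYN_RECEIVED
for i in range(1, 51):
    SAMPLE_PACKETS.append((f"203.0.113.{i}", 50000 + i, "192.0.2.10", 80, "S"))
    SAMPLE_PACKETS.append(("192.0.2.10", 80, f"203.0.113.{i}", 50000 + i, "SA"))


def half_open_connections(packets):
    """Return the (src_ip, src_port, dst_ip, dst_port) tuples that sent a
    SYN but never sent the completing (non-SYN) ACK from the same tuple."""
    syn_seen = set()
    ack_seen = set()
    for src, sport, dst, dport, flags in packets:
        key = (src, sport, dst, dport)
        if flags == "S":
            syn_seen.add(key)
        elif "A" in flags and "S" not in flags:   # plain ACK: final handshake step
            ack_seen.add(key)
    return syn_seen - ack_seen


def syn_flood_targets(packets, threshold=20):
    """Return {(dst_ip, dst_port): count} for listeners that have more than
    `threshold` half-open connections, i.e. SYNs with no final reply."""
    counts = defaultdict(int)
    for _, _, dst, dport in half_open_connections(packets):
        counts[(dst, dport)] += 1
    return {k: v for k, v in counts.items() if v > threshold}


if __name__ == "__main__":
    print(syn_flood_targets(SAMPLE_PACKETS))
```

In a real sensor the count is taken over a time window (half-open entries age out), and a half-open (SYN) port scan also shows up as SYNs without the final ACK, so the volume per destination is what separates a flood from a scan.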

4
Q

3.42 Which of the following scanning tools is specifically designed to find potential exploits in Microsoft Windows products?

A. Microsoft Security Baseline Analyzer

B. Retina

C. Core Impact

D. Microsoft Baseline Security Analyzer

A

D. Microsoft Baseline Security Analyzer

5
Q

3.43 LDAP uses which port number?

A. 110

B. 389

C. 464

D. 445

A

B. 389

6
Q

3.44 From an external IP address, you want to try and trick a switch into thinking it already has established a session with your computer. How can you accomplish this?

A. Send an IP packet with the RST/SYN bit and the source address of your computer.

B. Send an IP packet with the SYN bit and the source address of your computer.

C. Send an IP packet with the ACK bit set to zero and the source address of the switch.

D. Send an IP packet to the switch with the ACK bit and the source address of your machine.

A

D. Send an IP packet to the switch with the ACK bit and the source address of your machine.

7
Q

3.45 To see how some of the hosts on your network react, you send out SYN packets to an IP range. A number of IPs respond with a SYN/ACK response. Before the connection is established, you send RST packets to those hosts to stop the session. You have done this to see how your intrusion detection system will log the traffic. What type of scan is this?

A. You are attempting to find live hosts on your company’s network by using an XMAS scan.

B. You are utilizing a SYN scan to find live hosts that are listening on your network.

C. This type of scan you are using is called a NULL scan.

D. You are using a half-open scan to find live hosts on your network.

A

D. You are using a half-open scan to find live hosts on your network.

8
Q

3.46 Bob runs a Web server, IDS and firewall on his network. Recently his Web server has been under constant attack. He checks the IDS log files and sees no intrusion attempts, yet the Web server constantly locks up and needs rebooting because of brute force and buffer overflow attacks; still the IDS alerts on nothing. Bob becomes suspicious, views the firewall logs and notices a large volume of SSL connections constantly hitting his Web server. Attackers have been using the encrypted HTTPS protocol to send exploits to the Web server, which is why the IDS did not detect the intrusions. How should Bob protect his network from these types of attacks?

A. Install a proxy server and terminate SSL at the proxy

B. Enable the IDS to filter encrypted HTTPS traffic

C. Install a hardware SSL “accelerator” and terminate SSL at this layer

D. Enable the Firewall to filter encrypted HTTPS traffic

A

A. Install a proxy server and terminate SSL at the proxy

9
Q

3.47 Which port number is NTP?

A. TCP Port 124

B. UDP Port 125

C. UDP Port 123

D. TCP Port 126

A

C. UDP Port 123

10
Q

3.48 The SNMP Read-Only Community String is like a password. The string is sent along with each SNMP Get-Request and allows (or denies) access to a device. Most network vendors ship their equipment with a default password of “public”. This is the so-called “default public community string”. How would you keep intruders from getting sensitive information regarding the network devices using SNMP? (Select 2 answers)

A. Enable SNMPv3 which encrypts username/password authentication

B. Use your company name as the public community string replacing the default ‘public’

C. Enable IP filtering to limit access to SNMP device

D. The default configuration provided by device vendors is highly secure and you don’t need to change anything

A

A and C

A. Enable SNMPv3 which encrypts username/password authentication

C. Enable IP filtering to limit access to SNMP device

11
Q

3.49 During an Idle-Scan of a port on a target computer, an attacker receives an IPID of 24333 from a zombie. If the target’s port is closed, what will be the final response from the zombie?

A. The zombie computer will respond with an IPID of 24334.

B. The zombie computer will respond with an IPID of 24333.

C. The zombie computer will not send a response.

D. The zombie computer will respond with an IPID of 24335.

A

A. The zombie computer will respond with an IPID of 24334.

12
Q

3.50 You want to build a web form that will ask the user for his/her credit card information. You know that the GET method is insecure as it would append the card number to the URL, and that can be cached and logged by browsers and server log files. How would you protect the credit card information from this type of data leakage?

A. Never include sensitive information in a script

B. Use HTTPS SSLv3 to send the data instead of plain HTTPS

C. Replace the GET with POST method when sending data

D. Encrypt the data before you send using GET method

A

C. Replace the GET with POST method when sending data

13
Q

3.51 You are examining some traffic logs on a server and come across some inconsistencies. You find some IP packets from a computer purporting to be on the internal network. The packets originate from 192.168.12.35 with a TTL of 15. The server replied to this computer and received a response from 192.168.12.35 with a TTL of 21. What can you infer from this traffic log?

A. The initial traffic from 192.168.12.35 was being spoofed.

B. The traffic from 192.168.12.35 is from a Linux computer.

C. The TTL of 21 means that the client computer is on wireless.

D. The client computer at 192.168.12.35 is a zombie computer.

A

A. The initial traffic from 192.168.12.35 was being spoofed.
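The inference behind answer A, run as detection logic over log lines. This is an added example for this deck, not part of the original flashcards; the log lines are constructed and their key=value format is an assumption, not the format of any particular server. Two packets that both claim to come from 192.168.12.35 but arrive with TTLs of 15 and 21 cannot both have been sent by the same host over the same path, and a hop estimate from the usual initial TTLs (32, 64, 128, 255) shows neither looks like a directly attached internal machine.

```python
import re
from collections import defaultdict

# Constructed sample log (format assumed for this example).
SAMPLE_LOG = """\
2024-03-01T09:12:01 dir=in  src=192.168.12.35 dst=192.168.12.2 ttl=15 proto=tcp dport=445
2024-03-01T09:12:01 dir=out src=192.168.12.2  dst=192.168.12.35 ttl=128 proto=tcp sport=445
2024-03-01T09:12:02 dir=in  src=192.168.12.35 dst=192.168.12.2 ttl=21 proto=tcp dport=445
2024-03-01T09:12:05 dir=in  src=192.168.12.40 dst=192.168.12.2 ttl=128 proto=tcp dport=445
2024-03-01T09:12:06 dir=in  src=192.168.12.40 dst=192.168.12.2 ttl=128 proto=tcp dport=445
"""

LINE_RE = re.compile(
    r"dir=(?P<dir>in|out)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+ttl=(?P<ttl>\d+)"
)

COMMON_INITIAL_TTLS = (32, 64, 128, 255)


def estimate_hops(ttl):
    """Assume the sender started from the smallest common initial TTL that is
    >= the observed value and return the implied number of router hops."""
    initial = next(i for i in COMMON_INITIAL_TTLS if i >= ttl)
    return initial - ttl


def parse(log_text):
    """Yield (direction, src, dst, ttl) for every line that matches."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["dir"], m["src"], m["dst"], int(m["ttl"])


def ttl_anomalies(log_text):
    """Return {src: sorted TTL values} for inbound sources seen with more than
    one TTL: the packets cannot all come from one host at one distance, so
    at least one set of them is spoofed."""
    seen = defaultdict(set)
    for direction, src, _, ttl in parse(log_text):
        if direction == "in":
            seen[src].add(ttl)
    return {src: sorted(ttls) for src, ttls in seen.items() if len(ttls) > 1}


def hop_report(log_text):
    """Map each flagged source to the hop estimate for every TTL it showed."""
    return {src: {ttl: estimate_hops(ttl) for ttl in ttls}
            for src, ttls in ttl_anomalies(log_text).items()}


if __name__ == "__main__":
    print(hop_report(SAMPLE_LOG))
```

A changed route or a load-balanced path can also shift a host's TTL by a hop or two, so a single discrepancy is a lead to chase (compare MAC addresses, switch port, ARP entries), not proof on its own.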

14
Q

3.52 You are going to send a confidential e-mail to a client. You need to know if that client forwards the e-mail to anyone else, because that would violate the non-disclosure agreement. What can you use to accomplish this?

A. You can use a split-DNS service to ensure the email is not forwarded on.

B. A service such as HTTrack would accomplish this.

C. You could use MetaGoofil tracking tool.

D. You can use a service such as ReadNotify tracking tool.

A

D. You can use a service such as ReadNotify tracking tool.

15
Q

3.53 You ping a target IP to check if the host is up. You do not get a response. You suspect ICMP is blocked at the firewall. Next you use hping2 tool to ping the target host and you get a response. Why does the host respond to hping2 and not ping packet?

A. Ping packets cannot bypass firewalls

B. Hping2 uses TCP instead of ICMP by default

C. Hping2 uses stealth TCP packets to connect

D. You must use ping 10.2.3.4 switch

A

B. Hping2 uses TCP instead of ICMP by default

16
Q

3.54 An attacker is attempting to telnet into a corporation’s system in the DMZ. The attacker doesn’t want to get caught and is spoofing his IP address. After numerous tries he remains unsuccessful in connecting to the system. The attacker rechecks that the target system is actually listening on Port 23 and he verifies it with both nmap and hping2. He is still unable to connect to the target system. What could be the reason?

A. The firewall is blocking port 23 to that system

B. He needs to use an automated tool to telnet in

C. He cannot spoof his IP and successfully use TCP

D. He is attacking an operating system that does not reply to telnet even when open

A

C. He cannot spoof his IP and successfully use TCP

17
Q

3.55 During an Idle-Scan of a port on a target computer, an attacker receives an IPID of 31400 from a zombie. If the target’s port is open, what will be the final response from the zombie?

A. 31400

B. 31402

C. The zombie will not send a response

D. 31401

A

B. 31402
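The IPID arithmetic behind cards 3.49 (closed port: 24333 then 24334) and 3.55 (open port: 31400 then 31402), as an added simulation written for this deck; it is not part of the original flashcards and not nmap's implementation (nmap performs this scan with -sI). The zombie is modelled as an idle host whose IP ID increases by one with every packet it sends; the attacker never sees a packet from the target and infers the port state purely from the two IPIDs read off the zombie.

```python
class Zombie:
    """Idle host with a predictable, globally incrementing IP ID.
    `last_ipid` is the ID of the last packet it sent (constructed value)."""

    def __init__(self, last_ipid):
        self.ipid = last_ipid

    def send(self):
        """Emit one packet and return the IP ID it carried."""
        self.ipid += 1
        return self.ipid

    def receive(self, packet):
        """React like a host with no matching connection: an unsolicited
        SYN/ACK draws a RST (consumes one IPID); an unsolicited RST is
        silently dropped (no IPID consumed)."""
        if packet == "SYN/ACK":
            return self.send()
        return None


def target_reply(port_state):
    """What the target sends back to the spoofed source, i.e. to the zombie."""
    return {"open": "SYN/ACK", "closed": "RST", "filtered": None}[port_state]


def idle_scan(zombie, port_state):
    """One idle-scan probe: returns (first_ipid, final_ipid, verdict)."""
    # Step 1: attacker probes the zombie (SYN/ACK -> RST) and reads its IPID.
    first = zombie.send()
    # Step 2: attacker sends a SYN to the target with the zombie's address as
    # source; whatever the target replies lands on the zombie, not the attacker.
    reply = target_reply(port_state)
    if reply is not None:
        zombie.receive(reply)
    # Step 3: attacker probes the zombie again and compares IPIDs.
    final = zombie.send()
    delta = final - first
    if delta == 2:
        verdict = "open"              # zombie sent a RST in between
    elif delta == 1:
        verdict = "closed|filtered"   # zombie sent nothing in between
    else:
        verdict = "noisy zombie"      # other traffic consumed IPIDs
    return first, final, verdict


if __name__ == "__main__":
    print(idle_scan(Zombie(24332), "closed"))   # card 3.49
    print(idle_scan(Zombie(31399), "open"))     # card 3.55
```

Closed and filtered ports are indistinguishable here, and the whole technique depends on the zombie really being idle and using a global (not per-destination or randomised) IP ID counter; the "noisy zombie" branch is what you see in practice when either assumption fails.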

18
Q

3.56 Trojan horse attacks pose one of the most serious threats to computer security. There are many different ways a Trojan can get into a system. Which is the easiest and most convincing way to infect a computer?

A. IRC (Internet Relay Chat)

B. Legitimate “shrink-wrapped” software packaged by a disgruntled employee

C. NetBIOS (File Sharing)

D. Downloading files, games and screensavers from Internet sites

A

B. Legitimate “shrink-wrapped” software packaged by a disgruntled employee

19
Q

3.57 What type of scan is this?

Open port:

SYN->

<-SYN + ACK

RST->

Closed port:

SYN->

<-RST

A. Stealth Scan

B. Full Scan

C. XMAS Scan

D. FIN Scan

A

A. Stealth Scan

20
Q

3.58 SOAP services use which technology to format information?

A. SATA

B. PCI

C. XML

D. ISDN

A

C. XML

21
Q

3.59 What type of scan is this?

nmap -n -sS -P0 -p 80 ***.***.**.**

A. Quick scan

B. Intense scan

C. Stealth scan

D. Comprehensive scan

A

C. Stealth scan

22
Q

3.60 A company has made the decision to host their own email and basic web services. The administrator needs to set up the external firewall to limit what protocols should be allowed to get to the public part of the company’s network. Which ports should the administrator open? (Choose three.)

A. Port 22

B. Port 23

C. Port 25

D. Port 53

E. Port 80

F. Port 139

G. Port 445

A

C. Port 25

D. Port 53

E. Port 80

23
Q

3.61 Which of the following types of firewall inspects only header information in network traffic?

A. Packet filter

B. Stateful inspection

C. Circuit-level gateway

D. Application-level gateway

A

A. Packet filter

24
Q

3.62 Which NMAP feature can a tester implement or adjust while scanning for open ports to avoid detection by the network’s IDS?

A. Timing options to slow the speed that the port scan is conducted

B. Fingerprinting to identify which operating systems are running on the network

C. ICMP ping sweep to determine which hosts on the network are not available

D. Traceroute to control the path of the packets sent during the scan

A

A. Timing options to slow the speed that the port scan is conducted

25
Q

3.63 A network security administrator is worried about potential man-in-the-middle attacks when users access a corporate web site from their workstations. Which of the following is the best remediation against this type of attack?

A. Implementing server-side PKI certificates for all connections

B. Mandating only client-side PKI certificates for all connections

C. Requiring client and server PKI certificates for all connections

D. Requiring strong authentication for all DNS queries

A

C. Requiring client and server PKI certificates for all connections

26
Q

3.64 Which NMAP switch does operating system detection?

A. -OS

B. -sO

C. -sP

D. -O

A

D. -O

27
Q

3.65 What kind of attack exploits the weaknesses in the fragment reassembly functionality of TCP/IP?

A. Teardrop

B. SYN flood

C. Smurf attack

D. Ping of death

A

A. Teardrop

28
Q

3.66 Which is true about proxy firewalls?

A. Proxy firewalls increase the speed and functionality of a network.

B. Firewall proxy servers decentralize all activity for an application.

C. Proxy firewalls block network packets from passing to and from a protected network.

D. Computers establish a connection with a proxy firewall which initiates a new network connection for the client.

A

D. Computers establish a connection with a proxy firewall which initiates a new network connection for the client.

29
Q

3.67 What does NMAP need to be used as a vulnerability scanner covering several different protocols like HTTP, SMTP, FTP, DNS, etc?

A. Metasploit scripting engine

B. Nessus scripting engine

C. NMAP scripting engine

D. SAINT scripting engine

A

C. NMAP scripting engine

30
Q

3.68 Consider this output from a hacker’s machine targeting another machine with the IP address of 192.168.3.10:

[ATTEMPT] target 192.168.3.10 - login "root" - pass "a" 1 of 20

[ATTEMPT] target 192.168.3.10 - login "root" - pass "123" 2 of 20

[ATTEMPT] target 192.168.3.10 - login "admin" - pass "a" 3 of 20

[ATTEMPT] target 192.168.3.10 - login "admin" - pass "123" 4 of 20

[ATTEMPT] target 192.168.3.10 - login "guest" - pass "a" 5 of 20

[ATTEMPT] target 192.168.3.10 - login "guest" - pass "123" 6 of 20

[ATTEMPT] target 192.168.3.10 - login "" - pass "a" 7 of 20

[ATTEMPT] target 192.168.3.10 - login "" - pass "123" 8 of 20

Which is most likely taking place here?

A. Ping sweep of the 192.168.3.10 network

B. Remote service brute force attempt

C. Port scan of 192.168.3.10

D. Denial of service attack on 192.168.3.10

A

B. Remote service brute force attempt

31
Q

3.69 Your company has three security zones set up:

Internet – (Remote network = 154.60.22.0/24)

DMZ – (10.0.3.0/24)

Intranet – (192.168.5.0/24)

You want to configure remote desktop access from a fixed IP on the remote network to a remote desktop server in the DMZ. Which rule would best fit this requirement?

A. Permit 154.60.22.0/24 10.0.3.0/24 RDP 3389

B. Permit 154.60.22.6 10.0.3.30 RDP 3389

C. Permit 154.60.22.6 10.0.3.0/24 RDP 3389

D. Permit 154.60.22.0/24 10.0.3.30 RDP 3389

A

B. Permit 154.60.22.6 10.0.3.30 RDP 3389
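Why B is the best fit: it is the only candidate that admits exactly the required flow and nothing else. This added example (not part of the original flashcards) evaluates the four rules from the card against the requirement and ranks them by how many source/destination address pairs each one exposes; the host addresses 154.60.22.6 and 10.0.3.30 are taken from the card's answer, and the rule tuple format is an assumption for this example, not any firewall's syntax.

```python
import ipaddress

# The one flow the requirement actually asks for: fixed remote host to the
# RDP server in the DMZ (addresses from the card's answer).
REQUIRED_FLOW = ("154.60.22.6", "10.0.3.30", 3389)

# The four candidate rules, as (source, destination, destination port).
CANDIDATE_RULES = {
    "A": ("154.60.22.0/24", "10.0.3.0/24", 3389),
    "B": ("154.60.22.6", "10.0.3.30", 3389),
    "C": ("154.60.22.6", "10.0.3.0/24", 3389),
    "D": ("154.60.22.0/24", "10.0.3.30", 3389),
}


def _net(spec):
    # A bare host address becomes a /32 network.
    return ipaddress.ip_network(spec, strict=False)


def permits(rule, src, dst, port):
    """True if the rule would allow a packet src -> dst:port."""
    rule_src, rule_dst, rule_port = rule
    return (ipaddress.ip_address(src) in _net(rule_src)
            and ipaddress.ip_address(dst) in _net(rule_dst)
            and port == rule_port)


def exposure(rule):
    """Number of (source, destination) address pairs the rule admits;
    1 means exactly one host may reach exactly one host."""
    rule_src, rule_dst, _ = rule
    return _net(rule_src).num_addresses * _net(rule_dst).num_addresses


def rank_rules(rules, flow):
    """Rules that satisfy the required flow, least exposure first."""
    src, dst, port = flow
    viable = [(name, exposure(rule)) for name, rule in rules.items()
              if permits(rule, src, dst, port)]
    return sorted(viable, key=lambda item: item[1])


if __name__ == "__main__":
    for name, pairs in rank_rules(CANDIDATE_RULES, REQUIRED_FLOW):
        print(f"rule {name}: admits {pairs} address pair(s)")
```

All four rules would make the connection work, which is why a "does it pass traffic" test never catches an over-broad rule; the exposure count is the least-privilege check. A /24 on both sides (rule A) opens 65,536 host pairs to RDP from the Internet for a requirement that needs one.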

32
Q

3.70 A recently hired network security associate at a local bank was given the responsibility to perform daily scans of the internal network to look for unauthorized devices. The employee decides to write a script that will scan the network for unauthorized devices every morning at 5:00 am. Which of the following programming languages would most likely be used?

A. PHP

B. C#

C. Python

D. ASP.NET

A

C. Python

33
Q

3.71 To send a PGP encrypted message, which piece of information from the recipient must the sender have before encrypting the message?

A. Recipient’s private key

B. Recipient’s public key

C. Master encryption key

D. Sender’s public key

A

B. Recipient’s public key

34
Q

3.72 An attacker has been successfully modifying the purchase price of items purchased on the company’s web site. The security administrators verify the web server and Oracle database have not been compromised directly. They have also verified the Intrusion Detection System (IDS) logs and found no attacks that could have caused this. What is the most likely way the attacker has been able to modify the purchase price?

A. By using SQL injection

B. By changing hidden form values

C. By using cross site scripting

D. By utilizing a buffer overflow attack

A

B. By changing hidden form values
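The vulnerable pattern beside its fix, as an added example written for this deck (not part of the original flashcards, and not the application the card describes). A checkout that reads the price from a hidden form field is trusting a value the browser sent; the attacker edits that field and submits an otherwise well-formed request, so neither the IDS nor the database shows an attack. The hardened version takes the price from the server-side catalog and treats a mismatching client value as tampering. The catalog, SKUs and form dictionaries are constructed for the example; a real application would receive the same fields from an HTTP request.

```python
# Constructed server-side price list (the only authoritative source of prices).
CATALOG = {"sku-100": 49.99, "sku-200": 199.00}


def checkout_vulnerable(form):
    """Trusts the hidden 'price' field the browser submitted.
    The attacker only has to change that field in the request."""
    qty = int(form["qty"])
    price = float(form["price"])      # attacker-controlled input
    return round(price * qty, 2)


def checkout_hardened(form):
    """Price comes from the catalog, keyed by SKU; the client value is never
    used for the total. Returns (total, tampered) so the caller can log or
    block a request whose submitted price disagrees with the catalog."""
    sku = form["sku"]
    if sku not in CATALOG:
        raise ValueError("unknown sku")
    qty = int(form["qty"])
    if qty < 1:
        raise ValueError("bad quantity")
    total = round(CATALOG[sku] * qty, 2)
    client_price = form.get("price")
    tampered = client_price is not None and float(client_price) != CATALOG[sku]
    return total, tampered


# Constructed submissions: an honest one and one with the hidden price edited.
HONEST_FORM = {"sku": "sku-100", "qty": "2", "price": "49.99"}
TAMPERED_FORM = {"sku": "sku-200", "qty": "1", "price": "0.01"}


if __name__ == "__main__":
    print("vulnerable:", checkout_vulnerable(TAMPERED_FORM))
    print("hardened:  ", checkout_hardened(TAMPERED_FORM))
```

The same rule covers every client-supplied field that drives a server decision (discount codes, roles, account identifiers): hidden inputs and client-side validation are presentation, and every value must be re-derived or re-checked on the server.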

35
Q

3.73 A hacker is attempting to see which ports have been left open on a network. Which NMAP switch would the hacker use?

A. -sO

B. -sP

C. -sS

D. -sU

A

C. -sS

36
Q

3.74 Which of the following is a hashing algorithm?

A. MD5

B. PGP

C. DES

D. ROT13

A

A. MD5

37
Q

3.75 What port number is involved with sending log messages?

A. UDP 123

B. UDP 541

C. UDP 514

D. UDP 415

A

C. UDP 514
