Day 4 1-38 Flashcards

1
Q

4.1 When using Wireshark to acquire packet capture on a network, which device would enable the capture of all traffic on the wire?

A. Network tap
B. Layer 3 switch
C. Network bridge
D. Application firewall

A

A. Network tap

2
Q

4.2 SSL has been seen as the solution to a lot of common security problems. Administrators will often make use of SSL to encrypt communications from point A to point B. Why do you think this could be a bad idea if there is an Intrusion Detection System deployed to monitor the traffic between point A and B?

A. SSL is redundant if you already have IDSs in place
B. SSL will trigger rules at regular intervals and force the administrator to turn them off
C. SSL will slow down the IDS while it is breaking the encryption to see the packet content
D. SSL will hide the content of the packets and Intrusion Detection Systems will not be able to detect them

A

D. SSL will hide the content of the packets and Intrusion Detection Systems will not be able to detect them

3
Q

4.3 Which TWO types of detection methods are employed by Network Intrusion Detection Systems (NIDS)?

A. Signature
B. Anomaly
C. Passive
D. Reactive

A

A. Signature

B. Anomaly

4
Q

4.4 Which of the following problems can be solved by using Wireshark?

A. Tracking version changes of source code
B. Checking creation dates on all webpages on a server
C. Resetting the administrator password on multiple systems
D. Troubleshooting communication resets between two systems

A

D. Troubleshooting communication resets between two systems

5
Q

4.5 Your IDS generated an alert because there was a lot of traffic hitting your SQL server. You investigate the server, but there is no indication of an attack and everything looks fine. How then should you classify the IDS alert?

A. True negatives
B. False negatives
C. True positives
D. False positives

A

D. False positives

6
Q

4.6 You logged in to your corporate firewall to do some work, but the IDS logged your activity as an attack. How would you categorize the alert?

A. False positive
B. False negative
C. True positive
D. True negative

A

A. False positive

7
Q

4.7 What hardware requirement should your IDS, IPS, or proxy server have as a best-practice?

A. Fast processor to help with network traffic analysis
B. They should be dual-homed
C. Similar RAM requirements
D. Fast network interface cards

A

B. They should be dual-homed

8
Q

4.8 A hacker has been attacking your network. You find that your IDS wasn’t configured correctly and couldn’t notify you about the attacks. Which type of alert is the IDS giving?

A. True positives
B. True negatives
C. False positives
D. False negatives

A

D. False negatives

9
Q

4.9 A penetration tester is attempting to scan an internal corporate network from the internet without alerting the border sensor. Which is the most efficient technique that the tester should consider using?

A. Spoofing an IP address
B. Tunneling scan over SSH
C. Tunneling over high port numbers
D. Scanning using fragmented IP packets

A

B. Tunneling scan over SSH

10
Q

4.10 This IDS defeating technique works by splitting a datagram (or packet) into a continuous stream of multiple (small) fragments and the IDS will not spot the true nature of the fully assembled datagram. The datagram is not reassembled until it reaches its final destination. It would be a processor-intensive task for IDS to reassemble all fragments itself, and on a busy system the packet will slip through the IDS onto the network.
What is this technique called?

A. IP Routing or Packet Dropping
B. IDS Spoofing or Session Assembly
C. IP Fragmentation or Session Splicing
D. IP Splicing or Packet Reassembly

A

C. IP Fragmentation or Session Splicing

11
Q

4.11 In keeping with the best practices of layered security, where are the best places to place intrusion detection/intrusion prevention systems? (Choose two.)

A. HID/HIP (Host-based Intrusion Detection/Host-based Intrusion Prevention)

B. NID/NIP (Node-based Intrusion Detection/Node-based Intrusion Prevention)

C. NID/NIP (Network-based Intrusion Detection/Network-based Intrusion Prevention)

D. CID/CIP (Computer-based Intrusion Detection/Computer-based Intrusion Prevention)

A

A. HID/HIP (Host-based Intrusion Detection/Host-based Intrusion Prevention)

C. NID/NIP (Network-based Intrusion Detection/Network-based Intrusion Prevention)

12
Q

4.12 Which FOUR of these techniques could you use to evade an IDS, or at least protect yourself, during a port scan?

A. Use fragmented IP packets
B. Spoof your IP address when launching attacks and sniff responses from the server
C. Overload the IDS with Junk traffic to mask your scan
D. Use source routing (if possible)
E. Connect to proxy servers or compromised Trojan’d machines to launch attacks

A

A. Use fragmented IP packets
B. Spoof your IP address when launching attacks and sniff responses from the server
D. Use source routing (if possible)
E. Connect to proxy servers or compromised Trojan’d machines to launch attacks

13
Q

4.13 Which of these will recognize attempts to penetrate the network?

A. Router
B. Firewall
C. Proxy
D. Intrusion Detection System

A

D. Intrusion Detection System

14
Q

4.14 Which of these would be the best way to evade the NIDS?

A. Encryption
B. Out of band signaling
C. Protocol Isolation
D. Alternate Data Streams

A

A. Encryption

15
Q

4.15 How can telnet be used to fingerprint a web server?

A. telnet webserverAddress 80
HEAD / HTTP/1.0
B. telnet webserverAddress 80
PUT / HTTP/1.0
C. telnet webserverAddress 80
HEAD / HTTP/2.0
D. telnet webserverAddress 80
PUT / HTTP/2.0

A

A. telnet webserverAddress 80

HEAD / HTTP/1.0

16
Q

4.16 On a Linux device, which of the following commands will start the Nessus client in the background so that the Nessus server can be configured?

A. nessus +
B. nessus *s
C. nessus &
D. nessus -d

A

C. nessus &

17
Q

4.17 What is it called when an IDS can discover attacks but not stop them?

A. Detective
B. Passive
C. Intuitive
D. Reactive

A

B. Passive

18
Q

4.18 A Security Engineer has been tasked with discovering how much information can be obtained from the firm’s public-facing web servers. The engineer decides to start by using netcat to connect to port 80. The engineer receives this output:

HTTP/1.1 200 OK
Server: Microsoft-IIS/6
Expires: Tue, 17 Jan 2011 01:41:33 GMT
Date: Mon, 16 Jan 2011 01:41:33 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Wed, 28 Dec 2010 15:32:21 GMT

Which of the following is an example of what the engineer performed?

A. Cross-site scripting
B. Banner grabbing
C. SQL injection
D. Whois database query

A

B. Banner grabbing

19
Q

4.19 What’s the best approach to tuning security alerts?

A. Raise false positives and raise false negatives.
B. Decrease false negatives.
C. Tune to avoid false positives and false negatives.
D. Decrease false positives

A

C. Tune to avoid false positives and false negatives.

20
Q

4.20 Which type of scanning technique splits the TCP header into many packets so that it becomes hard for network monitoring devices to figure out what the packets are meant for?

A. Ack flag scanning
B. IP fragment scanning
C. TCP scanning
D. Inverse TCP flag scanning

A

B. IP fragment scanning

21
Q

4.21 What’s it called when someone sends a large amount of traffic, in order to generate a large number of alerts on the IDS, in an attempt to hide the real traffic?

A. Insertion attack
B. Denial-of-Service
C. Obfuscating
D. False Positive Generation

A

D. False Positive Generation

An Obfuscation Technique encodes the payload in such a way that the IDS can’t understand it but the target can. A False Positive Generation Attack attempts to hide the attack traffic in a large volume of false positive alerts.

22
Q

4.22 Which technical characteristic do Ethereal/Wireshark, TCPDump, and Snort have in common?

A. They are written in Java.
B. They send alerts to security monitors.
C. They use the same packet analysis engine.
D. They use the same packet capture utility.

A

D. They use the same packet capture utility.

23
Q

4.23 Which of the following does proper basic configuration of snort as a network intrusion detection system require?

A. Limit the packets captured to the /var/log/snort directory
B. Capture every packet on the network segment
C. Limit the packets captured to a single segment
D. Limit the packets captured to the snort configuration file

A

D. Limit the packets captured to the snort configuration file

24
Q

4.24 When discussing trojans, what is a wrapper?

A. An encryption tool to protect the Trojan
B. A tool used to bind the Trojan with a legitimate file
C. A tool used to calculate bandwidth and CPU cycles wasted by the Trojan
D. A tool used to encapsulate packets within a new header and footer

A

B. A tool used to bind the Trojan with a legitimate file

25
Q

4.25 What is the problem with low humidity in a data center?

A. Heat
B. Corrosion
C. Static electricity
D. Airborne contamination

A

C. Static electricity

26
Q

4.26 The use of technologies like IPsec can help guarantee the following: authenticity, integrity, confidentiality and

A. Operability
B. Security
C. Non-repudiation
D. Usability

A

C. Non-repudiation

IPSec offers many functions for security, including confirmation of the data’s origin (non-repudiation/signing).

27
Q

4.27 Company A and Company B have just merged and each has its own public key infrastructure (PKI). What must the certificate authority establish so that the private PKIs for Company A and Company B trust one another and each private PKI can validate digital certificates from the other company?

A. Poly key reference
B. Cross certification
C. Cross exchange
D. poly key exchange

A

B. Cross certification

They must exchange certificates with each other so that they can validate any future certificates issued by the other company’s CA.

28
Q

4.28 On a Windows 2008 server, how many bits does Syskey use to encrypt password hashes?

A. 40-bit encryption
B. 128-bit encryption
C. 256-bit encryption
D. 64-bit encryption

A

B. 128-bit encryption

29
Q

4.29 Study the Snort rule given below and interpret the rule. When would an alert be generated?

alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)

A. When a TCP packet is generated from any IP on the 192.168.1.0 subnet and destined to any IP on port 111

B. When any packet other than a TCP packet is seen on the network and destined for the 192.168.1.0 subnet

C. When a TCP packet is originated from port 111 of any IP address to the 192.168.1.0 subnet

D. When a TCP packet originating from any IP address is seen on the network and destined for any IP address on the 192.168.1.0 subnet on port 111

A

D. When a TCP packet originating from any IP address is seen on the network and destined for any IP address on the 192.168.1.0 subnet on port 111

30
Q

4.30 What is the correct command to run Netcat on a server using port 56 that spawns a command shell when connected?

A. nc -port 56 -s cmd.exe
B. nc -p 56 -p -e shell.exe
C. nc -r 56 -c cmd.exe
D. nc -l 56 -t -e cmd.exe

A

D. nc -l 56 -t -e cmd.exe

31
Q

4.31 A corporation hired an ethical hacker to test if it is possible to obtain users’ login credentials using methods other than social engineering. Access to offices and to a network node is granted. Results from server scanning indicate all are adequately patched and physical access is denied, thus, administrators have access only through Remote Desktop. Which technique could be used to obtain login credentials?

A. Capture every user’s traffic with Ettercap.
B. Capture LANMAN hashes and crack them with LC6.
C. Guess passwords using Medusa or Hydra against a network service.
D. Capture administrators’ RDP traffic and decode it with Cain and Abel.

A

D. Capture administrators’ RDP traffic and decode it with Cain and Abel.

32
Q

4.32 What is the correct PCAP filter to capture all TCP traffic going to or from host 192.168.0.125 on port 25?

A. tcp.src == 25 and ip.host == 192.168.0.125
B. host 192.168.0.125:25
C. port 25 and host 192.168.0.125
D. tcp.port == 25 and ip.host == 192.168.0.125

A

C. port 25 and host 192.168.0.125

33
Q

4.33 What file system vulnerability does the following command take advantage of?

type c:\anyfile.exe > c:\winnt\system32\calc.exe:anyfile.exe

A. HFS
B. Backdoor access
C. XFS
D. ADS

A

D. ADS

34
Q

4.34 When an alert rule is matched in a network-based IDS like snort, the IDS does which of the following?

A. Drops the packet and moves on to the next one
B. Continues to evaluate the packet until all rules are checked
C. Stops checking rules, sends an alert, and lets the packet continue
D. Blocks the connection with the source IP address in the packet

A

B. Continues to evaluate the packet until all rules are checked

35
Q

4.35 What is the main advantage that a network-based IDS/IPS system has over a host-based solution?

A. They are placed at the boundary, allowing them to inspect all traffic
B. They are easier to install and configure
C. They do not use host system resources
D. They will not interfere with user interfaces

A

C. They do not use host system resources

A is out because your IDS is not necessarily at your boundary. Also, they can’t inspect “all” traffic as there could be a threat within your company already and that traffic wouldn’t pass through the boundary devices.

36
Q

4.36 Which of the following identifies the three modes in which Snort can be configured to run?

A. Sniffer, Packet Logger, and Network Intrusion Detection System
B. Sniffer, Network Intrusion Detection System, and Host Intrusion Detection System
C. Sniffer, Host Intrusion Prevention System, and Network Intrusion Prevention System
D. Sniffer, Packet Logger, and Host Intrusion Prevention System

A

A. Sniffer, Packet Logger, and Network Intrusion Detection System

37
Q

4.37 Tom is writing signatures for a Snort node he placed internally that captures all mirrored traffic from his border firewall. From the following signature, what will Snort look for in the payload of the suspected packets?

alert tcp $EXTERNAL_NET any -> $HOME_NET 27374 (msg: "BACKDOOR SIG - SubSseven 22"; flags: A+; content: "|0d0a5b52504c5d3030320d0a|"; reference:arachnids, 485;) alert

A. The payload of 485 is what this Snort signature will look for.
B. Snort will look for 0d0a5b52504c5d3030320d0a in the payload.
C. Packets that contain the payload of BACKDOOR SIG - SubSseven 22 will be flagged.
D. From this snort signature, packets with HOME_NET 27374 in the payload will be flagged.

A

B. Snort will look for 0d0a5b52504c5d3030320d0a in the payload.

38
Q

4.38 Your IDS suddenly alerts you to multiple attacks against several different company servers and devices. In which order should you investigate?

A. Investigate based on the maintenance schedule of the affected systems.
B. Investigate based on the service level agreements of the systems.
C. Investigate based on the potential effect of the incident.
D. Investigate based on the order that the alerts arrived in.

A

C. Investigate based on the potential effect of the incident.