Day 4 115-151 Flashcards

1
Q

4.115 Which tool could let you view wireless traffic going to and from your WAP?

A. Nessus
B. Wireshark
C. Netcat
D. Netstat

A

B. Wireshark

2
Q

4.116 Wireshark uses which format as the default view for data in the currently selected packet?

A. ASCII
B. Binary
C. Decimal
D. Hexadecimal

A

D. Hexadecimal

3
Q

4.117 Replace the * in this command by viewing the command and the corresponding output:
Ping -* 7 192.168.5.10
Pinging 192.168.5.10 with 32 bytes of data:
Reply from 192.168.5.10: bytes=32 time<1ms TTL=64
Reply from 192.168.5.10: bytes=32 time<1ms TTL=64
Reply from 192.168.5.10: bytes=32 time<1ms TTL=64
Reply from 192.168.5.10: bytes=32 time<1ms TTL=64
Reply from 192.168.5.10: bytes=32 time<1ms TTL=64
Reply from 192.168.5.10: bytes=32 time<1ms TTL=64
Reply from 192.168.5.10: bytes=32 time<1ms TTL=64
Ping statistics for 192.168.5.10:
Packets: Sent = 7, Received = 7, Lost = 0 (0% loss)

A. t
B. n
C. s
D. a

A

B. n

Ping -n 7 192.168.5.10 means to send 7 echo requests to 192.168.5.10. In Windows, the default is to send 4 requests, but with the -n (number) switch, you can specify exactly how many to send (in this case, 7 requests).

4
Q

4.118 You get a security alert and you need to analyze a public IP address listed in the alert. Which of these would be the LEAST important information to review?

A. ARP
B. Whois
C. DNS
D. Geolocation

A

A. ARP

Whois will tell you who registered the domain. DNS could tell you the FQDN and other important information about the IP address. Geolocation would tell you where the IP is located. ARP is a mapping of IP address to MAC address, but this really wouldn't be relevant to public IPs out on the internet and wouldn't give you any useful information here.

5
Q

4.119 Which list of activities would give you the most information about a system’s security posture?

A. Social engineering, company website browsing, tailgating
B. Phishing, spamming, sending trojans
C. Port scanning, banner grabbing, service identification
D. Wardriving warchalking, social engineering

A

C. Port scanning, banner grabbing, service identification

6
Q

4.120 Which type of system could generate an alert when any computer sends “many” packets based on the typical number of packets sent by all your computers, and using some defined threshold values?

A. A behavior-based IDS
B. A hybrid IDS
C. A signature-based IDS
D. Just a network monitoring tool

A

A. A behavior-based IDS

7
Q

4.121 What’s the BEST reason to implement a DMZ on your network?

A. To contain the network devices you want to protect
B. To provide a place to put the honeypot
C. To only provide direct access to nodes within the DMZ and protect the network behind it
D. To scan all traffic coming through the DMZ to the internal network

A

C. To only provide direct access to nodes within the DMZ and protect the network behind it

8
Q

4.122 In which type of test does the tester have only partial knowledge of the system being tested?

A. White-box
B. Grey-box
C. Black-box
D. Announced

A

B. Grey-box

9
Q

4.123 You encrypt your data with your public key, then copy the data to a commercial cloud-based storage solution. Which of these scenarios would compromise the privacy of your data?

A. A hacker compromises the cloud server and steals the encrypted data.
B. The FBI forces you to give them your private key, however, since they have no warrant, the cloud service provider refuses to give the FBI access to the stored data.
C. You also store your private key on the cloud server, and an attacker has gained access to the server.
D. None of these scenarios would compromise the privacy of your data.

A

C. You also store your private key on the cloud server, and an attacker has gained access to the server.

10
Q

4.124 All of these are PCI compliance recommendations EXCEPT for which?

A. Use a firewall between the public network and the payment card data.
B. Limit access to card holder data to as few employees as possible.
C. Use encryption to protect all transmission of card holder data over any public network.
D. Rotate employees handling credit card transactions on a yearly basis to different departments.

A

D. Rotate employees handling credit card transactions on a yearly basis to different departments.

11
Q

4.125 Which keys are shared to enable the process of encryption and decryption of data?

A. User passwords
B. Public and private keys
C. Public keys
D. Private keys

A

C. Public keys

12
Q

4.126 What’s it called when a company employs multiple layers of security controls in order to improve its security posture?

A. Security through obscurity
B. Defense in depth
C. Host-based intrusion detection
D. Network-based intrusion detection

A

B. Defense in depth

13
Q

4.127 Which password cracking technique is the slowest?

A. Dictionary attack
B. Shoulder surfing
C. Brute force
D. Rainbow tables

A

C. Brute force

14
Q

4.128 Which of these is the best way to evade a NIDS?

A. Out of band signaling
B. Protocol isolation
C. Alternate Data Streams
D. Encryption

A

D. Encryption

15
Q

4.129 There are many different types of security policies. For example, there are Network Security Policies, Remote Access Policies, User Account Policies, Information Security Policies, etc. What is the main theme of these policies?

A. Confidentiality, Integrity, Availability
B. Authenticity, Confidentiality, Integrity
C. Availability, Non-repudiation, Confidentiality
D. Authenticity, Integrity, Non-repudiation

A

A. Confidentiality, Integrity, Availability

16
Q

4.130 There has been data-leakage on a workstation, so you go to that station, turn off the power, then remove the keyboard, mouse, and ethernet cable. Which incident-handling step would these activities fall under?

A. Discovery
B. Eradication
C. Containment
D. Recovery

A

C. Containment

17
Q

4.131 You need to allow HTTP traffic from 192.168.5.10 and UDP traffic to the syslog server at 10.0.1.2. At the same time you need to allow SMTP traffic to everyone else so they can send e-mail. You create the following ACLs, but then you find nobody can access the internet or use e-mail. Look at this configuration and choose the reason why these problems are happening.

access-list 100 deny tcp any any
access-list 105 permit udp host 10.0.1.2
access-list 108 permit tcp host 192.168.5.10 eq www any
access-list 106 permit tcp any eq smtp any

A. The first ACL is denying all TCP traffic and the other ACLs are being ignored by the router.
B. The ACL 108 needs to be changed to port 80
C. The ACL 105 needs to be first because it’s UDP
D. The ACL for SMTP must be before the ACL 108

A

A. The first ACL is denying all TCP traffic and the other ACLs are being ignored by the router.

18
Q

4.132 While monitoring traffic, you find that there are very large outbound connections from your LAN to some external IPs that are blacklisted. When you examine further, you find that the connections are CnC communications. What should you do?

A. Block the blacklisted IPs at the firewall.
B. Update the latest signatures on your IDS/IPS.
C. Clean the malware that's trying to communicate with the external blacklisted IPs.
D. Both A and C

A

A. Block the blacklisted IPs at the firewall.
C. Clean the malware that's trying to communicate with the external blacklisted IPs.

If you block those IPs, then the infected machines can't receive instructions from the Command-and-Control (CnC) server. After that, clean the malware from the infected machines. Answer B may or may not help with this problem, because there may or may not be a signature for that particular malware yet.

19
Q

4.133 Which service runs on TCP port 123?

A. POP3
B. DNS
C. Network Time Protocol
D. Telnet

A

C. Network Time Protocol

More commonly NTP runs on UDP port 123, but it can be configured to use TCP instead. NTP is the only acceptable answer here in any event.

20
Q

4.134 BigCorp is a large company and has a huge data center full of Linux servers. The perimeter of the data center is secured with IPS and firewalls. Which of these is the best security policy for this setup?

A. The operator knows that attacks and downtime are inevitable and should have a backup site.
B. As long as the physical access to the network elements is restricted, there is no need for additional measures.
C. Network elements must be hardened with user ids and strong passwords. Regular security tests and audits should be performed.
D. There is no need for specific security measures on the network elements as long as firewalls and IPS systems exist.

A

C. Network elements must be hardened with user ids and strong passwords. Regular security tests and audits should be performed.

21
Q

4.135 During an investigation you are reviewing the IDS logs. You see nothing suspicious and see an alert that triggered on normal web traffic. How would you label this alert?

A. False negative
B. False positive
C. False signature
D. True positive

A

B. False positive

22
Q

4.136 Your IDS shows this in the logs:

source IP: 10.10.10.10
source port: 80
destination IP: 192.168.5.27
destination port: 52191

You want to verify if this is a true positive or false positive. Which of these is the most proper answer?

A. This is most probably a false positive, because the IDS is monitoring one-direction traffic.
B. This is most probably a true positive which triggered on secure communication between client and server.
C. This is most probably a true negative.
D. This is most probably a false positive, because an alert triggered on reversed traffic.

A

D. This is most probably a false positive, because an alert triggered on reversed traffic.

23
Q

4.137 Which of these encryption algorithms is used for encrypting Kerberos traffic?

A. DSA
B. RSA
C. DES
D. ECC

A

C. DES

Kerberos versions 1-4 used DES for encryption. Version 5 switched to AES, which isn't listed as an answer choice here. DSA (Digital Signature Algorithm) is only used for signing. RSA and ECC are asymmetric, which is much slower than symmetric, so they're not used with Kerberos.

24
Q

4.138 Which statement about Intrusion Detection Systems is NOT correct?

A. Intrusion Detection Systems require constant update of the signature library.
B. Intrusion Detection Systems can easily distinguish a malicious payload in encrypted traffic.
C. Intrusion Detection Systems can examine the contents of the data in the context of the network protocol.
D. Intrusion Detection Systems can be configured to distinguish specific content in network packets.

A

B. Intrusion Detection Systems can easily distinguish a malicious payload in encrypted traffic.

25
Q

4.139 You need to set up Wireshark on a Windows laptop. What driver and library are needed to allow your NIC to go into promiscuous mode?

A. Winpcap
B. Winprom
C. Winpsw
D. Libpcap

A

A. Winpcap

26
Q

4.140 You’re trying to run a Linux cron job to have Wireshark grab traffic from the IP range of 192.168.5.0/24. Which command will achieve this?

A. wireshark –fetch “192.168.5.*”
B. wireshark –capture –local –masked 192.168.5.0 –range 24
C. tshark -net 192.255.255.255 mask 192.168.5.0
D. sudo tshark -f "net 192.168.5.0/24"

A

D. sudo tshark -f "net 192.168.5.0/24"

First, cron is the task-scheduling tool in Linux. Second, the keyword sudo means "superuser do"; in other words, it says to "run this job as the root user". TShark is Wireshark's command-line tool. The -f switch means "filter" (capture filter). The "net" keyword specifies a network to capture, in this case the whole 192.168.5.0/24 network.

27
Q

4.141 Which of these is NOT a method of preventing an ARP spoofing attack?

A. Kernel based patches
B. ARPWatch
C. Static MAC entries
D. Secure ARP protocol

A

A. Kernel based patches

28
Q

4.142 You found a vulnerability on the network and reported it. After reviewing your report, the network team provides you proof that they’ve already fixed this issue. The vulnerability you found would be called which of these?

A. Backdoor
B. Brute force attack
C. False-positive
D. False-negative

A

C. False-positive

29
Q

4.143 Two pen-testers performed the exact same vulnerability scan, at the same time, with the same tool, on the same IP ranges, but one of them showed more results than the other. Which of these is the MOST likely reason for this?

A. One scan was blocked by the firewall.
B. One scan was blocked by the IDS
C. One scan was blocked by the IPS.
D. The admin of the scanned system updated most of the vulnerabilities.

A

C. One scan was blocked by the IPS.

Perhaps the IPS thought it was an attack when the second person’s traffic came in? Perhaps it looked suspicious by that point? The firewall is too static to adapt its behavior like this, and the IDS doesn’t block anything.

30
Q

4.144 What makes a penetration test more thorough than a vulnerability scan?

A. A penetration test actively exploits the vulnerabilities in the targeted infrastructure, while a vulnerability scan does not typically involve active exploitation.
B. The tools used by penetration testers tend to have much more comprehensive vulnerability databases.
C. Vulnerability scans only do host discovery and port scanning by default.
D. It is not; a penetration test is often performed by an automated tool, while a vulnerability scan requires active engagement.

A

A. A penetration test actively exploits the vulnerabilities in the targeted infrastructure, while a vulnerability scan does not typically involve active exploitation.

31
Q

4.145 Which Wireshark filter will show you just SMTP traffic?

A. request smtp 25
B. smtp port
C. tcp.port eq 25
D. tcp.contains port 25

A

C. tcp.port eq 25

32
Q

4.146 Which of these would you use as a Wireshark display filter to find unencrypted file transfers?

A. tcp.port == 21 || tcp.port == 22
B. tcp.port != 21
C. tcp.port == 21
D. tcp.port = 23

A

C. tcp.port == 21

33
Q

4.147 Which protocol is used to synchronize the time on a Linux machine?

A. PPP
B. TimeKeeper
C. OSPF
D. NTP

A

D. NTP

34
Q

4.148 Which document includes step-by-step instructions?

A. Process
B. Procedure
C. Policy
D. Paradigm

A

B. Procedure

35
Q

4.149 What is the port number for SNMP?

A. 150
B. 161
C. 169
D. 69

A

B. 161

36
Q

4.150 A penetration tester is hired to do a risk assessment of a company's DMZ. The rules of engagement state that the penetration test be done from an external IP address with no prior knowledge of the internal IT systems. What kind of test is being performed?

A. white box
B. grey box
C. red box
D. black box

A

D. black box