Day 4 39-75 Flashcards

1
Q

4.39 The computer is able to transfer files locally to other machines, but cannot successfully reach the Internet. When the technician examines the IP address and default gateway, they are both on the 192.168.1.0/24 network.

Which of the following has occurred?

A. The gateway and the computer are not on the same network
B. The computer is not using a private IP address
C. The computer is using an invalid IP address
D. The gateway is not routing to a public IP address

A

D. The gateway is not routing to a public IP address

2
Q

4.40 What results will the following command yield: 'nmap -sS -O -p 123-153 192.168.100.3'?

A. A stealth scan, checking open ports 123 to 153
B. A stealth scan, checking all open ports excluding ports 123 to 153
C. A stealth scan, opening port 123 and 153
D. A stealth scan, determine operating system, and scanning ports 123 to 153

A

D. A stealth scan, determine operating system, and scanning ports 123 to 153

3
Q

4.41 Some passwords are stored using specialized encryption algorithms known as hashes. Why is this an appropriate method?

A. Hashing is faster compared to more traditional encryption algorithms
B. It is impossible to crack hashed user passwords unless the key used to encrypt them is obtained
C. Passwords stored using hashes are nonreversible, making finding the password much more difficult
D. If a user forgets the password, it can be easily retrieved using the hash key stored by administrators

A

C. Passwords stored using hashes are nonreversible, making finding the password much more difficult

4
Q

4.42 A botnet can be managed through which of the following?

A. Email
B. LinkedIn and Facebook
C. A vulnerable FTP server
D. IRC

A

D. IRC

IRC = Internet Relay Chat. This is a protocol that allows you to relay text messages via discussion forums. IRC is often used as a means to control infected “bots” or “zombies”.

5
Q

4.43 Fingerprinting VPN firewalls is possible with which of the following tools?

A. arp-scan
B. ike-scan
C. Nikto
D. Angry IP

A

B. ike-scan

http://sectools.org/tool/ike-scan/

6
Q

4.44 What is the outcome of the command "nc -l -p 3030 | nc 192.168.5.10 5555"?

A. Netcat will listen on the 192.168.5.10 interface for 5555 seconds on port 3030.

B. Netcat will listen on port 3030 and output anything received to a remote connection on 192.168.5.10 port 5555.

C. Netcat will listen for a connection from 192.168.5.10 on port 5555 and output anything received to port 3030.

D. Netcat will listen on port 3030 and then output anything received to local interface 192.168.5.10.

A

B. Netcat will listen on port 3030 and output anything received to a remote connection on 192.168.5.10 port 5555.

7
Q

4.45 What information should an IT system analysis provide to the risk assessor?

A. Threat statement
B. Impact analysis
C. Security architecture
D. Management buy-in

A

C. Security architecture

8
Q

4.46 Which security strategy requires using several, varying methods to protect IT systems against attacks?

A. Three-way handshake
B. Exponential backoff algorithm
C. Covert channels
D. Defense in depth

A

D. Defense in depth

9
Q

4.47 Which of the following business challenges could be solved by using a vulnerability scanner?

A. Auditors want to discover if all systems are following a standard naming convention
B. There is an emergency need to remove administrator access from multiple machines for an employee that quit
C. A Web server was compromised and management needs to know if any further systems were compromised
D. There is a monthly requirement to test corporate compliance with host application usage and security policies

A

D. There is a monthly requirement to test corporate compliance with host application usage and security policies

10
Q

4.48 If an e-commerce site was put into a live environment and the programmers failed to remove the secret entry point that was used during the application development, what is this secret entry point known as?

A. SDLC process
B. Honeypot
C. SQL injection
D. Trapdoor

A

D. Trapdoor

11
Q

4.49 At midnight your firewall logs are at the expected size of 4MB. Exactly 2 hours later the size has decreased considerably. Another hour goes by and the log files have shrunk in size again. Which of the following actions should be taken?

A. Run an antivirus scan because it is likely the system is infected by malware
B. Log the event as suspicious activity, continue to investigate, and act according to the site’s security policy
C. Log the event as suspicious activity, call a manager, and report this as soon as possible
D. Log the event as suspicious activity and report this behavior to the incident response team immediately

A

B. Log the event as suspicious activity, continue to investigate, and act according to the site’s security policy

12
Q

4.50 Which of the following open source tools would be the best choice to scan a network for potential targets?

A. NIKTO
B. CAIN
C. John the Ripper
D. NMAP

A

D. NMAP

13
Q

4.51 Which tool can be used to silently copy files to USB devices?

A. USB dumper
B. USB sniffer
C. USB grabber
D. USB Snoopy

A

C. USB grabber

14
Q

4.52 How can a policy help improve an employee’s security awareness?

A. By implementing written security procedures, enabling employee security training, and promoting the benefits of security
B. By using informal networks of communication, establishing secret passing procedures, and immediately terminating employees
C. By sharing security secrets with employees, enabling employees to share secrets, and establishing a consultative helpline
D. By decreasing an employee’s vacation time, addressing ad hoc employment clauses, and ensuring that managers know employee strengths

A

A. By implementing written security procedures, enabling employee security training, and promoting the benefits of security

15
Q

4.53 In the software security development lifecycle process, threat modeling occurs in which phase?

A. Design
B. Requirements
C. Verification
D. Implementation

A

A. Design

16
Q

4.54 Which statement is true regarding network firewalls preventing Web application attacks?

A. Network firewalls can prevent attacks because they can detect malicious HTTP traffic
B. Network firewalls can prevent attacks if they are properly configured
C. Network firewalls cannot prevent attacks because ports 80 and 443 must be open
D. Network firewalls cannot prevent attacks because they are too complex to configure

A

C. Network firewalls cannot prevent attacks because ports 80 and 443 must be open

17
Q

4.55 Which of the following is used to indicate a single line comment in structured query language (SQL)?

A. --
B. %%
C. “
D. #

A

A. --

18
Q

4.57 Which of the following network attacks relies on sending an abnormally large packet size that exceeds TCP/IP specifications?

A. Ping of death
B. Smurf attack
C. TCP hijacking
D. SYN flood

A

A. Ping of death

19
Q

4.58 What statement is true regarding LM hashes?

A. LM hashes are not generated when the password length exceeds 15 characters
B. Uppercase characters in the password are converted to lowercase
C. LM hashes consist of 48 hexadecimal characters
D. LM hashes are based on AES 128 cryptographic standard

A

A. LM hashes are not generated when the password length exceeds 15 characters

20
Q

4.59 After gaining access to the password hashes used to protect access to a web-based application, knowledge of which cryptographic algorithms would be useful to gain access to the application?

A. SHA1
B. AES
C. RSA
D. Diffie Hellman

A

A. SHA1

21
Q

4.60 Which of the following problems can be solved by using Wireshark?

A. Tracking version changes of source code
B. Resetting the administrator password on multiple systems
C. Troubleshooting communication resets between two systems
D. Checking creation dates on all webpages on a server

A

C. Troubleshooting communication resets between two systems

22
Q

4.61 A newly discovered flaw in a software application would be considered which kind of security vulnerability?

A. Input validation flaw
B. HTTP header injection vulnerability
C. Time-of-check to time-of-use flaw
D. 0-day vulnerability

A

D. 0-day vulnerability

23
Q

4.62 What is the command used to create a binary log file using tcpdump?

A. tcpdump -w ./log
B. tcpdump -r log
C. tcpdump -vde log
D. tcpdump -l /var/log/

A

A. tcpdump -w ./log

24
Q

4.63 The use of alert thresholding in an IDS can reduce the volume of repeated alerts, but introduces which of the following vulnerabilities?

A. Thresholding interferes with the IDS’s ability to reassemble fragmented packets
B. An attacker, working slowly enough, can evade detection by the IDS
C. Network packets are dropped if the volume exceeds the threshold
D. The IDS will not distinguish among packets originating from different sources

A

B. An attacker, working slowly enough, can evade detection by the IDS

An alert threshold (in Snort, for example) tells the IDS to alert only when it sees more than X matches per time period, for example more than 10 matching packets per minute.

25
Q

4.64 Which of the following techniques does a vulnerability scanner use in order to detect a vulnerability on a target service?

A. Banner grabbing
B. Port scanning
C. Injecting arbitrary data
D. Analyzing service response

A

D. Analyzing service response

26
Q

4.65 Which of the following defines the role of a root CA in a public key infrastructure?

A. The root CA stores the user’s hash value for safekeeping
B. The CA is the trusted root that issues certificates
C. The root CA is the recovery agent used to encrypt data when a user certificate is lost
D. The root CA is used to encrypt email messages to prevent unintended disclosure of data

A

B. The CA is the trusted root that issues certificates

27
Q

4.66 The precaution of prohibiting employees from bringing personal computer devices into a facility is what type of security control?

A. Procedural
B. Compliance
C. Physical
D. Technical

A

A. Procedural

28
Q

4.67 You are attempting to map out the firewall policy for an organization. You discover your target system is one hop beyond the firewall. Using hping2 tool, you send SYN packets with the exact TTL of the target system starting at port 1 and going to port 1024. What is this process called?

A. Footprinting
B. Firewalking
C. Enumeration
D. Idle Scanning

A

B. Firewalking

29
Q

4.68 You want to hide a secret.txt document inside c:\windows\system32\tcpip.dll kernel library using ADS streams. How will you accomplish this?

A. copy secret.txt c:\windows\system32\tcpip.dll kernel>secret.txt
B. copy secret.txt c:\windows\system32\tcpip.dll:secret.txt
C. copy secret.txt c:\windows\system32\tcpip.dll |secret.txt
D. copy secret.txt >< c:\windows\system32\tcpip.dll kernel secret.txt

A

B. copy secret.txt c:\windows\system32\tcpip.dll:secret.txt

30
Q

4.69 Which of these has built-in functionality to decode Cisco passwords contained in .pcf config files?

A. Cupp
B. Nessus
C. Cain and Abel
D. John The Ripper Pro

A

C. Cain and Abel

31
Q

4.70 Which of these tools can automate SQL injections?

A. DataThief
B. NetCat
C. Cain and Abel
D. SQLInjector

A

D. SQLInjector

32
Q

4.71 Which tool can scan web servers for problems like potentially dangerous files and vulnerable CGIs?

A. Snort
B. Dsniff
C. Nikto
D. John the Ripper

A

C. Nikto

Nikto is an open source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6400 potentially dangerous files/CGIs, checks for outdated versions of over 1200 servers, and version-specific problems on over 270 servers.

33
Q

4.72 Which port number is involved with file sharing on a Windows computer?

A. 445
B. 3389
C. 1433
D. 161

A

A. 445

34
Q

4.73 You are combing through event logs from your firewall, IDS, and proxy server looking for a possible security breach. When you correlate the data from the logs, you find that the sequence of many of the events doesn’t match up. What is the most likely reason for this?

A. The network devices are not all synchronized
B. Proper chain of custody was not observed while collecting the logs
C. The attacker altered or erased events from the logs
D. The security breach was a false positive

A

C. The attacker altered or erased events from the logs

35
Q

4.74 From your computer, which of these is the best way to send traffic through the network undetected, evading the IDS?

A. Use Alternate Data Streams to hide the outgoing packets
B. Use HTTP so that all traffic can be routed via a browser, thus evading the internal IDS
C. Install Cryptcat and encrypt outgoing packets
D. Install and use telnet to encrypt all outgoing traffic

A

C. Install Cryptcat and encrypt outgoing packets

36
Q

4.75 Which type of system would have a configuration file containing a rule like this: alert tcp any any -> 192.168.100.0/24 21 (msg: "FTP on the network!";)

A. FTP Server rule
B. An Intrusion Detection System
C. A router IPTable
D. A firewall IPTable

A

B. An Intrusion Detection System