Domain 4 Flashcards
A systems administrator recently hardened two servers (Linux and Windows), disabling unused ports and setting up a software firewall that restricts connections to specific ports and protocols. These servers support employees at an external branch that operates on wireless network connections and laptops. Which of the following tools will help audit the server’s security settings with the least amount of effort? (Select all that apply.)
tcpdump and tshark
tcpdump is a command-line packet capture utility built into most Linux distributions that outputs a description of the contents of each packet received on a network interface.
tshark is a terminal version of Wireshark that also captures and displays packet information from any network interface. This can run on a Windows computer.
During an interview, a security analyst is presented with four code blocks and asked to identify which one correctly defines and calls a function that uses grep to search a file in Python. Validate the analyst’s choice.
    import re

    filename = "sample.txt"
    pattern = "test"

    def search_file(name_of_file, grep_pattern):
        # Open the file and print every line that matches the regular expression
        with open(name_of_file, "r") as file:
            for line in file:
                if re.search(grep_pattern, line):
                    print(line)

    search_file(filename, pattern)
The correct Python script defines its variables, uses def to indicate a function is being defined, uses proper indentation, and calls the function after it has been defined.
The code block that does not initialize the ‘filename’ or ‘pattern’ variables is incomplete. Therefore, the code will halt with a NameError exception.
The code block that uses the ‘==’ operator to assign variables is using the wrong syntax; it should use a single ‘=’ operator. The same code block also calls the search_file function before it is defined, which will result in an error.
The code block that defines the search_file function with func is using the wrong syntax. Instead, the function should be defined with def.
A government agency is getting rid of older workstations. The agency will donate these workstations, along with other excess computer systems, to nearby schools. Management reminds the systems administrators about the data sanitization and disposal policy. What policy items are applicable for these IT systems, prior to donating to the schools? (Select all that apply.)
Use the DoD 5220.22-M method and degauss media with a magnet.
The DoD 5220.22-M wipe method involves three passes that write 1s, 0s, and random characters onto a hard drive. This method will prevent the use of many software-based file recovery methods. The systems admin must use this method before sending equipment to public schools.
Degaussing is a method of erasing data on a hard drive with a powerful magnet. This is appropriate for preparing systems before use by public schools.
A penetration tester is experimenting with Nmap on a test network. The tester input the following Nmap command: nmap -O testwebsite.org. Conclude what the effect of this command will be.
nmap -O = scan with OS detection
The -O flag following the target IP is the standard method of enabling OS detection in the scan.
The -traceroute flag with the target IP or URL will perform traceroute alongside the scan.
The -T0 flag is a timing switch that enables ‘paranoid’ intrusion detection system evasion, attempting to evade detection by the host.
The -oG flag, following the target IP and followed by a filename (or - for the screen), will enable Nmap to output ‘grepable’ scan results. While this can be used alongside OS detection flags, it will not by itself perform OS detection.
Identify the command that will output the 15 oldest entries in the log file called hostnames.
head /var/log/hostnames -n 15
The head command, by default, outputs the oldest 10 lines in a file. The -n argument can specify a different number of lines to output.
A network admin troubleshoots a virtual host that recently restarted. The admin wants to know when the virtual host is reachable through the network. Which ping switch would provide the most useful information?
-t
The -t switch pings the specified server name or IP (Internet protocol) address until stopped. Typing Ctrl+C on the keyboard will stop the pings.
Wrong:
The -n switch sets the number of echo requests to send. The standard send count is four. The number can be specified after the -n switch.
The -S switch, which is a capital S, is used to specify a source address to use that is different from the server that the admin is initiating the ping command from.
The -r switch records the route for count hops. This is for IPv4 addresses.
Exploitation frameworks leverage vulnerabilities discovered by automated vulnerability scanning to exploit a target. Identify the software classified as exploitation frameworks. (Select all that apply.)
fireELF, Sn1per, Metasploit
The Metasploit Project is a cybersecurity framework that offers information on security flaws and assists in penetration testing and creation of IDS signatures.
Sn1per is a framework designed for penetration test reporting and evidence gathering and can integrate with other tools, such as Metasploit, to run automated tests.
FireELF is a fileless open source Linux malware framework that enables customers to build and manage payloads quickly.
A network security analyst for a large company is testing system vulnerabilities by capturing system memory live while simultaneously attempting different methods of penetration and simulated attacks. The network consists of both Windows and Linux machines. Assess the tools that the analyst could employ in this process for capturing system memory on either OS. (Select all that apply.)
WinHex, and FTK Imager
WinHex is a hex and disk editor for Windows that, when preinstalled on the host system, allows live capture of system memory.
FTK Imager is a commercial suite of Windows-compatible forensic investigation software and includes the capability for live memory capture, saving the data in a proprietary .E01 file format.
An administrator wants to quickly assess the open ports of a Windows server. Which command will provide the admin with the right information?
netstat
The netstat command allows the admin to check the state of ports on the local machine (Windows or Linux). The admin may also be able to identify suspect remote connections to services on the local host or from the host to remote IP (Internet protocol) addresses.
A cybersecurity investigator is investigating an incident. Considering the possibility of an On-path attack, the investigator decides the first course of action is to check the MAC address of the default gateway IP to ensure it is the true MAC address of the router, to rule out spoofing. Dictate the topological tool or command the investigator can use for this purpose.
arp
The arp command is a TCP/IP command-line utility for viewing and modifying the local Address Resolution Protocol (ARP) cache, which contains recently resolved MAC addresses of Internet Protocol (IP) hosts on the network.
During an interview, a security analyst is presented with four code blocks and asked to identify which one correctly defines and calls a function to search a keyword in a file using PowerShell on Windows. Validate the analyst’s choice.
Select-String -Path C:\temp\sample.txt -Pattern “Test”
The Select-String -Path C:\temp\sample.txt -Pattern “Test” command will search for the “Test” string in the entire file called sample.txt. The command works similarly to the grep command.
A penetration tester is testing a network’s vulnerability. The first test to perform is to test how well the network’s firewall responds to a flood-based Denial of Service (DoS) attack. Discriminate between the software tool that can perform both packet sniffing and a DoS attack and the tools that cannot.
hping
The open-source tool, known as hping, has packet sniffing and injection capabilities, as well as Denial of Service (DoS) testing features built right in.
A new site includes a Windows domain controller, a DHCP (dynamic host configuration protocol) server, a Linux file server, and a Windows web server. An independent auditing team arrived to assess basic security guidelines and company policies. Today, the auditing team will perform the following tasks: (1) dynamically assign addresses on client Windows computers, and (2) verify the installation of antivirus software. Which of these actions will provide any of the information needed for today’s assessment?
Run ipconfig /all on a client computer
ipconfig /all is a Windows command. Running it on a client computer will output detailed network information for all connected network adapters, including whether the address is dynamically assigned (DHCP enabled).
A public key infrastructure (PKI) is being set up for a logistics company, utilizing OpenSSL. Which of the following commands can the team use, when setting up the PKI, to create an encrypted RSA key pair?
openssl genrsa -out server.key 1024
The openssl genrsa -out server.key 1024 command generates an RSA key and will output as server.key. 1024 represents the key size.
Identify the chmod command that will give all users read, write, and execute permissions for a file called newFile.
chmod a+rwx newFile
The a in the command signifies “all.” The + indicates permissions are being given. The letters r, w, and x mean read, write, and execute, respectively. The chmod a+rwx newFile command will grant read, write, and execute permissions to all users for the file newFile.
A new cybersecurity analyst is working at his first job. The analyst requires a penetration test reporting and evidence gathering framework that can run automated tests through integration with Metasploit. Recommend a framework that will fulfill the analyst’s needs.
sn1per
Sn1per is a framework designed for penetration test reporting and evidence gathering and can integrate with other tools, such as Metasploit, to run automated tests.