Domain 4 Flashcards

1
Q

A network security analyst for a large company is testing system vulnerabilities by capturing system memory live while simultaneously attempting different methods of penetration and simulated attacks. The network consists of both Windows and Linux machines. Assess the tools that the analyst could employ in this process for capturing system memory on either OS.

A

On Linux, memdump reads physical memory through a memory device file such as /dev/mem. Modern kernels restrict direct reads of /dev/mem, so a kernel module such as fmem or pmem is loaded first to expose a device that a user-space tool is allowed to read.
WinHex is a hex and disk editor for Windows that, when already installed on the host, can capture live system memory.
dd is the standard Linux copying and conversion tool. Because it copies raw blocks from any file or device, it can image an entire disk and, given a readable memory device (/dev/mem where the kernel allows it, or the device a pmem/fmem module provides), it can write a memory capture to a file. That makes it a simple way to acquire memory; the output should be hashed immediately so the capture can be verified later.

2
Q

A hacker has scanned the network for vulnerabilities and plans to inject malicious software into an unprotected server. The hacker wants to use this server as a jump server to gain access to the network and execute more code in the future. However, the hacker does not want to leave any trace behind, if caught. Which of the following tools would the hacker most likely use?

A

Meterpreter is an advanced Metasploit payload that is delivered by a stager and loaded into the target process by reflective (in-memory) DLL injection. The stager establishes the network connection between the attacker and the target and then pulls down the full Meterpreter stage. Because the payload runs only in memory and is never written to disk, it leaves little forensic trace, and what remains disappears when the server restarts unless the attacker adds persistence.

3
Q

Nexpose

A

Nexpose is a vulnerability scanner from Rapid7, the company that also maintains Metasploit. It is comparable to Nessus: it discovers hosts, finds open ports and services, and checks them against known vulnerabilities.

4
Q

Kali

A

Kali Linux is a Debian-derived Linux distribution built for penetration testing and digital forensics. The Metasploit Framework ships in the default operating system image, alongside tools such as Nmap and Wireshark.

5
Q

Nessus

A

Nessus is a vulnerability scanner from Tenable. An attacker may run a vulnerability scanner to find easy targets (for example, open ports and unpatched services) when planning an attack.

6
Q

-t

A

The ping -t switch (Windows) keeps sending echo requests to the specified host name or IP (Internet Protocol) address until stopped. Pressing Ctrl+C stops the pings; Ctrl+Break prints interim statistics and continues.

7
Q

-n

A

The -n count switch sets how many echo requests to send; the Windows default is four. The number follows the switch (for example, -n 10).

8
Q

-S

A

The -S srcaddr switch (capital S) specifies which local source address the echo requests are sent from, which matters on a host with several interfaces or addresses. It selects one of the host's own addresses; it cannot make the ping originate from a different server.

9
Q

-r

A

The -r count switch asks intermediate routers to record the route (the IP Record Route option) for up to count hops, with a maximum of 9. It applies to IPv4 only.

10
Q

-O flag

A

The -O option enables OS detection (TCP/IP stack fingerprinting) for the scanned targets. It may appear before or after the target. It needs raw-packet privileges (root or Administrator) and gives the most reliable guess when the scan finds at least one open and one closed port on the host.

11
Q

-A flag

A

The -A option enables "aggressive" scanning: OS detection (-O), version detection (-sV), default NSE script scanning (-sC) and traceroute (--traceroute), all with one switch.

12
Q

-T0 flag

A

-T0 is the slowest of Nmap's timing templates (T0 "paranoid" through T5 "insane"). It sends probes one at a time and waits about five minutes between them so the scan stays below the rate thresholds of an intrusion detection system. It slows the scan rather than hiding it: the probes still appear in the target's logs, just spread out over a long time.

13
Q

-oG - flag

A

The -oG option writes the scan results in Nmap's "grepable" format. -oG - sends them to standard output (the "-" means stdout), while -oG filename writes them to a file. It is purely an output option: it can be combined with -O or -A, but on its own it does not perform OS detection.
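The point of grepable output is that it is easy to post-process. The following is an added example, not from the flashcard deck: a small parser that pulls only the open ports out of a -oG result. The sample_grepable function prints a constructed -oG - result for two hypothetical hosts; in real use you would pipe nmap -sV -oG - TARGET (or a saved -oG file) into open_ports.

```shell
#!/bin/sh
# Added example (not from the flashcard deck): parse Nmap "grepable" (-oG)
# output and list only the open ports per host. sample_grepable prints a
# constructed -oG - result for two hypothetical hosts.

sample_grepable() {
    printf '# Nmap 7.94 scan initiated as: nmap -sV -oG - 192.168.1.0/24\n'
    printf 'Host: 192.168.1.10 ()\tStatus: Up\n'
    printf 'Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx 1.18/, 443/closed/tcp//https///\tIgnored State: filtered (997)\n'
    printf 'Host: 192.168.1.20 ()\tStatus: Up\n'
    printf 'Host: 192.168.1.20 ()\tPorts: 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (999)\n'
    printf '# Nmap done -- 256 IP addresses (2 hosts up) scanned in 60.00 seconds\n'
}

# open_ports [FILE]: print "ip port/proto service" for every open port.
# Reads FILE, or stdin when no file is given. Fields on a grepable line are
# tab-separated; each entry in the Ports: field has the layout
# port/state/protocol/owner/service/rpcinfo/version/.
open_ports() {
    awk -F'\t' '
        /^#/ { next }                               # comment lines carry no host data
        {
            ip = $1; sub(/^Host: /, "", ip); sub(/ .*/, "", ip)
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                list = $i; sub(/^Ports: /, "", list)
                n = split(list, entry, /, /)
                for (j = 1; j <= n; j++) {
                    split(entry[j], f, "/")
                    if (f[2] == "open") print ip, f[1] "/" f[3], f[5]
                }
            }
        }' ${1:+"$1"}
}

sample_grepable | open_ports
```

Run stand-alone it prints the three open ports from the constructed sample. Because the state field is checked explicitly, closed and filtered ports are dropped, which is usually what a follow-up service scan or ticket needs.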

14
Q

hping

A

hping (hping3) is an open-source packet crafting tool. It builds and injects custom TCP, UDP, ICMP and raw IP packets, can listen for the replies, and is used for firewall and IDS testing, traceroute-style path probing and Denial of Service (DoS) testing. It does not gather OSINT data.

15
Q

netstat

A

netstat is a command-line utility that displays active TCP connections and listening TCP and UDP sockets, the routing table, and per-interface and per-protocol statistics. On Windows, netstat -ano adds the owning process ID to each entry; on Linux, netstat -tulpn does the same for listening sockets.

16
Q

netcat

A

netcat (nc) is a networking utility for reading from and writing to network connections over TCP or UDP. It can act as a client or as a listener, which makes it useful for banner grabbing, quick port checks, ad hoc file transfer and simple bind or reverse shells.

17
Q

Active KillDisk

A

Active KillDisk is disk sanitization software that purges data by overwriting it with patterns of 1s and 0s, optionally in multiple passes. The disk can then be reused or recycled. Overwriting is reliable for magnetic disks; for SSDs, wear levelling means blocks can escape the overwrite, so the drive's own secure-erase or crypto-erase command is the dependable choice.

18
Q

FTK Imager

A

FTK Imager is the free imaging tool from the commercial FTK (Forensic Toolkit) suite for Windows. It images disks and can capture live memory. Memory captures are saved as a raw dump (.mem); disk images can be saved in the E01 (Expert Witness / EnCase) evidence format, which embeds hashes and case metadata.

19
Q

A public key infrastructure (PKI) is being set up for a logistics company, utilizing OpenSSL. Which of the following commands can the team use, when setting up the PKI, to create an encrypted RSA key pair?

A

The openssl genrsa -out server.key 1024 command generates an RSA private key (the public key is derived from it) and writes it to server.key; 1024 is the key size in bits. Two caveats for real deployments: 1024-bit RSA is no longer considered adequate (use at least 2048), and genrsa writes the key unencrypted unless a cipher option such as -aes256 is added, which prompts for a passphrase and encrypts the key on disk.

20
Q

The openssl rsa -in server.key -pubout

A

command reads the private key in server.key (which must already exist) and prints only the public key derived from it, in PEM format. It generates nothing new.

21
Q

The openssl rsa -check -in server.key

A

command verifies that the components of the RSA private key (modulus, exponents, primes) are consistent and prompts for the passphrase if the key file is encrypted. It assumes a private RSA key already exists.

22
Q

The openssl x509 -x509toreq -in cert.pem -out server.csr -signkey server.key

A

command converts an existing certificate back into a certificate signing request (CSR), signing the request with server.key. It is used when re-issuing or renewing a certificate, and assumes both the private key and the certificate already exist; it does not create a key pair.
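The four OpenSSL cards above are steps of one workflow. The following is an added example, not from the flashcard deck, that runs them end to end as shell functions, with two corrections to the 1024-bit command from card 19: a 2048-bit modulus, and -aes256 so the private key really is encrypted on disk. The file names, the common name pki.example and the demo passphrase are placeholders chosen for this example; the x509toreq step needs an existing certificate, so a self-signed one is created first to keep the run offline.

```shell
#!/bin/sh
# Added example (not from the flashcard deck): generate an encrypted RSA key,
# extract its public key, check it, and produce CSRs both from scratch and
# from an existing certificate. Paths, CN and passphrase are placeholders.

# make_encrypted_key FILE BITS PASSPHRASE: RSA private key, PEM, AES-256 encrypted.
make_encrypted_key() {
    openssl genrsa -aes256 -passout "pass:$3" -out "$1" "$2" 2>/dev/null
}

# key_is_encrypted FILE: an encrypted PEM carries an ENCRYPTED marker
# (PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY", or legacy "Proc-Type: 4,ENCRYPTED").
key_is_encrypted() { grep -q ENCRYPTED "$1"; }

# key_bits FILE PASSPHRASE: print the modulus size, e.g. 2048.
key_bits() {
    openssl rsa -in "$1" -passin "pass:$2" -noout -text 2>/dev/null \
        | sed -n 's/^.*Private-Key: (\([0-9]*\) bit.*$/\1/p'
}

# check_key FILE PASSPHRASE: openssl rsa -check; prints "RSA key ok" and
# returns 0 on success, non-zero on a wrong passphrase or corrupt key.
check_key() { openssl rsa -check -in "$1" -passin "pass:$2" -noout 2>/dev/null; }

# extract_pubkey FILE PASSPHRASE OUT: write only the public key (-pubout).
extract_pubkey() { openssl rsa -in "$1" -passin "pass:$2" -pubout -out "$3" 2>/dev/null; }

# make_csr KEY PASSPHRASE CN OUT: a fresh CSR signed with the private key.
make_csr() {
    openssl req -new -key "$1" -passin "pass:$2" -subj "/CN=$3" -out "$4" 2>/dev/null
}

# csr_ok CSR: verify the request's self-signature.
csr_ok() { openssl req -in "$1" -noout -verify >/dev/null 2>&1; }

# self_signed_cert KEY PASSPHRASE CN OUT: a throwaway certificate so the
# x509toreq round trip below has something to convert.
self_signed_cert() {
    openssl req -x509 -new -key "$1" -passin "pass:$2" -subj "/CN=$3" -days 1 -out "$4" 2>/dev/null
}

# cert_to_csr CERT KEY PASSPHRASE OUT: the card's x509 -x509toreq form.
cert_to_csr() {
    openssl x509 -x509toreq -in "$1" -signkey "$2" -passin "pass:$3" -out "$4" 2>/dev/null
}

# stand-alone run in a temporary directory
demo=$(mktemp -d)
make_encrypted_key "$demo/server.key" 2048 demo-passphrase
echo "key size: $(key_bits "$demo/server.key" demo-passphrase) bits"
```

Passing the passphrase with -passin/-passout keeps the run non-interactive; on a real CA host prefer a prompt or a file with restricted permissions so the passphrase does not land in shell history or process listings.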

23
Q

During an interview, a security analyst is presented with four code blocks and asked to identify which one correctly defines and calls a function to search a keyword in a file using PowerShell on Windows. Validate the analyst’s choice.

A

The Select-String -Path C:\temp\sample.txt -Pattern "Test" command searches every line of sample.txt for the pattern "Test" (a regular expression, case-insensitive unless -CaseSensitive is given) and returns each matching line with its line number, much like grep.

24
Q

A new cybersecurity analyst is working at his first job. The analyst requires a penetration test reporting and evidence gathering framework that can run automated tests through integration with Metasploit. Recommend a framework that will fulfill the analyst’s needs.

A

Sn1per is a framework designed for penetration test reporting and evidence gathering and can integrate with other tools, such as Metasploit, to run automated tests.

25
Q

Autopsy

A

Autopsy is an open-source digital forensics platform with a graphical user interface (GUI), built on The Sleuth Kit. It analyzes disk images to reconstruct events on a device: timeline analysis, deleted-file recovery, keyword search and web-artifact extraction.

26
Q

An administrator of a Linux network is writing a script to transfer a list of local host names, contained in a file called hostnames, directly into the syslog file. Predict the CLI command the admin is likely to use to accomplish this.

A

The logger command writes its input to the local system log (syslog or the systemd journal) or forwards it to a remote syslog server. With the -f option it reads the input from a file, so logger -f hostnames records each line of the hostnames file as a log entry.

27
Q

A systems administrator recently hardened two servers (Linux and Windows), disabling unused ports and setting up a software firewall to specific port connections and protocols. These servers support employees at an external branch that operates on wireless network connections and laptops. Which of the following tools will help audit the server’s security settings with the least amount of effort?

A

tcpdump is a command-line packet capture utility built in to most Linux distributions; it prints a description of each packet seen on a network interface and can save the capture to a file for later analysis.
tshark is a terminal version of Wireshark that also captures and displays packet information from any network interface. This can run on a Windows computer.

28
Q

A wireless scanner

A

scans for SSIDs (service set identifiers), frequency band, channel usage, signal strength and similar radio-level details. It is not applicable to this situation.

29
Q

AirPcap

A

is a wireless adapter designed specifically for packet capture. It is not applicable to this situation.

30
Q

FireELF

A

is a fileless open source Linux malware framework that enables customers to build and manage payloads quickly.

31
Q

During an interview, a security analyst is presented with four code blocks and asked to identify which one correctly defines and calls a function that uses grep to search a file in Python. Validate the analyst’s choice.

A

    import re

    filename = "sample.txt"
    pattern = "test"

    def search_file(name_of_file, grep_pattern):
        # Walk the file line by line and print every line that matches the
        # regular expression, like grep does.
        with open(name_of_file, "r") as file:
            for line in file:
                if re.search(grep_pattern, line):
                    print(line, end="")

    search_file(filename, pattern)

The correct Python script imports re, defines its variables, uses def followed by a colon to declare the function, refers to the function's own parameters (not the global names) inside the body, keeps consistent indentation, and calls the function only after it has been defined.

32
Q

A cybersecurity investigator is investigating a breach, and the method of entry is not yet known. The investigator decides to begin by checking for suspicious entries in the routing table. Select the command-line tool that will enable the investigator to directly access the table.

A

The route command (route print on Windows; route or ip route on Linux) displays and modifies the host's local routing table. Entries that are unfamiliar, that point to a gateway that is not a known router, or that override the default route can be considered suspicious.

33
Q

tracert command

A

The Windows tracert command sends ICMP Echo Request probes with increasing TTL values and reports the round-trip time (RTT) for each hop between the local host and a host on a remote network.

34
Q

traceroute

A

The Linux traceroute command performs the same route discovery but, by default, sends UDP probes to high-numbered ports rather than ICMP (use -I for ICMP or -T for TCP SYN probes when UDP is filtered).

35
Q

A forensics analyst is attempting a live acquisition of the contents of the memory of a running Linux device. In order to copy the blocked /dev/mem file with memdump or dd, the analyst must install a kernel driver. Recommend a framework that will enable the analyst to install a kernel driver.

A

The Volatility Framework is widely used for system memory analysis, and the pmem kernel driver associated with it exposes physical memory as a readable device file, so acquisition tools such as memdump or dd can read memory that the stock /dev/mem device would refuse to hand over.
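The following is an added example, not from the flashcard deck, for this card and for card 1: a raw acquisition with dd followed by an integrity hash, the way a memory or disk image is taken and later verified. On a live Linux host the source would be the device a loaded pmem/fmem module exposes (or /dev/mem where the kernel allows it) and dd would run as root with a large block size; the demo reads a constructed file instead so it runs unprivileged.

```shell
#!/bin/sh
# Added example (not from the flashcard deck): raw acquisition with dd plus a
# SHA-256 sidecar for chain-of-custody verification. The source file is a
# constructed stand-in for a memory device.

# acquire_image SOURCE DEST: copy block by block. conv=noerror keeps going
# past unreadable blocks and conv=sync pads them with zeros so offsets stay
# intact (the image is therefore rounded up to a multiple of bs; use bs=1M
# on a real device). The hash is written next to the image.
acquire_image() {
    dd if="$1" of="$2" bs=4096 conv=noerror,sync 2>/dev/null || return 1
    sha256sum "$2" | awk '{ print $1 }' > "$2.sha256"
}

# verify_image DEST: recompute the hash against the recorded one;
# prints "ok" (return 0) or "mismatch" (return 1).
verify_image() {
    recorded=$(cat "$1.sha256")
    current=$(sha256sum "$1" | awk '{ print $1 }')
    if [ "$recorded" = "$current" ]; then
        echo ok
    else
        echo mismatch; return 1
    fi
}

# stand-alone run against a constructed source
demo=$(mktemp -d)
printf 'constructed sample of memory contents\n' > "$demo/source.bin"
acquire_image "$demo/source.bin" "$demo/mem.raw"
verify_image "$demo/mem.raw"    # ok
```

Hashing at acquisition time is the part that makes the capture defensible: any later change to the image, even a single appended byte, turns verify_image into a mismatch.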

36
Q

A malware expert wants to examine a new worm that is infecting Windows devices. Verify the sandbox tool that will enable the expert to contain the worm and study it in its active state.

A

Cuckoo Sandbox analyzes malware by running it inside an isolated virtual machine and recording its behaviour (files written, registry changes, processes, network traffic). It is not a vulnerability scanner. Evasive malware may check for a sandbox and stay dormant, so a quiet run does not prove a sample is harmless.

37
Q

A white-hat penetration tester is simulating an attack to check for vulnerabilities. The first step is to determine if the pen tester can scan for ports or services that have been left open, without being detected by the Intrusion Prevention System (IPS). Recommend a tool that fits the pen tester’s requirements.

A

The scanless tool is a port scanner that runs its scans through third-party websites to evade detection. This allows for stealthy port scanning.

37
Q

A security administrator prepares to eavesdrop on the network and determine if there are any open ports. The admin will analyze the ports to determine if they are legitimate connections and if they should be open. Which tool will the admin most likely use?

A

Wireshark is both a sniffer and a protocol analyzer. It parses the headers of hundreds of network protocols and displays packet contents in plain view when they are not encrypted. It captures passively, so it shows which ports are actually in use on the wire, and the capture can be filtered (for example by TCP port) to judge whether each connection is legitimate; it does not itself actively scan for open ports.

37
Q

tshark

A

is a terminal version of Wireshark that also captures and displays packet information from any network interface. This can run on a Windows computer.

38
Q

tcpdump

A

tcpdump is a command-line packet capture utility built in to most Linux distributions; it prints a description of each packet seen on a network interface and can save the capture to a file for later analysis.

39
Q

Nmap

A

Nmap is primarily a port scanner and host-discovery tool, but the Nmap Scripting Engine (NSE) extends it with scripts for service enumeration, vulnerability checks and Denial of Service (DoS) tests (for authorized testing only). On Windows it relies on the Npcap packet capture library, which gives it raw packet sniffing and injection capability.

40
Q

SIEM (Security Information and Event Management) software

A

collects and collates security and log data from across a network in real-time, and organizes it for efficient threat analysis, with the ability to link events and related data into alertable reports.

41
Q

NXlog (nxlog.co)

A

NXLog is a multi-platform centralized log collection tool with an open-source Community Edition. It has features similar to those of a SIEM, such as alerting, normalization, aggregation, correlation and retention, and is commonly used to forward logs to a SIEM.

42
Q

Syslog

A

Syslog is the industry-standard logging protocol and message format (RFC 5424, originally RFC 3164), commonly used to forward logs to a central collector, but a plain syslog server lacks advanced features such as normalization or aggregation.

43
Q

journalctl utility

A

is for querying and displaying logs in Linux systems. Although it can be scripted, journalctl lacks any advanced normalization or aggregation features.

44
Q

An attacker has defaced a simple and up-to-date WordPress website running on a fully-patched Ubuntu Server that a web developer administers. The forensics team has taken the computer down after the developer reached out for assistance. The forensics team has isolated the server to preserve the current status of the device and its records. They blocked remote access to the attacker, preventing interaction with all other devices on the network. In continuing the investigation, what is the most appropriate next step to determine how or where the attack was initiated?

A

Checking network logs will provide clues to the attack. Logs may show external IP addresses representing the attacker’s location. Logs may also show protocols and actions used to carry out specific attacks to deface the website.

45
Q

What are the main features that distinguish a Test Access Point (TAP) from a switched port analyzer (SPAN)?

A

A test access point (TAP) is a dedicated hardware device placed inline on a link that passively copies the physical-layer signal, so the monitoring tool sees every frame, including malformed ones, at full line rate and without involving the switch. A switched port analyzer (SPAN) port is simply a switch feature that mirrors the traffic of selected ports or VLANs to a monitor port; it is cheaper and needs no cabling change, but it consumes switch resources and can drop frames when the mirrored traffic exceeds the monitor port's capacity.

46
Q

A cybersecurity specialist working for an Internet Service Provider (ISP) noticed some unusual indicators of malicious activity and suspects that there may be a remote-access trojan or botnets present in the network. The specialist will begin looking at some Domain Name System (DNS) servers. Prescribe next steps that will assist in the investigation.

A

OSSEC is a host intrusion detection system (HIDS) that can collect DNS server logs for trend analysis and cross-check the queried names against a list of known malicious domains.
Wireshark can capture packets from the network interface and save the traffic to a .pcap file; tcpreplay can then replay the saved traffic against an IDS or analysis tool to determine whether it contains malicious activity.
OSSEC can also perform frequency-based trend analysis on NXDOMAIN responses by comparing the current rate to a baseline. A client generating far more failed lookups than the baseline, especially for random-looking names, may indicate malware using a domain generation algorithm to find its command-and-control server.
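The following is an added example, not from the flashcard deck, of the NXDOMAIN trend check described above, done with awk over a constructed resolver log rather than with OSSEC. The log format used here (timestamp, the word client, client IP, the word query, name, record type, response code) is invented for the demo; adapt the field numbers to your resolver's actual query-log layout.

```shell
#!/bin/sh
# Added example (not from the flashcard deck): frequency-based trend analysis
# of NXDOMAIN responses per client over a constructed resolver log.

sample_dns_log() {
    cat <<'EOF'
2024-01-01T10:00:01 client 10.0.0.5 query www.example.com A NOERROR
2024-01-01T10:00:02 client 10.0.0.5 query mail.example.com A NOERROR
2024-01-01T10:00:03 client 10.0.0.5 query typo.exmaple.com A NXDOMAIN
2024-01-01T10:00:04 client 10.0.0.7 query kq3x9v2bh.net A NXDOMAIN
2024-01-01T10:00:04 client 10.0.0.7 query zp81mwq0c.info A NXDOMAIN
2024-01-01T10:00:05 client 10.0.0.7 query r7ty2nnq4.biz A NXDOMAIN
2024-01-01T10:00:05 client 10.0.0.7 query v0dk8sxla.org A NXDOMAIN
2024-01-01T10:00:06 client 10.0.0.7 query c4fhh91pq.net A NXDOMAIN
2024-01-01T10:00:06 client 10.0.0.7 query b2lm7qgw3.com A NXDOMAIN
2024-01-01T10:00:07 client 10.0.0.7 query www.example.com A NOERROR
EOF
}

# nxdomain_counts [FILE]: "client_ip count" for every client that received
# at least one NXDOMAIN. Reads FILE, or stdin when no file is given.
nxdomain_counts() {
    awk '$7 == "NXDOMAIN" { n[$3]++ } END { for (ip in n) print ip, n[ip] }' ${1:+"$1"} | sort
}

# flag_outliers FILE BASELINE: clients whose NXDOMAIN count exceeds the
# baseline learned from normal traffic. A typo or two per host is normal;
# a burst of failures against random-looking names is a DGA/C2 indicator.
flag_outliers() {
    nxdomain_counts "$1" | awk -v base="$2" '$2 > base { print $1 }'
}

# stand-alone run: with a baseline of 3 only 10.0.0.7 is flagged
demo=$(mktemp)
sample_dns_log > "$demo"
flag_outliers "$demo" 3
```

The baseline is the part that needs care in production: derive it per client (or per client group) from a period known to be clean, and re-derive it periodically, or a busy but healthy host will be flagged while a low-volume infected one slips under a single global threshold.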

47
Q

A cybersecurity analyst is using a header analyzer to examine the headers of classified emails retained according to the organization’s email retention policy. What types of information might the analyst find in email headers?

A

The origin and authenticity of a message can be assessed by reading the header. The header contains the sender's address, although the From: field is trivially forged, so authenticity is better judged from the Received:, Authentication-Results: (SPF/DKIM/DMARC) and DKIM-Signature: headers.
Each mail transfer agent (MTA) that handles the message prepends a Received: header, so between the mail user agent (MUA), the MTAs along the path and the mail delivery agent (MDA) the server information is added at every step. Reading these from the bottom up traces the path back toward the originating server, which can help establish the geographic origin of an email.
Spam checks are often performed by additional MTAs, for instance at mail security gateways, and the results of these checks (scores, verdicts, rule hits) are added to the header.

48
Q

Sinkhole

A

routing means suspicious traffic that is flooding a specific IP address routes to another network for analysis. This is a form of segmentation because it maintains the connection to other networks.

49
Q

A mortgage company’s firewall access control list blocks all traffic from bogon networks and a specific private address range but allows any HTTP, HTTPS, or SMTP traffic from any other source. Implicit denial occurs when traffic does not match any rule. At which point in the processing of an access control list is an implicit denial likely found?

A

A firewall processes its ACL from top to bottom and acts on the first rule that matches; later rules are not consulted. The implicit deny sits at the end: any traffic that reaches the bottom of the list without matching a rule is dropped. Best practice is to state that final deny-all rule explicitly so the behaviour is documented and its hits are logged, and to keep specific deny rules above broad permit rules, since a permit placed higher would match first.
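The following is an added example, not from the flashcard deck: a first-match ACL evaluator written in awk that walks the rules top to bottom and falls through to the implicit deny. The rule set mirrors the card's firewall (drop two bogon ranges and one private range, permit HTTP, HTTPS and SMTP from anywhere else, deny everything else); the CIDR blocks and the test addresses are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the flashcard deck): first-match ACL evaluation with
# an implicit deny at the end. Rules and addresses are constructed.

# acl_decide SRC_IP PROTO DPORT: prints "permit (rule N)", "deny (rule N)"
# or "deny (implicit)".
acl_decide() {
    printf '%s %s %s\n' "$1" "$2" "$3" | awk '
    function ip2n(s,  p) { split(s, p, "."); return ((p[1]*256 + p[2])*256 + p[3])*256 + p[4] }
    # prefix match: drop the host bits on both sides and compare what is left
    function in_cidr(ip, net,  q, host) {
        split(net, q, "/"); host = 2 ^ (32 - q[2])
        return int(ip2n(ip) / host) == int(ip2n(q[1]) / host)
    }
    function add(a, c, p, d) { nr++; act[nr] = a; rnet[nr] = c; pr[nr] = p; dp[nr] = d }
    BEGIN {
        add("deny",   "0.0.0.0/8",   "any", "any")   # bogon: "this" network
        add("deny",   "127.0.0.0/8", "any", "any")   # bogon: loopback seen on the wire
        add("deny",   "10.0.0.0/8",  "any", "any")   # the blocked private range
        add("permit", "0.0.0.0/0",   "tcp", "80")    # HTTP from anywhere else
        add("permit", "0.0.0.0/0",   "tcp", "443")   # HTTPS
        add("permit", "0.0.0.0/0",   "tcp", "25")    # SMTP
        # no catch-all rule: unmatched traffic reaches the implicit deny below
    }
    {
        for (i = 1; i <= nr; i++)
            if (in_cidr($1, rnet[i]) && (pr[i] == "any" || pr[i] == $2) && (dp[i] == "any" || dp[i] == $3)) {
                print act[i] " (rule " i ")"; exit
            }
        print "deny (implicit)"
    }'
}

acl_decide 203.0.113.9 tcp 443   # permit (rule 5)
acl_decide 10.1.2.3 tcp 443      # deny (rule 3): the deny above wins although rule 5 would also match
acl_decide 203.0.113.9 tcp 22    # deny (implicit)
```

Swap the order so that the permit rules come first and 10.1.2.3 is allowed through on port 443, which is exactly the mistake the top-to-bottom, first-match rule is meant to make visible.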

50
Q

Blackholes

A

correspond to locations in the network that quietly discard (or “drop”) incoming or outgoing messages, without notifying the source that it did not reach its intended recipient. Blackholes are an isolation technique because they isolate the attacker from the network.

51
Q

Air gapping

A

indicates the physical isolation of a system from all network resources, often by being physically disconnected. The exploit becomes isolated to the disconnected device and cannot “escape.”

52
Q

A computer system was breached at a medium-sized business. IT personnel began an investigation immediately. Some steps taken included a virus scan and a reboot. What has this breach compromised?

A

Volatile storage (for example, system RAM or cache) holds data only while the system is powered and is easily overwritten. Rebooting discards any evidence held there (running processes, open network connections, injected code, encryption keys), and a virus scan can alter file timestamps and quarantine or delete artifacts before they are preserved. The order of volatility is a general ordering of components from most to least volatile, and it dictates that the most volatile evidence be collected first, before any remediation such as scanning or rebooting.

53
Q

After a recent incident, investigators are performing forensics on a Windows server. While using various tools to examine damaged data, they discover the timestamps on an NT file system (NTFS) volume do not seem correct and are a few hours different from local time. What determination should the experts conclude as the reason for the timestamp discrepancy?

A

Different file systems record time differently. NTFS stores timestamps internally as UTC and the operating system converts them to local time for display, whereas many other file systems (FAT, for example) store local time. A difference of a few hours therefore usually reflects the time-zone offset between the examiner's workstation and the server, not tampering. In forensics it is vital to record the offset between the local system time and UTC before interpreting any timestamps.