Exam Questions - Misc Flashcards

1
Q

What is a multipartite virus?

A

A multipartite virus (also known as a multipart virus or hybrid virus) combines the approach of file infectors and boot record infectors and attempts to simultaneously attack both the boot sector and the executable or program files. When the virus infects the boot sector, it will, in turn, affect the system files and vice versa. This type of virus re-infects a system repeatedly if it is not rooted out entirely from the target machine. Some examples of multipartite viruses include Invader, Flip, and Tequila.

2
Q

What is a sparse infector virus?

A

Sparse infector viruses infect less often and try to minimize their probability of discovery. These viruses infect only occasionally, when certain conditions are met, or infect only those files whose lengths fall within a narrow range.

3
Q

What is the Google dork that helped Jude find the VoIP login portals?

  • inurl:8080 intitle:”login” intext:”UserLogin” “English”
  • inurl:/voice/advanced/ intitle:Linksys SPA configuration
  • inurl:/remote/login?lang=en
  • !Host=*.* intext:enc_UserPassword=* ext:pcf

A

inurl:8080 intitle:”login” intext:”UserLogin” “English”

4
Q

Karen, a security professional in an organization, performed a vulnerability assessment on the organization’s network to check for vulnerabilities. In this process, she used a type of location and data examination scanner that resides on a single machine but can scan several machines on the same network.

Which of the following types of location and data examination tools did Karen use?

Network-based scanner

Agent-based scanner

Proxy scanner

Cluster scanner

A

Agent-based scanner. An agent-based scanner resides on a single machine but can scan several machines on the same network.

  • Network-based scanners interact only with the machine they run on and report their results to that same machine
  • Proxy scanners are network-based scanners that can scan the network from any machine on it, one scan at a time
  • Cluster scanners are similar to proxy scanners but can run two or more scans on different machines at the same time
5
Q

What is an ip address decoy?

A

The IP address decoy technique refers to generating or manually specifying decoy IP addresses to evade IDS/firewalls. To the target it appears that the decoys as well as the real host are scanning the network, which makes it difficult for the IDS/firewall to determine which IP address is actually scanning and which addresses are decoys.

Example:

> nmap -D RND:10 10.10.10.10

-D RND:10 makes nmap generate ten random decoy addresses; decoys can also be listed explicitly, with ME marking where the real source address appears in the sequence (e.g. -D 10.0.0.5,10.0.0.9,ME). Decoys work with raw-packet scans such as the default SYN scan and with OS detection (-O), but not with TCP connect scans (-sT) or version detection (-sV). The target still receives the real probes, so the scanner’s own address is always among the sources; the decoys only hide which one it is.

6
Q

What is a Packet filtering firewall?

A

In a packet filtering firewall, each packet is compared with a set of rules before it is forwarded. Depending on the packet and the rule that matches, the firewall forwards the packet, drops it, or sends a message (such as an ICMP unreachable or a TCP reset) back to the originator. The rules can include the source and destination IP addresses, the source and destination port numbers, and the protocol used. It works at the internet layer of the TCP/IP model (the network layer of the OSI model) and looks only at headers: it keeps no record of connections, so it cannot tell a genuine reply from an unsolicited packet that merely carries the expected flags.
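A worked illustration of first-match rule evaluation, added here as an example (it is not from the flashcards and models no particular product): a stateless filter over constructed rules and packets. The addresses are documentation ranges and the rule set is invented; the last case shows the stateless weakness, an ACK-only packet slipping through an "established"-style rule with no session behind it.

```python
"""Stateless packet-filter rule evaluation (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0      # 0 for protocols without ports
    flags: str = ""     # TCP flags, e.g. "S" (SYN) or "A" (ACK)


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: tuple = (0, 65535)   # inclusive destination-port range
    established: bool = False   # match only TCP packets with ACK set

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if not (self.dport[0] <= pkt.dport <= self.dport[1]):
            return False
        if self.established and not (pkt.proto == "tcp" and "A" in pkt.flags):
            return False
        return True


def filter_packet(rules, pkt, default="deny"):
    """First matching rule decides; the default policy applies otherwise."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Constructed inbound rule set for a small DMZ (203.0.113.0/24 is a documentation range).
INBOUND = [
    Rule("deny", src="198.51.100.0/24"),                            # blocked network, first on purpose
    Rule("allow", "tcp", dst="203.0.113.10/32", dport=(443, 443)),  # HTTPS to the web server
    Rule("allow", "tcp", dst="203.0.113.10/32", dport=(80, 80)),
    Rule("allow", "udp", dst="203.0.113.53/32", dport=(53, 53)),    # DNS to the resolver
    Rule("allow", "tcp", dst="203.0.113.0/24", established=True),   # "reply" traffic: ACK set
]


def demo():
    """Verdicts for constructed packets, keyed by scenario name."""
    return {
        "syn_to_https": filter_packet(INBOUND, Packet("tcp", "192.0.2.7", "203.0.113.10", 443, "S")),
        "blocked_net":  filter_packet(INBOUND, Packet("tcp", "198.51.100.5", "203.0.113.10", 443, "S")),
        "syn_to_ssh":   filter_packet(INBOUND, Packet("tcp", "192.0.2.7", "203.0.113.10", 22, "S")),
        # ACK scan: no session exists, but a stateless filter cannot know that
        "ack_to_ssh":   filter_packet(INBOUND, Packet("tcp", "192.0.2.7", "203.0.113.10", 22, "A")),
        "dns_query":    filter_packet(INBOUND, Packet("udp", "192.0.2.7", "203.0.113.53", 53)),
        "ping":         filter_packet(INBOUND, Packet("icmp", "192.0.2.7", "203.0.113.10")),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14s} {verdict}")
```

Two things to take from the run: rule order matters (move the deny below the allows and the blocked network reaches the web server), and the ACK-to-port-22 packet is allowed because the filter has no connection table; a stateful firewall would drop it.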

7
Q

What is a Circuit-level gateway firewall?

A

A circuit-level gateway firewall works at the session layer of the OSI model (the transport layer of TCP/IP). It checks whether a session may be set up, for example that a TCP handshake is legitimate, and then relays data between the two networks without inspecting the payload. Because external hosts only ever talk to the gateway, incoming packets addressed directly to internal hosts are blocked, while traffic that passes through the gateway itself is allowed; SOCKS is the usual example.

8
Q

What is a Application-level firewall?

A

Application-level firewalls (application proxies) focus on the application layer rather than on individual packets. Application-level gateways filter traffic at the application layer of the OSI model (the application layer of TCP/IP), so they understand the protocol they proxy. Incoming and outgoing traffic is restricted to the services the proxy supports; all other service requests are denied.

9
Q

What is an Application proxy?

A

An application-level proxy works as a proxy server and filters connections for specific services. It filters connections based on the services and protocols when acting as a proxy. For example, an FTP proxy will only allow FTP traffic to pass through while all other services and protocols will be blocked.

10
Q

What is a MarioNet attack?

A

MarioNet is a browser-based attack that runs malicious code inside the browser and persists even after the user closes or browses away from the web page through which the infection spread. Modern browsers support the Service Worker API: a script the browser registers for a site and runs in its own background thread, separate from the page, so that work such as caching or heavy computation does not block the page UI.

Attackers register and activate a service worker from a website they control. When the victim visits that website, the service worker is installed and can keep running in the background even when the user is no longer browsing the site. To keep the service worker alive, attackers abuse the SyncManager interface (Background Sync), which lets the browser wake the worker again later.

11
Q

In which of the following techniques does an attacker use a combination of upper- and lower-case letters in an XSS payload to bypass the WAF?

  • Using hex encoding to bypass the WAF
  • Using ASCII values to bypass the WAF
  • Using obfuscation to bypass the WAF
  • Using ICMP tunneling
A

Using obfuscation to bypass the WAF.

In contrast, using ASCII values looks like this (the call evaluates to alert("XSS"): 97 = a, 108 = l, 101 = e, and so on):

String.fromCharCode(97, 108, 101, 114, 116, 40, 34, 88, 83, 83, 34, 41)
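Added example, not from the page: a naive case-sensitive signature beside the hardened form that normalizes the input (URL-decoding, HTML-unescaping, expanding String.fromCharCode, case-folding) before matching. The payloads and the rule patterns are constructed for illustration and stand in for no real WAF.

```python
"""Naive vs. normalizing WAF signature check (added example)."""
import html
import re
import urllib.parse

# Constructed payload variants, not taken from the page.
PAYLOADS = {
    "plain":    '<script>alert("XSS")</script>',
    "case_mix": '<ScRiPt>alert("XSS")</sCrIpT>',
    "charcode": '<img src=x onerror=eval(String.fromCharCode(97,108,101,114,116,40,34,88,83,83,34,41))>',
    "url_enc":  '%3Cscript%3Ealert(%22XSS%22)%3C%2Fscript%3E',
    "benign":   'The <b>login</b> page lists scripts for the play',
}

# A naive rule: case-sensitive match on the raw request parameter.
NAIVE_RULE = re.compile(r"<script>")


def naive_waf_blocks(value: str) -> bool:
    return bool(NAIVE_RULE.search(value))


def decode_fromcharcode(s: str) -> str:
    """Replace String.fromCharCode(97,108,...) with the characters it produces."""
    def repl(m):
        return "".join(chr(int(n)) for n in m.group(1).split(","))
    return re.sub(r"String\.fromCharCode\(\s*([\d\s,]+)\)", repl, s)


def normalize(value: str) -> str:
    """Undo the encodings an attacker can stack, then fold case."""
    v = urllib.parse.unquote(value)   # %3C -> <
    v = html.unescape(v)              # &lt; or &#60; -> <
    v = decode_fromcharcode(v)
    return v.lower()


# Hardened rules run against the normalized value. Still a signature approach, so expect
# false positives; output encoding in the application is the real fix for XSS.
HARDENED_RULES = [
    re.compile(r"<\s*script\b"),
    re.compile(r"\bon\w+\s*="),     # onerror=, onload=, ...
    re.compile(r"javascript\s*:"),
]


def hardened_waf_blocks(value: str) -> bool:
    v = normalize(value)
    return any(r.search(v) for r in HARDENED_RULES)


def compare() -> dict:
    """(naive, hardened) verdict for every constructed payload."""
    return {name: (naive_waf_blocks(p), hardened_waf_blocks(p)) for name, p in PAYLOADS.items()}


if __name__ == "__main__":
    for name, (naive, hardened) in compare().items():
        print(f"{name:9s} naive={naive!s:5s} hardened={hardened}")
```

The mixed-case, char-code and URL-encoded variants all carry the same script yet only the plain form trips the naive rule; normalizing first is what makes the signature meaningful.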

12
Q

What is a null cipher?

A

A technique used to hide the message within a large amount of useless data. The original data are mixed with the unused data in any order horizontally, diagonally, vertically, or in reverse so that no one can understand it other than those who know the order.
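Added example (not from the page) of a null cipher in three of the orders the definition mentions: the first letter of each word, every k-th character of random filler, and one column of a grid. The cover sentence and the filler are constructed.

```python
"""Null cipher: hide a message inside filler text (added example)."""
import random
import string


def reveal_word_positions(cover: str, position: int = 0) -> str:
    """Classic form: read the character at `position` of every word."""
    return "".join(w[position] for w in cover.split() if len(w) > position)


def hide_in_noise(secret: str, step: int, seed: int = 0) -> str:
    """Put each secret character at every step-th position; the rest is random filler."""
    rng = random.Random(seed)
    out = []
    for ch in secret:
        out.extend(rng.choice(string.ascii_lowercase) for _ in range(step - 1))
        out.append(ch)
    return "".join(out)


def reveal_from_noise(cover: str, step: int) -> str:
    """Whoever knows the step reads positions step-1, 2*step-1, ..."""
    return cover[step - 1::step]


def hide_in_grid_column(secret: str, width: int, column: int, seed: int = 0) -> str:
    """Vertical variant: filler rows of `width` letters with the secret written down one column."""
    rng = random.Random(seed)
    rows = []
    for ch in secret:
        row = [rng.choice(string.ascii_lowercase) for _ in range(width)]
        row[column] = ch
        rows.append("".join(row))
    return "\n".join(rows)


def reveal_from_grid_column(cover: str, column: int) -> str:
    return "".join(row[column] for row in cover.splitlines())


# Constructed cover sentence: the first letters spell the message.
COVER_SENTENCE = "Some Emails Need Delivery Here Every Little Parcel"

if __name__ == "__main__":
    print(reveal_word_positions(COVER_SENTENCE))
    noisy = hide_in_noise("attack at dawn", 4, seed=1)
    print(noisy, "->", reveal_from_noise(noisy, 4))
    grid = hide_in_grid_column("meetme", 7, 3, seed=2)
    print(grid, "->", reveal_from_grid_column(grid, 3))
```

Nothing here is encryption: the secret is in the clear and only the reading rule is hidden, which is why a null cipher is classed as steganography.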

13
Q

Which of the following cryptography attacks is similar to the chosen plaintext attack, except that the attacker can obtain ciphertexts encrypted under two different keys?

  • Ciphertext-only attack
  • Known-plaintext attack
  • Chosen-key attack
  • Related-key attack
A

Related-key attack

14
Q

Which of the following modbus-cli commands is used by attackers to manipulate the register values in a target PLC device?

  • modbus write 101 1 1 1 1 1 1 1 1 1 1
    modbus write %M100 1 1 1 1 1 1 1 1 1 1
  • modbus write %MW100 2 2 2 2 2 2 2 2
    modbus write 400101 2 2 2 2 2 2 2 2
  • modbus read 101 10
    modbus read %M100 10
  • modbus read %MW100 10
    modbus read 400101 10
A

modbus write %MW100 2 2 2 2 2 2 2 2
modbus write 400101 2 2 2 2 2 2 2 2

  • modbus write 101 1 1 1 1 1 1 1 1 1 1 and modbus write %M100 1 1 1 1 1 1 1 1 1 1 are wrong because they write to coils (single bits), not registers.
  • %MW100 and 400101 both address holding register 100 (in Modicon-style addressing, 40001 and up are holding registers and 00001 and up are coils), while %M100 and 101 both address coil 100. The read forms only read; they do not manipulate anything.
  • Modbus/TCP has no authentication, so any host that can reach TCP/502 on the PLC can issue these writes; the practical defenses are network segmentation and blocking write function codes at the ICS firewall.
15
Q

Which of the following attacks does not directly recover a WEP key and requires at least one data packet from a target AP for initiation?

  • MAC spoofing attack
  • Evil twin attack
  • Fragmentation attack
  • De-authentication attack
A

A successful fragmentation attack can obtain 1500 bytes of PRGA keystream (the output of WEP’s pseudo-random generation algorithm). The attack does not directly recover the WEP key, and at least one data packet must be received from the target AP to initiate it.

The aircrack-ng suite helps the attacker obtain a small amount of keying material from that packet, after which it sends ARP and/or logical link control (LLC) packets with known content to the AP. If the AP echoes the packet, the attacker recovers a larger amount of keystream from the relayed copy, and repeating this cycle several times yields the full PRGA. The attacker can then use the PRGA with packetforge-ng to craft packets for injection attacks, for example an ARP request that makes the AP generate the IVs aircrack-ng needs to recover the key.

16
Q

Which of the following modules establishes a communication channel between the Metasploit framework and a victim host?

  • Exploit module
  • Auxiliary module
  • Payload module
  • NOPS module
A

A payload module establishes a communication channel between the framework and the victim host. It is the code that runs on the target once an exploit succeeds; a Meterpreter payload, for example, can upload and download files, take screenshots, collect password hashes, and take over the screen, mouse, and keyboard to control the computer remotely.

In contrast:

  • An exploit module encapsulates a single exploit, which users can aim at many platforms. This module has simplified meta-information fields. Using the Mixins feature, users can dynamically modify exploit behavior, perform brute-force attacks, and attempt passive exploits. In short, the exploit module is the way into the target system.
  • A NOPS module generates NOP sleds, which vary by architecture and may be chosen to avoid detection, for use in shellcode or other parts of the exploit process.
  • An auxiliary module performs arbitrary, one-off actions such as port scanning, DoS, and fuzzing. This category holds the scanners, DoS modules, and fuzzers that assess the security of the target without delivering a payload.
17
Q

In which of the following stages of the web server attack methodology does an attacker determine the web server’s remote access capabilities, its ports and services, and other aspects of its security?

  • Information gathering
  • Web server footprinting
  • Website mirroring
  • Vulnerability scanning
A

Web Server Footprinting. The purpose of web server footprinting is to gather information about the security aspects of a web server with the help of tools or footprinting techniques. Through footprinting, attackers can determine the web server’s remote access capabilities, its ports and services, and other aspects of its security.

In contrast:

  • Information gathering involves trying to collect as much information as possible about the target web server. The attacker gathers the information and then analyzes it to find lapses in the current security mechanisms of the web server. In essence, this is a vague catch-all term.
  • Website mirroring is a method of copying a website and its content onto another server or to a local filesystem for offline browsing. With a mirrored website, an attacker can view the detailed structure of the website.
  • Vulnerability scanning is a method of finding the vulnerabilities and misconfigurations of a web server. Attackers scan for vulnerabilities with the help of automated tools known as vulnerability scanners
18
Q

An attacker aims to hack an organization and gather sensitive information. In this process, they lure an employee of the organization into clicking on a fake link, which appears legitimate but redirects the user to the attacker’s server. The attacker then forwards the request to the legitimate server on behalf of the victim.

Which of the following types of attack is performed by the attacker in the above scenario?

  • Man-in-the-middle attack
  • Cross-site script attack
  • Session replay attack
  • Session hijacking using proxy servers
A

This is a Session hijacking using proxy servers attack. In this attack, an attacker lures the victim to click on a fake link, which appears legitimate but redirects the user to the attacker’s server. The attacker then forwards the request to the legitimate server on behalf of the victim and serves as a proxy for the entire transaction. Acting as a proxy, the attacker captures the session information during the interaction between the legitimate server and user.

In contrast:

  • A man-in-the-middle (MITM) attack is used to intrude into an existing connection between systems and to intercept messages being transmitted. In this attack, attackers use different techniques and split a TCP connection into two: a client-to-attacker connection and an attacker-to-server connection. After the successful interception of a TCP connection, an attacker can read, modify, and insert fraudulent data into the intercepted communication. In the case of an HTTP transaction, the TCP connection between the client and server is the target.
  • A cross-site script attack is a client-side attack in which the attacker compromises a session token by using malicious code or programs. This type of attack occurs when a dynamic web page receives malicious data from the attacker and executes it on the user’s system
  • In a session replay attack, the attacker captures the authentication token of a user by listening to a conversation between the user and server. Once the authentication token is captured, the attacker replays the authentication request to the server with the captured authentication token to dodge the server; consequently, they gain unauthorized access to the server.
19
Q

In which of the following attacks does an attacker dump memory by rebooting a victim’s device with a malicious OS and then extract sensitive data from the dumped memory?

  • iOS jailbreaking
  • OS data caching
  • Carrier-loaded software
  • User-initiated code
A

OS Data Caching. The OS cache temporarily keeps recently used data in memory (and, through swap and hibernation files, on disk). An attacker can dump this memory by rebooting the victim’s device into a malicious OS and then extract sensitive data, such as credentials or keys, from the dump.

In contrast:

  • iOS jailbreaking undermines built-in security mechanisms, allowing malware to more easily exploit the device
  • Carrier-loaded software involves pre-installed software or apps on devices which may contain vulnerabilities that an attacker can exploit to perform malicious activities such as deleting, modifying, or stealing data on the device, eavesdropping on calls, and so on.
  • User-initiated code is an activity that tricks the victim into installing malicious applications or clicking links that allow an attacker to install malicious code to exploit the user’s browser, cookies, and security permissions
20
Q

Which of the following types of password attacks does not require any technical knowledge about hacking or system exploitation and includes techniques such as shoulder surfing, social engineering, and dumpster diving?

  • Active online attacks
  • Passive online attacks
  • Non-electronic attacks
  • Offline attacks
A

Non-electronic attacks. Non-electronic, or non-technical, attacks do not require technical knowledge of methods of system intrusion. There are three types of non-electronic attacks: social engineering, shoulder surfing, and dumpster diving

In contrast:

  • In an offline attack, the intruder checks the validity of passwords against a copied password file or database dump. The attack is offline because the affected server or organization cannot observe what is done with the data once it has been stolen, and the cracking runs entirely on the attacker’s own hardware.
  • Active online attacks interact directly with the authenticating system (the login server, a web application’s login endpoint, or an end user’s machine): password guessing, brute-force and dictionary attacks, pass-the-hash and Kerberos pass-the-ticket, and Trojans, spyware, and keyloggers.
  • Passive online attacks observe traffic without interacting with the target: wire sniffing, man-in-the-middle attacks, and replay attacks.
21
Q

Which of the following commands is used by the SNMP manager continuously to retrieve all the data stored in an array or table?

  • GetResponse
  • GetNextRequest
  • GetRequest
  • SetRequest
A

GetNextRequest.

In contrast:

  • GetRequest is used by the SNMP manager to request the value of one specific instance from an SNMP agent
  • GetResponse is used by the SNMP agent to answer a request made by the SNMP manager
  • SetRequest is used by the SNMP manager to modify the value of a parameter within an SNMP agent’s management information base (MIB)
  • Trap is used by an SNMP agent to inform the pre-configured SNMP manager of a certain event

GetNextRequest returns the instance that lexicographically follows the OID supplied, so a manager walks a whole table or subtree by repeating it until the returned OID leaves the subtree; SNMPv2c adds GetBulkRequest to fetch many rows per request.
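Added example, not from the page, of why a manager uses GetNextRequest for tables: a stand-in agent that answers Get and GetNext from a constructed MIB, and a walk of the ifDescr column. The OIDs are the standard MIB-II ones; the values are made up.

```python
"""Walking an SNMP table with GetNextRequest against an in-memory agent (added example)."""


def oid_to_tuple(oid: str) -> tuple:
    return tuple(int(part) for part in oid.strip(".").split("."))


def tuple_to_oid(parts: tuple) -> str:
    return "." + ".".join(str(p) for p in parts)


class FakeAgent:
    """Stand-in for an SNMP agent: answers Get and GetNext from a constructed MIB."""

    def __init__(self, mib: dict):
        self.mib = {oid_to_tuple(k): v for k, v in mib.items()}
        self.order = sorted(self.mib)   # tuple order is SNMP's lexicographic OID order

    def get(self, oid: str):
        """GetRequest: the exact instance, or None (noSuchInstance)."""
        return self.mib.get(oid_to_tuple(oid))

    def get_next(self, oid: str):
        """GetNextRequest: first instance lexicographically after `oid`, or None (endOfMibView)."""
        key = oid_to_tuple(oid)
        for candidate in self.order:
            if candidate > key:
                return tuple_to_oid(candidate), self.mib[candidate]
        return None


def snmp_walk(agent: FakeAgent, root: str) -> list:
    """Repeat GetNext from `root` until the returned OID leaves the subtree."""
    prefix = oid_to_tuple(root)
    results, current = [], root
    while True:
        nxt = agent.get_next(current)
        if nxt is None:
            break
        oid, value = nxt
        if oid_to_tuple(oid)[:len(prefix)] != prefix:
            break
        results.append((oid, value))
        current = oid
    return results


# Constructed MIB contents (OIDs are standard MIB-II; values are made up).
MIB = {
    ".1.3.6.1.2.1.1.1.0":     "Linux edge-rtr-01 5.10",   # sysDescr.0
    ".1.3.6.1.2.1.1.5.0":     "edge-rtr-01",              # sysName.0
    ".1.3.6.1.2.1.2.2.1.2.1": "lo",                       # ifDescr.1
    ".1.3.6.1.2.1.2.2.1.2.2": "eth0",                     # ifDescr.2
    ".1.3.6.1.2.1.2.2.1.2.3": "eth1",                     # ifDescr.3
    ".1.3.6.1.2.1.2.2.1.8.1": 1,                          # ifOperStatus.1 (up)
    ".1.3.6.1.2.1.2.2.1.8.2": 1,
    ".1.3.6.1.2.1.2.2.1.8.3": 2,                          # down
}
IF_DESCR = ".1.3.6.1.2.1.2.2.1.2"

if __name__ == "__main__":
    agent = FakeAgent(MIB)
    print("Get on the column OID itself:", agent.get(IF_DESCR))   # None: no such instance
    for oid, value in snmp_walk(agent, IF_DESCR):
        print(oid, "=", value)
```

A GetRequest on the column OID returns nothing, because rows are indexed instances below it; GetNext finds them without the manager knowing the indexes in advance. Against a real agent the same walk is snmpwalk -v2c -c public <host> 1.3.6.1.2.1.2.2.1.2, and a readable community string exposes exactly this interface, route and process inventory to an attacker.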
22
Q

Which of the following web-server components is located between the web client and web server to pass all the requests and is also used to prevent IP blocking and maintain anonymity?

  • Server root
  • Web proxy
  • Virtual document tree
  • Virtual hosting
A

Web Proxy.

In contrast:

  • A virtual document tree provides storage on a different machine or disk after the original disk is filled up
  • A virtual host is the technique of hosting multiple domains or websites on the same server
  • The server root stores the server’s configuration, error, executable, and log files
23
Q

Which of the following drozer commands is used by an attacker to find the list of various exported activities, services, broadcast receivers, and content providers in a target mobile device?

dz> run app.package.attacksurface

dz> run app.activity.start --component

dz> run app.package.list

dz> run app.package.info -a

A

dz> run app.package.attacksurface

Use run app.package.list to get the installed packages, then run app.package.attacksurface <package> to see how many exported activities, services, broadcast receivers, and content providers that package exposes, and whether it is debuggable. Exported components are reachable from any other app on the device unless the developer guarded them with a permission, which is why this is the first thing checked.

24
Q

Which of the following is an attack technique where the only information available to the attacker is some plaintext blocks along with the corresponding ciphertext and algorithm used to encrypt and decrypt the text?

  • Ciphertext-only attack
  • Adaptive chosen-plaintext attack
  • Chosen-plaintext attack
  • Known-plaintext attack
A

A known-plaintext attack. In this scenario, the attacker has knowledge of some part of the plaintext; using this information, the key used to generate the ciphertext is deduced and then used to decipher other messages.

In contrast:

  • Ciphertext-only attack: the attacker has access only to the ciphertext; the goal is to recover the plaintext or the encryption key from the ciphertext alone.
  • Adaptive chosen-plaintext attack: the attacker makes a series of interactive queries, choosing each subsequent plaintext based on the information learned from the previous encryptions.
  • Chosen-plaintext attack: the attacker defines their own plaintext, feeds it into the cipher, and analyzes the resulting ciphertext.
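Added example, not from the page: a known-plaintext attack against a repeating-key XOR cipher, where one known header/ciphertext pair yields the key and the key then decrypts a second message. The key and messages are constructed; the toy cipher is used because it shows the attack in a few lines, whereas a modern cipher is designed so that known plaintext reveals nothing about the key.

```python
"""Known-plaintext attack on a repeating-key XOR cipher (added example)."""


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Encrypt/decrypt with a repeating key (the toy cipher under attack)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def keystream_from_pair(plaintext: bytes, ciphertext: bytes) -> bytes:
    """The attacker's first step: P XOR C gives the keystream for the known block."""
    return bytes(p ^ c for p, c in zip(plaintext, ciphertext))


def find_period(stream: bytes, max_len: int = 64):
    """Smallest period seen at least twice in the recovered keystream, or None."""
    for n in range(1, min(max_len, len(stream) // 2) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return n
    return None


def recover_key(known_plaintext: bytes, known_ciphertext: bytes) -> bytes:
    stream = keystream_from_pair(known_plaintext, known_ciphertext)
    n = find_period(stream)
    if n is None:
        raise ValueError("known plaintext too short to establish the key period")
    return stream[:n]


# Constructed scenario: a fixed protocol header is the known plaintext; the key is secret.
SECRET_KEY = b"s3cr3t"
KNOWN_PLAINTEXT = b"HEADER: v1.0"
KNOWN_CIPHERTEXT = xor_bytes(KNOWN_PLAINTEXT, SECRET_KEY)
OTHER_CIPHERTEXT = xor_bytes(b"wire 40000 to acct 7781", SECRET_KEY)


def attack() -> bytes:
    """Uses only what the attacker holds: the known pair and the other ciphertext."""
    key = recover_key(KNOWN_PLAINTEXT, KNOWN_CIPHERTEXT)
    return xor_bytes(OTHER_CIPHERTEXT, key)


if __name__ == "__main__":
    print(recover_key(KNOWN_PLAINTEXT, KNOWN_CIPHERTEXT))
    print(attack())
```

The twelve known header bytes cover the six-byte key twice, which is what lets find_period confirm the period; with only four known bytes recover_key refuses to guess, the edge case a real attacker hits when the known fragment is shorter than the key.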
25
Q

Which of the following IDS/firewall evasion techniques is used by an attacker to bypass Internet censors and evade certain IDS and firewall rules?

  • IP address decoy
  • Sending bad checksums
  • Source port manipulation
  • Anonymizers
A

Anonymizers. An anonymizer is an intermediary (a web proxy, VPN, or Tor-style relay) that strips identifying information from the request and hides the user’s real IP address, so the traffic reaches its destination from the anonymizer’s address and bypasses address-based censorship and filtering rules.

26
Q

In one of the following social engineering techniques, an attacker assumes the role of a knowledgeable professional so that the organization’s employees ask them for information. The attacker then manipulates questions to draw out the required information. Which is this technique?

Baiting

Quid pro quo

Reverse social engineering

Dumpster diving

A

Reverse social engineering.

27
Q

In which of the following types of attack does an attacker exploit the carrier-sense multiple access with collision avoidance (CSMA/CA) clear channel assessment (CCA) mechanism to make a channel appear busy?

  • Beacon flood
  • Denial of service
  • Access point theft
  • EAP failure
A

Denial of Service. CSMA/CA stations listen before transmitting and defer while the clear channel assessment reports the medium busy; an attacker who keeps the medium continuously busy (by transmitting constantly or spoofing the signal the CCA check looks for) makes every legitimate station defer indefinitely, so nobody can send.

  • Beacon Flood: Generating thousands of counterfeit 802.11 beacons to make it difficult for clients to find a legitimate AP. This can be done with a tool called FakeAP
  • Access Point Theft: Physical removal of an access point
  • EAP Failure: Observing a valid 802.1X EAP exchange and then sending the client a forged EAP-Failure message. Can be done with File2air or Airtool.
28
Q

Jim, a professional hacker, was hired to perform an attack on an organization. In the attack process, Jim targeted the SMTP server of the target organization and performed SMTP enumeration using the smtp-user-enum tool. He used some options in the tool to gather the usernames of the target organization’s employees.

Which of the following options did Jim use in the SMTP command for guessing the username from among EXPN, VRFY, and RCPT TO?

  • -m n
  • -u user
  • -M mode
  • -p port
A

-M mode. This option selects which SMTP command is used for guessing (EXPN, VRFY, or RCPT TO), for example:

smtp-user-enum -M VRFY -U users.txt -t <target>

where -U gives the username list and -t the target host; -u tests a single username, -p sets the port, and -m sets the number of parallel processes. VRFY and EXPN are often disabled on hardened mail servers, which is why RCPT TO (accepted during a normal delivery attempt) is the fallback mode.

29
Q

A certain type of port scanning technique is similar to the TCP SYN scan and can be performed quickly by scanning thousands of ports per second on a fast network that is not obstructed by a firewall, offering a strong sense of security. Which of the following is this type of port scanning technique?

IDLE/IPID header scanning

SCTP COOKIE ECHO scanning

SSDP scanning

SCTP INIT scanning

A

SCTP INIT scanning. This is the SCTP equivalent of a TCP SYN scan (nmap -sY): nmap sends an INIT chunk and classifies the port from the reply, INIT-ACK for open and ABORT for closed, without completing the association, which is why it is fast and relatively unobtrusive.

30
Q

One of the following techniques redirects all malicious network traffic to a honeypot after any intrusion attempt is detected. Attackers can identify such honeypots by examining specific TCP/IP parameters such as the round-trip time (RTT), time to live (TTL), and TCP timestamp. Which is this technique?

Fake AP

Snort_inline

User-Mode Linux (UML)

Bait and switch

A

Bait and switch.

  • Fake AP: Fake access points only send beacon frames but do not produce any fake traffic on the access points, and an attacker can monitor the network traffic and quickly note the presence of fake AP.
  • Snort_inline: Snort_inline is a modified version of Snort IDS that is capable of packet manipulation. It can rewrite rules in the iptables and is mainly used in GenII (2nd generation) honeynets to block known attacks and avoid attacker bouncing. Attackers can identify these honeypots by analyzing the outgoing packets. If an outgoing packet is dropped, it might look like a black hole to an attacker, and when the snort_inline modifies an outgoing packet, the attacker can capture the modified packet through another host system and identify the packet modification.
  • User-Mode Linux is an open-source software under GNU, which is used to create virtual machines and is efficient in deploying honeypots. Attackers can identify the presence of UML honeypots by analyzing files such as /proc/mounts, /proc/interrupts, and /proc/cmdline, which contain UML-specific information
31
Q

Which of the following OS discovery techniques is used by an attacker to identify a target machine’s OS by observing the TTL values in the acquired scan result?

OS discovery using Nmap

OS discovery using Unicornscan

OS discovery using Nmap Script Engine

OS discovery using IPv6 fingerprinting

A

OS discovery using Unicornscan. Unicornscan prints the TTL of each response alongside the port state; because common operating systems start from different initial TTLs (64 for Linux/Unix, 128 for Windows, 255 for many network devices) and each router hop decrements the value by one, the observed TTL gives both an OS-family guess and an estimate of the hop distance. It is only a hint: the default TTL can be changed (net.ipv4.ip_default_ttl on Linux), and a load balancer or NAT can answer with several different TTLs for one address.
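Added example, not from the page: turning observed TTLs into an OS-family guess and a hop estimate, run over constructed output lines. The "ttl N" line layout is assumed rather than copied from a real unicornscan run; only the regex depends on it.

```python
"""Guessing OS family and hop distance from observed TTL values (added example)."""
import re

# Common initial TTLs. The OS family is a hint, not a fingerprint.
OS_BY_INITIAL_TTL = {
    32: "legacy Windows 9x",
    64: "Linux / Unix / macOS",
    128: "Windows",
    255: "network device (Cisco etc.) / Solaris",
}


def infer_initial_ttl(observed: int) -> int:
    """Each router decrements TTL by one, so round up to the next common initial value."""
    if not 1 <= observed <= 255:
        raise ValueError("TTL must be between 1 and 255")
    for initial in (32, 64, 128, 255):
        if observed <= initial:
            return initial
    raise AssertionError("unreachable")


def guess_os(observed: int) -> dict:
    initial = infer_initial_ttl(observed)
    return {"initial_ttl": initial, "hops": initial - observed, "os": OS_BY_INITIAL_TTL[initial]}


# Constructed lines in the style of a "ttl N" annotation per open port (format assumed).
SAMPLE_OUTPUT = """\
TCP open                     ssh[   22]         from 10.10.10.10  ttl 57
TCP open                    http[   80]         from 10.10.10.10  ttl 57
TCP open                   https[  443]         from 10.10.10.20  ttl 121
TCP open                    smtp[   25]         from 10.10.10.20  ttl 57
TCP open                    http[   80]         from 10.10.10.30  ttl 250
"""

LINE_RE = re.compile(r"from\s+(\d+\.\d+\.\d+\.\d+)\s+ttl\s+(\d+)")


def guesses_from_output(text: str) -> dict:
    """Map each host to its TTL-based guess; flag hosts answering with differing TTLs
    (a sign of a load balancer, NAT or middlebox fronting more than one system)."""
    seen = {}
    for m in LINE_RE.finditer(text):
        host, ttl = m.group(1), int(m.group(2))
        seen.setdefault(host, set()).add(ttl)
    out = {}
    for host, ttls in seen.items():
        if len(ttls) == 1:
            out[host] = guess_os(next(iter(ttls)))
        else:
            out[host] = {"inconsistent_ttls": sorted(ttls)}
    return out


if __name__ == "__main__":
    for host, info in guesses_from_output(SAMPLE_OUTPUT).items():
        print(host, info)
```

The second host answers port 443 with a Windows-looking TTL and port 25 with a Linux-looking one; rather than pick either, the code reports the inconsistency, which is the more useful finding.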

32
Q

Which of the following types of malware remains dormant until the user performs an online financial transaction, replicates itself on the computer, and edits the registry entries each time the computer starts?

TAN grabber

Covert credential grabber

HTML injection

Form grabber

A

Covert credential grabber. This type of malware remains dormant until the user performs an online financial transaction. It works covertly to replicate itself on the computer and edits the registry entries each time the computer is started. The Trojan also searches the cookie files that had been stored on the computer while browsing financial websites. Once the user attempts to make an online transaction, the Trojan covertly steals the login credentials and transmits them to the hacker

  • TAN grabber: A Transaction Authentication Number (TAN) is a single-use password for authenticating online banking transactions. Banking Trojans intercept valid TANs entered by users and replace them with random numbers. The bank will reject such invalid random numbers. Subsequently, the attacker misuses the intercepted TAN with the target’s login details.
  • Form grabber: A form grabber is a type of malware that captures a target’s sensitive data such as IDs and passwords, from a web browser form or page. It is an advanced method for collecting the target’s Internet banking information. It analyses POST requests and responses to the victim’s browser. It compromises the scramble pad authentication and intercepts the scramble pad input as the user enters his/her Customer Number and Personal Access Code
  • HTML injection: The Trojan creates fake form fields on e-banking pages, thereby enabling the attacker to collect the target’s account details, credit card number, date of birth, etc. The attacker can use this information to impersonate the target and compromise his/her account.
33
Q

In one of the following types of identity theft, the perpetrator obtains information from different victims to create a new identity by stealing a social security number and uses it with a combination of fake names, date of birth, address, and other details required for creating a new identity. Which is this type of identity theft?

  • Social identity theft
  • Synthetic identity theft
  • Child identity theft
  • Medical identity theft
A

Synthetic identity theft.

  • Medical Identity Theft: This is the most dangerous type of identity theft where the perpetrator uses the victim’s name or information without the victim’s consent or knowledge to obtain medical products and claim health insurance or healthcare services. Medical identity theft results in frequent erroneous entries in the victim’s medical records, which could lead to false diagnoses and life-threatening decisions by the doctors.
  • Social identity theft: This is a common type of identity theft where the perpetrator steals victim’s Social Security Number in order to derive various benefits such as selling it to an undocumented person, using it to defraud the government by getting a new bank account, loans, credit cards, or applying for and obtaining a new passport.
  • Child identity theft: This type of identity theft occurs when the identity of a minor is stolen. This is desirable because it may go undetected for a long time. After birth, parents apply for a Social Security Number for their child, which along with a different date of birth, is used by identity thieves to apply for credit accounts, loans or utility services, or to rent a place to live and apply for government benefits
34
Q

Ray, a security professional in an organization, was instructed to identify all potential security weaknesses in the organization and fix them before an attacker can exploit them. In the process, he consulted a third-party consulting firm to run a security audit of the organization’s network.

Which of the following types of solutions did Ray implement in the above scenario?

  • Product-based solution
  • Service-based solution
  • Tree-based assessment
  • Inference-based assessment
A

Service-based solution.

  • A product-based solution is installed in the company’s network, in private or non-routable network space. As a result it cannot always detect or test attacks coming from outside.
  • In a tree-based assessment, the auditor selects a different strategy for each machine or component of the information system (IS), for example one scanner for Windows servers, another for Linux servers, and another for Windows web servers. This approach relies on the administrator providing the starting intelligence, after which scanning continues without incorporating anything learned during the scan.
  • Inference-based scanning starts by building an inventory of the protocols found on the machine. After finding a protocol, the scanning process detects which ports are attached to services, such as an email server, web server, or database server. After finding the services, it selects the vulnerabilities relevant to each machine and executes only the relevant tests.
35
Q

Sam, an ethical hacker, is launching an attack on a target company. He performed various enumeration activities to detect any existing vulnerabilities on the target network and systems. In this process, he performed NTP enumeration and executed some commands to acquire the list of hosts connected to the NTP server.

Which of the following NTP enumeration commands helps Sam in collecting system information such as the number of time samples from several time sources?

  • ntptrace
  • ntpdc
  • ntpdate
  • ntpq
A

ntpdate

  • ntpdate: this command collects the number of time samples from several time sources.
    ntpdate [-46bBdqsuv] [-a key] [-e authdelay] [-k keyfile] [-o version] [-p samples] [-t timeout] [-U user_name] server […]
  • ntpdc: this command queries the ntpd daemon about its current state and requests changes in that state. Attackers use it to retrieve the state and statistics of each NTP server connected to the target network.
    ntpdc [-ilnps] [-c command] [hostname/IP_address]
  • ntptrace: this command determines where the NTP server obtains its time from and follows the chain of NTP servers back to the primary time source. Attackers use it to trace the list of NTP servers connected to the network. It is essentially the NTP equivalent of tracert.
    ntptrace [-n] [-m maxhosts] [servername/IP_address]
  • ntpq: this command monitors the operations of the NTP daemon ntpd and determines its performance.
    ntpq [-inp] [-c command] [host/IP_address]

36
Q

Which of the following DNS poisoning techniques is used by an attacker to infect a victim’s machine with a Trojan and remotely change their DNS IP address to that of the attacker’s?

  • DNS cache poisoning
  • Proxy server DNS poisoning
  • Internet DNS spoofing
  • Intranet DNS spoofing
A

Internet DNS spoofing (also called remote DNS poisoning). The attacker infects the victim’s machine with a Trojan and changes its DNS server setting to the attacker’s IP address, so every name the victim resolves is answered by the attacker’s DNS server from anywhere on the Internet.

In contrast:

  • Proxy server DNS poisoning: the attacker sets up a proxy server on the attacker’s system, configures a fraudulent DNS server and makes its IP address the primary DNS entry in that proxy, and then changes the victim’s proxy settings with the help of a Trojan. It is the proxy setting, not the DNS setting, that is altered on the victim.
  • Intranet DNS spoofing: the attacker is on the same LAN as the victim and, typically after ARP poisoning to get into the traffic path, answers the victim’s DNS queries with forged responses.
  • DNS cache poisoning: the attacker plants forged records in a recursive resolver’s cache, so every client using that resolver is redirected until the entries expire.

37
Q

Which of the following is an IDS evasion technique used by attackers to encode an attack packet payload in such a manner that the destination host can decode the packet but not the IDS?

  • Evasion
  • Session splicing
  • Obfuscating
  • Fragmentation
A

Obfuscating. Obfuscating involves encoding the payload so the IDS can’t determine what’s in it but the intended recipient host can decode it. The other methods are all IDS bypasses but do not involve encoding.

38
Q

Which of the following commands is used by an attacker to delete only the history of the current shell and retain the command history of other shells?

  • cat /dev/null > ~/.bash_history && history -c && exit
  • history -w
  • export HISTSIZE=0
  • history -c
A

history -w.

  • history -c clears the in-memory history list of the running shell (commands not yet flushed to the file)
  • export HISTSIZE=0 stops the shell from keeping history for the rest of that session
  • cat /dev/null > ~/.bash_history && history -c && exit empties the user’s saved bash history, clears the in-memory list, and ends the session.

Caveat for practitioners: in real bash, history -w writes the current session’s in-memory list over $HISTFILE. On its own it deletes nothing; run after history -c it truncates the saved file. Other open sessions keep their own in-memory lists until they exit and write them, which is why the exam treats it as affecting only the current shell. Because shell history is an anti-forensics target, forward command logging off the host (auditd, or a PROMPT_COMMAND hook shipping to a remote collector) rather than relying on .bash_history.
39
Q

What are semagrams?

A

Semagrams involve a steganography technique that hides information with the help of signs or symbols. In this technique, the user embeds some objects or symbols in the data to change the appearance of the data to a predetermined meaning. The classification of semagrams is as follows:

  • Visual Semagrams: This technique hides information in a drawing, painting, letter, music, or a symbol.
  • Text Semagrams: A text semagram hides the text message by converting or transforming the appearance of the carrier text message, such as by changing font sizes and styles, adding extra spaces as whitespaces in the document, and including different flourishes in letters or handwritten text.
40
Q

What are jargon codes?

A

In jargon codes, a certain language is used that can be understood by the particular group of people to whom it is addressed, while being meaningless to others. A jargon message is like a substitution cipher in many respects, but instead of replacing individual letters, the words themselves are changed. An example of a jargon code is a cue code: a cue is a prearranged word whose appearance in an otherwise innocent text carries the real message.

41
Q

What are grille ciphers?

A

A technique used to encrypt plaintext by writing it onto a sheet of paper through a pierced (or stenciled) sheet of paper, cardboard, or any other similar material. In this technique, one can decipher the message using an identical grille. This system is thus difficult to crack and decipher, as only someone with the correct grille will be able to decipher the hidden message.

42
Q

In which of the following attacks does an attacker install a fake communication tower between two authentic endpoints with the intention of misleading a user and interrupting the data transmission between the user and real tower to hijack an active session?

  • Rogue AP attack
  • Key reinstallation attack
  • Wardriving
  • aLTEr attack
A

An aLTEr attack.

In contrast:

  • Rogue AP attack: APs connect to client NICs by authenticating with the help of SSIDs. Unauthorized (or rogue) APs can allow anyone with an 802.11-equipped device to connect to a corporate network. An unauthorized AP can give an attacker access to the network.
    When a user turns on a computer, the rogue AP will offer to connect with the network user’s NIC. The attacker lures the user to connect to the rogue AP by sending the SSID. If the user connects to the rogue AP under the impression that it is a legitimate AP, all the traffic from the user passes through the rogue AP, enabling a form of wireless packet sniffing. The sniffed packets may even contain usernames and passwords.
  • Key Reinstallation Attack: The attacker exploits the four-way handshake of the WPA2 protocol by forcing Nonce reuse. In this attack, the attacker captures the victim’s ANonce key that is already in use to manipulate and replay cryptographic handshake messages. This attack works against all modern protected Wi-Fi networks (both WPA and WPA2); personal and enterprise networks; and the ciphers WPA-TKIP, AES-CCMP, and GCMP. It allows the attacker to steal sensitive information such as credit-card numbers, passwords, chat messages, emails, and photos.

43
Q

Given below are the different phases of the APT lifecycle.

  • Initial intrusion
  • Persistence
  • Preparation
  • Cleanup
  • Expansion
  • Search and exfiltration

What is the correct sequence of phases in the APT lifecycle?

  • 1 -> 2 -> 3 -> 4 -> 5 -> 6
  • 3 -> 1 -> 5 -> 2 -> 6 -> 4
  • 5 -> 3 -> 2 -> 6 -> 4 -> 1
  • 2 -> 4 -> 6 -> 1 -> 5 -> 3
A

3 -> 1 -> 5 -> 2 -> 6 -> 4

Preparation -> Initial Intrusion -> Expansion -> Persistence -> Search and Exfiltration -> Cleanup

44
Q

In which of the following incident handling and response phases are the identified security incidents analyzed, validated, categorized, and prioritized?

  • Incident recording and assignment
  • Incident triage
  • Containment
  • Eradication
A

Incident triage. In this phase, the identified security incidents are analyzed, validated, categorized, and prioritized. The IH&R team further analyzes the compromised device to find incident details such as the type of attack, its severity, target, impact, and method of propagation, and any vulnerabilities it exploited.

  • Incident recording and assignment involves the initial reporting and recording of the incident. This phase handles identifying an incident and defining proper incident communication plans for the employees, and also includes communication methods that involve informing IT support personnel or submitting an appropriate ticket.

45
Q

In which of the following attack types does an attacker modify the content of a web page by examining its HTML code and identifying form fields that lack valid constraints?

  • Directory traversal
  • Buffer overflow attack
  • Command injection attack
  • Cross-site scripting (XSS) attack
A

Command injection attack.

Technically this question is stupidly worded, as client-side constraints alone don’t prevent XSS, command injection or buffer overflows and all three can be caused from the HTML side when providing data to the server.

46
Q

Which of the following scanning techniques is used by an attacker to send a TCP frame to a remote device with the FIN, URG, and PUSH flags set?

  • Xmas scan
  • TCP Maimon scan
  • ACK flag probe scan
  • IDLE/IPID header scan
A

Xmas scan.