Exam 2 Flashcards

1
Q

You have initiated an active operating system fingerprinting attempt with nmap against a target system:
What operating system is the target host running based on the open ports shown above?
A. Windows XP
B. Windows 98 SE
C. Windows NT4 Server
D. Windows 2000 Server

A

D. Windows 2000 Server

2
Q
In which phase of the ethical hacking process can Google hacking be employed? This is a technique that involves manipulating a search string with specific operators to search for vulnerabilities.
A. Maintaining Access
B. Gaining Access
C. Reconnaissance
D. Scanning and Enumeration
A

C. Reconnaissance

3
Q

A company’s security policy states that all Web browsers must automatically delete their HTTP browser cookies upon terminating. What sort of security breach is this policy attempting to mitigate?
A. Attempts by attackers to access Web sites that trust the Web browser user by stealing the user’s authentication credentials.
B. Attempts by attackers to access the user and password information stored in the company’s SQL database.
C. Attempts by attackers to access passwords stored on the user's computer without the user's knowledge.
D. Attempts by attackers to determine the user’s Web browser usage patterns, including when sites were visited and for how long.

A

A. Attempts by attackers to access Web sites that trust the Web browser user by stealing the user’s authentication credentials.

4
Q
Which of the following are well known password-cracking programs?
A. L0phtcrack
B. NetCat
C. Jack the Ripper
D. Netbus
E. John the Ripper
A

A. L0phtcrack

E. John the Ripper

5
Q
One of your team members has asked you to analyze the following SOA record. What is the version?
Rutgers.edu.SOA NS1.Rutgers.edu ipad.college.edu (200302028 3600 3600 604800 2400.)
A. 200302028
B. 3600
C. 604800
D. 2400
E. 60
F. 4800
A

A. 200302028
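Worked example, added here and not part of the original flashcard set: a small Python parser that splits the SOA record above into its named fields, so that the serial ("version"), refresh, retry, expire and minimum values are not confused with one another. The record string is the one printed on the card, used as constructed input. The YYYYMMDDnn check reflects the common convention for serials and is an assumption about how a zone is maintained; it shows that this card's 9-digit serial does not follow that convention.

```python
import re

# Constructed input: the record exactly as it appears on the card above.
SAMPLE_SOA = "Rutgers.edu.SOA NS1.Rutgers.edu ipad.college.edu (200302028 3600 3600 604800 2400.)"

# Tolerates the missing space before "SOA" and the stray "." before ")" seen on the card.
SOA_RE = re.compile(
    r"^(?P<zone>[\w.-]+?)\.?\s*SOA\s+(?P<mname>\S+)\s+(?P<rname>\S+)\s*\(\s*"
    r"(?P<serial>\d+)\s+(?P<refresh>\d+)\s+(?P<retry>\d+)\s+(?P<expire>\d+)\s+(?P<minimum>\d+)"
    r"\s*\.?\s*\)"
)


def parse_soa(text):
    """Return the SOA fields by name; raise ValueError if the text is not an SOA record."""
    m = SOA_RE.match(text.strip())
    if not m:
        raise ValueError("not an SOA record: %r" % text)
    fields = m.groupdict()
    for key in ("serial", "refresh", "retry", "expire", "minimum"):
        fields[key] = int(fields[key])
    return fields


def soa_version(text):
    """The 'version' the question asks for is the serial, the first number in the parentheses."""
    return parse_soa(text)["serial"]


def serial_looks_like_date(serial):
    """Assumption: many zones use YYYYMMDDnn serials; True when the serial has that shape."""
    s = str(serial)
    if len(s) != 10:
        return False
    year, month, day = int(s[:4]), int(s[4:6]), int(s[6:8])
    return 1990 <= year <= 2100 and 1 <= month <= 12 and 1 <= day <= 31


def describe(text):
    """Human-readable summary of what each timer means to a secondary name server."""
    f = parse_soa(text)
    return {
        "zone": f["zone"],
        "primary": f["mname"],
        "serial": f["serial"],
        "serial_is_dated": serial_looks_like_date(f["serial"]),
        "secondary_polls_every_s": f["refresh"],
        "retry_after_failed_poll_s": f["retry"],
        "stop_serving_after_s": f["expire"],
        "negative_cache_ttl_s": f["minimum"],
    }
```

Running `describe(SAMPLE_SOA)` labels every number; the serial on this card is 9 digits, so `serial_is_dated` is False, a hint that it was either mistyped or simply a counter.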

6
Q

LM hash is a compromised password hashing function. Which of the following parameters describe LM hash?
I - The maximum password length is 14 characters.
II - There are no distinctions between uppercase and lowercase.
III - It’s a simple algorithm, so 10,000,000 hashes can be generated per second.
A. I
B. I, II, and III
C. II
D. I and II

A

B. I, II, and III

7
Q
Which Nmap option would you use if you were not concerned about being detected and wanted to perform a very fast scan?
A. -T0
B. -T5
C. -O
D. -A
A

B. -T5

8
Q
Which of the following program infects the system boot sector and the executable files at the same time?
A. Stealth virus
B. Polymorphic virus
C. Macro virus
D. Multipartite Virus
A

D. Multipartite Virus

9
Q

If you are to determine the attack surface of an organization, which of the following is the BEST thing to do?
A. Running a network scan to detect network services in the corporate DMZ
B. Reviewing the need for a security clearance for each employee
C. Using configuration management to determine when and where to apply security patches
D. Training employees on the security policy regarding social engineering

A

A. Running a network scan to detect network services in the corporate DMZ

10
Q
Which is the first step followed by Vulnerability Scanners for scanning a network?
A. TCP/UDP Port scanning
B. Firewall detection
C. OS Detection
D. Checking if the remote host is alive
A

D. Checking if the remote host is alive

11
Q

While testing the company's web applications, a tester attempts to insert the following test script into the search area on the company's web site:
<script>alert("Testing Testing Testing")</script>
Afterwards, when the tester presses the search button, a pop-up box appears on the screen with the text "Testing Testing Testing". Which vulnerability has been detected in the web application?
A. Buffer overflow
B. Cross-site request forgery
C. Distributed denial of service
D. Cross-site scripting

A

D. Cross-site scripting
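Added example, not from the original page: the reflected-input pattern this card detects, next to its fix, in Python. The page template and the second, attribute-context payload are constructed for the demonstration; `html.escape` from the standard library is the encoder. The attribute case goes one step beyond the card: it shows why quotes must be encoded too, not only angle brackets.

```python
from html import escape

# Constructed inputs: the payload from the card, and one aimed at an attribute context.
SCRIPT_PAYLOAD = '<script>alert("Testing Testing Testing")</script>'
ATTR_PAYLOAD = '" autofocus onfocus="alert(1)'

# Constructed page fragments: the search term lands in an HTML text node and in an attribute.
RESULTS_TEMPLATE = "<h1>Results for: {term}</h1>\n<p>No results.</p>"
INPUT_TEMPLATE = '<input name="q" value="{term}">'


def render_results_unsafe(term):
    """Reflects the query verbatim into the markup: the vulnerable pattern the card describes."""
    return RESULTS_TEMPLATE.format(term=term)


def render_results_safe(term):
    """Entity-encodes the query before it reaches an HTML text node."""
    return RESULTS_TEMPLATE.format(term=escape(term, quote=True))


def render_input_unsafe(term):
    """Same mistake inside a quoted attribute value."""
    return INPUT_TEMPLATE.format(term=term)


def render_input_safe(term):
    """quote=True turns both " and ' into entities, so the attribute cannot be closed early."""
    return INPUT_TEMPLATE.format(term=escape(term, quote=True))


def contains_script_tag(html):
    """Test-harness check: did a live <script> element survive into the output?"""
    return "<script" in html.lower()


def attribute_closed_early(html):
    """Test-harness check for INPUT_TEMPLATE, which has exactly four double quotes when intact."""
    return html.count('"') != 4
```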

12
Q
Which system consists of a publicly available set of databases that contain domain name registration contact information?
A. WHOIS
B. IANA
C. CAPTCHA
D. IETF
A

A. WHOIS

13
Q
A pen tester is configuring a Windows laptop for a test. In setting up Wireshark, what driver and library are required to allow the NIC to work in promiscuous mode?
A. Libpcap
B. Awinpcap
C. Winprom
D. Winpcap
A

D. Winpcap

14
Q
You perform a scan of your company's network and discover that TCP port 123 is open. What services by default run on TCP port 123?
A. Telnet
B. POP3
C. Network Time Protocol
D. DNS
A

C. Network Time Protocol

15
Q

What does the option * indicate in the following command?
ping -* 6 192.168.0.101
Output:
Pinging 192.168.0.101 with 32 bytes of data:
Reply from 192.168.0.101: bytes=32 time<1ms TTL=128
Reply from 192.168.0.101: bytes=32 time<1ms TTL=128
Reply from 192.168.0.101: bytes=32 time<1ms TTL=128
Reply from 192.168.0.101: bytes=32 time<1ms TTL=128
Reply from 192.168.0.101: bytes=32 time<1ms TTL=128
Reply from 192.168.0.101: bytes=32 time<1ms TTL=128
A. s
B. t
C. n
D. a

A

C. n

16
Q
Which of the following is a command line packet analyzer similar to GUI-based Wireshark?
A. tcpdump
B. nessus
C. Ethereal
D. Jack the ripper
A

A. tcpdump

17
Q

Bob, a network administrator at BigUniversity, realized that some students are connecting their notebooks to the wired network to get Internet access. On the university campus there are many Ethernet ports available for professors and authorized visitors, but not for students. He identified this when the IDS alerted on malware activity in the network.
What should Bob do to avoid this problem?
A. Disable unused ports in the switches
B. Separate students in a different VLAN
C. Use the 802.1x protocol
D. Ask students to use the wireless network

A

C. Use the 802.1x protocol

18
Q

While performing ping scans into a target network you get a frantic call from the organization's security team. They report that they are under a denial of service attack. When you stop your scan, the smurf attack event stops showing up on the organization's IDS monitor.
How can you modify your scan to prevent triggering this event in the IDS?
A. Scan more slowly.
B. Do not scan the broadcast IP.
C. Spoof the source IP address.
D. Only scan the Windows systems.

A

B. Do not scan the broadcast IP.

19
Q
While doing a technical assessment to determine network vulnerabilities, you used the TCP XMAS scan. What would be the response of all open ports?
A. The port will send an ACK
B. The port will send a SYN
C. The port will ignore the packets
D. The port will send an RST
A

C. The port will ignore the packets

20
Q
Which of the following techniques will identify if computer files have been changed?
A. Network sniffing
B. Permission sets
C. Integrity checking hashes
D. Firewall alerts
A

C. Integrity checking hashes
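Worked example, added here and not part of the original card: integrity checking with hashes, in Python, the way a minimal host-based file integrity monitor does it. A baseline of SHA-256 digests is taken over a directory, the tree is compared against that baseline later, and the baseline itself is protected with an HMAC, because an attacker who can change files on the host can usually also edit an unsigned baseline stored beside them. The directory contents are constructed inside `demo_tampering()`; the HMAC key is a placeholder and in practice would live off the monitored host.

```python
import hashlib
import hmac
import json
import os
import tempfile


def file_digest(path, algo="sha256", chunk_size=1 << 16):
    """Stream the file through the hash so large files need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root, algo="sha256"):
    """Digest and size of every regular file under root, keyed by path relative to root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"digest": file_digest(full, algo), "size": os.path.getsize(full)}
    return baseline


def verify_baseline(root, baseline, algo="sha256"):
    """Compare the tree as it is now against a stored baseline."""
    current = build_baseline(root, algo)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p]["digest"] != baseline[p]["digest"]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def canonical(baseline):
    """Deterministic serialisation so the HMAC does not depend on dict ordering."""
    return json.dumps(baseline, sort_keys=True, separators=(",", ":")).encode()


def sign_baseline(baseline, key):
    """HMAC-SHA256 over the canonical baseline; key is assumed to be kept off the monitored host."""
    return hmac.new(key, canonical(baseline), "sha256").hexdigest()


def verify_signed_baseline(baseline, key, tag):
    return hmac.compare_digest(sign_baseline(baseline, key), tag)


def demo_tampering():
    """Constructed scenario: baseline a small tree, then modify, delete and add a file."""
    with tempfile.TemporaryDirectory() as root:
        def write(name, text):
            with open(os.path.join(root, name), "w") as f:
                f.write(text)

        write("a.txt", "hello")
        write("b.txt", "world")
        baseline = build_baseline(root)
        clean = verify_baseline(root, baseline)
        write("a.txt", "hellp")              # same size, one byte changed: only the digest catches it
        os.remove(os.path.join(root, "b.txt"))
        write("c.txt", "new file")
        tampered = verify_baseline(root, baseline)
        return {"clean": clean, "tampered": tampered, "baseline": baseline}
```

Note that the modified file keeps its size and, on many systems, can keep its timestamps too; the digest is the only one of the three that the attacker cannot preserve without knowing the original content.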

21
Q
Which tool would be used to collect wireless packet data?
A. NetStumbler
B. John the Ripper
C. Nessus
D. Netcat
A

A. NetStumbler

22
Q
You are a security officer of a company. You received an alert from the IDS indicating that one PC on your intranet is connected to a blacklisted IP address (a C2 server) on the Internet. The IP address was blacklisted just before the alert. You are starting an investigation to roughly analyze the severity of the situation. Which of the following is appropriate to analyze?
A. Event logs on the PC
B. Internet Firewall/Proxy log
C. IDS log
D. Event logs on domain controller
A

B. Internet Firewall/Proxy log

23
Q

The network administrator for a company is setting up a website with e-commerce capabilities. Packet sniffing is a concern because credit card information will be sent electronically over the Internet. Customers visiting the site will need to encrypt the data with HTTPS. Which type of certificate is used to encrypt and decrypt the data?
A. Asymmetric
B. Confidential
C. Symmetric
D. Non-confidential

A

A. Asymmetric

24
Q
Log monitoring tools performing behavioral analysis have alerted several suspicious logins on a Linux server occurring during non-business hours. After further examination of all login activities, it is noticed that none of the logins have occurred during typical work hours. A Linux administrator who is investigating this problem realizes the system time on the Linux server is wrong by more than twelve hours. What protocol used on Linux servers to synchronize the time has stopped working?
A. Time Keeper
B. NTP
C. PPP
D. OSPP
A

B. NTP

25
25
Q
Which command line switch would be used in NMAP to perform operating system detection?
A. -OS
B. -sO
C. -sP
D. -O
A

D. -O

26
Q
Which Intrusion Detection System is best applicable for large environments where critical assets on the network need extra security and is ideal for observing sensitive network segments?
A. Network-based intrusion detection system (NIDS)
B. Host-based intrusion detection system (HIDS)
C. Firewalls
D. Honeypots
A

A. Network-based intrusion detection system (NIDS)

27
Q
Which tool can be used to silently copy files from USB devices?
A. USB Grabber
B. USB Dumper
C. USB Sniffer
D. USB Snoopy
A

B. USB Dumper

28
Q
The following is part of a log file taken from the machine on the network with the IP address of 192.168.1.106:
What type of activity has been logged?
A. Port scan targeting 192.168.1.103
B. Teardrop attack targeting 192.168.1.106
C. Denial of service attack targeting 192.168.1.103
D. Port scan targeting 192.168.1.106
A

D. Port scan targeting 192.168.1.106

29
Q
How does a denial-of-service attack work?
A. A hacker prevents a legitimate user (or group of users) from accessing a service
B. A hacker uses every character, word, or letter he or she can think of to defeat authentication
C. A hacker tries to decipher a password by using a system, which subsequently crashes the network
D. A hacker attempts to imitate a legitimate user by confusing a computer or even another person
A

A. A hacker prevents a legitimate user (or group of users) from accessing a service

30
Q
Which type of security document is written with specific step-by-step details?
A. Process
B. Procedure
C. Policy
D. Paradigm
A

B. Procedure

31
Q
On performing a risk assessment, you need to determine the potential impact when some of the company's critical business processes have their service interrupted. What is the name of the process by which you can determine those critical business processes?
A. Risk Mitigation
B. Emergency Plan Response (EPR)
C. Disaster Recovery Planning (DRP)
D. Business Impact Analysis (BIA)
A

D. Business Impact Analysis (BIA)

32
Q
Why would an attacker want to perform a scan on port 137?
A. To discover proxy servers on a network
B. To disrupt the NetBIOS SMB service on the target host
C. To check for file and print sharing on Windows systems
D. To discover information about a target host using NBTSTAT
A

D. To discover information about a target host using NBTSTAT
33
Q
Which of the following is an example of two factor authentication?
A. PIN Number and Birth Date
B. Username and Password
C. Digital Certificate and Hardware Token
D. Fingerprint and Smartcard ID
A

D. Fingerprint and Smartcard ID

34
Q
Which of the following is the BEST way to defend against network sniffing?
A. Using encryption protocols to secure network communications
B. Register all machines MAC Address in a Centralized Database
C. Restrict Physical Access to Server Rooms hosting Critical Servers
D. Use Static IP Address
A

A. Using encryption protocols to secure network communications

35
Q
Bob finished a C programming course and created a small C application to monitor the network traffic and produce alerts when any origin sends "many" IP packets, based on the average number of packets sent by all origins and using some thresholds. In concept, the solution developed by Bob is actually:
A. Just a network monitoring tool
B. A signature-based IDS
C. A hybrid IDS
D. A behavior-based IDS
A

D. A behavior-based IDS

36
Q
An NMAP scan of a server shows port 25 is open. What risk could this pose?
A. Open printer sharing
B. Web portal data leak
C. Clear text authentication
D. Active mail relay
A

D. Active mail relay

37
Q
Which of the following problems can be solved by using Wireshark?
A. Tracking version changes of source code
B. Checking creation dates on all webpages on a server
C. Resetting the administrator password on multiple systems
D. Troubleshooting communication resets between two systems
A

D. Troubleshooting communication resets between two systems

38
Q
What kind of risk will remain even if all theoretically possible safety measures would be applied?
A. Residual risk
B. Inherent risk
C. Impact risk
D. Deferred risk
A

A. Residual risk

39
Q
Peter extracts the SIDs list from a Windows 2000 Server machine using the hacking tool "SIDExtractor". Here is the output of the SIDs:
S-1-5-...-500 Chang
From the above list identify the user account with System Administrator privileges.
A. John
B. Rebecca
C. Sheela
D. Shawn
E. Somia
F. Chang
G. Micah
A

F. Chang

40
Q
When a normal TCP connection starts, a destination host receives a SYN (synchronize/start) packet from a source host and sends back a SYN/ACK (synchronize acknowledge). The destination host must then hear an ACK (acknowledge) of the SYN/ACK before the connection is established. This is referred to as the "TCP three-way handshake." While waiting for the ACK to the SYN/ACK, a connection queue of finite size on the destination host keeps track of connections waiting to be completed. This queue typically empties quickly since the ACK is expected to arrive a few milliseconds after the SYN/ACK. How would an attacker exploit this design by launching a TCP SYN attack?
A. Attacker generates TCP SYN packets with random destination addresses towards a victim host
B. Attacker floods TCP SYN packets with random source addresses towards a victim host
C. Attacker generates TCP ACK packets with random source addresses towards a victim host
D. Attacker generates TCP RST packets with random source addresses towards a victim host
A

B. Attacker floods TCP SYN packets with random source addresses towards a victim host
41
Q
An NMAP scan of a server shows port 69 (TFTP) is open. What risk could this pose?
A. Unauthenticated access
B. Weak SSL version
C. Cleartext login
D. Web portal data leak
A

A. Unauthenticated access

42
Q
Which of the following is the least-likely physical characteristic to be used in biometric control that supports a large company?
A. Height and Weight
B. Voice
C. Fingerprints
D. Iris patterns
A

A. Height and Weight

43
Q
Which component of IPsec performs protocol-level functions that are required to encrypt and decrypt the packets?
A. Internet Key Exchange (IKE)
B. Oakley
C. IPsec Policy Agent
D. IPsec driver
A

D. IPsec driver

44
Q
Your company was hired by a small healthcare provider to perform a technical assessment on the network. What is the best approach for discovering vulnerabilities on a Windows-based computer?
A. Use a scan tool like Nessus
B. Use the built-in Windows Update tool
C. Check MITRE.org for the latest list of CVE findings
D. Create a disk image of a clean Windows installation
A

A. Use a scan tool like Nessus

45
Q
Which mode of IPSec should you use to assure security and confidentiality of data within the same LAN?
A. ESP transport mode
B. AH promiscuous
C. ESP confidential
D. AH Tunnel mode
A

A. ESP transport mode

46
Q
Which of the following tools performs comprehensive tests against web servers, including dangerous files and CGIs?
A. Nikto
B. Snort
C. John the Ripper
D. Dsniff
A

A. Nikto

47
Q
In the context of password security, a simple dictionary attack involves loading a dictionary file (a text file full of dictionary words) into a cracking application such as L0phtCrack or John the Ripper and running it against user accounts located by the application. The larger the word and word fragment selection, the more effective the dictionary attack is. The brute force method is the most inclusive, although slow. It usually tries every possible letter and number combination in its automated exploration. If you would use both brute force and dictionary methods combined together to have variation of words, what would you call such an attack?
A. Full Blown
B. Thorough
C. Hybrid
D. BruteDics
A

C. Hybrid

48
Q
A company is using Windows Server 2003 for its Active Directory (AD). What is the most efficient way to crack the passwords for the AD users?
A. Perform a dictionary attack.
B. Perform a brute force attack.
C. Perform an attack with a rainbow table.
D. Perform a hybrid attack.
A

C. Perform an attack with a rainbow table.
49
Q
Initiating an attack against targeted businesses and organizations, threat actors compromise a carefully selected website by inserting an exploit resulting in malware infection. The attackers run exploits on well-known and trusted sites likely to be visited by their targeted victims. Aside from carefully choosing sites to compromise, these attacks are known to incorporate zero-day exploits that target unpatched vulnerabilities. Thus, the targeted entities are left with little or no defense against these exploits. What type of attack is outlined in the scenario?
A. Watering Hole Attack
B. Heartbleed Attack
C. Shellshock Attack
D. Spear Phishing Attack
A

A. Watering Hole Attack

50
Q
Nedved is an IT Security Manager of a bank in his country. One day, he found out that there is a security breach on his company's email server, based on analysis of a suspicious connection from the email server to an unknown IP address. What is the first thing that Nedved needs to do before contacting the incident response team?
A. Leave it as it is and contact the incident response team right away
B. Block the connection to the suspicious IP address from the firewall
C. Disconnect the email server from the network
D. Migrate the connection to the backup email server
A

C. Disconnect the email server from the network

51
Q
A tester has been using the msadc.pl attack script to execute arbitrary commands on a Windows NT4 web server. While it is effective, the tester finds it tedious to perform extended functions. On further research, the tester comes across a perl script that runs the following msadc functions: testfile, nc.exe, etc. Which exploit is indicated by this script?
A. A buffer overflow exploit
B. A chained exploit
C. A SQL injection exploit
D. A denial of service exploit
A

B. A chained exploit

52
Q
From the two screenshots below, which of the following is occurring?
A. 10.0.0.253 is performing an IP scan against 10.0.0.0/24, 10.0.0.252 is performing a port scan against 10.0.0.2.
B. 10.0.0.253 is performing an IP scan against 10.0.0.2, 10.0.0.252 is performing a port scan against 10.0.0.2.
C. 10.0.0.2 is performing an IP scan against 10.0.0.0/24, 10.0.0.252 is performing a port scan against 10.0.0.2.
D. 10.0.0.252 is performing an IP scan against 10.0.0.2, 10.0.0.252 is performing a port scan against 10.0.0.2.
A

A. 10.0.0.253 is performing an IP scan against 10.0.0.0/24, 10.0.0.252 is performing a port scan against 10.0.0.2.

53
Q
What tool can crack Windows SMB passwords simply by listening to network traffic?
A. This is not possible
B. Netbus
C. NTFSDOS
D. L0phtcrack
A

D. L0phtcrack

54
Q
What is the difference between the AES and RSA algorithms?
A. Both are asymmetric algorithms, but RSA uses 1024-bit keys.
B. RSA is asymmetric, which is used to create a public/private key pair; AES is symmetric, which is used to encrypt data.
C. Both are symmetric algorithms, but AES uses 256-bit keys.
D. AES is asymmetric, which is used to create a public/private key pair; RSA is symmetric, which is used to encrypt data.
A

B. RSA is asymmetric, which is used to create a public/private key pair; AES is symmetric, which is used to encrypt data.
55
Q
What port number is used by LDAP protocol?
A. 110
B. 389
C. 464
D. 445
A

B. 389

56
Q
Which of the following types of jailbreaking allows user-level access but does not allow iBoot-level access?
A. Bootrom Exploit
B. iBoot Exploit
C. Sandbox Exploit
D. Userland Exploit
A

D. Userland Exploit

57
Q
Jack was attempting to fingerprint all machines in the network using the following Nmap syntax:
invictus@victim_server:~$ nmap -T4 -O 10.10.0.0/24
TCP/IP fingerprinting (for OS scan) xxxxxxx xxxxxx xxxxxxxxx. QUITTING!
Obviously, it is not going through. What is the issue here?
A. OS Scan requires root privileges
B. The nmap syntax is wrong.
C. The outgoing TCP/IP fingerprinting is blocked by the host firewall
D. This is a common behavior for a corrupted nmap application
A

A. OS Scan requires root privileges

58
Q
What did the following commands determine?
C:\> user2sid \\earth guest
S-1-5-21-343818398-789336058-1343024091-501
C:\> sid2user 5 21 343818398 789336058 1343024091 500
Name is Joe
Domain is EARTH
A. That the Joe account has a SID of 500
B. These commands demonstrate that the guest account has NOT been disabled
C. These commands demonstrate that the guest account has been disabled
D. That the true administrator is Joe
E. Issued alone, these commands prove nothing
A

D. That the true administrator is Joe
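Worked example for cards 39 and 58, added here and not part of the original flashcard set: the SID arithmetic behind both answers, in Python. A SID is split into identifier authority, sub-authorities (the machine or domain part) and the trailing relative identifier (RID); the built-in Administrator always has RID 500 and Guest RID 501, no matter what the accounts have been renamed to, which is exactly what the user2sid/sid2user pair on card 58 exploits. The account list is constructed for the demonstration and only reuses the domain identifier printed on card 58.

```python
import re

SID_RE = re.compile(r"^S-1-(?P<authority>\d+)(?P<subs>(?:-\d+)+)$")

# Well-known RIDs (Windows built-ins); the first two are fixed for every domain and machine.
WELL_KNOWN_RIDS = {
    500: "Administrator (built-in)",
    501: "Guest (built-in)",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    519: "Enterprise Admins",
}


def parse_sid(sid):
    """Split a string SID into identifier authority, sub-authorities and the final RID."""
    m = SID_RE.match(sid.strip())
    if not m:
        raise ValueError("not a SID: %r" % sid)
    subs = [int(x) for x in m.group("subs").strip("-").split("-")]
    return {"authority": int(m.group("authority")), "subauthorities": subs[:-1], "rid": subs[-1]}


def domain_identifier(sid):
    """Everything except the RID: identical for every principal of one domain or machine."""
    p = parse_sid(sid)
    return "S-1-%d-%s" % (p["authority"], "-".join(str(x) for x in p["subauthorities"]))


def same_domain(sid_a, sid_b):
    return domain_identifier(sid_a) == domain_identifier(sid_b)


def describe_rid(rid):
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    if rid >= 1000:
        return "user-created account (RID >= 1000)"
    return "other well-known RID %d" % rid


def find_builtin_admin(accounts):
    """accounts: {name: sid}. The built-in administrator is whoever holds RID 500, whatever the name."""
    hits = [name for name, sid in accounts.items() if parse_sid(sid)["rid"] == 500]
    return hits[0] if hits else None


# Constructed sample in the spirit of card 58: the domain part is the one printed there,
# "guest" is RID 501, "Joe" holds RID 500 (a renamed Administrator) and the account
# that is *called* Administrator is a decoy with an ordinary RID.
SAMPLE_ACCOUNTS = {
    "guest": "S-1-5-21-343818398-789336058-1343024091-501",
    "Joe": "S-1-5-21-343818398-789336058-1343024091-500",
    "Administrator": "S-1-5-21-343818398-789336058-1343024091-1105",
}
```

The point for defenders: renaming the Administrator account is cosmetic. Anyone who can resolve one known SID (the Guest account's, for instance) learns the domain identifier and can ask for RID 500 directly.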
59
Q
Todd has been asked by the security officer to purchase a counter-based authentication system. Which of the following best describes this type of system?
A. A biometric system that bases authentication decisions on behavioral attributes.
B. A biometric system that bases authentication decisions on physical attributes.
C. An authentication system that creates one-time passwords that are encrypted with secret keys.
D. An authentication system that uses passphrases that are converted into virtual passwords.
A

C. An authentication system that creates one-time passwords that are encrypted with secret keys.

60
Q
WPA2 uses AES for wireless data encryption at which of the following encryption levels?
A. 64 bit and CCMP
B. 128 bit and CRC
C. 128 bit and CCMP
D. 128 bit and TKIP
A

C. 128 bit and CCMP

61
Q
While examining audit logs, you discover that people are able to telnet into the SMTP server on port 25. You would like to block this, though you do not see any evidence of an attack or other wrongdoing. However, you are concerned about affecting the normal functionality of the email server. From the following options choose how best you can achieve this objective.
A. Block port 25 at the firewall.
B. Shut off the SMTP service on the server.
C. Force all connections to use a username and password.
D. Switch from Windows Exchange to UNIX Sendmail.
E. None of the above.
A

E. None of the above.

62
Q
You are programming a buffer overflow exploit and you want to create a NOP sled of 200 bytes in the program exploit.c. What is the hexadecimal value of the NOP instruction?
A. 0x60
B. 0x80
C. 0x70
D. 0x90
A

D. 0x90

63
Q
A virus that attempts to install itself inside the file it is infecting is called?
A. Tunneling virus
B. Cavity virus
C. Polymorphic virus
D. Stealth virus
A

B. Cavity virus

64
Q
Which NMAP command combination would let a tester scan every TCP port from a class C network that is blocking ICMP with fingerprinting and service detection?
A. NMAP -PN -A -O -sS 192.168.2.0/24
B. NMAP -P0 -A -O -p1-65535 192.168.0/24
C. NMAP -P0 -A -sT -p0-65535 192.168.0/16
D. NMAP -PN -O -sS -p 1-1024 192.168.0/8
A

B. NMAP -P0 -A -O -p1-65535 192.168.0/24

65
Q
Port scanning can be used as part of a technical assessment to determine network vulnerabilities. The TCP XMAS scan is used to identify listening ports on the targeted system. If a scanned port is open, what happens?
A. The port will ignore the packets.
B. The port will send an RST.
C. The port will send an ACK.
D. The port will send a SYN.
A

A. The port will ignore the packets.
66
Q
Which type of security feature stops vehicles from crashing through the doors of a building?
A. Turnstile
B. Bollards
C. Mantrap
D. Receptionist
A

B. Bollards

67
Q
Which of the following programs is usually targeted at Microsoft Office products?
A. Polymorphic virus
B. Multipart virus
C. Macro virus
D. Stealth virus
A

C. Macro virus

68
Q
An engineer is learning to write exploits in C++ and is using the exploit tool Backtrack. The engineer wants to compile the newest C++ exploit and name it calc.exe. Which command would the engineer use to accomplish this?
A. g++ hackersExploit.cpp -o calc.exe
B. g++ hackersExploit.py -o calc.exe
C. g++ -i hackersExploit.pl -o calc.exe
D. g++ --compile -i hackersExploit.cpp -o calc.exe
A

A. g++ hackersExploit.cpp -o calc.exe

69
Q
An Intrusion Detection System (IDS) has alerted the network administrator to a possibly malicious sequence of packets sent to a Web server in the network's external DMZ. The packet traffic was captured by the IDS and saved to a PCAP file. What type of network tool can be used to determine if these packets are genuinely malicious or simply a false positive?
A. Protocol analyzer
B. Intrusion Prevention System (IPS)
C. Network sniffer
D. Vulnerability scanner
A

A. Protocol analyzer

70
Q
A server has been infected by a certain type of Trojan. The hacker intended to utilize it to send and host junk mails. What type of Trojan did the hacker use?
A. Turtle Trojans
B. Ransomware Trojans
C. Botnet Trojan
D. Banking Trojans
A

C. Botnet Trojan

71
Q
The security administrator of ABC needs to permit Internet traffic to the host 10.0.0.2 and UDP traffic to the host 10.0.0.3. He also needs to permit all FTP traffic to the rest of the network and deny all other traffic. After he applied his ACL configuration on the router, nobody can access FTP and the permitted hosts cannot access the Internet. According to the following configuration, what is happening in the network?
A. The ACL 110 needs to be changed to port 80
B. The ACL for FTP must be before the ACL 110
C. The first ACL is denying all TCP traffic and the other ACLs are being ignored by the router
D. The ACL 104 needs to be first because it is UDP
A

C. The first ACL is denying all TCP traffic and the other ACLs are being ignored by the router
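Worked example, added here and not part of the original card: a first-match evaluator for extended ACL entries, in Python, that reproduces the failure on card 71 and then finds it automatically. The router configuration the card refers to is not reproduced on the page, so the two ACLs below are constructed: "Internet traffic" to 10.0.0.2 is modelled as TCP 80 and 443, and FTP as TCP 21 to the whole 10.0.0.0/24. The semantics implemented are the ones a Cisco-style ACL uses: entries are tried top to bottom, the first match decides, and anything that matches nothing is dropped by the implicit deny at the end.

```python
import ipaddress
from collections import namedtuple

# One extended-ACL entry: action is "permit"/"deny"; proto is "ip", "tcp" or "udp";
# src/dst are ip_network objects; dport None means "any destination port".
Rule = namedtuple("Rule", "action proto src dst dport")
Packet = namedtuple("Packet", "proto src dst dport")


def net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


ANY = net("0.0.0.0/0")


def matches(rule, pkt):
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in rule.src or ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    return rule.dport is None or rule.dport == pkt.dport


def evaluate(acl, pkt):
    """First matching entry wins; a packet matching nothing hits the implicit deny (index None)."""
    for idx, rule in enumerate(acl):
        if matches(rule, pkt):
            return rule.action, idx
    return "deny", None


def shadowed_entries(acl):
    """Indexes of entries that can never match because an earlier entry already covers them."""
    def covers(earlier, later):
        proto_ok = earlier.proto == "ip" or earlier.proto == later.proto
        port_ok = earlier.dport is None or earlier.dport == later.dport
        return (proto_ok and port_ok
                and earlier.src.supernet_of(later.src) and earlier.dst.supernet_of(later.dst))
    return [j for j in range(len(acl)) if any(covers(acl[i], acl[j]) for i in range(j))]


# Constructed: the administrator's mistake, with the catch-all deny placed first.
MISORDERED = [
    Rule("deny",   "tcp", ANY, ANY, None),
    Rule("permit", "tcp", ANY, net("10.0.0.2/32"), 80),
    Rule("permit", "tcp", ANY, net("10.0.0.2/32"), 443),
    Rule("permit", "udp", ANY, net("10.0.0.3/32"), None),
    Rule("permit", "tcp", ANY, net("10.0.0.0/24"), 21),
]

# Constructed: the same policy with the specific permits first and an explicit deny last.
CORRECTED = [
    Rule("permit", "tcp", ANY, net("10.0.0.2/32"), 80),
    Rule("permit", "tcp", ANY, net("10.0.0.2/32"), 443),
    Rule("permit", "udp", ANY, net("10.0.0.3/32"), None),
    Rule("permit", "tcp", ANY, net("10.0.0.0/24"), 21),
    Rule("deny",   "ip",  ANY, ANY, None),
]
```

`shadowed_entries(MISORDERED)` returns every TCP permit, which is the card's answer in one call; the UDP entry still works, which is why the symptom is "no FTP and no Internet" rather than "nothing at all".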
72
Q
What results will the following command yield: 'NMAP -sS -O -p 123-153 192.168.100.3'?
A. A stealth scan, opening port 123 and 153
B. A stealth scan, checking open ports 123 to 153
C. A stealth scan, checking all open ports excluding ports 123 to 153
D. A stealth scan, determine operating system, and scanning ports 123 to 153
A

D. A stealth scan, determine operating system, and scanning ports 123 to 153

73
Q
What does a type 3 code 13 represent? (Choose two.)
A. Echo request
B. Destination unreachable
C. Network unreachable
D. Administratively prohibited
E. Port unreachable
F. Time exceeded
A

B. Destination unreachable

D. Administratively prohibited
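Worked example, added here and not part of the original card: building and decoding ICMP messages in Python, so that "type 3 code 13" is read off real bytes rather than remembered. The block computes the RFC 1071 checksum, names the type and code, and, for a Destination Unreachable message, pulls the rejected flow back out of the quoted IP header and first eight transport bytes that such messages carry. The packets are constructed in the code; the type/code names come from RFC 792 and RFC 1812.

```python
import ipaddress
import struct

ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 8: "Echo Request", 11: "Time Exceeded"}
# Type 3 codes; 9, 10 and 13 are the "filtered by policy" family a firewall or ACL emits.
UNREACHABLE_CODES = {
    0: "Network unreachable", 1: "Host unreachable", 2: "Protocol unreachable", 3: "Port unreachable",
    4: "Fragmentation needed and DF set",
    9: "Communication with destination network administratively prohibited",
    10: "Communication with destination host administratively prohibited",
    13: "Communication administratively prohibited",
}


def icmp_checksum(data):
    """RFC 1071 ones-complement sum over 16-bit words, zero-padded to even length."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type, code, rest=b"\x00\x00\x00\x00", payload=b""):
    """Type, code, checksum, 4 bytes 'rest of header', then payload; checksum covers all of it."""
    body = struct.pack("!BBH", icmp_type, code, 0) + rest + payload
    return struct.pack("!BBH", icmp_type, code, icmp_checksum(body)) + rest + payload


def build_unreachable(code, src, dst, sport, dport, proto=6):
    """Constructed Destination Unreachable quoting the offending IPv4 header plus a TCP stub."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 8, 0x1234, 0x4000, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    transport = struct.pack("!HHI", sport, dport, 0)   # ports + sequence number of the blocked segment
    return build_icmp(3, code, payload=ip_hdr + transport)


def parse_icmp(raw):
    if len(raw) < 8:
        raise ValueError("ICMP header is 8 bytes, got %d" % len(raw))
    icmp_type, code, _csum = struct.unpack("!BBH", raw[:4])
    name = ICMP_TYPES.get(icmp_type, "Type %d" % icmp_type)
    if icmp_type == 3:
        name += " / " + UNREACHABLE_CODES.get(code, "code %d" % code)
    # With a correct checksum the whole message sums to all ones, so the complement is zero.
    return {"type": icmp_type, "code": code, "name": name, "checksum_ok": icmp_checksum(raw) == 0}


def blocked_flow(raw):
    """From a type 3 message, recover which flow the filtering device rejected."""
    if parse_icmp(raw)["type"] != 3:
        raise ValueError("not a Destination Unreachable message")
    inner = raw[8:]
    ihl = (inner[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return {
        "proto": inner[9],
        "src": str(ipaddress.IPv4Address(inner[12:16])),
        "dst": str(ipaddress.IPv4Address(inner[16:20])),
        "sport": sport,
        "dport": dport,
    }
```

A code 13 from a hop in the path, as opposed to silence, is what lets a scanner report a port as "filtered" with a named reason; operationally it also tells an attacker exactly which device and rule stopped the packet.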
74
Q
Which access control mechanism allows for multiple systems to use a central authentication server (CAS) that permits users to authenticate once and gain access to multiple systems?
A. Role Based Access Control (RBAC)
B. Discretionary Access Control (DAC)
C. Windows authentication
D. Single sign-on
A

D. Single sign-on

75
Q
A hacker is attempting to see which ports have been left open on a network. Which NMAP switch would the hacker use?
A. -sO
B. -sP
C. -sS
D. -sU
A

C. -sS

76
Q
The following is a sample of output from a penetration tester's machine targeting a machine with the IP address of 192.168.1.106: (see the image)
What is most likely taking place?
A. Ping sweep of the 192.168.1.106 network
B. Remote service brute force attempt
C. Port scan of 192.168.1.106
D. Denial of service attack on 192.168.1.106
A

B. Remote service brute force attempt
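Worked example for cards 28, 40 and 76, added here and not part of the original flashcard set: the three traffic patterns those cards ask you to recognise (a port scan, a SYN flood from spoofed sources, and a brute-force attempt against one service), classified from connection events in Python. The log excerpts the cards refer to are not reproduced on the page, so the event streams are constructed here; each event is one TCP segment with its flags. Flows are reduced to their handshake state first, then the three detectors count what each attack leaves behind: many distinct ports from one source, many half-open flows from many sources to one port, or many completed connections from one source to one port. The thresholds are illustrative defaults, not values from the page.

```python
from collections import defaultdict


def _ev(src, sport, dst, dport, flags):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "flags": flags}


def flow_key(ev):
    """Normalise to (client, client_port, server, server_port). SYN and ACK come from the client;
    SYN/ACK and RST are treated as the server's replies (simplification: clients can send RST too)."""
    if ev["flags"] in ("SA", "R", "RA"):
        return (ev["dst"], ev["dport"], ev["src"], ev["sport"])
    return (ev["src"], ev["sport"], ev["dst"], ev["dport"])


def flow_states(events):
    """Handshake state per flow: established, half_open (SYN+SYN/ACK, no ACK), refused, or syn_only."""
    seen = defaultdict(set)
    for ev in events:
        seen[flow_key(ev)].add(ev["flags"])
    states = {}
    for key, flags in seen.items():
        if "SA" in flags and "A" in flags:
            states[key] = "established"
        elif "SA" in flags:
            states[key] = "half_open"
        elif "R" in flags or "RA" in flags:
            states[key] = "refused"
        else:
            states[key] = "syn_only"
    return states


def analyze(events, scan_ports=15, flood_sources=50, brute_conns=10):
    states = flow_states(events)
    ports_by_pair = defaultdict(set)          # (client, server) -> server ports touched
    half_open_by_service = defaultdict(set)   # (server, port) -> clients stuck in half-open
    estab_by_triplet = defaultdict(int)       # (client, server, port) -> completed handshakes
    for (client, _cport, server, sport), state in states.items():
        ports_by_pair[(client, server)].add(sport)
        if state == "half_open":
            half_open_by_service[(server, sport)].add(client)
        if state == "established":
            estab_by_triplet[(client, server, sport)] += 1
    findings = []
    for (client, server), ports in ports_by_pair.items():
        if len(ports) >= scan_ports:
            findings.append({"type": "port_scan", "src": client, "dst": server, "ports": len(ports)})
    for (server, sport), clients in half_open_by_service.items():
        if len(clients) >= flood_sources:
            findings.append({"type": "syn_flood", "dst": server, "dport": sport, "sources": len(clients)})
    for (client, server, sport), n in estab_by_triplet.items():
        if n >= brute_conns:
            findings.append({"type": "brute_force", "src": client, "dst": server, "dport": sport, "connections": n})
    return sorted(findings, key=lambda f: f["type"])


# Constructed samples. Port scan: one source probes 40 ports, only 22 and 80 answer SYN/ACK.
def port_scan_sample():
    evs = []
    for p in range(1, 41):
        evs.append(_ev("10.0.0.252", 40000 + p, "10.0.0.2", p, "S"))
        evs.append(_ev("10.0.0.2", p, "10.0.0.252", 40000 + p, "SA" if p in (22, 80) else "RA"))
    return evs


# SYN flood: 60 spoofed sources, each sends one SYN to port 80 and never completes the handshake.
def syn_flood_sample():
    evs = []
    for i in range(60):
        src = "198.51.100.%d" % (i + 1)
        evs.append(_ev(src, 1024 + i, "10.0.0.2", 80, "S"))
        evs.append(_ev("10.0.0.2", 80, src, 1024 + i, "SA"))
    return evs


# Brute force: one source completes 30 connections to SSH on 192.168.1.106.
def brute_force_sample():
    evs = []
    for i in range(30):
        sp = 50000 + i
        evs += [_ev("10.0.0.99", sp, "192.168.1.106", 22, "S"),
                _ev("192.168.1.106", 22, "10.0.0.99", sp, "SA"),
                _ev("10.0.0.99", sp, "192.168.1.106", 22, "A")]
    return evs
```

The handshake-state step is what separates the three: a scanner leaves mostly refused flows across many ports, a SYN flood leaves half-open flows from addresses that never ACK (the queue exhaustion card 40 describes), and a brute-force client keeps completing handshakes to the same port.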
77
Q
Company XYZ has asked you to assess the security of their perimeter email gateway. From your office in New York, you craft a specially formatted email message and send it across the Internet to an employee of Company XYZ. The employee of Company XYZ is aware of your test. Your email message looks like this:
From: jim_miller@companyxyz.com
To: michelle_saunders@companyxyz.com
Subject: Test message
Date: 4/3/2017 14:37
The employee of Company XYZ receives your email message. This proves that Company XYZ's email gateway doesn't prevent what?
A. Email Phishing
B. Email Masquerading
C. Email Spoofing
D. Email Harvesting
A

C. Email Spoofing

78
Q
Which of the following LM hashes represent a password of less than 8 characters? (Choose two.)
A. BA810DBA98995F1817306D272A9441BB
B. 44EFCE164AB921CQAAD3B435B51404EE
C. 0182BD0BD4444BF836077A718CCDF409
D. CEC52EB9C8E3455DC2265B23734E0DAC
E. B757BF5C0D87772FAAD3B435B51404EE
F. E52CAC67419A9A224A3B108F3FA6CB6D
A

B. 44EFCE164AB921CQAAD3B435B51404EE

E. B757BF5C0D87772FAAD3B435B51404EE
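Worked example for cards 6 and 78, added here and not part of the original flashcard set: the LM preprocessing in Python, which is where all three of card 6's properties and card 78's trick come from. The password is upper-cased, cut or NUL-padded to 14 bytes and split into two 7-byte halves; each half becomes a DES key and encrypts the constant "KGS!@#$%". A password of 7 characters or fewer leaves the second half all NUL, so its ciphertext is always AAD3B435B51404EE, which is what card 78 asks you to spot. The standard library has no DES, so the full hash is computed only if the pycryptodome package is importable (an assumption; the preprocessing and the short-password check need no third-party code). Encoding is simplified to ASCII; real LM used the OEM code page.

```python
import binascii

LM_MAGIC = b"KGS!@#$%"
EMPTY_HALF = "AAD3B435B51404EE"   # DES_k(LM_MAGIC) for the key derived from seven NUL bytes
HEX_DIGITS = set("0123456789ABCDEF")


def lm_halves(password):
    """Upper-case, truncate/pad to 14 bytes, split into two 7-byte halves (card 6: properties I and II)."""
    pw = password.upper().encode("ascii", "replace")[:14].ljust(14, b"\x00")
    return pw[:7], pw[7:]


def des_key_from_7(k7):
    """Spread 56 key bits over 8 bytes, 7 bits per byte, odd parity in the low bit."""
    bits = int.from_bytes(k7, "big")
    out = bytearray()
    for i in range(8):
        b = ((bits >> (49 - 7 * i)) & 0x7F) << 1
        if bin(b).count("1") % 2 == 0:
            b |= 1
        out.append(b)
    return bytes(out)


def lm_hash(password):
    """Full LM hash as 32 upper-case hex chars, or None when no DES implementation is available.
    Assumption: pycryptodome provides Crypto.Cipher.DES; nothing in the stdlib does."""
    try:
        from Crypto.Cipher import DES
    except ImportError:
        return None
    try:
        out = b"".join(DES.new(des_key_from_7(h), DES.MODE_ECB).encrypt(LM_MAGIC) for h in lm_halves(password))
    except ValueError:
        return None
    return binascii.hexlify(out).decode().upper()


def is_lm_hex(text):
    h = text.strip().upper()
    return len(h) == 32 and set(h) <= HEX_DIGITS


def lm_status(lm_hex):
    """'empty' for no password, 'short' for 1-7 characters, 'long' for 8-14 (card 78's question)."""
    h = lm_hex.strip().upper()
    if not is_lm_hex(h):
        raise ValueError("not an LM hash: %r" % lm_hex)
    if h == EMPTY_HALF * 2:
        return "empty"
    return "short" if h[16:] == EMPTY_HALF else "long"


def short_password_hashes(hashes):
    """Return the hashes whose second half betrays a password of fewer than 8 characters."""
    return [h for h in hashes if lm_status(h) in ("empty", "short")]
```

Because each half is attacked independently, a 14-character LM password costs no more than two 7-character ones, which together with the upper-casing is why card 6's third property (tens of millions of guesses per second on ordinary hardware) holds. Note that card 78's option B, as printed, contains a "Q" and so is not valid hex; `lm_status` rejects it rather than guessing, although its visible second half is the empty-half constant.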
79
Q
A software tester is randomly generating invalid inputs in an attempt to crash the program. Which of the following is a software testing technique used to determine if a software program properly handles a wide range of invalid input?
A. Mutating
B. Randomizing
C. Fuzzing
D. Bounding
A

C. Fuzzing

80
Q
SOAP services use which technology to format information?
A. SATA
B. PCI
C. XML
D. ISDN
A

C. XML

81
Q
Which type of sniffing technique is generally referred to as a MiTM attack?
A. Password Sniffing
B. ARP Poisoning
C. Mac Flooding
D. DHCP Sniffing
A

B. ARP Poisoning

82
Q
When security and confidentiality of data within the same LAN is of utmost priority, which IPSec mode should you implement?
A. AH Tunnel mode
B. AH promiscuous
C. ESP transport mode
D. ESP confidential
A

C. ESP transport mode

83
Q
You're doing an internal security audit and you want to find out what ports are open on all the servers. What is the best way to find out?
A. Scan servers with Nmap
B. Physically go to each server
C. Scan servers with MBSA
D. Telnet to every port on each server
A

A. Scan servers with Nmap

84
Q
Session splicing is an IDS evasion technique in which an attacker delivers data in multiple, small-sized packets to the target computer, making it very difficult for an IDS to detect the attack signatures. Which tool can be used to perform session splicing attacks?
A. Whisker
B. tcpsplice
C. Burp
D. Hydra
A

A. Whisker

85
Q
A penetration tester was hired to perform a penetration test for a bank. The tester began searching for IP ranges owned by the bank, performing lookups on the bank's DNS servers, reading news articles online about the bank, watching what times the bank employees come into work and leave from work, searching the bank's job postings (paying special attention to IT related jobs), and visiting the local dumpster for the bank's corporate office. What phase of the penetration test is the tester currently in?
A. Information reporting
B. Vulnerability assessment
C. Active information gathering
D. Passive information gathering
A

D. Passive information gathering
86
``` Advanced encryption standard is an algorithm used for which of the following? A. Data integrity B. Key discovery C. Bulk data encryption D. Key recovery ```
C. Bulk data encryption
87
``` Which of the following tools can be used to perform a zone transfer? A. NSLookup B. Finger C. Dig D. Sam Spade E. Host F. Netcat G. Neotrace ```
A. NSLookup C. Dig D. Sam Spade E. Host
88
By using a smart card and pin, you are using a two-factor authentication that satisfies A. Something you know and something you are B. Something you have and something you know C. Something you have and something you are D. Something you are and something you remember
B. Something you have and something you know
89
Your business has decided to add credit card numbers to the data it backs up to tape. Which of the following represents the best practice your business should observe? A. Hire a security consultant to provide direction. B. Do not back up either the credit card numbers or their hashes. C. Back up the hashes of the credit card numbers, not the actual credit card numbers. D. Encrypt backup tapes that are sent off-site.
A. Hire a security consultant to provide direction.
90
You are performing a penetration test. You achieved access via a buffer overflow exploit and you proceed to find interesting data, such as files with usernames and passwords. You find a hidden folder that has the administrator's bank account password and login information for the administrator's bitcoin account. What should you do? A. Report immediately to the administrator B. Do not report it and continue the penetration test. C. Transfer money from the administrator's account to another account. D. Do not transfer the money but steal the bitcoins.
A. Report immediately to the administrator
91
A company's policy requires employees to perform file transfers using protocols which encrypt traffic. You suspect some employees are still performing file transfers using unencrypted protocols because the employees do not like changes. You have positioned a network sniffer to capture traffic from the laptops used by employees in the data ingest department. Using Wireshark to examine the captured traffic, which command can be used as a display filter to find unencrypted file transfers? A. tcp.port != 21 B. tcp.port = 23 C. tcp.port ==21 D. tcp.port ==21 || tcp.port ==22
C. tcp.port ==21
92
Some clients of TPNQM SA were redirected to a malicious site when they tried to access the TPNQM main site. Bob, a system administrator at TPNQM SA, found that they were victims of DNS Cache Poisoning. What should Bob recommend to deal with such a threat? A. The use of security agents in clients' computers B. The use of DNSSEC C. The use of double-factor authentication D. Client awareness
B. The use of DNSSEC
93
During a security audit of IT processes, an IS auditor found that there were no documented security procedures. What should the IS auditor do? A. Identify and evaluate existing practices B. Create a procedures document C. Conduct compliance testing D. Terminate the audit
A. Identify and evaluate existing practices
94
A company's Web development team has become aware of a certain type of security vulnerability in their Web software. To mitigate the possibility of this vulnerability being exploited, the team wants to modify the software requirements to disallow users from entering HTML as input into their Web application. What kind of Web application vulnerability likely exists in their software? A. Cross-site scripting vulnerability B. Cross-site Request Forgery vulnerability C. SQL injection vulnerability D. Web site defacement vulnerability
A. Cross-site scripting vulnerability
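As an added example (not from the original card set), the vulnerable and hardened forms of the rendering code in Python. Refusing HTML on input, as the card's team proposes, is one control; the standard one is to encode untrusted data on output for the context it lands in, because a value that is harmless in an HTML body can still break out of a quoted attribute. The payloads and templates are constructed for the illustration.

```python
import html

PAYLOAD_BODY = "<script>alert(document.cookie)</script>"   # constructed: injects a tag into the body
PAYLOAD_ATTR = '" onfocus="alert(1)'                         # constructed: closes a quoted attribute

def render_comment_unsafe(comment: str) -> str:
    # Vulnerable: untrusted input is concatenated straight into the page.
    return f'<p class="comment">{comment}</p>'

def render_comment_safe(comment: str) -> str:
    # Hardened: encode for the HTML body context, so < > & render as text.
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'

def render_input_unsafe(value: str) -> str:
    # Vulnerable: a quote in the value ends the attribute and lets the input add its own.
    return f'<input type="text" value="{value}">'

def render_input_safe(value: str) -> str:
    # Attribute context: quote=True also encodes " and ' so the value cannot close the attribute.
    return f'<input type="text" value="{html.escape(value, quote=True)}">'

if __name__ == "__main__":
    print(render_comment_unsafe(PAYLOAD_BODY))
    print(render_comment_safe(PAYLOAD_BODY))
    print(render_input_unsafe(PAYLOAD_ATTR))
    print(render_input_safe(PAYLOAD_ATTR))
```

Data placed inside a script block or a URL needs JavaScript or URL encoding instead; HTML escaping alone is not sufficient in those contexts.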
95
Which of the following defines the role of a root Certificate Authority (CA) in a Public Key Infrastructure (PKI)? A. The root CA is the recovery agent used to encrypt data when a user's certificate is lost. B. The root CA stores the user's hash value for safekeeping. C. The CA is the trusted root that issues certificates. D. The root CA is used to encrypt email messages to prevent unintended disclosure of data.
C. The CA is the trusted root that issues certificates.
96
``` Which service in a PKI will vouch for the identity of an individual or company? A. KDC B. CA C. CR D. CBC ```
B. CA
97
It is a vulnerability in GNU's bash shell, discovered in September of 2014, that gives attackers access to run remote commands on a vulnerable system. The malicious software can take control of an infected machine, launch denial-of-service attacks to disrupt websites, and scan for other vulnerable devices (including routers). Which of the following vulnerabilities is being described? A. Shellshock B. Rootshock C. Rootshell D. Shellbash
A. Shellshock
98
``` What is the term coined for logging, recording and resolving events in a company? A. Internal Procedure B. Security Policy C. Incident Management Process D. Metrics ```
C. Incident Management Process
99
``` Windows file servers commonly hold sensitive files, databases, passwords and more. Which of the following choices would be a common vulnerability that usually exposes them? A. Cross-site scripting B. SQL injection C. Missing patches D. CRLF injection ```
C. Missing patches
100
``` Study the following log extract and identify the attack. (See image.) A. Hexcode Attack B. Cross Site Scripting C. Multiple Domain Traversal Attack D. Unicode Directory Traversal Attack ```
D. Unicode Directory Traversal Attack
101
Password cracking programs reverse the hashing process to recover passwords. (True/False) A. True B. False
B. False
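As an added example (not from the original card set), what a cracker actually does in Python: hash each candidate and compare, either from a precomputed table (hash to password, which only works while the hash is unsalted) or by guessing against the stored salt. Nothing is reversed. The wordlist and salt are constructed for the illustration; SHA-256 is used because it is fast, which is exactly why it is the wrong choice for storing passwords, as the last function shows.

```python
import hashlib
import os

WORDLIST = ["password", "letmein", "Summer2024", "qwerty", "dragon"]   # constructed wordlist

def sha256_hex(password: str, salt: bytes = b"") -> str:
    return hashlib.sha256(salt + password.encode()).hexdigest()

def build_lookup_table(wordlist) -> dict:
    """Precompute hash -> password once; useful only against unsalted hashes."""
    return {sha256_hex(word): word for word in wordlist}

def crack_by_lookup(target_hash: str, table: dict):
    return table.get(target_hash)

def crack_by_guessing(target_hash: str, salt: bytes, wordlist):
    """Hash every candidate with the stored salt and compare; the salt forces this per hash."""
    for candidate in wordlist:
        if sha256_hex(candidate, salt) == target_hash:
            return candidate
    return None

def new_salt() -> bytes:
    return os.urandom(16)

def store_password_slow(password: str, salt: bytes, iterations: int = 600_000) -> str:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256): each guess now costs `iterations` hashes."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()

if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted, table lookup:", crack_by_lookup(sha256_hex("letmein"), table))
    salt = new_salt()
    salted = sha256_hex("letmein", salt)
    print("salted, table lookup:", crack_by_lookup(salted, table))
    print("salted, guessing:", crack_by_guessing(salted, salt, WORDLIST))
```

Salting defeats precomputation; only a slow hash (PBKDF2, bcrypt, scrypt, Argon2) and a password outside any wordlist raise the cost of guessing itself.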
102
What does a firewall check to prevent particular ports and applications from getting packets into an organization? A. Transport layer port numbers and application layer headers B. Presentation layer headers and the session layer port numbers C. Network layer headers and the session layer port numbers D. Application layer port numbers and the transport layer headers
A. Transport layer port numbers and application layer headers
103
While reviewing the results of a scan run against a target network, you come across the following: Which among the following can be used to get this output? A. A Bo2k system query. B. nmap protocol scan C. A sniffer D. An SNMP walk
D. An SNMP walk
104
``` _________ is a tool that can hide processes from the process list, can hide files, registry entries, and intercept keystrokes. A. Trojan B. RootKit C. DoS tool D. Scanner E. Backdoor ```
B. RootKit
105
``` Which of the following is a client-server tool utilized to evade firewall inspection? A. tcp-over-dns B. kismet C. nikto D. hping ```
A. tcp-over-dns
106
``` Which of the following scanning tools is specifically designed to find potential exploits in Microsoft Windows products? A. Microsoft Security Baseline Analyzer B. Retina C. Core Impact D. Microsoft Baseline Security Analyzer ```
D. Microsoft Baseline Security Analyzer
107
Which set of access control solutions implements two-factor authentication? A. USB token and PIN B. Fingerprint scanner and retina scanner C. Password and PIN D. Account and password
A. USB token and PIN
108
An attacker is using nmap to do a ping sweep and a port scan in a subnet of 254 addresses. In which order should he perform these steps? A. The sequence does not matter. Both steps have to be performed against all hosts. B. First the port scan to identify interesting services and then the ping sweep to find hosts responding to icmp echo requests. C. First the ping sweep to identify live hosts and then the port scan on the live hosts. This way he saves time. D. The port scan alone is adequate. This way he saves time.
C. First the ping sweep to identify live hosts and then the port scan on the live hosts. This way he saves time.
109
``` Which type of intrusion detection system can monitor and alert on attacks, but cannot stop them? A. Detective B. Passive C. Intuitive D. Reactive ```
B. Passive
110
In the field of cryptanalysis, what is meant by a "rubber-hose" attack? A. Attempting to decrypt cipher text by making logical assumptions about the contents of the original plain text. B. Extraction of cryptographic secrets through coercion or torture. C. Forcing the targeted key stream through a hardware-accelerated device such as an ASIC. D. A backdoor placed into a cryptographic algorithm by its creator.
B. Extraction of cryptographic secrets through coercion or torture.
111
An attacker has been successfully modifying the purchase price of items purchased on the company's web site. The security administrators verify the web server and Oracle database have not been compromised directly. They have also verified the Intrusion Detection System (IDS) logs and found no attacks that could have caused this. What is the most likely way the attacker has been able to modify the purchase price? A. By using SQL injection B. By changing hidden form values C. By using cross site scripting D. By utilizing a buffer overflow attack
B. By changing hidden form values
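As an added example (not from the original card set), the vulnerable and hardened checkout logic in Python. A hidden form field is just another client-controlled parameter; a tampered POST looks like a normal order to the IDS and to the database, which is why nothing in the card's logs shows an attack. The fix is to never take price from the client; where a value genuinely must round-trip through the browser, bind it with an HMAC. The catalog, key and form data are constructed for the illustration.

```python
import hmac
import hashlib

CATALOG = {"SKU-100": 4999, "SKU-200": 12999}   # constructed: prices in cents
SECRET_KEY = b"constructed-server-side-key"      # constructed; must never reach the browser

def checkout_vulnerable(form: dict) -> dict:
    """Trusts hidden fields: price comes from the client, so a tampered form sets the total."""
    return {"sku": form["sku"], "total": int(form["price"]) * int(form["qty"])}

def checkout_hardened(form: dict) -> dict:
    """Ignores any client-supplied price and prices the order from server-side state."""
    sku, qty = form["sku"], int(form["qty"])
    if sku not in CATALOG or not 1 <= qty <= 100:
        raise ValueError("invalid order")
    return {"sku": sku, "total": CATALOG[sku] * qty}

def sign_field(value: str) -> str:
    """For values that must round-trip through the client, emit value plus an HMAC over it."""
    return hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()

def verify_field(value: str, signature: str) -> bool:
    """Constant-time comparison, so the check itself does not leak the tag byte by byte."""
    return hmac.compare_digest(sign_field(value), signature)

if __name__ == "__main__":
    tampered = {"sku": "SKU-200", "price": "1", "qty": "1"}   # constructed: attacker edited the hidden price
    print("vulnerable total:", checkout_vulnerable(tampered)["total"])
    print("hardened total:", checkout_hardened(tampered)["total"])
```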
112
``` Which of the following is an extremely common IDS evasion technique in the web world? A. unicode characters B. spyware C. port knocking D. subnetting ```
A. unicode characters
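As an added example (not from the original card set) serving both the log-extract card above and this one, a Python detector for Unicode (overlong UTF-8) directory traversal. Overlong sequences such as %c0%af encode "/" in a form that a correct UTF-8 decoder rejects, so a filter that checked for "../" before decoding never saw the traversal while the flawed decoder behind it did. The detector percent-decodes repeatedly (catching %252e double encoding), decodes bytes leniently to reproduce what the vulnerable decoders did, folds backslashes, and only then looks for "../". The log lines and their format are constructed, not a real server log.

```python
from urllib.parse import unquote_to_bytes

# Constructed log lines in the form "<client> <method> <request> <status>"; not a real log.
LOG_LINES = [
    "10.0.0.5 GET /index.html 200",
    "10.0.0.7 GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir 200",
    "10.0.0.7 GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir 200",
    "10.0.0.8 GET /images/%2e%2e/%2e%2e/etc/passwd 404",
    "10.0.0.9 GET /docs/%252e%252e/secret.txt 404",
    "10.0.0.3 GET /products?id=42 200",
]

def lenient_utf8_decode(data: bytes) -> str:
    """Decode UTF-8 the way the flawed decoders did: accept overlong 2- and 3-byte forms.
    0xC0 0xAF is an overlong '/', 0xC1 0x9C an overlong backslash; strict decoders reject both."""
    out = []
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:
            out.append(chr(b)); i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < n and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))); i += 2
        elif 0xE0 <= b <= 0xEF and i + 2 < n and all(0x80 <= data[i + k] <= 0xBF for k in (1, 2)):
            out.append(chr(((b & 0x0F) << 12) | ((data[i + 1] & 0x3F) << 6) | (data[i + 2] & 0x3F))); i += 3
        else:
            out.append("\ufffd"); i += 1
    return "".join(out)

def strict_utf8_rejects(data: bytes) -> bool:
    """True when Python's standard (correct) UTF-8 decoder refuses the bytes."""
    try:
        data.decode("utf-8")
        return False
    except UnicodeDecodeError:
        return True

def canonicalize(request: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (handles %252e double encoding), decode leniently,
    then fold backslashes to forward slashes so ..\\ and ../ look the same."""
    current = request
    for _ in range(max_rounds):
        decoded = lenient_utf8_decode(unquote_to_bytes(current))
        if decoded == current:
            break
        current = decoded
    return current.replace("\\", "/")

def is_traversal(request: str) -> bool:
    canon = canonicalize(request)
    return "../" in canon or canon.endswith("/..")

def scan_log(lines):
    """Return (client, canonical request) for every line that decodes to a traversal."""
    hits = []
    for line in lines:
        client, _method, request, _status = line.split(" ", 3)
        if is_traversal(request):
            hits.append((client, canonicalize(request)))
    return hits

if __name__ == "__main__":
    for client, canon in scan_log(LOG_LINES):
        print(client, canon)
```

The general lesson is canonicalize-then-check: any filter that inspects a path before the server has finished decoding it can be bypassed by an encoding the filter does not understand.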
113
This configuration allows a wired or wireless network interface controller to pass all the traffic it receives to the central processing unit (CPU), rather than passing only the frames that the controller is intended to receive. Which of the following is being described? A. promiscuous mode B. port forwarding C. multi-cast mode D. WEM
A. promiscuous mode
114
Bob, a system administrator at TPNQM SA, concluded one day that a DMZ is not needed if he properly configures the firewall to allow access only to the servers and ports that must have direct internet access, and blocks access to the workstations. Bob also concluded that a DMZ makes sense only when a stateful firewall is available, which is not the case at TPNQM SA. In this context, what can you say? A. Bob can be right since DMZ does not make sense when combined with stateless firewalls B. Bob is partially right. He does not need to separate networks if he can create rules by destination IPs, one by one C. Bob is totally wrong. DMZ is always relevant when the company has internet servers and workstations D. Bob is partially right. DMZ does not make sense when a stateless firewall is available
C. Bob is totally wrong. DMZ is always relevant when the company has internet servers and workstations
115
Which address translation scheme would allow a single public IP address to always correspond to a single machine on an internal network, allowing "server publishing"? A. Overloading Port Address Translation B. Dynamic Port Address Translation C. Dynamic Network Address Translation D. Static Network Address Translation
D. Static Network Address Translation
116
``` Which of the following is a passive wireless packet analyzer that works on Linux-based systems? A. Burp Suite B. OpenVAS C. tshark D. Kismet ```
D. Kismet
117
Which of the following is the greatest threat posed by backups? A. A backup is the source of Malware or illicit information. B. A backup is unavailable during disaster recovery. C. A backup is incomplete because no verification was performed. D. An un-encrypted backup can be misplaced or stolen.
D. An un-encrypted backup can be misplaced or stolen.
118
``` Which type of scan sends packets with no flags set? A. Open Scan B. Null Scan C. Xmas Scan D. Half-Open Scan ```
B. Null Scan
119
Ricardo wants to send secret messages to a competitor company. To secure these messages, he uses a technique of hiding a secret message within an ordinary message. The technique provides 'security through obscurity'. What technique is Ricardo using? A. Steganography B. Public-key cryptography C. RSA algorithm D. Encryption
A. Steganography
120
Employees in a company are no longer able to access Internet web sites on their computers. The network administrator is able to successfully ping the IP addresses of web servers on the Internet and is able to open web sites by using an IP address in place of the URL. The administrator runs the nslookup command for www.eccouncil.org and receives an error message stating there is no response from the server. What should the administrator do next? A. Configure the firewall to allow traffic on TCP port 53 and UDP port 53. B. Configure the firewall to allow traffic on TCP port 80 and UDP port 443. C. Configure the firewall to allow traffic on TCP port 53. D. Configure the firewall to allow traffic on TCP port 8080.
A. Configure the firewall to allow traffic on TCP ports 53 and UDP port 53.
121
Which of the following BEST describes the mechanism of a Boot Sector Virus? A. Moves the MBR to another location on the hard disk and copies itself to the original location of the MBR B. Moves the MBR to another location on the RAM and copies itself to the original location of the MBR C. Overwrites the original MBR and only executes the new virus code D. Modifies directory table entries so that directory entries point to the virus code instead of the actual program
A. Moves the MBR to another location on the hard disk and copies itself to the original location of the MBR
122
You are looking for SQL injection vulnerability by sending a special character to web applications. Which of the following is the most useful for quick validation? A. Double quotation B. Backslash C. Semicolon D. Single quotation
D. Single quotation
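As an added example (not from the original card set), why the single quote is the quick probe, shown in Python against an in-memory SQLite database. In the string-concatenating query the lone quote unbalances the SQL and produces a database error, the signal a tester looks for; the classic `' OR '1'='1` then returns every row. With a parameterized query the same inputs are bound as literal values and neither effect occurs. The table and rows are constructed for the illustration.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed sample data; not from any real application."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn

def lookup_vulnerable(conn, name: str):
    # Vulnerable: user input is spliced into the SQL text, so quotes change the query.
    sql = f"SELECT id, name FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, name: str):
    # Hardened: the driver binds the value; a quote is just a character in a string.
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()

def probe(conn, lookup, payload: str):
    """Run one payload and report ('error', message) or ('rows', rows), as a tester would read it."""
    try:
        return ("rows", lookup(conn, payload))
    except sqlite3.Error as exc:
        return ("error", str(exc))

if __name__ == "__main__":
    conn = make_db()
    for payload in ("'", "x' OR '1'='1"):
        print("vulnerable", repr(payload), probe(conn, lookup_vulnerable, payload))
        print("safe      ", repr(payload), probe(conn, lookup_safe, payload))
```

A verbose database error is the convenient signal, but a hardened application that suppresses errors is not thereby fixed; the quote still reaches the parser, which is why blind and time-based techniques exist.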
123
Why should the security analyst disable/remove unnecessary ISAPI filters? A. To defend against social engineering attacks B. To defend against webserver attacks C. To defend against jailbreaking D. To defend against wireless attacks
B. To defend against webserver attacks
124
When a security analyst prepares for the formal security assessment, which of the following should be done in order to determine inconsistencies in the secure assets database and verify that the system is compliant with the minimum security baseline? A. Data items and vulnerability scanning B. Interviewing employees and network engineers C. Reviewing the firewalls configuration D. Source code review
A. Data items and vulnerability scanning
125
It is a regulation that has a set of guidelines, which should be adhered to by anyone who handles any electronic medical data. These guidelines stipulate that all medical practices must ensure that all necessary measures are in place while saving, accessing, and sharing any electronic medical data to keep patient data secure. Which of the following regulations best matches the description? A. HIPAA B. ISO/IEC 27002 C. COBIT D. FISMA
A. HIPAA