Exam 6 Flashcards

1
Q
For messages sent through an insecure channel, a properly implemented digital signature gives the receiver reason to believe the message was sent by the claimed sender. While using a digital signature, the message digest is encrypted with which key?
A. Sender's public key
B. Receiver's private key
C. Receiver's public key
D. Sender's private key
A

D. Sender’s private key

2
Q

One advantage of an application-level firewall is the ability to
A. filter packets at the network level.
B. filter specific commands, such as http:post.
C. retain state information for each packet.
D. monitor tcp handshaking.

A

B. filter specific commands, such as http:post.

3
Q

Jesse receives an email with an attachment labeled “Court_Notice_21206.zip”. Inside the zip file is a file named “Court_Notice_21206.docx.exe” disguised as a Word document. Upon execution, a window appears stating, “This word document is corrupt.” In the background, the file copies itself to Jesse's APPDATA\local directory and begins to beacon to a C2 server to download additional malicious binaries.
What type of malware has Jesse encountered?
A. Trojan
B. Worm
C. Macro Virus
D. Key-Logger

A

A. Trojan

4
Q

Rebecca commonly sees an error on her Windows system that states that a Data Execution Prevention (DEP) error has taken place. Which of the following is most likely taking place?
A. A race condition is being exploited, and the operating system is containing the malicious process.
B. A page fault is occurring, which forces the operating system to write data from the hard drive.
C. Malware is executing in either ROM or a cache memory area.
D. Malicious code is attempting to execute instruction in a non-executable memory region.

A

D. Malicious code is attempting to execute instruction in a non-executable memory region.

5
Q

Insecure direct object reference is a type of vulnerability where the application does not verify if the user is authorized to access the internal object via its name or key. Suppose a malicious user Rob tries to get access to the account of a benign user Ned. Which of the following requests best illustrates an attempt to exploit an insecure direct object reference vulnerability?
A. “GET/restricted/goldtransfer?to=Rob&from=1 or 1=1’ HTTP/1.1Host: westbank.com”
B. “GET/restricted/accounts/?name=Ned HTTP/1.1 Host: westbank.com”
C. “GET/restricted/bank.getaccount(‘Ned’) HTTP/1.1 Host: westbank.com”
D. “GET/restricted/\r\n\%00account%00Ned%00access HTTP/1.1 Host: westbank.com”

A

B. “GET/restricted/accounts/?name=Ned HTTP/1.1 Host: westbank.com”

6
Q

Based on the below log, which of the following sentences are true?
Mar 1, 2016, 7:33:28 AM 10.240.250.23 - 54373 10.249.253.15 - 22 tcp_ip
A. SSH communications are encrypted; it’s impossible to know who is the client or the server
B. Application is FTP and 10.240.250.23 is the client and 10.249.253.15 is the server
C. Application is SSH and 10.240.250.23 is the client and 10.249.253.15 is the server
D. Application is SSH and 10.240.250.23 is the server and 10.249.253.15 is the server

A

C. Application is SSH and 10.240.250.23 is the client and 10.249.253.15 is the server

7
Q

Which of the statements concerning proxy firewalls is correct?
A. Proxy firewalls increase the speed and functionality of a network.
B. Firewall proxy servers decentralize all activity for an application.
C. Proxy firewalls block network packets from passing to and from a protected network.
D. Computers establish a connection with a proxy firewall which initiates a new network connection for the client.

A

D. Computers establish a connection with a proxy firewall which initiates a new network connection for the client.

8
Q

A new wireless client is configured to join an 802.11 network. This client uses the same hardware and software as many of the other clients on the network. The client can see the network, but cannot connect. A wireless packet sniffer shows that the Wireless Access Point (WAP) is not responding to the association requests being sent by the wireless client.
What is a possible source of this problem?
A. The WAP does not recognize the client’s MAC address
B. The client cannot see the SSID of the wireless network
C. Client is configured for the wrong channel
D. The wireless client is not configured to use DHCP

A

A. The WAP does not recognize the client’s MAC address

9
Q
Which method of password cracking takes the most time and effort?
A. Brute force
B. Rainbow tables
C. Dictionary attack
D. Shoulder surfing
A

A. Brute force

10
Q
How can rainbow tables be defeated?
A. Password salting
B. Use of non-dictionary words
C. All uppercase character passwords
D. Lockout accounts under brute force password cracking attempts
A

A. Password salting

11
Q
When creating a security program, which approach would be used if senior management is supporting and enforcing the security policy?
A. A bottom-up approach
B. A top-down approach
C. A senior creation approach
D. An IT assurance approach
A

B. A top-down approach

12
Q

The “white box testing” methodology enforces what kind of restriction?
A. The internal operation of a system is completely known to the tester.
B. Only the external operation of a system is accessible to the tester.
C. Only the internal operation of a system is known to the tester.
D. The internal operation of a system is only partly accessible to the tester.

A

A. The internal operation of a system is completely known to the tester.

13
Q
You are attempting to crack LM (LAN Manager) hashes from a Windows 2000 SAM file. You will be using an LM brute-force hacking tool for decryption. What encryption algorithm will you be decrypting?
A. MD4
B. DES
C. SHA
D. SSL
A

B. DES

14
Q

Which of the following business challenges could be solved by using a vulnerability scanner?
A. Auditors want to discover if all systems are following a standard naming convention.
B. A web server was compromised and management needs to know if any further systems were compromised.
C. There is an emergency need to remove administrator access from multiple machines for an employee that quit.
D. There is a monthly requirement to test corporate compliance with host application usage and security policies.

A

D. There is a monthly requirement to test corporate compliance with host application usage and security policies.

15
Q

What is the main advantage that a network-based IDS/IPS system has over a host-based solution?
A. They do not use host system resources.
B. They are placed at the boundary, allowing them to inspect all traffic.
C. They are easier to install and configure.
D. They will not interfere with user interfaces.

A

A. They do not use host system resources.

16
Q
An attacker sniffs encrypted traffic from the network and is subsequently able to decrypt it. The attacker can now use which cryptanalytic technique to attempt to discover the encryption key?
A. Birthday attack
B. Plaintext attack
C. Meet in the middle attack
D. Chosen ciphertext attack
A

D. Chosen ciphertext attack

17
Q

One of the Forbes 500 companies has been subjected to a large scale attack. You are one of the shortlisted pen testers that they may hire. During the interview with the CIO, he emphasized that he wants to totally eliminate all risks. What is one of the first things you should do when hired?
A. Interview all employees in the company to rule out possible insider threats.
B. Establish attribution to suspected attackers.
C. Explain to the CIO that you cannot eliminate all risk, but you will be able to reduce risk to acceptable levels.
D. Start the Wireshark application to start sniffing network traffic.

A

C. Explain to the CIO that you cannot eliminate all risk, but you will be able to reduce risk to acceptable levels.

18
Q
Which of the following types of firewall inspects only header information in network traffic?
A. Packet filter
B. Stateful inspection
C. Circuit-level gateway
D. Application-level gateway
A

A. Packet filter

19
Q
In which of the following password protection techniques are random strings of characters added to the password before calculating its hash?
A. Keyed Hashing
B. Key Stretching
C. Salting
D. Double Hashing
A

C. Salting

20
Q
An analyst investigating proxy logs found that one of the internal users visited a website hosting suspicious JavaScript files. After opening one of them, he noticed that the code is very hard to understand and that it differs from typical JavaScript. What is the name of this technique for hiding the code and extending analysis time?
A. Encryption
B. Code encoding
C. Obfuscation
D. Steganography
A

C. Obfuscation

21
Q
You've just gained root access to a CentOS 6 server after days of trying. What tool should you use to maintain access?
A. Disable Key Services
B. Create User Account
C. Download and Install Netcat
D. Disable IPTables
A

B. Create User Account

22
Q

E-mail scams and mail fraud are regulated by which of the following?
A. 18 U.S.C. par. 1030 Fraud and Related activity in connection with Computers
B. 18 U.S.C. par. 1029 Fraud and Related activity in connection with Access Devices
C. 18 U.S.C. par. 1362 Communication Lines, Stations, or Systems
D. 18 U.S.C. par. 2510 Wire and Electronic Communications Interception and Interception of Oral Communication

A

A. 18 U.S.C. par. 1030 Fraud and Related activity in connection with Computers

23
Q
The chance of a hard drive failure is known to be once every four years. The cost of a new hard drive is $500. EF (Exposure Factor) is about 0.5. Calculate for the Annualized Loss Expectancy (ALE).
A. $62.5
B. $250
C. $125
D. $65.2
A

A. $62.5

24
Q

A user on your Windows 2000 network has discovered that he can use L0phtcrack to sniff the SMB exchanges which carry user logons. The user is plugged into a hub with 23 other systems. However, he is unable to capture any logons though he knows that other users are logging in. What do you think is the most likely reason behind this?
A. There is a NIDS present on that segment.
B. Kerberos is preventing it.
C. Windows logons cannot be sniffed.
D. L0phtcrack only sniffs logons to web servers.

A

B. Kerberos is preventing it.

25
Q
In the software security development life cycle process, threat modeling occurs in which phase?
A. Design
B. Requirements
C. Verification
D. Implementation
A

A. Design

26
Q
Your team has won a contract to infiltrate an organization. The company wants to have the attack be as realistic as possible; therefore, they did not provide any information besides the company name. What should be the first step in security testing the client?
A. Reconnaissance
B. Enumeration
C. Scanning
D. Escalation
A

A. Reconnaissance

27
Q

Eve is spending her day scanning the library computers. She notices that Alice is using a computer whose port 445 is active and listening. Eve uses the ENUM tool to enumerate Alice's machine. From the command prompt, she types the following command.
For /f "tokens=1" %%a in (hackfile.txt) do net use * \\10.1.2.3\c$ /user:"Administrator" %%a
What is Eve trying to do?
A. Eve is trying to connect as a user with Administrator privileges
B. Eve is trying to enumerate all users with Administrative privileges
C. Eve is trying to carry out a password crack for user Administrator
D. Eve is trying to escalate privilege of the null user to that of Administrator

A

C. Eve is trying to carry out a password crack for user Administrator

28
Q
You are the Systems Administrator for a large corporate organization. You need to monitor all network traffic on your local network for suspicious activities and receive notifications when an attack is occurring. Which tool would allow you to accomplish this goal?
A. Network-based IDS
B. Firewall
C. Proxy
D. Host-based IDS
A

A. Network-based IDS

29
Q
An attacker uses a communication channel within an operating system that is neither designed nor intended to transfer information. What is the name of the communications channel?
A. Classified
B. Overt
C. Encrypted
D. Covert
A

D. Covert

30
Q

What does the -oX flag do in an Nmap scan?
A. Perform an express scan
B. Output the results in truncated format to the screen
C. Perform an Xmas scan
D. Output the results in XML format to a file

A

D. Output the results in XML format to a file

31
Q

In many states sending spam is illegal. Thus, the spammers have techniques to try and ensure that no one knows they sent the spam out to thousands of users at a time. Which of the following best describes what spammers use to hide the origin of these types of e-mails?
A. A blacklist of companies that have their mail server relays configured to allow traffic only to their specific domain name.
B. Mail relaying, which is a technique of bouncing e-mail from internal to external mail servers continuously.
C. A blacklist of companies that have their mail server relays configured to be wide open.
D. Tools that will reconfigure a mail server’s relay component to send the e-mail back to the spammers occasionally.

A

B. Mail relaying, which is a technique of bouncing e-mail from internal to external mail servers continuously.

32
Q

What is correct about digital signatures?
A. A digital signature cannot be moved from one signed document to another because it is the hash of the original document encrypted with the private key of the signing party.
B. Digital signatures may be used in different documents of the same type.
C. A digital signature cannot be moved from one signed document to another because it is a plain hash of the document content.
D. Digital signatures are issued once for each user and can be used everywhere until they expire.

A

A. A digital signature cannot be moved from one signed document to another because it is the hash of the original document encrypted with the private key of the signing party.

33
Q

Null sessions are unauthenticated connections (not using a username or password) to an NT or 2000 system.
Which TCP and UDP ports must you filter to check null sessions on your network?
A. 137 and 139
B. 137 and 443
C. 139 and 443
D. 139 and 445

A

Null sessions are unauthenticated connections (not using a username or password) to an NT or 2000 system.
Which TCP and UDP ports must you filter to check null sessions on your network?
A. 137 and 139
B. 137 and 443
C. 139 and 443
D. 139 and 445

34
Q

Backing up data is a security must. However, it also carries a certain level of risk when mishandled. Which of the following is the greatest threat posed by backups?
A. A backup is the source of Malware or illicit information
B. A backup is incomplete because no verification was performed
C. A backup is unavailable during disaster recovery
D. An unencrypted backup can be misplaced or stolen

A

D. An unencrypted backup can be misplaced or stolen

35
Q

What is the best description of SQL Injection?
A. It is an attack used to gain unauthorized access to a database.
B. It is an attack used to modify code in an application.
C. It is a Man-in-the-Middle attack between your SQL Server and Web App Server.
D. It is a Denial of Service Attack.

A

A. It is an attack used to gain unauthorized access to a database.

36
Q

A company has five different subnets: 192.168.1.0, 192.168.2.0, 192.168.3.0, 192.168.4.0 and 192.168.5.0.
How can NMAP be used to scan these adjacent Class C networks?
A. NMAP -P 192.168.1-5.
B. NMAP -P 192.168.0.0/16
C. NMAP -P 192.168.1.0,2.0,3.0,4.0,5.0
D. NMAP -P 192.168.1/17

A

A. NMAP -P 192.168.1-5.

37
Q
Which of the following will perform an Xmas scan using NMAP?
A. nmap -sA 192.168.1.254
B. nmap -sP 192.168.1.254
C. nmap -sX 192.168.1.254
D. nmap -sV 192.168.1.254
A

C. nmap -sX 192.168.1.254

38
Q

_________ is a set of extensions to DNS that provides DNS clients (resolvers) with origin authentication of DNS data, to reduce the threat of DNS poisoning, spoofing, and similar attack types.
A. DNSSEC
B. Zone transfer
C. Resource transfer
D. Resource records

A

A. DNSSEC

39
Q

Which definition among those given below best describes a covert channel?
A. A server program using a port that is not well known.
B. Making use of a protocol in a way it is not intended to be used.
C. It is the multiplexing taking place on a communication link.
D. It is one of the weak channels used by WEP which makes it insecure

A

B. Making use of a protocol in a way it is not intended to be used.

40
Q

Which of the following is a restriction being enforced in “white box testing”?
A. Only the internal operation of a system is known to the tester
B. The internal operation of a system is completely known to the tester
C. The internal operation of a system is only partly accessible to the tester
D. Only the external operation of a system is accessible to the tester

A

B. The internal operation of a system is completely known to the tester

41
Q
An unauthorized individual enters a building following an employee through the employee entrance after the lunch rush. What type of breach has the individual just performed?
A. Reverse Social Engineering
B. Tailgating
C. Piggybacking
D. Announced
A

B. Tailgating

42
Q

A company has hired a security administrator to maintain and administer Linux and Windows-based systems. Written in the nightly report file is the following:
Firewall log files are at the expected value of 4 MB. The current time is 12am. Exactly two hours later the size has decreased considerably. Another hour goes by and the log files have shrunk in size again.
Which of the following actions should the security administrator take?
A. Log the event as suspicious activity and report this behavior to the incident response team immediately.
B. Log the event as suspicious activity, call a manager, and report this as soon as possible.
C. Run an anti-virus scan because it is likely the system is infected by malware.
D. Log the event as suspicious activity, continue to investigate, and act according to the site’s security policy.

A

D. Log the event as suspicious activity, continue to investigate, and act according to the site’s security policy.

43
Q

Which of the following identifies the three modes in which Snort can be configured to run?
A. Sniffer, Packet Logger, and Network Intrusion Detection System
B. Sniffer, Network Intrusion Detection System, and Host Intrusion Detection System
C. Sniffer, Host Intrusion Prevention System, and Network Intrusion Prevention System
D. Sniffer, Packet Logger, and Host Intrusion Prevention System

A

A. Sniffer, Packet Logger, and Network Intrusion Detection System

44
Q

Which of the following statements about a zone transfer is correct? (Choose three.)
A. A zone transfer is accomplished with the DNS
B. A zone transfer is accomplished with the nslookup service
C. A zone transfer passes all zone information that a DNS server maintains
D. A zone transfer passes all zone information that a nslookup server maintains
E. A zone transfer can be prevented by blocking all inbound TCP port 53 connections
F. Zone transfers cannot occur on the Internet

A

A. A zone transfer is accomplished with the DNS
C. A zone transfer passes all zone information that a DNS server maintains
E. A zone transfer can be prevented by blocking all inbound TCP port 53 connections

45
Q

A well-intentioned researcher discovers a vulnerability on the web site of a major corporation. What should he do?
A. Ignore it.
B. Try to sell the information to a well-paying party on the dark web.
C. Notify the web site owner so that corrective action be taken as soon as possible to patch the vulnerability.
D. Exploit the vulnerability without harming the web site owner so that attention be drawn to the problem.

A

C. Notify the web site owner so that corrective action be taken as soon as possible to patch the vulnerability.

46
Q

You are an Ethical Hacker who is auditing the ABC company. When you verify the NOC one of the machines has 2 connections, one wired and the other wireless. When you verify the configuration of this Windows system you find two static routes.
route add 10.0.0.0 mask 255.0.0.0 10.0.0.1
route add 0.0.0.0 mask 255.0.0.0 199.168.0.1
What is the main purpose of those static routes?
A. Both static routes indicate that the traffic is external with different gateway.
B. The first static route indicates that the internal traffic will use an external gateway and the second static route indicates that the traffic will be rerouted.
C. Both static routes indicate that the traffic is internal with different gateway.
D. The first static route indicates that the internal addresses are using the internal gateway and the second static route indicates that all the traffic that is not internal must go to an external gateway.

A

D. The first static route indicates that the internal addresses are using the internal gateway and the second static route indicates that all the traffic that is not internal must go to an external gateway.

47
Q

Which of the following statements regarding ethical hacking is incorrect?
A. Ethical hackers should never use tools or methods that have the potential of exploiting vulnerabilities in an organization’s systems.
B. Testing should be remotely performed offsite.
C. An organization should use ethical hackers who do not sell vendor hardware/software or other consulting services.
D. Ethical hacking should not involve writing to or modifying the target systems.

A

A. Ethical hackers should never use tools or methods that have the potential of exploiting vulnerabilities in an organization’s systems.

48
Q
Low humidity in a data center can cause which of the following problems?
A. Heat
B. Corrosion
C. Static electricity
D. Airborne contamination
A

C. Static electricity

49
Q
Seth is starting a penetration test from inside the network. He hasn't been given any information about the network. What type of test is he conducting?
A. Internal Whitebox
B. External, Whitebox
C. Internal, Blackbox
D. External, Blackbox
A

C. Internal, Blackbox

50
Q
Which type of scan measures a person's external features through a digital video camera?
A. Iris scan
B. Retinal scan
C. Facial recognition scan
D. Signature kinetics scan
A

C. Facial recognition scan

51
Q
A security policy will be more accepted by employees if it is consistent and has the support of
A. coworkers.
B. executive management.
C. the security officer.
D. a supervisor.
A

B. executive management.

52
Q

This international organization regulates billions of transactions daily and provides security guidelines to protect personally identifiable information (PII). These security controls provide a baseline and prevent low-level hackers sometimes known as script kiddies from causing a data breach.
Which of the following organizations is being described?
A. Payment Card Industry (PCI)
B. Center for Disease Control (CDC)
C. Institute of Electrical and Electronics Engineers (IEEE)
D. International Security Industry Organization (ISIO)

A

A. Payment Card Industry (PCI)

53
Q

When purchasing a biometric system, one of the considerations that should be reviewed is the processing speed. Which of the following best describes what is meant by processing speed?
A. The amount of time it takes to convert biometric data into a template on a smart card.
B. The amount of time and resources that are necessary to maintain a biometric system.
C. The amount of time it takes to be either accepted or rejected when an individual provides identification and authentication information.
D. How long it takes to setup individual user accounts.

A

C. The amount of time it takes to be either accepted or rejected when an individual provides identification and authentication information.

54
Q

While performing online banking using a Web browser, a user receives an email that contains a link to an interesting Web site. When the user clicks on the link, another Web browser session starts and displays a video of cats playing a piano. The next business day, the user receives what looks like an email from his bank, indicating that his bank account has been accessed from a foreign country. The email asks the user to call his bank and verify the authorization of a funds transfer that took place.
What Web browser-based security vulnerability was exploited to compromise the user?
A. Cross-Site Request Forgery
B. Cross-Site Scripting
C. Clickjacking
D. Web form input validation

A

A. Cross-Site Request Forgery

55
Q
A big company that wants to test its security infrastructure wants to hire elite pentesters like you. During the interview, they asked you to show sample reports from previous penetration tests. What should you do?
A. Share reports, after NDA is signed
B. Share full reports, not redacted
C. Decline but, provide references
D. Share full reports with redactions
A

C. Decline but, provide references

56
Q

Eve stole a file named secret.txt, transferred it to her computer and she just entered these commands:
What is she trying to achieve?
A. She is encrypting the file.
B. She is using John the Ripper to view the contents of the file.
C. She is using ftp to transfer the file to another hacker named John.
D. She is using John the Ripper to crack the passwords in the secret.txt file.

A

D. She is using John the Ripper to crack the passwords in the secret.txt file.

57
Q

Let’s imagine three companies (A, B and C), all competing in a challenging global environment. Company A and B are working together in developing a product that will generate major competitive advantage for them. Company A has a secure DNS server while company B has a DNS server vulnerable to spoofing. With a spoofing attack on the DNS server of company B, company C gains access to outgoing e-mails from company. How do you prevent DNS spoofing?
A. Install DNS logger and track vulnerable packets
B. Disable DNS timeouts
C. Install DNS Anti-spoofing
D. Disable DNS Zone Transfer

A

C. Install DNS Anti-spoofing

58
Q
Which of the following is considered an exploit framework and has the ability to perform automated attacks on services, ports, applications and unpatched security flaws in a computer system?
A. Wireshark
B. Maltego
C. Metasploit
D. Nessus
A

C. Metasploit

59
Q
Which of the following viruses tries to hide from anti-virus programs by actively altering and corrupting the chosen service call interrupts while they are being run?
A. Cavity virus
B. Polymorphic virus
C. Tunneling virus
D. Stealth virus
A

D. Stealth virus

60
Q
There are several ways to gain insight into how a cryptosystem works with the goal of reverse engineering the process. What is the term for two different pieces of data that result in the same value?
A. Collision
B. Collusion
C. Polymorphism
D. Escrow
A

A. Collision

61
Q

The network in ABC company is using the network address 192.168.1.64 with mask 255.255.255.192. In the network the servers are at the addresses 192.168.1.122, 192.168.1.123 and 192.168.1.124. An attacker is trying to find those servers but he cannot see them in his scan results. The command he is using is: nmap 192.168.1.64/28.
Why can't he see the servers?
A. The network must be down and the nmap command and IP address are ok.
B. He needs to add the command ‘ip address’ just before the IP address.
C. He is scanning from 192.168.1.64 to 192.168.1.78 because of the mask /28 and the servers are not in that range.
D. He needs to change the address to 192.168.1.0 with the same mask.

A

C. He is scanning from 192.168.1.64 to 192.168.1.78 because of the mask /28 and the servers are not in that range.

62
Q
When using Wireshark to acquire packet capture on a network, which device would enable the capture of all traffic on the wire?
A. Network tap
B. Layer 3 switch
C. Network bridge
D. Application firewall
A

A. Network tap

63
Q
An attacker gains access to a Web server's database and displays the contents of the table that holds all of the names, passwords, and other user information. The attacker did this by entering information into the Web site's user login page that the software's designers did not expect to be entered. This is an example of what kind of software design problem?
A. Insufficient input validation
B. Insufficient exception handling
C. Insufficient database hardening
D. Insufficient security management
A

A. Insufficient input validation

64
Q
What type of malware is it that restricts access to a computer system that it infects and demands that the user pay a certain amount of money, cryptocurrency, etc. to the operators of the malware to remove the restriction?
A. Ransomware
B. Riskware
C. Adware
D. Spyware
A

A. Ransomware

65
Q
Scenario:
What is the name of the attack which is mentioned in the scenario?
A. HTTP Parameter Pollution
B. HTML Injection
C. Session Fixation
D. ClickJacking Attack
A

D. ClickJacking Attack

66
Q

You are a Penetration Tester and are assigned to scan a server. You need to use a scanning technique wherein the TCP header is split into many packets so that it becomes difficult to detect what the packets are meant for.
Which of the below scanning techniques will you use?
A. ACK flag scanning
B. TCP Scanning
C. IP Fragment Scanning
D. Inverse TCP flag scanning

A

C. IP Fragment Scanning

67
Q

You’ve just discovered a server that is currently active within the same network as the machine you recently compromised. You ping it but it does not respond. What could be the case?
A. TCP/IP doesn’t support ICMP
B. ARP is disabled on the target server
C. ICMP could be disabled on the target server
D. You need to run the ping command with root privileges

A

C. ICMP could be disabled on the target server

68
Q

How can a rootkit bypass the Windows 7 operating system’s kernel-mode code signing policy?
A. Defeating the scanner from detecting any code change at the kernel
B. Replacing patch system calls with its own version that hides the rootkit (attacker’s) actions
C. Performing common services for the application process and replacing real applications with fake ones
D. Attaching itself to the master boot record in a hard drive and changing the machine’s boot sequence/options

A

D. Attaching itself to the master boot record in a hard drive and changing the machine’s boot sequence/options

69
Q

An incident investigator asks to receive a copy of the event logs from all firewalls, proxy servers, and Intrusion Detection Systems (IDS) on the network of an organization that has experienced a possible breach of security. When the investigator attempts to correlate the information in all of the logs, the sequence of many of the logged events does not match up.
What is the most likely cause?
A. The network devices are not all synchronized.
B. Proper chain of custody was not observed while collecting the logs.
C. The attacker altered or erased events from the logs.
D. The security breach was a false positive.

A

A. The network devices are not all synchronized.

70
Q
John the Ripper is a technical assessment tool used to test the weakness of which of the following?
A. Usernames
B. File permissions
C. Firewall rulesets
D. Passwords
A

D. Passwords

71
Q

You are using NMAP to resolve domain names into IP addresses for a ping sweep later.
Which of the following commands looks for IP addresses?
A. >host -t a hackeddomain.com
B. >host -t soa hackeddomain.com
C. >host -t ns hackeddomain.com
D. >host -t AXFR hackeddomain.com

A

A. >host -t a hackeddomain.com

72
Q
A penetration tester is hired to do a risk assessment of a company's DMZ. The rules of engagement state that the penetration test be done from an external IP address with no prior knowledge of the internal IT systems.
What kind of test is being performed?
A. white box
B. grey box
C. red box
D. black box
A

D. black box

73
Q
Which of the following is a strong post designed to stop a car?
A. Gate
B. Fence
C. Bollard
D. Reinforced rebar
A

C. Bollard

74
Q
Which of the following describes a component of Public Key Infrastructure (PKI) where a copy of a private key is stored to provide third-party access and to facilitate recovery operations?
A. Key registry
B. Recovery agent
C. Directory
D. Key escrow
A

D. Key escrow

75
Q
A hacker named Jack is trying to compromise a bank's computer system. He needs to know the operating system of that computer to launch further attacks.
What process would help him?
A. Banner Grabbing
B. IDLE/IPID Scanning
C. SSDP Scanning
D. UDP Scanning
A

A. Banner Grabbing

76
Q
Which of the following network attacks takes advantage of weaknesses in the fragment reassembly functionality of the TCP/IP protocol stack?
A. Teardrop
B. SYN flood
C. Smurf attack
D. Ping of death
A

A. Teardrop

77
Q

What are the three types of compliance that the Open Source Security Testing Methodology Manual (OSSTMM) recognizes?
A. Legal, performance, audit
B. Audit, standards based, regulatory
C. Contractual, regulatory, industry
D. Legislative, contractual, standards based

A

D. Legislative, contractual, standards based

78
Q
In which of the following cryptographic attack methods does the attacker make a series of interactive queries, choosing subsequent plaintexts based on the information from the previous encryptions?
A. Chosen-plaintext attack
B. Ciphertext-only attack
C. Adaptive chosen-plaintext attack
D. Known-plaintext attack
A

A. Chosen-plaintext attack

79
Q

Which of the following DoS tools is used to attack target web applications by starving the web server of available sessions?
The tool keeps sessions halted using never-ending POST transmissions and by sending an arbitrarily large Content-Length header value.
A. My Doom
B. Astacheldraht
C. R-U-Dead-Yet?(RUDY)
D. LOIC

A

C. R-U-Dead-Yet?(RUDY)

80
Q

You are trying to break into a highly classified top-secret mainframe computer, with the highest level of security in place, at Merclyn Barley Bank located in Los Angeles.
You know that conventional hacking doesn’t work in this case, because organizations such as banks are generally tight and secure when it comes to protecting their systems.
In other words, you are trying to penetrate an otherwise impenetrable system.
How would you proceed?
A. Look for “zero-day” exploits at various underground hacker websites in Russia and China and buy the necessary exploits from these hackers and target the bank’s network
B. Try to hang around the local pubs or restaurants near the bank, get talking to a poorly-paid or disgruntled employee, and offer them money if they’ll abuse their access privileges by providing you with sensitive information
C. Launch DDoS attacks against Merclyn Barley Bank’s routers and firewall systems using 100,000 or more “zombies” and “bots”
D. Try to conduct a Man-in-the-Middle (MiTM) attack and divert the network traffic going to Merclyn Barley Bank’s web server to your machine using DNS cache poisoning techniques

A

B. Try to hang around the local pubs or restaurants near the bank, get talking to a poorly-paid or disgruntled employee, and offer them money if they’ll abuse their access privileges by providing you with sensitive information

81
Q
What is the algorithm used by LM hashing for the Windows 2000 SAM?
A. MD4
B. DES
C. SHA
D. SSL
82
Q
A Certificate Authority (CA) generates a key pair that will be used for encryption and decryption of email. The integrity of the encrypted email is dependent on the security of which of the following?
A. Public key
B. Private key
C. Modulus length
D. Email server certificate
A

B. Private key

83
Q

Which command lets a tester enumerate alive systems in a class C network via ICMP using native Windows tools?
A. ping 192.168.2.
B. ping 192.168.2.255
C. for %V in (1 1 255) do PING 192.168.2.%V
D. for /L %V in (1 1 254) do PING -n 1 192.168.2.%V | FIND /I "Reply"

A

D. for /L %V in (1 1 254) do PING -n 1 192.168.2.%V | FIND /I "Reply"

84
Q

How do employers protect assets with security policies pertaining to employee surveillance activities?
A. Employers promote monitoring activities of employees as long as the employees demonstrate trustworthiness.
B. Employers use informal verbal communication channels to explain employee monitoring activities to employees.
C. Employers use network surveillance to monitor employee email traffic, network access, and to record employee keystrokes.
D. Employers provide employees written statements that clearly discuss the boundaries of monitoring activities and consequences.

A

D. Employers provide employees written statements that clearly discuss the boundaries of monitoring activities and consequences.

85
Q
Which type of Nmap scan is the most reliable, but also the most visible, and likely to be picked up by an IDS?
A. SYN scan
B. ACK scan
C. RST scan
D. Connect scan
E. FIN scan
A

D. Connect scan

86
Q
> NMAP -sn 192.168.11.200-215
The NMAP command above performs which of the following?
A. A ping scan
B. A trace sweep
C. An operating system detect
D. A port scan
A

A. A ping scan

87
Q

If the final set of security controls does not eliminate all risk in a system, what could be done next?
A. Continue to apply controls until there is zero risk.
B. Ignore any remaining risk.
C. If the residual risk is low enough, it can be accepted.
D. Remove current controls since they are not completely effective.

A

C. If the residual risk is low enough, it can be accepted.

88
Q

(Note: the student is being tested on concepts learnt during passive OS fingerprinting, basic TCP/IP connection concepts, and the ability to read packet signatures from a sniffer dump.) Snort has been used to capture packets on the network. On studying the packets, the penetration tester finds them to be abnormal. If you were the penetration tester, why would you find this abnormal?
What is odd about this attack? Choose the best answer.
A. This is not a spoofed packet as the IP stack has increasing numbers for the three flags.
B. This is back orifice activity as the scan comes from port 31337.
C. The attacker wants to avoid creating a sub-carries connection that is not normally valid.
D. These packets were crafted by a tool, they were not created by a standard IP stack.

A

B. This is back orifice activity as the scan comes from port 31337.

89
Q

DNS cache snooping is a process of determining if the specified resource address is present in the DNS cache records. It may be useful during the examination of the network to determine what software update resources are used, thus discovering what software is installed.
What command is used to determine if the entry is present in DNS cache?
A. nslookup -fullrecursive update.antivirus.com
B. dnsnooping -rt update.antivirus.com
C. nslookup -norecursive update.antivirus.com
D. dns –snoop update.antivirus.com

A

C. nslookup -norecursive update.antivirus.com

90
Q
It has been reported to you that someone has caused an information spillage on their computer. You go to the computer, disconnect it from the network, remove the keyboard and mouse, and power it down. What step in incident handling did you just complete?
A. Containment
B. Eradication
C. Recovery
D. Discovery
A

A. Containment

91
Q
Which of the following tools is used by pen testers and analysts specifically to analyze links between data using link analysis and graphs?
A. Metasploit
B. Wireshark
C. Maltego
D. Cain & Abel
A

C. Maltego

92
Q

You have gained physical access to a Windows 2008 R2 server which has an accessible disc drive.
When you attempt to boot the server and log in, you are unable to guess the password.
In your toolkit, you have an Ubuntu 9.10 Linux LiveCD.
Which Linux-based tool can change any user’s password or activate disabled Windows accounts?
A. John the Ripper
B. SET
C. CHNTPW
D. Cain & Abel

93
Q

Bob, your senior colleague, has sent you an email regarding a deal with one of the clients. You are requested to accept the offer, and you oblige.
After 2 days, Bob denies that he ever sent the email.
What property do you need in order to prove that it was Bob who sent the email?
A. Confidentiality
B. Integrity
C. Non-Repudiation
D. Authentication

A

C. Non-Repudiation

94
Q

When does the Payment Card Industry Data Security Standard (PCI-DSS) require organizations to perform external and internal penetration testing?
A. At least twice a year or after any significant upgrade or modification
B. At least once a year and after any significant upgrade or modification
C. At least once every two years and after any significant upgrade or modification
D. At least once every three years or after any significant upgrade or modification

A

B. At least once a year and after any significant upgrade or modification

95
Q

You have successfully compromised a server with an IP address of 10.10.0.5. You would like to enumerate all machines in the same network quickly.
What is the best nmap command to use?
A. nmap -T4 -q 10.10.0.0/24
B. nmap -T4 -F 10.10.0.0/24
C. nmap -T4 -r 10.10.1.0/24
D. nmap -T4 -O 10.10.0.0/24

A

B. nmap -T4 -F 10.10.0.0/24