Module 01 - Introduction to Ethical Hacking (EC Mode) Flashcards
Which technique is used by attackers to snoop on the communication between users or devices and record private information to launch passive attacks?
A. Eavesdropping
B. Spoofing
C. Session hijacking
D. Privilege escalation
Answer: A. Eavesdropping
Session Hijacking: It is an attack where an active session of the user is intercepted and stolen by an attacker.
Privilege Escalation: It is the process of leveraging an OS or application bug, design flaw, or misconfiguration in order to obtain elevated access to resources.
Spoofing: It is the process of fooling the target device or user by tampering with the original message/request and pretending to be a trusted origin.
Eavesdropping: It is the process of listening to the communication between users or devices and recording private information to launch attacks.
Which warfare category involves the use of viruses, worms, Trojan horses, or sniffers to automatically shut down systems, corrupt data, steal information or services, send fraudulent messages, and access unauthorized data?
A. C2 warfare
B. Electronic warfare
C. Hacker warfare
D. Psychological warfare
Answer: C. Hacker warfare
Psychological warfare: Psychological warfare is the use of various techniques such as propaganda and terror to demoralize one’s adversary in an attempt to succeed in battle.
Hacker warfare: The purpose of this type of warfare can range from the shutdown of systems, data errors, theft of information, theft of services, system monitoring, and false messaging to unauthorized access to data.
C2 warfare: In the computer security industry, C2 warfare refers to the impact an attacker possesses over a compromised system or network that they control.
Electronic warfare: It uses radio-electronic and cryptographic techniques to degrade communication.
What is the name of the close-in attack technique where an attacker examines an organization’s trash for discarded sensitive information such as usernames, passwords, credit-card statements, bank statements, ATM receipts, social security numbers, and private telephone numbers?
A. Wiretapping
B. Dumpster diving
C. Pod slurping
D. Shoulder surfing
Answer: B. Dumpster diving
Pod slurping: Pod slurping is the act of using a portable data storage device such as an iPod digital audio player to illicitly download large quantities of confidential data by directly plugging it into a computer.
Shoulder surfing: It is a type of data theft where attackers steal personal or confidential information by looking over the target’s shoulder.
Dumpster diving: Dumpster diving may provide attackers with even more sensitive information, such as usernames, passwords, credit card statements, bank statements, ATM receipts, Social Security numbers, private telephone numbers, checking account numbers, or other sensitive data.
Wiretapping: The secret monitoring of telephone and Internet-based conversations by a third party.
Which category of information warfare refers to a sensor-based technology that can directly disrupt technological systems?
A. Electronic warfare
B. Economic warfare
C. Psychological warfare
D. Intelligence-based warfare
Answer: D. Intelligence-based warfare
Economic warfare: It can affect the economy of a business or nation by blocking the flow of information.
Intelligence-based warfare: Intelligence-based warfare is a sensor-based technology that directly corrupts technological systems. According to Libicki, “intelligence-based warfare” is warfare that consists of the design, protection, and denial of systems that seek sufficient knowledge to dominate the battlespace.
Psychological warfare: Psychological warfare is the use of various techniques such as propaganda and terror to demoralize one’s adversary in an attempt to succeed in battle.
Electronic warfare: Attempt to disrupt the means of sending information.
Which information security element includes a checksum and access control to verify that a given block of data is not changed in transit and ensures that only authorized personnel can update, add, or delete data?
A. Availability
B. Integrity
C. Confidentiality
D. Non-repudiation
Answer: B. Integrity
Non-Repudiation: Non-repudiation is a way to guarantee that the sender of a message cannot later deny having sent the message and that the recipient cannot deny having received the message.
Confidentiality: Confidentiality is the assurance that the information is accessible only to those authorized to have access. Confidentiality breaches may occur due to improper data handling or a hacking attempt. Confidentiality controls include data classification, data encryption, and proper disposal of equipment (such as DVDs, USB drives, and Blu-ray discs).
Integrity: Integrity is the trustworthiness of data or resources in the prevention of improper and unauthorized changes—the assurance that information is sufficiently accurate for its purpose. Measures to maintain data integrity may include a checksum (a number produced by a mathematical function to verify that a given block of data is not changed) and access control (which ensures that only authorized people can update, add, or delete data).
Availability: Availability is the assurance that the systems responsible for delivering, storing, and processing information are accessible when required by authorized users. Measures to maintain data availability can include disk arrays for redundant systems and clustered machines, antivirus software to combat malware, and distributed denial-of-service (DDoS) prevention systems.
Which category of information warfare involves the use of various techniques such as propaganda and terror to demoralize the adversary in an attempt to succeed in battle?
A. Intelligence-based warfare
B. Electronic warfare
C. Command and control warfare (C2 warfare)
D. Psychological warfare
Answer: D. Psychological warfare
Command and control warfare (C2 warfare): In the computer security industry, C2 warfare refers to the impact an attacker possesses over a compromised system or network that they control.
Intelligence-based warfare: Intelligence-based warfare is a sensor-based technology that directly corrupts technological systems. According to Libicki, “intelligence-based warfare” is warfare that consists of the design, protection, and denial of systems that seek sufficient knowledge to dominate the battlespace.
Electronic warfare: According to Libicki, electronic warfare uses radio-electronic and cryptographic techniques to degrade communication. Radio-electronic techniques attack the physical means of sending information, whereas cryptographic techniques use bits and bytes to disrupt the means of sending information.
Psychological warfare: Psychological warfare is the use of various techniques such as propaganda and terror to demoralize one’s adversary in an attempt to succeed in battle.
Bob recently joined an organization and completed his training. His work involved dealing with important documents of the organization. One Sunday, he connected to the corporate network by providing authentication credentials to access a file online from his residence.
Which element of information security was demonstrated in the scenario where Bob connects to the corporate network by providing authentication credentials to access a file online from his residence?
A. Integrity
B. Authenticity
C. Availability
D. Non-repudiation
Answer: C. Availability
Integrity: The trustworthiness of data or resources in terms of preventing improper or unauthorized changes.
Non-Repudiation: A guarantee that the sender of a message cannot later deny having sent the message and that the recipient cannot deny having received the message.
Authenticity: Refers to the characteristic of a communication, document, or any data that ensures the quality of being genuine.
Availability: Assurance that the systems responsible for delivering, storing, and processing information are accessible when required by the authorized users.
Sam, an attacker, was hired to launch an attack on an organization to disrupt its operations and gain access to a remote system for compromising the organization’s internal network. In the process, Sam launched an attack to tamper with the data in transit to break into the organization’s network.
What type of attack did Sam perform against the target organization by tampering with the data in transit to break into the organization’s network?
A. Insider attack
B. Distribution attack
C. Active attack
D. Passive attack
Answer: C. Active attack
Passive Attacks: Passive attacks do not tamper with the data and involve intercepting and monitoring network traffic and data flow on the target network.
Insider Attacks: Insider attacks involve using privileged access to violate rules or intentionally cause a threat to the organization’s information or information systems.
Distribution Attacks: Distribution attacks occur when attackers tamper with hardware or software prior to installation.
Active Attacks: Active attacks tamper with the data in transit or disrupt the communication or services between the systems to bypass or break into secured systems.
Don, a professional hacker, was hired to break into an organization’s network and extract sensitive data. In the attack process, Don found that the organization has purchased new hardware. He accessed the new hardware while it was in transit and tampered with it to launch further attacks on the target organization.
What type of attack did Don perform on the target organization by tampering with the new hardware while it was in transit to launch further attacks?
A. Passive attack
B. Active attack
C. Insider attack
D. Distribution attack
Answer: D. Distribution attack
Passive Attacks: Passive attacks do not tamper with the data and involve intercepting and monitoring network traffic and data flow on the target network.
Insider Attacks: Insider attacks involve using privileged access to violate rules or intentionally cause a threat to the organization’s information or information systems.
Distribution Attacks: Distribution attacks occur when attackers tamper with hardware or software prior to installation.
Active Attacks: Active attacks tamper with the data in transit or disrupt the communication or services between the systems to bypass or break into secured systems.
Which of the following fundamental elements of information security refers to an assurance that the information is accessible only to those authorized to have access?
A. Authenticity
B. Integrity
C. Availability
D. Confidentiality
Answer: D. Confidentiality
Confidentiality: Confidentiality is the assurance that the information is accessible only to those who are authorized to have access. Confidentiality controls include data classification, data encryption, and proper equipment disposal (e.g., of DVDs, CDs, etc.).
Integrity: Integrity is the trustworthiness of data or resources in the prevention of improper and unauthorized changes—the assurance that information is sufficiently accurate for its purpose. Measures to maintain data integrity may include a checksum, access control, etc.
Availability: Availability is the assurance that the systems responsible for delivering, storing, and processing information are accessible when required by authorized users. Measures to maintain data availability can include redundant systems’ disk arrays and clustered machines, antivirus software to stop malware from destroying networks, and distributed denial-of-service (DDoS) prevention systems.
Authenticity: Authenticity refers to the characteristic of a communication, document, or any data that ensures the quality of being genuine or uncorrupted. The major role of authentication is to confirm that a user is genuine, i.e., who he/she claims to be. Controls such as biometrics, smart cards, and digital certificates ensure the authenticity of data, transactions, communications, or documents.
Highlander, Incorporated, is a medical insurance company with several regional company offices in North America. Employees, when in the office, utilize desktop computers that have Windows 10, Microsoft Office, anti-malware/antivirus software, and an insurance application developed by a contractor. All the software updates and patches are managed by the IT department of Highlander, Incorporated. Group policies are used to lock down the desktop computers, including the use of AppLocker to restrict the installation of any third-party applications.
There are one hundred employees who work from their home offices. Employees who work from home use their own computers, laptops, and personal smartphones. They authenticate to a cloud-based domain service, which is synchronized with the corporate internal domain service. The computers are updated and patched through the cloud-based domain service. AppLocker is not used to restrict the installation of third-party applications.
The laptops utilize DirectAccess to automatically connect their machines to the Highlander, Incorporated, network when they are not in the regional offices. The laptops are set up to use IPsec when communicating with the cloud-based file server. The protocol that they have chosen is Authentication Header (AH).
The database that hosts the information collected from the insurance application is hosted on a cloud-based file server, and their email server is hosted on Office 365. Other files created by employees get saved to a cloud-based file server, and the company uses work folders to synchronize offline copies back to their devices.
Based on the knowledge of the network topology, which of the main elements of information security has Highlander, Incorporated, NOT addressed in its plans for its laptops?
A. Confidentiality
B. Availability
C. Integrity
D. Authenticity
Answer: A. Confidentiality
Explanation:
Highlander, Incorporated, has not addressed confidentiality.
They have chosen to use Authentication Header, which will digitally sign the packets. That will allow the company to guarantee integrity, authenticity, and non-repudiation. The use of work folders will allow employees to gain access to data, even when the network connection fails. DirectAccess is used when connecting to the Highlander, Incorporated, hosted network, not the cloud-based file servers.
Which of the following close-in attacks is performed by an attacker to gather information by observing the target’s activity at the closest proximity?
A. ARP poisoning
B. Denial of service
C. Shoulder surfing
D. DNS spoofing
Answer: C. Shoulder surfing
Shoulder surfing: Performed by observing the target’s activity at close proximity. Shoulder surfing steals personal or confidential information by peering over the target’s shoulder.
Denial-of-service (DoS): Causing services to be unavailable on the target system.
ARP poisoning: ARP poisoning is a technique generally used by attackers to perform sniffing on a target network.
DNS Spoofing: In DNS spoofing, the attacker tricks a DNS server into believing that it has received authentic information when, in reality, it has not.
Which category of information warfare involves the use of information systems against the virtual personas of individuals or groups and includes information terrorism, semantic attacks, and simula-warfare?
A. Intelligence-based warfare
B. Electronic warfare
C. Economic warfare
D. Cyberwarfare
Answer: D. Cyberwarfare
Cyberwarfare: Libicki defines cyberwarfare as the use of information systems against the virtual personas of individuals or groups. It is the broadest of all the information warfare categories. It includes information terrorism, semantic attacks (similar to hacker warfare, but instead of harming a system, it takes over the system while maintaining the perception that it is operating correctly), and simula-warfare (simulated war, for example, acquiring weapons for mere demonstration rather than actual use).
Economic warfare: Libicki notes that economic information warfare can affect the economy of a business or nation by blocking the flow of information. This could be especially devastating to organizations that do a lot of business in the digital world.
Intelligence-based warfare: Intelligence-based warfare is a sensor-based technology that directly corrupts technological systems. According to Libicki, “intelligence-based warfare” is warfare that consists of the design, protection, and denial of systems that seek sufficient knowledge to dominate the battlespace.
Electronic warfare: According to Libicki, electronic warfare uses radio-electronic and cryptographic techniques to degrade communication. Radio-electronic techniques attack the physical means of sending information, whereas cryptographic techniques use bits and bytes to disrupt the means of sending information.
James, a professional hacker, is performing an attack on a target organization. He succeeded in gathering information about the target and identified vulnerabilities existing in the target network. He is now in the process of exploiting the vulnerabilities to enter the target’s network and escalate privileges so that he can have complete access to the target system.
Which phase of hacking is James currently in where he has identified vulnerabilities and is exploiting them to enter the target’s network and escalate privileges to gain complete access?
A. Reconnaissance
B. Maintaining access
C. Scanning
D. Gaining access
Answer: D. Gaining access
Reconnaissance: Reconnaissance refers to the preparatory phase where an attacker seeks to gather information about a target prior to launching an attack.
Gaining Access: Gaining access refers to the point where the attacker obtains access to the operating system or applications on the target computer or network. The attacker can escalate privileges to obtain complete control of the system. In this process, the target’s connected intermediate systems are also compromised.
Scanning: Scanning refers to the pre-attack phase when the attacker scans the network for specific information based on information gathered during reconnaissance.
Maintaining Access: Maintaining access refers to the phase when the attacker tries to retain their ownership of the system.
In which hacking phase does an attacker create a profile of the target organization and obtain information such as its IP address range, namespace, and employees?
A. Enumeration
B. Scanning
C. Footprinting
D. Vulnerability analysis
Answer: C. Footprinting
Scanning: Attackers use different types of scanning methods or tools for host discovery, port and service discovery, operating system (OS) discovery, and evading endpoint security devices such as intrusion detection systems (IDSs) and firewalls.
Vulnerability Analysis: The process of identifying security loopholes in the target organization’s network, communication infrastructure, and end systems.
Footprinting: Footprinting is the process of accumulating data about a specific network environment. In the footprinting phase, the attacker creates a profile of the target organization and obtains information such as its IP address range, namespace, and employees.
Enumeration: Enumeration is a method of intrusive probing, through which attackers gather information such as network user lists, routing tables, security flaws, and Simple Network Management Protocol (SNMP) data.
In which of the following hacking stages does an attacker use Trojans, spyware, backdoors, and keyloggers to create and maintain remote access to a system?
A. Executing applications
B. Covering tracks
C. Gaining access
D. Escalating privileges
Answer: A. Executing applications
Which of the following techniques is used by an attacker for identifying the active hosts, open ports, and unnecessary services enabled on target hosts?
A. Vulnerability analysis
B. Scanning
C. Footprinting
D. Enumeration
Answer: B. Scanning
Footprinting: Footprinting is the process of accumulating data about a specific network environment. In the footprinting phase, the attacker creates a profile of the target organization and obtains information such as its IP address range, namespace, and employees.
Enumeration: Enumeration is a method of intrusive probing, through which attackers gather information such as network user lists, routing tables, security flaws, and Simple Network Management Protocol (SNMP) data. This is of significance because the attacker ranges over the target territory to glean information about the network and about shared users, groups, applications, and banners.
Scanning: Scanning is a procedure used for identifying active hosts, open ports, and unnecessary services enabled on particular hosts. Attackers use different types of scanning methods for host discovery, port and service discovery, operating system (OS) discovery, and evading endpoint security devices such as intrusion detection systems (IDSs) and firewalls.
Vulnerability Analysis: Vulnerability assessment is an examination of the ability of a system or application, including its current security procedures and controls, to withstand the assault. It recognizes, measures, and classifies security vulnerabilities in a computer system, network, and communication channels.
Joel, a professional hacker, has targeted an organization to steal sensitive information remotely. He was successful in the attack and was able to access sensitive data of the organization. He is now trying to wipe out the entries corresponding to his activities in the system to remain undetected.
Which of the following hacking steps is Joel performing now?
A. Gaining access
B. Escalating privileges
C. Clearing logs
D. Maintaining access
Answer: C. Clearing logs
Gaining Access: Password cracking involves gaining access to low-privileged user accounts by cracking passwords using techniques such as brute-forcing, password guessing, and social engineering. Attackers exploit the identified vulnerabilities, such as buffer overflows, to gain root-level access to the target system.
Escalating Privileges: After gaining access, attackers then escalate their privileges to administrative levels, to perform a protected operation. Attackers exploit vulnerabilities that exist in OSs and software applications to escalate privileges.
Clearing Logs: To maintain future system access, attackers attempt to avoid recognition by legitimate system users. To remain undetected, attackers wipe out the entries corresponding to their activities in the system logs, thus avoiding detection by users.
Maintaining Access: After successfully gaining access and escalating privileges to the target system, attackers ensure that high levels of access are maintained to perform malicious activities such as executing malicious applications and stealing, hiding, or tampering with sensitive system files.
In which of the following phases of the cyber kill chain methodology does an adversary select or create a tailored deliverable malicious payload using an exploit and a backdoor to send it to the victim?
A. Weaponization
B. Installation
C. Reconnaissance
D. Delivery
Answer: A. Weaponization
Reconnaissance: This phase involves an attacker gathering information about the target, such as IP addresses, domain names, email addresses, and user accounts.
Weaponization: In this phase, the attacker creates a malware payload or other type of exploit and bundles it into a deliverable format, such as a malicious email attachment or a website.
Delivery: This phase involves the attacker delivering the weaponized payload to the target, typically through phishing emails or other social engineering tactics.
Exploitation: In this phase, the attacker exploits a vulnerability in the target system to execute the payload and gain a foothold on the system.
Installation: Once the attacker gains a foothold on the target system, they can install additional tools and malware to establish persistence and maintain access to the system.
Command and Control (C2): After establishing persistence, the attacker creates a communication channel between the compromised system and a C2 server, which allows them to remotely control the system and execute further commands.
Actions on Objective: In the final phase, the attacker achieves their ultimate goal, which could include stealing sensitive data, disrupting operations, or deploying additional malware to other systems on the network.
Which of the following IoC categories is useful for command and control, malware delivery, and identifying details about the operating system, browser type, and other computer-specific information?
A. Network indicators
B. Behavioral indicators
C. Host-based indicators
D. Email indicators
Answer: A. Network indicators
Explanation:
Network Indicators: Network indicators are useful for command and control, malware delivery, and identifying details about the operating system, browser type, and other computer-specific information.
Host-based Indicators: Host-based indicators are found by performing an analysis of the infected system within the organizational network.
Behavioral Indicators: Behavioral IoCs are used to identify specific behavior related to malicious activities, such as code injection into memory or running the scripts of an application.
Email Indicators: Email indicators come from socially engineered emails, which attackers prefer due to their ease of use and comparative anonymity.
A phase of the cyber kill chain methodology triggers the adversary’s malicious code, which utilizes a vulnerability in the operating system, application, or server on a target system. At this stage, the organization may face threats such as authentication and authorization attacks, arbitrary code execution, physical security threats, and security misconfiguration.
Which is this phase of the cyber kill chain methodology?
A. Exploitation
B. Weaponization
C. Reconnaissance
D. Installation
Answer: A. Exploitation
Reconnaissance: An adversary performs reconnaissance to collect as much information about the target as possible to probe for weak points before attacking.
Weaponization: The adversary selects or creates a tailored deliverable malicious payload (remote-access malware weapon) using an exploit and a backdoor to send it to the victim.
Exploitation: Exploitation triggers the adversary’s malicious code to exploit a vulnerability in the operating system, application, or server on a target system. At this stage, the organization may face threats such as authentication and authorization attacks, arbitrary code execution, physical security threats, and security misconfiguration.
Installation: The adversary downloads and installs more malicious software on the target system to maintain access to the target network for an extended period.
Lisa, a security analyst, was tasked with analyzing and documenting the possibility of cyberattacks against an organization. In this task, she followed the diamond model of intrusion analysis. During the initial analysis, Lisa started determining the strategies, methods, procedures, or tools that an attacker might use against the organization’s network.
Which of the following features of the diamond model did Lisa employ in the above scenario?
A. Adversary
B. Victim
C. Infrastructure
D. Capability
Answer: D. Capability
Victim: The victim is the target that has been exploited or the environment where the attack was performed. The adversary exploits the vulnerabilities or security loopholes in the victim’s infrastructure by using their resources.
Adversary: An adversary often refers to an opponent or hacker responsible for the attack event. An adversary takes advantage of a capability against the victim to perform a malicious activity for financial benefit or to damage the reputation of the victim.
Capability: Capability refers to all the strategies, methods, and procedures associated with an attack. It can also be malware or a tool used by an adversary against the target.
Infrastructure: Infrastructure refers to the hardware or software used in the network by the target that has a connection with the adversary. It refers to “what” the adversary has used to reach the victim.
Which meta-feature of the diamond model can help a security analyst analyze how an attacker was routed to the target network or system?
A. Resource
B. Result
C. Timestamp
D. Direction
Answer: D. Direction
Resource: The resource feature entails the use of external resources, such as tools or technology, to perform the attack. It includes hardware, software, access, knowledge, data, etc.
Timestamp: This feature can reveal the time and date of an event. It is important as it can indicate the beginning and end of the event. It also helps in analysis and determining the periodicity of the event.
Result: The result is the outcome of any event. For example, the result of an attack can be success, failure, or unknown.
Direction: This feature refers to the direction of the attack. For instance, the direction can indicate how the adversary was routed to the victim. This feature can be immensely helpful when describing network-based and host-based events.