Practice Exam 1 (81 - 125) Flashcards
What kind of attack is an example of IP spoofing?
A. SQL injections
B. Man-in-the-middle
C. Cross-site scripting
D. ARP poisoning
B. Man-in-the-middle
Explanation
OBJ-4.1: A man-in-the-middle attack intercepts the communications between two systems. In an HTTP transaction, for example, the target is the TCP connection between client and server: the attacker splits the original connection into two new ones, one between the client and the attacker and the other between the attacker and the server, and relays (and possibly alters) traffic between them while both parties believe they are talking directly to each other. Forging the source IP address of packets so that they appear to come from a trusted host (IP spoofing) is one of the techniques used to insert the attacker into that path, which is why MITM is the answer. ARP poisoning, also known as ARP spoofing, is also a spoofing attack and is a common way to set up a MITM on a LAN, but it works by sending forged ARP replies that corrupt the IP-to-MAC mappings held by hosts or the default gateway; what is spoofed there is the layer 2 hardware address, not the IP address. SQL injection is a code injection technique against data-driven applications: malicious SQL statements are inserted into an entry field for execution, for example to dump the database contents to the attacker. Cross-site scripting (XSS) is an injection attack in which malicious scripts are inserted into otherwise benign and trusted websites; the attacker uses the web application to deliver code, generally a browser-side script, to a different end user.
You are trying to select the best device to install to detect an outside attacker trying to reach into your internal network. The device should log the event, but it should not take any action to stop it. Which of the following devices would be the BEST for you to select?
A. Proxy server
B. Authentication server
C. IPS
D. IDS
D. IDS
Explanation
OBJ-4.5: An intrusion detection system is a device or software application that monitors a network or system for malicious activity or policy violations. Any malicious activity or violation is typically reported to an administrator or collected centrally using a security information and event management system. Unlike an IPS, which can stop malicious activity or policy violations, an IDS can only log these issues and not stop them.
A new piece of malware attempts to exfiltrate user data by hiding the traffic and sending it over a TLS-encrypted outbound traffic over random ports. What technology would be able to detect and block this type of traffic?
A. Intrusion detection system
B. Application-aware firewall
C. Stateful packet inspection
D. Stateless packet inspection
B. Application-aware firewall
Explanation
OBJ-4.5: An application-aware (next-generation) firewall inspects traffic at layer 7 and identifies the protocol in use from the content of the stream rather than from the port number, so it recognizes a TLS session on an unexpected port, can flag the combination of random ports and encryption as suspicious, and can block it. A stateless packet filter only sees packet headers (addresses and port numbers), and a stateful firewall additionally tracks connection state; neither identifies what the traffic actually is when the malware uses random ports, so a rule based on "port 443 is TLS" never fires. An IDS is a detection-only device: it may alert on the traffic, but it cannot block it, so it does not satisfy the "detect and block" requirement.
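The content-based classification described above, as an added example (not code from the flashcards or from any firewall product): it builds a minimal TLS ClientHello in code so the script runs offline, then parses the first bytes of the flow to decide whether it is TLS and which SNI host it is going to, regardless of destination port. The "block TLS off port 443" policy in classify_flow is an assumption made for the example.

```python
"""Port-independent TLS detection, the way an application-aware firewall
classifies a flow by its content instead of its destination port.
Added example: the ClientHello below is constructed in code, not captured."""
import struct

def build_client_hello(sni: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello carrying a server_name (SNI)
    extension. Constructed sample traffic, not a real capture."""
    host = sni.encode()
    server_name = struct.pack("!BH", 0, len(host)) + host           # name_type 0 = host_name
    sni_list = struct.pack("!H", len(server_name)) + server_name
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + b"\x11" * 32      # client_version 1.2, 32-byte random (fixed here)
            + b"\x00"                      # session_id length 0
            + b"\x00\x02\xc0\x2f"          # one cipher suite (ECDHE-RSA-AES128-GCM-SHA256)
            + b"\x01\x00"                  # one compression method: null
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello
    # Record header: ContentType handshake (0x16), legacy version 3.1, record length.
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_client_hello(data: bytes):
    """Return the SNI host name if `data` begins with a TLS ClientHello,
    "" for a ClientHello without SNI, and None if this is not TLS at all."""
    try:
        if len(data) < 43 or data[0] != 0x16 or data[1] != 0x03:
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        hs = data[5:5 + rec_len]
        if len(hs) < 39 or hs[0] != 0x01:
            return None
        pos = 4 + 2 + 32                                   # handshake header, version, random
        sid_len = hs[pos]; pos += 1 + sid_len
        cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2 + cs_len
        comp_len = hs[pos]; pos += 1 + comp_len
        if pos + 2 > len(hs):
            return ""
        ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2
        end = min(pos + ext_len, len(hs))
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4]); pos += 4
            if etype == 0 and elen >= 5:
                # server_name list: 2-byte list length, 1-byte name type, 2-byte name length, name
                name_len = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
                return hs[pos + 5:pos + 5 + name_len].decode("ascii", errors="replace")
            pos += elen
        return ""
    except (IndexError, struct.error):
        return None

def classify_flow(dst_port: int, first_bytes: bytes) -> dict:
    """Side by side: what a port-based (stateless/stateful) filter concludes versus
    what content inspection concludes about the same flow."""
    port_view = "tls" if dst_port == 443 else "unknown"
    sni = parse_client_hello(first_bytes)
    content_view = "tls" if sni is not None else "not-tls"
    # Assumed policy for the example: TLS to a non-standard port is treated as suspect.
    return {"port_view": port_view, "content_view": content_view, "sni": sni,
            "block": content_view == "tls" and dst_port != 443}

if __name__ == "__main__":
    hello = build_client_hello("exfil.example.net")
    print(classify_flow(51234, hello))             # content inspection sees TLS; the port rule sees nothing
    print(classify_flow(51234, b"GET / HTTP/1.1\r\n"))
```

Because the session key is never visible to the firewall, the decision is made on the unencrypted ClientHello alone; that is exactly what a next-generation firewall's application identification does for TLS, and why a stateless port filter cannot make the same call.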
You have just received an email that claims to be from the Federal Bureau of Investigation (FBI). The email claims that your computer was identified as part of a botnet being used to distribute pirated copies of a new movie. The email states that you must click the link below and pay a fine of $1000 within 24 hours, or federal agents will be sent to your home to arrest you for copyright infringement. What social engineering principle is this email relying on using?
A. Intimidation
B. Consensus
C. Familiarity
D. Trust
A. Intimidation
Explanation
OBJ-4.2: Intimidation is a commonly used technique during a social engineering campaign. It relies on trying to scare or frighten a person into clicking a link. Often, these emails will claim to be from the FBI, IRS, or other government agencies.
Your company’s Security Operations Center (SOC) is currently detecting an ongoing DDoS attack against your network’s file server. A cybersecurity analyst has identified forty internal workstations on the network conducting the attack against your network’s file server. The cybersecurity analyst believes these internal workstations are infected with malware and places them into a quarantined network area. The analyst then submits a service desk ticket to have the workstations scanned and cleaned of the infection. What type of malware was the workstation likely a victim of based on the scenario provided?
A. Spyware
B. Botnet
C. Rootkit
D. Ransomware
B. Botnet
Explanation
OBJ-4.3: A botnet is a collection of internet-connected devices, each running one or more bots under the control of a remote attacker. Botnets are used to perform distributed denial-of-service (DDoS) attacks, steal data, send spam, and give the attacker access to each device and its network connection. A zombie (also known as a bot) is a computer or workstation that a remote attacker has compromised and set up to forward transmissions, including spam and malware, to other computers on the Internet. Forty workstations all attacking the same file server at the same time is the signature of centrally controlled bots rather than of spyware, a rootkit, or ransomware acting on each machine independently.
You are trying to select the best device to install to proactively stop outside attackers from reaching your internal network. Which of the following devices would be the BEST for you to select?
A. IDS
B. IPS
C. Proxy server
D. Syslog server
B. IPS
Explanation
OBJ-4.5: An intrusion prevention system (IPS) is a form of network security that detects and prevents identified threats. Intrusion prevention systems continuously monitor your network, looking for possible malicious incidents, and capturing information about them. An IPS can block malicious network traffic, unlike an IDS, which can only log them.
Your organization has been receiving many phishing emails recently, and you are trying to determine why they are effective in getting your users to click on their links. The latest email consists of what looks like an advertisement that is offering an exclusive early access opportunity to buy a new iPhone at a discounted price. Still, there are only 5 phones available at this price. What type of social engineering principle is being exploited here?
A. Familiarity
B. Scarcity
C. Intimidation
D. Trust
B. Scarcity
Explanation
OBJ-4.2: Scarcity is used to create a fear in a person of missing out on a special deal or offer. This technique is used in advertising all the time, such as “supplies are limited,” “only available for the next 4 hours”, and other such artificial limitations being used.
Which of the following tools provides a penetration tester with a framework to conduct technical social engineering attacks like phishing against an organization’s employees?
A. Kismet
B. SET
C. Proxychains
D. Censys
B. SET
Explanation
OBJ-4.2: SET (Social Engineer Toolkit) is an open-source penetration testing framework included with Kali Linux that supports the use of social engineering to penetrate a network or system. Kismet is an 802.11 Layer 2 wireless network detector, sniffer, and intrusion detection system included with Kali Linux. Proxychains is a command-line tool that enables pen testers to mask their identity and/or source IP address by sending messages through intermediary or proxy servers. Censys is a search engine that returns information about the types of devices connected to the Internet.
Your company was recently the victim of a cross-site scripting attack. The system administrators claim this wasn’t possible since they performed input validation using REGEX to alert on any strings that contain the term “[Ss]cript” in them. Which of the following statements concerning this attack is true?
A. An SQL injection must have occurred since their input validation would have prevented <SCRIPT> or <script> from being used
B. The server has insufficient logging and monitoring configured
C. The REGEX expression to filter using “[Ss]cript” is insufficient, as an attacker could use SCRIPT, SCRipt, or %53CrIPT to evade it
D. The attacker has modified the logs to cover their tracks and prevent a successful investigation
C. The REGEX expression to filter using “[Ss]cript” is insufficient, as an attacker could use SCRIPT, SCRipt, or %53CrIPT to evade it
Explanation
OBJ-4.5: The most likely explanation is that the REGEX filter was insufficient to catch every variant of a cross-site scripting payload. Because the classic payload uses the <script> and </script> HTML tags, the system administrators had the right idea in validating input for that keyword, but [Ss]cript only matches a capital or lowercase S followed by the lowercase letters "cript". It does not match SCRIPT or SCRipt, and a case-insensitive pattern such as [Ss][Cc][Rr][Ii][Pp][Tt] (or the (?i) flag) still misses %53CrIPT, where %53 is the URL (percent) encoding of a capital S. A character class cannot fix this, because [...] matches exactly one character and an encoded letter is three characters long; the pattern would need alternation such as (?i)(?:s|%53|%73)cript, and then the same again for HTML entities like &#x53; and for double encoding. The sound approach is to canonicalize the input (URL-decode and entity-decode it until it stops changing) before validating it, and to rely on output encoding and an allowlist of permitted characters rather than a blocklist of bad strings; many XSS payloads, such as an <img> tag with an onerror= handler, contain no "script" token at all. While it is possible that an attacker used SQL injection instead, the flawed REGEX would still have allowed a cross-site scripting attack, so that option must be eliminated. Insufficient logging and attacker-modified logs are both possible in the real world, but they do not explain how the attack got past the input validation. The obvious flaw is the REGEX filter.
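The filter bypass described above, worked through as an added example (not code from the flashcards or from the administrators in the scenario): the original [Ss]cript filter and its case-insensitive variant are run against constructed payloads, next to a check that canonicalizes the input first and the output-encoding function that actually prevents XSS in an HTML body context.

```python
"""Why a blocklist regex like [Ss]cript fails, and what a canonicalizing check
and proper output encoding look like. Added example; the payloads are constructed."""
import html
import re
from urllib.parse import unquote

WEAK = re.compile(r"[Ss]cript")                  # the administrators' filter from the question
CASE_INSENSITIVE = re.compile(r"script", re.I)   # the [Ss][Cc][Rr][Ii][Pp][Tt] variant

def canonicalize(value: str, max_rounds: int = 5) -> str:
    """Percent-decode and HTML-entity-decode until the value stops changing,
    so the filter sees what the browser would eventually see."""
    for _ in range(max_rounds):
        decoded = html.unescape(unquote(value))
        if decoded == value:
            break
        value = decoded
    return value

def weak_filter_blocks(value: str) -> bool:
    return WEAK.search(value) is not None

def case_insensitive_blocks(value: str) -> bool:
    return CASE_INSENSITIVE.search(value) is not None

def canonical_filter_blocks(value: str) -> bool:
    return CASE_INSENSITIVE.search(canonicalize(value)) is not None

def render_safely(untrusted: str) -> str:
    """The control that actually prevents XSS in an HTML body context: encode the
    untrusted value on output instead of trying to enumerate bad input."""
    return html.escape(untrusted, quote=True)

PAYLOADS = [
    "<script>alert(1)</script>",
    "<SCRIPT>alert(1)</SCRIPT>",
    "<SCRipt>alert(1)</SCRipt>",
    "<%53CrIPT>alert(1)</%53CrIPT>",           # %53 is a percent-encoded capital S
    "<&#x53;cript>alert(1)</&#x53;cript>",     # &#x53; is the HTML entity for capital S
    "<%2553cript>alert(1)</%2553cript>",       # double-encoded: %25 -> %, then %53 -> S
    "<img src=x onerror=alert(1)>",            # no 'script' token anywhere
]

def evaluate(payloads=PAYLOADS) -> dict:
    """For each payload, record which of the three filters would have blocked it."""
    return {p: {"weak": weak_filter_blocks(p),
                "case_insensitive": case_insensitive_blocks(p),
                "canonical": canonical_filter_blocks(p)} for p in payloads}

if __name__ == "__main__":
    for payload, verdicts in evaluate().items():
        print(f"{payload!r:45} {verdicts}")
    print(render_safely("<script>alert(1)</script>"))
```

The last payload is the point of the exercise: even the canonicalizing filter passes it, because there is no "script" to find, so a keyword blocklist can only ever be a secondary control behind output encoding.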
You have been contracted by Dion Training to conduct a penetration test against its learning management system (LMS). The LMS is a web application that is hosted in the organization’s DMZ. Which of the following appliances should the organization whitelist your source IP in before the engagement begins?
A. WAF
B. HIDS
C. NIDS
D. DLP
A. WAF
Explanation
OBJ-4.5: Whitelisting the tester's source IP excludes it from the ACL rules and signatures of an active, in-line device such as a web application firewall (WAF), a layer 4 firewall, or an intrusion prevention system (IPS), which would otherwise block the penetration tester during the assessment. A HIDS or NIDS only detects and alerts, and DLP is concerned with sensitive data leaving the organization, so none of them would stop the tester's inbound traffic to the LMS. With your IP whitelisted, you can focus your time and effort on finding vulnerabilities in the servers themselves instead of trying to break through a compensating control like a WAF or IPS.
What type of wireless security measure can easily be defeated by a hacker by spoofing their network interface card’s hardware address?
A. MAC filtering
B. WEP
C. Disable SSID broadcast
D. WPS
A. MAC filtering
Explanation
OBJ-4.1: Wireless access points can use MAC filtering to ensure that only known network interface cards are allowed to connect to the network. The MAC address is assigned by the manufacturer and burned into the card as its physical address, but the operating system can override it in software, so an attacker who sniffs the MAC of an already-authorized client can set their own interface to that address and walk straight past the filter. MAC filtering is a reasonable layer in a defense-in-depth strategy, but it will not stop a skilled attacker for long. WEP (Wired Equivalent Privacy) is an obsolete encryption standard; its reuse of RC4 keystreams under short initialization vectors lets an attacker recover the key statistically from captured traffic within minutes, without any MAC spoofing. Disabling the SSID broadcast removes the network name from beacon frames, but a skilled attacker can still recover the SSID from the probe and association frames of legitimate clients using a wireless scanner. WPS (Wi-Fi Protected Setup) is used to connect and configure wireless devices to an access point easily; its PIN method has well-known brute-force weaknesses, but again those have nothing to do with hardware addresses.
A cybersecurity analyst is reviewing the logs of a Citrix NetScaler Gateway running on a FreeBSD 8.4 server and saw the following output:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
10.1.1.1 - - [10/Jan/2020:13:23:51 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 143 "https://10.1.1.2/" "USERAGENT"
10.1.1.1 - - [10/Jan/2020:13:23:53 +0000] "GET /vpn/../vpns/portal/backdoor.xml HTTP/1.1" 200 941 "-" "USERAGENT"
10.1.1.1 - - [10/Jan/2020:16:12:31 +0000] "POST /vpns/portal/scripts/newbm.pl HTTP/1.1" 200 143 "https://10.1.1.2/" "USERAGENT"
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
What type of attack was most likely being attempted by the attacker?
A. SQL injection
B. Directory traversal
C. XML injection
D. Password spraying
B. Directory traversal
Explanation
OBJ-5.2: A directory traversal attack aims to access files and directories stored outside the web root. By manipulating variables or URLs that reference files with "dot-dot-slash" (../) sequences and their encoded variants, or by using absolute file paths, an attacker may be able to reach arbitrary files on the file system, including application source code, configuration files, and critical system files. In this log the /vpn/../vpns/ sequence uses a traversal to reach the /vpns/portal/ scripts path; the POST to newbm.pl followed two seconds later by a successful GET of backdoor.xml from the same path, both returning 200, is consistent with the traversal being used as the first stage of a remote code execution exploit. XML injection manipulates or compromises the logic of an XML application or service. SQL injection places malicious code in SQL statements via web page input. Password spraying tries one or a few common passwords against many user accounts to avoid triggering lockouts. None of those would show up as ../ sequences in a request path.
A new alert has been distributed throughout the information security community regarding a critical Apache vulnerability. What action could you take to ONLY identify the known vulnerability?
A. Perform an unauthenticated vulnerability scan on all servers in the environment
B. Perform a scan for the specific vulnerability on all web servers
C. Perform a web vulnerability scan on all servers in the environment
D. Perform an authenticated scan on all web servers in the environment
B. Perform a scan for the specific vulnerability on all web servers
Explanation
OBJ-5.1: Since you wish to check for only the known vulnerability, you should scan for that specific vulnerability on all web servers. All web servers are chosen because Apache is a web server application. While performing an authenticated scan of all web servers or performing a web vulnerability scan of all servers would also find these vulnerabilities, it is a much larger scope. It would waste time and processing power by conducting these scans instead of properly scoping the scans based on your needs. Performing unauthenticated vulnerability scans on all servers is also too large in scope (all servers) while also being less effective (unauthenticated scan).
In 2014, Apple’s implementation of SSL had a severe vulnerability that, when exploited, allowed an attacker to gain a privileged network position that would allow them to capture or modify data in an SSL/TLS session. This was caused by poor programming in which a failed check of the connection would exit the function too early. Based on this description, what is this an example of?
A. Use of insecure functions
B. Insufficient logging and monitoring
C. Improper error handling
D. Insecure object reference
C. Improper error handling
Explanation
OBJ-5.2: This is an example of an improper error handling vulnerability. A well-written application must handle errors and exceptions gracefully, and above all must not fail in a way that lets an attacker execute code, perform an injection, or, as here, skip a security check. The famous example is Apple's "goto fail" bug, CVE-2014-1266: a duplicated goto fail; line in the SSL/TLS handshake code made the jump unconditional, so the function exited before the final signature check ran, but it exited with the success status still set and the handshake was accepted. That is error handling that fails open. Insecure direct object reference is when a reference to an internal implementation object, such as a file or database key, is exposed to users without any other access control. Insufficient logging and monitoring lets attackers achieve their goals without being detected because defenders lack visibility and timely response. The use of insecure functions occurs in C when legacy functions like strcpy() are used; they can lead to buffer overflows and other exploits succeeding against a program.
You are analyzing the logs of a web server and see the following entry:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
192.168.1.25 - - [05/Aug/2020:15:16:42 -0400] "GET /%27%27;!--%22%3CDION%3E=&{()} HTTP/1.1" 404 310 "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.12) Gecko/2009070812 Ubuntu/19.04 (disco dingo) Firefox/3.0.12"
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Based on this entry, which of the following attacks was attempted?
A. XML injection
B. Buffer overflow
C. XSS
D. SQL injection
C. XSS
Explanation
OBJ-5.2: This is an XSS probe as recorded in a web server's log. The attacker obfuscated it with URL (percent) encoding: %27 is a single quote, %22 a double quote, and %3C and %3E the angle brackets, so the request path decodes to '';!--"<DION>=&{()}, a variant of the standard XSS locator string used to test how a page reflects quotes, comment markers, and a tag back into its output. You do not need to decode the exact string on the exam; when you see percent-encoded quotes and angle brackets in a URL with no SQL keywords or XML structure, it is usually an XSS attack. In a reflected XSS attack the attacker finds a page that echoes part of the URL back without sanitizing it, appends script to a legitimate-looking URL, and sends it to the victim in a phishing email or other message; when the victim clicks it, the script runs in their browser within the trusted site's origin and can read session cookies or submit requests on their behalf. A buffer overflow writes past the boundary of a buffer into adjacent memory, which is not what this request is attempting.
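Detection logic for both log questions above (the Citrix traversal entries and this encoded XSS probe), as an added example rather than code from the flashcards: the log lines are rebuilt inline as constructed sample data, parsed with an NCSA-style regex, percent-decoded until stable, and classified. The SENSITIVE_PREFIXES watch list is an assumption made for the example; it exists to catch the third Citrix line, which reaches the same script without any traversal.

```python
"""Classify attack attempts in NCSA/Apache-style access-log lines. Added example
serving both log questions above: the Citrix traversal entries and the encoded
XSS probe are rebuilt here as constructed sample data."""
import posixpath
import re
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)')

SAMPLE_LOG = """\
10.1.1.1 - - [10/Jan/2020:13:23:51 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 143 "https://10.1.1.2/" "USERAGENT"
10.1.1.1 - - [10/Jan/2020:13:23:53 +0000] "GET /vpn/../vpns/portal/backdoor.xml HTTP/1.1" 200 941 "-" "USERAGENT"
10.1.1.1 - - [10/Jan/2020:16:12:31 +0000] "POST /vpns/portal/scripts/newbm.pl HTTP/1.1" 200 143 "https://10.1.1.2/" "USERAGENT"
192.168.1.25 - - [05/Aug/2020:15:16:42 -0400] "GET /%27%27;!--%22%3CDION%3E=&{()} HTTP/1.1" 404 310 "-" "Mozilla/5.0"
10.0.0.7 - - [05/Aug/2020:15:20:00 -0400] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Assumption for this example: script paths the gateway should never serve to direct requests.
SENSITIVE_PREFIXES = ("/vpns/portal/scripts/",)

# HTML tags, inline event handlers and javascript: URLs are the usual reflected-XSS carriers.
XSS_MARKERS = re.compile(r"<\s*/?\w+[^>]*>|\bon\w+\s*=|javascript:", re.I)

def decode_path(path: str) -> str:
    """Percent-decode until the value stops changing, so %2e%2e%2f, %2527 and
    friends are seen as the ../ or ' that the server will ultimately process."""
    previous = None
    while previous != path:
        previous, path = path, unquote(path)
    return path

def classify(path: str) -> str:
    decoded = decode_path(path)
    raw_path = decoded.split("?", 1)[0]
    # Traversal: a ../ segment that actually changes where the path resolves.
    if ("/../" in raw_path or raw_path.endswith("/..")) and posixpath.normpath(raw_path) != raw_path:
        return "directory traversal"
    if XSS_MARKERS.search(decoded):
        return "xss"
    if posixpath.normpath(raw_path).startswith(SENSITIVE_PREFIXES):
        return "sensitive path"
    return "benign"

def scan(log_text: str = SAMPLE_LOG) -> list:
    """Return (ip, method, path, status, verdict) for each non-benign request."""
    findings = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        verdict = classify(match["path"])
        if verdict != "benign":
            findings.append((match["ip"], match["method"], match["path"], int(match["status"]), verdict))
    return findings

if __name__ == "__main__":
    for finding in scan():
        print(finding)
```

Decoding in a loop matters more than the regexes: a single unquote() would leave %2527 as %27 and miss the quote, and a traversal written as %2e%2e%2f would never contain a literal "../".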
Fail to Pass Systems recently installed a break and inspect appliance that allows their cybersecurity analysts to observe HTTPS traffic entering and leaving their network. Consider the following output from a recorded session captured by the appliance:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
POST /www/default.php HTTP/1.1
Host: <external IP address>.123
Content-Length: 147
Cache-Control: no-cache
Origin: chrome-extension://ghwjhwrequsds
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryaym16ehT29q60rUx
Accept: */*
Accept-Language: zh, en-us; q=0.8, en; q=0.6
Cookie: security=low; PHPSESSID=jk3j2kdso8x73kdjhehakske

------WebKitFormBoundaryaym16ehT29q60rUx
Content-Disposition: form-data; name="q"

cat /etc/passwd
------WebKitFormBoundaryaym16ehT29q60rUx--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Which of the following statements is true?
A. The /etc/passwd file was just downloaded through a webshell by an attacker
B. This is a normal request from a host to your web server in the DMZ
C. A request to issue the command “cat /etc/passwd” occurred but additional analysis is required to verify if the file was downloaded
D. The web browser used in the attack was Microsoft Edge
C. A request to issue the command “cat /etc/passwd” occurred but additional analysis is required to verify if the file was downloaded
Explanation
OBJ-5.2: This is a POST request from an outside source asking the script at /www/default.php to run the command cat /etc/passwd, which is the behaviour of a web shell: a form field (q) whose value is handed to a system shell. Nothing in the captured request shows whether the command succeeded; the response would have to be examined for the contents of /etc/passwd before concluding that the file was downloaded, which is why additional analysis is required. It is certainly not normal traffic. The Accept-Language header shows the browser preferred Chinese (zh), but that setting is trivially changed and cannot support conclusions about the threat actor's real location or persona. The User-Agent string identifies Firefox 24 on Linux (every modern browser's User-Agent begins with "Mozilla/5.0", so that token alone identifies nothing), while the Origin header names a Chrome extension, so the headers are inconsistent with each other and with Microsoft Edge; user-agent strings are attacker-controlled in any case. For an in-depth analysis of the full attack this snippet was taken from, see https://www.rsa.com/content/dam/en/solution-brief/asoc-threat-solution-series-webshells.pdf; the six-page article walks through how a remote access web shell is used after exploitation.
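A triage routine for the captured request above, as an added example (not code from the flashcards or from the RSA write-up): it parses the raw HTTP request and its multipart/form-data body, extracts the command in the q field, checks the body against the declared Content-Length, and refuses to call the exfiltration confirmed unless a response body is supplied. The request is rebuilt inline from the flashcard, with the documentation address 203.0.113.123 standing in for the redacted external IP, and the SHELL_BINARIES list is an assumption made for the example.

```python
"""Parse the captured multipart/form-data POST, extract the command sent to the
suspected web shell, and state only what the request alone proves.
Added example; the request is rebuilt from the flashcard, with a documentation-range
address standing in for the redacted external IP."""
import re
import shlex
from typing import Optional

CAPTURED_REQUEST = (
    "POST /www/default.php HTTP/1.1\r\n"
    "Host: 203.0.113.123\r\n"                      # constructed stand-in for <external IP address>.123
    "Content-Length: 147\r\n"
    "Origin: chrome-extension://ghwjhwrequsds\r\n"
    "User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0\r\n"
    "Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryaym16ehT29q60rUx\r\n"
    "Accept-Language: zh, en-us; q=0.8, en; q=0.6\r\n"
    "Cookie: security=low; PHPSESSID=jk3j2kdso8x73kdjhehakske\r\n"
    "\r\n"
    "------WebKitFormBoundaryaym16ehT29q60rUx\r\n"
    'Content-Disposition: form-data; name="q"\r\n'
    "\r\n"
    "cat /etc/passwd\r\n"
    "------WebKitFormBoundaryaym16ehT29q60rUx--\r\n"
)

# Assumption: a short list of binaries a web form should never be asking the server to run.
SHELL_BINARIES = {"cat", "ls", "id", "whoami", "uname", "wget", "curl", "nc", "bash", "sh", "python", "perl"}

def parse_request(raw: str):
    """Split a raw HTTP request into (request line, lowercase header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers, body

def parse_multipart(body: str, content_type: str) -> dict:
    """Return {field name: value} for a multipart/form-data body (text parts only)."""
    m = re.search(r'boundary=("?)([^";]+)\1', content_type)
    if not m:
        raise ValueError("not a multipart/form-data body")
    delimiter = "--" + m.group(2)
    fields = {}
    for part in body.split(delimiter):
        part = part.strip("\r\n")
        if not part or part == "--":            # preamble or the closing delimiter
            continue
        part_head, _, part_body = part.partition("\r\n\r\n")
        name = re.search(r'name="([^"]*)"', part_head)
        if name:
            fields[name.group(1)] = part_body
    return fields

def triage(raw: str, response_body: Optional[str] = None) -> dict:
    """Summarise what the request shows and how far the evidence actually goes."""
    request_line, headers, body = parse_request(raw)
    fields = parse_multipart(body, headers.get("content-type", ""))
    command = fields.get("q", "")
    argv = shlex.split(command) if command else []
    if response_body is None:
        outcome = "unverified: capture the response to confirm the command ran"
    elif "root:x:0:0:" in response_body:
        outcome = "confirmed: /etc/passwd contents were returned"
    else:
        outcome = "request seen, but the response does not contain the file"
    return {
        "request": request_line,
        "command": command,
        "shell_command": bool(argv) and argv[0] in SHELL_BINARIES,
        "length_ok": len(body.encode()) == int(headers.get("content-length", "-1")),
        "user_agent": headers.get("user-agent", ""),
        "accept_language": headers.get("accept-language", ""),
        "outcome": outcome,
    }

if __name__ == "__main__":
    for key, value in triage(CAPTURED_REQUEST).items():
        print(f"{key:16} {value}")
```

The outcome field is the point: with only the request in hand the function reports "unverified", and it is the response from the break-and-inspect appliance, not the request, that turns "a command was submitted" into "the file was downloaded".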
You have just conducted an automated vulnerability scan against a static webpage without any user input fields. You have been asked to adjudicate the scanner’s findings in the automated report. Which of the following is MOST likely to be a false positive?
A. Reflected XSS
B. Insecure HTTP methods allowed
C. Command injection allowed
D. Directory listing enabled
C. Command injection allowed
Explanation
OBJ-5.1: Command injection is the least likely of these findings to be real, because a static page accepts no user input that could reach a system shell. Command injection works by supplying malicious input to the web application, which then passes it to the operating system shell for execution; in that sense it creates a new execution context and can run commands in languages the web application itself does not support, but it requires server-side code that takes input in the first place. Reflected XSS also needs input, but a scanner can still exercise URL parameters the page ignores, and insecure HTTP methods and directory listing are server-configuration findings that do not depend on input at all, so those are more plausible true positives.
You are performing a web application security test, notice that the site is dynamic, and must be using a back-end database. You decide you want to determine if the site is susceptible to a SQL injection. What is the first character that you should attempt to use in breaking a valid SQL request?
A. Semicolon
B. Single quote
C. Exclamation mark
D. Double quote
B. Single quote
Explanation
OBJ-5.3: The single quote character (') is the string delimiter in SQL. Submitting a lone single quote lets you test whether the programmer properly escapes or parameterizes strings in the targeted application: if not, the quote closes the string the application built around your input and the remainder of the query becomes a syntax error, or, with a crafted payload, additional SQL of your choosing. A database error or a visibly changed response to a single quote is the classic first indicator of SQL injection. A semicolon terminates a statement in many languages and can chain a second statement in some SQL dialects, but it only matters once you have already broken out of the string. An exclamation mark has no special meaning in SQL string syntax. Double quotes delimit identifiers (table and column names) in standard SQL, although some databases such as MySQL also accept them around strings, so they are a secondary probe rather than the first one.
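The single-quote probe carried through on a real query engine, as an added example (not code from the flashcards): a lookup built by string concatenation is run against an in-memory SQLite database with constructed rows, beside its parameterized replacement, using the lone quote first and then the two follow-up payloads a tester reaches for once the quote has produced an error.

```python
"""The single-quote probe against a query built by string concatenation, next to
the parameterized version, on an in-memory SQLite database.
Added example with constructed sample data, not code from the page."""
import sqlite3

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Concatenation: whatever the user typed becomes part of the SQL text."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Parameter binding: the input is handed to the engine as data, never parsed as SQL."""
    return conn.execute("SELECT username, role FROM users WHERE username = ?", (username,)).fetchall()

PROBES = [
    ("quote", "'"),                 # first probe: does a lone quote break the query?
    ("tautology", "' OR '1'='1"),   # if so, close the string and make the WHERE clause always true
    ("comment", "bob' --"),         # or close it and comment out the rest of the statement
]

def probe(conn: sqlite3.Connection, lookup) -> dict:
    """Run each probe through `lookup`; a syntax error on the lone quote is the tell
    that the input is being spliced into the query text."""
    results = {}
    for label, payload in PROBES:
        try:
            results[label] = len(lookup(conn, payload))
        except sqlite3.OperationalError as exc:
            results[label] = f"error: {exc}"
    return results

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", probe(db, lookup_vulnerable))
    print("safe:      ", probe(db, lookup_safe))
```

Against the concatenated query the lone quote produces an unterminated-string error, the tautology returns every row, and the comment payload returns bob's row while discarding the trailing quote; the parameterized query returns nothing for all three, because no user named ' or bob' -- exists.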