Practice Exam Sept 2023 Flashcards

Question 1

Q

Module 01 Introduction to Ethical Hacking

Which set of regulations is concerned with protecting a patient’s medical records?

A. ISO 2002
B. PCI DSS
C. PII
D. HIPAA/PHI

Question 2

Q

Module 01 Introduction to Ethical Hacking

In which phase of the Cyber Kill Chain would an attacker exfiltrate data from your organization?

A. Weaponization
B. Delivery
C. Actions on Objectives
D. Command and Control
E. Exploitation

Question 3

Q

Module 01 Introduction to Ethical Hacking

Which security strategy requires using several, varying methods to protect IT systems against attacks?

A. Three-way handshake
B. Exponential backoff algorithm
C. Covert channels
D. Defense in depth

Question 4

Q

Module 01 Introduction to Ethical Hacking

During a pen-test, you’ve obtained several employee e-mail addresses from their company website. At which phase of the Cyber Kill Chain would you then create a client-side backdoor in order to send it to the victims via e-mail?

A. Reconnaissance
B. Weaponization
C. Delivery
D. Exploitation
E. Installation
F. Command and Control
G. Actions on Objectives

Answer

A

B

In this scenario, the penetration tester has already completed the first stage of reconnaissance by harvesting the employees’ email addresses from public sources. They are now in the second stage of weaponization, where they are creating a client-side backdoor and attaching it to an email in order to deliver it to the employees.

The next stages of the kill chain would be delivery, where the email is sent to the employees, followed by exploitation, installation, and command and control, where the attacker gains access to the target system and establishes a channel for ongoing communication.

Question 5

Q

Module 01 Introduction to Ethical Hacking

In which phase of Incident Handling & Response (IH&R) do you analyze the compromised device to find details like type of attack, severity, target, impact, method of propagation, and vulnerabilities exploited?

A. Preparation
B. Incident Recording and Assignment
C. Incident Triage
D. Notification
E. Containment
F. Evidence Gathering and Forensic Analysis
G. Eradication
H. Recovery
I. Post-Incident Activities

Answer

A

C

In this phase, the identified security incidents are analyzed, validated, categorized, and prioritized. The IH&R team further analyzes the compromised device to find incident details such as the type of attack, its severity, target, impact, and method of propagation, and any vulnerabilities it exploited

Question 6

Q

Module 01 Introduction to Ethical Hacking

Which of these best describes step 3, Delivery, in the Cyber Kill Chain methodology?

A. An intruder creates malware to be used as a malicious attachment to an email.
B. An intruder sends a malicious attachment via email to a target.
C. An intruder’s malware is installed on a target’s machine.
D. An intruder’s malware is triggered when a target opens a malicious email attachment.

Question 7

Q

Module 01 Introduction to Ethical Hacking

What is the process called that can record, log, and resolve events that happen in your company?

A. Metrics
B. Incident management process
C. Internal procedure
D. Security policy

Question 8

Q

Module 01 Introduction to Ethical Hacking

Which best describes white-box testing?

A. The internal operation of a system is only partly accessible to the tester
B. The internal operation of a system is completely known to the tester
C. Only the internal operation of a system is known to the tester
D. Only the external operation of a system is accessible to the tester

Question 9

Q

Module 01 Introduction to Ethical Hacking

Which of these laws was designed to improve the accuracy and accountability of corporate disclosures, and to protect the public from accounting errors and fraudulent activities?

A. SOX
B. HIPAA
C. FedRAMP
D. PCI DSS

Answer

A

The Sarbanes-Oxley Act (SOX) was passed by the Congress of the United States in 2002 and is designed to protect members of the public from being defrauded or falling victim to financial errors on the part of businesses or financial entities. SOX compliance is both a matter of staying in line with the law and making sure your organization engages in sound business principles that benefit both the company and its customers.

Question 10

Q

Module 01 Introduction to Ethical Hacking

Which phase of ethical hacking involves infecting a system with malware, and using phishing to gain access to a system or website?

A. Reconnaissance
B. Scanning
C. Gaining access
D. Maintaining access

Question 11

Q

Module 01 Introduction to Ethical Hacking

You just got an e-mail from someone you’ve never met, claiming that your public website has a zero day vulnerability. The e-mail describes the problem and what you can do to protect yourself from this vulnerability. The e-mail has also been carbon-copied to Microsoft, informing them of the problem that their systems are exposed to. Which type of hacker sent you this e-mail?

A. Black hat
B. Red hat
C. Grey hat
D. White hat

Question 12

Q

Module 01 Introduction to Ethical Hacking

Which best describes gray-box testing?

A. The internal operation of a system is only partly accessible to the tester
B. The internal operation of a system is completely known to the tester
C. Only the internal operation of a system is known to the tester
D. Only the external operation of a system is accessible to the tester

Question 13

Q

Module 01 Introduction to Ethical Hacking

After finding and mitigating the vulnerabilities on your network, some small amount of risk still remains. What is this called?

A. Impact risk
B. Deferred risk
C. Residual risk
D. Inherent risk

Question 14

Q

Module 01 Introduction to Ethical Hacking

Which type of hacker sometimes works offensively, and sometimes works defensively?

A. Suicide hacker
B. Black hat
C. Gray hat
D. White hat

Question 15

Q

Module 01 Introduction to Ethical Hacking

Before a penetration tester can start any hacking activities, it’s most important for her to do which of these?

A. Creating action plan
B. Finding new exploits which can be used during the pentest
C. Preparing a list of targeted systems
D. Ensuring that her activity will be authorized and she will have proper agreement with owners of the targeted system

Question 16

Q

Module 01 Introduction to Ethical Hacking

There has been data-leakage on a workstation, so you go to that station, turn off the power, then remove the keyboard, mouse, and ethernet cable. Which incident-handling step would these activities fall under?

A. Discovery
B. Eradication
C. Containment
D. Recovery

Question 17

Q

Module 01 Introduction to Ethical Hacking

Which type of hacker has no training and only uses basic techniques or tools they found on the internet?

A. White-Hat Hackers
B. Gray-Hat Hackers
C. Black-Hat Hackers
D. Script Kiddies

Question 18

Q

Module 01 Introduction to Ethical Hacking

What makes a penetration test more thorough than a vulnerability scan?

A. A penetration test actively exploits the vulnerabilities in the targeted infrastructure, while a vulnerability scan does not typically involve active exploitation.
B. The tools used by penetration testers tend to have much more comprehensive vulnerability databases.
C. Vulnerability scans only do host discovery and port scanning by default.
D. It is not; a penetration test is often performed by an automated tool, while a vulnerability scan requires active engagement.

Question 19

Q

Module 01 Introduction to Ethical Hacking

Which best describes black-box testing?

A. The internal operation of a system is only partly accessible to the tester
B. The internal operation of a system is completely known to the tester
C. Only the internal operation of a system is known to the tester
D. Only the external operation of a system is accessible to the tester

Question 20

Q

Module 01 Introduction to Ethical Hacking

After assessing the risk of a breach in your web application, you find there is a 40% chance of breach. You implement some controls and now find that the risk of a breach is down to 15%, while your risk threshold for the web application is at 25%. Which of these risk strategies will you most likely employ to continue operations with the most business profit?

A. Avoid the risk
B. Mitigate the risk
C. Accept the risk
D. Introduce more controls to bring the risk to 0%

Question 21

Q

Module 01 Introduction to Ethical Hacking

Federal information systems should have security controls in place, as defined by which of these regulations?

A. PCI-DSS
B. HIPAA
C. NIST-800-53
D. EU Safe Harbor

Question 22

Q

Module 01 Introduction to Ethical Hacking

A risk assessment includes which of these components?

A. Physical security
B. Administrative safeguards
C. DMZ
D. Logical interface

Question 23

Q

Module 01 Introduction to Ethical Hacking

The chance of a hard drive failure is once every four years. The cost to buy a new hard drive is $400. It will require 5 hours to restore the OS and software to the new hard disk. It will require another 5 hours to restore the user data from the last backup to the new hard disk. The recovery tech earns $10/hour. Calculate the SLE, ARO, and ALE. Assume the EF = 1 (100%).

What is the closest approximate cost of this replacement and recovery operation per year?

A. $100
B. $125
C. $500
D. $1500

Answer

A

B

single loss expectancy (SLE)
value of the asset (AV)
exposure factor (EF)
SLE = AV x EF

Annualized rate of occurrence (ARO)
annualized loss expectancy (ALE)
ALE = SLE x ARO

Question 24

Q

Module 01 Introduction to Ethical Hacking

After being hired to do a pen-test, you and the customer fill out a document that describes all the details of the test. This document protects both the customer as well as your legal liabilities as the tester. Which document is being described?

A. Project Scope
B. Service Level Agreement
C. Rules of Engagement
D. Non-Disclosure Agreement

Answer

A

C. The ROE is established before the start of a security test, and gives the test team authority to conduct defined activities without the need for additional permissions.

B. A service-level agreement (SLA) sets the expectations between the service provider and the customer and describes the products or services to be delivered, the single point of contact for end-user problems, and the metrics by which the effectiveness of the process is monitored and approved.

Question 25

Q

Module 01 Introduction to Ethical Hacking

Which of these is a security standard for protecting credit-card information?

A. FISMA
B. PCI-DSS
C. HITECH
D. SOX

Question 26

Q

Module 01 Introduction to Ethical Hacking

In which phase of incident-handling do you define processes/procedures/rules, and create and test back-up and response plans?

A. Preparation phase
B. Identification phase
C. Containment phase
D. Recovery phase

Question 27

Q

Module 01 Introduction to Ethical Hacking

What is the role of test automation in security testing?

A. It is an option but it tends to be very expensive.
B. Test automation is not usable in security due to the complexity of the tests.
C. It can accelerate benchmark tests and repeat them with a consistent setup. But it cannot replace manual testing completely.
D. It should be used exclusively. Manual testing is outdated because of low speed and possible test setup inconsistencies.

Question 28

Q

Module 01 Introduction to Ethical Hacking

All of these are PCI compliance recommendations EXCEPT for which?

A. Use a firewall between the public network and the payment card data.
B. Limit access to card holder data to as few employees as possible.
C. Use encryption to protect all transmission of card holder data over any public network.
D. Rotate employees handling credit card transactions on a yearly basis to different departments.

Question 29

Q

Module 01 Introduction to Ethical Hacking

What should you do if during a pen-test you discover information on the network that implies the client is involved with human trafficking?

A. Copy the data to removable media and keep it in case you need it
B. Ignore the data and continue the assessment until completed as agreed
C. Confront the client in a respectful manner and ask her about the data
D. Immediately stop work and contact the proper legal authorities
E. Go all “Rambo” on the client and free the prisoners immediately.

Question 30

Q

Module 01 Introduction to Ethical Hacking

In order to protect your network from imminent threats, you feed threat intelligence into your security devices in a digital format, in order to identify and block malicious traffic. Which type of threat intelligence are you using here?

A. Tactical threat intelligence
B. Operational threat intelligence
C. Strategic threat intelligence
D. Technical threat intelligence

Answer

A

D

Strategic Cyber Intelligence: The audience does not need technical knowledge. High-level information on changing risks. High-level information on risk-based
intelligence is used by high-level decision-makers (Executives and management). Whitepapers, policy documents, and publications are examples of strategic cyber intelligence.

Operational Cyber Intelligence: Actionable information about specific incoming attacks. It is infiltrating hacker chat rooms to anticipate the incoming attacks.
Tactical Cyber Intelligence: Details of threat actor tactics, techniques, and procedures (TTPs).

Technical Cyber Intelligence: It means technical threat indicators such as specific IOC for SOC Staff.

Question 31

Q

Module 01 Introduction to Ethical Hacking

Alice gathers info about specific threats to your company. She collected this info from humans, social media, chat rooms, as well as from events that resulted in cyberattacks. She created a report that outlined the malicious activities, warnings for emerging attacks, and a recommended course of action. Which type of threat intelligence is this?

A. Tactical threat intelligence
B. Operational threat intelligence
C. Strategic threat intelligence
D. Technical threat intelligence

Question 32

Q

Module 02 Footprinting and Reconnaissance

Which of these is an open-source framework for doing automated recon and info-gathering activities to learn about a target organization?

A. OSINT Framework
B. SpeedPhish Framework
C. WebSploit Framework
D. Browser Exploitation Framework

Answer

A

The OSINT framework is a methodology that integrates data, processes, methods, tools and techniques to help the security team identify information about an adversary or their actions quickly and accurately. An OSINT framework can be used to: Establish the digital footprint of a known threat.

WebSploit is an open source project which is used to scan and analysis remote system in order to find various type of vulnerabilites. This tool is very powerful and supports multiple vulnerabilities.

Question 33

Q

Module 02 Footprinting and Reconnaissance

Which of these Google Dork (Google hacking) operators would you use to show certain file extensions on a website?

A. ext
B. filetype
C. inurl
D. allinurl
E. site
F. location

Question 34

Q

Module 02 Footprinting and Reconnaissance

Passive reconnaissance involves collecting information through which of the following?

A. Social engineering
B. Network traffic sniffing
C. Man in the middle attacks
D. Publicly accessible sources

Question 35

Q

Module 02 Footprinting and Reconnaissance

Which type of footprinting involves gathering domain information, such as domain name, contact details of the owner, and creation & expiration dates?

A. VoIP footprinting
B. Whois footprinting
C. VPN footprinting
D. Email footprining

Question 36

Q

Module 02 Footprinting and Reconnaissance

In order to make convincing phishing e-mails, it helps to know about the company you are going to impersonate. The time you spend on researching this information is called what?

A. Exploration
B. Reconnaissance
C. Investigation
D. Enumeration

Question 37

Q

Module 02 Footprinting and Reconnaissance

You need to monitor your corporate website to analyze the traffic and learn things such as the geographical location of people visiting the site. Which tool would be best suited for this?

A. Webroot
B. Web-Stat
C. WAFW00F
D. WebSite-Watcher

Question 38

Q

Module 02 Footprinting and Reconnaissance

What is the collection of overt and publicly available information known as?

A. Real intelligence
B. Human intelligence
C. Open-source intelligence
D. Social intelligence

Question 39

Q

Module 02 Footprinting and Reconnaissance

Which of these would be the best choice to surf the internet anonymously?

A. Use shared WiFi
B. Use public VPN
C. Use SSL sites when entering personal information
D. Use Tor network with multi-node

Question 40

Q

Module 02 Footprinting and Reconnaissance

Which of these tools can perform DNS lookups and find info such as DNS domain names, computer names, IP addresses, DNS records, and network Whois records?

A. Bluto
B. zANTI
C. Knative
D. Towelroot

Answer

A

A - Bluto is a Python-based tool for DNS recon, DNS zone transfer testing, DNS wild card checks, DNS brute forcing, e-mail enumeration and more.

zANTI is an Android Wireless Hacking Tool that functions as a mobile penetration testing toolkit that lets you assess the risk level of a network using your mobile device for free download.

Knative enables serverless workloads to run on Kubernetes clusters, and makes building and orchestrating containers with Kubernetes faster and easier.

Towelroot allows most Android smartphones users to root their Android device with one click only, as long as it has an unpatched version of the Linux kernel

Question 41

Q

Module 02 Footprinting and Reconnaissance

You have been sent a suspicious e-mail message and want to see who sent it. After looking at the header you see that it was received from an unknown sender at the IP address 145.146.50.60. What web site will allow you to find out more information about an IP address, including who owns that IP?

A. http://www.tucowsdomains.com/whois
B. https://whois.arin.net
C. https://www.networksolutions.com/whois
D. https://www.godaddy.com/whois

Answer

A

B - ARIN’s Whois service is a public resource that allows a user to retrieve information about IP number resources, organizations, POCs, customers, and other entities.

GoDaddy WHOIS search is designed to help you by diving into the WHOIS database for information on domain registration and availability.

Question 42

Q

Module 02 Footprinting and Reconnaissance

Where can you go to see past versions and pages of a website?

A. Samspade.org
B. Search.com
C. Archive.org
D. AddressPast.com

Question 43

Q

Module 02 Footprinting and Reconnaissance

During which hacking process do you surf the internet looking for information about your target company?

A. Scanning
B. Enumerating
C. Footprinting
D. System Hacking

Question 44

Q

Module 02 Footprinting and Reconnaissance

Which Google search operator would limit searches to one domain?

A. [location:]
B. [site:]
C. [allinurl:]
D. [link:]

Answer

A

B

allinurl - Searches for multiple words in the url of the search result.

Question 45

Q

Module 02 Footprinting and Reconnaissance

Which regional internet registry should you use to get detailed info about an IP address in France?

A. ARIN
B. APNIC
C. LACNIC
D. RIPE

Answer

A

D

The major RIRs include:
ARIN (American Registry for Internet Numbers) (https://www.arin.net)
AFRINIC (African Network Information Center) (https://www.afrinic.net)
APNIC (Asia Pacific Network Information Center) (https://www.apnic.net)
RIPE (Réseaux IP Européens Network Coordination Centre) (https://www.ripe.net)
LACNIC (Latin American and Caribbean Network Information Center) (https://www.lacnic.net)

Question 46

Q

Module 02 Footprinting and Reconnaissance

Your network has been breached. You review your logs and discover that an unknown IP address has accessed the network through a high-level port that was not closed. You trace the IP to a proxy server in Argentina. After calling the company that owns the server, they trace it to another proxy in Germany. You call them and they trace it to another proxy in China. What proxy tool has the attacker used to cover his tracks?

A. ISA proxy
B. IAS proxy
C. TOR proxy
D. Cheops proxy

Question 47

Q

Module 02 Footprinting and Reconnaissance

Hacker Joe is using specialized tools and search engines that encrypt his web traffic and allows him to anonymously gather information on the internet. After gathering information, he performs attacks on target organizations without being traced. Which technique was used here?

A. VoIP footprinting
B. VPN footprinting
C. Website footprinting
D. Dark web footprinting

Answer

A

D

Deep Web: Consists of web pages and contents that are hidden and unindexed and cannot be located using traditional web browsers and search engines

Dark Web Darknet: The subset of deep web that enables anyone to navigate anonymously without being traced

Tools: Tor Browser ExoneraTor

Question 48

Q

Module 02 Footprinting and Reconnaissance

You find job listings for network administrators at your competitor’s company. How can reviewing this listing help you footprint their company?

A. To learn about the IP range used by the target network

B. To identify the number of employees working for the company

C. To test the limits of the corporate security policy enforced in the company

D. To learn about the operating systems, services and applications used on the network

Question 49

Q

Module 02 Footprinting and Reconnaissance

Which of these tools can track e-mails and provide info such as sender identities, mail servers, sender IP address, and sender location?

A. Infoga
B. Netcraft
C. Zoominfo
D. Factiva

Answer

A

A - Infoga is used for scanning email addresses using different websites and search engines for information gathering and finding information about leaked information on websites and web apps.

Netcraft is an Internet services company based in London, England. The company provides cybercrime disruption services across a range of industries.

ZoomInfo is sales intelligence software that provides a database of business and professional contact information.

Factiva is a business intelligence platform that includes content from 33,000 news, data and information sources from 200 countries and 32 languages. The platform contains millions of corporate profiles, as well as research tools to analyze media coverage.

Question 50

Q

Module 02 Footprinting and Reconnaissance

Which of these online tools would allow you gather a competitor’s server’s IP address using Whois footprinting, then using that IP, can tell you info such as the network range and topology?

A. AOL
B. Baidu
C. DuckDuckGo
D. ARIN

Answer

A

D

Doing a Whois search on ARIN will tell you a company’s IP range (the IP addresses that have been assigned to them). Using that info, you can scan their IP’s go gain more info. For example, if you find that one of those IP’s is a DNS server, that’s an opportunity to get even more info. If that DNS server is improperly configured, you might be able to get the IP’s of even their internal devices.

Question 51

Q

Module 02 Footprinting and Reconnaissance

Using an image as a search query, which footprinting technique would you use to find information about the image, such as the original source and details, photographs, profile pictures, and memes?

A. Advanced image search
B. Reverse image search
C. Google advanced search
D. Meta search engines

Question 52

Q

Module 02 Footprinting and Reconnaissance

Which of these is a tool to gather a list of words from a target website?

A. Psiphon
B. Shadowsocks
C. Orbot
D. CeWL

Answer

A

D

Orbot and Psiphon are anonymizer tools. Shadowsocks is a proxy tool for mobile. CeWL is an automated tool to “crawl” through a target website to make a list of words or terms. This is very handy if you want to crawl a site to find all the listed e-mail addresses for example. The syntax is easy. For example: #cewl www.moviescope.com

Question 53

Q

Module 02 Footprinting and Reconnaissance

Which of these Google Advanced Search Operators would help you gather info about websites that are similar to a specific URL that you type in?

A. info:
B. related:
C. site:
D. inurl:
E. filetype:

Question 54

Q

Module 02 Footprinting and Reconnaissance

Which tool can scan social media sites for information about a target, including finding their geolocation by using location tags in their photographs?

A. Hootsuite
B. VisualRoute
C. HULK
D. ophcrack

Question 55

Q

Module 02 Footprinting and Reconnaissance

What would you get from this Google query?
site:amazon.com -site:books.amazon.com iphone

A. Results matching all words in the query

B. Results matching “iphone” in domain amazon.com but not on the site books.amazon.com

C. Results from matches on the site books.amazon.com that are in the domain amazon.com but do not include the word iphone

D. Results for matches on amazon.com and books.amazon.com that include the word “iphone”

Question 56

Q

Module 02 Footprinting and Reconnaissance

Which of these is an anonymizer site that would mask and protect your identity as you surf the web?

A. www.baidu.com
B. www.karmadecay.com
C. www.guardster.com
D. www.wolframalpha.com

Answer

A

C

Baidu and Wolfram Alpha are search engines. Karmadecay is an image search engine for Reddit. On this list, only Guardster is a proxy surfing site to hide your IP address and identity as you surf the web.

Question 57

Q

Module 03 Scanning Networks

Which type of message would begin a TCP 3-way handshake?

A. SYN-ACK
B. SYN
C. ACK
D. RST

Question 58

Q

Module 03 Scanning Networks

Which one of these activities would allow an attacker to create a map or outline of the network infrastructure to learn about the environment before attempting to hack it?

A. Enumeration
B. Vulnerability analysis
C. Scanning networks
D. Malware analysis

Question 59

Q

Module 03 Scanning Networks

If you want to check if a host is up and running on your network using nmap, you can perform a “ping scan”. There are several methods for doing this, such as an ARP ping, an ACK ping, etc. Which command below will tell nmap to perform a TCP SYN ping scan?

A. nmap -sn -PO <target>
B. nmap -sn -PA <target>
C. nmap -sn -PS <target>
D. nmap -sn -PP <target></target></target></target></target>

Answer

A

C

-PS/PA/PU/PY[portlist]

TCP SYN/ACK, UDP or SCTP discovery to given ports. Allows you to specify a specific port nmap uses to verify a host is up e.g., -PS22 (by default nmap sends to a bunch of common ports, this allows you to be specific)

Question 60

Q

Module 03 Scanning Networks

Which scanning technique will use a spoofed IP address and a SYN flag to generate port responses?

A. FIN
B. SYN
C. IDLE (side-channel)
D. XMAS

Question 61

Q

Module 03 Scanning Networks

What type of scan is this?
Open port:
SYN->
<-SYN + ACK
RST->

Closed port:
SYN->
<-RST

A. Stealth Scan
B. Full Scan
C. XMAS Scan
D. FIN Scan

Question 62

Q

Module 03 Scanning Networks

You are scanning a network to ensure it is as secure as possible. You send a TCP probe packet to a host with a FIN flag and you receive a RST/ACK response. What does this mean about the port you are scanning?

A. This response means the port is open.
B. The RST/ACK response means the port is disabled.
C. This means the port is half open.
D. This means that the port is closed.

Question 63

Q

Module 03 Scanning Networks

TCP SYN Flood attack abuses the three-way handshake mechanism.

An attacker at system A sends a SYN packet to victim at system B.
System B sends a SYN/ACK packet to A.
Normally, A should send an ACK packet to system B, however, system A does not send an ACK packet to system B. In this case client B is waiting for an ACK packet from client A.
This status of client B is called _________________

A. “half-closed”
B. “half open”
C. “full-open”
D. “xmas-open”

Question 64

Q

Module 03 Scanning Networks

The following is part of a log file taken from the machine on the network with the IP address of 192.168.1.106:

Time:Mar 13 17:30:15 Port:20 Source:192.168.1.103 Destination:192.168.1.106 Protocol:TCP
Time:Mar 13 17:30:17 Port:21 Source:192.168.1.103 Destination:192.168.1.106 Protocol:TCP
Time:Mar 13 17:30:19 Port:22 Source:192.168.1.103 Destination:192.168.1.106 Protocol:TCP
Time:Mar 13 17:30:21 Port:23 Source:192.168.1.103 Destination:192.168.1.106 Protocol:TCP
Time:Mar 13 17:30:22 Port:25 Source:192.168.1.103 Destination:192.168.1.106 Protocol:TCP
Time:Mar 13 17:30:23 Port:80 Source:192.168.1.103 Destination:192.168.1.106 Protocol:TCP
Time:Mar 13 17:30:30 Port:443 Source:192.168.1.103 Destination:192.168.1.106 Protocol:TCP

What type of activity has been logged?

A. Port scan targeting 192.168.1.103
B. Teardrop attack targeting 192.168.1.106
C. Denial of service attack targeting 192.168.1.103
D. Port scan targeting 192.168.1.106

Answer 18

A

-sT TCP Connect Scan
-O reveal further operating system information
-A discover the operating system information

Answer 19

A

B

-sV nmap 192.168.1.1 -sV Attempts to determine the version of the service running on port
-sS nmap 192.168.1.1 -sS TCP SYN port scan (Default)
-v nmap 192.168.1.1 -v Increase the verbosity level (use -vv or more for greater effect)
-Pn nmap 192.168.1.1-5 -Pn Disable host discovery. Port scan only.

Answer 20

A

D

-O nmap 192.168.1.1 -O Remote OS detection using TCP/IP stack fingerprinting
-sS nmap 192.168.1.1 -sS TCP SYN port scan (Default)

Answer 21

A

A Whois domain lookup allows you to trace the ownership and tenure of a domain name.

Answer 22

A

B

Disable Port Scan (-sn)
This option tells Nmap not to run a port scan after host discovery. When used by itself, it makes Nmap do host discovery, then print out the available hosts that responded to the scan. This is often called a “ping scan”.

Answer 23

A

C

Fire walking is the method of determining the movement of a data packet from an untrusted external host to a protected internal host through a firewall.

Answer 24

A

E

-F Fast port scan (100 ports)

Answer 25

A

C

-O nmap 192.168.1.1 -O Remote OS detection using TCP/IP stack fingerprinting

Answer 26

A

-sA TCP ACK port scan
-sT nmap 192.168.1.1 -sT TCP connect port scan (Default without root privilege)
-sX XMAS scan
-sF FIN scan

Answer 27

A

B

-D Send scans from spoofed IPs
-g Use given source port number

-A nmap 192.168.1.1 -A Enables OS detection, version detection, script scanning, and traceroute
-f nmap 192.168.1.1 -f Requested scan (including ping scans) use tiny fragmented IP packets. Harder for packet filters

Answer 28

A

D

-Pn (No ping)
-PU <port> (UDP Ping)
-PY <port> (SCTP INIT Ping)
-PE; -PP; -PM (ICMP Ping Types)</port></port>

An ICMP timestamp ping is a good option if the admin has blocked ICMP ECHO pings. The ICMP timestamp feature is used to synchronize clocks. If you send a timestamp packet, and get a reply, you know the host is up!

Answer 29

A

C

An Idle scan is very stealthy and helps evade an IDS. A Connect scan mimics normal network traffic and is unlikely to be flagged as suspicious. There’s no such thing as a “spoof scan”. A TCP SYN scan, also called a Stealth scan or a Half-Open scan, “attempts” to be stealthy, but it’s an old trick, and is very likely to be flagged by an Intrusion Detection System (IDS).

Answer 30

A

C

ACK scan packets wouldn’t make it to the devices if ports are filtered on that firewall. Nor would a UDP scan. A Maimon scan is an older version of an XMAS, Fin, or Null scan, and also wouldn’t make it through a restrictive firewall. The ARP protocol, on the other hand, would not typically be blocked on a firewall or your network wouldn’t function properly. As long as the target systems are on your same subnet, an ARP ping scan is a great way to discover running hosts.

Answer 31

A

Hping is a free packet generator and analyzer for the TCP/IP protocol. Hping is one of the de-facto tools for security auditing and testing of firewalls and networks, and was used to exploit the Idle Scan scanning technique now implemented in the Nmap port scanner.

Answer 32

A

B

https://nmap.org/nsedoc/scripts/http-methods.html

Answer 33

A

B
D - Wrong Xmas Scan (-sX)

Answer 34

A

C

NTLM (Windows NT LAN Manager) is a suite of protocols used to authenticate a client to a resource in an Active Directory domain. This suite includes NTLMv1, NTLMv2, and NTLM2 Session protocols.

Answer 35

A

B

*DHCP.MIB: Monitors network traffic between DHCP servers and remote hosts
*HOSTMIB.MIB: Monitors and manages host resources
*LNMIB2.MIB: Contains object types for workstation and server services
*MIB_II.MIB: Manages TCP/IP-based Internet using a simple architecture and system
*WINS.MIB: For the Windows Internet Name Service (WINS)

Answer 36

A

B

Try running this command from a Windows machine! If nothing shows up, then you don’t have access to any shares at the moment.

Answer 37

A

D

VRFY: It is used to validate the user on the server.
EXPN: It is used to find the delivery address of mail aliases
RCPT TO: It points to the recipient’s address.

Answer 38

A

NetBIOS Suffixes

D

00: Workstation Service (workstation name)
03: Windows Messenger service.
06: Remote Access Service.
20: File Service (also called Host Record)
21: Remote Access Service client.
1B: Domain Master Browser – Primary Domain Controller for a domain.
1D: Master Browser.

Answer 39

A

C

JXplorer is a cross platform LDAP browser and editor. It is a standards compliant general purpose LDAP client that can be used to search, read and edit any standard LDAP directory, or any directory service with an LDAP or DSML interface. It is highly flexible and can be extended and customised in a number of ways.

Answer 40

A

B

In NSLOOKUP, the -d switch “dumps” all the records for requested zone (domain).

Answer 41

A

C

The -norecursive switch tells nslookup to look for the entry in the cache without going out to the internet to ask other servers for the answer. If the specified entry is present in the cache, then the user must have queried for that information earlier.

Answer 42

A

D

ns: name server
SOA (start of authority)
The -a (all) option is equivalent to setting the -v option and asking host to make a query of type ANY.

Answer 43

A

B

DNS cache snooping is when someone queries a DNS server in order to find out (snoop) if the DNS server has a specific DNS record cached, and thereby deduce if the DNS server’s owner (or its users) have recently visited a specific site

Zone Walking is a technique that is used by attackers to enumerate the full content of DNSSEC-signed DNS zones.

Answer 44

A

B

The order of scanning would be:
1. Check for live systems (ping sweeps, etc)
2. Check for open ports (this tells you the likely services listening on the target)
3. Banner grabbing (tells you the OS)
4. Vulnerability scanning (looks for vulns & flaws on the target)

It helps to know the OS before doing a vulnerability scan because entering the target’s Operating System will help tune the vuln scanner so it can find more information and run scans relevant to that particular OS.

Answer 45

A

D

CVSS v3.0 Ratings
None 0.0
Low 01.-3.9
Medium 4.0-6.9
High 7.0-8.9
Critical 9.0-10.0

Answer 46

A

C

Wireless network assessment determines the vulnerabilities in an organization’s wireless networks. In the past, wireless networks used weak and defective data encryption mechanisms. Now, wireless network standards have evolved, but many networks still use weak and outdated security mechanisms and are open to attack. Wireless network assessments try to attack wireless authentication mechanisms and gain unauthorized access. This type of assessment tests wireless networks and identifies rogue networks that may exist within an organization’s perimeter. These assessments audit client-specified sites with a wireless network. They sniff wireless network traffic and try to crack encryption keys. Auditors test other network access if they gain access to the wireless network.

Answer 47

A

C

Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6400 potentially dangerous files/CGIs, checks for outdated versions of over 1200 servers, and version specific problems on over 270 servers.

SNORT is a powerful open-source intrusion detection system (IDS) and intrusion prevention system (IPS) that provides real-time network traffic analysis and data packet logging. SNORT uses a rule-based language that combines anomaly, protocol, and signature inspection methods to detect potentially malicious activity.

dSniff is a set of password sniffing and network traffic analysis tools written by security researcher and startup founder Dug Song to parse different application protocols and extract relevant information. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.).

Answer 48

A

C

When considering vulnerabilities that could expose sensitive files, databases, and passwords on a Windows file server, the most common issue is often missing patches. Attackers exploit known security flaws that haven’t been patched to gain unauthorized access. In contrast, SQL injection, Cross-site scripting, and CRLF injection are vulnerabilities more commonly associated with web applications rather than file servers.

Answer 49

A

D

A rainbow table uses these pre-computed hash values as a means to crack password databases that do not store their information as plaintext. These tables allow attackers to access secure systems without guessing a password

Answer 50

A

B

Kernel rootkits is particularly tough to observe and take away as a result of they operate at a similar security level because the software itself, and square measure therefore able to intercept or subvert the foremost sure software operations.

Answer 51

A

B

C and C++ are two languages that are highly susceptible to buffer overflow attacks, as they don’t have built-in safeguards against overwriting or accessing data in their memory.

Answer 52

A

If you get someone’s hash, you don’t even need to crack it to log-on to a Windows network. You can just transmit (pass) the hash to the server you want to log-on to. Metasploit (and other tools) has a pass-the-hash module for doing this. Defenses for this include 1) not letting an attacker get your hashes in the first place, 2) Multi-factor authentication, 3) Network segmentation, etc.

Answer 53

A

B

Chntpw is a utility to view some information and reset user passwords in a Windows NT/2000 SAM user database file used by Microsoft Windows Operating System, specifically in NT3.x and later versions.

Answer 54

A

D

Once you gain access to a user account, a successful privilege escalation attack could allow you to gain the rights of another user or admin.

Answer 55

A

B

The correct MSFvenom syntax for generating a Windows reverse TCP shellcode is option (b), with the appropriate LHOST and LPORT values set, format specified as exe, and output redirected to a file named shell.exe.

The parameters LHOST and LPORT should be replaced with your local IP address and the port you wish to use for the reverse connection. The f flag specifies the output format, which in this case is an executable (exe). The ‘>’ operator is used to redirect the generated shellcode into a file named shellcode.exe.

The -p flag specifies the payload to generate. In this case, we are using the windows/shell_reverse_tcp payload, which creates a reverse TCP shell.

The LHOST and LPORT options are used to specify the IP address and port on which the shell will connect back to.

Answer 56

A

Netcat is a tool for reading from, and writing to TCP and UDP network connections. It has nothing to do with cracking passwords, however the other 3 listed tools do.

Answer 57

A

Shellshock, also known as the Bash or Bashdoor vulnerability, was a major security flaw discovered in September 2014. It affected the Bash shell, which is commonly found in Unix-based operating systems, such as Linux, Unix, and OS X (now macOS). Windows, on the other hand, does not use the Bash shell by default and was not directly affected by the Shellshock vulnerability.

Answer 58

A

After exploiting a vulnerability on a Windows system and getting a Meterpreter command prompt back from the victim, the getsystem command will automatically perform several privilege escalation attacks to get “system” privileges, which is basically administrator-level privileges.

The getuid command shows the currently logged-in user’s ID. The autoroute command will allow you to pivot through the victim’s machine to attack yet other machines. There is no keylogrecorder command.

Answer 59

A

C

The multipartite virus has the ability to attack both the boot sector and program files at the same time, causing greater harm than any other virus.

Answer 60

A

Fileless malware uses pre-existing, legitimate tools built into an OS to perform malicious actions. Since these are valid tools, they won’t be flagged by AV or IDPS, and won’t be blocked by whitelisting software.

Answer 61

A

C

A Cavity Virus attempts to install itself inside of the file it is infecting, rather than appending itself to the end of the file like most viruses do. This is a stealth technique that tries to keep the size of the file the same to avoid detection. This is hard to do though, so it’s rare.

Answer 62

A

C

Both the Stealth virus and Cavity virus try to avoid detection using various techniques. A Stealth virus, however, actively and purposefully performs several techniques to hide from your antivirus program. A Cavity virus merely hides inside an executable without changing the original file size. This may trick an end-user, but can still be discovered by antivirus programs.

Answer 63

A

C

Spanning Tree Protocol (STP) is a networking protocol that prevents loops in network topology by disabling redundant paths and determining the shortest path to the root bridge. This is done by electing a root bridge and calculating the shortest path to it, using factors such as port cost and priority. Spanning Tree Protocol is a critical protocol in network infrastructure, but it also has vulnerabilities that can be exploited by attackers. It is essential to configure STP correctly and implement security measures to prevent STP attacks, such as disabling unused switch ports, enabling port security, and using BPDU guard and root guard.

Is it a spanning Tree Protocol attack?
Spanning Tree Protocol (STP) attacks exploit vulnerabilities in the protocol to create network loops or bring down the network. Attackers can use a variety of methods, such as sending malicious Bridge Protocol Data Units (BPDU), to interfere with the STP calculations and force the network to use a sub-optimal path or even create a loop. STP attacks can cause network congestion, broadcast storms, and even network failures, which can have severe consequences for organizations. To prevent STP attacks, network administrators should disable unused switch ports, enable port security, and use BPDU guards and root guards.

Answer 64

A

B

Sniffers usually work at layer 2 of the OSI model. Your NIC grabs frames off the wire. While it’s true that you can then see all the upper layer protocols, the “grabbing” of packets works via your NIC, which is layer 2.

Answer 65

A

B

In an STP manipulation attack, an attacker connects to a switch port and either directly themselves, or through the use of a rogue switch,
attempts to manipulate Spanning Tree Protocol (STP) parameters to become the root bridge. Because the root bridge is responsible for calculating the spanning tree from topology changes advertised by non-root bridges, attackers see a variety of frames that they would

Answer 66

A

Configuring Port Security on the switch is an effective countermeasure against both MAC flood and MAC spoofing attacks. Port Security allows the switch to limit the number of MAC addresses that can be learned on a specific port. This prevents MAC flooding attacks where an attacker floods the switch with fake MAC addresses, overwhelming its memory. Additionally, Port Security can also detect and prevent MAC spoofing attacks by only allowing specific MAC addresses to communicate on a port, blocking any unauthorized MAC addresses. This helps to ensure the integrity and security of the network.

Answer 67

A

C

When you modify and then re-play the traffic back onto the wire, you’ve moved past passive sniffing and now you are doing “active” actions. Passive is merely “watching” and recording, and does not involve sending any traffic.

Answer 68

A

C

21
File Transfer Protocol (FTP) Command Control / session control

22
Secure Shell (SSH) / Secure Copy (SCP)

23
Telnet - Remote login service, unencrypted text messages

Answer 69

A

D

Because it switches segment traffic and knows which particular port to send traffic to

Answer 70

A

B

DHCP snooping is a security feature that acts like a firewall between untrusted hosts and trusted DHCP servers. The DHCP snooping feature performs the following activities: * Validates DHCP messages received from untrusted sources and filters out invalid messages.

Answer 71

A

D

Dynamic ARP Inspection (DAI) is a security feature in MS switches that protects networks against man-in-the-middle ARP spoofing attacks. DAI inspects Address Resolution Protocol (ARP) packets on the LAN and uses the information in the DHCP snooping table on the switch to validate ARP packets.

Answer 72

A

D

After a packet trace is captured between hosts participating in a performance test, tools such as tcptrace can be used to analyze the behavior of the flow. In addition to printing a summary of behavior, tcptrace can output files suitable for use with the xplot tool.

Answer 73

A

C

While nmap can certainly do OS fingerprinting, it is considered active because you send traffic to the target. Tcpdump, on the other hand, is a sniffer, and by observing differences in the traffic you capture, you can determine the OS that sent the traffic. Tcpdump is passive as it does not send traffic to the target.

Answer 74

A

D

Slowloris and PyLoris are DoS attack tools. PLCinject is for attacking PLC’s (Programmable Logic Controller) and OT networks. Evilginx, on the other hand, is a man-in-the-middle attack framework used for phishing credentials and session cookies of any web service.

Answer 75

A

C

The proper term here is masquerading. Yes, it is a form of spoofing, but masquerading is the official term for spoofing the source address to make it appear that the email came from an internal source.

Answer 76

A

C

A Zero-Day attack exploits a previously unknown vulnerability.

Answer 77

A

C

Slowloris is a denial-of-service attack program which allows an attacker to overwhelm a targeted server by opening and maintaining many simultaneous HTTP connections between the attacker and the target.

Answer 78

A

D

A Ping of death (PoD) attack is a denial-of-service (DoS) attack, in which the attacker aims to disrupt a targeted machine by sending a packet larger than the maximum allowable size, causing the target machine to freeze or crash.

Answer 79

A

D

Process of elimination helps with this one! Peer-to-peer attacks use file-sharing hubs, but that’s not mentioned. Ping-of-death uses malformed or oversized packets, but that’s not mentioned in this question either. UDP has no flags, so that’s right out. TCP uses the flags listed above, and is used in creating sessions, thus answer D is the best using process of elimination alone!

Answer 80

A

D

Cognitive radio (CR) is a form of wireless communication in which a transceiver can intelligently detect which communication channels are in use and which are not. It instantly moves into vacant channels while avoiding occupied ones. Thus, if some channels are being jammed or scrambled, the CR can automatically move your communications to an unused (un-attacked) channel.

Answer 81

A

B

TCP/IP hijacking involves the following processes. *The hacker sniffs the communication between the victim and host to obtain the victim’s ISN. *By using this ISN, the attacker sends a spoofed packet from the victim’s IP address to the host system. *The host machine responds to the victim, assuming that the packet arrived from it. This increments the sequence number.

Answer 82

A

D

The session fixation attack “fixes” an established session on the victim’s browser, so the attack starts before the user logs in. Session fixation attacks are designed to exploit authentication and session management flaws.

Answer 83

A

B

Transmission Control Protocol Session Hijacking If a would-be hijacker were to correctly guess the sequence number of TCP segments between the two nodes, then it is quite possible that the hijacker could hijack the session before that session gets established between the original TCP client and the server.

Answer 84

A

B

In this context, the “counter” is the One-Time-Password that the user must have in order to log-in to the system.

Answer 85

A

D

SSH tunneling is a method of transporting arbitrary networking data over an encrypted SSH connection. It can be used to add encryption to legacy applications. It can also be used to implement VPNs (Virtual Private Networks) and access intranet services across firewalls.

Answer 86

A

B

StartTLS is a protocol command used to inform the email server that the email client wants to upgrade from an insecure connection to a secure one using TLS or SSL. StartTLS is used with SMTP and IMAP, while POP3 uses the slightly different command for encryption, STLS.

Answer 87

A

C

IPSec can work in either AH mode or ESP mode. In the older AH mode, it authenticates the sender and provides an integrity check for the data. ESP mode does all of this, but also adds encryption to the mix to protect the payload as well as the headers (if it’s in Tunnel mode).

Answer 88

A

Transport Mode is a method of sending data over the Internet where the data is encrypted but the original IP address information is not. The Encapsulating Security Payload (ESP) operates in Transport Mode or Tunnel Mode. In Transport Mode, ESP encrypts the data but the IP header information is viewable.

Answer 89

A

D

This one comes down to remembering the subtle differences between ARP poisoning and ARP/MAC flooding. With ARP poisoning (spoofing), the attacker spoofs his/her IP address to appear to be the same as the Default Gateway (for example), using his/her own MAC address. Thus, conceptually, there would appear to be 1 IP with 2 different MAC addresses.

Answer 90

A

C

Burp Suite is an integrated platform/graphical tool for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities.

Answer 91

A

B

Wireshark is a protocol analyzer but does not allow you to perform attacks like ARP poisoning. Gobbler is a DHCP starvation attack tool. DerpNSpoof is a DNS poisoning tool (look at the capital letters). BetterCAP is an ARP poisoning tool and can allow you to intercept traffic, do session hijacking, steal/modify/block data, and more.

Answer 92

A

D

First of all, there is only one layer-3 protocol listed here, which is IPSec. If it has “IP” in the name, it’s probably layer 3! Secondly, there are many ways to secure any type of traffic, including FTP. While IPSec is most commonly used to secure VPN traffic, it has many other uses. You can create an IPSec tunnel to securely transmit your FTP traffic.

Answer 93

A

B

File encryption and, in this case, e-mail encryption, takes place at layer-6 or the Presentation Layer.

Answer 94

A

C

If you know the port is closed (not open, not filtered/blocked), then a stateless firewall would allow that packet in, but then it would respond with a RST. A stateful firewall, on the other hand, only allows traffic past if it’s part of an established conversation (only allow traffic past if we asked for it). Since you got no response (no RST), it must not have allowed that packet in, thus we infer it’s a stateful firewall.

Answer 95

A

D

A Network-based intrusion detection system (NIDS) is the most suitable Intrusion Detection System for large environments where critical assets on the network need extra security, as it monitors and analyzes the entire network’s traffic and alerts administrators in case of possible breaches.

Answer 96

A

C

Unicode is an international encoding standard for use with different languages and scripts, by which each letter, digit, or symbol is assigned a unique numeric value that applies across different platforms and programs.

An IDS can be evaded by obfuscating or encoding the attack payload in a way that the target computer will reverse but the IDS will not. An adversary using the Unicode character could encode attack packets that an IDS would not recognize but that an IIS web server would decode and become attacked.

Answer 97

A

C

If both IRC and HTTP are using port 80, but the IRC is blocked and HTTP allowed, something must be inspecting the payload itself and not just the port numbers. An Application-layer (layer 7) firewall can do this.

Answer 98

A

Your junior admin needs more training. ANY time you let outside traffic in, you restrict it to the DMZ only. For example, if you employ answer B and only allow outside traffic to one IP, what if that server gets compromised? The attacker could then pivot and attack the rest of the network. By restricting outside traffic to the DMZ only, any compromise can’t reach the internal LAN.

Answer 99

A

D

Only the web server should be accessible from the internet (place it in the DMZ). From there the server itself can access the internal app & DB servers, but no direct contact should be allowed from internet customers to the app & DB servers.

Answer 100

A

D

The 192.168.1.0/24 address block is a Private address block and without a public IP assigned to the host (normally via DHCP) it will be unable to route traffic to the interne

Answer 101

A

D

Honeyd is a widely used honeypot daemon. A big indicator that’s what you’re talking to is by doing the following: Send a manual Syn flag to the target. You’ll get a SYN/ACK back. A normal computer will re-send the SYN/ACK if it doesn’t get the final ACK in a timely manner. A Honeyd honeypot will not re-send!

Answer 102

A

C

Server-side request forgery is a web security vulnerability that allows an attacker to cause the server-side application to make requests to an unintended location.

In a typical SSRF attack, the attacker might cause the server to make a connection to internal-only services within the organization’s infrastructure. In other cases, they may be able to force the server to connect to arbitrary external systems. This could leak sensitive data, such as authorization credentials.

Answer 103

A

C

A robots.txt file tells search engine crawlers which URLs the crawler can access on your site. This is used mainly to avoid overloading your site with requests; it is not a mechanism for keeping a web page out of Google.

Answer 104

A

HEAD – The HEAD request type only returns the header information and not the actual body of the webpage. This command is useful when you are not interested in returning the body of the page.

GET – In contrast to the last command GET return both the head as well as the body.

Answer 105

A

B

When you enter the wrong credentials to log-in to an application, it should not tell you whether you had the username wrong, or the password wrong! If it does, then you could just keep entering usernames to see which are valid, and which are invalid. Doing that would let you enumerate the valid usernames. In this scenario, the “failure messages” were too verbose. Instead, the app should just use the generic message “incorrect username or password”.

Answer 106

A

D

ISAPI filters are DLL files that can modify incoming or outgoing data to a Microsoft IIS webserver. Among other things, they can sanitize incoming data to protect against many common threats. Be sure to disable unnecessary ISAPI filters though because some of the default filters have known vulnerabilities.

Answer 107

A

D

With the wget command, the -q switch is “quiet” which turns off the screen output (makes it not verbose), and the -S switch is to grab the page’s header or banner information.

Answer 108

A

A watering hole attack is a targeted attack designed to compromise users within a specific industry or group of users by infecting websites they typically visit and luring them to a malicious site. The end goal is to infect the user’s computer with malware and gain access to the organization’s network.

Answer 109

A

D

Burp Suite is a Java application that can be used to secure or penetrate web applications. The suite consists of different tools, such as a proxy server, a web spider, intruder and repeater.

Answer 110

A

C

Cross-site scripting (XSS) is an attack in which an attacker injects malicious executable scripts into the code of a trusted application or website. Attackers often initiate an XSS attack by sending a malicious link to a user and enticing the user to click it.

Answer 111

A

B

A webhook is an HTTP request, triggered by an event in a source system and sent to a destination system, often with a payload of data. Webhooks are automated, in other words they are automatically sent out when their event is fired in the source system.

Answer 112

A

D

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.

Answer 113

A

Connection string parameter pollution (CSPP) is a problem that can be found in many ethical hacking engagements. It refers to the practice of using more than one connection string for a given target or exploit. A compromised system may have multiple connections open, allowing an attacker access to files and systems across organizations by exploiting vulnerabilities in any of those connected applications. Because PHP-FPM is used as the web server engine on many websites, it has been targeted numerous times by attackers looking for CSSP opportunities.

Answer 114

A

BC

Answers B and C are both correct on this one. With Gobuster, you do directory and file brute-forcing with a wordlist, and 10 threads is the default. If you chose either answer here you are correct.

Answer 115

A

Server-Side Includes (SSI) are directives on a web application that allows the contents of files to be automatically loaded into a web page. Examples include headers, footers, logos, navigation menus, etc. Unfortunately, this is susceptible to malicious user input, which is why (once again) we need Input Validation!

Answer 116

A

C

SOAP is a protocol for transferring data between different web services. WS-Security (Web Services-Security) is the component that encrypts the SOAP messages between different web applications, and is often used for transmitting user credentials to authenticate users.

Answer 117

A

D

A .stm file is an html file that contains server-side includes. The .shtm and .shtml are two more types that could also be vulnerable to this type of attack.

Answer 118

A

Netsparker is an automated, yet fully configurable, web application security scanner that enables you to scan websites, web applications and web services, to identify security flaws. Infoga is a tool for gathering e-mail account information from public sources. WebCopier Pro and Ncollector Studio are tools for mirroring an entire website. While that can be useful for searching for vulnerabilities on the site, they are not, in themselves, vulnerability scanners.

Answer 119

A

One of the most effective ways to minimize the chances of successful SQL injection is by using a web application firewall (WAF)

Answer 120

A

B

This is an XML External Entity (XXE) attack, which is #4 on the OWASP top 10 list. It’s basically a Server-Side Request Forgery (SSRF) attack that can occur when a webserver is not doing input validation against incoming XML input. This attack allows the attacker to access protected files and services from servers or connected networks. In the scenario above, Hacker Joe is trying to get the password file from a Linux machine.

The clues to look for in this type of question are the DOCTYPE and ENTITY keywords. These are XML terms and are a big hint that you’re looing at an XXE attack.

Answer 121

A

D

The first line makes a character-based array of variables called “buff”, which should hold 20 values. These values start at “index” number 0 and goes up to number 19 (0-19 is 20 values). The second line tries to put the value ‘x’ in index number 20, but there is no such position. This is attempting overflow that memory buffer, which could cause problems on the target machine.

Answer 122

A

D

The Syhunt Hybrid scanner automates web application security testing and guards the organization’s web infrastructure against web application security threats. Syhunt Hybrid dynamically crawls websites and detects XSS, directory traversal problems, fault injection, SQL injection, attempts to execute commands, and several other attacks.

Answer 123

A

Time-based Injection: This type of SQL injection involves introducing a delay in the SQL query’s execution to observe if there’s a delay in the server’s response. By injecting malicious code that causes a delay, the attacker can infer whether a true condition is met or not based on the delay in the server’s response. If the response time is significantly different, it can indicate the success of the injected condition.

Union-based Injection: Union-based injection involves exploiting SQL queries that use the UNION SQL operator to combine results from multiple SELECT statements. By injecting a crafted UNION query, the attacker can combine their own query results with the original query’s results. This can help the attacker retrieve additional data or test conditions based on the structure of the query.

Answer 124

A

C

Whitelist Validation, Whitelist validation is a best practice whereby only the list of entities (i.e., data type, range, size, value, etc.) that have been approved for secured access is accepted. Whitelist validation can also be termed as positive validation or inclusion.

Answer 125

A

C

Wardriving is a method of hacking that can allow unauthorized users to gain access to a Wi-Fi network.

Answer 126

A

A wireless intrusion prevention system (WIPS) is a dedicated security device or integrated software application that monitors a wireless LAN network’s radio spectrum for rogue access points and other wireless threats.

Answer 127

A

B

DragonBlood attack
The discovered flaws can be abused to recover the password of the Wi-Fi network, launch resource consumption attacks, and force devices into using weaker security groups.

Answer 128

A

E

Wired Equivalent Privacy (WEP)

Answer 129

A

D

The aLTEr attack exploits the fact that LTE user data is encrypted in counter mode (AES-CTR) but not integrity protected, which allows us to modify the message payload: the encryption algorithm is malleable, and an adversary can modify a ciphertext into another ciphertext which later decrypts to a related plaintext.

Answer 130

A

D

An evil twin attack takes place when an attacker sets up a fake Wi-Fi access point hoping that users will connect to it instead of a legitimate one. When users connect to this access point, all the data they share with the network passes through a server controlled by the attacker. An attacker can create an evil twin with a smartphone or other internet-capable device and some readily available software. Evil twin attacks are more common on public Wi-Fi networks which are unsecured and leave your personal data vulnerable.

Answer 131

A

D

Bluesmack is a cyber-attack done on Bluetooth-enabled devices. Basically, it is the type of DoS attack for Bluetooth. When the victim’s device is overwhelmed by huge packets it is known as Blusmacking.

Bluebugging - A cyberattack that seeks to infiltrate the victim’s device through a discoverable Bluetooth connection.

Answer 132

A

C

A possible source of the problem could be that the Wireless Access Point (WAP) does not recognize the client’s MAC address. MAC address filtering is a security feature commonly used in wireless networks to restrict access based on the MAC addresses of devices. If the WAP’s MAC address filtering is enabled and the client’s MAC address is not added to the list of allowed addresses, the WAP will not respond to the client’s association requests.

Answer 133

A

B

KRACK is short for Key Reinstallation Attack. It is an attack that leverages a vulnerability in the Wi-Fi Protected Access 2 (WPA2) protocol, which keeps your Wi-Fi connection secure. For hackers, KRACK is a tool they use when in close range of one of their targets to access encrypted data.

Answer 134

A

D

Downgrade style attacks in general force victims into using older, less secure protocols. In this scenario you’d prefer everyone to use WPA3, but here an attacker “downgraded” a victim’s session to use the older protocol, which the attacker was able to crack.

Answer 135

A

B

TCPDump and Wireshark are protocol analyzers that let you inspect traffic, but they’re not for modifying traffic. Aircrack-ng is a wireless tool that can monitor the wireless network, crack the encryption and authentication, and do other useful wireless activities.

Ettercap is a comprehensive suite for man in the middle attacks. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols and includes many features for network and host analysis.

Answer 136

A

D

With 802.1x you can control access to the network by authorizing only specific user accounts to access these ports.

Answer 137

A

B

If you are interested in BlueTooth pen-testing, more info on the BtleJack tool can be found here: https://github.com/virtualabs/btlejack

Answer 138

A

B

WPA3-Personal replaces the PSK concept used in WPA2 because it uses a modern key establishment protocol called SAE (also known as Dragonfly Key Exchange), which is more secure than a simple pre-shared key. Basically it uses a password that the user can remember, then turns that into a one-time key (that can never be used again) for authentication. This makes it resistant to offline dictionary attacks.

Answer 139

A

B

A Spearphone attack is where a malicious Android app installed on your phone can “listen” to what’s being played through your phone’s loudspeaker. It uses the phone’s accelerometer, which requires no special permissions, to “listen” to your loudspeaker via the vibrations it creates. The app can then transmit that information to an attacker. This lets the bad-guy listen to your phone calls, your Google Assistant, or whatever is coming out of your loudspeaker. Crafty!

Answer 140

A

C

Androrat attacks Android devices. DroidSheep is a session hijack tool that runs on Android. Zscaler is a Security-as-a-Service company. Of the listed answer choices, only Trident attacks an iPhone with the above techniques.

Answer 141

A

B

The Flowmon solution provides IP flow-based monitoring to networks from 10 Mbps to 100 Gbps. It provides network monitoring, security, troubleshooting, IP accounting and billing, capacity planning, user and application monitoring, law fulfilling data retention, Network Performance Monitoring (NPM) and more.

Answer 142

A

D

Wapiti is a SQL injection detection tool. Lacework and NeuVector are container security tools. Censys is an IoT search engine, similar to Shodan and Thingful, that can give you info about a target IoT device, such as manufacturer, geographic location, IP address, hostname, open ports, etc.

Answer 143

A

B

Mirai creates a botnet of IoT devices to then launch DDoS attacks against the attackers chosen victim.

Answer 144

A

B

Human–Machine Interfaces (HMIs) are often called Hacker–Machine Interfaces. Even with the advancement and automation of OT, human interaction and control over the operational process remain challenges due to the underlying vulnerabilities. The lack of global standards for developing HMI software without any defense-in-depth security measures leads to many security problems. Attackers exploit these vulnerabilities to perform various attacks such as memory corruption, code injection, privilege escalation, etc. on target OT systems.

Answer 145

A

D

Optical, Electromagnetic Fault Injection (EMFI):
The main objective of these attacks is to inject faults into devices by PROJECTING LASERS and electromagnetic pulses that are used in analog blocks.

Power/Clock/Reset Glitching:
These types of attacks occur when faults or glitches are INJECTED into the Power supply that can be used for remote execution.

Answer 146

A

B

The Docker daemon ( dockerd ) listens for Docker API requests and manages Docker objects such as images, containers, networks, and volumes.

Answer 147

A

C

The Zero Trust model assumes that every incoming connection is suspect and must undergo strict authentication and access control processes. It follows the principal “Trust no one and validate before providing a cloud service”

Answer 148

A

C

Cloud Carrier - An intermediary for providing connectivity and transport services between cloud consumers and providers.

Answer 149

A

In the Cloudborne scenario, an attacker can first use a known vulnerability in Supermicro hardware to overwrite the firmware of a Baseboard Management Controller (BMC).

Answer 150

A

Vendor lock-in refers to a situation where the cost of switching to a different vendor is so high that the customer is essentially stuck with the original vendor. Because of financial pressures, an insufficient workforce, or the need to avoid interruptions to business operations, the customer is “locked in” to what may be an inferior product or service.

Answer 151

A

D

An adaptive chosen plaintext attack is a chosen plaintext attack scenario in which the attacker has the ability to make his or her choice of the inputs to the encryption function based on the previous chosen plaintext queries and their corresponding ciphertexts. The scenario is more powerful than the basic chosen plaintext attack.

Answer 152

A

C

The big clue here is the word “free”. PGP is only free for 30 days, but after that you have to pay for it. GPG (GNU Privacy Guard) is free.

Answer 153

A

B

Web Of Trust is a model used by PGP, OpenPGP, and GPG where each user acts as a Certificate Authority (CA) and signs each other’s public keys for distribution. In a WoT network, every user has a “ring of public keys” (other user’s keys) to encrypt data to keep it secure.

Answer 154

A

C

Certificate Authority (CA): A CA is a trusted entity responsible for issuing, revoking, and managing digital certificates. It verifies the identity of certificate applicants before issuing certificates, thus establishing a chain of trust.
Registration Authority (RA): The RA assists the CA in the identity verification process. It collects and validates identity information from certificate applicants before passing it to the CA for certificate issuance.

Answer 155

A

D

While both HTTPS and FTPS both use encryption and digital certificates, this scenario specifically talks about file transfers. The best tool here then, would be FTP Secure, which is specifically for file transfers, uses digital certificates and encryption, and would protect sensitive credentials as you log-in to the FTP server.

Answer 156

A

D

DROWN is a serious vulnerability that affects HTTPS and other services that rely on SSL and TLS, some of the essential cryptographic protocols for Internet security. These protocols allow everyone on the Internet to browse the web, use email, shop online, and send instant messages without third-parties being able to read the communication.

Answer 157

A

B

In cryptography, rubber-hose cryptanalysis is a euphemism for the extraction of cryptographic secrets (e.g. the password to an encrypted file) from a person by coercion or torture—such as beating that person with a rubber hose, hence the name—in contrast to a mathematical or technical cryptanalytic attack.

Answer 158

A

C

Single sign-on would verify an employee’s identity while logging on to the network, but in this scenario two people want to exchange data. With PKI, they can exchange certificates with each other, which would validate each user’s identity.

Answer 159

A

The correct answer is ‘Public Key’. Not sure if this is a good question. they all involve the private and public key. … EDIT: Because all these methods use both private and public key, both choices (private and public) key are correct. therefor, i changed the last option from “Private” to “Shared” key. this way the question is a lot less confusion., and it’s only 1 correct answer.

Answer 160

A

C

If the server version is vulnerable to Heartbleed, cybercriminals can retrieve the private key and impersonate the server. The consequences can be quite dire, as secure connections to the server are not possible anymore, and private information can be easily exposed

Answer 161

A

B

When DES started getting old and less secure, they went to 2DES (double-DES) where they would just encrypt traffic with a DES twice, using two different keys. Unfortunately, the Meet-In-The-Middle attack was able to derive one of the keys, which then essentially reduced it back to single DES again. This is why these days we use 3DES as it avoids this problem.

Answer 162

A

C

AES: 128, 192, or 256 bit keys, 128 bit blocks, 10, 12, or 14 rounds
GOST: 256 bit key, 64 bit blocks, 32 rounds
CAST-128: 40-128 bit keys, 64 bit blocks, 12 or 16 rounds
DES: 56-bit key, 64-bit blocks, 16 rounds

Answer 163

A

C

RC5: 128 bit keys, variable block size & number of rounds
TEA: 128 bit keys, 64 bit blocks, 64 rounds
CAST-128: 40-128 bit keys, 64 bit blocks, 12 or 16 rounds
Serpent: 128, 192, or 256 bit keys, 4x32-bit blocks, 32 rounds

Answer 164

A

D

Port 445 is a Microsoft networking port which is also linked to the NetBIOS service present in earlier versions of Microsoft Operating Systems. It runs Server Message Block (SMB), which allows systems of the same network to share files and printers over TCP/IP.

Answer 165

A

C

53
Domain Name System (DNS) service - UDP queries and replies | TCP zone transfers

Answer 166

A

This is one of the many reasons we need to use NTP (or a similar protocol) to synchronize the time on all of your devices!

Brainscape's Knowledge GenomeTM

Practice Exam Sept 2023 Flashcards

Brainscape's Knowledge Genome^TM