Practice Test Questions

Question 1

A company’s policy requires employees to perform file transfers using protocols which encrypt traffic. You suspect some employees are still performing file transfers using unencrypted protocols because the employees don’t like changes. You have positioned a network sniffer to capture traffic from the laptops used by employees in the data ingest department. Using Wireshark to examine the captured traffic, which command can be used as a display filter to find unencrypted file transfers.

A. tcp.port = 23
B. tcp.port == 21
C. tcp.port != 21
D. tcp.port == 21 || tcp.port == 22

Answer 1

B. tcp.port == 21

Question 2

Bob is working as a pen-tester in an organization in Dallas. He performs penetration testing on the IDS to find ways an attacker might evade the IDS. Bob sends large amounts of packets to the IDS which generates a large number of alerts. This enables Bob to hide the real traffic. What type of method is Bob using to evade the IDS?

A. Denial of service
B. Insertion Attack
C. False Positive Generation
D. Obfuscating

Answer 2

C. False Positive Generation

Question 3

This international organization regulates billions of transactions daily and provides security guidelines to protect personally identifiable information (PII). These security controls provide a baseline and prevent low-level hackers sometimes known as script kiddies from causing a data breach.

Which of the following organizations is being described?

A. Institute of Electrical Electronics Engineers (IEEE)
B. Center of Disease Control (CDC)
C. Payment Card Industry (PCI)
D. International Security Industry Organization (ISIO)

Answer 3

C. Payment Card Industry (PCI)

Question 4

True or False; An anomaly-based IDS can identify unknown attacks (attacks without signatures) and signature-based IDS cannot.

True
False

Answer 4

True

Question 5

Which of the following password protection techniques adds a random string of characters to the password before calculating their hashes?

A. Double Hashing
B. Key Stretching
C. Keyed Hashing
D. Salting

Answer 5

D. Salting

Question 6

Which of the following commands will perform an Xmas scan using nmap?

A. nmap -sX 192.168.1.250
B. nmap -sA 192.168.1.250
C. nmap -sV 192.168.1.250
D. nmap -sP 192.168.1.250

Answer 6

A. nmap -sX 192.168.1.250

Question 7

Which of the following is the BEST way to defend against network sniffing?

A. Using encryption protocols to secure network communications
B. Register all machines MAC address in a centralized Database
C. Use Static IP Address
D. Restrict Physical Access to Server Rooms hosting Critical Servers

Answer 7

A. Using encryption protocols to secure network communications

Question 8

What is the process for allowing or blocking a specific port in the Windows firewall? (For example, TCP port 22 inbound)

A. This is not possible without installing third-party software, since Windows only allows changing firewall settings for individual applications.
B. A rule matching these requirements can be created in “Windows Firewall with Advanced Security”, located in the control panel.
C. The only way to implement a specific rule like this is to use the “netsh” program on the command-line.
D. The firewall rule must be added from within the application that is using that port.

Answer 8

B. A rule matching these requirements can be created in “Windows Firewall with Advanced Security”, located in the control panel.

Question 9

You perform a scan of your company’s network and discover that TCP port 123 is open. What services by default run on TCP port 123?

A. DNS
B. Telnet
C. Network Time Protocol
D. POP3

Answer 9

C. Network Time Protocol

Question 10

When configuring wireless on his home router, Javik disables SSID broadcast. He leaves authentication “open”, but sets the SSID to a 32 character string of random letter and numbers. What is an accurate assessment of this scenario from a security perspective?

A. Javik’s router is still vulnerable to wireless hacking attempts, because the SSID broadcast setting can be enables using a specially crafted packet sent to the hardware address of the access point.
B. It is still possible for a hacker to connect to the network after sniffing the SSID from a successful wireless association.
C. Disabling SSID broadcast prevents 802.11 beacons from being transmitted from the access point,
resulting in a valid setup leveraging “security through obscurity”.
D. Since the SSID is required in order to connect, the 32-character string is sufficient to prevent brute-force attacks.

Answer 10

B. It is still possible for a hacker to connect to the network after sniffing the SSID from a successful wireless
association.

Question 11

In cryptanalysis and computer security, 'pass the hash' is a hacking technique that allows an attacker to authenticate to a remote server/service by using the underlying NTLM and/or LanMan hash of a user's password, instead of requiring the associated plaintext password as is normally the case. Metasploit Framework has a module for the technique; psexec. The psexec module is often used by penetration testers to obtain access to a given system that you already know the credentials for. It was written by sysinternals and has been integrated within the framework. Often as
penetration testers, successfully gain access to a system through some exploit, use meterpreter to grab the passwords or other methods like fgdump,pwdump, or cachedump and then utilize rainbow tables to crack
those hash values. 

Which of the following is true hash type and sort order that is used in the psexec module’s ‘smbpass’

A. NTLM:LM
B. LM:NT
C. LM:NTLM
D. NT:LM

Answer 11

C. LM:NTLM

Question 12

Identify the UDP port that the Network Time Protocol (NTP) uses as it’s primary means of communication.

A. 113
B. 161
C. 69
D. 123

Answer 12

D. 123

Question 13

A Security Engineer at a medium-sized accounting firm has been tasked with discovering how much information can be obtained from the firm’s public facing web servers. The engineer decides to start using netcat to port 80. The engineer receives this output:

HTTP/1.1 200 OK Server: Microsoft-IIS/6 Expires: Tue, 17 Jan 2011 01:41:33 GMT Date: Mon, 16 Jan 2011 01:41:33 GMT Content-Type:text/html Accept Ranges: bytes Last-Modified: Wed, 28 Dec 2010 15:32:21 GMT ETag: “b0aac0542e25c31:89d” Content-Length: 7369

Which of the following is an example of what the engineer performed?

A. Cross-site scripting
B. Whois database query
C. SQL injection
D. Banner grabbing

Answer 13

D. Banner grabbing

Question 14

You type the following command at a Linux command prompt:

hping3-c 65535 -i u1 -S -p 80 –rand-source www.targetcorp.com

What action are you performing?

A. Ping of death
B. Port scan of all UDP ports
C. Idle scan of TCP port 80
D. SYN flood

Answer 14

D. SYN flood

Question 15

Elliot is in the process of exploiting a web application that uses SQL as a back-end database. He’s determined that the application is vulnerable to SQL injection, and has introduced conditional timing delays into injected queries to determine whether they are successful. What type of SQL injection is Elliot most likely performing?

A. Error-based SQL injection
B. Blind SQL injection
C. Union-based SQL injection
D. NoSQL injection

Answer 15

B. Blind SQL injection

Question 16

How can rainbow tables be defeated?

A. All uppercase character passwords
B. Passwords salting
C. Use of non-dictionary words
D. Lockout accounts under brute force password cracking attempts

Answer 16

B. Passwords salting

Question 17

You are working as a Security Analyst in a company XYZ that owns the whole subnet range of 23.0.0.0/8 and 192.168.0.0/8. While monitoring the data, you find a high number of outbound connections. You see the IP’s owned by XYZ (internal) and private IP’s are communicating to a Single Public IP is a blacklisted IP, and the internal communicating devices are compromised.

What kind of attack does the above scenario depict?

A. Rootkit Attack
B. Botnet Attack
C. Spear Phishing Attack
D. Advanced Persistent Threats

Answer 17

B. Botnet Attack

Question 18

The name for tools which receive event logs from servers, network equipment, and applications, and perform analysis and correlation on those logs, and can generate alarms for security relevant issues, are known as what?

A. Network Sniffer
B. Intrusion Prevention Server
C. Vulnerability Scanner
D. Security Incident and Event Monitoring

Answer 18

D. Security Incident and Event Monitoring

Question 19

In the field of cryptanalysis, what is meant by a “rubber-hose” attack?

A. A backdoor placed into a cryptographic algorithm by its creator.
B. Extraction of cryptographic secrets through coercion or torture.
C. Forcing the targeted key stream through a hardware-accelerated device such as an ASIC.
D. Attempting to decrypt cipher text by making logical assumptions about the contents of the original plaintext.

Answer 19

B. Extraction of cryptographic secrets through coercion or torture.

Question 20

While scanning with Nmap, Patin found several hosts which have the IP ID sequence of incremental. He then decided to conduct: map - Pn -p- -sl kiosk.adobe.com www.riaa.com Whereas kiosk.adobe.com is the host with incremental IP ID sequence. What is the purpose of using “-sl” with Nmap?

A. Conduct silent scan
B. Conduct stealth scan
C. Conduct ICMP scan
D. Conduct IDLE scan

Answer 20

D. Conduct IDLE scan

Question 21

What TCP scanning method is unlikely to set off network IDS?

A. TCP connect scan
B. TCP SYN scan
C. TCP FIN scan
D. TCP ACK scan

Answer 21

B. TCP SYN scan

Question 22

A new wireless client is configured to join a 802.11 network. This client uses the same hardware and software as many of the other clients on the network. The client can see the network, but cannot connect. A wireless packet sniffer shows that the Wireless Access Point (WAP) is not responding to the association requests being sent by the wireless client.

What is a possible source of this problem?

A. Client is configured for the wrong channel
B. The WAP does not recognize the client’s MAC address
C. The client cannot see the SSID of the wireless network
D. The wireless client is not configured to use DHCP

Answer 22

B. The WAP does not recognize the client’s MAC address

Question 23

If an attacker uses the command SELECT*FROM user WHERE name =’x’ AND userid IS NULL;– which type of SQL injection attack is the attacker performing?

A. Illegal/Logically Incorrect Query
B. Tautology
C. End of Line Comment
D. UNION SQL Injection

Answer 23

C. End of Line Comment

Question 24

In IPv6 what is the major difference concerning application layer vulnerabilities compared to IPv4?

A. Vulnerabilities in the application layer are greatly different from IPv4
B. Implementing IPv4 security in a dual-stack network offers protection from IPv6 attacks too.
C. Due to the extensive security measures built in IPv6, application layer vulnerabilities need not be addressed
D. Vulnerabilities in the application layer are independent of the network layer. Attacks and mitigation
techniques are almost identical.

Answer 24

D. Vulnerabilities in the application layer are independent of the network layer. Attacks and mitigation
techniques are almost identical.

Question 25

Which protocol and port number might be needed in order to send log messages to a log analysis tool that resides behind a firewall?

A. UDP 415
B. UDP 123
C. UDP 514
D. UDP 541

Answer 25

C. UDP 514

Note: This is the SYSLOG Port

Question 26

You are monitoring the network of your organization. You notice the following;

1. There are huge outbound connections from your internal network to
   external ip’s
2. On further investigation you see that the external ip’s are blacklisted
3. Some of the connections are accepted and some are dropped.
4. You find that it’s a CnC communication.

Which of the following would you suggest as a fix?

A. A. Update to the latest signatures on your IDS/IPS
B. C. Clean the likely malware that’s trying to communicate with the external blacklisted IP’s
C. Both B and C
D. B. Block the blacklist IP’s at the firewall

Answer 26

C. Both B and C

Question 27

What is the way to decide how a packet will move from an untrusted outside host to a protected inside that is behind a firewall, which permits the hacker to determine which ports are open and if the packets can pass through the packet-filtering of the firewall.

A. Man-in-the-middle attack
B. Session hijacking
C. Firewalking
D. Network sniffing

Answer 27

C. Firewalking

Question 28

User A is writing a sensitive email message to user B outside the local network. User A has chosen to use PKI to secure his message and ensure only user B can read the sensitive email. At what layer of the OSI layer does the encryption and decryption of the message take place?

A. Application
B. Presentation
C. Transport
D. Session

Answer 28

A. Application

Question 29

If a tester is attempting to ping a target that exists but receives no response or a response that states the destination is unreachable, ICMP may be disabled and the network may be using TCP. Which other option could the tester use to get a response from a host using TCP?

A. Broadcast ping
B. TCP ping
C. Traceroute
D. Hping

Answer 29

D. Hping

Question 30

You are the network administrator at a big university. The
university provides only wifi internet access to students. Ethernet ports are reserved for faculty and some special guests. You discover that students are plugging into ethernet ports and surfing the web from their rooms, which is also causing malware to end up on the faculty network.

What should you do to remedy this problem?

A. Disable unused ports in the switch
B. Ask students to only use the wireless network
C. Use the 801.1x protocol.
D. Separate students into a different VLAN.

Answer 30

C. Use the 801.1x protocol.

Question 31

How is the public key distributed in an orderly, controlled fashion in order that users can be sure of the sender’s identity?

A. Hash value
B. Digital certificate
C. Digital signature
D. Private keys

Answer 31

B. Digital certificate

Question 32

Why should the security analyst disable/remove unnecessary ISAPI filters?

A. To defend against webserver attacks
B. To defend against social engineering attacks.
C. To defend against jailbreaking
D. To defend against wireless attacks

Answer 32

A. To defend against webserver attacks

Question 33

DHCP snooping is a great solution to prevent rogue DHCP servers on your network. Which security feature on switches leverages the DHCP snooping databases to help prevent man-in-the-middle attacks?

A. Dynamic ARP Inspection (DAI)
B. Spanning tree
C. Layer 2 Attack Prevention Protocol (LAPP)
D. Port Security

Answer 33

A. Dynamic ARP Inspection (DAI)

Question 34

When purchasing a biometric system, one of the considerations that should be reviewed is the processing speed. Which of the following best describes what is is meant by processing?

A. How long it takes to setup individual user accounts
B. The amount of time and resources that are necessary to maintain a biometric system
C. The amount of time it takes to be either accepted or rejected from when an individual provides
Identification and authentication information.
D. The amount of time it takes to convert biometric data into a template on a smart card

Answer 34

C. The amount of time it takes to be either accepted or rejected from when an individual provides
Identification and authentication information.

Question 35

Which of the following program infect the system boot sector and executable files at the same time?

A. Macro Virus
B. Multipartite Virus
C. Polymorphic Virus
D. Stealth Virus

Answer 35

B. Multipartite Virus

Question 36

An Intrusion Detection System (IDS) has alerted the network administrator to a possibly malicious sequence of packets sent to Web server in the network’s external DMZ. The packet traffic was captured by the IDS and saved to a PCAP file. What type of network tool can be used to determine if these packets are genuinely malicious or simply a false positive?

A. Network sniffer
B. Intrusion Prevention System (IPS)
C. Protocol analyzer
D. Vulnerability scanner

Answer 36

C. Protocol analyzer

Question 37

You are logged in as a local admin on a Windows 7 system, and you need to launch the Computer Management Console from the command line.

Which command would you use?

A. c:\gpedit
B. c:\ncpa.cpl
C. c:\compmgmt.msc
D. c:\services.msc

Answer 37

C. c:\compmgmt.msc

Question 38

True or False: SYN/FIN scanning using IP fragments splits the TCP header into several packets and makes it difficult for packet filters to detect the purpose of the packet.

True
False

Answer 38

True

Question 39

A hacker is an intelligent individual with excellent computer skills and the ability to explore a computer’s software and hardware with the owner’s permission. Their intention can either be to simply gain knowledge or to illegally make changes. Which of the following class of hacker refers to an individual who works both offensively and defensively at various times?

A. Suicide Hacker
B. Gray Hat
C. Black Hat
D. White Hat

Answer 39

B. Gray Hat

Question 40

Which of below hashing functions are not recommended for use:

A. SHA-1,ECC
B. SHA-2,SHA-3
C. MD5,SHA-5
D. MD5,SHA-1

Answer 40

D. MD5,SHA-1

Question 41

Shellshock had the potential for an unauthorized user to gain access to a server. It affected many internet-facing services, which OS did it not directly affect?

A. Linux
B. Windows
C. Unix
D. OS X

Answer 41

B. Windows

Question 42

PGP, SSL, and IKE are all examples of which type of cryptography?

A. Public Key
B. Hash Algorithm
C. Secret Key
D. Digest

Answer 42

A. Public Key

Question 43

Which component of IPsec performs protocol-level functions that are required to encrypt and decrypt the packets?

A. Oakley
B. IPsec Policy Agent
C. IPsec driver
D. Internet Key Exchange (IKE)

Answer 43

C. IPsec driver

Question 44

An IT staff person gets a call from one of the company’s top customers. The caller wanted to know about the company’s network infrastructure, systems and team. New opportunities of integration are in sight for both company and customer. What should this employee do?

A. The employee should not provide any information without previous management authorization.
B. The employee should provide the name of the person in charge.
C. Tell them all they want to know. It’s great customer service.
D. Disregard the call.

Answer 44

A. The employee should not provide any information without previous management authorization.

Question 45

What network security concept requires multiple layers of security controls to be placed through out the IT infrastructure, which improves the security posture of an organization to defend against malicious attacks or potential vulnerabilities?

A. Defense in Depth
B. Network-Based Intrusion Detection System
C. Host-Based Instrusion Detection System
D. Security through obscurity

Answer 45

A. Defense in Depth

Question 46

Which of these devices is capable of searching for and locating rogue access points?

A. WIPS
B. NIDS
C. WISS
D. HIDS

Answer 46

A. WIPS

Question 47

What is the known plaintext attack used against DES which results in the result that encrypting plaintext with one DES key followed by encrypting it with a second DES key is no more secure than using a single key

A. Replay attack
B. Man-in-the-middle attack
C. Meet-in-the-middle attack
D. Traffic analysis attack

Answer 47

C. Meet-in-the-middle attack

Question 48

An LDAP directory can be used to store information similar to a sql database. LDAP uses a ____ database structure instead of SQL’s ____structure. Because of this, LDAP has difficulty representing many-to-one relationships.

A. Relational, Hierarchical
B. Strict, Abstract
C. Simple, Complex
D. Hierarchical, Relational

Answer 48

D. Hierarchical, Relational

Question 49

Scenario: 1. Victim opens the attacker’s web site.

2. Attacker sets up a web site which contains interesting and attractive content like ‘Do you want to make $1000 in a day?”
3. Victim clicks to the interesting and attractive content url.
4. Attacker creates a transparent ‘iframe’ in front of the url which victim attempts to click, so victim thinks that he/she clicks to the ‘Do you want to make $1000 in a day?’ url but actually he/she clicks to the content or url that exists in the transparent ‘iframe’ which is setup by the attacker.

What is the name of the attack which is mentioned in the scenario?

A. ClickJacking Attack
B. HTML Injection
C. Session Fixation
D. HTTP Parameter Pollution

Answer 49

A. ClickJacking Attack

Question 50

Matthew, a black hat, has managed to open a meterpreter session to one of the kiosk machines in Evil Corp’s lobby. He checks his current SID, which is S-1-5-21-1223352397-1872883824-861252104-501. What needs to happen before Matthew has full administrator access?

A. He already has admin privileges, as shown by the “501” at the end of the SID.
B. He needs to disable antivirus protection.
C. He must perform privilege escalation.
Your answer
D. He needs to gain physical access.

Answer 50

C. He must perform privilege escalation.

Your answer

Question 51

Which of the following bluetooth hacking techniques does and attacker use to send messages to users without the recipient’s consent, similar to email spamming?

A. BlueSniffing
B. Bluesnarfing
C. Bluejacking
D. Bluesmacking

Answer 51

C. Bluejacking

Question 52

What type of analysis is performed when an attacker has partial knowledge of inner-workings of the application?

A. Black-box
B. Announced
C. Grey-box
D. White-box

Answer 52

C. Grey-box

Question 53

Email is transmitted across the Internet using the Simple Mail Transport Protocol. SMTP doesn’t encrypt email, leaving the information in the message vulnerable to being read by an unauthorized person. SMTP can upgrade a connection between two mail servers to
use TLS. Email transmitted by SMTP over TLS is encrypted. What is the name of the command used by SMTP to transmit email over TLS?

A. OPPORTUNISTICTLS
B. FORCETLS
C. STARTTLS
D. UPGRADETLS

Answer 53

A. OPPORTUNISTICTLS

Question 54

Which of the following attacks exploits web page vulnerabilities that allow an attacker to force an unsuspecting user’s browser to send malicious requests they did not intend?

A. File Injection Attack
B. Command Injection Attacks
C. Cross-Site Request Forgery
D. Hidden Field Manipulation Attack

Answer 54

C. Cross-Site Request Forgery

Question 55

This tool is an 802.11 WEP and WPA-PSK keys cracking program that can recover keys once enough data packets have been captured. It implements the standard FMS attack along with some optimizations like KoreK attacks, as well as the PTW attack, thus making the attack much faster compared to other WEP cracking tools.

A. Aircrack-ng
B. Airguard
C. WLAN-crack
D. wificracker

Answer 55

A. Aircrack-ng

Question 56

By using a smart card and pin, you are using a two-factor authentication that satisfies

A. Something you have and something you know
B. Something you are and something you remember
C. Something you know and something you are
D. Something you have and something you are

Answer 56

A. Something you have and something you know

Question 57

A tester has been hired to do a web application security test. The tester notices that the site is dynamic and must make use of a back end database. In order for the tester to see if SQL injection is possible, what is the first character that the tester should use to attempt breaking a valid SQL request?

A. Exclamation mark
B. Single quote
C. Semicolon
D. Double quote

Answer 57

B. Single quote

Question 58

You just set up a security system in your network. In what kind of system would you find the following string of characters used as a rule within its configuration?

alert tcp any any -> 192.168.100.0/24 21 (msg: “‘FTP on the
network!””;)

A. A firewall IPTable
B. A Router IPTable
C. FTP Server rule
D. An Intrusion Detection System

Answer 58

D. An Intrusion Detection System

Question 59

Firewalls are the software or hardware systems that are able to control and monitor the traffic coming in and out of the network based on pre-defined sets of rules. Which of the following types of firewalls can protect against SQL injection attacks?

A. Stateful firewall
B. Data-driven firewall
C. Packet firewall
D. Web application firewall

Answer 59

D. Web application firewall

Question 60

A newly discovered flaw in a software application would be considered which kind of security vulnerability?

A. Time-to-check to time-to-use flaw
B. HTTP header injection vulnerability
C. Input validation flaw
D. 0-day vulnerability

Answer 60

D. 0-day vulnerability

Question 61

This proprietary information security standard wireless guidelines classify CDEs (Cardholder Data Environments) into three scenarios depending on WLANs deployment. What standard is being mentioned?

A. ISO 27001
B. HIPPA
C. SOX
D. PCI

Answer 61

D. PCI

Question 62

As an Ethical Hacker you are capturing traffic from your customer network with Wireshark and you need to find and verify just SMTP traffic. What command in Wireshark will help you to find this kind of traffic?

A. request smtp 25
B. smtp port
C. tcp.contains port 25
D. tcp.port eq 25

Answer 62

D. tcp.port eq 25

Question 63

What is the most important for a pen tester before he can start any hacking activities:

A. Finding new exploits which can be used during the pentest
B. Ensuring that his activity will be authorized and he will have proper agreement with owners of targeted
system
C. Creating action plan
D. Preparing a list of targeted systems

Answer 63

B. Ensuring that his activity will be authorized and he will have proper agreement with owners of targeted
system

Question 64

Cross-Site request forgery involves:

A. Modification of a request by a proxy between client and server
B. A request sent by a malicious user from a browser to a server
C. A server making a request to another server without the user’s knowledge
D. A browser making a request to a server without the user’s knowledge

Answer 64

D. A browser making a request to a server without the user’s knowledge

Question 65

What attack is used to crack passwords by using a precomputed table of hashed passwords?

A. Hybrid Attack
B. Rainbow Table Attack
C. Brute Force Attack
D. Dictionary Attack

Answer 65

B. Rainbow Table Attack

Question 66

Which of the following DoS tools is used to attack targets web applications by starvation of available sessions on the web server?

A. Stacheldraht
B. R-U-Dead-Yet? (RUDY)
C. MyDoom
D. LOIC

Answer 66

B. R-U-Dead-Yet? (RUDY)

Question 67

Jesse receives an email with an attachment labeled
“Court_Notice_21206.zip”. Inside the zip file is a file name
“Court_Notice_21206.docx.exe” disguised as a word document. Upon execution, a window appears stating, “This word document is corrupt.” In the background, the file copies itself to Jesse APPDATA\local directory and begins to beacon to a C2 server to download additional
malicious binaries. What type of malware has Jesse encountered?

A. Macro Virus
B. Key-Logger
C. Worm
D. Trojan

Answer 67

D. Trojan

Question 68

When conducting a penetration test it is crucial to use all means to get all available information about the target network. One of the ways to do that is by sniffing the network. Which of the following cannot be performed by passive network sniffing?

A. Identifying operating systems, services, protocols and devices.
B. Capturing network trafifc for further analysis
C. Collecting unencrypted information about usernames and passwords.
D. Modifying and replaying captured network traffic.

Answer 68

D. Modifying and replaying captured network traffic.

Question 69

This tool is an 802.11 WEP and WPA-PSK keys cracking program that can recover keys once enough data packets have been captured. It implements the standard FMS attack along with some optimizations like KoreK attacks, as well as the PTW attack, thus making the attack much faster compared to other WEP cracking tools.

A. Aircrack-ng
B. Airguard
C. WLAN-crack
D. wificracker

Answer 69

A. Aircrack-ng

Question 70

Identify the web application attack where attackers exploit vulnerabilities in dynamically generated web pages to inject client-side script into web pages viewed by other users.

A. LDAP Injection attack
B. Cross Site Request Forgery (CSRF)
C. SQL Injection attack
D. Cross Site Scripting (XSS)

Answer 70

D. Cross Site Scripting (XSS)

Question 71

You’re doing an internal security audit and you want to find out what ports are open on all the servers. What is the best way to find out?

A. Scan servers with Nmap
B. Scan servers with MBSA
C. Telnet to every port on each server
D. Physically go to each server

Answer 71

A. Scan servers with Nmap

Question 72

On performing a risk assessment, your need to determine the potential impacts when some of the critical business processes of the company interrupt its’ service. What is the name of the process by which you can determine those critical businesses?

A. Risk Mitigation
B. Disaster Recovery Planning (DRP)
C. Emergency Plan Response (EPR)
D. Business Impact Analysis (BIA)

Answer 72

D. Business Impact Analysis (BIA)

Question 73

During a recent security assessment, you discover the organization has one Domain Name Server (DNS) in a Demilitarized Zone (DMZ) and a second DNS server on the internal network. What is this type of DNS configuration commonly called?

A. DNSSEC
B. DynDNS
C. Split DNS
D. DNS Scheme

Answer 73

C. Split DNS

Question 74

Which command can be used to show current TCP/IP connections.

A. Net use
B. Net use connection
C. Netsh
D. Netstat

Answer 74

D. Netstat

Question 75

A hacker named Bob is trying to compromise a bank’s computer system. He needs to know the operating system of that computer to launch further attacks. What process would help him?

A. Banner Grabbing
B. SSDP Scanning
C. IDLE Scanning
D. UDP Scanning

Answer 75

A. Banner Grabbing

Question 76

Rebecca commonly sees an error on her Windows system that states that a Data Execution Prevention (DEP) error has taken place. Which of the following is most likely taking place?

A. A race condition is being exploited, and the operating system is containing the malicious process
B. A page fault is occurring, which forces the operating system to write data from the hard drive
C. Malicious code is attempting to execute instruction in a non executable memory region.
D. Malware is executing in either ROM or a cache memory area

Answer 76

C. Malicious code is attempting to execute instruction in a non executable memory region.

Question 77

How does Address Resolution Protocol (ARP) work?

A. It sends a reply packet to all the network elements, asking for the MAC address from a specific IP
B. It sends a request packet to all the network elements, asking for the domain name from specific IP.
C. It sends a request packet to all the network elements, asking for the MAC address from a specific IP.
D. It sends a reply packet for a specific IP, asking for the MAC address.

Answer 77

C. It sends a request packet to all the network elements, asking for the MAC address from a specific IP.

Question 78

Port scanning can be used as part of a technical assessment to determine network vulnerabilities. The TCP XMAS scan is used to identify listening ports on the targeted system. If a scanned port is open, what happens

A. The port will send an ACK
B. The port will ignore the packets.
C. The port will send an RST
D. The port will send a SYN

Answer 78

B. The port will ignore the packets.

Question 79

In Wireshark, the packet bytes panes show the data of the current packet in which format?

A. ASCII only
B. Hexadecimal
C. Binary
D. Decimal

Answer 79

B. Hexadecimal

Question 80

Matthew executed a scan against a target and found several vulnerabilities. A few minutes later he scanned again and the target responded with no vulnerabilities and all ports appeared to be closed. What was the most probably the root cause of these changing results?

A. Administrator of the scanned system updated most of the vulnerabilities
B. The second the scan was blocked by an IPS
C. Mathew’s scan was blocked by Firewall
D. The second scan was blocked by an IDS

Answer 80

B. The second the scan was blocked by an IPS

Question 81

Your company provides data analytics services to several large clients. A new client says that your company is required to sign a Business Associate Agreement (BAA) document before they will transfer any data to your company will handle the client’s data and specific security requirements.

What regulation, which requires a Business Associate Agreement for some vendors, is the client following?

A. ISO 27001
B. SOC
C. HIPAA
D. PCI

Answer 81

C. HIPAA

Question 82

This type of virus tries to install itself inside of a file.

A. Polymorphic Virus
B. Stealth Virus
C. Cavity virus
D. Tunneling Virus

Answer 82

C. Cavity virus

Question 83

Which method of password cracking takes the most time and effort?

A. Shoulder surfing
B. Dictionary attack
C. Rainbow tables
D. Brute force

Answer 83

D. Brute force

Question 84

Log monitoring tools performing behavioral analysis have alerted to several suspicious logins on a Linux server occurring during non-business hours. After further examination of all login activity it is noticed that none of the logins have occurred during typical work hours. A Linux administrator who is investigating this problem realizes that the system time on the Linux server is wrong by more than twelve hours. What protocol used on Linux servers to synchronize the time has stopped working?

A. NTP
B. Timekeeper
C. OSPF
D. PPP

Answer 84

A. NTP

Question 85

Darius just received a call:

Unknown caller: Hello, my name is Rashad and I’m a security engineer from Microsoft Corporation. We have observed suspicious activity originating from your system and we would like to stop this threat. To do so I would ask you to install some updated on your system. Would
you prefer to send me your link or an attachment within this email?

Darius: Hello, please send me an email with the attachment at darius@protonmail.com

Unknown caller: Thank you for your cooperation I’m sending instruction and all files.

What Darius just faced?

A. Piggybacking
B. Just normal call from Microsoft Cyberdivision
C. Social Engineering Attack
D. Tailgating

Answer 85

C. Social Engineering Attack

Question 86

After trying multiple exploits, you’ve gained root access to a Centos 6 server. To ensure you maintain access, what would you do first?

A. Download and Install Netcat
B. Disable IPTables
C. Disable Key Services
D. Create User Account

Answer 86

A. Download and Install Netcat

Question 87

env x=() { :;};echo exploit bash -c ‘cat /etc/passwd’
What is the Shellshock bash vulnerability attempting to do on an vulnerable Linux host?

A. Add new user to the passwd file
B. Changes all passwords in passwd
C. Removes the passwd file
D. Display passwd content to prompt

Answer 87

D. Display passwd content to prompt

Question 88

What is the most common method to exploit the “Bash Bug” or “ShellShock” vulnerability?

A. Through Web servers utilizing CGI (Common Gateway Interface) to send a malformed environment
variable to a vulnerable Web server
B. SSH
C. SYN Flood
D. Manipulate format strings in text fields

Answer 88

A. Through Web servers utilizing CGI (Common Gateway Interface) to send a malformed environment
variable to a vulnerable Web server

Question 89

Security Policy is a definition of what it means to be secure for a system, organization or other entity. For Information Technologies, there are sub-policies like Computer Security Policy, Information Protection Policy, Information Security Policy, Network Security Policy, Physical Security Policy, Remote Access Policy, and User Account Policy. What is the main theme of the sub-policies for Information Technologies?

A. Authenticity, Integrity, Non-repudiation
B. Confidentiality, Integrity, Availability
C. Availability, Nonrepudiation, Confidentiality
D. Authenticity, Confidentiality, Integrity

Answer 89

B. Confidentiality, Integrity, Availability

Question 90

The Payment Card Industry Data Security Standard (PCI DSS) contains six different categories of control objectives. Each objective contains one or more requirements, which must be followed in order to achieve compliance.

Which of the following requirements would best fit under the objective, “Implement strong access control measures”?

A. Regularly test security systems and processes.
B. Use and regularly update anti-virus software on all systems commonly affected by malware.
C. Assign a unique ID to each person with computer access
D. Encrypt transmission of cardholder data across open, public networks

Answer 90

C. Assign a unique ID to each person with computer access

Question 91

Your computer is able to transfer files locally to other machines, but cannot successfully reach the Internet. When a technician examines the IP address and default gateway, they are both on the 192.168.1.0/24 network. Which of the following has occurred?

A. The gateway is not routing to the public IP address
Your answer
B. The gateway and the computer are not on the same network.
C. The computer is not using a private IP address
D. The computer is using an invalid IP address

Answer 91

A. The gateway is not routing to the public IP address

Your answer

Question 92

Tremp is an IT Security Manager, and he is planning to deploy an IDS in his small company. He is looking for an IDS with the following characteristics:

• Verifies success or failure of an attack
• Monitors System Activities
• Detects attacks that a network based IDS fail to detect
• Near real time detection and response
• Does not require additional hardware
• Lower entry cost

Which type of IDS is best suited for Tremp’s requirements?

A. Gateway based IDS
B. Host based IDS
C. Network based IDS
D. Open source based IDS

Answer 92

B. Host based IDS

Question 93

During the process of encryption and decryption, what keys are shared?

A. Public keys
B. Private keys
C. Public and private keys
D. User passwords

Answer 93

A. Public keys

Question 94

Your company has web servers, DNS servers, and mail servers in a DMZ that are accessible from the Internet. Hackers have been scanning your public IP addresses and you even suspect they have begun enumerating some targets. Your company performs daily Nessus scans to find live hosts, open ports, and vulnerabilities. The Nessus scanner is connected to your internal network.

A. Have the firewall rules modified so that the Nessus server on the internal network is able to scan the hosts in the DMZ.
B. Leave the Nessus server in the internal network but add a second network card so that it can be connected to a switch in the DMZ. This will allow the Nessus server to have access to the internal and DMZ networks.
C. Run Nessus from a server that resides in the DMZ so that no firewalls, IPS or other security products interfere
with the scan.
D. Run Nessus from a location on the Internet which is separate from the company’s network so that no
firewalls, IPS, or other security products interfere with the scan.

Answer 94

D. Run Nessus from a location on the Internet which is separate from the company’s network so that no
firewalls, IPS, or other security products interfere with the scan.

Question 95

Which of the following is true regarding a PKI system?

A. The RA verifies an applicant to the system
B. The RA issues all certificates
C. The CA encrypts all messages
D. The CA is the recovery agent for lost certificates

Answer 95

A. The RA verifies an applicant to the system

Question 96

You are performing a penetration test. You achieved access via a buffer overflow exploit and you proceed to find interesting data, such as files with usernames and passwords. You find a hidden folder that has the administrator’s bank account password and login information for the administrator’s bitcoin account. What should you do?

A. Do not report it and continue the penetration test.
B. Transfer money from the administrator’s account to another account.
C. Report immediately to the administrator.
D. Do not transfer the money but steal the bitcoins.

Answer 96

C. Report immediately to the administrator.

Question 97

Which Metasploit Framework tool can help penetration tester for evading Anti-virus Systems?

A. msfencode
B. msfd
C. msfcli
D. msfpayload

Answer 97

A. msfencode

Question 98

An attacker attaches a rogue router in a network. He wants to redirect traffic to a LAN attached to his router as part of a man-in-the-middle attack. What measure on behalf of the legitimate admin can mitigate this attack?

A. Redirection of the traffic cannot happen unless the admin allow it explicitly
B. Make sure that legitimate network routers are configured to run routing protocols with authentication.
C. Disable all routing protocols and only use static routes
D. Only using OSPFv3 will mitigate this risk.

Answer 98

B. Make sure that legitimate network routers are configured to run routing protocols with authentication.

Question 99

Peter is surfing the internet looking for information about DX Company. Which hacking process is Peter doing?

A. Scanning
B. System Hacking
C. Enumeration
D. Footprinting

Answer 99

D. Footprinting

Question 100

What is the correct process for the TCP three-way handshake connection establishment and connection termination?

A. Connection Establishment: FIN, ACK-FIN, ACK Connection Termination: SYN, SYN-ACK, ACK
B. Connection Establishment: SYN, SYN-ACK, ACK Connection Termination: ACK, ACK-SYN, SYN
C. Connection Establishment: ACK, ACK-SYN, SYN Connection Termination: FIN, ACK-FIN, ACK
D. Connection Establishment: SYN, SYN-ACK, ACK Connection Termination: FIN, ACK-FIN, ACK

Answer 100

D. Connection Establishment: SYN, SYN-ACK, ACK Connection Termination: FIN, ACK-FIN, ACK

Question 101

Your next door neighbor, that you do not get along with, is having issues with their network, so he yells to his spouse the network’s SSID and password and you hear them both clearly. What do you do with this
information?

A. Only use his network when you have large downloads so you don’t tax your own network
B. Nothing, but suggest to him to change the network’s SSID and password
C. Log onto his network, after all its his fault that you can get it.
D. Sell his SSID and password to friends that come to your house, so it doesn’t slow down your network.

Answer 101

B. Nothing, but suggest to him to change the network’s SSID and password

Question 102

What does a firewall check to prevent particular ports and applications from getting packets into an organization?

A. Application layer port numbers and the transport layer headers
B. Presentation layer headers and the session layer port numbers
C. Transport layer port numbers and application layer headers
D. Network layer headers and the session layer port numbers

Answer 102

C. Transport layer port numbers and application layer headers

Question 103

An enterprise recently moved to a new office and the neighborhood is a little risky. The CEO wants to monitor the physical perimeter and the entrance doors 24 hours. What is the best option to do this job?

A. Use fences in the entrance doors
B. Install a CCTV with cameras pointing to the entrance doors and the street
C. Use lights in all the entrance doors and along the company’s perimeter
D. Use and IDS in the entrance doors and install some of them near the corners

Answer 103

B. Install a CCTV with cameras pointing to the entrance doors and the street

Question 104

Sophia travels a lot and worries that her laptop containing confidential documents might be stolen. What is the best protection that will work for her?

A. BIOS password
B. Password protected files
C. Hidden folders
D. Full disk encryption

Answer 104

D. Full disk encryption

Question 105

Which of the following is considered an exploit framework and has the ability to perform automated attacks on services, ports, applications and unpatched security flaws in a computer system?

A. Wireshark
B. Metasploit
C. Nessus
D. Maltego

Answer 105

B. Metasploit

Question 106

The purpose of a _______ is to deny network access to local area networks and other information assets by unauthorized wireless devices.

A. Wireless Access Point
B. Wireless Analyzer
C. Wireless Access Control List
D. Wireless Intrusion Prevention System

Answer 106

D. Wireless Intrusion Prevention System

Question 107

The company ABC recently contract a new accountant. The accountant will be working with the financial statements. Those financial statements need to be approved by the CFO and then they will be sent to the accountant but the CFO is worried because he wants to be sure that the information sent to the account was not modified once he approved it. What of the following options can be useful to ensure the integrity of the data?

A. The document can be sent to the accountant using an exclusive USB for that document
B. he CFO can use an excel file with a password
C. The financial statements can be sent twice, one by email and the other delivered in USB and the accountant can
compare both to be sure is the same document
D. The CFO can use a hash algorithm in the document once he approved the financial statements

Answer 107

D. The CFO can use a hash algorithm in the document once he approved the financial statements

Question 108

You are performing a web application penetration test for one of your clients. The app uses HTTPS exclusively. You configure your browser to use Burp Suite as a proxy, but immediately receive a certificate error when attempting to visit the website. Which steps would you follow to remove this warning for all websites, and what
would be the associated security risk?

A. Add the Burp Suite certificate as a trusted root CA for your browser/OS. This would expose you to man-
in-the-middle attacks from anyone possessing the same certificate.
B. Configure your browser to ignore all SSL/TLS certificate warning. This would make your HTTPS sessions
C. Start sslstrip and redirect port 443 to its listening port. This ensures that plaintext sessions are not upgraded to
SSL/TLS.
D. Force your browser to connect over port 80. Data would be transmitted in cleartext, removing the need for
certificated. vulnerable to ARP spoofing on the local LAN.

Answer 108

A. Add the Burp Suite certificate as a trusted root CA for your browser/OS. This would expose you to man-
in-the-middle attacks from anyone possessing the same certificate.

Question 109

You want to analyze packets on your wireless network. Which program would you use?

A. Wireshark with Airpcap
B. Ethereal with Winpcap
C. Wireshark with Winpcap
D. Airsnort with Airpcap

Answer 109

A. Wireshark with Airpcap

Question 110

Some clients of Cake Bosses were redirected to a malicious site when they tried to access the Cake Bosses website. Jon, the system administrator at Cake Bosses, found that they were a victim of DNS Cache Poisoning. What should Jon recommend to deal with such a threat?

A. The use of security agents in clients computers
B. The use of double-factor authentication
C. Client awareness
D. The use of DNSSEC

Answer 110

D. The use of DNSSEC

Question 111

Although FTP traffic is not encrypted by default, which layer 3 protocol would allow for end-to-end encryption of the connection?

A. SFTP
B. Ipsec
C. SSL
D. FTPS

Answer 111

B. Ipsec

Question 112

Sid is a judge for a programming contest. Before the code reaches him it goes through a restricted OS and is tested there. If it passes, then it moves onto Sid. What is the middle step called

A. String validating the code
B. Fuzzy-testing the code
C. Third party running the code
D. Sandboxing the code

Answer 112

D. Sandboxing the code

Question 113

Bob, your senior colleague, has sent you an email regarding a deal with one of the clients. You are requested to accept the offer and you oblige. After 2 days, Bob denies that he had ever sent an email. What do you want to “know” to prove yourself that it was Bob who had sent the email.

A. Integrity
B. Non- Repudiation
C. Confidentiality
D. Authentication

Answer 113

B. Non- Repudiation

Question 114

Session splicing is an IDS evasion technique in which an attacker delivers data in multiple, small sized packets to the target computer, making it very difficult for an IDS to detect the attack signatures. Which tool can be used to perform session splicing attacks?

A. Burp
B. Whisker
C. tcpslice
D. Hydra

Answer 114

C. tcpslice

Question 115

You need to deploy a new web-based software package for your organization. The package requires three separate servers and needs to be available on the Internet. What is the recommended architecture in terms of server placement?

A. A web server and the database server facing the Internet, an application server on the internal network.
B. A Web server facing the internet, an application server on the internal network, a database server on the
internal network.
C. All three servers need to be place internally
D. All three servers need to face the Internet, so they can communicate between themselves.

Answer 115

B. A Web server facing the internet, an application server on the internal network, a database server on the
internal network.

Question 116

Which mode of IPSec should you use to assure security and confidentiality of data within the same LAN?

A. ESP confidential
B. AH Tunnel mode
C. AH promiscuous
D. ESP transport

Answer 116

D. ESP transport

Question 117

Which of the following programming languages is not susceptible to buffer overflow attacks, due to its lack of a built-in bounds checking mechanism?
Code:

#include
int main () {
char buffer[8];
strcpy(buffer,""11111111111111111111111111111"");
}

Output:
Segmentation fault

A. C++
B. Java
C. C#
D. Python

Answer 117

B. Java

Question 118

A pen tester is configuring a windows laptop for a test. In setting up Wireshark, what river and library are required to allow the NIC to work in promiscuous mode?

A. Libpcap
B. Winprom
C. Winpcap
D. Winpsw

Answer 118

C. Winpcap

Question 119

If you want to scan even fewer ports than the default 1000 Nmap scans, which option would you use?

A. -r
B. -sP
C. -F
D. -P

Answer 119

C. -F

Question 120

Which of the following viruses tries to hide from anti-virus programs by actively altering and corrupting the chosen service call interruptions when they are being run?

A. Cavity virus
B. Stealth virus
C. Tunneling virus
D. Polymorphic virus

Answer 120

C. Tunneling virus

Question 121

The network team has well established procedures to follow for creating new rules on the firewall. This includes having approval from a manager prior to implementing any new rules. While reviewing the firewall configuration you notice a recently implemented rule but can’t locate manager approval for it. What would be a good step to have in the procedures for a situation like this?

A. Immediately roll back the firewall rule until a manager can approve it.
B. Don’t roll back the firewall rule as the business may be relying upon it, but try to get manager approval as soon
as possible.
C. Have the network team document the reason why the rule was implemented without prior manager
approval.
D. Monitor all traffic using the firewall rule until a manager can approve it.

Answer 121

C. Have the network team document the reason why the rule was implemented without prior manager
approval.

Question 122

Which is faster: passive reconnaissance or active reconnaissance?

A. passive reconnaissance
B. active reconnaissance
C. They are the same

Answer 122

B. active reconnaissance

Question 123

During an investigation you discover that a blacklisted IP is being communicated from within your network from specific internal devices, meaning these devices are compromised. What is likely the kind of attack depicted?

A. Rootkit Attack
B. Advanced Persistent Threats
C. Spear Phishing Attack
D. Botnet Attack

Answer 123

B. Advanced Persistent Threats

Question 124

Which of the following statements is FALSE with respect to Intrusion Detection Systems?

A. Intrusion Detection Systems require constant update of the signature library
B. Intrusion Detection Systems can examine the contents of the data in context of the network protocol
C. Intrusion Detection Systems can be configured to distinguish specific content in network packets
D. Intrusion Detection Systems can easily distinguish a malicious payload in an encrypted traffic

Answer 124

D. Intrusion Detection Systems can easily distinguish a malicious payload in an encrypted traffic

Question 125

A large company intends to use Blackberry for corporate mobile phones and a security analyst is assigned to evaluate the possible
threats. The analyst will use the Blackjacking attack method to demonstrate how an attacker could circumvent perimeter defenses and gain access to the Prometric Online Testing - Reports https://ibt1.prometric.com/users/custom/report_queue/rq_str…corporate network. What tool should the analyst use to perform a Blackjacking attack?

A. BBCrack
B. Blooover
C. Paros Proxy
D. BBProxy

Answer 125

D. BBProxy

Question 126

Which of the following is incorrect concerning the associated
ranges?

A. 802.16(WiMax) = 30 miles
B. 802.11g = 150ft
C. 802.11a = 150ft
D. 802.11b = 150ft

Answer 126

C. 802.11a = 150ft

Question 127

Which of the following is NOT correct about the usefulness of vulnerability scanning:

A. Provide information on how to mitigate discovered vulnerabilities
B. Provide the environment to be able to safely penetrate vulnerable systems
C. Provide information on targets for penetration testing
D. Check compliance with host application usage and security policies

Answer 127

B. Provide the environment to be able to safely penetrate vulnerable systems

Question 128

In an internal security audit, the white hat hacker gains control over a user account and attempts to acquire access to another account’s confidential files and information; How can he achieve this?

A. Hacking Active Directory
B. Port Scanning
C. Privilege Escalation
D. Shoulder-Surfing

Answer 128

C. Privilege Escalation

Question 129

Which of the following is considered to be one of the most reliable forms of TCP scanning?

A. NULL Scan
B. TCP Connect/Full Open Scan
C. Half-open Scan
D. Xmas Scan

Answer 129

B. TCP Connect/Full Open Scan

Question 130

The systems administrator for one of your clients has just called you, explaining that one of their critical servers has been breached. You let her know that your incident response team is on the way, and instruct her not to power off the compromised system at this time.

A. Actually, the correct procedure in this case is to power of the server. This helps prevent the attacker from
spreading deeper into the network.
B. The incident response team needs to retrieve information stored in volatile memory such as RAM.
C. The attacker may have placed a logic bomb, which will trigger when the shutdown command is issued.
D. This will alert the attacker that they’ve been discovered, promoting them to delete data or install ransomware
before their foothold in the network is served.

Answer 130

B. The incident response team needs to retrieve information stored in volatile memory such as RAM.

Question 131

A hacker gained access to database with logins and hashed passwords. To speed up cracking these passwords the best method would be:

A. Rainbow tables
B. Collision
C. Decryption
D. Brute force

Answer 131

A. Rainbow tables

Question 132

Which of the following tools is used to detect wireless LANs using the 802.11a/b/g/n WLAN standards on a linux platform?

A. Netstumbler
B. Abel
C. Nessus
D. Kismet

Answer 132

D. Kismet

Question 133

Which of the following areas is considered a strength of symmetric key cryptography when compared with asymmetric algorithms ?

A. Key districution
B. Security
C. Scalability
D. Speed

Answer 133

D. Speed

Question 134

The I.T. Helpdesk at XYZ Company has begun receiving several phone calls from concerned staff regarding a suspicious email they have received. One employee has forwarded a copy of the suspicious email to you for further investigation. Your manager is asking for immediate information to determine if this is a phishing attack. The email message looks like this:

From: news@xyzcompany.com
To: jdoe@xyzcompany.com
Date: 4/10/17 2:35 pm
Subject: New corporate HR sign up today!
Priority: High

You want to quickly determine who sent this email message so you look at the envelope headers and see this information:

Received from known (209.85.213.50)
by mail.xyzcompany.com
id 2BqvU15YHBK: 10 Apr 2017 14:33:50

You perform a DNS query to determine more information about 209.85.213.50 but no record is found.

What website will allow you to quickly find out more information about 209.85.213.50 including the owner of the IP address?

A. https://www.tucowsdomains.com/whois
B. https://whois.arin.net
C. https://www.networksolutions.com/whois
D. https://www.godaddy.com/whois

Answer 134

B. https://whois.arin.net

Question 135

To maintain compliance with regulatory requirements, a security audit of the systems on a network must be performed to determine their compliance with security policies. Which one of the following tools would most likely be used in such an audit?

A. Protocol analyzer
B. Port scanner
C. Vulnerability scanner
D. Intrusion Detection System

Answer 135

C. Vulnerability scanner

Question 136

Which of the following statements is TRUE?

A. Sniffers operate at layer 3
B. Sniffers operate at layer 1
C. Sniffers operate at layer 4
D. Sniffers operate at Layer 2 of the OSI model.

Answer 136

D. Sniffers operate at Layer 2 of the OSI model.

Data-Link Layer

Question 137

What would you enter if you wanted to perform a stealth scan using Nmap?

A. nmap -sM
B. nmap -sU
C. nmap -sS
D. nmap -sT

Answer 137

C. nmap -sS

Question 138

An incident investigator asks to receive a copy of the event logs from all firewalls, proxy servers, and Intrusion Detection Systems (IDS) on the network of an organization that has experienced a possible breach of security. When the investigator attempts to correlate the
information in all of the logs, the sequence of many of the logged events do not match up.

What is the most likely cause?

A. Proper chain of custody was not observed while collecting the logs.
B. The network devices are not all synchronized.
C. The security breach was a false positive.
D. The attacker altered or erased events from the logs.

Answer 138

D. The attacker altered or erased events from the logs.

Question 139

Ricardo wants to send secret messages to a competitor company. To secure these messages, he uses a technique of hiding a secret message within an ordinary message, The technique provides ‘security through obscurity’.

What technique is Ricardo using?

A. Steganography
B. RSA algorithm
C. Public-key cryptography
D. Encryption

Answer 139

A. Steganography

Question 140

Code injection is a form of attack in which a malicious user:

A. Inserts text into a data field that gets interpreted as code
B. Gains access to the codebase on the server and inserts new code
C. Gets the server to execute arbitrary code using a buffer overflow.
D. Inserts additional code into the JavaScript running in the browser.

Answer 140

A. Inserts text into a data field that gets interpreted as code

Question 141

In both pharming and phishing attacks an attacker can create websites that look similar to legitimate sites with the intent of collecting personal identifiable information from its victims. What is the difference between pharming and phishing attacks?

A. Both pharming and phishing attacks are purely technical and are not considered forms of social engineering
B. Both pharming and phishing attacks are identical
C. In a pharming attack a victim is redirected to a fake website by modifying their host configuration file or
by exploiting vulnerabilities in DNS. In a phishing attack an attacker provides the victim with a URL that
is either misspelled or looks similar to the actual websites domain name
D. In a phishing attack a victim is redirected to a fake website by modifying their host configuration file or by
exploiting vulnerabilities in DNS. In a pharming attack an attacker provides the victim with a URL that is either
misspelled or looks very similar to the actual websites domain name

Answer 141

C. In a pharming attack a victim is redirected to a fake website by modifying their host configuration file or
by exploiting vulnerabilities in DNS. In a phishing attack an attacker provides the victim with a URL that
is either misspelled or looks similar to the actual websites domain name

Question 142

An attacker is using nmap to do a ping sweep and a port scanning in a subnet of 254 addresses. In which order should he perform these steps?

A. The port scan alone is adequate, This way he saves time.
B. The sequence does not matter. Both steps have to be performed against all hosts.
C. First the port scan to identify interesting services and then the ping sweep to find hosts responding to icmp echo requests.
D. First the ping sweep to identify live hosts and then the port scan on the live hosts. The way he saves time.

Answer 142

D. First the ping sweep to identify live hosts and then the port scan on the live hosts. The way he saves time.

Question 143

What is not a PCI compliance recommendation?

A. Use a firewall between the public network and the payment card data
B. Use encryption to protect all transmission of card holder data over any public network.
C. Rotate employees handling credit card transactions on a yearly basis to different departments.
D. Limit access to card holder data to as few individuals as possible.

Answer 143

C. Rotate employees handling credit card transactions on a yearly basis to different departments.

Question 144

When a security analyst prepares for the formal security assessment - what of the following should be done to determine inconsistencies in the secure assets database and verify that the system is compliant to the minimum security baseline?

A. Source code review
B. Interviewing employees and network engineers
C. Reviewing the firewalls configuration
D. Data items and vulnerability scanning

Answer 144

D. Data items and vulnerability scanning

Question 145

Which of the following steps for risk assessment methodology refers to vulnerability identification?

A. Determines risk probability that vulnerability will be exploited (High, Medium, Low)
B. Determine if any flaws exist in systems, policies or procedures
C. Identify sources of harm to an IT system. (Natural, Human, Environmental)
D. Assigns values to risk probabilities, Impact values.

Answer 145

B. Determine if any flaws exist in systems, policies or procedures

Question 146

Which is the first step followed by vulnerability scanners for scanning a network?

A. Checking to see if the remote host is alive
B. Firewall detection
C. OS Detection
D. TCP / UDP Port scanning

Answer 146

A. Checking to see if the remote host is alive

Question 147

What is the role of test automation in security testing?

A. It should be used exclusively. Manual testing is outdated because of low speed and possible test setup
inconsistencies
B. It is an option but it tends to be very expensive
C. It can accelerate benchmark tests and repeat them with a consistent test setup. But it cannot replace
manual testing completely.
D. Test automation is not usable in security due to the complexity of the tests

Answer 147

C. It can accelerate benchmark tests and repeat them with a consistent test setup. But it cannot replace manual testing completely.

Question 148

Which tool allows analysts and pen testers to examine links between data using graphs and link analysis?

A. Maltego
B. Metasploit
C. Wireshark
D. Cain and Abel

Answer 148

A. Maltego

Question 149

Vlady works in a fishing company where the majority of the employees have very little understanding of IT let alone IT security. Several information security issues Vlady often found includes, employees sharing password, writing his/her password on a post it note and stick it to his/her desk, leaving the computer unlocked, didn’t log out from emails or other social media accounts, and etc. After discussing with his boss, Vlady decided to make some changes to improve the security environment in his company. The first thing that Vlady wanted to do is to make the employees understand the importance of keeping confidential information, such as password, a secret and they should not share it with other persons. Which of the following steps should be the first thing that Vlady should do to make the employees in his company understand the importance of keeping confidential information a secret?

A. Developing a strict information security policy
B. Conducting a one to one discussion with the other employees about the importance of information security
C. Information security awareness training
D. Warning to those who write password on a post it note and put it on his/her desk

Answer 149

C. Information security awareness training

Question 150

These hackers have limited or no training and know how to use only basic techniques or tools. What kind of hacker are we talking about?

A. Black-Hat Hackers
B. Script Kiddies
C. Gray-Hat Hacker
D. White-Hat Hackers

Answer 150

B. Script Kiddies

Question 151

_________ is a set of extensions to DNS that provide to DNS clients (resolvers) origin authentication of DNS data to reduce the threat of DNS poisoning, spoofing, and similar attack types.

A. Resource records
B. Zone transfer
C. Resource transfer
D. DNSSEC

Answer 151

D. DNSSEC

Question 152

Which Intrusion Detection System is most applicable for large environments where critical assets on the network need extra scrutiny and is ideal for observing sensitive network segments?

A. Host-based intrusion detection system (HIDS)
B. Firewalls
C. Honeypots
D. Network-based intrusion detection system (NIDS)

Answer 152

D. Network-based intrusion detection system (NIDS)

Question 153

During a Xmas scan what indicates a port is closed?

A. ACK
B. SYN
C. No return response
D. RST

Answer 153

D. RST

Question 154

What is the difference between the AES and RSA algorithms?

A. AES is asymmetric, which is used to create a public/private key pair; AES is symmetric, which is used to encrypt data.
B. RSA is asymmetric, which is used to create a public/private key pair; AES is symmetric, which is used to encrypt data.
C. Both are symmetric algorithms, but AES uses 256-bit keys.
D. Both are asymmetric algorithms, but RSA uses 1024-bit keys.

Answer 154

B. RSA is asymmetric, which is used to create a public/private key pair; AES is symmetric, which is used to encrypt data.

Question 155

Which of the following Nmap commands will produce the following output?

Output:
Starting Nmap 6.47 (http://nmap.org) at 2015-05-26 12:50 EDT
Nmap scan report for 192.168.1.1
Host is up (0.00042s latency).
Not shown: 65530 open|filtered ports, 65529 filtered ports
PORT STATE SERVICE
111/tcp open rpcbind
999/tcp open garcon
1017/tcp open unknown
1021/tcp open exp1
1023/tcp open netvenuechat
2049/tcp open nfs
17501/tcp open unknown
111/udp open rpcbind
123/udp open ntp
137/udp open netbios-ns
2049/udp open nfs
5353/udp open zeroconf
17501/udp open|filtered unknown
51857/udp open|filtered unknown
54358/udp open|filtered unknown
56228/udp open|filtered unknown
57598/udp open|filtered unknown
59488/udp open|filtered unknown
60027/udp open|filtered unknown

A. nmap -sT -sX -Pn -p 1-65535 192.168.1.1
B. nmap -sN -Ps -T4 192.168.1.1
C. nmap -sS -Pn 192.168.1.1
D. nmap -sS -sU -Pn -p 1-65535 192.168.1.1

Answer 155

D. nmap -sS -sU -Pn -p 1-65535 192.168.1.1

Question 156

A large mobile telephony and data network operator has a data center that houses network elements. These are essentially large computers running on Linux. The perimeter of the data center is secured with firewalls and IPS systems. What is the best security policy concerning this setup?

A. There is no need for specific security measures on the network elements as long as firewalls and IPS systems
exist
B. The operator knows that attacks and down time are inevitable and should have a backup site
C. Network elements must be hardened with user ids and strong passwords. Regular security tests and
audits should be performed.
D. As long as the physical access to the network elements is restricted, there is no need for additional measures

Answer 156

C. Network elements must be hardened with user ids and strong passwords. Regular security tests and
audits should be performed.

Question 157

You want to do an ICMP scan on a remote computer using hping2.

What is the proper syntax?

A. hping2 -i host.domain.com
B. hping2 host.domain.com
C. hping2 –set-ICMP host.domain.com
D. hping2 -1 host.domain.com

Answer 157

D. hping2 -1 host.domain.com

Question 158

The chance of a hard drive failure is once every three years. The cost to buy a new hard drive is $300. It will require 10 hours to restore the OS and software to the new hard disk. It will require a further 4 hours to restore the database from the last backup to the new hard disk. The recovery person earns $10/hour. Calculate the SLE, ARO, and ALE. Assume the EF = 1 (100%).

What is the closest approximate cost of this replacement and recovery operation per year?

A. $440
B. $100
C. $146
D. $1320

Answer 158

C. $146

Question 159

#!/usr/bin/python
import socket
buffer=[""A""]
counter=50
while len(buffer) <=100:
buffer.append(""A""*counter)
counter=counter+50
commands=[""HELP"",""STATS ."",""RTIME ."",""LTIME ."",""SRUN
."",""TRUN ."",""GMON ."",""GDOG ."",""KSTET ."",""GTER
."",""HTER ."",""LTER ."",""KSTAN .""]
for command in commands:
for buffstring in buffer:
print ""Exploiting "" +command +"":""+str(len(buffstring))
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('127.00.1',9999))
s.recv(50)
s.send(command + buffstring)
s.close ()

A. Bruteforce
B. Encryption
C. Denial-of-service (DoS)
D. Buffer Overflow

Answer 159

D. Buffer Overflow

Question 160

In many states sending spam is illegal. Thus, the spammers have techniques to try and ensure that no one knows they sent the spam out to thousands of users at a time. Which of the following best describes what spammers use to hide the origin of these types of emails?

A. Tools that will reconfigure a mail server’s relay component to send the e-mail back to the spammers occasionally.
B. A blacklist of companies that have their mail server relays configured to be wide open.
C. A blacklist of companies that have their mail server relays configured to allow traffic only to their specific domain name.
D. Mail relaying, which is a technique of bouncing e-mail from internal to external mail servers continuously.

Answer 160

B. A blacklist of companies that have their mail server relays configured to be wide open.

Question 161

Which utility will tell you in real time which ports are listening or in another state?

A. Loki
B. Netstat
C. Nmap
D. TCPView

Answer 161

B. Netstat

Question 162

Module Search results are sorted by Disclosure date descending by default.

True
False

Answer 162

True

Question 163

Which of the following programs is usually targeted at Microsoft Office products?

A. Macro virus
B. Polymorphic virus
C. Multipart virus
D. Stealth virus

Answer 163

A. Macro virus

Question 164

Using spoofed IP address to generate port responses during a scan while using a SYN flag is a technique related to:

A. FIN
B. XMAS
C. IDLE (side-channel)
D. SYN

Answer 164

C. IDLE (side-channel)

Question 165

Which of the following is an incorrect definition or characteristic concerning SOAP?

A. Based on XML
B. Only compatible with the application protocol HTTP
C. Exchanges data between web services.
D. Provides a structured model for messaging

Answer 165

B. Only compatible with the application protocol HTTP

Question 166

Which of the following is an adaptive SQL injection testing technique used to discover coding errors by inputting massive amounts of random data and observing the changes in the output?

A. Static Testing
B. Fuzzing Test
C. Static Testing
D. Dynamic Testing

Answer 166

B. Fuzzing Test

Question 167

In order to have an anonymous Internet surf, which of the following is best choice?

A. Use SSL sites when entering personal information
B. Use public VPN
C. Use Tor network with multi-node
D. Use shared wifi

Answer 167

C. Use Tor network with multi-node

Question 168

A computer science student needs to fill some information into a secured Adobe PDF job application that was received from a prospective employer. Instead of requesting a new document that allowed the forms to be completed, the student decides to write a script that pulls passwords from a list of commonly used passwords to try against the secured PDF until the correct password is found or the list is exhausted.

Which cryptography attack is the student attempting?

A. Session hijacking
B. Brute-force attack
C. Man-in-the-middle attack
D. Dictionary attack

Answer 168

D. Dictionary attack

Question 169

Analyst is investigating proxy logs and found out that one of the internal user visited website storing suspicious java scripts. After opening one of them he noticed that it’s very hard to understand the code and all code differs from typical java script. What is the name of this technique to hide the code and extend analysis time?

A. Steganography
B. Encryption
C. Obfuscation
D. Code encoding

Answer 169

C. Obfuscation

Question 170

Which service in a PKI will vouch for the identity of an individual or company?

A. CA
B. CR
C. KDC
D. CBC

Answer 170

A. CA

Question 171

What is used to prove that someone did something without a doubt. For example, can’t deny sending an email?

A. Authentication
B. Confidentiality
C. Non-repudiation
D. Integrity

Answer 171

C. Non-repudiation

Question 172

You were hired by a small health provider to perform a technical assessment on the network. What is the best approach for discovering vulnerabilities on a Windows-based computer?

A. Use a scan tool like Nessus
B. Use the built in Windows Update utility.
C. Create a disk image of a clean Windows installation
D. Check MITRE.org for the latest list of CVE findings

Answer 172

A. Use a scan tool like Nessus

Question 173

nmap -sX host.site.com

An attacker scans a host with the below command. Which three flags are set?

A. This is a XMAS scan. SYN and ACK flags are set.
B. This is a Xmas scan. URG, PUSH, FIN are set.
C. This is a ACK scan. ACK flag is set.
D. This is a SYN scan. Syn flag is set.

Answer 173

B. This is a Xmas scan. URG, PUSH, FIN are set.

Question 174

When you are testing a web application, it is very useful to employ a proxy tool to save every request and response. You can manually test every request and analyze the response to find vulnerabilities. You can
test parameter and headers manually to get more precise results than if using web vulnerability scanners.

What proxy tool will help you find web vulnerabilities?

A. Proxychains
B. Maskgen
C. Burpsuite
D. Dimitry

Answer 174

C. Burpsuite

Question 175

You need a tool that can do network intrusion prevention and intrusion detection, function as a network sniffer, and record network activity. What tool would you most likely select?

A. Snort
B. Nessus
C. Nmap
D. Cain & Abel

Answer 175

A. Snort

Question 176

An attacker tries to do banner grabbing on a remote web server and executes the following command. $nmap -sV host.domain.com -p 80 He gets the following output.

Starting Nmap 6.47 (http://nmap.org) at 2014-12-08 19:10 EST Nmap scan report for host.domain.com (108.61.158.211) Host is up (0.032s latency). PORT STATE SERVICE VERSION 80/tcp open http Apache httpd
Service detection performed. Please report any incorrect results at http://nmap.org/submit/. Nmap done: 1 IP address (1 host up) scanned in 6.42 seconds

What did the hacker accomplish?

A. nmap can’t retrieve the version number of any running remote service.
B. The hacker failed to do banner grabbing as he didn’t get the version of the Apache web server
C. The hacker successfully completed the banner grabbing.
D. The hacker should’ve used nmap -O host.domain.com

Answer 176

B. The hacker failed to do banner grabbing as he didn’t get the version of the Apache web server

Question 177

You’re the security administrator of a company. You got an alert from your IDS that indicates one of the PC’s on your intranet connected to a blacklisted IP address (C2 Server) on the Internet. The ip address was blacklisted just before the alert. You are starting an investigation to
find out the severity of the situation. Which of the following would you analyze first?

A. IDS log
B. Event logs on the PC
C. Internet Firewall/Proxy log
D. Event logs on your Domain Controller.

Answer 177

C. Internet Firewall/Proxy log

Question 178

The network in ABC company is using the network address 192.168.1.64 with mask 255.255.255.192. In the network the servers are in the addresses 192.168.1.122, 192.168.1.123 and 192.168.1.124. An attacker is trying to find those servers but he cannot see them in his scanning. The command he is using is: nmap 192.168.1.64/28

Why he cannot see the servers?

A. He is scanning from 192.168.1.64 to 192.168.1.78 because of the mask /28 and the servers are not in that
range
B. He needs to change the address to 192.168.1.0 with the same mask
C. He needs to add the command ““ip address”” just before the IP address
D. The network must be down and the nmap command and IP address are ok

Answer 178

A. He is scanning from 192.168.1.64 to 192.168.1.78 because of the mask /28 and the servers are not in that
range

Question 179

Gavin owns a white-hat firm, and is performing a website security audit for one of his clients. He begins by running a scan which looks for common misconfiguration and outdated software versions. Which of the following tools is he most likely using?

A. Nmap
B. Armitage
C. Nikto
D. Metasploit

Answer 179

C. Nikto

Question 180

Due to a slow down of normal network operations, IT department decided to monitor internet traffic for all of the employees. From a legal stand point, what would be troublesome to take this kind of measure?

A. All of the employees would stop normal work activities
B. Not informing the employees that they are going to be monitored could be an invasion of privacy.
C. The network could still experience traffic slow down.
D. IT department would be telling employees who the boss is

Answer 180

B. Not informing the employees that they are going to be monitored could be an invasion of privacy.

Question 181

Todd has been asked by the security officer to purchase a counter-based authentication system. Which of the following best describes this type of system?

A. An authentication system that creates one-time passwords that are encrypted with secret keys
B. A biometric system that bases authentication decisions on behavioral attributes
C. An authentication system that uses passphrases that are converted into virtual passwords
D. A biometric system that bases authentication decisions on physical attributes.

Answer 181

A. An authentication system that creates one-time passwords that are encrypted with secret keys

Question 182

Jason, a system administrator at Infosec Institute, concluded one day that a DMZ is not needed in the environment if firewalls are configured properly to allow access to servers and ports which should have direct access to the internet. Jason also says that DMZ’s only make sense when a stateful firewall is available. What would you assess about Jason’s assumptions?

A. He doesn’t need seperate networks. So there’s no point for DMZ’s.
B. Jason is exactly right. DMZ’s are no longer used.
C. Jason is completely wrong. DMZ’s are always relevant when a organization has internet servers and workstations and other devices not intended to have direct access from the internet.
D. Jason could be right. DMZ’s are only useful when combined with stateful firewalls.

Answer 182

C. Jason is completely wrong. DMZ’s are always relevant when a organization has internet servers and workstations and other devices not intended to have direct access from the internet.

Question 183

The following is part of a log file taken from the machine on the network with the IP address of 192.168.1.106:

Time:Mar 12 17:30:15
Port: 20 
Source: 192.168.1.103 
Destination: 192.168.1.106 
Protocol: TCP
Time: Mar 13 17:30:17 
Port: 21 
Source: 192.168.1.103
Destination: 192.168.1.106 
Protocol: TCP 
Time: Mar 13 17:30:19 
Port: 22
Source: 192.168.1.103 
Destination 192.168.1.106 
Protocol: TCP 
Time: Mar 13 17:30:21 
Port: 23 
Source: 192.168.1.103 
Destination: 192.168.1.106
Protocol: TCP 
Time: Mar 13 17:30:22 
Port: 25 
Source: 192.168.1.103
Destination: 192.168.1.106
Protocol: TCP 
Time: Mar 12 17:30:23 
Port: 80 
Source: 192.168.1.103
Destination: 192.168.1.106 
Protocol: TCP 
Time: Mar 13 17:30:30 
Port: 443
Source: 192.168.1.103 
Destination: 192.168.1.106 
Protocol: TCP 

What type of activity has been logged?

A. Teardrop attack targeting 192.168.1.106
B. Port scan targeting 192.168.1.103
C. Port scan targeting 192.168.1.106
D. Denial of service attack targeting 192.168.1.103

Answer 183

C. Port scan targeting 192.168.1.106

Question 184

A network administrator discovers several unknown files in the root directory of his Linux FTP server. One of the files is a tarball, two are shell script files and one is a binary file named nc (netcat). The logs show the user logged in anonymously, uploaded the files, extracted the
contents and ran the script using a function provided by the ftp servers software. The ps command shows that the nc file is running as process, and the netstat command shows the nc process is listening on a network port. What kind of vulnerability had to have existed to make this remote attack possible?

A. Brute Force Login
B. File system permissions
C. Directory Traversal (might be spelled wrong on the real test)
D. Privilege Escalation

Answer 184

B. File system permissions

Question 185

Attempting an injection attack on a web server based on responses to True/False questions is called which of the following?

A. Compound SQLi
B. Blind SQLi
C. DMS-specific SQLi
D. Classic SQLi

Answer 185

B. Blind SQLi

Question 186

Which of the following provides a security professional with the most information about the system’s security posture?

A. port scanning, banner grabbing, service identification
B. phishing, spamming, sending trojans
C. wardriving, warchalking, social engineering
D. social engineering, company site browsing, tailgating

Answer 186

A. port scanning, banner grabbing, service identification

Question 187

Darius is analyzing logs from IDS. He wants to understand what have triggered one alert and verify if it’s true positive or false positive. Looking at the logs he copy and paste basic details like below:

source IP: 192.168.21.100
source port: 80
destination IP: 192.168.10.23
destination port: 63221
What is the most proper answer:

A. This is most probably true negative.
B. This is most probably false - positive, because an alert triggered on reversed traffic.
C. This is probably true positive which triggered on secure communication between client and server.
D. This is probably false - positive because IDS is monitoring one direction traffic.

Answer 187

D. This is probably false - positive because IDS is monitoring one direction traffic.

Question 188

Which of the following techniques are NOT relevant in preventing arp spoof attack?

A. Kernel based patches
B. Static MAC Entries
C. Arpwatch
D. Secure ARP Protocol

Answer 188

A. Kernel based patches

Question 189

Which of the following security policies defines the use of VPN for gaining access to an internal corporate network?

A. Information protection policy
B. Network security policy
C. Remote access policy
D. Access control policy

Answer 189

C. Remote access policy

Question 190

In which phase of the ethical hacking process can Google hacking be employed? This is a technique that involves manipulating a search string with specific operators to search for vulnerabilities Example:allintitle:root passwd

A. Gaining access
B. Scanning and Enumeration
C. Reconnaissance
D. Maintaining Access

Answer 190

C. Reconnaissance

Question 191

Which of the below encryption algorithms are the fastest?

A. SHA-2
B. SHA-1
C. ECC
D. AES

Answer 191

D. AES

Question 192

……. is an attack type for a rogue Wi-Fi access point that appears to be a legitimate one offered on the premises, but actually has been set up to eavesdrop on wireless communications. It is the wireless version of the phishing scam. An attacker fools wireless users into connecting a
laptop or mobile phone to a tainted hotspot by posing as a legitimate provider. This type of attack may be used to steal the passwords of unsuspecting user by either snooping the communication link or by phishing, which involves setting up a fraudulent web site and luring people there.

Fill in the blank with appropriate choice.

A. Evil Twin Attack
B. Sinkhole Attack
C. Signal Jamming Attack
D. Collision Attack

Answer 192

A. Evil Twin Attack

Question 193

You have successfully gained access to a linux server and would like to ensure that the succeeding outgoing traffic from this server will not be caught by a Network Based Intrusion Detection System (NIDS).

What is the best say to evade the NIDS?

A. Alternate Data Streams
B. Encryption
C. Protocol Isolation
D. Out of band signalling

Answer 193

B. Encryption

Question 194

What is the purpose of DNS AAAA record?

A. Address database record
B. Authorization, Authentication and Auditing record
C. IPv6 address resolution record
D. Address prefix record

Answer 194

C. IPv6 address resolution record

Question 195

command = ping -* 6 192.168.0.101

output =
pinging 192.168.0.101 with 32 bytes of data:
Reply from 192.168.0.101: bytes=32 time<1ms TTL=128
Reply from 192.168.0.101: bytes=32 time<1ms TTL=128
Reply from 192.168.0.101: bytes=32 time<1ms TTL=128
Reply from 192.168.0.101: bytes=32 time<1ms TTL=128
Reply from 192.168.0.101: bytes=32 time<1ms TTL=128
Reply from 192.168.0.101: bytes=32 time<1ms TTL=128
Ping statistics for 192.168.0.101:
Packets: Sent=6, Received=6, Lost=0(0% loss)

What actually goes where the -* is to complete this command and make it work as illustrated? (the * is used to subsititute for what would go there if the command were real, which is what you are supposed to answer).

A. ‘t
B. ‘n
C. ‘a
D. ‘s

Answer 195

B. ‘n

Question 196

Nedved is an IT Security Manager of a Bank is his country. One day,he found out that there is a security breach to his company’s email server based on analysis of a suspicious connection from the email server to an unknown IP address.

A. Migrate the connection to the backup email server
B. Leave it be and contact the incident response team right away
C. Blocks the connection to the suspicious IP address from the firewall
D. Disconnects the email server from the network

Answer 196

B. Leave it be and contact the incident response team right away

Question 197

Darius is analyzing IDS logs. During the investigation he noticed that there were nothing suspicious found and an alert triggered on normal web application traffic. He can mark this alert as:

A. False-Negative
B. False-Positive
C. False-Signature
D. True-Positive

Answer 197

B. False-Positive

Question 198

A hacker has managed to gain access to a Linux host and stolen the password file from /etc/passwd How can he use it?

A. He can open it and read the user ids and corresponding passwords.
B. The password file does not contain the passwords themselves.
C. He cannot read it because it is encrypted
D. The file reveals the passwords to the root user only.

Answer 198

B. The password file does not contain the passwords themselves.

Question 199

Max saw a guy (Mario) who looked like a janitor who was holding a lot of boxes. Max held the door open for Mario. Mario was able to access the company without identification. What kind of attack is this?

A. Phishing
B. Tailgating
C. None of them
D. Session Hijacking

Answer 199

B. Tailgating

Question 200

Which of the following is the successor of SSL?

A. IPSec
B. TLS
C. GRE
D. RSA

Answer 200

B. TLS

Question 201

The “white box testing” methodology enforces what kind of restriction?

A. The internal operation of a system is only partly accessible to the tester.
B. The internal operation of a system is completely known to the tester.
C. Only the internal operation of a system is known to the tester.
D. Only the external operation of a system is accessible to the tester.

Answer 201

B. The internal operation of a system is completely known to the tester.

Question 202

OpenSSL on Linux servers includes a command line tool for testing TLS. What is the name of the tool and the correct syntax to connect to a web server?

A. openssl_client-site www.website.com:443
B. openssl s_client-connect www.website.com:443
C. openssl s_client-site www.website.com:443
D. openssl s_client www.website.com:443

Answer 202

B. openssl s_client-connect www.website.com:443

Question 203

Which of the following act requires employers standard national numbers to identify them on standard transactions?

A. DCMA
B. HIPAA
C. PCI-DSS
D. SOX

Answer 203

B. HIPAA

Question 204

If there is an Intrusion Detection System (IDS) in intranet, which port scanning technique cannot be used?

A. TCP SYN
B. Idle Scan
C. TCP Connect scan
D. Spoof Scan

Answer 204

C. TCP Connect scan

Question 205

This asymmetry cipher is based on factoring the product of two large prime number. What cipher is described above ?

A. MD5
B. RSA
C. SHA
D. RC5

Answer 205

B. RSA

Question 206

A hacker has successfully infected an internet-facing server which he will then use to send junk mail, take part in coordinated attacks, or host junk email content. Which sort of trojan infects this server?

A. Botnet Trojan
B. Turtle Trojans
C. Ransomware Trojans
D. Banking Trojans

Answer 206

A. Botnet Trojan

Question 207

To reach a bank web site, the traffic from workstations must pass through a firewall. You have been asked to review the firewall configuration to ensure that workstations in network 10.10.10.0/24 can only reach the bank web site 10.20.20.1 using https. Which of the following firewall rules meets this requirement?

A. if (source matches 10.20.20.1 and destination matches 10.10.0/24 and port matches 443) then permit.
B. if (source matches 10.10.10.0/24 and destination matches 10.20.20.1 and port matches 80 or 443) then permit
C. if (source matches 10.10.10.0/24 and destination matches 10.20.20.1 and port matches 443) then permit.
D. if (source matches 10.10.10.0 and destination matches 10.20.20.1 and port matches 443) then permit

Answer 207

C. if (source matches 10.10.10.0/24 and destination matches 10.20.20.1 and port matches 443) then permit.

Question 208

This anti-virus analysis method works by executing malicious code on a virtual machine to simulate CPU and memory activities.

A. Code emulation
B. Heuristic Analysis
C. Integrity checking
D. Scanning

Answer 208

A. Code emulation

Question 209

It is discovered that someone has caused information leakage on your computer (might be referred to as spillage). You disconnect it from the network, power it down and remove the keyboard and mouse. What step in incident handling did you just complete?

A. Containment
B. Discovery
C. Recovery
D. Eradication

Answer 209

A. Containment

Question 210

In 2007, this wireless security algorithm was rendered useless by capturing packets and discovering the passkey in a matter of seconds. This security flaw led to a network invasion of TJ Maxx and data through a technique known as wardriving.

Which Algorithm is this referring to?

A. Temporal Key Integrity Protocol (TKIP)
B. Wi-Fi Protected Access 2 (WPA2)
C. Wired Equivalent Privacy (WEP)
D. Wi-Fi Protected Access (WPA)

Answer 210

C. Wired Equivalent Privacy (WEP)

Question 211

What kind of detection techniques is being used in antivirus softwares that identifies malware by collecting data from multiple protected systems and instead of analyzing files locally it’s made on the provider’s environment.

A. Cloud based
B. Honypot based
C. Heuristics based
D. Behavioral based

Answer 211

A. Cloud based

Question 212

An attacker changes the profile picture information of a particular user (victim) on the target website. The attacker uses this string to update the victim’s profile to a text file and then submit the data to the attacker’s database.
< /iframe >

What is this type of attack (that can use either HTTP GET or HTTP POST) called?

A. Cross-Site Scripting
B. Cross-Site Request Forgery
C. Browser Hacking
D. SQL Injection

Answer 212

B. Cross-Site Request Forgery

Question 213

Mary found a high vulnerability during a vulnerability scan and notified her server team. After analysis, they sent her proof that a fix to that issue had already been applied. The vulnerability that Marry found is called what?

A. False-negative
B. False-positive
C. Backdoor
D. Brute force attack

Answer 213

B. False-positive

Question 214

Trinity needs to scan all hosts on a /16 network for TCP port 445 only. What is the fastest way she can accomplish this with Nmap? Stealth is not a concern.

A. nmap -p 445 -n - T4 –open 10.1.0.0/16
B. nmap -s 445 -sU -T5 10.1.0.0/16
C. nmap -p 445 –max -Pn 10.1.0.0/16
D. nmap -sn -sF 10.1.0.0/16 445

Answer 214

A. nmap -p 445 -n - T4 –open 10.1.0.0/16

Question 215

Cryptography is the practice and study of techniques for secure communication in the presence of third parties (called adversaries). More generally, it is about constructing and analyzing protocols that overcome the influence of adversaries and that are related to various
aspects in information security such as data confidentiality, data integrity, authentication, and non repudiation. Modern cryptography intersects the disciplines of mathematics, computer science, and
electrical engineering. Applications of cryptography include ATM cards, computer passwords, and electronic commerce. Basic example to understand how cryptography works is given below:

SECURE (plain text) +1 (+1 next letter. for example, the letter ““T”” is used for ““S”” to encrypt.) TFDVSF (encrypted text) + = logic => Algorithm 1= Factor => Key
Which of the following choices are true about cryptography?

A. Secure Sockets Layer (SSL) use the asymmetric encryption both (public/private key pair) to deliver the shared
session key and to achieve a communication way.
B. Symmetric-key algorithms are a class of algorithms for cryptography that use the different cryptographic keys for both encryption of plaintext and decryption of ciphertext
C. Algorithm is not the secret, key is the secret.
D. Public-key cryptography, also known as asymmetric cryptography, public key is for decrypt, private key is for
encrypt.

Answer 215

C. Algorithm is not the secret, key is the secret.

Question 216

There are several ways to gain insight on how a cryptosystem works with the goal of reverse engineering the process. A term describes when two pieces of data result in the same value is ?

A. Polymorphism
B. Escrow
C. Collusion
D. Collision

Answer 216

D. Collision

Question 217

Why is a penetration test considered to be more thorough than vulnerability scan?

A. The tools used by penetration testers tend to have much more comprehensive vulnerability databases.
B. It is not - a penetration test is often performed by an automated tool, while a vulnerability scan requires active
engagement.
C. A penetration test actively exploits vulnerabilities in the targeted infrastructure, while a vulnerability
scan does not typically involve active exploitation.
D. Vulnerability scans only do host discovery and port scanning by default.

Answer 217

C. A penetration test actively exploits vulnerabilities in the targeted infrastructure, while a vulnerability
scan does not typically involve active exploitation.

Question 218

You have compromised a server. You want to communicate and pivot traffic from one place to the next over the network securely and evade detection by IDS, etc. What is the best approach?

A. Install cryptcat and encrypt all outgoing packets from this server.
B. Use Http
C. Install and use telnet which is by default encrypted.
D. Use ADS

Answer 218

A. Install cryptcat and encrypt all outgoing packets from this server.

Question 219

During the Evidence Gathering and Handling phase of the incident response, what is the most important thing to do?

A. Creating detailed notes about lessons learned from the incident.
B. Recording the date and time when evidence is gathered, and the location where the evidence is stored.
C. Recording what is discussed at every incident response meeting.
D. Reviewing the evidence in careful detail to identify the attacking hosts.

Answer 219

B. Recording the date and time when evidence is gathered, and the location where the evidence is stored.

Question 220

Hackers often raise the trust level of a phishing message by modeling the email to look similar to the internal email used by the target company. This includes using logos, formatting, and names of the target company. The phishing message will often use the name of the company CEO, president, or managers. The time a hacker spends performing research to locate this information about a company is known as?

A. Exploration
B. Enumeration
C. Investigation
D. Reconnaissance

Answer 220

D. Reconnaissance

Question 221

The Heartbleed bug was discovered in 2014 and is widely referred to under MITRE’s Common vulnerabilities and Exposures (CVE) as CVE-2014-0160. This bug affects the OpenSSL implementation of the transport layer security (TLS) protocols defined in RFC6520. What type of key does this bug leave exposed to the Internet making exploitation of any compromised system very easy?

A. Public
B. Shared
C. Private
D. Root

Answer 221

C. Private

Question 222

Identify the web application attack where attackers exploit vulnerabilities in dynamically generated web pages to inject client-side script into web pages viewed by other users.

A. LDAP Injection attack
B. Cross Site Request Forgery (CSRF)
C. SQL Injection attack
D. Cross Site Scripting (XSS)

Answer 222

D. Cross Site Scripting (XSS)

Question 223

Which of the following is true hash type and sort order that is utilized when using psexec’s smbpass option?

A. LM:NTLM
B. LM:NT
C. NTLM:LM
D. NT:LM

Answer 223

A. LM:NTLM

Question 224

What term describes the amount of risk that remains after the vulnerabilities are classified, and the countermeasures have been deployed?

A. Impact risk
B. Inherent risk
C. Residual risk
D. Deferred risk

Answer 224

C. Residual risk

Question 225

You are performing a penetration test for a client, and have gained shell access to a Windows machine on the internal network. You intend to retrieve all DNS records for the internal domain. If the DNS server is at 192.168.10.2 and the domain name is abccorp.local, what command

would you type at the nslookup prompt to attempt a zone transfer?

A. Is-d abccorp.local
B. Server 192.168.10.2 -t all
C. list server=192.168.10.2 type=all
D. list domain=abccorp.local type=zone

Answer 225

A. Is-d abccorp.local

Question 226

What is the main security service a cryptographic hash provides?

A. Integrity and computational infeasibility
B. Message authentication and collision resistance
C. Integrity and ease of computation
D. Integrity and collision resistance

Answer 226

D. Integrity and collision resistance

Question 227

You are analyzing a traffic on the network with Wireshark. You want to routinely run a cron job which will run the capture against a specific set of IPs - 192.168.8.0/24.

What command would you use?

A. wireshark–capture–local–maksed 192.168.8.0–range 24
B. sudo tshark -f”net 192.168.8.0/24”
C. tshark-net 192.255.255.255 mask 192.168.8.0
D. wireshark–fetch “192.168.8.*”

Answer 227

A. wireshark–capture–local–maksed 192.168.8.0–range 24

Question 228

Why containers are less secure that virtual machines?

A. Host OS on containers has a larger surface attack.Your answer
B. Containers may fulfill disk space of the host.
C. Containers are attached to the same virtual network.
D. A compromise container may cause a CPU starvation of the host.

Answer 228

C. Containers are attached to the same virtual network.

Question 229

A security analyst is performing an audit on the network to determine if there are any deviations from the security policies in place. The analyst discovers that a user from the IT department had a dial-out modem installed. Which security policy must the security analyst check to see if dial-out modems are allowed?

A. Acceptable-use policy
B. Firewall-management policy
C. Permissive policy
D. Remote- access policy

Answer 229

C. Permissive policy

Question 230

John finished a C programming course and created a small C program to monitor network traffic and to produce alerts when any origin sends “many” IP packets, based on the average number of packets sent by all devices based on some thresholds. The solution is conceptually which of the following?

A. A hybrid IDS
B. A signature IDS
C. A behavioral IDS
D. Just a network monitoring tool.

Answer 230

C. A behavioral IDS

Question 231

What two conditions must a digital signature meet?

A. Has to be legit and neat.
B. Has to be unforgeable, and has to be authentic.
C. Has to be the same number of characters as a physical signature and must be unique.
D. Must be unique and have special characters.

Answer 231

B. Has to be unforgeable, and has to be authentic.

Question 232

What does mean the line 7 of the traceroute:

ark@debian-lxde:~$ traceroute -n 8.8.8.8
traceroute to 8.8.8.8(8.8.8.8), 30 hops max, 60 byte packets
1 192.168.2.1 0.914 ms 1.000 ms 1.054 ms
2 192.168.1.1 2.364 ms 1.983 ms 2.126 ms
3 ***
4 193.253.85.230 2.313 ms 3.021 ms 2.848 ms
5 81.253.182.230 3.086 ms 2.868 ms 4.077 ms
6 81.253.184.82 10.248 ms 10.268 ms 10.085 ms
7 81.52.200.209 6.970 ms 81.52.200.217 6.454 ms 81.52.200.2097.179 -ms
8 81.52.186.142 6.766 ms 7.278 ms 7.206 ms
9 209.85.244.252 8.847 ms 8.644 ms 8.639 ms
10 8.8.8.8 9.289 ms 9.123 ms 9.024 ms
ark@debian-lxde:~$

A. MPLS is used between router 6 and router 7
B. The traffic is encapsulated by a GRE tunnel between router 3 and *
C. The 81.52.200.217 address is a host which has redirected the traffic
D. Router 81.253.184.82 has two equivalent paths toward destination

Answer 232

C. The 81.52.200.217 address is a host which has redirected the traffic

Question 233

Developers at your company are creating a web application which will be available for use by anyone on the Internet. The developers have taken the approach of implementing a Three-Tier Architecture for the web application. The developers are now asking you which network should the Presentation Tier (front-end web server) be placed in?

A. DMZ network
B. Mesh network
C. Isolated vlan network
D. Internal network

Answer 233

A. DMZ network

Question 234

Suppose your company has just passed a security risk assessment exercise. The results display that the risk of the breach in the main company application is 50%. Security staff has taken some measures and implanted the necessary controls. After that another security risk assessment was performed showing that risk has decreased to 10%. The risk threshold for the application is 20%. Which of the following risk decisions will be the best for the project in terms of its successful continuation with most business profit?

A. Accept the risk
B. Introduce more controls to bring risk to 0%
C. Mitigate the risk
D. Avoid the risk

Answer 234

A. Accept the risk

Question 235

You are tasked to configure to DHCP server to lease the last 100 usable IP addresses in subnet 10.1.4.0/23. Which of the following IP addresses could be leased as a result of the configuration?

A. 10.1.5.200
B. 10.1.4.156
C. 10.1.255.200
D. 10.1.4.254

Answer 235

A. 10.1.5.200

10.1.4.0/24 = 10.1.4.1-255 or a mask of 255.255.255.0
10.1.4.0/23 = 10.1.4.1-10.1.5.255 or a mask of 255.255.254.0
A bit is borrowed from the mask to create an additional network (10.1.5 network).

Question 236

The database used by Metaspoilt Pro to store host data is

A. IBMDB2
B. Postgres DB
C. Oracle DB
D. MySQL

Answer 236

B. Postgres DB

Question 237

The security administrator of ABC needs to permit Internet traffic in the host 10.0.0.2 and UDP traffic in the host 10.0.0.3. Also he needs to permit all FTP traffic to the rest of the network and deny all other traffic. After he applied his ACL configuration in the router no body can access to the ftp and the permitted hosts cannot access to the Internet. According to the next configuration what is happening in the network?
access-list 102 deny tcp any any
access-list 104 permit udp host 10.0.0.3 any
access-list 110 permit tcp host 10.0.0.2 eq www any
access-list 108 permit tcp any eq ftp any
access-list 102 deny tcp any any

A. The ACL 104 needs to be first because is UDP
B. The first ACL is denying all TCP traffic and the other ACLs are being ignored by the router
C. The ACL for FTP must be before the ACL 110
D. The ACL 110 needs to be changed to port 80

Answer 237

B. The first ACL is denying all TCP traffic and the other ACLs are being ignored by the router

Question 238

An attacker using a rogue wireless AP, performed a MITM attack and injected HTML code to embed a malicious applet in all the HTTP connections. When users accessed any page, the applet ran and exploited many machines. Which of the following tools did the attacker probably use to inject the HTML code?

A. Ettercap
B. Tcpdump
C. Wireshark
D. Aircrack-ng

Answer 238

A. Ettercap

Question 239

When tuning security alerts, what is the best approach?

A. Raise false postives, raise false negatives
B. Decrease false negatives
C. Tune to avoid false positives and false negatives
D. Decrease false positives.

Answer 239

C. Tune to avoid false positives and false negatives

Question 240

A Multihomed firewall has a minimum of how many network connections?

A. 5
B. 2
C. 3
D. 4

Answer 240

B. 2

Question 241

Which regulation defines security and privacy controls for Federal information systems and organizations?

A. PCI-DSS
B. HIPAA
C. EU Safe Harbor
D. NIST-800-53

Answer 241

D. NIST-800-53

Question 242

Jim’s company regularly performs backups of their critical severs. But the company can’t afford to send backup tapes to an off-site vendor for long term storage and archiving. Instead Jim’s company keeps the backup tapes in a safe in the office. Jim’s company is audited each year, and the results from this year’s audit show a risk because backup tapes aren’t stored offsite. The Manager of Information Technology has a plan to take the backup tapes home with him and wants to know what two things he can do to secure the backup tapes while in transit?

A. Degauss the backup tapes and transport them in a lock box.
B. Encrypt the backup tapes and use a courier to transport them.
C. Encrypt the backup tapes and transport them in a lock box.
D. Hash the backup tapes and transport them in a lock box.

Answer 242

C. Encrypt the backup tapes and transport them in a lock box.

Question 243

Which Nmap option would you use if you were not concerned about being detected and wanted to perform a very fast scan?

A. -O
B. -T5
C. -T0
D. -A

Answer 243

B. -T5

Question 244

Internet Protocol Security IPSec is actually a suite of protocols. Each protocol within the suite provides different functionality. Collective IPSec does everything except.

A. Protect the payload and the headers
B. Work at the Data Link Layer
C. Encrypt
D. Authenticate

Answer 244

B. Work at the Data Link Layer

Question 245

Which of the following is a series vulnerability in the popular OpenSSl cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet>

A. Heartbleed Bug
B. Shellshock
C. SSL/TLS Renegotiation Vulnerability
D. POODLE

Answer 245

A. Heartbleed Bug

Question 246

You are performing information gathering for an important penetration test. You have found pdf, doc,and images in your objective. You decide to extract metadata from these files and analyze it.

What tool will help you with the task?

A. Dimitry
B. Metagoofil
C. Armitage
D. cdpsnarf

Answer 246

B. Metagoofil

Question 247

An attacker is trying to redirect the traffic of a small office. That office is using their own mail server, DNS server and redirect the direction www.google.com to his own IP address. Now when the employees of the office wants to go to Google they are being redirected to the attacker machine. What is the name of this kind of attack?

A. Smurf Attack
B. MAC flooding
C. ARP Poisoning
D. DNS spoofing

Answer 247

D. DNS spoofing

Question 248

You are an Ethical Hacker who is auditing the ABC company. When you verify the NOC one of the machines has 2 connections, one wired and the other wireless. When you verify the configuration of his Windows system you find two static routes:route add 10.0.0.0 mask 255.0.0.0 10.0.0.1route add 0.0.0.0 mask 255.0.0.0 199.168.0.1 What is
the main purpose of those static routes?

A. The first static route indicated that the internal traffic will use an external gateway and the second static route
indicates that the traffic will be rerouted
B. Both static routes indicate that the traffic is internal with different gateway
C. Both static routes indicate that the traffic is external with different gateway
D. The first static route indicates that the internal addresses are using the internal gateway and the
static route indicated that all the traffic that is not internal must go to and external gateway

Answer 248

D. The first static route indicates that the internal addresses are using the internal gateway and the
static route indicated that all the traffic that is not internal must go to and external gateway

Question 249

You have successfully logged on a linux system. You want now cover your track. Your login attempt may be logged on several files located in /var/log.

Which file does NOT belong to the list:

A. btmp
B. user.log
C. auth.log
D. wtmp

Answer 249

A. btmp

Question 250

Which of the following is a design pattern based on distinct pieces of software providing application functionality as services to other applications?

A. Object Oriented Architecture
B. Lean Coding
C. Service Oriented Architecture
D. Agile Process

Answer 250

C. Service Oriented Architecture

Question 251

What does the -oX flag do in an Nmap scan?

A. Perform an eXpress scan
B. Output the results in XML format to a file
C. Perform a Xmas scan
D. Output the results in truncated format to the screen

Answer 251

B. Output the results in XML format to a file

Question 252

An attacker has installed a RAT on a host. The attacker wants to ensure that when a user attempts to go to “www.MyPersonalBank.com”, that the user is directed to a phishing site.

Which file does the attacker need to modify?

A. Hosts
B. Sudoers
C. Networks
D. Boot.ini

Answer 252

A. Hosts

Question 253

Which of the following algorithms is used for Kerberos encryption?

A. DSA
B. ECC
C. DES
D. RSA

Answer 253

A. DSA

Question 254

What is one of the advantages of using both symmetric and asymmetric cryptography in SSL/TLS?

A. Asymmetric cryptography is computationally expensive in comparison. However, it’s well-suited to
securely negotiate keys for use with symmetric cryptography.
B. Symmetric algorithms such as AES provide a failsafe when asymmetric methods fail.
C. Supporting both types of algorithms allows less-powerful devices such as mobile phones to use symmetric
encryption instead.
D. Symmetric encryption allows the server to securely transmit the session keys out-of-band.

Answer 254

A. Asymmetric cryptography is computationally expensive in comparison. However, it’s well-suited to
securely negotiate keys for use with symmetric cryptography.

Question 255

Jimmy is standing outside a secure entrance to a facility. He is pretending to having a tense conversation on his cell phone as an authorized employee badges in. Jimmy, while still on the phone, grabs the door as it begins to close. What just happened?

A. Tailgating
B. Phishing
C. Whaling
D. Masquerading

Answer 255

A. Tailgating

Question 256

What is the least important information when you analyse a public IP address in a security alert?]

A. Geolocation
B. Whois
C. DNS
D. ARP

Answer 256

D. ARP

Question 257

The establishment of a TCP connection involves a negotiation called 3 way handshake. What type of message sends the client to the server in order to begin this negotiation?

A. ACK
B. SYN-ACK
C. RST
D. SYN

Answer 257

D. SYN

Question 258

Seth is starting a penetration test from inside the network. He hasn’t been given any information about the network. What type of test is he conducting?

A. Internal, Blackbox
B. External, Blackbox
C. Internal, Whitebox
D. External, Whitebox

Answer 258

A. Internal, Blackbox

Question 259

Which of the following is the best countermeasuer against encrypting Ransomware?

A. Use multiple antivirus softwares
B. Analyze the ransomware to get decryption keys of encrypted data
C. Keep some generation of off-line backup
D. Pay a ransom

Answer 259

C. Keep some generation of off-line backup

Question 260

This configuration allows a wired or wireless network interface controller to pass all traffic it receives to the central processing unit (CPU), rather than passing only the frames that the controller is intended to receive. Which of the following is being described.

A. Multicast
B. Port forwarding
C. WEM
D. Promiscuous Mode

Answer 260

D. Promiscuous Mode

Question 261

If you are dealing with a firewall misconfiguration that causes you to not be able to browse to websites by domain name, but you’re able to by entering the websites ip address, which port is likely being blocked to cause this issue?

A. Traffic is blocked on UDP port 80
B. Traffic is blocked on TCP port 54
C. Traffic is blocked on UDP port 53
D. Traffic is blocked on TCP port 80

Answer 261

C. Traffic is blocked on UDP port 53

Question 262

Which results will be returned with the following Google search query? site:target.com -site:Marketing.target.com accounting

A. Results matching “accounting” in domain target.com but not on the site Marketing.target.com
B. Results matching all words in the query
C. Results from matches on the site marketing.target.com that are in the domain target.com but do not include the
word accounting
D. Results for matches on target.com and Marketing.target.com that include the word “accounting”

Answer 262

A. Results matching “accounting” in domain target.com but not on the site Marketing.target.com