Review Questions

Question 1

What is/are the countermeasure(s) against MAC Flood and MAC Spoofing attacks?

Answer 1

1) port security
2) binding
3) ip source guard
4) dynamic ARP inspection (DAI)
5) ARP watch
6) ARP wall

Question 2

Describe DHCP starvation attack and the countermeasures.

Answer 2

1) Exhausting the pool of IPs on a DHCP server

2) Port security

Question 3

Describe Rouge DHCP attack and the countermeasures.

Answer 3

1) An unauthorized DHCP server on the network.

2) DHCP snooping

Question 4

How do you evade IDS Signature detection and IDS anomaly detection?

Answer 4

Encryption and IP Fragmentation (also called Fragment scanning) evades Signature detection. Session splicing evades anomaly detection. Ex 1. timing channel. Ex 2 Timing template- setting in nmap

Question 5

Anonymizers and proxies protect-privacy (security through obscurity) and__________________

Answer 5

Content filtering (data commands)

Question 6

ARPWALL, ARPWatch, Private VLANs, Using Static ARP entries for servers, routers etc…helps you defend against______________

Answer 6

MAC spoofing

Question 7

Explain full open scan (connect scan).

Answer 7

Syn, syn-ack, ack, rst

Question 8

Explain half open scan

Answer 8

SYN, SYN-ACK, RST

Question 9

Explain XMAS Scans

Answer 9

All flags (or PUF)

Question 10

NMAP Syntex Review

• TCP Connect/Full open scan
• Stealth Scan/half open
• Xmas
• FIN
• Null

Answer 10

• TCP Connect/Full open scan: completes 3-way handshake: -sT
• Stealth Scan/half open: can spoof IP, bypasses firewall rules (Anti-spoof): -sS
• Xmas: FIN, URG, PSH: -sX
• FIN: FIN: -sF
• Null: No flags: -sN

Question 11

NMAP Syntex review

-Idle

Answer 11

Idle: You need a Zombie, to help you determine if a port is open/closed: -sI

Question 12

Write the NMAP syntax for:

Network scan of the entire subnet of 192.168.10.0.

Answer 12

-nmap -sn 192.168.10.0 0/24
or
-nmap -p 192.168.10.0 0/24

Question 13

Write the NMAP syntax for:

Network scan all hosts from 192.168.10.200 to 192.168.10.250.

Answer 13

-nmap -sn 192.168.10.200-250

Question 14

List the ICMP message types.

Answer 14

8-Echo request
0-Echo reply
3-Destination unreachable
11-TTL expired in transit

Question 15

Describe multi-factor authentication -types and examples

Answer 15

Something you
-know
-have
-are
(2 or more)

Question 16

Explain the differences between polymorphic (XOR’d) shellcode and Metamorphic virus.

Answer 16

Poly-algorithm doesn’t change, only the signature.

Met-both algorithm and signature change

Question 17

Describe vulnerability scanning and what are the limitations.

Answer 17

Identifies vulnerabilities in a system

Detects only known vulnerabilities

Question 18

What is the difference between auditing, vulnerability scanning and penetration testing?

Answer 18

Auditing-testing for compliance
Vulnerability testing-passive testing for vulnerability
Penetration testing-active testing for vulnerabilities

Question 19

Describe the following SQL Injection commands

1) ‘
2) –
3) +
4) ||
5) UNION

Answer 19

1) used to test if a DB is susceptible to SQL injection
2) end of line or single line comments
3) concatenation operators
4) concatenation operators
5) joining multiple queries

Question 20

Describe the following SQL Injection commands

1) UPDATE
2) DROPTABLE
3) Xp_cmdshell
4) OPENROWSET

Answer 20

1) update a table
2) delete a table
3) spawns a command shell
4) makes offline copy of a database

Question 21

Write a typical SQL Injection syntax.

Answer 21

blah’ or 1=1 –

If you know the admin

Admin’ –

Question 22

Difference between session hijacking and spoofing

Answer 22

Session hijacking-taking over a active session

Spoofing-attacker doesn’t see results (goes to spoofed address)

Question 23

Difference between image steganography and SNOW.

Answer 23

Steganography-hides info in images

SNOW-hides info in white space

Question 24

Difference between sparse infector, stealth and Macro viruses

Answer 24

Sparse infector-time trigger activated (Friday the 13th)
Stealth-hides between kernels and apps and intercepts system calls
Micro virus-targets office apps

Question 25

Difference between trojans, viruses and worms.

Answer 25

Trojans-require host file;can't self replicate/propagate Virus-requires host file;can self replicate/can't self propagate Worms-don't require host file;can self replicate/self propagate

Question 26

Difference between phishing, spear phishing and whaling.

Answer 26

Phishing-soliciting mail to mass amounts of people Spear phishing-targeted attack Whaling-targeting upper level management

Question 27

Describe firewalking and name some of the tools and techniques used for firewalking.

Answer 27

1) Tracert-used to gather IP addresses of firewalls and routers on target network 2) Ack-scan-to assess if the FW is stateful or non stateful (also use a UDP scan) 3) Ike scan tool- to find out if the FW is IPSec based or not 4) Scan for vendor specific ports 5) Banner grabbing

Question 28

Describe session fixation attack

Answer 28

Takes advantage of fixed session IDs

Question 29

How can you browse the internet anonymously?

Answer 29

TOR Proxy VPN HTTP tunneling

Question 30

What are techniques of sniffing on the switch?

Answer 30

``` Port span MAC flood ARP poisoning DNS poisoning Manipulating proxy Rogue DHCP server ```

Question 31

What is the default RID for a windows administrator account?

Answer 31

500

Question 32

``` What are the number of bits for the following hashing algorithms? MD4 MD5 SHA-1 SHA2 ```

Answer 32

128. 32 characters 128 160. 40 characters 160

Question 33

What is syskey used for and what key-length and type of encryption used for syskey?

Answer 33

It is used to encrypt the SAM file. It uses 128 bit RC4 encryption

Question 34

FTP

Answer 34

Ports 20, 21

Question 35

TFTP

Answer 35

Port 69

Question 36

Syslog

Answer 36

Port 514

Question 37

RDP

Answer 37

Port 3389

Question 38

SSH

Answer 38

Port 22

Question 39

SSL

Answer 39

Port 443

Question 40

SMB over netbios

Answer 40

Port 139

Question 41

SMB over TCP/IP

Answer 41

Port 445

Question 42

Kerberos

Answer 42

Port 88

Question 43

DNS zone transfer

Answer 43

Port 53 (TCP)

Question 44

DNS lookup

Answer 44

Port 53 (UDP)

Question 45

Network printing

Answer 45

Ports 515, 631, 9100

Question 46

POP3

Answer 46

Port 110 (incoming mail)

Question 47

SMTP

Answer 47

Port 25 (outgoing mail)

Question 48

SNMP

Answer 48

Ports 161, 162

Question 49

LDAP

Answer 49

Port 389

Question 50

NTP

Answer 50

Port 123

Question 51

IKE

Answer 51

Port 500

Question 52

IMAP

Answer 52

Port 143 (incoming mail)

Question 53

DHCP

Answer 53

Port 67, 68

Question 54

What does the following command achieve? type trojan.exe c:\windows\system32\ping.exe:trojan.exe or copy

Answer 54

ADS alternate data streams (NTFS streams)

Question 55

Describe the difference between simple SQL Injection and bling SQL Injection.

Answer 55

Simple-attacker sees results | Blind-attacker doesn't see results

Question 56

Describe the difference between sniffing on a hub network vs switch network.

Answer 56

Sniffing hub-passive | Sniffing switch-active

Question 57

Name the tool used for whitespace steganography and the type of encryption used by this tool.

Answer 57

SNOW | Ice encryption

Question 58

Describe the 6 techniques of anti-spoofing

Answer 58

1) packets from outside have inside IP as source IP. 2) packets from inside have outside IP as source IP. 3) for packets from new network send test packets 4) TTL mismatch (huge difference in TTL) 5) IPID mismatch 6) exceeding the window size

Question 59

Write the Wireshark filter syntax | All packets going to and from 10.10.1.1

Answer 59

ip.addr==10.10.1.1

Question 60

Write the Wireshark filter syntax | All packets coming from 10.10.1.1

Answer 60

ip.src==10.10.1.1

Question 61

Write the Wireshark filter syntax | All packets going to 10.10.1.1 destination port 80

Answer 61

ip.dst==10.10.1.1&&tcp.dstport==80

Question 62

Write the Wireshark filter syntax | All packets with reset flags set

Answer 62

tcp.flags.reset==1

Question 63

Write the Wireshark filter syntax | Search http text 'Wireshark'

Answer 63

tcp contains wireshark

Question 64

What are html entities?

Answer 64

Substituting non-alphanumeric characters w/alphanumeric characters

Question 65

Describe IDS/IPS.

Answer 65

IDS-detection | IPS-preventive

Question 66

What are the two types of input validation? Identify the risk each one of those pose.

Answer 66

Data type-susceptible to injection attacks | Data boundary-susceptible to buffer overflow attacks

Question 67

What does overwriting the EIP (Extended Instruction Pointer) mean?

Answer 67

``` Buffer overflow attack also Overwriting EIP Return pointer Return address Return registry ```

Question 68

What is a canary word used for?

Answer 68

To detect if a buffer overflow has been attempted

Question 69

How do you prevent google, yahoo and bing from accessing certain pages on the web server.

Answer 69

Robots.txt

Question 70

Cain and Abel is a multipurpose tool-list some of the uses of this tool.

Answer 70

``` ARP poisoning tool Sniffing VOIP sniffing PW cracker WEP cracking ```

Question 71

Describe the hybrid password attack technique.

Answer 71

A combination of dictionary and brute force attacks

Question 72

What is the key length used by Diffie Hellman

Answer 72

1536

Question 73

What is the key length used by RSA?

Answer 73

Min 1024, mostly 2048

Question 74

What is the key length used by DES?

Answer 74

Total 64 | Actual 56

Question 75

What is the key length used by 3DES?

Answer 75

Actual 168 | Effective 112

Question 76

What is the key length used by AES?

Answer 76

Min 128 Protocol CCMP Algorithm Rijndael

Question 77

Name the different tools used to verify integrity of system files and data files?

Answer 77

Tripwire, FCIV

Question 78

Name the different tools (including Microsoft's own solution) used to verify authenticity of program files

Answer 78

MS-sigverif | Universal-bit9

Question 79

Which of these systems inspects traffic vs blocks traffic?

Answer 79

IDS-blocks | IPS-inspects

Question 80

Describe the difference between hardware and software key loggers and the detection methods for each.

Answer 80

SW-malicious if signatures re known | HW-imbedded visual inspection to detect, physical security to prevent

Question 81

What is the difference between HW and SW disc encryption? What is Microsoft's?

Answer 81

HW-TPM, MBR is encrypted and provides whole disc encryption. SW-MBR encrypted-provided partial disc encryption. MS tool EFS (Encrypted File System)

Question 82

Describe a SMURF attack

Answer 82

(TCP) pings broadcast network and spoofs source IP as the target

Question 83

Describe a Fraggle attack.

Answer 83

(UDP) pings broadcast network and spoofs source IP as the target

Question 84

Describe a Land attack

Answer 84

Takes advantage of the TCP 3 way handshake-SYN packet sent to target w/source and destination packets sent to target.

Question 85

Describe a Teardrop attack

Answer 85

Sending overlapping fragments of data to target server which overwhelms and crashes.

Question 86

Describe a SYN flood attack.

Answer 86

SYN packet sent to target w/source IP spoof to be non existent IPs

Question 87

Describe a ping of death attack

Answer 87

Sending oversized ping packets to target.

Question 88

What is the difference between XSS and CSRF?

Answer 88

XSS-embedding malicious links within web pages, emails, etc | CSRF-takes advantage of a dread authenticated session.

Question 89

If the second half of an LM Hash contains a hash value of -AAD3B435B51404EE, it indicates that______________

Answer 89

The PW is 7 characters or less.

Question 90

Describe the algorithm of RSA encryption.

Answer 90

Factorization of large prime numbers.

Question 91

Symmetric encryption provides which of the following cryptographic objectives?

Answer 91

Confidentiality Integrity Authentication

Question 92

Asymmetric encryption provides which of the following cryptographic objectives?

Answer 92

Confidentiality Integrity Authentication Non-repudiation

Question 93

Digital signature provides which of the following cryptographic objectives?

Answer 93

Integrity Authentication Non-repudiation

Question 94

With a digital signature the hash is encrypted with ______________

Answer 94

The senders private key

Question 95

For authentication the hash/message is encrypted with_________

Answer 95

Bulk encryption

Question 96

What are the disadvantage of Symmetric encryption?

Answer 96

``` Key management (not scaleable) Key distro (relies on out of band dustrobution) No non-repudiation ```

Question 97

Which Wifi encryption uses 48 bit IV and 128 bit AES encryption?

Answer 97

WPA2 | WPA 128 bit TKIP

Question 98

Why is WEP considered to be an inherently weak wifi encryption standard?

Answer 98

It uses a 24 bit IV and lacks randomization

Question 99

Identify the hashing algorithms for the following Windows Authentication methods. LMHash NTLMv1 NTLMv2

Answer 99

LMHash-DES NTLMv1-MD4 NTLMv2-MD5

Question 100

What happens to a switch when a CAM table is flooded?

Answer 100

It behaves like a hub.

Question 101

What is the broadcast address for 180.160.172.0/22?

Answer 101

180.160.175.255

Question 102

How do you secure SNMP?

Answer 102

Use version 3 Change default PWs for read and write Use group policies to disable anonymous access

Question 103

What are the two methods of banner grabbing using Telnet?

Answer 103

GET / HTTP/1.0 | HEAD / HTTP/1.0

Question 104

Is it possible to block all reconnaissance traffic completely? (Ping, tracert, DNS etc.)

Answer 104

No

Question 105

List the truth table for XOR.

Answer 105

0+0=0 0+1=1 1+0=1 1+1=0

Question 106

Identify the purpose/roles for | CSIRT

Answer 106

Compute Security Incident Response Team

Question 107

Identify the purpose/roles of | OSSTMM.

Answer 107

Open Source Security Testing Methodology Manual: Non-profit entity which provides guidelines & controls for securing open source

Question 108

Identify the purpose/roles of | OWASP

Answer 108

Open Web Application Security Project: non-profit entity which provides common web application flaws and how to fix them-also provides OWASP top ten. (Webgoat similar to badstore)

Question 109

Describe: SOX PCI-DSS

Answer 109

SOX (Sarbanes-Oxley) enforces financial accountability | PCI-DSS (Payment Card Industry Data Security Standard) protects PII

Question 110

List the different types of root kits.

Answer 110

``` Hyper visor Bios Kernel Boot loader Application Dll ```

Question 111

What is the difference between Key Escrow and Recovery Agent?

Answer 111

Key Escrow: used for external issued certs. Private key is split into 2 or more parts and each part is given to a CA for safe keeping. Recovery Agent: used in internal PKI environment by nominating an account as the recovery agent.

Question 112

Describe N-tier architecture in the following contexts- Infrastructure Architecture Application Architecture

Answer 112

``` Infrastructure: Network segregation/network segmentation where servers are logically grouped by function within each VLAN segment. Application: designing apps in a modular fashion where changes to one module doesn't impact other modules ```

Question 113

What do the following tools have in common? | Brutus, John the Ripper, Cain and Abel, Kerbcrack, and Hydra

Answer 113

Password Crackers

Question 114

Explain the following: Port security NAC/NAP EAP/802.1x

Answer 114

Port security: limits the number of MACs on each port/switch port NAC/NAP: Network Access Control/Network Access Protection - sets and enforces the baseline on systems connected to the network. EAP/802.1x: Extensible Authentication Protocol- gives you the strongest authentication

Question 115

Describe the 3 methods of disabling LMHashes.

Answer 115

1) best- Using PWs greater than 14 characters (min 15 characters) 2) middle- use GPO to disable (most popular) 3) worst- edit registry to disable it

Question 116

Name the 2 trust models and examples for each.

Answer 116

Hierarchical- PKI | Web of trust- PGP (transitive trust)

Question 117

Describe the following: Shellshock Heartbleed Collision

Answer 117

Shellshock: A BASH (Born Again Shell) vul where an attacker takes advantage of lack of i put validation in CGI scripts to gain access to the shell of the system. Heartbleed: an open SSL vul which gives the attacker access to memory content (thus gain access to private key) Collision: when 2 different pieces of text produce the same hash value, it produces a collision (collision is a sign of weakness, hashing algorithms must be collision resistant)

Question 118

Risk Management: identify the formula for: 1) SLE 2) ALE 3) Risk

Answer 118

1) SLE-Threat x Vul x Asset 2) ALE-Asset value x Exposure 3) Risk-Asset value x Exposure x Annualized Rate of Occurrence (ARO)

Question 119

Write the Google search rule for locating .pdf files on www.cisco.com

Answer 119

Insite:www.cisco.com filetype:pdf

Question 120

Which NMAP script will help test what methods, such as GET, PUT, POST etc, are allowed on a HTTP Server?

Answer 120

HTTP Methods

Question 121

Netcat is a plaintext protocol-which equivalent tool can be used to have an encrypted Netcat like connection?

Answer 121

Cryptcat

Question 122

What is the difference between Stateful Inspection FW AND WEb Application FW?

Answer 122

Stateful Inspection FW-enforces 3 way handshake and tracks state of connection (multilayer) Web Application FW- does deep packet inspection (application layer)

Question 123

What is the difference between CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol)

Answer 123

CRL- public cert goes on CRL | OCSP- checks the CRL to see if cert is good or not

Question 124

Describe the following tools 1) CHNTPW 2) Metagoofil 3) DIAMETER

Answer 124

1) CHNTPW: change password-a Linux tool to change Windows PWs 2) Metagoofil: tool used to scrape metadata off target 3) DIAMETER: Radius 2.0 - enhanced version of radius, provides better reliability (uses TCP) and mobility support