Sample Questions 1 Flashcards by Nicholas Phelps

Hacker is a person who illegally breaks into a system or network without any authorization to destroy, steal sensitive data or to perform any malicious attacks.

Black hat hackers are:

a) Individuals with extraordinary computing skills, resorting to malicious or destructive activities and are also known as crackers
b) Individuals professing hacker skills and using them for defensive purposes and are also known as security analysts
c) Individuals who aim to bring down critical infrastructure for a “cause” and are not worried about facing 30 years in jail for their actions
d) Individuals who work both offensively and defensively at various times

a) Individuals with extraordinary computing skills, resorting to malicious or destructive activities and are also known as crackers

How well did you know this?

Not at all

Perfectly

In order to compromise or to hack a system or network the hackers go through various phases of the hacking.
What is the first hacking phase that hackers perform to gather information about a target prior to launching an attack?

a) Reconnaissance
b) Scanning
c) Gaining Access
d) Maintaining Access
e) Clearing Track

a) Reconnaissance

How well did you know this?

Not at all

Perfectly

Penetration testing is a method of actively evaluating the security of an information system or network by simulating an attack from a malicious source. Which of the following technique is used to simulate an attack from someone who is unfamiliar with the system?

a) Black box pen testing
b) White box pen testing
c) Grey box pen testing
d) Maintaining Access
e) Announced pen testing

a) Black box pen testing

How well did you know this?

Not at all

Perfectly

Which of the following scanning technique attackers use to bypass firewall rules, logging mechanism, and hide themselves as usual network traffic?

a) Stealth scanning technique
b) TCP connect scanning technique
c) Xmas scanning technique
d) Maintaining Access
e) FIN scanning technique

a) Stealth scanning technique

How well did you know this?

Not at all

Perfectly

OS fingerprinting is the method used to determine the operating system running on a remote target system. It is an important scanning method, as the attacker will have a greater probability of success if he/she knows the OS. Active stack fingerprinting is one of the types of OS fingerprinting.
Which of the following is true about active stack fingerprinting?

a) Uses password crackers to escalate system privileges
b) Is based on the fact that various vendors of OS implement the TCP stack differently
c) TCP connect scan
d) Uses sniffing techniques instead of the scanning techniques

b) Is based on the fact that various vendors of OS implement the TCP stack differently

How well did you know this?

Not at all

Perfectly

Proxy is a network computer that can serve as an intermediary for connecting with other computers.
Which of the following sentence is true about a proxy?

a) Protects the local network from outside access
b) Does not allow the connection of a # of PCs to the Internet when having only one IP address
c) Allows attacker to view the desktop of users system
d) Cannot be used to filter out unwanted content

a) Protects the local network from outside access

How well did you know this?

Not at all

Perfectly

IP spoofing refers to the procedure of an attacker changing his or her IP address so that he or she appears to be someone else. Which of the following IP spoofing detection technique succeed only when the attacker is in a different subnet?

a) Direct TTL probes technique
b) IP identification number technique
c) TCP flow control method
d) UDP flow control method

a) Direct TTL probes technique

How well did you know this?

Not at all

Perfectly

Enumeration is defined as the process of extracting user names, machine names, network resources, shares, and services from a system. Which of the following enumeration an attacker uses to obtain list of computers that belongs to a domain?

a) Netbios enumeration
b) SNMP enumeration
c) NTP enumeration
d) SMTP enumeration

a) Netbios enumeration

How well did you know this?

Not at all

Perfectly

Network Time Protocol (NTP) is designed to synchronize clocks of networked computers.

Which of the following port NTP uses as its primary means of communication?

a) UDP port 123
b) UDP port 113
c) UDP port 161
d) UDP port 320

a) UDP port 123

How well did you know this?

Not at all

Perfectly

Rootkits are kernel programs having the ability to hide themselves and cover up traces of activities. It replaces certain operating system calls and utilities with its own modified versions of those routines. Which of the following rootkit modifies the boot sequence of the machine to load themselves instead of the original virtual machine monitor or operating system?

a) Hypervisor level rootkit
b) Kernel level rootkit
c) Boot loader level rootkit
d) Library level rootkits

a) Hypervisor level rootkit

How well did you know this?

Not at all

Perfectly

A virus is a self-replicating program that produces its own code by attaching copies of it into other executable codes.

Which of the following virus evade the anti-virus software by intercepting its requests to the operating system?

a) Stealth/Tunneling virus
b) Cluster virus
c) Macro virus
d) System or boot sector virus

a) Stealth/Tunneling virus

How well did you know this?

Not at all

Perfectly

Sniffer turns the NIC of a system to the promiscuous mode so that it listens to all the data transmitted on its segment. It can constantly read all information entering the computer through the NIC by decoding the information encapsulated in the data packet. Passive sniffing is one of the types of sniffing. Passive sniffing refers to:

a) Sniffing through a hub
b) Sniffing through a router
c) Sniffing through a switch
d) Sniffing through a bridge

a) Sniffing through a hub

How well did you know this?

Not at all

Perfectly

Address Resolution Protocol (ARP) is a protocol for mapping an IP address to a physical machine address that is recognized in the local network. ARP Spoofing involves constructing a large number of forged ARP request and reply packets to overload:

a) Switch
b) Router
c) Hub
d) Bridge

a) Switch

How well did you know this?

Not at all

Perfectly

Denial of Service (DoS) is an attack on a computer or network that prevents legitimate use of its resources. In a DoS attack, attackers flood a victim system with non-legitimate service requests or traffic to overload its resources, which prevents it from performing intended tasks. Which of the following is a symptom of a DoS attack?

a) Unavailability of a particular website
b) Decrease in the amount of spam emails received
c) Automatic increase in network bandwidth
d) Automatic increase in network performance

a) Unavailability of a particular website

How well did you know this?

Not at all

Perfectly

Session Hijacking refers to the exploitation of a valid computer session where an attacker takes over a session between two computers.
Which of the following factor contribute to a successful session hijacking attack?

a) Account lockout for invalid session IDs
b) Definite session expiration time
c) Weak session ID generation algorithm
d) No clear text transmission

c) Weak session ID generation algorithm

How well did you know this?

Not at all

Perfectly

Buffer Overflow occurs when an application writes more data to a block of memory, or buffer, than the buffer is allocated to hold. Buffer overflow attacks allow an attacker to modify the ___________ in order to control the process execution, crash the process and modify internal variables.

a) Target process’s address space
b) Target remote access
c) Target rainbow table
d) Target SAM file

a) Target process’s address space

How well did you know this?

Not at all

Perfectly

Which wireless standard has bandwidth up to 54 Mbps and signals in a regulated frequency spectrum around 5 GHz?

a) 802.11a
b) 802.11b
c) 802.11g
d) 802.11i

a) 802.11a

How well did you know this?

Not at all

Perfectly

Which device in a wireless local area network (WLAN) determines the next network point to which a packet should be forwarded toward its destination?

a) Wireless modem
b) Antenna
c) Wireless router
d) Mobile station

c) Wireless router

How well did you know this?

Not at all

Perfectly

Wireless antenna is an electrical device which converts electric currents into radio waves, and vice versa. Which of the following antenna used in wireless base stations and provides a 360 degree horizontal radiation pattern?

a) Omnidirectional antenna
b) Parabolic grid antenna
c) Yagi antenna
d) Dipole antenna

a) Omnidirectional antenna

How well did you know this?

Not at all

Perfectly

Firewall is a set of related programs, located at a network gateway server that protects the resources of a private network from users from other networks. A firewall examines all traffic routed between the two networks to see if it meets certain criteria. Packet filter is one of the categories of firewall. Packet filtering firewall works at which of these layers of the OSI model?

a) Network layer
b) Physical layer
c) Session layer
d) Application layer

a) Network layer

How well did you know this?

Not at all

Perfectly

Keystroke loggers are stealth software packages that are used to monitor keyboard activities. Which is the best location to place such keyloggers?

a) Keyboard hardware & the operating system
b) UPS and keyboard
c) Operating system and UPS
d) Monitor and keyboard software

a) Keyboard hardware & the operating system

How well did you know this?

Not at all

Perfectly

You have invested millions of dollars for protecting your corporate network. You have the best IDS, firewall with strict rules and routers with no configuration errors. Which of the following techniques practiced by an attacker exploits human behavior to make your network vulnerable to attacks?

a) Social Engineering
b) Buffer overflow
c) Denial of Service
d) SQL injection

a) Social Engineering

How well did you know this?

Not at all

Perfectly

Nmap is a free open source utility, which is designed to rapidly scan large networks. Identify the Nmap Scan method that is often referred to as half open scan because it does not open a full TCP connection.

a) ACK Scan
b) SYN Stealth
c) Half open
d) Windows Scan

b) SYN Stealth

How well did you know this?

Not at all

Perfectly

As a system administrator, you are responsible for maintaining the website of your company which deals in online recharge of mobile phone cards. One day to your surprise, you find the home page of your company’s website defaced. What is the reason for webpage defacement?

a) Denial of Service attack
b) Session Hijacking
c) DNS attack through cache poisoning
d) Buffer overflow

c) DNS attack through cache poisoning

How well did you know this?

Not at all

Perfectly

Which of the following protocols are susceptible to sniffing? a) SNMP b) FTP c) NNTP d) Telnet

d) Telnet

Which of the following cryptographic attack refers to extraction of cryptographic secrets (e.g. the password to an encrypted file) from a person by coercion or torture? a) Ciphertext-only Attack b) Chosen-ciphertext Attack c) Adaptive Chosen-plaintext Attack d) Rubber Hose Attack

d) Rubber Hose Attack

Firewall implementation and design for an enterprise can be a daunting task. Choices made early in the design process can have far-reaching security implications for years to come. Which of the following firewall architecture is designed to host servers that offer public services? a) Bastion Host b) Screened subnet c) Screened host d) Screened

b) Screened subnet

Attackers craft malicious probe packets and scan for services such as HTTP over SSL (HTTPS), SMTP over SSL (SMTPS) and IMAP over SSL (IMAPS) to detect honeypots in a network. Which of the following condition shows the presence of a honeypot? a) Ports show a particular service running but deny a three-way handshake connection b) Ports show a particular service running and allow a three-way handshake connection c) Ports do not show any particular service running d) Scan shows that no scanned port is live on the NW

a) Ports show a particular service running but deny a three-way handshake connection

Identify the denial-of-service attack that is carried out using a method known as “bricking a system.” Unlike other DoS attacks, it sabotages the system hardware, requiring the victim to replace or reinstall the hardware. a) ICMP Flood Attack b) Application Level Flood Attacks c) Phlashing d) Bandwidth Attacks

c) Phlashing

Which of the following Wi-Fi chalking method refers to drawing symbols in public places to advertise open Wi-Fi networks? a) WarWalking b) WarFlying c) WarChalking d) WarDriving

c) WarChalking

Bluetooth hacking refers to exploitation of Bluetooth stack implementation vulnerabilities to compromise sensitive data in Bluetooth-enabled devices and networks. Which of the following Bluetooth attack refers to sending unsolicited messages over Bluetooth to Bluetooth-enabled devices such as PDA and mobile phones? a) Bluesmacking b) Bluejacking c) Blue Snarfing d) BlueSniff

b) Bluejacking

Enumeration is defined as the process of extracting user names, machine names, network resources, shares, and services from a system. Which of the following command can be used in UNIX environment to enumerate the shared directories on a machine? a) showmount b) finger c) rpcinfo d) rpcclient

a) showmount

CAM table in switch stores information such as MAC addresses available on physical ports with their associated VLAN parameters. What happens when the CAM table is full? a) Additional ARP request traffic will not be forwarded to any port on the switch b) The switch will stop functioning and get disconnected from network c) Additional ARP request traffic will flood every port on the switch d) It does not affect the switch functioning

c) Additional ARP request traffic will flood every port on the switch

Identify the web application attack where attackers exploit webpage vulnerabilities to force an unsuspecting user’s browser to send malicious requests they did not intend. The victim holds an active session with a trusted site and simultaneously visits a malicious site, which injects an HTTP request for the trusted site into the victim user’s session, compromising its integrity a) Cross-Site Scripting (XSS) b) Cross-Site Request Forgery (CSRF) c) LDAP Injection attack d) SQL injection attack

b) Cross-Site Request Forgery (CSRF)

Jason, a penetration tester, is testing a web application that he knows is vulnerable to an SQL injection but the results of the injection are not visible to him. He tried waitfor delay command to check the SQL execution status which confirmed the presence of the SQL injection vulnerability. Which type of SQL injection Jason is attempting on the web application? a) Blind SQL injection b) Error-based SQL injection c) UNION SQL Injection d) Simple SQL Injection

a) Blind SQL injection

Consider the attack scenario given below: Step 1: User browses a web page Step 2: Web server replies with requested page and sets a cookie on the user’s browser Step 3: Attacker steals cookie (Sniffing, XSS, phishing attack) Step 4: Attacker orders for product using modified cookie Step 5: Product is delivered to attacker’s address Identify the web application attack. a) Session fixation attack b) Unvalidated redirects attack c) Cookie poisoning attack d) Denial-of-Service (DoS) attack

c) Cookie poisoning attack

Which of the following countermeasure can specifically protect against both the MAC Flood and MAC Spoofing attacks? A. Configure Port Security on the switch B. Configure Port Recon on the switch C. Configure Switch Mapping D. Configure Multiple Recognition on the switch

A. Configure Port Security on the switch

This IDS defeating technique works by splitting a datagram (or packet) into multiple fragments & the IDS will not spot the true nature of the fully assembled datagram. The datagram is not reassembled until it reaches its final destination. It would be a processor-intensive task for IDS to reassemble all fragments itself, and on a busy system the packet will slip through the IDS onto the network. What is this technique called? A. IP Routing or Packet Dropping B. IDS Spoofing or Session Assembly C. IP Fragmentation or Session Splicing D. IP Splicing or Packet Reassembly

C. IP Fragmentation or Session Splicing

If a competitor wants to cause damage to your organization, steal critical secrets, or put you out of business, they just have to find a job opening, prepare someone to pass the interview, have that person hired, and they will be in the organization. How would you prevent such type of attacks? A. It is impossible to block these attacks B. Hire the people through third-party job agencies who will vet them for you C. Conduct thorough background checks before you engage them D. Investigate their social networking profiles

C. Conduct thorough background checks before you engage them

This type of Port Scanning technique splits TCP header into several packets so that the packet filters are not able to detect what the packets intends to do. A. UDP Scanning B. IP Fragment Scanning C. Inverse TCP flag scanning D. ACK flag scanning

B. IP Fragment Scanning

Joel and her team have been going through tons of garbage, recycled paper, and other rubbish in order to find some information about the target they are attempting to penetrate. How would you call this type of activity? A. Dumpster Diving B. Scanning C. CI Gathering D. Garbage Scooping

A. Dumpster Diving

Jack Hacker wants to break into Brown Co.'s computers and obtain their secret double fudge cookie recipe. Jack calls Jane, an accountant at Brown Co., pretending to be an administrator from Brown Co. Jack tells Jane that there has been a problem with some accounts and asks her to verify her password with him ''just to double check our records.'' Jane does not suspect anything amiss, and parts with her password. Jack can now access Brown Co.'s computers with a valid user name & password, to steal the cookie recipe. What kind of attack is being illustrated here? A. Reverse Psychology B. Reverse Engineering C. Social Engineering D. Spoofing Identity E. Faking Identity

C. Social Engineering

How do you defend against ARP Spoofing? **Select three**. A. Use ARPWALL system and block ARP spoofing attacks B. Tune IDS Sensors to look for large amount of ARP traffic on local subnets C. Use private VLANS D. Place static ARP entries on servers,workstation and routers

A. Use ARPWALL system and block ARP spoofing attacks C. Use private VLANS D. Place static ARP entries on servers,workstation and routers

TCP SYN Flood attack uses the three-way handshake mechanism. 1. An attacker at system A sends a SYN packet to victim at system B. 2. System B sends a SYN/ACK packet to victim A. 3. As a normal three-way handshake mechanism system A should send an ACK packet to system B, however, system A does not send an ACK packet to system B. In this case client B is waiting for an ACK packet from client A. This status of client B is called \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_ A. "half-closed" B. "half open" C. "full-open" D. "xmas-open"

B. "half open"

SYN Flood is a DOS attack in which an attacker deliberately violates the three-way handshake and opens a large number of half-open TCP connections. The signature of attack for SYN Flood contains: A. The source and destination address having the same value B. A large number of SYN packets appearing on a network without the corresponding reply packets C. The source and destination port numbers having the same value D. A large number of SYN packets appearing on a network with the corresponding reply packets

B. A large number of SYN packets appearing on a network without the corresponding reply packets

Which of the following type of scanning utilizes automated process of proactively identifying vulnerabilities of the computing systems present on a network? A. Port Scanning B. Single Scanning C. External Scanning D. Vulnerability Scanning

D. Vulnerability Scanning

What are the limitations of Vulnerability scanners? **(Select 2)** A. There are often better at detecting well-known vulnerabilities than more esoteric ones B. The scanning speed of their scanners are extremely high C. It is impossible for any one scanning product to incorporate all known vulnerabilities in a timely manner D. The more vulnerabilities detected, the more tests required E. They are highly expensive and require per host scan license

A. There are often better at detecting well-known vulnerabilities than more esoteric ones C. It is impossible for any one scanning product to incorporate all known vulnerabilities in a timely manner

Dan is conducting penetration testing and has found a vulnerability in a Web App which gave him the sessionID token via a XSS vulnerability. Dan wants to replay this token. However, the sessionID manager checks the originating IP address as well. Dan decides to spoof his IP address in order to replay the sessionID. Why do you think Dan might not be able to get an interactive session? A. Dan cannot spoof his IP address over TCP network B. The scenario is incorrect as Dan can spoof his IP and get responses C. The server will send replies back to the spoofed IP address D. Dan can establish an interactive session only if he uses a NAT

C. The server will send replies back to the spoofed IP address

An attacker finds a web page for a target organization that supplies contact info for the company. Using available details to make the message seem authentic, the attacker drafts e-mail to an employee on the contact page that appears to come from an individual who might reasonably request confidential info, such as a NW admin. The email asks the employee to log into a bogus page that requests the employee's user name & password or click on a link that will download spyware or other malicious programming. Google's Gmail was hacked using this technique & attackers stole source code and sensitive data from Google servers. This is highly sophisticated attack using zero-day exploit vectors, social engineering and malware websites that focused on targeted individuals working for the company. What is this deadly attack called? A. Spear phishing attack B. Trojan server attack C. Javelin attack D. Social networking attack

A. Spear phishing attack

Vulnerability scanners are automated tools that are used to identify vulnerabilities and misconfigurations of hosts. They also provide information regarding mitigating discovered vulnerabilities. Which of the following statements is incorrect? A. Vulnerability scanners attempt to identify vulnerabilities in the hosts scanned. B. Vulnerability scanners can help identify out-of-date software versions, missing patches, or system upgrades C. They can validate compliance with or deviations from the organization's security policy D. Vulnerability scanners can identify weakness and automatically fix and patch the vulnerabilities without user intervention

D. Vulnerability scanners can identify weakness and automatically fix and patch the vulnerabilities without user intervention

How does traceroute map the route a packet travels from point A to point B? A. Uses a TCP timestamp packet that will elicit a time exceeded in transit message B. Manipulates the value of the time to live (TTL) within packet to elicit a time exceeded in transit message C. Uses a protocol that will be rejected by gateways on its way to the destination D. Manipulates the flags within packets to force gateways into generating error messages

B. Manipulates the value of the time to live (TTL) within packet to elicit a time exceeded in transit message

How do you defend against DHCP Starvation attack? A. Enable ARP-Block on the switch B. Enable DHCP snooping on the switch C. Configure DHCP-BLOCK to 1 on the switch D. Install DHCP filters on the switch to block this attack

B. Enable DHCP snooping on the switch

Jayden is a network administrator for her company. Jayden wants to prevent MAC spoofing on all the Cisco switches in the network. How can she accomplish this? A. Jayden can use the command ip binding set. B. Jayden can use the command no ip spoofing. C. She should use the command no dhcp spoofing. D. She can use the command ip dhcp snooping binding.

D. She can use the command ip dhcp snooping binding.

This attack uses social engineering techniques to trick users into accessing a fake Web site and divulging personal information. Attackers send a legitimate-looking e-mail asking users to update their information on the company's Web site, but the URLs in the e-mail actually point to a false Web site. A. Wiresharp attack B. Switch and bait attack C. Phishing attack D. Man-in-the-Middle attack

C. Phishing attack

Which of the following statements would NOT be a proper definition for a Trojan Horse? A. An authorized program that has been designed to capture keyboard keystroke while the user is unaware of such activity being performed B. An unauthorized program contained within a legitimate program. This unauthorized program performs functions unknown (and probably unwanted) by the user C. A legitimate program that has been altered by the placement of unauthorized code within it; this code performs functions unknown (and probably unwanted) by the user D. Any program that appears to perform a desirable and necessary function but that (because of unauthorized code within it that is unknown to the user) performs functions unknown (and definitely unwanted) by the user

A. An authorized program that has been designed to capture keyboard keystroke while the user is unaware of such activity being performed

In the context of Trojans, what is the definition of a Wrapper? A. An encryption tool to protect the Trojan B. A tool used to bind the Trojan with a legitimate file C. A tool used to calculate bandwidth and CPU cycles wasted by the Trojan D. A tool used to encapsulate packets within a new header and footer

B. A tool used to bind the Trojan with a legitimate file Explanation: Wrapper does not change header or footer of any packets but it mix between legitimate file and Trojan file.

Your computer is infected by E-mail tracking and spying Trojan. This Trojan infects the computer with a single file - emos.sys Which step would you perform to detect this type of Trojan? A. Scan for suspicious startup programs using msconfig B. Scan for suspicious network activities using Wireshark C. Scan for suspicious device drivers in c:\windows\system32\drivers D. Scan for suspicious open ports using netstat

C. Scan for suspicious device drivers in c:\windows\system32\drivers

Which type of hacker represents the highest risk to your network? A. black hat hackers B. grey hat hackers C. disgruntled employees D. script kiddies

C. disgruntled employees

What port number is used by Kerberos protocol? A. 88 B. 44 C. 487 D. 419

A. 88

What does FIN in TCP flag define? A. Used to abort a TCP connection abruptly B. Used to close a TCP connection C. Used to acknowledge receipt of a previous packet or transmission D. Used to indicate the beginning of a TCP connection

B. Used to close a TCP connection

Annie has just succeeded in stealing a secure cookie via a XSS attack. She is able to replay the cookie even while the session is invalid on the server. Why do you think this is possible? A. It works because encryption is performed at the application layer (single encryption key) B. The scenario is invalid as a secure cookie cannot be replayed C. It works because encryption is performed at the network layer (layer 1 encryption) D. Any cookie can be replayed irrespective of the session status

A. It works because encryption is performed at the application layer (single encryption key)

This attack technique is used when a Web application is vulnerable to an SQL Injection but the results of the Injection are not visible to the attacker. A. Unique SQL Injection B. Blind SQL Injection C. Generic SQL Injection D. Double SQL Injection

B. Blind SQL Injection

A common technique for luring e-mail users into opening virus-launching attachments is to send messages that would appear to be relevant or important to many of their potential recipients. One way of accomplishing this feat is to make the virus-carrying messages appear to come from some type of business entity retailing sites, UPS, FEDEX, CITIBANK or a major provider of a common service. Here is a fraudulent e-mail claiming to be from FedEx regarding a package that could not be delivered. This mail asks the receiver to open an attachment in order to obtain the FEDEX tracking number for picking up the package. The attachment contained in this type of e-mail activates a virus. Vendors send e-mails like this to their customers advising them not to open any files attached with the mail, as they do not include attachments. Fraudulent e-mail and legit e-mail that arrives in your inbox contain the fedex.com as the sender of the mail. How do you ensure if the e-mail is authentic and sent from fedex.com? A. Verify the digital signature attached with the mail,the fake mail will not have Digital ID at all B. Check the Sender ID against the National Spam Database (NSD) C. Fake mail will have spelling/grammatical errors D. Fake mail uses extensive images, animation and flash content

A. Verify the digital signature attached with the mail,the fake mail will not have Digital ID at all

What file system vulnerability does the following command take advantage of? type c:\anyfile.exe \> c:\winnt\system32\calc.exe:anyfile.exe A. HFS B. Backdoor access C. XFS D. ADS

D. ADS

You are the Security Administrator of Xtrinity, Inc. You write security policies and conduct assessments to protect the company's network. During one of your periodic checks to see how well policy is being observed by the employees, you discover an employee has attached cell phone 3G modem to his telephone line and workstation. He has used this cell phone 3G modem to dial in to his workstation, thereby bypassing your firewall. A security breach has occurred as a direct result of this activity. The employee explains that he used the modem because he had to download software for a department project. How would you resolve this situation? A. Reconfigure the firewall B. Enforce the corporate security policy C. Install a network-based IDS D. Conduct a needs analysis

B. Enforce the corporate security policy

What is a sniffing performed on a switched network called? A. Spoofed sniffing B. Passive sniffing C. Direct sniffing D. Active sniffing

D. Active sniffing

A rootkit is a collection of tools that enable admin-level access to a PC. This program hides itself deep into an OS for malicious activity & is extremely difficult to detect. The malicious SW operates in a stealth fashion by hiding its files, processes & registry keys & may be used to create a hidden directory or folder designed to keep out of view from a user's OS & security SW. What privilege level does a rootkit require to infect successfully on a Victim's PC? A. User level privileges B. Ring 3 Privileges C. System level privileges D. Kernel level privileges

D. Kernel level privileges

Which Steganography technique uses Whitespace to hide secret messages? A. snow B. beetle C. magnet D. cat

A. snow

David is a security administrator working in Boston. David has been asked by the office's manager to block all POP3 traffic at the firewall because he believes employees are spending too much time reading personal email. How can David block POP3 at the firewall? A. David can block port 125 at the firewall. B. David can block all EHLO requests that originate from inside the office. C. David can stop POP3 traffic by blocking all HELO requests that originate from inside the office. D. David can block port 110 to block all POP3 traffic.

D. David can block port 110 to block all POP3 traffic.

You want to capture Facebook website traffic in Wireshark. What display filter should you use that shows all TCP packets that contain the word 'facebook'? A. display==facebook B. traffic.content==facebook C. tcp contains facebook D. list.display.facebook

C. tcp contains facebook

How would you describe an attack where an attacker attempts to deliver the payload over multiple packets over long periods of time with the purpose of defeating simple pattern matching in IDS systems without session reconstruction? A characteristic of this attack would be a continuous stream of small packets. A. Session Hijacking B. Session Stealing C. Session Splicing D. Session Fragmentation

C. Session Splicing

Jake works as a system administrator at Acme Corp. Jason, an accountant of the firm befriends him at the canteen and tags along with him on the pretext of appraising him about potential tax benefits. Jason waits for Jake to swipe his access card and follows him through the open door into the secure systems area. How would you describe Jason's behavior within a security context? A. Smooth Talking B. Swipe Gating C. Tailgating D. Trailing

C. Tailgating

While performing a ping sweep of a local subnet you receive an ICMP reply of Code 3/Type 13 for all the pings you have sent out. What is the most likely cause of this? A. The firewall is dropping the packets B. An in-line IDS is dropping the packets C. A router is blocking ICMP D. The host does not respond to ICMP packets

C. A router is blocking ICMP

An attacker has successfully compromised a remote computer. Which of the following comes as one of the last steps that should be taken to ensure that the compromise cannot be traced back to the source of the problem? A. Install patches B. Setup a backdoor C. Install a zombie for DDOS D. Cover your tracks

D. Cover your tracks

Ursula is a college student at a University in Amsterdam. Ursula originally went to college to study engineering but later changed to marine biology after spending a month at sea with her friends. These friends frequently go out to sea to follow and harass fishing fleets that illegally fish in foreign waters. Ursula eventually wants to put companies practicing illegal fishing out of business. Ursula decides to hack into the parent company's computers and destroy critical data knowing fully well that, if caught, she probably would be sent to jail for a very long time. What would Ursula be considered? A. Ursula would be considered a gray hat since she is performing an act against illegal activities. B. She would be considered a suicide hacker. C. She would be called a cracker. D. Ursula would be considered a black hat.

B. She would be considered a suicide hacker.

What sequence of packets is sent during the initial TCP three-way handshake? A. SYN,SYN-ACK,ACK B. SYN,URG,ACK C. SYN,ACK,SYN-ACK D. FIN,FIN-ACK,ACK

A. SYN,SYN-ACK,ACK

You are footprinting an organization and gathering competitive intelligence. You visit the company's website for contact information and telephone numbers but do not find them listed there. You know they had the entire staff directory listed on their website 12 months ago but now it is not there. Is there any way you can retrieve information from a website that is outdated? A. Visit Google's search engine and view the cached copy B. Crawl the entire website and store them into your computer C. Visit Archive.org web site to retrieve the Internet archive of the company's website D. Visit the company's partners and customers website for this information

C. Visit Archive.org web site to retrieve the Internet archive of the company's website

Which of the following steganography utilities exploits the nature of white space and allows the user to conceal information in these white spaces? A. Image Hide B. Snow C. Gif-It-Up D. NiceText

B. Snow

WPA2 uses AES for wireless data encryption at which of the following encryption levels? A. 64 bit and CCMP B. 128 bit and CRC C. 128 bit and CCMP D. 128 bit and TKIP

C. 128 bit and CCMP

Which Windows system tool checks integrity of critical files that has been digitally signed by Microsoft? A. signverif.exe B. sigverif.exe C. msverif.exe D. verifier.exe

B. sigverif.exe

Nation-state threat actors often discover vulnerabilities and hold on to them until they want to launch a sophisticated attack. The Suxtnet attack was an unprecedented style of attack because it used four types of vulnerability. What is this style of attack called? a) zero-hour b) zero-sum c) zero-day d) no-day

c) zero-day

This kind of malware is installed by criminals on your computer so they can lock it from a remote location. This malware generates a popup window, webpage, or email warning from what looks like an official authority such as the FBI. It explains your computer has been locked because of possible illegal activities and demands payment before you can access your files and programs again. Which term best matches this definition?

Ransomware

An attacker gains access to a Web server's database and displays the contents of the table that holds all of the names, passwords, and other user information. The attacker did this by entering information into the Web site's user login page that the software's designers did not expect to be entered. This is an example of what kind of software design problem/issue?

Insufficient input validation

Which of the layered approaches to security hides data in ICMP traffic?

Covert channels

You are doing a pentest against an organization that has just recovered from a major cyber attack. The CISO and CIO want to completely and totally eliminate risk. What is one of the first things you should explain to these individuals?

Explain that you cannot eliminate all risk but you will be able to reduce risk to acceptable levels.

During a routine assessment you discover information that suggests the customer is involved in human trafficking.

Immediately stop work and contact the proper legal authorities

What term describes the amount of risk that remains after the vulnerabilities are classified and the countermeasures have been deployed?

Residual Risk

What is the best way to defend against network sniffing?

Using encryption protocols on network communications

The TJ Maxx breach happened in part because this type of weak wireless security was implemented.

Wired Equivalent Privacy (WEP)

Which of the following techniques will identify if computer files have been changed?

Integrity checking hashes

As a Certified Ethical Hacker, you were contracted by a private firm to conduct an external security assessment through penetration testing. What document describes the specifics of the testing, the associated violations, and essentially protects both the organization's interest and your liabilities as a tester?

Rules of Engagement

It is an entity or event **with the potential** to adversely impact a system through unauthorized access, destruction, disclosure, denial of service or modification of data. Which of the following terms best matches the definition? A. Threat B. Attack C. Vulnerability D. Risk

A. Threat

Initiating an attack against targeted businesses & organizations, threat actors compromise a carefully selected website by inserting an exploit resulting in malware infection. The attackers run exploits on well-known and trusted sites likely to be visited by their targeted victims. Aside from carefully choosing sites to compromise, these attacks are known to incorporate zero-day exploits that target unpatched vulnerabilities. Thus, the targeted entities are left with little or no defense against these exploits. What type of attack is outlined in the scenario? A. Watering Hole Attack B. Heartbleed Attack C. Shellshock Attack D. Spear Phising Attack

A. Watering Hole Attack

You have successfully gained access to your client's internal network and succesfully comprised a linux server which is part of the internal IP network. You want to know which Microsoft Windows workstations have file sharing enabled. Which port would you see listening on these Windows machines in the network? A. 445 B. 3389 C. 161 D. 1433

A. 445

It is a short-range wireless communication technology intended to replace the cables connecting portable of fixed devices while maintaining high levels of security. It allows mobile phones, computers and other devices to connect and communicate using a short-range wireless connection. Which of the following terms best matches the definition? A. Bluetooth B. Radio-Frequency Identification C. WLAN D. InfraRed

A. Bluetooth

A hacker has successfully infected an internet-facing server which he will then use to send junk mail, take part in coordinated attacks, or host junk email content. Which sort of trojan infects this server? A. Botnet Trojan B. Turtle Trojans C. Banking Trojans D. Ransomware Trojans

A. Botnet Trojan

It is a kind of malware (malicious SW) that criminals install on your PC so they can lock it from a remote location. This malware generates a pop-up window, webpage, or email warning from what looks like an official authority. It explains that your computer has been locked because of possible illegal activities on it and demands payment before you can access your files and programs again. Which of the following terms best matches the definition? A. Ransomware B. Adware C. Spyware D. Riskware

A. Ransomware

You have successfully comprised a server having an IP address of 10.10.0.5. You would like to enumerate all machines in the same network quickly. What is the best nmap command you will use? A. nmap -T4 -F 10.10.0.0/24 B. nmap -T4 -r 10.10.1.0/24 C. nmap -T4 -O 10.10.0.0/24 D. nmap -T4 -q 10.10.0.0/24

A. nmap -T4 -F 10.10.0.0/24

An incident investigator asks to receive a copy of the event logs from all firewalls, proxy servers, and Intrusion Detection Systems (IDS) on the network of an organization that has experienced a possible breach of security. When the investigator attempts to correlate the information in all of the logs, the sequence of many of the logged events do not match up. What is the most likely cause?

The attacker altered or erased events from the logs.

While performing online banking using a Web browser, a user receives an email that contains a link to an interesting Web site. When the user clicks on the link, another Web browser session starts and displays a video of cats playing a piano. The next business day, the user receives what looks like an email from his bank, indicating that his bank account has been accessed from a foreign country. The email asks the user to call his bank and verify the authorization of a funds transfer that took place. What Web browser-based security vulnerability was exploited to compromise the user?

Criss-Site Request Forgery (CSRF)

This phase will increase the odds of success in later phases of the penetration test. It is also the very first step in Information Gathering, and it will tell you what the "landscape" looks like. What is the most important phase of ethical hacking in which you need to spend a considerable amount of time?

Footprinting

You are tasked to perform a pen test. While you are performing info gathering, you find an employee list in Google. You find the receptionist's email, & you send her an email changing the source email to her boss's email (boss@company ). In this email, you ask for a pdf with info. She reads your email & sends back a pdf with links. You exchange the pdf links with your malicious links (these links contain malware) & send back the modified pdf, saying that the links don't work. She reads your email, opens the links, & her machine gets infected. You now have access to the company NW. What testing method did you use?

Social Engineering

This international organization regulates billions of transactions daily and provides security guidelines to protect personally identifiable information (PII). These security controls provide a baseline and prevent low-level hackers sometimes known as script kiddies from causing a data breach. Which of the following organizations is being described?

PCI

What is the process of logging, recording, and resolving events that take place in an organization?

Incident Management Process

Perspective clients want to see sample reports from previous penetration tests. What should you do next?

Decline, just provide the details of the components that will be there in the report.

Your team has won a contract to infiltrate an organization. The company wants to have the attack be as realistic as possible; therefore, they did not provide any information besides the company name. What should be the first step in security testing the client?

Reconnaissance

You have successfully gained access to a linux server and would like to ensure that the succeeding outgoing traffic from this server will not be caught by a Network Based Intrusion Detection Systems (NIDS). What is the best way to evade the NIDS?

Encryption

It is a regulation that has a set of guidelines, which should be adhered to by anyone who handles any electronic medical data. These guidelines stipulate that all medical practices must ensure that all necessary measures are in place while saving, accessing, and sharing any electronic medical data to keep patient data secure. Which of the following regulations best matches the description?

HIPAA

Which mode of IPSec should you use to assure security and confidentiality of data within the same LAN?

ESP transport mode

You are the Systems Administrator for a large corporate organization. You need to monitor all network traffic on your local network for suspicious activities and receive notifications when an attack is occurring. Which tool would allow you to accomplish this goal?

NIDS

Which of the following tools can be used for passive OS fingerprinting?

Tracert

Insufficient database hardening

Which tool allows analysts and pen testers to examine links between data using graphs and link analysis?

Maltego

You are performing a penetration test. You achieved access via a buffer overflow exploit and you proceed to find interesting data, such as files with usernames and passwords. You find a hidden folder that has the administrator's bank account password and login information for the administrator's bitcoin account.

Report immediately to the administrator

Ricardo wants to send secret messages to a competitor company. To secure these messages, he uses a technique of hiding a secret message within an ordinary message. The technique provides 'security through obscurity'. What technique is Ricardo using?

Steganography

The "black box testing" methodology enforces which kind of restriction?

Only the external operation of a system is accessible to the tester.

To determine if a software program properly handles a wide range of invalid input, a form of automated testing can be used to randomly generate invalid input in an attempt to crash the program. What term is commonly used when referring to this type of testing?

Fuzzing

Jimmy is standing outside a secure entrance to a facility. He is pretending to having a tense conversation on his cell phone as an authorized employee badges in. Jimmy, while still on the phone, grabs the door as it begins to close. What just happened?

Tailgating

You have successfully compromised a machine on the network and found a server that is alive on the same network. You tried to ping it but you didn't get any response back. What is happening?

ICMP could be disabled on the target server.

When you return to your desk after a lunch break, you notice a strange email in your inbox. The sender is someone you did business with recently, but the subject line has strange characters in it. What should you do?

Forward the message to your company's security response team and permanently delete the message from your computer.

You are performing information gathering for an important penetration test. You have found pdf, doc, and images in your objective. You decide to extract **metadata** from these files and analyze it. What tool will help you with the task?

Metagoofil (Metagoofil is an information gathering tool designed for extracting metadata of public documents (pdf, doc, xls, ppt, docx, pptx, xlsx) belonging to a target company.)

A company's Web development team has become aware of a certain type of security vulnerability in their Web software. To mitigate the possibility of this vulnerability being exploited, the team wants to modify the software requirements to disallow users from entering HTML as input into their Web application. What kind of Web application vulnerability likely exists in their software?

Cross-site scripting vulnerability

An attacker has installed a RAT on a host. The attacker wants to ensure that when a user attempts to go to "www.MyPersonalBank.com", that the user is directed to a phishing site. Which file does the attacker need to modify?

HOSTS

Which method of password cracking takes the most time and effort?

Brute Force

A. Configure Port Security on the switch

Jimmy, an attacker, knows that he can take advantage of poorly designed input validation routines to create or alter SQL commands to gain access to private data or execute commands in the database. What technique does Jimmy use to compromise a database? A. Jimmy can submit user input that executes an OS command to compromise a target system B. Jimmy can gain control of system to flood the target system with requests, preventing legitimate users from gaining access C. Jimmy can utilize an incorrect configuration that leads to access with higher-than expected privilege of the DB D. Jimmy can utilize this particular database threat that is an SQL injection technique to penetrate a target system

D. Jimmy can utilize this particular database threat that is an SQL injection technique to penetrate a target system

This IDS defeating technique works by splitting a datagram (or packet) into multiple fragments and the IDS will not spot the true nature of the fully assembled datagram. The datagram is not reassembled until it reaches its final destination. It would be a processor-intensive task for IDS to reassemble all fragments itself, and on a busy system the packet will slip through the IDS onto the network. What is this technique called? A. IP Routing or Packet Dropping B. IDS Spoofing or Session Assembly C. IP Fragmentation or Session Splicing D. IP Splicing or Packet Reassembly

C. IP Fragmentation or Session Splicing

C. Conduct thorough background checks before you engage them

B. IP Fragment Scanning

A. Dumpster Diving

Jack Hacker wants to break into Brown Co.'s computers to obtain their secret double fudge cookie recipe. Jack calls Jane, an accountant at Brown Co., pretending to be an admin from Brown Co. Jack tells Jane that there has been a problem with some accounts and asks her to verify her password with him ''just to double check our records.'' Jane does not suspect anything amiss, and parts with her password. Jack can now access Brown Co.'s computers with a valid user name and password, to steal the cookie recipe. What kind of attack is being illustrated here? A. Reverse Psychology B. Reverse Engineering C. Social Engineering D. Spoofing Identity E. Faking Identity

C. Social Engineering

How do you defend against ARP Spoofing? Select three. A. Use ARPWALL system and block ARP spoofing attacks B. Tune IDS Sensors to look for large amount of ARP traffic on local subnets C. Use private VLANS D. Place static ARP entries on servers,workstation and routers

A. Use ARPWALL system and block ARP spoofing attacks C. Use private VLANS D. Place static ARP entries on servers,workstation and routers

B. "half open"

SYN Flood is a DOS attack in which an attacker deliberately violates the three-way handshake and opens a large number of half-open TCP connections. The signature of attack for SYN Flood contains: A. The source & destination address having the same value B. A large number of SYN packets appearing on a network without the corresponding reply packets C. The source and destination port numbers having the same value D. A large number of SYN packets appearing on a network with the corresponding reply packets

B. A large number of SYN packets appearing on a network without the corresponding reply packets

D. Vulnerability Scanning

A. There are often better at detecting well-known vulnerabilities than more esoteric ones C. It is impossible for any one scanning product to incorporate all known vulnerabilities in a timely manner

Dan is conducting penetration testing and has found a vulnerability in a Web Application which gave him the sessionID token via a cross site scripting vulnerability. Dan wants to replay this token. However, the session ID manager (on the server) checks the originating IP address as well. Dan decides to spoof his IP address in order to replay the sessionID. Why do you think Dan might not be able to get an interactive session? A. Dan cannot spoof his IP address over TCP network B. The scenario is incorrect as Dan can spoof his IP and get responses C. The server will send replies back to the spoofed IP address D. Dan can establish an interactive session only if he uses a NAT

C. The server will send replies back to the spoofed IP address