Sample Questions 3 Flashcards by Nicholas Phelps

Which tool allows analysts and pen testers to examine links between data using graphs and link analysis?

a. Metasploit
b. Cain & Abel
c. Maltego
d. Wireshark

c. Maltego

How well did you know this?

Not at all

Perfectly

What is not a PCI compliance recommendation?

a. Use a firewall between the public network and the payment card data.
b. Use encryption to protect all transmission of card holder data over any public network.
c. Rotate employees handling credit card transactions on a yearly basis to different departments.
d. Limit acces to card holder data to as few individuals as possible.

c. Rotate employees handling credit card transactions on a yearly basis to different departments.

How well did you know this?

Not at all

Perfectly

The “white box testing” methodology enforces what kind of restriction?

a. Only the internal operation of a system is known to the tester.
b. The internal operation of a system is completely known to the tester.
c. The internal operation of a system is only partly accessible to the tester.
d. Only the external opertion of a system is accessible to the tester.

b. The internal operation of a system is completely known to the tester.

How well did you know this?

Not at all

Perfectly

This tool is an 802.11 WEP and WPA-PSK keys cracking program that can recover keys once enough data packets have been captured. It implements the standard FMS attack along with some optimizations like KoreK attacks, as well as the PTW attack , thus making the attack must faster compared to other WEP cracking tools. Which of the following tools is being described?

a. wificracker
b. Airguard
c. WLAN-crack
d. Aircrack-ng

d. Aircrack-ng

How well did you know this?

Not at all

Perfectly

Code injection is a form of attack in which a malicious user:

a. Inserts text into a data field that gets interpreted as code.
b. Gets the server to execute arbitrary code using a buffer overflow.
c. Inserts additional code into the JavaScript running in the browser.
d. Gains access to the codebase on the server and inserts new code.

a. Inserts text into a data field that gets interpreted as code.

How well did you know this?

Not at all

Perfectly

Which of the follwing will perform an Xmas scan using NMAP?

a. nmap -sA 192.168.1.254
b. nmap -sP 192.168.1.254
c. nmap -sX 192.168.1.254
d. nmap -sV 192.168.1.254

c. nmap -sX 192.168.1.254

How well did you know this?

Not at all

Perfectly

This asymmetric cipher is based on factoring the product of two large prime numbers. What cipher is described above?

a. SHA
b. RSA
c. MD5

D. RC5

b. RSA

How well did you know this?

Not at all

Perfectly

Firewalls are the software or hardware systems that are able to control and monitor the traffic coming in and out the target network based on pre-defined set of rules. Which of the following types of firewalls can protect against SQL injeciton attacks?

a. Data-Driven Firewall
b. Stateful Firewall
c. Packet Firewall
d. Web Application Firewall

d. Web Application Firewall

How well did you know this?

Not at all

Perfectly

During a recent security assessment, you discover the organizatino has one Domain Name Server (DNS) in a Demilitarized Zone (DMZ) and a second DNS server on the internal network. What is this type of DNS configuration commonly called?

a. DnyDNS
b. DNS Scheme
c. DNSSEC
d. Split DNS

d. Split DNS

How well did you know this?

Not at all

Perfectly

Which of the following attacks exploits web age vulnerabilities that allow an attacker to force an unsuspecting user’s browser to send malicious requests they did not intent?

a. Command Injection Attacks
b. File Injection Attack
c. Cross-Site Request Forgery (CSRF)
d. Hidden Field Manipulation Attack

c. Cross-Site Request Forgery (CSRF)

How well did you know this?

Not at all

Perfectly

Why two conditions must a digital signature meet?

a. Has to be legible and neat.
b. Has to be unforgeable, and has to be authentic
c. Must be unique and have special characters.
d. Has to be the same number of characters as a physical signature and must be unique.

b. Has to be unforgeable, and has to be authentic

How well did you know this?

Not at all

Perfectly

Which of the following Bluetooth hacking techniques does an attacker use to send messages to users without the recipient’s consent, similar to email spamming?

A. Bluesmacking

B. Bluesniffing

C. Bluesnarfing

D. Bluejacking

How well did you know this?

Not at all

Perfectly

You are a Penetration Tester and are assigned to scan a server. You need to use a scanning technique wherein the TCP Header is split into many packets so that it becomes difficult to detect what the packets are meant for.

Which of the below scanning technique will you use?

A. ACK flag scanning

B. TCP Scanning

C. IP Fragment Scanning

D. Inverse TCP flag scanning

C. IP Fragment Scanning

How well did you know this?

Not at all

Perfectly

An IT employee got a call from one of our best customers. The caller wanted to know about the company’s network infrastructure, systems, and team. New opportunities of integration are in sight for both company and customer. What should this employee do?

A. The employees cannot provide any information; but, anyway, he/she will provide the name of the

person in charge.

B. Since the company’s policy is all about Customer Service, he/she will provide information.

C. Disregarding the call, the employee should hang up.

D. The employee should not provide any information without previous management authorization.

How well did you know this?

Not at all

Perfectly

You are monitoring the network of your organizations. You notice that:

There are huge outbound connections from your Internal Network to External IPs. On further investigation, you see that the external IPs are blacklisted. Some connections are accepted, and some are dropped You find that it is a CnC communication

Which of the following solution will you suggest?

A. Block the Blacklist IP’s @ Firewall

B. Update the Latest Signatures on your IDS/IPS

C. Clean the Malware which are trying to Communicate with the External Blacklist IP’s

D. Both B and C

How well did you know this?

Not at all

Perfectly

Why should the security analyst disable/remove unnecessary ISAPI filters?

A. To defend against social engineering attacks

B. To defend against webserver attacks

C. To defend against jailbreaking

D. To defend against wireless attacks

B. To defend against webserver attacks

How well did you know this?

Not at all

Perfectly

To determine if a software program properly handles a wide range of invalid input, a form of automated testing can be used to randomly generate invalid input in an attempt to crash the program.

What term is commonly used when referring to this type of testing?

A. Randomizing

B. Bounding

C. Mutating

D. Fuzzing

How well did you know this?

Not at all

Perfectly

In Risk Management, how is the term “likelihood” related to the concept of “threat?”

A. Likelihood is the likely source of a threat that could exploit a vulnerability.

B. Likelihood is the probability that a threat-source will exploit a vulnerability.

C. Likelihood is a possible threat-source that may exploit a vulnerability.

D. Likelihood is the probability that a vulnerability is a threat-source.

B. Likelihood is the probability that a threat-source will exploit a vulnerability.

How well did you know this?

Not at all

Perfectly

Assume a business-crucial web-site of some company that is used to sell handsets to the customers worldwide. All the developed components are reviewed by the security team on a monthly basis. In order to drive business further, the web-site developers decided to add some 3rd party marketing tools on it. The tools are written in JavaScript and can track the customer’s activity on the site. These tools are located on the servers of the marketing company.

What is the main security risk associated with this scenario?

A. External script contents could be maliciously modified without the security team knowledge

B. External scripts have direct access to the company servers and can steal the data from there

C. There is no risk at all as the marketing services are trustworthy

D. External scripts increase the outbound company data traffic which leads greater financial losses

A. External script contents could be maliciously modified without the security team knowledge

How well did you know this?

Not at all

Perfectly

What type of analysis is performed when an attacker has partial knowledge of inner-workings of

the application?

A. Black-box

B. Announced

C. White-box

D. Grey-box

How well did you know this?

Not at all

Perfectly

Which of the following is a low-tech way of gaining unauthorized access to systems?

A. Scanning

B. Sniffing

C. Social Engineering

D. Enumeration

C. Social Engineering

How well did you know this?

Not at all

Perfectly

Which regulation defines security and privacy controls for Federal information systems and organizations?

A. HIPAA

B. EU Safe Harbor

C. PCI-DSS

D. NIST-800-53

How well did you know this?

Not at all

Perfectly

Your company performs penetration tests and security assessments for small and medium-sized business in the local area. During a routine security assessment, you discover information that suggests your client is involved with human trafficking.

What should you do?

A. Confront the client in a respectful manner and ask her about the data.

B. Copy the data to removable media and keep it in case you need it.

C. Ignore the data and continue the assessment until completed as agreed.

D. Immediately stop work and contact the proper legal authorities.

How well did you know this?

Not at all

Perfectly

Identify the UDP port that Network Time Protocol (NTP) uses as its primary means of communication?

A. 123

B. 161

C. 69

D. 113

A. 123

How well did you know this?

Not at all

Perfectly

It has been reported to you that someone has caused an information spillage on their computer. You go to the computer, disconnect it from the network, remove the keyboard and mouse, and power it down. What step in incident handling did you just complete? A. Discovery B. Recovery C. Containment D. Eradication

C. Containment

If an attacker uses the command SELECT\*FROM user WHERE name = `x' AND userid IS NULL; --`; which type of SQL injection attack is the attacker performing? A. End of Line Comment B. UNION SQL Injection C. Illegal/Logically Incorrect Query D. Tautology

D. Tautology

What would you enter, if you wanted to perform a stealth scan using Nmap? A. nmap -sU B. nmap -sS C. nmap -sM D. nmap -sT

B. nmap -sS

You are doing an internal security audit and intend to find out what ports are open on all the servers. What is the best way to find out? A. Scan servers with Nmap B. Scan servers with MBSA C. Telnet to every port on each server D. Physically go to each server

A. Scan servers with Nmap

Sam is working as s pen-tester in an organization in Houston. He performs penetration testing on IDS in order to find the different ways an attacker uses to evade the IDS. Sam sends a large amount of packets to the target IDS that generates alerts, which enable Sam to hide the real traffic. What type of method is Sam using to evade IDS? A. Denial-of-Service B. False Positive Generation C. Insertion Attack D. Obfuscating

B. False Positive Generation

What network security concept requires multiple layers of security controls to be placed throughout an IT infrastructure, which improves the security posture of an organization to defend against malicious attacks or potential vulnerabilities. What kind of Web application vulnerability likely exists in their software? A. Host-Based Intrusion Detection System B. Security through obscurity C. Defense in depth D. Network-Based Intrusion Detection System

C. Defense in depth

How does the Address Resolution Protocol (ARP) work? A. It sends a request packet to all the network elements, asking for the domain name from a specific IP. B. It sends a request packet to all the network elements, asking for the MAC address from a specific IP. C. It sends a reply packet to all the network elements, asking for the MAC address from a specific IP. D. It sends a reply packet for a specific IP, asking for the MAC address.

B. It sends a request packet to all the network elements, asking for the MAC address from a specific IP.

Which mode of IPSec should you use to assure security and confidentiality of data within the same LAN? A. AH permiscuous B. ESP confidential C. AH Tunnel mode D. ESP transport mode

D. ESP transport mode

In Wireshark, the packet bytes panes show the data of the current packet in which format? A. Decimal B. ASCII only C. Binary D. Hexadecimal

D. Hexadecimal

You have successfully comprised a server having an IP address of 10.10.0.5. You would like to enumerate all machines in the same network quickly. What is the best nmap command you will use? A. nmap -T4 -q 10.10.0.0/24 B. nmap -T4 -F 10.10.0.0/24 C. nmap -T4 -r 10.10.1.0/24 D. nmap -T4 -O 10.10.0.0/24

B. nmap -T4 -F 10.10.0.0/24

DNS cache snooping is a process of determining if the specified resource address is present in the DNS cache records. It may be useful during the examination of the network to determine what software update resources are used, thus discovering what software is installed. What command is used to determine if the entry is present in DNS cache? A. nslookup -fullrecursive update.antivirus.com B. dnsnooping -rt update.antivirus.com C. nslookup -norecursive update.antivirus.com D. dns --snoop update.antivirus.com

C. nslookup -norecursive update.antivirus.com

Which of the following is an adaptive SQL Injection testing technique used to discover coding errors by inputting massive amounts of random data and observing the changes in the output? A. Function Testing B. Dynamic Testing C. Static Testing D. Fuzzing Testing

D. Fuzzing Testing

You need to deploy a new web-based software package for your organization. The package requires three separate servers and needs to be available on the Internet. What is the recommended architecture in terms of server placement? A. All three servers need to be placed internally B. A web server facing the Internet, an application server on the internal network, a database server on the internal network C. A web server and the database server facing the Internet, an application server on the internal network D. All three servers need to face the Internet so that they can communicate between themselves

B. A web server facing the Internet, an application server on the internal network, a database server on the internal network

A company's Web development team has become aware of a certain type of security vulnerability in their Web software. To mitigate the possibility of this vulnerability being exploited, the team wants to modify the software requirements to disallow users from entering HTML as input into their Web application. What kind of Web application vulnerability likely exists in their software? A. Cross-site scripting vulnerability B. Web site defacement vulnerability C. SQL injection vulnerability D. Cross-site Request Forgery vulnerability

A. Cross-site scripting vulnerability

What is the way to decide how a packet will move from an untrusted outside host to a protected inside that is behind a firewall, which permits the hacker to determine which ports are open and if the packets can pass through the packet-filtering of the firewall. A. Session hijacking B. Firewalking C. Man-in-the middle attack D. Network sniffing

B. Firewalking

Bob received this text message on his mobile phone: "Hello, this is Scott Smelby from the Yahoo Bank. Kindly contact me for a vital transaction on: scottsmelby@yahoo.com". Which statement below is true? A. This is scam as everybody can get a @yahoo address, not the Yahoo customer service employees. B. This is scam because Bob does not know Scott. C. Bob should write to scottmelby@yahoo.com to verify the identity of Scott. D. This is probably a legitimate message as it comes from a respectable organization.

A. This is scam as everybody can get a @yahoo address, not the Yahoo customer service

Which of the following viruses tries to hide from anti-virus programs by actively altering and corrupting the chosen service call interruptions when they are being run? A. Stealth virus B. Tunneling virus C. Cavity virus D. Polymorphic virus

A. Stealth virus

A network administrator discovers several unknown files in the root directory of his Linux FTP server. One of the files is a tarball, two are shell script files, and the third is a binary file is named "nc." The FTP server's access logs show that the anonymous user account logged in to the server, uploaded the files, and extracted the contents of the tarball and ran the script using a function provided by the FTP server's software. The ps command shows that the nc file is running as process, and the netstat command shows the nc process is listening on a network port. What kind of vulnerability must be present to make this remote attack possible? A. File system permissions B. Privilege escalation C. Directory traversal D. Brute force login

A. File system permissions

By using a smart card and pin, you are using a two-factor authentication that satisfies A. Something you know and something you are B. Something you have and something you know C. Something you have and something you are D. Something you are and something you remember

B. Something you have and something you know

What is the difference between the AES and RSA algorithms? A. Both are symmetric algorithms, but AES uses 256-bit keys B. AES is asymmetric, which is used to create a public/private key pair; RSA is symmetric, which is used to encrypt data C. Both are asymmetric algorithms, but RSA uses 1024-bit keys D. RSA is asymmetric, which is used to create a public/private key pair; AES is symmetric, which is used to encrypt data

D. RSA is asymmetric, which is used to create a public/private key pair; AES is symmetric, which is used to encrypt data

In 2007, this wireless security algorithm was rendered useless by capturing packets and discovering the passkey in a matter of seconds. This security flaw led to a network invasion of TJ Maxx and data theft through a technique known as wardriving. Which Algorithm is this referring to? A. Wired Equivalent Privacy (WEP) B. Wi-Fi Protected Access (WPA) C. Wi-Fi Protected Access 2 (WPA2) D. Temporal Key Integrity Protocol (TKIP)

A. Wired Equivalent Privacy (WEP)

You are an Ethical Hacker who is auditing the ABC company. When you verify the NOC one of the machines has 2 connections, one wired and the other wireless. When you verify the configuration of this Windows system you find two static routes. route add 10.0.0.0 mask 255.0.0.0 10.0.0.1 route add 0.0.0.0 mask 255.0.0.0 199.168.0.1 What is the main purpose of those static routes? A. Both static routes indicate that the traffic is external with different gateway. B. The first static route indicates that the internal traffic will use an external gateway and the second static route indicates that the traffic will be rerouted. C. Both static routes indicate that the traffic is internal with different gateway. D. The first static route indicates that the internal addresses are using the internal gateway and the second static route indicates that all the traffic that is not internal must go to an external gateway.

D. The first static route indicates that the internal addresses are using the internal gateway and the second static route indicates that all the traffic that is not internal must go to an external gateway.

An incident investigator asks to receive a copy of the event logs from all firewalls, proxy servers, and Intrusion Detection Systems (IDS) on the network of an organization that has experienced a possible breach of security. When the investigator attempts to correlate the information in all of the logs, the sequence of many of the logged events do not match up. What is the most likely cause? A. The network devices are not all synchronized. B. Proper chain of custody was not observed while collecting the logs. C. The attacker altered or erased events from the logs. D. The security breach was a false positive.

A. The network devices are not all synchronized.

An enterprise recently moved to a new office and the new neighborhood is a little risky. The CEO wants to monitor the physical perimeter and the entrance doors 24 hours. What is the best option to do this job? A. Use fences in the entrance doors. B. Install a CCTV with cameras pointing to the entrance doors and the street. C. Use an IDS in the entrance doors and install some of them near the corners. D. Use lights in all the entrance doors and along the company's perimeter.

B. Install a CCTV with cameras pointing to the entrance doors and the street.

Bob learned that his username and password for a popular game has been compromised. He contacts the company and resets all the information. The company suggests he use two-factor authentication; which option below offers that? A. A fingerprint scanner and his username and password B. His username and a stronger password C. A new username and password D. Disable his username and use just a fingerprint scanner

A. A fingerprint scanner and his username and password

As an Ethical Hacker you are capturing traffic from your customer network with Wireshark and you need to find and verify just SMTP traffic. What command in Wireshark will help you to find this kind of traffic? A. request smtp 25 B. tcp.port eq 25 C. smtp port D. tcp.contains port 25

B. tcp.port eq 25

Scenario: 1. Victim opens the attacker's web site. 2. Attacker sets up a web site which contains interesting and attractive content like 'Do you want to make $1000 in a day?'. 3. Victim clicks to the interesting and attractive content url. 4. Attacker creates a transparent 'iframe' in front of the url which victim attempt to click, so victim thinks that he/she clicks to the 'Do you want to make $1000 in a day?' url but actually he/she clicks to the content or url that exists in the transparent 'iframe' which is setup by the attacker. What is the name of the attack which is mentioned in the scenario? A. Session Fixation B. HTML Injection C. HTTP Parameter Pollution D. Clickjacking Attack

D. Clickjacking Attack

Which of the following incident handling process phases is responsible for defining rules, collaborating human workforce, creating a back-up plan, and testing the plans for an organization? A. Preparation phase B. Containment phase C. Identification phase D. Recovery phase

A. Preparation phase

Which of the following is considered an exploit framework and has the ability to perform automated attacks on services, ports, applications an unpatched security flaws in a computer system? A. Nessus B. Metasploit C. Maltego D. Wireshark

B. Metasploit

Jimmy is standing outside a secure entrance to a facility. He is pretending to have a tense conversation on his cell phone as an authorized employee badges in. Jimmy, while still on the phone, grabs the door as it begins to close. What just happened? A. Masquerading B. Tailgating C. Phishing D. Whaling

B. Tailgating

In both pharming and phishing attacks an attacker can create websites that look similar to legitimate sites with the intent of collecting personal identifiable information from its victims. What is the difference between pharming and phishing attacks? A. Both pharming and phishing attacks are identical. B. In a pharming attack a victim is redirected to a fake website by modifying their host configuration file or by exploiting vulnerabilities in DNS. In a phishing attack an attacker provides the victim with a URL that is either misspelled or looks similar to the actual websites domain name. C. In a phishing attack a victim is redirected to a fake website by modifying their host configuration file or by exploiting vulnerabilities in DNS. In a phishing attack an attacker provides the victim with a URL that is either misspelled or looks similar to the actual websites domain name. D. Both pharming and phishing attacks are purely technical and are not considered forms of social engineering

B. In a pharming attack a victim is redirected to a fake website by modifying their host configuration file or by exploiting vulnerabilities in DNS. In a phishing attack an attacker provides the victim with a URL that is either misspelled or looks similar to the actual websites domain name.

In order to have an anonymous Internet surf, which of the following is best choice? A. Use SSL sites when entering personal information B. Use Tor network with multi-node C. Use shared WiFi D. Use public VPN

B. Use Tor network with multi-node

Port scanning can be used as part of a technical assessment to determine network vulnerabilities. The TCP XMAS scan is used to identify listening ports on the targeted system. If a scanned port is open, what happens? A. The port will ignore the packets. B. The port will send an RST. C. The port will send an ACK. D. The port will send a SYN.

A. The port will ignore the packets.

Seth is starting a penetration test from inside the network. He hasn't been given any information about the network. What type of test is he conducting? A. Internal, Blackbox B. External, Blackbox C. External, Whitebox D. Internal, Whitebox

A. Internal, Blackbox

Jesse receives an email with an attachment labeled "Court\_Notice\_21206.zip". Inside the zip file named "Court\_Notice\_21206.docx.exe" disguised as a word document. Upon execution, a window appears stating, "This word document is corrupt". In the background, the file copies itself to Jesse APPDATA\local directory and begins to beacon to a C2 server to download additional malicious binaries. What type of malware has Jesse encountered? A. Worm B. Macro Virus C. Key-Logger D. Trojan

D. Trojan

A company's Web development team has become aware of a certain type of security vulnerability in their Web software. To mitigate the possibility of this vulnerability being exploited, the team wants to modify the software requirements to disallow users from entering HTML as input into their Web application. What kind of Web application vulnerability likely exists in their software? A. Cross-site scripting vulnerability B. Session management vulnerability C. SQL injection vulnerability D. Cross-site Request Forgery vulnerability

A. Cross-site scripting vulnerability

As a Certified Ethical Hacker, you were contracted by a private firm to conduct an external security assessment through penetration testing. What document describes the specifics of the testing, the associated violations, and essentially protects both the organization's interest and your liabilities as a tester? A. Service Level Agreement B. Project Scope C. Rules of Engagement D. Non-Disclosure Agreement

C. Rules of Engagement

The Heartbleed bug was discovered in 2014 and is widely referred to under MITRE's Common Vulnerabilities and Exposures (CVE) as CVE-2014-0160. This bug affects the OpenSSL implementation of the transport layer security (TLS) protocols defined in RFC6520. What type of key does this bug leave exposed to the Internet making exploitation of any compromised system very easy? A. Public B. Private C. Shared D. Root

B. Private

You just set up a security system in your network. In what kind of system would you find the following string of characters used as a rule within its configuration? alert tcp any any -\> 192.168.100.0/24 21 (msg: "FTP on the network!";) A. An Intrusion Detection System B. A firewall IPTable C. A Router IPTable D. FTP Server rule

A. An Intrusion Detection System

Which of the following is a component of a risk assessment? A. Administrative safeguards B. Physical security C. DMZ D. Logical interface

A. Administrative safeguards

A medium-sized healthcare IT business decides to implement a risk management strategy. Which of the following is NOT one of the five basic responses to risk? A. Delegate B. Avoid C. Mitigate D. Accept

A. Delegate

Your company was hired by a small healthcare provider to perform a technical assessment on the network. What is the best approach for discovering vulnerabilities on a Windows-based computer? A. Use a scan tool like Nessus B. Use the built-in Windows Update tool C. Check MITRE.org for the latest list of CVE findings D. Create a disk image of a clean Windows installation

A. Use a scan tool like Nessus

When you return to your desk after a lunch break, you notice a strange email in your inbox. The sender is someone you did business with recently, but the subject line has strange characters in it. What should you do? A. Forward the message to your company's security response team and permanently delete the message from your computer. B. Reply to the sender and ask them for more information about the message contents. C. Delete the email and pretend nothing happened D. Forward the message to your supervisor and ask for her opinion on how to handle the situation

A. Forward the message to your company's security response team and permanently delete the message from your computer.

WPA2 uses AES for wireless data encryption at which of the following encryption levels? A. 64 bit and CCMP B. 128 bit and CRC C. 128 bit and CCMP D. 128 bit and TKIP

C. 128 bit and CCMP

This international organization regulates billions of transactions daily and provides security guidelines to protect personally identifiable information (PII). These security controls provide a baseline and prevent low- level hackers sometimes known as script kiddies from causing a data breach. Which of the following organizations is being described? A. Payment Card Industry (PCI) B. Center for Disease Control (CDC) C. Institute of Electrical and Electronics Engineers (IEEE) D. International Security Industry Organization (ISIO)

A. Payment Card Industry (PCI)

While using your bank's online servicing you notice the following string in the URL bar: "http://www.MyPersonalBank.com/account? id=368940911028389&Damount=10980&Camount= 21" You observe that if you modify the Damount & Camount values and submit the request, that data on the web page reflect the changes. Which type of vulnerability is present on this site? A. Web Parameter Tampering B. Cookie Tampering C. XSS Reflection D. SQL injection

A. Web Parameter Tampering

During a blackbox pen test you attempt to pass IRC traffic over port 80/TCP from a compromised web enabled host. The traffic gets blocked; however, outbound HTTP traffic is unimpeded. What type of firewall is inspecting outbound traffic? A. Application B. Circuit C. Stateful D. Packet Filtering

C. Stateful

A common cryptographical tool is the use of XOR. XOR the following binary values: 10110001 00111010 A. 10001011 B. 11011000 C. 10011101 D. 10111100

A. 10001011

Which of the following is the successor of SSL? A. TLS B. RSA C. GRE D. IPSec

A. TLS

You are attempting to man-in-the-middle a session. Which protocol will allow you to guess a sequence number? A. TCP B. UPD C. ICMP D. UPX

A. TCP

Your team has won a contract to infiltrate an organization. The company wants to have the attack be as realistic as possible; therefore, they did not provide any information besides the company name. What should be the first step in security testing the client? A. Reconnaissance B. Enumeration C. Scanning D. Escalation

A. Reconnaissance

You are performing information gathering for an important penetration test. You have found pdf, doc, and images in your objective. You decide to extract metadata from these files and analyze it. What tool will help you with the task? A. Metagoofil B. Armitage C. Dimitry D. cdpsnarf

A. Metagoofil

When you are collecting information to perform a data analysis, Google commands are very useful to find sensitive information and files. These files may contain information about passwords, system functions, or documentation. What command will help you to search files using Google as a search engine? A. site: target.com filetype:xls username password email B. inurl: target.com filename:xls username password email C. domain: target.com archive:xls username password email D. site: target.com file:xls username password email

A. site: target.com filetype:xls username password email

What is a "Collision attack" in cryptography? A. Collision attacks try to find two inputs producing the same hash. B. Collision attacks try to break the hash into two parts, with the same bytes in each part to get the private key. C. Collision attacks try to get the public key. D. Collision attacks try to break the hash into three parts to get the plaintext value.

A. Collision attacks try to find two inputs producing the same hash.

You are tasked to perform a penetration test. While you are performing information gathering, you find an employee list in Google. You find the receptionist's email, and you send her an email changing the source email to her boss's email( boss@company ). In this email, you ask for a pdf with information. She reads your email and sends back a pdf with links. You exchange the pdf links with your malicious links (these links contain malware) and send back the modified pdf, saying that the links don't work. She reads your email, opens the links, and her machine gets infected. You now have access to the company network. What testing method did you use? A. Social engineering B. Tailgating C. Piggybacking D. Eavesdropping

A. Social engineering

What is the process of logging, recording, and resolving events that take place in an organization? A. Incident Management Process B. Security Policy C. Internal Procedure D. Metrics

A. Incident Management Process

The Open Web Application Security Project (OWASP) is the worldwide not-for-profit charitable organization focused on improving the security of software. What item is the primary concern on OWASP's Top Ten Project Most Critical Web Application Security Risks? A. Injection B. Cross Site Scripting C. Cross Site Request Forgery D. Path disclosure

A. Injection

Which of the following describes the characteristics of a Boot Sector Virus? A. Moves the MBR to another location on the hard disk and copies itself to the original location of the MBR B. Moves the MBR to another location on the RAM and copies itself to the original location of the MBR C. Modifies directory table entries so that directory entries point to the virus code instead of the actual program D. Overwrites the original MBR and only executes the new virus code

A. Moves the MBR to another location on the hard disk and copies itself to the original location of the MBR

You have several plain-text firewall logs that you must review to evaluate network traffic. You know that in order to do fast, efficient searches of the logs you must use regular expressions. Which command-line utility are you most likely to use? A. Grep B. Notepad C. MS Excel D. Relational Database

A. Grep

You've just been hired to perform a pen test on an organization that has been subjected to a large-scale attack. The CIO is concerned with mitigating threats and vulnerabilities to totally eliminate risk. What is one of the first things you should do when given the job? A. Explain to the CIO that you cannot eliminate all risk, but you will be able to reduce risk to acceptable levels. B. Interview all employees in the company to rule out possible insider threats. C. Establish attribution to suspected attackers. D. Start the wireshark application to start sniffing network traffic.

A. Explain to the CIO that you cannot eliminate all risk, but you will be able to reduce risk to acceptable levels.

A penetration tester is conducting a port scan on a specific host. The tester found several ports opened that were confusing in concluding the Operating System (OS) version installed. Considering the NMAP result below, which of the following is likely to be installed on the target machine by the OS? Starting NMAP 5.21 at 2011-03-15 11:06 NMAP scan report for 172.16.40.65 Host is up (1.00s latency). Not shown: 993 closed ports PORT STATE SERVICE 1/tcp open ftp 23/tcp open telnet 80/tcp open http 139/tcp open netbios-ssn 515/tcp open 631/tcp open ipp 9100/tcp open MAC Address: 00:00:48:0D:EE:8 A. The host is likely a printer. B. The host is likely a Windows machine. C. The host is likely a Linux machine. D. The host is likely a router.

A. The host is likely a printer.

Which of the following is the least-likely physical characteristic to be used in biometric control that supports a large company? A. Height and Weight B. Voice C. Fingerprints D. Iris patterns

A. Height and Weight

Which of the following is not a Bluetooth attack? A. Bluedriving B. Bluejacking C. Bluesmacking D. Bluesnarfing

A. Bluedriving

This phase will increase the odds of success in later phases of the penetration test. It is also the very first step in Information Gathering, and it will tell you what the "landscape" looks like. What is the most important phase of ethical hacking in which you need to spend a considerable amount of time? A. footprinting B. network mapping C. gaining access D. escalating privileges

A. footprinting

The purpose of a __________ is to deny network access to local area networks and other information assets by unauthorized wireless devices. A. Wireless Intrusion Prevention System B. Wireless Access Point C. Wireless Access Control List D. Wireless Analyzer

A. Wireless Intrusion Prevention System

The NMAP command above performs which of the following? \> NMAP -sn 192.168.11.200-215 A. A ping scan B. A trace sweep C. An operating system detect D. A port scan

A. A ping scan

Which of the following is the structure designed to verify and authenticate the identity of individuals within the enterprise taking part in a data exchange? A. PKI B. single sign on C. biometrics D. SOA

A. PKI

Which of the following is assured by the use of a hash? A. Integrity B. Confidentiality C. Authentication D. Availability

A. Integrity

The chance of a hard drive failure is once every three years. The cost to buy a new hard drive is $300. It will require 10 hours to restore the OS and software to the new hard disk. It will require a further 4 hours to restore the database from the last backup to the new hard disk. The recovery person earns $10/hour. Calculate the SLE, ARO, and ALE. Assume the EF = 1 (100%). What is the closest approximate cost of this replacement and recovery operation per year? A. $146 B. $1320 C. $440 D. $100

A. $146

While performing online banking using a Web browser, a user receives an email that contains a link to an interesting Web site. When the user clicks on the link, another Web browser session starts and displays a video of cats playing a piano. The next business day, the user receives what looks like an email from his bank, indicating that his bank account has been accessed from a foreign country. The email asks the user to call his bank and verify the authorization of a funds transfer that took place. What Web browser-based security vulnerability was exploited to compromise the user? A. Cross-Site Request Forgery B. Cross-Site Scripting C. Clickjacking D. Web form input validation

A. Cross-Site Request Forgery

A company's security policy states that all Web browsers must automatically delete their HTTP browser cookies upon terminating. What sort of security breach is this policy attempting to mitigate? A. Attempts by attackers to access Web sites that trust the Web browser user by stealing the user's authentication credentials. B. Attempts by attackers to access the user and password information stored in the company's SQL database. C. Attempts by attackers to access passwords stored on the user's computer without the user's knowledge. D. Attempts by attackers to determine the user's Web browser usage patterns, including when sites were visited and for how long.

A. Attempts by attackers to access Web sites that trust the Web browser user by stealing the user's authentication credentials.

Which of the following is one of the most effective ways to prevent Cross-site Scripting (XSS) flaws in software applications? A. Validate and escape all information sent to a server B. Use security policies and procedures to define and implement proper security settings C. Verify access right before allowing access to protected information and UI controls D. Use digital certificates to authenticate a server prior to sending data

A. Validate and escape all information sent to a server

To maintain compliance with regulatory requirements, a security audit of the systems on a network must be performed to determine their compliance with security policies. Which one of the following tools would most likely be used in such an audit? A. Vulnerability scanner B. Protocol analyzer C. Port scanner D. Intrusion Detection System

A. Vulnerability scanner

Which of these options is the most secure procedure for storing backup tapes? A. In a climate controlled facility offsite B. On a different floor in the same building C. Inside the data center for faster retrieval in a fireproof safe D. In a cool dry environment

A. In a climate controlled facility offsite

You are the Systems Administrator for a large corporate organization. You need to monitor all network traffic on your local network for suspicious activities and receive notifications when an attack is occurring. Which tool would allow you to accomplish this goal? A. Network-based IDS B. Firewall C. Proxy D. Host-based IDS

A. Network-based IDS

During a security audit of IT processes, an IS auditor found that there were no documented security procedures. What should the IS auditor do? A. Identify and evaluate existing practices B. Create a procedures document C. Conduct compliance testing D. Terminate the audit

A. Identify and evaluate existing practices

Which of the following statements regarding ethical hacking is incorrect? A. Ethical hackers should never use tools or methods that have the potential of exploiting vulnerabilities in an organization's systems. B. Testing should be remotely performed offsite. C. An organization should use ethical hackers who do not sell vendor hardware/software or other consulting services. D. Ethical hacking should not involve writing to or modifying the target systems.

A. Ethical hackers should never use tools or methods that have the potential of exploiting vulnerabilities in an organization's systems.

You're doing an internal security audit and you want to find out what ports are open on all the servers. What is the best way to find out? A. Scan servers with Nmap B. Physically go to each server C. Scan servers with MBSA D. Telent to every port on each server

A. Scan servers with Nmap

What network security concept requires multiple layers of security controls to be placed throughout an IT infrastructure, which improves the security posture of an organization to defend against malicious attacks or potential vulnerabilities? A. Security through obscurity B. Host-Based Intrusion Detection System C. Defense in depth D. Network-Based Intrusion Detection System

C. Defense in depth

It is a short-range wireless communication technology that allows mobile phones, computers and other devices to connect and communicate. This technology intends to replace cables connecting portable devices with high regards to security. A. Bluetooth B. Radio-Frequency Identification C. WLAN D. InfraRed

A. Bluetooth

The practical realities facing organizations today make risk response strategies essential. Which of the following is NOT one of the five basic responses to risk? A. Accept B. Mitigate C. Delegate D. Avoid

C. Delegate

Which of the following tools is used by pen testers and analysts specifically to analyze links between data using link analysis and graphs? A. Metasploit B. Wireshark C. Maltego D. Cain & Abel

C. Maltego

You've just discovered a server that is currently active within the same network with the machine you recently compromised. You ping it but it did not respond. What could be the case? A. TCP/IP doesn't support ICMP B. ARP is disabled on the target server C. ICMP could be disabled on the target server D. You need to run the ping command with root privileges

C. ICMP could be disabled on the target server

Suppose you've gained access to your client's hybrid network. On which port should you listen to in order to know which Microsoft Windows workstations has its file sharing enabled? A. 1433 B. 161 C. 445 D. 3389

C. 445

What is the term coined for logging, recording and resolving events in a company? A. Internal Procedure B. Security Policy C. Incident Management Process D. Metrics

C. Incident Management Process

Which of the following BEST describes how Address Resolution Protocol (ARP) works? A. It sends a reply packet for a specific IP, asking for the MAC address B. It sends a reply packet to all the network elements, asking for the MAC address from a specific IP C. It sends a request packet to all the network elements, asking for the domain name from a specific IP D. It sends a request packet to all the network elements, asking for the MAC address from a specific IP

D. It sends a request packet to all the network elements, asking for the MAC address from a specific IP

Which of the following is the BEST approach to prevent Cross-site Scripting (XSS) flaws? A. Use digital certificates to authenticate a server prior to sending data. B. Verify access right before allowing access to protected information and UI controls. C. Verify access right before allowing access to protected information and UI controls. D. Validate and escape all information sent to a server.

D. Validate and escape all information sent to a server.

Which of the following can the administrator do to verify that a tape backup can be recovered in its entirety? A. Restore a random file. B. Perform a full restore. C. Read the first 512 bytes of the tape. D. Read the last 512 bytes of the tape.

B. Perform a full restore.

Which of the following is a component of a risk assessment? A. Physical security B. Administrative safeguards C. DMZ D. Logical interface

B. Administrative safeguards

Risks = Threats x Vulnerabilities is referred to as the: A. Risk equation B. Threat assessment C. BIA equation D. Disaster recovery formula

A. Risk equation

It is an entity or event with the potential to adversely impact a system through unauthorized access, destruction, disclosure, denial of service or modification of data. Which of the following terms best matches the definition? A. Threat B. Attack C. Vulnerability D. Risk

A. Threat

Which NMAP command combination would let a tester scan every TCP port from a class C network that is blocking ICMP with fingerprinting and service detection? A. NMAP -PN -A -O -sS 192.168.2.0/24 B. NMAP -P0 -A -O -p1-65535 192.168.0/24 C. NMAP -P0 -A -sT -p0-65535 192.168.0/16 D. NMAP -PN -O -sS -p 1-1024 192.168.0/8

B. NMAP -P0 -A -O -p1-65535 192.168.0/24

Trinity needs to scan all hosts on a /16 network for TCP port 445 only. What is the fastest way she can accomplish this with Nmap? Stealth is not a concern. A. nmap –p 445 -n -T4 -open 10.1.0.0/16 B. nmap -p 445 -max -Pn 10.1.0.0/16 C. nmap -sn -sF 10.1.0.0/16 445 D. nmap -s 445 -sU -T5 10.1.0.0/16

A. nmap –p 445 -n -T4 -open 10.1.0.0/16

A medium-sized healthcare IT business decides to implement a risk management strategy. Which of the following is NOT one of the five basic responses to risk? A. Accept B. Delegate C. Mitigate D. Avoid

B. Delegate

OpenSSL on Linux servers includes a command line tool for testing TLS. What is the name of the tool and the correct syntax to connect to a web server? A. openssl s\_client -site www.website.com:443 B. openssl\_client -site www.website.com:443 C. openssl\_client -connect www.website.com:443 D. openssl s\_client -connect www.website.com:443

D. openssl s\_client -connect www.website.com:443

John is an incident handler at a financial institution. His steps in a recent incident are not up to the standards of the company. John frequently forgets some steps and procedures while handling responses as they are very stressful to perform. Which of the following actions should John take to overcome this problem with the least administrative effort? A. Increase his technical skills B. Read the incident manual every time it occurs C. Select someone else to check the procedures D. Create an incident checklist

D. Create an incident checklist

Which of the following is the least-likely physical characteristic to be used in biometric control that supports a large company? A. Voice B. Fingerprints C. Iris patterns D. Height and Weight

D. Height and Weight

Gavin owns a white-hat firm and is performing a website security audit for one of his clients. He begins by running a scan which looks for common misconfigurations and outdated software versions. Which of the following tools is he most likely using? A. Armitage B. Nikto C. Metasploit D. Nmap

B. Nikto

Matthew, a black hat, has managed to open a meterpreter session to one of the kiosk machines in Evil Corp's lobby. He checks his current SID, which is S-1-5-21-1223352397-1872883824-861252104-501. What needs to happen before Matthew has full administrator access? A. He needs to gain physical access. B. He must perform privilege escalation. C. He already has admin privileges, as shown by the "501" at the end of the SID. D. He needs to disable antivirus protection.

B. He must perform privilege escalation.

Elliot is in the process of exploiting a web application that uses SQL as a back-end database. He is determined that the application is vulnerable to SQL injection and has introduced conditional timing delays into injected queries to determine whether they are successful. What type of SQL injection is Elliot most likely performing? A. NoSQL injection B. Blind SQL injection C. Union-based SQL injection D. Error-based SQL injection

B. Blind SQL injection

You have successfully logged on a Linux system. You want to now cover your track. Your login attempt may be logged on several files located in /var/log. Which file does NOT belong to the list: A. wtmp B. user.log C. btmp D. auth.log

B. user.log

Log monitoring tools performing behavioral analysis have alerted several suspicious logins on a Linux server occuring during non-business hours. After further examination of all login activities, it is notices that none of the logins have occurred during typical work hours. A Linux administrator who is investigating this problem realized the system time on the Linux server is wrong by more than twelve hours. What protocol used on Linux serves to synchronize the time has stopped working? A. NTP B. TimeKeeper C. OSPF D. PPP

A. NTP

\>NMAP -sn 192.168.11.200-215 The NMAP command above performs which of the following? A. A port scan B. A ping scan C. An operating system detect D. A trace sweep

B. A ping scan

An LDAP directory can be used to store information similar to a SQL database. LDAP uses a ____ database structure instead of SQL's ______ structure. Because of this, LDAP has difficulty representing many-to-one relationships. A. Strict, Abstract B. Simple, Complex C. Relational, Hierarchical D. Hierarchical, Relational

D. Hierarchical, Relational

What is the purpose of DNS AAAA record? A. Address prefix record B. Address database record C. Authorization, Authentication and Auditing record D. IPv6 address resolution record

D. IPv6 address resolution record

Which of the following statements is FALSE with respect to Intrusion Detection Systems? A. Intrusion Detection Systems can easily distinguish a malicious payload in an encrypted traffic B. Intrusion Detection Systems can examine the contents of the data in context of the network protocol C. Intrusion Detection Systems can be configured to distinguish specific content in network packets D. Intrusion Detection Systems require constant update of the signature library

A. Intrusion Detection Systems can easily distinguish a malicious payload in an encrypted traffic

You are performing a penetration test for a client and have gained shell access to a Windows machine on the internal network. You intend to retrieve all DNS records for the internal domain. If the DNS server is at 192.168.10.2 and the domain name is abccorp.local, what command would you type at the nslookup prompt to attempt a zone transfer? A. list domain=abccorp.local type=zone B. Is -d accorp.local C. list server=192.168.10.2 type=all D. Iserver 192.168.10.2 -t all

B. Is -d accorp.local

Which command can be used to show the current TCP/IP connections? A. Netsh B. Net use connection C. Netstat D. Net use

C. Netstat

When you are collecting information to perform a data analysis, Google commands are very useful to find sensitive information and files. These files may contain information about passwords, system functions, or documentation. What command will help you to search files using Google as a search engine? A. site: target.com filetype:xls username password email B. domain: target.com archieve:xls username password email C. inurl: target.com filename:xls username password email D. site: target.com file:xls username password email

A. site: target.com filetype:xls username password email

The tools which receive event logs from servers, network equipment, and applications, and perform analysis and correlation on those logs, and can generate alarms for security relevant issues, are known as what? A. Network Sniffer B. Vulnerability Scanner C. Intrusion Prevention Server D. Security Incident and Event Monitoring

D. Security Incident and Event Monitoring

The purpose of a \_\_\_\_\_\_\_is to deny network access to local area networks and other information assets by unauthorized wireless devices. A. Wireless Analyzer B. Wireless Jammer C. Wireless Access Point D. Wireless Access Control List

D. Wireless Access Control List

What does the -oX flag do in an Nmap scan? A. Perform an Xmas scan B. Perform an eXpress scan C. Output the results in truncated format to the screen D. Output the results in XML format to a file

D. Output the results in XML format to a file

During an Xmas scan, what indicates a port is closed? A. RST B. SYN C. ACK D. No return response

A. RST

Tremp is an IT Security Manager, and he is planning to deploy an IDS in his small company. He is looking for an IDS with the following characteristics: -Verifies success or failure of an attack - Monitors system activities - Detects attacks that a network-based IDS fails to detect. - Near realtime detection and response - Does not require additional hardware - Lower entry cost. Which type of IDS is best suited for Tremp's requirements? A. Network-based IDS B. Open source-based IDS C. Host-based IDS D. Gateway-based IDS

C. Host-based IDS

Which of the following parameters describe LM Hash: I - The maximum password length is 14 characters II - There are no distinctions between uppercase and lowercase III - The password is split into two 7-byte halves A. II B. I C. I, II, and III D. I and II

C. I, II, and III

A pen-tester is configuring a Windows laptop for a test. In setting up Wireshark, what river and library are required to allow the NIC to work in promiscous mode? A. Winprom B. Libpcap C. Winpsw D. Winpcap

D. Winpcap

Analyst is investigating proxy logs and found out that one of the internal user visited website storing suspicious java scripts. After opening one of them, he noticed that it is very hard to understand the code and that all codes differ from the typical java script. What is the name of this technique to hide the code and extend analysis time? A. Steganography B. Code encoding C. Obfuscation D. Encryption

C. Obfuscation

During the security audit of IT processes, an IS auditor found that there were no documented security procedures. What should the IS auditor do? A. Create a procedures document B. Terminate the audit C. Conduct compliance testing D. Identify and evaluate existing practices

D. Identify and evaluate existing practices

While scanning with Nmap, Patin found several hosts which have the IP ID of incremental sequences. He then decided to conduct: nmap -Pn -p -sl kiosk.adobe.com www.riaa.com kiosk.adobe.com is the host with incremental IP ID sequence. What is the purpose of using "-sl" with Nmap? A. Conduct stealth scan B. Conduct ICMP scan C. Conduct IDLE scan D. Conduct silent scan

C. Conduct IDLE scan

Which of the following DoS tools is used to attack target web applications by starvation of available sessions on the web server? The tool keeps sessions at halt using never-ending POST transmissions and sending an arbitrarily large content-length header value. A. Stacheldraht B. LOIC C. R-U-Dead-Yet? (RUDY) D. MyDoom

C. R-U-Dead-Yet? (RUDY)

You are tasked to configure the DHCP server to lease the last 100 usable IP addresses in subnet 10.1.4.0/23. Which of the following IP addresses could be leased as a result of the new configuration? A. 10.1.4.254 B. 10.1.255.200 C. 10.1.5.200 D. 10.1.4.156

C. 10.1.5.200

Your company was hired by a small healthcare provider to perform a technician assessment on the network. What is the best approach for discovering vulnerabilities on a Windows-based computer? A. Create a disk image of a clean Windows installation B. Use the built-in Windows Update tool C. Use a scan tool like Nessus D. Check MITRE.org for the latest of CVE findings

C. Use a scan tool like Nessus

You are analyzing a traffic on the network with Wireshark. You want to routinely run a cron job which will run the capture against a specific set of IPs. - 192.168.8.0/24. What command you would use? A. tshark -net 192.255.255.255 mask 192.168.8.0 B. wireshark -capture -local -masked 192.168.8.0 -range 24 C. sudo tshark -f "net 192.168.8.0/24" D. wireshark -fetch "192.168.8/\*"

B. wireshark -capture -local -masked 192.168.8.0 -range 24

What kind of detection techniques is being used in antivirus softwares that identifies malware by collecting data from multiple protected systems and instead of analyzing files locally it's made on the provider's environment. A. Behavioral based B. Heuristics based C. Honypot based D. Cloud based

D. Cloud based

Which utility will tell you in real time which ports are listening or in another state? A. Netsat B. Loki C. Nmap D. TCPView

D. TCPView

Why containers are less secure that virtual machine? A. Host OS on containers has a larger surface attack. B. Containers are attached to the same virtual network. C. Containers may fulfill disk space of the host. D. A compromise container may cause a CPU starvation of the host.

D. A compromise container may cause a CPU starvation of the host.

You are monitoring the network of your organizations. You notice that: 1. There are huge outbound connections from your Internal Network to External IPs 2. On further investigation, you see that the external IPs are blacklisted 3. Some connections are accepted, and some are dropped 4. You find that it is a CnC communication Which of the following solution will you suggest? A. Block the Blacklist IP's @ Firewall B. Update the Latest Signatures on your IDS/IPS C. Clean the Malware which are trying to Communicate with the External Blacklist IP's D. Block the Blacklist IP's @ Firewall as well as Clean the Malware which are trying to Communicate with the External Blacklist IP's.

D. Block the Blacklist IP's @ Firewall as well as Clean the Malware which are trying to Communicate with the External Blacklist IP's.