Ethical Hacking and Network Defense
MS RPC port
135
NB Session port
139
Tiffany is analyzing a capture from a client's network. She is particularly interested in NetBIOS traffic. What port does Tiffany filter for?
139
MS-SQL port
1433
Which ports does SNMP use to function?
161 and 162
A Distributed Reflection DoS attack takes advantage of the fact that most Internet routers communicate on port ____________.
179
FTP port
21
SSH port
23
Telnet port
25
______________ operates at 5GHz.
802.11a
Active Systems
An IDS or IPS that logs events, sends out alerts, and can interoperate with routers and firewalls.
Mandatory Access Control (MAC)
An OS security mechanism that enforces access rules based on privileges for interactions between processes, files, and users; included in SELinux.
A covert channel or backdoor may be detected using all of the following except ___________.
An SDK
Fping
An enhanced Ping utility for pinging multiple targets simultaneously.
PHP Hypertext Processor (PHP)
An open-source server-side scripting language.
Attack
Any attempt by an unauthorized person to access, damage, or use resources of a network or computer system.
Embedded System
Any computer system that's not a general-purpose PC or server.
Data at Rest
Any data not moving through a network or being used by the OS; usually refers to data on storage media.
What is a computer virus?
Any program that self-replicates
Which of the following is the most accurate definition of a virus?
Any program that self-replicates.
Which of the following gives the best definition of spyware?
Any software or hardware that monitors your system
Network Protection System
Any system designed specifically to protect networks or network devices from attacks; includes routers, firewalls, Web filters, network-based and host-based IPSs and IDSs, and honeypots.
Port 458
Apple QuickTime
At which layer of the OSI model does a proxy operate?
Application
Choosing a protective network appliance, you want a device that will inspect packets at the most granular level possible while providing improved traffic efficiency. What appliance would satisfy these requirements?
Application Firewall
What type of firewall requires individual client application to be authorized to connect?
Application gateway
Which type of firewall negotiates between the server and client to permit or deny connection based on the type of software and connection requested?
Application gateway
Which of the following are used to specify filenames or other targets that fine-tune the action of the command in Linux?
Arguments
Which serves as a single contact point between the Internet and the private network?
Bastion host
Which of the following is not correct about the registration authority?
Because the question asks what the RA cannot do, the correct answer is that RA cannot generate a certificate.
How does stream cipher encryption work?
Bits are encrypted as a continuous stream.
How does block cipher encryption work?
Bits are split up into blocks and fed into the cipher.
If a penetration test team does not have anything more than a list of IP addresses of the organization's network, what type of test are the penetration testers conducting?
Black Box
What is black box testing?
Black box testing is testing that occurs when an attacker has no knowledge of the infrastructure of the organization being tested. It is time consuming and expensive but simulates a true outside hacker.
Which of the following defines how the organization will maintain what is accepted as normal day-to-day business in the event of a security incident or other events disruptive to the business?
Business continuity plan
What is the most important security advantage of NAT?
By default it only allows outbound connections.
How can you prevent piggybacking?
By stationing a guard by the door, you could monitor and make sure that piggybacking is not occurring.
How are brute force attacks performed?
By trying all possible combinations of characters
How is a brute-force attack performed?
By trying all possible combinations of characters
Which is a hardware firewall vendor manufacturing Stateful Packet Inspection units with NAT and DES especially for small offices?
D-Link
What is not a benefit of hardware keyloggers?
Difficult to install
With commands such as ____, you can perform zone transfers of all DNS records. (Dig / Whois / DNS / Netcat)
Dig
____ is a tool that is used to perform DNS zone transfers. (Whois / Netcat / Metis / Dig)
Dig
Which of the following types of evidence is received as the result of testimony or interview of an individual regarding something he or she directly experienced?
Direct
Port 197
Directory Location Service (DLS)
Which of the following documents states how personnel and assets will be safeguarded in the event of a disaster?
Disaster recovery plan
Which is NOT one of the three broad classes of security threats?
Disclosing contents of private networks
A virus does not do which of the following?
Display pop-ups
Which approach to security is proactive in addressing potential threats before they occur?
Dynamic security approach
Which of the following versions of EAP types only uses a password hash for client authentication?
EAP-MD5 does not provide server authentication.
Port 7
ECHO
If you were looking for information about a company's financial history, you would want to check the __________________ database.
EDGAR
Which of the following is not a flag on a packet?
END
________ is a method for expanding an email list.
EXPN
SHORT ANSWER Briefly describe the main characteristics of economic loss as a result of a spoofing attack.
Economic loss may occur when valuable data is lost or duplicated. Distributing the bank account numbers, balances, and accounting data of a large conglomerate might have an impact upon a large number of people, including both employees and competitors of the victim. Knowing exactly where things stand with the company can lead to unforeseen opportunity for others at the expense of the victim. There are other ways to get this sort of data, and industrial espionage is still a growth industry. But the surreptitious nature of a successful spoofing attack makes it possible that the company never knows exactly what happened or when.
Asymmetric Algorithm
Encryption methodology that uses two keys that are mathematically related; also referred to as public key cryptography.
Which class of individuals works the most with the server and is primarily concerned with access to content and services?
End user
Etherleak
Etherleak, in a nutshell, is when a network driver releases information about the system in padded ICMP payloads. For example, if I send an ICMP packet with a 1 byte payload to a system, the response should contain a payload with padded bytes:
A(n) ____________________ is a security professional who applies his or her hacking skills for defensive purposes.
Ethical Hacker
T/F: Snort logs packets only into the American Standard Code for Information Interchange (ASCII) format.
FALSE
T/F: TCP uses a connectionless design, meaning the participants in a TCP session must initially create a connection.
FALSE
T/F: TCP/IP has a basic flaw that allows IP spoofing. This is due to the fact that trust and authentication have a linear relationship.
FALSE
T/F: The OSI Model and the TCP/IP Model are entirely aligned.
FALSE
You should use one password for all accounts regardless of type.
FALSE
When a TCP three-way handshake ends, both parties send a(n) ____ packet to end the connection. (SYN / ACK / FIN / RST)
FIN
FIN packet
A FIN packet is sent to the target computer. If the port is closed, it sends back an RST packet. When a three-way handshake ends, both parties send a FIN packet to end the connection.
The ____ timer waits for FIN packets. Its default value is 10 minutes.
FIN_WAIT
Which of the following programs can be used for port redirection?
FPipe is a source port forwarder/redirector. It can create a TCP or UDP stream with a source port of your choice.
McAfee Personal Firewall provides an online connection to an anti-hacking Web site called ____________.
HackerWatch.org
SHORT ANSWER What are the main categories of spoofing?
Hackers employ several different types of spoofing, depending on factors such as the intended target and how much information about the network is available. The main categories of spoofing include the following: * Blind spoofing * Active spoofing * IP spoofing * ARP (Address Resolution Protocol) spoofing * Web spoofing * DNS (Domain Name System) spoofing
Which of the following describes an attacker who goes after a target to draw attention to a cause?
Hacktivist
The group Anonymous is an example of what?
Hacktivists
____________________ scanning is TCP connection scanning, but it does not complete the connections.
Half-open
Keyloggers
Hardware devices or software (spyware) that record keystrokes made on a computer and store the information for later retrieval.
Firewalls
Hardware devices or software used to control traffic entering and leaving an internal network.
Intrusion Detection Systems (IDSs)
Hardware or software devices that monitor network traffic and send alerts so that security administrators can identify attacks in progress and stop them.
A _________ is used to represent a password.
Hash
A message digest is a product of which kind of algorithm?
Hashing
What is hashing?
Hashing is taking data and producing a string or number based on the data. It is used for verifying data integrity.
Heap-based buffer overflows are different from stack based buffer overflows because stack-based buffer overflows are dependent on overflowing what?
Heap-based buffer overflows are different from stack-based buffer overflows in that stack-based buffer overflows are dependent on overflowing a fixed-length buffer.
Port 42
Host Name Server (Nameserv)
A disadvantage of Nmap is that it is very slow because it scans all the 65,000 ports of each computer in the IP address range. True or False?
False
A distributed denial of service (DDoS) attack is mostly an annoyance however a denial of service (DoS) attack is much more of a problem.
False
A drawback to public key infrastructure (PKI) is that the two parties must have prior knowledge of one another in order to establish a relationship.
False
A poison null byte attack uploads masses of files to a server with the goal of filling up the hard drive on the server in an attempt to cause the application to crash.
False
A site administrator can block the Internet Archive from making snapshots of the site.
False
Accumulating as many connections as possible on social media (seeking quantity over quality) makes it less likely that you will link or "friend" a scam artist or an identity thief.
False
Active fingerprinting takes longer than passive fingerprinting.
False
Adware is a type of malware designed to trick victims into purchasing and downloading useless and potentially dangerous software.
False
An advantage to brute-force password attacks is that they typically do not take much time to perform.
False
An effective method for uncovering database problems is to consider the security problem simply from an insider's perspective, rather than an outsider's perspective.
False
An embedded OS must be developed specifically for use with embedded systems. True or False?
False
Antivirus software should be updated annually. True or False?
False
Sanitizing a Web posting refers to a company deleting information that others may find insensitive or offensive.
False
Scareware is software specifically designed to display advertisements on a system in the form of pop-ups or nag screens.
False
The manual method of obtaining network range information is quick, but it is largely ineffective.
False
The mere existence of an open port means vulnerability exists.
False
The popularity of services such as Facebook, LinkedIn, and Twitter has made the loss of information or loss of control of that information through social media less of a concern.
False
Typically, a computer system can see all communications, whether they are addressed to the listening station or not.
False
User Datagram Protocol (UDP) acknowledges each connection attempt; Transmission Control Protocol (TCP) does not, so it tends to produce less reliable results.
False
Whenever possible, security practitioners work to encourage people to use their social network for both their professional activities and their personal activities.
False
Worms require user intervention for their infection to take place; viruses do not.
False
What device will neither limit the flow of traffic nor have an impact on the effectiveness of sniffing?
Hub
Wireless access points function as a ____________.
Hub
____________________ was developed by Pavel Krauz, inspired by Juggernaut, another session hijacking tool.
Hunt
Port 1
TCP Port Service Multiplexer (TCPMUX)
Port 80
Hypertext Transfer Protocol (HTTP)
Which of the following statements is NOT true about Kali Linux?
It is designed to be used as a desktop replacement operating system.
Which of the following is an advantage of the network host-based configuration?
It is inexpensive or free
Regarding the Firewall-1 firewall, which of the following is NOT true?
It is particularly vulnerable to SYN floods.
What is anomaly based IDS?
It observes the traffic to see what is normal then sets off a notification if traffic becomes unusual.
An attacker can use _______ to enumerate users on a system.
NetBIOS
Port 137
NetBIOS Name Service
What is a birthday attack?
It's used to find the same hash value for two different inputs and reveal any mathematical weakness in hashing algorithms.
Jake has just been given a new background tool by an old acquaintance. Before he installs it, he would like to make sure that it is legitimate. Which of the following is the best approach?
Jake should compare the tool's hash value to the one found on the vendor's website.
Which of the following can an attacker use to determine the technology and structure within an organization?
Job Boards
Which of the following is a desktop interface for Linux?
KDE
Which of the following is a remote access Trojan authored entirely in Delphi that uses TCP port 26097 by default?
Let Me Rule
In IPsec, encryption and other processes happen at which layer of the OSI model?
Level 3
Port 389
Lightweight Directory Access Protocol (LDAP)
Which of the following gives Facebook users flexibility as to who is allowed to see which portions of a profile?
Limited Profile Settings
Which routing protocol calculates the best path to a target network by one or more metrics such as delay, speed, or bandwidth?
Link state
A common Linux rootkit is ____. (Back Orifice / Kill Trojans / Packet Storm Security / Linux Rootkit 5)
Linux Rootkit 5
A piece of media that contains a complete and bootable operating system is called a(n):
Live CD
Port 49
Login Host Protocol (Login)
Clocking attacks seek to accomplish what?
Prevent legitimate users from accessing a system
How does the SYN cookie work?
Prevents memory allocation until the third part of the SYN/ACK handshake.
Nessus
Previously an open-source scanning tool; now licensed by Tenable Network Security. See OpenVAS.
This type of scan is known as half open because a full TCP three-way connection is not established. This type of scan was originally developed to be stealthy and evade IDS systems although most now detect it. Open ports reply with a SYN/ACK, and closed ports respond with an RST/ACK.
TCP SYN scan
T/F: Identifying a trust relationship from your network to an outside machine is a passive activity.
TRUE
T/F: Nessus is a remote security scanner designed to be run on Linux, BSD, Solaris, and other versions of Unix.
TRUE
T/F: SARA was designed to complement and interface with other security tools, such as Nmap.
TRUE
T/F: Scanners were originally developed to aid security professionals and system administrators in examining networks for security vulnerabilities.
TRUE
T/F: Sniffers look only at the traffic passing through the network interface adapter on the machine where the application is resident.
TRUE
T/F: TCP is responsible for safe and reliable data transfer between host computers.
TRUE
T/F: The costs to the victims of successful spoofing attacks are tied to the amount of information that was copied and the sensitivity of the data.
TRUE
T/F: The three types of sniffer are bundled, commercial, and free.
TRUE
T/F: When you transmit information in a data packet to a computer on a network, the request is sent to every computer on that network that uses the same Ethernet cable or wireless LAN.
TRUE
T/F: Whether or not encryption is used, the use of password protection is open to various kinds of attack.
TRUE
The command mv is designed to move files.
TRUE
Which technology allows the use of a single public address to support many internal clients while also preventing exposure of internal IP addresses to the outside world?
NAT
__________________ is used to audit databases.
NGSSquirreL
ADS requires what to be present?
NTFS
Alternate Data Streams are supported in which file systems?
NTFS
If a domain controller is not present, what can be used instead?
NTLMv2
________ is used to synchronize clocks on a network.
NTP
Which of the following types of attack has no flags set?
NULL
TCP scan with all the packet flags turned off
NULL scan
A _______ is used to connect to a remote system using NetBIOS.
NULL session
Which of the following refers to a utility designed to detect Simple Network Management Protocol (SNMP)-enabled devices on a network and locate and identify devices that are vulnerable to SNMP attacks?
SNScan
Port 156
SQL Server
Port 118
SQL Services
_________________ can be caused by the exploitation of defects and code.
SQL injection
Jennifer is a system administrator who is researching a technology that will secure network traffic from potential sniffing by unauthorized machines. Jennifer is not concerned with the future impact on legitimate troubleshooting. What technology can Jennifer implement?
SSH
Which of the following denial of service attacks results from a client's failure to respond to the server's reply to a request for connection?
SYN flood
List the six flags of a TCP packet.
SYN, ACK, PSH, URG, RST, FIN
What is the proper sequence of the TCP three-way-handshake?
SYN, SYN-ACK, ACK
What is the sequence of the three-way handshake?
SYN, SYN-ACK, ACK
List the three components of the TCP/IP three-way handshake.
SYN, SYN-ACK, and ACK
Which class of individuals is primarily concerned with the security of the Web server because it can provide an easy means of getting into the local network?
Server administrator
Which of the following is used to uniquely identify a network, thereby ensuring that clients can locate the correct wireless local area network (WLAN) that they should be attaching to?
Service set identifier (SSID)
How would you describe an attack in which an attacker attempts to deliver the payload over multiple packets for long periods of time?
Session splicing works by delivering the payload over multiple packets, which defeats simple pattern matching without session reconstruction.
Which of the following is NOT considered a sensible guideline to follow when using social networking sites?
Set up an e-mail account that uses your real name.
Symmetric cryptography is also known as _______.
Shared Key Cryptography
The early networks did not resemble the networks in use today because they were mainly proprietary and performed poorly compared with today's deployments.
TRUE
What type of encryption uses the same key to encrypt and to decrypt information?
Symmetric encryption
A DNS zone transfer is used to do which of the following?
Synchronize server information
_______ is the process of exploiting services on a system?
System Hacking
Trojans are a type of malware.
TRUE
Supervisory Control and Data Acquisition (SCADA) Systems
Systems used for equipment monitoring and automation in large-scale industries and critical infrastructure systems, such as power plants and air traffic control towers; these systems contain components running embedded OSs.
Trojans can be used to open backdoors on a system.
TRUE
Wireless LANs are built upon the 802.11 family of standards and operate in a similar manner to wired networks.
TRUE
Worms are designed to replicate repeatedly.
TRUE
You should never use information posted about you online as the basis for your password or security hints.
TRUE
Branching
Takes you from one area of a program (a function) to another area.
Which of the following best describes session hacking?
Taking control of the communication link between two machines.
What does TOE stand for?
Target Of Evaluation
Which of the following is used for banner grabbing?
Telnet
You have been exploring the files and directory structure of the new Linux server. What are the entries of the /etc/hosts file made up of?
The /etc/hosts file stores IP addresses and is used for hostname-to-IP address resolution.
Metropolitan Area Networks (MANs)
The 802.16 standard defines the Wireless MAN Air Interface for wireless MANs and addresses the limited distance available for 802.11b WLANs. The most widely used implementation of wireless MAN technology is WiMAX. See also Worldwide Interoperability for Microwave Access (WiMAX).
A SYN attack uses which protocol?
TCP
Which of these protocols is a connection-oriented protocol?
TCP
This scan attempts to determine access control list (ACL) rule sets or identify whether a firewall or simply stateless inspection is being used. A stateful firewall should return no response. If an ICMP destination unreachable, communication administratively prohibited message is returned, the port is considered to be filtered. If an RST is returned, no firewall is present.
TCP ACK scan
This type of scan is the most reliable, although it is also the most detectable. It is easily logged and detected because a full connection is established. Open ports reply with a SYN/ACK, and closed ports respond with an RST/ACK.
TCP Connect scan
What is a covert channel?
A backdoor
Network Address Translation (NAT)
A basic security feature of a firewall used to hide the internal network from outsiders. Internal private IP addresses are mapped to public external IP addresses to hide the internal infrastructure from unauthorized personnel.
RC5
A block cipher created by Ronald L. Rivest that can operate on different block sizes: 32, 64, and 128 bits. The key size can reach 2048 bits.
International Data Encryption Algorithm (IDEA)
A block cipher that operates on 64-bit blocks of plaintext and uses a 128-bit key; used in PGP encryption software.
Blowfish
A block cipher that operates on 64-bit blocks of plaintext, but its key length can be as large as 448 bits.
When discussing passwords, what is considered a brute-force attack?
A brute force attack attempts every single possibility until you exhaust all possible combinations of words and characters or discover the password.
Protocol
A language used to transmit data across a network infrastructure.
IP Access Lists
A list of IP addresses, subnets, or networks that are allowed or denied access through a router's interface.
Rainbow Table
A lookup table of password hash values that enables certain programs to crack passwords much faster than with brute-force methods.
Jon has written a virus that is executed when opened in Word or Excel. Which of the following best describes this type of virus?
A macro virus is designed to be embedded in a document. After being embedded, the virus writer can have the macro execute each time the document is opened. Many applications, such as Microsoft Word and Excel, support powerful macro languages.
HTML
A markup language used mainly for indicating the formatting and layout of Web pages.
Port scanning
A method of finding out which services a host computer offers.
Zone Transfer
A method of transferring records from a DNS server to use in analysis of a network.
Function
A mini program within a main program that performs a particular task.
Privileged Mode
A mode on Cisco routers that allows administrators to perform full router configuration tasks; also called enable mode.
Wireless LAN (WLAN)
A network that relies on wireless technology (radio waves) to operate.
Open Web Application Security Project (OWASP)
A not-for-profit foundation dedicated to fighting and finding Web application vulnerabilities.
Initial Sequence Number (ISN)
A number that keeps track of what packets a node has received.
What is a payload?
A payload is the piece of software that lets you control a computer system after it's been exploited.
Shoulder surfing
A shoulder surfer is skilled at reading what users enter on their keyboards, especially logon names and passwords. This skill certainly takes practice, but with enough time, it can be mastered easily.
What is a signature based IDS?
A signature-based IDS is an IDS that compares packet captures to lists of known malicious traffic patterns and sets off a notification if it finds a match.
When considering closed circuit TV as a security measure, the focal length must be considered. What is focal length?
The camera's effectiveness in viewing objects from a horizontal and vertical view
Basic Service Set (BSS)
The collection of connected devices in a wireless network.
Which of the following is not a valid Linux user group?
The three valid groups in Red Hat Linux are super users, system users, and normal users.
SHORT ANSWER What are the major differences between commercial sniffers and free sniffers?
The two major differences between commercial and free sniffers are: * Commercial sniffers generally cost money, but typically come with support. * Support on free sniffers has the reputation of being scant, meaning it is difficult to find anyone who will offer support; incomplete, meaning that the information was never recorded; or fiendishly expensive, compared to support for commercial products. This reputation is not always deserved.
Which of the following would most likely be classified as misuse(s) of systems?
Using your business computer to conduct your own (non-company) business
Which of the following is NOT one of the more common distributions of Linux?
Timbuktu
Port 37
Time
A logic bomb is activated by which of the following?
Time and date, actions, events.
______________________________ is based on the principle that distance can be measured by computing the time required for reflected energy to be measured at the source.
Time domain reflectometry (TDR)
Why would you need to use a proxy to perform scanning?
To enhance anonymity
A buffer overflow can result in data being corrupted or overwritten.
True
A cookie can store information about a Web site's visitors. True or False?
True
U.S. laws regulate the exportation of cryptographic systems.
True
Wget is a tool that can be used to retrieve HTTP, HTTPS, and FTP files over the Internet. True or False?
True
When working on securing Web applications, the safety of information must be considered both when it is being stored and when it is being transmitted, because both stages are potential areas for attack.
True
While the majority of Live CDs can run in memory to free the optical drive or other media for other uses, loading the data off a CD-ROM will always be slower than a hard drive-based installation.
True
With passive fingerprinting, the victim has less chance of detecting and reacting to the impending attack.
True
The Cisco PIX 515E has additional security features that monitor multimedia and __________ transmissions.
Voice over IP
Which of the following allows the placing of telephone calls over computer networks and the Internet?
Voice over IP (VoIP)
Which of the following is a wireless DoS tool?
Void11 is a wireless DoS tool.
____ is an Internet tool that aids in retrieving domain name-specific information from the NSI Registrar database.
WHOIS
____________ refers to a process used to locate wireless networks that might be vulnerable to attack.
War-driving
Which of the following techniques is not used to locate network access points, but to reveal the presence of access points to others?
Warchalking
Which of the following refers to encryption using short keys or keys that are poorly designed and implemented that can allow an attacker to decrypt data easily and gain unauthorized access to the information?
Weak ciphers or encoding algorithms
When a hacker spoofs an IP address through a Web site, it is known as ____ spoofing.
Web
What makes the OpenVAS tool unique?
What makes this tool unique is the capability to update security check plug-ins when they become available. An OpenVAS plug-in is a security test program (script) that can be selected from the client interface. The person who writes the plug-in decides whether to designate it as dangerous, and the author's judgment on what's considered dangerous might differ from yours.
DiskProbe can be used for which of the following tasks?
When a standalone file is encrypted with EFS, a temp file is created named efs0.tmp. Diskprobe or a hex editor can be used to recover that file. All other answers are incorrect because Diskprobe is not used for spoofing a PKI certificate; it can only recover the last file encrypted, not an entire folder of encrypted files. Diskprobe is not used to crack an MD5 hash.
While performing a penetration test for your client, you discovered the following on their e-commerce website: <input type="hidden" name="com" value="add"> <input type="hidden" name="un" value="Cowboy Hat/Stetson"> <input type="hidden" name="pid" value="823-45"> <input type="hidden" name="price" value="114.95">
When attackers discover the hidden price field, they might attempt to alter it and reduce the price. To avoid this problem, hidden price fields should not be used. However, if they are used, the value should be confirmed before processing.
SHORT ANSWER Explain how to release a TCP connection.
When releasing the connection between two computers, the source computer sends a FIN packet to the destination computer. The destination computer then sends a FIN/ACK packet, and the source computer sends an ACK packet. Either computer could send an RST and close the session (reset) immediately.
What is active sniffing?
When the network setup requires you to force network devices to work together to accomplish sniffing. Active sniffing allows you to see traffic outside of what is being passed to your NIC.
What is a man in the middle attack?
Where an attacker has positioned himself between two communicating entities
What is a penetration test?
Where you look for vulnerabilities and seek to exploit them to show what could happen to a vulnerable system.
What is passive sniffing?
Where you plug in a sniffer and start pulling packets without any other interaction needed. Packets can be viewed later, and it only works on what your NIC can see.
_____ box testing: the security tester has full knowledge of the network, systems, and infrastructure.
White
If you have been contracted to perform an attack against a target system, you are what type of hacker?
White Hat
Which of the following would most likely engage in the pursuit of vulnerability research?
White Hat
The ____ model is derived from old Western genre movies where the "good guys" always wore white hats and the "bad guys" always wore black hats.
White Hat/Black Hat
What is white box testing?
White box testing simulates an internal user with extensive knowledge of the infrastructure. This is much faster and less expensive.
These individuals perform ethical hacking to help secure companies and organizations.
White hat hackers
Port 43
WhoIs
The ____________________ utility gives you information on a company's IP addresses and any other domains the company might be part of.
Whois
Which of the following refers to the protocol designed to query databases to look up and identify the registrant of a domain name?
Whois
____ is a tool that is used to gather IP and domain information. (Whois / Netcat / Metis / Dig)
Whois
The Institute of Electrical and Electronics Engineers (IEEE) 802.11 family of standards, which ranges from 802.11a to 802.11n, is known collectively in standard jargon as:
Wi-Fi
Which of the following offers the greatest level of security for wireless networks?
Wi-Fi Protected Access 2 (WPA2)
Which one of the following is the strongest authentication technology for protecting wireless networks?
Wi-Fi Protected Access version 2 (WPA2)
Which of the following technologies is specifically designed to deliver Internet access over the so-called last mile to homes or businesses that may not otherwise be able to get access?
WiMAX
Which OS holds 90 percent of the desktop market and is one of our largest attack surfaces?
Windows
What is wireshark
Wireshark is a very popular sniffer
Are there any reasons not to take an extreme view of security if that view errs on the side of caution?
Yes; it can lead to wasting resources on threats that are unlikely.
Which of the following is a commonly used UNIX enumeration tool? a. Netcat b. Nbtstat c. Netstat d. Finger
d. Finger
What component can be used to reduce the risk of a Trojan program or rootkit sending information from an attacked computer to a remote host? a. Base-64 decoder b. Keylogger c. Telnet d. Firewall
d. Firewall
A firewall that uses a combination of approaches rather than a single approach to protect the network is called:
hybrid
A form of offline attack that functions much like a dictionary attack, but with an extra level of sophistication, is a:
hybrid attack
The spread of viruses can be minimized by all of the following EXCEPT:
immediately following instructions in security alerts e-mailed to you from Microsoft
Which of the following is the best description of the INTITLE tag?
instructs Google to search for a term within the title of a document
Digital signatures are NOT used for ________________________.
confidentiality (a digital signature provides integrity, authentication, and non-repudiation; it does not encrypt the message)
Which Wireshark filters displays only traffic from 192.168.1.1?
ip.addr == 192.168.1.1 (note that ip.addr matches packets in which 192.168.1.1 is either the source or the destination; to see only packets sent by that host, use ip.src == 192.168.1.1)
Bugnosis
is a Web bug detector. As you surf the Web, it analyzes every page you visit and alerts you when it finds any Web bugs
NessusWX
is a client program for the Nessus security scanner, designed especially for the Windows platform.
Tcpdump
is a common packet analyzer that runs under the command line. It allows the user to display TCP/IP and other packets being transmitted or received over a network to which the computer is attached. Distributed under the BSD license, tcpdump is free software.
Netcat
is a computer networking utility for reading from and writing to network connections using TCP or UDP. Netcat is designed to be a dependable back-end that can be used directly or easily driven by other programs and scripts
The security triad of __________, ________, and _________ form the basic building blocks of any good security initiative.
confidentiality, integrity, and availability
The first rule of firewalls dictates that to provide the best security, they not only must be installed properly, but they must also be ____________ properly.
configured
The ____ relies on the OS of the attacked computer, so it's a little more risky to use than the SYN scan. (NULL scan, connect scan, XMAS scan, ACK scan)
connect scan
similar to the SYN scan, except that it does complete the three-way handshake
connect scan
What is used to monitor a NIDS?
console
A text file that is downloaded to a computer by a Web site to provide information about the Web site and online access is called a:
cookie
A(n) ____ scan demonstrates whether a remote host is active by sending ICMP echo request packets to that host.
ping
The most common type of ICMP message is ___________________.
ping
A(n) ____________________ is a software tool that examines and reports about vulnerabilities on local and remote hosts.
scanner
The second step of the hacking process is ___________________.
scanning
Cryptography provides an invaluable service to security by providing all of the following except:
the ability to hack into systems and remain undetected.
The primary components of a host-based intrusion detection system (HIDS) are:
the command console and the monitoring agent software
A hash algorithm can be compromised with a collision, which occurs when two separate and different messages or inputs pass through the hashing process and generate:
the same value
SQLPing and SQLRecon are:
tools for locating rogue or unknown database installations
You need to determine the path to a specific IP address. Which of the following tools is the best to use?
traceroute
Which command launches a CLI version of Wireshark?
tshark
State Table
A file created by a stateful packet filter that contains information on network connections. See also stateful packet filters.
SYN-ACK
A reply to a SYN packet sent by a host.
Algorithm
A set of directions used to solve a problem.
What is a vulnerability assessment?
A vulnerability assessment is where you scan and test for existing vulnerabilities and report them rather than exploiting them.
Hping
An enhanced Ping utility for crafting TCP and UDP packets to be used in portscanning activities.
Port 53
Domain Name System - (DNS)
Session hijacking is used to capture traffic.
FALSE
Most encryption cannot be broken.
False
Which of the following best describes what a Hacktivist does?
Hacks for political reasons
Port 139
Network Basic Input/Output System - (NetBIOS)
NetDDE
Network Dynamic Data Exchange (NetDDE) services have been started on the computer. NetDDE is a system process that runs on Windows OSs to facilitate exchanging network data
Port 119
Network News Transport Protocol - (NNTP)
The ____ tool was originally written for Phrack magazine in 1997 by Fyodor. (Unicornscan, Fping, Nessus, Nmap)
Nmap
Which of the following types of viruses is designed to change their code and "shape" to avoid detection by virus scanners, which would look for a specific virus code and not the new version?
Polymorphic virus
Which of the following is NOT considered a vulnerability of Web servers?
Poor end-user training
What is the name for a DoS attack that causes machines on a network to initiate a DoS against one of that network's servers?
Smurf attack
Which attack relies on broadcast packets to cause a network to actually flood itself with ICMP packets?
Smurf attack
A Trojan relies on _________ to be activated.
Social Engineering
____ means using a knowledge of human nature to get information from people. (Fingerprinting, Footprinting, Zone transferring, Social engineering)
Social engineering
16 characters
The computer names you assign to Windows systems are called NetBIOS names and have a limit of 16 characters; the last character is reserved for a hexadecimal number (00 to FF) that identifies the service running on the computer. Therefore, you can use only 15 characters for a computer name, and NetBIOS adds the last character automatically to identify the service that has registered with the OS. For example, if a computer named SALESREP is running the Server service, the OS stores this information in a NetBIOS table.
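The name-building rule above (15 usable characters, space padding, a 16th service byte) and the way such a name is encoded for the wire, as an added example for this study set; it is not code from the textbook. The suffix table lists a few well-known Windows service values, and the 32-character form follows RFC 1001 first-level encoding.

```python
"""Build and encode NetBIOS names (added example, not textbook code)."""

# Well-known 16th-byte service suffixes (a handful of the common ones).
SUFFIXES = {
    0x00: "Workstation service",
    0x03: "Messenger service",
    0x1B: "Domain master browser",
    0x1D: "Master browser",
    0x20: "Server (file and print) service",
}


def netbios_name(hostname: str, suffix: int) -> bytes:
    """Return the 16-byte NetBIOS name: up to 15 ASCII characters,
    space-padded, followed by the one-byte service suffix."""
    name = hostname.upper().encode("ascii")
    if not 1 <= len(name) <= 15:
        raise ValueError("computer name must be 1 to 15 characters")
    if not 0 <= suffix <= 0xFF:
        raise ValueError("suffix must be a single byte (0x00-0xFF)")
    return name.ljust(15, b" ") + bytes([suffix])


def first_level_encode(name16: bytes) -> str:
    """RFC 1001 first-level encoding: each byte is split into two nibbles
    and each nibble is written as a letter A..P (nibble + 0x41). This is
    the 32-character form seen in NBNS queries on the wire."""
    if len(name16) != 16:
        raise ValueError("expected a 16-byte NetBIOS name")
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in name16)


def first_level_decode(encoded: str) -> tuple:
    """Reverse the encoding; return (computer name, suffix byte)."""
    if len(encoded) != 32 or any(not "A" <= c <= "P" for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(
        ((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
        for i in range(0, 32, 2)
    )
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15]


def describe(name16: bytes) -> str:
    """Human-readable form, e.g. 'SALESREP<20> Server (file and print) service'."""
    host = name16[:15].rstrip(b" ").decode("ascii")
    suffix = name16[15]
    return f"{host}<{suffix:02X}> {SUFFIXES.get(suffix, 'unknown service')}"


if __name__ == "__main__":
    n = netbios_name("SALESREP", 0x20)
    print(describe(n))
    print(first_level_encode(n))
```

The NetBIOS table entry for a machine named SALESREP running the Server service is therefore the 16 bytes SALESREP, seven spaces, 0x20, which tools such as nbtstat display as SALESREP<20>.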
Internet Control Message Protocol (ICMP)
The protocol used to send informational messages and test network connectivity.
SHORT ANSWER What is the importance of proper discarding of refuse?
The security policy must carefully address what is sensitive information and what isn't, and decide how to treat refuse. Some documents may not be considered sensitive, like employee handbooks and company policy statements, but these can often tell attackers what physical and network security to expect during an intrusion. The best solution to theft of paper trash is to crosscut-shred it and keep it in locked trash receptacles. Old hardware cannot be shredded and takes up space; thus these items are frequently thrown out or given to employees to take home. Attackers search for outdated hardware, such as tapes, CD-ROMs, and hard disks, and various tools, such as forensics programs, can restore data from damaged storage devices.
Which of the following statements is NOT true regarding Structured Query Language (SQL) injections?
They are specific to only one vendor's database and cannot force the application to reveal restricted information.
Metis
Tool to gather competitive intelligence from web sites
Which is a robust commercial software firewall solution for Linux operating systems?
Wolverine
Port 103
X.400 Standard
Most NetBIOS enumeration tools connect to the target system by using which of the following? a. ICMP packets b. Default logons and blank passwords c. Null sessions d. Admin accounts
c. Null sessions
The sixth step in the hacking process is _____________________.
covering tracks
__________________________ are methods for transferring data in an unmonitored manner.
covert channels
Which of the following Linux commands is used to copy files from location to location?
cp
Flooding a system with many false connection attempts in an effort to prevent legitimate use is an example of a ____________ attack.
denial of service
A(n) ____________________ attack is an assault on a network that floods it with so many additional requests that regular traffic is either slowed or completely interrupted.
denial-of-service
Which of the following was the first wireless standard that saw any major usage outside of proprietary or custom deployments?
802.11 standard
HTTP port
80
Zombies
Computers controlled by a hacker to conduct criminal activity without their owners' knowledge; usually part of a botnet. See also botnet.
At what point can SSL be used to protect data?
During transmission
SQL injections require very little skill or knowledge to execute.
FALSE
A written contract isn't necessary when a friend recommends a client. True or False?
False
Private information on Facebook is truly private.
False
SHORT ANSWER What happens if a route table cannot find a match?
If the route table cannot find a match, it uses the default network address option of 0.0.0.0. This option specifically refers the request to the network gateway. The gateway router has a register of network addresses and is capable of finding a match. The route table uses the netmask in combination with the network address to decide if the destination computer belongs to a LAN (local area network) or an external network.
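The lookup described above, as an added example (not from the textbook): the most specific matching netmask wins, and the 0.0.0.0/0 default only applies when nothing else matches. The routing table is constructed for the demo.

```python
"""Longest-prefix route lookup with a 0.0.0.0/0 default (added example)."""
import ipaddress

# (network, gateway or None when directly connected, interface); constructed
ROUTES = [
    ("192.168.1.0/24", None, "eth0"),            # local LAN
    ("10.0.0.0/8", "192.168.1.254", "eth0"),     # corporate network via router
    ("0.0.0.0/0", "192.168.1.1", "eth0"),        # default route
]


def route_lookup(table, destination):
    """Return (network, gateway, interface) for the most specific match.
    The netmask (prefix length) decides specificity; 0.0.0.0/0 has the
    shortest mask, so it only wins when nothing else matches."""
    dst = ipaddress.ip_address(destination)
    best = None
    for network, gateway, iface in table:
        net = ipaddress.ip_network(network, strict=False)
        if dst.version != net.version or dst not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, gateway, iface)
    return best


def next_hop(table, destination):
    """Where the packet is actually sent: the destination itself on a
    directly connected network, otherwise the gateway. None means the
    table has no match at all (no default route present)."""
    match = route_lookup(table, destination)
    if match is None:
        return None
    _, gateway, _ = match
    return gateway if gateway is not None else destination


def is_local(table, destination):
    """True when the netmask places the destination on a directly
    connected LAN rather than behind a gateway."""
    match = route_lookup(table, destination)
    return match is not None and match[1] is None


if __name__ == "__main__":
    for ip in ("192.168.1.77", "10.2.3.4", "8.8.8.8"):
        where = "local" if is_local(ROUTES, ip) else "remote"
        print(ip, "->", next_hop(ROUTES, ip), where)
```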
Spread Spectrum
In this technology, data is spread across a large-frequency bandwidth instead of traveling across one frequency band.
LDAP is used to perform which function?
Query a database
____________________ is the act of locating targets and developing the methods necessary to attack those targets successfully.
Reconnaissance
Which of the following is used to identify a wireless network?
SSID
Which of the following statements is NOT true regarding social engineering?
Social engineering has different goals and objectives than other types of hacking.
Which of the following is not a DoS program?
Stacheldraht is a DDoS program.
This type of scan sends a packet with no flags set. If the OS has implemented TCP per RFC 793, open ports send no reply whereas closed ports will return an RST.
TCP NULL scan
A scan of a network client shows that port 23 is open; what protocol is this aligned with?
Telnet
Port 23
Telnet
Nmap is valuable in OS fingerprinting as well as port scanning.
True
High-end, enterprise-capable firewalls such as the Fortigate 3600 generally scan e-mail, FTP, and TCP packets for viruses and can implement user ____________ for added security.
authentication
An attacker can use a ___________________ to return to a system.
backdoor
The ____ captures the network traffic from the Ethernet connection.
capture driver
Although very similar to application gateways, _____________ are more secure and usually found on more expensive equipment.
circuit level
Offloading services from the local intranet to the Internet itself can be done by the use of:
cloud computing
A major difference between a hacker and an ethical hacker is the:
code of ethics to which each subscribes.
What organization designates a person as an OPST? a. International Information Systems Security Certification Consortium (ISC2) b. EC-Council c. SANS Institute d. ISECOM
d. ISECOM
What port does DNS use? a. Port 80 b. Port 69 c. Port 25 d. Port 53
d. Port 53
Security testers and hackers use which of the following to determine the services running on a host and the vulnerabilities associated with these services? a. Zone transfers b. Zone scanning c. Encryption algorithms d. Port scanning
d. Port scanning
Windows OSs are vulnerable to the Conficker worm because of which of the following? a. Arbitrary code b. SQL buffer overflow c. Blank password d. RPC vulnerability
d. RPC vulnerability
A closed port responds to a SYN packet with which of the following packets? a. FIN b. SYN-ACK c. SYN d. RST
d. RST
A team composed of people with varied skills who attempt to penetrate a network is referred to as which of the following? a. Green team b. Blue team c. Black team d. Red team
d. Red team
To determine a company's primary DNS server, you can look for a DNS server containing which of the following? a. Cname record b. Host record c. PTR record d. SOA record
d. SOA record
Multifunction devices (MFDs) are rarely: a. Targets of network attacks b. Installed on Windows networks c. Installed on large networks d. Scanned for vulnerabilities
d. Scanned for vulnerabilities
Which federal law amended Chapter 119 of Title 18, U.S. Code? a. Computer Fraud and Abuse Act, Title 18 b. Electronic Communication Privacy Act c. Stored Wire and Electronic Communications and Transactional Records Act d. U.S. Patriot Act, Sec. 217: Interception of Computer Trespasser Communications
d. U.S. Patriot Act, Sec. 217: Interception of Computer Trespasser Communications
Which of the following is an example of a macro programming language? a. C++ b. Windows XP c. Visual Basic d. Visual Basic for Applications
d. Visual Basic for Applications
To find extensive Nmap information and examples of the correct syntax to use in Linux, which of the following commands should you type? a. nmap -h b. nmap -help c. nmap ? d. man nmap
d. man nmap
Which of the following is a characteristic of adware?
displaying pop-ups
Countermeasures that an organization can take regarding protecting domain information include:
employing a commonly available proxy service to block the access of sensitive domain data.
When hackers talk about standards of behavior and moral issues of right and wrong, what are they referring to?
ethics
Information or physical remnants collected from a crime scene and used to determine the extent of a crime and potentially prove a case in court is called:
evidence
A measurement of the percentage of individuals who have gained access but should not have been granted such is called:
false acceptance rate (FAR)
The main function or capability of certificate authorities (CAs) is to:
bind a user's identity to a public key by issuing a signed digital certificate (some CAs also generate the key pair on the user's behalf).
Taking security precautions such as keeping patches updated, uninstalling unneeded applications, closing unused ports, and turning off unused services is called ____________ the operating system.
hardening
A __________ is used to store a password.
hash
Port 80
HTTP port
Shoulder surfing, keyboard sniffing, and social engineering are considered:
nontechnical attacks
There are two ping utilities available for a Linux or Unix machine: ping and ____________________.
ping6
An attacker can deprive the system owner of the ability to detect the activities that have been carried out by:
planting a backdoor
The seventh and final step in the hacking process is _____________________.
planting backdoors
A one-way hashing function is designed to be:
relatively easy to compute one way, but hard to undo or reverse
Nmap option -sS
The -sS option tells Nmap to scan TCP ports with a SYN (half-open) scan: it sends a SYN, reads the SYN/ACK or RST reply, and never completes the handshake. It must be given explicitly when combined with a UDP scan (-sU), because -sU on its own scans only UDP ports.
Google hacking can be thwarted to a high degree by:
sanitizing information that is available publicly whenever possible.
___________________ is designed to intimidate users.
scareware
A ____ or batch file is a text file containing multiple commands that are normally entered manually at the command prompt. (script, program, snippet, signature)
script
A(n) ____________________ is a person skilled at reading what users enter on their keyboards, especially logon names and passwords.
shoulder surfer
Attackers observing victims as they enter codes at a bank cash machine or a gas pump are participating in:
shoulder surfing
A firewall designed to secure an individual personal computer is a:
single machine firewall
Another name for an ethical hacker operating legally and with permission is ____________.
sneaker
A(n) ____________________ is an application that monitors, filters, and captures data packets transferred over a network.
sniffer (packet sniffer)
How is the practice of tricking employees into revealing sensitive data about their computer system or infrastructure best described?
social engineering
Tricking or coercing people into revealing information or violating normal security practices is referred to as:
social engineering
____________________ is NOT part of the key management process.
storage
Sometimes called secret key algorithms, ____________________ key algorithms use the same key to encrypt and to decrypt the data.
symmetric
Key management is potentially the biggest problem in ___________________________.
symmetric encryption
The fourth step in the hacking process is ___________________.
system hacking
_____________________ is the process of exploiting services on a system.
system hacking
The database on the local Windows system that is used to store user account information is called:
the Security Account Manager (SAM)
Blocking everything and allowing only what is needed is known as:
the deny-all principle.
What is the front line of defense for cybersecurity in any organization?
the end user
Once a circuit level gateway verifies the user's logon, it creates a virtual circuit between:
the internal client and the proxy server
The best description of zeroization is _______________________.
used to clear media of a key value
What can enumeration discover?
user accounts
Finger
A *nix utility that lets you find out who's logged in to a system, locally or on a remote host, with one simple command (see Figure 6-25); it is commonly used to enumerate user accounts. Finger is both a client and a server: the Finger daemon (fingerd) listens on TCP port 79.
SNMP port
161
User Datagram Protocol (UDP)
A fast, unreliable Transport layer protocol that's connectionless.
Windows Software Update Services (WSUS)
A free add-in component that simplifies the process of keeping Windows computers current with the latest critical updates, patches, and service packs. WSUS installs a Web-based application that runs on a Windows server.
Perl
A high-level general-purpose programming language used especially for developing Web applications developed by Larry Wall in 1987.
Shoulder Surfing
A technique attackers use; involves looking over an unaware user's shoulders to observe the keys the user types when entering a password.
Multiple Independent Levels of Security/Safety (MILS)
A type of OS (often embedded) certified to run multiple levels of classification (such as unclassified, secret, and top secret) on the same CPU without leakage between levels; used in the U.S. military for high-security environments and in organizations, such as those controlling nuclear power or municipal sewage plants, when separating privileges and functions is crucial.
Drive-By Downloads
A type of attack in which Web site visitors download and install malicious code or software without their knowledge.
Supplicant
A wireless user attempting access to a WLAN.
Common symmetric encryption algorithms include all of the following except:
Not AES, which is symmetric (as are DES, 3DES, Blowfish, and RC4); the exception in such a list must be an asymmetric algorithm such as RSA.
Bug
An error that causes unpredictable results.
BLT
Branching, Looping, and Testing.
A good defense against password guessing is _______.
Complex Passwords
Which category of risk inherent with Web servers includes risks such as the ability to steal information from a server, run scripts or executables remotely, enumerate servers, and carry out denial of service (DoS) attacks?
Defects and misconfiguration risks
Which of the following is a disadvantage of alarms?
False alarms tied to the police may result in fines.
The HTTP ____ method is the same as the GET method, but retrieves only the header information of an HTML document, not the document body. (CONNECT, PUT, POST, HEAD)
HEAD
The most desirable approach to security is one which is:
Layered and dynamic
Which of the following types of viruses is a piece of code or software designed to lie in wait on a system until a specified event occurs?
Logic bomb
What is metasploit?
Metasploit is a tool for developing and executing exploit code against a remote target machine.
Port 445
Microsoft-DS
A Trojan can include which of the following?
RAT
Which copies itself into the Windows directory and creates a registry key to load itself at startup?
Sasser
Port 444
Simple Network Paging Protocol (SNPP)
Which of the following tests of a disaster recovery plan involves practicing backup and restore operations, incident response, communication and coordination of efforts, and alternative site usage in such a way that normal business operations are not adversely affected?
Simulation
All of the following are commonly used tools to perform session hijacking EXCEPT:
Smurf
Configuring routers to not forward directed broadcast packets can help defend against a ____________ attack.
Smurf
A remote access Trojan would be used to do all the following except __________.
Sniff Traffic
SHORT ANSWER Where are sniffers normally placed?
Sniffers are normally placed on: * Computers * Cable connections * Routers * Network segments connected to the Internet * Network segments connected to servers that receive passwords
SHORT ANSWER What are the components of a sniffer?
Sniffers use the following components to capture data from a network: * Hardware * Capture driver * Buffer * Decoder * Packet Analysis
____ is bundled with the Solaris operating systems. It captures packets from the network and displays their contents.
Snoop
You have decided to set up Snort. A coworker asks you what protocols it cannot check.
Snort cannot analyze IGMP (Internet Group Management Protocol, the multicast group-membership protocol; it is not a routing protocol).
Which of the following can help you determine business processes of your target through human interaction?
Social Engineering
____ uses influence and persuasion to deceive people by convincing them that the social engineer is someone he isn't, or by manipulation.
Social Engineering
Adware
Software that can be installed without a user's knowledge; its main purpose is to determine users' purchasing habits.
Piggybacking
Sometimes security testers need to enter part of a building that's restricted to authorized personnel. In this case, a tester or an attacker uses a technique called piggybacking. Piggybacking is trailing closely behind an employee who has access to an area without the person realizing you didn't use a PIN or a security badge to enter the area. Those skilled in piggybacking watch authorized personnel enter secure areas and wait for the opportune time to join them quickly at the security entrance.
Based on the packet capture shown in the graphic, what is contained in the highlighted section of the packet?
Source and destination IP addresses
Channels
Specific frequency ranges within a frequency band in which data is transmitted.
These are individuals that may carry out an attack even if they know there is a high chance of them getting caught and serving a long prison term.
Suicide hackers
Which of the following is a Windows-based port scanner designed to scan TCP and UDP ports, perform ping scans, run Whois queries, and use Traceroute?
Superscan
Which network device can block sniffing to a single network collision domain, create VLANS, and make use of SPAN ports and port mirroring?
Switch
A(n) ____________________ attack takes advantage of the way that most hosts implement the TCP three-way handshake.
TCP SYN
Which of the following is not a Trojan?
TCPTROJAN
Which of the following tests is designed to simulate an attack against technology from either the inside or the outside depending on the goals and intentions of the client?
Technical attack
Conversion Specifiers
Tell the compiler (for example in a printf format string) how to interpret and convert the value of each argument, such as %d for an integer or %s for a string.
How can computer criminals use the Whois utility for their purposes?
The Whois utility is a commonly used tool for gathering IP address and domain information. With just a company's Web address, you can discover a tremendous amount of information. Unfortunately, attackers can also make use of this information. Often companies don't realize that they're publishing information on the Web that computer criminals can use. The Whois utility gives you information on a company's IP addresses and any other domains the company might be part of.
From the attacker's point of view, what is the primary weakness in a DoS attack?
The attack must be sustained
SHORT ANSWER Describe physical intrusion as a social engineering technique.
The foremost traditional technique of social engineering is physical intrusion, whereby social engineers physically enter the premises of an organization or the workstations of employees for the sole purpose of collecting information. Any unauthorized entry plan uses the same kinds of research and reconnaissance. "Casing the joint" before a physical intrusion usually includes: * Learning the schedules of the organization * Knowing the floor plan of the building or buildings * "Baselining" the security procedures
Worldwide Interoperability for Microwave Access (WiMAX)
The most common implementation of the 802.16 MAN standard. See also metropolitan area networks (MANs).
You have noticed the following in your logs. What was the attacker trying to do? [View full width] GET/%c0%af..%c0%af..%c0%af..%c0%af..C:/mydocuments/home/cmd.exe? /c+nc+-l+-p+8080+-e+cmd .exe HTTP/1.1
The purpose of the entry was an attempt to install Netcat as a listener on port 8080 to shovel a command shell back to the attacker.
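Detection logic for the kind of request in the question above, as an added example (not from the textbook): it percent-decodes each logged request the way a permissive server would, maps the overlong UTF-8 sequence %c0%af back to the slash it stands for, decodes a second time to catch double-encoded variants, and then looks for directory traversal, a command shell, and a Netcat listener. The log lines are constructed; the first reproduces the request from the question.

```python
"""Spot IIS-style Unicode/double-decode traversal in web logs (added example)."""
import re
from urllib.parse import unquote_to_bytes

# Overlong UTF-8 forms that old IIS decoded to '/' and '\' only after its
# path check had run (two-byte overlong encodings of 0x2F and 0x5C).
OVERLONG = {b"\xc0\xaf": b"/", b"\xc1\x9c": b"\\"}

REQUEST = re.compile(r"(GET|POST|HEAD)\s*(.+?)(?:\s+HTTP/\d\.\d|$)")
TRAVERSAL = re.compile(rb"(^|/)\.\.(/|$)")
SHELL = re.compile(rb"(cmd\.exe|/bin/sh)", re.IGNORECASE)
NETCAT = re.compile(rb"\bnc\b.*-l.*-p\s*(\d+)")   # nc -l -p <port>


def normalise(path: str) -> bytes:
    """Decode the way a permissive server would: percent-decode, map the
    overlong sequences to the separator they stand for, decode once more
    to catch double encoding (%255c -> %5c -> '\\'), unify separators."""
    raw = unquote_to_bytes(path)
    for overlong, plain in OVERLONG.items():
        raw = raw.replace(overlong, plain)
    raw = unquote_to_bytes(raw)
    return raw.replace(b"\\", b"/").replace(b"+", b" ")


def inspect(line: str) -> list:
    """Return a list of findings for one log line (empty when benign)."""
    m = REQUEST.search(line)
    if not m:
        return []
    decoded = normalise(m.group(2))
    findings = []
    if TRAVERSAL.search(decoded):
        findings.append("traversal")
    if SHELL.search(decoded):
        findings.append("command-shell")
    nc = NETCAT.search(decoded)
    if nc:
        findings.append("netcat-listener:" + nc.group(1).decode())
    return findings


# Constructed sample log lines; the first is the request from the question.
SAMPLE_LOG = [
    "GET/%c0%af..%c0%af..%c0%af..%c0%af..C:/mydocuments/home/cmd.exe? "
    "/c+nc+-l+-p+8080+-e+cmd.exe HTTP/1.1",
    '203.0.113.5 - - [18/Sep/2001:10:12:03 +0000] '
    '"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 512',
    '198.51.100.9 - - [18/Sep/2001:10:12:04 +0000] '
    '"GET /index.html HTTP/1.1" 200 2048',
]


def scan_log(lines):
    """Map line index -> findings for every line that is not benign."""
    hits = {}
    for i, line in enumerate(lines):
        findings = inspect(line)
        if findings:
            hits[i] = findings
    return hits


if __name__ == "__main__":
    for i, findings in scan_log(SAMPLE_LOG).items():
        print(i, findings)
```

Matching on the decoded path rather than on the raw %c0%af string is the point: the same traversal can be written as %2e%2e%2f, ..%5c, ..%255c and so on, and a signature keyed to one spelling misses the rest.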
Keyspace
The range of all possible key values contained in an encryption algorithm. See also key.
You have become worried that one of your co-workers accessed your computer while you were on break and copied the secring.skr file. What would that mean?
The secring.skr file contains the PGP secret key. PGP is regarded as secure because a strong passphrase is used and the secret key is protected. The easiest way to break into an unbreakable box is with the key. Therefore, anyone who wants to attack the system will attempt to retrieve the secring.skr file before attempting to crack PGP itself
Network Security
The security of computers or devices that are part of a network infrastructure.
Computer Security
The security of stand-alone computers that aren't part of a network infrastructure.
Where will an attacker find the system password file in a Linux machine that is restricted to root and contains encrypted passwords?
/etc/shadow. The shadow file is readable only by root and holds the password hashes, so that ordinary users (and attackers without root) cannot read them from the world-readable /etc/passwd.
Buffer overflows can be a serious problem. Which of the following C/C++ functions perform bound checks?
strncat. It accepts a length parameter that limits the number of characters appended; to be safe, that count must be no larger than the space remaining in the destination buffer (its size minus the length of the string already in it, minus one for the terminating null). Unlike strcat, which copies until it finds a null in the source, the bound stops the copy.
SHORT ANSWER How are hackers commonly categorized?
There are distinct groups of hackers; however, the membership between groups is fluid. There are two ways commonly used to categorize them: * The first is the simplest —White Hat good hackers vs. Black Hat bad hackers. * The second is based loosely on psychological profiling and is a more complicated and more useful way to understand the motivations of hackers.
SHORT ANSWER What are the TCP flags?
There are six classic TCP flags: URG, ACK, PSH, RST, SYN, and FIN (later RFCs added ECE and CWR for congestion notification). A packet can have more than one flag set; this is written with the flag names separated by a slash, such as SYN/ACK, or a comma, such as ACK, FIN. SYN/ACK says the packet is both synchronizing with the sender and acknowledging the received packet. The opening SYN carries a single flag, but almost every packet after it also carries ACK, so combinations such as SYN/ACK, FIN/ACK, and PSH/ACK are normal. You should never see an RST/FIN packet, because both flags are ways of ending the session and do not make sense together. Packets with unusual combinations of three or more flags are probably attempts to crash or fingerprint your machine. A packet with all six flags set is called a "Christmas Tree packet" or a "Nastygram." Newer implementations of TCP/IP usually drop packets like this.
Which is NOT true about enterprise networks and firewall solutions?
They are usually easier to manage and secure.
What does the following command achieve? telnet <IP address> 80, then HEAD / HTTP/1.0 <Return> <Return>
This sequence returns the HTTP banner (the status line and response headers, including the Server header) of the Web site at the specified IP address; the blank second Return terminates the request.
UDP scanning
This equates to scanning 65,535 computers in 3 to 7 seconds, which brings UDP scanning to a new level. Most scanners using UDP scans can just make best guesses when trying to determine whether a port is closed, open, or filtered. Many security testers consider UDP scanning an unreliable method of discovering live systems on a network. Although Unicornscan can handle TCP, ICMP, and IP port scanning, it optimizes UDP scanning beyond the capabilities of any other port scanner. Unicornscan is included on the BackTrack DVD along with a Web-based Unicornscan analysis tool.
#!/bin/sh
This line is important because it identifies the file you're writing as a script. You should enter a few lines of documentation in any scripts or programs you write because they help with program modifications and maintenance done later. When a line is used for documentation purposes, it's preceded with a # character
Which of the following statements is NOT true about dictionary-based virus detection?
This method can detect both viruses that it knows about and those it does not know about.
Systems Management Server (SMS)
This service includes detailed hardware inventory, software inventory and metering, software distribution and installation, and remote troubleshooting tools.
Connect scan
This type of scan relies on the attacked computer's OS, so it's a little more risky to use. A connect scan is similar to a SYN scan, except that it does complete the three-way handshake. This means the attacked computer most likely logs the transaction or connection, indicating that a session took place. Therefore, unlike a SYN scan, a connect scan isn't stealthy and can be detected easily.
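How a scanner turns each reply into a port state, as an added example tying together the connect scan above, the NULL scan card, the "closed port answers RST" card, and the -sS/-sU option. It is not code from the textbook; replies are modelled as plain Python values so it runs offline, whereas a real scanner reads them off the wire.

```python
"""Interpret scan probe replies as port states (added example)."""

TCP_FLAGS = {"URG", "ACK", "PSH", "RST", "SYN", "FIN"}

# Probe flags each scan type sends (what the -s option tells Nmap to emit).
PROBES = {
    "syn": {"SYN"},                 # -sS half-open: never sends the final ACK
    "connect": {"SYN"},             # -sT: the OS completes the three-way handshake
    "null": set(),                  # -sN: no flags at all
    "fin": {"FIN"},                 # -sF
    "xmas": {"FIN", "PSH", "URG"},  # -sX
}


def classify_tcp(scan: str, reply) -> str:
    """reply is the set of flags in the reply packet, or None when nothing
    came back before the timeout. Returns open / closed / filtered /
    open|filtered."""
    if scan not in PROBES:
        raise ValueError(f"unknown scan type: {scan}")
    if reply is not None and not set(reply) <= TCP_FLAGS:
        raise ValueError(f"unknown flags: {set(reply) - TCP_FLAGS}")
    if scan in ("syn", "connect"):
        # RFC 793: an open port answers SYN/ACK, a closed port answers RST.
        # No answer means something in the path dropped the probe.
        if reply is None:
            return "filtered"
        if {"SYN", "ACK"} <= set(reply):
            return "open"
        if "RST" in reply:
            return "closed"
        return "filtered"
    # NULL / FIN / XMAS: an RFC 793 host silently ignores a probe without
    # SYN to an open port but answers RST for a closed one, so silence
    # cannot separate "open" from "filtered".
    if reply is None:
        return "open|filtered"
    if "RST" in reply:
        return "closed"
    return "filtered"


def classify_udp(reply) -> str:
    """reply is None, ("udp",) for a datagram back, or ("icmp", type, code)."""
    if reply is None:
        return "open|filtered"          # a UDP service need not answer at all
    kind, *detail = reply
    if kind == "udp":
        return "open"
    if kind == "icmp" and detail[0] == 3:
        if detail[1] == 3:                   # port unreachable
            return "closed"
        if detail[1] in (1, 2, 9, 10, 13):   # host/net/admin prohibited
            return "filtered"
    return "open|filtered"


def completes_handshake(scan: str) -> bool:
    """Only the connect scan finishes the handshake, so only it shows up
    as an accepted connection in the target's application logs."""
    return scan == "connect"
```

The caveat behind the "relies on the OS" wording: the NULL/FIN/XMAS branch assumes an RFC 793 stack. Windows and several network devices answer RST to any probe, open or closed, so against them every port reads as closed and a SYN scan is the reliable choice.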
IPX/SPX
Internetwork Packet Exchange/Sequenced Packet Exchange, Novell's legacy NetWare protocol suite. Starting with NetWare 5, which emphasized a windowed environment instead of command-line utilities, TCP/IP replaced IPX/SPX as the default protocol.
Why use Google hacking?
To fine-tune search results
What is the role of social engineering?
To gain information from human beings
What is Tor used for?
To hide the origin of scanning or other traffic by routing it through the Tor anonymity network
What is the purpose of a proxy?
To keep a scan hidden
Which of the following is NOT one of the key goals of a backdoor?
To obtain a Trojan construction kit
What are the steps to spoof a trusted machine relationship?
To spoof a trusted machine relationship, the attacker must: * Identify the target pair of trusted machines * Anesthetize the host the attacker intends to impersonate (take it offline, typically with a DoS, so it cannot answer) * Forge the address of the host the attacker is pretending to be * Connect to the target as the assumed identity * Accurately guess the correct TCP sequence number
Toby is concerned that some of the workers in the R&D facility have been asking about wireless networking. After discussing this with the plant's security manager, Toby gets approval to implement a policy that does not allow any wireless access. What else does Toby need to do besides create the policy?
Toby should provide employee awareness activities to make sure that employees know about the new policy AND perform periodic site surveys to test for rogue access points.
Whois
Tool to gather ip and domain information
Which tool can trace the path of a packet?
Tracert
____ is a change in the position or order of letters or words, as in an anagram.
Transposition
SNMP is used to perform which function in relation to hardware?
Trap messages
Which DDoS tool uses TCP port 6667?
Trinity uses TCP port 6667.
The functionality of Tripwire could best be compared to which of the following?
Tripwire provides integrity assurance. Tripwire looks for changes that may have occurred from hackers or malicious software. By monitoring attributes of files that typically do not change, such as binary signatures, size, changes in size, or integrity scans, Tripwire can be useful for detecting intrusions, attacks, and the corruption of data.
Port 69
Trivial File Transfer Protocol - (TFTP)
A UDP packet is usually smaller than a TCP packet. True or False?
True
Process isolation provides extra protection against catastrophic failure of a system by ensuring that one process crashing will not take others with it.
True
Public key infrastructure (PKI) addresses storing, managing, distributing, and maintaining keys and digital certificates securely.
True
Rainbow tables compute every possible combination of characters prior to capturing a password so that the attacker can then capture the password hash from the network and compare it with the hashes that have already been generated.
True
Security testers can use Hping to bypass filtering devices. True or False?
True
SolarWinds has the ability to generate network maps that can be viewed in products such as Microsoft's diagramming product Visio.
True
Some cookies can cause security issues because unscrupulous people might store personal information in cookies that can be used to attack a computer or server. True or False?
True
Special-purpose Live CDs include firewall applications, rescue disks, and security tools.
True
Substitution, transposition, stream, and block are common forms of ciphers.
True
Symmetric encryption is inherently faster than asymmetric encryption due to the nature of the computations performed.
True
T/F: Hacking requires that the practitioner be intimately familiar with the techniques of the perpetrator or opponent.
True
T/F: Internet footprinting is a technical method of reconnaissance, which interests budding hackers and network security specialists alike.
True
T/F: Most social engineering attacks are opportunistic: the hacker uses whatever technique he or she thinks fits the situation.
True
T/F: Reconnaissance is not by definition illegal, and many reconnaissance techniques are completely legal.
True
Which of the following is not considered an optional part of a virus program?
Virus programs have two required components, which include search routines and infection routines. The infection routine is the portion of the virus responsible for copying the virus and attaching it to a suitable host.
Net 192.168.1.0/24
Wireshark command that displays traffic to or from the subnet 192.168.1.0/24
This symmetric encryption is considered weak because the same clear-text input will produce the same cipher-text output.
With DES electronic code book (ECB), the identical plaintext encrypted with the same key will always produce the same ciphertext.
Connectionless
With a connectionless protocol, no session connection is required before data is transmitted. UDP and IP are examples of connectionless protocols.
_______ ________ is the most critical step of the testing process
Written approval
Closed ports respond to a(n) ____ with an RST packet. (XMAS scan, SYN scan, Connect scan, ACK scan)
XMAS scan
What organization designates a person as a CISSP? a. International Information Systems Security Certification Consortium (ISC2) b. EC-Council c. SANS Institute d. GIAC
a. International Information Systems Security Certification Consortium (ISC2)
Typical categories of databases include all of the following EXCEPT:
applied database
Which of the following commands should you use to determine whether there are any shared resources on a Windows computer with the IP address 193.145.85.202? a. netstat -c 193.145.85.202 b. nbtscan -a 193.145.85.202 c. nbtstat -a 193.145.85.202 d. nbtstat -a \\193.145.85.202
c. nbtstat -a 193.145.85.202
Dig
can be done with the Dig command. (For those familiar with the Nslookup command, Dig is now the recommended command.) To determine a company's primary DNS server, you can look for a DNS server containing a Start of Authority (SOA) record. An SOA record shows for which zones or IP addresses the DNS server is responsible. After you determine the primary DNS server, you can perform another zone transfer to see all host computers on the company network. In other words, the zone transfer gives you an organization's network diagram. You can use this information to attack other servers or computers that are part of the network infrastructure.
Sniffers can be used to:
capture information
Enumeration of Windows systems can be more difficult if port _______ is filtered. a. 110/UDP b. 443/UDP c. 80/TCP d. 139/TCP
d. 139/TCP
Which protocol uses UDP? a. FTP b. Netstat c. Telnet d. TFTP
d. TFTP
The act of a third party covertly monitoring Internet and telephone conversations is called:
wiretapping
Port number ________ is used for SMTP.
25
Nmap
A security tool used to identify open ports and detect services and OSs running on network systems.
Remote Procedure Call (RPC)
An interprocess communication mechanism that allows a program running on one host to run code on a remote host.
_______________ uses trusted devices.
Bluetooth
Firewalls provide very little protection to a database server.
False
Linux antivirus software can't detect backdoor Trojans. True or False?
False
Linux can be operated only from the command line.
False
Symmetric encryption is also called public key cryptography.
False
T/F: Breaking CD-ROMs is sufficient to destroy their data, as data cannot be recovered from broken disks.
False
T/F: Making money is a rare motive among all classes of hacker.
False
T/F: The strongest link in any security scheme is the user.
False
T/F: Viruses are indiscriminate in their damaging effects, but only expert hackers can set one loose.
False
The HTTP CONNECT method starts a remote application-layer loopback of the request message. True or False?
False
The Nbtstat command is used to enumerate *nix systems. True or False?
False
The Ping of Death is an exploit that sends multiple ICMP packets to a host faster than the host can handle. True or False?
False
The ever-increasing amount of personal information that people put online themselves has made gathering information on human beings more difficult.
False
The first viruses debuted in the "wild" in the 1990s as ways to destroy exam records at universities.
False
The goals of confidentiality and integrity are basically the same.
False
Server understands request but refuses to comply
HTTP 403 Forbidden
Unable to match request
HTTP 404 Not Found
Why is an SPI firewall more resistant to flooding attacks?
It examines each packet in the context of previous packets.
In comparing a packet filter firewall with a stateful packet inspection firewall (SPI), the SPI firewall is:
LESS susceptible to ping and SYN floods and LESS susceptible to IP spoofing.
____ comes bundled with Windows. Network Monitor, a component of Microsoft Systems Management Server (SMS), enables you to detect and troubleshoot problems on LANs, WANs, and serial links running the Microsoft Remote Access Server (RAS).
Network Monitor
____________________ is the process of identifying domain names as well as other resources on the target network.
Network enumeration
1. Cross-site scripting (XSS) flaws 2. Injection flaws and malicious file execution 3. Unsecured direct object reference 4. Cross-site request forgery (CSRF) 5. Information leakage and incorrect error handling 6. Session management 7. Unsecured cryptographic storage 8. Unsecured communication 9. Failure to restrict URL access
OWASP Top ten list
Which of the following is a method of identifying the OS of a targeted computer or device in which no traffic or packets are injected into the network and attackers simply listen to and analyze existing traffic?
Passive fingerprinting
Nmap is required to perform what type of scan?
Port Scan
Port 110
Post Office Protocol 3 - (POP3)
Which of the following is commonly known as misuse detection because it attempts to detect activities that may be indicative of misuse or intrusions?
Signature recognition
T/F: Block ciphers operate on blocks of data.
TRUE
T/F: DSS stands for the United States government's Digital Signature Standard, which is based on the Digital Signature Algorithm (DSA).
TRUE
T/F: Hunt performs sniffing in addition to session hijacking.
TRUE
Looping
The act of performing a task over and over.
How is black-box testing performed?
With no knowledge
What's the hexadecimal equivalent of the binary number 1111 1111? a. FF b. 255 c. EE d. DD
a. FF
What is the primary goal of PKI?
hashing
Web application exploits include:
•Theft of information such as credit cards or other sensitive data •The ability to update application and site content •Server-side scripting exploits •Buffer overflows •Domain Name Server (DNS) attacks •Destruction of data
SNMP Trap port
162
Why is SYN flood attack detectable?
A SYN flood disrupts Transmission Control Protocol (TCP) by sending a large number of fake packets with the SYN flag set. This large number of half open TCP connections fills the buffer on victim's system and prevents it from accepting legitimate connections.
You have been able to intercept many packets with Wireshark that are addressed to the broadcast address on your network and are shown to be from the web server. The web server is not sending this traffic, so it is being spoofed. What type of attack is the network experiencing?
A Smurf attack uses ICMP to send traffic to the broadcast address and spoof the source address to the system under attack.
ACK
A TCP flag that acknowledges a TCP packet with SYN-ACK flags set.
SYN
A TCP flag that signifies the beginning of a session.
What is the purpose of a Web bug? How do they relate to or differ from spyware?
A Web bug is a 1-pixel x 1-pixel image file referenced in an <IMG> tag, and it usually works with a cookie. Its purpose is similar to that of spyware and adware: to get information about the person visiting the Web site. Web bugs are not from the same Web site as the Web page creator. They come from third-party companies specializing in data collection. Security professionals need to be aware of cookies and Web bugs to keep these information-gathering tools off company computers.
Asynchronous JavaScript and XML (AJAX)
A Web development technique used for interactive Web sites, such as Facebook and Google Apps; this development technique makes it possible to create the kind of sophisticated interface usually found on desktop programs.
WebGoat
A Web-based application designed to teach security professionals about Web application vulnerabilities.
Network Basic Input Output System (NetBIOS)
A Windows programming interface that allows computers to communicate across a LAN.
Domain Controller
A Windows server that stores user account information, authenticates domain logons, maintains the master database, and enforces security policies for a Windows domain.
Identify the purpose of the following trace. 11/14-9:01:12.412521 0:D0:9:7F:FA:DB -> 0:2:B3:2B:1:4A type:0x800 len:0x3A 192.168.13.236:40465 -> 192.168.13.235:1 TCP TTL:40 TOS:0x0 ID:5473 IpLen:20 DgmLen:40 *UP**F Seq: 0x0 Ack: 0x0 Win: 0x400 TcpLen: 20 UrgPtr: 0x0 =+=+=+=+=+=+=+=+=+=+
An XMAS scan, as the Urgent, Push, and FIN flags are set. Answer A is not correct, as an ACK scan would show an ACK flag.
Which of the following describes a programmable lock that uses a keypad for entering a PIN number or password?
A cipher lock is one in which a keypad is used for entering a PIN or password. These are commonly used on secured doors to control access.
Substitution Cipher
A cipher that maps each letter of the alphabet to a different letter. The Book of Jeremiah was written by using a substitution cipher called Atbash.
Assembly Language
A combination of hexadecimal numbers and expressions, such as mov, add, and sub, so writing programs in this language is easier than in machine language.
NetBIOS Extended User Interface (NetBEUI)
A fast, efficient protocol that allows transmitting NetBIOS packets over TCP/IP and various network topologies, such as token ring and Ethernet.
Cryptanalysis
A field of study devoted to breaking encryption algorithms.
Virus Signature File
A file maintained by antivirus software that contains signatures of known viruses; antivirus software checks this file to determine whether a program or file on your computer is infected.
Which of the following regulates the flow of traffic between different networks?
A firewall
What is a firewall?
A firewall is an appliance within a network that is designed to protect internal resources from unauthorized external access.
Application-Aware Firewall
A firewall that inspects network traffic at a higher level in the OSI model than a traditional stateful packet inspection firewall does.
Ruby
A flexible, object-oriented programming language similar to Perl.
Pretty Good Privacy (PGP)
A free e-mail encryption program that allows typical users to encrypt e-mails.
Hashing Algorithm
A function that takes a variable-length string or message and produces a fixed-length hash value, also called a message digest. See also message digest.
Botnet
A group of multiple computers, usually thousands, that behave like robots to conduct an attack on a network. The computers are called zombies because their users aren't aware their systems are being controlled by one person. See also zombies.
Which is NOT true about a buffer overflow attack?
A hacker does not need a good working knowledge of some programming language to create a buffer overflow.
A full-open scan means that the three-way handshake has been completed. What is the difference between this and a half-open scan?
A half-open does not include the final ACK
Cipher
A key that maps each letter or number to a different letter or number.
What separates a suicide hacker from other attackers?
A lack of fear of being caught
Encryption Algorithm
A mathematical formula or method for converting plaintext into ciphertext.
Competitive Intelligence
A means of gathering information about a business or an industry by using observation, accessing public information, speaking with employees, and so on.
Piggybacking
A method attackers use to gain access to restricted areas in a company. The attacker follows an employee closely and enters the area with that employee.
Digital Signature
A method of signing messages by using asymmetric encryption that ensures authentication and nonrepudiation. See also authentication and nonrepudiation.
Zone transfer
A method of transferring records from a DNS server to use in analysis of a network.
Rootkit
A program created after an attack for later use by the attacker; it's usually hidden in the OS tools and is difficult to detect. See also backdoor.
Backdoor
A program that an attacker can use to gain access to a computer at a later date. See also rootkit.
Virus
A program that attaches itself to a host program or file.
Compiler
A program that converts a text-based program, called source code, into executable or binary code.
Trojan Program
A program that disguises itself as a legitimate program or application but has a hidden payload that might send information from the attacked computer to the creator or to a recipient located anywhere in the world.
Worm
A program that replicates and propagates without needing a host.
ActiveX Data Objects (ADO)
A programming interface for connecting a Web application to a database.
Server Message Block (SMB)
A protocol for sharing files and printers and providing a method for client applications to read, write to, and request services from server programs in a network. SMB has been supported since Windows 95.
Connection-oriented Protocol
A protocol for transferring data over a network that requires a session connection before data is sent. In TCP/IP this step is accomplished by sending a SYN packet.
Path-Vector Routing Protocol
A protocol that uses dynamically updated paths or routing tables to transmit packets from one autonomous network to another.
Secure Multipurpose Internet Mail Extension (S/MIME)
A public key encryption standard for encrypting and digitally signing e-mail. It can also encrypt e-mails containing attachments and use PKI certificates for authentication.
Access Point (AP)
A radio transceiver that connects to a network via an Ethernet cable and bridges a wireless network with a wired network.
Common Internet File System (CIFS)
A remote file system protocol that enables computers to share network resources over the Internet.
A retina scan is a scan of which of the following?
A retinal scan examines the blood vessel patterns of the retina; it offers a unique method of identification. It's a form of biometric authentication used for high-security areas, such as military and bank facilities.
MAC spoofing applies a legitimate MAC address to an unauthenticated host, which allows the attacker to pose as a valid user. Based on your understanding of ARP, what would indicate a bogus client?
A reverse ARP request maps to two hosts
What is a Root kit?
A root kit is software used to hide a system compromise.
Distance-Vector Routing Protocol
A routing protocol that passes the routing table (containing all possible paths) to all routers on the network. If a router learns one new path, it sends the entire routing table again, which isn't as efficient as a link-state routing protocol.
Link-State Routing Protocol
A routing protocol that uses link-state advertisements to send topology changes or new paths to other routers on the network. This method is efficient because only new information is sent, not the entire routing table.
Active Server Pages (ASP)
A scripting language for creating dynamic Web pages.
What is a security audit?
A security audit is an inspection focused on policy and procedures.
OpenVAS
A security tool for conducting port scanning, OS identification, and vulnerability assessments. A client computer (*nix or Windows) must connect to the server to perform the tests.
Key
A sequence of random bits used in an encryption algorithm to transform plaintext into ciphertext, or vice versa.
ColdFusion
A server-side scripting language for creating dynamic Web pages; supports a wide variety of databases and uses a proprietary markup language known as CFML.
Object Linking and Embedding Data Base (OLE DB)
A set of interfaces enabling Web applications to access diverse database management systems.
What is a signature?
A signature is algorithmic output that is designed to ensure the authenticity of the sender.
Web Bug
A small graphics file referenced in an <IMG> tag, used to collect information about the user. This file is created by a third-party company specializing in data collection.
Demilitarized Zone (DMZ)
A small network containing resources that sits between the Internet and the internal network, sometimes referred to as a "perimeter network." It's used when a company wants to make resources available to Internet users yet keep the company's internal network secure.
Real-time Operating System (RTOS)
A specialized embedded OS designed with algorithms aimed at multitasking and responding predictably; used in devices such as programmable thermostats, appliance controls, planes, and spacecraft.
Open Database Connectivity (ODBC)
A standard database access method that allows a Web application to interact with a variety of database management systems.
Triple Data Encryption Standard (3DES)
A standard developed to address the vulnerabilities of DES; it improved security, but encrypting and decrypting data take longer.
RC4
A stream cipher created by Ronald L. Rivest that's used in WEP wireless encryption.
Public Key Infrastructure (PKI)
A structure consisting of programs, protocols, and security policies. PKI uses public key cryptography to protect data traversing the Internet.
Narrowband
A technology that uses microwave radio band frequencies to transmit data. The most popular uses of this technology are cordless phones and garage door openers.
Machine Code
A term for code executed directly by a computer's central processing unit. The most basic computer language.
In Linux, you issue commands from a command line using which of the following?
A terminal window
Cookie
A text file containing a message sent from a Web server to a user's Web browser to be used later when the user revisits the Web site.
Certification Authority (CA)
A third party, such as VeriSign, that vouches for a company's authenticity and issues a certificate binding a public key to a recipient's private key.
Anomaly Detectors
A type of IDS that sends alerts on network traffic varying from a set baseline.
Phishing
A type of attack carried out by e-mail; e-mails include links to fake Web sites intended to entice victims into disclosing private information or installing malware.
SQL injection
A type of exploit that takes advantage of poorly written applications. An attacker can issue SQL statements by using a Web browser to retrieve data, change server settings, or possibly gain control of the server.
Spear Phishing
A type of phishing attack that targets specific people in an organization, using information gathered from previous reconnaissance and footprinting; the goal is to trick recipients into clicking a link or opening an attachment that installs malware.
Which is/are a characteristic of a virus?
A virus is malware. A virus replicates with user interaction.
Macro Virus
A virus written in a macro programming language, such as Visual Basic for Applications.
Malware
Malicious software, such as a virus, worm, or Trojan program, used to shut down a network and prevent a business from operating.
What is the difference between a vulnerability and an exploit?
A vulnerability is the weakness. An exploit is the way to abuse that weakness.
Which of the following best describes PGP?
A way of encrypting data in a reversible method
Which best describes a vulnerability scan?
A way to automate the discovery of vulnerabilities
Which of the following best describes a vulnerability?
A weakness
SHORT ANSWER What are the main properties of Diffie-Hellman?
A weakness of symmetric-key cryptography is that the shared key must be exchanged between the two parties before they can encrypt and decrypt their communications. Diffie-Hellman is an algorithm that was developed to solve this problem, as it allows two parties who do not have prior knowledge of each other to establish a shared secret key over a public, insecure channel. Diffie-Hellman is currently considered secure, an assumption that rests upon the difficulty of solving the Diffie-Hellman problem, a mathematical problem proposed by Whitfield Diffie and Martin Hellman. To date, no easy solutions have been found for this problem.
Wireless Personal Area Network (WPAN)
A wireless network specified by the 802.15 standard; usually means Bluetooth technology is used, although newer technologies are being developed. It's for one user only and covers an area of about 10 meters.
Ad-hoc Network
A wireless network that doesn't rely on an AP for connectivity; instead, independent stations connect to each other in a decentralized fashion.
Which of the following is/are true of a worm?
A worm is malware; a worm replicates on its own.
Which of the following statements is most correct? A. Active fingerprinting tools inject packets into the network B. Passive fingerprinting tools inject traffic into the network C. Nmap can be used for passive fingerprinting D. Passive fingerprinting tools do not require network traffic to fingerprint an operating system
A. Active fingerprinting tools inject packets into the network
typically used to get past a firewall
ACK scan
Which covert communication program has the capability to bypass router ACLs that block incoming SYN traffic on port 80?
ACKCMD uses TCP ACK packets to bypass ACLs that block incoming SYN packets.
IPsec uses which two modes?
AH/ESP
If you need to find a domain that is located in Canada the best RIR to check first would be __________________.
ARIN
A(n) ____ stores the IP address and the corresponding Media Access Control (MAC) address of the computer that would be notified to send data.
ARP Table
What technique funnels all traffic back to a single client, allowing sniffing from all connected hosts?
ARP poisoning
Modifying the Address Resolution Protocol (ARP) table for hacking purposes is called ____________________.
ARP spoofing
A(n) ____ on a computer stores the IP address and the corresponding MAC address.
ARP table
____, the precursor to the Internet, appeared in ____.
ARPANET, 1969
Why is ATM shoulder surfing much easier than computer shoulder surfing?
ATM theft is much easier than computer shoulder surfing because a keypad has fewer characters to memorize than a computer keyboard. If the person throws away the receipt in a trash can near the ATM, the shoulder surfer can match the PIN with an account number and then create a fake ATM card. Often shoulder surfers use binoculars or high-powered telescopes to observe PINs being entered, making it difficult to protect against this attack.
___ is a reasonably priced commercial port scanner with a GUI interface. (AW Security Port Scanner, Common Vulnerabilities and Exposures, Ethereal, Tcpdump)
AW Security Port Scanner
Footprinting has two phases. What are they?
Active and Passive
Which of the following is a form of OS fingerprinting that involves actively requesting information from the target system?
Active fingerprinting
___________________ are scripting languages (select two)
ActiveX and CGI
Documentation
Add comments to the code that explain what you're doing.
Which of the following controls fit in the area of policy and procedure?
Administrative
The ____________________, also known as Rijndael, is a block cipher adopted as an encryption standard by the U.S. government.
Advanced Encryption Standard (AES)
Pablo has set up a Linux PC with Airsnarf that he is planning to take down to the local coffee shop. What type of activity is he planning?
Airsnarf is a rogue access point program that can be used to steal usernames and passwords from public wireless hotspots.
What can be configured in most search engines to monitor and alert you of changes to content?
Alerts
Which is true about SonicWALL firewall solutions?
All models contain built-in encryption.
When scanning a network via a hardline connection to a wired-switch NIC in promiscuous mode, what would be the extent of network traffic you would expect to see?
All nodes attached to the same port
What is another way used to describe Ethernet? A. Collision detection B. Sends traffic to all nodes on a hub C. CSMA/CD D. All of the above
All of the above
POST
Allows data to be posted (that is, sent) to a web server.
Public Key Cryptography
Also known as asymmetric key cryptography, an asymmetric algorithm that uses two mathematically related keys.
Which of the following best describes HTTP?
Although HTTP uses TCP as a transport, it is considered a stateless connection because the TCP session does not stay open waiting for multiple requests and their responses.
SHORT ANSWER What are some of the most popular scanner tools?
Although the earliest scanners were based on UNIX platforms, they are currently available for Windows and Macintosh platforms. Some popular scanners that can be easily found are: * Nessus * Network Mapper (Nmap) * Security Auditor's Research Assistant (SARA) * Security Administrator's Integrated Network Tool (SAINT) * Strobe * Cheops
An open source software circuit level gateway is available from which of the following?
Amrita Labs
Wired Equivalent Privacy (WEP)
An 802.11b standard developed to encrypt data traversing a wireless network.
Wi-Fi Protected Access (WPA)
An 802.11i standard that addresses WEP security vulnerabilities in 802.11b; improves encryption by using Temporal Key Integrity Protocol (TKIP). See also Wired Equivalent Privacy (WEP).
Pseudocode
An English-like language you can use to help create the structure of your program.
What is an IDS?
An IDS is a hardware or software device that examines streams of packets for unusual or malicious behavior
802.1X Standard
An IEEE standard that defines the process of authenticating and authorizing users on a network before they're allowed to connect.
Station (STA)
An addressable unit in a wireless network. A station is defined as a message destination and might not be a fixed location.
Infrared (IR)
An area in the electromagnetic spectrum with a frequency above microwaves; an infrared signal is restricted to a single room or line of sight because IR light can't penetrate walls, ceilings, or floors. This technology is used for most remote controls.
Man-in-the-Middle Attack
An attack in which attackers place themselves between the victim computer and another host computer, and then intercept messages sent from the victim to the host and pretend to be the host computer.
Mathematical Attack
An attack in which properties of the encryption algorithm are attacked by using mathematical computations. Categories of this attack include ciphertext-only attack, known-plaintext attack, chosen-plaintext attack, chosen-ciphertext attack, and side-channel attack.
Replay Attack
An attack in which the attacker captures data and attempts to resubmit the data so that a device, such as a workstation or router, thinks a legitimate connection is in effect.
Dictionary Attack
An attack in which the attacker runs a password-cracking program that uses a dictionary of known words or passwords as an input file against the attacked system's password file.
Brute-force Attack
An attack in which the attacker uses software that attempts every possible combination of characters to guess passwords.
Distributed Denial-of-Service (DDoS) Attack
An attack made on a host from multiple servers or computers to deny legitimate users from accessing network resources.
Denial-of-Service (DoS) Attack
An attack made to deny legitimate users from accessing network resources.
Session Hijacking
An attack on a network that requires guessing ISNs. See also initial sequence number (ISN).
Which of the following best describes a buffer overflow attack?
An attack that attempts to put too much data in a memory buffer.
What is a mathematical attack?
An attack that targets properties of an algorithm using mathematical computations.
Protected EAP (PEAP)
An authentication protocol that uses Transport Layer Security (TLS) to authenticate the server to the client but not the client to the server; only the server is required to have a digital certificate.
Symmetric Algorithm
An encryption algorithm that uses only one key to encrypt and decrypt data. The recipient of a message encrypted with a key must have a copy of the same key to decrypt the message.
Extensible Authentication Protocol (EAP)
An enhancement to PPP designed to allow an organization to select an authentication method.
Syntax Error
An error that results when an instruction does not follow the syntax rules, or grammar, of the programming language.
Shell
An executable piece of programming code that creates an interface to an operating system for executing system commands.
Buffer Overflow Attack
An exploit written by a programmer that finds vulnerability in poorly written code that doesn't check for a predefined amount of memory space use, and then inserts executable code that fills up the buffer (an area of memory) for the purpose of elevating the attacker's permissions.
What is an external penetration test?
An external penetration test analyzes publicly accessible information and is conducted from outside the network.
Common Gateway Interface (CGI)
An interface that passes data between a Web server and a Web browser.
What is an internal penetration test?
An internal penetration test is performed from within the organization, from several network access points.
An overt channel is _________.
An obvious method of using a system
Samba
An open-source implementation of CIFS that allows *nix servers to share resources with Windows clients and vice versa.
Which of the following is the best definition of "sensitive information"?
Any information that, if accessed by unauthorized personnel, could damage your organization in any way
Which of the following types of privacy laws affect computer security?
Any privacy law applicable to your organization
List three measures for protecting systems on any network.
Any three of the following: having user awareness training programs, running antivirus tools, disabling unneeded services, filtering out unnecessary ports, installing security updates and patches, securing configurations, and reviewing logs
HTTP GET
As you learned in Chapter 3, HTTP operates on port 80. A security tester can pull information from a Web server by using HTTP methods. You've probably seen HTTP client error codes before, such as 404 Not Found. A basic understanding of HTTP can be beneficial to security testers, and you don't have to learn too many codes to get data from a Web server. If you know the return codes and response headers a Web server generates (for example, the Server header and the formatting of its error pages), you can often determine what Web server software and OS is used on the computer where you're conducting a security test. Table 4-2 lists common HTTP client errors, and Table 4-3 lists HTTP server errors that might occur.
Which of the following can be used to provide confidentiality and integrity?
Asymmetric encryption can provide both confidentiality and integrity (and authentication): encrypting with the recipient's public key gives confidentiality, and digital signatures, backed by digital certificates, give integrity and authentication.
SYN/ACK packet
Attackers typically use ACK scans to get past a firewall or other filtering device. A filtering device looks for the SYN packet, the first packet in the three-way handshake, that the ACK packet was part of. Remember this packet order: SYN, SYN/ACK, and ACK. If the attacked port returns an RST packet, the packet filter was fooled, or there's no packet-filtering device. In either case, the attacked port is considered to be "unfiltered."
Nmap
As most security professionals will tell you, Hollywood seldom depicts attackers actually hacking into a system. Typically, they're using a GUI program, frantically clicking or typing a decryption algorithm. One exception is The Matrix Reloaded. The female protagonist, Trinity, sits in front of a computer terminal and runs Nmap. She discovers that port 22 (SSH) is open, runs an SSHv1 CRC32 exploit (an actual bug in SSH) that allows her to change the root password to Z1ON0101, and then proceeds to shut down the grid. Moral of the story? Know your tools and exploits, and you might save the world. You don't have to memorize how each flag is set when running a port scan with Nmap. In fact, just typing the command nmap 193.145.85.201 scans the most commonly used ports on the computer with this IP address (add -p- to scan all 65,535 TCP ports). However, port scanning can be an involved process. Some attackers want to be hidden from network devices or IDSs that recognize an inordinate amount of pings or packets being sent to their networks, so they use stealth scans that are more difficult to detect. In the following activities, you become familiar with the basic Nmap commands and then learn some of the more complex options.
Birthday Attacks
Attacks used to find the same hash value for two different inputs and reveal mathematical weaknesses in a hashing algorithm.
What is a brute force attack?
Attempts every possible combination of characters against a target until the correct password is found
What utility may be used to stop auditing or logging of events?
Auditpol
How can vulnerability to flooding attacks be reduced with an application gateway?
Authenticating users
Which of the following is the most basic security activity?
Authenticating users
In IPsec, what does Authentication Header (AH) provide?
Authentication and integrity services (including anti-replay protection); AH does not provide confidentiality.
These individuals perform illegal activities.
Black hat hackers
What type of penetration testing is most often used when an organization wants to closely simulate how an attacker views a system?
Black-box testing
Which created a buffer overflow attack against a Windows flaw called the DCOM RPC vulnerability?
Blaster
____________________ is any kind of spoofing where only one side of the relationship under attack is in view.
Blind spoofing
Which of the following is a recommended configuration of a firewall to defend against DoS attacks?
Block ICMP packets that originate outside the network.
Which of the following is used to make calls or send text messages from the targeted device?
Bluebugging
Which of the following technologies emerged for the first time in 1998 and was designed to be a short-range networking technology that could connect different devices together?
Bluetooth
______________ is a short-range wireless technology.
Bluetooth
At what frequency does Bluetooth operate?
Bluetooth operates at 2.45GHz. It is available in three classes: 1, 2, and 3. It divides the bandwidth into narrow channels to avoid interference with other devices that use the same frequency.
Port 179
Border Gateway Protocol (BGP)
____ attacks use all possible combination of letters, numbers, and special characters to determine the target password.
Brute-force
Which password attack method tries every possible sequence of keys until the correct one is found?
Brute-force password attack
Common forms of distributed denial of service (DDoS) attacks include all of the following EXCEPT:
Buffer overflows
Which is a firewall vendor manufacturing a host-based firewall for Windows 2000 Server, Sun Solaris, and Red Hat Linux environments?
Check Point
Which firewall solution would be best for a large enterprise running Windows XP Professional and Linux operating systems, using the Internet, and requiring remote access to their Intranet server for field sales people?
Check Point Firewall-1
What is EDGAR used to do?
Check financial filings
____ hackers act as mentors to new hackers. They write scripts and tools that others use.
Coders
On a switch, each switchport represents a ____________.
Collision Domain
What kind of domain resides on a single switchport?
Collision Domain
SHORT ANSWER What are the main characteristics of commercial sniffers?
Commercial sniffers observe, monitor, and maintain information on a network. Some companies use sniffer programs to detect network problems. Commercial sniffers can be used for both fault analysis, which detects network problems, and performance analysis, which detects bottlenecks.
The first password hacks were a response to the ___________________________________, developed in the early 1960s and first loaded on an IBM mainframe at MIT.
Compatible Time Sharing System (CTSS)
If you can't gain enough information directly from a target, what is another option?
Competitive analysis
A white-box test means the tester has which of the following?
Complete Knowledge
Windows NT 3.51
Created with security and enhancement of network functionality in mind. Emphasized domains instead of workgroups and used the client/server model instead of peer-to-peer networks; the server was responsible for authenticating users and giving them access to network resources. The client/server model also allowed having many computers in a domain instead of the limited number of computers in a workgroup. NTFS replaced FAT (FAT16, and later FAT32) because of the difficulty in incorporating security in these file systems. NTFS included file-level security features not possible in FAT.
What type of attack relies on a variation of the input validation attack but has the goal of going after a user instead of the application or data?
Cross-site scripting (XSS)
____________________ uses an algorithm to encrypt a ciphertext document from a plaintext document, and when the information is needed again, the algorithm is used to decrypt the ciphertext back into plaintext.
Cryptography
Hackers may justify their actions based on which of the following: A. All information should be free B. Access to computers and their data should be unlimited C. Writing viruses, malware, or other code is not a crime D. Any of the above
D. Any of the above
Port 546
DHCP Client
Port 547
DHCP Server
What is Datapipe used for?
Datapipe is a Linux redirector. It can be used for port redirection. This form of tool is useful when certain ports are blocked at the firewall.
Which of the following phases has the goal of determining what was done right, what was done wrong, and how to improve?
Debriefing and feedback
____ is a method of achieving access to information by actually joining the organization as an employee or a consultant.
Deception
Which of the following options for firewall implementation has a region of the network or zone that is sandwiched between two firewalls?
Demilitarized zone (DMZ)
The D-Link DFL-300 firewall is specifically designed to detect common ____________ attacks
Denial of Service
One of the most common types of attacks via the Internet is:
Denial of service
Network-Based IDSs/IPSs
Devices that monitor traffic on network segments and alert security administrators of suspicious activity.
port 80 (filter)
Displays all port 80 traffic
Which attack causes Internet routers to attack the target systems without actually compromising the routers themselves?
Distributed Reflection Denial of Service
Which of the following is NOT considered one of the three types of controls you can use in risk mitigation?
Distribution
Footprinting can determine all of the following except ______?
Distribution and number of personnel
A hierarchical system of servers and services specifically designed to translate IP addresses into domain names (forward lookups) as well as the reverse (reverse lookups) is called:
Domain Name Service (DNS).
Which of the following is the best definition for war-driving?
Driving looking for wireless networks to hack
____ can be used to gather information useful for computer criminals, like company phone directories, financial reports, interoffice memos, resumes of employees, etc. Answer Shoulder surfing Footprinting Piggybacking Dumpster diving
Dumpster diving
Which of the following is not a defense against buffer overflow?
Enabling stack execution is something you would not want to do.
____________________ are the principles of conduct that govern individuals, groups, and professions.
Ethics
A polymorphic virus ____________.
Evades detection through rewriting itself
Which of the following is a symmetric algorithm?
Examples of symmetric algorithms include DES, 3DES, and Rijndael (AES). All other answers are incorrect because ElGamal, ECC, and Diffie-Hellman are all asymmetric algorithms.
SNMP uses encryption and is therefore a secure program.
FALSE
T/F: A TCP session can be hijacked only before the hosts have authenticated successfully.
FALSE
T/F: A successful IP spoofing attack requires more than simply forging a single header. On the contrary, there must be a complete, sustained dialogue between the machines for a minimum of five packets.
FALSE
T/F: A user needs root privileges to perform TCP connect scanning.
FALSE
T/F: Arpspoof, part of the Ettercap suite, can be used to spoof ARP tables.
FALSE
T/F: As might be expected,Triple DES is almost three times faster than DES.
FALSE
T/F: During the development of TCP/IP in the 1980s, security was a priority.
FALSE
T/F: Information traveling across a network is typically in human-readable format.
FALSE
T/F: Since UDP does not have many error recovery features, it is more resistant to hijacking.
FALSE
T/F: Transposition relies on length of password.
FALSE
TCP and UDP both use flags.
FALSE
The command mv is used to remove empty directories.
FALSE
The command used to display where you are in the file system is cd.
FALSE
The default access point security settings should never be changed.
FALSE
The environment in which a new facility is constructed has little impact on the level and type of security needed.
FALSE
The popularity of services such as Facebook, LinkedIn, and Twitter has made the loss of information or loss of control of that information through social media less of a concern.
FALSE
The stability of a web server does not depend on the operating system.
FALSE
The widespread availability of wireless has made management and security much easier for the network and security administrator.
FALSE
Viruses do not require a host program.
FALSE
Wireless refers to all the technologies that make up 802.11.
FALSE
FAT32
FAT32 has a significant advantage: in a partition smaller than 8GB, the cluster size is fixed at 4KB. Compared with FAT16, this reduces wasted disk space and increases usable capacity. Windows 95 (OSR2 and later), Windows 98, Windows 2000, Windows 2003 and Windows 7 support the FAT32 partition format. However, FAT32 also has a drawback: because of the larger file allocation table, a disk formatted with FAT32 runs slower than one formatted with FAT16. Neither FAT16 nor FAT32 supports file-level permissions, which is why NTFS is preferred where security matters.
You overheard a co-worker who is upset about not getting a promotion threaten to load FakeGina on to the boss's computer. What does FakeGina do?
FakeGina captures login usernames and passwords that are entered at system startup.
A NULL scan requires setting the FIN, ACK, and URG flags. True or False?
False
A brute-force attack tries passwords that are pulled from a predefined list of words.
False
A closed port can be vulnerable to an attack. Answer True False
False
A closed port responds to a SYN scan with an RST packet, so if no packet is received, the best guess is that the port is open. Answer True False
False
A denial of service (DoS) attack can be considered an "upgraded" and advanced version of a distributed denial of service (DDoS) attack.
False
A denial of service (DoS) attack is considered a critical problem because it is very difficult to defeat.
False
A denial of service (DoS) attack is typically the first action an attacker will take in an attempt to access a system.
False
A session, the connection that a client has with the server application, should use the same identifier, encryption, and other parameters every time a new connection between client and server is created, rather than create new information for each connection and then discard it each time.
False
Antivirus software cannot detect suspicious behavior of applications on a system.
False
Because wardialing involves the use of modems, it is out of date and should no longer be used.
False
Covert channels are not capable of transferring information using a mechanism that was not designed for the purpose. Select one:
False
Databases are rarely a target for attackers because many of them are "unhackable."
False
Delivering malicious software via instant messaging (IM) is relatively difficult because IM software has had strong security controls from the beginning.
False
Employees should be able to install programs on their company computers as long as the programs aren't copyrighted. True or False?
False
Fail-open state results in closed and completely restricted access or communication.
False
For a Windows computer to be able to access a *nix resource, CIFS must be enabled on at least one of the systems. True or False?
False
Fping doesn't allow pinging multiple IP addresses simultaneously. True or False?
False
Future generations of cryptography technology will most likely represent an evolution of past technologies and techniques.
False
In Linux, the files that dictate the access between hardware and the operating system reside in /home.
False
In symmetric encryption, one key is used for encryption and a separate key is used for decryption.
False
It is easy for an attacker to predict the sequence numbers of the packets in order to hijack a session successfully.
False
It is much harder to detect active OS fingerprinting than passive OS fingerprinting.
False
Logic bombs are relatively easy to detect.
False
Many attackers gain access to their target system through something known as a window.
False
Modern antivirus software is not equipped to deal with the problems polymorphic viruses pose.
False
Most printers now have only TCP/IP enabled and don't allow default administrator passwords, so they're inherently more secure. True or False?
False
Most users of social networking sites are diligent about protecting their personal information through privacy settings and similar configuration options available on these sites.
False
Namedroppers is a tool that can be used to capture Web server information and possible vulnerabilities in a Web site's pages that could allow exploits such as SQL injection and buffer overflows. Answer True False
False
Obtaining financial information on companies operating in the United States is difficult because financial records on publicly traded companies are not available to the public.
False
Over the past few years, the use of denial of service (DoS) attacks to commit crimes such as extortion has decreased. Select one:
False
Over the past several years, social networking sites have become less and less of a target for cybercriminals.
False
Over time, corporations have been moving fewer and fewer services to the cloud.
False
Placing a backdoor on a system prevents an attacker from coming back later in an attempt to take control of the system. Select one:
False
Safe browsing practices have little to do with whether individuals become victims online.
False
Session hijacking is the process of assisting two parties in establishing a new session.
False
Social networking means tricking or coercing people into revealing information or violating normal security practices.
False
Structured Query Language (SQL) injections require very little skill or knowledge to execute.
False
The Security Account Manager (SAM) is a file that resides on the network, not on the hard drive, and is not actively accessed while Windows is running.
False
The Windows Net use command is a quick way to discover any shared resources on a computer or server. True or False?
False
What is gray box testing?
Gray box testing is where the attacker has some knowledge of the infrastructure.
These individuals usually follow the law but sometimes venture over to the darker side of black hat hacking.
Gray hat hackers
Discernment is an advantage of which of the following physical security controls?
Guards have the ability to make a decision and judgment call in situations that require discernment.
Request not understood by server
HTTP 400 Bad Request
Request not allowed for the resource
HTTP 405 Method Not Allowed
Request not made by client in allotted time
HTTP 408 Request Timeout
Server is unavailable due to maintenance or overload
HTTP 503 Service Unavailable
Server did not receive a timely response
HTTP 504 Gateway Timeout
Port 443
HTTPS
SHORT ANSWER What are the methods used by hackers to modify a route table?
Hackers can modify a route table using two methods. One method is to erase all of the necessary records from the route table of a computer and then provide the hacker's own IP address as the default gateway address in the route table. This will guarantee that all packets sent from that computer will be transferred to the hacker's computer. Another method is to change the corresponding route in the route table of the gateway router. That allows hackers to receive packets sent to a specific server from a client computer. It is probably easier to adjust the route table on the local computer.
SHORT ANSWER Explain "love for puzzles" as a motivation for hackers.
Hackers gain great satisfaction in finding the solutions to complicated puzzles. There are many variables that have to be controlled and techniques that have to be mastered to successfully crack systems. These are the same challenges that motivate locksmiths and cat burglars in the physical security realm. Strong passwords, such as "Tr34$>1drU," can be devised that block most attack attempts, and locks can be keyed with "024642" pin combinations that are almost unpickable. Think of the fun when you figure out how to solve these difficult puzzles!
Which of the following best describes what a suicide hacker does?
Hacks without stealth
An administrator has just been notified of irregular network activity; what appliance functions in this manner?
IDS
Passive Systems
IDSs that don't take any action to stop or prevent a security event.
TCP works with ____ to manage data packets on the network.
IP
____ takes care of the transport between machines. But it is unreliable, and there is no guarantee that any given packet will arrive unscathed. a. TCP b. IP
IP
Which of the following prevents ARP poisoning?
DHCP snooping combined with Dynamic ARP Inspection (DAI), which validates ARP packets against the DHCP snooping binding table
_________________________ is the theoretical time when the number of unallocated IP addresses equals zero.
IP address exhaustion
SHORT ANSWER Briefly describe IP spoofing attacks.
IP spoofing is a technique attackers use in which they send packets to the victim or target computer with a false source address. The victim is unaware that the packet is not from a trusted host, so it accepts the packet and sends a response "back" to the indicated source computer. Because the attacker sending the spoofed packet cannot see that response, the attacker must guess the proper sequence numbers to send the final ACK packet as if it had come from the "real" source. If this attempt is successful, the attacker may have a connection to the victim's machine and be able to hold it for as long as the computer remains active. Attackers use two techniques to get around not seeing the replies: sequence-number guessing and source routing.
A banner can do what?
Identify a service
What is an SID used to do?
Identify a user
If subnetting is used in an organization, you can include the broadcast address by mistake when performing ping sweeps. How might this happen?
If you decide to use ping sweeps, be careful not to include the broadcast address in your range of addresses. You can do this by mistake if subnetting is used in an organization. For example, if the IP address 193.145.85.0 is subnetted with a 255.255.255.192 subnet mask, four subnets are created: 193.145.85.0, 193.145.85.64, 193.145.85.128, and 193.145.85.192. The broadcast addresses for each subnet are 193.145.85.63, 193.145.85.127, 193.145.85.191, and 193.145.85.255, respectively. If a ping sweep was inadvertently activated on the range of hosts 193.145.85.65 to 193.145.85.127, an inordinate amount of traffic could flood through the network because the broadcast address of 193.145.85.127 was included. This would be more of a problem on a Class B address, but if you perform ping sweeps, make sure your client signs a written agreement authorizing the testing.
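Worked example, added here and not part of the original flashcards: the subnet and broadcast arithmetic from the answer above, done with Python's standard ipaddress module so a sweep range can be checked before it is run. The addresses and mask are the ones in the text; the function names are my own.

```python
import ipaddress
from typing import List


def subnets(block: str, mask: str) -> List[ipaddress.IPv4Network]:
    """Split an address block into subnets using a dotted-decimal mask.

    subnets("193.145.85.0/24", "255.255.255.192") yields the four /26 subnets
    from the text: .0, .64, .128 and .192.
    """
    net = ipaddress.ip_network(block, strict=False)
    new_prefix = ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen
    return list(net.subnets(new_prefix=new_prefix))


def special_addresses_in_range(first: str, last: str, block: str, mask: str) -> List[str]:
    """Network and broadcast addresses of every subnet that fall inside first..last.

    These are the addresses a ping sweep must skip: a directed broadcast makes
    every host on that subnet answer and can flood the client's network.
    """
    lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    hits = []
    for sub in subnets(block, mask):
        for special in (sub.network_address, sub.broadcast_address):
            if lo <= int(special) <= hi:
                hits.append(str(special))
    return hits


def sweep_targets(first: str, last: str, block: str, mask: str) -> List[str]:
    """Host addresses in first..last with network and broadcast addresses removed."""
    skip = set(special_addresses_in_range(first, last, block, mask))
    lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    return [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)
            if str(ipaddress.ip_address(i)) not in skip]


if __name__ == "__main__":
    for sub in subnets("193.145.85.0/24", "255.255.255.192"):
        print(f"{sub}  broadcast {sub.broadcast_address}")
    # The careless range from the text: it includes the .127 broadcast address.
    print(special_addresses_in_range("193.145.85.65", "193.145.85.127",
                                     "193.145.85.0/24", "255.255.255.192"))
```

Run sweep_targets on the agreed range before launching the sweep and hand the resulting list to the ping tool; if special_addresses_in_range returns anything, the range was drawn without regard to the client's subnetting.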
How can a computer criminal use HTTP methods before running an exploit on a server?
If you know HTTP methods, you can send a request to a Web server and, from the generated output, determine what OS the Web server is using. You can also find other information that could be used in an attack. After you determine which OS version a company is running, you can search for any exploits that might be used against that network's systems.
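Added example (mine, not from the original): the HTTP-based fingerprinting described in the HTTP GET entry, the status code list and the answer above. It builds a raw request, parses a raw response into status code and headers, tags the code against the table from the text and reads the Server and Allow headers. The two responses are constructed samples, not captures from any real host. The Server header is set by the administrator and is often faked or stripped, so treat the result as a hint, not proof of the OS.

```python
from typing import Dict, List, Tuple

# Constructed sample responses for offline use (not captured from any real host).
SAMPLE_404 = (b"HTTP/1.1 404 Not Found\r\n"
              b"Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
              b"Server: Apache/2.4.41 (Ubuntu)\r\n"
              b"Content-Length: 0\r\n"
              b"\r\n")
SAMPLE_405 = (b"HTTP/1.1 405 Method Not Allowed\r\n"
              b"Server: Microsoft-IIS/10.0\r\n"
              b"Allow: GET, HEAD, POST\r\n"
              b"Content-Length: 0\r\n"
              b"\r\n")

# The client and server error codes listed on this page.
STATUS_NOTES = {
    400: "Request not understood by server",
    404: "Resource not found",
    405: "Request not allowed for the resource",
    408: "Request not made by client in allotted time",
    503: "Server is unavailable due to maintenance or overload",
    504: "Server did not receive a timely response",
}


def build_request(method: str, path: str, host: str) -> bytes:
    """Raw HTTP/1.1 request a tester would push through a socket or netcat."""
    return (f"{method} {path} HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            f"Connection: close\r\n\r\n").encode()


def parse_response(raw: bytes) -> Tuple[int, str, Dict[str, str]]:
    """Return (status code, reason phrase, headers) from a raw response; header names are lower-cased."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response")
    reason = parts[2] if len(parts) > 2 else ""
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), reason, headers


def classify(code: int) -> str:
    """Bucket a status code the way the text groups them (client vs. server errors)."""
    if 200 <= code < 300:
        return "success"
    if 300 <= code < 400:
        return "redirection"
    if 400 <= code < 500:
        return "client error"
    if 500 <= code < 600:
        return "server error"
    return "other"


def allowed_methods(headers: Dict[str, str]) -> List[str]:
    """Methods advertised in an Allow header (sent with 405, or in reply to OPTIONS)."""
    return [m.strip() for m in headers.get("allow", "").split(",") if m.strip()]


def platform_hint(headers: Dict[str, str]) -> str:
    """Guess the platform from the Server header. Forgeable, so a hint only."""
    server = headers.get("server", "")
    if "Microsoft-IIS" in server:
        return "Windows (IIS)"
    for distro in ("Ubuntu", "Debian", "Red Hat", "CentOS"):
        if f"({distro})" in server:
            return f"Linux: {distro}"
    if server:
        return "unknown OS, server software: " + server
    return "no Server header"


if __name__ == "__main__":
    print(build_request("OPTIONS", "/", "www.example.com").decode(), end="")
    for raw in (SAMPLE_404, SAMPLE_405):
        code, reason, headers = parse_response(raw)
        print(code, reason, "->", classify(code), "|", STATUS_NOTES.get(code, ""),
              "|", platform_hint(headers), "|", allowed_methods(headers))
```

An OPTIONS request, or a deliberately wrong method that triggers a 405, is the usual way to coax out the Allow header; PUT or DELETE appearing there is worth a closer look during the test.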
What is "competitive intelligence"?
If you want to open a piano studio to compete against another studio that has been in your neighborhood for many years, getting as much information as possible about your competitor is wise. How could you know the studio was successful without being privy to its bank statements? First, many businesses fail after the first year, so the studio being around for years is a testament to the owner doing something right. Second, you can simply park your car across the street from the studio and count the students to get a good idea of the number of clients. You can easily find out the cost of lessons by calling the studio or looking for ads in newspapers, flyers, telephone books, billboards, and so on. Numerous resources are available to help you discover as much as is legally possible about your competition. Business people have been doing this for years. Now this information gathering, called competitive intelligence, is done on an even higher level through technology. As a security professional, you should be able to explain to the company that hired you all the methods competitors use to gather information. To limit the amount of information a company makes public, you should have a good understanding of what a competitor would do to discover confidential information.
Private Key
In a key pair, the secret key used in an asymmetric algorithm that's known only by the key owner and is never shared. Even if the public key that encrypted a message is known, the owner's private key can't be determined.
How does a SYN scan work?
In a normal TCP session, a packet is sent to another computer with the SYN flag set. The receiving computer sends back a packet with the SYN/ACK flag set, indicating an acknowledgment. The sending computer then sends a packet with the ACK flag set. If the port to which the SYN packet is sent is closed, the computer responds to the SYN packet with an RST/ACK packet. If a SYN/ACK packet is received by an attacker's computer, it quickly responds with an RST/ACK packet, closing the session. This is done so that a full TCP connection is never made and logged as a transaction. In this sense, it is "stealthy." After all, you don't want a transaction to be logged showing the IP address that connected to the attacked computer.
Class
In object-oriented programming, the structure that holds pieces of data and functions.
Which of the following statements is NOT true regarding passive session hijacking?
In passive session hijacking, the attacker assumes the role of the party he has displaced.
SHORT ANSWER Describe the three-way handshake authentication method of TCP.
In the three-way handshake authentication method of TCP, a SYN packet is sent to the server by the client in order to initiate a connection. Then the server sends a SYN/ACK packet as an acknowledgment that the synchronization request by the client has been received, and awaits the final step. The client sends an ACK packet to the server. At this point, both the client and the server are ready to transmit and receive data. The connection ends with an exchange of Finish packets (FIN), or Reset packets (RST).
XMAS Scan
In this type of scan, the FIN, PSH, and URG flags are set. (Refer to Chapter 2 for a review of the different flags.) Closed ports respond to this type of packet with an RST packet. This scan can be used to determine which ports are open. For example, an attacker could send this packet to port 53 on a system and see whether an RST packet is returned. If not, the DNS port might be open.
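Added example, not part of the original text: the flag handling behind the ACK scan, SYN scan, three-way handshake and XMAS scan entries on this page, in Python. It builds and parses raw 20-byte TCP headers (constructed locally; nothing is sent) and classifies a port from the reply the way Nmap reports it. The flag constants, scan names and function names are my own.

```python
import struct
from typing import Optional

# TCP flag bits as laid out in byte 13 of the header (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = [(FIN, "FIN"), (SYN, "SYN"), (RST, "RST"), (PSH, "PSH"), (ACK, "ACK"), (URG, "URG")]

# Probe flags for the scan types discussed on this page.
PROBE_FLAGS = {"syn": SYN, "ack": ACK, "fin": FIN, "null": 0, "xmas": FIN | PSH | URG}


def flag_names(flags: int) -> str:
    """Human-readable flag list, e.g. SYN|ACK; 'none' for a NULL probe."""
    names = [name for bit, name in FLAG_NAMES if flags & bit]
    return "|".join(names) if names else "none"


def build_tcp_header(src_port: int, dst_port: int, flags: int, seq: int = 0, ack: int = 0) -> bytes:
    """Minimal 20-byte TCP header with no options. The checksum is left at zero
    because these headers are only parsed locally; nothing goes on the wire."""
    data_offset = 5 << 4  # header length in 32-bit words, stored in the high nibble
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       data_offset, flags, 65535, 0, 0)


def parse_tcp_flags(segment: bytes) -> int:
    """Return the six classic flag bits from a raw TCP header."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    return segment[13] & 0x3F


def infer_port_state(scan: str, response: Optional[bytes]) -> str:
    """Classify a port from the reply (or silence) to one probe, as Nmap reports it."""
    if scan not in PROBE_FLAGS:
        raise ValueError(f"unknown scan type {scan!r}")
    if response is None:
        # Silence: a filter dropped the SYN or ACK probe, or (FIN/NULL/XMAS) the
        # port is open and ignored the odd flags, so those scans say open|filtered.
        return "filtered" if scan in ("syn", "ack") else "open|filtered"
    flags = parse_tcp_flags(response)
    if scan == "syn":
        if flags & SYN and flags & ACK:
            return "open"        # scanner answers with RST so no full connection is logged
        if flags & RST:
            return "closed"      # closed ports answer a SYN with RST/ACK
    elif scan == "ack":
        if flags & RST:
            return "unfiltered"  # RST came back, so no stateful filter sat in the way
    elif scan in ("fin", "null", "xmas"):
        if flags & RST:
            return "closed"      # only closed ports answer these probes, with RST
    return "unexpected"


if __name__ == "__main__":
    # Constructed replies: what port 53 sends back to a SYN probe when closed,
    # and what a XMAS probe looks like on the wire.
    rst_ack = build_tcp_header(53, 40000, RST | ACK)
    print("SYN scan, RST/ACK reply ->", infer_port_state("syn", rst_ack))
    xmas = build_tcp_header(40000, 53, PROBE_FLAGS["xmas"])
    print("XMAS probe flags ->", flag_names(parse_tcp_flags(xmas)))
    print("XMAS scan, no reply ->", infer_port_state("xmas", None))
```

The FIN/NULL/XMAS inference relies on RFC 793 behaviour (closed ports answer with RST, open ports stay silent); Windows and some embedded stacks answer RST from every port, so those scans report everything closed there, which is why Nmap marks the result open|filtered rather than open.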
Windows XP Professional
Included Windows 2000 features, such as standards-based security and improved manageability, and added the Microsoft Management Console (MMC), an improved user interface, and better plug-and-play support. Security improvements in the kernel data structures made them read only to prevent rogue applications from affecting the OS core, and Windows File Protection was added to prevent overwriting core system files. With Service Pack 2 (SP2), security was improved further with features such as Data Execution Prevention (DEP) and a firewall that's enabled by default. DEP fixed a security exposure caused by vulnerable running services that hackers often use for buffer overflow attacks, and the firewall made it more difficult for hackers to exploit Windows service vulnerabilities and enumerate shares and services. In fact, enumeration of Windows XP SP2 and later systems can be difficult without modifying the configuration. Opening ports and services and disabling Windows Firewall are common in corporate networks, but these practices give hackers who have breached the perimeter network better access. In these environments, the enumeration processes used for earlier Windows versions still work much the same way in Windows XP Professional.
Which is NOT a typical adverse result of a virus?
Increased network functionality and responsiveness
Which of the following is NOT a common use of live distributions?
Increasing RAM
A sparse infector virus ____________.
Infects files selectively
What is a technical weakness of the Stack tweaking defense?
It only decreases the timeout; it does not actually stop DoS attacks.
Why might a circuit level gateway be inappropriate for some situations?
It requires client-side configuration
What form of authentication takes a username and a random nonce and combines them?
Digest authentication. The client combines the username, the password, and the server-supplied nonce into an MD5 hash and sends that value to the server, so the password itself never crosses the wire and a captured response cannot simply be replayed against a fresh nonce.
Which is true about Windows XP Internet Connection Firewall (ICF)?
It works best in conjunction with a perimeter firewall.
Why might a proxy gateway be susceptible to a flood attack?
Its authentication method takes more time and resources
Jane has noticed that her system is running strangely. However, even when she ran Netstat, everything looked fine. What should she do next?
Jane should use a third-party tool that is known good. One way to ensure this is to download the tool only from the developer's website and verify that its published fingerprint or checksum (for example, a SHA-256 hash or an MD5sum) matches the file she received.
SHORT ANSWER What are the cracking modes supported by John the Ripper?
John the Ripper supports several modes for cracking passwords: * The wordlist mode is the simplest mode supported by John the Ripper and compares passwords against a list of words in a text file. * The single-crack mode is faster than the wordlist mode, and it uses login and GECOS information (the user's full name and other account fields) to generate guesses. It limits the cracking process to the accounts the information came from; if more than one user has the same password, the guess is also tried against the other accounts. * The incremental mode is the most powerful mode used by John the Ripper. It attempts all possible combinations of letters, numbers, and special characters as passwords. This mode is used for conducting brute-force attacks. * The external mode is the user-defined mode. An external mode is defined in a [List.External:MODE] section of the configuration file (john.conf, or john.ini on older Windows builds), where MODE is the name of the external mode. You can use an external mode to specify customized functions for generating passwords; these functions go in that section.
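Added example (not from the page and not John the Ripper's own code): the dictionary, brute-force and John the Ripper mode descriptions on this page, reduced to working Python against a toy salted SHA-256 hash. The hash format, salt and word list are assumptions for the demo; the keyspace function shows why incremental mode is the last resort.

```python
import hashlib
import itertools
import string
from typing import Iterable, List, Optional


def hash_password(password: str, salt: bytes) -> str:
    """Toy salted SHA-256 standing in for a real password hash (assumption: not one of John's formats)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def wordlist_mode(target: str, salt: bytes, words: Iterable[str]) -> Optional[str]:
    """Dictionary attack: hash each word with the target's salt and compare."""
    for word in words:
        if hash_password(word, salt) == target:
            return word
    return None


def single_crack_candidates(login: str, gecos: str) -> List[str]:
    """Guesses derived from the account's own login and GECOS fields, as single-crack mode does."""
    candidates = set()
    for part in [login] + gecos.split():
        candidates.update({part, part.lower(), part.capitalize(), part[::-1], part + "1", part + "123"})
    return sorted(candidates)


def incremental_mode(target: str, salt: bytes, charset: str, max_len: int) -> Optional[str]:
    """Brute force: every string over charset up to max_len, shortest first."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            candidate = "".join(combo)
            if hash_password(candidate, salt) == target:
                return candidate
    return None


def keyspace(charset_size: int, max_len: int) -> int:
    """Number of candidates incremental mode must cover for all lengths 1..max_len."""
    return sum(charset_size ** n for n in range(1, max_len + 1))


# Constructed demo data.
SALT = b"s4lt"
WORDLIST = ["password", "123456", "letmein", "qwerty"]

if __name__ == "__main__":
    target = hash_password("letmein", SALT)
    print("wordlist mode:", wordlist_mode(target, SALT, WORDLIST))
    print("single-crack guesses for jsmith:", single_crack_candidates("jsmith", "John Smith"))
    short = hash_password("xq9", SALT)
    print("incremental mode:", incremental_mode(short, SALT, string.ascii_lowercase + string.digits, 3))
    print("8 chars over 95 printable ASCII:", keyspace(95, 8), "candidates")
```

The salt prevents one hash computation from being reused across accounts; a slow, memory-hard password hash (bcrypt, scrypt, Argon2) instead of plain SHA-256 is what actually pushes the incremental keyspace out of reach.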
____________________ was developed by Alexandre Sagala and is a GUI for Nmap, to be used with the KDE desktop environment.
KNmap
What is the best way to defend against a buffer overflow?
Keep all software patched and updated
Which system should be used instead of LM or NTLM?
Kerberos
LILO
LILO is the most commonly used boot loader for Linux. It manages the boot process and can boot Linux kernel images from floppy disks, hard disks or can even act as a boot manager for other operating systems. LILO is very important in the Linux system and for this reason, we must protect it the best we can. The most important configuration file of LILO is the lilo.conf file, which resides under the /etc directory. It is with this file that we can configure and improve the security of our LILO program and Linux system. Following are three important options that will improve the security of our valuable LILO program.
On newer Windows systems, what hashing mechanism is disabled?
LM
__________ is a hash used to store passwords in older Windows systems.
LM
Hubs operate at what layer of the OSI model?
Layer 1
If a device is using node MAC addresses to funnel traffic, what layer of the OSI model is this device working in?
Layer 2
Which approach to security addresses both the system perimeter and individual systems within the network?
Layered security approach
Companies may require a penetration test for which of the following reasons?
Legal Reasons, Regulatory Reasons, and to perform an audit.
This form of active sniffing is characterized by a large number of packets with bogus MAC addresses.
MAC flooding is the act of attempting to overload the switch's content addressable memory (CAM) table. By sending a large stream of packets with random addresses, the CAM table of the switch will eventually fill up and the switch can hold no more entries; some switches might divert to a "fail open" state. This means that all frames start flooding out all ports of the switch.
A birthday attack can be used to attempt to break _____________________.
MD5
Which of the following is a common hashing protocol?
MD5
_________________ is an example of a hashing algorithm.
MD5
Port 569
MSN
Which record will reveal information about a mail server for a domain?
MX
Which of the following types of viruses infects and operates through the use of a programming language built into applications such as Microsoft Office in the form of Visual Basic for Applications (VBA)?
Macro virus
Which of the following terms refers to any software that is inherently hostile, intrusive, or annoying in its operation?
Malware
What is the danger inherent in IP spoofing attacks?
Many firewalls don't examine packets that seem to come from within the network.
____ is a tool that is used to gather competitive intelligence from Web sites. Choices: Whois, Netcat, Metis, Dig
Metis
SNMP is used to do which of the following?
Monitor network devices
Why is port scanning considered legal by most security testers and hackers?
Most security testers and hackers argue that port scanning is legal simply because it doesn't invade others' privacy; it merely discovers whether the party being scanned is available. The typical analogy is a person walking down the street and turning the doorknob of every house along the way. If the door opens, the person notes that the door is open and proceeds to the next house. Of course, entering the house would be a crime in most parts of the world, just as entering a computer system or network without the owner's permission is a crime.
Which of the following types of viruses infects using multiple attack vectors, including the boot sector and executable files on the hard drive?
Multipartite virus
Chipping Code
Multiple sub-bits representing the original message that can be used for recovery of a corrupted packet traveling across a frequency band.
The Distributed Denial of Service attack initiated by the ____________ worm is considered by many to be a clear example of cyber-terrorism.
MyDoom
Which created a domestic "cyber terrorism" attack against a Unix distributor?
MyDoom
A standalone technology that hides internal addresses from the outside and only allows connections that originate from inside the network is called:
NAT
What does the command nc -n -v -l -p 25 accomplish?
nc -n -v -l -p 25 opens a listener on TCP port 25 on the local computer.
Which is a term used to refer to the process of authentication and verification?
Negotiation
Port 150
NetBIOS Session Service
Which tool can be used to view web server information?
Netcraft
Who first developed SSL?
Netscape
Which of the following is not a network mapping tool?
Netstat
At what OSI layer do packet filters function?
Network layer
Intrusion Prevention Systems (IPSs)
Network-based or host-based devices or software that go beyond monitoring traffic and sending alerts to actually block malicious activity they detect.
NTFS
New Technology File System (NTFS) was first released as a high-end file system in Windows NT 3.1, and in Windows NT 3.51 it added support for larger files and disk volumes as well as ACL file security. Subsequent Windows versions have included upgrades for compression, disk quotas, journaling, file-level encryption, transactional NTFS, symbolic links, and self-healing. Even with strong security features, however, NTFS has some inherent vulnerabilities. For example, one little-known NTFS feature is alternate data streams (ADSs), written for compatibility with Apple Hierarchical File System (HFS). An ADS can "stream" (hide) information behind existing files without affecting their function, size, or other information, which makes it possible for system intruders to hide exploitation tools and other malicious files. Several methods can be used to detect ADSs. In Windows Vista and later, a switch has been added to the Dir command: Enter dir /r from the directory you want to analyze to display any ADSs. For previous Windows versions, you need to download a tool such as LNS from www.ntsecurity.nu/toolbox/lns/. Whatever method you use, you need to determine whether any ADS you detect is supposed to be there. A better and more efficient method of detecting malicious changes to the file system is using host-based file-integrity monitoring tools, such as Tripwire (www.tripwire.com) or Ionx Data Sentinel (www.ionx.co.uk). A *nix-based version of Tripwire is also available.
Which of the following is an example of a multipartite virus or worm?
Nimda had the capability to infect in many different ways, including a malformed MIME header and an IFrame exploit used in e-mail propagation, placing an infected riched20.dll in the document, prepending itself to target executable files, and attempting to connect to open shares and copy itself to those locations.
Which of the following is used to perform customized network scans?
Nmap
____ is currently the standard port-scanning tool for security professionals. Choices: Unicornscan, Fping, Nessus, Nmap
Nmap
A port-scanning tool
Nmap
The practice of identifying the operating system of a networked device through either passive or active techniques is called:
OS identification.
Which of the following statements most closely expresses the difference in routing and routable protocols?
OSPF is a routing protocol whereas IP is a routable protocol.
Which of the following represents a valid ethical hacking test methodology?
OSSTMM (Open Source Security Testing Methodology Manual)
Null Session
One of the biggest vulnerabilities of NetBIOS systems is a null session, which is an unauthenticated connection to a Windows computer that uses no logon and password values. Many of the enumeration tools covered in this chapter establish a null session to gather information such as logon accounts, group membership, and file shares from an attacked computer. This vulnerability has been around for more than a decade and is still present in Windows XP. Null sessions have been disabled by default in Windows Server 2003, although administrators can enable them if they're needed for some reason. In Windows Vista and Server 2008, null sessions aren't available and can't be enabled, even by administrators.
Which of the following is not one of the three major classes of threats?
Online auction fraud
What makes the ____________________ tool unique is the ability to update security check plug-ins when they become available.
OpenVAS
____, an open-source fork of Nessus, functions much like a database server, performing complex queries while the client interfaces with the server to simplify reporting and configuration. Choices: Unicornscan, NetScanTools, OpenVAS, Nmap
OpenVAS
The HTTP ____ method requests that the entity be stored under the Request-URI. Choices: GET, PUT, POST, HEAD
PUT
____ solves the ACK storm issue and facilitates TCP session hijacking.
Packet Blocking
Which type of firewall is generally the simplest and least expensive?
Packet filter
Which type of firewall is included in Windows XP and many distributions of Linux operating systems?
Packet filter
Which of the following are four basic types of firewalls?
Packet filtering, application gateway, circuit level, stateful packet inspection
Which of the following is NOT true regarding the use of a packet sniffer?
Packet sniffing involves the attacker capturing traffic from both ends of the communication between two hosts
Which of the following are considered passive online attacks?
Packet sniffing, or man-in-the-middle and replay attacks
The ____ tool can generate a report that can show an attacker how a Web site is structured and lists Web pages that can be investigated for further information. Choices: Netcat, Paros, Dig, Whois
Paros
What type of sniffing takes place on networks such as those that have a hub as the connectivity device?
Passive sniffing
Which is a unique feature of the McAfee Personal Firewall that is not found on most personal firewalls?
Performing traceroute to show the source of incoming packets
-for loop
Performs a test on a variable, and then exits the block when a certain condition is met.
-do loop
Performs an action first and then tests to see whether the action should continue to occur.
What are the three approaches to security?
Perimeter, layered, and hybrid
Multifunction Devices (MFDs)
Peripheral networked devices that perform more than one function, such as printing, scanning, and copying.
Which of the following does an ethical hacker require to start evaluating a system?
Permission
Which of the following is a capability implemented through Bluetooth technology, designed to reach a maximum range on average of 10 meters or 30 feet?
Personal area network (PAN)
With ____, a user is tricked into giving private information about his or her account with a known large organization.
Phishing
Commonly used terms for these attackers are p________, s________ k________, d________ e________, c_______/c_____, s_______ c_____/h______
Phreakers, Script kiddies, Disgruntled employees, Software crackers/hackers, Cyberterrorists/cybercriminals, System crackers/hackers
In the 1970s, phone phreaks, a new sort of hacker, appeared. They used various methods, collectively called ____________________, to access telephone networks to make free calls from payphones.
Phreaking
What is the term for hacking a phone system?
Phreaking
Which of the following is not typically used during footprinting?
Port Scanning
Why is port scanning useful for hackers?
Port scanning helps you answer questions about open ports and services by enabling you to quickly scan thousands or even tens of thousands of IP addresses. Many port-scanning tools produce reports of their findings, and some give you best-guess assessments of which OS is running on a system. Most, if not all, scanning programs report open ports, closed ports, and filtered ports in a matter of seconds. When a Web server needs to communicate with applications or other computers, for example, port 80 is opened. An open port allows access to applications and can be vulnerable to an attack. A closed port does not allow entry or access to a service. For instance, if port 80 is closed on a Web server, users wouldn't be able to access Web sites. A port reported as filtered might indicate that a firewall is being used to allow specified traffic in or out of the network.
Enumeration does not uncover which of the following pieces of information?
Ports
What does the enumeration phase not discover?
Ports
Filtered ports
Ports protected with a network-filtering device, such as a firewall.
Closed Ports
Ports that aren't listening or responding to a packet.
Open ports
Ports that respond to ping sweeps and other packets.
SHORT ANSWER Briefly describe Enigma.
Possibly the most famous substitution cryptography machine was Enigma, the most secure encryption method of its time. Enigma worked similarly to a mechanical word processor, in that it could be configured to print a substitute character for the character typed. During World War II, the German Army used this machine to send commands and orders from headquarters to the battle lines. The recipient would use an identical machine set up with the proper configuration to decrypt the messages. Using information from Nazi defectors and from errors in some coded German documents, Alan Turing, a member of the British government's Code and Cypher School at Bletchley Park, developed the Turing Bombe, a machine to crack the "Enigma Code."
Which of the following is NOT considered a common mistake that people make when using social media?
Posting so little personal information that others do not want to "follow" or "friend" them
Which of the following activities do security professionals recommend to limit the chances of becoming a target for a Trojan horse?
Prevent employees from downloading and installing any programs
Wireshark requires a network card to be able to enter which mode to sniff all network traffic?
Promiscuous mode
What four rules must be set for packet filtering firewalls?
Protocol type, source port, destination port, source IP
What device acts as an intermediary between an internal client and a web resource?
Proxy
A device that hides internal IP address is called
Proxy server
Which of the following is NOT a connectivity device used to connect machines on a network?
Proxy server
Which of the following can maintain a state table?
Proxy servers have the capability to maintain state.
Asymmetric encryption is also referred to as which of the following?
Public Key
Which of the following is used to bring trust, integrity, and security to electronic transactions?
Public key infrastructure
While conducting a penetration test for a new client, you noticed that they had several databases. After testing one, you got the following response: Microsoft OLE DB Provider for ODBC Drivers error '80004005' [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified error in asp file line 82:
SQL injection is a type of exploit whereby hackers are able to execute SQL statements via an Internet browser. You can test for it using logic, such as 1=1, or by inserting a single quote (').
____ is a method for secure key exchange over an insecure channel based on the nature of photons.
Quantum cryptography
Someone claiming to be a new vendor has shown up at your office and has presented you with several small gifts. He is now asking you for setup and configuration information about the company's PBX system. You believe that you might have been targeted for social engineering. Which category of attack would this possibly qualify as?
Reciprocation is the technique of giving someone a token or small gift to make them more willing to give something in return.
Hackers usually follow the following steps: r_____ and f______, s______ and e_____, g______ a_____, m______ a_____, c______ t_____
Reconnaissance and footprinting, Scanning and enumeration, Gaining access, Maintaining access, Covering tracks
SHORT ANSWER What are some of the hackers' motivations?
Regardless of the hacker's profile, knowledge or skills, they are all powerfully motivated by something: * Curiosity * Love of puzzles * Desire for recognition or fame * Revenge * Financial gain * Patriotism or politics
Port 5
Remote Job Entry (RJE)
Port 135
Remote Procedure Call - (RPC)
-while loop
Repeats an action a certain number of times. It checks whether a condition is true, and then continues looping until the condition becomes false.
Which one of the following is NOT a goal of Trojans?
Replicating
Variable
Represents a numeric or string value.
PUT
Requests that the entity be stored under the Request-URI.
Port 22
SSH Remote Login Protocol
What is SSL?
SSL is an encryption algorithm that uses both symmetric and asymmetric encryption algorithms.
An XMAS tree scan sets all of the following flags except __________________.
SYN
What DoS attack is based on leaving connections half open?
SYN Flood
What is the name for a DoS defense that is dependent on sending back a hash code to the client?
SYN cookie
A computer that receives a SYN packet from a remote computer responds to the packet with a(n) ____ packet if its port is open. Choices: FIN, RST, SYN/ACK, ACK
SYN/ACK
__________ is used to partially encrypt the SAM.
SYSKEY
____ is a Web tool used to gather IP and domain information. It is available for both UNIX and Windows OSs. Choices: Samba, Bugnosis, SamSpade, FOCA
SamSpade
HEAD
Same as the GET method but retrieves only the header information of an HTML document, not the document body.
Shutting down router and firewall ports 5554 and 9996 will block most damage from which of these?
Sasser
SHORT ANSWER How do scanners work?
Scanners automate the process of examining network weaknesses. Scanners are not heuristic; they do not discover new vulnerabilities but check for known vulnerabilities and open ports. A scanner performs these functions: * Connects to a target host(s) * Examines the target host for the services running on it * Examines each service for any known vulnerability. Scanners can be set to target either a single IP address, searching for vulnerabilities on that host, or a range of IP addresses. In either mode, the scanner attempts to connect with the target (or targets) to find open ports and possible vulnerabilities present on the target host(s).
Port 25
Simple Mail Transfer Protocol -(SMTP)
You have been asked to start up Snort on a Windows host. Which of the following is the correct syntax?
Snort -ix -dev -l\snort\log is the correct entry to run snort as an IDS on a Windows computer.
Which of the following would be a very effective source of information as it relates to social engineering?
Social Networking
What type of information is usually gathered by social engineering?
Social engineering means using a knowledge of human nature to get information from people. In computer attacks, the information is usually a password to a network or other information an attacker could use to compromise a network. A salesperson can get personal information about customers, such as income, hobbies, social life, drinking habits, music preferences, and the like, just by asking the customer the right questions. A salesperson uses charm and sometimes guile to relax customers. In a sense, a salesperson attempts to bond with customers by pretending to be empathetic with them. After leaving the store, customers might regret some of the information they freely gave, but if the salesperson was personable, they might not think twice about the personal information the salesperson elicited. Social engineers might also use persuasion tactics, intimidation, coercion, extortion, and even blackmail to gather the information they need. They are probably the biggest security threat to networks and the most difficult to protect against.
Which of the following is the best definition of a virus?
Software that self-replicates
Host-Based IDSs/IPSs
Software used to protect a critical network server or database server. The software is installed on the system you're attempting to protect, just like installing antivirus software on a desktop system.
Script
Some tools might need to be modified to better suit your needs as a security tester. Creating a customized script—a program that automates a task that takes too much time to perform manually—can be a time-saving solution. As mentioned, Fping can use an input file to perform ping sweeps. Creating an input file manually with thousands of IP addresses isn't worth the time, however. Instead, most security testers rely on basic programming skills to write a script for creating an input file. If you have worked with DOS batch programming, scripting will be familiar. If you're from a networking background and new to programming, however, this topic might seem a little overwhelming, but Chapter 7 focuses on getting nonprogrammers up to speed. A script or batch file is a text file containing multiple commands that would usually be entered manually at the command prompt. If you see that you're using a set of commands repeatedly to perform the same task, this task might be a good candidate for a script. You can run the script by using just one command.
____________________ is a debugging technique that allows packets to explicitly state the route they will follow to their destination rather than follow normal routing rules.
Source routing
Which is a technique used to provide false information about data packets?
Spoofing
____ can be defined as misrepresenting the sender of a message (e-mail, IM, letter, resume, etc.) in a way that causes the human recipient to behave a certain way.
Spoofing
____________ is a type of attack where header information on data packets is changed to provide false information.
Spoofing
____________________ can be defined as a sophisticated way to authenticate one machine to another by using forged packets.
Spoofing
Which method of defense against a SYN flood involves altering the response timeout?
Stack tweaking
Which of the following is NOT a denial of service attack?
Stack tweaking
How do symmetric and asymmetric encryption algorithms differ from each other?
Symmetric algorithms use one key to both encrypt and decrypt data, whereas asymmetric algorithms use one key for encryption and a different key for decryption.
This type of scan sends a FIN packet to the target port. An open port should return no response. Closed ports should send back an RST/ACK. This technique is usually effective only on UNIX devices or those compliant to RFC 793.
TCP FIN scan
_________________________ occurs when a hacker takes control of a TCP session between two hosts.
TCP session hijacking
____ is the common language of networked computers and makes transferring information fast and efficient.
TCP/IP
____________________ is a suite of protocols that underlie the Internet. The TCP/IP suite comprises many protocols and applications that focus on two main objectives.
TCP/IP
SHORT ANSWER What are the network interfaces supported by TCP/IP?
TCP/IP supports the following types of network interfaces: * Standard Ethernet Version 2 * IEEE 802.3 * Token-ring * Serial Line Internet Protocol (SLIP) * Loopback * FDDI * Serial Optical * ATM * Point-to-Point Protocol (PPP)
Which utility will tell you in real time which ports are listening or in another state?
TCPView
Which of the following excels at allowing the security professional to find services that have been redirected from standard ports?
THC-Amap
Which of the following is a utility used to reset passwords?
TRK
A DoS attack is meant to deny a service from legitimate usage.
TRUE
A NULL session is used to attack Windows remotely.
TRUE
A buffer overflow can result in data being corrupted or overwritten.
TRUE
A number of different methods can be used to deface a web site.
TRUE
A persuasion/coercion attack is considered psychological.
TRUE
Active sniffing is used when switches are present.
TRUE
Ad hoc networks can be created very quickly and easily because no access point is required in their setup.
TRUE
An IPS is designed to look for and stop attacks.
TRUE
Anomaly based IDSs look for deviations from normal network activity.
TRUE
Atmospheric conditions, building materials, and nearby devices can all affect emanations of wireless networks.
TRUE
Backdoors on a system can be used to bypass firewalls and other protective measures.
TRUE
Because your web browser is your main portal to the Internet, you need to be sure you have its latest version and to download all the updates.
TRUE
Brutus is a password cracker that is designed to decode different password types present in web applications.
TRUE
During the footprinting process social networking sites can be used to find out about employees and look for technology policies and practices.
TRUE
For both symmetric and asymmetric cryptography data is encrypted by applying the key to an encryption algorithm.
TRUE
In a phone-based attack it is fairly easy for an attacker to make a call that appears to be coming from the CEO's office and win the trust of someone else in the organization.
TRUE
In wireless networks based on the 802.11 standard stations transmit their information using the Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA).
TRUE
Polycarbonate acrylic windows are much stronger than standard glass, offering superior protection.
TRUE
Public Key Infrastructure (PKI) addresses storing, managing, distributing, and maintaining keys and digital certificates securely.
TRUE
Session hijacking is used to take over an authenticated session.
TRUE
Setting up a limited profile on Facebook gives you flexibility as to who is allowed to see which portions of a profile.
TRUE
Signature based IDSs look for known attack patterns and types.
TRUE
Someone walking into an office and taking a file folder full of important data off a desk can be part of a social engineering attack.
TRUE
T/F: A successful hijacking takes place when a hacker intervenes in a TCP conversation and then takes the role of either host or recipient.
TRUE
T/F: Hijacking differs from spoofing in that the takeover occurs during an authenticated session.
TRUE
T/F: IP packets often arrive out of sequence because they are not all taking the same route in sequence.
TRUE
The command-line equivalent of WinDump is known as what?
Tcpdump
____ is a protocol packet analyzer. Choices: Nmap, Fping, Tcpdump, Nessus
Tcpdump
____, the most commonly bundled sniffer with Linux distros, is also widely used as a free network diagnostic and analytic tool for UNIX and UNIX-like operating systems.
Tcpdump
Mobile Broadband Wireless Access (MBWA)
The 802.20 standard, with a goal similar to mobile WiMAX; addresses wireless MANs for mobile users sitting in trains, subways, or cars traveling at speeds up to 150 miles per hour.
Wardriving
The act of driving around an area with a laptop computer that has a WNIC, scanning software, and an antenna to discover available SSIDs in the area.
Attack Surface
The amount of code a computer system exposes to unauthenticated outsiders.
Social engineering
The art of social engineering has been around much longer than computers. Social engineering means using knowledge of human nature to get information from people. In computer attacks, the information is usually a password to a network or other information an attacker could use to compromise a network. A salesperson, for example, can get personal information about customers, such as income, hobbies, social life, drinking habits, music preferences, and the like, just by asking the customer the right questions. A salesperson uses charm and sometimes guile to relax customers and even attempts to bond with customers by pretending to be empathetic with them. After leaving the store, customers might regret some of the information they gave freely, but if the salesperson was personable, they might not think twice about it. Social engineers might also use persuasion tactics, intimidation, coercion, extortion, and even blackmail to gather the information they need. They are probably the biggest security threat to networks and the most difficult to protect against.
Which of the following will allow you to set the user to full access, the group to read-only, and all others to no access?
The command for file and folder permissions is chmod, and the proper setting would be 740.
SHORT ANSWER Describe some of the most common terms you need to know when dealing with cryptography.
The following are common terms when dealing with cryptography: * Cleartext is a readable or decoded version of an original message. * Ciphertext, the opposite of cleartext, is an unreadable or encoded version of an original message. * Key is the use of a number, word, or phrase generated in an algorithm to both encrypt and decrypt. * An algorithm is a mathematical function used to make a key. * A hash is a one-way function that converts messages into unique strings of digits.
Ginny has a co-worker's WinZip file with several locked documents that are encrypted, and she would like to hack it. Ginny also has one of the locked files in its unencrypted state. What's the best method to proceed?
The known plaintext attack requires the hacker to have both the plaintext and ciphertext of one or more messages. For example, if a WinZip file is encrypted and the hacker can find one of the files in its non-encrypted state, the two form plaintext and ciphertext. Together, these two items can be used to extract the cryptographic key and recover the remaining encrypted, zipped files.
Port
The logical component of a connection that identifies the service running on a network device. For example, port 110 is the POP3 mail service.
Transmission Control Protocol/Internet Protocol (TCP/IP)
The main protocol used to connect computers over the Internet.
Steganography
The method of hiding data in plain view in pictures, graphics, or text.
Three-way handshake
The method the Transport layer uses to create a connection-oriented session.
Infrastructure Mode
The mode a wireless network operates in, whereby centralized connectivity is established with one or more APs. It's the most common type of WLAN and differs from an ad-hoc network, which doesn't require an AP.
Frequency
The number of sound wave repetitions in a specified time; also referred to as cycles per second.
When would an attacker want to perform a session hijack?
The optimum time to perform a session hijack is after authentication.
Internet Assigned Numbers Authority (IANA)
The organization responsible for assigning IP addresses.
While hacking away at your roommate's Linux computer, you accessed his passwd file. Here is what you found: root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin: daemon:x:2:2:daemon:/sbin: Where is the root password?
The password has been shadowed. You can determine this because there is an x in the second field.
Enumeration
The process of connecting to a system and obtaining information such as logon names, passwords, group memberships, and shared resources.
NonRepudiation
The process of ensuring that the sender and receiver can't deny sending or receiving the message; this function is available in asymmetric algorithms but not symmetric algorithms.
Authentication
The process of verifying that the sender or receiver (or both) is who he or she claims to be; this function is available in asymmetric algorithms but not symmetric algorithms.
How can a Linux user list which processes are running if he suspects something has been loaded that is not approved?
The ps command gives a snapshot of the currently running processes, including ps itself.
TCP flag
The six flags in a TCP header are switches that can be set to on or off to indicate the status of a port or service.
Which of the following best defines the primary difference between a sneaker and an auditor?
The sneaker tends to use more unconventional methods.
Which of the following describes the stack mechanism that computers use to pass arguments to functions and reference local variables?
The stack is a last in first out (LIFO) mechanism that computers use to pass arguments to functions as well as reference local variables.
At the prompt of your Linux server, you enter cat /etc/passwd. In the following output line, what is the function of 100?
The structure of the passwd file is such: Account Name:Password:UID:GID:User Information:Directory:Program. In this case, the 100 falls under the GID.
Which of the following will happen after using a Live CD, ejecting the media, and rebooting the system from the hard drive?
The system will be just like it was before using the Live CD.
When assessing threats to a system, what three factors should you consider?
The system's attractiveness, the information contained on the system, and how much traffic the system gets
Why are rootkits that infect a device's firmware considered the biggest threat to any OS (embedded or general-purpose)?
They tend to be extremely small, are loaded in low-level nonvolatile storage that anti-rootkit tools can't access readily, and can persist even after the hard drive has been reformatted.
SHORT ANSWER Describe conformity as a social engineering technique.
This method hinges on the general tendency of people to believe that an apparent similarity between themselves and another (unknown) person is an actual similarity. The hacker convinces the victim that they have a lot in common and that they share the same values. The hacker becomes the victim's good friend by appearing honest, trustworthy, and friendly, a person in whom one may truly confide. Once the information is garnered, the "good friend" simply disengages.
paros
Web application proxy and scanner that captures web server information and flags possible vulnerabilities in a site's pages, such as SQL injection and buffer overflow conditions that could be exploited
Netcat
Tool that reads and writes data across network connections over TCP or UDP ports
Which of the following refers to a software program used to determine the path a data packet traverses to get to a specific IP address?
Traceroute
Which of the following is a firewall best able to control?
Traffic
Which of the following terms refers to functions employed in asymmetric encryption that are easy to compute in one direction, but tough to compute in the other?
Trapdoor functions
The ____________ is probably the most used and most widely known DoS tool.
Tribal Flood Network
Which of the following is malware that looks legitimate but hides a payload that does something unwanted?
Trojan
A software development kit specifically designed to facilitate the design and development of Trojans is called a:
Trojan construction kit
Which statement(s) defines malware most accurately?
Trojans are malware, Malware covers all malicious software
A code is a mechanism that relies on the usage of complete words or phrases, whereas ciphers utilize single letters to perform encryption.
True
A countermeasure for protecting domain information is to employ commonly available proxy services to block the access of sensitive domain data.
True
A good understanding of, and comfort level with, the command line is essential for success with Linux.
True
A good way to prevent Structured Query Language (SQL) injection attacks is to use input validation, which ensures that only approved characters are accepted.
True
A lookup table is used to track which Media Access Control (MAC) addresses are present on which ports on the switch.
True
A number of different methods can be used to deface a Web site.
True
A one-way hash function is also known as a fingerprint.
True
A persuasion/coercion attack is considered psychological.
True
A ping is actually an Internet Control Message Protocol (ICMP) message.
True
A regular live distribution CD provides everything needed to install and run Linux. But special-purpose Live CDs may lack this capability and may not even be able to install.
True
A rootkit can provide a way to hide spyware such as a keystroke logger so that it is undetectable even to those looking for it.
True
Active sniffing introduces traffic onto the network, meaning that the user's presence is now detectable by anyone or anything that may be looking.
True
An attacker can use enumeration methods to determine whether or how a target can respond to system hacking activities.
True
An exploit discovered for one OS might also be effective on another OS. True or False?
True
An organization's Web server is often the public face of the organization that customers and clients see first.
True
Brutus is a password cracker that is designed to decode different password types present in Web applications.
True
Content addressable memory (CAM) is the memory present on a switch that is used to look up the Media Access Control (MAC) address to port mappings that are present on a network.
True
Databases can be easily missed because they may be installed as part of another application or just not reported by the application owner.
True
Defacing a Web site is one of the most common acts of vandalism against Web sites.
True
Digital signatures are a combination of public key cryptography and hashing.
True
Education is the first line of defense for stopping both worms and viruses.
True
Enumeration represents the point at which the attack crosses the legal line to being an illegal activity in some areas.
True
Error messages should be considered a potential Web server vulnerability because they can provide vital information to an attacker.
True
FTP offers more security than TFTP. True or False?
True
For both symmetric and asymmetric cryptography, data is encrypted by applying the key to an encryption algorithm.
True
For many businesses, a social media presence is a key part of the corporate communications strategy.
True
Hardware-based keystroke loggers can be plugged into a universal serial bus (USB) or PS/2 port on a system and monitor the passing signals for keystrokes.
True
Hoax viruses are those designed to make the user take action even though no infection or threat exists.
True
If any part of a multipartite virus is not eradicated from the infected system, it can re-infect the system.
True
If the time and money required to compromise an embedded system exceeds the value of the system's information, a security tester might recommend not fixing the vulnerability. True or False?
True
In Linux the /boot directory contains all the files required to start up and boot a Linux operating system.
True
In Windows Server 2008, the administrator must enable IIS manually to use it. True or False?
True
In Windows, directories are referenced with the familiar "\", but in Linux directories are referenced with "/".
True
In some cases, spyware creators have stated their intentions outright by presenting End-User License Agreements (EULAs) to the victim.
True
In symmetric encryption, the length of the key and the quality of the algorithm will determine how secure the encryption system is.
True
In the Windows OS, the NetBIOS service is commonly targeted by attackers because diverse information can be obtained, including usernames, share names, and service information.
True
Input validation refers to restricting the type of input or data the Web site will accept so that mistakes will not be entered into the system.
True
It is worthwhile to conduct an Internet search on yourself in order to see what personal information is available about you online.
True
Kernels are unique to an operating system, and there is typically only one version of a kernel for a specific operating system.
True
Malware can be used to turn a system into a server hosting any type of content, such as illegal music or movies, pirated software, pornography, and financial data.
True
Malware in the current day has been adopted by criminals for a wide array of purposes to capture information about the victim or commit other acts.
True
Network attacks often begin by gathering information from a company's Web site.
True
Of the tools for detecting Trojans, one of the easiest to access would be the command line tool known as netstat.
True
Offline attacks are a form of password attack that relies on weaknesses in how passwords are stored on a system.
True
Once escalated privileges have been obtained, the PsTools suite makes it possible for an attacker to run an application on a remote system rather easily.
True
One of the common problems that make password attacks effective is that many people use ordinary words as their password.
True
One of the main characteristics of worms is that they do not need a host program to function.
True
One purpose of adware is to determine users' purchasing habits. True or False?
True
Port scanning is a method of finding out which services a host computer offers.
True
T/F: The protection of data provided to organizations or stored on personal computers is a high priority.
True
T/F: The reading and techniques used by both ethical and malicious hackers are identical.
True
The Linux kernel, unlike that of Windows, can be configured by anyone with the time and knowledge required.
True
The Net view command can be used to see whether there are any shared resources on a server. True or False?
True
The Whois tool has been used by law enforcement to gain information useful in prosecuting criminal activity.
True
The lack of a familiar interface, such as CD/DVD-ROM drives, contributes to the difficulty of updating embedded OSs. True or False?
True
The purpose of OS fingerprinting is to determine the operating system that is in use on a specific target.
True
The strength of asymmetric encryption is that it addresses the key distribution problem inherent with symmetric encryption.
True
The terms algorithm and cipher describe the formula or process used to perform encryption.
True
There are currently five primary Regional Internet Registries (RIRs) across the globe.
True
To limit the amount of information a company makes public, you should have a good understanding of what a competitor would do to discover confidential information.
True
Wrappers can be used to merge an attacker's intended payload with a harmless executable to create a single executable from the two.
True
You can search for known vulnerabilities in a host computer by using the Common Vulnerabilities and Exposures Web site.
True
Johnny Long's Google Hacking Database (GHDB) is a database of queries that can be used to conduct a Google Web search to identify sensitive data and content.
True
SHORT ANSWER What is the problem with using bandwidth without permission?
Using bandwidth without permission may seem harmless, but what if accidental damage happens to a system, or processing, information, or code is altered? If the network has been hacked, it doesn't much matter whether the hacker directly caused the error or mischief; the hacker will be blamed for any loss or damage. In many states, unauthorized use of a computer system is a crime, in addition to being unethical.
VRFY is used to do which of the following?
Validate an email address
Which of the following statements is NOT true regarding the protection of databases?
Very few tools are available to locate, audit, and ultimately protect databases.
The Wayback Machine is used to do which of the following?
View archived versions of websites
Which of the following types of malware is a piece of code or software that spreads from system to system by attaching itself to other files and is activated when the file is accessed?
Virus
List three worms or viruses that use e-mail as a form of attack.
Waledac, Nimda, Melissa, and W32/Sobig.F
A technique that has existed for more than 25 years as a footprinting tool and involves the use of modems is called:
Wardialing
Which of the following is the process of locating wireless access points and gaining information about the configuration of each?
Wardriving
One of your user's Windows computers has been running slowly and performing erratically. After looking it over, you find a suspicious-looking file named watching.dll. Which of the following programs uses that file?
Watching.dll is one of the files that is loaded when SubSeven is installed.
You are about to install Snort on a Windows computer. Which of the following must first be installed?
WinPcap, the Windows port of libpcap, lets Snort capture and send raw frames through the network card; libpcap itself is the UNIX/Linux library and does not run on Windows. (Current Snort builds for Windows use WinPcap's successor, Npcap.)
LDAP (port 389)
Besides the CIFS/SMB ports, Windows Server 2003 and 2008 domain controllers listen on TCP port 389 for LDAP. Because domain controllers authenticate user accounts, they contain much of the information attackers want to access.
Previously known as Ethereal, ____ is probably the best-known and most powerful free network protocol analyzer for UNIX/Linux and Windows.
Wireshark
Host 192.168.1.102
Capture filter (BPF syntax, shared with tcpdump) that selects all traffic to or from 192.168.1.102; the equivalent Wireshark display filter is ip.addr == 192.168.1.102
WPA2 uses which of the following encryption standards?
AES (in CCMP mode); WEP and the original WPA used RC4.
Electronic code book (ECB) mode
With DES in electronic code book (ECB) mode, identical plaintext blocks encrypted with the same key always produce the same ciphertext blocks, so repetition in the plaintext shows through in the ciphertext.
Fping
With the Fping tool (www.fping.com), you can ping multiple IP addresses simultaneously. Fping, included on the BackTrack DVD, can accept a range of IP addresses entered at a command prompt, or you can create a file containing multiple IP addresses and use it as input for the Fping command. For example, the fping -f ip_address.txt command uses ip_address.txt, which contains a list of IP addresses, as its input file. The input file is usually generated with a script so that you don't need to type the thousands of IP addresses needed for a ping sweep on a Class B network.
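An added example, not from the textbook, of generating the fping input file described above. It expands a CIDR block into one address per line and, by default, leaves out the network and broadcast addresses so the sweep does not send broadcast pings (a common ping-sweep mistake). The file name and network are placeholders.

```python
import ipaddress
from pathlib import Path
from typing import List


def sweep_targets(network: str, skip_network_and_broadcast: bool = True) -> List[str]:
    """Return the addresses of a CIDR block as strings, one per fping input line."""
    net = ipaddress.ip_network(network, strict=False)
    # .hosts() excludes the network and broadcast addresses of an IPv4 block
    addrs = net.hosts() if skip_network_and_broadcast else net
    return [str(a) for a in addrs]


def write_target_file(network: str, path: str) -> int:
    """Write the target list for `fping -f <path>` and return how many addresses it holds."""
    targets = sweep_targets(network)
    Path(path).write_text("\n".join(targets) + "\n")
    return len(targets)


if __name__ == "__main__":
    # Class B example: 65,534 hosts, far too many to type by hand
    count = write_target_file("172.16.0.0/16", "ip_address.txt")
    print(f"wrote {count} targets; run: fping -a -q -f ip_address.txt")
```

`fping -a -q -f ip_address.txt` then prints only the addresses that answered, which is the list the next enumeration step works from.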
How can DNS be used for footprinting?
Without going into too much detail, DNS uses name servers to resolve names. After you determine what name server a company is using, you can attempt to transfer all the records for which the DNS server is responsible. This process, called a zone transfer, can be done with the Dig command. (For those familiar with the Nslookup command, Dig is now the recommended command.) To determine a company's primary DNS server, you can look for a DNS server containing a Start of Authority (SOA) record. An SOA record shows for which zones or IP addresses the DNS server is responsible. After you determine the primary DNS server, you can perform another zone transfer to see all host computers on the company network. In other words, the zone transfer gives you an organization's network diagram. You can use this information to attack other servers or computers that are part of the network infrastructure. Properly configured servers refuse AXFR requests from anyone but their secondaries, so a successful transfer is itself a finding.
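The procedure above (find the SOA, list the name servers, try a zone transfer against each) as an added script that is not from the textbook. It shells out to dig, which is assumed to be installed; the parser works on `dig +noall +answer` output, and the sample lines used to exercise it are constructed for example.com.

```python
import subprocess
from typing import Dict, List, Optional


def parse_answer_records(dig_output: str, rtype: str) -> List[str]:
    """Return the first RDATA field of every answer line of the given type.

    Answer lines look like:  example.com.  3600  IN  NS  ns1.example.com.
    For SOA the first RDATA field is the MNAME, i.e. the primary server.
    """
    names = []
    for line in dig_output.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[2] == "IN" and parts[3] == rtype:
            names.append(parts[4].rstrip("."))
    return names


def dig(*args: str) -> str:
    """Run dig and return only its answer section (empty string on failure or refusal)."""
    cmd = ["dig", "+noall", "+answer", "+time=3", "+tries=1", *args]
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


def primary_name_server(domain: str) -> Optional[str]:
    servers = parse_answer_records(dig(domain, "SOA"), "SOA")
    return servers[0] if servers else None


def attempt_zone_transfer(domain: str) -> Dict[str, List[str]]:
    """Try AXFR against every authoritative server; map server -> records it handed over."""
    results: Dict[str, List[str]] = {}
    for ns in parse_answer_records(dig(domain, "NS"), "NS"):
        out = dig(f"@{ns}", domain, "AXFR")
        # dig prints '; Transfer failed.' when the server refuses; comment lines are dropped
        results[ns] = [line for line in out.splitlines() if line and not line.startswith(";")]
    return results


if __name__ == "__main__":
    target = "example.com"  # placeholder; only test domains you are authorized to assess
    print("primary:", primary_name_server(target))
    for server, records in attempt_zone_transfer(target).items():
        print(f"{server}: {len(records)} records" if records else f"{server}: transfer refused")
```

A non-empty record list for any server means the zone is leaking its host map; an empty list for every server is the expected result on a hardened domain.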
Which of the following is a malware program designed to replicate without attaching to or infecting other files on a host system?
Worm
In this type of scan, the FIN, PSH, and URG flags are set
XMAS scan
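The TCP flag card earlier in this set and the XMAS scan card above, as one added example that is not from the textbook: decode the flag bits from a raw TCP header and map the combination to the Nmap scan type that sends it (XMAS, NULL, FIN, ACK, SYN). The builder produces headers for the demonstration; the sample SYN bytes are constructed to look like a capture.

```python
import struct

# Bit positions in the 16-bit data-offset/reserved/flags word at bytes 12-13 of
# the TCP header. RFC 793 defined the lower six; RFC 3168 added ECE and CWR.
TCP_FLAGS = {
    "FIN": 0x001, "SYN": 0x002, "RST": 0x004, "PSH": 0x008,
    "ACK": 0x010, "URG": 0x020, "ECE": 0x040, "CWR": 0x080,
}
CLASSIC = {"FIN", "SYN", "RST", "PSH", "ACK", "URG"}


def parse_tcp_flags(segment: bytes) -> set:
    """Return the names of the flags set in a raw TCP header (at least 20 bytes)."""
    if len(segment) < 20:
        raise ValueError("a TCP header is at least 20 bytes")
    flag_word = struct.unpack("!H", segment[12:14])[0]
    return {name for name, bit in TCP_FLAGS.items() if flag_word & bit}


def classify_probe(flags) -> str:
    """Map a flag combination to the Nmap scan type that produces it."""
    core = set(flags) & CLASSIC
    if core == {"FIN", "PSH", "URG"}:
        return "XMAS scan (-sX)"
    if not core:
        return "NULL scan (-sN)"
    if core == {"FIN"}:
        return "FIN scan (-sF)"
    if core == {"ACK"}:
        return "ACK scan (-sA)"
    if core == {"SYN"}:
        return "SYN scan (-sS) or ordinary connection attempt"
    return "other: " + ",".join(sorted(core))


def build_tcp_header(src_port: int, dst_port: int, flags, seq: int = 0,
                     ack: int = 0, window: int = 1024) -> bytes:
    """Build a 20-byte option-less TCP header with the named flags; checksum left zero."""
    flag_word = 5 << 12  # data offset: five 32-bit words
    for name in flags:
        flag_word |= TCP_FLAGS[name]
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack, flag_word, window, 0, 0)


# Constructed sample: a SYN from port 40000 to port 80 as it would appear in a capture.
SAMPLE_SYN = bytes.fromhex("9c40005000000001000000005002040000000000")

if __name__ == "__main__":
    print("sample:", classify_probe(parse_tcp_flags(SAMPLE_SYN)))
    for probe in ({"FIN", "PSH", "URG"}, set(), {"FIN"}, {"ACK"}):
        flags = parse_tcp_flags(build_tcp_header(40000, 80, probe))
        print(sorted(flags) or "(none)", "->", classify_probe(flags))
```

The same decode run over a capture is how an IDS signature for XMAS or NULL scans works: those combinations never occur in a legitimate TCP conversation, so a single matching segment is enough to alert on.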
Nessus
A vulnerability scanner first released in 1998. Although Nessus is no longer under the GPL license, as most open-source software is, you can still download it free from Tenable Network Security (www.nessus.org) for noncommercial personal use. An open-source fork of Nessus called OpenVAS was developed in 2005, and it's one of the tools included on the BackTrack DVD. OpenVAS functions much like a database server, performing complex queries while the client interfaces with the server to simplify reporting and configuration. What makes this tool unique is the capability to update security check plug-ins when they become available. An OpenVAS plug-in is a security test program (script) that can be selected from the client interface. The person who writes the plug-in decides whether to flag it as dangerous, and the author's judgment on what's considered dangerous might differ from yours, so review the plug-ins you enable before scanning production systems.
The U.S. Department of Justice defines a hacker as which of the following? a. A person who accesses a computer or network without the owner's permission b. A penetration tester c. A person who uses telephone services without payment d. A person who accesses a computer or network system with the owner's permission
a. A person who accesses a computer or network without the owner's permission
Which type of scan is usually used to bypass a firewall or packet-filtering device? a. ACK scan b. SYN scan c. XMAS scan d. FIN scan
a. ACK scan
Which of the following describes an RTOS? a. An embedded OS capable of multitasking and responding predictably b. An embedded OS intended for real-time data manipulation c. An embedded OS intended for packet analysis d. An embedded OS intended for devices that run multiple OSs
a. An embedded OS capable of multitasking and responding predictably
Why does the fping -f 193.145.85.201 193.145.85.220 command cause an error? a. An incorrect parameter is used. b. The IP range should be indicated as 193.145.85.201-220. c. There's no such command. d. IP ranges aren't allowed with this command.
a. An incorrect parameter is used.
Embedded OS on routers are susceptible to which of the following? (Choose all that apply.) a. Authentication bypass attacks b. Buffer overflow attacks c. Password-guessing attacks d. RTOS clock corruption
a. Authentication bypass attacks b. Buffer overflow attacks c. Password-guessing attacks
An exploit that attacks computer systems by inserting executable code in areas of memory not protected because of poorly written code is called which of the following? a. Buffer overflow b. Trojan program c. Virus d. Worm
a. Buffer overflow
Applications written in which programming language are especially vulnerable to buffer overflow attacks? (Choose all that apply.) a. C b. Perl c. C++ d. Java
a. C c. C++
As a security tester, what should you do before installing hacking software on your computer? a. Check with local law enforcement agencies. b. Contact your hardware vendor. c. Contact the software vendor. d. Contact your ISP.
a. Check with local law enforcement agencies.
Which federal law prohibits unauthorized access of classified information? a. Computer Fraud and Abuse Act, Title 18 b. Electronic Communication Privacy Act c. Stored Wire and Electronic Communications and Transactional Records Act d. Fifth Amendment
a. Computer Fraud and Abuse Act, Title 18
How can you find out which computer crime laws are applicable in your state? a. Contact your local law enforcement agencies. b. Contact your ISP provider. c. Contact your local computer store vendor. d. Call 911.
a. Contact your local law enforcement agencies.
What is the main purpose of malware? a. Doing harm to a computer system b. Learning passwords c. Discovering open ports d. Identifying an operating system
a. Doing harm to a computer system
Which flags are set on a packet sent with the nmap -sX 193.145.85.202 command? (Choose all that apply.) a. FIN b. PSH c. SYN d. URG
a. FIN b. PSH d. URG
What is the best method of preventing NetBIOS attacks? a. Filtering certain ports at the firewall b. Telling users to create difficult-to-guess passwords c. Pausing the Workstation service d. Stopping the Workstation service
a. Filtering certain ports at the firewall
Security testers conduct enumeration for which of the following reasons? (Choose all that apply.) a. Gaining access to shares and network resources b. Obtaining user logon names and group memberships c. Discovering services running on computers and servers d. Discovering open ports on computers and servers
a. Gaining access to shares and network resources b. Obtaining user logon names and group memberships
A security tester should possess which of the following attributes? (Choose all that apply.) a. Good listening skills b. Knowledge of networking and computer technology c. Good verbal and written communication skills d. An interest in securing networks and computer systems
a. Good listening skills b. Knowledge of networking and computer technology c. Good verbal and written communication skills d. An interest in securing networks and computer systems
What is a potential mistake when performing a ping sweep on a network? a. Including a broadcast address in the ping sweep range b. Including a subnet IP address in the ping sweep range c. Including the subnet mask in the ping sweep range d. Including the intrusion detection system's IP address in the ping sweep range
a. Including a broadcast address in the ping sweep range
Why are embedded OSs more likely to have unpatched security vulnerabilities than general-purpose OSs do? (Choose all that apply.) a. Many security checks are omitted during development to reduce the code size. b. Devices with embedded OSs connect to the Internet more frequently. c. Manufacturers prefer that you upgrade the system rather than the embedded OS. d. Devices with embedded OSs typically can't have any downtime for installing patches.
a. Many security checks are omitted during development to reduce the code size. c. Manufacturers prefer that you upgrade the system rather than the embedded OS. d. Devices with embedded OSs typically can't have any downtime for installing patches.
A(n) ____ scan sends a packet with all flags set to NULL. a. NULL b. VOID c. SYN d. XMAS
a. NULL
On a Windows computer, what command can you enter to show all open ports being used? a. Netstat b. Ipconfig c. Ifconfig d. Nbtstat
a. Netstat
Which of the following tools can be used to enumerate Windows systems? (Choose all that apply.) a. OpenVAS b. DumpSec c. DumpIt d. Hyena
a. OpenVAS b. DumpSec d. Hyena
Shoulder surfers can use their skills to find which of the following pieces of information? (Choose all that apply.) a. Passwords b. ATM PINs c. Long-distance access codes d. Open port numbers
a. Passwords b. ATM PINs c. Long-distance access codes
Which command verifies the existence of a node on a network? a. Ping b. Ipconfig c. Netstat d. Nbtstat
a. Ping
When conducting competitive intelligence, which of the following is a good way to determine the size of a company's IT support staff? a. Review job postings on Web sites such as www.monster.com or www.dice.com. b. Use the Nslookup command. c. Perform a zone transfer of the company's DNS server. d. Use the host -t command.
a. Review job postings on Web sites such as www.monster.com or www.dice.com.
An exploit that leaves an attacker with another way to compromise a network later is called which of the following? (Choose all that apply.) a. Rootkit b. Worm c. Backroot d. Backdoor
a. Rootkit d. Backdoor
Which organization issues the Top 20 list of current network vulnerabilities? a. SANS Institute b. ISECOM c. EC-Council d. OPST
a. SANS Institute
Which of the following is a well-known SMB hacking tool? (Choose all that apply.) a. SMBRelay b. SMBsnag c. L0phtcrack's SMB Packet Capture utility d. NTPass
a. SMBRelay c. L0phtcrack's SMB Packet Capture utility
Which of the following is one method of gathering information about the operating systems a company is using? a. Search the Web for e-mail addresses of IT employees. b. Connect via Telnet to the company's Web server. c. Ping the URL and analyze ICMP messages. d. Use the ipconfig /os command.
a. Search the Web for e-mail addresses of IT employees.
MBSA performs which of the following security checks? (Choose all that apply.) a. Security update checks b. IIS checks c. System time checks d. Computer logon checks
a. Security update checks b. IIS checks
A good password policy should include which of the following? (Choose all that apply.) a. Specifies a minimum password length b. Mandates password complexity c. States that passwords never expire d. Recommends writing down passwords to prevent forgetting them
a. Specifies a minimum password length b. Mandates password complexity
Which of the following exploits might hide its destructive payload in a legitimate application or game? a. Trojan program b. Macro virus c. Worm d. Buffer overflow
a. Trojan program
To see a brief summary of Nmap commands in a Linux shell, which of the following should you do? a. Type nmap -h. b. Type nmap -summary. c. Type help nmap. d. Press the F1 key.
a. Type nmap -h.
Which of the following protocols is connectionless? (Choose all that apply.) a. UDP b. IP c. TCP d. SPX
a. UDP b. IP
What social-engineering technique involves telling an employee that you're calling from the CEO's office and need certain information ASAP? (Choose all that apply.) a. Urgency b. Status quo c. Position of authority d. Quid pro quo
a. Urgency c. Position of authority
Cell phone vulnerabilities make it possible for attackers to do which of the following? (Choose all that apply.) a. Use your phone as a microphone to eavesdrop on meetings or private conversations. b. Install a BIOS-based rootkit. c. Clone your phone to make illegal long-distance phone calls. d. Listen to your phone conversations.
a. Use your phone as a microphone to eavesdrop on meetings or private conversations. c. Clone your phone to make illegal long-distance phone calls. d. Listen to your phone conversations.
What's one way to gather information about a domain? a. View the header of an e-mail you send to an e-mail account that doesn't exist. b. Use the Ipconfig command. c. Use the Ifconfig command. d. Connect via Telnet to TCP port 53.
a. View the header of an e-mail you send to an e-mail account that doesn't exist.
To find information about the key IT personnel responsible for a company's domain, you might use which of the following tools? (Choose all that apply.) a. Whois b. Whatis c. SamSpade d. Nbtstat
a. Whois c. SamSpade
Which of the following doesn't attach itself to a host but can replicate itself? a. Worm b. Virus c. Trojan program d. Buffer overflow
a. Worm
Before using hacking software over the Internet, you should contact which of the following? (Choose all that apply.) a. Your ISP b. Your vendor c. Local law enforcement authorities to check for compliance d. The FBI
a. Your ISP c. Local law enforcement authorities to check for compliance
Which program can detect rootkits on *nix systems? a. chkrootkit b. rktdetect c. SELinux d. Ionx
a. chkrootkit
If you're trying to find newsgroup postings by IT employees of a certain company, which of the following Web sites should you visit? a. http://groups.google.com b. www.google.com c. www.samspade.com d. www.arin.org
a. http://groups.google.com
Which of the following Nmap commands sends a SYN packet to a computer with the IP address 193.145.85.210? (Choose all that apply.) a. nmap -sS 193.145.85.210 b. nmap -v 193.145.85.210 c. nmap -sA 193.145.85.210 d. nmap -sF 193.145.85.210
a. nmap -sS 193.145.85.210 b. nmap -v 193.145.85.210
The phase of incident response that involves determining which evidence is relevant to the investigation and which is not is called:
analysis and tracking
_____________________ is the point at which an attacker starts to plan his or her attack.
analyzing the results
Which of the following can limit the impact of worms?
antivirus software, firewalls, and patches
Automated methods for obtaining network range information:
are faster than manual methods.
There are three basic elements of risk: a_____, t_____, and v_______.
assets, threats, and vulnerabilities
Also called public key algorithms, ____________________ key algorithms use two keys for encrypting and decrypting data.
asymmetric
Trojan horses often gain access to users machines by appearing as a funny or useful file sent as an e-mail ____________.
attachment
The process of reviewing logs, records, and procedures to determine whether they meet appropriate standards is called:
auditing
At the heart of internetworked systems are two critical issues: trust and ____________________.
authentication
The process of determining whether the credentials given by a user are authorized to access a particular network resource is called:
authentication
Which of the following terms refers to the process of positively identifying a party as a user, computer, or service?
authentication
Which of the following is NOT one of the key concepts of cryptography?
availability
The base-64 numbering system uses ____ bits to represent a character. a. 4 b. 6 c. 7 d. 8
b. 6
VxWorks is which of the following? a. A Windows embedded OS b. A proprietary embedded OS c. A Linux embedded OS d. A Windows security validation tool
b. A proprietary embedded OS
Which of the following doesn't use an embedded OS? a. An ATM b. A workstation running Windows Vista Business c. An NAS device running Windows Server 2008 R2 d. A slot machine
b. A workstation running Windows Vista Business
What exploit is used to elevate an attacker's permissions by inserting executable code in the computer's memory? a. Trojan program b. Buffer overflow c. Ping of Death d. Buffer variance
b. Buffer overflow
What organization offers the Certified Ethical Hacker (CEH) certification exam? a. International Information Systems Security Certification Consortium (ISC2) b. EC-Council c. SANS Institute d. GIAC
b. EC-Council
Which federal law prohibits intercepting any communication, regardless of how it was transmitted? a. Computer Fraud and Abuse Act, Title 18 b. Electronic Communication Privacy Act c. Stored Wire and Electronic Communications and Transactional Records Act d. Fourth Amendment
b. Electronic Communication Privacy Act
A software or hardware component that records each keystroke a user enters is called which of the following? a. Sniffer b. Keylogger c. Trojan program d. Buffer overflow
b. Keylogger
Which of the following is an OS security mechanism that enforces access rules based on privileges for interactions between processes, files, and users? a. MBSA b. Mandatory Access Control c. Server Message Block d. Systems Management Server
b. Mandatory Access Control
Which of the following is a good place to begin your search for vulnerabilities in Microsoft products? a. Hacking Web sites b. Microsoft Security Bulletins c. Newsgroup references to vulnerabilities d. User manuals
b. Microsoft Security Bulletins
Which of the following is the vulnerability scanner from which OpenVAS was developed? a. OpenVAS Pro b. Nessus c. ISS Scanner d. SuperScan
b. Nessus
Which of the following commands connects to a computer containing shared files and folders? a. Net view b. Net use c. Netstat d. Nbtstat
b. Net use
Entering a company's restricted area by following closely behind an authorized person is referred to as which of the following? a. Shoulder surfing b. Piggybacking c. False entering d. Social engineering
b. Piggybacking
The Netstat command indicates that POP3 is in use on a remote server. Which port is the remote server most likely using? a. Port 25 b. Port 110 c. Port 143 d. Port 80
b. Port 110
What port, other than port 110, is used to retrieve e-mail? a. Port 25 b. Port 143 c. Port 80 d. Port 135
b. Port 143
To bypass some ICMP-filtering devices on a network, an attacker might send which type of packets to scan the network for vulnerable services? (Choose all that apply.) a. PING packets b. SYN packets c. ACK packets d. Echo Request packets
b. SYN packets c. ACK packets
Many social engineers begin gathering the information they need by using which of the following? a. The Internet b. The telephone c. A company intranet d. E-mail
b. The telephone
A Ping command initially uses which ICMP type code? a. Type 0 b. Type 8 c. Type 14 d. Type 13
b. Type 8
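The Ping card above, together with the earlier card stating that a ping is an ICMP message, as an added example that is not from the textbook: build an ICMP Echo Request (type 8, code 0) with the RFC 1071 checksum, parse it, and produce the Echo Reply (type 0) the target would return. The identifier, sequence number and payload are constructed; the optional sender needs a raw socket and therefore root.

```python
import os
import socket
import struct
from typing import Dict, Optional

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes = b"") -> bytes:
    """ICMP echo header: type, code, checksum, identifier, sequence, then payload."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(packet: bytes) -> Dict[str, object]:
    """Decode the header; a correct packet sums to zero when the checksum field is included."""
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "payload": packet[8:], "checksum_ok": inet_checksum(packet) == 0}


def reply_for(request: bytes) -> Optional[bytes]:
    """What a host answers: type 0 with the same id, sequence and payload; None if invalid."""
    req = parse_icmp(request)
    if req["type"] != ICMP_ECHO_REQUEST or req["code"] != 0 or not req["checksum_ok"]:
        return None
    return build_echo(ICMP_ECHO_REPLY, req["id"], req["seq"], req["payload"])


def send_echo_request(dest_ip: str, seq: int = 1, payload: bytes = b"ping", timeout: float = 2.0):
    """Send one echo request over a raw socket (root/CAP_NET_RAW required) and parse the reply."""
    ident = os.getpid() & 0xFFFF
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_echo(ICMP_ECHO_REQUEST, ident, seq, payload), (dest_ip, 0))
        data, _ = sock.recvfrom(65535)
    ihl = (data[0] & 0x0F) * 4          # raw sockets hand back the IPv4 header too
    return parse_icmp(data[ihl:])


if __name__ == "__main__":
    request = build_echo(ICMP_ECHO_REQUEST, 0x1234, 1, b"abcdefgh")  # constructed
    print("request:", parse_icmp(request))
    print("reply:  ", parse_icmp(reply_for(request)))
```

Because the reply echoes the identifier and payload, a host that answers is confirmed live; the same builder with a different type is how other ICMP-based tricks (timestamp requests, type 13) are assembled.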
A computer ____ relies on a host to propagate throughout a network. a. Worm b. Virus c. Program d. Sniffer
b. Virus
A null session is enabled by default in all the following Windows versions except: a. Windows 95 b. Windows Server 2008 c. Windows 98 d. Windows 2000
b. Windows Server 2008
Establishing a(n) ____________ upon initial setup and configuration of a firewall permits better identification of abnormal traffic versus normal traffic.
baseline
Identifying abnormal activity on a firewall requires that one establish a:
baseline
You're consulting for an organization that would like to know which of the following ways are the best ways to prevent hackers from uncovering sensitive information from dumpster diving. (Choose all that are correct)
Use paper shredders and keep the trash in a secured location. Shredders are the number one defense against dumpster divers; keeping the trash in a secured location makes it much harder for anyone to retrieve information from it.
Which of the following best describes the role of IP?
best effort at delivery
_____ box testing: the security team has no knowledge of the target network or its systems.
black
Those who exploit systems for harm such as to erase files, change data, or deface Web sites are typically called:
black hat hackers
A hacker with computing skills and expertise to launch harmful attacks on computer networks and uses those skills illegally is best described as a _______________________.
black-hat hacker
Since they are easier to perpetrate than intrusions, ____________ attacks are the most common form of attack after viruses.
blocking
A device that prevents entry into designated areas by motor vehicle traffic is called a:
bollard
The part of a hard drive or removable media that is used to boot programs is called the:
boot sector
A group of infected systems that are used to collectively attack another system is called a:
botnet
When a sniffer captures data from a network, it stores the data in a(n) ____________________—a dynamic area of RAM that holds specified data.
buffer
Trojans are designed to be small and stealthy in order to:
bypass detection
Which port numbers are most vulnerable to NetBIOS attacks? a. 135 to 137 b. 389 to 1023 c. 135 to 139 d. 110 and 115
c. 135 to 139
Which ports should be filtered out to protect a network from SMB attacks? a. 134 to 138 and 445 b. 135, 139, and 443 c. 137 to 139 and 445 d. 53 TCP/UDP and 445 UDP
c. 137 to 139 and 445
A NetBIOS name can contain a maximum of _________ characters. a. 10 b. 11 c. 15 d. 16
c. 15
Which of the following is not a valid octal number? a. 5555 b. 4567 c. 3482 d. 7770
c. 3482
A penetration tester is which of the following? a. A person who accesses a computer or network without permission from the owner b. A person who uses telephone services without payment c. A security professional who's hired to hack into a network to discover vulnerabilities d. A hacker who accesses a system without permission but does not delete or destroy files
c. A security professional who's hired to hack into a network to discover vulnerabilities
What portion of your ISP contract might affect your ability to conduct a penetration test over the Internet? a. Scanning policy b. Port access policy c. Acceptable use policy d. Warranty policy
c. Acceptable use policy
What's the first method a security tester should attempt to find a password for a computer on the network? a. Use a scanning tool. b. Install a sniffer on the network. c. Ask the user. d. Install a password-cracking program.
c. Ask the user.
Which organization offers free benchmark tools for Windows and Linux? a. PacketStorm Security b. CVE c. Center for Internet Security d. Trusted Security Solutions
c. Center for Internet Security
Before conducting a security test by using social-engineering tactics, what should you do? a. Set up an appointment. b. Document all findings. c. Get written permission from the person who hired you to conduct the security test. d. Get written permission from the department head.
c. Get written permission from the person who hired you to conduct the security test.
Which of the following is a tool for creating a custom TCP/IP packet and sending it to a host computer? a. Tracert b. Traceroute c. Hping d. Nmapping
c. Hping
What protocol is used for reporting or informational purposes? a. IGMP b. TCP c. ICMP d. IP
c. ICMP
SCADA systems are used for which of the following? a. Monitoring embedded OSs b. Monitoring ATM access codes c. Monitoring equipment in large-scale industries d. Protecting embedded OSs from remote attacks
c. Monitoring equipment in large-scale industries
Which of the following is a Windows command-line utility for seeing NetBIOS shares on a network? a. Net use b. Net user c. Net view d. Nbtuser
c. Net view
What is the most widely used port-scanning tool? a. Netcat b. Netstat c. Nmap d. Nslookup
c. Nmap
Some experienced hackers refer to inexperienced hackers who copy or use prewritten scripts or programs as which of the following? (Choose all that apply.) a. Script monkeys b. Packet kiddies c. Packet monkeys d. Script kiddies
c. Packet monkeys d. Script kiddies
Which of the following is a major challenge of securing embedded OSs? a. Training users b. Configuration c. Patching d. Backup and recovery
c. Patching
A FIN packet sent to a closed port responds with which of the following packets? a. FIN b. SYN-ACK c. RST d. SYN
c. RST
To determine whether scanning is illegal in your area, you should do which of the following? a. Refer to U.S. code. b. Refer to the U.S. Patriot Act. c. Refer to state laws. d. Contact your ISP.
c. Refer to state laws.
One way to secure IIS is to do which of the following? (Choose all that apply.) a. Disable IIS logging. b. Install IIS on a domain controller. c. Run the IIS Lockdown Wizard. d. Upgrade to the most recent IIS version.
c. Run the IIS Lockdown Wizard. d. Upgrade to the most recent IIS version.
Which protocol offers guaranteed delivery and is connection oriented? a. UDP b. IP c. TCP d. TFTP
c. TCP
What command is used to log on to a remote server, computer, or router? a. Ping b. Traceroute c. Telnet d. Netstat
c. Telnet
"Destination Unreachable" is designated by which ICMP type code? a. Type 0 b. Type 14 c. Type 3 d. Type 8
c. Type 3
Which of the following is a fast and easy way to gather information about a company? (Choose all that apply.) a. Conduct port scanning. b. Perform a zone transfer of the company's DNS server. c. View the company's Web site. d. Look for company ads in phone directories.
c. View the company's Web site. d. Look for company ads in phone directories.
Which of the following enables you to view all host computers on a network? a. SOA b. Ipconfig c. Zone transfers d. HTTP HEAD method
c. Zone transfers
Weaknesses of SNMP: community strings can be passed as _____ ____, default community strings are ____ _____
clear text, well known
______________ dictates the performance of a wireless network.
clients, interference, and access points
A(n) ____________________ is a text file generated by a Web server and stored on a user's browser.
cookie
Section 1029 gives the U.S. federal government the power to prosecute hackers who knowingly and with intent to defraud produce, use, or traffic in one or more c__________ a_____ devices.
counterfeit access
The process of tracking and carefully processing evidence from collection to trial to the return to its owner is called:
creating a paper trail
What type of attack relies on a variation of the input validation attack but has the goal of going after a user instead of the application or data?
cross-site scripting (XSS)
The initial sequence number (ISN) is set at which step of the TCP three-way handshake? a. 1, 2, 3 b. 1, 3 c. 1 d. 1 and 2
d. 1 and 2
To reduce the risk of a virus attack on a network, you should do which of the following? a. Use antivirus software. b. Educate users about opening attachments from suspicious e-mail. c. Keep virus signature files current. d. All of the above
d. All of the above
Port scanning provides the state for all but which of the following ports? a. Closed b. Open c. Filtered d. Buffered
d. Buffered
Which of the following is the most efficient way to determine which OS a company is using? a. Run Nmap or other port-scanning programs. b. Use the Whois database. c. Install a sniffer on the company's network segment. d. Call the company and ask.
d. Call the company and ask.
________ is one of the components most vulnerable to network attacks. a. TCP/IP b. WINS c. DHCP d. DNS
d. DNS
What type of network attack relies on multiple servers participating in an attack on one host system? a. Trojan attack b. Buffer overflow c. Denial-of-service attack d. Distributed denial-of-service attack
d. Distributed denial-of-service attack
If you run a program in New York City that uses network resources to the extent that a user is denied access to them, what type of law have you violated? a. City b. State c. Local d. Federal
d. Federal
In basic network scanning, ICMP Echo Requests (type 8) are sent to host computers from the attacker, who waits for which type of packet to confirm that the host computer is live? a. ICMP SYN-ACK packet b. ICMP SYN packet c. ICMP Echo Reply (type 8) d. ICMP Echo Reply (type 0)
d. ICMP Echo Reply (type 0)
Which of the following is an advantage of Windows CE over other Windows embedded OSs? a. It's designed for more advanced devices with complex hardware requirements. b. It has many of the same security features as Windows XP. c. It provides the full Windows API. d. Its source code is available to the public.
d. Its source code is available to the public.
Which of the following programs includes several buffer overflow exploit plug-ins? a. Buffercrack b. MBSA c. Nmap d. Metasploit
d. Metasploit
To view eDirectory information on a NetWare 5.1 server, which of the following tools should you use? a. Nmap b. Mmap c. Nbtstat d. Novell Client
d. Novell Client
TCP communication could be likened to which of the following? a. Announcement over a loudspeaker b. Bullhorn at a sporting event c. Internet traffic d. Phone conversation
d. Phone conversation
Discovering a user's password by observing the keys he or she presses is called which of the following? a. Password hashing b. Password crunching c. Piggybacking d. Shoulder surfing
d. Shoulder surfing
Trin00 can run as a ___________, a program that usually has no visual interface and provides some background service.
daemon
A ________________ is a file used to store passwords.
database
The ____ vi command deletes the current line. a. d b. dl c. dd d. dw
dd
dd (vi command)
dd deletes the current line; vi <filename> opens the named file for editing.
In many typical configurations with multiple firewalls, e-mail servers and FTP servers are located in the:
demilitarized zone
An attack characterized by an explicit attempt by attackers to prevent legitimate users from accessing a system is called:
denial of service
Security issues that can arise in cloud computing that are above and beyond those with standard environments include all of the following EXCEPT:
detectability
During the planning phase of a penetration test, the aim should be to:
determine why a penetration test and its associated tasks are necessary.
Which password attack method uses long lists of words that have been predefined and can be quickly downloaded for use to break a password that is a word or a name?
dictionary password attack
____________________________ is the term for criminals' practice of going through industrial or corporate trash containers looking for information such as contact lists, manuals, memos, calendars, and printouts of important documents.
dumpster diving
Which of the following is a good Web site for gathering information on a domain? a. www.google.com b. www.namedroppers.com c. www.samspade.org d. www.arin.net e. All of the above
e. All of the above
With the release of Service Pack 2, Microsoft changed the configuration and Windows XP ships with its Internet Connection Firewall ____________ by default.
enabled
The categories of Web application vulnerabilities include all of the following EXCEPT:
end-user education
A(n) ____________ network is a large network often made up of several interconnected local networks.
enterprise
Web applications that require a user to log on prior to gaining access can track information relating to improper or incorrect logons; this information typically lists entries such as all of the following EXCEPT:
entry of a valid user ID and password
The third step in the hacking process is __________________.
enumeration
The fifth step in the hacking process is _______________________.
escalation of privilege
Planning, discovery, attack, and reporting are considered:
ethical hacking steps.
The capacity of a system to keep functioning in the face of hardware or software failure is called:
fault tolerance
A(n) ____________ serves as a barrier to unauthorized communication between a network and the outside world.
firewall
In computer jargon, the process of finding information on a company's network is called ____________________.
footprinting
The first step in the hacking process is _______________.
footprinting
What is the Network Layer of the OSI Reference Model responsible for?
formatting the data
When a large IP packet is sent over a network, it is broken down. This process is called ____.
fragmentation
____________________ is a popular though easily detectable scanning technique.
full connect
Which of the following is one of the goals of Trojans?
giving remote access
_____ box testing: the goal is to determine what insiders can access.
gray
Browsers do not display _________________.
hidden fields
___________________ is used to overwhelm a service.
hijacking
From a security standpoint which one of the following is not desirable in a door?
hollow core
A group of computers or a network configured to attract attackers is called a(n):
honeynet
A _______________________ monitors activity on one host, but cannot monitor an entire network.
host intrusion detection system (HIDS)
___________________ can monitor changes to system files.
host intrusion detection systems (HIDSs)
A ____________ firewall solution is actually a combination of several different firewall systems in a single system.
hybrid
Which of the following is an example of a passive fingerprinting tool?
p0f
In a ____________ firewall configuration, each incoming packet is examined.
packet filter
The stateful packet inspection (SPI) firewall is based on the ____________ firewall.
packet filtering
What is the best description of footprinting?
passive information gathering
Botnets are used to perform all of the following attacks EXCEPT:
passive session hijacking
What technique is used when traffic is captured on a network with hubs?
passive sniffing
A _______________________ is used to reveal passwords.
password cracker
Cain and Abel, John the Ripper, Pandora, and Pwdump3 are examples of:
password crackers
Which of the following is true regarding account passwords?
passwords should have at least one number and one special character
operates on ports 65301, 22, 5631, and 5632
pcAnywhere
Which of the following is a capability implemented through Bluetooth technology, designed to reach a maximum range on average of 30 feet?
personal area network (PAN)
An attacker using friendliness, trust, impersonation, and empathy to get a victim to do what they want him or her to do is participating in ________________________________.
persuasion/coercion
An attacker using friendliness, trust, impersonation, and empathy to get a victim to do what they want him or her to do is participating in:
persuasion/coercion
Which of the following is not typically a web resource used to footprint a company?
phonebooks
NGSSquirreL and AppDetective are:
pieces of software for performing audits on databases
Port scanners can also be used to conduct a(n) ____________________ of a large network to identify which IP addresses belong to active hosts.
ping sweep
An OpenVAS ____________________ is a security test program (script) that can be selected from the client interface.
plug-in
Which of the following is NOT considered a vulnerability of web servers?
poor end-user training
A process where communications are redirected to different ports than they would normally be destined for is called:
port redirection
A(n) ____________________ examines and reports upon the condition (open or closed) of a port as well as the application listening on that port, if possible.
port scanner
Which of the following is NOT considered a common mistake that people make when using social media?
posting so little information that others do want to "follow" or "friend" them
Which of the following is entered ahead of time for both the access point (AP) and client so they can authenticate and associate securely?
preshared keys
(Ignore this question) To create a digital signature, two steps take place that result in the actual signature that is sent with data. In the first step, the message or information to be sent is passed through a hashing algorithm that creates a hash to:
private key as the key in the encryption process.
________________________ involves increasing access on a system.
privilege escalation
unfiltered
real time plug-in that removes filtering effects, such as comb filtering resonance, or excessive equalization.
An attacker who gains the trust of a potential victim to the point where the victim volunteers information before the attacker tries to get it is said to have succeeded at what?
reverse social engineering
An attacker who sets up such a realistic persona that the victim volunteers information is participating in:
reverse social engineering
Which of the following is the best example of passive information gathering?
reviewing job listings posted by the targeted company
Which of the following Linux commands is used to remove or delete empty directories from the Linux filesystem?
rmdir
A ______________________ replaces and alters system files changing the way a system behaves at a fundamental level.
rootkit
A(n) ____________________ shows the way to the address sought, or the way to the nearest source that might know the address.
route table
A firewall configuration using a server as a router and running multiple network interfaces with automatic routing disabled is an example of a:
router-based
Which firewall configuration would be appropriate within a network to separate and protect various subnets of a network to provide greater security?
router-based
The goal of the security test is for the ethical hacker to test the s______ c______ and evaluate and measure its potential ______.
security controls, vulnerabilities
The unique ID that is assigned to each user account in Windows that identifies the account or group is called a(n):
security identifier (SID)
In addition to mandating federal agencies to establish security measures, the Computer Security Act of 1987 defined important terms such as:
sensitive information
A ____________________ can only monitor an individual network segment.
sensor
What are deployed to detect activity on the network?
sensors
To help prevent ____ attacks, you must educate your users not to type logon names and passwords when someone is standing directly behind them—or even standing nearby. a. shoulder-surfing b. footprinting c. piggybacking d. social engineering
shoulder-surfing
What is a term for tricking or coercing people into giving up confidential information or otherwise violating security policy?
social engineering
________________ is used to fake a MAC address.
spoofing
A category of software that keeps track of users' activities on a computer is called ____________.
spyware
Which is used to intercept user information?
spyware
_______________ records a user's typing.
spyware
__________________ is known to disable protective mechanisms on a system such as antivirus software, anti-spyware software, and firewalls, and to report on a user's activities.
spyware
Some attackers want to be hidden from network devices or IDSs that recognize an inordinate amount of pings or packets being sent to their networks, so they use ____________________ attacks that are more difficult to detect.
stealth
Common database vulnerabilities include all of the following EXCEPT:
strong audit log settings
Which of the following is NOT an attribute of OSPF?
subject to route poisoning
What type of device can have its memory filled up when MAC flooding is used?
switch
Jennifer is using tcpdump to capture traffic on her network. She would like to review a capture log gathered previously. What command can Jennifer use?
tcpdump -r capture.log
Jennifer is using tcpdump to capture traffic on her network. She would like to save the capture for later review. What command can Jennifer use?
tcpdump -w capture.log
Section 1030, mandates penalties for anyone who accesses a computer in an u___________ m_____ or exceeds one's a_____ r_____.
unauthorized manner, access rights
In an ACK scan, if the attacked port returns an RST packet the attacked port is considered to be "____". a. open b. closed c. unfiltered d. unassigned
unfiltered
TFTP strength and weakness
Strength: uses UDP to cut down on overhead. Weakness: requires no authentication.
Which of the following statements is NOT true regarding the protection of databases?
very few tools are available to locate, audit, and ultimately protect databases.
A program that self-replicates is, by definition, called a(n) ____________.
virus
_________________ attach to files.
viruses
List three types of malware
viruses, worms, Trojan programs, adware, and spyware
Which of the following would confirm a user named chell in SMTP?
vrfy chell
A security exposure in an operating system or application software component is called a ______________________.
vulnerability
A ____ is a script that tells the modem to dial a range of phone numbers defined by the user, and then identifies those numbers that connect to remote computers.
war dialer
A term used to describe calling numerous telephone numbers, usually sequentially, in hopes of reaching a computer to attempt to hack into is called ____________.
war-dialing
The Linux command ____________________ shows you where the files appear in your PATH.
whereis
What three models do penetration or security testers use to conduct tests?
white box, black box, gray box
A setup created by wireless networking technologies that are designed to extend or replace wired networks is called:
wireless local area network (WLAN)
One of the bigger benefits of a Live CD is that a user can boot a computer off a Live CD:
without making any alterations to the existing operating system on the computer
It is most important to obtain _______________________ before beginning a penetration test.
written authorization
POP3 port
110
You have been asked to perform a port scan for POP3. Which port will you scan for?
110
SUNRPC port
111
T/F: In the early 1980s, the majority of servers ran on Windows platforms.
FALSE
SNScan is used to access information for which protocol?
SNMP
The Attacker's Process: 1. Performing r_____________ and f___________ 2. s_______ and e__________ 3. Gaining ______ 4. e_________ of p________ 5. Maintaining ______ 6. ________ tracks and placing _________
1. Performing reconnaissance and footprinting 2. Scanning and enumeration 3. Gaining access 4. Escalation of privilege 5. Maintaining access 6. Covering tracks and placing backdoors
The Ethical Hacker's Process: 1. P_________ 2. R_____________ 3. S_______ 4. Gaining ______ 5. Maintaining ______ 6. C_______ tracks 7. R________
1. Permission 2. Reconnaissance 3. Scanning 4. Gaining access 5. Maintaining access 6. Covering tracks 7. Reporting
What are 2 methods of encryption
1. Stream cipher 2. Block cipher
What are the two IDS types
1. signature 2. anomaly
Nmap Common Option: Idle scan switch
-sI
Nmap Common Option: TCP stealth scan
-sS
The ____ option of Nmap is used to perform a TCP SYN stealth port scan. a. -sS b. -sU c. -sV d. -S
-sS
Nmap Common Option: TCP full connect scan
-sT
Which of the following is the Nmap command line switch for a full connect port scan?
-sT
Nmap Common Option: UDP scan
-sU
Nmap Common Option: Verbose. Its use is recommended. Use twice for greater effect.
-v
You found the following address in your log files: 0xde.0xaa.0xce.0x1a. What is the IP address in decimal?
0xde.0xaa.0xce.0x1a hexadecimal converted to base10 gives 222.170.206.26.
What are the 3 types of root kits?
1. Application 2. Kernel 3. Library
List 5 cryptography attacks.
1. Birthday attack 2. Mathematical attack 3. Brute force attack 4. Man in the middle attack 5. Replay attack
Name 4 types of password attacks
1. Brute force attack 2. Man in the middle attack 3. Dictionary attack 4. Replay attack
List 3 basic filter commands for Wireshark
1. Host 2. Net 3. Port
List 4 metasploit commands
1. info - show information on an exploit 2. show - display something 3. set - sets parameters for an exploit 4. use - open an exploit to begin setup
Sections ____ and ____ are the main statutes that address computer crime in U.S. federal law.
1029 and 1030
Blocking port ____________ can help prevent the spread of some versions of the MyDoom virus.
1034
Nmap Common Option: scans via IPv6 rather than IPv4
-6
Nmap Common Option: Hide scan using many decoys
-Ddecoy_host1,decoy2[,...]
Nmap Common Option: Only scans ports listed in nmap-services
-F
Nmap Common Option: Use TCP/IP fingerprinting to guess remote operating system
-O
Nmap Common Option: Don't ping hosts (needed to scan www.microsoft.com and others)
-P0
Nmap Common Option: Specify source address or network interface
-S <your_IP>/-e <devicename>
Nmap Common Option: General timing policy
-T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane>
What does the following command in Ettercap do? ettercap -T -q -F cd.ef -M ARP /192.168.13.100
-T tells ettercap to use the text interface; -q tells ettercap to be quieter; -F tells ettercap to use a filter, in this case cd.ef; -M tells ettercap which MITM (man-in-the-middle) method to use, in this case ARP poisoning.
Nmap Common Option: Get targets from file. Use '-' for stdin
-iL <inputfile>
Nmap Common Option: Never do DNS resolution/Always resolve [default: sometimes resolve]
-n/-R
Nmap Common Option: Output normal/XML/grepable scan logs to <logfile>
-oN/-oX/-oG <logfile>
Nmap Common Option: ports to scan. Example range: '1-1024,1080,6666,31337'
-p <range>
Which of the following switches is used for an ACK scan?
-sA
LDAP port
389
SHORT ANSWER Briefly describe 3DES.
3DES (Triple DES) is the technique of encrypting plain text with DES and then taking the ciphertext and encrypting it again, with another DES key, and then taking the result and encrypting it yet again, with yet another DES key. The reader may ask why there is no such thing as Dexa DES, where the results are encrypted ten times. The answer is that each encryption takes time at both ends, and industry is unhappy to multiply the time spent encrypting and decrypting a document between three and ten times. Still, 3DES is faster than any secure asymmetric key algorithm.
What is the key length of 3DES?
3DES has a key length of 168 bits.
What percentage of companies are estimated to have policies regarding social networking?
40%
SSL port
443
SMB over IP port
445
What port range is an obscure third-party application most likely to see?
49152 to 65535
SMTP port
53
Port number ________ is used by DNS for zone transfers.
53 TCP
DNS port
67/68
DHCP port
69
TFTP port
79
Finger port
80
HTTP uses port ____ to connect to a Web service. a. 21 b. 22 c. 25 d. 80
80
Message Digest 5 (MD5)
A 128-bit cryptographic hash function; still used, even though its weaknesses make finding collisions practical with only moderate computing power. Most useful for file integrity checking.
What do many analysts believe was the reason for the MyDoom virus/worm?
A DDoS attack targeting Santa Cruz Operations
_______________ runs completely from removable media.
A Live CD
Data Encryption Standard (DES)
A NIST standard for protecting sensitive but unclassified data; it was later replaced because the increased processing power of computers made it possible to break DES encryption.
SHORT ANSWER How can a computer be authenticated?
A computer can be authenticated by its IP address, IP host address, or MAC address. IP address—An IPv4 address is a set of dotted numeric figures such as 66.37.227.194 (this particular address is in the Cox Communications Omaha NE network). IP host address—This is the "friendly URL" for a machine, e.g., mail.yahoo.com. MAC address—MAC stands for Media Access Control and is a 12-character hexadecimal number that every network appliance or PC has. MAC addresses are usually notated like this: 00-09-D5-00-DB-BA. Each MAC address contains the code for the manufacturer. You can look up MAC addresses on the Internet at www.techzoom.net/nettools-macdecode.asp.
Honeypot
A computer placed on the network perimeter that contains information or data intended to lure hackers and distract them from legitimate network resources.
Ping of Death Attack
A crafted ICMP packet larger than the maximum 65,535 bytes; causes the recipient system to crash or freeze.
What is a code of ethics?
A description of expected behavior
Security Appliance
A device that combines multiple network protection functions, such as those performed by a router, a firewall, and an IPS, on the same piece of hardware.
What are digital certs?
A digital cert is an electronic file that is used to verify a user's identity. It provides nonrepudiation throughout the system.
Which of the following binds a user's identity to a public key?
A digital certificate binds a user's identity to a public key.
Certificate
A digital document that verifies whether two parties exchanging data over the Internet are really who they claim to be. Each certificate has a unique serial number and must follow the X.509 standard.
Which of the following is the best definition for the term sneaker?
A person who hacks a system to test its vulnerabilities
What is an ICMP echo scan?
A ping sweep
Virtual Directory
A pointer to a physical directory on a Web server.
Which of the following statements is NOT true about firewall policy?
A policy is not necessary if the firewall is configured in the way the administrator wants.
Modulation
A process that defines how data is placed on a carrier signal.
Block Cipher
A symmetric algorithm that encrypts data in blocks of bits. These blocks are used as input to mathematical functions that perform substitution and transposition of the bits, making it difficult for someone to reverse-engineer the mathematical functions that were used.
Stream Cipher
A symmetric algorithm that operates on plaintext one bit at a time.
Advanced Encryption Standard (AES)
A symmetric block cipher standard from NIST that replaced DES. See also Data Encryption Standard (DES).
Security Incident Response Team (SIRT)
A team of security professionals with the main responsibility of responding to network attacks and security events.
What is missing from a half-open scan?
ACK
AW Security Scanner
AWSPS features a set of tools for assessment of Network Security including a TCP Connect scanning engine, with adjustable maximum number of simultaneously opened ports and no-connection time-out adjustment. A TCP Syn scanning engine for Windows 2000 platforms with TCP/IP and ICMP packet capture and more. A UDP Port scanner with test probing of ports to confirm whether the host is up. A NetBIOS scanner. Mapping of Ports to applications feature (Ports Finder). Local Connections and Listening Ports instant report. Local TCP, UDP and ICMP statistics instant report. Local Active Routes, DNS Servers and Persistent Routes. Local IP Statistics/Settings reports. Local Transport Protocols/Winsock Service Providers list and details.
Your team lead has asked you to make absolute changes to a file's permissions. Which of the following would be correct?
Absolute mode will require the use of octal values, such as chmod 320.
Types of sniffing
1. Active 2. Passive
Embedded Operating System (OS)
An operating system that runs in an embedded system; designed to be small and efficient, so it usually lacks some functions of general-purpose OSs. It can be a small program developed specifically for an embedded system or a stripped-down version of a general-purpose OS.
Institute of Electrical and Electronics Engineers (IEEE)
An organization that creates standards for the IT industry.
Null Session
An unauthenticated connection to a Windows system.
Which piece of malicious code was written with the VBS Worm Generator?
Anna Kournikova was created in only a few hours using a tool called the VBS Worm Generator.
Which ports should security professionals scan when doing a test? Why?
As a security tester, you need to know which ports attackers are going after so those ports can be closed or protected. Security professionals must scan all ports when doing a test, not just the well-known ports (Ports 1 to 1023, the most common, are covered in Chapter 2). Many computer programs use port numbers outside the range of well-known ports. For example, pcAnywhere operates on ports 65301, 22, 5631, and 5632. A hacker who discovers that port 65301 is open might want to check the information at the Common Vulnerabilities and Exposures Web site for a possible vulnerability in pcAnywhere. After a hacker discovers an open service, finding a vulnerability or exploit isn't difficult.
As a security tester, should you use social-engineering tactics?
As a security tester, you should never use social-engineering tactics unless the person who hired you gives you permission in writing. You should also confirm on which employees you're allowed to perform social-engineering tests, and document the tests you conduct. Your documentation should include the responses you received, and all test results should, of course, be confidential.
You have just completed a scan of your servers, and you found port 31337 open. Which of the following programs uses that port by default?
BOK uses port 31337 by default.
Several APs group together to form a _____________.
BSS
Which of the following is a next-generation Trojan tool that was designed to accept customized, specially designed plug-ins?
Back Orifice (BO2K)
An attacker can use a(n) _______ to return to a system.
Backdoor
Which presented itself as an e-mail from the system administrator informing the user of a virus infection and gave directions to open an e-mail attachment which would then scan for e-mail addresses and shared folders?
Bagle
Which of the following reveals telling information such as version and service data that will help an attacker?
Banner
Request could not be fulfilled by server
HTTP 500 Internal Server Error
The HTTP ____________________ method is used with a proxy that can dynamically switch to a tunnel connection, such as Secure Socket Layer (SSL).
CONNECT
What common tool can be used for launching ARP poisoning attack?
Cain & Abel
Define sniffing
Capturing packets that pass on a network that aren't meant for you.
The first computer incident-response team was sponsored by ____________ University.
Carnegie-Mellon
The first computer incident response team is affiliated with what university?
Carnegie-Mellon University
Which of the following manages digital certificates?
Certificate Authority
You have been asked to investigate a breach of security. An attacker successfully modified the purchase price of an item. You have verified that no entries were found in the IDS, and the SQL databases show no indication of compromise. How did this attack most likely occur?
Changing the hidden tag value from a local copy of the web page would allow an attacker to alter the prices without tampering with the SQL database or any alerts being raised on the IDS.
SHORT ANSWER Briefly describe the main characteristics of Cheops.
Cheops, a port scanner for Linux operating systems, was developed for the GNOME interface by using the GTK+ kit. The most important differentiating feature of Cheops is its graphical nature. This application uses a dramatically large percentage of CPU cycles and slows all other applications to a crawl, which probably has something to do with the complexity of its graphical interface. This is a popular application, but Nessus and Nmap do more useful work without this beautiful GUI. This program can be downloaded from ftp://ftp.marko.net/pub/cheops.
Which of the following lock types are smart and programmable?
Cipher
Which type of firewall creates a private virtual connection with the client?
Circuit-level gateway
After accessing a router configuration file, you found the following password: 70832585B0D1C0B0343. What type of password is it?
Cisco uses a proprietary Vigenere cipher to encrypt all passwords on the router except the enable secret password, which uses MD5. The Vigenere cipher is easy to break.
Which of the following is NOT a network mapping tool?
Conquistador
Which type of token does NOT require that the card be inserted or slid through a reader?
Contactless
Wireless Network Interface Cards (WNICs)
Controller cards that send and receive network traffic via radio waves and are required on both APs and wireless enabled computers to establish a WLAN connection.
Which of the following best describes covert communications?
Covert communications can be described as sending and receiving unauthorized information or data between machines without alerting any firewalls and IDSes on a network.
Computer ____________________ is the term for illegally hacking into a computer system without the permission of the system's owner.
Cracking
Which term is generally used by hackers to refer to attempts at intrusion into a system without permission and usually for malevolent purposes?
Cracking
Which of the following is a tool used to find DDoS programs?
DDoSPing is a Windows GUI scanner for the DDoS agents Wintrinoo, Trinoo, Stacheldraht and TFN.
Encryption and virtual private networks are techniques used to secure which of the following?
Data
In IPsec, what does Encapsulating Security Payload (ESP) provide?
Data Security
____________________ is the process of enclosing higher-level protocol information in lower-level protocol information.
Data encapsulation
Which is NOT a service included in the Norton single machine firewall?
Data recovery
Which of the following is a hierarchical, structured format for storing information for later retrieval, modification, management, and other purposes?
Database
Which of the following refers to a piece of software, a tool, or a technique that targets or takes advantage of a vulnerability?
Exploit
Which of the following maintains a repository for information on virus outbreaks and detailed information about specific viruses?
F-Secure Corporation
A database can be a victim of source code exploits.
FALSE
A drawback to public key infrastructure (PKI) is that the two parties must have prior knowledge of one another in order to establish a relationship.
FALSE
A facility can never have too much lighting.
FALSE
An ad hoc network scales well in production environments.
FALSE
Backdoors are an example of covert channels.
FALSE
Botnets are used to bypass the functionality of a switch.
FALSE
Enumeration discovers which ports are open.
FALSE
Firewalls provide very little protection to a database server.
FALSE
HIDS can monitor network activity.
FALSE
If a company invests in an intrusion detection system other security controls will be unnecessary.
FALSE
If you really understand Facebook's privacy settings you can arrange to keep everything in your profile private.
FALSE
Input validation is a result of SQL injections.
FALSE
It's acceptable to use one password for all your online financial accounts as long as that one password is strong enough.
FALSE
Mantraps encourage piggybacking which is the practice of one individual opening the door to let several others enter.
FALSE
Most encryption cannot be broken.
FALSE
Multipartite viruses come in encrypted form.
FALSE
Ping scanning does not identify open ports.
FALSE
Pop-up blockers, automatic updates, and private browsing capability clutter up the browser and make it weaker.
FALSE
Scareware is harmless.
FALSE
Port 20
File Transfer Protocol - (FTP) - Port 20 used for data transfer
Port 21
File Transfer Protocol - (FTP) - Port 21 used for control
Which of the following is a best defense against the Unicode vulnerability on an unpatched IIS server?
File traversal will not work from one logical drive to another; therefore, the attack would be unsuccessful.
Your coworker has set up a packet filter to filter traffic on the source port of a packet. He wants to prevent DoS attacks and would like you to help him to configure Snort. Which of the following would best accomplish the stated goal?
Filtering data on the source port of a packet isn't secure because a skilled hacker can easily change a source port on a packet, which could then pass through the filter.
Stateless Packet Filters
Filters on routers that handle each packet separately, so they aren't resistant to spoofing or DoS attacks.
Stateful Packet Filters
Filters on routers that record session-specific information in a file about network connections, including the ports a client uses.
A vulnerability scan is a good way to do what?
Find open ports, Find weaknesses
Port 79
Finger
SHORT ANSWER Explain how to setup a TCP connection.
First, the source computer delivers a SYN packet to the destination computer. This packet has the initial sequence number (ISN) that the destination computer must use in order to send a response (ACK) to the source computer. The ISN is indicated by whether the SYN bit is "set." For example, if the SYN bit is set to 1, the 32-bit sequence number represents ISN. However, if the SYN bit is not set, meaning the value of the SYN bit is zero (0), the 32-bit number represents the (ongoing) sequence number. Upon receipt of the SYN packet, the receiving computer transmits a SYN with an acknowledgment, ACK. Finally, the source computer sends an ACK to the destination computer as a response with an "in-range" sequence number.
Which of the following is specifically designed to passively gain information about a target?
Footprinting
Server received invalid response from upstream server
HTTP 502 Bad Gateway
Which method of transmission hops between subchannels, sending out short bursts of data on each subchannel for a short period of time?
Frequency-hopping spread spectrum hops between subchannels and sends out short bursts of data on each subchannel for a short period of time.
FUD
Fully Undetectable
The HTTP ____ method retrieves data by URI. (Options: GET, PUT, POST, HEAD)
GET
____ is the most basic HTTP method. (Options: GET, PUT, CONNECT, HEAD)
GET
NmapFE is an nmap graphic interface for the ____________________ Linux Desktop.
GNOME
What is the purpose of social engineering?
Gain information from a human being through face-to-face or electronic means
Which of the following is NOT a type of malware?
Gameware
Port 190
Gateway Access Control Protocol (GACP)
Footprinting
Gathering information about a company before performing a security test or launching an attack; sometimes referred to as "reconnaissance."
Which step(s) in the information-gathering process does footprinting cover?
Gathering information and determining the network range
Dumpster Diving
Gathering information by examining the trash that people discard.
What should a pentester do prior to initiating a new penetration test?
Get Permission
A contract is important because it does what?
Gives Proof
Port 70
Gopher Services
"____" hackers are evidence that the dichotomy of good and evil is NOT a very good fit to the real world.
Gray Hat
Which type of hacker may use their skills for both benign and malicious goals at different times?
Gray Hat
SHORT ANSWER How does IP protocol scanning work?
IP protocol scanning examines a target host for supported IP protocols. In this method, the scanner transmits IP packets to each protocol on the target host. If a protocol on the target host replies with an ICMP unreachable message to the scanner, then the target host does not use that protocol. If there is no reply, then the hacker assumes that the target host supports that protocol. Unfortunately for the hacker, firewalls and computers that run operating systems such as Digital UNIX (now replaced with Compaq Tru64 Operating System) and HP-UX do not send any ICMP unreachable messages. Consequently, the IP protocols supported by such hosts cannot be determined by using IP protocol scanning. Fortunately for the script kiddie population, the number of Digital UNIX, Tru64, and HP-UX servers is relatively small.
What network appliance senses irregularities and plays an active role in stopping that irregular activity from continuing?
IPS
____ is a collection of Internet Engineering Task Force (IETF) standards that define an architecture at the Internet Protocol (IP) layer that protects IP traffic by using various security services.
IPSec
SHORT ANSWER How does DNS spoofing work?
In a DNS spoof, the hacker changes a Web site's IP address to the IP address of the hacker's computer. Consequently, whenever a user from the target subnetwork sends a request for that Web site, DNS servers convert the host name to the incorrect IP address. Altering the IP address directs the user to the hacker's computer. Since the user is accessing the hacker's computer under the impression that he or she is accessing a different, legitimate, site, the hacker can then send malicious code to the user's computer. The hacked site might show an alert message suggesting that all users download a specific program to protect their computers from the dangerous W32/Willies Virus. Users might actively assist in their own demise, believing they are on the real site. DNS spoofing puts the spurious IP information into a cache on a DNS server, and this needs to be frequently refreshed if the spoof is to be long-running. While the spoof is in place, anybody who uses that specific DNS server will be directed to the bogus site.
Public Key
In a key pair, the key that can be known by the public; it works with a private key in asymmetric key cryptography, which is also known as public key cryptography.
Which type of network requires an AP?
Infrastructure
Which of the following is NOT one of the steps an attacker must perform to conduct a successful session hijacking?
Inject packets into the network prior to the authentication process.
What is the best method of defending against IP spoofing?
Installing a router/firewall that blocks packets that appear to be originating within the network.
What does hashing preserve in relation to data?
Integrity
Which of the following terms refers to the ability to verify that information has not been altered and has remained in the form originally intended by the creator?
Integrity
Why is an SPI firewall less susceptible to spoofing attacks?
It examines the source IP of all packets.
Which is true about the Wolverine firewall solution?
It includes built-in VPN capabilities.
Port 143
Internet Message Access Protocol 4 - (IMAP4)
The ____ is responsible for transmitting data from the source computer to the final destination computer.
Internet Protocol (IP)
Port 194
Internet Relay Chat (IRC)
Which of the following is NOT one of the Internet sources that hackers use to gather information about a company or its employees?
Internet protocol resources
Content of an Ethical Hacking Report: i___________, s________ __ w___ p________, r______ ___ c__________, r______________
Introduction, Statement of work performed, Results and conclusions, Recommendations
Which of the following provides the ability to monitor a network, host, or application, and report back when suspicious activity is detected?
Intrusion detection system (IDS)
Which of the following best describes footprinting?
Investigation of a target
Win API
Is an interface to the Windows OS that programmers can use to access information about a computer running Windows, such as the computer name, OS name, and so forth.
Testing
Is conducted on a variable and returns a value of true or false.
Which of the following statements is NOT true regarding Address Resolution Protocol (ARP) poisoning?
It cannot be used to alter data in transmission or tap Voice over IP (VoIP) phone calls.
SHORT ANSWER Describe some legal reconnaissance activities.
Looking up all of the information about a company available on the Internet, including published phone numbers, office hours, and addresses, is completely legal. Calling with a problem requiring customer service assistance is completely legal (even if it is a made-up problem). Interviewing a member of the staff for a school project is legal. Physical entry of a facility, including attending a tour of the facility, is entirely legal. Making friends with somebody who works there or used to work there is also legal. It would be exceptionally paranoid for company representatives to refuse to answer the phone "just in case it is a hacker performing recon." All of these methods and many others are completely legal and done for various reasons all the time.
What level of knowledge about hacking does a script kiddie have?
Low
Which of the following was NOT a benefit of the 802.11a over 802.11b?
Lower cost of equipment
You have been able to get a Terminal window open on a remote Linux host. You now need to use a command-line web browser to download a privilege-escalation tool. Which of the following will work?
Lynx is a basic browser that can be used to pull down the needed code.
You have enabled MAC filtering at the wireless access point. Which of the following is most correct?
MAC addresses can be spoofed; therefore, used by itself, it is not an adequate defense.
_______________ blocks systems based on physical address.
MAC filtering
Bob is attempting to sniff a wired network in his first pen test contract. He sees only traffic from the segment he is connected to. What can Bob do to gather all switch traffic?
MAC flooding
___________________ is used to flood a switch with bogus MAC addresses.
MAC flooding
Port 29
MSG ICP
SHORT ANSWER What are the issues with copying, downloading, and using proprietary software and other copyrighted works?
Many hackers find it tempting to copy, download, and use proprietary software and other copyrighted works. While hackers typically consider this a harmless activity, it is often illegal (based upon the license with which the software is distributed). There is a philosophical discourse as to whether free access to information is more or less important than a creator's right to protect his or her creations. This is the same sort of debate as that over copyright law, the regulations which govern the distribution and modification of written works. Many feel that proprietary software is a form of elitism that inhibits progress. The argument is that every person has the right to hear, read, see, or learn anything that is available. Proponents of strong intellectual property rights argue that there would be no creation at all if there was not some method of ensuring remuneration or royalty for reproduction of that intellectual property.
In order to identify a particular computer on a network, computers are assigned a unique identifier called a(n) ______________________________ address.
Media Access Control (MAC)
Countermeasures that can be used to defeat sniffing include all of the following EXCEPT:
Media Access Control (MAC) flooding
Which topology has built-in redundancy because of its many client connections?
Mesh
____________________ is a secure hash algorithm developed in 1992 by Ron Rivest, one of the inventors of RSA.
Message Digest Algorithm 5 (MD5)
Port 18
Message Send Protocol (MSP)
NetBIOS
NetBIOS is a Windows programming interface that allows computers to communicate across a local area network (LAN). Most Windows OSs use NetBIOS to share files and printers. NetBIOS listens on UDP ports 137 (NetBIOS Name service) and 138 (NetBIOS Datagram service) and TCP port 139 (NetBIOS Session service). File and printer sharing in Windows also requires an upper-level service called Server Message Block (SMB), which runs on top of NetBIOS. In Windows 2000 and later, SMB listens on TCP port 445 and doesn't need to use NetBIOS over TCP/IP unless support for older Windows versions is required.
To see additional parameters that can be used with the ____ command, you can type nc -h at the command prompt. (Options: Nslookup, Namedroppers, Netcat, Whois)
Netcat
Which of the following is capable of port redirection?
Netcat
Which of the following best describes Netcat?
Netcat is a network utility for reading from and writing to network connections on either TCP or UDP. Because of its versatility, Netcat is also called the TCP/IP Swiss army knife.
Which of the following is used for identifying a web server OS?
Netcraft
Elaborate on the following statement: "The most difficult job of a security professional is preventing social engineers from getting crucial information from company employees."
No matter how thorough a security policy is or how much money is spent on firewalls and intrusion detection systems (IDSs), employees are still the weakest link in an organization. Attackers know this fact and use it. Employees must be trained and tested periodically on security practices. Just as fire drills help prepare people to evacuate during a fire, random security drills can improve a company's security practices. For example, randomly selecting and testing employees each month to see whether they would give their passwords to someone within or outside the organization is a good way to see if your security memos are being read and followed.
What is a technique used to determine if someone is trying to falsely deny that they performed a particular action?
Non-repudiation
Which of the following best describes hashing?
Nonreversible
Port 396
Novell Netware over IP
____ hackers have limited computer and programming skills, and rely on toolkits to conduct their attacks.
Novice
Symmetric key systems have key distribution problems due to _______.
Number Of Keys
The process of determining the underlying version of the system program being used is best described as __________________________.
OS fingerprinting
What is the greatest danger in a network host-based configuration?
Operating system security flaws
Which of the following can be used to tweak or fine-tune search results?
Operators
Which of the following statements is NOT true regarding over-sharing of company activities?
Over-sharing of company activities typically is conducted by disgruntled employees who are intentionally trying to harm their company.
Which of the following is the least secure?
PAP
Which of the following does IPsec use?
PKI
Which system does SSL use to function?
PKI
What is PKI?
PKI is a structure designed to verify and authenticate the identity of individuals within the enterprise taking part in a data exchange.
A public key is stored on the local computer by its owner in a _______.
PKI system
Port 109
POP2
The HTTP ____ method allows data to be sent to a Web server. (Options: GET, PUT, POST, HEAD)
POST
Which category of firewall filters is based on packet header data only?
Packet
One of the members of your red team would like to run Dsniff on a span of the network that is composed of hubs. Which of the following types best describes this attack?
Passive sniffing is all that is required to listen to traffic on a hub. Answer A is incorrect, as active sniffing is performed on switches.
Vulnerability research deals with which of the following?
Passively uncovering vulnerabilities
1. John the Ripper 2. Ophcrack 3. Expect 4. L0phtcrack 5. Pwdump6 6. Fgdump
Password cracking tools
Enumeration is useful to system hacking because it provides _______.
Passwords and Usernames
Which of the following is true regarding account passwords?
Passwords should have at least one number and one special character.
Your IDS is actively matching incoming packets against known attacks. Which of the following technologies is being used?
Pattern matching is the act of matching packets against known signatures. Answer B is incorrect because anomaly detection looks for patterns of behavior that are out of the ordinary.
Which of the following refers to the structured and methodical means of investigating, uncovering, attacking, and reporting on a target system's strengths and vulnerabilities?
Penetration testing
DIG
Perform DNS zone transfers; replaces the Nslookup command
Which of the following tests includes anything that targets equipment or facilities and can also include actions against people, such as social engineering-related threats?
Physical attack
Repeaters, hubs, bridges, and switches are part of:
Physical or Network Access Layer equipment
____ is trailing closely behind an employee who has access to an area without the person realizing that you didn't use a PIN or a security badge to enter the area. (Options: Shoulder surfing, Footprinting, Piggybacking, Dumpster diving)
Piggybacking
Which attack occurs by sending packets that are too large for the target machine to handle?
Ping of death
Ping sweep
Pinging a range of IP addresses to identify live systems on a network.
Ciphertext
Plaintext (readable text) that has been encrypted.
Which port uses SSL to secure web traffic?
Port 443
What is privilege escalation?
Privilege escalation is an attempt to obtain admin or root privileges.
An intrusion-detection system is an example of:
Proactive security
Which of the following is the best definition for non-repudiation?
Process that verifies which user performed what action.
Which of the following is NOT a countermeasure to threats against wireless LANs?
Promiscuous clients
What mode must be configured to allow a NIC to capture all traffic on the wire?
Promiscuous mode
Briefly describe RIP attacks.
RIP attacks take advantage of RIP, or Routing Information Protocol. This information protocol is an essential component in a TCP/IP network and is responsible for distribution of routing information within networks. A RIP packet is often used without verification. Attacks on RIP change the destination of data. An attacker can change the routing table on routers and specify that the route through the hacker's designated collection node is the fastest route for packets to or from a sensitive machine. Once the router is modified, it transmits all of the packets to the hacker computer. They can then be modified, read, or responded to.
You have been asked to look up a domain that is located in Europe. Which RIR should you examine first?
RIPE
__________________________ is well suited for bulk encryption.
RSA
A TCP connection can be broken either by exchanging the FIN packets or by sending ____ packets.
RST
During a Xmas tree scan what indicates a port is closed?
RST
During an FIN scan, what indicates that a port is closed?
RST
Which of the following would be the best defense if your Web server had limited resources but you needed a strong defense against DoS?
RST cookie
A _________ is a type of offline attack?
Rainbow Attack
A ___________________ is an offline attack.
Rainbow attack
Which of the following is a type of smash-and-grab burglary in which a heavy vehicle is driven through the windows or doors of a closed shop, usually one selling electronics or jewelry, to quickly rob it?
Ram-raiding
What are worms typically known for?
Rapid replication
Plaintext
Readable text that hasn't been encrypted; also called cleartext.
SHORT ANSWER How can you stop a continuous ACK transfer by resynchronizing the client and server?
Resynchronizing the actual trusted computer with the victim server is performed because both computers have information regarding the quantity of packets that must be transferred. Whenever the hacker inserts additional packets to the stream of data between the actual client and the server, the victim server receives more packets than the trusted client actually sent. To avoid the loop of ACK packets between the client and the host, the hacker should synchronize the number of packets that are sent, which leads both valid members of the session to believe that the packet count is right. If this is done correctly, there will be no ACK storm because neither the trusted computer nor the victim will have too high or too low of a packet count. The hijack will be a complete success and the malicious code transfer from the attacker's machine will be considered a success.
GET
Retrieves data by URI
It should be routine for someone on the IT security staff to
Review firewall logs
Which network topology uses a token-based access methodology?
Ring
The individual responsible for releasing what is considered to be the first Internet worm was __________________.
Robert T. Morris, Jr.
Which of the following can be shipped preconfigured?
Router based firewalls
Which router configuration is potentially least vulnerable to an attack?
Routers that filter packets with source addresses in the local domain
Required Skills of an Ethical Hacker: R______, M________, L____, F________, M_________, N______ p________, P______ m_________
Routers, Microsoft, Linux, Firewalls, Mainframes, Network protocols, Project management
Which of the following is NOT a commonly accepted rule of evidence?
Rumored
A _________ is a file used to store passwords.
SAM
____ is a third-generation network security analysis tool developed by Advanced Research Corporation
SARA
You have been hired by Bob's Burgers to scan its network for vulnerabilities. They would like you to perform a system-level scan. Which of the following programs should you use?
SARA is a system-level scanner that can scan various ports and attempt to verify what is running on each and what vulnerabilities are present. Answer A is incorrect because Flawfinder is a source code scanner.
You have selected the option in your IDS to notify you via email if it senses any network irregularities. Checking the logs, you notice a few incidents but you didn't receive any alerts. What protocol needs to be configured on the IDS?
SMTP
Port 108
SNA Gateway Access Server
Port 563
SNEWS
Port 161
SNMP
What phase comes after footprinting?
Scanning
Which of the following solutions is actually a combination of firewalls?
Screened firewalls
SSL is a mechanism for which of the following?
Securing transmitted data
NTLM provides what benefit versus LM?
Security
SMTP is used to perform which function?
Send email messages
Which of the following is the best definition for IP spoofing?
Sending a packet that appears to come from a trusted IP
Which of the following represents the second to the lowest level of data classification in the commercial system?
Sensitive is the second to the lowest level of security in the commercial data classification system. The commercial system is categorized from lowest to highest level as public, sensitive, private, and confidential.
Which of the following is a largely obsolete protocol that was originally designed for use in connections established by modems?
Serial Line Interface Protocol
____ can be used to read PINs entered at ATMs or to detect long-distance authorization codes that callers dial. (Options: Shoulder surfing, Footprinting, Zone transferring, Social engineering)
Shoulder surfing
You watch over Bernie's shoulder while he types the password to log on to hushmail.com. What is this type of attack called?
Shoulder surfing is looking over someone's shoulder to get information. Shoulder surfing is an effective way to get information in crowded places because it's relatively easy to stand next to someone and watch as they enter a password or PIN.
Port 115
Simple File Transfer Protocol (SFTP)
Port 1080
Socks
Spyware
Software installed on users' computers without their knowledge that records personal information from the source computer and sends it to a destination computer.
Firmware
Software residing on a chip.
What is a Trojan horse?
Software that appears to be benign but really has some malicious purpose
Which of the following is the best definition of malware?
Software that damages your system
Which of the following types of lighting is randomly turned on to create an impression of activity?
Standby
Which firewall denies or permits access based in part on data determined from previous packets in the conversation?
Stateful packet inspection
Which type of firewall is considered the most secure?
Stateful packet inspection
What is steganography?
Steganography is the practice of concealing a message inside another medium in such a way that only the sender and recipient even know of its existence.
____________________ refers to setting an IDS rule to watch for abnormal increases in network traffic and to alert the security officer when they occur.
Storm watching
____ loss is a loss of, or the untimely publication of, strategic data that outlines events planned for the future.
Strategic
____ ciphers use a key stream to encrypt and decrypt a plaintext message.
Stream
Which of the following can be used to assess physical security?
Street Views
Which of the following is the best option to prevent hackers from sniffing your information on the wired portion of your network?
Strong password authentication protocols, such as Kerberos, coupled with the use of smart card and the secure remote password protocol are good choices to increase security on wired networks. The secure remote password protocol is the core technology behind the Stanford SRP Authentication Project.
Which of the following refers to a language used to interact with databases making it possible to access, manipulate, and change data?
Structured Query Language (SQL)
Which of the following refers to a language used to interact with databases, making it possible to access, manipulate, and change data?
Structured Query Language (SQL)
Which of the following is a method of separating a network into segments for better management and performance?
Subnet mask
____ is the replacement of a letter or group of letters with another letter or group of letters.
Substitution
Which of the following describes a hacker who attacks without regard for being caught or punished?
Suicide Hacker
This scan has the FIN, URG, and PSH flags toggled on. Open ports should provide no response. Closed ports should return an RST. Systems must be designed per RFC 793 for this scan to work. It does not work against most versions of Windows.
TCP XMAS scan
In ____, the target host transmits connection-succeeded messages for active ports and host-unreachable messages for inactive ports.
TCP connect scanning
SHORT ANSWER Describe the reason why an ACK storm happens.
The ACK storm happens because the attacker was not in a place to stop or delete packets the trusted computer sent. An ACK storm will not occur if the attacker can place himself in the actual flow of the packets, but it takes a certain amount of daring to set up the situation so that you can put yourself in the flow. The attacker would have to be in control of the connection itself so that the session authentication takes place through the attacker's chosen channel.
How many steps are in the ARP process?
The ARP process is a two-step process that consists of an ARP request and an ARP reply.
Which of the following laws was originally passed to address federal computer-related offenses and the cracking of computer systems?
The Computer Fraud and Abuse Act of 1986
OpenPGP
The Internet public key encryption standard for PGP messages; can use AES, IDEA, RSA, DSA, and SHA algorithms for encrypting, authenticating, verifying message integrity, and managing keys. The most common free version is GNU Privacy Guard (GnuPG or GPG), and a commercial version that's compliant with the OpenPGP standard is available.
Secure Hash Algorithm (SHA)
The NIST standard hashing algorithm that's much stronger than MD5 but has demonstrated weaknesses. For sensitive applications, NIST recommends not using SHA-1, and federal agencies are replacing it with longer digest versions, collectively called SHA-2.
After reading an online article about wireless security, Jay attempts to lock down the wireless network by turning off the broadcast of the SSID and changing its value. Jay's now frustrated when he realizes that unauthorized users are still connecting. What is wrong?
The SSID is still sent in packets exchanged between the client and WAP; therefore, it is vulnerable to sniffing. Tools such as Kismet can be used to discover the SSID.
Which malicious program exploited a vulnerability in the Local Security Authority Subsystem Service (LSASS)? LSASS is used by Windows computers to verify a user logging in to a Windows domain or computer.
The Sasser worm targets a security issue with the Local Security Authority Subsystem Service
FAT16
The table entry for every sector is expressed in 16 bytes in FAT16, which is why it is named FAT16. Because of this innate limitation, when a disk exceeds the capacity that can be addressed this way, the cluster size must be expanded to adapt to the larger disk space. A cluster is the allocation unit of disk space, much like one shelf in a library bookcase. Every file must be allocated enough clusters before it can be stored on the disk.
Basic Service Area (BSA)
The coverage area an access point provides in a wireless network.
User Mode
The default method on a Cisco router, used to perform basic troubleshooting tests and list information stored on the router. In this mode, no changes can be made to the router's configuration.
Data Encryption Algorithm (DEA)
The encryption algorithm used in the DES standard; a symmetric algorithm that uses 56 bits for encryption. See also Data Encryption Standard (DES).
You are looking at several types of biometric systems. Which of the following measurements detail the percentage of legitimate users who might be denied access because of system errors or inaccuracy?
The false rejection rate measures how many legitimate users who should have gotten in, but didn't.
Message Digest
The fixed-length value that a hashing algorithm produces; used to verify that data or messages haven't been changed.
List at least five tools available for footprinting.
The following tools can be used for footprinting: Google groups, Whois, SamSpade, Web Data Extractor, FOCA, Necrosoft NS Scan, Google search engine, Namedroppers, White Pages, Metis, Dig, Netcat, Wget, Paros, and Maltego.
Amplitude
The height of a sound wave; determines a sound's volume.
SHORT ANSWER What are the most important types of scanning?
The most important types of scanning are the following:
* Transmission Control Protocol (TCP) connect scanning
* Half-open scanning
* User Datagram Protocol (UDP) scanning
* IP protocol scanning
* Ping scanning
* Stealth scanning
Service Set Identifier (SSID)
The name of a WLAN; can be broadcast by an AP.
What is the three-way handshake?
The opening sequence of a TCP connection
SHORT ANSWER Describe some illegal reconnaissance activities.
There are a number of plainly illegal reconnaissance techniques. Developing a "front" company and acting as a representative of that company, specifically for the purpose of robbing or defrauding the target company, is probably illegal. Furthermore, being expensive and time consuming, this is probably reserved for the professional intel agencies. Stealing garbage is illegal in many locales. Entering a home or office to look for information is also illegal, but this often goes undetected as no valuables are being removed. Dropping a keylogger—a tool that records users' keystrokes—on a vulnerable machine is illegal. Leaving a sniffer, which can intercept and read data packets, on a network is illegal.
Which of the following is a U.S. Department of Defense (DoD) standard that sets basic requirements for assessing the effectiveness of computer security controls built into a computer system?
Trusted Computer System Evaluation Criteria (TCSEC)
Which of the following types of locks is considered more secure as it has movable metal parts that prevent the wrong key from opening the lock parts?
Tumbler locks are more complex than a basic ward lock. Instead of wards, they use tumblers that make it harder for the wrong key to open the lock.
A logic bomb has how many parts, typically?
Two
A public and private key system differs from symmetric because it uses which of the following?
Two Keys
Of the two protocols discussed which is more difficult to scan for?
UDP
Newsgroups are part of an online bulletin board system called ____, which contains groups covering a huge variety of subjects.
USENET
____ was developed to assist security testers in conducting tests on large networks and to consolidate many of the tools needed for large-scale endeavors. (Answer options: Unicornscan, NetScanTools, Nessus, Nmap)
Unicornscan
Unicornscan
Unicornscan running on a typical Pentium computer can scan one port on each IP address of a Class B network. This equates to scanning 65,535 computers in 3 to 7 seconds, which brings UDP scanning to a new level. Most scanners using UDP scans can just make best guesses when trying to determine whether a port is closed, open, or filtered. Many security testers consider UDP scanning an unreliable method of discovering live systems on a network. Although Unicornscan can handle TCP, ICMP, and IP port scanning, it optimizes UDP scanning beyond the capabilities of any other port scanner.
List the five techniques used by social engineers in their attempts to gain information from unsuspecting people.
Urgency - Quid pro quo - Status quo - Kindness - Position
Which of the following is a connectionless protocol that offers speed and low overhead as its primary advantage?
User Datagram Protocol
Enumeration is useful to system hacking because it provides which of the following?
Usernames
Social Engineering
Using an understanding of human nature to get information from people.
What is SQL injection?
Using SQL queries submitted through websites to change or reveal data from their databases.
A(n) ____ is a 1-pixel x 1-pixel image file referenced in an <IMG> tag, and it usually works with a cookie. (Answer options: image bug, zone transfer, Bugnosis detector, Web bug)
Web bug
dynamic Web pages
Web pages that can change on the fly depending on variables, such as the date or time of day.
Static Web Pages
Web pages that display the same information whenever they're accessed.
Hping
You can also use the Hping tool (www.hping.org/download) to perform ping sweeps. However, many security testers use it to bypass filtering devices by injecting crafted or otherwise modified IP packets. This tool offers a wealth of features, and security testers should spend as much time as possible learning this advanced port-scanning tool. For a quick overview, use the hping --help | less command, and browse through the parameters you can use (see Figures 5-7, 5-8, and 5-9). As you can see, many parameters can be added to the Hping command, enabling you to craft an IP packet for your purposes.
Nmap has a GUI version called ____________________ that makes it easier to work with some of the more complex options.
Zenmap
________ involves grabbing a copy of a zone file.
Zone transfer
____________________ is a DNS feature that lets a DNS server update its database with the list of domain names in another DNS server.
Zone transfer
____ enable you to see all the host computers on a network. In other words, they give you an organization's network diagram. (Answer options: Web bugs, Footprints, Zone transfers, Namedroppers)
Zone transfers
Nmap 6.25 Usage: nmap [____ _______] [_______] <____ or ___ list>
[Scan Type(s)] [Options] <host or net list>
Web bug
a 1-pixel x 1-pixel image file referenced in an <IMG> tag, and it usually works with a cookie. Its purpose is similar to that of spyware and adware: to get information about the person visiting the Web site, such as an IP address, the time the Web bug was viewed, and the type of browser used to view the page.
ConsoleOne
a graphical Java utility for centralized network administration; and the Novell Certificate Authority service, which enabled a server to issue digital certificates.
Which of the following is NOT a step in the common lock picking method of scraping?
a pry bar is used to pry the lock away from the door
In using symmetric encryption to encrypt a given piece of information there are two different mechanisms an algorithm can use, either:
a stream cipher or a block cipher
In using symmetric encryption to encrypt a given piece of information, there are two different mechanisms an algorithm can use, either:
a stream cipher or a block cipher
To identify the NetBIOS names of systems on the 193.145.85.0 network, which of the following commands do you use? a. nbtscan 193.145.85.0/24 b. nbtscan 193.145.85.0-255 c. nbtstat 193.145.85.0/24 d. netstat 193.145.85.0/24
a. nbtscan 193.145.85.0/24
With a hub connectivity device in place, all traffic can be seen by all other stations, which can be also referred to as all stations being on the same:
collision domain
Which of the following contains host records for a domain? a. DNS b. WINS c. Linux server d. UNIX Web clients
a. DNS
does not allow entry or access to a service
closed port
Which Nmap command verifies whether the SSH port is open on any computers in the 192.168.1.0 network? (Choose all that apply.) a. nmap -v 192.168.1.0-254 -p 22 b. nmap -v 192.168.1.0-254 -p 23 c. nmap -v 192.168.1.0-254 -s 22 d. nmap -v 192.168.1.0/24 -p 22
a. nmap -v 192.168.1.0-254 -p 22 d. nmap -v 192.168.1.0/24 -p 22
Which of the following tools can assist you in finding general information about an organization and its employees? (Choose all that apply.) a. www.google.com b. http://groups.google.com c. Netcat d. Nmap
a. www.google.com b. http://groups.google.com
A route table has two sections: the active routes and the ____.
active connections
In ____________________, the hacker can see both parties, observe the responses from the target computer, and respond accordingly.
active spoofing
Countermeasures an organization can take to thwart footprinting of the organization's Web site include all of the following except:
adding unnecessary information to the Web site to throw attackers off the trail.
Web applications are used to ______________.
allow dynamic content
Any activity that should not be but is occurring on an information system is called:
an intrusion
Prevention of viruses and malware includes _____________________.
antivirus
Which of the following testing processes is the most intrusive? a. Port scanning b. Enumeration c. Null scanning d. Numeration
b. Enumeration
Because of cost and size concerns, embedded OSs usually have: a. More RAM and secondary storage than desktop computers b. More flash memory than desktop computers c. Less ROM and primary storage than desktop computers d. Less RAM and secondary storage than desktop computers
d. Less RAM and secondary storage than desktop computers
eDirectory
eDirectory is an X.500-compatible directory service software product from NetIQ. Previously owned by Novell, the product has also been known as Novell Directory Services (NDS) and sometimes referred to as NetWare Directory Services. NDS was initially released by Novell in 1993 for Netware 4, replacing the Netware bindery mechanism used in previous versions, for centrally managing access to resources on multiple servers and computers within a given network. eDirectory is a hierarchical, object oriented database used to represent certain assets in an organization in a logical tree, including organizations, organizational units, people, positions, servers, volumes, workstations, applications, printers, services, and groups to name just a few.
_____________________ is a powerful prevention measure for stopping viruses.
education
might indicate that a firewall is being used
filtered port
What is the core of the Linux operating system?
kernel
Covert channels work over _____________________.
known channels
Which attack requires the attacker to obtain several encrypted messages that have been encrypted using the same encryption algorithm?
known plaintext attack
Which of the following makes UDP harder to scan for?
lack of startup and shutdown
The preferred paradigm, or approach to security, is a ____________ approach.
layered
The principle that individuals will be given only the level of access that is appropriate for their specific job role or function is called:
least privilege
A mechanical or electronic device designed to secure, hold, or close items operated by a key, combination, or keycard is a:
lock
___________________ are configured to go off at a certain date, time, or when a specific event occurs.
logic bombs
Which of the following best describes how ICMP is used?
logical errors and diagnostics
Which command is used to list the files and subdirectories in a given location?
ls
chmod +x script_name
makes the script executable
Exploitative behaviors against Web applications include all of the following EXCEPT:
man-in-the-middle attacks
Exploitative behaviors against web applications include all of the following EXCEPT:
man-in-the-middle attacks
The manual method of obtaining network range information requires the attacker to visit at least one or more of the Regional Internet Registries (RIRs), which are responsible for:
management, distribution, and registration of public IP addresses within their respective assigned regions.
A section of the hard drive record responsible for assisting in locating the operating system to boot the computer is called the:
master boot records (MBRs)
Media Access Control (MAC) flooding and Address Resolution Protocol (ARP) poisoning are:
methods of bypassing a switch to perform sniffing
Which command is used to create new directories?
mkdir
What is msfconsole?
msfconsole is a Metasploit command that provides a centralized console giving you access to all of the options available in the Metasploit Framework.
The 802.11n standard uses a new method of transmitting signals, which can transmit multiple signals across multiple antennas. This new method of transmitting signals is called:
multiple input and multiple output (MIMO)
Which of the following virus attacks initiated a DoS attack?
MyDoom
You have been running Snort on your network and captured the following traffic. Can you identify it? 11/12-01:52:14.979681 0:D0:9:7A:E5:E9 -> 0:D0:9:7A:C:9B type:0x800 len:0x3E 192.168.13.10.237:1674 -> 192.168.13.234:12345 TCP TTL:128 TOS:0x0 ID:5277 IpLen:20 DgmLen:48 *****S Seq: 0x3F2FE2AA Ack: 0x0 Win: 0x4000 TcpLen: 28 TCP Options (4) => MSS: 1460 NOP NOP SackOK =+=+=+=+=+=+=+=+=+
In a NetBus scan, port 12345 is scanned, as can be seen in the trace.
There are two DNS services involved: n___ _________, and a____________ _______.
name resolvers, authoritative servers
Which command can be used to view NetBIOS information?
nbtstat
How would you use Netcat to set up a server on a system?
nc -l -p 192.168.1.1
A term used to refer to the process of authentication and verification as accomplished on some gateways is ____________.
negotiation
What command is used to listen to open ports with netstat?
netstat -an
Using a server running the Linux operating system with its built-in firewall as the network firewall is one example of which firewall configuration?
network host-based
A ____________________ has the ability to monitor network activity.
network intrusion detection system (NIDS)
The profession of ____ is emerging from a chaotic set of conflicting ethics from both the hobbyist and student communities and those on the information technology career track.
network security
What is a security vulnerability found in RIP?
no authentication
Which of the following terms refers to the ability to have definite proof that a message originated from a specific party?
non-repudiation
allows access to applications
open port
tar command
The tar program is used to create, maintain, modify, and extract files that are archived in the tar format. tar stands for tape archive; it is an archiving file format. tar was originally developed in the early days of Unix for the purpose of backing up files to tape-based storage devices. It was later formalized as part of the POSIX standard, and today it is used to collect, distribute, and archive files while preserving file system attributes such as user and group permissions, access and modification dates, and directory structures.
A NIC can be set up to retrieve any data packet being transferred throughout the Ethernet network segment. This mode is known as _________________________.
promiscuous mode
Which of the following challenges can be solved by firewalls?
protection against scanning
What is the generic syntax of a Wireshark filter?
protocol.field operator value
A ____________ can help reduce system vulnerability by preventing disclosure of IP addresses much like a firewall.
proxy server
With a circuit level gateway in place, external users only see the IP address of the ____________.
proxy server
Which of the following Linux commands is used to display the current location of the user within the Linux directory structure?
pwd
Breaking the trust the client has placed in the ethical hacker can lead to the:
questioning of other details, such as the results of the test.
Precomputed hashes are used in an attack type known as a:
rainbow table
Which of the following is a type of smash-and-grab burglary in which a heavy vehicle is driven through the windows or doors of a closed shop, usually one selling electronics or jewelry, to quickly rob it?
ram-raiding
Common scams used in social media include all of the following EXCEPT:
reaching out to users to raise money for a legitimate charity.
Which command can be used to remove a file or folder?
rm