Ethical Hacking - C701 TotalTester Part 1/2
Internet attackers—state-sponsored or otherwise—often discover vulnerabilities in a service or product but keep the information quiet and to themselves, thus ensuring the vendor is unaware of the vulnerability until the attackers are ready to launch an exploit. Which of the following best describes this?
. Zero-day attack A is correct. A zero-day attack is one carried out on a vulnerability the good guys didn't even know existed. The true horror of such attacks is that you do not known about the vulnerability until it's far too late.
Which Google search operator allows a pen tester to restrict results to only those from websites within a given domain?
. site: D is correct. This operator displays pages for a specific website or domain holding the search term. For example, site:anywhere.com passwds would display all pages with the text "passwds" in the domain anywhere.com. A, B, and C are incorrect. The link: operator displays linked pages based on a search term, the inurl: operator displays pages with the string in the URL, and the cache: operator displays the most recently cached version of a web page.
Which of the following provides the integrity method for WPA2?
. CCMP As good as WPA was, there were tiny flaws to be exploited in TKIP. Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) was created to fix those and is the integrity method used by Wi-Fi Protected Access 2 (WPA2).
Which firewall operates at Layer 5?
Circuit level It's true that circuit-level firewalls can and do monitor TCP handshakes (Layer 4) and that they can monitor and filter on upper-layer protocols (Application layer), but they don't make filtering decisions based on the data within those protocols. They primarily work at the Session layer (Layer 5). Application-level firewalls work at Layer 7, and packet-filtering and stateful firewalls respectively at Layers 3 and 4.
A victim is directed to a website an attacker has modified: the attacker has created a transparent frame in front of the Click Here To Login button. When the victim clicks to log in to the site, they are redirected instead to a URL the attacker owns. Which of the following best describes the attack?
Clickjacking Clickjacking is exactly what it sounds like—stealing the "click" a user intended for one thing and using it for another
Which cloud role in NIST acts to manage the use, performance, and delivery of cloud services as well as the relationships between providers and subscribers?
Cloud broker The cloud broker acts to manage the use, performance, and delivery of cloud services as well as the relationships between providers and subscribers. Per NIST SP 500-292, the broker "acts as the intermediate between consumer and provider and will help consumers through the complexity of cloud service offerings and may also create value added cloud services as well."
You want to separate data ownership from data custodian duties. Which of the following should be implemented to carry this out?
Cloud computing As far as ECC is concerned, cloud computing is the ultimate in separation of duties. The data owner is the entity that is accountable for the data itself, while the data custodian is the entity responsible for access to the data. When a single individual becomes both the data owner and the data custodian, security issues can arise. Because cloud computing offers some separation of duties, ECC wants you to know the cloud can help with that.
Which attack can be mitigated by configuring the web server to send random challenge tokens?
CSRF In a CSRF attack, a user is already on a validated session with the target server. He then opens a link sent by the attacker to a malicious site. If things are set appropriately, the attacker can then send requests to the user's valid se
During a pen test, you notice VoIP traffic is traversing the subnet. Which of the following tools could be used to decode a packet capture and extract voice conversations?
Cain is correct. Cain (and Abel) can do all sorts of great stuff, including extracting voice from VoIP captures.
Which of the following tools provides visibility and security controls for servers in a cloud?
CloudPassage Halo A is correct. CloudPassage Halo "provides instant visibility and continuous protection for servers in any combination of data centers, private clouds, and public clouds." B, C, and D are incorrect. Metasploit is a framework for delivering exploits. AWSExploit is not a legitimate tool. CloudInspect was designed for AWS cloud subscribers and runs as an automated, all-in-one testing suite specifically for your cloud subscription.
Which of the following statements best defines smishing?
It is sending SMS texts to a user in an effort to trick them into downloading malicious code. Smishing comes from cramming SMS (texting) and phishing together. "Smishing," get it? The idea is the same as with phishing, except you use text messaging to trick users into downloading stuff.
Which of the following best describes a honeypot?
It is used to gather information about attackers.
Which of the following lists security and privacy controls for U.S. government federal information systems?
NIST 800-53 NIST 800-53: Security and Privacy Controls for Federal Information Systems and Organizations "provides a catalog of security controls for all U.S. federal information systems except those related to national security." Remember that exception—it may help you on the exam.
Which cloud deployment model is also known as "single tenant"?
Private A private cloud model is operated solely for a single organization (a.k.a. single-tenant environment), is usually not a pay-as-you-go type of operation, and is usually preferred by larger organizations.
You want to create a document that shows how to install data-at-rest protection within your system. Which of the following is the best descriptor of the document you are creating?
Procedure A procedures document is a step-by-step description of how to accomplish a specific task.
You deploy cloud services such that they are provided over a network open for public use. Which of the following best describes your deployment of cloud?
Public public cloud model is one where services are provided over a network that is open for public use (like the Internet). Public cloud is generally used when security and compliance requirements found in large organizations aren't a major issue.
A security consulting group is brought in to assist in improving the security posture of the environment. Team members perform footprinting, enumeration, scanning, and vulnerability assessments, then attempt exploitation of specific findings. Other team members attend the security tools and policies of the environment before, during, and after the attacks to monitor and suggest improvements on the environment's security suite. Which of the following best describes the team?
Purple team Red and blue teams are pretty well known. Red teams are on offense, employed to go on the attack, simulating the bad guys out in the world by trying to exploit anything they can find, and blue teams are the security professionals trying to defend the network. They are often merged into "purple" teams in the real world to better test and secure environments. A, B, and D are incorrect. The team is performing both red and blue team duties, making A and B incorrect choices. D is included as a distractor.
A new network administrator is asked to schedule daily scans of systems throughout the enterprise. Which of the following programming languages has an OSI-approved open source license and is commonly used for accomplishing this goal?
Python Python is free to use, even for commercial products, because of its OSI-approved open source license, and is commonly used for simple items such as kicking off scans
Which of the following describes the risk that remains after the vulnerabilities are classified and the countermeasures have been deployed?
Residual risk Residual risk is exactly what it sounds like—risk that remains after the application of security controls.
Joe sends an unsolicited e-mail to several users on the network advising them of potential network problems and provides a contact number to call. Joe then performs a denial of service on several systems. He then receives phone calls from users asking for assistance. Which social engineering practice is in play here?
Reverse social engineering Reverse social engineering occurs when you get the targets to call you.
Which protocol usually listens on ports in the 137-139 range?
SMB D is correct. Also known as Common Internet File System (CIFS), SMB can run directly over port 445 but also uses 137 and 138 in UDP and uses 137 and 139 in TCP. A, B, and C are incorrect. Telnet uses 23, Kerberos uses 88, and SNMP uses 161.
Which of the following are true statements regarding SMB? (Choose all that apply.)
SMB uses port 445. B. SMB can use TCP or UDP. Server Message Block (SMB) is an application-level protocol that is used mainly for shared resource access (such as file and print sharing). It runs over port 445 on either TCP or UDP, depending on the usage
You implement a firewall on the edge of your private network. Which of the following best describes this control effort?
Technical preventive control A firewall is a technical control and is preventive in nature. Controls are generally preventive, corrective, or detective in nature; however, they may also be labeled as directive, deterrent, or compensating.
What does SOAP use to package and exchange information for web services?
XML SOAP formats its information exchange in XML.
During investigation of system security, you discover the HttpOnly flag is set in cookies. Which of the following is most likely being mitigated by this attempt?
XSS D is correct. Of the answers provided, XSS is the only one that makes sense. This setting prevents cookies from being accessible by a client-side script. A, B, and C are incorrect. Cross-site request forgery (CSRF) tricks a user (usually by phishing) into visiting a malicious website, while the user has an active, authenticated session with a trusted website (the malicious website can then instruct the user's web browser to send a request to the target website). CSPP (connection string parameter pollution) is an injection attack that takes advantage of web applications using semicolons to separate parameters in database communication. Buffer overflow has absolutely nothing to do with this question.
The organization has a DNS server out in the DMZ and a second internal to the network. Which of the following best describes this DNS configuration?
Split DNS Split DNS is recommended virtually everywhere. Internal hosts may need to see everything internal, but external hosts do not. Keep internal DNS records split away from external, as there is no need for anyone outside your organization to see them.
Which of the following describes a vulnerability allowing attackers to execute concatenated commands in bash?
Shellshock A is correct. Shellshock works by causing Bash to unintentionally execute commands when the commands are concatenated (usually via CGI) to the end of function definitions stored in the values of environment variables.
Search engines assist users in finding the information they want on the Internet. Which of the following is known as the hacker's search engine, explicitly allowing you to find specific types of computers (for example, routers or servers) connected to the Internet?
Shodan B is correct. Shodan allows users to search for very specific types of hosts, which can be very helpful to attackers—ethical or not. A, C, and D are incorrect. Whois provides registrar and technical POC information. Nslookup is a command-line tool for DNS lookups. Burp Suite is a website/application hacking tool.
Which of the following attacks is also known as "cross-guest VM breach"?
Side channel Side-channel attacks, also known as "cross-guest VM breach," deal with the virtualization itself. If an attacker can somehow gain control of an existing VM (or place his own) on the same physical host as the target, he may be able to pull off lots of naughty activities.
Which character is the best choice to start a SQL injection attempt?
Single quote . The single quote starts many SQL attacks.
Which of the following best describe crypters?
Software tools that use a combination of encryption and code manipulation to render malware as undetectable to antivirus "Crypters" are software tools that use a combination of encryption and code manipulation to render malware as undetectable to AV and other security-monitoring products (in Internet lingo, it's referred to as "fud," for "fully undetectable").
Which of the following best describes a biometric passport?
Something you have There are three main types of authentication: something you know, something you have, and something you are. When we see "biometric," we instantly want to click "something you are" and move on. But in this case it's asking about a biometric passport, which is actually biometric information stored on a chip. The biometric passport is a physical object; therefore, this is something you have.
Which virus type is only executed when a specific condition is met?
Sparse infector Sparse infector viruses only fire when a specific condition is met. For example, maybe the fifth time Calculator is run, whammo—virus execution.
An attacker performs a whois search against a target organization and discovers the technical point of contact and site ownership e-mail addresses. He then crafts an e-mail to the owner from the technical POC, with instructions to click a link to see web statistics for the site. Instead, the link goes to a fake site where credentials are stolen. Which attack has taken place?
Spear phishing Spear phishing occurs when the e-mail is being sent to a specific audience, even if that audience is one person. In this example, the attacker used recon information to craft an e-mail designed to be more realistic to the intended victim and therefore more successful.
Which of the following is a valid Google Search entry for searching for spreadsheet files possibly containing passwords?
site:sample.com filetype:xls username password B is correct. Of the answers provided, this matches the correct syntax of what is being searched for. A, C, and D are incorrect. The remaining answers do not match the syntax required for the sear
Which of the following commands can be used to launch the executable bad.exe hidden in the file NoProblems.txt?
start noproblems.txt:bad.exe There are other methods, but the syntax displayed here is correct.
Examine the partial e-mail header provided here: Return-path: [email protected] Delivery-date: Tue, 12 Mar 2019 00:31:13 +0200 Received: from mailexchanger.anotherbiz.com([220.15.10.254]) by mailserver.anotherbiz.com running ExIM with esmtp id xxxxxx-xxxxxx-xxx; Tue, 12 Mar 2019 01:39:23 +0200 Received: from mailserver.anybiz.com ([215.90.50.254] helo=mailserver.anybiz.com) by mailexchanger.anotherbiz.com with esmtp id xxxxxx-xxxxxx-xx for [email protected]; Tue, 12 Mar 2019 01:39:23 +0200 Received: from SOMEONEComputer [220.200.100.254] (helo=[SOMEONEcomputer]) by mailserver.anybiz.com with esmtpa (Exim x.xx) (envelope-from <[email protected]) id xxxxx-xxxxxx-xxxx for [email protected]; Mon, 11 Mar 2019 20:36:08 -0100 Message-ID: [email protected] Date: Mon, 11 Mar 2019 20:36:01 -0100 X-Mailer: Mail Client From: SOMEONE Name [email protected] To: USERJOE Name [email protected] Subject: Opinion ... What is the address of the true originator of the message?
220.200.100.254. E-mail headers are packed with information, showing the entire route the message has taken. Thankfully, on your exam you'll most likely be asked to identify the true originator: the machine (person) who sent it in the first place. This is clearly displayed in line 9, shown here: Received: from SOMEONEComputer [220.200.100.254] (helo=[SOMEONEcomputer]).
You are searching for systems with file sharing enabled. Which port would be seen in a listening state on a Microsoft Windows machine, thus indicating file sharing?
445 here are a few ports in Microsoft system file sharing you should be aware of. Microsoft file sharing SMB uses UDP and TCP ports from 135 to 139. Direct-hosted SMB traffic without NetBIOS uses port 445 (TCP and UPD 161 is an SNMP port, 3389 is associated with Terminal Services (a.k.a. Remote Desktop), and 1433 is an MS SQL port.
Bob is working with senior management to identify the systems and processes that are critical for operations. As part of this business impact assessment (BIA), he performs calculations on various systems to place value on them. On a certain server he discovers the following: • The server costs $2500 to purchase. • The server typically fails once every five years. • Salary for the technician to repair a server failure is $40 an hour, and it typically takes two hours to fully restore a failure. • The accounting group has five employees paid $25 an hour who are at a standstill during an outage. What is the ALE for the server?
566 ALE = ARO × SLE. To find the correct annualized loss expectancy, multiply the percentage of time it is likely to occur annually (annual rate of occurrence, in this case 0.2, or 1 failure / 5 years = 20 percent) by the amount of cost incurred from a single failure (single loss expectancy [in this case, $80 for the repair guy] + $250 [5 employees at $25 an hour for 2 hours] + $2500 [replacement of the server] = $2830). ALE = 0.2 × $2830, so the ALE in this case is $566.
In a CSPP attack, which of the following would most likely be used?
; The entire attack is based on the use of semicolons by web applications in communicating with databases. Suppose, for example, an attacker entered "; Integrated Security=true" as a password. Because the semicolon closes the password parameter, the rest of the command dictates the web app should connect to the database using the system account instead of a user one. CSPP attacks can be mitigated by treating semicolons as data instead of characters. A, B, and D are incorrect. The single quote is generally associated with SQL injection efforts. The + and @ signs are not applicable here
Which of the following best describes a wrapping attack?
A SOAP message is intercepted, data in the envelope is changed, and then it is sent/replayed. Wrapping attacks involve messing with SOAP messages and replaying them as legitimate
Which of the following represents the highest risk to an organization's IT security?
A disgruntled employee The internal disgruntled employee represents the biggest risk to your organization. And as easy as this is to remember, you'll definitely get asked about it on the exam.
Which of the following best describes the role that the U.S. Computer Security Incident Response Team (CSIRT) provides?
A reliable and consistent point of contact for all incident response services for associates of the Department of Homeland Security CSIRT provides incident response services for any user, company, agency, or organization in partnership with the Department of Homeland Security.
A security team member enters the following: nmap -d -script ssl-heartbleed -script-args vulns.showall -sV [host] Which of the following would you expect to see returned?
A return of "State: NOT VULNERABLE" on systems protected against Heartbleed You can use the nmap command "nmap -d -script ssl-heartbleed -script-args vulns.showall -sV [host]" to search for the vulnerability; the returned message will say "State: NOT VULNERABLE" if you're good to go.
Your new employee is pen testing a fully switched subnet and wants to know how to proceed. Which of the following methods might be useful for sniffing traffic in this situation? (Choose all that apply.)
A. ARP spoofing B. Span port D. MAC flooding Spoofing ARP messages can trick the switch into sending traffic your way, and MAC flooding turns the switch into a hub. Spanning a port requires access to the switch IOS itself but would provide access to traffic.
Which of the following is incorrect regarding ethical hacking?
A. An ethical hacker always performs testing offsite. B. Ethical hackers never write to or modify a target system. C. Ethical hackers don't make use of tools that have the potential to harm target systems. Because... Ethical hackers act exactly like their black hat, bad guy counterparts, using the same exploits, tools, and activities they do, with one major difference: ethical hackers only work with permission from the organization. Granted, a strong ROE (rules of engagement) up front may limit what the ethical hackers are allowed to employ and how far they are to proceed in a test, but in general, and for a legitimate pen test, if it's fair for the bad guys it should be fair for the ethical hackers.
A client asks you about intrusion detection systems. The company wants a system that dynamically learns traffic patterns and alerts on abnormal traffic. Which IDS would you recommend?
A. Anomaly based Anomaly-based, or behavior-based, systems must be given some time to learn what is considered normal traffic. Then they will alert on anything falling outside the determined nor
Which of the following tools allow for Bluetooth device discovery? (Choose two.)
A. BlueScanner B. BT Browser BlueScanner (from SourceForge) does a great job of finding devices around you, and can also try to extract and display as much information as possible. BT Browser is another great, and well-known, tool for finding and enumerating nearby devices.
How would OSSTMM categorize PCI DSS?
A. Contractual The Open Source Security Testing Methodology Manual (OSSTMM) defines three types of compliance: contractual, legislative, and standards based. Contractual deals with requirements enforced by an industry or non-government group.
Which of the following statements is true regarding Kerberos?
A. Kerberos makes use of UDP as a transport protocol. B. Kerberos makes use of TCP as a transport protocol. C. Kerberos uses port 88 for transmission of data. D. Kerberos makes use of both symmetric and asymmetric encryption techniques. Kerberos makes use of both symmetric and asymmetric encryption technologies to securely transmit passwords and keys across a network. The entire process consists of a key distribution center (KDC), an authentication service (AS), a ticket granting service (TGS), and the ticket granting ticket (TGT). It can make use of both TCP and UDP and runs over port 88.
Which of the following should be included in a security policy? (Choose all that apply.)
A. References to supporting documents B. Policy exceptions C. Noncompliance disciplinary actions A security policy defines everything about your security layout for your employees. Of course it will include references to all sorts of documentation (such as lists of allowed hardware and software as well as locations for related policies and procedures), exceptions (hopefully few, but there will be some), and what happens to employees should they decide to stray from the policy
What encryption standard does WPA2 use?
AES WPA2 uses AES for its encryption algorithm.
Which of the following statements are true regarding active sniffing? (Choose all that apply.)
Active sniffing is used when you are on a switch. Active sniffing is easier to detect than passive sniffing. because... If you're connected to a switch, you're on your own collision domain—meaning you'll only see traffic intended for your port. Active sniffing is typically required in order to force the switch to send you other traffic to sniff. Active attacks, by their nature, are easier to detect—you're actively injecting packets to make your sniffing efforts successful; therefore, there's something to see.
Which of the following is NOT a recommended practice for malware analysis?
After static analysis, run the virus in a sparsely used portion of the network. Running a virus on your production network is dumb, dumb, dumb. When performing malware analysis, first prepare a test bed—usually a system with VMs, all shared drives disabled, and the NIC in host-only mode. After copying the virus to the test system, perform static analysis while the malware is inactive. Next, set up network connections (off production network, of course) and monitor for errors/activity. Finally, run the malware and note the processes, files added, and network activity.
Which of the following best represents SOA?
An API that allows different components to communicate Service-Oriented Architecture (SOA) is all about software components delivering information to one another on a network, and this is the best available answer. SOA is a part of an architectural strategy in computer software design where components of applications provide services to other components via a communications protocol. SOA principles are independent of vendor, product, or technology.
You want to ensure your messages are safe from unauthorized observation and want to provide some means of ensuring the identity of the sender and receiver during the communications process. Which of the following best suits your goals?
Asymmetric encryption Asymmetric encryption protects the data as well as provides for nonrepudiation
Which of the following is a good way to attempt to quickly identify the operating system of your target?
Attempt a telnet session to the machine and examine the banner. Banner grabbing is a time-tested, quick, and easy way to identify operating systems.
Assuming the user had appropriate credentials, which of the following are true regarding the following command? (Choose all that apply.)
B. In Windows Explorer, a drive will appear denoted as BankFiles (\ECCCOMPUTER) (F:). C. The mapped drive will remain mapped after a reboot. Net use commands were the rage back in the day. This command connects to a shared folder on ECCCOMPUTER. The shared folder is named BankFiles, and the mapping will display as a drive (F:) on the local machine. The "persistent:yes" portion means it will remain mapped forever, until the user turns it off.
An attacker creates a fake ID badge and waits next to an entry door to a secured facility. An authorized user swipes a key card and opens the door. The attacker follows the user inside. Which social engineering attack is in play here?
B. Tailgating Tailgating, the attacker holds a fake entry badge of some sort and follows an authorized user inside.
A TCP/IP packet leaves Host A headed to Server B. It is the first packet sent in an attempt to open a web page on Server B using default ports. Which of the following statements are true regarding the response packet sent by Server B? (Choose two.)
B. The SYN and ACK flags will be set. C. The source port will be 80. Because this is a request for a web page, we know the requestor will be using TCP and will be asking for port 80 (HTTP traffic) from the server. Because the second step of the three-way handshake is a SYN/ACK, the response packet will include that. The originating system will assign a dynamic source port and use the well-known port for the destination. Therefore, the server will respond with a source port matching the dynamic port assigned by the originator. In other words, Host A might have sent source port 2200, destination port 80, while the response from Server B would reverse them: source port 80, destination port 2200
Which of the following best describes an effort to identify systems that are critical for continuation of operation for the organization?
BIA Business impact analysis best matches this description. A BIA is the actual process that identifies and evaluates the potential effects that man-made or natural events will have on business operations, and it identifies the critical systems that would be affected by them.
Which of the following is the least likely step you should take in recovering from a malware infection?
Back up the hard drive. Backing up a hard drive when you know there's an infection makes as much sense as putting sugar on your grits. It's a horrible idea and just doesn't work. Why copy the malware?
A pen tester is using netcat in connection with a target over port 80. The results are displayed here: HTTP/1.1 200 OK Server: Microsoft-IIS/6 Expires: Tue, 17 Jan 2018 01:41:33 GMT Date: Mon, 16 Jan 2018 01:41:33 GMT Content-Type: text/html Accept-Ranges: bytes Last-Modified: Wed, 28 Dec 2016 15:32:21 GMT ETag: "b0aac0542e25c31:89d" Content-Length: 7369 Which of the following best describes what was accomplished?
Banner grabbing A is correct. Banner grabbing simply involves touching a box over a port and seeing what message—what banner—comes in response. There are innumerable ways to do this, and you need to be very familiar with each and every one of them. In this example, the pen tester might have used a netcat command such as nc -vv -n 192.168.17.8 80 (where -vv is verbose mode, -n indicates no name resolution, and 80 indicates a connection to port 80). B, C, and D are incorrect. These answers will not provide the results shown and are not banner-grabbing techniques.
Which of the following refers to monitoring security configuration changes over time
Baselining To develop a baseline, you take a snapshot of the current system's security controls and configuration settings. This can be compared to future states (monitored over time) to see what security and configuration changes have been made. Those that are valid go into the new baseline, and those that aren't are cut.
A pen tester is attempting to inject SQL queries based solely on responses to true/false questions. Which of the following best describes the action he is taking?
Blind SQL injection Blind (also known as inferential) injection occurs when the attacker knows the database is susceptible to injection, but the error messages and screen returns don't come back to the attacker. In other words, if the administrator is smart enough to ensure only generic responses come back from queries, an attacker can still ask the database true-or-false questions and determine the answer based on the application's response. Because there's a lot of guesswork and trial and error, this attack takes a long while to pull off.
Where is the SAM file stored on a Windows 7 system?
C:\Windows\System32\Config\ he SAM file is stored in the same folder on most Windows machines, including Windows 10 boxes: C:\Windows\System32\Config. You might also find a copy in backups (C:\Windows\Repair\Sam)
You have an FTP service and an HTTP site on a single server. Which DNS record allows you to alias both services to the same record (IP address)?
CNAME CNAME records provide for aliases within the zone.
Your cloud deployment method shares infrastructure with several organizations. Which of the following best describes your deployment method?
Community B is correct. A community cloud model is one where the infrastructure is shared by several organizations, usually with the same policy and compliance considerations. For example, multiple different state-level organizations may get together and take advantage of a community cloud for services they require. A, C, and D are incorrect. A private cloud model is operated solely for a single organization (a.k.a. single-tenant environment), is usually not a pay-as-you-go type of operation, and is usually preferred by larger organizations. A public cloud model is one where services are provided over a network that is open for public use (like the Internet). The hybrid cloud model is exactly what it sounds like—a composite of two or more cloud deployment models.
Which OSSTMM control ensures only the participants have knowledge of an asset?
Confidentiality The Open Source Security Testing Methodology Manual (OSSTMM) defines five process controls: confidentiality, nonrepudiation, privacy, integrity, and alarm. Confidentiality ensures only participants have knowledge of an asset.
Which of the following statements is true?
Configuring the web server to send random challenge tokens is the best mitigation for CSRF attacks. . A CSRF attack occurs when the attacker takes one session while you're connected on a legitimate one and sends messages as if they're from you. The requests from the bad guy masquerading with your session ID through your browser can be largely stopped by making sure each request has a challenge token—if the server gets one without a token, it's naughty and dropped.
The IR team is advised of a potential information spillage from a networked computer. An IR team member at the system disconnects the computer from the network and powers it down. Which step in the incident handling process was just completed?
Contain The incident handling (or incident response) steps generally include identification (sometimes also called discovery), containment, eradication, recovery, and lessons learned. In this example, the IR team is quite clearly containing the issue. Finally, as an aside, IR teams also take great pains to ensure evidence is preserved as best as possible. I'd assume in this scenario the IR person already took steps to retain memory-resident artifacts and such before shutting things down. The important aspect of this question, however, is to know which IR steps goes where.
Which of the following represents the correct steps you should take when encrypting and signing a message using PKI?
Create a hash of the message. 2. Encrypt the hash with your private key. 3. Encrypt the message with the recipient's public key. A digital signature is a hash of the message signed with your private key—which is a little different because we all know only your public key is used to encrypt. In this case, the use of the private key is designed to prove you are who you say you are.
Two different organizations have their own public key infrastructure up and running. When the two companies merged, security personnel wanted both PKIs to validate certificates from each other. What must the CAs for both companies establish to accomplish this?
Cross-certification . When PKIs need to talk to one another and trust certificates from either side, the CAs need to set up a mutual trust known as "cross-certification."
Which of the following is a symmetric algorithm?
DES
The IT staff is notified that the company's website has been defaced. A security employee, working from home, visits the site and sees the message "YOU HAVE BEEN HACKED!" on the front page. He then reboots the system, VPNs to the internal network, and visits the site again, this time noticing nothing out of place. What is the most likely explanation?
DNS poisoning D is correct. The externally facing DNS server is providing bad resolution to the public, while the internal name server is providing the correct address. A, B, and C are incorrect. None of the remaining choices explains the symptoms.
Which of the following is not one of the basic responses to risk?
Delegate The five risk responses are accept, avoid, monitor (or prepare), mitigate, and transfer.
Which of the following methods does Aircrack-ng use when targeting WPA2-enabled keys?
Dictionary list A is correct. WPA and WPA2 are more secure than WEP, with WPA using TKIP and WPA2 on CCMP. Aircrack has only one option with either of these—a dictionary list. B, C, and D are incorrect. PTW is used by default against WEP, and FMS and Korek are also both options available for WEP, but none works against WPA or WPA2.
Which of the following is the rating assigned by a Common Criteria evaluation?
EAL A is correct. The Evaluation Assurance Level (EAL) is the rating assigned to a product after testing. EAL levels range from 1 (functionally tested) to 7 (formally verified, designed, and tested). B, C, and D are incorrect. Protection profile (PP) is the set of requirements for the type of product being tested. Target of evaluation (TOE) is the product itself. Security target (ST) is the documentation describing the TOE and any requirements.
Which of the following is least likely to mitigate social engineering attacks?
Ensuring strong password policy is in place and enforced What good does a really strong password do you if you hand it over to the nice gentleman calling from the help desk about your computer problems?
What is the MAC address in broadcast frames?
FF:FF:FF:FF:FF:FF
Which of the following is a legitimate use for tcp-over-dns?
Firewall evasion D is correct. Tunneling through a firewall is a great evasion technique, and the tcp-over-dns tool accomplishes this by tunneling over the Domain Name System (DNS). Port 53 is usually open on firewalls because...well, everything uses and needs DNS. The tcp-over-dns tool takes advantage of that. As an aside, it also requires Java runtime environment 6.0 or later and is supported on Windows, Linux, and Solaris.
Which of the following tools can be used in IPSec VPN scanning and fingerprinting?
IKE-scan . IKE-scan is an IPSec VPN scanning, fingerprinting, and testing tool.
Which IDS evasion technique would be associated with splitting TCP headers among multiple packets?
Fragmenting Fragmenting packets is a great way to evade an IDS, for any purpose. Sometimes referred to as IP fragments, splitting a TCP header across multiple packets can serve to keep you hidden while scanning.
Which of the following is most likely to interfere with a system's resource usage?
HIDS A host-based intrusion detection system (HIDS) is, by design, host based. Therefore, it is installed on the system itself and eats up resources like I do hot doughnuts. HIDSs are great at providing an additional layer of protection in your environment, but they do come at a resource cost.
An attacker is attempting to telnet to an internal server. He has done his homework and knows port 23 is open on the machine, it is listening for requests, and he can reach it using port scans from his current location (nmap). To hide his tracks, he spoofs his IP address and then launches telnet against the server. His attempts fail. What is the most likely cause?
He cannot spoof his IP and successfully use telnet. C is correct. Spoofing the IP address sends all of his replies to that fake address, meaning he cannot spoof his IP and still use telnet: the replies would go to the spoofed address instead of the attacker's own. A, B, and D are incorrect. Because the scans are getting through, the firewall is not blocking port 23 traffic, which is telnet's port. Answer D is a distracter.
Valuable, sensitive data appears to have been stolen from the organization. Investigation shows no apparent successful attacks against the business infrastructure over several months. During the investigation, a user returns a laptop found to hold the sensitive information on it. When queried, she admitted to using the laptop after work at a local Starbucks while having an afternoon coffee. Which of the following attacks did she most likely fall victim to?
Honeyspot Faking a well-known hotspot on a rogue AP (such as McDonald's or Starbucks free Wi-Fi spots) is referred to as a "honeyspot" attack. Other names for this include rogue access point and "mis-association."
Amazon's EC2, virtual machines are provided and can be controlled through a service API. Which of the following best defines this service?
IaaS Amazon's EC2 provides resizable compute capacity in the cloud via VMs that can be controlled via API, thus fitting the definition of IaaS.
Which cloud computing type provides virtualized computing resources over the Internet?
IaaS Because... Platform as a Service (PaaS) is geared toward software development because it provides a development platform that allows subscribers to develop applications without building the infrastructure it would normally take to develop and launch software
Operations promotes the use of mobile devices in the enterprise. Security disagrees, noting multiple risks involved in adding mobile devices to the network. Which of the following provides some protections against the risks security is concerned about?
Implementing MDM Mobile Device Management (MDM) won't mitigate all the risks associated with unending use of mobile devices on your network, but it's a step in the right direction.
Your organization resolves events as well as takes the time to log and record root causes, actions taken to mitigate the problem, and lessons learned. What is this process called?
Incident management process Regardless of the size of your organization, a well-defined process for handling incidents is a mandatory, key part of any good security plan. After all, the last thing you want during a real incident is for confusion and panic to reign.
Which of the following best describes a connection stream parameter pollution attack?
Injecting parameters into a connection string using semicolons as separators Highlighted at a Black Hat conference in 2010, CSPP can be used to steal user identities and hijack web credentials. CSPP is a high-risk attack because of the relative ease with which it can be carried out and the potential results it can have.
A small business advertises primarily on the front of their building. During a security assessment, it is noted that an attacker could literally drive a vehicle through the front of the lobby. Which of the following actions works best to mitigate this vulnerability?
Installing bollards Bollards are very strong posts placed in front of a building to prevent accidental (or purposeful) driving of a vehicle into the building. These can be in place permanently, temporarily, or even motorized to pop up and down as the need arises.
Which of the following statements is true regarding STP?
It is a Layer 2 protocol D is correct. Spanning Tree Protocol is considered a Layer 2 protocol. It prevents switching loops (sending packets whizzing about forever in a perpetual broadcast loop) by killing connecting ports along the way.
Which of the following statements is true regarding Kismet?
Kismet can discover wireless networks that are not sending beacon frames. Kismet's primary use is scanning for (and sniffing) wireless networks. Even if the security admin turns beaconing off (so no one can supposedly search for the SSID), Kismet can still find the network for you.
A security admin has turned on MAC filtering on a WAP. Which of the following is the best way to bypass this activity?
MAC spoofing So the admin says, "Only allow these MAC addresses to connect," and the WAP is secure, right? Sure. And I have a future as an NBA player. Simply sniff traffic until you find a MAC that works and spoof it. Voilà!
Which of the following protects against MITM attacks in WPA?
MIC Message integrity check (MIC) is a feature of WPA that provides for integrity checking and, therefore, helps protect against man-in-the-middle attacks. MIC adds a new field that includes a sequence number to wireless packets, and if the WAP receives packets out of order, it will drop them.
Which of the following best matches the POODLE attack?
MITM The original variant of POODLE was a man-in-the-middle attack, where the bad guy exploits vulnerabilities in the TLS security protocol fallback mechanism.
Which of the following best describes an effort to maintain the communications channel between the two entities in hopes of sniffing valuable data?
Man in the middle This correctly describes a man-in-the-middle attack. The idea of a man-in-the-middle attack is to maintain the communications channel between the two entities in hopes of sniffing valuable data.
Which of the following are advantages to a single sign-on system? (Choose two.)
Many user authentication problems can be resolved at a central location. Users do not need to memorize multiple passwords Because... Single sign-on is a great thing for users (remember, one password instead of many) and provides some great benefits for administrators as well. Because users are on one password, most authentication issues can be handled with that one password, at the SSO point.
OSSTMM defines interactive and process controls. Which of the following are process controls?
Nonrepudiation, confidentiality, privacy The Open Source Security Testing Methodology Manual (OSSTMM) notes ten different types of controls. Process controls are nonrepudiation, confidentiality, privacy, integrity, and alarm
Which of the following focuses on protecting customer credit card data?
PCI DSS
Which of the following would most likely be used to encrypt an entire hard drive?
PGP Pretty Good Privacy (PGP) uses an asymmetric encryption method to encrypt information. Although generally associated with e-mail, it can encrypt virtually anything. PGP uses public/private key encryption. TLS and SSL are encryption algorithms for network traffic. SSH is an encrypted version of telne
Which of the following is a software application used to asymmetrically encrypt and digitally sign e-mail?
PGP Pretty Good Privacy is used for signing, compressing, and encrypting and decrypting e-mails, files, directories, and even whole disk partitions, mainly in an effort to increase the security of e-mail communications
What is the primary difference between S/MIME and PGP?
PGP can be used to encrypt hard drives, but S/MIME cannot. C is correct. Pretty Good Privacy (PGP) can handle a lot more than e-mail, and that is one of the primary differences between it and S/MIME (Secure/Multipurpose Internet Mail Extensions). PGP is an application, whereas S/MIME is a protocol. A, B, and D are incorrect. The remaining choices are not true regarding either PGP or S/MIME.
Which of the following attacks acts as a "man in the middle," exploiting fallback mechanisms in TLS clients?
POODLE n a POODLE attack, the man in the middle interrupts all handshake attempts by TLS clients, forcing a degradation to a vulnerable SSL version. Since many browsers would revert back to SSL 3.0 for backward compatibility, and TLS handshakes are "walked down" the connection until a usable one is found, attackers could interrupt the handshaking and make it go all the way down to SSL 3.0. B, C, and D are incorrect. Heartbleed is an OpenSSL vulnerability that allows an attacker to pull 64KB of information from a web server's memory at regular intervals. FREAK (Factoring Attack on RSA-EXPORT Keys) is a technique used in man-in-the-middle attacks to force the downgrade of RSA keys to weaker lengths. DROWN (Decrypting RSA with Obsolete and Weakened eNcryption) allows attackers to break SSLv2 encryption (left on sites for backward compatibility) and read or steal sensitive communications.
A team member enters the following nmap command: nmap --script http-methods --script-args one.two.sample.com When the command executes, the following appears: PORT STATE SERVICE REASON 80/tcp open http syn-ack | http-methods: |_ Supported Methods: GET PUT HEAD POST OPTIONS <output omitted> Based on the output, which HTTP methods will the script consider potentially risky?
PUT The http-methods script will report whether the HTTP GET, PUT, HEAD, POST, and OPTIONS methods are supported by the target system. Of the available options, however, PUT will most likely be marked as potentially risky. HTTP PUT permits HTTP clients to update or upload files on a target system, which could allow naughty uploads. Other HTTP methods that the http-method script will consider potentially risky are DELETE, CONNECT, and TRACE. A, B, and C are incorrect. GET, HEAD, and POST are not considered risky by the scrip
While using your bank's online services, you notice the following string in the URL bar: http://www.MyPersonalBank/Account?Id=368940911028389&Damount=10980&Camount=21 You observe that if you modify the Damount and Camount values and submit the request, the data on the web page reflect the changes. What type of vulnerability is present on this site?
Parameter tampering One of the easiest things you can attempt is simply changing the parameter fields in a URL and seeing what happens.
Which of the following is a true statement regarding phishing and pharming?
Pharming redirects victims by modifying the host configuration or DNS, while phishing redirects by providing the user a malicious URL similar to the legitimate one. Pharming requires the attacker to either adjust the user's hosts file or to redirect DNS queries to a fake location. Phishing is simply providing a URL (or clickable link) that looks similar to a legitimate one.
You hire guards and post guard dogs on the property. Which kind of security measure have you put into place?
Physical Physical measures include all the things you can touch, taste, smell, or get shocked by. Examples of physical controls include bollards, lighting, locks, fences, and guards with Tasers or accompanied by angry German Shepherds.
You are concerned about static electricity problems in your data center. Which of the following will not assist you in dealing with the problem?
Positive pressure Positive pressure is great at keeping contaminants—dust, dirt, and so on—out of the data center, but it doesn't do a thing regarding static electricity
What are the phases of a pen test? (Choose three.)
Pre-attack Attack Post-attack
In which phase of a pen test is scanning performed?
Pre-attack Pen tests have pre-attack, attack, and post-attack phases. Scanning takes place in the pre-attack phase.
James is a member of a pen test team newly hired to test a bank's security. He begins searching for IP addresses the bank may own, using public records on the Internet, and also looks up news articles and job postings to discover information that may be valuable. What phase of the pen test is James working?
Pre-attack The pre-attack phase (a.k.a the preparation phase) is where all this activity takes place—including the passive information gathering performed by James in this example. This would be followed by the attack and post-attack phases.
In what phase of the ethical hacking process would you employ Google hacking?
Reconnaissance Google hacking is merely adjusting the parameters of your search to discover more pertinent information and is performed in reconnaissance.
An organization has a public-facing web server. To protect the internal intranet from enumeration, which of the following steps could be useful?
Remove A records for internal hosts. Removing A records for internal hosts removes the DNS server's ability to provide their IP addresses to a casual DNS request. A, B, and C are incorrect. Allowing zone transfers to all is never a good idea; don't just give it all away! An HIDS will certainly alert on attack signatures but will not prevent the attack attempt. Blocking all port 53 traffic would, in effect, deny your own DNS the ability to service your own clients.
You've discovered a certain application in your environment that has proven to contain vulnerabilities. Which of the following actions best describes avoiding the risk?
Removing the software from the environment Removing the software or service that contains a vulnerability is described as avoiding the risk—if it's not there to be exploited, there's no risk. B, C, and D are incorrect. Installing patches (or a new version) is an attempt to mitigate risk. Installing different software without vulnerabilities is called transferring risk (I don't care what the publisher says, the community will determine if there are vulnerabilities). Leaving the software in place is an example of accepting the risk: maybe security controls are in place to where the chance of it being exploited is so small you're willing to just accept the vulnerabilities that exist.
Which of the following best describes an API that allows application components to communicate with other components?
SOA Service-Oriented Architecture is an architecture-driven software design where software components deliver information to other components, usually over a network. For example, a company might develop an API that provides software programming access to a specific database, which would then let other developers build applications that could leverage the API to query or upload data. C are incorrect. EC2 refers to Amazon Web Services cloud offerings. SOAP (Simple Object Access Protocol) is a messaging protocol using XML (and HTTP) that allows programs running on different operating systems to communicate. Data at rest has nothing to do with this question.
Which flags are set in the segment during the second step of the TCP three-way handshake?
SYN-ACK A three-way TCP handshake has the originator forward a SYN. The recipient, in step 2, sends a SYN and an ACK. In step 3, the originator responds with an ACK.
Which cloud service type offers on-demand applications to subscribers over the Internet?
SaaS Software as a Service (SaaS) is simply a software distribution model—the provider offers on-demand applications to subscribers over the Internet.
In which phase of an ethical hack would an attacker identify live targets and discover information about them, such as OS, vulnerabilities present, and IP address?
Scanning There are five stages in an ethical hack—reconnaissance, scanning, gaining access, maintaining access, and clearing tracks. In this case, the attacker is using ping as well as port and vulnerability scanners to discover live targets and prepare attacks against them
Which of the following is not considered passive in nature?
Scanning the IP range Of the answers provided, only scanning the IP range fits the passive role as defined by EC-Council
Which jailbreaking method does not retain the patched kernel after reboot, but does leave the software on the device, allowing for future jailbreak activities?
Semi-tethered jailbreaking In semi-tethered jailbreaking, a reboot no longer retains the patched kernel; however, the software has already been added to the device. Therefore, if admin privileges are required, the installed jailbreaking tool can be used. A, C, and D are incorrect. A reboot removes all jailbreaking patches in tethered mode, and in untethered mode, the kernel will remain patched (that is, jailbroken) after reboot, with or without a system connection. Rooting is associated with Android devices, not iOS.
Which of the following is a design pattern where services are provided to other components by specific application components?
Service-Oriented Architecture C is correct. First termed "Service-Based Architecture" in 1998, Service-Oriented Architecture is based on distinct pieces of software providing application functionality as service to other applications. Service-Oriented Architecture principles are vendor-neutral. A service is defined as a discrete unit of functionality that can be accessed remotely and acted upon or updated independently. A, B, and D are incorrect. These answers do not correctly reflect the definition provided. Object-Oriented Architecture is regarding software development, but it is a design architecture based on the division of responsibilities for an application or system into individual reusable and self-sufficient objects. Lean code and agile delivery do not apply here.
A pen tester gains access to a Windows application server and enters the following command: netsh firewall show config What should be displayed in return?
Settings of the built-in firewall The netsh command can show all sorts of goodies. In this example, it is used to display the Windows firewall setting
Which of the following is a client-server tool utilized to evade firewall inspection?
Tcp-over-dns Tcp-over-dns combines a special DNS server and client to allow covert messaging.
Traceroute works by stopping at each hop on the way to the destination and providing information to the sender about that hop. How does traceroute manipulate the TTL of the packet to accomplish this?
The TTL is incremented by 1 for each hop discovered. Traceroute starts by setting the TTL to 1. At the first hop, the return packet provides information about that stop along the way. Traceroute then sends the next packet with TTL set to 2, ensuring it will receive information about the hop just after the one it has already discovered. This is repeated until the destination is reached
You are monitoring logs and come across a user login attempt that reads "UserJoe)(&)". Which of the following best describes what is being attempted?
The attacker is attempting LDAP injection. B is correct. The ")(&)" indicates an LDAP injection attempt. A, C, and D are incorrect. SQL injection uses the single quote, and CSPP uses the semicolon. SOAP injection actually looks a lot like SQL injection.
Which of the following statements best describes a teardrop attack?
The attacker sends several overlapping, extremely large IP fragments. In a teardrop attack, the reassembly of fragments takes down the target. Fraggle uses UDP. LAND attacks use the same source IP and destination. Smurf makes use of broadcast pings
A pen tester finds a web application offering an error message with an entry area for an e-mail account. The pen tester enters the following into the field and presses ENTER: ' or '1'='1 A message appears stating "Your login information has been mailed to [email protected]." What is the most likely reason for this?
The background web application used the first record it could find in the table. The entry (' or' 1'='1) in the field had the web app pull the first record from the table.
Examine the following packet capture: 05/11-14:41:06.542524 0:19:A7:FA:DB:9 -> 0:B4:CB:2B:5:F2 tye:0x800 len:0x3A 172.16.55.22:13584 -> 172.16.55.27:1 TCP TTL:40 TOS:0x) ID:8571 IpLen:20 DgmLen:40 **U*P**F Seq: 0x0 Ack: 0x0 win: 0x400 What can you discern from the information provided?
The capture indicates an XMAS scan. B is correct. The PSH, URG, and FIN flags are evident, showing an XMAS scan. A, C, and D are incorrect. A NULL scan would not show the flags set, and an ACK scan would have the ACK flag set. The capture does not indicate anything regarding a backdoor connection.
An attacker tries to do banner grabbing on a remote web server and executes the following command: $ nmap -sV one.sample.com -p 80 He gets the following output: Starting Nmap 6.47 ( http://nmap.org ) at 2014-12-08 19:10 EST Nmap scan report for one.sample.com (172.16.22.201) Host is up (0.032s latency). PORT STATE SERVICE VERSION 80/tcp open http Apache httpd Service detection performed. Please report any incorrect results at http://nmap.org/submit/. Nmap done: 1 IP address (1 host up) scanned in 6.42 seconds Which of the following statements is true regarding the results?
The hacker should've used nmap -O host.domain.com D is correct. The -sV option is for standard service version detection, in this case on port 80. The response shows Apache but nothing else: no banner, no version, no nothing. An -O scan may provide even more detail than would otherwise be gleaned from a simple banner grab. A, B, and C are incorrect. The remaining answers do not match what was returned from the command syntax..
Consider the ports shown in the nmap returned on an IP scanned during footprinting: PORT STATE SERVICE 21/tcp open ftp 23/tcp open telnet 80 /tcp open http 139/tcp open netbios-ssn 515/tcp open 631/tec open ipp 9100/tcp open MAC Address: 01:2A:48:0B:AA:81 Which of the following is true regarding the output?
The host is most likely a printer or has a printer installed B is correct. Port 515 is generally used for printing services (as a listening port). A, C, and D are incorrect. There's not enough information to definitively identify any of the remaining answers..
A web application in your organization provides significant benefit to the accounting team. However, after a vulnerability scan and a risk assessment, it is determined the application presents significant risk if exposed to external attackers. The server hosting the application is moved inside the DMZ and strong access controls are put into place, allowing only the accounting team to use it. Which of the following best describes the risk method used here?
The organization is mitigating the risk. The actions taken and controls put in place are deigned to mitigate the risk—reducing greatly the likelihood it will ever happen
You send an e-mail to an address inside the target organization; however, you purposefully misspell the address to ensure it will not go to an existing mailbox. Which of the following is the best reason for doing this?
To reveal information about the target's e-mail servers If you purposefully send an e-mail to an address you know is not valid, the servers at your target take a look at the address and decide what to do with it. This effort can elicit a response that can provide insight into e-mail handling.
What does OSSTMM define as legislative, contractual, and standards based?
Types of compliance STMM defines compliance types as either legislative, contractual, or standards based. Legislative deals with governmental regulations, contractual deals with industries or groups, and "standards based" deals with things that must be followed to be certified by an organization or group.
This security assessment notifies the client of potential vulnerabilities but does not actually exploit them.
Vulnerability assessment A vulnerability assessment only points out potential problems to the client.
NIST SP 800-30 defines this as the step that determines whether any weaknesses exist in an organization's systems, policies, or procedures. Which of the following best matches this definition?
Vulnerability identification C is correct. NIST SP 800-30 defines nine steps in risk assessments: Purpose, scope, and source identification, or system characterization Threat identification Vulnerability identification Control analysis Likelihood determination Impact analysis Risk determination Communicating and sharing risk assessment information Maintaining the risk assessment Step 3 (vulnerability identification) determines whether any flaws or weaknesses might exist in a company's systems, policies, or procedures. A, B, and D are incorrect. In risk determination, assessors assign values to risk probabilities. In impact analysis, a determination of the extent of loss or degradation due to an exploited risk is made. Threat identification identifies sources that could cause harm to the environment.
You are advising your client on wireless security. Which of the following are valid statements regarding wireless security? (Choose two.)
WPA2 is the best encryption security for the system SSIDs do not provide security measures for a wireless network. WPA2 is the latest encryption standard for wireless, and SSIDs do nothing for security; it's not their intent.
A network admin advises the security staff that it appears there is a larger-than-normal traffic hit on a particular wireless access point on the weekends. Which tool would be the best choice to investigate the issue?
Wireshark Wireshark is the only tool listed that could be used to watch the traffic to and from the WAP.
Which of the following was a piece of malware aimed at Android phones, taking advantage of two-factor authentication to control the phone itself?
ZitMo C is correct. ZitMo (ZeuS-in-the-Mobile) was designed to capture the phone itself, ensuring the one-time passwords also belonged to the bad guys. The target would log on to their bank account and see a message telling them to download an application to their phone in order to receive security messages. Thinking they were installing a security measure, victims instead were installing the means for the attacker to have access to their credentials, not to mention the second authentication factor (usually sent only to the victim via text).
Which nmap script helps with detection of HTTP GET, POST, HEAD, PUT, DELETE, and TRACE methods?
http-methods The following is from nmap.org regarding the script: "Finds out what options are supported by an HTTP server by sending an OPTIONS request. Lists potentially risky methods. It tests those methods not mentioned in the OPTIONS headers individually and sees if they are implemented. Any output other than 501/405 suggests that the method is not in the range 400 to 600.... In this script, 'potentially risky' methods are anything except GET, HEAD, POST, and OPTIONS. If the script reports potentially risky methods, they may not all be security risks, but you should check to make sure."
Which command would display all connections and listening ports in numerical form
netstat -an Netstat can display network connections, routing tables, and all sorts of information about the interface. The -a switch displays all connections and listening ports, and the -n switch puts everything in numerical format.
Which one of the following tools can be used for OS fingerprinting?
nmap Nmap has all sorts of switches that allow you to search for nearly everything. For example, the -O switch would come in handy here.
You're using nmap to run port scans. What syntax will attempt a half-open scan as stealthy as possible?
nmap -sS 192.168.1.0/24 -T0 The syntax nmap -sS 192.168.1.0/24 -T0 runs a SYN (half-open) scan against the subnet 192.168.1.0 (.1 through .254) in "paranoid" mode THE SYNTAX FOR BELOW ARE INCORRECT: A. nmap -sT 192.168.1.0/24 -T0 B. nmap -sX 192.168.1.0/24 -T0 C. nmap -sO 192.168.1.0/24 -T0
Which of the following commands lists the running services on a Windows machine?
sc query The built-in sc command provides all sorts of information about running services on a Windows machine.
You are concerned a machine (192.168.15.12) on the network does not seem to be sending logs to a system running syslog (192.168.15.90). Which of the following filters is the best choice to see if the system is sending messages to the syslog server?
tcp.dstport==514 && ip.dst==192.168.15.90 The port number for syslog (514) traffic is intended to be called out in tcp.dstport (the destination port), and the destination IP (192.168.15.90) is called out by ip.dst (IP destination).
Which of the following is a command-line sniffer and packet analyzer?
tcpdump Tcpdump is a well-known sniffer that has been around forever. GUI-based sniffers—like Wireshark—are all the rage, but tcpdump has survived the test of time and still has a place in your toolset.
Which of the following methods correctly performs banner grabbing on a Windows system?
telnet <IPAddress> 80 Telnetting to port 80 will generally pull a banner from a web server. You can telnet to any port you want to check, for that matter, and ideally pull a port; however, port 80 just seems to be the one used on the exam the most.