Exam 1 Practice
Penetration tests and exploit attempts are similar in many ways. Discuss three specific differences between a penetration test and an exploit/attack.
1. Pen tests are not malicious: the goal is to improve the target's security, not to cause harm or profit from access. 2. Testing happens only with the written permission of the organization, inside an agreed scope and rules of engagement; an attacker needs neither. 3. The pen tester documents and reports the discovered vulnerabilities and the exploits used, so that the organization can fix them and strengthen its security posture; an attacker conceals them.
A hacker is attempting to see which IP protocols are supported by target machines or network. Which NMAP switch would the hacker use? A. -sP B. -sS C. -sU D. -sO
D. -sO (the IP protocol scan sends raw IP packets with different protocol numbers and reads the ICMP protocol-unreachable replies to learn which protocols the host supports; -sP was the old name of the ping scan, now -sn, -sS is a TCP SYN scan and -sU a UDP port scan.)
A security engineer is attempting to perform scanning on a company's internal network to verify security policies of their networks. The engineer uses the following NMAP command: nmap -Pn -sT -p 80 ***.***.**.** What type of scan is this? A. Connect scan B. Idle scan C. Stealth scan D. Xmas scan
A. Connect scan
Which NMAP command combination would let a tester scan every TCP port from a class C network that is blocking ICMP with fingerprinting and service detection? A. NMAP -PO -A -O -p1-65535 192.168.0/24 B. NMAP -Pn -A -O -sS 192.168.2.0/24 C. NMAP -PO -A -sT -p0-65535 192.168.0/16 D. NMAP -Pn -O -sS -p 1-1024 192.168.0/8
A. NMAP -PO -A -O -p1-65535 192.168.0/24 (read -PO as -P0, zero, the older spelling of -Pn: skip host discovery because ICMP is blocked. Only A scans every TCP port with -p1-65535; -A already turns on OS fingerprinting and service detection, so -O is redundant but harmless. B and D scan only nmap's default or the first 1024 ports, and C targets a /16, not a class C network.)
While testing a server for a firm, you find a severe vulnerability that you know can be easily fixed with a patch from the vendor. You have already gained the administrator access to the machine in question. The vulnerability is outside the scope of your original test. You should: A. Notify the company of the vulnerability, even though it's outside your scope. B. Not notify the company of the vulnerability, because it's outside your scope. C. Fix the vulnerability by downloading the patch and installing it. D. Notify your colleagues so that they can have a laugh about the absurd security at the firm you're testing.
A. Notify the company of the vulnerability, even though it's outside your scope.
Passive reconnaissance involves collecting information through which of the following? A. Publicly accessible sources B. Social engineering C. Traceroute analysis D. Email tracking
A. Publicly accessible sources
Which of the following utilities uses the ICMP protocol and the Time to Live (TTL) field of the IP header to find the path to the target host in the network? A. Traceroute B. WhoIs C. DNS Lookup D. OphCrack
A. Traceroute
Social engineering may be a part of a penetration test, if the scope calls for it. A. True B. False
A. True
A computer science student needs to fill some information into a password protected Adobe PDF job application that was received from a prospective employer. Instead of requesting the password, the student decides to write a script that pulls passwords from a list of commonly used passwords to try against the secured PDF until the correct password is found or the list is exhausted. Identify the type of password attack. A. Man-in-the-middle attack B. Dictionary attack C. Brute-force attack D. Session hijacking
B. Dictionary attack
Which of the following terms denotes a penetration test in which the pen tester is given no prior knowledge of the infrastructure and the network defense team is not made aware of the testing? A. Blind testing B. Double blind testing C. Grey box testing D. White box testing
B. Double blind testing
A cloud or hosted service can be penetration tested without any additional permissions, as long as the firm commissioning the penetration test gives permission. A. True B. False
B. False
It is ethically acceptable to install password-less backdoors on client systems during a penetration test solely for the purpose of allowing yourself easier access during the penetration test. (e.g., you are using them ONLY during the time of the test, not after). A. True B. False
B. False
Reporting is an optional step in a typical penetration testing procedure. A. True B. False
B. False
You are newly hired at a penetration testing firm. Your boss gives you new business cards, stating you are EC-Council certified as a Certified Ethical Hacker. You tell your boss that you don't have the certification and are told that the rest of the firm is certified, and so you can consider yourself certified. This is an acceptable ethical reasoning for you to accept the business cards. A. True B. False
B. False
What is the correct order of steps in the system hacking cycle? A. Covering Tracks -> Hiding Files -> Escalating -> Privileges -> Executing Applications -> Gaining Access B. Gaining Access -> Escalating Privileges -> Executing Applications -> Hiding Files -> Covering Tracks C. Executing Applications -> Gaining Access -> Covering Tracks -> Escalating Privileges -> Hiding Files D. Escalating Privileges -> Gaining Access -> Executing Applications -> Covering Tracks -> Hiding Files
B. Gaining Access -> Escalating Privileges -> Executing Applications -> Hiding Files -> Covering Tracks
Which of the following protocols is responsible for accessing distributed directories and access information such as valid usernames, addresses, departmental details, and so on? A. DNS B. LDAP C. NTP D. SMTP
B. LDAP
Company X is running an application with debug mode enabled on one of its systems. Under which category of vulnerabilities can this flaw be classified? A. Design Flaws B. Misconfiguration C. Operating System Flaws D. Unpatched servers
B. Misconfiguration
Which results will be returned with the following Google search query? site:target.com -site:Marketing.target.com accounting A. Results matching all words in the query B. Results matching "accounting" in domain target.com but not on the site Marketing.target.com C. Results from matches on the site marketing.target.com that are in the domain target.com but do not include the word accounting D. Results for matches on target.com and Marketing.target.com that include the word "accounting"
B. Results matching "accounting" in domain target.com but not on the site Marketing.target.com
A consultant is hired to do a physical penetration test at a large financial company. On the first day of his assessment, the consultant goes to the company's building dressed as an electrician and waits in the lobby for an employee to pass through the main access gate, and then the consultant follows the employee behind to get into the restricted area. Which type of attack did the consultant perform? A. Mantrap B. Tailgating C. Shoulder surfing D. Social engineering
B. Tailgating
DLL Hijacking is possible in Windows for privilege execution because A. DLLs are shared libraries, and sharing resources can be a vulnerability B. Windows searches the current directory for the DLL when the application specifies one C. DLLs typically have bugs that are not fixed readily D. Windows uses the Library path to find the DLL which could be exploited by attacker
B. Windows searches the current directory for the DLL when the application specifies one (more precisely: when an application loads a DLL by name rather than by full path, Windows walks a fixed search order, application directory, system directories, current directory, then PATH. If the attacker can write to a directory that is searched before the one holding the legitimate DLL, the planted DLL is loaded and runs with the privileges of the application.)
What results will the following command yield? nmap -sS -O -p 123-153 192.168.100.3 A. A stealth scan, opening port 123 and 153. B. A stealth scan, checking open ports 123 to 153. C. A stealth scan, determine operating system, and scanning ports 123 to 153. D. A stealth scan, checking all open ports excluding ports 123 to 153.
C. A stealth scan, determine operating system, and scanning ports 123 to 153.
Which of the following statements correctly defines a zero-day attack? A. An attack that exploits vulnerabilities after the software developer releases a patch for the vulnerability. B. An attack that could not exploit vulnerabilities even though the software developer has not released a patch. C. An attack that exploits vulnerabilities before the software developer releases a patch for the vulnerability. D. An attack that exploits an application even if there are zero vulnerabilities.
C. An attack that exploits vulnerabilities before the software developer releases a patch for the vulnerability.
You are penetration testing a firm which you have previously tested. The company has acquired a new firm based in Japan and would like you to test the systems of the new acquisition. You have previously only tested firms within the US. You should: A. Accept the work, you've already tested for this firm before. B. Notify the firm that you've never tested in Japan before, but that you'd be happy to accept the work. C. Consult your legal counsel to determine what is legally allowed in Japan. D. Do all the penetration testing remotely from the US to Japan, since penetration tests fall under the jurisdiction of the originating company.
C. Consult your legal counsel to determine what is legally allowed in Japan.
Which of the following built-in SMTP commands tells the actual delivery addresses of aliases and mailing lists? A. VRFY B. RCPT TO C. EXPN D. PSINFO
C. EXPN
A pen tester was hired to perform penetration testing on an organization. The tester was asked to perform passive footprinting on the target organization. Which of the following techniques comes under passive footprinting? A. Performing traceroute analysis B. Performing social engineering C. Finding the top-level domains (TLDs) and sub-domains of a target through web services D. Querying published name servers of the target
C. Finding the top-level domains (TLDs) and sub-domains of a target through web services
Which of the following tools will scan a network to perform vulnerability checks and compliance auditing? A. Hping B. Metasploit C. Nessus/Tenable D. OpenSSL
C. Nessus/Tenable
You are working on a penetration test assignment and come across an employee who has a text file containing the employee's personal information including name, SSN and credit card numbers. To whom may you transfer this information? A. The employee's direct supervisor B. No one C. The CISO, CIO, or other C-level executive D. The highest bidder
C. The CISO, CIO, or other C-level executive (in practice the engagement's designated point of contact named in the rules of engagement; report that the file exists and where, rather than copying or retaining the data itself.)
How does the SAM database in Windows operating system store the user accounts and passwords? A. The operating system stores the passwords in a secret file that users cannot find. B. The operating system uses key distribution center (KDC) for storing all user passwords. C. The operating system stores all passwords in a protected segment of volatile memory. D. The operating system performs a one-way hash of the password
D. The operating system performs a one-way hash of the password (LM and/or NT hashes, kept in the SAM registry hive on disk, which is why attackers dump the SAM and SYSTEM hives to recover and crack them. The SAM is not held in volatile memory, and the KDC is a Kerberos component, not the local password store.)
While performing a UDP scan of a subnet, you receive an ICMP reply of Type 3/Code 3 (Destination unreachable/Port unreachable) for all the probes you have sent out. What is the most likely cause of this? A. The firewall is dropping the packets. B. UDP port is filtered C. UDP port is closed. D. The host does not respond to ICMP packets.
C. UDP port is closed. (nmap -sU reports a port closed on ICMP type 3 code 3; other type 3 codes such as 1, 2, 9, 10 and 13 are reported as filtered, a UDP reply means open, and no response at all means open|filtered.)
Which of the following Windows utilities allows an attacker to perform NetBIOS enumeration? A. GetRequest B. SetRequest C. nbtstat D. ntpdate
C. nbtstat
Briefly explain how automating vulnerability identification with Common Vulnerabilities and Exposures (CVE), the Common Vulnerability Scoring System (CVSS), Common Configuration Enumeration (CCE) etc. allows vulnerability scanners to efficiently discover open vulnerabilities.
CVE gives each publicly known vulnerability a unique identifier, so that scanner vendors, software vendors and IT organizations all refer to the same flaw. Vulnerability databases such as the MITRE CVE list and NIST's NVD carry those identifiers together with the affected product and version information that a scanner's plugins match against the software versions it fingerprints; that is how a scanner turns a service banner or an installed-package list into a list of open CVEs. CCE does the same for configuration settings and policy baselines (for example a password-policy value or a service setting), so a scanner can check a host's configuration against a benchmark and report each misconfiguration by identifier. Finally, NVD attaches a CVSS base score to each CVE, so the findings can be ranked by severity and exploitability and remediation effort goes first to the vulnerabilities that matter most.
Which of the following regional internet registries (RIRs) provides services related to the technical coordination and management of Internet number resources in Canada, the United States, and many Caribbean and North Atlantic islands? A. AFRINIC B. APNIC C. LACNIC D. ARIN
D. ARIN
What can enumeration of a single computer system discover? A. Services B. User accounts C. Shares D. All the above
D. All the above
You are performing a port scan with Nmap. You are in a hurry and conducting the scans at the fastest possible speed. However, you don't want to sacrifice reliability for speed. If stealth is not an issue, what type of scan should you run to get very reliable results? A. Stealth scan B. XMAS scan C. Fragmented packet scan D. Connect scan
D. Connect scan
Which of the following is NOT an objective of network scanning? A. Discover the network's live hosts B. Discover the ports open C. Discover the services running D. Discover usernames and passwords
D. Discover usernames and passwords
Which of the following enumeration techniques is used by a network administrator to replicate domain name system (DNS) data across many DNS servers, or to backup DNS files? A. Extract usernames using email IDs B. Extract information using default passwords C. Brute force Active Directory D. Extract information using DNS Zone Transfer
D. Extract information using DNS Zone Transfer
How can rainbow tables be defeated? A. Use of non-dictionary words B. All uppercase character passwords C. Lockout accounts under brute force password cracking attempts D. Password salting
D. Password salting
What is the best defense against a privilege escalation vulnerability? A. Never place executables in write-protected directories. B. Never perform debugging using bounds checkers and stress tests and increase the amount of code that runs with privilege. C. Review user roles and administrator privileges for maximum utilization of automation services. D. Run services with least privileged accounts and implement multifactor authentication and authorization.
D. Run services with least privileged accounts and implement multifactor authentication and authorization.
You are doing a research on SQL injection attacks. Which of the following combination of Google operators will you use to find all Wikipedia pages that contain information about SQL, injection attacks or SQL injection techniques? A. site:Wikipedia.org intitle:"SQL Injection" B. allinurl: Wikipedia.org intitle:"SQL Injection" C. site:Wikipedia.org inurl:"SQL Injection" D. SQL injection site:Wikipedia.org
D. SQL injection site:Wikipedia.org
Which of the following is an active reconnaissance technique? A. Collecting information about a target from search engines B. Performing dumpster diving C. Collecting contact information from yellow pages D. Scanning a system by using tools to detect open ports
D. Scanning a system by using tools to detect open ports
Sean works as a penetration tester in ABC firm. He was asked to gather information about the target company. Sean begins with social engineering by following the steps: ● Secretly observes the target to gain critical information ● Looks at employee's password or PIN code with the help of binoculars or a low-power telescope Based on the above description, identify the social engineering technique. A. Dumpster diving B. Phishing C. Tailgating D. Shoulder surfing
D. Shoulder surfing
Which initial procedure should an ethical hacker perform after being brought into an organization? A. Begin security testing. B. Turn over deliverables C. Assess what the organization is trying to protect D. Sign a formal contract with a non-disclosure clause or agreement
D. Sign a formal contract with a non-disclosure clause or agreement
You need to do an ethical hack for BAYAREA Company, and the manager says that you need to obtain the password of the root account of the main server to hire you. You are in possession of a rainbow table, what else do you need to obtain the password of the root? A. Do a vulnerability assessment B. Inject an SQL script into the database C. Perform a network recognition D. The hash of the root password
D. The hash of the root password
Which of the following business challenges could be solved by using a vulnerability scanner? A. Auditors want to discover if all systems are following a standard naming convention. B. A web server was compromised, and management needs to know if any further systems were compromised. C. There is an urgent need to remove administrator access from multiple machines for an employee who quit. D. There is a monthly requirement to test corporate compliance with host application usage and security policies.
D. There is a monthly requirement to test corporate compliance with host application usage and security policies.
An NMAP scan of a server shows port 69 is open. What risk could this pose? A. Weak SSL version B. Cleartext login C. Web portal data leak D. Unauthenticated access
D. Unauthenticated access (port 69 is TFTP, which has no authentication at all, so anyone who can reach it can read, and often write, whatever files the server exposes.)
As a pen-tester, you are hired to do a black box testing of organization X. Outline three fingerprinting methods to learn about IT systems that are in the organization's network.
DNS fingerprinting - public DNS can be queried (dig, nslookup, host) for the organization's records: A/AAAA, MX, NS and TXT entries reveal hosts, mail providers and third-party services in use.
Website fingerprinting - internet-wide search engines such as Netcraft, Censys and Shodan report the services hosted by the organization, its sub-domains, TLS certificates and server operating systems without sending a packet to the target.
People search - corporate social networks such as LinkedIn and people search services such as Pipl reveal employees belonging to the organization and their e-mail addresses. Very often the e-mail address is also the user's login ID in the organization's IT systems, which makes this list useful for later password attacks.
What is a privilege escalation attack? Give an example of a technique that allows an attacker to escalate privilege.
A privilege escalation attack takes a foothold with limited rights and turns it into higher rights: vertical escalation moves from an ordinary user to an administrator, SYSTEM or root; horizontal escalation moves to another user's rights at the same level. It exploits a flaw or a misconfiguration rather than an intended feature. Windows examples are DLL hijacking (an application loads a DLL by name, and a writable directory earlier in the DLL search order lets the attacker plant a malicious DLL that runs with the application's privileges), access token manipulation, application shimming, and path interception (an unquoted service path, or a writable directory on the search path of a privileged service).
What are rainbow tables? How can passwords be cracked by using rainbow tables.
A rainbow table is a precomputed time/memory trade-off for reversing unsalted hashes. Instead of storing every password with its hash, it stores chains: starting from a candidate password, the table builder alternately applies the hash function and a reduction function that maps a hash back to a candidate password, and keeps only the first and last value of each chain (a rainbow table uses a different reduction function at each step, which limits chain merges). Cracking requires that the attacker already possess the hash, for example from a dumped SAM or /etc/shadow. The attacker applies the reduction and hash functions to that hash, checks after each step whether the result matches a stored chain end, and on a match regenerates that chain from its start to find the plaintext whose hash equals the target. This only works when the hash is computed from the password alone: a per-user salt means a separate table would be needed for every salt value, which is why salting defeats rainbow tables.
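As an added example, not from the original sheet: a toy rainbow table over 4-digit PINs hashed with unsalted SHA-1 (chosen because hashlib always provides it; unsalted NT hashes from a SAM dump are the realistic target). The chain length, chain count, start-point spacing and the reduction function are my own choices for the toy; the chain-building and lookup procedure is the standard one described above, and the last lines show why a salt defeats the table.

```python
"""Toy rainbow table over 4-digit PINs (added example, not from the original sheet).

The hash is unsalted SHA-1, which hashlib always provides; the same procedure
applies to unsalted NT hashes from a SAM dump, just over a much larger space.
"""
import hashlib

N = 10_000        # password space: PINs "0000".."9999"
CHAIN_LEN = 40    # plaintexts per chain (t); the table stores only chain ends
N_CHAINS = 600    # rows kept in memory; N_CHAINS * CHAIN_LEN > N gives decent coverage


def H(pin: str, salt: str = "") -> str:
    """The hash being attacked. With salt="" it is a plain unsalted hash."""
    return hashlib.sha1((salt + pin).encode()).hexdigest()


def R(h: str, i: int) -> str:
    """Reduction function for column i: maps a hash back into the PIN space.
    A different function per column is what makes the table a *rainbow* table;
    it keeps two chains that collide in different columns from merging."""
    return "%04d" % ((int(h[:12], 16) + i) % N)


def chain(start: str) -> list:
    """Plaintexts p0..p(t-1) of the chain beginning at `start`: p(i+1) = R_i(H(p_i))."""
    pts = [start]
    for i in range(CHAIN_LEN - 1):
        pts.append(R(H(pts[-1]), i))
    return pts


def build_table() -> dict:
    """Precomputation: map each chain's end point to the start(s) that produce it.
    Intermediate values are thrown away and recomputed on demand; that is the
    time/memory trade-off."""
    table = {}
    for k in range(N_CHAINS):
        start = "%04d" % ((k * 7919) % N)   # 7919 is prime, so starts are spread out
        pts = chain(start)
        end = R(H(pts[-1]), CHAIN_LEN - 1)
        table.setdefault(end, []).append(start)
    return table


def lookup(table: dict, target_hash: str):
    """Recover the plaintext behind target_hash, or None if no chain covers it."""
    for i in range(CHAIN_LEN - 1, -1, -1):
        # Hypothesis: the target sits in column i. Walk from there to the chain end.
        y = R(target_hash, i)
        for j in range(i + 1, CHAIN_LEN):
            y = R(H(y), j)
        for start in table.get(y, []):
            # A matching end point can be a false alarm, so verify by regenerating.
            for pt in chain(start):
                if H(pt) == target_hash:
                    return pt
    return None


def coverage(table: dict) -> float:
    """Fraction of the PIN space that at least one chain passes through."""
    seen = set()
    for starts in table.values():
        for s in starts:
            seen.update(chain(s))
    return len(seen) / N


if __name__ == "__main__":
    table = build_table()
    print("rows stored: %d, coverage: %.0f%%" % (len(table), 100 * coverage(table)))
    victim = chain("0000")[13]                 # a PIN we know the table covers
    print("unsalted:", lookup(table, H(victim)), "(actual %s)" % victim)
    # Same PIN hashed with a per-user salt: the table was built for a different
    # function, so the chains never line up and nothing is recovered.
    print("salted:  ", lookup(table, H(victim, salt="x9Qz")))
```

The table stores at most N_CHAINS rows yet can reverse most of the 10,000-value space; scale the same structure to 8-character passwords and the chains become millions of steps long, which is exactly the trade-off a commercial NT-hash table makes.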
Explain how the nmap Idle scan works, and how one can infer if a port is open, closed or filtered using the idle scan.
The idle scan (nmap -sI) uses a third host, the zombie, so that the target never sees the attacker's address. It relies on the zombie being idle and on its IP stack filling the IP identification (IP ID) field from a single global counter that increments by one for every packet it sends. The attacker first probes the zombie (for example with a SYN/ACK, which elicits a RST) and records the IP ID in the reply. The attacker then sends a SYN to the target port with the zombie's address forged as the source. If the port is open, the target answers the zombie with a SYN/ACK; the zombie never started that connection, so it replies with a RST and consumes one IP ID. If the port is closed, the target sends the zombie a RST, which the zombie silently ignores; if the port is filtered, nothing comes back at all. In both of those cases the zombie sends nothing and its counter does not move. A second probe of the zombie reveals the new IP ID: an increase of 2 over the first observation means the port is open, while an increase of only 1 (the zombie's reply to the probe itself) means closed or filtered. The scan cannot distinguish closed from filtered, and any other delta means the zombie was not idle, which is why nmap repeats the probes and checks the zombie's IP ID pattern before trusting it.
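As an added example (my own model, not code from the original sheet or from nmap): the three-party exchange above written in Python, with hosts as small objects so that each packet and each IP ID change can be followed. The addresses, the initial IP ID and the port states are constructed sample data; the optional `background` traffic shows why a zombie that is not idle gives wrong or unusable answers.

```python
"""Idle scan, modelled step by step (added example; my own model, not nmap code).

Hosts are small objects; a "packet" is a dict with src, dst, TCP flags and,
for packets the zombie sends, the IP ID it used. The zombie's IP ID counter is
global and incremental, which is the precondition the real scan depends on.
"""


class Network:
    def __init__(self, hosts):
        self.hosts = {h.ip: h for h in hosts}

    def deliver(self, pkt):
        """Hand the packet to its destination; returns whatever that host sends
        straight back to the sender (the zombie's RST), else None."""
        return self.hosts[pkt["dst"]].receive(pkt, self)


class Zombie:
    def __init__(self, ip, ipid=31337):          # constructed sample values
        self.ip, self.ipid = ip, ipid

    def receive(self, pkt, net):
        if pkt["flags"] == "SA":
            # SYN/ACK for a connection it never opened -> RST, consuming an IP ID.
            self.ipid += 1
            return {"src": self.ip, "dst": pkt["src"], "flags": "R", "ipid": self.ipid}
        # An unsolicited RST (or anything else here) is silently dropped.
        return None


class Target:
    def __init__(self, ip, ports):
        self.ip, self.ports = ip, ports        # port -> "open" | "closed" | "filtered"

    def receive(self, pkt, net):
        state = self.ports.get(pkt["dport"], "closed")
        if state == "filtered":
            return None                         # a firewall drops it; no reply at all
        # The reply goes to the packet's (spoofed) source: the zombie, not the attacker.
        net.deliver({"src": self.ip, "dst": pkt["src"],
                     "flags": "SA" if state == "open" else "R"})
        return None


def probe_zombie(net, attacker_ip, zombie_ip):
    """Steps 1 and 3: SYN/ACK to the zombie; the RST it returns shows its IP ID."""
    rst = net.deliver({"src": attacker_ip, "dst": zombie_ip, "flags": "SA"})
    return rst["ipid"]


def idle_scan(net, attacker_ip, zombie_ip, target_ip, port, background=()):
    before = probe_zombie(net, attacker_ip, zombie_ip)
    # Step 2: SYN to the target with the zombie's address forged as the source.
    net.deliver({"src": zombie_ip, "dst": target_ip, "flags": "S", "dport": port})
    for pkt in background:          # other hosts talking to the zombie meanwhile
        net.deliver(pkt)
    after = probe_zombie(net, attacker_ip, zombie_ip)
    delta = after - before
    if delta == 2:
        return "open"               # zombie answered the target's SYN/ACK with a RST
    if delta == 1:
        return "closed|filtered"    # zombie only answered our own probe
    return "unreliable"             # something else used the zombie's counter: not idle


if __name__ == "__main__":
    net = Network([Zombie("10.0.0.5"),
                   Target("10.0.0.9", {22: "open", 80: "closed", 443: "filtered"})])
    for port in (22, 80, 443):
        print("port %d: %s" % (port, idle_scan(net, "10.0.0.1", "10.0.0.5", "10.0.0.9", port)))
    noise = [{"src": "10.0.0.77", "dst": "10.0.0.5", "flags": "SA"}]
    print("port 22 with a busy zombie:", idle_scan(net, "10.0.0.1", "10.0.0.5", "10.0.0.9", 22, noise))
    print("port 80 with a busy zombie:", idle_scan(net, "10.0.0.1", "10.0.0.5", "10.0.0.9", 80, noise))
```

The last line is the instructive failure: one stray packet to the zombie turns a closed port into a false "open", and the scan has no way to notice except by repeating the measurement, which is what nmap does.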
Briefly describe the type of nmap scans that can be used to evade firewalls or Intrusion Detection Systems.
To evade firewalls and IDS, nmap offers: packet fragmentation (-f, or --mtu to choose the fragment size), so a filter that inspects single packets never sees a whole TCP header; decoy scanning (-D), which interleaves probes from forged source addresses with the real one so the IDS sees many apparent scanners; source address spoofing (-S), useful only when replies are not needed or with the idle scan (-sI), which hides the attacker behind a zombie; a trusted source port such as 53 or 20 (-g/--source-port) for filters that trust it; slow timing templates (-T0/-T1), --scan-delay and --randomize-hosts to stay under rate thresholds; loose or strict source routing (--ip-options) through a path that avoids the filtering device; appended random data (--data-length) to change packet sizes; and relaying through proxies (--proxies). Fragmentation and decoys are the ones most often combined with a SYN scan (-sS).