ITN 261 - Chapter 8, ITN 261 - Chapter 9, ITN 261 Chapter 10, ITN - 261 Chapter 11, ITN 261 chapter 12, ITN 261 Chapter 13
Which command-line parameter would you use to disable name resolutions in tcpdump? 0. -n 1. -i 2. -r 3. -x
0. -n The -i flag indicates which interface you are going to listen on. The -n flag tells Wireshark to not do name resolution, leaving you with numeric values for the IP address and port number.
What is one downside to running a default tcpdump without any parameters? 0. DNS requests 1. Not enough information 2. Sequence numbers don't show 3. tcpdump won't run without additional parameters
0. DNS requests By default, tcpdump does name resolution. Not only does tcpdump look up port numbers and print their service names, it also triggers a DNS lookup. This DNS lookup is network traffic, which means that for most packets there is probably a DNS lookup request showing in the packet capture.
What would you use sslstrip for? 0. Getting plaintext traffic 1. Removing all SSL requests 2. Converting SSL to TLS 3. Converting TLS to SSL
0. Getting plaintext traffic Sslstrip is used to get plaintext traffic. It does not remove SSL requests, though it may be used to convert an HTTPS request to an HTTP request. It does not convert SSL to TLS or TLS to SSL, and there would be no particular advantage to either of those tasks.
What is the difference between a virus and ransomware? 0. Ransomware may be a virus. 1. Ransomware includes Bitcoins. 2. Ransomware is only generated in Russia. 3. A virus only runs on Windows systems.
0. Ransomware may be a virus. This is a bit of a trick question. Ransomware may be a virus, which means it is a subset of the category virus. Ransomware may ask to be paid in Bitcoins, but it doesn't include Bitcoins. Ransomware has been generated all over the world and viruses run on all operating systems.
What would a signal range for a Bluetooth device commonly be? 1. 300 ft. 2. 3,000 ft. 3. 75 ft. 4. 500 ft.
1. 300 ft. While there are Bluetooth devices that will transmit much further, a common range is about 300 feet (100 meters) for Bluetooth 4.0.
What is the policy that allows people to use their own smartphones on the enterprise network? 1. Bring your own device 2. Use your own device 3. Bring your own smart device 4. Use your own smart device
1. Bring your own device Bring your own device (BYOD) is a policy that allows employees to use their own devices on an enterprise network. This opens the door to the potential for attacks from unknown and unexpected devices. None of the other answers are real things.
In a botnet, what are the systems that tell individual bots what to do called? 1. C2 servers 2. IRC servers 3. HTTP servers 4. ISC2 servers
1. C2 servers C2 servers are command and control servers. These are servers that can be used to provide management and control of bots in a botnet. The communication may be IRC or HTTP, but not necessarily. The servers aren't called that in a botnet anyway. ISC2 servers don't exist.
What is the /etc/ettercap/etter.dns file used for? 0. Enabling firewall rules for Ettercap 1. Configuring hostnames to IP addresses 2. Setting up mail for Ettercap 3. Disabling ARP spoofing in Ettercap
1. Configuring hostnames to IP addresses The ipchains/iptables command to turn on redirection for Ettercap is done in a different file. In the etter.dns file is the mapping of hostnames to IP addresses as well as other DNS resource records.
What is the purpose of using a disassembler? 1. Converting opcodes to mnemonics 2. Converting mnemonics to opcodes 3. Translating mnemonics to operations 4. Removing the need for an assembler
1. Converting opcodes to mnemonics An executable contains a set of binary values that the CPU will interpret as operation codes (opcodes) when the program is run. These binary values won't generally mean much to people when they are bare. As a result, disassemblers are used to convert opcodes to mnemonics, which are short/abbreviated words that can let someone know what the opcode does.
What social engineering vector would you use if you wanted to gain access to a building? 1. Impersonation 2. Scarcity 3. Vishing 4. Smishing
1. Impersonation Vishing and smishing are non-kinetic approaches to social engineering. Scarcity is not a social engineering vector. Impersonation is a social engineering vector and the one used to gain unauthorized access to a facility.
Which of these tools would be most beneficial when trying to dynamically analyze malware? 0. Cutter 1. OllyDbg 2. Metasploit 3. AV-Test
1. OllyDbg When you are trying to dynamically analyze malware, a debugger is useful because it allows you to run the malware and also control its execution. OllyDbg is the only debugger in that list. Cutter does disassembly but does not allow you to run the malware and control its execution.
What would the result of a high false failure rate be? 1. People having to call security 2. Unauthorized people being allowed in 3. Forcing the use of a man trap 4. Reduction in the use of biometrics
1. People having to call security A false acceptance rate would be allowing unauthorized people in. If you are an authorized person but your biometric scanner isn't working reliably and rejects you, you may need to call security or someone else to let you into the building. Neither of the other two would be a result of a high false failure rate. They may be solutions to other problems, but not a high false failure rate.
You get a phone call from someone telling you they are from the IRS and they are sending the police to your house now to arrest you unless you provide a method of payment immediately. What tactic is the caller using? 1. Pretexting 2. Biometrics 3. Smishing 4. Rogue access
1. Pretexting Biometrics is the use of a physical attribute to provide authentication. Smishing is using short message service (SMS/texting) to gather information from people. Rogue access isn't really anything. Pretexting is coming up with a believable story that you can use when trying to perform a social engineering attack on someone.
Why might you have more endpoints shown at layer 4 than at layer 2? 0. Layer 4 multiplexes layer 2. 1. Systems may initiate multiple connections to the same host. 2. Ports are more numerous than MAC addresses. 3. The IP addresses dictate the endpoints.
1. Systems may initiate multiple connections to the same host. The number of MAC addresses can be smaller than the number of layer 3 addresses because multiple IP addresses could be associated with a single MAC address if the IP addresses are off network; the MAC address for those would be the gateway's MAC address. If a system opens multiple connections to the same system, as may happen when rendering a web page, there would be multiple port combinations for the same IP source and destination.
What does the following line mean? "Sequence number: 4361 (relative sequence number)" 1. The sequence number shown is not the real sequence number. 2. The sequence number shown has not been incremented. 3. The sequence number shown isn't long enough. 4. The sequence number shown is the acknowledgment number.
1. The sequence number shown is not the real sequence number. Wireshark presents a relative sequence number, which means the initial sequence number as far as Wireshark is concerned in presenting it to you is 1. The relative sequence number increments just as the real sequence number does. The real sequence number, which is a very large value, is hidden to make analysis easier.
What is the purpose of a packer for malware? 1. To obscure the actual program 2. To ensure that the program is all binary 3. To compile the program into a tight space 4. To remove null characters
1. To obscure the actual program All programs that have been compiled are in binary. Even scripting languages are in binary by the time they hit the processor. Packers will make a program smaller, which was initially of some value when bandwidth wasn't as ubiquitous, but a packer doesn't do any compilation. A packer does not remove null characters. A packer can, however, obscure the actual program code because the only executable function is one designed to extract and decompress the real malware.
Which of these forms of biometrics is least likely to give a high true accept rate while minimizing false reject rates? 1. Voiceprint 2. Iris scanning 3. Retinal scanning 4. Fingerprint scanning
1. Voiceprint Voiceprint identification is the least reliable of these options. As a result, it would be the most likely to give you a high false reject rate, which would lower the true accept rate.
What can you say about [TCP Segment Len: 35], as provided by Wireshark? 0. The window size has changed. 1. Wireshark has inferred this information. 2. Wireshark extracted this from one of the headers. 3. Wireshark has additional detail below.
1. Wireshark has inferred this information. Anything you see in Wireshark that is in square brackets [ ] is something Wireshark has calculated or inferred. It is not something that has been extracted directly from the packet capture. Wireshark is helping with the packet analysis.
What is an advantage of a phone call over a phishing email? 1. You are able to go into more detail with pretexting. 2. Phishing attacks are unreliable. 3. Not everyone has email but everyone has a phone. 4. Pretexting only works over the phone.
1. You are able to go into more detail with pretexting. Pretexting can work over email just as well as via a phone call. It may be more common for people to have email than a phone, especially a company-owned landline. Phishing attacks are very successful, which is why they are so commonly used. With a phone call, though, you could go into more detail and address questions or concerns as they arise. You could include additional layers that you couldn't with an email since you could never be sure if your email was read, or deleted, or caught in a filter.
Why might you have problems with sslstrip? 0. sslstrip is deprecated. 1. sslstrip doesn't work with newer versions of TLS. 2. sslstrip doesn't support TLS. 3. sslstrip only works with Ettercap.
1. sslstrip doesn't work with newer versions of TLS. Sslstrip was released in 2009 and took advantage of problems in SSL. These problems not only existed in SSL but also continued through early versions of TLS. Newer versions of TLS don't have the same issues, which means sslstrip won't work with them.
If you were to see the following command in someone's history, what would you think had happened? "msfvenom -i 5 -p windows/x64/shell_reverse_tcp -o program" 1. A poison pill was created. 2. A malicious program was generated. 3. Existing malware was encoded. 4. Metasploit was started.
2. A malicious program was generated. The program msfvenom is used to convert a payload module from Metasploit into an executable program. The malware could potentially be used as part of a poison pill, which is a type of defensive tactic, but it's hard to determine that just from the command line. While the malware is encoded as part of this process, it is not an existing piece of malware. This is not a way to start Metasploit, though msfvenom does make use of the Metasploit framework.
What would you need to do before you could perform a DNS spoof attack? 0. Set up a port span 1. Start up Wireshark 2. ARP spoof 3. Configure sslstrip
2. ARP spoof A DNS spoofing attack requires that the program can see the DNS request in order to respond to it. This means there needs to be an ARP spoof in place so Ettercap (or another tool) can get the traffic on the network to get the DNS request to respond to.
Why is bluesnarfing potentially more dangerous than bluejacking from the standpoint of the victim? 1. Bluejacking sends while bluesnarfing receives. 2. Bluejacking receives while bluesnarfing sends. 3. Bluejacking installs keyloggers. 4. Bluesnarfing installs keyloggers.
2. Bluejacking receives while bluesnarfing sends. Bluesnarfing is an attack that connects to a Bluetooth device in order to grab data from that device. Bluesnarfing sends data to the attacker. Bluejacking can be used to send information to a Bluetooth device, such as a text message. Neither of these attacks install keyloggers.
What is the web page you may be presented with when connecting to a wireless access point, especially in a public place? 1. Credential harvester 2. Captive portal 3. Wi-Fi portal 4. Authentication point
2. Captive portal The captive portal is the page that is opened when you connect to a public access point. None of the other answers are real things.
At which protocol layer does the Berkeley Packet Filter operate? 0. Internetwork 1. Transport 2. Data Link 3. Protocol
2. Data Link BPF operates at the Data Link layer. This allows filtering down to the MAC address. If BPF operated at other layers, you wouldn't get the entire set of packet headers.
What is the four-stage handshake used for? 1. Passing keys 2. Deriving keys 3. Encrypting messages 4. Initialization seeding
2. Deriving keys The four-stage handshake is used to authenticate stations against wireless networks. As part of the handshake, encryption keys are generated. Keys are derived on both sides of the transaction rather than being exchanged directly. This is handled during the four-way handshake. Keys are not passed. Messages can't be encrypted until the four-way handshake is complete and the keys are generated. There is no such thing as initialization seeding.
How would someone keep a baiting attack from being successful? 1. Disable Registry cloning. 2. Disable autorun. 3. Epoxy external ports. 4. Don't browse the Internet.
2. Disable autorun. While some people do epoxy USB ports to prevent USB sticks from being inserted, it's not a good approach and wouldn't necessarily keep a baiting attack from working if the bait is a CD-ROM. Browsing the Internet is common and no longer doing that won't protect you against baiting. Registry cloning isn't really a thing in this context. Disabling autorun would keep any malicious software from running automatically from external devices.
What program could be used to perform spoofing attacks and also supports plug-ins? 0. arpspoof 1. fragroute 2. Ettercap 3. sslstrip
2. Ettercap (ethernet capture) arpspoof and Ettercap can both be used to perform ARP spoofing. Ettercap also supports other types of spoofing attacks and plug-ins. Sslstrip is a plug-in supported in Ettercap. Fragroute is a program that does something completely different.
What is the purpose of a deauthentication attack? 1. Disabling stations 2. Forcing stations to reauthenticate 3. Reducing the number of steps in the handshake 4. Downgrading encryption
2. Forcing stations to reauthenticate The purpose of a deauthentication attack is to force stations to reauthenticate. This allows the attacker to collect information from the authentication and handshake. This information could be used later to potentially derive the key, as in WEP transmissions. A deauthentication attack doesn't disable stations. There is no way to reduce the number of steps in a handshake, and downgrading encryption is considerably harder, if it's possible at all.
How many stages are used in the WPA handshake? 1. Two 2. Four 3. Three 4. One
2. Four There are four stages used in a WPA handshake. This four-stage process is used to derive the key and agree on capabilities.
What do we call an ARP response without a corresponding ARP request? 0. Is-at response 1. Who-has ARP 2. Gratuitous ARP 3. IP response
2. Gratuitous ARP When an ARP response is sent without a corresponding ARP request, it's an unexpected or unnecessary message. This makes it a gratuitous ARP.
If you wanted a tool that could help with both static and dynamic analysis of malware, which would you choose? 1. Cutter 2. IDA 3. PE Explorer 4. MalAlyzer
2. IDA (Interactive Disassembler) You need a tool that can perform disassembly if you are doing static analysis. Dynamic analysis can make use of disassembled executables, but the tool would need to also be able to execute the code. IDA is the only tool there that does both disassembly and execution. Cutter only does disassembly. PE Explorer does neither, and MalAlyzer doesn't exist.
Why would someone use a Trojan? 0. It acts as malware infrastructure. 1. It evades antivirus. 2. It pretends to be something else. 3. It's polymorphic.
2. It pretends to be something else. A Trojan, also called a Trojan horse, appears to be one thing but is, in fact, another. It can fool users into running the malware because they are expecting something else. A Trojan can't evade antivirus if there is a signature that matches the executable. It doesn't act as malware infrastructure, and while it may be polymorphic, that wouldn't be why someone used a Trojan.
What would you use a bluebugging attack for? 1. Identifying Bluetooth devices nearby 2. Listening to a physical space 3. Enabling a phone's camera 4. Gathering data from a target system
2. Listening to a physical space A bluebugging attack is used to gain access to a smartphone in order to initiate a call out to the attacker's phone. This allows the attacker to listen to anything happening around the phone owner. Scanning is used to identify Bluetooth devices nearby. There is no particular attack used to enable a phone's camera. Gathering data from a target device or system is bluesnarfing.
What could you use to generate your own malware? 1. Empire 2. Metasploit 3. Rcconsole 4. IDA Pro
2. Metasploit Metasploit can be used to generate your own malware from one of the payload modules. Empire is another exploitation framework built around PowerShell. IDA Pro is a debugger and Rcconsole doesn't exist.
What mode has to be enabled on a network interface to allow all headers in wireless traffic to be captured? 1. Promiscuous 2. Monitor 3. Radio 4. Wireless LAN
2. Monitor Promiscuous mode is used on network interfaces to collect frames that are not destined for the network interface. This is insufficient on a wireless network because the radio headers are not captured. To capture radio headers, monitor mode needs to be enabled in addition to the promiscuous mode that will always be set to get all frames and all information from the frame. Only monitor mode gives the radio headers.
What types of authentication are allowed in a WPA-encrypted network? 1. Handshake and personal 2. Personal and enterprise 3. Enterprise and handshake 4. 802.11 and personal
2. Personal and enterprise WPA supports both Personal and Enterprise authentication. Personal authentication makes use of a pre-shared key, while Enterprise authentication uses usernames and passwords to authenticate specific users, providing accounting and access control, meaning we know exactly who has connected to the network.
Which functionality in Wireshark will provide you with percentages for every protocol in the packet capture, ordered by protocol layers? 0. Conversations 1. Endpoints 2. Protocol hierarchy 3. Statistics view
2. Protocol hierarchy While conversations and endpoints are statistics you can get from Wireshark, the protocol hierarchy view shows a layered look at all the protocols in the capture, showing percentages for all of the protocols.
What would be one reason not to write malware in Python? 1. Python interpreter is slow. 2. Python interpreter may not be available. 3. Library support is inadequate. 4. Python is a hard language to learn.
2. Python interpreter may not be available. Python interpreters may be considered slower to execute than a compiled program, but the difference is negligible and speed of execution generally isn't much of a concern when it comes to malware. Python is not a hard language to learn, and there are a lot of community-developed libraries. One challenge, though, is that you may need a Python interpreter unless you go through the step of getting a Python compiler and compiling your script. Windows systems wouldn't commonly have a Python interpreter installed.
Why would you use automated tools for social engineering attacks? 1. Better control over outcomes 2. Reduce complexity 3. Implement social proof 4. Demonstrate authority
2. Reduce complexity It's debatable whether you get better control over outcomes executing your attacks manually. You would not be implementing social proof or demonstrating authority using an automated attack any more than if you did it manually. You would be reducing complexity, though, since doing it manually means you would be setting up and controlling multiple moving pieces. This gets to be complex, and the attack would fail if you didn't get it just right.
You've received a text message from an unknown number that is only five digits long. It doesn't have any text, just a URL. What might this be an example of? 1. Vishing 2. Smishing 3. Phishing 4. Impersonation
2. Smishing Smishing is short message phishing, which means someone is sending a text message, attempting to fraudulently gather information. Vishing is a phone call (voice). Phishing can be an overall term but commonly refers to email. Impersonation is more of a physical approach.
Which of the social engineering principles is in use when you see a line of people at a vendor booth at a security conference waiting to grab free USB sticks and CDs? 1. Reciprocity 2. Social proof 3. Authority 4. Scarcity
2. Social proof Social proof is in use when it appears to be okay to engage in a behavior because you see others engaging in it. When people see a line of others waiting to grab USB sticks, in spite of knowing they shouldn't trust USB sticks, they may be inclined to lower their defenses. There is no reciprocity or authority here. There may eventually be scarcity, but that's not what would drive people to stand in line to acquire a potentially dangerous item.
How does an evil twin attack work? 1. Phishing users for credentials 2. Spoofing an SSID 3. Changing an SSID 4. Injecting four-way handshakes
2. Spoofing an SSID An evil twin attack uses an access point masquerading as the point of connection for stations trying to connect to a legitimate wireless network. Stations reach out to make connections to this access point masquerading as another access point. While you may phish for credentials as part of an evil twin attack, credential phishing is not how evil twin attacks work. SSIDs don't get changed as part of an evil twin attack, meaning no SSID that exists will become another SSID. Injecting four-way handshakes won't do much, since four-way assumes both ends are communicating, so the injection of a full communication stream will get ignored.
What problem does port spanning overcome? 0. Switches don't support layer 3. 1. Switches aggregate ports. 2. Switches filter traffic. 3. Switches are unreliable.
2. Switches filter traffic. Switches filter traffic by only sending traffic destined for the MAC address associated with the port to which the system that owns the MAC address is attached. Switches are reliable. They don't support layer 3 as switches, though there are such things as multilayer switches that include routing functionality. Either way, that's not something that port spanning overcomes. Switches may aggregate ports, but port spanning doesn't have anything to do with that.
Why would you use an encoder when you are creating malware using Metasploit? 1. To compile the malware 2. To evade antivirus 3. To evade user detection 4. To compress the malware
2. To evade antivirus An encoder is used to alter the look of an executable file. This alteration is done in order to prevent the antivirus program from recognizing the executable as malware. It doesn't compile the malware and doesn't evade user detection. A packer would be used to compress malware.
Why would you use wireless social engineering? 1. To send phishing messages 2. To gather credentials 3. To get email addresses 4. To make phone calls
2. To gather credentials Especially in enterprises, there is generally some authentication that happens. This could be in the form of a pre-shared key or a username/password combination. Either way, when you are using social engineering of wireless networks, you are probably attempting to gather credentials to gain access to sites. It's unlikely you'd use this vector for sending phishing messages or getting email addresses, and it wouldn't be used to make phone calls.
What is the primary difference between a worm and a virus? 1. A worm uses polymorphic code. 2. A virus uses polymorphic code. 3. A worm can self-propagate. 4. A virus can self-propagate.
3. A worm can self-propagate. Both worms and viruses could be written to use polymorphic code, which means they could modify what they look like as they propagate. A worm, though, could self-propagate. It's the one distinction between worms and viruses. Viruses require some intervention on the part of the user to propagate and execute.
Which of these would be an example of pretexting? 1. Web page asking for credentials 2. A cloned badge 3. An email from a former co-worker 4. Rogue wireless access point
3. An email from a former co-worker If you sent an email posing as a former co-worker, you could be implementing a couple of different social engineering principles. Because you have a story and a means to collect information fraudulently, you are using pretexting. The other attacks are also social engineering, but they are not pretexting.
What is the primary purpose of polymorphic code for malware programs? 1. Efficiency of execution 2. Propagation of the malware 3. Antivirus evasion 4. Faster compilation
3. Antivirus evasion Polymorphic means many bodies, which means it has multiple looks. When a program has multiple looks, it can cause antivirus programs to misidentify it. Polymorphic code rewrites the program when it is copied or moved from one system or location to another. It isn't more efficient and doesn't help with propagation, though it could be part of the propagation process. It also doesn't speed compilation.
Which hardware vendor uses the term SPAN on switches? 1. HP 2. 3COM 3. Cisco 4. Juniper
3. Cisco Different vendors use different terms to refer to port mirroring. Cisco uses the term Switch Port Analyzer (SPAN), which leads to the process sometimes being called port spanning.
What does the malware that is referred to as a dropper do? 1. Drops antivirus operations 2. Drops CPU protections against malicious execution 3. Drops files that may be more malware 4. Drops the malware into the Recycle Bin
3. Drops files that may be more malware A dropper downloads (drops) additional files, which may be malware. It doesn't do any of the things mentioned in the other options.
What would you use Cuckoo Sandbox for? 1. Static analysis of malware 2. Malware development 3. Dynamic analysis of malware 4. Manual analysis of malware
3. Dynamic analysis of malware Cuckoo Sandbox is a set of programs and infrastructure used to run malware and identify changes to the system that result. This means it is used for dynamic analysis of malware, not for static analysis. Because it's automated, it's not manual. Also, it's used for analysis, not development.
Which of these would be a reason why it is best for communications to originate from inside the infected network? 0. Antivirus 1. Virtual machines 2. Intrusion detection 3. Firewall
3. Firewall The firewall may block inbound communications, which is why it's better for the communication to originate from the inside. Either direction could be caught by intrusion detection. Virtual machines don't factor in here, and antivirus could catch the malware regardless of which direction the traffic is going, since antivirus uses the executable file rather than the communication stream for detection.
What is the SSID used for? 1. Encrypting messages 2. Providing a MAC address 3. Identifying a network 4. Seeding a key
3. Identifying a network The service set identifier (SSID) is used to identify a network. It is the name of the network you would select when you were trying to connect to a network. The SSID is not the MAC address, and it has nothing to do with keys or encryption.
What is the purpose of performing a Bluetooth scan? 1. Identifying open ports 2. Identifying available profiles 3. Identifying endpoints 4. Identifying vendors
3. Identifying endpoints Bluetooth doesn't use ports. While profiles are important, you get the profile capabilities during the pairing process. Just performing a scan won't get you a list of supported profiles. While you should be able to identify vendors as part of the process of running a Bluetooth scan, it's not the purpose of the scan. The purpose is to identify endpoints and their associated addresses so you can run other attacks on them.
What part of the encryption process was weak in WEP? 1. Keying 2. Diffie-Hellman 3. Initialization vector 4. Seeding vector
3. Initialization vector The initialization vector is a random value that seeds the key used for encryption and decryption. In WEP, the algorithm specified for the initialization vector yielded non-random, predictable values. While the initialization vector is part of keying, it's not the keying itself that was weak. Seeding vector is not a real thing, and Diffie-Hellman is a process used to derive and exchange keys securely. It's not part of WEP.
Which form of biometrics scans a pattern in the area of the eye around the pupil? 1. Retinal scanning 2. Fingerprint scanning 3. Iris scanning 4. Uvea scanning
3. Iris scanning While the retina and the uvea are also parts of the eye, neither of them encloses the pupil, so neither is the pattern scanned as a means of identification here. Fingerprints are not part of the eye.
What wireless attack would you use to take a known piece of information in order to be able to decrypt wireless traffic? 1. Sniffing 2. Deauthentication 3. Key reinstallation 4. Evil twin
3. Key reinstallation Sniffing can be used to collect information that may be needed to launch wireless attacks. A deauthentication attack can be used to force a station to generate traffic. An evil twin attack uses a rogue access point to pretend to be a legitimate network. In order to decrypt network traffic, you would need the key. One way to get the key is to reuse information from network traffic that generated a known key. This is a key reinstallation attack.
You are working on a red-team engagement. Your team leader has asked you to use baiting as a way to get in. What are you being asked to do? 1. Make phone calls 2. Clone a website 3. Leave USB sticks around 4. Spoof an RFID ID
3. Leave USB sticks around Baiting is leaving a lure out in order to gather targets. You could use USB sticks or CDs around as bait if they had software on them that would run and "infect" the target system in a way that would give you control over them. While all of the other options are related to social engineering, none of them is called baiting.
What tool could you use to generate email attacks as well as wireless attacks? 1. Meterpreter 2. wifiphisher 3. SE Toolkit 4. Social Automator
3. SE Toolkit You may end up with a Meterpreter interface to a remote system, but it wouldn't be used to generate the attacks. wifiphisher is only used for Wi-Fi-based attacks and Social Automator doesn't exist. The Social-Engineer Toolkit (SE Toolkit) could be used to automate email attacks as well as wireless attacks.
What is one advantage of static analysis over dynamic analysis of malware? 1. Malware is guaranteed to deploy. 2. Dynamic analysis is untrustworthy. 3. Static analysis limits your exposure to infection. 4. Static analysis can be run in virtual machines.
3. Static analysis limits your exposure to infection. Static analysis is looking at the properties of the executable file and evaluating the assembly language code without running the program. This will limit your exposure to infection, because if you do it right you aren't running the program, which would infect you. Dynamic analysis is trustworthy, and malware can't deploy if you don't run it. Dynamic analysis is commonly done in virtual machines.
If you saw the following command line, what would you be capturing? tcpdump -i eth2 host 192.168.10.5 1. Traffic just from 192.168.10.5 2. Traffic to and from 192.168.10.5 3. Traffic just to 192.168.10.5 4. All traffic other than from 192.168.86.5
2. Traffic to and from 192.168.10.5 The expression host 192.168.10.5 is a BPF filter telling tcpdump to capture only packets whose source or destination address is 192.168.10.5. To capture just one direction, qualify it as src host 192.168.10.5 or dst host 192.168.10.5 (the BPF keyword is dst, not dest).
What method might you use to successfully get malware onto a mobile device? 1. Using the Apple Store or Google Play store 2. Using external storage on an Android 3. Using a third-party app store 4. Jailbreaking
3. Using a third-party app store The Apple App Store and the Google Play Store are controlled by Apple and Google. It's not impossible to get malware onto mobile devices through them, but it's very difficult because apps get run through a vetting process. While some Android devices will support external storage, it's not an effective way to get malware onto a smartphone or other mobile device. Jailbreaking can lead to malware being installed, but it's not the means to get malware onto a mobile device. Third-party app stores can be a good means to get malware onto mobile devices because some third-party app stores don't vet apps that are submitted.
What tool would allow you to run an evil twin attack? 1. Wireshark 2. Ettercap 3. Wifiphisher 4. Aircrack-ng
3. Wifiphisher Wireshark is used to capture packets/frames from a network. Ettercap is used for spoofing attacks. The program aircrack-ng can be used to crack wireless keys. Wifiphisher, though, can be used to set up an evil twin attack.
Which program would you use if you wanted to only print specific fields from the captured packet? 0. fielddump 1. tcpdump 2. wiredump 3. tshark
3. tshark While tcpdump and tshark can both be used to capture packets, tshark lets you select which fields to output with -T fields -e <field> (for example, tshark -r capture.pcap -T fields -e ip.src -e tcp.srcport). The other two options don't exist.
What tool could you use to clone a website? 1. httclone 2. curl-get 3. wget 4. wclone
3. wget wget is the only one of these options that is a legitimate program, and it can be used to clone a website: wget --mirror --convert-links <url> recursively downloads the site and rewrites its links so the copy can be browsed locally.
In the following packet, what port is the source port? 20:45:55.272087 IP yazpistachio.lan.62882 > loft.lan.afs3-fileserver: Flags [P.], seq 915235445:915235528, ack 3437317287, win 2048, options [nop,nop,TS val 1310611430 ecr 1794010423], length 83 1. lan 2. fileserver 3. yazpistachio 4. 62882
4. 62882 tcpdump prints each address as hostname-or-IP.port, with the port after the last dot. Addresses are printed source > destination, so yazpistachio.lan is the source hostname and 62882 is the source port. The destination port appears as the service name afs3-fileserver rather than a number because name resolution was not disabled with -n.
What tool could you use to enable sniffing on your wireless network to acquire all headers? 1. Ettercap 2. Tcpdump 3. Aircrack-ng 4. Airmon-ng
4. Airmon-ng Tcpdump captures frames/packets from an interface, and Ettercap is used for captures and spoofing attacks, but neither is the tool you use to enable monitor mode. Without monitor mode the driver hands up only Ethernet-style frames for the network you are associated with, with no 802.11 management frames and no radio (radiotap) headers. The aircrack-ng package includes airmon-ng, which turns on monitor mode on a wireless interface (airmon-ng start wlan0); after that, tcpdump or airodump-ng can capture every frame in range along with its radio headers. The program aircrack-ng itself cracks keys and cannot enable monitor mode.
Which social engineering principle may allow a phony call from the help desk to be effective? 1. Social proof 2. Imitation 3. Scarcity 4. Authority
4. Authority While you might be imitating someone, imitation is not a social engineering principle. Neither social proof nor scarcity are at play in this situation. However, if you are calling from the help desk, you may be considered to be in a position of authority.
What attack can a proximity card be susceptible to? 1. Tailgating 2. Phishing 3. Credential theft 4. Cloning
4. Cloning A proximity card could enable tailgating, but it's not the only thing—a key could enable tailgating as well. Technically, it's not the card that allows tailgating anyway. It's the way the doors are configured and implemented. Phishing is unrelated, and technically, credential theft is as well. Proximity cards, particularly if they use RFID tags, are susceptible to cloning.
What statistic are you more likely to be concerned about when thinking about implementing biometrics? 1. False positive rate 2. False negative rate 3. False failure rate 4. False acceptance rate
4. False acceptance rate A false acceptance rate measures how often a biometric system allows unauthorized users access to a facility or area. A false failure (or reject) rate is inconvenient, and some organizations may consider that to be an issue, especially if it's very high. However, a high false accept rate is probably more concerning because you are allowing people who are really unauthorized to have access. The other two are not statistics that are measured; though they correlate to the others, they are not called false positive rate or false negative rate.
What would you use VirusTotal for? 1. Checking your system for viruses 2. Endpoint protection 3. As a repository of malware research 4. Identifying malware against antivirus engines
4. Identifying malware against antivirus engines VirusTotal runs submitted samples through dozens of antivirus engines to identify what malware they might be. VirusTotal is a website, which means it can't check your system for viruses and also can't do any endpoint protection. While VirusTotal can identify the name given to a malware sample by different antivirus solutions, to find the research associated with that malware, you would need to check with the antivirus vendor. Be aware that anything you upload is shared with the participating vendors and other subscribers, so don't submit files that may contain sensitive data, and remember that a targeted attacker can watch for their own sample showing up there.
What are the two types of wireless networks? 1. Star and ring 2. Bus and hybrid 3. Infrastructure and hybrid 4. Infrastructure and ad hoc
4. Infrastructure and ad hoc An infrastructure wireless network is one that uses an access point. An ad hoc wireless network is one organized by the participants. These are the two types of wireless networks. Star, ring, bus, and hybrid are all wired topologies.
What is a viable approach to protecting against tailgating? 1. Biometrics 2. Badge access 3. Phone verification 4. Man traps
4. Man traps Biometrics and badge access are forms of physical access control. Phone verification could possibly be used as a way of verifying identity, but it won't protect against tailgating. A man trap, however, will protect against tailgating because a man trap allows only one person in at a time.
What wouldn't you see when you capture wireless traffic that includes radio headers? 1. Capabilities 2. Probe requests 3. SSIDs 4. Network type
4. Network type Radio headers in a wireless network will provide you with the capabilities of the devices, since that's negotiated during the association process. You will also see probe requests asking what networks are in the area, including specific networks that a station knows about. These requests will include the SSID. The responses will also include the SSID. You will not get the network type in the headers.
What kind of access point is being used in an evil twin attack? 1. Infrastructure 2. Ad hoc 3. WPA 4. Rogue
4. Rogue Ad hoc and infrastructure are types of wireless networks. Only infrastructure networks use access points, but infrastructure is not a type of access point. WPA is a wireless security protocol, not a kind of access point. A rogue access point, meaning one that isn't legitimate, is used in an evil twin attack by pretending to be a legitimate access point.
What protocol is being used in the frame listed in this summary? 719 42.691135 157.240.19.26 192.168.86.26 TCP 1464 443 → 61618 [ACK] Seq=4361 Ack=1276 Win=31232 Len=1398 TSval=3725556941 TSecr=1266252437 [TCP segment of a reassembled PDU] 1. TLS 2. UDP 3. IP 4. TCP
4. TCP After the frame number, time, source IP, and destination IP is the protocol. This frame shows TCP is the protocol in use.
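The two summary lines quoted in the questions above (the tcpdump line from the source-port question and the Wireshark line from this one) can be parsed programmatically. The following Python is an added example, not part of the original quiz and not code from tcpdump or Wireshark; the record types, function names and the tcpdump-style host-filter helper are this example's own, and the sample lines are the ones quoted in the questions. It splits tcpdump's host.port addresses on the last dot (so dotted IPv4 addresses survive), reads Wireshark's default column order, and shows why host X matches both directions while src host / dst host match only one.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed samples: the two summary lines quoted in the quiz questions.
TCPDUMP_LINE = (
    "20:45:55.272087 IP yazpistachio.lan.62882 > loft.lan.afs3-fileserver: "
    "Flags [P.], seq 915235445:915235528, ack 3437317287, win 2048, "
    "options [nop,nop,TS val 1310611430 ecr 1794010423], length 83"
)
WIRESHARK_LINE = (
    "719 42.691135 157.240.19.26 192.168.86.26 TCP 1464 443 → 61618 [ACK] "
    "Seq=4361 Ack=1276 Win=31232 Len=1398 TSval=3725556941 TSecr=1266252437 "
    "[TCP segment of a reassembled PDU]"
)


@dataclass
class TcpdumpRecord:
    timestamp: str      # time of day, tcpdump's default timestamp format
    src_host: str
    src_port: str       # a number, or a service name if -n was not used
    dst_host: str
    dst_port: str
    flags: str
    length: int


@dataclass
class WiresharkRecord:
    frame: int
    time: float         # seconds since capture start (Wireshark's default)
    src: str
    dst: str
    protocol: str
    length: int
    info: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def split_endpoint(endpoint: str):
    """tcpdump prints 'host.port'; the port is everything after the last dot,
    so a dotted IPv4 address such as 192.168.10.5.80 still splits correctly."""
    host, _, port = endpoint.rpartition(".")
    return host, port


_TCPDUMP_RE = re.compile(
    r"^(?P<ts>\S+) IP6? (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\].*"
    r"\blength (?P<len>\d+)$"
)


def parse_tcpdump(line: str) -> TcpdumpRecord:
    """Parse one tcpdump TCP summary line into its endpoints, flags and length."""
    m = _TCPDUMP_RE.match(line)
    if not m:
        raise ValueError("not a tcpdump TCP summary line")
    src_host, src_port = split_endpoint(m["src"])
    dst_host, dst_port = split_endpoint(m["dst"])
    return TcpdumpRecord(m["ts"], src_host, src_port, dst_host, dst_port,
                         m["flags"], int(m["len"]))


_PORTS_RE = re.compile(r"^(?P<sport>\d+) (?:→|->) (?P<dport>\d+)")


def parse_wireshark_summary(line: str) -> WiresharkRecord:
    """Wireshark's default columns: No., Time, Source, Destination, Protocol,
    Length, Info. For TCP/UDP the Info column starts with 'sport → dport'."""
    frame, t, src, dst, proto, length, info = line.split(maxsplit=6)
    rec = WiresharkRecord(int(frame), float(t), src, dst, proto, int(length), info)
    m = _PORTS_RE.match(info)
    if m:
        rec.src_port, rec.dst_port = int(m["sport"]), int(m["dport"])
    return rec


def bpf_host_match(rec: TcpdumpRecord, host: str,
                   direction: Optional[str] = None) -> bool:
    """Mimic the BPF primitives: 'host X' matches either direction, while
    'src host X' and 'dst host X' restrict the match to one end."""
    if direction == "src":
        return rec.src_host == host
    if direction == "dst":
        return rec.dst_host == host
    if direction is not None:
        raise ValueError("direction must be 'src', 'dst' or None")
    return host in (rec.src_host, rec.dst_host)


if __name__ == "__main__":
    print(parse_tcpdump(TCPDUMP_LINE))
    print(parse_wireshark_summary(WIRESHARK_LINE))
```

Feeding real output through this requires that tcpdump was run with -n; otherwise the port field may be a service name (as afs3-fileserver is here) and the host field a resolved name rather than an address, which is exactly the name-resolution behaviour the earlier tcpdump questions warn about.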
What are two sections you would commonly find in a portable executable file? 1. Text and binary 2. Binary and data 3. Addresses and operations 4. Text and data
4. Text and data PE files have multiple sections that you may find in an executable. Two that are very common, though, are .text and .data. The .text section includes all the executable code. The .data section includes all the predefined and initialized variables. The other sections listed in other answers aren't sections of a PE file.
Which end of a client/server communication goes on the infected system if it is communicating with infrastructure? _______________
Client The malware would act as a client. The client is the end of the conversation that initiates the communication. It's better to initiate from inside the network to get through firewalls, which may block inbound communication flows.
How does a slowloris attack work? 1. Holds open connection buffers at the operating system 2. Holds open connection buffers at the web server 3. Holds open connection buffers at the Application layer 4. Holds open connection buffers for UDP
2. Holds open connection buffers at the web server Slowloris opens many HTTP connections and sends partial request headers very slowly, so the web server keeps each connection open waiting for the rest of the request until its pool of worker connections is exhausted.
The following shows a time stamp. What does the time of this message reflect? 630 41.897644 192.168.86.210 239.255.255.250 SSDP 750 NOTIFY * HTTP/1.1 [ETHERNET FRAME CHECK SEQUENCE INCORRECT] 1. The time since 1970 2. The time of day 3. The time since packet start 4. There is no time in the summary
3. The time since packet start By default, Wireshark shows a relative time since the start of the packet capture. You can change the field to show absolute time, such as the time of day or the time since 1970 (epoch time). However, that's not what is shown here.
What attack injects code into dynamically allocated memory? 1. Buffer overflow 2. Cross-site scripting 3. Heap spraying 4. Slowloris
3. Heap spraying Heap spraying fills large regions of the heap with copies of attacker-controlled data (typically a NOP sled followed by shellcode) so that a corrupted pointer is likely to land on it.
What could you use to inform a defensive strategy? 1. SIEM output 2. Attack life cycle 3. Logs 4. Intrusion detection system
2. Attack life cycle
What does a defense in breadth approach add? 1. Consideration for a broader range of attacks 2. Protection against SQL injection 3. Buffer overflow protection 4. Heap spraying protection
1. Consideration for a broader range of attacks
What element could be used to facilitate log collection, aggregation, and correlation? 1. Log manager 2. Firewall 3. IDS 4. SIEM
4. SIEM
What information does a buffer overflow intend to control? 1. Stack pointer 2. Frame pointer 3. Instruction pointer 4. Buffer pointer
3. Instruction pointer Overwriting the saved return address on the stack lets the attacker choose the value loaded into the instruction pointer when the function returns, and so where execution continues.
What is the purpose of a SYN flood? 1. Fill up connection buffers at the operating system 2. Fill up connection buffers in the web server 3. Fill up connection buffers at the Application layer 4. Fill up connection buffers for UDP
1. Fill up connection buffers at the operating system A SYN flood sends many SYNs (often with spoofed sources) without completing the handshake, filling the kernel's half-open connection backlog rather than the web server's own connection pool.
What is the target of a command injection attack? 1. Operating system 2. Web server 3. Database server 4. User
1. Operating system
What is the target of a cross-site scripting attack? 1. Web server 2. Database server 3. Third-party server 4. User
4. User
What protection could be used to prevent an SQL injection attack? 1. Buffer overflows 2. Input validation 3. XML filtering 4. Lateral movement
2. Input validation
What protocol is used for a Smurf attack? 1. DNS 2. ICMP 3. TCP 4. SMTP
2. ICMP A Smurf attack sends ICMP echo requests to a network's broadcast address with the victim's address spoofed as the source, so every host on that segment replies to the victim.
What security element would be a crucial part of a defense in depth network design? 1. Firewall 2. SIEM 3. Web application firewall 4. Log management system
1. Firewall
What technique does a slow read attack use? 1. Small HTTP header requests 2. Small HTTP body requests 3. Small HTTP POST requests 4. Small file retrieval requests
4. Small file retrieval requests In a slow read attack the client requests a resource and then reads the response very slowly, for example by advertising a tiny TCP receive window, so the server's send buffers and connection slots stay tied up.
What would be the result of sending the string AAAAAAAAAAAAAAAAA into a variable that has been allocated space for 8 bytes? 1. Heap spraying 2. SQL injection 3. Buffer overflow 4. Slowloris attack
3. Buffer overflow Seventeen bytes copied into an 8-byte buffer without a length check overwrite whatever follows the buffer in memory.
What would the Low Orbit Ion Cannon be used for? 1. SQL injection attacks 2. Log management 3. Denial of service attacks 4. Buffer overflows
3. Denial of service attacks LOIC is a simple stress-testing tool that floods a target with TCP, UDP or HTTP requests.
Which protocol is commonly used for amplification attacks? 1. TCP 2. SMTP 3. DNS 4. XML
3. DNS Small DNS queries sent to open resolvers with the victim's spoofed source address produce much larger responses, all directed at the victim.