ITN 261 - Mid-Term
Network services _________ a port to listen on it
'bind to'
Ports ________ are considered administrative and require administrator-level privilege to listen on those ports
0-1023
What financial filing is required for public companies and would provide you with the annual report?
14-A
What version of SNMP introduced encryption and user-based authentication?
3
What status code will you get if your attempt to use the VRFY command fails?
550
What is the difference between a false positive and a false negative?
A false positive indicates a finding that doesn't exist, while a false negative doesn't indicate a finding that does exist.
Which of these devices would not be considered part of the Internet of Things? A. Smartphone B. Thermostat C. Light bulb D. Set-top cable box
A. A smartphone is a general-purpose computing platform with a traditional user interface--screen and keyboard, so it isn't part of the IoT.
If you were looking for the definitive documentation on a protocol, what would you consult? A. Request for Comments B. Manual pages C. Standards D. IEEE
A. The best place to find definitive documentation about protocols seen on the Internet is in the Request for Comments (RFC) documents.
If you were looking up information about a company in New Zealand, which RIR would you be looking in for data?
APNIC
Which of the following is one factor of a defense-in-depth approach to network design?
Access control lists on routers
What is AfriNIC and what region does it represent?
Africa Network Information Center, Africa
What would you use a security information event manager for?
Aggregating and providing search for log data
What is ARIN and what region does it represent?
American Registry for Internet Numbers, Canada, the United States, and many Caribbean and North Atlantic islands. (NORTH AMERICA)
What layer has the following characteristics? Application programming interfaces User interface Direct interaction with the user from the application HTTP, SMTP are examples of protocols at this layer Protocol data unit is data
Application Layer (layer 7)
What is nmap looking at when it conducts a version scan?
Application banners
A limited version of ethical hacking where you are focused exclusively on an application - commonly a web application
Application testing
What is APNIC and what region does it represent?
Asia Pacific Network Information Center (APNIC)
Why is it important to store system logs remotely?
Attackers might delete local logs.
The DNS server where records for a domain belonging to an organization or enterprise reside is called the _________ server.
Authoritative
INFORMATION OR SYSTEMS SHOULD BE UP AND ACCESSIBLE WHEN THEY ARE MEANT TO BE is a definition of?
Availability
If you were to see the subnet mask 255.255.252.0, what CIDR notation (prefix) would you use to indicate the same thing? A. /23 B. /22 C. /21 D. /20
B. A /23 network would be 255.255.254.0. A /21 would be 255.255.248. A /20 would be 255.255.240.0. Only a /22 would give you a 255.255.252.0 subnet mask.
What order, from bottom to top, does the TCP/IP architecture use? A. Network Access, Network, Transport, Application B. Link, Internet, Transport, Application C. Physical, Network, Session, Application D. Data Link, Internet, Transport, Application
B. From top to bottom, the TCP/IP architecture is Link, Internet, Transport, Session, and Appplication.
The UDP headers contain which of the following fields? A. Source address, destination address, checksum, length B. Destination port, source port, checksum, length C. Flags, source port, destination port, checksum D. Length, checksum, flags, address
B. The IP headers include addresses. UDP headers use ports. TCP headers use flags, but UDP headers do not. The UDP headers have the source and destination port fields along with checksum and length.
Which header field is used to reassemble fragmented IP packets? A. Source address B. IP identification C. Don't fragment bit D. Acknowledgment field
B. The IP identification field is used to identify fragments of the same packet, as they would all have the same IP identification number.
Which of these services would be considered a storage as a service solution? A. Microsoft Azure B. iCloud C. Google Compute D. DropLeaf
B. While Microsoft Azure and Google Compute have storage capabilities, they aren't storage as a service solutions. Drop leaf is a typle of table. Dropbox is a storage as a service solution. The only one listed here that is storage as a solution is iCloud, whick is Apple's cloud storage platform.
What is this? Interacting with the service can tell you a lot This requires speaking the protocol Many implementations will give out details about version information HTTP headers have Server: which may tell you the application and version Even SSH will tell you version information
Banner grabbing
What can an intrusion prevention system do that an intrusion detection system can't?
Block or reject network traffic
To remove malware from the network before it gets to the endpoint, you would use which of the following? A. Packet filter B. Application layer gateway C. Unified threat management appliance D. Stateful firewall
C. Packet filters are used to make block/allow decisions based on header data like source and destination address and port. Stateful firewalls add in the ability to factor in the state of the connection—new, related, established. An Application layer gateway knows about Application layer protocols. A unified threat management appliance adds additional capabilities on top of firewall functions, including antivirus.
Which of these addresses would be considered a private address (RFC 1918 address)? A. 172.128.10.5 B. 9.10.10.7 C. 172.20.128.240 D. 250.28.17.10
C. The RFC 1918 address blocks are 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. The only address listed that fits into one of those address blocks is 172.20.128.240. The Address block is 172.16.0.0-172.31.255.255.
What are the three steps in the TCP handshake as described by the flags set? A. SYN, SYN/URG, RST B. RST, SYN, ACK C. SYN, SYN/ACK, ACK D. SYN, SYN/ACK, ACK/URG
C. The three-way handshake is used to establish a connection. The first message has the SYN flag set and includes the sequence number. The response from the server has the ACK flag set for the SYN message that was sent from the client. The acknowledgment number is set. Addictionally, in the same message, the server sends its own SYN flag and sequice number. The client then responds with an ACK message. So, the sequence is SYN, SYN/ACK, and ACK.
Which protocol is necessary to enable the functionality of traceroute? A. HTTP B. SNMP C. ICMP D. IP
C. Traceroute requires ICMP
KEEPING INFORMATION MEANT TO BE PRIVATE PRIVATE is a definition of?
CONFIDENTIALITY
Many professional security certifications will require you to adhere to a code of ethics Know the code of ethics you are being expected to comply with Understand all laws and regulations that apply to you and the organization you are working for are all examples of?
Code of Ethics
What is this called? Managed by MITRE, a defense contractor Vulnerability scanners will commonly scan against CVEs - published vulnerabilities They can also scan for misconfigurations, which are not necessarily CVEs The CVE database includes well-defined details in a standard format, regardless of vendor
Common Vulnerabilities and Exposures (CVE) project
How do you authenticate with SNMPv1?
Community string
Which network topology are you most likely to run across in a large enterprise network? A. Ring topology B. Bus topology C. Full mesh D. Star-bus hybrid
D. An enterprise would use multiple switches that were all connected to one another over a bus, while all the endpoints would connect to the switch in a star topology.
Which of these protocols would be used to communicate with an IoT device? A. ICMP B. SMTP C. Telnet D. HTTP
D. HTTP is the only option that would be commmonly used to pass messages between a controlling server and an IoT device.
What is a MAC address used for? A. Addressing systems over a VPN B. Addressing systems through a tunnel C. Addressing systems over TCP D. Addressing systems on the local network
D. Local network
If you wanted a lightweight protocol to send real-time data over, which of these would you use? A. TCP B. HTTP C. ICMP D. UDP
D. TCP uses a three-way handshake, which is fairly heavyweight. HTTP uses TCP and adds more on top of it. ICMP is used for control messages. UDP has very little overhead and is commonly used for real-time data transport. SO THE ANSWER IS UDP
The PDU for TCP is called a _______________ . A. Packet B. Datagram C. Frame D. Segment
D. TCP uses segment for the PDU.
_______ provides IP addresses from hostnames
DNS
What layer has the following characteristics? Where data is converted to signals to send out on the wire Addressing is media access control (MAC) All local communications happen at layer 2 - system to system is always done using the MAC address Ethernet has elements in this layer Protocol data unit is frame
Data Link (layer 2)
What is the server message block protocol used for?
Data transfers on Windows systems
What type of enumeration would you use the utility dirb for?
Directory enumeration
What type of attack is a compromise of availability?
DoS
What information would you not expect to find in the response to a whois query about an IP address?
Domain association
If you were looking for detailed financial information on a target company, with what resource would you have the most success?
EDGAR
Which of the following are not valid SMTP commands?
EXPN
If you found a colleague searching at pgp.mit.edu, what would they likely be looking for?
Email addresses
Which of these may be considered an evasive technique?
Encoding data
How would you ensure that confidentiality is implemented in an organization?
Encryption
What layer has the following characteristics? Manages longer term connections Responsible for opening, closing and managing sessions between end-user application and server Authentication and authorization are services at this layer NetBIOS is an example of a protocol at this layer Protocol data unit is data
Session Layer (layer 5)
What would you be trying to enumerate if you were to use enum4linux?
Shares and/or users
You see the following text written down—port:502. What does that likely reference?
Shodan search
What kind of firewall is this? rules based on network header information
Simple firewall
What is this? SNMP used to gather management information from hosts Can also be used to send "commands" to a system Uses Abstract Syntax Notation 1 (ASN.1) to store/represent data Older versions of the protocol have weak authentication Current versions may have encryption and strong authentication Use a tool like snmpwalk to gather data from hosts
Simple network managment protocol
__________________ include privilege escalation, password grabbing, internal reconnaissance, etc
Post exploitation activities
What layer has the following characteristics? Formatting and processing of data Translates data from the network to the application JPEG is an example of a format that exists at this layer Protocol data unit is data
Presentation Layer (layer 6)
How would you calculate risk?
Probability * loss value
If you were checking on the IP addresses for a company in France, what RIR would you be checking with for details?
RIPE
Which of these passes objects between systems?
RMI
What is the process Java programs identify themselves to if they are sharing procedures over the network?
RMI registry
What strategy does a local, caching DNS server use to look up records when asked?
Recursive
Less tightly scoped; usually carte blanche (within reason) attacks against a target network
Red teaming
Each _____ has a database that can be queried for information about address blocks and registered contacts
Regional Internet Registries (RIR)
What underlying functionality is necessary to enable Windows file sharing?
Remote procedure call
What would you use MegaPing for?
Running a port scan
What is RIPE and what region does it represent?
Réseaux IP Européens Network Coordination Centre, Europe
What kind of scan is this? Takes advantage of three-way hand shaken nmap sends SYN segment to target host If port closed, the protocol definition says to respond with a segment that has the RST flag set If port is open, the protocol definition says to respond with a SYN/ACK segment If port is open, nmap sends RST message in response to SYN/ACK to cancel the connection attempt
SYN scan
What would you use credentials for in a vulnerability scanner?
Scanning for local vulnerabilities
Which of the following products might be used as an intrusion detection system?
Snort
If you were to see the following command run, what would you assume? hping -S -p 25 10.5.16.2
Someone was trying to probe an email port on the target.
What is an XMAS scan?
TCP scan with FIN/PSH/URG set
What kind of architecture is this? Only four layers - Link, Internet, Transport Application Application layer is session, presentation and application from the OSI model Link layer is the data link and physical layer from the OSI model
TCP/IP Architecture
What has four layers (Link, internet, transport, and application)
TCP/IP architecture
Which of these may be considered worst practice when it comes to vulnerability scans?
Taking no action on the results
What would you use a job listing for when performing reconnaissance?
Technologies used
What would you be looking for with the following Google query? filetype:txt Administrator:500:
Text files including the text Administrator:500:
What does nmap look at for fingerprinting an operating system?
The IP ID field and the initial sequence number
If you were to notice operating system commands inside a DNS request while looking at a packet capture, what might you be looking at?
Tunneling attack
What kind of scanner is this? UDP is connectionless so there is no defined way of interacting with a UDP port nmap sends UDP message to port Application may not respond but still be listening - if the right message isn't received, the application may simply ignore the message Because there is no defined response, nmap can't tell if the message was ignored or dropped in the network, so retransmits UDP scanning can be slow because of the number of retransmits
UDP Scanning
Which information would a packet filter use to make decisions about what traffic to allow into the network?
UDP source port
What is one reason a UDP scan may take longer than a TCP scan of the same host?
UDP will retransmit more.
What information could you get from running p0f?
Uptime
What protocol is this? Very simple protocol, used for fast communication with no overhead Connectionless Headers include: Checksum to ensure datagram is intact Source and destination ports
User Datagram Protocol (UDP)
What important event can be exposed by enabling auditing?
User login
What additional properties does the Parkerian Hexad offer over the CIA triad?
Utility, possession, authenticity
You are working with a colleague and you see them interacting with an email server using the VRFY command. What is it your colleague is doing?
Verifying email addresses
Which of these isn't an example of an attack that compromises integrity?
Watering Hole
What kind of firewall is this? application layer gateway that makes decisions based on web data
Web application firewall
Which of these is an example of an application layer gateway?
Web application firewall
__________ can be enumerated - hidden directories identified, technologies used
Web applications
What kind of scan is this? Same response as the FIN scan because the target host responds in the same way Flags FIN, PSH and URG are all set, making it appear as though the packet is lit up like a Christmas tree (Xmas) It was thought that an unnatural combination of flags would be missed by firewalls and intrusion detection systems, so may get through where more standard scans wouldn't This technique has been around so long, it won't evade anything
XMAS scan
What would be a reason to use the Override feature in OpenVAS?
You want to change a severity rating on a finding.
What technique would you ideally use to get all of the hostnames associated with a domain?
Zone transfer
What kind of topology is this? all devices cable back to a central networking device
bus
What kind of firewall is this? rules may include contents of the application data
deep packet inspection
What command would you use to get the list of mail servers for a domain?
dig mx domain.com
An _________ is taking advantage of that vulnerability
exploit
is the scariest since you have no awareness of the existing vulnerability
false negative
scanner didn't identify a vulnerability where one exists
false negative
What kind of scan is this? the ability to manually craft packets and send to target can also be use to scan a network
hping
What kind of topolgy is this? a star-bus hybrid is common where multiple stars are connected by a bus
hybrid
What kind of scan is this? Avoiding detection can be important - your IP may be blocked, so game over Idle scan spoofs the source IP address Zombie host used - zombie should be idle (not getting network traffic) nmap uses spoofed source address of zombie host Zombie host OS increments initial sequence number based on traffic inbound nmap can determine whether port is open based on the number of packets zombie receives (the amount initial sequence number increments when nmap checks)
idle scan
What is an advantage of using masscan over nmap?
masscan can scan more addresses faster.
What scanner is this? can be used for high-speed scanning and parameters are the same as for nmap
massscan
What kind of topolgy is this? systems are connected directly to one another, as needed (the Internet is a mesh network)
mesh
____________ has many modules based on known vulnerabilities
metasploit
______________ is a common exploit framework
metasploit
What is Ethics?
moral principles that govern a person's behavior or the conducting of an activity. doing no harm
Which of these is a built-in program on Windows for gathering information using port 445?
nbtstat
________________ is a common tactic used after gaining access to a system
password cracking
If you wanted to locate detailed information about a person using either their name or a username you have, which website would you use?
peekyou.com
Some services are exposed through remote procedure calls or also known as.
remote method invocations
What kind of topolgy is this? devices appear to be connected in a circle, though this may only be an appearance rather than how they are connected physically
ring
What tool does a Java program need to use to implement remote process communication?
rmic
Nmap and Metasploit can be extended with ______ to probe ports
scripts
correlates security information across multiple sources is the defintion of?
security information and event management
high-level statements of intent to support the business is a definition of?
security policy
__________________ is about identifying an application and version running on a target host
service enumeration
You need to identify all Excel spreadsheets available from the company Example, Inc., whose domain is example.com. What search query would you use?
site:example.com filetype:xls
What kind of topology is this? straight line that all systems connect to
star
What utility is used to query the databases of each RIR? You can also use this to get the size of the public IP address block for a company.
the whois utility
What tool could be used to gather email addresses from PGP servers: Bing, Google, or LinkedIn?
theHarvester
scanner didn't identify a vulnerability where no vulnerability exists
true negative
scanner identified a vulnerability that does exist
true positive
A _________- is a weakness in a system or piece of software
vulnerability
Generally use a database of signatures to identify vulnerabilities in target systems, this may be from application banners and matching version numbers.
vulnerability scanner
Which of these could you enumerate on a WordPress site using wpscan?
Plug-ins
Using tactics, techniques and procedures commonly used by attackers in order to locate weaknesses so they can be remediated is a definition of what?
Ethical Hacking
You're being employed to help improve a security posture •Keep the needs/goals of your employer in mind •Do no harm •This can't always be helped •Revision: do no deliberate harm and own up when something goes awry This is an example of?
Ethics
_____________ is a trustworthy repository of exploits
Exploit-db.org
What kind of scan is this? nmap sends out a FIN message, which is unnatural where there is no connection Protocol definition says respond with a RST if the port is closed If port is open, packet is dropped nmap will flag open ports as open|filtered Firewall dropping a packet for any reason will result in no response, so nmap can't tell if it's open or the packet was just dropped
FIN
scanner identified a vulnerability that doesn't exist
False Positive
What is fragroute primarily used for?
Fragmenting application traffic
What kind of scan is this? Same, essentially, as SYN scan Difference is nmap completes the three-way handshake to establish a connection Once connection is established, nmap tears the connection down More overhead with this and slightly more time consuming A lot of half-open connections from a SYN scan may be more noticeable In reality, all port scans are easily identified by modern networks and security devices
Full connect scan
An intrusion detection system can perform which of the following functions?
Generate alerts on traffic
the use of keywords to narrow search results, what is this?
Google Hacking
These are examples of? Watches host-based behavior, requiring software on endpoints File integrity monitoring is one common example of this Process monitoring may also be part of this.
Host-based intrusion detection
INFORMATION THAT IS STORED OR SENT SHOULD BE INTACT AND IDENTICAL WHEN IT IS READ OR RECEIVED is a definition of?
INTEGRITY
What would you use Wappalyzer for?
Identifying web technologies
Who holds all IP addresses and hands them out to the Region Internet Registries (RIR)
Internet Corporation for Assigned Names and Numbers (ICANN)
What protocol is this? Current predominant version is IPv4, though IPv6 is common Headers include:• IP Identification - used to identify fragmented packets More fragments flag - indicates the frame is part of a fragmented packet Fragment offset - indicates where in the puzzle the fragmented piece goes Source and destination addresses Considered best effort
Internet Protocol (IP)
What is this? Millions of devices around the world Limited functionality, non-standard input/output capabilities (no keyboard, no monitor, etc) Web site thingful.net has a database of these devices Web site shodan.io also has a database of these devices
Internet of Things (IoT)
What is the IPC$ share used for?
Interprocess communication
What is RPC primarily used for?
Interprocess communications
If you were implementing defense in breadth, what might you do?
Introduce a DevSecOps culture
What is one reason for using a scan like an ACK scan?
It may get through firewalls and IDS devices.
What is LATNIC and what region does it represent?
Latin American Network Information Center, South and central america
What social networking site would be most likely to be useful in gathering information about a company, including job titles?
What are data descriptions in SNMP called?
Management information base
Which of these would be an example of a loss of integrity?
Memory failures causing disk drivers to run incorrectly
If you needed to enumerate data across multiple services and also store the data for retrieval later, what tool would you use?
Metasploit
Reconnaissance and Footprinting• Scanning and Enumeration Gaining Access Maintaining Access Covering Tracks This is know as the ___________ of Ethical hacking
Methodology
What is 224.0.0.0/4 used for?
Multi-cast addresses
What would you get from running the command dig ns domain.com?
Name server records for domain.com
These are examples of what? Rules created to identify attack traffic Traffic that matches a rule may log the match or alert on it Alerting expects someone to be watching Detection rules will need to be generated regularly, based on current attack trends
Network Intrusion Detection
What layer has the following characteristics? Networks are defined at this layer Communication is no longer local - network addresses enable transmission from one location to another Routing happens at this layer Crossing a layer 3 boundary refers to using a routing device to move from one network (as defined by the IP address and subnet mask) Protocol data unit is a packet
Network Layer (layer 3)
What kind of firewall is this? may include other features, including intrusion detection and anti-malware
Next Generation Firewall
What is this? De facto port scanner is this. Supports multiple scan types TCP scan types include SYN, Full connect, FIN, XMAS UDP scans supported Default scan is about 1000 well-known ports
Nmap
Which of these tools allows you to create your own enumeration function based on ports being identified as open?
Nmap
What programs would you use to enumerate services? (select the 2 that apply)
Nmap & nc
___________ ports indicate an application listening
Open
Usually a tightly scoped, point in time assessment of a section of an organization's network?`
Penetration Testing
What layer has the following characteristics? Cables Switches Routers Network interface cards Wireless adapters Protocol data unit -- symbol
Physical Layer (layer 1)
What is the difference between a SYN scan and a full connect scan?
The SYN scan doesn't complete the three-way handshake.
If you receive a RST packet back from a target host, what do you know about your target?
The source port in the RST message is closed.
The SYN scan doesn't complete the three-way handshake.
The target system ignores the message.
If you were to see that someone was using OpenVAS, followed by Nessus, what might you assume?
They were trying to reduce false positives.
What would be necessary for a TCP conversation to be considered ESTABLISHED by a stateful firewall?
Three-way handshake complete
What would be the purpose of running a ping sweep? (select all that apply)
To discover range of IP addresses map to live hosts, You want to use a protocol that may be allowed through the firewall, You want to identify responsive hosts without a port scan, and You want to use something that is light on network traffic.
What is the purpose of a security policy?
To provide high-level guidance on the role of security
These are all headers for what protocol? Sequence number - used to order messages Acknowledgement number - used to indicate the last message received Flags - used to provide direction to the receiving host Window size - used to indicate how many bytes can be sent without receiving an acknowledgement Source and destination ports
Transmission Control Protocol
What protocol is this? Used to multiplex network communications - ports allow multiple applications to communicate at the same time Requires a three-way handshake to establish connection between endpoints SYN, SYN/ACK, ACK Handshake establishes existence and availability of other party SYN establishes sequence number, used to order messages Considered to be guaranteed delivery
Transmission Control Protocol (TCP)
What layer has the following characteristics? Allows for multiplexed communications Without this layer, you could only have a single communication stream from one system to another Applications are assigned ports, which is the addressing scheme used at this layer TCP and UDP exist at this layer Protocol data unit is a segment for TCP and a datagram for UDP
Transport Layer (layer 4)