CEHv9 Questions 401-500
466 Carl has successfully compromised a web server from behind a firewall by exploiting a vulnerability in the web server program. He wants to proceed by installing a backdoor program. However, he is aware that not all inbound ports on the firewall are in the open state. From the list given below, identify the port that is most likely to be open and allowed to reach the server that Carl has just compromised. A. 53 B. 110 C. 25 D. 69
A Explanation: Port 53 is used by DNS and is almost always open, the problem is often that the port is opened for the hole world and not only for outside DNS servers. 280
454 On a backdoored Linux box there is a possibility that legitimate programs are modified or trojaned. How is it possible to list processes and uids associated with them in a more reliable manner? A. Use "Is" B. Use "lsof" C. Use "echo" D. Use "netstat"
B Explanation: lsof is a command used in many Unix-like systems that is used to report a list of all open files and the processes that opened them. It works in and supports several UNIX flavors.
437 Windump is the windows port of the famous TCPDump packet sniffer available on a variety of platforms. In order to use this tool on the Windows platform you must install a packet capture library. What is the name of this library? A. NTPCAP B. LibPCAP C. WinPCAP D. PCAP
C Explanation: WinPcap is the industry-standard tool for link-layer network access in Windows environments: it allows applications to capture and transmit network packets bypassing the protocol stack, and has additional useful features, including kernel-level packet filtering, a network statistics engine and support for remote packet capture.
456 Jim's Organization just completed a major Linux roll out and now all of the organization's systems are running Linux 2.5 Kernel. The roll out expenses has posed constraints on purchasing other essential security equipment and software. The organization requires an option to control network traffic and also perform stateful inspection of traffic going into and out of the DMZ, which built-in functionality of Linux can achieve this? A. IP ICMP B. IP Sniffer C. IP tables D. IP Chains
C Explanation: iptables is the name of the user space tool by which administrators create rules for the packet filtering and NAT modules. While technically iptables is merely the tool which controls the packet filtering and NAT components within the kernel, the name iptables is often used to refer to the entire infrastructure, including netfilter, connection tracking and NAT, as well as the tool itself. iptables is a standard part of all modern Linux distributions.
480 While examining a log report you find out that an intrusion has been attempted by a machine whose IP address is displayed as 0xde.0xad.0xbe.0xef. It looks to you like a hexadecimal number. You perform a ping 0xde.0xad.0xbe.0xef. Which of the following IP addresses will respond to the ping and hence will likely be responsible for the the intrusion ? A. 192.10.25.9 B. 10.0.3.4 289 C. 203.20.4.5 D. 222.273.290.239 E. 222.173.290.239
E Explanation: Convert the hex number to binary and then to decimal. 0xde.0xad.0xbe.0xef translates to 222.173.190.239 and not 222.273.290.239 0xef = 15*1 = 15 14*16 = 224 ______ = 239 0xbe = 14*1 = 14 11*16 = 176 ______ = 190 0xad = 13*1 = 13 10*16 = 160 ______ = 173 0xde = 14*1 = 14 13*16 = 208 ______ = 222
420 On wireless networks, a SSID is used to identify the network. Why are SSID not considered to be a good security mechanism to protect a wireless network? A. The SSID is only 32 bits in length B. The SSID is transmitted in clear text C. The SSID is to identify a station not a network 251 D. The SSID is the same as the MAC address for all vendors
B Explanation: The use of SSIDs is a fairly weak form of security, because most access points broadcast the SSID, in clear text, multiple times per second within the body of each beacon frame. A hacker can easily use an 802.11 analysis tool (e.g., AirMagnet, Netstumbler, or AiroPeek) to identify the SSID.
483 If you come across a sheepdip machine at your client's site, what should you do? A. A sheepdip computer is used only for virus-checking. B. A sheepdip computer is another name for a honeypot C. A sheepdip coordinates several honeypots. 291 D. A sheepdip computers defers a denial of service attack.
A Explanation: Also known as a footbath, a sheepdip is the process of checking physical media, such as floppy disks or CD-ROMs, for viruses before they are used in a computer. Typically, a computer that sheepdips is used only for that process and nothing else and is isolated from the other computers, meaning it is not connected to the network. Most sheepdips use at least two different antivirus programs in order to increase effectiveness.
418 Joe Hacker is going wardriving. He is going to use PrismStumbler and wants it to go to a GPS mapping software application. What is the recommended and well-known GPS mapping package that would interface with PrismStumbler? Select the best answer. A. GPSDrive B. GPSMap C. WinPcap D. Microsoft Mappoint
A 250 Explanation: Explanations: GPSDrive is a Linux GPS mapping package. It recommended to be used to send PrismStumbler data to so that it can be mapped. GPSMap is a generic term and not a real software package. WinPcap is a packet capture library for Windows. It is used to capture packets and deliver them to other programs for analysis. As it is for Windows, it isn't going to do what Joe Hacker is wanting to do. Microsoft Mappoint is a Windows application. PrismStumbler is a Linux application. Thus, these two are not going to work well together.
439 What is the expected result of the following exploit? 263 A. Opens up a telnet listener that requires no username or password. B. Create a FTP server with write permissions enabled. C. Creates a share called "sasfile" on the target system. D. Creates an account with a user name of Anonymous and a password of [email protected].
A Explanation: The script being depicted is in perl (both msadc.pl and the script their using as a wrapper) -- $port, $your, $user, $pass, $host are variables that hold the port # of a DNS server, an IP, username, and FTP password. $host is set to argument variable 0 (which means the string typed directly after the command). Essentially what happens is it connects to an FTP server and downloads nc.exe (the TCP/IP swiss-army knife -- netcat) and uses nc to open a TCP port spawning cmd.exe (cmd.exe is the Win32 DOS shell on NT/2000/2003/XP), cmd.exe when spawned requires NO username or password and has the permissions of the username it is being executed as (probably guest in this instance, although it could be administrator). The #'s in the script means the text following is a comment, notice the last line in particular, if the # was removed the script would spawn a connection to itself, the host system it was running on.
458 You are trying to compromise a Linux Machine and steal the password hashes for cracking with password brute forcing program. Where is the password file kept is Linux? A. /etc/shadow B. /etc/passwd C. /bin/password D. /bin/shadow
A Explanation: /etc/shadow file stores actual password in encrypted format for user's account with additional properties related to user password i.e. it stores secure user account information. All fields are separated by a colon (:) symbol. It contains one entry per line for each user listed in /etc/passwd file. Topic 19, Evading IDS, Firewalls and Honeypots
433 Which of the following keyloggers can't be detected by anti-virus or anti-spyware products? A. Hardware keylogger B. Software Keylogger C. Stealth Keylogger D. Convert Keylogger
A Explanation: A hardware keylogger will never interact with the operating system and therefore it will never be detected by any security programs running in the operating system.
432 Joseph has just been hired on to a contractor company of the Department of Defense as their senior Security Analyst. Joseph has been instructed on the Company's strict security policies that have been implemented and the policies that have yet to be put in place. Per the Department of Defense, all DoD users and the users of their contractors must use twofactor authentication to access their networks. Joseph has been delegated the task of researching and implementing the best two-factor authentication method for his company. Joseph's supervisor has told him that they would like to use some type of hardware device in tandem with a security or identifying pin number. Joseph's company has already researched using smart cards and all the resources needed to implement them, but found the smart cards to not be cost effective. What type of device should Joseph use for two-factor authentication? 258 A. Security token B. Biometric device C. OTP D. Proximity cards
A Explanation: A security token (sometimes called an authentication token) is a small hardware device that the owner carries to authorize access to a network service. The device may be in the form of a smart card or may be embedded in a commonly used object such as a key fob. Security tokens provide an extra level of assurance through a method known as two-factor authentication: the user has a personal identification number (PIN), which authorizes them as the owner of that particular device; the device then displays a number which uniquely identifies the user to the service, allowing them to log in.
484 If you come across a sheepdip machaine at your client site, what would you infer? A. A sheepdip computer is used only for virus checking. B. A sheepdip computer is another name for honeypop. C. A sheepdip coordinates several honeypots. D. A sheepdip computer defers a denial of service attack.
A Explanation: Also known as a footbath, a sheepdip is the process of checking physical media, such as floppy disks or CD-ROMs, for viruses before they are used in a computer. Typically, a computer that sheepdips is used only for that process and nothing else and is isolated from the other computers, meaning it is not connected to the network. Most sheepdips use at least two different antivirus programs in order to increase effectiveness.
465 An employee wants to defeat detection by a network-based IDS application. He does not want to attack the system containing the IDS application. 279 Which of the following strategies can be used to defeat detection by a network-based IDS application? (Choose the best answer) A. Create a network tunnel. B. Create a multiple false positives. C. Create a SYN flood. D. Create a ping flood.
A Explanation: Certain types of encryption presents challenges to network-based intrusion detection and may leave the IDS blind to certain attacks, where a host-based IDS analyzes the data after it has been decrypted.
453 Clive is conducting a pen-test and has just port scanned a system on the network. He has identified the operating system as Linux and been able to elicit responses from ports 23, 25 and 53. He infers port 23 as running Telnet service, port 25 as running SMTP service and port 53 as running DNS service. The client confirms these findings and attests to the current availability of the services. When he tries to telnet to port 23 or 25, he gets a blank screen in response. On typing other commands, he sees only blank spaces or underscores symbols on the screen. What are you most likely to infer from this? A. The services are protected by TCP wrappers B. There is a honeypot running on the scanned machine C. An attacker has replaced the services with trojaned ones D. This indicates that the telnet and SMTP server have crashed 272
A Explanation: Explanation: TCP Wrapper is a host-based network ACL system, used to filter network access to Internet protocol services run on (Unix-like) operating systems such as Linux or BSD. It allows host or subnetwork IP addresses, names and/or ident query replies, to be used as tokens on which to filter for access control purposes.
479 You are doing IP spoofing while you scan your target. You find that the target has port 23 open.Anyway you are unable to connect. Why? A. A firewall is blocking port 23 B. You cannot spoof + TCP C. You need an automated telnet tool D. The OS does not reply to telnet even if port 23 is open
A Explanation: Explanation: The question is not telling you what state the port is being reported by the scanning utility, if the program used to conduct this is nmap, nmap will show you one of three states - "open", "closed", or "filtered" a port can be in an "open" state yet filtered, usually by a stateful packet inspection filter (ie. Netfilter for linux, ipfilter for bsd). C and D to make any sense for this question, their bogus, and B, "You cannot spoof + TCP", well you can spoof + TCP, so we strike that out.
472 Network Intrusion Detection systems can monitor traffic in real time on networks. Which one of the following techniques can be very effective at avoiding proper detection? A. Fragmentation of packets. B. Use of only TCP based protocols. C. Use of only UDP based protocols. D. Use of fragmented ICMP traffic only. 284
A Explanation: If the default fragmentation reassembly timeout is set to higher on the client than on the IDS then the it is possible to send an attack in fragments that will never be reassembled in the IDS but they will be reassembled and read on the client computer acting victim.
485 What type of attack changes its signature and/or payload to avoid detection by antivirus programs? A. Polymorphic B. Rootkit 292 C. Boot sector D. File infecting
A Explanation: In computer terminology, polymorphic code is code that mutates while keeping the original algorithm intact. This technique is sometimes used by computer viruses, shellcodes and computer worms to hide their presence.
423 Virus Scrubbers and other malware detection program can only detect items that they are aware of. Which of the following tools would allow you to detect unauthorized changes or modifications of binary files on your system by unknown malware? A. System integrity verification tools B. Anti-Virus Software C. A properly configured gateway D. There is no way of finding out until a new updated signature file is released
A Explanation: Programs like Tripwire aids system administrators and users in monitoring a designated set of files for any changes. Used with system files on a regular (e.g., daily) basis, Tripwire can notify system administrators of corrupted or tampered files, so damage control measures can be taken in a timely manner.
475 Snort is an open source Intrusion Detection system. However, it can also be used for a few other purposes as well. Which of the choices below indicate the other features offered by Snort? A. IDS, Packet Logger, Sniffer B. IDS, Firewall, Sniffer C. IDS, Sniffer, Proxy D. IDS, Sniffer, content inspector
A Explanation: Snort is a free software network intrusion detection and prevention system capable 286 of performing packet logging & real-time traffic analysis, on IP networks. Snort was written by Martin Roesch but is now owned and developed by Sourcefire
407 In order to attack a wireless network, you put up an access point and override the signal of the real access point. As users send authentication data, you are able to capture it. What kind of attack is this? A. Rouge access point attack B. Unauthorized access point attack C. War Chalking D. WEP attack
A Explanation: The definition of a Rogue access point is:1. A wireless access point (AP) installed by an employee without the consent of the IT department. Without the proper security configuration, users have exposed their company's network to the outside world.2. An access point (AP) set up by an attacker outside a facility with a wireless network. Also called an "evil twin," the rogue AP picks up beacons (signals that advertise its presence) from the company's legitimate AP and transmits identical beacons, which some client machines inside the building associate with. 244
434 What does the this symbol mean? 259 A. Open Access Point B. WPA Encrypted Access Point C. WEP Encrypted Access Point D. Closed Access Point
A Explanation: This symbol is a "warchalking" symbol for a open node (open circle) with the SSID tsunami and the bandwidth 2.0 Mb/s
436 Samuel is high school teenager who lives in Modesto California. Samuel is a straight 'A' student who really likes tinkering around with computers and other types of electronic devices. Samuel just received a new laptop for his birthday and has been configuring it ever since. While tweaking the registry, Samuel notices a pop up at the bottom of his screen stating that his computer was now connected to a wireless network. All of a sudden, he was able to get online and surf the Internet. Samuel did some quick research and was able to gain access to the wireless router he was connecting to and see al of its settings? Being able to hop onto someone else's wireless network so easily fascinated Samuel so he began doing more and more research on wireless technologies and how to exploit them. The next day Samuel's fried said that he could drive around all over town and pick up hundred of wireless networks. This really excited Samuel so they got into his friend's car and drove around the city seeing which networks they could connect to and which ones they could not. What has Samuel and his friend just performed? A. Wardriving B. Warwalking C. Warchalking D. Webdriving
A Explanation: Wardriving is the act of searching for Wi-Fi wireless networks by a person in a moving vehicle using a Wi-Fi-equipped computer, such as a laptop or a PDA, to detect the networks. It was also known (as of 2002) as "WiLDing" (Wireless Lan Driving, although this term never gained any popularity and is no longer used), originating in the San Francisco Bay Area with the Bay Area Wireless Users Group (BAWUG). It is similar to using a scanner for radio. Topic 18, Linux Hacking 261
422 Paul has just finished setting up his wireless network. He has enabled numerous security features such as changing the default SSID, enabling WPA encryption and enabling MAC filtering on hi wireless router. Paul notices when he uses his wireless connection, the speed is sometimes 54 Mbps and sometimes it is only 24mbps or less. Paul connects to his wireless router's management utility and notices that a machine with an unfamiliar name is connected through his wireless connection. Paul checks the router's logs and notices that the unfamiliar machine has the same MAC address as his laptop. 252 What is Paul seeing here? A. MAC Spoofing B. Macof C. ARP Spoofing D. DNS Spoofing
A Explanation: You can fool MAC filtering by spoofing your MAC address and pretending to have some other computers MAC address. Topic 16, Virus and Worms
441 Jim's organization has just completed a major Linux roll out and now all of the organization's systems are running the Linux 2.5 kernel. The roll out expenses has posed constraints on purchasing other essential security equipment and software. The organization requires an option to control network traffic and also perform stateful inspection of traffic going into and out of the DMZ. Which built-in functionality of Linux can achieve this? A. IP Tables B. IP Chains C. IP Sniffer D. IP ICMP
A Explanation: iptables is a user space application program that allows a system administrator to configure the netfilter tables, chains, and rules (described above). Because iptables requires elevated privileges to operate, it must be executed by user root, otherwise it fails to function. On most Linux systems, iptables is installed as /sbin/iptables. IP Tables performs stateful inspection while the older IP Chains only performs stateless inspection.
402 Which of the following is true of the wireless Service Set ID (SSID)? (Select all that apply.) A. Identifies the wireless network B. Acts as a password for network access C. Should be left at the factory default setting D. Not broadcasting the SSID defeats NetStumbler and other wireless discovery tools
A,B Explanation:
464 What makes web application vulnerabilities so aggravating? (Choose two) A. They can be launched through an authorized port. B. A firewall will not stop them. C. They exist only on the Linux platform. D. They are detectable by most leading antivirus software.
A,B Explanation: As the vulnerabilities exists on a web server, incoming traffic on port 80 will probably be allowed and no firewall rules will stop the attack.
471 Bob, an Administrator at company was furious when he discovered that his buddy Trent, has launched a session hijack attack against his network, and sniffed on his communication, including administrative tasks suck as configuring routers, firewalls, IDS, via Telnet. Bob, being an unhappy administrator, seeks your help to assist him in ensuring that attackers such as Trent will not be able to launch a session hijack in company. Based on the above scenario, please choose which would be your corrective measurement actions (Choose two) A. Use encrypted protocols, like those found in the OpenSSH suite. B. Implement FAT32 filesystem for faster indexing and improved performance. C. Configure the appropriate spoof rules on gateways (internal and external). D. Monitor for CRP caches, by using IDS products.
A,C Explanation: First you should encrypt the data passed between the parties; in particular the session key. This technique is widely relied-upon by web-based banks and other e-commerce services, because it completely prevents sniffing-style attacks. However, it could still be possible to perform some other kind of session hijack. By configuring the appropriate spoof rules you prevent the attacker from using the same IP address as the victim as thus you can implement secondary check to see that the IP does not change in the middle of the session.
403 Which of the following wireless technologies can be detected by NetStumbler? (Select all that apply) A. 802.11b B. 802.11e C. 802.11a D. 802.11g E. 802.11
A,C,D Explanation: If you check the website, cards for all three (A, B, G) are supported. See: http://www.stumbler.net/ 242
431 Which are true statements concerning the BugBear and Pretty Park worms? Select the best answers. A. Both programs use email to do their work. B. Pretty Park propagates via network shares and email C. BugBear propagates via network shares and email D. Pretty Park tries to connect to an IRC server to send your personal passwords. E. Pretty Park can terminate anti-virus applications that might be running to bypass them.
A,C,D Explanation: Explanations: Both Pretty Park and BugBear use email to spread. Pretty Park cannot propagate via network shares, only email. BugBear propagates via network shares and email. It also terminates anti-virus applications and acts as a backdoor server for someone to get into the infected machine. Pretty Park tries to connect to an IRC server to send your personal passwords and all sorts of other information it retrieves from your PC. Pretty Park cannot terminate anti-virus applications. However, BugBear can terminate AV software so that it can bypass them. Topic 17, Physical Security
443 Several of your co-workers are having a discussion over the etc/passwd file. They are at odds over what types of encryption are used to secure Linux passwords.(Choose all that apply. A. Linux passwords can be encrypted with MD5 B. Linux passwords can be encrypted with SHA C. Linux passwords can be encrypted with DES D. Linux passwords can be encrypted with Blowfish E. Linux passwords are encrypted with asymmetric algrothims
A,C,D Explanation: Linux passwords are enrcypted using MD5, DES, and the NEW addition Blowfish. The default on most linux systems is dependant on the distribution, RedHat uses MD5, while slackware uses DES. The blowfish option is there for those who wish to use it. The encryption algorithm in use can be determined by authconfig on RedHat-based systems, or by reviewing one of two locations, on PAM-based systems (Pluggable Authentication Module) it can be found in /etc/pam.d/, the system-auth file or authconfig files. In other systems it can be found in /etc/security/ directory.
409 Bob reads an article about how insecure wireless networks can be. He gets approval from his management to implement a policy of not allowing any wireless devices on the network. What other steps does Bob have to take in order to successfully implement this? (Select 2 answer.) A. Train users in the new policy. B. Disable all wireless protocols at the firewall. C. Disable SNMP on the network so that wireless devices cannot be configured. D. Continuously survey the area for wireless devices.
A,D Explanation: If someone installs a access point and connect it to the network there is no way to find it unless you are constantly surveying the area for wireless devices. SNMP and firewalls can not prevent the installation of wireless devices on the corporate network. 245
449 Rebecca is a security analyst and knows of a local root exploit that has the ability to enable local users to use available exploits to gain root privileges. This vulnerability exploits a condition in the Linux kernel within the execve() system call. There is no known workaround that exists for this vulnerability. What is the correct action to be taken by Rebecca in this situation as a recommendation to management? A. Rebecca should make a recommendation to disable the () system call B. Rebecca should make a recommendation to upgrade the Linux kernel promptly C. Rebecca should make a recommendation to set all child-process to sleep within the execve() D. Rebecca should make a recommendation to hire more system administrators to monitor all child processes to ensure that each child process can't elevate privilege
B Explanation:
468 The programmers on your team are analyzing the free, open source software being used to run FTP services on a server in your organization. They notice that there is excessive number of functions in the source code that might lead to buffer overflow. These C++ functions do not check bounds. Identify the line the source code that might lead to buffer overflow. 281 A. Line number 31. B. Line number 15 C. Line number 8 D. Line number 14
B Explanation:
495 You have performed the traceroute below and notice that hops 19 and 20 both show the same IP address. What can be inferred from this output? 1 172.16.1.254 (172.16.1.254) 0.724 ms 3.285 ms 0.613 ms 2 ip68-98-176-1.nv.nv.cox.net (68.98.176.1) 12.169 ms 14.958 ms 13.416 ms 3 ip68-98-176-1.nv.nv.cox.net (68.98.176.1) 13.948 ms ip68-100-0-1.nv.nv.cox.net (68.100.0.1) 16.743 ms 16.207 ms 4 ip68-100-0-137.nv.nv.cox.net (68.100.0.137) 17.324 ms 12.933 ms 20.938 ms 5 68.1.1.4 (68.1.1.4) 12.439 ms 220.166 ms 204.170 ms 6 so-6-0-0.gar2.wdc1.Level3.net (67.29.170.1) 16.177 ms 25.943 ms 14.104 ms 7 unknown.Level3.net (209.247.9.173) 14.227 ms 17.553 ms 15.415 ms 8 so-0-1-0.bbr1.NewYork1.level3.net (64.159.1.41) 17.063 ms 20.960 ms 19.512 ms 9 so-7-0-0-gar1.NewYork1.Level3.net (64.159.1.182) 20.334 ms 19.440 ms 17.938 ms 10 so-4-0-0.edge1.NewYork1.Level3.net (209.244.17.74) 27.526 ms 18.317 ms 21.202 ms 11 uunet-level3-oc48.NewYork1.Level3.net (209.244.160.12) 21.411 ms 19.133 ms 18.830 ms 12 0.so-6-0-0.XL1.NYC4.ALTER.NET (152.63.21.78) 21.203 ms 22.670 ms 20.11 ms 13 0.so-2-0-0.TL1.NYC8.ALTER.NET (152.63.0.153) 30.929 ms 24.858 ms 23.108 ms 14 0.so-4-1-0.TL1.ATL5.ALTER.NET (152.63.10.129) 38.894 ms 33.244 33.910 ms 15 0.so-7-0-0.XL1.MIA4.ALTER.NET (152.63.86.189) 51.165 ms 49.935 ms 49.466 ms 16 0.so-3-0-0.XR1.MIA4.ALTER.NET (152.63.101.41) 50.937 ms 49.005 ms 51.055 ms 300 17 117.ATM6-0.GW5.MIA1.ALTER.NET (152.63.82.73) 51.897 ms 50.280 ms 53.647 ms 18 example-gwl.customer.alter.net (65.195.239.14) 51.921 ms 51.571 ms 56.855 ms 19 www.ABC.com (65.195.239.22) 52.191 ms 52.571 ms 56.855 ms 20 www.ABC.com (65.195.239.22) 53.561 ms 54.121 ms 58.333 ms A. An application proxy firewall B. A stateful inspection firewall C. A host based IDS D. A Honeypot
B Explanation:
457 Bob is a Junior Administrator at ABC Company. On One of Linux machine he entered the following firewall rules: iptables -t filter -A INPUT -p tcp --dport 23 -j DROP 274 Why he entered the above line? A. To accept the Telnet connection B. To deny the Telnet connection C. The accept all connection except telnet connection D. None of Above
B Explanation: -t, --table This option specifies the packet matching table which the command should operate on. If the kernel is configured with automatic module loading, an attempt will be made to load the appropriate module for that table if it is not already there. The tables are as follows: filter This is the default table, and contains the built-in chains INPUT (for packets coming into the box itself), FORWARD (for packets being routed through the box), and OUTPUT (for locally-generated packets). nat This table is consulted when a packet which is creates a new connection is encountered. It consists of three built-ins: PREROUTING (for altering packets as soon as they come in), OUTPUT (for altering locally-generated packets before routing), and POSTROUTING (for altering packets as they are about to go out). mangle This table is used for specialized packet alteration. It has two built-in chains: PREROUTING (for altering incoming packets before routing) and OUTPUT (for altering locally-generated packets before routing). -A, --append Append one or more rules to the end of the selected chain. When the source and/or destination names resolve to more than one address, a rule will be added for each possible address combination. -p, --protocol [!] protocol The protocol of the rule or of the packet to check. The specified protocol can be one of tcp, udp, icmp, or all, or it can be a numeric value, representing one of these protocols or a different one. Also a protocol name from /etc/protocols is allowed. A "!" argument before the protocol inverts the test. The number zero is equivalent to all. Protocol all will match with all protocols and is taken as default when this option is omitted. All may not be used in in combination with the check command. --destination-port [!] [port[:port]] Destination port or port range specification. The flag --dport is an alias for this option. -j, --jump target This specifies the target of the rule; ie. what to do if the packet matches it. The target can be a user-defined chain (not the one this rule is in), one of the special builtin targets which decide the fate of the packet immediately, or an extension (see EXTENSIONS below). If this option is omitted in a rule, then matching the rule will have no effect on the packet's fate, but the counters on the rule will be incremented. 275
477 When referring to the Domain Name Service, what is denoted by a 'zone'? A. It is the first domain that belongs to a company. B. It is a collection of resource records. C. It is the first resource record type in the SOA. D. It is a collection of domains.
B Explanation: A reasonable definition of a zone would be a portion of the DNS namespace where responsibility has been delegated.
413 Matthew re-injects a captured wireless packet back onto the network. He does this hundreds of times within a second. The packet is correctly encrypted and Matthew assumes it is an ARP request packet. The wireless host responds with a stream of responses, all individually encrypted with different IVs. What is this attack most appropriately called? A. Spoof attack B. Replay attack C. Injection attack D. Rebound attack
B Explanation: A replay attack is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and retransmits it, possibly as part of a masquerade attack by IP packet substitution (such as stream cipher attack).
421 Matthew re-injects a captured wireless packet back onto the network. He does this hundreds of times within a second. The packet is correctly encrypted and Matthew assumes it is an ARP request packet. The wireless host responds with a stream of responses, all individually encrypted with different IVs. What is this attack most appropriately called? A. Spoof Attack B. Replay Attack C. Inject Attack D. Rebound Attack
B Explanation: A replay attack is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and retransmits it.
428 Which of the following is one of the key features found in a worm but not seen in a virus? A. The payload is very small, usually below 800 bytes. B. It is self replicating without need for user intervention. C. It does not have the ability to propagate on its own. D. All of them cannot be detected by virus scanners. 255
B Explanation: A worm is similar to a virus by its design, and is considered to be a sub-class of a virus. Worms spread from computer to computer, but unlike a virus, it has the capability to travel without any help from a person. A worm takes advantage of file or information transport features on your system, which allows it to travel unaided.
476 The following excerpt is taken from a honeypot log. The log captures activities across three days. There are several intrusion attempts; however, a few are successful. From the options given below choose the one best interprets the following entry: Apr 26 06:43:05 [6282] IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53 (Note: The objective of this question is to test whether the student can read basic information from log entries and interpret the nature of attack.) Interpret the following entry: Apr 26 06:43:05 [6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107.53 A. An IDS evasion technique B. A buffer overflow attempt C. A DNS zone transfer D. Data being retrieved from 63.226.81.13. 287
B Explanation: The IDS log file is depicting numerous attacks, however, most of them are from different attackers, in reference to the attack in question, he is trying to mask his activity by trying to act legitimate, during his session on the honeypot, he changes users two times by using the "su" command, but never triess to attempt anything to severe.
446 John is the network administrator of XSECURITY systems. His network was recently compromised. He analyzes the logfiles to investigate the attack. Take a look at the following Linux logfile snippet. The hacker compromised and "owned" a Linux machine. What is the hacker trying to accomplish here? [root@apollo /]# rm rootkit.c [root@apollo /]# [root@apollo /]# ps -aux | grep inetd ; ps -aux | grep portmap ; rm /sbin/portmap ; rm /tmp/h ; rm /usr/sbin/rpc.portmap ; rm -rf .bash* ; rm - rf /root/.bash_history ; rm - rf /usr/sbin/namedps -aux | grep inetd ; ps -aux | grep portmap ; rm /sbin/por359 ? 00:00:00 inetd 359 ? 00:00:00 inetd rm: cannot remove `/tmp/h': No such file or directory rm: cannot remove `/usr/sbin/rpc.portmap': No such file or directory [root@apollo /]# ps -aux | grep portmap [root@apollo /]# [root@apollo /]# ps -aux | grep inetd ; ps -aux | grep portmap ; rm /sbin/portmap ; rm /tmp/h ; rm /usr/sbin/rpc.portmap ; rm -rf .bash* ; rm -rf /root/.bash_history ; rm - rf /usr/sbin/namedps -aux | grep inetd ; ps -aux | grep portmap ; rm /sbin/por359 ? 00:00:00 inetd rm: cannot remove `/sbin/portmap': No such file or directory rm: cannot remove `/tmp/h': No such file or directory >rm: cannot remove `/usr/sbin/rpc.portmap': No such file or directory [root@apollo /]# rm: cannot remove `/sbin/portmap': No such file or directory A. The hacker is planting a rootkit B. The hacker is trying to cover his tracks C. The hacker is running a buffer overflow exploit to lock down the system D. The hacker is attempting to compromise more machines on the network 268
B Explanation: By deleting temporary directories and emptying like bash_history that contains the last commands used with the bash shell he is trying to cover his tracks.
490 ETHER: Destination address : 0000BA5EBA11 ETHER: Source address : 00A0C9B05EBD ETHER: Frame Length : 1514 (0x05EA) ETHER: Ethernet Type : 0x0800 (IP) IP: Version = 4 (0x4) IP: Header Length = 20 (0x14) IP: Service Type = 0 (0x0) IP: Precedence = Routine IP: ...0.... = Normal Delay IP: ....0... = Normal Throughput IP: .....0.. = Normal Reliability IP: Total Length = 1500 (0x5DC) IP: Identification = 7652 (0x1DE4) IP: Flags Summary = 2 (0x2) IP: .......0 = Last fragment in datagram IP: ......1. = Cannot fragment datagram IP: Fragment Offset = 0 (0x0) bytes IP: Time to Live = 127 (0x7F) IP: Protocol = TCP - Transmission Control IP: Checksum = 0xC26D IP: Source Address = 10.0.0.2 IP: Destination Address = 10.0.1.201 TCP: Source Port = Hypertext Transfer Protocol TCP: Destination Port = 0x1A0B TCP: Sequence Number = 97517760 (0x5D000C0) TCP: Acknowledgement Number = 78544373 (0x4AE7DF5) TCP: Data Offset = 20 (0x14) TCP: Reserved = 0 (0x0000) TCP: Flags = 0x10 : .A.... TCP: ..0..... = No urgent data TCP: ...1.... = Acknowledgement field significant TCP: ....0... = No Push function TCP: 295 .....0.. = No Reset TCP: ......0. = No Synchronize TCP: .......0 = No Fin TCP: Window = 28793 (0x7079) TCP: Checksum = 0x8F27 TCP: Urgent Pointer = 0 (0x0) An employee wants to defeat detection by a network-based IDS application. He does not want to attack the system containing the IDS application. Which of the following strategies can be used to defeat detection by a network-based IDS application? A. Create a SYN flood B. Create a network tunnel C. Create multiple false positives D. Create a ping flood
B Explanation: Certain types of encryption presents challenges to network-based intrusion detection and may leave the IDS blind to certain attacks, where a host-based IDS analyzes the data after it has been decrypted.
450 What is Cygwin? A. Cygwin is a free C++ compiler that runs on Windows 270 B. Cygwin is a free Unix subsystem that runs on top of Windows C. Cygwin is a free Windows subsystem that runs on top of Linux D. Cygwin is a X Windows GUI subsytem that runs on top of Linux GNOME environment
B Explanation: Cygwin is a Linux-like environment for Windows. It consists of two parts: A DLL (cygwin1.dll) which acts as a Linux API emulation layer providing substantial Linux API functionality. A collection of tools which provide Linux look and feel. The Cygwin DLL works with all non-beta, non "release candidate", ix86 32 bit versions of Windows since Windows 95, with the exception of Windows CE.
455 Peter is a Linux network admin. As a knowledgeable security consultant, he turns to you to look for help on a firewall. He wants to use Linux as his firewall and use the latest freely available version that is offered. What do you recommend? Select the best answer. A. Ipchains B. Iptables C. Checkpoint FW for Linux D. Ipfwadm 273
B Explanation: Explanations: Ipchains was improved over ipfwadm with its chaining mechanism so that it can have multiple rulesets. However, it isn't the latest version of a free Linux firewall. Iptables replaced ipchains and is the latest of the free Linux firewall tools. Any Checkpoint firewall is not going to meet Jason's desire to have a free firewall. Ipfwadm is used to build Linux firewall rules prior to 2.2.0. It is a outdated version.
460 You are attempting to map out the firewall policy for an organization. You discover your target system is one hop beyond the firewall. Using hping2, you send SYN packets with the exact TTL of the target system starting at port 1 and going up to port 1024. What is this process known as? A. Footprinting B. Firewalking C. Enumeration D. Idle scanning
B Explanation: Firewalking uses a traceroute-like IP packet analysis to determine whether or not a particular packet can pass from the attacker's host to a destination host through a packet-filtering device. This technique can be used to map 'open' or 'pass through' ports on a gateway. More over, it can determine whether packets with various control information can pass through a given gateway.
488 To scan a host downstream from a security gateway, Firewalking: A. Sends a UDP-based packet that it knows will be blocked by the firewall to determine how specifically the firewall responds to such packets B. Uses the TTL function to send packets with a TTL value set to expire one hop past the identified security gateway C. Sends an ICMP ''administratively prohibited'' packet to determine if the gateway will drop the packet without comment. D. Assesses the security rules that relate to the target system before it sends packets to any hops on the route to the gateway
B Explanation: Firewalking uses a traceroute-like IP packet analysis to determine whether or not a particular packet can pass from the attacker's host to a destination host through a packet-filtering device. This technique can be used to map 'open' or 'pass through' ports on a gateway. More over, it can determine whether packets with various control information can pass through a given gateway.
408 On wireless networks, SSID is used to identify the network. Why are SSID not considered to be a good security mechanism to protect a wireless networks? A. The SSID is only 32 bits in length. B. The SSID is transmitted in clear text. C. The SSID is the same as the MAC address for all vendors. D. The SSID is to identify a station, not a network.
B Explanation: The SSID IS constructed to identify a network, it IS NOT the same as the MAC address and SSID's consists of a maximum of 32 alphanumeric characters.
473 What do you conclude from the nmap results below? Staring nmap V. 3.10ALPHA0 (www.insecure.org/map/) (The 1592 ports scanned but not shown below are in state: closed) PortStateService 21/tcpopenftp 25/tcpopensmtp 80/tcpopenhttp 443/tcpopenhttps Remote operating system guess: Too many signatures match the reliability guess the OS. Nmap run completed - 1 IP address (1 host up) scanned in 91.66 seconds A. The system is a Windows Domain Controller. B. The system is not firewalled. C. The system is not running Linux or Solaris. D. The system is not properly patched.
B Explanation: There is no reports of any ports being filtered. 285
467 Neil monitors his firewall rules and log files closely on a regular basis. Some of the users have complained to Neil that there are a few employees who are visiting offensive web sites during work hours, without consideration for others. Neil knows that he has an updated content filtering system and that such access should not be authorized. What type of technique might be used by these offenders to access the Internet without restriction? A. They are using UDP which is always authorized at the firewall. B. They are using tunneling software which allows them to communicate with protocols in a way it was not intended. C. They have been able to compromise the firewall, modify the rules, and give themselves proper access. D. They are using an older version of Internet Explorer that allows them to bypass the proxy server.
B Explanation: This can be accomplished by, for example, tunneling the http traffic over SSH if you have a SSH server answering to your connection, you enable dynamic forwarding in the ssh client and configure Internet Explorer to use a SOCKS Proxy for network traffic.
427 The Slammer Worm exploits a stack-based overflow that occurs in a DLL implementing the Resolution Service. Which of the following Database Server was targeted by the slammer worm? A. Oracle B. MSSQL C. MySQL D. Sybase E. DB2
B Explanation: W32.Slammer is a memory resident worm that propagates via UDP Port 1434 and exploits a vulnerability in SQL Server 2000 systems and systems with MSDE 2000 that have not applied the patch released by Microsoft Security Bulletin MS02-039.
442 WinDump is a popular sniffer which results from the porting to Windows of TcpDump for Linux. What library does it use ? A. LibPcap B. WinPcap C. Wincap D. None of the above
B Explanation: WinPcap is the industry-standard tool for link-layer network access in Windows 265 environments: it allows applications to capture and transmit network packets bypassing the protocol stack, and has additional useful features, including kernel-level packet filtering, a network statistics engine and support for remote packet capture.
461 Once an intruder has gained access to a remote system with a valid username and password, the attacker will attempt to increase his privileges by escalating the used account to one that has increased privileges. such as that of an administrator. What would be the best countermeasure to protect against escalation of priveges? 277 A. Give users tokens B. Give user the least amount of privileges C. Give users two passwords D. Give users a strong policy document
B Explanation: With less privileges it is harder to increase the privileges.
444 Rebecca has noted multiple entries in her logs about users attempting to connect on ports that are either not opened or ports that are not for public usage. How can she restrict this type of abuse by limiting access to only specific IP addresses that are trusted by using one of the built-in Linux Operating System tools? 266 A. Ensure all files have at least a 755 or more restrictive permissions. B. Configure rules using ipchains. C. Configure and enable portsentry on his server. D. Install an intrusion detection system on her computer such as Snort.
B Explanation: ipchains is a free software based firewall for Linux. It is a rewrite of Linux's previous IPv4 firewalling code, ipfwadm. In Linux 2.2, ipchains is required to administer the IP packet filters. ipchains was written because the older IPv4 firewall code used in Linux 2.0 did not work with IP fragments and didn't allow for specification of protocols other than TCP, UDP, and ICMP.
492 Which of the following are potential attacks on cryptography? (Select 3) A. One-Time-Pad Attack B. Chosen-Ciphertext Attack C. Man-in-the-Middle Attack D. Known-Ciphertext Attack E. Replay Attack
B,C,E Explanation: A chosen-ciphertext attack (CCA) is an attack model for cryptanalysis in which the cryptanalyst chooses a ciphertext and causes it to be decrypted with an unknown key. Specific forms of this attack are sometimes termed "lunchtime" or "midnight" attacks, referring to a scenario in which an attacker gains access to an unattended decryption machine. In cryptography, a manin- the-middle attack (MITM) is an attack in which an attacker is able to read, insert and modify at will, messages between two parties without either party knowing that the link between them has been compromised. The attacker must be able to observe and intercept messages going between the two victims. A replay attack is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and retransmits it, possibly as part of a masquerade attack by IP packet substitution (such as stream cipher attack). 298
406 Access control is often implemented through the use of MAC address filtering on wireless Access Points. Why is this considered to be a very limited security measure? A. Vendors MAC address assignment is published on the Internet. B. The MAC address is not a real random number. C. The MAC address is broadcasted and can be captured by a sniffer. D. The MAC address is used properly only on Macintosh computers.
C Explanation:
452 After studying the following log entries, what is the attacker ultimately trying to achieve as 271 inferred from the log sequence? 1. mkdir -p /etc/X11/applnk/Internet/.etc 2. mkdir -p /etc/X11/applnk/Internet/.etcpasswd 3. touch -acmr /etc/passwd /etc/X11/applnk/Internet/.etcpasswd 4. touch -acmr /etc /etc/X11/applnk/Internet/.etc 5. passwd nobody -d 6. /usr/sbin/adduser dns -d/bin -u 0 -g 0 -s/bin/bash 7. passwd dns -d 8. touch -acmr /etc/X11/applnk/Internet/.etcpasswd /etc/passwd 9. touch -acmr /etc/X11/applnk/Internet/.etc /etc A. Change password of user nobody B. Extract information from a local directory C. Change the files Modification Access Creation times D. Download rootkits and passwords into a new directory
C Explanation:
486 You may be able to identify the IP addresses and machine names for the firewall, and the names of internal mail servers by: A. Sending a mail message to a valid address on the target network, and examining the header information generated by the IMAP servers B. Examining the SMTP header information generated by using the -mx command parameter of DIG C. Examining the SMTP header information generated in response to an e-mail message sent to an invalid address D. Sending a mail message to an invalid address on the target network, and examining the header information generated by the POP servers
C Explanation:
463 278 Why would an ethical hacker use the technique of firewalking? A. It is a technique used to discover wireless network on foot. B. It is a technique used to map routers on a network link. C. It is a technique used to discover the nature of rules configured on a gateway. D. It is a technique used to discover interfaces in promiscuous mode.
C Explanation: Firewalking uses a traceroute-like IP packet analysis to determine whether or not a particular packet can pass from the attacker's host to a destination host through a packet-filtering device. This technique can be used to map 'open' or 'pass through' ports on a gateway. More over, it can determine whether packets with various control information can pass through a given gateway.
491 1 172.16.1.254 (172.16.1.254) 0.724 ms 3.285 ms 0.613 ms 2 ip68-98-176-1.nv.nv.cox.net (68.98.176.1) 12.169 ms 14.958 ms 13.416 ms 3 ip68-98-176-1.nv.nv.cox.net (68.98.176.1) 13.948 ms ip68-100-0-1.nv.nv.cox.net (68.100.0.1) 16.743 ms 16.207 ms 4 ip68-100-0-137.nv.nv.cox.net (68.100.0.137) 17.324 ms 13.933 ms 20.938 ms 5 68.1.1.4 (68.1.1.4) 12.439 ms 220.166 ms 204.170 ms 6 so-6-0-0.gar2.wdc1.Level3.net (67.29.170.1) 16.177 ms 25.943 ms 296 14.104 ms 7 unknown.Level3.net (209.247.9.173) 14.227 ms 17.553 ms 15.415 ms 8 so-0-1-0.bbr1.NewYork1.level3.net (64.159.1.41) 17.063 ms 20.960 ms 19.512 ms 9 so-7-0-0.gar1.NewYork1.Level3.net (64.159.1.182) 20.334 ms 19.440 ms 17.938 ms 10 so-4-0-0.edge1.NewYork1.Level3.net (209.244.17.74) 27.526 ms 18.317 ms 21.202 ms 11 uunet-level3-oc48.NewYork1.Level3.net (209.244.160.12) 21.411 ms 19.133 ms 18.830 ms 12 0.so-6-0-0.XL1.NYC4.ALTER.NET (152.63.21.78) 21.203 ms 22.670 ms 20.111 ms 13 0.so-2-0-0.TL1.NYC8.ALTER.NET (152.63.0.153) 30.929 ms 24.858 ms 23.108 ms 14 0.so-4-1-0.TL1.ATL5.ALTER.NET (152.63.10.129) 37.894 ms 33.244 ms 33.910 ms 15 0.so-7-0-0.XL1.MIA4.ALTER.NET (152.63.86.189) 51.165 ms 49.935 ms 49.466 ms 16 0.so-3-0-0.XR1.MIA4.ALTER.NET (152.63.101.41) 50.937 ms 49.005 ms 51.055 ms 17 117.ATM6-0.GW5.MIA1.ALTER.NET (152.63.82.73) 51.897 ms 50.280 ms 53.647 ms 18 target-gw1.customer.alter.net (65.195.239.14) 51.921 ms 51.571 ms 56.855 ms 19 www.target.com <http://www.target.com/> (65.195.239.22) 52.191 ms 52.571 ms 56.855 ms 20 www.target.com <http://www.target.com/> (65.195.239.22) 53.561 ms 297 54.121 ms 58.333 ms You perform the above traceroute and notice that hops 19 and 20 both show the same IP address. This probably indicates what? A. A host based IDS B. A Honeypot C. A stateful inspection firewall D. An application proxying firewall
C Explanation:
404 802.11b is considered a ____________ protocol. A. Connectionless B. Secure C. Unsecure D. Token ring based E. Unreliable
C Explanation: 802.11b is an insecure protocol. It has many weaknesses that can be used by a hacker.
487 Which of the following is not an effective countermeasure against replay attacks? A. Digital signatures B. Time Stamps C. System identification D. Sequence numbers 293
C Explanation: A replay attack is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. Effective countermeasures should be anything that makes it hard to delay or replay the packet (time stamps and sequence numbers) or anything that prove the package is received as it was sent from the original sender (digital signature)
419 In order to attack wireless network, you put up an access point and override the signal of the real access point. And when users send authentication data, you are able to capture it. What kind of attack is this? A. WEP Attack B. Drive by hacking C. Rogue Access Point Attack D. Unauthorized Access Point Attack
C Explanation: A rogue access point is a wireless access point that has either been installed on a secure company network without explicit authorization from a local network management or has been created to allow a cracker to conduct a man-in-the-middle attack.
459 Exhibit Study the log given in the exhibit, Precautionary measures to prevent this attack would include writing firewall rules. Of these firewall rules, which among the following would be appropriate? 276 A. Disallow UDP 53 in from outside to DNS server B. Allow UDP 53 in from DNS server to outside C. Disallow TCP 53 in from secondaries or ISP server to DNS server D. Block all UDP traffic
C Explanation: According to the exhibit, the question is regarding the DNS Zone Transfer. Since Zone Transfers are done with TCP port 53, you should not allow this connect external to you organization.
482 What is a sheepdip? A. It is another name for Honeynet B. It is a machine used to coordinate honeynets C. It is the process of checking physical media for virus before they are used in a computer D. None of the above
C Explanation: Also known as a footbath, a sheepdip is the process of checking physical media, such as floppy disks or CD-ROMs, for viruses before they are used in a computer. Typically, a computer that sheepdips is used only for that process and nothing else and is isolated from the other computers, meaning it is not connected to the network. Most sheepdips use at least two different antivirus programs in order to increase effectiveness.
424 What are the main drawbacks for anti-virus software? 253 A. AV software is difficult to keep up to the current revisions. B. AV software can detect viruses but can take no action. C. AV software is signature driven so new exploits are not detected. D. It's relatively easy for an attacker to change the anatomy of an attack to bypass AV systems E. AV software isn't available on all major operating systems platforms. F. AV software is very machine (hardware) dependent.
C Explanation: Although there are functions like heuristic scanning and sandbox technology, the Antivirus program is still mainly depending of signature databases and can only find already known viruses.
417 Sally is a network admin for a small company. She was asked to install wireless accesspoints in the building. In looking at the specifications for the access-points, she sees that all of them offer WEP. Which of these are true about WEP? Select the best answer. A. Stands for Wireless Encryption Protocol B. It makes a WLAN as secure as a LAN C. Stands for Wired Equivalent Privacy D. It offers end to end security
C Explanation: Explanations: WEP is intended to make a WLAN as secure as a LAN but because a WLAN is not constrained by wired, this makes access much easier. Also, WEP has flaws that make it less secure than was once thought.WEP does not offer end-to-end security. It only attempts to protect the wireless portion of the network.
410 Jackson discovers that the wireless AP transmits 128 bytes of plaintext, and the station responds by encrypting the plaintext. It then transmits the resulting ciphertext using the same key and cipher that are used by WEP to encrypt subsequent network traffic. What authentication mechanism is being followed here? A. no authentication B. single key authentication C. shared key authentication D. open system authentication
C Explanation: Explantion: The following picture shows how the WEP authentication procedure:
494 What is the tool Firewalk used for? A. To test the IDS for proper operation B. To test a firewall for proper operation C. To determine what rules are in place for a firewall D. To test the webserver configuration E. Firewalk is a firewall auto configuration tool
C Explanation: Firewalk is an active reconnaissance network security tool that attempts to determine what layer 4 protocols a given IP forwarding device "firewall" will pass. Firewalk works 299 by sending out TCP or UDP packets with a TTL one greater than the targeted gateway. If the gateway allows the traffic, it will forward the packets to the next hop where they will expire and elicit an ICMP_TIME_EXCEEDED message. If the gateway host does not allow the traffic, it will likely drop the packets and no response will be returned.
411 246 Jacob would like your advice on using a wireless hacking tool that can save him time and get him better results with lesser packets. You would like to recommend a tool that uses KoreK's implementation. Which tool would you recommend from the list below? A. Kismet B. Shmoo C. Aircrack D. John the Ripper
C Explanation: Implementing KoreK's attacks as well as improved FMS, aircrack provides the fastest and most effective statistical attacks available. John the Ripper is a password cracker, Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system, and
448 After studying the following log entries, how many user IDs can you identify that the attacker has tampered with? 1. mkdir -p /etc/X11/applnk/Internet/.etc 2. mkdir -p /etc/X11/applnk/Internet/.etcpasswd 3. touch -acmr /etc/passwd /etc/X11/applnk/Internet/.etcpasswd 4. touch -acmr /etc /etc/X11/applnk/Internet/.etc 5. passwd nobody -d 6. /usr/sbin/adduser dns -d/bin -u 0 -g 0 -s/bin/bash 7. passwd dns -d 269 8. touch -acmr /etc/X11/applnk/Internet/.etcpasswd /etc/passwd 9. touch -acmr /etc/X11/applnk/Internet/.etc /etc A. IUSR_ B. acmr, dns C. nobody, dns D. nobody, IUSR_
C Explanation: Passwd is the command used to modify a user password and it has been used together with the usernames nobody and dns.
415 Why do you need to capture five to ten million packets in order to crack WEP with AirSnort? A. All IVs are vulnerable to attack B. Air Snort uses a cache of packets C. Air Snort implements the FMS attack and only encrypted packets are counted D. A majority of weak IVs transmitted by access points and wireless cards are not filtered by contemporary wireless manufacturers
C Explanation: Since the summer of 2001, WEP cracking has been a trivial but time consuming process. A few tools, AirSnort perhaps the most famous, that implement the Fluhrer-Mantin- Shamir (FMS) attack were released to the security community -- who until then were aware of the problems with WEP but did not have practical penetration testing tools. Although simple to use, these tools require a very large number of packets to be gathered before being able to crack a WEP key. The AirSnort web site estimates the total number of packets at five to ten million, but the number actually required may be higher than you think.
440 You have just installed a new Linux file server at your office. This server is going to be used by several individuals in the organization, and unauthorized personnel must not be able to modify any data. What kind of program can you use to track changes to files on the server? A. Network Based IDS (NIDS) B. Personal Firewall C. System Integrity Verifier (SIV) D. Linux IP Chains
C Explanation: System Integrity Verifiers like Tripwire aids system administrators and users in monitoring a designated set of files for any changes. Used with system files on a regular (e.g., daily) basis, Tripwire can notify system administrators of corrupted or tampered files, so damage control measures can be taken in a timely manner. 264
412 In order to attack a wireless network, you put up an access point and override the signal of the real access point. As users send authentication data, you are able to capture it. What kind of attack is this? A. WEP attack B. Drive by hacking C. Rogue access point attack D. Unauthorized access point attack
C Explanation: The definition of a Rogue access point is:1. A wireless access point (AP) installed by an employee without the consent of the IT department. Without the proper security configuration, users have exposed their company's network to the outside world.2. An access point (AP) set up by an attacker outside a facility with a wireless network. Also called an "evil twin," the rogue AP picks up beacons (signals that advertise its presence) from the company's legitimate AP and transmits identical beacons, which some client machines inside the building associate with. 247
401 Which of the following is NOT a reason 802.11 WEP encryption is vulnerable? A. There is no mutual authentication between wireless clients and access points B. Automated tools like AirSnort are available to discover WEP keys 241 C. The standard does not provide for centralized key management D. The 24 bit Initialization Vector (IV) field is too small
C Explanation: The lack of centralized key management in itself is not a reason that the WEP encryption is vulnerable, it is the people setting the user shared key that makes it unsecure.
438 Joe the Hacker breaks into company's Linux system and plants a wiretap program in order to sniff passwords and user accounts off the wire. The wiretap program is embedded as a Trojan horse in one of the network utilities. Joe is worried that network administrator might detect the wiretap program by querying the interfaces to see if they are running in promiscuous mode. Running "ifconfig -a" will produce the following: # ifconfig -a 1o0: flags=848<UP,LOOPBACK,RUNNING,MULTICAST> mtu 8232 inet 127.0.0.1 netmask ff000000hme0: flags=863<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,MULTICAST> mtu 1500 262 inet 192.0.2.99 netmask ffffff00 broadcast 134.5.2.255 ether 8:0:20:9c:a2:35 What can Joe do to hide the wiretap program from being detected by ifconfig command? A. Block output to the console whenever the user runs ifconfig command by running screen capture utiliyu B. Run the wiretap program in stealth mode from being detected by the ifconfig command. C. Replace original ifconfig utility with the rootkit version of ifconfig hiding Promiscuous information being displayed on the console. D. You cannot disable Promiscuous mode detection on Linux systems.
C Explanation: The normal way to hide these rogue programs running on systems is the use crafted commands like ifconfig and ls.
462 Which one of the following attacks will pass through a network layer intrusion detection system undetected? A. A teardrop attack B. A SYN flood attack C. A DNS spoofing attack D. A test.cgi attack
D Explanation: Because a network-based IDS reviews packets and headers, it can also detect denial of service (DoS) attacks Not A or B: The following sections discuss some of the possible DoS attacks available. Smurf Fraggle SYN Flood Teardrop DNS DoS Attacks"
500 Eric notices repeated probes to port 1080. He learns that the protocol being used is designed to allow a host outside of a firewall to connect transparently and securely through the firewall. He wonders if his firewall has been breached. What would be your inference? 303 A. Eric network has been penetrated by a firewall breach B. The attacker is using the ICMP protocol to have a covert channel C. Eric has a Wingate package providing FTP redirection on his network D. Somebody is using SOCKS on the network to communicate through the firewall
D Explanation: Port Description: SOCKS. SOCKS port, used to support outbound tcp services (FTP, HTTP, etc). Vulnerable similar to FTP Bounce, in that attacker can connect to this port and \bounce\ out to another internal host. Done to either reach a protected internal host or mask true source of attack. Listen for connection attempts to this port -- good sign of port scans, SOCKS-probes, or bounce attacks. Also a means to access restricted resources. Example: Bouncing off a MILNET gateway SOCKS port allows attacker to access web sites, etc. that were restricted only to.mil domain hosts.
451 Ron has configured his network to provide strong perimeter security. As part of his network architecture, he has included a host that is fully exposed to attack. The system is on the public side of the demilitarized zone, unprotected by a firewall or filtering router. What would you call such a host? A. Honeypot B. DMZ host C. DWZ host D. Bastion Host
D Explanation: A bastion host is a gateway between an inside network and an outside network. Used as a security measure, the bastion host is designed to defend against attacks aimed at the inside network. Depending on a network's complexity and configuration, a single bastion host may stand guard by itself, or be part of a larger security system with different layers of protection.
430 June, a security analyst, understands that a polymorphic virus has the ability to mutate and can change its known viral signature and hide from signature-based antivirus programs. Can June use an antivirus program in this case and would it be effective against a polymorphic virus? A. No. June can't use an antivirus program since it compares the size of executable files to the database of known viral signatures and it is effective on a polymorphic virus B. Yes. June can use an antivirus program since it compares the parity bit of executable files to the database of known check sum counts and it is effective on a polymorphic virus C. Yes. June can use an antivirus program since it compares the signatures of executable files to the database of known viral signatures and it is very effective against a polymorphic virus D. No. June can't use an antivirus program since it compares the signatures of executable files to the database of known viral signatures and in the case the polymorphic viruses cannot be detected by a signature-based anti-virus program
D Explanation: Although there are functions like heuristic scanning and sandbox technology, the Antivirus program is still mainly depending of signature databases and can only find already known viruses. 257
425 What is the best means of prevention against viruses? A. Assign read only permission to all files on your system. B. Remove any external devices such as floppy and USB connectors. C. Install a rootkit detection tool. D. Install and update anti-virus scanner.
D Explanation: Although virus scanners only can find already known viruses this is still the best defense, together with users that are informed about risks with the internet.
493 What is a primary advantage a hacker gains by using encryption or programs such as Loki? A. It allows an easy way to gain administrator rights B. It is effective against Windows computers C. It slows down the effective response of an IDS D. IDS systems are unable to decrypt it E. Traffic will not be modified in transit
D Explanation: Because the traffic is encrypted, an IDS cannot understand it or evaluate the payload.
497 SSL has been seen as the solution to several common security problems. Administrators will often make use of SSL to encrypt communication from point A to point B. Why do you think this could be a bad idea if there is an Intrusion Detection System deployed to monitor the traffic between point A and B? A. SSL is redundant if you already have IDS in place. B. SSL will trigger rules at regular interval and force the administrator to turn them off. C. SSL will slow down the IDS while it is breaking the encryption to see the packet content. D. SSL will mask the content of the packet and Intrusion Detection System will be blinded.
D Explanation: Because the traffic is encrypted, an IDS cannot understand it or evaluate the payload.
414 Derek has stumbled upon a wireless network and wants to assess its security. However, he does not find enough traffic for a good capture. He intends to use AirSnort on the captured traffic to crack the WEP key and does not know the IP address range or the AP. How can he generate traffic on the network so that he can capture enough packets to crack the WEP key? A. Use any ARP requests found in the capture B. Derek can use a session replay on the packets captured C. Derek can use KisMAC as it needs two USB devices to generate traffic D. Use Ettercap to discover the gateway and ICMP ping flood tool to generate traffic
D Explanation: By forcing the network to answer to a lot of ICMP messages you can gather enough packets to crack the WEP key. 248
469 While scanning a network you observe that all of the web servers in the DMZ are responding to ACK packets on port 80. What can you infer from this observation? 282 A. They are using Windows based web servers. B. They are using UNIX based web servers. C. They are not using an intrusion detection system. D. They are not using a stateful inspection firewall.
D Explanation: If they used a stateful inspection firewall this firewall would know if there has been a SYN-ACK before the ACK.
481 All the web servers in the DMZ respond to ACK scan on port 80. Why is this happening ? 290 A. They are all Windows based webserver B. They are all Unix based webserver C. The company is not using IDS D. The company is not using a stateful firewall
D Explanation: If they used a stateful inspection firewall this firewall would know if there has been a SYN-ACK before the ACK.
435 In an attempt to secure his 802.11b wireless network, Bob decides to use strategic antenna positioning. He places the antenna for the access point near the center of the building. For those access points near the outer edge of the building he uses semi-directional antennas that face towards the buildings center. There is a large parking lot and outlying filed surrounding the building that extends out half a mile around the building. Bob figures that with this and his placement of antennas, his wireless network will be safe from attack. Which of he following statements is true? A. Bob's network will not be safe until he also enables WEP B. With the 300-foot limit of a wireless signal, Bob's network is safe C. Bob's network will be sage but only if he doesn't switch to 802.11a D. Wireless signals can be detected from miles away; Bob's network is not safe
D Explanation: It's all depending on the capacity of the antenna that a potential hacker will use in 260 order to gain access to the wireless net.
445 John is discussing security with Jane. Jane had mentioned to John earlier that she suspects an LKM has been installed on her server. She believes this is the reason that the server has been acting erratically lately. LKM stands for Loadable Kernel Module. What does this mean in the context of Linux Security? A. Loadable Kernel Modules are a mechanism for adding functionality to a file system without requiring a kernel recompilation. B. Loadable Kernel Modules are a mechanism for adding functionality to an operating-system kernel after it has been recompiled and the system rebooted. C. Loadable Kernel Modules are a mechanism for adding auditing to an operating-system kernel without requiring a kernel recompilation. D. Loadable Kernel Modules are a mechanism for adding functionality to an operating-system kernel without requiring a kernel recompilation.
D Explanation: Loadable Kernel Modules, or LKM, are object files that contain code to extend the running kernel, or so-called base kernel, without the need of a kernel recompilation. Operating systems other than Linux, such as BSD systems, also provide support for LKM's. However, the Linux kernel generally makes far greater and more versatile use of LKM's than other systems. LKM's are typically used to add support for new hardware, filesystems or for adding system calls. When the functionality provided by an LKM is no longer required, it can be unloaded, freeing memory. 267
416 Study the snort rule given below and interpret the rule. alert tcp any any --> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg: "mountd access";) A. An alert is generated when a TCP packet is originated from port 111 of any IP address to the 192.168.1.0 subnet B. An alert is generated when any packet other than a TCP packet is seen on the network and destined for the 192.168.1.0 subnet C. An alert is generated when a TCP packet is generated from any IP on the 192.168.1.0 subnet and destined to any IP on port 111 D. An alert is generated when a TCP packet originating from any IP address is seen on the network and destined for any IP address on the 192.168.1.0 subnet on port 111
D Explanation: Refer to the online documentation on creating Snort rules at http://snort.org/docs/snort_htmanuals/htmanual_261/node147.html 249
426 Melissa is a virus that attacks Microsoft Windows platforms. To which category does this virus belong? A. Polymorphic B. Boot Sector infector 254 C. System D. Macro
D Explanation: The Melissa macro virus propagates in the form of an email message containing an infected Word document as an attachment.
429 You find the following entries in your web log. Each shows attempted access to either root.exe or cmd.exe. What caused this? GET /scripts/root.exe?/c+dir GET /MSADC/root.exe?/c+dir GET /c/winnt/system32/cmd.exe?/c+dir GET /d/winnt/system32/cmd.exe?/c+dir GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir GET /msadc/..%5c../..%5c../..%5c/..xc1x1c../..xc1x1c../..xc1x1c../winnt/system32/cmd.exe?/c+dir GET /scripts/..xc1x1c../winnt/system32/cmd.exe?/c+dir GET /scripts/..xc0/../winnt/system32/cmd.exe?/c+dir GET /scripts/..xc0xaf../winnt/system32/cmd.exe?/c+dir GET /scripts/..xc1x9c../winnt/system32/cmd.exe?/c+dir GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir 256 A. The Morris worm B. The PIF virus C. Trinoo D. Nimda E. Code Red F. Ping of Death
D Explanation: The Nimda worm modifies all web content files it finds. As a result, any user browsing web content on the system, whether via the file system or via a web server, may download a copy of the worm. Some browsers may automatically execute the downloaded copy, thereby, infecting the browsing system. The high scanning rate of the Nimda worm may also cause bandwidth denial-of-service conditions on networks with infected machines and allow intruders the ability to execute arbitrary commands within the Local System security context on machines running the unpatched versions of IIS.
405 While probing an organization you discover that they have a wireless network. From your attempts to connect to the WLAN you determine that they have deployed MAC filtering by using ACL on the access points. What would be the easiest way to circumvent and communicate on the WLAN? A. Attempt to crack the WEP key using Airsnort. B. Attempt to brute force the access point and update or delete the MAC ACL. C. Steel a client computer and use it to access the wireless network. D. Sniff traffic if the WLAN and spoof your MAC address to one that you captured.
D Explanation: The easiest way to gain access to the WLAN would be to spoof your MAC address to one that already exists on the network. 243
489 You have discovered that an employee has attached a modem to his telephone line and workstation. He has used this modem to dial in to his workstation, thereby bypassing your firewall. A security breach has occurred as a direct result of this activity. The employee explains that he used the modem because he had to download software for a department project. What can you do to solve this problem? 294 A. Install a network-based IDS B. Reconfigure the firewall C. Conduct a needs analysis D. Enforce your security policy
D Explanation: The employee was unaware of security policy.
474 Bill has successfully executed a buffer overflow against a Windows IIS web server. He has been able to spawn an interactive shell and plans to deface the main web page. He first attempts to use the "Echo" command to simply overwrite index.html and remains unsuccessful. He then attempts to delete the page and achieves no progress. Finally, he tries to overwrite it with another page again in vain. What is the probable cause of Bill's problem? A. The system is a honeypot. B. There is a problem with the shell and he needs to run the attack again. C. You cannot use a buffer overflow to deface a web page. D. The HTML file has permissions of ready only.
D Explanation: The question states that Bill had been able to spawn an interactive shell. By this statement we can tell that the buffer overflow and its corresponding code was enough to spawn a shell. Any shell should make it possible to change the webpage. So we either don't have sufficient privilege to change the webpage (answer D) or it's a honeypot (answer A). We think the preferred answer is D
447 Which of the following snort rules look for FTP root login attempts? A. alert tcp -> any port 21 (msg:"user root";) B. alert tcp -> any port 21 (message:"user root";) C. alert ftp -> ftp (content:"user password root";) D. alert tcp any any -> any any 21 (content:"user root";)
D Explanation: The snort rule header is built by defining action (alert), protocol (tcp), from IP subnet port (any any), to IP subnet port (any any 21), Payload Detection Rule Options (content:"user root";)
499 Neil is closely monitoring his firewall rules and logs on a regular basis. Some of the users have complained to Neil that there are a few employees who are visiting offensive web site during work hours, without any consideration for others. Neil knows that he has an up-todate content filtering system and such access should not be authorized. What type of technique might be used by these offenders to access the Internet without restriction? A. They are using UDP that is always authorized at the firewall B. They are using an older version of Internet Explorer that allow them to bypass the proxy server C. They have been able to compromise the firewall, modify the rules, and give themselves proper access D. They are using tunneling software that allows them to communicate with protocols in a way it was not intended
D Explanation: This can be accomplished by, for example, tunneling the http traffic over SSH if you have a SSH server answering to your connection, you enable dynamic forwarding in the ssh client and configure Internet Explorer to use a SOCKS Proxy for network traffic.
478 Statistics from cert.org and other leading security organizations has clearly showed a steady rise in the number of hacking incidents perpetrated against companies. What do you think is the main reason behind the significant increase in hacking attempts over the past years? A. It is getting more challenging and harder to hack for non technical people. B. There is a phenomenal increase in processing power. C. New TCP/IP stack features are constantly being added. D. The ease with which hacker tools are available on the Internet. 288
D Explanation: Today you don't need to be a good hacker in order to break in to various systems, all you need is the knowledge to use search engines on the internet.
496 During the intelligence gathering phase of a penetration test, you come across a press release by a security products vendor stating that they have signed a multi-million dollar agreement with the company you are targeting. The contract was for vulnerability assessment tools and network based IDS systems. While researching on that particular brand of IDS you notice that its default installation allows it to perform sniffing and attack analysis on one NIC and caters to its management and reporting on another NIC. The sniffing interface is completely unbound from the TCP/IP stack by default. Assuming the defaults were used, how can you detect these sniffing interfaces? A. Use a ping flood against the IP of the sniffing NIC and look for latency in the responses. B. Send your attack traffic and look for it to be dropped by the IDS. C. Set your IP to that of the IDS and look for it as it attempts to knock your computer off the network. D. The sniffing interface cannot be detected.
D Explanation: When a Nic is set to Promiscuous mode it just blindly takes whatever comes through to it network interface and sends it to the Application layer. This is why they are so hard to detect. Actually you could use ARP requests and Send them to every pc and the one which responds to all the requests can be identified as a NIC on Promiscuous mode and there are some very special programs that can do this for you. But considering the alternatives in the question the 301 right answer has to be that the interface cannot be detected.
470 You are the security administrator for a large network. You want to prevent attackers from running any sort of traceroute into your DMZ and discover the internal structure of publicly accessible areas of the network. How can you achieve this? A. Block ICMP at the firewall. B. Block UDP at the firewall. C. Both A and B. D. There is no way to completely block doing a trace route into this area.
D Explanation: When you run a traceroute to a target network address, you send a UDP packet with one time to live (TTL) to the target address. The first router this packet hits decreases the TTL to 0 and rejects the packet. Now the TTL for the packet is expired. The router sends back an ICMP message type 11 (Exceeded) code 0 (TTL--Exceeded) packet to your system with a source address. Your system displays the round-trip time for that first hop and sends out the next UDP packet with a TTL of 2.This process continues until you receive an ICMP message type 3 (Unreachable) code 3 (Port--Unreachable) from the destination system. Traceroute is completed when your machine receives a Port-Unreachable message.If you receive a message with three asterisks [* * *] during the traceroute, a router in the path doesn't return ICMP messages. Traceroute will continue to send UDP packets until the destination is reached or the maximum number of hops is exceeded. 283
498 Most NIDS systems operate in layer 2 of the OSI model. These systems feed raw traffic into a detection engine and rely on the pattern matching and/or statistical analysis to determine what is malicious. Packets are not processed by the host's TCP/IP stack allowing the NIDS to analyze traffic the host would otherwise discard. Which of the following tools allows an attacker to intentionally craft packets to confuse pattern-matching NIDS systems, while still being correctly assembled by the host TCP/IP stack to render the attack payload? A. Defrag B. Tcpfrag C. Tcpdump D. Fragroute
D Explanation: fragroute intercepts, modifies, and rewrites egress traffic destined for a specified 302 host, implementing most of the attacks described in the Secure Networks "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection" paper of January 1998. It features a simple ruleset language to delay, duplicate, drop, fragment, overlap, print, reorder, segment, source-route, or otherwise monkey with all outbound packets destined for a target host, with minimal support for randomized or probabilistic behaviour. This tool was written in good faith to aid in the testing of network intrusion detection systems, firewalls, and basic TCP/IP stack behaviour.