Chapter 9
Which of the following tools would you use to perform a SYN flood attack?
Metasploit
You configure your switches to shut down a port immediately after it being accessed by an unauthorized user. Which type of attack are you trying to prevent?
Sniffing
You are reviewing packets captured by a co-worker. The traffic is from a Linux server that hosts private customer data, and your job is to analyze the content for potential security risks. The .pcap file appears to be a bit small for what you wanted. (It contains traffic to and from the target system during a given time period.) Some of that traffic is shown below. You suspect that only SSH traffic is represented in this capture, which was done with tcpdump. What command do you think your co-worker used to capture only SSH traffic?
tcpdump port 22
The information below is from Wireshark. Which kind of attack is occurring?
A DDoS attack
Which of the following BEST describes a disassembler program?
A program that translates machine code into assembly language, or low-level language.
Which of the following BEST describes a relational database?
A storage bank for data that is organized in tables linked by keys and which can be searched in multiple ways through those keys.
An attacker sends forged Address Resolution Protocol Reply packets over a LAN to a target machine. These packets include an IP address that matches the gateway's IP address but retains its own MAC address. The target machine then sends all traffic to the attacker's machine, believing it is the gateway. Which type of attack just happened?
ARP poisoning
Which cybersecurity approach seeks to asymmetrically put the odds in the security analyst's favor by using maneuverability of sensitive data, honeypots, and anti-malware programs?
Active defense approach
Jason, an attacker, has manipulated a client's connection to disconnect the real client and allow the server to think that he is the authenticated user. Which of the following describes what Jason has done?
Active hijacking
Which of the following is a type of malware that can be purchased in a ready-to-use state, is created to be used with a variety of targets, can be integrated with other malware programs, and can be implemented in stages?
Commodity malware
You have decided to configure an ARP cache poisoning on-path (man-in-the-middle) attack to test a new computer on your network to verify that it connects to required company resources securely. After defining the target hosts in Ettercap and capturing data during several login attempts, you see the following. What should your next step be in checking for a cookie hijacking attack?
Copy the user_token field value and use a cookie copy tool, such as the Google Chrome Copy Cookies extension, to attempt to access the same resource found at the URL listed.
Which of the following attack types overflows the server, causing it to not function properly?
DoS
You have been hired by an organization that has been victimized by session hijacking. What is one of the most important steps you as a security analyst can take to prevent further session hijacking attacks?
Encrypt network traffic.
An attacker wants to use a SQL injection attack against your web application. Which of the following can provide useful information to the attacker about your application's SQL vulnerabilities?
Error messages
In actively defending against SQL injection attacks, you create queries that have placeholders for values from your users' input. Which of the following SQL injection countermeasures did you implement with these queries?
Prepared statements
Some Remote Access Trojans (RATs) install a web server to allow access to the infected machine. Others use a custom application that is run on the remote machine, such as ProRAT. Once infected with this custom application, which other types of infections are possible with this tool installed? (Select two.)
Ransomware Rootkit
Which of the following frame (packet) subtrees would you expand in order to view the POST data that was captured by Wireshark?
The HTML Form URL Encoded: subtree would have the POST data.
While reviewing a machine that a user has reported for strange behavior, you decide to use ipconfig to review its network configuration. Afterward, you see the output shown below. No changes were made manually to the machine's network configuration and all IP configuration is automatic. The proper default gateway for this network segment is 10.10.10.1. Which of the following would explain the output shown?
The machine in question is being targeted by a DHCP on-path (man-in-the-middle) attack.
While performing an audit of your company's network, you use Wireshark to sniff the network and then use the tcp contains password command to filter and see the results below. What might you conclude based on these findings?
There is a website that someone on your network logged into that has no encryption.
While analyzing network traffic on your company network, you see the following in Wireshark. What appears to be happening?
There is an ICMP flood attack.
Which of the following are uses for the sqlmap utility? (Select two.)
To determine SQL server parameters, including version, usernames, operating systems, etc. To detect vulnerable web apps
Which of the following is a valuable resource for security analysts to find out what the newly discovered Trojan and malware risks are?
it-isac.org
A new openSSH vulnerability has been discovered. You are tasked with finding all systems running an SSH service on the network. The nmap 192.168.122.0/24 command has been run to find all potentially vulnerable systems, and the output is shown below. Which machines on the following IP addresses will likely need their SSH software updated immediately? (Select two.)
192.168.122.1 192.168.122.82
Which of the following BEST describes a DoS fragmentation attack?
An attack in which fake UDP or ICMP packets larger than the MTU are sent to exhaust the processing resources.
Which of the following BEST describes a TCP session hijacking attack?
An attacker sniffs between two machines on a connection-based protocol, monitors the traffic to capture the session ID, terminates the target computer's connection, and injects packets to the server.
You have performed a SQL injection attack against a website using Burp Suite and see the following results. What are you looking for?
Any results that show something unexpected being passed back from the server
You train your staff to notify you if they notice any of the following signs: Services are unavailable or very slow Unexpected 503 error messages Abnormal spikes in network traffic Customer complaints about access Which type of attack are you preparing against?
DDoS attack
An attacker performs a successful SQL injection attack against your employer's web application that they use for daily business. What is the MOST likely reason the web application was vulnerable to attack?
Input fields in the comment forms were not being validated.
File fingerprinting, scanning, string searches, and disassembly are all used to identify malware. When these techniques are used, what is the identifying information called?
Malware signature
Which type of malware can infect the core of an operating system, giving an attacker complete control of the entire system remotely, including the ability to change code?
Rootkit
Part of a penetration test is checking for malware vulnerabilities. During this process, the penetration tester needs to manually check many different areas of the system. After these checks have been completed, which of the following is the next step?
Run anti-malware scans
The field in the image below is supposed to return just the username associated with the user ID (a number). The output in the image, however, includes more information, including the username running the database. What is being exploited here?
SQL injection
Which of the following cyberattacks involves an attacker inserting their own code through a data entry point created for regular users in such a way that the server accepts the malicious code as legitimate?
SQL injection
Which method of malware analysis includes matching signatures, analyzing code without executing it, disassembly, and string searching?
Static analysis
Which of the following BEST describes steps in an active defense against DDoS attacks?
Train staff for warning signs, allow only necessary outside access to servers, and configure network devices' preexisting mitigation settings, like router throttling.
Which IPsec method is the most used and protects an entire packet by wrapping it with a new IP header, encrypting it, and then sending it on to the receiving host?
Tunnel mode
A Windows machine in your office has been sending and receiving more traffic than usual, and a user is complaining that it has a slow connection. Your manager would like statistics on all protocol traffic to and from that machine over Ethernet. The netstat command can do that, but you need to know the switch that will give an output similar to what is shown below. Which command and options should you use?
netstat -e -s
Which of the following SQL injection attack types uses true/false questions to perform reconnaissance?
Blind injection attack
John creates an account and creates a listing for the sale of his home. He uses HTML tags to bold important words. Chris, an attacker, spots John's listing and notices the bolded words. Chris assumes HTML tags are enabled on the user end and uses this vulnerability to insert his own script, which will send him a copy of the cookie information for any user who looks at the ad.
Cross-site scripting
In 2016, an attacker used a botnet of security cameras, DVRs, and network printers to target a cloud-based internet performance management organization that provided DNS services to large corporations. This created connectivity issues for legitimate users across the United States and Europe. Which type of attack was MOST likely used in this scenario?
DDoS attack
A suspicious program is run in a controlled environment, where a security analyst monitors the program's execution to track the effect it has on computer resources, like its operating system. The analyst can set breakpoints or pause the program for reports on memory content, storage devices, or CPU registers. Which reverse engineering tool is the analyst using?
Debugger
A security analyst is testing to find SQL injection vulnerabilities. She uses automation of a large volume of random data inserted into the web application's input fields in order to check the output. Which type of testing was done?
Fuzz testing
Jake, a security analyst, has been asked to examine the malware found on the company's network. He decides the best place to start is to use a tool to translate the executable files to assembly language so he can understand what the malware can do and what it can impact. Which tool is the BEST choice for Jake to use?
IDA Pro
An attacker has captured the username and password from an executive in your organization through ARP poisoning during an on-path (man-in-the-middle) attack. Which of the following will be MOST likely to stop this form of attack in the future?
Implement HTTPS
After a sniffing attack has been discovered on an organization's large network, Jim, a security analyst, has been asked to take steps to secure the network from future attacks. The organization has multiple buildings and departments. Which of the following is the BEST step Jim could take to make the network more secure?
Implement switched networks.
Which of the following is a method of attack that is intended to overload the memory of a network switch, forcing the switch into open-fail mode and thereby causing it to broadcast incoming data to all ports?
MAC flooding
What is a likely motivation for DoS and DDoS attacks?
Injury of the target's reputation
A security analyst discovers that a system has been compromised through the building's thermostat. Which type of attack is this compromise from?
IoT Trojan
Your company has just completed social engineering training for all employees. To test the training's effectiveness, you have been tasked with creating a simple computer virus that creates a file on a user's desktop. Approximately how long will you need to create the virus?
Less than one day
An attacker has, through reconnaissance, discovered the MAC address to Sam Black's computer. Sam is a user in your network with admin privileges. The attacker uses a software tool that allows him or her to mimic Sam's MAC address and use it to access your network. Which type of attack has the attacker performed?
MAC spoofing
A security analyst was alerted in real time that there is unusual incoming traffic on the network. The traffic was not and could not be prevented or altered by the program. Which type of program MOST likely sent the alert to the security analyst?
NIDS
Which of the following is an attack where injected script is immediately mirrored off a web server when a user inputs data in a form or search field?
Reflected cross-site scripting
You are testing a compromised machine on an isolated network, and you find a web server running on an open port. When you browse to it, you see the following information. Which kind of infection does this computer have?
Remote Access Trojan
A retail company is getting complaints from customers about how long product pages are taking to load, which is causing a decline in sales. Which of the following actions should you take first to discover the source of the problem?
Run a network bandwidth test on the company's network to determine if there are any anomalies.
Tom, a security analyst, is notified by Karen, an employee, that her work iPad has some setting changes and a new app that she didn't download. What is the first step Tom should take?
Run an antivirus software scan on Karen's device and scan the entire network.
The following steps describe the process for which type of attack? Locate and sniff an active connection between a host and web server. Monitor traffic to either capture or calculate the session ID. Desynchronize the session. Remove the authenticated user. Inject packets to the server.
Session hijacking
An attack targets ICMP protocol vulnerabilities and is conducted by creating ICMP echo request packets using the spoofed IP address of the target machine. It then sends packets to the broadcast address network, which results in numerous devices responding with replies to the target's IP address, disabling it. Which type of attack is this?
Smurf DDoS attack
A machine on your network has been infected with a crude ransomware application. You have obtained a copy of the software and are reverse engineering it with Ghidra. You are hoping that the password for the software is hard-coded into the application. You are presented with the default view in Ghidra, which displays the assembly (machine) code for the application. What might you do next to locate the password?
Use a string search looking for "password" and its variants.
A security analyst is working to discover zero-day attacks before the system is compromised. What is one method for discovering these types of attacks that the security analyst should try?
Write rules in a program like YARA that recognizes similar patterns of code found in other malware and flags them if they interact with the system.
There is strong evidence that a machine is compromised on your company network, but you have not determined which computer. You are going to try to pinpoint the host by scanning for any network devices that are in promiscuous mode. Which of the following Nmap scripts would you use?
sniffer-detect