CSA+ CH1 Threat Management Part 2


Lucca wants to validate DNS responses to ensure that they are from authoritative DNS servers. What technology can he use to do this?
A. DNSSEC
B. DNSCrypt
C. DNShield
D. DNS is an open protocol and does not support secure validation.

A. DNSSEC allows authoritative DNS servers to use digital signatures to validate its responses.

Ian's company has an internal policy requiring that they perform regular port scans of all of their servers. Ian has been part of a recent effort to move his organization's servers to an infrastructure as a service provider. What change will Ian most likely need to make to his scanning efforts?
A. Change scanning software.
B. Follow the service provider's scan policies.
C. Sign a security contract with the provider.
D. Discontinue port scanning.

B. Most infrastructure-as-a-service providers will allow their customers to perform security scans as long as they follow the rules and policies around such scans. Ian should review his vendor's security documentation and contact them for details if he has questions.

During a regularly scheduled PCI compliance scan, Fred has discovered port 3389 open on one of the point-of-sale terminals that he is responsible for managing. What service should he expect to find enabled on the system?
A. MySQL
B. RDP
C. TOR
D. Jabber

B. Port 3389 is the service port for RDP. If Fred doesn't expect this port to be open on his point-of-sale terminals, he should immediately activate his incident response plan.

Charles needs to make sure he has found the correct social media profile for a target of his OSINT process. Which of the following includes the three critical items needed to uniquely identify the majority of Americans?
A. Height, weight, and eye color
B. Date of birth, gender, and zip code
C. Zodiac sign, gender, and zip code
D. Age, height, and weight

B. Studies have shown that 87 percent of the U.S. population can be uniquely identified with their date of birth, gender, and ZIP code. If Charles can obtain this information, he has a very high chance of identifying the right individual.

Chris wants to determine what TCP ports are listening on a Windows system. What is his best option to determine this from the command line?
A. Use arp -a.
B. Use netstat -ap.
C. Use nmap -t 127.0.0.1.
D. There is not a Windows command to do this.

B. netstat can be used to list listening ports. The -a flag displays all listening ports, while -p will also show programs such as Time_wait, Established, Close_wait.

While reviewing web server logs, Danielle notices the following entry. What occurred?
10.11.210.6 - GET /wordpress/wp-admin/theme-editor.php?file=404.php&theme= total 200
A. A theme was changed.
B. A file was not found.
C. There was an attempt to edit the 404 page.
D. The 404 page was displayed.

C. Attackers often use built-in editing tools that are inadvertently or purposefully exposed to edit files to inject malicious code. In this case, someone has attempted to modify the 404 file displayed by WordPress. Anybody who received a 404 error from this installation could have been exposed to malicious code inserted into the 404 page or simply a defaced 404 page.

Brandon wants to perform a WHOIS query for a system he believes is located in Europe. Which NIC should he select to have the greatest likelihood of success for his query?
A. AFRINIC
B. APNIC
C. RIPE
D. LACNIC

C. Brandon should select RIPE, the regional Internet registry for Europe, the Middle East, and parts of Central Asia. AFRINIC serves Africa, APNIC serves the Asia/Pacific region, and LACNIC serves Latin America and the Caribbean.

Geoff wants to perform passive reconnaissance as part of an evaluation of his organization's security controls. Which of the following techniques is a valid technique to perform as part of a passive DNS assessment?
A. A DNS forward or reverse lookup
B. A zone transfer
C. A WHOIS query
D. Using Maltego

C. Performing a WHOIS query is the only passive reconnaissance technique listed. Each of the other techniques performs an active reconnaissance task.

Alex has been asked to investigate a call to one of his organization's system administrators that is believed to have led to a breach. The administrator described that call by saying that the caller identified themselves as the assistant to the director of sales and said that they needed access to a file that was critical to a sales presentation with a major client but that their laptop had died. The administrator provided a link to the file, which included the organization's sales data for the quarter. What type of social engineering occurred?
A. Baiting
B. Quid pro quo
C. Pretexting
D. Whaling

C. This is an example of pretexting, which relies on creating a scenario that the victim will believe, resulting in the attacker gaining access. Baiting uses an item or something that the user desires to cause them to fall for a phishing style attack. Quid pro quo promises a benefit in exchange for information, and whaling is a phishing attack specifically aimed at important users.

After a series of compromised accounts led to her domain being blacklisted, Lauren has been asked to restore her company's email as quickly as possible. Which of the following options is not a valid way to allow her company to send email successfully?
A. Migrate her company's SMTP servers to new IP addresses.
B. Migrate to a cloud email hosting provider.
C. Change SMTP headers to prevent blacklisting.
D. Work with the blacklisting organizations to get removed from the list.

C. While some blacklists use entire IP ranges, changing IP addresses for SMTP servers is often a valid quick fix. Some organizations even discover that one server has been blacklisted and others in their cluster have not been. Migrating to a cloud provider or working with the blacklisting organizations can help, and online validation tools can help Lauren quickly check which lists her organization is on. Changing SMTP headers won't help!

Isaac wants to prevent hosts from connecting to known malware distribution domains. What type of solution can he use to do this without deploying endpoint protection software or an IPS?
A. Route poisoning
B. Anti-malware router filters
C. Subdomain whitelisting
D. DNS blackholing

D. DNS blackholing uses a list of known malicious domains or IP addresses and relies on listing the domains on an internal DNS server, which provides a fake reply. Route poisoning prevents networks from sending data to a destination that is invalid. Routers do not typically have an anti-malware filter feature, and subdomain whitelisting was made up for this question.

While reviewing Apache logs, Cynthia notices the following log entries. What has occurred?
10.0.1.1 - POST /wordpress/wp-content/r57.php?1 200
10.0.1.1 - GET /wordpress/wp-content/r57.php 200
A. A file was downloaded and verified.
B. A file was emailed.
C. A file was moved to the wp-content directory.
D. A file was uploaded and verified.

D. The POST shows a file being uploaded, and the GET shows an attempt to retrieve it. If Cynthia doesn't expect her system to allow uploads, she should check into what occurred. If she searches for r57.php, she will become much more concerned; it is a remote access tool!

Which of the following items is not typically included in the rules of engagement for a penetration test?
A. Timing
B. Authorization
C. Scope
D. Authorized tools

D. The rules of engagement for a penetration test typically describe the scope, timing, authorization, and techniques that will be used (or that are prohibited). This helps to ensure that unexpected impacts are minimized and allows both the tester and the target organization to understand what will occur. Specifically listing authorized tools is not typical for most rules of engagement.

While scanning a network, Frank discovers a host running a service on TCP ports 1812 and 1813. What type of server has Frank most likely discovered?
A. RADIUS
B. VNC
C. Kerberos
D. Postgres

A. RADIUS typically uses TCP ports 1812 and 1813. Kerberos is primarily a UDP service although it also uses TCP 544 and 2105, Postgres uses 5432, and VNC uses 5500.

Rhonda has identified a privilege escalation flaw on the system she targeted in the first phase of her penetration test and is now ready to take the next step. According to the NIST 800-115 standard, what is step C that Rhonda needs to take, as shown in this diagram?
(Flow diagram shows gaining access leads to escalating privileges, which leads to C and install additional tools, where finally it leads back to gaining access.)
A. System browsing
B. Scanning
C. Rooting
D. Consolidation

A. Rhonda's next step is to prepare to pivot. To do so, she needs to browse for additional systems and to identify the methods she will use to access them. At times, this will move her back into the discovery phase.

Angela wants to block traffic sent to a suspected malicious host. What iptables rule entry can she use to block traffic to a host with IP address 10.24.31.11?
A. iptables -A OUTPUT -d 10.24.31.11 -j DROP
B. iptables -A INPUT -d 10.24.31.11 -j ADD
C. iptables -block -host 10.24.31.11 -j DROP
D. iptables -block -ip 10.24.31.11 -j ADD

A. Adding an iptables entry uses the -A flag to add to a list. Here, you can safely assume that OUTPUT is the outbound ruleset. The -d flag is used to designate the IP address or subnet range, and -j specifies the action, DROP.

The national insurance company that Luke works for has experienced a breach, and Luke is attempting to categorize the impact. As he reviews the incident report, he notes that customer data that included Social Security numbers was exfiltrated from the organization. How should he categorize the impact?
A. As a regulated information breach
B. As an intellectual property breach
C. As a confidential information breach
D. As an integrity loss

A. Luke knows that Social Security number breaches are regulated in most states in the United States and that this means his organization has experienced a regulated information breach. He will now most likely have to take actions as required by law in the states in which they have Nexus.

Mike's penetration test requires him to use passive mapping techniques to discover network topology. Which of the following tools is best suited to that task?
A. Wireshark
B. nmap
C. netcat
D. Angry IP Scanner

A. Passive network mapping can be done by capturing network traffic using a sniffing tool like Wireshark. Active scanners including nmap, the Angry IP Scanner, and netcat (with the -z flag for port scanning) could all set off alarms as they scan systems on the network.

While conducting a penetration test, Ben executes the following command:
ifconfig eth0 hw ether 08:00:27:06:d4
What network protection is Ben most likely attempting to avoid?
A. Port security
B. NAC
C. A firewall
D. An IPS

A. Port security filters on MAC address and the command Ben executed changed the MAC address of his PC. In most cases, simply changing a MAC address will not help him bypass NAC, and both firewalls and IPS won't care about his MAC address.

Andrea needs to add a firewall rule that will prevent external attackers from conducting topology gathering reconnaissance on her network. Where should she add a rule intended to block this type of traffic?
(Flow diagram shows Internet leads to A - firewall and vice versa, A - firewall leads to B - router and vice versa, B - router leads to C - layer 3 distribution switch and vice versa, and C - layer 3 distribution switch leads to D - Windows 2012 server and vice versa.)
A. The firewall
B. The router
C. The distribution switch
D. The Windows 2012 server

A. Since Andrea is attempting to stop external scans from gathering information about her network topology, the firewall is the best place to stop them. A well-designed ruleset can stop, or at least limit, the amount of network topology information that attackers can collect.

Susan is reviewing files on a Windows workstation and believes that cmd.exe has been replaced with a malware package. Which of the following is the best way to validate her theory?
A. Submit cmd.exe to VirusTotal.
B. Compare the hash of cmd.exe to a known good version.
C. Check the file using the National Software Reference Library.
D. Run cmd.exe to make sure its behavior is normal.

A. Susan's best option is to submit the file to a tool like VirusTotal, which will scan it for virus-like behaviors and known malware tools. Checking the hash by using either a manual check or by using the National Software Reference Library can tell her if the file matches a known good version but won't tell her if it includes malware. Running a suspect file is the worst option on the list!

Jennifer analyzes a Wireshark packet capture from a network that she is unfamiliar with. She discovers that a host with IP address 10.11.140.13 is running services on TCP ports 636 and 443. What services is that system most likely running?
A. LDAPS and HTTPS
B. FTPS and HTTPS
C. RDP and HTTPS
D. HTTP and Secure DNS

A. TCP port 636 is often used for secure LDAP, and secure HTTP typically uses TCP 443. While other services could use these ports, Jennifer's best bet is to presume that they will be providing the services they are typically associated with.

What U.S. government program seeks to provide trusted sources that meet the following requirements?
- Provide a chain of custody for classified and unclassified integrated circuits
- Ensure that there will not be any reasonable threats related to supply disruption
- Prevent intentional or unintentional modification or tampering of integrated circuits
- Protect integrated circuits from reverse engineering and vulnerability testing
A. Trusted Foundry
B. Chain of Custody
C. Trusted Suppliers
D. Trusted Access Program

A. The U.S. Department of Defense's Trusted Foundry program is intended to ensure the integrity and confidentiality of integrated circuits throughout the design and manufacturing life cycle while retaining access to leading-edge technology for trusted and untrusted uses.

Which of the following commands will provide Ben with the most information about a host?
A. dig -x [ip address]
B. host [ip address]
C. nslookup [ip address]
D. zonet [ip address]

A. The dig command provides information including the time the query was done, details of the query that was sent, and the flags sent. In most cases, however, host, dig -x, and nslookup will provide roughly the same information. zonet is not an actual Linux command.

When Scott performs an nmap scan with the -T flag set to 5, what variable is he changing?
A. How fast the scan runs
B. The TCP timeout flag it will set
C. How many retries it will perform
D. How long the scan will take to start up

A. The nmap -T flag accepts a setting between 0 ("paranoid") and 5 ("insane"). When Scott sets his scan to use the insane setting, it will perform the fastest scanning it can, which will likely set off any IDS or IPS that is watching for scans.

Part of Tracy's penetration testing assignment is to evaluate the WPA2 Enterprise protected wireless networks of her target organization. What major differences exist between reconnaissance of a wired network versus a wireless network?
A. Encryption and physical accessibility
B. Network access control and encryption
C. Port security and physical accessibility
D. Authentication and encryption

A. Tracy knows that most wired networks do not use end-to-end encryption by default and that wireless networks are typically more easily accessible than a wired network that requires physical access to a network jack or a VPN connection from an authorized account. Without more detail, she cannot determine whether authentication is required for both networks, but NAC is a common security feature of wired networks, and WPA2 Enterprise requires authentication as well. Port security is used only for wired network connections.

Fred's reconnaissance of an organization includes a search of the Censys network search engine. There, he discovers multiple certificates with validity dates as shown here:
Validity
2016-07-07 00:00:00 to 2017-08-11 23:59:59 (400 days, 23:59:59)
2016-07-08 00:00:00 to 2017-08-12 23:59:59 (400 days, 23:59:59)
2017-07-11 00:00:00 to 2018-08-15 23:59:59 (400 days, 23:59:59)
What should Fred record in his reconnaissance notes?
A. The certificates expired as expected, showing proper business practice.
B. The certificates were expired by the CA, possibly due to nonpayment.
C. The system that hosts the certificates may have been compromised.
D. The CA may have been compromised, leading to certificate expiration.

A. When an organization expires multiple certificates, it often indicates a security problem that resulted in a need to invalidate the certificates. Fred should check for other information about a possible compromise near the dates of expiration.

Chris wants to prevent users from running a popular game on Windows workstations he is responsible for. How can Chris accomplish this for Windows 10 Pro workstations?
A. Using application whitelisting to prevent all unallowed programs from running
B. Using Windows Defender and adding the game to the blacklist file
C. By listing it in the Blocked Programs list via secpol.msc
D. You cannot blacklist applications in Windows 10 without a third-party application.

A. Windows 10 Pro and Enterprise support application whitelisting. Chris can whitelist his allowed programs and then set the default mode to "disallowed", preventing all other applications from running and thus blacklisting the application. This can be a bit of a maintenance hassle but can be useful for high-security environments or those in which limiting what programs can run is critical.

While gathering DNS information about an organization, Chris discovered multiple AAAA records. What type of reconnaissance does this mean Chris may want to consider?
A. Second-level DNS queries
B. IPv6 scans
C. Cross-domain resolution
D. A CNAME verification

B. AAAA records are IPv6 address records. This means that Chris may also want to scan for hosts that are available via IPv6 gateways. The rest of the answers here are made up for this question.

Every year, Alice downloads and reads a security industry published list of all the types of attacks, compromises, and malware events that have occurred, that are becoming more prevalent, and that are decreasing in occurrence. What type of analysis can she perform using this information?
A. Anomaly
B. Trend
C. Heuristic
D. Availability

B. Alice can use trend analysis to help her determine what attacks are most likely to target her organization and then take action based on the trends that are identified.

Charles received a pcap file from a system administrator at a remote site who was concerned about the traffic it showed. What type of behavior should Charles report after his analysis of the file?
(Table shows columns for number, time, source (10.100.25.14), destination (10.100.18.12), protocol (TCP), length, and info.)
A. A DoS attack
B. Port scanning
C. A DDoS attack
D. Service access issues

B. Charles should immediately notice that all traffic comes from one host (10.100.25.14) and is sent to the same host (10.100.18.12). All the traffic shown is TCP SYNs to well-known ports. Charles should quickly identify this as a SYN-based port scan.

While application vulnerability scanning one of her target organization's web servers, Andrea notices that the server's hostname is resolving to a cloudflare.com host. What does Andrea know about her scan?
A. It is being treated like a DDoS attack.
B. It is scanning a CDN-hosted copy of the site.
C. It will not return useful information.
D. She cannot determine anything about the site based on this information.

B. Cloudflare, Akamai, and other content distribution networks use a network of distributed servers to serve information closer to requesters. In some cases, this may make parts of a vulnerability scan less useful, while others may remain valid. Here, Andrea simply knows that the content is hosted in a CDN and that she may not get all of the information she wants from a scan.

Alex is observing a penetration tester who has gained access to a Windows domain controller. The penetration tester runs a program called fgdump and gathers information from the system. What type of information has the penetration tester targeted?
A. File and group information
B. Passwords and usernames
C. Active Directory full GPO lists
D. Nothing, because FGDump is a Linux tool.

B. FGDump is a tool used for Windows password auditing. If successful, it will dump the username and password hash for every user.

Chris wants to gather as much information as he can about an organization using DNS harvesting techniques. Which of the following methods will most easily provide the most useful information if they are all possible to conduct on the network he is targeting?
A. DNS record enumeration
B. Zone transfer
C. Reverse lookup
D. Domain brute forcing

B. If Chris can perform a zone transfer, he can gather all of the organization's DNS information, including domain servers, host names, MX and CNAME records, time to live records, zone serial number data, and other information. This is the easiest way to gather the most information about an organization via DNS if it is possible. Unfortunately, for penetration testers (and attackers!), few organizations allow untrusted systems to perform zone transfers.

Which of the following items is not one of the three important rules that should be established before a penetration test?
A. Timing
B. Reporting
C. Scope
D. Authorization

B. It is critical to determine when a penetration test will occur and what systems, networks, personnel, and other targets are part of the test and which are not. In addition, testers must have the proper permission to perform the test. The content and format of the summary are important but not critical to have in place before the penetration test occurs.

While reviewing output from netstat, John sees the following output. What should his next action be?
[minesweeper.exe] TCP 127.0.0.1:62522 dynamo:0 LISTENING
[minesweeper.exe] TCP 192.168.1.100 151.101.2.69:https ESTABLISHED
A. Capture traffic to 151.101.2.69 using Wireshark.
B. Initiate the organization's incident response plan.
C. Check to see whether 151.101.2.69 is a valid Microsoft address.
D. Ignore it, because this is a false positive.

B. John has discovered a program that is accepting connections and has an open connection, neither of which is typical for the Minesweeper game. Attackers often disguise Trojans as innocuous applications, so John should follow his organization's incident response plan.

While tracking a potential APT on her network, Cynthia discovers a network flow for her company's central file server. What does this flow entry most likely show if 10.2.2.3 is not a system on her network?
Date flow start          Duration  Proto  Src IP Addr:Port->Dst IP Addr:Port  Packets  Bytes  Flows
2017-07-11 13:06:46.343  21601804  TCP    10.1.1.1:1151->10.2.2.3:443         9473640  9.1 G  1
2017-07-11 13:06:46.551  21601804  TCP    10.2.2.3:443->10.1.1.1:1151         8345101  514 M  1
A. A web browsing session
B. Data exfiltration
C. Data infiltration
D. A vulnerability scan

B. Large data flows leaving an organization's network may be a sign of data exfiltration by an advanced persistent threat. Using HTTPS to protect the data while making it look less suspicious is a common technique.

As part of her system hardening process for a Windows 10 workstation, Lauren runs the Microsoft Baseline System Analyzer. She sees the following result after MBSA runs. What can she determine from this scan?
(Window shows Microsoft Baseline Security Analyzer where table shows columns for score, share, directory, share ACL (admin share), and directory ACL.)
A. The system has been compromised, and shares allow all users to read and execute administrative files.
B. The system has default administrative shares enabled.
C. The system is part of a domain that uses administrative shares to manage systems.
D. The shares are properly secured and pose no threat to the system.

B. Lauren can determine only that the default administrative shares are enabled. While administrative shares are useful for remote administration, they can pose a threat for systems that do not require them, and some security baselines suggest disabling them in the registry if they are not used.

Lauren inputs the following command on a Linux system:
#echo 127.0.0.1 example.com >> /etc/hosts
What has she done?
A. She has added the system to the allowed hosts file.
B. She has routed traffic for the example.com domain to the local host.
C. She has routed local host traffic to example.com.
D. She has overwritten the hosts file and will have deleted all data except this entry.

B. Lauren has added an entry to the hosts file that routes all traffic for example.com to her local address. This is a useful technique to prevent a system from contacting a malicious host or domain or to simply prevent a nontechnical user from visiting specific sites or domains.

Lauren wants to perform regular scans of the entire organizational network but only has a budget that supports buying hardware for a single scanner. Where should she place her scanner to have the most visibility and impact?
A. Location A
B. Location B
C. Location C
D. Location D

B. Lauren will see the most important information about her organization at location B, which provides a view of data center servers behind the data center firewall. To get more information, she should request that the client network firewall ruleset include a rule allowing her scanner to scan through the firewall to all ports for all systems on all protocols.

Lauren is a security analyst who has been tasked with performing nmap scans of her organization's network. She is a new hire and has been given this logical diagram of the organization's network but has not been provided with any additional detail. Lauren wants to determine what IP addresses to scan from location A. How can she find this information?
A. Scan the organization's web server and then scan the other 255 IP addresses in its subnet.
B. Query DNS to find her organization's registered hosts.
C. Contact ICANN to request the data.
D. Use traceroute to identify the network that the organization's domain resides in.

B. Lauren's best option from this list is to query DNS using WHOIS. She might also choose to use a BGP looking glass, but most of the information she will need will be in WHOIS. If she simply scans the network the web server is in, she may end up scanning a third-party hosting provider, or other systems that aren't owned by her organization in the /24 subnet range. Contacting ICANN isn't necessary with access to WHOIS, and depending on what country Lauren is in, ICANN may not have the data she wants. Finally, using traceroute will only show the IP address of the system she queries; she needs more data to perform a useful scan in most instances.

Geoff has been asked to identify a technical solution that will reduce the risk of captured or stolen passwords being used to allow access to his organization's systems. Which of the following technologies should he recommend?
A. Captive portals
B. Multifactor authentication
C. VPNs
D. OAuth

B. Multifactor authentication helps reduce the risk of a captured or stolen password by requiring more than one factor to authenticate. Attackers are less likely to have also stolen a token, code, or biometric factor.

Nathan has been asked to monitor and manage the environment in which a cybersecurity exercise is conducted. What team is he on?
A. Red team
B. White team
C. Blue team
D. Black team

B. Nathan is part of the white team, which manages the environment. The red team attacks, and the blue team defends. Black team is not a term that is commonly used in this context, but some organizations identify purple and green teams (often with varying descriptions for their responsibilities, which is admittedly confusing!).

Chris discovers the following entries in /var/log/auth.log. What is most likely occurring?
Aug 6 14:13:00 demo sshd[5279]: Failed password for root from 10.11.34.11 port 38460 ssh2
Aug 6 14:13:00 demo sshd[5275]: Failed password for root from 10.11.34.11 port 38452 ssh2
Aug 6 14:13:00 demo sshd[5284]: Failed password for root from 10.11.34.11 port 38474 ssh2
Aug 6 14:13:00 demo sshd[5272]: Failed password for root from 10.11.34.11 port 38446 ssh2
Aug 6 14:13:00 demo sshd[5276]: Failed password for root from 10.11.34.11 port 38454 ssh2
Aug 6 14:13:00 demo sshd[5273]: Failed password for root from 10.11.34.11 port 38448 ssh2
Aug 6 14:13:00 demo sshd[5271]: Failed password for root from 10.11.34.11 port 38444 ssh2
Aug 6 14:13:00 demo sshd[5280]: Failed password for root from 10.11.34.11 port 38463 ssh2
Aug 6 14:13:01 demo sshd[5302]: Failed password for root from 10.11.34.11 port 38478 ssh2
Aug 6 14:13:01 demo sshd[5301]: Failed password for root from 10.11.34.11 port 38476 ssh2
A. A user has forgotten their password.
B. A brute-force attack against the root account
C. A misconfigured service
D. A denial-of-service attack against the root account

B. Repeated failures from the same host likely indicate a brute-force attack against the root account.

Which of the following capabilities is not a typical part of a SIEM system?
A. Alerting
B. Performance management
C. Data aggregation
D. Log retention

B. SIEM systems typically provide alerting, event and log correlation, compliance data gathering and reporting, data and log aggregation, and data retention capabilities. This also means that they can be used for forensic analysis as they should be designed to provide a secure copy of data. They do not typically provide performance management-specific capabilities.

Chris knows that systems have connected to a remote host on TCP ports 1433 and 1434. If he has no other data, what should his best guess be about what the host is?
A. A print server
B. A Microsoft SQL server
C. A MySQL server
D. A secure web server running on an alternate port

B. TCP ports 1433 and 1434 are commonly associated with Microsoft SQL servers. A print server will likely use ports 515, 631, and 9100; a MySQL server will typically use 3306; and alternate ports for web servers vary, but 8443 is a common alternative port.

While reviewing Apache logs, Janet sees the following entries as well as hundreds of others from the same source IP. What should Janet report has occurred?
[ 21/Jul/2017:02:18:33 -0500] - - 10.0.1.1 "GET /scripts/sample.php" "-" 302 336 0
[ 21/Jul/2017:02:18:35 -0500] - - 10.0.1.1 "GET /scripts/test.php" "-" 302 336 0
[ 21/Jul/2017:02:18:37 -0500] - - 10.0.1.1 "GET /scripts/manage.php" "-" 302 336 0
[ 21/Jul/2017:02:18:38 -0500] - - 10.0.1.1 "GET /scripts/download.php" "-" 302 336 0
[ 21/Jul/2017:02:18:40 -0500] - - 10.0.1.1 "GET /scripts/update.php" "-" 302 336 0
[ 21/Jul/2017:02:18:42 -0500] - - 10.0.1.1 "GET /scripts/new.php" "-" 302 336 0
A. A denial-of-service attack
B. A vulnerability scan
C. A port scan
D. A directory traversal attack

B. Testing for common sample and default files is a common tactic for vulnerability scanners. Janet can reasonably presume that her Apache web server was scanned using a vulnerability scanner.

While reviewing logs from users with root privileges on an administrative jump box, Alex discovers the following suspicious command:
nc -l -p 43501 < example.zip
What happened?
A. The user set up a reverse shell running as example.zip.
B. The user set up netcat as a listener to push example.zip.
C. The user set up a remote shell running as example.zip.
D. The user set up netcat to receive example.zip.

B. The -l flag is a key hint here, indicating that netcat was set up as a listener. Any connection to port 43501 will result in example.zip being sent to the connecting application. Typically, a malicious user would then connect to that port using netcat from a remote system to download the file.

Which of the three key objectives of cybersecurity is often ensured by using techniques like hashing and the use of tools like Tripwire?
A. Confidentiality
B. Integrity
C. Identification
D. Availability

B. The three objectives of cybersecurity are confidentiality, integrity, and availability. Hashing and the use of integrity monitoring tools like Tripwire are both techniques used to preserve integrity; in fact, file integrity monitoring tools typically use hashing to verify that files remain intact and unchanged.

Scott is part of the white team who is overseeing his organization's internal red and blue teams during an exercise that requires each team to only perform actions appropriate to the penetration test phase they are in. During the reconnaissance phase, he notes the following behavior as part of a Wireshark capture. What should he report? Window shows table with columns for number, time, source, destination (10.0.2.15, 10.0.2.4), protocol (TCP, HTTP), length, and info. The blue team has succeeded. The red team is violating the rules of engagement. The red team has succeeded. The blue team is violating the rules of engagement.

B. This capture shows SQL injection attacks being attempted. Since this is the reconnaissance phase, the red team should not be actively attempting to exploit vulnerabilities and has violated the rules of engagement.

What services will the following nmap scan test for? nmap -sV -p 22,25,53,389 192.168.2.50/27 telnet, SMTP, DHCP, MS-SQL ssh, SMTP, DNS, LDAP telnet, SNMP, DNS, LDAP ssh, SNMP, DNS, RDP

B. This nmap scan will scan for ssh (22), SMTP (25), DNS (53), and LDAP (389) on their typical ports. If the services are running on an alternate port, this scan will completely miss those and any other services.

While reviewing email logs for his domain's email server, Rick notices that a single remote host is sending email to usernames that appear to be in alphabetical order: [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] ... This behavior continues for thousands of entries, resulting in many bounced email messages, but some make it through. What type of reconnaissance has Rick encountered? Brute force Domain harvesting Domain probe Email list builder

B. This type of probe is known as domain harvesting and relies on message rejection error messages to help the individual running the probe to determine which email accounts actually exist. Rick may want to disable delivery receipts, disable nondeliverable responses, or investigate more advanced techniques like false nondeliverable responses or recipient filtering and tar pitting.

Senior C-level executives at the organization that Alex works for have received targeted phishing messages that include a fake organizational login page link and a message that states that their passwords were inadvertently reset during a scheduled maintenance window. What type of attack should Alex describe in his after action report? Tuna phishing Whaling Spear phishing SAML phishing

B. Whaling is a term used to specifically denote phishing attacks aimed at high-ranking officers of a company. Spear phishing describes phishing messages apparently sent by an individual or organization that the recipient is familiar with and leverages trust in that organization. Neither tuna phishing nor SAML phishing are industry terms.

After Charles completes a topology discovery scan of his local network, he sees the Zenmap topology shown here. What can Charles determine from the Zenmap topology view? Diagram shows circle with markings for router.demo.com (192.168.1.1), DemoHost2 (192.168.1.17), DemoPrinter (192.168.1.9), DemoHost4 (192.168.1.79), et cetera. There are five hosts with port security enabled. DemoHost2 is running a firewall. DemoHost4 is running a firewall. There are four hosts with vulnerabilities and seven hosts that do not have vulnerabilities.

B. Zenmap topologies show a number of pieces of useful information. The icons next to DemoHost2 show the following information: a relative assessment of how many ports are open, with white showing "not scanned," green showing less than three open ports, yellow showing three to six open ports, and red showing more than six open ports. Next, it shows a firewall is enabled, and finally the lock icon shows that some ports are filtered. In this scan, only DemoHost2 has been identified by nmap as currently running a firewall, which doesn't mean that other hosts are not actually running firewalls!

What two pieces of information does nmap need to estimate network path distance? IP address and TTL TTL and operating system Operating system and BGP flags TCP flags and IP address

B. nmap can combine operating system identification and time to live to take a reasonable guess at the number of hops in the network path between the scanner and a remote system. The operating system guess will provide the base time to live, and the TTL counter will decrement at each hop. Given these two pieces of information, nmap takes an educated but often very accurate guess.

Allan's nmap scan includes a line that starts with cpe:/o. What type of information should he expect to gather from the entry? Common privilege escalation Operating system Certificate performance evaluation Hardware identification

B. nmap provides both hardware and operating system identification capabilities as part of its common platform enumeration features. cpe:/o indicates operating system identification, and cpe:/h indicates hardware identification.

Shane wants to conduct an nmap scan of a firewalled subnet. Which of the following is not an nmap firewall evasion technique he could use? Fragmenting packets Changing packet header flags Spoofing the source IP Appending random data

B. nmap supports quite a few firewall evasion techniques including spoofing the MAC (hardware) address, appending random data, setting scan delays, using decoy IP addresses, spoofing the source IP or port, modifying the MTU size, or intentionally fragmenting packets.

An access control system that relies on the operating system to constrain the ability of a subject to perform operations is an example of what type of access control system? A discretionary access control system A role-based access control system A mandatory access control system A level-based access control system

C. A mandatory access control system relies on the operating system to constrain what actions or access a subject can perform on an object. Role-based access control uses roles to determine access to resources, and discretionary access control allows subjects to control access to objects that they own or are responsible for. Level-based access control is a type of role-based access control.

John needs to protect his organization's authentication system against brute-force attacks. Which of the following control pairs are best suited to preventing a brute-force attack from succeeding if ease of use and maintenance is also important? Passwords and PINs Passwords and biometrics Passwords and token-based authentication Token-based authentication and biometrics

C. A password combined with token-based authentication can prevent brute-force attacks that might succeed against a password or password and PIN combination. Biometric factors are useful but often have significant maintenance and deployment overhead and are typically more difficult to use than a token-based second factor.

Attackers have been attempting to log into Alaina's Cisco routers, causing thousands of log entries, and she is worried they may eventually succeed. Which of the following options should she recommend to resolve this issue? Prevent console login via ssh. Implement a login-block feature with back-off settings. Move the administrative interface to a protected network. Disable console access entirely.

C. Best practice for most network devices is to put their administrative interfaces on a protected network. Many organizations then require administrators to connect via a jump box, adding another layer of protection. Preventing console access is typically not desirable in case changes need to be made and a GUI is not available; login-block can help but will only slow down attacks and will not prevent them.

As part of his reconnaissance effort, Chris enters usernames from public information about a company into a site like checkusernames.com and receives information like the results shown here. What type of action is he performing? Window shows website of checkusernames.com which has search bar with text correctbatteryhorsestaple, button for check user name, and options for You Tube too long, Wikipedia available, TMZ not available, et cetera. Social engineering Brute-force username guessing Social media profiling Phishing

C. Chris is performing a type of social media profiling. While common usernames may not tell him very much, unique usernames or those commonly used by a specific target can help him gather more information about the sites his targets use.

While Greg was performing a port scan of a critical server system, the system administrators at his company observed the behavior shown here in their network management software suite. What action should Greg take after he is shown this chart? Bar graph shows AMI (AWS) on days from 21st April to 22nd April versus response time in milliseconds from 0 ms to 1500 ms versus percent packet loss from 0 percent to 100 percent with plots for average response time AMI (AWS), percentile 95 percent, et cetera. Increase the number of concurrent scans. Decrease the number of ports scanned. Decrease the number of concurrent scans. Increase the number of ports scanned.

C. Greg is seeing a significant increase in network latency for the host he is scanning, which could result in performance issues for users of the server. Greg needs to slow down his scan, which can be accomplished by reducing the number of concurrent scans.

While conducting a topology scan of a remote web server, Susan notes that the IP addresses returned for the same DNS entry change over time. What has she likely encountered? A route change Fast flux DNS A load balancer An IP mismatch

C. Load balancers can alias multiple servers to the same hostname. This can be confusing when conducting scans, as it may appear that multiple IP addresses or hosts are responding for the same system.

While attempting to stop a rogue service, Monica issues the following Linux command on an Ubuntu system using upstart: service rogueservice stop After a reboot, she discovers the service running again. What happened, and what does she need to do to prevent this? The service restarted at reboot; she needs to include the "-p", or permanent flag. The service restarted itself; she needs to delete the binary associated with the service. The service restarted at reboot; she should add an .override file to stop the service from starting. A malicious user restarted the service; she needs to ensure users cannot restart services.

C. Monica issued a command that only stops a running service. It will restart at reboot unless the scripts that start it are disabled. On modern Ubuntu systems, that is handled by upstart. Other services may use init.d scripts. In either case, when asked a question like this, you can quickly identify this as a problem that occurred at reboot and remove the answer that isn't likely to be correct.

If Lauren runs a scan from location B that targets the servers on the data center network and then runs a scan from location C, what differences is she most likely to see between the scans? The scans will match. Scans from location C will show no open ports. Scans from location C will show fewer open ports. Scans from location C will show more open ports.

C. Most data center firewalls are configured to only allow the ports for publicly accessible services through to other networks. Location C is on an internal network, so Lauren will probably see more ports than if she tried to scan data center systems from location A, but it is likely that she will see far fewer ports than a port scan of the data center from inside the data center firewall will show.

The netflow collector that Sam's security team uses is capable of handling 1 gigabit of traffic per second. As Sam's organization has grown, it has increased its external network connection to a 2 gigabit per second external link and has begun to approach full utilization at various times during the day. If Sam's team does not have new budget money to purchase a more capable collector, what option can Sam use to still collect useful data? Enable QoS Enable netflow compression Enable sampling None of the above

C. Random or deterministic sampling can help Sam's team capture usable flows despite not being able to handle the full throughput of their network. Random sampling will capture a random packet out of every n packets, with n set by the user. Deterministic sampling simply takes every nth packet that passes through, so Sam might sample the 1st, 11th, 21st, and so on. This means that small flows may be missed, but in this case, sampling half of all packets is still possible, meaning most flows will still be captured.

What major issue would Charles face if he relied on hashing malware packages to identify malware packages? Hashing can be spoofed. Collisions can result in false positives. Hashing cannot identify unknown malware. Hashing relies on unencrypted malware samples.

C. Relying on hashing means that Charles will only be able to identify the specific versions of malware packages that have already been identified. This is a consistent problem with signature-based detections, and malware packages commonly implement polymorphic capabilities that mean that two instances of the same package will not have identical hashes because of changes meant to avoid signature-based detection systems.

While reviewing netflows for a system on her network, Alice discovers the following traffic pattern. What is occurring?
Date flow start          Duration Proto Src IP Addr:Port->Dst IP Addr:Port Packets Bytes Flows
2017-07-11 04:59:32.934  0.000    TCP   10.1.1.1:34543->10.2.2.6:22        1       60    1
2017-07-11 04:59:39.730  0.000    TCP   10.1.1.1:34544->10.2.2.7:22        1       60    1
2017-07-11 04:59:46.166  0.000    TCP   10.1.1.1:34545->10.2.2.8:22        1       60    1
2017-07-11 04:59:52.934  0.000    TCP   10.1.1.1:34546->10.2.2.9:22        1       60    1
2017-07-11 05:00:06.710  0.000    TCP   10.1.1.1:34547->10.2.2.10:22       1       60    1
2017-07-11 05:00:46.160  0.000    TCP   10.1.1.1:34548->10.2.2.11:22       1       60    1
2017-07-11 05:01:32.834  0.000    TCP   10.1.1.1:34549->10.2.2.12:22       1       60    1
2017-07-11 05:01:39.430  0.000    TCP   10.1.1.1:34550->10.2.2.13:22       1       60    1
2017-07-11 05:01:46.676  0.000    TCP   10.1.1.1:34551->10.2.2.14:22       1       60    1
telnet scan ssh scan ssh scan with unsuccessful connection attempts sftp scan with unsuccessful connection attempts

C. TCP port 22 indicates that this is most likely an ssh scan, and the single packet with no response traffic indicates unsuccessful connection attempts. If the system is not normally used for scanning for open ssh servers, Alice should look into why it is behaving this way.

Selah suspects that the Linux system she has just logged into may be Trojaned and wants to check where the bash shell she is running is being executed from. What command should she run to determine this? where bash ls -l bash which bash printenv bash

C. The which command will show Selah where the bash executable is being run from, typically /bin/bash. If she finds that bash is running from a user directory or somewhere else suspicious, she should immediately report it! (If you're familiar with the printenv command, option D may be tricky; printenv doesn't accept specific flags, so Selah would need to pipe the output to grep or to search it manually to find bash there.)

While conducting active reconnaissance, Lauren discovers a web remote management application that appears to allow Windows command-line access on a server. What command can she run to quickly determine what user the service is running as? username showuser whoami cd c:\Users\%currentuser

C. The whoami command will show the username and its domain. This can be useful when determining whether a service is running as a user or a service account.

As part of his reconnaissance effort, Charles uses the following Google search string: "authentication failure; logname=" ext:log;site:example.com What will he find if he receives results from his target's domain? A list of successful logins A list of log names A list of failed logins A list of log files

C. This Google dork relies on log files being inadvertently exposed for a site. If the authentication logs are exposed, this will show lists of failed logins, along with login paths, possibly providing Charles with a useful list of usernames. He can then leverage that list by attempting logins, by gathering further information on the users, or by using social engineering.

While reviewing the command history for an administrative user, Chris discovers a suspicious command that was captured, shown here: ln /dev/null ~/.bash_history What action was this user attempting to perform? Enabling the bash history Appending the contents of /dev/null to the bash history Logging all shell commands to /dev/null Allowing remote access from the null shell

C. This command will prevent commands entered at the bash shell prompt from being logged, as they are all sent to /dev/null. This type of action is one reason that administrative accounts are often logged to remote hosts, preventing malicious insiders or attackers who gain administrative access from hiding their tracks.

Ron is reviewing his team's work as part of a reconnaissance effort and is checking Wireshark packet captures. His team reported no open ports on 10.0.2.15. What issue should he identify with their scan based on the capture shown here? Window shows table with columns for number, time, source, destination (10.0.2.15), protocol (UDP), length (60), and info. The host was not up. Not all ports were scanned. The scan scanned only UDP ports. The scan was not run as root.

C. This scan shows only UDP ports. Since most services run as TCP services, this scan wouldn't have identified most common servers. Ron should review the commands that his team issued as part of their exercise. If he finds that nmap was run with a -sU flag, he will have found the issue.

Lauren wants to identify all the printers on the subnets she is scanning with nmap. Which of the following nmap commands will not provide her with a list of likely printers? nmap -sS -p 9100,515,631 10.0.10.15/22 -oX printers.txt nmap -O 10.0.10.15/22 -oG - | grep printer >> printers.txt nmap -sU -p 9100,515,631 10.0.10.15/22 -oX printers.txt nmap -sS -O 10.0.10.15/22 -oG | grep >> printers.txt

C. Using a UDP scan, as shown in option C, with the -sU flag will not properly identify printers since print service ports are TCP ports. The other commands will properly scan and identify many printers based on either their service ports (515, 631, 9100) or their OS version.

Adam needs to provide ssh access to systems behind his data center firewall. If Adam's organization uses the system architecture shown here, what is the system at point A called? Flow diagram shows computer leads to Internet (TCP 22/ssh connection) and vice versa, Internet leads to firewall or unified security device and vice versa, firewall or unified security device leads to device A and vice versa, et cetera. A firewall-hopper An isolated system A moat-protected host A jump box

D. Adam is using a jump box to provide access. A jump box, sometimes called a jump server or secure administrative host, is a system used to manage devices in a separate, typically higher security zone. This prevents administrators from using a less secure administrative workstation in the high security zone.

While investigating a compromise, Glenn encounters evidence that a user account has been added to the system he is reviewing. He runs a diff of /etc/shadow and /etc/passwd and sees the following output. What has occurred?
> root:$6$XHxtN5iB$5WOyg3gGfzr9QHPLo.7z0XIQIzEW6Q3/K7iipxG7ue04CmelkjC51SndpOcQlxTHmW4/AKKsKew4f3cb/.BK8/:16828:0:99999:7:::
> daemon:*:16820:0:99999:7:::
> bin:*:16820:0:99999:7:::
> sys:*:16820:0:99999:7:::
> sync:*:16820:0:99999:7:::
> games:*:16820:0:99999:7:::
> man:*:16820:0:99999:7:::
> lp:*:16820:0:99999:7:::
> mail:*:16820:0:99999:7:::
> news:*:16820:0:99999:7:::
> uucp:*:16820:0:99999:7:::
> proxy:*:16820:0:99999:7:::
> www-data:*:16820:0:99999:7:::
> backup:*:16820:0:99999:7:::
> list:*:16820:0:99999:7:::
> irc:*:16820:0:99999:7:::
The root account has been compromised. An account named daemon has been added. The shadow password file has been modified. /etc/shadow and /etc/passwd cannot be diffed to create a useful comparison.

D. Linux and Unix systems typically keep user account information stored in /etc/passwd, and /etc/shadow contains password and account expiration information. Using diff between the two files is not a useful strategy in this scenario.

Cynthia knows that the organization she is scanning runs services on alternate ports to attempt to reduce scans of default ports. As part of her intelligence-gathering process, she discovers services running on ports 8080 and 8443. What services are most likely running on these ports? Botnet C&C Nginx Microsoft SQL Server instances Web servers

D. Many system administrators have historically chosen 8080 and 8443 as the alternate service ports for plain-text and secure web services. While these ports could be used for any service, it would be reasonable for Cynthia to guess that a pair of services with ports like these belong to web servers.

While conducting a port scan of a remote system, Henry discovers TCP port 1433 open. What service can he typically expect to run on this port? Oracle VNC IRC Microsoft SQL

D. Microsoft SQL typically runs on TCP ports 1433 and 1434. Oracle's default is 1521, IRC is 6667, and VNC is 5900.

Sharon wants to gather email addresses as part of her reconnaissance efforts. Which of the following tools best suits her needs? nmap cree.py MailSnarf TheHarvester

D. TheHarvester is an email collection tool that can automatically gather email addresses from a domain, website, or other source. nmap does not provide an email-gathering capability, cree.py is a geolocation tool, and MailSnarf was made up for this question.

During an on-site penetration test of a small business, Bob scans outward to a known host to determine the outbound network topology. What information can he gather from the results provided by Zenmap? Window shows zenmap with options for target, profile, and command with tabs for Nmap output, ports/ hosts, topology (selected), host details, and scans, and diagram shows concentric circles with markings for localhost, 10.0.2.1 router.asus.com, 96.120.24.121, et cetera. There are two nodes on the local network. There is a firewall at IP address 96.120.24.121. There is an IDS at IP address 96.120.24.121. He should scan the 10.0.2.0/24 network.

D. This scan shows Bob that he is likely on a network using some portion of the 10.0.0.0/8 private IP space. An initial scan of the 10.0.2.0/24 network to determine what is near him would be a good start. Since the Zenmap scan was run to a single external host, it will not show other hosts on the local network, so there may be more than two nodes on the network. Bob cannot make determinations about what the host at 96.120.24.121 is, beyond a device on the route between the local host and his remote scan destination.

