Ethical Hacking - C701 TotalTester Part 2/2

You are cataloging asset worth in the environment. A particular hard drive fails once every three years and costs $300 to replace. Fourteen hours is required to restore normal operations on a failure. Recovery technicians earn $10 an hour. Which of the following is the closest approximate cost of the ALE?

$146 A is correct. ALE = SLE × ARO. In this case, ALE = [$300 (replacement) + $140 (14 hours @ 10/hour)] × 33 percent (1 failure every 3 years). B, C, and D are incorrect. These answers are not correct calculations, given ALE = SLE × ARO.

On a Windows-based machine, which switch can be used in ping to set the size of the echo request packet?

-l C is correct. The -l switch allows you to change the default packet size of an echo request leaving your machine. The default packet size leaving a Windows machine is 32 bytes. A, B, and D are incorrect. The -a switch resolves addresses to hostnames. The -s switch provides a timestamp for count hops. The -t switch indicates the ping will continue until stopped.

In 2016, the "Dyn attack" resulted in one of the largest and most successful DDoS efforts in history. Which malware played a large role in the attack?

. Mirai A is correct. For about three and a half hours on October 21st, 2016, IoT devices infected with the Mirai malware crippled Internet traffic by disrupting the DNS service's ability to respond to resolution requests. B, C, and D are incorrect. Each of these attacks was noteworthy in its own way, but did not play a role in the Dyn attack.

An attacker tells an employee she has left her badge at home and asks for the door to be held open. Which attack is in play here?

. Piggybacking B is correct. Piggybacking is different from tailgating in that there is no fake badge in play: the attacker doesn't have a badge but asks for someone to let her in anyway. A, C, and D are incorrect. Tailgating makes use of a fake badge. Shoulder surfing occurs when the attacker is already inside the building. Propping is not a valid term.

hich of the following refers to the network used by IoT-enabled vehicles?

. VANET A is correct. The Vehicle Ad Hoc Network (VANET) is the communications network used by our vehicles. It refers to the spontaneous creation of a wireless network for vehicle-to-vehicle (V2V) data exchange. B, C, and D are incorrect. Device to gateway is an IoT communication model, and edge networking is not correct. IoV is not a recognized term in CEHv10.

Which of the following represents the XOR from 01110011 and 11010101?

10100110 D is correct. XOR gates compare two inputs—if the two match, the output is a zero (0); if they don't, it's a one (1). A, B, and C are incorrect. These answers do not match the XOR for the two inputs.

Phishing e-mail attacks have caused severe harm to a company. The security office decides to provide training to all users in phishing prevention. Which of the following are true statements regarding identification of phishing attempts? (Choose all that apply.)

A. Ensure an e-mail is from a trusted, legitimate e-mail address source. B. Verify the spelling and grammar are correct. C. Verify all links before clicking them. A, B, and C are correct. Phishing e-mails can be spotted by who they are from, who they are addressed to, spelling and grammar errors, and unknown or malicious embedded links. D is incorrect. The last line containing a copyright is irrelevant.

Which of the following are common registry locations for malware insertion?

A. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run B. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices C. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce D. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce E is correct. All these registry locations are good bets for malware insertion. A, B, C, and D are incorrect. All answers are correct; therefore, "All the above" is the appropriate choice.

In sniffing traffic, you come across an ICMP type 3, code 13 packet. What is this packet used for?

Administratively prohibited D is correct. ICMP type 3, code 13 messages indicate the packet could not be routed because it was administratively prohibited (due to a firewall or router ACL). A, B, and C are incorrect. ICMP type 3 indicates unreachable, not TTL expiration (type 7) or redirect (type 5). Answer C is irrelevant.

Payment Card Industry Data Security Standard (PCI-DSS) requires organizations to perform external and internal penetration testing. What is the required occurrence?

At least once a year and after any significant infrastructure or application upgrade or modification is correct. PCI-DSS requires organizations to be tested at least once a year, and of course after any "significant" modifications. B, C, and D are incorrect. These answers don't reflect PCI-DSS requirements.

Which of the following is considered by OWASP to be the top vulnerability security professionals should be aware of in IoT systems?

B. Insecure web interface B is correct. Per OWASP, an insecure web interface can be present when an issue such as account enumeration, lack of account lockout, or weak credentials is present. Insecure web interfaces are prevalent as the intent is to have these interfaces exposed only on internal networks; however, threats from internal users can be just as significant as threats from external users. Issues with the web interface are easy to discover when examining the interface manually, along with automated testing tools to identify other issues such as cross-site scripting. A, C, and D are incorrect. Insufficient authentication/authorization, insecure network services, and an insecure cloud interface are ranked second, third, and sixth, respectively.

Which of the following statements is true?

B. Sniffers operate at Layer 2 of the OSI model. C. Sniffers operate at Layer 3 of the OSI model. D is correct. Sniffers operate at Layers 2 and 3 of the OSI model. Layer 2 provides for physical addressing and framing (MAC addresses, Ethernet frames, and so on) and Layer 3 handles the packets and payloads (IP addressing and such). A, B, and C are incorrect. I get it—technically nothing works without Layer 1, but we all know that's not what's being asked here. Answers B and C are both correct but neither is the best answer.

A security tester wants to see what can be found from the company's public-facing web servers. He enters the command nc 187.55.66.77 80. The returned output reads as follows: HTTP/1.1 200 OK Server: Microsoft-IIS/6 Expires: Tue, 17 Apr 2016 01:41:33 GMT Date: Mon, 16 Apr 2016 01:41:33 GMT Content-Type: text/html Accept-Ranges: bytes Last-Modified: Wed, 28 Dec 2015 15:32:21 GMT ETag: "b0aac0542e25c31:89d" Content-Length: 7369 Which of the following is an example of what the engineer performed?

Banner grabbing A is correct. You can easily perform banner grabbing with netcat. B, C, and D are incorrect. Netcat isn't used to query whois (registration information) or to perform SQL injection or XSS.

Which of the following provides specific services to untrusted networks or hosts?

Bastion host C is correct. Bastion hosts are deliberately placed on the edge of the network—that is, public facing—to handle external requests for <fill-in-the-blank-with-whatever-service-you-can-think-of>. They must be hardened and protected, for obvious reasons, but are designed to protect the internal network. A, B, and D are incorrect. Proxy firewalls are designed primarily to hide networks. Packet filtering is exactly what it sounds like, and stateful firewalls are used to ensure traffic is legitimate based on source, direction, and session information (that is, internally sourced is allowed but externally sourced is not).

Which of the following best describes ARP poisoning?

C. In ARP poisoning, an attacker continually inserts invalid entries into an ARP cache. C is correct. In ARP poisoning, the bad guy keeps injecting a bad IP-to-MAC mapping in order to have traffic intended for the target go somewhere else. A, B, and D are incorrect. None of the remaining answers correctly describes ARP poisoning. Yes, it's true an attacker may be sending thousands of ARP packets through a switch to the target, but that in and of itself does not ARP poisoning make.

An attacker takes advantage of a web application's use of semicolons in communication with databases and enters additional strings to carry out malicious instructions. Which of the following best defines this attack?

CSPP B is correct. A connection string parameter pollution (CSPP) attack takes advantage of web applications that communicate with databases by using semicolons to separate parameters. An attacker can end a parameter prematurely with a semicolon and then add his own code. A, C, and D are incorrect. These attacks do not match the description.

You use a Linux distribution Live CD to boot a system that is running Ubuntu and enter the following command set: sudo mkdir /media/sda1 sudo mount /dev/sda1 /media/sda1 sudo chroot /media/sda1 passwd N3wPWD4thi$ Which of the following best describes what you are attempting?

Change the password of the underlying desktop Ubuntu installation. A is correct. Let's walk through the commands: First up, sudo runs everything afterward as a superuser (assuming, of course, you are allowed, as specified in the sudoers file). mkdir makes a directory. The mount command mounts a specified resource. The chroot command changes the root file system from the Live CD to the desktop. Lastly, the passwd command lets you change the current user's password. B, C, and D are incorrect. These answers do not match the output of the command-line entries.

In cloud architecture, as defined by NIST, which role acts to manage the use, performance, and delivery of cloud services as well as the relationships between providers and subscribers?

Cloud broker D is correct. The cloud broker acts to manage the use, performance, and delivery of cloud services as well as the relationships between providers and subscribers. Per NIST SP 500-292, the broker "acts as the intermediate between consumer and provider and will help consumers through the complexity of cloud service offerings and may also create value added cloud services as well." A, B, and C are incorrect. The cloud carrier is the organization that has the responsibility of transferring the data, akin to the power distributor for the electric grid. The cloud consumer is the individual or organization that acquires and uses cloud products and services. The cloud auditor is the independent assessor of cloud service and security controls.

Your organization uses a cloud computing model that shares cloud infrastructure for data and services. Which deployment model matches this description?

Community B is correct. A community cloud model is one where the infrastructure is shared by several organizations, usually with the same policy and compliance considerations. A, C, and D are incorrect. A private cloud model is operated solely for a single organization (a.k.a. single-tenant environment), is usually not a pay-as-you-go type of operation, and is usually preferred by larger organizations. A public cloud model is one where services are provided over a network that is open for public use (like the Internet). The hybrid cloud model is a composite of two or more cloud deployment models.

A pen tester is using Metasploit to attack an FTP server. He wants the attack to use the FTP server as a launching point to "pivot" to an internal LAN segment. Which of the following should be accomplished to perform the attack?

Create a route statement within the meterpreter. A is correct. The meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime. Adding a route statement allows for the "pivot" action. B, C, and D are incorrect. These steps will not assist in pivoting.

Which of the following sets up many, varying security controls, delaying attackers by using layers of security to protect an organization's IT resources

Defense in depth C is correct. Defense in depth is an information assurance concept where multiple layers of security controls are placed throughout an IT system, with the intent being redundancy; in the event a security control fails or a vulnerability is exploited, another one down the chain can help prevent the attack. A, B, and D are incorrect. Single sign-on deals with passwords and has no relevance here. An overt channel is one used for its intended purpose. The term "multilayer firewall" is not legitimate.

Which TCP flag brings communications to an orderly close?

FIN B is correct. The FIN flag brings communications to an orderly close. A, C, D, and E are incorrect. These TCP flags do not bring communications to an orderly close.

You have network anomaly-based IPS set up, along with multiple other tools for security controls. This morning on the way to work, you receive an e-mail alert on your phone regarding possible malicious traffic. In investigating, you see that the IPS saw the anomalous traffic coming into the network and leaving, with the alert based on the unexpected behavior. The traffic turned out to be a user coming into work very early to get a project finished. Which of the following best describes what the IPS noted?

False positive B is correct. The IPS saw the traffic, obviously, but made a decision it was bad traffic based on previous noted behavior, when it was indeed normal traffic (just at an abnormal time). The traffic was flagged as malicious even though it wasn't, which is the definition of a false positive. A, C, and D are incorrect. A false negative occurs when the IPS sees traffic as good when it is actually malicious. The other two answers are distractors.

Which of the following tools is designed as a sniffer for IoT traffic

Foren6 B is correct. Foren6 "leverages passive sniffer devices to reconstruct a visual and textual representation of network information to support real-world Internet of Things applications where other means of debug (cabled or network-based monitoring) are too costly or impractical." A, C, and D are incorrect. Firmalyzer performs security assessments in IoT networks, Attify Zigbee provides a toolset for Zigbee devices, and Nessus is a vulnerability scanner.

A coder wants to determine if the application properly handles a wide range of invalid inputs. Which of the following refers to a software testing effort generating random invalid inputs?

Fuzzing C is correct. Fuzzing is a software testing effort where tons of randomized inputs are hurled at the application to see how it reacts.

Ethical hacker Brad is testing insecure direct object reference. He attempts to gain account access to resources under a username he discovered called Joe. Which of the following best demonstrates an attempt to exploit the insecure direct object reference?

GET /restricted/accounts/?name=Joe HTTP/1.1 Host: somebank.com B is correct. Of the choices provided, this is the only one that attempts direct access to Joe's account. The following is from OWASP's page on the subject: "Applications frequently use the actual name or key of an object when generating web pages. Applications don't always verify the user is authorized for the target object. This results in an insecure direct object reference flaw." An attacker, who is an authorized system user, simply changes a parameter value that directly refers to a system object to another object the user isn't authorized for. A, C, and D are incorrect. These attempts do not attempt direct access to Joe's account.

Which of the following is the best way to defend against network sniffing?

Implement encryption throughout the environment. A is correct. Encryption is the enemy of sniffing (and IDS). After all, if it's encrypted at point A and decrypted only at point B, any effort to examine the traffic in between is pointless. Of the choices, this is the best available option. B, C, and D are incorrect. Physical security and static IP addressing won't do a thing about sniffing. MAC access control can provide some protection, but not at the level encryption could.

In which phase of the IoT hacking methodology would you most likely employ Shodan?

Information gathering A is correct. The steps within EC-Council's IoT hacking methodology are information gathering, vulnerability scanning, launching attacks, gaining access, and maintaining access. Shodan is a search engine tailor-made for IoT type information gathering. B, C, and D are incorrect. Shodan is used in the information gathering stage.

Which of the following is the crucial architecture layer within the IoT, allowing all communication?

Internet layer C is correct. Of the five layers, the Internet layer is considered the most crucial, as it serves as the main component to allow all communication. A, B, and D are incorrect. The Middleware layer sits between the Application and Hardware layer, and handles data and device management, data analysis, and aggregation. First, data handling takes place in the Access Gateway layer, with message identification and routing occurring there. The Edge Technology layer consists of sensors, RFID tags, readers, and the devices themselves.

Which of the following is true regarding ESP in Tunnel Mode?

It encrypts the entire packet. A is correct. If you think about tunneling across the Internet, this makes perfect sense—of course the entire packet is encrypted. B, C, and D are incorrect. Tunnel Mode encrypts the entire packet, so answers B and C are out. As far as authentication and integrity go, that is provided by AH but usually only in Transport Mode.

Which of the following statements best describes the term "likelihood" in regard to risk management?

Likelihood is the probability that a threat will exploit a particular vulnerability. D is correct. Risk management is filled with terms like "threat," "exposure," "residual," and tons of others. Likelihood is the probability that a threat (sometimes referred to as a threat source or a threat agent) will exploit a particular vulnerability. For example, a grizzly bear is a threat to my laptop, but the likelihood of one barreling through my window and destroying my system is really low. A, B, and C are incorrect. None of the other answers correctly describes likelihood

Which of the following tools allows pen testers to analyze and examine links between personnel and/or hardware using graphs and link analysis

Maltego D is correct. Per the tool's website, "Maltego is a unique platform developed to deliver a clear threat picture to the environment that an organization owns and operates. Maltego's unique advantage is to demonstrate the complexity and severity of single points of failure as well as trust relationships that exist currently within the scope of your infrastructure." A, B, and C are incorrect. Metasploit is a framework for building and performing exploit attacks against targets. Shodan is a search engine specifically for finding host types on the Internet. Whois displays registrant information on sites.

An attacker uses text messaging to socially engineer a user into providing sensitive information. Which social engineering attack type is in use?

Mobile based A is correct. Mobile-based social engineering uses mobile device technology. B, C, and D are incorrect. The other two methods are human based and computer based. Technology based is not a valid term.

Which of the following statements best describes a DRDoS attack?

Multiple intermediary machines send the attack at the behest of the attacker. A is correct. The distributed reflection denial of service (DRDoS) attack is, for all intents and purposes, a botnet. Secondary systems carry out attacks so the attacker remains hidden. B, C, and D are incorrect. These attacks do not reflect a DRDoS attack.

Which of the following statements is true regarding n-tier architecture?

N-tier allows each tier to be configured and modified independently. D is correct. While usually implemented in three tiers, n-tier simply means you have three or more independently monitored, managed, and maintained collections of servers, each providing a specific service or task. A, B, and C are incorrect. These statements are not necessarily true regarding n-tier.

Which of the following defines a method of transmitting data that doesn't violate a security policy?

Overt channel D is correct. An overt channel is one being used for its intended purpose. In other words, overt channels are legitimate. A, B, and C are incorrect. Backdoor channels and session hijacking are both malicious in nature. A covert channel is a channel that is not being used legitimately.

Which TCP flag is used to force transmission of data even if the buffer is full?

PSH D is correct. The PSH flag is used when the application simply can't wait for the data and needs it immediately. The sender will be working through a standard exchange and placing packets into the buffer as space frees up. An URG packet gets sent regardless of the buffer status; it simply goes. A, B, and C are incorrect. An URG flagged packet is treated with importance, almost like holding a reservation tag that lets you go to the front of the line when you arrive at your destination. ACK is used for acknowledgments, and FIN brings an orderly close to the session.

Which of the following statements is true?

Pcap is used on Windows. Libpcap is used on Linux. C is correct. Pcap (for Windows) and its Linux-based brother libpcap are the packet capture libraries/drives used by virtually every sniffing and scanning tool you can think of—nmap, Snort, Wireshark, tcpdump, kismet, and L0phtCrack, for example. For extra fun—and possibly a Jeopardy-type question on your exam—libpcap was written in C/C++. A, B, and D are incorrect. The other answers provided are not true regarding Pcap.

An attacker sees guard dogs inside the perimeter. Which of the following best describes this control effort?

Physical deterrent control D is correct. What can deter you more than the sight of a dog patrolling an area, just waiting for an intruder to chew on? Note the terminology here, though: "preventive" could just has easily been used as a descriptor; however, "deterrent" is usually found with the physical descriptor. A, B, and C are incorrect. Dogs aren't technical—even smart ones. And while you can use a bloodhound as a means to track down an escapee, dogs are not detective controls.

An attacker gains access to an internal machine. He then uses Metasploit to access and attack other internal systems from that machine. Which of the following terms describes this?

Pivoting C is correct. Pivoting is using a compromised system as a launching point into other systems. After the first system is owned, you can add a route statement in Metasploit to access the network beyond it. A, B, and D are incorrect. Fuzzing refers to a testing scenario aimed at applications (using random data). Patching refers to applying released security updates. Switching is not a term used in this area.

If a rootkit is discovered on the system, which of the following is the best alternative for recovery?

Reload the entire system from known-good media. C is correct. Sometimes a good old wipe and reload is not only faster than a clean effort, but it's just flat out better. When it comes to rootkits, it's really your only option—unless we're talking a hardware-level rootkit, in which case you're probably better off throwing the thing away. A, B, and D are incorrect. Nearly anything you're doing with the data files themselves isn't going to help in getting rid of a rootkit. The device has been rooted, so all data should be treated as suspect. Tripwire is a great tool, but it—or any other tool—isn't really useful to you once the machine has been infected.

Which of the following best describes the amount of risk that remains after mitigation efforts to correct a vulnerability have been taken?

Residual C is correct. Residual risk is that which remains after your fix efforts have been completed. A, B, and D are incorrect. Inherent risk is that which is currently there—inherited from the current situation and circumstances. Deferred risk is risk you wish to deal with later. Impartial is a distractor.

Which step comes right after footprinting?

Scanning The step following footprinting is scanning: reconnaissance, scanning, gaining access, maintaining access, and clearing tracks.

A pen test member has gained access to a facility. She positions herself beside a partition wall in such a way that the screen activity of an employee is clearly viewable. Which social engineering attack is this?

Shoulder surfing D is correct. Shoulder surfing occurs when an attacker stands behind an authorized user and watches their screen activity. A, B, and C are incorrect. Impersonation occurs when an attacker pretends to be a person of authority. Tailgating occurs when the attacker uses a fake badge and follows employees through an open door, whereas piggybacking does not involve the use a badge of any sor

Which of the following methods of concealment involves a hacker spoofing an IP address to have packets returned directly to him regardless of the routers between the sender and receiver?

Source routing D is correct. Source routing specifies the route a packet will take to a destination, regardless of what the route tables between the two systems say. As an aside, in the real world, source routing is almost always blocked. A, B, and C are incorrect. Proxy servers and anonymizers are used to hide your presence on the Web. Filtering is used on firewalls, routers, and other network devices to block or allow traffic.

Which of the following tools is the best option for rooting an Android device?

SuperOneClick A is correct. SuperOneClick is designed for rooting Android. B, C, and D are incorrect. Each of the remaining options is designed for use on iOS devices.

Your client has encrypted communications between two segments using SSL. They are concerned about possible intrusion attempts and install an IDS between the two to monitor the traffic. You advise against this for what reason?

The IDS is blind to SSL traffic. C is correct. Encryption is the nemesis of an IDS because it cannot see the traffic. A, B, and D are incorrect. SSL does not affect false positives or negatives and certainly does not fail because of passive sniffing.

You run the user2sid command on a machine, and the following is found in part of the results: S-1-5-21-334913988-132044091-501. You then run sid2user 5 21 334913988 132044091 500 on the machine, and the result is the following: Name is Matt Domain is Walker. Which of the following is true?

The Matt account is the true administrator account. B is correct. The administrator account always has the RID of 500; therefore, running sid2user on the SID will reveal the correct administrator account name (in this case, Matt). A, C, and D are incorrect. Walker is the name of the domain, and the other two answers are false.

Which of the following statements is true regarding normal TCP communications

The RST flag aborts the connection immediately due to an error. D is correct. The reset flag is there for just such an emergency—something bad has happened. A, B, and C are incorrect. SYN flags start conversations and synchronize things along the way. ACK flags acknowledge receipt but are not set in every segment. FIN flags do bring things to an orderly close, but not a rapid abort

A new employee is attempting to connect to wireless. Her hardware is the same as most others on the floor, and other users are connecting fine. The client can see the wireless network, but packet captures show the WAP is not responding to association requests. Which of the following best describes the issue?

The WAP is employing a MAC filter. B is correct. The simplest, most logical explanation is the WAP simply doesn't recognize the MAC attempting to connect to it and refuses to even acknowledge the attempts. A, C, and D are incorrect. The client can see the network; therefore, SSID and DHCP are out. While it is possible explicit channel configuration may cause issues, it's not relevant for this scenario.

You are performing an ACK scan against a network from an external location. You've identified two web servers on the DMZ subnet and notice that they are responding to the ACK scan. Which of the following best describes the situation?

The firewall for the DMZ subnet is not performing stateful inspection. D is correct. A stateful inspection firewall would notice the ACK coming unsolicited and from the wrong side of the fence. A, B, and C are incorrect. There is no way to tell, from the information provided, what type of web server is responding. The IDS is passive/reactive and would not prevent the packet flow anyway.

You are performing an XMAS scan and get an RST/ACK packet back from a port. What does this indicate?

The port is closed. B is correct. An RST/ACK on an XMAS scan indicates a closed port. A, C, and D are incorrect. No response would indicate an open port or that the scan failed to reach the target.

Which of the following best describe the result from the Linux command "someproc &"? (Choose two.)

The process "someproc" will run as a background task. The process "someproc" will stop when the user logs out. A and C are correct. The ampersand (&) after the command dictates that the process should run in the background. Without anything indicating a persistent process (that is, adding "nohup" before the process name), it will die when the user logs out. B and D are incorrect. These do not reflect the outcome of the command.

An IDS system monitors network traffic and has multiple network taps across the environment. Events occur that could be indicative of an internal to external exfiltration of traffic; however, the activity is legitimate and the users and systems involved have already identified this activity from previous sessions. The IDS does not fire an alert. Which IDS alert type is described here?

True negative B is correct. The IDS saw traffic that could be indicative of an attack; however, there was no malicious activity and it did not send an alert. A true negative is defined as an event or events monitored by an IDS but noted as normal behavior and does not trigger an alert. As a hint for study, the "true" part means the device performed the correct action while the "negative" part describes the action taken (in this case, no alert). A, C, and D are incorrect. A true positive occurs when there is an event that is malicious in nature and the IDS responds by triggering an alert. A false positive occurs when the IDS triggers an alert on traffic or events that are legitimate. A false negative occurs when the IDS does not trigger an alert on traffic or events it should have; in other words, the traffic is malicious in nature and should have caused alarm, but for whatever reason the IDS did not fire.

Which of the following is an attempt to resolve computer security problems through hardware enhancements and associated software modifications?

Trusted computing D is correct. Trusted computing basically refers to an attempt to resolve computer security problems through hardware enhancements and associated software modifications. Roots of Trust (RoT) is a set of functions within the trusted computing module that are always trusted by the computer's operating system (OS). A, B, and C are incorrect. The Trusted Computing Group (TCG) is made up of a bunch of hardware and software providers that cooperate to come up with specific plans. Cloud computing is irrelevant. OSRoT is not a legitimate term.

To log in to her network, Jill uses a token and a four-digit PIN. Which authentication measure best describes this?

Two-factor authentication C is correct. Because Jill uses something she has (a token) and something she knows (the PIN), this is considered two-factor authentication. A, B, and D are incorrect. Two factors are used for authentication here.

Which of the following tools silently copies all files from a USB when it is connected to the system?

USB Dumper A is correct. USB Dumper copies the files and folders from the flash drive silently when it connected to the PC. B, C, and D are incorrect. Snoopy is a sniffer for Windows, HackRFone is used in rolling code attacks, and KeyLLama is a keylogger.

What enables Unicode characters to be represented in an ASCII-compatible length of 1 to 4 bytes?

UTF-8 D is correct. In 1992, lots of work started on streamlining Unicode transmission, since Unicode needed to be compatible with ASCII for transmission over the Internet. In January of 1993, UTF-8 was presented officially at the USENIX conference in San Diego to solve this problem. It was developed to encode UTF characters in a way that could be accepted and decoded by ASCII systems. Per Google, UTF-8 is the dominant character encoding on the Web. A, B, and C are incorrect. XOR is a logic gate comparing two inputs. EBCDIC (Extended Binary Coded Decimal Interchange Code) is a binary code for alphabetic and numeric characters. UTF-16 is a distractor.

In which phase of the Security Development Lifecycle is "fuzz" testing performed?

Verification B is correct. The Security Development Lifecycle (SDL) phases include training, requirements, design, implementation, verification, release, and response, and each phase holds specific actions. For example, in the training phase, core security training for developers is performed. In the requirements phase, the level of security desired is set. In the verification phase, dynamic analysis, fuzz testing, and attack surface reviews are performed. A, C, and D are incorrect. The implementation phase includes using approved tools and static analysis and turning off unsafe functions. Design includes requirements, attack surface analysis, and threat modeling. Release includes an incident response plan, final security review, and certification.

An attacker places his sites on a specific group. After several days of monitoring the group members' traffic, he notes several websites they frequently visit and goes to work infecting those sites with malware. Which of the following best defines this attack?

Watering hole attack B is correct. I will admit, prior to preparing for this book, I'd never heard of the watering hole attack. You might ask why one would go through the trouble of infecting multiple websites that have nothing to do with the target when they could otherwise spend that time attacking...well...the target—but c'est la vie. In this attack, the goal is to gain access to a machine owned by one of the target group's members. By infecting sites the team members visit frequently, sometimes with unknown (zero-day) exploits, the attacker can get members' machines infected and use that to attack the rest of the group. A, C, and D are incorrect. Shellshock (a.k.a. Bashdoor) is a Linux vulnerability that allows an attacker to cause vulnerable versions of Bash to execute arbitrary commands. Heartbleed is an SSL vulnerability that exploits the heartbeat issue in data transfer. Spray and pray isn't an attack name that I'm aware of (but it should be, because it sounds really cool).

Which of the following statements is true?

WebGoat is maintained by OWASP. A is correct. WebGoat has 30 or so "lessons" embedded to display how security vulnerabilities work on a system. It is maintained by OWASP, can be installed on virtually any platform, works well with Java and .NET, and provides the perfect "black box" testing opportunity for new, and seasoned, pen testers to practice on without fear of breaking something. B, C, and D are incorrect. These statements are not true regarding WebGoat.

When would a secondary name server request a zone transfer from a primary?

When the primary SOA serial number is higher A is correct. Secondary servers check in with the primary based on the refresh interval. The primary increments the serial number every time the SOA changes. If the secondary checks in and the primary's copy has a higher serial number, then it knows the SOA has changed and it needs a new copy. B, C, and D are incorrect. The secondary does not request a new copy if the serial number is lower or when the server is rebooted. The TTL reaching zero has nothing to do with requesting a zone transfer.

In which of the following OSs are you most likely to experience problems in collecting 802.11 management and control packets while passively sniffing?

Windows A is correct. For whatever reason, many wireless NICs don't have good support for monitor mode in Windows. They seem to be okay catching general traffic, but the control packets are hard to come by. B, C, and D are incorrect. Linux variants and macOS wireless NICs provide better support for monitor mode.

Which of the following is an attack whereby SOAP messages are replayed as if they were legitimate?

Wrapping attack B is correct. Wrapping attacks involve messing with SOAP messages and replaying them as legitimate. A, C, and D are incorrect. These attacks do not involve SOAP messaging.

Which of the following can best be mitigated by setting the HttpOnly flag in cookies?

XSS B is correct. Cross-side scripting occurs when the bad guy injects code—usually in the form of a script—into a web page. Because setting the HttpOnly flag in a cookie prevents the cookie from being accessible by a client-side script, this would be a good idea for XSS mitigation. A, C, and D are incorrect. None of these will be remediated by the HttpOnly flag.

You are running an IDLE scan using hping2. As the scan continues, you note the IPID is incrementing randomly. What does this tell you?

Your target machine is not an IDLE zombie; it is active on the network with other tasks. B is correct. An IDLE scan makes use of a zombie system that is inactive on the network, using the resulting IPID numbers for scan results. If the numbers increment randomly, then the zombie is not truly idle. A, C, and D are incorrect. The results have nothing to do with a firewall, this scan cannot tell you which OS is running, and this is not the expected behavior from an idle zombie.

Which of the following commands is used to open Computer Management on a Windows OS machine?

compmgmt.msc A is correct. The compmgmt.msc command is used to open the Computer Management console. B, C, and D are incorrect. The Services MMC is opened by services.msc, and gpedit (.msc) opens the Group Policy Editor. ncpa.cp does not exist.

Which of the following Metasploit framework tools can assist a pen tester in evading AV systems?

msfencode D is correct. Msfencode allows the tester to encode the payload. In other words, you can change the way it appears to an AV system. The following is from Offensive Security's site: "Most of the time, one cannot simply use shellcode generated straight out of msfpayload. It needs to be encoded to suit the target in order to function properly. This can mean transforming your shellcode into pure alphanumeric, getting rid of bad characters or encoding it for 64 bit target." A, B, and C are incorrect. These do not address evasion.

Which of the following commands would be the best choice for a pen tester attempting to perform DNS cache snooping?

nslookup -norecursive one.anywhere.com. C is correct. If you can make a nonrecursive query to a DNS server looking for an already resolved hostname, the box is susceptible to DNS cache snooping. To see if you can do this, you may try to find the IP address of a hostname by querying the DNS server nonrecursively (that is, not asking further DNS servers for an answer if the DNS server in question does not know it).

Which of the following contains a listing of port numbers for well-known services defined by IANA?

%windir%\system32\drivers\etc\services C is correct. If you happen to be out on your real job and completely forget every well-known port number, you'd probably just look up the list on an Internet search. If you're bored or really nerdy, though, you can pull up a list of them by visiting the "services" file. It's sitting right there beside the "hosts" and "lmhosts" files. A, B, and D are incorrect. These locations do not hold the "services" file.

Which of the following is most likely to cause a web browser to send a request that the browser's user did not intend to send?

. CSRF B is correct. Of the answers provided, a cross-site request forgery (CSRF) is the most likely culprit. In a CSRF attack, the user is tricked (usually by phishing) into visiting a malicious website, while the user has an active, authenticated session with a trusted website. The malicious website can then instruct the user's web browser to send a request to the target website. A, C, and D are incorrect. Buffer overflows allow attackers to inject malicious code into a system's memory. XSS executes code within a trusted context on the site itself. SQL injection uses SQL statements injected into a form or front end to accomplish back-end tasks.

Phishing, pop-ups, and IRC channel use are all examples of which type of social engineering attack?

. Computer based B is correct. Computer-based social engineering attacks include any measures using computers and technology. A, C, and D are incorrect. Human-based social engineering uses interaction in conversation or other circumstances between people to gather useful information. There is no such thing as a "technical" social engineering attack. Using a phone during a social engineering effort is known as "vishing" (for "voice phishing").

Which of the following can be compared to a CSRF attack

. Session riding A is correct. Session riding is, in effect, simply CSRF under a different name and deals with cloud services instead of traditional data centers. B, C, and D are incorrect. Side-channel attacks, also known as cross-guest VM breach, deal with attackers gaining control of the existing virtualization itself. Side session and VM straddling are not legitimate terms.

An attacker sends SMS text messages crafted to appear as legitimate security notifications, with a phone number provided. The user unwittingly calls the number and provides sensitive data in response. Which of the following correctly describes this attack?

. Smishing C is correct. Smishing refers to an attack using SMS text messages crafted to appear as legitimate security notifications, with a phone number provided. The user unwittingly calls the number and provides sensitive data in response. A, B, and D are incorrect. Vishing refers to using a phone in social engineering, and phishing uses e-mail. Text attack is not a valid term.

What happens when you issue the "net use" command on a Windows machine?

. The user will see a list of connected resources. B is correct. The net use command issued without any parameters will show you a list of connected resources and logged-in user accounts

Background checks on employees, risk assessments on devices, and policies regarding key management and storage are examples of ___________ measures within physical security.

. operational C is correct. Operational measures are the policies and procedures you set up to enforce a security-minded operation. A, B, and D are incorrect. Physical controls include all the things you can touch, taste, smell, or get shocked by. Technical controls are measures taken with technology in mind to protect explicitly at the physical level.

Where is the password file kept on a Linux machine?

/etc C is correct. The /etc folder contains all the administration files, and Linux stores the password file (passwd) and the shadow file here. A, B, and D are incorrect. These choices do not reflect the location of the password file in Linux. The /dev folder holds the pointer locations to the various storage and input/output systems. /sbin holds administrative commands and is the repository for most of the routines Linux runs (known as daemons). /mnt holds the access locations you've actually mounted.

You are examining a host with an IP address of 65.93.24.42/20, and you want to determine the broadcast address for the subnet. Which of the following is the correct broadcast address for the subnet?

65.93.31.255 D is correct. If you view the address 65.93.24.42 in binary, it looks like this: 01000001.01011101.00011000.00101010. The subnet mask given (/20) tells us only the first 24 bits count as the network ID (which cannot change if we are to stay in the same subnet), and the remaining 12 bits belong to the host. Turning off all the host bits (after the 20th) gives us our network ID: 01000001.01011101.00010000.00000000 (52.93.16.0/20). Turning on all the host bits gives us our broadcast address: 01000001.01011101.00011111.11111111 (65.93.31.255/20). A, B, C, and E are incorrect. These answers do not match the broadcast address for this subnet.

Which of the following statements are true? (Choose three.)

A. Aircrack can use a dictionary list to crack WEP keys. B. Aircrack can use PTW to crack WEP keys. C. Aircrack can use Korek to crack WEP keys. A, B, and C are correct. Aircrack-ng can make use of dictionary lists. It uses something called the Pyshkin, Tews, Weinmann (PTW) technique by default, but can also use the Fluhrer, Mantin, Shamir (FMS) technique or the Korek technique to crack WEP. When it comes to WPA or WPA2, it uses dictionary lists only. D is incorrect. Rainbow tables are used in password cracking but not in wireless key cracking. Wrong place, wrong tool.

Which of the following statements is true regarding NetStumbler?

A. NetStumbler can be installed on Windows A is correct. NetStumbler is a Windows tool. It can detect wireless traffic on 802.11a, b, and g networks but not on 802.11n networks. B, C, and D are incorrect. NetStumbler can't be installed on anything but Windows. Additionally, it doesn't support monitor mode (used in passive scanning).

X.509 defines the standard for digital certificates. Per this standard, which of the following are fields within a certificate? (Choose all that apply.)

A. Version B. Algorithm ID D. Public key E. Key usage A, B, D, and E are correct. X.509 is an ITU-T standard defining all sorts of things regarding PKI, including the digital certificate and what it holds. It identifies several components of a digital certificate, including the version, the algorithm ID, a copy of the public key, and the key usage description.

After the three-way handshake, which flag is set in packets sent in either direction?

ACK B is correct. After the three-way handshake is completed, an ACK flag is set in every packet sent. A, C, and D are incorrect. The remaining TCP flags do not appear in every packet.

What does the "chmod 744 anyfile" command accomplish?

Allow all privileges to the user, read-only to the group, and read-only for all others. A is correct. File permissions in Linux are assigned via the use of the binary equivalent for each rwx group: read-only is equivalent to 4, write is 2, and execute is 1. To accumulate permissions, you add the numbers: 4 is read-only, 6 is read and write, and adding execute to the bunch means a 7. In use, the first number corresponds to the user, the second to the group, and third is to all others. B, C, and D are incorrect. The remaining answers do not match the 744 portion of the command.

Which of the following best matches the purpose of key escrow?

Allows a third party to access sensitive data if the need arises D is correct. Key escrow agents are usually used when the government needs access to something during an investigation. A, B, and C are incorrect. Backups have nothing to do with key escrow. Lost key replacement is done by something called a recovery agent. Your CA provides for identification services, not the key escrow agent.

Your customer is concerned about weak passwords in the environment and asks you to specifically test for them. Which of the following are you least likely to do?

Announce to the users when you will begin testing. A is correct. If the goal is to see if there are weak passwords being used in the environment on an average day, why in the world would you make it an uncommon day by telling people to change their passwords right before you start testing? B, C, and D are incorrect. All of these actions make perfect sense regarding an ethical hacker being asked to test and report on weak passwords.

Which of the following best describe a detective control? (Choose all that apply.)

Auditory alarms set on doorways Audit logs C and D are correct. Detective controls are in place to let you know when something has happened or is happening. A and B are incorrect. A system backup does a great job of fixing things after everything is over (a corrective control), and authentication badges are used to keep bad guys from getting in to begin with (preventive control), but neither is a detective control.

An attacker waits until a user has an authenticated session with the server he really wants to attack. He then sends a phishing e-mail to the user. When the user opens it and goes to the malicious website, the attacker begins sending messages through the user's browser session to the target server. Which of the following best describes this attack?

B. CSRF B is correct. The question is describing CSRF. A, C, and D are incorrect. This description does not match the remaining answers.

Which of the following are components of a Kerberos system? (Choose all that apply.)

KDC AS TGS TGT A, B, D, and E are correct. A Kerberos system is composed of a key distribution center (KDC), an authentication service (AS), a ticket granting service (TGS), and a ticket granting ticket (TGT). C is incorrect. Kerberos does not make use of any PKI facets in its system.

You are viewing LM hashes and note this one in particular: 3A02FB4397CFC4FFFAAD3B435B51404EE Which of the following would create the LM hash?

M@tt123 B is correct. Forget the characters in the password itself and just look at the length. If it's seven characters or less, the last half of the LM hash will be AAD3B435B51404EE. INCORRECT ANSWERS: 1234M@tt D. 123M@ttt M@tt1234

Which of the following is the best choice for performing a bluebugging attack?

Blooover D is correct. Blooover is designed and created for Bluebugging. A, B, and C are incorrect. BBProxy and PhoneSnoop are both BlackBerry tools, and btCrawler is a discovery option.

In a known-plain-text attack, what does the attacker have access to?

Both plain text and cipher text C is correct. In a known-plain-text attack, the attacker has both versions and compares plain-text entries against their cipher-text counterparts to find patterns that can be used to break other cipher texts. A, B, and D are incorrect. These answers do not reflect known-plain-text attacks.

You are offering your team's pen test services to a potential client. The customer reviews things and seems unconvinced a manual pen test will be helpful in securing their systems. Which of the following should you do as an ethical hacker and representative of your team?

Bring statistical information to the table, showing the risks of poor network security as well as the use of pen testing by industry and government agencies alike. C is correct. Ethically, this is the only choice that makes any sense. You can't do anything without an agreement in place first, and it's your job to convince them they need it. A, B, and D are incorrect. Each of these answers—although funny and providing some satisfaction for the "See, I told you so!" crowd among us—is highly unethical.

OWASP releases several Top Ten lists. On their top security priorities, one entry includes flaws that allow attackers to compromise passwords, encryption keys, and session tokens. Which of the following matches this description best?

Broken Authentication A is correct. I admit it—this one is really, really picky. Broken Authentication is second on the list of security priorities in OWASP's 2017 list, and best matches the question parameters. The following is taken directly from the list: "Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities."

Bob is working with senior management to identify the systems and processes that are critical for operations. As part of this business impact assessment, he performs calculations on various systems to place a value on them. On a certain router he discovers the following: • The router costs $3200 to purchase. • The router typically fails once every three years. • The salary for a technician to repair a server failure is $35 an hour, and it typically takes one technician two hours to fully restore a failure. • Without access outside their subnet, 15 employees averaging $20 an hour will be at a standstill during an outage. What is the ALE for the router?

C. $1277.10 C is correct. ALE = ARO × SLE. To find the correct annualized loss expectancy, multiply the percentage of time a failure is likely to occur annually (the annual rate of occurrence, in this case 0.2, or 1 failure / 3 years = 33 percent) by the amount of cost incurred from a single failure (single loss expectancy, in this case $70 [for the repair guy] + $600 [15 employees at $20 an hour for two hours] + $3200 [replacement of server] = $3,870). ALE = 0.33 × $3870, so the ALE for this case is $1277.10.

Which of the following attacks is RSA specifically vulnerable to?

Chosen-cipher-text attacks B is correct. In a chosen-cipher-text attack, the bad guy chooses a particular cipher-text message and attempts to discern the key through comparative analysis with multiple keys and a plain-text version. Because RSA uses a public key to encrypt and a private key to decrypt, an attacker could use the public key to encrypt tons of things for analysis. A, C, and D are incorrect. RSA is not particularly susceptible to known-plain-text attacks. Sequence-timing attacks do not exist. Rubber hose attacks, in addition to sounding hilarious, are violent social engineering efforts.

You are hired as an independent assessor to verify security controls within a cloud environment. Which NIST cloud architecture role are you performing?

Cloud auditor C is correct. The cloud auditor is the independent assessor of cloud service and security controls. Per NIST SP 500-292, the auditor "provides a valuable inherent function for the government by conducting the independent performance and security monitoring of cloud services." A, B, and D are incorrect. The cloud carrier is the organization that has the responsibility of transferring the data, akin to the power distributor for the electric grid. The cloud consumer is the individual or organization that acquires and uses cloud products and services. The cloud broker acts to manage the use, performance, and delivery of cloud services as well as the relationships between providers and subscribers.

In NIST cloud architecture, which role acts as the organization that has the responsibility of transferring the data?

Cloud carrier A is correct. The cloud carrier is the organization that has the responsibility of transferring the data, akin to the power distributor for the electric grid. B, C, and D are incorrect. The cloud consumer is the individual or organization that acquires and uses cloud products and services. The cloud auditor is the independent assessor of cloud service and security controls. The cloud broker acts to manage the use, performance, and delivery of cloud services as well as the relationships between providers and subscribers.

Which of the following is NOT a role within the cloud architecture, as defined by NIST?

Cloud subscriber D is correct. The five roles defined by NIST SP 500-292 are cloud carrier, cloud consumer, cloud provider, cloud broker, and cloud auditor. Cloud subscriber sounds good, but it is not recognized within NIST SP 500-292.

You use AWS as a cloud service and want to perform an automated test against it. Which tool best suits your needs?

CloudInspect D is correct. Per Core's website, CloudInspect is "a tool that profits from the Core Impact & Core Insight technologies to offer penetration-testing as a service from Amazon Web Services for EC2 users." It's designed for AWS cloud subscribers and runs as an automated, all-in-one testing suite specifically for your cloud subscription (in other words, you can poke around the boxes you own all you like, but the behind-the-scenes stuff provided by Amazon is a no-touch zone). A, B, and C are incorrect. Per the CloudPassage website, CloudPassage Halo "provides instant visibility and continuous protection for servers in any combination of data centers, private clouds, and public clouds." Metasploit is a framework for delivering exploits. AWSExploit is not a legitimate tool.

An organization wants to save on time and money and decides to go with an automated approach to pen testing. Which of the following tools would work for this? (Choose all that apply.)

Core Impact D. CANVAS C and D are correct. Both Core Impact and CANVAS are automated pen test application suites. A and B are incorrect. Nmap is a port scanner. Netcat is a multipurpose scanner and backdoor.

Which of the following best describes a hybrid password-cracking attack?

It substitutes numbers and characters in words to discover a password. D is correct. Usually a hybrid attack involves a list of passwords that get altered along the way in order to guess the password. For example, if your list contained the word "Fishing," a hybrid attack would start substituting numbers and characters: f1$hing, Fi$H1n6, and so on.

Which of the following is a suite of IETF specifications for securing DNS records?

DNSSEC D is correct. Domain Name System Security Extensions (DNSSEC) was released by IETF as a means to help clients verify the true originator of DNS messaging. A, B, and C are incorrect. These answers do not reflect the security effort mentioned in the question.

Which of the following IoT communication models adds a collective entity before sending data to the cloud?

Device to gateway B is correct. An IoT gateway is a device designed to send collected data from IoT devices to the user or to data storage (the cloud) for use later. Implementing this model may allow for the application of additional security controls. A, C, and D are incorrect. Device to device is exactly what it sounds like, and back-end data sharing adds third-party access to your data on the cloud side. Device to thing does not exist.

Which of the following is the best choice for protection against privilege escalation vulnerabilities?

Ensuring services run with least privilege D is correct. Ensuring your services run with least privilege (instead of having all services run at admin level) can help in slowing down privilege escalation. A, B, and C are incorrect. Ensuring drivers are in good shape is good practice but doesn't have a lot to do with privilege escalation prevention. Admin accounts don't run with least privilege; they're admin accounts for a reason. Automating services may save time but doesn't slow down hacking efforts.

You have network IPS set up, along with multiple other tools for security controls. This morning before you came to work, hackers successfully attacked the network. In investigating, you see that the IPS saw the traffic coming into the network and leaving, but did not alert on it. Which of the following best describes what the IPS noted?

False negative A is correct. The IPS saw the traffic, obviously, but made a decision it was good traffic when it was indeed naughty. It should have triggered as a positive hit, but instead allowed the traffic to pass with no action. This is known as a "false negative." B, C, and D are incorrect. A false positive occurs when the IPS sees traffic as naughty when it is actually okay. The other two answers are distractors.

In a discussion about biometric authentication systems, you mention a circumstance where legitimate users are denied access because of a system error or inaccurate readings. What is the correct term for this circumstance?

False negative B is correct. A false negative occurs when a user is denied access even though he is a legitimate user. A, C, and D are incorrect. A false positive occurs when a user is allowed access when he is not legitimate. False acceptance rate and crossover error rate are both measurements of the overall accuracy of biometrics.

You are discussing methods to evade IDS detection with your team. One team member suggests sending large amounts of traffic to the IDS in an effort to hide the true attack traffic. Which of the following best describes this effort?

False-positive generation B is correct. Lots of traffic can oftentimes provide "cover fire" for your attack. The very presence of so many false positives and so much traffic on its own indicates something is going on, but the idea is valid. A, C, and D are incorrect. Session splicing, source routing, and address spoofing have nothing to do with generating large amounts of traffic.

An ethical hacker generates large amounts of traffic, purposefully designed to cause the IDS to alert. Within this deluge of traffic, the pen tester sends packets to the internal target in an attempt to gain access. Which of the following best describes the method used to evade IDS?

False-positive generation C is correct. While it may seem counterintuitive, since you're trying to hide from the IDS, not spook it, sending gobs of false-positive packets to set off alarms may be enough to allow you to gain access somewhere. However, you should note that this is not without its own dangers. After all, surely the friendly IDS monitor isn't just going to blow off a ton of unsolicited traffic and a deluge of alerts—that in and of itself indicates something is amiss.

You are reviewing security plans and policies, and you want to provide protection to organization laptops. Which effort listed protects system folders, files, and MBR until valid credentials are provided at pre-boot?

Full disk encryption C is correct. FDE is the appropriate control for data-at-rest protection. Pre-boot authentication provides protection against loss or theft. A, B, and D are incorrect. These answers do not protect against system folders, files, and MBR until valid credentials are provided at pre-boo

Which of the following laws protects the confidentiality and integrity of personal information collected by financial institutions?

GLBA C is correct. The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to take steps to protect customer information. It also forces them to provide their privacy practices to the public. A, B, and D are incorrect. HIPAA deals with the protection of personal data in the medical realm. SOX deals with publicly traded companies, forcing them to allow independent audits and to post financial findings. PCI DSS is in place to secure data used in credit card transactions and storage.

An attacker leverages IoT vulnerabilities to shut off the air conditioning on the data floor, causing a major disruption. What is this attack called?

HVAC attack D is correct. Yes, this is really what it's called. No, I'm not making it up. An HVAC attack takes place when one hacks IoT devices in order to shut down air conditioning services. A, B, and C are incorrect. Although SCADA may have appealed to you here, it's incorrect in this scenario (SCADA and IoT don't necessarily have anything to do with one another). A DoS may have occurred here, but there's no specific indication it occurred. Zigbeez doesn't exist

A hacker performs attacks because of political motivation. Which term best describes this attacker?

Hacktivist D is correct. Hackers who use their skills and talents to forward a cause or a political agenda are practicing hacktivism. A, B, and C are incorrect. Script kiddies generally just copy attack codes and don't really have much in the way of a skill set. State-sponsored hacking is exactly what it sounds like, and a suicide hacker may indeed be a hacktivist, but he doesn't care about being caught (unless the questions specifies this; don't assume it).

You are monitoring the activities of your pen test team and notice one member opening Airsnarf. What is he trying to accomplish?

He is trying to sniff passwords and user IDs. D is correct. Airsnarf does a great job of sniffing passwords and authentication traffic. A, B, and C are incorrect. Airsnarf does not locate rogue APs, nor does it monitor signal strength. Also, Airsnarf does not attempt DoS attacks.

An attacker uses a Metasploit auxiliary exploit to send a series of small messages to a server at regular intervals. The server responds with 64 bytes of data from its memory. Which of the following best describes the attack being used?

Heartbleed B is correct. Heartbleed takes advantage of the data-echoing acknowledgement heartbeat in SSL. OpenSSL version 1.0.1 through version 1.0.1f are vulnerable to this attack. Basically the attacker sends a single byte of data while telling the server it sent 64KB of data. The server will then send back 64KB of random data from its memory. A, C, and D are incorrect. POODLE exploits the TLS handshake to revert connections back to insecure SSL versions. FREAK (Factoring Attack on RSA-EXPORT Keys) is a technique used in man-in-the-middle attacks to force the downgrade of RSA keys to weaker lengths. DROWN (Decrypting RSA with Obsolete and Weakened eNcryption) allows attackers to break SSLv2 encryption (left on sites for backward compatibility) and read or steal sensitive communications.

Which of the following best represents Amazon EC2?

IaaS A is correct. Amazon's EC2 provides resizable compute capacity in the cloud via VMs that can be controlled via API, thus fitting the definition of IaaS. Infrastructure as a Service (IaaS) basically provides virtualized computing resources over the Internet.

Amazon's EC2 provides virtual machines that can be controlled through a service API. Which of the following best defines this service?

IaaS A is correct. Amazon's EC2 provides resizable compute capacity in the cloud via VMs that can be controlled via an API, thus fitting the definition of IaaS.

Which of the following best describes port security?

It allows traffic from a specific MAC address to enter to a port. D is correct. This is exceedingly confusing on purpose—because it's how you'll see it on the exam. "Port security" refers to a security feature on switches that allows an administrator to manually assign MAC addresses to a specific port; if the machine connecting to the port does not use that particular MAC, it isn't allowed to even connect. Port security works on source addresses, so you're automatically looking at "from," not "to." In other words, it is specifically allowing access (entering a port) to a defined MAC address—think of it as a whitelist. In other words, in truth, this type of implementation turns out to be a bit of a pain for the network staff, so most people don't use it that way. In most cases, port security simply restricts the number of MAC addresses connected to a given port. Say your Windows 7 machine runs six VMs for testing, each with its own MAC. As long as your port security allows for at least seven MACs on the port, you're in good shape. A, B, and C are incorrect. Port security works on source addressing, so you can throw out answers A and B. Answer C is incorrect because it's not stopping a specific MAC from connecting; it's only allowing a specific one to do so.

A switch CAM table is filled with faulty MAC addresses, using up all available space in the table. Which of the following has occurred?

MAC flood A is correct. A MAC flood is just what it sounds like—the switch is flooded with thousands of MAC address mappings such that it cannot keep up. When the table can't keep up, the switch stops filtering messages to ports and begins flooding itself, sending every message out every port. B, C, and D are incorrect. SYN flood is not a switch attack. ARP spoofing will help in active sniffing, but it is not the same as MAC flooding. CAM attack is not a valid term.

Which tool has a database containing thousands of signatures used to detect hundreds of vulnerabilities in multiple operating systems?

Nessus B is correct. Nessus is a well-known vulnerability scanner. A, C, and D are incorrect. Nmap is a port scanner, netcat is used for a variety of other purposes, and hping is used for session hijacking.

Which of the following may be useful in mitigation against phishing? (Choose all that apply.)

Netcraft Toolbar B. PhishTank Toolbar A and B are correct. Although nothing is foolproof, a couple of options can assist in protecting against phishing. The Netcraft Toolbar and the PhishTank Toolbar can help in identifying risky sites and phishing behavior. C and D are incorrect. IDSs are great to have, and can help in identifying the effects after social engineering has succeeded, but they do nothing to prevent phishing.

Your organization's leadership wants security to monitor all traffic coming into and out of the network for malicious intent. Which of the following should you implement?

Network-based IDS C is correct. An intrusion detection system is what's being called for here, and an NIDS (network IDS) will watch all network traffic. The network tap location is very important in setting up an NIDS—if not tapped at a location (or in locations) where all network traffic flows through, the tool won't see everything. A, B, and D are incorrect. Answer A gets the IDS part right but misses out with "host" (which only monitors a single system, not an entire subnet). Firewalls aren't used for this purpose—they're designed to block and allow specific traffic. A proxy is used either to hide behind when you're on the outside trying to get in, as an anonymizer-type front from internal to external, or as a repository for information internal machines can hit instead of going outside the subnet.

Which of the following is a software application used to asymmetrically encrypt and digitally sign e-mail?

PGP A is correct. Pretty Good Privacy is used for signing, compression, and encrypting and decrypting e-mails, files, directories, and even whole disk partitions, mainly in an effort to increase the security of e-mail communications. B, C, and D are incorrect. The remaining answers do not necessarily have a thing to do with e-mail encryption.

Which cloud service type is best designed for software development?

PaaS B is correct. Platform as a Service (PaaS) is geared toward software development because it provides a development platform that allows subscribers to develop applications without building the infrastructure it would normally take to develop and launch software. Hardware and software are hosted by the provider on its own infrastructure so customers do not have to install or build homegrown hardware and software for development work. PaaS doesn't usually replace an organization's actual infrastructure; instead, it just offers key services the organization may not have onsite. A, C, and D are incorrect. Infrastructure as a Service (IaaS) basically provides virtualized computing resources over the Internet. Software as a Service (SaaS) is simply a software distribution model—the provider offers on-demand applications to subscribers over the Internet. Hypervisor is a term associated with the provisioning of virtual machines (examples include VMware, Oracle VirtualBox, Xen, and KVM).

Which of the following statements is true regarding the use of a proxy server on your network?

Proxy servers can filter Internet traffic for internal hosts. B is correct. Proxy servers stand in the stead of internal hosts. You can have them go out of the network and do all the dirty work for you, or you can have them "host" services for you. Providing controlled access to Internet traffic with a proxy is an excellent example—browsers point to a proxy that then handles the work of grabbing and returning requested data.

In which deployment model are services provided over a network that is open for public use?

Public A public cloud model is one where services are provided over a network that is open for public use (like the Internet). Public cloud is generally used when security and compliance requirements found in large organizations aren't a major issue.

Within a PKI, which of the following verifies the applicant?

Registration authority A is correct. A registration authority (RA) validates an applicant into the system, making sure they are real, valid, and allowed to use the system. RAs are also known as "subordinate CAs." B, C, and D are incorrect. The CRL (Certificate Revocation List) used to track which certificates have problems and which have been revoked. The remaining terms are not legitimate.

Which of the following is defined as a process of evaluating assets to determine the amount of vulnerability each represents to the organization?

Risk assessment B is correct. A risk assessment, part of overall rick management, is an evaluation process where everything is looked at through the prism of "what vulnerabilities does this asset add to my environment?" Risk assessors should consider security and administrative safeguards in place and evaluate how likely each system is to be compromised. From this analysis, companies can decide to accept, mitigate, transfer, or avoid the risk.

You set up an access point in the closet of a building. The AP has the same SSID as the organization's real access point, and the signal strength is stronger for local clients. Which wireless attack are you attempting?

Rogue access point D is correct. Using rogue APs (evil twins) may also be referenced as a mis-association attack. Additionally, faking a well-known hotspot on a rogue AP (such as McDonald's or Starbucks free Wi-Fi spot) is referred to as a "honeyspot" attack. A, B, and C are incorrect. War driving involves driving around looking for open access points. The other two answers are distractors.

Which IoT attack involves sniffing, jamming, and replaying a car key fob signal?

Rolling code D is correct. The code used by your key fob to unlock (and in some cases) start your car is called a rolling (or hopping) code. An attacker can sniff for the first part of the code, jam the key fob, and sniff/copy the second part on subsequent attempts, allowing him to steal the code...and your car. A, B, and C are incorrect. A BlueBorne attack is basically an amalgamation of techniques and attacks against known, already existing Bluetooth vulnerabilities. KeyFobbing and Auto Scrolling don't exist.

Which of the following best describes a red team?

Security team members attacking a network B is correct. The team simulating an attacking force is considered to be red. In a traditional war game scenario, the red team is attacking "black box" style, given little to no information to start things off. A, C, and D are incorrect. Blue teams are defensive-oriented. They concentrate on preventing and mitigating the attacks and efforts of the red team/bad guys, and operate with full knowledge of internal networking. Outside attackers is irrelevant here.

Which of the following is an example of a logical control?

Security tokens D is correct. Of the answers provided, security tokens are the only example of a logical (technical) control. A, B, and C are incorrect. The remaining answers are not technical controls

Your team is testing a server that serves PHP pages for the Shellshock vulnerability. Which of the following actions should you take?

Send specially created environment variables and trailing commands. A is correct. Shellshock allows an attacker to add trailing information in environment variables. B, C, and D are incorrect. These answers do not match the Shellshock vulnerability

Which of the following best describes a primary security principle that cloud computing can provide?

Separation of duties A is correct. Of the choices available, separation of duties makes the most sense. Cloud computing moves computing processes from internal to external. It also separates the role of data owner from the role of data custodian. B, C, and D are incorrect. Need to know, least privilege, and job rotation really aren't affected by cloud computing one way or another.

Which of the following attacks an already-authenticated connection?

Session hijacking C is correct. Session hijacking takes advantage of connections already in place and already authenticated. The attacker then monitors sequence numbers and, if he guesses correctly, jumps right into the conversation. A, B, and D are incorrect. Smurf is a DoS attack using ICMP (in a broadcast PING attack). A denial of service is just what it sounds like. Phishing is a social engineering effort.

Amanda is a pen test team member scanning systems on an event. She notices a system using port 445, which is active and listening. Amanda issues the following command: for /f "tokens=1 %%a in (myfile.txt) do net use * \\192.168.1.3\c$ /user."administrator" %%a Which of the following best describes what Amanda is trying to accomplish?

She is trying to password-crack the user account named "administrator." A is correct. Amanda is attempting to successfully log in to the user account called "administrator" using a list of passwords in the myfile.txt file. Port 445 is for Microsoft-DS SMB file sharing. B, C, and D are incorrect. Although the admin account may get locked out eventually, it's not the purpose of this script to accomplish that. It is also not enumerating users or elevating a privilege for another account. Question ID: 22411

An attacker wants to verify live targets on a network, but no ICMP packets seem to successfully do the job. Which of the following options might work in this situation?

TCP ping B is correct. A single target not responding doesn't necessarily means it's not "awake"—there could be several reasons it's not providing any answer. If you suspect ICMP is blocked, try a TCP ping. The integrated Windows ping utility can't ping over TCP, so you may have to use tcping.exe (or another comparable tool). A, C, and D are incorrect. Traceroute is designed to display path information and relies on ICMP and TTL flags for answers. Nslookup might work in a zone transfer to tell you what systems DNS knows about, but it can't tell you what's necessarily alive. A broadcast ping is simply ICMP sent to the broadcast address in the subnet.

Which one of the following DoS categories goes after load balancers, firewalls, and application servers by attacking connection state tables?

TCP state-exhaustion attacks A is correct. These attacks go after load balancers, firewalls, and application servers by attempting to consume their connection state tables. B, C, and D are incorrect. Volumetric attacks, also known as bandwidth attacks, consume all available bandwidth for the system or service. Application attacks consume resources necessary for the application to run, effectively making it unavailable to others. Fragmentation attacks take advantage of the system's ability (or lack thereof) to reconstruct fragmented packets.

Which of the following is a password-cracking tool?

THC Hydra B is correct. THC Hydra uses dictionary methods for password cracking. Per the site, "When you need to brute force crack a remote authentication service, Hydra is often the tool of choice. It can perform rapid dictionary attacks against more than 50 protocols, including telnet, ftp, http, https, smb, several databases, and much more." A, C, and D are incorrect. Hping is a powerful network scanner, and Wireshark is a standard in sniffing traffic. PackETH is a packet crafter

Which of the following are aspects of the Common Criteria testing process?

TOE ST PP . EAL E is correct. "Common Criteria" is an international standard (ISO/IEC 15408) for computer security certification that provides a framework for computer system users to specify their security functional and assurance requirements (SFRs and SARs, respectively). Vendors can implement and make claims about the security attributes of their products, and testing laboratories can evaluate the products to determine whether they actually meet the claims. There are four aspects to the test—a target of evaluation (TOE, the system being tested), a security target (ST, the documentation describing the TOE and requirements), protection profile (PP, the requirements for the type of product being tested), and the evaluation assurance level (EAL, the rating level, ranked from 1 to 7).

Which of the following attacks is directly mitigated via the use of a man trap?

Tailgating D is correct. The whole idea of a man trap is to have a single person's credentials and authorization to proceed verified before she can enter the building. No one can tailgate a man trap because only one person at a time is allowed in. A, B, and C are incorrect. Dumpster diving has nothing to do with a man trap. Shoulder surfing and eavesdropping are done once you're already inside the building.

A web server sits behind a firewall and offers HTTP and HTTPS access to a website and web applications. External users access the server for various web applications. Which of the following statements is true regarding the protection offered by the firewall?

The firewall doesn't protect against port 80 and port 443 attacks. B is correct. The question states that users are accessing the server over HTTP and HTTPS. This indicates the standard ports 80 and 443 must be open on the firewall. Of course, as we all know, there is nothing restricting the use of any port for any purpose—port 80 can carry anything an attacker wants it to carry—but standard port numbering and purposes can be used on most of your exam. A, C, and D are incorrect. Firewalls aren't designed to discern whether traffic is malicious or not: they either allow or block traffic. Firewalls are most definitely not the only security requirement for any system, and there are no authentication mechanisms to go through; either traffic is allowed or it is not.

You are examining an internal web server and discover there are two hours missing from the log files. No users complained of downtime or accessibility issues. Which of the following is most likely true?

The server was compromised by an attacker. B is correct. It's a web server used by employees all day during normal business hours and there's "nothing" in the log? Despite this, none of the users complained about it being down at all? No, we think this one is going to require some forensics work. Call the IR team. A, C, and D are incorrect. The log file being corrupted would've been throughout. A crisp two-hour window doesn't match up with that. If the system were rebooted, that in and of itself would've shown in the log. It defies common sense and probability that absolutely nothing occurred to the web server during normal business hours.

A pen test team starts a particular effort by visiting the company's website. Next, a team member goes to social networking sites and job boards looking for information and building a profile on the organization. Which of the following statements are true regarding these efforts? (Choose two.)

The team is gathering competitive intelligence. The team is practicing passive footprinting. B and D are correct. Footprinting competitive intelligence is a passive effort. Competitive intelligence, by its nature, is open and accessible to anyone, and passive footprinting is an effort that doesn't put you at risk of discovery. A and C are incorrect. This is not an active effort; no internal targets have been touched (that is, there's no record of malicious traffic between them), and there is little to no risk of discovery here. Competitive intelligence refers to information the company wants the world to see. Sure, it can be used against th

You are examining malware code and discover that a particular piece copies itself into the location HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. What is the purpose of this?

To ensure the malware runs at every login to the OS. B is correct. This key indicates an application that should run as soon as the user logs in to the system. A, C, and D are incorrect. An application found in this key does not run at every boot, and an entry here does nothing to hide it from antivirus software on the system. All applications do not need to appear in this registry key.

A pen test specialist is running netcat to transfer a file between two hosts and becomes concerned the traffic is being sniffed. Which of the following methods is the best way to ensure the transfer is protected from sniffing?

Use CryptCat instead. A is correct. CryptCat is the encrypted version of netcat. B, C and D are incorrect. Traffic on a switched network can still be sniffed. Promiscuous mode on the NIC has nothing to do with encryption. The -e option in netcat does nothing for encryption.

Which footprinting tool or technique can be used to find names and addresses of technical points of contact?

Whois A is correct. Whois provides information on the domain registration, including technical and business POC addresses and e-mails. As an interesting side note, proxy registrations and sometimes general inaccuracy of data can sometimes, in the real world, make it difficult to know the truth of who owns what. B, C, and D are incorrect. Nslookup and dig provide DNS resolution information, and traceroute maps ICMP pathways between hosts.

Which of the following consists of a publicly available set of databases containing domain name registration contact information?

Whois D is correct. Whois provides all sorts of information on registrants—technical POCs, who registered the domain, contact numbers, and so on. A, B, and C are incorrect. CAPTCHA is a means to distinguish human from machine input, where a text entry or a picture identification requires a real human to click or enter it. IANA regulates IP allocation, and IETF is a standards organization.

Which Google operator is the best choice in searching for a particular string in the website's title?

intitle: D is correct. Google hacking refers to manipulating a search string with additional specific operators to search for valuable information. The intitle: operator will return websites with a particular string in their title. Website titles contain all sorts of things—from legitimate descriptions of the page or author information, to a list of words useful for a search engine. A, B, and C are incorrect. The intext: operator looks for pages that contain a specific string in the text of the page body. The inurl: operator looks for a specific string within the URL. The site: operator limits the current search to only the specified site (instead of the entire Internet).

Which of the following is the proper syntax on Windows systems for spawning a command shell on port 8080 using Netcat?

nc -L 8080 -t -e cmd.exe C is correct. This is the correct syntax on Windows for using Netcat to leave a command shell open on port 8080. A, B, and D are incorrect. None of these is the proper syntax.

Which of the following provides a means to discover an organization's restricted URLs and possibly OS information from selected targets?

netcraft D is correct. Netcraft has been around for a while and is highlighted repeatedly by ECC. It can be used to discover restricted URLs and to fingerprint OS information.