Ethical Hacking Chapter #1

Pataasin ang iyong marka sa homework at exams ngayon gamit ang Quizwiz!

reusability

Having access controls on predefined parameters can help increase the level of security One user or program may not reuse or manipulate objects that another user or program is currently accessing in order to prevent violation of security

Active - modify the target system Passive - violate the confidentiality of a system's data without affecting the state of that system

How are attacks can be classified as?

TCP ICMP IP optimizes UDP scanning

How does unicorn scan handle port scanning

Many security testers use the ____ tool to bypass filtering devices by injecting modified IP packets. a. Tcpdump c. Nmap b. Hping d. Nessus

Hping

The ____ tool enables you to craft an IP packet to your liking. a. Unicornscan c. Nmap b. Hping d. Ethereal

Hping

port 80

Hypertext Transfer Protocol (HTTP) Used when connecting to a Web server

First byte is reserved for network address Last three bytes are available for host computers Supports more than 16 million host computers Limited number of Class A networks Reserved for large corporations and governments Format: network.node.node.node

IP addressing Class A consists of what?

Divided evenly Two-octet network address Two-octet host address Supports more than 65,000 hosts Assigned to large corporations and Internet Service Providers (ISPs) Format: network.network.node.node

IP addressing class A consists of what

Three-octet network address and one-octet host address More than two million Class C addresses Supports up to 254 host computers Usually available for small business and home use Format: network.network.network.node

IP addressing class C consists of what

Consists of four bytes Divided into two components Network address Host address

IP addressing consists of how many bytes? divided into how many components

enables multiple users to communicate over the Internet in discussion forums

IRC

program that sends automatic responses to users, giving the appearance of a person being present on the other side of the connection

IRC "bot"

Why are employees sometimes not told that the company is being monitored?

If a company knows that it's being monitored to assess the security of its systems, employees might behave more vigilantly and adhere to existing procedures. Many companies don't want this false sense of security; they want to see how personnel operate without forewarning that someone might attempt to attack their network.

If subnetting is used in an organization, you can include the broadcast address by mistake when performing ping sweeps. How might this happen?

If you decide to use ping sweeps, be careful not to include the broadcast address in your range of addresses. You can do this by mistake if subnetting is used in an organization. For example, if the IP address 193.145.85.0 is subnetted with a 255.255.255.192 subnet mask, four subnets are created: 193.145.85.0, 193.145.85.64, 193.145.85.128, and 193.145.85.192. The broadcast addresses for each subnet are 193.145.85.63, 193.145.85.127, 193.145.85.191, and 193.145.85.255, respectively. If a ping sweep was inadvertently activated on the range of hosts 193.145.85.65 to 193.145.85.127, an inordinate amount of traffic could flood through the network because the broadcast address of 193.145.85.127 was included. This would be more of a problem on a Class B address, but if you perform ping sweeps, make sure your client signs a written agreement authorizing the testing.

How can a computer criminal use HTTP methods before running an exploit on a server?

If you know HTTP methods, you can send a request to a Web server and, from the generated output, determine what OS the Web server is using. You can also find other information that could be used in an attack. After you determine which OS version a company is running, you can search for any exploits that might be used against that network's systems.

Why is port scanning useful for hackers?

Port scanning helps you answer questions about open ports and services by enabling you to quickly scan thousands or even tens of thousands of IP addresses. Many port-scanning tools produce reports of their findings, and some give you best-guess assessments of which OS is running on a system. Most, if not all, scanning programs report open ports, closed ports, and filtered ports in a matter of seconds. When a Web server needs to communicate with applications or other computers, for example, port 80 is opened. An open port allows access to applications and can be vulnerable to an attack. A closed port does not allow entry or access to a service. For instance, if port 80 is closed on a Web server, users wouldn't be able to access Web sites. A port reported as filtered might indicate that a firewall is being used to allow specified traffic in or out of the network.

port 110

Post Office Protocol 3 (POP3) Used for retrieving e-mail

reconnaissance

Preparatory phase where an attacker gathers as much information as possible about the target prior to launching the attack

Denial of service attack

Prevents legitimate users from accessing network resources Some forms do not involve computers

steganography

Process of hiding data in other data, for instance image and sound files

Macroviruses

Programs that support a macro programming language (e.g., Visual Basic for Applications) Lists of commands Can be used in destructive ways

"____" is not a domain tested for the CEH exam. a. Sniffers c. Footprinting b. Social engineering d. Red team testing

Red team testing

port 135

Remote Procedure Call (RPC) Critical for operation of Microsoft Exchange Server and Active Directory

Worms: examples are code red and numda Theoretically can infect every computer in the world over a short period

Replicates and propagates without a host

The ____ Institute Top 20 list details the most common network exploits and suggests ways of correcting vulnerabilities. a. SANS c. CERT b. CompTIA d. ISECOM

SANS

the main protocol for transmitting e-mail messages across the Internet

SMTP

primarily used to monitor devices on a network, such as remotely monitoring a router's state

SNMP

enables a remote user to log on to a server and issue commands

SSH

TCP header flag that signifies the beginning of a session

SYN

A computer that receives a SYN packet from a remote computer responds to the packet with a(n) ____ packet if its port is open. a. FIN c. SYN/ACK b. RST d. ACK

SYN/ACK

____ is a Web tool used to gather IP and domain information. It is available for both UNIX and Window OSs. a. Samba c. SamSpade b. Bugnosis d. FOCA

SamSpade

A ____ or batch file is a text file containing multiple commands that are normally entered manually at the command prompt. a. script c. snippet b. program d. signature

Script

Some hackers are skillful computer operators, but others are younger inexperienced people who experienced hackers refer to as ____. a. script kiddies c. packet sniffers b. repetition monkeys d. crackers

Script kiddies

In a(n) ____, the tester does more than attempt to break in; he or she also analyzes the company's security policy and procedures and reports any vulnerabilities to management. a. penetration test c. hacking test b. security test d. ethical hacking test

Security Test

____ takes penetration testing to a higher level. a. Hacking c. Security testing b. Cracking d. Packet sniffing

Security testing

Internet Control Message Protocol (ICMP)

Sends messages related to network operations Helps troubleshoot network connectivity problems Ping command Tracks the route a packet traverses Traceroute command

____ can be used to read PINs entered at ATMs or to detect long-distance authorization codes that callers dial. a. Shoulder surfing c. Zone transferring b. Footprinting d. Social engineering

Shoulder surfing

To help prevent ____ attacks, you must educate your users not to type logon names and passwords when someone is standing directly behind them—or even standing nearby. a. shoulder-surfing c. piggybacking b. footprinting d. social engineering

Shoulder-surfing

port 25

Simple Mail Transfer Protocol (SMTP) E-mail servers listen on this port

____ means using a knowledge of human nature to get information from people. a. Fingerprinting c. Zone transferring b. Footprinting d. Social engineering

Social engineering

What type of information is usually gathered by social engineering?

Social engineering means using a knowledge of human nature to get information from people. In computer attacks, the information is usually a password to a network or other information an attacker could use to compromise a network. A salesperson can get personal information about customers, such as income, hobbies, social life, drinking habits, music preferences, and the like, just by asking the customer the right questions. A salesperson uses charm and sometimes guile to relax customers. In a sense, a salesperson attempts to bond with customers by pretending to be empathetic with them. After leaving the store, customers might regret some of the information they freely gave, but if the salesperson was personable, they might not think twice about the personal information the salesperson elicited. Social engineers might also use persuasion tactics, intimidation, coercion, extortion, and even blackmail to gather the information they need. They are probably the biggest security threat to networks and the most difficult to protect against.

____ can be used to gather information useful for computer criminals, like company phone directories, financial reports, interoffice memos, resumes of employees, etc. a. Shoulder surfing c. Piggybacking b. Footprinting d. Dumpster diving

dumpster diving

Describe an example of a macro virus.

The most infamous macro virus is Melissa, which appeared in 1999. The virus was initiated after a user opened an infected document; the virus then sent an e-mail message to the first 50 entries it located in the infected computer's address book.

What is a Class B IP address?

These address are evenly divided between a two-octet network and a two-octet host address, allowing more than 65,000 host computers per Class B network address. Large organizations and Internet service providers are often assigned Class B Internet addresses. Class B addresses have the format "network.network.node.node".

Often technical personnel who aren't familiar with security techniques think that restricting access to ports on a router or firewall can protect a network from attack. Is this a good solution?

This is easier said than done. After all, if a firewall prevents any traffic from entering or exiting a network on port 80, you have indeed closed a vulnerable port to access from hackers. However, you have also closed the door to Internet access for your users, which probably isn't acceptable to your company. The tricky (and almost impossible) part for security personnel is attempting to keep out the bad guys while allowing the good guys to work and use the Internet.

What are the problems on depending on ping sweeps to find out which hosts are "live"?

To find out which hosts are "live," ping sweeps simply ping a range of IP addresses and see what type of response is returned. The problem with relying on ping sweeps to identify live hosts is that a computer might be shut down at the time of the sweep, indicating that the IP address does not belong to a live host. Another problem with ping sweeps is that many network administrators configure nodes to not respond to an ICMP Echo Request (type 8) with an ICMP Echo Reply (type 0). This doesn't mean the computer isn't alive; it just means it isn't replying to the attack computer at that moment. Add to that the possibility of a firewall filtering out ICMP traffic, and you have many reasons for using caution when running ping sweeps.

What is the most important recommendation that should be made to a client to help prevent viruses from being introduced into corporate networks?

To help prevent viruses from being introduced into corporate networks, the most important recommendation you should make to a client is to update virus signature files as soon as they're available from the vendor. Most antivirus software does this automatically or prompts the user to do so. An organization can't depend on employee vigilance to protect its systems, so centralizing all antivirus software updates from a corporate server is prudent.

can be set to 0 off or 1 on

each flag occupies one bit of the TCP segment

secure shell (SSH)

enables a remote user to log on to a server securely and issue commands interactively

internet relay chat (IRC)

enables multiple users to comm over the internet in discussion forums

telnet

enables users to log on to a server remotely and issue commands interactively

Attempt to cause users on a network to flood each other with data, making it appear as if everyone is attacking each other

What are smurf attacks

Persuasion Intimidation Coercion Extortion/blackmailing

What are social engineering tactivs

black box testing, white box testing, and gray box testing

What are the 3 categories for ethical hacking testing?

former black hats white hats consulting firms

What are the ethical hackers categories?

preparation, conduct, and conclusion

What are the three phases of security testing

used to erase the attacker's activities from the system's log files

What are trojans like ps or netcat used for

sometimes employed by companies to perform penetration tests

ethical hacker

Disclosure, deception, disruption, and usurpation

examples of loss

A closed port can be vulnerable to an attack.

false

A closed port responds to a SYN scan with an RST packet, so if no packet is received, the best guess is that the port is open.

false

A disadvantage of Nmap is that it is very slow because it scans all the 65,000 ports of each computer in the IP address range.

false

A hex number is written with two characters, each representing a byte.

false

In the TCP/IP stack, the Transport layer includes network services and client software.

false

Malware programs cannot be detected by antivirus programs.

false

Namedroppers is a tool that can be used to capture Web server information and possible vulnerabilities in a Web site's pages that could allow exploits such as SQL injection and buffer overflows.

false

The HTTP CONNECT method starts a remote application-layer loopback of the request message.

false

To retrieve e-mail from a mail server, you most likely access port 119.

false

might indicate that a firewall is being used

filtered port

Based on the starting decimal number of the ____ byte, you can classify IP addresses as Class A, Class B, or Class C. a. first c. third b. second d. fourth

first

In computer jargon, the process of finding information on a company's network is called ____________________.

footprinting

accesses a computer system or network without the authorization of the system's owner

hacker

An April 2009 article in USA Today revealed that the federal government is looking for ____ to pay them to secure the nation's networks. a. crackers c. hackers b. IT professionals d. security testers

hackers

suicide hackers

hacktivists who are willing to become martyrs for their cause

Each character represents a nibble Value contains alphabetic letters A representing 10 and F representing 15

hex consists of 2 characters

Convert each nibble to binary Convert binary value to decimal

hex number in binary or decimal

Uses 16 as its base Supports numbers from 0 to 15

hexadecimal number system uses what as a base

Group of 8 bits Can represent 28 (256) different colors

how are bytes grouped?

Encoding base 64 Used to reduce size of e-mail attachments Represents zero to 63 using six bits A is 000000... Z is 011001

how are viruses encoded

Use turnstiles Train personnel to notify security about strangers Do not hold secured doors for anyone Even people they know All employees must use access cards

how do you prevent piggybacking

Watch authorized personnel enter an area Quickly join them at security entrance Exploit desire to be polite and helpful Attacker wears a fake badge or security card

how does piggybacking work

Attacker creates a large ICMP packet More than allowed 65,535 bytes Large packet is fragmented into small packets Reassembled at destination Destination point cannot handle reassembled oversize packet Causes it to crash or freeze

how does ping of death attacks work?

1023

how many ports are considered well known

Create groups of four characters Convert decimal value of each letter to binary Rewrite as three groups of eight bits Convert binary into decimal

in viruses, how do you convert 64 strings to decimal equivalent

application layer

includes network services and client software

In TCP, the ______________________________ is a 32-bit number that tracks the packets received by the node and allows reassembling of large packets that have been broken up into smaller packets.

initial sequence number (ISN) ISN initial sequence number

IDS stands for ____. a. Intrusion Detection System c. Information Destruction System b. Information Dissemination System d. Intruder Dispersal System

instruction detection system

In the TCP/IP stack, the ____ layer uses IP addresses to route packets. a. Internet c. Transport b. Network d. Application

internet

____ are devices or computer programs that can be used to capture keystrokes on a computer. a. Viruses c. Macro viruses b. Keyloggers d. Firewalls

keyloggers

network layer

layer represents the physical network pathway and the network interface card

A(n) ____________________ is a virus encoded as a macro in programs that support a macro programming language, such as Visual Basic for Applications (VBA).

macro virus

____________________ is malicious software, such as a virus,worm, or Trojan program, introduced to a network for just that reason.

malware

2005 hybrid worm with backdoor capabilities spread by mass e-mailing and exploiting Windows vulnerabilities

mytob

____________________ or rootkits are computer programs that give attackers a means of regaining access to the attacked computer later.

backdoors

gray hats

believe in full disclosure (information is better out in the open than kept in secret

puts the burden on the tester to find out what technologies the company is using

black box model

In the TCP/IP stack, the ____ layer is concerned with physically moving electrons across a medium. a. Internet c. Transport b. Network d. Application

network

allows access to applications

open port

Derogatory term referring to people who copy code from knowledgeable programmers instead of creating the code themselves.

packet monkey

copies code from knowledgeable programmers instead of creating the code himself/herself

packet monkey

operates on ports 65301, 22, 5631, and 5632

pcAnywhere

In a(n) ____________________, an ethical hacker attempts to break into a company's network to find the weakest link in that network or one of its systems.

penetration test

____ is trailing closely behind an employee who has access to an area without the person realizing that you didn't use a PIN or a security badge to enter the area. a. Shoulder surfing c. Piggybacking b. Footprinting d. Dumpster diving

piggybacking

To verify if all the IP addresses of a network are being used by computers that are up and running, you can use a port scanner to ____________________ the range of IP addresses.

ping

Port scanners can also be used to conduct a(n) ____________________ of a large network to identify which IP addresses belong to active hosts.

ping sweep

An OpenVAS____________________ is a security test program (script) that can be selected from the client interface.

plug-in

A(n) ____ is the logical, not physical, component of a TCP connection. a. ISN c. port b. socket d. SYN

port

simple network management protocol (SNMP)

primarily used to monitor devices on a network, such as monitoring a router's state remotely.

PKI stands for ____. a. Public Key Infrastructure c. Protected Key Infrastructure b. Private Key Infrastructure d. Primary Key Infrastructure

public key infratructure

composed of people with varied skills who perform penetration tests

red team

A ____ is created after an attack and usually hides itself within the OS tools, so it's almost impossible to detect. a. toolbox c. shell b. rootkit d. macro virus

rootkit

Trojan Programs can install a backdoor or ____ on a computer. a. rootkit c. worm b. shell d. macro virus

rootkit

set of instructions that runs in sequence to perform tasks on a computer system

script

Many experienced penetration testers can write computer programs or ____ in Perl or the C language to carry out network attacks. a. kiddies c. scripts b. packets d. crackers

scripts

____ enables an attacker to join a TCP session and make both parties think he or she is the other party. a. A DoS attack c. A buffer overflow attack b. The Ping of Death d. Session hijacking

session hijacking

____ is an attack that relies on guessing the ISNs of TCP packets. a. ARP spoofing c. DoS b. Session hijacking d. Man-in-the-middle

session hijacking

executable piece of programming code that should not appear in an e-mail attachment

shell

A(n) ____________________ is a person skilled at reading what users enter on their keyboards, especially logon names and passwords.

shoulder surfer

Antivirus software compares ____________________ of known viruses against the files on the computer; if there's a match, the software warns you that the program or file is infected.

signatures programming code

SYN flag: synch flag ACK flag: acknowledgment flag PSH flag: push flag URG flag: urgent flag RST flag: reset flag FIN flag: finish flag

six TCP segment flags

purported to have shut down more than 13,000 ATMs

slammer

Some attackers want to be hidden from network devices or IDSs that recognize an inordinate amount of pings or packets being sent to their networks, so they use ____________________ attacks that are more difficult to detect.

stealth

In addition to a unique network address, each network must be assigned a(n) ____________________, which helps distinguish the network address bits from the host address bits.

subnet mask

Simple mail transfer protocol (SMTP)

the main protocol for transmitting email messages across the internet

Hypertext transfer protocol (HTTP)

the primary protocol used to communicate over the web

security

the state of well-being of a system's data and infrastructure

The collection of tools for conducting vulnerability assessments and attacks is sometimes referred to as a "____". a. black box c. gray box b. white box d. tiger box

tiger box

TCP stands for ____. a. Transfer Control Protocol c. Transfer Congestion Protocol b. Transmission Control Protocol d. THE Control Protocol

transmission control protocol

In the TCP/IP stack, the ____ layer is concerned with controlling the flow of data, sequencing packets for reassembly, and encapsulating the segment with a TCP or UDP header. a. Internet c. Transport b. Network d. Application

transport

One of the most insidious attacks against networks and home computers worldwide is ____, which disguise themselves as useful computer programs or applications. a. macro viruses c. spyware programs b. worms d. Trojan programs

trojan programs

Software keyloggers behave like ____ and are loaded on a computer. a. Trojan programs c. shells b. viruses d. firewalls

trojan programs

An octal digit can be represented with only three bits because the largest digit in octal is seven.

true

Computer crime is the fastest growing type of crime worldwide.

true

Network attacks often begin by gathering information from a company's Web site.

true

No matter what medium connects computers on a network—copper wires, fiber-optic cables, or a wireless setup—the same protocol must be running on all computers if communication is going to function correctly.

true

Port scanning is a method of finding out which services a host computer offers.

true

Some cookies can cause security issues because unscrupulous people might store personal information in cookies that can be used to attack a computer or server.

true

The average home user or small-business owner doesn't typically use Telnet.

true

The most effective approach to protect a network from malware being introduced is to conduct structured training of all employees and management.

true

To limit the amount of information a company makes public, you should have a good understanding of what a competitor would do to discover confidential information.

true

Wget is a tool that can be used to retrieve HTTP, HTTPS, and FTP files over the Internet.

true

You can search for known vulnerabilities in a host computer by using the Common Vulnerabilities and Exposures Web site.

true

Limited vulnerability analysis Attack and penetration testing

two most common approaches to security testing conduct phase

Half a byte or four bits Helps with reading numbers by separating the byte Example: 1111 1010 versus 11111010

understanding nibbles

In an ACK scan, if the attacked port returns an RST packet the attacked port is considered to be "____". a. open c. unfiltered b. closed d. unassigned

unfiltered

white hats

use skills for defensive purposes

black hats

use skills for illegal or malicious purposes

internet layer

uses IP addresses to route packets to the correct destination network

A ____ can replicate itself, usually through an executable program attached to an e-mail. a. shell c. keylogger b. virus d. rootkit

virus

Obtain confidential information (passwords) Obtain other personal information

what are goals of social engineering

Used to capture keystrokes on a computer Software Loaded on to computer Behaves like Trojan programs Hardware Small and easy to install device Goes between keyboard and computer Examples: KeyKatcher and KeyGhost

what are keyloggers

Can pick deadbolt lock in less than five minutes After only a week or two of practice

what are lock up servers

Executable piece of programming code Creates interface to OS for issuing commands Should not appear in an e-mail attachment

what are shells in viruses

Binoculars or high-powered telescopes Key positions and typing techniques Popular letter substitutions $ equals s, @ equals a

what are shoulder surfer tools

Reads what users enter on keyboards Logon names Passwords PINs

what are shoulder surfers

Urgency Quid pro quo Status quo Kindness Position

what are social engineering techniques

software (personal) and hardware (enterprise)

what are the 2 firewalls?

Owner permissions (rwx) Group permissions (rwx) Other permissions (rwx) Setting permission (rwxrwxrwx) means they all have read, write, and execute permissions

what are the UNIX permissions

Insidious attack against networks and computers Disguise themselves as useful programs Can install backdoors and rootkits Allow attackers remote access

what are trojan programs

Discarded computer manuals Passwords jotted down Company phone directories Calendars with schedules Financial reports Interoffice memos Company policy Utility bills Resumes

what can be found in dumpster diving

Web server OS Names of IT personnel

what can you determine with just a URL

pull info from a web server

what do HTTP commands do?

Identifies traffic on unfamiliar ports

what do good software or hardware firewall do?

Open ports Closed ports Filtered ports Best-guess running OS

what do port scanning programs report

Cripples the network Makes it vulnerable to other attacks

what does attempting to access information do

OS runs this code Code elevates attacker's permission Administrator, owner, or creator

what happens when an attacker writes code that overflows buffer

Commonly used Gathers IP address and domain information Attackers can also use it

what is Whois

One-pixel by one-pixel image file Referenced in an <IMG> tag Usually works with a cookie Purpose similar to spyware and adware Comes from third-party companies Specializing in data collection

what is a web bug

purpose: Determine user's purchasing habits Tailors advertisement problem: Slows down computers

what is adware's main purpose? or problem?

Look over the location Find weakness in security systems Types of locks and alarms used

what is case the joint

Gathering information using technology

what is competitive intelligence

Finding information on company's network Passive and nonintrusive Several available Web tools

what is footprinting

Powerful tool for UNIX and Windows OSs Requires Java J2SE

what is paros

Usually framed as urgent request to visit a Web site Web site is a fake

what is phishing

Trailing closely behind an employee cleared to enter restricted areas

what is piggybacking

Finds which services are offered by a host Identifies vulnerabilities

what is port scanning

Enables attacker to join a TCP session Attacker makes both parties think he or she is the other party Complex attack Beyond the scope of this book

what is session hijacking

adware: installed without users being aware

what is similar to spyware.

Convincing other people to reveal information such as unlisted phone numbers, passwords, etc.

what is social engineering

Combines social engineering and exploiting vulnerabilities E-mail attacks directed at specific people Comes from someone the recipient knows Mentions topics of mutual interest

what is spear phishing

helps protect against spyware and and adware

what is spybot and ad-aware?

Uses 8 as its base Supports values from 0 to 7

what is the base for the octal numbering system

spyware

what sends information from infected computer to attacker

Loss of bandwidth Degradation or loss of speed

what will flooding a network with billions of packets do

In the ____________________ model, the tester is told what network topology and technology the company is using and is given permission to interview IT personnel and company employees.

white box

Require pushing in a sequence of numbered bars

why are rotary locks harder to pick

New viruses, worms, and Trojan programs appear daily

why is it difficult to protect against malware attacks

A ____ is a computer program that replicates and propagates itself without having to attach itself to a host. a. virus c. worm b. Trojan d. shell

worm

In a Linux script, the line ____ is important because it identifies the file as a script. a. #!/bin/sh c. #!/bin/shscript b. #!/bin/script d. #!/bin/sc

#!/bin/sh

In a ____ attack, a programmer finds a vulnerability in poorly written code that doesn't check for a defined amount of memory space use. a. buffer overflow c. DDoS b. DoS d. session hijacking

buffer overflow

the primary protocol used to communicate over the World Wide Web

HTTP

Request not understood by server

HTTP 400 Bad Request

Server understands request but refuses to comply

HTTP 403 Forbidden

Unable to match request

HTTP 404 Not Found

Request not allowed for the resource

HTTP 405 Method Not Allowed

Request not made by client in allotted time

HTTP 408 Request Timeout

Request could not be fulfilled by server

HTTP 500 Internal Server Error

Server received invalid response from upstream server

HTTP 502 Bad Gateway

Server is unavailable due to maintenance or overload

HTTP 503 Service Unavailable

Server did not receive a timely response

HTTP 504 Gateway Timeout

Operating system attacks Application-level attacks Shrink-wrap code attacks Misconfiguration attacks

Hacker attacks can be categorized as what?

The U.S. Department of Justice labels all illegal access to computer or network systems as "____". a. cracking c. sniffing b. hacking d. trafficking

Hacking

port 119

Network News Transfer Protocol Used to connect to a news server for use with newsgroups

List at least five domains tested for the Certified Ethical Hacker (CEH) exam.

- Ethics and legal issues - Footprinting - Scanning - Enumeration - System hacking - Trojan programs and backdoors - Sniffers - Denial of service - Social engineering - Session hijacking - Hacking Web servers - Web application vulnerabilities - Web-based password-cracking techniques - Structured Query Language (SQL) injection - Hacking wireless networks - Viruses and worms - Physical security - Hacking Linux - Intrusion detection systems (IDSs), firewalls, and honeypots - Buffer overflows - Cryptography - Penetration-testing methodologies

What are four different skills a security tester needs?

- Knowledge of network and computer technology - Ability to communicate with management and IT personnel - An understanding of the laws that apply to your location - Ability to apply the necessary tools to perform your tasks

The ____ option of Nmap is used to perform a TCP SYN stealth port scan. a. -sS c. -sV b. -sU d. -S

-sS

What steps are involved in TCP's "three-way handshake"?

1. Host A sends a TCP packet with the SYN flag set (that is, a SYN packet) to Host B. 2. After receiving the packet, Host B sends Host A its own SYN packet with an ACK flag (a SYN-ACK packet) set. 3. In response to the SYN-ACK packet from Host B, Host A sends Host B a TCP packet with the ACK flag set (an ACK packet).

The POP3 service uses port ____. a. 110 c. 135 b. 119 d. 139

110

The Network News Transport Protocol service uses port ____. a. 110 c. 135 b. 119 d. 139

119

The Microsoft RPC service uses port ____. a. 110 c. 135 b. 119 d. 139

135

The NetBIOS service uses port ____. a. 110 c. 135 b. 119 d. 139

139

The binary number 11000001 converted to decimal is ____. a. 128 c. 193 b. 164 d. 201

193

Currently, the CEH exam is based on ____ domains (subject areas) with which the tester must be familiar. a. 11 c. 31 b. 22 d. 41

22

The SMTP service uses port ____. a. 25 c. 69 b. 53 d. 80

25

Each Class C IP address supports up to ____ host computers. a. 254 c. 65,000 b. 512 d. 16 million

254

ISN

32-bit number Tracks packets received by a node Allows reassembly of large packets Sent on steps one and two of TCP three-way handshake Sending node ISN is sent with SYN packet Receiving node ISN is sent back to sending node with SYN-ACK packet

The DNS service uses port ____. a. 25 c. 69 b. 53 d. 80

53

To represent 0 to 63 characters you need only ____ bits. a. four c. six b. five d. seven

6

The TFTP service uses port ____. a. 25 c. 69 b. 53 d. 80

69

An octet is equal to ____________________ bits, which equals one byte.

8

HTTP uses port ____ to connect to a Web service. a. 21 c. 25 b. 22 d. 80

80

The HTTP service uses port ____. a. 25 c. 69 b. 53 d. 80

80

What is the purpose of a Web bug? How do they relate to or differ from spyware?

A Web bug is a 1-pixel x 1-pixel image file referenced in an <IMG> tag, and it usually works with a cookie. Its purpose is similar to that of spyware and adware: to get information about the person visiting the Web site. Web bugs are not from the same Web site as the Web page creator. They come from third-party companies specializing in data collection. Security professionals need to be aware of cookies and Web bugs to keep these information-gathering tools off company computers.

exposure

A breach in security Can vary from one company to another, or even from one department to another loss due to an exploit

Reconnaissance Scanning Gaining access Maintaining access Covering tracks

What are five phases that make up an attack

____ is concerned with the security of computers or devices that are part of a network infrastructure. a. Attack security c. Computer security b. Cybercrime d. Network security

Network security

The ____ tool was originally written for Phrack magazine in 1997 by Fyodor. a. Unicornscan c. Nessus b. Fping d. Nmap

Nmap

What is a DDoS attack?

A distributed denial-of-service (DDoS) attack is launched against a host from multiple servers or workstations. In a DDoS attack, a network could be flooded with literally billions of packets; typically, each participant in the attack contributes only a few of the total number of packets. If one server bombards an attacked server with hundreds or even thousands of packets, available network bandwidth could drop to the point that legitimate users notice a performance degradation or loss of speed. Now imagine 1000 servers or even 10,000 servers involved, with each server sending several thousand IP packets to the attacked server. There you have it: a DDoS attack. Keep in mind that participants in the attack often aren't aware their computers are taking part in the attack. They, too, have been attacked by the culprit. In fact, in one DDoS attack, a company was flooded with IP packets from thousands of Internet routers and Web servers belonging to Yahoo.com.

What types of ports do successful Trojan programs commonly use?

A good software or hardware firewall would most likely identify traffic that's using unfamiliar ports, but Trojan programs that use common ports, such as TCP port 80 (HTTP) or UDP port 53 (DNS), are more difficult to detect. The programmer who wrote Backdoor.Slackbot.B controlled a computer by using Internet Relay Chat (IRC), which is on port 6667.

Architecture and configuration of the target system Skill level of the perpetrator Initial level of access obtained

A hacker's chances of gaining access into a target system are influenced by factors such as:

exploit

A specific way to breach the security of an IT system through a vulnerability

What is Spyware

A spyware program sends information from the infected computer to the person who initiated the spyware program on your computer. This information could be confidential financial data, passwords, PINs—just about any data stored on your computer. You need to make sure your users understand that this information collection is possible, and that spyware programs can register each keystroke entered. It's that simple. This type of technology not only exists, but is prevalent. It can be used to record and send everything a user enters to an unknown person located halfway around the world.

Why is "attach" a key word when talking about viruses?

A virus does not stand on its own. It can't replicate itself or operate without the presence of a host program. A virus attaches itself to a host program, just as the flu attaches itself to a host organism.

Describe some actions which security testers cannot perform legally.

Accessing a computer without permission, destroying data, or copying information without the owner's permission is illegal. Certain actions are illegal, such as installing worms or viruses on a computer network that deny users access to network resources. As a security tester, you must be careful that your actions don't prevent customers from doing their jobs. For example, DoS attacks should not be initiated on your customer's networks.

threat

Action or event that might compromise security

Source IP address Destination IP address Flags

What are packet components

What is Back Orifice

Back Orifice is still one of the most common Trojan programs used today. It allows attackers to take full control of the attacked computer, similar to the way Windows XP Remote Desktop functions, except that Back Orifice works without the user's knowledge. The program has been around since 1999, but it's now marketed as an administrative tool rather than a hacking tool.

____ is currently the standard port-scanning tool for security professionals. a. Unicornscan c. Nessus b. Fping d. Nmap

Nmap

a port scanning tool

Nmap

typically used to get past a firewall

ACK scan

Why is ATM shoulder surfing much easier than computer shoulder surfing?

ATM theft is much easier than computer shoulder surfing because a keypad has fewer characters to memorize than a computer keyboard. If the person throws away the receipt in a trash can near the ATM, the shoulder surfer can match the PIN with an account number and then create a fake ATM card. Often shoulder surfers use binoculars or high-powered telescopes to observe PINS being entered, making it difficult to protect against this attack.

____ is a reasonably priced commercial port scanner with a GUI interface. a. AW Security Port Scanner c. Ethereal b. Common Vulnerabilities and Exposures d. Tcpdump

AW Security Port Scanner

NDA, to protect the client's confidential data Clause stating that the ethical hacker has full consent of the client to hack into their systems

After discussing security issues with the client, a formal contract should be drawn up that contains

attack

Any attempt by an unauthorized person to access, damage, or use network resources

binary octal hexadecimal

As a security professional, knowledge of numbering systems will come into play:

What are the critical components of a TCP header? How may hackers abuse them?

As a security professional, you should know the critical components of a TCP header: TCP flags, the initial sequence number, and source and destination port numbers. Hackers abuse many of these TCP header components; for example, when port scanning,many hackers use the method of sending a packet with a SYN-ACK flag set even though a SYN packet was not sent first.

Which ports should security professionals scan when doing a test? Why?

As a security tester, you need to know which ports attackers are going after so those ports can be closed or protected. Security professionals must scan all ports when doing a test, not just the well-known ports (Ports 1 to 1023, the most common, are covered in Chapter 2). Many computer programs use port numbers outside the range of well-known ports. For example, pcAnywhere operates on ports 65301, 22, 5631, and 5632. A hacker who discovers that port 65301 is open might want to check the information at the Common Vulnerabilities and Exposures Web site for a possible vulnerability in pcAnywhere. After a hacker discovers an open service, finding a vulnerability or exploit isn't difficult.

As a security tester, should you use social-engineering tactics?

As a security tester, you should never use social-engineering tactics unless the person who hired you gives you permission in writing. You should also confirm on which employees you're allowed to perform social-engineering tests, and document the tests you conduct. Your documentation should include the responses you received, and all test results should, of course, be confidential.

Remove evidence of their entry Install a backdoor or a Trojan to gain repeat access Install rootkits at the kernel level to gain full administrator access to the target compute

Attackers, who choose to remain undetected do what

Inside - initiated from within a network by an authorized user Outside - caused by an external intruder who does not have authorization to access the network

Attacks can be categorized as inside or outside attacks by what

Why is it hard for an ethical hacker to avoid breaking any laws?

Because the job of an ethical hacker is fairly new, the laws are constantly changing. Even though a company has hired you to test its network for vulnerabilities, be careful that you aren't breaking any laws for your state or country. If you're worried that one of your tests might slow down the network because of excessive bandwidth use, that concern should signal a red flag. The company might consider suing you for lost time or monies caused by this delay.

common Trojan program

Black Orifice

In the ____ model, management does not divulge to staff that penetration testing is being conducted, nor does it give the tester any diagrams or describe what technologies the company is using. a. gray box c. black box b. white box d. red box

Black box

A ____ can be created that welcomes new users joining a chat session, even though a person isn't actually present to welcome them. a. byte c. switch b. packet d. bot

Bot

The HTTP ____________________ method is used with a proxy that can dynamically switch to a tunnel connection, such as Secure Socket Layer (SSL).

CONNECT

The ____ certification for security professionals is issued by the International Information Systems Security Certifications Consortium (ISC2). a. Global Information Assurance Certification (GIAC) b. OSSTMM Professional Security Tester (OPST) c. Certified Information Systems Security Professional (CISSP) d. Certified Ethical Hacker (CEH)

Certified Information Systems Security Professional (CISSP)

The International Council of Electronic Commerce Consultants (EC-Council) has developed a certification designation called ____. a. CompTIA Security+ b. OSSTMM Professional Security Tester (OPST) c. Certified Information Systems Security Professional (CISSP) d. Certified Ethical Hacker (CEH)

Certifies Ethical Hacker (CEH)

What type of class has the IP address 193.1.2.3? a. Class A c. Class C b. Class B d. Class D

Class C

Some of the most infamous cases are hacks carried out by ____ students, such as the eBay hack of 1999. a. graduate c. college b. high-school d. engineering

College

Ethical hackers are employed or contracted by a company to do what illegal hackers do: break in. Why?

Companies need to know what, if any, parts of their security infrastructure are vulnerable to attack. To protect a company's network, many security professionals recognize that knowing what tools the bad guys use and how they think enables them to better protect (harden) a network's security.

TCP three way handshake

Computer A sends computer B a SYN packet Computer B replies with a SYN-ACK packet Computer A replies with an ACK packet

Crimes facilitated by use of a computer Crimes where the computer is the target

Computer crimes can be separated into two categories:

network security

Concern with security of network infrastructure

computer security

Concerned with security of a stand alone computer Not part of a network infrastructure

assurance

Confidence that the system will behave according to its specifications

TCP is a(n) ____________________ protocol, which means the sender doesn't send any data to the destination node until the destination node acknowledges that it's listening to the sender.

Connection-oriented

Remote network Remote dial-up network Local network Stolen equipment Social engineering Physical entry

Ethical hacker will attempt attacks over various channels:

Shut down computers cannot respond Networks may be configured to block ICMP Echo Requests Firewalls may filter out ICMP traffic

What are ping sweeps problems

Text file Contains multiple commands

What are script or batch file

What can an attacker see on the target system? What can an intruder do with that information? Are the attackers' attempts being noticed on the target systems?

Ethical hacker's evaluation of a client's information system security seeks answers to what 3 basic questions?

subnet mask

Each network must be assigned a subnet mask Helps distinguish network from host address bits Subnetting concepts are important Utilities return information based on IP address and subnet information May be useful when penetration testing

transport layer

Encapsulates data into segments Use TCP or UDP to reach a destination host TCP is a connection-oriented protocol

white box testing

Ethical hacker is given full advance knowledge of the system

black box testing

Ethical hacker is given no prior knowledge or information about a system

the tester might get information about which OSs are used, but not get any network diagrams

Gray box model

attack

Deliberate assault on that system's security

antivirus programs

Detection based on virus signatures Signatures are kept in virus signature file Must update periodically Some offer automatic update feature

With commands such as ____, you can perform zone transfers of all DNS records. a. Dig c. DNS b. Whois d. Netcat

Dig

____ is a tool that is used to perform DNS zone transfers. a. Whois c. Metis b. Netcat d. Dig

Dig

A ____ attack prevents legitimate users from accessing network resources. a. buffer overflow c. social engineering b. session hijacking d. DoS

DoS

port 53

Domain Name Service (DNS) Connects to Web sites using URLs instead of IP addresses

The HTTP ____ method is the same as the GET method, but retrieves only the header information of an HTML document, not the document body. a. CONNECT c. POST b. PUT d. HEAD

HEAD

What is the "poor man's firewall"?

Even though IPX/SPX is not widely used today, many corporations have legacy systems that rely on it. In fact, some users separate their internal networks from the outside world by running IPX/SPX internally. An intruder attempting to attack a network over the Internet would be blocked when the protocol changes from TCP/IP to IPX/SPX. This tactic is referred to as "the poor man's firewall." Of course, it's not a recommended solution for protecting a network, but as a network security professional, you might see it used.

When a TCP three-way handshake ends, both parties send a(n) ____ packet to end the connection. a. SYN c. FIN b. ACK d. RST

FIN

____ was the standard for moving or copying large files and is still used today, although to a lesser extent because of the popularity of HTTP. a. FTP c. SNMP b. TFTP d. SMTP

FTP

allows different operating systems to transfer files between one another

FTP

All states look at port scanning as noninvasive or nondestructive in nature and deem it legal.

False

An ethical hacker is a person who performs most of the same activities a cracker does, but with the owner or company's permission.

False

Macro viruses are hard to create.

False

UDP

Fast but unreliable delivery protocol Operates on Transport layer Used for speed Does not need to verify receiver is listening or ready Depends on higher layers of TCP/IP stack handle problems Referred to as a connectionless protocol

computer crime

Fastest growing type of crime worldwide

port 20 and 21

File Transfer Protocol (FTP) Was the standard for moving or copying large files Used today to a lesser extent Popularity of HTTP Requires a logon name and password More secure than Trivial File Transfer Protocol (TFTP)

1 represents having permission 111 (rwx): all permissions apply 0 removes permission 101 (r-x): user can read and execute but not write

File permissions are represented with bits

With the ____ tool, you can ping multiple IP addresses simultaneously. a. Fping c. Nessus b. Nmap d. Unicornscan

Fping

The HTTP ____ method retrieves data by URI. a. GET c. POST b. PUT d. HEAD

GET

____ is the most basic HTTP method. a. GET c. CONNECT b. PUT d. HEAD

GET

The SysAdmin,Audit,Network, Security (SANS) Institute offers training and IT security certifications through ____. a. Global Information Assurance Certification (GIAC) b. OSSTMM Professional Security Tester (OPST) c. Certified Information Systems Security Professional (CISSP) d. Certified Ethical Hacker (CEH)

Global Information Assurance Certification (GIAC)

What is "competitive intelligence"?

If you want to open a piano studio to compete against another studio that has been in your neighborhood for many years, getting as much information as possible about your competitor is wise. How could you know the studio was successful without being privy to its bank statements? First, many businesses fail after the first year, so the studio being around for years is a testament to the owner doing something right. Second, you can simply park your car across the street from the studio and count the students to get a good idea of the number of clients. You can easily find out the cost of lessons by calling the studio or looking for ads in newspapers, flyers, telephone books, billboards, and so on. Numerous resources are available to help you discover as much as is legally possible about your competition. Business people have been doing this for years. Now this information gathering, called competitive intelligence, is done on an even higher level through technology. As a security professional, you should be able to explain to the company that hired you all the methods competitors use to gather information. To limit the amount of information a company makes public, you should have a good understanding of what a competitor would do to discover confidential information.

If you're good at your job, many IT employees resent you discovering vulnerabilities in their systems. In fact, it's the only profession in which the better you do your job, the more enemies you make!

If you're good at your job, many IT employees resent you discovering vulnerabilities in their systems. In fact, it's the only profession in which the better you do your job, the more enemies you make!

How does a buffer overflow attack work?

In a buffer overflow attack, a programmer finds a vulnerability in poorly written code that doesn't check for a defined amount of space use. For example, if a program defines a buffer size of 100 MB (the total amount of memory the program is supposed to use), and the program writes data over the 100 MB mark without triggering an error or preventing this occurrence,you have a buffer overflow. Basically, the attacker writes code that overflows the buffer; this is possible because the buffer capacity hasn't been defined correctly in the program. The trick is to not fill the overflow buffer with meaningless data, but to fill it with executable program code. That way, the OS runs the code, and the attacker's program does something harmful. Usually, the code elevates the attacker's permissions to that of an administrator's level or gives the attacker the same privileges as the program's owner or creator.

How does a SYN scan work?

In a normal TCP session, a packet is sent to another computer with the SYN flag set. The receiving computer sends back a packet with the SYN/ACK flag set, indicating an acknowledgment. The sending computer then sends a packet with the ACK flag set. If the port to which the SYN packet is sent is closed, the computer responds to the SYN packet with an RST/ACK packet. If a SYN/ACK packet is received by an attacker's computer, it quickly responds with an RST/ACK packet, closing the session. This is done so that a full TCP connection is never made and logged as a transaction. In this sense, it is "stealthy." After all, you don't want a transaction to be logged showing the IP address that connected to the attacked computer.

What is a UDP scan?

In this type of scan, a UDP packet is sent to the target computer. If the port sends back an ICMP "Port Unreachable" message, the port is closed. Again, not getting that message might imply the port is open, but this isn't always true. A firewall or packet-filtering device could undermine your assumptions.

target of evaluation

Information resource or asset that is being protected from attacks

ethical hackers

Information security professionals who specialize in evaluating and defending against threats from attackers

gray box testing

Internal testing performed by system administrator and network professionals

What is ICMP used for?

Internet Control Message Protocol (ICMP) is used to send messages that relate to network operations. For example, if a packet cannot reach its destination, you might see the "Destination Unreachable" error. ICMP makes it possible for network professionals to troubleshoot network connectivity problems (with the Ping command) and to track the route a packet traverses from a source IP address to a destination IP address (with the Traceroute command).

port 143

Internet Message Access Protocol 4 (IMAP4) Used for retrieving e-mail

The IP in TCP/IP stands for ____________________.

Internet Protocol

hardware keylogger

KeyGhost

protocol

Language used by computers Transmission Control Protocol/Internet Protocol (TCP/IP) Most widely used

port

Logical, not physical, TCP connection component Identifies running service Example: HTTP uses port 80

attack side of a sophisticated cybercrime toolkit that spreads when Web surfers visit a hacked Web site hosting the malware

Luckysploit

____ commands that open and close files can be used in destructive ways. a. Macro c. Keylogger b. Firewall d. Adware

Macro

Most infamous macro virus

Melissa

____ is a tool that is used to gather competitive intelligence from Web sites. a. Whois c. Metis b. Netcat d. Dig

Metis

What is DNS used for?

Most networks require a DNS server so that users can connect to Web sites with URLs instead of IP addresses. When a user enters a URL, such as www.yahoo.com, the DNS server resolves the name to an IP address. The DNS server might be internal to the company, or each computer might be configured to point to the IP address of a DNS server that's serviced by the company's ISP.

Why is port scanning considered legal by most security testers and hackers?

Most security testers and hackers argue that port scanning is legal simply because it doesn't invade others' privacy; it merely discovers whether the party being scanned is available. The typical analogy is a person walking down the street and turning the doorknob of every house along the way. If the door opens, the person notes that the door is open and proceeds to the next house. Of course, entering the house would be a crime in most parts of the world, just as entering a computer system or network without the owner's permission is a crime.

Penetration testers and security testers usually have a laptop computer configured with ____ and hacking tools. a. multiple OSs c. packet sniffers b. tiger boxes d. script kiddies

Multiple OSs

TCP scan with all the packet flags are turned off

NULL scan

Avoid typing when: Someone is nearby Someone nearby is talking on cell phone

Name prevention of shoulder surfing

Nmap Unicornscan Nessus and OpenVAS

Name some port scanning tools

1. Talk with the client about the importance of security and the necessity of testing 2. Prepare NDA (nondisclosure agreement) documents and have the client sign them 3. Prepare an ethical hacking team and create a schedule for testing 4. Conduct the test 5. Analyze the results and prepare the report 6. Deliver the report to the client

Name the ethical hacking assignment six basic steps

port 139

NetBIOS Used by Microsoft's NetBIOS Session Service

To see additional parameters that can be used with the ____ command, you can type nc -h at the command prompt. a. Nslookup c. Netcat b. Namedroppers d. Whois

Netcat

____ is a tool that is used to read and write data to ports over a network. a. Whois c. Metis b. Netcat d. Dig

Netcat

In the TCP/IP stack, the ____________________ layer represents the physical network pathway and the network interface card.

Network

TCP/IP stack Four distinct layers

Network Internet Transport Application

Elaborate on the following statement: "The most difficult job of a security professional is preventing social engineers from getting crucial information from company employees."

No matter how thorough a security policy is or how much money is spent on firewalls and intrusion detection systems (IDSs), employees are still the weakest link in an organization. Attackers know this fact and use it. Employees must be trained and tested periodically on security practices. Just as fire drills help prepare people to evacuate during a fire, random security drills can improve a company's security practices. For example, randomly selecting and testing employees each month to see whether they would give their passwords to someone within or outside the organization is a good way to see if your security memos are being read and followed.

The ____ certification uses the Open Source Security Testing Methodology Manual (OSSTMM), written by Peter Herzog, as its standardized methodology. a. CEH c. CISSP b. OPST d. GIAC

OPST

The ____ certification is designated by the Institute for Security and Open Methodologies (ISECOM), a nonprofit organization that provides security training and certification programs for security professionals. a. CompTIA Security+ b. OSSTMM Professional Security Tester (OPST) c. Certified Information Systems Security Professional (CISSP) d. Certified Ethical Hacker (CEH)

OSSTMM Professional Security tester (OPST)

What is the SANS Institute Top 20 list?

One of the most popular SANS Institute documents is the Top 20 list, which details the most common network exploits and suggests ways of correcting vulnerabilities. This list offers a wealth of information for penetration testers or security professionals.

Even though you might think you're following the requirements set forth by the client who hired you to perform a security test, don't assume that management will be happy with your results. Provide an example of an ethical hacking situation that might upset a manager.

One tester was reprimanded by a manager who was upset that the security testing revealed all the logon names and passwords to the tester. The manager believed that the tester shouldn't know this information and considered stopping the security testing.

What makes the ____________________ tool unique is the ability to update security check plug-ins when they become available.

OpenVAS

____, an open-source fork of Nessus, functions much like a database server, performing complex queries while the client interfaces with the server to simplify reporting and configuration. a. Unicornscan c. OpenVAS b. NetScanTools d. Nmap

OpenVAS

The HTTP ____ allows data to be sent to a Web server. a. GET c. POST b. PUT d. HEAD

POST

TCP header flag used to deliver data directly to an application

PSH

The HTTP ____ method requests that the entity be stored under the Request-URI. a. GET c. POST b. PUT d. HEAD

PUT

The ____ tool can generate a report that can show an attacker how a Web site is structured and lists Web pages that can be investigated for further information. a. Netcat c. Dig b. Paros d. Whois

Paros

In the ____ attack, the attacker simply creates an ICMP packet that's larger than the maximum allowed 65,535 bytes. a. DoS c. buffer overflow b. Ping of Death d. session hijacking

Ping of Death

type of DoS attack

Ping of Death

Some security professionals use fear tactics to scare users into complying with security measures. Is this a good tactic?

Some security professionals use fear tactics to scare users into complying with security measures. Their approach is to tell users that if they don't take a particular action, their computer systems will be attacked by every malcontent who has access to the Internet. This method is sometimes used to generate business for security testers and is not only unethical, but also against the OSSTMM's Rules of Engagement. The rule states: "The use of fear, uncertainty, and doubt may not be used in the sales or marketing presentations, websites, supporting materials, reports, or discussion of security testing for the purpose of selling or providing security tests. This includes but is not limited to crime, facts, criminal or hacker profiling, and statistics." Your approach to users or potential customers should be promoting awareness rather than instilling fear. You should point out to users how important it is not to install computer programs—especially those not approved by the company—on their desktops because of the possibility of introducing malware. Users should be aware of potential threats, not terrified by them.

Why is it important for you as a security tester to understand and be able to create scripts?

Some tools might need to be modified to better suit your needs as a security tester. Creating a customized script—a computer program that automates a task that takes too much time to perform manually—can be a time-saving solution. Fping can use an input file to perform ping sweeps. Creating an input file manually with thousands of IP addresses isn't worth the time. Instead, most security testers rely on their basic programming skills to write a script for creating an input file.

The two most popular spyware and adware removal programs are ____ and Ad-Aware. a. Zone Alarm c. McAfee Desktop Firewall b. BlackIce d. SpyBot

Spybot

____ is a remote control program. a. Slammer c. Symantec pcAnywhere b. BlackIce d. Zone Alarm

Symantec pcAnywhere

The ____ disseminates research documents on computer and network security worldwide at no cost. a. International Council of Electronic Commerce Consultants (EC-Council) b. SysAdmin,Audit,Network, Security (SANS) Institute c. Institute for Security and Open Methodologies (ISECOM) d. International Information Systems Security Certifications Consortium (ISC2)

SysAdmin, Audit, Network, Security (SANS) Institute

accountability

System administrators or concerned authorities need to be able to know by whom, when, how and why system resources have been accessed An audit trail or log files can address this

TCP critical components

TCP flags Initial sequence number (ISN) Source and destination port numbers

The most widely used is protocol is ____. a. IPX/SPX c. TCP/IP b. ATM d. NetBIOS

TCP/IP

transport layer

TCP/UDP services layer is responsible for getting data packets to and from the application layer by using port numbers. TCP also verifies packet delivery by using acknowledgements

tunneling

Takes advantage of the transmission protocol by carrying one protocol over another

____ is a protocol packet analyzer. a. Nmap c. Tcpdump b. Fping d. Nessus

Tepdump

Text file generated by a Web server Stored on a user's browser Information sent back to Web server when user returns Used to customize Web pages Some cookies store personal information Security issue

What are cookies and what do they do?

How can computer criminals use the Whois utility for their purposes?

The Whois utility is a commonly used tool for gathering IP address and domain information. With just a company's Web address, you can discover a tremendous amount of information. Unfortunately, attackers can also make use of this information. Often companies don't realize that they're publishing information on the Web that computer criminals can use. The Whois utility gives you information on a company's IP addresses and any other domains the company might be part of.

What is the binary numbering system and why was it chosen by computer engineers to be used in computers?

The binary system uses the number two as its base. Each binary digit, or bit, is represented by a one or zero. Bits are usually grouped by eight because a byte contains eight bits. Computer engineers chose this numbering system because logic chips make binary decisions based on true or false,on or off,and so forth. With eight bits, a computer programmer can represent 256 different colors for a video card, for example. (Two to the power of eight, or 28, equals 256.) Therefore, black can be represented by 00000000, white by 11111111, and so on.

What is the difference between spyware and adware?

The difference between spyware and adware is a fine line. Both programs can be installed without the user being aware of their presence. Adware, however, sometimes displays a banner that notifies the user of its presence. Adware's main purpose is to determine a user's purchasing habits so that Web browsers can display advertisements tailored to that user. The biggest problem with adware is that it slows down the computer it's running on.

List at least five tools available for footprinting.

The following tools can be used for footprinting: Google groups, Whois, SamSpade, Web Data Extractor, FOCA, Necrosoft NS Scan, Google search engine, Namedroppers, White Pages, Metis, Dig, Netcat, Wget, Paros, and Maltego.

In the context of penetration testing, what is the gray box model?

The gray box model is a hybrid of the white and black box models. In this model, the company gives a tester only partial information. For example, the tester might get information about which OSs are used, but not get any network diagrams.

How does the octal numbering system relate to network security? You may answer this question by providing an example.

To see how the octal numbering system relates to network security, take a look at UNIX permissions. Octal numbering is used to express the following permissions on a directory or a file: Owner permissions, Group permissions, and Other permissions. Setting the permission (rwxrwxrwx) for a directory means that the owner of the directory, members of a group, and everyone else (Other) have read, write, and execute permissions for that directory. Because each category has three unique permissions, and each permission can be expressed as true or false (on or off), three bits are used. You don't need all eight bits because three bits (rwx) are enough. Recall from binary numbering that zero is counted as a number, so with three bits, there are eight possible occurrences: 000, 001, 010, 011, 100, 101, 110, and 111. Using octal numbering, 001 indicates that the execute (x) permission is granted, 010 indicates that the write (w) permission is granted, but not read and execute, and so on.

In the TCP/IP stack, the ____________________ layer is responsible for getting data packets to and from the Application layer by using port numbers.

Transport

port 69

Trivial File Transfer Protocol Used for transferring router configurations

As a security tester, you can't make a network impenetrable.

True

Even though the Certified Information Systems Security Professional (CISSP) certification is not geared toward the technical IT professional, it has become one of the standards for many security professionals.

True

The SysAdmin, Audit, Network, Security (SANS) Institute offers training and IT security certifications through Global Information Assurance Certification (GIAC).

True

TCP packet

Two 16-bit fields Contains source and destination port numbers

Passive: attacker does not interact with the system directly Active: attacker interacts with the target system by using tools to detect open ports, accessible hosts, router locations, network mapping, details of operating systems, and applications

Types of reconnaissance

Unicornscan optimizes ____ scanning beyond the capabilities of any other port scanner. a. TCP c. ICMP b. UDP d. IP

UDP

____ is a connectionless protocol. a. TCP c. FTP b. UDP d. POP3

UDP

____ is a fast but unreliable delivery protocol that operates on the Transport layer. a. IP c. TFTP b. TCP d. UDP

UDP

UDP is an unreliable data delivery protocol. Why is it widely used on the Internet?

UDP is a widely used protocol on the Internet because of its speed. UDP doesn't need to verify whether the receiver is listening or ready to accept the packets. The sender doesn't care—it just sends, even if the receiver isn't ready to accept the packet.

TCP header flag that is used to signify urgent data

URG

____ was developed to assist security testers in conducting tests on large networks and to consolidate many of the tools needed for large-scale endeavors. a. Unicornscan c. Nessus b. NetScanTools d. Nmap

Unicornscan

List the five techniques used by social engineers in their attempts to gain information from unsuspecting people.

Urgency - Quid pro quo - Status quo - Kindness - Position

UDP stands for ____. a. User Datagram Protocol c. User Data Packet b. Universal Datagram Protocol d. Universal Data Packet

User Datagram protocol

worm that uses UDP port 8998 to contact the attacker's server

W32/Sobig.F

internet protocol version 6 (IPv6)

Wasn't designed with security in mind Many current network vulnerabilities

vulnerability

Weakness in a defined asset that could be taken advantage of or exploited by some threat primary entry point an attacker can use to gain access to a system or to its data

A(n) ____ is a 1-pixel x 1-pixel image file referenced in an <IMG> tag, and it usually works with a cookie. a. image bug c. Bugnosis detector b. zone transfer d. Web bug

Web bug

Automates tasks Time saving Requires basic programming skills

What are customized scripts

Trojans to transfer user names, passwords, and any other information stored on the system

What can hackers use trojans for?

Educate users Dumpster diving Proper trash disposal Format disks before disposing them Software writes binary zeros Done at least seven times Discard computer manuals offsite Shred documents before disposal

What can you do to prevent dumpster diving

Discovering system design faults and weaknesses that might allow attackers to compromise a system Keeping informed of new products and technologies in order to find news related to current exploits Checking underground hacking Web sites for newly discovered vulnerabilities and exploits Checking newly released alerts regarding relevant innovations and product improvements for security systems

What does vulnerability research include?

Resolves host names to IP addresses People prefer URLs to IP addresses Extremely vulnerable

What is DNS

Closed port responds with an RST packet

What is FIN scan

Ping multiple IP addresses simultaneously Accepts a range of IP addresses Entered at a command prompt File containing multiple IP addresses Input file Usually created with shell-scripting language

What is FPing

Used to: Perform ping sweeps Bypass filtering devices Allows users to inject modified IP packets

What is Hping

First released in 1998 No longer under GPL license Still available for download

What is Nessus

Originally written for Phrack magazine One of the most popular tools New features frequently added

What is Nmap?

Open-source fork of Nessus Performs complex queries while client interfaces with server Capable of updating security check plug-ins Security test programs (scripts)

What is OpenVAS

Identify which IP addresses belong to active hosts Ping a range of IP addresses

What is Ping sweeps

Stealthy scan

What is SYN scan

FIN, PSH and URG flags are set

What is XMAS scan

Packet flags are turned off

What is a NULL scan

Closed port responds with ICMP "Port Unreachable" message

What is a UDP scan

Used to get past firewall

What is an ACK scan

Completes three-way handshake

What is connect scan?

Looking through an organization's trash for any discarded sensitive information

What is dumpster diving

Use it to increase awareness of their social or political agendas Considered a crime, irrespective of intentions

What is hacktivism used for?

Technique used to exploit the system be pretending to be a legitimate user

What is spoofing

Command: nmap 193.145.85.201 Scans every port on computer with this IP address

What is the standard tool for security professionals

Developed to assist with large network tests Ideal for large-scale endeavors Scans 65,535 ports in three to seven seconds

What is unicornscan

dig and host

What is zone transfer tools

What makes the OpenVAS tool unique?

What makes this tool unique is the capability to update security check plug-ins when they become available. An OpenVAS plug-in is a security test program (script) that can be selected from the client interface. The person who writes the plug-in decides whether to designate it as dangerous, and the author's judgment on what's considered dangerous might differ from yours.

hacktivism

When hackers break into government or corporate computer systems as an act of protest

In the ____ model, the company might print a network diagram showing all the company's routers, switches, firewalls, and intrusion detection systems (IDSs) or give the tester a floor plan detailing the location of computer systems and the OSs running on these systems. a. black box c. red box b. white box d. gray box

White box

The ____________________ utility gives you information on a company's IP addresses and any other domains the company might be part of.

Whois

____ is a tool that is used to gather IP and domain information. a. Whois c. Metis b. Netcat d. Dig

Whois

To identify and correct network vulnerabilities To protect the network from being attacked To get information that helps to prevent security issues To gather information about viruses and malware To find weaknesses in the network and to alert the network administrator before a network attack To know how to recover from a network attack

Why do hackers need vulnerability research?

In order to detect Trojans and compromised files and directories

Why do system administrators deploy host-based IDS

All security testers must be familiar with tool Supports many parameters

Why is Hping a powerful tool

How many host addresses can be assigned with a subnet mask of 255.255.255.0? Give a brief description of how you calculated the result.

With a default subnet mask of 255.255.255.0, 254 host addresses can be assigned to each segment. You use the formula 2x - 2 for this calculation. For this example, x equals 8 because there are eight bits in the fourth octet: 28 - 2 = 254 You must subtract two in the formula because the network portion and host portion of an IP address can't contain all ones or all zeros.

How can DNS be used for footprinting?

Without going into too much detail, DNS uses name servers to resolve names. After you determine what name server a company is using, you can attempt to transfer all the records for which the DNS server is responsible. This process, called a zone transfer, can be done with the Dig command. (For those familiar with the Nslookup command, Dig is now the recommended command.) To determine a company's primary DNS server, you can look for a DNS server containing a Start of Authority (SOA) record. An SOA record shows for which zones or IP addresses the DNS server is responsible. After you determine the primary DNS server, you can perform another zone transfer to see all host computers on the company network. In other words, the zone transfer give you an organization's network diagram. You can use this information to attack other servers or computers that are part of the network infrastructure.

Closed ports respond to a(n) ____ with an RST packet. a. XMAS scan c. Connect scan b. SYN scan d. ACK scan

XMAS scan

in this type of scan, the FIN, PSH, and URG flags are set

XMAS scan

Nmap has a GUI version called ____________________ that makes it easier to work with some of the more complex options.

Zenmap

____ enable you to see all the host computers on a network. In other words, they give you an organization's network diagram. a. Web bugs c. Zone transfers b. Footprints d. Namedroppers

Zone transfers

____ sometimes displays a banner that notifies the user of its presence. a. Spyware c. Webware b. Adware d. Malware

adware

File transfer protocol (FTP)

allows diff OSs to transfer files b/t one anohter

The virus signature file is maintained by ____ software. a. antivirus c. remote control b. keylogger d. firewall

antivirus

In the TCP/IP stack, the ____ layer is where applications and protocols, such as HTTP and Telnet, operate. a. Internet c. Transport b. Network d. Application

application

The ____-layer protocols are the front ends to the lower-layer protocols in the TCP/IP stack. a. Internet c. Transport b. Network d. Application

application

viruses

attaches itself to a file or program Needs host to replicate Does not stand on its own No foolproof prevention method

The ____ vi command deletes the current line. a. d c. dd b. dl d. dw

dd

Which of the following provides the most secure method of securing a company's assets? a. rotary locks c. card access b. combination locks d. deadbolt locks

card access

In any *NIX system, after saving a script, you need to make it executable so that you can run it. From the command line, type ____. a. chmod +execute script_name c. chmod -execute script_name b. chmod +x script_name d. chmod -x script_name

chmod +x script_name

does not allow entry or access to a service

closed port

Components High-order nibble: left side Low-order nibble: right side

components of nibbles

The U.S. government now has a new branch of computer crime called __________________________________________________.

computer hacking and intellectual property (CHIP) CHIP computer hacking and intellectual property

____________________ is defined as securing a stand-alone computer that's not part of a network infrastructure.

computer security

The ____ relies on the OS of the attacked computer, so it's a little more risky to use than the SYN scan. a. NULL scan c. XMAS scan b. connect scan d. ACK scan

connect scan

similar to the SYN scan, except that it does complete the three-way handshake

connect scan

Employees of a security company are protected under the company's ____________________ with the client.

contract

A(n) ____________________ is a text file generated by a Web server and stored on a user's browser.

cookie

Those who break into systems to steal or destroy data are often referred to as ____________________.

crackers


Kaugnay na mga set ng pag-aaral

CIT 372 Review Questions quizzes

View Set

5 Axilla and arm anatomy - trebloc

View Set

Environmental Science Ch. 19: Waste

View Set

Business Law Exam #3 True False ch 12,13

View Set

CIS 301 - Management Information Systems

View Set

APES 7.2- Photochemical Smog WYRNTK

View Set

Chapter 2: Social, Cultural, Religious, and Family Influences on Child Health Promotion

View Set

Ch. 18 Nutrition During Pregnancy and Breastfeeding SB

View Set