ITN 261 - Mid-Term

Pataasin ang iyong marka sa homework at exams ngayon gamit ang Quizwiz!

Network services _________ a port to listen on it

'bind to'

Ports ________ are considered administrative and require administrator-level privilege to listen on those ports

0-1023

What financial filing is required for public companies and would provide you with the annual report?

14-A

What version of SNMP introduced encryption and user-based authentication?

3

What status code will you get if your attempt to use the VRFY command fails?

550

What is the difference between a false positive and a false negative?

A false positive indicates a finding that doesn't exist, while a false negative doesn't indicate a finding that does exist.

Which of these devices would not be considered part of the Internet of Things? A. Smartphone B. Thermostat C. Light bulb D. Set-top cable box

A. A smartphone is a general-purpose computing platform with a traditional user interface--screen and keyboard, so it isn't part of the IoT.

If you were looking for the definitive documentation on a protocol, what would you consult? A. Request for Comments B. Manual pages C. Standards D. IEEE

A. The best place to find definitive documentation about protocols seen on the Internet is in the Request for Comments (RFC) documents.

If you were looking up information about a company in New Zealand, which RIR would you be looking in for data?

APNIC

Which of the following is one factor of a defense-in-depth approach to network design?

Access control lists on routers

What is AfriNIC and what region does it represent?

Africa Network Information Center, Africa

What would you use a security information event manager for?

Aggregating and providing search for log data

What is ARIN and what region does it represent?

American Registry for Internet Numbers, Canada, the United States, and many Caribbean and North Atlantic islands. (NORTH AMERICA)

What layer has the following characteristics? Application programming interfaces User interface Direct interaction with the user from the application HTTP, SMTP are examples of protocols at this layer Protocol data unit is data

Application Layer (layer 7)

What is nmap looking at when it conducts a version scan?

Application banners

A limited version of ethical hacking where you are focused exclusively on an application - commonly a web application

Application testing

What is APNIC and what region does it represent?

Asia Pacific Network Information Center (APNIC)

Why is it important to store system logs remotely?

Attackers might delete local logs.

The DNS server where records for a domain belonging to an organization or enterprise reside is called the _________ server.

Authoritative

INFORMATION OR SYSTEMS SHOULD BE UP AND ACCESSIBLE WHEN THEY ARE MEANT TO BE is a definition of?

Availability

If you were to see the subnet mask 255.255.252.0, what CIDR notation (prefix) would you use to indicate the same thing? A. /23 B. /22 C. /21 D. /20

B. A /23 network would be 255.255.254.0. A /21 would be 255.255.248. A /20 would be 255.255.240.0. Only a /22 would give you a 255.255.252.0 subnet mask.

What order, from bottom to top, does the TCP/IP architecture use? A. Network Access, Network, Transport, Application B. Link, Internet, Transport, Application C. Physical, Network, Session, Application D. Data Link, Internet, Transport, Application

B. From top to bottom, the TCP/IP architecture is Link, Internet, Transport, Session, and Appplication.

The UDP headers contain which of the following fields? A. Source address, destination address, checksum, length B. Destination port, source port, checksum, length C. Flags, source port, destination port, checksum D. Length, checksum, flags, address

B. The IP headers include addresses. UDP headers use ports. TCP headers use flags, but UDP headers do not. The UDP headers have the source and destination port fields along with checksum and length.

Which header field is used to reassemble fragmented IP packets? A. Source address B. IP identification C. Don't fragment bit D. Acknowledgment field

B. The IP identification field is used to identify fragments of the same packet, as they would all have the same IP identification number.

Which of these services would be considered a storage as a service solution? A. Microsoft Azure B. iCloud C. Google Compute D. DropLeaf

B. While Microsoft Azure and Google Compute have storage capabilities, they aren't storage as a service solutions. Drop leaf is a typle of table. Dropbox is a storage as a service solution. The only one listed here that is storage as a solution is iCloud, whick is Apple's cloud storage platform.

What is this? Interacting with the service can tell you a lot This requires speaking the protocol Many implementations will give out details about version information HTTP headers have Server: which may tell you the application and version Even SSH will tell you version information

Banner grabbing

What can an intrusion prevention system do that an intrusion detection system can't?

Block or reject network traffic

To remove malware from the network before it gets to the endpoint, you would use which of the following? A. Packet filter B. Application layer gateway C. Unified threat management appliance D. Stateful firewall

C. Packet filters are used to make block/allow decisions based on header data like source and destination address and port. Stateful firewalls add in the ability to factor in the state of the connection—new, related, established. An Application layer gateway knows about Application layer protocols. A unified threat management appliance adds additional capabilities on top of firewall functions, including antivirus.

Which of these addresses would be considered a private address (RFC 1918 address)? A. 172.128.10.5 B. 9.10.10.7 C. 172.20.128.240 D. 250.28.17.10

C. The RFC 1918 address blocks are 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. The only address listed that fits into one of those address blocks is 172.20.128.240. The Address block is 172.16.0.0-172.31.255.255.

What are the three steps in the TCP handshake as described by the flags set? A. SYN, SYN/URG, RST B. RST, SYN, ACK C. SYN, SYN/ACK, ACK D. SYN, SYN/ACK, ACK/URG

C. The three-way handshake is used to establish a connection. The first message has the SYN flag set and includes the sequence number. The response from the server has the ACK flag set for the SYN message that was sent from the client. The acknowledgment number is set. Addictionally, in the same message, the server sends its own SYN flag and sequice number. The client then responds with an ACK message. So, the sequence is SYN, SYN/ACK, and ACK.

Which protocol is necessary to enable the functionality of traceroute? A. HTTP B. SNMP C. ICMP D. IP

C. Traceroute requires ICMP

KEEPING INFORMATION MEANT TO BE PRIVATE PRIVATE is a definition of?

CONFIDENTIALITY

Many professional security certifications will require you to adhere to a code of ethics Know the code of ethics you are being expected to comply with Understand all laws and regulations that apply to you and the organization you are working for are all examples of?

Code of Ethics

What is this called? Managed by MITRE, a defense contractor Vulnerability scanners will commonly scan against CVEs - published vulnerabilities They can also scan for misconfigurations, which are not necessarily CVEs The CVE database includes well-defined details in a standard format, regardless of vendor

Common Vulnerabilities and Exposures (CVE) project

How do you authenticate with SNMPv1?

Community string

Which network topology are you most likely to run across in a large enterprise network? A. Ring topology B. Bus topology C. Full mesh D. Star-bus hybrid

D. An enterprise would use multiple switches that were all connected to one another over a bus, while all the endpoints would connect to the switch in a star topology.

Which of these protocols would be used to communicate with an IoT device? A. ICMP B. SMTP C. Telnet D. HTTP

D. HTTP is the only option that would be commmonly used to pass messages between a controlling server and an IoT device.

What is a MAC address used for? A. Addressing systems over a VPN B. Addressing systems through a tunnel C. Addressing systems over TCP D. Addressing systems on the local network

D. Local network

If you wanted a lightweight protocol to send real-time data over, which of these would you use? A. TCP B. HTTP C. ICMP D. UDP

D. TCP uses a three-way handshake, which is fairly heavyweight. HTTP uses TCP and adds more on top of it. ICMP is used for control messages. UDP has very little overhead and is commonly used for real-time data transport. SO THE ANSWER IS UDP

The PDU for TCP is called a _______________ . A. Packet B. Datagram C. Frame D. Segment

D. TCP uses segment for the PDU.

_______ provides IP addresses from hostnames

DNS

What layer has the following characteristics? Where data is converted to signals to send out on the wire Addressing is media access control (MAC) All local communications happen at layer 2 - system to system is always done using the MAC address Ethernet has elements in this layer Protocol data unit is frame

Data Link (layer 2)

What is the server message block protocol used for?

Data transfers on Windows systems

What type of enumeration would you use the utility dirb for?

Directory enumeration

What type of attack is a compromise of availability?

DoS

What information would you not expect to find in the response to a whois query about an IP address?

Domain association

If you were looking for detailed financial information on a target company, with what resource would you have the most success?

EDGAR

Which of the following are not valid SMTP commands?

EXPN

If you found a colleague searching at pgp.mit.edu, what would they likely be looking for?

Email addresses

Which of these may be considered an evasive technique?

Encoding data

How would you ensure that confidentiality is implemented in an organization?

Encryption

What layer has the following characteristics? Manages longer term connections Responsible for opening, closing and managing sessions between end-user application and server Authentication and authorization are services at this layer NetBIOS is an example of a protocol at this layer Protocol data unit is data

Session Layer (layer 5)

What would you be trying to enumerate if you were to use enum4linux?

Shares and/or users

You see the following text written down—port:502. What does that likely reference?

Shodan search

What kind of firewall is this? rules based on network header information

Simple firewall

What is this? SNMP used to gather management information from hosts Can also be used to send "commands" to a system Uses Abstract Syntax Notation 1 (ASN.1) to store/represent data Older versions of the protocol have weak authentication Current versions may have encryption and strong authentication Use a tool like snmpwalk to gather data from hosts

Simple network managment protocol

__________________ include privilege escalation, password grabbing, internal reconnaissance, etc

Post exploitation activities

What layer has the following characteristics? Formatting and processing of data Translates data from the network to the application JPEG is an example of a format that exists at this layer Protocol data unit is data

Presentation Layer (layer 6)

How would you calculate risk?

Probability * loss value

If you were checking on the IP addresses for a company in France, what RIR would you be checking with for details?

RIPE

Which of these passes objects between systems?

RMI

What is the process Java programs identify themselves to if they are sharing procedures over the network?

RMI registry

What strategy does a local, caching DNS server use to look up records when asked?

Recursive

Less tightly scoped; usually carte blanche (within reason) attacks against a target network

Red teaming

Each _____ has a database that can be queried for information about address blocks and registered contacts

Regional Internet Registries (RIR)

What underlying functionality is necessary to enable Windows file sharing?

Remote procedure call

What would you use MegaPing for?

Running a port scan

What is RIPE and what region does it represent?

Réseaux IP Européens Network Coordination Centre, Europe

What kind of scan is this? Takes advantage of three-way hand shaken nmap sends SYN segment to target host If port closed, the protocol definition says to respond with a segment that has the RST flag set If port is open, the protocol definition says to respond with a SYN/ACK segment If port is open, nmap sends RST message in response to SYN/ACK to cancel the connection attempt

SYN scan

What would you use credentials for in a vulnerability scanner?

Scanning for local vulnerabilities

Which of the following products might be used as an intrusion detection system?

Snort

If you were to see the following command run, what would you assume? hping -S -p 25 10.5.16.2

Someone was trying to probe an email port on the target.

What is an XMAS scan?

TCP scan with FIN/PSH/URG set

What kind of architecture is this? Only four layers - Link, Internet, Transport Application Application layer is session, presentation and application from the OSI model Link layer is the data link and physical layer from the OSI model

TCP/IP Architecture

What has four layers (Link, internet, transport, and application)

TCP/IP architecture

Which of these may be considered worst practice when it comes to vulnerability scans?

Taking no action on the results

What would you use a job listing for when performing reconnaissance?

Technologies used

What would you be looking for with the following Google query? filetype:txt Administrator:500:

Text files including the text Administrator:500:

What does nmap look at for fingerprinting an operating system?

The IP ID field and the initial sequence number

If you were to notice operating system commands inside a DNS request while looking at a packet capture, what might you be looking at?

Tunneling attack

What kind of scanner is this? UDP is connectionless so there is no defined way of interacting with a UDP port nmap sends UDP message to port Application may not respond but still be listening - if the right message isn't received, the application may simply ignore the message Because there is no defined response, nmap can't tell if the message was ignored or dropped in the network, so retransmits UDP scanning can be slow because of the number of retransmits

UDP Scanning

Which information would a packet filter use to make decisions about what traffic to allow into the network?

UDP source port

What is one reason a UDP scan may take longer than a TCP scan of the same host?

UDP will retransmit more.

What information could you get from running p0f?

Uptime

What protocol is this? Very simple protocol, used for fast communication with no overhead Connectionless Headers include: Checksum to ensure datagram is intact Source and destination ports

User Datagram Protocol (UDP)

What important event can be exposed by enabling auditing?

User login

What additional properties does the Parkerian Hexad offer over the CIA triad?

Utility, possession, authenticity

You are working with a colleague and you see them interacting with an email server using the VRFY command. What is it your colleague is doing?

Verifying email addresses

Which of these isn't an example of an attack that compromises integrity?

Watering Hole

What kind of firewall is this? application layer gateway that makes decisions based on web data

Web application firewall

Which of these is an example of an application layer gateway?

Web application firewall

__________ can be enumerated - hidden directories identified, technologies used

Web applications

What kind of scan is this? Same response as the FIN scan because the target host responds in the same way Flags FIN, PSH and URG are all set, making it appear as though the packet is lit up like a Christmas tree (Xmas) It was thought that an unnatural combination of flags would be missed by firewalls and intrusion detection systems, so may get through where more standard scans wouldn't This technique has been around so long, it won't evade anything

XMAS scan

What would be a reason to use the Override feature in OpenVAS?

You want to change a severity rating on a finding.

What technique would you ideally use to get all of the hostnames associated with a domain?

Zone transfer

What kind of topology is this? all devices cable back to a central networking device

bus

What kind of firewall is this? rules may include contents of the application data

deep packet inspection

What command would you use to get the list of mail servers for a domain?

dig mx domain.com

An _________ is taking advantage of that vulnerability

exploit

is the scariest since you have no awareness of the existing vulnerability

false negative

scanner didn't identify a vulnerability where one exists

false negative

What kind of scan is this? the ability to manually craft packets and send to target can also be use to scan a network

hping

What kind of topolgy is this? a star-bus hybrid is common where multiple stars are connected by a bus

hybrid

What kind of scan is this? Avoiding detection can be important - your IP may be blocked, so game over Idle scan spoofs the source IP address Zombie host used - zombie should be idle (not getting network traffic) nmap uses spoofed source address of zombie host Zombie host OS increments initial sequence number based on traffic inbound nmap can determine whether port is open based on the number of packets zombie receives (the amount initial sequence number increments when nmap checks)

idle scan

What is an advantage of using masscan over nmap?

masscan can scan more addresses faster.

What scanner is this? can be used for high-speed scanning and parameters are the same as for nmap

massscan

What kind of topolgy is this? systems are connected directly to one another, as needed (the Internet is a mesh network)

mesh

____________ has many modules based on known vulnerabilities

metasploit

______________ is a common exploit framework

metasploit

What is Ethics?

moral principles that govern a person's behavior or the conducting of an activity. doing no harm

Which of these is a built-in program on Windows for gathering information using port 445?

nbtstat

________________ is a common tactic used after gaining access to a system

password cracking

If you wanted to locate detailed information about a person using either their name or a username you have, which website would you use?

peekyou.com

Some services are exposed through remote procedure calls or also known as.

remote method invocations

What kind of topolgy is this? devices appear to be connected in a circle, though this may only be an appearance rather than how they are connected physically

ring

What tool does a Java program need to use to implement remote process communication?

rmic

Nmap and Metasploit can be extended with ______ to probe ports

scripts

correlates security information across multiple sources is the defintion of?

security information and event management

high-level statements of intent to support the business is a definition of?

security policy

__________________ is about identifying an application and version running on a target host

service enumeration

You need to identify all Excel spreadsheets available from the company Example, Inc., whose domain is example.com. What search query would you use?

site:example.com filetype:xls

What kind of topology is this? straight line that all systems connect to

star

What utility is used to query the databases of each RIR? You can also use this to get the size of the public IP address block for a company.

the whois utility

What tool could be used to gather email addresses from PGP servers: Bing, Google, or LinkedIn?

theHarvester

scanner didn't identify a vulnerability where no vulnerability exists

true negative

scanner identified a vulnerability that does exist

true positive

A _________- is a weakness in a system or piece of software

vulnerability

Generally use a database of signatures to identify vulnerabilities in target systems, this may be from application banners and matching version numbers.

vulnerability scanner

Which of these could you enumerate on a WordPress site using wpscan?

Plug-ins

Using tactics, techniques and procedures commonly used by attackers in order to locate weaknesses so they can be remediated is a definition of what?

Ethical Hacking

You're being employed to help improve a security posture •Keep the needs/goals of your employer in mind •Do no harm •This can't always be helped •Revision: do no deliberate harm and own up when something goes awry This is an example of?

Ethics

_____________ is a trustworthy repository of exploits

Exploit-db.org

What kind of scan is this? nmap sends out a FIN message, which is unnatural where there is no connection Protocol definition says respond with a RST if the port is closed If port is open, packet is dropped nmap will flag open ports as open|filtered Firewall dropping a packet for any reason will result in no response, so nmap can't tell if it's open or the packet was just dropped

FIN

scanner identified a vulnerability that doesn't exist

False Positive

What is fragroute primarily used for?

Fragmenting application traffic

What kind of scan is this? Same, essentially, as SYN scan Difference is nmap completes the three-way handshake to establish a connection Once connection is established, nmap tears the connection down More overhead with this and slightly more time consuming A lot of half-open connections from a SYN scan may be more noticeable In reality, all port scans are easily identified by modern networks and security devices

Full connect scan

An intrusion detection system can perform which of the following functions?

Generate alerts on traffic

the use of keywords to narrow search results, what is this?

Google Hacking

These are examples of? Watches host-based behavior, requiring software on endpoints File integrity monitoring is one common example of this Process monitoring may also be part of this.

Host-based intrusion detection

INFORMATION THAT IS STORED OR SENT SHOULD BE INTACT AND IDENTICAL WHEN IT IS READ OR RECEIVED is a definition of?

INTEGRITY

What would you use Wappalyzer for?

Identifying web technologies

Who holds all IP addresses and hands them out to the Region Internet Registries (RIR)

Internet Corporation for Assigned Names and Numbers (ICANN)

What protocol is this? Current predominant version is IPv4, though IPv6 is common Headers include:• IP Identification - used to identify fragmented packets More fragments flag - indicates the frame is part of a fragmented packet Fragment offset - indicates where in the puzzle the fragmented piece goes Source and destination addresses Considered best effort

Internet Protocol (IP)

What is this? Millions of devices around the world Limited functionality, non-standard input/output capabilities (no keyboard, no monitor, etc) Web site thingful.net has a database of these devices Web site shodan.io also has a database of these devices

Internet of Things (IoT)

What is the IPC$ share used for?

Interprocess communication

What is RPC primarily used for?

Interprocess communications

If you were implementing defense in breadth, what might you do?

Introduce a DevSecOps culture

What is one reason for using a scan like an ACK scan?

It may get through firewalls and IDS devices.

What is LATNIC and what region does it represent?

Latin American Network Information Center, South and central america

What social networking site would be most likely to be useful in gathering information about a company, including job titles?

LinkedIn

What are data descriptions in SNMP called?

Management information base

Which of these would be an example of a loss of integrity?

Memory failures causing disk drivers to run incorrectly

If you needed to enumerate data across multiple services and also store the data for retrieval later, what tool would you use?

Metasploit

Reconnaissance and Footprinting• Scanning and Enumeration Gaining Access Maintaining Access Covering Tracks This is know as the ___________ of Ethical hacking

Methodology

What is 224.0.0.0/4 used for?

Multi-cast addresses

What would you get from running the command dig ns domain.com?

Name server records for domain.com

These are examples of what? Rules created to identify attack traffic Traffic that matches a rule may log the match or alert on it Alerting expects someone to be watching Detection rules will need to be generated regularly, based on current attack trends

Network Intrusion Detection

What layer has the following characteristics? Networks are defined at this layer Communication is no longer local - network addresses enable transmission from one location to another Routing happens at this layer Crossing a layer 3 boundary refers to using a routing device to move from one network (as defined by the IP address and subnet mask) Protocol data unit is a packet

Network Layer (layer 3)

What kind of firewall is this? may include other features, including intrusion detection and anti-malware

Next Generation Firewall

What is this? De facto port scanner is this. Supports multiple scan types TCP scan types include SYN, Full connect, FIN, XMAS UDP scans supported Default scan is about 1000 well-known ports

Nmap

Which of these tools allows you to create your own enumeration function based on ports being identified as open?

Nmap

What programs would you use to enumerate services? (select the 2 that apply)

Nmap & nc

___________ ports indicate an application listening

Open

Usually a tightly scoped, point in time assessment of a section of an organization's network?`

Penetration Testing

What layer has the following characteristics? Cables Switches Routers Network interface cards Wireless adapters Protocol data unit -- symbol

Physical Layer (layer 1)

What is the difference between a SYN scan and a full connect scan?

The SYN scan doesn't complete the three-way handshake.

If you receive a RST packet back from a target host, what do you know about your target?

The source port in the RST message is closed.

The SYN scan doesn't complete the three-way handshake.

The target system ignores the message.

If you were to see that someone was using OpenVAS, followed by Nessus, what might you assume?

They were trying to reduce false positives.

What would be necessary for a TCP conversation to be considered ESTABLISHED by a stateful firewall?

Three-way handshake complete

What would be the purpose of running a ping sweep? (select all that apply)

To discover range of IP addresses map to live hosts, You want to use a protocol that may be allowed through the firewall, You want to identify responsive hosts without a port scan, and You want to use something that is light on network traffic.

What is the purpose of a security policy?

To provide high-level guidance on the role of security

These are all headers for what protocol? Sequence number - used to order messages Acknowledgement number - used to indicate the last message received Flags - used to provide direction to the receiving host Window size - used to indicate how many bytes can be sent without receiving an acknowledgement Source and destination ports

Transmission Control Protocol

What protocol is this? Used to multiplex network communications - ports allow multiple applications to communicate at the same time Requires a three-way handshake to establish connection between endpoints SYN, SYN/ACK, ACK Handshake establishes existence and availability of other party SYN establishes sequence number, used to order messages Considered to be guaranteed delivery

Transmission Control Protocol (TCP)

What layer has the following characteristics? Allows for multiplexed communications Without this layer, you could only have a single communication stream from one system to another Applications are assigned ports, which is the addressing scheme used at this layer TCP and UDP exist at this layer Protocol data unit is a segment for TCP and a datagram for UDP

Transport Layer (layer 4)


Kaugnay na mga set ng pag-aaral

BIO 345 Evolution Prof Maley & Sterner: Exam 1

View Set

POLS 2305-25: Ch. 9: Political Parties

View Set

React Native Interview Questions

View Set