Midterm
What command is used to listen to open ports with netstat? A.) $ netstat -an B.) $ netstat -ports C.) $ netstat -n D.) $ netstat -s
A.) $ netstat -an
Which nmap switch utilizes the slowest scan? A.) -T0 B.) -sT C.) -s0 D.) -sX
A.) -T0
What is the size of each of the fields in a UDP header? A.) 16 bits B.) 32 bits C.) 8 bytes D.) 16 bytes
A.) 16 bits
What port uses SSL to secure web traffic? A.) 443 B.) 25 C.) 23 D.) 80
A.) 443
Which permission value in linux allows for read and execute? A.) 5 B.) 7 C.) 4 D.) 1
A.) 5
What is the default TTL calues for Ubuntu Linux OS? A.) 64 B.) 128 C.) 255 D.) 256
A.) 64
Jason invokes the following Nmap command at a Linux command line. What Nmap scan is preformed? $ nmap -n 10.10.10.10/60 A.) A connect scan B.) a syn stealth scan C.) a null scan D.) a ping sweep
A.) A connect scan
An attacker was able to install a device at an unattended workstation and was able to recover passwords, account information, and other information the next day. What did the attacker install? A.) A keylogger B.) Key scanner C.) Rootkit D.) Trojan
A.) A key logger
What is an ICMP echo scan? A.) A ping sweep B.) A SYN scan C.) A Xmas tree scan D.) Part of a UDP scan
A.) A ping sweep
Which flag forces both sender and receiver on the network to terminate their connections with one another? A.) FIN B.) RST C.) URG D.) SYN
A.) FIN
What is the process of making an operating system secure from an attack called? A.) Hardening B.) Tuning C.) Sealing D.) Locking down
A.) Hardening
What network appliance senses irregularities and plays an active role in stopping that irregular activity from continuing? A.) IPS B.) IDP C.) IDS D.) firewall
A.) IPS
What does a stateful inspection provide to the network administrator? A.) It tracks all communications streams and the packets are inspected. B.) It provides the administrator with a slower network response. C.) It ensures that communications are terminated D.) It provides the administrator with reduced admin work.
A.) It tracks all communications streams and the packets are inspected.
What is the focus of a security audit or vulnerability assessment? A.) Locating vulnerabilities B.) Locating threats C.) Enacting threats D.) Exploiting vulnerabilities
A.) Locating vulnerabilities
A black-box test means the tester has which of the following? A.) No knowledge B.) Some knowledge C.) Complete knowledge D.) Permission
A.) No knowledge
Of the following methods, which one acts as a middleman between an external network and the private network by initiating and establishing the connection? A.) Proxy server B.) Firewall C.) Router D.) Switch
A.) Proxy server.
What is the sequence of the three-way handshake? A.) SYN, SYN-ACK, ACK B.) SYN, SYN-ACK C.) SYN, ACK, SYN-ACK D.) SYN, ACK, ACK
A.) SYN, SYN-ACK, ACK
Port number ___ is used by DNS for zone transfers. A.) TCP 53 B.) UDP 53 C.) TCP 25 D.) UDP 25
A.) TCP 53
What prevents IP packets from circulating throughout the internet forever? A.) TTL B.) Spanning tree C.) Broadcast domains D.) NAT
A.) TTL
A scan of a network client shows that port 23 is open; what protocol is this aligned with? A.) Telnet B.) NetBIOS C.) DNS D.) SMTP
A.) Telnet
In Linux, what method uses a brute-force effort to locate a file? A.) find B.) grep C.) | D.) search
A.) find
Which command would retrieve banner information from a website at port 80? A.) nc 192.168.10.27 80 B.) nc 192.168.19.27 443 C.) nc 192.168.10.27 -p 80 D.) nc 192.168.10.27 -p -l 80
A.) nc 192.168.10.27 80
Using nmap, what is the correct command to scan a target subnet of 192.168.0.0/24 using a ping sweep and identifying the operating system. A.) nmap -sP -O 192.168.0.0/24 B.) nmap -sP -V 192.168.0.0/24 C.) nmap -sT -P 192.168.0.0/24 D.) nmap -Ps -O 192.168.0.0/24
A.) nmap -sP -O 192.168.0.0/24
What is the generic syntax of a wireshark filter? A.) protocol.field operator value B.) field.protocol operator value C.) operator.protocol value field D.) protocol.operator value field
A.) protocol.field operator value
Jennifer is using tcpdump to capture traffic on her network. She would like to review a capture log gathered previously. What command can Jennifer use? A.) tcpdump -r capture.log B.) tcpdump -l capture.log C.) tcpdump -t capture.log D.) tcpdump -w capture.log
A.) tcpdump -r capture.log
Tiffany is analyzing a capture from a client's network. She is particularly interested in NetBIOS traffic. What port does Tiffany filter for? A.) 123 B.) 139 C.) 161 D.) 110
B.) 139
One a class C network, how many hosts can network administrators plan for if they are using a subnet mask of /27? A.) 16 B.) 32 C.) 64 D.) 128
B.) 32
Which DNS rescord maps an ip address to a hostname? A.) MX B.) A C.) AAA D.) MR
B.) A
Jason invokes the following nmap command at linux command line. What nmap scan is preformed? # nmap -n 10.10.10.10-60 A.) A connect scan B.) A syn stealth scan C.) A null scan D.) A ping sweep
B.) A syn stealth scan
What does a SYN scan accomplish? A.) It establishes a full TCP connection B.) It establishes a "half open" connection. C.) It opens an ACK connection with the target D.) It detects all closed ports on a target system
B.) It establishes a "half open" connection.
What does a SYN scan accomplish? A.) It establishes a full TCP connection B.) It establishes only a "half open" connection C.) It opens an ACK connection with the target D.) It detects all closed ports on a target system.
B.) It establishes only a "half open" connection
Which of the following types of attack has no flags set? A.) SYN B.) NULL C.) Xmas tree D.) FIN
B.) NULL
What port numbers is/are associated with the IP address? A.) 0 to 65535 B.) No ports C.) 53 D.) 80
B.) No ports
The command: SID: S-1-5-21domain-501, suggests what kind of account? A.) Administrator B.) Normal guest account C.) Power users D.) Domain admin
B.) Normal guest account
Which of the following is part of the overall SID? A.) UID B.) RID C.) USD D.) LSR
B.) RID
During a FIN scan, what indicated that a port is closed? A.) No return response B.) RST C.) ACK D.) SYN
B.) RST
During a FIN scan, what indicates that a port is closed? A.) No return response B.) RST C.) ACK D.) SYN
B.) RST
During an xmas tree scan what indicates a port is closed? A.) No return response B.) RST C.) ACK D.) SYN
B.) RST
A team that conducts penetration testing can be referred to as what? A.) Blue team B.) Red team C.) Black team D.) White team
B.) Red team
Which tool is used to illuminate a SID for a username? A.) Nslookup B.) SID2User C.) HKEY_LOCAL_USER/SID D.) >user ls -l
B.) SID2User
Your end client report that they cannot reach any website on the external website. As the nertwork admin, you decide to conduct some fact finding. Upon your investigation, you determine that you are able to ping the outside of the LAN to external websites using their IP address. Pinging websites with their domain name resolution does not work. What is most likely the cause of the issue? A.) The firewall is blocking the DNS resolution B.) The DNS server is not functioning correctly C.) The external websites are not responding D.) HTTP GET request is being dropped at the firewall from going out
B.) The DNS server is not functioning correctly
What program can be sued to discover firewalls? A.) Metasploit B.) Traceroute C.) Ns lookup D.) Dig
B.) Traceroute
What command would you use to give read, write and execute privileges for an object to the owner, group, and others in Linux? A.) chmod 666 B.) chmod 777 C.) chmod 7 D.) chmod 532
B.) chmod 777
How would you use netcat to set up a server on a system? A.) nc -l -l 10.10.10.10 B.) nc -l -p 1000 C.) nc -p -u 1000 D.) nc -l -p -t 10.10.10.10
B.) nc -l -p 100
What item should not be included in the rules of engagement? A.) test date and time B.) permission to test C.) contact information D.) daily debriefing conference call
B.) permission to test
Which tool can trace the path of a packet? A.) ping B.) tracert C.) whois D.) DNS
B.) tracert
Which of the following best describes DNS poisoning? A.) The adversary intercepts and replaces the victims MAC address with their own. B.) The adversary replaces their malicious IP address with the victim's IP address for the domain name. C.) The adversary replaces the legitimate domain name with the malicious domain name. D.) The adversary replaces the legitimate IP address that is mapped to the domain name with the malicious IP address.
D.) The adversary replaces the legitimate IP address that is mapped to the domain name with the malicious IP address.
Enumeration is useful to system hacking because it provides which of the following? A.) Passwords B.) IP ranges C.) Configurations D.) Usernames
D.) Usernames
What command displays the network configuration in Linux OS? A.) ipconfig B.) netstat C.) ls D.) ifconfig
D.) ifconfig
What command can you use to switch to a different user in Linux? A.) swu B.) user C.) sudo D.) su
D.) su
Does a null scan respond is a port open?
No
You have selected the option in your IDS to notify you via email if it senses any network irregularities? Checking logs, you notice a few incidents but you didn't receive any alerts. What protocol needs to be configured on the IDS? A.) NTP B.) SNMP C.) POP3 D.) SMTP
SMTP
What directory holds the basic commadns in the Linux OS? A.) /etc B.) /bin C.) / D.) /config
B.) /bin
Where is the event log located in Linux OS? A.) /home/log B.) /var/log C.) /log/ D.) /home/system32/log
B.) /var/log
What is the default TTL value for Microsoft windows 7 os? A.) 64 B.) 128 C.) 255 D.) 256
B.) 128
Which of the following denotes the root directory in a Linux system? A.) root/ B.) / C.) home\ D.) \home\
B.) /
Jason is a novice penetration tester. He was running nmap against a target host. After he entered the command, the target host went down. Which of the following nmap command most likely did Jason enter? A.) # nmap -n -A 10.10.10.10 B.) # nmap -n -sC 10.10.10.10 C.) # nmap -n --scripts=all 10.10.10.10 D.) # nmap -n --script=brute 10.10.10.10
C.) # nmap -n --scripts=all 10.10.10.10
In the TCP three-way handshake, which is next after the initial SYN packet? A.) An ACK is received B.) A SYN is received C.) A SYN/ACK is sent D.) An ACK is sent
C.) A SYN/ACK is sent
A crystal-box test means the tester has which of the following? A.) No knowledge B.) Some knowledge C.) Complete knowledge D.) Permission
C.) Complete knowledge
Which report would be best given to a client's senior leadership team? A.) Analysis report B.) Project summary report C.) Executive summary report D.) Chapter summary report
C.) Executive summary report
An administrator has just been notified of irregular activity. What appliance functions in this manner? A.) IPS B.) stateful packet filtering C.) IDS D.) Firewall
C.) IDS
At which layer of the OSI does a packet-filtering firewall work? A.) Layer 1 B.) Layer 2 C.) Layer 3 D.) Layer 4
C.) Layer 3
What UDP flag forces a connection to terminate at both endsof the circuit? A.) RST B.) FIN C.) None D.) URG and RST
C.) None
Which category of firewall filters is based on packet header data only? A.) Stateful B.) Application C.) Packet D.) Proxy
C.) Packet
When trying to identify all the workstations on a subnet, what method might you choose? A.) Port scan B.) Anonymous C.) Ping sweep D.) Web crawler
C.) Ping sweep
What is the function of a CNAME record? A.) Provides authentication to a website B.) Encrypted DNS zone transfers C.) Supplements an alias to a domain name D.) Replaces the MX for security transactions
C.) Supplements an alias to a domain name
In Linux, what designator is used to uniquely identify a user account? A.) GID B.) SID C.) UID D.) PID
C.) UID
The wayback machine is used to do which of the following? A.) Get job posting B.) View websites C.) View archived versions of websites D.) Back up copies of websites
C.) View archived versions of websites
Which of the following provides free information about a website that includes phone numbers, administrator's email, and even the domain registration authority? A.) Nslookup B.) Dig C.) Whois.net D.) Ping
C.) Whois.net
Which wireshark filter only displays traffic from 10.10.10.10? A.) ip.addr=! 10.10.10.10 B.) ip.addr ne 10.10.10.10 C.) ip.addr == 10.10.10.10 D.) ip.addr - 10.10.10.10
C.) ip.addr == 10.10.10.10
In Linux, which of the following accounts denotes the administrator? A.) Admin B.) Administrator C.) root D.) su
C.) root
To make Tcpdump sniff on a network interface eth0, do not resolve the host and service names, for TCP packets to and from host 10.10.10.10. Which of the following commands should be invoked? A.) tcpdump -nn -i eth0 and tcp and host 10.10.10.10 B.) tcpdump -n -i eth0 and tcp host 10.10.10.10 C.) tcpdump -nn -i eth0 tcp and host 10.10.10.10 D.) tcpdump -nn -i eth0 and tcp and net 10.10.10.10
C.) tcpdump -nn -i eth0 tcp and host 10.10.10.10
Jason is running his virtual test machine using NAT network setting in his first penetration test. He selected the exploit and payload in Metasploit and fire the exploit against the windows target where a vulnerable service was running. Metasploit reported that the payload failed. Assuming the exploit is correct, which of the following patload most likely did Jason choose? A.) windows/meterpreter/bind_tcp B.) windows/shell_bind_tcp C.) windows/meterpreter/reverse_tcp D.) windows/shell/bind_nonx_tcp
C.) windows/meterpreter/reverse_tcp
A full-open scan means that the three-way handshake has been completed. What is the difference between this and a half-open scan? A.) A Half-open scan uses TCP B.) A half-open uses UDP C.)A half-open does not include the final ACK D.) A half-open includes the final ACK
C.)A half-open does not include the final ACK
How would an administrator set a password for a user in Linux? A.) # password user pass123 B.) # chmod pass user pass123 C.) # pass user pass123 D.) # passwd user pass123
D.) # passwd user pass123
In Linux, how would you create a new user in a terminal? A.) # useradd /home/samerea ssamarea B.) > useradd raeleah C.) cuser ray_j /home/ray_j D.) # useradd savion
D.) # useradd savion
Using nmap, what switches allow us to fingerprint an operating system and conduct a port scan? A.) -sS -sO B.) -sSO C.) -O -Ss D.) -O -sS
D.) -O -sS
Which switch in nmap allows for a full TCP connect scan? A.) -sS B.) -sU C.) -FC D.) -sT
D.) -sT
How many hosts can be accommodated in a subnet with a netmask of 255.255.252.0? A.) 128 B.) 256 C.) 512 D.) 1024
D.) 1024
What best describes a vulnerability scan? A.) A way to find open ports B.) A way to diagram a network Xmas tree C.) A proxy attack D.) A way to automate the discovery of vulnerabilities
D.) A way to automate the discovery of vulnerabilities
At which layer of the OSI model does a proxy operate? A.) Physical B.) Network C.) Data Links D.) Application
D.) Application
Which of the following is not a flag on a TCP packet? A.) URG B.) PSH C.) RST D.) END
D.) END
What item should not be included in the Rules of Engagement? A.) test date and times B.) contact information C.) daily debriefing conference call D.) Intellectual property ownership
D.) Intellectual property ownership
Which record will reveal information about a mail sever for a domain? A.) A B.) Q C.) MS D.) MX
D.) MX
Which technology allows the use of a single public address to support many internal clients while also preventing exposure of all internal IP addresses to the outside world? A.) VPN B.) Tunneling C.) NTP D.) NAT
D.) NAT
Which technology allows the use of a single public address to support many internal clients while also preventing exposure of internal IP addresses to the outside world? A.) VPN B.) Tunneling C.) NTP D.) NAT
D.) NAT
What would be the last values to complete the connection? SEQ: 300 ACK: 0 FLAGS: SYN SEQ: 243 ACK: 301 FLAGS: SYN/ACK SEQ: ??? ACK: ??? FLAGS: ??? A.) SEQ: 302 ACK: 200 FLAGS:SYN B.) SEQ: 302 ACK: 201 FLAGS: ACK C.) SEQ: 301 ACK: 202 FLAGS: ACK D.) SEQ: 301 ACK: 244 FLAGS: ACK
D.) SEQ: 301 ACK: 244 FLAGS: ACK
