New Ethical Hacking set
What is a PERL module that supports IDS evasion techniques?
Libwisker.
Which regulation defines security and privacy controls for Federal information systems and organizations?
NIST-800-53
What access control principle requires that a user have no more access to a resource than what is required to do that user's job?
Least Privilege.
How does the OSSTMM define legislative compliance?
Legislative compiance deals with governmental regulations.
What are the OSSTMM types of Compliance?
Legislative, Contractual and Standards-Based.
What are the three types of compliance defined by the Open Source Security Testing Methodology Manual or OSSTMM?
Legislative, contractal and standards-based.
What are the OSSTMM Process Controls?
Nonrepudiation; Confidentiality; Privacy; Integrity; and Alarm.
An XMAS scan that is discarded by an unfiltered remote host indicates a closed or open port?
Open, because it's out of state.
How do stateful firewalls operate?
Operates at OSI Layers 3 and 4, the Network and Transport layers, making filtering decisions based on previous packets that have been sent. They do this by maintaining a state table. This is unlike the packet-filtering firewall, which is stateless.
Two numbers XOR not equal?
Output is one.
Two numbers XOR equal?
Output is zero.
What are some indicators that hidden data probably exists on a computer?
A binary file header that does not match the file extension, a file that has been modified by steganography tools, and user-created data in a host-protected area (HPA) are all indicators that hidden data probably exists on a computer.
What software vulnerability is most likely to cause a web browser to send a request that the browser's user does not intend to send?
A Cross-Site Request Forgery.
What does Aircrack-ng use to crack WPA and WPA2 PSKs?
A Dictionary attack.
What is another way to describe a Layer 2 Broadcast?
A Layer 2 Broadcast can more simply be described as a message to all NICs.
What is another name for a Layer 3 Limited Broadcast?
A Layer 3 Limited Broadcast is more commonly known as the Network Broadcast address.
What type of address is sent to all devices on a subnet?
A Layer 3 directed broadcast address. Directed broadcasts can be forwarded by routers.
What type of address is sent to all devices on a broadcast domain?
A Layer 3 limited broadcast address. It is also known as the network broadcast address, which is not forwarded by routers.
What is packETH?
A Linux GUI-based tool for generating TCP/IP packets.
What is POODLE (Padding Oracle on Downgraded Legacy Encryption)?
A MitM attack that causes the encryption system to fallback from TLS to SSL 3.0.
What is POODLE?
A MitM attack which causes the encryption system to fallback from TLS to SSL 3.0.
What is an SIV?
A System Integrity Verifier, such as TripWire.
What is the main difference between Nemesis and PackETH?
Both craft packets, but Nemesis is command line, while PackETH is GUI.
How is a LAND attack executed?
A TCP SYN segment spoofing the target host's IP address is sent, causing a looped TCP connection with itself causing vulnerable TCP implementations to crash the OS.
What three devices can be used as a gateway?
A WAP, a router, and a firewall.
What is the correct process for the TCP three-way handshake connection establishment and connection termination?
Connection Establishment: SYN, SYN-ACK, ACK Connection Termination: FIN, ACK-FIN, ACK
What address translation method uses a many-to-many mapping using a pool of public IP addresses and assigning them to devices with private IP addresses on an as-needed basis?
Dynamic NAT.
What occurs during the Verification phase of Microsoft's SDL?
Dynamic analysis and fuzz testing are performed, and an attack surface review is conducted.
Question: 52 What is the disadvantage of an automated vulnerability assessment tool?
E. Noisy
Question: 33 What is the proper response for a FIN scan if the port is closed? A.
E. RST
Question: 35 What is the proper response for a X-MAS scan if the port is closed?
E. RST
Question: 66 What is the proper response for a NULL scan if the port is closed?
E. RST
Question: 46 What is the BEST alternative if you discover that a rootkit has been installed on one of your computers?
E. Reload from known good media
Question: 63 _______ is one of the programs used to wardial.
E. ToneLoc
Which types of EAP use a password hash for supplicant authentication?
EAP-MD5 and LEAP.
Which types of EAP are vulnerable to man-in-the-middle attacks?
EAP-MD5; EAP-TTLS; and PEAP.
Which types of EAP are vulnerable to identity exposure?
EAP-MD5; LEAP; and EAP-TLS.
Which three types of EAP use public key certificates for server authentication?
EAP-TLS; EAP-TTLS; and PEAP user public key certs for server authentication.
Grey hat hackers
A cross between black and white—they will often illegally break into systems merely to flaunt their expertise to the administrator of the system they penetrated or to attempt to sell their services in repairing security breaches.
What is blackboard architecture?
A design in which a database or knowledgebase is established to solve a particular problem. It often involves expert systems and can be considered a form of AI.
What is a bastion host?
A device placed on the Internet that is not protected by another device. It must be hardened to withstand attack.
Mobile Threats
A device that comes and goes from insecure to secure environments
What is correct about digital signatures?
A digital signature cannot be moved from one signed document to another because it is the hash of the original document encrypted with the private key of the signing party.
Bob learned that his username and password for a popular game has been compromised. He contacts the company and resets all the information. The company suggests he use two-factor authentication, which option below offers that?
A fingerprint scanner and his username and password.
What is a screened subnet?
A firewalled, separate subnet.
What is THC Hydra?
A password-cracking tool that runs on Linux, Mac-OS and Windows.
What is THC Hydra?
A password-cracking tool.
What is Phlashing?
A permanent denial of service attack in which system hardware is sabotaged with false firmware updates. Also known as 'bricking a system'.
> NMAP -sn 192.168.11.200-215 The NMAP command above performs which of the following?
A ping scan
Network Scanning
A procedure for identifying active hosts on a network.
NetBios
A standard communication protocol. Can use TCP port 139 for file and printer sharing
How is Information Security defined?
A state of well-being of information and infrastructure in which the possibility of theft, tampering and disruption of information and services is kept low or tolerable.
A penetration test was done at a company. After the test, a report was written and given to the company's IT authorities. A section from the report is shown below: Access List should be written between VLANs. Port security should be enabled for the intranet. A security solution which filters data packets should be set between intranet (LAN) and DMZ. A WAF should be used in front of the web applications. According to the section from the report, which of the following choice is true?
A stateful firewall can be used between intranet (LAN) and DMZ.
What is AES?
A symmetric encryption algorithm that is a block cipher.
What is a buffer?
A temporary storage area whose length is defined in the program that creates it or by the operating system.
What flaw enables attackers to compromise passwords encryption keys or session tokens?
Broken Authentication and Session Management.
What flaw enables attackers to compromise passwords, encryption keys or session tokens?
Broken Authentication and Session Management.
What was Number 2 in O-WASP's Top 2013 security priorities?
Broken Authentication and Session Management.
Which method of password cracking takes the most time and effort?
Brute force
How can a policy help improve an employee's security awareness?
By implementing written security procedures, enabling employee security training, and promoting the benefits of security
What type of authentication system is RSA Secur'e'-I D?
A two-factor authentication system which requires a user PIN and the hardware token provided by the device.
What DNS record translates a host name to an IP address?
A.
What vulnerability can be mitigated by setting the HttpOnly flag in cookies?
Cross-site scripting attacks.
Question: 62 Which of the following tools can be used to perform a zone transfer?
A. NSLookup C. Dig D. Sam Spade E. Host
Question: 32 If you send a SYN to an open port, what is the correct response?(Choose all correct answers.
A. SYN B. ACK
Question: 11 Which of the following tools are used for footprinting?(Choose four.
A. Sam Spade B. NSLookup C. Traceroute D. Neotrace
Question: 67 If you receive a RST packet while doing an ACK scan, it indicates that the port is open.(True/False.
A. True
nmap -sA
ACK scan. Used to test your firewall rules.
What purpose does the plus (+) character serve in Structured Query Language (SQL)?
Concatenates two string values together in SQL code.
What mechanism in Windows prevents a user from accidentally executing a potentially malicious batch (.bat) or PowerShell (.ps1) script?
Data Execution Prevention (DEP)
You work as a Security Analyst for a retail organization. In securing the company's network, you set up a firewall and an IDS. However, hackers are able to attack the network. After investigating, you discover that your IDS is not configured properly and therefore is unable to trigger alarms when needed. What type of alert is the IDS giving?
False Negative
What technique generates a large amount of alert traffic to prevent an IDS from detecting a legitimate attack?
False positive generation.
nmap -F
Fast mode. Scan fewer ports than the default. (default is to scan 1,000 ports, -F only scans the 100 most common ports)
To grab a web server's banner after telnetting to port 80, what command would you enter?
HEAD / HTTP / 1.0.
During a security audit of IT processes, an IS auditor found that there were no documented security procedures. What should the IS auditor do?
Identify and evaluate existing practices
What security standard recommends security controls based on industry best practices?
ISO 27002.
Which ISO standard is focused on security controls?
ISO 27002.
As a risk equation component, how is "Threat" understood?
Identified as the frequency or rate of a potential negative event.
What character does a Linux command need to be followed by in order to have it run as a background process?
Follow the command with a space and an ampersand ( &).
As a risk equation component, how is "Cost" understood?
Identified as the hard and soft damages an organization might incur as the result of a successful attack.
How can Wireshark capture and analyze unicast traffic on a switched network?
If it is in promiscuous mode and if the switch supports mirrored ports.
International Organization for Standardization (ISO) standard 27002 provides guidance for compliance by outlining
guidelines and practices for security controls.
You want to do an ICMP scan on a remote computer using hping2. What is the proper syntax?
hping2 -1 host.domain.com
What is BBProxy?
Part of the BlackBerry Attack Toolkit, along with BBScan and MetaSploit patches: it can perform Blackjacking attacks, but not Bluesnarfing, Bluejacking, or Bluebugging.
How does a metamorphic virus operate?
Rewrites itself completely each time it infects a new executable; reprogramming itself by translating its own code into a temporary representation and then back to the normal code again.
According to NIST SP 800-30, what risk assessment step would come last?
Risk Determination.
Risks = Threats x Vulnerabilities is referred to as the:
Risk equation
Which of the following security operations is used for determining the attack surface of an organization?
Running a network scan to detect network services in the corporate DMZ
What command will display active and inactive services on a computer running Windows Server 2012?
SC QUERY STATE = ALL.
What command would be issued to display active and inactive services on a Windows Server 2012 computer?
SC QUERY STATE = ALL.
Which of the following can take an arbitrary length of input and produce a message digest output of 160 bit?
SHA-1
What hashing algorithm creates a 160-bit hash value?
SHA-1.
What two attacks DO rely on ICMP messages to disable a target host?
SMURF and Ping of Death attacks.
What law requires publicly traded companies to submit to independent audits and to properly disclosue financial information?
SOX.
What is a SPAN port?
SPAN stands for Switch Port Analysis.
What are five well-known SQL injection tools?
SQL Injector, SQL Ninja, Havij, Pangolin and Absinthe are all SQL injection tools.
Eve stole a file named secret.txt, transferred it to her computer and she just entered these commands: [eve@localhost ~]$ john secret.txt Loaded 2 password hashes with no different salts (LM [DES 128/128 SSE2-16]) Press 'q' or Ctrl-C to abort. almost any other key for status 0g 0:00:00:03 3/3 0g/s 86168p/s 86168c/s 172336C/s MERO..SAMPLUI 0g 0:00:00:04 3/3 0g/s 3296Kp/s 3296Kc/s 6592KC/s GOS..KARIS4 0g 0:00:00:07 3/3 0g/s 8154Kp/s 8154Kc/s 16309KC/s NY180K..NY1837 0g 0:00:00:10 3/3 0g/s 7958Kp/s 7958Kc/s 1591KC/s SHAGRN..SHENY9 What is she trying to achieve?
She is using John the Ripper to crack the passwords in the secret.txt file.
It is a vulnerability in GNU's bash shell, discovered in September of 2014, that gives attackers access to run remote commands on a vulnerable system. The malicious software can take control of an infected machine, launch denial-of-service attacks to disrupt websites, and scan for other vulnerable devices (including routers). Which of the following vulnerabilities is being described?
Shellshock
In footprinting an organization during a black-box penetration test, what is the recommended method to use?
Should be done using mailing list messages, as this is the first step in the Discovery phase of the pen test, or the pre-attack phase of the three-phase model. Information gathering in this stage comes from sources like a WHOIS database, mailing lists, or USENET groups.
What does the i p .dst display filter show in Wireshark?
Specifies a destination IP address or network in Wireshark.
What does the i p . host display filter show in Wireshark?
Specifies a host or destination hostname.
What does the tcp.port display filter show in Wireshark?
Specifies a source or destination TCP port number.
Which of the following areas is considered a strength of symmetric key cryptography when compared with asymmetric algorithms?
Speed
During a recent security assessment, you discover the organization has one Domain Name Server (DNS) in a Demilitarized Zone (DMZ) and a second DNS server on the internal network. What is this type of DNS configuration commonly called?
Split DNS
How is a Smurf attack executed?
Spoofs the target's host's IP address and broadcasts a flood of ping messages to all systems on a LAN segment. When recipients reply to the target host, the target host is flooded by Echo Reply messages from all the attacked systems.
Which of the following types of firewalls ensures that the packets are part of the established session?
Stateful inspection firewall
What are the phases of Microsoft's Security Development Lifecycle?
Training; Requirements; Design; Implementation; Verification; Release and Response.
What does a firewall check to prevent particular ports and applications from getting packets into an organization?
Transport layer port numbers and application layer headers
What attributes are generally analyzed during passive OS fingerprinting?
TTL, TCP windows, DF flags, and ToS—or Type of Service fields.
Jimmy is standing outside a secure entrance to a facility. He is pretending to have a tense conversation on his cell phone as an authorized employee badges in. Jimmy, while still on the phone, grabs the door as it begins to close. What just happened?
Tailgating
What type of server authentication does LEAP use?
Uses a password hash for server authentication.
What is Dynamic NAT?
Uses a pool of external publicly routable IP address to share among multiple computers on a private network. Addresses are assigned on a per-session basis, and are returned to the pool at the end of the session.
Which of the following is the BEST way to defend against network sniffing?
Using encryption protocols to secure network communications
Which of the following is one of the most effective ways to prevent Cross-site Scripting (XSS) flaws in software applications?
Validate and escape all information sent to a server
What are the RC5 key sizes?
Variable from 0 through 2040 bits.
What is the relationship between Nikto and Libwhisker?
a GPL web vulnerability scanner that uses Libwhisker for some IDS evasion functionality.
7. Physihing can be migrated through the use of _____? a. spam filtering b. education c. antivirus d. anti-malware
a,b. spam filtering and education....are tremendously helpful at lessening the impact of phishing. Pure antivirus and anti-malware typically do not include this functionality unless they are part of a larger suite.
Craig received a report of all the computers on the network that showed all the missing patches and weak passwords. What type of software generated this report?
a vulnerability scanner
4. Social engineering can use all the following except? a. technology b. people c. human nature d. physical
all....the targets of social engineering are people and the weaknesses present in human beings.
Aplication vulnerabilitiy
buffer overflow attacks, cross-site scripting, SQL injection, man-in-the-middle session hijacking, denial of service
OS Vulnerabilities
bug, etc.
nmap -T0 through -T5
controls timing template (higher is faster). You can slow your scans down to try to avoid detection. 3 is default, 4 is recommended for modern, reliable networks, 0 is for the paranoid to bypass IDS
White hat hackers
ethical hackers that break into the systems for non malicious reasons such as to test the system security vulnerabilities or to expose undisclosed weaknesses
Which of the following is an extremely common IDS evasion technique in the web world?
unicode characters
WHOIS database
the central database of domain names
Usability
the system is easy to learn and efficient and satisfying to use
Nmap grepable output
-oG
Nmap normal output
-oN
Nmap ml output
-oX
ACK Scan
-sA
FIN Scan
-sF
Idlescan
-sI
List Scan
-sL
IP Protocol Scan
-sO
Ping Scan
-sP
nmap -sn or -sP
-sP (old way) or -sn (newer version) = ping scan - determines active hosts Ex: nmap -sP 192.168.3.1-20 will scan 3.1 through 3.20 to see which are up (which reply)
RPC Scan
-sR
UDP Scan
-sU
What is ARP spoofing?
A technique in which an attacker crafts ARP packets in which a legitimate IP address on a given LAN are associated with the attacker's own Media Access Control (MAC) address.
What is FREAK (Factoring Attack on RSA-EXPORT Keys)?
A technique to exploit a vulnerability that enables an attacker to use a MitM attack to take advantage of a downgrade mechanism in RSA encryption security.
What is described as a method of transferring traffic using legitimate communication channels?
An overt channel is a method of transferring traffic by using legitimate communication channels.
Which of the following is the greatest threat posed by backups?
An un-encrypted backup can be misplaced or stolen.
Zero-day attack
Attack that exploits previously unknown vulnerabilities, so victims have no time (zero days) to prepare for or defend against the attack.
State-sponsored attacker
Attacker commissioned by governments to attack enemies' information systems.
Insider Attacks
Attacks beginning from inside your organization; malicious or non-malicious.
A company's security policy states that all Web browsers must automatically delete their HTTP browser cookies upon terminating. What sort of security breach is this policy attempting to mitigate?
Attempts by attackers to access Web sites that trust the Web browser user by stealing the user's authentication credentials.
What kind of IDS does session splicing attempt to evade?
Attempts to evade detection by signature-based IDS.
What IPSec configuration provides authentication and integrity but not confidentiality?
Authentication Header in transport mode.
What does Authentication Header provide in IPSec Tunnel Mode?
Authentication and integrity, but not encryption, for the encapsulated packet.
What authentication type is a biometric passport?
Authentication by something you have because it contains data embedded in a chip in the passport.
What is implemented by using the 802.1X standard?
Authentication for port-based connections.
What are the OSSTMM Interactive Controls?
Authentication; Indemnification; Resilience; Subjugation; and Continuity.
An attacker changes the profile information of a particular user (victim) on the target website. The attacker uses this string to update the victim's profile to a text file and then submit the data to the attacker's database. <iframe src="http://www.vulnweb.com/updateif.php" style="display:none"></iframe> What is this type of attack (that can use either HTTP GET or HTTP POST) called?
Cross-Site Request Forgery
What occurs during the Training phase of Microsoft's SDL?
Core security training for software development team members is conducted. Members are encouraged to attend at least one class yearly.
What is defined as the hard and soft damages an organization might incur as the result of a successful attack?
Cost. In the non-profit context, this could also be referred to as impact.
What is the risk of the HTTP TRACE method?
Could enable an attacker to launch a Cross-Site Tracing Attack.
What is the risk of the HTTP PUT method?
Could enable an attacker to upload files to a target server.
What is the risk of the HTTP CONNECT method?
Could enable an attacker to use a target server as a proxy.
What is the risk of the HTTP DELETE method?
Could enable an attacker to use an HTTP client to delete files from a target server.
Hacktivism
Cracking into a system as a political act.
After trying multiple exploits, you've gained root access to a Centos 6 server. To ensure you maintain access, what would you do first?
Create User Account
How does a companion or camouflage virus operate?
Creates a companion file for each executable file it infects. It may save itself as notepad.com and each time a user infects the legitimate program notepad.exe, the computer will instead load notepad.com and infect the system.
To find a webpage named "employee directory" on the domain example com what search string should be used?
Intitle: "employee directory" site:example.com.
What does the Google string operator "intitle:" do?
Intitle: limits the search results to only sites with matching text in their titles.
Which of the following is designed to identify malicious attempts to penetrate systems?
Intrusion Detection System
What does the Google string operator "inurl:" do?
Inurl: limits the search results to only sites with matching text in their URLs.
Doxing
Involves the examination of Interent records in an attempt to reveal the identity of an anonymous poster.
What are scanning and enumeration?
The second pre-attack phase in which the hacker is moving from passive information gathering to active information gathering.
What was an enhancement that 802.11i provided to WPA?
WPA changed from the use of a block cipher to a stream cipher for encryption.
What types of encryption do WPA and WPA2 use?
WPA uses TKIP; WPA2 uses AES-CCMP.
What encryption algorithm does WPA2 use?
WPA2 uses AES encryption.
What wireless standard uses AES encryption?
WPA2 uses AES encryption.
Initiating an attack against targeted businesses and organizations, threat actors compromise a carefully selected website by inserting an exploit resulting in malware infection. The attackers run exploits on well-known and trusted sites likely to be visited by their targeted victims. Aside from carefully choosing sites to compromise, these attacks are known to incorporate zero-day exploits that target unpatched vulnerabilities. Thus, the targeted entities are left with little or no defense against these exploits. What type of attack is outlined in the scenario?
Watering Hole Attack
What do we mean when we speak of an attacker covering tracks?
When an attempt is made to make sure to remove all evidence of an attacker's activities. This might include using rootkits to cover their tracks. Other hackers might hunt down log files and attempt to alter or erase them.
In steganalysis what is Stego-Only?
When only the Stego-Object is available for analysis.
In steganalysis what is Known-Stego?
When the Stego-Algorithm, the Cover-Medium and the Stego-Object are all available.
In steganalysis what is Chosen-Stego?
When the Stego-Object and Stego-Algorithm are both available.
What is gaining access in the context of an attack scenario?
When the hacker moves from simply probing the network to actually attacking it. Once the hacker has gained access, he can begin to move from system to system, spreading damage as he progresses.
Exclusive Or or XOR.
When two bits are combined, the result will be zero only if both bits are the same.
Version Detection Scan
-sV
Window Scan
-sW
Xmas Tree scan
-sX
What Port does BGP use?
TCP Port 179.
What Port does HTTPS used by default?
TCP Port 443.
What was Number 3 in OWASP's Top 2013 security priorities?
Cross-Site Scripting.
Exploit
(v.) to make use of, develop; to make improper use of for personal profit; (n.) a feat, deed using a vulnerability
POP3
110
How many networks does Class A support?
126 networks.
What are the AES key sizes?
128, 192 or 256 bits.
What size hash does MD5 create?
128-bit, based on variable length plaintext.
Secure LDAP
636 (over SSL)
What is the size of the message integrity check in TKIP?
64-bit.
Diffie-Hellman Group 1?
768-bit modulus.
What is 2 to the 3rd power?
8.
HTTP
80, 81, 8080
In what version of WiFi was AES introduced?
802.11i.
What does NetStumbler not support that Kismet does support?
802.11n, Mac OS-X, Linux or monitor mode.
Diffie-Hellman Group 18?
8192-bit modulus.
Kerberos
88
ICMP Type 3 Code 13
"Communication Administratively Prohibited".
ICMP Type 3 Code 10
"Communication with Destination Host Administratively Prohibited".
ICMP Type 3 Code 9
"Communication with Destination Network Administratively Prohibited".
ICMP Type 3 Code 7
"Destination Host Unknown".
ICMP Type 3 Code 12
"Destination Host Unreachable for Type of Service".
ICMP Type 3 Code 6
"Destination Network Unknown".
ICMP Type 3 Code 11
"Destination Network Unreachable for Type of Service".
ICMP Type 3 Code 4
"Fragmentation Needed but DF bit was set".
ICMP Type 3 Code 1
"Host Unreachable".
What does ICMP Type 3 Code 0 mean?
"Net Unreachable".
ICMP Type 3 Code 2
"Protocol Unreachable".
ICMP Type 3 Code 8
"Source Host Isolated".
ICMP Type 3 Code 5
"Source Route Failed".
The chance of a hard drive failure is once every three years. The cost to buy a new hard drive is $300. It will require 10 hours to restore the OS and software to the new hard disk. It will require a further 4 hours to restore the database from the last backup to the new hard disk. The recovery person earns $10/hour. Calculate the SLE, ARO, and ALE. Assume the EF = 1 (100%). What is the closest approximate cost of this replacement and recovery operation per year?
$146
What Google search string operator can be used to search for exposed directory listings on web servers?
'intitle:'
What filter can be used in Wireshark to display only traffic sent between devices on the 10.10.10/0/24 network?
'ip.src == 10.10.10.0/24 and ip.dst == 10.10.10.0/24'.
What types of PSK digital modulation does Bluetooth 2.0 with Enhanced Data Rate use?
8DPSK and π/4-DQPSK.
TCP SYN Scan
-sS
TCP connect() scan
-sT
What two parameters could be used with N-map to launch the N-map Scripting Engine?
-A or -sC.
don't ping
-P0
nmap -Pn or -P0
-P0 (Pzero (old way)) or -Pn (new way) - disables host discovery (no ping)
PI and PT Ping
-PB
ICMP Ping
-PI
ICMP Netmask
-PM
ICMP Timestamp
-PP
SYN Ping
-PS
TCP Ping
-PT
FTP Bounce Attack
-b
What is the difference between grep -l and grep -L?
-l means "files which include"; -L means "files which exclude".
nmap all output
-oA
What are the two basic types of attacks?(Choose two
.B. Passive D. Active
What file formats can Nikto save to?
.TXT, .CSV, Nessus .NBE, .HTML, .XML and Metasploit. It cannot save to libwhisker format, although it does use the libwhisker PERL module for some IDS evasion functionality.
What are the five key steps in the ethical hacker's process?
1. Assessment; 2. Policy development; 3. Implementation; 4. Training; 5. Audit.
What are the steps to create an encrypted message with a digital signature using PKI?
1. Create a hash of the message body; 2. Encrypt the hash with your private key; 3. Encrypt the message with the recipient's private key.
What are the seven basic steps the EC-Council divides footprinting and scanning into?
1. Information Gathering; 2. Determining the Network Range; 3. Identifying Active Machines; 4. Finding Open Ports and Access Points; 5. OS Fingerprinting; 6. Fingerprinting Services; and 7. Mapping the Network.
Footprinting process
1. Know Security Posture 2. Reduce Focus Area 3. Identify Vulnerabilities 4. Draw Network Map
What are the six steps of the attacker's process which include the pre-attack and attack phases?
1. Performing reconnaissance; 2. Scanning and enumeration; 3. Gaining access; 4. Escalation of privilege; 5. Maintaining access; 6. Covering tracks and placing backdoors.
What are the six key sections of security assessment according to the OSSTMM?
1. Physical security; 2. Internet security; 3. Information security; 4. Wireless security; 5. Communications security; 6. Social engineering.
What are the social engineering phases?
1. use footprinting and gather details about a target 2. Select a specific ind or gropu who may have the access or info you need to get closer to the desired target. 3. forge a relationshiop with the intended victim through conversations, discussions, emails, or other means. 4. exploit the relationship with the intended victim and extract the desired information These four phases can be seen in 3 distinct components of social eng: Research (step 1) Develop (step 2 and 3) Exploit (step 4)
A common cryptographical tool is the use of XOR. XOR the following binary values: 10110001 00111010
10001011
SMB
137,138,139. Server Message Block. In a Windows network, this protocol is for file, folder, and printer sharing. SMB signing can prevent MITM as each packet is signed when accessing a share. SMB either relies on the older NetBIOS API (ports 137,138,139, or can run directly over TCP which is then on port 445. SMB is sometimes known as CIFS (common internet file system)
SQL Server
1433, 1434
Diffie-Hellman Group 5?
1536-bit modulus.
How many networks can the Class B Address Range support?
16,384 networks.
Diffie-Hellman Group 15?
3072-bit modulus.
nmap -p
<port ranges>
You are using NMAP to resolve domain names into IP addresses for a ping sweep later. Which of the following commands looks for IP addresses?
>host -t a hackeddomain.com
Which type of EAP is vulnerable to a session hijack?
?? Vulnerable to a session hijack.
What size hash does SHA-1 create?
A 160-bit hash value.
What are two primary weaknesses in WEP?
A 24 bit Initialization Vector and key rollover.
What is the Burp Suite intercepting proxy?
A Burp Suite feature that acts as a MitM between the pen tester and the target. With this tool, a pen tester or attacker can intercept and change HTTP traffic either sent to or received from the target.
What is the Burp Suite sequencer tool?
A Burp Suite feature that can test session token randomness.
What is the Burp Suite repeater tool?
A Burp Suite feature that enables the manual modification and resending of unique requests.
What describes a group of security responders who are responsible for mitigating attacker activities during an attack simulation?
A blue team.
What is an Exploit?
A breach of IT system security through vulnerabilities.
In what type of password attack are all combinations of letters numbers and symbols used to discover the password?
A brute-force attack.
What activity is performed to identify business systems and process that are critical for a company to continue to operate?
A business impact analysis,
What activity is performed to identify business systems and process that are critical for a company to continue to operate?
A business impact analysis.
To what type of attack is RSA particularly susceptible?
A chosen ciphertext attack.
What is Nemesis?
A command-line tool that can generate ARP Ethernet TCP and UDP packets.
What is the difference between a hybrid password attack and a brute force attack?
A hybrid password attack substitutes numbers and characters in words to discover a password: such as replacing the letter o with the number 0 (zero) or the letter a with the @ (at sign) or a lower-case l (ell) with the number 1.
What type of root-kit can migrate the OS into a VM?
A hypervisor-level root-kit, which installs itself between the hardware layer and the OS.
What is a heap?
A memory space that is dynamically allocated.
What is hex 0x90?
A null operation or NOP.
What is a stack?
A reserved area of memory where a program saves the return address when a call instruction is received.
What biometric scan is likely to reveal personal health information about a user?
A retinal scan.
What type of malware can be used to modify the kernel of an OS and can be used by an attacker to access the computer in the future?
A rootkit.
What is IRDP?
A routing protocol that allows a host to discover the IP addresses of active routes on their subnet by listening to router advertisement and solicitation messages on their network.
What is a data breach?
A security incident in which an organization's sensitive data is exposed to an untrusted environment or unauthorized party in which the data could be altered, copied or manipulated.
What is a software interrupt?
A signal that an event has occurred. An exception and a trap are the same as a software interrupt.
What kind of device does session-splicing attempt to evade?
A signature-based IDS. It is not a technique used to evade firewalls.
What is a service-oriented architecture?
A software design in which software components deliver information to other components over a network, such as an application programming interface (API) that allows software components to communicate and deliver data.
What is service-oriented architecture (SOA)?
A software design in which software components deliver information to other components over a network, such as an application programming interface (API) that provides programmatic access to a database backend, thus enabling developers to build client applications to retrieve data.
How would a web server that serves mostly PHP pages for the GNU Bash Shellshock vulnerability be black-box tested?
A specially crafted environment variable with trailing commands should be sent.
What does USBDumper do?
A spyware utility that silently copies files from a USB drive to a computer.
What is displayed when the SC QUERY command is issued without parameters?
Active services only.
Which of the following is a component of a risk assessment?
Administrative safeguards
When visiting a site using HTTPS what type of key is used to encrypt data after completion of the SSL handshake?
After completion of the SSL handshake, a symmetric session key is used to encrypt data.
How does a VM root-kit operate after it takes control?
After the root-kit migrates the OS into a VM, the root-kit silently loads at startup and hosts the guest OS without the user realizing the computer has been compromised.
nmap -A
Aggressive - Also does OS & port scanning, but in addition it does version detection, vulnerability scanning, and a traceroute. It also lists possible problems with each scanned port number.
What does the n-map -A parameter represent?
Aggressive scanning; no PING.
By default where does Snort log alerts to?
Alerts to /var/log/snort.
allintext: (google)
All query words must appear in the text of the page
You just set up a security system in your network. In what kind of system would you find the following string of characters used as a rule within its configuration? alert tcp any any -> 192.168.100.0/24 21 (msg: "FTP on the network!";)
An Intrusion Detection System
What is Heartbleed?
An OpenSSL vulnerability that allows an attacker to obtain 64Kb of information from a web server's memory at regular intervals.
What does segregation of duties accomplish?
An access control principle designed to create a system of checks and balance on employees who have privileged access, while least privilege requires that a user have no more access to a resource than what is required to do that user's job.
Passive Reconnaissance
An information gathering technique in penetration testing where the pentester uses tools and techniques that make detection of activity difficult. The information is gathered without the target's knowledge and usually consists of open, available, and legal-to-acquire sources.
Active Reconnaissance
An information gathering technique in penetration testing where the pentester uses tools and techniques that may or may not avoid detection, but put the attacker at risk of discovery (for example, injection of packets directly onto the wire or purposefully walking up to a locked door to attempt entry).
What is Metagoofil?
An information gathering tool written in Python which will perform a search in Google to extract metadata from public documents belonging to a target company.
What is a threat?
Any agent, condition, or circumstance that could potentially cause harm, loss, damage or compromise to an asset.
What is an asset?
Any item of economic value.
What is a Layer 2 Ethernet Broadcast Address?
Appears as a MAC address where all six groups are set to hex FF. It is sent to all network interface cards on a broadcast domain. Layer 2 broadcasts are sent to all nodes on a switch, but are not forwarded by routers.
How do add-on viruses operate?
Append their code to the host code without making any changes to the latter, or they relocate the host code to insert their own code at the beginning.
During a blackbox pen test you attempt to pass IRC traffic over port 80/TCP from a compromised web enabled host. The traffic gets blocked; however, outbound HTTP traffic is unimpeded. What type of firewall is inspecting outbound traffic?
Application
What is a Security Misconfiguration?
Applications and systems are often deployed with insecure default settings.
What occurs during the Implementation phase of Microsoft's SDL?
Approved tools are used; unsafe functions are deprecated; and static analysis is performed.
An ethical hacker for a large security research firm performs penetration tests, vulnerability tests, and risk assessments. A friend recently started a company and asks the hacker to perform a penetration test and vulnerability assessment of the new company as a favor. What should the hacker's next step be before starting work on this job?
Ask the employer for authorization to perform the work outside the company.
How do packet-filtering firewalls operate?
At OSI Layers 3 and 4, the Network and Transport layers, making filtering decisions based on the header information of each packet. Rules on these firewalls on based on ports numbers and inbound or outbound traffic.
When does the Payment Card Industry Data Security Standard (PCI-DSS) require organizations to perform external and internal penetration testing?
At least once a year and after any significant upgrade or modification
Question: 74 ETHER: Destination address : 0000BA5EBA11 ETHER: Source address : 00A0C9B05EBD ETHER: Frame Length : 1514 (0x05EA) ETHER: Ethernet Type : 0x0800 (IP) IP: Version = 4 (0x4) IP: Header Length = 20 (0x14) IP: Service Type = 0 (0x0) IP: Precedence = Routine IP: ...0.... = Normal Delay IP: ....0... = Normal Throughput IP: .....0.. = Normal Reliability IP: Total Length = 1500 (0x5DC) IP: Identification = 7652 (0x1DE4) IP: Flags Summary = 2 (0x2) IP: .......0 = Last fragment in datagram IP: ......1. = Cannot fragment datagram IP: Fragment Offset = 0 (0x0) bytes IP: Time to Live = 127 (0x7F) IP: Protocol = TCP - Transmission Control IP: Checksum = 0xC26D IP: Source Address = 10.0.0.2 IP: Destination Address = 10.0.1.201 TCP: Source Port = Hypertext Transfer Protocol TCP: Destination Port = 0x1A0B TCP: Sequence Number = 97517760 (0x5D000C0) TCP: Acknowledgement Number = 78544373 (0x4AE7DF5) TCP: Data Offset = 20 (0x14) TCP: Reserved = 0 (0x0000) TCP: Flags = 0x10 : .A.... TCP: ..0..... = No urgent data TCP: ...1.... = Acknowledgement field significant TCP: ....0... = No Push function TCP: .....0.. = No Reset TCP: ......0. = No Synchronize TCP: .......0 = No Fin TCP: Window = 28793 (0x7079) TCP: Checksum = 0x8F27 TCP: Urgent Pointer = 0 (0x0) An employee wants to defeat detection by a network-based IDS application. He does not want to attack the system containing the IDS application. Which of the following strategies can be used to defeat detection by a network-based IDS application?
B. Create a network tunnel
Question: 26 What does a type 3 code 13 represent?(Choose two
B. Destination unreachable D. Administratively prohibited
Question: 61 MX record priority increases as the number increases.(True/False.
B. False
Question: 20 The follows is an email header. What address is that of the true originator of the message? Return-Path: <[email protected]> Received: from smtp.com (fw.emumail.com [215.52.220.122]. by raq-221-181.ev1.net (8.10.2/8.10.2. with ESMTP id h78NIn404807 for <[email protected]>; Sat, 9 Aug 2003 18:18:50 -0500 Received: (qmail 12685 invoked from network.; 8 Aug 2003 23:25:25 -0000 Received: from ([19.25.19.10]. by smtp.com with SMTP Received: from unknown (HELO CHRISLAPTOP. (168.150.84.123. by localhost with SMTP; 8 Aug 2003 23:25:01 -0000 From: "Bill Gates" <[email protected]> To: "mikeg" <[email protected]> Subject: We need your help! Date: Fri, 8 Aug 2003 19:12:28 -0400 Message-ID: <51.32.123.21@CHRISLAPTOP> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----=_NextPart_000_0052_01C35DE1.03202950" X-Priority: 3 (Normal. X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.2627 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 Importance: Normal
C. 168.150.84.123
Question: 72 How does a denial-of-service attack work?
C. A hacker prevents a legitimate user (or group of users) from accessing a service
Question: 42 What do Trinoo, TFN2k, WinTrinoo, T-Sight, and Stracheldraht have in common?
C. All are DDOS tools
Question: 37 What flags are set in a X-MAS scan?(Choose all that apply.
C. FIN D. PSH F. URG
Question: 31 Which of the following is an automated vulnerability assessment tool.
C. Nessus
What does the Google string operator "cache:" do?
Cache: returns a cached version of the specified site.
What is the difference between AH being used in tunnel and transport mode?
Can be used in tunnel mode to sign the entire encapsulated packet. In transport mode signs the IP packet header, the authentication header and the IP payload.
What is the difference between AH being used in tunnel and transport mode?
Can be used in tunnel mode to sign the entire encapsulated packet. In transport mode signs the IP packet header; the authentication header; and the IP payload.
What would be a likely use for IKE-Scan?
Can be used to fingerprint VPN servers as it can discover, fingerprint and test IP Security VPN servers by using Internet Key Exchange. It is supported on Linux, UNIX, Mac and Windows.
To what attack is RSA particularly susceptible?
Chosen ciphertext attacks.
What firewall operates at Layer 5 of the OSI model?
Circuit level firewalls.
How many tiers exist in an N-Tier implementation?
Consists of three or more tiers. It is also known as a multi-tier architecture: a client-server application model in which processes are distributed among many computers, where each tier consists of a single role or function carried out by one or more computers.
It has been reported to you that someone has caused an information spillage on their computer. You go to the computer, disconnect it from the network, remove the keyboard and mouse, and power it down. What step in incident handling did you just complete?
Containment
A company's Web development team has become aware of a certain type of security vulnerability in their Web software. To mitigate the possibility of this vulnerability being exploited, the team wants to modify the software requirements to disallow users from entering HTML as input into their Web application. What kind of Web application vulnerability likely exists in their software?
Cross-site scripting vulnerability
Question: 59 One of your team members has asked you to analyze the following SOA record. What is the TTL? Rutgers.edu.SOA NS1.Rutgers.edu ipad.college.edu (200302028 3600 3600 604800 2400.
D. 2400
Question: 44 Which type of Nmap scan is the most reliable, but also the most visible, and likely to be picked up by and IDS?
D. Connect scan
Question: 50 What is Hunt used for?
D. Hunt is used to intercept traffic i.e. man-in-the-middle traffic
Question: 57 Pandora is used to attack __________ network operating systems.
D. Netware
What are the options form the PREFERENCES tab in Nessus?
Database Compliance Checks, Global Variable Settings and Cisco IOS Compliance.
What drop-down options can be selected from the Nessus Preferences tab?
Database Compliance Checks; Global Variable Settings; and CISCO IOS Compliance Checks.
Perspective clients want to see sample reports from previous penetration tests. What should you do next?
Decline but, provide references.
What is Dmitry?
Deepmagic Information Gathering Tool—is an open source *Nix command-line network scanner not related to Nmap.
What network security concept requires multiple layers of security controls to be placed throughout an IT infrastructure, which improves the security posture of an organization to defend against malicious attacks or potential vulnerabilities?
Defense in depth
Which security strategy requires using several, varying methods to protect IT systems against attacks?
Defense in depth
A medium-sized healthcare IT business decides to implement a risk management strategy. Which of the following is NOT one of the five basic responses to risk?
Delegate
What is IDS Session Splicing?
Delivers its payload over multiple packets, defeating simply pattern matching without session reconstruction.
What occurs during the Design phase of Microsoft's SDL?
Design requirements are established; attack surface analysis and reduction are performed; and threat modeling is used.
env x=`(){ :;};echo exploit` bash -c 'cat /etc/passwd' What is the Shellshock bash vulnerability attempting to do on an vulnerable Linux host?
Display passwd content to prompt
What type of server authentication does EAP-MD5 use?
Does not have server authentication.
The company ABC recently discovered that their new product was released by the opposition before their premiere. They contract an investigator who discovered that the maid threw away papers with confidential information about the new product and the opposition found it in the garbage. What is the name of the technique used by the opposition?
Dumpster diving
Which mode of IPSec should you use to assure security and confidentiality of data within the same LAN?
ESP transport mode
What does ESP transport?
ESP transports only the data payload.
What does ESP tunnel?
ESP tunnels the entire IP packet.
Why is difficult to block attacks by an attacker who keeps changing the proxy servers that are used to initiate the attack?
Each attack originates from a different IP address, so it is difficult, if not impossible, to block future attacks.
What is true regarding N-tier architecture?
Each tier can be modified independently of the others.
What are two tools that can be used to scan for wireless networks?
Either Kismet or NetStumbler. Kismet is the more powerful of the two and can also be used as an IDS. NetStumbler only runs on Windows.
What does a half-open scan achieve?
Elicits responses from a target host: regardless of whether the probed ports are open or closed.
How do employers protect assets with security policies pertaining to employee surveillance activities?
Employers provide employees written statements that clearly discuss the boundaries of monitoring activities and consequences.
What function does the Netcat -t flag perform?
Enables TELNET negotiation.
What is Bluebugging?
Enables an attacker to create a back door on a Bluetooth-enabled device, allowing the attacker to subsequently listen to conversations, forward calls and send text messages. BLOOOVER is a Bluebugging tool.
What is Bluesnarfing?
Enables an attacker to gain unauthorized access to information on a Bluetooth-enabled devices such as a user's contact list, text messages, email messages, and calendar.
........is an attack type for a rogue Wi-Fi access point that appears to be a legitimate one offered on the premises, but actually has been set up to eavesdrop on wireless communications. It is the wireless version of the phishing scam. An attacker fools wireless users into connecting a laptop or mobile phone to a tainted hot spot by posing as a legitimate provider. This type of attack may be used to steal the passwords of unsuspecting users by either snooping the communication link or by phishing, which involves setting up a fraudulent web site and luring people there. Fill in the blank with appropriate choice.
Evil Twin Attack
You've just been hired to perform a pen test on an organization that has been subjected to a largescale attack. The CIO is concerned with mitigating threats and vulnerabilities to totally eliminate risk. What is one of the first things you should do when given the job?
Explain to the CIO that you cannot eliminate all risk, but you will be able to reduce risk to acceptable levels.
What protocol does a sequence prediction attack use?
Exploits TCP as a connection-oriented protocol.
What is a Zero-Day Attack?
Exploits computer application vulnerabilities before the software developer has released a patch for the vulnerability.
What process is exploited by a Ping of Death attack?
Exploits the fragmentation and reassembly process on the target host by sending packets that exceed the RFC 791 maximum of 65,535 byte IP packet size.
How is a WinNuke attack executed?
Exploits the way certain TCP implementations process TCP packets with the URG flag set. The URG flag marks data that should be processed immediately upon receipt, instead of being queued up like regular TCP traffic.
What does FISH stand for?
Fibonacci Shrinking.
Directory Transversal
Finding a directory listing and gaining access to a parent or root file for access to other files
What is the way to decide how a packet will move from an untrusted outside host to a protected inside that is behind a firewall, which permits the hacker to determine which ports are open and if the packets can pass through the packet-filtering of the firewall.
Firewalking
How do shell viruses operate?
Forms a shell around the target host program's code, making itself the original program and the host program its sub-routine.
When you return to your desk after a lunch break, you notice a strange email in your inbox. The sender is someone you did business with recently, but the subject line has strange characters in it. What should you do?
Forward the message to your company's security response team and permanently delete the message from your computer.
What attack is specific to UDP?
Fraggle.
What is the Class A Address Range?
From 1 to 126.
What is the Class B Address Range?
From 128 to 191.
What is the Class C Address Range?
From 192 to 233.
Sophia travels a lot and worries that her laptop containing confidential documents might be stolen. What is the best protection that will work for her?
Full disk encryption.
It is a regulation that has a set of guidelines, which should be adhered to by anyone who handles any electronic medical data. These guidelines stipulate that all medical practices must ensure that all necessary measures are in place while saving, accessing, and sharing any electronic medical data to keep patient data secure. Which of the following regulations best matches the description?
HIPAA
Of the HTTP methods TRACE, DELETE, PUT, OPTIONS and CONNECT which would not be considered potentially risky by the n-map http-methods script?
HTTP OPTIONS.
What is a Layer 3 Limited Broadcast Address?
Has all eight bits in all four octets turned on.
What two conditions must a digital signature meet?
Has to be unforgeable, and has to be authentic.
Encrypted message steps?
Hash message body, encrypt hash with private key, encrypt message with recipient's public key.
A hacker has managed to gain access to a Linux host and stolen the password file from /etc/passwd. How can he use it?
He cannot read it because it is encrypted.
An attacker has installed a RAT on a host. The attacker wants to ensure that when a user attempts to go to "www.MyPersonalBank.com", that the user is directed to a phishing site. Which file does the attacker need to modify?
Hosts
What attribute is generally NOT analyzed during passive OS fingerprinting?
ICMP Echo Replies. This requires a ping to be sent.
You have successfully compromised a machine on the network and found a server that is alive on the same network. You tried to ping it but you didn't get any response back. What is happening?
ICMP could be disabled on the target server.
What kind of packet will HPING -1 send?
ICMP.
What is IDS Flooding?
IDS is overloaded with traffic, causing real data to get lost in the noise.
nmap -sO
IP protocol scan (major protocols like ICMP, TCP, UDP, IGMP, etc)
Why would you need to use a proxy server instead of IP spoofing for an interactive attack?
IP spoofing only works for individual packets. An interactive attack maintains an open channel of communication.
What protocols reside at the TCP/IP model's Internet layer?
IP, ICMP and ARP.
Which protocol is used for setting up secured channels between two devices, typically in VPNs?
IPSEC
Who owns OSSTMM?
ISECOM.
Which ISO standards are simply based on BS 7799?
ISO 17799, 27001 and ISO 27002.
Your company performs penetration tests and security assessments for small and medium-sized business in the local area. During a routine security assessment, you discover information that suggests your client is involved with human trafficking. What should you do?
Immediately stop work and contact the proper legal authorities.
How does NIST recommend that an administrator should maximize the number of vulnerabilities detected by a vulnerability scanner?
Implement vulnerability scanners from multiple vendors to maximize the number of vulnerabilities detected.
What is the difference between ESP Tunnel and Transport mode in IPSec?
In IPSEC it Tunnels the entire IP packet and Transports only the data payload.
In what type of password attack are all combinations of letters, numbers, and symbols used to discover a password?
In a brute-force attack, all combinations of letters, numbers and symbols are used to try and discover the password.
Which of these options is the most secure procedure for storing backup tapes?
In a climate controlled facility offsite
How are stacks organized?
In a last-in first-out structure.
In both pharming and phishing attacks an attacker can create websites that look similar to legitimate sites with the intent of collecting personal identifiable information from its victims. What is the difference between pharming and phishing attacks?
In a pharming attack a victim is redirected to a fake website by modifying their host configuration file or by exploiting vulnerabilities in DNS. In a phishing attack an attacker provides the victim with a URL that is either misspelled or looks similar to the actual websites domain name.
What is the process of logging, recording, and resolving events that take place in an organization?
Incident Management Process
Which vital role does the U.S. Computer Security Incident Response Team (CSIRT) provide?
Incident response services to any user, company, government agency, or organization in partnership with the Department of Homeland Security
What is the purpose of two hyphen characters (--) in Structured Query Language (SQL)?
Indicates a comment in SQL.
How does a multi-partite virus operate?
Infects a system's boot sector and executable files simultaneously.
How does a macro virus operate?
Infects files which have embedded macro languages: such as Visual Basic for Applications in MS Word or Excel.
How does a sparse infector virus operate?
Infects only occasionally, such as perhaps when every tenth program is executed, or only for files whose lengths fall within a narrow range.
Information about what is displayed when the SC QUERY command is issued without parameters on a Windows 2012 Server?
Information about ACTIVE SERVICES.
The Open Web Application Security Project (OWASP) is the worldwide not-for-profit charitable organization focused on improving the security of software. What item is the primary concern on OWASP's Top Ten Project Most Critical Web Application Security Risks?
Injection
What was Number 1 in O-WASP's Top 2013 security priorities?
Injection.
What occurs when an application accesses a resource without an appropriate authorization check?
Insecure Direct Object Reference.
What was Number 4 in OWASP's Top 2013 security priorities?
Insecure Direct Object References.
What are examples of a cross-site scripting (XSS) attack?
Inserting VBScript code in a form field on a website or using JavaScript code. A common XSS exploit is performed when an attacker inserts malicious script input into input fields on a web form. Server-side input validation can be used to mitigate XSS attacks performed on web forms.
Which of the following is assured by the use of a hash?
Integrity
What is not true regarding WebGoat?
It *does not* use white-box testing methods. It is black-box.
What does the PLUGINS tab in Nessus do?
It allows various plugins to be enabled or disabled.
What is the role of test automation in security testing?
It can accelerate benchmark tests and repeat them with a consistent test setup. But it cannot replace manual testing completely.
What is true regarding the SMB protocol?
It can be used to enable file and printer sharing without the need for NETBIOS port broadcasting and SMB uses TCP/UDP Port 445.
What is the CCS Injection Vulnerability?
It could enable an attacker to decrypt or modify traffic between a vulnerable server and a vulnerable client by using a MitM attack.
What is true of ESP when it is used in IPSec tunnel mode?
It encrypts the entire IP packet.
What is the best description of SQL Injection?
It is an attack used to gain unauthorized access to a database.
If an unusual amount of outbound traffic from TCP port 25 is being send from a variety of local hosts during off-peak hours what is the likely cause?
It is most likely that a local bot is sending spam to other networks.
What is the purpose of the DHCPDiscover message in IPv4?
It is the client broadcast to locate available DHCP servers.
What is the purpose of the TCP FIN flag?
It is the final data flag used during the four-step shutdown of a session.
Hack Value
It is the notion among hackers that something is worth doing or is interesting
What is true of AH when it is used in IPSec tunnel mode?
It provides authentication and integrity but not encryption for the encapsulated packet. Only ESP can provide encryption.
How does the Address Resolution Protocol (ARP) work?
It sends a request packet to all the network elements, asking for the MAC address from a specific IP.
What is true regarding a hybrid attack?
It substitutes numbers and characters in words to discover a password.
What is session token randomness?
Its unpredictability is a means of mitigating the impersonation of legitimate users by an attacker.
Which of the following is a passive wireless packet analyzer that works on Linux-based systems?
Kismet
Which of the following tools is used to detect wireless LANs using the 802.11a/b/g/n WLAN standards on a linux platform?
Kismet
What two VPN protocols operate at the Data Link layer of the OSI model?
L2TP and PPTP.
What is the difference between PEAP and LEAP?
LEAP is an older EAP implementation that used TKIP and WEP keys. PEAP uses PKI and TLS for authentication confidentiality.
Which type of EAP is vulnerable to a dictionary attack?
LEAP.
Which types of EAP are able to provide Dynamic Key Delivery?
LEAP; EAP-TLS; EAP-TTLS; and PEAP.
In Risk Management, how is the term "likelihood" related to the concept of "threat?"
Likelihood is the probability that a threat-source will exploit a vulnerability.
What port does Linux - Portmapper run on?
Linux Portmapper runs on Port 111.
What is Blue-Bugging?
Listening to conversations, forwarding calls and sending text messages from someone else's cell.
What function does the Netcat -L flag perform?
Listens for incoming connections.
What does the command ./snort -b -A fast -c snort.conf result in?
Log packets in binary or Tcpdump format; log only timestamp, alert message, source IP address and port, and destination IP address and port; run in NIDS mode and use the rules in the snort.conf file.
What does the '-A fast' option tell Snort to do?
Log: timestamp; alert message; source IP address and port; destination IP address and port.
What security protocol creates a 128-bit hash value based on variable-length plain text?
MD5.
In many states sending spam is illegal. Thus, the spammers have techniques to try and ensure that no one knows they sent the spam out to thousands of users at a time. Which of the following best describes what spammers use to hide the origin of these types of e-mails?
Mail relaying, which is a technique of bouncing e-mail from internal to external mails servers continuously.
What resource is most likely to be used when footprinting during a during a black-box penetration test?
Mailing list messages will normally be used.
An attacker attaches a rogue router in a network. He wants to redirect traffic to a LAN attached to his router as part of a man-in-the-middle attack. What measure on behalf of the legitimate admin can mitigate this attack?
Make sure that legitimate network routers are configured to run routing protocols with authentication.
Rebecca commonly sees an error on her Windows system that states that a Data Execution Prevention (DEP) error has taken place. Which of the following is most likely taking place?
Malicious code is attempting to execute instruction in a non-executable memory region.
Which tool allows analysts and pen testers to examine links between data using graphs and link analysis?
Maltego
What data access control model uses permissions that are determined by organizational policy and a user's need to know?
Mandatory access control.
viruses, worms, and malware
Many times these computers are connected to the Internet, so they receive emails with malicious attachments like ___
What is MALLOC( )?
Memory allocation in C.
You are performing information gathering for an important penetration test. You have found pdf, doc, and images in your objective. You decide to extract metadata from these files and analyze it. What tool will help you with the task?
Metagoofil
Which of the following is considered an exploit framework and has the ability to perform automated attacks on services, ports, applications and unpatched security flaws in a computer system?
Metasploit
Daisy-chaining
Method of connecting several devices along a bus and managing the signals for each device.
How does a cluster virus operate?
Modifies directory table entries so that it points users or system processes to the virus code instead of the actual program. There is only one copy of the virus on the disk, infecting all the programs in the computer system.
What does a protocol scan achieve?
Modifies the values of the IP protocol header field in order to determine which IP protocols are supported by the target host.
What is NBTSTAT?
NETBIOS over TCP; abbreviated NBT.
What is the access control principle that requires that a user have no access to information that is not required by that user regardless or rank, clearance or authorization?
Need-to-Know.
What is the availability of Nemesis and PackETH?
Nemesis is available on Windows and Linux, PackETH is Linux only.
What is a command-line tool that can generate ARP, Ethernet, TCP and UDP packets?
Nemesis.
Which of the following tools would be the best choice for achieving compliance with PCI Requirement 11?
Nessus
Due to a slow down of normal network operations, IT department decided to monitor internet traffic for all of the employees. From a legal stand point, what would be troublesome to take this kind of measure?
Not informing the employees that they are going to be monitored could be an invasion of privacy.
What response is Firewalk not likely to receive on a filtered port?
Not likely to receive a TTL expired in transit message on a filtered port.
nmap --randomize_hosts -O
OS fingerprinting
Which of the following is the structure designed to verify and authenticate the identity of individuals within the enterprise taking part in a data exchange?
PKI
What MitM attack exploits vulnerabilities in fallback mechanisms from TLS to SSL 3.0?
POODLE.
What protocols reside at the TCP/IP model's Network Access layer?
PPP and SLIP.
What DNS record translates an IP address to a host name?
PTR.
What is PTK?
Pairwise Transient Key.
What is the default order that Snort IDS rules are evaluated?
Pass; Drop; Alert, and Log.
What type of sniffing attack is typically used on networks containing hubs?
Passive.
This international organization regulates billions of transactions daily and provides security guidelines to protect personally identifiable information (PII). These security controls provide a baseline and prevent low-level hackers sometimes known as script kiddies from causing a data breach. Which of the following organizations is being described?
Payment Card Industry (PCI)
Which of the following guidelines or standards is associated with the credit card industry?
Payment Card Industry Data Security Standards (PCI DSS)
What is the TCP/IP model's Network Access layer responsible for?
Physical layer delivery.
Which of the following incident handling process phases is responsible for defining rules, collaborating human workforce, creating a back-up plan, and testing the plans for an organization?
Preparation phase
The Heartbleed bug was discovered in 2014 and is widely referred to under MITRE's Common Vulnerabilities and Exposures (CVE) as CVE-2014-0160. This bug affects the OpenSSL implementation of the transport layer security (TLS) protocols defined in RFC6520. What type of key does this bug leave exposed to the Internet making exploitation of any compromised system very easy?
Private
In an internal security audit, the white hat hacker gains control over a user account and attempts to acquire access to another account's confidential files and information. How can he achieve this?
Privilege Escalation
Which type of security document is written with specific step-by-step details?
Procedure
How is XSS best described?
Programming code that can be used to harvest cookies stored on a user's computer: occurs when a malicious user is able to inject code into the webpage of a legitimate company or user.
What is the purpose of the TCP ACK flag?
Provides acknowledgement of packets received.
What kind of packet will HPING -0 send?
Raw IP.
In which phase of the ethical hacking process can Google hacking be employed? This is a technique that involves manipulating a search string with specific operators to search for vulnerabilities.
Reconnaissance
Your team has won a contract to infiltrate an organization. The company wants to have the attack be as realistic as possible; therefore, they did not provide any information besides the company name. What should be the first step in security testing the client?
Reconnaissance
5 phases of hacking
Reconnaissance Scanning Gaining Access Maintaining Access Covering Tracks
Where does reconnaissance fall in the three-phase penetration testing model?
Reconnaissance is in the pre-attack phase. This is gathering of information about the target.
You are performing a penetration test. You achieved access via a buffer overflow exploit and you proceed to find interesting data, such as files with usernames and passwords. You find a hidden folder that has the administrator's bank account password and login information for the administrator's bitcoin account. What should you do?
Report immediately to the administrator
How does the OSSTMM define contractual compliance?
Requirements that are enforced by an industry or group.
What term describes the amount of risk that remains after the vulnerabilities are classified and the countermeasures have been deployed?
Residual risk
What does Ping -a do?
Resolves IP addresses to hostnames.
The establishment of a TCP connection involves a negotiation called 3 way handshake. What type of message sends the client to the server in order to begin this negotiation?
SYN
What two attacks DO NOT rely on ICMP messages to disable a target host?
SYN Floods and LAND attacks.
nmap -sS
SYN scanning (stealth scan). Also known as HALF-OPEN scanning. This is the default scan and the most common.
Which of the following is a protocol specifically designed for transporting event messages?
SYSLOG
Which United States legislation mandates that the Chief Executive Officer (CEO) and the Chief Financial Officer (CFO) must sign statements verifying the completeness and accuracy of financial reports?
Sarbanes-Oxley Act (SOX)
You're doing an internal security audit and you want to find out what ports are open on all the servers. What is the best way to find out?
Scan servers with Nmap
Cryptography is the practice and study of techniques for secure communication in the presence of third parties (called adversaries.) More generally, it is about constructing and analyzing protocols that overcome the influence of adversaries and that are related to various aspects in information security such as data confidentiality, data integrity, authentication, and non-repudiation. Modern cryptography intersects the disciplines of mathematics, computer science, and electrical engineering. Applications of cryptography include ATM cards, computer passwords, and electronic commerce. Basic example to understand how cryptography works is given below: SECURE (plain text) +1(+1 next letter, for example, the letter ""T"" is used for ""S"" to encrypt.) TFDVSF (encrypted text) +=logic=> Algorithm 1=Factor=> Key Which of the following choices is true about cryptography?
Secure Sockets Layer (SSL) use the asymmetric encryption both (public/private key pair) to deliver the shared session key and to achieve a communication way.
What was Number 5 in OWASP's Top 2013 security priorities?
Security Misconfiguration.
What occurs during the Requirements phase of Microsoft's SDL?
Security requirements are established; as are quality gates and bug bars; and security and privacy risk assessments are performed.
What is BlueJacking?
Sending unsolicited messages to someone else's cell phone via OBEX; SPIM.
To TRACEROUTE from a host to a target web server what types of packets should be sent?
Since many firewalls and routers are typically configured to drop ICMP Echo Request packets, TCP SYN packets and UDP packets should be used.
Which access control mechanism allows for multiple systems to use a central authentication server (CAS) that permits users to authenticate once and gain access to multiple systems?
Single sign-on
Of trusted third party cross-certification bridge and single-sign on which is not a federated identity management model?
Single-sign on.
Of trusted third party cross-certification bridge and single-sign on which is not a federated identity management model?
Single-sign on—or SSO.
What does the Google string operator "site:" do?
Site: limits the search results to the specified site.
Which of the following is a low-tech way of gaining unauthorized access to systems?
Social Engineering
Ricardo wants to send secret messages to a competitor company. To secure these messages, he uses a technique of hiding a secret message within an ordinary message. The technique provides 'security through obscurity'. What technique is Ricardo using?
Steganography
Which are faster: stream or block ciphers?
Stream.
As a Certified Ethical Hacker, you were contracted by a private firm to conduct an external security assessment through penetration testing. What document describes the specifics of the testing, the associated violations, and essentially protects both the organization's interest and your liabilities as a tester?
Terms of Engagement
What command would be used at the Windows command prompt to configure the Windows built-in firewall?
The "netsh firewall" command would be used.
What command would be used at the Windows command prompt to add a route?
The "route add" command would be used.
Which phase of penetration testing involves acquiring the target?
The Attack Phase.
What Burp Suite feature would you use if you wanted to perform a customized brute-force attack?
The Burp Suite intruder tool.
What plan focuses on the restoration of specific IT services?
The Disaster Recovery Plan.
Of the HTTP methods TRACE DELETE PUT OPTIONS and CONNECT which would not be considered potentially risky by the n-map http-methods script?
The HTTP OPTIONS method.
What HTTP method could enable an attacker to use a web server as an unauthorized file repository?
The HTTP PUT command enables HTTP clients to update a file on a target system.
What Burp Suite feature is used to perform a customized brute-force attack?
The Intruder Tool.
What Burp Suite feature would be used for a customized brute-force attack?
The Intruder tool.
What HTTP method is not considered potentially risky when identified by the n-map http-methods script?
The OPTIONS method.
What encryption algorithm is WEP based upon?
The RC4 symmetric encryption algorithm, which is designed to provide randomness.
What is the purpose of the TCP SYN flag?
The TCP SYN flag establishes synchronization for the session and sets the Initial Sequence Number (ISN).
Which step in NIST SP 800-30 determines whether any flaws or weaknesses might exist in a company's systems policies, or procedures?
The Vulnerability Identification step.
Describe privilege escalation in the context an attack scenario.
The act of leveraging a bug or vulnerability in an application or operating system to gain access to resources that normally would have been protected from the average user.
What is Confidentiality?
The assurance that information is accessible only to those authorized to have access.
What occurs in privilege escalation?
The attacker finds a flaw that allows the attacker to run the application with more privileges than normal.
In a web-server MitM attack what does the client receive?
The attacker's public key.
Into which compliance category does the Open Source Security Testing Methodology Manual place the Payment Card Industry Data Security Standard?
The contractual compliance category, which deals with requirements that are enforced by an industry or group.
In steganography what is a Stego-Object?
The cover medium with the embedded hidden message.
Functionality
The degree to which a system performs its intended function
How is the Common Criteria Security Target (ST) best described?
The documentation for a system or product that is to be tested.
What is Common Criteria Security Target?
The documentation for the system or product that is to be tested.
An IT employee got a call from one of our best customers. The caller wanted to know about the company's network infrastructure, systems, and team. New opportunities of integration are in sight for both company and customer. What should this employee do?
The employee should not provide any information without previous management authorization.
During a SYN FLOOD attack what is the host left waiting for?
The final ACK segment.
What do the first three bytes or 24 bits of MAC address entail?
The first half is the Organizational Unit Identifier (OUI) which is assigned by the IEEE.
A penetration tester is conducting a port scan on a specific host. The tester found several ports opened that were confusing in concluding the Operating System (OS) version installed. Considering the NMAP result below, which of the following is likely to be installed on the target machine by the OS? Starting NMAP 5.21 at 2011-03-15 11:06 NMAP scan report for 172.16.40.65 Host is up (1.00s latency). Not shown: 993 closed ports PORT STATE SERVICE 21/tcp open ftp 23/tcp open telnet 80/tcp open http 139/tcp open netbios-ssn 515/tcp open 631/tcp open ipp 9100/tcp open MAC Address: 00:00:48:0D:EE:8
The host is likely a printer. Internet Printing Protocol (IPP) uses port 631.
What does the i p . src display filter show in Wireshark?
The i p . src display filter specifies a source IP address or network in Wireshark.
Why was Wired Equivalent Privacy developed?
The initial attempt to provide wireless networks with the same privacy as wired networks.
The "white box testing" methodology enforces what kind of restriction?
The internal operation of a system is completely known to the tester.
In steganography what is the Stego-Algorithm?
The method used to accomplish steganographic embedding of the hidden message in the cover medium.
An incident investigator asks to receive a copy of the event logs from all firewalls, proxy servers, and Intrusion Detection Systems (IDS) on the network of an organization that has experienced a possible breach of security. When the investigator attempts to correlate the information in all of the logs, the sequence of many of the logged events do not match up. What is the most likely cause?
The network devices are not all synchronized.
What authentication mechanism expands all passwords to 14 characters, converts them to uppercase, splits them into two separate seven-character strings, and then hashes each string independently?
The original Lan Manager authentication method found in early versions of Windows, such as Win95 and Win98.
What is a Payload?
The part of exploit code that performs the intended malicious action.
What process or step in an Advanced Persistent Threat attack involves the installation of a back door?
The persistent step.
Port scanning can be used as part of a technical assessment to determine network vulnerabilities. The TCP XMAS scan is used to identify listening ports on the targeted system. If a scanned port is open, what happens?
The port will ignore the packets.
What is session splicing?
The process of delivering pieces of payload by using multiple packets. This enables the attack to effectively evade pattern-based IDS detection techniques.
What is the benefit of performing an unannounced Penetration Testing?
The tester will have an actual security posture visibility of the target network.
What is true regarding SOAP messages?
These are typically one-way transmissions compatible with HTTP and SMTP; encrypted with HTTPS and formatted with XML.
What is true of circuit-level firewalls?
These operate at the Session Layer, or Layer 5 of the OSI Model. Instead of inspecting individual packets these firewalls listen for session requests and either permit or deny those requests.
What do RC4, FISH, SKIPJACK and SEAL all have in common?
They are all stream ciphers.
What do AES, DES, 3DES, IDEA and BLOWFISH all have in common?
They are all symmetric block ciphers.
What two statements are true regarding active sniffing attacks?
They are easier to detect than passive sniffing attacks and they are typically used on networks with switches attached.
What is true about IDS devices?
They do not sit inline with network traffic and they can send alerts.
How would an attack in which a flaw in an application is exploited to bypass its security best be described?
This is a privilege escalation attack.
Bob received this text message on his mobile phone: ""Hello, this is Scott Smelby from the Yahoo Bank. Kindly contact me for a vital transaction on: [email protected]"". Which statement below is true?
This is a scam as everybody can get a @yahoo address, not the Yahoo customer service employees.
What are two true statements regarding port scanning attacks?
This is an attempt to access a computer through an open port and also an attempt to determine whether vulnerabilities exist on the computers on the network.
What does SC QUERY STATE = ALL indicate?
This is the command in Windows Server 2012 to display active and inactive services. SC.EXE is "Service Control" - a command line tool to manage services.
What is the purpose of the TCP R S T flag?
To close an abnormal session.
For a port scanner sending a TCP XMAS packet to port 80 and has the packets discarded by a remote host not behind a firewall IDS or IPS what does this response indicate?
This means that the port is open. The packet is discarded by the remote host—no response is received—because it is considered to be 'out of state' per the TCP protocol standard.
What is CMMI Level I?
This refers to an immature organization or process.
What is CMMI Level 5?
This refers to an organization actively engaged in ongoing Process Improvement.
What does the C++ statement for ( ; i < 50 ; i++ ) indicate?
This snippet of code indicates that the for loop will execute 49 times before it ends.
What is an Insecure Direct Object Reference?
This type of flaw occurs when an application references an internal object without an appropriate access control or privilege check.
It is an entity or event with the potential to adversely impact a system through unauthorized access, destruction, disclosure, denial of service or modification of data. Which of the following terms best matches the definition?
Threat
How is threat best described?
Threat is best described as the frequency of a potential negative event.
What occurs during the design phase of the MS Security Development Lifecycle?
Threat modeling; design requirements; attack surface analysis and reduction.
What is defined as the frequency of potentially adverse events?
Threat.
What risk equation component is frequency of potentially adverse events?
Threat.
What type of authentication includes a smart card a PIN and a biometric scan?
Three factor.
Jesse receives an email with an attachment labeled "Court_Notice_21206.zip". Inside the zip file is a file named "Court_Notice_21206.docx.exe" disguised as a word document. Upon execution, a window appears stating, "This word document is corrupt." In the background, the file copies itself to Jesse APPDATA\local directory and begins to beacon to a C2 server to download additional malicious binaries. What type of malware has Jesse encountered?
Trojan
What does Ping -f do?
Turns on the Don't Fragment flag.
What is the ICMP response message for a closed protocol on an Nmap scan?
Type 3 Code 2.
NTP
UDP 123 (sometimes TCP but defaults to UDP)
SNMP
UDP 161. SNMPv3 is secure (authentication & encryption). You can further secure it with IP filtering: only allow the Admin's IP to talk to this port on the target device.
Syslog
UDP 514
What Unicode Transformation Format is ASCII compatible?
UTF-8
What quarterly scans must be conducted IAW with PCI DSS Requirement 11?
Unauthorized WAP detection and internal and external vulnerability scans.
What service operates on TCP/UDP Port 17?
Unix "Quote of the Day".
In order to have an anonymous Internet surf, which of the following is best choice?
Use Tor network with multi-node
Your company was hired by a small healthcare provider to perform a technical assessment on the network. What is the best approach for discovering vulnerabilities on a Windows-based computer?
Use a scan tool like Nessus
While using your bank's online servicing you notice the following string in the URL bar: "http://www.MyPersonalBank.com/account?id=368940911028389&Damount=10980&Camount=21 " You observe that if you modify the Damount & Camount values and submit the request, that data on the web page reflect the changes. Which type of vulnerability is present on this site?
Web Parameter Tampering
Misconfiguration
Web server, DB, etc.
Which Open Web Application Security Project (OWASP) implements a web application full of known vulnerabilities?
WebGoat
How does an XSS attack occur?
When a malicious user is able to inject code into the web page of a legitimate company or user setting.
What is Cross-Site Scripting?
When a malicious user is able to inject code into the webpage of a legitimate company or user.
What is IDS Evasion?
When an IDS discards the packet that is accepted by the host it is addressed to.
In steganalysis what is Known-Message?
When both the Stego-Object and Cover-Medium are available for comparison.
Session splicing is an IDS evasion technique in which an attacker delivers data in multiple, small sized packets to the target computer, making it very difficult for an IDS to detect the attack signatures. Which tool can be used to perform session splicing attacks?
Whisker
What does a TCP CONNECT scan achieve?
Will elicit responses from a target host if ports are open or closed, but unlike a half-open scan, it is less discreet and thus easier to detect.
What OS does not respond to ICMP Echo Request (ping) messages that are directed to network or broadcast addresses?
Windows OSes. Microsoft's implementation of RFC 1122 configures its TCP/IP stacks to drop ping packets not directed to a host IP address.
What are the options from the CREDENTIALS tab in Nessus?
Windows, SSH, Kerberos and Cleartext.
In 2007, this wireless security algorithm was rendered useless by capturing packets and discovering the passkey in a matter of seconds. This security flaw led to a network invasion of TJ Maxx and data theft through a technique known as wardriving. Which Algorithm is this referring to?
Wired Equivalent Privacy (WEP)
The purpose of a __________ is to deny network access to local area networks and other information assets by unauthorized wireless devices.
Wireless Intrusion Prevention System
The network administrator contacts you and tells you that she noticed the temperature on the internal wireless router increases by more than 20% during weekend hours when the office was closed. She asks you to investigate the issue because she is busy dealing with a big conference and she doesn't have time to perform the task. What tool can you use to view the network traffic being sent and received by the wireless router?
Wireshark
You want to analyze packets on your wireless network. Which program would you use?
Wireshark with Airpcap
SOAP services use which technology to format information?
XML
What are common vulnerabilities of web applications?
XSS, buffer overflows and cookie manipulation.
nmap -sX
Xmas scan sets Fin, Urg, and Psh, although some utilities turn ALL 6 flags on! Know these 3 scans!
How do you determine which addresses are subnet addresses?
You must first determine what address range is used for each range for each subnet.
Botnet
a network of private computers infected with malicious software and controlled as a group without the owners' knowledge, e.g., to send spam messages.
Advanced Persistent Threat (APT)
a sophisticated, possibly long-running computer hack that is perpetrated by large, well-funded organizations such as governments
3. Social engineering can be thwarted using what kinds of controls? a. technical b. administrative c. physical d. proactive controls
a. b. c. - technical, admistrastic and physical. Technolgy alone cannot stop the impact of social engineering and must be accompanied by other mechanisms as well, such as eduation. The strongest defense against social engineering tends to be proper training and education.
6. Social engineering is designed to____? a. manipulate human behavior b. make people distrustful c. infect a system d. gain a physical advantage
a. manipulate human behavior. Social engineering is designed to exploit human nature with the intention of gaining information.
8. Which mechanism can be used to influence a targeted individual? a. means of dress or appearance b. technological controls c. physical controls d. training
a. means of dress or appearance. appearance can easily impact the opinion that an individual or a group has about someone. The other options here are types of countermeasures used to stop physical attacks.
2. Training and education of end uers can be used to prevent? a. phishing b. tailgating/piggybacking c. session hijacking d. wireshark
a. phishing and b. tailgating/piggybacking. Training and edcuation are specifically used to prevent the practice of tailgating or piggybacking. Attacks such as session hijacking can't be prevented through training and education of end users.
1. Phishing takes place using ____? a. instant messaging b. email c. websites d. piggybacking
b. email. Phishing is performed using email to entice the target to provide info of a sensitive nature.
17. Human beings tend to follow set patterns and behaviors known as ____? a. repetition b. habits c. primacy d. piggybacking
b. habits. Habits are set patterns of behavior that individuals tend to follow or revert to frequently.
18. When talking to a victim, using _____ can make an attack easier. a. eye contact b. keywords c. jargon d. threats
b. keywords. Using keywords or buzzwords can make a victim believe the attacker is in the know about how a company works.
16. Social engineering can be used to carry out email campaigns known as ______? a. spamming b. phishing c. vishing d. splashing
b. phishing. Phishing is a social engineering attack designed to gather information from victims using email.
12. Jason receives notices that he has unauthorized charges on his credit card account. What type of attack is Jason a victim of? a. social engineering b. phishing c. identify theft d. bad luck
c. identify theft. This attack is most likely the result of identify theft, and while we don't know exactly how it was stolen, candidates include phishing, social engineering, keyloggers, or Trojan horses.
20. Jason notices that he is receiving mail, phone calls, and other requests for information. He has also noticed some problems with his credit checks such as bad debts and loans he did not participate in. What type of attack did Jason become a victim of? a. social engineering b. phishing c. identity theft d. bad luck
c. identity theft. This attack is most likely a result of identity theft. The information to carry out this attack may have been obtained through the use of techniques such as phishing or social engineering. However, those techniques can be used for other attacks as well and not just identify theft.
15. In social engineering a proxy is used to ____? a. assist in scanning b. perform a scan c. keep an attackers origin hidden d. automate the discovery of vulnerabilities
c. keep an attackers origin hidden. An attacker could keep their activities masked and covered up to prevent themselves from being discovered.
Payload
component of an attack that performs the intended malicious action,
14. What is a vulnerability scan designed to provide to those executing it? a. a way to find open ports b. a way to diagram a network c. a proxy attack d. a way to reveal vulnerabilities
d. a way to reveal vulnerabilities. a vulnerability scan is designed to pick up weaknesses in a system. Such scans are typically automated.
What C library function performs bounds checking on its input?
f-gets() is the C library function that performs bounds checking on its input. Bounds checking is a methodology used to verify that input from a data stream does not exceed the size of an available buffer as C and C++ are particularly vulnerable to buffer overflow attacks.
This phase will increase the odds of success in later phases of the penetration test. It is also the very first step in Information Gathering, and it will tell you what the "landscape" looks like. What is the most important phase of ethical hacking in which you need to spend a considerable amount of time?
footprinting
https://www.exploit-db.com/google-hacking-database/
google hacking DB
related: (google)
google lists similar websites
site: (google)
google only searches in this site
info: (google)
google returns info about the site
When you are getting information about a web server, it is very important to know the HTTP Methods (GET, POST, HEAD, PUT, DELETE, TRACE) that are available because there are two critical methods (PUT and DELETE). PUT can upload a file to the server and DELETE can delete a file from the server. You can detect all these methods (GET, POST, HEAD, PUT, DELETE, TRACE) using NMAP script engine. What nmap script will help you with this task?
http-methods
app to mirror website
httrack on Kali
What Google search string operator will return only URLs that have a particular string of text in their titles such as exposed directory listings on a web server?
intitle.
What Google search string operator will locate exposed directory listings on web servers?
intitle:
To find a webpage named EMPLOYEE DIRECTORY on the website EXAMPLE.COM what Google search string would be used?
intitle:"employee directory" site:example.com.
Which Metasploit Framework tool can help penetration tester for evading Anti-virus Systems?
msfencode
You have successfully comprised a server having an IP address of 10.10.0.5. You would like to enumerate all machines in the same network quickly. What is the best nmap command you will use?
nmap -T4 -F 10.10.0.0/24
Which of the following Nmap commands will produce the following output? Output: Starting Nmap 6.47 (http://nmap.org ) at 2015-05-26 12:50 EDT Nmap scan report for 192.168.1.1 Host is up (0.00042s latency). Not shown: 65530 open|filtered ports, 65529 filtered ports PORT STATE SERVICE 111/tcp open rpcbind 999/tcp open garcon 1017/tcp open unknown 1021/tcp open exp1 1023/tcp open netvenuechat 2049/tcp open nfs 17501/tcp open unknown 111/udp open rpcbind 123/udp open ntp 137/udp open netbios-ns 2049/udp open nfs 5353/udp open zeroconf 17501/udp open|filtered unknown 51857/udp open|filtered unknown 54358/udp open|filtered unknown 56228/udp open|filtered unknown 57598/udp open|filtered unknown 59488/udp open|filtered unknown 60027/udp open|filtered unknown
nmap -sS -sU -Pn -p 1-65535 192.168.1.1
Which of the following will perform an Xmas scan using NMAP?
nmap -sX 192.168.1.254
Of Queso, Xprobe, p0f and Nmap which is a passive OS fingerprinting tool?
p0f does not send traffic host in order to generate a response. Instead, it relies on techniques such as packet sniffing. Queso is obsolete.
Normal scan timing
parallel scan
Aggressive scan timing
parallel scan & 300 sec timeout & 1.25 sec/probe
Insane scan timing
parallel scan & 75 sec timeout & 0.3 sec/probe
Cyber terrorism
politically motivated attacks on information systems
nmap -p
port range. For example, NMAP -sT -p 1-1024 10.0.0.0 /8 will scan the whole 10 network for ports 1 through 1024.
The configuration allows a wired or wireless network interface controller to pass all traffic it receives to the central processing unit (CPU), rather than passing only the frames that the controller is intended to receive. Which of the following is being described?
promiscuous mode
netcraft.com
recon site
ext: (google)
search for a file type
Paranoid scan timing
serial scan & 300 sec wait
Polite scan timing
serialize scans & 0.4 sec wait
Sneaky scan timing
serialize scans & 15 sec wait
When you are collecting information to perform a data analysis, Google commands are very useful to find sensitive information and files. These files may contain information about passwords, system functions, or documentation. What command will help you to search files using Google as a search engine?
site: target.com filetype:xls username password email
Vulnerability
susceptibility to an attack
You are a Network Security Officer. You have two machines. The first machine (192.168.0.99) has snort installed, and the second machine (192.168.0.150) has kiwi syslog installed. You perform a syn scan in your network, and you notice that kiwi syslog is not receiving the alert message from snort. You decide to run wireshark in the snort machine to check if the messages are going to the kiwi syslog machine. What wireshark filter will show the connections from the snort machine to kiwi syslog machine?
tcp.dstport==514 && ip.dst==192.168.0.150
As an Ethical Hacker you are capturing traffic from your customer network with Wireshark and you need to find and verify just SMTP traffic. What command in Wireshark will help you to find this kind of traffic?
tcp.port eq 25
Which of the following is a command line packet analyzer similar to GUI-based Wireshark?
tcpdump
Which of the following tools can be used for passive OS fingerprinting?
tcpdump
Which of the following tools is used to analyze the files produced by several packet-capture programs such as tcpdump, WinDump, Wireshark, and EtherPeek?
tcptrace
Footprinting
the process of systematically identifying the network and its security posture (usually a passive process)
metagoofil
tool to harvest pdfs and doc from a website
To hijack a session by predicting the next session ID token and modifying the packets
what would be the best tool to use?,Burp Suite. Although it could be accomplished with Wireshark, additional tools and more time would be required to accomplish the same goal.
Nation-state threat actors often discover vulnerabilities and hold on to them until they want to launch a sophisticated attack. The Stuxnet attack was an unprecedented style of attack because it used four types of vulnerability. What is this style of attack called?
zero-day
What kind of passwords can John the Ripper NOT crack?
Cisco VPN client passwords.
Which of these is capable of searching for and locating rogue access points?
WIPS
What kind of attack is phishing considered to be?
A computer-based social engineering attack.
What is a "True Negative" state on an IDS?
An alarm was not generated, and no condition was present to generate it.
What penetration testing method simulates an attack by an insider?
Gray-box—or partial-knowledge testing.
What Diffie-Hellman group uses a 1536-bit Modulus?
Group 5.
What is 2 the 9th power?
512.
What are the four basic stages of security assessment according to NIST 800-42?
1. Planning; 2. Discovery; 3. Attack; 4. Reporting.
Diffie-Hellman Group 2?
1024-bit modulus.
What is 2 to the 10th power?
1024.
What is 2 to the 7th power?
128.
How many hosts does Class A support?
16,777,214 hosts.
What is 2 to the 4th power?
16.
How does XOR work?
2 XOR unequal 1; 2 XOR equal 0.
How many networks can the Class C Address Range support?
2,097,152 networks.
What is 2 to the 1st power?
2.
FTP port
20, 21
FTP
20,21
Diffie-Hellman Group 14?
2048-bit modulus.
What size modulus does Diffie-Hellman Group 14 use?
2048-bit.
SSH
22
SMTP
25
How many hosts can the Class C Address Range support?
254 hosts.
What is 2 to the 8th power?
256.
What is 2 to the 5th power?
32.
RDP
3389
LDAP
389
What is 2 to the 2nd power?
4.
Diffie-Hellman Group 16?
4096-bit modulus.
HTTPS
443
You have successfully gained access to your client's internal network and successfully comprised a Linux server which is part of the internal IP network. You want to know which Microsoft Windows workstations have file sharing enabled. Which port would you see listening on these Windows machines in the network?
445
How long is a MAC address?
48 bits or 6 bytes long and is expressed in hexadecimal.
What is the size of the initialization vector in WPA?
48-bit.
Who are the parties generally responsible for data breaches?
55.28% by malicious outsiders; 24.08% through accidental loss; 16.07% by malicious insiders; State-sponsored organizations account for 3.44% and 1.13% can be attributed to hacktivists.
Diffie-Hellman Group 17?
6144-bit modulus.
What is 2 to the 6th power?
64.
When issuing the command nmap -sS 10.-2.9.- what will occur?
A stealth scan on the 10.0.9.0/24 10.1.9.0/24 and 10.2.9.0/24 networks.
What provides a one-to-one relationship between a public and private IP address and is used to route packets?
A static NAT entry.
Which statement best describes a server type under an N-tier architecture?
A group of servers with a unique role
What is another way to described a Layer 3 Directed Address?
A Layer Directed address is a subnet broadcast, which is routable.
What is Libwhisker?
A Perl module that supports IDS evasion techniques, such as session splicing. Some web vulnerability scanners, such as Nikto, rely on Libwhisker for session splicing functionality.
What was FITARA?
A bill intended to change the framework that determines how the U.S. government purchases technology. It did not become law but many of its provisions were included in the 2015 NDAA.
What is the difference between a hybrid attack and a dictionary attack?
A hybrid attack uses a list of words, but substitutes numbers and symbols and symbols for some characters; a dictionary attack relies only upon a list of unmodified words.
What is Netcat?
A network utility that send and receive arbitrary data on TCP/IP networks. It is issued at the command line as nc.
What type of firewall operates primarily at Network Layer 3?
A packet-filtering firewall.
What type of firewall operates primarily at the Network Layer or Layer 3 of the OSI model?
A packet-filtering firewall.
Port Scanning
A series of messages sent by someone attempting to break into a computer to learn about the computer's network services.
What is Firewalk?
A tool that is used to determine what ports are filtered by a gateway firewall. It manipulates TTL values so that packets expire one hop after the firewall.
What is the same as a back door?
A trap door.
What is Ike-scan?
A utility that can discover, fingerprint and test IPSec VPN servers using Internet Key Exchange. Runs on Linux, UNIX, Mac and Windows.
What is a vulnerability?
A weakness in the system design, implementation, software or code, or other mechanism.
What is WebGoat?
A web application that uses black-box testing methods.
What is WebGoat?
A web testing application that has been deliberately insecure so that users can practice exploiting security vulnerabilities in web applications.
Script kiddie
A(n) ____ is an amateur hacker that simply uses the hacking tools that have been developed by others. a. cracker c. script kiddie b. reverse engineer d. Trojan horse
Question: 28 Which of the following Nmap commands would be used to perform a stack fingerprinting?
A. Nmap -O -p80 <host(s.>
Question: 56 Under what conditions does a secondary name server request a zone transfer from a primary name server?
A. When a primary SOA is higher that a secondary SOA
When discussing passwords, what is considered a brute force attack?
A. You attempt every single possibility until you exhaust all possible combinations or discover the password
Question: 55 What does white box examing mean?
A. You have full knowledge of the environment
Symmetric Block Ciphers?
AES, DES, 3DES, IDEA and BLOWFISH.
Question: 60 One of your team members has asked you to analyze the following SOA record. What is the version? Rutgers.edu.SOA NS1.Rutgers.edu ipad.college.edu (200302028 3600 3600 604800 2400.
A. 200303028
Question: 18 When worsheets with Windows systems, what is the RID of the true administrator account?
A. 500
Question: 39 When worsheets with Windows systems, what is the RID of the true administrator account?
A. 500
Question: 38 What is a NULL scan?
A. A scan in which all flags are turned off
Question: 15 Which of the following statements about a zone transfer correct?(Choose three.
A. A zone transfer is accomplished with the DNS C. A zone transfer passes all zone information that a DNS server maintains E. A zone transfer can be prevented by blocsheets all inbound TCP port 53 connections
Question: 47 What is Form Scalpel used for?
A. Dissecting HTML Forms
Question: 71 This kind of password cracsheets method uses word lists in combination with numbers and special characters:
A. Hybrid
What are the two OSSTMM control classes?
A. Interactive and B. Process.
Question: 7 Which of the following are well know password-cracsheets programs?(Choose all that apply.
A. L0phtcrack E. John the Ripper
Several of your co-workers are having a discussion over the etc/passwd file. They are at odds over what types of encryption are used to secure Linux passwords.(Choose all that apply).
A. Linux passwords can be encrypted with MD5 C. Linux passwords can be encrypted with DES D. Linux passwords can be encrypted with Blowfish
Question: 29 Name two software tools used for OS guessing.(Choose two.
A. Nmap C. Queso
This tool is an 802.11 WEP and WPA-PSK keys cracking program that can recover keys once enough data packets have been captured. It implements the standard FMS attack along with some optimizations like KoreK attacks, as well as the PTW attack, thus making the attack much faster compared to other WEP cracking tools. Which of the following tools is being described?
Aircrack-ng
What is another name for Layer 2 Network Address Filtering?
Also known as MAC filtering.
What attack is most likely to occur as a result of a trust relationship?
An ARP spoofing attack, which is a technique in which spoofed ARP packets enable an attacker to associate a legitimate IP address on a given LAN with the attacker's own MAC address.
In what attack scenario are zombies used to send a large number of ICMP Echo Request packets toward a target computer?
An ICMP Flood Attack.
What is a closed protocol ICMP response?
An ICMP Type 3 Code 2 response message: "Protocol Unreachable". Other Type 3 code messages would indicate either a filtered or open and filtered protocol to an Nmap scan.
What ICMP attack uses bots or zombies?
An ICMP flood attack.
What device may SSL prevent from functioning correctly?
An IDS: since the packets are encrypted the IDS cannot read them.
What type of border device is a fragmentation attack designed to avoid?
An IDS—Intrusion Detection System—by breaking apart malicious session data into multiple fragments in order to exploit the reassembly process on the IDS: sending the attack data slowly, leveraging session timeouts between fragments to avoid detection.
What occurs when an application accesses a resource without an appropriate authorization check?
An Insecure Direct Object Reference.
What is designed to access a network acquire data and continue to monitor the network in secret?
An advanced persistent threat attack.
What is a "True Positive" state on an IDS?
An alarm was generated, and a condition was present to generate it.
What is a "False Positive" state on an IDS?
An alarm was generated, and no condition was present to generate it.
What is a "False Negative" state on an IDS?
An alarm was not generated, and a condition was present to generate it.
What is Diffie-Hellman?
An asymmetric encryption protocol that is used to exchange security keys between two parties who have no previous communications between them.
What is the CCS Injection vulnerability?
An attacker can decrypt or modify traffic between a server and a client using a MitM attack.
How would an attacker evade an IDS configured to match a directory-traversal pattern?
An attacker would encode the directory-traversal portion of the URL in UTF-8.
Todd has been asked by the security officer to purchase a counter-based authentication system. Which of the following best describes this type of system?
An authentication system that creates one-time passwords that are encrypted with secret keys.
What occurs during the Release phase of Microsoft's SDL?
An incident response plan is created; a final security review is conducted; release is certified and archiving is accomplished.
What is a Connection String Parameter Pollution attack?
An injection attack that takes advantage of web applications which communicate with database by using semicolons to separate each parameter.
What is an Injection Flaw?
An injection flaw enables an attacker to send information to a target system that could reveal sensitive information.
What is a pointer?
An object whose value denotes the address in memory of some other object.
What is Nikto?
An open-source web server scanner that tests for dangerous files, outdated software, and other web server vulnerabilities.
If scanning an employee's computer in the United States finding what would require immediately contacting law enforcement?
An outbound email message selling credit card numbers or child pornography.
Attempting an injection attack on a web server based on responses to True/False questions is called which of the following?
Blind SQLi
If executives are found liable for not properly protecting their company's assets and information systems, what type of law would apply in this situation?
Civil
Question: 58 ____________ will let you assume a users identity at a dynamically generated web page or site.
D. The shell attack
Question: 65 What is the following command used for? net use \targetipc$ "" /u:""
D. This command is used to connect as a null session
What is the purpose of a business continuity plan?
Contains procedures that should be performed in the event of disaster. It also includes the order in which procedures should be implemented—essential business functions and services should be restored first.
Question: 53 What ports should be blocked on the firewall to prevent NetBIOS traffic from not coming through the firewall if your network is comprised of Windows NT, 2000, and XP?(Choose all that apply.
B. 135 C. 139 E. 445
Question: 25 Which of the following ICMP message types are used for destinations unreachables?
B. 3
Question: 49 Which of the following ICMP message types are used for destinations unreachables?
B. 3
Question: 14 While footprinting a network, what port/service should you look for to attempt a zone transfer?
B. 53 TCP
Question: 10 Your lab partner is trying to find out more information about a competitors web site. The site has a .com extension. She has decided to use some online whois tools and look in one of the regional Internet registrys. Which one would you suggest she looks in first?
B. ARIN
Question: 24 What are two things that are possible when scanning UDP ports?(Choose two.
B. An ICMP message will be returned E. Nothing
Question: 69 Which of the following are potential attacks on cryptography? (Select 3)
B. Chosen-Ciphertext Attack C. Man-in-the-Middle Attack E. Replay Attack
Sniffing is considered an active attack?
B. False
Question: 8 Password cracsheets programs reverse the hashing process to recover passwords.(True/False
B. False : Explanation: Password cracsheets programs do not reverse the hashing process. Hashing is a one-way process. What these programs can do is to encrypt words, phrases, and characters using the same encryption process and compare them to the original password. A hashed match reveals the true password
Question: 70 When Nmap performs a ping sweep, which of the following sets of requests does it send to the target device?
B. ICMP ECHO_REQUEST & TCP ACK
What is the name of the software tool used to crack a single account on Netware Servers using a dictionary attack?
B. NWPCrack
Question: 22 Which of the following Nmap commands would be used to perform a UDP scan of the lower 1024 ports?
B. Nmap -hU <host(s.>
Question: 30 What are the six types of social engineering?(Choose six
B. Reciprocation C. Social Validation D. Commitment E. Friendship F. Scarcity G. Authority
QUESTION NO: 45 _________ is a tool that can hide processes from the process list, can hide files, registry entries, and intercept keystrokes.
B. RootKit
Question: 12 According to the CEH methodology, what is the next step to be performed after footprinting?
B. Scanning
How can you determine if an LM hash you extracted contains a password that is less than 8 characters long?
B. The right most portion of the hash is always the same
Question: 17 Which of the following tools are used for enumeration?(Choose three.
B. USER2SID D. SID2USER E. DumpSec
Question: 54 What does black box examing mean?
B. You have no knowledge of the environment
How does a stateful firewall make decisions on how to allow or deny traffic?
Based on previous packets that have been sent.
What configuration management task involves the monitoring of security configuration changes over time?
Baselining.
What are the options from the GENERAL SETTINGS tab in Nessus?
Basic, Port Scanning, Performance and Advanced.
What are three well known browser exploit kits?
Blackhole, Redkit and Neutrino.
Which methods are least likely to mitigate social engineering attacks?
Blocking workplace access to social networking sites only narrows the time window for social engineering attacks, because users will just access them from home and enforcing complex password requirements are thwarted by social engineering because users are unwittingly tricked into revealing those passwords to an attacker.
Which of the following is not a Bluetooth attack?
Bluedriving
It is a short-range wireless communication technology intended to replace the cables connecting portable of fixed devices while maintaining high levels of security. It allows mobile phones, computers and other devices to connect and communicate using a short-range wireless connection. Which of the following terms best matches the definition?
Bluetooth
Which type of security feature stops vehicles from crashing through the doors of a building?
Bollards
What common ports and protocols might a router use?
Border Gateway Protocol on TCP Port 179; DHCP on UDP Ports 67 and 68; and Network Time Protocol on UDP Port 123.
A hacker has successfully infected an internet-facing server which he will then use to send junk mail, take part in coordinated attacks, or host junk email content. Which sort of trojan infects this server?
Botnet Trojan
What kind of security vulnerability occurs when an application accesses a resource without an appropriate authorization check?
Broken Authentication and Session Management Describes.
#!/usr/bin/python import socket buffer=["A"] counter=50 while len(buffer)<=100: buffer.apend ("A"*counter) counter=counter+50 commands=["HELP","STATS.","RTIME.","LTIME.","SRUN.","TRUN.","GMON.","GDOG.","KSTET.", "GTER.","HTER.","LTER.","KSTAN."] for command in commands: for buffstring in buffer: print "Exploiting" +command+":"+str(len(buffstring)) s=socket.socket(socket.AF_INET.socket.SOCK_STREAM) s.connect(('127.0.0.1',9999)) s.recv(50) s.send(command+buffstring) s.close() What is the code written for?
Buffer Overflow
When you are testing a web application, it is very useful to employ a proxy tool to save every request and response. You can manually test every request and analyze the response to find vulnerabilities. You can test parameter and headers manually to get more precise results than if using web vulnerability scanners. What proxy tool will help you find web vulnerabilities?
Burpsuite
How does a file virus operate?
By infecting files which are executed in, or interpreted by the system. The can be either non-resident-direct action, or memory-resident.
How does a boot sector virus operate?
By moving the MBR to another location on the hard disk and copying itself to the original location of the MBR. When the system boots, the virus code is executed first and then control is passed to the original MBR.
What compliance category does OSSTMM place PCI DSS?
Contractual, because the requirements are enforced by and industry or group.
Into which compliance category does OSSTMM place PCI DSS?
Contractual.
"PTR" record
Converts IP to NAME
"A" record
Converts NAME to IP
Which of the following programming languages is most susceptible to buffer overflow attacks, due to its lack of a built-in-bounds checking mechanism? Code: #include <string.h> int main(){ char buffer[8]; strcpy(buffer, ""11111111111111111111111111111""); } Output: Segmentation faul
C#
Which of the following ensures that updates to policies, procedures, and configurations are made in a controlled and documented fashion?
Change management
How do file extension viruses operate?
Changes the extensions of files, taking advantage of file extensions hidden by the OS to run their malicious code.
Question: 75 1 172.16.1.254 (172.16.1.254) 0.724 ms 3.285 ms 0.613 ms 2 ip68-98-176-1.nv.nv.cox.net (68.98.176.1) 12.169 ms 14.958 ms 13.416 ms 3 ip68-98-176-1.nv.nv.cox.net (68.98.176.1) 13.948 ms ip68-100-0-1.nv.nv.cox.net (68.100.0.1) 16.743 ms 16.207 ms 4 ip68-100-0-137.nv.nv.cox.net (68.100.0.137) 17.324 ms 13.933 ms 20.938 ms 5 68.1.1.4 (68.1.1.4) 12.439 ms 220.166 ms 204.170 ms 6 so-6-0-0.gar2.wdc1.Level3.net (67.29.170.1) 16.177 ms 25.943 ms 14.104 ms 7 unknown.Level3.net (209.247.9.173) 14.227 ms 17.553 ms 15.415 ms 8 so-0-1-0.bbr1.NewYork1.level3.net (64.159.1.41) 17.063 ms 20.960 ms 19.512 ms 9 so-7-0-0.gar1.NewYork1.Level3.net (64.159.1.182) 20.334 ms 19.440 ms 17.938 ms 10 so-4-0-0.edge1.NewYork1.Level3.net (209.244.17.74) 27.526 ms 18.317 ms 21.202 ms 11 uunet-level3-oc48.NewYork1.Level3.net (209.244.160.12) 21.411 ms 19.133 ms 18.830 ms 12 0.so-6-0-0.XL1.NYC4.ALTER.NET (152.63.21.78) 21.203 ms 22.670 ms 20.111 ms 13 0.so-2-0-0.TL1.NYC8.ALTER.NET (152.63.0.153) 30.929 ms 24.858 ms 23.108 ms 14 0.so-4-1-0.TL1.ATL5.ALTER.NET (152.63.10.129) 37.894 ms 33.244 ms 33.910 ms 15 0.so-7-0-0.XL1.MIA4.ALTER.NET (152.63.86.189) 51.165 ms 49.935 ms 49.466 ms 16 0.so-3-0-0.XR1.MIA4.ALTER.NET (152.63.101.41) 50.937 ms 49.005 ms 51.055 ms 17 117.ATM6-0.GW5.MIA1.ALTER.NET (152.63.82.73) 51.897 ms 50.280 ms 53.647 ms 18 target-gw1.customer.alter.net (65.195.239.14) 51.921 ms 51.571 ms 56.855 ms 19 www.target.com <http://www.target.com/> (65.195.239.22) 52.191 ms 52.571 ms 56.855 ms 20 www.target.com <http://www.target.com/> (65.195.239.22) 53.561 ms 54.121 ms 58.333 ms You perform the above traceroute and notice that hops 19 and 20 both show the same IP address. This probably indicates what?
C. A stateful inspection firewall
Question: 51 ________ is an automated vulnerability assessment tool.
C. Nessus
Question: 68 Ethereal works best on ____________.
C. Networks using hubs
Question: 64 What are the default passwords used by SNMP?(Choose two.)
C. Private E. Public
Question: 9 What does the following command achieve? Telnet <IP Address> <Port 80> HEAD /HTTP/1.0 <Return> <Return>
C. This command returns the banner of the website specified by IP address
Question: 21 What is the tool Firewalk used for?
C. To determine what rules are in place for a firewall
Question: 41 802.11b is considered a ________________protocol.
C. Unsecure
Which service in a PKI will vouch for the identity of an individual or company?
CA
What are some examples of symmetric ciphers?
CAST, TWO-FISH, BLOWFISH, RC4, SERPENTS and RIJNDAEL are all symmetric ciphers.
What is the integrity method used by WPA2?
CCMP.
What service operates on TCP/UDP Port 19?
CHARGEN.
You've gained physical access to a Windows 2008 R2 server which has an accessible disc drive. When you attempt to boot the server and log in, you are unable to guess the password. In your tool kit you have an Ubuntu 9.10 Linux LiveCD. Which Linux based tool has the ability to change any user's password or to activate disabled Windows accounts?
CHNTPW
What web vulnerability is mitigated by a web server configured to send random challenge tokens?
CSRF attacks.
What vulnerability can be mitigated by configuring a web server to send random challenge tokens?
CSRF.
What actions can be performed with Cain & Abel?
Can crack passwords; Re-cord and extract VoIP conversations; Capture and de-crypt RDP traffic; Collect server certs and prepare them for MitM attacks; Detect W-LANs; and much more.
What type of supplicant authentication does EAP-TTLS use?
Can use PAP, CHAP, or MS-CHAP for supplicant authentication.
What kind of supplicant authentication does PEAP use?
Can use any kind of supplicant authentication that any version of EAP uses: a password hash; a smart card token; a public key certificate; or PAP, CHAP, or MS-CHAP.
What kind of supplicant authentication does EAP-TLS use?
Can use either a smart-card token or a public key certificate for supplicant authentication.
Scenario: Victim opens the attacker's web site. Attacker sets up a web site which contains interesting and attractive content like 'Do you want to make $1000 in a day?'. Victim clicks to the interesting and attractive content url. Attacker creates a transparent 'iframe' in front of the url which victim attempt to click, so victim thinks that he/she clicks to the 'Do you want to make $1000 in a day?' url but actually he/she clicks to the content or url that exists in the transparent 'iframe' which is setup by the attacker. What is the name of the attack which is mentioned in the scenario?
ClickJacking Attack
What is the purpose of the DHCPInform message in IPv4?
Client to server asking only for local configuration parameters; client already has external configured network address.
What is the purpose of the DHCPRequest message in IPv4?
Client to server either: requesting offered parameters; confirming correctness of previously allocated address, or extending the lease period.
What is the purpose of the DCHPDecline message in IPv4?
Client to server indicating network address is already in use.
What is the purpose of the DHCPRelease message in IPv4?
Client to server relinquishing network address and canceling remaining lease.
An XMAS scan that receives a RST packet from an unfiltered remote host indicates a closed or open port?
Closed.
What can be implemented to separate data ownership from the data custodian?
Cloud computing can be implemented.
What is a "Collision attack" in cryptography?
Collision attacks try to find two inputs producing the same hash.
What is a hybrid attack?
Combines elements of a brute-force attack and a dictionary attack.
What is the TCP/IP model's Application layer responsible for?
Communication with applications.
What PCI DSS requirement would require the use of a vulnerability scanner such as Nessus?
Companies must regularly test security systems and processes: quarterly external vulnerability scans and annual penetration tests; these tests must also be performed after any significant change is made to the network.
How does XOR, or Exclusive Or, Operate?
Compares two bits. If they are different, the result is 1. If they are the same, the result is 0.
What OSSTMM control ensures that only participants have knowledge of an asset?
Confidentiality ensures only participants have knowledge.
CIA
Confidentiality, integrity, and availability. These three form the security triad. Confidentiality helps prevent the unauthorized disclosure of data. Integrity provides assurances that data has not been modified, tampered with, or corrupted. Availability indicates that data and services are available when needed.
What is a good way to mitigate IP spoofing attacks?
Configure an encrypted VPN.
What does the n-map -P0 parameter configure n-map to do?
Configures n-map to scan hosts that do not respond to ICMP pings.
What is the TCP/IP model's Host-to-Host layer responsible for?
Connection-oriented and connectionless communication.
While performing online banking using a Web browser, a user receives an email that contains a link to an interesting Web site. When the user clicks on the link, another Web browser session starts and displays a video of cats playing a piano. The next business day, the user receives what looks like an email from his bank, indicating that his bank account has been accessed from a foreign country. The email asks the user to call his bank and verify the authorization of a funds transfer that took place. What Web browser-based security vulnerability was exploited to compromise the user?
Cross-Site Request Forgery
What vulnerability can be mitigated by configuring a web server to send random challenge tokens?
Cross-Site Request Forgery attacks can be mitigated by configuring a web server to send random challenge tokens.
What are two drop-down options that can be selected from the Preferences tab when creating a new policy in Nessus 5.2?
Global Variable Settings and Database Compliance Checks.
What is reconnaissance?
The first pre-attack phase in which the hacker seeks to find out as much information as possible about the victim.
Question: 19 Why would you consider sending an email to an address that you know does not exist within the company you are performing a Penetration Exam for?
D. To illicit a response back that will reveal information about email servers and how they treat undeliverable mail
Jason's Web server was attacked by a trojan virus. He runs protocol analyzer and notices that the Trojan communicates to a remote server on the Internet. Shown below is the standard "hexdump" representation of the network packet, before being decoded. Jason wants to identify the trojan by loosheets at the destination port number and mapping to a trojan-port number database on the Internet. Identify the remote server's port number by decoding the packet?
D. Port 6667 (Net-Devil Trojan)
Question: 27 Destination unreachable administratively prohibited messages can inform the hacker to what?
D. That a router or other packet-filtering device is blocsheets traffic
Question: 43 You find the following entries in your web log. Each shows attempted access to either root.exe or cmd.exe. What caused this? GET /scripts/root.exe?/c+dir GET /MSADC/root.exe?/c+dir GET /c/winnt/system32/cmd.exe?/c+dir GET /d/winnt/system32/cmd.exe?/c+dir GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir GET /msadc/..%5c../..%5c../..%5c/..xc1x1c../..xc1x1c../..xc1x1c../winnt/system32/cmd.exe?/c+dir GET /scripts/..xc1x1c../winnt/system32/cmd.exe?/c+dir GET /scripts/..xc0/../winnt/system32/cmd.exe?/c+dir GET /scripts/..xc0xaf../winnt/system32/cmd.exe?/c+dir GET /scripts/..xc1x9c../winnt/system32/cmd.exe?/c+dir GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir
D. Nimda
Question: 48 What is a primary advantage a hacker gains by using encryption or programs such as Loki?
D. IDS systems are unable to decrypt it
Question: 23 Which of the following Netcat commands would be used to perform a UDP scan of the lower 1024 ports?
D. Netcat -u -v -w2 <host> 1-1024
Question: 13 NSLookup is a good tool to use to gain additional information about a target network. What does the following command accomplish? nslookup > server <ipaddress> > set type =any > ls -d <target.com>
D. Performs a zone transfer
Question: 16 What did the following commands determine? C: user2sid \earth guest S-1-5-21-343818398-789336058-1343024091-501 C:sid2user 5 21 343818398 789336058 1343024091 500 Name is Joe Domain is EARTH
D. That the true administrator is Joe
Asymmetric Ciphers?
DIFFIE-HELLMAN, EL GALMAL, RSA, ECC, KNAPSACK and DSA.
What is another name for cache poisoning?
DNS Spoofing, also known as pharming.
An attacker is trying to redirect the traffic of a small office. That office is using their own mail server, DNS server and NTP server because of the importance of their job. The attacker gains access to the DNS server and redirects the direction www.google.com to his own IP address. Now when the employees of the office want to go to Google they are being redirected to the attacker machine. What is the name of this kind of attack?
DNS spoofing
What is also known as cache poisoning?
DNS spoofing.
What is another name for cache poisoning?
DNS spoofing.
_________ is a set of extensions to DNS that provide to DNS clients (resolvers) origin authentication of DNS data to reduce the threat of DNS poisoning, spoofing, and similar attacks types.
DNSSEC
What is the SQL command to delete a table in a database?
DROP TABLE.
What mechanism can session splicing exploit to evade an IDS?
Data fragmentation.
What is the TCP/IP model's Internet layer responsible for?
Delivery of data, error and diagnostics, and address resolution.
How does a DHCP starvation attack work?
Denial-of-service attack on DHCP servers where an attacker broadcasts forged DHCP requests and tries to lease all of the DHCP addresses available in the DHCP scope.
What is the purpose of a single quote (') character in SQL (Structured Query Language)?
Denotes a character string in Structured Query Language commands.
What purpose does that at sign (@) serve in SQL code?
Denotes a variable in SQL code.
What address translation method uses a many-to-many mapping?
Dynamic NAT uses a pool of adresses. PAT uses a many-to-one mapping: one external address to many internal.
What is Bluejacking?
Enables an attacker to send unsolicited messages to Bluetooth-enabled devices using the Object EXchange (OBEX) communications protocol. Bluejacking does not steal data; it only sends data.
What are the five most common types of wireless implementations of the Extensible Authentication Protocol, or EAP?
EAP-MD5; LEAP, or CISCO Lightweight EAP; EAP-TLS; or EAP with Tunneled TLS, abbreviated EAP-TTLS; and PEAP or Protected EAP.
How can cloud computing accomplish the security principle of separation of duties?
Enables the cloud provider to assume the role of data custodian or the one responsible for access to the data, thus separating that duty from that of the data owner, or the one designated as accountable for the data.
You have successfully gained access to a linux server and would like to ensure that the succeeding outgoing traffic from this server will not be caught by a Network Based Intrusion Detection Systems (NIDS). What is the best way to evade the NIDS?
Encryption
What occurs when ESP is used in IPSec tunnel mode: does it encrypt only the IP payload or the entire IP packet?
Encrypts the entire IP packet and not just the IP—or data—payload.
Whats the end goal of social engineering attacks?
End goal = is for the victim to drop their guard or for the attacker to gain enough information to better coordinate and plan a later attack.
What are two methods least likely to mitigate social engineering attacks?
Enforcing complex passwords and blocking workplace access to social networking sites.
What is error checking?
Ensures that buffers receive the type and amount of information required.
In steganography what is a Hidden-Message?
Essentially the equivalent of the data payload in steganography. It is what steganography hides in the cover medium.
Which of the following statements regarding ethical hacking is incorrect?
Ethical hackers should never use tools or methods that have the potential of exploiting vulnerabilities in an organization's systems.
How does a stealth virus operate?
Evades anti-virus software by intercepting the AV software's request to read an infected file, instead passing the request tothe virus versus the OS.
How do SQL Injection attacks work?
Exploits vulnerable code by inputting SQL syntax into fields that were not intended to receive such inputs.
What is EBP?
Extended Base Pointer in hex memory management.
What is EIP?
Extended Information Pointer in hex memory management.
What is ESP?
Extended Stack Pointer in hex memory management or Encapsulating Security Protocol in IP Security.
What is Daisy Chaining?
Gaining access to one network or computer, and then using these as a springboard to gain access to multiple networks and computers that contain desirable information.
Question: 34 What is the proper response for a FIN scan if the port is open?
F. No response
Question: 36 What is the proper response for a X-MAS scan if the port is open?
F. No response
Question: 40 What is the proper response for a NULL scan if the port is open?
F. No response
nmap -sF
FIN
Of FREAK; Heartbleed; POODLE and CCS Injection; which can be used in a MitM attack to force the downgrade of an RSA key to a weaker length?
FREAK enables an attacker to force a user to a weaker encryption key length; thus enabling the attacker to use brute force to decrypt messages sent between a vulnerable server and a vulnerable client.
What protocols reside at the TCP/IP model's Application layer?
FTP, SNMP, Telnet, HTTP, SMTP, DNS and SSH.
A network administrator discovers several unknown files in the root directory of his Linux FTP server. One of the files is a tarball, two are shell script files, and the third is a binary file is named "nc." The FTP server's access logs show that the anonymous user account logged in to the server, uploaded the files, and extracted the contents of the tarball and ran the script using a function provided by the FTP server's software. The ps command shows that the nc file is running as process, and the netstat command shows the nc process is listening on a network port. What kind of vulnerability must be present to make this remote attack possible?
File system permissions
The security concept of "separation of duties" is most similar to the operation of which type of security device?
Firewall
In WPA-Enterprise, what type of authentication is used?
Generally TACACS or RADIUS.
An attacker is using nmap to do a ping sweep and a port scanning in a subnet of 254 addresses. In which order should he perform these steps?
First the ping sweep to identify live hosts and then the port scan on the live hosts. This way he saves time.
What is Broken Authentication and Session Management?
Flaws in authentication and session management systems that enable attackers to compromise passwords, encryption keys or session tokens.
What are the three primary IDS avoidance techniques?
Flooding; Evasion; and Session Splicing.
A certified ethical hacker (CEH) completed a penetration test of the main headquarters of a company almost two months ago, but has yet to get paid. The customer is suffering from financial problems, and the CEH is worried that the company will go out of business and end up not paying. What actions should the CEH take?
Follow proper legal procedures against the company to request payment.
To determine if a software program properly handles a wide range of invalid input, a form of automated testing can be used to randomly generate invalid input in an attempt to crash the program. What term is commonly used when referring to this type of testing?
Fuzzing
Sid is a judge for a programming contest. Before the code reaches him it goes through a restricted OS and is tested there. If it passes, then it moves onto Sid. What is this middle step called?
Fuzzy-testing the code
What is the G++ switch that compiles to an executable file?
G++ -o.
What is the format of a web request from a browser to a web server?
GET / HTTP / 1.1.
What is the format of a web request from a browser to a web server?
GET / HTTP/ 1.1.
What HTTP methods are not considered risky by the n-map http-method script?
GET HEAD and POST.
What law protects the confidentiality and integrity of personal information that is collected by financial institutions and requires those institutions to disclose their privacy practices to their customers?
GLBA.
What service operates on TCP Port 70?
GOPHER.
You have several plain-text firewall logs that you must review to evaluate network traffic. You know that in order to do fast, efficient searches of the logs you must use regular expressions. Which command-line utility are you most likely to use?
GREP
What is BlueSnarfing?
Gaining access to contacts, texts, emails and calendars on somebody else's cell phone.
The network in ABC company is using the network address 192.168.1.64 with mask 255.255.255.192. In the network the servers are in the addresses 192.168.1.122, 192.168.1.123 and 192.168.1.124. An attacker is trying to find those servers but he cannot see them in his scanning. The command he is using is: nmap 192.168.1.64/28. Why he cannot see the servers?
He is scanning from 192.168.1.64 to 192.168.1.78 because of the mask /28 and the servers are not in that range.
Email uses nmap to scan two hosts using this command. nmap -sS -T4 -O 192.168.99.1 192.168.99.7 He receives this output: Nmap scan report for 192.168.99.1 Host is up (0.00082s latency). Not shown: 994 filtered ports PORT STATE SERVICE 21/tcp open ftp 23/tcp open telnet 53/tcp open domain 80/tcp open http 161/tcp closed snmp MAC Address: B0:75:D5:33:57:74 (ZTE) Device type: general purpose Running: Linux 2.6.X OS CPE: cpe:/o:linux:linux_kernel:2.6 OS details: Linux 2.6.9 - 2.6.33 Network Distance: 1 hop Nmap scan report for 192.168.99.7 Host is up (0.000047s latency). All 1000 scanned ports on 192.168.99.7 are closed Too many fingerprints match this host to give specific OS details Network Distance: 0 hops What is his conclusion?
He performed a SYN scan and OS scan on hosts 192.168.99.1 and 192.168.99.7.
An attacker with access to the inside network of a small company launches a successful STP manipulation attack. What will he do next?
He will create a SPAN entry on the spoofed root bridge and redirect traffic to his computer.
Which of the following is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet.
Heartbleed Bug
What OpenSSL vulnerability could allow an attacker to obtain roughly 64Kb of information form a web server's memory at regular intervals?
Heartbleed.
Which of the following is the least-likely physical characteristic to be used in biometric control that supports a large company?
Height and Weight
Which ISO standard is based on BS 7799 and is focused on security governance?
ISO 27001.
Which ISO standard is focused on security governance?
ISO 27001.
What security standard recommends security *controls* based on industry based practices?
ISO 27002.
As a risk equation component, how is "Vulnerability" understood?
Identified as the percentage of likelihood--or probability--that execution of a threat will be successful.
What does n-map -traceroute indicate?
Identifies path taken by a packet towards its destination.
What Google search string operate will find directory listings on web servers?
Intitle:
You have compromised a server and successfully gained a root access. You want to pivot and pass traffic undetected over the network and evade any possible Intrusion Detection System. What is the best approach?
Install Cryptcat and encrypt outgoing packets from this server.
An enterprise recently moved to a new office and the new neighborhood is a little risky. The CEO wants to monitor the physical perimeter and the entrance doors 24 hours. What is the best option to do this job?
Install a CCTV with cameras pointing to the entrance doors and the street.
An attacker gains access to a Web server's database and displays the contents of the table that holds all of the names, passwords, and other user information. The attacker did this by entering information into the Web site's user login page that the software's designers did not expect to be entered. This is an example of what kind of software design problem?
Insufficient input validation
Seth is starting a penetration test from inside the network. He hasn't been given any information about the network. What type of test is he conducting?
Internal Whitebox
What two tests must be conducted quarterly to maintain compliance with PCI DSS Requirement 11?
Internal and external vulnerability scans and unauthorized WAP detection.
What protocols use TCP Port 631?
Internet Printing Protocol and the Common UNIX Printing System.
What does the Google string operator "intext:" do?
Intext: limits the search results to only sites with matching text in their bodies.
In cryptanalysis and computer security, 'pass the hash' is a hacking technique that allows an attacker to authenticate to a remote server/service by using the underlying NTLM and/or LanMan hash of a user's password, instead of requiring the associated plaintext password as is normally the case. Metasploit Framework has a module for this technique: psexec. The psexec module is often used by penetration testers to obtain access to a given system that you already know the credentials for. It was written by sysinternals and has been integrated within the framework. Often as penetration testers, successfully gain access to a system through some exploit, use meterpreter to grab the passwords or other methods like fgdump, pwdump, or cachedump and then utilize rainbowtables to crack those hash values. Which of the following is true hash type and sort order that is using in the psexec module's 'smbpass'?
LM:NT
What function does the Netcat -e flag perform?
Launches a program after a connection is made.
What is one of the actions that can be performed with the Abel half of the Cain & Abel utility?
Launching a system shell on a remote computer.
Sniffers operate on Layer
Layer 2 of the OSI model
What are the three types of compliance that the Open Source Security Testing Methodology Manual (OSSTMM) recognizes?
Legislative, contractual, standards based
Which tier in the N-tier application architecture is responsible for moving and processing data between the tiers?
Logic tier
What are two activities considered to be part of passive information gathering?
Looking at DNS records and reading a company's job postings.
Between AES, RC5, SHA-1 and MD5, which of these are hashing algorithms, and which are block ciphers?
MD5 and SHA-1 are hashing algorithms, while RC5 and AES are both block ciphers.
What service runs on TCP Ports 1433 and 1434?
MS-SQL runs on TCP Ports 1433 and 1434.
What OS has the greatest difficulty collecting 802.11 management and control packets in monitor mode?
Many wireless network adapters and drivers on Windows do not support monitor mode so they cannot capture 802.11 management packets control packets or header information.
Under the "Post-attack Phase and Activities", it is the responsibility of the tester to restore the systems to a pre-test state. Which of the following activities should not be included in this phase? (see exhibit)
Mapping of network state
What does the grep metacharacter "^" mean?
Match only the beginning of the line.
XOR?
Matching bits=0; different bits=1.
Which of the following parameters describe LM Hash (see exhibit):
Maximum password length is 14 characters No distinctions between upper and lowercase Simple algorithm so 10,000,000 hashes can be generated per second
What are the primary and alternate forms of expressing the risk equation?
May be expressed as Risk = Threat times Vulnerability (R = T x V) or Risk = Threat times Vulnerability times Cost (R = T x V x C).
Which of the following describes the characteristics of a Boot Sector Virus?
Moves the MBR to another location on the hard disk and copies itself to the original location of the MBR
How does a polymorphic virus operate?
Mutates so that no parts stay the same from infection to infection.
What n-map parameter is used to disable DNS resolution?
N-map -n. N-map -R means always perform DNS resolution.
What is the n-map command for NULL scan of a target host?
N-map -sN.
What is the n-map command for a protocol scan of a target host?
N-map -sO.
What is the n-map command for a half-open scan of a target host?
N-map -sS.
What is the n-map command for TCP CONNECT scan of a target host?
N-map -sT.
What will be the response to the command n-map 10.10.10.10?
N-map will report TCP port information about the specified address.
What occurs when N-map is issued with the -p- parameter?
N-map will scan ports 1 through 65535 (all).
What are the five most common firewall technologies?
NAT; packet filtering; stateful packet inspection; proxy servers; bastion hosts; and DMZ.
Using Windows CMD, how would an attacker list all the shares to which the current user context has access?
NET USE
What directive catalogs security and privacy controls for federal information systems with the exception of those related to national security?
NIST 800-53.
nmap -sN
NULL
In order to determine whether traffic to TCP Port 25 from a single wired MS Windows host is legitimate; of Wireshark; Netstat; Kismet and Netstumbler which will provide the most specific information with the least amount of administrative overhead?
Netstat will provide the most specific information with the least amount of administrative overhead. Wireshark will require more administrative overhead, while both Kismet and NetStumbler are for wireless networks.
Between Kismet and Netstumbler which is the more limited?
Netstumbler only works on Windows, and cannot detect wireless traffic on 802.11n or 802.11ac networks. Kismet works on MacOS and Linux, and can detect traffic on all types of 802.11 networks.
A large mobile telephony and data network operator has a data that houses network elements. These are essentially large computers running on Linux. The perimeter of the data center is secured with firewalls and IPS systems. What is the best security policy concerning this setup?
Network elements must be hardened with user ids and strong passwords. Regular security tests and audits should be performed.
You are the Systems Administrator for a large corporate organization. You need to monitor all network traffic on your local network for suspicious activities and receive notifications when an attack is occurring. Which tool would allow you to accomplish this goal?
Network-based IDS
Which Intrusion Detection System is best applicable for large environments where critical assets on the network need extra security and is ideal for observing sensitive network segments?
Network-based intrusion detection system (NIDS)
Which of the following tools performs comprehensive tests against web servers, including dangerous files and CGIs?
Nikto
Of Havij; SQL Ninja; Nikto; SQL Injector; Absinthe; and Pangolin; which is not an SQL injection tool?
Nikto is an open-source web server scanner.
Can a bastion host be used to protect hosts on a LAN from external networks?
No.
Does Aircrack-ng use a rainbow table to crack WEP keys?
No.
What are three process controls in the OSSTMM?
Nonrepudiation, confidentiality and alarm.
In IPSec when is AH not used with ESP?
Not used typically with ESP in tunnel mode because ESP encrypts the IP headers.
In IPSec when is AH not used with ESP?
Not used typically with in tunnel mode because ESP encrypts the IP headers.
Your next door neighbor, that you do not get along with, is having issues with their network, so he yells to his spouse the network's SSID and password and you hear them both clearly. What do you do with this information?
Nothing, but suggest to him to change the network's SSID and password.
A computer technician is using a new version of a word processing software package when it is discovered that a special sequence of characters causes the entire computer to crash. The technician researches the bug and discovers that no one else experienced the problem. What is the appropriate next step?
Notify the vendor of the bug and do not disclose it until the vendor gets a chance to issue a fix.
A well-intentioned researcher discovers a vulnerability on the web site of a major corporation. What should he do?
Notify the web site owner so that corrective action be taken as soon as possible to patch the vulnerability.
What is true regarding a hybrid password attack?
Numbers and characters are substituted in words to discover a password.
nmap -O
OS "fingerprinting" & port scanning. Send packets to remote OS and analyze the response. This is ACTIVE scanning.B281
You have compromised a server on a network and successfully opened a shell. You aimed to identify all operating systems running on the network. However, as you attempt to fingerprint all machines in the network using the nmap syntax below, it is not going through. invictus@victim_server:~$ nmap -T4 -O 10.10.0.0/24 TCP/IP fingerprinting (for OS scan) xxxxxxx xxxxxx xxxxxxxxx. QUITTING! What seems to be wrong?
OS Scan requires root privileges.
Shellshock had the potential for an unauthorized user to gain access to a server. It affected many internet-facing services, which OS did it not directly affect?
OS X
What does the n-map -O parameter do?
OS fingerprinting.
What OSI Layer do DNS packets exist at?
OSI Layer 7.
When comparing the testing methodologies of Open Web Application Security Project (OWASP) and Open Source Security Testing Methodology Manual (OSSTMM) the main difference is
OSSTMM addresses controls and OWASP does not.
What happens during a buffer overflow?
Occurs when a program puts more data into a buffer than it can hold.
What is the difference between ISO 27001 and ISO 27002?
One focuses on governance; the other on controls.
What is the difference between dictionary attacks and hybrid attacks against a password file?
One uses a list of words but substitutes numbers and symbols for some characters; the other relies only upon a list of words.
What is the difference between dynamic NAT and static NAT?
One uses many-to-many mapping while the other uses a one-to-one mapping.
What is the difference between passive and active reconnaissance?
One uses only publicly available sources to collect information; the other involves direct contact with the target.
Websites and web portals that provide web services commonly use the Simple Object Access Protocol SOAP. Which of the following is an incorrect definition or characteristics in the protocol?
Only compatible with the application protocol HTTP
The "black box testing" methodology enforces which kind of restriction?
Only the external operation of a system is accessible to the tester.
What does OSSTMM stand for?
Open Source Security Testing Methodology Manual.
Which web vulnerability scanner can also crawl a website and includes fuzzing among its vulnerability tests?
Paros Proxy.
Which method can provide a better return on IT security investment and provide a thorough and comprehensive assessment of organizational security covering policy, procedure design, and implementation?
Penetration testing
Jimmy is standing outside a secure entrance to a facility. He is pretending to have a tense conversation on his cell phone as an authorized employee badges in. Jimmy, while still on the phone, grabs the door as it begins to close. What just happened?
Piggybacking
Which of the following network attacks relies on sending an abnormally large packet size that exceeds TCP/IP specifications?
Ping of death
What kind of packets does a Smurf attack use?
Ping or ICMP Echo request packets.
What is not activated by the -A parameter in Nmap?
Ping scanning is not activated.
What does Ping -t do?
Pings the specified host until stopped.
A regional bank hires your company to perform a security assessment on their network after a recent data breach. The attacker was able to steal financial data from the bank by compromising only a single server. Based on this information, what should be one of your key recommendations to the bank?
Place a front-end web server in a demilitarized zone that only handles external web traffic
What are the four phases of the alternate penetration testing process?
Planning, Discovery, Attack and Reporting.
There are several ways to gain insight on how a cryptosystem works with the goal of reverse engineering the process. A term describes when two pieces of data result in the same value is?
Polymorphism
What address translation method uses a many-to-one mapping to translate multiple private IP addresses to a single public IP address?
Port Address Translation.
What maintains a pool of public IP addresses and assigns them to devices with private IP addresses?
Port Address Translation.
nmap -sV
Port scanning and VERSION detection.
How does the OSSTMM define standards-based compliance?
Practices that are recommended and must be followed to be certified by an organization or group.
How does OSSTMM define standards-based compliance?
Practices that are recommended. To be certified by an organization or group, they must followed, such as ITIL or ISO.
What are the steps in the three-phase penetration testing model?
Pre-attack; Attack; and, Post-attack.
What Linux command should precede another to ensure that it doesn't die when the user logs out?
Prefacing a command with "nohup" and a space before the task.
An Intrusion Detection System (IDS) has alerted the network administrator to a possibly malicious sequence of packets sent to a Web server in the network's external DMZ. The packet traffic was captured by the IDS and saved to a PCAP file. What type of network tool can be used to determine if these packets are genuinely malicious or simply a false positive?
Protocol analyzer
in IPSec, what is true of the Authentication Header when it is used in tunnel mode?
Provides authentication and integrity only for the encapsulated packet.
PGP, SSL, and IKE are all examples of which type of cryptography?
Public Key
Which of the following is a characteristic of Public Key Infrastructure (PKI)?
Public-key cryptosystems distribute public-keys within digital signatures.
What is Doxing?
Publishing personally identifiable information about an individual that has been collected from publicly available databases and social media.
What is the first step in conducting a risk assessment according to NIST SP 800-30?
Purpose, Scope and Source Identification?
What is the first step in conducting a risk assessment according to NIST SP 800-30?
Purpose, Scope, and Source Identification.
What are three examples of scripting languages?
Python, Perl and Ruby.
An Internet Service Provider (ISP) has a need to authenticate users connecting using analog modems, Digital Subscriber Lines (DSL), wireless data services, and Virtual Private Networks (VPN) over a Frame Relay network. Which AAA protocol is most likely able to handle this requirement?
RADIUS
This asymmetry cipher is based on factoring the product of two large prime numbers. What cipher is described above?
RSA
What are some applications and protocols that use RC4?
RSA SecurPC for file encryption, WEP and SSL/TLS—for web session encryption.
What is the difference between the AES and RSA algorithms?
RSA is asymmetric, which is used to create a public/private key pair; AES is symmetric, which is used to encrypt data.
Of RSA, 3DES, AES, and RC5, which is an asymmetric encryption algorithm?
RSA is asymmetric. 3DES, AES and RC5 are all symmetric encryption algorithms.
What asymmetric encryption algorithm uses factors of prime numbers?
RSA.
What attack is used to crack passwords by using a precomputed table of hashed passwords?
Rainbow Table Attack
It is a kind of malware (malicious software) that criminals install on your computer so they can lock it from a remote location. This malware generates a pop-up window, webpage, or email warning from what looks like an official authority. It explains that your computer has been locked because of possible illegal activities on it and demands payment before you can access your files and programs again. Which of the following terms best matches the definition?
Ransomware
What are two things that Cain & Abel can do that John the Ripper cannot?
Record and extract VoIP conversations and crack CISCO VPN passwords.
What tasks other than password cracking can Cain perform?
Record and extract VoIP conversions; capture and de-crypt RDP traffic; collect server certs and prepare them for MitM attacks; poison ARP tables; start stop, poison, continue and remove Windows services; remotely manipulate Windows registry parameters; calculate RSA SecurID tokens; detect W-LANs; reveal passwords in text boxes; and enumerate network devices and extract Security Identifiers (SIDs).
What is the purpose of Information Security?
Refers to protecting or safeguarding information and information systems that use, store and transmit information. It protects that data and those systems that store, process and transmit that data from unauthorized access, disclosure, alteration and destruction.
What is Hack Value?
The notion by a hacker that something is worth doing or is interesting.
Which element of Public Key Infrastructure (PKI) verifies the applicant?
Registration authority
Which of the following security policies defines the use of VPN for gaining access to an internal corporate network?
Remote access policy
Incremental Substitution
Replacing numbers in a url to access other files
Which of the following algorithms provides better protection against brute force attacks by using a 160-bit message digest?
SHA-1
A certified ethical hacker (CEH) is approached by a friend who believes her husband is cheating. She offers to pay to break into her husband's email account in order to find proof so she can take him to court. What is the ethical response?
Say no; the friend is not the owner of the account.
What does the n-map -sC parameter do?
Scripting Engine with default scripts.
What will the command string grep -Le '^Jan 8' *.log output?
Search for files that do not contain the specified search term and accept a regular expression pattern as a search term. The metacharacter inside the search string tells grep to only look at the beginning of a line. Therefore the return would be a list of all .log files that do not contain the term 'Jan 8' at the beginning of lines of content.
What does grep -L mean?
Search for files which do NOT contain the specified element.
What does the i p . addr display filter show in Wireshark?
Searches source and destination IP addresses, and if a match is found on either, the packet is displayed.
What does a NULL scan achieve?
Sends a TCP segment with no flags set in its header to a specific port on a target host. If the port is open, the host drops the segment; if the port is closed, the host responds with a RST/ACK segment.
In order to promote company-wide acceptance of a company's security policy who must endorse it?
Senior management.
Of Broken Authentication and Session Management; Injection; XSS; Sensitive Data Exposure; Security Misconfiguration and Insecure Direct Object References: which was not among the top five of O-WASP's 2013 security priorities?
Sensitive Data Exposure.
What is a Layer 3 Limited Broadcast Address?
Sent to all devices on a broadcast domain when the specific destination address is not known.
What is a Layer 3 Directed Broadcast Address?
Sent to all devices on a specific subnet. All bits in the last octet are on. These addresses are forwarded by routers, so they can originate from outside of the local network.
What is the purpose of the DHCPAck message in IPv4?
Server to client confirming configuration parameters, including committed network address.
What is the purpose of the DHCPNAK message in IPv4?
Server to client indicating client's notion of network address is incorrect.
What is the purpose of the DHCPOffer message in IPv4?
Server to client response with offer of configuration parameters.
Which of the following is a design pattern based on distinct pieces of software providing application functionality as services to other applications?
Service Oriented Architecture
What does Ping -I do?
Sets Time to Live.
What does Ping -l do?
Sets the Send Buffer size.
What are some examples of human-based social engineering attacks?
Shoulder surfing, dumpster diving and tailgating.
Which initial procedure should an ethical hacker perform after being brought into an organization?
Sign a formal contract with non-disclosure.
How do application-level firewalls operate?
Sits at OSI Layer 7, and is designed to read data for a specific application layer protocol, such as HTTP or FTP.
How does a circuit-level gateway firewall operate?
Sits at the Session Layer, monitoring the TCP handshake process to allow only legitimate connection attempts.
You are tasked to perform a penetration test. While you are performing information gathering, you find an employee list in Google. You find the receptionist's email, and you send her an email changing the source email to her boss's email( boss@company ). In this email, you ask for a pdf with information. She reads your email and sends back a pdf with links. You exchange the pdf links with your malicious links (these links contain malware) and send back the modified pdf, saying that the links don't work. She reads your email, opens the links, and her machine gets infected. You now have access to the company network. What testing method did you use?
Social engineering
What does SEAL stand for?
Software Encryption Algorithm.
By using a smart card and pin, you are using a two-factor authentication that satisfies
Something you have and something you know
What are the four fields in a UDP packet?
Source Port; Destination Port; Length, and Optional Checksum.
What are the fields in a TCP packet?
Source Port; Destination Port; Sequence Number; Acknowledgement Number; Data Offset; Reserved; URG; ACK; PSH; RST; SYN; FIN; Window; Checksum; Urgent Pointer; Options; Padding and Data.
What do packet filtering firewalls look at?
Source port, destination port, incoming protocol and outgoing protocol.
What function does the Netcat -p flag perform?
Specifies a TCP port.
What should you do if you trigger an IDS alert while conducting a black-box penetration test for a customer?
Stop the test and inform the appropriate individual.
A consultant has been hired by the V.P. of a large financial organization to assess the company's security posture. During the security testing, the consultant comes across child pornography on the V.P.'s computer. What is the consultant's obligation to the financial organization?
Stop work immediately and contact the authorities.
Which cipher encrypts the plain text digit (bit or byte) one by one?
Stream cipher
RC4 is a symmetric encryption algorithm. Does it use a block or a stream cipher?
Stream.
What is STRCPY( )?
String copy in C.
Suicide Hacker
Suicide hackers are those who hack for some purpose and don't care if they suffer long term jail due to their activities. They can be bad as well as good.
What are the key sizes of newer versions of SHA?
Supports key sizes of 224-256, 384 or 512 bits.
What are three benefits of symmetric over asymmetric encryption algorithms?
Symmetric algorithms are faster, they use a single key to encrypt and decrypt traffic; and are excellent for bulk data encryption because of their higher speed.
Which is faster: asymmetric or symmetric encryption?
Symmetric.
What is the order of the three best known AAA—Authentication Authorization and Accounting protocols, from oldest to newest?
TACACS is the oldest, RADIUS is in the middle, and DIAMETER is the newest of the well-known AAA protocols. TACACS+ was created by CISCO, and is incompatible with TACACS, which was originally created for Unix.
You are attempting to man-in-the-middle a session. Which protocol will allow you to guess a sequence number?
TCP
Telnet
TCP 23
Windows printer service
TCP 515
DNS
TCP 53 for zone transfers, UDP 53 for individual queries
Mac OS X printer sharing
TCP 631
HP JetDirect
TCP 9100
nmap -sT
TCP Connect, or just "connect scan" (plain old vanilla port scan). This does leave a record of your activities, but it's one of the most reliable types of scans because it simulates normal network conditions.
If there is an Intrusion Detection System (IDS) in intranet, which port scanning technique cannot be used?
TCP SYN
What protocols reside at the TCP/IP model's Host-to-Host layer?
TCP and UDP.
What kind of packet will HPING -2 send?
TCP.
What kind of packet will HPING without parameters send?
TCP.
What Port does LDAP use by default?
TCP/UDP Port 389.
What Port does SMB use?
TCP/UDP Port 445.
What Port does Kerberos use by default?
TCP/UDP Port 88.
Which of the following is the successor of SSL?
TLS
What is the string of characters used as a technique for escaping a web server's root directory in order to obtain files from a private area of a server?
The 'dot-dot-slash' (../) string is used to escape a web server's root directory in order to try and access a private area of a web server.
What does -b option tell Snort to do?
The -b option configures the program to log packets in binary format—also known as TCP-dump format.
What command will run Snort in sniffer mode?
The -v command will run the program in sniffer mode.
The company ABC recently contracted a new accountant. The accountant will be working with the financial statements. Those financial statements need to be approved by the CFO and then they will be sent to the accountant but the CFO is worried because he wants to be sure that the information sent to the accountant was not modified once he approved it. What of the following options can be useful to ensure the integrity of the data?
The CFO can use a hash algorithm in the document once he approved the financial statements.
How many hosts can the Class B Address Range support?
The Class B address range can support 65,534 hosts.
What DNS record translates a host name to an IP address?
The DNS A record.
What is the resource type on a DNS server to configure the OS type of a particular DNS record?
The DNS server HINFO resource type.
A new wireless client is configured to join a 802.11 network. This client uses the same hardware and software as many of the other clients on the network. The client can see the network, but cannot connect. A wireless packet sniffer shows that the Wireless Access Point (WAP) is not responding to the association requests being sent by the wireless client. What is a possible source of this problem?
The WAP does not recognize the client's MAC address
What command can be used in Wireshark to display only traffic sent between devices on the 10.10.10.0/24 network?
The Wireshark command ip.src == 10.10.10/0/24 and ip.dst == 10.10.10.0/24 will display only traffic sent between devices on the 10.10.10.0/24 network.
When purchasing a biometric system, one of the considerations that should be reviewed is the processing speed. Which of the following best describes what it is meant by processing?
The amount of time it takes to be either accepted or rejected form when an individual provides Identification and authentication information.
Vulnerability Scanning
The automated process of proactively identifying vulnerabilities of computing systems present in a network
In steganography what is a Cover-Medium?
The carrier object standing alone, such as an .MP3, .GIF, AVI, or .TXT file.
What causes the denial of service in a SYN Flood attack?
The client IP address is typically a spoofed address, and the server will be unable to contact the client to complete the handshake process.
Where can the complete list of Organizational Unit Identifiers be found?
The complete list can be found at http://standards.ieee.org/regauth/oui/oui.txt
The security administrator of ABC needs to permit Internet traffic in the host 10.0.0.2 and UDP traffic in the host 10.0.0.3. Also he needs to permit all FTP traffic to the rest of the network and deny all other traffic. After he applied his ACL configuration in the router nobody can access to the ftp and the permitted hosts cannot access to the Internet. According to the next configuration what is happening in the network? access-list 102 deny tcp any any access-list 104 permit udp host 10.0.0.3 any access-list 110 permit tcp host 10.0.0.2 eq www any access-list 108 permit tcp any eq ftp any
The first ACL is denying all TCP traffic and the other ACLs are being ignored by the router
You are an Ethical Hacker who is auditing the ABC company. When you verify the NOC one of the machines has 2 connections, one wired and the other wireless. When you verify the configuration of this Windows system you find two static routes. route add 10.0.0.0 mask 255.0.0.0 10.0.0.1 route add 0.0.0.0 mask 255.0.0.0 199.168.0.1 What is the main purpose of those static routes?
The first static route indicates that the internal addresses are using the internal gateway and the second static route indicates that all the traffic that is not internal must go to an external gateway.
A technician is resolving an issue where a computer is unable to connect to the Internet using a wireless access point. The computer is able to transfer files locally to other machines, but cannot successfully reach the Internet. When the technician examines the IP address and default gateway they are both on the 192.168.1.0/24. Which of the following has occurred?
The gateway is not routing to a public IP address.
An attacker tries to do banner grabbing on a remote web server and executes the following command. $ nmap -sV host.domain.com -p 80 He gets the following output. Starting Nmap 6.47 ( http://nmap.org ) at 2014-12-08 19:10 EST Nmap scan report for host.domain.com (108.61.158.211) Host is up (0.032s latency). PORTSTATESERVICEVERSION 80/tcpopenhttp Apache httpd Service detection performed. Please report any incorrect results at http://nmap.org/submit/. Nmap done: 1 IP address (1 host up) scanned in 6.42 seconds What did the hacker accomplish?
The hacker successfully completed the banner grabbing.
Look at the following output. What did the hacker accomplish? ; <<>> DiG 9.7.-P1 <<>> axfr domam.com @192.168.1.105 ;; global options: +cmd domain.com. 3600 IN SOA srv1.domain.com. hostsrv1.domain.com. 131 900 600 86400 3600 domain.com. 600 IN A 192.168.1.102 domain.com. 600 IN A 192.168.1.105 domain.com. 3600 IN NS srv1.domain.com. domain.com. 3600 IN NS srv2.domain.com. vpn.domain.com. 3600 IN A 192.168.1.1 server.domain.com. 3600 IN A 192.168.1.3 office.domain.com. 3600 IN A 192.168.1.4 remote.domain.com. 3600 IN A 192.168. 1.48 support.domain.com. 3600 IN A 192.168.1.47 ns1.domain.com. 3600 IN A 192.168.1.41 ns2.domain.com. 3600 IN A 192.168.1.42 ns3.domain.com. 3600 IN A 192.168.1.34 ns4.domain.com. 3600 IN A 192.168.1.45 srv1.domain.com. 3600 IN A 192.168.1.102 srv2.domain.com. 1200 IN A 192.168.1.105 domain.com. 3600 INSOA srv1.domain.com. hostsrv1.domain.com. 131 900 600 86400 3600 ;; Query time: 269 msec ;; SERVER: 192.168.1.105#53(192.168.1.105) ;; WHEN: Sun Aug 11 20:07:59 2013 ;; XFR size: 65 records (messages 65, bytes 4501)
The hacker successfully transfered the zone and enumerated the hosts.
What occurs during a MitM attack between a target host and a web server?
The hacker will receive the target host's public key.
The "gray box testing" methodology enforces what kind of restriction?
The internal operation of a system is only partly accessible to the tester.
Non-repudiation
The security principle of providing proof that a transaction occurred between identified parties. Repudiation occurs when one party in a transaction denies that the transaction took place.
What is true regarding a SYN flood attack?
The target host is left waiting for an ACK segment.
What is true regarding a SYN FLOOD attack?
The target is left waiting for an ACK segment.
What risk equation component is probability of success?
Vulnerability.
What is true regarding port scanning attacks?
They attempt to determine whether vulnerabilities exist on a computer on the network and they attempt to access a computer through an open port.
What is true regarding security policy best practices?
They should be as short as possible. Best practices dictate brevity at no more than three pages. They help to improve employees' security awareness. Shorter being generally easier to understand and comply with.
What actions cannot be performed by issuing the "net" command at the Windows command prompt?
This command cannot configure a firewall or add a route.
If fingerprinting OSes on a network by analyzing TTL fields TCP window sizes what type of OS fingerprint is being employed?
This constitutes passive OS fingerprinting.
How could the NTFS alternate data stream (ADS) technology be maliciously used?
This could be maliciously used by hiding a Trojan Horse in a text file.
What is the most common method to exploit the "Bash Bug" or "ShellShock" vulnerability?
Through Web servers utilizing CGI (Common Gateway Interface) to send a malformed environment variable to a vulnerable Web server
Which NMAP feature can a tester implement or adjust while scanning for open ports to avoid detection by the network's IDS?
Timing options to slow the speed that the port scan is conducted
What is the purpose of an Advanced Persistent Threat attack?
To access a network, acquire data, and continue to monitor a network in secret.
What was the purpose of FISMA?
To assign specific information security responsibilities to specific government agencies.
What is the purpose of WS-SecureConversation?
To create security contexts for faster message exchanges.
What is the purpose of key escrow?
To enable a third party to access data if the need arises.
What is the purpose of key escrow?
To enable a trusted third party to access sensitive data if the need arises.
What would be the purpose of modifying the TCP Initial Sequence Number, Initial Window Size and options on a Linux host?
To mitigate active OS fingerprinting by products such as N-map.
What is the purpose of the TCP PSH flag?
To signal that data in the packet should be pushed to the beginning of the queue.
What is the purpose of the TCP URG flag?
To signify that urgent control characters are present in the packet that should have priority.
When is the Net-cat -p command used?
To specify the TCP port on which to listen for incoming connections.
What is the purpose of a ping sweep?
To try and determine the IP addresses of hosts connected to a network.
If an e-commerce site was put into a live environment and the programmers failed to remove the secret entry point that was used during the application development, what is this secret entry point known as?
Trap door
TFTP
UDP 69 - insecure! (no authentication)
TFTP port
UDP 69 - insecure! (no authentication)
What Port does ISAKMP used by default?
UDP Port 500.
What port does a SYSLOG server use?
UDP Port 514.
nmap -sU
UDP scan. Looks for open UDP ports
Which of the following is considered the best way to protect Personally Identifiable Information (PII) from Web application vulnerabilities?
Use cryptographic storage to store all PII
What is not a PCI compliance recommendation?
Use encryption to protect all transmission of card holder data over any public network.
In Linux, what will issuing the iptables command with -nat parameter do?
Use port-based IP addressing to allow internal hosts to communicate with the Internet.
What command will run Snort in packet logger mode and log packets to ./log directory?
Use the -l ./log command. This will also ensure that packets are logged to the ./log directory.
How can session token randomness be tested?
Use the Burp Suite sequencer tool.
How do you configure IP masquerading on a Linux host?
Use the ipchains command which is similar to Port Address Translation or Port Overloading. Previous iterations of Linux could use either the iptables command, or the ipfwadm command.
What is true regarding Pcap?
Used by Nmap, Snort and Tcpdump.
What is true regarding RC4?
Used for web encryption; it is known for its speed and simplicity; it is used for wireless encryption; it is used for file encryption and it is a symmetric encryption algorithm that uses a stream cipher.
What is a recovery agent?
Used to provide a copy of the encryption key in the event that the original is lost.
What protocol does HPING2 used to send packets by default?
Uses TCP to send packets.
What is an enhancement to WPA that is included in the 802.11i standard?
Uses a block cipher rather than a stream cipher for encryption.
How does an encryption virus work?
Uses a different encryption key for each infected file, thus defeating conventional AV signature detection methods.
What G++ option switch will take a C++ preprocessor file and compile it to a specified executable file?
Using G++ with the -o switch will compile a C++ file to a specified executable file.
What does the n-map -sV parameter indicate?
Version detection.
What are the fields in an IP packet header?
Version; Internet Header Length; Type of Service; Total Length; Identification; Flags; Fragment Offset; Time to Live; Protocol; Header Checksum; Source Address; Destination Address; Options, and Padding.
In IPv6 what is the major difference concerning application layer vulnerabilities compared to IPv4?
Vulnerabilities in the application layer are independent of the network layer. Attacks and mitigation techniques are almost identical.
If a penetration tester is using Nessus during the Discovery phase of a black-box test what action is the tester most likely performing?
Vulnerability Analysis.
A penetration tester who is using Nessus during the Discovery phase of a black-box test is performing what action?
Vulnerability analysis. Scanning would be non-intrusive, using tools such as n-map.
To maintain compliance with regulatory requirements, a security audit of the systems on a network must be performed to determine their compliance with security policies. Which one of the following tools would most likely be used in such an audit?
Vulnerability scanner
What is defined as the likelihood that exploitation of a threat will be successful?
Vulnerability.
Internet Protocol Security IPSec is actually a suite of protocols. Each protocol within the suite provides different functionality. Collective IPSec does everything except.
Work at the Data Link Layer
How do intrusive viruses operate?
Writes over the host code either partly or completely with the viral code.
9. Jennifer receives an email claiming that her bank acct info has been lost & that she needs to click a link to update the banks db. However, she doesn't recognize the bank, b/c it is not one she does business with. What type of attack is she being presented with? a. phishing b. spam c. whaling d. vishing
a. phishing. This type of attack is a clear example of phishing: an attack crafts an attractive-looking email with the intention of enticing the victim to perform an action.
10. What is the best option for thwarting social-engineering attacks? a. technology b. training c. policies d. physical controls
b. training. Training is the best and most effective method of blunting the impact of social engineering. Addressing the problem through education can lesson the need for some countermeasures.
Black hat hackers
break into systems to destroy information or for illegal gain
19. An attacker can use which technique to influence a victim? a. tailgating b. piggybacking c. name-dropping d. acting like tech support
c. name-dropping. Name-dropping can be used by an attacker to make a victim believe the attacker has power or knows people who are in power.
11. Janet receives an email enticing her to click a link. But when she clicks this link she is taken to a website for her bank, asking her to reset her account info. However, Janet noticed that the bank is not hers and the website is not for her bank. What type of attack is this? a. whaling b. vishing c. phishing d. piggybacking
c. phishing. This is an example of phishing because if involve enticing the user to click a link and presumably provide information.
You are logged in as a local admin on a Windows 7 system and you need to launch the Computer Management Console from command line. Which command would you use?
c:\compmgmt.msc
Cloud Computing
could cause a vulnerability if they are not protected properly
13. A security camera pciks up someone who doesn't work at the copmay following closely behind an employee while they enter the building. What type of attack is taking place? a. phishing b. walking c. gate running d. tailgating
d. tailgating. This attack is called tailgating and involves a person being closely followed by another individual through a door or entrance.
5. Social engineering can use all the following except ___? a. mobile phones b. instant messaging c. trojan horses d. viruses
d. viruses. Social engineering takes advantage of many mechanisms including trojan horses, but it does not use viruses. However, IM, mobile phones, and trojan horses are all effective tools for social engineering.
link: (google)
google shows page that link to the page given
cache: (google)
google's cached version of the page