NSA CNT Exam
What is a Bootkit Rootkit? 1. Privilege Level 2. Infection Method 3. Detection Method
1. Privilege Level - Operates at the bootloader level, before the operating system loads. 2. Infection Method - Modifies the master boot record (MBR) or other boot components to gain control during the boot process. 3. Detection Method - Bootkit detection often requires specialized tools that can analyze the boot process.
What is a Memory-Resident or RAM-Based Rootkit? 1. Privilege Level 2. Infection Method 3. Detection Method
1. Privilege Level - Operates in the system's memory. 2. Infection Method - Loads directly into RAM, making detection more challenging. 3. Detection Method - Memory analysis tools and behavioral monitoring can help identify anomalies in system memory.
What is a Kernel Mode Rootkit? 1. Privilege Level 2. Infection Method 3. Detection Method
1. Privilege Level: Operates at the kernel or ring 0 level. 2. Infection Method: Invades the core of the operating system, replacing or modifying kernel components. 3. Detection Method: More challenging to detect; requires specialized tools, memory analysis, and behavioral monitoring.
Administrative distance of OSPF
110
Administrative distance of RIP
120
When using the Routing Information Protocol (RIP), what is the maximum number of hops a message can take between its source and its destination before the destination is considered unreachable?
15
By default, what is the MTU size on a typical Ethernet network?
1500 bytes
Administrative distance of BGP
200
Administrative distance of EIGRP
90
You are troubleshooting a network issue on a client computer and discover that the network card has an IP address of 169.254.196.200. What does this mean? a. The network card has been erroneously assigned a loopback address. b. The computer has been assigned a routed public IP address. c. The network card is set up for multicast communication. d. The computer is configured to use DHCP, but was unable to lease an address.
d. The computer is configured to use DHCP, but was unable to lease an address.
What is the minimum category of UTP cable required in order to support Gigabit speeds? a. Cat 5 b. Cat 6 c. Cat 3 d. Cat 5e
d. Cat 5e
OSI Model Physical Layer
Data communication through physical channels like fiber-optic cables, copper cabling, and air. Ex: Bluetooth, NFC, data transmission speeds.
ipconfig /displaydns
Displays all DNS connections.
powercfg /energy (Windows)
Displays power usage information.
What is DNS and what port does it use?
Domain Name System is used to resolve host names to IP addresses. DNS servers host the DNS service and respond to DNS queries. DNS uses UDP port 53.
What is DHCP and what port does it use?
Dynamic Host Configuration Protocol. Automatically assigns IP addresses and other attributes to an IP host to enable information transfer between network nodes. UDP port 67.
What commands are used to edit a file in Linux? (2)
echo to add lines to a file; nano to edit the file.
Computer Concepts - Endianness
Endianness means that the bytes in computer memory are read in a certain order. If my computer reads bytes from left to right and your computer reads from right to left, we're going to have issues communicating.
What is EIGRP?
Enhanced Interior Gateway Routing Protocol. Sends updates from one router to the next; only neighbors exchange updates.
Data Integrity Protection (Tripwire)
FIM (Tripwire File Integrity Monitoring) has a built-in capability to reduce noise by providing ways to distinguish low-risk changes from high-risk changes in data. Alerts on changes to files and directories on a computer system.
UDP provides error checking, but not sequencing (T/F)
False
Routing Information Protocol (RIP) is an interior gateway protocol that uses a link-state algorithm. (T/F)
False. RIP is a distance-vector routing protocol. It uses the Bellman-Ford algorithm to determine the best path to a destination based on the number of hops.
What is FTP and what port does it use?
File Transfer Protocol is used to upload and download files from an FTP server. FTP uses TCP ports 20 and 21.
What is HTTP and what port does it use?
HTTP is HyperText Transfer Protocol and it is responsible for web content. Many web pages use HTTP to transmit the web content and allow the display and navigation of HyperText. TCP Port: 80
Access to Resources: Kernel Space vs. User Space
Kernel Space: the kernel has direct access to all hardware and system resources. User Space: user applications do not have direct access to hardware resources; they interact with the system through system calls provided by the kernel.
Privilege Level: Kernel Space vs. User Space
Kernel Space: the kernel operates in a privileged mode with unrestricted access to the hardware and system resources. User Space: user applications operate in a less privileged mode, typically at a lower privilege level than the kernel.
Execution Context: Kernel Space vs. User Space
Kernel Space: the kernel runs in a global and shared context, and its code is typically loaded into a fixed location in memory during system boot. User Space: each user application runs in its own isolated context, with its own memory space and resources.
What is nslookup? (Windows)
Lets the user enter a host name and find out the corresponding IP address, or the domain name for an IP address.
Antivirus Concepts: Heuristic
Looks for specific commands or instructions that would not typically be found in an application. Ex: the payload of a trojan, the replication mechanics of a virus, the distribution pattern of a worm.
What are Noise Signatures in the context of malware?
Refers to the observable and detectable patterns or behaviors that can be identified by security tools and analysts. These patterns may generate network or system activity that stands out from normal behavior, making it possible to detect and mitigate malware.
What are some benefits of Virtualization?
Resource efficiency, easier management, minimal downtime, faster provisioning.
Antivirus concepts: Signature
Signature-based antivirus is a type of security software that uses signatures to identify malware. Signatures are bits of code that are unique to a specific piece of malware; the antivirus compares the signature to a known database.
Data Integrity Protection (WFP)
Windows File Protection prevents programs from replacing critical Windows system files because these files are used by the operating system.
What is the fastest Ethernet standard that can possibly be used on twisted-pair cabling? a. 100Base-T b. 10TBase-T c. 10GBase-T d. 1000Base-T
c. 10GBase-T
Which of the following is NOT a range of IP addresses recommended for use in private networks? a. 10.0.0.0 through 10.255.255.255 b. 192.168.0.0 through 192.168.255.255 c. 172.16.0.0 through 172.31.255.255 d. 127.0.0.0 through 127.255.255.255
d. 127.0.0.0 through 127.255.255.255
What utility is used to verify that TCP/IP is installed, bound to the NIC, configured correctly, and communicating with the network?
ping
What commands to move and remove a file in Linux?
rm - remove; mv - move
What command is used to encrypt a file on a Linux machine?
shred (filename)
In a TCP segment, what field indicates how many bytes the sender can issue to a receiver before acknowledgment is received?
sliding window
What are the different types of CPU architectures?
ia32 - 32-bit Intel Architecture; mipsel - 64-bit microprocessor; 32- and 64-bit systems.
What is Virtualization?
Virtualization is a process that allows for more efficient utilization of physical computer hardware and is the foundation of cloud computing.
Which command will produce statistics about each message transmitted by a host, separated according to protocol type?
netstat -s
Botnets and their Key Features
- Compromises multiple computers to form a network of bots used for DDoS attacks
Rootkits and their Key Features
- Conceals its presence or other malware from detection - Often modifies the operating system or kernel components - Can be challenging to detect and remove
What are some basic functions of a network router?
- Connect dissimilar networks, such as a LAN and a WAN, which use different types of routing protocols - Interpret Layer 3 and often Layer 4 addressing - Determine the best path for data to follow from point A to point B - Reroute traffic if the path of first choice is down but another path is available
Trojan Horses and their Key Features
- Disguises itself as a legitimate or benign program - Tricks users into executing or installing it - Can create backdoors for remote access
Adware and their Key Features
- Displays unwanted advertisements to users - May come bundled with legitimate software
Viruses and their Key Features
- Infects other executable files or documents - Spreads when infected files are shared or executed - Often requires user interaction to propagate
Spyware and their Key Features
- Secretly monitors user activities without their knowledge - Collects sensitive information such as login credentials or browsing habits - Often used for identity theft or espionage
Worms and their Key Features
- Self-replicates and spreads across networks without user intervention - Exploits vulnerabilities in network protocols or operating systems - Can consume network bandwidth and system resources
A Fast Ethernet connection utilizes what pins on an RJ-45 plug?
1, 2, 3, 6
What is Kerberos?
Kerberos authenticates service requests between two or more trusted hosts across an untrusted network like the internet. Kerberos authentication port: 88.
What is the Windows registry?
A database on your hard drive that stores settings for various programs and applications.
What is a device driver?
A device driver is a special kind of software program that controls a specific hardware device attached to a computer.
What part of a MAC address serves as the extension identifier, or device ID? a. The last 24 bits of the MAC address. b. The last 12 bits of the MAC address. c. The first 24 bits of the MAC address. d. The first 12 bits of the MAC address.
a. The last 24 bits of the MAC address.
What is ARP? What port does it use?
Address Resolution Protocol. The protocol that translates IP addresses into MAC addresses. Works between layers 2-3 of the OSI model; ALL layer 3 devices have an ARP table. Only translates 32-bit IP addresses to 48-bit MAC addresses. Port - 219
Which routing protocol started as a Cisco proprietary protocol and combines some of the features of a link-state protocol with that of distance-vector protocols? a. OSPF b. EIGRP c. IS-IS d. BGP
b. EIGRP
Which of the following is not a task handled by a router? a. A router can connect dissimilar networks. b. A router forwards broadcasts over the network. c. A router can interpret Layer 3 and often Layer 4 addressing. d. A router can reroute traffic if the path of first choice is down but a second path is available.
b. A router forwards broadcasts over the network.
Big-Endian (BE) vs Little-Endian (LE)
BE stores the big end first and then proceeds to the lowest, from left to right. LE stores the little end first, from right to left.
What is the difference between bandwidth and throughput?
Bandwidth is the amount of data that could theoretically be transmitted during a given period of time. Throughput is the measure of how much data is actually transmitted during a given period of time.
Endianness is represented in two ways; what are they?
Big-endian (BE) and little-endian (LE)
There are several interior gateway protocols, but only one current exterior gateway protocol. What is this protocol, and what characteristics does it have?
Border Gateway Protocol. BGP is the only current exterior gateway protocol. BGP spans multiple autonomous systems and is used by edge and exterior routers of the internet.
OSI Model Network Layer
Concerned with concepts such as routing, forwarding, and addressing across a dispersed network. Ex: IPv4, IPv6, switch, router.
OSI Model Application Layer
Concerned with the specific type of application itself and its standardized communication methods.
OSI Model Presentation Layer
Concerned with the syntax of the data itself for applications to send and consume. Ex: HTML, JavaScript.
Which type of virtualization allows a computer's operating system kernel to run multiple isolated instances of a guest virtual machine, with each guest sharing the kernel?
Container Virtualization
What are the different categories of routers, and how do they compare?
Core Routers - also called interior routers, are located inside networks within the same autonomous system, often on the same domain. Edge Routers - or border routers, connect an autonomous system with an outside (untrusted) network. Exterior Routers - routers outside the organization's zone; routers that communicate with routers outside a zone.
Memory Organization (Offsets)
In the context of memory, an offset is the distance from the start of a data structure or memory block.
What is routing protocol convergence time defined as?
It is the time it takes for the protocol to recognize the best path in the event of a network change.
OSI Model Data Link Layer
Manages data frames; digital signals are encapsulated into data packets. Split into two sublayers: the MAC layer and the LLC layer.
Windows Specific Port Services
NetBIOS Name Service: port 137. NetBIOS Datagram Service: UDP 138 - allows Windows to transfer information over a connectionless communication. NetBIOS Session Service: TCP 139 - sets up a session between devices.
OSI Model Session Layer
Network coordination between two separate applications in a session. The session layer manages the beginning and ending of a one-to-one application connection.
What is OSPF?
Open Shortest Path First. Builds a map of the entire network and chooses the best routes to take.
OSI Model Layers 1-7
1. Physical Layer, 2. Data Link Layer, 3. Network Layer, 4. Transport Layer, 5. Session Layer, 6. Presentation Layer, 7. Application Layer
What is a User Mode Rootkit? 1. Privilege Level 2. Infection Method 3. Detection Method
1. Privilege Level: Operates at the user level. 2. Infection Method: Typically infiltrates user-space processes and applications. 3. Detection Method: May be detected using rootkit scanners, behavioral analysis, or by monitoring changes in system files and registry entries.
TCP/IP 3-way handshake
SYN - Host A sends a request to Host B. SYN/ACK - Host B sends back an ACK of Host A's SYN and its own SYN as well. ACK - Host A ACKs Host B's SYN.
What is SSH? What port does it use?
Secure Shell (SSH) can be used to encrypt a wide variety of traffic such as telnet and FTP. Encrypts data between a host and a remote server. Provides password and public key authentication. Uses port 22.
What is netstat?
Shows all active connections on a PC. Shows the port at the end of an IP address.
netstat -a: what does it show?
Shows all active open ports.
What is Telnet and what port does it use?
TCP Port: 23. Command line tool to access a remote system. Used to configure a router or switch. Can also be used to check if ports are open or closed. Not secure; don't use over the internet.
What are the different types of rootkits?
User Mode Rootkits, Kernel Mode Rootkits, Bootkits, Memory-Resident or RAM-based Rootkits
Memory Organization (Length)
The length is the size of a data structure or memory block, usually measured in bytes. It represents the amount of memory occupied by a particular piece of data.
What are the different types of malware?
Viruses, Worms, Trojan Horses, Spyware, Adware, Ransomware, Rootkits, Keyloggers
ARP Tables might contain two different types of entries. What are they, and how are they created?
They contain dynamic and static entries. Dynamic ARP table entries are created when a client makes an ARP request for information that could not be satisfied by data already in the ARP table. Static ARP table entries are those that someone has entered manually using the ARP utility.
OSI Model Transport Layer
Ensures data packets arrive in the right order, without losses or errors. Ex: UDP and TCP. TCP - commonly used where all data must be intact (file share). UDP - used when retaining all packets is less critical (video streaming).
IP is an unreliable, connectionless protocol, as it does not establish a session to send its packets.
True
What is the difference between a port and a socket?
A port is a number assigned to a process. A socket consists of both a host's IP address and a process's TCP or UDP port.
What happens when a router receives a packet with a TTL of 0? a. The router drops the packet and sends an ICMP TTL expired message back to the host. b. The router marks the packet as corrupted and forwards it to the next hop. c. The router attempts to forward the traffic on a local network. d. The router resets the TTL to 128.
a. The router drops the packet and sends an ICMP TTL expired message back to the host.
What command is used to see what is in a file?
cat
What command is used to see what is in a file quickly?
cat
How is the TTL field utilized in IPv4?
The TTL field indicates the maximum duration that the packet can remain on the network before it is discarded. It represents the number of times a packet can still be forwarded by a router, or the maximum number of router hops it has remaining. The TTL for packets varies and can be configured; it is usually set at 32 or 64. Each time a packet passes through a router, its TTL is reduced by 1. When a router receives a packet with a TTL equal to 0, it discards that packet and sends a TTL expired message via ICMP back to the source host.
How can you determine the manufacturer of a NIC card based on the MAC address?
The first 24 bits.
Command to create a file on a Linux machine?
touch
What is Signature based detection for malware?
Uses a unique signature or digital footprint from software programs running on a protected system. Antivirus programs scan the software and compare the signature to known malware signatures.
What are the three different types of port number ranges as defined by IANA?
Well-known ports: 0 to 1023; registered ports: 1024 to 49151; dynamic and private ports: 49152 to 65535.
