SEC 110 ch 11
Which of the following accurately describes what a protocol analyzer is used for? (Select two.) -A device that allows you to capture, modify, and retransmit frames (to perform an attack). -A device that does NOT allow you to capture, modify, and retransmit frames (to perform an attack). -A device that can simulate a large number of client connections to a website, test file downloads for an FTP site, or simulate large volumes of emails. -A passive device that is used to copy frames and allow you to view frame contents. -A device that measures the amount of data that can be transferred through a network or processed by a device.
-A device that does NOT allow you to capture, modify, and retransmit frames (to perform an attack). -A passive device that is used to copy frames and allow you to view frame contents.
Rules of engagement
A document that defines exactly how the penetration test will be carried out.
Python
An easy-to-read and easy-to-understand programming language.
shoulder surfing
An eavesdropping technique in which the listener obtains passwords or other confidential information by looking over the shoulder of the target.
Which of the following describes a man-in-the-middle attack? -A false server intercepts communications from a client by impersonating the intended server. -A person convinces an employee to reveal his or her login credentials over the phone. -An IP packet is constructed that is larger than the valid size. -Malicious code is planted on a system, where it waits for a triggering event before activating.
A false server intercepts communications from a client by impersonating the intended server.
Command shell
A program that provides an interface to give users access to operating system functions and services.
Dumpster diving
A social engineering attack in which an attacker goes through the trash to find important documents or information that has been thrown out.
In a variation of the brute force attack, an attacker may use a predefined list of common usernames and passwords to gain access to existing user accounts. Which countermeasure best addresses this issue? 3DES encryption A strong password policy AES encryption VLANs
A strong password policy
Scope of work
A very detailed document that defines exactly what is going to be included in the penetration test. This document is also referred to as the statement of work.
Which of the following attacks tries to associate an incorrect MAC address with a known IP address? Hijacking ARP poisoning MAC flooding Null session
ARP poisoning
Which of the following is the term used to describe what happens when an attacker sends falsified messages to link their MAC address with the IP address of a legitimate computer or server on a network? Port mirroring MAC flooding MAC spoofing ARP poisoning
ARP poisoning
Which of the following strategies can protect against a rainbow table password attack? Enforce strict password restrictions Educate users to resist social engineering attacks Encrypt the password file with one-way encryption Add random bits to the password before hashing takes place
Add random bits to the password before hashing takes place
Distributed denial of service (DDoS)
An attack that is designed to bombard the target with more data than it can handle, causing it to shut down.
DNS attack
An attack that targets DNS services.
You are concerned about protecting your network from network-based attacks on the internet. Specifically, you are concerned about attacks that have not yet been identified or that do not have prescribed protections. Which type of device should you use? Antivirus scanner Signature-based IDS Anomaly-based IDS Network-based firewall Host-based firewall
Anomaly-based IDS *********************** An anomaly-based intrusion detection system (IDS) can recognize and respond to some unknown attacks.
What is the most common form of host-based IDS that employs signature or pattern-matching detection methods? Honeypots Firewalls Antivirus software Motion detectors
Antivirus software
MAC flooding
Attack against a network switch in which the attacker sends a large number of Ethernet frames with various MAC addresses, overwhelming the switch. The switch is overloaded and sends traffic to all ports.
MAC spoofing
Attack in which the hacker spoofs the MAC address of the gateway. This results in the spoofed address overwriting the gateway's MAC address in the switch's CAM table.
ARP poisoning
Attack targeting the ARP protocol. The attacker changes the ARP cache by spoofing the IP address of a target.
You are using a password attack that tests every possible keystroke for each single key in a password until the correct one is found. Which of the following technical password attacks are you using? Password sniffing Brute force attack Keylogger Pass-the-hash attack
Brute force attack
Dictionary attack
Brute force password attack in which the hacker uses a list of words and phrases to try to guess the password.
Password spraying
Brute force password attack that uses the same password with multiple user accounts instead of different passwords for the same account.
Which of the following are network-sniffing tools? -Ettercap, Ufasoft snif, and Shark -WinDump, KFSensor, and Wireshark -Cain and Abel, Ettercap, and TCPDump -Ufasoft snif, TCPDump, and Shark
Cain and Abel, Ettercap, and TCPDump
Macros
Code that is used to perform a series of steps or functions inside a specific application.
You are running a packet sniffer on your workstation so you can identify the types of traffic on your network. You expect to see all the traffic on the network, but the packet sniffer only seems to be capturing frames that are addressed to the network interface on your workstation. Which of the following must you configure in order to see all of the network traffic? -Configure the network interface to use promiscuous mode. -Configure the network interface to use port mirroring mode. -Configure the network interface to use protocol analysis mode. -Configure the network interface to enable logging.
Configure the network interface to use promiscuous mode. *********************** By default, a NIC only accepts frames addressed to itself. To enable the packet sniffer to capture frames sent to other devices, configure the NIC in promiscuous mode (sometimes called p-mode). In p-mode, the NIC processes every frame it sees.
An attacker uses an exploit to push a modified hosts file to client systems. This hosts file redirects traffic from legitimate tax preparation sites to malicious sites to gather personal and financial information. Which kind of exploit has been used in this scenario? DNS poisoning Man-in-the-middle Domain name kiting Reconnaissance
DNS poisoning
Which type of denial-of-service (DoS) attack occurs when a name server receives malicious or misleading data that incorrectly maps host names and IP addresses? Spam ARP poisoning DNS poisoning SYN flood
DNS poisoning
While using the internet, you type the URL of one of your favorite sites in the browser. Instead of going to the correct site, the browser displays a completely different website. When you use the IP address of the web server, the correct site is displayed. Which type of attack has likely occurred? Man-in-the-middle Spoofing DNS poisoning Hijacking
DNS poisoning
Intrusion detection system
Device or software that monitors, logs and detects security breaches, but takes no action to stop or prevent the attack.
You are cleaning your desk at work. You toss several stacks of paper in the trash, including a sticky note with your password written on it. Which of the following types of non-technical password attacks have you enabled? Shoulder surfing Dumpster diving Social engineering Password guessing
Dumpster diving
Which of the following processes identifies an operating system based on its response to different types of network traffic? Port scanning Firewalking Social engineering Fingerprinting
Fingerprinting
You want to check a server for user accounts that have weak passwords. Which tool should you use? John the Ripper Nessus OVAL Retina
John the Ripper
Capturing packets as they travel from one host to another with the intent of altering the contents of the packets is a form of which type of attack? DDoS Spamming Man-in-the-middle attack Passive logging
Man-in-the-middle attack
You are concerned about attacks directed against the firewall on your network. You would like to examine the content of individual frames sent to the firewall. Which tool should you use? Throughput tester Load tester System log Event log Packet sniffer
Packet sniffer
You want to know which protocols are being used on your network. You'd like to monitor network traffic and sort traffic by protocol. Which tool should you use? Port scanner Packet sniffer IDS Throughput tester IPS
Packet sniffer
Brute force attack
Password attack in which the attacker uses a cracking tool that submits every possible letter, number and symbol combination in a short amount of time.
Which of the following techniques involves adding random bits of data to a password before it is stored as a hash? Password sniffing Pass-the-hash attack Password salting Keylogging
Password salting
You want to identify traffic that is generated and sent through a network by a specific application running on a device. Which tool should you use? TDR Multimeter Toner probe Certifier Protocol analyzer
Protocol analyzer ************************** Use a protocol analyzer (also called a packet sniffer) to examine network traffic. You can capture or filter packets from a specific device or packets that use a specific protocol.
Which of the following password attacks uses preconfigured matrices of hashed dictionary words? Brute-force attack Rainbow table attack Dictionary attack Hybrid attack
Rainbow table attack
Which of the following roles would be MOST likely to use a protocol analyzer to identify frames that might cause errors? Standard user Security operations team Malicious hacker Network administrator
Security operations team
Which IDS method searches for intrusion or attack attempts by recognizing patterns or identifying entities listed in a database? Anomaly-analysis-based IDS Stateful-inspection-based IDS Signature-based IDS Heuristics-based IDS
Signature-based IDS ********************** A signature-based IDS, or pattern-matching-based IDS, is a detection system that searches for intrusion or attack attempts by recognizing patterns that are listed in a database.
Rainbow attack
Similar to dictionary attacks, but a rainbow attack uses special tables called rainbow tables that have common passwords and the generated hash of each password.
Carl received a phone call from a woman who states that she is calling from his bank. She tells him that someone has tried to access his checking account, and she needs him to confirm his account number and password to discuss further details. He gives her his account number and password. Which of the following types of non-technical password attack has occurred? Social engineering Dumpster diving Shoulder surfing Password guessing
Social engineering
Social engineering
Social engineering uses manipulation of people or situations to gain access to sensitive information.
Which of the following best describes shoulder surfing? Giving someone you trust your username and account password. Finding someone's password in the trash can and using it to access their account. Guessing someone's password because it is so common or simple. Someone nearby watching you enter your password on your computer and recording it.
Someone nearby watching you enter your password on your computer and recording it.
IP scanners
Special tools that allow a network administrator to scan the entire network to find all connected devices and their IP addresses.
Security information and event management
Special tools that gather network information and aggregate it into a central place. SIEM systems can actively read the network information and determine if there is a threat.
A router on the border of your network detects a packet with a source address that is from an internal client, but the packet was received on the internet-facing interface. This is an example of which form of attack? Snooping Sniffing Spamming Spoofing
Spoofing
Which type of activity changes or falsifies information in order to mislead or re-direct traffic? Spoofing Snooping Spamming Sniffing
Spoofing
What is the primary purpose of penetration testing? -Assess the skill level of new IT security staff. -Test the effectiveness of your security perimeter. -Evaluate newly deployed firewalls. -Infiltrate a competitor's network.
Test the effectiveness of your security perimeter.
Packet sniffing
The act of capturing data packets transmitted across the network and analyzing them for important information.
Threat hunting
The human-based, methodical search and monitoring of the network, systems and software in order to detect any malicious or suspicious activity that has evaded the automated tools.
Vulnerability scan
The process of capturing and analyzing packets to identify any security weaknesses in a network, computer system, local applications and even web applications.
Intelligence fusion
The sharing of information between multiple government agencies and private security firms.
Bug bounty
These unique tests are set up by organizations such as Google, Facebook and others. Ethical hackers can receive compensation by reporting bugs and vulnerabilities they discover.
A user named Bob Smith has been assigned a new desktop workstation to complete his day-to-day work. When provisioning Bob's user account in your organization's domain, you assigned an account name of BSmith with an initial password of bw2Fs3d. On first login, Bob is prompted to change his password. He changes it to the name of his dog, Fido. What should you do to increase the security of Bob's account? (Select two.) -Use a stronger initial password when creating user accounts. -Train users not to use passwords that are easy to guess. -Do not allow users to change their own passwords. -Require him to use the initial password, which meets the complexity requirements. -Configure user account names that are not easy to guess. -Use Group Policy to require strong passwords on user accounts.
Use Group Policy to require strong passwords on user accounts. Train users not to use passwords that are easy to guess.
The process of walking around an office building with an 802.11 signal detector is known as: Daemon dialing Driver signing War driving War dialing
War driving
You want to use a tool to see packets on a network, including the source and destination of each packet. Which tool should you use? nmap Wireshark Nessus OVAL
Wireshark
Which of the following tools can be used to view and modify DNS server information in Linux? tracert route netstat dig
dig
What social engineering technique involves looking through trash?
dumpster diving
You need to check network connectivity from your computer to a remote computer. Which of the following tools would be the BEST option to use? tracert route nmap ping
ping
Promiscuous mode
A mode in which the NIC processes every frame it sees, not just those addressed to it.
Threat feed
A service that tracks cyber threats across the world and provides real-time updates with IP addresses, URLs and other relevant information regarding the threats.
Security Orchestration, Automation and Response
A solution stack of compatible software programs that collect data about security threats from multiple sources and respond to low-level security events without human assistance.
Port mirroring
A switch mode in which all frames sent to all other switch ports will be forwarded on the mirrored port.
Common Vulnerability Scoring System
A system that ranks vulnerabilities based on severity.
Advisories and bulletins
Advisories and bulletins provide detailed updates on cyber threats. They are usually updated weekly.
As part of a special program, you have discovered a vulnerability in an organization's website and reported it to the organization. Because of the severity, you are paid a good amount of money. Which type of penetration test are you performing? Bug bounty Black box White box Gray box
Bug bounty
You are using a protocol analyzer to capture network traffic. You want to only capture the frames coming from a specific IP address. Which of the following can you use to simplify this process? Capture filters Display filters Switch NIC
Capture filters
Which SIEM component is responsible for gathering all event logs from configured devices and securely sending them to the SIEM system? Security automation SIEM alerts Collectors Data handling
Collectors
Intrusion Prevention System (IPS)
Device that monitors, logs, detects and can also react to stop or prevent security breaches.
Protocol Analyzer
Hardware or software used for monitoring and analyzing digital traffic over a network. Protocol analyzers go by other names, such as packet sniffers, packet analyzers, network analyzers, network sniffers, or network scanners.
Engine
IDS component that analyzes sensor data and events, generates alerts, and logs all activity.
Sensor
IDS component that passes data from the source to the analyzer.
Your organization uses a web server to host an e-commerce site. Because this web server handles financial transactions, you are concerned that it could become a prime target for exploits. You want to implement a network security control that analyzes the contents of each packet going to or from the web server. The security control must be able to identify malicious payloads and block them. What should you do? -Implement an application-aware IDS in front of the web server -Implement a packet-filtering firewall in front of the web server -Implement a stateful firewall in front of the web server -Implement an application-aware IPS in front of the web server -Install an anti-malware scanner on the web server
Implement an application-aware IPS in front of the web server ********************* You should implement an application-aware IPS in front of the web server. Even though an application-aware IDS can analyze network packets to detect malicious payloads, only an application-aware IPS can both detect and block malicious packets. Because of this, an application-aware IPS would be the most appropriate choice.
Which step in the penetration testing life cycle is accomplished using rootkits or Trojan horse programs? Enumeration Gain access Maintain access Reconnaissance
Maintain access ************************** Once a penetration tester has gained access, maintaining that access becomes the next priority. This can be done by installing backdoors, rootkits, or Trojans.
You want to use a tool to scan a system for vulnerabilities, including open ports, running services, and missing patches. Which tool should you use? LC4 Nessus OVAL Wireshark
Nessus ********************* A vulnerability scanner is a software program that searches an application, computer, or network for weaknesses. These weaknesses could be things such as open ports, running applications or services, missing critical patches, default user accounts that have not been disabled, and default or blank passwords. Vulnerability scanning tools include Nessus, Retina Vulnerability Assessment Scanner, and Microsoft Baseline Security Analyzer (MBSA).
You want to identify all devices on a network along with a list of open ports on those devices. You want the results displayed in a graphical diagram. Which tool should you use? OVAL Network mapper Port scanner Ping scanner
Network mapper
Gathering as much personally identifiable information (PII) on a target as possible is a goal of which reconnaissance method? Packet sniffing Active OSINT Passive
Open-source intelligence is any data that is collected from publicly available sources. The goal is to gather as much personally identifiable information (PII) as possible on the target.
Which type of reconnaissance is dumpster diving? Packet sniffing Active Passive OSINT
Passive
Which of the following Security Orchestration, Automation, and Response (SOAR) system automation components is often used to document the processes and procedures that are to be used by a human during a manual intervention? Response Orchestration Playbook Runbook
Playbook
Which phase or step of a security assessment is a passive activity? Privilege escalation Vulnerability mapping Enumeration Reconnaissance
Reconnaissance
You have run a vulnerability scanning tool and identified several patches that need to be applied to a system. What should you do next after applying the patches? -Document your actions. -Update the vulnerability scanner definition files. -Run the vulnerability assessment again. -Use a port scanner to check for open ports.
Run the vulnerability assessment again.
Which of the following systems is able to respond to low-level security events without human assistance? SOAR IDS SIEM Firewall
SOAR ********************** Security Orchestration, Automation, and Response (SOAR) systems gather and analyze data like SIEM systems, but they take the analysis to the next level. SOAR is a solution stack of compatible software programs that allow an organization to collect data about security threats from multiple sources and respond to low-level security events without human assistance.
False negative
Scan results that indicate no vulnerability when a vulnerability exists.
False positive
Scan results that indicate a vulnerability when none exists.
Which of the following is a very detailed document that defines exactly what is going to be included in the penetration test? Payment terms Goals and guidelines Rules of engagement Scope of work
Scope of work
Which of the following tools can be used to see if a target has any online IoT devices without proper security? theHarvester Shodan Packet sniffing scanless
Shodan
Eavesdropping
The act of covertly listening in on a communication between other people.
Passive reconnaissance
The process of gathering information about a target with no direct interaction with the target.
Active reconnaissance
The process of gathering information by interacting with the target in some manner.
Which of the following describes the worst possible action by an IDS? -The system identified harmful traffic as harmless and allowed it to pass without generating any alerts. -The system identified harmless traffic as offensive and generated an alarm. -The system detected a valid attack and the appropriate alarms and notifications were generated. -The system correctly deemed harmless traffic as inoffensive and let it pass.
The system identified harmful traffic as harmless and allowed it to pass without generating any alerts.
In your role as a security analyst, you need to stay up to date on the latest threats. You are currently reviewing the latest real-time updates on cyberthreats from across the world. Which of the following resources are you MOST likely using? Threat hunting Threat feeds Advisories and bulletins Intelligence fusion
Threat feeds
Which passive reconnaissance tool is used to gather information from a variety of public sources? scanless Shodan theHarvester Packet sniffing
theHarvester
Common Vulnerabilities and Exposures (CVE)
A list of standardized identifiers for known software vulnerabilities and exposures.
Reconnaissance
Also known as footprinting. This is the process of gathering information about a target before beginning any penetration test or security audit.
Heuristic-based detection
Also referred to as behavior, anomaly, or statistical-based detection. This detection method first defines a baseline of normal network traffic and then monitors traffic looking for anything that falls outside that baseline.
Signature-based detection
Also referred to as pattern matching, dictionary recognition, or misuse-detection (MD-IDS). This detection method looks for patterns in network traffic and compares them to known attack patterns called signatures.
Open-Source Intelligence (OSINT)
Any data that is collected from publicly available sources such as social media, search engines, company websites, media sources, or public government sources.
Which of the following activities are typically associated with a penetration test? -Create a performance baseline. -Interview employees to verify that the security policy is being followed. -Run a vulnerability scanner on network servers. -Attempt social engineering.
Attempt social engineering.
You have been hired as part of the team that manages an organization's network defense. Which security team are you working on? Blue Red Purple White
Blue
What does an IDS that uses signature recognition use to identify attacks? -Exceeding threshold values -Statistical analysis to find unusual deviations -Comparisons to known attack patterns -Comparison of current statistics to past statistics
Comparisons to known attack patterns ********************* Signature recognition, also referred to as pattern matching, dictionary recognition, or misuse-detection (MD-IDS), looks for patterns in network traffic and compares them to known attack patterns called signatures.
A security administrator logs onto a Windows server on her organization's network. Then she runs a vulnerability scan on that server. Which type of scan was conducted in this scenario? -Intrusive scan -Non-credentialed scan -Credentialed scan -Non-intrusive scan
Credentialed scan ********************* In a credentialed scan, the security administrator authenticates to the system prior to starting the scan. A credentialed scan usually provides detailed information about potential vulnerabilities. For example, a credentialed scan of a Windows workstation allows you to probe the registry for security vulnerabilities.
In your role as a security analyst, you ran a vulnerability scan, and several vulnerabilities were reported. Upon further inspection, none of the vulnerabilities actually existed. Which type of result is this? True negative False positive False negative True positive
False positive
As a security precaution, you have implemented IPsec that is used between any two devices on your network. IPsec provides encryption for traffic between devices. You would like to implement a solution that can scan the contents of the encrypted traffic to prevent any malicious attacks. Which solution should you implement? VPN concentrator Network-based IDS Port scanner Protocol analyzer Host-based IDS
Host-based IDS *********************** A host-based IDS is installed on a single host and monitors all traffic coming into the host. A host-based IDS can analyze encrypted traffic because the host operating system decrypts that traffic as it is received.
You are concerned about attacks directed at your network firewall. You want to be able to identify and be notified of any attacks. In addition, you want the system to take immediate action to stop or prevent the attack, if possible. Which tool should you use? Port scanner IDS Packet sniffer IPS
IPS
Which of the following describes a false positive when using an IPS device? -Legitimate traffic being flagged as malicious -The source address identifying a non-existent host -Malicious traffic masquerading as legitimate traffic -Malicious traffic not being identified -The source address matching the destination address
Legitimate traffic being flagged as malicious
A security administrator needs to run a vulnerability scan that analyzes a system from the perspective of a hacker attacking the organization from the outside. Which type of scan should he or she use? Credentialed scan Network-mapping scan Non-credentialed scan Port scan
Non-credentialed scan ************************ In a non-credentialed scan, the security administrator does not authenticate to the system prior to running the scan. A non-credentialed scan can be valuable because it allows the scanner to see the system from the same perspective that an attacker would see it. However, a non-credentialed scan does not typically produce the same level of detail as a credentialed scan.
Black box test
Penetration test in which the ethical hacker has no information regarding the target or network. This type of test best simulates an outside attack and ignores the insider threats.
White box test
Penetration test in which the ethical hacker is given full knowledge of the target or network. This test allows for a comprehensive and thorough test, but is not very realistic.
Gray box test
Penetration test in which the ethical hacker is given partial information of the target or network, such as IP configurations, email lists, etc. This test simulates the insider threats.
Which of the following uses hacking techniques to proactively discover internal vulnerabilities? Passive reconnaissance Inbound scanning Penetration testing Reverse engineering
Penetration testing
You decide to use a packet sniffer to identify the type of traffic sent to a router. You run the packet sniffing software on a device that is connected to a hub with three other computers. The hub is connected to a switch that is connected to the router. When you run the software, you see frames addressed to the four workstations, but not to the router. Which feature should you configure on the switch? Port mirroring Bonding Promiscuous mode Spanning Tree Protocol
Port mirroring *************** A switch only forwards packets to the switch port that holds a destination device. This means that when your packet sniffer is connected to a switch port, it does not see traffic sent to other switch ports. To configure the switch to send all frames to the packet sniffing device, configure port mirroring on the switch. With port mirroring, all frames sent to all other switch ports are forwarded on the mirrored port.
You want to make sure that a set of servers only accepts traffic for specific network services. You have verified that the servers are only running the necessary services, but you also want to make sure that the servers do not accept packets sent to those services. Which tool should you use? IPS Packet sniffer IDS Port scanner System logs
Port scanner ************************ Use a port scanner to check for open ports on a system or firewall. Compare the list of open ports with the list of ports allowed by your network design and security policy. Typically, a port is open when a service starts or is configured on a device. Open ports for unused services expose the server to attacks directed at that port.
War driving
The act of driving around with a wireless device looking for open, vulnerable wireless networks.
War flying
The act of using drones or unmanned aerial vehicles to find open wireless networks.
An active IDS system often performs which of the following actions? (Select two.) -Updates filters to block suspect traffic. -Traps and delays the intruder until the authorities arrive. -Cannot be detected on the network because it takes no detectable actions. -Performs reverse lookups to identify an intruder. -Requests a second logon test for users performing abnormal activities.
Updates filters to block suspect traffic. Performs reverse lookups to identify an intruder.
You want to be able to identify the services running on a set of servers on your network. Which tool would BEST give you the information you need? Protocol analyzer Port scanner Network mapper Vulnerability scanner
Vulnerability scanner *********************** Use a vulnerability scanner to gather information about systems such as the applications or services running on a system. A vulnerability scanner often combines functions found in other tools and can perform additional functions, such as identifying open firewall ports, missing patches, and default or blank passwords.
You have been promoted to team lead of one of the security operations teams. Which security team are you now a part of? Red Purple Blue White
White
You have been hired to perform a penetration test for an organization. You are given full knowledge of the network before the test begins. Which type of penetration test are you performing? Gray box Bug bounty White box Black box
White box
You need to enumerate the devices on your network and display the network's configuration details. Which of the following utilities should you use? nmap nslookup scanless dnsenum
nmap ********************** The nmap utility is an open-source security scanner used for network enumeration and the creation of network maps. Use nmap to send specially crafted packets to a target host and then analyze the responses to create a map.