Test 2v2
You have configured a standalone computer to analyze malware. It has port monitors, file monitors, and virtualization installed, and it has no network connectivity. What is this system called?
A sheep dip computer
Which of the following best describes a phishing attack?
A social engineering attack in which the attacker presents to a user a link or an attachment that looks like a valid, trusted resource.
Which covert communication program can bypass router ACLs that block incoming SYN traffic on port 80?
AckCmd
Which of the following is not a valid virus type of infection?
Add-on shell
n CVSS, the ______ group represents the intrinsic characteristics of a vulnerability that are constant over time and do not depend on a user-specific environment. This metric group is the most important information in the scoring system and the only one that's mandatory to obtain a vulnerability score.
Base
Which of the following is an industry standard that is used to provide a score of the risk of a given security vulnerability?
CVSS
Which of the following measures whether or not a public exploit is available?
CVSS temporal group exploit code maturity metric
Which of the following is not a banking malware propagation technique?
Code injection
You are going to try to trick an internal user into installing a tool for you to use to exfiltrate traffic. Which of the following tools would be the best to evade a network-based IDS?
Cryptcat
Which of the following is not a common tool used for static malware analysis?
Currports
Netcat is an example of which of the following?
Document Trojan that could be used to infect a system
After accessing a router configuration file, you found the following: password 7 0832585B0D1C0B0343. What type of password is it?
Vigenere
Which of the following is the correct port and protocol combination designed specifically for transporting event messages used to track suspicious activity?
UDP and syslog
Which type of attack occurs when an IDS discards the packet that is accepted by the host?
Evasion
Which is of the following is the worst state for security monitoring?
False Negative
During a pen test, you discover a vulnerability scanner which reports that port 80 on the target system is open and labels the application as nginx. However, when you try to connect to the targeted device on that port you get the following message: SSH Connection Error: The authenticity of host '192.168.78.8' can't be established. ECDSA key fingerprint is SHA256:zji8Q3580eVg2m3l1HIrzKFl0. This indicates that the target system is configured for SSH access over port 80. Which of the following describes this scenario?
False negative
Your co-worker has set up a packet filter to filter traffic on the source port of a packet. He wants to prevent DoS attacks and would like you to help him to configure Snort. Which of the following is correct?
Filtering on the source port of the packet will not prevent spoofing.
Which type of control would be best suited to detect an application anomaly such as malware that had taken control of an application and was causing it to act abnormally?
HIDS
While getting ready to pay some bills, you visit your bank's website and prepare to log in. However, you notice that the login page now has several additional fields where your bank ATM and your Social Security number are requested. What category of banking Trojan could be responsible for this modification?
HTML Injection
KeyGhost is an example of what?
Hardware keylogger
Your Windows computer is running erratically, and you suspect that spyware has been installed. You have noticed that each time you try to go to an antivirus website, your computer is redirected to another domain and you are flooded with pop-ups. What file did the spyware most likely modify?
Hosts
You have decided to set up Snort. A co-worker asks you what protocols it cannot check. What is your response?
IGMP
A business has hired you as a penetration tester after a recent security breach. The attacker was successful at planting a Trojan on one internal server and extracting all its financial data. Which of the following is an immediate recommendation that you can give the business?
Immediately move the financial data to another system
Which type of attack occurs when an IDS accepts packets that are discarded by the host?
Insertion
After two days of work, you successfully exploited a traversal vulnerability and gained root access to a CentOS 6.5 server. Which of the following is the best option to maintain access?
Install netcat
Which of the following is a disadvantage of a signature IDS?
It cannot detect day zero attacks
You have been asked to create a Snort filter that will log traffic from well-known ports and going to ports greater than or equal to 666. Which of the following accomplishes this task?
Log TCP any :1024 -→ 192.168.123.0/24 666:
Which of the following refers to the act of incorporating malicious ads on trusted websites, which results in users' browsers being inadvertently redirected to sites hosting malware?
Malvertising
Snort is considered which of the following?
NIDS
You have completed a port scan and were given the following results: Interesting ports on 192.168.123.254: Not shown: 1712 closed ports PORT STATE SERVICE 1500/tcp open 1501/udpopen MAC Address: 00:1C:10:F5:61:9C (Cisco-Linksys) Nmap done: 1 IP address (1 host up) scanned in 4.770 seconds Which of the following is the most correct match
NetGuard Firewall
Which of the following best describes Netcat?
Netcat is called the TCP/IP Swiss army knife. It works with Windows and Linux and can read and write data across network connections using TCP or UDP.
You need to identify all inbound and outbound network traffic for attacks. Which of the following would best meet your needs?
Network-based IDS
You have been running Snort on your network and captured the following traffic. Can you identify what is occurring? 11/12-01:52:14.979681 0:D0:9:7A:E5:E9 -> 0:D0:9:7A:C:9B type:0x800 len:0x3E 192.168.13.10.237:1674 -> 192.168.13.234:1745 TCP TTL:128 TOS:0x0 ID:5277 IpLen:20 DgmLen:48 ******S* Seq: 0x3F2FE2AAAck: 0x0Win: 0x4000TcpLen: 28 TCP Options (4) => MSS: 1460 NOP NOP SackOK =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Nmap XMAS scan
What does the command nc -n -v -l -p 25 accomplish?
Opens up a Netcat listener on the local computer on port 25
______are similar to programs such as WinZip, Rar, and Tar in that they compress the file yet are used to hide the true function of malware.
Packers
Which of the following is a vulnerability assessment methodology where the targeted host is not actively attacked?
Passive assessment
Your IDS is actively matching incoming packets against known attacks. Which of the following technologies is being used?
Pattern matching
Which of the following is not true about pharming?
Pharming can be done by exploiting a buffer overflow using Windows PowerShell.
Which of the following attacks can be done by altering the host file on a victim's system, through DNS poisoning, or by exploiting a vulnerability in a DNS server?
Phishing
Which form of evasion uses an encoder and a cipher and exploits the fact that most IDSs use signatures for commonly used strings within shellcode?
Polymorphic
Which IDS evasion technique attempts to desynchronize the IDS from the actual sequence number that the kernel is honoring?
Post-connect SYN
Which of the following can maintain a state table?
Proxy Servers
Which of the following describes a type of malware that restricts access to the computer system's files and folders until a monetary payment is made?
Ransomware
Which of the following is an example of a tool that can be used to perform social engineering attacks?
SET
A number of attackers have used _____________ to send malware or malicious links to mobile devices.
SMS phishing
Which of the following is an example of a social engineering attack that is not related to email?
SMS phishing
Which of the following is true about social engineering motivation techniques?
Scarcity can be used to create a feeling of urgency in a decision-making context. It is possible to use specific language in an interaction to present a sense of urgency and manipulate the victim.
Which of the following best describes a covert communication?
Sending and receiving unauthorized information or data by using a protocol, service, or server to transmit info in a way in which it was not intended to be used
How would you describe an attack in which an attacker attempts to deliver the payload over multiple packets for long periods of time?
Session splicing
What is the purpose of the command nc -l -v -n -p 80?
Set up a covert channel listening on port 80
You have been asked to start up Snort on a Windows host. Which of the following is the correct syntax?
Snort -ix -dev -l\ snort\ log
Veriato Investigator is an example of what?
Software keylogger
Which of the following is true about spear phishing?
Spear phishing is phishing attempts that are constructed in a very specific way and directly targeted to specific individuals or companies.
Examine the following Snort rule: Alert tcp any any -> 192,168.13.0/24 (msg: "Scan detected"; flags:SF;) Which of the following is correct?
This command detects a SYN FIN scan.
Examine the following Snort rule: log TCP any any -> 192.168.123.0/24 1024: Which of the following is correct
This command logs all TCP traffic from any port going to ports greater than or equal to 1024.
Why would an attacker send the following ASCII string? "cM2KgmnJGgbinYshdvD9d"
To Avoid a signature attack
Which of the following is a vulnerability assessment methodology where the auditor may use methodologies for Windows-based systems that are different from Linux-based systems?
Tree-based assessment
You have discovered that several of your team members' computers were infected. The attack was successful because the attacker guessed or observed which websites the victims visited and infected one or more of those sites with malware. Which type of attack was executed?
Watering hole attack
Which of the following tools can be used to attempt session splicing?
Whisker
Tools used to combine a piece of malware with a legitimate program are known as what?
Wrappers
During a pen test, you have been successful at running shellcode on a victim's systems and now have a command prompt internally. To map the internal network, you have issued the following command that returns no output: $nmap -T3 -O 192.168.192.168.123.0/24 What is the most likely problem?
You do not have the correct level of access on the compromised machine.
You have been asked to examine a Windows 7 computer that is running poorly. You first used Netstat to examine active connections, and you now would like to examine performance via the Computer Management Console. Which of the following is the correct command to launch it?
c:\compmgmt.msc
Which of the following best describes what is pretexting?
impersonation
Which of the following is not a Trojan mitigation step?
manual updates
If you approach a running system that you suspect may be infected, what might you do to quickly assess what is running on the system by using built-in applications?
netstat -an
You are hardening your network and building up your edge detection capability. As such, you have configured syslog to receive and collect Snort alerts. Syslog has not received updates from your Snort server. Thus, you would like to troubleshoot the configuration. If you have Wireshark on the Snort machine, and your Snort server is 192.168.123.99, what would be the correct filter to see if traffic is being sent to your syslog server at 192.168.123.150?
tcp.dstport==514 && ip.src==192.168.123.150