CEH Prep

What is considered the best option against session hijacking?

Use unpredictable sequence numbers

Which of the following are aspects of the Common Criteria testing process?

"Common Criteria" is an international standard (ISO/IEC 15408) for computer security certification that provides a framework for computer system users to specify their security functional and assurance requirements (SFRs and SARs, respectively). Vendors can implement and make claims about the security attributes of their products, and testing laboratories can evaluate the products to determine whether they actually meet the claims. There are four aspects to the test—a target of evaluation (TOE, the system being tested), a security target (ST, the documentation describing the TOE and requirements), protection profile (PP, the requirements for the type of product being tested), and the evaluation assurance level (EAL, the rating level, ranked from 1 to 7).

You are cataloging asset worth in the environment. A particular hard drive fails once every three years and costs $300 to replace. Fourteen hours is required to restore normal operations on a failure. Recovery technicians earn $10 an hour. Which of the following is the closest approximate cost of the ALE?

$146 is correct. ALE = SLE × ARO. In this case, ALE = [$300 (replacement) + $140 (14 hours @ 10/hour)] × 33 percent (1 failure every 3 years).

The < character opens an HTML tag, and the > character closes it. In some web forms, input validation may deny these characters to protect against XSS. Which of the following represent the HTML entities used in place of these characters? (Choose two.)

&gtl &lt;

what is a DROWN attack?

(Decrypting RSA with Obsolete and Weakened eNcryption) allows attackers to break SSLv2 encryption (left on sites for backward compatibility) and read or steal sensitive communications

Which switch should be used in an nmap OS detection scan to only attempt fingerprinting machines with at least one open TCP port? --osscan-limit -TCP-only --fuzzy -T4

--osscan-limit The --fuzzy switch is the same as --osscan-guess. When nmap is unable to detect a perfect OS match, it can offer near matches as possibilities. The match has to be very close for nmap to do this by default. If you specify this option (or the equivalent --fuzzy option), nmap will guess more aggressively

An attacker is setting up a netcat listener on a Windows system and wants it to stay in persistent mode. Which of the following commands does this?

-L -l option opens the port as a listening port but does not keep it persistent. The -e and -n options (-e defines a program to execute, and -n prohibits DNS lookups)

Netstat commands

-an (all connections and listening ports in numerical form) -r (displays the route table -s (displays per-protocol statistics)

On a Windows-based machine, which switch can be used in ping to set the size of the echo request packet?

-l The -l switch allows you to change the default packet size of an echo request leaving your machine. The default packet size leaving a Windows machine is 32 bytes The -a switch resolves addresses to hostnames. The -s switch provides a timestamp for count hops. The -t switch indicates the ping will continue until stopped.

nmap flags

-p (one port) -sS (stealth scan and half-opens connection) -T (how fast the scan is 1 is low and 5 is crazy) -Pn (skip ping test) -A (aggressive) -sU (performs a UDP scan) -O (displays operating system)

Which of the following represents the correct steps you should take when encrypting and signing a message using PKI?

1. Create a hash of the message. 2. Encrypt the hash with your private key. 3. Encrypt the message with the recipient's public key

Which of the following is a symmetric cryptographic standard? 3DES ECC PKI RSA

3DES

You are searching for systems with file sharing enabled. Which port would be seen in a listening state on a Microsoft Windows machine, thus indicating file sharing?

445 There are a few ports in Microsoft system file-sharing you should be aware of. Microsoft file sharing SMB uses UDP and TCP ports from 135 to 139. Direct-hosted SMB traffic without NetBIOS uses port 445 (TCP and UPD). 161 is an SNMP port, 3389 is associated with Terminal Services (a.k.a. Remote Desktop), and 1433 is an MS SQL port.

You are examining a host with an IP address of 65.93.24.42/20, and you want to determine the broadcast address for the subnet. Which of the following is the correct broadcast address for the subnet? 65.93.255.255 65.93.31.255 65.93.0.255

65.93.31.255

The loopback address represents the local host and in IPv4 was represented by 127.0.0.1. What is the loopback address in IPv6?

::1

In a CSPP (Connection String Parameter Pollution) attack, which of the following would most likely be used?

; The entire attack is based on the use of semicolons by web applications in communicating with databases

Which of the following best describes a wrapping attack?

A SOAP message is intercepted, data in the envelope is changed, and then it is sent/replayed Wrapping attacks involve messing with SOAP messages and replaying them as legitimate.

different types of cloud computing model

A community cloud model is one where the infrastructure is shared by several organizations, usually with the same policy and compliance considerations. For example, multiple different state-level organizations may get together and take advantage of a community cloud for services they require. A private cloud model is operated solely for a single organization (a.k.a. single-tenant environment), is usually not a pay-as-you-go type of operation, and is usually preferred by larger organizations. A public cloud model is one where services are provided over a network that is open for public use (like the Internet). The hybrid cloud model is exactly what it sounds like—a composite of two or more cloud deployment models.

Which of the following best describes a Window Update Packet?

A packet used by the receiving device to negotiate a larger window size during data exchange

Different type of classifications for attackers

A pure insider is an employee of the organization who already has legitimate credentials. Insider affiliates are spouses or friends who illegally use the credentials. Outside affiliates are outside attackers (hackers). Inside associates are limited-access employees, such as cleaning staff.

Which of the following best describes the role that the U.S. Computer Security Incident Response Team (CSIRT) provides?

A reliable and consistent point of contact for all incident response services for associates of the Department of Homeland Security

In sniffing traffic, you come across an ICMP type 3, code 13 packet. What is this packet used for?

Administratively prohibited ICMP type 3 indicates unreachable, not TTL expiration (type 7) or redirect (type 5)

Which of the following statements are true? (Choose three.) Aircrack can use PTW to crack WEP keys Aircrack can use Korek to crack WEP keys Aircrack can use a dictionary list to crack WEP keys Aircrack can use a rainbow table to crack WEP keys

Aircrack can use PTW to crack WEP keys Aircrack can use Korek to crack WEP keys Aircrack can use a dictionary list to crack WEP keys

Which of the following best matches the purpose of key escrow?

Allows a third party to access sensitive data if the need arises Key escrow agents are usually used when the government needs access to something during an investigation.

A client asks you about intrusion detection systems. The company wants a system that dynamically learns traffic patterns and alerts on abnormal traffic. Which IDS would you recommend?

Anomaly based

Payment Card Industry Data Security Standard (PCI-DSS) requires organizations to perform external and internal penetration testing. What is the required occurrence?

At least once a year and after any significant infrastructure or application upgrade or modification

Which of the following is a good way to attempt to quickly identify the operating system of your target?

Attempt a telnet session to the machine and examine the banner is correct. Banner grabbing is a time-tested, quick, and easy way to identify operating systems.

Which of the following statements best describes the term "likelihood" in regard to risk management?

Likelihood is the probability that a threat will exploit a particular vulnerability

Which of the following best describes an effort to identify systems that are critical for continuation of operation for the organization?

BIA Business impact analysis process that identifies and evaluates the potential effects that man-made or natural events will have on business operations, and it identifies the critical systems that would be affected by them

Which of the following is the least likely step you should take in recovering from a malware infection? reinstall the OS from original media delete system restore points remove the system from the corporate network back up the hard drive

Back up the hard drive is correct. Of the options provided, this one is by far the least likely step you'd take in recovery. Backing up an already-infected hard drive for restore purposes later on, when you know there's an infection somewhere on the disk, makes as much sense as putting sugar on your grits. It's a horrible idea and just doesn't work. Why copy the malware?

A pen tester is using netcat in connection with a target over port 80. The results are displayed here: HTTP/1.1 200 OK Server: Microsoft-IIS/6 Expires: Tue, 17 Jan 2018 01:41:33 GMT Date: Mon, 16 Jan 2018 01:41:33 GMT Content-Type: text/html Accept-Ranges: bytes Last-Modified: Wed, 28 Dec 2016 15:32:21 GMT ETag: "b0aac0542e25c31:89d" Content-Length: 7369 Which of the following best describes what was accomplished?

Banner Grabbing

Which of the following refers to monitoring security configuration changes over time?

Baselining to develop a baseline, you take a snapshot of the current system's security controls and configuration settings. This can be compared to future states (monitored over time) to see what security and configuration changes have been made. Those that are valid go into the new baseline, and those that aren't are cut.

Which of the following provides specific services to untrusted networks or hosts?

Bastion host

A pen test team member wants to clone a website to an offline copy, for further screening and examination later. Which of the following tools is the best choice for this purpose?

BlackWidow BlackWidow can download a clone of a website for scanning and vulnerability discovery at your leisure. It can download an entire website or download portions of a site, and it can build a site structure

SQL queries based solely on responses to true/false?

Blind SQL injection

Which of the following cipher types transforms a fixed-length block of plain text into cipher text of the same length?

Block

Which of the following is the best choice for performing a bluebugging attack?

Blooover

which of the following tools allow for Bluetooth device discovery?

BlueScanner BT Browser

OWASP releases several Top Ten lists. On their top security priorities, one entry includes flaws that allow attackers to compromise passwords, encryption keys, and session tokens. Which of the following matches this description best?

Broken Authentication

Where is the SAM file stored on a Windows 10 system?

C:\Windows\System32\Config\

An organization wants to save on time and money and decides to go with an automated approach to pen testing. Which of the following tools would work for this? (Choose all that apply.) CANVAS Nmap Netcat Core Impact

CANVAS Core Impact CANVAS and core impact are both automated suites while the other two are manual pen test tools

Which of the following provides the integrity method for WPA2? CCMP RC4 AES 802.1x

CCMP As good as WPA was, there were tiny flaws to be exploited in TKIP. Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) was created to fix those and is the integrity method used by Wi-Fi Protected Access 2 RC4 and AES are encryption algorithms (AES is used in WPA, by the way). 802.1x is the standards family wireless comes from

Which of the following provides for integrity in WPA2?

CCMP Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) uses message integrity codes (MICs) for integrity purposes. Temporal Key Integrity Protocol (TKIP) is a protocol designed to keep keys from getting stale during the wireless communication process. RADIUS (Remote Authentication Dial-In User Service) is a service/protocol enabling remote access servers to communicate with a central server to provide authentication and authorization services for dial-in users.

Which Trojan presents various exploitation techniques, creating arbitrary transfer channels in authorized network access control system data streams?

CCTT A Covert Channel Tunneling Trojan (CCTT) enables attackers to gain shell interfaces into and out of a network using authorized channels covertly. It involves the use of a CCTT box acting as an internal server communicating with a CCTT client externally using allowed channels—like an HTTP tunnel, for instance.

Which of the following attacks injects parameters into a connection string using semicolons as separators?

CSPP CSPP is a high-risk attack because of the relative ease with which it can be carried out and the potential results it can have

An attacker takes advantage of a web application's use of semicolons in communication with databases and enters additional strings to carry out malicious instructions. Which of the following best defines this attack?

CSPP is correct. A connection string parameter pollution (CSPP) attack takes advantage of web applications that communicate with databases by using semicolons to separate parameters. An attacker can end a parameter prematurely with a semicolon and then add his own code.

Which attack can be mitigated by configuring the web server to send random challenge tokens?

CSRF (Cross-Site Request Forgery) In a CSRF attack, a user is already on a validated session with the target server. He then opens a link sent by the attacker to a malicious site. If things are set appropriately, the attacker can then send requests to the user's valid server connection. Using random challenge tokens ensures each request is actually coming from the user's already-established session.

Which of the following attacks causes a web browser to send a request that the browser's user did not intend to send?

CSRF is correct. Of the answers provided, a cross-site request forgery (CSRF) is the most likely culprit. In a CSRF attack, the user is tricked (usually by phishing) into visiting a malicious website, while the user has an active, authenticated session with a trusted website. The malicious website can then instruct the user's web browser to send a request to the target website.

Which of the following attacks is RSA specifically vulnerable to?

Chosen-cipher-text attacks

In cloud architecture, as defined by NIST, which role acts to manage the use, performance, and delivery of cloud services as well as the relationships between providers and subscribers? cloud consumer cloud auditor cloud broker cloud carrier

Cloud broker is correct. The cloud broker acts to manage the use, performance, and delivery of cloud services as well as the relationships between providers and subscribers. Per NIST SP 500-292, the broker "acts as the intermediate between consumer and provider and will help consumers through the complexity of cloud service offerings and may also create value added cloud services as well." The cloud carrier is the organization that has the responsibility of transferring the data, akin to the power distributor for the electric grid. The cloud consumer is the individual or organization that acquires and uses cloud products and services. The cloud auditor is the independent assessor of cloud service and security controls.

You use AWS as a cloud service and want to perform an automated test against it. Which tool best suits your needs?

CloudInspect

Which of the following tools provides visibility and security controls for servers in a cloud? AWSExploit Metsploit CloudPassage Halo CloudInspect

CloudPassage Halo CloudPassage Halo "provides instant visibility and continuous protection for servers in any combination of data centers, private clouds, and public clouds."

Phishing, pop-ups, and IRC channel use are all examples of which type of social engineering attack?

Computer based

Metasploit simplifies many attack sequences and provides several options. How would an attacker pivot an attack from one system to another within Metasploit?

Create a route statement in the meterpreter Pivoting is a technique of using a foothold (or instance) to move around inside a network. In short, the first compromise is used to allow and aid in the compromise of other otherwise inaccessible systems. The meterpreter resides entirely in memory and writes nothing to disk, and adding a route statement inside the dynamic meterpreter environment allows the attack to "pivot" to a new target.

Which of the following provides a Linux environment for Windows users? Cygwin UNIWIN Backtrack Ip Tables

Cygwin Cygwin provides a Linux-like environment for Windows. It contains many open source tools, providing functionality similar to a Linux distribution on Windows.

Which of the following is most likely to interfere with a system's resource usage?

HIDS is correct. A host-based intrusion detection system (HIDS) is, by design, host based. Therefore, it is installed on the system itself and eats up resources like I do hot doughnuts. HIDSs are great at providing an additional layer of protection in your environment, but they do come at a resource cost.

Which of the following is a symmetric algorithm? ECC DES SHA-1 Diffie-Hellman

DES

Key Sizes

DES = encipher and decipher blocks of 64 bits AES = symmetric-key 128 bit block size key sizes of 128, 192, and 256 bits

A user accesses the company website www.somebiz.com from his home computer and is presented with a defaced site containing disturbing images. He calls the IT department to report the website hack and is told they do not see any problem with the site—no files have been changed, and when accessed from their terminals (inside the company) the site appears normal. The user connects over VPN into the company website and notices the site appears normal. Which of the following might explain the issue?

DNS poisoning

Examine the following command-line entry: ``` nslookup > server 135.16.205.22 > set type = any > ls -d AnyBiz.com ``` What is the attacker attempting?

DNS zone transfer

what is a DNS transfer

DNS zone transfer, also sometimes known by the inducing DNS query type AXFR, is a type of DNS transaction. It is one of the many mechanisms available for administrators to replicate DNS databases across a set of DNS servers

Which of the following is a suite of IETF specifications for securing DNS records?

DNSSEC Domain Name System Security Extensions (DNSSEC) was released by IETF as a means to help clients verify the true originator of DNS messaging.

Which of the following methods does Aircrack-ng use when targeting WPA2-enabled keys?

Dictionary List WPA and WPA2 are more secure than WEP, with WPA using TKIP and WPA2 on CCMP. Aircrack has only one option with either of these—a dictionary list.

Which of the following describes a primary advantage for using Digest authentication over Basic authentication?

Digest authentication never sends a password in clear text over the network There are a couple of different methods a web page can use to negotiate credentials with a web user using HTTP. Digest authentication hashes a password before sending it, whereas Basic just sends it in plain text.

what is bluesmacking

DoS attack

what is a smurf attack

DoS attack using ICMP (in a broadcast PING attack)

Which of the following is the rating assigned by a Common Criteria evaluation? EAL PP TOE ST

EAL (Evaluation Assurance level) PP = Protection Profile (requirements for the type of product being tested) TOE = target of evaluation (product being tested) ST = security target (documentation)

In which step of EC-Council's hacking methodology would you expect to use remote execution tools and spyware?

Executing applications

Which of the following tools is designed as a sniffer for IoT traffic?

Foren6 "leverages passive sniffer devices to reconstruct a visual and textual representation of network information to support real-world Internet of Things applications where other means of debug (cabled or network-based monitoring) are too costly or impractical.

Ethical hacker Brad is testing insecure direct object reference. He attempts to gain account access to resources under a username he discovered called Joe. Which of the following best demonstrates an attempt to exploit the insecure direct object reference?

GET /restricted/accounts/?name=Joe HTTP/1.1

Which of the following laws protects the confidentiality and integrity of personal information collected by financial institutions?

GLBA The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to take steps to protect customer information. It also forces them to provide their privacy practices to the public.

A client wants the pen test attack to simulate an inside user who finds ways to elevate privileges and create attacks. Which test type does the client want?

Gray box is correct. Gray-box tests are indicative of those where some knowledge is given of the target and are designed to replicate an inside attacker. white box = all knowledge known black box= no knowledge but outside

An attacker is attempting to telnet to an internal server. He has done his homework and knows port 23 is open on the machine, it is listening for requests, and he can reach it using port scans from his current location (nmap). To hide his tracks, he spoofs his IP address and then launches telnet against the server. His attempts fail. What is the most likely cause?

He cannot spoof his IP and successfully use telnet The replies will be sent back to the actual IP that the attacker is spoofing.

You are monitoring the activities of your pen test team and notice one member opening Airsnarf. What is he trying to accomplish?

He is trying to sniff passwords and user ID's

An attacker uses a Metasploit auxiliary exploit to send a series of small messages to a server at regular intervals. The server responds with 64 bytes of data from its memory. Which of the following best describes the attack being used?

Heartbleed Heartbleed takes advantage of the data-echoing acknowledgement heartbeat in SSL. OpenSSL version 1.0.1 through version 1.0.1f are vulnerable to this attack. Basically the attacker sends a single byte of data while telling the server it sent 64KB of data. The server will then send back 64KB of random data from its memory

Valuable, sensitive data appears to have been stolen from the organization. Investigation shows no apparent successful attacks against the business infrastructure over several months. During the investigation, a user returns a laptop found to hold the sensitive information on it. When queried, she admitted to using the laptop after work at a local Starbucks while having an afternoon coffee. Which of the following attacks did she most likely fall victim to?

Honeyspot

Which of the following is the best choice for providing secure remote access, minimizing MITM opportunities?

IPSec IPSec sets up a tunnel between hosts to securely transfer data. It's easy to set up and use and provides many benefits. One such benefit is reducing man-in-the-middle (MITM) attack opportunities.

Which of the following best represents Amazon EC2?

IaaS Amazon's EC2 provides resizable compute capacity in the cloud via VMs that can be controlled via API, thus fitting the definition of IaaS. Infrastructure as a Service (IaaS) basically provides virtualized computing resources over the Internet.

Which of the following is true regarding LM hashes?

If the right side of the hash ends with 1404EE

Which of the following best describes ARP poisoning?

In ARP poisoning, at attacker continually inserts invalid entries into an ARP cache.

what is true regarding WEP cracking?

Initialization Vectors are small, get reused frequently, and are sent in clear text

Which of the following is true regarding ESP in Tunnel Mode?

It encrypts the entire packet Tunnel Mode encrypts the entire package

Which of the following statements is true regarding STP?

It is a Layer 2 protocol Spanning Tree Protocol is considered a Layer 2 protocol. It prevents switching loops (sending packets whizzing about forever in a perpetual broadcast loop) by killing connecting ports along the way

Which of the following best describes session key creation in SSL?

It is created by the client after the servers identity is verified

Which of the following is a passive wireless discovery tool? Aircrack Kismet NetStumbler Netsniff

Kismet Kismet works as a passive network discovery tool, without using packet interjection to gather information. Kismet also works by channel hopping to discover as many networks as possible and has the ability to sniff packets and save them to a log file, readable by Wireshark or tcpdump. NetStumbler is an active discovery tool. Aircrack is a WEP cracking program. Netsniff is a false choice.

Which of the following statements is true regarding Kismet?

Kismet can discover wireless networks that are not sending beacon frames Kismet's primary use is scanning for (and sniffing) wireless networks. Even if the security admin turns beaconing off (so no one can supposedly search for the SSID), Kismet can still find the network for you

Which of the following protects against MITM attacks in WPA?

MIC

In WEP, data integrity is provided by a 32-bit integrity check value (ICV) that is appended to the 802.11 payload and encrypted. However, this could be changed by an attacker without being detected by the recipient. What does WPA use as an improved integrity measure?

MIC Message integrity check (MIC, also known as Michael) is a feature of WPA that provides for integrity checking and, therefore, helps protect against man-in-the-middle attacks

Which of the following is true regarding MX records?

MX record priority increases as the preference number decreases

What is netcat used for?

Maintaining access to a system and it can also serve as a monitoring tool for connections over the network. Both incoming and outgoing connections, routing tables, port listening, and usage statistics are common uses for this command

A team member advises that sometimes metadata in publicly available documents can provide valuable intelligence on a target. Which of the following tools can perform a metadata search for you?

Metagoofil

Metasploit operates with multiple payload types. Which Metasploit payload type operates via DLL injection and is very difficult for AV software to pick up?

Meterpreter Its purpose is to provide complex and advanced features that allow developers to write their own extensions in the form of shared object (DLL) files that can be uploaded and injected into a running process on a target computer after exploitation has occurred

what is port 445?

Microsoft-DS SMB file sharing It can also run over TCP or UDP depending on the usage

In 2016, the "Dyn attack" resulted in one of the largest and most successful DDoS efforts in history. Which malware played a large role in the attack?

Mirai For about three and a half hours on October 21st, 2016, IoT devices infected with the Mirai malware crippled Internet traffic by disrupting the DNS service's ability to respond to resolution requests.

Which of the following statements best describes a DRDoS attack?

Multiple intermediary machines send the attack at the behest of the attacker The distributed reflection denial of service (DRDoS) attack is, for all intents and purposes, a botnet. Secondary systems carry out attacks so the attacker remains hidden

Which of the following statements is true regarding n-tier architecture?

N-tier allows each tier to be configured and modified independently

OSSTMM defines interactive and process controls. Which of the following are process controls?

Nonrepudiation, confidentiality, privacy is correct. The Open Source Security Testing Methodology Manual (OSSTMM) notes ten different types of controls. Process controls are nonrepudiation, confidentiality, privacy, integrity, and alarm. Interactive controls include authentication, indemnification, resilience, subjugation, and continuity.

who is WebGoat maintained by?

OWASP

Which of the following defines a method of transmitting data that doesn't violate a security policy?

Overt Channel An overt channel is one being used for its intended purpose. In other words, overt channels are legitimate

Which of the following would most likely be used to encrypt an entire hard drive?

PGP Pretty Good Privacy (PGP) uses an asymmetric encryption method to encrypt information. Although generally associated with e-mail, it can encrypt virtually anything. PGP uses public/private key encryption.

Which of the following is a software application used to asymmetrically encrypt and digitally sign e-mail? S/MIME SSL PGP PPTP

PGP Pretty Good Privacy is used for signing, compressing, and encrypting and decrypting e-mails, files, directories, and even whole disk partitions, mainly in an effort to increase the security of e-mail communications S/MIME is associated with protection of e-mail, but it is a protocol, not an application

What is the primary difference between PGP and S/MIME?

PGP can be used to encrypt hard drives, but S/MIME cannot. PGP is an application where S/MIME is a protocol

Which of the following is not a component of a Kerberos system? ​ AS KDC TGS PKI TGT

PKI A Kerberos system is composed of a key distribution center (KDC), an authentication service (AS), a ticket granting service (TGS), and a ticket granting ticket (TGT). PKI has nothing to do with it.

Which of the following attacks acts as a "man in the middle," exploiting fallback mechanisms in TLS clients?

POODLE In a POODLE attack, the man in the middle interrupts all handshake attempts by TLS clients, forcing a degradation to a vulnerable SSL version. Since many browsers would revert back to SSL 3.0 for backward compatibility, and TLS handshakes are "walked down" the connection until a usable one is found, attackers could interrupt the handshaking and make it go all the way down to SSL 3.0.

Which TCP flag is used to force transmission of data even if the buffer is full? ACK FIN URG PSH

PSH is correct. The PSH flag is used when the application simply can't wait for the data and needs it immediately. The sender will be working through a standard exchange and placing packets into the buffer as space frees up. An URG packet gets sent regardless of the buffer status; it simply goes. Incorrect answers: An URG flagged packet is treated with importance, almost like holding a reservation tag that lets you go to the front of the line when you arrive at your destination.

A team member enters the following nmap command: ``` nmap --script http-methods --script-args one.two.sample.com ``` When the command executes, the following appears: ``` PORT STATE SERVICE REASON 80/tcp open http syn-ack | http-methods: |_ Supported Methods: GET PUT HEAD POST OPTIONS <output omitted> ``` Based on the output, which HTTP methods will the script consider potentially risky?

PUT HTTP PUT permits HTTP clients to update or upload files on a target system, which could allow naughty uploads. Other HTTP methods that the http-method script will consider potentially risky are DELETE, CONNECT, and TRACE

A client wants the best platform for software development. Which cloud service type best meets his needs?

PaaS PaaS is geard toward software development

While using your bank's online services, you notice the following string in the URL bar: http://www.MyPersonalBank/Account?Id=368940911028389&Damount=10980&Camount=21 You observe that if you modify the Damount and Camount values and submit the request, the data on the web page reflect the changes. What type of vulnerability is present on this site

Parameter tampering

Which is a true statement regarding phishing and pharming?

Pharming redirects victims by modifying the host configuration or DNS, while phishing redirects by providing the user a malicious URL similar to the legitimate one Pharming requires the attacker to either adjust the user's hosts file or to redirect DNS queries to a fake location. Phishing is simply providing a URL (or clickable link) that looks similar to a legitimate one.

Which of the following may be useful in mitigation against phishing? (Choose all that apply.) Network IDS PhishTankToolbar Netcraft Toolbar Host-based IDS

Phishtank Toolbar Netcraft Toolbar

Which of the following copies into the system32 folder on Windows machines and creates a back door?

Poison Ivy Poison Ivy provides a full remote-control back door on infected systems and copies itself directly into /system32 SubRoot, from 2009, creates a full-control back door over port 1700 (TCP). Restorator is a defacement Trojan. Biodox is a GUI full remote-control Trojan

Which of the following should be included in a security policy? (Choose all that apply.) Policy exceptions reference to supporting documents noncompliance disciplinary actions procedures

Policy exceptions reference to supporting documents noncompliance disciplinary actions

Hash Lengths

SHA-1 = 60 SHA-2 = 256,384,512 (uses 32 bit words)

Which protocol usually listens on ports in the 137-139 range?

SMB Kerberos uses 88 SNMP 161

Which of the following statements is true regarding the use of a proxy server on your network?

Proxy servers can filter internet traffic for internla users

A new network administrator is asked to schedule daily scans of systems throughout the enterprise. Which of the following programming languages has an OSI-approved open source license and is commonly used for accomplishing this goal

Python Python is free to use, even for commercial products, because of its OSI-approved open source license, and is commonly used for simple items such as kicking off scans

Within a PKI, which of the following verifies the applicant?

Registration authority

Which of the following best describes the amount of risk that remains after mitigation efforts to correct a vulnerability have been taken?

Residual

Which IoT attack involves sniffing, jamming, and replaying a car key fob signal?

Rolling code

Which of the following is a design pattern where services are provided to other components by specific application components?

SOA Object-Oriented Architecture is regarding software development, but it is a design architecture based on the division of responsibilities for an application or system into individual reusable and self-sufficient objects

Which of the following best describes an API that allows application components to communicate with other components? SOAP SOA EC2 DAR

SOA Service-Oriented Architecture is an architecture-driven software design where software components deliver information to other components, usually over a network. For example, a company might develop an API that provides software programming access to a specific database, which would then let other developers build applications that could leverage the API to query or upload data. EC2 refers to Amazon Web Services cloud offerings. SOAP (Simple Object Access Protocol) is a messaging protocol using XML (and HTTP) that allows programs running on different operating systems to communicate. Data at rest has nothing to do with this question

what is SOAP message?

SOAP (formerly an acronym for Simple Object Access Protocol) is a messaging protocol specification for exchanging structured information in the implementation of web services in computer networks. SOAP formats its information exchange in XML.

what deals with publicly traded companies, forcing them to allow independent audits and to post financial findings

SOX

Which cloud service type is designed to offer on-demand applications to subscribers over the Internet?

SaaS

A pen tester gains access to a Windows application server and enters the following command: ``` netsh firewall show config ``` What should be displayed in return?

Settings of the built-in firewall

Which of the following would be a benefit of virtualization of servers?

Shared hardware between virtualized servers

Amanda is a pen test team member scanning systems on an event. She notices a system using port 445, which is active and listening. Amanda issues the following command: ``` for /f "tokens=1 %%a in (myfile.txt) do net use * \\192.168.1.3\c$ /user."administrator" %%a ``` Which of the following best describes what Amanda is trying to accomplish?

She is trying to password-crack the user account named "administrator"

Which of the following describes a vulnerability allowing attackers to execute concatenated commands in bash?

Shellshock Shellshock works by causing Bash to unintentionally execute commands when the commands are concatenated (usually via CGI) to the end of function definitions stored in the values of environment variables.

You are examining an ongoing attack against a subnet. An IP address in the subnet has been sending large amounts of ICMP packets containing the MAC address FF:FF:FF:FF:FF:FF. What attack is underway?

Smurf smurf attack is a generic denial-of-service (DoS) attack against a target machine. The idea is simple: have so many ICMP requests going to the target that all its resources are taken up.

Malware developers do their best to hide their work. Which of the following best describes crypters?

Software tools that use a combination of encryption and code manipulation to render malware as undetectable to antivirus products

Which virus type is only executed when a specific condition is met?

Sparse infector

The organization has a DNS server out in the DMZ and a second internal to the network. Which of the following best describes this DNS configuration?

Split DNS

Examine the response provided to a banner-grab effort. Which of the following is true regarding this server? ``` ... HTTP/1.1 200 OK Cache-Control: private Content-Length: 31544 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 Set-Cookie: ASP.NET_SessionId=jzh3bkzbazylvcjpkpdalaur; domain=.somebiz.com; path=/; HttpOnly X-AspNet-Version: 4.0.30319 Set-Cookie: OI=01c6f8df-b3f3-4cc8-aa73-bd41fc511126; domain=.sombiz.com; expires=Mon, 27-Jun-2016 15:13:22 GMT; path=/ X-Powered-By: ASP.NET Date: Mon, 27 Jun 2016 15:13:22 GMT Connection: close ```

Steps have been taken to protect the server against XSS

Which of the following tools is the best option for rooting an Android device?

SuperOneClick

Which one of the following DoS categories goes after load balancers, firewalls, and application servers by attacking connection state tables?

TCP state-exhaustion attacks

Which tool can be used to extract application layer data from TCP connections captured in a log file into separate files?

TCPflow

Which of the following tools can be used for remote password cracking of web servers? (Choose all that apply.) Nikto BlackWidow THC-Hydra Brutus

THC-Hydra Brutus Nikto is not a remote password cracker. It's an open source web-server-centric vulnerability scanner that performs comprehensive tests against web servers for multiple items. BlackWidow is a web cloning tool, allowing you to copy an entire website for later review.

Which of the following is best known for replacing notepad.exe on Windows systems?

TROJ_QAZ

an employee following someone into an area that needs card access is ....

Tailgating Because they look like they belong

Which of the following is a client-server tool utilized to evade firewall inspection?

Tcp-over-dns Tcp-over-dns combines a special DNS server and client to allow covert messaging.

Which attack takes advantage of weaknesses in fragment reassembly in TCP/IP?

Teardrop sends several overlapping, extremely large IP fragments The teardrop attack uses overlapping packet fragments to confuse a target system and cause it to reboot or crash. It's an older attack that works on some versions of Windows and may still be possible on Windows 7 and Windows Vista machines that have SMB enabled.

What is Heartbleed?

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet

A new employee is attempting to connect to wireless. Her hardware is the same as most others on the floor, and other users are connecting fine. The client can see the wireless network, but packet captures show the WAP is not responding to association requests. Which of the following best describes the issue?

The WAP is employing a MAC filter

You are monitoring logs and come across a user login attempt that reads "UserJoe)(&)". Which of the following best describes what is being attempted? SQL injection LDAP injection CSPP SOAP injection

The attacker is attempting LDAP injection The attacker is attempting LDAP injection is correct. The ")(&)" indicates an LDAP injection attempt. SQL uses ' and CSPP uses ; SOAP injection looks like SQL

Examine the following packet capture: ``` 05/11-14:41:06.542524 0:19:A7:FA:DB:9 -> 0:B4:CB:2B:5:F2 tye:0x800 len:0x3A 172.16.55.22:13584 -> 172.16.55.27:1 TCP TTL:40 TOS:0x) ID:8571 IpLen:20 DgmLen:40 **U*P**F Seq: 0x0 Ack: 0x0 win: 0x400 ``` What can you discern from the information provided?

The capture indicates an XMAS scan

An attacker tries to do banner grabbing on a remote web server and executes the following command: ``` $ nmap -sV one.sample.com -p 80 ``` He gets the following output: ``` Starting Nmap 6.47 ( http://nmap.org ) at 2014-12-08 19:10 EST Nmap scan report for one.sample.com (172.16.22.201) Host is up (0.032s latency). PORT STATE SERVICE VERSION 80/tcp open http Apache httpd Service detection performed. Please report any incorrect results at http://nmap.org/submit/. Nmap done: 1 IP address (1 host up) scanned in 6.42 seconds ``` Which of the following statements is true regarding the results?

The hacker should've used nmap -O host.domain.com An -O scan may provide even more detail than would otherwise be gleaned from a simple banner grab

Consider the ports shown in the nmap returned on an IP scanned during footprinting: ``` PORT STATE SERVICE 21/tcp open ftp 23/tcp open telnet 80 /tcp open http 139/tcp open netbios-ssn 515/tcp open 631/tec open ipp 9100/tcp open MAC Address: 01:2A:48:0B:AA:81 ``` Which of the following is true regarding the output?

The host is most likely a printer or has a printer installed port 515 is generally used for printing

From the command sequence provided, which of the following best describes the intent? ``` C:\> nslookup Default Server: ns1.anybiz.com Address: 200.76.153.12 > set type=HINFO > someserver Server: resolver.anybiz.com Address: 200.76.153.5 Someserver.anybiz.com CPU=Intel Quad Chip OS=Linux 2.8 ```

The operator is enumerating a system named someserver is correct. The HINFO record type was defined in RFC 1035 and was originally intended to provide the type of computer and operating system a host uses (additionally, you could put in room numbers and other descriptions in the record). In this example, the type is set to HINFO, and a machine name—someserver—is provided.

What is a POODLE attack?

The original variant of POODLE was a man-in-the-middle attack, where the bad guy exploits vulnerabilities in the TLS security protocol fallback mechanism.

You are performing an XMAS scan and get an RST/ACK packet back from a port. What does this indicate?

The port is closed no response would mean the port is open or unable to be reached

Which of the following best describe the result from the Linux command "someproc &"?

The process "someproc" will stop when the user logs out and The process "someproc" will run as a background task The ampersand (&) after the command dictates that the process should run in the background. Without anything indicating a persistent process (that is, adding "nohup" before the process name), it will die when the user logs out.

What happens when you issue the "net use" command on a Windows machine?

The user will see a list of connected resources

Which of the following statements is not true regarding SSIDs?

They are used to encrypt traffic on networks

You send an e-mail to an address inside the target organization; however, you purposefully misspell the address to ensure it will not go to an existing mailbox. Which of the following is the best reason for doing this?

To reveal information about the target's e-mail servers

Which of the following is an attempt to resolve computer security problems through hardware enhancements and associated software modifications?

Trusted Computing

Which of the following is an attempt to resolve computer security problems through hardware enhancements and associated software modifications?

Trusted computing module

Amy uses a token and a four-digit PIN to log in to her corporate system. Which authentication measure best describes this?

Two-factor authentication is correct. Because Amy is using something she has (a token) and something she knows (the PIN), this is considered two-factor authentication.

Which of the following tools silently copies all files from a USB when it is connected to the system?

USB Dumper

What enables Unicode characters to be represented in an ASCII-compatible length of 1 to 4 bytes?

UTF-8

Which of the following jailbreaking techniques will leave the phone in a jailbroken state even after a reboot?

Untethered This means the device is jail broken forever

Which of the following refers to the network used by IoT-enabled vehicles?

VANET the Vehicle Ad Hoc Network (VANET) is the communications network used by our vehicles. It refers to the spontaneous creation of a wireless network for vehicle-to-vehicle (V2V) data exchange

X.509 defines the standard for digital certificates. Per this standard, which of the following are fields within a certificate? (Choose all that apply.) Public key key usage PTR record Algorithm ID Version Private Key

Version, algorithm ID, public key and key usage X.509 is an ITU-T standard defining all sorts of things regarding PKI, including the digital certificate and what it holds. It identifies several components of a digital certificate, including the version, the algorithm ID, a copy of the public key, and the key usage description

Which of the following is the most common means to exploit the Shellshock vulnerability?

Via web servers, utilizing CGI to send malformed Bash requests Shellshock (a.k.a. Bash bug) attacks occur when the bad guy adds malicious commands to Bash environment variable command lines. The most common implementation of this attack occurs via web servers utilizing Common Gateway Interface (CGI), providing the means for the attacker to enter the malformed environment variable command requests

Which wireless technology uses RC4 for encryption?

WEP

You are advising your client on wireless security. Which of the following are valid statements regarding wireless security? (Choose two.)

WPA2 is the best encryption security for the system SSID's do not provide security measures for a wireless network

When would a secondary name server request a zone transfer from a primary?

When the primary SOA serial number is higher

In which of the following OSs are you most likely to experience problems in collecting 802.11 management and control packets while passively sniffing?

Windows For whatever reason, many wireless NICs don't have good support for monitor mode in Windows. They seem to be okay catching general traffic, but the control packets are hard to come by

wireshark filters

Wireshark has the ability to filter based on a decimal numbering system assigned to TCP flags (basically the flag's binary value assigned to the bit representing it in the header). The assigned flag decimal numbers are FIN = 1, SYN = 2, RST = 4, PSH = 8, ACK = 16, and URG = 32. Adding flag numbers together (for example, SYN + ACK = 18) allows you to simplify a Wireshark filter. For instance, tcp.flags == 0x2 looks for SYN packets, tcp.flags == 0x16 looks for ACK packets, and tcp.flags == 0x18 looks for both (in the case presented in the question, the filter will display all SYN packets, all SYN/ACK packets, and all ACK packets).

What does SOAP use to package and exchange information for web services?

XML

Which of the following can best be mitigated by setting the HttpOnly flag in cookies? buffer overflow XSS CSPP CSRF

XSS

During investigation of system security, you discover the HttpOnly flag is set in cookies. Which of the following is most likely being mitigated by this attempt?

XSS Cross-site request forgery (CSRF) tricks a user (usually by phishing) into visiting a malicious website, while the user has an active, authenticated session with a trusted website (the malicious website can then instruct the user's web browser to send a request to the target website). CSPP (connection string parameter pollution) is an injection attack that takes advantage of web applications using semicolons to separate parameters in database communication.

As your IDLE scan moves along, you notice that fragment identification numbers gleaned from the zombie machine are incrementing randomly. What does this mean?

Your IDLE scan results will not be useful to you

Which of the following is not part of the ransomware family? Cryptorbit Zeus Cryptolocker Police-themed

Zeus Zeus is an e-banking Trojan for stealing bank and credit card information, not ransomware

Which of the following connection protocols used by IoT devices is based on IEEE 203.15.4 for devices within a range of 10-100 meters?

Zigbee Z-Wave is a low-power, short-range communication method designed primarily for home automation. Thread is an IPv6-based protocol for IoT devices

Which of the following was a piece of malware aimed at Android phones, taking advantage of two-factor authentication to control the phone itself?

ZitMo was designed to capture the phone itself, ensuring the one-time passwords also belonged to the bad guys. The target would log on to their bank account and see a message telling them to download an application to their phone in order to receive security messages. Thinking they were installing a security measure, victims instead were installing the means for the attacker to have access to their credentials, not to mention the second authentication factor (usually sent only to the victim via text)

Which of the following methods correctly performs banner grabbing on a Windows system?

`telnet <IPAddress> 80`

what was Mellissa?

a worm

Examine this robots.txt file: ``` User-agent: * Disallow: / ``` Which of the following is true regarding the website this file is currently residing on

all web spiders are prevented from indexing any pages on the site

what is bluesniffing

an effort to sniff data from bluetooth exchanges

what does a multipartite virus do?

attempt to infect both files and the boot sector at the same time

Which of the following best describe a detective control? (Choose all that apply.) System backups authentication badges audit logs auditory alarms set on doorways

audit logs auditory alarms set on doorways

Which Bluetooth attack is used in an attempt to steal data from the device?

bluesnarfing

what is bluejacking

bluetooth attack where the attacker sends unsolicited messages to the target

In a known-plain-text attack, what does the attacker have access to?

both plain text and cipher text

You use a Linux distribution Live CD to boot a system that is running Ubuntu and enter the following command set: ``` sudo mkdir /media/sda1 sudo mount /dev/sda1 /media/sda1 sudo chroot /media/sda1 passwd N3wPWD4thi$ ``` Which of the following best describes what you are attempting?

change the password on the underlying desktop Ubuntu installation

Which firewall operates at Layer 5?

circuit level Application-level firewalls work at Layer 7 Packet-filtering and stateful firewalls respectively at Layers 3 and 4.

A victim is directed to a website an attacker has modified: the attacker has created a transparent frame in front of the Click Here To Login button. When the victim clicks to log in to the site, they are redirected instead to a URL the attacker owns. Which of the following best describes the attack?

clickjacking Clickjacking is exactly what it sounds like—stealing the "click" a user intended for one thing and using it for another

You want to separate data ownership from data custodian duties. Which of the following should be implemented to carry this out?

cloud computing

Which of the following commands is used to open Computer Management on a Windows OS machine?

compmgmt.msc

How would OSSTMM categorize PCI DSS? standards base legislative technology based Contractual

contractual Contractual deals with requirements enforced by an industry or non-government group. Legislative deals with regulations enforced by the government. Standards based deals with actions that are recommended and must be adhered to in order to be certified by a group

Which of the following describes a transmission channel that is being used in a manner in which it was not intended?

covert Tunnel

Two different organizations have their own public key infrastructure up and running. When the two companies merged, security personnel wanted both PKIs to validate certificates from each other. What must the CAs for both companies establish to accomplish this?

cross-certification

what is an xmas scan

derive their name from the set of flags that are turned on within a packet. These scans are designed to manipulate the PSH, URG and FIN flags of the TCP header

Which of the following are good choices to use in preventing DHCP starvation attacks? (Choose two.) enable DCHP snooping on the switch use port security on the switch configure DHCP filters on the switch block all UDP ports 67 and 68 traffic

enable DCHP snooping on the switch use port security on the switch DHCP snooping on a Cisco switch (using the "ip dhcp snooping" command) creates a whitelist of machines that are allowed to pull a DHCP address. Port security can be a means of defense, too, by limiting the number of MACs associated with a port as well as whitelisting which specific MACs can address it

A pen tester wants to deliver a payload to a target inside the organization without alerting any monitoring teams. A peer recommends session splicing as an option for IDS evasion. If the pen tester has access to the target already, which of the following methods represents another possible option?

encrypt the traffic between you and the host

Network File System (NFS) is a protocol for distributed file sharing on a network. Which of the following was designed for sniffing this traffic?

filesnarf Filesnarf is designed specifically with NFS in mind and saves files sniffed from NFS traffic into the current working directory.

Which nmap script can be used to show potentially risky HTTP methods?

http-methods

Which nmap script helps with detection of HTTP GET, POST, HEAD, PUT, DELETE, and TRACE methods?

http-methods

Which nmap script helps with detection of potentially risky HTTP methods?

http-methods

Which of the following is considered by OWASP to be the top vulnerability security professionals should be aware of in IoT systems?

insecure web interface

Which of the following is the crucial architecture layer within the IoT, allowing all communication?

internet layer The Middleware layer sits between the Application and Hardware layer, and handles data and device management, data analysis, and aggregation. First, data handling takes place in the Access Gateway layer, with message identification and routing occurring there. The Edge Technology layer consists of sensors, RFID tags, readers, and the devices themselves.

Which Wireshark filter is the best choice for examining all three-way handshakes originating from 202.99.58.3?

ip.addr==202.99.58.3 and tcp.flags.syn

Which of the following best describes port security?

it allows traffic from a specific MAC address to enter a port

Which of the following best describes a hybrid password-cracking attack?

it substitutes numbers and characters in words to discover a password is correct. Usually a hybrid attack involves a list of passwords that get altered along the way in order to guess the password. For example, if your list contains the word "Fishing," a hybrid attack would start substituting numbers and characters: f1$hing, Fi$H1n6, and so on.

You are performing penetration testing with your team and successfully gain access to a machine. You discover a hidden folder on the system that has an individual's bank account password and user ID stored in plain text. Which of the following should you do?

keep testing

what is firewalking

method of determining the movement of a data packet from an untrusted external host to a protected internal host through a firewall

Which of the following is the proper syntax on Windows systems for spawning a command shell on port 8080 using Netcat?

nc -L 8080 -t -e cmd.ext

Which of the following commands will display all current shares on the Windows machine?

net share net use - connects/disconnects a computer to a shared resource net view - used to show a list of computers and network devices on the network net config - displays the configurable services that are running

Which of the following provides a means to discover an organization's restricted URLs and possibly OS information from selected targets? whois nmap netcraft

netcraft

Which command would display all connections and listening ports in numerical form?

netstat -an

what do TLS and SSL encrypt?

network traffic

Which of the following commands would be the best choice for a pen tester attempting to perform DNS cache snooping?

nslookup -norecursive one.anywhere.com If you can make a nonrecursive query to a DNS server looking for an _already resolved_ hostname, the box is susceptible to DNS cache snooping

what does a cavity virus do?

overwrite unused portions of a file without changing its size

what is THC Hydra?

password guessing tool for linux/unix

You are concerned about static electricity problems in your data center. Which of the following will not assist you in dealing with the problem?

positive pressure

In which phase of a pen test is scanning performed?

pre-attack

Which command displays all running processes on a Linux machine?

ps -ef

Which of the following commands lists the running services on a Windows machine? sc query netstat -s netsh servies wmic bios get services

sc query Netsh is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer Netstat displays active TCP connections, ports on which the computer is listening, Ethernet statistics, the IP routing table, and IPv4 statistics. Wmic provides the ability to take advantage of a host of Windows management information tie-ins but is not applicable here (not to mention the syntax is invalid).

Which of the following describes the intended use of the sigverif tool?

searching for unsigned drivers

Which of the following can be used to edit the local security policy of a Windows machine?

secpol.msc

Which of the following is an example of a logical control? fire alarms security tokens security policy guards

security token (logical means technical)

Which jailbreaking method does not retain the iOS patched kernel after reboot, but does leave the software on the device, allowing for future jailbreak activities?

semi-tethered jailbreaking

Which of the following can be compared to a CSRF attack? VM stradding side session session riding side channel

session riding Side-channel attacks, also known as cross-guest VM breach, deal with attackers gaining control of the existing virtualization itself

Which of the following attacks is also known as "cross-guest VM breach"?

side channel

Which of the following is a valid Google Search entry for searching for spreadsheet files possibly containing passwords?

site:sample.com filetype:xls username password

Which attack falsifies a broadcast ICMP echo request and includes a primary victim and a secondary victim?

smurf smurf attack involves spoofing a ping request to the broadcast address of the subnet. The ping request is altered so that it appears to come from another host

Which of the following commands can be used to launch the executable bad.exe hidden in the file NoProblems.txt

start noproblems.txt:bad.exe

You are concerned a machine (192.168.15.12) on the network does not seem to be sending logs to a system running syslog (192.168.15.90). Which of the following filters is the best choice to see if the system is sending messages to the syslog server?

tcp.dstport==514 && ip.dst==192.168.15.90

Which of the following is a command-line sniffer and packet analyzer? nessus netstat tcpdump netcat

tcpdump Nessus is a vulnerability scanner, netstat will display port information on your system, and netcat is used for maintaining access on a system (along with other things)

All communication between two subnets is encrypted via SSL. The security staff is concerned about possible nefarious activity and places an IDS between the two segments. Which of the following statements is most correct, given the circumstances?

the IDS is blind to SSL traffic

what is Bluescarfing

the acutal theft of data from bluetooth exchanges

A security administrator notices a machine generating a tremendous amount of traffic to port 500 on several other systems. What can be inferred from this traffic?

the system is checking for IPSec on remote machines

You are examining malware code and discover that a particular piece copies itself into the location HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. What is the purpose of this?

to ensure the malware rus at every login to the OS

What is being attempted by the following command? ``` aireplay -ng -0 0 -a 0B:11:EB:17:44:80 -c mon0 ```

to use deauthentication packets to generate lots of network traffic

A systems administrator notices log entries from a host named MACHINE_A (195.16.88.12) are not showing up on the syslog server (195.16.88.150). Which of the following Wireshark filters would show any attempted syslog communications from the machine to the syslog server? tcp.dstport==514 && ip.dst==195.16.88.150 udp.dstport==514 && ip.dst==195.16.88.150

udp.dstport==514 && ip.src==195.16.88.12

An attacker places his sites on a specific group. After several days of monitoring the group members' traffic, he notes several websites they frequently visit and goes to work infecting those sites with malware. Which of the following best defines this attack?

watering hole attack

what is a false positive

when a the system flags a finding as malicious when it is not

Which of the following consists of a publicly available set of databases containing domain name registration contact information?

whois Whois provides all sorts of information on registrants—technical POCs, who registered the domain, contact numbers, and so on. CAPTCHA is a means to distinguish human from machine input, where a text entry or a picture identification requires a real human to click or enter it. IANA regulates IP allocation, and IETF is a standards organization.