Certified Ethical Hacker: Quiz 06


You just purchased the latest DELL computer, which comes pre-installed with Windows XP, McAfee antivirus software and a host of other applications. You want to connect Ethernet wire to your cable modem and start using the computer immediately. Windows is dangerously insecure when unpacked from the box, and there are a few things that you must do before you use it. A. Install the latest signatures for Antivirus software B. Configure "Windows Update" to automatic C. Create a non-admin user with a complex password and logon to this account D. Enable "guest" account E. Install a personal firewall and lock down unused ports from connecting to your computer F. New installation of Windows should be patched by installing the latest service packs and hotfixes G. You can start using your computer since the vendor such as DELL, HP and IBM already would have installed the latest service packs up-to-date

A,B,C,E,F A. Install the latest signatures for Antivirus software B. Configure "Windows Update" to automatic C. Create a non-admin user with a complex password and logon to this account E. Install a personal firewall and lock down unused ports from connecting to your computer F. New installation of Windows should be patched by installing the latest service packs and hotfixes

You have chosen a 22 character word from the dictionary as your password. How long will it take an attacker to crack the password? A. 5 minutes B. 16 million years C. 200 years D. 23 days

A. 5 minutes

Mark works as a contractor for the Department of Defense and is in charge of network security. He has spent the last month securing access to his network from all possible entry points. He has segmented his network into several subnets and has installed firewalls all over the network. He has placed very stringent rules on all the firewalls, blocking everything in and out except ports that must be used. He does need to have port 80 open since his company hosts a website that must be accessed from the Internet. Mark is fairly confident of his perimeter defenses, but is still worried about programs like Hping2 that can get into a network through covert channels. How should Mark protect his network from an attacker using Hping2 to scan his internal network? A. Block ICMP type 13 messages B. Block all outgoing traffic on port 53 C. Use stateful inspection on the firewalls D. Block all incoming traffic on port 53

A. Block ICMP type 13 messages

Bob was frustrated with his competitor, Brownies Inc., and decided to launch an attack that would result in serious financial losses. He planned the attack carefully and carried out the attack at the appropriate moment. Meanwhile, Trent, an administrator at Brownies Inc., realized that their main financial transaction server had been attacked. As a result of the attack, the server crashed and Trent needed to reboot the system, as no one was able to access the resources of the company. This process involves human interaction to fix it. What kind of Denial of Service attack was best illustrated in the scenario above? A. DOS attacks which involves crashing a network or system B. DOS attacks which involves flooding a network or system C. Simple DDOS attack D. DOS attacks which is done accidentally or deliberately

A. DOS attacks which involves crashing a network or system

Bob has set up three web servers on Windows Server 2003 IIS 6.0. Bob has followed all the recommendations for securing the operating system and IIS. These servers are going to run numerous e-commerce websites that are projected to bring in thousands of dollars a day. Bob is still concerned about the security of these servers because of the potential for financial loss. Bob has asked his company's firewall administrator to set the firewall to inspect all incoming traffic on ports 80 and 443 to ensure that no malicious data is getting into the network. Why will this not be possible? A. Firewalls cannot inspect traffic at all, they can only block or allow certain ports B. Firewalls cannot inspect traffic coming through port 80 C. Firewalls cannot inspect traffic coming through port 443 D. Firewalls can only inspect outbound traffic

A. Firewalls cannot inspect traffic at all, they can only block or allow certain ports

Kevin has been asked to write a short program to gather user input for a web application. He likes to keep his code neat and simple. He chooses to use printf(str) where he should have ideally used printf("%s", str). What attack will his program expose the web application to? A. Format String Attack B. Unicode Traversal Attack C. SQL injection Attack D. Cross Site Scripting

A. Format String Attack

Bob is very security conscious; he is about to test a site that is known to have malicious applets, code, and more. Bob always makes use of a basic Web Browser to perform such testing. Which of the following web browsers can adequately fill this purpose? A. Lynx B. Mozilla C. Internet Explorer D. Tiger

A. Lynx

Which of the following is a patch management utility that scans one or more computers on your network and alerts you if any important Microsoft security patches are missing. It then provides links that enable those missing patches to be downloaded and installed. A. MBSA B. ASNB C. PMUS D. BSSA

A. MBSA C. PMUS

access-list as below:
    Current configuration : 1206 bytes
    !
    version 12.3
    !
    hostname Victim
    !
    enable secret 5 $1$h2iz$DHYpcqURF0APD2aDuA.YX0
    !
    interface Ethernet0/0
     ip address dhcp
     ip nat outside
     half-duplex
    !
    interface Ethernet0/1
     ip address 192.168.1.1 255.255.255.0
     ip nat inside
     half-duplex
    !
    router rip
     network 192.168.1.0
    !
    ip nat inside source list 102 interface Ethernet0/0 overload
    no ip http server
    ip classless
    !
    access-list 1 permit 192.168.1.0 0.0.0.255
    access-list 102 permit ip any any
    !
    snmp-server community public RO
    snmp-server community private RW 1
    snmp-server enable traps tty
    !
    line con 0
     logging synchronous
     login
    line aux 0
    line vty 0 4
     password secret
     login
    !
    !
    end
You are hired to conduct security testing on their network. You successfully brute-force the SNMP community string using a SNMP crack tool. The access-list configured at the router prevents you from establishing a successful connection. You want to retrieve the Cisco configuration from the router. How would you proceed? A. Run a network sniffer and capture the returned traffic with the configuration file from the router B. Use the Cisco's TFTP default password to connect and download the configuration file C. Send a customized SNMP set request with a spoofed source IP address in the range - 192.168.1.0 D. Run Generic Routing Encapsulation (GRE) tunneling protocol from your computer to the router masking your IP address

A. Run a network sniffer and capture the returned traffic with the configuration file from the router C. Send a customized SNMP set request with a spoofed source IP address in the range - 192.168.1.0

What are the differences between SSL and S-HTTP? A. SSL operates at the transport layer and S-HTTP operates at the application layer B. SSL operates at the application layer and S-HTTP operates at the network layer C. SSL operates at the application layer and S-HTTP operates at the transport layer D. SSL operates at the network layer and S-HTTP operates at the application layer

A. SSL operates at the transport layer and S-HTTP operates at the application layer

What does the term 'Hacktivism' mean? A. Someone who is hacking for a cause B. Someone who has at least 12 years of hacking experience C. Someone who subscribes to hacker's magazine D. Someone that has an urge to constantly hack

A. Someone who is hacking for a cause

Study the log below and identify the scan type.
    tcpdump -vv host 192.168.1.10
    17:34:45.802163 eth0 < 192.168.1.1 > victim: ip-proto-117 0 (ttl 48, id 36166)
    17:34:45.802216 eth0 < 192.168.1.1 > victim: ip-proto-25 0 (ttl 48, id 33796)
    17:34:45.802266 eth0 < 192.168.1.1 > victim: ip-proto-162 0 (ttl 48, id 47066)
    17:34:46.111982 eth0 < 192.168.1.1 > victim: ip-proto-74 0 (ttl 48, id 35585)
    17:34:46.112039 eth0 < 192.168.1.1 > victim: ip-proto-117 0 (ttl 48, id 32834)
    17:34:46.112092 eth0 < 192.168.1.1 > victim: ip-proto-25 0 (ttl 48, id 26292)
    17:34:46.112143 eth0 < 192.168.1.1 > victim: ip-proto-162 0 (ttl 48, id 51058)
    tcpdump -vv -x host 192.168.1.10
    17:35:06.731739 eth0 < 192.168.1.10 > victim: ip-proto-130 0 (ttl 59, id 42060)
    4500 0014 a44c 0000 3b82 57b8 c0a8 010a c0a8 0109 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
A. nmap S 192.168.1.10 B. nmap -sO -T 192.168.1.10 C. nmap R 192.168.1.10 D. nmap V 192.168.1.10

B. nmap -sO -T 192.168.1.10

What port number is used by Kerberos protocol? A. 419 B. 44 C. 88 D. 487

C. 88

Why do you need to capture five to ten million packets in order to crack WEP with AirSnort? A. All IVs are vulnerable to attack B. Air Snort uses a cache of packets C. Air Snort implements the FMS attack and only encrypted packets are counted D. A majority of weak IVs transmitted by access points and wireless cards are not filtered by contemporary wireless manufacturers

C. Air Snort implements the FMS attack and only encrypted packets are counted

Study the snort rule given:
    alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC ISystemActivator bind attempt"; flow:to_server,established; content:"|05|"; distance:0; within:1; content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46|"; distance:29; within:16; reference:cve,CAN-2003-0352; classtype:attempted-admin; sid:2192; rev:1;)
    alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB DCERPC ISystemActivator bind attempt"; flow:to_server,established; content:"|FF|SMB|25|"; nocase; offset:4; depth:5; content:"|26 00|"; distance:56; within:2; content:"|5c 00|P|00|I|00|P|00|E|00 5c 00|"; nocase; distance:5; within:12; content:"|05|"; distance:0; within:1; content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46|"; distance:29; within:16; reference:cve,CAN-2003-0352; classtype:attempted-admin; sid:2193; rev:1;)
From the options below, choose the exploit against which this rule applies? A. IIS Unicode B. SQL Slammer C. MS Blaster D. WebDav

C. MS Blaster

_____ ensures that the enforcement of organizational security policy does not rely on voluntary web application user compliance. It secures information by assigning sensitivity labels on information and comparing this to the level of security a user is operating at. A. Discretionary Access Control B. Role-based Access Control C. Mandatory Access Control D. Authorized Access Control

C. Mandatory Access Control

What hacking attack is challenge/response authentication used to prevent? A. Scanning attacks B. Password cracking attacks C. Replay attacks D. Session hijacking attacks

C. Replay attacks

Dave has been assigned to test the network security of Acme Corp. The test was announced to the employees. He created a webpage to discuss the progress of the tests with employees who were interested in following the test. Visitors were allowed to click on a sand clock to mark the progress of the test. Dave successfully embeds a keylogger. He also added some statistics on the webpage. The firewall protects the network well and allows strict Internet access. How was security compromised and how did the firewall respond? A. The attack was deception and security was not directly compromised B. Security was not compromised as the webpage was hosted internally C. The attack was social engineering and the firewall did not detect it D. The attack did not fall through as the firewall blocked the traffic

C. The attack was social engineering and the firewall did not detect it

StackGuard (as used by Immunix), ssp/ProPolice (as used by OpenBSD), and Microsoft's /GS option use _____ defense against buffer overflow attacks. A. Format checking B. Hex editing C. Non-executing stack D. Canary

D. Canary

Bob is conducting a password assessment for one of his clients. Bob suspects that password policies are not in place and weak passwords are probably the norm throughout the company he is evaluating. Bob is familiar with password weaknesses and key loggers. What are the means that Bob can use to get passwords from his client hosts and servers? A. Passwords are always best obtained using Hardware key loggers B. Hardware and Software Keyloggers C. Software only, they are the most effective D. Hardware, Software, and Sniffing

D. Hardware, Software, and Sniffing

You have successfully run a buffer overflow attack against a default IIS installation running on a Windows 2000 server. The server allows you to spawn a shell. In order to perform the actions you intend to do, you need elevated permissions. You need to know what your privileges are within the shell. What are your current privileges? A. Administrator B. IIS default installation account C. IUSR_COMPUTERNAME D. Local_System

D. Local_System

True or False: Data is sent over the network as clear text (unencrypted) when Basic Authentication is configured on Web Servers.

False

