Domain 1.0: Threat and Vuln Management
What is the TCP port for Microsoft SQL server?
1433
LPR/LPD LinePrinterRemote/LinePrinterDaemon uses what TCP port?
515
Matthew is analyzing some code written in the C programming language and discovers that it is using the functions listed here. Which of these functions poses the greatest security vulnerability? A. strcpy() B. main() C. printf() D. scan()
A. strcpy() Reason: Is notorious for leading to buffer overflow vulns and must be used very carefully.
Angela wants to gather detailed information about the hosts on a network passively. If she has access to a Wireshark PCAP file from the network, which of the following tools can she use to provide automated analysis of the file? A. Ettercap B. NetworkMiner C. Sharkbait D. Dradis
B. NetworkMiner
Geoff is reviewing logs and sees a large number of attempts to authenticate to his VPN server using many different username and password combinations. The same usernames are attempted several hundred times before moving on to the next one. What type of attack is most likely taking place? A. Credential stuffing B. Password spraying C. Brute-force D. Rainbow Table
B. Password spraying Reason: In a password spraying attack, the attack tries a set of common passwords using many different accounts. A brute-force attack would result in thousands or millions of attempts per username.
Amir's remote scans of a target organization's class C network block using nmap (nmap -sS 10.0.10.1/24) show only a single web server. If Amir needs to gather additional reconnaissance information about the organization's network, which of the following scanning techniques is most likely to provide additional detail? A. Use a UDP scan. B. Perform a scan from on-site. C. Scan using the -p 1-65535 flag. D. Use nmap's IPS evasion techniques.
B. Perform a scan from on-site.
Greg is concerned about the use of DDos attacks tools against his org, so he purchased a mitigation service from his ISP. What portion of the threat model did Greg reduce? A. Likelihood B. Total attack surface C. Impact D. Adversary capability
C. Impact
Singh incorporated the Cisco Talos tool into his organization's threat intelligence program. He uses it to automatically look up information about the PAST activity of IP addresses sending email to his mail servers. What term best describes this intelligence source? A. Open Source B. Behavioral C. Reputational D. Indicator of compromise
C. Reputational
Joaquin is frustrated at the high level of false positive reports produced by his vulnerability scans and is contemplating a series of actions designed to reduce the false positive rate. Which one of the following actions is LEAST likely to have the desired effect? A. Moving to credentialed scanning B. Moving to agent-based scanning C. Integrating asset information into the scan D. Increasing the sensitivity of the scans.
D. Increasing the sensitivity of the scans.
Harry is developing a vulnerability scanning program for a large network of sensors used by his organization to monitor a transcontinental gas pipeline. What term is commonly used to describe this type of sensor network? A. WLAN B. VPN C. P2P D. SCADA
D. SCADA
What type of information can be gathered from the nbtstat -c command?
NetBIOS name-to-IP address mappings
During the reconnaissance stage of a penetration test, Cynthia needs to gather information about the target organization's network infrastructure without causing an IPS to alert the target to her info gathering. What is the best option?
Perform a DNS brute-force attack. Reason: They often bypass detection systems and don't usually pay attention to DNS queries.
What markup language provides a standard mechanism for describing attack patterns, malware, threat actors, and tools?
STIX Reason: Structured Threat Info eXpression sponsored by Homeland Security. Defines attack patterns, malware, threat actors and tools.
What two pieces of information does nmap need to estimate network path distance?
TTL and Operating System
When Scott performs an nmap scan with the -T flag set to 5, what variable is he changing?
The TCP timeout flag it will set Reason: It will perform the fastest scanning it can, likely setting off any IDS or IPS. 0 slow 5 fast
What wireless network technology does Reaver target?
WPS Reason: Reaver attempts to exploit a vulnerability in the Wi-Fi Protected Setup (WPS)
What tool can be used to review snapshots of a website from multiple points in time?
Wayback Machine
What command will provide me with the most info about a host?
dig -x [ip address]
cpe: /h indicates what?
hardware identification
cpe: /o indicates what?
operating system identification
What TCP ports does RADIUS operate on?
1812 and 1813
Kerberos is a UDP service but also uses what TCP ports?
544 and 2105
IPP(Internet Printing Protocol) uses what port?
631
What are the port numbers for LDAPS and HTTPS?
636 and 443
While performing reconnaissance of an organization's network, Angela discovers that web.org.com, www.org.com, and documents.org.com all point to the same host. What type of DNS record allows this?
A CNAME- A canonical name is used to alias one name to another.
I have systems connected to a remote host on TCP ports 1433 and 1434. If I have no other data what should be my best guess about what the host is?
A Microsoft SQL Server
Kim is preparing to deploy a new vulnerability scanner and wants to ensure that she can get the most accurate view of configuration issues on laptops belonging to traveling sales-people. Which technology will work best in this situation? A. Agent-based scanning B. Server-based scanning C. Passive network monitoring D. Noncredentialled scanning
A. Agent-based scanning Reason: The agent can run the scans and then report results the next time the agent is connected to a network.
The presence of _____________ triggers specific vulnerability scanning requirements based on law or regulation. A. Credit card info B. Protected health info C. PII D. Trade secret info
A. Credit card info
Which sources are most commonly used to gather information about technologies a target organization uses during intelligence gathering? A. OSINT searches of support forums and social engineering B. Port scanning and social engineering C. Social media review and document metadata D. Social engineering and document metadata
A. OSINT searches of support forums and social engineering
Abdul is conducting a security audit of a multicloud computing environment that incorporates resources from AWS and Microsoft Azure. What tool will be most useful to him? A. Scoutsuite B. Pacu C. Prowler D. Cloudsploit
A. ScoutSuite Pacu, Prowler, Cloudsploit are all AWS-specific.
Nihar wants to conduct an nnap scan of a firewalled subnet. Which of the following is not an nmap firewall evasion technique he could use? A. Fragmenting packets B. Changing packet header flags C. Spoofing the source IP D. Appending random data
B. Changing packet header flags
Kaiden's organization uses the AWS public cloud environment. He uses the CloudFormation tool to write scripts that create the cloud resources used by his organization. What type of service is CloudFormation? A. SaaS B. IAC C. FaaS D. API
B. IAC(Infrastructure as code)
While conducting a topology scan of a remote web server, Susan notes that the IP addresses returned for the same DNS entry change over time. What has she likely encountered? A. A route change B. Fast-flux DNS C. A load balancer D. An IP mismatch
C. A load balancer Reason: A load balancer can alias multiple servers to the same hostname. Can be confusing when scanning because it may appear that multiple IP addresses or hosts are responding for the same system.
Adam's port scan returns results on six TCP ports: 22, 80, 443, 515, 631, and 9100. If Adam needs to guess what type of device this is based on these ports, what is his best guess? A. Web Server B. FTP server C. A printer D. A proxy server
C. A printer
Damian wants to limit the ability of attackers to conduct passive fingerprinting exercises on his network. Which of the following practices will help to mitigate this risk? A. Implement an IPS B. Implement a firewall. C. Disable promiscuous mode for NICs. D. Enable promiscuous mode for NICs.
C. Disable promiscuous mode for NICs.
Sadiq is responsible for the security of a network used to control systems within his organizations manufacturing plant. The network connects manufacturing equipment, sensors, and controllers. He runs a vulnerability scan on this network and discovers that several of the controllers are running very out of date firmware that introduces security issues. The manufacturer of the controllers is out of business. What action can Sadiq take to best remediate this vulnerability in an efficient manner? A. Develop a firmware update internally and apply it to the controllers. B. Post on an Internet message board seeking other organizations that have developed a patch. C. Ensure that the ICS is on an isolated network. D. Use an intrusion prevention system on the ICS network.
C. Ensure that the ICS is on an isolated network.
Which one of the following IoT components contains hardware that can be dynamically reprogrammed by the end user? A. RTOS(Real-time OS) B. SoC(System on a Chip) C. FPGA D. MODBUS
C. FPGA(Field-programmable gate arrays)
While conducting reconnaissance of his own organization, Ian discovers that multiple certificates are self-signed. What issue should he report to his management? A. Self-signed certificates do not provide secure encryption for site visitors. B. Self-signed certificates can be revoked only by the original creator. C. Self-signed certificates will cause warnings or error messages. D. None of the above.
C. Self-signed certificates will cause warnings or error messages.
While conducting reconnaissance, Piper discovers what she believes is an SMTP service running on an alternate port. What technique should she use to manually validate her guess? A. Send an email via the open port. B. Send an SMTP probe C. Telnet to the port D. SSH to the port.
C. Telnet to the port
Zara is prioritizing vulnerability scans and would like to base the frequency of scanning on the information asset value. Which of the following criteria would be most appropriate for her to use in this analysis? A. Cost of hardware acquisition B. Cost of hardware replacement C. Types of information processed D. Depreciated hardware cost
C. Types of information processed
Jake is performing a vulnerability assessment and comes across a CAN bus specification. What type of environment is most likely to include a CAN bus? A. Physical access control system B. Building automation system C. Vehicle control system D. Workflow and process automation system
C. Vehicle control system Reason: CAN is a standard for comms among components of a vehicle and is not likely to be found in any other environment.
Fred conducts an SNMP sweep of a target organization and receives no-response replies from multiple addresses that he believes belong to active hosts. What does this mean? A. The machines are unreachable B. The machines are not running SNMP servers C. The community string he used is invalid. D. Any or all of the above may be true.
D. Any or all of the above may be true.
Florian discovered a vulnerability in a proprietary application developed by his organization. The application performs memory management using the malloc() function and one area of memory allocated in this manner has an overflow vulnerability. What term best describes this overflow? A. Buffer Overflow B. Stack Overflow C. Integer Overflow D. Heap Overflow
D. Heap Overflow Reason: The malloc() function allocates memory from the heap.
Sarah wants to detect port scans using syslog so that he can collect and report on the info using his SIEM. If he is using a default CentOS system, what should he do? A. Search for use of privileged ports in sequential order. B. Search for connections to ports in the /var/syslog directory. C. Log all kernal messages to detect scans. D. Install additional tools that can detect scans and send the logs to syslog.
D. Install additional tools that can detect scans and send the logs to syslog.
Stacey encountered a system that shows as "filtered" and "firewalled" during an nmap scan. Which of the following techniques should she not consider as she is planning her next scan? A. Packet fragmentation B. Spoofing the sources address C. Using decoy scans D. Spoofing the destination address
D. Spoofing the destination address
What major differences exist between reconnaissance's of a wired network versus a wireless network?
Encryption and physical accessibility
What is a tool that allows users to handcraft packets for use in attacks and pen tests?
Hping
What term is used to describe the groups of related organizations who pool resources to share cybersecurity threat info and analysts?
ISAC Reason: Information Sharing and Analysis Centers (ISACS) They cover healthcare, financial, aviation, government, and infrastructure.
What is the port number for LDAP?
UDP Port 389 for LDAP network port is used to handle normal authentication queries from client computers.
