Ethical Hacking Final
Scenario:1. Victim opens the attacker's web site 2. Attacker sets of the web site which contains interesting and attractive content like "Do you want to make$1000 in a day?". 3. They can clicks to the interesting and attractive content url 4. Attacker creates a transparent 'iframe' in front of the URL which victim attempts to click, so victim thinks thathe/she clicks the " do you want to make $1000 in a day?" URL but actually he/she clicks to the content or URL that exist in a transparent 'iframe' which is set up by the attacker. What is the name of the attack which is mentioned in the scenario?
ClickJacking attack
What is the correct process for the TCP three way handshake connection establishment and connection termination?
Connection Establishment: SYN, SYN-ACK, ACKConnection Termination: FIN, ACK-FIN, ACK
It has been reported to you that someone has caused an information spillage on their computer. You go to the computer, disconnect it from the network, remove the keyboard and mouse, and power it down. What step in incident handling did you just complete?
Containment
An attacker is trying to redirect the traffic of a small office. That office is using their own mail server, DNS server and NTP server because of the importance of their job. The attacker gain access to the DNS server and redirect the direction www.google.com to his own IP address. Now when the employees of the office wants to go to Google they are being redirected to the attacker machine. What is the name of this kind of attack?
DNS spoofing
___________ Is a set of extensions to DNS that provide to DNS clients (resolvers) origin authentication of DNS data to reduce the threat of DNS poisoning, spoofing, and similar attacks types.
DNSSEC
Which of the following security policies define the use of VPN for gaining access to an internal corporate network?
Defense in depth
You have successfully gained access to a linux server and would like to ensure that the succeeding outgoing traffic from this server will not be caught by a Network Based Intrusion Detection Systems (NIDS).What is the best way to evade the NIDS?
Encryption
A polymorphic virus
Evades detection through rewritting itself
You work as a Security Analyst for a retail organization. In securing the company's network, you set up a firewall and an IDS. However, hackers are able to attack the network. After investigating, you discover that your IDS is not configuring properly and therefore is unable to trigger alarms when needed. What type of alert is the IDS giving?
False Negative
When analyzing the IDS logs, the system administrator noticed an alert was logged when the external router was accessed from the administrator's Computer to update the router configuration. What type of an alert is this?
False positive
A newly discovered flaw in a software application would be considered which kind of security vulnerability?
0-day vulnerability
You have successfully gained access to your client's internal network and successfully comprised a Linux server which is part of the internal IP network. You want to know which Microsoft Windows workstations have file sharing enabled.Which port would you see listening on these Windows machines in the network?
445
In many states sending spam is illegal. Thus, the spammers have techniques to try and ensure that no one knows they sent the spam out to thousands of users at a time. Which of the following that best describes what spammers use to hide the origin of these types of emails?
A blacklist of companies that have their mail server relays configured to be wide open
Craig received a report of all the computers on the network that showed all the missing patches in weak passwords. What type of software generated this report?
A vulnerability scanner
Which of the following is used to set permissions on content in a website?
ACL
What type of OS fingerprinting technique sends specially crafted packets to the remote OS and analyzes the received response?
Active
You just set up a security system in your network. In what kind of system would you find the following string of characters used as a rule within its configuration? alert tcp any any -> 192.168.100.0/24 21 (msg: "FTP on the network!";)
An Intrusion Detection System
________________can be used to identify a web server.
Banner grab
The security concept of "separation of duties" is most similar to the operation of which type of security device?
Bastion host
Which type of security feature stops vehicles from crashing through the doors of a building?
Bollards
A hacker has successfully infected an internet-facing server which he will then use to send junk mail, take part in coordinated attacks, or host junk email content. Which sort of trojan infects this server?
Botnet Trojan
What is the way to decide how a packet will move from untrusted outside hosts to a protected inside that is behind a firewall, which permits the hacker to determine which ports are open and if the packets can pass through the packet filter and the firewall
Firewalking
An attacker is using nmap to do a ping sweep and a port scanning in a subnet of 254 addresses. In what order should he perform these steps?
First the ping sweep to identify live hosts and then the port scan on the live hosts. This way he saves time.
It is a regulation that has a set of guidelines, which should be adhered to by anyone who handles and electronic medical data. These guidelines stipulate that all medical practices must ensure that all necessary measures are in place while saving, accessing, and sharing any electronic medical data to keep patient data secure. Which of the following regulations best matches the description?
HIPAA
The network in ABC company is using the network address 192.168.1.64 with mask 255.255.255.192. In the network the servers are in the addresses 192.168.1.122, 192.168.1.123 and 192.168.1.124. An attacker is trying to find those servers but he cannot see them in his scanning. The command he is using is:nmap 192.168.1.64/28 Why he cannot see the servers?
He is scanning from 192.168.1.64 to 192.168.1.78 because of the mask /28 and the servers are not in that range
An attacker with access to the inside network of a small company launches a successful STP manipulation attack. What will he do next?
He will create a SPAN entry on the spoofed root bridge and redirect traffic to his computer
You have successfully compromised a machine on the network and found a server that is alive on the same network. You tried to ping it but you didn't get any response back. What is happening?
ICMP could be disabled on the target server
What is a SID used to do?
Identify a user
You have compromised a server and successfully gained a root access. You want to pivot and pass traffic undetected over the network and evade any possible IDS.What is the best approach?
Install Cryptcat and encrypt outgoing packets from this server
An enterprise recently moved to a new office in the new neighborhood is a little risky. The CEO wants to monitor the physical perimeter and the entrance doors 24 hours. What is the best option to do this job?
Install a CCTV with cameras pointing to the entrance doors and the street
Seth is starting a penetration test from inside the network. He hasn't been given any information about the network. What type of test is he conducting?
Internal, Blackbox
How does the Address Resolution Protocol (ARP) work?
It sends a request packet to all the network elements, asking for the MAC address from a specific IP
What could be used to monitor application errors and violations on a web server or application?
Logs
Which of the following programs is usually targeted at Microsoft Office products?
Macro virus
An attacker attaches a rogue router in a network. He wants to redirect traffic to a LAN attached to his router as part of a man-in-the-middle attack. What measure on behalf of the legitimate admin can mitigate this attack?
Make sure that legitimate network routers are configured to run routing protocols with authentication.
Rebecca commonly sees an error on her windows system that states that a data execution prevention (DEP) error has taken place. Which of the following is most likely taking place?
Malicious code is attempting to execute instruction in a non-executable memory region.
Which tool allows analysts and pen testers to examine links between data using graphs and link analysis?
Maltego
You are performing information gathering for an important penetration test. You have found pdf, doc, and images in your objective. You decide to extract metadata from these files and analyze it.What tool will help you with the task?
Metagoofil
SNMP is used to do which of the following?
Monitor network devices
Which of the following describes the characteristics of a Boot Sector Virus?
Moves the MBR to another location on the nard disk and copies itself to the original location of the MBR
Using Windows CMD, how would an attacker list all the shares to which the current user context has access?
NET VIEW
Which intrusion detection system is a best applicable for large environments were critical assets on the network need extra scrutiny and is ideal for observing sensitive network segments?
Network based intrusion detection system (NIDS)
An intrusion detection system, IDS, has alerted the network administrator to a possible malicious sequence of packets sent to a web server in the network's external DMZ. The packet traffic was captured by the IDS and saved to a PCAP file.What type of network tool can be used to determine if these packets are genuinely malicious or simply a false positive?
Network sniffer
You are the Systems Administrator for a large corporate organization. You need to monitor all network traffic on your local network for suspicious activities and receive notifications when an attack is occurring. Which tool would allow you to accomplish this goal?
Network-based IDS
You have compromised a server on a network and successfully opened a shell. You aimed to identify all operating systems running on the network. However, as you attempt to fingerprint all machines in the network using the nmap syntax below, it is not going through. invictus@victim_server:~$ nmap -T4 -O 10.10.0.0/24 TCP/IP fingerprinting (for OS scan) xxxxxxx xxxxxx xxxxxxxxx QUITTING!What seems to be wrong?
OS Scan requires root privileges
The "black box testing" methodology enforces which kind of restriction?
Only the external operation of a system is accessible to the tester
This international organization regulates billions of transactions daily and provides security guidelines to protect personally identifiable information (PII). These security controls provide a baseline and prevent low-level hackers sometimes known as script kiddies from causing a data breach.Which of the following organizations is being described?
Payment Card Industry (PCI)
Jimmy is standing outside a secure entrance to a facility. He is pretending to having tense conversation on his cell phone as an authorized employee badges. Jimmy, while still on the phone, grabs the door as it begins to close. What just happened?
Piggybacking
Which of the following incident handling process phases is responsible for defining rules, collaborating human workforce, creating a backup plan, and testing plans for an organization?
Preparation phase
It is a kind of malware (malicious software) that criminals install on your computer so they can lock it from a remote location. This malware generates a pop-up window, webpage, or email warning from what looks like an official authority. It explains that your computer has been locked because of possible illegal activities on it and demands payment before you can access your files and programs again. Which of the following terms best matches the definition?
Ransomware
Your team has won a contract to infiltrate an organization. The company wants to have the attack be a realistic as possible; therefore, they did not provide any information besides the company name.What should be the first step in security testing the client?
Reconnaissance
A security analyst is performing an audit on the network to determine if there are any deviations from the security policies in place. The analyst discovers that a user from the IT department had a dial-out modem installed. Which is security policy it must the security analyst check to see if dial-out modems are allowed?
Remote access policy
Which of the following security policies define the use of VPN for gaining access to an internal corporate network?
Remote access policy
Which results will be returned with the following Google search query? site:target.com site:Marketing.target.com accounting
Results matching "accounting" in domain target.com but not on the site Marketing.target.com
Which of the following security operations is used for determining the attack surface of an organization?
Running a network scan to detect network services in the corporate DMZ
The establishment of a TCP connection involves a negotiation called 3 way handshake. What type of message sends the client to the server in order to begin this negotiation?
SYN
You are doing an internal security audit and you want to find out what ports are open on all the servers. What is the best way to find out?
Scan servers with Nmap
Which of the following is a low-tech way of gaining unauthorized access to system?
Social engineering
Which of the following is the BEST way to defend against network sniffing?
Using encryption protocols to secure network communications
In IPv6 what is the major difference concerning application layer vulnerabilities compared to IPv4?
Vulnerabilities in the application layer are independent of the network layer. Attacks in mitigation techniques are almost identical.
Which system consists of a publicly available set of databases that contain a domain name registration contact information?
WHOIS
Session splicing is an IDS evasion technique in which an attacker delivers data in multiple, small size packets to the target computer, making it very difficult for an IDS to detect the attack signatures.Which tool can be used to perform session splicing attacks?
Whisker
The network administrator contacts you and tells you that she noticed the temperature of the internal wireless router increases by more than 20% during weekend hours when the office was closed. She asks you to investigate the issue because she is busy dealing with a big conference and she doesn't have time to perform the task. What tool can you use to view the network traffic being sent and received by the wireless router?
Wireshark
This phase will increase the odds of success in later phases of the penetration test. It is also the very first step in Information Gathering, and it will tell you what the "landscape" look like. What is the most important phase of ethical hacking in which you need to spend a considerable amount of time?
footprinting
Which Metasploit Framework tool can help penetration tester for evading Anti-virus Systems?
msfencode
You have successfully comprised a server having an IP address of 10.10.0.5. You would like to enumerate all machines in the same network quickly. What is the best nmap command you will use?
nmap -T4 -F 10.10.0.0/24
Which of the following will perform an Xmas scan using NMAP?
nmap -sX 192.168.1.254
The configuration allows a wired or wireless network interface controller to pass all traffic it receives to the central processing unit (CPU), rather than passing only the frames that the controller is intended to receive. Which of the following is being described?
promiscuous mode
When you are collecting information to perform a data analysis, Google commands are very useful to find sensitive information and files. These files may contain information about passwords, system functions, or documentation. What command will help you to search files using Google as a search engine?
site: target.com filetype:xls username password email
You are a Network Security Officer. You have two machines. The first machine (192.168.0.99) has snort installed, and the second machine (192.168.0.150) has kiwi syslog installed. You performed a syn scan in your network, and you noticed that kiwi syslog is not receiving the alert message from snort. You decide to run wireshark in the snort machine to check if the message are going to the kiwi syslog machine.What wireshark filter will show the connections from the snort machine to kiwi syslog machine?
tcp.dstport==514 && ip.dst == 192.168.0.150 B. tcp.srcport==514 && ip.src == 192.168.0.150
As an Ethical Hacker you are capturing traffic from your customer network with Wireshark and you need to find and verify just SMTP traffic. What command in Wireshark will help you to find this kind of traffic?
tcp.port eq 25
Which of the following is a command line packet analyzer similar to GUI-based Wireshark?
tcpdump
Which of the following tools can be used for passive OS fingerprinting?
tcpdump
Nation-state threat actors often discover vulnerabilities and hold on the them until they want to launch a sophisticated attack. The Sutxnet attack was an unprecedented style of attack because it used four types of vulnerability. What is this style of attack called?
zero-day
You are tasked to perform a penetration test. While you are performing information gathering, you find an employee list in Google. You find the receptionist's email, and you send her an email changing the source email to her boss's email (boss@company). In this email, you ask for a pdf with information. She reads your email and sends back a pdf with links. You exchange the pdf links with your malicious links (these links contain malware) and send back the modified pdf, saying that the links don't work. She reads your email, opens the links, and her machine gets infected. You now have access to the company network.What testing method did you use?
Social engineering
During a blackbox pen test you attempt to pass IRC traffic over port 80/TCP from a compromised web enabled host. The traffic gets blocked; however, outbound HTTP traffic is unimpeded. What type of firewall is inspecting outbound traffic?
Stateful
Which of the following types of firewalls ensures that the packets are part of the established session?
Stateful inspection firewall
A DNS zone transfer is used to do which of the following?
Synchronize server information
If the tester is attempting to ping a target that exists but receives no response or a response that states the destination is unreachable, ICMP may be disabled and the network may be using TCP. Which other option could the tester use to get a response from a host using TCP?
TCP ping
Jimmy is standing outside a secure entrance to a facility. He is pretending to having a tense conversation on his cell phone as an authorized employee badges in. Jimmy, while still on the phone, grabs the door as it begins to close. What just happened?
Tailgating
A penetration tester is conducting a port scan on a specific host. The tester found several ports open that were confusing in concluding the operating system (OS) version installed. Considering the NMAP result below, which of the following is likely to be installed on the target machine by the OS? Starting NMAP 5.21 at 2011-0315 11:06 NMAP scan report for 172.16.40.65 Host is up (1.00s latency). Not shown: 993 closed ports PORT STATE SERVICE 21/tcp open ftp 23/tcp open telnet 80/tcp open HTTP 139/tcp open netbios-ssn 515/tcp open 631/tcp open lpp 9100/tcp open MAC address: 00:00:48:0d:EE:8
The host is likely a printer
A penetration tester is conducting a port scan on a specific host. The tester found several ports opened that were confusing in concluding the OS version installed. Considering the NMAP result below, which of the following is likely to be installed on the target machine by the OS? Starting NMAP 5.21 at 2011-03-15 11:06 NMAP scan report for 172.16.40.65 Host is up (1.00s latency). Not shown: 993 closed ports PORT STATE SERVICE 21/tcp open ftp 23/tcp open telnet 80/tcp open http 139/tcp open netbios-ssn 515/tcp open 631/tcp open ipp 9100/tcp open MAC Address: 00:00:48:0D:EE:8
The host is likely a printer.
The "gray box testing" methodology enforces what kind of restriction?
The internal operation of a system is only partly accessible to the tester
Firewalk has just completed the second phase (the scanning phase) and a technician receives the output shown below. What conclusions can be drawn it based on the scan results? TCP port 21 - no response TCP port 22 - no response TCP port 23 - Time-to-live exceeded.
The scan on port 23 passed through the filtering device. This indicates the port 23 was not blocked at thefirewall.
What is the benefit of performing an unannounced Penetration Testing?
The tester will have an actual security posture visibility of the target network
What does a firewall check to prevent particular ports and applications from getting packets into an organization?
Transport layer port numbers and application layer headers
Jesse receives an email with an attachment labeled "Court_Notice_21206.zip". Inside the zip is a file named "Court_Notice_21206.docx.exe" disguised as a word document. Upon execution, a window appears stating, "This word document is corrupt." In the background, the files copies itself to Jesse APPDATA\local directory and begins to beacon to a C2 server to download additional malicious binaries. What type of malware has Jesse encountered?
Trojan
Which of the following viruses tries to hide from antivirus programs by actively altering and corrupting the chosen service call interruptions when they are being run?
Tunneling virus
Which of the following is an extremely common IDS evasion technique in the web world?
Unicode Charcters
In order to have a an anonymous Internet surf, which of the following is best choice?
Use TOR network with multi-node
Your company was hired by a small healthcare provider to perform a technical assessment on the network.What is the best approach for discovering vulnerabilities on a Windows-based computer?
Use a scan tool like Nessus
What mechanism in Windows prevents a user from accidentally executing a potentially malicious batch (.bat) or PowerShell (.ps1) script?
User Access Control (UAC)
Enumeration is useful to system hacking because it provides which of the following?
Usernames