Final Study Guide
Which Linux folder holds the password and shadow files?
/etc
A security professional gains access to a SAM file that is protected with SYSKEY and wants to use a program named Syscraker to decrypt the SAM file and run the hashes through a password cracker. How many bits does SYSKEY use for encryption?
128
The IP address 132.58.90.55/20 is given for a machine your team is to test. Which of the following represents an address within the same subnet?
132.58.88.254
A junior security employee tells you a web application has halted. An examination of the syslog shows an entry from the web application indicating the canary word has been altered. What does this message indicate?
A buffer overflow was attempted but failed
Which of the following has a database containing thousands of signatures used to detect vulnerabilities in multiple operating systems?
Nessus
While pen testing a client, you discover that LM hashing, with no salting, is still engaged for backward compatibility on most systems. One stolen password hash reads 9FAF6B755DC38E12AAD3B435B51404EE. Is this user following good password procedures?
No, the hash reveals a seven-character-or-less password has been used
What is the difference between offline attack and nonelectronic attack for password attack?
Offline attack uses password cracking tools on hashed passwords, while nonelectronic attack uses social engineering
Which of the following HTTP method is used to send data in HTTP request body?
POST
Considering making a password that is not easy for cracking, which of the following is the most important for making a strong password?
Password length
What kind of attack is made through the above URL?
Path traversal
Which of the following are true regarding a pen test? (Choose all that apply)
Pen tests may include unannouced attacks against the network Pen tests always have a scope
Cleaning registry entries and removing uploaded files and tools are part of which phase of a pen test?
Post-attack
In which phase of a pen test would you compile a list of vulnerabilities found?
Post-attack
In which phase of a pen test is scanning performed?
Pre-attack
What are the three phases of a pen test?
Pre-attack, attack, post-attack
What marks the major difference between a hacker and an ethical hacker (pen test team member)?
Predefined scope and agreement made with the system owner
In the "Gaining Access" phase, the attacker tries to do what?
Privilege escalation Password cracking
Which of the following challenges can be solved by firewalls?
Protection against scanning
Web application are used to
Provide dynamic content
A _____________ is an offline attack.
Rainbow attack
What type of database uses multiple tables linked together in complex relationships?
Relational
Metasploit is a framework allowing for the development and execution of exploit code against a remote host and is designed for use in pen testing. The framework consists of several libraries, each performing a specific task and set of functions. Which library is considered the most fundamental component of the Metasploit framework?
Rex
Which of the following is another name for a record in a database?
Row
A _______________ is a file used to store passwords
SAM
can be used to attack databases
SQL injection
Which of the following statements is (are) true?
SQL injection is an example of injecting into interpreted context Injecting via Perl an example of injecting into interpreted context
______________ is used to partially encrypt the SAM
SYSKEY
NTLM provides what benefit versus LM?
Security
Which security assessment is designed to check policies and procedures within an organization?
Security audit
Which character is the best choice to start an SQL injection attempt?
Single quote
Which of the following would be considered a passive online password attack?
Sniffing subnet traffic to intercept a password
A security staff is preparing for a security audit and wants to know if additional security training for the end user would be beneficial. Which of the following methods would be the best option for testing the effectiveness of user training in the environment?
Social Engineering
A pen test member is experimenting with a web form on a target website and receives the following error message:Microsoft OLE DB Provider for ODBC Drivers error '80040e08' [Microsoft] {OBDC SQL Server Driver}What might this error indicate?
The application may be vulnerable to SQL injection
Additionally, no alerts have displayed in the Snort logs concerning a possible attack on the web application. Which of the following might explain the attack in play?
The attacker has copied the source code to his machine and altered hidden fields to modify the purchase price of the items
A security administrator monitoring logs comes across a user login attempt that reads "UserJoe)(&)." What can you infer from this username login attempt?
The attacker is attempting LDAP injection
You are examing IDS logs and come accross the following entry:Mar 20 10:31:07 (1123): IDS1661/NOPS-x86: 64.118.55.64:1146->192.168.119.56:53What can you infer from this log entry?
The attacker is attempting a buffer overflow against 192.168.119.56
In LM hash, if you see second half of the hash value is AAD3B435B51404EE, what does it mean?
The password is only 7-char long
Two pen testers are attempting to crack hash values found in a password file. The first tester uses a rather large file containing a list of possible passwords. The second uses a similar list but configures the cracker to substitute numbers and symbols. Which of the following statements is true?
The second tester is performing a hybrid attack
The attacker then clicks the Search button and a pop-up appears stating "It Worked." What can you infer from this?
The site is vulnerable to XSS.
There are 5 folder like structures displayed at the top level of Windows registry. What are these?
These are root level keys
What will happen when someone supplies the following username and any password (in HTML page username and password text box fields): admin'--
This user can log in as admin assuming admin is a user in the system
Which of the following causes a potential security breach?
Threat
Which type of security assessment notifies the customer of vulnerabilities but does not actively or intentionally exploit them?
Vulnerability assessment
Which command is used to query data in SQL Server?
WHERE SELECT from
SOAP is used to package and exchange information for web services. What does SOAP use to format this information?
XML
How can you mitigate XSS vulnerabilities?
You can filter user input at server side by using input validation Database query output data should be HTML-encoded to sanitize potentially malicious chars Do not insert untrusted user input data into your HTML document
Where is SAM file stored on Windows PC?
\Windows\system32\config
You decided to hide a few files from casual browsing on a Windows XP box. Which command will successfully engage the hidden attribute on file.txt?
attrib +h file.txt
A malicious file has been hidden inside a text file on the system. Which command would be used to extract the malicious file for use on the system?
cat filename.txt$badfile.exe > badfile.exe
You want to assign all privileges to the user, only read and write to the group, and only read access for all others for file1. Which command will accomplish this?
chmod 764 file1
which command is used to remove a table from a database?
drop table
Which command can be used to access the command prompt in SQL Server?
xp_cmdshell
What is the phase after "Gaining Access" in system attack phases?
Maintaining access
What can an error message tell an attacker?
All of the above
Which of the following tests is generally faster and costs less but is susceptible to more false reporting and contract violation?
Automatic
Which Metasploit payload type operates via DLL injection and is difficult for antivirus software to pick up?
Meterpreter
Alternate Data Streams (ADS) requires what to be present?
NTFS
Input validation is used to prevent which of the following
Bad input SQL injection
You have successfully acquired a copy of the password hashes from a Windows XP box. In previous enumerations, you've discovered the network policy requires complex passwords of at least eight characters. Which of the following offline password attacks would be best suited to discovering the true passwords?
Brute force
How is a brute-force attack performed?
By trying all possible combinations of characters
Where is the SAM file stored on a Windows 7 system?
C:\Windows\System32\Config
Which of the following is a scripting language?
CGI
EC-Council defines six stages of scanning methodology. Which of the following correctly lists the six steps?
Check for live systems, check for open ports, perform banner grabbing, scan for vulnerabilities, draw network diagrams, prepare proxies
Databases can be a victim of code exploits depending on
Configuration
Which of the following would be a good choice for an automated penetration test? (Choose all that apply)
Core Impact CANVAS
Alternate Data Streams are supported in which file system?
NTFS
If a domain controller is not present, what can be used instead?
NTLMv2
SQL injection attacks are aimed at which of the following?
Databases
http://www.example.com/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/windows\system32\cmd.exeWhat type of attack is in use?
Directory traversal
What type of database has its information spread across many disparate systems
Distributed
What is the main problem that Kerberos solved?
Doing authentication without transferring password in cleartext over the network
Which of the following may be effective countermeasures against an inside attacker?
Enforce elevated privilege control Secure all dumpsters and shred collection boxes Enforce good physical security practice and policy Perform background checks on all employees
Which of the following would you find in a final report from a full penetration test? (Choose all that apply)
Executive summary A list of findings from the test The names of all the participants
As HTTP POST can send HTML form data in HTTP request body, it is great for transferring data to the web server. Thus HTTP POST is a secure way to transfer data and HTTP GET is not a secure way to transfer data. Is the above statement true?
False
You can do this by scanning the URL only once and removing ../ or ..\ from the URL in web application code. Is the above statement true?
False
Which of the following would be considered an active online password attack?
Guessing passwords against an IPC$ share
A _____________ is used to store a password in a format that is not easily reversible.
Hash
Browsers do not display
Hidden fields
Joe is part of a penetration test team and is starting a test. The client has provided him a system on one of their subnets but did not provide any authentication information, network diagrams, or other notable data concerning the systems. Which type of test is Joe performing?
Internal, black box
What is inside a Makefile?
It has instruction/scripts for compiling source code
When sending data to web server using HTTP GET method, where is the data in HTTP request?
It is part of the URL
XSS attack can be used to steal the session token of a legitimate user. What is session token?
It is usually browser cookie
When a user searches for all books published by Wiley, the application performs the following query on its backend database
It return a list of books published by all publishers, not just Wiley
Which system should be used instead of LM or NTLM?
Kerberos
A _____________ is a hash used to store passwords.
LM
On newer Windows systems, what hashing mechanism is disabled?
LM
Which of the following Windows password hashing scheme is the weakest?
LM hash
An administrator installs IIS with all default settings. A pen tester is successful in running a buffer overflow attack, and the server spawns a shell for his use. Under which privileges will the shell run?
LOCAL SYSTEM
A good defense against password guessing is __________
Long and complex passwords
Which hash algorithm is used by NTLMv2?
MD5
