ITN 261 - Midterm Review
What is the difference between a false positive and a false negative? A false positive indicates a finding that doesn't exist, while a false negative doesn't indicate a finding that does exist. A false positive indicates a finding that does exist, while a false negative doesn't indicate a finding that doesn't exist. A false positive doesn't indicate a finding that does exist, while a false negative does indicate a finding that doesn't exist. A false negative does indicate a finding that doesn't exist, while a false positive doesn't indicate a finding that does exist.
A. A false positive is when a finding is identified when it doesn't actually exist. A false negative is when there is no finding identified but, in fact, there is a vulnerability. A true positive is when a finding is identified that is a vulnerability. A true negative is when a finding isn't identified and there is no known vulnerability.
Which of these devices would not be considered part of the Internet of Things? Smartphone Thermostat Light bulb Set-top cable box
A. A thermostat is an embedded device without a traditional user interface. A light bulb would have no user interface, even if it has network capabilities. A set-top cable box would have a custom interface and not a general-purpose one. The only device here that is a general-purpose computing platform with a traditional user interface—screen and keyboard—is the smartphone, so it isn't part of the IoT
What is it called when you obtain administrative privileges from a normal user account? Privilege escalation Account migration Privilege migration Account escalation
A. Account migration, privilege migration, and account escalation are vague and don't have clearly defined definitions, even if they may exist. Privilege escalation, on the other hand, is used to gain elevated privileges when you only have the permissions of a normal user.
What would an attacker use an alternate data stream on a Windows system for? Hiding files Running programs Storing PowerShell scripts Blocking files
A. Alternate data streams are a function of the New Technology File System (NTFS), created to support the resource forks of Apple's file system in Windows NT. Since many of the utilities and programs in Windows don't natively understand alternate data streams, they can't make use of them and won't show them. The file can be accessed if the user knows how to display and manipulate the alternate data streams.
What strategy does a local, caching DNS server use to look up records when asked? Recursive Serial Combinatorics Bistromathics
A. DNS requests from a local caching server start with the cache, then move to root servers and then subsequent servers, always getting closer to the final destination. This process of asking a question, getting an answer, and asking again using the new information is called recursion. Neither serial nor combinatorics make sense in this context, and bistromathics is a field of study invented by Douglas Adams for the book Life, the Universe and Everything.
What is one reason for using a scan like an ACK scan? It may get through firewalls and IDS devices. It is better supported. The code in nmap is more robust. An ACK scan is needed for scripting support.
A. Evasion is an important concept. You may spend a lot of time working on evading detection or getting blocked. Since an ACK without an open connection is aberrant, the firewall or IDS may ignore it, avoiding detection. As a result, you may be able to get ACK messages through. ACK scans are not better supported. In fact, there is really no support from the network stack for an ACK scan. The code is no more robust in nmap for an ACK scan than other scans, or at least there is no evidence of that being the case. ACK scans are not needed for scripting support.
What is the process Java programs identify themselves to if they are sharing procedures over the network? RMI registry RMI mapper RMI database RMI process
A. Interprocess communications across systems using a network is called Remote Method Invocation. The process with which programs have to communicate to get a dynamic port allocation is the RMI registry. This is the program you query to identify services that are available on a system that has implemented RMI.
If you were looking for the definitive documentation on a protocol, what would you consult? Request for Comments Manual pages Standards IEEE
A. Manual pages provide documentation for commands and programs. IEEE is the Institute for Electrical and Electronics Engineers, which does manage some protocols but isn't documentation itself. Standards on the Internet are actually uncommon and only happen after a very long period of time. The best place to find definitive documentation about protocols seen on the Internet is in the Request for Comments (RFC) documents.
If you found a colleague searching at pgp.mit.edu, what would they likely be looking for? Email addresses Company keys Executive names Privacy policies
A. PGP uses public servers and shared verification to store and validate keys and key ownership. Keys are owned by individuals, as a general rule. If someone were searching at pgp.mit.edu, they would likely be looking for people and, most specifically, email addresses.
What is are RPCs primarily used for? Interprocess communications Interprocess semaphores Remote method invocation Process demand paging
A. Remote procedure calls are a way for processes on one system to communicate with processes on another system. This does not preclude two processes on the same system communicating, of course. Semaphores are another concept in computer science that can enable interprocess communication. Remote method invocation is a way for Java programs to implement interprocess communications. Process demand paging isn't a thing.
How would you calculate risk? Probability * loss value Probability * mitigation factor (Loss value + mitigation factor) * (loss value/probability) Probability * mitigation factor
A. Risk is the probability of the occurrence of an event multiplied by the dollar value of loss. There is no mitigation factor that is quantified, so it could be put into a risk calculation.
Which of these is an example of an application layer gateway? Web application firewall Runtime application self-protection Java applet Intrusion prevention system
A. Runtime application self-protection is a plug-in used on an application server to prevent bad messages from impacting the application. A Java applet is an implementation of a Java program. An intrusion prevention system is used to detect and block potential intrusions. A web application firewall, however, makes decisions based on Application layer traffic and will either allow or block that traffic. This makes it an Application layer gateway.
What would you use a security information event manager for? Aggregating and providing search for log data Managing security projects Escalating security events Storing open-source intelligence
A. Security information event managers are used to aggregate event data, such as log information. Once the data has been aggregated, it can be searched and correlated. Even though it's called an event manager, it isn't used to manage security projects, nor is it used to escalate security events. Other tools can be used to gather and store open-source intelligence.
You see the following text written down—port:502. What does that likely reference? Shodan search IO search p0f results RIR query
A. Shodan is a website you would use to look for IoT devices. The query language is similar to that used by Google, except it has additional keywords that could be used to identify network traffic. This may include port numbers. p0f is used for passive network traffic analysis. You might query an RIR for information about an IP address block. The domain name for Shodan is shodan.io, but there is no IO search.
What is the purpose of a security policy? To provide high-level guidance on the role of security To provide specific direction to security workers To increase the bottom line of a company To align standards and practices
A. Standards and practices should be derived from a security policy, which is the high-level guidance on the role of security within an organization. Security does not generally increase the bottom line of a company. Policies are not for providing specific directions, which would be the role of procedures.
What is one outcome from process injection? Hidden process Rootkit Alternate data streams Steganography
A. Steganography is the process of hiding data inside of other data, such as media files like MP3s, WAVs, or video files. An alternate data stream is a secondary data stream attached to a filename in the NT file system. A rootkit can be used to hide processes. It may use process injection but wouldn't be the outcome from process injection. When you inject into a process, you are putting executable operations you have created into the space of another executable. The end result could be an execution thread running your code without any new process name indicating it was running.
Which of these could you enumerate on a WordPress site using wpscan? Plug-ins Posts Administrators Versions
A. The program wpscan can be used to enumerate themes, users, and plug-ins. It can't be used to enumerate administrators, specifically. It also can't be used to enumerate posts, and since there would only be a single version, you wouldn't enumerate versions.
What status code will you get if your attempt to use the VRFY command fails? 550 501 250 200
A. The status code you would get if your VRFY command failed against an SMTP server is 550. 200 is the status code for success with a web server. The other codes are not valid in this context.
What is one reason a UDP scan may take longer than a TCP scan of the same host? UDP will retransmit more. UDP has more ports to scan. UDP is a slower protocol. UDP requires more messages to set up.
A. There is no defined response to a message to a UDP port. It is left entirely up to the application. Since a lack of response can mean the message never reached its recipient, the scanning system has to retransmit to closed ports. UDP is generally quicker than TCP because of a lack of overhead, it requires no messages to set up, and it has the same number of ports as TCP.
If you were to notice operating system commands inside a DNS request while looking at a packet capture, what might you be looking at? Tunneling attack DNS amplification DNS recursion XML entity injection
A. Tunneling attacks can be used to hide one protocol inside another. They may be used to send operating system commands using a tunnel system. A DNS amplification attack is where a small DNS request results in much larger responses sent to the target. DNS recursion is used to look up information from DNS servers. An XML entity injection attack is a web-based attack and wouldn't be found inside a DNS request.
If you wanted to locate detailed information about a person using either their name or a username you have, which website would you use? peekyou.com twitter.com intelius.com facebook.com
A. Twitter and Facebook are social networking sites. While you may be able to locate someone using a username, you may not be able to get detailed information about the user. Intelius is a person search site, and you can get detailed information there, but you can't search by username. PeekYou is a web site that will allow you to search for people by either name or username.
If you needed to enumerate data across multiple services and also store the data for retrieval later, what tool would you use? Metasploit Nmap RMI Postgres
A. While nmap is an excellent program in its own right and can be used to enumerate data across multiple services, it doesn't store data for retrieval later without some additional help. Metasploit can also be used to enumerate data across multiple services and also uses a database on the backend to store data to be retrieved later. RMI is Remote Method Invocation, a way to implement interprocess communications across a network. Postgresql is the database server commonly used underneath Metasploit. Postgres is a much older version of what is now PostgreSQL.
Which of these techniques might be used to maintain access to a system? Run key in the Windows Registry Alternate data stream .vimrc file on Linux PowerShell
A. You may use a PowerShell script to perform functions that could support persistence on a system, but the PowerShell script alone won't be used to maintain access. Alternate data streams won't be of any use for maintaining access, and a .vimrc file is a startup file for the Vi editor. The run key in the Windows Registry, though, could be used to put an entry in that would run a program automatically that could make sure an attacker could get access even after a reboot.
If you were to see the subnet mask 255.255.252.0, what CIDR notation (prefix) would you use to indicate the same thing? /23 /22 /21 /20
B. A /23 network would be 255.255.254.0. A /21 would be 255.255.248. A /20 would be 255.255.240.0. Only a /22 would give you a 255.255.252.0 subnet mask.
What is nmap looking at when it conducts a version scan? TCP and IP headers Application banners Operating system kernel IP ID and TCP sequence number fields
B. A version scan with nmap is looking to identify versions of the services/applications running on the target. The kernel is identified with an OS scan. TCP and IP headers don't provide application versions. The IP ID field and TCP sequence number fields don't provide version information either.
What type of attack is a compromise of availability? Watering hole DoS Phishing Buffer overflow
B. A watering hole attack looks to compromise a system that visits a website. A phishing attack looks to gather information from victims, potentially by compromising the victim's system. A buffer overflow attack tries to introduce code provided by the attacker. A denial of service attack, however, has the intention of making a service unavailable for users.
How would you ensure that confidentiality is implemented in an organization? Watchdog processes Encryption Cryptographic hashes Web servers
B. Confidentiality is keeping secret information secret, which means unauthorized users can't access it. Encryption is a good way to keep unauthorized users from data because in order to get to the data, they need to have the key. Watchdog processes are used to ensure that programs remain running. Cryptographic hashes are used to verify the integrity of data. Web servers are used to serve up information.
If you were checking on the IP addresses for a company in France, what RIR would you be checking with for details? ARIN RIPE AfriNIC LACNIC
B. France is in Europe, and as such, it falls under the jurisdiction of RIPE. ARIN handles North America. AfriNIC handles Africa, and LACNIC handles Latin America and parts of the Caribbean.
What order, from bottom to top, does the TCP/IP architecture use? Network Access, Network, Transport, Application Link, Internet, Transport, Application Physical, Network, Session, Application Data Link, Internet, Transport, Application
B. From top to bottom, the TCP/IP architecture is Link, Internet, Transport, and Application. B is the only answer that reflects that.
What would be necessary for a TCP conversation to be considered ESTABLISHED by a stateful firewall? Final acknowledgment message Three-way handshake complete Sequence numbers aligned SYN message received
B. In TCP, a three-way handshake is used to synchronize sequence numbers and establish a connection. While the sequence numbers are shared, they wouldn't be called aligned, which might suggest that each end was using the same sequence number. A SYN message is part of the three-way handshake, but it is not sufficient to establish a connection. Option A, "Final acknowledgment message," is ambiguous. It could refer to the acknowledgment to a FIN message, closing the connection.
What does John the Ripper's single crack mode, the default mode, do? Checks every possible password Uses known information and mangling rules Uses a built-in wordlist Uses wordlist and mangling rules
B. Incremental mode in John will run an attack in which it will try every possible password within specified parameters, meaning John will generate the passwords. The default mode in John is single crack mode, which uses information including the username and the home directory to generate a password using mangling rules. Incremental mode does not use wordlists, though John does support the use of wordlists.
What would you use a job listing for when performing reconnaissance? Executive staff Technologies used Phishing targets Financial records
B. It would be unusual to find executive staff identified in a job listing. It may be possible to get phishing targets, but it's not guaranteed, and a single individual usually isn't identified. No financial records would be available in a job listing. Technologies used at a company, though, would be identified in order to ensure that the applicant has the right experience.
What could you use to obtain password hashes from a compromised system? John the Ripper Mimikatz Rainbow tables Process dumping
B. John the Ripper and Rainbow tables are tools for cracking passwords, not gathering or obtaining password hashes. Process dumping could possibly yield passwords associated with a certain process/application. However, you may not get password hashes, depending on how the passwords are maintained in memory. Process dumping is taking the memory space of a process and writing it out to disk for analysis. Mimikatz is a utility and Metasploit module that could be used to extract passwords from a compromised system.
What would you get from running the command dig ns domain.com? Mail exchanger records for domain.com Name server records for domain.com Caching name server for domain.com IP address for the hostname ns
B. Mail exchanger records would be identified as mx records. A name server record is identified with the tag ns. While an enterprise may have one or even several caching name servers, the caching name server wouldn't be said to belong to the domain because it doesn't have any domain identification associated with it.
What is it called when you manipulate the time stamps on files? Time stamping Timestomping Meta stomping Meta manipulation
B. Manipulating time stamps on files is called timestomping. It is used to set file times, which may be used to throw off investigations or identify intrusions. None of the other answers are real things.
What would you use MegaPing for? Running exploits Running a port scan Issuing manual web requests Crafting packets
B. MegaPing can be used to perform a lot of different functions, but crafting packets, sending manual web requests, and running exploits are not functions it supports. It can, though, run a port scan.
Which of these tools allows you to create your own enumeration function based on ports being identified as open? Metasploit Nmap Netcat nbtstat
B. Metasploit can be extended with user-created programs. However, you wouldn't call a Metasploit module based on ports being open. Netcat doesn't do any enumeration, and nbtstat is a Windows program that can't be extended. Nmap can be extended with user-written scripts. An nmap script includes a port registration so nmap knows to call that script when specific ports are found to be open.
What application would be a common target for client-side exploits? Web server Web browser Web application firewall Web pages
B. Of all of the options presented, only the web browser exists on the client side. By definition, the web server is on the server. A web application firewall is placed with the server to protect the server from Application layer attacks. Web pages are hosted on a web server. They are not a target for client-side exploits, though they would be used to carry out those attacks.
What does pivoting on a compromised system get you? Database access A route to extra networks Higher level of privileges Persistent access
B. Pivoting is the process of using a compromised system to move onto other systems and networks within the target environment. Pivoting does not get you higher-level permissions or persistent access. You may ultimately get to a database server by pivoting, but that's not what pivoting does or is specifically used for. It would be a nice side effect of pivoting.
Which of these may be considered an evasive technique? Scanning nonstandard ports Encoding data Using a proxy server Using nmap in blind mode
B. Scanning nonstandard ports isn't evasive. It's just as noisy as, and potentially more detectable than, scanning standard ports. You could use a proxy for some tasks, but all it would do would be to hide your own IP address, which isn't evasive. You could still be blocked or detected. Nmap does not have a blind mode. When you encode data, though, you make it harder for the firewall or IDS to identify something bad that may be happening, since these devices can't read the messages coming through.
The UDP headers contain which of the following fields? Source address, destination address, checksum, length Destination port, source port, checksum, length Flags, source port, destination port, checksum Length, checksum, flags, address
B. The IP headers include addresses. UDP headers use ports. TCP headers use flags, but UDP headers do not. The UDP headers have the source and destination port fields along with checksum and length.
What tool does a Java program need to use to implement remote process communication? JRE rmic rmir JDK
B. The JRE is the Java runtime environment and is necessary to run Java programs. The JDK is the Java development kit and is necessary to develop Java programs. The program rmic is used to create RMI programs. It creates the stubs necessary for RMI to function. rmir isn't anything.
What is the SMB protocol used for? Data transfers using NFS Data transfers on Windows systems Data transfers for email attachments Data transfers for Windows Registry updates
B. The Server Message Block (SMB) protocol is used for multiple functions on Windows networks. One of them is to transfer files (data) from one system to another. Email attachments would be transmitted using SMTP. NFS manages its own data transfer when files are being copied from one system to another. There are no data transfers specifically for Windows Registry updates.
What would you use the program rtgen for? Generating wordlists Generating rainbow tables Generating firewall rules Persistent access
B. The program rtgen is a program that is part of the rcrack suite. rcrack is used to crack passwords with rainbow tables. It is used to generate the rainbow tables that rcrack will use to crack passwords. Rainbow tables are not wordlists but mappings of plaintext passwords to hashes, which makes it much easier to get passwords from hashes.
What program would you use to enumerate services? smbclient Nmap enum4linux snmpwalk
B. The programs smbclient and enum4linux may be used to enumerate information using SMB. The program snmpwalk can be used to enumerate information over SNMP. Nmap, though, can be used to enumerate services running on all the systems on a network.
Which header field is used to reassemble fragmented IP packets? Source address IP identification Don't fragment bit Acknowledgment field
B. The source address is used as the address to send back to on the response, making it the destination address. The don't fragment bit is used to tell network devices not to fragment the packet. The acknowledgment field is part of the TCP header and not the IP header. The IP identification field is used to identify fragments of the same packet, as they would all have the same IP identification number.
What type of enumeration would you use the utility dirb for? Directory listings Directory enumeration Brute force dialing User directory analysis
B. The utility dirb uses a word list to attempt to enumerate directories available through a web server that may not be available by looking at all the pages and links in the site.
You find after you get access to a system that you are the user www-data. What might you try to do very shortly after getting access to the system? Pivot to another network Elevate privileges Wipe logs Exploit the web browser
B. When the Apache web server runs on a Linux system, it will commonly run as the user www-data. This is a privilege-restricted account that would prevent an attacker from doing much on the system. In order to do anything, like wiping log files or pivoting to another network, you would need to elevate privileges to administrative/root level. Exploiting the web browser wouldn't be done in this context. A web server more than likely wouldn't even have a web browser installed.
What information would you not expect to find in the response to a whois query about an IP address? IP address block Domain association Address block owner Technical contact
B. When you run a whois query against an IP address, you will get the block the address belongs to, the owner of the block, and the technical contact. You will also get address information and possibly additional information. You will not get an association between a domain and the address block. This may be something you might infer, but it is not something that the results provide for you.
Which of these services would be considered a storage as a service solution? Microsoft Azure iCloud Google Compute DropLeaf
B. While Microsoft Azure and Google Compute have storage capabilities, they aren't storage as a service solutions. Drop leaf is a type of table. Dropbox is a storage as a service solution. The only one listed here that is storage as a solution is iCloud, which is Apple's cloud storage platform.
What can an intrusion prevention system do that an intrusion detection system can't? Generate alerts Block or reject network traffic Complete the three-way handshake to bogus messages Log packets
B. While an intrusion prevention system can generate alerts, so can an intrusion detection system. Both systems may also be able to log packets, as needed. A bogus message likely wouldn't result in a completed three-way handshake, and the handshake shouldn't be completed anyway. An intrusion prevention system can, however, block or reject network traffic, while an intrusion detection system can't.
What social networking site would be most likely to be useful in gathering information about a company, including job titles? Twitter LinkedIn Foursquare Facebook
B. While the others may include details about companies, only LinkedIn is primarily used as a business social networking site. People who have profiles there would list job titles, and job searches would indicate openings, including job titles.
If you were to see the following command run, what would you assume? hping -S -p 25 10.5.16.2 Someone was trying to probe the web port of the target. Someone was trying to probe an email port on the target. Someone was trying to identify if SNMP was supported on 10.5.16.2. Someone had mistyped ping.
B. hping is a program used to send specially designed messages to a target. You use command-line parameters to tell hping what to include in the message being sent. The command hping -S -p 25 10.5.16.2 is used to have hping send SYN messages to port 25, the default SMTP port, at 10.5.16.2. It's possible that someone mistyped ping, but those parameters aren't used by ping programs, and since they are coherent for the action above, it makes more sense that they were trying to use hping. SNMP and web traffic both use different ports than port 25.
What technique would you ideally use to get all of the hostnames associated with a domain? DNS query Zone copy Zone transfer Recursive request
C. A DNS query can be used to identify an IP address from a hostname or vice versa. You could potentially use a brute force technique to identify hostnames, though you may not get everything using that method. A recursive request is common from a caching server to get an authoritative response. The term for getting all the contents of the zone is a zone transfer.
If you receive a RST packet back from a target host, what do you know about your target? The target is using UDP rather than TCP. The destination port is open on the target host. The source port in the RST message is closed. The target expects the PSH flag to be set.
C. A TCP scan sends messages to the target, expecting to get a response. With a SYN or full connect scan, the target will respond with a SYN/ACK message from an open port. With a closed port, the target will respond with a RST.
The DNS server where records for a domain belonging to an organization or enterprise reside is called the _________ server. Caching Recursive Authoritative Local
C. A local caching server is what most people use to perform DNS lookups from their systems in order to get better performance. Recursion is the process used to look up DNS addresses from a caching server. Eventually, the caching server would ask an authoritative server for the information.
Which information would a packet filter use to make decisions about what traffic to allow into the network? HTTP REQUEST message Ethernet type UDP source port SNMP OID
C. A packet filter would use layer 2/3/4 headers to make decisions. An HTTP REQUEST message is at the Application layer (layer 7). Ethernet type isn't used to make decisions in a packet filter. SNMP OID is also an Application layer message. A packet filter would, though, use source or destination ports, potentially, to make decisions about allowing or blocking a packet.
What are two advantages of using a rootkit? Installing alternate data streams and Registry keys Creating Registry keys and hidden processes Hiding processes and files Hiding files and Registry keys
C. A rootkit is a piece of malicious software that is used to accomplish several tasks. This may include hiding processes and files through the use of kernel-mode drivers or replaced system utilities. A rootkit may also provide a backdoor for attackers to maintain long-term access to the system after the initial compromise. None of the other answers are things that a rootkit does.
You've installed multiple files and processes on the compromised system. What should you also look at installing? Registry keys Alternate data streams Rootkit Root login
C. Attackers often install extra files and run extra processes on systems. These could easily be detected by manual investigation or, certainly, by automated detection tools. The way around that is to install a rootkit, which may include kernel-mode drivers or replacement system utilities that would hide the existence of these files and processes. Alternate data streams may be used to hide files but not processes. Registry keys could also hide files but not processes.
Why is it important to store system logs remotely? Local systems can't handle it. Bandwidth is faster than disks. Attackers might delete local logs. It will defend against attacks.
C. Commonly, system logs are stored on the system that generated the log message. Certainly local systems can handle the logs they have generated. Log messages don't typically consume a lot of space at an individual message level, so bandwidth isn't a problem. Transmitting over a network is generally not faster than moving data within local disks. System logs can be used in identifying attacks, but the logs won't defend against attacks. However, if an attacker does compromise a system, the attacker may delete the local logs because they could get access to them.
What would you use credentials for in a vulnerability scanner? Better reliability in network findings Authenticating through VPNs for scans Scanning for local vulnerabilities Running an Active Directory scan
C. Credentials wouldn't give better reliability in network findings, and vulnerability scanners don't typically provide a way to directly authenticate through a VPN. The VPN client would be expected to be running ahead of time if the network is behind the VPN. An Active Directory scan is a vague answer, and it may not be something you can do with a vulnerability scanner. If you provide credentials, though, the scanner can authenticate against systems on the network and check for local vulnerabilities.
Which of the following products might be used as an intrusion detection system? Elastic Stack Prewikka Snort Snorby
C. ElasticStack is an implementation of a security information event manager. Prewikka can be used along with an intrusion detection system as a dashboard. Snorby is an auxiliary program used with Snort. Snort is an intrusion detection program.
An intrusion detection system can perform which of the following functions? Block traffic Filter traffic based on headers Generate alerts on traffic Log system messages
C. Firewalls are used to block traffic into a network, though an intrusion prevention system will also block traffic. A packet filtering firewall uses header information, such as source and destination address and port, to determine whether to allow traffic into the network. Syslog and the Windows event subsystem can be used to log system messages. Intrusion detection systems can be used to generate alerts on traffic.
What would you be looking for with the following Google query? filetype:txt Administrator:500: Text files owned by Administrator Administrator login from file Text files including the text Administrator:500: 500 administrator files with text
C. Google uses the keyword filetype: to identify filename extensions that should be searched. Administrator: is not a keyword, which means Administrator:500: is the search term that Google would use along with the filetype of txt, which would mean text files.
If you were implementing defense in breadth, what might you do? Install multiple firewalls Install intrusion detection systems Introduce a DevSecOps culture Ensure policies are up to date
C. Installing multiple firewalls and intrusion detection systems and ensuring that policies are up to date are all elements of a defense in depth approach. Introducing a DevSecOps culture may be an attempt to reduce the number of vulnerabilities and also get them resolved more quickly. As such, it might be considered defense in breadth.
If you were looking for detailed financial information on a target company, with what resource would you have the most success? LinkedIn Facebook EDGAR MORTIMER
C. LinkedIn is typically used for business networking, but there wouldn't be much in the way of detailed financial information there. Facebook is a social networking site, commonly used by people for social interaction. EDGAR is the database that is maintained by the SEC and includes filing information from public companies. MORTIMER is a joke. Bonus points if you recognize what the joke is.
Which of these is a reason to use an exploit against a local vulnerability? Pivoting Log manipulation Privilege escalation Password collection
C. Local vulnerabilities are used against applications that are not listening on the network. This means they require you to be "local" to the machine and not remote. In other words, you have to be logged in somehow. A local vulnerability would not be used to collect passwords; you don't need a vulnerability to do that. Similarly, you don't need to make use of a vulnerability to manipulate logs or to pivot. Most of those would require you to have elevated permissions, though. A local vulnerability may be exploited to get you those elevated permissions.
Which of these would be a way to exploit a client-side vulnerability? Sending malformed packets to a web server Sending large ICMP packets Sending a crafted URL Brute-force password attack
C. Malformed packets could potentially cause a failure or trigger a vulnerability on the server side. Large ICMP packets aren't likely to do anything and certainly wouldn't exploit a client-side vulnerability. A brute-force password attack isn't exploiting a vulnerability, even if it is an attack technique. Sending a crafted URL could potentially exploit a client-side vulnerability in a web browser.
If you were looking up information about a company in New Zealand, which RIR would you be looking in for data? AfriNIC RIPE APNIC LACNIC
C. New Zealand is located in Oceania, considered to be in the Pacific Rim. This means it falls under the Asia Pacific Network Information Center (APNIC). AfriNIC covers Africa. RIPE covers Europe, and LACNIC covers Latin America and parts of the Caribbean.
To remove malware from the network before it gets to the endpoint, you would use which of the following? Packet filter Application layer gateway Unified threat management appliance Stateful firewall
C. Packet filters are used to make block/allow decisions based on header data like source and destination address and port. Stateful firewalls add in the ability to factor in the state of the connection—new, related, established. An Application layer gateway knows about Application layer protocols. A unified threat management appliance adds additional capabilities on top of firewall functions, including antivirus.
Which of these passes objects between systems? SunRPC SMB RMI Nmap
C. RMI is a way to implement interprocess communications using Java. Since Java is an object-oriented programming language, it would transmit objects. SMB is the Server Message Block protocol. SunRPC does remote procedure calls but the data transmitted isn't object oriented. Nmap is a program used to scan ports.
What underlying functionality is necessary to enable Windows file sharing? Network File System Common Internet File System Remote procedure call Remote Method Invocation
C. SMB relies on remote procedure calls (RPCs) in order to function. The common Internet File System (CIFS) is an implementation of file sharing and system management using SMB. The Network File System (NFS) is a protocol that makes use of remote procedure calls. Remote Method Invocation (RMI) is a way to call procedures remotely over Java.
What additional properties does the Parkerian hexad offer over the CIA triad? Confidentiality, awareness, authenticity Utility, awareness, possession Utility, possession, authenticity Possession, control, authenticity
C. The Parkerian hexad takes the confidentiality, integrity, and availability of the CIA triad and adds utility, possession (or control), and authenticity.
Which of these addresses would be considered a private address (RFC 1918 address)? 172.128.10.5 9.10.10.7 172.20.128.240 250.28.17.10
C. The RFC 1918 address blocks are 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. The only address listed that fits into one of those address blocks is 172.20.128.240. The address block is 172.16.0.0-172.31.255.255.
What SMTP command would you use to get the list of users in a mailing list? EXPD VRFY EXPN VRML
C. The SMTP command used to expand a mailing list alias to get the underlying email addresses that belong to that mailing list or group is EXPN. VRFY is verify, and the other two are not valid SMTP commands.
What is an XMAS scan? TCP scan with SYN/ACK/FIN set UDP scan with FIN/PSH set TCP scan with FIN/PSH/URG set UDP scan SYN/URG/FIN set
C. The XMAS scan is a TCP scan that uses unusual flag settings in the TCP headers to attempt to evade firewalls or IDSs. The XMAS scan uses the FIN, PSH, and URG flags and is called an XMAS scan because it looks like the packet is lit up like a Christmas tree. None of the other answers match what an XMAS scan is.
What might an attacker be trying to do by using the clearev command in Meterpreter? Run an exploit Manipulate time stamps Manipulate log files Remote login
C. The clearev command is a Meterpreter command used to clear the Windows Event Viewer logs. While you may be able to manipulate time stamps and log files in Meterpreter, you wouldn't use the clearev command for that. The clearev command does not allow an attacker to log in remotely.
You are working with a colleague and you see them interacting with an email server using the VRFY command. What is it your colleague is doing? Verifying SMTP commands Verifying mailing lists Verifying email addresses Verifying the server config
C. The extended SMTP (ESMTP) protocol has a command that is abbreviated VRFY that is used to verify email addresses. A mail server may or may not have exposed this command, even if the server software supports ESMTP. Expanding mailing lists is EXPN. You wouldn't use VRFY for a mailing list in that same sense. The other two don't have specific commands that are specified in the SMTP protocol definition.
What is fragroute primarily used for? Altering network routes Capturing fragmented packets Fragmenting application traffic Fragmenting layer 2 and layer 3 headers
C. The program fragroute uses configuration statements to determine what should be done to packets destined for a specific host. This may include fragmenting application traffic as well as duplicating and delaying traffic. While there is a possibility of fragmenting layer 3 headers, if layer 2 headers were fragmented, there would be no way to get the message to the destination.
What is an advantage of using masscan over nmap? masscan has been around longer. Nmap is hard to use. masscan can scan more addresses faster. masscan has access to scan more of the Internet.
C. The program masscan is a port scanner, like nmap. However, masscan was developed to scan the entire Internet as quickly as possible. As a result, if speed is a consideration, and especially if you are scanning large address blocks, masscan is probably better suited for that task. Both nmap and masscan have access to the same address space, and masscan uses the same command-line parameters, for the most part, as nmap, so they are similarly easy to use. nmap has also been around for considerably longer, since the 1990s, than masscan has.
What are the three steps in the TCP handshake as described by the flags set? SYN, SYN/URG, RST RST, SYN, ACK SYN, SYN/ACK, ACK SYN, SYN/ACK, ACK/URG
C. The three-way handshake is used to establish a connection. The first message has the SYN flag set and includes the sequence number. The response from the server has the ACK flag set for the SYN message that was sent from the client. The acknowledgment number is set. Additionally, in the same message, the server sends its own SYN flag and sequence number. The client then responds with an ACK message. So, the sequence is SYN, SYN/ACK, and ACK.
Which protocol is necessary to enable the functionality of traceroute? HTTP SNMP ICMP IP
C. The traceroute program uses UDP messages with the time to live field starting at 1. This is incremented for each hop in the network until the destination is reached. Each device would send an ICMP time exceeded in transit message back to indicate the TTL had expired. The source of that message indicates the address of the network hop. On Windows systems, tracert uses ICMP echo request messages, also incrementing the time to live value. Because of these two factors, traceroute requires ICMP to work.
Why does an ACK scan not indicate clearly that ports are open? The scanner has to guess. ACK is not a supported flag. The target system ignores the message. ACK scans cause a lot of retransmits.
C. When a system receives an ACK message, meaning a TCP segment with the ACK flag enabled (bit position storing a 1), it assumes there is an open connection and there is data that is being acknowledged. When there is no open connection, there is nothing to respond with. The system, not having anything else to do with the ACK, discards it. The scanner won't receive a response if the port is open. However, the scanner can't be certain that the message hasn't just been discarded by a firewall. As a result, it indicates that the port is either open or filtered. Either would result in no response. The scanner isn't guessing; it is providing two alternatives but can't be certain which it is. ACK is a supported flag in the right circumstances and ACK scans do not cause retransmits, since no response means one of two things.
Which of these may be considered worst practice when it comes to vulnerability scans? Scanning production servers Notifying operations staff ahead of time Taking no action on the results Using limited details in your scan reports
C. You would be expected to scan production servers, since that would be where you would be most interested to find vulnerabilities. Letting operations staff know ahead of time is polite since vulnerability scans may inadvertently knock over systems that would need to be stood back up. Being paged in the middle of the night unexpectedly isn't fun. If you know it's coming, it makes it easier. You may have reasons to use limited details in your scan reports, including trying to reduce the disk space used or the paper used in printing the reports. Taking no action on the results of a vulnerability scan is about the worst thing you can do when it comes to vulnerability scans. It's worse than not running them, since you could be considered liable because you know about the vulnerabilities but you aren't doing anything about them.
What would you be trying to enumerate if you were to use enum4linux? Procedures Linux-based services Shares and/or users Memory utilization
C. enum4linux is a tool that makes use of other, underlying tools to scan systems that have implemented SMB. This means enum4linux can be used to enumerate shares or users, as well as other information. None of the other options are valid.
What is the difference between a SYN scan and a full connect scan? A SYN scan and a full connect scan are the same. A full connect scan sends an ACK message first. A SYN scan uses the PSH flag with the SYN flag. The SYN scan doesn't complete the three-way handshake.
D. A SYN scan sends the first SYN message and then responds with a RST message after receiving the SYN/ACK from the target. A full connect scan completes the three-way handshake before sending the RST message. Since the full connect scan follows the correct order of the three-way handshake, it doesn't send an ACK first. There is also no PSH flag sent with the SYN flag, since there is no data to push up the stack yet.
Which of these isn't an example of an attack that compromises integrity? Buffer overflow Man in the middle Heap spraying Watering hole
D. A buffer overflow attack is used to execute attacker-supplied code by altering the return address in the stack. A man in the middle attack can be used to intercept and potentially alter a conversation between two systems. A heap spraying attack sends a lot of data into the heap to overwrite what's there. A watering hole attack does not compromise integrity since its purpose is to introduce malware to a system. The malware might eventually compromise integrity, but the watering hole attack itself does not.
The PDU for TCP is called a _______________ . Packet Datagram Frame Segment
D. At the Network layer, the PDU is a packet. The Network layer is IP. At the Data Link layer, the PDU is a frame. Commonly, the protocol would be Ethernet there. UDP uses datagram as the PDU. TCP uses segment for the PDU.
If you were on a client engagement and discovered that you left an external hard drive with essential data on it at home, which security principle would you be violating? Confidentiality Integrity Non-repudiation Availability
D. Confidentiality is about making sure secrets are kept secret. Integrity makes sure that data isn't altered accidentally or by an unauthorized agent. Non-repudiation makes sure someone can't say a message didn't originate with them if it came from their identity. Availability means making sure data is where it needs to be when it should be there. This includes services as well.
Which of these would be an example of a loss of integrity? User making changes to a file and saving it Bad blocks flagged on disk Credit cards passed in cleartext Memory failures causing disk drivers to run incorrectly
D. If a user makes a change to a file and saves it, that's an intentional act and the data is what the user expects and wants. If the disk drive has flagged bad blocks on the disk, the drive won't write any data out to those blocks, so there will be no loss of integrity. Credit cards passed in cleartext would be a violation of confidentiality. Memory failures, though, could cause a loss of data integrity, even in the case of writing data to the drive. The corrupted data in memory could be written to disk. Also, memory failures may cause issues with the disk driver, which may also cause data corruption.
What tool would you use to compromise a system and then perform post-exploitation actions? Nmap John the Ripper searchsploit Metasploit
D. John the Ripper is used for cracking passwords, while nmap is used for port scanning. They could be part of the overall process of system compromise, but neither could be used to compromise a system, in spite of what it suggests in The Matrix. searchsploit is a program used to search a local exploit-db repository. Metasploit is an exploit framework that could be used to compromise a system. Once the system is compromised, Metasploit could then be used for post-exploitation actions using modules that come with it.
What would be a reason to use the Override feature in OpenVAS? You want to run a different plug-in for a vulnerability. You want to change the scanner settings. You want to use TCP rather than UDP. You want to change a severity rating on a finding.
D. Plug-ins are matched to vulnerabilities. A different plug-in would identify a different vulnerability and there is no way to change that. Scanner settings can be changed when you set up a scan. Using TCP rather than UDP is vague. If you want to change a severity rating from the one supplied by OpenVAS, you would override that rating. You may have mitigations in place or you may have investigated and found the finding to be a false positive.
What is the trade-off for using rainbow tables? Disk space prioritized over speed Accuracy prioritized over disk space Speed prioritized over accuracy Speed prioritized over disk space
D. Rainbow tables use precomputed hashes that are mapped to plaintext passwords in order to speed up the process of obtaining the passwords from stored hashes. Rainbow tables, though, are very expensive when it comes to disk space. Hashes and passwords are stored in the rainbow tables. Accuracy is neither sacrificed nor prioritized using rainbow tables. You will give up disk space to get faster cracking times using rainbow tables.
Which network topology are you most likely to run across in a large enterprise network? Ring topology Bus topology Full mesh Star-bus hybrid
D. Ring networks were once common but are much less so now. You may find a ring network in a service provider network today. A bus topology is best suited for a smaller network. Full mesh isn't a very common topology, in part because of the expense and complexity it brings. A star-bus hybrid would be common. An enterprise would use multiple switches that were all connected to one another over a bus, while all the endpoints would connect to the switch in a star topology.
What are data descriptions in SNMP called? Management-based information Data structure definition Extensible markup language Management information base
D. SNMP can be used to retrieve information from remote systems. This information has to be described, including the different data types. All of the information available is described in a management information base (MIB). The Extensible Markup Language (XML) is a way of packaging data in a structured way but it is not used in SNMP.
How do you authenticate with SNMPv1? Username/password Hash Public string Community string
D. SNMPv3 implemented username and password authentication. With version 1, you used a cleartext community string. SNMP doesn't use hashes, and while the word public is often used to describe a community string, a public string is not a way to authenticate with SNMPv1.
Which of the following is one factor of a defense in depth approach to network design? Switches Using Linux on the desktop Optical cable connections Access control lists on routers
D. Switches and optical cable connections can certainly be part of a network design, but in and of themselves they don't add any security features. You may use Linux on the desktop, but without more of a strategy for patch and vulnerability management, Linux is no better than other operating systems. Access control lists on routers can add an additional layer of security, especially when combined with other elements like firewalls and intrusion detection systems.
What is a MAC address used for? Addressing systems over a VPN Addressing systems through a tunnel Addressing systems over TCP Addressing systems on the local network
D. Systems over a VPN may use a MAC address but they may also use IP addresses. The same would be true for a tunnel. Using TCP, we would use ports for addressing. On the local network, the MAC address is used.
If you wanted a lightweight protocol to send real-time data over, which of these would you use? TCP HTTP ICMP UDP
D. TCP uses a three-way handshake, which is fairly heavyweight. HTTP uses TCP and adds more on top of it. ICMP is used for control messages. UDP has very little overhead and is commonly used for real-time data transport.
What financial filing is required for public companies and would provide you with the annual report? 10-Q 11-K 401(k) 14-A
D. The 10-Q is a quarterly filing. The 11-K form is related to stock options for employees. The 401(k) is a retirement account. The 14-A report required by the SEC for public companies would include the annual report to shareholders.
What is the IPC$ share used for? Process piping Interprocess construction Remote process management Interprocess communication
D. The IPC$ share is a named pipe that enables interprocess communications over a network. While you may be able to do some remote management using the IPC$ share, it is not used for remote process management.
What command would you use to get the list of mail servers for a domain? whois mx zone=domain.com netstat zone=domain.com mx dig domain.com @mx dig mx domain.com
D. The command whois would be used to query the RIR for information about an IP address block. It could also be used to identify information about a domain. The program netstat is used for network statistics. dig can be used, but when you provide the @ parameter, it would be followed by the name server you want to query. The correct way to look for name server records is to use ns as the record type. When you are looking for mail servers, you would look for the mx record type.
What important event can be exposed by enabling auditing? System shutdown Service startup Package installation User login
D. While system shutdown, service startup, and package installation may be events that are logged, they are generally logged by normal system logging. Auditing functions are different between Windows and Linux/Unix, but audit systems for both will generate logs when a user logs into a system.
You need to identify all Excel spreadsheets available from the company Example, Inc., whose domain is example.com. What search query would you use? site:example.com files:pdf site:excel files:xls domain:example.com filetype:xls site:example.com filetype:xls
D. The keyword site indicates the site (or domain) you want to search in. You need to provide either a domain, which would catch all FQDNs in that domain that were available in the search database, or a specific hostname. The keyword filetype indicates the file extension for the results. This keyword requires that a file extension be provided. There is no files or domain keyword that can be used in Google or other search engines.
Which of these is a built-in program on Windows for gathering information using SMB? nmblookup smbclient Metasploit nbtstat
D. The program nmblookup can be used on Linux systems. smbclient is a program that comes with a Samba installation that can be used to interact with a system using SMB. Metasploit has a lot of functions, but it's not built into Windows. The program nbtstat, though, can be used to gather information using SMB, and it is a program that is installed with Windows.
What are the three times that are typically stored as part of file metadata? Moves, adds, changes Modified, accessed, deleted Moved, accessed, changed Modified, accessed, created
D. There are three date and time stamps commonly used in file metadata. When the file is created, that moment is stored. When a file is accessed by a user, that moment is stored. When a file is modified, that moment is stored. Accessed is not the same as modified since accessing a file could be read-only. You could open a file expecting to modify it, but not end up doing the modification. The access time still changes. While moves, adds, and changes may sometimes be referred to as MAC, like modified, accessed, and created, those are not tasks associated with file times.
What would be the purpose of running a ping sweep? You want to identify responsive hosts without a port scan. You want to use something that is light on network traffic. You want to use a protocol that may be allowed through the firewall. All of the above.
D. There may be several reasons for performing a ping sweep. You likely want to identify responsive hosts on the network segment you are targeting. You may not, though, want to use a full port scan. ICMP is a lightweight protocol and there is a chance it will be allowed through the firewall, since it's used for troubleshooting and diagnostics
What version of SNMP introduced encryption and user-based authentication? 1 2 2c 3
D. Version 1 of SNMP used community strings. Version 2c also used community strings. Version 2 improved version 1, but it was version 3 that implemented user-based authentication as well as encryption.
If you were to see that someone was using OpenVAS, followed by Nessus, what might you assume? They were trying to break into a system. They didn't know how to use Nessus. They didn't know how to use OpenVAS. They were trying to reduce false positives.
D. Vulnerability scanners don't exploit vulnerabilities in order to gain access to a system. They would only exploit a vulnerability to the extent necessary to determine whether a vulnerability exists. If they didn't know how to use Nessus or OpenVAS, they likely wouldn't be using them. It's possible they are looking to compare results from the two, but it's also very likely they are trying to compare the results with the intention of reducing false positives.
What would you use Wappalyzer for? Analyzing web headers Analyzing application code Identifying web headers Identifying web technologies
D. WappAlyzer is an extension for the Chrome browser that can be used to identify technologies used in a website. It will, in part, use HTTP headers, but it doesn't identify the headers. It's also not used for analyzing web headers because there is more to what WappAlyzer does than that. It may look at some pieces of application code to get frameworks that are used, but it doesn't analyze application code in the traditional sense of application code analysis.
What does nmap look at for fingerprinting an operating system? The operating system headers The application version The response from connecting to port 0 The IP ID field and the initial sequence number
D. When nmap performs an operating system scan, it is looking for fingerprints of the network stack in the operating system kernel. Some of the information that nmap will look at is in the IP ID field to see what numbers are used. Similarly, it will look at the initial sequence number in TCP messages to see what numbers are used there. The application version isn't relevant to an operating system scan, and there are no operating system headers that would be associated with network traffic. Operating system headers could be considered to be part of the source code for the operating system, but nmap wouldn't be able to see those. Port 0 is considered an invalid port, so the response to a connection from that port is irrelevant.
Which of these protocols would be used to communicate with an IoT device? ICMP SMTP Telnet HTTP
D. While ICMP may be used as part of passing control messages in case of errors in the network, it wouldn't be used between the IoT device and a server. SMTP is an email protocol that also wouldn't be used. Telnet is a cleartext protocol used to gain command-line access to a system. HTTP would commonly be used to pass messages between a controlling server and an IoT device.
If you were looking for reliable exploits you could use against known vulnerabilities, what would you use? Tor network Meterpreter msfvenom Exploit-DB
D. While the Tor network may be used to obtain an exploit against a vulnerability, there is some question as to how reliable that exploit may be. The Tor network may contain malicious content, even in the case of source code. Meterpreter and msfvenom are elements of Metasploit that don't have anything to do with locating vulnerabilities. Exploit-DB is a website and repository of exploits that could be searched to locate an exploit targeting specific and known vulnerabilities.
What information could you get from running p0f? Local time Remote time Absolute time Uptime
D. p0f can provide the uptime for some systems. Packets don't include any time information, so it's not possible to gather local or remote time. Absolute time would be based in a particular time zone, and time zones aren't communicated at the Network or Data Link layers.
What tool could be used to gather email addresses from PGP servers: Bing, Google, or LinkedIn? whois dig netstat theHarvester
D. whois is used to inquire about domains, IP addresses, and other related information. dig is used to issue queries to DNS servers. netstat is used for network statistics. theHarvester, though, can be used to search across multiple sources, including Bing, Google, PGP servers, and LinkedIn.