A.2.5 Pro Domain 5: Audit and Security Assessment


You work as the IT security administrator for a small corporate network. As part of an ongoing program to improve security, you want to implement an audit policy for all workstations. You plan to audit user logon attempts and other critical events. In this lab, your task is to configure the following audit policy settings in WorkstationGPO:

1. From Server Manager's menu bar, select Tools > Group Policy Management.
2. Expand Forest: CorpNet.local > Domains > CorpNet.local > Group Policy Objects. Maximize the windows for better viewing.
3. Right-click WorkstationGPO and select Edit. Maximize the windows for better viewing. Under Computer Configuration, expand Policies > Windows Settings > Security Settings > Local Policies.
   a. Select Security Options.
   b. From the right pane, double-click the policy you want to edit.
   c. Select Define this policy setting.
   d. Select the policy settings as required.
   e. Select OK.
   f. Select Yes to confirm changes as necessary.
   g. Repeat steps 3b - 3f for additional policy settings.
4. From the left pane, select Event Log.
   a. From the right pane, double-click the policy you want to edit.
   b. Select Define this policy setting.
   c. Select the policy settings as required.
   d. Select OK.
5. Configure the advanced audit policies:
   a. From the left pane, expand Advanced Audit Policy Configuration > Audit Policies.
   b. Select the audit policy category.
   c. From the right pane, double-click the policy you want to edit.
   d. Select Configure the following audit events.
   e. Select the policy settings as required.
   f. Select OK.
   g. Repeat steps 5b-5f for additional policy settings.

You are the IT security administrator for a small corporate network. You want to spoof the DNS to redirect traffic as part of a man-in-the-middle attack. In this lab, your task is to: (Optional) From the Exec computer, access rmksupplies.com and verify that site can be accessed. From the Linux Support computer, use Ettercap to begin sniffing and scanning for hosts. Configure the Exec computer (192.168.0.30) as the target 1 machine. Initiate DNS spoofing. From the Exec computer, access rmksupplies.com and verify that it has been redirected to a different site.

1. From the Favorites bar, select Ettercap.
2. Select Sniff > Unified sniffing.
3. From the Network Interface drop-down menu, select enp2s0.
4. Select OK.
5. Select Hosts > Scan for hosts.
6. Select Hosts > Host list.
7. Under IP Address, select 192.168.0.30.
8. Select Add to Target 1 to assign it as the target.
9. Select Plugins > Manage the plugins.
10. Select the Plugins tab.
11. Double-click dns_spoof to activate it.
12. Select Mitm > ARP poisoning.
13. Select Sniff remote connections and then select OK.
14. From the top navigation tabs, select Floor 1 Overview.
15. Under Executive Office, select Exec.
16. From the taskbar, select Google Chrome.
17. In the URL field, type rmksupplies.com and then press Enter. Notice that the page was redirected to RUS Office Supplies despite the web address staying the same.

You are the IT security administrator for a small corporate network. You've received a zip file that contains sensitive password-protected files. You need to access these files. The zip file is located in the home directory. In this lab, your task is to use John the Ripper to: Crack the root password on the Linux computer named Support. Crack the password of the protected.zip file located in the home directory on IT-Laptop.

1. From the Favorites bar, select Terminal.
2. At the prompt, type cd /usr/share/john and press Enter.
3. Type ls and press Enter.
4. Type cat password.lst and press Enter to view the password list.
5. Type cd and press Enter to return to root's home directory.
6. Type john /etc/shadow and press Enter. The password is shown. Can you find it?
7. Type john /etc/shadow and press Enter to attempt to crack the Linux passwords again. Notice that it does not attempt to crack the password again; the cracked password is already stored in the john.pot file.
8. Use alternate methods of viewing the previously cracked password:
   a. Type john /etc/shadow --show and press Enter.
   b. Type cat ./.john/john.pot and press Enter to view the contents of the john.pot file.
9. In the top right, select Answer Questions and then answer Question 1: 1worm4b8.
10. From the top navigation tabs, select Floor 1 Overview.
11. Under IT Administration, select IT-Laptop.
12. From the Favorites bar, select Terminal.
13. At the prompt, type ls and press Enter. Notice the protected.zip file you wish to crack.
14. Type zip2john protected.zip > ziphash.txt and press Enter.
15. Type cat ziphash.txt and press Enter to confirm that the hashes have been copied.
16. Type john --format=pkzip ziphash.txt and press Enter to crack the password. The password is shown. Can you find it?
17. Type john ziphash.txt --show and press Enter to show the previously cracked password.
18. In the top right, select Answer Questions and then answer Question 2: p@ssw0rd.
19. Select Score Lab.

A recent breach of a popular third-party service has exposed a password database. The security team is evaluating the risk of the exposed passwords for the company. The password hashes are saved in the root user's home directory, /root/captured_hashes.txt. You want to attempt to crack these passwords using a rainbow table. The password requirements for your company are as follows:
- The password must be 12 or more characters in length.
- The password must include at least one uppercase and one lowercase letter.
- The password must have at least one of these special characters: !, ", #, $, %, &, _, ', *, or @.
- All passwords are encrypted using a hash algorithm of either md5 or sha1.
In this lab, your task is to:
- Create md5 and sha1 rainbow tables using rtgen.
- Sort the rainbow tables using the rtsort command.
- Crack the hashes using the rcrack command. You can run rcrack on an individual hash or run it on the hash file (/root/captured_hashes.txt).
- Answer the questions.

1. Create and sort the rainbow tables:
   a. From the Favorites bar, select Terminal.
   b. At the prompt, type rtgen md5 ascii-32-95 1 20 0 1000 1000 0 and press Enter to create an md5 rainbow table.
   c. Type rtgen sha1 ascii-32-95 1 20 0 1000 1000 0 and press Enter to create a sha1 rainbow table.
   d. Type rtsort . and press Enter to sort the rainbow tables.
2. Crack the hashes:
   a. To crack the passwords contained in a hash file, type rcrack . -l /root/captured_hashes.txt and press Enter. This command lists the hashes contained in the hash file and shows the passwords.
   b. To crack the password contained in a single hash, type rcrack . -h hash_value and press Enter. This command only shows the password for the specified hash.
   c. Repeat step 2b for the remaining hashes.
3. In the top right, select Answer Questions. Answer the questions:
   Q1: 123
   Q2: MaryHad_A_Sm@ll_Lamb
   Q3: DisneyL@nd3
   Q4: 1
4. Select Score Lab.

You are the IT security administrator for a small corporate network. You believe a hacker has penetrated your network and is using ARP poisoning to infiltrate it. In this lab, your task is to discover whether ARP poisoning is taking place as follows: Use Wireshark to capture packets on the enp2s0 interface for five seconds. Analyze the Wireshark packets to determine whether ARP poisoning is taking place. Use the 192.168.0.2 IP address to help make your determination. Answer the questions.

1. From the Favorites bar, select Wireshark. Maximize the window for easier viewing.
2. Under Capture, select enp2s0.
3. From the menu bar, select the blue fin to begin a Wireshark capture.
4. After capturing packets for five seconds, select the red box to stop the Wireshark capture.
5. In the Apply a display filter field, type arp and press Enter to show only ARP packets.
6. In the Info column, look for the lines containing the 192.168.0.2 IP address.
7. In the top right, select Answer Questions. Answer the questions: 00:00:1B:11:22:33 and 00:00:1B:33:22:11.
8. Select Score Lab.

You are the CorpNet IT administrator. Your support team says that CorpNet's customers are unable to browse to the public-facing web server. You suspect that it might be under some sort of denial-of-service attack, possibly a TCP-SYN flood attack. Your www_stage computer is on the same network segment as your web server, so you should use this computer to investigate the problem. In this lab, your task is to:
- Capture packets from the network segment on www_stage using Wireshark. Use the enp2s0 interface.
- Analyze the attack using the following filters:
  tcp.flags.syn==1 and tcp.flags.ack==1
  tcp.flags.syn==1 and tcp.flags.ack==0
- Answer the question.

1. From the Favorites bar, select Wireshark.
2. Under Capture, select enp2s0.
3. From the menu, select the blue fin to begin the capture.
4. In the Apply a display filter field, type tcp.flags.syn==1 and tcp.flags.ack==1 and press Enter to filter Wireshark to display only those packets with both the SYN flag and the ACK flag set. You may have to wait up to a minute before any SYN-ACK packets are captured and displayed.
5. Select the red square to stop the capture.
6. In the Apply a display filter field, change the tcp.flags.ack ending from the number 1 to the number 0 and press Enter. Notice that there is a flood of SYN packets being sent to 198.28.1.1 (www.corpnet.xyz) that are not being acknowledged.
7. In the top right, select Answer Questions. Answer the question: multiple source addresses for the SYN with the destination address 192.168.1.1.
8. Select Score Lab.

You are the IT security administrator for a small corporate network. You need to enable logging on the switch in the networking closet. In this lab, your task is to:
- Enable logging and the Syslog Aggregator.
- Configure RAM Memory Logging as follows:
  Emergency, Alert, and Critical: Enable
  Error, Warning, Notice, Informational, and Debug: Disable
- Configure Flash Memory Logging as follows:
  Emergency and Alert: Enable
  Critical, Error, Warning, Notice, Informational, and Debug: Disable
- Copy the running configuration file to the startup configuration file using the following settings:
  Source File Name: Running configuration
  Destination File Name: Startup configuration

1. From the left menu, expand Administration > System Log.
2. Select Log Settings.
3. For Logging, mark Enable.
4. For Syslog Aggregator, mark Enable.
5. Under RAM Memory Logging:
   a. Mark Emergency, Alert, and Critical.
   b. Clear Error, Warning, Notice, Informational, and Debug.
6. Under Flash Memory Logging:
   a. Mark Emergency and Alert.
   b. Clear Critical, Error, Warning, Notice, Informational, and Debug.
7. Select Apply.
8. From the top menu bar, select Save.
9. Under Copy/Save Configuration, select Apply.
10. Select OK.
11. Select Done.

You are the IT security administrator for a small corporate network. You are performing vulnerability scans on your network. Mary is the primary administrator for the network and the only person authorized to perform local administrative actions. The company network security policy requires complex passwords for all users. It is also required that Windows Firewall is enabled on all workstations. Sharing personal files is not allowed. In this lab, your task is to: Run a vulnerability scan for the Office2 workstation using the Security Evaluator. A shortcut is located on the taskbar. Remediate the vulnerabilities found in the vulnerability report for Office2. Re-run a vulnerability scan to make sure all of the issues are resolved.

1. Run the vulnerability scan:
   a. From the taskbar, open Security Evaluator.
   b. Next to Target Local Machine, select the Target icon to select a new target.
   c. Select Workstation.
   d. From the Workstation drop-down list, select Office2 as the target.
   e. Select OK.
   f. Next to Status, select the Run/Rerun Security Evaluation icon.
   g. Review the results to determine which issues you need to resolve on Office2.
2. From the top navigation tabs, select Floor 1. Under Office 2, select Office2.
3. Remediate the local user accounts:
   a. From Office2, right-click Start and select Computer Management.
   b. Expand and select Local Users and Groups > Users.
   c. Right-click Administrator and select Rename. Enter a new name of your choice and press Enter.
   d. Right-click Guest and select Properties. Select Account is disabled and then select OK.
   e. Right-click Mary and select Set Password. Select Proceed. Enter a new password of your choice (12 characters or more). Confirm the new password and then select OK. Select OK.
   f. Right-click Mary and select Properties. Clear Password never expires. Select User must change password at next logon and then select OK.
   g. Right-click Susan and select Properties. Clear Account is locked out and then select Apply. Select the Member of tab. Select Administrators. Select Remove. Select OK.
   h. Close Computer Management.
4. Enable Windows Firewall:
   a. Right-click Start and then select Settings.
   b. Select Network & Internet.
   c. From the right pane, scroll down and select Windows Firewall.
   d. Under Domain network, select Turn on.
   e. Under Private network, select Turn on.
   f. Under Public network, select Turn on.
   g. Close all open windows.
5. Stop sharing the personal folder:
   a. From the taskbar, select File Explorer.
   b. From the left pane, select This PC.
   c. From the right pane, double-click Local Disk (C:).
   d. Right-click MyMusic and select Properties.
   e. Select the Sharing tab.
   f. Select Advanced Sharing.
   g. Clear Share this folder.
   h. Select OK. Select OK.
6. Re-run the scan:
   a. From the top navigation tabs, select Floor 1.
   b. Under IT Administration, select ITAdmin.
   c. From Security Evaluator, select the Run/Rerun Security Evaluation icon to rerun the security evaluation.
   d. If you still see unresolved issues, select Floor 1, navigate to the Office2 workstation, and remediate any remaining issues.

You are the IT security administrator for a small corporate network. You have some security issues on a few Internet of Things (IoT) devices. You have decided to use the Security Evaluator to find these problems. In this lab, your task is to use the Security Evaluator to: Find a device using the IP address of 192.168.0.54. Find all devices using an IP address in the range of 192.168.0.60 through 192.168.0.69. Answer the questions.

1. From the taskbar, open Security Evaluator.
2. Next to Target Local Machine, select the Target icon.
3. Select IPv4 Address.
4. Enter 192.168.0.54 as the IP address.
5. Select OK.
6. Next to Status No Results, select the Run/Rerun Security Evaluation icon to run a security evaluation.
7. In the top right, select Answer Questions. Answer Question 1: Thermostat and Question 2: 3.
8. From the Security Evaluator, select the Target icon to select a new target.
9. Select IPv4 Range.
10. In the left field, type 192.168.0.60 as the beginning IP address.
11. In the right field, type 192.168.0.69 as the ending IP address.
12. Select OK.
13. Next to Status No Results, select the Run/Rerun Security Evaluation icon to run a security evaluation.
14. Answer Question 3: 0.66.
15. Select Score Lab.

You are the IT security administrator for a small corporate network. You are performing vulnerability scans on your network. Use the Security Evaluator tool to run a vulnerability scan on the CorpDC domain controller. In this lab, your task is to: Run a vulnerability scan for the CorpDC domain controller using the Security Evaluator on the taskbar. Remediate the vulnerabilities in the Default Domain Policy using Group Policy Management on CorpDC. Re-run a vulnerability scan to make sure all of the issues are resolved.

1. Run the vulnerability scan:
   a. From the taskbar, open Security Evaluator.
   b. Next to Target: Local Machine, select the Target icon to select a target.
   c. Select Domain Controller.
   d. Using the Domain Controller drop-down list, select CorpDC as the target.
   e. Select OK.
   f. Next to Status: No Results, select the Status Run/Rerun Security Evaluation icon.
   g. Review the results to determine which issues you need to resolve on CorpDC.
2. From the top navigation tabs, select Floor 1. Under Networking Closet, select CorpDC.
3. From Server Manager, select Tools > Group Policy Management. Maximize the window for easier viewing. Expand Forest: CorpNet.local > Domains > CorpNet.local. Right-click Default Domain Policy and then select Edit. Maximize the window for easier viewing.
4. Remediate the password policies:
   a. Under Computer Configuration, expand Policies > Windows Settings > Security Settings > Account Policies.
   b. From the left pane, select Password Policy.
   c. From the right pane, double-click the policy.
   d. Select Define this policy setting.
   e. Enter the password setting and then select OK.
   f. Repeat steps 4c-4e for each additional password policy.
5. Remediate the account lockout policy:
   a. From the left pane, select Account Lockout Policy.
   b. From the right pane, double-click Reset account lockout counter after.
   c. Select Define this policy setting.
   d. Enter 60 minutes and then select OK.
6. Remediate the Event Log policies:
   a. From the left pane, select Event Log.
   b. From the right pane, double-click the policy.
   c. Select Define this policy setting.
   d. Select Do not overwrite events (clear log manually) and then select OK.
   e. Repeat steps 6b-6d for each additional Event Log policy.
7. Remediate the System Services policies:
   a. From the left pane, select System Services.
   b. From the right pane, double-click the policy.
   c. Select Define this policy setting.
   d. Make sure Disabled is selected and then select OK.
   e. Repeat steps 7b-7d for the remaining System Services policy.
8. Re-run the scan:
   a. From the top navigation tabs, select Floor 1.
   b. Under IT Administration, select ITAdmin.
   c. From Security Evaluator, select the Status Run/Rerun Security Evaluation icon to rerun the security evaluation.
   d. If you still see unresolved issues, select Floor 1, navigate to CorpDC, and remediate any remaining issues.

You are the IT security administrator for a small corporate network. You need to use a vulnerability scanner to check for security issues on your Linux computers. In this lab, your task is to:
- Use the Security Evaluator to check the security:
  On the Linux computer with the 192.168.0.45 IP address.
  On the Linux computers in the IP address range of 192.168.0.60 through 192.168.0.69.
- Answer the questions.

1. From the taskbar, open Security Evaluator.
2. Next to Target: Local Machine, select the Target icon.
3. Select IPv4 Address.
4. Enter 192.168.0.45 and select OK.
5. Next to Status: No Results, select the Status Run/Rerun Security Evaluation icon.
6. Review the results.
7. In the top right, select Answer Questions. Answer Question 1: root-password does not expire.
8. From Security Evaluator, select the Target icon to select a new target.
9. Select IPv4 Range.
10. In the left field, type 192.168.0.60. In the right field, type 192.168.0.69. Select OK.
11. Select the Status Run/Rerun Security Evaluation icon.
12. Review the results.
13. Answer Question 2: 0.65 & 0.68 and Question 3: backup-password does not expire.
14. Select Score Lab.

You are the IT security administrator for a small corporate network. You perform vulnerability scans on your network. You need to verify the security of your wireless network and your Ruckus wireless access controller. In this lab, your task is to:
- Run a vulnerability scan for the wireless access controller 192.168.0.6 using Security Evaluator, which is accessible from the taskbar.
- Remediate the vulnerabilities found in the vulnerability report for the wireless access controller:
  New admin name: your choice
  New password: your choice
  Enable reporting of rogue devices for intrusion prevention.
- Rerun a vulnerability scan to make sure all of the issues are resolved.

1. Run the vulnerability scan:
   a. From the taskbar, select Security Evaluator.
   b. Next to Target: Local Machine, select the Target icon to select a new target.
   c. Select IPv4 Address.
   d. Enter 192.168.0.6 for the wireless access controller.
   e. Select OK.
   f. Next to Status No Results, select the Status Run/Rerun Security Evaluation icon to run the security evaluation.
   g. Review the results to determine which issues you need to resolve on the wireless access controller.
2. Log in to the wireless access controller:
   a. From the taskbar, open Google Chrome. Maximize Google Chrome for easier viewing.
   b. In the address bar, type 192.168.0.6 and press Enter.
   c. For Admin name, enter admin (case-sensitive).
   d. For Password, enter password.
   e. Select Login.
3. Change the admin name and password:
   a. Select the Administer tab.
   b. Make sure Authenticate using the admin name and password is selected.
   c. In the Admin Name field, replace admin with a username of your choice.
   d. In the Current Password field, enter password.
   e. In the New Password field, enter a password of your choice.
   f. In the Confirm New Password field, enter the new password.
   g. On the right, select Apply.
4. Enable rogue device reporting:
   a. Select the Configure tab.
   b. On the left, select WIPS.
   c. Under Intrusion Detection and Prevention, select Enable report rogue devices.
   d. On the right, select Apply.
5. Re-run the scan:
   a. From the taskbar, select Security Evaluator.
   b. Next to Status Needs Attention, select the Status Run/Rerun Security Evaluation icon to re-run the security evaluation.
   c. Remediate any remaining issues.

You work as the IT security administrator for a small corporate network. In an effort to protect your network against security threats and hackers, you have added Snort to pfSense. With Snort already installed, you need to configure rules and settings and then assign Snort to the desired interface. In this lab, your task is to use pfSense's Snort to complete the following:
- Enable the downloading of the following:
  Snort free registered User rules
  Oinkmaster Code: 359d00c0e75a37a4dbd70757745c5c5dg85aa
  Snort GPLv2 Community rules
  Emerging Threats Open rules
  Sourcefire OpenAppID detectors
  APPID Open rules
- Configure rule updates to happen once a day at 1:00 a.m.
- Hide any deprecated rules.
- Block offending hosts for 1 hour.
- Send all alerts to the system log when Snort starts and stops.
- Assign Snort to the WAN interface using a description of WANSnort. Include:
  Sending alerts to the system log
  Automatically blocking hosts that generate a Snort alert
- Start Snort on the WAN interface.

1. Log in to pfSense:
   a. In the Username field, enter admin.
   b. In the Password field, enter P@ssw0rd (zero).
   c. Select SIGN IN or press Enter.
2. Configure the global Snort settings:
   a. From the pfSense menu bar, select Services > Snort.
   b. Under the Services breadcrumb, select Global Settings.
   c. Select Enable Snort VRT.
   d. In the Snort Oinkmaster Code field, enter 359d00c0e75a37a4dbd70757745c5c5dg85aa. You can copy and paste this from the scenario.
   e. Select Enable Snort GPLv2.
   f. Select Enable ET Open.
   g. Under Sourcefire OpenAppID Detectors, select Enable OpenAppID.
   h. Select Enable RULES OpenAppID.
   i. Under Rules Update Settings, use the Update Interval drop-down menu to select 1 Day.
   j. For Update Start Time, change to 01:00.
   k. Select Hide Deprecated Rules Categories.
   l. Under General Settings, use the Remove Blocked Hosts Interval drop-down menu to select 1 HOUR.
   m. Select Startup/Shutdown Logging.
   n. Select Save.
3. Assign Snort to the WAN interface:
   a. Under the Services breadcrumb, select Snort Interfaces and then select Add.
   b. Under General Settings, make sure Enable interface is selected.
   c. For Interface, use the drop-down menu to select WAN (PFSense port 1).
   d. For Description, use WANSnort.
   e. Under Alert Settings, select Send Alerts to System Log.
   f. Select Block Offenders.
   g. Scroll to the bottom and select Save.
4. Under the Snort Status column, select the arrow. Wait for a checkmark to appear, indicating that Snort was started successfully.

You work as the IT security administrator for a small corporate network in the United States of America. The name of your site is www.corpnet.xyz. The company president has received several questionable emails that he is concerned may be malicious attacks on the company. He has asked you to determine whether the emails are hazardous and to handle them accordingly. In this lab, your task is to: Read each email and determine whether it is legitimate. Delete any emails that are attempts at social engineering. Keep emails that are safe.

Results (D = delete, K = keep):
Microsoft Windows Update Center - D
Joe Davis - D
Executive Recruiting - D
HR - K
Online Banking - D
Grandma Jacklin - D
Emily Smith - D
Sara Goodwin - D
Grandma Jacklin - D
HR - K
Activities Committee - K
Robert Williams - K
