CEH_Missed_Questions

Which of the following tools is the best option for rooting an Android device? A. SuperOneClick B. Cydia C. Pangu D. evasi0n7

A is correct. SuperOneClick is designed for rooting Android. B, C, and D are incorrect. Each of the remaining options is designed for use on iOS devices.

How would you permanently wipe the data in the hard disk? A. wipe -fik /dev/hda1 B. erase -fik /dev/hda1 C. delete -fik /dev/hda1 D. secdel -fik /dev/hda1

Answer : A

In which location, SAM hash passwords are stored in Windows 7? A. c:\windows\system32\config\SAM B. c:\winnt\system32\machine\SAM C. c:\windows\etc\drivers\SAM D. c:\windows\config\etc\SAM

Answer : A

How do you defend against ARP Poisoning attack? (Select 2 answers) A. Enable DHCP Snooping Binding Table B. Restrict ARP Duplicates C. Enable Dynamic ARP Inspection D. Enable MAC snooping Table

Answer : A,C

Name two software tools used for OS guessing.(Choose two). A. Nmap B. Snadboy C. Queso D. UserInfo E. NetBus

Answer : A,C Explanation: Nmap and Queso are the two best-known OS guessing programs. OS guessing software has the ability to look at peculiarities in the way that each vendor implements the RFC's. These differences are compared with its database of known OS fingerprints. Then a best guess of the OS is provided to the user.

Which of the following Registry location does a Trojan add entries to make it persistent onWindows 7? (Select 2 answers) A. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run B. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\System32\CurrentVersion\ Run C. HKEY_CURRENT_USER\Software\Microsoft\Windows\System32\CurrentVersion\Run D. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Answer : A,D

How do you defend against DHCP Starvation attack? A. Enable ARP-Block on the switch B. Enable DHCP snooping on the switch C. Configure DHCP-BLOCK to 1 on the switch D. Install DHCP filters on the switch to block this attack

Answer : B

You have performed the traceroute below and notice that hops 19 and 20 both show the same IP address.What can be inferred from this output? 19 www.ABC.com (65.195.239.22) 52.191 ms 52.571 ms 56.855 ms20 www.ABC.com (65.195.239.22) 53.561 ms 54.121 ms 58.333 A. An application proxy firewall B. A stateful inspection firewall C. A host based IDS D. A Honeypot

Answer : B

If a token and 4-digit personal identification number (PIN) are used to access a computer system and the token performs off-line checking for the correct PIN, what type of attack is possible? A. Birthday B. Brute force C. Man-in-the-middle D. Smurf

Answer : B Explanation: Brute force attacks are performed with tools that cycle through many possible character, number, and symbol combinations to guess a password. Since the token allows offline checking of PIN, the cracker can keep trying PINS until it is cracked.

When referring to the Domain Name Service, what is denoted by a 'zone'? A. It is the first domain that belongs to a company. B. It is a collection of resource records. C. It is the first resource record type in the SOA. D. It is a collection of domains.

Answer : B Explanation: A reasonable definition of a zone would be a portion of the DNS namespace where responsibility has been delegated.Topic 20, Buffer Overflows -

Matthew re-injects a captured wireless packet back onto the network. He does this hundreds of times within a second. The packet is correctly encrypted and Matthew assumes it is an ARP request packet. The wireless host responds with a stream of responses, all individually encrypted with different IVs. What is this attack most appropriately called? A. Spoof attack B. Replay attack C. Injection attack D. Rebound attack

Answer : B Explanation: A replay attack is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and retransmits it, possibly as part of a masquerade attack by IP packet substitution (such as stream cipher attack).

What is the most common vehicle for social engineering attacks? A. Email B. Direct in person C. Local Area Networks D. Peer to Peer Networks

Answer : B Explanation: All social engineering techniques are based on flaws in human logic known as cognitive biases.

Bart is looking for a Windows NT/2000/XP command-line tool that can be used to assign, display, or modify ACLs (access control lists) to files or folders and also one that can be used within batch files.Which of the following tools can be used for that purpose? (Choose the best answer) A. PERM.exe B. CACLS.exe C. CLACS.exe D. NTPERM.exe

Answer : B Explanation: Cacls.exe is a Windows NT/2000/XP command-line tool you can use to assign, display, or modify ACLs (access control lists) to files or folders. Cacls is an interactive tool, and since it's a command-line utility, you can also use it in batch files.

What ICMP message types are used by the ping command? A. Timestamp request (13) and timestamp reply (14) B. Echo request (8) and Echo reply (0) C. Echo request (0) and Echo reply (1) D. Ping request (1) and Ping reply (2)

Answer : B Explanation: ICMP Type 0 = Echo Reply, ICMP Type 8 = Echo

A user on your Windows 2000 network has discovered that he can use L0phtcrack to sniff the SMB exchanges which carry user logons. The user is plugged into a hub with 23 other systems. However, he is unable to capture any logons though he knows that other users are logging in.What do you think is the most likely reason behind this? A. There is a NIDS present on that segment. B. Kerberos is preventing it. C. Windows logons cannot be sniffed. D. L0phtcrack only sniffs logons to web servers.

Answer : B Explanation: In a Windows 2000 network using Kerberos you normally use pre- authentication and the user password never leaves the local machine so it is never exposed to the network so it should not be able to be sniffed.

You have successfully brute forced basic authentication configured on a Web Server using Brutus hacking tool. The username/password is Admin and [email protected] logon to the system using the brute forced password and plant backdoors and rootkits.After downloading various sensitive documents from the compromised machine, you proceed to clear the log files to hide your trace..Which event log located at C:\Windows\system32\config contains the trace of your brute force attempts? A. AppEvent.Evt B. SecEvent.Evt C. SysEvent.Evt D. WinEvent.Evt

Answer : B Explanation: The Security Event log (SecEvent.Evt) will contain all the failed logins against the system.

The Slammer Worm exploits a stack-based overflow that occurs in a DLL implementing the Resolution Service.Which of the following Database Server was targeted by the slammer worm? A. Oracle B. MSSQL C. MySQL D. Sybase E. DB2

Answer : B Explanation: W32.Slammer is a memory resident worm that propagates via UDP Port1434 and exploits a vulnerability in SQL Server 2000 systems and systems with MSDE2000 that have not applied the patch released by Microsoft Security Bulletin MS02-039.

You are configuring the security options of your mail server and you would like to block certain file attachments to prevent viruses and malware from entering the users inbox.Which of the following file formats will you block?(Select up to 6) A. .txt B. .vbs C. .pif D. .jpg E. .gif F. .com G. .htm H. .rar I. .scr J. .exe

Answer : B,C,E,F,I,J Explanation:http://office.microsoft.com/en-us/outlook/HP030850041033.aspx

Which of the following tools are used for enumeration? (Choose three.) A. SolarWinds B. USER2SID C. Cheops D. SID2USER E. DumpSec

Answer : B,D,E Explanation: USER2SID, SID2USER, and DumpSec are three of the tools used for system enumeration. Others are tools such as NAT and Enum. Knowing which tools are used in each step of the hacking methodology is an important goal of the CEH exam. You should spend a portion of your time preparing for the test practicing with the tools and learning to understand their output.

What are the main drawbacks for anti-virus software? A. AV software is difficult to keep up to the current revisions. B. AV software can detect viruses but can take no action. C. AV software is signature driven so new exploits are not detected. D. Its relatively easy for an attacker to change the anatomy of an attack to bypass AV systems E. AV software isn't available on all major operating systems platforms. F. AV software is very machine (hardware) dependent.

Answer : C Explanation: Although there are functions like heuristic scanning and sandbox technology, the Antivirus program is still mainly depending of signature databases and can only find already known viruses.

Annie has just succeeded in stealing a secure cookie via a XSS attack. She is able to replay the cookie even while the session is valid on the server. Why do you think this is possible? A. Any cookie can be replayed irrespective of the session status B. The scenario is invalid as a secure cookie cannot be replayed C. It works because encryption is performed at the network layer (layer 1 encryption) D. It works because encryption is performed at the application layer (single encryption key)

Answer : D

Maintaining a secure Web server requires constant effort, resources, and vigilance from an organization. Securely administering a Web server on a daily basis is an essential aspect of Web server security.Maintaining the security of a Web server will usually involve the following steps:1. Configuring, protecting, and analyzing log files2. Backing up critical information frequently3. Maintaining a protected authoritative copy of the organization's Web content4. Establishing and following procedures for recovering from compromise5. Testing and applying patches in a timely manner6. Testing security periodically.In which step would you engage a forensic investigator? A. 1 B. 2 C. 3 D. 4 E. 5 F. 6

Answer : D

What is Hunt used for? A. Hunt is used to footprint networks B. Hunt is used to sniff traffic C. Hunt is used to hack web servers D. Hunt is used to intercept traffic i.e. man-in-the-middle traffic E. Hunt is used for password cracking

Answer : D Explanation: Hunt can be used to intercept traffic. It is useful with telnet, ftp, and others to grab traffic between two computers or to hijack sessions.

What type of Virus is shown here? "Wake up on 15th of every month and execute code" A. Cavity Virus B. Macro Virus C. Boot Sector Virus D. Metamorphic Virus E. Sparse Infector Virus

Answer : E

You are identifying system vulnerabilities on an NTFS system. Which of the followin command-line statements is an example of alternate data streams (ADS)? A. type bad stuff < good.txt:shh B. echo bad stuff > good.txt:shh C. echo bad stuff > good.txt;shh D. type bad stuff < good.txt;shh

Answer B

An attacker wants to verify live targets on a network, but no ICMP packets seem to successfully do the job. Which of the following options might work in this situation? A. Traceroute B. TCP ping C. Nslookup D. Broadcast ping

B is correct. A single target not responding doesn't necessarily means it's not "awake"—there could be several reasons it's not providing any answer. If you suspect ICMP is blocked, try a TCP ping. The integrated Windows ping utility can't ping over TCP, so you may have to use tcping.exe (or another comparable tool). A, C, and D are incorrect. Traceroute is designed to display path information and relies on ICMP and TTL flags for answers. Nslookup might work in a zone transfer to tell you what systems DNS knows about, but it can't tell you what's necessarily alive. A broadcast ping is simply ICMP sent to the broadcast address in the subnet.

Which of the following commands would be the best choice for a pen tester attempting to perform DNS cache snooping? A. nslookup -fullrecursive one.anywhere.com. B. nslookup -cache /s one.anywhere.com. C. nslookup -norecursive one.anywhere.com. D. nslookup /dnssnoop -cache one.anywhere.c

C is correct. If you can make a nonrecursive query to a DNS server looking for an already resolved hostname, the box is susceptible to DNS cache snooping. To see if you can do this, you may try to find the IP address of a hostname by querying the DNS server nonrecursively (that is, not asking further DNS servers for an answer if the DNS server in question does not know it). A, B, and D are incorrect. The syntax is incorrect in each of these uses of nslookup.

A security admin has turned on MAC filtering on a WAP. Which of the following is the best way to bypass this activity? A. ARP spoofing B. DNS poisoning C. IP spoofing D. MAC spoofing

D is correct. So the admin says, "Only allow these MAC addresses to connect," and the WAP is secure, right? Sure. And I have a future as an NBA player. Simply sniff traffic until you find a MAC that works and spoof it. Voilà! A, B, and C are incorrect. ARP won't do any good here—you can use it to misdirect traffic but not to authenticate. DNS poisoning works with name resolution and has no place here. IP spoofing is on the right track, but MAC filtering is done at Layer 2, so it wouldn't work here.

Which of the following buffer overflow exploits are related to Microsoft IIS web server? (Choose three) A. Internet Printing Protocol (IPP) buffer overflow B. Code Red Worm C. Indexing services ISAPI extension buffer overflow D. NeXT buffer overflow

Answer : A,B,C Explanation: Both the buffer overflow in the Internet Printing Protocol and the ISAPI extension buffer overflow is explained in Microsoft Security Bulletin MS01-023. The CodeRed worm was a computer worm released on the Internet on July 13, 2001. It attacked computers running Microsoft's IIS web server.

Which of the following tools can be used to perform a zone transfer? A. NSLookup B. Finger C. Dig D. Sam Spade E. Host F. Netcat G. Neotrace

Answer : A,C,D,E Explanation: There are a number of tools that can be used to perform a zone transfer.Some of these include: NSLookup, Host, Dig, and Sam Spade.

What is Cygwin? A. Cygwin is a free C++ compiler that runs on Windows B. Cygwin is a free Unix subsystem that runs on top of Windows C. Cygwin is a free Windows subsystem that runs on top of Linux D. Cygwin is a X Windows GUI subsytem that runs on top of Linux GNOME environment

Answer : B Explanation: Cygwin is a Linux-like environment for Windows. It consists of two parts:A DLL (cygwin1.dll) which acts as a Linux API emulation layer providing substantial LinuxAPI functionality.A collection of tools which provide Linux look and feel.The Cygwin DLL works with all non-beta, non "release candidate", ix86 32 bit versions ofWindows since Windows 95, with the exception of Windows CE.

On wireless networks, SSID is used to identify the network. Why are SSID not considered to be a good security mechanism to protect a wireless networks? A. The SSID is only 32 bits in length. B. The SSID is transmitted in clear text. C. The SSID is the same as the MAC address for all vendors. D. The SSID is to identify a station, not a network.

Answer : B Explanation: The SSID IS constructed to identify a network, it IS NOT the same as theMAC address and SSIDs consists of a maximum of 32 alphanumeric characters.

Sabotage, Advertising and Assisting are the three stages of _____ A. Social engineering B. Reverse Social Engineering C. Reverse Software Engineering D. Rapid Development Engineering

Answer : B Explanation: Typical social interaction dictates that if someone gives us something then it is only right for us to return the favour. This is known as reverse social engineering, when an attacker sets up a situation where the victim encounters a problem, they ask the attacker for help and once the problem is solved the victim then feels obliged to give the information requested by the attacker.

What are the default passwords used by SNMP?(Choose two.) A. Password B. SA C. Private D. Administrator E. Public F. Blank

Answer : C,E Explanation: Besides the fact that it passes information in clear text, SNMP also uses well-known passwords. Public and private are the default passwords used by SN

If an attacker's computer sends an IPID of 31400 to a zombie (Idle Scanning) computer on an open port, what will be the response? A. 31400 B. 31402 C. The zombie will not send a response D. 31401

Answer : D

Which of the following Netcat commands would be used to perform a UDP scan of the lower 1024 ports? A. Netcat -h -U B. Netcat -hU <host(s.> C. Netcat -sU -p 1-1024 <host(s.> D. Netcat -u -v -w2 <host> 1-1024 E. Netcat -sS -O target/1024

Answer : D Explanation: The proper syntax for a UDP scan using Netcat is "Netcat -u -v -w2 <host>1-1024". Netcat is considered the Swiss-army knife of hacking tools because it is so versatile.

Which of the following is true of 3DES? A. Stream cipher B. Hashing algorithm C. Stronger than AES D. Symmeric algorithm

Answer: D Symmetric algorithm

Which of the following is the best choice for performing a bluebugging attack? A. PhoneSnoop B. BBProxy C. btCrawler D. Blooover

D is correct. Blooover is designed and created for Bluebugging. A, B, and C are incorrect. BBProxy and PhoneSnoop are both BlackBerry tools, and btCrawler is a discovery option.

During a pen test, you notice VoIP traffic is traversing the subnet. Which of the following tools could be used to decode a packet capture and extract voice conversations? A. Black Widow B. Netcat C. Nmap D. Cain

D is correct. Cain (and Abel) can do all sorts of great stuff, including extracting voice from VoIP captures. A, B, and C are incorrect. The remaining answers do not perform the task listed. Black Widow copies websites to your system for later review. Netcat can be used for all sorts of things but is mostly known for its use in creating backdoor access to compromised systems. Nmap is probably the best-known port scanner in the world.

Which of the following tools provides visibility and security controls for servers in a cloud? A. CloudPassage Halo B. Metasploit C. AWSExploit D. CloudInspect

A is correct. CloudPassage Halo "provides instant visibility and continuous protection for servers in any combination of data centers, private clouds, and public clouds." B, C, and D are incorrect. Metasploit is a framework for delivering exploits. AWSExploit is not a legitimate tool. CloudInspect was designed for AWS cloud subscribers and runs as an automated, all-in-one testing suite specifically for your cloud subscription.

Which of the following lists security and privacy controls for U.S. government federal information systems? A. NIST 800-53 B. FITARA C. HIPAA D. ISO 17799

A is correct. NIST 800-53: Security and Privacy Controls for Federal Information Systems and Organizations "provides a catalog of security controls for all U.S. federal information systems except those related to national security." Remember that exception—it may help you on the exam. B, C, and D are incorrect. The Federal Information Technology Acquisition Reform Act (FITARA) is a bill from 2013 that determines how the U.S. government purchases technology. The U.S. Health Insurance Portability and Accountability Act (HIPAA) protects the confidentiality of private health information. ISO 17799 defines security objectives based on industry best practices.

Which of the following can be compared to a CSRF attack? A. Session riding B. Side session C. Side channel D. VM straddling

A is correct. Session riding is, in effect, simply CSRF under a different name and deals with cloud services instead of traditional data centers. B, C, and D are incorrect. Side-channel attacks, also known as cross-guest VM breach, deal with attackers gaining control of the existing virtualization itself. Side session and VM straddling are not legitimate terms.

Which of the following describes a vulnerability allowing attackers to execute concatenated commands in bash? A. Shellshock B. WannaCry C. POODLE D. Heartbleed

A is correct. Shellshock works by causing Bash to unintentionally execute commands when the commands are concatenated (usually via CGI) to the end of function definitions stored in the values of environment variables. B, C, and D are incorrect. These vulnerabilities do not match the described condition.

Which of the following methods correctly performs banner grabbing on a Windows system? A. telnet <IPAddress> 80 B. telnet 80 <IPAddress> C. telnet <IPAddress> 80 -u D. telnet 80 <IPAddress> -u

A is correct. Telnetting to port 80 will generally pull a banner from a web server. You can telnet to any port you want to check, for that matter, and ideally pull a port; however, port 80 just seems to be the one used on the exam the most. B, C, and D are incorrect. These are all bad syntax for telnet.

Your new employee is pen testing a fully switched subnet and wants to know how to proceed. Which of the following methods might be useful for sniffing traffic in this situation? (Choose all that apply.) A. ARP spoofing B. Span port C. Port security D. MAC flooding

A, B, and D are correct. Spoofing ARP messages can trick the switch into sending traffic your way, and MAC flooding turns the switch into a hub. Spanning a port requires access to the switch IOS itself but would provide access to traffic. C is incorrect. Port security would frustrate your efforts to sniff traffic.

Which of the following built-in C/C++ functions you should avoid to prevent your program from buffer overflow attacks? A. strcpy() B. strcat() C. streadd() D. strscock()

Answer : A,B,C Explanation: When hunting buffer overflows, the first thing to look for is functions which write into arrays without any way to know the amount of space available. If you get to define the function, you can pass a length parameter in, or ensure that every array you ever pass to it is at least as big as the hard-coded maximum amount it will write. If you're using a function someone else (like, say, the compiler vendor) has provided then avoiding functions like gets(), which take some amount of data over which you have no control and stuff it into arrays they can never know the size of, is a good start. Make sure that functions like the str...() family which expect NUL-terminated strings actually get them - store a '\0' in the last element of each array involved just before you call the function, if necessary.Strscock() is not a valid C/C++ function.

Global deployment of RFC 2827 would help mitigate what classification of attack? A. Sniffing attack B. Denial of service attack C. Spoofing attack D. Reconnaissance attack E. Prot Scan attack

Answer : C Explanation:RFC 2827 - Network Ingress Filtering: Defeating Denial of Service Attacks which employ IPSource Address Spoofing -

Vulnerability mapping occurs after which phase of a penetration test? A. Host scanning B. Passive information gathering C. Analysis of host scanning D. Network level discovery

Answer : C Explanation:The order should be Passive information gathering, Network level discovery, Host scanning and Analysis of host scanning.Topic 23, Mixed Questions -

A program that defends against a port scanner will attempt to: A. Sends back bogus data to the port scanner B. Log a violation and recommend use of security-auditing tools C. Limit access by the scanning system to publicly available ports only D. Update a firewall rule in real time to prevent the port scan from being completed

Answer : D

Which one of the following attacks will pass through a network layer intrusion detection system undetected? A. A teardrop attack B. A SYN flood attack C. A DNS spoofing attack D. A test.cgi attack

Answer : D Explanation:Because a network-based IDS reviews packets and headers, it can also detect denial of service (DoS) attacks

Which is the Novell Netware Packet signature level used to sign all packets ? A. 0 B. 1 C. 2 D. 3

Answer : D Explanation:Level 0 is no signature, Level 3 is communication using signature only.

You are heading a committee that is resonsible for creating your company's security policies. What should you do FIRST? A. Develop the new security policies based on company needs B. Perform a risk assessment C. Collect standard guidelines to help guide the committee D. Train and educate users about security awareness

Answer: B Perform a risk assessmen

Which of the following languages poses the highest security risk because of its high penetration rate, number of documented vulnerabitlies, and average user patch status? A. Python B. Java C. C++ D. C#

Answer: B Java A report from WhiteSource examined security vulnerabilities in some of the most popular programming languages and looked at the trends of high security vulnerabilities over the years....Language vulnerabilities C (46.9%) PHP (16.7%) Java (11.4%) JavaScript (10.2%) Python (5.45%) C++ (5.23%) Ruby (4.25%)

You manage a network that contains Windows Server 2008 and Windows Vista computers. you have several laptops that are issued to employees when they are working remotely. You decide to implement EFS on the laptop compuers. What does this provide? A. File level security B. Drive encryption C. File and folder encryption D. Automatic error recovery

Answer: C File and folder encryption

You are engaging a penetration testing provider to identify possible vulnerabilities within your organization. You are about to sign the confidentiality agreemen and non-disclosure agreement (NDA). What should you verify in the legal language before signing them? A. Checklist of testing requirements B. Fees and project schedule C. Negligence and liability D. Rules of engagement

Answer: C Negligence and liability The other options are covered in separate documentation.

An administrator has configured SMTP and HTTP services running on a FreeBSD server. She wants to allow standard email and web tracffic accross registered ports 25, 80, and 443. However, any unauthorized access should be logged and denied. Which daemon should you use for loging and simple access control? A. smtpd B. asmtpd C. tcpd D. httpd

Answer: C tcpd

During security testing, what is the purpose of analyzing the interrupts within a piece of software? A. To determine if secure coding principles were followed B. To test the access controls C. To validate the desin D. To ensure critical data is not changed on the syste

Answer: D

Another member of your security team is confused about cross-site scripting (XSS) attacks. You explain how phishing attempts can use XSS to replace existing content on the webpage. She decies to write a simple JavaScript XSS defacement function. Which document object method(s) should you suggest she use? *(Choose all that apply).* A. write() B. open() C. adoptNode() D. renameNode() E. getElementById() F. getElementByTagName() G. importNode()

Answer: E, F E. getElementById() F. getElementByTagName()

While researching specific security issues for your company, you want to use an anonymizer to ensure that your privacy is protected. Which of the following is *NOT* an anonymizer? A. Psiphon B. Tails C. Proxify D. TOR

Anwer: B Tails is a live operating system that a user can start on any computer from a DVD, USB flash drive, or SD card.

Which of the following are advantages to a single sign-on system? (Choose two.) A. Attacks can occur only at the SSO point. B. Many user authentication problems can be resolved at a central location. C. Users do not need to memorize multiple passwords. D. Centralized recording of all monitoring events at the SSO point makes for a more secure environment.

B and C are correct. Single sign-on is a great thing for users (remember, one password instead of many) and provides some great benefits for administrators as well. Because users are on one password, most authentication issues can be handled with that one password, at the SSO point. A and D are incorrect. Whether you're using SSO or not, attacks can, and do, occur at every point. SSO implementation has nothing to do with logging.

Which of the following provides the integrity method for WPA2? A. RC4 B. CCMP C. AES D. 802.1x

B is correct. As good as WPA was, there were tiny flaws to be exploited in TKIP. Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) was created to fix those and is the integrity method used by Wi-Fi Protected Access 2 (WPA2). A, C, and D are incorrect. RC4 and AES are encryption algorithms (AES is used in WPA, by the way). 802.1x is the standards family wireless comes from.

Phishing, pop-ups, and IRC channel use are all examples of which type of social engineering attack? A. Human based B. Computer based C. Technical D. Vishing

B is correct. Computer-based social engineering attacks include any measures using computers and technology. A, C, and D are incorrect. Human-based social engineering uses interaction in conversation or other circumstances between people to gather useful information. There is no such thing as a "technical" social engineering attack. Using a phone during a social engineering effort is known as "vishing" (for "voice phishing").

Which of the following tools can be used in IPSec VPN scanning and fingerprinting? A. Wireshark B. IKE-scan C. Nikto D. Black Widow E. ARPwatch

B is correct. IKE-scan is an IPSec VPN scanning, fingerprinting, and testing tool. A, C, D, and E are incorrect. Wireshark is used for packet capture and sniffing. Nikto and Black Widow are both involved in web server examination and testing. ARPwatch is not applicable here.

You are examining an internal web server and discover there are two hours missing from the log files. No users complained of downtime or accessibility issues. Which of the following is most likely true? A. The log file is simply corrupted. B. The server was compromised by an attacker. C. The server was rebooted. D. No activity occurred during the two-hour time frame.

B is correct. It's a web server used by employees all day during normal business hours and there's "nothing" in the log? Despite this, none of the users complained about it being down at all? No, we think this one is going to require some forensics work. Call the IR team. A, C, and D are incorrect. The log file being corrupted would've been throughout. A crisp two-hour window doesn't match up with that. If the system were rebooted, that in and of itself would've shown in the log. It defies common sense and probability that absolutely nothing occurred to the web server during normal business hours.

Which of the following statements is true regarding Kismet? A. Kismet is used to crack passwords. B. Kismet can discover wireless networks that are not sending beacon frames. C. Kismet relies on beacon frames to sniff wireless networks. D. Kismet is used to identify vulnerabilities in wireless networks.

B is correct. Kismet's primary use is scanning for (and sniffing) wireless networks. Even if the security admin turns beaconing off (so no one can supposedly search for the SSID), Kismet can still find the network for you. A, C, and D are incorrect. These statements are not true regarding Kismet.

Which of the following is considered by OWASP to be the top vulnerability security professionals should be aware of in IoT systems? A. Insufficient authentication/authorization B. Insecure web interface C. Insecure network services D. Insecure cloud interface

B is correct. Per OWASP, an insecure web interface can be present when an issue such as account enumeration, lack of account lockout, or weak credentials is present. Insecure web interfaces are prevalent as the intent is to have these interfaces exposed only on internal networks; however, threats from internal users can be just as significant as threats from external users. Issues with the web interface are easy to discover when examining the interface manually, along with automated testing tools to identify other issues such as cross-site scripting. A, C, and D are incorrect. Insufficient authentication/authorization, insecure network services, and an insecure cloud interface are ranked second, third, and sixth, respectively.

Which of the following is an attack whereby SOAP messages are replayed as if they were legitimate? A. CSRF B. Wrapping attack C. CR SOAP D. Side channel

B is correct. Wrapping attacks involve messing with SOAP messages and replaying them as legitimate. A, C, and D are incorrect. These attacks do not involve SOAP messaging.

An organization wants to save on time and money and decides to go with an automated approach to pen testing. Which of the following tools would work for this? (Choose all that apply.) A. Nmap B. Netcat C. Core Impact D. CANVAS

C and D are correct. Both Core Impact and CANVAS are automated pen test application suites. A and B are incorrect. Nmap is a port scanner. Netcat is a multipurpose scanner and backdoor.

An attacker is attempting to telnet to an internal server. He has done his homework and knows port 23 is open on the machine, it is listening for requests, and he can reach it using port scans from his current location (nmap). To hide his tracks, he spoofs his IP address and then launches telnet against the server. His attempts fail. What is the most likely cause? A. The firewall is blocking telnet traffic. B. Port 23 is not the correct port for telnet. C. He cannot spoof his IP and successfully use telnet. D. The target is most likely a honeypot.

C is correct. Spoofing the IP address sends all of his replies to that fake address, meaning he cannot spoof his IP and still use telnet: the replies would go to the spoofed address instead of the attacker's own. A, B, and D are incorrect. Because the scans are getting through, the firewall is not blocking port 23 traffic, which is telnet's port. Answer D is a distracter.

In a CSPP attack, which of the following would most likely be used? A. ' B. C. ; D. @

C is correct. The entire attack is based on the use of semicolons by web applications in communicating with databases. Suppose, for example, an attacker entered "; Integrated Security=true" as a password. Because the semicolon closes the password parameter, the rest of the command dictates the web app should connect to the database using the system account instead of a user one. CSPP attacks can be mitigated by treating semicolons as data instead of characters. A, B, and D are incorrect. The single quote is generally associated with SQL injection efforts. The + and @ signs are not applicable here.

Which of the following refers to monitoring security configuration changes over time? A. Patch management B. Vulnerability management C. Baselining D. Change management

C is correct. To develop a baseline, you take a snapshot of the current system's security controls and configuration settings. This can be compared to future states (monitored over time) to see what security and configuration changes have been made. Those that are valid go into the new baseline, and those that aren't are cut. A, B, and D are incorrect. Patch and vulnerability management supervise patching and the tracking of vulnerabilities, respectively. Change management deals with controlling changes to systems in the environment.

You are searching for systems with file sharing enabled. Which port would be seen in a listening state on a Microsoft Windows machine, thus indicating file sharing? A. 161 B. 3389 C. 1433 D. 445

D is correct. There are a few ports in Microsoft system file sharing you should be aware of. Microsoft file sharing SMB uses UDP and TCP ports from 135 to 139. Direct-hosted SMB traffic without NetBIOS uses port 445 (TCP and UPD). A, B, and C are incorrect. 161 is an SNMP port, 3389 is associated with Terminal Services (a.k.a. Remote Desktop), and 1433 is an MS SQL port.

How would you describe an attack where an attacker attempts to deliver the payload over multiple packets over long periods of time with the purpose of defeating simple pattern matching in IDS systems without session reconstruction? A characteristic of this attack would be a continuous stream of small packets. A. Session Splicing B. Session Stealing C. Session Hijacking D. Session Fragmentation

Answer : A

You have chosen a 22 character word from the dictionary as your password. How long will it take to crack the password by an attacker? A. 5 minutes B. 23 days C. 200 years D. 16 million years

Answer : A Explanation: A dictionary password cracker simply takes a list of dictionary words, and one at a time encrypts them to see if they encrypt to the one way hash from the system. If the hashes are equal, the password is considered cracked, and the word tried from the dictionary list is the password. As long as you use a word found in or similar to a word found in a dictionary the password is considered to be weak.

In Buffer Overflow exploit, which of the following registers gets overwritten with return address of the exploit code? A. EIP B. ESP C. EAP D. EEP

Answer : A Explanation: EIP is the instruction pointer which is a register, it points to your next command.

our company trainee Sandra asks you which are the four existing Regional InternetRegistry (RIR's)? A. APNIC, PICNIC, ARIN, LACNIC B. RIPE NCC, LACNIC, ARIN, APNIC C. RIPE NCC, NANIC, ARIN, APNIC D. RIPE NCC, ARIN, APNIC, LATNIC

Answer : B Explanation: All other answers include non existing organizations (PICNIC, NANIC,LATNIC). See http://www.arin.net/library/internet_info/ripe.html

What do you conclude from the nmap results below?Staring nmap V. 3.10ALPHA0 (www.insecure.org/map/)(The 1592 ports scanned but not shown below are in state: closed)PortStateService -21/tcpopenftp25/tcpopensmtp80/tcpopenhttp443/tcpopenhttpsRemote operating system guess: Too many signatures match the reliability guess the OS.Nmap run completed 1 IP address (1 host up) scanned in 91.66 seconds A. The system is a Windows Domain Controller. B. The system is not firewalled. C. The system is not running Linux or Solaris. D. The system is not properly patched.

Answer : B Explanation: There is no reports of any ports being filtered.

What are the most common commands that hackers usually attempt to Trojan A. car, xterm, grep B. netstat, ps, top C. vmware, sed, less D. xterm, ps, nc

Answer : B Explanation:The easiest programs to trojan and the smartest ones to trojan are ones commonly run by administrators and users, in this case netstat, ps, and top, for a complete list of commonly trojaned and rootkited software please reference this URL: http://www.usenix.org/publications/login/1999-9/features/rootkits.html

802.11b is considered a ____________ protocol. A. Connectionless B. Secure C. Unsecure D. Token ring based E. Unreliable

Answer : C Explanation: 802.11b is an insecure protocol. It has many weaknesses that can be used by a hacker.

Which of the following is NOT a reason 802.11 WEP encryption is vulnerable? A. There is no mutual authentication between wireless clients and access points B. Automated tools like AirSnort are available to discover WEP keys C. The standard does not provide for centralized key management D. The 24 bit Initialization Vector (IV) field is too small

Answer : C Explanation: The lack of centralized key management in itself is not a reason that theWEP encryption is vulnerable, it is the people setting the user shared key that makes it unsecure.Topic 16, Virus and Worms -

What is the IV key size used in WPA2? A. 32 B. 24 C. 16 D. 48 E. 128

Answer : D

What tool can crack Windows SMB passwords simply by listening to network traffic?Select the best answer. A. This is not possible B. Netbus C. NTFSDOS D. L0phtcrack

Answer : D Explanation: Explanations:This is possible with a SMB packet capture module for L0phtcrack and a known weaknesses in the LM hash algorithm.

Melissa is a virus that attacks Microsoft Windows platforms.To which category does this virus belong? A. Polymorphic B. Boot Sector infector C. System D. Macro

Answer : D Explanation: The Melissa macro virus propagates in the form of an email message containing an infected Word document as an attachment.Topic 17, Physical Security -

Which of the following snort rules look for FTP root login attempts? A. alert tcp -> any port 21 (msg:"user root";) B. alert tcp -> any port 21 (message:"user root";) C. alert ftp -> ftp (content:"user password root";) D. alert tcp any any -> any any 21 (content:"user root";)

Answer : D Explanation: The snort rule header is built by defining action (alert), protocol (tcp), from IP subnet port (any any), to IP subnet port (any any 21), Payload Detection Rule Options(content:user root;)

One of the better features of NetWare is the use of packet signature that includes cryptographic signatures. The packet signature mechanism has four levels from 0 to3.In the list below which of the choices represent the level that forces NetWare to sign all packets? A. 0 (zero) B. 1 C. 2 D. 3

Answer : D Explanation:0Server does not sign packets (regardless of the client level).1Server signs packets if the client is capable of signing (client level is 2 or higher).2Server signs packets if the client is capable of signing (client level is 1 or higher).3Server signs packets and requires all clients to sign packets or logging in will fail.

_______ is one of the programs used to wardial. A. DialIT B. Netstumbler C. TooPac D. Kismet E. ToneLoc

Answer : E Explanation: ToneLoc is one of the programs used to wardial. While this is considered an"old school" technique, it is still effective at finding backdoors and out of band network entry points.

Your company implements two NIDS: one anomaly-based and one signature-based. It also implements two NIPS: one anomaly-based and one stateful protocol-based. Your company employs an ethical hacker who uses ADMutate to disguise a buffer overflow attack. The attack is attempting to breach the network. Which system is most likely being targeted? A. Stateful protocol-based NIPS B. Anomally-based NIDS C. Signature-based NIDS D. Anomally-based NIPS

Answer: C Signature-based NIDS

Which ISO 27000 standard describes audits and certifications? A. 27005 B. 27001 C. 27002 D. 27006

Answer: D ISO 27006

Which of the following testing methodologies addresses security controls? A. SOAP B. CORBA C. OWASP D. OSSTMM

Answer: D OSSTMM The Open Source Security Testing Methodology Manual (OSSTMM) focuses operational security. It is about knowing and measuring how well security work by examining the controls that have been put in place.

Which of the following best describes an API that allows application components to communicate with other components? A. EC2 B. SOAP C. DAR D. SOA

D is correct. Service-Oriented Architecture is an architecture-driven software design where software components deliver information to other components, usually over a network. For example, a company might develop an API that provides software programming access to a specific database, which would then let other developers build applications that could leverage the API to query or upload data. A, B, and C are incorrect. EC2 refers to Amazon Web Services cloud offerings. SOAP (Simple Object Access Protocol) is a messaging protocol using XML (and HTTP) that allows programs running on different operating systems to communicate. Data at rest has nothing to do with this question.

Which of the following tools allow for Bluetooth device discovery? (Choose two.) A. BlueScanner B. BT Browser C. BBProxy D. PhoneSnoop

A and B are correct. BlueScanner (from SourceForge) does a great job of finding devices around you, and can also try to extract and display as much information as possible. BT Browser is another great, and well-known, tool for finding and enumerating nearby devices. C and D are incorrect. BBProxy is a BlackBerry-centric tool that's useful in an attack called Blackjacking. PhoneSnoop is good for spyware on a BlackBerry.

Amanda is a pen test team member scanning systems on an event. She notices a system using port 445, which is active and listening. Amanda issues the following command: *for /f "tokens=1 %%a in (myfile.txt) do net use * \\192.168.1.3\c$ /user."administrator" %%a* Which of the following best describes what Amanda is trying to accomplish? A. She is trying to password-crack the user account named "administrator." B. She is trying to carry out a denial-of-service attack. C. She is trying to enumerate all user accounts on the machine from a known administrator account login. D. She is trying to escalate her privileges.

A is correct. Amanda is attempting to successfully log in to the user account called "administrator" using a list of passwords in the myfile.txt file. Port 445 is for Microsoft-DS SMB file sharing. B, C, and D are incorrect. Although the admin account may get locked out eventually, it's not the purpose of this script to accomplish that. It is also not enumerating users or elevating a privilege for another account.

In Amazon's EC2, virtual machines are provided and can be controlled through a service API. Which of the following best defines this service? A. IaaS B. PaaS C. SaaS D. Public

A is correct. Amazon's EC2 provides resizable compute capacity in the cloud via VMs that can be controlled via API, thus fitting the definition of IaaS. B, C, and D are incorrect. These do not match the Amazon EC2 service description.

In which of the following OSs are you most likely to experience problems in collecting 802.11 management and control packets while passively sniffing? A. Windows B. macOS C. Linux D. FreeBSD 5.2

A is correct. For whatever reason, many wireless NICs don't have good support for monitor mode in Windows. They seem to be okay catching general traffic, but the control packets are hard to come by. B, C, and D are incorrect. Linux variants and macOS wireless NICs provide better support for monitor mode

Syslog is a standard for logging program messages. It allows separation of the software that generates messages from the system that stores them and the software that reports and analyzes them. It also provides devices, which would otherwise be unable to communicate a means to notify administrators of problems or performance. What default port Syslog daemon listens on? A. 242 B. 312 C. 416 D. 514

ANSWER: D

This TCP flag instructs the sending system to transmit all buffered data immediately. A. SYN B. RST C. PSH D. URG E. FIN

Answer : C

What is the current recommended RSA key length for a PKI? A. 2048 bits B. 8192 bits C. 4096 bits D. 1024 bits

Answer: A 2048 bits

Your organization uses a cloud computing model that shares cloud infrastructure for data and services. Which deployment model matches this description? A. Private B. Community C. Public D. Hybrid

B is correct. A community cloud model is one where the infrastructure is shared by several organizations, usually with the same policy and compliance considerations. A, C, and D are incorrect. A private cloud model is operated solely for a single organization (a.k.a. single-tenant environment), is usually not a pay-as-you-go type of operation, and is usually preferred by larger organizations. A public cloud model is one where services are provided over a network that is open for public use (like the Internet). The hybrid cloud model is a composite of two or more cloud deployment models

Which of the following can best be mitigated by setting the HttpOnly flag in cookies? A. CSRF B. XSS C. Buffer overflow D. CSPP

B is correct. Cross-side scripting occurs when the bad guy injects code—usually in the form of a script—into a web page. Because setting the HttpOnly flag in a cookie prevents the cookie from being accessible by a client-side script, this would be a good idea for XSS mitigation. A, C, and D are incorrect. None of these will be remediated by the HttpOnly flag.

Which firewall operates at Layer 5? A. Application level B. Circuit level C. Packet filtering D. Stateful

B is correct. It's true that circuit-level firewalls can and do monitor TCP handshakes (Layer 4) and that they can monitor and filter on upper-layer protocols (Application layer), but they don't make filtering decisions based on the data within those protocols. They primarily work at the Session layer (Layer 5). A, C, and D are incorrect. Application-level firewalls work at Layer 7, and packet-filtering and stateful firewalls respectively at Layers 3 and 4.

Which one of the following tools can be used for passive OS fingerprinting? A. ping B. whois C. nmap D. tracert

C is correct. Nmap has all sorts of switches that allow you to search for nearly everything. For example, the -O switch would come in handy here. A, B, and D are incorrect. The remaining answers make no sense at all here.

A security consulting group is brought in to assist in improving the security posture of the environment. Team members perform footprinting, enumeration, scanning, and vulnerability assessments, then attempt exploitation of specific findings. Other team members attend the security tools and policies of the environment before, during, and after the attacks to monitor and suggest improvements on the environment's security suite. Which of the following best describes the team? A. Red team B. Blue team C. Purple team D. Gray team

C is correct. Red and blue teams are pretty well known. Red teams are on offense, employed to go on the attack, simulating the bad guys out in the world by trying to exploit anything they can find, and blue teams are the security professionals trying to defend the network. They are often merged into "purple" teams in the real world to better test and secure environments. A, B, and D are incorrect. The team is performing both red and blue team duties, making A and B incorrect choices. D is included as a distractor.

Which of the following best represents SOA? A. A file server B. An application containing both the user interface and the code allowing access to the data C. An API that allows different components to communicate D. A single database accessed by multiple sources

C is correct. Service-Oriented Architecture (SOA) is all about software components delivering information to one another on a network, and this is the best available answer. SOA is a part of an architectural strategy in computer software design where components of applications provide services to other components via a communications protocol. SOA principles are independent of vendor, product, or technology. A, B, and D are incorrect. These do not describe SOA.

Which of the following attacks is also known as "cross-guest VM breach"? A. Session riding B. CSRF C. Side channel D. VM strafing

C is correct. Side-channel attacks, also known as "cross-guest VM breach," deal with the virtualization itself. If an attacker can somehow gain control of an existing VM (or place his own) on the same physical host as the target, he may be able to pull off lots of naughty activities. A, B, and D are incorrect. Session riding is, in effect, simply CSRF under a different name and deals with cloud services instead of traditional data centers. CSRF is an attack leveraging a legitimate open session with a phishing attack to send a message from the user's browser to the target server without the user knowing it. VM strafing sounds like fun, depending on the caliber, but is not a legitimate attack.

Ethical hacker Brad is testing insecure direct object reference. He attempts to gain account access to resources under a username he discovered called Joe. Which of the following best demonstrates an attempt to exploit the insecure direct object reference? A. GET /restricted/\r\n%00account%00Joe%00access HTTP/1.1 Host: somebank.com B. GET /restricted/accounts/?name=Joe HTTP/1.1 Host: somebank.com C. GET /restricted/bank.getaccount('Joe') HTTP/1.1 Host: somebank.com D. GET /restricted/goldtransfer?to=Brad&from=1 or 1=1' HTTP/1.1 Host: somebank.com

B is correct. Of the choices provided, this is the only one that attempts direct access to Joe's account. The following is from OWASP's page on the subject: "Applications frequently use the actual name or key of an object when generating web pages. Applications don't always verify the user is authorized for the target object. This results in an insecure direct object reference flaw." An attacker, who is an authorized system user, simply changes a parameter value that directly refers to a system object to another object the user isn't authorized for. A, C, and D are incorrect. These attempts do not attempt direct access to Joe's account.

In which phase of the Security Development Lifecycle is "fuzz" testing performed? A. Implementation B. Verification C. Design D. Release

B is correct. The Security Development Lifecycle (SDL) phases include training, requirements, design, implementation, verification, release, and response, and each phase holds specific actions. For example, in the training phase, core security training for developers is performed. In the requirements phase, the level of security desired is set. In the verification phase, dynamic analysis, fuzz testing, and attack surface reviews are performed. A, C, and D are incorrect. The implementation phase includes using approved tools and static analysis and turning off unsafe functions. Design includes requirements, attack surface analysis, and threat modeling. Release includes an incident response plan, final security review, and certification.

James is a member of a pen test team newly hired to test a bank's security. He begins searching for IP addresses the bank may own, using public records on the Internet, and also looks up news articles and job postings to discover information that may be valuable. What phase of the pen test is James working? A. Reconnaissance B. Pre-attack C. Assessment D. Attack E. Scanning

B is correct. The pre-attack phase (a.k.a the preparation phase) is where all this activity takes place—including the passive information gathering performed by James in this example. This would be followed by the attack and post-attack phases. A, C, D, and E are incorrect. Reconnaissance and scanning are part of the ethical hacking phases (reconnaissance, scanning/enumeration, gaining access, maintaining access, and clearing tracks). Assessment is akin to the attack phase.

Background checks on employees, risk assessments on devices, and policies regarding key management and storage are examples of ___________ measures within physical security. A. physical B. technical C. operational D. None of the above

C is correct. Operational measures are the policies and procedures you set up to enforce a security-minded operation. A, B, and D are incorrect. Physical controls include all the things you can touch, taste, smell, or get shocked by. Technical controls are measures taken with technology in mind to protect explicitly at the physical level.

Which of the following statements is true? A. Pcap is an encryption algorithm. B. Pcap is used on Linux. Libpcap is used on Windows. C. Pcap is used on Windows. Libpcap is used on Linux. D. Pcap is a command-line tool for sniffing.

C is correct. Pcap (for Windows) and its Linux-based brother libpcap are the packet capture libraries/drives used by virtually every sniffing and scanning tool you can think of—nmap, Snort, Wireshark, tcpdump, kismet, and L0phtCrack, for example. For extra fun—and possibly a Jeopardy-type question on your exam—libpcap was written in C/C++. A, B, and D are incorrect. The other answers provided are not true regarding Pcap.

Which of the following statements is true? A. Configuring the web server to send random challenge tokens is the best mitigation for XSS attacks. B. Configuring the web server to send random challenge tokens is the best mitigation for buffer overflow attacks. C. Configuring the web server to send random challenge tokens is the best mitigation for parameter-manipulation attacks. D. Configuring the web server to send random challenge tokens is the best mitigation for CSRF attacks.

D is correct. A CSRF attack occurs when the attacker takes one session while you're connected on a legitimate one and sends messages as if they're from you. The requests from the bad guy masquerading with your session ID through your browser can be largely stopped by making sure each request has a challenge token—if the server gets one without a token, it's naughty and dropped. A, B, and C are incorrect. XSS, buffer overflows, and parameter manipulation are not stopped by random challenges.

Which of the following best matches the purpose of key escrow? A. Allows a third party to back up encrypted data B. Allows a third party to provide a key should one get lost C. Allows a third party to provide authentication and identification services D. Allows a third party to access sensitive data if the need arises

D is correct. Key escrow agents are usually used when the government needs access to something during an investigation. A, B, and C are incorrect. Backups have nothing to do with key escrow. Lost key replacement is done by something called a recovery agent. Your CA provides for identification services, not the key escrow agent.

You use a Linux distribution Live CD to boot a system that is running Ubuntu and enter the following command set: *sudo mkdir /media/sda1 sudo mount /dev/sda1 /media/sda1 sudo chroot /media/sda1 passwd N3wPWD4thi$* Which of the following best describes what you are attempting? A. Change the password of the underlying desktop Ubuntu installation. B. Change the password of the Live CD install for the session. C. Create a password-protected share. D. Install a rootkit.

A is correct. Let's walk through the commands: First up, sudo runs everything afterward as a superuser (assuming, of course, you are allowed, as specified in the sudoers file). mkdir makes a directory. The mount command mounts a specified resource. The chroot command changes the root file system from the Live CD to the desktop. Lastly, the passwd command lets you change the current user's password. B, C, and D are incorrect. These answers do not match the output of the command-line entries.

You use a Linux distribution Live CD to boot a system that is running Ubuntu and enter the following command set: sudo mkdir /media/sda1 sudo mount /dev/sda1 /media/sda1 sudo chroot /media/sda1 passwd N3wPWD4thi$ Which of the following best describes what you are attempting? A. Change the password of the underlying desktop Ubuntu installation. B. Change the password of the Live CD install for the session. C. Create a password-protected share. D. Install a rootkit.

A is correct. Let's walk through the commands: First up, sudo runs everything afterward as a superuser (assuming, of course, you are allowed, as specified in the sudoers file). mkdir makes a directory. The mount command mounts a specified resource. The chroot command changes the root file system from the Live CD to the desktop. Lastly, the passwd command lets you change the current user's password. B, C, and D are incorrect. These answers do not match the output of the command-line entries.

When would a secondary name server request a zone transfer from a primary? A. When the primary SOA serial number is higher B. When the primary SOA serial number is lower C. Only when it is rebooted D. When the SOA record TTL reaches zero

A is correct. Secondary servers check in with the primary based on the refresh interval. The primary increments the serial number every time the SOA changes. If the secondary checks in and the primary's copy has a higher serial number, then it knows the SOA has changed and it needs a new copy. B, C, and D are incorrect. The secondary does not request a new copy if the serial number is lower or when the server is rebooted. The TTL reaching zero has nothing to do with requesting a zone transfer.

How would OSSTMM categorize PCI DSS? A. Contractual B. Legislative C. Technology based D. Standards based

A is correct. The Open Source Security Testing Methodology Manual (OSSTMM) defines three types of compliance: contractual, legislative, and standards based. Contractual deals with requirements enforced by an industry or non-government group. B, C, and D are incorrect. Legislative deals with regulations enforced by the government. Standards based deals with actions that are recommended and must be adhered to in order to be certified by a group. Technology based doesn't exist.

A pen tester is using Metasploit to attack an FTP server. He wants the attack to use the FTP server as a launching point to "pivot" to an internal LAN segment. Which of the following should be accomplished to perform the attack? A. Create a route statement within the meterpreter. B. Set payload action in meterpreter to propagate. C. Choose the pivot exploit. D. Set network configuration parameters to reconfigure in the meterpreter.

A is correct. The meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime. Adding a route statement allows for the "pivot" action. B, C, and D are incorrect. These steps will not assist in pivoting.

X.509 defines the standard for digital certificates. Per this standard, which of the following are fields within a certificate? (Choose all that apply.) A. Version B. Algorithm ID C. Private key D. Public key E. Key usage F. PTR record

A, B, D, and E are correct. X.509 is an ITU-T standard defining all sorts of things regarding PKI, including the digital certificate and what it holds. It identifies several components of a digital certificate, including the version, the algorithm ID, a copy of the public key, and the key usage description. C and F are incorrect. The private key is never shared. A PTR record is a DNS record type, not a component of a digital signature.

Which of the following statements are true? (Choose three.) A. Aircrack can use a dictionary list to crack WEP keys. B. Aircrack can use PTW to crack WEP keys. C. Aircrack can use Korek to crack WEP keys. D. Aircrack can use a rainbow table to crack WEP keys.

A, B, and C are correct. Aircrack-ng can make use of dictionary lists. It uses something called the Pyshkin, Tews, Weinmann (PTW) technique by default, but can also use the Fluhrer, Mantin, Shamir (FMS) technique or the Korek technique to crack WEP. When it comes to WPA or WPA2, it uses dictionary lists only. D is incorrect. Rainbow tables are used in password cracking but not in wireless key cracking. Wrong place, wrong tool.

You are performing an internal scan of a private subnet with the followin command: *hping 3 -1 192.168.1.127* All hosts are configured with the subnet mask 255.255.255.192. Which IP address or rane of addresses will be scanned as a resul of running this command? A. 192.168.1.1-126 B. 192.168.1-254 C. 192.168.1.127 D. 192.168.1.65-126

Answe: D 192.168.1.65-126

Bret is a web application administrator and has just read that there are a number of surprisingly common web application vulnerabilities that can be exploited by unsophisticated attackers with easily available tools on the Internet.He has also read that when an organization deploys a web application, they invite the world to send HTTP requests. Attacks buried in these requests sail past firewalls, filters, platform hardening, SSL, and IDS without notice because they are inside legal HTTP requests. Bret is determined to weed out any vulnerabilities. What are some common vulnerabilities in web applications that he should be concerned about? A. Non-validated parameters, broken access control, broken account and session management, cross-side scripting and buffer overflows are just a few common vulnerabilities B. No IDS configured, anonymous user account set as default, missing latest security patch, no firewall filters set and visible clear text passwords are just a few common vulnerabilities C. Visible clear text passwords, anonymous user account set as default, missing latest security patch, no firewall filters set and no SSL configured are just a few common vulnerabilities D. No SSL configured, anonymous user account set as default, missing latest security patch, no firewall filters set and an inattentive system administrator are just a few common vulnerabilities

Answer : A

Google uses a unique cookie for each browser used by an individual user on a computer.This cookie contains information that allows Google to identify records about that user on its database. This cookie is submitted every time a user launches a Google search, visits a site using AdSense etc. The information stored in Google's database, identified by the cookie, includes-> Everything you search for using Google-> Every web page you visit that has Google Adsense adsHow would you prevent Google from storing your search keywords? A. Block Google Cookie by applying Privacy and Security settings in your web browser B. Disable the Google cookie using Google Advanced Search settings on Google Search page C. Do not use Google but use another search engine Bing which will not collect and store your search keywords D. Use MAC OS X instead of Windows 7. Mac OS has higher level of privacy controls by default.

Answer : A

Michael is a junior security analyst working for the National Security Agency (NSA) working primarily on breaking terrorist encrypted messages. The NSA has a number of methods they use to decipher encrypted messages including Government Access to Keys (GAK) and inside informants. The NSA holds secret backdoor keys to many of the encryption algorithms used on the Internet. The problem for the NSA, and Michael, is that terrorist organizations are starting to use custom-built algorithms or obscure algorithms purchased from corrupt governments. For this reason, Michael and other security analysts like him have been forced to find different methods of deciphering terrorist messages. One method that Michael thought of using was to hide malicious code inside seemingly harmless programs. Michael first monitors sites and bulletin boards used by known terrorists, and then he is able to glean email addresses to some of these suspected terrorists. Michael then inserts a stealth keylogger into a mapping program file readme.txt and then sends that as an attachment to the terrorist. This keylogger takes screenshots every 2 minutes and also logs all keyboard activity into a hidden file on the terrorist's computer. Then, the keylogger emails those files to Michael twice a day with a built in SMTP server. What technique has Michael used to disguise this keylogging software? A. Steganography B. Wrapping C. ADS D. Hidden Channels

Answer : A

You are sniffing as unprotected WiFi network located in a JonDonalds Cybercafe with Ethereal to capture hotmail e-mail traffic. You see lots of people using their laptops browsing the web while snipping brewed coffee from JonDonalds. You want to sniff their email message traversing the unprotected WiFi network.Which of the following ethereal filters will you configure to display only the packets with the hotmail messages? A. (http contains "hotmail") && ( http contains "Reply-To") B. (http contains "e-mail" ) && (http contains "hotmail") C. (http = "login.passport.com" ) && (http contains "SMTP") D. (http = "login.passport.com" ) && (http contains "POP3")

Answer : A Explanation: Each Hotmail message contains the tag Reply-To:<sender address> and xxxx-xxx-xxx.xxxx.hotmail.com in the received tag.

Shayla is an IT security consultant, specializing in social engineering and external penetration tests. Shayla has been hired on by Treks Avionics, a subcontractor for theDepartment of Defense. Shayla has been given authority to perform any and all tests necessary to audit the company's network security.No employees for the company, other than the IT director, know about Shayla's work she will be doing. Shayla's first step is to obtain a list of employees through company website contact pages. Then she befriends a female employee of the company through an online chat website. After meeting with the female employee numerous times, Shayla is able to gain her trust and they become friends. One day, Shayla steals the employee's access badge and uses it to gain unauthorized access to the Treks Avionics offices.What type of insider threat would Shayla be considered? A. She would be considered an Insider Affiliate B. Because she does not have any legal access herself, Shayla would be considered an Outside Affiliate C. Shayla is an Insider Associate since she has befriended an actual employee D. Since Shayla obtained access with a legitimate company badge; she would be considered a Pure Insider

Answer : A

Your are trying the scan a machine located at ABC companys LAN named mail.abc.com. Actually that machine located behind the firewall. Which port is used by nmap to send the TCP synchronize frame to on mail.abc.com? A. 443 B. 80 C. 8080 D. 23

Answer : A

John the hacker is sniffing the network to inject ARP packets. He injects broadcast frames onto the wire to conduct MiTM attack. What is the destination MAC address of a broadcast frame? A. 0xFFFFFFFFFFFF B. 0xAAAAAAAAAAAA C. 0xBBBBBBBBBBBB D. 0xDDDDDDDDDDDD

Answer : A Explanation: 0xFFFFFFFFFFFF is the destination MAC address of the broadcast frame.

Which of the following represents the initial two commands that an IRC client sends to join an IRC network? A. USER, NICK B. LOGIN, NICK C. USER, PASS D. LOGIN, USER

Answer : A Explanation: A "PASS" command is not required for either client or server connection to be registered, but it must precede the server message or the latter of the NICK/USER combination. (RFC 1459)

Eve decides to get her hands dirty and tries out a Denial of Service attack that is relatively new to her. This time she envisages using a different kind of method to attack Brownies Inc. Eve tries to forge the packets and uses the broadcast address.She launches an attack similar to that of fraggle. What is the technique that Eve used in the case above? A. Smurf B. Bubonic C. SYN Flood D. Ping of Deat

Answer : A Explanation: A fraggle attack is a variation of the smurf attack for denial of service in which the attacker sends spoofed UDP packets instead of ICMP echo reply (ping) packets to the broadcast address of a large network.

What hacking attack is challenge/response authentication used to prevent? A. Replay attacks B. Scanning attacks C. Session hijacking attacks D. Password cracking attacks

Answer : A Explanation: A replay attack is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and retransmits it. With a challenge/response authentication you ensure that captured packets cant be retransmitted without a new authentication.

Travis works primarily from home as a medical transcriptions.He just bought a brand new Dual Core Pentium Computer with over 3 GB of RAM. He uses voice recognition software is processor intensive, which is why he bought the new computer. Travis frequently has to get on the Internet to do research on what he is working on. After about two months of working on his new computer, he notices that it is not running nearly as fast as it used to.Travis uses antivirus software, anti-spyware software and always keeps the computer up-to-date with Microsoft patches.After another month of working on the computer, Travis computer is even more noticeable slow. Every once in awhile, Travis also notices a window or two pop-up on his screen, but they quickly disappear. He has seen these windows show up, even when he has not been on the Internet. Travis is really worried about his computer because he spent a lot of money on it and he depends on it to work. Travis scans his through Windows Explorer and check out the file system, folder by folder to see if there is anything he can find. He spends over four hours pouring over the files and folders and cant find anything but before he gives up, he notices that his computer only has about 10 GB of free space available. Since has drive is a 200 GB hard drive, Travis thinks this is very odd.Travis downloads Space Monger and adds up the sizes for all the folders and files on his computer. According to his calculations, he should have around 150 GB of free space. What is mostly likely the cause of Travis problems? A. Travis's Computer is infected with stealth kernel level rootkit B. Travi's Computer is infected with Stealth Torjan Virus C. Travis's Computer is infected with Self-Replication Worm that fills the hard disk space D. Logic Bomb's triggered at random times creating hidden data consuming junk files

Answer : A Explanation: A rootkit can take full control of a system. A rootkit's only purpose is to hide files, network connections, memory addresses, or registry entries from other programs used by system administrators to detect intended or unintended special privilege accesses to the computer resources.

Mark works as a contractor for the Department of Defense and is in charge of network security. He has spent the last month securing access to his network from all possible entry points. He has segmented his network into several subnets and has installed firewalls all over the network. He has placed very stringent rules on all the firewalls, blocking everything in and out except ports that must be used. He does need to have port 80 open since his company hosts a website that must be accessed from the Internet. Mark is fairly confident of his perimeter defense, but is still worried about programs like Hping2 that can get into a network through convert channels.How should mark protect his network from an attacker using Hping2 to scan his internal network? A. Blocking ICMP type 13 messages B. Block All Incoming traffic on port 53 C. Block All outgoing traffic on port 53 D. Use stateful inspection on the firewalls

Answer : A Explanation: An ICMP type 13 message is an ICMP timestamp request and waits for anICMP timestamp reply. The remote node is right to do, still it would not be necessary as it is optional and thus many ip stacks ignore such packets. Nevertheless, nmap again achived to make its packets unique by setting the originating timestamp field in the packet to 0.

Bob is doing a password assessment for one of his clients. Bob suspects that security policies are not in place. He also suspects that weak passwords are probably the norm throughout the company he is evaluating. Bob is familiar with password weaknesses and key loggers.Which of the following options best represents the means that Bob can adopt to retrieve passwords from his clients hosts and servers. A. Hardware, Software, and Sniffing. B. Hardware and Software Keyloggers. C. Passwords are always best obtained using Hardware key loggers. D. Software only, they are the most effective.

Answer : A Explanation: Different types of keylogger planted into the environment would retrieve the passwords for Bob..

If you perform a port scan with a TCP ACK packet, what should an OPEN port return? A. RST B. No Reply C. SYN/ACK D. FIN

Answer : A Explanation: Open ports return RST to an ACK scan.

You are doing IP spoofing while you scan your target. You find that the target has port 23 open.Anyway you are unable to connect. Why? A. A firewall is blocking port 23 B. You cannot spoof + TCP C. You need an automated telnet tool D. The OS does not reply to telnet even if port 23 is open

Answer : A Explanation: Explanation: The question is not telling you what state the port is being reported by the scanning utility, if the program used to conduct this is nmap, nmap will show you one of three states open, closed, or filtered a port can be in an open state yet filtered, usually by a stateful packet inspection filter (ie. Netfilter for linux, ipfilter for bsd). C and D to make any sense for this question, their bogus, and B, You cannot spoof +TCP, well you can spoof + TCP, so we strike that out.

Joe Hacker is going wardriving. He is going to use PrismStumbler and wants it to go to a GPS mapping software application. What is the recommended and well-knownGPS mapping package that would interface with PrismStumbler?Select the best answer. A. GPSDrive B. GPSMap C. WinPcap D. Microsoft Mappoint

Answer : A Explanation: Explanations:GPSDrive is a Linux GPS mapping package. It recommended to be used to sendPrismStumbler data to so that it can be mapped. GPSMap is a generic term and not a real software package. WinPcap is a packet capture library for Windows. It is used to capture packets and deliver them to other programs for analysis. As it is for Windows, it isn't going to do what Joe Hacker is wanting to do. Microsoft Mappoint is a Windows application.PrismStumbler is a Linux application. Thus, these two are not going to work well together.

Paula works as the primary help desk contact for her company. Paula has just received a call from a user reporting that his computer just displayed a Blue Screen of Death screen and he ca no longer work. Paula walks over to the users computer and sees the Blue Screen of Death screen. The users computer is running WindowsXP, but the Blue screen looks like a familiar one that Paula had seen a Windows 2000Computers periodically.The user said he stepped away from his computer for only 15 minutes and when he got back, the Blue Screen was there. Paula also noticed that the hard drive activity light was flashing meaning that the computer was processing some thing. Paula knew this should not be the case since the computer should be completely frozen during a Blue screen. She checks the network IDS live log entries and notices numerous nmap scan alerts.What is Paula seeing happen on this computer? A. Paula's Network was scanned using FloppyScan B. Paula's Netwrok was scanned using Dumpsec C. There was IRQ conflict in Paula's PC D. Tool like Nessus will cause BSOD

Answer : A Explanation: Floppyscan is a dangerous hacking tool which can be used to portscan a system using a floppy disk Bootsup mini Linux Displays Blue screen of death screen Port scans the network using NMAP Send the results by e-mail to a remote server.

What is Form Scalpel used for? A. Dissecting HTML Forms B. Dissecting SQL Forms C. Analysis of Access Database Forms D. Troubleshooting Netscape Navigator E. Quatro Pro Analysis Tool

Answer : A Explanation: Form Scalpel automatically extracts forms from a given web page and splits up all fields for editing and manipulation.

You are writing an antivirus bypassing Trojan using C++ code wrapped into chess.c to create an executable file chess.exe. This Trojan when executed on the victim machine, scans the entire system (c:\) for data with the following text Credit Card and password. It then zips all the scanned files and sends an email to a predefined hotmail address.You want to make this Trojan persistent so that it survives computer reboots. Which registry entry will you add a key to make it persistent? A.HKEY_LOCAL_MACHINE\SOFTWARE\MICROOSFT\Windows\CurrentVersion\RunServices B.HKEY_LOCAL_USER\SOFTWARE\MICROOSFT\Windows\CurrentVersion\RunServices C.HKEY_LOCAL_SYSTEM\SOFTWARE\MICROOSFT\Windows\CurrentVersion\RunServices D.HKEY_CURRENT_USER\SOFTWARE\MICROOSFT\Windows\CurrentVersion\RunServices

Answer : A Explanation: HKEY_LOCAL_MACHINE would be the natural place for a registry entry that starts services when the MACHINE is rebooted.

Bill is attempting a series of SQL queries in order to map out the tables within the database that he is trying to exploit.Choose the attack type from the choices given below. A. Database Fingerprinting B. Database Enumeration C. SQL Fingerprinting D. SQL Enumeration

Answer : A Explanation: He is trying to create a view of the characteristics of the target database, he is taking its fingerprints.

Smurf is a simple attack based on IP spoofing and broadcasts. A single packet (such as an ICMP Echo Request) is sent as a directed broadcast to a subnet on theInternet. All the machines on that subnet respond to this broadcast. By spoofing the source IP Address of the packet, all the responses will get sent to the spoofed IPAddress. Thus, a hacker can often flood a victim with hundreds of responses for every request the hacker sends out.Who are the primary victims of these attacks on the Internet today? A. IRC servers are the primary victim to smurf attacks B. IDS devices are the primary victim to smurf attacks C. Mail Servers are the primary victim to smurf attacks D. SPAM filters are the primary victim to surf attacks

Answer : A Explanation: IRC servers are the primary victim to smurf attacks. Script-kiddies run programs that scan the Internet looking for "amplifiers" (i.e. subnets that will respond). They compile lists of these amplifiers and exchange them with their friends. Thus, when a victim is flooded with responses, they will appear to come from all over the Internet. On IRCs, hackers will use bots (automated programs) that connect to IRC servers and collect IP addresses. The bots then send the forged packets to the amplifiers to inundate the victim.

The GET method should never be used when sensitive data such as credit is being sent to a CGI program. This is because any GET command will appear in the URL and will be logged by any servers. For example, lets say that youve entered your credit card information into a form that uses the GET method. The URL may appear like this: https://www.xsecurity-bank.com/creditcard.asp?cardnumber=454543433532234The GET method appends the credit card number to the URL. This means that anyone with access to a server log will be able to obtain this information.How would you protect from this type of attack? A. Replace the GET with POST method when sending data B. Never include sensitive information in a script C. Use HTTOS SSLV3 to send the data instead of plain HTTPS D. Encrypt the data before you send using GET method

Answer : A Explanation: If the method is "get", the user agent takes the value of action, appends a ? to it, then appends the form data set, encoded using the application/x-www-form- urlencoded content type. The user agent then traverses the link to this URI. If the method is"post" --, the user agent conducts an HTTP post transaction using the value of the action attribute and a message created according to the content type specified by the enctype attribute.

Snort is an open source Intrusion Detection system. However, it can also be used for a few other purposes as well.Which of the choices below indicate the other features offered by Snort? A. IDS, Packet Logger, Sniffer B. IDS, Firewall, Sniffer C. IDS, Sniffer, Proxy D. IDS, Sniffer, content inspector

Answer : A Explanation: Snort is a free software network intrusion detection and prevention system capable of performing packet logging & real-time traffic analysis, on IP networks. Snort was written by Martin Roesch but is now owned and developed by Sourcefire

You are the IT Manager of a large legal firm in California. Your firm represents many important clients whose names always must remain anonymous to the public. Your boss, Mr. Smith is always concerned about client information being leaked or revealed to the pres or public. You have just finished a complete security overhaul of your information system including an updated IPS, new firewall, email encryption and employee security awareness training. Unfortunately, many of your firms clients do not trust technology to completely secure their information, so couriers routinely have to travel back and forth to and from the office with sensitive information.Your boss has charged you with figuring out how to secure the information the couriers must transport. You propose that the data be transferred using burned CDs or USB flash drives. You initially think of encrypting the files, but decide against that method for fear the encryption keys could eventually be broken.What software application could you use to hide the data on the CDs and USB flash drives? A. Snow B. File Snuff C. File Sneaker D. EFS

Answer : A Explanation: The Snow software developed by Matthew Kwan will insert extra spaces at the end of each line. Three bits are encoded in each line by adding between 0 and 7 spaces that are ignored by most display programs including web browsers.

When writing shellcodes, you must avoid _________________ because these will end the string. A. Null Bytes B. Root Bytes C. Char Bytes D. Unicode Bytes

Answer : A Explanation: The null character (also null terminator) is a character with the value zero, present in the ASCII and Unicode character sets, and available in nearly all mainstream programming languages. The original meaning of this character was like NOP when sent to a printer or a terminal, it does nothing (some terminals, however, incorrectly display

Which of the following steganography utilities exploits the nature of white space and allows the user to conceal information in these white spaces? A. Snow B. Gif-It-Up C. NiceText D. Image Hide

Answer : A Explanation: The program snow is used to conceal messages in ASCII text by appending whitespace to the end of lines. Because spaces and tabs are generally not visible in text viewers, the message is effectively hidden from casual observers. And if the built-in encryption is used, the message cannot be read even if it is detected.

Which of the following Nmap commands would be used to perform a stack fingerprinting? A. Nmap -O -p80 <host(s.> B. Nmap -hU -Q<host(s.> C. Nmap -sT -p <host(s.> D. Nmap -u -o -w2 <host> E. Nmap -sS -0p target

Answer : A Explanation: This option activates remote host identification via TCP/IP fingerprinting. In other words, it uses a bunch of techniques to detect subtlety in the underlying operating system network stack of the computers you are scanning. It uses this information to create a "fingerprint" which it compares with its database of known OS fingerprints (the nmap-os- fingerprints file. to decide what type of system you are scanning.

Under what conditions does a secondary name server request a zone transfer from a primary name server? A. When a primary SOA is higher that a secondary SOA B. When a secondary SOA is higher that a primary SOA C. When a primary name server has had its service restarted D. When a secondary name server has had its service restarted E. When the TTL falls to zero

Answer : A Explanation: Understanding DNS is critical to meeting the requirements of the CEH.When the serial number that is within the SOA record of the primary server is higher than the Serial number within the SOA record of the secondary DNS server, a zone transfer will take place.

Usernames, passwords, e-mail addresses, and the location of CGI scripts may be obtained from which of the following information sources? A. Company web site B. Search engines C. EDGAR Database query D. Whois query

Answer : A Explanation: Whois query would not enable us to find the CGI scripts whereas in the actual website, some of them will have scripts written to make the website more user friendly. The EDGAR database would in fact give us a lot of the information requested but not the location of CGI scripts, as would a simple search engine on the Internet if you have the time needed.

Reflective DDoS attacks do not send traffic directly at the targeted host. Instead, they usually spoof the originating IP addresses and send the requests at the reflectors. These reflectors (usually routers or high-powered servers with a large amount of network resources at their disposal) then reply to the spoofed targeted traffic by sending loads and loads of data to the final target.How would you detect these reflectors on your network? A. Run floodnet tool to detect these reflectors B. Look for the banner text by running Zobbie Zappers tools C. Run Vulnerability scanner on your network to detect these reflectors D. Scan the network using Nmap for the services used by these reflectors

Answer : A Explanation: http://www.exterminate-it.com/malpedia/remove-floodnet

E-mail scams and mail fraud are regulated by which of the following? A. 18 U.S.C. par. 1030 Fraud and Related activity in connection with Computers B. 18 U.S.C. par. 1029 Fraud and Related activity in connection with Access Devices C. 18 U.S.C. par. 1362 Communication Lines, Stations, or Systems D. 18 U.S.C. par. 2510 Wire and Electronic Communications Interception and Interception of Oral Communication

Answer : A Explanation: http://www.law.cornell.edu/uscode/html/uscode18/usc_sec_18_00001030----000-.htmlTopic 6, Trojans and Backdoors -

Ethernet switches can be adversely affected by rapidly bombarding them with spoofed ARP responses. He port to MAC Address table (CAM Table) overflows on the switch and rather than failing completely, moves into broadcast mode, then the hacker can sniff all of the packets on the network.Which of the following tool achieves this? A. ./macof B. ./sniffof C. ./dnsiff D. ./switchsnarf

Answer : A Explanation: macof floods the local network with random MAC addresses (causing some switches to fail open in repeating mode, facilitating sniffing).

You want to hide a secret.txt document inside c:\windows\system32\tcpip.dll kernel library using ADS streams. How will you accomplish this? A. copy secret.txt c:\windows\system32\tcpip.dll kernel>secret.txt B. copy secret.txt c:\windows\system32\tcpip.dll:secret.txt C. copy secret.txt c:\windows\system32\tcpip.dll |secret.txt D. copy secret.txt >< c:\windows\system32\tcpip.dll kernel secret.txt

Answer : B

More sophisticated IDSs look for common shellcode signatures. But even these systems can be bypassed, by using polymorphic shellcode. This is a technique common among virus writers - it basically hides the true nature of the shellcode in different disguises.How does a polymorphic shellcode work? A. They convert the shellcode into Unicode, using loader to convert back to machine code then executing them B. They compress shellcode into normal instructions, uncompress the shellcode using loader code and then executing the shellcode C. They reverse the working instructions into opposite order by masking the IDS signatures D. They encrypt the shellcode by XORing values over the shellcode, using loader code to decrypt the shellcode, and then executing the decrypted shellcode

Answer : A Explanation:In computer security, a shellcode is a small piece of code used as the payload in the exploitation of a software vulnerability.It is called "shellcode" because it typically starts a command shell from which the attacker can control the compromised machine.Shellcode is commonly written in machine code, but any piece of code that performs a similar task can be called shellcode

Daryl is a network administrator working for Dayton Technologies. Since Daryls background is in web application development, many of the programs and applications his company uses are web-based. Daryl sets up a simple forms-based logon screen for all the applications he creates so they are secure.The problem Daryl is having is that his users are forgetting their passwords quite often and sometimes he does not have the time to get into his applications and change the passwords for them. Daryl wants a tool or program that can monitor web-based passwords and notify him when a password has been changed so he can use that tool whenever a user calls him and he can give them their password right then.What tool would work best for Daryls needs? A. Password sniffer B. L0phtcrack C. John the Ripper D. WinHttrack

Answer : A Explanation:L0phtCrack is a password auditing and recovery application (now called LC5), originally produced by Mudge from L0pht Heavy Industries. It is used to test password strength and sometimes to recover lost Microsoft Windows passwords.John the Ripper is one of the most popular password testing/breaking programs as it combines a number of password crackers into one package, autodetects password hash types, and includes a customisable cracker. It can be run against various encrypted password formats including several crypt password hash typesWinHttrack is a offline browser.A password sniffer would give Daryl the passwords when they are changed as it is a web based authentication over a simple form but still it would be more correct to give the users new passwords instead of keeping a copy of the passwords in clear text.

You want to use netcat to generate huge amount of useless network data continuously for various performance testing between 2 hosts.Which of the following commands accomplish this? A. Machine A #yes AAAAAAAAAAAAAAAAAAAAAA | nc v v l p 2222 > /dev/null Machine B #yes BBBBBBBBBBBBBBBBBBBBBB | nc machinea 2222 > /dev/null B. Machine A cat somefile | nc v v l p 2222 Machine B cat somefile | nc othermachine 2222 C. Machine A nc l p 1234 | uncompress c | tar xvfp Machine B tar cfp - /some/dir | compress c | nc w 3 machinea 1234 D. Machine A while true : do nc v l s p 6000 machineb 2 Machine B while true ; do nc v l s p 6000 machinea 2 done

Answer : A Explanation:Machine A is setting up a listener on port 2222 using the nc command and then having the letter A sent an infinite amount of times, when yes is used to send data yes NEVER stops until it recieves a break signal from the terminal (Control+C), on the client end (machine B), nc is being used as a client to connect to machine A, sending the letter B and infinite amount of times, while both clients have established a TCP connection each client is infinitely sending data to each other, this process will run FOREVER until it has been stopped by an administrator or the attacker.

Which one of the following network attacks takes advantages of weaknesses in the fragment reassembly functionality of the TCP/IP protocol stack? A. Teardrop B. Smurf C. Ping of Death D. SYN flood E. SNMP Attack

Answer : A Explanation:The teardrop attack uses overlapping packet fragments to confuse a target system and cause the system to reboot or crash.

Which of the following is true of the wireless Service Set ID (SSID)? (Select all that apply.) A. Identifies the wireless network B. Acts as a password for network access C. Should be left at the factory default setting D. Not broadcasting the SSID defeats NetStumbler and other wireless discovery tools

Answer : A,B ???????????????????????????????//

The SYN Flood attack sends TCP connections requests faster than a machine can process them.Attacker creates a random source address for each packet. SYN flag set in each packet is a request to open a new connection to the server from the spoofed IPAddress Victim responds to spoofed IP Address then waits for confirmation that never arrives (timeout wait is about 3 minutes) Victims connection table fills up waiting for replies and ignores new connection legitimate users are ignored and will not be able to access the serverHow do you protect your network against SYN Flood attacks? A. SYN cookies. Instead of allocating a record, send a SYN-ACK with a carefully constructed sequence number generated as a hash of the clients IP Address port number and other information. When the client responds with a normal ACK, that special sequence number will be included, which the server then verifies. Thus the server first allocates memory on the third packet of the handshake, not the first. B. RST cookies The server sends a wrong SYN|ACK back to the client. The client should then generate a RST packet telling the server that something is wrong. At this point, the server knows the client is valid and will now accept incoming connections from that client normally. C. Micro Blocks. Instead of allocating a complete connection, simply allocate a micro- record of 16-bytes for the incoming SYN object. D. Stack Tweaking. TCP can be tweaked in order to reduce the effect of SYN floods. Reduce the timeout before a stack frees up the memory allocated for a connection.

Answer : A,B,C,D Explanation: All above helps protecting against SYN flood attacks. Most TCP/IP stacks today are already tweaked to make it harder to perform a SYN flood DOS attack against a target.

What file system vulnerability does the following command take advantage of? type c:\anyfile.exe > c:\winnt\system32\calc.exe:anyfile.exe A. HFS B. ADS C. NTFS D. Backdoor access

Answer : B Explanation: ADS (or Alternate Data Streams) is a feature in the NTFS file system that makes it possible to hide information in alternate data streams in existing files. The file can have multiple data streams and the data streams are accessed by filename:stream.

A team of develoeprs is creating mobile apps that target Apple iOS devices. Which of the following vulnerabilities should they address when using Objective-C? *Choose ALL that apply* A. Thread racing B. Code injection C. Buffer overflow D. Log injection E. Memory corruption F. String formatting G. Access control H. Type confusion

Answer: A, B, C, F

Doug is conducting a port scan of a target network. He knows that his client target network has a web server and that there is a mail server also which is up and running. Doug has been sweeping the network but has not been able to elicit any response from the remote target. Which of the following could be the most likely cause behind this lack of response? Select 4. A. UDP is filtered by a gateway B. The packet TTL value is too low and cannot reach the target C. The host might be down D. The destination network might be down E. The TCP windows size does not match F. ICMP is filtered by a gateway

Answer : A,B,C,F Explanation: If the destination host or the destination network is down there is no way to get an answer and if TTL (Time To Live) is set too low the UDP packets will die before reaching the host because of too many hops between the scanning computer and the target. The TCP receive window size is the amount of received data (in bytes) that can be buffered during a connection. The sending host can send only that amount of data before it must wait for an acknowledgment and window update from the receiving host and ICMP is mainly used for echo requests and not in port scans.

Which of these are phases of a reverse social engineering attack?Select the best answers. A. Sabotage B. Assisting C. Deceiving D. Advertising E. Manipulating

Answer : A,B,D Explanation: Explanations:According to "Methods of Hacking: SocialEngineering", by Rick N

Peter, a Network Administrator, has come to you looking for advice on a tool that would help him perform SNMP enquires over the network. Which of these tools would do the SNMP enumeration he is looking for?Select the best answers. A. SNMPUtil B. SNScan C. SNMPScan D. Solarwinds IP Network Browser E. NMap

Answer : A,B,D Explanation: Explanations:SNMPUtil is a SNMP enumeration utility that is a part of the Windows 2000 resource kit.With SNMPUtil, you can retrieve all sort of valuable information through SNMP. SNScan is a SNMP network scanner by Foundstone. It does SNMP scanning to find open SNMP ports. Solarwinds IP Network Browser is a SNMP enumeration tool with a graphical tree-view of the remote machine's SNMP data.

What techniques would you use to evade IDS during a Port Scan? (Select 4 answers) A. Use fragmented IP packets B. Spoof your IP address when launching attacks and sniff responses from the server C. Overload the IDS with Junk traffic to mask your scan D. Use source routing (if possible) E. Connect to proxy servers or compromised Trojaned machines to launch attacks

Answer : A,B,D,E

Which are true statements concerning the BugBear and Pretty Park worms?Select the best answers. A. Both programs use email to do their work. B. Pretty Park propagates via network shares and email C. BugBear propagates via network shares and email D. Pretty Park tries to connect to an IRC server to send your personal passwords. E. Pretty Park can terminate anti-virus applications that might be running to bypass them.

Answer : A,C,D Explanation: Explanations: Both Pretty Park and BugBear use email to spread. PrettyPark cannot propagate via network shares, only email. BugBear propagates via network shares and email. It also terminates anti-virus applications and acts as a backdoor server for someone to get into the infected machine. Pretty Park tries to connect to an IRC server to send your personal passwords and all sorts of other information it retrieves from yourPC.Pretty Park cannot terminate anti-virus applications. However, BugBear can terminate AV software so that it can bypass them.

Several of your co-workers are having a discussion over the etc/passwd file. They are at odds over what types of encryption are used to secure Linux passwords.(Choose all that apply. A. Linux passwords can be encrypted with MD5 B. Linux passwords can be encrypted with SHA C. Linux passwords can be encrypted with DES D. Linux passwords can be encrypted with Blowfish E. Linux passwords are encrypted with asymmetric algrothims

Answer : A,C,D Explanation: Linux passwords are enrcypted using MD5, DES, and the NEW additionBlowfish. The default on most linux systems is dependant on the distribution, RedHat usesMD5, while slackware uses DES. The blowfish option is there for those who wish to use it.The encryption algorithm in use can be determined by authconfig on RedHat-based systems, or by reviewing one of two locations, on PAM-based systems (PluggableAuthentication Module) it can be found in /etc/pam.d/, the system-auth file or authconfig files. In other systems it can be found in /etc/security/ director

There are two types of honeypots- high and low interaction. Which of these describes a low interaction honeypot?Select the best answers. A. Emulators of vulnerable programs B. More likely to be penetrated C. Easier to deploy and maintain D. Tend to be used for production E. More detectable F. Tend to be used for research

Answer : A,C,D,E Explanation: Explanations:A low interaction honeypot would have emulators of vulnerable programs, not the real programs.A high interaction honeypot is more likely to be penetrated as it is running the real program and is more vulnerable than an emulator.Low interaction honeypots are easier to deploy and maintain. Usually you would just use a program that is already available for download and install it. Hackers don't usually crash or destroy these types of programs and it would require little maintenance.A low interaction honeypot tends to be used for production.Low interaction honeypots are more detectable because you are using emulators of the real programs. Many hackers will see this and realize that they are in a honeypot.A low interaction honeypot tends to be used for production. A high interaction honeypot tends to be used for research.

What are the four steps is used by nmap scanning? A. DNS Lookup B. ICMP Message C. Ping D. Reverse DNS lookup E. TCP three way handshake F. The Actual nmap scan

Answer : A,C,D,F Explanation: Nmap performs four steps during a normal device scan. Some of these steps can be modified or disabled using options on the nmap command line.-> If a hostname is used as a remote device specification, nmap will perform a DNS lookup prior to the scan.-> Nmap pings the remote device. This refers to the nmap "ping" process, not(necessarily) a traditional ICMP echo request.-> If an IP address is specified as the remote device, nmap will perform a reverseDNS lookup in an effort to identify a name that might be associated with the IP address. This is the opposite process of what happens in step 1, where an IP address is found from a hostname specification.-> Nmap executes the scan. Once the scan is over, this four-step process is completed. Except for the actual scan process in step four, each of these steps can be disabled or prevented using different IP addressing or nmap options. The nmap process can be as "quiet" or as "loud" as necessary!

You are describing to a team member how multiprotocl label switching (MPLS) is implemented to handle VPN traffic accross the internet. MPLS prefixes lable stack entries to each network packet. Which fields comprise a label stack entry? Choose *ALL* that apply. A. Label B. Traffic Class C. Offset D. Checksum E. Time to live F. Destination Port G. Source Port H. Bottom of Stack

Answer: A, B, E, H

One of your junior administrator is concerned with Windows LM hashes and password cracking. In your discussion with them, which of the following are true statements that you would point out?Select the best answers. A. John the Ripper can be used to crack a variety of passwords, but one limitation is that the output doesn't show if the password is upper or lower case. B. BY using NTLMV1, you have implemented an effective countermeasure to password cracking. C. SYSKEY is an effective countermeasure. D. If a Windows LM password is 7 characters or less, the hash will be passed with the following characters, in HEX- 00112233445566778899. E. Enforcing Windows complex passwords is an effective countermeasure.

Answer : A,C,E Explanation: Explanations:John the Ripper can be used to crack a variety of passwords, but one limitation is that the output doesn't show if the password is upper or lower case. John the Ripper is a very effective password cracker. It can crack passwords for many different types of operating systems. However, one limitation is that the output doesn't show if the password is upper or lower case. BY using NTLMV1, you have implemented an effective countermeasure to password cracking. NTLM Version 2 (NTLMV2) is a good countermeasure to LM password cracking (and therefore a correct answer). To do this, set Windows 9x and NT systems to"send NTLMv2 responses only". SYSKEY is an effective countermeasure. It uses 128 bit encryption on the local copy of the Windows SAM. If a Windows LM password is 7 characters or less, the has will be passed with the following characters:0xAAD3B435B51404EEEnforcing Windows complex passwords is an effective countermeasure to password cracking. Complex passwords are- greater than 6 characters and have any 3 of the following 4 items: upper case, lower case, special characters, and numbers.

Jack is conducting a port scan of a target network. He knows that his target network has a web server and that a mail server is up and running. Jack has been sweeping the network but has not been able to get any responses from the remote target.Check all of the following that could be a likely cause of the lack of response? A. The host might be down B. UDP is filtered by a gateway C. ICMP is filtered by a gateway D. The TCP window Size does not match E. The destination network might be down F. The packet TTL value is too low and can't reach the targe

Answer : A,C,E,F Explanation: Wrong answers is B and D as sweeping a network uses ICMP

Bob reads an article about how insecure wireless networks can be. He gets approval from his management to implement a policy of not allowing any wireless devices on the network. What other steps does Bob have to take in order to successfully implement this? (Select 2 answer.) A. Train users in the new policy. B. Disable all wireless protocols at the firewall. C. Disable SNMP on the network so that wireless devices cannot be configured. D. Continuously survey the area for wireless devices.

Answer : A,D Explanation: If someone installs a access point and connect it to the network there is no way to find it unless you are constantly surveying the area for wireless devices. SNMP and firewalls can not prevent the installation of wireless devices on the corporate network.

Hampton is the senior security analyst for the city of Columbus in Ohio. His primary responsibility is to ensure that all physical and logical aspects of the city's computer network are secure from all angles. Bill is an IT technician that works with Hampton in the same IT department. Bill's primary responsibility is to keep PC's and servers up to date and to keep track of all the agency laptops that the company owns and lends out to its employees. After Bill setup a wireless network for the agency, Hampton made sure that everything was secure. He instituted encryption, rotating keys, turned off SSID broadcasting, and enabled MAC filtering. According to agency policy, only company laptops are allowed to use the wireless network, so Hampton entered all the MAC addresses for those laptops into the wireless security utility so that only those laptops should be able to access the wireless network.Hampton does not keep track of all the laptops, but he is pretty certain that the agency only purchases Dell laptops. Hampton is curious about this because he notices Bill working on aToshiba laptop one day and saw that he was on the Internet. Instead of jumping to conclusions, Hampton decides to talk to Bill's boss and see if they had purchased aToshiba laptop instead of the usual Dell. Bill's boss said no, so now Hampton is very curious to see how Bill is accessing the Internet. Hampton does site surveys every couple of days, and has yet to see any outside wireless network signals inside the company's building.How was Bill able to get Internet access without using an agency laptop? A. Bill spoofed the MAC address of Dell laptop B. Bill connected to a Rogue access point C. Toshiba and Dell laptops share the same hardware address D. Bill brute forced the Mac address ACLs

Answer : B

Rebecca is a security analyst and knows of a local root exploit that has the ability to enable local users to use available exploits to gain root privileges. This vulnerability exploits a condition in the Linux kernel within the execve() system call. There is no known workaround that exists for this vulnerability. What is the correct action to be taken by Rebecca in this situation as a recommendation to management? A. Rebecca should make a recommendation to disable the () system call B. Rebecca should make a recommendation to upgrade the Linux kernel promptly C. Rebecca should make a recommendation to set all child-process to sleep within the execve() D. Rebecca should make a recommendation to hire more system administrators to monitor all child processes to ensure that each child process can't elevate privilege

Answer : B

Simon is security analyst writing signatures for a Snort node he placed internally that captures all mirrored traffic from his border firewall. From the following signature, what willSnort look for in the payload of the suspected packets?alert tcp $EXTERNAL_NET any -> $HOME_NET 27374 (msg: "BACKDOOR SIG -SubSseven 22";flags: A+; content: "|0d0a5b52504c5d3030320d0a|"; reference:arachnids,485;) alert A. The payload of 485 is what this Snort signature will look for. B. Snort will look for 0d0a5b52504c5d3030320d0a in the payload. C. Packets that contain the payload of BACKDOOR SIG - SubSseven 22 will be flagged. D. From this snort signature, packets with HOME_NET 27374 in the payload will be flagged.

Answer : B

Ursula is a college student at a University in Amsterdam. Ursula originally went to college to study engineering but later changed to marine biology after spending a month at sea with her friends. These friends frequently go out to sea to follow and harass fishing fleets that illegally fish in foreign waters. Ursula eventually wants to put companies practicing illegal fishing out of business. Ursula decides to hack into the parent company's computers and destroy critical data knowing fully well that, if caught, she probably would be sent to jail for a very long time. What would Ursula be considered? A. Ursula would be considered a gray hat since she is performing an act against illegal activities. B. She would be considered a suicide hacker. C. She would be called a cracker. D. Ursula would be considered a black hat.

Answer : B

In an attempt to secure his wireless network, Bob turns off broadcasting of the SSID.He concludes that since his access points require the client computer to have the proper SSID, it would prevent others from connecting to the wireless network.Unfortunately unauthorized users are still able to connect to the wireless network.Why do you think this is possible? A. Bob forgot to turn off DHCP. B. All access points are shipped with a default SSID. C. The SSID is still sent inside both client and AP packets. D. Bob's solution only works in ad-hoc mode.

Answer : B Explanation: All access points are shipped with a default SSID unique to that manufacturer, for example 3com uses the default ssid comcomcom.

Liza has forgotten her password to an online bookstore. The web application asks her to key in her email so that they can send her the password. Liza enters her email [email protected]'. The application displays server error. What is wrong with the web application? A. The email is not valid B. User input is not sanitized C. The web server may be down D. The ISP connection is not reliable

Answer : B Explanation: All input from web browsers, such as user data from HTML forms and cookies, must be stripped of special characters and HTML tags as described in the following CERT advisories: http://www.cert.org/advisories/CA-1997-25.html http://www.cert.org/advisories/CA-2000-02.html

In an attempt to secure his wireless network, Bob implements a VPN to cover the wireless communications. Immediately after the implementation, users begin complaining about how slow the wireless network is. After benchmarking the networks speed. Bob discovers that throughput has dropped by almost half even though the number of users has remained the same.Why does this happen in the VPN over wireless implementation? A. The stronger encryption used by the VPN slows down the network. B. Using a VPN with wireless doubles the overhead on an access point for all direct client to access point communications. C. VPNs use larger packets then wireless networks normally do. D. Using a VPN on wireless automatically enables WEP, which causes additional overhead.

Answer : B Explanation: By applying VPN the access point will have to recalculate all headers destined for client and from clients twice.

This kind of attack will let you assume a users identity at a dynamically generated web page or site: A. SQL Injection B. Cross Site Scripting C. Session Hijacking D. Zone Transfer

Answer : B Explanation: Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy.

Which FTP transfer mode is required for FTP bounce attack? A. Active Mode B. Passive Mode C. User Mode D. Anonymous Mode

Answer : B Explanation: FTP bounce attack needs the server the support passive connections and the client program needs to use PORT command instead of the PASV command.

What is the name of the software tool used to crack a single account on NetwareServers using a dictionary attack? A. NPWCrack B. NWPCrack C. NovCrack D. CrackNov E. GetCrack

Answer : B Explanation: NWPCrack is the software tool used to crack single accounts on Netware servers.

While doing fast scan using F option, which file is used to list the range of ports to scan by nmap? A. services B. nmap-services C. protocols D. ports

Answer : B Explanation: Nmap uses the nmap-services file to provide additional port detail for almost every scanning method. Every time a port is referenced, it's compared to an available description in this support file. If the nmap-services file isn't available, nmap reverts to the/etc/services file applicable for the current operating system.

Which of the following commands runs snort in packet logger mode? A. ./snort -dev -h ./log B. ./snort -dev -l ./log C. ./snort -dev -o ./log D. ./snort -dev -p ./log

Answer : B Explanation: Note: If you want to store the packages in binary mode for later analysis use./snort -l ./log -b

A POP3 client contacts the POP3 server: A. To send mail B. To receive mail C. to send and receive mail D. to get the address to send mail to E. initiate a UDP SMTP connection to read mail

Answer : B Explanation: POP is used to receive e-mail.SMTP is used to send e-mail.

on a remote server. The server and the clientare communicating via TCP after a successful TCP three way handshake. The server has just received packet #120 from the client. The client has a receive window of 200 and the server has a receive window of 250.Within what range of sequence numbers should a packet, sent by the client fall in order to be accepted by the server? A. 200-250 B. 121-371 C. 120-321 D. 121-231 E. 120-370

Answer : B Explanation: Package number 120 have already been received by the server and the window is 250 packets, so any package number from 121 (next in sequence) to 371(121+250).

Jane wishes to forward X-Windows traffic to a remote host as well as POP3 traffic.She is worried that adversaries might be monitoring the communication link and could inspect captured traffic. She would line to tunnel the information to the remote end but does not have VPN capabilities to do so.Which of the following tools can she use to protect the link? A. MD5 B. SSH C. RSA D. PGP

Answer : B Explanation: Port forwarding, or tunneling, is a way to forward otherwise insecure TCP traffic through SSH Secure Shell. You can secure for example POP3, SMTP and HTTP connections that would otherwise be insecure.

While performing ping scans into a target network you get a frantic call from the organizations security team. They report that they are under a denial of service attack. When you stop your scan, the smurf attack event stops showing up on the organizations IDS monitor. How can you modify your scan to prevent triggering this event in the IDS? A. Scan more slowly. B. Do not scan the broadcast IP. C. Spoof the source IP address. D. Only scan the Windows systems.

Answer : B Explanation: Scanning the broadcast address makes the scan target all IP addresses on that subnet at the same time.Topic 4, Enumeration -

What does the following command in "Ettercap" do?ettercap NCLzs quiet A. This command will provide you the entire list of hosts in the LAN B. This command will check if someone is poisoning you and will report its IP C. This command will detach ettercap from console and log all the sniffed passwords to a file D. This command broadcasts ping to scan the LAN instead of ARP request all the subset IPs

Answer : C Explanation: -L specifies that logging will be done to a binary file and s tells us it is running in script mode.

A simple compiler technique used by programmers is to add a terminator 'canary word' containing four letters NULL (0x00), CR (0x0d), LF (0x0a) and EOF (0xff) so that most string operations are terminated. If the canary word has been altered when the function returns, and the program responds by emitting an intruder alert into syslog, and then halts what does it indicate? A. The system has crashed B. A buffer overflow attack has been attempted C. A buffer overflow attack has already occurred D. A firewall has been breached and this is logged E. An intrusion detection system has been triggered

Answer : B Explanation: Terminator Canaries are based on the observation that most buffer overflows and stack smash attacks are based on certain string operations which end at terminators.The reaction to this observation is that the canaries are built of NULL terminators, CR, LF, and -1. The undesirable result is that the canary is known.

When Nmap performs a ping sweep, which of the following sets of requests does it send to the target device? A. ICMP ECHO_REQUEST & TCP SYN B. ICMP ECHO_REQUEST & TCP ACK C. ICMP ECHO_REPLY & TFP RST D. ICMP ECHO_REPLY & TCP FIN

Answer : B Explanation: The default behavior of NMAP is to do both an ICMP ping sweep (the usual kind of ping) and a TCP port 80 ACK ping sweep. If an admin is logging these this will be fairly characteristic of NMAP.

Sara is using the nslookup command to craft queries to list all DNS information(such as Name Servers, host names, MX records, CNAME records, glue records(delegation for child Domains), zone serial number, TimeToLive (TTL) records, etc) for a Domain. What do you think Sara is trying to accomplish? Select the best answer. A. A zone harvesting B. A zone transfer C. A zone update D. A zone estimate

Answer : B Explanation: The zone transfer is the method a secondary DNS server uses to update its information from the primary DNS server. DNS servers within a domain are organized using a master-slave method where the slaves get updated DNS information from the from secondary (slave) DNS servers but this is often not implemented. By connecting to a specific DNS server and successfully issuing the ls d domain-name > file-name you have initiated a zone transfer.

What type of cookies can be generated while visiting different web sites on theInternet? A. Permanent and long term cookies. B. Session and permanent cookies. C. Session and external cookies. D. Cookies are all the same, there is no such thing as different type of cookies.

Answer : B Explanation: There are two types of cookies: a permanent cookie that remains on a visitor's computer for a given time and a session cookie the is temporarily saved in the visitor's computer memory during the time that the visitor is using the Web site. Session cookies disappear when you close your Web browser.

Take a look at the following attack on a Web Server using obstructed URL: http://www.example.com/script.ext?template%2e%2e%2e%2e%2e%2f%2e%2f%65%74%63%2f%70%61%73%73%77%64The request is made up of:-> %2e%2e%2f%2e%2e%2f%2e%2f% = ../../../-> %65%74%63 = etc-> %2f = /-> %70%61%73%73%77%64 = passwdHow would you protect information systems from these attacks? A. Configure Web Server to deny requests involving Unicode characters. B. Create rules in IDS to alert on strange Unicode requests. C. Use SSL authentication on Web Servers. at the firewall and routers.

Answer : B Explanation: This is a typical Unicode attack. By configuring your IDS to trigger on strangeUnicode requests you can protect your web-server from this type of attacks.

Jack Hacker wants to break into Brown Co.'s computers and obtain their secret double fudge cookie recipe. Jack calls Jane, an accountant at Brown Co., pretending to be an administrator from Brown Co. Jack tells Jane that there has been a problem with some accounts and asks her to tell him her password 'just to double check our records'. Jane believes that Jack is really an administrator, and tells him her password. Jack now has a user name and password, and can access Brown Co.'s computers, to find the cookie recipe. This is an example of what kind of attack? A. Reverse Psychology B. Social Engineering C. Reverse Engineering D. Spoofing Identity E. Faking Identity

Answer : B Explanation: This is a typical case of pretexting. Pretexting is the act of creating and using an invented scenario (the pretext) to persuade a target to release information or perform an action and is usually done over the telephone.

Dave has been assigned to test the network security of Acme Corp. The test was announced to the employees. He created a webpage to discuss the progress of the tests with employees who were interested in following the test. Visitors were allowed to click on a sand clock to mark the progress of the test. Dave successfully embeds a keylogger. He also added some statistics on the webpage. The firewall protects the network well and allows strict Internet access. How was security compromised and how did the firewall respond? A. The attack did not fall through as the firewall blocked the traffic B. The attack was social engineering and the firewall did not detect it C. The attack was deception and security was not directly compromised D. Security was not compromised as the webpage was hosted internally

Answer : B Explanation: This was just another way to trick the information out of the users without the need to hack into any systems. All traffic is outgoing and initiated by the user so the firewall will not react

On a backdoored Linux box there is a possibility that legitimate programs are modified or trojaned. How is it possible to list processes and uids associated with them in a more reliable manner? A. Use "Is" B. Use "lsof" C. Use "echo" D. Use "netstat

Answer : B Explanation: lsof is a command used in many Unix-like systems that is used to report a list of all open files and the processes that opened them. It works in and supports severalUNIX flavors.

Which of the following are potential attacks on cryptography? (Select 3) A. One-Time-Pad Attack B. Chosen-Ciphertext Attack C. Man-in-the-Middle Attack D. Known-Ciphertext Attack E. Replay Attack

Answer : B,C,E Explanation: A chosen-ciphertext attack (CCA) is an attack model for cryptanalysis in which the cryptanalyst chooses a ciphertext and causes it to be decrypted with an unknown key. Specific forms of this attack are sometimes termed "lunchtime" or "midnight" attacks, referring to a scenario in which an attacker gains access to an unattended decryption machine. In cryptography, a man-in-the-middle attack (MITM) is an attack in which an attacker is able to read, insert and modify at will, messages between two parties without either party knowing that the link between them has been compromised. The attacker must be able to observe and intercept messages going between the two victims. A replay attack is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and retransmits it, possibly as part of a masquerade attack by IP packet substitution (such as stream cipher attack).

Giles is the network administrator for his company, a graphics design company based inDallas. Most of the network is comprised of Windows servers and workstations, except for some designers that prefer to use MACs. These MAC users are running on the MAC OS X operating system. These MAC users also utilize iChat to talk between each other. Tommy, one of these MAC users, calls Giles and says that his computer is running very slow. Giles then gets more calls from the other MAC users saying they are receiving instant messages from Tommy even when he says he is not on his computer. Giles immediately unplugsTommy's computer from the network to take a closer look. He opens iChat on Tommy's computer and it says that it sent a file called latestpics.tgz to all the other MAC users.Tommy says he never sent those files. Giles also sees that many of the computer's applications appear to be altered. The path where the files should be has an altered file and the original application is stored in the file's resource fork.What has Giles discovered on Tommy's computer? A. He has discovered OSX/Chat-burner virus on Tommy's computer B. Giles has found the OSX/Leap-A virus on Tommy's computer C. This behavior is indicative of the OSX/Inqtana.A virus D. On Tommy's computer, Giles has discovered an apparent infection of the OSX/Transmitter.B virus

Answer : B Explanation:OSX.Leap.A is a worm that targets installs of Macintosh OS X and spreads via iChatInstant Messenger program.http://www.symantec.com/security_response/writeup.jsp?docid=2006-021614-4006-99

Justine is the systems administrator for her company, an international shipping company with offices all over the world. Recent US regulations have forced the company to implement stronger and more secure means of communication. Justine and other administrators have been put in charge of securing the company's digital communication lines. After implementing email encryption, Justine now needs to implement robust digital signatures to ensure data authenticity and reliability. Justine has decided to implement digital signatures which are a variant of DSA and that operate on elliptical curve groups.These signatures are more efficient than DSA and are not vulnerable to a number field sieve attacks.What type of signature has Justine decided to implement? A. She has decided to implement ElGamal signatures since they offer more reliability than the typical DSA signatures B. Justine has decided to use ECDSA signatures since they are more efficient than DSA signatures C. Justine is now utilizing SHA-1 with RSA signatures to help ensure data reliability D. These types of signatures that Justine has decided to use are called RSA-PSS signatures

Answer : B Explanation:The Elliptic Curve Digital Signature Algorithm (ECDSA) is a variant of the Digital SignatureAlgorithm (DSA)which uses Elliptic curve cryptography. http://en.wikipedia.org/wiki/Elliptic_Curve_DSA

James is an IT security consultant as well as a certified ethical hacker. James has been asked to audit the network security of Yerta Manufacturing, a tool manufacturing company in Phoenix. James performs some initial external tests and then begins testing the security from inside the company's network.James finds some big problems right away; a number of users that are working onWindows XP computers have saved their usernames and passwords used to connect to servers on the network. This way, those users do not have to type in their credentials every time they want access to a server. James tells the IT manager of Yerta Manufacturing about this, and the manager does not believe this is possible on Windows XP. To prove his point, James has a user logon to a computer and then James types in a command that brings up a window that says "Stored User Names and Passwords".What command did James type in to get this window to come up? A. To bring up this stored user names and passwords window, James typed in "rundll32.exe storedpwd.dll, ShowWindow" B. James had to type in "rundll32.exe keymgr.dll, KRShowKeyMgr" to get the window to pop up C. James typed in the command "rundll32.exe storedpwd.dll" to get the Stored User Names and Passwords window to come up D. The command to bring up this window is "KRShowKeyMgr"

Answer : B Explanation:The Stored User Names and Passwords applet lets you assign user names and passwords to use when needing to authenticate yourself to services in domains other than the one you are currently logged into. The normal way of running this applet can be difficult to find quickly, so here is a way to launch it using a desktop shortcut using the rundll32.exe program:Click on START - RUN and type the following (follwed by ENTER): rundll32.exe keymgr.dll,KRShowKeyMgr http://www.tweakxp.com/article37352.aspx

Most cases of insider abuse can be traced to individuals who are introverted, incapable of dealing with stress or conflict, and frustrated with their job, office politics, and lack of respect or promotion. Disgruntled employees may pass company secrets and intellectual property to competitors for monitory benefits.Here are some of the symptoms of a disgruntled employee:a. Frequently leaves work early, arrive late or call in sickb. Spends time surfing the Internet or on the phonec. Responds in a confrontational, angry, or overly aggressive way to simple requests or comments d. Always negative; finds fault with everythingThese disgruntled employees are the biggest threat to enterprise security. How do you deal with these threats? (Select 2 answers) A. Limit access to the applications they can run on their desktop computers and enforce strict work hour rules B. By implementing Virtualization technology from the desktop to the data centre, organizations can isolate different environments with varying levels of access and security to various employees C. Organizations must ensure that their corporate data is centrally managed and delivered to users just and when needed D. Limit Internet access, e-mail communications, access to social networking sites and job hunting portals

Answer : B,C

As a securing consultant, what are some of the things you would recommend to a company to ensure DNS security?Select the best answers. A. Use the same machines for DNS and other applications B. Harden DNS servers C. Use split-horizon operation for DNS servers D. Restrict Zone transfers E. Have subnet diversity between DNS servers

Answer : B,C,D,E Explanation: Explanations:A is not a correct answer as it is never recommended to use a DNS server for any other application. Hardening of the DNS servers makes them less vulnerable to attack. It is recommended to split internal and external DNS servers (called split-horizon operation).Zone transfers should only be accepted from authorized DNS servers.By having DNS servers on different subnets, you may prevent both from going down, even if one of your networks goes down.

What ports should be blocked on the firewall to prevent NetBIOS traffic from not coming through the firewall if your network is comprised of Windows NT, 2000, andXP?(Choose all that apply. A. 110 B. 135 C. 139 D. 161 E. 445 F. 1024

Answer : B,C,E Explanation: NetBIOS traffic can quickly be used to enumerate and attack Windows computers. Ports 135, 139, and 445 should be blocked.

Samantha was hired to perform an internal security test of company. She quickly realized that all networks are making use of switches instead of traditional hubs.This greatly limits her ability to gather information through network sniffing.Which of the following techniques can she use to gather information from the switched network or to disable some of the traffic isolation features of the switch?(Choose two) A. Ethernet Zapping B. MAC Flooding C. Sniffing in promiscuous mode D. ARP Spoofing

Answer : B,D Explanation: In a typical MAC flooding attack, a switch is flooded with packets, each containing different source MAC addresses. The intention is to consume the limited memory set aside in the switch to store the MAC address-to-physical port translation table.The result of this attack causes the switch to enter a state called failopen mode, in which all incoming packets are broadcast out on all ports (as with a hub), instead of just down the correct port as per normal operation. The principle of ARP spoofing is to send fake, or 'spoofed', ARP messages to an Ethernet LAN. These frames contain false MAC addresses, confusing network devices, such as network switches. As a result frames intended for one machine can be mistakenly sent to another (allowing the packets to be sniffed) or an unreachable host (a denial of service attack).

There is some dispute between two network administrators at your company. Your boss asks you to come and meet with the administrators to set the record straight.Which of these are true about PKI and encryption?Select the best answers. A. PKI provides data with encryption, compression, and restorability. B. Public-key encryption was invented in 1976 by Whitfield Diffie and Martin Hellman. C. When it comes to eCommerce, as long as you have authenticity, and authenticity, you do not need encryption. D. RSA is a type of encryption.

Answer : B,D Explanation: PKI provides confidentiality, integrity, and authenticity of the messages exchanged between these two types of systems. The 3rd party provides the public key and the receiver verifies the message with a combination of the private and public key. Public- key encryption WAS invented in 1976 by Whitfield Diffie and Martin Hellman. The famous hashing algorithm Diffie-Hellman was named after them. The RSA Algorithm is created by the RSA Security company that also has created other widely used encryption algorithms.

What are two things that are possible when scanning UDP ports? (Choose two). A. A reset will be returned B. An ICMP message will be returned C. The four-way handshake will not be completed D. An RFC 1294 message will be returned E. Nothing

Answer : B,E Explanation: Closed UDP ports can return an ICMP type 3 code 3 message. No response can mean the port is open or the packet was silently dropped.

Attackers footprint target Websites using Google Hacking techniques. Google hacking is a term that refers to the art of creating complex search engine queries. It detects websites that are vulnerable to numerous exploits and vulnerabilities. Google operators are used to locate specific strings of text within the search results.The configuration file contains both a username and a password for an SQL database.Most sites with forums run a PHP message base. This file gives you the keys to that forum, including FULL ADMIN access to the database. WordPress uses config.php that stores the database Username and Password.Which of the below Google search string brings up sites with "config.php" files? A. Search:index config/php B. Wordpress:index config.php C. intitle:index.of config.php D. Config.php:index list

Answer : C

Bob is going to perform an active session hijack against company. He has acquired the target that allows session oriented connections (Telnet) and performs sequence prediction on the target operating system. He manages to find an active session due to the high level of traffic on the network.So, what is Bob most likely to do next? A. Take over the session. B. Reverse sequence prediction. C. Guess the sequence numbers. D. Take one of the parties' offline.

Answer : C

If an attacker's computer sends an IPID of 24333 to a zombie (Idle Scanning) computer on a closed port, what will be the response? A. The zombie computer will respond with an IPID of 24334. B. The zombie computer will respond with an IPID of 24333. C. The zombie computer will not send a response. D. The zombie computer will respond with an IPID of 24335.

Answer : C

Which of the following Trojans would be considered 'Botnet Command Control Center'? A. YouKill DOOM B. Damen Rock C. Poison Ivy D. Matten Kit

Answer : C

Which port, when configured on a switch receives a copy of every packet that passes through it? A. R-DUPE Port B. MIRROR port C. SPAN port D. PORTMON

Answer : C

You may be able to identify the IP addresses and machine names for the firewall, and the names of internal mail servers by: A. Sending a mail message to a valid address on the target network, and examining the header information generated by the IMAP servers B. Examining the SMTP header information generated by using the mx command parameter of DIG C. Examining the SMTP header information generated in response to an e-mail message sent to an invalid address D. Sending a mail message to an invalid address on the target network, and examining the header information generated by the POP servers

Answer : C

You want to capture Facebook website traffic in Wireshark. What display filter should you use that shows all TCP packets that contain the word 'facebook'? A. display==facebook B. traffic.content==facebook C. tcp contains facebook D. list.display.facebook

Answer : C

You want to know whether a packet filter is in front of 192.168.1.10. Pings to192.168.1.10 don't get answered. A basic nmap scan of 192.168.1.10 seems to hang without returning any information. What should you do next? A. Use NetScan Tools Pro to conduct the scan B. Run nmap XMAS scan against 192.168.1.10 C. Run NULL TCP hping2 against 192.168.1.10 D. The firewall is blocking all the scans to 192.168.1.10

Answer : C

You want to perform advanced SQL Injection attack against a vulnerable website. You are unable to perform command shell hacks on this server. What must be enabled in SQLServer to launch these attacks? A. System services B. EXEC master access C. xp_cmdshell D. RDC

Answer : C

Your computer is infected by E-mail tracking and spying Trojan. This Trojan infects the computer with a single file - emos.sysWhich step would you perform to detect this type of Trojan? A. Scan for suspicious startup programs using msconfig B. Scan for suspicious network activities using Wireshark C. Scan for suspicious device drivers in c:\windows\system32\drivers D. Scan for suspicious open ports using netstat

Answer : C

When a malicious hacker identifies a target and wants to eventually compromise this target, what would be among the first steps that he would perform? (Choose the best answer) A. Cover his tracks by eradicating the log files and audit trails. B. Gain access to the remote computer in order to conceal the venue of attacks. C. Perform a reconnaissance of the remote target for identical of venue of attacks. D. Always begin with a scan in order to quickly identify venue of attacks.

Answer : C Explanation: A hacker always starts with a preparatory phase (Reconnaissance) where he seeks to gather as much information as possible about the target of evaluation prior to launching an attack. The reconnaissance can be either passive or active (or both).

Which of the following is not an effective countermeasure against replay attacks? A. Digital signatures B. Time Stamps C. System identification D. Sequence numbers

Answer : C Explanation: A replay attack is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. Effective countermeasures should be anything that makes it hard to delay or replay the packet (time stamps and sequence numbers) or anything that prove the package is received as it was sent from the original sender (digital signature)

Which of the following is the primary objective of a rootkit? A. It opens a port to provide an unauthorized service B. It creates a buffer overflow C. It replaces legitimate programs D. It provides an undocumented opening in a program

Answer : C Explanation: Actually the objective of the rootkit is more to hide the fact that a system has been compromised and the normal way to do this is by exchanging, for example, ls to a version that doesnt show the files and process implanted by the attacker.

What do Trinoo, TFN2k, WinTrinoo, T-Sight, and Stracheldraht have in common? A. All are hacking tools developed by the legion of doom B. All are tools that can be used not only by hackers, but also security personnel C. All are DDOS tools D. All are tools that are only effective against Windows E. All are tools that are only effective against Linux

Answer : C Explanation: All are DDOS tools.

You are conducting a port scan on a subnet that has ICMP blocked. You have discovered 23 live systems and after scanning each of them you notice that they all show port 21 in closed state.What should be the next logical step that should be performed? A. Connect to open ports to discover applications. B. Perform a ping sweep to identify any additional systems that might be up. C. Perform a SYN scan on port 21 to identify any additional systems that might be up. D. Rescan every computer to verify the results.

Answer : C Explanation: As ICMP is blocked youll have trouble determining which computers are up and running by using a ping sweep. As all the 23 computers that you had discovered earlier had port 21 closed, probably any additional, previously unknown, systems will also have port 21 closed. By running a SYN scan on port 21 over the target network you might get replies from additional systems.

An attacker has been successfully modifying the purchase price of items purchased at a web site. The security administrators verify the web server and Oracle database have not been compromised directly. They have also verified the IDS logs and found no attacks that could have caused this. What is the mostly likely way the attacker has been able to modify the price? A. By using SQL injection B. By using cross site scripting C. By changing hidden form values in a local copy of the web page D. There is no way the attacker could do this without directly compromising either the web server or the database

Answer : C Explanation: Changing hidden form values is possible when a web site is poorly built and is trusting the visitors computer to submit vital data, like the price of a product, to the database.

Ethereal works best on ____________. A. Switched networks B. Linux platforms C. Networks using hubs D. Windows platforms E. LAN's

Answer : C Explanation: Ethereal is used for sniffing traffic. It will return the best results when used on an unswitched (i.e. hub. network.

You are a Administrator of Windows server. You want to find the port number forPOP3. What file would you find the information in and where?Select the best answer. A. %windir%\\etc\\services B. system32\\drivers\\etc\\services C. %windir%\\system32\\drivers\\etc\\services D. /etc/services E. %windir%/system32/drivers/etc/services

Answer : C Explanation: Explanations: %windir%\\system32\\drivers\\etc\\services is the correct place to look for this information.

Let's imagine three companies (A, B and C), all competing in a challenging global environment. Company A and B are working together in developing a product that will generate a major competitive advantage for them. Company A has a secure DNS server while company B has a DNS server vulnerable to spoofing. With a spoofing attack on the DNS server of company B, company C gains access to outgoing e- mails from company B. How do you prevent DNS spoofing? (Select the BestAnswer.) A. Install DNS logger and track vulnerable packets B. Disable DNS timeouts C. Install DNS Anti-spoofing D. Disable DNS Zone Transfer

Answer : C Explanation: Explantion: Implement DNS Anit-Spoofing measures to prevent DNS CachePollution to occur.

When Jason moves a file via NFS over the company's network, you want to grab a copy of it by sniffing. Which of the following tool accomplishes this? A. macof B. webspy C. filesnarf D. nfscopy

Answer : C Explanation: Filesnarf - sniff files from NFS trafficOPTIONS --i interfaceSpecify the interface to listen on.-v "Versus" mode. Invert the sense of matching, toselect non-matching files.patternSpecify regular expression for filename matching.expressionSpecify a tcpdump(8) filter expression to selecttraffic to sniff.SEE ALSO -Dsniff, nfsd -

Kevin has been asked to write a short program to gather user input for a web application. He likes to keep his code neat and simple. He chooses to use printf(str) where he should have ideally used printf(?s? str). What attack will his program expose the web application to? A. Cross Site Scripting B. SQL injection Attack C. Format String Attack D. Unicode Traversal Attack

Answer : C Explanation: Format string attacks are a new class of software vulnerability discovered around 1999, previously thought harmless. Format string attacks can be used to crash a program or to execute harmful code. The problem stems from the use of unfiltered user input as the format string parameter in certain C functions that perform formatting, such as printf(). A malicious user may use the %s and %x format tokens, among others, to print data from the stack or possibly other locations in memory. One may also write arbitrary data to arbitrary locations using the %n format token, which commands printf() and similar functions to write back the number of bytes formatted to the same argument to printf(), assuming that the corresponding argument exists, and is of type int * .

Which of the following activities will NOT be considered as passive footprinting? A. Go through the rubbish to find out any information that might have been discarded. B. Search on financial site such as Yahoo Financial to identify assets. C. Scan the range of IP address found in the target DNS database. D. Perform multiples queries using a search engine.

Answer : C Explanation: Passive footprinting is a method in which the attacker never makes contact with the target systems. Scanning the range of IP addresses found in the target DNS is considered making contact to the systems behind the IP addresses that is targeted by the scan.

Clive has been hired to perform a Black-Box test by one of his clients.How much information will Clive obtain from the client before commencing his test? A. IP Range, OS, and patches installed. B. Only the IP address range. C. Nothing but corporate name. D. All that is available from the client site.

Answer : C Explanation: Penetration tests can be conducted in one of two ways: black-box (with no prior knowledge the infrastructure to be tested) or white-box (with complete knowledge of the infrastructure to be tested). As you might expect, there are conflicting opinions about this choice and the value that either approach will bring to a project.

What is the most common vehicle for social engineering attacks? A. Phone B. Email C. In person D. P2P Networks

Answer : C Explanation: Pretexting is the act of creating and using an invented scenario (the pretext) to persuade a target to release information or perform an action and is usually done over the telephone.

How many bits encryption does SHA-1 use? A. 64 bits B. 128 bits C. 160 bits D. 256 bits

Answer : C Explanation: SHA-1 (as well as SHA-0) produces a 160-bit digest from a message with a maximum length of 264 - 1 bits, and is based on principles similar to those used byProfessor Ronald L. Rivest of MIT in the design of the MD4 and MD5 message digest algorithms.

Why do you need to capture five to ten million packets in order to crack WEP withAirSnort? A. All IVs are vulnerable to attack B. Air Snort uses a cache of packets C. Air Snort implements the FMS attack and only encrypted packets are counted D. A majority of weak IVs transmitted by access points and wireless cards are not filtered by contemporary wireless manufacturers

Answer : C Explanation: Since the summer of 2001, WEP cracking has been a trivial but time consuming process. A few tools, AirSnort perhaps the most famous, that implement theFluhrer-Mantin-Shamir (FMS) attack were released to the security community -- who until then were aware of the problems with WEP but did not have practical penetration testing tools. Although simple to use, these tools require a very large number of packets to be gathered before being able to crack a WEP key. The AirSnort web site estimates the total number of packets at five to ten million, but the number actually required may be higher than you think.

Which tool/utility can help you extract the application layer data from each TCP connection from a log file into separate files? A. Snort B. argus C. TCPflow D. Tcpdump

Answer : C Explanation: Tcpflow is a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis or debugging. A program like 'tcpdump' shows a summary of packets seen on the wire, but usually doesn't store the data that's actually being transmitted. In contrast, tcpflow reconstructs the actual data streams and stores each flow in a separate file for later analysis.

An nmap command that includes the host specification of 202.176.56-57.* will scan_______ number of hosts. A. 2 B. 256 C. 512 D. Over 10,000

Answer : C Explanation: The hosts with IP address 202.176.56.0-255 & 202.176.56.0-255 will be scanned (256+256=512)

What are the differences between SSL and S-HTTP? A. SSL operates at the network layer and S-HTTP operates at the application layer B. SSL operates at the application layer and S-HTTP operates at the network layer C. SSL operates at the transport layer and S-HTTP operates at the application layer D. SSL operates at the application layer and S-HTTP operates at the transport layer

Answer : C Explanation: The main difference between the protocols is the layer at which they operate.SSL operates at the transport layer and mimics the "socket library," while S-HTTP operates at the application layer. Encryption of the transport layer allows SSL to be application- independent, while S-HTTP is limited to the specific software implementing it. The protocols adopt different philosophies towards encryption as well, with SSL encrypting the entire communications channel and S-HTTP encrypting each message independently.

Joe the Hacker breaks into companys Linux system and plants a wiretap program in order to sniff passwords and user accounts off the wire. The wiretap program is embedded as a Trojan horse in one of the network utilities. Joe is worried that network administrator might detect the wiretap program by querying the interfaces to see if they are running in promiscuous mode.Running ifconfig a will produce the following:# ifconfig a1o0: flags=848<UP,LOOPBACK,RUNNING,MULTICAST> mtu 8232inet 127.0.0.1 netmask ff000000hme0:flags=863<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,MULTICAST> mtu1500inet 192.0.2.99 netmask ffffff00 broadcast 134.5.2.255 ether8:0:20:9c:a2:35What can Joe do to hide the wiretap program from being detected by ifconfig command? A. Block output to the console whenever the user runs ifconfig command by running screen capture utiliyu B. Run the wiretap program in stealth mode from being detected by the ifconfig command. C. Replace original ifconfig utility with the rootkit version of ifconfig hiding Promiscuous information being displayed on the console. D. You cannot disable Promiscuous mode detection on Linux systems.

Answer : C Explanation: The normal way to hide these rogue programs running on systems is the use crafted commands like ifconfig and ls.

Which of the following would be the best reason for sending a single SMTP message to an address that does not exist within the target company? A. To create a denial of service attack. B. To verify information about the mail administrator and his address. C. To gather information about internal hosts used in email treatment. D. To gather information about procedures that are in place to deal with such messages.

Answer : C Explanation: The replay from the email server that states that there is no such recipient will also give you some information about the name of the email server, versions used and so on.

You are running a penetration test for a small IT service provier during normal operating hours. Which of the following activities is most likely to be restricted in the rules of engagement (ROE)? *Choose ALL that apply* A. Distributed denial of service B. Port scanning C. Password crackin D. Network sniffing E. Social engineering

Answer: A, C

Kevin sends an email invite to Chris to visit a forum for security professionals. Chris clicks on the link in the email message and is taken to a web based bulletin board.Unknown to Chris, certain functions are executed on his local system under his privileges, which allow Kevin access to information used on the BBS. However, no executables are downloaded and run on the local system. What would you term this attack? A. Phishing B. Denial of Service C. Cross Site Scripting D. Backdoor installation

Answer : C Explanation: This is a typical Type-1 Cross Site Scripting attack. This kind of cross-site scripting hole is also referred to as a non-persistent or reflected vulnerability, and is by far the most common type. These holes show up when data provided by a web client is used immediately by server-side scripts to generate a page of results for that user. If unvalidated user-supplied data is included in the resulting page without HTML encoding, this will allow client-side code to be injected into the dynamic page. A classic example of this is in site search engines: if one searches for a string which includes some HTML special characters, often the search string will be redisplayed on the result page to indicate what was searched for, or will at least include the search terms in the text box for easier editing. If all occurrences of the search terms are not HTML entity encoded, an XSS hole will result.

You have hidden a Trojan file virus.exe inside another file readme.txt using NTFS streaming.Which command would you execute to extract the Trojan to a standalone file? A. c:\> type readme.txt:virus.exe > virus.exe B. c:\> more readme.txt | virus.exe > virus.exe C. c:\> cat readme.txt:virus.exe > virus.exe D. c:\> list redme.txt$virus.exe > virus.exe

Answer : C Explanation: cat will concatenate, or write, the alternate data stream to its own file named virus.exe

John Beetlesman, the hacker has successfully compromised the Linux System ofAgent Telecommunications, Incs WebServer running Apache. He has downloaded sensitive documents and database files off the machine.Upon performing various tasks, Beetlesman finally runs the following command on the Linux box before disconnecting. for ((i=0;i<1;i++));do?dd if=/dev/random of=/dev/hda && dd if=/dev/zero of=/dev/hda doneWhat exactly is John trying to do? A. He is making a bit stream copy of the entire hard disk for later download B. He is deleting log files to remove his trace C. He is wiping the contents of the hard disk with zeros D. He is infecting the hard disk with random virus strings

Answer : C Explanation: dd copies an input file to an output file with optional conversions. if is input file, -of is output file. /dev/zero is a special file that provides as many null characters (ASCIIASCII character "digit zero", "0", 0x30) as are read from it. /dev/hda is the hard drive.

LM authentication is not as strong as Windows NT authentication so you may want to disable its use, because an attacker eavesdropping on network traffic will attack the weaker protocol. A successful attack can compromise the user's password. How do you disable LM authentication in Windows XP? A. Stop the LM service in Windows XP B. Disable LSASS service in Windows XP C. Disable LM authentication in the registry D. Download and install LMSHUT.EXE tool from Microsoft website

Answer : C Explanation: http://support.microsoft.com/kb/299656

What does the following command in netcat do?nc -l -u -p 55555 < /etc/passwd A. logs the incoming connections to /etc/passwd file B. loads the /etc/passwd file to the UDP port 55555 C. grabs the /etc/passwd file when connected to UDP port 55555 D. deletes the /etc/passwd file when connected to the UDP port 55555

Answer : C Explanation:-l forces netcat to listen for incoming connections.-u tells netcat to use UDP instead of TCP-p 5555 tells netcat to use port 5555< /etc/passwd tells netcat to grab the /etc/passwd file when connected to.

Gerald is a Certified Ethical Hacker working for a large financial institution in OklahomaCity. Gerald is currently performing an annual security audit of the company's network. One of the company's primary concerns is how the corporate data is transferred back and forth from the banks all over the city to the data warehouse at the company's home office. To see what type of traffic is being passed back and forth and to see how secure that data really is, Gerald uses a session hijacking tool to intercept traffic between a server and a client. Gerald hijacks an HTML session between a client running a web application which connects to a SQL database at the home office. Gerald does not kill the client's session; he simply monitors the traffic that passes between it and the server.What type of session attack is Gerald employing here? A. He is utilizing a passive network level hijack to see the session traffic used to communicate between the two devices B. Gerald is using a passive application level hijack to monitor the client and server traffic C. This type of attack would be considered an active application attack since he is actively monitoring the traffic D. This type of hijacking attack is called an active network attack

Answer : C Explanation:Session Hijacking is an active attack

Stephanie works as a records clerk in a large office building in downtown Chicago. OnMonday, she went to a mandatory security awareness class (Security5) put on by her company's IT department. During the class, the IT department informed all employees that everyone's Internet activity was thenceforth going to be monitored.Stephanie is worried that her Internet activity might give her supervisor reason to write her up, or worse get her fired. Stephanie's daily work duties only consume about four hours of her time, so she usually spends the rest of the day surfing the web. Stephanie really enjoys surfing the Internet but definitely does not want to get fired for it.What should Stephanie use so that she does not get in trouble for surfing the Internet? A. Cookie Disabler B. Stealth Anonymizer C. Stealth Firefox D. Stealth IE

Answer : C Explanation:Stealth Firefox If there are times you want to surf the web without leaving a trace in your local computer, then this is the right extension for you. https://addons.mozilla.org/en-US/firefox/addon/1306

Attacker forges a TCP/IP packet, which causes the victim to try opening a connection with itself. This causes the system to go into an infinite loop trying to resolve this unexpected connection. Eventually, the connection times out, but during this resolution, the machine appears to hang or become very slow. The attacker sends such packets on a regular basis to slow down the system.Unpatched Windows XP and Windows Server 2003 machines are vulnerable to these attacks. What type of Denial of Service attack is represented here? A. SMURF Attacks B. Targa attacks C. LAND attacks D. SYN Flood attacks

Answer : C Explanation:The attack involves sending a spoofed TCP SYN packet (connection initiation) with the target host's IP address and an open port as both source and destination.The reason a LAND attack works is because it causes the machine to reply to itself continuously. http://en.wikipedia.org/wiki/LAND

Darren is the network administrator for Greyson & Associates, a large law firm in Houston.Darren is responsible for all network functions as well as any digital forensics work that is needed. Darren is examining the firewall logs one morning and notices some unusual activity. He traces the activity target to one of the firm's internal file servers and finds that many documents on that server were destroyed. After performing some calculations,Darren finds the damage to be around $75,000 worth of lost data. Darren decides that this incident should be handled and resolved within the same day of its discovery.What incident level would this situation be classified as? A. This situation would be classified as a mid-level incident B. Since there was over $50,000 worth of loss, this would be considered a high-level incident C. Because Darren has determined that this issue needs to be addressed in the same day it was discovered, this would be considered a low-level incident D. This specific incident would be labeled as an immediate-level incident

Answer : D

Perimeter testing means determining exactly what your firewall blocks and what it allows.To conduct a good test, you can spoof source IP addresses and source ports. Which of the following command results in packets that will appear to originate from the system at10.8.8.8? Such a packet is useful for determining whether the firewall is allowing random packets in or out of your network. A. hping3 -T 10.8.8.8 -S netbios -c 2 -p 80 B. hping3 -Y 10.8.8.8 -S windows -c 2 -p 80 C. hping3 -O 10.8.8.8 -S server -c 2 -p 80 D. hping3 -a 10.8.8.8 -S springfield -c 2 -p 80

Answer : D

Sandra is the security administrator of ABC.com. One day she notices that theABC.com Oracle database server has been compromised and customer information along with financial data has been stolen. The financial loss will be estimated in millions of dollars if the database gets into the hands of competitors. Sandra wants to report this crime to the law enforcement agencies immediately.Which organization coordinates computer crime investigations throughout theUnited States? A. NDCA B. NICP C. CIRP D. NPC E. CIA

Answer : D

What is the correct command to run Netcat on a server using port 56 that spawns command shell when connected? A. nc -port 56 -s cmd.exe B. nc -p 56 -p -e shell.exe C. nc -r 56 -c cmd.exe D. nc -L 56 -t -e cmd.exe

Answer : D

What is the default Password Hash Algorithm used by NTLMv2? A. MD4 B. DES C. SHA-1 D. MD5

Answer : D

Which of the following is NOT a valid NetWare access level? A. Not Logged in B. Logged in C. Console Access D. Administrator

Answer : D Explanation: Administrator is an account not a access level.

Which of the following best describes session key creation in SSL? A. It is created by the server after verifying theuser's identity B. It is created by the server upon connection by the client C. It is created by the client from the server's public key D. It is created by the client after verifying the server's identity

Answer : D Explanation: An SSL session always begins with an exchange of messages called theSSL handshake. The handshake allows the server to authenticate itself to the client using public-key techniques, then allows the client and the server to cooperate in the creation of symmetric keys used for rapid encryption, decryption, and tamper detection during the session that follows. Optionally, the handshake also allows the client to authenticate itself to the server.

RC4 is known to be a good stream generator. RC4 is used within the WEP standard on wireless LAN. WEP is known to be insecure even if we are using a stream cipher that is known to be secured.What is the most likely cause behind this? A. There are some flaws in the implementation. B. There is no key management. C. The IV range is too small. D. All of the above. E. None of the above.

Answer : D Explanation: Because RC4 is a stream cipher, the same traffic key must never be used twice. The purpose of an IV, which is transmitted as plain text, is to prevent any repetition, but a 24-bit IV is not long enough to ensure this on a busy network. The way the IV was used also opened WEP to a related key attack. For a 24-bit IV, there is a 50% probability the same IV will repeat after 5000 packets.Many WEP systems require a key in hexadecimal format. Some users choose keys thatSuch keys are often easily guessed.

Derek has stumbled upon a wireless network and wants to assess its security.However, he does not find enough traffic for a good capture. He intends to useAirSnort on the captured traffic to crack the WEP key and does not know the IP address range or the AP. How can he generate traffic on the network so that he can capture enough packets to crack the WEP key? A. Use any ARP requests found in the capture B. Derek can use a session replay on the packets captured C. Derek can use KisMAC as it needs two USB devices to generate traffic D. Use Ettercap to discover the gateway and ICMP ping flood tool to generate traffic

Answer : D Explanation: By forcing the network to answer to a lot of ICMP messages you can gather enough packets to crack the WEP key.

An Nmap scan shows the following open ports, and nmap also reports that the OS guessing results to match too many signatures hence it cannot reliably be identified:21 ftp23 telnet80 http443 httpsWhat does this suggest ? A. This is a Windows Domain Controller B. The host is not firewalled C. The host is not a Linux or Solaris system D. The host is not properly patched

Answer : D Explanation: Explanation: If the answer was A nmap would guess it, it holds the MS signature database, the host not being firewalled makes no difference. The host is not linux or solaris, well it very well could be. The host is not properly patched? That is the closest; nmaps OS detection architecture is based solely off the TCP ISN issued by the operating systems TCP/IP stack, if the stack is modified to show output from randomized ISN's or if your using a program to change the ISN then OS detection will fail. If the TCP/IP IP ID's are modified then os detection could also fail, because the machine would most likely come back as being down.

NSLookup is a good tool to use to gain additional information about a target network. What does the following command accomplish? nslookup> server <ipaddress>> set type =any> ls -d <target.com> A. Enables DNS spoofing B. Loads bogus entries into the DNS table C. Verifies zone security D. Performs a zone transfer E. Resets the DNS cache

Answer : D Explanation: If DNS has not been properly secured, the command sequence displayed above will perform a zone transfer.

Which of the followin settings can be specified in the Snort configuration file? *Choose *ALL* that apply. A. Network range of protected IP addresses B. FIN, URG and PUSH flags for TCP headers C. XOR encoders for NOPS D. Excluded rule files

Answer: A, D

You are the security administrator for a large network. You want to prevent attackers from running any sort of traceroute into your DMZ and discovering the internal structure of publicly accessible areas of the network. How can you achieve this? A. Block TCP at the firewall B. Block UDP at the firewall C. Block ICMP at the firewall D. There is no way to completely block tracerouting into this area

Answer : D Explanation: If you create rules that prevents attackers to perform traceroutes to yourDMZ then youll also prevent anyone from accessing the DMZ from outside the company network and in that case it is not a DMZ you have.

What is GINA? A. Gateway Interface Network Application B. GUI Installed Network Application CLASS C. Global Internet National Authority (G-USA) D. Graphical Identification and Authentication DLL

Answer : D Explanation: In computing, GINA refers to the graphical identification and authentication library, a component of some Microsoft Windows operating systems that provides secure authentication and interactive logon services.

Why would an attacker want to perform a scan on port 137? A. To discover proxy servers on a network B. To disrupt the NetBIOS SMB service on the target host C. To check for file and print sharing on Windows systems D. To discover information about a target host using NBTSTAT

Answer : D Explanation: Microsoft encapsulates netbios information withinTCP/Ip using ports 135-139. It is trivial for an attacker to issue the following command: nbtstat -A (your Ip address) from their windows machine and collect information about your windows machine (if you are not blocking traffic to port 137 at your borders).

You wish to determine the operating system and type of web server being used. At the same time you wish to arouse no suspicion within the target organization.While some of the methods listed below work, which holds the least risk of detection? A. Make some phone calls and attempt to retrieve the information using social engineering. B. Use nmap in paranoid mode and scan the web server. C. Telnet to the web server and issue commands to illicit a response. D. Use the netcraft web site look for the target organization's web site.

Answer : D Explanation: Netcraft is providing research data and analysis on many aspects of theInternet. Netcraft has explored the Internet since 1995 and is a respected authority on the market share of web servers, operating systems, hosting providers, ISPs, encrypted transactions, electronic commerce, scripting languages and content technologies on the internet.

In the context of using PKI, when Sven wishes to send a secret message to Bob, he looks up Bobs public key in a directory, uses it to encrypt the message before sending it off. Bob then uses his private key to decrypt the message and reads it. No one listening on can decrypt the message.Anyone can send an encrypted message to Bob but only Bob can read it. Thus, although many people may know Bobs public key and use it to verify Bobs signature, they cannot discover Bobs private key and use it to forge digital signatures.What does this principle refer to? A. Irreversibility B. Non-repudiation C. Symmetry D. Asymmetry

Answer : D Explanation: PKI uses asymmetric key pair encryption. One key of the pair is the only way to decrypt data encrypted with the othe

Neil notices that a single address is generating traffic from its port 500 to port 500 of several other machines on the network. This scan is eating up most of the network bandwidth and Neil is concerned. As a security professional, what would you infer from this scan? A. It is a network fault and the originating machine is in a network loop B. It is a worm that is malfunctioning or hardcoded to scan on port 500 C. The attacker is trying to detect machines on the network which have SSL enabled D. The attacker is trying to determine the type of VPN implementation and checking for IPSec

Answer : D Explanation: Port 500 is used by IKE (Internet Key Exchange). This is typically used forIPSEC-based VPN software, such as Freeswan, PGPnet, and various vendors of in-a-boxVPN solutions such as Cisco. IKE is used to set up the session keys. The actual session is usually sent with ESP (Encapsulated Security Payload) packets, IP protocol 50 (but some in-a-box VPN's such as Cisco are capable of negotiating to send the encrypted tunnel over a UDP channel, which is useful for use across firewalls that block IP protocols other thanTCP or UDP).

Annie has just succeeded is stealing a secure cookie via a XSS attack. She is able to replay the cookie even while the session is valid on the server. Why do you think this is possible? A. Any Cookie can be replayed irrespective of the session status B. The scenario is invalid as a secure cookie can't be replayed C. It works because encryption is performed at the network layer (layer 1 encryption) D. It works because encryption is performed at the application layer (Single Encryption Key)

Answer : D Explanation: Single key encryption (conventional cryptography) uses a single word or phrase as the key. The same key is used by the sender to encrypt and the receiver to decrypt. Sender and receiver initially need to have a secure way of passing the key from one to the other. With TLS or SSL this would not be possible.

Erik notices a big increase in UDP packets sent to port 1026 and 1027 occasionally.He enters the following at the command prompt.$ nc -l -p 1026 -u -vIn response, he sees the following message.cell(?(c)????STOPALERT77STOP! WINDOWS REQUIRES IMMEDIATE ATTENTION.Windows has found 47 Critical Errors.To fix the errors please do the following:1. Download Registry Repair from: www.reg-patch.com2. Install Registry Repair3. Run Registry Repair4. Reboot your computerFAILURE TO ACT NOW MAY LEAD TO DATA LOSS AND CORRUPTION!What would you infer from this alert? A. The machine is redirecting traffic to www.reg-patch.com using adware B. It is a genuine fault of windows registry and the registry needs to be backed up C. An attacker has compromised the machine and backdoored ports 1026 and 1027 D. It is a messenger spam. Windows creates a listener on one of the low dynamic ports from 1026 to 1029 and the message usually promotes malware disguised as legitimate utilities

Answer : D Explanation: The "net send" Messenger service can be used by unauthorized users of your computer, without gaining any kind of privileged access, to cause a pop-up window to appear on your computer. Lately, this feature has been used by unsolicited commercial advertisers to inform many campus users about a "university diploma service"...

Which of the following is a common Service Oriented Architecture (SOA) vulnerability that can be addressed by filters and gateways? A. XML denial of service issues B. Insecure communications C. Replay attacks D. Information leakage

Answer: A XML denial of service issues A common SOA vulnerability is an XML denial of service, in which the attacker crafts an XML message with very large payloads, recursive content, excessive nesting, malicious external entities, or with malicious DTDs (Data Type Definitions). it can be mitigated by using XML filters and XML gateways, and by ensuring that the XML parser in use is robust and the XML parsing process is not processor intensive.

You find the following entries in your web log. Each shows attempted access to either root.exe or cmd.exe. What caused this?GET /scripts/root.exe?/c+dir -GET /MSADC/root.exe?/c+dir -GET /c/winnt/system32/cmd.exe?/c+dirGET /d/winnt/system32/cmd.exe?/c+dirGET /scripts/..%5c../winnt/system32/cmd.exe?/c+dirGET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dirGET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dirGET -/msadc/..%5c../..%5c../..%5c/..xc1x1c../..xc1x1c../..xc1x1c../winnt/system32/cmd.exe?/c+diGET /scripts/..xc1x1c../winnt/system32/cmd.exe?/c+dirGET /scripts/..xc0/../winnt/system32/cmd.exe?/c+dirGET /scripts/..xc0xaf../winnt/system32/cmd.exe?/c+dirGET /scripts/..xc1x9c../winnt/system32/cmd.exe?/c+dirGET /scripts/..%35c../winnt/system32/cmd.exe?/c+dirGET /scripts/..%35c../winnt/system32/cmd.exe?/c+dirGET /scripts/..%5c../winnt/system32/cmd.exe?/c+dirGET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir A. The Morris worm B. The PIF virus C. Trinoo D. Nimda E. Code Red F. Ping of Death

Answer : D Explanation: The Nimda worm modifies all web content files it finds. As a result, any user browsing web content on the system, whether via the file system or via a web server, may download a copy of the worm. Some browsers may automatically execute the downloaded copy, thereby, infecting the browsing system. The high scanning rate of the Nimda worm may also cause bandwidth denial-of-service conditions on networks with infected machines and allow intruders the ability to execute arbitrary commands within the Local System security context on machines running the unpatched versions of IIS.

You have initiated an active operating system fingerprinting attempt with nmap against a target system: [root@ceh NG]# /usr/local/bin/nmap -sT -O 10.0.0.1Starting nmap 3.28 ( www.insecure.org/nmap/) at 2003-06-18 19:14 IDTInteresting ports on 10.0.0.1:(The 1628 ports scanned but not shown below are in state: closed)Port State Service -21/tcp filtered ftp22/tcp filtered ssh25/tcp open smtp80/tcp open http135/tcp open loc-srv139/tcp open netbios-ssn389/tcp open LDAP443/tcp open https465/tcp open smtps1029/tcp open ms-lsa1433/tcp open ms-sql-s2301/tcp open compaqdiag5555/tcp open freeciv5800/tcp open vnc-http5900/tcp open vnc6000/tcp filtered X11Remote operating system guess: Windows XP, Windows 2000, NT4 or 95/98/98SENmap run completed -- 1 IP address (1 host up) scanned in 3.334 secondsUsing its fingerprinting tests nmap is unable to distinguish between different groups of Microsoft based operating systems - Windows XP, Windows 2000, NT4 or95/98/98SE. What operating system is the target host running based on the open ports shown above? A. Windows XP B. Windows 98 SE C. Windows NT4 Server D. Windows 2000 Server

Answer : D Explanation: The system is reachable as an active directory domain controller (port 389,LDAP)

Pandora is used to attack __________ network operating systems. A. Windows B. UNIX C. Linux D. Netware E. MAC OS

Answer : D Explanation: While there are not lots of tools available to attack Netware, Pandora is one that can be used.

Samuel is the network administrator of DataX communications Inc. He is trying to configure his firewall to block password brute force attempts on his network. He enables blocking the intruders IP address for a period of 24 hours time after more than three unsuccessful attempts. He is confident that this rule will secure his network hackers on the Internet.But he still receives hundreds of thousands brute-force attempts generated from various IP addresses around the world. After some investigation he realizes that the intruders are using a proxy somewhere else on the Internet which has been scripted to enable the random usage of various proxies on each request so as not to get caught by the firewall use.Later he adds another rule to his firewall and enables small sleep on the password attempt so that if the password is incorrect, it would take 45 seconds to return to the user to begin another attempt. Since an intruder may use multiple machines to brute force the password, he also throttles the number of connections that will be prepared to accept from a particular IP address. This action will slow the intruders attempts.Samuel wants to completely block hackers brute force attempts on his network.What are the alternatives to defending against possible brute-force password attacks on his site? A. Enforce a password policy and use account lockouts after three wrong logon attempts even through this might lock out legit users B. Enable the IDS to monitor the intrusion attempts and alert you by e-mail about the IP address of the intruder so that you can block them at the firewall manually C. Enforce complex password policy on your network so that passwords are more difficult to brute force D. You can't completely block the intruders attempt if they constantly switch proxies

Answer : D Explanation: Without knowing from where the next attack will come there is no way of proactively block the attack. This is becoming a increasing problem with the growth of large bot nets using ordinary workstations and home computers in large numbers.

Steven is the senior network administrator for Onkton Incorporated, an oil well drilling company in Oklahoma City. Steven and his team of IT technicians are in charge of keeping inventory for the entire company; including computers, software, and oil well equipment. To keep track of everything, Steven has decided to use RFID tags on their entire inventory so they can be scanned with either a wireless scanner or a handheld scanner. These RFID tags hold as much information as possible about the equipment they are attached to. WhenSteven purchased these tags, he made sure they were as state of the art as possible. One feature he really liked was the ability to disable RFID tags if necessary. This comes in very handy when the company actually sells oil drilling equipment to other companies. AllSteven has to do is disable the RFID tag on the sold equipment and it cannot give up any information that was previously stored on it.What technology allows Steven to disable the RFID tags once they are no longer needed? A. Newer RFID tags can be disabled by using Terminator Switches built into the chips B. RFID Kill Switches built into the chips enable Steven to disable them C. The company's RFID tags can be disabled by Steven using Replaceable ROM technology D. The technology used to disable an RFIP chip after it is no longer needed, or possibly stolen, is called RSA Blocking

Answer : D Explanation: http://www.rsa.com/rsalabs/node.asp?id=2060

Sandra is conducting a penetration test for ABC.com. She knows that ABC.com is using wireless networking for some of the offices in the building right down the street. Through social engineering she discovers that they are using 802.11g. Sandra knows that 802.11g uses the same 2.4GHz frequency range as 802.11b. UsingNetStumbler and her 802.11b wireless NIC, Sandra drives over to the building to map the wireless networks. However, even though she repositions herself around the building several times, Sandra is not able to detect a single AP.What do you think is the reason behind this? A. Netstumbler does not work against 802.11g. B. You can only pick up 802.11g signals with 802.11a wireless cards. C. The access points probably have WEP enabled so they cannot be detected. D. The access points probably have disabled broadcasting of the SSID so they cannot be detected. E. 802.11g uses OFDM while 802.11b uses DSSS so despite the same frequency and 802.11b card cannot see an 802.11g signal. F. Sandra must be doing something wrong, as there is no reason for her to not see the signals.

Answer : D Explanation:Netstumbler can not detect networks that do not respond to broadcast requests.

One of your ethical hackers logs into several computers using Telent and grabs the banner on these computers. What information is the etchical hacker able to discover? A. Current operating system B. Currently logged-in user C. Running applications D. Open ports

Answer: A Current operating system

Eric notices repeated probes to port 1080. He learns that the protocol being used is designed to allow a host outside of a firewall to connect transparently and securely through the firewall. He wonders if his firewall has been breached. What would be your inference? A. Eric network has been penetrated by a firewall breach B. The attacker is using the ICMP protocol to have a covert channel C. Eric has a Wingate package providing FTP redirection on his network D. Somebody is using SOCKS on the network to communicate through the firewall

Answer : D Explanation:Port Description:SOCKS. SOCKS port, used to support outbound tcp services (FTP, HTTP, etc). Vulnerable similar to FTP Bounce, in that attacker can connect to this port and \bounce\ out to another internal host. Done to either reach a protected internal host or mask true source of attack.Listen for connection attempts to this port -- good sign of port scans, SOCKS-probes, or bounce attacks. Also a means to access restricted resources. Example: Bouncing off aMILNET gateway SOCKS port allows attacker to access web sites, etc. that were restricted only to.mil domain hosts.

You have installed antivirus software and you want to be sure that your AV signatures are working correctly. You don't want to risk the deliberate introduction of a live virus to test theAV software. You would like to write a harmless test virus, which is based on the EuropeanInstitute for Computer Antivirus Research format that can be detected by the AV software.How should you proceed? A. Type the following code in notepad and save the file as SAMPLEVIRUS.COM. Your antivirus program springs into action whenever you attempt to open, run or copy it. X5O!P%@AP[4\PZX54(P^)7CC)7}$SAMPLEVIRUS-STANDARD-ANTIVIRUS-TEST- FILE!$H+H* B. Type the following code in notepad and save the file as AVFILE.COM. Your antivirus program springs into action whenever you attempt to open, run or copy it. X5O!P%@AP[4\PZX54(P^)7CC)7}$AVFILE-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* C. Type the following code in notepad and save the file as TESTAV.COM. Your antivirus program springs into action whenever you attempt to open, run or copy it. X5O!P%@AP[4\PZX54(P^)7CC)7}$TESTAV-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* D. Type the following code in notepad and save the file as EICAR.COM. Your antivirus program springs into action whenever you attempt to open, run or copy it. X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Answer : D Explanation:The EICAR test file (official name: EICAR Standard Anti-Virus Test File) is a file, developed by the European Institute for ComputerAntivirus Research, to test the response of computer antivirus (AV) programs. The rationale behind it is to allow people, companies, and AV programmers to test their software without having to use a real computer virus that could cause actual damage should the AV not respond correctly. EICAR likens the use of a live virus to test AV software to setting a fire in a trashcan to test a fire alarm, and promotes the EICAR test file as a safe alternative.

During the intelligence gathering phase of a penetration test, you come across a press release by a security products vendor stating that they have signed a multi- million dollar agreement with the company you are targeting. The contract was for vulnerability assessment tools and network based IDS systems. While researching on that particular brand of IDS you notice that its default installation allows it to perform sniffing and attack analysis on one NIC and caters to its management and reporting on another NIC. The sniffing interface is completely unbound from theTCP/IP stack by default. Assuming the defaults were used, how can you detect these sniffing interfaces? A. Use a ping flood against the IP of the sniffing NIC and look for latency in the responses. B. Send your attack traffic and look for it to be dropped by the IDS. C. Set your IP to that of the IDS and look for it as it attempts to knock your computer off the network. D. The sniffing interface cannot be detected.

Answer : D Explanation: When a Nic is set to Promiscuous mode it just blindly takes whatever comes through to it network interface and sends it to the Application layer. This is why they are so hard to detect. Actually you could use ARP requests and Send them to every pc and the one which responds to all the requests can be identified as a NIC on Promiscuous mode and there are some very special programs that can do this for you. But considering the alternatives in the question the right answer has to be that the interface cannot be detected.

Because UDP is a connectionless protocol: (Select 2) A. UDP recvfrom() and write() scanning will yield reliable results B. It can only be used for Connect scans C. It can only be used for SYN scans D. There is no guarantee that the UDP packets will arrive at their destination E. ICMP port unreachable messages may not be returned successfully

Answer : D,E Explanation: Neither UDP packets, nor the ICMP errors are guaranteed to arrive, so UDP scanners must also implement retransmission of packets that appear to be lost (or you will get a bunch of false positives).

Assuring two systems that are using IPSec to protect traffic over the internet, what type of general attack could compromise the data? A. Spoof Attack B. Smurf Attack C. Man in the Middle Attack D. Trojan Horse Attack E. Back Orifice Attack

Answer : D,E Explanation:To compromise the data, the attack would need to be executed before the encryption takes place at either end of the tunnel. Trojan Horse and Back Orifice attacks both allow for potential data manipulation on host computers. In both cases, the data would be compromised either before encryption or after decryption, so IPsec is not preventing the attack.

In the following example, which of these is the "exploit"?Today, Microsoft Corporation released a security notice. It detailed how a person could bring down the Windows 2003 Server operating system, by sending malformed packets to it. They detailed how this malicious process had been automated using basic scripting. Even worse, the new automated method for bringing down the server has already been used to perform denial of service attacks on many large commercial websites.Select the best answer. A. Microsoft Corporation is the exploit. B. The security "hole" in the product is the exploit. C. Windows 2003 Server D. The exploit is the hacker that would use this vulnerability. E. The documented method of how to use the vulnerability to gain unprivileged access.

Answer : E Explanation: Explanations:Microsoft is not the exploit, but if Microsoft documents how the vulnerability can be used to gain unprivileged access, they are creating the exploit. If they just say that there is a hole in the product, then it is only a vulnerability. The security "hole" in the product is called the"vulnerability". It is documented in a way that shows how to use the vulnerability to gain unprivileged access, and it then becomes an "exploit". In the example given, Windows2003 Server is the TOE (Target of Evaluation). A TOE is an IT System, product or component that requires security evaluation or is being identified. The hacker that would use this vulnerability is exploiting it, but the hacker is not the exploit. The documented method of how to use the vulnerability to gain unprivileged access is the correct answer.

The following exploit code is extracted from what kind of attack? #define MAKE_STR_FROM_RET(x) ((x)&0xff), (((x)&0xff00)8),(((x)&0xff0000)16), (((x)&0xff000000)24)char infin_loop[]=/* for testing purposes */"\xEB\xFE";char bsdcode[] =/* Lam3rZ chroot() code rewritten for FreeBSD by venglin */"\x31\xc0\x50\x50\x50\xb0\x7e\xcd\x80\x31\xdb\x31\xc0\x43""\x43\x53\x4b\x53\x53\xb0\x5a\xcd\x80\xeb\x77\x5e\x31\xc0""\x8d\x5e\x01\x88\x46\x04\x66\x68\xff\xff\x01\x53\x53\xb0""\x88\xcd\x80\x31\xc0\x8d\x5e\x01\x53\x53\xb0\x3d\xcd\x80""\x31\xc0\x31\xdb\x8d\x5e\x08\x89\x43\x02\x31\xc9\xfe\xc9""\x31\xc0\x8d\x5e\x08\x53\x53\xb0\x0c\xcd\x80\xfe\xc9\x75""\xf1\x31\xc0\x88\x46\x09\x8d\x5e\x08\x53\x53\xb0\x3d\xcd""\x80\xfe\x0e\xb0\x30\xfe\xc8\x88\x46\x04\x31\xc0\x88\x46""\x07\x89\x76\x08\x89\x46\x0c\x89\xf3\x8d\x4e\x08\x8d\x56""\x0c\x52\x51\x53\x53\xb0\x3b\xcd\x80\x31\xc0\x31\xdb\x53""\x53\xb0\x01\xcd\x80\xe8\x84\xff\xff\xff\xff\x01\xff\xff\x30""\x62\x69\x6e\x30\x73\x68\x31\x2e\x2e\x31\x31\x76\x65\x6e""\x67\x6c\x69\x6e";static int magic[MAX_MAGIC],magic_d[MAX_MAGIC]; static char *magic_str=NULL; int before_len=0; char *target=NULL, *username="user", *password=NULL; struct targets getit; A. Remote password cracking attack B. SQL Injection C. Distributed Denial of Service D. Cross Site Scripting E. Buffer Overflow

Answer : E Explanation: This is a buffer overflow with it's payload in hex format.

Which of the following represent weak password? (Select 2 answers) A. Passwords that contain letters, special characters, and numbers Example: ap1$%##f@52 B. Passwords that contain only numbers Example: 23698217 C. Passwords that contain only special characters Example: &*#@!(%) D. Passwords that contain letters and numbers Example: meerdfget123 E. Passwords that contain only letters Example: QWERTYKLRTY F. Passwords that contain only special characters and numbers Example: 123@$45 G. Passwords that contain only letters and special characters Example: bob@&ba H. Passwords that contain Uppercase/Lowercase from a dictionary list Example: OrAnGe

Answer : E,H

What is the proper response for a X-MAS scan if the port is open? A. SYN B. ACK C. FIN D. PSH E. RST F. No response

Answer : F Explanation: Closed ports respond to a X-MAS scan by ignoring the packet.

Peter extracts the SIDs list from Windows 2000 Server machine using the hacking tool SIDExtractor. Here is the output of the SIDs: s-1-5-21-1125394485-807628933-54978560-100Johns s-1-5-21-1125394485-807628933-54978560-652Rebecca s-1-5-21-1125394485-807628933-54978560-412Sheela s-1-5-21-1125394485-807628933-54978560-999Shawn s-1-5-21-1125394485-807628933-54978560-777Somia s-1-5-21-1125394485-807628933-54978560-500chang s-1-5-21-1125394485-807628933-54978560-555MicahFrom the above list identify the user account with System Administrator privileges. A. John B. Rebecca C. Sheela D. Shawn E. Somia F. Chang G. Micah

Answer : F Explanation: The SID of the built-in administrator will always follow this example: S-1-5- domain-500

Which preliminary activity differentiates a penetration test performed by a white hat hacker and a gray hat hacker? A. Gaining permission from concerned authorities B. Gathering informationwithout direct interaction with targets C. Gaining covert authorization from the governement D. Gathering information from targets by any possible means

Answer A A. Gaining permission from concerned authorities

You would like to encrypt a VPN connection at the Data Link Layer of the OSI Model. Which protocol should you choose? A. IPSec B. PPTP C. GRE D. L2TP

Answer B PPTP L2TP doesn't provide encryption

An attacker is using the traceroute tool to carry out network footprinting. Which of the following may NOT be discovered using this tool? A. IP addresses of internal comptuers B. IP addresses of routers and firewalls C. FQDNs of all intermediary devices D. Structure of the network

Answer C The FQDN of all intermediary devices may NOT be discovered using the traceroute tool. You may be able to learn the FQDN for some of the intermediary devices, but not all.

Your software company has recently implemented an IaaS solution with a cloud service provider. Mutiple web sites use PKI to provid user account security to customers. Which component(s) are the responsibility of your company to manage? *Choose all that apply* A. Secure web gateway B. Digital certificate C. Public key D. Digital signature E. Private key

Answer D, E

While implementing a DMZ to protec several network resources, your company decides to implement a bastion host. What is the *BEST* description of this device? A. Gateway between an inside network that is located on the public side of the DMZ and is deisnged to defend against attacks aimed at the inside network. B. System fitted with two network interfaces that sits between a public, untrusted network and an internal network to provide secure access. C. Resource, usually located on the DMZ, that pretends to be a real target, but is really an isolated resource where the attacker cannot do any real damage. D. Component that restricts access between an internal network and the Internet or between other sets of networks.

Answer: A

You are a security analyst evaluating possible threats using Blackberry mobile devices. Which best describes a blackjacking attack? A. Using a mobile app to gain access to internal networks B. Using the Blackberry Enterprise Server (BES) to limit the rights of mobile apps C. Usin a mobile app to gain access to the Blackberry Enterprise Server (BES) D. Using the Blackberry Enterprise Server (BES) to block mobile app installation

Answer: A

Joe, who does not work for your company, was able to steal an employee badge from a car in the parking lot and use it to enter he facility. What type of threat does Joe present? A. Outside affiliate B. Insider associate C. Insider affiliate D. Pure insider

Answer: A *Pure insider* = an employee with all the rights and access associated with being employed by the company *Insider affiliate* = a spouse, friend, or even client of an employee who uses the employee's credentials to gain access *Outside affiliate* = non-trusted outsiders who use open access to gain access to an organization's resources. A great example of this is an outsider gaining unauthorized access to wireless access points. *Insider associate* = someone with limited authorized access. Contractors, guards, and cleaning and plant services all fit under this category.

Which of the following security tools should be examined before implementation to gauge its effects on performance? A. Auditing B. Antivirus software C. Vulnerability scanner D. Wireless sniffer

Answer: A Auditing can greatly impact the performance of a system, especialy if it generates large log files. The act of collecting audi information takes resources from the system, and storing the gathered information requires disk space.

Which layers of the Fibre Channel stack are replaced with Ethernet when using FCoE? Choose *ALL* that apply. A. FC-1 B. FC-0 C. FC-4 D. FC-2 E. FC-3

Answer: A, B

You need to perform a thorough audit of your company's infrastructure configuration. The proposed security policy will require detailed vulnerability assessment and compliance with industry accepted best practices, including SOX and PCI. Enterprise assessments, reporting, and patch management must be centralized. Which tool will *BEST* meet these requirements? A. Ecora Auditor Professional B. Active Network Security (Hping) C. Network Mapper (Nmap) D. Tenable Nessus Professional

Answer: A. Ecora Auditor Professional

Which of the followin tools is used to obfuscate binary code in an executable so that it is undetectable by anti-virus software? A. CyberGate B. SwyzCryptor C. g++ D. Cygwin E. ChewBacca

Answer: B

Which of the following is *NOT* a drawback to implementing anti-virus systems? A. They negatively affect the performance of the system no which they reside B. They are usually expensive to implement C. They rely upon signature file updates D. They often provide limited detection techniques

Answer: B

You are a security administrator working in Chicago. The Chicago office currently has a policy in place that users should not read personal emai on corporate devices. However, you have recently noticed a lot of POP3 traffic over your network even though your company's email service uses SMTP and IMAP. The office manager requesets that you block POP3 traffic at the firewall. What should you do? A. Block incoming traffic over port 110 B. Block all traffic over port 110 C. Block all traffic over port 25 D. Block incoming traffic over port 25

Answer: B

You are trying to break into a highly classified top-secret mainframe computer with highest security system in place at Merclyn Barley Bank located in Los Angeles. You know that conventional hacking doesn't work in this case, because organizations such as banks are generally tight and secure when it comes to protecting their systems. In other words you are trying to penetrate an otherwise impenetrable system. How would you proceed? A. Look for "zero-day" exploits at various underground hacker websites in Russia and China and buy the necessary exploits from these hackers and target the bank's network B. Try to hang around the local pubs or restaurants near the bank, get talking to a poorly- paid or disgruntled employee, and offer them money if they'll abuse their access privileges by providing you with sensitive information C. Launch DDOS attacks against Merclyn Barley Bank's routers and firewall systems using 100,000 or more "zombies" and "bots" D. Try to conduct Man-in-the-Middle (MiTM) attack and divert the network traffic going to the Merclyn Barley Bank's Webserver to that of your machine using DNS Cache Poisoning techniques

Answer: B

Which of the following is the BEST example of defense in depth? A. Two access control lists on the same router B. Two factors required for authentication on a single system C. Two different anti-virus applications installed on every computer D. ACLs on the router and NTFS permission on files

Answer: D

Your company has recently launched several wireless networks at its primary location. Contrary to your suggestions, all the wireles use WEP encryption keys. You are concerned that hackers will easily obtain the WEP encryption key. Which tool should you use to demonstrate this vulnerability? A. Netstumbler B. Nessus C. Wireshark D. AirSnort

Answer: D

You are learning to create Trojans by using wrapper tools. You write the following endless loop: *include <iostream> using namespace std; int main( ) { bool done = false; while (!done) { cerr << "Warning, Warning--Trojan running--Warning! Warning!" << end1; } }* How would you use a wrapper tool to hide this malware inside of the legitimate Windows executable winlogon.exe? A. Bind the implementation file (.cpp) to winlogon.exe B. Bind the declaration file (.h) to winlogon.exe C. Bind the library file (.lib) to winlogon.exe D. Bind the compilation file (.exe) to winlogon.exe

Answer: D D. Bind the compilation file (.exe) to winlogon.exe

You are a network security analyst for your company. You perform the following scan from a remote machine: *nmap -sX 141.8.225.72* You use WireShark to cature the response packets. How do you determine which ports are open? A. On all machines, there is SYN/ACK response B. On Windows machines, there is no response C. On all machines, there is RST response D. On Linux/Unix machiens, there is no response.

Answer: D D. On Linux/Unix machiens, there is no response. On Linux/Unix machines, there is no response. Because their implemetnation of the TCP/IP stack conforms strictly with RFC 793, Linux/Unix machiens will send no response if a port is open, but will send a RST response if the port is closed. On Windows machines, there is no response from both open and closed ports. Xmas scans are only intended for Linux/Unix machines that are open with RFC 793. Open pots can only be detected on Linux/Unix machines with a Xmas scan. A RST response usually means a port is closed on full/half open and idle sans or RST/ACK on FIN scans. A SYN/ACK response usually means a port is open on full/half open scans.

Which tool(s) are used to disvoery nearby Wi-Fi network or device? Choose *ALL* that apply. A. Skyhook B. AirPcap C. Wireshark D. WirelessMon E. NetStumbler F. Vistumbler

Answer: D, E, F

Your company has completed all the appropriate steps to prepare for a potential incident. The next day, a user informs you that the internal Web server is unavailiable. When you research the issue, you deermine that a DDoS atack has been carried out against the internal Web server. You need to follow the appropriate incident response procedures to recover the internal Web server. What is the first step to perform when an incident has occured? A. Notify B. Contain C. Detect and analyze D. Classify and prioritize

Answer: Detect and analyze 1.) Prepare for incident handling and response 2.) Detect and analyze 3.) Classify and prioritize 4.) Notify 5.) Contain 6.) Investigate 7.) Eardicate and recover 8.) Perform post-incident activities

You have been asked to perform a thorough vulnerability assessment for your company's file server. You must ensrue that you complete all of the appropriate steps for the assessment. What is the first step or phase? A. Generating reports B. Analyzing C. Evaluation D. Idenification E. Acquisition

Answer: E 1.) Acquisition 2.) Identifiation 3.) Analyzing 4.) Evaluation 5.) Generating reports

Which of the following statements are *FALSE* with regard to Whitfield Diffie and Martin Hellman? Choose *ALL* that apply. A. The system they devised provides compression and restorability B. They invented public key encryption C. The algorithm nmed after them performs encryption D. They invented RSA encryption

Answers: A, C, D

On a Windows-based machine, which switch can be used in ping to set the size of the echo request packet? A. -a B. -s C. -l D. -t

C is correct. The -l switch allows you to change the default packet size of an echo request leaving your machine. The default packet size leaving a Windows machine is 32 bytes. A, B, and D are incorrect. The -a switch resolves addresses to hostnames. The -s switch provides a timestamp for count hops. The -t switch indicates the ping will continue until stopped.

Which of the following commands lists the running services on a Windows machine? A. netsh services B. netstat -s C. sc query D. wmic bios get services

C is correct. The built-in sc command provides all sorts of information about running services on a Windows machine. A, B, and D are incorrect. Netsh is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer. Netstat displays active TCP connections, ports on which the computer is listening, Ethernet statistics, the IP routing table, and IPv4 statistics. Wmic provides the ability to take advantage of a host of Windows management information tie-ins but is not applicable here (not to mention the syntax is invalid).

Which of the following is the proper syntax on Windows systems for spawning a command shell on port 8080 using Netcat? A. nc -r 56 -c cmd.exe B. nc -p 56 -o cmd.exe C. nc -L 56 -t -e cmd.exe D. nc -port 56 -s -o cmd.exe

C is correct. This is the correct syntax on Windows for using Netcat to leave a command shell open on port 8080. A, B, and D are incorrect. None of these is the proper syntax.

You want to separate data ownership from data custodian duties. Which of the following should be implemented to carry this out? A. Data-at-rest protection B. Whole disk encryption C. Virtual machines D. Cloud computing

D is correct. As far as ECC is concerned, cloud computing is the ultimate in separation of duties. The data owner is the entity that is accountable for the data itself, while the data custodian is the entity responsible for access to the data. When a single individual becomes both the data owner and the data custodian, security issues can arise. Because cloud computing offers some separation of duties, ECC wants you to know the cloud can help with that. A, B, and C are incorrect. DAR and WDE do a great job protecting data against loss or theft but have nothing to do with separation of duties. Virtual machines play a role in the cloud, obviously, but in and of themselves do not provide separation of duties.

Which of the following protects against MITM attacks in WPA? A. AES B. RC4 C. CCMP D. MIC

D is correct. Message integrity check (MIC) is a feature of WPA that provides for integrity checking and, therefore, helps protect against man-in-the-middle attacks. MIC adds a new field that includes a sequence number to wireless packets, and if the WAP receives packets out of order, it will drop them. A, B, and C are incorrect. AES and RC4 are encryption algorithms. CCMP does provide for integrity checking, but it's part of WPA2, not WPA.

Joe sends an unsolicited e-mail to several users on the network advising them of potential network problems and provides a contact number to call. Joe then performs a denial of service on several systems. He then receives phone calls from users asking for assistance. Which social engineering practice is in play here? A. Phishing B. Impersonation C. Technical support D. Reverse social engineering

D is correct. Reverse social engineering occurs when you get the targets to call you. A, B, and C are incorrect. Phishing is an e-mail social engineering attack. Impersonation and technical support are both similar attacks where the attacker calls the target.

Which of the following methods of concealment involves a hacker spoofing an IP address to have packets returned directly to him regardless of the routers between the sender and receiver? A. Proxy server B. Anonymizer C. Filtering D. Source routing

D is correct. Source routing specifies the route a packet will take to a destination, regardless of what the route tables between the two systems say. As an aside, in the real world, source routing is almost always blocked. A, B, and C are incorrect. Proxy servers and anonymizers are used to hide your presence on the Web. Filtering is used on firewalls, routers, and other network devices to block or allow traffic.

An attacker tries to do banner grabbing on a remote web server and executes the following command: *$ nmap -sV one.sample.com -p 80 He gets the following output: Starting Nmap 6.47 ( http://nmap.org ) at 2014-12-08 19:10 EST Nmap scan report for one.sample.com (172.16.22.201) Host is up (0.032s latency). PORT STATE SERVICE VERSION 80/tcp open http Apache httpd Service detection performed. Please report any incorrect results at http://nmap.org/submit/. Nmap done: 1 IP address (1 host up) scanned in 6.42 seconds* Which of the following statements is true regarding the results? A. The hacker successfully completed the banner grabbing. B. The hacker failed to do banner grabbing because he didn't get the version of the Apache web server. C. Nmap can't retrieve the version number of any running remote service. D. The hacker should've used nmap -O host.domain.com.

D is correct. The -sV option is for standard service version detection, in this case on port 80. The response shows Apache but nothing else: no banner, no version, no nothing. An -O scan may provide even more detail than would otherwise be gleaned from a simple banner grab. A, B, and C are incorrect. The remaining answers do not match what was returned from the command syntax.

Which IoT attack involves sniffing, jamming, and replaying a car key fob signal? A. BlueBorne B. KeyFobbing C. Auto Scrolling D. Rolling code

D is correct. The code used by your key fob to unlock (and in some cases) start your car is called a rolling (or hopping) code. An attacker can sniff for the first part of the code, jam the key fob, and sniff/copy the second part on subsequent attempts, allowing him to steal the code...and your car. A, B, and C are incorrect. A BlueBorne attack is basically an amalgamation of techniques and attacks against known, already existing Bluetooth vulnerabilities. KeyFobbing and Auto Scrolling don't exist.

Which of the following is a legitimate use for tcp-over-dns? A. Packet crafting B. Network sniffing C. OS fingerprinting D. Firewall evasion

D is correct. Tunneling through a firewall is a great evasion technique, and the tcp-over-dns tool accomplishes this by tunneling over the Domain Name System (DNS). Port 53 is usually open on firewalls because...well, everything uses and needs DNS. The tcp-over-dns tool takes advantage of that. As an aside, it also requires Java runtime environment 6.0 or later and is supported on Windows, Linux, and Solaris. A, B, and C are incorrect. These are not uses for the tcp-over-dns tool.

An attacker leverages IoT vulnerabilities to shut off the air conditioning on the data floor, causing a major disruption. What is this attack called? A. SCADA attack B. DDoS attack C. Zigbeez attack D. HVAC attack

D is correct. Yes, this is really what it's called. No, I'm not making it up. An HVAC attack takes place when one hacks IoT devices in order to shut down air conditioning services. A, B, and C are incorrect. Although SCADA may have appealed to you here, it's incorrect in this scenario (SCADA and IoT don't necessarily have anything to do with one another). A DoS may have occurred here, but there's no specific indication it occurred. Zigbeez doesn't exist.