INWT 170 LABS


What is the best benefit for choosing a public cloud environment over a private or hybrid cloud environment?

greater scalability

2.5.5 Analyze Passwords using Rainbow Tables: Card 1

You are the security analyst for a small corporate network. Part of your role is to ensure secure access to the company website. You want to verify that the passwords being used meet the company's requirements. To do this, you captured some password hashes in a file named captured_hashes.txt and saved it in the /root directory. You want to use a rainbow table to analyze the passwords captured in this hash file to see if they meet the company's website requirements. Rainbow tables speed up the process of cracking password hashes. A rainbow table is a table of passwords and their computed hashes.

Password for hash: 202cb962ac59075b964b07152d234b70? lmnop
Password for hash: 400238780e6c41f8f790161e6ed4df3b? S3cur3Dev!ce
Password for hash: 89BF04763BF91C9EE2DDBE23D7B5C730BDD41FF2? DisneyL@nd3
Do not meet the company's password policy? lmnopr

- Create rainbow tables
- Sort the rainbow tables using rtsort
- Crack the hash using rcrack . -l

Complete this lab as follows:
1. Determine which rainbowcrack charset includes all the characters required for your company's password requirements.
a. From the Favorites bar, select Terminal.
b. At the prompt, type cat /usr/share/rainbowcrack/charset.txt and press Enter.
c. In the top right, select Answer Questions.
d. Answer Question 1.
2. Create and sort an md5 and a sha1 rainbow crack table.
a. At the prompt, type rtgen md5 ascii-32-95 1 20 0 1000 1000 0 and press Enter to create an md5 rainbow crack table.
b. Type rtgen sha1 ascii-32-95 1 20 0 1000 1000 0 and press Enter to create a sha1 rainbow crack table.
c. Type rtsort . and press Enter to sort the rainbow tables.
3. Analyze the passwords using rcrack.
a. Type rcrack . -l /root/captured_hashes.txt and press Enter to crack the passwords contained in the hash file.
b. Answer Questions 2-5.
4. Select Score Lab.

2.4.6 Configure a Captive Portal: 2nd Card

Access the pfSense management console:
Username: admin
Password: P@ssw0rd (zero)

Add a captive portal zone named WiFi-Guest. Use the description Guest wireless access zone. On the GuestWi-Fi interface, configure your portal:
- Allow a maximum of 50 concurrent connections.
- Disconnect users from the internet if the connection is inactive for 15 minutes.
- Disconnect users from the internet after 45 minutes regardless of their activity.
- Limit users' downloads and uploads to 7000 and 2400 Kbit/s.
- Force users to pass through your portal prior to authentication.

Allow the following MAC and IP address to pass through the portal:
MAC: 00:00:1C:11:22:33
IP: 198.28.1.100/16
Set the IP address description to Security analyst's laptop.

4. Allow a MAC address to pass through the portal.
a. From the Captive Portal page, select the Edit Zone icon (pencil).
b. Under the Services breadcrumb, select MACs.
c. Select Add.
d. Make sure the Action field is set to Pass.
e. For MAC Address, enter 00:00:1C:11:22:33.
f. Select Save.
5. Allow an IP address to pass through the portal.
a. Under the Services breadcrumb, select Allowed IP Addresses.
b. Select Add.
c. For IP Address, enter 198.28.1.100.
d. Use the IP address drop-down menu to select 16. This sets the subnet mask to 255.255.0.0.
e. For the Description field, enter Security analyst's laptop.
f. Make sure Direction is set to Both.
g. Select Save.

8.1.6 Evaluate Network Security with Hunter-1

You are the security analyst for a small corporate network. Recently, several of your computers were infected by a Trickbot virus. It appears they got the virus from a spreadsheet. Various versions of spreadsheets had different requests for the virus files from different servers. You are using Security Onion Hunter to analyze the attack.

In this lab, your task is to:
Log in to Security Onion and access Hunt.
Security Onion server: 192.168.0.101
Email address: [email protected]
Password: password
From Hunt:
- Examine the ET INFO Dotted Quad Host DLL Request alert event. Answer Questions 1 and 2.
- Examine the ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 alert event. Answer Questions 3 and 4.
Potentially malicious network traffic can sometimes trigger multiple events.

Complete this lab as follows:
1. Access Security Onion.
a. From the Favorites bar, select Google Chrome.
b. In the address field, enter 192.168.0.101 and press Enter to access Security Onion.
c. Log in to Security Onion using the following:
Email address: [email protected]
Password: password
d. Select LOGIN.
2. Access Hunt.
a. Select the hamburger menu and then click Hunt.
b. Maximize the window for better viewing.
3. Examine the ET INFO Dotted Quad Host DLL Request alert event.
a. Under Events, expand the ET INFO Dotted Quad Host DLL Request event.
b. Examine the various fields, especially network.data.decoded.
c. In the top right, select Answer Questions.
d. Answer Questions 1 and 2.
4. Examine the ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 alert event.
a. From Hunt Events, expand the ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 event.
b. Examine the various fields, especially event.module and network.data.decoded.
c. Answer Questions 3 and 4.
5. Select Score Lab.

Q1 What is the name of the virus file being requested from 91.200.103.114? update.dll (Under network.data.decoded)
Q2 What is unique about the file request that would trigger an alert event? The server is requested using a raw IP address instead of a hostname.
Q3 Which Security Onion event module generated the download alert? suricata
Q4 What is the size of the downloaded virus file? 694272

2.5.7 Manage Certificates You are the security analyst for a growing corporate network. You manage the certification authority for your network. As part of your daily routine, you perform several certificate management tasks. CorpCA, the certification authority, is a guest server on CorpServer2. Your network uses smart cards to control access to sensitive computers. Currently, the approval process dictates that you manually approve smart card certificate requests. In this lab, your task is to complete the following:

- Approve the pending certificate request for a smart card certificate from mlopez.
- Deny the pending web server certificate request for CorpSrv16.
- User bnguyen lost his smartcard. Revoke the certificate assigned to bnguyen.CorpNet.com using the Key Compromise reason code.
- User tsutton has left the company. Revoke the certificate assigned to tsutton.CorpNet.com using the Change of Affiliation reason code.
- Unrevoke the CorpDev2 certificate.

EXPLANATION
Complete this lab as follows:
1. From CorpCA, access Certification Authority.
a. From Hyper-V Manager, select CORPSERVER2.
b. Maximize the window for easier viewing.
c. From the Virtual Machines pane, double-click CorpCA.
d. From Server Manager's menu bar, select Tools > Certification Authority.
e. Maximize the window for easier viewing.
f. From the left pane, expand CorpCA-CA.
2. Approve the pending smart card certificate request for mlopez.
a. Select Pending Requests.
b. From the right pane, right-click on the line containing the mlopez request and select All Tasks > Issue to approve the certificate.
3. Deny the pending smart card certificate request for CorpSrv16.
a. Right-click on the line containing CorpSrv16.CorpNet.com and select All Tasks > Deny.
b. Select Yes.
4. Revoke bnguyen's and tsutton's certificates.
a. From the left pane, select Issued Certificates.
b. From the right pane, right-click bnguyen.CorpNet.com and select All Tasks > Revoke Certificate.
c. Using the Reason code drop-down, select Key Compromise.
d. Select Yes.
e. Right-click tsutton and select All Tasks > Revoke Certificate.
f. Using the Reason code drop-down, select Change of Affiliation.
g. Select Yes.
5. Unrevoke the CorpDev2 certificate.
a. From the left pane, select Revoked Certificates.
b. From the right pane, right-click CorpDev2.CorpNet.com and select All Tasks > Unrevoke Certificate.

8.1.5 Evaluate Network Security with Kibana

You are the security analyst for a small corporate network. Recently, your network became extremely slow. You have decided to use Security Onion to see if you can determine the cause.

In this lab, your task is to:
Log in to Security Onion and access Kibana.
Email address: [email protected]
Password: password
From Kibana, examine the Discover and Dashboard pages for possible issues.
Answer the questions.
The IP address of the Security Onion server is: 192.168.0.101

Q1 Which of the following is the MOST likely cause of the network slowness experienced? Your answer: Denial-of-service attack

Complete this lab as follows:
1. Access Security Onion.
a. From the Favorites bar, select Google Chrome.
b. In the address field, enter 192.168.0.101 and press Enter to access Security Onion.
c. Log in to Security Onion using the following:
Email address: [email protected]
Password: password
d. Select LOGIN.
2. Access Kibana and examine the Discover and Dashboard pages for possible issues.
a. Select the hamburger menu and then click Kibana. (Kibana opens by default to the Discover page.)
b. Maximize the window for better viewing.
c. From the Discover page, examine the charts and graphs.
d. Select the hamburger menu and then click Dashboard.
e. Examine the charts and graphs on the Dashboard page.
3. Answer the question.
a. In the top right, select Answer Questions.
b. Answer the question.
4. Select Score Lab.

8.1.7 Evaluate Network Security with Hunter-2

You are the security analyst for a small corporate network. Recently, several of your computers were infected by a Trickbot virus. It appears they got the virus from a spreadsheet. Various versions of spreadsheets had different requests for the virus files from different servers. You are using Security Onion Hunter to analyze the attack.

Log in to Security Onion and access Hunt.
Security Onion server: 192.168.0.101
Email address: [email protected]
Password: password
From Hunt:
- Examine the ET MALWARE Win32/Trickbot Data Exfiltration alert event.
- Expand and examine the ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 2 alert event. Answer Questions 3 and 4.
- Examine the ET USER_AGENTS Suspicious User-Agent (contains loader) alert event. Answer Question 5.
- Examine the ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response alert event.

Complete this lab as follows:
1. Access Security Onion.
a. From the Favorites bar, select Google Chrome.
b. In the address field, enter 192.168.0.101 and press Enter to access Security Onion.
c. Log in to Security Onion using the following:
Email address: [email protected]
Password: password
d. Select LOGIN.
2. Access Hunt.
a. Select the hamburger menu and then click Hunt.
b. Maximize the window for better viewing.
3. Examine the ET MALWARE Win32/Trickbot Data Exfiltration alert event.
a. Under Events, locate and expand the ET MALWARE Win32/Trickbot Data Exfiltration event.
b. Examine the various fields, especially destination.geo.country_name and network.data.decoded.
c. In the top right, select Answer Questions.
d. Answer Questions 1 and 2.
4. Expand and examine the ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 2 alert event.
a. Under Events, locate and expand the ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 2 event.
b. Examine the various fields, especially destination.port and network.data.decoded.
c. In the top right, select Answer Questions.
d. Answer Questions 3 and 4.
5. Examine the ET USER_AGENTS Suspicious User-Agent (contains loader) alert event.
a. Under Events, expand the ET USER_AGENTS Suspicious User-Agent (contains loader) event.
b. Examine the various fields, especially network.data.decoded.
c. Answer Question 5.
6. Examine the ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response alert event.
a. Under Events, expand the ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response event.
b. Examine the various fields, especially network.data.decoded.
c. Answer Question 6.
7. Select Score Lab.

Q1 203.176.135.102 Cambodia
Q2 00-08-02-1C-47-AE
Q3 It is not a standard HTTP port.
Q4 8015558861
Q5 imgpaper.png or cursor.png
Q6 446515

6.1.11 Prevent Zone Transfer You are the security analyst for a small corporate network. While conducting some tests to see if your network can be hacked, you have discovered that you can obtain a copy of the zone information from the CorpDC3 server. This server is a domain controller in the CorpNet.local domain and holds an Active Directory-integrated zone for the CorpNet.local domain. To better protect the company zone data, you have decided to prevent zone transfers. In this lab, your task is to disable zone transfers for the CorpNet.local zone.

Complete this lab as follows:
1. Access the CorpNet.local properties settings.
a. From Server Manager, select Tools > DNS.
b. From the left pane, expand CORPDC3 > Forward Lookup Zones.
c. Right-click CorpNet.local and then select Properties.
2. Disable zone transfers.
a. Select the Zone Transfers tab.
b. Clear Allow zone transfers.
c. Select OK.

2.5.6 Configure Account Password Policies

You are the security analyst for a small corporate network. You are attempting to improve the password security of the Windows 10 laptop located in the Lobby. In each policy, the Explain tab provides a description of the policy's effects to help you identify the policies and values to configure.

In this lab, your task is to use the Local Security Policy tool to configure password restrictions as follows:
- New passwords cannot be the same as the previous 4 passwords.
- Passwords must be changed every 30 days.
- New passwords cannot be changed for at least 2 days.
- Passwords must be at least 10 characters long.
- Passwords must contain non-alphabetical characters.
- Automatically unlock locked accounts after 1 hour.
- Lock the user account after four incorrect logon attempts within a 40-minute period.
Policy changes will not be enforced within the simulation.

Complete this lab as follows:
1. Access the Local Security Policy.
a. Select Start > Windows Administrative Tools.
b. Select Local Security Policy.
c. Maximize the window for easier viewing.
2. Configure the password policies.
a. From the left pane, expand and select Account Policies > Password Policy.
b. Double-click the policy you want to configure.
c. Configure the policy settings.
d. Select OK.
e. Repeat steps 2b-2d to configure additional policies.
3. Configure the account lockout policies.
a. From the left pane, select Account Lockout Policy.
b. Double-click the policy you want to configure.
c. Configure the policy settings.
d. Select OK.
e. Repeat steps 3b-3d to configure policy settings.

You are the security analyst for a small corporate network. You are currently using pfSense as your security appliance.

In this lab, your task is to:
- Change the password for the default pfSense account from pfsense to: Donttre@donme
- Create a new administrative user with the following parameters:
Username: lyoung
Password: C@nyouGuess!t
Full Name: Liam Young
Group Membership: admins
- Set a session timeout of 20 minutes for pfSense.
- Disable the webConfigurator anti-lockout rule for HTTP.

Access the pfSense management console through Google Chrome using: http://198.28.56.22
Default username: admin
Password: pfsense

Complete this lab as follows:
1. Access the pfSense management console.
a. From the taskbar, select Google Chrome.
b. Maximize the window for better viewing.
c. In the Google Chrome address bar, enter 198.28.56.22 and then press Enter.
d. Enter the pfSense sign-in information as follows:
Username: admin
Password: pfsense
e. Select SIGN IN.
2. Change the password for the default (admin) account.
a. From the pfSense menu bar, select System > User Manager.
b. For the admin account, under Actions, select the Edit user icon (pencil).
c. For the Password field, change to Donttre@donme.
d. For the Confirm Password field, enter Donttre@donme.
e. Scroll to the bottom and select Save.
3. Create and configure a new pfSense user.
a. Select Add.
b. For Username, enter lyoung.
c. For the Password field, enter C@nyouGuess!t.
d. For the Confirm Password field, enter C@nyouGuess!t.
e. For Full Name, enter Liam Young.
f. For Group Membership, select admins and then select Move to Member of list.
g. Scroll to the bottom and select Save.
4. Set a session timeout for pfSense.
a. Under the System breadcrumb, select Settings.
b. For Session timeout, enter 20.
c. Select Save.
5. Disable the webConfigurator anti-lockout rule for HTTP.
a. From the pfSense menu bar, select System > Advanced.
b. Under webConfigurator, for Protocol, select HTTP.
c. Select Anti-lockout to disable the webConfigurator anti-lockout rule.
d. Scroll to the bottom and select Save.

2.4.9 Configure a Security Appliance

You are the security analyst for a small corporate network. To increase security for the corporate network, you have installed the pfSense network security appliance on your network. Using pfSense, you now need to configure DNS and a default gateway.

In this lab, your task is to:
- Sign in to pfSense using the following case-sensitive information:
URL: 198.28.56.22
Username: admin
Password: pfsense
- Configure the DNS servers as follows:
Primary DNS server: 163.128.78.93 - Hostname: DNS1
Secondary DNS server: 163.128.80.93 - Hostname: DNS2
- Configure the WAN IPv4 information as follows:
Enable the interface.
Use a static IPv4 address of 65.86.24.136/8.
Add a new gateway using the following information:
Type: Default gateway
Name: WANGateway
IP address: 65.86.1.1

Complete this lab as follows:
1. Access the pfSense management console.
a. From the taskbar, select Google Chrome.
b. Maximize the window for better viewing.
c. In the address bar, type 198.28.56.22 and then press Enter.
d. Sign in using the following case-sensitive information:
Username: admin
Password: pfsense
e. Select SIGN IN or press Enter.
2. Configure the DNS servers.
a. From the pfSense menu bar, select System > General Setup.
b. Under DNS Server Settings, configure the primary DNS server as follows:
Address: 163.128.78.93
Hostname: DNS1
Gateway: None
c. Select Add DNS Server to add a secondary DNS server and then configure it as follows:
Address: 163.128.80.93
Hostname: DNS2
Gateway: None
d. Scroll to the bottom and select Save.
3. Configure the WAN settings.
a. From the pfSense menu bar, select Interfaces > WAN.
b. Under General Configuration, select Enable interface.
c. Use the IPv4 Configuration Type drop-down to select Static IPv4.
d. Under Static IPv4 Configuration, in the IPv4 Address field, enter 65.86.24.136.
e. Use the IPv4 Address subnet drop-down to select 8.
f. Under Static IPv4 Configuration, select Add a new gateway.
g. Configure the gateway settings as follows:
Default: Select Default gateway
Gateway name: Enter WANGateway
Gateway IPv4: 65.86.1.1
h. Select Add.
i. Scroll to the bottom and select Save.
j. Select Apply Changes.

7.3.3 Counter Malware with Windows Defender

You are the security analyst for a small corporate network. You recognize that the threat of malware is increasing, and you have implemented Windows Security on the office computers.

In this lab, your task is to configure Windows Security as follows:
- Add a file exclusion for D:\Graphics\book.jpg.
- Add a process exclusion for files associated with your corporate software (corp_process.exe).
- Check for virus and threat updates.
- Perform a quick scan.

Complete this lab as follows:
1. Add a file exclusion.
a. In the search field on the taskbar, type Windows Security.
b. Under Best match, select Windows Security.
c. Maximize the window for better viewing.
d. Select Virus & threat protection.
e. Under Virus & threat protection settings, select Manage settings.
f. Under Exclusions, select Add or remove exclusions.
g. Select + Add an exclusion.
h. From the drop-down list, select File.
i. Under This PC, select Data (D:).
j. Double-click Graphics.
k. Select book.jpg.
l. Select Open.
2. Add a process exclusion.
a. Select + Add an exclusion.
b. From the drop-down list, select Process.
c. In the Enter process name field, enter corp_process.exe for the process name.
d. Select Add.
3. Update protection definitions.
a. In the left menu, select the shield (Virus & threat protection) icon.
b. Under Virus & threat protection updates, select Check for updates.
c. Under Security Intelligence updates, select Check for updates.
4. Perform a quick scan.
a. In the left menu, select the shield icon.
b. Under Current threats, select Quick scan to run a quick scan now.

7.1.15 Encrypt a Hard Drive

You are the security analyst for a small corporate network. Your boss is concerned that her computer (Exec) contains sensitive company information. To prevent this information from being stolen, you have decided to encrypt the drive using BitLocker. The Exec computer has a built-in TPM on the motherboard.

In this lab, your task is to configure BitLocker drive encryption as follows:
- Try to turn on BitLocker for the System (C:) drive. Answer the question.
- From the BIOS settings, turn on and activate TPM.
- Turn on BitLocker for the System (C:) drive.
- Save the recovery key to \\CorpServer\BU-Exec.
- Encrypt the entire System (C:) drive.
- Run the BitLocker system check.

What prevented you from enabling BitLocker? Windows indicates that a TPM was not found.

Complete this lab as follows:
1. Attempt to enable BitLocker.
a. In the search field on the taskbar, enter Bitlock.
b. Under Best match, select Manage BitLocker.
c. Under Operating system drive, select Turn on BitLocker.
d. In the top right, select Answer Questions.
e. Answer Question 1 and then minimize the question dialog.
f. Select Cancel.
2. Access Exec's BIOS settings.
a. From the taskbar, right-click Start and then select Shut down or sign out > Restart.
b. When the TestOut logo appears, press Delete to enter the BIOS.
3. Turn on and activate TPM.
a. From the left pane, expand Security.
b. Select TPM Security.
c. From the right pane, select TPM Security to turn TPM security on.
d. Select Apply.
e. Select Activate.
f. Select Apply.
g. Select Exit.
Windows is restarted and you are signed in.
4. Turn on BitLocker.
a. After Exec finishes rebooting, in the search field on the taskbar, enter Bitlock.
b. Under Best match, select Manage BitLocker.
c. Under Operating system drive, select Turn on BitLocker.
Windows is now able to begin the Drive Encryption setup.
5. Save the recovery key to \\CorpServer\BU-Exec.
a. Select Save to a file to back up your recovery key to a file.
b. Browse the network to \\CorpServer\BU-Exec.
c. Select Save.
d. After your recovery key is saved, select Next.
6. Choose how much of your drive to encrypt and verify that the drive is encrypted.
a. Select Encrypt entire drive and then click Next.
b. Leave the default setting selected when choosing the encryption mode and click Next.
c. Select Run BitLocker system check and then click Continue.
d. Select Restart now.
e. When the encryption process is complete, select Close.
7. Verify that System (C:) is being encrypted.
a. From the taskbar, open File Explorer.
b. From the left pane, select This PC.
c. From the right pane, verify that the System (C:) drive shows the lock icon.
d. In the top right, select Answer Questions.
e. Select Score Lab.

You are the security analyst for your company. Through reconnaissance, it was found that a partner company website is broadcasting banner information. Your manager wants you to help them hide IIS banners. In this lab, your task is to configure the IIS web server to stop broadcasting banners by removing HTTP response headers from the partnercorp.xyz website.

Complete this lab as follows:
1. Use the IIS Manager to access the PartnerCorp.xyz website.
a. From Server Manager, select Tools > Internet Information Services (IIS) Manager.
b. From the left pane, expand PartnerWeb(partnercorp.xyz\Administrator) Home.
c. Expand Sites.
d. Select partnercorp.xyz.
2. Remove all HTTP response headers.
a. From the center pane, double-click HTTP Response Headers.
b. Select a response header.
c. Under Actions, select Remove.
d. Select Yes to confirm.
e. Repeat steps 2b-2d for the second response header.

6.2.5 Scan for Open Ports from a Remote Computer

You are the security analyst for a small corporate network. You have decided to test how secure the company's network would be if a rogue wireless access point was introduced. To do this, you have connected a small computer to the switch in the Networking Closet. This computer also functions as a rogue wireless access point. You are now sitting in your van in the parking lot of your company, where you are connected to the internal network through the rogue wireless access point. Using the small computer you left behind, you want to test running remote exploits against the company.

In this lab, your task is to:
- Use ssh -X to connect to your rogue computer (192.168.0.251). Use 1worm4b8 as the root password.
- Use Zenmap on the remote computer to scan all the ports on the internal network and look for computers vulnerable to attack.
- Answer the questions.

Complete this lab as follows:
1. Connect to the network using the rogue system.
a. From the Favorites bar, select Terminal.
b. At the prompt, type ssh -X 192.168.0.251 and press Enter.
c. For the root password, type 1worm4b8 and press Enter. You are now connected to Rogue1.
2. Scan the network using Zenmap.
a. Type zenmap and press Enter to launch Zenmap remotely. Zenmap is running on the remote computer, but you see the screen locally.
b. In the Command field, type nmap -p- 192.168.0.0/24.
c. Select Scan.
3. Analyze the scan results and answer the questions.
a. From the results, find the computers with ports open that make them vulnerable to attack.
b. In the top right, select Answer Questions.
c. Answer the questions.
d. Select Score Lab.

Use ssh -X to connect to the remote computer.
Use Zenmap to scan 192.168.0.0/24.

Q1 Which computers are web servers? 192.168.0.15, 192.168.0.22
Q2 Which server has a port open that allows unencrypted text communications? 192.168.0.10

!!! 2.5.5 Analyze Passwords using Rainbow Tables

You are the security analyst for a small corporate network. Part of your role is to ensure secure access to the company website. You want to verify that the passwords being used meet the company's requirements. To do this, you captured some password hashes in a file named captured_hashes.txt and saved it in the /root directory. You want to use a rainbow table to analyze the passwords captured in this hash file to see if they meet the company's website requirements. Rainbow tables speed up the process of cracking password hashes. A rainbow table is a table of passwords and their computed hashes.

The password requirements for your website are as follows:
- The password must be eight or more characters in length.
- The password must include at least one upper and one lowercase letter.
- The password must have at least one of these special characters: !, ", #, $, %, &, _, ', *,

Complete this lab as follows:
1. Determine which rainbowcrack charset includes all the characters required for your company's password requirements.
a. From the Favorites bar, select Terminal.
b. At the prompt, type cat /usr/share/rainbowcrack/charset.txt and press Enter.
c. In the top right, select Answer Questions.
d. Answer Question 1.
2. Create and sort an md5 and a sha1 rainbow crack table.
a. At the prompt, type rtgen md5 ascii-32-95 1 20 0 1000 1000 0 and press Enter to create an md5 rainbow crack table.
b. Type rtgen sha1 ascii-32-95 1 20 0 1000 1000 0 and press Enter to create a sha1 rainbow crack table.
c. Type rtsort . and press Enter to sort the rainbow tables.
3. Analyze the passwords using rcrack.
a. Type rcrack . -l /root/captured_hashes.txt and press Enter to crack the passwords contained in the hash file.
b. Answer Questions 2-5.
Answers: lmnop, S3cur3Dev!ce, DisneyL@nd3, lmnop
4. Select Score Lab.

4.5.11 Evaluate Windows Log Files

You are the security analyst for a small corporate network. You want to proactively address issues to avert any problems on your system. In this lab, your task is to run the Get-Eventlog command from PowerShell (Admin) to:

Q1 How many event logs are being captured on Office1? Correct answer: 7
Run Get-Eventlog -logname system
Q2 Which entry types were used for the last two log entries of the system log? Correct answer: Warning, Information
Run Get-Eventlog -logname application
Q3 What was the source of the last error entry listed in the application log? Correct answer: Application
Q4 What is the InstanceID for the last application log entry? Correct answer: 1085
Q5 For which program did the last error message create an entry in the application log? Correct answer: Notepad++
Run Get-Eventlog -logname security
Q6 Which security entries might be of MOST concern and may warrant further evaluation?

Complete this lab as follows:
1. Get a list of the current logs being captured on Office1.
a. Right-click Start and select Windows PowerShell (Admin).
b. Maximize the window for easier viewing.
c. At the prompt, type Get-Eventlog -logname * and press Enter.
d. In the top right, select Answer Questions.
e. Answer Question 1.
2. View the system log file and answer the question. Use the UP arrow key to reuse previous commands.
a. From PowerShell, type Get-Eventlog -logname system and press Enter.
b. Maximize the window for better viewing.
c. Examine the last two entries.
d. Answer Question 2.
3. View the application log file and answer the questions. You may want to clear the screen using the CLS command.
a. From PowerShell, type Get-Eventlog -logname application and press Enter.
b. Examine the last entry.
c. Answer Questions 3-5.
4. View the security log file and answer the questions.
a. From PowerShell, type Get-Eventlog -logname security and press Enter.
b. Examine the entries.
c. Answer Question 6.
5. Select Score Lab.

You are the security analyst for your company. Your manager is concerned about the vulnerability of the company's database server which contains the finance and accounting systems. He wants you to perform a port scan on the server (192.168.0.22) to identify all the open ports. In this lab, your task is to: Use nmap to perform a port scan on the database server to determine if any ports are open. Answer the question.

Complete this lab as follows:
1. Scan the company's database server for open ports.
a. From the Favorites bar, select Terminal.
b. At the prompt, type nmap -p- 192.168.0.22 and press Enter.
2. Answer the question.
a. In the top right, select Answer Questions.
b. Answer the question.
Answer: 4 open ports
3. Select Score Lab.

2.4.6 Configure a Captive Portal: 1st Card You are the security analyst for a small corporate network. You want to make sure that guests visiting your company have limited access to the internet. You have chosen to use pfSense's captive portal feature. Guests must pass through this portal to access the internet. In this lab, your task is to:

Complete this lab as follows:
1. Sign in to the pfSense management console.
a. In the Username field, enter admin.
b. In the Password field, enter P@ssw0rd (zero).
c. Select SIGN IN or press Enter.
2. Add a captive portal zone.
a. From the pfSense menu bar, select Services > Captive Portal.
b. Select Add.
c. For Zone name, enter WiFi-Guest.
d. For Zone description, enter Guest wireless access zone.
e. Select Save & Continue.
3. Enable and configure the captive portal.
a. Under Captive Portal Configuration, select Enable.
b. For Interfaces, select GuestWi-Fi.
c. For Maximum concurrent connections, select 50.
d. For Idle timeout, enter 15.
e. For Hard timeout, enter 45.
f. Scroll down and select Per-user bandwidth restriction.
g. For Default download (Kbit/s), enter 7000.
h. For Default upload (Kbit/s), enter 2400.
i. Under Authentication, use the drop-down menu to select None, don't authenticate users.
j. Scroll to the bottom and select Save.

4.5.9 Log Events with pfSense

You are the security analyst for a small corporate network. To be more proactive in your defense against possible attacks, you want to save the system logs being captured by the pfSense firewall.

In this lab, your task is to:
- Sign in to pfSense using:
Username: admin
Password: P@ssw0rd (zero)
- Configure the general system logs to:
Only show 25 logs at a time.
Have a maximum log file size of 250,000 bytes.
- Enable and configure remote system logging using the following instructions:
Save the log files on CorpServer (192.168.0.10).
Only forward system and firewall events.
- Answer the questions.

Complete this lab as follows:
1. Sign in to the pfSense management console.
a. In the Username field, enter admin.
b. In the Password field, enter P@ssw0rd (zero).
c. Select SIGN IN or press Enter.
2. Access the system log settings.
a. From the pfSense menu bar, select Status > System Logs.
b. In the top right, select Answer Questions.
c. Answer Question 1.
3. Configure the general logging options.
a. Under the Status breadcrumb, select Settings.
b. Set the GUI Log Entries field to 25 to show only 25 logs at a time in the GUI.
c. Set the Log file size field to 250000 bytes (250 KB) to set the maximum size of each log file.
4. Configure remote logging.
a. Scroll to the bottom and, under Remote Logging Options, select Enable Remote Logging.
b. Make sure the options are set as follows:
Source address: Default (any)
IP protocol: IPv4
Remote log servers: 192.168.0.10
c. For Remote Syslog Contents, select the following:
System Events
Firewall Events
d. Select Save.
5. View the results of the changes made to the number of logs shown.
a. Under the Status breadcrumb, select System.
b. Answer Question 2.
6. Select Score Lab.

6.1.13 Configure a Perimeter Firewall
You work as the IT security administrator for a small corporate network, and you recently placed a web server in the screened subnet. Now you need to configure the perimeter firewall on the network security appliance (pfSense) to allow access from the WAN to the web server using both HTTP and HTTPS. You also want to allow all traffic from the LAN network to the screened subnet.
In this lab, your task is to:
- Create and configure a firewall rule to pass HTTP traffic from the internet to the web server.
- Create and configure a firewall rule to pass HTTPS traffic from the internet to the web server.
- Create and configure a firewall rule to pass all traffic from the LAN network to the screened subnet.

Complete this lab as follows:
1. Sign in to the pfSense management console.
   a. In the Username field, enter admin for the username.
   b. In the Password field, enter P@ssw0rd (0 is a zero).
   c. Select SIGN IN or press Enter.
2. Create and configure a firewall rule to pass HTTP traffic from the WAN to the web server in the screened subnet.
   a. From the pfSense menu bar, select Firewall > Rules.
   b. Under the Firewall breadcrumb, select DMZ.
   c. Select Add (either one).
   d. Make sure Action is set to Pass.
   e. Under Source, use the drop-down to select WAN net.
   f. Under Destination, use the Destination drop-down to select Single host or alias.
   g. In the Destination Address field, enter 172.16.1.5.
   h. Using the Destination Port Range drop-down, select HTTP (80).
   i. Under Extra Options, in the Description field, enter HTTP from WAN to screened subnet.
   j. Select Save.
   k. Select Apply Changes.
3. Create and configure a firewall rule to pass HTTPS traffic from the WAN to the web server in the screened subnet.
   a. For the rule just created, select the copy icon (two files).
   b. Under Destination, change the Destination Port Range to HTTPS (443).
   c. Under Extra Options, change the Description field to HTTPS from WAN to screened subnet.
   d. Select Save.
   e. Select Apply Changes.
4. Create and configure a firewall rule to pass all traffic from the LAN network to the screened subnet.
   a. Select Add (either one).
   b. Make sure Action is set to Pass.
   c. For Protocol, use the drop-down to select Any.
   d. Under Source, use the drop-down to select LAN net.
   e. Under Destination, use the drop-down to select DMZ net.
   f. Under Extra Options, change the Description to LAN to screened subnet Any.
   g. Select Save.
   h. Select Apply Changes.

7.3.6 Configure URL Blocking
You are the security analyst for a small corporate network. After monitoring your network, you have discovered that several employees are wasting time visiting non-productive and potentially malicious websites. As such, you have added pfBlockerNG to your pfSense device. You now need to configure this feature and add the required firewall rules that allow/block specific URLs and prevent all DNS traffic from leaving your LAN network.
In this lab, your task is to:
- Sign in to pfSense using:
  Username: admin
  Password: P@ssw0rd (zero)
- Create a firewall rule that blocks all DNS traffic leaving the LAN network.
- Create a firewall rule that allows all DNS traffic going to the LAN network.

Complete this lab as follows:
1. Sign in to the pfSense management console.
   a. In the Username field, enter admin.
   b. In the Password field, enter P@ssw0rd (zero).
   c. Select SIGN IN or press Enter.
2. Create a firewall rule that blocks all DNS traffic leaving the LAN network.
   a. From the pfSense menu bar, select Firewall > Rules.
   b. Under the Firewall breadcrumb, select LAN.
   c. Select Add (either one).
   d. Under Edit Firewall Rule, use the Action drop-down to select Block.
   e. Under Edit Firewall Rule, set Protocol to UDP.
   f. Under Source, use the drop-down menu to select LAN net.
   g. Under Destination, configure the Destination Port Range to use DNS (53) (for From and To).
   h. Under Extra Options, in the Description field, enter Block DNS from LAN.
   i. Select Save.
   j. Select Apply Changes.
3. Create a firewall rule that allows all DNS traffic going to the LAN network.
   a. Select Add (either one).
   b. Under Edit Firewall Rule, make sure Action is set to Pass.
   c. Under Edit Firewall Rule, set Protocol to UDP.
   d. Under Destination, use the drop-down menu to select LAN net.
   e. Configure the Destination Port Range to use DNS (53) (for From and To).
   f. Under Extra Options, in the Description field, enter Allow all DNS to LAN.
   g. Select Save.
   h. Select Apply Changes.
4. Arrange the firewall rules in the order that allows them to function properly.
   a. Using drag-and-drop, move the rules to the following order (top to bottom):
      Anti-Lockout Rule
      Allow all DNS to LAN
      Block DNS from LAN
      In the simulated version of pfSense, you can only drag and drop the rules you created. You cannot drag and drop the default rule.
   b. Select Save.
   c. Select Apply Changes.

You are the security analyst for a small corporate network. In an effort to protect your network against security threats and hackers, you have added Snort to pfSense. With Snort already installed, you need to configure rules and settings and then assign Snort to the desired interface.
In this lab, your task is to use pfSense's Snort to complete the following:
- Sign in to pfSense using the following:
  Username: admin
  Password: P@ssw0rd (zero)
TASK SUMMARY
Required Actions
- Configure Snort rules
- Configure Sourcefire OpenAppID Detectors
- Configure the Rules Update Settings
- Configure General Settings
- Configure the Snort Interface settings for the WAN interface

Complete this lab as follows:
1. Sign in to the pfSense management console.
   a. In the Username field, enter admin.
   b. In the Password field, enter P@ssw0rd (zero).
   c. Select SIGN IN or press Enter.
2. Access the Snort Global Settings.
   a. From the pfSense menu bar, select Services > Snort.
   b. Under the Services breadcrumb, select Global Settings.
3. Configure the required rules to be downloaded.
   a. Select Enable Snort VRT.
   b. In the Snort Oinkmaster Code field, enter 992acca37a4dbd7. You can copy and paste this from the scenario.
   c. Select Enable Snort GPLv2.
   d. Select Enable ET Open.
4. Configure the Sourcefire OpenAppID Detectors to be downloaded.
   a. Under Sourcefire OpenAppID Detectors, select Enable OpenAppID.
   b. Select Enable RULES OpenAppID.
5. Configure when and how often the rules will be updated.
   a. Under Rules Update Settings, use the Update Interval drop-down to select 4 DAYS.
   b. For Update Start Time, change to 00:10.
   c. Select Hide Deprecated Rules Categories.
6. Configure Snort General Settings.
   a. Under General Settings, use the Remove Blocked Hosts Interval drop-down to select 1 Day.
   b. Select Startup/Shutdown Logging.
   c. Select Save.
7. Configure the Snort Interface settings for the WAN interface.
   a. Under the Services breadcrumb, select Snort Interfaces and then select Add.
   b. Under General Settings, make sure Enable interface is selected.
   c. For Interface, use the drop-down to select WAN (CorpNet_pfSense_L port 1).
   d. For Description, use Snort-WAN.
   e. Under Alert Settings, select Send Alerts to System Log.
   f. Select Block Offenders.
   g. Scroll to the bottom and select Save.
8. Start Snort on the WAN interface.
   a. Under the Snort Status column, select the arrow.
   b. Wait for a checkmark to appear, indicating that Snort was started successfully.

4.1.5 Manage Linux Services
While working on your Linux server, you want to practice starting, stopping, and restarting a service using the systemctl command.
In this lab, your task is to:
- Use the systemctl command to start bluetooth.service.
- Use the systemctl command to stop bluetooth.service.
- Use the systemctl command to restart bluetooth.service.
*After each command, you can check the service status with the systemctl is-active bluetooth.service command.

Complete this lab as follows:
1. Start the Bluetooth service using the systemctl command.
   a. From the Favorites bar, select Terminal.
   b. At the prompt, type systemctl start bluetooth.service and then press Enter.
   c. Type systemctl is-active bluetooth.service to verify that the service is active.
2. Stop the Bluetooth service using the systemctl command.
   a. At the prompt, type systemctl stop bluetooth.service and then press Enter.
   b. Type systemctl is-active bluetooth.service to check the service status.
3. Restart the Bluetooth service using the systemctl command.
   a. At the prompt, type systemctl restart bluetooth.service and then press Enter.
   b. Type systemctl is-active bluetooth.service to verify that the service is active.

8.3.11 Analyze FTP Credentials with Wireshark
You are the security analyst for a small corporate network. You are concerned that several employees may still be using the unsecured FTP protocol against company policy. You have decided to run a test to see if FTP is being used. If any FTP packets are found, you need to determine information about who is using this protocol.
In this lab, your task is to capture FTP packets as follows:
- Use Wireshark to capture packets on the enp2s0 interface for five or more seconds.
- Filter for FTP packets.
- Answer the questions.

Complete this lab as follows:
1. Using Wireshark, capture packets for five seconds.
   a. From the Favorites bar, select Wireshark.
   b. Under Capture, select enp2s0.
   c. Select the blue fin to start a Wireshark capture.
   d. Capture packets for five seconds.
   e. Select the red box to stop the Wireshark capture.
   f. Maximize the window for easier viewing.
2. Apply the FTP filter and answer the questions.
   a. In the Apply a display filter field, type ftp and press Enter.
   b. In the top right, select Answer Questions.
   c. Answer the questions.
3. (Optional) Use filters for only the required information.
   a. In the Apply a display filter field, type ftp.request.command==USER and then press Enter to find the user account.
   b. In the Apply a display filter field, type ftp.request.command==PASS and then press Enter to find the password.
   c. In the Apply a display filter field, type ftp.request.command==RETR and then press Enter to find the file retrieved.
4. Select Score Lab.

You are the security analyst for a small corporate network. You have had problems with users installing remote access services like Remote Desktop Services and VNC Server. You need to find, stop, and disable these services on all computers running them.
In this lab, your task is to:
- Use Zenmap to run a scan on the 192.168.0.0/24 network to look for the following open ports:
  Port 3389 - Remote Desktop Services (TermServices)
  Port 5900 - VNC Server (vncserver)
- Answer Questions 1 and 2.
- Disable and stop the services for the open ports found running on the applicable computers. Use the following table to identify the computers:
  IP Address | Computer Name
  192.168.0.30 | Exec
  192.168.0.31 | IT Admin
  192.168.0.32 | Gst-Lap
  192.168.0.33 | Office 1
  192.168.0.34 | Office 2
  192.168.0.45 | Support
  192.168.0.46 | IT-Laptop
Use Command: nmap -p 3389,5900 192.168.0.0/24

Complete this lab as follows:
1. Using Zenmap, scan the network for open remote access ports.
   a. From the Favorites bar, select Zenmap.
   b. Maximize the window for better viewing.
   c. In the Command field, type nmap -p [port number] 192.168.0.0/24 to scan the port.
   d. Select Scan (or press Enter) to scan the subnet for a given service.
   e. Using the table in the scenario, identify the computer(s) with the open port using the IP address found.
   f. In the top right, select Answer Questions.
   g. Answer Question 1.
   h. Repeat steps 1c-1e and then answer Question 2.
2. For the computers that have a remote access service port open, disable then stop the applicable service from running.
   a. From the top navigation tabs, select Floor 1 Overview.
   b. Select the computer with the remote access service port open.
   c. In the search field on the taskbar, type Services.
   d. Under Best Match, select Services.
   e. Maximize the window for easier viewing.
   f. Double-click the service (Remote Desktop Services or VNC Server) that needs to be stopped.
   g. Using the Startup Type drop-down, select Disabled.
   h. Under Service status, select Stop.
   i. Select OK.
   j. Repeat steps 2a-2i.
3. In the top right, select Answer Questions.
4. Select Score Lab.
*You would also want to remove or uninstall these services.

7.1.16 Compare an MD5 Hash
You are the security analyst for a small corporate network. You have just downloaded a new release of the ThreatProtec program, which you use to do your job. You need to make sure that the file was not altered before you received it. To help do this, you also downloaded the ThreatProtec_hash.txt file, which contains the original file hash for the new release of the ThreatProtec program. The two files are located in C:\Downloads. Use the standard directory or file names notation for this lab (without the dot-slash .\).
TASK SUMMARY
Lab Questions
- Get the file hash for the ThreatProtec.zip file
- Extract the hash from the ThreatProtec_hash.txt file
- Compare the hashes to see if they are the same
Q1 Do the file hashes match? Yes

Complete this lab as follows:
1. View the files in the C:\Downloads folder.
   a. Right-click Start and select Windows PowerShell (Admin).
   b. At the prompt, type cd \downloads and press Enter to navigate to the directory that contains the files.
   c. Type dir and press Enter to view the available files.
2. Obtain the hash files for the new releases of the software.
   a. Type get-filehash ThreatProtec.zip -a md5 and press Enter to view the MD5 hash for the new release.
   b. Type get-content ThreatProtec_hash.txt and press Enter to view the known hash contained in the .txt file.
3. Compare the hashes and answer the question.
   a. Type "calculated hash" -eq "known hash" and press Enter to determine if the file hashes match.
   b. In the top right, select Answer Questions.
   c. Answer the question.
4. Select Score Lab.

7.3.4 Configure Windows Defender Application Control
You are the security analyst for a small corporate network. To defend against non-authorized applications from being installed on the systems in your company, you have decided to implement Microsoft's Windows Defender Application Control (WDAC). You have already created a golden system containing all of the desired applications.
In this lab, your task is to complete the following:

Complete this lab as follows:
1. From Office2, create an XML file that will be used to create the initial code integrity policy (CIPolicy).
   a. Right-click Start and then select Windows PowerShell (Admin).
   b. From PowerShell, run New-CIpolicy AppCIP.xml -Level Pca -ScanPath C:\ -UserPEs
   c. Wait for the scan to complete.
2. Convert the XML file to a binary file and save it on CorpDC in the WDAC share.
   a. From PowerShell, run ConvertFrom-CIPolicy AppCIP.xml C:\AppCIP.bin
   b. From the Windows taskbar, select File Explorer.
   c. From the left pane, expand and select This PC > System (C:).
   d. Right-click AppCIP.bin and then select Copy.
   e. From the left pane, expand and select Network > CorpDC > WDAC.
   f. In the right pane, right-click and select Paste.
3. Switch to CorpServer and connect to the Hyper-V CorpDC server.
   a. From the top navigation area, select Floor 1 Overview.
   b. Under Networking Closet, select CorpServer.
   c. From the Hyper-V Manager, select CORPSERVER.
   d. From the Virtual Machines pane, double-click CorpDC.
4. Create the WDAC GPO in the CorpNet.local domain.
   a. From Server Manager's menu bar, select Tools > Group Policy Management.
   b. Maximize the window for better viewing.
   c. Expand Forest: CorpNet.local > Domains.
   d. Right-click CorpNet.local and select Create a GPO in this domain, and link it here.
   e. In the Name field, use App-WDAC and then select OK.
5. Enable and configure the Deploy Windows Defender Application Control policy to distribute the AppCIP initial code integrity policy.
   a. Expand CorpNet.local and then right-click App-WDAC and select Edit.
   b. Maximize the window for better viewing.
   c. From the left pane, expand and select Computer Configuration > Policies > Administrative Templates > System > Device Guard.
   d. From the right pane, double-click Deploy Windows Defender Application Control.
   e. Select Enabled.
   f. In the Code Integrity Policy file path field, enter C:\WDAC\AppCIP.bin.
      The WDAC network share on C

You are the security analyst for a small corporate network. The receptionist, Maggie Brown, uses an iPad to manage employee schedules and messages. You need to help her make the iPad more secure. The current simple passcode for her iPad is 3141.
In this lab, your task is to:
- Set a secure passcode on the iPad as follows:
  Require a passcode: After 5 minutes
  New passcode: youwontguessthisone
- Turn simple passcodes off.
- Configure the iPad to erase data after 10 failed passcode attempts.

Complete this lab as follows:
1. On the iPad, set Require Passcode for 5 minutes.
   a. Select Settings.
   b. From the left menu, select Touch ID & Passcode.
   c. Enter 3141 for the passcode.
   d. From the right pane, select Require Passcode.
   e. Select After 5 minutes.
2. Turn off simple passcodes.
   a. At the top, select Passcode Lock.
   b. Next to Simple Passcode, slide the switch to turn off simple passcodes.
   c. Enter 3141 for the passcode.
   d. Enter youwontguessthisone as the new passcode and then select Next.
   e. Enter youwontguessthisone to re-enter the new passcode and then select Done.
3. Configure the iPad to erase data after 10 failed passcode attempts.
   a. From the Touch ID & Passcode page, next to Erase Data, slide the switch to enable Erase Data.
   b. Select Enable.

*** 2.4.7 Discover Bluetooth Devices
You are the security analyst for a small corporate network. To protect your Bluetooth devices from attacks, you want to discover which Bluetooth devices are running in your company and gather information about each of them.
In this lab, your task is to use the Terminal to:
- Use hciconfig to discover and enable the onboard Bluetooth adapter.
- Use hcitool to find all of the Bluetooth devices. Answer Question 1.
- Use l2ping to determine if the Bluetooth device is alive and within range. Answer Question 2.
- Use sdptool to query Francisco's laptop to determine the Bluetooth services available on the device. Answer Question 3.
- Use hcitool to determine the clock offset and class for Brian's Braven Speaker device. Answer Question 4.

Complete this lab as follows:
1. Initialize the Bluetooth adapter.
   a. From the Favorites bar, select Terminal.
   b. At the prompt, type hciconfig and press Enter to view the onboard Bluetooth adapter.
   c. Type hciconfig hci0 up and press Enter to initialize the adapter.
   d. Type hciconfig and press Enter to verify that the adapter is up and running.
2. Find all Bluetooth devices within range.
   a. Type hcitool scan and press Enter to view the detected Bluetooth devices and their MAC addresses.
   b. In the top left, select Answer Questions.
   c. Answer Question 1.
3. Determine if the Bluetooth devices found are in range.
   a. Type l2ping MAC_address and press Enter to determine if the Bluetooth device is in range.
   b. Press Ctrl + c to stop the ping process.
      To copy the MAC addresses from the scan, highlight the MAC address and then right-click.
   c. Repeat steps 3a-3b for all the devices.
   d. Answer Question 2.
4. Find details for Francisco's laptop using sdptool.
   a. Type sdptool browse AF:52:23:92:EF:AF and press Enter to view the details for Francisco's laptop.
   b. Answer Question 3.
5. Find details for Brian's Echo Show using hcitool.
   a. Type hcitool inq and press Enter to determine the clock offset and class for each device.
   b. Answer Question 4.
   c. Select Score Lab.

7.3.6 Configure URL Blocking (continued)

1. Enable pfBlockerNG.
   a. From the pfSense menu bar, select Firewall > pfBlockerNG.
   b. Under General Settings, select Enable pfBlockerNG.
   c. Scroll to the bottom and select Save.
2. Enable and configure DNS block lists.
   a. Under the Firewall breadcrumb, select DNSBL.
   b. Select Enable DNSBL.
   c. For DNSBL Virtual IP, enter 192.168.0.0.
   d. Scroll to the bottom and expand TLD Blacklist.
   e. Enter the following URLs in the TLD Blacklist box:
      instagram.com
      netflix.com
      googleanalytics.net
   f. Expand TLD Whitelist and then enter the following URLs:
      .www.google.com
      .play.google.com
      .drive.google.com
   g. Select Save.

6.2.6 Discover a Hidden Network
You are the security analyst for a small corporate network. You suspect that one of the computers in your company is connecting to a rogue access point (AP). You need to find the name of the hidden rogue AP so it can be deauthorized. The computer suspected of using the rogue access point is Gst-Lap.
In this lab, your task is to complete the following:
- On IT-Laptop, use airmon-ng to put the wireless adapter in monitor mode.
- Use airodump-ng to find the hidden access point.
- Answer the question.
- From the Gst-Lap computer, connect to the rogue AP using the SSID of BookStore.

Find the hidden access point
Q1 What is the BSSID of the rogue access point?
Your answer: 00:00:1b:45:21:aa
Correct answer: 00:00:1b:45:21:11
Connect to the rogue AP using the CoffeeShop SSID
EXPLANATION
Complete this lab as follows:
1. From the IT-Laptop, configure the wlp1s0 card to run in monitor mode.
   a. From the Favorites bar, select Terminal.
   b. At the prompt, type airmon-ng and press Enter to find the name of the wireless adapter.
   c. Type airmon-ng start wlp1s0 and press Enter to put the adapter in monitor mode.
   d. Type airmon-ng and press Enter to view the new name of the wireless adapter.
2. Use airodump-ng to discover and isolate the hidden access point.
   a. Type airodump-ng wlp1s0mon and press Enter to discover all of the access points.
   b. Press Ctrl + c to stop airodump-ng.
   c. Find the hidden access point ESSID.
   d. In the top right, select Answer Questions.
   e. Answer the question.
   f. In Terminal, type airodump-ng wlp1s0mon --bssid 00:00:1B:45:21:11 and press Enter to isolate the hidden access point.
3. Switch to the Gst-Lap and connect to the Wi-Fi network.
   a. From the top navigation tabs, select Floor 1 Overview.
   b. Under Executive Office, select Gst-Lap.
   c. From the notification area, select the Wi-Fi network icon.
   d. Select Hidden Network.
   e. Select Connect.
   f. In the Enter the name (SSID) for the network field, type BookStore.
      In a real environment, you'll only need to wait until the employee connects to the rogue access point again.
   g. Select Next.
   h. Select Yes.
   i. Wait for the connection to be made.
4. Under Lab Questions, select Score Lab.

8.1.7 Evaluate Network Security with Hunter-2
You are the security analyst for a small corporate network. Recently, several of your computers were infected by a Trickbot virus. It appears they got the virus from a spreadsheet. Various versions of spreadsheets had different requests for the virus files from different servers. You are using Security Onion Hunter to analyze the attack.
In this lab, your task is to:
- Log in to Security Onion and access Hunt.
  Security Onion server: 192.168.0.101
  Email address: [email protected]
  Password: password

From Hunt:
- Examine the ET MALWARE Win32/Trickbot Data Exfiltration alert event. Answer Questions 1 and 2.
- Expand and examine the ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 2 alert event. Answer Questions 3 and 4.
- Examine the ET USER_AGENTS Suspicious User-Agent (contains loader) alert event. Answer Question 5.
- Examine the ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response alert event.

You work as a security analyst for a small corporation. Your manager has asked you to check the external servers of a potential partner's company for potentially vulnerable ports. The company hosts an external web server at www.partnercorp.xyz.
In this lab, your task is to perform reconnaissance on the PartnerCorp external servers to find potentially vulnerable ports as follows:
On Analyst-Lap
- Use the whois.org website to determine the domain name servers used by PartnerCorp.xyz.
- Answer Question 1. Which of the following name servers are being used by PartnerCorp.xyz? ns1.nethost.net
- Use nslookup to determine the primary web server address.
- Use Zenmap to search for 50 of the top ports opened on the network identified by nslookup above.

1. From the Analyst-Lap computer, find the domain name servers used by partnercorp.xyz.
   a. From the taskbar, select Google Chrome.
   b. Maximize the window for better viewing.
   c. In the URL field, type whois.org and press Enter.
   d. In the Search for a domain name field, enter partnercorp.xyz.
   e. Select Search.
   f. In the top right, select Answer Questions.
   g. Answer Question 1. Which of the following name servers are being used by PartnerCorp.xyz? ns1.nethost.net
2. Find the IP address used by www.partnercorp.xyz.
   a. Right-click Start and select Windows PowerShell (Admin).
   b. At the PowerShell prompt, type nslookup www.partnercorp.xyz name_server (see the answer to question 1) and press Enter.
   c. Answer Question 2. What is the IP address for www.partnercorp.xyz? 73.44.215.1
3. On Analyst-Lap2, minimize the Lab Questions dialog.
4. Use Zenmap to run an Nmap command to scan for open ports.
   a. From the navigation tabs, select Buildings.
   b. Under Blue Cell, select Analyst-Lap2.
   c. From the Favorites bar, select Zenmap.
   d. Maximize Zenmap for easier viewing.
   e. In the Command field, use nmap --top-ports 50 73.44.215.0/24 to scan for open ports.
   f. Select Scan to scan for open ports on all servers located on this network.
   g. In the top right, select Answer Questions.
   h. Answer Question 3. Which of the following servers use the potentially vulnerable FTP or Telnet ports? 73.44.215.5
5. Select Score Lab.

Analyze passwords using rainbow tables:

Here's how to analyze passwords using rainbow tables:

1. **Generate Rainbow Tables**
   - Use the rtgen command to generate rainbow tables for a specific hash algorithm, character set, and password length. For example:
     rtgen md5 ascii-32-95 1 20 0 1000 1000 0
   - This generates a table for MD5 hashes using ASCII characters (printable characters from space to ~) with password lengths from 1 to 20.
2. **Sort and Optimize the Rainbow Tables**
   - After generating the tables, sort and reduce them for faster lookups using:
     rtsort .
3. **Obtain Hashed Passwords**
   - Collect the hashed passwords you want to analyze. These hashes should be stored in a file, for example /root/captured_hashes.txt
4. **Run RainbowCrack**
   - Use the rcrack command to compare the captured hashes against the rainbow tables:
     rcrack . -l /root/captured_hashes.txt
   - This command tells RainbowCrack to use the rainbow tables in the current directory to attempt to crack the hashes listed in the file.
5. **Analyze Results**
   - Review the output from RainbowCrack to see which hashes were successfully cracked. The results will show the original plaintext passwords corresponding to the cracked hashes.

Using rainbow tables can significantly speed up the process of cracking hashed passwords compared to brute force methods, but it's important to ensure that these activities are conducted legally and ethically, such as for penetration testing or security research with proper authorization.

You are the security analyst for a small corporate network. You have heard complaints that the CorpServer (192.168.0.10) seems to be very unresponsive. You suspect that the server may be under a SYN attack.
In this lab, your task is to:
- Use Zenmap to find which ports on CorpServer (192.168.0.10) are open.
- Use Wireshark and the enp2s0 network interface to determine if the CorpServer is under a SYN attack.
- Analyze the packets captured.
- Answer the questions.

Q1 How many ports are open on CorpServer? Correct answer: 5
Q2 What indications are there of a SYN attack? Correct answer: All SYN packets have the same source IP address., The time between SYN packets is very short.
Q3 Which ports are under a SYN attack? 21, 22, 23, 25
Q4 Which of the following MAC addresses is initiating the SYN flood attack? 00:60:98:7f:41:e0
Complete this lab as follows:
1. From Zenmap, use nmap to find the open ports used on CorpServer.
   a. From the Favorites bar, select Zenmap.
   b. In the Command field, type nmap -p 0-100 192.168.0.10
   c. Select Scan.
   d. In the top right, select Answer Questions.
   e. Answer Question 1.
   f. Close Zenmap.
2. Capture SYN packets on the CorpServer machine.
   a. From the Favorites bar, select Wireshark.
   b. Under Capture, select enp2s0.
   c. In the Apply a display filter field, type host 192.168.0.10 and tcp.flags.syn==1
   d. Press Enter.
   e. Select the blue fin to start a Wireshark capture.
   f. Capture packets for a few seconds.
   g. From Wireshark, select the red box to stop the Wireshark capture.
   h. Maximize Wireshark for better viewing.
3. Analyze Wireshark data for signs of a SYN attack.
   a. Notice that only SYN packets were captured.
   b. Notice the time between each packet that was sent to host 192.168.1.10.
   c. Look for the port numbers being used in the SYN packets.
   d. Maximize the Lab Question dialog.
   e. Answer Questions 2 and 3.
4. Locate the MAC address of the computer initiating the SYN flood attack.
   a. From the middle pane, expand Ethernet II.
   b. Notice the source MAC address of the computer sending the SYN flood.
   c. Answer Question 4.
5. Select Score Lab.

What is one disadvantage for choosing a hybrid cloud environment over a public or private cloud environment?

Increased Complexity

What is the best benefit for choosing a private cloud environment over a public or hybrid cloud environment?

Increased Control

4.1.6 Enable and Disable Linux Services
You are the security analyst for a small corporate network. While working on your Linux server, you have determined that you need to enable and disable a few services.
In this lab, your task is to:
- Use the systemctl command to enable anaconda.service.
- Use the systemctl command to disable vmtoolsd.service.
- After each command, check the service status with the systemctl is-enabled command.

Q1 Which computer(s) have port 3389 open? 192.168.0.34
Q2 Which computer(s) have port 5900 open? 192.168.0.31
Complete this lab as follows:
1. Enable the Anaconda service.
   a. At the prompt, type systemctl enable anaconda.service and then press Enter.
   b. Type systemctl is-enabled anaconda.service and then press Enter to check the service's status.
2. Disable the VMware tools service.
   a. Type systemctl disable vmtoolsd.service and press Enter.
   b. Type systemctl is-enabled vmtoolsd.service and press Enter to check the service's status.

2.4.7 Discover Bluetooth Devices (continued)

Questions:
Q1 As a result of the scan, how many devices were found? 6
Use l2ping to determine if a Bluetooth device is up
Q2 How many of the devices scanned were alive and in range? 6
Run sdptool to query Francisco's Precision Laptop
Q3 Which service searches were successful on Francisco's Precision Laptop? Ad Hoc User Service & Device ID Service Record
Q4 Using the MAC address, what is the class ID number for Brian's Braven speaker? 0x248080
Complete this lab as follows:
1. Initialize the Bluetooth adapter.
   a. From the Favorites bar, select Terminal.
   b. At the prompt, type hciconfig and press Enter to view the onboard Bluetooth adapter.
   c. Type hciconfig hci0 up and press Enter to initialize the adapter.
   d. Type hciconfig and press Enter to verify that the adapter is up and running.
2. Find all Bluetooth devices within range.
   a. Type hcitool scan and press Enter to view the detected Bluetooth devices and their MAC addresses.
   b. In the top left, select Answer Questions.
   c. Answer Question 1.
3. Determine if the Bluetooth devices found are in range.
   a. Type l2ping MAC_address and press Enter to determine if the Bluetooth device is in range.
   b. Press Ctrl + c to stop the ping process.
      To copy the MAC addresses from the scan, highlight the MAC address and then right-click.
   c. Repeat steps 3a-3b for all the devices.
   d. Answer Question 2.
4. Find details for Francisco's laptop using sdptool.
   a. Type sdptool browse AF:52:23:92:EF:AF and press Enter to view the details for Francisco's laptop.
   b. Answer Question 3.
5. Find details for Brian's Echo Show using hcitool.
   a. Type hcitool inq and press Enter to determine the clock offset and class for each device.
   b. Answer Question 4.
6. Select Score Lab.

You are the security analyst for your company. Your friend at a partner company asked you to scan his company's public-facing servers to see if they have any obvious vulnerabilities. The PartnerCorp servers are on the 73.44.216.0 network.

In this lab, your task is to:
Perform a scan using the following information:
Network address: 73.44.216.0
Subnet mask: Class C (/24)
Answer the questions.

TASK SUMMARY
Required Actions & Questions
Scan the 73.44.216.0/24 network
Q1 Do your friend's public-facing servers have any obvious security vulnerabilities? Yes
Q2 Which service vulnerability should be remediated first? telnet

EXPLANATION
Complete this lab as follows:
1. Scan the PartnerCorp servers for vulnerabilities.
   a. From the Favorites bar, select Zenmap.
   b. In the Command field, type nmap 73.44.216.0/24.
   c. Select Scan.
2. Find the vulnerable services in the output and then answer the questions.
   a. In the top right, select Answer Questions.
   b. Answer the questions.
   c. Select Score Lab.
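Deciding which finding to remediate first is the point of Question 2, and on a real /24 it is easier to let a script do the sorting than to eyeball Zenmap output. The Python below is an added example, not the lab's code and not part of Nmap: it parses Nmap's grepable output (nmap -oG, one "Host:" line per host with a "Ports:" field of port/state/proto/owner/service/rpc/version entries) and ranks the open services by a remediation priority table. The scan output is constructed for the 73.44.216.0/24 range the lab names; the hosts, ports and versions are made up, and the priority weights are an illustrative opinion (cleartext remote access first), not a CVSS score.

```python
"""Rank open services from nmap grepable (-oG) output by remediation priority.

Added example for the PartnerCorp scan lab; not the lab's code and not part of
Nmap. SAMPLE_GREPABLE is constructed: hosts, ports and versions are made up.
"""
import re

# Illustrative weights, highest first; unknown services get DEFAULT_PRIORITY.
REMEDIATION_PRIORITY = {
    "telnet": 100,   # cleartext credentials, no integrity protection
    "ftp": 90, "rlogin": 90, "rsh": 90, "rexec": 90,
    "microsoft-ds": 70, "netbios-ssn": 70, "smb": 70,
    "rpcbind": 60, "snmp": 60,
    "http": 30,
    "ssh": 10,
    "https": 5,
}
DEFAULT_PRIORITY = 20

# "Host: 1.2.3.4 (name)<tab>Ports: ...<tab>Ignored State: ..."  (Status-only lines do not match)
HOST_LINE = re.compile(
    r"^Host:\s+(?P<ip>\S+)\s+\((?P<name>[^)]*)\)\s+Ports:\s+(?P<ports>.*?)(?:\t|$)"
)
# One port entry: port/state/proto/owner/service/rpc/version/
PORT_ENTRY = re.compile(
    r"(?P<port>\d+)/(?P<state>[^/]*)/(?P<proto>[^/]*)/[^/]*/"
    r"(?P<service>[^/]*)/[^/]*/(?P<version>[^/]*)/"
)


def parse_grepable(text):
    """Return (ip, port, proto, service, version) for every *open* port."""
    findings = []
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if not m:
            continue  # "# Nmap ..." comments and Status-only host lines
        for p in PORT_ENTRY.finditer(m["ports"]):
            if p["state"] != "open":
                continue  # filtered/closed ports are not exposed services
            findings.append((m["ip"], int(p["port"]), p["proto"], p["service"], p["version"]))
    return findings


def rank(findings):
    """Most urgent first; ties broken by host then port for a stable report."""
    return sorted(findings,
                  key=lambda f: (-REMEDIATION_PRIORITY.get(f[3], DEFAULT_PRIORITY), f[0], f[1]))


def first_to_remediate(text):
    ranked = rank(parse_grepable(text))
    return ranked[0] if ranked else None


# Constructed sample of `nmap -sV -oG -` output for the lab's range.
SAMPLE_GREPABLE = (
    "# Nmap scan initiated as: nmap -sV -oG - 73.44.216.0/24\n"
    "Host: 73.44.216.10 ()\tStatus: Up\n"
    "Host: 73.44.216.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, "
    "23/open/tcp//telnet//Linux telnetd/, 80/open/tcp//http//Apache httpd 2.4.41/, "
    "443/filtered/tcp//https///\tIgnored State: closed (996)\n"
    "Host: 73.44.216.25 (mail.partnercorp.example)\tPorts: 25/open/tcp//smtp//Postfix smtpd/, "
    "443/open/tcp//https///\tIgnored State: closed (998)\n"
    "# Nmap done: 256 IP addresses (2 hosts up) scanned\n"
)

if __name__ == "__main__":
    for ip, port, proto, service, version in rank(parse_grepable(SAMPLE_GREPABLE)):
        print("%-14s %5d/%s %-8s %s" % (ip, port, proto, service, version))
```

Run against the sample, telnet on 73.44.216.10 comes out first, matching the lab's answer; the filtered 443 on the same host is dropped because a filtered port is not a reachable service.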

2.3.4 Implement Physical Security Countermeasures

Based on your review of physical security, you have recommended several improvements. Your plan includes smart card readers, IP cameras, signs, and access logs. Implement your physical security plan by dragging the correct items from the shelf into the various locations in the building. As you drag the items from the shelf, the possible drop locations are highlighted.

In this lab, your task is to:
Install the smart card key readers in the appropriate locations to control access to key infrastructure.
Install the IP security cameras in the appropriate locations to record which employees access the key infrastructure.
Install a Restricted Access sign in the appropriate location to control access to the key infrastructure.
Add the visitor log to a location appropriate for logging visitor access.

TASK SUMMARY
Install the smart card key readers
Install the IP security cameras
Install the Restricted Access sign on the Networking Closet door
Place the visitor log on the Lobby desk

Complete this lab as follows:
1. Install the smart card key readers.
   a. From the Shelf, expand Door Locks.
   b. Drag a Smart Card Reader from the shelf to the highlighted location outside the building's front door.
   c. Drag a Smart Card Reader from the shelf to the highlighted location outside the Networking Closet's door.
2. Install the IP security cameras.
   a. From the Shelf, expand CCTV Cameras.
   b. Drag the IP Security Camera from the shelf to the highlighted circle inside the Networking Closet.
   c. Drag the IP Security Camera from the shelf to just outside the Networking Closet.
3. Install the Restricted Access sign.
   a. From the Shelf, expand Restricted Access Signs.
   b. Drag the Restricted Access Sign from the shelf to the Networking Closet door.
4. Install the visitor log.
   a. On the Shelf, expand Visitor Logs.
   b. Drag the Visitor Log from the shelf to the Lobby desk.

You are the security analyst for a small corporate network. You suspect that your Linux system may have been compromised.

In this lab, your task is to:
Use the ps command to view and analyze the status of the Linux processes.
Answer the questions about the processes that may be indications of compromise.

When using the ps command (with its applicable options), pipe the output through more or less so you can page through all the processes:
ps aux | more
ps aux | less

Complete this lab as follows:
1. Use the ps aux command to view the list of processes on your Linux system.
   a. From the Favorites bar, select Terminal.
   b. At the prompt, type ps aux | less and press Enter to view the list of processes.
2. Answer the questions about the selected processes.
   a. In the top right, select Answer Questions.
   b. Answer the questions.
   c. Select Score Lab.

Q1 What is the PID for the hald process? 1194
Q2 What is the state of the ./shell.elf process? running
Q3 What is the percentage of memory used by the ./shell.elf process? 3.0
Q4 Which command invoked PID 1857? python

4.5.10 Evaluate Event Logs in pfSense

You are the security analyst for a small corporate network. To be more proactive in your defense against possible attacks, you want to perform passive reconnaissance on your network using pfSense's logging capabilities. You are concerned that attackers may be attempting to gain access to your network, especially through on-path attacks (man-in-the-middle attacks).

In this lab, your task is to:
Sign in to pfSense using:
Username: admin
Password: P@ssw0rd (zero)
Examine the log files to see if an on-path attack has occurred.
Answer the question.

Q1 What, if any, indication is there of an on-path attack? There are two DHCPACK entries with the same IP and MAC address.

Complete this lab as follows:
1. Sign in to the pfSense management console.
   a. In the Username field, enter admin.
   b. In the Password field, enter P@ssw0rd (zero).
   c. Select SIGN IN or press Enter.
2. Access the pfSense logs.
   a. From the pfSense menu bar, select Status > System Logs.
   b. Under the Status breadcrumb, select DHCP.
   c. Examine the entries.
   d. In the top right, select Answer Questions.
   e. Answer Question 1.
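Reading the DHCP log by eye works for a lab-sized network; on a real one you would script the check. The Python below is an added example, not the lab's code and not part of pfSense: it parses DHCPACK lines in the ISC dhcpd format that pfSense shows under Status > System Logs > DHCP and reports the lab's indicator, repeated DHCPACK entries for the same IP and MAC. Because a renewing client also produces repeated ACKs for its own IP and MAC, the example goes one step further than the question and also reports any IP that was acknowledged to two different MAC addresses, which is the pattern most directly tied to an address takeover. The log lines are constructed; the hostnames, addresses and timestamps are made up.

```python
"""Find DHCP anomalies in pfSense (ISC dhcpd) log lines.

Added example for the pfSense event-log lab; not the lab's code and not part
of pfSense. SAMPLE_LOG is constructed in ISC dhcpd's syslog format.
"""
import re
from collections import defaultdict

# e.g. "Mar  4 10:15:01 pfSense dhcpd[69451]: DHCPACK on 192.168.0.45 to 00:0c:29:aa:bb:cc (Marketing3) via em1"
ACK_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}).*?"
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)"
)


def parse_acks(text):
    """Return one dict per DHCPACK line; other DHCP messages are ignored."""
    acks = []
    for line in text.splitlines():
        m = ACK_LINE.match(line)
        if m:
            acks.append({"ts": m["ts"], "ip": m["ip"], "mac": m["mac"].lower(),
                         "host": m["host"] or "", "iface": m["iface"]})
    return acks


def analyze(acks):
    """Return (repeated, conflicts).

    repeated:  {(ip, mac): [timestamps]} for pairs acknowledged more than once
               (the indicator the lab asks for; also what normal renewals look like)
    conflicts: {ip: [mac, ...]} for IPs acknowledged to more than one MAC
    """
    per_pair = defaultdict(list)
    macs_per_ip = defaultdict(set)
    for a in acks:
        per_pair[(a["ip"], a["mac"])].append(a["ts"])
        macs_per_ip[a["ip"]].add(a["mac"])
    repeated = {pair: ts for pair, ts in per_pair.items() if len(ts) > 1}
    conflicts = {ip: sorted(macs) for ip, macs in macs_per_ip.items() if len(macs) > 1}
    return repeated, conflicts


# Constructed sample (see module docstring).
SAMPLE_LOG = """\
Mar  4 10:15:01 pfSense dhcpd[69451]: DHCPREQUEST for 192.168.0.45 from 00:0c:29:aa:bb:cc (Marketing3) via em1
Mar  4 10:15:01 pfSense dhcpd[69451]: DHCPACK on 192.168.0.45 to 00:0c:29:aa:bb:cc (Marketing3) via em1
Mar  4 10:15:03 pfSense dhcpd[69451]: DHCPACK on 192.168.0.45 to 00:0c:29:aa:bb:cc (Marketing3) via em1
Mar  4 10:16:10 pfSense dhcpd[69451]: DHCPACK on 192.168.0.60 to 00:0c:29:11:22:33 (Sales1) via em1
Mar  4 10:16:42 pfSense dhcpd[69451]: DHCPACK on 192.168.0.60 to 08:00:27:de:ad:01 via em1
Mar  4 10:17:00 pfSense dhcpd[69451]: DHCPACK on 192.168.0.70 to 00:0c:29:44:55:66 (Exec2) via em1
"""

if __name__ == "__main__":
    repeated, conflicts = analyze(parse_acks(SAMPLE_LOG))
    for (ip, mac), ts in repeated.items():
        print("repeated DHCPACK for %s / %s at %s" % (ip, mac, ", ".join(ts)))
    for ip, macs in conflicts.items():
        print("%s acknowledged to several MACs: %s" % (ip, ", ".join(macs)))
```

Against the sample, 192.168.0.45 shows the lab's pattern (two ACKs, same IP and MAC, two seconds apart) and 192.168.0.60 shows the stronger one (two different MACs within a minute); the DHCPREQUEST line is ignored because only acknowledgements tell you what the server actually handed out.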

You are the security analyst for a small corporate network. You are concerned about unauthorized activity in your DMZ. You have decided to set up a honeypot to study hacking attempts.

In this lab, your task is to:
Create a honeypot on the computer named www_stage using Pentbox.
Using Google Chrome on the computer named Marketing3, test the honeypot using the www_stage.corpnet.xyz URL.
Using the www_stage system, review the effects of the intrusion.
Answer the questions.

Q1 Which message is displayed? Access denied
Q2 What is the IP address associated with the intrusion attempt? 192.168.0.39

Complete this lab as follows:
1. Use Pentbox to create a honeypot on www_stage.
   a. From the Favorites bar, select Terminal.
   b. At the prompt, type cd pentbox-1.8 and press Enter to change to the pentbox directory.
   c. Type ./pentbox.rb and press Enter to start Pentbox.
   d. Type 2 and press Enter to select Network Tools.
   e. Type 3 and press Enter to select Honeypot.
   f. Type 1 and press Enter to select Fast Auto Configuration.
2. From the Marketing3 computer, test the honeypot using Google Chrome.
   a. From the top navigation tabs, select Buildings.
   b. Under Building A, select Floor 2.
   c. Under Marketing Group B, select Marketing3.
   d. From the taskbar, select Google Chrome.
   e. In the URL field, enter www_stage.corpnet.xyz and press Enter.
   f. In the top right, select Answer Questions.
   g. Answer Question 1.
   h. Minimize the Lab Questions dialog.
3. Review the effects of the intrusion on www_stage.
   a. From the top navigation tabs, select Buildings.
   b. Under Building A, select Basement.
   c. Under Basement, select www_stage.
   d. Notice the INTRUSION ATTEMPT DETECTED message at the bottom of the Pentbox window.
   e. In the top right, select Answer Questions.
   f. Answer Question 2.
   g. Select Score Lab.
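The lab shows both halves of the exchange: the browser on Marketing3 gets "Access denied", and the Pentbox window on www_stage logs an intrusion attempt with the source IP. The Python below is an added example of the same behaviour; it is not Pentbox and not code from the lab, just a stand-in HTTP honeypot built on the standard library that refuses every request with a 403 "Access denied" body and records the client address, method and path. The Server banner it sends is a constructed value, and the probe() helper plays the browser's role so the whole exchange can be exercised on one machine over loopback.

```python
"""A minimal HTTP honeypot that refuses every request and records the client.

Added example for the Pentbox honeypot lab. Not Pentbox and not the lab's
code; a stand-in with the behaviour the lab describes. The Server banner
below is a constructed value.
"""
import socketserver
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class HoneypotHandler(BaseHTTPRequestHandler):
    server_version = "Apache"  # constructed banner sent in the Server: header
    sys_version = ""           # do not leak the Python version

    def _deny(self):
        attempt = {
            "ip": self.client_address[0],
            "method": self.command,
            "path": self.path,
            "user_agent": self.headers.get("User-Agent", ""),
        }
        with self.server.lock:
            self.server.attempts.append(attempt)
        print("INTRUSION ATTEMPT DETECTED from %(ip)s: %(method)s %(path)s" % attempt)
        body = b"Access denied"
        self.send_response(403)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_GET = do_POST = do_PUT = do_DELETE = _deny

    def log_message(self, fmt, *args):
        return  # the INTRUSION line above is the only output we want


class Honeypot(HTTPServer):
    """HTTPServer that keeps every recorded attempt in memory for inspection."""

    def __init__(self, host="127.0.0.1", port=0):
        super().__init__((host, port), HoneypotHandler)
        self.attempts = []
        self.lock = threading.Lock()

    def server_bind(self):
        # Skip HTTPServer.server_bind's reverse-DNS lookup of our own address.
        socketserver.TCPServer.server_bind(self)
        self.server_name, self.server_port = self.server_address[:2]


def start_honeypot(host="127.0.0.1", port=0):
    """Bind (port 0 = ephemeral) and serve in a background thread."""
    srv = Honeypot(host, port)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(srv, path="/"):
    """Hit the honeypot the way the lab's browser does; return (status, body)."""
    host, port = srv.server_address[:2]
    url = "http://%s:%d%s" % (host, port, path)
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.getcode(), resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


if __name__ == "__main__":
    hp = start_honeypot()
    print(probe(hp, "/"))   # the browser's view: (403, 'Access denied')
    print(hp.attempts)      # the honeypot's view: who connected, how
    hp.shutdown()
    hp.server_close()
```

Binding to 127.0.0.1 keeps the example harmless to run; a deployment in the DMZ would bind the staging host's real address, write attempts to a log that is shipped off the box, and pick a banner that matches the systems the decoy is meant to imitate.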

You are the security analyst working for CorpNet. You are trying to see if you can discover weaknesses in your network. From outside of the CorpNet network, you found that the web server (www.corpnet.xyz) has an IP address of 198.28.1.1. To test for weaknesses, you decide to perform several nmap scans using a few http scripts. In this lab, your task is to run the following nmap scripts on port 80 of 198.28.1.1 and answer the applicable questions:

Scripts and answers:
http-server-header.nse: displays the HTTP server header. Question 1: Microsoft-IIS 10.0
http-chrono.nse: measures the time the website takes to deliver a web page. Question 2: 3.14ms
http-headers.nse: performs a HEAD request for the root folder. Question 3: 3
http-errors.nse: crawls the website and returns any error pages.
http-malware-host.nse: looks for malware signatures of known server compromises. Question 4: no
http-comments-displayer.nse: displays HTML and JavaScript comments. Question 5: <!--Google Analytics Code-->

Complete this lab as follows:
1. Display the HTTP server header.
   a. From the Favorites bar, select Terminal.
   b. At the prompt, type nmap --script=http-server-header -p80 198.28.1.1 and press Enter to run the script.
   c. Answer Question 1.
2. Measure the time the website takes to deliver its web pages.
   a. Type nmap --script=http-chrono -p80 198.28.1.1 and press Enter to run the script.
   b. Answer Question 2.
3. Perform a HEAD request for the root folder and crawl the website for error pages.
   a. Type nmap --script=http-headers -p80 198.28.1.1 and press Enter to run the script.
   b. Type nmap --script=http-errors -p80 198.28.1.1 and press Enter to run the script.
   c. Answer Question 3.
4. Look for malware signatures of known server compromises.
   a. Type nmap --script=http-malware-host -p80 198.28.1.1 and press Enter to run the script.
   b. Answer Question 4.
5. Display HTML and JavaScript comments.
   a. Type nmap --script=http-comments-displayer -p80 198.28.1.1 and press Enter to run the script.
   b. Answer Question 5.
6. Select Score Lab.

4.2.9 Analyzing Network Infrastructures

see pic

6.1.14 Perform a Decoy Scan

You are the security analyst for a small corporate network. You want to run a test to see if you can avoid being detected by the intrusion detection systems. You have decided to use Nmap to perform a decoy scan on CorpNet.local.

In this lab, your task is to perform a decoy scan on CorpNet.local:
Use Zenmap or Terminal to run the scan.
Use Wireshark to capture the scan.
Interface: enp2s0
Number of random IP addresses: 5
IP address to target: 192.168.0.10

Q1 From the results of the decoy scan, which IP address is most likely that of the attacker? 192.168.0.47

see pic
