ITN 261 Finals (Ch. 8-13)
In a botnet, what are the systems that tell individual bots what to do called? C2 servers IRC servers HTTP servers ISC2 servers
A
What does a defense in breadth approach add? Consideration for a broader range of attacks Protection against SQL injection Buffer overflow protection Heap spraying protection
A
What is the target of a command injection attack? Operating system Web server Database server User
A
If you saw the following command line, what would you be capturing? tcpdump -i eth2 host 192.168.10.5 Traffic just from 192.168.10.5 Traffic to and from 192.168.10.5 Traffic just to 192.168.10.5 All traffic other than from 192.168.86.5
B
If you wanted a tool that could help with both static and dynamic analysis of malware, which would you choose? Cutter IDA PE Explorer MalAlyzer
B
What could you use to generate your own malware? Empire Metasploit Rcconsole IDA Pro
B
What is the four-stage handshake used for? Passing keys Deriving keys Encrypting messages Initialization seeding
B
What is the SSID used for? Encrypting messages Providing a MAC address Identifying a network Seeding a key
C
What does the following line mean? Sequence number: 4361 (relative sequence number) The sequence number shown is not the real sequence number. The sequence number shown has not been incremented. The sequence number shown isn't long enough. The sequence number shown is the acknowledgment number.
A
What is an advantage of a phone call over a phishing email? You are able to go into more detail with pretexting. Phishing attacks are unreliable. Not everyone has email but everyone has a phone. Pretexting only works over the phone.
A
What is one downside to running a default tcpdump without any parameters? DNS requests Not enough information Sequence numbers don't show tcpdump won't run without additional parameters
A
What is the difference between a virus and ransomware? Ransomware may be a virus. Ransomware includes Bitcoins. Ransomware is only generated in Russia. A virus only runs on Windows systems.
A
What is the policy that allows people to use their own smartphones on the enterprise network? Bring your own device Use your own device Bring your own smart device Use your own smart device
A
What is the purpose of a SYN flood? Fill up connection buffers at the operating system Fill up connection buffers in the web server Fill up connection buffers at the Application layer Fill up connection buffers for UDP
A
What is the purpose of a packer for malware? To obscure the actual program To ensure that the program is all binary To compile the program into a tight space To remove null characters
A
What is the purpose of using a disassembler? Converting opcodes to mnemonics Converting mnemonics to opcodes Translating mnemonics to operations Removing the need for an assembler
A
What security element would be a crucial part of a defense in depth network design? Firewall SIEM Web application firewall Log management system
A
What social engineering vector would you use if you wanted to gain access to a building? Impersonation Scarcity Vishing Smishing
A
What would a signal range for a Bluetooth device commonly be? 300 ft. 3,000 ft. 75 ft. 500 ft.
A
What would the result of a high false failure rate be? People having to call security Unauthorized people being allowed in Forcing the use of a man trap Reduction in the use of biometrics
A
What would you use sslstrip for? Getting plaintext traffic Removing all SSL requests Converting SSL to TLS Converting TLS to SSL
A
Which command-line parameter would you use to disable name resolutions in tcpdump? -n -i -r -x
A
Which of these forms of biometrics is least likely to give a high true accept rate while minimizing false reject rates? Voiceprint Iris scanning Retinal scanning Fingerprint scanning
A
You get a phone call from someone telling you they are from the IRS and they are sending the police to your house now to arrest you unless you provide a method of payment immediately. What tactic is the caller using? Pretexting Biometrics Smishing Rogue access
A
How does a slowloris attack work? Holds open connection buffers at the operating system Holds open connection buffers at the web server Holds open connection buffers at the Application layer Holds open connection buffers for UDP
B
How does an evil twin attack work? Phishing users for credentials Spoofing an SSID Changing an SSID Injecting four-way handshakes
B
How many stages are used in the WPA handshake? Two Four Three One
B
How would someone keep a baiting attack from being successful? Disable Registry cloning. Disable autorun. Epoxy external ports. Don't browse the Internet.
B
If you were to see the following command in someone's history, what would you think had happened? msfvenom -i 5 -p windows/x64/shell_reverse_tcp -o program A poison pill was created. A malicious program was generated. Existing malware was encoded. Metasploit was started.
B
What can you say about [TCP Segment Len: 35], as provided by Wireshark? The window size has changed. Wireshark has inferred this information. Wireshark extracted this from one of the headers. Wireshark has additional detail below.
B
What could you use to inform a defensive strategy? SIEM output Attack life cycle Logs Intrusion detection system
B
What has been done to the following string? Base64 encoding URL encoding Encryption Cryptographic hashing
B
What is the /etc/ettercap/etter.dns file used for? Enabling firewall rules for Ettercap Configuring hostnames to IP addresses Setting up mail for Ettercap Disabling ARP spoofing in Ettercap
B
What is the purpose of a deauthentication attack? Disabling stations Forcing stations to reauthenticate Reducing the number of steps in the handshake Downgrading encryption
B
What is the web page you may be presented with when connecting to a wireless access point, especially in a public place? Credential harvester Captive portal Wi-Fi portal Authentication point
B
What mode has to be enabled on a network interface to allow all headers in wireless traffic to be captured? Promiscuous Monitor Radio Wireless LAN
B
What protection could be used to prevent an SQL injection attack? Buffer overflows Input validation XML filtering Lateral movement
B
What protocol is used for a Smurf attack? DNS ICMP TCP SMTP
B
What types of authentication are allowed in a WPA-encrypted network? Handshake and personal Personal and enterprise Enterprise and handshake 802.11 and personal
B
What would be one reason not to write malware in Python? Python interpreter is slow. Python interpreter may not be available. Library support is inadequate. Python is a hard language to learn.
B
What would you use a bluebugging attack for? Identifying Bluetooth devices nearby Listening to a physical space Enabling a phone's camera Gathering data from a target system
B
Which of the social engineering principles is in use when you see a line of people at a vendor booth at a security conference waiting to grab free USB sticks and CDs? Reciprocity Social proof Authority Scarcity
B
Which of these tools would be most beneficial when trying to dynamically analyze malware? Cutter OllyDbg Metasploit AV-Test
B
Why is bluesnarfing potentially more dangerous than bluejacking from the standpoint of the victim? Bluejacking sends while bluesnarfing receives. Bluejacking receives while bluesnarfing sends. Bluejacking installs keyloggers. Bluesnarfing installs keyloggers.
B
Why might you have more endpoints shown at layer 4 than at layer 2? Layer 4 multiplexes layer 2. Systems may initiate multiple connections to the same host. Ports are more numerous than MAC addresses. The IP addresses dictate the endpoints.
B
Why might you have problems with sslstrip? sslstrip is deprecated. sslstrip doesn't work with newer versions of TLS. sslstrip doesn't support TLS. sslstrip only works with Ettercap.
B
Why would you use an encoder when you are creating malware using Metasploit? To compile the malware To evade antivirus To evade user detection To compress the malware
B
Why would you use automated tools for social engineering attacks? Better control over outcomes Reduce complexity Implement social proof Demonstrate authority
B
Why would you use wireless social engineering? To send phishing messages To gather credentials To get email addresses To make phone calls
B
You've received a text message from an unknown number that is only five digits long. It doesn't have any text, just a URL. What might this be an example of? Vishing Smishing Phishing Impersonation
B
At which protocol layer does the Berkeley Packet Filter operate? Internetwork Transport Data Link Protocol
C
If you were to see the following in a packet capture, what attack would you expect is happening? SQL injection Command injection Cross-site scripting Buffer overflow
C
The following shows a time stamp. What does the time of this message reflect? 630 41.897644 192.168.86.210 239.255.255.250 SSDP 750 NOTIFY * HTTP/1.1 [ETHERNET FRAME CHECK SEQUENCE INCORRECT] The time since 1970 The time of day The time since packet start There is no time in the summary
C
What attack injects code into dynamically allocated memory? Buffer overflow Cross-site scripting Heap spraying Slowloris
C
What do we call an ARP response without a corresponding ARP request? Is-at response Who-has ARP Gratuitous ARP IP response
C
What does the malware that is referred to as a dropper do? Drops antivirus operations Drops CPU protections against malicious execution Drops files that may be more malware Drops the malware into the Recycle Bin
C
What information does a buffer overflow intend to control? Stack pointer Frame pointer Instruction pointer Buffer pointer
C
What is one advantage of static analysis over dynamic analysis of malware? Malware is guaranteed to deploy. Dynamic analysis is untrustworthy. Static analysis limits your exposure to infection. Static analysis can be run in virtual machines.
C
What is the primary difference between a worm and a virus? A worm uses polymorphic code. A virus uses polymorphic code. A worm can self-propagate. A virus can self-propagate.
C
What is the primary purpose of polymorphic code for malware programs? Efficiency of execution Propagation of the malware Antivirus evasion Faster compilation
C
What is the purpose of performing a Bluetooth scan? Identifying open ports Identifying available profiles Identifying endpoints Identifying vendors
C
What method might you use to successfully get malware onto a mobile device? Using the Apple Store or Google Play store Using external storage on an Android Using a third-party app store Jailbreaking
C
What part of the encryption process was weak in WEP? Keying Diffie-Hellman Initialization vector Seeding vector
C
What problem does port spanning overcome? Switches don't support layer 3. Switches aggregate ports. Switches filter traffic. Switches are unreliable.
C
What program could be used to perform spoofing attacks and also supports plug-ins? arpspoof fragroute Ettercap sslstrip
C
What tool could you use to clone a website? httclone curl-get wget wclone
C
What tool could you use to generate email attacks as well as wireless attacks? Meterpreter wifiphisher SE Toolkit Social Automator
C
What tool would allow you to run an evil twin attack? Wireshark Ettercap Wifiphisher Aircrack-ng
C
What wireless attack would you use to take a known piece of information in order to be able to decrypt wireless traffic? Sniffing Deauthentication Key reinstallation Evil twin
C
What would be the result of sending the string AAAAAAAAAAAAAAAAA into a variable that has been allocated space for 8 bytes? Heap spraying SQL injection Buffer overflow Slowloris attack
C
What would the Low Orbit Ion Cannon be used for? SQL injection attacks Log management Denial of service attacks Buffer overflows
C
What would you need to do before you could perform a DNS spoof attack? Set up a port span Start up Wireshark ARP spoof Configure sslstrip
C
What would you use Cuckoo Sandbox for? Static analysis of malware Malware development Dynamic analysis of malware Manual analysis of malware
C
Which form of biometrics scans a pattern in the area of the eye around the pupil? Retinal scanning Fingerprint scanning Iris scanning Uvea scanning
C
Which functionality in Wireshark will provide you with percentages for every protocol in the packet capture, ordered by protocol layers? Conversations Endpoints Protocol hierarchy Statistics view
C
Which hardware vendor uses the term SPAN on switches? HP 3COM Cisco Juniper
C
Which of these would be an example of pretexting? Web page asking for credentials A cloned badge An email from a former co-worker Rogue wireless access point
C
Which protocol is commonly used for amplification attacks? TCP SMTP DNS XML
C
Why would someone use a Trojan? It acts as malware infrastructure. It evades antivirus. It pretends to be something else. It's polymorphic.
C
With a rotation of 4, what does erwaiv decrypt to? waive wave answer decrypt
C
You are working on a red-team engagement. Your team leader has asked you to use baiting as a way to get in. What are you being asked to do? Make phone calls Clone a website Leave USB sticks around Spoof an RFID ID
C
Which end of a client/server communication goes on the infected system if it is communicating with infrastructure? _______________
Client
If you were to see the following in a packet capture, what would you think was happening? Cross-site scripting SQL injection Command injection XML external entity injection
D
In the following packet, what port is the source port? 20:45:55.272087 IP yazpistachio.lan.62882 > loft.lan.afs3-fileserver: Flags [P.], seq 915235445:915235528, ack 3437317287, win 2048, options [nop,nop,TS val 1310611430 ecr 1794010423], length 83 lan fileserver yazpistachio 62882
D
What are the two types of wireless networks? Star and ring Bus and hybrid Infrastructure and hybrid Infrastructure and ad hoc
D
What are two sections you would commonly find in a portable executable file? Text and binary Binary and data Addresses and operations Text and data
D
What attack can a proximity card be susceptible to? Tailgating Phishing Credential theft Cloning
D
What element could be used to facilitate log collection, aggregation, and correlation? Log manager Firewall IDS SIEM
D
What is a viable approach to protecting against tailgaiting? Biometrics Badge access Phone verification Man traps
D
What is the target of a cross-site scripting attack? Web server Database server Third-party server User
D
What kind of access point is being used in an evil twin attack? Infrastructure Ad hoc WPA Rogue
D
What protocol is being used in the frame listed in this summary? 719 42.691135 157.240.19.26 192.168.86.26 TCP 1464 443 → 61618 [ACK] Seq=4361 Ack=1276 Win=31232 Len=1398 TSval=3725556941 TSecr=1266252437 [TCP segment of a reassembled PDU] TLS UDP IP TCP
D
What statistic are you more likely to be concerned about when thinking about implementing biometrics? False positive rate False negative rate False failure rate False acceptance rate
D
What technique does a slow read attack use? Small HTTP header requests Small HTTP body requests Small HTTP POST requests Small file retrieval requests
D
What tool could you use to enable sniffing on your wireless network to acquire all headers? Ettercap Tcpdump Aircrack-ng Airmon-ng
D
What would you use VirusTotal for? Checking your system for viruses Endpoint protection As a repository of malware research Identifying malware against antivirus engines
D
What wouldn't you see when you capture wireless traffic that includes radio headers? Capabilities Probe requests SSIDs Network type
D
Which of these would be a reason why it is best for communications to originate from inside the infected network? Antivirus Virtual machines Intrusion detection Firewall
D
Which program would you use if you wanted to only print specific fields from the captured packet? fielddump tcpdump wiredump tshark
D
Which social engineering principle may allow a phony call from the help desk to be effective? Social proof Imitation Scarcity Authority
D