v11
CVSS v3.0 and v3.1 Severity ratings:
None: 0.0 Low: 0.1-3.9 Medium: 4.0-6.9 High: 7.0-8.9 Critical: 9.0-10.0
For which geographic region does ARIN manage IP addresses and ASNs?
North America
Aaron is an administrator for a large company. His primary job function is to mitigate known vulnerabilities in software and applications that are running on networked systems. For which management task is Aaron most likely responsible?
Patch management
Charlie, a hacker, wants to exfiltrate data from a target company. He has created a website that contains malware and has created a phishing email campaign that will direct users to the infected website. He is currently searching for the email addresses of company employees. What phase of the APT lifecycle is Charlie performing?
Preparation
You are using a computer that is equipped with a TPM and runs Windows 10. You enable BitLocker encryption to protect data on the computer's HDD. One day, Windows 10 fails to start. You want to access the data on your HDD. What should you do?
Provide the BitLocker recovery password.
Leslie, a software developer, has chosen to implement a REST API to enable third-party application developers to interact with her company's data back end. Jacinda, who is writing the developer documentation for the new API, asks Leslie about the format in which developers will receive data when their applications make calls to the API. What should Leslie's response to Jacinda be?
REST APIs encode data in either XML format or JSON format.
A hacker studies the website and social media accounts of a potential target for information that might be useful in launching an attack. What phase of the ethical hacking methodology is the hacker conducting?
Reconnaissance (Footprinting)
What is an open-source test automation framework for Android applications?
Robotium
What statement is true regarding the SMB protocol?
SMB is used to enable file and printer sharing without the need for NetBIOS port broadcasting.
Randy is a new network administrator for an organization. After taking inventory of the devices on the network, he determines that several different version of SNMP are in use. He wants to ensure that all devices use a version of SNMP that offers both authentication and encryption. What SNMP version should Randy implement?
SNMPv3
What is a type of vulnerability assessment solution that mimics the perspective of a malicious actor?
Service-based
Jenna, a security professional, is conducting a penetration test against her company's LAN. As part of the test, Jenna performs a VLAN hopping attack. The attack is successful. Jenna documents the successful attack and notes that her company should implement some mitigation techniques that protect the company's VLAN trunks. How did Jenna implement the VLAN hopping attack?
She double-tagged 802.1Q frames.
Evan, a malicious hacker, is attempting to perform a Bluesnarfing attack. What is Evan attempting to do?
Steal information from a Bluetooth device.
What tool does not use precomputed hash values to crack weak passwords?
THC-Hydra - It uses dictionary lists and hybrid brute-force methods to crack passwords.
You are an ethical hacker who is attempting to gather information from network devices. You issue the following command: nmap --script eni-info -sU -p 44818 192.168.92.120 What information will be displayed in the output?
The device type, the vendor ID, and the serial number. If a target device is listening on port 44818, it will send a reply containing the following information: - Device type - Vendor ID - Product name - Serial number - Product code - Revision number - Status - State - IP address
Joseph, an iPhone user, performs a semi-tethered jailbreak on his device. Joseph wants his device to remain jailbroken on subsequent reboots. What will be true?
The device will reboot in a jailbroken state, but loading jailbreak extensions will require a computer.
Levi, a hacker, is attempting to determine the status of a port on a target system. He sends a SYN/ACK packet to a zombie host. The zombie host replies with an ACK packet that has an IPID of 37174. Levi then sends a SYN packet to the target host, spoofing the IP address of the zombie host. Finally, Levi sends another SYN/ACK packet to the zombie host. What should Levi expect from the zombie host if the port on the target host is closed?
The zombie host will reply with IPID 37175.
Dennis is a malicious user who intends to perform a TCP session hijacking attack to send email through a mail server that uses IP addresses for authentication. Before launching the attack, Dennis initiates a connection to the mail server and then cancels the connection as soon as he receives a response. What is the most likely reason Dennis initiated a connection to the mail server?
To determine the mail server's current ISN (Initial Sequence Number).
Jamie, a developer, has been tasked with implementing the first tier of the five-tier container technology architecture for a new application. The first tier of the container technology architecture is also known as the developer systems tier. What best describes Jamie's task?
To generate images and send them to testing and accreditation.
You are a penetration tester who is sniffing SMTP traffic. You notice the following output: EHLO What is the function of this command?
To initiate the SMTP conversation
Many, an attacker is attempting to scan ports on a company's server. However, she wants to avoid detection by the company's IDS. She decides to use Nmap with the -D parameter. What will Nmap do?
Use spoofed source IP addresses
Judith, a network engineer, is upgrading an existing Wi-Fi company network with equipment that supports a widely deployed Wi-Fi encryption standard. Judith is upgrading the network because the company's existing Wi-Fi encryption standard has a weak static 24-bit IV that is sent as clear text over the network. What Wi-Fi encryption standard is Judith replacing?
WEP
What wireless security protocol relies on SAE (Simultaneous Authentication of Equals)and introduces support for PMF (Protected Management Frames)?
WPA3-Personal
Janet, a penetration tester, uses HTTrack Website Copier to mirror a client's website on her local computer. She then examines both the directory structure and source code of the site's files in search of information that might aid her in the penetration test. What is information that Janet might discover about her client by using website mirroring?
Website directory structure that is not obvious to casual users.
Paul, a software developer, has been tasked with replacing an HTTP-based API solution that was first developed in 1998. The API solution uses a call method with a more modern solution. The current solution sends HTTP requests consisting of one or more parameters to a server and receives an HTTP response that contains a single result in XML format. What API is Paul most likely replacing?
XML-RPC (Extensible Markup Language-Remote Procedure Call)
What attack can be used to exploit vulnerabilities in a web application?
XSS attacks
While building a new site for his company, Jeff, a developer, tests a PHP page by loading it in a browser. The browser does not load the page that Jeff expects but instead produces a blank white screen. After examining his file system for a file name MyPhpErrors.log, Jeff notes that the error log files does not exist even though he has configured the server to log errors to a file. Jeff wants to see verbose PHP error messages during his development process but does not need them to be displayed in the browser. What directive in his web server's php.ini file can Jeff adjust to ensure that his error file is created and written to by the PHP process?
error_log
Joseph is examining an application's source code, which is written in C. He wants to determine whether bounds checking is being employed by the code? What C library function performs bounds checking on its input?
fgets()
Ken, a hacker, wants to search for FTP servers on the Internet by using Google dorks. He then hopes to download whatever data exists on the servers that are unprotected. What search query should Ken use to perform his search on Google?
inurl:"ftp://www"
What attack is most likely to be mitigated by DNSSEC?
pharming
What best describes the transfer of data from a laptop to an Android phone?
sideloading
Lisa has been studying command-line penetration testing techniques and has encountered the following code snippet in a security forum: curl -s https://www.boson.com | grep "<a href=\"http" Lisa understands that this command pipeline will pull the boson.com homepage, scan the HTML output for hyperlinks, and then print the matching lines to the screen. However, Lisa would like to further reduce the output to include only the URL contained in each hyperlink. What command pipes should Lisa append to the code snippet to achieve her goal?
| cut -d "\"" -f 2
Corey is an ethical hacker who is attempting to discover all of the active devices behind a restrictive firewall. He decides to send empty TCP packets with the ACK flag set. What Nmap parameter should Corey use?
-PA
Wayne, a hacker, is attempting to discover hosts on a remote network. He assumes that the network is protected by a firewall because he did not receive any replies with a normal ICMP ping scan. Wayne wants to try to bypass the firewall by sending ICMP timestamp requests. What Nmap parameter should Wayne use?
-PP
Kris wants to use Nmap to perform an Xmas scan to discover the status of a port on a remote host. What parameter should Kris use?
-sX
Frankie, a Linux administrator, wants to ensure that all of her custom environment variables, command aliases, and more are removed whenever she completes her work for the day and logs out of her Bash shell. What file should Frankie edit to accomplish her goal?
.bash_logout - It contains configuration commands that are automatically executed when the Linux user logs out of a session.
You are an ethical hacker who is attempting to enumerate devices on a network. You have attached you laptop to the network and have issued the following command from the terminal: hping3 -c 1 -1 10.10.10..255 There are five Linux hosts, five Mac OS X hosts and five Windows 10 hosts in the 10.10.10.0/24 network. All of the hosts are running factory default configurations. How many response should you expect to receive?
10 - Microsoft Window OSs do not allow ICMP
Rick is encrypting some files on a computer. He wants to choose the version of AES that uses the longest key length. What block sizes will be used by AES?
128-bit
Leon is the security administrator for a company. He suspects that an infected IoT device on the network is infecting other IoT devices with Mirai malware. What port should Leon monitor to determine whether a device has been infected?
48101 - This port is used by infected Internet of Things (IoT) devices to infect other IoT devices.
What is SubBrute?
A DNS enumeration tool that recursively crawls enumerated DNS records similar to the way a search engine spider crawls a website. It can enumerate any arbitrary DNS record type, include MX, NS, A, canonical name (CNAME), Start of Authority (SOA), and IP version 6 (IPv6) host (AAAA), and text (TXT) records.
Describe a DROWN attack.
A Decrypting RSA with Obsolete and Weakened eNcryption attack exploits a vulnerability in servers that support SSLv2 connection.
What is Dnsenum?
A Perl script that can be used to enumerate DNS information for a target domain. A malicious actor can extract A records, NS records, and MX records from a DNS server. It can also attempt an AXFR query to determine subdomain information.
What is NetStumbler
A Windows application that can detect wireless traffic on 802.11a, 802.11b, and 802.11g networks but not on 802.11n networks.
David is a hacker who is using a decryption tool to decrypt RSA messages. What attack should David use to exploit a known RSA vulnerability?
A chosen ciphertext attack.
What is Flowmon
A company that provides network flow-based monitoring solutions. It offers tightly integrated solution that offers network security, monitoring, and analysis.
What is Aircrack-ng
A cracking tool for 802.11 WEP and WPA or WPA2 networks. It is commonly used in wireless network assessments to search for weak preshared keys (PSKs) and outdate security mechanisms.
What is IntentFuzzer?
A fuzzing framework for Android Intents. Intents are Inter-process communication (IPC) mechanisms that are used by Android to facilitate intra-app and inter-app communication. It exploits the trust boundary between Android components, such as Activities, Services, Content Providers, and Broadcast Receivers, and seeks to discover new bugs and behaviors.
What rootkit can migrate the OS into a VM?
A hypervisor-level rootkit.
Justin wants to implement a vulnerability management solution that can be implemented as appliances or VMs throughout his organization. Justin wants to ensure that he will effectively have the ability to scan nearly every device in the organization and that none of the target systems will require the installation of scanner-related code? What kind of solution should Justin use to achieve his goal?
A network-based vulnerability scanner.
What is Kismet?
A packet sniffer and intrusion detection system for 802.11 wireless LANs. It sniffs passively and does not inject any packets onto the network. The packet information can be output in a format that can then be imported and examine in Wireshark.
Jeff, a terminated employee, is using binoculars to regularly spy on former coworkers who must enter a numeric combination to enter the glass front doors of a secure building. In addition to monitoring the keypad entries, Jeff notes the number of times per hour that a security guard inside the building is visible through the glass door. Jeff intends to re-create a valid keypad code to enter the building unnoticed by the security guard. What type of attack is Jeff performing?
A reconnaissance attack
What is InstaRecon
A tool that can use Shodan to query for open ports. It is described as a basic digital reconnaissance tool that can perform DNS enumeration.
In 2007, T.J. Maxx experienced an attack that exposed the credit card and debit card numbers of millions of customers. What attack did T.J. Maxx experience?
A wardriving attack
Nicolas is a penetration tester. He wants to determine whether a host is filtered by a stateful firewall. What scan should be perform?
An ACK scan
What is URLFuzzer?
An application that uses fuzzing to seek out hidden files or directories on a web server. It uses a base URL and appends semi-random data.
What best describes a session fixation attack?
An attacker accesses a web application by using the SID value of a logged-in user.
Madeline, an attacker, attempts to perform SQL injection. A custom page is displayed that does not provide any detailed information. What type of SQL injection should Madeline attempt to perform?
Blind-based
You are attempting to brute force the subdomains of a target domain. You want to use the Alexa Top 1 Million subdomains list. What tool should you use?
Bluto
What software vulnerability is the most likely to cause a web browser to send a request that the browser's user does not intend to send?
CSRF (Cross-Site Request Forgery)
Ken clicks a link in an email that appears to take him to a well-known online retailer that is offering a 30 percent discount on smartphone purchases. While browsing the site, Ken decides to take advantage of the offer and clicks a link to add the smartphone to his cart. When he does, he is redirected to a suspicious looking page that requests payment information. What best describes the attack that Ken has experienced?
Clickjacking - Attacker tricks users into clicking a transparent image that is placed over a legitimate link.
Toni, an attacker, is using a botnet to send a flood of illegitimate traffic to TCP port 53 on a company's DNS server. Each DNS query contains the legitimate source address of a bot in the botnet. What attack is Toni deploying?
DNS DDoS
Jerry, an attacker, is performing reconnaissance on an e-commerce website. By using a web browser, Jerry loads the site's sitemap.xml file and examines the text it contains. What type of information is Jerry looking for in the sitemap.xml file?
Detailed information about pages, videos, and other files on the site.
Eric, a cloud security expert, issues the docker pull command. The command is then passed to dockerd, and the required image is pulled from the registry. What component of Docker architecture is Eric using to communicate with Docker?
Docker client
Allison, a terminated employee, knows the domain registrar credentials for her former employer. Allison accesses the registrar account and modifies the name server records for each of the company's public-facing domains. After DNS propagation, Allison is able to establish false payment system accounts, email services, and other servers by using her former employer's domains. What attack is Allison performing?
Domain hijacking - A registrar-level attack in which the name servers that are assigned to resolve a target's top-level domain are modified, thereby redirecting requests for those domains to malicious servers.
Chris, an attacker, is attempting to steal the login credentials of an administrator at a rival company. He is currently in the Command & Control step of the Cyber Kill Chain framework. What following action is Chris most likely to perform?
Establishing two-way communication.
What enables secure FTP connection over TCP ports 20 and 21 if the FTP client requests security from the server?
Explicit FTPS
Grayson, an attacker, is attempting to exfiltrate data from a company. He discovered the email addresses of several employees by searching the Internet. Grayson then created a website that contained malware and developed a phishing email campaign that would direct user to the infected website. He then sent those phishing emails to the company employees. What step of the Cyber Kill Chain framework will occur next?
Exploitation
In 2002, a U.S. law was enacted that required every federal agency to implement information security programs. In 2014, it was update to codify the authority of DHS with regard to the implementation of information security policies. What is this law called?
FISMA
Casey, an attacker, is attempting to perform a DNS cache poisoning attack. He first queries a DNS server for a nonexistent subdomain. What action should Casey perform next?
He should query the authoritative DNS server for the domain.
What scanning techniques typically has the highest initial infection rate for malware?
Hit-list scanning
Drew, an ethical hacker, wants to learn more about specific attacks against cellular network devices. During her research, Drew finds information that describes an active aLTEr attack. What best describes the information that Drew has discovered?
How an attacker simulate a legitimate cellular tower to redirect connections.
Ben, a web developer at a small company, suspect that the company's on-premises web server is experiencing a Slowloris attack. Ben's company maintains one production web server and one staging server. Ben examines output in a terminal window that displays a sample list of the web server's HTTP requests and notices an excessive amount of open connection to the server that appears to be coming from a source that is bypassing DNS. Instead, the attacker is targeting the specific web server by using its public IP address. In response to the attack, Ben decreases the amount of time that a connection is allowed to remain open on the server. His changes seem to make no difference. The web server remains unavailable to legitimate users as the attack continues. What mitigation tactic will Ben most likely pursue next?
Increase server availability
Describe DGA (Domain Generation Algorithm)
It exploits the nature of reputation-based security systems. It is a technique that is commonly used by attackers to ensure that their command and control (C2) systems remain accessible.
Emily is performing a penetration test for an organization. She issues the nbtstat -a BOSON command and analyzes the output. One line of output indicates the NetBIOS code <20> with type UNIQUE. What is the function of this NetBIOS code?
It indicates the PDC for the domain. NetBIOS Code - Type - Description <00> - UNIQUE - Host name <00> - GROUP - Domain name <03> - UNIQUE - Messenger service <1B> - UNIQUE - Domain master browser <1C> - GROUP - Domain controller <1D> - GROUP - Master browser <20> - UNIQUE - Server service
Denise is researching free encryption standards for a new project that is intended to secure files on a file system. After examining the available options, Denise settles on Twofish as the encryption method for her application. What is true about Denise's encryption choice?
It is a symmetric 128-bit block cipher that uses keys of 128 bits or 256 bits in length.
What best describes Web-Stat?
It is a tool that can provide detailed tracking and analysis data for a website.
What best describes the purpose of the single quote (') character in SQL commands?
It is used to denote a character string.
Nate is using public key cryptography to send data to Oscar. When is Nate's private key used?
It is used when Nate adds a digital signature.
Describe Infoga
It provides an open-source tool that can be used to gather email data from a variety of public sources.
Describe ZoomInfo.
It provides tools to assist sales representatives with researching target markets, planning territories, and generating new business leads.
Bill, an attacker, wants to gain shell access to a target system by causing a buffer overflow. He uses MSFvenom to generate shellcode. What best describes the function of the LHOST option?
It specifies the IP address of the attacker.
You verify that TCP port 389 is open between a server and its clients. What are you most likely configuring?
LDAP
CVSS v2.0 Severity ratings:
Low: 0.0-3.9 Medium: 4.0-6.9 High: 7.0-10.0
Matthew, a professional hacker, is looking for open-source software that can be used to browse an LDAP tree. He wants to find a solution that uses Python because the machines he can access are running Linux and do not have a Java interpreter installed. What LDAP browser should Matthew consider?
Luma
Stan is a developer who has been tasked with implementing a TCP/IP publish/subscribe network protocol to transmit information between IoT devices that are being manufactured by Stan's employer. Stan decides to implement a solution that is defined by OASIS and specified in ISO 20922. What technology has Stan decided to implement?
MQTT - Message Queuing Telemetry Transport
Misty, a hacker, is trying to bypass a firewall. She determines that port 53 is open on the firewall. What tool should she use to bypass the firewall?
NSTX - It is used to tunnel IP traffic within Domain Name System (DNS) packets.
Caleb, a security administrator, is performing a wireless assessment. He wants to determine whether any wireless networks within his organization are using weak or outdate security mechanisms. What tool is Caleb least likely to use to achieve his goal?
Netstat
