405 Final

Ace your homework & exams now with Quizwiz!

Fill in the missing piece of the command: Nmap has the ability to generate decoys that make the detection of the actual scanning system become much more difficult. The nmap command to generate decoys is nmap ____ RND:10 target_IP_address

-D

In actively defending against SQL injection attacks, you create queries that have placeholders for values from your users' input. Which of the following SQL injection countermeasures did you implement with these queries?

Prepared statements

You are using Burpsuite to evaluate a new employee portal that will be put into production soon. Based on the highlighted POST traffic and the information in the bottom pane, what can you conclude?

The portal is using HTTP and login information is probably being transmitted in cleartext.

What does the HTTP response message 5xx indicate?

The server did not complete the request.

Which of the following attacks involves modifying the IP packet header and source address to make it look like they are coming from a trusted source?

Spoofing

Which of the following BEST describes a network policy?

A set of conditions, constraints, and settings used to authorize which remote users and computers can or cannot connect to a network.

You are the security analyst working for CorpNet (198.28.1.1). You are trying to see if you can discover weaknesses in your network. You have just run the nmap command shown in the image. Which weakness, if any, was found?

A compromise was found while scanning port 8080.

You have been hired by an organization that has been victimized by session hijacking. What is one of the most important steps you as a security analyst can take to prevent further session hijacking attacks?

Encrypt network traffic.

Which of the following works together by calling on each other, passing data to each other, and returning values in a program?

Function

A security analyst is testing to find SQL injection vulnerabilities. She uses automation of a large volume of random data inserted into the web application's input fields in order to check the output. Which type of testing was done?

Fuzz testing

An attacker has captured the username and password from an executive in your organization through ARP poisoning during an on-path (man-in-the-middle) attack. Which of the following will be MOST likely to stop this form of attack in the future?

Implement HTTPS

Your company has just completed social engineering training for all employees. To test the training's effectiveness, you have been tasked with creating a simple computer virus that creates a file on a user's desktop. Approximately how long will you need to create the virus?

Less than one day

An attacker has, through reconnaissance, discovered the MAC address to Sam Black's computer. Sam is a user in your network with admin privileges. The attacker uses a software tool that allows him or her to mimic Sam's MAC address and use it to access your network. Which type of attack has the attacker performed?

MAC spoofing

Which of the following attacks is a SYN flood attack an example of?

Protocol DDoS

Which type of honeypot is a high-interaction honeypot that is deployed by research institutes, governments, or military organizations to gain detailed knowledge about the actions of intruders?

Research honeypot

Which of the following firewall evasion countermeasures should be implemented to mitigate firewall evasion? (Select two.)

Defense in Depth Filtering an intruder's IP address

Which of the following permissions would take precedence over the others?

Deny Read

Which of the following attack types overflows the server, causing it to not function properly?

DoS

Which of the following is a type of malware that can be purchased in a ready-to-use state, is created to be used with a variety of targets, can be integrated with other malware programs, and can be implemented in stages?

Commodity malware

Which of the following BEST describes steps in an active defense against DDoS attacks?

Train staff for warning signs, allow only necessary outside access to servers, and configure network devices' preexisting mitigation settings, like router throttling.

A security analyst was alerted in real time that there is unusual incoming traffic on the network. The traffic was not and could not be prevented or altered by the program. Which type of program MOST likely sent the alert to the security analyst?

NIDS

Which of the following Windows permissions apply to local files and directories?

NTFS

Which of the following HTTP request/response types is used to request that the web server send data using HTML forms?

POST

In what order are rules in an ACL processed?

Top to bottom

You are in the process of configuring pfSense Suricata as your intrusion detection and prevention system (IDS/IPS). You have just finished configuring the Global Settings and have enable the installation of the ETOpen Emerging Threats rules. To get these rules, select the option tab you must use next.

Updates

Which of the following BEST describes the role of a remediation server?

Works to bring devices up to a minimum security level.

Which of the following Linux permissions allows files to be added or deleted from a directory?

Write

Which Windows command line tool can be used to show and modify a file's permissions?

icacls

Which of the following is a valuable resource for security analysts to find out what the newly discovered Trojan and malware risks are?

it-isac.org

Cisco devices have a special interface called _____, which is designed to act as a blackhole.

null0

Which command is used to allow a string to be copied in the code, but can be exploited to carry out overflow attacks?

strcpy

Which of the following honeypot interaction levels simulates a real OS, its applications, and its services?

Medium

While analyzing network traffic on your company network, you see the following in Wireshark. What appears to be happening?

There is an ICMP flood attack.

Which of the following attacks exploit vulnerabilities in the web application and allows the attacker to compromise a user's interactions with the app?

XSS

Your company has decided to use a Pentbox honeypot to learn which types of attacks may be targeting your site. They have asked you to install and configure the honeypot. You have already installed Pentbox. Which menu allows you to configure the honeypot?

2- Network tools

An attacker performs a successful SQL injection attack against your employer's web application that they use for daily business. What is the MOST likely reason the web application was vulnerable to attack?

Input fields in the comment forms were not being validated.

Which of the following needs to be configured so a firewall knows which traffic to allow or block?

Rules

Which of the following types of attacks involves constructing malicious commands with the goal of modifying a database?

SQL injection

You configure your switches to shut down a port immediately after it being accessed by an unauthorized user. Which type of attack are you trying to prevent?

Sniffing

Which method of malware analysis includes matching signatures, analyzing code without executing it, disassembly, and string searching?

Static analysis

You have just used OWASP ZAP to run a vulnerability scan on your company's site. From the Information window, select the tab that lets you view the vulnerabilities found.

Alerts

You are the security administrator for your organization. You need to provide Mary with the needed access to make changes to the finances.xlsx file located in the Accounting directory. Which of the following permissions should you set for Mary?

Allow Write permission on the finances.xlsx file.

Which of the following BEST describes a DoS fragmentation attack?

An attack in which fake UDP or ICMP packets larger than the MTU are sent to exhaust the processing resources.

Which of the following BEST describes a TCP session hijacking attack?

An attacker sniffs between two machines on a connection-based protocol, monitors the traffic to capture the session ID, terminates the target computer's connection, and injects packets to the server.

You have performed a SQL injection attack against a website using Burp Suite and see the following results. What are you looking for?

Any results that show something unexpected being passed back from the server

Which of the following web server technologies does Linux typically use?

Apache

Which type of web application is designed to work on Android or iOS?

Mobile

The information below is from Wireshark. Which kind of attack is occurring?

A DDoS attack

You are in the process of configuring pfSense Snort as your intrusion detection and prevention system (IDS/IPS). You have configured the options shown in the image, but when you try to save your changes, pfSense won't let you continue. What did you forget to configure?

A Snort Oinkmaster Code was not entered.

Which of the following attack types takes advantage of user input fields on a website?

HTTP response splitting

Which of the following NAC policies is MOST commonly implemented?

Health

File fingerprinting, scanning, string searches, and disassembly are all used to identify malware. When these techniques are used, what is the identifying information called?

Malware signature

Which of the following tools would you use to perform a SYN flood attack?

Metasploit

Which of the following BEST describes the process of verifying that a device meets the minimum health requirements?

Posture assessment

The network IDS has sent alerts regarding malformed messages and sequencing errors. Which of the following IDS detection methods is most likely being used?

Protocol

You are the security analyst for your organization. During a vulnerability analysis, you have discovered what looks to be malware, but it does not match any signatures or identifiable patterns. Which of the following BEST describes the threat you have discovered?

Zero-day

Which of the following uses the TCP/IP stack and is effectively employed to slow down the spread of worms, backdoors, and similar malware?

Layer 4 tarpit

Which of the following is a method of attack that is intended to overload the memory of a network switch, forcing the switch into open-fail mode and thereby causing it to broadcast incoming data to all ports?

MAC flooding

Which of the following blackhole implementations sends traffic going to a specific destination to the blackhole?

Remote blackhole filtering

Some Remote Access Trojans (RATs) install a web server to allow access to the infected machine. Others use a custom application that is run on the remote machine, such as ProRAT. Once infected with this custom application, which other types of infections are possible with this tool installed? (Select two.)

Rootkit Ransomware

Part of a penetration test is checking for malware vulnerabilities. During this process, the penetration tester needs to manually check many different areas of the system. After these checks have been completed, which of the following is the next step?

Run anti-malware scans

Which of the following cyberattacks involves an attacker inserting their own code through a data entry point created for regular users in such a way that the server accepts the malicious code as legitimate?

SQL injection

A new openSSH vulnerability has been discovered. You are tasked with finding all systems running an SSH service on the network. The nmap 192.168.122.0/24 command has been run to find all potentially vulnerable systems, and the output is shown below. Which machines on the following IP addresses will likely need their SSH software updated immediately? (Select two.)

192.168.122.82 192.168.122.1

An attacker sends forged Address Resolution Protocol Reply packets over a LAN to a target machine. These packets include an IP address that matches the gateway's IP address but retains its own MAC address. The target machine then sends all traffic to the attacker's machine, believing it is the gateway. Which type of attack just happened?

ARP poisoning

Which cybersecurity approach seeks to asymmetrically put the odds in the security analyst's favor by using maneuverability of sensitive data, honeypots, and anti-malware programs?

Active defense approach

Jason, an attacker, has manipulated a client's connection to disconnect the real client and allow the server to think that he is the authenticated user. Which of the following describes what Jason has done?

Active hijacking

Which of the following attacks would use the following syntax? http://www.testout.com.br/../../../../ some_dir/ some_file

Directory traversal

Which of the following firewall identification methods uses a TCP packet with a TTL value set to expire one hop past the firewall?

Firewalking

Which of the following is a popular honeypot that can be used to create thousands of other honeypots?

Honeyd

Which of the following should be designed to look and function like a real resource in order attract attackers?

Honeypot

Jake, a security analyst, has been asked to examine the malware found on the company's network. He decides the best place to start is to use a tool to translate the executable files to assembly language so he can understand what the malware can do and what it can impact. Which tool is the BEST choice for Jake to use?

IDA Pro

Which of the following is used to define minimum security requirements a device must meet before it can connect to a network?

NAC

The following steps describe the process for which type of attack? Locate and sniff an active connection between a host and web server. Monitor traffic to either capture or calculate the session ID. Desynchronize the session. Remove the authenticated user. Inject packets to the server.

Session hijacking

While reviewing a machine that a user has reported for strange behavior, you decide to use ipconfig to review its network configuration. Afterward, you see the output shown below. No changes were made manually to the machine's network configuration and all IP configuration is automatic. The proper default gateway for this network segment is 10.10.10.1. Which of the following would explain the output shown

The machine in question is being targeted by a DHCP on-path (man-in-the-middle) attack.

You created a honeypot server using Pentbox. After a while, you go back to the honeypot server to see what it has been capturing. Which of the following can be gleaned from the results shown?

The operating system used by the attacker

While configuring a perimeter firewall on your network using pfSense, you created the rule shown in the image. The intent of the rule is to allow secure traffic coming from the internet through the firewall and to the web server (172.16.1.5) in the DMZ. What have you configured incorrectly?

The source and destination ports should be HTTPs.

Which of the following are uses for the sqlmap utility? (Select two.)

To detect vulnerable web apps To determine SQL server parameters, including version, usernames, operating systems, etc.

There is strong evidence that a machine is compromised on your company network, but you have not determined which computer. You are going to try to pinpoint the host by scanning for any network devices that are in promiscuous mode. Which of the following Nmap scripts would you use?

sniffer-detect

You are the security analyst for a small corporate network. You are concerned that several employees may still be using the unsecured FTP protocol against company policy. You have been capturing data for a while using Wireshark and are now examining the filtered FTP results. You see that several employees are still using FTP. Which user account used the password of lsie*$11?

jsmith

You are in the process of configuring pfSense Snort as your intrusion detection and prevention system (IDS/IPS). You want to ensure that it includes the anti-malware IDS/IPS rule set that enables users with cost constraints to enhance their existing network-based malware detection. Select the option that would add these rule sets.

Click to enable download of Emerging Threats Open rules

Which web application architecture layer includes the physical devices that are used to access the web application?

Client/Presentation

You train your staff to notify you if they notice any of the following signs: - Services are unavailable or very slow - Unexpected 503 error messages - Abnormal spikes in network traffic - Customer complaints about access Which type of attack are you preparing against?

DDoS attack

Which of the following firewall evasion techniques is used to redirect a user to a malicious website?

DNS poisoning

Which of the following should be implemented as protection against malware attacks?

DNS sinkhole

While performing an audit of your company's network, you use Wireshark to sniff the network and then use the tcp contains password command to filter and see the results below. What might you conclude based on these findings?

There is a website that someone on your network logged into that has no encryption.

Drag the possible detection state to the matching description:

The system accurately detected a threat. True-Positive The system accurately detected legitimate traffic and did not flag it. True-Negative The system flagged harmless traffic as a potential threat. False-Positive Malicious traffic is flagged as harmless. False-Negative

You are working with ACLs on your Windows machine and have created some complex permissions with many users and groups defined. Now you want to back up those permissions so that they can be restored in the event of a system failure. What is missing from the below command?

There has been no file name specified.

Which of the following BEST describes a disassembler program?

A program that translates machine code into assembly language, or low-level language.

Which of the following BEST describes a relational database?

A storage bank for data that is organized in tables linked by keys and which can be searched in multiple ways through those keys.

You are configuring a new email server for your organization and need to implement a firewall solution. The firewall will be designed to handle connections to the email server. Which of the following would be the BEST firewall solution?

Bastion host

Which of the following SQL injection attack types uses true/false questions to perform reconnaissance?

Blind injection attack

You have decided to configure an ARP cache poisoning on-path (man-in-the-middle) attack to test a new computer on your network to verify that it connects to required company resources securely. After defining the target hosts in Ettercap and capturing data during several login attempts, you see the following. What should your next step be in checking for a cookie hijacking attack?

Copy the user_token field value and use a cookie copy tool, such as the Google Chrome Copy Cookies extension, to attempt to access the same resource found at the URL listed.

You are the security analyst for your organization. During a vulnerability analysis, you have noticed the following: File attributes being altered Unknown .ozd files Files that do not match the existing naming scheme Changes to the log files Which of the following do these signs indicate has occurred?

Host-based intrusion

After a sniffing attack has been discovered on an organization's large network, Jim, a security analyst, has been asked to take steps to secure the network from future attacks. The organization has multiple buildings and departments. Which of the following is the BEST step Jim could take to make the network more secure?

Implement switched networks.

John creates an account and creates a listing for the sale of his home. He uses HTML tags to bold important words. Chris, an attacker, spots John's listing and notices the bolded words. Chris assumes HTML tags are enabled on the user end and uses this vulnerability to insert his own script, which will send him a copy of the cookie information for any user who looks at the ad. Which type of attack method is Chris most likely using?

Cross-site scripting

In 2016, an attacker used a botnet of security cameras, DVRs, and network printers to target a cloud-based internet performance management organization that provided DNS services to large corporations. This created connectivity issues for legitimate users across the United States and Europe. Which type of attack was MOST likely used in this scenario?

DDoS attack

A suspicious program is run in a controlled environment, where a security analyst monitors the program's execution to track the effect it has on computer resources, like its operating system. The analyst can set breakpoints or pause the program for reports on memory content, storage devices, or CPU registers. Which reverse engineering tool is the analyst using?

Debugger

You have just finished creating several network polices using the Network Policy Server (NPS) as shown in the image. Vera belongs to the Sales, Marketing, and Research groups. What kind of access will Vera have?

She will be granted access because she belongs to the Sales group, and that group is evaluated first.

An attack targets ICMP protocol vulnerabilities and is conducted by creating ICMP echo request packets using the spoofed IP address of the target machine. It then sends packets to the broadcast address network, which results in numerous devices responding with replies to the target's IP address, disabling it. Which type of attack is this?

Smurf DDoS attack

An attacker wants to use a SQL injection attack against your web application. Which of the following can provide useful information to the attacker about your application's SQL vulnerabilities?

Error messages

What is a likely motivation for DoS and DDoS attacks?

Injury of the target's reputation

A security analyst discovers that a system has been compromised through the building's thermostat. Which type of attack is this compromise from?

IoT Trojan

You discover that your network is under a DDoS SYN flood attack. Which of the following DDoS attack methods does this fall under?

Protocol DDoS

Which of the following is an attack where injected script is immediately mirrored off a web server when a user inputs data in a form or search field?

Reflected cross-site scripting

You are testing a compromised machine on an isolated network, and you find a web server running on an open port. When you browse to it, you see the following information. Which kind of infection does this computer have?

Remote Access Trojan

Which type of malware can infect the core of an operating system, giving an attacker complete control of the entire system remotely, including the ability to change code?

Rootkit

A retail company is getting complaints from customers about how long product pages are taking to load, which is causing a decline in sales. Which of the following actions should you take first to discover the source of the problem?

Run a network bandwidth test on the company's network to determine if there are any anomalies.

Drag the vulnerability to the appropriate mitigation technique.

Run all processes using the least privileged account. Use secure web permissions and access control mechanisms. Unused User Accounts and Services Disable the directory listing option and remove the ability to load non-web files from a URL File and Directory Management Use scripts and systems to compare file hash values with the master value to detect possible changes. Website Changes Remove user input fields when possible. HTTP Response Splitting Attacks

Tom, a security analyst, is notified by Karen, an employee, that her work iPad has some setting changes and a new app that she didn't download. What is the first step Tom should take?

Run an antivirus software scan on Karen's device and scan the entire network.

The field in the image below is supposed to return just the username associated with the user ID (a number). The output in the image, however, includes more information, including the username running the database. What is being exploited here?

SQL injection

Which of the following frame (packet) subtrees would you expand in order to view the POST data that was captured by Wireshark?

The HTML Form URL Encoded: subtree would have the POST data

Which IPsec method is the most used and protects an entire packet by wrapping it with a new IP header, encrypting it, and then sending it on to the receiving host?

Tunnel mode

A machine on your network has been infected with a crude ransomware application. You have obtained a copy of the software and are reverse engineering it with Ghidra. You are hoping that the password for the software is hard-coded into the application. You are presented with the default view in Ghidra, which displays the assembly (machine) code for the application. What might you do next to locate the password?

Use a string search looking for "password" and its variants.

You have just run the nmap command shown below. Which vulnerabilities were found on the target firewall?

VPN

A security analyst is working to discover zero-day attacks before the system is compromised. What is one method for discovering these types of attacks that the security analyst should try?

Write rules in a program like YARA that recognizes similar patterns of code found in other malware and flags them if they interact with the system.

A Windows machine in your office has been sending and receiving more traffic than usual, and a user is complaining that it has a slow connection. Your manager would like statistics on all protocol traffic to and from that machine over Ethernet. The netstat command can do that, but you need to know the switch that will give an output similar to what is shown below. Which command and options should you use?

netstat -e -s

You are reviewing packets captured by a co-worker. The traffic is from a Linux server that hosts private customer data, and your job is to analyze the content for potential security risks. The .pcap file appears to be a bit small for what you wanted. (It contains traffic to and from the target system during a given time period.) Some of that traffic is shown below. You suspect that only SSH traffic is represented in this capture, which was done with tcpdump. What command do you think your co-worker used to capture only SSH traffic?

tcpdump port 22


Related study sets

Marketing chapter 12 practice questions

View Set

Substance Related and Addictive Disorders

View Set

Suaugusių vertinimas - Gudaitė iki 80psl

View Set

ATI Pharmacology Practice Assessment (Analgesic and F&E Meds)

View Set

Exam #2 (CH 43 - Patients With Musculoskeletal Trauma)

View Set

Module 2, 2.1.1 Python Functions

View Set

B: Matrices and Rational Functions

View Set

QUIZ "The Love Song of J. Alfred Prufrock" by T.S. Eliot

View Set