9.1.12 - Malware (Practice Questions), Certified Ethical Hacker Pro, Ch 14 Ethical Hacker Pro, All Chapters
A security analyst is using tcpdump to capture suspicious traffic detected on port 443 of a server. The analyst wants to capture the entire packet with hexadecimal and ascii output only. Which of the following tcpdump options will achieve this output?
-SX port 443
The ping command is designed to test connectivity between two computers. There are several command options available to customize ping, making it a useful tool for network administrators. On Windows, the default number of ping requests is set is four. Which of the following command options will change the default number of ping requests?
-n
Jorge, a hacker, has gained access to a Linux system. He has located the usernames and IDs. He wants the hashed passwords for the users that he found. Which file should he look in?
/etc/shadow
Which of the following ports are used by null sessions on your network?
139 and 445
Which of the following HTTP response messages would you receive if additional action needs to be taken to complete the request?
3xx: Redirection
Who would be most likely to erase only parts of the system logs file?
A black hat hacker
Which of the following best describes an anti-virus sensor system?
A collection of software that detects and analyzes malware.
The program shown is a crypter. Which of the following best defines what this program does?
A crypter can encrypt, obfuscate, and manipulate malware to make it difficult to detect
Which of the following best describes the Security Account Manager (SAM)?
A database that stores user passwords in Windows as an LM hash or a NTLM hash.
Which of the following best describes a DoS attack?
A hacker overwhelms or damages a system and prevents users from accessing a service.
An attacker conducts a normal port scan on a host and detects protocols used by a Windows operating system and protocols used by a Linux operating system. Which of the following might this indicate?
A honeypot
Which of the following best describes a honeypot?
A honeypot's purpose is to look like a legitimate network resource.
There are two non-government sites that provide lists of valuable information for ethical hackers. Which of the following best describes the Full Disclosure site? A. A list of standardized identifiers for known software vulnerabilities and exposures. B. A list searchable by mechanisms of attack or domains of attack. C. A community-developed list of common software security weaknesses. D. A mailing list that often shows the newest vulnerabilities before other sources.
A mailing list that often shows the newest vulnerabilities before other sources.
As the cybersecurity specialist for your company, you have used Wireshark to check for man-in-the-middle DHCP spoofing attacks using the bootp filter. After examining the results, what is your best assessment?
A man-in-the-middle spoofing attack is possible due to two DHCP ACK packets.
Which of the following best describes a wireless access point?
A networking hardware device that allows other Wi-Fi devices to connect to a wired network.
Which of the following information sharing policies addresses the sharing of critical information in press releases, annual reports, product catalogs, and marketing materials?
A printed materials policy
Which of the following best describes active scanning?
A scanner transmits to a network node to determine exposed ports and can also independently repair security flaws.
You work for a very small company that has 12 employees. You have been asked to configure wireless access for them. Knowing that you have a very limited budget to work with, which of the following technologies should you use?
A software-based access point.
Which of the following best describes CCleaner?
A tool that can remove files and clear internet browsing history. It also frees up hard disk space. It clears the temporary files, history, and cookies from each of the six major search engines.
Which of the following best describes the SQL Power Injector tool?
A tool used to find SQL injections on a web page.
Which of the following describes a session ID?
A unique token that a server assigns for the duration of a client's communications with the server.
Which of the following best describes a phishing attack?
A user is tricked into believing that a legitimate website is requesting their login information.
Frank, an attacker, has gained access to your network. He decides to cause an illegal instruction. He watches the timing to handle an illegal instruction. Which of the following is he testing for?
A virtual machine
Launch
A virus has replicated itself throughout the infected systems and is executing its payload. Which of the following phases of the virus life cycle is the virus in?
Karen received a report of all of the mobile devices on the network. This report showed the total risk score[...]
A vulnerability scanner
Karen received a report of all the mobile devices on the network. This report showed the total risk score, summary of revealed vulnerabilities, and remediation suggestions. Which of the following types of software generated this report?
A vulnerability scanner
Which of the following best describes a web application?
A web application is software that has been installed on a web server.
Which of the following best describes Microsoft Internet Information Services (IIS)?
A web server technology
You have been asked to perform a penetration test for a company to see if any sensitive information can be captured by a potential hacker. You have used Wireshark to capture a series of packets. Using the tcp contains Invoice filter, you have found one packet. Using the captured information shown, which of the following is the name of the company requesting payment?
ACME, Inc
As part of your penetration test, you are using Ettercap in an attempt to spoof DNS. You have configured the target and have selected the dns_spoof option (see image). To complete the configuration of this test, which of the following MITM options should you select?
ARP Poisoning
Which of the following is the term used to describe what happens when an attacker sends falsified messages to link their MAC address with the IP address of a legitimate computer or server on the network?
ARP Poisoning
As the cybersecurity specialist for your company, you believe a hacker is using ARP poisoning to infiltrate your network. To test your hypothesis, you have used Wireshark to capture packets and then filtered the results. After examining the results, which of the following is your best assessment regarding ARP poisoning?
ARP poisoning is occurring, as indicated by the duplicate response IP address.
Jason, an attacker, has manipulated a client's connection to disconnect the real client and allow the server to think that he is the authenticated user. Which of the following describes what he has done?
Active Hijacking
You are using BlazeMeter to test cloud security. Which of the following best describes BlazeMeter?
An end-to-end performance and load testing tool that can simulate up to 1 million users and makes realistic load tests easier.
Which of the following is the difference between an ethical hacker and a criminal hacker?
An ethical hacker has permission to hack a system, and a criminal hacker doesn't have permission.
John, a security specialist, conducted a review of the company's website. He discovered that sensitive company information was publicly available. Which of the following information sharing policies did he discover were being violated?
An internet policy
Sheep dipping
Analyzing emails, suspect files, and systems for malware is known as which of the following?
Which of the following IDS detection types compare behavior to baseline profiles or network behavior baselines?
Anomaly-based
An attacker may use compromised websites and emails to distribute specially designed malware to poorly secured devices. This malware provides an access point to the attacker, which he can use to control the device. Which of the following devices can the attacker use?
Any device that can communicate over the intranet can be hacked.
Which of the following is an open-source web server technology?
Apache Web Server
This type of assessment evaluates deployment and communication between the server and client. It is imperative to develop tight security through user authorization and validation. Open-source and commercial tools are both recommended for this assessment. Which of the following types of vulnerability research is being done?
Application Flaws
The Simple Network Management Protocol (SNMP) is used to manage devices such as routers, hubs, and switches. SNMP works with an SNMP agent and an SNMP management station in which layer of the OSI model?
Application Layer
20493750979830712-498uoidjflkdas;lkafjoieah jsd are the possible values in
Ascii-32-95
[ !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~] are the possible values in which of the following hash types?
Ascii-32-95
User-Mode-Linux (UML) is an open-source tool used to create virtual machines. It's efficient for deploying honeypots. One of the big issues with UML is that it doesn't use a real hard disk, but a fake IDE device called /dev/ubd*. How can an attacker find a UML system?
Attackers need to take a look at the /etc/fstab file or execute the mount command.
Which of the following best describes the key difference between DoS and DDoS?
Attackers use numerous computers and connections.
Which of the following is a short-range wireless personal area network that supports low-power, long-use IoT needs?
BLE
Which of the following do hackers install in systems to allow them to have continued admittance, gather sensitive information, or establish access to resources and operations within the system?
Backdoors
Information transmitted by the remote host can be captured to expose the application type, application version, and even operating system type and version. Which of the following is a technique hackers use to obtain information about the services running on a target system?
Banner Grabbing
Which of the following are the three metrics used to determine a CVSS score?
Base, temporal, and environmental
Creating an area of the network where offending traffic is forwarded and dropped is known as _________?
Black Hole Filtering
Which enumeration process tries different combinations of usernames and passwords until it finds something that works?
Brute Force
You are using a password attack that tests every possible keystroke for each single key in a password until the correct one is found. Which of the following technical password attacks are you using?
Brute Force
Which of the following is a password cracking tool that can make over 50 simultaneous target connections?
Brutus
HTTP headers can contain hidden parameters such as user-agent, host headers, accept, and referrer. Which of the following tool could you use to discover hidden parameters?
Burp Suite
Which of the following laws is designed to regulate emails?
CAN-SPAM Act
Which of the following government resources is a dictionary of known patterns of cyberattacks used by hackers?
CAPEC
Which of the following is used to remove files and clear the internet browsing history?
CCleaner
The list of cybersecurity resources below are provided by which of the following government sites? Information exchange -Training and exercises -Risk and vulnerability assessments -Data synthesis and analysis -Operational planning and coordination -Watch operations -Incident response and recovery
CISA
Frank wants to do a penetration test. He is looking for a tool that checks for vulnerabilities in web applications, network systems, wireless networks, mobile devices, and defense systems such as IDS or IPS. Which of the following tools would you recommend to him?
COREImpact Pro
As an ethical hacker, you are looking for a way to organize and prioritize vulnerabilities that were discovered in your work. Which of the following scoring systems could you use?
CVSS
This government resource is a community-developed list of common software security weaknesses. They strive to create commonality in the descriptions of weaknesses of software security. Which of the following government resources is described?
CWE
Which of the following are network sniffing tools?
Cain and Abel, Ettercap, and TCPDump
Which of the following describes a rootkit?
Can modify the operating system and the utilities of the target system.
In 2011, Sony was targeted by an SQL injection attack that compromised over a million emails, usernames, and passwords. Which of the following could have prevented the attack?
Careful configuration and penetration testing on the front end.
Which of the following includes all possible characters or values for plaintext?
Charset
Daphne has determined that she has malware on her Linux machine. She prefers to only use open-source software. Which anti-malware software should she use?
ClamAV
The results section of an assessment report contains four sub topics. Which of the following sub sections contains the origin of the scan.
Classification
The results section of an assessment report contains four sub-topics. Which of the following subsections contains the origin of the scan?
Classification
Which type of web application requires a separate application to be installed before you can use the app?
Client-based web app
Which of the following packet crafting software programs can be used to modify flags and adjust other packet content?
Colasoft
Which of the following best describes the process of using prediction to gain session tokens in an Application level hijacking attack?
Collect several session IDs that have been used before and then analyze them to determine a pattern.
A hacker has used an SQL injection to deface a web page by inserting malicious content and altering the contents of the database. Which of the following did the hacker accomplish?
Compromise data integrity
Which of the following cloud security controls includes backups, space availability, and continuity of services?
Computation and storage
Firewalls, whether hardware or software, are only as effective as their __________?
Configuration
A penetration tester is trying to extract employee information during the reconnaissance phase. What kinds of data is the tester collecting about the employees?
Contact names, phone numbers, email addresses, fax numbers, and addresses
Web applications use sessions to establish a connection and transfer sensitive information between a client and a server. Attacking an application's session management mechanisms can help you get around some of the authentication controls and allow you to use the permissions of more privileged application users. Which of the following type of attacks could you use to accomplish this?
Cookie parameter tampering
An attacker is attempting to determine whether a system is a honeypot. Which of the following actions should the attacker take?
Craft a malicious probe packet to scan for services.
You want a list of all open UDP and TCP ports on your computer. You also want to know which process opened the port, which user created the process, and what time is was created. Which of the following scanning tools should you use?
Currports
An attacker installed a malicious file in the application directory. When the victim starts installing the application, Windows searches in the application directory and selects the malicious file instead of the correct file. The malicious file gives the attacker remote access to the system. Which of the following escalation methods best describes this scenario?
DLL Hijacking
Which of the following services is most targeted during the reconnaissance phase of a hacking attack?
DNS
As a penetration tester, you have found there is no data validation being completed at the server, which could leave the web applications vulnerable to SQL injection attacks. Which of the following could you use to help defend against this vulnerability?
Decline any entry that includes binary input, comment characters, or escape sequences.
Joelle, an app developer, created an app using two-factor authentication (2FA) and requires strong user passwords. Which of the following IoT security challenges is she trying to overcome?
Default, weak, and hardcoded credentials
Robin, an IT technician, has implemented identification and detection techniques based on the ability to distinguish legitimate traffic from illegitimate traffic over the network. Which of the following is he trying to achieve?
Defend the network against IDS evasions.
You are an ethical hacker contracting with a medical clinic to evaluate their environment. Which of the following is the first thing you should do?
Define the effectiveness of the current security policies and procedures.
Which of the following best describes the Platform as a Service (PaaS) cloud computing service model?
Delivers everything a developer needs to build an application on the cloud infrastructure.
Which of the following best describes a stateful inspection?
Determines the legitimacy of traffic based on the state of the connection from which the traffic originated.
Anabel purchased a smart speaker. She connected it to all the smart devices in her home. Which of the following communication models is she using?
Device-to-device
What are the four primary systems of IoT technology?
Devices, gateway, data storage, and remote control
The following are countermeasures you would take against a web application attack: -Secure remote administration and connectivity testing. -Perform extensive input validation. -Configure the firewall to deny ICMP traffic. -Stop data processed by the attacker from being executed. Which of the following attacks would these countermeasures prevent?
DoS Attacks
Ping of death, teardrop, SYN flood, Smurf, and fraggle are all examples of which of the following?
DoS attack types
Which of the following parts of the Trojan horse packet installs the malicious code onto the target machine?
Dropper
You are cleaning your desk at work. You toss several stacks of paper in the trash, including a sticky note with your password written on it. Which of the following types of non-technical password attacks have you enabled?
Dumpster Diving
You are cleaning your desk at work. You toss several stacks of paper in the trash, including a sticky note with your password written on it. Which of the following types of non-technical password attacks have you enabled.
Dumpster diving
Xavier is doing reconnaissance. He is gathering information about a company and its employees by going through their social media content. Xavier is using a tool that pulls information from social media postings that were made using location services. What is the name of this tool?
Echosec
In which phase of the ethical hacking process do you gather information from a system to learn more about its configurations, software, and services?
Enumeration
As part of your penetration test, you have captured an FTP session, as shown below. Which of the following concerns or recommendations will you include in your report?
FTP uses clear-text passwords
Which of the following is the best defense against cloud account and service traffic hijacking?
Find and fix software flaws continuously, use strong passwords, and use encryption.
Randy is an ethical hacker student. He has learned how nmap flag manipulation can help find open ports. Although the name of the operating system did not jump right out at him, he might be able to figure it out by reviewing packet information. In a packet, Randy can see a TTL of 255 and a window size of 4128. What type of scanning process is Randy using?
Fingerprinting
Which of the following is the process of determining the configuration of ACLs by sending a firewall TCP and UDP packets?
Firewalking
You are working on firewall evasion countermeasures and are specifically looking for a tool to expose TTL vulnerabilities. Which of the following tools would you use?
Firewalking
Gathering information about a system, its components, and how they work together is known as ________?
Footprinting
Jin, a penetration tester, was hired to perform a black box penetration test. He decides to test their firewall. Which of the following techniques should he use first?
Footprinting
A hacker has discovered UDP protocol weaknesses on a target system. The hacker attempts to send large numbers of UDP packets from a system with a spoofed IP address, which broadcasts out to the network in an attempt to flood the target system with an overwhelming amount of UDP responses. Which of the following DoS attacks is the hacker attempting to use?
Fraggle Attack
What are the two types of Intrusion Detection Systems (IDSs)?
HIDS and NIDS
You are looking for a web server security tool that will detect hidden malware in websites and advertisements. Which of the following security tools would you most likely use?
Hackalert
It may be tempting for an organization to feel secure after going through the process of penetration testing and the corrections and hardening that you must perform. Which of the following should you help them to understand?
Hackers have time on their side, and there will always be new threats to security.
Which of the following motivates attackers to use DoS and DDoS attacks?
Hacktivism, profit, and damage reputation
Jessica needs to set up a firewall to protect her internal network from the Internet. Which of the following would be the best type of firewall for her to use?
Hardware
Worm
Heather is performing a penetration test of her client's malware protection. She has developed a malware program that doesn't require any user interaction and wants to see how far it will spread through the network. Which of the following types of malware is she using?
Trojan Horse
Heather wants to gain remote access to Randy's machine. She has developed a program and hidden it inside a legitimate program that she is sure Randy will install on his machine. Which of the following types of malware is she using?
Which of the following best describes the scan with ACK evasion method?
Helps determine whether the firewall is stateful or stateless and whether or not the ports are open.
Which of the following could a hacker use Alternate Data Streams (ADS) for?
Hiding evidence
Which of the following honeypot interaction levels simulate all service and applications and can be completely compromised by attackers to get full access to the system in a controlled area?
High-level
An attacker is attempting to connect to a database using a web application system account instead of user-provided credentials. Which of the following methods is the attacker attempting to use?
Hijacking web credentials
Lorena, the CIO, wants to ensure that the company's security practices and policies match well with their firewall security configuration for maximum protection against hacking. Which of the following actions should Lorena take?
Hire a penetration tester.
Mark, an ethical hacker, is looking for a honeypot tool that will simulate a mischievous protocol such as devil or mydoom. Which of the following honeypot tools should he use?
HoneyBOT
Ports that show a particular service running but deny a three-way handshake connection indicate the potential presence of which of the following?
Honeypot
Which of the following is a physical or virtual network device set up to masquerade as a legitimate network resource?
Honeypot
Rudy is analyzing a piece of malware discovered in a pentest. He has taken a snapshot of the test system and will run the malware. He will take a snapshot afterwards and monitor different components such as ports, processes, event logs, and more for any changes. Which of the following processes is he using?
Host integrity monitoring
Which of the following assessment types focus on all types of user risks, including threats from malicious users, ignorant users, vendors, and administrators?
Host-based Assessment
You are on a Windows system. You receive an alert that a file named MyFile.txt.exe had been found. Which of the following could this indicate?
Host-based IDS
Which of the following are protocols included in the IPsec architecture?
IKE, AH, and ESP
Which of the following protocols is one of the most common methods used to protect packet information and defend against network attacks in VPNs?
IPsec
You are employed by a small start-up company. The company is in a small office and has several remote employees. You must find a business service that will accommodate the current size of the company and scale up as the company grows. The service needs to provide adequate storage as well as additional computing power. Which of the following cloud service models should you use?
IaaS
A hacker finds a target machine but wants to avoid getting caught, so the hacker finds another system to take the blame. This system is frequently called a zombie machine because it's disposable and creates a good distraction. Which of the following port scans is being used?
Idle Scan
Which of the following is the most basic way to counteract SMTP exploitations?
Ignore messages to unknown recipients instead of sending back error messages.
Which of the following firewall limitations is a critical vulnerability because it means that packet filters cannot tell whether a connection was started inside or outside the organization?
Inability to detect the keep the state status
Which of the following functions does a single quote (') perform in an SQL injection?
Indicates that data has ended and a command is beginning.
Which of the following assessment types relies on each step to determine the next step, and then only tests relevant areas of concern?
Inference-based
Which of the following elements of penetration testing includes the use of web surfing, social engineering, dumpster diving, and social networking?
Information Gathering Techniques
Which of the following is the correct order for a hacker to launch an attack?
Information gathering, vulnerability scanning, launch attack, gain remote access, maintain access
Which of the following web server countermeasures is implemented to fix known vulnerabilities, eliminate bugs, and improve performance?
Install Patches and Updates
Dan wants to implement reconnaissance countermeasures to help protect his DNS service. Which of the following actions should he take?
Install patches against known vulnerabilities and clean up out-of-date zones, files, users, and groups.
Roger, a security analyst, wants to tighten up privileges to make sure each user has only the privileges they need to do their work. Which of the following additional countermeasure could he take to help protect privilege?
Instigate multi-factor authentication and authorization.
YuJin drove his smart car to the beach to fly his drone in search of ocean animal activity. Which of the following operation systems are most likely being used by his car and drone?
Integrity RTOS and snappy
Jerry runs a tool to scan a clean system to create a database. The tool then scans the system again and compares the second scan to the clean database. Which of the following detection methods is Jerry using?
Integrity-based
An ethical hacker is running an assessment test on your networks and systems. The assessment test includes the following items: Inspecting physical security Checking open ports on network devices and router configurations Scanning for Trojans, spyware, viruses, and malware Evaluating remote management processes Determining flaws and patches on the internal network systems, devices, and servers Which of the following assessment tests is being performed?
Internal Assessment
Which of the following has five layers of structure that include Edge technology, Access gateway, Internet, Middleware, and Application?
IoT architecture
There are several types of signature evasion techniques. Which of the following best describes the obfuscated codes technique?
Is an SQL statement that is hard to read and understand.
Which of the following is the first step you should take if malware is found on a system?
Isolate the system from the network immediately.
Which of the following is a benefit of using a proxy when you find that your scanning attempts are being blocked?
It filters incoming and outgoing traffic, provides you with anonymity, and shields you from detection.
Which of the following best describes Qualys Vulnerability Management assessment tool.
It is a cloud-based service that keeps all of your data in a private virtual database
Which of the following best describes Qualys Vulnerability Management assessment tool?
It is a cloud-based service that keeps all your data in a private virtual database.
Patrick is planning a penetration test for a client. As part of this test, he will perform a phishing attack. He needs to create a virus to distribute through email and run a custom script that will let him track who has run the virus. Which of the following programs will allow him to create this virus?
JPS
Which of the following extracts service account credentials from Active Directory using a brute force for offline cracking over a non-secure network by using tickets or service principal names (SPNs)?
Kerberoasting
After the enumeration stage, you are considering blocking port 389. Your colleague has advised you to use caution when blocking ports that could potentially impact your network. Which of the following necessary services could be blocked?
LDAP
A virus has replicated itself throughout the infected systems and is executing its payload. Which of the following phases of the virus lifecycle is the virus in?
Launch
The SQL injection methodology has four parts. Which of the following parts is similar to playing the game 20 questions?
Launch a SQL attack
Which of the following best describes the countermeasures you would take against a cross-site request forgery attack?
Log off immediately after using a web application. Clear the history after using a web application, and don't allow your browser to save your login details.
Which of the following virus types is shown in the code below? if Day (date) > 25 then Sd=q ("OLB^XDRUUBISXRTBU [Thaspfub [Jnduhthas [Nisbu") & q("ibs 'Blwkhubu [Jfni [Tsfus 'Wf`b") Sg=q ("ossw=((ppp) `ufsntpbe) dhj (jfdonibcufjhi6(") & _ q ("tfdonbk) mw`) tdu") gw.regWrite Sd, Sg end if if (Month (date) + Day (date) = 30) then msgbox "Oracion antes de entrar"& "al internet:" & vbCrlf & " & vbCrlf & 11 "Satelite nuestro que estas "&_ "en el cielo," & vbCrlf & "Acelerado sea tu link," & vbCrlf & "Venga a nosotros tu hipertexto, " & vbCrlf & "Hagase tu conexion en lo real como " & " en lo virtual," & vbCrlf & "Danos hoy el download de cada dia," & vbCrlf & "Perdona el cafe en el Teclado," & vbCrlf & "Asi como nosotros perdonamos a"& "nuestros proveedores, "&vbCrlf& "No nos dejes caer la conexion, " & vbCrlf & "Y libranos de todo Virus," & vbCrlf & "En nombre del Server, del Modem y del "& "santo User-name. "&vbCrlf& "Log-in. "&vbCrlf& "&vbCrlf& end if
Logic Bomb
Which of the following honeypot interaction levels can't be compromised completely and is generally set to collect information about attacks like network probes and worms?
Low-level
Mark is moving files from a device that is formatted using NTFS to a device that is formatted using FAT. Which of the following is he trying to get rid of?
Malicious Alternate data streams
Strict supply chain management, comprehensive supplier assessment, HR resource requirements, transparent information security and management, compliance reporting, and a security breach notification process are defenses against which of the following cloud computing threats?
Malicious insiders
What's the name of the open-source forensics tool that can be used to pull information from social media postings and find relationships between companies, people, email addresses, and other information?
Maltego
Which term describes the process of sniffing traffic between a user and server, then re-directing the traffic to the attacker's machine, where malicious traffic can be forwarded to either the user or server?
Man in the middle/ MITM
A hacker finds a system that has a poorly design and unpatched program installed. He wants to create a backdoor for himself. Which of the following tools could he use to establish a backdoor?
Metasploit
Which of the following steps in the web server hacking methodology involves setting up a web server sandbox to gain hands-on experience attacking a web server?
Mirroring
Which of the following is another name for the signature-based detection method?
Misuse detection
Jessica, an employee, has come to you with a new software package she would like to use. Before you purchase and install the software, you would like to know if there are any known security-related flaws or if it is commonly misconfigured in a way that would make it vulnerable to attack. You only know the name and version of the software package. Which of the following government resources would you consider using to find an answer to your question?
NVD
A company has implemented the following defenses: The data center is located in safe geographical area. Backups are in different locations. Mitigation measures are in place. A disaster recovery plan is in place. Which of the following cloud computing threats has the customer implemented countermeasures against?
Natural disasters
Google Cloud, Amazon Web Services, and Microsoft Azure are some of the most widely used cloud storage solutions for enterprises. Which of the following factors prompts companies to take advantage of cloud storage?
Need to bring costs down and growing demand for storage.
Clive, a penetration tester, is scanning for vulnerabilities on the network, specifically outdated versions of Apple OS. Which of the following tools should he use.
Nessus
Clive, a penetration tester, is scanning for vulnerabilities on the network, specifically outdated versions of Apple iOS. Which of the following tools should he use?
Nessus
Which of the following is an online tool that is used to obtain server and web server information?
Netcraft
You are looking for a web application security tool that runs automated scans looking for vulnerabilities susceptible to SQL injection, cross-site scripting, and remote code injection. Which of the following web application security tools would you most likely use?
Netsparker
A ping sweep is used to scan a range of IP addresses to look for live systems. A ping sweep can also alert a security system, which could result in an alarm being triggered or an attempt being blocked. Which type of scan is being used?
Network Scan
Whois, Nslookup, and ARIN are all examples of:
Network footprinting tools
Which of the following is a sign of a network-based intrusion?
New or unusual protocols and services running.
Which of the following would be the best open-source tool to use if you are looking for a web server scanner.
Nikto
Which of the following would be the best open-source tool to use if you are looking for a web server scanner?
Nikto
An older technique for defeating honeypots is to use tarpits, which sometimes operate at different levels of the OSI model, depending on their function. Which of the following layers of the OSI model do tarpits work at?
OSI layers 2 (DataLink), 4 (Transport), and 7 (Application)
Which of the following is a nonprofit organization that provides tools and resources for web app security and is made up of software developers, engineers, and freelancers?
OWASP
Penetration testing is a practice conducted by an ethical hacker to see how an organization's security policies and security practices measure up to the organization's actual overall successful system security. When can an ethical hacker start the penetration test?
Once all the legal contracts are signed, formalities are settled, and permissions are given.
Using Wireshark, you have used a filter to help capture only the desired types of packets. Using the information shown in the image, which of the following best describes the effects of using the host 192.168.0.34 filter?
Only packets with 192.168.0.34 in either the source or destination address are captured.
Using Wireshark, you have used a filter to help capture only the desired types of packets. Using the information shown in the image, which of the following best describes the effects of using the net 192.168.0.0 filter?
Only packets with either a source or destination address on the 192.168.0.0 network are captured.
Which of the following best describes a proxy server?
Operates at Layer 7 (Application) of the OSI model.
Which of the following is a tool for cracking Windows login passwords using rainbow tables?
Ophcrack
Joe wants to use a stealthy Linux tool that analyzes network traffic and returns information about operating systems. Which of the following banner grabbing tools is he most likely to use?
P0f
Which of the following flags is used by a TCP scan to direct the sending system to send buffered data?
PSH
Which of the following firewall technologies operates at Layers 3 (Network) and 4 (Transport) of the OSI model?
Packet Filtering
Which of the following types of wireless antenna is shown in the image?
Parabolic
Sam has used malware to access Sally's computer on the network. He has found information that will allow him to use the underlying NTLM to escalate his privileges without needing the plaintext password. Which of the following types of attacks did he use?
Pass the Hash
Which of the following assessment types can monitor and alert on attacks but cannot stop them?
Passive
Which of the following is characterized by an attacker using a sniffer to monitor traffic between a victim and a host?
Passive Hijacking
Which of the following techniques involves adding random bits of data to a password before it is stored as a hash?
Password Salting
While performing a penetration test, you captured a few HTTP POST packets using Wireshark. After examining the selected packet, which of the following concerns or recommendations will you include in your report?
Passwords are being sent in clear text
Which of the following system exploitation methods happens by adding a malicious file to a file path that is missing quotation marks and has spaces in it?
Path Interception
JPS
Patrick is planning a penetration test for a client. As a part of this test, he will perform a phishing attack. He needs to create a virus to distribute through email and run a custom script that will let him track who has run the virus. Which of the following programs will allow him to create this virus?
First, you must locate the live nodes in the network. Second, you must itemize each open port and service in the network. Finally, you test each open port for known vulnerabilities. These are the three basic steps in which of the following types of testing?
Penetration
Which of the following best describes the HTTP Request/Response TRACE?
Performs a loopback test to a target resource.
Which of the following scans is used to actively engage a target in an attempt to gather information about it?
Port Scan
Which of the following best describes the verification phase of the vulnerability management life cycle?
Proves your work to management and generates verifiable evidence to show that your patching and hardening implementations have been effective.
Alex, a security specialist, is using an Xmas tree scan. Which of the following TCP flags will be sent back if the port is closed?
RST
Jack is tasked with testing the password strength for the users of an organization. He has limited time and storage space. Which of the following would be the best password attack for him to choose?
Rainbow Attack
Which of the following attacks utilizes encryption to deny a user access to a device?
Ransomware attack
A company has subscribed to a cloud service that offers cloud applications and storage space. Through acquisition, the number of company employees quickly doubled. The cloud service vendor was able to add cloud services for these additional employees without requiring hardware changes. Which of the following cloud concepts does this represent?
Rapid elasticity
When a penetration tester starts gathering details about employees, vendors, business processes, and physical security, which phase of testing are they in?
Reconnaissance
Which of the following best describes a reverse proxy method for protecting a system from a DoS attack?
Redirects all traffic before it is forwarded to a server, so the redirected system takes the impact.
Rose, an ethical hacker, has created a report that clearly identifies her findings and recommendations for locking down an organization's systems and patching problems. Which of the following phases of the vulnerability management life cycle is she working in?
Risk Assessment
Part of a penetration test is checking for malware vulnerabilities. During this process, the penetration tester will need to manually check many different areas of the system. After these checks have been completed, which of the following is the next step?
Run anti-malware scans
Host integrity monitoring
Ruudy is analyzing a piece of malware discovered in a pentest. He has taken a snapshot of the test system and will run the malware. He will take a snapshot afterwards and monitor different components such as ports, processes, event logs, and more for any changes. Which of the following processes is he using?
Which of the following types of injections can be injected into conversations between an application and a server to generate excessive amounts of spam email?
SMTP Injection
Robby, a security specialist, is taking countermeasures for SNMP. Which of the following utilities would he most likely use to detect SNMP devices on the network that are vulnerable to attacks?
SNscan
TCP is a connection-oriented protocol that uses a three-way handshake to establish a connection to a system port. Computer 1 sends a SYN packet to Computer 2. Which packet does Computer 2 send back?
SYN/ACK
Which of the following cloud computing service models delivers software applications to a client either over the Internet or on a local area network?
SaaS
Anti-malware software utilizes different methods to detect malware. One of these methods is scanning. Which of the following best describes scanning?
Scanning uses live system monitoring to detect malware immediately. This technique utilizes a database that needs to be updated regularly. Scanning is the quickest way to catch malware programs.
You are using an iOS device. You want to scan networks, websites, and ports to find open network devices. Which of the following network mapping tools should you use?
Scany
Which of the following malware types shows the user signs of potential harm that could occur if the user doesn't take a certain action?
Scareware
Upload bombing and poison null byte attacks are designed to target which of the following web application vulnerabilities?
Scripting Errors
Which of the following best describes the heuristic or behavior-based detection method?
Searches for execution path hooking, which allows a function value in an accessible environment to be changed.
You are looking for a vulnerability assessment tool that detects vulnerabilities in mobile devices and gives you a report containing a total risk score, a summary of revealed vulnerabilities, and remediation suggestions. Which of the following vulnerability assessment tools should you use?
Security Metrics Mobile
Which of the following includes a list of resolved vulnerabilities
Security vulnerability summary
Which of the following includes a list of resolved vulnerabilities?
Security vulnerability summary
You are looking for a vulnerability assessment tool that detects vulnerabilities in mobile devices and gives you a report containing a total risk score.
SecurityMetrics Mobile
Which of the following footprinting methods would you use to scan a web server to find ports that the web server is using for various services?
Service Discovery
If an attacker's intent is to discover and then use sensitive data like passwords, session cookies, and other security configurations such as UDDI, SOAP, and WSDL, which of the following cloud computing attacks is he using?
Service hijacking through network sniffing.
Which of the following solutions creates the risk that a hacker might gain access to the system?
Service-based
It is important to be prepared for a DoS attack. These attacks are becoming more common. Which of the following best describes the response you should take for a service degradation?
Services can be set to throttle or even shut down.
Your network administrator has set up training for all the users regarding clicking on links in emails or instant messages. Which of the following is your network administrator attempting to prevent?
Session Fixation
A penetration tester discovers a vulnerable application and is able to hijack a website's URL hyperlink session ID. The penetration tester is able to intercept the session ID; when the vulnerable application sends the URL hyperlink to the website, the session IDs are embedded in the hyperlink. Which of the following types of session hijacking countermeasures is the penetration tester using?
Session fixation attack
Which of the following tasks is being described? Sniff the traffic between the target computer and the server. Monitor traffic with the goal of predicting the packet sequence numbers. Desynchronize the current session. Predict the session ID and take over the session. Inject commands to target the server.
Session hijacking
Which of the following tools can be used to create botnets?
Shark, PlugBot, and Poison Ivy
Analyzing emails, suspect files, and systems for malware is known as which of the following?
Sheep dipping
What does the Google Search operator allinurl:keywords do?
Shows results in pages that contain all of the listed keywords.
Which of the following is also known as ZeroAccess and has virus, Trojan horse, and rootkit components?
Sirefef
Your network administrator is configuring settings so the switch shuts down a port when the max number of MAC addresses is reached. What is the network administrator taking countermeasures against?
Sniffing
Allen, the network administrator, needs a tool that can do network intrusion prevention and intrusion detection, capture packets, and monitor information. Which of the following tools would he most likely select?
Snort
Julie is looking for a honeypot detection tool that is capable of packet manipulation. Which of the following tools should she use?
Snort inline
Carl received a phone call from a woman who states that she is calling from his bank. She tells him that someone has tried to access his checking account and she needs him to confirm his account number and password to discuss further details. He gives her his account number and password. Which of the following types of non-technical password attack has occured?
Social Engineering
MinJu, a penetration tester, is testing a client's security. She notices that every Wednesday, a few employees go to a nearby bar for happy hour. She goes to the bar and starts befriending one of the employees with the intention of learning the employee's personal information. Which information gathering technique is MinJu using?
Social Engineering
Carl received a phone call from a woman who states that she is calling from his bank. She tells him that someone has tried to access his checking account [...]
Social engineering
Which of the following best describes shoulder surfing
Someone nearby watches you enter your password on your computer and records it.
Which of the following best describes shoulder surfing?
Someone nearby watches you enter your password on your computer and records it.
Hugh, a security consultant, recommended the use of an internal and external DNS to provide an extra layer of security. Which of the following DNS countermeasures is being used?
Split DNS
Julie configures two DNS servers, one internal and one external, with authoritative zones for the corpnet.xyz domain. One DNS server directs external clients to an external server. The other DNS server directs internal clients to an internal server. Which of the following DNS countermeasures is she implementing?
Split DNS
ARP, DNS, and IP are all examples of which of the following?
Spoofing methods
Which of the following is malware that works by stealth to capture information and then sends it to a hacker to gain remote access?
Spyware
You have just captured the following packet using Wireshark and the filter shown. Which of the following is the captured password?
St@y0ut!@
Cameron wants to send secret messages to his friend Brandon, who works at a competitor's company. To secure these messages, he uses a technique to hide a secret message within a video. Which of the following techniques is he using?
Steganography
The method of embedding data into legitimate files like graphics to hide it and then extracting the data once it reaches its destination is called:
Steganography
You believe your system has been hacked. Which of the following is the first thing you should check?
System Log Files
What port does a DNS zone transfer use?
TCP 53
IP address spoofing, fragmentation attacks, using proxy servers, ICMP tunneling, and ACK tunneling are all examples of which of the following firewall penetration testing techniques?
TCP Packet Filtering
LDAP is an internet protocol for accessing distributed directory services. If this port is open, it indicates that Active Directory or Exchange may be in use. What port does LDAP use?
TCP/UDP 389
Typically, you think of the username as being the unique identifier behind the scenes, but Windows actually relies on the security identifier (SID). Unlike the username, a SID cannot be used again. When viewing data in the Windows Security Account Manager (SAM), you have located an account ending in -501. Which of the following account types did you find?
The Built-in guest
You are configuring a wireless access point and are presented with the image shown below. Which of the following is the most correct statement regarding the access point's configuration?
The Host Name is what the users see in the list of available networks when they connect to the access point.
Which of the following phases of the vulnerability management lifecycle implements patches, hardening, and correction of weaknesses?
The Remediation Phase
You are configuring several wireless access points for your network. Knowing that each access point will have a service set identifier (SSID), you want to ensure that it is configured correctly. Which of the following SSID statements are true?
The SSID is a unique name, separate from the access point name.
Which of the following best describes a cybersquatting cloud computing attack?
The hacker uses phishing scams by making a domain name that is almost the same as the cloud service provider.
Which of the following best describes source routing?
The packet's sender designates the route that a packet should take through the network.
A crypter can encrypt, obfuscate, and manipulate malware to make it difficult to detect.
The program shown is a crypter. Which of the following best defines what this program does?
You are using software as a service (SaaS) in your office. Who is responsible for the security of the data stored in the cloud?
The provider is responsible for all the security.
Which of the following best describes telnet?
The tool of choice for banner grabbing that operates on port 23.
You are using Wireshark to try and determine if a denial-of-service (DDoS) attack is happening on your network (128.28.1.1). You previously captured packets using the tcp.flags.syn==1 and tcp.flags.ack==1 filter, but only saw a few SYN-ACK packets. You have now changed the filter to tcp.flags.syn==1 and tcp.flags.ack==0. After examining the Wireshark results shown in the image, which of the following is the best reason to conclude that a DDoS attack is happening?
There are multiple SYN packets with different source addresses destined for 128.28.1.1.
Which of the following statements is true regarding cookies?
They were created to store information about user preferences and web activities.
Hackers can maintain access to a system in several ways. Which of the following best describes the unsecure file and folder method?
This can lead to DLL hijacking and malicious file installations on a non-admin targeted user.
An IDS can perform many types of intrusion detections. Three common detection methods are signature-based, anomaly-based, and protocol-based. Which of the following best describes protocol-based detection?
This detection method can include malformed messages and sequencing errors.
Diana, a penetration tester, executed the following command. Which answer describes what you learn from the information displayed?
This is a DNS zone transfer.
You have just run the John the Ripper command shown in the image. Which of the following was the command used for?
To extract the password hashes and save them in the secure.txt file
You have just run the John the Ripper command shown in the image. Which of the following was this command used for? Command: zip2john secure.zip > secure.txt
To extract the password hashes and save them in the secure.txt file.
James, a hacker, has hacked into a Unix system and wants to change the timestamps on some files to hide his tracks. Which of the following timestamp tools would he most likely use?
Touch
Which of the following tools enables security professionals to audit and validate the behavior of security devices?
Traffic IQ professional
Heather wants to gain remote access to Randy's machine. She has developed a program and hidden it inside a legitimate program that she is sure Randy will install on his machine. Which of the following types of malware is she using?
Trojan Horse
An IT technician receives an IDS alert on the company network she manages. A seemingly random user now has administration privileges in the system, some files are missing, and other files seem to have just been created. Which of the following alerts did this technician receive?
True positive
A hacker has gained physical access to a system and has changed an administrator's account password. Which of the following tools did the hacker most likely use to accomplish this?
Ultimate Boot CD
Which of the following privilege escalation risks happens when a program is being installed without the constant supervision of the IT employee and fails to clean up after?
Unattended installation
Using sniffers has become one way for an attacker to view and gather network traffic. If an attacker overcomes your defenses and obtains network traffic, which of the following is the best countermeasure for securing the captured network traffic?
Use encryption for all sensitive traffic.
A hacker has managed to gain access to the /etc/passwd file on a Linux host. What can the hacker obtain from this file?
Usernames, but no passwords
Which of the following best describes IPsec enumeration?
Uses ESP, AH, and IKE to secure communication between VPN endpoints.
Which of the following is an attack where all traffic is blocked by taking up all available bandwidth between the target computer and the Internet?
Volumetric attack
In a world where so much private information is stored and transferred digitally, it is essential to proactively discover weaknesses. An ethical hacker's assessment sheds light on the flaws that can open doors for malicious attackers. Which of the following types of assessments does an ethical hacker complete to expose these weaknesses?
Vulnerability Assessment
What type of scan is used to find system weaknesses such as open ports, access points, and other potential threats?
Vulnerability Scan
Jaxon, a pentester, is discovering vulnerabilities and design flaws on the Internet that will open an operating system and applications to attack or misuse. Which of the following tasks is he accomplishing?
Vulnerability research
A technician is using a modem to dial a large block of phone numbers in an attempt to locate other systems connected to a modem. Which type of network scan is being used?
Wardialing
SQL injections are a result of which of the following flaws?
Web Applications
Which of the following explains why web servers are often targeted by attackers?
Web servers provide an easily found, publicly accessible entrance to a network that users are encouraged to enter into and browse.
You are analyzing the web applications in your company and have newly discovered vulnerabilities. You want to launch a denial-of-service (DoS) attack against the web server. Which of the following tools would you most likely use?
WebInspect
Which of the following types of web server attacks is characterized by altering or vandalizing a website's appearance in an attempt to humiliate, discredit, or annoy the victim?
Website Defacement
A collection of software that detects and analyzes malware.
Which of the following best describes an anti-virus sensor system?
CAN-SPAM Act
Which of the following laws is designed to regulate emails?
Scareware
Which of the following malware types shows the user signs of potential harm that could occur if the user doesnt take a certain action?
Dropper
Which of the following parts of the trojan horse packet installs the malicious code onto the target machine?
Logic bomb
Which of the following virus types is shown in the code below?
Iggy, a penetration tester, is conducting a black box penetration test. He wants to do reconnaissance by gathering information about ownership, IP addresses, domain name, locations, and server types. Which of the following tools would be most helpful?
Whois
You suspect that an ICMP flood attack is taking place from time to time, so you have used Wireshark to capture packets using the tcp.flags.syn==1 filter. Initially, you saw an occasional SYN or ACK packet. After a short while, however, you started seeing packets as shown in the image. Using the information shown, which of the following explains the difference between normal ICMP (ping) requests and an ICMP flood?
With the flood, all packets come from the same source IP address in quick succession.
Heather is performing a penetration test of her client's malware protection. She has developed a malware program that doesn't require any user interaction and wants to see how far it will spread through the network. Which of the following types of malware is she using?
Worm
Which of the following actions was performed using the WinDump command line sniffer? C:\windump -i 1 -w C:\test\nycap.pcap windump: listening on Device NPF_{012 EA6C6-5E4B-4F82-9A61-25B043F61EA6) 6014 packets captured 6015 packets received by filter 0 packets dropped by kernel C:\.
Wrote packet capture files from interface 1 into mycap.pcap.
Which of the following types of wireless antenna is shown?
Yagi
Phil, a hacker, has found his way into a secure system. He is looking for a Windows utility he can use to retrieve, set, back up, and restore logging policies. Which of the following utilities should he consider?
auditpol
During a penetration test, Omar found unpredicted responses from an application. Which of the following tools was he most likely using while assessing the network?
beSTORM
Which of the following is the name of the attribute that stores passwords in a Group Policy preference item in Windows?
cPasswords
Plaintext
charset
Which of the following enumeration tools provides information about users on a Linux machine?
finger
Using Wireshark filtering, you want to see all traffic except IP address 192.168.142.3. Which of the following is the best command to filter a specific source IP address?
ip.src ne 192.168.142.3
Shawn, a malicious insider, has obtained physical access to his manager's computer and wants to listen for incoming connections. He has discovered the computer's IP address, 192.168.34.91, and he has downloaded netcat. Which of the following netcat commands would he enter on the two computers?
nc -l -p 2222 and nc -nv 192.168.34.91 2222
Daphne suspects a Trojan horse is installed on her system. She wants to check all active network connections to see which programs are making connections and the FQDN of where those programs are connecting to. Which command will allow her to do this?
netstat -f -b
On your network, you have a Windows 10 system with the IP address 10.10.10.195. You have installed XAMPP along with some web pages, php, and forms. You want to put it on the public-facing internet, but you are not sure if it has any vulnerabilities. On your Kali Linux system, you have downloaded the nmap-vulners script from GitHub. Which of the following is the correct nmap command to run?
nmap --script nmap-vulners -sV 10.10.10.195
When it comes to obfuscation mechanisms, nmap has the ability to generate decoys, meaning that detection of the actual scanning system becomes much more difficult. Which of the following is the proper nmap command?
nmap -D RND:10 target_IP_address
Nmap provides many commands and scripts that are used to evade firewalls and intrusion detection systems. Which of the following is the proper nmap command to use the decoy option?
nmap -D RND:25 10.10.10.1
You are in the reconnaissance phase at the XYZ company. You want to use nmap to scan for open ports and use a parameter to scan the 1,000 most common ports. Which nmap command would you use?
nmap -sS xyzcompany.com
Nmap can be used for banner grabbing. Nmap connects to an open TCP port and returns anything sent in a five-second period. Which of the following is the proper nmap command?
nmap -sV --script=banner ip_address
You have found the IP address of a host to be 172.125.68.30. You want to see what other hosts are available on the network. Which of the following nmap commands would you enter to do a ping sweep?
nmap -sn 172.125.68. 1-255
Which of the following techniques involves adding random bits of data to a password before it is stored as a hash
password salting
limited time
rainbow attack
You have created and sorted an md5 rainbow crack table. You want to crack the password. Which of the following commands would you use to crack a single hash?
rcrack . -h 202cb962ac59075b964b07152d234b70
You have been asked to perform a penetration test for a company to see if any sensitive information can be captured by a potential hacker. You have used Wireshark to capture a series of packets. Using the tcp contains Invoice filter, you have found one packet. Using the captured information shown, which of the following is the account manager's email address?
