CEH Flashcard Set 4


Which of the scenarios corresponds to the behaviour of the attacker from the example below: The attacker created and configured multiple domains pointing to the same host to switch quickly between the domains and avoid detection. A) Data staging. B) DNS tunnelling. C) Unspecified proxy activities. D) Use of command-line interface.

C) Unspecified proxy activities. An adversary can create and configure multiple domains pointing to the same host, thus allowing the adversary to switch quickly between the domains to avoid detection. Security professionals can find such unspecified domains by checking the data feeds generated by those domains.

Rajesh wants to make the Internet a little safer and uses his skills to scan the networks of various organizations and find vulnerabilities, even without the owners' permission. He informs the company owner about the problems encountered, but if the company ignores him and does not fix the vulnerabilities, Rajesh publishes them publicly and forces the company to respond. What type of hacker best describes Rajesh?

Gray hat

Hashcat

Hackers use Hashcat to automate attacks against passwords and other shared secrets. It gives the user the ability to brute-force credential stores using known hashes, to conduct dictionary attacks and rainbow tables, and to reverse engineer readable information on user behavior into hashed-password combination attacks.

John, a black-hat hacker, is trying to perform SMTP enumeration. What useful information can John gather during a Simple Mail Transfer Protocol enumeration?

He can use the two built-in commands VRFY and EXPN, which provide information about valid users, email addresses, mailing-list membership, etc.

Heap spraying

Heap spraying is a technique used in exploits to facilitate arbitrary code execution. The part of the source code of an exploit that implements this technique is called a heap spray. In general, code that sprays the heap attempts to put a certain sequence of bytes at a predetermined location in the memory of a target process by having it allocate (large) blocks on the process's heap and fill the bytes in these blocks with the right values.

Hypervisor-Level rootkit:

Hypervisor (virtualized) level rootkits are created by exploiting hardware features such as Intel VT or AMD-V (hardware-assisted virtualization technologies). A hypervisor-level rootkit hosts the target operating system as a virtual machine and can therefore intercept all hardware calls made by the target operating system.

Storing cryptographic keys carries a particular risk. In cryptography, there is a mechanism in which a third party stores copies of private keys. By using it, you can ensure that in the case of a catastrophe, be it a security breach, lost or forgotten keys, natural disaster, or otherwise, your critical keys are safe. What is the name of this mechanism?

Key escrow

Black-hat hacker Ivan attacked the SCADA system of an industrial water facility. During the exploration process, he discovered that outdated equipment was being used and that the human-machine interface (HMI) was directly connected to the Internet without any security tools or authentication mechanism. This allowed Ivan to control the system and influence all processes (including water pressure and temperature). What category does this vulnerability belong to?

Lack of Authorization/Authentication and Insecure Defaults. Most SCADA/ICS equipment has a dedicated system for managing and monitoring industrial systems. Most people in the industry call this a human-machine interface or HMI. This system is essential for managing industrial systems, but it can also be an important vector for attackers. If an attacker can compromise the HMI, the attacker owns your industrial network. These systems have been compromised in at least two ways: protocol attacks and HMI attacks. The major areas where SCADA software vulnerabilities occur are:
- Memory corruption.
- Credential management.
- Lack of authentication/authorization and insecure defaults.
- Code injection.
- A big chunk of other areas.

You need to identify the OS on the attacked machine. You know that TTL: 64 and Window Size: 5840. Which OS is running on the attacked machine?

Linux OS. Typical initial TTL and TCP window size values by OS:
Linux: IP Initial TTL: 64; TCP Window Size: 5840
Google's Customized Linux: IP Initial TTL: 64; TCP Window Size: 5720
FreeBSD: IP Initial TTL: 64; TCP Window Size: 65535
Windows XP: IP Initial TTL: 128; TCP Window Size: 65535
Windows 7, Vista and Server 2008: IP Initial TTL: 128; TCP Window Size: 8192
Cisco Router (IOS 12.4): IP Initial TTL: 255; TCP Window Size: 4128

In which of the following logging frameworks was a vulnerability discovered in December 2021 that could affect millions of devices and Java applications? A) SLF4J B) Apache Commons Logging C) Logback D) Log4J

Log4J. The Log4j exploit allows threat actors to take over compromised web-facing servers by feeding them a malicious text string. It exists within Log4j, an open-source Apache library for logging errors and events in Java-based applications. Third-party logging libraries like Log4j are a common way for software developers to log data within an application without building a custom solution.

macvlan

Macvlan is a network driver designed to create a network connection between container interfaces and the parent host interface or subinterfaces using the Linux macvlan bridge mode.

Whois services allow you to obtain a large amount of valuable information at the reconnaissance stage. Depending on the target's location, they receive data from one of the five regional Internet registries (RIRs). Which of the RIRs should the Whois service contact if you want to get information about an IP address registered in France?

RIPE NCC

Retina IoT (RIoT) Scanner

RIoT is a free vulnerability scanner that identifies Internet of Things (IoT) devices and their associated vulnerabilities across your entire perimeter. It provides the following functionality:
- Identify high-risk IoT devices
- Safely check for default or hard-coded passwords
- Generate clear IoT vulnerability reports and remediation guidance
- Perform external scans of up to 256 IPs

The network administrator has been tasked with eliminating all unencrypted traffic inside the company's network. During the analysis, he detected unencrypted traffic on UDP port 161. Which protocol uses this port, and what action should the network administrator take to fix this problem?

SNMP, and he should migrate it to SNMPv3. SNMPv3 was recognized by the IETF in 2004. It adds both encryption and authentication options to prevent snooping and unauthorized access. Setup is far more complicated than creating a community string, but it mitigates many of the risks inherent in SNMP v1 and v2c.

Speed Phish Framework

SPF (SpeedPhish Framework) is a Python tool designed to allow for quick reconnaissance and deployment of simple social engineering phishing exercises.

What service is running on port 427?

Service Location Protocol

Experienced employees of the EC-Council monitor the market of security providers every day in search of the best solutions for your business. According to EC-Council experts, which vulnerability scanner combines comprehensive static and dynamic security checks to detect vulnerabilities such as XSS, File Inclusion, SQL injection, command execution, and more?

Syhunt Hybrid

Modern security mechanisms can stop various types of DDoS attacks, but if they only check incoming traffic and mostly ignore return traffic, attackers can bypass them under the disguise of a valid TCP session by sending a SYN, multiple ACKs, and one or more RST or FIN packets. What is the name of such an attack?

Spoofed session flood attack

Strategic Threat Intelligence:

Strategic threat intelligence provides high-level information relating to cyber security posture, threats, details regarding the financial impact of various cyber activities, attack trends, and the impact of high-level business decisions. This information is consumed by high-level executives and management of the organization, such as IT management and the CISO. It helps management in identifying current cyber risks, unknown future risks, threat groups, and the attribution of breaches. The intelligence obtained provides a risk-based view that focuses on high-level concepts of risks and their probability.

Tactical Threat Intelligence:

Tactical threat intelligence plays a major role in protecting the resources of the organization. It provides information related to the TTPs used by threat actors (attackers) to perform attacks. Tactical threat intelligence is consumed by cyber security professionals such as IT service managers, security operations managers, network operations center (NOC) employees, administrators, and architects.

You need to protect the company's network from imminent threats. To complete this task, you will enter information about threats into the security devices in a digital format to block and identify inbound and outbound malicious traffic entering the company's network. Which type of threat intelligence will you use?

Technical threat intelligence

Technical Threat Intelligence:

Technical threat intelligence provides information about an attacker's resources that are used to perform the attack; this includes command and control channels, tools, etc. It has a shorter lifespan compared to tactical threat intelligence and mainly focuses on specific IoCs. It provides rapid distribution and response to threats.

Identify the security model by description: In this security model, every user in the network maintains a ring of public keys. Also, a user needs to encrypt a message using the receiver's public key, and only the receiver can decrypt the message using their private key.

Web of trust

Whitelist validation

Whitelist validation is a best practice whereby only the list of entities (i.e., data type, range, size, value, etc.) that have been approved for secured access is accepted. Whitelist validation can also be termed as positive validation or inclusion.

Out-of-band SQL Injection

With Out-of-band SQL Injection, the application shows the same response regardless of the user input and the database error. To retrieve the output, a different transport channel like HTTP requests or DNS resolution is used; note that the attacker needs to control said HTTP or DNS server.

Identify the Google advanced search operator that helps an attacker gather information about websites that are similar to a specified target URL.

[related:]

You need to hide a file on a Linux system. Which of the following characters will you type at the beginning of the filename? A) . (Period) B) _ (Underscore) C) ! (Exclamation mark) D) ~ (Tilde)

A) . (Period). Linux hides files and folders that have a period at the start of their name. To hide a file or folder, rename it so that the filename starts with a period.

Ivan, a black-hat hacker, wants to get information about the IoT cameras and devices used by the attacked company. For this purpose, he will use a tool that collects information about the IoT devices connected to a network, their open ports and services, and the attack surface area. Thanks to this tool, Ivan constantly monitors every available server and device on the Internet, which will allow him to exploit these devices in the future. Which of the following tools did Ivan use to carry out this attack? A) Censys B) NeuVector C) Lacework D) Wapiti

A) Censys

Jack, a cybersecurity specialist, plans to do some security research for the embedded hardware he uses. He wants to perform side-channel power analysis and glitching attacks during this research. Which of the following will Jack use? A) ChipWhisperer B) UART C) RIoT D) Foren6

A) ChipWhisperer. ChipWhisperer is an open-source toolchain dedicated to hardware security research. It enables every engineer and student to perform side-channel power analysis and glitching attacks.

Which of the following services is running on port 21 by default? A) File Transfer Protocol B) Service Location Protocol C) Border Gateway Protocol D) Domain Name System

A) File Transfer Protocol

The attacker disabled the security controls of NetNTLMv1 by modifying the values of LMCompatibilityLevel, NTLMMinClientSec, and RestrictSendingNTLMTraffic. His next step was to extract all the non-network logon tokens from all the active processes to masquerade as a legitimate user to launch further attacks. Which of the following attacks was performed by the attacker? A) Internal monologue attack B) Dictionary attack C) Phishing attack D) Rainbow table attack

A) Internal Monologue Attack. The Internal Monologue attack allows NTLMv1 challenge-response hashes to be obtained from the victim's system without injecting code into memory or interacting with protected services such as the Local Security Authority Subsystem Service (LSASS). These hashes can then be cracked or subsequently used in a Pass-The-Hash (PTH) attack.

Ivan, a black-hat hacker, wants to attack a target company. He suspects that vulnerable IoT devices may be in use in the company. To check this, he decides to use a tool to scan the target network for specific types of IoT devices and detect whether they are using default, factory-set credentials. Which of the following tools will Ivan use? A) IoTSeeker B) Bullguard IoT C) Cloud IoT Core D) Azure IoT Central

A) IoTSeeker

Which of the following is a rootkit that adds additional code or replaces portions of the core operating system to obscure a backdoor on a system? A) Kernel-level rootkit. B) Hypervisor-level rootkit. C) Application-level Rootkit. D) User-mode rootkit.

A) Kernel-level rootkit

Which of the following frameworks contains a set of the most popular tools that facilitate your tasks of collecting information and data from open sources? A) OSINT framework B) BeEF C) Speed Phish Framework D) WebSploit Framework

A) OSINT framework

Which of the following standards is most applicable for a major credit card company? A) PCI-DSS B) HIPAA C) Sarbanes-Oxley Act D) FISMA

A) PCI-DSS

Your company plans to open a new division. You have been assigned to choose a cloud deployment model. The main requirements for the cloud model are infrastructure operated solely for your organization with the ability to customize hardware, network, and storage characteristics. Which of the following solutions will suit your organization? A) Private cloud B) Hybrid cloud C) Community cloud D) Public cloud

A) Private Cloud

Which term from the following describes a set of vulnerabilities that allows spyware to be installed on smartphones with the iOS operating system, allowing those who conducted espionage to track and monitor every action on the device? A) Trident B) DroidSheep C) Androrat D) Zscaler

A) Trident

Assume you used Nmap, and after applying a command, you got the following output:
Starting Nmap X.XX (http://nmap.org) at XXX-XX-XX XX:XX EDT
Nmap scan report for 192.168.1.42
Host is up (0.00023s latency).
Not shown: 932 filtered ports, 56 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop3
143/tcp open imap
443/tcp open https
465/tcp open smtps
587/tcp open submission
993/tcp open imaps
995/tcp open pop3s
Nmap done: 1 IP address (1 host up) scanned in 3.90 seconds
Which command-line parameter could you use to determine the service protocol, the application name, the version number, hostname, and device type?

-sV (Version detection). Enables version detection, which probes open ports to determine the service protocol, application name, version number, hostname and device type. Alternatively, you can use -A, which enables version detection among other things (OS detection, script scanning, and traceroute).

Andrew, an evil hacker, researches the website of the company he wants to attack. During the research, he finds a web page and understands that the company's application is potentially vulnerable to Server-Side Includes injection. Which web-page file type did Andrew find while researching the site?

.stm. SSIs are directives present in web applications used to feed an HTML page with dynamic content. They are similar to CGIs, except that SSIs are used to execute some actions before the current page is loaded or while the page is being rendered. In order to do so, the web server evaluates the SSI directives before supplying the page to the user.

Identify the correct sequence of steps involved in the vulnerability-management life cycle.

1. Identify assets and create a baseline.
2. Vulnerability scan
3. Risk assessment
4. Remediation
5. Verification
6. Monitor

Kuryr Network Plugin

Kuryr is a network plugin developed as part of the OpenStack Kuryr project. It implements the Docker networking (libnetwork) remote driver API by utilizing Neutron, the OpenStack networking service. It includes an IPAM driver as well.

Weave Network Plugin

Weave is a network plugin that creates a virtual network connecting your Docker containers across multiple hosts or clouds and enables the automatic discovery of applications. Weave networks are resilient, partition tolerant, and secure, and work in partially connected networks and other adverse environments, all configured with delightful simplicity.

Universal Asynchronous Receiver-Transmitter (UART)

A universal asynchronous receiver-transmitter (UART /ˈjuːɑːrt/) is a computer hardware device for asynchronous serial communication in which the data format and transmission speeds are configurable. It sends data bits one by one, from the least significant to the most significant, framed by start and stop bits so that precise timing is handled by the communication channel. The electric signaling levels are handled by a driver circuit external to the UART. Two common signal levels are RS-232, a 12-volt system, and RS-485, a 5-volt system. Early teletypewriters used current loops.

WPS is a rather troubled wireless network security standard. While it can make your life easier, it is also vulnerable to attacks. An attacker within radio range can brute-force the WPS PIN of a vulnerable access point, obtain the WEP or WPA password, and likely gain access to the Wi-Fi network. However, the attacker first needs to find a vulnerable access point. Which of the following tools is capable of identifying WPS-enabled access points? A) wash B) ntptrace C) net view D) macof

A) wash. Wash is a utility for identifying WPS-enabled access points. It can survey from a live interface or scan a list of pcap files. It is an auxiliary tool designed to display WPS-enabled access points and their main characteristics.

Which of the following is an anonymizer that masks real IP addresses and ensures complete and continuous anonymity for all online activities? A) https://www.guardster.com B) https://www.wolframalpha.com C) https://www.baidu.com D) https://karmadecay.com

A. "Guardster offers various services to let you use the Internet anonymously and securely. From our popular free web proxy service, to our secure SSH tunnel proxy, we have a variety of services to suit your needs."

Which of the following is the best description of the final phase of every successful hacking attack, clearing tracks? A) During a cyberattack, a hacker corrupts the event logs on all machines. B) After a system is breached, a hacker creates a backdoor. C) A hacker gains access to a server through an exploitable vulnerability. D) During a cyberattack, a hacker injects a rootkit into a server.

A. The final phase of every successful hacking attack is clearing the tracks. After gaining access and misusing the network, it is very important for the attacker to cover their tracks to avoid being traced and caught. To do this, the attacker clears all kinds of logs and removes malware related to the attack. During this phase, the attacker will disable auditing and clear and manipulate logs.

Lisandro was hired to steal critical business documents of a competitor company. Using a vulnerability in over-the-air programming (OTA programming) on Android smartphones, he sends messages to company employees on behalf of the network operator, asking them to enter a PIN code and accept new updates for the phone. After the employee enters the PIN code, Lisandro gets the opportunity to intercept all Internet traffic from the phone. What type of attack did Lisandro use?

Advanced SMS phishing

What is the name of a popular tool (or rather, an entire integrated platform written in Java) based on a proxy used to assess the security of web applications and conduct practical testing using a variety of built-in tools?

Burp Suite

In which of the following cloud service models do you take full responsibility for the maintenance of the cloud-based resources? A) PaaS B) BaaS C) IaaS D) SaaS

C) IaaS (Infrastructure as a Service)

You need to increase the security of keys used for encryption and authentication. For these purposes, you decide to use a technique to enter an initial key to an algorithm that generates an enhanced key resistant to brute-force attacks. Which of the following techniques will you use? A) PKI B) KDF C) Key stretching D) Key reinstallation

C) Key stretching

Your company started working with a cloud service provider, and after a while, they were disappointed with their service and wanted to move to another CSP. Which of the following can become a problem when changing to a new CSP? A) Virtualization B) Lock-up C) Lock-in D) Lock-down

C) Lock-in

Ivan, an evil hacker, spreads Emotet malware through a malicious script in the organization he attacked. After infecting a device, he used Emotet to spread the infection across local networks and beyond to compromise as many machines as possible. He achieved this thanks to a module which is a self-extracting RAR file (containing bypass and service components) used to retrieve information related to network resources such as writable share drives. What tool did Ivan use?

Credential enumerator

Application-level rootkit:

Application-level rootkits operate inside the victim computer by replacing standard application files with rootkit files, or by changing the behaviour of existing applications with patches, injected code, etc.

Alex received an order to conduct a pentest and scan a specific server. When receiving the technical task, he noticed the point: "The attacker must scan every port on the server several times using a set of spoofed source IP addresses." Which of the following Nmap flags will allow Alex to fulfill this requirement? A) -f B) -D C) -S D) -A

B) -D. -D decoy1[,decoy2][,ME][,...] (Cloak a scan with decoys). Causes a decoy scan to be performed, which makes it appear to the remote host that the host(s) you specify as decoys are scanning the target network too. Thus their IDS might report 5-10 port scans from unique IP addresses, but they won't know which IP was scanning them and which were innocent decoys. While this can be defeated through router path tracing, response-dropping, and other active mechanisms, it is generally an effective technique for hiding the scanner's IP address.

Which of the following is an on-premise or cloud-hosted solution responsible for enforcing security, compliance, and governance policies in the cloud application? A) Secure access service edge B) Cloud Access Security Broker C) Container Security Tools D) Next-Generation Secure Web Gateway

B) Cloud Access Security Broker

Which of the following is the type of attack that tries to overflow the CAM table? A) Evil twin attack B) MAC flooding C) DNS flood D) DDoS attack

B) MAC Flooding. A CAM overflow attack occurs when an attacker connects to one or more switch ports and then runs a tool that mimics the existence of thousands of random MAC addresses on those switch ports. The switch enters these into the CAM table, and eventually the CAM table fills to capacity. When a switch is in this state, no more new MAC addresses can be learned; therefore, the switch starts to flood any traffic from new hosts out of all ports on the switch. A CAM overflow attack turns a switch into a hub, which enables the attacker to eavesdrop on a conversation and perform man-in-the-middle attacks.

Which of the following helps prevent replay attacks and is used in garage door openers or keyless car entry systems? A) Unlocking code B) Rolling code C) Rotating code D) Locking code

B) Rolling code

Which of the following SOAP extensions apply security to Web services and maintain the integrity and confidentiality of messages? A) WS-BPEL B) WS-Security C) WSDL D) WS-Policy

B) WS-Security

Passwords are rarely stored in plain text; most often, a one-way conversion (hashing) is performed to protect them from unauthorized access. However, there are some attacks and tools to crack the hash. Look at the following tools and select the one that can NOT be used for this. A) Hashcat B) Ophcrack C) Netcat D) John the Ripper

C) Netcat. Netcat is a utility capable of establishing a TCP or UDP connection between two computers, meaning it can write and read through an open port. With the help of the program, files can be transferred and commands can be executed in some instances.

During testing, you discovered a vulnerability that allows hackers to gain unauthorized access to API objects and perform actions such as viewing, updating and deleting sensitive data. Which of the following API vulnerabilities have you found? A) Code Injections. B) RBAC Privilege Escalation. C) No ABAC validation. D) Business Logic Flaws.

C) No ABAC validation

Foren6

Foren6 is a non-intrusive 6LoWPAN network analysis tool. It leverages passive sniffer devices to reconstruct a visual and textual representation of network information to support real-world Internet of Things applications.

The attacker wants to draw a map of the target organization's network infrastructure to know about the actual environment they will hack. Which of the following will allow him to do this? A) Malware analysis B) Vulnerability analysis C) Scanning networks D) Network enumeration

C) Scanning networks

Alex, a security engineer, needs to determine how much information can be obtained from the firm's public-facing web servers. First of all, he decides to use Netcat to connect to port 80 and receives the following output:
HTTP/1.1 200 OK
Server: Microsoft-IIS/6
Expires: Tue, 17 Jan 2011 01:41:33 GMT
Date: Mon, 16 Jan 2011 01:41:33 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Wed, 28 Dec 2010 15:32:21 GMT
ETag: "b0aac0542e25c31:89d"
Content-Length: 7369
What did Alex do?

Banner Grabbing

Blacklist Validation

Blacklist validation rejects all inputs that have been identified as malicious or disapproved for protected access. Blacklist validation can be challenging, as every content and character of an attack must be interpreted, understood, and anticipated, including for future attacks. Blacklist validation can also be termed negative validation or exclusion.

Blind SQL Injection

A Blind SQL Injection attack does not show any error message, hence the "blind" in its name. It is more difficult to exploit, as it returns information only when the application is given SQL payloads that elicit a true or false response from the server. By observing the responses, an attacker can extract sensitive information.

Identify the type of SQLi by description: This type of SQLi doesn't show any error message. It can be difficult to exploit, as it returns information only when the application is given SQL payloads that elicit a true or false response from the server. When using this method, an attacker can extract confidential information by observing the responses.

Blind SQLi

What service is running on port 179?

Border Gateway Protocol

Identify what the following code is used for:
#!/usr/bin/python
import socket

# Build payloads of increasing length: "A", then "A"*50, "A"*100, ... up to "A"*5000
buffer = ["A"]
counter = 50
while len(buffer) <= 100:
    buffer.append("A" * counter)
    counter = counter + 50

# Commands understood by the target service; each is tested with every payload
commands = ["HELP", "STATS.", "RTIME.", "LTIME.", "SRUN.", "TRUN.", "GMON.", "GDOG.", "KSTET.", "GTER.", "HTER.", "LTER.", "KSTAN."]

for command in commands:
    for buffstring in buffer:
        print("Exploiting " + command + ":" + str(len(buffstring)))
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect(('127.0.0.1', 9999))
        s.recv(50)  # read the service banner
        s.send((command + buffstring).encode())  # send command followed by the oversized argument
        s.close()

Buffer Overflow

This attack exploits a vulnerability that provides additional routing information in the SOAP header to support asynchronous communication. Also, it further allows the transmission of web-service requests and response messages using different TCP connections. Which of the following attacks matches the description above? A) SOAPAction spoofing B) XML Flooding C) WS-Address spoofing D) Soap Array Attack

C) WS-Address spoofing. The generic definition describes the following scenario: an attacker sends a SOAP message containing WS-Addressing information to a web service server. The <ReplyTo> element doesn't contain the address of the attacker but instead that of a web service client the attacker has chosen to receive the message. This results in unwanted traffic/SOAP messages for the receiving web service client. Depending on the amount of traffic, DoS scenarios are possible; however, other attack scenarios are possible too.

You want to prevent possible SQLi attacks on your site. To do this, you decide to use a practice whereby only a list of entities such as the data type, range, size, and value, which have been approved for secured access, is accepted. Which of the following practices are you going to adopt? A) Output encoding. B) Blacklist validation. C) Whitelist validation. D) Enforce least privileges.

C) Whitelist validation

The attacker knows about a vulnerability in a bare-metal cloud server that can enable him to implant malicious backdoors in firmware. Also, the backdoor can persist even if the server is reallocated to new clients or businesses that use it as an IaaS. What type of cloud attack can be performed by an attacker exploiting the vulnerability discussed in the above scenario?

Cloudborne attack

Which of the following is a Docker network plugin designed for building security and infrastructure policies for multi-tenant microservices deployments? A) Macvlan B) Kuryr C) Weave D) Contiv

D) Contiv

Which of the following is a Kubernetes component that can assign nodes based on the overall resource requirement, data locality, software/hardware/policy restrictions, and internal workload interventions? A) cloud-controller-manager B) Kube-apiserver C) Kube-controller-manager D) Kube-scheduler

D) Kube-scheduler: Kube-scheduler is a master component that scans newly generated pods and allocates a node for them. It assigns the nodes based on factors such as the overall resource requirement, data locality, software/hardware/policy restrictions, and internal workload interventions.

Which of the following USB tools is used to silently copy files from USB devices? A) USBGrabber B) USBSniffer C) USBSnoopy D) USBDumper

D) USBDumper

John, a black-hat hacker, wants to find out whether there are honeypots in the system he is going to attack. For this purpose, he will use a time-based TCP fingerprinting method to compare the response of a real computer with the response of a honeypot to a manual SYN request. Which technique will John use?

Detecting the presence of Honeyd honeypots. Honeyd is a honeypot simulation engine that can easily create thousands of honeypots. Honeyd responds to received SMTP requests with fake responses. An attacker can identify the presence of a Honeyd honeypot by performing time-based TCP fingerprinting methods.

Ivan, a black hat hacker, got the username from the target environment. In conditions of limited time, he decides to use a list of common passwords, which he will pass as an argument to the hacking tool. Which of the following is the method of attack that Ivan uses?

Dictionary Attack

Identify the technology according to the description: It's an open-source technology that helps in developing, packaging, and running applications. The technology provides PaaS through OS-level virtualization, delivers containerized software packages, and promotes fast software delivery. It can isolate applications from the underlying infrastructure and facilitates communication via well-defined channels.

Docker

What service is running on port 53?

Domain Name System

Which of the following is a Mirai-based botnet created by threat group Keksec, which specializes in crypto mining and DDoS attacks?

Enemybot

Enforcing Least Privileges

Enforcing least privileges is a security best practice whereby the lowest level of privileges is assigned to every account accessing the database. It is recommended not to assign DBA level and administrator-level access rights to the application. In some critical situations, some applications may require elevated access rights; hence, proper groundwork should be done by the security professionals and they should also figure out the exact requirements of the application.

Error-based SQL Injection

Error-based SQL Injection is one of the most common types of SQL Injection vulnerabilities. It is also quite easy to detect. It relies on feeding unexpected commands or invalid input, typically through a user interface, to cause the database server to reply with an error that may contain details about the target: structure, version, operating system, and even full query results.

Error-based SQLi

Error-based SQL injections are exploited by triggering errors in the database when invalid inputs are passed to it. The error messages can be used to return the full query results or gain information on how to restructure the query for further exploitation.

Adam is a shopaholic, and he constantly surfs the Internet in search of discounted products. A hacker decided to take advantage of this weakness and sent Adam a fake email containing a deceptive link to his social media page with information about a sale. Adam, anticipating the bargain, didn't notice the malicious link, clicked on it and logged in to that page using his valid credentials. Which tool did the hacker probably use?

Evilginx

Evilginx is a man-in-the-middle attack framework used for phishing credentials and session cookies of any web service. Its core runs on the Nginx HTTP server, which utilizes proxy_pass and sub_filter to proxy and modify HTTP content while intercepting traffic between client and server.

-S IP_Address (Spoof source address).

In some circumstances, Nmap may not be able to determine your source address (Nmap will tell you if this is the case). In this situation, use -S with the IP address of the interface you wish to send packets through.

John the Ripper

John the Ripper is an offline password cracker. In other words, it tries to find passwords from captured files without having to interact with the target. By doing this, it does not generate suspicious traffic since the process is generally performed locally, on the attacker's machine. Although it's primarily used to crack password hashes, John can also be used to crack protected archive files, encrypted private keys, and many more.

-f (fragment packets); --mtu (using the specified MTU).

Nmap scan syntax. The -f option causes the requested scan (including ping scans) to use tiny fragmented IP packets. The idea is to split up the TCP header over several packets to make it harder for packet filters, intrusion detection systems, and other annoyances to detect what you are doing. Be careful with this! Some programs have trouble handling these tiny packets. The old-school sniffer named Sniffit segmentation faulted immediately upon receiving the first fragment. Specify this option once, and Nmap splits the packets into eight bytes or less after the IP header. So a 20-byte TCP header would be split into three packets. Two with eight bytes of the TCP header, and one with the final four. Of course each fragment also has an IP header. Specify -f again to use 16 bytes per fragment (reducing the number of fragments).

You have been instructed to collect information about specific threats to the organization. You decide to collect the information from humans, social media, chat rooms, and events that resulted in cyberattacks. You also prepared a report that includes identified malicious activities, recommended courses of action, and warnings for emerging attacks in this process. Thanks to this information, you were able to disclose potential risks and gain insight into attacker methodologies. What is the type of threat intelligence collected by you?

Operational Threat Intelligence

Ophcrack

Ophcrack is a password cracker based on rainbow tables, a method that speeds up the cracking process by using the results of calculations done in advance and stored in rainbow tables.

Out-of-band SQLi

Out-of-band SQL injection is not very common, mostly because it depends on features being enabled on the database server used by the web application. Out-of-band SQL injection occurs when an attacker is unable to use the same channel to launch the attack and gather results. Out-of-band techniques offer an attacker an alternative to inferential time-based techniques, especially if the server responses are not very stable (making an inferential time-based attack unreliable). Out-of-band SQLi techniques rely on the database server's ability to make DNS or HTTP requests to deliver data to an attacker. Such is the case with Microsoft SQL Server's xp_dirtree command, which can be used to make DNS requests to a server an attacker controls, as well as Oracle Database's UTL_HTTP package, which can be used to send HTTP requests from SQL and PL/SQL to a server an attacker controls.

Output Encoding

Output encoding is a validation technique that can be used after input validation. This technique is used to encode the input to ensure that it is properly sanitized before passing it to the database.

The company "Work Town" hired a cybersecurity specialist to perform a vulnerability scan by sniffing the traffic on the network to identify the active systems, network services, applications, and vulnerabilities. What type of vulnerability assessment should be performed for "Work Town"?

Passive assessment

WebSploit Framework

This is an open-source project used to scan and analyze remote systems in order to find various types of vulnerabilities. The tool is very powerful and supports checks for multiple vulnerability classes.

BeEF

This is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser.

-A (Aggressive scan options).

This option enables additional advanced and aggressive options. I haven't decided exactly which it stands for yet. Presently this enables OS detection (-O), version scanning (-sV), script scanning (-sC) and traceroute (--traceroute). More features may be added in the future. The point is to enable a comprehensive set of scan options without people having to remember a large set of flags. However, because script scanning with the default set is considered intrusive, you should not use -A against target networks without permission. This option only enables features, and not timing options (such as -T4) or verbosity options (-v) that you might want as well.

Identify the type of SQL injection in which the attack extends the results returned by the original query, enabling attackers to run two or more statements if they have the same structure as the original one.

Union SQL Injection

Union-based SQLi

Union-based SQLi is an in-band SQL injection technique that leverages the UNION SQL operator to combine the results of two or more SELECT statements into a single result which is then returned as part of the HTTP response.

User-mode rootkit:

User-mode rootkits run alongside other applications as user-level processes, rather than as low-level system processes. They have a number of possible installation vectors to intercept and modify the standard behavior of application programming interfaces (APIs). Some inject a dynamically linked library (such as a .DLL file on Windows, or a .dylib file on Mac OS X) into other processes, and are thereby able to execute inside any target process to spoof it; others with sufficient privileges simply overwrite the memory of a target application.

What is the name of the technique in which attackers move around the territory in a moving vehicle and use special equipment and software to search for vulnerable and accessible WiFi networks?

Wardriving

During the pentest, Maria, the head of the blue team, discovered that the new online service has problems with its authentication mechanism. The old password can be reset by correctly answering the secret question, and the submission form has no CAPTCHA protection, which allows a potential attacker to use a brute force attack. What is the name of such a weakness in the Common Weakness Enumeration (CWE)?

Weak password recovery mechanism

Alex was assigned to perform a penetration test against a website using Google dorks. He needs to get results with file extensions. Which operator should Alex use to achieve the desired result?

filetype:
