CEH Questions to review C

Ace your homework & exams now with Quizwiz!

Jack, a cybersecurity specialist, plans to do some security research for the embedded hardware he uses. He wants to perform side-channel power analysis and glitching attacks during this research. Which of the following will Jack use? a. ChipWhisperer b. UART c. RIoT d. Foren6

a. ChipWhisperer https://wiki.newae.com/Main_Page https://chipwhisperer.readthedocs.io/en/latest/ https://github.com/newaetech/chipwhisperer ChipWhisperer is an open-source toolchain dedicated to hardware security research. It helps to perform side-channel power analysis and glitching attacks on every engineer and student. This toolchain consists of several layers of open-source components: Hardware: The ChipWhisperer uses a capture board and a target board. Schematics and PCB layouts for the ChipWhisperer-Lite capture board and a number of target boards are freely available. Firmware: Three separate pieces of firmware are used on the ChipWhisperer hardware. The capture board has a USB controller (in C) and an FPGA for high-speed captures (in Verilog) with open-source firmware. Also, the target device has its own firmware; this repository includes many firmware examples for different targets. Software: The ChipWhisperer software includes a Python API for talking to ChipWhisperer hardware (ChipWhisperer Capture) and a Python API for processing power traces from ChipWhisperer hardware (ChipWhisperer Analyzer). Incorrect answers: Universal Asynchronous Receiver-Transmitter (UART) https://en.wikipedia.org/wiki/Universal_asynchronous_receiver-transmitter A universal asynchronous receiver-transmitter (UART /ˈjuːɑːrt/) is a computer hardware device for asynchronous serial communication in which the data format and transmission speeds are configurable. It sends data bits one by one, from the least significant to the most significant, framed by start and stop bits so that precise timing is handled by the communication channel. The electric signaling levels are handled by a driver circuit external to the UART. Two common signal levels are RS-232, a 12-volt system, and RS-485, a 5-volt system. Early teletypewriters used current loops. Foren6 https://cetic.github.io/foren6/ Foren6 is a non-intrusive 6LoWPAN network analysis tool. It leverages passive sniffer devices to reconstruct a visual and textual representation of network information to support real-world Internet of Things applications. Retina IoT (RIoT) Scanner (RIoT) https://www.seguridadar.com/bt/ds-retina-iot-s.pdf RIoT is a free vulnerability scanner that identifies Internet of Things (IoT) devices and their associated vulnerabilities across your entire perimeter. It provides the following functionality: Identify high-risk IoT devices Safely check for default or hard-coded passwords Generate clear IoT vulnerability reports and remediation guidance Perform external scans of up to 256 IPs

The attacker disabled the security controls of NetNTLMv1 by modifying the values of LMCompatibilityLevel, NTLMMinClientSec, and RestrictSendingNTLMTraffic. His next step was to extract all the non-network logon tokens from all the active processes to masquerade as a legitimate user to launch further attacks. Which of the following attacks was performed by the attacker? a. Internal monologue attack b. Rainbow table attack c. Dictionary attack d. Phishing attack

a. Internal monologue attack https://github.com/eladshamir/Internal-Monologue The Internal monologue attack allows NTLMv1 challenge-response hashes to be obtained from the victim's system, without injecting code in the memory or interacting with protected services such as the Local Security Authority Subsystem Service (LSASS). These hashes can then be cracked or subsequently used in a Pass-The-Hash (PTH) attack. This technique allows a tester to obtain credentials from the system without touching the LSASS process. The attack takes advantage of the NetNTLMv1 challenge-response protocol. The NetNTLMv1 protocol is insecure due to the way it calculates the challenge-response allowing an attacker to retrieve the NTLM hash by easily cracking the response. Furthermore, retrieving the NTLM hash of a user is almost synonymous to retrieving the plaintext password of a user, since it can be used for a 'Pass the Hash' attack technique or can be cracked to obtain the plaintext password. Although most modern systems are configured by default to avoid using NetNTLMv1, because the attacked is a local administrator of the system, a NetNTLM Downgrade attack can be performed to enable this weaker authentication scheme. This will disable preventive controls for NetNTLMv1. The attacker can then retrieve the non-network logon tokens from the running processes and impersonate the associated user. Using the impersonated user privilege, the attacker can invoke a local procedure call to the NTLM authentication package called MSV1_0 to encrypt a known challenge using SSPI - secure single sign-on technology in Windows. This will generate a NetNTLMv1 response for that challenge using the impersonated user's NTLM hash as a key. Now, due to the weakness in the NetNTLMv1 challenge-response protocol, the tester can easily extract the NTLM hash by cracking this response and perform a 'Pass the Hash' attack. Incorrect answers: Dictionary attack https://en.wikipedia.org/wiki/Dictionary_attack A dictionary attack is a form of brute force attack used for defeating a cipher or authentication mechanism by trying to determine its decryption key or passphrase by trying thousands or millions of likely possibilities, such as words in a dictionary or previously used passwords, often from lists obtained from past security breaches. Rainbow table attack https://en.wikipedia.org/wiki/Rainbow_table A rainbow table is a precomputed table for caching the output of cryptographic hash functions, usually for cracking password hashes. Tables are usually used in recovering a key derivation function (or credit card numbers, etc.) up to a certain length consisting of a limited set of characters. It is a practical example of a space-time tradeoff, using less computer processing time and more storage than a brute-force attack which calculates a hash on every attempt, but more processing time and less storage than a simple key derivation function with one entry per hash. Use of a key derivation that employs a salt makes this attack infeasible. Phishing attack https://en.wikipedia.org/wiki/Phishing Phishing is a type of social engineering where an attacker sends a fraudulent ("spoofed") message designed to trick a human victim into revealing sensitive information to the attacker or to deploy malicious software on the victim's infrastructure like ransomware. Phishing attacks have become increasingly sophisticated and often transparently mirror the site being targeted, allowing the attacker to observe everything while the victim is navigating the site, and transverse any additional security boundaries with the victim. As of 2020, phishing is by far the most common attack performed by cyber-criminals, with the FBI's Internet Crime Complaint Centre recording over twice as many incidents of phishing than any other type of computer crime.

Which of the following USB tools using to copy files from USB devices silently? a. USBDumper b. USBGrabber c. USBSnoopy d. USBSniffer

a. USBDumper https://www.ghacks.net/2006/09/15/how-to-dump-all-usb-files-without-the-user-knowing/ USBdumper runs silently as a background process once started and copies the complete contents of every connected usb device to the system without the knowledge of the user. It creates a directory with the current date and begins the background copying process. The user has no indication that the files stored on the USB device are copied from the USB to the local system.

Which of the following is an anonymizer that masks real IP addresses and ensures complete and continuous anonymity for all online activities? a. https://karmadecay.com b. https://www.baidu.com c. https://www.wolframalpha.com d. https://www.guardster.com

d. https://www.guardster.com I know that this question looks very strange. However, you may come across a question on this topic on the exam. In order to answer it, it is enough to know which of the following is a service for anonymous surfing. https://www.guardster.com/ "Guardster offers various services to let you use the Internet anonymously and securely. From our popular free web proxy service, to our secure SSH tunnel proxy, we have a variety of services to suit your needs."

Ivan, a black hacker, wants to attack the target company. He thought about the fact that vulnerable IoT devices could be used in the company. To check this, he decides to use the tool, scan the target network for specific types of IoT devices and detect whether they are using the default, factory-set credentials. Which of the following tools will Ivan use? a. Azure IoT Central b. Bullguard IoT c. Cloud IoT Core d. IoTSeeker

d. IoTSeeker IoTSeeker https://github.com/rapid7/IoTSeeker This scanner will scan a network for specific types of IoT devices to detect if they are using the default, factory-set credentials. The recent Internet outage has been attributed to use the IoT devices (CCTV Cameras, DVRs and others) with default credentials. It's the intention of this tool to help organizations scan their networks to detect these types of IoT devices and to identify whether credentials have been changed or if the device is still using the factory setting. Note that Mirai malware, suspected to have been used to launch the massive internet outage on Oct 21, 2016, mainly focuses on telnet services. IoTSeeker focuses on HTTP/HTTPS services. Incorrect answers: Bullguard IoT https://iotscanner.azurewebsites.net/ Bullguard's solution checks if your internet-connected devices at home are public on Shodan, the world's first search engine for Internet-connected devices. If the result is positive, this means that the public, including hackers, can access them. Knowing if your devices are public on Shodan represents a warning sign, allowing you to take further measures to improve your devices' security level. Azure IoT Central https://azure.microsoft.com/en-us/services/iot-central/#overview Azure IoT Central is an IoT application platform that reduces the burden and cost of developing, managing, and maintaining enterprise-grade IoT solutions. Choosing to build with IoT Central gives you the opportunity to focus time, money, and energy on transforming your business with IoT data, rather than just maintaining and updating a complex and continually evolving IoT infrastructure. Cloud IoT Core https://developers.google.com/iot IoT Core is a fully managed service that allows you to easily and securely connect, manage, and ingest data from millions of globally dispersed devices. IoT Core, in combination with other services on Google Cloud, provides a complete solution for collecting, processing, analyzing, and visualizing IoT data in real-time to support improved operational efficiency.

Emotet malware

Emotet is commonly spread by email, through attachments that contain malware and embedded URLs. The emails may appear to come from people or institutions that you trust, although in many cases these accounts themselves have been compromised. This method helps hackers trick people into clicking on attachments or links that infect their machine. Some of the most recent campaigns imitate receipts, shipping notifications, or "past-due" invoices from different organizations. If Emotet infects a computer connected to a network, it will try to infect other machines on the network by exploiting unpatched vulnerabilities. This is another reason to make sure your computer's operating system and anti-virus protections are regularly updated with the latest patches. Emotet currently uses five known spreader modules, according to the Multi-State Information Sharing & Analysis Center(link is external): NetPass.exe: a legitimate utility developed by NirSoft that recovers all network passwords stored on a system for the current logged-on user. This tool can also recover passwords stored in the credentials file of external drives. Outlook scraper: a tool that scrapes names and email addresses from the victim's Outlook accounts and uses that information to send out additional phishing emails from the compromised accounts. WebBrowserPassView: a password recovery tool that captures passwords stored by Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera and passes them to the credential enumerator module. Mail PassView: a password recovery tool that reveals passwords and account details for various email clients such as Microsoft Outlook, Windows Mail, Mozilla Thunderbird, Hotmail, Yahoo! Mail, and Gmail and passes them to the credential enumerator module. Credential enumerator: a self-extracting RAR file containing two components, a bypass and a service component. The bypass component is used for enumeration of network resources and either finds writable share drives using Server Message Block (SMB) or tries to brute force user accounts, including the administrator account. Once an available system is found, Emotet then writes the service component on the system, which writes Emotet onto the disk. Access to SMB can result in entire domains (servers and clients) becoming infected.

Identify the encryption algorithm by the description: Symmetric-key block cipher having a classical 12- or 16-round Feistel network with a block size of 64 bits for encryption, which includes large 8 × 32-bit S-boxes based on bent functions, modular addition and subtraction, key-dependent rotation, and XOR operations. This cipher also uses a "masking" key and a "rotation" key for performing its functions. a. CAST-128 b. AES c. DES d. GOST

a. CAST-128 https://www.rfc-editor.org/rfc/rfc2144 CAST-128 (alternatively CAST5) is a symmetric-key block cipher used in a number of products, notably as the default cipher in some versions of GPG and PGP. It has also been approved for Government of Canada use by the Communications Security Establishment. CAST-128 is a 12- or 16-round Feistel network with a 64-bit block size and a key size of between 40 and 128 bits (but only in 8-bit increments). The full 16 rounds are used when the key size is longer than 80 bits. Components include large 8×32-bit S-boxes based on bent functions, key-dependent rotations, modular addition and subtraction, and XOR operations. There are three alternating types of round function, but they are similar in structure and differ only in the choice of the exact operation (addition, subtraction or XOR) at various points. CAST-128 uses a pair of subkeys per round: a 32-bit quantity Km is used as a "masking" key and a 5-bit quantity Kr is used as a "rotation" key. Incorrect answers: AES https://en.wikipedia.org/wiki/Advanced_Encryption_Standard The Advanced Encryption Standard (AES), also known by its original name Rijndael, is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) in 2001. AES is a subset of the Rijndael block cipher developed by two Belgian cryptographers, Vincent Rijmen and Joan Daemen, who submitted a proposal to NIST during the AES selection process. Rijndael is a family of ciphers with different key and block sizes. For AES, NIST selected three members of the Rijndael family, each with a block size of 128 bits, but three different key lengths: 128, 192 and 256 bits. AES is based on a design principle known as a substitution-permutation network, and is efficient in both software and hardware. Unlike its predecessor DES, AES does not use a Feistel network. AES is a variant of Rijndael, with a fixed block size of 128 bits, and a key size of 128, 192, or 256 bits. By contrast, Rijndael per se is specified with block and key sizes that may be any multiple of 32 bits, with a minimum of 128 and a maximum of 256 bits. DES https://en.wikipedia.org/wiki/Data_Encryption_Standard DES is a block cipher and encrypts data in blocks of size of 64 bits each, which means 64 bits of plain text goes as the input to DES, which produces 64 bits of ciphertext. The same algorithm and key are used for encryption and decryption, with minor differences. The key length is 56 bits. The basic idea is shown in the figure. DES has 16 rounds. GOST https://en.wikipedia.org/wiki/GOST_(block_cipher) The GOST block cipher (Magma), defined in the standard GOST 28147-89 (RFC 5830), is a Soviet and Russian government standard symmetric key block cipher with a block size of 64 bits. The original standard, published in 1989, did not give the cipher any name, but the most recent revision of the standard, GOST R 34.12-2015 (RFC 7801, RFC 8891), specifies that it may be referred to as Magma. The GOST hash function is based on this cipher. The new standard also specifies a new 128-bit block cipher called Kuznyechik.

Identify the technology according to the description: It's an open-source technology that can help in developing, packaging, and running applications. Also, the technology provides PaaS through OS-level virtualization, delivers containerized software packages, and promotes fast software delivery. This technology can isolate applications from the underlying infrastructure and stimulating communication via well-defined channels. a. Docker b. Paravirtualization c. Virtual machine d. Serverless computing

a. Docker https://en.wikipedia.org/wiki/Docker_(software) Docker is a set of platform as a service (PaaS) products that use OS-level virtualization to deliver software in packages called containers. Containers are isolated from one another and bundle their own software, libraries and configuration files; they can communicate with each other through well-defined channels. Because all of the containers share the services of a single operating system kernel, they use fewer resources than virtual machines. Incorrect answers: Virtual machine https://en.wikipedia.org/wiki/Virtual_machine A virtual machine (VM) is the virtualization/emulation of a computer system. Virtual machines are based on computer architectures and provide functionality of a physical computer. Their implementations may involve specialized hardware, software, or a combination. Virtual machines differ and are organized by their function, shown here: - System virtual machines (also termed full virtualization VMs) provide a substitute for a real machine. They provide functionality needed to execute entire operating systems. A hypervisor uses native execution to share and manage hardware, allowing for multiple environments which are isolated from one another, yet exist on the same physical machine. Modern hypervisors use hardware-assisted virtualization, virtualization-specific hardware, primarily from the host CPUs. - Process virtual machines are designed to execute computer programs in a platform-independent environment. Paravirtualization https://en.wikipedia.org/wiki/Paravirtualization Paravirtualization or para-virtualization is a virtualization technique that presents a software interface to the virtual machines which is similar, yet not identical to the underlying hardware-software interface. The intent of the modified interface is to reduce the portion of the guest's execution time spent performing operations which are substantially more difficult to run in a virtual environment compared to a non-virtualized environment. The paravirtualization provides specially defined 'hooks' to allow the guest(s) and host to request and acknowledge these tasks, which would otherwise be executed in the virtual domain (where execution performance is worse). A successful paravirtualized platform may allow the virtual machine monitor (VMM) to be simpler (by relocating execution of critical tasks from the virtual domain to the host domain), and/or reduce the overall performance degradation of machine execution inside the virtual guest. Serverless computing https://en.wikipedia.org/wiki/Serverless_computing Serverless computing is a cloud computing execution model in which the cloud provider allocates machine resources on demand, taking care of the servers on behalf of their customers. Serverless computing does not hold resources in volatile memory; computing is rather done in short bursts with the results persisted to storage. When an app is not in use, there are no computing resources allocated to the app. Pricing is based on the actual amount of resources consumed by an application. It can be a form of utility computing. "Serverless" is a misnomer in the sense that servers are still used by cloud service providers to execute code for developers. However, developers of serverless applications are not concerned with capacity planning, configuration, management, maintenance, fault tolerance, or scaling of containers, VMs, or physical servers.

Experienced employees of the EC-Council monitor the market of security providers every day in search of the best solutions for your business. According to EC-Council experts, which vulnerability scanner combines comprehensive static and dynamic security checks to detect vulnerabilities such as XSS, File Inclusion, SQL injection, command execution, and more? a. AT&T USM Anywhere b. Syhunt Hybrid c. Cisco ASA d. Saleae Logic Analyzer

b. Syhunt Hybrid https://www.syhunt.com/en/?n=Products.SyhuntHybrid Syhunt Hybrid combines comprehensive static and dynamic security scans to detect vulnerabilities like XSS, File Inclusion, SQL Injection, Command Execution and many more, including inferential, in-band and out-of-band attacks through Hybrid-Augmented Analysis (HAST). With Syhunt's unique gray box/hybrid scanning capability the information acquired during source code scans is automatically used to create and enhance dynamic scans. All entry points are covered generating detailed information about the security level of your web applications. Available for on-premises deployment for businesses using Windows and Linux 64-bit. Incorrect answers: AT&T USM Anywhere https://cybersecurity.att.com/products/usm-anywhere USM Anywhere centralizes security monitoring of networks and devices in the cloud, on-premises, and in remote locations, helping you to detect threats virtually anywhere. Saleae Logic Analyzer https://www.saleae.com/ It is a powerful logic analyzer that lets you record and display signals in your circuit, so you can debug it fast. From Arduino projects to spacecraft control systems, over 20,000 professionals and enthusiasts use Logic each month to debug and understand their electrical designs. Cisco ASA https://en.wikipedia.org/wiki/Cisco_ASA Cisco ASA (Adaptive Security Appliance)— is a series of hardware firewalls developed by Cisco Systems. NOTE: I know I know. How will this "knowledge" help me in my work? It won't. This knowledge is required only for the exam.

Which of the following is a Metasploit post-exploitation module that is used to escalate privileges on systems? a. autoroute b. getsystem c. getuid d. keylogrecorder

b. getsystem https://www.offensive-security.com/metasploit-unleashed/privilege-escalation/ Metasploit has a Meterpreter script, getsystem, that will use a number of different techniques to attempt to gain SYSTEM level privileges on the remote system. There are also various other (local) exploits that can be used to also escalate privileges. At the link above, you can see an example of using getsystem to escalate privileges.

The attacker wants to draw a map of the target organization's network infrastructure to know about the actual environment they will hack. Which of the following will allow him to do this? a. Network enumeration b. Vulnerability analysis c. Scanning networks d. Malware analysis

c. Scanning networks https://en.wikipedia.org/wiki/Network_mapping https://w4rri0r.com/hacking-tools-windows-os-x-linux-android-solaris-unixware/network-mapping.html It would be much more logical to use the phrase "Network mapper," but you can meet a question on this topic with exactly this wording on the exam. The network map provides a topology view of your network to help you visualize network partitions, dependencies, and bottlenecks. Network mapping is the process of visualizing all the devices on network, how they're connected, and how the overall network is structured. There are two main levels of maps to consider: physical and logical. While open-source network mapping tools can create a physical network map, they may not offer automated scannin g to ensure the map is always up to date. There are three levels of maps to consider—physical, logical, and functional. A physical network map diagrams all the actual components of your network, including cords, plugs, racks, ports, servers, cables, and more. A physical network map gives you a visual representation of all the material elements of your network and the connections between them. A logical map is more abstract than the physical network map. It shows the type of network topology (bus, ring, etc.), and how the data flows between the physical objects in your network. This includes IP addresses, firewalls, routers, subnets and subnet masks, traffic flow, voice gateways, and other segments of the network. To note: Since logical and physical network maps depict the same network environment from two different perspectives, it's best to use both types to get a more comprehensive look at your network. A functional network map shows you how application traffic flows through the network physically. These types of network maps are only as useful as they are accurate, which means you need an appropriate and high-quality tool. Incorrect answers: Vulnerability Analysis A vulnerability analysis is a review that focuses on security-relevant issues that either moderately or severely impact the security of the product or system. Malware analysis https://en.wikipedia.org/wiki/Malware_analysis Malware analysis is the study or process of determining the functionality, origin and potential impact of a given malware sample such as a virus, worm, trojan horse, rootkit, or backdoor. Malware or malicious software is any computer software intended to harm the host operating system or to steal sensitive data from users, organizations or companies. Malware may include software that gathers user information without permission. Network enumeration https://en.wikipedia.org/wiki/Network_enumeration Network enumeration is a computing activity in which usernames and info on groups, shares, and services of networked computers are retrieved. It should not be confused with network mapping, which only retrieves information about which servers are connected to a specific network and what operating system runs on them. Network enumeration is the discovery of hosts or devices on a network. Network enumeration tends to use overt discovery protocols such as ICMP and SNMP to gather information. It may also scan various ports on remote hosts for looking for well known services in an attempt to further identify the function of a remote host. The next stage of enumeration is to fingerprint the operating system of the remote host.

The attacker needs to collect information about his victim - Maria. She is an extrovert who often posts a large amount of private information, photos, and location tags of recently visited places on social networks. Which automated tool should an attacker use to gather information to perform other sophisticated attacks? a. HULK b. Hootsuite c. Ophcrack d. VisualRoute

b. Hootsuite https://en.wikipedia.org/wiki/Hootsuite You can easily find a question on this topic in the exam, so it will be presented in this test, but I absolutely disagree with the EC-Council on this. Hootsuite is a social media management platform (for auto-posting, trends analyzing, etc.). It collects information from social networks only about users registered in it (photos, posts, etc.). You can read a little more information about their policies here: https://www.hootsuite.com/legal/privacy But, in the EC-Council's training materials, you will find the only mention of Hootsuite that refers to the answer to this question: "Many online tools such as Followerwonk, Hootsuite, and Sysomos are available to search for both geotagged and non-geotagged information on social media sites." Incorrect answers: Ophcrack https://en.wikipedia.org/wiki/Ophcrack Ophcrack is a free open-source (GPL licensed) program that cracks Windows log-in passwords by using LM hashes through rainbow tables. The program includes the ability to import the hashes from a variety of formats, including dumping directly from the SAM files of Windows. On most computers, ophcrack can crack most passwords within a few minutes. VisualRoute http://www.visualroute.com/ VisualRoute offers a wide variety of network tools that help users keep one step ahead of network issues such as bottle necks and packet loss/latency issues. HULK HULK is a Denial of Service (DoS) tool used to attack web servers by generating unique and obfuscated traffic volumes. HULK's generated traffic also bypasses caching engines and hits the server's direct resource pool.

You need to protect the company's network from imminent threats. To complete this task, you will enter information about threats into the security devices in a digital format to block and identify inbound and outbound malicious traffic entering the company's network. Which of the following types of threat intelligence will you use? a. Tactical threat intelligence. b. Technical threat intelligence. c. Strategic threat intelligence. d. Operational threat intelligence.

b. Technical threat intelligence. With technical cyber intelligence, information about the attacker's resources such as command and control channel, tools are collected. For example, it focuses on phishing emails or technical tips that indicate the cybersecurity threat to fraudulent URLs. The aim is to collect information about specific IOCs (IP address, phishing email header, hash checksum). This type of threat intelligence is important because it allows to analyze attacks. However, the value of technical threat intelligence is short-lived, as hackers often change their tactics. IOCs that are detected and analyzed at the right time are important. Tactical intelligence is used by employees in the SOC team. Thanks to the information obtained here, new rules are written in the current security products of the organization (such as IDS / IPs, firewall, endpoint security system). Also, suspicious IPs are detected by spam emails. The information obtained here feeds the products of the organization directly. Incorrect answers: Strategic threat intelligence Strategic Threat Intelligence provides a high level of information on the cybersecurity posture, threats, financial impact of cyber activities, attack trends, and their impact on business decisions. The information obtained can be used by senior executives at the company. The purpose of Strategic Threat Intelligence is to manage existing cyber risks and unknown future risks. This intelligence offers a risk-based approach. It focuses on the effects and possibilities of risks. The information provided here is suitable for long-term use. It helps in making strategic business decisions. For example, it can evaluate these results when deciding on budget / employee / product balance in protecting critical assets. Data collection sources for strategic intelligence are also high-level sources: OSINT, CTI vendors, and ISAO / ISACS. Operational threat intelligence Operational threat intelligence provides information to the managers of the defense teams about the specific threat to the company. People like head of network defenders, fraud detection manager incident response team manager understand the attack effect With incoming intelligence, it is attempted to identify the threat actor and to determine his capabilities and threatened IT assets. In operational threat intelligence, information is collected through hacker forums, chat rooms, social media, and the current cyber attack. The attack that may come with the collected information is estimated, and protection planning is issued. Tactical threat intelligence Tactical threat intelligence provides detailed information on the tactics, techniques, and procedures of threat actors. It is predominantly for a technical audience and helps them to understand how their networks are attacked based on the latest methods attackers used to achieve their goals. It provides information that can be consumed by security experts such as IT managers, SOC managers, NOC managers. These employees use tactical cyber intelligence to understand the technical capability and objectives of the offensive and identify their detection and mitigation strategies. Tactical cyber intelligence is collected through malware and incident reports, attack group reports, human Intelligence, and campaign reports.

Which of the following is a Mirai-based botnet created by threat group Keksec, which specializes in crypto mining and DDoS attacks? a. Censys b. BlueBorne c. SeaCat d. Enemybot

d. Enemybot https://www.fortinet.com/blog/threat-research/enemybot-a-look-into-keksecs-latest-ddos-botnet Keksec, aka Nero and Freakout, the threat actor behind the advanced EnemyBot botnet, is expanding its reach by leveraging more exploits, compromising multiple organizations regardless of their industry vertical. The EnemyBot malware authors took all the best and left behind the obsolete of code used in other botnets such as Gafgyt, Qbot, or Mirai. The botnet is currently used to weaponize security holes in products of such vendors as VMware, D-Link, Adobe, Zyxel, and WordPress, as well as leveraging vulnerabilities in web and CMS servers as well as Android and IoT devices. Adversaries put the bugs to use to be able to move laterally to get deeper into a compromised network and also launch distributed denial-of-service (DDoS) attacks. New one-day vulnerabilities quickly fall under the umbrella of this malware's attack capabilities. The botnet has four modules. The first section contains the python script, which is used to retrieve all dependencies and create the malware for various OS architectures. The second module is the main botnet source code. The third section is an obfuscation segment, and the last one includes the command-and-control component. Once in the system, the malware connects to the C&C server for instructions, which might include spreading to new devices, operating DDoS attacks, and running shell commands. Incorrect answers: Censys https://censys.io/ Censys is a web-based search platform for assessing attack surface for Internet connected devices. The tool can be used not only to identify Internet connected assets and Internet of Things/Industrial Internet of Things (IoT/IIoT), but Internet-connected industrial control systems and platforms. BlueBorne https://en.wikipedia.org/wiki/BlueBorne_(security_vulnerability) BlueBorne is a type of security vulnerability with Bluetooth implementations in Android, iOS, Linux and Windows. It affects many electronic devices such as laptops, smart cars, smartphones and wearable gadgets. One example is CVE-2017-14315. The vulnerabilities were first reported by Armis, an IoT security firm, on 12 September 2017. SeaCat https://teskalabs.com/products/seacat SeaCat cyber-security platform consists of a SeaCat SDK that is to be added into an mobile or IoT application, the SeaCat Gateway that is to be installed into demilitarized zone (DMZ) in front of the application backend servers and SeaCat PKI that is a service that provides enrolment, access and identity management. It is designed to be transparent to a mobile application developers, easily operable by sysadmins and to provide maximum visibility for cybersecurity teams.

nmap -T

Sets the timing for the scan: ▪ T0 - Paranoid (one port every five minutes) ▪ T1 - Sneaky (one port every 15 seconds) ▪ T2 - Polite ▪ T3 - Normal ▪ T4 - Aggressive ▪ T5 - Insane

Evil hacker Ivan knows that his target point and user are compatible with WPA2 and WPA 3 encryption mechanisms. He decided to install a rogue access point with only WPA2 compatibility in the vicinity and forced the victim to go through the WPA2 four-way handshake to connect. As soon as the connection is established, Ivan plans to use automated tools to crack WPA2-encrypted messages. Which of the following attacks does Ivan want to perform? a. Side-channel attack b. Timing-based attack c. Cache-based attack d. Downgrade security attack

d. Downgrade security attack https://www.welivesecurity.com/2019/04/11/wpa3-flaws-steal-wifi-passwords/ Downgrade Security Attacks To launch this attack, the client and AP should support both WPA3 and WPA2 encryption mechanisms. Here, the attacker forces the user to follow the older encryption method, WPA2, to connect to the network. A downgrade security attack can be implemented in the following two ways. - Exploiting backward compatibility: If a user and AP are compatible with both WPA2 and WPA3 encryption mechanisms, then the attacker installs a rogue AP with only WPA2 compatibility in the vicinity and forces the client to go through the four-way handshake (WPA2) to get connected. Once the connection is established, the attacker uses all the attack tools available to exploit or crack the WPA2 encryption. - Exploiting the Dragonfly handshake: In this method, the attacker masquerades as an authentic AP. When a user attempts to exchange keys to access the Internet using the WPA3 authentication mechanism, the attacker informs the user that it does not support the WPA3 method. Then, the attacker suggests the use of a weaker encryption mechanism such as WPA2 for accessing the Internet. Subsequently, the attacker can use various techniques to exploit or crack the WPA2 encryption. Incorrect answers: Side-channel attack https://en.wikipedia.org/wiki/Side-channel_attack A side-channel attack is any attack based on information gained from the implementation of a computer system, rather than weaknesses in the implemented algorithm itself (e.g. cryptanalysis and software bugs). Timing information, power consumption, electromagnetic leaks or even sound can provide an extra source of information, which can be exploited. Some side-channel attacks require technical knowledge of the internal operation of the system, although others such as differential power analysis are effective as black-box attacks. The rise of Web 2.0 applications and software-as-a-service has also significantly raised the possibility of side-channel attacks on the web, even when transmissions between a web browser and server are encrypted (e.g. through HTTPS or WiFi encryption), according to researchers from Microsoft Research and Indiana University. Many powerful side-channel attacks are based on statistical methods pioneered by Paul Kocher. Attempts to break a cryptosystem by deceiving or coercing people with legitimate access are not typically considered side-channel attacks: see social engineering and rubber-hose cryptanalysis. General classes of side-channel attack include: Cache attack — attacks based on attacker's ability to monitor cache accesses made by the victim in a shared physical system as in virtualized environment or a type of cloud service. Timing attack — attacks based on measuring how much time various computations (such as, say, comparing an attacker's given password with the victim's unknown one) take to perform. Power-monitoring attack — attacks that make use of varying power consumption by the hardware during computation. Electromagnetic attack — attacks based on leaked electromagnetic radiation, which can directly provide plaintexts and other information. Such measurements can be used to infer cryptographic keys using techniques equivalent to those in power analysis or can be used in non-cryptographic attacks, e.g. TEMPEST (aka van Eck phreaking or radiation monitoring) attacks. Acoustic cryptanalysis — attacks that exploit sound produced during a computation (rather like power analysis). Differential fault analysis — in which secrets are discovered by introducing faults in a computation. Data remanence — in which sensitive data are read after supposedly having been deleted. (i.e. Cold boot attack) Software-initiated fault attacks — Currently a rare class of side-channels, Row hammer is an example in which off-limits memory can be changed by accessing adjacent memory too often (causing state retention loss). Optical - in which secrets and sensitive data can be read by visual recording using a high resolution camera, or other devices that have such capabilities (see examples below).

Which of the following parameters is Nmap helps evade IDS or firewalls? a. -T b. -R c. -r d. -A

a. -T https://nmap.org/book/performance-timing-templates.html While the fine-grained timing controls discussed in the previous section are powerful and effective, some people find them confusing. Moreover, choosing the appropriate values can sometimes take more time than the scan you are trying to optimize. So Nmap offers a simpler approach, with six timing templates. You can specify them with the -T option and their number (0-5) or their name. The template names are: paranoid (0) sneaky (1) polite (2) normal (3) aggressive (4) insane (5) The first two are for IDS evasion. Polite mode slows down the scan to use less bandwidth and target machine resources. Normal mode is the default and so -T3 does nothing. Aggressive mode speeds scans up by making the assumption that you are on a reasonably fast and reliable network. Finally insane mode assumes that you are on an extraordinarily fast network or are willing to sacrifice some accuracy for speed. Incorrect answers: -A (Aggressive scan options) This option enables additional advanced and aggressive options. Presently this enables OS detection (-O), version scanning (-sV), script scanning (-sC) and traceroute (--traceroute). More features may be added in the future. The point is to enable a comprehensive set of scan options without people having to remember a large set of flags. However, because script scanning with the default set is considered intrusive, you should not use -A against target networks without permission. This option only enables features, and not timing options (such as -T4) or verbosity options (-v) that you might want as well. Options which require privileges (e.g. root access) such as OS detection and traceroute will only be enabled if those privileges are available. -R (DNS resolution for all targets) Tells Nmap to always do reverse DNS resolution on the target IP addresses. Normally reverse DNS is only performed against responsive (online) hosts. -r Nmap randomizes the port scan order by default to make detection slightly harder. The -r option causes them to be scanned in numerical order instead.

John, a black hat hacker, wants to find out if there are honeypots in the system that he will attack. For this purpose, he will use a time-based TCP fingerprinting method to validate the response to a computer and the response of a honeypot to a manual SYN request. Identify which of the following techniques will John use? a. Detecting the presence of Honeyd honeypots. b. Detecting the presence of Snort_inline honeypots. c. Detecting the presence of UML Honeypot. d. Detecting the presence of Sebek-based honeypots.

a. Detecting the presence of Honeyd honeypots. Detecting the presence of Honeyd Honeypot: Honeyd is a simulator honeypot engine that can create thousands of honeypots easily. The honeyd would respond to received SMTP requests with fake responses. An attacker can identify the presence of honeyd honeypot by performing time-based TCP fingerprinting methods. Incorrect answers: Detecting the presence of User-Mode Linux (UML) Honeypot: Attackers can identify the presence of UML honeypots by analyzing files such as /proc/mounts, /proc/interrupts, and /proc/cmdline, which contain UML-specific information. Detecting the presence of Sebek-based Honeypots: Attackers can detect the existence of Sebek-based honeypots by analyzing the congestion in the network layer, as Sebek data communication is usually unencrypted. Since Sebek logs everything that is accessed via reading () call before transferring to the network, it causes the congestion effect. Detecting the presence of Snort_inline Honeypot: Attackers can identify these honeypots by analyzing the outgoing packets. If an outgoing packet is dropped, it might look like a black hole to an attacker. When the snort_inline modifies an outgoing packet, the attacker can capture the modified packet through another host system and identify the packet modification.

The boss has instructed you to test the company's network from the attacker's point of view to find out what exploits and vulnerabilities are accessible to the outside world by using devices such as firewalls, routers, and servers. During this process, you should also external assessment estimates the threat of network security attacks external to the organization. What type of vulnerability assessment should you perform? a. External assessment b. Active Assessments c. Host-based Assessments d. Passive assessment

a. External assessment https://info-savvy.com/top-8-most-useful-vulnerability-assessments/ External Assessments External assessment assesses the network from a hacker's point of view to find out what exploits and vulnerabilities are accessible to the outside world. These types of assessments use external devices like firewalls, routers, and servers. An external assessment estimates the threat of network security attacks external to the organization. it determines how secure the external network and firewall are. Incorrect answers: Host-based Assessments Host-based assessments are a type of security check that involves carrying out a configuration-level check through the command line. These assessments check the security of a particular network or server. Host-based scanners assess systems to identify vulnerabilities such as incorrect registry and file permissions, as well as software configuration errors. Host-based assessment can use many commercial and open-source scanning tools. Passive Assessments Passive assessments sniff the traffic present on the network to identify the active systems, network services, applications, and vulnerability assessments. Even passive assessments provide a list of the users who are recently using the network. Active Assessments Active evaluation is a type of vulnerability assessment that uses network scanners to scan the network to identify the hosts, services, and vulnerabilities present in that network. These network scanners have the capability to reduce the intrusiveness of the checks they perform.

Which of the following is a cloud malware designed to exploit misconfigured kubelets in a Kubernetes cluster and infect all containers present in the Kubernetes environment? a. Hildegard b. Trivy c. Heartbleed d. Kubescape

a. Hildegard https://attack.mitre.org/software/S0601/ In January 2021, was detected a new malware campaign targeting Kubernetes clusters. The attackers gained initial access via a misconfigured kubelet that allowed anonymous access. Once getting a foothold into a Kubernetes cluster, the malware attempted to spread over as many containers as possible and eventually launched cryptojacking operations. The name of this new malware is Hildegard, the username of the tmate account that the malware used. Incorrect answers: Kubescape https://github.com/kubescape/kubescape Kubescape is a K8s open-source tool providing a Kubernetes single pane of glass, including risk analysis, security compliance, RBAC visualizer, and image vulnerability scanning. Heartbleed https://heartbleed.com/ The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs). Trivy https://github.com/aquasecurity/trivy Trivy is a comprehensive security scanner. It is reliable, fast, extremely easy to use, and it works wherever you need it. Trivy has different scanners that look for different security issues, and different targets where it can find those issues. Targets: Container Image Filesystem Git repository (remote) Kubernetes cluster or resource

Identify the correct sequence of steps involved in the vulnerability-management life cycle. a. Identify assets and create a baseline -> Vulnerability scan -> Risk assessment -> Remediation -> Verification -> Monitor. b. Vulnerability scan -> Identify assets and create a baseline -> Risk assessment -> Remediation -> Verification -> Monitor. c. Remediation -> Monitor -> Verification -> Vulnerability scan -> Risk assessment -> Identify assets and create a baseline. d. Vulnerability scan -> Risk assessment -> Identify assets and create a baseline -> Remediation -> Monitor -> Verification.

a. Identify assets and create a baseline -> Vulnerability scan -> Risk assessment -> Remediation -> Verification -> Monitor. According to EC-Council courseware, the correct order is as follows: 1. Identify assets and create a baseline This phase identifies critical assets and prioritizes them to define the risk based on the criticality and value of each system. This creates a good baseline for vulnerability management. 2. Vulnerability scan This phase is very crucial in vulnerability management. In this step, the security analyst performs the vulnerability scan on the network to identify the known vulnerabilities in the organization's infrastructure. 3. Risk assessment In this phase, all profound uncertainties associated with the system are assessed and prioritized, and remediation is planned to eliminate system flaws permanently. The risk assessment summarizes the vulnerability and risk level identified for each of the selected assets. 4. Remediation Remediation is the process of applying fixes on vulnerable systems in order to reduce the impact and severity of vulnerabilities. This phase is initiated after the successful implementation of the baseline and assessment steps. 5. Verification In this phase, the security team performs a re-scan of systems to assess if the required remediation is complete and whether the individual fixes have been applied to the impacted assets. 6. Monitor Organizations need to perform regular monitoring to maintain system security. They use tools such as IDS/IPS and firewalls. Continuous monitoring identifies potential threats and any new vulnerabilities that have evolved.

Which of the following is a Kubernetes component that can assign nodes based on the overall resource requirement, data locality, software/hardware/policy restrictions, and internal workload interventions? a. Kube-scheduler b. Kube-apiserver c. cloud-controller-manager d. Kube-controller-manager

a. Kube-scheduler According to EC-Council courseware: Kube-scheduler: Kube-scheduler is a master component that scans newly generated pods and allocates a node for them. It assigns the nodes based on factors such as the overall resource requirement, data locality, software/hardware/policy restrictions, and internal workload interventions. Kube-apiserver: The API server is an integral part of the Kubernetes control panel Module 19 Page 2834 that responds to all API requests. It serves as a front-end utility for the control panel and it is the only component that interacts with the etcd cluster and ensures data storage. Kube-controller-manager: Kube-controller-manager is a master component that runs controllers. Controllers are generally individual processes (e.g., node controller, endpoint controller, replication controller, service account and token controller) but are combined into a single binary and run together in a single process to reduce complexity. cloud-controller-manager: This is the master component used to run controllers that communicate with cloud providers. Cloud-controller-manager enables the Kubernetes code and cloud provider code to evolve separately.

Which of the following frameworks contains a set of the most popular tools that facilitate your tasks of collecting information and data from open sources? a. OSINT framework b. BeEF c. WebSploit Framework d. Speed Phish Framework

a. OSINT framework https://osintframework.com/ This tool is mainly used by security researchers and penetration testers for digital footprinting, OSINT research, intelligence gathering, and reconnaissance. It provides a simple web-based interface that allows you to browse different OSINT tools filtered by categories. It also provides an excellent classification of all existing intel sources, making it an excellent resource for knowing what infosec areas you are neglecting to explore or the next suggested OSINT steps for your investigation. Incorrect answers: WebSploit Framework https://sourceforge.net/projects/websploit/ This is an open source project which is used to scan and analysis remote system in order to find various type of vulnerabilities. This tool is very powerful and support multiple vulnerabilities. BeEF https://beefproject.com/ This is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser. Speed Phish Framework https://github.com/tatanus/SPF SPF (SpeedPhish Framework) is a python tool designed to allow for quick recon and deployment of simple social engineering phishing exercises.

You have been instructed to collect information about specific threats to the organization. You decide to collect the information from humans, social media, chat rooms, and events that resulted in cyberattacks. You also prepared a report that includes identified malicious activities, recommended courses of action, and warnings for emerging attacks in this process. Thanks to this information, you were able to disclose potential risks and gain insight into attacker methodologies. What is the type of threat intelligence collected by you? a. Operational threat intelligence. b. Strategic threat intelligence. c. Technical threat intelligence. d. Tactical threat intelligence.

a. Operational threat intelligence. https://info-savvy.com/types-of-threat-intelligence/ Operational Threat Intelligence: Operational threat intelligence provides info above specific threats against the organization. It provides contextual info above security events and incidents that help defenders disclose potential risks, offers bigger insight into offender methodologies, establishes past malicious activities, and performs investigations on malicious activity in a very more economical way. it's consumed by security managers or heads of incident response, network defenders, security forensics, and fraud detection groups. It helps organizations understand the possible threat actors and their intention, capability, and opportunity to attack vulnerable IT assets, and also the impact of the attack if it's with success several cases, only government organizations will collect this type of intelligence, that also helps IR and forensic groups in deploying security assets with the aim of identifying and stopping future attacks, up the capability of detecting attacks at an early stage, and reducing its harm thereon assets. Operational threat intelligence is mostly collected from sources like humans, social media and chat rooms, and additionally from real-world activities and events that lead to cyber-attacks. Operational threat intelligence is obtained by analyzing human behaviour, threat teams, and so on. This info helps in predicting future attacks and therefore enhancing incident response plans and mitigation ways as required. Operational threat intelligence is mostly within the kind of a report that contains known malicious activities, recommended courses of action, and warnings of emerging attacks. Incorrect answers: Strategic Threat Intelligence: Strategic threat intelligence provides high-level information relating to cyber security posture, threats, details regarding the money impact of various cyber activities, attack trends, and the impacts of high-level business selections. This info is consumed by high-level executives and management of the organization like IT management and CISO. It helps the management in characteristic current cyber risks, unknown future risks, threat teams, and attribution of breaches. The intelligence obtained provides a risk primarily based read that primarily focuses on high-level ideas of risks and their chance. It primarily focuses on long-term problems and provides a period of time alerts of threats on an organization's vital assets like IT infrastructure, employees, customers, and applications. This type of threat intelligence is employed by the management to require strategic business selections and to investigate the results of such decisions. supported the analysis, the management will assign comfortable budgets and employees to guard vital IT assets and business processes. Tactical Threat Intelligence: Tactical threat intelligence plays a serious role in protecting the resources of the organization. It provides info related to TTPs used by threat actors (attackers) to perform attacks. Tactical threat intelligence is consumed by cyber security professionals such as IT service managers, security operations managers, network operations center {NOC) employees, administrators, and architects. It helps the cyber security professionals understand however the adversaries area unit expected to perform the attack on the set-up; identify the knowledge leakage from the organization, and the technical capabilities and goals of the attackers alongside the attack vectors. Using tactical threat intelligence security personnel develop detection and mitigation ways beforehand by change security merchandise with known indicators, patching vulnerable systems, etc. The collection sources for tactical threat intelligence embrace campaign reports, malware, incident reports, attack group reports, human intelligence, etc. This intelligence is mostly obtained by reading white/technical papers, communicating with different organizations, or getting intelligence from third parties. It includes extremely technical info like malware, campaigns, techniques, and tools within the form of forensic reports. Technical Threat Intelligence: Technical threat intelligence provides information above an attacker's resources that are used to perform the attack; this includes command and control channels, tools, etc. It has a shorter lifespan compared to tactical threat intelligence and mainly focuses on a specific loC. It provides rapid distribution and response to threats. For example, a malware used to perform an attack is tactical threat intelligence, where as the details related to the specific implementation of the malware come under technical threat intelligence. Other examples of technical threat intelligence include specific IP addresses and domains used by malicious endpoints, phishing email headers, the hash checksum of malware, etc. Technical threat intelligence is consumed by SOC staff and IR teams. The indicators of technical threat intelligence are collected from active campaigns, attacks that are performed on other organizations, or data feeds provided by external third parties. These inculcators are generally collected as part of investigations on attacks performed on various organizations. This information helps security professionals add the identified indicators to the defensive systems such as 105/IPS, firewalls, and endpoint security systems, thereby enhancing the detection mechanisms used to identify the attacks at an early stage. It also helps them identify malicious traffic and suspected IP addresses used to spread malware and spam mails. This intelligence is directly fed into the security devices in digital format to block and identify inbound and outbound malicious traffic entering the organization's network.

The company "Work Town" hired a cybersecurity specialist to perform a vulnerability scan by sniffing the traffic on the network to identify the active systems, network services, applications, and vulnerabilities. What type of vulnerability assessment should be performed for "Work Town"? a. Passive assessment. b. External assessment. c. Active assessment. d. Internal assessment.

a. Passive assessment. To answer this question, we will have to look at the EC-Council training materials and look at their classification Types of Vulnerability Assessment. Passive Assessment Passive assessments sniff the traffic present on the network to identify the active systems, network services, applications, and vulnerabilities. Active Assessment A type of vulnerability assessment that uses network scanners to identify the hosts, services, and vulnerabilities present in a network. External Assessment The external assessment examines the network from a hacker's point of view to identify exploits and vulnerabilities accessible to the outside world. These types of assessments use external devices such as firewalls, routers, and servers. Internal Assessment An internal assessment involves scrutinizing the internal network to find exploits and vulnerabilities.

Identify the type of fault injection attack to IoT device by description: During this attack attacker injects faults into the power supply that can be used for remote execution, also causing the skipping of key instructions. Also, an attacker injects faults into the clock network used for delivering a synchronized signal across the chip. a. Power/clock/reset glitching b. Frequency/voltage tampering c. Optical, EMFI, BBI d. Temperature attack

a. Power/clock/reset glitching According to EC-Council's courseware: Power/Clock/Reset Glitching These types of attacks occur when faults or glitches are injected into the power supply that can be used for remote execution, also causing the skipping of key instructions. Faults can also be injected into the clock network used for delivering a synchronized Signal across the chip. Incorrect answers: Optical, Electromagnetic Fault Injection (EMFI), Body Bias Injection (BBI) The main objective of these attacks is to inject faults into devices by projecting lasers and electromagnetic pulses that are used in analog blocks such as random number generators (RNGs) and for applying high-voltage pulses. These faults are then used by the attackers in compromising the system's security. Frequency/Voltage Tampering In these attacks, the attackers try to tamper with the operating conditions of a chip, and they can also modify the level of the power supply and alter the clock frequency of the chip. The attackers intend to introduce fault behaviour into the chip to compromise the device security. Temperature Attacks Attackers alter the temperature for operating the chip, thereby changing the whole operating environment. This attack can be operated in non-nominal conditions.

The network administrator has received the task to eliminate all unencrypted traffic inside the company's network. During the analysis, it detected unencrypted traffic in port UDP 161. Which of the following protocols uses this port and what actions should the network administrator take to fix this problem? a. SNMP and he should change it to SNMP V3. b. SNMP and he should change it to SNMP V2. c. CMIP and enable the encryption for CMIP. d. RPC and the best practice is to disable RPC completely.

a. SNMP and he should change it to SNMP V3. https://en.wikipedia.org/wiki/Simple_Network_Management_Protocol SNMP operates in the application layer of the Internet protocol suite. All SNMP messages are transported via User Datagram Protocol (UDP). The SNMP agent receives requests on UDP port 161. The manager may send requests from any available source port to port 161 in the agent. The agent response is sent back to the source port on the manager. The manager receives notifications (Traps and InformRequests) on port 162. SNMPv1 is the oldest and original version of the SNMP protocol, supporting 32-bit counters. SNMP v1 biggest flaw is its use of a clear-text community string, which is used to identify the device and forms a very primitive style of authentication. With most devices using the default community string is "public", there is a significant risk of snooping or unauthorized changes depending on whether permissions have been set to read-only or write. SNMPv2 was created to alleviate the issue of the 32-bit counters, upgrading the protocol's capabilities to support 64-bit. The risks surrounding the community string still remain. SNMPv3 was recognized by the IETF in 2004. It adds both encryption and authentication options to prevent snooping and unauthorized access. Set us is far more complicated than creating a community string but mitigates many of the risks inherent in SNMP v1 and v2c.

What is the "wget 192.168.0.10 -q -S" command used for? a. Using wget to perform banner grabbing on the webserver. b. Download all the contents of the web page locally. c. Performing content enumeration on the web server to discover hidden folders. d. Flooding the web server with requests to perform a DoS attack.

a. Using wget to perform banner grabbing on the webserver. https://securitytrails.com/blog/banner-grabbing Banner Grabbing allows an attacker to discover network hosts and running services with their versions on the open ports and moreover operating systems so that he can exploit the remote host server. There are many tools for banner grabbing, including wget. Command: wget 192.168.0.10 -q -S The -q will suppress the normal output, and the -S parameter will print the headers sent by the HTTP server, which also works for FTP servers. The result: [test@wgettest ~]# wget 192.168.0.15 -q -S HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Mon, 08 Nov 2021 13:29:13 GMT Content-Type: text/html Content-Length: 5683 Last-Modified: Thu, 21 Oct 2021 17:44:09 GMT Connection: keep-alive ETag: "5bb65169-1633" Accept-Ranges: bytes [test@wgettest ~]#

This attack exploits a vulnerability that provides additional routing information in the SOAP header to support asynchronous communication. Also, it further allows the transmission of web-service requests and response messages using different TCP connections. Which of the following attacks matches the description above? a. WS-Address spoofing b. Soap Array Attack c. XML Flooding d. SOAPAction spoofing

a. WS-Address spoofing https://www.ws-attacks.org/WS-Addressing_spoofing The WS-Address standard allows the addition of routing information to the SOAP Header, allowing asynchronous communication. WS-Address spoofing - Generic - The generic definition describes the following scenario: An attacker sends a SOAP message, containing WS-Address information, to a web service server. The <ReplyTo> element doesn't contain the address of the attacker but instead the web service client who the attacker has chosen to receive the message. This results in unwanted traffic/SOAP messages for the receiving web service client. Depending on the amount of traffic DOS scenarios are possible. However other attack scenarios are possible too. WS-Address spoofing - BPEL Rollback This subtype requires the existence of some sort of BPEL engine. Lets assume that an attacker sends SOAP messages to a web service resulting in the creation of new BPEL process instances. The SOAP message contains a <ReplyTo> element with an invalid callback endpoint. After the SOAP message gets processed by the BPEL engine, it tries to call the endpoint defined in <ReplyTo>. This action results in some form of error response such as refused connections or SOAP faults. In return, this error response will be processed by the BPEL engine.In case a BPEL engine gets flooded with many SOAP messages as described above, a high workload for the BPEL engine will result. In the worst case a DOS is the result.This kind of flooding attack is a lot more devastating than regular flooding attacks, since one message results in the call of multiple actions/web service calls that are called by the BPEL engine. The attack only becomes visible once all stages of the BPEL engine are run through. Incorrect answers: SOAPAction spoofing https://www.ws-attacks.org/SOAPAction_Spoofing Each web service request contains some sort of operation that is later executed by the application logic. This operation can be found in the first child element of the SOAP Body. However, if HTTP is used to transport the SOAP message the SOAP standard allows the use of an additional HTTP header element called SOAPAction. This header element contains the name of the executed operation. It is supposed to inform the receiving web service of what operation is contained in the SOAP Body, without having to do any XML parsing. This "optimisation" can be used by an attacker to mount an attack, since certain web service frameworks determine the operation to be executed solely on the information contained in the SOAPAction attribut. XML Flooding https://www.ws-attacks.org/XML_Flooding XML Flooding (also known XML Flood) aims at exhausting the resources of a web service by sending a large number of legitimate SOAP Messages. This attack can be compared to the classical denial of service attack on web servers by flooding them with a large amount of valid HTTP requests until the server is unable to respond. Soap Array Attack https://www.ws-attacks.org/Soap_Array_Attack SOAP messages are flexible in many ways, even Arrays are supported. If you are new to SOAP arrays check the documentation by the W3C . However this feature that can be exploited by an attacker to cause a denial of service attack to limit the web service availability. Before an SOAP array is used, its size has to be defined, just like with many other programming languages. By default, SOAP doesn't limit the number of elements within an array. This property can be exploited by an attacker to execute a DOS attack limiting the availability of the web service. Let's assume an attacker declares an array with 1,000,000,000 String elements. Before the message is processed any further by the parser, the web service will reserve space for 1,000,000,000 String Elements in the RAM. In most cases that will lead to memory exhaustion of the attacked system.

To collect detailed information about services and applications running on identified open ports, nmap can perform version detection. To do this, various probes are used to receive responses from services and applications. Nmap requests probe information from the target host and analyzes the response, comparing it with known responses for various services, applications, and versions. Which of the options will allow you to run this scan? a. -sN b. -sV c. -sF d. -sX

b. -sV https://nmap.org/man/ru/man-version-detection.html - -sV (Version detection) Enables version detection, as discussed above. Alternatively, you can use -A, which enables version detection among other things. - -sN; -sF; -sX (TCP NULL, FIN, and Xmas scans) These three scan types (even more are possible with the --scanflags option described in the next section) exploit a subtle loophole in the TCP RFC to differentiate between open and closed ports. Page 65 of RFC 793 says that "if the [destination] port state is CLOSED .... an incoming segment not containing a RST causes a RST to be sent in response." Then the next page discusses packets sent to open ports without the SYN, RST, or ACK bits set, stating that: "you are unlikely to get here, but if you do, drop the segment, and return." When scanning systems compliant with this RFC text, any packet not containing SYN, RST, or ACK bits will result in a returned RST if the port is closed and no response at all if the port is open. As long as none of those three bits are included, any combination of the other three (FIN, PSH, and URG) are OK. Nmap exploits this with three scan types: - Null scan (-sN) Does not set any bits (TCP flag header is 0) - FIN scan (-sF) Sets just the TCP FIN bit. - Xmas scan (-sX) Sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree.

What is the name of a popular tool (or rather, an entire integrated platform written in Java) based on a proxy used to assess the security of web applications and conduct practical testing using a variety of built-in tools? a. Wireshark b. Burp Suite c. CxSAST d. Nmap

b. Burp Suite https://portswigger.net/burp Burp Suite is an integrated platform/graphical tool for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities. Burp Suite is installed by default in Kali Linux. The tool is written in Java and developed by PortSwigger Web Security. The tool has three editions: a Community Edition that can be downloaded free of charge, a Professional Edition and an Enterprise Edition that can be purchased after a trial period. The Community edition has significantly reduced functionality. It intends to provide a comprehensive solution for web application security checks. The Burp tools you will use for particular tasks are as follows: · Scanner - This is used to automatically scan websites for content and security vulnerabilities. · Intruder - This allows you to perform customized automated attacks, to carry out all kinds of testing tasks. · Repeater - This is used to manually modify and reissue individual HTTP requests over and over. · Collaborator client - This is used to generate Burp Collaborator payloads and monitor for resulting out-of-band interactions. · Clickbandit - This is used to generate clickjacking exploits against vulnerable applications. · Sequencer - This is used to analyze the quality of randomness in an application's session tokens. · Decoder - This lets you transform bits of application data using common encoding and decoding schemes. · Comparer - This is used to perform a visual comparison of bits of application data to find interesting differences. Incorrect answers: Wireshark https://en.wikipedia.org/wiki/Wireshark Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Nmap https://en.wikipedia.org/wiki/Nmap Nmap (Network Mapper) is a free and open-source network scanner created by Gordon Lyon. Nmap is used to discover hosts and services on a computer network by sending packets and analyzing the responses. CxSAST https://checkmarx.com/product/cxsast-source-code-scanning/ CxSAST is application performance management software and includes features such as diagnostic tools.

Christian received a letter in his email. It stated that if he forwarded this email to 10 more people, he would receive the money as a gift. Which of the following attacks was Christian subjected to? a. Spam Messages b. Chain letters c. Hoax letters d. Instant chat messenger

b. Chain letters https://www.greycampus.com/opencampus/ethical-hacking/computer-and-mobile-based-social-engineering Chain letters: Asking people to forward emails or messages to a predetermined number of recipients for gifts such as money and software. Hoax Letters: These are fake emails sending warnings about malware, virus, and worms causing harm to the computers. Spam Messages: These are unwanted irrelevant emails trying to gather user information. Instant Chat messengers: Gathering personal information from a single user by chatting with them.

Passwords are rarely stored in plain text, most often, one-way conversion (hashing) is performed to protect them from unauthorized access. However, there are some attacks and tools to crack the hash. Look at the following tools and select the one that can NOT be used for this. a. Hashcat b. Netcat c. John the Ripper d. Ophcrack

b. Netcat https://en.wikipedia.org/wiki/Password_cracking Most systems don't store passwords on them. Instead they store hashes of passwords and when authentication takes place, the password is hashes and if the hashes match authentication is successful. Different systems store password hashes in different ways depending on the encryption used. Password hash cracking usually consists of taking a wordlist, hashing each word and comparing it against the hash you're trying to crack. This is a variation of a dictionary attack because wordlists often are composed of not just dictionary words but also passwords from public password dumps. This type of cracking becomes difficult when hashes are salted). https://en.wikipedia.org/wiki/Netcat Netcat is a utility capable of establishing a TCP or UDP connection between two computers, meaning it can write and read through an open port. With the help of the program, files can be transferred and commands can be executed in some instances. Incorrect answers: Hashcat https://hashcat.net/ Hackers use Hashcat to automate attacks against passwords and other shared secrets. It gives the user the ability to brute-force credential stores using known hashes, to conduct dictionary attacks and rainbow tables, and to reverse engineer readable information on user behavior into hashed-password combination attacks. John the Ripper https://www.openwall.com/john/ John the Ripper is an offline password cracker. In other words, it tries to find passwords from captured files without having to interact with the target. By doing this, it does not generate suspicious traffic since the process is generally performed locally, on the attacker's machine. Although it's primarily used to crack password hashes, John can also be used to crack protected archive files, encrypted private keys, and many more. Ophcrack https://ophcrack.sourceforge.io/ Ophcrack is a password cracker based on rainbow tables, a method that makes it possible to speed up the cracking process by using the result of calculations done in advance and stored rainbow tables.

During testing, you discovered a vulnerability that allows hackers to gain unauthorized access to API objects and perform actions such as viewing, updating and deleting sensitive data. Which of the following API vulnerabilities have you found? a. Code Injections. b. No ABAC validation. c. Business Logic Flaws. d. RBAC Privilege Escalation.

b. No ABAC validation. No ABAC validation: No proper attribute-based access control (ABAC) validation allows attackers to gain unauthorized access to API objects or perform actions such as viewing, updating, or deleting. RBAC Privilege Escalation: Privilege escalation is a common vulnerability present in APls having role-based access control (RBAC) where changes to endpoints are made without proper attention. Allow attackers to gain access to users' sensitive information Business Logic Flaws: Many APIs come with vulnerabilities in business logic. Allow attackers to exploit legitimate workflows for malicious purposes. Code Injections: If the input is not sanitized, attackers may use code injection techniques such as SQLi and XS5 to add malicious SQL statements or code to the input fields on the API. Allow attackers to steal critical information such as session cookies and user credentials.

Which of the following is the fastest way to perform content enumeration on a web server using the Gobuster tool? a. Skipping SSL certificate verification. b. Performing content enumeration using a wordlist. c. Performing content enumeration using the brute-force mode and 10 threads. d. Performing content enumeration using the brute-force mode and random file extensions.

b. Performing content enumeration using a wordlist. https://en.wikipedia.org/wiki/Dictionary_attack https://en.wikipedia.org/wiki/Brute-force_attack To answer this question, you need to pay attention to the phrase "fastest way", and nothing is said about success. Naturally, a Dictionary attack (a form of brute force attack) will be much "faster" than the common brute-force attack. Wordlist Specification (Gobuster) https://patchthenet.com/articles/using-gobuster-to-find-hidden-web-content/ Gobuster enumerates directories and files by performing dictionary attacks. A dictionary attack consists of testing a list of words, (or a combination of words) in the hope that the correct word is contained within this list. So, in order for Gobuster to perform a dictionary attack, we need to provide it with a wordlist. To do that, just type in the '-w' option, followed by the path to the wordlist file. We can use a file from the wordlists that we've downloaded earlier.

Modern security mechanisms can stop various types of DDoS attacks, but if they only check incoming traffic and mostly ignore return traffic, attackers can bypass them under the disguise of a valid TCP session by carrying an SYN, multiple ACK, and one or more RST or FIN packets. What is the name of such an attack? a. UDP flood attack. b. Spoofed session flood attack. c. Peer-to-peer attack. d. Ping-of-death attack.

b. Spoofed session flood attack. https://ddos-guard.net/en/terminology/attack_type/fake-session-attack-spoofed-session-flood The algorithm of this type of attacks comes down to TCP session emulation on networks with asymmetric routing: the attacker generates fake SYN-packets that are followed by a lot of ACK, and finally FIN/RST packets. All these packets resemble real TCP session traffic that is being sent from one host to another. Bearing in mind that today most networks have asymmetric traffic routing (in which incoming and outgoing packets are being sent via different routes), and modern network security tools are designed for the analysis of unidirectional traffic (and not for the analysis of return traffic), conditions for this type of attack are perfect. Thus, simulating TCP communication and bypassing security tools that analyze only the incoming traffic, the attacker can exhaust system resources and make the victim server inaccessible. There are two types of such attacks: 1. The attack starts with sending several falsified SYN packets, followed by a number of ACK, and one or more FIN/RST packets; 2. Skipping SYN packets, the attack starts with sending multiple ACK, followed by one or more FIN/RST packets. Due to the relatively low speed used to send fake packets, it is more difficult to detect this type of attack than a regular flood, while achieving the same result: exhaustion of the victim server system resources. Incorrect answers: UDP flood attack https://en.wikipedia.org/wiki/UDP_flood_attack Numerous fabricated UDP packets are fired at a server until it becomes unresponsive. Peer-to-peer attack https://en.wikipedia.org/wiki/Denial-of-service_attack#Peer-to-peer_attacks A peer-to-peer DDoS attack is when an attacker exploits bugs in peer-to-peer servers to execute a DDoS attack. Ping-of-death attack https://en.wikipedia.org/wiki/Ping_of_death A ping of death is a type of attack on a computer system that involves sending a malformed or otherwise malicious ping to a computer.

Which antenna is commonly used in communications for a frequency band of 10 MHz to VHF and UHF? a. Parabolic grid antenna b. Yagi antenna c. Omnidirectional antenna d. Dipole antenna

b. Yagi antenna https://en.wikipedia.org/wiki/Yagi%E2%80%93Uda_antenna A Yagi-Uda antenna or simply Yagi antenna, is a directional antenna consisting of two or more parallel resonant antenna elements in an end-fire array; these elements are most often metal rods acting as half-wave dipoles. Yagi-Uda antennas consist of a single driven element connected to a radio transmitter and/or receiver through a transmission line, and additional "parasitic elements" with no electrical connection, usually including one so-called reflector and any number of directors. It was invented in 1926 by Shintaro Uda of Tohoku Imperial University, Japan, with a lesser role played by his colleague Hidetsugu Yagi. Reflector elements (usually only one is used) are slightly longer than the driven dipole and placed behind the driven element, opposite the direction of intended transmission. Directors, on the other hand, are a little shorter and placed in front of the driven element in the intended direction. These parasitic elements are typically off-tuned short-circuited dipole elements, that is, instead of a break at the feedpoint (like the driven element) a solid rod is used. They receive and reradiate the radio waves from the driven element but in a different phase determined by their exact lengths. Their effect is to modify the driven element's radiation pattern. The waves from the multiple elements superpose and interfere to enhance radiation in a single direction, increasing the antenna's gain in that direction. Also called a beam antenna and parasitic array, the Yagi is very widely used as a high-gain antenna on the HF, VHF and UHF bands. It has moderate to high gain depending on the number of elements present, sometimes reaching as high as 20 dBi, in a unidirectional beam pattern. As an end-fire array, it can achieve a front-to-back ratio of up to 20 dB. It retains the polarization common to its elements, usually linear polarization (its elements being half-wave dipoles). It is relatively lightweight, inexpensive and simple to construct.The bandwidth of a Yagi antenna, the frequency range over which it maintains its gain and feedpoint impedance, is narrow, just a few percent of the center frequency, decreasing for models with higher gain, making it ideal for fixed-frequency applications. The largest and best-known use is as rooftop terrestrial television antennas, but it is also used for point-to-point fixed communication links, in radar antennas, and for long distance shortwave communication by shortwave broadcasting stations and radio amateurs.

Which of the following commands is used to clear the bash history? a. history -a b. history -c c. history -n d. history -w

b. history -c https://www.gnu.org/software/bash/manual/html_node/Bash-History-Builtins.html history -c Clear the history list. This may be combined with the other options to replace the history list completely. history -w Write out the current history list to the history file history -a Append the new history lines to the history file. These are history lines entered since the beginning of the current Bash session, but not already appended to the history file. history -n Append the history lines not already read from the history file to the current history list. These are lines appended to the history file since the beginning of the current Bash session.

Lisandro was hired to steal critical business documents of a competitor company. Using a vulnerability in over-the-air programming (OTA programming) on Android smartphones, he sends messages to company employees on behalf of the network operator, asking them to enter a PIN code and accept new updates for the phone. After the employee enters the PIN code, Lisandro gets the opportunity to intercept all Internet traffic from the phone. What type of attack did Lisandro use? a. Tap 'n ghost attack. b. Bypass SSL pinning. c. Advanced SMS phishing. d. Social engineering.

c. Advanced SMS phishing. The following link presents an investigation by Check Point Researchers: Advanced SMS Phishing Attacks Against Modern Android-based Smartphones A security flaw in Samsung, LG, Sony, Huawei and other Android smartphones has been discovered that leaves users vulnerable to advanced SMS phishing attacks, Check Point Research -- the threat intelligence arm of cybersecurity firm Check Point Software Technologies Ltd. said on Thursday. Researchers at the cybersecurity firm said certain Samsung phones are the most vulnerable to this form of phishing attack because they do not have an authenticity check for senders of Open Mobile Alliance Client Provisioning (OMA CP) messages. The affected Android phones use OTA provisioning, through which cellular network operators can deploy network-specific settings to a new phone joining their network. However, researchers at Check Point found that the industry standard for OTA provisioning -- the OMA CP, includes limited authentication methods and remote agents can exploit this to pose as network operators and send deceptive OMA CP messages to users. The message tricks users into accepting malicious settings that route their Internet traffic through a proxy server owned by the hacker. NOTE: For the exam, it is enough just to know about this type of attack, but I advise you to read the full investigation - it is very interesting. This vulnerability affected a lot of Android phones, but it was quickly discovered and vendors released patches to fix it. Nevertheless, this vulnerability gave rise to a new level of smishing attacks - Advanced SMS Phishing.

Are you sure your network is perfectly protected and no evil hacker Ivan listens to all your traffic? What, ignorance is the greatest source of happiness. There is a powerful tool written in Go that will allow an attacker to carry out a Man in the middle (MITM) attack using, for example, ordinary arp spoofing. What kind of tool are we talking about? a. Gobbler b. Wireshark c. BetterCAP d. DerpNSpoof

c. BetterCAP https://www.bettercap.org/ bettercap is a powerful, easily extensible and portable framework written in Go which aims to offer to security researchers, red teamers and reverse engineers an easy to use, all-in-one solution with all the features they might possibly need for performing reconnaissance and attacking WiFi networks, Bluetooth Low Energy devices, wireless HID devices and Ethernet networks. One of the main feature is: · ARP, DNS, NDP and DHCPv6 spoofers for MITM attacks on IPv4 and IPv6 based networks. Incorrect answers: Wireshark https://www.wireshark.org/ Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. DerpNSpoof https://github.com/Trackbool/DerpNSpoof Simple DNS Spoofing tool made in Python 3 with Scapy. Gobbler http://gobbler.sourceforge.net/ Spoofed remote OS detection tool.

Adam is a shopaholic, and he constantly surfs on the Internet in search of discounted products. The hacker decided to take advantage of this weakness of Adam and sent a fake email containing a deceptive page link to his social media page with information about a sale. Adam anticipating the benefit didn't notice the malicious link, clicked on them and logged in to that page using his valid credentials. Which of the following tools did the hacker probably use? a. sixnet-tools b. XOIC c. Evilginx d. PyLoris

c. Evilginx During the exam, you will meet several questions where the situation will be described very abstractly, and several tools are given to choose from. You can answer these questions by the exclusion method. One of the options will be correct, and three are absolutely wrong, such as in this question. Evilginx (https://github.com/kgretzky/evilginx) - Evilginx is a man-in-the-middle attack framework used for phishing credentials and session cookies of any web service. It's core runs on Nginx HTTP server, which utilizes proxy_pass and sub_filter to proxy and modify HTTP content, while intercepting traffic between client and server. XOIC is a DDoS attacking tool. PyLoris is aslow HTTP DoS tool which enables the attacker to craft its own HTTP request headers. sixnet-tools is a tool for exploiting sixnet RTUs.

In which of the following attacks does the attacker receive information from data sources such as voice assistants, multimedia messages, and audio files by using a malicious app to breach speech privacy? a. DroidDream b. SIM swap scam c. Spearphone attack d. Smudge attack

c. Spearphone attack http://www.winlab.rutgers.edu/~yychen/papers/(WiSec'21)%20Spearphone%20a%20lightweight%20speech%20privacy%20exploit%20via%20accelerometer-sensed%20reverberations%20from%20smartphone%20loudspeakers.pdf The Spearphone attack breaches speech privacy by exploiting the motion sensor 'accelerometer' and capturing speech reverberations generated through the loudspeaker. This, in turn, empowers the attackers to listen to every sound coming out of the loudspeaker including conversations, music, or any other audio. Incorrect answers: Smudge attack https://en.wikipedia.org/wiki/Smudge_attack A smudge attack is an information extraction attack that discerns the password input of a touchscreen device such as a cell phone or tablet computer from fingerprint smudges. An attack occurs when an unauthorized user is in possession or is nearby the device of interest. The attacker relies on detecting the oily smudges produced and left behind by the user's fingers to find the pattern or code needed to access the device and its contents. Simple cameras, lights, fingerprint powder, and image processing software can be used to capture the fingerprint deposits created when the user unlocks their device. Under proper lighting and camera settings, the finger smudges can be easily detected, and the heaviest smudges can be used to infer the most frequent input swipes or taps from the user. DroidDream DroidDream is a mobile botnet type of malware that appeared in spring 2011. The DroidDream Trojan gained root access to Google Android mobile devices in order to access unique identification information for the phone. Once compromised, a DroidDream-infected phone could also download additional malicious programs without the user s knowledge as well as open the phone up to control by hackers. SIM swap scam https://en.wikipedia.org/wiki/SIM_swap_scam A SIM swap scam (also known as a port-out scam, SIM splitting, Smishing, and simjacking, SIM swapping) is a type of account takeover fraud that generally targets a weakness in two-factor authentication and two-step verification in which the second factor or step is a text message (SMS) or call placed to a mobile telephone.

Which of the scenarios corresponds to the behavior of the attacker from the example below: The attacker created and configured multiple domains pointing to the same host to switch quickly between the domains and avoid detection. a. Data staging. b. DNS tunnelling. c. Unspecified proxy activities. d. Use of command-line interface.

c. Unspecified proxy activities. You will probably find such a classification of Adversarial Behavioral Identification only in the EC-Council's training materials. Still, you can find a question on this topic on the exam, so you need to understand it. Unspecified Proxy Activities An adversary can create and configure multiple domains pointing to the same host, thus, allowing an adversary to switch quickly between the domains to avoid detection. Security professionals can find unspecified domains by checking the data feeds that are generated by those domains. Use of Command-Line Interface On gaining access to the target system, an adversary can use the command-line interface to interact with the target system, browse the files, read file content, modify file content, create new accounts, connect to the remote system, and download and install malicious code. Data staging After successfully penetrating a target's network, the adversary uses data staging techniques to collect and combine as much data as possible. The types of data collected by an adversary include sensitive data about the employees and customers, financial information, etc. DNS tunnelling Adversaries use DNS tunnelling to obfuscate malicious traffic in the legitimate traffic carried by common protocols used in the network. Using DNS tunnelling, an adversary can also communicate with the command and control server, bypass security controls, and perform data exfiltration.

Andrew, an evil hacker, researched the website of the company which he wants to attack. During the research, he finds a web page and understands that the company's application is potentially vulnerable to Server-side Includes Injection. Which web-page file type did Andrew find while researching the site? a. .rss b. .html c. .stm d. .cms

c. stm https://medium.com/@briskinfosec/server-side-includes-injection-4b2b624393c7 SSIs are directives present on Web applications used to feed an HTML page with dynamic contents. They are similar to CGIs, except that SSIs are used to execute some actions before the current page is loaded or while the page is being visualized. In order to do so, the webserver analyzes SSI before supplying the page to the user. The Server-Side Includes attack allows the exploitation of a web application by injecting scripts in HTML pages or executing arbitrary codes remotely. It can be exploited through manipulation of SSI in use in the application or force its use through user input fields. It is possible to check if the application is properly validating input fields data by inserting characters that are used in SSI directives, like: < ! # = / . " - > and [a-zA-Z0-9] Another way to discover if the application is vulnerable is to verify the presence of pages with extension .stm, .shtm and .shtml. However, the lack of these types of pages does not mean that the application is protected against SSI attacks. In any case, the attack will be successful only if the webserver permits SSI execution without proper validation. This can lead to access and manipulation of file system and process under the permission of the webserver process owner.

The date and time of the remote host can theoretically be used against some systems to use weak time-based random number generators in other services. Which option in Zenmap will allow you to make ICMP Timestamp ping? a. -PY b. -PN c. -PU d. -PP

d. -PP https://nmap.org/book/host-discovery-techniques.html Don't ping - nmap -PN [target] UDP ping - Nmap -PU [target] ICMP Timestamp ping nmap - nmap -PP [target] SCTP Init Ping - nmap -PY [target] NOTE: https://nmap.org/zenmap/ Zenmap is the official Nmap Security Scanner GUI. It is a multi-platform (Linux, Windows, Mac OS X, BSD, etc.) free and open-source application that aims to make Nmap easy for beginners to use while providing advanced features for experienced Nmap users. Frequently used scans can be saved as profiles to make them easy to run repeatedly. A command creator allows the interactive creation of Nmap command lines. Scan results can be saved and viewed later. Saved scan results can be compared with one another to see how they differ. The results of recent scans are stored in a searchable database.

Techniques such as, password cracking or enumeration are much more efficient and faster if performed using a wordlist. Of course, there are a huge number of them in different directions on the Internet or already installed in your Kali or Parrot OS, but an attacker can create his wordlist specifically for the target he is attacking. This requires conducting intelligence and collecting information about the victim. Many tools allow you to automate this process. Which of the following tools can scan a website and create a wordlist? a. Orbot b. Psiphon c. Shadowsocks d. CeWL

d. CeWL https://tools.kali.org/password-attacks/cewl CeWL is a ruby app which spiders a given url to a specified depth, optionally following external links, and returns a list of words which can then be used for password crackers such as John the Ripper. Incorrect answers: Orbot https://en.wikipedia.org/wiki/Orbot It is a free software Proxy server project to provide anonymity on the Internet for users of the Android operating system. It acts as an instance of the Tor network on such devices and allows traffic routing from a device's web browser, e-mail client, map program, etc., through the Tor network, providing anonymity for the user. Shadowsocks https://en.wikipedia.org/wiki/Shadowsocks It is a free and open-source encryption protocol project, widely used in China to circumvent Internet censorship. Psiphon https://en.wikipedia.org/wiki/Psiphon It is a free and open-source Internet censorship circumvention tool that uses a combination of secure communication and obfuscation technologies (VPN, SSH, and HTTP Proxy). Psiphon is a centrally managed and geographically diverse network of thousands of proxy servers, using a performance-oriented, single- and multi-hop architecture.

Which of the following is an on-premise or cloud-hosted solution responsible for enforcing security, compliance, and governance policies in the cloud application? a. Container Security Tools b. Next-Generation Secure Web Gateway c. Secure access service edge d. Cloud Access Security Broker

d. Cloud Access Security Broker https://en.wikipedia.org/wiki/Cloud_access_security_broker https://www.microsoft.com/en-ww/security/business/security-101/what-is-a-cloud-access-security-broker-casb A cloud access security broker (CASB) is an on-premises or cloud-based security policy enforcement point between cloud service consumers and providers to combine and interject enterprise security policies as cloud-based resources are accessed. CASB solutions help to reduce cloud service risks, enforce security policies, and comply with regulations, even when cloud services are beyond their perimeter and out of their direct control. Incorrect answers: Next-Generation Secure Web Gateway https://gbhackers.com/next-generation-swg/ A Next-Generation Secure Web Gateway is a cloud-based security solution that provides advanced protection against data risks. Next-Gen SWGs use a variety of security techniques, including but not limited to: application control, user and entity behavior analytics (UEBA), and machine learning to protect against threats. A next-generation SWG will also give you visibility into all traffic passing through your network, including encrypted traffic. Secure access service edge https://en.wikipedia.org/wiki/Secure_access_service_edge https://www.cisco.com/c/en/us/products/security/what-is-sase-secure-access-service-edge.html A secure access service edge (SASE) is a technology used to deliver wide area network (WAN) and security controls as a cloud computing service directly to the source of connection (user, device, Internet of things (IoT) device, or edge computing location) rather than a data center. It uses cloud and edge computing technologies to reduce the latency that results from backhauling all WAN traffic over long distances to one or a few corporate data centers due to the increased movement off-premises of dispersed users and their applications. This also helps organizations support dispersed users and their devices with digital transformation and application modernization initiatives. Container Security Tools Container security tools help to protect containerized files or applications with their connected networks and infrastructure. Usually, container security solutions use to test security, manage access, and safeguard cloud computing infrastructure operating containerized applications. Administrators can use management features to help them decide who can access container information or integrate with containerized applications. Testing helps inform security policies, identify zero-day vulnerabilities, and replicate attacks from known threat areas.

Ivan, an evil hacker, spreads Emotet malware through the malicious script in the organization he attacked. After infecting the device, he used Emote to spread the infection across local networks and beyond to compromise as many machines as possible. He reached this thanks to a tool which is a self-extracting RAR file (containing bypass and service components) to retrieve information related to network resources such as writable share drives. What tool did Ivan use? a. NetPass.exe b. Mail PassView c. Outlook scraper d. Credential enumerator

d. Credential enumerator **keyword is RAR https://cybersecurity.wa.gov/news/emotet-growing-threat Credential enumerator: a self-extracting RAR file containing two components, a bypass and a service component. The bypass component is used for enumeration of network resources and either finds writable share drives using Server Message Block (SMB) or tries to brute force user accounts, including the administrator account. Once an available system is found, Emotet then writes the service component on the system, which writes Emotet onto the disk. Access to SMB can result in entire domains (servers and clients) becoming infected. Incorrect answers: NetPass.exe: a legitimate utility developed by NirSoft that recovers all network passwords stored on a system for the current logged-on user. This tool can also recover passwords stored in the credentials file of external drives. Outlook scraper: a tool that scrapes names and email addresses from the victim's Outlook accounts and uses that information to send out additional phishing emails from the compromised accounts. Mail PassView: a password recovery tool that reveals passwords and account details for various email clients such as Microsoft Outlook, Windows Mail, Mozilla Thunderbird, Hotmail, Yahoo! Mail, and Gmail and passes them to the credential enumerator module.

sqlmap.py -u "http://10.10.37.12/?p=1&forumaction=search" --dbs Which of the following does this command do? a. Creating backdoors using SQL injection. b. Retrieving SQL statements being executed on the database. c. Searching database statements at the IP address given. d. Enumerating the databases in the DBMS for the URL.

d. Enumerating the databases in the DBMS for the URL. http://manpages.org/sqlmap -u URL, --url=,URL/ Target URL (e.g. "http://www.site.com/vuln.php?id=1") --dbs Enumerate DBMS databases

Which of the following is a tool that passively maps and visually displays an ICS/SCADA network topology while safely conducting device discovery, accounting, and reporting on these critical cyber-physical systems? a. Radare2 b. Fritzing c. SearchDiggity d. GRASSMARLIN

d. GRASSMARLIN https://github.com/nsacyber/GRASSMARLIN GRASSMARLIN provides IP network situational awareness of industrial control systems (ICS) and Supervisory Control and Data Acquisition (SCADA) networks to support network security. Passively map, and visually display, an ICS/SCADA network topology while safely conducting device discovery, accounting, and reporting on these critical cyber-physical systems. Incorrect answers: Fritzing https://fritzing.org/ Fritzing is an open-source hardware initiative that makes electronics accessible as creative material for anyone. The Fritzing tool assists attackers in designing electronic diagrams and circuits. Radare2 https://en.wikipedia.org/wiki/Radare2 https://github.com/radareorg/radare2 Radare2 is a complete framework for reverse-engineering and analyzing binaries, composed of a set of small utilities that can be used together or independently from the command line. Built around a disassembler for computer software that generates assembly language source code from machine-executable code, it supports various executable formats for different processor architectures and operating systems. SearchDiggity https://resources.bishopfox.com/resources/tools/google-hacking-diggity/attack-tools/ https://bishopfox.com/tools/google-hacking-diggity-project SearchDiggity is the primary attack tool of the Google Hacking Diggity Project. It's Bishop Fox's MS Windows GUI application serves as a front-end to the most recent versions of Diggity tools: GoogleDiggity, BingDiggity, Bing LinkFromDomainDiggity, CodeSearchDiggity, DLPDiggity, FlashDiggity, MalwareDiggity, PortScanDiggity, SHODANDiggity, BingBinaryMalwareSearch, and NotInMyBackYard Diggity.

Black-hat hacker Ivan attacked the SCADA system of the industrial water facility. During the exploration process, he discovered that outdated equipment was being used, the human-machine interface (HMI) was directly connected to the Internet and did not have any security tools or authentication mechanism. This allowed Ivan to control the system and influence all processes (including water pressure and temperature). What category does this vulnerability belong to? a. Code Injection. b. Credential Management. c. Memory Corruption. d. Lack of Authorization/Authentication and Insecure Defaults.

d. Lack of Authorization/Authentication and Insecure Defaults. https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/the-state-of-scada-hmi-vulnerabilities Most SCADA / ICS equipment has a dedicated system for managing and monitoring industrial systems. Most people in the industry call this a human-machine interface or HMI. This system is essential for managing industrial systems, but it can also be an important vector for attackers. If an attacker could endanger the HMI, the attacker owns your industrial network. These systems have been compromised in at least two ways: protocol attacks and HMI attacks. The major areas where SCADA software vulnerabilities occur, respectively: - Memory corruption. - Credential management. - Lack of authentication/authorization and insecure defaults. - Code injection. - A big chunk of other areas. Memory corruption The vulnerabilities in this category are code security issues that include out-of-bounds read/write vulnerabilities and heap- and stack-based buffer overflow. Credential management Includes all vulnerabilities from not protecting credentials enough and storing passwords in a recoverable format to the use of hard-coded passwords. Lack of authentication/authorization and insecure defaults The vulnerabilities in this category include transmission of confidential information in cleartext, insecure defaults, missing encryption, and insecure ActiveX controls used for scripting. NOTE: The situation in the question relates to this vulnerability because the problem is not just in a simple password or in its insecure storage, but in the complete absence of the authentication mechanism itself. Code injection The vulnerabilities in this category include common code injections such as SQL, OS, command, and some domain-specific injections.

In which of the following Logging framework was a vulnerability discovered in December 2021 that could cause damage to millions of devices and Java applications? a. Apache Commons Logging b. SLF4J c. Logback d. Log4J

d. Log4J https://logging.apache.org/log4j/2.x/security.html https://theconversation.com/what-is-log4j-a-cybersecurity-expert-explains-the-latest-internet-vulnerability-how-bad-it-is-and-whats-at-stake-173896 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228 In December 2021, a vulnerability in the open-source Log4J logging service used by developers to monitor their Java applications first came to light, leaving enterprises scrambling to patch affected systems. The Log4j exploit allows threat actors to take over compromised web-facing servers by feeding them a malicious text string. It exists within Log4j, an open-source Apache library for logging errors and events in Java-based applications. Third-party logging solutions like Log4j are a common way for software developers to log data within an application without building a custom solution. The Log4J vulnerability is triggered by attackers inserting a JNDI lookup in a header field (likely to be logged) linking to a malicious server. After Log4j logs this string, the server is queried and gives directory information leading to the download and execution of a malicious java data class. This means cybercriminals can both extract private keys and, depending on the level of defenses in place, download and run malware directly on impacted servers.

Which of the following tools is an automated tool that eases his work and performs vulnerability scanning to find hosts, services, and other vulnerabilities in the target server? a. NCollector Studio b. Infoga c. WebCopier Pro d. Netsparker

d. Netsparker https://www.netsparker.com/support/what-is-netsparker/ Netsparker is an automated, yet fully configurable, web application security scanner that enables you to scan websites, web applications, and web services, and identify security flaws. Netsparker can scan all types of web applications, regardless of the platform or the language with which they are built. Netsparker is the only online web application security scanner that automatically exploits identified vulnerabilities in a read-only and safe way, in order to confirm identified issues. It also presents proof of the vulnerability so that you do not need to waste time manually verifying it. For example, in the case of a detected SQL injection vulnerability, it will show the database name as the proof of exploit. Incorrect answers: Infoga https://github.com/m4ll0k/Infoga Infoga is a tool gathering email accounts informations (ip,hostname,country,...) from different public source (search engines, pgp key servers and shodan) and check if emails was leaked using haveibeenpwned.com API. NCollector Studio NCollector Studio is an all in one offline browser, website ripper/crawler aimed at home users and professionals needing to download specific files from a website or full websites for offline browsing. WebCopier Pro WebCopier Pro allows saving complete copies of your favorite sites, magazines, or stock quotes. Companies can transfer their intranet contents to staff computers, create a copy of companies' online catalogs and brochures for sales personal, backup corporate web sites, print downloaded files.

Incorrectly configured S3 buckets are among the most common and widely targeted attack vectors. All it takes is one or two clicks to upload sensitive data to the wrong bucket or change permissions on a bucket from private to public. Which one of the following tools can you use to enumerate bucket permissions? a. DumpsterDiver b. Ruler c. Sysdig d. S3 Inspector

d. S3 Inspector https://github.com/clario-tech/s3-inspector Tool to check AWS S3 bucket permissions: Checks all your buckets for public access For every bucket gives you the report with: Indicator if your bucket is public or not Permissions for your bucket if it is public List of URLs to access your bucket (non-public buckets will return Access Denied) if it is public Incorrect answers: Ruler https://github.com/sensepost/ruler Ruler is a tool that allows you to interact with Exchange servers remotely, through either the MAPI/HTTP or RPC/HTTP protocol. The main aim is abuse the client-side Outlook features and gain a shell remotely. Sysdig https://github.com/draios/sysdig Sysdig identifies Kubernetes vulnerabilities by integrating continuous integration (CI) or continuous delivery/deployment (CD) pipelines, image registry, and Kubernetes admissions controllers. Sysdig also validates container images at the orchestration level using the Kubernetes admission controller feature. Sysdig automatically generates an inventory of each image content and continuously checks for any new vulnerabilities or common vulnerabilities and exposures (CVEs) associated with containers. DumpsterDiver https://github.com/securing/DumpsterDiver DumpsterDiver is a tool, which can analyze big volumes of data in search of hardcoded secrets like keys (e.g. AWS Access Key, Azure Share Key or SSH keys) or passwords. Additionally, it allows creating a simple search rules with basic conditions (e.g. report only csv files including at least 10 email addresses). The main idea of this tool is to detect any potential secret leaks.

Enabling SSI directives allows developers to add dynamic code snippets to static HTML pages without using full-fledged client or server languages. However, suppose the server is incorrectly configured (for example, allowing the exec directive) or the data is not strictly verified. In that case, an attacker can change or enter directives to perform malicious actions. What kind of known attack are we talking about? a. CRLF injection b. Server-side JS injection c. Server-side template injection d. Server-side includes injection

d. Server-side includes injection https://owasp.org/www-community/attacks/Server-Side_Includes_(SSI)_Injection SSIs are directives present on Web applications used to feed an HTML page with dynamic contents. They are similar to CGIs, except that SSIs are used to execute some actions before the current page is loaded or while the page is being visualized. In order to do so, the web server analyzes SSI before supplying the page to the user. The Server-Side Includes attack allows the exploitation of a web application by injecting scripts in HTML pages or executing arbitrary codes remotely. It can be exploited through manipulation of SSI in use in the application or force its use through user input fields. NOTE: All options are associated with injections. You just need to choose the right technology.

During the pentest, Maria, the head of the blue team, discovered that the new online service has problems with the authentication mechanism. The old password can be reset by correctly answering the secret question, and the sending form does not have protection using a CAPTCHA, which allows a potential attacker to use a brute force attack. What is the name of such an attack in the Enumeration of Common Disadvantages (CWE)? a. User impersonation. b. Insecure transmission of credentials. c. Verbose failure messages. d. Weak password recovery mechanism.

d. Weak password recovery mechanism. https://cwe.mitre.org/data/definitions/640.html It is common for an application to have a mechanism that provides a means for a user to gain access to their account in the event they forget their password. Very often the password recovery mechanism is weak, which has the effect of making it more likely that it would be possible for a person other than the legitimate system user to gain access to that user's account. Weak password recovery schemes completely undermine a strong password authentication scheme. This weakness may be that the security question is too easy to guess or find an answer to (e.g. because the question is too common, or the answers can be found using social media). Or there might be an implementation weakness in the password recovery mechanism code that may for instance trick the system into e-mailing the new password to an e-mail account other than that of the user. There might be no throttling done on the rate of password resets so that a legitimate user can be denied service by an attacker if an attacker tries to recover their password in a rapid succession. The system may send the original password to the user rather than generating a new temporary password. In summary, password recovery functionality, if not carefully designed and implemented can often become the system's weakest link that can be misused in a way that would allow an attacker to gain unauthorized access to the system.

You need to increase the security of keys used for encryption and authentication. For these purposes, you decide to use a technique to enter an initial key to an algorithm that generates an enhanced key resistant to brute-force attacks. Which of the following techniques will you use? a. KDF b. PKI c. Key reinstallation d. Key stretching

d. key stretching https://en.wikipedia.org/wiki/Key_stretching Key stretching techniques are used to make a possibly weak key, typically a password or passphrase, more secure against a brute-force attack by increasing the resources (time and possibly space) it takes to test each possible key. Passwords or passphrases created by humans are often short or predictable enough to allow password cracking, and key stretching is intended to make such attacks more difficult by complicating a basic step of trying a single password candidate. Key stretching also improves security in some real-world applications where the key length has been constrained, by mimicking a longer key length from the perspective of a brute-force attacker. There are several ways to perform key stretching. One way is to apply a cryptographic hash function or a block cipher repeatedly in a loop. For example, in applications where the key is used for a cipher, the key schedule in the cipher may be modified so that it takes a specific length of time to perform. Another way is to use cryptographic hash functions that have large memory requirements - these can be effective in frustrating attacks by memory-bound adversaries. Key stretching algorithms depend on an algorithm that receives an input key and then expends considerable effort to generate a stretched cipher (called an enhanced key[citation needed]) mimicking randomness and longer key length. The algorithm must have no known shortcut, so the most efficient way to relate the input and cipher is to repeat the key stretching algorithm itself. This compels brute-force attackers to expend the same effort for each attempt. If this added effort compares to a brute-force key search of all keys with a certain key length, then the input key may be described as stretched by that same length. Key stretching leaves an attacker with two options: - Attempt possible combinations of the enhanced key, but this is infeasible if the enhanced key is sufficiently long and unpredictable ( ⁠i.e., the algorithm mimics randomness well enough that the attacker must trial the entire stretched key space). - Attempt possible combinations of the weaker initial key, potentially commencing with a dictionary attack if the initial key is a password or passphrase, but the attacker's added effort for each trial could render the attack uneconomic should the costlier computation and memory consumption outweigh the expected profit. If the attacker uses the same class of hardware as the user, each guess will take the similar amount of time to process as it took the user (for example, one second). Even if the attacker has much greater computing resources than the user, the key stretching will still slow the attacker down while not seriously affecting the usability of the system for any legitimate user. This is because the user's computer only has to compute the stretching function once upon the user entering their password, whereas the attacker must compute it for every guess in the attack. This process does not alter the original key-space entropy. The key stretching algorithm is deterministic, allowing a weak input to always generate the same enhanced key, but therefore limiting the enhanced key to no more possible combinations than the input key space. Consequently, this attack remains vulnerable if unprotected against certain time-memory tradeoffs such as developing rainbow tables to target multiple instances of the enhanced key space in parallel (effectively a shortcut to repeating the algorithm). For this reason, key stretching is often combined with salting. Incorrect answers: KDF https://en.wikipedia.org/wiki/Key_derivation_function Key derivation function (KDF) is a cryptographic hash function that derives one or more secret keys from a secret value such as the main key, a password, or a passphrase using a pseudorandom function. KDFs can be used to stretch keys into longer keys or to obtain keys of a required format, such as converting a group element that is the result of a Diffie-Hellman key exchange into a symmetric key for use with AES. Keyed cryptographic hash functions are popular examples of pseudorandom functions used for key derivation. PKI https://en.wikipedia.org/wiki/Public_key_infrastructure A public key infrastructure (PKI) is a set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption. The purpose of a PKI is to facilitate the secure electronic transfer of information for a range of network activities such as e-commerce, internet banking and confidential email. It is required for activities where simple passwords are an inadequate authentication method and more rigorous proof is required to confirm the identity of the parties involved in the communication and to validate the information being transferred. In cryptography, a PKI is an arrangement that binds public keys with respective identities of entities (like people and organizations). The binding is established through a process of registration and issuance of certificates at and by a certificate authority (CA). Depending on the assurance level of the binding, this may be carried out by an automated process or under human supervision. When done over a network, this requires using a secure certificate enrollment or certificate management protocol such as CMP. Key reinstallation https://en.wikipedia.org/wiki/KRACK KRACK ("Key Reinstallation Attack") is a replay attack (a type of exploitable flaw) on the Wi-Fi Protected Access protocol that secures Wi-Fi connections. It was discovered in 2016 by the Belgian researchers Mathy Vanhoef and Frank Piessens of the University of Leuven. Vanhoef's research group published details of the attack in October 2017. By repeatedly resetting the nonce transmitted in the third step of the WPA2 handshake, an attacker can gradually match encrypted packets seen before and learn the full keychain used to encrypt the traffic. The weakness is exhibited in the Wi-Fi standard itself, and not due to errors in the implementation of a sound standard by individual products or implementations. Therefore, any correct implementation of WPA2 is likely to be vulnerable. The vulnerability affects all major software platforms, including Microsoft Windows, macOS, iOS, Android, Linux, OpenBSD and others. The security protocol protecting many Wi-Fi devices can essentially be bypassed, potentially allowing an attacker to intercept sent and received data.

kubelet

An agent that runs on each node in the cluster. It makes sure that containers are running in a pod.

nmap -A

Aggressive OS detection

CASB

Cloud access security broker. A software tool or service that enforces cloud-based security requirements. It is placed between the organization's resources and the cloud, monitors all network traffic, and can enforce security policies.

Gobuster

a command-line tool that can be used to enumerate applications, directories, and files, including hidden ones, on internet-connected web servers.


Related study sets

ACC307 Chapter 7- Data Analytics and Presentation

View Set

Sub-queries and MERGE statements

View Set

Chapter 7: Concepts of Bio Midterm

View Set

Social studies map like 10 biggest country Saudi Arabia

View Set

75% Math, Data Analysis and Probability

View Set

Prokaryotic and Eukaryotic Cells

View Set