CEH Study Set D
Sniffing takes place on what layer?
Layer 2
You are reviewing a rule within your organization's IDS. You see the following output:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CacheSize exploit attempt"; flow:to_client,established; file_data; content:"recordset"; offset:14; depth:9; content:".CacheSize"; distance:0; within:100; pcre:"/CacheSize\s*=\s*/"; byte_test:10,>,0x3ffffffe,0,relative,string; metadata:policy max-detect-ips drop, service http; reference:cve,2016-8077; classtype:attempted-user; sid:65535; rev:1;)

Based on this rule, which of the following malicious packets would this IDS alert on? a. A malicious inbound TCP packet b. Any malicious outbound packets c. A malicious outbound TCP packet d. Any malicious inbound packets
a. A malicious inbound TCP packet. The rule header is set to alert only on TCP packets, based on the first line of this IDS rule. The flow condition is set as "to_client,established," which means that only inbound traffic will be analyzed against this rule, and only inbound traffic for connections that are already established. Therefore, this rule will alert on an inbound malicious TCP packet only when the packet matches all the conditions listed in the rule. This rule is an example of a Snort IDS rule. For the exam, you do not need to create your own IDS rules, but you should be able to read them and pick out generic content such as the protocol covered by the signature, the ports being analyzed, and the direction of flow.
Which of the following components of IPsec provides confidentiality for the content of packets? a. ESP b. AH c. ISAKMP d. IKE
a. ESP https://en.wikipedia.org/wiki/IPsec#Encapsulating_Security_Payload Encapsulating Security Payload (ESP) is a member of the IPsec protocol suite. It provides origin authenticity through source authentication, data integrity through hash functions, and confidentiality through encryption protection for IP packets. ESP also supports encryption-only and authentication-only configurations, but using encryption without authentication is strongly discouraged because it is insecure. Incorrect answers: AH https://en.wikipedia.org/wiki/IPsec#Authentication_Header Authentication Header (AH) is a member of the IPsec protocol suite. AH ensures connectionless integrity by using a hash function and a secret shared key in the AH algorithm. AH also guarantees the data origin by authenticating IP packets. IKE https://en.wikipedia.org/wiki/Internet_Key_Exchange Internet Key Exchange (IKE, sometimes IKEv1 or IKEv2, depending on the version) is the protocol used to set up a security association (SA) in the IPsec protocol suite. IKE builds upon the Oakley protocol and ISAKMP. IKE uses X.509 certificates for authentication, either pre-shared or distributed using DNS (preferably with DNSSEC), and a Diffie-Hellman key exchange to set up a shared session secret from which cryptographic keys are derived. In addition, a security policy for every peer which will connect must be manually maintained. ISAKMP https://en.wikipedia.org/wiki/Internet_Security_Association_and_Key_Management_Protocol Internet Security Association and Key Management Protocol (ISAKMP) is a protocol defined by RFC 2408 for establishing security associations (SAs) and cryptographic keys in an Internet environment. ISAKMP only provides a framework for authentication and key exchange and is designed to be key-exchange independent; protocols such as Internet Key Exchange (IKE) and Kerberized Internet Negotiation of Keys (KINK) provide authenticated keying material for use with ISAKMP.
For example: IKE describes a protocol using part of Oakley and part of SKEME in conjunction with ISAKMP to obtain authenticated keying material for use with ISAKMP, and for other security associations such as AH and ESP for the IETF IPsec DOI.
Leonardo, an employee of a cybersecurity firm, conducts an audit for a third-party company. First of all, he plans to run a scan that looks for common misconfigurations and outdated software versions. Which of the following tools is most likely to be used by Leonardo? a. Nikto b. Metasploit c. Nmap d. Armitage
a. Nikto https://en.wikipedia.org/wiki/Nikto_(vulnerability_scanner) Nikto is a free software command-line vulnerability scanner that scans webservers for dangerous files/CGIs, outdated server software and other problems. It performs generic and server type specific checks. It also captures and prints any cookies received. The Nikto code itself is free software, but the data files it uses to drive the program are not. Incorrect answers: Armitage https://en.wikipedia.org/wiki/Armitage_(computing) Armitage is a graphical cyber attack management tool for the Metasploit Project that visualizes targets and recommends exploits. It is a free and open-source network security tool notable for its contributions to red team collaboration allowing for: shared sessions, data, and communication through a single Metasploit instance. Metasploit https://en.wikipedia.org/wiki/Metasploit_Project The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. It is owned by Boston, Massachusetts-based security company Rapid7. Its best-known sub-project is the open-source Metasploit Framework, a tool for developing and executing exploit code against a remote target machine. Other important sub-projects include the Opcode Database, shellcode archive and related research. The Metasploit Project includes anti-forensic and evasion tools, some of which are built into the Metasploit Framework. Metasploit is pre-installed in the Kali Linux operating system. Nmap https://en.wikipedia.org/wiki/Nmap Nmap (Network Mapper) is a free and open-source network scanner created by Gordon Lyon. Nmap is used to discover hosts and services on a computer network by sending packets and analyzing the responses. Nmap provides a number of features for probing computer networks, including host discovery and service and operating system detection. 
These features are extensible by scripts that provide more advanced service detection, vulnerability detection, and other features. Nmap can adapt to network conditions including latency and congestion during a scan.
Lisandro is engaged in sending spam. To avoid blocking, he connects to incorrectly configured SMTP servers that allow e-mail relay without authentication (which allows Lisandro to fake information about the sender's identity). What is the name of such an SMTP server? a. Open mail relay. b. Public SMTP server. c. Weak SMTP. d. Message transfer agent.
a. Open mail relay. https://en.wikipedia.org/wiki/Open_mail_relay An open mail relay is an SMTP server that is configured to allow anyone on the Internet to send email through it, not just mail destined to or originating from known users. Email relay or open mail relay used to be the default configuration in many mail servers; certainly, it was the way the Internet was at first set up. Still, now open mail relays have become unpopular because of their exploitation by spammers and fraudsters. Moreover, many relays have been closed or were placed on blacklists by other servers. Many Internet service providers use Domain Name System-based Blackhole Lists (DNSBL) to disallow mail from open relays. Once a mail server is detected or reported as allowing third parties to send mail through it, it will be added to one or more such lists, and other e-mail servers using those lists will reject any mail coming from those sites. The relay need not actually be used to send spam to be blacklisted; instead, it may be blacklisted after a simple test that confirms open access. This trend reduced the percentage of mail senders that were open relays from over 90% down to well under 1% over several years. This led spammers to adopt other techniques, such as using botnets of zombie computers to send spam.
Which cloud computing concept is BEST described as focusing on replacing the hardware and software required when creating and testing new applications and programs from a customer's environment with cloud-based resources? a. PaaS b. SaaS c. IaaS d. SECaaS
a. PaaS. Keywords here are hardware and software. Platform as a Service (PaaS) provides the end-user with a development environment without all the hassle of configuring and installing it themselves. If you want to develop a customized or specialized program, PaaS helps reduce the development time and overall costs by providing a ready-to-use platform.
What type of cloud service would provide you with a complete development and deployment environment in the cloud for you to create customized cloud-based apps? a. PaaS b. IaaS c. SaaS d. DaaS
a. PaaS Platform as a service (PaaS) is a complete development and deployment environment in the cloud, with resources that enable you to deliver everything from simple cloud-based apps to sophisticated, cloud-enabled enterprise applications. You purchase the resources you need from a cloud service provider on a pay-as-you-go basis and access them over a secure Internet connection. PaaS includes infrastructure (servers, storage, and networking) and middleware, development tools, business intelligence (BI) services, database management systems, and more. PaaS allows you to avoid the expense and complexity of buying and managing software licenses, the underlying application infrastructure and middleware, container orchestrators, or the development tools and other resources. You manage the applications and services you develop, and the cloud service provider typically manages everything else.
Which of the following is a vulnerability in modern processors such as Intel, AMD and ARM using speculative execution? a. Spectre and Meltdown b. Named Pipe Impersonation c. Application Shimming d. Launch Daemon
a. Spectre and Meltdown https://en.wikipedia.org/wiki/Spectre_(security_vulnerability) https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability) Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware vulnerabilities allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents. Meltdown and Spectre work on personal computers, mobile devices, and in the cloud. Depending on the cloud provider's infrastructure, it might be possible to steal data from other customers. Incorrect answers: Named Pipe Impersonation https://en.wikipedia.org/wiki/Named_pipe#In_Windows In Windows OS, named pipes are used to provide legitimate communication between running processes. In this technique, the messages are exchanged between the processes using a file. For example, if process A wants to send a message to another process B, then process A writes the message to a file and process B reads the message from that file. Attackers often exploit this technique to escalate their privileges on the victim system to a user account with higher access privileges. In any Windows system, when a process creates a pipe, it will act as a pipe server. If any other process wants to communicate with this process, it will connect to this pipe and it becomes a pipe client. When a client connects to the pipe, the pipe server can utilize the access privileges and security context of the pipe client. Attackers exploit this feature by creating a pipe server with fewer privileges and trying to connect with a client with higher privileges than the server. 
Attackers use tools such as Metasploit to perform named pipe impersonation on a target host. Attackers exploit vulnerabilities that exist in the target remote host to obtain an active session and use Metasploit commands such as getsystem to gain administrative-level privileges and extract password hashes of the admin/user accounts. Application Shimming https://en.wikipedia.org/wiki/Shim_(computing) The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10. Within the framework, shims are created to act as a buffer between the program (or more specifically, the Import Address Table) and the Windows OS. When a program is executed, the shim cache is referenced to determine if the program requires the use of the shim database (.sdb). If so, the shim database uses hooking to redirect the code as necessary in order to communicate with the OS. Utilizing these shims may allow an adversary to perform several malicious acts such as elevate privileges, install backdoors, disable defenses like Windows Defender, etc. Shims can also be abused to establish persistence by continuously being invoked by affected programs. Launch Daemon https://en.wikipedia.org/wiki/Daemon_(computing) In the context of this question, we are talking about one of the methods of Privilege Escalation. Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities. 
Adversaries may create or modify launch daemons to repeatedly execute malicious payloads as part of persistence. Per Apple's developer documentation, when macOS and OS X boot up, launchd is run to finish system initialization. This process loads the parameters for each launch-on-demand system-level daemon from the property list (plist) files found in /System/Library/LaunchDaemons and /Library/LaunchDaemons. These LaunchDaemons have property list files which point to the executables that will be launched. Adversaries may install a new launch daemon that can be configured to execute at startup by using launchd or launchctl to load a plist into the appropriate directories. The daemon name may be disguised by using a name from a related operating system or benign software. Launch Daemons may be created with administrator privileges, but are executed under root privileges, so an adversary may also use a service to escalate privileges from administrator to root. The plist file permissions must be root:wheel, but the script or program that it points to has no such requirement. So, it is possible for poor configurations to allow an adversary to modify a current Launch Daemon's executable and gain persistence or Privilege Escalation.
Dion Training Solutions has just installed a backup generator for their offices that uses SCADA/ICS for remote monitoring of the system. The generator's control system has an embedded cellular modem that periodically connects to the generator's manufacturer to provide usage statistics. The modem is configured for outbound connections only, and the generator has no data connection with any of Dion Training's other networks. The manufacturer utilizes data minimization procedures and uses the data to recommend preventative maintenance service and ensure maximum uptime and reliability by identifying parts that need to be replaced. Which of the following cybersecurity risks is being assumed in this scenario? a. There is minimal risk being assumed since the cellular modem is configured for outbound connections only b. There is high risk being assumed since the presence of a cellular modem could allow an attacker to remotely disrupt the generator c. There is a critical risk being assumed since the cellular modem represents a threat to the enterprise network if an attacker exploits the generator and then pivots to the production environment d. There is medium risk being assumed since the manufacturer could use the data for purposes other than originally agreed upon
a. There is minimal risk being assumed since the cellular modem is configured for outbound connections only There is minimal risk being assumed in this scenario since the cellular modem is configured for outbound connections only. This also minimizes the risk of an attacker gaining remote access to the generator. The generator is logically and physically isolated from the rest of the enterprise network, so even if an attacker could exploit the generator, they could not pivot into the production network. While there is a risk of the manufacturer using the data for purposes other than originally agreed upon, this is a minimal risk due to the manufacturer's data minimization procedures and the type of data collected. Should the manufacturer choose to use usage statistics about the generator for some other purpose, it would have a negligible impact on the company since it does not contain any PII or proprietary company data.
Identify which term corresponds to the following description: It can potentially adversely impact a system through unauthorized access, destruction, disclosure, denial of service or modification of data. a. Threat b. Attack c. Vulnerability d. Risk
a. Threat. If an asset is what you're trying to protect, then a threat is what you're trying to protect against. It is one of the most common terms that we come across on a daily basis. In cybersecurity, a threat is basically a hypothetical event that has the potential to cause damage to an organisation's business and other processes. Incorrect answers: Attack https://en.wikipedia.org/wiki/Cyberattack In computers and computer networks, an attack is any attempt to expose, alter, disable, destroy, steal or gain unauthorized access to or make unauthorized use of an asset. A cyberattack is any type of offensive maneuver that targets computer information systems, infrastructures, computer networks, or personal computer devices. An attacker is a person or process that attempts to access data, functions or other restricted areas of the system without authorization, potentially with malicious intent. Depending on context, cyberattacks can be part of cyberwarfare or cyberterrorism. A cyberattack can be employed by sovereign states, individuals, groups, society or organizations, and it may originate from an anonymous source. A product that facilitates a cyberattack is sometimes called a cyberweapon. A cyberattack may steal, alter, or destroy a specified target by hacking into a susceptible system. Cyberattacks can range from installing spyware on a personal computer to attempting to destroy the infrastructure of entire nations. Legal experts are seeking to limit the use of the term to incidents causing physical damage, distinguishing it from the more routine data breaches and broader hacking activities. Vulnerability A security vulnerability is a weakness, flaw, or error found within a security system that has the potential to be leveraged by a threat agent in order to compromise a secure network. Risk Risk is a combination of the threat probability and the impact of a vulnerability.
In other words, risk is the probability of a threat agent successfully exploiting a vulnerability, which can also be defined by the following formula: · Risk = Threat Probability * Vulnerability Impact Identifying all potential risks, analyzing their impact and evaluating appropriate response is called risk management. It is a never-ending process, which constantly evaluates newly found threats and vulnerabilities. Based on a chosen response, risks can be avoided, mitigated, accepted, or transferred to a third-party.
The flexible SNMP architecture allows you to monitor and manage all network devices from a single console. The data exchange is based on the Protocol Data Unit (PDU). There are 7 PDUs in the latest version of the SNMP protocol. Which of them sends a notification about an event immediately, without waiting for the manager's request, and does not need confirmation of receipt? a. Trap b. GetRequest c. GetNextRequest d. InformRequest
a. Trap https://en.wikipedia.org/wiki/Simple_Network_Management_Protocol Simple Network Management Protocol (SNMP) is an application-layer protocol for monitoring and managing network devices on a local area network (LAN) or wide area network (WAN). The purpose of SNMP is to provide network devices such as routers, servers, and printers with a common language for sharing information with a network management system (NMS). There are multiple versions of the SNMP protocol, and SNMP is so popular that most network devices come pre-bundled with SNMP Agents. However, to make use of the protocol, network administrators must first change the default configuration settings of their network devices so SNMP Agents can communicate with the network's management system. SNMP is part of the original Internet Protocol Suite defined by the Internet Engineering Task Force (IETF). The most recent version of the protocol, SNMPv3, includes security mechanisms for authentication, encryption, and access control. SNMP can perform many functions, using a blend of push and pull communications between network devices and the management system. It can issue read or write commands, such as resetting a password or changing a configuration setting. It can also report back how much bandwidth, CPU, and memory are in use, with some SNMP managers automatically sending the administrator an email or text message alert if a predefined threshold is exceeded. Most of the time, SNMP functions in an asynchronous model, with the SNMP manager's communication and the agent sending a response. 
These commands and messages, typically transported over User Datagram Protocol (UDP) or Transmission Control Protocol/Internet Protocol (TCP/IP), are known as protocol data units (PDUs):
· GETRequest: Generated by the SNMP manager and sent to an agent to obtain the value of a variable, identified by its OID, in a MIB;
· RESPONSE: Sent by the agent to the SNMP manager, issued in reply to a GETRequest, GETNEXTRequest, GETBULKRequest, and a SETRequest. Contains the values of the requested variables;
· GETNEXTRequest: Sent by the SNMP manager to the agent to retrieve the values of the next OID in the MIB's hierarchy;
· GETBULKRequest: Sent by the SNMP manager to the agent to efficiently obtain a potentially large amount of data, such as extensive tables;
· SETRequest: Sent by the SNMP manager to the agent to issue configurations or commands;
· TRAP: An asynchronous alert sent by the agent to the SNMP manager to indicate that a significant event, such as an error or failure, has occurred;
· INFORMRequest: An asynchronous alert similar to a TRAP, but one that requires confirmation of receipt by the SNMP manager.
What flags are set in the scan packets when using the following command: #nmap -sX host.companydomain.com a. URG, PUSH and FIN are set. b. SYN flag is set. c. SYN and ACK flags are set. d. ACK flag is set.
a. URG, PUSH and FIN are set. https://nmap.org/book/scan-methods-null-fin-xmas-scan.html When scanning systems compliant with this RFC text, any packet not containing SYN, RST, or ACK bits will result in a returned RST if the port is closed and no response at all if the port is open. As long as none of those three bits are included, any combination of the other three (FIN, PSH, and URG) is OK. Nmap exploits this with three scan types:
Null scan (-sN): Does not set any bits (TCP flag header is 0).
FIN scan (-sF): Sets just the TCP FIN bit.
Xmas scan (-sX): Sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree.
You want to surf safely and anonymously on the Internet. Which of the following options will be best for you? a. Use Tor network with multi-node. b. Use public WiFi. c. Use SSL sites. d. Use VPN.
a. Use Tor network with multi-node. https://en.wikipedia.org/wiki/Tor_(anonymity_network) Tor is free and open-source software for enabling anonymous communication by directing Internet traffic through a free, worldwide, volunteer overlay network consisting of more than seven thousand relays in order to conceal a user's location and usage from anyone conducting network surveillance or traffic analysis. Using Tor makes it more difficult to trace Internet activity to the user: this includes "visits to Web sites, online posts, instant messages, and other communication forms". Tor's intended use is to protect the personal privacy of its users, as well as their freedom and ability to conduct confidential communication by keeping their Internet activities unmonitored. Tor does not prevent an online service from determining that it is being accessed through Tor. As a result, some websites restrict or even deny access through Tor. For example, Wikipedia blocks attempts by Tor users to edit articles unless special permission is sought. Onion routing is implemented by encryption in the application layer of a communication protocol stack, nested like the layers of an onion. Tor encrypts the data, including the next node destination IP address, multiple times and sends it through a virtual circuit comprising successive, randomly selected Tor relays. Each relay decrypts a layer of encryption to reveal the next relay in the circuit and passes the remaining encrypted data on to it. The final relay decrypts the innermost layer of encryption and sends the original data to its destination without revealing or knowing the source IP address. Because the routing of the communication was partly concealed at every hop in the Tor circuit, this method eliminates any single point at which the communicating peers can be determined through network surveillance that relies upon knowing its source and destination. An adversary may try to de-anonymize the user by some means.
One way this may be achieved is by exploiting vulnerable software on the user's computer. The NSA had a technique that targets a vulnerability - which they codenamed "EgotisticalGiraffe" - in an outdated Firefox browser version at one time bundled with the Tor package and, in general, targets Tor users for close monitoring under its XKeyscore program. Attacks against Tor are an active area of academic research which is welcomed by the Tor Project itself. Tor aims to conceal its users' identities and online activity from surveillance and traffic analysis by separating identification and routing. It is an implementation of onion routing, which encrypts and then randomly bounces communications through a network of relays run by volunteers around the globe. These onion routers employ encryption in a multi-layered manner (hence the onion metaphor) to ensure perfect forward secrecy between relays, thereby providing users anonymity in a network location. That anonymity extends to the hosting of censorship-resistant content by Tor's anonymous onion service feature. Furthermore, by keeping some of the entry relays (bridge relays) secret, users can evade Internet censorship that relies upon blocking public Tor relays. Because the IP address of the sender and the recipient are not both in cleartext at any hop along the way, anyone eavesdropping at any point along the communication channel cannot directly identify both ends. Furthermore, to the recipient, it appears that the last Tor node (called the exit node), rather than the sender, is the originator of the communication.
Shortly after replacing the outdated equipment, John, the company's system administrator, discovered a leak of critical customer information. Moreover, the stolen data included information about new users, which rules out improper disposal of the old equipment as the cause. The IDS did not notice the intrusion, and the logging system shows that valid credentials were used. Which of the following is most likely the cause of this problem? a. Industrial Espionage b. Default Credential c. Zero-day vulnerabilities d. NSA backdoor
b. Default Credential https://en.wikipedia.org/wiki/Default_Credential_vulnerability A Default Credential vulnerability is a type of vulnerability that is most commonly found to affect devices like modems, routers, digital cameras, and other devices having some pre-set (default) administrative credentials to access all configuration settings. The vendor or manufacturer of such devices uses a single pre-defined set of admin credentials to access the device configuration, and any potential hacker can misuse this fact to hack such devices if those credentials are not changed by the consumers. NOTE: Yep, it's that simple. It is more likely that the problem is a simple mistake or incompetence of an employee, which was used by an ordinary fraudster, than a full-fledged attack by real hackers or a conspiracy.
The attacker tries to find the servers of the attacked company. He uses the following command: nmap 192.168.1.64/28 The scan was successful, but he didn't get any results. Identify why the attacker could not find the servers based on the following information: The attacked company used network address 192.168.1.64 with mask 255.255.255.192. In the network, the servers are at the addresses 192.168.1.122, 192.168.1.123 and 192.168.1.124. a. The network must be down and the nmap command and IP address are ok. b. He is scanning from 192.168.1.64 to 192.168.1.78 because of the mask /28 and the servers are not in that range. c. He needs to add the command "ip address" just before the IP address. d. He needs to change the address to 192.168.1.0 with the same mask.
b. He is scanning from 192.168.1.64 to 192.168.1.78 because of the mask /28 and the servers are not in that range. https://en.wikipedia.org/wiki/Subnetwork The attacker uses a /28 subnet mask, the range of which is 15 IP addresses (0.0.0.15), so the range from 192.168.1.64 to 192.168.1.78 will be scanned. A subnetwork or subnet is a logical subdivision of an IP network. The practice of dividing a network into two or more networks is called subnetting. Computers that belong to a subnet are addressed with an identical most-significant bit-group in their IP addresses. This results in the logical division of an IP address into two fields: the network number or routing prefix and the rest field or host identifier. The rest field is an identifier for a specific host or network interface. The routing prefix may be expressed in Classless Inter-Domain Routing (CIDR) notation written as the first address of a network, followed by a slash character (/), and ending with the bit-length of the prefix. For example, 198.51.100.0/24 is the prefix of the Internet Protocol version 4 network starting at the given address, having 24 bits allocated for the network prefix, and the remaining 8 bits reserved for host addressing. Addresses in the range 198.51.100.0 to 198.51.100.255 belong to this network. The IPv6 address specification 2001:db8::/32 is a large address block with 2^96 addresses, having a 32-bit routing prefix. For IPv4, a network may also be characterized by its subnet mask or netmask, which is the bitmask that when applied by a bitwise AND operation to any IP address in the network, yields the routing prefix. Subnet masks are also expressed in dot-decimal notation like an address. For example, 255.255.255.0 is the subnet mask for the prefix 198.51.100.0/24. Traffic is exchanged between subnetworks through routers when the routing prefixes of the source address and the destination address differ. A router serves as a logical or physical boundary between the subnets.
The benefits of subnetting an existing network vary with each deployment scenario. In the address allocation architecture of the Internet using CIDR and in large organizations, it is necessary to allocate address space efficiently. Subnetting may also enhance routing efficiency, or have advantages in network management when subnetworks are administratively controlled by different entities in a larger organization. Subnets may be arranged logically in a hierarchical architecture, partitioning an organization's network address space into a tree-like routing structure, or other structures such as meshes.
Which of the following provides accounting, authorization, and authentication via a centralized privileged database, as well as challenge/response and password encryption? a. Multi-factor authentication b. ISAKMP c. TACACS+ d. Network access control
b. ISAKMP TACACS+ is an AAA (accounting, authorization, and authentication) protocol that provides AAA services for access to routers, network access points, and other networking devices.
Which of the following tools is used by a penetration tester to conduct open-source intelligence (OSINT)? a. Nessus b. Maltego c. Empire d. AirCrack-NG
b. Maltego Maltego is an OSINT tool that is used to gather information from public resources. It has a graphical user interface (GUI) that visualizes the information gathered to help a penetration tester make logical connections between the different data sets collected.
Enumeration is a process which establishes an active connection to the target hosts to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. What type of enumeration is used to get shared resources on individual hosts on the network and a list of computers belonging to the domain? a. SNMP enumeration b. Netbios enumeration c. SMTP enumeration d. NTP enumeration
b. Netbios enumeration https://en.wikipedia.org/wiki/NetBIOS NetBIOS stands for Network Basic Input Output System. It allows computers to communicate over a LAN and to share files and printers. NetBIOS names are used to identify network devices over TCP/IP (Windows). A NetBIOS name must be unique on a network and is limited to 16 characters, where 15 characters are used for the device name and the 16th character is reserved for identifying the type of service running or the name record type. Attackers use NetBIOS enumeration to obtain: · List of computers that belong to a domain · List of shares on the individual hosts on the network · Policies and passwords Incorrect answers: SNMP enumeration https://en.wikipedia.org/wiki/Simple_Network_Management_Protocol SNMP (Simple Network Management Protocol) is an application layer protocol which uses the UDP protocol to maintain and manage routers, hubs, switches and other network devices on an IP network. SNMP is a very common protocol found enabled on a variety of operating systems like Windows Server, Linux and UNIX servers as well as network devices like routers, switches etc. SNMP enumeration is used to enumerate user accounts, passwords, groups, system names and devices on a target system. NTP enumeration https://en.wikipedia.org/wiki/Network_Time_Protocol The Network Time Protocol is a protocol for synchronizing time across your network; this is especially important when utilizing Directory Services. There exist a number of time servers throughout the world that can be used to keep systems synced to each other. NTP utilizes UDP port 123. Through NTP enumeration you can gather information such as lists of hosts connected to the NTP server, IP addresses, system names, and OSs running on the client systems in a network. All this information can be enumerated by querying the NTP server.
SMTP enumeration https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol The Simple Mail Transport Protocol is used to send email messages, as opposed to POP3 or IMAP which can be used to both send and receive messages. SMTP relies on Mail Exchange (MX) servers, located via the Domain Name Service, to direct the mail to; however, should an MX server not be detected, SMTP will revert and try A records or, alternatively, SRV records. SMTP generally runs on port 25. SMTP enumeration allows us to determine valid users on the SMTP server.
The absolute majority of routers and switches use packet filtering firewalls. This kind of firewall makes decisions about allowing traffic to pass into the network based on the information contained in the packet header. At what level of the OSI model do these firewalls work? a. Application layer b. Network layer c. Session layer d. Physical layer
b. Network Layer https://en.wikipedia.org/wiki/Firewall_(computing)#Packet_filter Packet-filtering firewalls operate at the network layer (Layer 3) of the OSI model. They make processing decisions based on network addresses, ports, or protocols. A packet-filtering firewall examines each packet that crosses the firewall and tests the packet according to a set of rules that you set up. If the packet passes the test, it's allowed to pass. If the packet doesn't pass, it's rejected. Packet filters are the least expensive type of firewall. As a result, packet-filtering firewalls are very common. However, packet filtering has a number of flaws that knowledgeable hackers can exploit. As a result, packet filtering by itself doesn't make for a fully effective firewall. One of the biggest weaknesses of packet filtering is that it pretty much trusts that the packets themselves are telling the truth when they say who they're from and who they're going to. Hackers exploit this weakness by using a hacking technique called IP spoofing, in which they insert fake IP addresses in packets that they send to your network. Another weakness of packet filtering is that it examines each packet in isolation without considering what packets have gone through the firewall before and what packets may follow. In other words, packet filtering is stateless. Rest assured that hackers have figured out how to exploit the stateless nature of packet filtering to get through firewalls. In spite of these weaknesses, packet filter firewalls have several advantages that explain why they are commonly used: · Packet filters are very efficient. They hold up each inbound and outbound packet for only a few milliseconds while they look inside the packet to determine the destination and source ports and addresses. After these addresses and ports are determined, the packet filter quickly applies its rules and either sends the packet along or rejects it.
In contrast, other firewall techniques have a more noticeable performance overhead. · Packet filters are almost completely transparent to users. The only time a user will be aware that a packet filter firewall is being used is when the firewall rejects packets. Other firewall techniques require that clients and/or servers be specially configured to work with the firewall. · Packet filters are inexpensive. Most routers include built-in packet filtering.
An attacker gained access to a Linux host and stole the password file /etc/passwd. Which of the following scenarios best describes what an attacker can do with this file? a. Nothing because he cannot read the file because it is encrypted. b. Nothing because the password file does not contain the passwords themselves. c. The attacker can perform actions as root because the file reveals the passwords to the root user only. d. The attacker can perform actions as a user because he can open it and read the user ids and corresponding passwords.
b. Nothing because the password file does not contain the passwords themselves. https://en.wikipedia.org/wiki/Passwd#Password_file The /etc/passwd file is a text-based database of information about users that may log into the system or other operating system user identities that own running processes. In many operating systems this file is just one of many possible back-ends for the more general passwd name service. The file's name originates from one of its initial functions as it contained the data used to verify passwords of user accounts. However, on modern Unix systems the security-sensitive password information is instead often stored in a different file using shadow passwords, or other database implementations. The /etc/passwd file typically has file system permissions that allow it to be readable by all users of the system (world-readable), although it may only be modified by the superuser or by using a few special purpose privileged commands. The /etc/passwd file is a text file with one record per line, each describing a user account. Each record consists of seven fields separated by colons. The ordering of the records within the file is generally unimportant.
Which of the following is true about the AES and RSA encryption algorithms? a. Both are asymmetric algorithms, but RSA uses 1024-bit keys. b. RSA is asymmetric, which is used to create a public/private key pair; AES is symmetric, which is used to encrypt data. c. AES is asymmetric, which is used to create a public/private key pair; RSA is symmetric, which is used to encrypt data. d. Both are symmetric algorithms, but AES uses 256-bit keys.
b. RSA is asymmetric, which is used to create a public/private key pair; AES is symmetric, which is used to encrypt data. https://en.wikipedia.org/wiki/RSA_(cryptosystem) The RSA algorithm is the basis of a cryptosystem -- a suite of cryptographic algorithms that are used for specific security services or purposes -- which enables public key encryption and is widely used to secure sensitive data, particularly when it is being sent over an insecure network such as the internet. RSA was first publicly described in 1977 by Ron Rivest, Adi Shamir and Leonard Adleman of the Massachusetts Institute of Technology, though the 1973 creation of a public key algorithm by British mathematician Clifford Cocks was kept classified by the U.K.'s GCHQ until 1997. Public key cryptography, also known as asymmetric cryptography, uses two different but mathematically linked keys -- one public and one private. The public key can be shared with everyone, whereas the private key must be kept secret. https://en.wikipedia.org/wiki/Advanced_Encryption_Standard The Advanced Encryption Standard (AES) is a symmetric block cipher chosen by the U.S. government to protect classified information. AES is implemented in software and hardware throughout the world to encrypt sensitive data. It is essential for government computer security, cybersecurity and electronic data protection. The National Institute of Standards and Technology (NIST) started development of AES in 1997 when it announced the need for an alternative to the Data Encryption Standard (DES), which was starting to become vulnerable to brute-force attacks. NIST stated that the newer, advanced encryption algorithm would be unclassified and must be "capable of protecting sensitive government information well into the [21st] century." It was intended to be easy to implement in hardware and software, as well as in restricted environments -- such as a smart card -- and offer decent defenses against various attack techniques. 
AES was created for the U.S. government with additional voluntary, free use in public or private, commercial or noncommercial programs that provide encryption services. However, nongovernmental organizations choosing to use AES are subject to limitations created by U.S. export control.
In which phase of the ethical hacking process can Google hacking be used? For example: allintitle: root passwd a. Maintaining Access b. Reconnaissance c. Gaining Access d. Scanning and Enumeration
b. Reconnaissance First we need to understand what allintitle: is among the Google Search Operators https://ahrefs.com/blog/google-advanced-search-operators/ intitle: Find pages with a certain word (or words) in the title. In our example, any results containing the word "apple" in the title tag will be returned. Example: intitle:apple allintitle: Similar to "intitle," but only results containing all of the specified words in the title tag will be returned. Example: allintitle:apple iphone Based on the fact that we are just looking for information in the headings of web pages, we can confidently say that this belongs to the reconnaissance phase. 1. Reconnaissance: This is the first step of hacking. It is also called the Footprinting and information gathering phase. This is the preparatory phase where we collect as much information as possible about the target. We usually collect information about three groups: · Network · Host · People involved There are two types of Footprinting: · Active: Directly interacting with the target to gather information about the target, e.g. using the Nmap tool to scan the target. · Passive: Trying to collect information about the target without directly accessing the target. This involves collecting information from social media, public websites etc. 2. Scanning: Three types of scanning are involved: Port scanning: This phase involves scanning the target for information like open ports, live systems, and the various services running on the host. Vulnerability Scanning: Checking the target for weaknesses or vulnerabilities which can be exploited. Usually done with the help of automated tools. Network Mapping: Finding the topology of the network, routers, firewalls, servers if any, and host information, and drawing a network diagram with the available information. This map may serve as a valuable piece of information throughout the hacking process. 3. Gaining Access: This phase is where an attacker breaks into the system/network using various tools or methods.
After entering a system, he has to increase his privilege to administrator level so he can install an application he needs or modify data or hide data. 4. Maintaining Access: A hacker may just hack the system to show it was vulnerable, or he can be so mischievous that he wants to maintain or persist the connection in the background without the knowledge of the user. This can be done using Trojans, Rootkits or other malicious files. The aim is to maintain access to the target until he finishes the tasks he planned to accomplish in that target. 5. Clearing Tracks: No thief wants to get caught. An intelligent hacker always clears all evidence so that at a later point in time, no one will find any traces leading to him. This involves modifying/corrupting/deleting the values of logs, modifying registry values and uninstalling all applications he used and deleting all folders he created.
Sending an email using the SMTP protocol does not encrypt the message, leaving the information vulnerable to being read by an unauthorized person. To solve this problem, SMTP can upgrade a connection between two mail servers to use TLS, and the transmitted emails will be encrypted. Which of the following commands is used by SMTP to transmit email over TLS? a. OPPORTUNISTICTLS b. STARTTLS c. UPGRADETLS d. FORCETLS
b. STARTTLS StartTLS is a protocol command used to inform the email server that the email client wants to upgrade from an insecure connection to a secure one using TLS or SSL. StartTLS is used with SMTP and IMAP, while POP3 uses a slightly different command for encryption, STLS. The StartTLS process: SMTP always starts unencrypted. The StartTLS command starts the negotiation between server and client. Here's an outline of the communication that happens between the email client and the email server. 1. The process begins with the Transmission Control Protocol (TCP) handshake to help both the email client and server identify each other. 2. The server identifies with 220 Ready that the email client can proceed with the communication. 3. The client sends the server "EHLO" to inform the server that the client would like to use Extended SMTP (the more advanced version of SMTP that lets you include images, attachments, etc.). 4. The client sends "250-STARTTLS" to the mail server to ask whether or not StartTLS is accepted. 5. If the server sends back "go ahead," the StartTLS connection can be created. 6. The client restarts the connection and the email message has been encrypted.
You have just conducted an automated vulnerability scan against a static webpage without any user input fields. You have been asked to adjudicate the scanner's findings in the automated report. Which of the following is MOST likely to be a false positive? a. Missing secure flag for the site's cookies b. Version disclosure of server information c. Supports weak cipher suites d. Unencrypted transfer of data
b. Version disclosure of server information *aka banner grabbing The disclosure of internal server information, such as its version, is a common vulnerability on both static webpages and dynamic webpages. This disclosure can occur during banner grabbing or by reviewing the source code of the webpage.
The evil hacker Ivan wants to attack a popular air ticket sales service. After careful study, he discovered that the web application is vulnerable to the introduction of malicious JavaScript code through the application form. This code does not cause any harm to the server itself, but when executed on the client's computer, it can steal the client's personal data. What kind of attack is Ivan preparing to use? a. CSRF b. XSS c. LDAP Injection d. SQL injection
b. XSS https://en.wikipedia.org/wiki/Cross-site_scripting Cross-site scripting (XSS) is a type of security vulnerability typically found in web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec up until 2007. XSS effects vary in range from a petty nuisance to significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner network. Incorrect answers: SQL injection https://en.wikipedia.org/wiki/SQL_injection SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injection must exploit a security vulnerability in an application's software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database. LDAP Injection https://en.wikipedia.org/wiki/LDAP_injection LDAP injection is a code injection technique used to exploit web applications that could reveal sensitive user information or modify information represented in the LDAP (Lightweight Directory Access Protocol) data stores. LDAP injection exploits a security vulnerability in an application by manipulating input parameters passed to internal search, add or modify functions. When an application fails to properly sanitize user input, it is possible for an attacker to modify an LDAP statement. 
CSRF https://en.wikipedia.org/wiki/Cross-site_request_forgery Cross-site request forgery (CSRF), also known as one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf) or XSRF, is a type of malicious exploit of a website where unauthorized commands are submitted from a user that the web application trusts. There are many ways in which a malicious website can transmit such commands; specially-crafted image tags, hidden forms, and JavaScript XMLHttpRequests, for example, can all work without the user's interaction or even knowledge. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.
The analyst needs to evaluate the possible threats to Blackberry phones for a third-party company. To do this, he will use the Blackjacking attack method to demonstrate how an attacker could circumvent perimeter defences and gain access to the corporate network. Which of the following tools is best suited for the analyst for this task? a. Paros Proxy b. BBCrack c. BBProxy d. Blooover
c. BBProxy Blackjacking is the act of hijacking a BlackBerry connection. Attackers make use of the BlackBerry environment to bypass traditional security. They attack the host of the network, usually with the BBProxy tool. BlackBerry Attack Toolkit The BlackBerry Attack Toolkit includes the BBProxy and BBScan tools, as well as the necessary Metasploit patches to exploit Web site vulnerabilities. The BBProxy tool allows the attacker to use a BlackBerry device as a proxy between the Internet and the internal network. The attacker either installs BBProxy on a user's BlackBerry or sends it in an e-mail attachment. Once activated, it establishes a covert channel between attackers and compromised hosts on improperly secured enterprise networks. BBScan is a BlackBerry port scanner that looks for open ports on the device to attack. BlackBerry Attachment Service Vulnerability The BlackBerry Attachment Service in the BlackBerry Enterprise Server uses a GDI (Graphics Device Interface) component to convert images into a format viewable on BlackBerry devices. There is, however, a vulnerability in the GDI component of Windows while processing Windows Metafile (WMF) and Enhanced Metafile (EMF) images. This vulnerability could allow an attacker to run arbitrary code on a computer running the BlackBerry Attachment Service. Attackers can exploit this vulnerability with specially made image files. TeamOn Import Object ActiveX Control Vulnerability The BlackBerry Internet Service is designed to work with T-Mobile My E-mail to give BlackBerry device users secure and direct access to any combination of registered enterprise, proprietary, POP3, and IMAP e-mail accounts on their BlackBerry devices using a single user login account. A vulnerability exists in the TeamOn Import Object Microsoft ActiveX control used by BlackBerry Internet Service 2.0. 
While using Internet Explorer to view the BlackBerry Internet Service or T-Mobile My E-mail Web sites, if the user attempts to install and run the TeamOn Import Object ActiveX control, an exploitable buffer overflow may occur. Denial of Service in the BlackBerry Browser A Web site creator with malicious intent may insert a long string value within the link to a Web page. If the user accesses the link using the BlackBerry Browser, a temporary denial of service may occur, and the BlackBerry device may become slow or stop responding altogether.
Which of the following Linux-based tools will help you change any user's password or activate disabled accounts if you have physical access to a Windows 2008 R2 and an Ubuntu 9.10 Linux LiveCD? a. SET b. Cain & Abel c. CHNTPW d. John the Ripper
c. CHNTPW https://en.wikipedia.org/wiki/Chntpw chntpw is a software utility for resetting or blanking local passwords used by Windows NT, 2000, XP, Vista, 7, 8, 8.1 and 10. It does this by editing the SAM database where Windows stores password hashes. There are two ways to use the program: via the standalone chntpw utility installed as a package available in most modern Linux distributions or via a bootable CD/USB image. Incorrect answers: John the Ripper https://en.wikipedia.org/wiki/John_the_Ripper John the Ripper is a free password cracking software tool. Originally developed for the Unix operating system, it can run on fifteen different platforms (eleven of which are architecture-specific versions of Unix, DOS, Win32, BeOS, and OpenVMS). It is among the most frequently used password testing and breaking programs as it combines a number of password crackers into one package, autodetects password hash types, and includes a customizable cracker. Cain & Abel https://en.wikipedia.org/wiki/Cain_and_Abel_(software) Cain and Abel (often abbreviated to Cain) is a password recovery tool for Microsoft Windows. It can recover many kinds of passwords using methods such as network packet sniffing, cracking various password hashes by using methods such as dictionary attacks, brute force and cryptanalysis attacks.
During your annual cybersecurity awareness training in your company, the instructor states that employees should be careful about what information they post on social media. According to the instructor, if you post too much personal information on social media, such as your name, birthday, hometown, and other personal details, it is much easier for an attacker to conduct which type of attack to break your passwords? a. Birthday attack b. Brute force attack c. Cognitive password attack d. Rainbow table attack
c. Cognitive password attack A cognitive password is a form of knowledge-based authentication that requires a user to answer a question, presumably something they intrinsically know, to verify their identity. If you post a lot of personal information about yourself online, this password type can easily be bypassed. For example, during the 2008 elections, Vice Presidential candidate Sarah Palin's email account was hacked because a high schooler used the "reset my password" feature on Yahoo's email service to reset her password using the information that was publicly available about Sarah Palin (like her birthday, high school, and other such information).
Which of the following is the leading cause for cross-site scripting, SQL injection, and XML injection attacks? a. Directory traversals b. File inclusions c. Faulty input validation d. Output encoding
c. Faulty input validation A primary vector for attacking applications is to exploit faulty input validation. The input could include user data entered into a form or URL, passed by another application or link. This is heavily exploited by cross-site scripting, SQL injection, and XML injection attacks. Directory traversal is the practice of accessing a file from a location that the user is unauthorized to access. The attacker does this by ordering an application to backtrack through the directory path to read or execute a file in a parent directory. In a file inclusion attack, the attacker adds a file to a web app or website's running process. The file is either constructed to be malicious or manipulated to serve the attacker's malicious purposes. Cross-site scripting (XSS) is one of the most powerful input validation exploits. XSS involves a trusted site, a client browsing the trusted site, and the attacker's site.
Identify the type of partial break in which the attacker discovers a functionally equivalent algorithm for encryption and decryption, but without learning the key. a. Information deduction. b. Total break. c. Global deduction. d. Instance deduction.
c. Global deduction. https://en.wikipedia.org/wiki/Cryptanalysis Global deduction — the attacker discovers a functionally equivalent algorithm for encryption and decryption, but without learning the key. Incorrect answers: Instance (local) deduction — the attacker discovers additional plaintexts (or ciphertexts) not previously known. Information deduction — the attacker gains some Shannon information about plaintexts (or ciphertexts) not previously known. Total break — the attacker deduces the secret key.
A rootkit is a clandestine computer program designed to provide continued privileged access to a computer while actively hiding its presence. Rootkits are classified according to the place of their injection. What type of rootkit loads itself underneath the computer's operating system and can intercept hardware calls made by the original operating system? a. Kernel mode rootkits b. Memory rootkit c. Hypervisor (Virtualized) Rootkits d. Application rootkit
c. Hypervisor (Virtualized) Rootkits **keyword is hardware calls. https://en.wikipedia.org/wiki/Rootkit#Hypervisor_level A hypervisor rootkit takes advantage of hardware virtualization and is installed between the hardware and the kernel, acting as the real hardware. Hence, it can intercept the communication/requests between the hardware and the host operating system. Common detection applications that run in user or kernel mode are not effective in this case as the kernel may not know whether it is executed on the legitimate hardware. Incorrect answers: Kernel mode rootkits https://en.wikipedia.org/wiki/Rootkit#Kernel_mode The kernel is the core of the Operating System, and Kernel Level Rootkits are created by adding additional code or replacing portions of the core operating system with modified code via device drivers (in Windows) or Loadable Kernel Modules (Linux). Kernel Level Rootkits can have a serious effect on the stability of the system if the kit's code contains bugs. Kernel rootkits are difficult to detect because they have the same privileges as the Operating System, and therefore they can intercept or subvert operating system operations. Application rootkit Simple rootkits run in user mode and are called user-mode rootkits. Such rootkits modify processes, network connections, files, events and system services. It is the only type of rootkit that could be detected by a common antivirus application. Memory rootkit This type of rootkit hides in the computer's RAM. These rootkits carry out harmful activities in the background and have a short lifespan. They only live in the computer's RAM and will disappear after a system reboot.
Which of the following is a component of IPsec that performs protocol-level functions required to encrypt and decrypt the packets? a. Oakley b. IPsec Policy Agent c. IPsec driver d. Internet Key Exchange (IKE)
c. IPsec driver This question is based on the information provided in the EC-Council's courseware: IPsec driver: Software that performs protocol-level functions required to encrypt and decrypt packets.
Which protocol relies on mutual authentication of the client and the server for its security? a. RADIUS b. Two-factor authentication c. LDAPS d. CHAP
c. LDAPS (Secure LDAP) The Lightweight Directory Access Protocol (LDAP) uses a client-server model for mutual authentication. LDAP is used to enable access to a directory of resources (workstations, users, information, etc.). TLS provides mutual authentication between clients and servers. Since Secure LDAP (LDAPS) uses TLS, it provides mutual authentication.
A web developer wants to protect their new web application from a man-in-the-middle attack. Which of the following controls would best prevent an attacker from stealing tokens stored in cookies? a. Forcing the use of TLS for the web application b. Forcing the use of SSL for the web application c. Setting the secure attribute on the cookie d. Hashing the cookie value
c. Setting the secure attribute on the cookie When a cookie has the Secure attribute, the user agent includes the cookie in an HTTP request only if transmitted over a secure channel (typically HTTPS). Although seemingly useful for protecting cookies from active network attackers, the Secure attribute protects only the cookie's confidentiality. Forcing the web application to use TLS or SSL does not force the cookie to be sent over TLS/SSL, so you still need to set the cookie's Secure attribute. Hashing the cookie provides the cookie's integrity, not confidentiality; therefore, it will not solve the issue presented by this question.
Which of the following is a low-tech way of gaining unauthorized access to information? a. Sniffing b. Scanning c. Social engineering d. Eavesdropping
c. Social engineering https://en.wikipedia.org/wiki/Social_engineering_(security) Social engineering is the psychological manipulation of people into performing actions or divulging confidential information. All social engineering techniques are based on specific attributes of human decision-making known as cognitive biases. These biases, sometimes called "bugs in the human hardware", are exploited in various combinations to create attack techniques. The attacks used in social engineering can be used to steal employees' confidential information. The most common type of social engineering happens over the phone. Other examples of social engineering attacks are criminals posing as exterminators, fire marshals, and technicians to go unnoticed as they steal company secrets. Incorrect answers: Sniffing https://en.wikipedia.org/wiki/Sniffing_attack A sniffing attack or a sniffer attack is the theft or interception of data by capturing the network traffic using a sniffer (an application aimed at capturing network packets). When data is transmitted across networks, if the data packets are not encrypted, the data within the network packet can be read using a sniffer. Using a sniffer application, an attacker can analyze the network and gain information to eventually cause the network to crash or become corrupted, or read the communications happening across the network. Scanning Scanning attacks scan devices in HIS to gather network information about these devices before launching sophisticated attacks to undermine HIS security. Commonly used scanning techniques to gather computer network information include IP address scanning, port scanning, and version scanning. Eavesdropping https://en.wikipedia.org/wiki/Network_eavesdropping Network eavesdropping is a method that retrieves user information through the internet. This attack happens on electronic devices like computers and smartphones.
This network attack typically happens under the usage of unsecured networks, such as public wifi connections or shared electronic devices. Eavesdropping attacks through the network are considered one of the most urgent threats in industries that rely on collecting and storing data.
ISAPI filters are a powerful tool used to extend the functionality of IIS. However, improper use can cause great harm. Why do EC-Council experts recommend that security analysts monitor the disabling of unused ISAPI filters? a. To defend against wireless attacks b. To prevent leaks of confidential data c. To defend against webserver attacks d. To prevent memory leaks
c. To defend against webserver attacks The security analyst should disable unnecessary ISAPI filters for all of the above reasons. ISAPI filters can be used to essentially open technological gateways. Thus, they can be used to open items that have already been cued as "access denied" and allow hackers to enter into web spaces that are intended to be confidential.
You are conducting a vulnerability assessment when you discover a critical web application vulnerability on one of your Apache servers. Which of the following files would contain the Apache server's logs if your organization uses the default naming convention? a. httpd_log b. apache_log c. access_log d. http_log
c. access_log On Apache web servers, the logs are stored in a file named access_log. By default, the file can be located at /var/log/httpd/access_log. This file records all requests processed by the Apache server. The WebSphere Application Server uses the httpd_log file for z/OS, which is a very outdated server from the early 2000s. The http_log file is actually a header class file in C used by the Apache web server's pre-compiled code that provides the logging library but does not contain any actual logs itself. The file called apache_log is actually an executable program that parses Apache log files into a Postgres database.
An attacker uses the nslookup interactive mode to locate information on a Domain Name Service (DNS). What command should they type to request the appropriate records for only name servers? a. locate type=ns b. request type=ns c. set type=ns d. transfer type=ns
c. set type=ns The "set type=ns" command tells nslookup to report information only on name servers. If you used "set type=mx" instead, you would receive information only about mail exchange servers.
Which of the following tools can be used for passive OS fingerprinting? a. ping b. nmap c. tcpdump d. tracert
c. tcpdump http://www.ouah.org/incosfingerp.htm#:~:text=In%20this%20paper%2C%20we%20will%20look%20at%20packets%20captured%20by%20TCPDUMP.&text=All%20that%20is%20needed%20to,a%20response%20from%20that%20machine. Passive operating system fingerprinting is a feature built into the tcpdump tools. The link provided in the explanation gives a closer look at the process of passive OS fingerprinting. Incorrect answers: nmap, ping and tracert send packets and study the responses to guess the OS.
Jack needs to analyze the files produced by several packet-capture programs such as Wireshark, tcpdump, EtherPeek and WinDump. Which of the following tools will Jack use? a. Nessus b. tcptraceroute c. tcptrace d. OpenVAS
c. tcptrace https://github.com/blitz/tcptrace tcptrace is a TCP connection analysis tool. It can tell you detailed information about TCP connections by sifting through dump files. The dump file formats supported are: · Standard tcpdump format (you need the pcap library) · Sun's snoop format · Macintosh Etherpeek format · HP/NetMetrix protocol analysis format · NS simulator output format · NetScout · NLANR Tsh Format Incorrect answers: tcptraceroute https://linux.die.net/man/1/tcptraceroute tcptraceroute is a traceroute implementation using TCP packets. The more traditional traceroute sends out either UDP or ICMP ECHO packets with a TTL of one, and increments the TTL until the destination has been reached. By printing the gateways that generate ICMP time exceeded messages along the way, it is able to determine the path packets are taking to reach the destination. Nessus https://en.wikipedia.org/wiki/Nessus_(software) Nessus is a program for automatically searching for known flaws in the protection of information systems. It is able to detect the most common types of vulnerabilities, for example: · Availability of vulnerable versions of services or domains · Configuration errors (for example, no need for authorization on the SMTP server) · Default, blank, or weak passwords The program has a client-server architecture, which greatly expands the scanning capabilities. According to a survey conducted by securitylab.ru, 17% of respondents use Nessus. OpenVAS https://en.wikipedia.org/wiki/OpenVAS OpenVAS (Open Vulnerability Assessment System, originally known as GNessUs) is a software framework of several services and tools offering vulnerability scanning and vulnerability management.
Which of the following best describes a counter-based authentication system? a. An authentication system that uses passphrases that are converted into virtual passwords. b. An authentication system that bases authentication decisions on physical attributes. c. An authentication system that bases authentication decisions on behavioral attributes. d. An authentication system that creates one-time passwords that are encrypted with secret keys.
d. An authentication system that creates one-time passwords that are encrypted with secret keys. In counter-based tokens, both the token and the authenticating server maintain a counter, whose value, together with a shared secret key, is used to generate the one-time password. This type of token requires one or more actions from the user before generating and displaying the one-time password. Usually, the actions are pushing a power-on button and, in some types, entering a PIN. The user action(s) will cause the token and the authenticating server to increment the counter.
You are conducting a wireless penetration test against an organization. During your attack, you created an evil twin of their wireless network. Many of the organization's laptops are now connected to your evil twin access point. Which of the following exploits should you utilize next to gather credentials from the victims browsing the internet through your access point? a. Fragmentation attack b. Deauthentication attack c. Karma attack d. Downgrade attack
d. Downgrade attack A downgrade attack forces a client to use a weaker SSL version that the attacker can crack. Since the devices are connected through your access point, you can establish a weaker SSL-based HTTPS connection between their web browser and the actual web server they wanted. This forcing of the client to use a weaker version is known as a downgrade attack, and it allows the attacker to capture the packets and later crack them offline since SSL-based HTTPS is weak enough to crack due to vulnerabilities in its design.
Ivan, a black-hat hacker, performs a man-in-the-middle attack. To do this, he uses a rogue wireless AP and embeds a malicious applet in all HTTP connections. When the victims went to any web page, the applet ran. Which of the following tools could Ivan probably use to inject HTML code? a. tcpdump b. Wireshark c. Aircrack-ng d. Ettercap
d. Ettercap https://en.wikipedia.org/wiki/Ettercap_(software) The question states that the attacker used a man-in-the-middle attack (MITM), and the list contains only one tool that allows this type of attack: Ettercap. Ettercap is a free and open source network security tool for man-in-the-middle attacks on LAN. It can be used for computer network protocol analysis and security auditing. It runs on various Unix-like operating systems including Linux, Mac OS X, BSD and Solaris, and on Microsoft Windows. It is capable of intercepting traffic on a network segment, capturing passwords, and conducting active eavesdropping against a number of common protocols. Incorrect answers: Wireshark https://en.wikipedia.org/wiki/Wireshark Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Originally named Ethereal, the project was renamed Wireshark in May 2006 due to trademark issues. Wireshark is cross-platform, using the Qt widget toolkit in current releases to implement its user interface, and using pcap to capture packets; it runs on Linux, macOS, BSD, Solaris, some other Unix-like operating systems, and Microsoft Windows. There is also a terminal-based (non-GUI) version called TShark. Wireshark, and the other programs distributed with it such as TShark, are free software, released under the terms of version 2 of the GNU General Public License. Aircrack-ng https://en.wikipedia.org/wiki/Aircrack-ng Aircrack-ng is a network software suite consisting of a detector, packet sniffer, WEP and WPA/WPA2-PSK cracker and analysis tool for 802.11 wireless LANs. It works with any wireless network interface controller whose driver supports raw monitoring mode and can sniff 802.11a, 802.11b and 802.11g traffic.
The program runs under Linux, FreeBSD, macOS, OpenBSD, and Windows; the Linux version is packaged for OpenWrt and has also been ported to the Android, Zaurus PDA and Maemo platforms; and a proof of concept port has been made to the iPhone. tcpdump https://en.wikipedia.org/wiki/Tcpdump tcpdump is a data-network packet analyzer computer program that runs under a command line interface. It allows the user to display TCP/IP and other packets being transmitted or received over a network to which the computer is attached. Distributed under the BSD license, tcpdump is free software. Tcpdump works on most Unix-like operating systems: Linux, Solaris, FreeBSD, DragonFly BSD, NetBSD, OpenBSD, OpenWrt, macOS, HP-UX 11i, and AIX. In those systems, tcpdump uses the libpcap library to capture packets. The port of tcpdump for Windows is called WinDump; it uses WinPcap, the Windows version of libpcap.
Which of the following best describes the operation of the Address Resolution Protocol? a. It sends a reply packet to all the network elements, asking for the MAC address from a specific IP. b. It sends a reply packet for a specific IP, asking for the MAC address. c. It sends a request packet to all the network elements, asking for the domain name from a specific IP. d. It sends a request packet to all the network elements, asking for the MAC address from a specific IP.
d. It sends a request packet to all the network elements, asking for the MAC address from a specific IP. https://en.wikipedia.org/wiki/Address_Resolution_Protocol When a new computer joins a LAN, it is assigned a unique IP address to use for identification and communication. When an incoming packet destined for a host machine on a particular LAN arrives at a gateway, the gateway asks the ARP program to find a MAC address that matches the IP address. A table called the ARP cache maintains a record of each IP address and its corresponding MAC address. All operating systems in an IPv4 Ethernet network keep an ARP cache. Whenever a host needs a MAC address to send a packet to another host in the LAN, it checks its ARP cache to see if the IP-to-MAC address translation already exists. If it does, then a new ARP request is unnecessary. If the translation does not exist, then the request for network addresses is sent, and ARP is performed. ARP broadcasts a request packet to all the LAN machines and asks if any of the machines are using that particular IP address. When a machine recognizes the IP address as its own, it sends a reply so ARP can update the cache for future reference and proceed with the communication. Host machines that don't know their own IP address can use the Reverse ARP (RARP) protocol for discovery. The ARP cache size is limited and the cache is periodically cleansed of all entries to free up space; in fact, addresses tend to stay in the cache for only a few minutes. Frequent updates allow other devices in the network to see when a physical host changes its requested IP address. In the cleaning process, unused entries are deleted, as are entries from unsuccessful attempts to communicate with computers that are not currently powered on.
Given a sufficiently large database of passwords, statistical analysis of the word list can produce a very effective way to crack passwords with tools such as John the Ripper. Which of the following attacks uses such an analysis to calculate the probability of character placement in a quasi-brute-force attack? a. Prince b. Toggle-Case c. Fingerprint d. Markov Chain
d. Markov Chain Humans are considered the weakest link when it comes to data security since they will typically pick passwords that are easier to remember over something more secure. But this way, the password becomes easy to hack, as well. And even if the user has come up with a strong password, there are still numerous techniques to crack it open in just a few hours using a regular computer. There are two main categories of password cracking techniques: offline and online. · Online attacks are performed on a live host or system by either a brute-force or wordlist attack against a login form, session, or another type of authentication technique. · Offline attacks are made by extracting the password hash or hashes stored by the victim and attempting to crack them without alerting the targeted host, which makes offline attacks the most widespread password cracking method. Security holes in the victim's infrastructure are what make this type of attack possible. To use the Markov Chains technique, hackers need to assemble a certain password database, split each password into 2-grams and 3-grams (2- and 3-character-long syllables), develop a new alphabet in which these different elements act as letters, and then match it against the existing password database. Finally, the hacker sets a threshold of occurrences on which the next step will be based and selects only the letters from the new alphabet that appear at least the minimum number of times, as chosen by the hacker. Then the method combines these into words of a maximum of eight characters in length and utilizes the dictionary attack once again. Incorrect answers: Toggle-Case This attack creates every possible case combination for each word in a dictionary. The password candidate "do" would also generate "Do" and "dO." Fingerprint This method is fairly sophisticated. It breaks possible passphrases down into "fingerprints," single- and multi-character combinations that a user might choose.
For the word "dog," the technique would create fingerprints including "d," "o," "g," along with "do," and "og." This can be an especially effective attack when a user remembers part of a password. However, due to its sophistication, it requires extraordinary computing power. Prince Stands for "PRobability INfinite Chained Elements." The PRINCE attack uses an algorithm to try the most likely password candidates with a refined combinator attack. It creates chains of combined words by using a single dictionary.
Which of the following structures is designed to verify and authenticate the identity of individuals within the enterprise taking part in a data exchange? a. SOA b. single sign-on c. biometrics d. PKI
d. PKI https://en.wikipedia.org/wiki/Public_key_infrastructure PKI is an arrangement that binds public keys with the respective identities of entities (like people and organizations). The binding is established through a process of registration and issuance of certificates at and by a certificate authority (CA). Depending on the assurance level of the binding, this may be carried out by an automated process or under human supervision. Incorrect answers: single sign-on https://en.wikipedia.org/wiki/Single_sign-on Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID and password to any of several related, yet independent, software systems. True single sign-on allows the user to log in once and access services without re-entering authentication factors. It should not be confused with same-sign on (Directory Server Authentication), often accomplished by using the Lightweight Directory Access Protocol (LDAP) and stored LDAP databases on (directory) servers. Biometrics https://en.wikipedia.org/wiki/Biometrics Biometric authentication refers to security processes that verify a user's identity through unique biological traits such as retinas, irises, voices, facial characteristics, and fingerprints. SOA https://en.wikipedia.org/wiki/Service-oriented_architecture Service-oriented architecture (SOA) is a style of software design where services are provided to the other components by application components, through a communication protocol over a network. A SOA service is a discrete unit of functionality that can be accessed remotely and acted upon and updated independently, such as retrieving a credit card statement online. SOA is also intended to be independent of vendors, products and technologies.
You are conducting a penetration test against an organization. You created an evil twin of their wireless network. Many of the organization's laptops are now connected to your evil twin access point. You want to capture all of the victim's web browsing traffic in an unencrypted format during your attack. Which of the following exploits should you utilize to meet this goal? a. Perform a deauthentication attack b. Perform an SSL downgrade attack c. Perform a man-in-the-middle attack d. Perform an SSL stripping attack
d. Perform an SSL stripping attack An SSL stripping attack, also known as an HTTP downgrade attack, forces the client to communicate with the webserver in plain text (unencrypted) over HTTP instead of HTTPS. Both SSL downgrade and SSL stripping attacks are used to force the victim into using a weaker encryption mechanism (SSL downgrade to SSL-based HTTPS) or no encryption (SSL stripping to HTTP) for its web traffic.
You want to exploit the NETBIOS name service on a Windows-based network. Which of the following tools should you use? a. Arpspoof b. Nessus c. John the Ripper d. Responder
d. Responder Responder provides a fake server and relay tool that is included with Kali Linux. It responds to LLMNR, NBT-NS (NETBIOS), POP, IMAP, SMTP, and SQL queries to recover sensitive information such as user names and passwords. Responder is configured to listen for LLMNR/NBNS queries and respond with itself as the desired destination. When the client then tries to connect, it prompts the user to log on based on the client's protocol, thus harvesting the user's credentials.
In order to prevent collisions and protect password hashes from rainbow tables, Maria, the system administrator, decides to add random data strings to the end of passwords before hashing. What is the name of this technique? a. Masking b. Extra hashing c. Stretching d. Salting
d. Salting https://en.wikipedia.org/wiki/Salt_(cryptography) A salt is random data that is used as an additional input to a one-way function that hashes data, a password, or passphrase. Salts are used to safeguard passwords in storage. Historically a password was stored in plaintext on a system, but over time additional safeguards were developed to protect a user's password against being read from the system. A salt is one of those methods. A new salt is randomly generated for each password. In a typical setting, the salt and the password (or its version after key stretching) are concatenated and processed with a cryptographic hash function, and the output hash value (but not the original password) is stored with the salt in a database. Hashing allows for later authentication without keeping and therefore risking exposure of the plaintext password in the event that the authentication data store is compromised. Salts defend against a pre-computed hash attack, e.g. rainbow tables. Since salts do not have to be memorized by humans they can make the size of the hash table required for a successful attack prohibitively large without placing a burden on the users. Since salts are different in each case, they also protect commonly used passwords, or those users who use the same password on several sites, by making all salted hash instances for the same password different from each other.
Transmission Control Protocol accepts data from a data stream, divides it into chunks, and adds a TCP header creating a TCP segment. A TCP segment consists of a segment header and a data section. The segment header contains 10 mandatory fields and an optional extension field. Which of the suggested fields is not included in the TCP segment header? a. Checksum b. Sequence Number c. Source Port d. Source IP address
d. Source IP address Source Port (16 bits) Identifies the sending port. Sequence Number (32 bits) · If the SYN flag is set (1), then this is the initial sequence number. The sequence number of the actual first data byte and the acknowledged number in the corresponding ACK are then this sequence number plus 1. · If the SYN flag is clear (0), then this is the accumulated sequence number of the first data byte of this segment for the current session. Checksum (16 bits) The 16-bit checksum field is used for error-checking of the TCP header, the payload and an IP pseudo-header. The pseudo-header consists of the source IP address, the destination IP address, the protocol number for the TCP protocol (6) and the length of the TCP headers and payload (in bytes).
An independent cybersecurity researcher has contacted your company to prove a buffer overflow vulnerability exists in one of your applications. Which technique would have been most likely to identify this vulnerability in your application during development? a. Dynamic code analysis b. Pair programming c. Manual Peer Review d. Static code analysis
d. Static code analysis Buffer overflows are most easily detected by conducting a static code analysis. Manual peer review or pair programming methodologies might have been able to detect the vulnerability. Still, they do not have the same level of success as a static code analysis using proper tools. A DevSecOps methodology would also improve the likelihood of detecting such an error but still relies on human-to-human interactions and human understanding of source code to detect the fault. Dynamic code analysis also may have detected this if the test found exactly the right condition. Still, again, a static code analysis tool is designed to find buffer overflows more effectively.
John needs to send a super-secret message, and for this, he wants to use the technique of hiding a secret message within an ordinary message. The technique provides "security through obscurity." Which of the following techniques will John use? a. Deniable encryption b. Encryption c. Digital watermarking d. Steganography
d. Steganography Steganography is the art of hiding a secret message in an ordinary object. The secret message and ordinary objects can be an image, text, audio, files, etc. A user can hide the secret in an ordinary-looking object using some tools and techniques, and the receiver can then use a similar technique to get the secret back. Steganography is required to send the message without disclosing the presence of the message. This is how steganography differs from cryptography. Cryptography ensures that the message is encrypted, and this crypto message will not make any sense to the user without decryption. A malicious user can intercept this message and try to recover the message or the key used to encrypt the message using cryptographic attacks. Steganography ensures that the object in which the message is hidden will not attract hackers to try and get the message, as there is no sign that there is something in the ordinary-looking object. Steganography provides security through obscurity. If no one can see it, no one can crack it. Incorrect answers: Digital watermarking https://en.wikipedia.org/wiki/Digital_watermarking A digital watermark is a kind of marker covertly embedded in a noise-tolerant signal such as audio, video or image data. It is typically used to identify ownership of the copyright of such signal. "Watermarking" is the process of hiding digital information in a carrier signal; the hidden information should, but does not need to, contain a relation to the carrier signal. Digital watermarks may be used to verify the authenticity or integrity of the carrier signal or to show the identity of its owners. It is prominently used for tracing copyright infringements and for banknote authentication.
Deniable encryption https://en.wikipedia.org/wiki/Deniable_encryption Plausibly deniable encryption describes encryption techniques where the existence of an encrypted file or message is deniable in the sense that an adversary cannot prove that the plaintext data exists. The users may convincingly deny that a given piece of data is encrypted, or that they are able to decrypt a given piece of encrypted data, or that some specific encrypted data exists. Such denials may or may not be genuine. For example, it may be impossible to prove that the data is encrypted without the cooperation of the users. If the data is encrypted, the users genuinely may not be able to decrypt it. Deniable encryption serves to undermine an attacker's confidence either that data is encrypted, or that the person in possession of it can decrypt it and provide the associated plaintext. Encryption https://en.wikipedia.org/wiki/Encryption Encryption is the process of encoding information. This process converts the original representation of the information, known as plaintext, into an alternative form known as ciphertext. Ideally, only authorized parties can decipher a ciphertext back to plaintext and access the original information. Encryption does not itself prevent interference but denies the intelligible content to a would-be interceptor.
Jason is conducting a physical penetration test against a company. His objective is to enter the server room that is protected by a lock using a fingerprint reader. Jason attempts to use his finger to open the lock several times without success. He then turns his finger 45 degrees to the left, and the lock authenticates him. What is MOST likely the reason the lock opened? a. The crossover error rate is tuned towards true negatives b. The biometric lock is set to fail open after five invalid attempts c. The biometric lock is set to fail closed after five invalid attempts d. The crossover error rate is tuned towards false positives
d. The crossover error rate is tuned towards false positives A biometric lock is difficult to bypass unless the installer incorrectly configures it. If the biometric lock has a high false acceptance rate, it will allow unauthorized people to open the door. The crossover error rate (CER) is the point where the false acceptance and false rejection rates are equal. When charted on a graph, this point can lean more towards accepting false positives or rejecting true positives. If it leans more towards accepting false positives, the sensitivity has decreased to allow less frustration for its users.
A cybersecurity analyst at Yoyodyne Systems just finished reading a news article about their competitor, Whamiedyne Systems, being hacked by an unknown threat actor. Both companies sell to the same basic group of consumers over the internet since their products are used interchangeably by consumers. Which of the following is a valid cybersecurity concern for Yoyodyne Systems? a. The attacker will conduct a man-in-the-middle attack b. The same vulnerability will be compromised on their servers c. The attacker will conduct a SQL injection against their database d. They may now be vulnerable to a credential stuffing attack
d. They may now be vulnerable to a credential stuffing attack The largest and most immediate cybersecurity concern that the analyst should have is credential stuffing. Credential stuffing occurs when an attacker tests username and password combinations against multiple online sites. Since both companies share a common consumption group, it is likely that some of Yoyodyne's consumers also had a user account at Whamiedyne. If the attackers compromised the username and passwords from Whamiedyne's servers, they might attempt to use those credentials on Yoyodyne's servers, too. There is no definitive reason to believe that both companies are using the same infrastructure. Therefore, the same vulnerability that was exploited by the attacker may not exist at Yoyodyne. The question doesn't mention an SQL database. Therefore, there is no direct threat of an SQL injection. A man-in-the-middle (MitM) attack occurs when the attacker sits between two communicating hosts and transparently captures, monitors, and relays all communications between the host. Nothing in this question indicates that a MitM was utilized or is a possible threat.
Sniffing is a process of monitoring and capturing all data packets passing through a given network. An intruder can capture and analyze all network traffic by placing a packet sniffer on a network in promiscuous mode. Sniffing can be either Active or Passive in nature. How does passive sniffing work? a. This is the process of sniffing through the gateway. b. This is the process of sniffing through the switch. c. This is the process of sniffing through the router. d. This is the process of sniffing through the hub.
d. This is the process of sniffing through the hub. Sniffing is the process of monitoring and capturing all data packets passing through a given network. Network and system administrators use sniffers to monitor and troubleshoot traffic; attackers use them to capture packets containing sensitive information such as passwords and account details. A sniffer can be hardware or software installed on a system. By placing a packet sniffer on a network in promiscuous mode, so that the network interface accepts frames not addressed to it, a malicious intruder can capture and analyze network traffic. Active Sniffing: Sniffing on a switched network is active sniffing. A switch is a point-to-point network device: it learns the MAC address present on each port and forwards a frame only to the port of its destination, so a sniffer on another port sees only broadcast traffic and traffic addressed to itself. To capture traffic between other hosts, the attacker has to actively inject traffic into the LAN in order to redirect frames to the sniffing machine; this can be done in various ways. Passive Sniffing: This is the process of sniffing through a hub. On a non-switched or unbridged segment, a hub repeats every frame out of every port, so any traffic on that segment can be seen by all machines attached to it. Sniffers operate at the data link layer of the network. Because every frame on the LAN already arrives at every machine, the attacker's sniffer simply waits for data to be sent and records it, transmitting nothing itself; that is why this mode is called passive.
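What a sniffer actually sees at the data link layer is a raw Ethernet frame, so here is an added example (not part of the study set) that decodes one constructed Ethernet II / IPv4 / TCP frame the way a sniffer would, verifying the IPv4 header checksum along the way. The frame bytes, addresses and ports are constructed for illustration, not captured; `sniff_frames` shows where a real passive capture would plug in and is Linux-specific.

```python
"""Added example (not part of the study set): what a sniffer sees at the data
link layer. Parses one Ethernet II / IPv4 / TCP frame (a SYN to port 80) and
verifies the IPv4 header checksum. The frame bytes are constructed, not captured.
"""
import socket
import struct
from typing import Dict, List

# Constructed frame: 10.0.0.1:40000 -> 10.0.0.2:80, TCP SYN, no payload.
SAMPLE_FRAME = bytes.fromhex(
    "001122334455"                                  # destination MAC
    "66778899aabb"                                  # source MAC
    "0800"                                          # EtherType: IPv4
    "4500002800010000400666cd0a0000010a000002"      # IPv4 header: total length 40, TTL 64, proto 6
    "9c4000500000000000000000"                      # TCP: sport 40000, dport 80, seq 0, ack 0
    "5002ffff00000000"                              # data offset 5, flags SYN, window, checksum, urgent
)

TCP_FLAG_NAMES = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"),
                  (0x10, "ACK"), (0x20, "URG"), (0x40, "ECE"), (0x80, "CWR")]


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum of 16-bit words; over a valid header it returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_frame(frame: bytes) -> Dict[str, object]:
    """Decode Ethernet II, then IPv4, then TCP; stop early for other protocols."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info: Dict[str, object] = {"dst_mac": mac_str(dst), "src_mac": mac_str(src),
                               "ethertype": ethertype}
    if ethertype != 0x0800:  # not IPv4 (e.g. 0x0806 ARP, 0x86DD IPv6)
        return info
    (ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto,
     _cksum, sip, dip) = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes (20 without options)
    info.update(src_ip=socket.inet_ntoa(sip), dst_ip=socket.inet_ntoa(dip), ttl=ttl,
                protocol=proto, ip_checksum_ok=ipv4_checksum(frame[14:14 + ihl]) == 0)
    if proto != 6:  # not TCP
        return info
    tcp_start = 14 + ihl
    sport, dport, seq, ack, off_flags, window, _tcksum, _urg = struct.unpack(
        "!HHIIHHHH", frame[tcp_start:tcp_start + 20])
    data_offset = (off_flags >> 12) * 4
    flags = off_flags & 0x01FF
    flag_names: List[str] = [name for bit, name in TCP_FLAG_NAMES if flags & bit]
    info.update(src_port=sport, dst_port=dport, seq=seq, ack=ack, window=window,
                tcp_flags=flag_names,
                payload=frame[tcp_start + data_offset:14 + total_len])
    return info


def sniff_frames(count: int = 1) -> List[Dict[str, object]]:
    """Passive capture on Linux (needs root or CAP_NET_RAW).

    Without promiscuous mode (`ip link set dev eth0 promisc on`) the NIC drops
    frames not addressed to it; on a switched segment even promiscuous mode only
    yields your own and broadcast traffic, which is why switch sniffing is active.
    """
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.ntohs(0x0003))  # ETH_P_ALL
    return [parse_frame(s.recv(65535)) for _ in range(count)]


if __name__ == "__main__":
    for key, value in parse_frame(SAMPLE_FRAME).items():
        print(f"{key:16} {value}")
```

Note that the decoder has to read the IHL field rather than assume a 20-byte IP header, and the TCP data offset rather than assume 20 bytes of TCP header; sniffers that hard-code those sizes misparse packets carrying options.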
You need to conduct a technical assessment of the network for a small company that supplies medical services. All computers in the company use Windows OS. What is the best approach for discovering vulnerabilities? a. Create a disk image of a clean Windows installation. b. Check MITRE.org for the latest list of CVE findings. c. Use the built-in Windows Update tool. d. Use a scan tool like Nessus.
d. Use a scan tool like Nessus. https://en.wikipedia.org/wiki/Nessus_(software) Nessus is a proprietary vulnerability scanner developed by Tenable, Inc. Examples of vulnerabilities and exposures Nessus can scan for include:
· Vulnerabilities that could allow unauthorized control of a system or access to sensitive data on it.
· Misconfigurations (e.g. open mail relays, missing patches).
· Default passwords, a few common passwords, and blank/absent passwords on some system accounts. Nessus can also call Hydra (an external tool) to launch a dictionary attack.
· Denial-of-service vulnerabilities.
· Scans across a wide range of technologies, including operating systems, network devices, hypervisors, databases, web servers, and critical infrastructure.
Nessus provides functionality beyond testing for known network vulnerabilities. For instance, it can use Windows credentials to examine patch levels on computers running the Windows operating system, which is exactly what an assessment of an all-Windows network needs. Nessus also supports configuration and compliance audits, SCADA audits, and PCI compliance checks. Incorrect answers: Use the built-in Windows Update tool https://en.wikipedia.org/wiki/Windows_Update Windows Update is a Microsoft service for the Windows 9x and Windows NT families of operating systems that automates downloading and installing Microsoft Windows software updates over the Internet. It delivers updates for Windows and for Microsoft antivirus products, including Windows Defender and Microsoft Security Essentials. Microsoft has since introduced two extensions of the service: Microsoft Update and Windows Update for Business. The former expands the core service to include other Microsoft products, such as Microsoft Office and Microsoft Expression Studio. The latter is available to business editions of Windows 10 and permits postponing updates or receiving updates only after they have undergone rigorous testing. Windows Update installs patches on one machine; it does not assess or report on the vulnerabilities present across a network.
Check MITRE.org for the latest list of CVE findings https://www.mitre.org/about/corporate-overview https://cve.mitre.org/ As a not-for-profit organization, MITRE works in the public interest across federal, state and local governments, as well as industry and academia. We bring innovative ideas into existence in areas as varied as artificial intelligence, intuitive data science, quantum information science, health informatics, space security, policy and economic expertise, trustworthy autonomy, cyber threat sharing, and cyber resilience. The CVE list catalogs publicly known vulnerabilities in general; it cannot tell you which of them are actually present on this company's hosts, which is the purpose of a vulnerability scan. Creating a clean disk image is a hardening or recovery measure, not a way to discover vulnerabilities on the machines already in use.
Your network security manager wants a monthly report of the security posture of all the assets on the network (e.g., workstations, servers, routers, switches, firewalls). The report should include any feature of a system or appliance that is missing a security patch, OS update, or other essential security feature and its risk severity. Which solution would work best to find this data? a. Security policy b. Penetration test c. Virus scan d. Vulnerability scanner
d. Vulnerability scanner A vulnerability scanner is a computer program designed to assess computers, computer systems, networks, or applications for weaknesses. Most vulnerability scanners also create an itemized report of their findings after the scan.
You are logged into the Windows command prompt and want to find what systems are alive in a portion of a Class B network (172.16.0.0/24) using ICMP. What command would best accomplish this? a. ping 172.16.0.0 b. ping 172.16.0.255 c. for %X in (1 1 255) do PING 172.16.0.%X d. for /L %X in (1 1 254) do PING -n 1 172.16.0.%X | FIND /I "Reply"
d. for /L %X in (1 1 254) do PING -n 1 172.16.0.%X | FIND /I "Reply" The Windows command line supports some fundamental scripting, as this answer shows. The syntax is: for /L %variable in (start# step# end#) do command [CommandLineOptions]. With /L, the iterative variable starts at start# and is incremented by step# until it passes end#, at which point the command shell exits the loop; a negative step# steps through a range in decreasing values. For example, (1,1,5) generates the sequence 1 2 3 4 5 and (5,-1,1) generates 5 4 3 2 1. Here %X takes the host values 1 through 254 (0 is the network address and 255 the directed broadcast address of the /24), PING -n 1 sends a single echo request to each host, and FIND /I "Reply" keeps only the lines containing a reply. Inside a batch file the variable is written %%X. Why the other options fail: ping 172.16.0.0 and ping 172.16.0.255 each send echo requests to a single address (the network and broadcast addresses), and Windows will not enumerate live hosts from either; option c omits /L, so (1 1 255) is a literal set of three tokens and only 172.16.0.1 (twice) and 172.16.0.255 are pinged. One caveat in practice: when a host on the local subnet is down, Windows prints "Reply from <your own address>: Destination host unreachable.", which FIND /I "Reply" also matches, so check that the reply came from the target itself (or filter on "TTL=") before treating a host as alive.
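The following is an added example (not part of the study set) that performs the same /24 sweep from Python and shows the "Destination host unreachable" false positive that a bare FIND /I "Reply" produces. The ping transcripts are constructed sample output, and the local address 172.16.0.50 that appears in them is assumed; `windows_ping` uses the Windows ping switches and will not behave the same on Linux.

```python
"""Added example (not part of the study set): the same /24 ICMP sweep as the
cmd.exe one-liner, with the reply check done properly.

`FIND /I "Reply"` has a pitfall on Windows: when a local-subnet host is down,
the local machine itself answers "Reply from <your own IP>: Destination host
unreachable.", which also contains "Reply". Only a line of the form
"Reply from <target>: bytes=.. time=..ms TTL=.." proves the target is alive.
The ping transcripts below are constructed sample output, not a real capture.
"""
import re
import subprocess
from typing import Callable, Dict, List

# A genuine echo reply line as printed by Windows ping (time may be "<1ms").
REPLY_RE = re.compile(
    r"Reply from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}): bytes=\d+ time[=<]\d+ms TTL=\d+"
)

# Constructed output for three addresses in 172.16.0.0/24.
SAMPLE_OUTPUT: Dict[str, str] = {
    "172.16.0.1": (
        "Pinging 172.16.0.1 with 32 bytes of data:\n"
        "Reply from 172.16.0.1: bytes=32 time<1ms TTL=128\n"
    ),
    # Down host: the *local* machine (172.16.0.50, assumed) produces the reply line.
    "172.16.0.2": (
        "Pinging 172.16.0.2 with 32 bytes of data:\n"
        "Reply from 172.16.0.50: Destination host unreachable.\n"
    ),
    "172.16.0.3": "Pinging 172.16.0.3 with 32 bytes of data:\nRequest timed out.\n",
}


def naive_find_reply(output: str) -> bool:
    """What `| FIND /I "Reply"` tests: any line containing 'reply', case-insensitive."""
    return "reply" in output.lower()


def host_replied(target: str, output: str) -> bool:
    """True only if an echo reply came from the target address itself."""
    return any(m["ip"] == target for m in REPLY_RE.finditer(output))


def windows_ping(target: str, timeout_ms: int = 500) -> str:
    """Run Windows ping once (-n 1) with a per-reply timeout (-w, milliseconds).

    These switches are Windows-specific; on Linux -n and -w mean other things.
    """
    proc = subprocess.run(["ping", "-n", "1", "-w", str(timeout_ms), target],
                          capture_output=True, text=True)
    return proc.stdout


def sweep(prefix: str, ping: Callable[[str], str], start: int = 1, end: int = 254) -> List[str]:
    """Equivalent of `for /L %X in (start 1 end) do ...` over prefix + X."""
    alive: List[str] = []
    for host in range(start, end + 1):
        target = f"{prefix}{host}"
        if host_replied(target, ping(target)):
            alive.append(target)
    return alive


if __name__ == "__main__":
    def fake_ping(target: str) -> str:
        return SAMPLE_OUTPUT.get(target, "Request timed out.\n")

    print(sweep("172.16.0.", fake_ping, 1, 3))  # ['172.16.0.1']
    # On a real Windows host: sweep("172.16.0.", windows_ping)
```

Running the naive check over the constructed output for 172.16.0.2 reports it alive; the stricter check does not, because the reply came from the scanning host, not the target.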
3-2-1 Backup Rule
The 3-2-1 backup rule is one of the most effective defenses against ransomware: keep at least three copies of your data, on two different types of storage media, with at least one copy offsite. The offsite copy should also be offline or otherwise unreachable from the production network, so that ransomware that reaches the file servers cannot encrypt the backups as well.
tcptrace
Tool for analyzing the TCP connections in packet capture files produced by tcpdump, Wireshark, Snort, EtherPeek, and similar tools; it reports per-connection statistics such as bytes and segments sent, retransmissions, round-trip times, and window advertisements.