CHAP 14 PQ
A security analyst is using tcpdump to capture suspicious traffic detected on port 443 of a server. The analyst wants to capture the entire packet with hexadecimal and ASCII output only. Which of the following tcpdump options will achieve this output?
-X port 443
The ping command is designed to test connectivity between two computers. There are several command options available to customize ping, making it a useful tool for network administrators. On Windows, the default number of ping requests is set to four. Which of the following command options will change the default number of ping requests?
-n
Which of the following best describes an antivirus sensor system?
A collection of software that detects and analyzes malware.
The program shown is a crypter. Which of the following options best defines what this program does?
A crypter can encrypt, obfuscate, and manipulate malware to make it difficult to detect.
Which of the following best describes a DoS attack?
A hacker overwhelms or damages a system and prevents users from accessing a service.
Which of the following describes a session ID?
A unique token that a server assigns for the duration of a client's communications with the server.
The Stuxnet worm was discovered in 2010 and was used to gain sensitive information about Iran's industrial infrastructure. This worm was probably active for about five years before being discovered. During this time, the attacker had access to the target. Which type of attack was Stuxnet?
APT
Drag the description on the left to the appropriate switch attack type shown on the right.
ARP Spoofing/Poisoning: The source device sends frames to the attacker's MAC address instead of the correct device.
VLAN Hopping: Switch spoofing and double tagging are the two primary ways an attacker can execute the exploit.
MAC Flooding: Fills the forwarding table with packets, consuming switch memory and forcing fail-open mode.
MAC Spoofing: Used to hide the identity of the attacker's computer or impersonate another device on the network.
Which of the following is the term used to describe what happens when an attacker sends falsified messages to link their MAC address with the IP address of a legitimate computer or server on the network?
ARP poisoning
As the cybersecurity specialist for your company, you believe a hacker is using ARP poisoning to infiltrate your network. To test your hypothesis, you have used Wireshark to capture packets and then filtered the results. After examining the results, which of the following is your best assessment regarding ARP poisoning?
ARP poisoning is occurring, as indicated by the duplicate response IP address.
Jason, an attacker, has manipulated a client's connection to disconnect the real client and allow the server to think that he is the authenticated user. Which of the following describes what he has done?
Active hijacking
An attacker may use compromised websites and emails to distribute specially designed malware to poorly secured devices. This malware provides an access point to the attacker, which he can use to control the device. Which of the following devices can the attacker use?
Any device that can communicate over the intranet can be hacked.
Which of the following best describes the key difference between DoS and DDoS?
Attackers use numerous computers and connections.
Match the common threat mitigation techniques that are used to protect against attacks, listed on the left, with the appropriate descriptions on the right. (Each technique may be used once, more than once, or not at all.)
Port authentication (802.1x): Authentication uses usernames and passwords, smart cards, or other authentication methods.
Port authentication (802.1x): The device responds with authentication credentials, which the switch forwards to the authentication device (such as a RADIUS server).
DHCP snooping: Protects against rogue servers being connected to the network and performing man-in-the-middle attacks.
Port authentication (802.1x): Allows only authenticated devices to connect to the LAN through the switch.
DHCP snooping: Protects against network issues caused by an employee connecting a consumer-grade router to a network port.
Creating an area of the network where offending traffic is forwarded and dropped is known as _________?
Black hole filtering
Which of the following laws regulates emails?
CAN-SPAM Act
Which of the following are all network sniffing tools?
Cain and Abel, Ettercap, and TCPDump
A small business called Widgets, Inc. has hired you to evaluate their wireless network security practices. As you analyze their facility, you note the following using a wireless network locator device: Widgets, Inc. uses an 802.11n wireless network. The wireless network is broadcasting the SSID Linksys. The wireless network uses WPA2 with AES security. Directional access points are positioned around the periphery of the building. Which of the following would you MOST likely recommend your client do to increase their wireless network security? (Select two.)
Change the SSID to something other than the default. Disable SSID broadcast.
You've just finished installing a wireless access point for a client. Which action best protects the access point from unauthorized tampering with its configuration settings?
Changing the default administrative password
Daphne has determined that she has malware on her Linux machine. She prefers to only use open-source software. Which anti-malware software should she use?
ClamAV
Which of the following best describes the process of using prediction to gain session tokens in an Application-level hijacking attack?
Collect several session IDs that have been used before and then analyze them to determine a pattern.
Two common AAA server solutions are RADIUS and TACACS+. Match the AAA server solutions on the left with the appropriate descriptions on the right. (Each server solution may be used more than once.)
RADIUS: Combines authentication, authorization, and accounting.
TACACS+: Uses TCP port 49.
RADIUS: Does not transmit passwords in clear text between the client and the server.
TACACS+: Provides three protocols, one each for authentication, authorization, and accounting.
TACACS+: Encrypts the entire packet contents, not just authentication packets.
RADIUS: Uses UDP ports 1812 and 1813 and can be vulnerable to buffer overflow attacks.
You are the network administrator for a city library. Throughout the library are several groups of computers that provide public access to the internet. Supervision of these computers has been difficult. You've had problems with patrons bringing personal laptops into the library and disconnecting the network cables from the library computers to connect their laptops to the internet. The library computers are in groups of four. Each group of four computers is connected to a hub that is connected to the library network through an access port on a switch. You want to restrict access to the network so only the library computers are permitted connectivity to the internet. What can you do?
Configure port security on the switch.
You have just installed a wireless access point (WAP) for your organization's network. You know that the radio signals used by the WAP extend beyond your organization's building and are concerned that unauthorized users outside may be able to access your internal network. Which of the following steps will BEST protect the wireless network? (Select TWO. Each option is a complete solution.)
Configure the WAP to filter unauthorized MAC addresses. Use the WAP's configuration utility to reduce the radio signal strength.
Which of the following measures will make your wireless network less visible to the casual attacker?
Disable SSID broadcast.
You are a security consultant. You've been hired to evaluate an organization's physical security practices. All employees must pass through a locked door to enter the main work area. Access is restricted using a smart card reader. Network jacks are located in the reception area so employees and vendors can access the company network for work-related purposes. Users within the secured work area are trained to lock their workstations if they will leave them for any period of time. Which of the following recommendations would you MOST likely make to this organization to increase their security?
Disable the switch ports connected to the network jacks in the reception area.
Which of the following parts of the Trojan horse packet installs the malicious code onto the target machine?
Dropper
Which of the following features is supplied by WPA2 on a wireless network? (Select two.)
Encryption Authentication
Match the malware detection methods on the left with the description on the right.
Integrity checking: Establishes a baseline of the system and will alert the user if any suspicious system changes occur.
Interception: Is mainly used against logic bombs and Trojans.
Code emulation: Works well against polymorphic and metamorphic viruses.
Heuristic analysis: Aids in detecting new or unknown malware.
Scanning: Could have live system monitoring to immediately detect malware.
A hacker has discovered UDP protocol weaknesses on a target system. The hacker attempts to send large numbers of UDP packets from a system with a spoofed IP address, which broadcasts out to the network in an attempt to flood the target system with an overwhelming amount of UDP responses. Which of the following DoS attacks is the hacker attempting to use?
Fraggle attack
You are configuring a new 2960 switch. You issue the following commands:
switch(config)#interface fast 0/15
switch(config-if)#switchport mode access
switch(config-if)#switchport port-security
switch(config-if)#switchport port-security maximum 1
switch(config-if)#switchport port-security mac-address sticky
switch(config-if)#switchport port-security violation protect
You connect a hub with two workstations to port Fa0/15. You power on Device1 and then Device2. What will be the result?
Frames from Device1 will be allowed; frames from Device2 will be dropped.
Miguel has been practicing his hacking skills. He has discovered a vulnerability on a system that he did not have permission to attack. Once Miguel discovered the vulnerability, he anonymously alerted the owner and told him how to secure the system. Which type of hacker is Miguel in this scenario?
Gray Hat
Rudy is analyzing a piece of malware discovered in a penetration test. He has taken a snapshot of the test system and will run the malware. He will take a snapshot afterward and monitor different components, such as ports, processes, and event logs, and note changes. Which of the following processes is he using?
Host integrity monitoring
Which of the following are protocols included in the IPsec architecture?
IKE, AH, and ESP
Which of the following protocols is one of the most common methods used to protect packet information and defend against network attacks in VPNs?
IPsec
A small business named BigBikes, Inc. has hired you to evaluate their wireless network security practices. As you analyze their facility, you note the following: BigBikes, Inc. uses an 802.11a wireless network. The wireless network SSID is set to BWLAN. The wireless network is not broadcasting the network SSID. The wireless network uses WPA2 with AES security. Omnidirectional access points are positioned around the periphery of the building. Which of the following would you MOST likely recommend your client do to increase their wireless network security?
Implement directional access points.
Your organization is frequently visited by sales reps. While on-site, they frequently plug their notebook systems into any available wall jack, hoping to get internet connectivity. You are concerned that allowing them to do this could result in the spread of malware throughout your network. Which of the following would BEST protect you from guest malware infection? (Select two.)
Implement static IP addressing. Implement MAC address filtering.
Which of the following malware detection methods establishes a baseline of the system and will alert the user if any suspicious system changes occur?
Integrity checking
Which of the following is the first step you should take if malware is found on a system?
Isolate the system from the network immediately.
A virus has replicated itself throughout systems it has infected and is executing its payload. Which of the following phases of the virus life cycle is this virus in?
Launch
Which of the following attacks, if successful, causes a switch to function like a hub?
MAC flooding
Which term describes the process of sniffing traffic between a user and server, then re-directing the traffic to the attacker's machine, where malicious traffic can be forwarded to either the user or server?
Man-in-the-middle
What is the least secure place to locate an omnidirectional access point when creating a wireless network?
Near a window
Your network devices are categorized into the following zone types:
No-trust zone
Low-trust zone
Medium-trust zone
High-trust zone
Your network architecture employs multiple VLANs for each of these network zones. Each zone is separated by a firewall that ensures only specific traffic is allowed. Which of the following is the secure architecture concept used on this network?
Network segmentation
Using Wireshark, you have used a filter to help capture only the desired types of packets. Using the information shown in the image, which of the following best describes the effects of using the net 192.168.0.0 filter?
Only packets with either a source or destination address on the 192.168.0.0 network are captured.
Which of the following is characterized by an attacker using a sniffer to monitor traffic between a victim and a host?
Passive hijacking
While performing a penetration test, you captured a few HTTP POST packets using Wireshark. After examining the selected packet, which of the following concerns or recommendations will you include in your report?
Passwords are being sent in clear text.
Authentication, authorization, and accounting (AAA) are the three security components used to protect network access and communications. Which of the following describes the authorization security component?
Permits or denies access to the network resources a user needs to perform tasks.
Drag the network attack technique on the left to the appropriate description or example on the right. (Each technique may be used once, more than once, or not at all.)
Active attack: Perpetrators attempt to compromise or affect the operations of a system.
External attack: Unauthorized individuals try to breach a network from off-site.
Active attack: Attempting to find the root password on a web server by brute force.
Passive attack: Attempting to gather information without affecting the flow of information on the network.
Passive attack: Sniffing network packets or performing a port scan.
When comparing RADIUS to TACACS+, which of the following statements are true? (Select three.)
RADIUS is more interoperable because TACACS+ is Cisco proprietary software. TACACS+ is more secure than RADIUS because RADIUS only encrypts the password. TACACS+ is considered more reliable than RADIUS because of TCP.
Which of the following best describes a reverse proxy method for protecting a system from a DoS attack?
Redirects all traffic before it is forwarded to a server, so the redirected system takes the impact.
Part of a penetration test is checking for malware vulnerabilities. During this process, the penetration tester needs to manually check many different areas of the system. After these checks are completed, which of the following is the next step?
Run anti-malware scans
Anti-malware software uses several methods to detect malware. One of these methods is scanning. Which of the following best describes scanning?
Scanning uses live system monitoring to detect malware immediately. This technique utilizes a database that needs to be updated regularly. Scanning is the quickest way to catch malware programs.
Which of the following malware types shows the user signs of potential harm that could occur if the user doesn't take a certain action?
Scareware
It is important to be prepared for a DoS attack. These attacks are becoming more common. Which of the following best describes the response you should take for a service degradation?
Services can be set to throttle or even shut down.
Your network administrator has set up training for all users regarding clicking on links in emails or instant messages. Which of the following is your network administrator attempting to prevent?
Session fixation
A certain attack task includes five steps as follows:
1. Sniff the traffic between the target computer and the server.
2. Monitor traffic with the goal of predicting the packet sequence numbers.
3. Desynchronize the current session.
4. Predict the session ID and take over the session.
5. Inject commands to target the server.
Which of the following tasks does the above list describe?
Session hijacking
Analyzing emails, suspect files, and systems for malware is known as which of the following?
Sheep dipping
Your network administrator is configuring settings so the switch shuts down a port when the max number of MAC addresses is reached. What is the network administrator taking countermeasures against?
Sniffing
You have just captured the following packet using Wireshark and the filter shown. Which of the following is the captured password?
St@y0ut!@
Put the steps for developing an anti-malware program on the left in proper order on the right.
Step 1: Identify unique characteristics of malicious software.
Step 2: Write the scanning process.
Step 3: Update the anti-malware program.
Step 4: Scan the system.
Part of a penetration test is checking for malware vulnerabilities. There are twelve steps that are followed when testing for malware vulnerabilities. Put the steps in order.
Step 1: Scan for open ports.
Step 2: Scan for running processes.
Step 3: Check for suspicious or unknown registry entries.
Step 4: Verify all running Windows services.
Step 5: Check startup programs.
Step 6: Look through event logs for suspicious events.
Step 7: Verify all installed programs.
Step 8: Scan files and folders for manipulation.
Step 9: Verify that device drivers are legitimate.
Step 10: Check all network and DNS settings and activity.
Step 11: Scan for suspicious API calls.
Step 12: Run anti-malware scans.
Which of the following are true of port security sticky addresses? (Select two.)
They are placed in the running-config file and can be saved to the startup-config file. They can be learned automatically or manually configured.
Which statement best describes a suicide hacker?
This hacker is only concerned with taking down their target for a cause. They have no concerns about being caught.
The process of analyzing an organization's security and determining its security holes is called:
Threat modeling
Heather wants to gain remote access to Randy's machine. She has developed a program and hidden it inside a legitimate program that she is sure Randy will install on his machine. Which of the following types of malware is she using?
Trojan horse
Using sniffers has become one way for an attacker to view and gather network traffic. If an attacker overcomes your defenses and obtains network traffic, which of the following is the best countermeasure for securing the captured network traffic?
Use encryption for all sensitive traffic.
Frank, an IT tech, works for the ABC company. His friend Joe, who works for the XYZ company, informs Frank that XYZ company has been hit by a new malware attack. What is the first thing Frank should do for the ABC company?
Verify that ABC company's anti-malware software is updated and running.
In which of the following attacks does the attacker block all traffic by taking up all available bandwidth between the target computer and the internet?
Volumetric attack
Which of the following is the most secure protocol for wireless networks?
WPA2
Which type of threat actor only uses skills and knowledge for defensive purposes?
White hat
You suspect that an ICMP flood attack is taking place on your system from time to time, so you have used Wireshark to capture packets using the tcp.flags.syn==1 filter. Initially, you saw an occasional SYN or ACK packet. After a short while, you started seeing packets as shown in the image. Using the information shown, which of the following explains the difference between normal ICMP (ping) requests and an ICMP flood?
With the flood, all packets come from the same source IP address in quick succession.
Heather is performing a penetration test of her client's malware protection. She has developed a malware program that doesn't require any user interaction and wants to see how far it will spread through the network. Which of the following types of malware is she using?
Worm
In which of the following situations would you use port security?
You want to restrict the devices that can connect through a switch port.
After enabling the DHCP snooping feature, you want to apply it to your network globally. Which command will apply DHCP snooping globally?
ip dhcp snooping
Using Wireshark filtering, you want to see all traffic except IP address 192.168.142.3. Which of the following is the best command to filter a specific source IP address?
ip.src ne 192.168.142.3
Daphne suspects that a Trojan horse is installed on her system. She wants to check all active network connections to see which programs are making connections and the FQDNs of locations those programs are connecting to. Which command will allow her to do this?
netstat -f -b
You've just enabled port security on an interface of a Catalyst 2950 switch. You want to generate an SNMP trap whenever a violation occurs. Which feature should you enable?
restrict
You have been asked to perform a penetration test for a company to see if any sensitive information can be captured by a potential hacker. You have used Wireshark to capture a series of packets. Using the tcp contains invoice filter, you have found one packet. Using the captured information shown, which of the following is the account manager's email address?