Chapter 10-12 Quizzes


A security analyst is using tcpdump to capture suspicious traffic detected on port 443 of a server. The analyst wants to capture the entire packet with hexadecimal and ASCII output only. Which of the following tcpdump options will achieve this output?

-SX port 443 (-X prints each packet in hex and ASCII; -S prints absolute rather than relative TCP sequence numbers)

The ping command is designed to test connectivity between two computers. There are several command options available to customize ping, making it a useful tool for network administrators. On Windows, the default number of ping requests is set to four. Which of the following command options will change the default number of ping requests?

-n

Which of the following HTTP response messages would you receive if additional action needs to be taken to complete the request?

3xx Redirection

Which of the following best describes a DoS attack?

A hacker overwhelms or damages a system and prevents users from accessing a service.

An attacker conducts a normal port scan on a host and detects protocols used by a Windows operating system and protocols used by a Linux operating system. Which of the following might this indicate?

A honeypot

Which of the following best describes a honeypot?

A honeypot's purpose is to look like a legitimate network resource.

As the cybersecurity specialist for your company, you have used Wireshark to check for man-in-the-middle DHCP spoofing attacks using the bootp filter. After examining the results, what is your best assessment?

A man-in-the-middle spoofing attack is possible due to two DHCP ACK packets.
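The check behind that assessment, written out as an added example (not part of the quiz): a rogue DHCP server answers the same client transaction as the legitimate one, so the capture contains two DHCPACK packets for a single transaction ID from two different server identifiers (option 54). The records below are constructed to mimic the fields Wireshark's bootp dissector shows; the addresses and transaction IDs are assumptions.

```python
"""Flag DHCP spoofing from duplicate DHCPACKs for one transaction (added example).

Constructed records modelled on Wireshark's bootp fields: transaction id (xid),
message type (1 DISCOVER, 2 OFFER, 3 REQUEST, 5 ACK) and the server identifier
(option 54). Addresses are assumptions, not captured data."""
from collections import defaultdict

DHCPACK = 5

CAPTURE = [
    {"xid": 0x3903F326, "type": 1, "server": None},            # DISCOVER (broadcast)
    {"xid": 0x3903F326, "type": 2, "server": "192.168.0.1"},   # OFFER from the real server
    {"xid": 0x3903F326, "type": 2, "server": "192.168.0.66"},  # OFFER from a rogue server
    {"xid": 0x3903F326, "type": 3, "server": None},            # REQUEST
    {"xid": 0x3903F326, "type": 5, "server": "192.168.0.1"},   # ACK from the real server
    {"xid": 0x3903F326, "type": 5, "server": "192.168.0.66"},  # ACK from the rogue server
    {"xid": 0x1A2B3C4D, "type": 5, "server": "192.168.0.1"},   # unrelated, clean lease
]


def find_duplicate_acks(packets):
    """Return {xid: sorted server IPs} for transactions ACKed by more than one server."""
    acks = defaultdict(set)
    for p in packets:
        if p["type"] == DHCPACK and p["server"]:
            acks[p["xid"]].add(p["server"])
    return {xid: sorted(servers) for xid, servers in acks.items() if len(servers) > 1}


def assess(packets):
    """Turn the duplicate-ACK check into the one-line assessment a report would carry."""
    dup = find_duplicate_acks(packets)
    if not dup:
        return "No duplicate DHCP ACKs: no evidence of DHCP spoofing in this capture."
    lines = ["A man-in-the-middle DHCP spoofing attack is possible:"]
    for xid, servers in dup.items():
        lines.append(f"  xid 0x{xid:08X} acknowledged by {len(servers)} servers: {', '.join(servers)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(assess(CAPTURE))
```

Two OFFERs alone are not proof (several legitimate servers may offer), which is why the check keys on ACKs: only one server should ever acknowledge a given transaction.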

Which of the following describes a session ID?

A unique token that a server assigns for the duration of a client's communications with the server.

Which of the following best describes a phishing attack?

A user is tricked into believing that a legitimate website is requesting their login information.

Frank, an attacker, has gained access to your network. He deliberately triggers an illegal instruction and measures how long it takes to be handled. Which of the following is he testing for?

A virtual machine

Which of the following best describes a web application?

A web application is software that has been installed on a web server.

Which of the following best describes Microsoft Internet Information Services (IIS)?

A web server technology

You have been asked to perform a penetration test for a company to see if any sensitive information can be captured by a potential hacker. You have used Wireshark to capture a series of packets. Using the tcp contains Invoice filter, you have found one packet. Using the captured information shown, which of the following is the name of the company requesting payment?

ACME, inc

As part of your penetration test, you are using Ettercap in an attempt to spoof DNS. You have configured the target and have selected the dns_spoof option. To complete the configuration of this test, which of the following MITM options should you select?

ARP Poisoning

Which of the following is the term used to describe what happens when an attacker sends falsified messages to link their MAC address with the IP address of a legitimate computer or server on the network?

ARP poisoning

As the cybersecurity specialist for your company, you believe a hacker is using ARP poisoning to infiltrate your network. To test your hypothesis, you have used Wireshark to capture packets and then filtered the results. After examining the results, which of the following is your best assessment regarding ARP poisoning?

ARP poisoning is occurring, as indicated by the duplicate response IP address.
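What "duplicate response IP address" looks like in code, as an added example that is not part of the quiz: Wireshark's ARP dissector raises "duplicate use of <IP> detected" when one IP address is claimed by two different sender MAC addresses, and poisoning traffic is typically unsolicited replies (no matching request). The packets below are constructed; every address is an assumption.

```python
"""Detect ARP poisoning from duplicate IP-to-MAC bindings (added example).

Constructed ARP records: (opcode, sender MAC, sender IP, target MAC, target IP).
The attacker (bb:bb:bb) claims the gateway's IP toward the victim and the
victim's IP toward the gateway, which is the classic two-sided poison."""
from collections import defaultdict

ARP_REQUEST, ARP_REPLY = 1, 2

CAPTURE = [
    (ARP_REQUEST, "00:0c:29:aa:aa:aa", "192.168.0.10", "00:00:00:00:00:00", "192.168.0.1"),
    (ARP_REPLY,   "00:50:56:01:01:01", "192.168.0.1",  "00:0c:29:aa:aa:aa", "192.168.0.10"),
    # unsolicited reply: attacker claims the gateway's IP with its own MAC
    (ARP_REPLY,   "00:0c:29:bb:bb:bb", "192.168.0.1",  "00:0c:29:aa:aa:aa", "192.168.0.10"),
    # unsolicited reply: attacker claims the victim's IP toward the gateway
    (ARP_REPLY,   "00:0c:29:bb:bb:bb", "192.168.0.10", "00:50:56:01:01:01", "192.168.0.1"),
]


def ip_mac_bindings(packets):
    """Every sender IP -> set of sender MACs that asserted it (requests and replies both assert)."""
    macs = defaultdict(set)
    for _opcode, smac, sip, _tmac, _tip in packets:
        macs[sip].add(smac)
    return macs


def duplicate_ips(packets):
    """IPs claimed by more than one MAC: Wireshark's 'duplicate use of <IP> detected'."""
    return {ip: sorted(m) for ip, m in ip_mac_bindings(packets).items() if len(m) > 1}


def unsolicited_replies(packets):
    """Replies with no preceding request for that (answerer, asker) pair."""
    pending = set()
    unsolicited = []
    for opcode, smac, sip, _tmac, tip in packets:
        if opcode == ARP_REQUEST:
            pending.add((tip, sip))          # "who has tip? tell sip"
        elif opcode == ARP_REPLY:
            key = (sip, tip)                 # "sip is at smac", sent to tip
            if key in pending:
                pending.discard(key)
            else:
                unsolicited.append((sip, smac, tip))
    return unsolicited


def suspected_poisoner(packets):
    """The MAC that shows up in duplicate bindings for more than one IP, if any."""
    counts = defaultdict(int)
    for macs in duplicate_ips(packets).values():
        for m in macs:
            counts[m] += 1
    multi = [m for m, c in counts.items() if c > 1]
    return multi[0] if multi else None


if __name__ == "__main__":
    for ip, macs in duplicate_ips(CAPTURE).items():
        print(f"duplicate use of {ip}: {', '.join(macs)}")
    print("suspected poisoner:", suspected_poisoner(CAPTURE))
```

A single duplicate can be a legitimate NIC replacement or a failover pair; one MAC claiming two different IPs, both of which already belong to other hosts, is the signature to act on.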

Jason, an attacker, has manipulated a client's connection to disconnect the real client and allow the server to think that he is the authenticated user. Which of the following describes what he has done?

Active hijacking

Which of the following IDS detection types compare behavior to baseline profiles or network behavior baselines?

Anomaly-based

An attacker may use compromised websites and emails to distribute specially designed malware to poorly secured devices. This malware provides an access point to the attacker, which he can use to control the device. Which of the following devices can the attacker use?

Any device that can communicate over the intranet can be hacked.

Which of the following is an open-source web server technology?

Apache Web Server

User-Mode-Linux (UML) is an open-source tool used to create virtual machines. It's efficient for deploying honeypots. One of the big issues with UML is that it doesn't use a real hard disk, but a fake IDE device called /dev/ubd*. How can an attacker find a UML system?

Attackers need to take a look at the /etc/fstab file or execute the mount command.

Which of the following best describes the key difference between DoS and DDoS?

Attackers use numerous computers and connections.

Creating an area of the network where offending traffic is forwarded and dropped is known as _________?

Black hole filtering

Which of the following is a password cracking tool that can make over 50 simultaneous target connections?

Brutus

HTTP headers can contain hidden parameters such as User-Agent, Host, Accept and Referer. Which of the following tools could you use to discover hidden parameters?

Burp Suite

Frank wants to do a penetration test. He is looking for a tool that checks for vulnerabilities in web applications, network systems, wireless networks, mobile devices, and defense systems such as IDS or IPS. Which of the following tools would you recommend to him?

COREImpact Pro

Which of the following are network sniffing tools?

Cain and Abel, Ettercap, and TCPDump

Which type of web application requires a separate application to be installed before you can use the app?

Client-based web app

Which of the following best describes the process of using prediction to gain session tokens in an Application level hijacking attack?

Collect several session IDs that have been used before and then analyze them to determine a pattern.
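The prediction step, as an added example that is not part of the quiz: given a handful of IDs issued in order, look for characters that never change (a fixed prefix), check whether the varying part moves by a constant increment, and if it does, predict the next IDs. Both sample sets are constructed; the "weak" one is a counter behind a fixed prefix, the "strong" one is random-looking and yields no prediction.

```python
"""Analyse a sample of session IDs for predictability (added example).

WEAK_IDS and STRONG_IDS are constructed, not captured from any real application."""

WEAK_IDS = ["5A3F000000A1", "5A3F000000A4", "5A3F000000A7", "5A3F000000AA"]
STRONG_IDS = ["9C1E7B20F3A4", "0B5D9E8C21F7", "E4A003B76D19", "7F2C5A9E4B08"]


def fixed_positions(ids):
    """Indices whose character is identical across every sampled ID."""
    n = min(map(len, ids))
    return [i for i in range(n) if len({s[i] for s in ids}) == 1]


def effective_bits(ids):
    """Upper bound on unpredictable bits: 4 per hex digit that actually varies."""
    n = min(map(len, ids))
    return 4 * (n - len(fixed_positions(ids)))


def constant_delta(ids):
    """The increment between consecutive IDs if it is the same every time, else None."""
    vals = [int(s, 16) for s in ids]
    deltas = {b - a for a, b in zip(vals, vals[1:])}
    return deltas.pop() if len(deltas) == 1 else None


def predict_next(ids, count=1):
    """Next `count` IDs when the sample follows a constant increment, else None."""
    d = constant_delta(ids)
    if d is None:
        return None
    width = len(ids[-1])
    last = int(ids[-1], 16)
    return [f"{last + d * k:0{width}X}" for k in range(1, count + 1)]


if __name__ == "__main__":
    for name, ids in (("weak", WEAK_IDS), ("strong", STRONG_IDS)):
        print(name, "effective bits:", effective_bits(ids), "next:", predict_next(ids, 2))
```

The fixed-position count is the quick triage: a 12-hex-digit token with 11 unchanging digits carries at most 4 bits of entropy, so a pattern is worth looking for even before the increment check runs.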

Firewalls, whether hardware or software, are only as effective as their _____________?

Configuration

Web applications use sessions to establish a connection and transfer sensitive information between a client and a server. Attacking an application's session management mechanisms can help you get around some of the authentication controls and allow you to use the permissions of more privileged application users. Which of the following types of attack could you use to accomplish this?

Cookie parameter tampering

An attacker is attempting to determine whether a system is a honeypot. Which of the following actions should the attacker take?

Craft a malicious probe packet to scan for services.

Robin, an IT technician, has implemented identification and detection techniques based on the ability to distinguish legitimate traffic from illegitimate traffic over the network. Which of the following is he trying to achieve?

Defend the network against IDS evasions.

Which of the following best describes a stateful inspection?

Determines the legitimacy of traffic based on the state of the connection from which the traffic originated.

Ping of death, teardrop, SYN flood, Smurf and fraggle are all examples of which of the following?

DoS attack types

As part of your penetration test, you have captured an FTP session as shown below. Which of the following concerns or recommendations will you include in your report?

FTP uses clear-text passwords

Which of the following is the process of determining the configuration of ACLs by sending TCP and UDP packets through a firewall?

Firewalking

You are working on firewall evasion countermeasures and are specifically looking for a tool to expose TTL vulnerabilities. Which of the following tools would you use?

Firewalking

Gathering information about a system, its components and how they work together is known as?

Footprinting

Jin, a penetration tester, was hired to perform a black box penetration test. He decides to test the company's firewall. Which of the following techniques should he use first?

Footprinting

A hacker has discovered UDP protocol weaknesses on a target system. The hacker attempts to send large numbers of UDP packets from a system with a spoofed IP address, which broadcasts out to the network in an attempt to flood the target system with an overwhelming amount of UDP responses. Which of the following DoS attacks is the hacker attempting to use?

Fraggle attack

What are the two types of Intrusion Detection Systems (IDS)?

HIDS and NIDS

You are looking for a web server security tool that will detect hidden malware in websites and advertisements. Which of the following security tools would you most likely use?

Hackalert

Which of the following motivates attackers to use DoS and DDoS attacks?

Hacktivism, profit, and damage reputation

Jessica needs to set up a firewall to protect her internal network from the Internet. Which of the following would be the best type of firewall for her to use?

Hardware

Which of the following honeypot interaction levels simulates all services and applications and can be completely compromised by attackers to get full access to the system in a controlled area?

High-level

Lorena, the CIO, wants to ensure the company's security practices and policies match well with their firewall security configuration for maximum protection against hacking. Which of the following actions should Lorena take?

Hire a penetration tester.

Mark, an ethical hacker, is looking for a honeypot tool that will simulate a mischievous protocol such as devil or mydoom. Which of the following honeypot tools should he use?

HoneyBOT

Ports that show a particular service but deny a three-way handshake connection indicate the potential presence of which of the following?

Honeypot

Which of the following is a physical or virtual network device set up to masquerade as a legitimate network resource?

Honeypot

You are on a Windows system. You receive an alert that a file named MyFile.txt.exe has been found. Which of the following could this indicate?

Host-based IDS

Which of the following are protocols included in the IPsec architecture?

IKE, AH, and ESP

Which of the following protocols is one of the most common methods used to protect packet information and defend against network attacks in VPNs?

IPsec

Which of the following firewall limitations is a critical vulnerability because it means that packet filters cannot tell whether a connection was started inside or outside the organization?

Inability to keep track of connection state.

Which of the following web server countermeasures is implemented to fix known vulnerabilities, eliminate bugs, and improve performance?

Install patches and updates

Which of the following honeypot interaction levels can't be compromised completely and is generally set to collect information about attacks like network probes and worms?

Low-level

Which term describes the process of sniffing traffic between a user and server, then re-directing the traffic to the attacker's machine, where malicious traffic can be forwarded to either the user or server?

Man-in-the-middle

Which of the following steps in the web server hacking methodology involves setting up a web server sandbox to gain hands-on experience attacking a web server?

Mirroring

Which of the following is another name for the signature-based detection method?

Misuse detection

Which of the following is a sign of network-based intrusion?

New or unusual protocols and services running.

An older technique for defeating honeypots is to use tarpits, which sometimes operate at different levels of the OSI model, depending on their function. Which of the following layers of the OSI model do tarpits work at?

OSI layers 2 (DataLink), 4 (Transport), and 7 (Application)

Penetration testing is a practice conducted by an ethical hacker to see how an organization's security policies and security practices measure up to the organization's actual overall successful system security. When can an ethical hacker start the penetration test?

Once all of the legal contracts are signed, formalities settled, and permissions are given.

Using Wireshark, you have used a filter to help capture only the desired types of packets. Using the information shown in the image, which of the following best describes the effects of using the net 192.168.0.0 filter?

Only packets with either a source or destination address on the 192.168.0.0 network are captured.

Using Wireshark, you have used a filter to help capture only the desired types of packets. Using the information shown in the image, which of the following best describes the effects of using the host 192.168.0.34 filter?

Only packets with 192.168.0.34 in either the source or destination address are captured.

Which of the following best describes a proxy server?

Operates at Layer 7 (Application) of the OSI model.

Which of the following firewall technologies operates at Layers 3 (Network) and 4 (Transport) of the OSI model?

Packet filtering

Which of the following is characterized by an attacker using a sniffer to monitor traffic between a victim and a host?

Passive hijacking

While performing a penetration test, you captured a few HTTP POST packets using Wireshark. After examining the selected packet, which of the following concerns or recommendations will you include in your report?

Passwords are being sent in clear text.

Which of the following best describes the HTTP Request/Response TRACE?

Performs a loopback test to a target resource

Which of the following best describes a reverse proxy method for protecting a system from a DoS attack?

Redirects all traffic before it is forwarded to a server, so the redirected system takes the impact.

Upload bombing and poison null byte attacks are designed to target which of the following web application vulnerabilities?

Scripting errors

Which of the following footprinting methods would you use to scan a web server to find ports that the web server is using for various services?

Service discovery

It is important to be prepared for a DoS attack. These attacks are becoming more common. Which of the following best describes the response you should take for a service degradation?

Services can be set to throttle or even shut down.

Your network administrator has set up training for all the users regarding clicking on links in emails or instant messages. Which of the following is your network administrator attempting to prevent?

Session fixation

A penetration tester discovers a vulnerable application and is able to hijack a website's URL hyperlink session ID. The penetration tester is able to intercept the session ID; when the vulnerable application sends the URL hyperlink to the website, the session IDs are embedded in the hyperlink. Which of the following types of session hijacking countermeasures is the penetration tester using?

Session fixation attack

Which of the following tasks is being described?
- Sniff the traffic between the target computer and the server.
- Monitor traffic with the goal of predicting the packet sequence numbers.
- Desynchronize the current session.
- Predict the session ID and take over the session.
- Inject commands to target the server.

Session hijacking

Which of the following tools can be used to create botnets?

Shark, PlugBot, and Poison Ivy

Your network administrator is configuring settings so the switch shuts down a port when the max number of MAC addresses is reached. What is the network administrator taking countermeasures against?

Sniffing

Allen, the network administrator, needs a tool that can do network intrusion prevention and intrusion detection, capture packets, and monitor information. Which of the following tools would he most likely select?

Snort

Julie is looking for a honeypot detection tool that is capable of packet manipulation. Which of the following tools should she use?

Snort inline

ARP, DNS, and IP are all examples of which of the following?

Spoofing methods

You have just captured the following packet using Wireshark and the filter shown. Which of the following is the captured password?

St@y0ut!@

IP address spoofing, fragmentation attacks, using proxy servers, ICMP tunneling, and ACK tunneling are all examples of which of the following firewall penetration testing techniques?

TCP packet filtering

Which of the following best describes source routing?

The packet's sender designates the route that a packet should take through the network.

You are using Wireshark to try and determine if a distributed denial-of-service (DDoS) attack is happening on your network (128.28.1.1). You previously captured packets using the tcp.flags.syn==1 and tcp.flags.ack==1 filter, but only saw a few SYN-ACK packets. You have now changed the filter to tcp.flags.syn==1 and tcp.flags.ack==0. After examining the Wireshark results shown in the image, which of the following is the best reason to conclude that a DDoS attack is happening?

There are multiple SYN packets with different source addresses destined for 128.28.1.1.

Which of the following statements is true regarding cookies?

They were created to store information about user preferences and web activities.

An IDS can perform many types of intrusion detection. Three common detection methods are signature-based, anomaly-based, and protocol-based. Which of the following best describes protocol-based detection?

This detection method can include malformed messages and sequencing errors.

Which of the following tools enables security professionals to audit and validate the behavior of security devices?

Traffic IQ Professional

An IT technician receives an IDS alert on the company network she manages. A seemingly random user now has administration privileges in the system, some files are missing, and other files seem to have just been created. Which of the following alerts did this technician receive?

True positive

Using sniffers has become one way for an attacker to view and gather network traffic. If an attacker overcomes your defenses and obtains network traffic, which of the following is the best countermeasure for securing the captured network traffic?

Use encryption for all sensitive traffic

Which of the following is an attack where all traffic is blocked by taking up all available bandwidth between the target computer and the Internet?

Volumetric attack

Which of the following explains why web servers are often targeted by attackers?

Web servers provide an easily found, publicly accessible entrance to a network that users are encouraged to enter and browse.

You are analyzing the web applications in your company and have newly discovered vulnerabilities. You want to launch a denial-of-service (DoS) attack against the web server. Which of the following tools would you most likely use?

WebInspect

Which of the following types of web server attacks is characterized by altering or vandalizing a website's appearance in an attempt to humiliate, discredit, or annoy the victim?

Website defacement

You suspect that an ICMP flood attack is taking place from time to time, so you have used Wireshark to capture packets using the tcp.flags.syn==1 filter. Initially, you saw an occasional SYN or ACK packet. After a short while, however, you started seeing packets as shown in the image. Using the information shown, which of the following explains the difference between normal ICMP (ping) requests and an ICMP flood?

With the flood, all packets come from the same source IP address in quick succession.
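The two flood verdicts above (the SYN-flood question on 128.28.1.1 and this ICMP-flood question) reduce to the same kind of counting, shown here as an added example that is not part of the quiz. The first filter, tcp.flags.syn==1 and tcp.flags.ack==0, keeps bare SYNs; a DDoS is many of them from many source addresses aimed at one target, while a single-source flood is the same volume from one address. An ICMP flood is echo requests from one source far faster than a normal ping's one request per second. All packet records, addresses and thresholds are constructed assumptions.

```python
"""Classify SYN and ICMP floods from constructed packet records (added example).

Record fields mirror the Wireshark columns used in the questions: time, protocol,
ip.src, ip.dst, tcp.flags.syn / tcp.flags.ack, or the ICMP type (8 = echo request)."""
from collections import Counter

TARGET = "128.28.1.1"  # assumed victim address, taken from the quiz question


def syn_pkt(t, src, dst=TARGET):
    return {"t": t, "proto": "tcp", "src": src, "dst": dst, "syn": 1, "ack": 0}


def synack_pkt(t, src, dst):
    return {"t": t, "proto": "tcp", "src": src, "dst": dst, "syn": 1, "ack": 1}


def echo_pkt(t, src, dst=TARGET):
    return {"t": t, "proto": "icmp", "src": src, "dst": dst, "icmp_type": 8}


# 500 bare SYNs in one second from 250 spoofed sources, plus one legitimate handshake reply.
SYN_FLOOD = [syn_pkt(i * 0.002, f"203.0.113.{i % 250 + 1}") for i in range(500)]
SYN_FLOOD.append(synack_pkt(0.5, TARGET, "198.51.100.20"))
# A normal Windows ping: four echo requests, one per second.
NORMAL_PING = [echo_pkt(float(i), "198.51.100.20") for i in range(4)]
# An ICMP flood: 300 echo requests from one source in 0.3 s.
ICMP_FLOOD = [echo_pkt(i * 0.001, "198.51.100.77") for i in range(300)]


def bare_syns(packets, dst):
    """Equivalent of: tcp.flags.syn==1 and tcp.flags.ack==0 and ip.dst==dst."""
    return [p for p in packets
            if p["proto"] == "tcp" and p["syn"] == 1 and p["ack"] == 0 and p["dst"] == dst]


def syn_flood_verdict(packets, dst, min_syns=100, min_sources=20):
    """'normal', 'dos' (one or few sources) or 'ddos' (many sources)."""
    syns = bare_syns(packets, dst)
    if len(syns) < min_syns:
        return "normal"
    sources = Counter(p["src"] for p in syns)
    return "ddos" if len(sources) >= min_sources else "dos"


def icmp_rate_by_source(packets, window=1.0):
    """Peak number of echo requests each source sent inside any `window`-second span."""
    by_src = {}
    for p in packets:
        if p["proto"] == "icmp" and p["icmp_type"] == 8:
            by_src.setdefault(p["src"], []).append(p["t"])
    peak = {}
    for src, times in by_src.items():
        times.sort()
        best, lo = 0, 0
        for hi in range(len(times)):          # sliding window over sorted timestamps
            while times[hi] - times[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        peak[src] = best
    return peak


def icmp_flood_sources(packets, window=1.0, threshold=50):
    """Sources whose peak echo-request rate exceeds the threshold."""
    return sorted(s for s, r in icmp_rate_by_source(packets, window).items() if r >= threshold)


if __name__ == "__main__":
    print("SYN capture:", syn_flood_verdict(SYN_FLOOD, TARGET))
    print("ICMP flood sources:", icmp_flood_sources(ICMP_FLOOD), "normal ping:", icmp_flood_sources(NORMAL_PING))
```

The thresholds are the part to tune against a baseline: the source-count cut is what separates the "multiple SYN packets with different source addresses" answer from a single-host SYN flood, and the per-window rate is what separates a flood from a chatty but legitimate monitor.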

Which of the following actions was performed using the WinDump command line sniffer?

Wrote packet capture files from interface 1 into mycap.pcap

Using Wireshark filtering, you want to see all traffic except IP address 192.168.142.3. Which of the following is the best command to filter a specific source IP address?

ip.src ne 192.168.142.3
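The three address filters in this set (net 192.168.0.0 and host 192.168.0.34 as capture filters, ip.src ne 192.168.142.3 as a display filter) evaluated over a constructed packet list, as an added example that is not part of the quiz. One caveat worth knowing: pcap-filter(7) documents that a `net` argument written as a full dotted quad gets a 255.255.255.255 mask, so `net 192.168.0.0` as literally written is a host match; `net 192.168.0` (dotted triple) or `net 192.168.0.0/24` is what "the 192.168.0.0 network" in the answer means. The evaluator below implements that documented rule; the packets and addresses are assumptions.

```python
"""Evaluate tcpdump/Wireshark address filters against packets (added example).

Capture-filter primitives (host, net, src/dst qualifiers) follow pcap-filter(7);
ip.src / ip.dst with ==, eq, != or ne follow Wireshark display-filter syntax."""
import ipaddress

PACKETS = [  # constructed (ip.src, ip.dst) pairs
    ("192.168.0.34", "8.8.8.8"),
    ("10.0.0.5", "192.168.0.34"),
    ("192.168.0.7", "192.168.0.1"),
    ("10.0.0.5", "172.16.4.9"),
    ("192.168.142.3", "192.168.0.34"),
]


def net_from_arg(token):
    """Expand a `net` argument per pcap-filter(7): explicit /len, else 8 bits per dotted component."""
    if "/" in token:
        return ipaddress.ip_network(token, strict=False)
    parts = token.split(".")
    prefix = 8 * len(parts)                      # quad -> /32, triple -> /24, pair -> /16, single -> /8
    padded = ".".join(parts + ["0"] * (4 - len(parts)))
    return ipaddress.ip_network(f"{padded}/{prefix}", strict=False)


def matches(expr, src, dst):
    """True if the packet (src, dst) passes the filter expression."""
    tokens = expr.split()
    direction = None
    if tokens[0] in ("src", "dst"):
        direction, tokens = tokens[0], tokens[1:]
    if tokens[0] in ("host", "net"):
        addrs = {"src": [src], "dst": [dst], None: [src, dst]}[direction]
        if tokens[0] == "host":
            return tokens[1] in addrs
        net = net_from_arg(tokens[1])
        return any(ipaddress.ip_address(a) in net for a in addrs)
    if tokens[0] in ("ip.src", "ip.dst") and tokens[1] in ("==", "eq", "!=", "ne"):
        field = src if tokens[0] == "ip.src" else dst
        equal = field == tokens[2]
        return equal if tokens[1] in ("==", "eq") else not equal
    raise ValueError(f"unsupported filter: {expr}")


def apply_filter(expr, packets=PACKETS):
    return [p for p in packets if matches(expr, *p)]


if __name__ == "__main__":
    for expr in ("net 192.168.0.0", "net 192.168.0.0/24", "host 192.168.0.34", "ip.src ne 192.168.142.3"):
        print(f"{expr:28} -> {apply_filter(expr)}")
```

Note the asymmetry the quiz is testing: `host` and `net` match either direction unless qualified with `src` or `dst`, whereas `ip.src` names one direction explicitly, so `ip.src ne 192.168.142.3` still shows replies sent to that host.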

When it comes to obfuscation mechanisms, nmap has the ability to generate decoys, meaning that detection of the actual scanning system becomes much more difficult. Which of the following is the proper nmap command?

nmap -D RND:10 target_IP_address

Nmap provides many commands and scripts that are used to evade firewalls and intrusion detection systems. Which of the following is the proper nmap command to use the decoy option?

nmap -D RND:25 10.10.10.1

You have been asked to perform a penetration test for a company to see if any sensitive information can be captured by a potential hacker. You have used Wireshark to capture a series of packets. Using the tcp contains Invoice filter, you have found one packet. Using the captured information shown, which of the following is the account manager's email address?

[email protected]

