chapter 14 Quizzes
A security analyst is using tcpdump to capture suspicious traffic detected on port 443 of a server. The analyst wants to capture the entire packet with hexadecimal and ASCII output only. Which of the following tcpdump options will achieve this output?
-X port 443 Explanation -X requests that ASCII and and hexadecimal are included in the output. -I puts an interface into listening mode. -A capture full packets, but only ASCII output is included. -W specifies which file the data should be saved in.
The ping command is designed to test connectivity between two computers. There are several command options available to customize ping, making it a useful tool for network administrators. On Windows, the default number of ping requests is set is four. Which of the following command options will change the default number of ping requests?
-n Explanation ping -n defines the number of echo requests to send. ping -a is used to resolve addresses to hostnames. ping -l is used to send the buffer size. ping -f is used to set the don't fragment flag in packet.
Which of the following best describes an antivirus sensor system?
A collection of software that detects and analyzes malware.
The program shown is a crypter. Which of the following options best defines what this program does?
A crypter can encrypt, obfuscate, and manipulate malware to make it difficult to detect.
Which of the following best describes a DoS attack?
A hacker overwhelms or damages a system and prevents users from accessing a service
Which of the following describes a session ID?
A unique token that a server assigns for the duration of a client's communications with the server.
The Stuxnet worm was discovered in 2010 and was used to gain sensitive information about Iran's industrial infrastructure. This worm was probably active for about five years before being discovered. During this time, the attacker had access to the target. Which type of attack was Stuxnet?
APT Explanation An APT (advanced persistent threat) is a stealthy attack that gains access to a network or computer system and remains hidden for an extended period of time. A logic bomb is designed to be triggered by a certain event, such as running a specific program, visiting a certain website, or the arrival of a specific date or time. A Trojan horse provides the hacker with covert remote access to the victim's system. These programs are embedded and hidden inside legitimate programs. A virus is a self-replicating program that often attaches and hides itself in a legitimate program. A virus is designed to replicate itself throughout the computer and modify existing programs, often to cause damage to the computer system.
Drag the description on the left to the appropriate switch attack type shown on the right.
ARP Spoofing/Poisoning The source device sends frames to the attacker's MAC address instead of the correct device. VLAN Hopping Switch spoofing and double tagging are the two primary ways an attacker can execute the exploit. MAC Flooding Fills the forwarding table with packets consuming switch memory forcing failopen mode. MAC Spoofing Used to hide the identity of the attacker's computer or impersonate another device on the network.
Which of the following is the term used to describe what happens when an attacker sends falsified messages to link their MAC address with the IP address of a legitimate computer or server on the network?
ARP poisoning
As the cybersecurity specialist for your company, you believe a hacker is using ARP poisoning to infiltrate your network. To test your hypothesis, you have used Wireshark to capture packets and then filtered the results. After examining the results, which of the following is your best assessment regarding ARP poisoning?
ARP poisoning is occurring, as indicated by the duplicate response IP address. Explanation When using Wireshark to detect ARP poisoning, Wireshark displays a duplicate use of IPs detected. Even without this message, seeing two packets with the same IP address is a good indication that ARP poisoning is taking place on your network.
Jason, an attacker, has manipulated a client's connection to disconnect the real client and allow the server to think that he is the authenticated user. Which of the following describes what he has done?
Active hijacking
An attacker may use compromised websites and emails to distribute specially designed malware to poorly secured devices. This malware provides an access point to the attacker, which he can use to control the device. Which of the following devices can the attacker use?
Any device that can communicate over the intranet can be hacked.
Which of the following best describes the key difference between DoS and DDoS?
Attackers use numerous computers and connections.
Which of the following features is supplied by WPA2 on a wireless network? (Select two.)
Authentication Encryption
Match the common threat mitigation techniques that are used to protect against attacks, listed on the left, with the appropriate descriptions on the right. (Each technique may be used once, more than once, or not at all.)
Authentication uses usernames and passwords, smart cards, or other authentication methods. Port authentication (802.1x) The device responds with authentication credentials, which the switch forwards to the authentication device (such as a RADIUS server). Port authentication (802.1x) Protects against rogue servers being connected to the network and performing man-in-the-middle attacks. DHCP snooping Allows only authenticated devices to connect to the LAN through the switch. Port authentication (802.1x) Protects against network issues caused by an employee connecting a consumer-grade router to a network port. DHCP snooping
Creating an area of the network where offending traffic is forwarded and dropped is known as _________?
Black hole filtering
Which of the following laws regulates emails?
CAN-SPAM Act
Which of the following are all network sniffing tools?
Cain and Abel, Ettercap, and TCPDump Explanation The following are sniffing tools: Wireshark TCPDump WinDump Cain and Abel Ufasoft Snif WinARPAttacker Ettercap Etherflood SMAC WinDump The following are not sniffing tools: Shark is a tool that is used to create botnets. KFSensor is a Windows host-based intrusion detection system. It acts as a vulnerable server to attract hackers and record their activities.
You've just finished installing a wireless access point for a client. Which action best protects the access point from unauthorized tampering with its configuration settings?
Changing the default administrative password
Daphne has determined that she has malware on her Linux machine. She prefers to only use open-source software. Which anti-malware software should she use?
ClamAV Explanation ClamAV is an open-source anti-malware program that works with most versions of Linux. Kaspersky, Avira, and Bitdefender are popular anti-malware programs, but are not open-source.
Which of the following best describes the process of using prediction to gain session tokens in an Application-level hijacking attack?
Collect several session IDs that have been used before and then analyze them to determine a pattern.
Two common AAA server solutions are RADIUS and TACACS+. Match the AAA server solutions on the left with the appropriate descriptions on the right. (Each server solution may be used more than once.)
Combines authentication, authorization, and accounting RADIUS Uses TCP port 49 TACACS+ Does not transmit passwords in clear text between the client and the server RADIUS Provides three protocols, one each for authentication, authorization, and accounting TACACS+ Encrypts the entire packet contents, not just authentication packets TACACS+ Uses UDP ports 1812 and 1813 and can be vulnerable to buffer overflow attacks RADIUS
You are the network administrator for a city library. Throughout the library are several groups of computers that provide public access to the internet. Supervision of these computers has been difficult. You've had problems with patrons bringing personal laptops into the library and disconnecting the network cables from the library computers to connect their laptops to the internet. The library computers are in groups of four. Each group of four computers is connected to a hub that is connected to the library network through an access port on a switch. You want to restrict access to the network so only the library computers are permitted connectivity to the internet. What can you do?
Configure port security on the switch.
You have just installed a wireless access point (WAP) for your organization's network. You know that the radio signals used by the WAP extend beyond your organization's building and are concerned that unauthorized users outside may be able to access your internal network. Which of the following steps will BEST protect the wireless network? (Select TWO. Each option is a complete solution.)
Configure the WAP to filter unauthorized MAC addresses. Use the WAP's configuration utility to reduce the radio signal strength.
Which of the following measures will make your wireless network less visible to the casual attacker?
Disable SSID broadcast.
A small business called Widgets, Inc. has hired you to evaluate their wireless network security practices. As you analyze their facility, you note the following using a wireless network locator device: Widgets, Inc. uses an 802.11n wireless network. The wireless network is broadcasting the SID Linksys. The wireless network uses WPA2 with AES security. Directional access points are positioned around the periphery of the building. Which of the following would you MOST likely recommend your client do to increase their wireless network security? (Select two.)
Disable SSID broadcast. Change the SSID to something other than the default.
You are a security consultant. You've been hired to evaluate an organization's physical security practices. All employees must pass through a locked door to enter the main work area. Access is restricted using a smart card reader. Network jacks are located in the reception area so employees and vendors can access the company network for work-related purposes. Users within the secured work area are trained to lock their workstations if they will leave them for any period of time. Which of the following recommendations would you MOST likely make to this organization to increase their security?
Disable the switch ports connected to the network jacks in the reception area.
Which of the following parts of the Trojan horse packet installs the malicious code onto the target machine?
Dropper
Match the malware detection methods on the left with the description on the right.
Establishes a baseline of the system and will alert the user if any suspicious system changes occur. Integrity checking Is mainly used against logic bombs and Trojans. Interception Works well against polymorphic and metamorphic viruses. Code emulation Aids in detecting new or unknown malware. Heuristic analysis Could have live system monitoring to immediately detect malware. Scanning
A hacker has discovered UDP protocol weaknesses on a target system. The hacker attempts to send large numbers of UDP packets from a system with a spoofed IP address, which broadcasts out to the network in an attempt to flood the target system with an overwhelming amount of UDP responses. Which of the following DoS attacks is the hacker attempting to use?
Fraggle attack Explanation A fraggle attack is a DoS attack that targets UDP protocol weaknesses. A large number of UDP packets from a spoofed IP address are broadcast to a network in an attempt to flood the target computer. A Smurf attack is a DoS attack that targets ICMP protocol weaknesses. A SYN flood exploits the TCP three-way handshake. An attacker creates SYN packets with a non-existent source address. When the target machine responds with a SYN-ACK, it goes to the non-existent address, causing the target machine to wait for a response that they will never get. A Teardrop attack prevents TCP/IP packets from being reassembled. This is done by setting the flags on all frames to indicate that they are fragments and providing instructions to connect to another frame that doesn't actually exist.
You are configuring a new 2960 switch. You issue the following commands: switch(config)#interface fast 0/15switch(config-if)#switchport mode accessswitch(config-if)#switchport port-securityswitch(config-if)#switchport port-security maximum 1switch(config-if)#switchport port-security mac-address stickyswitch(config-if)#switchport port-security violation protect You connect a hub with two workstations to port Fa0/15. You power on Device1 and then Device2. What will be the result?
Frames from Device1 will be allowed; frames from Device2 will be dropped.
Miguel has been practicing his hacking skills. He has discovered a vulnerability on a system that he did not have permission to attack. Once Miguel discovered the vulnerability, he anonymously alerted the owner and told him how to secure the system. Which type of hacker is Miguel in this scenario?
Gray hat
Rudy is analyzing a piece of malware discovered in a penetration test. He has taken a snapshot of the test system and will run the malware. He will take a snapshot afterward and monitor different components, such as ports, processes, and event logs, and note changes. Which of the following processes is he using?
Host integrity monitoring
Which of the following are protocols included in the IPsec architecture?
IKE, AH, and ESP
Which of the following protocols is one of the most common methods used to protect packet information and defend against network attacks in VPNs?
IPsec Explanation Internet Protocol Security (IPsec) is one of the most common methods used to protect packet information and defend against network attacks.
Your organization is frequently visited by sales reps. While on-site, they frequently plug their notebook systems into any available wall jack, hoping to get internet connectivity. You are concerned that allowing them to do this could result in the spread of malware throughout your network. Which of the following would BEST protect you from guest malware infection? (Select two.)
Implement MAC address filtering. Implement static IP addressing. Explanation You should consider enabling MAC address filtering. MAC filtering is configured on your network switches and is used to restrict network access to only systems with specific MAC addresses. You could also consider assigning static IP addresses to your network hosts. If you don't use DHCP, visitor laptops connected to a wired Ethernet jack won't receive a valid IP address and won't be able to communicate with other hosts on your network.
A small business named BigBikes, Inc. has hired you to evaluate their wireless network security practices. As you analyze their facility, you note the following: BigBikes, Inc. uses an 802.11a wireless network. The wireless network SSID is set to BWLAN. The wireless network is not broadcasting the network SSID. The wireless network uses WPA2 with AES security. Omnidirectional access points are positioned around the periphery of the building. Which of the following would you MOST likely recommend your client do to increase their wireless network security?
Implement directional access points.
Which of the following malware detection methods establishes a baseline of the system and will alert the user if any suspicious system changes occur?
Integrity checking
Which of the following is the first step you should take if malware is found on a system?
Isolate the system from the network immediately.
A virus has replicated itself throughout systems it has infected and is executing its payload. Which of the following phases of the virus life cycle is this virus in?
Launch
Which of the following attacks, if successful, causes a switch to function like a hub?
MAC flooding Explanation MAC flooding overloads the switch's MAC forwarding table to make the switch function like a hub. The attacker floods the switch with packets, each containing different source MAC addresses. The flood of packets fills up the forwarding table and consumes so much of the memory in the switch that it causes the switch to enter a state called failopen mode, in which all incoming packets are broadcast out all ports (as with a hub) instead of to only the correct ports, as per normal operation.
Which term describes the process of sniffing traffic between a user and server, then re-directing the traffic to the attacker's machine, where malicious traffic can be forwarded to either the user or server?
Man-in-the-middle
What is the least secure place to locate an omnidirectional access point when creating a wireless network?
Near a window
Your network devices are categorized into the following zone types:
Network segmentation Explanation The secure network architecture concept used in this example is network segmentation. The most common way to segment networks is to create multiple VLANs for each network zone. These zones can also be separated by firewalls to ensure only specific traffic is allowed. One way to segment a network is to categorize systems into different zones (for example, a no-trust zone, low-trust zone, medium-trust zone, high-trust zone, and highest-trust zone).
Using Wireshark, you have used a filter to help capture only the desired types of packets. Using the information shown in the image, which of the following best describes the effects of using the net 192.168.0.0 filter?
Only packets with either a source or destination address on the 192.168.0.0 network are captured.
Which of the following is characterized by an attacker using a sniffer to monitor traffic between a victim and a host?
Passive hijacking Explanation Passive hijacking is when an attacker uses a sniffer to monitor traffic between a victim and a host. Active hijacking is when an attacker manipulates a client's connection to eject the real client and make the server think the attacker is the authenticated user.
While performing a penetration test, you captured a few HTTP POST packets using Wireshark. After examining the selected packet, which of the following concerns or recommendations will you include in your report?
Passwords are being sent in clear text.
Authentication, authorization, and accounting (AAA) are the three security components used to protect network access and communications. Which of the following describes the authorization security component?
Permits or denies access to the network resources a user needs to perform tasks.
Drag the network attack technique on the left to the appropriate description or example on the right. (Each technique may be used once, more than once, or not at all.)
Perpetrators attempt to compromise or affect the operations of a system. Active attack Unauthorized individuals try to breach a network from off-site. External attack Attempting to find the root password on a web server by brute force. Active attack Attempting to gather information without affecting the flow of information on the network. Passive attack Sniffing network packets or performing a port scan. Passive attack
Which of the following best describes a reverse proxy method for protecting a system from a DoS attack?
Redirects all traffic before it is forwarded to a server, so the redirected system takes the impact.
Part of a penetration test is checking for malware vulnerabilities. During this process, the penetration tester needs to manually check many different areas of the system. After these checks are completed, which of the following is the next step?
Run anti-malware scans Explanation After the penetration tester has run system scans and checked different areas of the system, you should run anti-malware scans. Before running these scans, make sure the software is updated. After the anti-malware scans are performed, the pentester needs to document all findings. The documentation helps you determine the next steps to take if malware is detected. If malware is detected on a system, the first step to combat it is to isolate the system from the network. If malware is detected on a system, you need to sanitize the system after it is isolated from the network.
Anti-malware software uses several methods to detect malware. One of these methods is scanning. Which of the following best describes scanning?
Scanning uses live system monitoring to detect malware immediately. This technique utilizes a database that needs to be updated regularly. Scanning is the quickest way to catch malware programs.
Which of the following malware types shows the user signs of potential harm that could occur if the user doesn't take a certain action?
Scareware
It is important to be prepared for a DoS attack. These attacks are becoming more common. Which of the following best describes the response you should take for a service degradation?
Services can be set to throttle or even shut down.
Your network administrator has set up training for all users regarding clicking on links in emails or instant messages. Which of the following is your network administrator attempting to prevent?
Session fixation Explanation User education is an important part of security. Because attacks like session fixation rely on a user clicking on a link in an email or instant message, users should be trained not to click on these links. A sniffer (packet sniffer) is a tool that intercepts data flowing in a network. DNS spoofing, also known as DNS cache poisoning, targets Active Directory or other DNS-reliant networks. Packet filtering firewalls look at packets' header information to determine legitimate traffic
A certain attack task includes five steps as follows: Sniff the traffic between the target computer and the server. Monitor traffic with the goal of predicting the packet sequence numbers. Desynchronize the current session. Predict the session ID and take over the session. Inject commands to target the server. Which of the following tasks does the above list describe?
Session hijacking
Analyzing emails, suspect files, and systems for malware is known as which of the following?
Sheep dipping
Your network administrator is configuring settings so the switch shuts down a port when the max number of MAC addresses is reached. What is the network administrator taking countermeasures against?
Sniffing Explanation Switched networks provide a natural barrier for an attacker using a sniffer. Be sure to configure settings so the switch shuts down a port when the maximum number of MAC addresses is reached so that MAC flooding isn't possible. Session hijacking is the process of taking over an established connection between a host and a user. DNS spoofing, also known as DNS cache poisoning, targets Active Directory or other DNS-reliant networks. Packet filtering firewalls look at a packet's header information to determine legitimate traffic.
You have just captured the following packet using Wireshark and the filter shown. Which of the following is the captured password?
St@y0ut!@
Put the steps for developing an anti-malware program on the left in proper order on the right.
Step 1: Identify unique characteristics of malicious software. Step 2: Write the scanning process. Step 3: Update the anti-malware program. Step 4: Scan the system.
Part of a penetration test is checking for malware vulnerabilities. There are twelve steps that are followed when testing for malware vulnerabilities. Put the steps in order.
Step 1: Scan for open ports. Step 2: Scan for running processes. Step 3: Check for suspicious or unknown registry entries. Step 4: Verify all running Windows services. Step 5: Check startup programs. Step 6: Look through event logs for suspicious events. Step 7: Verify all installed programs. Step 8: Scan files and folders for manipulation. Step 9: Verify that device drivers are legitimate. Step 10: Check all network and DNS settings and activity. Step 11: Scan for suspicious API calls. Step 12: Run anti-malware scans.
When comparing RADIUS to TACACS+, which of the following statements are true? (Select three.)
TACACS+ is considered more reliable than RADIUS because of TCP. TACACS+ is more secure than RADIUS because RADIUS only encrypts the password. RADIUS is more interoperable because TACACS+ is Cisco proprietary software.
Which of the following are true of port security sticky addresses? (Select two.)
They can be learned automatically or manually configured. They are placed in the running-config file and can be saved to the startup-config file.
Which statement best describes a suicide hacker?
This hacker is only concerned with taking down their target for a cause. They have no concerns about being caught.
The process of analyzing an organization's security and determining its security holes is called:
Threat modeling Threat modeling is the process of analyzing an organization's security and determining its security holes. Once a threat model is put together, the organization can begin securing its systems and data.
Heather wants to gain remote access to Randy's machine. She has developed a program and hidden it inside a legitimate program that she is sure Randy will install on his machine. Which of the following types of malware is she using?
Trojan horse
Using sniffers has become one way for an attacker to view and gather network traffic. If an attacker overcomes your defenses and obtains network traffic, which of the following is the best countermeasure for securing the captured network traffic?
Use encryption for all sensitive traffic. Explanation Using encryption methods is the best practice to secure network traffic in this scenario. It becomes one of the last lines of defense. If the encryption method used is strong enough, it will take the attacker too long to decrypt the obtained encrypted traffic to be worth the effort.
Frank, an IT tech, works for the ABC company. His friend Joe, who works for the XYZ company, informs Frank that XYZ company has been hit by a new malware attack. What is the first thing Frank should do for the ABC company?
Verify that ABC company's anti-malware software is updated and running.
In which of the following attacks does the attacker blocks all traffic by taking up all available bandwidth between the target computer and the internet?
Volumetric attack
Which of the following is the most secure protocol for wireless networks?
WPA2
Which type of threat actor only uses skills and knowledge for defensive purposes?
White hat
You suspect that an ICMP flood attack is taking place on your system from time to time, so you have used Wireshark to capture packets using the tcp.flags.syn==1 filter. Initially, you saw an occasional SYN or ACK packet. After a short while, you started seeing packets as shown in the image. Using the information shown, which of the following explains the difference between normal ICMP (ping) requests and an ICMP flood?
With the flood, all packets come from the same source IP address in quick succession.
Heather is performing a penetration test of her client's malware protection. She has developed a malware program that doesn't require any user interaction and wants to see how far it will spread through the network. Which of the following types of malware is she using?
Worm
In which of the following situations would you use port security?
You want to restrict the devices that can connect through a switch port.
In which of the following situations would you use port security?0
You wanted to restrict the devices that could connect through a switch port.
After enabling the DHCP snooping feature, you want to apply it to your network globally. Which command will apply DHCP snooping globally?
ip dhcp snooping
Using Wireshark filtering, you want to see all traffic except IP address 192.168.142.3. Which of the following is the best command to filter a specific source IP address?
ip.src ne 192.168.142.3 Explanation The ne filter stands for not equal. This command displays all traffic not equal to 192.168.142.3. == stands for equal to. && stands for and. eq is another way to write equal to.
Daphne suspects that a Trojan horse is installed on her system. She wants to check all active network connections to see which programs are making connections and the FQDNs of locations those programs are connecting to. Which command will allow her to do this?
netstat -f -b Explanation netstat -f -b shows the fully qualified domain name (FQDN) and the names of programs that are making connections. netstat -a -b shows the open ports on the local system and the names of programs that are making connections. netstat -f -a shows the fully qualified domain name and the open ports on the local system. netstat -f -a -b shows the fully qualified domain name, the open ports on the local system, and the names of programs that are making connections.
You've just enabled port security on an interface of a Catalyst 2950 switch. You want to generate an SNMP trap whenever a violation occurs. Which feature should you enable?
restrict Explanation The restrict feature configures two actions whenever a violation occurs: The interface will not forward any frames from source addresses not assigned to the port. The switch generates a console message and sends an SNMP trap to a designated network management station whenever a violation occurs. When the protect feature is enabled, the interface will not forward any frames from source addresses not assigned to the port. The shutdown feature shuts down the port when a violation occurs requiring it to be re-enabled by an administrator. There is no secure feature in the switchport port-security violation command.
You have been asked to perform a penetration test for a company to see if any sensitive information can be captured by a potential hacker. You have used Wireshark to capture a series of packets. Using the tcp contains invoice filter, you have found one packet. Using the captured information shown, which of the following is the account manager's email address?
