Chapters 9, 11, 12, and 15 Review Questions

Which of the following is most associated with enterprise security access in a wireless network?

802.1x

Jennifer is a junior system administrator for a small firm of 50 employees. For the last week a few users have been complaining of losing connectivity intermittently with no suspect behavior on their part such as large downloads or intensive processes. Jennifer runs Wireshark on Monday morning to investigate. She sees a large amount of ARP broadcasts being sent at a fairly constant rate. What is Jennifer most likely seeing?

ARP poisoning

Which intrusion prevention system can be used in conjunction with fences?

Bollards

A closed network is typically which of the following?

Private network

Monitor mode is used by wireless cards to do what?

Capture information about wireless networks

On a switch, each switchport represents a

Collision Domain

What is a type of combination lock?

cipher lock

Which of the following is considered an administrative control?

security policy

Which of the following is designed to locate wireless access points?

site survey

Which of the following prevents ARP poisoning?

IP DHCP snooping

Which of the following specifies security standards for wireless?

802.11b

What technique funnels all traffic back to a single client, allowing sniffing from all connected hosts?

ARP Flooding

What response is missing in a SYN flood attack?

ACK

Which of the following is a detective control when not used in real time?

Alarms (not CCTV?)

Which of the following is not a source of session IDs?

Anonymous login

AirPcap is used to do which of the following?

Assist in the sniffing of wireless traffic

A honeyspot is designed to do what?

Attract victims to connect to it

Session hijacking can be thwarted with which of the following?

Authentication mechanism

MAC spoofing applies a legitimate MAC address to an unauthenticated host, which allows the attacker to pose as a valid user. Based on your understanding of ARP, what would indicate a bogus client?

A reverse ARP request maps to two hosts

What is a client‐to‐client wireless connection called?

Ad Hoc

A session hijack can be initiated from all of the following except which one?

Devices

What device will neither limit the flow of traffic nor have an impact on the effectiveness of sniffing?

Hub

Wireless access points function as a

Hub

Session hijacking can be performed on all of the following protocols except which one?

IPSec

An SSID is used to do which of the following?

Identify a network

Jason is the local network administrator who has been tasked with securing the network from possible DoS attacks. Within the last few weeks, some traffic logs appear to have internal clients making requests from outside the internal LAN. Based on the traffic Jason has been seeing, what action should be taken?

Implement ingress filtering

While monitoring traffic on the network, Jason captures the following traffic. What is happening?

SYN flood

Which statement defines session hijacking most accurately?

Session hijacking is an attack that aims at stealing a legitimate session and posing as that user while communicating with the web resource or host machine.

Which feature makes WPA easy to defeat?

WPS support

An 8-foot-tall fence with razor wire stranded on top is considered what type of measure?

a preventative measure

What is a rogue access point?

an access point not managed by a company/client

What mechanism is intended to deter theft of hard drives?

encryption

Jennifer is using tcpdump to capture traffic on her network. She would like to review a capture log gathered previously. What command can Jennifer use?

tcpdump -r capture.log

Jennifer is using tcpdump to capture traffic on her network. She would like to save the capture log. What command can Jennifer use?

tcpdump -w capture.log

Which command launches a CLI version of Wireshark?

tshark

How many characters does a service set identifier contain?

32

Which of the following operates at 5 GHz?

802.11a

A public place workstation contains the browsing history of multiple users who logged in during the last seven days. While digging through the history, a user runs across the following web address: www.snaz22enu.com/&w25/session=22525. What kind of embedding are you seeing?

URL Embedding

Which of the following is a device used to perform a DoS on a wireless network?

Wi-Fi jammer

Which type of biometric system is frequently found on laptops but can be used on entryways as well?

fingerprint

Which Wireshark filter displays only traffic from 192.168.1.1?

ip.addr == 192.1681.1

Which of the following is a good defense against tailgating and piggybacking?

mantraps

Which type of network uses a group of zombie computers to carry out the commands of the bot master?

Botnet

When a wireless client is attached to an access point, it is known as which of the following?

Infrastructure

A man-in-the-middle attack is an attack where the attacking party does which of the following?

Insert themselves into an active session

In a DDoS attack, what communications channel is commonly used to orchestrate the attack?

Internet Relay Chat (IRC)

Adding to and removing from a program stack are known as what?

Push and Pop

Zombies Inc. is looking for ways to better protect their web servers from potential DoS attacks. Their web admin proposes the use of a network appliance that receives all incoming web requests and forwards them to the web server. He says it will prevent direct customer contact with the server and reduce the risk of DoS attacks. What appliance is he proposing?

Reverse Proxy

What is an 8-in-1 DoS tool that can launch such attacks as land and teardrop?

TFN2K

Physical security can prevent which of the following?

Tailgating

The command-line equivalent of WinDump is known as what?

Tcpdump

In the following screen shot, what is the plaintext password that was used to create the secured web connection by the client?

The key cannot be derived

In the field of IT security, the concept of defense in depth is the layering of more than one control on another. Why is this?

To provide better protection

What is the name given for the device component physically located on the motherboard that stores encryption keys for hard drives, preventing an adversary from removing the hard drive and using it on another computer?

Trusted Platform Module

What protocol is used to carry out a fraggle attack?

UDP

What is the key difference between a smurf and fraggle attack

UDP vs ICMP

Which of the following options shows the protocols in order from strongest to weakest?

WPA2, WPA, WEP, Open

Session fixation is a vulnerability in which of the following?

Web applications

Julie has sniffed an ample amount of traffic between the targeted victim and an authenticated resource. She has been able to correctly guess the packet sequence numbers and inject packets, but she is unable to receive any of the responses. What does this scenario define?

Blind hijacking

A man-in-the-browser attack is typically enabled by using which mechanism?

Trojans

When applications create variable memory segments in a dynamic fashion, what type of memory is being used?

Heap

What is the name for the dynamic memory space that, unlike the stack, doesn't rely on sequential ordering or organization?

Heap

A method that defends against a flooding attack and massive DoS attacks is referred to as what?

Flood guard

Which of the following attacks use UDP packets to target the broadcast address and cause a DoS?

Fraggle

Which pointer in a program stack gets shifted or overwritten during a successful overflow attack?

EIP (Extended instruction pointer)

Based on the diagram, what attack is occurring?

MITM

Which of the following is a characteristic of USB flash drives that makes security a problem?

Easily hidden

According to the following image, what browser is the user using?

Firefox

What is the generic syntax of a Wireshark filter?

protocol.field operator value

Tiffany is analyzing a capture from a client's network. She is particularly interested in NetBIOS traffic. What filter string matches that which Tiffany would like to use?

tcp.port eq 139

What common tool can be used for launching an ARP poisoning attack?

Cain and Abel

The stack operates on a _________ basis

LIFO (last in first out)

What is a single-button DoS tool suspected to be used by groups such as Anonymous?

LOIC

Which DoS attack sends traffic to the target with a spoofed IP of the target itself?

Land

Which of the following attacks forges a TCP packet as both the source and destination IP address of the victim and causes the victim's computer to freeze or crash?

Land

The wardriving process involved which of the following?

Locating wireless networks

You are a security administrator tasked with determining the expected losses a media firm may incur in the event of a fire. You estimate the firm could expect to lose half of its assets, equal to $10 million dollars. You also determine that the likelihood of a fire occurring is once every 10 years. What is the annual loss expectancy (ALE)?

Loss of $500,000

Bob is attempting to sniff a wired network in his first pen test contract. He sees only traffic from the segment he is connected to. What can Bob do to gather all switch traffic?

MAC Flooding

Warchalkingis used to do which of the following?

Make others aware of a wireless network

A session hijack can happen with which of the following?

Networks and applications

Julie has been working with sniffing and session-hijacking tools on her company network. Since she wants to stay white hat—that is, ethical—she has gotten permission to undertake these activities. What would Julie's activities be categorized as?

Passive

Cipher locks, mantraps, and bollards are considered what?

Physical controls

Session hijacking can do all of the following except which one?

Place a cookie on a server

What mode must be configured to allow an NIC (network interface card) to capture all traffic on the wire?

Promiscuous Mode

Jennifer is a system administrator who is researching a technology that will secure network traffic from potential sniffing by unauthorized machines. Jennifer is not concerned with the future impact on legitimate troubleshooting. What technology can Jennifer implement?

SSH

What is the main difference between DoS and DDoS?

Scale of attack

What is the most common sign of a DoS attack?

Slow performance

Based on the packet capture shown in the graphic, what is contained in the highlighted section of the packet?

Source and destination IP address

An ethical hacker sends a packet with a deliberate and specific path to its destination. What technique is the hacker using?

Source routing

Network-level hijacking focuses on the mechanics of a connection such as the manipulation of packet sequencing. What is the main focus of web app session hijacking?

Stealing session IDs

Which network device can block sniffing to a single network collision domain, create VLANs , and make use of SPAN ports and port mirroring?

Switch

WEP is designed to offer security comparable to which of the following?

Wired networks

As a security administrator, you have security concerns regarding the plans to utilize wire-less networks to bridge different corporate offices. Due to the location of these offices, traditional connections are cost prohibitive. Which of the following antennas will provide the best coverage while limiting the probability of unwanted signal interception?

Yagi

Which of the following could be considered required components of an alarm system?

a visual and audio alerting method

Which function(s) are considered dangerous because they don't check memory bounds?

gets() strcpy() scanf() strcat()

What command-line utility can you use to craft custom packets with specific flags set?

hping3